oss-sec mailing list archives
Re: CVE request: surf
From: Kurt Seifried <kseifried () redhat com>
Date: Sat, 11 Feb 2012 16:09:50 -0700
On 02/10/2012 03:11 PM, Florian Weimer wrote:
* Kurt Seifried:

On 02/09/2012 05:24 PM, Florian Weimer wrote:

surf does not protect its cookie jar against read access from other local users, as reported by Jakub Wilk in this Debian bug:

<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659296>

Could someone please assign a CVE for this?

So for surf suckless (http://surf.suckless.org/) please use CVE-2012-0842

Oops. I mistook this for the HTTP client library. Your reference is correct, and it appears I consistently wrote "surf" (the correct spelling).

uzbl <http://uzbl.org/> (in the uzbl-browser wrapper script) and netsurf <http://www.netsurf-browser.org/> (the nsgtk_check_homedir function creates the dot directory with world-readable settings) have a similar issue, but are from different code bases. I think those should get distinct CVEs, too.

I'll need advisories or code commits, or links to the vuln code to assign CVEs (I need more information). Thanks!

Jakub has filed bugs:
Not ideal (I'd prefer upstream stuff) but it'll do.
uzbl: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659379
Please use CVE-2012-0843 for this issue.
netsurf: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659376
Please use CVE-2012-0844 for this issue.

--
Kurt Seifried
Red Hat Security Response Team (SRT)
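
One way to audit and create a per-user cookie jar and dot directory so that other local users cannot read them, as an added example that is not part of the original message and is not code from surf, uzbl or netsurf. All function names and the temporary paths are hypothetical and constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if group or other hold any permission bit, 0 if owner-only, -1 on error. */
int exposed_to_others(const char *path)
{
    struct stat st;
    return lstat(path, &st) != 0 ? -1 : (st.st_mode & (S_IRWXG | S_IRWXO)) != 0;
}

/* Owner-only directory. mkdir() may fail with EEXIST; chmod() then repairs it. */
int make_private_dir(const char *dir)
{
    (void)mkdir(dir, 0700);
    return chmod(dir, 0700);
}

/* Owner-only file, whatever the umask; fchmod() repairs an existing loose file. */
int open_private_file(const char *path)
{
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW, 0600);
    if (fd >= 0 && fchmod(fd, 0600) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demo. Bits 0-1: dir/jar exposed before the fix; bits 2-3: after. */
int demo(void)
{
    char dir[] = "/tmp/jar-demo-XXXXXX", jar[64];
    if (mkdtemp(dir) == NULL) return -1;
    umask(022);                                  /* common default umask */
    chmod(dir, 0755);                            /* hypothetical loose dot directory */
    snprintf(jar, sizeof jar, "%s/cookies.txt", dir);
    close(open(jar, O_WRONLY | O_CREAT, 0666));  /* mode fopen(jar, "w") requests */
    int r = exposed_to_others(dir) + 2 * exposed_to_others(jar);
    make_private_dir(dir);
    close(open_private_file(jar));
    r += 4 * exposed_to_others(dir) + 8 * exposed_to_others(jar);
    unlink(jar); rmdir(dir);
    return r;
}
```
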