Re: CVE request: surf

[Kurt Seifried <kseifried () redhat com>]

On 02/10/2012 03:11 PM, Florian Weimer wrote:
> * Kurt Seifried:
>
> > On 02/09/2012 05:24 PM, Florian Weimer wrote:
> > > surf does not protect its cookie jar against access read access from
> > > other local users, as reported by Jakub Wilk in this Debian bug:
> > >
> > > <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659296>
> > >
> > > Could someone please assign a CVE for this?
> >
> > So for surf suckless (http://surf.suckless.org/) please use CVE-2012-0842
>
> Oops.  I mistook this for the HTTP client library.  Your reference is
> correct, and it appears I consistently wrote "surf" (the correct
> spelling).
>
> > > uzbl <http://uzbl.org/> (in the uzbl-browser wrapper script) and
> > > netsurf <http://www.netsurf-browser.org/> (the nsgtk_check_homedir
> > > function creates the dot directory with world-readable settings) have
> > > a similar issue, but are from different code bases.  I think those
> > > should get distinct CVEs, too.
> >
> > I'll need advisories or code commits, or links to the vuln code to
> > assign CVE's (I need more information). Thanks!
>
> Jakub has filed bugs:

Not ideal (I'd prefer upstream stuff) but it'll do.

> uzbl: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659379

Please use CVE-2012-0843 for this issue.

> netsurf: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659376

Please use CVE-2012-0844 for this issue.


-- 
Kurt Seifried Red Hat Security Response Team (SRT)