oss-sec mailing list archives
Re: CVE request: a2ps insecure temporary file use
From: cve-assign () mitre org
Date: Tue, 4 Feb 2014 09:40:36 -0500 (EST)
https://bugzilla.redhat.com/show_bug.cgi?id=1060630#c5

  * Fri Jan 05 2001 Preston Brown <pbrown () redhat com>
  - security patch for tmpfile creation from Olaf Kirch <okir () lst de>

followed the next month by a fix to that patch:

  * Mon Feb 12 2001 Tim Waugh <twaugh () redhat com>
  - Fix tmpfile security patch so that it actually _works_ (bug #27155).

Does anyone have information indicating that two CVE-2001-#### IDs are needed to cover the discoveries by Olaf Kirch and Tim Waugh 13 years ago? This would be the case if, for example, there was a January 2001 a2ps package that fixed part of the problem with temporary files. Admittedly, the practical value of two CVE-2001-#### IDs at present may be extremely small.

The information does not seem to be in a2ps.git because data before 2004 is unavailable, e.g.,

  http://pkgs.fedoraproject.org/cgit/a2ps.git/log/?ofs=100

Also:

  https://bugzilla.redhat.com/show_bug.cgi?id=27155
  You are not authorized to access bug #27155.

If (as we would expect) nobody is interested in checking that, we will assign one CVE-2001-#### ID.

Finally, the earlier abstraction question is no longer relevant because Jakub Wilk is apparently not the original discoverer of any part of the problem. Specifically, this question:

  The original report notes there are calls to tempname_ensure(). If any of those are found to be vulnerable, would they use the same CVE number, or require a different one?

would only apply to a situation in which the spyname problem was a new discovery in 2014.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]