oss-sec mailing list archives
Re: Re: CVE request: a2ps insecure temporary file use
From: Murray McAllister <mmcallis () redhat com>
Date: Wed, 05 Feb 2014 18:55:13 +1100
On 02/05/2014 01:40 AM, cve-assign () mitre org wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

https://bugzilla.redhat.com/show_bug.cgi?id=1060630#c5

* Fri Jan 05 2001 Preston Brown <pbrown () redhat com>
- security patch for tmpfile creation from Olaf Kirch <okir () lst de>

followed the next month by a fix to that patch:

* Mon Feb 12 2001 Tim Waugh <twaugh () redhat com>
- Fix tmpfile security patch so that it actually _works_ (bug #27155).

Does anyone have information indicating that two CVE-2001-#### IDs are needed to cover the discoveries by Olaf Kirch and Tim Waugh 13 years ago? This would be the case if, for example, there was a January 2001 a2ps package that fixed part of the problem with temporary files. Admittedly, the practical value of two CVE-2001-#### IDs at present may be extremely small.

The information does not seem to be in a2ps.git because data before 2004 is unavailable, e.g.,

http://pkgs.fedoraproject.org/cgit/a2ps.git/log/?ofs=100

Also:

https://bugzilla.redhat.com/show_bug.cgi?id=27155
You are not authorized to access bug #27155.

If (as we would expect) nobody is interested in checking that, we will assign one CVE-2001-#### ID.
Hello,

I spent a little time looking but could not determine if a release was made to fix only part of the problem. So one ID is fine by us.
bug #27155 just contains some gdb output. Therefore I assumed it was public and didn't check before sending it here.
Thanks for looking at this.

--
Murray McAllister / Red Hat Security Response Team