oss-sec mailing list archives
Re: CVE requests: Pacemaker, Python Imaging Library, eyeD3, 9base, rc, Gamera, RPLY - insecure use of /tmp
From: cve-assign () mitre org
Date: Mon, 10 Feb 2014 22:11:09 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
* Pacemaker: https://bugs.debian.org/633964 This needs a CVE-2011-#### id.
Use CVE-2011-5271.
* Python Imaging Library: https://bugs.debian.org/737059
Note that we have two slightly different kinds of problems here: 1) in IptcImagePlugin.py and Image.py there's tempfile.mktemp() followed by open() in the same subprocess;
2) in JpegImagePlugin.py and EpsImagePlugin.py, temporary file name generated by tempfile.mktemp()
Use CVE-2014-1932 for the issue of using mktemp in all of these .py files.
2) ... temporary file name ... is passed to an external process. The latter kind is much easier to exploit, at least on some systems, because commandlines are not secret.
Use CVE-2014-1933 for the issue of including sensitive filename information on a command line that is visible by using ps or a similar approach.
* eyeD3: https://bugs.debian.org/737062
Use CVE-2014-1934.
* Tom Duff's rc (part of 9base): https://bugs.debian.org/737206
Use CVE-2014-1935.
* Byron Rakitzis's rc: https://bugs.debian.org/737125
Use CVE-2014-1936.
* Gamera: https://bugs.debian.org/737324
Use CVE-2014-1937.
* RPLY (follow-up for CVE-2014-1604): https://bugs.debian.org/737627
Use CVE-2014-1938. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJS+ZOnAAoJEKllVAevmvmsmGgH/2pKXzhtYjqTnz9/KvGeDqRH af5obLEN/SB7p/aCpMQtIQ2sRSw7bKYGQ6R+niEfw2+5ZrRuYhbiQLikd1qH4kMX OTfPYhDJUJwq5t7JdoNSc0CD1/aNg3FDvJ/cfNs80Tln97zRd7kgpp3xUPOdwsKn /cU2WIelFMGIXCuXDRpKpqep7grP3bfAZRHzo03hg0NxY/6Ah/0eJHV02/8b3ta/ CX9I1a/+4yi6TeBXnez4VhBT5Cs+2Ft1QE5nMSnHEQzf0U6USfRKK7MSWgug5mVK zEEzHwY24gEDWumv6eGhrgU+/AySN9M6d+m7QjhNV3txgZgJ6adgx4qumHSTbkg= =umjH -----END PGP SIGNATURE-----
Current thread:
- CVE requests: Pacemaker, Python Imaging Library, eyeD3, 9base, rc, Gamera, RPLY - insecure use of /tmp Jakub Wilk (Feb 10)
- Re: CVE requests: Pacemaker, Python Imaging Library, eyeD3, 9base, rc, Gamera, RPLY - insecure use of /tmp cve-assign (Feb 10)
- Re: CVE requests: Pacemaker, Python Imaging Library, eyeD3, 9base, rc, Gamera, RPLY - insecure use of /tmp Tomas Hoger (Feb 27)