oss-sec mailing list archives
Re: CVE request: /tmp file vulnerability in ace
From: Helmut Grohne <helmut () subdivi de>
Date: Fri, 12 Sep 2014 11:55:56 +0200
On Thu, Sep 11, 2014 at 03:33:17AM -0400, cve-assign () mitre org wrote:
> Use CVE-2014-6311.
Thanks.
> > An interesting find is bin/g++-dep line 63:
> > TMP=/tmp/g++dep$$
> > This path is also used for writing.
>
> As far as we can tell, there is no bin/g++-dep in the download.dre.vanderbilt.edu upstream distribution. The bin/g++-dep issue, if confirmed, would not be within the scope of CVE-2014-6311.
I point out that said bin/g++-dep file can be found within http://download.dre.vanderbilt.edu/previous_versions/ACE-6.2.7.tar.bz2. Nevertheless, this is not a CVE request, because it is not clear to me in what ways this file is intended for user consumption (if at all). The issue covered by CVE-2014-6311, on the other hand, can be reproduced by executing Debian's dpkg-buildpackage or following upstream's documentation.

Helmut
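Added example, not part of the original message or of the ACE sources: a shell sketch that flags the PID-based /tmp naming pattern quoted above and shows `mktemp` as the replacement. The function names and the three-line sample script are constructed for illustration; only the `TMP=/tmp/g++dep$$` assignment is taken from the message.

```shell
#!/bin/sh
# Added example: audit for, and replace, temp file names derived from $$.

# Print "LINE:TEXT" for each line of script $1 that builds a path under
# /tmp ending in the shell PID ($$). The PID is guessable, so such a name
# is known to other local users before the script writes to it.
find_pid_tmp_names() {
    grep -nE '/tmp/[^[:space:]]*\$\$' "$1"
}

# Create a private temp file with an unpredictable name and print its path.
# mktemp creates the file itself (exclusive create, mode 0600), so a file or
# symlink already present under a candidate name is never opened or followed.
make_private_tmp() {
    mktemp "${TMPDIR:-/tmp}/$1.XXXXXXXXXX"
}

# Constructed sample input: a short script using the quoted assignment and
# then writing to it (hypothetical content, not the real bin/g++-dep).
write_sample_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
TMP=/tmp/g++dep$$
echo "deps" > $TMP
EOF
}

# Demo: scan the constructed sample, then show the hardened allocation.
demo() {
    sample=$(make_private_tmp sample) || return 1
    write_sample_script "$sample"
    echo "predictable names found:"
    find_pid_tmp_names "$sample"

    TMP=$(make_private_tmp g++dep) || return 1
    echo "hardened replacement path: $TMP"
    rm -f "$sample" "$TMP"
}
demo
```

In a real script the `mktemp` call is normally paired with `trap 'rm -f "$TMP"' EXIT` so the file is removed on every exit path.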