oss-sec mailing list archives
Re: Three CVE requests: at-spi2-atk, as31, naxsi
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 06 Jul 2012 11:33:20 -0600
On 07/05/2012 01:00 PM, Moritz Muehlenhoff wrote:
> Hi,
> please assign CVE IDs for the following issues:
>
> 1. Insecure tempfile handling in the Gnome accessibility component at-spi2-atk
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678026
> https://bugzilla.gnome.org/show_bug.cgi?id=678348
Please use CVE-2012-3378 for this issue.
> 2. Insecure tempfile handling in the as31 assembler
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=655496
> Homepage: http://wiki.erazor-zone.de/doku.php?id=wiki:projects:linux:as31
Please use CVE-2012-3379 for this issue.
> 3. File disclosure in Naxsi web application firewall module for Nginx (also shipped in the Debian nginx package):
> http://code.google.com/p/naxsi/
> http://code.google.com/p/naxsi/source/detail?r=307
Please use CVE-2012-3380 for this issue.
> Cheers,
> Moritz

Also for temporary file creation please note that it is very easy to avoid:

Bash
Simply use "mktemp" ("man mktemp" for details).

C
use mkstemp() ("man mkstemp" for details).

C++
use mkstemp() ("man mkstemp" for details).

Perl
use mkstemp() http://perldoc.perl.org/File/Temp.html#MKTEMP-FUNCTIONS

Python
Simply use "mkstemp" from the "tempfile" module: http://docs.python.org/library/tempfile.html#tempfile.mkstemp

QT
use QTemporaryFile http://qt-project.org/doc/qt-4.8/qtemporaryfile.html

Ruby
use Tempfile http://www.ruby-doc.org/stdlib-1.9.3/libdoc/tempfile/rdoc/Tempfile.html#method-c-new

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
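
What the mkstemp() advice in the message above protects against, shown as an added C example (not part of the original message and not code from any of the projects named in it). The scratch directory and the names `tmpdemo`, `victim` and `app.tmp` are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Insecure pattern: guessable name, no O_EXCL. Whatever already exists at
 * that name (for example a symlink) is opened and truncated. */
static int open_predictable(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}
static long size_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Constructed scenario in a private scratch directory: "victim" stands in for
 * a file the user cares about; "app.tmp" is the predictable temp name, already
 * present as a symlink to it. Returns 0 and fills r[0] = victim size after
 * mkstemp(), r[1] = victim size after the predictable open. */
int tempfile_demo(long r[2])
{
    char dir[] = "/tmp/tmpdemo.XXXXXX", victim[64], fixed[64], tmpl[64];
    int fd;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(fixed, sizeof fixed, "%s/app.tmp", dir);
    snprintf(tmpl, sizeof tmpl, "%s/app.XXXXXX", dir);
    if ((fd = open_predictable(victim)) < 0 || write(fd, "important\n", 10) != 10) return -1;
    close(fd);
    if (symlink(victim, fixed) != 0) return -1;
    /* mkstemp(): random suffix, O_CREAT|O_EXCL, mode 0600; tmpl is rewritten. */
    if ((fd = mkstemp(tmpl)) < 0) return -1;
    close(fd);
    r[0] = size_of(victim);             /* untouched: 10 */
    if ((fd = open_predictable(fixed)) < 0) return -1;
    close(fd);
    r[1] = size_of(victim);             /* emptied through the symlink: 0 */
    unlink(tmpl); unlink(fixed); unlink(victim); rmdir(dir);
    return 0;
}

int main(void)
{
    long r[2];
    return tempfile_demo(r) || printf("%ld %ld\n", r[0], r[1]) < 0;
}
```

Because mkstemp() opens with O_EXCL, an existing entry at the generated name makes it pick another name instead of following it, so the victim file keeps its contents.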