Re: CVE request: PHP configure script and Lynis tool /tmp/ issues reported on full disclosure

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://seclists.org/fulldisclosure/2014/Jun/21
> https://bugzilla.redhat.com/show_bug.cgi?id=1104978

Use CVE-2014-3981 for this issue in PHP.


> The second issue is Lynis ...
> 2 runs on Fedora 20 revealed the following file being used each time:
>
> /tmp/ffiYFc1nZ
>
> I cannot find that in the source. I do not know if lynsis exec()'s any
> other scripts or programs.

We probably can't make a CVE assignment for this because the primary
affected product is unknown, and this /tmp/ffiYFc1nZ observation might
already be covered by a previous CVE. Lynis apparently runs many other
scripts and programs; for example, there are hundreds of

  FIND=`

lines.

> The full disclosure report might be referring to the following in
> include/tests_webservers:
>
>   39     if [ "${OS}" = "AIX" ]; then
>   40         TMPFILE=/tmp/lynis.$$

We can make a CVE assignment corresponding to your disclosure of this
lynis.$$ issue on oss-security. Use CVE-2014-3982. A CVE for this most
likely won't (or shouldn't) have a
http://seclists.org/fulldisclosure/2014/Jun/21 reference unless the
original fulldisclosure author confirms the association.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTkat2AAoJEKllVAevmvmsYoYIAISk5kSEkjIDI0d1Ky3udkJm
/gzIpiKm4gWudGac9z4D0rhxJmCy6JaGIN87n46CxgWUDCJoTCdgNx4HOs4czC7b
CsLagZfSdcFH4rkKxfWMsoB4Kyc3kMNK2sVc+TgKY8Vbk2oY7S54to/mAcmMxN9I
pT4KtMTK6w+XKIcMszD3reIgoxG35tRhvpqh8C/fZMY2H7XQgzn1Us2GqNV8emDG
ckkZJgLvlgLIGn+NArogzd2noBhpR4MqhDfLNL7y5LV0mXbV7b0MSwYLB5Da8qU1
tkODpivVlr49oDU50jznAVV/1Eg/KWqswY2ldTOy9k3jN4hw/1mp7wTBE4nTvCA=
=Ltzt
-----END PGP SIGNATURE-----