oss-sec mailing list archives
Re: CVE Request: cups: Incomplete fix for CVE-2014-3537
From: cve-assign () mitre org
Date: Tue, 22 Jul 2014 18:20:38 -0400 (EDT)
https://cups.org/str.php?L4455
if language[0] is null, we do not reach the lstat calls for filename and afterwards
Yes, it looks like this needs to be an lstat as well
Use CVE-2014-5029.
we should probably add similar protections to the directory index files (which are also using stat) index.html index.class index.pl index.php index.pyc index.py
Use CVE-2014-5030.
+ * Similarly, if the file/directory does not have world read permissions, do + * not allow access...
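Review bot: the added comment should state which call's mode bits the world-read test uses, lstat on the requested name or stat on its target; as written it only says access is refused when the file/directory lacks world read permissions. The rest of this thread turns on stat versus lstat, so naming the call in the comment would remove the ambiguity.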
Use CVE-2014-5031.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
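The following C program is an added example (not CUPS code and not part of the message above) showing why the quoted text asks for lstat rather than stat, and for a world-read test, on served files and directory index files. The function names, the file layout under /tmp and the result bitmask are assumptions made for the illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* lstat, symlink, mkdtemp */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak form: stat() follows symlinks, so the mode bits tested here
 * belong to the link's target, not to the name that was requested. */
static int allowed_stat(const char *path) {
  struct stat st;
  return stat(path, &st) == 0 && (st.st_mode & S_IROTH) != 0;
}

/* Hardened form: lstat() describes the name itself. Refuse symlinks
 * and anything without the world-read bit. */
static int allowed_lstat(const char *path) {
  struct stat st;
  if (lstat(path, &st) != 0 || S_ISLNK(st.st_mode)) return 0;
  return (st.st_mode & S_IROTH) != 0;
}

/* Builds a constructed document root under /tmp and returns one bit per
 * result: 1 = stat check allows the symlinked index.php,
 * 2 = lstat check allows it, 4 = lstat check allows index.html (0644),
 * 8 = lstat check allows private.txt (0600). Returns -1 on setup failure. */
int run_demo(void) {
  char dir[] = "/tmp/docroot-XXXXXX", pub[64], priv[64], lnk[64];
  int bits = 0, fd;
  if (!mkdtemp(dir)) return -1;
  snprintf(pub, sizeof pub, "%s/index.html", dir);
  snprintf(priv, sizeof priv, "%s/private.txt", dir);
  snprintf(lnk, sizeof lnk, "%s/index.php", dir);
  if ((fd = open(pub, O_CREAT | O_WRONLY, 0644)) < 0) return -1;
  close(fd);
  if ((fd = open(priv, O_CREAT | O_WRONLY, 0600)) < 0) return -1;
  close(fd);
  if (chmod(pub, 0644) || chmod(priv, 0600) || symlink(pub, lnk)) return -1;
  if (allowed_stat(lnk))   bits |= 1;
  if (allowed_lstat(lnk))  bits |= 2;
  if (allowed_lstat(pub))  bits |= 4;
  if (allowed_lstat(priv)) bits |= 8;
  unlink(lnk); unlink(priv); unlink(pub); rmdir(dir);
  return bits;
}

int main(void) { printf("result bits: %d\n", run_demo()); return 0; }
```

The stat-based check accepts the symlinked index file because it sees the target's mode, while the lstat-based check rejects both the symlink and the file without world read permission.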
Current thread:
- CVE Request: cups: Incomplete fix for CVE-2014-3537 Salvatore Bonaccorso (Jul 21)
- Re: CVE Request: cups: Incomplete fix for CVE-2014-3537 cve-assign (Jul 22)