List:       oss-security
Subject:    Re: [oss-security] CVE request: jhead
From:       "Steven M. Christey" <coley () linus ! mitre ! org>
Date:       2009-03-20 0:01:51
Message-ID: Pine.GSO.4.51.0903191950550.13013 () faron ! mitre ! org


On Fri, 6 Feb 2009, Tomas Hoger wrote:

> Looks like -latest tarball was updated again and now mentions 2.86
> inside.  In that, usage of mkstemp was replaced with mktemp (previous
> version failed to close file descriptors opened by mkstemp, probably
> causing issues when trying to use command on large pile of images at
> once).  Though the temp files seem to be created in the user-specified
> destination directory, probably not too likely to be /tmp (and hence
> prone to races).
>
> Anyway, can anyone help me understand what was CVE-2008-4639 assigned
> to?  I tried looking at the diff between 2.7 and 2.84 and fail to see
> any relevant change...

I anchored on this:

  http://www.openwall.com/lists/oss-security/2008/10/16/3

which is John Dong's answer to an inquiry I had for how many CVEs to
create:

>> = Steve
> = John
>>
>> 1 - long -cmd
>> 2 - unsafe temp file creation
>> 3 - "more unchecked buffers" and "unsafe buffer sized strcat's in
>>    ModifyDescriptComment"  [this assumes that upstream only fixed
>>    issue 1]
>> 4 - shell escapes
>...
>
>
>So, bottom line is I think 2.84 fixes 1 and 3 acceptably, while 2 and 4
>are still unresolved.

So CVE-2008-4641 was assigned to issue 4, and CVE-2008-4639 was assigned
to issue 2.  However, I made a mistake in CVE-2008-4639 and said "before
2.84" instead of "2.84 and earlier."  I've since fixed the CVE-2008-4639
description to say "2.84 and earlier."

Now what's this about 2.86?... Sounds like it may be a regression.

- Steve
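The temp-file handling Tomas describes in the quoted message (a version that opened each temp file with mkstemp but never closed the descriptor, then a follow-up that swapped in mktemp) is worth seeing side by side. The program below is an added illustration written for this page; it is not jhead's code, and the function names, the `jheadXXXXXX` template, the sample payload and the use of `$TMPDIR` or `/tmp` as a writable directory are all assumptions of the example. `write_temp_leaky` reproduces the descriptor leak: mkstemp already opened the file, the code reopens it by name with fopen, and the original descriptor is never closed. `write_temp_safe` shows the fix that keeps mkstemp's atomic create-and-open, wrapping the returned descriptor with fdopen instead of reopening the name (the approach I would suggest; the page does not say jhead did this). `fd_growth` runs either pattern twenty times and reports how many descriptors stayed open.

```c
#define _POSIX_C_SOURCE 200809L  /* for mkstemp() and fdopen() */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>

/* Count the descriptors currently open in this process by probing each
 * number with fcntl(F_GETFD). Capped at 4096 to keep the probe cheap. */
int open_fd_count(void) {
    long limit = sysconf(_SC_OPEN_MAX);
    if (limit < 0 || limit > 4096)
        limit = 4096;
    int n = 0;
    for (int fd = 0; fd < limit; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            n++;
    return n;
}

/* Build "<dir>/jheadXXXXXX" (hypothetical template) for mkstemp(). */
static int make_template(const char *dir, char *tmpl, size_t len) {
    int n = snprintf(tmpl, len, "%s/jheadXXXXXX", dir);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Leaky pattern (the bug described in the thread): mkstemp() has already
 * opened the file, but the code reopens it by name with fopen() and never
 * closes the descriptor mkstemp() returned. One descriptor leaks per temp
 * file, so a large batch of images eventually fails with EMFILE. */
int write_temp_leaky(const char *dir, const char *payload, char *path, size_t path_len) {
    char tmpl[4096];
    if (make_template(dir, tmpl, sizeof tmpl) != 0)
        return -1;
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    FILE *f = fopen(tmpl, "w");     /* second open of the same name */
    if (f == NULL) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    fputs(payload, f);
    fclose(f);                      /* closes fopen()'s descriptor only */
    snprintf(path, path_len, "%s", tmpl);
    return 0;                       /* `fd` is still open: the leak */
}

/* Fixed pattern: keep the descriptor mkstemp() created, wrap it with
 * fdopen(), and close it exactly once. There is no reopen by name, so no
 * window for a symlink swap between create and open, and nothing leaks.
 * Falling back to mktemp() instead gives up that create-and-open atomicity:
 * mktemp() only returns a name, and the later open is a separate step. */
int write_temp_safe(const char *dir, const char *payload, char *path, size_t path_len) {
    char tmpl[4096];
    if (make_template(dir, tmpl, sizeof tmpl) != 0)
        return -1;
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    FILE *f = fdopen(fd, "w");
    if (f == NULL) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    fputs(payload, f);
    if (fclose(f) != 0) {           /* fclose() closes `fd` as well */
        unlink(tmpl);
        return -1;
    }
    snprintf(path, path_len, "%s", tmpl);
    return 0;
}

typedef int (*temp_writer)(const char *, const char *, char *, size_t);

/* Call `writer` n times in `dir`, unlink each file, and report how many
 * descriptors are still open afterwards relative to the start. */
int fd_growth(temp_writer writer, const char *dir, int n) {
    char path[4096];
    int before = open_fd_count();
    for (int i = 0; i < n; i++) {
        /* constructed sample payload, standing in for the rewritten image */
        if (writer(dir, "constructed sample payload\n", path, sizeof path) != 0)
            return -1;
        unlink(path);               /* a leaked descriptor keeps the inode alive anyway */
    }
    return open_fd_count() - before;
}

/* Directory for the demo: $TMPDIR if set, otherwise /tmp (assumed writable). */
const char *temp_dir(void) {
    const char *d = getenv("TMPDIR");
    return (d != NULL && *d != '\0') ? d : "/tmp";
}

int main(void) {
    printf("mkstemp+fopen (leaky): %d descriptors left open after 20 files\n",
           fd_growth(write_temp_leaky, temp_dir(), 20));
    printf("mkstemp+fdopen (safe): %d descriptors left open after 20 files\n",
           fd_growth(write_temp_safe, temp_dir(), 20));
    return 0;
}
```

Run as a normal C program; the leaky pattern reports 20 descriptors left open and the fdopen pattern reports 0. The point of the comparison is that the leak is a bug in how the mkstemp descriptor was handled, not in mkstemp itself, so the remedy is to close (or fdopen) that descriptor rather than to move to mktemp.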