List: oss-security
Subject: Re: [oss-security] CVE request: surf
From: Kurt Seifried <kseifried () redhat ! com>
Date: 2012-02-11 23:09:50
Message-ID: 4F36F53E.6090206 () redhat ! com
On 02/10/2012 03:11 PM, Florian Weimer wrote:
> * Kurt Seifried:
>
>> On 02/09/2012 05:24 PM, Florian Weimer wrote:
>>> surf does not protect its cookie jar against read access from
>>> other local users, as reported by Jakub Wilk in this Debian bug:
>>>
>>> <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659296>
>>>
>>> Could someone please assign a CVE for this?
>>
>> So for surf suckless (http://surf.suckless.org/) please use CVE-2012-0842
>
> Oops. I mistook this for the HTTP client library. Your reference is
> correct, and it appears I consistently wrote "surf" (the correct
> spelling).
>
>>> uzbl <http://uzbl.org/> (in the uzbl-browser wrapper script) and
>>> netsurf <http://www.netsurf-browser.org/> (the nsgtk_check_homedir
>>> function creates the dot directory with world-readable settings) have
>>> a similar issue, but are from different code bases. I think those
>>> should get distinct CVEs, too.
>>
>> I'll need advisories or code commits, or links to the vuln code to
>> assign CVEs (I need more information). Thanks!
>
> Jakub has filed bugs:
Not ideal (I'd prefer upstream stuff) but it'll do.
> uzbl: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659379
Please use CVE-2012-0843 for this issue.
> netsurf: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659376
Please use CVE-2012-0844 for this issue.
--
Kurt Seifried Red Hat Security Response Team (SRT)
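
The issue class discussed in this thread (a cookie jar or dot directory left readable by other local users), shown as an added example that is not part of the original message and is not code from surf, uzbl or netsurf. The helper names are hypothetical; the sketch creates the directory 0700 and the jar 0600, and also tightens ones that already exist with wider modes:

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <errno.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create the per-user dot directory, or tighten one that
 * already exists, so only the owner can list or enter it. 0 on success. */
int ensure_private_dir(const char *path)
{
    struct stat st;
    int fd, ok;
    /* umask can only remove bits, so a 0700 request never ends up wider. */
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    /* Open without following symlinks and fix the mode through the fd. */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    ok = fstat(fd, &st) == 0 && st.st_uid == geteuid() &&
         ((st.st_mode & 077) == 0 || fchmod(fd, 0700) == 0);
    close(fd);
    return ok ? 0 : -1;
}

/* Hypothetical helper: open the cookie jar read/write, creating it 0600.
 * Returns a file descriptor, or -1 on error. */
int open_private_file(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);

    if (fd < 0)
        return -1;
    /* A jar written by an older version keeps its old mode: tighten it. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid() ||
        ((st.st_mode & 077) != 0 && fchmod(fd, 0600) != 0)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permission bits granted to group and others; 0 means owner-only. */
int group_other_bits(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 077) : -1;
}
```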