List:       oss-security
Subject:    Re: [oss-security] CVE request: surf
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-02-11 23:09:50
Message-ID: 4F36F53E.6090206 () redhat ! com

On 02/10/2012 03:11 PM, Florian Weimer wrote:
> * Kurt Seifried:
> 
>> On 02/09/2012 05:24 PM, Florian Weimer wrote:
>>> surf does not protect its cookie jar against read access from
>>> other local users, as reported by Jakub Wilk in this Debian bug:
>>>
>>> <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659296>
>>>
>>> Could someone please assign a CVE for this?
>>
>> So for surf suckless (http://surf.suckless.org/) please use CVE-2012-0842
> 
> Oops.  I mistook this for the HTTP client library.  Your reference is
> correct, and it appears I consistently wrote "surf" (the correct
> spelling).
> 
>>> uzbl <http://uzbl.org/> (in the uzbl-browser wrapper script) and
>>> netsurf <http://www.netsurf-browser.org/> (the nsgtk_check_homedir
>>> function creates the dot directory with world-readable settings) have
>>> a similar issue, but are from different code bases.  I think those
>>> should get distinct CVEs, too.
>>
>> I'll need advisories or code commits, or links to the vuln code to
>> assign CVE's (I need more information). Thanks!
> 
> Jakub has filed bugs:

Not ideal (I'd prefer upstream stuff) but it'll do.

> uzbl: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659379

Please use CVE-2012-0843 for this issue.

> netsurf: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659376

Please use CVE-2012-0844 for this issue.


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
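
The class of issue discussed in this thread (a cookie jar or dot directory created with whatever the default umask leaves, and so readable by other local users) can be shown and checked as follows. This is an added example, not part of the original message and not code from surf, uzbl or netsurf; the function names, the `cookies.txt` file name and the `/tmp` scratch directory are hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* mkdtemp, lstat, O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if group/other hold any permission bit on path, 0 if owner-only, -1 on error. */
int exposed_to_others(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) ? 1 : 0;
}

/* Create dir and dir/cookies.txt; the umask can only remove bits from these modes. */
int make_jar(const char *dir, mode_t dmode, mode_t fmode, char *file, size_t n) {
    if (mkdir(dir, dmode) != 0) return -1;
    snprintf(file, n, "%s/cookies.txt", dir);
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, fmode);
    if (fd < 0) return -1;
    return close(fd);
}

/* Bit 0: loose dir exposed, bit 1: loose file exposed,
   bit 2: private dir exposed, bit 3: private file exposed; -1 on setup error. */
int demo(void) {
    char base[] = "/tmp/jar-demo-XXXXXX";    /* constructed scratch location */
    char d1[64], d2[64], f1[96] = "", f2[96] = "";
    if (!mkdtemp(base)) return -1;
    mode_t old = umask(022);                 /* a common default umask */
    snprintf(d1, sizeof d1, "%s/loose", base);
    snprintf(d2, sizeof d2, "%s/private", base);
    int rc = -1;
    if (make_jar(d1, 0777, 0666, f1, sizeof f1) == 0 &&   /* relies on umask only */
        make_jar(d2, 0700, 0600, f2, sizeof f2) == 0)     /* explicit owner-only modes */
        rc = exposed_to_others(d1) | (exposed_to_others(f1) << 1) |
             (exposed_to_others(d2) << 2) | (exposed_to_others(f2) << 3);
    umask(old);
    unlink(f1); unlink(f2); rmdir(d1); rmdir(d2); rmdir(base);
    return rc;
}

int main(void) {
    printf("exposure mask: %d\n", demo());
    return 0;
}
```

`exposed_to_others()` can also be pointed at an existing profile directory or cookie file to audit it.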