Francois Marier
2008-Dec-01 06:26 UTC
[Secure-testing-team] Security advisory for docvert's CVE-2008-5147 ?
(Please CC me on your replies)

Hello,

I noticed a (fairly recent) CVE against one of my packages (docvert):

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5147

I'm not exactly sure how one would exploit this given that the affected script literally consists of:

cat /var/www/docvert/doc/sample/sample-document.doc | /var/www/docvert/core/lib/pyodconverter/pyodconverter2.py --stream > /tmp/outer.odt

(see http://git.debian.org/?p=collab-maint/docvert.git;a=blob;f=core/lib/pyodconverter/test-pipe-to-pyodconverter.org.sh;hb=master)

I was wondering if you think it's worth issuing a security advisory for.

I will remove that (unused) script from the next upload of the package.

Cheers,
Francois
Nico Golde
2008-Dec-01 09:55 UTC
[Secure-testing-team] Security advisory for docvert's CVE-2008-5147 ?
Hi,
* Francois Marier <francois at debian.org> [2008-12-01 09:34]:
> I noticed a (fairly recent) CVE against one of my packages (docvert):
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5147
>
> I'm not exactly sure how one would exploit this given that the affected script
> literally consists of:
>
> cat /var/www/docvert/doc/sample/sample-document.doc | /var/www/docvert/core/lib/pyodconverter/pyodconverter2.py --stream > /tmp/outer.odt

This is about an attacker linking /some/important/file to /tmp/out.odt.

> (see http://git.debian.org/?p=collab-maint/docvert.git;a=blob;f=core/lib/pyodconverter/test-pipe-to-pyodconverter.org.sh;hb=master)
>
> I was wondering if you think it's worth issuing a security advisory for.

No it's not. We marked this as unimportant in the security tracker as this is only an unused test script:
http://security-tracker.debian.net/tracker/CVE-2008-5147

> I will remove that (unused) script from the next upload of the package.

Ok that's fine. Please ping us in this case with the version so we can mark it as fixed in the security tracker.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
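The symlink attack Nico describes, reproduced as an added example that is not part of this thread and not docvert or pyodconverter code: a script that redirects into a fixed, predictable name such as /tmp/outer.odt lets anyone who can write to /tmp plant a symlink there first, and the shell's `>` follows it. The script below stages that inside a private scratch directory (so nothing under the real /tmp is touched), using a stand-in `convert` function in place of pyodconverter2.py and constructed file names and contents, and then shows the mktemp fix. Paths, names and the `convert` stub are all assumptions of the example.

```shell
#!/bin/sh
# Added example, not docvert or pyodconverter code: reproduces the symlink
# attack against a fixed output path, then the mktemp fix. Everything happens
# inside a private scratch directory; no real /tmp path is touched.
# File names and contents are constructed for the demo.

SANDBOX=$(mktemp -d) || exit 1
trap 'rm -rf "$SANDBOX"' EXIT

INPUT="$SANDBOX/sample-document.doc"   # stand-in for the sample .doc
VICTIM="$SANDBOX/important-file"       # stand-in for /some/important/file
FIXED_OUT="$SANDBOX/outer.odt"         # stand-in for the predictable /tmp/outer.odt

# Stand-in for "pyodconverter2.py --stream": copies stdin to stdout unchanged.
convert() { cat; }

# Fresh input, victim and output slot before each scenario.
setup() {
    rm -f "$FIXED_OUT"
    printf 'converted output\n' > "$INPUT"
    printf 'original contents\n' > "$VICTIM"
}

# Vulnerable pattern from the test script: output goes to a name the attacker
# can predict. The attacker plants a symlink there; the shell's ">" opens the
# path with O_CREAT|O_TRUNC, follows the link, and VICTIM is clobbered.
# Returns 0 when the overwrite happened.
unsafe_redirect() {
    setup
    ln -s "$VICTIM" "$FIXED_OUT"                 # attacker's move
    cat "$INPUT" | convert > "$FIXED_OUT"        # the script runs as written
    [ "$(cat "$VICTIM")" = "converted output" ]
}

# Fixed pattern: let mktemp choose an unpredictable name and create the file
# itself with O_CREAT|O_EXCL. A planted link cannot sit at that name, and if
# something already exists there mktemp fails instead of following it.
# Returns 0 when VICTIM is untouched and the output landed in a regular file.
safe_redirect() {
    setup
    ln -s "$VICTIM" "$FIXED_OUT"                 # attacker still tries the old name
    out=$(mktemp "$SANDBOX/outer.XXXXXX") || return 1
    cat "$INPUT" | convert > "$out"
    [ ! -L "$out" ] &&
        [ "$(cat "$VICTIM")" = "original contents" ] &&
        [ "$(cat "$out")" = "converted output" ]
}

# Stand-alone run: report both outcomes.
if unsafe_redirect; then
    echo "fixed path: $VICTIM was overwritten through the planted symlink"
fi
if safe_redirect; then
    echo "mktemp: $VICTIM untouched, output written to a fresh file"
fi
```

One caveat when trying this against the real /tmp: Linux kernels with fs.protected_symlinks=1 (the default on most current distributions) refuse to follow a symlink in a world-writable sticky directory when the link's owner is neither the directory owner nor the process following it, so the overwrite may not reproduce there even though the script is still wrong. That mitigation does not exist on every system and does not cover non-sticky directories, which is why the demo uses a private directory and why mktemp (or, as the thread settles on, simply dropping the script) is the actual fix.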
Francois Marier
2008-Dec-01 22:17 UTC
[Secure-testing-team] Security advisory for docvert's CVE-2008-5147 ?
(Thanks for CCing me on your replies)

On 2008-12-01 at 10:55:33, Nico Golde wrote:
> No it's not. We marked this as unimportant in the security
> tracker as this is only an unused test script:
> http://security-tracker.debian.net/tracker/CVE-2008-5147

Great. By the way, is there a way for me to "subscribe" one way or another to receive a notification whenever one of my packages has a CVE associated to it?

> Ok that's fine. Please ping us in this case with the version
> so we can mark it as fixed in the security tracker.

I have uploaded docvert 3.4-7 to unstable and requested a freeze exception for lenny.

The debdiff is attached to this email in case you're interested.

Cheers,
Francois

[Attachment: docvert_security_fix.diff (text/x-diff, 1114 bytes): http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20081202/dcf82d77/attachment.diff]
Nico Golde
2008-Dec-01 23:07 UTC
[Secure-testing-team] Security advisory for docvert's CVE-2008-5147 ?
Hi,
* Francois Marier <francois at debian.org> [2008-12-01 23:46]:
> (Thanks for CCing me on your replies)
>
> On 2008-12-01 at 10:55:33, Nico Golde wrote:
> > No it's not. We marked this as unimportant in the security
> > tracker as this is only an unused test script:
> > http://security-tracker.debian.net/tracker/CVE-2008-5147
>
> Great. By the way, is there a way for me to "subscribe" one way or another
> to receive a notification whenever one of my packages has a CVE associated
> to it?

Yes, the BTS :) Usually we file bugs for each CVE id except in cases where we rate them as unimportant.

> > Ok that's fine. Please ping us in this case with the version
> > so we can mark it as fixed in the security tracker.
>
> I have uploaded docvert 3.4-7 to unstable and requested a freeze exception
> for lenny.
>
> The debdiff is attached to this email in case you're interested.

Thanks very much, I updated the tracker to reflect the fixed version in 3.4-7.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.