Author: gilbert-guest Date: 2011-09-04 18:50:53 +0000 (Sun, 04 Sep 2011) New Revision: 17167 Modified: data/CVE/list Log: TMPFILE environment variable exposure Modified: data/CVE/list ==================================================================--- data/CVE/list 2011-09-02 23:30:56 UTC (rev 17166) +++ data/CVE/list 2011-09-04 18:50:53 UTC (rev 17167) @@ -1,3 +1,6 @@ +CVE-2011-XXXX [TMPFILE environment variable exposure] + - debianutils <unfixed> (bug #640389) + - coreutils <unfixed> CVE-2011-XXXX [unescaped remote shell] - bcfg2 1.1.2-2 (bug #640028) NOTE: information as reported by maintainer
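Review bot: the new coreutils line has no bug reference, while the debianutils line above it cites bug #640389, and the new entry has no NOTE line saying which program reads TMPFILE or under what circumstances that is a problem. The neighbouring bcfg2 entry shows the pattern: a version, a bug number and a NOTE giving the source of the information. Suggest adding a bug number for coreutils and a NOTE describing the specific case before both packages are marked <unfixed>, so the entry can be assessed on its own.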
Nico Golde
2011-Sep-05 09:08 UTC
[Secure-testing-team] [Secure-testing-commits] r17167 - data/CVE
Hi,
* Michael Gilbert <gilbert-guest at alioth.debian.org> [2011-09-04 20:52]:
> Author: gilbert-guest > Date: 2011-09-04 18:50:53 +0000 (Sun, 04 Sep 2011) > New Revision: 17167 > > Modified: > data/CVE/list > Log: > TMPFILE environment variable exposure > > Modified: data/CVE/list > ==================================================================> --- data/CVE/list 2011-09-02 23:30:56 UTC (rev 17166) > +++ data/CVE/list 2011-09-04 18:50:53 UTC (rev 17167) > @@ -1,3 +1,6 @@ > +CVE-2011-XXXX [TMPFILE environment variable exposure] > + - debianutils <unfixed> (bug #640389) > + - coreutils <unfixed>

This imho shouldn't be a bug tracked by us. As discussed via PM you have far worse problems if you can control environment variables. This needs a specific case but not such a general bug for a "bug" class.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
Michael Gilbert
2011-Sep-05 15:59 UTC
[Secure-testing-team] [Secure-testing-commits] r17167 - data/CVE
On Mon, 5 Sep 2011 11:08:03 +0200 Nico Golde wrote:
> Hi, > * Michael Gilbert <gilbert-guest at alioth.debian.org> [2011-09-04 20:52]: > > Author: gilbert-guest > > Date: 2011-09-04 18:50:53 +0000 (Sun, 04 Sep 2011) > > New Revision: 17167 > > > > Modified: > > data/CVE/list > > Log: > > TMPFILE environment variable exposure > > > > Modified: data/CVE/list > > ==================================================================> > --- data/CVE/list 2011-09-02 23:30:56 UTC (rev 17166) > > +++ data/CVE/list 2011-09-04 18:50:53 UTC (rev 17167) > > @@ -1,3 +1,6 @@ > > +CVE-2011-XXXX [TMPFILE environment variable exposure] > > + - debianutils <unfixed> (bug #640389) > > + - coreutils <unfixed>
>
> This imho shouldn't be a bug tracked by us. As discussed via PM you have far
> worse problems if you can control environment variables. This needs a specific
> case but not such a general bug for a "bug" class.

Agreed. Already removed :)