
How to manage CVE




Hi,
a CVE has been created for the bug id below in the logol package.

In the meantime the issue has been fixed and uploaded.

Can anyone tell me how to manage CVEs? The CVE id is in the bug report, but
should I do something else to describe the issue, tag it, ...?

Thanks

Olivier
 
-------- Original Message --------
Subject:     [Debian-med-packaging] Bug#683647: Fwd: CVE ASSIGNMENT:
logol: creates world writable directory: /var/lib/logol/results
Resent-Date:     Fri, 03 Aug 2012 18:27:05 +0000
Resent-From:     Andreas Beckmann <debian@abeckmann.de>
Resent-To:     debian-bugs-dist@lists.debian.org
Resent-CC:     Debian Med Packaging Team
<debian-med-packaging@lists.alioth.debian.org>
Date:     Fri, 03 Aug 2012 20:24:10 +0200
From:     Andreas Beckmann <debian@abeckmann.de>
Reply-To:     Andreas Beckmann <debian@abeckmann.de>,
683647@bugs.debian.org
To:     683647@bugs.debian.org




-------- Original Message --------
Subject: CVE ASSIGNMENT: logol: creates world writable directory:
/var/lib/logol/results
Date: Fri, 03 Aug 2012 12:07:31 -0600
From: Kurt Seifried <kseifried@redhat.com>
To: oss-security@lists.openwall.com <oss-security@lists.openwall.com>,
      Andreas Beckmann <debian@abeckmann.de>

logol: creates world writable directory: /var/lib/logol/results

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683647

Package: logol
Version: 1.5.0-2
Severity: grave
Tags: security
Justification: user security hole
User: debian-qa@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed that your package creates a world
writable directory:

    drwxrwxrwx 2 root root 40 Jul  1 21:59 /var/lib/logol/results

There, any local user may delete/replace arbitrary files that were not
created by the user himself.


Andreas

Please use CVE-2012-3453 for this issue.







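The kind of check behind the piuparts finding quoted above, as an added example that is not part of the original thread or of the logol package: it lists directories that are world-writable without the sticky bit, which is the condition that lets any local user delete or replace other users' files. The function names and the sample tree are constructed for illustration, and the `chmod o-w` remediation is an assumption, since the thread does not say how the package was fixed.

```shell
#!/bin/sh
# Added example: audit a tree for world-writable directories lacking the sticky bit.

# Print every directory under $1 that is o+w without the sticky bit (e.g. mode 0777).
audit_world_writable() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | sort
}

# Classify one directory: unsafe (o+w, no sticky), sticky (o+w, /tmp-style), ok.
classify_dir() {
    if [ -n "$(find "$1" -prune -type d -perm -0002 ! -perm -1000 -print)" ]; then
        echo unsafe
    elif [ -n "$(find "$1" -prune -type d -perm -0002 -print)" ]; then
        echo sticky
    else
        echo ok
    fi
}

# Build a constructed sample tree (not a real install) and print its path.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/var/lib/logol/results" "$root/var/tmp" "$root/var/lib/other"
    chmod 0777 "$root/var/lib/logol/results"   # mode shown in the bug report
    chmod 1777 "$root/var/tmp"                 # world-writable, but sticky
    chmod 0755 "$root/var/lib/other" "$root/var/lib/logol" "$root/var/lib" "$root/var"
    echo "$root"
}

demo() {
    tree=$(make_sample_tree) || return 1
    echo "before:"
    audit_world_writable "$tree"
    # Assumed remediation (the thread does not say how the package was fixed).
    chmod o-w "$tree/var/lib/logol/results"
    echo "after: $(audit_world_writable "$tree" | wc -l | tr -d ' ') finding(s)"
    rm -rf "$tree"
}

demo
```

Pointing `audit_world_writable` at a package's state directory after installation (for example `/var/lib/logol`) gives the same signal as the `drwxrwxrwx` listing in the report.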

