Date: Sat Jul 16 13:05:03 2005
From: jerome.athias at free.fr (Jerome Athias)
Subject: Secunia published adviso without respecting release date !

2 things I remind myself...

1) http://seclists.org/lists/vulndiscuss/2004/Dec/0006.html

2) This is an answer from Thomas before the disclosure of a vuln that Secunia 
found "at the same time" :

10/09/2004 19:40

Re: OpenOffice World-Readable Temporary Files Disclose Files to Local Users

Hi Jérôme,

This issue was originally discovered by Secunia on 16th August and
reported to the vendors.

Please do not forward to anyone else. The various vendors will release
updates on Wednesday in a co-ordinated disclosure.

Kind regards,

Thomas

On Fri, 2004-09-10 at 17:31, jerome.athias@...amail.com wrote:
> Date:  Thu, 9 Sep 2004 23:52:18 -0400
> Subject:  http://www.openoffice.org/issues/show_bug.cgi?id=33357
> Reporter: pmladek
> OS:  Linux
> Version:  OOo 1.1.2
> Summary:  Insecure permissions on temporary files at runtime
>  When OOo is started, a directory /tmp/svRAND.tmp is created, where
> RAND is a 3-character random string. The permissions of this directory
> allow other users (depending on the user's umask) to 'cd' to this
> directory and list the contents.
>  Once a file is saved, a zipped file is created in /tmp/svRAND.tmp and the
> name of the file follows the same convention. The permissions of the file
> allow others (depending on the user's umask) to read the content.
>  Due to this any user can grab sensitive information of some other user.
>  Steps to reproduce the problem:
> 1. Launch OpenOffice.
> 2. List /tmp contents. Locate the directory 'sv*.tmp'
> 3. Type in some contents in the document and save it.
> 4. List the contents of the directory /tmp/sv*.tmp/
> 5. Do not close OpenOffice. 'su' to a different user.
> 6. Copy the file under /tmp/sv*.tmp/ to home directory.
> 7. Use 'unzip' to unzip the files.
> 8. The file content.xml holds the data the user had just saved.
>  The workaround is to set a more secure umask. The problem is that the users do
> not know about it. Why should they need to set a stricter umask if they save
> their data in a directory which has the correct permissions? They do not expect
> that there are any world-readable temporary data available somewhere on
> the system.
>
> Regards,
> Jérôme ATHIAS
> -------------------
>
>

-- 
Kind regards,

Thomas Kristensen
CTO

Secunia
Toldbodgade 37B
1253 Copenhagen K
Denmark

Tlf.: +45 7020 5144
Fax:  +45 7020 5145



So, express your opinion, but either they want exclusivity, or they 
respect the "full-disclosure policy" most of the time.

My 0,000001€
/JA

******************
http://www.secunia.fr
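The OpenOffice.org report forwarded above comes down to one thing: the temporary directory and the saved archive get whatever mode the user's umask leaves, so with the common default umask 022 another local user can list the directory and read the file. The script below is an added example, not code from this thread or from OpenOffice.org. It recreates that pattern next to the hardened variant (restrictive umask before anything is created) and adds a small audit for world-readable sv*.tmp entries. The names svABC.tmp, svXYZ.tmp, svDEF.tmp and svUVW.tmp are placeholders for the "sv" + 3 random characters + ".tmp" naming, and a private scratch root is used instead of /tmp so the script never touches a shared directory.

```sh
#!/bin/sh
# Added example, not code from the original thread or from OpenOffice.org.
# Reproduces the permission pattern described in the forwarded bug report
# (temp dir and saved file whose modes depend only on the user's umask)
# next to a hardened variant, plus an audit for world-readable sv*.tmp
# entries. svABC.tmp etc. stand in for "sv" + 3 random chars + ".tmp";
# $1 is a private scratch root used instead of /tmp.

# Insecure pattern: rely on whatever umask the user happens to have.
# With the common default 022 the directory is created 0755 (anyone can
# cd/ls it) and the saved archive 0644 (anyone can read it).
# Prints the path of the saved file.
insecure_save() {
    root=$1
    (
        umask 022                               # common default umask
        dir="$root/svABC.tmp"                   # /tmp/svRAND.tmp analogue
        mkdir "$dir" || exit 1
        printf 'content.xml placeholder\n' > "$dir/svXYZ.tmp"
        echo "$dir/svXYZ.tmp"
    )
}

# Hardened pattern: set a restrictive umask before creating anything, so
# the result is 0700 / 0600 no matter what the interactive umask is.
secure_save() {
    root=$1
    (
        umask 077
        dir="$root/svDEF.tmp"
        mkdir "$dir" || exit 1
        printf 'content.xml placeholder\n' > "$dir/svUVW.tmp"
        echo "$dir/svUVW.tmp"
    )
}

# Returns 0 when the "other" class has the read bit on the given path.
# find(1) is used because [ -r ] only answers for the current user.
world_readable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -o=r 2>/dev/null)" ]
}

# Audit: list sv*.tmp directories and files under $1 (e.g. /tmp) that
# other users can read, i.e. exactly the condition the report describes.
audit_tmp() {
    find "$1" -maxdepth 2 -name 'sv*.tmp' -perm -o=r 2>/dev/null
}

# Stand-alone demonstration in a throwaway scratch root.
demo_root=$(mktemp -d)
insecure_save "$demo_root" >/dev/null
secure_save "$demo_root" >/dev/null
echo "world-readable sv*.tmp entries under $demo_root:"
audit_tmp "$demo_root"          # lists only the two insecure_save entries
rm -rf "$demo_root"
```

Run it as-is to see the audit output, or point audit_tmp at /tmp on a box running an affected OOo to check for the condition. The fix is on the creating side: a umask of 077 (or mkdir -m 700 plus opening the file with mode 0600) makes the user's interactive umask irrelevant, which is the point the reporter makes about not expecting users to tighten their umask themselves.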


----- Original Message ----- 
From: "Xavier Beaudouin" <kiwi@....net>
To: <ad@...ss101.org>
Cc: <full-disclosure@...ts.grok.org.uk>
Sent: Thursday, July 14, 2005 12:59 PM
Subject: Re: [Full-disclosure] Secunia published adviso without respecting release date !


This is usual with Secunia..

I had a "bug" in a beta version of software and they "released" a
vulnerability for *all* versions of this software
without even informing the maintainer (me) of this "pseudo advisory".

My thoughts about these guys are now : don't even trust them... They
push advisories without testing and without respecting the
usual way to inform the developer, as it should be.

My 0,02€
/xavier
On 13 Jul 2005 at 23:45, <ad@...ss101.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Then don't send to Secunia b4 the rls date ! HUH
>
>
> - -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On behalf of Eric Romang
> Sent: Tuesday, July 12, 2005 21:09
> To: support@...unia.com
> Cc: full-disclosure@...ts.grok.org.uk; Eric Romang
> Subject: [Full-disclosure] Secunia published adviso without respecting release date !
>
>
> Hello,
>
> These advisories are published on your website, but the patches are not
> ready yet.
> I contacted upstream today, before you released the advisories, so they
> could react.
>
> As you can see in the advisory, the release date was not given !!!!
>
> http://secunia.com/advisories/16040/
> http://secunia.com/advisories/16038/
>
> You released advisories without respecting the normal process for publishing advisories.
>
> This guy is monitoring my /adviso/ folder.
>
> 80.161.200.182
>
> I think this guy is working for you.
>
> So please tell him to respect the normal process in a security
> process.
>
> Regards.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2rc2 (MingW32)
>
> iQIVAwUBQtWLU6+LRXunxpxfAQL+1w/+IE947ec5TVHTUox8RC5JCSSAkk+C3GTf
> wAvkTzYoN7p0LLgFOGmf0oZUQytxQ1QKjgRSv0WeHM3sh/ZX3E33l6z+1aPwLOsO
> asJDVVYHoxJMTbxccO01dM724UvANPvfO68Y3YHOIcZupJQhzuIqIR8u+clUwwpc
> M7bToYBMaQbyGKCPuBpVdUqK8DVuXj9Q/+Fz8G+2kvEfM/leGhkOh55AWqcQyyJ0
> YMEYFz4pxoR7HnYvMbxh3GLdRda0YhQj12uNw29VacLDmlYJ9JEIp2skfuk/nMM/
> CMoVGMHz+HbOhBJTOYoLvqVUcPB9rahXNxgRHas/z8gydFUYzY8IXF5oWlAnw6UQ
> XrAYR9EvEJaXFO+FqDAoppEnvfv7NNm+dzs5yZCZM1cKel028Zg95sKkzjoAnqZA
> CfVke2I7/0nFX3gnq/Ka54reKKKk0U732zwV1RFqanmaVueCsmoj8IhbL+3Gc1So
> fwuhG5uGXskTqVh0qr3FMxXgf9dHDJqzZyTIS2Wi2St8SZzAQSOfIpZ8tuOA4YQO
> QK3hIOExKFDzZXSidlZzR0455YQKEyzjuylctWRcZwx51a/E6u1/ZDty/DRgO37S
> d4YFiD0za38qE7Etu5nEG1CZIhlU5mroKCqE00ld97eu9rv2tUeYC/aN4W+wnOTm
> S6Q77U46E8A=
> =VbS3
> -----END PGP SIGNATURE-----
>
