lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <065e01c589a9$f280c1d0$0301a8c0@cb.com> Date: Sat Jul 16 13:05:03 2005 From: jerome.athias at free.fr (Jerome Athias) Subject: Secunia published adviso withoutrespectingrelease date ! 2 things i remind myself... 1) http://seclists.org/lists/vulndiscuss/2004/Dec/0006.html 2) This is an answer of Thomas before a disclosure of some vuln that Secunia found "at the same time" : 10/09/2004 19:40 Re: OpenOffice World-Readable Temporary Files Disclose Files to Local Users Hi J?r?me, This issue was originally discovered by Secunia on 16th August and reported to the vendors. Please do not forward to anyone else. The various vendors well release updates on Wednesday in a co-ordinated disclosure. Kind regards, Thomas On Fri, 2004-09-10 at 17:31, jerome.athias@...amail.com wrote: > Date: Thu, 9 Sep 2004 23:52:18 -0400 > Subject: http://www.openoffice.org/issues/show_bug.cgi?id=33357> > Reporter: pmladek > OS: Linux > Version: OOo 1.1.2 > Summary: Insecure permissions on temporary files at runtime > When OOo is started, a directory /tmp/sv.tmp is created, where > RAND is a 3 character random string. The permissions of this directory > allow other users (depending on the user's > umask) to 'cd' to this directory and list the contents. > Once a file is saved, a zipped file is created in /tmp/sv.tmp and the > name of the file follows the same convention. The permissions of the file > allow others (depending on the user's umask) to read the content. > Due to this any user can grab sensitive information of someother user. > Steps to reproduce the problem: > 1. Launch OpenOffice. > 2. List /tmp contents. Locate the directory 'sv*.tmp' > 3. Type in some contents in the document and save it. > 4. List the contents of the directory /tmp/sv*.tmp/ > 5. Do not cl > ose OpenOffice. 'su' to a different user. > 6. Copy the file under /tmp/sv*.tmp/ to home directory. > 7. Use 'unzip' to unzip the files. > 8. The file content.xml holds the data the user had just saved. > The workaround is to set more secure umask. The problem is that the users > does > not know about it. Why should they need to set more strict umask if they > save > its data in a directory which has the correct permissions. They do not > expect > > Regards, > J?r?me ATHIAS > ------------------- > that there are any world-readable temporary data available somewhere on > the system. > > > -- Kind regards, Thomas Kristensen CTO Secunia Toldbodgade 37B 1253 Copenhagen K Denmark Tlf.: +45 7020 5144 Fax: +45 7020 5145 So, express your opinion, but either they want exclusivity, either they respect the majority of the time the "full-disclosure policy" My 0,000001? /JA ****************** http://www.secunia.fr ----- Original Message ----- From: "Xavier Beaudouin" <kiwi@....net> To: <ad@...ss101.orgad@...ss101.org> Cc: <full-disclosure@...ts.grok.org.uk> Sent: Thursday, July 14, 2005 12:59 PM Subject: Re: [Full-disclosure] Secunia published adviso withoutrespectingrelease date ! This is usual with secunia.. I had at "bug" in a beta version of software and they "release" a vulnerability to *all* version of this software without even inform the maintainer (me) of this "pseudo advisory". My thought with this guys are now : don't even trust them... They push advisory without testing and respect the usual way to inform developper as it should. My 0,02? /xavier Le 13 juil. 05 ? 23:45, <ad@...ss101.org> <ad@...ss101.org> a ?crit : > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Then don't send to Secunia b4 the rls date ! HUH > > > - -----Message d'origine----- > De : full-disclosure-bounces@...ts.grok.org.uk [mailto:full- > disclosure-bounces@...ts.grok.org.uk] De la part de Eric Romang Envoy? : > mardi 12 juillet 2005 21:09 ? : support@...unia.com Cc : > full-disclosure@...ts.grok.org.uk; Eric Romang Objet : [Full- disclosure] > Secunia published adviso without respectingrelease date ! > > > Hello, > > This adviso are published on your website, but the patch are not > already ok. > I have contact upstream today, before you release the adviso, so they > could react. > > As you can see in the adviso, the release date was not given !!!! > > http://secunia.com/advisories/16040/ > http://secunia.com/advisories/16040/ > http://secunia.com/advisories/16038/ > > You release adviso without respect the normal process to publish adviso. > > This guy is monitoring my /adviso/ folder. > > 80.161.200.182 > > I think this guy is working for you. > > So please say to him to respect the normal process in a security > process. > > Regards. > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.2rc2 (MingW32) > > iQIVAwUBQtWLU6+LRXunxpxfAQL+1w/+IE947ec5TVHTUox8RC5JCSSAkk+C3GTf > wAvkTzYoN7p0LLgFOGmf0oZUQytxQ1QKjgRSv0WeHM3sh/ZX3E33l6z+1aPwLOsO > asJDVVYHoxJMTbxccO01dM724UvANPvfO68Y3YHOIcZupJQhzuIqIR8u+clUwwpc > M7bToYBMaQbyGKCPuBpVdUqK8DVuXj9Q/+Fz8G+2kvEfM/leGhkOh55AWqcQyyJ0 > YMEYFz4pxoR7HnYvMbxh3GLdRda0YhQj12uNw29VacLDmlYJ9JEIp2skfuk/nMM/ > CMoVGMHz+HbOhBJTOYoLvqVUcPB9rahXNxgRHas/z8gydFUYzY8IXF5oWlAnw6UQ > XrAYR9EvEJaXFO+FqDAoppEnvfv7NNm+dzs5yZCZM1cKel028Zg95sKkzjoAnqZA > CfVke2I7/0nFX3gnq/Ka54reKKKk0U732zwV1RFqanmaVueCsmoj8IhbL+3Gc1So > fwuhG5uGXskTqVh0qr3FMxXgf9dHDJqzZyTIS2Wi2St8SZzAQSOfIpZ8tuOA4YQO > QK3hIOExKFDzZXSidlZzR0455YQKEyzjuylctWRcZwx51a/E6u1/ZDty/DRgO37S > d4YFiD0za38qE7Etu5nEG1CZIhlU5mroKCqE00ld97eu9rv2tUeYC/aN4W+wnOTm > S6Q77U46E8A= > =VbS3 > -----END PGP SIGNATURE----- > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists