Message-ID: <email address hidden>
Date: Thu, 11 Nov 2004 11:47:59 +0100
From: Martin Pitt <email address hidden>
To: <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: der_chop script has file in /tmp security holes
severity 278260 grave
tag 278260 patch
thanks
Joey Hess [2004-10-25 16:00 -0400]:
> The der_chop script that is in the source only of openssl (not in any
> debs) is vulnerable to a file in /tmp security hole, according to
> CAN-2004-0975:
This is not quite correct, the script is shipped as
/usr/lib/ssl/misc/der_chop, together with some other auxiliary
scripts. Therefore I increase the severity.
I prepared a patch for Ubuntu Warty and Hoary. The Hoary package is
the same version as in Debian Sid/Sarge, so the patch should apply
without problems. Just be sure to adapt the version number.
The patch is at
http://patches.ubuntulinux.org/patches/openssl.CAN-2004-0975.diff
Please do not use the RedHat patch (with doing things like
`mktemp ..`), this is flawed and a bit too much overhead. The perl module File::Temp
is portable and works fine. Please also submit this patch upstream.
Thanks,
Martin
-- 
Martin Pitt                    http://www.piware.de
Ubuntu Developer               http://www.ubuntulinux.org
Debian GNU/Linux Developer     http://www.debian.org
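As an added illustration of the File::Temp approach recommended in the mail above (example code written for this page, not part of the mail, the der_chop script, or the Ubuntu patch; the function names and the sample data are constructed), the following contrasts a fixed name in /tmp with a file created by File::Temp:

```perl
#!/usr/bin/perl
# Added example, not from der_chop or the CAN-2004-0975 patch.
# Shows why a predictable filename in a shared, world-writable
# directory is the problem, and how File::Temp (core Perl module)
# avoids it. Sample data below is constructed.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Weak pattern: a predictable path in /tmp. The directory is shared
# with every local user and the name is guessable (only the PID varies),
# so the file can exist, or be a link, before this process opens it.
# Kept here only to show what the fix replaces; do not use.
sub write_predictable {
    my ($data) = @_;
    my $path = "/tmp/der_chop.$$";
    open(my $fh, '>', $path) or die "open $path: $!";
    print $fh $data;
    close $fh or die "close $path: $!";
    return $path;
}

# Preferred pattern: File::Temp picks an unpredictable name, creates the
# file with O_CREAT|O_EXCL and mode 0600, and hands back an already-open
# handle, so there is no window between "choose name" and "open file".
# TMPDIR => 1 places the file in the platform temp directory, which keeps
# the code portable; UNLINK => 0 leaves it for the caller to clean up.
sub write_safely {
    my ($data) = @_;
    my ($fh, $path) = tempfile("der_chop.XXXXXXXX", TMPDIR => 1, UNLINK => 0);
    binmode $fh;
    print $fh $data;
    close $fh or die "close $path: $!";
    return $path;
}

# Constructed stand-in for the DER bytes der_chop would write out.
my $blob = pack("C*", 0x30, 0x03, 0x02, 0x01, 0x05);

my $safe = write_safely($blob);
print "wrote ", length($blob), " bytes to $safe\n";
unlink $safe or warn "unlink $safe: $!";
```

When run, the script writes the constructed blob only through `write_safely`; `write_predictable` is defined for comparison and is never called. The behaviour to note is that `tempfile` returns the open handle together with the name, so the caller never reopens the path by name.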