[Gnash-commit] [bug #34903] CVE-2011-4328: gnash creates world-readable
From: Gabriele Giacone
Subject: [Gnash-commit] [bug #34903] CVE-2011-4328: gnash creates world-readable cookies under /tmp with predictable filenames
Date: Sat, 26 Nov 2011 03:40:29 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20100101 Firefox/8.0 Iceweasel/8.0
URL:
<http://savannah.gnu.org/bugs/?34903>
Summary: CVE-2011-4328: gnash creates world-readable cookies
under /tmp with predictable filenames
Project: Gnash - The GNU Flash player
Submitted by: gg0
Submitted on: Sat 26 Nov 2011 04:40:28 AM CET
Category: plugin
Severity: 3 - Normal
Release: master
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
_______________________________________________________
Details:
Forwarding http://bugs.debian.org/649384
Attached 2 patches. One moves cookies/launchers under $HOME/.gnash, proposed
a few days ago [0]. The second one doesn't move them, randomizes file names and
makes them 600 with mkstemp(). I don't really like it because I had to add boost
libs to the plugin, but it's the best I've managed to do so far.
Please review and feel free to push better ones.
[0] http://bugs.debian.org/649384#49
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Sat 26 Nov 2011 04:40:28 AM CET Name: movetohomedir.diff Size: 3kB
By: gg0
<http://savannah.gnu.org/bugs/download.php?file_id=24459>
-------------------------------------------------------
Date: Sat 26 Nov 2011 04:40:28 AM CET Name: mkstemp.diff Size: 4kB By: gg0
<http://savannah.gnu.org/bugs/download.php?file_id=24460>
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?34903>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
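
The two file-creation patterns the report contrasts, as an added C example that is not taken from the attached patches or from Gnash's source. The file names, the scratch directory and all function names are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern named in the bug title: fixed name, mode left to the umask. */
int open_cookie_predictable(const char *path) {
    /* 0666 & ~umask gives 0644 under the common umask 022; no O_EXCL either */
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* mkstemp() approach: random suffix, exclusive create, owner-only mode. */
int open_cookie_private(const char *dir, char *path, size_t len) {
    int n = snprintf(path, len, "%s/gnash-cookies.XXXXXX", dir);
    if (n < 0 || (size_t)n >= len) return -1;
    mode_t old = umask(077);          /* glibc 2.06 and earlier created 0666 files */
    int fd = mkstemp(path);           /* rewrites XXXXXX in place */
    umask(old);
    return fd;
}

/* Create a file in a scratch directory and return its permission bits.
 * private_file != 0 selects the mkstemp() variant. Names are constructed. */
int cookie_mode(int private_file) {
    char dir[] = "/tmp/cookie-demo.XXXXXX", path[128];
    struct stat st;
    int fd, mode = -1;
    mode_t old = umask(022);          /* typical desktop umask, set explicitly */
    if (mkdtemp(dir) == NULL) { umask(old); return -1; }
    if (private_file) {
        fd = open_cookie_private(dir, path, sizeof path);
    } else {
        snprintf(path, sizeof path, "%s/gnash-cookies.1234", dir);
        fd = open_cookie_predictable(path);
    }
    if (fd >= 0 && fstat(fd, &st) == 0) mode = (int)(st.st_mode & 0777);
    if (fd >= 0) { close(fd); unlink(path); }
    rmdir(dir);
    umask(old);
    return mode;
}

int main(void) {
    printf("predictable: %04o\n", cookie_mode(0));
    printf("mkstemp:     %04o\n", cookie_mode(1));
    return 0;
}
```

The explicit `umask(077)` around `mkstemp()` keeps the owner-only mode independent of the libc version in use.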