[Secure-testing-team] Security advisory for docvert's CVE-2008-5147 ?
Francois Marier
francois at debian.org
Mon Dec 1 06:26:53 UTC 2008
(Please CC me on your replies)
Hello,
I noticed a (fairly recent) CVE against one of my packages (docvert):
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5147
I'm not exactly sure how one would exploit this given that the affected script
literally consists of:
cat /var/www/docvert/doc/sample/sample-document.doc | /var/www/docvert/core/lib/pyodconverter/pyodconverter2.py --stream > /tmp/outer.odt
(see http://git.debian.org/?p=collab-maint/docvert.git;a=blob;f=core/lib/pyodconverter/test-pipe-to-pyodconverter.org.sh;hb=master)
I was wondering if you think it's worth issuing a security advisory for.
I will remove that (unused) script from the next upload of the package.
Cheers,
Francois
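
Added example, not part of the original message or of docvert's code: the script quoted above redirects into a fixed file name in the world-writable /tmp directory, and this shows two hardened forms of that redirect. convert_stream and both function names are hypothetical; convert_stream stands in for pyodconverter2.py --stream so the block runs offline.

```shell
#!/bin/sh
# Added example, not docvert code. convert_stream is a hypothetical stand-in
# for "pyodconverter2.py --stream": it copies stdin to stdout unchanged.
convert_stream() { cat; }

# Hardened form 1: let mktemp choose the name. mktemp creates the file
# atomically (O_CREAT|O_EXCL, mode 0600) under an unpredictable name, so
# nothing another local user placed in the directory beforehand can end up
# as the target of the redirect.
convert_to_private_tmp() {
    input=$1
    out=$(mktemp "${TMPDIR:-/tmp}/docvert-outer.XXXXXXXXXX") || return 1
    if ! convert_stream < "$input" > "$out"; then
        rm -f -- "$out"
        return 1
    fi
    # Print the generated path so the caller knows where the output went.
    printf '%s\n' "$out"
}

# Hardened form 2: when a fixed name is required, enable noclobber (set -C)
# so that ">" fails if anything, a symlink included, already exists at the
# path. The subshell keeps the option from leaking into the caller.
convert_to_fixed_path() {
    input=$1
    fixed=$2
    (
        set -C
        convert_stream < "$input" > "$fixed"
    ) 2>/dev/null
}
```

A fixed-name output is better placed in a directory only the invoking user can write to; noclobber only turns a silent overwrite into a visible failure.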