[Secure-testing-team] Security advisory for docvert's CVE-2008-5147 ?
Nico Golde
debian-secure-testing+ml at ngolde.de
Mon Dec 1 09:55:33 UTC 2008
Hi,
* Francois Marier <francois at debian.org> [2008-12-01 09:34]:
> I noticed a (fairly recent CVE) against one of my packages (docvert):
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5147
>
> I'm not exactly sure how one would exploit this given that the affected script
> literally consists of:
>
> cat /var/www/docvert/doc/sample/sample-document.doc | /var/www/docvert/core/lib/pyodconverter/pyodconverter2.py --stream > /tmp/outer.odt
This is about an attacker linking /some/important/file to /tmp/out.odt.
> (see http://git.debian.org/?p=collab-maint/docvert.git;a=blob;f=core/lib/pyodconverter/test-pipe-to-pyodconverter.org.sh;hb=master)
>
> I was wondering if you think it's worth issuing a security advisory for.
No it's not. We marked this as unimportant in the security
tracker as this is only an unused test script:
http://security-tracker.debian.net/tracker/CVE-2008-5147
> I will remove that (unused) script from the next upload of the package.
Ok that's fine. Please ping us in this case with the version
so we can mark it as fixed in the security tracker.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
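The issue behind CVE-2008-5147 is the fixed output path in a world-writable directory: a symlink pre-planted at that name would redirect the write. The following script is an added example written for this archive page, not code from docvert, Debian or the people in this thread; `convert_stream` is a hypothetical stand-in for `pyodconverter2.py --stream`, and the sample document is constructed inline.

```shell
#!/bin/sh
# Added example (not docvert's own code): the hardened form of the
# "cat doc | converter --stream > /tmp/out.odt" pattern. The output file
# is created by mktemp with an unpredictable name (O_CREAT|O_EXCL, 0600),
# so a pre-planted symlink at a guessable /tmp path is never followed.
set -eu

# Hypothetical stand-in for pyodconverter2.py --stream: copies stdin to stdout.
convert_stream() {
    cat
}

# convert_to_tmp INPUT: convert INPUT into a fresh private temp file and
# print that file's path on stdout.
convert_to_tmp() {
    input="$1"
    # mktemp picks the name and creates the file atomically; nothing an
    # attacker placed in /tmp beforehand can occupy the returned path.
    out="$(mktemp "${TMPDIR:-/tmp}/docvert-out.XXXXXX")"
    if [ -L "$out" ]; then    # defence in depth: mktemp never returns a symlink
        echo "refusing to write through symlink: $out" >&2
        return 1
    fi
    convert_stream < "$input" > "$out"
    printf '%s\n' "$out"
}

# is_private_regular_file PATH: 0 if PATH is a regular file (not a symlink)
# with owner-only permissions, i.e. what a safely created temp file looks like.
is_private_regular_file() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    case "$(ls -l "$1")" in
        -rw-------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Demonstration on a constructed sample document.
sample="$(mktemp "${TMPDIR:-/tmp}/docvert-sample.XXXXXX")"
printf 'constructed sample document\n' > "$sample"
result="$(convert_to_tmp "$sample")"
is_private_regular_file "$result" && echo "wrote $result safely"
```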