Re: CVE Request - cups, dovecot-managesieve, perl, wireshark

[Jan Lieskovsky <jlieskov () redhat com>]

Steve,

  ------------------------------------------------------------
> perl -- perl-File-Path rmtree race condition (CVE-2005-0448 was assigned to address this)
>      -- from below posted proposed fix: "This vulnerability was fixed in 5.8.4-7 but re-introduced in 5.8.8-1.
>                                          It's also present in File::Path 2.xx, up to and including 2.07 which
>                                          has only a partial fix."
>      -- affects all upstream 5.8.8-1 based perl releases (have checked perl-5.8.8-1+ is reaffected, perl-5.8.10 
> already contains the fix)
>      -- needs a new CVE id
>      -- references: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286922
>                     http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286922
>                     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0448
>                     
> http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=85;filename=etch_03_fix_file_path;att=1;bug=286905
>                     http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=85;filename=sid_fix_file_path;att=2;bug=286905
>
> ------------------------------------------------------------

One point yet -- this is perl-5.8.8-1+ specific issue (different than
CVE-2004-0452, CVE-2005-0448 and even different than recently fixed
CVE-2008-2827). Seems that upstream forgot to apply the fix for
CVE-2005-0448 to 5.8 perl after rebase. This newly reported issue
already fixed in perl-5.10.

CVE-2008-2827 affects only perl-5.10 (and it already applies additional
fix to CVE-2005-0448, which has been properly applied in perl-5.10).

Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team