Re: CVE-2013-4440, CVE-2013-4442 pwgen vulnerabilities fix
Hi Jan and security team!
I won't have access to a machine where I can easily apply and test the
patch until later next week. if any of you want to review and apply it,
that would be great, otherwise I'll do so in about a week.
Cheers,
James
On Thu, Aug 7, 2014 at 7:43 AM, Jan Rusnacko <jrusnack(a)fedoraproject.org>
wrote:
Hello James,
I am looking at old vulnerabilities and package you own, pwgen, currently
has three of them: CVE-2013-4440, CVE-2013-4441 and CVE-2013-4442.
I contacted upstream author Theodore Ts`o, who acknowledged CVE-2013-4440
and CVE-2013-4442 are problems, but refused to merge fix proposed on the
list (http://marc.info/?l=oss-security&m=137049241132104&w=4) for good
reasons. I did analysis on CVE-2013-4441 and I believe it`s basically not
fixable without breaking pwgen completely.
For the other two issues I wrote a patch and sent it upstream, but
received no response. So, for the time being, could you please look at the
patch and see if we can update pwgen in Fedora and EPEL to fix
CVE-2013-4440 and CVE-2013-4442 ?
Thank you !
--
Jan Rusnacko, Fedora Security Team
Attachments:
- attachment.html (text/html — 1.6 KB)