Hello James,
I am looking at old vulnerabilities, and the package you own, pwgen, currently has three of them: CVE-2013-4440, CVE-2013-4441 and CVE-2013-4442.
I contacted upstream author Theodore Ts'o, who acknowledged that CVE-2013-4440 and CVE-2013-4442 are problems, but refused to merge the fix proposed on the list (http://marc.info/?l=oss-security&m=137049241132104&w=4) for good reasons. I did an analysis of CVE-2013-4441 and I believe it's basically not fixable without breaking pwgen completely.
For the other two issues I wrote a patch and sent it upstream, but received no response. So, for the time being, could you please look at the patch and see if we can update pwgen in Fedora and EPEL to fix CVE-2013-4440 and CVE-2013-4442?
Thank you!
-- Jan Rusnacko, Fedora Security Team
Hi Jan and security team!
I won't have access to a machine where I can easily apply and test the patch until later next week. If any of you want to review and apply it, that would be great; otherwise I'll do so in about a week.
Cheers, James
On Thu, Aug 7, 2014 at 7:43 AM, Jan Rusnacko jrusnack@fedoraproject.org wrote:
Hello James,
Thank you for your response. My colleagues are probably too busy to review the patch :( - please review and apply it whenever you find time to do so.
Thanks!
On 07.08.2014 23:40, James Bowes wrote: