Package: mondo
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities and Exposures) id was
published for mondo.
CVE-2008-1633[0]:
| Unspecified vulnerability in Mondo Rescue before 2.2.5 has unknown
| impact and attack vectors, related to the use of (1) /tmp and (2)
| MINDI_CACHE.
Since you (as co-upstream maintainer) didn't specify any
useful description or parts of source code when you fixed
this, you get this poor description ;)
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
BTW, grepping the source code for /tmp does show a lot of
hardcoded tmp paths in the source code and shipped scripts
(ide-opt e.g). Are you sure all of these are secure and not
possible to exploit via symlinks? I did not check this in
detail because I have no idea how mondo is really used and
if this would apply in mondo usage scenarios but it's bad
coding style anyway.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1633
http://security-tracker.debian.net/tracker/CVE-2008-1633
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
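
The symlink concern raised in the report above, shown as an added example that is not part of the original message or of the mondo source: a fixed file name in a shared temporary directory next to the `mktemp` form. All file and function names are constructed for illustration, and a private sandbox directory stands in for /tmp.

```shell
#!/bin/sh
# Added illustration; names are constructed, not taken from mondo or mindi.

# Unsafe pattern: a fixed, predictable name in a shared directory.
# The redirection opens whatever already exists at that path, so a
# symlink created there beforehand decides which file gets overwritten.
write_unsafe() {
    dir=$1
    echo "scratch data" > "$dir/example-scratch.tmp"
}

# Hardened pattern: mktemp chooses an unpredictable name and creates the
# file exclusively (fails if the name exists) with mode 0600, so an
# existing symlink is never followed. Prints the path it created.
write_safe() {
    dir=$1
    f=$(mktemp "$dir/example-scratch.XXXXXX") || return 1
    echo "scratch data" > "$f"
    echo "$f"
}

# Sandbox run: $sandbox/tmp plays the role of /tmp and $target is a file
# the script must never modify. Prints the target's content after each write.
symlink_demo() {
    sandbox=$(mktemp -d) || return 1
    target="$sandbox/protected.conf"
    mkdir "$sandbox/tmp"
    ln -s "$target" "$sandbox/tmp/example-scratch.tmp"  # link exists before the write

    echo "original" > "$target"
    write_unsafe "$sandbox/tmp"
    after_unsafe=$(cat "$target")

    echo "original" > "$target"
    write_safe "$sandbox/tmp" > /dev/null
    after_safe=$(cat "$target")

    rm -rf "$sandbox"
    echo "unsafe=$after_unsafe safe=$after_safe"
}

symlink_demo
```

When auditing a source tree for this pattern, every hardcoded /tmp path that is opened for writing without `mktemp` (or `mkstemp`/`O_EXCL` in C) is worth reviewing.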