Hi,
* Francois Marier <[EMAIL PROTECTED]> [2008-12-01 09:34]:
> I noticed a (fairly recent CVE) against one of my packages (docvert):
>
>   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5147
>
> I'm not exactly sure how one would exploit this given that the affected script
> literally consists of:
>
>   cat /var/www/docvert/doc/sample/sample-document.doc |
>   /var/www/docvert/core/lib/pyodconverter/pyodconverter2.py --stream >
>   /tmp/outer.odt

This is about an attacker linking /some/important/file to /tmp/out.odt.

> (see
> http://git.debian.org/?p=collab-maint/docvert.git;a=blob;f=core/lib/pyodconverter/test-pipe-to-pyodconverter.org.sh;hb=master)
>
> I was wondering if you think it's worth issuing a security advisory for.

No, it's not. We marked this as unimportant in the security tracker as this is
only an unused test script:
http://security-tracker.debian.net/tracker/CVE-2008-5147

> I will remove that (unused) script from the next upload of the package.

Ok, that's fine. Please ping us in this case with the version so we can mark it
as fixed in the security tracker.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team
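
The symlink issue described in the reply above, shown as an added example that is not part of the original mail or of docvert: a redirect to a fixed name in a shared directory follows a link that is already there, while a name created by mktemp does not. Everything runs inside a private scratch directory; the file names (victim, shared/out.odt) and function names are constructed for this illustration.

```shell
#!/bin/sh
# Added illustration. All paths live under a private scratch directory
# created for the demo, not the real /tmp or the docvert tree.

# Unsafe pattern: write to a fixed, predictable name in a shared directory.
# If that name is already a symlink, the shell's ">" follows it.
write_fixed() {   # $1 = shared dir, $2 = data
    printf '%s\n' "$2" > "$1/out.odt"
}

# Safer pattern: mktemp picks an unpredictable name and creates the file
# exclusively, so a link planted in advance is never followed.
write_mktemp() {  # $1 = shared dir, $2 = data; prints the path it used
    out=$(mktemp "$1/out.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$out"
    printf '%s\n' "$out"
}

# Set up a directory in which out.odt is already a symlink to a "victim"
# file, run one of the two patterns, and report what happened to the victim.
demo() {          # $1 = fixed | mktemp; prints "clobbered" or "intact"
    scratch=$(mktemp -d) || return 1
    printf 'important\n' > "$scratch/victim"
    mkdir "$scratch/shared"
    ln -s "$scratch/victim" "$scratch/shared/out.odt"   # link is in place first
    case $1 in
        fixed)  write_fixed  "$scratch/shared" "converted" ;;
        mktemp) write_mktemp "$scratch/shared" "converted" >/dev/null ;;
    esac
    if [ "$(cat "$scratch/victim")" = "important" ]; then
        result=intact
    else
        result=clobbered
    fi
    rm -rf "$scratch"
    printf '%s\n' "$result"
}

demo fixed    # clobbered
demo mktemp   # intact
```

The same check is useful when auditing packaged scripts: any redirect to a literal path under /tmp is a candidate for replacement with mktemp.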

