[opensuse-packaging] CVE-2010-5252 seems to be windows only. Agree?
I maintain httrack and there is a new update out that addresses a CVE covering the version in openSUSE 12.3.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5252

But the CVE relates to having a trojan dll in the local directory. Doesn't seem to apply to openSUSE.

I prefer not to update it in 12.3 (I just sent the SR to factory: SR#196331)

If I'm missing something, let me know.

Greg
--
Greg Freemyer
--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-packaging+owner@opensuse.org

On Sun, Aug 25, 2013 at 10:34:16PM -0400, Greg Freemyer wrote:
> I maintain httrack and there is a new update out that addresses a CVE covering the version in openSUSE 12.3.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5252
>
> But the CVE relates to having a trojan dll in the local directory. Doesn't seem to apply to openSUSE.
>
> I prefer not to update it in 12.3 (I just sent the SR to factory: SR#196331)
>
> If I'm missing something, let me know.

Depends ... if dlopen() is loading from current working directory and if an attacker can place .so files there.

As LD_LIBRARY_PATH usually does not include ".", we should be good.

Ciao, Marcus

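The condition raised in the reply above can be checked mechanically. The following is an added example, not part of either message in this thread: it flags LD_LIBRARY_PATH entries and dlopen() names that resolve against the current working directory, following the rules documented in ld.so(8) and dlopen(3). The function names and the sample values are constructed for illustration.

```python
import re

ORIGIN_TOKENS = ("$ORIGIN", "${ORIGIN}")  # expanded to the executable's directory


def cwd_relative_entries(search_path):
    """Return (index, entry, reason) for each entry that ld.so would
    resolve against the current working directory."""
    if not search_path:
        # Assumption based on glibc: an unset or empty variable adds no directories.
        return []
    findings = []
    # ld.so(8): entries are separated by colons or semicolons, with no escaping.
    for index, entry in enumerate(re.split(r"[:;]", search_path)):
        if entry == "":
            # ld.so(8): a zero-length directory name means the current directory.
            findings.append((index, entry, "empty entry"))
        elif entry.startswith(ORIGIN_TOKENS):
            continue  # relative to the executable, not to the cwd
        elif not entry.startswith("/"):
            findings.append((index, entry, "relative path"))
    return findings


def dlopen_name_uses_cwd(name):
    """dlopen(3): a name containing a slash is used as a pathname and the
    library search path is skipped; a relative pathname then depends on cwd."""
    if "/" not in name:
        return False  # looked up via RPATH, LD_LIBRARY_PATH, RUNPATH, cache, defaults
    return not name.startswith("/") and not name.startswith(ORIGIN_TOKENS)


if __name__ == "__main__":
    # Constructed sample values, not taken from httrack or openSUSE.
    samples = ["/usr/lib64:/opt/app/lib", "/opt/app/lib:", ".:/usr/lib",
               "$ORIGIN/../lib;plugins"]
    for value in samples:
        print(repr(value), "->", cwd_relative_entries(value))
    for name in ["libexample.so", "./libexample.so", "/usr/lib64/libexample.so"]:
        print(repr(name), "->", dlopen_name_uses_cwd(name))
```

A trailing or doubled colon is the case most easily missed, because it usually comes from appending to an unset variable, as in `LD_LIBRARY_PATH=/opt/app/lib:$LD_LIBRARY_PATH`.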
participants (2)
- Greg Freemyer
- Marcus Meissner