Thank you for your response. My colleagues are probably too busy to review the patch :( - please review and apply it whenever you find time to do so.
On 07.08.2014 23:40, James Bowes wrote:
Hi Jan and security team!
I won't have access to a machine where I can easily apply and test the patch until later next week. If any of you want to review and apply it, that would be great; otherwise I'll do so in about a week.
On Thu, Aug 7, 2014 at 7:43 AM, Jan Rusnacko <jrusnack(a)fedoraproject.org> wrote:
I am looking at old vulnerabilities, and a package you own, pwgen, currently has three of them: CVE-2013-4440, CVE-2013-4441 and CVE-2013-4442.
I contacted the upstream author Theodore Ts'o, who acknowledged that CVE-2013-4440 and CVE-2013-4442 are problems, but refused to merge the fix proposed on the list ) for good reasons. I did an analysis of CVE-2013-4441 and I believe it's basically not fixable without breaking pwgen.
For the other two issues I wrote a patch and sent it upstream, but received no response. So, for the time being, could you please look at the patch and see if we can update pwgen in Fedora and EPEL to fix CVE-2013-4440 and CVE-2013-4442?
Thank you!
Jan Rusnacko, Fedora Security Team