Your message dated Thu, 14 Apr 2005 11:47:49 +0200 (CEST)
with message-id <[EMAIL PROTECTED]>
and subject line Bug#304547: rpdump TOCTOU file-permissions vulnerability 
(CAN-2005-1066)
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Date: Wed, 13 Apr 2005 18:22:00 -0400
From: Joey Hess <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: rpdump TOCTOU file-permissions vulnerability (CAN-2005-1066)

Package: pine
Severity: normal
Tags: security

I've verified that the rpdump.c included in the pine source package is
vulnerable to the symlink attack described here:
http://msgs.securepoint.com/cgi-bin/get/bugtraq0504/126.html

I don't see rpdump being put in any of the binary packages, but I did
not build them to check, so I'm leaving this bug's severity at normal.
If rpdump is shipped in a binary, then the bug should be release
critical.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

-- 
see shy jo


---------------------------------------
Date: Thu, 14 Apr 2005 11:47:49 +0200 (CEST)
From: Santiago Vila <[EMAIL PROTECTED]>
To: Joey Hess <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: Bug#304547: rpdump TOCTOU file-permissions vulnerability
 (CAN-2005-1066)

On Wed, 13 Apr 2005, Joey Hess wrote:

> Santiago Vila wrote:
> > Only two executables produced by the pine source package are actually
> > included in binary packages, namely /usr/bin/pine in package pine and
> > /usr/bin/pilot in package pilot.
> > 
> > I do not consider my duty as pine maintainer to maintain dead code
> > (which is not shipped in any binary package) which is also non-free.
> > 
> > Do you want me to write the above in some sort of readme so that it's
> > clear for everybody, or may I close this report directly?
> 
> No, it's obviously your call as the maintainer.

Thank you.

