Your message dated Mon, 29 Dec 2008 21:17:03 +0000
with message-id <[email protected]>
and subject line Bug#509277: fixed in cmus 2.2.0-3
has caused the Debian Bug report #509277,
regarding CVE-2008-5375: insecure temp file handling
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
509277: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=509277
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: cmus
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for cmus.
CVE-2008-5375[0]:
| cmus-status-display in cmus 2.2.0 allows local users to overwrite
| arbitrary files via a symlink attack on the /tmp/cmus-status temporary
| file.
debug.c also does something in /tmp, so one would need to check that as
well.
Since the program is not executed with root rights, this could be fixed
for stable via stable-proposed-updates.
It would also be nice to fix this bug for lenny.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5375
http://security-tracker.debian.net/tracker/CVE-2008-5375
--- End Message ---
--- Begin Message ---
Source: cmus
Source-Version: 2.2.0-3
We believe that the bug you reported is fixed in the latest version of
cmus, which is due to be installed in the Debian FTP archive:
cmus_2.2.0-3.diff.gz
to pool/main/c/cmus/cmus_2.2.0-3.diff.gz
cmus_2.2.0-3.dsc
to pool/main/c/cmus/cmus_2.2.0-3.dsc
cmus_2.2.0-3_i386.deb
to pool/main/c/cmus/cmus_2.2.0-3_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Carlos Eduardo Sotelo Pinto (krlos) <[email protected]> (supplier of updated
cmus package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 29 Dec 2008 22:01:01 +0100
Source: cmus
Binary: cmus
Architecture: source i386
Version: 2.2.0-3
Distribution: unstable
Urgency: low
Maintainer: Carlos Eduardo Sotelo Pinto (krlos) <[email protected]>
Changed-By: Carlos Eduardo Sotelo Pinto (krlos) <[email protected]>
Description:
cmus - lightweight ncurses audio player
Closes: 509277
Changes:
cmus (2.2.0-3) unstable; urgency=low
.
* Acknowledging NMU. Closes: #509277.
Checksums-Sha1:
473f4618994f3124de2f06d728f17d32b4498a84 1179 cmus_2.2.0-3.dsc
0b55c74d661cf40b18d3db41f9b6ae884427dbb2 3587 cmus_2.2.0-3.diff.gz
ef7b2fabb004621a43d1e8c1b7db82a27cb76312 143262 cmus_2.2.0-3_i386.deb
Checksums-Sha256:
b2fe0c9a41fe11817eece05487827c6a4b78763d0fc432a3b8d64a89137984de 1179
cmus_2.2.0-3.dsc
8a9fac8880d707d4e0a1a736cca6e2ca7903e979fb9ca4ea20dbf81440b9f9e8 3587
cmus_2.2.0-3.diff.gz
7d74e76608df45998e718e2a87aba79e3edbb1067424facebf0110ae6c79b34c 143262
cmus_2.2.0-3_i386.deb
Files:
121393f814ed8808520b73331180ddde 1179 sound optional cmus_2.2.0-3.dsc
12e1d72970c758ba20dfb8530d0a65e1 3587 sound optional cmus_2.2.0-3.diff.gz
b0e0dd16c8ddd6c97ba925a2a0a00461 143262 sound optional cmus_2.2.0-3_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAklZOykACgkQbMaawmho9B9JjwCfScoK4Gw2ODvNPOKmu0ec4tg4
cR8AoKMGbuRwy3d0K4KXVwgoWfuzpmZ+
=Yk6m
-----END PGP SIGNATURE-----
--- End Message ---