Your message dated Tue, 09 Feb 2010 15:36:20 +0000
with message-id <[email protected]>
and subject line Bug#537604: fixed in slim 1.3.1-5
has caused the Debian Bug report #537604,
regarding slim: overwrites arbitrary files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
537604: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=537604
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: slim
Version: 1.3.0-2
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: [email protected]

If scrot is installed, users are able to overwrite arbitrary files in the
filesystem.

Pressing F11 on the slim login screen runs scrot with root rights to
save a screenshot to /tmp/slim.png. If this file is symlinked to another
location, that location is overwritten instead.

This bug is introduced by debian/patches/slim-conf.patch and hence
Debian-specific - upstream saves the screenshot in a directory that is
only writable by root.


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (400, 'unstable'), (300, 'experimental')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.30 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages slim depends on:
ii  debconf [debconf-2.0]         1.5.27     Debian configuration management sy
ii  libc6                         2.9-12     GNU C Library: Shared libraries
ii  libgcc1                       1:4.4.0-5  GCC support library
ii  libjpeg62                     6b-14      The Independent JPEG Group's JPEG
ii  libpam0g                      1.0.1-9    Pluggable Authentication Modules l
ii  libpng12-0                    1.2.37-1   PNG library - runtime
ii  libstdc++6                    4.4.0-5    The GNU Standard C++ Library v3
ii  libx11-6                      2:1.2.1-1  X11 client-side library
ii  libxft2                       2.1.13-3   FreeType-based font drawing librar
ii  libxmu6                       2:1.0.4-1  X11 miscellaneous utility library

Versions of packages slim recommends:
ii  gnome-terminal [x-terminal-em 2.26.2-2   The GNOME terminal emulator applic

Versions of packages slim suggests:
pn  scrot                         <none>     (no description available)



--- End Message ---
--- Begin Message ---
Source: slim
Source-Version: 1.3.1-5

We believe that the bug you reported is fixed in the latest version of
slim, which is due to be installed in the Debian FTP archive:

slim_1.3.1-5.diff.gz
  to main/s/slim/slim_1.3.1-5.diff.gz
slim_1.3.1-5.dsc
  to main/s/slim/slim_1.3.1-5.dsc
slim_1.3.1-5_i386.deb
  to main/s/slim/slim_1.3.1-5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nobuhiro Iwamatsu <[email protected]> (supplier of updated slim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 09 Feb 2010 22:58:12 +0900
Source: slim
Binary: slim
Architecture: source i386
Version: 1.3.1-5
Distribution: unstable
Urgency: low
Maintainer: Nobuhiro Iwamatsu <[email protected]>
Changed-By: Nobuhiro Iwamatsu <[email protected]>
Description: 
 slim       - desktop-independent graphical login manager for X11
Closes: 537604
Changes: 
 slim (1.3.1-5) unstable; urgency=low
 .
   * Update debian/control.
     - Bump up Standards-Version.
   * Update patches/slim-conf.patch
     - scrot default location to /root. (Closes: #537604)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAktxbCIACgkQQSHHQzFw6+m+9gCfQCTPun6MqdJcGNTPtMZwjJoa
O94AoIdAEuZqkqwhmkmxlq3tB0p7Rg7J
=UDAm
-----END PGP SIGNATURE-----



--- End Message ---
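
The failure mode in the report and the reasoning behind the 1.3.1-5 change, as an added C example (not code from slim, scrot or the Debian patch): it contrasts an open that follows a pre-existing symlink with an exclusive create, and checks whether a directory lets other users create names in it. All function names are hypothetical, and the scenario runs in a scratch directory where `target` stands in for the file that gets overwritten.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static int save_with(const char *path, const char *data, int flags, mode_t mode) {
    int fd = open(path, O_WRONLY | O_CREAT | flags, mode);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}
/* Pattern from the report: fixed name, truncate whatever it resolves to.
 * open() follows a symlink at `path`, so the link target is clobbered. */
static int save_following_links(const char *path, const char *data) {
    return save_with(path, data, O_TRUNC, 0644);
}
/* Hardened: O_EXCL fails with EEXIST if the name already exists, even as a
 * dangling symlink; O_NOFOLLOW refuses a symlink in the last component. */
static int save_exclusive(const char *path, const char *data) {
    return save_with(path, data, O_EXCL | O_NOFOLLOW, 0600);
}
/* The 1.3.1-5 approach changes the directory instead. Returns 1 if group or
 * others can create names in `dir` (as in /tmp), 0 if only the owner can. */
static int others_can_create_in(const char *dir) {
    struct stat st;
    if (stat(dir, &st) != 0) return -1;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) != 0;
}
/* Constructed scenario: `shot` is the predictable output name, already a
 * symlink to `target`. Returns 1 if `target` is intact after save(shot). */
static int target_survives(int (*save)(const char *, const char *)) {
    char dir[] = "/tmp/symlink-demo-XXXXXX", target[64], shot[64], buf[16] = "";
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(shot, sizeof shot, "%s/slim.png", dir);
    save_following_links(target, "original");
    int linked = symlink(target, shot);
    save(shot, "PNG");
    FILE *f = fopen(target, "r");
    if (f) { if (!fgets(buf, sizeof buf, f)) buf[0] = '\0'; fclose(f); }
    unlink(shot); unlink(target); rmdir(dir);
    return linked == 0 ? strcmp(buf, "original") == 0 : -1;
}
int main(void) { /* prints "0 1": clobbered via the link, intact with O_EXCL */
    printf("%d %d\n", target_survives(save_following_links), target_survives(save_exclusive));
}
```

On current Linux kernels the fs.protected_symlinks sysctl adds a second layer for sticky world-writable directories such as /tmp, but writing to a directory only root can modify, as 1.3.1-5 does, removes the precondition entirely.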
