Your message dated Wed, 29 Sep 2010 22:02:05 +0000
with message-id <[email protected]>
and subject line Bug#591995: fixed in babiloo 2.0.11-1
has caused the Debian Bug report #591995,
regarding babiloo: insecure downloading and unpacking of dictionary files
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
591995: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=591995
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: babiloo
Version: 2.0.9-1
Severity: grave
Tags: security
Justification: user security hole

babiloo creates temporary files with predictable names, allowing a local
attacker to overwrite arbitrary files.

An example scenario:

1. Attacker does `ln -sf /file/to/overwrite /tmp/fra_vie.dct.zip`.
2. Victim runs babiloo, selects Dictionaries > Download Dictionaries,
   selects the "French-Vietnamese" dictionary, and clicks the icon to
   download it.

In addition to that, babiloo appears to be affected by CVE-2007-4559.

--
Jakub Wilk
--- End Message ---
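
The two problems in the report above (a download written to a guessable /tmp name, and archive unpacking that trusts member paths, which is the tarfile issue tracked as CVE-2007-4559) can both be closed as in the following added example. It is not babiloo's code and not the change shipped in 2.0.11; the function names are hypothetical and the sample archive is constructed in memory.

```python
import io
import os
import tarfile
import tempfile


def save_download(data, suffix=".dct.zip"):
    # mkstemp() picks a random name and opens it with O_CREAT|O_EXCL, so a
    # symlink planted in advance at a guessable /tmp path is never followed.
    fd, path = tempfile.mkstemp(suffix=suffix)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def unsafe_members(tar, dest):
    # Names of members that would land outside dest, or that are not plain
    # files or directories (links and device nodes are refused outright).
    root = os.path.realpath(dest)
    bad = []
    for m in tar.getmembers():
        target = os.path.realpath(os.path.join(root, m.name))
        escapes = os.path.commonpath([root, target]) != root
        if escapes or not (m.isfile() or m.isdir()):
            bad.append(m.name)
    return bad


def safe_extract(archive_path, dest):
    # All-or-nothing: extract only when every member passed the check.
    with tarfile.open(archive_path) as tar:
        bad = unsafe_members(tar, dest)
        if bad:
            raise ValueError("refusing to extract: %r" % bad)
        tar.extractall(dest)
        return tar.getnames()


def build_sample_tar(names):
    # Constructed sample input: an in-memory tar with one 4-byte file per name.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = 4
            tar.addfile(info, io.BytesIO(b"data"))
    return buf.getvalue()
```

The archive is checked as a whole before anything is written, so a rejected archive leaves the destination directory untouched.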
--- Begin Message ---
Source: babiloo
Source-Version: 2.0.11-1
We believe that the bug you reported is fixed in the latest version of
babiloo, which is due to be installed in the Debian FTP archive:

babiloo_2.0.11-1.diff.gz
  to main/b/babiloo/babiloo_2.0.11-1.diff.gz
babiloo_2.0.11-1.dsc
  to main/b/babiloo/babiloo_2.0.11-1.dsc
babiloo_2.0.11-1_all.deb
  to main/b/babiloo/babiloo_2.0.11-1_all.deb
babiloo_2.0.11.orig.tar.gz
  to main/b/babiloo/babiloo_2.0.11.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Marco Rodrigues <[email protected]> (supplier of updated babiloo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 28 Sep 2010 22:30:41 +0100
Source: babiloo
Binary: babiloo
Architecture: source all
Version: 2.0.11-1
Distribution: unstable
Urgency: low
Maintainer: Python Applications Packaging Team <[email protected]>
Changed-By: Marco Rodrigues <[email protected]>
Description:
 babiloo - dictionary viewer with multi-languages support
Closes: 591995
Changes:
 babiloo (2.0.11-1) unstable; urgency=low
 .
   * New upstream version (Closes: #591995).
   * debian/control:
     + Move python-qt4 to Recommends. Thanks Jakub Wilk for the tip.
     + Change my e-mail address.
   * debian/copyright:
     + Change my e-mail address.
   * debian/control:
     - Bump Standards-Version to 3.9.1, no changes required.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkyjs98ACgkQB01zfu119ZnC6ACfQPOLCo8EZgakA8LcbjTvilom
9h0An3upBm2X9Q2/IfNd58xvAiSTIYOl
=pJ5A
-----END PGP SIGNATURE-----
--- End Message ---