Your message dated Mon, 28 Nov 2011 01:03:19 +0000
with message-id <[email protected]>
and subject line Bug#619223: fixed in mozplugger 1.14.3-6
has caused the Debian Bug report #619223,
regarding mozplugger: insecure handling of mozdebug file
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
619223: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619223
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mozplugger
Version: 1.14.2-4
Tags: security
Severity: minor
Hi,
Based on the changelog, since version 1.14.2-4 mozplugger is built with -DDEBUG
which enables the creation of 'mozdebug'. However, this file is created
in an insecure way, with a constant name, in $MOZPLUGGER_TMP, $TMPDIR, or
$HOME/tmp/. Whatever env var is found first, in that order.
A local attacker may use this vulnerability to append to another user's files,
corrupting them.
This is a fairly minor issue since it requires $MOZPLUGGER_TMP or $TMPDIR to
be set and to a world-writeable directory, but it should be fixed nevertheless.
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
--- End Message ---
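An added example, not part of the report and not mozplugger's code (the fix recorded below was to turn DEBUG off): it contrasts an append-mode `fopen()` on a fixed-name debug file with an open that refuses links, run in a private scratch directory. The names `open_debug_log` and `run_scenario` and the scratch paths are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened open for a fixed-name debug log: refuse symlinks and hard links,
 * and accept only a regular file owned by the caller. Returns fd or -1. */
int open_debug_log(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;                 /* ELOOP when the last component is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);                 /* not our regular file, or a hard link */
        return -1;
    }
    return fd;
}

/* Constructed scenario: "mozdebug" already exists as a symlink to another
 * file. hardened = 0 uses fopen(path, "a"), hardened = 1 uses
 * open_debug_log(). Returns the bytes that ended up in the link target. */
long run_scenario(int hardened)
{
    char dir[] = "/tmp/dbgdemoXXXXXX", target[64], logp[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(logp, sizeof logp, "%s/mozdebug", dir);
    FILE *t = fopen(target, "w");
    if (!t || fclose(t) != 0 || symlink(target, logp) != 0) return -1;
    if (hardened) {
        int fd = open_debug_log(logp);
        if (fd >= 0) { if (write(fd, "debug\n", 6) < 0) perror("write"); close(fd); }
    } else {
        FILE *f = fopen(logp, "a");    /* follows the symlink and appends */
        if (f) { fputs("debug\n", f); fclose(f); }
    }
    long n = stat(target, &st) == 0 ? (long)st.st_size : -1;
    unlink(logp); unlink(target); rmdir(dir);
    return n;
}
```

`O_NOFOLLOW` only covers the final path component, so the directory itself should still be one that only the user can write to.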
--- Begin Message ---
Source: mozplugger
Source-Version: 1.14.3-6
We believe that the bug you reported is fixed in the latest version of
mozplugger, which is due to be installed in the Debian FTP archive:
mozplugger_1.14.3-6.debian.tar.gz
to main/m/mozplugger/mozplugger_1.14.3-6.debian.tar.gz
mozplugger_1.14.3-6.dsc
to main/m/mozplugger/mozplugger_1.14.3-6.dsc
mozplugger_1.14.3-6_amd64.deb
to main/m/mozplugger/mozplugger_1.14.3-6_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alessio Treglia <[email protected]> (supplier of updated mozplugger package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 28 Nov 2011 01:37:29 +0100
Source: mozplugger
Binary: mozplugger
Architecture: source amd64
Version: 1.14.3-6
Distribution: unstable
Urgency: low
Maintainer: Alessio Treglia <[email protected]>
Changed-By: Alessio Treglia <[email protected]>
Description:
mozplugger - Plugin allowing external viewers to be launched inside Mozilla
Closes: 619223
Changes:
mozplugger (1.14.3-6) unstable; urgency=low
.
* Turn off DEBUG mode (Closes: #619223).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk7S2XoACgkQRdSMfNz8P9CmRwCeNT5u/j+4baaLJdD824RWI7ur
13sAnj8VL2DHUjhBWReaZCiCw0SBUbz/
=xWNY
-----END PGP SIGNATURE-----
--- End Message ---