Your message dated Mon, 23 Jan 2012 22:12:38 +0000
with message-id <[email protected]>
and subject line Bug#656388: Removed package(s) from unstable
has caused the Debian Bug report #656388,
regarding RM: tucan -- RoM; abandoned upstream
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
656388: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=656388
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: tucan
Version: 0.3.9-1
Severity: grave
Tags: security
Justification: user security hole

Tucan comes with "plugins" to handle downloads from the various
download sites it supports. These plugins are basically python modules
which run with the same permissions as the user running tucan. The
tucan package comes with a set of such plugins in
/usr/share/default_plugins/, but it downloads updates of these plugins
via http/https and places them in ~/.tucan/plugins/. This means that
after an update, debian-packaged code is effectively replaced by code
directly from the upstream repository. This in itself is problematic,
but because the update mechanism is implemented in an insecure
fashion, a remote attacker could use it to introduce a malicious plugin
which executes arbitrary code with the permissions of the user running
tucan.

The plugins tucan downloads are unsigned, so a remote attacker could
introduce a plugin containing malicious code either by compromising
the remote sites where the plugins are stored, or by means of a
man-in-the-middle attack on the http/https connection from tucan to
the site holding the updates (tucan doesn't seem to check the server
certificate on SSL connections). Tools for automating this kind of
exploit exist, e.g. https://code.google.com/p/ippon-mitm/

The best way to address this problem is probably to disable the update
mechanism entirely in the debian package, and distribute updated
plugin files via apt. (Upstream might want to look into signing their updates,
and possibly making changes to the program's design so that the plugins
run in some kind of sandbox rather than with full user permissions.)



--- End Message ---
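The report above describes two gaps in the updater: the TLS connection does not verify the server certificate, and the plugin files it fetches are unsigned, so both a man-in-the-middle and a compromised upstream repository can drop arbitrary Python into ~/.tucan/plugins/. The following is an added example, not tucan's code, showing what closing both gaps looks like in a Python updater: an SSL context that actually verifies the chain and hostname next to the permissive one the report implies, and an integrity gate that refuses to install anything whose SHA-256 digest is not in a manifest shipped by the package (the "distribute updated plugin files via apt" route the reporter suggests; a detached-signature check from upstream would sit in the same place as verify_digest). All names in the block (insecure_context, secure_context, fetch_plugin, install_plugin, PINNED_MANIFEST, the sample plugin and its file name) are assumptions made for illustration, and the sample plugin bytes are constructed.

```python
"""Hardening sketch for a plugin auto-updater of the kind described in the
report above.  Added example: not tucan's code.  Every name here
(insecure_context, secure_context, fetch_plugin, install_plugin,
PINNED_MANIFEST, the sample plugin) is an assumption for illustration."""
import hashlib
import hmac
import ssl
import tempfile
import urllib.request
from pathlib import Path


# --- 1. Transport.  The report says tucan "doesn't seem to check the server
# certificate".  The two contexts below make that difference concrete.

def insecure_context() -> ssl.SSLContext:
    """What 'https without certificate checking' amounts to: any certificate
    is accepted, so a man-in-the-middle can serve a plugin of their own."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context() -> ssl.SSLContext:
    """Chain verified against the system trust store, hostname checked."""
    return ssl.create_default_context()


def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    return bool(ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname)


def fetch_plugin(url: str, ctx: ssl.SSLContext, timeout: float = 10.0) -> bytes:
    """Download plugin bytes over a verified connection (needs network, so the
    offline demo below does not call it)."""
    if not url.startswith("https://"):
        raise ValueError("plugin updates must not travel over plain http")
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


# --- 2. Integrity gate.  TLS alone does nothing against a compromised
# upstream repository, the report's other attack path.  The packaged side
# ships a manifest of SHA-256 digests (updated through apt), and nothing
# that fails it reaches ~/.tucan/plugins/.  An upstream signature check
# would take the place of verify_digest().

# Constructed sample plugin and manifest for the offline demo (assumption).
SAMPLE_PLUGIN = b"# constructed sample plugin\ndef download(url):\n    return url\n"
PINNED_MANIFEST = {"example_site.py": hashlib.sha256(SAMPLE_PLUGIN).hexdigest()}


def safe_plugin_name(name: str) -> bool:
    """A manifest entry must name a bare module file, never a path; otherwise a
    hostile manifest could write outside the plugin directory."""
    return name == Path(name).name and name.endswith(".py") and not name.startswith(".")


def verify_digest(name: str, data: bytes, manifest: dict) -> bool:
    expected = manifest.get(name)
    if expected is None:                # unknown plugin: not vetted, refuse
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


def install_plugin(name: str, data: bytes, plugin_dir: Path, manifest: dict) -> Path:
    """Write the plugin only if name and digest pass; swap it in atomically."""
    if not safe_plugin_name(name):
        raise ValueError(f"refusing plugin name {name!r}")
    if not verify_digest(name, data, manifest):
        raise ValueError(f"digest mismatch for {name}: refusing to install")
    plugin_dir.mkdir(parents=True, exist_ok=True)
    target = plugin_dir / name
    tmp = target.with_name(name + ".tmp")
    tmp.write_bytes(data)
    tmp.replace(target)                 # a half-written module is never importable
    return target


def demo() -> dict:
    """Offline walk-through: genuine plugin, tampered plugin, path traversal."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        plugin_dir = Path(d) / "plugins"
        installed = install_plugin("example_site.py", SAMPLE_PLUGIN, plugin_dir, PINNED_MANIFEST)
        out["genuine"] = installed.read_bytes() == SAMPLE_PLUGIN
        tampered = SAMPLE_PLUGIN + b"import os; os.system('id')\n"
        try:
            install_plugin("example_site.py", tampered, plugin_dir, PINNED_MANIFEST)
            out["tampered"] = "installed"
        except ValueError:
            out["tampered"] = "rejected"
        try:
            install_plugin("../evil.py", SAMPLE_PLUGIN, plugin_dir, PINNED_MANIFEST)
            out["traversal"] = "installed"
        except ValueError:
            out["traversal"] = "rejected"
        out["leftover"] = sorted(p.name for p in plugin_dir.iterdir())
    return out


if __name__ == "__main__":
    print(demo())
```

Neither half is sufficient on its own: with only the verified TLS context a compromised upstream still ships whatever it likes, and with only the digest gate a man-in-the-middle can still serve stale-but-valid plugins or simply block updates. The gate also does nothing about the report's third point, that plugins run with the full permissions of the user; that needs a design change in how plugins are loaded, not a download-time check.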
--- Begin Message ---
We believe that the bug you reported is now fixed; the following
package(s) have been removed from unstable:

     tucan |   0.3.10-2 | source, all

------------------- Reason -------------------
RoM; abandoned upstream
----------------------------------------------

Note that the package(s) have simply been removed from the tag
database and may (or may not) still be in the pool; this is not a bug.
The package(s) will be physically removed automatically when no suite
references them (and in the case of source, when no binary references
it).  Please also remember that the changes have been done on the
master archive (ftp-master.debian.org) and will not propagate to any
mirrors (ftp.debian.org included) until the next cron.daily run at the
earliest.

Packages are usually not removed from testing by hand. Testing tracks
unstable and will automatically remove packages which were removed
from unstable when removing them from testing causes no dependency
problems. The release team can force a removal from testing if it is
really needed, please contact them if this should be the case.

We try to close Bugs which have been reported against this package
automatically.  But please check all old bugs, whether they were closed
correctly or should have been re-assigned to another package.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected].

The full log for this bug can be viewed at http://bugs.debian.org/656388

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
[email protected].

Debian distribution maintenance software
pp.
Luca Falavigna (the ftpmaster behind the curtain)


--- End Message ---