Your message dated Sun, 10 Feb 2013 14:48:39 +0000 with message-id <[email protected]> and subject line Bug#650500: fixed in libproc-processtable-perl 0.45-6 has caused the Debian Bug report #650500, regarding libproc-processtable-perl: [CVE-2011-4363] unsafe use of /tmp to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
650500: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650500
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libproc-processtable-perl
Version: 0.45-1
Severity: important
Tags: security

Proc::ProcessTable can cache TTY information (not enabled by default). For this it uses the file /tmp/TTYDEVS. If caching is enabled, there is a race condition that allows overwriting arbitrary files in ProcessTable.pm:

    102 if( -r $TTYDEVSFILE )
    103 {
    104     $_ = Storable::retrieve($TTYDEVSFILE);
    [...]
    107 else
    108 {
    [...]
    112     Storable::store(\%Proc::ProcessTable::TTYDEVS, $TTYDEVSFILE);

If a symlink /tmp/TTYDEVS is created between line 102 and 112, the file the link points to is overwritten. Alternatively, wrong information can be provided.

The relevant code path can be reached with

    perl -MProc::ProcessTable -e 'my $t = Proc::ProcessTable->new(cache_ttys => 1, enable_ttys => 1); $t->table;'

Ansgar
--- End Message ---
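One defensive way to handle such a cache, as an added example that is neither the Debian patch nor Proc::ProcessTable's own code: the file lives in a private per-user directory rather than /tmp, is created with O_EXCL|O_NOFOLLOW and published by atomic rename, and is read back through a descriptor that is checked after opening, so no check-then-use window remains. The directory layout, function names and sample data are assumptions.

```perl
# Added example, not the Debian patch and not Proc::ProcessTable's own code:
# keep the TTY cache in a private per-user directory, never follow symlinks.
use strict;
use warnings;
use Fcntl qw(:DEFAULT :mode);          # O_* flags and S_ISREG
use File::Path qw(make_path);
use File::Spec;
use Storable qw(nstore_fd fd_retrieve);

# Directory layout is an assumption; the point is that only the current uid
# can create names inside it, which removes the /tmp symlink race entirely.
sub cache_dir {
    my $base = $ENV{XDG_CACHE_HOME} // "$ENV{HOME}/.cache";
    my $dir  = File::Spec->catdir($base, 'proc-processtable');
    make_path($dir, { mode => 0700 }) unless -d $dir;
    my @st = lstat $dir or die "lstat $dir: $!";
    die "$dir is not a directory owned by uid $<" unless -d _ && $st[4] == $<;
    die "$dir is group/world writable"            if $st[2] & 022;
    return $dir;
}

sub store_ttydevs {
    my ($ttydevs) = @_;
    my $file = File::Spec->catfile(cache_dir(), 'TTYDEVS');
    my $tmp  = "$file.$$." . int(rand 1e9);
    # O_EXCL|O_NOFOLLOW: creation fails instead of writing through a planted link.
    sysopen(my $fh, $tmp, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)
        or die "sysopen $tmp: $!";
    eval { nstore_fd($ttydevs, $fh); close $fh or die "close $tmp: $!"; 1 }
        or do { my $err = $@; unlink $tmp; die $err };
    # rename() swaps the name atomically; a symlink at $file is replaced, not followed.
    rename $tmp, $file or do { unlink $tmp; die "rename $tmp -> $file: $!" };
    return $file;
}

sub retrieve_ttydevs {
    my $file = File::Spec->catfile(cache_dir(), 'TTYDEVS');
    # O_NOFOLLOW refuses a symlink; the checks below run on the open descriptor,
    # so there is no window between checking and reading.
    sysopen(my $fh, $file, O_RDONLY | O_NOFOLLOW) or return;   # no usable cache
    my @st = stat $fh or die "fstat $file: $!";
    return unless S_ISREG($st[2]) && $st[4] == $<;            # regular file, ours
    return fd_retrieve($fh);
}

my %sample = ('/dev/tty1' => 1025, '/dev/pts/0' => 34816);  # constructed sample data
store_ttydevs(\%sample);
my $back = retrieve_ttydevs() or die "cache unreadable";
print "cache round-trip ok: ", scalar(keys %$back), " entries\n";
```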
--- Begin Message ---
Source: libproc-processtable-perl
Source-Version: 0.45-6

We believe that the bug you reported is fixed in the latest version of libproc-processtable-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libproc-processtable-perl package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 10 Feb 2013 15:01:30 +0100
Source: libproc-processtable-perl
Binary: libproc-processtable-perl
Architecture: source amd64
Version: 0.45-6
Distribution: unstable
Urgency: low
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Description:
 libproc-processtable-perl - Perl library for accessing process table information
Closes: 650500
Changes:
 libproc-processtable-perl (0.45-6) unstable; urgency=low
 .
   * Add CVE-2011-4363.patch patch [SECURITY] CVE-2011-4363: Fix unsafe temporary file usage.
     (Closes: #650500)
--- End Message ---

