Your message dated Sun, 10 Feb 2013 17:17:04 +0000
with message-id <[email protected]>
and subject line Bug#650500: fixed in libproc-processtable-perl 0.45-1+squeeze1
has caused the Debian Bug report #650500,
regarding libproc-processtable-perl: [CVE-2011-4363] unsafe use of /tmp
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
650500: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650500
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libproc-processtable-perl
Version: 0.45-1
Severity: important
Tags: security

Proc::ProcessTable can cache TTY information (not enabled by default).
For this it uses the file /tmp/TTYDEVS.

If caching is enabled, there is a race condition that allows to
overwrite arbitrary files in ProcessTable.pm:

    102     if( -r $TTYDEVSFILE )
    103     {
    104       $_ = Storable::retrieve($TTYDEVSFILE);
    [...]
    107     else
    108     {
    [...]
    112       Storable::store(\%Proc::ProcessTable::TTYDEVS, $TTYDEVSFILE);

If a symlink /tmp/TTYDEVS is created between line 102 and 112, the file
the link points to is overwritten. Alternatively wrong information can
be provided.

The relevant code path can be reached with

    perl -MProc::ProcessTable -e 'my $t = Proc::ProcessTable->new(cache_ttys => 1, enable_ttys => 1); $t->table;'

Ansgar
--- End Message ---
--- Begin Message ---
Source: libproc-processtable-perl
Source-Version: 0.45-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
libproc-processtable-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libproc-processtable-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Sun, 10 Feb 2013 16:16:41 +0100
Source: libproc-processtable-perl
Binary: libproc-processtable-perl libproc-process-perl
Architecture: source amd64 all
Version: 0.45-1+squeeze1
Distribution: stable
Urgency: low
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Description:
 libproc-process-perl - Dummy package for libproc-processtable-perl rename
 libproc-processtable-perl - Perl library for accessing process table information
Closes: 650500
Changes:
 libproc-processtable-perl (0.45-1+squeeze1) stable; urgency=low
 .
   * Team upload.
   * [SECURITY] CVE-2011-4363: Fix unsafe temporary file usage (Closes: #650500)
--- End Message ---
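
Added example (not part of the bug report, the Debian upload, or the upstream patch): one race-free way to load and store a Storable cache like the one in the report, replacing the check-then-store sequence at lines 102-112. The sub names load_cache and store_cache, the ttydevs.XXXXXXXX template and the sample device map are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not the Debian or upstream patch. Sub names, the temp-file
# template and the sample data are hypothetical.
use strict;
use warnings;
use Fcntl qw(:mode O_RDONLY O_NOFOLLOW);
use File::Basename qw(dirname);
use File::Temp ();
use Storable qw(fd_retrieve store_fd);

# Read the cache through a handle: O_NOFOLLOW refuses a symlink at $path, and
# the type/owner/mode checks run on the open file, not on the name, so the
# path cannot be swapped between check and use.
sub load_cache {
    my ($path) = @_;
    sysopen(my $fh, $path, O_RDONLY | O_NOFOLLOW) or return;
    my @st = stat($fh) or return;
    return unless S_ISREG($st[2]) && $st[4] == $> && !($st[2] & 022);
    return eval { fd_retrieve($fh) };   # undef on corrupt data
}

# Write to a fresh file created with O_EXCL (File::Temp, mode 0600) in the
# same directory, then rename() it into place. rename() replaces a symlink
# sitting at $path; it never writes through it.
sub store_cache {
    my ($path, $data) = @_;
    my ($fh, $tmp) = File::Temp::tempfile('ttydevs.XXXXXXXX',
                                          DIR => dirname($path), UNLINK => 0);
    my $ok = eval { store_fd($data, $fh) } && close($fh) && rename($tmp, $path);
    unlink $tmp unless $ok;
    return $ok ? 1 : 0;
}

# Demo on constructed data inside a private scratch directory.
unless (caller) {
    my $dir    = File::Temp::tempdir(CLEANUP => 1);
    my $cache  = "$dir/TTYDEVS";
    my $victim = "$dir/victim";
    open(my $v, '>', $victim) or die $!;
    print {$v} "keep me\n";
    close $v;
    symlink($victim, $cache) or die $!;   # link already present at cache path
    print "load via symlink: ",
          (defined load_cache($cache) ? "accepted" : "refused"), "\n";
    store_cache($cache, { 1025 => 'ttyS0' }) or die "store failed";
    print "victim size: ", -s $victim, " bytes; cache path is a ",
          (-l $cache ? "symlink" : "regular file"), "\n";
    print "reloaded entry: ", load_cache($cache)->{1025}, "\n";
}
```

In a sticky world-writable directory such as /tmp, rename() over an entry owned by another user fails instead of following it, so a cache directory writable only by the calling user is the more robust location.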

