Your message dated Sun, 26 Jan 2014 09:49:07 +0000
with message-id <[email protected]>
and subject line Bug#736359: fixed in localepurge 0.7.3.2
has caused the Debian Bug report #736359,
regarding localepurge: CVE-2014-1638: tmp file vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
736359: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736359
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: localepurge
Version: 0.6.2+nmu1
Severity: important
Tags: security

Hi Niels,

the maintainer scripts of localepurge contain a funny tmp file
vulnerability:

$ grep tempfile -r .
./debian/postrm:    DEBREINSTALL="$(tempfile).$$"
./debian/localepurge.config:TEMPFILE=$(tempfile).$$
./debian/localepurge.config:LOCALEGEN=$(tempfile).locale.gen
$

All of them are doing it wrong. They create a secure tempfile, but don't
use it and instead generate a (now) predictable(!) name without opening
it in a safe (O_CREAT) way.

Helmut

--- End Message ---
--- Begin Message ---
Source: localepurge
Source-Version: 0.7.3.2

We believe that the bug you reported is fixed in the latest version of
localepurge, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niels Thykier <[email protected]> (supplier of updated localepurge package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 26 Jan 2014 10:31:20 +0100
Source: localepurge
Binary: localepurge
Architecture: source all
Version: 0.7.3.2
Distribution: unstable
Urgency: high
Maintainer: Niels Thykier <[email protected]>
Changed-By: Niels Thykier <[email protected]>
Description: 
 localepurge - reclaim disk space by removing unneeded localizations
Closes: 736359
Changes: 
 localepurge (0.7.3.2) unstable; urgency=high
 .
   * [CVE-2014-1638] Create tempfiles in a safe manner using
     mktemp.  Thanks to Helmut Grohne for reporting the
     issue and helping with the patch.  (Closes: #736359)
   * Properly quote the usage / initialisation of the variables
     containing temp files.
   * Remove the creation of /var/tmp/reinstall_debs.sh during
     postrm.
Checksums-Sha1: 
 b4570098d69f446fa1b62b0118c089f9ce1064a0 1553 localepurge_0.7.3.2.dsc
 fdec3f845c6d57267b1dbe241d3d3ceab04e11c4 52832 localepurge_0.7.3.2.tar.xz
 bd5c284a59b548e4d310a8f79dd71b53a6f2ec48 49920 localepurge_0.7.3.2_all.deb
Checksums-Sha256: 
 18ec86eb447ac32a090661bb0a8ab6e5f310093c52cbfec5932693d81b31e383 1553 localepurge_0.7.3.2.dsc
 22bf6faaa1e69c4074b0f0f7ed6cab55a8948f024ce823e15550e45ef264247a 52832 localepurge_0.7.3.2.tar.xz
 6079ce30f9b95e4ea9ea49ab1b7bb87add186518b13c4b0f4ddc7eb02e36bc42 49920 localepurge_0.7.3.2_all.deb
Files: 
 25ecc0a38dac267e147b07ce81f692c6 1553 admin optional localepurge_0.7.3.2.dsc
 e428291974379a82122ae9e0ff1b3d51 52832 admin optional localepurge_0.7.3.2.tar.xz
 cb16f10d1e4a09389a2a0fa6964840d1 49920 admin optional localepurge_0.7.3.2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
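The report above describes the flaw ($(tempfile) creates a secure file that is then ignored, and a predictable "<that name>.$$" is used instead), and the changelog names the fix (create the temp file with mktemp). The following is an added example, not code from localepurge, the bug report, or the uploaded package: a POSIX sh snippet that creates a temp file the safe way, a small scanner that flags the flawed pattern in maintainer scripts, and a typical scratch-file use built on the safe primitive. The function names and the "localepurge.XXXXXX" template are assumptions for this example.

```shell
#!/bin/sh
# Added example (not code from localepurge or from the bug report):
# safe temp-file creation with mktemp, the fix named in the changelog,
# plus a scanner for the "$(tempfile).$$" pattern the report describes.
# Function names and the template below are assumptions for this example.

# make_safe_tempfile: let mktemp both choose the name and create the file
# (O_CREAT|O_EXCL, mode 0600). The name only becomes known after the file
# exists, so another local user cannot pre-create or symlink that path.
make_safe_tempfile() {
    mktemp "${TMPDIR:-/tmp}/localepurge.XXXXXX"
}

# check_tempfile_usage FILE: print lines where the output of tempfile(1)
# or mktemp(1) is only used as a prefix, e.g. "$(tempfile).$$" or
# "$(tempfile).locale.gen". The securely created file is left unused and
# the derived, predictable name is then opened without O_EXCL.
# Exit status 0 when a suspicious line is found, 1 otherwise.
check_tempfile_usage() {
    grep -En '\$\((tempfile|mktemp)[^)]*\)\.' "$1"
}

# count_lines_via_tempfile ITEM...: a typical maintainer-script use of a
# scratch file (write a list, read it back, clean up), using the safe
# primitive above and a trap so the file is removed on early exit.
count_lines_via_tempfile() {
    tmp=$(make_safe_tempfile) || return 1
    trap 'rm -f "$tmp"' EXIT
    printf '%s\n' "$@" > "$tmp"
    wc -l < "$tmp" | tr -d ' '
    rm -f "$tmp"
    trap - EXIT
}
```

Running check_tempfile_usage over the three files listed in the report would flag all three assignments; the same scan passes once the assignments use the mktemp output directly, as the 0.7.3.2 changelog describes.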