Your message dated Fri, 31 Jan 2014 22:32:21 +0000
with message-id <[email protected]>
and subject line Bug#736359: fixed in localepurge 0.6.3+deb7u1
has caused the Debian Bug report #736359,
regarding localepurge: CVE-2014-1638: tmp file vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
736359: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736359
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: localepurge
Version: 0.6.2+nmu1
Severity: important
Tags: security
Hi Niels,
the maintainer scripts of localepurge contain a funny tmp file
vulnerability:
$ grep tempfile -r .
./debian/postrm: DEBREINSTALL="$(tempfile).$$"
./debian/localepurge.config:TEMPFILE=$(tempfile).$$
./debian/localepurge.config:LOCALEGEN=$(tempfile).locale.gen
$
All of them are doing it wrong. They create a secure tempfile, but don't
use it and instead generate a (now) predictable(!) name without opening
it in a safe (O_CREAT) way.
Helmut
--- End Message ---
--- Begin Message ---
Source: localepurge
Source-Version: 0.6.3+deb7u1
We believe that the bug you reported is fixed in the latest version of
localepurge, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Niels Thykier <[email protected]> (supplier of updated localepurge package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 31 Jan 2014 18:44:30 +0100
Source: localepurge
Binary: localepurge
Architecture: source all
Version: 0.6.3+deb7u1
Distribution: wheezy
Urgency: medium
Maintainer: Niels Thykier <[email protected]>
Changed-By: Niels Thykier <[email protected]>
Description:
localepurge - Reclaim disk space removing unneeded localizations
Closes: 736359
Changes:
localepurge (0.6.3+deb7u1) wheezy; urgency=medium
.
* [CVE-2014-1638] Create tempfiles in a safe manner using
mktemp. Thanks to Helmut Grohne for reporting the
issue and helping with the patch. (Closes: #736359)
* Remove the creation of /var/tmp/reinstall_debs.sh during
postrm.
Checksums-Sha1:
764da1afcfa339f18c6a3b4c4338a5f1acecd287 1573 localepurge_0.6.3+deb7u1.dsc
faeb2f0aa488da1283655f42c6b5d985c4cdab26 48141 localepurge_0.6.3+deb7u1.tar.gz
4d450116bc2f997708b91f50d0f4d46af4d0005c 45926 localepurge_0.6.3+deb7u1_all.deb
Checksums-Sha256:
a9b6ed9c7ffd94d3a5d657b8cfeee79f5900942814edb511985dee2da531d363 1573 localepurge_0.6.3+deb7u1.dsc
d4a687f39f1f44169ebd29d9ec01d9fe445a03306d716e7d7087b8172fbccbab 48141 localepurge_0.6.3+deb7u1.tar.gz
a3a01f71628b48d4371282e45667066bba0a42a2bbac7fe0641daac3f476b3f9 45926 localepurge_0.6.3+deb7u1_all.deb
Files:
beb48d4a983722ee6f4747aa0d12971f 1573 admin optional localepurge_0.6.3+deb7u1.dsc
c66dbcef60b2f8f290ea50479f7f0e41 48141 admin optional localepurge_0.6.3+deb7u1.tar.gz
ecd7c2936509dd670370c00bf3702a7a 45926 admin optional localepurge_0.6.3+deb7u1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---
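The pattern Helmut describes (a safely created temp file whose name is then extended with ".$$" and never itself created) next to the mktemp-based form the changelog entry names, as an added shell example that is neither code from the localepurge package nor from the bug report. It assumes Debian's `tempfile` can be stood in for by `mktemp`, which also creates its file with O_CREAT|O_EXCL and mode 0600, so the script runs on any system; the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not code from localepurge.  The Debian-specific `tempfile`
# command is replaced by `mktemp` (assumption made for portability); both
# create a file exclusively with mode 0600 before printing its path.

# Vulnerable pattern from the report: ".$$" is appended to a path that was
# created safely.  The derived name is never created, so a later
# "> $TEMPFILE" opens whatever already sits at that path, and the safely
# created file is left behind unused in /tmp.
unsafe_tmpname() {
    echo "$(mktemp).$$"
}

# Corrected pattern from the changelog: use the path mktemp hands back.
safe_tmpname() {
    mktemp
}

# The file the vulnerable pattern created and then abandoned
# (the derived name minus its ".<pid>" suffix).
leaked_sibling() {
    echo "${1%.*}"
}

# Exit 0 when the path already exists as a regular file, i.e. the name was
# claimed at creation time instead of being computed for later use.
exists_as_file() {
    [ -f "$1" ]
}

# Exit 0 when the file is accessible by its owner only (mode exactly 0600).
owner_only() {
    [ -n "$(find "$1" -prune -perm 600 2>/dev/null)" ]
}

# Stand-alone walk-through: report what each pattern leaves on disk, then
# clean up so the demonstration does not itself litter /tmp.
demo() {
    bad=$(unsafe_tmpname)
    good=$(safe_tmpname)
    if exists_as_file "$bad"; then
        echo "unsafe: $bad exists"
    else
        echo "unsafe: $bad does not exist yet (no exclusive create)"
    fi
    if exists_as_file "$(leaked_sibling "$bad")"; then
        echo "unsafe: leaked $(leaked_sibling "$bad")"
    fi
    if exists_as_file "$good" && owner_only "$good"; then
        echo "safe:   $good exists with mode 0600"
    fi
    rm -f "$good" "$(leaked_sibling "$bad")"
}

demo
```

Running it prints one line per finding: the derived name does not exist (nothing was opened exclusively at that path), its sibling was created and leaked, and the mktemp path exists with owner-only permissions. The same checks can be dropped into a maintainer-script review to flag any `$(tempfile).something` or `$(mktemp).something` construction, since the telltale is a temp path that is computed rather than returned by the creating call.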