Your message dated Fri, 28 Feb 2014 21:18:40 +0000
with message-id <[email protected]>
and subject line Bug#739958: fixed in catfish 1.0.1-1
has caused the Debian Bug report #739958,
regarding catfish: insecure when cwd is world-writable (CVE-2014-2093 
CVE-2014-2094 CVE-2014-2095 CVE-2014-2096)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
739958: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739958
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: catfish
Version: 1.0.0-2
Tags: security

/usr/bin/catfish tries to execute bin/catfish.pyc and bin/catfish.py from the current working directory. If you call catfish from a world-writable directory (e.g. /tmp), a malicious local user could exploit this flaw to execute arbitrary code.

--
Jakub Wilk

--- End Message ---
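
The lookup pattern the report describes, next to a hardened resolver, as an added example that is not part of the original messages and is not catfish's own launcher or its 1.0.1 fix. The function names, the `.py` install layout and the temporary directories are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: hypothetical launcher helpers, not catfish's actual script.

# Weak: relative candidates resolve against the caller's current directory,
# so whoever can write to that directory decides what gets run.
resolve_relative() {
    rr_app=$1
    for rr_f in "bin/$rr_app.pyc" "bin/$rr_app.py"; do
        if [ -e "$rr_f" ]; then printf '%s\n' "$rr_f"; return 0; fi
    done
    return 1
}

# Hardened: consult only an absolute install directory, and refuse the target
# if it or its directory is world-writable (ancestor directories not checked).
# Status: 0 path printed, 1 missing, 2 directory not absolute, 3 world-writable.
resolve_fixed() {
    rf_app=$1 rf_dir=$2
    case $rf_dir in /*) ;; *) return 2 ;; esac
    rf_f=$rf_dir/$rf_app.py
    [ -f "$rf_f" ] || return 1
    if [ -n "$(find "$rf_dir" "$rf_f" -prune -perm -0002 -print)" ]; then
        return 3
    fi
    printf '%s\n' "$rf_f"
}

# Constructed layout: a locked-down install directory and a world-writable
# shared directory holding a stand-in bin/catfish.py. Run from the shared
# directory, the two resolvers select different files.
demo() {
    d_root=$(mktemp -d) || return 1
    mkdir -p "$d_root/install" "$d_root/shared/bin"
    : > "$d_root/install/catfish.py"; : > "$d_root/shared/bin/catfish.py"
    chmod 755 "$d_root/install"; chmod 644 "$d_root/install/catfish.py"
    chmod 777 "$d_root/shared"
    (
        cd "$d_root/shared" || exit 1
        printf 'relative: %s\n' "$(resolve_relative catfish)"
        printf 'fixed: %s\n' "$(resolve_fixed catfish "$d_root/install")"
    )
    rm -rf "$d_root"
}
```

Calling `demo` prints the path each resolver picks; only `resolve_relative` changes its answer with the working directory.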
--- Begin Message ---
Source: catfish
Source-Version: 1.0.1-1

We believe that the bug you reported is fixed in the latest version of
catfish, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jackson Doak <[email protected]> (supplier of updated catfish package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 28 Feb 2014 16:10:56 +1100
Source: catfish
Binary: catfish
Architecture: source all
Version: 1.0.1-1
Distribution: unstable
Urgency: medium
Maintainer: Jackson Doak <[email protected]>
Changed-By: Jackson Doak <[email protected]>
Description: 
 catfish    - File searching tool which is configurable via the command line
Closes: 739958
Changes: 
 catfish (1.0.1-1) unstable; urgency=medium
 .
   * New upstream release
     - Fix CVE-2014-2093, CVE-2014-2094, CVE-2014-2095, CVE-2014-2096.
       (Closes: #739958)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
