Your message dated Sun, 16 Aug 2015 12:20:38 +0000
with message-id <[email protected]>
and subject line Bug#775193: fixed in djvulibre 3.5.27.1-3
has caused the Debian Bug report #775193,
regarding djvudigital: insecure use of /tmp
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
775193: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775193
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: djvulibre-bin
Version: 3.5.25.4-4+b1
Tags: security

This is how djvudigital uses temporary files:

           djvutext="/tmp/dj$$.ps"
           trap "rm 2>/dev/null $djvutext" 0
           cat > $djvutext <<\EOF
(ps2utf8.ps) runlibfile currentglobal /setglobal load true setglobal
.ps2utf8 begin /onpage { } bind def /onfont { pop pop pop } bind def
/onmark { pop pop pop pop currentx currenty currentpoint
.djvutextmark } bind def end exec
EOF


This is insecure because the filename is predictable and, more importantly, the program doesn't fail atomically if the file already exists.

Please use mktemp(1) for creating temporary files.

--
Jakub Wilk

--- End Message ---
--- Begin Message ---
Source: djvulibre
Source-Version: 3.5.27.1-3

We believe that the bug you reported is fixed in the latest version of
djvulibre, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Barak A. Pearlmutter <[email protected]> (supplier of updated djvulibre package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 16 Aug 2015 14:03:10 +0200
Source: djvulibre
Binary: libdjvulibre-dev libdjvulibre21 libdjvulibre-text djvulibre-dbg djvulibre-desktop djview djview3 djvuserve djvulibre-bin
Architecture: source amd64 all
Version: 3.5.27.1-3
Distribution: unstable
Urgency: medium
Maintainer: Barak A. Pearlmutter <[email protected]>
Changed-By: Barak A. Pearlmutter <[email protected]>
Description:
 djview     - Transition package, djview3 to djview4
 djview3    - Transition package, djview3 to djview4
 djvulibre-bin - Utilities for the DjVu image format
 djvulibre-dbg - Debug symbols for the DjVu image format
 djvulibre-desktop - Desktop support for the DjVu image format
 djvuserve  - CGI program for unbundling DjVu files on the fly
 libdjvulibre-dev - Development files for the DjVu image format
 libdjvulibre-text - Linguistic support files for libdjvulibre
 libdjvulibre21 - Runtime support for the DjVu image format
Closes: 775193
Changes:
 djvulibre (3.5.27.1-3) unstable; urgency=medium
 .
   * use mktemp in shell script if available (closes: #775193)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
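
Added example (not part of the bug report or of the djvulibre package): the reported pattern next to an exclusive-create alternative, covering both the report's "doesn't fail atomically if the file already exists" and the changelog's "use mktemp in shell script if available". The function names, the scratch directory and the non-mktemp fallback are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration. Function names and the scratch directory are
# constructed for this example; they are not taken from djvudigital.

# Pattern from the report: predictable name, plain '>' redirection.
# The write succeeds even when the path already exists.
write_predictable() {            # $1 = target path
    cat > "$1" <<\EOF
(constructed sample payload)
EOF
}

# Exclusive create without mktemp: under noclobber (set -C) '>' refuses
# to overwrite an existing regular file instead of silently reusing it.
create_exclusive() {             # $1 = target path
    ( umask 077; set -C; : > "$1" ) 2>/dev/null
}

# Prefer mktemp(1): unpredictable name, exclusive create, mode 0600.
# The fallback branch is an assumption about what "if available" could
# look like; the changelog does not show the project's fallback.
make_private_tmp() {             # $1 = directory; prints the new path
    if command -v mktemp >/dev/null 2>&1; then
        mktemp "$1/djXXXXXXXX"
    else
        create_exclusive "$1/dj$$.ps" && printf '%s\n' "$1/dj$$.ps"
    fi
}

demo() {
    scratch=$(mktemp -d) || return 1
    printf 'planted\n' > "$scratch/dj$$.ps"      # file already exists
    write_predictable "$scratch/dj$$.ps" && echo "predictable: reused existing file"
    create_exclusive "$scratch/dj$$.ps" || echo "exclusive: refused existing file"
    tmp=$(make_private_tmp "$scratch") && echo "mktemp: created $tmp"
    rm -rf "$scratch"
}
demo
```

A script that adopts make_private_tmp should quote the returned path everywhere it is used, including in the cleanup trap.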
