Your message dated Tue, 22 Nov 2016 21:05:03 +0000
with message-id <[email protected]>
and subject line Bug#756565: fixed in lives 2.8.1-1
has caused the Debian Bug report #756565,
regarding lives: Numerous insecure temporary files used in smogrify
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
756565: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756565
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: lives
Version: 1.6.2
Severity: important
Tags: security

lives contains a perl script, smogrify, which is what does a lot of the work. I don't want to point out line-by-line all the issues in the smogrify script, but please consider significantly overhauling it. There are numerous insecure uses of temporary files. For example:

    if ($command eq "get_window_id") {
        smog_system("xwininfo > \"$curtmpdir/tmpinfo\"");
        smog_system("grep \"Window id:\" \"$curtmpdir/tmpinfo\" > \"$curtmpdir/tmpinfo2\"");
        if (defined(open IN,"< $curtmpdir/tmpinfo2")) {
            read IN,$win_id,128;
            close IN;
        }
    }

You'll see that $curtmpdir is set to /tmp/smogrify, via code such as:

    $handle=$ARGV[1];
    $curtmpdir="$tmpdir/$handle";

To investigate all the issues is beyond my free timeframe, but I'd suggest a decent starting point is to run the whole system under strace and grep for /tmp in open|close|unlink|creat calls.

Steve

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
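The quoted get_window_id code writes xwininfo output through a shell redirect into a fixed path under /tmp/smogrify/<handle>, so whoever creates that directory or a symlink there first decides where the write lands. The following is an added example, not code from smogrify or from the LiVES project, showing two replacements in Perl: reading the tool's output over a pipe so no temporary file exists at all, and, where a file is genuinely needed, creating it with File::Temp in a fresh mode-0700 directory. The function names, the `$label` parameter and the default `xwininfo` command are assumptions for illustration; `smog_system`, `$curtmpdir` and `$handle` are the report's names and appear only in the contrast comment.

```perl
#!/usr/bin/perl
# Added example, not code from smogrify or the LiVES project.
use strict;
use warnings;
use File::Temp qw(tempdir tempfile);

# The pattern quoted in the bug report, kept as a comment for contrast:
#   $curtmpdir = "$tmpdir/$handle";               # /tmp/smogrify/<handle>, predictable
#   smog_system("xwininfo > \"$curtmpdir/tmpinfo\"");
#   smog_system("grep \"Window id:\" \"$curtmpdir/tmpinfo\" > \"$curtmpdir/tmpinfo2\"");
# The shell's '>' follows whatever already sits at that path.

# Replacement 1: no temporary file at all.  The command is started through
# a pipe (a list of more than one element is exec'd without a shell) and its
# output is matched directly in Perl.
sub get_window_id_pipe {
    my @cmd = @_ ? @_ : ('xwininfo');   # assumption: same tool the report quotes
    open(my $in, '-|', @cmd) or die "cannot run @cmd: $!";
    my $win_id;
    while (my $line = <$in>) {
        if ($line =~ /Window id:\s*(0x[0-9A-Fa-f]+)/) {
            $win_id = $1;
            last;
        }
    }
    close($in);
    return $win_id;
}

# Replacement 2: when another tool really needs a file, put it in a fresh,
# randomly named, mode-0700 directory.  tempdir() creates a new directory
# rather than reusing an existing path, and tempfile() opens with
# O_CREAT|O_EXCL, so a pre-planted file or symlink cannot redirect the write.
# The caller-supplied label only names the file; it is sanitised and never
# used as a directory component (unlike $handle in the original).
sub capture_to_private_file {
    my ($label, @cmd) = @_;
    $label =~ s/[^A-Za-z0-9_.-]/_/g;
    my $dir = tempdir('smogrify-XXXXXXXX', TMPDIR => 1, CLEANUP => 1);
    my ($out, $path) = tempfile("$label-XXXXXXXX", DIR => $dir);
    open(my $in, '-|', @cmd) or die "cannot run @cmd: $!";
    print {$out} $_ while <$in>;
    close($in);
    close($out) or die "write to $path failed: $!";
    return $path;   # removed with $dir when the process exits (CLEANUP)
}

# Usage: the pipe variant needs an X display, as xwininfo does.
my $id = get_window_id_pipe();
print defined $id ? "window id: $id\n" : "no window id found\n";
```

Both variants also drop the string-built shell command, so a handle or path containing shell metacharacters can no longer change what gets executed.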
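The report's suggested audit, running the whole program under strace and grepping for /tmp in file-handling syscalls, can be turned into a small filter that classifies each hit instead of just listing it. The script below is an added example, not code from the report or from LiVES. It reads strace output (one syscall per line, as produced by `strace -f -e trace=file -o FILE`) and flags creates without O_EXCL and fixed-name directories in /tmp. It goes slightly beyond the report by also matching openat, mkdir, rename and symlink, since glibc routes open(2) through openat(2) on current systems and the other calls take part in the same race. The embedded @SAMPLE lines are constructed to resemble the quoted smogrify code path; they are not captured from LiVES, and the "looks random" rule is a heuristic.

```perl
#!/usr/bin/perl
# Added example, not code from the bug report or from LiVES.
# Real use:  strace -f -e trace=file -o lives.trace lives
#            perl tmp_audit.pl lives.trace
# With no file argument it runs over the constructed @SAMPLE lines below.
use strict;
use warnings;

# open/creat/unlink are the calls the report names; the rest are added
# because they participate in the same symlink race (see lead-in).
my $CALL_RE = qr{
    \b(open|openat|creat|unlink|unlinkat|mkdir|mkdirat|rename|symlink)
    \(
    (?:AT_FDCWD,\s*)?          # first argument of the *at variants
    "(/tmp/[^"]*)"             # the path; only /tmp is audited here
    ([^)]*)                    # remaining arguments: flags, mode, 2nd path
    \)\s*=\s*(-?\d+)           # return value
    (.*)$                      # errno text, e.g. " EEXIST (File exists)"
}x;

# Heuristic: a leaf of 8+ characters mixing letters and digits is taken as a
# mktemp-style random name; fixed words or bare PIDs are predictable.
sub looks_random {
    my ($path) = @_;
    my ($leaf) = $path =~ m{([^/]+)/?$};
    return defined $leaf && length($leaf) >= 8
        && $leaf =~ /[A-Za-z]/ && $leaf =~ /[0-9]/;
}

# Classify one strace line.  Returns undef when it does not touch /tmp,
# otherwise a hashref { call, path, ret, verdict }.
sub classify_line {
    my ($line) = @_;
    return undef unless $line =~ $CALL_RE;
    my ($call, $path, $rest, $ret, $tail) = ($1, $2, $3, $4, $5);
    my $verdict;
    if ($call =~ /^(?:open|openat|creat)$/) {
        if ($call eq 'creat' || $rest =~ /\bO_CREAT\b/) {
            $verdict = $rest =~ /\bO_EXCL\b/
                ? 'ok: created with O_EXCL'
                : 'UNSAFE: create/truncate without O_EXCL follows a planted symlink';
        } else {
            $verdict = 'check: reads a file another user may have replaced';
        }
    } elsif ($call =~ /^mkdir/) {
        $verdict = looks_random($path)
            ? 'ok: random directory name'
            : 'UNSAFE: fixed directory name in shared /tmp';
        $verdict .= ' (EEXIST: someone else already owns it)'
            if $ret == -1 && $tail =~ /EEXIST/;
    } else {
        $verdict = 'check: path operation in a shared directory';
    }
    return { call => $call, path => $path, ret => $ret, verdict => $verdict };
}

# Audit a list of strace lines; returns the /tmp hits in order.
sub audit {
    return grep { defined } map { classify_line($_) } @_;
}

# Constructed sample trace modelled on the quoted smogrify code (not real).
my @SAMPLE = (
    '4242 mkdir("/tmp/smogrify", 0777) = -1 EEXIST (File exists)',
    '4242 mkdir("/tmp/smogrify/12345", 0777) = 0',
    '4243 open("/tmp/smogrify/12345/tmpinfo", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3',
    '4244 open("/tmp/smogrify/12345/tmpinfo2", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3',
    '4242 open("/tmp/smogrify/12345/tmpinfo2", O_RDONLY) = 4',
    '4242 unlink("/tmp/smogrify/12345/tmpinfo") = 0',
    '4242 openat(AT_FDCWD, "/tmp/Xa1b2c3d4/out.wav", O_WRONLY|O_CREAT|O_EXCL, 0600) = 5',
    '4242 open("/home/user/video.mpg", O_RDONLY) = 6',
);

my @lines = @ARGV ? <> : @SAMPLE;
chomp @lines;
my $unsafe = 0;
for my $hit (audit(@lines)) {
    $unsafe++ if $hit->{verdict} =~ /^UNSAFE/;
    printf "%-7s %-42s %s\n", $hit->{call}, $hit->{path}, $hit->{verdict};
}
print "$unsafe unsafe /tmp operations\n";
exit($unsafe ? 1 : 0);
```

On the sample the two mkdir calls and the two O_CREAT opens without O_EXCL are reported as UNSAFE, the O_RDONLY open and the unlink as items to check, the O_EXCL openat under a random directory as ok, and the /home path is ignored. The non-zero exit status makes it usable as a regression check in a packaging test.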
--- Begin Message ---
Source: lives
Source-Version: 2.8.1-1

We believe that the bug you reported is fixed in the latest version of
lives, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <[email protected]> (supplier of updated lives package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 22 Nov 2016 21:30:46 +0100
Source: lives
Binary: libweed-dev libweed0 lives lives-data lives-plugins
Architecture: source
Version: 2.8.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <[email protected]>
Changed-By: Sebastian Ramacher <[email protected]>
Description:
 libweed-dev - Development library for inclusion of plugins into LiVES
 libweed0   - Runtime library for inclusion of plugins into LiVES
 lives      - Video Editing system allowing users to edit and create video
 lives-data - Data files for LiVES
 lives-plugins - LiVES plugins pack
Closes: 756565 798043 810146 843605 845364
Changes:
 lives (2.8.1-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release.
     - Do not generate empty audio files when encoding. (Closes: #810146)
     - No longer create world-writeable directories. (Closes: #798043)
     - Fix use of temporary files in smogrify. (Closes: #756565)
   * debian/control:
     - Remove Harry Rickards from Uploaders. Thanks for maintaining lives,
       Harry. (Closes: #843605)
     - Disable libschroedinger. Thanks to Andreas Cadhalpun. (Closes: #845364)
Checksums-Sha1:
 14b3c07ef9005827d745590942d1591acb59bae8 2652 lives_2.8.1-1.dsc
 124cf14da3a8d0843e1af7dddb4ce6727b58635f 3888441 lives_2.8.1.orig.tar.bz2
 70a63a1e0e4d34e81affc24d08ad296a9798126e 18600 lives_2.8.1-1.debian.tar.xz
Checksums-Sha256:
 a39a74a8ff5845d2eb45aad6b4990b4a5756d7343a92d76f7dff1b917f6837e7 2652 lives_2.8.1-1.dsc
 fcfec5c802a732b2856bff5a3dbe2d157caff663f7d24d78c5e05548941a6024 3888441 lives_2.8.1.orig.tar.bz2
 6b466609389d61b5413508684d25acc04bf7a9c9d066326dee3631821c51b1d9 18600 lives_2.8.1-1.debian.tar.xz
Files:
 12623c64d71a5e4343be0d3fb98a1daa 2652 video optional lives_2.8.1-1.dsc
 5ead5834902b3b6962a72627e584ae87 3888441 video optional lives_2.8.1.orig.tar.bz2
 7f0aee4b00b60c87e4f279d938745fb3 18600 video optional lives_2.8.1-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE94y6B4F7sUmhHTOQafL8UW6nGZMFAlg0q6wACgkQafL8UW6n
GZNPqA//SiW5YlrNFjOZsiXf37gBEqb+rqInx1vLT+UawM7ygF95m2a/UCFPufzh
MVqH+ridYO2DRXvpaAdMLnLkprQaCs8u9+oGbHkEkZCtr2HQkEttzJF4eYIsJkc/
uAEHpeo3R94/r8S/ssfcIoES7ZhIOAX5zivOrfIzP4L2iDFrFUgEclG8yM7i23XV
9YZj2wTvcRm9oRYqmpRdEL3TI3Yh59HftD0zUmisqP4GMlP9rLMD5OiLVyzOL8UD
nBYe1dDheTFqIEi0W512HD3w8JsraPWGtrm5O3DMsiaCZdQ1j1yMgJV7TKKKZlz2
yQh8QICHDsFRhvA4lQrq/H8FV13tU+uOmF5sY7zDMMN7PPY9OioKEsaJ5I122wDm
Jqd+UOLsbAY6vEdy6TFd23rxqyZ7wnSrKne/AtnzmcddjM2A9vPtPHYXQileO/mx
/32yyQnpSt0tuxxfcAkB+cfsdrRnbYXEqX0e93UObZGG2RtRMaPRw4PwZNBPpFw4
WK2NHi6k4OkQ3feS0RXxLCpkzUJ9v2QlHwRJtRLQ0GyA7M+IqwcGpVU+J+EtKrF5
LezZ74IZvEgtAgHVMB50NwUa3Wzlf690yz1cPioJHCEQUFGjCKvOnxzIce/4FTVF
fyUpBUnvlatk2DM8hDWrwmRBd6lbpm3hYYgyw6vtKqPscwXDpn8=
=m0yu
-----END PGP SIGNATURE-----
--- End Message ---

