Your message dated Fri, 26 Jul 2024 18:52:09 +0000
with message-id <[email protected]>
and subject line Bug#875335: fixed in lp-solve 5.5.2.11-1
has caused the Debian Bug report #875335,
regarding predictable /tmp file vulnerability while building lp-solve
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
875335: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875335
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: lp-solve
Version: 5.5.0.15-4
Severity: important
Tags: security
User: [email protected]
Usertags: rebootstrap

Building the lp-solve package exposes users to a predictable /tmp file
vulnerability. debian/rules runs lpsolve55/ccc. That script hard codes
/tmp/platform.c. By setting up a carefully crafted symbolic link, an
attacker on the same machine can gain privileges of the user running an
lp-solve build. I did not request a CVE for this issue.

Helmut

--- End Message ---
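
The following is an added example, not part of the bug report and not lp-solve's ccc script: a shell sketch of the hardened pattern for a build step that writes a probe source file, plus an audit helper that flags fixed /tmp paths in a script. All function names, the probe source and the sample script are constructed for illustration.

```shell
#!/bin/sh
# Added example; every name below is hypothetical, not from lp-solve.

# Create a private scratch directory with an unpredictable name.
# mktemp -d creates it mode 0700 and fails rather than reuse an existing
# path, so nothing planted in /tmp beforehand can stand in for it.
make_scratch_dir() {
    ( umask 077; mktemp -d "${TMPDIR:-/tmp}/platform-probe.XXXXXXXXXX" )
}

# Write a (constructed) probe source inside the scratch directory and
# print its path. noclobber (set -C) makes the redirect refuse to
# overwrite a file that already exists at that name.
write_probe_source() {
    src="$1/platform.c"
    ( set -C
      printf '%s\n' '#include <stdio.h>' \
          'int main(void){printf("ux%d",(int)(sizeof(void*)*8));return 0;}' \
          > "$src" ) || return 1
    printf '%s\n' "$src"
}

# Audit helper: print numbered lines that use a fixed path under /tmp,
# i.e. "/tmp/<name>" written literally rather than built from a variable.
# Reads the files given as arguments, or stdin when there are none.
find_fixed_tmp_paths() {
    grep -nE '(^|[^A-Za-z0-9_$}/])/tmp/[A-Za-z0-9_.-]+' -- "$@"
}

# Constructed sample input: two lines with a hard-coded /tmp name (the
# pattern the report describes) and two lines using a mktemp directory.
sample_build_script() {
    cat <<'EOF'
>/tmp/platform.c
cc /tmp/platform.c -o /tmp/platform
work=$(mktemp -d "${TMPDIR:-/tmp}/probe.XXXXXX")
cc "$work/platform.c" -o "$work/platform"
EOF
}
```

Running `sample_build_script | find_fixed_tmp_paths` reports the first two lines of the sample; a build script using `make_scratch_dir` should remove the directory when it finishes, for instance from a `trap` on EXIT.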
--- Begin Message ---
Source: lp-solve
Source-Version: 5.5.2.11-1
Done: Rene Engelhard <[email protected]>

We believe that the bug you reported is fixed in the latest version of
lp-solve, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rene Engelhard <[email protected]> (supplier of updated lp-solve package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 26 Jul 2024 20:26:08 +0200
Source: lp-solve
Architecture: source
Version: 5.5.2.11-1
Distribution: experimental
Urgency: medium
Maintainer: Juan Esteban Monsalve Tobon <[email protected]>
Changed-By: Rene Engelhard <[email protected]>
Closes: 875335 1008073
Changes:
 lp-solve (5.5.2.11-1) experimental; urgency=medium
 .
   * "New" upstream release (closes: #1008073)
     - does not hardcode /tmp anymore in ccc (closes: #875335)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--- End Message ---
