Your message dated Wed, 02 Feb 2005 16:14:15 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#288274: fixed
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 29 Dec 2004 00:43:21 +0000
>From [EMAIL PROTECTED] Tue Dec 28 16:43:21 2004
Return-path: <[EMAIL PROTECTED]>
Received: from tornado.dat.etsit.upm.es (dat.etsit.upm.es) [138.100.17.73] 
        by spohr.debian.org with smtp (Exim 3.35 1 (Debian))
        id 1CjRvt-0008Vq-00; Tue, 28 Dec 2004 16:43:21 -0800
Received: (qmail 14876 invoked by uid 1013); 29 Dec 2004 00:43:19 -0000
Date: Wed, 29 Dec 2004 01:43:19 +0100
From: Javier =?iso-8859-1?Q?Fern=E1ndez-Sanguino_Pe=F1a?= <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: astats: Multiple temporary symlink vulnerabilities in the astats script
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="LKTjZJSUETSlgu2t"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040722i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 


--LKTjZJSUETSlgu2t
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Package: astats
Version: 1.6.5-2
Priority: grave
Tags: security sarge sid

The astats script does not protect itself from temporary filename attacks
since it creates files in an insecure manner (using names like
'/tmp/aStats-Graphic-Signature-Generation', '/tmp/aMule-temp1.png',
'/tmp/aMule-temp2.png', etc.). No checks are done to prevent symlink
attacks (set -C, for example).

IMHO this makes this script unsuitable for release.

Regards

Javier


--LKTjZJSUETSlgu2t
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFB0f2ni4sehJTrj0oRArAfAJ4vw0Uyez4NMgmWXEJCP5QIQD1XhwCbBVuM
eWrPrLuTielM1/Hldy5lR3s=
=PQ9/
-----END PGP SIGNATURE-----

--LKTjZJSUETSlgu2t--
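The report above describes the classic predictable-name temporary file problem: a script writes to fixed paths under /tmp, so anyone with a local account can pre-create a symlink at that name and have the script's output land on a file of the attacker's choosing. The following is an added example (not code from astats or from the reporter) showing the insecure pattern next to the usual hardening for a POSIX shell script: a private per-run directory from mktemp(1), a refusal to write through a pre-existing path or symlink, noclobber (set -C) on the redirection so the open uses O_EXCL, and a trap that cleans the directory up on exit. The file names "temp1.png" and "temp2.png" and the "astats.XXXXXX" template are assumptions chosen to mirror the names in the report; the only external tool required is mktemp.

```shell
#!/bin/sh
# Added example, not part of astats: safe handling of temporary files in a
# shell script. Assumes a POSIX sh plus mktemp(1); file names are made up
# to mirror the /tmp/aMule-temp1.png style names from the bug report.

set -u

# The insecure pattern: a fixed, world-predictable path in a shared
# directory. Anyone may create a symlink at this name before the script
# runs. Kept only for comparison with the safe functions below.
insecure_tmpfile() {
    printf '%s\n' "/tmp/aMule-temp1.png"
}

# Create a private working directory (mode 0700, unpredictable name).
# All temporary files live under it, so a planted symlink in /tmp is
# never in the path the script actually opens.
make_workdir() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/astats.XXXXXX") || return 1
    printf '%s\n' "$dir"
}

# Return 0 only if nothing (file, directory, or even a dangling symlink)
# already exists at $1. The -L test comes first because -e follows
# symlinks and reports false for a dangling one.
safe_to_create() {
    if [ -L "$1" ] || [ -e "$1" ]; then
        return 1
    fi
    return 0
}

# Write $3 into $1/$2 and print the resulting path. The noclobber option
# makes the shell open the target with O_EXCL, so if something appears at
# the path between the check and the open, the redirection fails instead
# of following it.
write_temp() {
    target="$1/$2"
    safe_to_create "$target" || return 1
    ( set -C; printf '%s\n' "$3" > "$target" ) || return 1
    printf '%s\n' "$target"
}

# Remove the private directory; installed as an EXIT/INT/TERM trap so a
# killed run does not leave files behind.
cleanup() {
    if [ -n "${WORKDIR:-}" ] && [ -d "$WORKDIR" ]; then
        rm -rf -- "$WORKDIR"
    fi
}

# End-to-end run: one normal write succeeds, a second write to the same
# name is refused, and a write through a planted symlink is refused.
demo() {
    WORKDIR=$(make_workdir) || return 1
    trap cleanup EXIT INT TERM
    write_temp "$WORKDIR" "temp1.png" "placeholder image data" > /dev/null || return 1
    if write_temp "$WORKDIR" "temp1.png" "second write" > /dev/null; then
        return 1
    fi
    # Simulate the attack from the report: a symlink already sits where
    # the script wants to write. The link target is just a constructed name.
    ln -s /nonexistent/victim "$WORKDIR/temp2.png"
    if write_temp "$WORKDIR" "temp2.png" "x" > /dev/null; then
        return 1
    fi
    cleanup
    trap - EXIT INT TERM
    return 0
}

demo && printf 'temporary files were created only inside a private directory\n'
```

The check-then-write in write_temp is still a two-step sequence, which is why the redirection runs under set -C: the shell then opens with O_CREAT|O_EXCL, and that open fails on an existing path or a symlink regardless of what the link points at. Programs that write their own output files (an image generator told to save to a path, for instance) do not get that protection from the shell, so the private mktemp directory is the part that matters for them.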

---------------------------------------
Received: (at 288274-close) by bugs.debian.org; 2 Feb 2005 21:14:51 +0000
>From [EMAIL PROTECTED] Wed Feb 02 13:14:51 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1CwRpr-0004cL-00; Wed, 02 Feb 2005 13:14:51 -0800
Received: from troup by newraff.debian.org with local (Exim 3.35 1 (Debian))
        id 1CwRpH-0001rR-00; Wed, 02 Feb 2005 16:14:15 -0500
From: Debian Archive Maintenance <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: melanie $Revision: 1.43 $ 
Subject: Bug#288274: fixed
Message-Id: <[EMAIL PROTECTED]>
Sender: James Troup <[EMAIL PROTECTED]>
Date: Wed, 02 Feb 2005 16:14:15 -0500
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

We believe that the bug you reported is now fixed; the following
package(s) have been removed from unstable:

    astats |    1.6.5-2 | source, all

Note that the package(s) have simply been removed from the tag
database and may (or may not) still be in the pool; this is not a bug.
The package(s) will be physically removed automatically when no suite
references them (and in the case of source, when no binary references
it).  Please also remember that the changes have been done on the
master archive (ftp-master.debian.org) and will not propagate to any
mirrors (ftp.debian.org included) until the next cron.daily run at the
earliest.

Packages are never removed from testing by hand.  Testing tracks
unstable and will automatically remove packages which were removed
from unstable when removing them from testing causes no dependency
problems.

Bugs which have been reported against this package are not automatically
removed from the Bug Tracking System.  Please check all open bugs and
close them or re-assign them to another package if the removed package
was superseded by another one.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED]

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
[EMAIL PROTECTED]

Debian distribution maintenance software
pp.
James Troup (the ftpmaster behind the curtain)

