Your message dated Wed, 02 Feb 2005 16:14:15 -0500 with message-id <[EMAIL PROTECTED]> and subject line Bug#288274: fixed has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 29 Dec 2004 00:43:21 +0000

Date: Wed, 29 Dec 2004 01:43:19 +0100
From: Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: astats: Multiple temporary symlink vulnerabilities in the astats script

Package: astats
Version: 1.6.5-2
Priority: grave
Tags: security sarge sid

The astats script does not protect itself from temporary filename attacks since it creates files in an insecure manner (using names like '/tmp/aStats-Graphic-Signature-Generation', '/tmp/aMule-temp1.png', '/tmp/aMule-temp2.png', etc.). No checks are done to prevent symlink attacks (set -C, for example). IMHO this makes this script unsuitable for release.

Regards

Javier

---------------------------------------
Received: (at 288274-close) by bugs.debian.org; 2 Feb 2005 21:14:51 +0000

Date: Wed, 02 Feb 2005 16:14:15 -0500
From: Debian Archive Maintenance <[EMAIL PROTECTED]>
Sender: James Troup <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#288274: fixed

We believe that the bug you reported is now fixed; the following package(s) have been removed from unstable:

astats | 1.6.5-2 | source, all

Note that the package(s) have simply been removed from the tag database and may (or may not) still be in the pool; this is not a bug. The package(s) will be physically removed automatically when no suite references them (and in the case of source, when no binary references it).

Please also remember that the changes have been done on the master archive (ftp-master.debian.org) and will not propagate to any mirrors (ftp.debian.org included) until the next cron.daily run at the earliest.

Packages are never removed from testing by hand. Testing tracks unstable and will automatically remove packages which were removed from unstable when removing them from testing causes no dependency problems.

Bugs which have been reported against this package are not automatically removed from the Bug Tracking System. Please check all open bugs and close them or re-assign them to another package if the removed package was superseded by another one.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED]

This message was generated automatically; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED]

Debian distribution maintenance software
pp.
James Troup
(the ftpmaster behind the curtain)
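The fixed-name temp-file pattern described in the astats report above, beside a hardened version using mktemp and set -C, as an added example that is not astats' own code (the aStats-signature and aStats-demo names and the file contents are constructed for illustration):

```shell
#!/bin/sh
# Added example, not astats' own code: the fixed-name /tmp pattern from the report
# next to a hardened version. File names and contents below are constructed.

# Vulnerable pattern (for contrast only, never called here): a fixed, predictable
# path under /tmp. Any local user can pre-create that name, e.g. as a symlink,
# before the script runs; a plain '>' then follows the link and writes wherever
# it points.
write_fixed_name() {
    printf 'signature\n' > /tmp/aMule-temp1.png
}

# Hardened pattern: mktemp creates the file atomically (O_CREAT|O_EXCL) under an
# unpredictable name owned by the caller, so there is no window in which a link
# can be planted. set -C (noclobber) additionally makes '>' refuse any path that
# already exists, covering leftover fixed-name redirections elsewhere in a script.
# Caveat: set -C guards only the shell's own '>' (not '>|', and not files written
# by external tools the script invokes), so mktemp is the primary fix.
write_secure_tmp() {
    set -C
    tmp=$(mktemp "${TMPDIR:-/tmp}/aStats-signature.XXXXXX") || return 1
    # mktemp already created the file; append, since '>' would now be refused.
    printf 'signature\n' >> "$tmp" || return 1
    printf '%s\n' "$tmp"
}

# Check that noclobber stops a write through a pre-placed symlink: builds a
# scratch directory with a symlink at the fixed name, attempts the write under
# set -C, and returns 0 only if the write was refused and the target is untouched.
noclobber_blocks_symlink() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/aStats-demo.XXXXXX") || return 1
    target="$dir/victim"
    : > "$target"
    ln -s "$target" "$dir/aMule-temp1.png"
    refused=0
    ( set -C; printf 'x\n' > "$dir/aMule-temp1.png" ) 2>/dev/null || refused=1
    size=$(wc -c < "$target")
    rm -rf "$dir"
    [ "$refused" -eq 1 ] && [ "$size" -eq 0 ]
}
```

Call write_secure_tmp in a command substitution so its set -C stays local to that subshell; the path it prints is the only name the rest of the script should use.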