Your message dated Fri, 05 Sep 2008 16:32:06 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#496403: fixed in mgetty 1.1.36-1.3
has caused the Debian Bug report #496403,
regarding The possibility of attack with the help of symlinks in some Debian packages
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
496403: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496403
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: mgetty-fax
Severity: grave
Hi, maintainer!
This message about the error concerns a few packages at once. I've
tested all the packages (for Lenny) on my Debian mirror. All scripts
of packages (marked as executable) were tested.
In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or user's files.
For example, if a script uses in its work a temp file which is created
in the /tmp directory, then every user can create a symlink with the same
name in this directory in order to destroy or rewrite some system
or user file. A symlink attack may lead not only to data
destruction but to denial of service as well.
Even if you create files or directories with the help of the function 'RANDOM'
or pid(), your system is not protected. An attacker can create many
symlinks in order to destroy your data or create a 'denial of service'
for your package scripts.
Even if you rm(dir) files/directories, your system is
not protected. An attacker can permanently create symlinks.
This list is created with the help of a script. This list is sorted by
hand. However, in some cases a mistake is possible.
Please be understanding of possible mistakes. :)
I set the Severity to grave for this bug. The table of discovered
problems is below.
The discussion of this bug can be seen on debian-devel@:
http://lists.debian.org/debian-devel/2008/08/msg00271.html
Binary-package: r-base-core-ra (1.1.1-1)
file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
file: /usr/share/dtc/admin/accesslog.php
file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
file: /usr/share/linuxtrade/bin/linuxtrade.wn
file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
file: /usr/bin/impose
Binary-package: mgt (2.31-5)
file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
file: /usr/lib/lmbench/scripts/rccs
file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
file: /usr/lib/ogle/ogle_audio_debug
file: /usr/lib/ogle/ogle_cli_debug
file: /usr/lib/ogle/ogle_ctrl_debug
file: /usr/lib/ogle/ogle_gui_debug
file: /usr/lib/ogle/ogle_mpeg_ps_debug
file: /usr/lib/ogle/ogle_mpeg_vs_debug
file: /usr/lib/ogle/ogle_nav_debug
file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
file: /usr/bin/optics2rad
file: /usr/bin/pdelta
file: /usr/bin/dayfact
file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
file: /usr/lib/ogle/ogle_audio_debug
file: /usr/lib/ogle/ogle_cli_debug
file: /usr/lib/ogle/ogle_ctrl_debug
file: /usr/lib/ogle/ogle_gui_debug
file: /usr/lib/ogle/ogle_mpeg_ps_debug
file: /usr/lib/ogle/ogle_mpeg_vs_debug
file: /usr/lib/ogle/ogle_nav_debug
file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
file: /usr/share/convirt/image_store/_template_/provision.sh
file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
file: /usr/share/convirt/image_store/common/provision.sh
file: /usr/share/convirt/image_store/example/provision.sh
file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
file: /usr/lib/R/bin/javareconf
file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
file: /usr/share/xmcd/scripts/ncsarmt
file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
file: /usr/lib/scilab-4.1.2/bin/scilink
file: /usr/lib/scilab-4.1.2/util/scidoc
file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
file: /usr/sbin/checksendmail
file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
file: /usr/bin/patcil
file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
file: /usr/lib/arb/SH/arb_fastdnaml
file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
file: /usr/bin/apertium-gen-deformat
file: /usr/bin/apertium-gen-reformat
file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
file: /usr/share/freeradius-dialupadmin/bin/tot_stats
file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
file: /var/lib/wims/public_html/bin/coqweb
file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
file: /usr/share/bulmages/examples/scripts/actualizabulmacont
file: /usr/share/bulmages/examples/scripts/installbulmages-db
file: /usr/share/bulmages/examples/scripts/creabulmafact
file: /usr/share/bulmages/examples/scripts/creabulmacont
file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
file: /usr/lib/xastir/get-maptools.sh
file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
file: /usr/bin/plaiter
file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh
--- End Message ---
--- Begin Message ---
Source: mgetty
Source-Version: 1.1.36-1.3
We believe that the bug you reported is fixed in the latest version of
mgetty, which is due to be installed in the Debian FTP archive:
mgetty-docs_1.1.36-1.3_all.deb
to pool/main/m/mgetty/mgetty-docs_1.1.36-1.3_all.deb
mgetty-fax_1.1.36-1.3_amd64.deb
to pool/main/m/mgetty/mgetty-fax_1.1.36-1.3_amd64.deb
mgetty-pvftools_1.1.36-1.3_amd64.deb
to pool/main/m/mgetty/mgetty-pvftools_1.1.36-1.3_amd64.deb
mgetty-viewfax_1.1.36-1.3_amd64.deb
to pool/main/m/mgetty/mgetty-viewfax_1.1.36-1.3_amd64.deb
mgetty-voice_1.1.36-1.3_amd64.deb
to pool/main/m/mgetty/mgetty-voice_1.1.36-1.3_amd64.deb
mgetty_1.1.36-1.3.diff.gz
to pool/main/m/mgetty/mgetty_1.1.36-1.3.diff.gz
mgetty_1.1.36-1.3.dsc
to pool/main/m/mgetty/mgetty_1.1.36-1.3.dsc
mgetty_1.1.36-1.3_amd64.deb
to pool/main/m/mgetty/mgetty_1.1.36-1.3_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated mgetty package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 05 Sep 2008 17:52:42 +0200
Source: mgetty
Binary: mgetty mgetty-fax mgetty-viewfax mgetty-voice mgetty-pvftools mgetty-docs
Architecture: source all amd64
Version: 1.1.36-1.3
Distribution: unstable
Urgency: high
Maintainer: Andreas Barth <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
mgetty - Smart Modem getty replacement
mgetty-docs - Documentation Package for mgetty
mgetty-fax - Faxing tools for mgetty
mgetty-pvftools - Programs for listening and manipulating pvf and rmd files
mgetty-viewfax - Program for displaying Group-3 Fax files under X
mgetty-voice - Voicemail handler for mgetty
Closes: 496403
Changes:
mgetty (1.1.36-1.3) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix insecure use of temporary file names that could lead to a symlink
attack.
(debian/patches/78-insecure-tmp-usage; No CVE id yet; Closes: #496403)
Checksums-Sha1:
8627502cc05f7346333d30bf8c9868f8c3446ba0 1198 mgetty_1.1.36-1.3.dsc
67b791285cbb20636e71e4ffd7a2b6526de7cf6e 60792 mgetty_1.1.36-1.3.diff.gz
91f2d0d311c6981d9b2b32d1dc8e68039b361369 522916 mgetty-docs_1.1.36-1.3_all.deb
1047fe4bcdabbe16f420c47ae6a731d8683ec4d3 183248 mgetty_1.1.36-1.3_amd64.deb
3433cb471a8bf1238481527398478e3f3320a6c9 159802 mgetty-fax_1.1.36-1.3_amd64.deb
cf7a3dfffb7f30f22ee4def51ae58aee773d0539 68736 mgetty-viewfax_1.1.36-1.3_amd64.deb
96d324ee9558029237f49e1148d9fe18f17523e4 201506 mgetty-voice_1.1.36-1.3_amd64.deb
6a8ea599dc3e690c54393a567807d02e0cb96ada 320246 mgetty-pvftools_1.1.36-1.3_amd64.deb
Checksums-Sha256:
c3b05ca02439ec1dce1a6e619d85fc9ed5e594539be13c58c68432cd63b1fc97 1198 mgetty_1.1.36-1.3.dsc
e6d7ac14d6050765dc3c5e080c1586015f703a3eb7b42156be8eda38493719a7 60792 mgetty_1.1.36-1.3.diff.gz
3c9b1891a00bf9558c9bd3b31ca8314137007fc17258d84fab711113c6bb2668 522916 mgetty-docs_1.1.36-1.3_all.deb
3fe0c6396853ec7863b1854d58854f7021bcc97517cb05e29e788726114ac83c 183248 mgetty_1.1.36-1.3_amd64.deb
64a04f8a48ab6167935715f4c45792a94464c9c6859296ddc350318ed555908c 159802 mgetty-fax_1.1.36-1.3_amd64.deb
ae35fa632955461ac2820d378fa43d11590e5acfb859dfa8514b5d3da8b7c021 68736 mgetty-viewfax_1.1.36-1.3_amd64.deb
cd7f6e3eb048143b0539bbd5b1d3b95cb4ff6fd7adc0d7c3996c734144eca97a 201506 mgetty-voice_1.1.36-1.3_amd64.deb
2752aa3b500d5ca11cac47438b25aa5c200be77a6243c56fcc753ff3a8b8fc54 320246 mgetty-pvftools_1.1.36-1.3_amd64.deb
Files:
58311aacff5cbff1407f9ab7daa8b953 1198 comm optional mgetty_1.1.36-1.3.dsc
df151dc2948b99dc84f5392e56b7a02d 60792 comm optional mgetty_1.1.36-1.3.diff.gz
ce51bacd99c26fe62034644537c6927e 522916 comm optional mgetty-docs_1.1.36-1.3_all.deb
7349e8ddea956135eb2f4103ffbc9258 183248 comm optional mgetty_1.1.36-1.3_amd64.deb
055e5258991149f28b5b36e9a0261f1e 159802 comm optional mgetty-fax_1.1.36-1.3_amd64.deb
7663f1d75a221988db1e791d41f17c4a 68736 comm optional mgetty-viewfax_1.1.36-1.3_amd64.deb
0b9be2ea5523b862aed6b5b332179613 201506 comm optional mgetty-voice_1.1.36-1.3_amd64.deb
8021c031a25b2aa15ebb23551c43b4b1 320246 comm optional mgetty-pvftools_1.1.36-1.3_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkjBWzEACgkQHYflSXNkfP/X0wCfd7u8vMU7Q7Y7iwet5xJOVUwv
KBAAn2DTmZ9JLEHUOBIQT8I8brf1S1ug
=aRgp
-----END PGP SIGNATURE-----
--- End Message ---