Your message dated Sat, 25 Apr 2009 00:47:07 +0000
with message-id <e1lxw2t-0002dx...@ries.debian.org>
and subject line Bug#515104: fixed in nautilus 2.26.2-1
has caused the Debian Bug report #515104,
regarding nautilus: potential exploits via application launchers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
515104: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=515104
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: nautilus
Version: 2.20-7
Severity: grave
Tags: security

as you have probably seen by now, there has been a lot of coverage
about the potential avenue for exploits via kde and gnome application
launchers (it looks like xfce is safe, for now) [1], [2], [3].

the core of the problem is that launchers have the ability to execute
perl, python, etc scripts without the executable bit set.  this
makes it much easier for an attacker to get the user to download and
run potentially malicious code.

regards,
mike

[1] http://www.geekzone.co.nz/foobar/6229
[2] http://www.geekzone.co.nz/foobar/6236
[3] http://lwn.net/Articles/178409/



--- End Message ---
--- Begin Message ---
Source: nautilus
Source-Version: 2.26.2-1

We believe that the bug you reported is fixed in the latest version of
nautilus, which is due to be installed in the Debian FTP archive:

libnautilus-extension-dev_2.26.2-1_amd64.deb
  to pool/main/n/nautilus/libnautilus-extension-dev_2.26.2-1_amd64.deb
libnautilus-extension1_2.26.2-1_amd64.deb
  to pool/main/n/nautilus/libnautilus-extension1_2.26.2-1_amd64.deb
nautilus-data_2.26.2-1_all.deb
  to pool/main/n/nautilus/nautilus-data_2.26.2-1_all.deb
nautilus-dbg_2.26.2-1_amd64.deb
  to pool/main/n/nautilus/nautilus-dbg_2.26.2-1_amd64.deb
nautilus_2.26.2-1.diff.gz
  to pool/main/n/nautilus/nautilus_2.26.2-1.diff.gz
nautilus_2.26.2-1.dsc
  to pool/main/n/nautilus/nautilus_2.26.2-1.dsc
nautilus_2.26.2-1_amd64.deb
  to pool/main/n/nautilus/nautilus_2.26.2-1_amd64.deb
nautilus_2.26.2.orig.tar.gz
  to pool/main/n/nautilus/nautilus_2.26.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 515...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Josselin Mouette <j...@debian.org> (supplier of updated nautilus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 25 Apr 2009 01:33:51 +0200
Source: nautilus
Binary: nautilus nautilus-dbg libnautilus-extension1 libnautilus-extension-dev nautilus-data
Architecture: source all amd64
Version: 2.26.2-1
Distribution: unstable
Urgency: low
Maintainer: Josselin Mouette <j...@debian.org>
Changed-By: Josselin Mouette <j...@debian.org>
Description: 
 libnautilus-extension-dev - libraries for nautilus components - development version
 libnautilus-extension1 - libraries for nautilus components - runtime version
 nautilus   - file manager and graphical shell for GNOME
 nautilus-data - data files for nautilus
 nautilus-dbg - file manager and graphical shell for GNOME - debugging version
Closes: 422570 469267 512824 515078 515104 518773
Changes: 
 nautilus (2.26.2-1) unstable; urgency=low
 .
   * Break eiciel, diff-ext, nautilus-gksu, nautilus-actions,
     nautilus-share and seahorse-plugins until versions rebuilt with the
     new extension path.
   * Only suggest xdg-user-dirs, nautilus works perfectly fine without
     it.
   * New upstream release.
     + Correctly cleans up session files. Closes: #469267.
     + Checks whether the session is active with ConsoleKit before
       mounting a removable media. Closes: #512824.
     + Follows OnlyShowIn/NotShowIn for .desktop files on the desktop.
       Closes: #422570.
     + Only accepts .desktop with executable permissions.
       Closes: #515078, #515104.
   * 07_desktop_file_activation.patch: removed from the sources.
   * 02_eel_libadd.patch: stolen from the eel2 sources. Fix linking of
     the eel convenience library.
   * 14_sidebar_network-protocol.patch: removed, useless since 2.24.
     Closes: #518773.
   * 20_open-with_install.patch: updated for the new version.
   * 90_relibtoolize.patch: new patch, relibtoolize over that.
   * Refresh other patches.
   * Bump shlibs version to 2.26.2.
   * Add brasero 2.26 as an alternative to n-c-b.
   * Recommend consolekit.
   * Pass --disable-packagekit.
   * Fix section of debug package.
   * Update build-dependencies and dependencies according to the upstream
     changes.
   * Build-depend on libglib2.0-doc and libgtk2.0-doc to ensure proper
     xrefs.
   * nautilus-data.install: there are no more bonobo files to ship.
   * 10_load_session.patch: new patch. Support --load-session so that
     sessions saved with older nautilus versions will load correctly.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJ8lu5rSla4ddfhTMRAu2qAJ9HAXyDAHyq3jESEB8l4zxdRPTEDQCfUkni
5tvjT7hLk3/ya63Zah6qtHI=
=MB2q
-----END PGP SIGNATURE-----



--- End Message ---
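
The changelog entry above ("Only accepts .desktop with executable permissions") is the fix for the problem described in the report. As an added example, not part of the original messages and not nautilus's own code, this audit lists `.desktop` launchers under a directory that carry an `Exec=` line but lack the owner execute bit; `demo()` and its two sample launchers are constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path


def read_exec_line(path):
    """Return the Exec= value of the [Desktop Entry] group, or None."""
    in_entry = False
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("["):
                in_entry = line == "[Desktop Entry]"
            elif in_entry and "=" in line:
                key, value = line.split("=", 1)
                if key.strip() == "Exec":
                    return value.strip()
    return None


def audit_launchers(root):
    """Return (path, exec_line) for launchers lacking the owner execute bit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            if not (name.endswith(".desktop") and stat.S_ISREG(st.st_mode)):
                continue
            exec_line = read_exec_line(path)
            if exec_line and not st.st_mode & stat.S_IXUSR:
                findings.append((path, exec_line))
    return findings


def demo():
    # Constructed sample launchers: same content, different permission bits.
    body = "[Desktop Entry]\nType=Application\nName=Notes\nExec=python notes.py\n"
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("trusted.desktop", 0o755), ("downloaded.desktop", 0o644)):
            Path(tmp, name).write_text(body)
            os.chmod(os.path.join(tmp, name), mode)
        return [(os.path.basename(p), e) for p, e in audit_launchers(tmp)]


if __name__ == "__main__":
    for name, exec_line in demo():
        print(f"no execute bit: {name} -> Exec={exec_line}")
```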
