Your message dated Sun, 06 Sep 2015 05:33:47 +0000
with message-id <[email protected]>
and subject line Bug#795062: fixed in publicfile-installer 0.11-1
has caused the Debian Bug report #795062,
regarding publicfile-installer: insecure use of /tmp
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
795062: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=795062
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: publicfile-installer
Version: 0.10-1
Severity: critical
Tags: security
Justification: root security hole
Hi Justin,
On Sun, Aug 09, 2015 at 12:38:21PM +0100, Justin B Rye wrote:
>
> This contrib installer package downloads the source code for DJB's
> publicfile, builds it, and then puts the output in a predictable
> location in a world-writable directory, using an existing directory of
> that name if it already exists, then (either automatically or by
> telling the admin to run another script) installs whatever happens to
> be in that directory.
>
> This can be exploited by malicious local users to get arbitrary
> installscripts executed as root.
<snip>
I'll investigate & fix this; thanks for checking the code.
Bye,
Joost
--- End Message ---
--- Begin Message ---
Source: publicfile-installer
Source-Version: 0.11-1
We believe that the bug you reported is fixed in the latest version of
publicfile-installer, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Joost van Baal-Ilić <[email protected]> (supplier of updated
publicfile-installer package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 06 Sep 2015 07:23:33 +0200
Source: publicfile-installer
Binary: publicfile-installer
Architecture: source all
Version: 0.11-1
Distribution: unstable
Urgency: low
Maintainer: Joost van Baal-Ilić <[email protected]>
Changed-By: Joost van Baal-Ilić <[email protected]>
Description:
publicfile-installer - installer package for the publicfile http and ftp server
Closes: 795062
Changes:
publicfile-installer (0.11-1) unstable; urgency=low
.
* New upstream. No longer ships install-publicfile, no longer uses /tmp.
This fixes a serious security issue: a local privilege escalation
security hole due to insecure use of /tmp. "This [...] package downloads
the source code for DJB's publicfile, builds it, and then puts the
output in a predictable location in a world-writable directory, using an
existing directory of that name if it already exists, then (either
automatically or by telling the admin to run another script) installs
whatever happens to be in that directory. This can be exploited by
malicious local users to get arbitrary installscripts executed as root."
Thanks Justin B Rye. Closes: #795062.
+ debian/templates: adjusted.
+ debian/control: Depends: add sudo.
* debian/changelog: fix spelling error.
Checksums-Sha1:
420a02e48c1febf15a285307b315c6da01ed87b4 1580 publicfile-installer_0.11-1.dsc
0acd86aeee87338c9765a88cf953769c475d7cab 18873 publicfile-installer_0.11.orig.tar.gz
adb698e9182ebb4baa2cca2a300a546d52287b3a 4928 publicfile-installer_0.11-1.debian.tar.xz
b8c59952328536d8ecd0424fcb2520549afd05d6 11676 publicfile-installer_0.11-1_all.deb
Checksums-Sha256:
ec50bac4902c8730bd6b95d59e5e87d0b735968dd3eae54abf72f0ec8baf4c2f 1580 publicfile-installer_0.11-1.dsc
b7b4897473006da7fbef6ace95f817e6073f85e26a331d236774fd11b80382bd 18873 publicfile-installer_0.11.orig.tar.gz
7611358999414f05f58c1c7a52726f3ccf9ed488c0573c71d2360149982ee572 4928 publicfile-installer_0.11-1.debian.tar.xz
51ee9d383d9f14eab25b35ca3a0c0c58218935a295f481c5cebc0af825f58c51 11676 publicfile-installer_0.11-1_all.deb
Files:
2d21fe4255426e9e3026b82f5b3dc1b3 1580 contrib/net extra publicfile-installer_0.11-1.dsc
51703972ffd065a82f3ef774c262d99a 18873 contrib/net extra publicfile-installer_0.11.orig.tar.gz
640dd63aa49c86f0a24c3363d95f041d 4928 contrib/net extra publicfile-installer_0.11-1.debian.tar.xz
cd06a3f61cb056f3406b24541873ca08 11676 contrib/net extra publicfile-installer_0.11-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJV6848AAoJEDNRenKl5rDIps0IAIHMJrwT3NcbNdfeEQp+dk4F
1jqSdBXKN+VytV6s4TZHBENuyGRZQVb0p094t5EKRLwYI0fOwhKx5VydnRQebE60
cFkPOiPet//fYhTMLpw/FCKZprQmZioIR17USwx9aHoXy+ufgaa2Mtz0X+Y3yRfr
SNJTd9EiCPnz4haoRxa3PYkucDTFVkeoXkfStp4TaMcJ6qushJemLbV++KF4mSCI
yCFCnzOSncDcSrEyPutQNafaOLMERH3yGjqJN/e+QDqPXR5eSMYT9LyM1BakHszz
iiLQeZe/w2ybKKuyEE3If8foXnSUUghwwLGTaPw40Bi8P9DuF3yBXATRuHlbda8=
=dVQv
-----END PGP SIGNATURE-----
--- End Message ---
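The two messages above describe the flaw (a fixed, predictable build directory under world-writable /tmp, silently reused if it already exists, and later installed from as root) and record that 0.11-1 stopped using /tmp altogether. As an added illustration that is not part of the bug report or of the publicfile-installer package, the shell script below puts that weak pattern beside a private work directory created by mktemp(1), plus a check that refuses any work directory which is a symlink, owned by someone else, or group/world writable. The function names (unsafe_workdir, safe_workdir, check_workdir) and the publicfile-build path prefix are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example; not code from the bug report or from publicfile-installer.
# Function and path names below are assumptions chosen for illustration.

# Weak pattern (the one the bug report describes): a fixed, predictable path
# in a world-writable directory, silently reused if it already exists. Whoever
# created it first decides what a later privileged step finds in it.
unsafe_workdir() {
    dir="${TMPDIR:-/tmp}/publicfile-build"   # constructed, predictable name
    mkdir -p "$dir"                           # accepts a pre-existing directory of any owner
    printf '%s\n' "$dir"
}

# Hardened pattern: a fresh directory with an unpredictable name, created
# atomically by mktemp -d with mode 0700, so no other local user can have
# pre-created or pre-populated it.
safe_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/publicfile-build.XXXXXX"
}

# Defensive check before writing into, or installing from, a work directory:
# it must be a real directory (not a symlink), owned by the caller, and not
# group- or world-writable. Returns 0 when acceptable, 1 otherwise.
check_workdir() {
    d=$1
    [ ! -L "$d" ] || return 1      # symlink: could point anywhere
    [ -d "$d" ]   || return 1      # must be a directory
    [ -O "$d" ]   || return 1      # must be owned by us (-O: bash, dash, busybox)
    mode=$(ls -ld "$d" | cut -c1-10)   # e.g. drwx------
    case "$mode" in
        d????w*)    return 1 ;;    # group write bit set (6th character)
        d???????w*) return 1 ;;    # other write bit set (9th character)
    esac
    return 0
}

# Demonstration when run as "sh script.sh demo": the mktemp directory passes,
# a world-writable directory with a predictable name does not, nor does a symlink.
demo() {
    good=$(safe_workdir)
    check_workdir "$good" && echo "ok:   $good passes"
    bad=$(unsafe_workdir)
    chmod 0777 "$bad"
    check_workdir "$bad" || echo "fail: $bad is world-writable, refusing"
    ln -s "$good" "$good.link"
    check_workdir "$good.link" || echo "fail: $good.link is a symlink, refusing"
    rm -f "$good.link"
    rmdir "$good" "$bad"
}

if [ "${1:-}" = demo ]; then demo; fi
```

The check is a sanity test, not a substitute for the real fix: the safe course, and what the maintainer did in 0.11-1, is to keep the build and install steps out of any directory other users can write to at all.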