Your message dated Tue, 09 Jan 2018 13:04:03 +0000
with message-id <e1eytzt-00051m...@fasolo.debian.org>
and subject line Bug#866862: fixed in diaspora-installer 0.6.6.0+debian2
has caused the Debian Bug report #866862,
regarding diaspora-installer: installs world-writable ruby libraries
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
866862: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866862
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: diaspora-installer
Version: 0.6.6.0+debian1
Severity: grave
Tags: security
Justification: user security hole
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package installs
world-writable files, including a bunch of .rb scripts, allowing
unprivileged local users to "customize" your diaspora experience.

Since this is a downloader package, it needs to sanitize the
stuff it downloads and installs from the net.

From the attached log (scroll to the bottom...):

  ERROR: BAD PERMISSIONS
  -rw-rw-rw- 1 diaspora nogroup 1935 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/configurate-0.3.1/lib/configurate/lookup_chain.rb
  -rw-rw-rw- 1 diaspora nogroup  154 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/.gitignore
  -rw-rw-rw- 1 diaspora nogroup  242 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/.travis.yml
  -rw-rw-rw- 1 diaspora nogroup   98 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/Gemfile
  -rw-rw-rw- 1 diaspora nogroup 1069 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/LICENSE.txt
  -rw-rw-rw- 1 diaspora nogroup 3354 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/README.md
  -rw-rw-rw- 1 diaspora nogroup  233 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/Rakefile
  -rw-rw-rw- 1 diaspora nogroup  918 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/lib/request_store.rb
  -rw-rw-rw- 1 diaspora nogroup  233 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/lib/request_store/middleware.rb
  -rw-rw-rw- 1 diaspora nogroup  785 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/lib/request_store/railtie.rb
  -rw-rw-rw- 1 diaspora nogroup   44 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/lib/request_store/version.rb
  -rw-rw-rw- 1 diaspora nogroup  943 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/request_store.gemspec
  -rw-rw-rw- 1 diaspora nogroup  981 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/test/middleware_test.rb
  -rw-rw-rw- 1 diaspora nogroup 1607 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/test/request_store_test.rb
  -rw-rw-rw- 1 diaspora nogroup  267 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/test/test_helper.rb
  -rw-rw-rw- 1 diaspora nogroup 3255 Jun 29 20:24 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/twitter-text-1.14.5/README.md


cheers,

Andreas

Attachment: diaspora-installer_0.6.6.0+debian1.log.gz
Description: application/gzip


--- End Message ---
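Added example (not code from diaspora-installer, and not the piuparts implementation): the world-writable-file check that produced the listing in the report above, plus the permission fix the report asks a downloader package to apply after unpacking what it fetched. The function names and the bundle path in the comment are my own; the script assumes only POSIX find(1), chmod(1) and ls(1).

```shell
#!/bin/sh
# Added example, not part of diaspora-installer or piuparts: audit a tree for
# entries any local user can write to, then strip the stray write bits.
# -perm -002 matches every entry whose "other" write bit is set; symlinks are
# skipped because their mode bits are meaningless on most filesystems.

# List every entry under "$1" that is world-writable, in ls -ld form, on
# stderr. Returns 1 if anything was found, 0 if the tree is clean.
find_world_writable() {
    found=$(find "$1" ! -type l -perm -002 -exec ls -ld {} \;)
    if [ -n "$found" ]; then
        printf 'ERROR: BAD PERMISSIONS\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Drop the group and other write bits on everything under "$1". A relative
# mode (go-w) rather than a fixed one such as 0644 keeps the owner's write
# bit and any execute bits, so the bundle's bin/ scripts stay runnable.
strip_world_writable() {
    find "$1" ! -type l -exec chmod go-w {} +
}

# Check, fix if needed, and re-check, e.g. on a freshly unpacked bundle:
#   sanitize_tree /var/lib/diaspora/vendor/bundle   # path is illustrative
# Returns 0 only if the tree is clean after the fix.
sanitize_tree() {
    find_world_writable "$1" 2>/dev/null || strip_world_writable "$1"
    find_world_writable "$1"
}
```

Run the sanitizer over the unpacked tree before it is handed to the service user; it fixes only mode bits, which is the part of "sanitize the stuff it downloads" that the report's listing shows, and it should run before the files become reachable by other local users rather than as an afterthought.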
--- Begin Message ---
Source: diaspora-installer
Source-Version: 0.6.6.0+debian2

We believe that the bug you reported is fixed in the latest version of
diaspora-installer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 866...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pirate Praveen <prav...@debian.org> (supplier of updated diaspora-installer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 08 Jan 2018 20:40:24 +0530
Source: diaspora-installer
Binary: diaspora-installer diaspora-installer-mysql diaspora-common
Architecture: source
Version: 0.6.6.0+debian2
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Pirate Praveen <prav...@debian.org>
Description:
 diaspora-common - distributed social networking service - common files
 diaspora-installer - distributed social networking service - installer
 diaspora-installer-mysql - distributed social networking service - installer (with mysql)
Closes: 866862
Changes:
 diaspora-installer (0.6.6.0+debian2) unstable; urgency=medium
 .
   * Bump standards version
   * Apply patch for bundler 1.16 compatibility
   * Remove write permissions correctly (Closes: #866862)
Checksums-Sha1:
 791a23a7138bb448bcfbff0ec1f74f00e5c3d5a8 2012 diaspora-installer_0.6.6.0+debian2.dsc
 d462433317309fdefe9dc8355c184b2ce52624bd 41380 diaspora-installer_0.6.6.0+debian2.tar.xz
 d9439ef4a3a0fbe81bba06fbe28a14e2d55b2ba1 6776 diaspora-installer_0.6.6.0+debian2_source.buildinfo
Checksums-Sha256:
 df17f181664fe67b20f96da36de6bfd14171c0be9686b8d2e75dc349fc8df5e6 2012 diaspora-installer_0.6.6.0+debian2.dsc
 b125707badb640249dc7ef0bf7beb5a5d7bd5aa75bc2a6a07efcd6589732d68a 41380 diaspora-installer_0.6.6.0+debian2.tar.xz
 9d20e6b8fa6c33304f9fe2873b3154f7625a97e51a03b9dac69b8ac58413c8bb 6776 diaspora-installer_0.6.6.0+debian2_source.buildinfo
Files:
 b3aa9e8b13670997ab90e2a38cf4b758 2012 net optional diaspora-installer_0.6.6.0+debian2.dsc
 1758df7a2e2e1224b92bebb08c71f2d7 41380 net optional diaspora-installer_0.6.6.0+debian2.tar.xz
 5919c09b21584acd9286dd5ddf81c344 6776 net optional diaspora-installer_0.6.6.0+debian2_source.buildinfo


--- End Message ---
