This bug is also known as CVE-2006-2542.  Please mention this in the
changelog.

A more suitable patch to fix this problem imho is the attached one.

Regards,

        Joey

-- 
Given enough thrust pigs will fly, but it's not necessarily a good idea.

Please always Cc to me when replying to me on the lists.
diff -u xmcd-2.6/libdi_d/config.sh xmcd-2.6/libdi_d/config.sh
--- xmcd-2.6/libdi_d/config.sh
+++ xmcd-2.6/libdi_d/config.sh
@@ -46,9 +46,9 @@
 SCRDIR=$XMCDLIB/scripts
 SITES=$CFGDIR/sites
 TBLDIR=$XMCDLIB/tbl
-OWNER=bin
-GROUP=bin
-CDIRPERM=777
+OWNER=root
+GROUP=audio
+CDIRPERM=03775
 DFLT_CGIPATH='/~cddb/cddb.cgi'
 CDDBCATS="rock jazz blues newage classical reggae folk country soundtrack misc 
data"
 BROWSERS="mozilla netscape Mosaic"
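
Review bot: The new CDIRPERM=03775 default has no comment explaining the mode, and in this hunk it sits next to OWNER=root and GROUP=audio without saying how the three work together. 03775 is setgid plus sticky on top of rwxrwxr-x, so members of group audio can still create files in these directories while other users cannot write at all. A one-line comment above the three assignments would make that intent clear. It is also worth confirming that the script applies the new owner, group and mode to directories already created with the old 777, because the visible lines only change the variable defaults.
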
diff -u xmcd-2.6/debian/changelog xmcd-2.6/debian/changelog
--- xmcd-2.6/debian/changelog
+++ xmcd-2.6/debian/changelog
@@ -1,3 +1,11 @@
+xmcd (2.6-14woody1) oldstable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team
+  * Fully implemented non-world-writeable directories [libdi_d/config.sh
+    alias xmcdconfig, CVE-2006-2542]
+
+ -- Martin Schulze <[EMAIL PROTECTED]>  Thu, 25 May 2006 20:32:48 +0200
+
 xmcd (2.6-14) unstable; urgency=low
 
   * last upload of the day - list GPL version of COPYING files shipped
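
Review bot: The changelog entry "Fully implemented non-world-writeable directories" does not say what actually changed. Consider naming the change itself, that is the directory mode going from 777 to 03775 and the owner/group going from bin:bin to root:audio in libdi_d/config.sh, so that an administrator reading the changelog knows that write access now depends on membership in group audio. The phrase "alias xmcdconfig" in the bracket is also ambiguous and would read more clearly as "installed as xmcdconfig" if that is what is meant.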
