Your message dated Sat, 07 Oct 2023 21:34:31 +0000
with message-id <e1qpewr-00dm90...@fasolo.debian.org>
and subject line Bug#1052477: Removed package(s) from unstable
has caused the Debian Bug report #772473,
regarding xbindkeys-config: CVE-2014-9513: Insecure use of temporary files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
772473: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772473
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: xbindkeys-config
Version: 0.1.3-2
Severity: important
Tags: security

If you use this program and "view generated file" the current output
will be saved to the file /tmp/xbindkeysrc-tmp.

This allows the corruption of any file the user has permission to write
to.

Later this predictable file is used to execute commands:

/*****************************************************************************/
void middle_apply_action(GtkWidget *parent, void *data)
{

  unlink(TEMP_FILE); 
  save_file(TEMP_FILE);
  system("killall -9 xbindkeys");
  usleep(500);
  /* printf("****\n\noutput = %d\n\n****",system("xbindkeys -f " TEMP_FILE )); 
*/
  system("xbindkeys -f " TEMP_FILE );
}


Really most of this complexity could go away if we just assumed the
editor would write to a file the user specified, or ~/.xbindkeysrc.


Given the number of bugs that have been untouched for a long time this
package should probably not go into the Jessie release without a good
update.

Regardless this is a classic case of insecure-temporary files and should
almost certainly have a CVE ID allocated.

Steve


-- System Information:
Debian Release: 7.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-0.bpo.2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash

Versions of packages xbindkeys-config depends on:
ii  libatk1.0-0     2.4.0-2
ii  libc6           2.13-38+deb7u6
ii  libcairo2       1.12.2-3
ii  libfontconfig1  2.9.0-7.1
ii  libfreetype6    2.4.9-1.1
ii  libglib2.0-0    2.33.12+really2.32.4-5
ii  libgtk2.0-0     2.24.10-2
ii  libpango1.0-0   1.30.0-1
ii  xbindkeys       1.8.5-1
ii  zlib1g          1:1.2.7.dfsg-13

xbindkeys-config recommends no packages.

xbindkeys-config suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Version: 0.1.3-3+rm

Dear submitter,

as the package xbindkeys-config has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1052477

The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)

--- End Message ---

Reply via email to