Your message dated Mon, 12 Nov 2001 12:49:01 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Fixed in leksbot 1.2-3.1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Darren Benham
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 4 Nov 2001 09:39:16 +0000
>From [EMAIL PROTECTED] Sun Nov 04 03:39:16 2001
Return-path: <[EMAIL PROTECTED]>
Received: from mail.uni-kl.de [131.246.137.52] 
        by master.debian.org with esmtp (Exim 3.12 1 (Debian))
        id 160JkK-0005Ng-00; Sun, 04 Nov 2001 03:39:16 -0600
Received: from sushi.unix-ag.uni-kl.de (sushi.unix-ag.uni-kl.de [131.246.89.13])
        by mail.uni-kl.de (8.11.5/8.11.5) with ESMTP id fA49dCY05309
        for <[EMAIL PROTECTED]>; Sun, 4 Nov 2001 10:39:12 +0100 (MET)
Received: (from [EMAIL PROTECTED])
        by sushi.unix-ag.uni-kl.de (8.12.0.Beta19/8.12.0.Beta19) id 
fA49dEkD031562;
        Sun, 4 Nov 2001 10:39:14 +0100
Message-Id: <[EMAIL PROTECTED]>
From: Maurice Massar <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: leksbot: insecure and unnecessary setuid-root binary
X-Reportbug-Version: 1.31
X-Mailer: reportbug 1.31
Date: Sun, 04 Nov 2001 10:39:13 +0100
Delivered-To: [EMAIL PROTECTED]

Package: leksbot
Version: 1.2-3
Severity: critical
Tags: security
Justification: root security hole

hi,

I just found this package while searching for setuid-root binaries:
-rwsr-xr-x    1 root     root         4060 Aug 29 21:29 /usr/bin/KATAXWR

Compiling the package from source results in this:
gcc kataxwr.c -O2 -o KATAXWR
/tmp/cc870UKD.o: In function `main':
/tmp/cc870UKD.o(.text+0xd1): the `gets' function is dangerous and should not be 
used.

Need I say more? ......

taking a look at the changelog:
> leksbot (1.2-1) unstable; urgency=low
[...]
>   * Set KATAXWR setuid so that every user can edit the lexikon Index

If we want all users to be able to write to this index,
better make that file world-writable.


-- System Information
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux sushi 2.4.5 #1 SMP Sat Jun 9 23:32:52 CEST 2001 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages leksbot depends on:
ii  libc6                         2.2.4-1    GNU C Library: Shared libraries an


---------------------------------------
Received: (at 118218-done) by bugs.debian.org; 12 Nov 2001 11:51:47 +0000
>From [EMAIL PROTECTED] Mon Nov 12 05:51:47 2001
Return-path: <[EMAIL PROTECTED]>
Received: from jagor.srce.hr [161.53.2.130] (mvela)
        by master.debian.org with esmtp (Exim 3.12 1 (Debian))
        id 163Fcw-0003OT-00; Mon, 12 Nov 2001 05:51:46 -0600
Received: (from [EMAIL PROTECTED])
        by jagor.srce.hr (8.9.3/8.9.3) id MAA04246
        for [EMAIL PROTECTED]; Mon, 12 Nov 2001 12:49:01 +0100 (MET)
Date: Mon, 12 Nov 2001 12:49:01 +0100
From: Matej Vela <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Fixed in leksbot 1.2-3.1
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Delivered-To: [EMAIL PROTECTED]

Here is the relevant changelog entry:

  leksbot (1.2-3.1) unstable; urgency=low

    * Don't have KATAXWR setuid, rather make the Index world writable.

   -- David Kimdon <[EMAIL PROTECTED]>  Fri,  9 Nov 2001 00:43:36 -0800


Thanks,

Matej
