Your message dated Sat, 08 Nov 2025 18:55:35 +0000 with message-id <[email protected]> and subject line Bug#1118064: Removed package(s) from unstable has caused the Debian Bug report #761879, regarding fotoxx: Insecure use of temporary files to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 761879: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761879 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: fotoxx Version: 11.11.1-1.1 Severity: important Tags: security (Irrelevent) Printing Issues ---------------------------- All three versions of fotoxx packaged for Debian (squeeze, wheezy, and jessie) make insecure use of a temporary file when printing in the function `wprintp` in zfuncs.cc. // print text dialogs void wprintp() { pid = getpid(); snprintf(tempfile,49,"/tmp/wprintp-%d",pid); err = wfiledump(mLog,tempfile); if (err) return; } Happily this code doesn't ever seem to be called, so it can be safely removed. Email Attachments ----------------- In version 11.11.1-1.1 (wheezy-only) the code to handle adding attachments to emails is seriously broken. The code in question is located in the function `email_dialog_event` in the file `fotoxx_tools.cc`, and in brief it: 1. Creates a temporary directory: /tmp/$USER/fotoxx/email 2. Removes *.jpg from that directory. 3. Copies the selected files to that directory, mandating a fixed naming pattern, after resizing/downsampling. 4. Builds up a command line: xdg-email --attach file1 --attach file2 .. 5. Executes it. The third step allows file-truncation and overwriting, due to the lack of testing for collisions in the output step. Global Lockfile --------------- In version 11.11.1-1.1 (wheezy-only) the file "/tmp/global_lock_fotoxx_syncfiles" is used insecurely as an attempt to avoid multiple syncs. Create the lockfile as a symlink and fotoxx will gladly follow it, creating an empty file. This could perhaps be leveraged if the symlink pointed to /etc/cron.d, or DoS via the creation of /etc/nologin if fotoxx is ever executed as root. $ ln -s /tmp/foo /tmp/global_lock_fotoxx_syncfiles $ ls -l /tmp/global_lock_fotoxx_syncfiles /tmp/global_lock_fotoxx_syncfiles -> /tmp/foo ls -l /tmp/foo ls: cannot access /tmp/foo: No such file or directory Now launch fotoxx and see that the file has been created: $ ls -1 /tmp/foo /tmp/foo 14.07.1 ------- This seems to unsafely create /tmp/fotoxx-%s based on the PID of the process. This should be investigated too. -- System Information: Debian Release: 7.6 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 3.14-0.bpo.1-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8) Shell: /bin/sh linked to /bin/dash Versions of packages fotoxx depends on: ii libatk1.0-0 2.4.0-2 ii libc6 2.13-38+deb7u4 ii libcairo2 1.12.2-3 ii libfontconfig1 2.9.0-7.1 ii libfreetype6 2.4.9-1.1 ii libgcc1 1:4.7.2-5 ii libgdk-pixbuf2.0-0 2.26.1-1 ii libglib2.0-0 2.33.12+really2.32.4-5 ii libgtk2.0-0 2.24.10-2 ii libpango1.0-0 1.30.0-1 ii libstdc++6 4.7.2-5 ii libtiff4 3.9.6-11 Versions of packages fotoxx recommends: ii libimage-exiftool-perl 8.60-2 pn libtiff <none> ii ufraw-batch 0.18-2 pn xgd-open <none> Versions of packages fotoxx suggests: ii brasero 3.4.1-4 -- no debconf information
--- End Message ---
--- Begin Message ---Version: 24.70-1+rm Dear submitter, as the package fotoxx has just been removed from the Debian archive unstable we hereby close the associated bug reports. We are sorry that we couldn't deal with your issue properly. For details on the removal, please see https://bugs.debian.org/1118064 The version of this package that was in Debian prior to this removal can still be found using https://snapshot.debian.org/. Please note that the changes have been done on the master archive and will not propagate to any mirrors until the next dinstall run at the earliest. This message was generated automatically; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]. Debian distribution maintenance software pp. Thorsten Alteholz (the ftpmaster behind the curtain)
--- End Message ---
