Bug#440411: marked as done (checkrestart: arbitrary root-privileged command execution)
Your message dated Sat, 26 Jul 2008 09:40:26 + with message-id <[EMAIL PROTECTED]> and subject line Bug#440411: fixed in debian-goodies 0.27+etch1 has caused the Debian Bug report #440411, regarding checkrestart: arbitrary root-privileged command execution to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [EMAIL PROTECTED] immediately.) -- 440411: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440411 Debian Bug Tracking System Contact [EMAIL PROTECTED] with problems --- Begin Message --- Package: debian-goodies Version: 0.33 Severity: grave Tags: security Hi, The checkrestart program from debian-goodies (both latest 0.33 and stable 0.27) allows arbitrary command execution with root privileges. Example: $ cp /bin/sleep "; OWNED" $ ./"; OWNED" 1000 & $ rm "; OWNED" $ sudo checkrestart ... sh: OWNED: command not found ... Since this program is likely launched as a daily root cron job on some systems, I think this is a grave security hole. The cause of the problem is the way "dpkg --search" is spawned from the main() function: ... dpkgQuery = 'dpkg --search ' + ' '.join(programs.keys()) for line in os.popen(dpkgQuery).readlines(): ... In my above example, one of the programs.keys() is "; OWNED", and thus the executed command is "dpkg --search ... ; OWNED ...". Fixing this should be as easy as: ... import subprocess ... dpkgQuery = ["dpkg", "--search"] + programs.keys() dpkgProc = subprocess.Popen(dpkgQuery, stdout=subprocess.PIPE) for line in dpkgProc.stdout.readlines(): ... This way, the command arguments are all well separated, without any shell interpretation. PS: sorry for any mistake i may have done in the way i've reported this bug. I'm not a Debian user, so i'm not used to your system. Actually, i just happened to come accross this "checkrestart" script reading a gentoo-dev@ post: http://article.gmane.org/gmane.linux.gentoo.devel/51366/ -- TGL. --- End Message --- --- Begin Message --- Source: debian-goodies Source-Version: 0.27+etch1 We believe that the bug you reported is fixed in the latest version of debian-goodies, which is due to be installed in the Debian FTP archive: debian-goodies_0.27+etch1.dsc to pool/main/d/debian-goodies/debian-goodies_0.27+etch1.dsc debian-goodies_0.27+etch1.tar.gz to pool/main/d/debian-goodies/debian-goodies_0.27+etch1.tar.gz debian-goodies_0.27+etch1_all.deb to pool/main/d/debian-goodies/debian-goodies_0.27+etch1_all.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Thijs Kinkhorst <[EMAIL PROTECTED]> (supplier of updated debian-goodies package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED]) -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Format: 1.7 Date: Mon, 24 Mar 2008 15:25:59 +0100 Source: debian-goodies Binary: debian-goodies Architecture: source all Version: 0.27+etch1 Distribution: stable-security Urgency: high Maintainer: Javier Fernandez-Sanguino Pen~a <[EMAIL PROTECTED]> Changed-By: Thijs Kinkhorst <[EMAIL PROTECTED]> Description: debian-goodies - Small toolbox-style utilities for Debian systems Closes: 440411 Changes: debian-goodies (0.27+etch1) stable-security; urgency=high . * Fix security bug that enables users to generate files in the filesystem with shell metacharacters and have the checkrestart script run external code (as root, since the script will only run as admin). Thanks to Thomas de Grenier de Latour for spotting this and providing a patch. (CVE-2007-3912, Closes: 440411) Files: 8653d033f9e6b9f0949fab2cc1813970 836 utils optional debian-goodies_0.27+etch1.dsc 089ff8f154eb3fe4bc47dd85f1581a65 28708 utils optional debian-goodies_0.27+etch1.tar.gz 2739973911e8b0d9ec12559507f6a708 36868 utils optional debian-goodies_0.27+etch1_all.deb -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) iQEVAwUBR+e62mz0hbPcukPfAQJYoAf/Vpo+8A6hntrKOR7jDp4pGT9v7HWhhJDS wltzzk4odJkE4OFrIi69roUACp6O46xRAvCi1KJjj/JizXjmcNGPsYoXq7sSUPNS uK7GZ0/Cnf70ArAM8hvu7m1+nggs7DEB/LdhJWvItYKufD4oBAP7XihDQPVe5kIr TCufoECwlt/Xd38bKR3dDWoP/Iu39JJ6vhVL84lKxt5d1viQ3cetajGzkWqnESdj srmuwclluK+gq68/va2blvgcKaZRweD8FI2YM5mF1P3OHdzPn2fGN7vK7YfsGZBh x8MYgNVkI5LGZE9QnDKLtF9ag5xPvWaPTo1PRcgITwdlyABaHI8CTQ== =3f0S -END P
Bug#440411: marked as done (checkrestart: arbitrary root-privileged command execution)
Your message dated Sat, 12 Apr 2008 17:54:36 + with message-id <[EMAIL PROTECTED]> and subject line Bug#440411: fixed in debian-goodies 0.23+sarge1 has caused the Debian Bug report #440411, regarding checkrestart: arbitrary root-privileged command execution to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [EMAIL PROTECTED] immediately.) -- 440411: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440411 Debian Bug Tracking System Contact [EMAIL PROTECTED] with problems --- Begin Message --- Package: debian-goodies Version: 0.33 Severity: grave Tags: security Hi, The checkrestart program from debian-goodies (both latest 0.33 and stable 0.27) allows arbitrary command execution with root privileges. Example: $ cp /bin/sleep "; OWNED" $ ./"; OWNED" 1000 & $ rm "; OWNED" $ sudo checkrestart ... sh: OWNED: command not found ... Since this program is likely launched as a daily root cron job on some systems, I think this is a grave security hole. The cause of the problem is the way "dpkg --search" is spawned from the main() function: ... dpkgQuery = 'dpkg --search ' + ' '.join(programs.keys()) for line in os.popen(dpkgQuery).readlines(): ... In my above example, one of the programs.keys() is "; OWNED", and thus the executed command is "dpkg --search ... ; OWNED ...". Fixing this should be as easy as: ... import subprocess ... dpkgQuery = ["dpkg", "--search"] + programs.keys() dpkgProc = subprocess.Popen(dpkgQuery, stdout=subprocess.PIPE) for line in dpkgProc.stdout.readlines(): ... This way, the command arguments are all well separated, without any shell interpretation. PS: sorry for any mistake i may have done in the way i've reported this bug. I'm not a Debian user, so i'm not used to your system. Actually, i just happened to come accross this "checkrestart" script reading a gentoo-dev@ post: http://article.gmane.org/gmane.linux.gentoo.devel/51366/ -- TGL. --- End Message --- --- Begin Message --- Source: debian-goodies Source-Version: 0.23+sarge1 We believe that the bug you reported is fixed in the latest version of debian-goodies, which is due to be installed in the Debian FTP archive: debian-goodies_0.23+sarge1.dsc to pool/main/d/debian-goodies/debian-goodies_0.23+sarge1.dsc debian-goodies_0.23+sarge1.tar.gz to pool/main/d/debian-goodies/debian-goodies_0.23+sarge1.tar.gz debian-goodies_0.23+sarge1_all.deb to pool/main/d/debian-goodies/debian-goodies_0.23+sarge1_all.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Thijs Kinkhorst <[EMAIL PROTECTED]> (supplier of updated debian-goodies package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED]) -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Format: 1.7 Date: Mon, 24 Mar 2008 15:13:00 +0100 Source: debian-goodies Binary: debian-goodies Architecture: source all Version: 0.23+sarge1 Distribution: oldstable-security Urgency: high Maintainer: Matt Zimmerman <[EMAIL PROTECTED]> Changed-By: Thijs Kinkhorst <[EMAIL PROTECTED]> Description: debian-goodies - Small toolbox-style utilities for Debian systems Closes: 440411 Changes: debian-goodies (0.23+sarge1) oldstable-security; urgency=high . * Non-maintainer upload by the security team. * Fix security bug that enables users to generate files in the filesystem with shell metacharacters and have the checkrestart script run external code (as root, since the script will only run as admin). (CVE-2007-3912, closes: 440411) Files: 37eb124fef7c9897ea41ec861ec740ff 819 utils optional debian-goodies_0.23+sarge1.dsc e0834e7e962fabc65362a60c73362585 11779 utils optional debian-goodies_0.23+sarge1.tar.gz c8bc8eab12c7e3f29e53f4172ee837a4 22488 utils optional debian-goodies_0.23+sarge1_all.deb -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) iQEVAwUBR+e5Y2z0hbPcukPfAQLBLAgAjN7dJp97Yis19s5xaPKcxKDfFUWD5Fcf w4RFo1Y9v/A0ra0oP4zQMijI8og2kyMhcYQPDQyaQU5nr4oihjVqb/b5hpYDhe2Y T0ErjGTHkBdgYJf6+NX3DNmCbvAnhSKkk7hsCP1r0q/PJQW7cVupah8JpesmysE2 +9ULUqWK1iP6sfeGh6OfC7qonj8va2Gq1uYaxbLd8wHgs53qkaiZZjdcTGRTwKUy DSNwJVGz6KNFeiqFIsYDQz6HPtCMNhP/5UKquF2hvol6UHZXyNy89Feci544fIY9 p7MIE/hzPy30HxzR560rgDaZPHaOvqNpsqx7TdoIhkadNWO9paj2MA== =pm4Q -END PGP SIGNATURE- --- End Messa
Bug#440411: marked as done (checkrestart: arbitrary root-privileged command execution)
Your message dated Wed, 02 Apr 2008 19:52:17 + with message-id <[EMAIL PROTECTED]> and subject line Bug#440411: fixed in debian-goodies 0.27+etch1 has caused the Debian Bug report #440411, regarding checkrestart: arbitrary root-privileged command execution to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [EMAIL PROTECTED] immediately.) -- 440411: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440411 Debian Bug Tracking System Contact [EMAIL PROTECTED] with problems --- Begin Message --- Package: debian-goodies Version: 0.33 Severity: grave Tags: security Hi, The checkrestart program from debian-goodies (both latest 0.33 and stable 0.27) allows arbitrary command execution with root privileges. Example: $ cp /bin/sleep "; OWNED" $ ./"; OWNED" 1000 & $ rm "; OWNED" $ sudo checkrestart ... sh: OWNED: command not found ... Since this program is likely launched as a daily root cron job on some systems, I think this is a grave security hole. The cause of the problem is the way "dpkg --search" is spawned from the main() function: ... dpkgQuery = 'dpkg --search ' + ' '.join(programs.keys()) for line in os.popen(dpkgQuery).readlines(): ... In my above example, one of the programs.keys() is "; OWNED", and thus the executed command is "dpkg --search ... ; OWNED ...". Fixing this should be as easy as: ... import subprocess ... dpkgQuery = ["dpkg", "--search"] + programs.keys() dpkgProc = subprocess.Popen(dpkgQuery, stdout=subprocess.PIPE) for line in dpkgProc.stdout.readlines(): ... This way, the command arguments are all well separated, without any shell interpretation. PS: sorry for any mistake i may have done in the way i've reported this bug. I'm not a Debian user, so i'm not used to your system. Actually, i just happened to come accross this "checkrestart" script reading a gentoo-dev@ post: http://article.gmane.org/gmane.linux.gentoo.devel/51366/ -- TGL. --- End Message --- --- Begin Message --- Source: debian-goodies Source-Version: 0.27+etch1 We believe that the bug you reported is fixed in the latest version of debian-goodies, which is due to be installed in the Debian FTP archive: debian-goodies_0.27+etch1.dsc to pool/main/d/debian-goodies/debian-goodies_0.27+etch1.dsc debian-goodies_0.27+etch1.tar.gz to pool/main/d/debian-goodies/debian-goodies_0.27+etch1.tar.gz debian-goodies_0.27+etch1_all.deb to pool/main/d/debian-goodies/debian-goodies_0.27+etch1_all.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Thijs Kinkhorst <[EMAIL PROTECTED]> (supplier of updated debian-goodies package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED]) -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Format: 1.7 Date: Mon, 24 Mar 2008 15:25:59 +0100 Source: debian-goodies Binary: debian-goodies Architecture: source all Version: 0.27+etch1 Distribution: stable-security Urgency: high Maintainer: Javier Fernandez-Sanguino Pen~a <[EMAIL PROTECTED]> Changed-By: Thijs Kinkhorst <[EMAIL PROTECTED]> Description: debian-goodies - Small toolbox-style utilities for Debian systems Closes: 440411 Changes: debian-goodies (0.27+etch1) stable-security; urgency=high . * Fix security bug that enables users to generate files in the filesystem with shell metacharacters and have the checkrestart script run external code (as root, since the script will only run as admin). Thanks to Thomas de Grenier de Latour for spotting this and providing a patch. (CVE-2007-3912, Closes: 440411) Files: 8653d033f9e6b9f0949fab2cc1813970 836 utils optional debian-goodies_0.27+etch1.dsc 089ff8f154eb3fe4bc47dd85f1581a65 28708 utils optional debian-goodies_0.27+etch1.tar.gz 2739973911e8b0d9ec12559507f6a708 36868 utils optional debian-goodies_0.27+etch1_all.deb -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) iQEVAwUBR+e62mz0hbPcukPfAQJYoAf/Vpo+8A6hntrKOR7jDp4pGT9v7HWhhJDS wltzzk4odJkE4OFrIi69roUACp6O46xRAvCi1KJjj/JizXjmcNGPsYoXq7sSUPNS uK7GZ0/Cnf70ArAM8hvu7m1+nggs7DEB/LdhJWvItYKufD4oBAP7XihDQPVe5kIr TCufoECwlt/Xd38bKR3dDWoP/Iu39JJ6vhVL84lKxt5d1viQ3cetajGzkWqnESdj srmuwclluK+gq68/va2blvgcKaZRweD8FI2YM5mF1P3OHdzPn2fGN7vK7YfsGZBh x8MYgNVkI5LGZE9QnDKLtF9ag5xPvWaPTo1PRcgITwdlyABaHI8CTQ== =3f0S -END P
Bug#440411: marked as done (checkrestart: arbitrary root-privileged command execution)
Your message dated Sat, 29 Mar 2008 19:52:16 + with message-id <[EMAIL PROTECTED]> and subject line Bug#440411: fixed in debian-goodies 0.23+sarge1 has caused the Debian Bug report #440411, regarding checkrestart: arbitrary root-privileged command execution to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [EMAIL PROTECTED] immediately.) -- 440411: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440411 Debian Bug Tracking System Contact [EMAIL PROTECTED] with problems --- Begin Message --- Package: debian-goodies Version: 0.33 Severity: grave Tags: security Hi, The checkrestart program from debian-goodies (both latest 0.33 and stable 0.27) allows arbitrary command execution with root privileges. Example: $ cp /bin/sleep "; OWNED" $ ./"; OWNED" 1000 & $ rm "; OWNED" $ sudo checkrestart ... sh: OWNED: command not found ... Since this program is likely launched as a daily root cron job on some systems, I think this is a grave security hole. The cause of the problem is the way "dpkg --search" is spawned from the main() function: ... dpkgQuery = 'dpkg --search ' + ' '.join(programs.keys()) for line in os.popen(dpkgQuery).readlines(): ... In my above example, one of the programs.keys() is "; OWNED", and thus the executed command is "dpkg --search ... ; OWNED ...". Fixing this should be as easy as: ... import subprocess ... dpkgQuery = ["dpkg", "--search"] + programs.keys() dpkgProc = subprocess.Popen(dpkgQuery, stdout=subprocess.PIPE) for line in dpkgProc.stdout.readlines(): ... This way, the command arguments are all well separated, without any shell interpretation. PS: sorry for any mistake i may have done in the way i've reported this bug. I'm not a Debian user, so i'm not used to your system. Actually, i just happened to come accross this "checkrestart" script reading a gentoo-dev@ post: http://article.gmane.org/gmane.linux.gentoo.devel/51366/ -- TGL. --- End Message --- --- Begin Message --- Source: debian-goodies Source-Version: 0.23+sarge1 We believe that the bug you reported is fixed in the latest version of debian-goodies, which is due to be installed in the Debian FTP archive: debian-goodies_0.23+sarge1.dsc to pool/main/d/debian-goodies/debian-goodies_0.23+sarge1.dsc debian-goodies_0.23+sarge1.tar.gz to pool/main/d/debian-goodies/debian-goodies_0.23+sarge1.tar.gz debian-goodies_0.23+sarge1_all.deb to pool/main/d/debian-goodies/debian-goodies_0.23+sarge1_all.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Thijs Kinkhorst <[EMAIL PROTECTED]> (supplier of updated debian-goodies package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED]) -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Format: 1.7 Date: Mon, 24 Mar 2008 15:13:00 +0100 Source: debian-goodies Binary: debian-goodies Architecture: source all Version: 0.23+sarge1 Distribution: oldstable-security Urgency: high Maintainer: Matt Zimmerman <[EMAIL PROTECTED]> Changed-By: Thijs Kinkhorst <[EMAIL PROTECTED]> Description: debian-goodies - Small toolbox-style utilities for Debian systems Closes: 440411 Changes: debian-goodies (0.23+sarge1) oldstable-security; urgency=high . * Non-maintainer upload by the security team. * Fix security bug that enables users to generate files in the filesystem with shell metacharacters and have the checkrestart script run external code (as root, since the script will only run as admin). (CVE-2007-3912, closes: 440411) Files: 37eb124fef7c9897ea41ec861ec740ff 819 utils optional debian-goodies_0.23+sarge1.dsc e0834e7e962fabc65362a60c73362585 11779 utils optional debian-goodies_0.23+sarge1.tar.gz c8bc8eab12c7e3f29e53f4172ee837a4 22488 utils optional debian-goodies_0.23+sarge1_all.deb -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) iQEVAwUBR+e5Y2z0hbPcukPfAQLBLAgAjN7dJp97Yis19s5xaPKcxKDfFUWD5Fcf w4RFo1Y9v/A0ra0oP4zQMijI8og2kyMhcYQPDQyaQU5nr4oihjVqb/b5hpYDhe2Y T0ErjGTHkBdgYJf6+NX3DNmCbvAnhSKkk7hsCP1r0q/PJQW7cVupah8JpesmysE2 +9ULUqWK1iP6sfeGh6OfC7qonj8va2Gq1uYaxbLd8wHgs53qkaiZZjdcTGRTwKUy DSNwJVGz6KNFeiqFIsYDQz6HPtCMNhP/5UKquF2hvol6UHZXyNy89Feci544fIY9 p7MIE/hzPy30HxzR560rgDaZPHaOvqNpsqx7TdoIhkadNWO9paj2MA== =pm4Q -END PGP SIGNATURE- --- End Messa
Bug#440411: marked as done (checkrestart: arbitrary root-privileged command execution)
Your message dated Sun, 02 Sep 2007 21:17:02 + with message-id <[EMAIL PROTECTED]> and subject line Bug#440411: fixed in debian-goodies 0.34 has caused the attached Bug report to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database) --- Begin Message --- Package: debian-goodies Version: 0.33 Severity: grave Tags: security Hi, The checkrestart program from debian-goodies (both latest 0.33 and stable 0.27) allows arbitrary command execution with root privileges. Example: $ cp /bin/sleep "; OWNED" $ ./"; OWNED" 1000 & $ rm "; OWNED" $ sudo checkrestart ... sh: OWNED: command not found ... Since this program is likely launched as a daily root cron job on some systems, I think this is a grave security hole. The cause of the problem is the way "dpkg --search" is spawned from the main() function: ... dpkgQuery = 'dpkg --search ' + ' '.join(programs.keys()) for line in os.popen(dpkgQuery).readlines(): ... In my above example, one of the programs.keys() is "; OWNED", and thus the executed command is "dpkg --search ... ; OWNED ...". Fixing this should be as easy as: ... import subprocess ... dpkgQuery = ["dpkg", "--search"] + programs.keys() dpkgProc = subprocess.Popen(dpkgQuery, stdout=subprocess.PIPE) for line in dpkgProc.stdout.readlines(): ... This way, the command arguments are all well separated, without any shell interpretation. PS: sorry for any mistake i may have done in the way i've reported this bug. I'm not a Debian user, so i'm not used to your system. Actually, i just happened to come accross this "checkrestart" script reading a gentoo-dev@ post: http://article.gmane.org/gmane.linux.gentoo.devel/51366/ -- TGL. --- End Message --- --- Begin Message --- Source: debian-goodies Source-Version: 0.34 We believe that the bug you reported is fixed in the latest version of debian-goodies, which is due to be installed in the Debian FTP archive: debian-goodies_0.34.dsc to pool/main/d/debian-goodies/debian-goodies_0.34.dsc debian-goodies_0.34.tar.gz to pool/main/d/debian-goodies/debian-goodies_0.34.tar.gz debian-goodies_0.34_all.deb to pool/main/d/debian-goodies/debian-goodies_0.34_all.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Javier Fernandez-Sanguino Pen~a <[EMAIL PROTECTED]> (supplier of updated debian-goodies package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED]) -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Format: 1.7 Date: Sun, 02 Sep 2007 23:07:30 +0200 Source: debian-goodies Binary: debian-goodies Architecture: source all Version: 0.34 Distribution: unstable Urgency: high Maintainer: Javier Fernandez-Sanguino Pen~a <[EMAIL PROTECTED]> Changed-By: Javier Fernandez-Sanguino Pen~a <[EMAIL PROTECTED]> Description: debian-goodies - Small toolbox-style utilities for Debian systems Closes: 440411 Changes: debian-goodies (0.34) unstable; urgency=high . * Fix security bug that enables users to generate files in the filesystem with shell metacharacters and have the checkrestart script run external code (as root, since the script will only run as admin) (Closes: 440411) Files: ba71a7cecbfb0c053fb3bdd5c5d1444b 530 utils optional debian-goodies_0.34.dsc 5377a64b6065c5b96e7409554754eadf 37345 utils optional debian-goodies_0.34.tar.gz 80ded012d3d83b6552171206df57f7bd 44854 utils optional debian-goodies_0.34_all.deb -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFG2yajsandgtyBSwkRAkPaAJkBRYtUTlKPSbnFA4t0bspZloB61QCcDWBt N9hG19lBaOIfiR+cqtSr8sQ= =pOLa -END PGP SIGNATURE- --- End Message ---