[Bug 216601] Re: [CVE-2008-1633] unspecified vulnerability relating to use of /tmp
** Branch linked: lp:ubuntu/karmic/mondo -- [CVE-2008-1633] unspecified vulnerability relating to use of /tmp https://bugs.launchpad.net/bugs/216601 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 216601] Re: [CVE-2008-1633] unspecified vulnerability relating to use of /tmp
The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life - http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the Gutsy task.

** Changed in: mondo (Ubuntu Gutsy)
Status: Confirmed => Won't Fix
[Bug 216601] Re: [CVE-2008-1633] unspecified vulnerability relating to use of /tmp
Indeed! My upload is totally broken and must be restored. And I need to figure out *why* I applied such a fix. Thanks for catching up.
[Bug 216601] Re: [CVE-2008-1633] unspecified vulnerability relating to use of /tmp
I erroneously inverted commit numbers while at http://tinyurl.com/5fpvds and reverted the fix, I'm very sorry for my silly error :( I reverted my previous upload to fix it.

** Changed in: mondo (Ubuntu Hardy)
Importance: Undecided => Medium
Status: Confirmed => Fix Released

** Changed in: mondo (Ubuntu)
Status: Confirmed => Fix Committed
[Bug 216601] Re: [CVE-2008-1633] unspecified vulnerability relating to use of /tmp
This bug was fixed in the package mondo - 2.24-2ubuntu2

---
mondo (2.24-2ubuntu2) intrepid; urgency=low

  * Revert my previous, broken upload and blame myself for reverting an already fixed package, this re-includes fix for CVE-2008-1633 and closes LP: #216601.

 -- Luca Falavigna [EMAIL PROTECTED] Fri, 17 Oct 2008 13:36:57 +0200

** Changed in: mondo (Ubuntu)
Status: Fix Committed => Fix Released
[Bug 216601] Re: [CVE-2008-1633] unspecified vulnerability relating to use of /tmp
2.24-2ubuntu1 uploaded for Intrepid.

** Changed in: mondo (Ubuntu)
Importance: Undecided => Medium
Assignee: (unassigned) => Luca Falavigna (dktrkranz)
Status: Confirmed => Fix Committed

** Changed in: mondo (Ubuntu Feisty)
Status: Confirmed => Won't Fix

** Changed in: mondo (Ubuntu Edgy)
Status: Invalid => Won't Fix
[Bug 216601] Re: [CVE-2008-1633] unspecified vulnerability relating to use of /tmp
This bug was fixed in the package mondo - 2.24-2ubuntu1

---
mondo (2.24-2ubuntu1) intrepid; urgency=low

  * SECURITY UPDATE: fix errors related to the usage of /tmp or MINDI_CACHE instead of bkpinfo->tmpdir (LP: #216601).
  * References:
    - CVE-2008-1633
    - http://trac.mondorescue.org/browser/branches/2.2.5, revno 1644

 -- Luca Falavigna [EMAIL PROTECTED] Fri, 17 Oct 2008 00:03:44 +0200

** Changed in: mondo (Ubuntu)
Status: Fix Committed => Fix Released
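The changelog entry above describes moving scratch files away from fixed locations and into the backup run's own temporary directory. As an added example (not mondo's code and not part of the original thread), the following C program shows one way to create such a private directory and to create files in it so that a name somebody else placed there first is refused; the helper names, the `example.tmp.` prefix and the constructed symlink are assumptions, and the two file names are borrowed from this thread only as labels.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: make a private (0700) directory with an unpredictable name under base. */
static int make_private_tmpdir(const char *base, char *out, size_t len)
{
    int n = snprintf(out, len, "%s/example.tmp.XXXXXX", base);
    if (n < 0 || (size_t)n >= len) return -1;
    return mkdtemp(out) ? 0 : -1;   /* mkdtemp fills in the XXXXXX and creates the directory */
}

/* Hypothetical helper: O_EXCL fails if anything, even a symlink, already sits at dir/name. */
static int create_scratch_file(const char *dir, const char *name)
{
    char path[512];
    int n = snprintf(path, sizeof path, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= sizeof path) return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Self-check on constructed input; returns 0 when every step behaves as described. */
int scratch_demo(void)
{
    char dir[256], p[512];
    struct stat st;
    const char *base = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    if (make_private_tmpdir(base, dir, sizeof dir) != 0) return 1;
    if (stat(dir, &st) != 0 || (st.st_mode & 0777) != 0700) return 2;
    int fd = create_scratch_file(dir, "changed.files");
    if (fd < 0) return 3;
    close(fd);
    snprintf(p, sizeof p, "%s/MA.log.gz", dir);
    if (symlink("/dev/null", p) != 0) return 4;   /* constructed pre-existing link */
    fd = create_scratch_file(dir, "MA.log.gz");   /* must be refused with EEXIST */
    int refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0) close(fd);
    unlink(p);
    snprintf(p, sizeof p, "%s/changed.files", dir);
    unlink(p);
    rmdir(dir);
    return refused ? 0 : 5;
}

int main(void) { return scratch_demo(); }
```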
[Bug 216601] Re: [CVE-2008-1633] unspecified vulnerability relating to use of /tmp
I've accepted this package into intrepid because there's no freeze justification for not doing so, but this is *not* a security fix:

[...] - if (length_of_file(MINDI_CACHE/changed.files) 2) { + + if (length_of_file(/tmp/changed.files) 2) { [...] system(rm -f /var/cache/mondo-archive/last-backup.aborted); + system(rm -Rf /tmp.mondo.* /mondo.scratch.*); if (!retval) { [...] log_if_success = TRUE; log_if_failure = TRUE; } - sprintf(callstr, %s %s/mondo-run-prog-thing.tmp 2 %s/mondo-run-prog-thing.err, -program, g_mondo_tmpdir, g_mondo_tmpdir); + sprintf(callstr, %s /tmp/mondo-run-prog-thing.tmp 2 /tmp/mondo-run-prog-thing.err, +program); while ((p = strchr(callstr, '\r'))) { *p = ' '; } [...] } printf(---FATALERROR--- %s\n, error_string); + sprintf(command, gzip -9c %s /tmp/MA.log.gz 2 /dev/null, MONDO_LOGFILE); - sprintf(command, gzip -9c %s %s/MA.log.gz 2 /dev/null, MONDO_LOGFILE, MINDI_CACHE); system(command); printf (If you require technical support, please contact the mailing list.\n); [...]

Using predictable filenames under /tmp is wrong, and at least some of these changes do *exactly* the wrong thing with /tmp. Reopening the bug.

** Changed in: mondo (Ubuntu)
Status: Fix Released => Confirmed
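Review bot: the added length_of_file(/tmp/changed.files) check reads a fixed name in a directory every local user can write to, so the result depends on a file this run may not have created. Keep the path under the directory the removed line used (MINDI_CACHE) or under the run's own temporary directory.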
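Review bot: the added system(rm -Rf /tmp.mondo.* /mondo.scratch.*) deletes recursively by glob rather than by the exact directories this run created, and nothing in the hunk checks what the patterns match. Remove only the temporary and scratch directory paths the program itself recorded, and do it without passing a wildcard to the shell.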
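Review bot: the added sprintf(callstr, ...) hard-codes /tmp/mondo-run-prog-thing.tmp and /tmp/mondo-run-prog-thing.err where the removed line used g_mondo_tmpdir, so every invocation shares the same two well-known names. Restore the g_mondo_tmpdir arguments; the call is also an unbounded sprintf into callstr with program supplied by the caller, which would be safer as snprintf with the buffer size.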
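Review bot: in the fatal-error path the added gzip command writes the compressed MONDO_LOGFILE to the fixed name /tmp/MA.log.gz instead of a path under MINDI_CACHE, which places a copy of the log in a shared directory under a name known in advance. Keep the output under MINDI_CACHE as the removed line did, or create it inside a private directory.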
[Bug 216601] Re: [CVE-2008-1633] unspecified vulnerability relating to use of /tmp
It looks like the issue in CVE-2008-1633 had been addressed in the previous upload (though not referenced) and that this upload is a reversion of the referenced upstream checkin at http://trac.mondorescue.org/changeset/1644/branches/2.2.5
[Bug 216601] Re: [CVE-2008-1633] unspecified vulnerability relating to use of /tmp
** Changed in: mondo (Debian)
Status: New => Fix Released
[Bug 216601] Re: [CVE-2008-1633] unspecified vulnerability relating to use of /tmp
The 18 month support period for Edgy Eft 6.10 has reached its end of life. As a result, we are closing the Edgy Eft task. However, please note that this report will remain open against the actively developed release. Thank you for your continued support and help as we debug this issue.

** Changed in: mondo (Ubuntu Edgy)
Status: New => Invalid

** Tags added: edgy-close
[Bug 216601] Re: [CVE-2008-1633] unspecified vulnerability relating to use of /tmp
** Changed in: mondo (Debian)
Status: Unknown => New
[Bug 216601] Re: [CVE-2008-1633] unspecified vulnerability relating to use of /tmp
** Bug watch added: Debian Bug tracker #475221
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475221

** Also affects: mondo (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475221
Importance: Unknown
Status: Unknown

** Visibility changed to: Public

** Changed in: mondo (Ubuntu Feisty)
Status: New => Confirmed

** Changed in: mondo (Ubuntu Hardy)
Status: New => Confirmed

** Changed in: mondo (Ubuntu Gutsy)
Status: New => Confirmed

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1633