Your message dated Sun, 6 Feb 2005 18:26:51 +0000 with message-id <[EMAIL PROTECTED]> and subject line Removed has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 29 Dec 2004 00:43:21 +0000
Date: Wed, 29 Dec 2004 01:43:19 +0100
From: Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: astats: Multiple temporary symlink vulnerabilities in the astats script

Package: astats
Version: 1.6.5-2
Priority: grave
Tags: security sarge sid

The astats script does not protect itself from temporary filename attacks since it creates files in an insecure manner (using names like '/tmp/aStats-Graphic-Signature-Generation', '/tmp/aMule-temp1.png', '/tmp/aMule-temp2.png', etc.). No checks are done to prevent symlink attacks (set -C, for example).

IMHO this makes this script unsuitable for release.

Regards

Javier

---------------------------------------
Received: (at 287604-done) by bugs.debian.org; 6 Feb 2005 18:26:58 +0000
Date: Sun, 6 Feb 2005 18:26:51 +0000
From: Martin Michlmayr <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Removed

This package has been removed ("RM: astats -- Security issues, obsolete")
-- 
Martin Michlmayr
http://www.cyrius.com/
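
The report above names fixed /tmp file names and the missing 'set -C' check. The following is an added example, not code from astats or from either message: it contrasts a plain '>' on a predictable name with 'set -C' and with mktemp. The function names, the sandbox layout and the 'aStats.XXXXXX' template are constructed for illustration.

```sh
#!/bin/sh
# Added example (not astats code). Every path is constructed and
# lives in a private sandbox directory created by make_sandbox.

# Pattern the report objects to: '>' on a fixed, predictable name.
# If a symlink already sits at that name, the write follows it.
write_fixed() {                # $1 = path, $2 = data
    printf '%s\n' "$2" > "$1"
}

# 'set -C' (noclobber): '>' fails when the name already exists,
# symlinks included. The subshell keeps the option local.
write_noclobber() {            # $1 = path, $2 = data
    ( set -C; printf '%s\n' "$2" > "$1" ) 2>/dev/null
}

# mktemp picks an unpredictable name and creates the file
# exclusively (mode 0600); the new path is printed on stdout.
write_mktemp() {               # $1 = directory, $2 = data
    tmpfile=$(mktemp "$1/aStats.XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmpfile" && printf '%s\n' "$tmpfile"
}

# Simulate a name that someone else created first:
#   $SANDBOX/predictable.png -> $SANDBOX/victim
make_sandbox() {
    SANDBOX=$(mktemp -d) || return 1
    printf 'original\n' > "$SANDBOX/victim"
    ln -s "$SANDBOX/victim" "$SANDBOX/predictable.png"
}

demo() {
    make_sandbox || return 1
    write_fixed "$SANDBOX/predictable.png" "graph data"
    echo "plain '>':  victim holds '$(cat "$SANDBOX/victim")'"
    printf 'original\n' > "$SANDBOX/victim"
    write_noclobber "$SANDBOX/predictable.png" "graph data" ||
        echo "set -C:     write refused, victim holds '$(cat "$SANDBOX/victim")'"
    echo "mktemp:     wrote $(write_mktemp "$SANDBOX" "graph data")"
    rm -rf "$SANDBOX"
}
demo
```

'set -C' only guards the shell's own '>' redirections; a file written by a program the script invokes needs a path created by mktemp, or a private directory from 'mktemp -d'.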