Your message dated Sun, 6 Feb 2005 18:26:51 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Removed
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 29 Dec 2004 00:43:21 +0000
>From [EMAIL PROTECTED] Tue Dec 28 16:43:21 2004
Return-path: <[EMAIL PROTECTED]>
Received: from tornado.dat.etsit.upm.es (dat.etsit.upm.es) [138.100.17.73] 
        by spohr.debian.org with smtp (Exim 3.35 1 (Debian))
        id 1CjRvt-0008Vq-00; Tue, 28 Dec 2004 16:43:21 -0800
Received: (qmail 14876 invoked by uid 1013); 29 Dec 2004 00:43:19 -0000
Date: Wed, 29 Dec 2004 01:43:19 +0100
From: Javier =?iso-8859-1?Q?Fern=E1ndez-Sanguino_Pe=F1a?= <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: astats: Multiple temporary symlink vulnerabilities in the astats script
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="LKTjZJSUETSlgu2t"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040722i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 


--LKTjZJSUETSlgu2t
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Package: astats
Version: 1.6.5-2
Priority: grave
Tags: security sarge sid

The astats script does not protect itself from temporary filename attacks
since it creates files in an insecure manner (using names like
'/tmp/aStats-Graphic-Signature-Generation', '/tmp/aMule-temp1.png',
'/tmp/aMule-temp2.png', etc.). No checks are done to prevent symlink
attacks (set -C, for example).

IMHO this makes this script unsuitable for release.

Regards

Javier


--LKTjZJSUETSlgu2t
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFB0f2ni4sehJTrj0oRArAfAJ4vw0Uyez4NMgmWXEJCP5QIQD1XhwCbBVuM
eWrPrLuTielM1/Hldy5lR3s=
=PQ9/
-----END PGP SIGNATURE-----

--LKTjZJSUETSlgu2t--
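The bug class described in the report above, and the `set -C` mitigation it mentions, as an added example that is not part of this bug thread and not code from the astats package: a POSIX sh snippet with a small audit helper that flags hard-coded `/tmp` paths in a script, plus two hardened helpers, `make_workdir` (a private `mktemp -d` directory) and `write_new_file` (every redirect under noclobber). The sample script it scans is constructed here from the filenames listed in the report; the function names and the `aStats.XXXXXX` template are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the astats package or from this bug thread.
# Shows (1) a quick audit for hard-coded /tmp paths in a shell script and
# (2) the hardened alternative: a private mktemp directory plus noclobber
# (set -C) on every redirect, so a pre-planted symlink is never followed.

# --- 1. Audit: flag literal /tmp/<name> paths in a script read on stdin. ---
# Lines that build the name with mktemp are skipped; anything else using a
# fixed name in the shared /tmp is a candidate for the class of bug reported.
find_fixed_tmp_paths() {
    grep -n '/tmp/[A-Za-z0-9._-]' | grep -v mktemp
}

count_fixed_tmp_paths() {
    find_fixed_tmp_paths | wc -l | tr -d ' '
}

# Constructed sample in the style the report describes (not the real script).
SAMPLE_SCRIPT='#!/bin/sh
# constructed sample, filenames taken from the bug report
echo "generating signature" > /tmp/aStats-Graphic-Signature-Generation
convert signature.png /tmp/aMule-temp1.png
cat /tmp/aMule-temp1.png > /tmp/aMule-temp2.png
'

# --- 2. Hardened temp handling. ---
# mktemp -d creates a fresh 0700 directory with a random suffix; nobody else
# can guess the name in advance, so nothing can be planted inside it.
make_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/aStats.XXXXXX"
}

# Write $2 into the new file $1. Under set -C the shell refuses an existing
# regular file and otherwise opens the target with O_EXCL, so an existing
# path, a symlink to an existing file, or even a dangling symlink makes the
# redirect fail instead of writing through it. The subshell body keeps
# set -C from leaking into the caller.
write_new_file() (
    set -C
    printf '%s\n' "$2" > "$1"
)

# Stand-alone demonstration: audit the sample, then exercise the helpers.
demo() {
    echo "== audit of constructed sample =="
    printf '%s' "$SAMPLE_SCRIPT" | find_fixed_tmp_paths

    d=$(make_workdir) || return 1
    echo "== hardened writes in $d =="
    write_new_file "$d/report.txt" "first write" && echo "created report.txt"

    # Simulate a pre-planted dangling symlink at the path we are about to use
    # and confirm the hardened write refuses it.
    ln -s "$d/victim" "$d/planted"
    if write_new_file "$d/planted" "x"; then
        echo "BUG: wrote through the symlink"
    else
        echo "refused: $d/planted already exists (symlink)"
    fi
    [ -e "$d/victim" ] && echo "BUG: victim file was created"
    rm -rf "$d"
}

demo
```

The audit helper is deliberately coarse (any literal `/tmp/name` that is not built by `mktemp`); it is meant for a first pass over maintainer scripts and cron jobs, after which each hit is read by hand. Note that `set -C` alone only protects redirects; files produced by external tools (the `convert` line in the sample) still need to live in the `mktemp -d` directory to get the same guarantee.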

---------------------------------------
Received: (at 287604-done) by bugs.debian.org; 6 Feb 2005 18:26:58 +0000
>From [EMAIL PROTECTED] Sun Feb 06 10:26:57 2005
Return-path: <[EMAIL PROTECTED]>
Received: from bangpath.uucico.de [195.71.9.197] 
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1Cxr7Z-0002vy-00; Sun, 06 Feb 2005 10:26:57 -0800
Received: by bangpath.uucico.de (Postfix, from userid 10)
        id 8A2D626BCE; Sun,  6 Feb 2005 19:26:56 +0100 (CET)
Received: by deprecation.cyrius.com (Postfix, from userid 1000)
        id 812F84EE6A; Sun,  6 Feb 2005 18:26:51 +0000 (GMT)
Date: Sun, 6 Feb 2005 18:26:51 +0000
From: Martin Michlmayr <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Removed
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-2.0 required=4.0 tests=BAYES_00,ONEWORD autolearn=no 
        version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

This package has been removed ("RM: astats -- Security issues,
obsolete")
-- 
Martin Michlmayr
http://www.cyrius.com/

