Your message dated Sun, 17 Jun 2007 00:17:03 +0000 with message-id <[EMAIL PROTECTED]> and subject line Bug#429160: fixed in po4a 0.31-1 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: po4a
Version: 0.29-1
Severity: grave
Tags: security patch

If you run po4a-gettextize on contents that do not get converted to PO files due to some issue, the script will dump its results in /tmp/gettextization.failed.po. The script uses a file in the /tmp directory but does not try to prevent a symlink attack. A malicious user could create a symlink named like that in the temporary directory and pointing to one of the user's files, so that when a user runs po4a-gettextize (and fails) the file the symlink pointed to would get overwritten.

The fix is, IMHO, simple: just dump the results in the local directory, don't use /tmp at all (it is, after all, unnecessary). The attached patch to /usr/share/perl5/Locale/Po4a/Po.pm fixes this issue.

Regards

Javier

--- Po.pm.orig 2007-06-16 02:10:41.000000000 +0200 +++ Po.pm 2007-06-16 02:10:55.000000000 +0200 @@ -451,14 +451,14 @@ # Make sure both type are the same # if ($typeorig ne $typetrans){ - $pores->write("/tmp/gettextization.failed.po"); + $pores->write("gettextization.failed.po"); die wrap_msg(dgettext("po4a", "po4a gettextization: Structure disparity between original and translated files:\n". "msgid (at %s) is of type '%s' while\n". "msgstr (at %s) is of type '%s'.\n". "Original text: %s\n". "Translated text: %s\n". - "(result so far dumped to /tmp/gettextization.failed.po)")."%s", + "(result so far dumped to gettextization.failed.po)")."%s", $reforig, $typeorig, $reftrans, $typetrans, $orig, $trans,$toobad); }
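Review bot: The replacement line `+ $pores->write("gettextization.failed.po");` still opens a fixed, predictable file name, now relative to whatever directory the user runs from, and it executes before the `die` that reports the structure disparity. Two things to address in this hunk: an existing gettextization.failed.po (or a symlink of that name) in the current directory is silently overwritten, and if write() fails on an unwritable directory the user may never see the disparity diagnostic that is the actual point of this code path. Suggest creating the dump with an exclusive open (O_EXCL, plus O_NOFOLLOW where available) or a File::Temp template such as gettextization.failed.XXXXXX.po, and guarding the write (for example in an eval) so the die message is always reached; the `+ "(result so far dumped to gettextization.failed.po)"` text would then need to report the name actually used.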
--- End Message ---
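The hazard Javier describes, as an added Python example that is not po4a code: the reported write pattern beside two hardened variants, exercised against a symlink planted in a private temporary directory. The file names and the demo() helper are constructed for this illustration, and POSIX symlink semantics are assumed.

```python
import os
import tempfile


def write_dump_unsafe(path: str, data: str) -> None:
    # The reported pattern: a plain open() for writing follows a symlink,
    # so the dump lands wherever the pre-planted link points.
    with open(path, "w") as fh:
        fh.write(data)


def write_dump_safe(path: str, data: str) -> None:
    # Hardened: O_EXCL makes open() fail if anything (file or symlink) already
    # exists at the path; O_NOFOLLOW also refuses symlinks where the OS defines it.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)  # raises OSError instead of clobbering
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def write_dump_unique(directory: str, data: str) -> str:
    # Alternative: mkstemp picks a fresh, unpredictable name with O_EXCL, so
    # neither a pre-planted link nor a stale dump from an earlier run is hit.
    fd, path = tempfile.mkstemp(prefix="gettextization.failed.", suffix=".po", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    # Constructed scenario in a private temp dir (hypothetical helper, not po4a).
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")
        link = os.path.join(d, "gettextization.failed.po")
        with open(victim, "w") as fh:
            fh.write("original")
        os.symlink(victim, link)  # the pre-planted link from the report
        write_dump_unsafe(link, "dumped")
        with open(victim) as fh:
            after_unsafe = fh.read()  # victim's content replaced
        with open(victim, "w") as fh:
            fh.write("original")  # restore, then retry with the hardened writer
        try:
            write_dump_safe(link, "dumped")
            refused = False
        except OSError:
            refused = True
        with open(victim) as fh:
            after_safe = fh.read()  # untouched
        unique = write_dump_unique(d, "dumped")
        unique_ok = os.path.basename(unique).startswith("gettextization.failed.") and not os.path.islink(unique)
    return {"after_unsafe": after_unsafe, "refused": refused, "after_safe": after_safe, "unique_ok": unique_ok}
```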
--- Begin Message ---
Source: po4a
Source-Version: 0.31-1

We believe that the bug you reported is fixed in the latest version of po4a, which is due to be installed in the Debian FTP archive:

po4a_0.31-1.diff.gz to pool/main/p/po4a/po4a_0.31-1.diff.gz
po4a_0.31-1.dsc to pool/main/p/po4a/po4a_0.31-1.dsc
po4a_0.31-1_all.deb to pool/main/p/po4a/po4a_0.31-1_all.deb
po4a_0.31.orig.tar.gz to pool/main/p/po4a/po4a_0.31.orig.tar.gz

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nicolas FRANCOIS (Nekral) <[EMAIL PROTECTED]> (supplier of updated po4a package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Sat, 24 Mar 2007 21:19:01 +0100
Source: po4a
Binary: po4a
Architecture: source all
Version: 0.31-1
Distribution: unstable
Urgency: low
Maintainer: Nicolas FRANCOIS (Nekral) <[EMAIL PROTECTED]>
Changed-By: Nicolas FRANCOIS (Nekral) <[EMAIL PROTECTED]>
Description:
 po4a - tools for helping translation of documentation
Closes: 415643 429160
Changes:
 po4a (0.31-1) unstable; urgency=low
 .
   * New upstream release.
     - New options for po4a: --msgid-bugs-address and --copyright-holder.
       Options can also be set in the configuration files. Closes: #415643
     - gettext (>= 0.16) is needed (use of the --previous flag).
   * Fix symlink attacks in /tmp vulnerability. Thanks to Javier Fernández-Sanguino Peña. Closes: #429160
   * Update the FSF address.
   * Update the debian/copyright to mention the actual copyrights and the upstream location
Files:
 ba306098b27cbb10fbed957b3c94a7cb 717 text optional po4a_0.31-1.dsc
 c814a2205a21236c56dac69e88a7f20a 834753 text optional po4a_0.31.orig.tar.gz
 0fc6846b38188d136cb78aa596a0a701 164024 text optional po4a_0.31-1.diff.gz
 89ea608f82deb4c96a9fc2a7d6e0d8f7 719790 text optional po4a_0.31-1_all.deb
--- End Message ---