Your message dated Mon, 12 Sep 2016 22:19:38 +0000
with message-id <e1bjzzi-00023e...@franck.debian.org>
and subject line Bug#837534: fixed in apt-listchanges 3.4
has caused the Debian Bug report #837534,
regarding apt-listchanges: postinst runs a Python script out of /tmp/
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
837534: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837534
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apt-listchanges
Version: 3.3
Severity: critical
Tags: security
The postinst script runs a Python script that it creates in /tmp/.
Unfortunately, Python will add the directory where the script resides
to sys.path, and all the imports will thus be resolved in that
directory.
A simple user could create "/tmp/debconf.py" for example and have
his code executed by root the next time that apt-listchanges
is upgraded/configured.
(cf. recent discussion on debian-devel,
https://lists.debian.org/87twdq4cqx....@hope.eyrie.org)
You should thus create that temporary file in a root-owned
directory which is specific to apt-listchanges.
You should also review whether that issue needs to be fixed in
stable/oldstable...
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages apt-listchanges depends on:
ii apt 1.3~rc4
ii debconf [debconf-2.0] 1.5.59
ii debianutils 4.8
ii python3-apt 1.1.0~beta5
pn python3:any <none>
ii ucf 3.0036
apt-listchanges recommends no packages.
Versions of packages apt-listchanges suggests:
ii chromium [www-browser] 53.0.2785.92-2
ii eterm [x-terminal-emulator] 0.9.6-4
ii firefox-esr [www-browser] 45.3.0esr-2
ii gnome-terminal [x-terminal-emulator] 3.21.90-3
ii lynx [www-browser] 2.8.9dev9-1
ii postfix [mail-transport-agent] 3.1.0-5+b1
ii python3-gi 3.21.91-2
ii terminator [x-terminal-emulator] 0.98-1
ii w3m [www-browser] 0.5.3-29
ii xterm [x-terminal-emulator] 325-1
-- debconf information excluded
--- End Message ---
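The hardened pattern the report asks for, as an added example that is not part of this bug thread nor of apt-listchanges' own maintainer scripts: the helper is written into a directory made by `mktemp -d' rather than into /tmp/, so the directory Python prepends to sys.path is writable only by the invoking user. The function names and the helper body are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not apt-listchanges' own postinst): execute a generated
# Python helper from a freshly created private directory instead of /tmp/.
# Python prepends the script's directory to sys.path, so that directory must
# be one only the invoking user (root, under dpkg) can write to.
# dir_is_private, run_helper_safely and demo_helper are names assumed here.

# dir_is_private DIR: succeeds only if DIR is owned by the current user and
# has neither the group- nor the other-write bit set. Parsing `ls -ldn'
# (numeric owner) keeps the check portable between GNU and BSD userlands.
dir_is_private() {
    set -- $(ls -ldn "$1")
    [ "$3" = "$(id -u)" ] || return 1
    case "$1" in
        d????-??-?*) return 0 ;;   # chars 6 and 9 are the g/o write bits
        *)           return 1 ;;
    esac
}

# run_helper_safely NAME BODY: writes BODY to NAME.py inside a directory made
# by `mktemp -d' (mode 0700), runs it with python3, removes the directory and
# returns the helper's exit status. The dir_is_private call is a
# defence-in-depth check that the directory really came out private.
run_helper_safely() {
    name=$1 body=$2
    workdir=$(mktemp -d) || return 1
    if ! dir_is_private "$workdir"; then
        rm -rf "$workdir"
        return 1
    fi
    printf '%s\n' "$body" > "$workdir/$name.py"
    # `python3 -I' (isolated mode, Python >= 3.4) would additionally ignore
    # PYTHONPATH and the user site directory; the private directory is what
    # the bug report asks for, so the plain invocation is shown here.
    python3 "$workdir/$name.py"
    status=$?
    rm -rf "$workdir"
    return $status
}

# demo_helper: runs a constructed helper that checks, from inside Python,
# that sys.path[0] (where "import debconf" would be resolved from first)
# is neither group- nor world-writable. Exit status 0 means the check passed.
demo_helper() {
    run_helper_safely debconf_helper \
'import os, sys
mode = os.stat(sys.path[0]).st_mode
raise SystemExit(0 if (mode & 0o022) == 0 else 1)'
}
```

Run `dir_is_private /tmp` to see the world-writable case fail, and `demo_helper` to see the private-directory case pass.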
--- Begin Message ---
Source: apt-listchanges
Source-Version: 3.4
We believe that the bug you reported is fixed in the latest version of
apt-listchanges, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 837...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Robert Luberda <rob...@debian.org> (supplier of updated apt-listchanges package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Mon, 12 Sep 2016 22:47:40 +0200
Source: apt-listchanges
Binary: apt-listchanges
Architecture: source all
Version: 3.4
Distribution: unstable
Urgency: high
Maintainer: Robert Luberda <rob...@debian.org>
Changed-By: Robert Luberda <rob...@debian.org>
Description:
apt-listchanges - package change history notification tool
Closes: 835046 835375 837534
Changes:
apt-listchanges (3.4) unstable; urgency=high
.
* Fix the security issue introduced in version 3.2: make config and postinst
scripts create new directory (with the help of `mktemp') for the helper
Python script they execute (closes: #837534).
* When aptitude/synaptic/etc. is used to install new upgrades without being
restarted after apt-listchanges upgrade, it might happen that the value
of APT_HOOK_INFO_FD is still 0. Do not fail on such a value, but display
a warning instead (closes: #835046, LP: #1614191).
* Print a warning message if an e-mail cannot be sent (closes: #835375).
--- End Message ---