Debian Bug report logs - #282815
cscope: Vulnerable to CAN-2004-0996

version graph

Package: cscope; Maintainer for cscope is Tobias Klauser <>; Source for cscope is src:cscope.

Reported by: Martin Pitt <>

Date: Wed, 24 Nov 2004 18:03:11 UTC

Severity: grave

Tags: fixed, patch, security

Found in version 15.5-1

Fixed in version cscope/15.5+cvs20050816-1

Done: Anthony Fok <>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to, Anthony Fok <>:
Bug#282815; Package cscope. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <>:
New Bug report received and forwarded. Copy sent to Anthony Fok <>. Full text and rfc822 format available.

Message #5 received at (full text, mbox):

From: Martin Pitt <>
To: Debian Bug Tracking System <>
Subject: cscope: Vulnerable to CAN-2004-0996
Date: Wed, 24 Nov 2004 18:57:46 +0100
[Message part 1 (text/plain, inline)]
Package: cscope
Version: 15.5-1
Severity: grave
Tags: security patch
Justification: user security hole


cscope is vulnerable to a temporary file flaw (CAN-2004-0996). See

for details. I just prepared an updated Ubuntu package, you can get
the debdiff from

Joey is already notified, he cares for a woody update. Please fix the
unstable and testing version.



-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.9
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8

Martin Pitt             
Ubuntu Developer  
Debian GNU/Linux Developer
[signature.asc (application/pgp-signature, inline)]

Tags added: fixed Request was from Joey Hess <> to Full text and rfc822 format available.

Reply sent to Anthony Fok <>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Martin Pitt <>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #12 received at (full text, mbox):

From: Anthony Fok <>
Subject: Bug#282815: fixed in cscope 15.5+cvs20050816-1
Date: Sun, 13 Nov 2005 07:02:03 -0800
Source: cscope
Source-Version: 15.5+cvs20050816-1

We believe that the bug you reported is fixed in the latest version of
cscope, which is due to be installed in the Debian FTP archive:

  to pool/main/c/cscope/cscope_15.5+cvs20050816-1.diff.gz
  to pool/main/c/cscope/cscope_15.5+cvs20050816-1.dsc
  to pool/main/c/cscope/cscope_15.5+cvs20050816-1_i386.deb
  to pool/main/c/cscope/cscope_15.5+cvs20050816.orig.tar.gz

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Anthony Fok <> (supplier of updated cscope package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing

Hash: SHA1

Format: 1.7
Date: Sun, 13 Nov 2005 00:30:02 +0800
Source: cscope
Binary: cscope
Architecture: source i386
Version: 15.5+cvs20050816-1
Distribution: unstable
Urgency: low
Maintainer: Anthony Fok <>
Changed-By: Anthony Fok <>
 cscope     - Interactively examine a C program source
Closes: 282815 298931 315466
 cscope (15.5+cvs20050816-1) unstable; urgency=low
   * New upstream CVS as of 2005-08-16.  Fixes the following in Debian BTS:
      - 2004-06-23  Hans-Bernhard Broeker  <>
         * src/dir.c (makefilelist): Fix broken movement of point_in_line
           when parsing quoted names.  Simplify structure by moving default
           handling upward.
        Closes: Bug#298931 - bug in handling quote-protected filenames in
      - 2004-12-06  Neil Horman  <>
         * src/main.c: Fix for temp file security bug (sourceforge
           bug number 1062807 / CAN-2004-0970 [sic, should be CAN-2004-0996])
        Acknowledge NMU of 15.5-1.1 (Thanks to Joey Hess, Martin Pitt
        and Gerardo Di Giacomo).  Upstream fixed the same issue in a
        slightly different way, by creating a temp directory to store
        the temp files.  (Closes: #282815)
   * xcscope.el: Applied Lasse Kantola's change_let_to_setq.patch
     so that disabling of fuzzy matching would work correctly.
     (Closes: Bug#315466)
   * Adds Build-Depends: automake1.7 to avoid warnings.
   * Updated Standards-Version: from to 3.6.2.
   * Updated author list in debian/copyright.
 29e07b4cf15de58be9c290279e255040 645 devel optional cscope_15.5+cvs20050816-1.dsc
 77267e7e0b9e3ec4a223313be08f7a06 261713 devel optional cscope_15.5+cvs20050816.orig.tar.gz
 14d192c7600fa65012e94e772b9c2b18 38245 devel optional cscope_15.5+cvs20050816-1.diff.gz
 00131acfe2157e41156e30daf231e873 142454 devel optional cscope_15.5+cvs20050816-1_i386.deb

Version: GnuPG v1.4.2 (GNU/Linux)


Bug archived. Request was from Debbugs Internal Request <> to (Sun, 24 Jun 2007 16:43:22 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.

Debian bug tracking system administrator <>. Last modified: Fri Apr 18 08:06:12 2014; Machine Name:

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.