Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
New Bug report received and forwarded. Copy sent to Joerg Jaspert <joerg@debian.org>.
Package: cdrtools
Version: 4:2.01+01a01-2
Priority: minor
Tags: security patch
Cdrtools has some code (and default configuration) that suggests users who
want to debug its behaviour open up a can of worms associated with insecure
temporary file usage. The Debug file defined in the configuration will
just be fopen()ed without any checks and is thus vulnerable to symlink
attacks.
The attached patch tries to fix this minor bug (not many users will really
enable DEBUG) by introducing a check in rscsi.c to avoid being vulnerable
to symlink attacks and by modifying the provided config file telling users
to use safe locations for debug files. The patch introduces a DoS condition
(if somebody has created the file the program will exit), and that's why
users are suggested (in the comments of the configuration file) to use a
safe location (not /tmp) for debugging.
Regards
Javier
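The symlink problem the report describes, and the create-with-check behaviour it attributes to the patch (including the "file already exists, so exit" caveat), as an added C example. This is not the bug report's patch and not cdrtools' own rscsi.c; the function names, the mode "w" for the unchecked fopen(), the private temporary directory and the victim file are assumptions constructed for the demonstration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hardened variant (assumed, modelled on the report's description): create the
 * debug file atomically, refuse to follow a symlink, refuse a pre-existing file.
 * Returns an fd, or -1 with errno set. */
int open_debug_file_safely(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;                 /* EEXIST/ELOOP: something is already there */
    /* Belt and braces: what we opened must be a plain file with a single link. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* The pattern the report describes: fopen() with no checks. fopen("w") follows
 * a symlink planted at the path and truncates whatever it points to.
 * (Mode "w" is an assumption; the report only says the file is fopen()ed.) */
FILE *open_debug_file_unsafely(const char *path)
{
    return fopen(path, "w");
}

/* Scenario in a private temp dir: a symlink with the debug file's name points at
 * a constructed victim file. Returns 0 when every step behaves as described,
 * otherwise the number of the first step that did not. */
int run_demo(void)
{
    char dir[] = "/tmp/rscsi-demo-XXXXXX";   /* constructed location */
    char victim[4096], dbg[4096];
    struct stat st;
    FILE *f;
    int fd, rc = 0;

    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(dbg, sizeof dbg, "%s/rscsi-debug.log", dir);

    /* Step 2: the victim file holds some content we would like to keep. */
    f = fopen(victim, "w");
    if (f == NULL) { rc = 2; goto out; }
    fputs("important data\n", f);
    fclose(f);

    /* Step 3: a symlink sits where the debug file is expected. */
    if (symlink(victim, dbg) != 0) { rc = 3; goto out; }

    /* Step 4: the unchecked fopen() follows the link and truncates the victim. */
    f = open_debug_file_unsafely(dbg);
    if (f == NULL) { rc = 4; goto out; }
    fclose(f);
    if (stat(victim, &st) != 0 || st.st_size != 0) { rc = 4; goto out; }

    /* Step 5: the hardened open refuses the symlink (EEXIST or ELOOP). */
    fd = open_debug_file_safely(dbg);
    if (fd >= 0 || (errno != EEXIST && errno != ELOOP)) {
        if (fd >= 0) close(fd);
        rc = 5; goto out;
    }

    /* Step 6: with the path clear it creates the file, and logging works. */
    unlink(dbg);
    fd = open_debug_file_safely(dbg);
    if (fd < 0) { rc = 6; goto out; }
    if (write(fd, "debug line\n", 11) != 11) { close(fd); rc = 6; goto out; }
    close(fd);

    /* Step 7: the caveat from the report: a pre-existing file makes the open
     * fail (the program would exit), hence the advice to use a private location. */
    fd = open_debug_file_safely(dbg);
    if (fd >= 0 || errno != EEXIST) {
        if (fd >= 0) close(fd);
        rc = 7; goto out;
    }

out:
    unlink(dbg);
    unlink(victim);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("%s (step %d)\n", rc == 0 ? "all steps behaved as described" : "unexpected result", rc);
    return rc;
}
```

Step 5 is the fix and step 7 is its cost: O_CREAT|O_EXCL makes creation atomic and refuses anything already at the path, which closes the symlink race but also means a file left behind (by a previous run or by someone else in a shared directory such as /tmp) stops the program. That is exactly why the report steers the debug file to a location only the user can write to.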
Information forwarded to debian-bugs-dist@lists.debian.org, Joerg Jaspert <joerg@debian.org>: Bug#291376; Package cdrtools.
Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Joerg Jaspert <joerg@debian.org>.
Subject: Bug#291376: fixed in cdrtools 4:2.01+01a01-4
Date: Tue, 26 Apr 2005 05:17:20 -0400
Source: cdrtools
Source-Version: 4:2.01+01a01-4
We believe that the bug you reported is fixed in the latest version of
cdrtools, which is due to be installed in the Debian FTP archive:
cdda2wav_2.01+01a01-4_i386.deb
to pool/main/c/cdrtools/cdda2wav_2.01+01a01-4_i386.deb
cdrecord_2.01+01a01-4_i386.deb
to pool/main/c/cdrtools/cdrecord_2.01+01a01-4_i386.deb
cdrtools-doc_2.01+01a01-4_all.deb
to pool/main/c/cdrtools/cdrtools-doc_2.01+01a01-4_all.deb
cdrtools_2.01+01a01-4.diff.gz
to pool/main/c/cdrtools/cdrtools_2.01+01a01-4.diff.gz
cdrtools_2.01+01a01-4.dsc
to pool/main/c/cdrtools/cdrtools_2.01+01a01-4.dsc
mkisofs_2.01+01a01-4_i386.deb
to pool/main/c/cdrtools/mkisofs_2.01+01a01-4_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 291376@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Eduard Bloch <blade@debian.org> (supplier of updated cdrtools package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 26 Apr 2005 10:30:34 +0200
Source: cdrtools
Binary: cdrtools-doc cdda2wav mkisofs cdrecord
Architecture: source all i386
Version: 4:2.01+01a01-4
Distribution: unstable
Urgency: low
Maintainer: Joerg Jaspert <joerg@debian.org>
Changed-By: Eduard Bloch <blade@debian.org>
Description:
cdda2wav - Creates WAV files from audio CDs
cdrecord - command line CD writing tool
cdrtools-doc - Documentation for the cdrtools package-suite
mkisofs - Creates ISO-9660 CD-ROM filesystem images
Closes: 262678 291376
Changes:
cdrtools (4:2.01+01a01-4) unstable; urgency=low
.
* O_EXCL issue becoming hot, uploading to unstable
* sync with Ubuntu Breezy (renamed as needed):
+ 23_o_excl.dpatch (replaced with Ubuntu's version, closes: #262678)
+ 24_debug_tmpfile.dpatch (secure file access in rscsi, closes: #291376)
+ 25_mkisofs_iconv_manpage.dpatch (explicit note about iconv support)
+ 26_author_locale.dpatch (replace ö in his name with an ascii
transliteration)
Files:
f5f38c04fe7df13455077f7b4cb7aea0 716 otherosfs optional cdrtools_2.01+01a01-4.dsc
20f39fbe1ca8a261e52d92da30c6fc31 114943 otherosfs optional cdrtools_2.01+01a01-4.diff.gz
48a8a47a4c1be46cce294555bde67d3a 220032 doc optional cdrtools-doc_2.01+01a01-4_all.deb
a31492042699a3091ac4a912cc3aa695 582066 otherosfs optional cdrecord_2.01+01a01-4_i386.deb
5705d9efa361c3a41fffa8b4eca46449 530842 otherosfs optional mkisofs_2.01+01a01-4_i386.deb
7357dd6ef1646d93cc8b44306d33cc1b 158690 sound optional cdda2wav_2.01+01a01-4_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCbgSq4QZIHu3wCMURArpAAJ4+Wc/00m09gk5RN7jdY7iRBz2q1gCghctJ
mPcAgVQq9fMTFKiW1RqLHJc=
=hT7c
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Joerg Jaspert <joerg@debian.org>: Bug#291376; Package cdrtools.
Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to Joerg Jaspert <joerg@debian.org>.
On Tue, Apr 26, 2005 at 02:33:31AM -0700, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> #291376: cdrtools: Unsafe recommendation (and implementation) of debugging in rscsi,
> which was filed against the cdrtools package.
(...)
> * sync with Ubuntu Breezy (renamed as needed):
(...)
> + 24_debug_tmpfile.dpatch (secure file access in rscsi, closes: #291376)
1) You do not acknowledge CAN-2005-0866 as Joey requested in the bug report
2) Ubuntu's patch is, I believe, based on my patch; you could at least
have granted me some credit for the patch in the changelog...
I'm surprised that a security bug (with patch) provided in January takes
four months to fix. Oh well, this was not a critical issue either, but
the fix was immediate...
Regards
Javier
Information forwarded to debian-bugs-dist@lists.debian.org, Joerg Jaspert <joerg@debian.org>: Bug#291376; Package cdrtools.
Acknowledgement sent to Eduard Bloch <edi@gmx.de>:
Extra info received and forwarded to list. Copy sent to Joerg Jaspert <joerg@debian.org>.
To: Javier Fernández-Sanguino Peña <jfs@computer.org>,
291376@bugs.debian.org
Subject: Re: Bug#291376: acknowledged by developer (Bug#291376: fixed in cdrtools 4:2.01+01a01-4)
Date: Tue, 26 Apr 2005 13:50:37 +0200
#include <hallo.h>
* Javier Fernández-Sanguino Peña [Tue, Apr 26 2005, 12:06:56PM]:
> On Tue, Apr 26, 2005 at 02:33:31AM -0700, Debian Bug Tracking System wrote:
> > This is an automatic notification regarding your Bug report
> > #291376: cdrtools: Unsafe recommendation (and implementation) of debugging in rscsi,
> > which was filed against the cdrtools package.
>
> (...)
> > * sync with Ubuntu Breezy (renamed as needed):
> (...)
> > + 24_debug_tmpfile.dpatch (secure file access in rscsi, closes: #291376)
>
> 1) You do not acknowledge CAN-2005-0866 as Joey requested in the bug report
> 2) Ubuntu's patch is, I believe, based on my patch; you could at least
> have granted me some credit for the patch in the changelog...
>
> I'm surprised that a security bug (with patch) provided in January takes
> four months to fix. Oh well, this was not a critical issue either, but
> the fix was immediate...
You see, all of that has a common reason - lack of time. Do you wish to
be credited in the next changelog? Something like the following?
* WE THANK JFS FOR PROVIDING A PATCH FIXING #291376. GET IT, BASTARDS!!!1
And nobody hindered you from sending a reminder about the outstanding
problem. An (announced) NMU in this case would have been appropriate.
Regards,
Eduard.
--
Susan Ivanova: Ambassador, do you really want to know what's going on down
there?
Ambassador Londo Mollari: Yes, absolutely!
Susan Ivanova: Boom. Boom boom boom. Boom boom. Boom! Have a nice day!
-- Quotes from Babylon 5 --
Information forwarded to debian-bugs-dist@lists.debian.org, Joerg Jaspert <joerg@debian.org>: Bug#291376; Package cdrtools.
Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to Joerg Jaspert <joerg@debian.org>.
On Tue, Apr 26, 2005 at 01:50:37PM +0200, Eduard Bloch wrote:
>
> You see, all of that has a common reason - lack of time. Do you wish to
> be credited in the next changelog? Something like the following?
(...)
I estimate the time it took you to write that witty mail to be similar to
the time needed to apply the patch I produced, build the package and upload
it. The only difference is that it took you ~2 hours to write that mail vs.
the four months for the patch.
Thanks for publicly encouraging others to help you out.
Javier
growing an even thicker skin
Information forwarded to debian-bugs-dist@lists.debian.org, Joerg Jaspert <joerg@debian.org>: Bug#291376; Package cdrtools.
Acknowledgement sent to Eduard Bloch <edi@gmx.de>:
Extra info received and forwarded to list. Copy sent to Joerg Jaspert <joerg@debian.org>.
To: Javier Fernández-Sanguino Peña <jfs@computer.org>,
291376@bugs.debian.org
Subject: Re: Bug#291376: acknowledged by developer (Bug#291376: fixed in cdrtools 4:2.01+01a01-4)
Date: Tue, 26 Apr 2005 17:16:47 +0200
#include <hallo.h>
* Javier Fernández-Sanguino Peña [Tue, Apr 26 2005, 03:40:54PM]:
> > You see, all of that has a common reason - lack of time. Do you wish to
> > be credited in the next changelog? Something like the following?
> (...)
>
> I estimate the time it took you to write that witty mail to be similar to
> the time needed to apply the patch I produced, build the package and upload
> it. The only difference is that it took you ~2 hours to write that mail vs.
> the four months for the patch.
2 hours? Do you really think that it has taken 2 hours to write the few
lines? No, it was the time needed to react (as in: get spare time + mind
context switching).
> Thanks for publicly encouraging others to help you out.
> growing an even thicker skin
A-Ha. Germans call such a thing "etwas in den falschen Hals kriegen",
translated by dict.leo.org as "to get hold of the wrong end of the
stick". Please try reading my message without interpreting offense into
it.
Regards,
Eduard.
--
We mistake the ease of sinning for permission to do so.
-- Jean Paul