Debian Bug report logs - #318059
ekg: Insecure tempfile generation

Package: ekg; Maintainer for ekg is Marcin Owsiany <porridge@debian.org>; Source for ekg is src:ekg.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Tue, 5 Jul 2005 19:33:26 UTC

Severity: normal

Tags: sarge, security

Done: Marcin Owsiany <marcin@owsiany.pl>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Marcin Owsiany <porridge@debian.org>:
Bug#317027; Package ekg.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Marcin Owsiany <porridge@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ekg: Insecure tempfile generation
Date: Tue, 05 Jul 2005 19:40:18 +0200
Package: ekg
Severity: important
Tags: security

ekg creates temporary files in a predictable manner, which can be
exploited through a symlink attack. For full details please have
a look at http://www.zataz.net/adviso/ekg-06062005.txt

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#317027; Package ekg.

Acknowledgement sent to Marcin Owsiany <porridge@debian.org>:
Extra info received and forwarded to list.

Message #10 received at 317027@bugs.debian.org:

From: Marcin Owsiany <porridge@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 317027@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#317027: ekg: Insecure tempfile generation
Date: Mon, 11 Jul 2005 18:29:31 +0300
severity 317027 normal
tags 317027 +pending
thanks

On Tue, Jul 05, 2005 at 07:40:18PM +0200, Moritz Muehlenhoff wrote:
> Package: ekg
> Severity: important
> Tags: security
> 
> ekg creates temporary files in a predictable manner, which can be
> exploited through a symlink attack. For full details please have
> a look at http://www.zataz.net/adviso/ekg-06062005.txt

Thanks for the notice. I read bugtraq and SF anyway though.
The severity seems a bit high, as this is only a contributed example
script, and is not installed on $PATH. 

The upstream has not decided yet what to do about this. I'll try to fix
it (and other scripts having even bigger flaws) today.

Marcin
-- 
Marcin Owsiany <porridge@debian.org>             http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216
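
The report above describes predictable temporary file names that can be abused through a symlink. The following is an added illustration, not ekg's code and not the fix that was uploaded: the thread does not show the affected script, so this assumes a shell script, and the function names and sandbox layout are hypothetical. It contrasts a guessable name with `mktemp` inside a private sandbox directory.

```shell
#!/bin/sh
# Added illustration; function names and the sandbox layout are hypothetical.

# Unsafe pattern: the name is built from a guessable value (a PID, a date),
# and the '>' redirection follows whatever already sits at that path.
unsafe_write() {   # $1 = temp dir, $2 = guessable suffix, $3 = data
    printf '%s\n' "$3" > "$1/script.$2"
}

# Hardened pattern: mktemp chooses an unpredictable name and creates the file
# exclusively (O_EXCL) with mode 0600, so a pre-existing link is never followed.
safe_write() {     # $1 = temp dir, $2 = data; prints the path it created
    f=$(mktemp "$1/script.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$f"
    printf '%s\n' "$f"
}

# Constructed scenario inside a private sandbox directory: a link already
# occupies the predictable name before the script writes its scratch data.
demo() {
    box=$(mktemp -d) || return 1
    mkdir "$box/tmp"
    printf 'original\n' > "$box/victim"
    ln -s "$box/victim" "$box/tmp/script.1234"

    unsafe_write "$box/tmp" 1234 'scratch data'
    after_unsafe=$(cat "$box/victim")      # content was replaced via the link

    printf 'original\n' > "$box/victim"
    made=$(safe_write "$box/tmp" 'scratch data') || { rm -rf "$box"; return 1; }
    after_safe=$(cat "$box/victim")        # untouched this time
    if [ -f "$made" ] && [ ! -L "$made" ]; then kind=regular; else kind=other; fi

    rm -rf "$box"
    printf '%s|%s|%s\n' "$after_unsafe" "$after_safe" "$kind"
}

demo
```

The three fields printed are the victim file's content after the unsafe write, its content after the `mktemp` write, and the type of the file `mktemp` created.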



Severity set to `normal'. Request was from Marcin Owsiany <porridge@debian.org> to control@bugs.debian.org.

Tags added: pending Request was from Marcin Owsiany <porridge@debian.org> to control@bugs.debian.org.

Bug 317027 cloned as bug 318059. Request was from Marcin Owsiany <marcin@owsiany.pl> to control@bugs.debian.org.

Tags added: sarge Request was from Marcin Owsiany <marcin@owsiany.pl> to control@bugs.debian.org.

Reply sent to Marcin Owsiany <marcin@owsiany.pl>:
You have taken responsibility.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.

Message #23 received at 318059-done@bugs.debian.org:

From: Marcin Owsiany <marcin@owsiany.pl>
To: 318059-done@bugs.debian.org
Subject: fixed in 1:1.5+20050411-4
Date: Tue, 19 Jul 2005 01:11:00 +0200


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 10:46:11 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 06:16:33 2014; Machine Name: beach.debian.org
