Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
New Bug report received and forwarded. Copy sent to Edelhard Becker <edelhard@debian.org>.
Package: mgdiff
Version: 1.0-27
Priority: minor
Tags: security
While doing a source code audit looking for security bugs I've found that the
viewpatch script (distributed by mgdiff in /usr/share/doc/mgdiff/ and thus,
not provided as a binary) does not use /tmp safely and can, consequently,
be used to conduct symlink attacks.
Attached is a patch fixing that issue.
Regards
Javier
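The patch itself is not reproduced on this page. As an added illustration of the problem class the report describes (this is not the viewpatch script or the attached patch; the `viewpatch.*` file names and the function names are assumptions), the sketch below contrasts a predictable temporary file name with one created by `mktemp`, inside a private sandbox directory.

```shell
#!/bin/sh
# Constructed illustration; the "viewpatch.*" names are hypothetical.

# Weak pattern: predictable name in a shared directory. The redirection
# opens whatever already sits at that path and follows a symlink.
write_predictable() {
    dir=$1; data=$2
    tmp="$dir/viewpatch.$$"            # the PID is guessable
    printf '%s\n' "$data" > "$tmp"
    printf '%s\n' "$tmp"
}

# Hardened pattern: mktemp chooses an unpredictable name and creates the
# file exclusively, so a name that already exists is never reused.
write_safe() {
    dir=$1; data=$2
    tmp=$(mktemp "$dir/viewpatch.XXXXXX") || return 1
    printf '%s\n' "$data" > "$tmp"
    printf '%s\n' "$tmp"
}

# Self-check in a private sandbox: place a link where the predictable
# name will land, then compare what each writer does to the link target.
demo() {
    box=$(mktemp -d) || return 1
    printf 'original\n' > "$box/target"
    ln -s "$box/target" "$box/viewpatch.$$"
    write_predictable "$box" "patch data" > /dev/null
    weak=$(cat "$box/target")          # overwritten through the link
    printf 'original\n' > "$box/target"
    safe_path=$(write_safe "$box" "patch data") || return 1
    safe=$(cat "$box/target")          # left untouched
    [ -L "$safe_path" ] && kind=symlink || kind=regular
    rm -rf "$box"
    printf '%s|%s|%s\n' "$weak" "$safe" "$kind"
}

demo
```

A script using the hardened form would normally also remove the file on exit, for example with a `trap`.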
Source: mgdiff
Source-Version: 1.0-28
We believe that the bug you reported is fixed in the latest version of
mgdiff, which is due to be installed in the Debian FTP archive:
mgdiff_1.0-28.diff.gz
to pool/main/m/mgdiff/mgdiff_1.0-28.diff.gz
mgdiff_1.0-28.dsc
to pool/main/m/mgdiff/mgdiff_1.0-28.dsc
mgdiff_1.0-28_i386.deb
to pool/main/m/mgdiff/mgdiff_1.0-28_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 335188@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Edelhard Becker <edelhard@debian.org> (supplier of updated mgdiff package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 25 Oct 2005 22:48:37 +0200
Source: mgdiff
Binary: mgdiff
Architecture: source i386
Version: 1.0-28
Distribution: unstable
Urgency: low
Maintainer: Edelhard Becker <edelhard@debian.org>
Changed-By: Edelhard Becker <edelhard@debian.org>
Description:
mgdiff - xdiff clone
Closes: 335188 335191
Changes:
mgdiff (1.0-28) unstable; urgency=low
.
* bug fixes by Javier Fernández-Sanguino Peña <jfs@debian.org>
- Insecure /tmp usage in viewpatch example script (Closes: #335188)
- mgdiff: Allows user to set both input as '-' (Closes: #335191)
Thanks Javier!
Files:
7c876ade0f3c096114650f6efb81fc83 575 text optional mgdiff_1.0-28.dsc
27d0664b81e045a08a639fdf6ec244bc 41077 text optional mgdiff_1.0-28.diff.gz
649a96a9b6ee3387ae519a9fb15cdd3f 58242 text optional mgdiff_1.0-28_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDXqBPlByGkm8iLx8RAvMDAJ43Egega8J92G8nfSDy3S0U+6OCgACdFPYT
bawfcSX69s2p6Z+3NeZWO/8=
=kWf3
-----END PGP SIGNATURE-----
Tags added: moreinfo
Request was from Rene Engelhard <rene@debian.org>
to control@bugs.debian.org.
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 27 Jun 2007 00:23:14 GMT)