Debian Bug report logs - #344029
libmail-audit-perl: insecure /tmp handling

Package: libmail-audit-perl; Maintainer for libmail-audit-perl is (unknown);

Reported by: Niko Tyni <ntyni@iki.fi>

Date: Mon, 19 Dec 2005 15:03:05 UTC

Severity: serious

Tags: fixed, fixed-upstream, patch, security

Found in version libmail-audit-perl/2.1-5

Fixed in version 2.1-5.1

Done: "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>

Bug is archived. No further changes may be made.

Forwarded to http://rt.cpan.org/NoAuth/Bug.html?id=1794


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#344029; Package libmail-audit-perl.


Acknowledgement sent to Niko Tyni <ntyni@iki.fi>:
New Bug report received and forwarded. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Niko Tyni <ntyni@iki.fi>
To: submit@bugs.debian.org
Subject: libmail-audit-perl: insecure /tmp handling
Date: Mon, 19 Dec 2005 16:45:28 +0200
Package: libmail-audit-perl
Version: 2.1-5
Severity: serious
Justification: Etch RC policy

The Mail::Audit module logs by default to 

my $logfile = "/tmp/".getpwuid($>)."-audit.log";

if logging is turned on (the loglevel parameter to new()) and
no logfile is explicitly specified.

The module will follow any symlinks and append to the corresponding file:

if ($logging) { open LOG, ">>$logfile" or open LOG, ">>/dev/null";

This is RC according to the Etch release policy [1]:

  (h) Temporary files

	Any programs and scripts that create files in /tmp or other
	world writable directories must use a mechanism which fails if
	the file already exists.

An obvious workaround would be to log into eg. "$HOME/mail-audit.log".

(I'm not sure if this should be tagged "security" and fixed for sarge too,
 so I'm leaving that for others to judge.)

[1] http://release.debian.org/etch_rc_policy.txt

Cheers,
-- 
Niko Tyni		ntyni@iki.fi



Tags added: security Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org.


Noted your statement that Bug has been forwarded to http://rt.cpan.org/NoAuth/Bug.html?id=1794. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org.


Message #14 received at 344029@bugs.debian.org:

From: Don Armstrong <don@donarmstrong.com>
To: 344029@bugs.debian.org
Subject: Patch to fix this security bug
Date: Wed, 4 Jan 2006 03:27:48 -0800
tag 344029 patch
thanks

Attached is the patch for the NMU that I am preparing; I will upload
it to a delay queue sometime tomorrow (assuming it checks out when
I've had more sleep.)



Don Armstrong

-- 
"A one-question geek test. If you get the joke, you're a geek: Seen on
a California license plate on a VW Beetle: 'FEATURE'..."
 -- Joshua D. Wachs - Natural Intelligence, Inc.

http://www.donarmstrong.com              http://rzlab.ucr.edu
[nmu_security_344029.diff (text/plain, attachment)]

Tags added: patch Request was from Don Armstrong <don@donarmstrong.com> to control@bugs.debian.org.


Message #21 received at 344029@bugs.debian.org:

From: Niko Tyni <ntyni@iki.fi>
To: Don Armstrong <don@donarmstrong.com>
Cc: 344029@bugs.debian.org
Subject: Re: Bug #344029: Patch to fix this security bug
Date: Fri, 6 Jan 2006 16:13:10 +0200
On Wed, Jan 04, 2006 at 03:27:48AM -0800, Don Armstrong wrote:
 
> Attached is the patch for the NMU that I am preparing; I will upload
> it to a delay queue sometime tomorrow (assuming it checks out when
> I've had more sleep.)

Hi,

and thanks for the patch.

FWIW, we discussed this package a bit on the Debian Perl list (see the
thread at <http://lists.debian.org/debian-perl/2005/12/msg00033.html>),
and the consensus was that it should be removed. It's officially
unsupported upstream, and the author recommends Email::Filter
(currently in NEW) as a replacement. I'm going to file a removal
request once libemail-filter-perl gets in.

As for the /tmp vulnerabilities, the one in Mail::Audit::MimeEntity
doesn't look quite as serious to me. I looked into it a bit, and
although it does fall back to /tmp and follows symlinks, MIME::Parser
uses a not quite trivially guessable directory underneath (current time
+ process ID, IIRC). Naturally, this doesn't mean it shouldn't be
fixed.

If you still want to do the NMU, that's fine of course. I guess the
sarge version should be patched anyway.

Cheers,
-- 
Niko Tyni	ntyni@iki.fi



Message #26 received at 344029@bugs.debian.org:

From: Don Armstrong <don@donarmstrong.com>
To: Niko Tyni <ntyni@iki.fi>
Cc: 344029@bugs.debian.org
Subject: Re: Bug #344029: Patch to fix this security bug
Date: Fri, 6 Jan 2006 09:06:37 -0800
On Fri, 06 Jan 2006, Niko Tyni wrote:
> On Wed, Jan 04, 2006 at 03:27:48AM -0800, Don Armstrong wrote:
> > Attached is the patch for the NMU that I am preparing; I will upload
> > it to a delay queue sometime tomorrow (assuming it checks out when
> > I've had more sleep.)
> 
> Hi,
> 
> and thanks for the patch.
> 
> FWIW, we discussed this package a bit on the Debian Perl list (see the
> thread at <http://lists.debian.org/debian-perl/2005/12/msg00033.html>),
> and the consensus was that it should be removed. It's officially
> unsupported upstream, and the author recommends Email::Filter
> (currently in NEW) as a replacement. I'm going to file a removal
> request once libemail-filter-perl gets in.

The important issue is that we've made a stable release with the
package, and so the (albeit not so serious) security bug needs to be
fixed, even if we end up removing it from unstable and testing. [Which
I would recommend, given the rather lackluster quality of the code in
that module.]


Don Armstrong

-- 
This message brought to you by weapons of mass destruction related
program activities, and the letter G.

http://www.donarmstrong.com              http://rzlab.ucr.edu



Message #31 received at 344029@bugs.debian.org:

From: Gunnar Wolf <gwolf@gwolf.org>
To: 344029@bugs.debian.org, security@debian.org
Subject: Insecure /tmp file handling in libmail-audit-perl in Sarge (+patch)
Date: Fri, 13 Jan 2006 19:29:31 -0600
Hi,

The bug is indeed important, even if it is not easily exploitable, and
the fix is trivial. I am pushing it to the security team so they can
apply it to the version in Sarge as well.

Greetings,

-- 
Gunnar Wolf - gwolf@gwolf.org - (+52-55)1451-2244 / 5623-0154
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973  F800 D80E F35A 8BB5 27AF

Message #36 received at 344029@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Gunnar Wolf <gwolf@gwolf.org>
Cc: 344029@bugs.debian.org, security@debian.org
Subject: Re: Insecure /tmp file handling in libmail-audit-perl in Sarge (+patch)
Date: Sat, 14 Jan 2006 08:43:57 +0100
Gunnar Wolf wrote:
> Hi,
> 
> The bug is indeed important, even if it is not easily exploitable, and
> the fix is trivial. I am pushing it to the security team so they can
> apply it to the version in Sarge as well.

Please use CVE-2005-4536 for this problem.

Are you in contact with upstream?

Regards,

	Joey

-- 
If nothing changes, everything will remain the same.  -- Barne's Law

Please always Cc to me when replying to me on the lists.



Message #41 received at 344029@bugs.debian.org:

From: Gunnar Wolf <gwolf@gwolf.org>
To: Martin Schulze <joey@infodrom.org>
Cc: 344029@bugs.debian.org, security@debian.org
Subject: Re: Insecure /tmp file handling in libmail-audit-perl in Sarge (+patch)
Date: Sat, 14 Jan 2006 15:59:44 -0600
Martin Schulze dijo [Sat, Jan 14, 2006 at 08:43:57AM +0100]:
> Gunnar Wolf wrote:
> > Hi,
> > 
> > The bug is indeed important, even if it is not easily exploitable, and
> > the fix is trivial. I am pushing it to the security team so they can
> > apply it to the version in Sarge as well.
> 
> Please use CVE-2005-4536 for this problem.
> 
> Are you in contact with upstream?

Upstream has abandoned this package and suggests replacing it - But
it's present in Sarge (the complete information is in the bug
report). 

-- 
Gunnar Wolf - gwolf@gwolf.org - (+52-55)1451-2244 / 5623-0154
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973  F800 D80E F35A 8BB5 27AF



Message #46 received at 344029@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Gunnar Wolf <gwolf@gwolf.org>
Cc: 344029@bugs.debian.org, security@debian.org
Subject: Re: Insecure /tmp file handling in libmail-audit-perl in Sarge (+patch)
Date: Sun, 15 Jan 2006 11:49:06 +0100
Gunnar Wolf wrote:
> Martin Schulze dijo [Sat, Jan 14, 2006 at 08:43:57AM +0100]:
> > Gunnar Wolf wrote:
> > > Hi,
> > > 
> > > The bug is indeed important, even if it is not easily exploitable, and
> > > the fix is trivial. I am pushing it to the security team so they can
> > > apply it to the version in Sarge as well.
> > 
> > Please use CVE-2005-4536 for this problem.
> > 
> > Are you in contact with upstream?
> 
> Upstream has abandoned this package and suggests replacing it - But
> it's present in Sarge (the complete information is in the bug
> report). 

Ok.  I'll prepare a DSA with updates for sarge and woody.

Regards,

	Joey

-- 
Given enough thrust pigs will fly, but it's not necessarily a good idea.

Please always Cc to me when replying to me on the lists.



Message #51 received at 344029@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Don Armstrong <don@donarmstrong.com>
Cc: 344029@bugs.debian.org
Subject: Re: Bug#344029: Patch to fix this security bug
Date: Mon, 23 Jan 2006 17:16:55 +0100
* Don Armstrong:

> Attached is the patch for the NMU that I am preparing; I will upload
> it to a delay queue sometime tomorrow (assuming it checks out when
> I've had more sleep.)

What has happened to the NMU?  Shall I upload your patch?



Message #56 received at 344029@bugs.debian.org:

From: Don Armstrong <don@donarmstrong.com>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 344029@bugs.debian.org
Subject: Re: Bug#344029: Patch to fix this security bug
Date: Mon, 23 Jan 2006 10:47:50 -0800
On Mon, 23 Jan 2006, Florian Weimer wrote:
> * Don Armstrong:
> > Attached is the patch for the NMU that I am preparing; I will upload
> > it to a delay queue sometime tomorrow (assuming it checks out when
> > I've had more sleep.)
> 
> What has happened to the NMU?  Shall I upload your patch?

What should really happen is the package should be removed from
testing and unstable; I'll make an upload with it sometime today, then
request removal once it has propagated to unstable/testing.


Don Armstrong.

-- 
Physics is like sex. Sure, it may give some practical results, but
that's not why we do it.
 -- Richard Feynman

http://www.donarmstrong.com              http://rzlab.ucr.edu

Message #61 received at 344029@bugs.debian.org:

From: Gunnar Wolf <gwolf@gwolf.org>
To: 344029@bugs.debian.org
Subject: Re: Bug#344029: Patch to fix this security bug
Date: Mon, 23 Jan 2006 12:48:46 -0600
Florian,

Don't bother with the NMU - I just filed bug #349551 requesting the
removal of this package, as libemail-filter-perl has already got in.

Greetings,

-- 
Gunnar Wolf - gwolf@gwolf.org - (+52-55)5623-0154 / 1451-2244
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973  F800 D80E F35A 8BB5 27AF

Tags added: fixed Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org.


Message #68 received at 344029@bugs.debian.org:

From: Niko Tyni <ntyni@iki.fi>
To: security@debian.org
Cc: 344029@bugs.debian.org, 349838@bugs.debian.org
Subject: Re: [SECURITY] [DSA 960-1] New libmail-audit-perl packages fix insecure temporary file use
Date: Tue, 31 Jan 2006 13:43:11 +0200
On Tue, Jan 31, 2006 at 11:14:37AM +0100, Martin Schulze wrote:

> Package        : libmail-audit-perl
> Vulnerability  : insecure temporary file creation
> Problem type   : local
> Debian-specific: no
> CVE ID         : CVE-2005-4536
> Debian Bug     : 344029
> 
> Niko Tyni discovered that the Mail::Audit module, a Perl library for
> creating simple mail filters, logs to a temporary file with a
> predictable filename in an insecure fashion when logging is turned on,
> which is not the case by default.
> 
> For the old stable distribution (woody) these problems have been fixed in
> version 2.0-4woody1.
> 
> For the stable distribution (sarge) these problems have been fixed in
> version 2.1-5sarge1.

Hi security team,

unfortunately there's an error in the sarge package:

% perl -c /usr/share/perl5/Mail/Audit/MimeEntity.pm
syntax error at /usr/share/perl5/Mail/Audit/MimeEntity.pm line 8, near "use MIME::Parser"
/usr/share/perl5/Mail/Audit/MimeEntity.pm had compilation errors.


ii  libmail-audit-perl        2.1-5sarge1               Perl library for creating easy mail filters


Don's patch in #344029 had a typo (missing semicolon). See #349838 for the fix.

Apologies; we should have Cc'd the patch to security@ .
-- 
Niko Tyni	ntyni@iki.fi



Message #73 received at 344029@bugs.debian.org:

From: Brian Hodges <bhodges@fhcrc.org>
To: 344029@bugs.debian.org
Subject: DSA-960 - New bug possibly introduced
Date: Wed, 1 Feb 2006 01:11:09 -0800 (PST)
Hello,

The recent security update for libmail-audit-perl (DSA-960) appears to 
have introduced a new bug.  I have been using debian for several years now 
and this is the first time that a security update turned out to be 
problematic for me.  Still an excellent track record in my book. :)

E-mail is often a touchy subject for a lot of people, so I thought I would 
post the problem I encountered, which might be causing delivery problems 
for other Debian/Mail::Audit users.

I am using Woody, Exim 3 and a perl script that makes use of Mail::Audit. This
script executes as the mail user; the same user id under which Exim is running.

The problematic portion of the patch seems to be here:

-my $logfile = "/tmp/".getpwuid($>)."-audit.log";
+my $logfile;
+if (exists $ENV{HOME} and defined $ENV{HOME} and -d $ENV{HOME}) {
+     $logfile = "$ENV{HOME}/.mail_audit.log"
+}
+else {
+     (undef,$logfile) = tempfile("mail_audit.log-XXXXX",TMPDIR=>1);
+}
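Review bot: In the else branch, tempfile() runs while the module is being loaded, so a file is created whenever HOME is unset or not a directory, whether or not logging is ever turned on. The template "mail_audit.log-XXXXX" is also relative, so if the installed File::Temp does not honour TMPDIR for tempfile() the file is created in the current directory. Defer choosing and creating the log file until logging is actually enabled, and pass an explicit directory such as DIR => File::Spec->tmpdir instead of relying on TMPDIR => 1. The filehandle tempfile() returns is discarded (undef) and only the name is kept for a later reopen; keeping the handle would avoid that second open by name.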

For reasons I haven't investigated, $ENV{HOME} is not being set when a 
child process (my script) is spawned.  This is causing the else clause to 
be triggered, in the above logic.  I further looked at the code for 
File::Temp, and don't see any reference to a 'TMPDIR' option related to 
the tempfile function.  I also have determined that the cwd of my 
executing script does not default to the mail user's home directory, but 
to an unwritable directory (/) under which $logfile cannot be written to.

So instead of relying on the HOME environment variable being set, it could
possibly make more sense to do a getpwuid call for the UID present in $<.

Below is a simple patch, but I'm sure there is more than one way to do it. I
didn't look in to how trustworthy $< is, but I think any serious risk is
mitigated with subsequent getpwuid call.

Thanks,

Brian Hodges

--- Audit.pm    Tue Jan 31 21:47:06 2006
+++ Audit-new.pm        Wed Feb  1 00:41:51 2006
@@ -6,17 +6,20 @@
use Sys::Hostname;
use vars qw($VERSION @ISA @EXPORT @EXPORT_OK);
use Fcntl ':flock';
-use File::Temp qw(tempfile);
use constant REJECTED => 100;
use constant DELIVERED => 0;
my $loglevel=3;
my $logging =0;
my $logfile;
-if (exists $ENV{HOME} and defined $ENV{HOME} and -d $ENV{HOME}) {
-     $logfile = "$ENV{HOME}/.mail_audit.log"
-}
-else {
-     (undef,$logfile) = tempfile("mail_audit.log-XXXXX",TMPDIR=>1);
+
+# Home directory is in the 8th position
+my $home = (getpwuid($<))[7];
+
+# If current user's homedirectory is writable, assign $logfile.
+# Otherwise if $logfile remains unassigned, code lower down will throw an unhandled
+# exception if logging is on, err die that is.
+if (defined $home and -w $home) {
+     $logfile = "$home/.mail_audit.log";
}

 $VERSION = '2.0';
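Review bot: The lookup `getpwuid($<)` uses the real UID, but the `-w $home` test that follows is evaluated against the effective UID, and the original default shown earlier (`getpwuid($>)`) was keyed on the effective UID as well; when the two IDs differ, the directory looked up and the permission tested belong to different accounts. Use `(getpwuid($>))[7]` so the lookup and the writability test agree. Separately, when the home directory is missing or not writable `$logfile` stays undefined and the failure is deferred to the later open, as the added comment says; an explicit fallback, or a guard that turns logging off, would be safer than dying in the middle of mail delivery.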





Message #78 received at 344029@bugs.debian.org:

From: Niko Tyni <ntyni@iki.fi>
To: security@debian.org
Cc: 350954@bugs.debian.org, 344029@bugs.debian.org
Subject: [rob@tigertech.com: Bug#350954: DSA-960-1 security update breaks libmail-audit-perl when $ENV{HOME} is not set]
Date: Thu, 2 Feb 2006 09:00:14 +0200
Hi security team,

I'm very sorry that you have to hear from me again :(

There's a regression in the patch for DSA-960-1, for both woody and sarge.
When $HOME is not set, Mail::Audit is now creating logfiles in cwd and
dying if it's not writable.  This happens even if logging is turned off,
which makes the problem much more serious.

I have not yet had a proper look at the proposed patches in #350954 and
the last message of #344029, but I wanted to make you aware of this.

Again, my apologies for the bad handling of this.
-- 
Niko Tyni	ntyni@iki.fi



Message #83 received at 344029@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Niko Tyni <ntyni@iki.fi>
Cc: security@debian.org, 350954@bugs.debian.org, 344029@bugs.debian.org
Subject: Re: [rob@tigertech.com: Bug#350954: DSA-960-1 security update breaks libmail-audit-perl when $ENV{HOME} is not set]
Date: Sat, 4 Feb 2006 14:59:25 +0100
Niko Tyni wrote:
> Hi security team,
> 
> I'm very sorry that you have to hear from me again :(
> 
> There's a regression in the patch for DSA-960-1, for both woody and sarge.
> When $HOME is not set, Mail::Audit is now creating logfiles in cwd and
> dying if it's not writable.  This happens even if logging is turned off,
> which makes the problem much more serious.

Doo, I have to agree that it is confusing to have tempdir() use different
parameters as tempfile(), but only partially.

> I have not yet had a proper look at the proposed patches in #350954 and
> the last message of #344029, but I wanted to make you aware of this.
> 
> Again, my apologies for the bad handling of this.

Comments to the attached patch, which are least intrusive to the
update we're already distributing?

Regards,

	Joey

-- 
MIME - broken solution for a broken design.  -- Ralf Baechle

Please always Cc to me when replying to me on the lists.
[patch-full (text/plain, attachment)]
[patch-incremental (text/plain, attachment)]

Message #88 received at 344029@bugs.debian.org:

From: Niko Tyni <ntyni@iki.fi>
To: Martin Schulze <joey@infodrom.org>
Cc: security@debian.org, 350954@bugs.debian.org, 344029@bugs.debian.org
Subject: Re: [rob@tigertech.com: Bug#350954: DSA-960-1 security update breaks libmail-audit-perl when $ENV{HOME} is not set]
Date: Sun, 5 Feb 2006 14:41:41 +0200
On Sat, Feb 04, 2006 at 02:59:25PM +0100, Martin Schulze wrote:
 
> Comments to the attached patch, which are least intrusive to the
> update we're already distributing?

It's certainly the minimum required change. However, after this patch
Mail::Audit is still leaving behind a file in /tmp every time it's used
without $HOME, whether logging is enabled or not. And the documentation
remains out of sync. (Naturally, it's your call to decide whether these
should be fixed or not, but I just wanted to point them out.)

FWIW, the patch in #350954 by Robert L Mathews addresses both of these issues.
-- 
Niko Tyni	ntyni@iki.fi
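
Added example, not code from this thread or from Mail::Audit: one way to handle the default log file that covers both the original report (a `>>` open of a predictable name that follows symlinks) and the later regression (a file created at load time when $HOME is unset, even with logging off). All sub names are hypothetical, and `O_NOFOLLOW` is assumed to be available, as it is on Linux.

```perl
#!/usr/bin/perl
# Added example; not Mail::Audit code. All sub names are hypothetical.
use strict;
use warnings;
use Fcntl qw(:DEFAULT :mode);            # O_* flags and S_ISREG
use File::Spec;
use File::Temp qw(tempfile tempdir);

# Default path from the passwd entry of the effective UID, so an unset
# $HOME (the Exim case in this thread) does not matter.
sub default_log_path {
    my $home = (getpwuid($>))[7];
    return unless defined $home && -d $home && -w $home;
    return File::Spec->catfile($home, '.mail_audit.log');
}

# Append-open without following a symlink in the last path component,
# then verify what was opened: regular file, ours, no extra hard links.
sub open_append_nofollow {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600)
        or return;
    my @st = stat($fh);
    unless (@st && S_ISREG($st[2]) && $st[4] == $> && $st[3] == 1) {
        close $fh;
        return;
    }
    return $fh;
}

# Choose and open the log. With no usable home directory, fall back to a
# fresh file that File::Temp creates exclusively in the temp directory,
# and keep its handle instead of reopening the name later.
sub open_audit_log {
    my ($path) = @_;
    $path = default_log_path() unless defined $path;
    return open_append_nofollow($path) if defined $path;
    my ($fh) = eval {
        tempfile('mail_audit.log-XXXXXX', DIR => File::Spec->tmpdir);
    };
    return $fh;
}

my $LOG;    # opened on first use, never at load time

# Returns 1 if a line was written, 0 otherwise.
sub audit_log {
    my ($logging, $msg, $path) = @_;
    return 0 unless $logging;            # logging off: nothing touches disk
    $LOG ||= open_audit_log($path) or return 0;
    return defined(syswrite($LOG, scalar(localtime) . " $msg\n")) ? 1 : 0;
}

# Demonstration in a private scratch directory (constructed input).
my $dir    = tempdir(CLEANUP => 1);
my $target = File::Spec->catfile($dir, 'important.txt');
my $link   = File::Spec->catfile($dir, 'user-audit.log');
open(my $t, '>', $target) or die "create: $!";
print {$t} "original\n";
close $t;
symlink($target, $link) or die "symlink: $!";

print "logging off, nothing created\n" unless audit_log(0, 'ignored');
print "symlinked log path refused\n"   unless open_append_nofollow($link);
print "regular log path written\n"
    if audit_log(1, 'delivered', File::Spec->catfile($dir, 'real.log'));
print "important.txt size unchanged: ", -s $target, " bytes\n";
```

`O_NOFOLLOW` only guards the final path component, which is why the default path lives in a directory the user owns rather than in /tmp.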



Tags added: fixed-upstream Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org.


Bug marked as fixed in version 2.1-5.1, send any further explanations to Niko Tyni <ntyni@iki.fi> Request was from "Adam D. Barratt" <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org.


Message sent on to Niko Tyni <ntyni@iki.fi>:
Bug#344029.


Message #95 received at 344029-submitter@bugs.debian.org:

From: "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>
Subject: Bugs fixed in NMU, documenting versions
Date: Sun, 22 Oct 2006 23:09:18 +0100
# Hi,
#
# These bugs were fixed in an NMU, but have not been acknowledged by the
# maintainers.  With version tracking in the Debian BTS, it is important
# to know which version of a package fixes each bug so that they can be
# tracked for release status, so I'm closing these bugs with the
#relevant version information now

close 344029 2.1-5.1




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 17 Jun 2007 21:39:32 GMT)