Debian Bug report logs - #357392
beagle: Security issue - shell script checks "."


Package: beagle; Maintainer for beagle is Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>; Source for beagle is src:beagle.

Reported by: James McCaw <james.mccaw@gmail.com>

Date: Fri, 17 Mar 2006 00:48:12 UTC

Severity: grave

Tags: patch, security

Found in version beagle/0.2.2.1-1

Fixed in version beagle/0.2.3-1

Done: Jose Carlos Garcia Sogo <jsogo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Jose Carlos Garcia Sogo <jsogo@debian.org>:
Bug#357392; Package beagle.


Acknowledgement sent to James McCaw <james.mccaw@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Jose Carlos Garcia Sogo <jsogo@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: James McCaw <james.mccaw@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: beagle: Security issue - shell script checks "."
Date: Fri, 17 Mar 2006 11:42:38 +1100
Package: beagle
Version: 0.2.2.1-1
Severity: grave
Tags: security
Justification: user security hole

Speaks for itself really...

jamesm@feathertop:~% cat `which beagle-status`
#!/bin/sh

if [ -x "./beagle-info" ]; then
    CMD="./beagle-info"
else
    CMD="beagle-info"
fi
    watch -n 5 $CMD --status

Solution: Replace beagle-status with new script
#!/bin/sh

watch -n 5 beagle-info --status

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1)

Versions of packages beagle depends on:
ii  bash                      3.1-3          The GNU Bourne Again SHell
ii  libatk1.0-0               1.10.3-1       The ATK accessibility toolkit
ii  libc6                     2.3.6-3        GNU C Library: Shared libraries an
ii  libcairo2                 1.0.2-3        The Cairo 2D vector graphics libra
ii  libexif12                 0.6.13-4       library to parse EXIF files
ii  libfontconfig1            2.3.2-5        generic font configuration library
ii  libgalago-cil             0.3.2-4        CLI bindings for libgalago
ii  libgconf2.0-cil           2.8.2-1        CLI binding for GConf 2.12
ii  libglade2.0-cil           2.8.2-1        CLI binding for the Glade librarie
ii  libglib2.0-0              2.8.6-1        The GLib library of C routines
ii  libglib2.0-cil            2.8.2-1        CLI binding for the GLib utility l
ii  libgmime2.1-cil           2.1.19-1       CLI binding for the MIME library, 
ii  libgnome2.0-cil           2.8.2-1        CLI binding for GNOME 2.12
ii  libgnomevfs2-0            2.12.2-7       GNOME virtual file-system (runtime
ii  libgtk2.0-0               2.8.13-1       The GTK+ graphical user interface 
ii  libgtk2.0-cil             2.8.2-1        CLI binding for the GTK+ toolkit 2
ii  libice6                   6.9.0.dfsg.1-4 Inter-Client Exchange library
ii  libmono0                  1.1.13.2-1     libraries for the Mono JIT
ii  libpango1.0-0             1.10.4-1       Layout and rendering of internatio
ii  librsvg2-2                2.12.7-5       SAX-based renderer library for SVG
ii  libsm6                    6.9.0.dfsg.1-4 X Window System Session Management
ii  libsqlite0                2.8.16-1       SQLite shared library
ii  libx11-6                  6.9.0.dfsg.1-4 X Window System protocol client li
ii  libxcursor1               1.1.3-1        X cursor management library
ii  libxext6                  6.9.0.dfsg.1-4 X Window System miscellaneous exte
ii  libxi6                    6.9.0.dfsg.1-4 X Window System Input extension li
ii  libxinerama1              6.9.0.dfsg.1-4 X Window System multi-head display
ii  libxrandr2                6.9.0.dfsg.1-4 X Window System Resize, Rotate and
ii  libxrender1               1:0.9.0.2-1    X Rendering Extension client libra
ii  libxss1                   6.9.0.dfsg.1-4 X Screen Saver client-side library
ii  mono-classlib-1.0         1.1.13.2-1     Mono class library (1.0)
ii  mono-jit                  1.1.13.2-1     fast CLI JIT/AOT compiler for Mono

Versions of packages beagle recommends:
ii  beagle-backend-evolution      0.2.2.1-1  evolution data backend for beagle
ii  poppler-utils                 0.4.5-3    PDF utilitites (based on libpopple

-- no debconf information
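An added defensive check, not part of the report above or of the beagle package: a small POSIX sh audit that flags scripts using the pattern James reports (testing for, then running, a program through a path relative to the current working directory), exercised against copies of the reported beagle-status and its proposed replacement. The helper names audit_cwd_exec and write_samples are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or the beagle package): audit shell
# scripts for a system-installed script that tests for, and then runs, a program
# via a CWD-relative path ("./beagle-info"), so whoever controls that directory controls what runs.

# audit_cwd_exec FILE
# Prints "FILE:LINENO:LINE" for each non-comment line containing a "./name"
# token at the start of a word; returns 1 if any were found, 0 otherwise.
audit_cwd_exec() {
    file="$1"
    # "./name" at line start or after whitespace, '"', "=" or "("; "../name" does not match.
    pat='(^|[[:space:]"=(])\./[[:alnum:]_.-]+'
    hits=$(grep -nE "$pat" "$file" | grep -vE '^[0-9]+:[[:space:]]*#' || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed "s|^|$file:|"
        return 1
    fi
    return 0
}

# write_samples DIR
# Writes the reported beagle-status (vuln.sh) and its proposed replacement (fixed.sh) into DIR.
write_samples() {
    cat > "$1/vuln.sh" <<'EOF'
#!/bin/sh
if [ -x "./beagle-info" ]; then
    CMD="./beagle-info"
else
    CMD="beagle-info"
fi
    watch -n 5 $CMD --status
EOF
    cat > "$1/fixed.sh" <<'EOF'
#!/bin/sh
watch -n 5 beagle-info --status
EOF
}

# Stand-alone run: write both samples to a scratch directory and audit them.
sample_dir=$(mktemp -d)
write_samples "$sample_dir"
for s in vuln.sh fixed.sh; do
    if audit_cwd_exec "$sample_dir/$s"; then
        echo "$s: no CWD-relative execution found"
    else
        echo "$s: FLAGGED"
    fi
done
rm -rf "$sample_dir"
```

The audit is intentionally a line-oriented approximation: it reports both the `-x "./beagle-info"` test and the `CMD="./beagle-info"` assignment in the reported script and nothing in the replacement.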



Tags added: patch. Request was from Justin Pryzby <justinpryzby@users.sourceforge.net> to control@bugs.debian.org.


Reply sent to Jose Carlos Garcia Sogo <jsogo@debian.org>:
You have taken responsibility.


Notification sent to James McCaw <james.mccaw@gmail.com>:
Bug acknowledged by developer.


Message #12 received at 357392-close@bugs.debian.org:

From: Jose Carlos Garcia Sogo <jsogo@debian.org>
To: 357392-close@bugs.debian.org
Subject: Bug#357392: fixed in beagle 0.2.3-1
Date: Mon, 20 Mar 2006 04:17:08 -0800
Source: beagle
Source-Version: 0.2.3-1

We believe that the bug you reported is fixed in the latest version of
beagle, which is due to be installed in the Debian FTP archive:

beagle-backend-evolution_0.2.3-1_all.deb
  to pool/main/b/beagle/beagle-backend-evolution_0.2.3-1_all.deb
beagle-dev_0.2.3-1_i386.deb
  to pool/main/b/beagle/beagle-dev_0.2.3-1_i386.deb
beagle_0.2.3-1.diff.gz
  to pool/main/b/beagle/beagle_0.2.3-1.diff.gz
beagle_0.2.3-1.dsc
  to pool/main/b/beagle/beagle_0.2.3-1.dsc
beagle_0.2.3-1_i386.deb
  to pool/main/b/beagle/beagle_0.2.3-1_i386.deb
beagle_0.2.3.orig.tar.gz
  to pool/main/b/beagle/beagle_0.2.3.orig.tar.gz
libbeagle0_0.2.3-1_i386.deb
  to pool/main/b/beagle/libbeagle0_0.2.3-1_i386.deb
python-beagle_0.2.3-1_i386.deb
  to pool/main/b/beagle/python-beagle_0.2.3-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 357392@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jose Carlos Garcia Sogo <jsogo@debian.org> (supplier of updated beagle package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Sun, 19 Mar 2006 17:20:49 +0100
Source: beagle
Binary: beagle python-beagle beagle-dev beagle-backend-evolution libbeagle0
Architecture: source i386 all
Version: 0.2.3-1
Distribution: unstable
Urgency: low
Maintainer: Jose Carlos Garcia Sogo <jsogo@debian.org>
Changed-By: Jose Carlos Garcia Sogo <jsogo@debian.org>
Description: 
 beagle     - indexing and search tool for your personal data
 beagle-backend-evolution - evolution data backend for beagle
 beagle-dev - library for accessing beagle (development files)
 libbeagle0 - library for accessing beagle (development files)
 python-beagle - python bindings for beagle
Closes: 341387 355831 356732 357102 357392
Changes: 
 beagle (0.2.3-1) unstable; urgency=low
 .
   * New upstream release.
   * debian/patches:
      + beagle-status_watch: don't check for local beagle-info (Closes: #357392)
   * debian/beagle.dirs:
      + create /usr/share/doc/beagle/mozilla-extension in order to install
      there beagle.xpi file for mozilla extension. (Closes: #357102)
   * debian/control:
      + make beagle bin package to depend on gnome-icon-theme (Closes: #355831)
   * relibtoolize.dpatch:
      + remake configure script to avoid checking for libxt (Closes: #356732)
   * README.Debian:
      + state that XFS and JFS have extended attributes enabled by default.
      Thanks to Jesper Louis Andersen for pointing this out to me.
      + talk about the BEAGLE_STORAGE option, which allows changing the default
      path for storing index files. (Closes: #341387)
Files: 





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 04:09:04 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 08:39:28 2025; Machine Name: buxtehude
