Debian Bug report logs - #366484
"ircp -r" silently overwrites files


Package: openobex-apps; Maintainer for openobex-apps is Nobuhiro Iwamatsu <iwamatsu@debian.org>; Source for openobex-apps is src:libopenobex.

Reported by: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>

Date: Tue, 9 May 2006 02:03:07 UTC

Severity: serious

Tags: security

Found in version openobex-apps/1.2-2

Fixed in version libopenobex/1.2-3

Done: Hendrik Sattler <debian@hendrik-sattler.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Hendrik Sattler <debian@hendrik-sattler.de>:
Bug#366484; Package openobex-apps.


Acknowledgement sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
New Bug report received and forwarded. Copy sent to Hendrik Sattler <debian@hendrik-sattler.de>.


Message #5 received at submit@bugs.debian.org:

From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: "ircp -r" silently overwrites files
Date: Tue, 9 May 2006 03:56:23 +0200
Package: openobex-apps
Version: 1.2-2
Severity: serious
Tags: security

If you "ircp -r", and someone sends you a file, the filename provided by
the remote source is used -- even if the file still exists.

The source actually has a TODO about this:

//TODO! Rename file if already exist.

(line 129, ircp_io.c)

I think this is quite dangerous, because you could be doing ircp -r in
your homedir, and get '.bashrc' or so accidentally.

Of course, risk is quite limited due to the need of physical proximity,
but still.

--Jeroen

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Versions of packages openobex-apps depends on:
ii  libbluetooth1                 2.25-1     Library to use the BlueZ Linux Blu
ii  libc6                         2.3.6-7    GNU C Library: Shared libraries
ii  libopenobex1                  1.2-2      OBEX protocol library
ii  libusb-0.1-4                  2:0.1.12-2 userspace USB programming library

openobex-apps recommends no packages.

-- no debconf information

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl



Reply sent to Hendrik Sattler <debian@hendrik-sattler.de>:
You have taken responsibility.


Notification sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug acknowledged by developer.


Message #10 received at 366484-close@bugs.debian.org:

From: Hendrik Sattler <debian@hendrik-sattler.de>
To: 366484-close@bugs.debian.org
Subject: Bug#366484: fixed in libopenobex 1.2-3
Date: Sun, 14 May 2006 04:02:19 -0700
Source: libopenobex
Source-Version: 1.2-3

We believe that the bug you reported is fixed in the latest version of
libopenobex, which is due to be installed in the Debian FTP archive:

libopenobex1-dev_1.2-3_i386.deb
  to pool/main/libo/libopenobex/libopenobex1-dev_1.2-3_i386.deb
libopenobex1_1.2-3_i386.deb
  to pool/main/libo/libopenobex/libopenobex1_1.2-3_i386.deb
libopenobex_1.2-3.diff.gz
  to pool/main/libo/libopenobex/libopenobex_1.2-3.diff.gz
libopenobex_1.2-3.dsc
  to pool/main/libo/libopenobex/libopenobex_1.2-3.dsc
openobex-apps_1.2-3_i386.deb
  to pool/main/libo/libopenobex/openobex-apps_1.2-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 366484@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hendrik Sattler <debian@hendrik-sattler.de> (supplier of updated libopenobex package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 12 May 2006 02:14:05 +0200
Source: libopenobex
Binary: libopenobex1 libopenobex1-dev openobex-apps
Architecture: source i386
Version: 1.2-3
Distribution: unstable
Urgency: low
Maintainer: Hendrik Sattler <debian@hendrik-sattler.de>
Changed-By: Hendrik Sattler <debian@hendrik-sattler.de>
Description: 
 libopenobex1 - OBEX protocol library
 libopenobex1-dev - OBEX protocol library - development files
 openobex-apps - Applications for OpenOBEX
Closes: 197773 216312 253857 366484
Changes: 
 libopenobex (1.2-3) unstable; urgency=low
 .
   * The "fix some bugs after some years" release
   * Update ircp.patch to never overwrite existing files but
     rename the target name instead (closes: #366484)
   * Update rodrigues_irobex_palm3.patch to fix argument parsing
     (closes: #216312)
   * Add obex_test.patch to fix some issues with the test apps
     (closes: #197773). Note that the patch from the bug report
     was not plainly used.
   * Add manpages for all applications (closes: #253857)
Files: 
 76376290a9f2c4c8ced698afc25e4545 740 comm optional libopenobex_1.2-3.dsc
 341b48491952a39d790cbe043284d635 10540 comm optional libopenobex_1.2-3.diff.gz
 8983ecedbb9d585889a33f57d7884373 53592 libdevel extra libopenobex1-dev_1.2-3_i386.deb
 e059f2e56b7a62345eae2c6caf95d28d 20000 libs optional libopenobex1_1.2-3_i386.deb
 b43d21d065c453b5d93f679a195cb3b1 32192 comm optional openobex-apps_1.2-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEZwoOVkEm8inxm9ERAoIrAKCFnHFYs+RSI8Z1OAqq7LAhiDJOFgCfSHRM
h+0bI0sOEx2a/+vifzLQodI=
=lyL7
-----END PGP SIGNATURE-----
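
The behaviour the 1.2-3 changelog describes (never overwrite an existing file, rename the target instead) can be implemented with an atomic exclusive create, shown here as an added example that is not the code from ircp.patch or ircp_io.c. The function name open_received, the ".N" suffix scheme, the retry limit and the rejection of names containing '/' are assumptions made for this illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_RENAME_TRIES 1000   /* assumed limit, not from the page */

/* Hypothetical helper: create a file for an incoming transfer inside dir,
 * using the sender-supplied name, without ever replacing an existing file.
 * On success returns an fd and stores the name actually used in name_out. */
int open_received(const char *dir, const char *remote_name,
                  char *name_out, size_t name_len)
{
    char path[4096];

    /* Extra precaution beyond the report: accept a plain file name only. */
    if (remote_name[0] == '\0' || strchr(remote_name, '/') != NULL ||
        strcmp(remote_name, ".") == 0 || strcmp(remote_name, "..") == 0) {
        errno = EINVAL;
        return -1;
    }
    for (int n = 0; n < MAX_RENAME_TRIES; n++) {
        int len = (n == 0)
            ? snprintf(name_out, name_len, "%s", remote_name)
            : snprintf(name_out, name_len, "%s.%d", remote_name, n);
        if (len < 0 || (size_t)len >= name_len ||
            snprintf(path, sizeof path, "%s/%s", dir, name_out) >= (int)sizeof path) {
            errno = ENAMETOOLONG;
            return -1;
        }
        /* O_CREAT|O_EXCL fails with EEXIST if anything (file or symlink)
         * already has this name, so there is no check-then-open race. */
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
        if (fd >= 0 || errno != EEXIST)
            return fd;          /* created, or a real error to report */
    }
    errno = EEXIST;
    return -1;
}

int main(void)
{
    char name[256];
    for (int i = 0; i < 2; i++) {   /* constructed case: same name sent twice */
        int fd = open_received("/tmp", "obex_demo.txt", name, sizeof name);
        if (fd < 0) { perror("open_received"); return 1; }
        printf("stored as /tmp/%s\n", name);
        close(fd);
    }
    return 0;
}
```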




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 20:47:31 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 11:21:56 2025; Machine Name: buxtehude
