Debian Bug report logs - #397241
RM: chetcpasswd -- RoM; RC-buggy, security issues

Package: ftp.debian.org; Maintainer for ftp.debian.org is Debian FTP Master <ftpmaster@ftp-master.debian.org>;

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sun, 5 Nov 2006 22:48:11 UTC

Severity: normal

Done: Debian Archive Maintenance <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org:
Bug#397241; Package chetcpassword. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to unknown-package@qa.debian.org. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: RM: chetcpassword - Too insecure even to be in sid
Date: Sun, 05 Nov 2006 23:26:26 +0100

Package: chetcpassword
Severity: normal

Please see #394454. Plus, it copies lots of server and user-provided
data into buffers of static size, possibly allowing code injection
as well. Security-sensitive password software shouldn't have such
gaping issues. It's too buggy even for sid, so it should be removed.

Cheers,
        Moritz

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-1-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)



Information forwarded to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org:
Bug#397241; Package chetcpassword. Full text and rfc822 format available.

Acknowledgement sent to Martin Michlmayr <tbm@cyrius.com>:
Extra info received and forwarded to list. Copy sent to unknown-package@qa.debian.org. Full text and rfc822 format available.

Message #10 received at 397241@bugs.debian.org (full text, mbox):

From: Martin Michlmayr <tbm@cyrius.com>
To: Moritz Muehlenhoff <jmm@debian.org>
Cc: control@bugs.debian.org, 397241@bugs.debian.org
Subject: Re: Bug#397241: RM: chetcpassword - Too insecure even to be in sid
Date: Mon, 6 Nov 2006 09:29:05 +0100

reassign 397241 chetcpasswd
thanks

* Moritz Muehlenhoff <jmm@debian.org> [2006-11-05 23:26]:
> Package: chetcpassword
                     ^^
Typo here.  But in any case, you want to reassign this to
ftp.debian.org if you really want to get it removed.
-- 
Martin Michlmayr
http://www.cyrius.com/



Bug reassigned from package `chetcpassword' to `chetcpasswd'. Request was from Martin Michlmayr <tbm@cyrius.com> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Joao Eriberto Mota Filho <eriberto@eriberto.pro.br>:
Bug#397241; Package chetcpasswd. Full text and rfc822 format available.

Acknowledgement sent to Eriberto <eriberto@eriberto.pro.br>:
Extra info received and forwarded to list. Copy sent to Joao Eriberto Mota Filho <eriberto@eriberto.pro.br>. Full text and rfc822 format available.

Message #17 received at 397241@bugs.debian.org (full text, mbox):

From: Eriberto <eriberto@eriberto.pro.br>
To: 397241@bugs.debian.org
Subject: Re: RM: chetcpasswd - Too insecure even to be in sid
Date: Mon, 6 Nov 2006 09:14:21 -0300

Hello,

The upstream is working to fix the security problems. I tested a new
version but it hasn't fixed all problems yet. We need more time (one
week?) to upload a new version.

Regards,

Eriberto - Brazil



Bug reassigned from package `chetcpasswd' to `ftp.debian.org'. Request was from Bas Zoetekouw <bas@zoetekouw.net> to control@bugs.debian.org. Full text and rfc822 format available.

Changed Bug title. Request was from Adam D. Barratt <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, James Troup and others <ftpmaster@ftp-master.debian.org>:
Bug#397241; Package ftp.debian.org. Full text and rfc822 format available.

Acknowledgement sent to Eriberto <eriberto@eriberto.pro.br>:
Extra info received and forwarded to list. Copy sent to James Troup and others <ftpmaster@ftp-master.debian.org>. Full text and rfc822 format available.

Message #26 received at 397241@bugs.debian.org (full text, mbox):

From: Eriberto <eriberto@eriberto.pro.br>
To: 397241@bugs.debian.org
Subject: Re: Bug#397241: RM: chetcpasswd - Too insecure even to be in sid
Date: Mon, 13 Nov 2006 16:52:22 -0200

The upstream author is not willing to cooperate on fixing the reported
bugs and considers Debian to be "too demanding". Still, the upstream
disrespected the Debian Project (used the F word). I'm not willing to
fork his work nor maintain an ever growing patch to fix chetcpasswd
security flaws. I will ask for the removal of this package from
Debian.

Regards,

Eriberto - Brazil

2006/11/6, Eriberto <eriberto@eriberto.pro.br>:
> The upstream is working to fix the security problems. I tested a new
> version but it hasn't fixed all problems yet. We need more time (one
> week?) to upload a new version.



Changed Bug title. Request was from Eriberto <eriberto@eriberto.pro.br> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, James Troup and others <ftpmaster@ftp-master.debian.org>:
Bug#397241; Package ftp.debian.org. Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to James Troup and others <ftpmaster@ftp-master.debian.org>. Full text and rfc822 format available.

Message #33 received at 397241@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>
To: Eriberto <eriberto@eriberto.pro.br>, 397241@bugs.debian.org
Subject: Re: Bug#397241: RM: chetcpasswd - Too insecure even to be in sid
Date: Mon, 13 Nov 2006 20:53:45 +0000

retitle 397241 RM: chetcpaswd -- RoM; RC-buggy; security issues
thanks

Hi,

On Mon, 2006-11-13 at 16:52 -0200, Eriberto wrote:
> The upstream author is not willing to cooperate on fixing the reported
> bugs and considers Debian to be "too demanding". Still, the upstream
> disrespected the Debian Project (used the F word). I'm not willing to
> fork his work nor maintain an ever growing patch to fix chetcpasswd
> security flaws. I will ask for the removal of this package from
> Debian.

I noticed you changed the bug title back from the version I set
yesterday. :-)

The subjects of removal bugs against ftp.debian.org are conventionally
formatted in a particular way so as to assist the ftp team (and those of
us triaging ftp.d.o bugs) to easily get an overview of information about
each removal.

On that basis, I've retitled it again. It's slightly more accurate this
time, as you've requested removal yourself (RoM = Request of Maintainer,
whereas RoST = Request of Security Team).

Regards,

Adam



Changed Bug title. Request was from "Adam D. Barratt" <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org. Full text and rfc822 format available.

Changed Bug title. Request was from Adam D. Barratt <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Debian Archive Maintenance <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #42 received at 397241-close@bugs.debian.org (full text, mbox):

From: Debian Archive Maintenance <ftpmaster@ftp-master.debian.org>
To: 397241-close@bugs.debian.org
Cc: chetcpasswd@packages.debian.org, chetcpasswd@packages.qa.debian.org
Subject: Bug#397241: fixed
Date: Mon, 25 Dec 2006 00:31:25 +0000

We believe that the bug you reported is now fixed; the following
package(s) have been removed from unstable:

chetcpasswd |    2.3.3-1 | source, alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390, sparc

Note that the package(s) have simply been removed from the tag
database and may (or may not) still be in the pool; this is not a bug.
The package(s) will be physically removed automatically when no suite
references them (and in the case of source, when no binary references
it).  Please also remember that the changes have been done on the
master archive (ftp-master.debian.org) and will not propagate to any
mirrors (ftp.debian.org included) until the next cron.daily run at the
earliest.

Packages are never removed from testing by hand.  Testing tracks
unstable and will automatically remove packages which were removed
from unstable when removing them from testing causes no dependency
problems.

Bugs which have been reported against this package are not automatically
removed from the Bug Tracking System.  Please check all open bugs and
close them or re-assign them to another package if the removed package
was superseded by another one.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 397241@bugs.debian.org.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@debian.org.

Debian distribution maintenance software
pp.
Joerg Jaspert (the ftpmaster behind the curtain)



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 03:56:39 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 19:59:38 2014; Machine Name: beach.debian.org
