Debian Bug report logs - #454089
CVE-2007-6208 insecure tmp file handling in sylprint.pl prone to symlink attack


Package: claws-mail-tools; Maintainer for claws-mail-tools is Ricardo Mones <mones@debian.org>; Source for claws-mail-tools is src:claws-mail.

Reported by: Nico Golde <nion@debian.org>

Date: Sun, 2 Dec 2007 23:39:02 UTC

Severity: important

Tags: security

Fixed in version claws-mail/3.1.0-2

Done: Ricardo Mones <mones@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Ricardo Mones <mones@debian.org>:
Bug#454089; Package claws-mail-tools. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Ricardo Mones <mones@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: insecure tmp file handling in sylprint.pl
Date: Mon, 3 Dec 2007 00:36:59 +0100
[Message part 1 (text/plain, inline)]
Package: claws-mail-tools
Severity: important
Tags: security

Hi,
the sylprint.pl also shipped in an installation of the 
package is prone to a symlink attack.
sylprint.pl:
$tmpfn="/tmp/sylprint.$ENV{'USER'}.$$";
open(TMP,">$tmpfn");
open(FIN,"<$ARGV[0]");
LN: while (<FIN>) {
    $ln = $_;
    foreach $n (@cabn) {
[...]
# print headers
if ($headers) {
    print TMP "\n\n";

Since the process id is pretty predictable, as well as the user name in
this case, an attacker could create a symlink to the tmp file and thereby
overwrite arbitrary files owned by the user.
Opening with O_EXCL and raising an error would be sufficient from my
point of view.
Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
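As an added illustration that is not part of the report or of claws-mail: the open pattern quoted above, next to the O_CREAT|O_EXCL check the report suggests and a File::Temp variant. The scratch directory, the victim file and the planted symlink are constructed for the demonstration; $ENV{USER} and $$ are the same predictable inputs the original script uses.

```perl
#!/usr/bin/perl
# Added example: the temp-file pattern from the report beside two hardened
# replacements. Not code from sylprint.pl or claws-mail; all paths here are
# constructed inside a private scratch directory.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempfile tempdir);
use File::Spec;

my $user = $ENV{USER} // 'user';

# The reported pattern: a name built from user name and PID (both
# predictable) opened with a plain ">" which follows a symlink already
# sitting at that path and truncates whatever the link points to.
# $dir is a parameter only so the demo can run outside /tmp.
sub open_tmp_insecure {
    my ($dir) = @_;
    my $tmpfn = File::Spec->catfile($dir, "sylprint.$user.$$");
    open(my $tmp, '>', $tmpfn) or die "cannot open $tmpfn: $!";
    return ($tmp, $tmpfn);
}

# The fix the report asks for: O_CREAT|O_EXCL fails with EEXIST when
# anything (regular file or symlink) already exists at the path, so the
# script stops instead of writing through the link. 0600 keeps the
# content private to the user.
sub open_tmp_excl {
    my ($tmpfn) = @_;
    sysopen(my $tmp, $tmpfn, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or return (undef, "$!");
    return ($tmp, undef);
}

# Preferred fix: File::Temp chooses an unpredictable name, opens it with
# O_EXCL itself, and with UNLINK removes it when the program exits.
sub open_tmp_safe {
    my ($dir) = @_;
    return tempfile("sylprint.XXXXXXXX", DIR => $dir, UNLINK => 1);
}

# Demonstration in a scratch directory that is removed at exit.
my $dir    = tempdir(CLEANUP => 1);
my $victim = File::Spec->catfile($dir, 'victim.txt');
open(my $v, '>', $victim) or die "cannot create $victim: $!";
print $v "important data\n";
close $v;

# A symlink at the predictable name stands in for the planted link.
my $predictable = File::Spec->catfile($dir, "sylprint.$user.$$");
symlink($victim, $predictable) or die "symlink: $!";

printf "victim before: %d bytes\n", (-s $victim) || 0;
my ($ins) = open_tmp_insecure($dir);      # follows the link, truncates victim
close $ins;
printf "victim after insecure open: %d bytes\n", (-s $victim) || 0;

my ($h, $err) = open_tmp_excl($predictable);
print "O_EXCL open at the planted path: ",
      defined $h ? "succeeded (unexpected)" : "refused ($err)", "\n";

my ($safe, $safename) = open_tmp_safe($dir);
print "File::Temp created $safename\n";
print $safe "report output\n";
close $safe;
```

Run it as an ordinary user; the victim file drops to 0 bytes after the insecure open, the O_EXCL open is refused with "File exists", and the File::Temp file is created and cleaned up at exit. Note that O_EXCL only makes the open fail safely; a script that then retries with the same predictable name still races, which is why the unpredictable name from File::Temp is the better fix.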

Information forwarded to debian-bugs-dist@lists.debian.org, Ricardo Mones <mones@debian.org>:
Bug#454089; Package claws-mail-tools. Full text and rfc822 format available.

Acknowledgement sent to Colin Leroy <colin@colino.net>:
Extra info received and forwarded to list. Copy sent to Ricardo Mones <mones@debian.org>. Full text and rfc822 format available.

Message #10 received at 454089@bugs.debian.org (full text, mbox):

From: Colin Leroy <colin@colino.net>
To: 454089@bugs.debian.org
Subject: Resolution
Date: Tue, 4 Dec 2007 09:42:21 +0000
This bug is going to be fixed.

Would it be too much to ask the submitter to handle security issues
privately until they're resolved, or is it more interesting to have
them published all over the place[*] when no solution is available?

[*]
http://secwatch.org/advisories/1019661/
http://www.securityfocus.com/bid/26676
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6208
-- 
Colin




Changed Bug title to `CVE-2007-6208 insecure tmp file handling in sylprint.pl prone to symlink attack' from `insecure tmp file handling in sylprint.pl'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Tue, 04 Dec 2007 12:48:02 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Ricardo Mones <mones@debian.org>:
Bug#454089; Package claws-mail-tools. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Ricardo Mones <mones@debian.org>. Full text and rfc822 format available.

Message #17 received at 454089@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 454089@bugs.debian.org
Subject: Re: Bug#454089: insecure tmp file handling in sylprint.pl
Date: Tue, 4 Dec 2007 13:48:45 +0100
[Message part 1 (text/plain, inline)]
Hi,
Name: CVE-2007-6208
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6208
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=454089

sylprint.pl in claws mail tools (claws-mail-tools) allows local users
to overwrite arbitrary files via a symlink attack on the
sylprint.[USER].[PID] temporary file.


Please mention the CVE id in the changelog if you fix this bug (I suggest by
removing this script from the package as upstream also wants to remove it).
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Ricardo Mones <mones@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #22 received at 454089-close@bugs.debian.org (full text, mbox):

From: Ricardo Mones <mones@debian.org>
To: 454089-close@bugs.debian.org
Subject: Bug#454089: fixed in claws-mail 3.1.0-2
Date: Tue, 04 Dec 2007 12:47:04 +0000
Source: claws-mail
Source-Version: 3.1.0-2

We believe that the bug you reported is fixed in the latest version of
claws-mail, which is due to be installed in the Debian FTP archive:

claws-mail-bogofilter_3.1.0-2_amd64.deb
  to pool/main/c/claws-mail/claws-mail-bogofilter_3.1.0-2_amd64.deb
claws-mail-clamav_3.1.0-2_amd64.deb
  to pool/main/c/claws-mail/claws-mail-clamav_3.1.0-2_amd64.deb
claws-mail-dbg_3.1.0-2_amd64.deb
  to pool/main/c/claws-mail/claws-mail-dbg_3.1.0-2_amd64.deb
claws-mail-dillo-viewer_3.1.0-2_amd64.deb
  to pool/main/c/claws-mail/claws-mail-dillo-viewer_3.1.0-2_amd64.deb
claws-mail-doc_3.1.0-2_all.deb
  to pool/main/c/claws-mail/claws-mail-doc_3.1.0-2_all.deb
claws-mail-i18n_3.1.0-2_all.deb
  to pool/main/c/claws-mail/claws-mail-i18n_3.1.0-2_all.deb
claws-mail-pgpinline_3.1.0-2_amd64.deb
  to pool/main/c/claws-mail/claws-mail-pgpinline_3.1.0-2_amd64.deb
claws-mail-pgpmime_3.1.0-2_amd64.deb
  to pool/main/c/claws-mail/claws-mail-pgpmime_3.1.0-2_amd64.deb
claws-mail-plugins_3.1.0-2_all.deb
  to pool/main/c/claws-mail/claws-mail-plugins_3.1.0-2_all.deb
claws-mail-spamassassin_3.1.0-2_amd64.deb
  to pool/main/c/claws-mail/claws-mail-spamassassin_3.1.0-2_amd64.deb
claws-mail-tools_3.1.0-2_all.deb
  to pool/main/c/claws-mail/claws-mail-tools_3.1.0-2_all.deb
claws-mail-trayicon_3.1.0-2_amd64.deb
  to pool/main/c/claws-mail/claws-mail-trayicon_3.1.0-2_amd64.deb
claws-mail_3.1.0-2.diff.gz
  to pool/main/c/claws-mail/claws-mail_3.1.0-2.diff.gz
claws-mail_3.1.0-2.dsc
  to pool/main/c/claws-mail/claws-mail_3.1.0-2.dsc
claws-mail_3.1.0-2_amd64.deb
  to pool/main/c/claws-mail/claws-mail_3.1.0-2_amd64.deb
libclaws-mail-dev_3.1.0-2_amd64.deb
  to pool/main/c/claws-mail/libclaws-mail-dev_3.1.0-2_amd64.deb
libsylpheed-claws-gtk2-dev_3.1.0-2_all.deb
  to pool/main/c/claws-mail/libsylpheed-claws-gtk2-dev_3.1.0-2_all.deb
sylpheed-claws-gtk2-bogofilter_3.1.0-2_all.deb
  to pool/main/c/claws-mail/sylpheed-claws-gtk2-bogofilter_3.1.0-2_all.deb
sylpheed-claws-gtk2-clamav_3.1.0-2_all.deb
  to pool/main/c/claws-mail/sylpheed-claws-gtk2-clamav_3.1.0-2_all.deb
sylpheed-claws-gtk2-dillo-viewer_3.1.0-2_all.deb
  to pool/main/c/claws-mail/sylpheed-claws-gtk2-dillo-viewer_3.1.0-2_all.deb
sylpheed-claws-gtk2-doc_3.1.0-2_all.deb
  to pool/main/c/claws-mail/sylpheed-claws-gtk2-doc_3.1.0-2_all.deb
sylpheed-claws-gtk2-i18n_3.1.0-2_all.deb
  to pool/main/c/claws-mail/sylpheed-claws-gtk2-i18n_3.1.0-2_all.deb
sylpheed-claws-gtk2-pgpinline_3.1.0-2_all.deb
  to pool/main/c/claws-mail/sylpheed-claws-gtk2-pgpinline_3.1.0-2_all.deb
sylpheed-claws-gtk2-pgpmime_3.1.0-2_all.deb
  to pool/main/c/claws-mail/sylpheed-claws-gtk2-pgpmime_3.1.0-2_all.deb
sylpheed-claws-gtk2-plugins_3.1.0-2_all.deb
  to pool/main/c/claws-mail/sylpheed-claws-gtk2-plugins_3.1.0-2_all.deb
sylpheed-claws-gtk2-spamassassin_3.1.0-2_all.deb
  to pool/main/c/claws-mail/sylpheed-claws-gtk2-spamassassin_3.1.0-2_all.deb
sylpheed-claws-gtk2-trayicon_3.1.0-2_all.deb
  to pool/main/c/claws-mail/sylpheed-claws-gtk2-trayicon_3.1.0-2_all.deb
sylpheed-claws-gtk2_3.1.0-2_all.deb
  to pool/main/c/claws-mail/sylpheed-claws-gtk2_3.1.0-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 454089@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ricardo Mones <mones@debian.org> (supplier of updated claws-mail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 04 Dec 2007 12:11:17 +0100
Source: claws-mail
Binary: sylpheed-claws-gtk2-plugins claws-mail sylpheed-claws-gtk2 claws-mail-spamassassin sylpheed-claws-gtk2-pgpinline libsylpheed-claws-gtk2-dev sylpheed-claws-gtk2-bogofilter claws-mail-bogofilter claws-mail-clamav sylpheed-claws-gtk2-dillo-viewer claws-mail-tools claws-mail-pgpinline libclaws-mail-dev sylpheed-claws-gtk2-doc claws-mail-dbg sylpheed-claws-gtk2-spamassassin claws-mail-i18n sylpheed-claws-gtk2-i18n claws-mail-doc sylpheed-claws-gtk2-pgpmime claws-mail-dillo-viewer sylpheed-claws-gtk2-clamav sylpheed-claws-gtk2-trayicon claws-mail-pgpmime claws-mail-plugins claws-mail-trayicon
Architecture: source all amd64
Version: 3.1.0-2
Distribution: unstable
Urgency: high
Maintainer: Ricardo Mones <mones@debian.org>
Changed-By: Ricardo Mones <mones@debian.org>
Description: 
 claws-mail - Fast, lightweight and user-friendly GTK2 based email client
 claws-mail-bogofilter - Bogofilter plugin for Claws Mail
 claws-mail-clamav - Clam AntiVirus plugin for Claws Mail
 claws-mail-dbg - Debug symbols for Claws Mail mailer
 claws-mail-dillo-viewer - HTML viewer plugin for Claws Mail using Dillo
 claws-mail-doc - User documentation for Claws Mail mailer
 claws-mail-i18n - Locale data for Claws Mail (i18n support)
 claws-mail-pgpinline - PGP/inline plugin for Claws Mail
 claws-mail-pgpmime - PGP/MIME plugin for Claws Mail
 claws-mail-plugins - Installs plugins for the Claws Mail mailer
 claws-mail-spamassassin - SpamAssassin plugin for Claws Mail
 claws-mail-tools - Helper and utility scripts for Claws Mail mailer
 claws-mail-trayicon - Notification area plugin for Claws Mail
 libclaws-mail-dev - Development files for Claws Mail plugins
 libsylpheed-claws-gtk2-dev - Transition package for Claws Mail renaming
 sylpheed-claws-gtk2 - Transition package for Claws Mail renaming
 sylpheed-claws-gtk2-bogofilter - Transition package for Claws Mail renaming
 sylpheed-claws-gtk2-clamav - Transition package for Claws Mail renaming
 sylpheed-claws-gtk2-dillo-viewer - Transition package for Claws Mail renaming
 sylpheed-claws-gtk2-doc - Transition package for Claws Mail renaming
 sylpheed-claws-gtk2-i18n - Transition package for Claws Mail renaming
 sylpheed-claws-gtk2-pgpinline - Transition package for Claws Mail renaming
 sylpheed-claws-gtk2-pgpmime - Transition package for Claws Mail renaming
 sylpheed-claws-gtk2-plugins - Transition package for Claws Mail renaming
 sylpheed-claws-gtk2-spamassassin - Transition package for Claws Mail renaming
 sylpheed-claws-gtk2-trayicon - Transition package for Claws Mail renaming
Closes: 454089
Changes: 
 claws-mail (3.1.0-2) unstable; urgency=high
 .
   * debian/rules
   - CVE-2007-6208: removal of sylprint files (Closes: #454089)
     This is a temporary fix, until next upstream version, which
     has already removed the files.
Files: 
 a186a42ad57ee35ec3c33f1f44a98056 1605 mail optional claws-mail_3.1.0-2.dsc
 ed6c4413270b19f00881d3d9bed733a6 41114 mail optional claws-mail_3.1.0-2.diff.gz
 f97b1573fd695e7f7ee4018f834a81a8 1294550 mail optional claws-mail_3.1.0-2_amd64.deb
 9fbc46ac3fd0f9ac9fc2d6611707806d 4030182 mail extra claws-mail-dbg_3.1.0-2_amd64.deb
 731c46e5d7ad2efa32063ae92940c096 132576 devel optional libclaws-mail-dev_3.1.0-2_amd64.deb
 0c12931898992e74bcfa35585213d941 19894 mail optional claws-mail-plugins_3.1.0-2_all.deb
 3748ef6bf6adf2f067694d9832a58fd7 28608 mail optional claws-mail-clamav_3.1.0-2_amd64.deb
 e71e050586df4280a90e23f8ac4ec828 27960 mail optional claws-mail-dillo-viewer_3.1.0-2_amd64.deb
 4b04100312889ade2542b1111757e011 42912 mail optional claws-mail-spamassassin_3.1.0-2_amd64.deb
 42b1c58d8a4cdb7362d3234bc30b8ffe 36668 mail optional claws-mail-trayicon_3.1.0-2_amd64.deb
 c39d3a22449d00c3af0d2d1b300531c1 57550 mail optional claws-mail-pgpmime_3.1.0-2_amd64.deb
 00ee1291a96fd684df757268fe321f59 30654 mail optional claws-mail-pgpinline_3.1.0-2_amd64.deb
 3be7b683987f28e16458e6548aa19749 35432 mail optional claws-mail-bogofilter_3.1.0-2_amd64.deb
 0eef205af7bfbc48d53142185b67c4a5 1773776 mail optional claws-mail-i18n_3.1.0-2_all.deb
 28dc77abcc8e146186e05a6cf6887b4b 979396 doc optional claws-mail-doc_3.1.0-2_all.deb
 a0322f07929ae637fd0737fcf0fe3db9 87466 mail optional claws-mail-tools_3.1.0-2_all.deb
 0c3ea59fb8c72c83fa39fbd3a6727c60 19820 mail optional sylpheed-claws-gtk2_3.1.0-2_all.deb
 fbd5ec63a4b38db2f1800ecd8a435622 19844 devel optional libsylpheed-claws-gtk2-dev_3.1.0-2_all.deb
 f189452b8c41f034666c4669827edbe9 19838 mail optional sylpheed-claws-gtk2-plugins_3.1.0-2_all.deb
 b0a73ee9a3c87c09de406d59f81f0b00 19832 mail optional sylpheed-claws-gtk2-clamav_3.1.0-2_all.deb
 795ea197d2a942abe9d77cd82b343cfe 19846 mail optional sylpheed-claws-gtk2-dillo-viewer_3.1.0-2_all.deb
 c3b51b360e8f73cd0b326955f5479923 19836 mail optional sylpheed-claws-gtk2-doc_3.1.0-2_all.deb
 6de2a9036af5c485f365b7310933d9fc 19834 mail optional sylpheed-claws-gtk2-i18n_3.1.0-2_all.deb
 0e7695756e16282132f244827a6cf625 19846 mail optional sylpheed-claws-gtk2-pgpinline_3.1.0-2_all.deb
 682f2344db852608f1c9912ea76e5f93 19840 mail optional sylpheed-claws-gtk2-pgpmime_3.1.0-2_all.deb
 f28c5b477b351e5c436b9544d8b267e7 19840 mail optional sylpheed-claws-gtk2-spamassassin_3.1.0-2_all.deb
 a58767b31d30cb6f76deb15577de99bb 19838 mail optional sylpheed-claws-gtk2-trayicon_3.1.0-2_all.deb
 9efd0e5bb629a2044e3cc9ac5482b707 19840 mail optional sylpheed-claws-gtk2-bogofilter_3.1.0-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHVUlTLARVQsm1XawRAuDcAJ4kt73jvrJQE7eMUJEgzTL3yTnoXgCdGPrG
kVuydWBuPweUlwQpiLz35ms=
=pCfD
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Ricardo Mones <mones@debian.org>:
Bug#454089; Package claws-mail-tools. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Ricardo Mones <mones@debian.org>. Full text and rfc822 format available.

Message #27 received at 454089@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Colin Leroy <colin@colino.net>, 454089@bugs.debian.org
Subject: Re: Bug#454089: Resolution
Date: Tue, 4 Dec 2007 14:58:26 +0100
[Message part 1 (text/plain, inline)]
Hi Colin,
* Colin Leroy <colin@colino.net> [2007-12-04 13:05]:
> This bug is going to be fixed.
> 
> Would it be too much to ask the submitter to handle security issues
> privately until they're resolved, or is it more interesting to have
> them published all over the place[*] when no solution is available?
[...] 
To make it short yes. I do not share your policy for 
handling security relevant bugs especially if you consider 
that upstream authors are fairly often unresponsive and this 
bug is of minor importance. This is no remote root exploit 
so I don't see your problem. If you don't want people to 
write about what you do, then you should not publish 
software. What I did is seeing a bug and using the BTS of my 
distribution to report it, nothing more.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#454089; Package claws-mail-tools. Full text and rfc822 format available.

Acknowledgement sent to Ricardo Mones <mones@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #32 received at 454089@bugs.debian.org (full text, mbox):

From: Ricardo Mones <mones@debian.org>
To: Nico Golde <nion@debian.org>
Cc: 454089@bugs.debian.org, Colin Leroy <colin@colino.net>
Subject: Re: Bug#454089: Resolution
Date: Wed, 5 Dec 2007 08:55:09 +0100
[Message part 1 (text/plain, inline)]
  Hi Nico,

On Tue, 04 Dec 2007 14:58:26 +0100
Nico Golde <nion@debian.org> wrote:

> Hi Colin,
> * Colin Leroy <colin@colino.net> [2007-12-04 13:05]:
> > This bug is going to be fixed.
> > 
> > Would it be too much to ask the submitter to handle security issues
> > privately until they're resolved, or is it more interesting to have
> > them published all over the place[*] when no solution is available?
> [...] 
> To make it short yes. I do not share your policy for 
> handling security relevant bugs especially if you consider 

  This is not an upstream policy, it is how most people expect security bugs to
be handled and is part of our Developers Reference [0]. I also know
confidentiality is not required for minor bugs.


> that upstream authors are fairly often unresponsive and this 
> bug is of minor importance.

  Yep I agree the bug has minor importance, but generalising on upstream
unresponsiveness as justification for not sending a notice is not a good
idea. Mainly because it makes you look like you don't think or read before
posting, especially when the upstream of that precise script is also the
package maintainer. It also gives arguments to upstreams on generalising how
stupid DDs can be... :-P

> This is no remote root exploit so I don't see your problem. If you don't

  I don't see your problem either in sending a private mail first, especially
when there's an explicit request to do it from upstream.

> want people to write about what you do, then you should not publish 
> software. What I did is seing a bug and using the BTS of my 
> distribution to report it, nothing more.

  Pretending you're 'just using the BTS' is even more stupid than the
previous justification or reveals a serious lack of knowledge about how
security bugs are spread.

  I know Colin's words were probably not in the best tone, but his request
is fair: nobody likes reading "There was no vendor-supplied solution at the
time of entry." in a security tracker when he had no opportunity to solve the
problem.

  Your bug report was good, there was no need to make stupid justifications,
and Colin wasn't saying the opposite, just requested coordination.

  BTW, the bug is already closed.

  regards,

[0]
http://www.us.debian.org/doc/manuals/developers-reference/ch-pkgs.en.html#s-bug-security
-- 
 Ricardo Mones
 http://people.debian.org/~mones
 «Are you a turtle?»
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Ricardo Mones <mones@debian.org>:
Bug#454089; Package claws-mail-tools. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Ricardo Mones <mones@debian.org>. Full text and rfc822 format available.

Message #37 received at 454089@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Ricardo Mones <mones@debian.org>, 454089@bugs.debian.org
Cc: Colin Leroy <colin@colino.net>
Subject: Re: Bug#454089: Resolution
Date: Wed, 5 Dec 2007 14:35:03 +0100
[Message part 1 (text/plain, inline)]
Hi Ricardo,
* Ricardo Mones <mones@debian.org> [2007-12-05 13:15]:
> On Tue, 04 Dec 2007 14:58:26 +0100
> Nico Golde <nion@debian.org> wrote:
> > * Colin Leroy <colin@colino.net> [2007-12-04 13:05]:
> > > This bug is going to be fixed.
> > > 
> > > Would it be too much to ask the submitter to handle security issues
> > > privately until they're resolved, or is it more interesting to have
> > > them published all over the place[*] when no solution is available?
> > [...] 
> > To make it short yes. I do not share your policy for 
> > handling security relevant bugs especially if you consider 
> 
>   This is not an upstream policy, it is how most people expect security bugs to
> be handled and is part of our Developers Reference [0]. I also know
> confidentiality is not required for minor bugs.

I am aware of how to proceed with security bugs, however the 
referenced text is only useful for packages that will get a 
DSA and for people who believe in the opposite of full-disclosure, which I don't.

> > that upstream authors are fairly often unresponsive and this 
> > bug is of minor importance.
> 
>   Yep I agree the bug has minor importance, but generalising on upstream
> unresponsiveness as justification for not sending a notice is not a good
> idea. Mainly because it makes you look like you don't think or read before
> posting, especially when the upstream of that precise script is also the
> package maintainer. It also gives arguments to upstreams on generalising how
> stupid DDs can be... :-P

Well I had email conversation with nearly every claws 
developer now about this and already had while they had a 
vulnerable version on their website... I really have no 
motivation to discuss this further, have a look in your own 
team@claws mailbox.

> > This is no remote root exploit so I don't see your problem. If you don't
> 
>   I don't see your problem either in sending a private mail first, especially
> when there's an explicit request to do it from upstream.

Simply because I don't share this opinion.

> > want people to write about what you do, then you should not publish 
> > software. What I did is seing a bug and using the BTS of my 
> > distribution to report it, nothing more.
> 
>   Pretending you're 'just using the BTS' is even more stupid than the
> previous justification or reveals a serious lack of knowledge about how
> security bugs are spread.

Can you stop the trolling now? What is stupid is that I get 
mails by every single claws-mail upstream developer asking 
me to contact them first while a developer of them is 
actually the Debian maintainer, this is stupid if you ask me 
because it's your job to tell your fellow developers about 
this. And seriously you guys should start fixing stuff 
instead of being pissed off because it was spread about 
security sites (which was not what I did) and being pissed 
off because of a bad review in the Linux magazine (at least 
that's what I got told by a fellow developer of you).

>   I know Colin's words were probably not in the best tone, but his request
> is fair: nobody likes reading "There was no vendor-supplied solution at the
> time of entry." in a security tracker when he had no opportunity to solve the
> problem.

Then go and piss the guys of secwatch off because I am _NOT_ 
the one who wrote this text, thanks!

>   Your bug report was good, there was no need to made stupid justifications,
> and Colin wasn't saying the opposite, just requested coordination.

Yes and he did when I already got mails by other developers 
stating and asking the same in a more or less unfriendly 
way:
Hi Nico
you could contact the team before to write
"There was no vendor-supplied solution at the time of entry."

Really, the whole discussion ended yesterday and now you really need
to give your additional words that don't help too?
You guys should really start working on things instead of wasting your time
with email.
And to be honest, I am not going to contact any of you guys if I find
some bug again, simply because you showed that you are not able to handle
this just because of some bad press.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Ricardo Mones <mones@debian.org>:
Bug#454089; Package claws-mail-tools. Full text and rfc822 format available.

Acknowledgement sent to Colin Leroy <colin@colino.net>:
Extra info received and forwarded to list. Copy sent to Ricardo Mones <mones@debian.org>. Full text and rfc822 format available.

Message #42 received at 454089@bugs.debian.org (full text, mbox):

From: Colin Leroy <colin@colino.net>
To: Nico Golde <nion@debian.org>
Cc: theteam@claws-mail.org, 454089@bugs.debian.org
Subject: Re: Bug#454089: Resolution
Date: Wed, 5 Dec 2007 14:53:52 +0100
On Wed, 5 Dec 2007 14:35:03 +0100, Nico Golde wrote:

Hi,

> And to be honest, I am not going to contact any of you guys if I find
> some bug again, simply because you showed that you are not able to
> handle this just because of some bad press.

Dude, it's not about bad press. It's about following procedures.
Anyway, do me a favour, leave security bugs to the people who do it
correctly. 

All of the previous vulns have been much better handled:
http://secunia.com/advisories/10061/
http://secunia.com/advisories/14774/
http://secunia.com/advisories/26550/
http://secunia.com/advisories/20476/

We report the ones we find. What in this process makes you think we're
bothered about bad press?
-- 
Colin




Information forwarded to debian-bugs-dist@lists.debian.org, Ricardo Mones <mones@debian.org>:
Bug#454089; Package claws-mail-tools. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Ricardo Mones <mones@debian.org>. Full text and rfc822 format available.

Message #47 received at 454089@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Colin Leroy <colin@colino.net>
Subject: Re: Bug#454089: Resolution
Date: Wed, 5 Dec 2007 15:13:39 +0100
[Message part 1 (text/plain, inline)]
Hi Colin,
* Colin Leroy <colin@colino.net> [2007-12-05 14:57]:
> On Wed, 5 Dec 2007 14:35:03 +0100, Nico Golde wrote:
> > And to be honest, I am not going to contact any of you guys if I find
> > some bug again, simply because you showed that you are not able to
> > handle this just because of some bad press.
> 
> Dude, it's not about bad press. It's about following procedures.

Following whose procedures?

> Anyway, do me a favour, leave security bugs to the people who do it
> correctly. 

Do me a favour and leave security bugs to the people 
actually doing security work in this distribution. Thanks.

> All of the previous vulns have been much better handled:
> http://secunia.com/advisories/10061/
> http://secunia.com/advisories/14774/
> http://secunia.com/advisories/26550/
> http://secunia.com/advisories/20476/

Oh wait, you are comparing a low impact bug in a contrib 
script with those bugs? You must be kidding or at least you seem to have no
clue about the impact of security bugs.

> We report the ones we find. What in this process makes you think we're
> bothered about bad press?

"  I know Colin's words were probably not in the best tone, but his request
is fair: nobody likes reading "There was no vendor-supplied solution at the
time of entry." in a security tracker when he had no opportunity to solve the
problem."

What else should this tell me? If you are really just pissed off because you had
no opportunity to fix this before it was on security sites: ok, I don't care,
hate me for this, thanks for the discussion.

Anyway, I am not going to answer any mail regarding this issue from now on
since I see it as a plain waste of time. Stop whining and do something useful with
yours as well.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 03 Jan 2008 07:45:22 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 06:43:35 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.