Debian Bug report logs - #476313
RM: tss -- RoM: security problems, never part of release
Report forwarded to debian-bugs-dist@lists.debian.org, James Troup and others <ftpmaster@ftp-master.debian.org>:
Bug#476313; Package ftp.debian.org.
Acknowledgement sent to أحمد المحمودي <aelmahmoudy@users.sourceforge.net>:
New Bug report received and forwarded. Copy sent to James Troup and others <ftpmaster@ftp-master.debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: ftp.debian.org
Due to security vulnerabilities of this package and upstream not being
able to correctly fix them. Please refer to the following chat log:
15:06 >jcristau< AnAnt: the code is broken
15:07 >nion< AnAnt: it does not tell you the password is invalid it does tell you I need to be SUID for VT locking.\n
15:07 <nion> because the effective user id is not 0 (root) if(geteuid() != 0){
15:07 <AnAnt> nion: yes, I removed the geteuid() != 0 check
15:08 >nion< AnAnt: why do tell me this _now_?
15:08 <AnAnt> nion: if getpwuid does not need suid, then I don't need this geteuid check, do I ?
15:08 <nion> args
15:08 <jcristau> it tries to read /etc/shadow
15:08 <jcristau> to get your password
15:08 <nion> lol
15:09 <jcristau> seriously that my_getpwuid function is full of crap
15:09 <AnAnt> jcristau: what do you suggest ?
15:10 <nion> oh it uses getspnam()
15:10 <jcristau> nion: yeah
15:10 >jcristau< AnAnt: i suggest to stop distributing that in debian
15:11 <nion> ACK looking at the fact that the upstream also doesn't seem to know what he is doing i think it makes no sense to fix this cause we would have to check every new upload. sadly vulnerable people stay vulnerable this way
--
أحمد المحمودي (Ahmed El-Mahmoudy)
Digital design engineer
GPG KeyID: 0x9DCA0B27 (@ subkeys.pgp.net)
GPG Fingerprint: 087D 3767 8CAC 65B1 8F6C 156E D325 C3C8 9DCA 0B27
Changed Bug title to `RM: tss -- RoM: security problems, never part of release' from `RM: tss'.
Request was from Thomas Viehmann <tviehmann@ries.debian.org>
to control@bugs.debian.org.
(Tue, 15 Apr 2008 19:18:03 GMT).
Reply sent to Debian Archive Maintenance <ftpmaster@ftp-master.debian.org>:
You have taken responsibility.
Notification sent to أحمد المحمودي <aelmahmoudy@users.sourceforge.net>:
Bug acknowledged by developer.
Message #12 received at 476313-close@bugs.debian.org:
We believe that the bug you reported is now fixed; the following
package(s) have been removed from unstable:
tss | 0.8.1-3 | source, alpha, amd64, arm, armel, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390, sparc
Note that the package(s) have simply been removed from the tag
database and may (or may not) still be in the pool; this is not a bug.
The package(s) will be physically removed automatically when no suite
references them (and in the case of source, when no binary references
it). Please also remember that the changes have been done on the
master archive (ftp-master.debian.org) and will not propagate to any
mirrors (ftp.debian.org included) until the next cron.daily run at the
earliest.
Packages are never removed from testing by hand. Testing tracks
unstable and will automatically remove packages which were removed
from unstable when removing them from testing causes no dependency
problems.
Bugs which have been reported against this package are not automatically
removed from the Bug Tracking System. Please check all open bugs and
close them or re-assign them to another package if the removed package
was superseded by another one.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 476313@bugs.debian.org.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@debian.org.
Debian distribution maintenance software
pp.
Anthony Towns (the ftpmaster behind the curtain)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 14 May 2008 07:37:48 GMT).
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Thu Jan 11 03:20:34 2018