Debian Bug report logs - #485752
dogtail: [DoS] use of /tmp/dogtail prevents use by multiple users


Package: python-dogtail; Maintainer for python-dogtail is Alessio Treglia <alessio@debian.org>; Source for python-dogtail is src:dogtail.

Reported by: "Yann Dirson (Debian)" <dirson@debian.org>

Date: Wed, 11 Jun 2008 08:21:04 UTC

Severity: serious

Tags: patch

Found in version dogtail/0.6.1-3

Fixed in version dogtail/0.6.1-3.1

Done: Bastian Venthur <venthur@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Jose Carlos Garcia Sogo <jsogo@debian.org>:
Bug#485752; Package python-dogtail.

Acknowledgement sent to "Yann Dirson (Debian)" <dirson@debian.org>:
New Bug report received and forwarded. Copy sent to Jose Carlos Garcia Sogo <jsogo@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: "Yann Dirson (Debian)" <dirson@debian.org>
To: submit@bugs.debian.org
Subject: dogtail: [DoS] use of /tmp/dogtail prevents use by multiple users
Date: Wed, 11 Jun 2008 10:18:29 +0200 (CEST)

Package: python-dogtail
Version: 0.6.1-3
Severity: serious

Dogtail systematically creates logfiles in /tmp/dogtail/.  The 1st user to
run a script using dogtail (including the sniff gui) wins, and no other
user can use dogtail any more until that dir is manually removed.

>>> from dogtail import *
Creating /tmp/dogtail ...
Creating /tmp/dogtail/logs ...
Creating /tmp/dogtail/data ...
Creating logfile at /tmp/dogtail/logs/log_20080611-101107_debug ...
Detecting distribution: Debian (or derived distribution)
Warning: AT-SPI's desktop is visible but it has no children. Are you
running any AT-SPI-aware applications?
Creating logfile at /tmp/dogtail/logs/log_20080611-101108_results ...
>>>
$ ls -ld /tmp/dogtail
drwxr-xr-x 4 yann yann 80 jun 11 10:11 /tmp/dogtail

Information forwarded to debian-bugs-dist@lists.debian.org, Jose Carlos Garcia Sogo <jsogo@debian.org>:
Bug#485752; Package python-dogtail. (Thu, 25 Sep 2008 20:12:04 GMT)

Acknowledgement sent to Ludovico Gardenghi <garden@acheronte.it>:
Extra info received and forwarded to list. Copy sent to Jose Carlos Garcia Sogo <jsogo@debian.org>. (Thu, 25 Sep 2008 20:12:04 GMT)

Message #10 received at 485752@bugs.debian.org:

From: Ludovico Gardenghi <garden@acheronte.it>
To: "Yann Dirson (Debian)" <dirson@debian.org>, 485752@bugs.debian.org
Subject: Re: Bug#485752: dogtail: [DoS] use of /tmp/dogtail prevents use by multiple users
Date: Thu, 25 Sep 2008 22:08:52 +0200

On Wed, Jun 11, 2008 at 10:18:29AM +0200, Yann Dirson (Debian) wrote:

> Dogtail systematically creates logfiles in /tmp/dogtail/.  The 1st user to
> run a script using dogtail (including the sniff gui) wins, and no other
> user can use dogtail any more until that dir is manually removed.

The path for logfiles and datafiles can be set using the scratchDir,
logDir and dataDir in any configuration file.

However, using a (partially predictable) default under /tmp can lead to
security issues, so here I propose a patch to change the default to:

$HOME/dogtail/

if the HOME environment variable is defined, and to

/tmp/dogtail-<username>/

if the HOME variable is not set.

Just my 0.02${CURRENCY}.

Ludovico
-- 
<garden@acheronte.it>        #acheronte (irc.freenode.net) ICQ: 64483080
GPG ID: 07F89BB8          Jabber: gardengl@gmail.com Yahoo: gardenghelle
-- This is signature nr. 4524
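
The default-directory rule proposed in the message above, as an added example (not part of the thread and not the attached patch). The function names and the tmp parameter are hypothetical; the sketch also creates the directory with mode 0700 and verifies an existing one, since a per-user name under /tmp remains predictable.

```python
import os
import pwd
import stat


def default_scratch_dir(environ=None, tmp="/tmp"):
    """Return $HOME/dogtail if HOME is set, else <tmp>/dogtail-<username>."""
    env = os.environ if environ is None else environ
    home = env.get("HOME")
    if home:
        return os.path.join(home, "dogtail")
    try:
        user = pwd.getpwuid(os.getuid()).pw_name
    except KeyError:            # uid without a passwd entry (assumption:
        user = str(os.getuid())  # fall back to the numeric uid)
    return os.path.join(tmp, "dogtail-" + user)


def ensure_private_dir(path):
    """Create path with mode 0700, or verify that an existing one is ours.

    Raises PermissionError if path is a symlink or not a directory,
    is owned by another user, or is accessible to group or others.
    """
    try:
        os.mkdir(path, 0o700)   # fails if anything already has that name
    except FileExistsError:
        pass
    st = os.lstat(path)         # lstat: never follow a pre-planted symlink
    if not stat.S_ISDIR(st.st_mode):
        raise PermissionError(f"{path}: not a real directory")
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path}: owned by uid {st.st_uid}")
    if st.st_mode & 0o077:
        mode = stat.S_IMODE(st.st_mode)
        raise PermissionError(f"{path}: mode {mode:o} is too permissive")
    return path


if __name__ == "__main__":
    print(ensure_private_dir(default_scratch_dir()))
```
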

Information forwarded to debian-bugs-dist@lists.debian.org, Jose Carlos Garcia Sogo <jsogo@debian.org>:
Bug#485752; Package python-dogtail. (Thu, 25 Sep 2008 20:18:02 GMT)

Acknowledgement sent to Ludovico Gardenghi <garden@acheronte.it>:
Extra info received and forwarded to list. Copy sent to Jose Carlos Garcia Sogo <jsogo@debian.org>. (Thu, 25 Sep 2008 20:18:02 GMT)

Message #15 received at 485752@bugs.debian.org:

From: Ludovico Gardenghi <garden@acheronte.it>
To: "Yann Dirson (Debian)" <dirson@debian.org>, 485752@bugs.debian.org
Subject: Re: Bug#485752: dogtail: [DoS] use of /tmp/dogtail prevents use by multiple users
Date: Thu, 25 Sep 2008 22:13:35 +0200

Ahem. *Here* is the patch. :-)

Ludovico
-- 
<garden@acheronte.it>        #acheronte (irc.freenode.net) ICQ: 64483080
GPG ID: 07F89BB8          Jabber: gardengl@gmail.com Yahoo: gardenghelle
-- This is signature nr. 4525
[dogtail_0.6.1-3.configdirs.diff (text/x-diff, attachment)]

Tags added: patch Request was from Frank Lichtenheld <djpig@debian.org> to control@bugs.debian.org. (Sat, 29 Nov 2008 18:57:09 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Jose Carlos Garcia Sogo <jsogo@debian.org>:
Bug#485752; Package python-dogtail. (Sat, 29 Aug 2009 04:27:03 GMT)

Acknowledgement sent to Ben Finney <ben@benfinney.id.au>:
Extra info received and forwarded to list. Copy sent to Jose Carlos Garcia Sogo <jsogo@debian.org>. (Sat, 29 Aug 2009 04:27:03 GMT)

Message #22 received at 485752@bugs.debian.org:

From: Ben Finney <ben@benfinney.id.au>
To: Jose Carlos Garcia Sogo <jsogo@debian.org>
Cc: 485752@bugs.debian.org
Subject: Re: Bug#485752: dogtail: [DoS] use of /tmp/dogtail prevents use by multiple users
Date: Sat, 29 Aug 2009 14:19:12 +1000

Howdy Jose,

The ‘python-dogtail’ package has a reported bug, #485752, that was
reported 2008-06-11. The report is severity “serious”, and it has had
a patch since 2008-09-25.

Have you managed to review this bug report and the patch? If so, it
would be very helpful if you could send a message to this bug report
with your response.

More generally, the package is currently removed from ‘testing’ and
without an active maintainer it will likely not continue in Debian.
Are you still in a position to have ongoing time and opportunity to
maintain the ‘python-dogtail’ package?

-- 
 \      “Every valuable human being must be a radical and a rebel, for |
  `\      what he must aim at is to make things better than they are.” |
_o__)                                                      —Niels Bohr |
Ben Finney <ben@benfinney.id.au>

Reply sent to Bastian Venthur <venthur@debian.org>:
You have taken responsibility. (Sun, 21 Feb 2010 15:54:07 GMT)

Notification sent to "Yann Dirson (Debian)" <dirson@debian.org>:
Bug acknowledged by developer. (Sun, 21 Feb 2010 15:54:07 GMT)

Message #27 received at 485752-close@bugs.debian.org:

From: Bastian Venthur <venthur@debian.org>
To: 485752-close@bugs.debian.org
Subject: Bug#485752: fixed in dogtail 0.6.1-3.1
Date: Sun, 21 Feb 2010 15:51:10 +0000
Source: dogtail
Source-Version: 0.6.1-3.1

We believe that the bug you reported is fixed in the latest version of
dogtail, which is due to be installed in the Debian FTP archive:

dogtail_0.6.1-3.1.diff.gz
  to main/d/dogtail/dogtail_0.6.1-3.1.diff.gz
dogtail_0.6.1-3.1.dsc
  to main/d/dogtail/dogtail_0.6.1-3.1.dsc
python-dogtail_0.6.1-3.1_all.deb
  to main/d/dogtail/python-dogtail_0.6.1-3.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 485752@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastian Venthur <venthur@debian.org> (supplier of updated dogtail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 21 Feb 2010 14:57:10 +0100
Source: dogtail
Binary: python-dogtail
Architecture: source all
Version: 0.6.1-3.1
Distribution: unstable
Urgency: low
Maintainer: Jose Carlos Garcia Sogo <jsogo@debian.org>
Changed-By: Bastian Venthur <venthur@debian.org>
Description: 
 python-dogtail - GUI test tool and automation framework
Closes: 485752
Changes: 
 dogtail (0.6.1-3.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Fix "[DoS] use of /tmp/dogtail prevents use by multiple users"
     Applied patch by Ludovico Gardenghi (Closes: #485752)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 01 Apr 2010 07:34:02 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 13:43:48 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.