Debian Bug report logs - #496360
The possibility of attack with the help of symlinks in some Debian packages


Package: liguidsoap; Maintainer for liguidsoap is Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>; Source for liguidsoap is src:liquidsoap.

Reported by: "Dmitry E. Oboukhov" <dimka@uvw.ru>

Date: Sun, 24 Aug 2008 18:06:13 UTC

Severity: important

Tags: confirmed, patch, security

Fixed in versions liquidsoap/0.3.8.1+2-2, liquidsoap/0.3.6-4lenny1

Done: Romain Beauxis <toots@rastageeks.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>:
Bug#496360; Package liguidsoap. Full text and rfc822 format available.

Acknowledgement sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
New Bug report received and forwarded. Copy sent to Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Dmitry E. Oboukhov" <dimka@uvw.ru>
To: submit@bugs.debian.org
Cc: dimka@uvw.ru
Subject: The possibility of attack with the help of symlinks in some Debian packages
Date: Sun, 24 Aug 2008 22:05:28 +0400
Package: liguidsoap
Severity: grave

Hi, maintainer!

This message about the error concerns a few packages  at  once.   I've
tested all the packages (for Lenny) on my Debian mirror.  All  scripts
of packages (marked as executable) were tested.

In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or user's files.

For example if a script uses in its work a temp file which is  created
in /tmp directory, then every user can create symlink  with  the  same
name in this directory in order to  destroy  or  rewrite  some  system
or user file.  Symlink attack may also  lead  not  only  to  the  data
destruction but to denial of service as well.

Even if you create files or directories with help of function 'RANDOM'
or pid(), then your system is not protected. Attacker can create many
symlinks in order to destroy your data or create 'denial  of  service'
for your package scripts.

Even if you make rm(dir) for files/directories, then  your  system  is
not protected. Attacker can permanently create symlinks.

This list is created with the help of script.  This list is sorted  by
hand. However, in some cases mistakes are possible.

Please be understanding of possible mistakes. :)

I set the severity to grave for this bug. The table of discovered
problems is below.

Discussion of this bug you can see in debian-devel@:
    http://lists.debian.org/debian-devel/2008/08/msg00271.html

Binary-package: r-base-core-ra (1.1.1-1)
    file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
    file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
    file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
    file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
    file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
    file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
    file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
    file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
    file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
    file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
    file: /usr/share/dtc/admin/accesslog.php
    file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
    file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
    file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
    file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
    file: /usr/share/linuxtrade/bin/linuxtrade.wn
    file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
    file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
    file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
    file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
    file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
    file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
    file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
    file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
    file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
    file: /usr/bin/impose
Binary-package: mgt (2.31-5)
    file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
    file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
    file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
    file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
    file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
    file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
    file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
    file: /usr/lib/lmbench/scripts/rccs
    file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
    file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
    file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
    file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
    file: /usr/bin/optics2rad
    file: /usr/bin/pdelta
    file: /usr/bin/dayfact
    file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
    file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
    file: /usr/share/convirt/image_store/_template_/provision.sh
    file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
    file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/common/provision.sh
    file: /usr/share/convirt/image_store/example/provision.sh
    file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
    file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
    file: /usr/lib/R/bin/javareconf
    file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
    file: /usr/share/xmcd/scripts/ncsarmt
    file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
    file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
    file: /usr/lib/scilab-4.1.2/bin/scilink
    file: /usr/lib/scilab-4.1.2/util/scidoc
    file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
    file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
    file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
    file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
    file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
    file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
    file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
    file: /usr/sbin/checksendmail
    file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
    file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
    file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
    file: /usr/bin/patcil
    file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
    file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
    file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
    file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
    file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
    file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
    file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
    file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
    file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
    file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
    file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
    file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
    file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
    file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
    file: /usr/lib/arb/SH/arb_fastdnaml
    file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
    file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
    file: /usr/bin/apertium-gen-deformat
    file: /usr/bin/apertium-gen-reformat
    file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
    file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
    file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
    file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
    file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
    file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
    file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
    file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
    file: /var/lib/wims/public_html/bin/coqweb
    file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
    file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
    file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
    file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
    file: /usr/share/bulmages/examples/scripts/actualizabulmacont
    file: /usr/share/bulmages/examples/scripts/installbulmages-db
    file: /usr/share/bulmages/examples/scripts/creabulmafact
    file: /usr/share/bulmages/examples/scripts/creabulmacont
    file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
    file: /usr/lib/xastir/get-maptools.sh
    file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
    file: /usr/bin/plaiter
    file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
    file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
    file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
    file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
    file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>:
Bug#496360; Package liguidsoap. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>. Full text and rfc822 format available.

Message #10 received at 496360@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: 496360@bugs.debian.org, 496360-submitter@bugs.debian.org
Subject: Re: The possibility of attack with the help of symlinks in some Debian packages
Date: Sun, 24 Aug 2008 14:02:06 -0700
severity 496360 normal
tags 496360 moreinfo unreproducible
thanks

Your bug report contains *no* information about the liquidsoap package. 
Where is the vulnerability?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org




Severity set to `normal' from `grave' Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Sun, 24 Aug 2008 21:03:04 GMT) Full text and rfc822 format available.

Tags added: moreinfo, unreproducible Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Sun, 24 Aug 2008 21:03:05 GMT) Full text and rfc822 format available.

Message sent on to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug#496360. Full text and rfc822 format available.

Tags removed: moreinfo Request was from "Dmitry E. Oboukhov" <dimka@avanto.org> to control@bugs.debian.org. (Mon, 25 Aug 2008 07:39:04 GMT) Full text and rfc822 format available.

Tags removed: unreproducible Request was from "Dmitry E. Oboukhov" <dimka@avanto.org> to control@bugs.debian.org. (Mon, 25 Aug 2008 07:39:04 GMT) Full text and rfc822 format available.

Information stored:
Bug#496360; Package liguidsoap. Full text and rfc822 format available.

Acknowledgement sent to "Dmitry E. Oboukhov" <dimka@avanto.org>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #26 received at 496360-quiet@bugs.debian.org (full text, mbox):

From: "Dmitry E. Oboukhov" <dimka@avanto.org>
To: Steve Langasek <vorlon@debian.org>, 496360-quiet@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#496360: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 11:36:37 +0400
[Message part 1 (text/plain, inline)]
tags 496360 -moreinfo
tags 496360 -unreproducible
thanks

On 14:02 Sun 24 Aug     , Steve Langasek wrote:
SL> severity 496360 normal
SL> tags 496360 moreinfo unreproducible
SL> thanks

SL> Your bug report contains *no* information about the liquidsoap package.
SL> Where is the vulnerability?
By following the link in the bug report you can find the full report:
    http://uvw.ru/report.lenny.txt


apache:[~/tmp]$ dpkg -x liguidsoap_0.3.6-4_all.deb temp_dir

apache:[~/tmp]$ ls -l temp_dir/var/lib/liguidsoap/liguidsoap.py|awk '{print $1}'
-rwxr-xr-x  - executable

apache:[~/tmp]$ grep -A5 -B4 /tmp/ temp_dir/var/lib/liguidsoap/liguidsoap.py 
    addbackup=""
  else:
    addbackup=';"backup"'

  os.system("""cat > /tmp/liguidsoap.liq <<__EOL__
set("log.file.path","/tmp/lig.<pid>.log")
set("log.stdout",true)
set("server.telnet",true)

bg = request.equeue (id="bed")
music = request.equeue (id="music")
--
output.file.vorbis(id="backup",start=false,"%s",mixer)
""" % (host, port, mount, backup))
  pid = os.fork()
  if pid==0:
    os.execlp("liquidsoap","liquidsoap","/tmp/liguidsoap.liq")
  else:
    print "Running liquidsoap..."
    return pid

# liguidsoap is the toplevel call, starts everything
--

    lbl = gtk.Label("Local backup OGG file")
    erunconf.attach(lbl,0,2,4,5)
    backup = gtk.Entry()
    backup.set_text('/tmp/emission.ogg')
    erunconf.attach(backup,0,2,5,6)
    backup.show() ; lbl.show()

    erun = gtk.CheckButton("Run liquidsoap automatically.")
    erun.show()


script rewrites file: /tmp/liguidsoap.liq



--

. ''`. Dmitry E. Oboukhov
: :'  : unera@debian.org
`. `~' GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537
[signature.asc (application/pgp-signature, inline)]
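
Added example (not part of the bug log and not liguidsoap's own code): the Python sketch below reproduces the create-or-truncate pattern visible in the grep output above, inside a private sandbox directory, and contrasts it with exclusive creation and with mkstemp. The function names, the sandbox layout and the sample file contents are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

LIQ_TEXT = 'set("log.stdout",true)\n'  # constructed sample content


def write_predictable(path, text):
    """Same effect as `cat > /tmp/liguidsoap.liq`: create-or-truncate.

    Without O_EXCL the open follows an existing symlink and truncates
    whatever file it points to.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


def write_exclusive(path, text):
    """Fixed name, but creation fails if anything already exists there.

    O_CREAT|O_EXCL returns EEXIST for an existing symlink, dangling or not.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


def write_private(text, directory=None):
    """Unpredictable name, created atomically with O_EXCL and mode 0600."""
    fd, path = tempfile.mkstemp(prefix="liguidsoap-", suffix=".liq",
                                dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    return path


def _read(path):
    with open(path) as fh:
        return fh.read()


def demo():
    """Run each writer against a pre-planted symlink; return what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as sandbox:
        shared = os.path.join(sandbox, "tmp")            # stands in for /tmp
        os.mkdir(shared)
        victim = os.path.join(sandbox, "important.txt")  # stands in for a user file
        script = os.path.join(shared, "liguidsoap.liq")  # the predictable name

        def plant_symlink():
            # Reset the victim file and point the predictable name at it.
            with open(victim, "w") as fh:
                fh.write("ORIGINAL")
            if os.path.lexists(script):
                os.unlink(script)
            os.symlink(victim, script)

        # 1. Create-or-truncate writes through the link into the victim.
        plant_symlink()
        write_predictable(script, LIQ_TEXT)
        results["predictable_clobbered"] = _read(victim) == LIQ_TEXT

        # 2. Exclusive creation refuses the pre-existing name.
        plant_symlink()
        try:
            write_exclusive(script, LIQ_TEXT)
            results["exclusive_refused"] = False
        except FileExistsError:
            results["exclusive_refused"] = True
        results["exclusive_victim_intact"] = _read(victim) == "ORIGINAL"

        # 3. mkstemp picks a fresh name, so the planted link is never touched.
        private = write_private(LIQ_TEXT, directory=shared)
        st = os.lstat(private)
        results["private_is_regular"] = stat.S_ISREG(st.st_mode)
        results["private_mode"] = stat.S_IMODE(st.st_mode)
        results["private_victim_intact"] = _read(victim) == "ORIGINAL"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On current Linux kernels the fs.protected_symlinks sysctl refuses to follow another user's symlink in a sticky world-writable directory such as /tmp, which is why the demo uses its own directory rather than /tmp itself.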

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>:
Bug#496360; Package liguidsoap. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>. Full text and rfc822 format available.

Message #31 received at 496360@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: "Dmitry E. Oboukhov" <dimka@avanto.org>
Cc: 496360@bugs.debian.org
Subject: Re: Bug#496360: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 01:10:55 -0700
severity 496360 grave
thanks

On Mon, Aug 25, 2008 at 11:36:37AM +0400, Dmitry E. Oboukhov wrote:
> tags 496360 -moreinfo
> tags 496360 -unreproducible
> thanks

> SL> Your bug report contains *no* information about the liquidsoap package.
> SL> Where is the vulnerability?
> By following the link in the bug report you can find the full report:
>     http://uvw.ru/report.lenny.txt

Oh; there's the problem, I can't read my font and the package name is
liguidsoap - not liquidsoap.

Resetting severity back to 'grave', pending further analysis.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org




Severity set to `grave' from `normal' Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Mon, 25 Aug 2008 08:15:17 GMT) Full text and rfc822 format available.

Reply sent to Romain Beauxis <toots@rastageeks.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #38 received at 496360-done@bugs.debian.org (full text, mbox):

From: Romain Beauxis <toots@rastageeks.org>
To: 496360-done@bugs.debian.org
Cc: "Dmitry E. Oboukhov" <dimka@uvw.ru>
Subject: Not a bug for us
Date: Mon, 25 Aug 2008 11:21:24 +0200
	Hi !

Indeed, liguidsoap uses files under /tmp to write logs and dump audio data 
during the live show.

We don't consider this as a bug, but as a feature (tm). Furthermore, this is 
known to the user, the name is predictable -- "/tmp/liguidsoap.log" -- and 
run manually by the user, with no root rights.

It would be nice if your system could report scripts that are meant to be run 
as root, at least starting with maintainers scripts only...


Romain




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>:
Bug#496360; Package liguidsoap. Full text and rfc822 format available.

Acknowledgement sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Extra info received and forwarded to list. Copy sent to Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>. Full text and rfc822 format available.

Message #43 received at 496360@bugs.debian.org (full text, mbox):

From: "Dmitry E. Oboukhov" <dimka@uvw.ru>
To: 496360@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#496360 closed by Romain Beauxis <toots@rastageeks.org> (Not a bug for us)
Date: Mon, 25 Aug 2008 14:08:12 +0400
[Message part 1 (text/plain, inline)]
reopen 496360
thanks


Please do not close; if you want, change the severity :)

User's files can be very important,
for example ~/.gnupg/*

If an attacker creates a symlink to it then your gpg private key may be
corrupted.


On 09:24 Mon 25 Aug     , Debian Bug Tracking System wrote:

DBTS> This is an automatic notification regarding your Bug report
DBTS> which was filed against the liguidsoap package:

DBTS> #496360: The possibility of attack with the help of symlinks in some Debian packages

DBTS> It has been closed by Romain Beauxis <toots@rastageeks.org>.

DBTS> Their explanation is attached below along with your original report.
DBTS> If this explanation is unsatisfactory and you have not received a
DBTS> better one in a separate message then please contact Romain Beauxis <toots@rastageeks.org> by
DBTS> replying to this email.

DBTS> --
DBTS> 496360: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496360
DBTS> Debian Bug Tracking System
DBTS> Contact owner@bugs.debian.org with problems

DBTS> Date: Mon, 25 Aug 2008 11:21:24 +0200
DBTS> From: Romain Beauxis <toots@rastageeks.org>
DBTS> To: 496360-done@bugs.debian.org
DBTS> Subject: Not a bug for us
DBTS> User-Agent: KMail/1.9.9
DBTS> Cc: "Dmitry E. Oboukhov" <dimka@uvw.ru>

DBTS> Hi !

DBTS> Indeed, liguidsoap uses files under /tmp to write logs and dump audio data
DBTS> during the live show.

DBTS> We don't consider this as a bug, but as a feature (tm). Furthermore, this is
DBTS> known to the user, the name is predictable -- "/tmp/liguidsoap.log" -- and
DBTS> run manually by the user, with no root rights.

DBTS> It would be nice if your system could report scripts that are meant to be run
DBTS> as root, at least starting with maintainers scripts only...

DBTS> Romain

--

. ''`. Dmitry E. Oboukhov
: :’  : unera@debian.org
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537
[signature.asc (application/pgp-signature, inline)]

Bug reopened, originator not changed. Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Mon, 25 Aug 2008 10:12:09 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>:
Bug#496360; Package liguidsoap. Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>. Full text and rfc822 format available.

Message #50 received at 496360@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Romain Beauxis <toots@rastageeks.org>
Cc: 496360@bugs.debian.org, "Dmitry E. Oboukhov" <dimka@uvw.ru>
Subject: Re: Not a bug for us
Date: Mon, 25 Aug 2008 12:23:58 +0200
reopen 496360
severity 496360 important
kthxbye

On Mon, Aug 25, 2008 at 11:21:24 +0200, Romain Beauxis wrote:

> 	Hi !
> 
> Indeed, liguidsoap uses files under /tmp to write logs and dump audio data 
> during the live show.
> 
> We don't consider this as a bug, but as feature (tm).

This is broken.

> Furthermore, this is known to the user, the name is predictable --
> "/tmp/liguidsoap.log" -- and run manually by the user, with no root
> rights.
> 
That makes symlink attacks against root impossible, but it still allows
an attacker to overwrite any file owned by the user running liguidsoap.
Please move the files out of /tmp.

Cheers,
Julien




Severity set to `important' from `grave' Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Mon, 25 Aug 2008 10:24:09 GMT) Full text and rfc822 format available.

Tags added: confirmed Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Mon, 25 Aug 2008 12:12:23 GMT) Full text and rfc822 format available.

Tags added: Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:45:05 GMT) Full text and rfc822 format available.

Tags added: security Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:57:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>:
Bug#496360; Package liguidsoap. (Fri, 10 Oct 2008 15:42:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Tobias Klauser <tklauser@distanz.ch>:
Extra info received and forwarded to list. Copy sent to Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>. (Fri, 10 Oct 2008 15:42:02 GMT) Full text and rfc822 format available.

Message #63 received at 496360@bugs.debian.org (full text, mbox):

From: Tobias Klauser <tklauser@distanz.ch>
To: 496360@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#496360: The possibility of attack with the help of symlinks in some Debian packages
Date: Fri, 10 Oct 2008 17:39:09 +0200
[Message part 1 (text/plain, inline)]
tags 496360 +patch
kthxbye

Hi,

Attached is a patch which fixes the issue in liguidsoap.py.  It makes
use of tempfile.mkstemp to create the temporary file and deletes it on
exit of liguidsoap (which wasn't the case up to now).

I still see a problem with the liquidsoap logfile being written to /tmp
[1].  The filename there depends only on the PID of the liquidsoap
process.  Unfortunately I lack OCaml hacking skills so I didn't patch
this one.

[1] set("log.file.path","/tmp/lig.<pid>.log")

Cheers, Tobias
[liguidsoap.patch (text/x-diff, attachment)]
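
The fixed name under /tmp that Julien Cristau objects to earlier in the thread, next to the `tempfile.mkstemp` approach this message describes, as an added example that is not part of the thread or of the liquidsoap source. It is written for Python 3, uses a private sandbox directory in place of /tmp, and the function names and sample script body are made up for illustration.

```python
# Added illustration: function names and sample content are constructed,
# not taken from liquidsoap.
import os
import shutil
import stat
import tempfile

SCRIPT_BODY = 'set("log.stdout",true)\n'  # constructed sample content


def write_predictable(path, data):
    """Pre-patch behaviour: open a fixed, guessable name.
    open() follows a symlink that already sits at that name."""
    with open(path, "w") as fh:
        fh.write(data)
    return path


def write_private(data, directory):
    """Patched behaviour: mkstemp picks an unguessable name and creates it
    with O_CREAT|O_EXCL and mode 0600. Writing through the returned
    descriptor means the path is never re-opened by name."""
    fd, path = tempfile.mkstemp(suffix=".liq", prefix="liquidsoap", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def open_fixed_name_safely(path):
    """If a fixed name cannot be avoided: O_CREAT|O_EXCL fails with EEXIST
    when the name already exists, including when it is a symlink."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)


def cleanup(path):
    """Remove the script on exit; tolerate 'never created' and 'already gone'."""
    if path is None:
        return False
    try:
        os.remove(path)
        return True
    except FileNotFoundError:
        return False


def demo():
    sandbox = tempfile.mkdtemp(prefix="symlink-demo-")  # stands in for /tmp
    results = {}
    try:
        victim = os.path.join(sandbox, "important.txt")
        fixed = os.path.join(sandbox, "liguidsoap.liq")
        with open(victim, "w") as fh:
            fh.write("ORIGINAL")
        os.symlink(victim, fixed)  # link already in place before the program runs

        # Fixed name: the write lands in the link target.
        write_predictable(fixed, SCRIPT_BODY)
        with open(victim) as fh:
            results["victim_after_predictable"] = fh.read()

        # mkstemp: the link is irrelevant, the target stays intact.
        with open(victim, "w") as fh:
            fh.write("ORIGINAL")
        private = write_private(SCRIPT_BODY, sandbox)
        with open(victim) as fh:
            results["victim_after_mkstemp"] = fh.read()
        st = os.lstat(private)
        results["private_is_regular"] = stat.S_ISREG(st.st_mode)
        results["private_mode"] = stat.S_IMODE(st.st_mode)

        # Exclusive create on the fixed name refuses the existing link.
        try:
            os.close(open_fixed_name_safely(fixed))
            results["excl_refused_symlink"] = False
        except FileExistsError:
            results["excl_refused_symlink"] = True

        results["cleanup_created"] = cleanup(private)
        results["cleanup_again"] = cleanup(private)
        results["cleanup_none"] = cleanup(None)
    finally:
        shutil.rmtree(sandbox, ignore_errors=True)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

On current Linux kernels the `fs.protected_symlinks` sysctl blocks the first case in sticky world-writable directories such as /tmp when the link belongs to another user, which is why the demo uses a private sandbox; the code fix is still needed on systems without that setting.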

Tags added: patch Request was from Tobias Klauser <tklauser@distanz.ch> to control@bugs.debian.org. (Fri, 10 Oct 2008 15:42:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>:
Bug#496360; Package liguidsoap. (Fri, 10 Oct 2008 20:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>. (Fri, 10 Oct 2008 20:15:03 GMT) Full text and rfc822 format available.

Message #70 received at 496360@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Tobias Klauser <tklauser@distanz.ch>, 496360@bugs.debian.org
Subject: Re: Bug#496360: The possibility of attack with the help of symlinks in some Debian packages
Date: Fri, 10 Oct 2008 22:11:34 +0200
On Fri, Oct 10, 2008 at 17:39:09 +0200, Tobias Klauser wrote:

> I still see a problem with the liquidsoap logfile being written to /tmp
> [1].  The filename there depends only on the PID of the liquidsoap
> process.  Unfortunately I lack OCaml hacking skills so I didn't patch
> this one.
> 
> [1] set("log.file.path","/tmp/lig.<pid>.log")
> 
set("log.file.path", Filename.temp_file "liguidsoap" ".log")

would probably work (untested, though).

Cheers,
Julien




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>:
Bug#496360; Package liguidsoap. (Fri, 10 Oct 2008 20:48:15 GMT) Full text and rfc822 format available.

Acknowledgement sent to Tobias Klauser <tklauser@distanz.ch>:
Extra info received and forwarded to list. Copy sent to Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>. (Fri, 10 Oct 2008 20:48:15 GMT) Full text and rfc822 format available.

Message #75 received at 496360@bugs.debian.org (full text, mbox):

From: Tobias Klauser <tklauser@distanz.ch>
To: 496360@bugs.debian.org
Subject: Updated patch
Date: Fri, 10 Oct 2008 22:45:33 +0200
[Message part 1 (text/plain, inline)]
The previous patch contains a small flaw when trying to delete the file
on exit even if it does not exist.

An updated patch is attached.

Cheers, Tobias
[liguidsoap.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>:
Bug#496360; Package liguidsoap. (Thu, 06 Nov 2008 22:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>. (Thu, 06 Nov 2008 22:06:03 GMT) Full text and rfc822 format available.

Message #80 received at 496360@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Tobias Klauser <tklauser@distanz.ch>
Cc: 496360@bugs.debian.org
Subject: Re: Updated patch
Date: Thu, 6 Nov 2008 23:03:30 +0100
On Fri, Oct 10, 2008 at 10:45:33PM +0200, Tobias Klauser wrote:
> The previous patch contains a small flaw when trying to delete the file
> on exit even if it does not exist.
> 
> An updated patch is attached.

Ocaml maintainers, what's the status for Lenny?

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>:
Bug#496360; Package liguidsoap. (Fri, 07 Nov 2008 09:48:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stefano Zacchiroli <zack@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>. (Fri, 07 Nov 2008 09:48:04 GMT) Full text and rfc822 format available.

Message #85 received at 496360@bugs.debian.org (full text, mbox):

From: Stefano Zacchiroli <zack@debian.org>
To: Romain Beauxis <toots@rastageeks.org>
Cc: Tobias Klauser <tklauser@distanz.ch>, Moritz Muehlenhoff <jmm@inutil.org>, 496360@bugs.debian.org
Subject: Re: Bug#496360: Updated patch
Date: Fri, 7 Nov 2008 10:28:42 +0100
[Message part 1 (text/plain, inline)]
On Thu, Nov 06, 2008 at 11:03:30PM +0100, Moritz Muehlenhoff wrote:
> On Fri, Oct 10, 2008 at 10:45:33PM +0200, Tobias Klauser wrote:
> > The previous patch contains a small flaw when trying to delete the file
> > on exit even if it does not exist.
> > 
> > An updated patch is attached.
> 
> Ocaml maintainers, what's the status for Lenny?

Romain,
as the main liguidsoap maintainer, this question is for you.

More generally, with my OCaml maintainer cap on, I thus far neglected
this bug for Lenny because it was downgraded to non-RC. If you
(security team) consider this class of bugs a needed fix for Lenny, I can
prepare an upload and do that this week-end (unless Romain reacts
first of course, in that case it's his call).

Cheers.

-- 
Stefano Zacchiroli -*- PhD in Computer Science \ PostDoc @ Univ. Paris 7
zack@{upsilon.cc,pps.jussieu.fr,debian.org} -<>- http://upsilon.cc/zack/
Behind a great man there's always /oo\ All one has to do is hit the right
a backpack        -- A.Bergonzoni \__/ keys at the right time -- J.S.Bach
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>:
Bug#496360; Package liguidsoap. (Fri, 07 Nov 2008 10:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Romain Beauxis <toots@rastageeks.org>:
Extra info received and forwarded to list. Copy sent to Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>. (Fri, 07 Nov 2008 10:06:03 GMT) Full text and rfc822 format available.

Message #90 received at 496360@bugs.debian.org (full text, mbox):

From: Romain Beauxis <toots@rastageeks.org>
To: Stefano Zacchiroli <zack@debian.org>
Cc: Tobias Klauser <tklauser@distanz.ch>, Moritz Muehlenhoff <jmm@inutil.org>, 496360@bugs.debian.org
Subject: Re: Bug#496360: Updated patch
Date: Fri, 7 Nov 2008 11:01:14 +0100
	Hi all !

On Friday 07 November 2008 10:28:42 Stefano Zacchiroli, you wrote:
> Romain,
> as the main liguidsoap maintainer, this question is for you.
>
> More generally, with my OCaml maintainer cap on, I thus far neglected
> this bug for Lenny because it was downgraded to non-RC. If you
> (security team) consider this class of bugs a needed fix for Lenny, I can
> prepare an upload and do that this week-end (unless Romain reacts
> first of course, in that case it's his call).

I too have so far neglected this issue, mostly because the importance of the issue 
seemed not clear to me.

However, the patch looks fine to me, and it should be very easy to check that 
it doesn't break anything. I will try to test it this week end and propose an 
update (and commit upstream of course).

Romain




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>:
Bug#496360; Package liguidsoap. (Mon, 10 Nov 2008 13:36:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stefano Zacchiroli <zack@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>. (Mon, 10 Nov 2008 13:36:02 GMT) Full text and rfc822 format available.

Message #95 received at 496360@bugs.debian.org (full text, mbox):

From: Stefano Zacchiroli <zack@debian.org>
To: Romain Beauxis <toots@rastageeks.org>
Cc: Tobias Klauser <tklauser@distanz.ch>, Moritz Muehlenhoff <jmm@inutil.org>, 496360@bugs.debian.org
Subject: Re: Bug#496360: Updated patch
Date: Mon, 10 Nov 2008 14:33:06 +0100
[Message part 1 (text/plain, inline)]
On Fri, Nov 07, 2008 at 11:01:14AM +0100, Romain Beauxis wrote:
> However, the patch looks fine to me, and it should be very easy to
> check that it doesn't break anything. I will try to test it this
> week end and propose an update (and commit upstream of course).

Ping. Any news?

-- 
Stefano Zacchiroli -*- PhD in Computer Science \ PostDoc @ Univ. Paris 7
zack@{upsilon.cc,pps.jussieu.fr,debian.org} -<>- http://upsilon.cc/zack/
Behind a great man there's always /oo\ All one has to do is hit the right
a backpack        -- A.Bergonzoni \__/ keys at the right time -- J.S.Bach
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>:
Bug#496360; Package liguidsoap. (Mon, 10 Nov 2008 23:33:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Romain Beauxis <toots@rastageeks.org>:
Extra info received and forwarded to list. Copy sent to Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>. (Mon, 10 Nov 2008 23:33:09 GMT) Full text and rfc822 format available.

Message #100 received at 496360@bugs.debian.org (full text, mbox):

From: Romain Beauxis <toots@rastageeks.org>
To: team@security.debian.org
Cc: 496360@bugs.debian.org
Subject: Update for liquidsoap
Date: Mon, 10 Nov 2008 18:25:08 +0100
[Message part 1 (text/plain, inline)]
	Hi Team !

I have prepared an update for liquidsoap that I'd like to push for lenny.

The initial fix was against bug #496360, whose severity used to be RC. But 
along the path of testing the patch, I also encountered an issue with the 
portaudio support in liquidsoap that was also reported in our trac.

Hence, I would like to propose the following patch, which fixes bug #496360 as 
well as deactivates portaudio support (drops build-dep).

Changes are minimal, so I think it should be fine. 


Romain
[liquidsoap_lenny_proposed_update.patch (text/x-diff, inline)]
Index: debian/control
===================================================================
--- debian/control	(.../tags/packages/liquidsoap/0.3.6-4)	(r��vision 6029)
+++ debian/control	(.../trunk/packages/liquidsoap/lenny)	(r��vision 6030)
@@ -3,7 +3,7 @@
 Priority: optional
 Maintainer: Liquidsoap Debian Packaging <savonet-debian@lists.sourceforge.net>
 Uploaders: Romain Beauxis <toots@rastageeks.org>, Samuel Mimram <smimram@debian.org>
-Build-Depends: debhelper (>= 4.2.0), quilt, patchutils (>= 0.2.25), cdbs (>= 0.4.27), ocaml-nox, ocaml-findlib, libshout-ocaml-dev, libogg-ocaml-dev (>= 0.1.1), libvorbis-ocaml-dev (>= 0.4.0), libmad-ocaml-dev (>= 0.3.2), libid3tag0-dev, libdtools-ocaml-dev (>= 0.1.4), libcamomile-ocaml-dev, festival, wget, libxml-dom-perl, texlive, python-gtk2-dev, python, python-support (>= 0.3), libao-ocaml-dev, libalsa-ocaml-dev (>= 0.1.2), libpcre-ocaml-dev, libxml-light-ocaml-dev, libextlib-ocaml-dev, libladspa-ocaml-dev, libportaudio-ocaml-dev, libsoundtouch-ocaml-dev
+Build-Depends: debhelper (>= 4.2.0), quilt, patchutils (>= 0.2.25), cdbs (>= 0.4.27), ocaml-nox, ocaml-findlib, libshout-ocaml-dev, libogg-ocaml-dev (>= 0.1.1), libvorbis-ocaml-dev (>= 0.4.0), libmad-ocaml-dev (>= 0.3.2), libid3tag0-dev, libdtools-ocaml-dev (>= 0.1.4), libcamomile-ocaml-dev, festival, wget, libxml-dom-perl, texlive, python-gtk2-dev, python, python-support (>= 0.3), libao-ocaml-dev, libalsa-ocaml-dev (>= 0.1.2), libpcre-ocaml-dev, libxml-light-ocaml-dev, libextlib-ocaml-dev, libladspa-ocaml-dev, libsoundtouch-ocaml-dev
 Standards-Version: 3.7.3
 Vcs-Svn: svn://svn.debian.org/svn/pkg-ocaml-maint/trunk/packages/liquidsoap/trunk
 Vcs-Browser: http://svn.debian.org/wsvn/pkg-ocaml-maint/trunk/packages/liquidsoap/trunk/
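Review bot: Dropping `libportaudio-ocaml-dev` from `Build-Depends` is unrelated to the temporary-file fix for #496360, yet it rides along in an upload targeted at testing-security. Splitting it into its own upload, or pointing the changelog entry at the reported portaudio problem that motivates it, would keep the security diff limited to the fix and make it easier to audit.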
Index: debian/control.in
===================================================================
--- debian/control.in	(.../tags/packages/liquidsoap/0.3.6-4)	(r��vision 6029)
+++ debian/control.in	(.../trunk/packages/liquidsoap/lenny)	(r��vision 6030)
@@ -3,7 +3,7 @@
 Priority: optional
 Maintainer: Liquidsoap Debian Packaging <savonet-debian@lists.sourceforge.net>
 Uploaders: Romain Beauxis <toots@rastageeks.org>, Samuel Mimram <smimram@debian.org>
-Build-Depends: @cdbs@, ocaml-nox, ocaml-findlib, libshout-ocaml-dev, libogg-ocaml-dev (>= 0.1.1), libvorbis-ocaml-dev (>= 0.4.0), libmad-ocaml-dev (>= 0.3.2), libid3tag0-dev, libdtools-ocaml-dev (>= 0.1.4), libcamomile-ocaml-dev, festival, wget, libxml-dom-perl, texlive, python-gtk2-dev, python, python-support (>= 0.3), libao-ocaml-dev, libalsa-ocaml-dev (>= 0.1.2), libpcre-ocaml-dev, libxml-light-ocaml-dev, libextlib-ocaml-dev, libladspa-ocaml-dev, libportaudio-ocaml-dev, libsoundtouch-ocaml-dev
+Build-Depends: @cdbs@, ocaml-nox, ocaml-findlib, libshout-ocaml-dev, libogg-ocaml-dev (>= 0.1.1), libvorbis-ocaml-dev (>= 0.4.0), libmad-ocaml-dev (>= 0.3.2), libid3tag0-dev, libdtools-ocaml-dev (>= 0.1.4), libcamomile-ocaml-dev, festival, wget, libxml-dom-perl, texlive, python-gtk2-dev, python, python-support (>= 0.3), libao-ocaml-dev, libalsa-ocaml-dev (>= 0.1.2), libpcre-ocaml-dev, libxml-light-ocaml-dev, libextlib-ocaml-dev, libladspa-ocaml-dev, libsoundtouch-ocaml-dev
 Standards-Version: 3.7.3
 Vcs-Svn: svn://svn.debian.org/svn/pkg-ocaml-maint/trunk/packages/liquidsoap/trunk
 Vcs-Browser: http://svn.debian.org/wsvn/pkg-ocaml-maint/trunk/packages/liquidsoap/trunk/
Index: debian/changelog
===================================================================
--- debian/changelog	(.../tags/packages/liquidsoap/0.3.6-4)	(r��vision 6029)
+++ debian/changelog	(.../trunk/packages/liquidsoap/lenny)	(r��vision 6030)
@@ -1,3 +1,13 @@
+liquidsoap (0.3.6-4lenny1) testing-security; urgency=high
+
+  * Added patch to fix liquigsoap's temporary file creation.
+    Thanks to Tobias Klauser for providing a patch.
+  Closes: #496360
+  * Desactivated portaudio option, since it is buggy and should
+    be tested more. 
+
+ -- Romain Beauxis <toots@rastageeks.org>  Mon, 10 Nov 2008 17:32:30 +0100
+
 liquidsoap (0.3.6-4) unstable; urgency=high
 
   * Updated fix for smartcross
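Review bot: The first bullet misspells the package as `liquigsoap`; the patched file is `gui/liguidsoap.py`, so this should read `liguidsoap`. `Closes: #496360` also sits on its own line at bullet indentation instead of inside the temp-file bullet, so it reads as applying to the whole entry, portaudio change included; fold it into the first bullet.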
Index: debian/patches/fix_tmp_file.patch
===================================================================
--- debian/patches/fix_tmp_file.patch	(.../tags/packages/liquidsoap/0.3.6-4)	(r��vision 0)
+++ debian/patches/fix_tmp_file.patch	(.../trunk/packages/liquidsoap/lenny)	(r��vision 6030)
@@ -0,0 +1,81 @@
+Index: liquidsoap-0.3.6/gui/liguidsoap.py
+===================================================================
+--- liquidsoap-0.3.6.orig/gui/liguidsoap.py	2007-12-17 16:47:32.000000000 +0100
++++ liquidsoap-0.3.6/gui/liguidsoap.py	2008-11-10 17:30:56.000000000 +0100
+@@ -8,6 +8,8 @@
+ import threading, socket, sys, os, time, re
+ import getopt
+ 
++import tempfile
++
+ from client import LiqClient
+ from widgets import View
+ 
+@@ -104,6 +106,7 @@
+ # liquidsoap runs liquidsoap with a fixed script
+ # a few parameteres are available
+ def liquidsoap(
++    scriptfile,
+     host='localhost',port=1234,mount='emission.ogg',
+     backup=''):
+   if backup=='':
+@@ -111,7 +114,7 @@
+   else:
+     addbackup=';"backup"'
+ 
+-  os.system("""cat > /tmp/liguidsoap.liq <<__EOL__
++  os.system("""cat > %s <<__EOL__
+ set("log.file.path","/tmp/lig.<pid>.log")
+ set("log.stdout",true)
+ set("server.telnet",true)
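Review bot: The unchanged context line `set("log.file.path","/tmp/lig.<pid>.log")` still places the liquidsoap log in /tmp under a name that depends only on the PID, so the generated script keeps the same predictable-name problem that this hunk removes for the script file itself. The log path should move out of /tmp or be produced by a safe temporary-file call as well, otherwise the bug is only partly addressed.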
+@@ -132,10 +135,10 @@
+   id="broadcast",
+   host="%s",port=%d,mount="%s",start=false,mixer)
+ output.file.vorbis(id="backup",start=false,"%s",mixer)
+-""" % (host, port, mount, backup))
++""" % (scriptfile, host, port, mount, backup))
+   pid = os.fork()
+   if pid==0:
+-    os.execlp("liquidsoap","liquidsoap","/tmp/liguidsoap.liq")
++    os.execlp("liquidsoap","liquidsoap",scriptfile)
+   else:
+     print "Running liquidsoap..."
+     return pid
+@@ -162,10 +165,11 @@
+   ehost=eport=erun=dialog=None
+   icehost=iceport=icemount=backup=None
+ 
+-  def exit(pid):
++  def exit(pid, scriptfile):
+     if pid!=None:
+       os.kill(pid,15)
+       os.waitpid(pid,0)
++    os.remove(scriptfile)
+     gtk.main_quit()
+ 
+   # This startup function can be used to start the GUI directly
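Review bot: `os.remove(scriptfile)` in `exit()` runs unconditionally, but `scriptfile` stays `None` whenever `start()` does not launch liquidsoap itself, since it is only assigned inside `if erun.get_active():`. In that case `os.remove(None)` raises and `gtk.main_quit()` is never reached, so closing the window no longer ends the main loop. Guard the call, for example `if scriptfile is not None and os.path.exists(scriptfile): os.remove(scriptfile)`.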
+@@ -173,12 +177,15 @@
+   def start(response=None):
+     # Dialog stuff
+     liquid_pid=None
++    scriptfile=None
+     if response!=None:
+       if response!=gtk.RESPONSE_ACCEPT:
+         sys.exit()
+       if erun.get_active():
+         host,port = 'localhost',1234
++        __unused, scriptfile = tempfile.mkstemp('.liq', 'liquidsoap')
+         liquid_pid=liquidsoap(
++            scriptfile,
+             host=icehost.get_text(),
+             port=iceport.get_value(),
+             mount=icemount.get_text(),
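Review bot: In `__unused, scriptfile = tempfile.mkstemp('.liq', 'liquidsoap')` the descriptor returned by `mkstemp` is discarded without being closed, so it stays open for the life of the GUI and is carried across the `os.fork()` and `os.execlp()` in `liquidsoap()`. Either `os.close()` it right away or, better, wrap it with `os.fdopen(fd, 'w')` and write the script through it instead of `cat > %s` via `os.system`, which re-opens the file by name through a shell.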
+@@ -195,7 +202,7 @@
+     win = gtk.Window()
+     win.set_border_width(10)
+     win.connect("delete_event", lambda w,e: False)
+-    win.connect("destroy", lambda osb: exit(liquid_pid))
++    win.connect("destroy", lambda osb: exit(liquid_pid,scriptfile))
+     win.set_title('Liquidsoap on '+host+':'+str(port))
+     win.resize(700,300)
+     try:
Index: debian/patches/series
===================================================================
--- debian/patches/series	(.../tags/packages/liquidsoap/0.3.6-4)	(r��vision 6029)
+++ debian/patches/series	(.../trunk/packages/liquidsoap/lenny)	(r��vision 6030)
@@ -1,2 +1,3 @@
 ladspa_backport.patch
 fix_smart_crossfade.patch
+fix_tmp_file.patch

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>:
Bug#496360; Package liguidsoap. (Mon, 10 Nov 2008 23:33:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>. (Mon, 10 Nov 2008 23:33:10 GMT) Full text and rfc822 format available.

Message #105 received at 496360@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Romain Beauxis <toots@rastageeks.org>
Cc: team@security.debian.org, 496360@bugs.debian.org
Subject: Re: Update for liquidsoap
Date: Mon, 10 Nov 2008 21:06:08 +0100
[Message part 1 (text/plain, inline)]
Hi,
* Romain Beauxis <toots@rastageeks.org> [2008-11-10 19:17]:
> I have prepared an update for liquidsoap that I'd like to push for lenny.
> 
> The initial fix was against bug #496360, whose severity used to be RC. But 
> along the path of testing the patch, I also encountered an issue with the 
> portaudio support in liquidsoap that was also reported in our trac.
> 
> Hence, I would like to propose the following patch, which fixes bug #496360 as 
> well as deactivates portaudio support (drops build-dep).
> 
> Changes are minimal, so I think it should be fine. 

Looks good to me, please go ahead and upload this.
http://testing-security.debian.net/uploading.html

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Romain Beauxis <toots@rastageeks.org>:
You have taken responsibility. (Tue, 11 Nov 2008 01:03:19 GMT) Full text and rfc822 format available.

Notification sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer. (Tue, 11 Nov 2008 01:03:20 GMT) Full text and rfc822 format available.

Message #110 received at 496360-close@bugs.debian.org (full text, mbox):

From: Romain Beauxis <toots@rastageeks.org>
To: 496360-close@bugs.debian.org
Subject: Bug#496360: fixed in liquidsoap 0.3.8.1+2-2
Date: Mon, 10 Nov 2008 17:32:03 +0000
Source: liquidsoap
Source-Version: 0.3.8.1+2-2

We believe that the bug you reported is fixed in the latest version of
liquidsoap, which is due to be installed in the Debian FTP archive:

liguidsoap_0.3.8.1+2-2_all.deb
  to pool/main/l/liquidsoap/liguidsoap_0.3.8.1+2-2_all.deb
liquidsoap_0.3.8.1+2-2.diff.gz
  to pool/main/l/liquidsoap/liquidsoap_0.3.8.1+2-2.diff.gz
liquidsoap_0.3.8.1+2-2.dsc
  to pool/main/l/liquidsoap/liquidsoap_0.3.8.1+2-2.dsc
liquidsoap_0.3.8.1+2-2_amd64.deb
  to pool/main/l/liquidsoap/liquidsoap_0.3.8.1+2-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 496360@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Romain Beauxis <toots@rastageeks.org> (supplier of updated liquidsoap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Mon, 11 Aug 2008 14:36:31 +0200
Source: liquidsoap
Binary: liquidsoap liguidsoap
Architecture: source all amd64
Version: 0.3.8.1+2-2
Distribution: unstable
Urgency: high
Maintainer: Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>
Changed-By: Romain Beauxis <toots@rastageeks.org>
Description: 
 liguidsoap - control GUI for liquidsoap
 liquidsoap - audio streaming language
Closes: 496360
Changes: 
 liquidsoap (0.3.8.1+2-2) unstable; urgency=high
 .
   * Fix liguidsoap temporary file name.
     Thanks to Tobias Klauser for providing a patch.
   Closes: #496360
   * Desactivated portaudio option since it is buggy
     and should be more tested.





Reply sent to Romain Beauxis <toots@rastageeks.org>:
You have taken responsibility. (Sun, 16 Nov 2008 17:03:11 GMT) Full text and rfc822 format available.

Notification sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer. (Sun, 16 Nov 2008 17:03:11 GMT) Full text and rfc822 format available.

Message #115 received at 496360-close@bugs.debian.org (full text, mbox):

From: Romain Beauxis <toots@rastageeks.org>
To: 496360-close@bugs.debian.org
Subject: Bug#496360: fixed in liquidsoap 0.3.6-4lenny1
Date: Sun, 16 Nov 2008 16:33:28 +0000
Source: liquidsoap
Source-Version: 0.3.6-4lenny1

We believe that the bug you reported is fixed in the latest version of
liquidsoap, which is due to be installed in the Debian FTP archive:

liguidsoap_0.3.6-4lenny1_all.deb
  to pool/main/l/liquidsoap/liguidsoap_0.3.6-4lenny1_all.deb
liquidsoap_0.3.6-4lenny1.diff.gz
  to pool/main/l/liquidsoap/liquidsoap_0.3.6-4lenny1.diff.gz
liquidsoap_0.3.6-4lenny1.dsc
  to pool/main/l/liquidsoap/liquidsoap_0.3.6-4lenny1.dsc
liquidsoap_0.3.6-4lenny1_amd64.deb
  to pool/main/l/liquidsoap/liquidsoap_0.3.6-4lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 496360@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Romain Beauxis <toots@rastageeks.org> (supplier of updated liquidsoap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Mon, 10 Nov 2008 17:32:30 +0100
Source: liquidsoap
Binary: liquidsoap liguidsoap
Architecture: source all amd64
Version: 0.3.6-4lenny1
Distribution: testing-security
Urgency: high
Maintainer: Liquidsoap Debian Packaging <savonet-debian@lists.sourceforge.net>
Changed-By: Romain Beauxis <toots@rastageeks.org>
Description: 
 liguidsoap - control GUI for liquidsoap
 liquidsoap - audio streaming language
Closes: 496360
Changes: 
 liquidsoap (0.3.6-4lenny1) testing-security; urgency=high
 .
   * Added patch to fix liguidsoap's temporary file creation.
     Thanks to Tobias Klauser for providing a patch.
   Closes: #496360
   * Desactivated portaudio option, since it is buggy and should
     be tested more.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 15 Dec 2008 07:29:53 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 13:37:20 2014; Machine Name: buxtehude.debian.org
