Debian Bug report logs - #496366
The possibility of attack with the help of symlinks in some Debian packages


Package: mafft; Maintainer for mafft is Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>; Source for mafft is src:mafft.

Reported by: "Dmitry E. Oboukhov" <dimka@uvw.ru>

Date: Sun, 24 Aug 2008 18:09:16 UTC

Severity: grave

Tags: confirmed, patch, security

Fixed in version mafft/6.240-2

Done: Charles Plessy <plessy@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian-Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>:
Bug#496366; Package mafft. Full text and rfc822 format available.

Acknowledgement sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
New Bug report received and forwarded. Copy sent to Debian-Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Dmitry E. Oboukhov" <dimka@uvw.ru>
To: submit@bugs.debian.org
Cc: dimka@uvw.ru
Subject: The possibility of attack with the help of symlinks in some Debian packages
Date: Sun, 24 Aug 2008 22:05:28 +0400
Package: mafft
Severity: grave

Hi, maintainer!

This message about the error concerns a few packages at once. I've
tested all the packages (for Lenny) on my Debian mirror. All scripts
of packages (marked as executable) were tested.

In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or users' files.

For example, if a script uses in its work a temp file which is created
in the /tmp directory, then every user can create a symlink with the
same name in this directory in order to destroy or rewrite some system
or user file. A symlink attack may also lead not only to data
destruction but to denial of service as well.

Even if you create files or directories with the help of the function
'RANDOM' or pid(), then your system is not protected. An attacker can
create many symlinks in order to destroy your data or create a 'denial
of service' for your package scripts.

Even if you make rm(dir) for files/directories, then your system is
not protected. An attacker can permanently create symlinks.

This list is created with the help of a script. This list is sorted by
hand. However, in some cases a mistake is possible.

Please be understanding of possible mistakes. :)

I set Severity to grave for this bug. The table of discovered
problems is below.

Discussion of this bug you can see in debian-devel@:
    http://lists.debian.org/debian-devel/2008/08/msg00271.html

Binary-package: r-base-core-ra (1.1.1-1)
    file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
    file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
    file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
    file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
    file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
    file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
    file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
    file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
    file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
    file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
    file: /usr/share/dtc/admin/accesslog.php
    file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
    file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
    file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
    file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
    file: /usr/share/linuxtrade/bin/linuxtrade.wn
    file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
    file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
    file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
    file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
    file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
    file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
    file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
    file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
    file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
    file: /usr/bin/impose
Binary-package: mgt (2.31-5)
    file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
    file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
    file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
    file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
    file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
    file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
    file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
    file: /usr/lib/lmbench/scripts/rccs
    file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
    file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
    file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
    file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
    file: /usr/bin/optics2rad
    file: /usr/bin/pdelta
    file: /usr/bin/dayfact
    file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
    file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
    file: /usr/share/convirt/image_store/_template_/provision.sh
    file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
    file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/common/provision.sh
    file: /usr/share/convirt/image_store/example/provision.sh
    file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
    file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
    file: /usr/lib/R/bin/javareconf
    file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
    file: /usr/share/xmcd/scripts/ncsarmt
    file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
    file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
    file: /usr/lib/scilab-4.1.2/bin/scilink
    file: /usr/lib/scilab-4.1.2/util/scidoc
    file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
    file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
    file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
    file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
    file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
    file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
    file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
    file: /usr/sbin/checksendmail
    file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
    file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
    file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
    file: /usr/bin/patcil
    file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
    file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
    file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
    file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
    file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
    file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
    file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
    file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
    file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
    file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
    file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
    file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
    file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
    file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
    file: /usr/lib/arb/SH/arb_fastdnaml
    file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
    file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
    file: /usr/bin/apertium-gen-deformat
    file: /usr/bin/apertium-gen-reformat
    file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
    file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
    file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
    file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
    file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
    file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
    file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
    file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
    file: /var/lib/wims/public_html/bin/coqweb
    file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
    file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
    file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
    file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
    file: /usr/share/bulmages/examples/scripts/actualizabulmacont
    file: /usr/share/bulmages/examples/scripts/installbulmages-db
    file: /usr/share/bulmages/examples/scripts/creabulmafact
    file: /usr/share/bulmages/examples/scripts/creabulmacont
    file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
    file: /usr/lib/xastir/get-maptools.sh
    file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
    file: /usr/bin/plaiter
    file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
    file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
    file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
    file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
    file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh




Information forwarded to debian-bugs-dist@lists.debian.org, Debian-Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>:
Bug#496366; Package mafft. Full text and rfc822 format available.

Acknowledgement sent to charles@plessy.org:
Extra info received and forwarded to list. Copy sent to Debian-Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #10 received at 496366@bugs.debian.org (full text, mbox):

From: Charles Plessy <plessy@debian.org>
To: debian-release@lists.debian.org, debian-security@lists.debian.org
Cc: "Dmitry E. Oboukhov" <dimka@uvw.ru>, 496366@bugs.debian.org, control@bugs.debian.org
Subject: Re: [Debian-med-packaging] Bug#496366: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 12:56:44 +0900
tag 496366 help
thanks

On Sun, Aug 24, 2008 at 10:05:28PM +0400, Dmitry E. Oboukhov wrote:
> Package: mafft
> Severity: grave
> 
> In some packages I've discovered scripts with errors which may be used
> by a user for damaging important system files or user's files.

Hi all,

I have not followed the discussions on -devel closely. What is the
relevance of this bug for the releasability of the package? Upstream is
already at a much higher version number and I am not able to solve the
problem by myself.

Since the vulnerability can only be exploited by other local users, and
since mafft is scientific software either used on personal computers
or on scientific workstations in trusted environments, can I ignore the
bug for Lenny and work with Upstream on a fix in the latest release?

Have a nice day,

-- 
Charles Plessy
Debian Med packaging team,
Tsurumi, Kanagawa, Japan




Tags added: help Request was from Charles Plessy <plessy@debian.org> to control@bugs.debian.org. (Mon, 25 Aug 2008 04:00:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian-Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>:
Bug#496366; Package mafft. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian-Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #17 received at 496366@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 496366@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: [Debian-med-packaging] Bug#496366: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 09:01:53 +0200
[Message part 1 (text/plain, inline)]
tags 496366 confirmed
thanks

Hi Charles,

> What is the relevance of this bug for the releasability of the package?
> Upstream is already at a much higher version number and I am not able to
> solve the problem by myself.

I've confirmed that the bug is indeed present: the script in question 
uses a number of files directly in /tmp with only the PID as a unique factor.

I've checked the latest upstream and that also has the exact same problem, so 
I don't think it's really relevant that upstream is many versions ahead. If 
they fix it, the fix can be applied to the current mafft package. I don't 
know why you cannot fix the bug yourself, but at least an upstream fix 
would be easily backportable.

But applying the fix yourself would not be very invasive either. The script 
makes extensive use of the system() call, so you could simply add system 
calls to use the essential 'mktemp' to create the files safely.

In the attachment is an example patch which solves the first occurrence. As 
you can see, it's very simple.

If you want a pure Ruby solution it would probably be a bit more invasive, but 
in that case http://ruby-stemp.rubyforge.org/ is available.

> Since the vulnerability can only be exploited by other local users, and
> since mafft is scientific software either used on personal computers
> or on scientific workstations in trusted environments, can I ignore the
> bug for Lenny and work with Upstream on a fix in the latest release?

In the security team, issuing a DSA for an issue that has all these properties 
is normally not high on the priority list. However, that doesn't mean that 
I'm happy with new packages entering stable that have known bugs of this 
kind. So yes, I believe this bug should be resolved before lenny, especially 
as I don't see the problem in doing so.


Thijs
[example.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]
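The two messages above describe the problem and the fix in words: Dmitry's report explains why a /tmp name built from the PID can be pre-empted by a symlink, and Thijs suggests mktemp-style creation. The following Ruby is an added example, not code from the mafft package, from Thijs's attached patch, or from Charles's Securisation-by-mktemp-usage.patch; the function names, the "mafft-homologs" prefix and the victim/work file names are constructed for illustration. It contrasts the PID-only naming scheme with two patterns that have mktemp semantics: an O_EXCL create that refuses a pre-existing path, and a private 0700 scratch directory (what `mktemp -d` does).

```ruby
require 'tmpdir'

# Vulnerable pattern (constructed example): a /tmp name derived only from the
# PID. Anyone who can read the process list can predict it and plant a symlink
# at that path before the script opens it.
def predictable_tmp_name(base = "mafft-homologs")
  File.join(Dir.tmpdir, "#{base}.#{Process.pid}")
end

# Safe pattern 1: create the work file with O_CREAT|O_EXCL. The open fails with
# EEXIST if anything (regular file, or a symlink whether dangling or not) is
# already at the path, so a planted symlink is never followed.
# Returns true when the file was created, false when the path was taken.
def create_exclusively(path, content = "")
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) do |f|
    f.write(content)
  end
  true
rescue Errno::EEXIST
  false
end

# Safe pattern 2: a private scratch directory with a random suffix and mode
# 0700, as `mktemp -d` creates. Work files live inside it, so other local
# users can neither predict the name nor plant entries in it. Yields the
# directory path, removes the tree afterwards and returns the block's value.
def with_private_workdir(prefix = "mafft-homologs")
  Dir.mktmpdir(prefix) { |dir| yield dir }
end

# Demonstrates the difference on a planted symlink. Everything happens inside
# a private workdir so the demo never touches a shared /tmp. `victim` stands
# in for a file the script's user would not want overwritten.
def symlink_demo
  with_private_workdir do |dir|
    victim = File.join(dir, "victim")
    File.write(victim, "original")
    link = File.join(dir, "work.#{Process.pid}")   # the predictable name
    File.symlink(victim, link)                     # planted before the open

    # Naive open with "w": follows the link and clobbers the victim.
    File.open(link, "w") { |f| f.write("clobbered") }
    naive_victim = File.read(victim)

    # Exclusive open on the same planted link: refused, victim untouched.
    File.write(victim, "original")
    exclusive_ok = create_exclusively(link, "work data")

    { naive_overwrote: naive_victim == "clobbered",
      exclusive_refused: !exclusive_ok,
      victim_after_exclusive: File.read(victim),
      dir_mode: File.stat(dir).mode & 0777 }
  end
end

if __FILE__ == $0
  puts "predictable name: #{predictable_tmp_name}"
  p symlink_demo
end
```

For a script that, like mafft-homologs, drives external programs through system(), the private directory is the simplest retrofit: create it once, build every intermediate file name under it, and remove the tree at exit. Ruby's standard library Tempfile gives the same O_EXCL guarantee for single files when a directory is not wanted.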

Tags added: confirmed Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Mon, 25 Aug 2008 07:03:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian-Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>:
Bug#496366; Package mafft. Full text and rfc822 format available.

Acknowledgement sent to Charles Plessy <plessy@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian-Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #24 received at 496366@bugs.debian.org (full text, mbox):

From: Charles Plessy <plessy@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>, 496366@bugs.debian.org, "Dmitry E. Oboukhov" <dimka@uvw.ru>
Cc: control@bugs.debian.org
Subject: Re: [Debian-med-packaging] Bug#496366: Bug#496366: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 23:52:34 +0900
tag 496366 patch
tag 496366 - help
thanks

On Mon, Aug 25, 2008 at 09:01:53AM +0200, Thijs Kinkhorst wrote:
> 
> In the attachment is an example patch which solves the first occurrence. As 
> you can see its very simple.

Many thanks, Thijs.

With your example it was much simpler than I thought. I prepared a
patch that I will forward upstream:

http://svn.debian.org/wsvn/debian-med/trunk/packages/mafft/trunk/debian/patches/Securisation-by-mktemp-usage.patch?op=file&rev=0&sc=0

I would appreciate if Dmitry could review it before I send it.

Have a nice day,

-- 
Charles Plessy
Debian Med packaging team,
Tsurumi, Kanagawa, Japan




Tags added: patch Request was from Charles Plessy <plessy@debian.org> to control@bugs.debian.org. (Mon, 25 Aug 2008 14:54:06 GMT) Full text and rfc822 format available.

Tags removed: help Request was from Charles Plessy <plessy@debian.org> to control@bugs.debian.org. (Mon, 25 Aug 2008 14:54:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian-Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>:
Bug#496366; Package mafft. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian-Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #33 received at 496366@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 496366@bugs.debian.org
Subject: Re: [Debian-med-packaging] Bug#496366: Bug#496366: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 16:55:27 +0200
[Message part 1 (text/plain, inline)]
On Monday 25 August 2008 16:52, Charles Plessy wrote:
> Many thanks, Thijs.
>
> With your example it was much more simple than I thought. I prepared a
> patch that I will forward upstream:

Looks good!


Thijs
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian-Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>:
Bug#496366; Package mafft. Full text and rfc822 format available.

Acknowledgement sent to Charles Plessy <plessy@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian-Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #38 received at 496366@bugs.debian.org (full text, mbox):

From: Charles Plessy <plessy@debian.org>
To: 496366@bugs.debian.org, debian-security@lists.debian.org
Cc: control@bugs.debian.org
Subject: Re: [Debian-med-packaging] Bug#496366: Bug#496366: Bug#496366: The possibility of attack with the help of symlinks in some Debian packages
Date: Tue, 26 Aug 2008 13:24:10 +0900
tag 496366 forwarded Kazutaka Katoh <katoh@bioreg.kyushu-u.ac.jp>
thanks

Hi all,

I forwarded the patch solving the problem to the upstream author. I
would prefer if I could include a note that the patch was accepted
upstream if possible. How long would you recommend to wait before
uploading?

Have a nice day,

-- 
Charles Plessy
Debian Med packaging team,
Tsurumi, Kanagawa, Japan




Tags added: Request was from Charles Plessy <plessy@debian.org> to control@bugs.debian.org. (Tue, 26 Aug 2008 04:27:03 GMT) Full text and rfc822 format available.

Tags added: Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:45:11 GMT) Full text and rfc822 format available.

Tags added: security Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:57:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian-Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>:
Bug#496366; Package mafft. Full text and rfc822 format available.

Acknowledgement sent to Charles Plessy <plessy@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian-Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #49 received at 496366@bugs.debian.org (full text, mbox):

From: Charles Plessy <plessy@debian.org>
To: debian-release@lists.debian.org, 496366@bugs.debian.org
Subject: Re: Preparing update of 'mafft' to fix #496366 ("grave" security bug).
Date: Mon, 1 Sep 2008 21:39:44 +0900
On Mon, Aug 25, 2008 at 10:17:02PM -0700, Steve Langasek wrote:
> On Tue, Aug 26, 2008 at 01:40:01PM +0900, Charles Plessy wrote:
> 
> > Would you accept this package in Lenny to fix #496366?
> 
> If the diff is in line with this description, yes.

Hi Steve, hi all,

thank you for your patience. I have been in contact with Upstream, who
reviewed and kindly finished the patching work (I did not manage to produce a
working patch for the Ruby file).

Here is the final changelog:

 mafft (6.240-2) unstable; urgency=high
 .
   [ Charles Plessy ]
   * debian/control:
     - Moved the Homepage: field out from the package's description.
     - Enhances: t-coffee.
   * Updated my email address.
   * Securisation of the temporary files of mafft-homologs:
     - debian/control: build-depend on quilt.
     - debian/rules: modified to use quilt.
     - debian/README.source: signals that the package uses quilt.
     - debian/patches: added a patch to use non-guessable temporary files
       (Closes: #496366). Thanks to Dmitry E. Oboukhov for finding the bug,
       Thijs Kinkhorst for preliminary patch and Kazutaka Katoh for the
       final implementation.
     - debian/mafft-homologs.1*, debian/README.Debian: document that the
       program is patched.
 .
   [ David Paleino ]
   * debian/mafft.1, debian/mafft-homologs.1 added - manpages built statically.
   * debian/control:
     - B-D updated (see above)
     - added myself to Uploaders
     - moved XS-Vcs-* fields to Vcs-*
     - Updated to Standards-Version 3.7.3 (no changes needed)
   * debian/rules:
     - reflecting static build of manpages
     - minor changes


Here is the diffstat:

aqwa『build-area』$ diffstat mafft_6.240-1_6.240-2.debdiff
 debian/README.source                              |    8 
 debian/mafft-homologs.1                           |  112 ++++++
 debian/mafft.1                                    |  370 ++++++++++++++++++++++
 debian/patches/Securisation-by-mktemp-usage.patch |  211 ++++++++++++
 debian/patches/series                             |    1 
 mafft-6.240/debian/README.Debian                  |    7 
 mafft-6.240/debian/changelog                      |   31 +
 mafft-6.240/debian/control                        |   20 -
 mafft-6.240/debian/mafft-homologs.1.xml           |    9 
 mafft-6.240/debian/mafft.1.xml                    |    9 
 mafft-6.240/debian/rules                          |   20 -

I added a paragraph about the patch to the manpages, but as the sources are in
XML and the stylesheets evolved, the diff is big. All the changes unrelated to
the bug are documented in the changelog, except the addition of
DM-Upload-Allowed: yes, that is systematic in our packages anyway, and cosmetic
improvements of the description. The patch itself now affects another file in
which a similar security problem was uncovered by Upstream. Here is the full
debdiff.

Have a nice day,

-- Charles Plessy, Debian Med packaging team, Tsurumi, Kanagawa, Japan


diff -u mafft-6.240/debian/mafft.1.xml mafft-6.240/debian/mafft.1.xml
--- mafft-6.240/debian/mafft.1.xml
+++ mafft-6.240/debian/mafft.1.xml
@@ -12,7 +12,7 @@
   <!ENTITY dhemail     "charles-debian-nospam@plessy.org">
   <!ENTITY dhusername  "&dhfirstname; &dhsurname;">
   <!ENTITY dhrelease   "6.240">
-  <!ENTITY dhdate      "2007-06-09">
+  <!ENTITY dhdate      "2008-09-01">
   <!ENTITY dhtitle     "Mafft Manual">
   <!ENTITY dhucpackage "MAFFT">
   <!ENTITY dhpackage   "mafft">
@@ -739,4 +739,11 @@
     </refsect2>
   </refsect1>
+  <refsect1>
+    <title>DIVERGENCE FROM UPSTREAM</title>
+    <para><command>mafft-homologs</command> has been patched to enhance the
+    security of the temporary files it creates. You can consult the patch in
+    the Debian source package. It has been reviewed and amended by Kazutaka
+    Katoh, the upstream author of MAFFT.</para>
+  </refsect1>
 </refentry>
 
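Review bot: the new DIVERGENCE FROM UPSTREAM section in mafft.1.xml names only mafft-homologs, while the README.Debian hunk in this same debdiff says both mafft and mafft-homologs were patched, and the changelog entry mentions mafft-homologs alone; the three should agree on which programs diverge, and the mafft(1) page in particular should state whether mafft itself is patched.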
diff -u mafft-6.240/debian/control mafft-6.240/debian/control
--- mafft-6.240/debian/control
+++ mafft-6.240/debian/control
@@ -2,18 +2,22 @@
 Section: science
 Priority: optional
 Maintainer: Debian-Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>
-Uploaders: Charles Plessy <charles-debian-nospam@plessy.org>
-Build-Depends: debhelper (>= 5), xsltproc, docbook-xsl, docbook-xml
-Standards-Version: 3.7.2
-XS-Vcs-Browser: http://svn.debian.org/wsvn/debian-med/trunk/packages/mafft/trunk/
-XS-Vcs-Svn: svn://svn.debian.org/svn/debian-med/trunk/packages/mafft
+DM-Upload-Allowed: yes
+Uploaders: Charles Plessy <plessy@debian.org>,
+ David Paleino <d.paleino@gmail.com>
+Build-Depends: debhelper (>= 5), quilt
+Standards-Version: 3.7.3
+Vcs-Browser: http://svn.debian.org/wsvn/debian-med/trunk/packages/mafft/trunk/?rev=0&sc=0
+Vcs-Svn: svn://svn.debian.org/svn/debian-med/trunk/packages/mafft/trunk/
+Homepage: http://align.bmr.kyushu-u.ac.jp/mafft/software/
 
 Package: mafft
 Architecture: any
 Depends: ${shlibs:Depends}, ${misc:Depends}
 Suggests: ruby, lynx, blast2
+Enhances: t-coffee
 Description: Multiple alignment program for amino acid or nucleotide sequences
- MAFFT is a multiple sequence alignment program, which offers three
+ MAFFT is a multiple sequence alignment program which offers three
  accuracy-oriented methods:
   * L-INS-i (probably most accurate; recommended for <200 sequences;
     iterative refinement method incorporating local pairwise alignment
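Review bot: Build-Depends drops xsltproc, docbook-xsl and docbook-xml (the manpages are now shipped pre-built), but debian/rules in this same debdiff keeps the `XP=xsltproc` recipe and the `mafft.1: debian/mafft.1.xml` / `mafft-homologs.1: debian/mafft-homologs.1.xml` targets; either delete those now-dead targets or add a comment that they are maintainer-only and require xsltproc outside the build dependencies, so a later `debian/rules mafft.1` in a clean chroot does not fail unexpectedly.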
@@ -23,7 +27,7 @@
     pairwise alignment information),
   * E-INS-i (suitable for sequences containing large unalignable regions;
     recommended for <200 sequences),
-    and five speed-oriented methods:
+ and five speed-oriented methods:
   * FFT-NS-i (iterative refinement method; two cycles only),
   * FFT-NS-i (iterative refinement method; max. 1000 iterations),
   * FFT-NS-2 (fast; progressive method),
@@ -34,2 +37,0 @@
- .
-  Homepage: http://align.bmr.kyushu-u.ac.jp/mafft/software/
diff -u mafft-6.240/debian/README.Debian mafft-6.240/debian/README.Debian
--- mafft-6.240/debian/README.Debian
+++ mafft-6.240/debian/README.Debian
@@ -21 +21,6 @@
- -- Charles Plessy <charles-debian-nospam@plessy.org>  Wed,  7 Feb 2007 21:44:40 +0900
+The programs mafft and mafft-homologs have been patched to enhance the security
+of the temporary files they create. You can consult the patch in the Debian
+source package. It has been reviewed and amended by Kazutaka Katoh, the
+upstream author of MAFFT.
+
+ -- Charles Plessy <charles-debian-nospam@plessy.org>  Mon, 25 Aug 2008 23:29:19 +0900
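Review bot: the new README.Debian signature line still carries charles-debian-nospam@plessy.org, although the changelog entry in this debdiff says "Updated my email address" and the control hunk moves Uploaders to plessy@debian.org; use the new address here as well so the shipped documentation is consistent.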
diff -u mafft-6.240/debian/mafft-homologs.1.xml mafft-6.240/debian/mafft-homologs.1.xml
--- mafft-6.240/debian/mafft-homologs.1.xml
+++ mafft-6.240/debian/mafft-homologs.1.xml
@@ -12,7 +12,7 @@
   <!ENTITY dhemail     "charles-debian-nospam@plessy.org">
   <!ENTITY dhusername  "&dhfirstname; &dhsurname;">
   <!ENTITY dhrelease   "2.1">
-  <!ENTITY dhdate      "2007-06-09">
+  <!ENTITY dhdate      "2008-09-01">
   <!ENTITY dhtitle     "Mafft Manual">
   <!ENTITY dhucpackage "MAFFT-HOMOLOGS">
   <!ENTITY dhpackage   "mafft-homologs">
@@ -193,2 +193,9 @@
 	</refsect1>
+  <refsect1>
+    <title>DIVERGENCE FROM UPSTREAM</title>
+    <para><command>mafft-homologs</command> has been patched to enhance the
+    security of the temporary files it creates. You can consult the patch in
+    the Debian source package. It has been reviewed and amended by Kazutaka
+    Katoh, the upstream author of MAFFT.</para>
+  </refsect1>
 </refentry>
diff -u mafft-6.240/debian/rules mafft-6.240/debian/rules
--- mafft-6.240/debian/rules
+++ mafft-6.240/debian/rules
@@ -5,11 +5,14 @@
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
 
+include /usr/share/quilt/quilt.make
+
 XP=xsltproc  \
       -''-nonet \
       -''-param man.charmap.use.subset "0" \
       -''-param make.year.ranges "1" \
-      -''-param make.single.year.ranges "1"
+      -''-param make.single.year.ranges "1" \
+      -o debian/
 
 
 CFLAGS = -Wall -g
@@ -26,11 +29,11 @@
 mafft-homologs.1: debian/mafft-homologs.1.xml
 	$(XP) $<
 
-build-stamp: build
-build: mafft.1 mafft-homologs.1
+build: patch build-stamp
+build-stamp:
 	dh_testdir
 	$(MAKE) -C src PREFIX=/usr/lib/mafft
-	touch build-stamp
+	touch $@
 
 MAFFT = MAFFT_BINARIES=$(CURDIR)/binaries scripts/mafft
 
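Review bot: `build: patch build-stamp` only guarantees the quilt series is applied when the `build` target is what gets invoked; `install: build-stamp test` (context in the next hunk) depends on `build-stamp` directly, so `debian/rules install` on a fresh tree would compile the unpatched sources. Make the stamp itself depend on the patch target (`build-stamp: patch`) instead of relying on prerequisite order in `build`.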
@@ -42,11 +45,11 @@
 	-$(MAFFT) --localpair			test/sample | diff test/sample.lins1 -
 	-$(MAFFT) --localpair --maxiterate 100	test/sample | diff test/sample.linsi -
 
-clean:
+clean: unpatch
 	dh_testdir
 	dh_testroot
-	-$(MAKE) -C src clean
-	dh_clean mafft.1 mafft-homologs.1 build-stamp
+	[ ! -f Makefile ] || $(MAKE) -C src clean
+	dh_clean build-stamp
 
 install: build-stamp test
 	dh_testdir
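Review bot: `[ ! -f Makefile ] || $(MAKE) -C src clean` tests for a Makefile in the package root but runs make in src/, so the guard inspects the wrong file: with no top-level Makefile the clean is skipped even when src/Makefile exists, and with one present it runs make in a directory that may have none. Use `[ ! -f src/Makefile ] || $(MAKE) -C src clean`.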
@@ -57,14 +60,13 @@
 	mv debian/mafft/usr/bin/mafft-homologs.rb debian/mafft/usr/bin/mafft-homologs
 
 binary-indep: build install
-
 binary-arch: build install
 	dh_testdir
 	dh_testroot
 	dh_installchangelogs 
 	dh_installdocs
 	dh_install test usr/share/doc/mafft/
-	dh_installman mafft.1 mafft-homologs.1
+	dh_installman debian/mafft.1 debian/mafft-homologs.1
 	dh_link
 	dh_strip
 	dh_compress
diff -u mafft-6.240/debian/changelog mafft-6.240/debian/changelog
--- mafft-6.240/debian/changelog
+++ mafft-6.240/debian/changelog
@@ -1,3 +1,34 @@
+mafft (6.240-2) unstable; urgency=high
+
+  [ Charles Plessy ]
+  * debian/control:
+    - Moved the Homepage: field out from the package's description.
+    - Enhances: t-coffee.
+  * Updated my email address.
+  * Securisation of the temorary files of mafft-homologs:
+    - debian/control: build-depend on quilt.
+    - debian/rules: modified to use quilt.
+    - debian/README.source: signals that the package uses quilt.
+    - debian/patches: added a patch to use non-guessable temporary files
+      (Closes: #496366). Thanks to Dmitry E. Oboukhov for finding the bug,
+      Thijs Kinkhorst for preliminary patch and Kazutaka Katoh for the
+      final implementation.
+    - debian/mafft-homologs.1*, debian/README.Debian: document that the
+      program is patched.
+
+  [ David Paleino ]
+  * debian/mafft.1, debian/mafft-homologs.1 added - manpages built statically.
+  * debian/control:
+    - B-D updated (see above)
+    - added myself to Uploaders
+    - moved XS-Vcs-* fields to Vcs-*
+    - Updated to Standards-Version 3.7.3 (no changes needed)
+  * debian/rules:
+    - reflecting static build of manpages
+    - minor changes
+
+ -- Charles Plessy <plessy@debian.org>  Mon, 25 Aug 2008 23:30:20 +0900
+
 mafft (6.240-1) unstable; urgency=low
 
   * Initial release (Closes: #409640)
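Review bot: spelling in the changelog entry: "temorary" should be "temporary", and "Securisation" is not standard English ("Securing" or "Hardening" reads better). The credits here name three people, whereas the `.changes` file for the same version later in this log also thanks Michael Schutte for the final review, so the changelog in this debdiff is not the one that was uploaded; make sure the final entry is the one committed.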
only in patch2:
unchanged:
--- mafft-6.240.orig/debian/mafft.1
+++ mafft-6.240/debian/mafft.1
@@ -0,0 +1,370 @@
+.\"     Title: MAFFT
+.\"    Author: Kazutaka Katoh <katoh_at_bioreg.kyushu-u.ac.jp.>
+.\" Generator: DocBook XSL Stylesheets v1.73.2 <http://docbook.sf.net/>
+.\"      Date: 2008-09-01
+.\"    Manual: Mafft Manual
+.\"    Source: mafft 6.240
+.\"
+.TH "MAFFT" "1" "2008\-09\-01" "mafft 6.240" "Mafft Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+mafft \- Multiple alignment program for amino acid or nucleotide sequences
+.SH "SYNOPSIS"
+.HP 6
+\fBmafft\fR [\fBoptions\fR] \fIinput\fR [>\ \fIoutput\fR]
+.HP 6
+\fBlinsi\fR \fIinput\fR [>\ \fIoutput\fR]
+.HP 6
+\fBginsi\fR \fIinput\fR [>\ \fIoutput\fR]
+.HP 6
+\fBeinsi\fR \fIinput\fR [>\ \fIoutput\fR]
+.HP 7
+\fBfftnsi\fR \fIinput\fR [>\ \fIoutput\fR]
+.HP 6
+\fBfftns\fR \fIinput\fR [>\ \fIoutput\fR]
+.HP 14
+\fBmafft\-profile\fR \fIgroup1\fR \fIgroup2\fR [>\ \fIoutput\fR]
+.SH "DESCRIPTION"
+.PP
+\fBMAFFT\fR
+is a multiple sequence alignment program for unix\-like operating systems\&. It offers a range of multiple alignment methods\&.
+.SS "Accuracy\-oriented methods:"
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'L\-INS\-i (probably most accurate; recommended for <200 sequences; iterative refinement method incorporating local pairwise alignment information):
+.HP 6
+\fBmafft\fR \fB\-\-localpair\fR \fB\-\-maxiterate\fR\ \fI1000\fR \fIinput\fR [>\ \fIoutput\fR]
+.HP 6
+\fBlinsi\fR \fIinput\fR [>\ \fIoutput\fR]
+.RE
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'G\-INS\-i (suitable for sequences of similar lengths; recommended for <200 sequences; iterative refinement method incorporating global pairwise alignment information):
+.HP 6
+\fBmafft\fR \fB\-\-globalpair\fR \fB\-\-maxiterate\fR\ \fI1000\fR \fIinput\fR [>\ \fIoutput\fR]
+.HP 6
+\fBginsi\fR \fIinput\fR [>\ \fIoutput\fR]
+.RE
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'E\-INS\-i (suitable for sequences containing large unalignable regions; recommended for <200 sequences):
+.HP 6
+\fBmafft\fR \fB\-\-ep\fR\ \fI0\fR \fB\-\-genafpair\fR \fB\-\-maxiterate\fR\ \fI1000\fR \fIinput\fR [>\ \fIoutput\fR]
+.HP 6
+\fBeinsi\fR \fIinput\fR [>\ \fIoutput\fR]
+.br
+
+For E\-INS\-i, the
+\fB\-\-ep\fR
+\fI0\fR
+option is recommended to allow large gaps\&.
+.RE
+.SS "Speed\-oriented methods:"
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'FFT\-NS\-i (iterative refinement method; two cycles only):
+.HP 6
+\fBmafft\fR \fB\-\-retree\fR\ \fI2\fR \fB\-\-maxiterate\fR\ \fI2\fR \fIinput\fR [>\ \fIoutput\fR]
+.HP 7
+\fBfftnsi\fR \fIinput\fR [>\ \fIoutput\fR]
+.RE
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'FFT\-NS\-i (iterative refinement method; max\&. 1000 iterations):
+.HP 6
+\fBmafft\fR \fB\-\-retree\fR\ \fI2\fR \fB\-\-maxiterate\fR\ \fI1000\fR \fIinput\fR [>\ \fIoutput\fR]
+.RE
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'FFT\-NS\-2 (fast; progressive method):
+.HP 6
+\fBmafft\fR \fB\-\-retree\fR\ \fI2\fR \fB\-\-maxiterate\fR\ \fI0\fR \fIinput\fR [>\ \fIoutput\fR]
+.HP 6
+\fBfftns\fR \fIinput\fR [>\ \fIoutput\fR]
+.RE
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'FFT\-NS\-1 (very fast; recommended for >2000 sequences; progressive method with a rough guide tree):
+.HP 6
+\fBmafft\fR \fB\-\-retree\fR\ \fI1\fR \fB\-\-maxiterate\fR\ \fI0\fR \fIinput\fR [>\ \fIoutput\fR]
+.RE
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'NW\-NS\-PartTree\-1 (recommended for ?50,000 sequences; progressive method with the PartTree algorithm):
+.HP 6
+\fBmafft\fR \fB\-\-retree\fR\ \fI1\fR \fB\-\-maxiterate\fR\ \fI0\fR \fB\-\-parttree\fR \fIinput\fR [>\ \fIoutput\fR]
+.RE
+.SS "Group\-to\-group alignments"
+.HP 14
+\fBmafft\-profile\fR \fIgroup1\fR \fIgroup2\fR [>\ \fIoutput\fR]
+.PP
+or:
+.HP 6
+\fBmafft\fR \fB\-\-maxiterate\fR\ \fI1000\fR \fB\-\-seed\fR\ \fIgroup1\fR \fB\-\-seed\fR\ \fIgroup2\fR /dev/null [>\ \fIoutput\fR]
+.SH "OPTIONS"
+.PP
+\fB\-\-auto\fR
+.RS 4
+.RE
+.PP
+\fB\-\-clustalout\fR
+.RS 4
+.RE
+.PP
+\fB\-\-reorder\fR
+.RS 4
+.RE
+.PP
+\fB\-\-inputorder\fR
+.RS 4
+.RE
+.PP
+\fB\-\-algq\fR
+.RS 4
+.RE
+.PP
+\fB\-\-groupsize\fR
+.RS 4
+.RE
+.PP
+\fB\-\-partsize\fR
+.RS 4
+.RE
+.PP
+\fB\-\-parttree\fR
+.RS 4
+.RE
+.PP
+\fB\-\-dpparttree\fR
+.RS 4
+.RE
+.PP
+\fB\-\-fastaparttree\fR
+.RS 4
+.RE
+.PP
+\fB\-\-treeout\fR
+.RS 4
+.RE
+.PP
+\fB\-\-fastswpair\fR
+.RS 4
+.RE
+.PP
+\fB\-\-fastapair\fR
+.RS 4
+.RE
+.PP
+\fB\-\-noscore\fR
+.RS 4
+.RE
+.PP
+\fB\-\-6merpair\fR
+.RS 4
+.RE
+.PP
+\fB\-\-blastpair\fR
+.RS 4
+.RE
+.PP
+\fB\-\-globalpair\fR
+.RS 4
+.RE
+.PP
+\fB\-\-localpair\fR
+.RS 4
+.RE
+.PP
+\fB\-\-genafpair\fR
+.RS 4
+.RE
+.PP
+\fB\-\-memsave\fR
+.RS 4
+.RE
+.PP
+\fB\-\-nuc\fR
+.RS 4
+.RE
+.PP
+\fB\-\-amino\fR
+.RS 4
+.RE
+.PP
+\fB\-\-fft\fR
+.RS 4
+.RE
+.PP
+\fB\-\-nofft\fR
+.RS 4
+.RE
+.PP
+\fB\-\-quiet\fR
+.RS 4
+.RE
+.PP
+\fB\-\-coreext\fR
+.RS 4
+.RE
+.PP
+\fB\-\-core\fR
+.RS 4
+.RE
+.PP
+\fB\-\-maxiterate\fR
+.RS 4
+.RE
+.PP
+\fB\-\-retree\fR
+.RS 4
+.RE
+.PP
+\fB\-\-aamatrix\fR
+.RS 4
+.RE
+.PP
+\fB\-\-fmodel\fR
+.RS 4
+.RE
+.PP
+\fB\-\-jtt\fR
+.RS 4
+.RE
+.PP
+\fB\-\-tm\fR
+.RS 4
+.RE
+.PP
+\fB\-\-bl\fR
+.RS 4
+.RE
+.PP
+\fB\-\-weighti\fR
+.RS 4
+.RE
+.PP
+\fB\-\-op\fR
+.RS 4
+.RE
+.PP
+\fB\-\-ep\fR
+.RS 4
+.RE
+.PP
+\fB\-\-lop\fR
+.RS 4
+.RE
+.PP
+\fB\-\-LOP\fR
+.RS 4
+.RE
+.PP
+\fB\-\-lep\fR
+.RS 4
+.RE
+.PP
+\fB\-\-lexp\fR
+.RS 4
+.RE
+.PP
+\fB\-\-LEXP\fR
+.RS 4
+.RE
+.PP
+\fB\-\-corethr\fR
+.RS 4
+.RE
+.PP
+\fB\-\-corewin\fR
+.RS 4
+.RE
+.PP
+\fB\-\-seed\fR
+.RS 4
+.RE
+.SH "FILES"
+.PP
+Mafft stores the input sequences and other files in a temporary directory, which by default is located in
+\fI/tmp\fR\&.
+.SH "ENVIONMENT"
+.PP
+\fBMAFFT_BINARIES\fR
+.RS 4
+Indicates the location of the binary files used by mafft\&. By default, they are searched in
+\fI/usr/local/lib/mafft\fR, but on Debian systems, they are searched in
+\fI/usr/lib/mafft\fR\&.
+.RE
+.PP
+\fBFASTA_4_MAFFT\fR
+.RS 4
+This variable can be set to indicate to mafft the location to the fasta34 program if it is not in the PATH\&.
+.RE
+.SH "SEE ALSO"
+.PP
+
+\fBmafft-homologs\fR(1)
+.SH "REFERENCES"
+.SS "In English"
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'Katoh and Toh (Bioinformatics 23:372\-374, 2007) PartTree: an algorithm to build an approximate tree from a large number of unaligned sequences (describes the PartTree algorithm)\&.
+.RE
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'Katoh, Kuma, Toh and Miyata (Nucleic Acids Res\&. 33:511\-518, 2005) MAFFT version 5: improvement in accuracy of multiple sequence alignment (describes [ancestral versions of] the G\-INS\-i, L\-INS\-i and E\-INS\-i strategies)
+.RE
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'Katoh, Misawa, Kuma and Miyata (Nucleic Acids Res\&. 30:3059\-3066, 2002) MAFFT: a novel method for rapid multiple sequence alignment based on fast Fourier transform (describes the FFT\-NS\-1, FFT\-NS\-2 and FFT\-NS\-i strategies)
+.RE
+.SS "In Japanese"
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'Katoh and Misawa (???? 46:312\-317, 2006) Multiple Sequence Alignments: the Next Generation
+.RE
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'Katoh and Kuma (????? 44:102\-108, 2006) Jissen\-teki Multiple Alignment
+.RE
+.SH "DIVERGENCE FROM UPSTREAM"
+.PP
+\fBmafft\-homologs\fR
+has been patched to enhance the security of the temporary files it creates\&. You can consult the patch in the Debian source package\&. It has been reviewed and amended by Kazutaka Katoh, the upstream author of MAFFT\&.
+.SH "AUTHORS"
+.PP
+\fBKazutaka Katoh\fR <\&katoh_at_bioreg\&.kyushu\-u\&.ac\&.jp\&.\&>
+.sp -1n
+.IP "" 4
+Wrote Mafft\&.
+.PP
+\fBCharles Plessy\fR <\&charles\-debian\-nospam@plessy\&.org\&>
+.sp -1n
+.IP "" 4
+Wrote this manpage in DocBook XML for the Debian distribution, using Mafft\'s homepage as a template\&.
+.SH "COPYRIGHT"
+Copyright \(co 2002, 2003, 2004, 2005, 2006, 2007 Kazutaka Katoh (mafft)
+.br
+Copyright \(co 2007 Charles Plessy (this manpage)
+.br
+.PP
+Mafft and its manpage are offered under the following conditions:
+.PP
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+.sp
+.RS 4
+\h'-04' 1.\h'+02'Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer\&.
+.RE
+.sp
+.RS 4
+\h'-04' 2.\h'+02'Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution\&.
+.RE
+.sp
+.RS 4
+\h'-04' 3.\h'+02'The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission\&.
+.RE
+.PP
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED\&. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE\&.
+.sp
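Review bot: the FILES section says the temporary directory is by default located in /tmp, but with the `mktemp -dt` call introduced by the quilt patch the location follows `$TMPDIR` when that variable is set; documenting that is the one user-visible effect of the fix and belongs here or under ENVIRONMENT. Further points: the section heading "ENVIONMENT" should be "ENVIRONMENT"; "?50,000" in the NW-NS-PartTree-1 item and "????" in the two Japanese references are characters lost in the DocBook-to-roff conversion (the first is presumably a comparison sign, like the `<200` and `>2000` in the neighbouring items, and the others the journal names) and should be replaced or spelled out in ASCII; and every entry under OPTIONS is an empty `.RS 4`/`.RE` pair, so the page lists option names with no descriptions at all.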
only in patch2:
unchanged:
--- mafft-6.240.orig/debian/README.source
+++ mafft-6.240/debian/README.source
@@ -0,0 +1,8 @@
+This package uses quilt to patch the sources. Please refer to
+/usr/share/doc/quilt/README.source for more informations.
+
+This package is maintained by the Debian Med packagign team. Please refer to
+our group policy if you would like to commit to our Subversion repository. All
+Debian developpers have write acces to it.
+
+http://debian-med.alioth.debian.org/docs/policy.html
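Review bot: spelling in README.source: "informations" should be "information", "packagign" should be "packaging", "developpers" should be "developers" and "acces" should be "access".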
only in patch2:
unchanged:
--- mafft-6.240.orig/debian/mafft-homologs.1
+++ mafft-6.240/debian/mafft-homologs.1
@@ -0,0 +1,112 @@
+.\"     Title: MAFFT-HOMOLOGS
+.\"    Author: Kazutaka Katoh <katoh_at_bioreg.kyushu-u.ac.jp.>
+.\" Generator: DocBook XSL Stylesheets v1.73.2 <http://docbook.sf.net/>
+.\"      Date: 2008-09-01
+.\"    Manual: Mafft Manual
+.\"    Source: mafft-homologs 2.1
+.\"
+.TH "MAFFT\-HOMOLOGS" "1" "2008\-09\-01" "mafft-homologs 2.1" "Mafft Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+mafft-homologs \- aligns sequences together with homologues automatically collected from SwissProt via NCBI BLAST
+.SH "SYNOPSIS"
+.HP 15
+\fBmafft\-homologs\fR [\fBoptions\fR] \fIinput\fR [>\ \fIoutput\fR]
+.SH "DESCRIPTION"
+.PP
+The accuracy of an alignment of a few distantly related sequences is considerably improved when being aligned together with their close homologs\&. The reason for the improvement is probably the same as that for PSI\-BLAST\&. That is, the positions of highly conserved residues, those with many gaps and other additional information is brought by close homologs\&. According to Katoh et al\&. (2005), the improvement by adding close homologs is 10% or so, which is comparable to the improvement by incorporating structural information of a pair of sequences\&. Mafft\-homologs in a mafft server works like this:
+.sp
+.RS 4
+\h'-04' 1.\h'+02'Collect a number (50 by default) of close homologs (E=1e\-10 by default) of the input sequences\&.
+.RE
+.sp
+.RS 4
+\h'-04' 2.\h'+02'Align the input sequences and homologs all together using the L\-INS\-i strategy\&.
+.RE
+.sp
+.RS 4
+\h'-04' 3.\h'+02'Remove the homologs\&.
+.RE
+.SH "OPTIONS"
+.PP
+\fB\-a\fR \fI\fIn\fR\fR
+.RS 4
+The number of collected sequences (default: 50)\&.
+.RE
+.PP
+\fB\-e\fR \fI\fIn\fR\fR
+.RS 4
+Threshold value (default: 1e\-10)\&.
+.RE
+.PP
+\fB\-o\fR \fI\fIxxx\fR\fR
+.RS 4
+options for mafft (default: " \-\-op 1\&.53 \-\-ep 0\&.123 \-\-maxiterate 1000")\&.
+.RE
+.PP
+\fB\-l\fR
+.RS 4
+Locally carries out blast searches instead of NCBI blast (requires locally installed blast and a database)\&.
+.RE
+.PP
+\fB\-f\fR
+.RS 4
+Outputs collected homologues also (default: off)\&.
+.RE
+.PP
+\fB\-w\fR
+.RS 4
+entire sequences are subjected to BLAST search (default: well\-aligned region only)
+.RE
+.SH "REQUIREMENTS"
+.PP
+Mafft\-homologs requires a version of mafft higher than 5\&.58\&.
+.SH "REFERENCES"
+.PP
+Katoh, Kuma, Toh and Miyata (Nucleic Acids Res\&. 33:511\-518, 2005) MAFFT version 5: improvement in accuracy of multiple sequence alignment\&.
+.SH "SEE ALSO"
+.PP
+
+\fBmafft\fR(1)
+.SH "DIVERGENCE FROM UPSTREAM"
+.PP
+\fBmafft\-homologs\fR
+has been patched to enhance the security of the temporary files it creates\&. You can consult the patch in the Debian source package\&. It has been reviewed and amended by Kazutaka Katoh, the upstream author of MAFFT\&.
+.SH "AUTHORS"
+.PP
+\fBKazutaka Katoh\fR <\&katoh_at_bioreg\&.kyushu\-u\&.ac\&.jp\&.\&>
+.sp -1n
+.IP "" 4
+Wrote Mafft\&.
+.PP
+\fBCharles Plessy\fR <\&charles\-debian\-nospam@plessy\&.org\&>
+.sp -1n
+.IP "" 4
+Wrote this manpage in DocBook XML for the Debian distribution, using Mafft\'s homepage as a template\&.
+.SH "COPYRIGHT"
+Copyright \(co 2002, 2003, 2004, 2005, 2006, 2007 Kazutaka Katoh (mafft)
+.br
+Copyright \(co 2007 Charles Plessy (this manpage)
+.br
+.PP
+Mafft and its manpage are offered under the following conditions:
+.PP
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+.sp
+.RS 4
+\h'-04' 1.\h'+02'Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer\&.
+.RE
+.sp
+.RS 4
+\h'-04' 2.\h'+02'Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution\&.
+.RE
+.sp
+.RS 4
+\h'-04' 3.\h'+02'The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission\&.
+.RE
+.PP
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED\&. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE\&.
+.sp
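Review bot: the quilt patch adds a hard limit to mafft-homologs (`if nseq >= 100 then` followed by `STDERR.puts "The number of input sequences must be <100."` and `exit`), but this manpage does not mention it; add it under DESCRIPTION or REQUIREMENTS. In the `-a`, `-e` and `-o` entries `\fI\fIn\fR\fR` is a doubled italic escape from the XSL conversion and renders as a stray font change; `\fIn\fR` suffices. As in mafft.1, the DIVERGENCE FROM UPSTREAM section could say where the temporary files now go (`$TMPDIR` or the system default) so that users know what changed.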
only in patch2:
unchanged:
--- mafft-6.240.orig/debian/patches/Securisation-by-mktemp-usage.patch
+++ mafft-6.240/debian/patches/Securisation-by-mktemp-usage.patch
@@ -0,0 +1,211 @@
+Author: Kazutaka Katoh and Charles Plessy, with the kind help of Thijs Kinkhorst.
+Description: Securisation of the temporary files of mafft-homologs.
+ Mafft-homologs uses predictable names for its temporary files. This patch
+ replaces the pid-based file names by names constructed with the `mktemp'
+ program. 
+ .
+ Quoting its manual page:
+ mktemp is a program to allow shell scripts to safely use temporary files.
+ Traditionally, many shell scripts take the name of the program with the PID
+ as a suffix and use that as a temporary filename.  This kind of naming scheme
+ is predictable and  the race condition  it  creates is  easy for an attacker
+ to win.  A safer, though still inferior approach is to make a temporary
+ directory using the same naming scheme.  While this does allow one to
+ guarantee that a temporary file will not  be  subverted, it still allows a
+ simple denial of service attack.  For these reasons it is suggested that
+ mktemp be used instead.
+Forwarded: Kazutaka Katoh <katoh@bioreg.kyushu-u.ac.jp>
+Reviewed: Kazutaka Katoh
+License: same as MAFFT itself.
+
+Index: mafft-6.240/src/mafft-homologs.tmpl
+===================================================================
+--- mafft-6.240.orig/src/mafft-homologs.tmpl
++++ mafft-6.240/src/mafft-homologs.tmpl
+@@ -31,11 +31,22 @@
+ #   -w        entire sequences are subjected to BLAST search 
+ #             (default: well-aligned region only)
+ 
+-
+ require 'getopts'
++require 'tempfile'
++
++# mktemp
++temp_vf = Tempfile.new("_vf").path
++temp_if = Tempfile.new("_if").path
++temp_pf = Tempfile.new("_pf").path
++temp_af = Tempfile.new("_af").path
++temp_qf = Tempfile.new("_qf").path
++temp_bf = Tempfile.new("_bf").path
++temp_rid = Tempfile.new("_rid").path
++temp_res = Tempfile.new("_res").path
+ 
+-system( mafftpath + " --help > /tmp/_vf#{$$} 2>&1" )
+-pfp = File.open( "/tmp/_vf#{$$}", 'r' )
++
++system( mafftpath + " --help > #{temp_vf} 2>&1" )
++pfp = File.open( "#{temp_vf}", 'r' )
+ while pfp.gets
+ 	break if $_ =~ /MAFFT v/
+ end
+@@ -114,35 +125,38 @@
+ 	mafftopt += " " + $OPT_o + " "
+ end
+ 
+-system "cat " + ARGV.to_s + " > /tmp/_if#{$$}"
++system "cat " + ARGV.to_s + " > #{temp_if}"
+ ar = mafftopt.split(" ")
+ nar = ar.length
+ for i in 0..(nar-1)
+ 	if ar[i] == "--seed" then
+-		system "cat #{ar[i+1]} >> /tmp/_if#{$$}"
++		system "cat #{ar[i+1]} >> #{temp_if}"
+ 	end
+ end
+ 
+ nseq = 0
+-ifp = File.open( "/tmp/_if#{$$}", 'r' )
++ifp = File.open( "#{temp_if}", 'r' )
+ 	while ifp.gets
+ 		nseq += 1 if $_ =~ /^>/
+ 	end
+ ifp.close
+ 
+-STDERR.puts "Performing preliminary alignment .. "
+-if nseq == 1 then
+-	system( "cp /tmp/_if#{$$}"  + " /tmp/_pf#{$$}" )
++if nseq >= 100 then
++	STDERR.puts "The number of input sequences must be <100."
++	exit
++elsif nseq == 1 then
++	system( "cp #{temp_if}"  + " #{temp_pf}" )
+ else
++	STDERR.puts "Performing preliminary alignment .. "
+ 	if entiresearch == 1 then
+-#		system( mafftpath + " --maxiterate 1000 --localpair /tmp/_if#{$$} > /tmp/_pf#{$$}" )
+-		system( mafftpath + " --maxiterate 0 --retree 2 /tmp/_if#{$$} > /tmp/_pf#{$$}" )
++#		system( mafftpath + " --maxiterate 1000 --localpair #{temp_if} > #{temp_pf}" )
++		system( mafftpath + " --maxiterate 0 --retree 2 #{temp_if} > #{temp_pf}" )
+ 	else
+-		system( mafftpath + " --maxiterate 1000 --localpair --core --coreext --corethr #{corethr.to_s} --corewin #{corewin.to_s} /tmp/_if#{$$} > /tmp/_pf#{$$}" )
++		system( mafftpath + " --maxiterate 1000 --localpair --core --coreext --corethr #{corethr.to_s} --corewin #{corewin.to_s} #{temp_if} > #{temp_pf}" )
+ 	end
+ end
+ 
+-pfp = File.open( "/tmp/_pf#{$$}", 'r' )
++pfp = File.open( "#{temp_pf}", 'r' )
+ inname = []
+ inseq = []
+ slen = []
+@@ -155,7 +169,7 @@
+ end
+ pfp.close
+ 
+-pfp = File.open( "/tmp/_if#{$$}", 'r' )
++pfp = File.open( "#{temp_if}", 'r' )
+ orname = []
+ orseq = []
+ nin = 0
+@@ -188,7 +202,7 @@
+ #p act
+ 
+ 
+-afp = File.open( "/tmp/_af#{$$}", 'w' )
++afp = File.open( "#{temp_af}", 'w' )
+ 
+ STDERR.puts "Searching .. \n"
+ ids = []
+@@ -209,10 +223,10 @@
+ 	end
+ 
+ 	if local == 0 then
+-		command = "lynx -source 'http://www.ncbi.nlm.nih.gov/blast/Blast.cgi?QUERY=" + inseq[i] + "&DATABASE=swissprot&HITLIST_SIZE=" + nadd.to_s + "&FILTER=L&EXPECT='" + eval.to_s + "'&FORMAT_TYPE=TEXT&PROGRAM=blastp&SERVICE=plain&NCBI_GI=on&PAGE=Proteins&CMD=Put' > /tmp/_rid#{$$}"
++		command = "lynx -source 'http://www.ncbi.nlm.nih.gov/blast/Blast.cgi?QUERY=" + inseq[i] + "&DATABASE=swissprot&HITLIST_SIZE=" + nadd.to_s + "&FILTER=L&EXPECT='" + eval.to_s + "'&FORMAT_TYPE=TEXT&PROGRAM=blastp&SERVICE=plain&NCBI_GI=on&PAGE=Proteins&CMD=Put' > #{temp_rid}"
+ 		system command
+ 	
+-		ridp = File.open( "/tmp/_rid#{$$}", 'r' )
++		ridp = File.open( "#{temp_rid}", 'r' )
+ 		while ridp.gets
+ 			break if $_ =~ / RID = (.*)/
+ 		end
+@@ -224,9 +238,9 @@
+ 		while 1 
+ 			STDERR.printf "."
+ 			sleep 10
+-			command = "lynx -source 'http://www.ncbi.nlm.nih.gov/blast/Blast.cgi?RID=" + rid + "&DESCRIPTIONS=500&ALIGNMENTS=" + nadd.to_s + "&ALIGNMENT_TYPE=Pairwise&OVERVIEW=no&CMD=Get&FORMAT_TYPE=XML' > /tmp/_res#{$$}"
++			command = "lynx -source 'http://www.ncbi.nlm.nih.gov/blast/Blast.cgi?RID=" + rid + "&DESCRIPTIONS=500&ALIGNMENTS=" + nadd.to_s + "&ALIGNMENT_TYPE=Pairwise&OVERVIEW=no&CMD=Get&FORMAT_TYPE=XML' > #{temp_res}"
+ 			system command
+-			resp = File.open( "/tmp/_res#{$$}", 'r' )
++			resp = File.open( "#{temp_res}", 'r' )
+ #			resp.gets
+ #			if $_ =~ /WAITING/ then
+ #				resp.close
+@@ -247,17 +261,17 @@
+ 	else
+ #		puts "Not supported"
+ #		exit
+-		qfp = File.open( "/tmp/_q#{$$}", 'w' )
++		qfp = File.open( "#{temp_qf}", 'w' )
+ 			qfp.puts "> "
+ 			qfp.puts inseq[i]
+ 		qfp.close
+-		command = blastpath + "  -p blastp  -e #{eval} -b 1000 -m 7 -i /tmp/_q#{$$} -d #{localdb} > /tmp/_res#{$$}"
++		command = blastpath + "  -p blastp  -e #{eval} -b 1000 -m 7 -i #{temp_qf} -d #{localdb} > #{temp_res}"
+ 		system command
+-		resp = File.open( "/tmp/_res#{$$}", 'r' )
++		resp = File.open( "#{temp_res}", 'r' )
+ 	end
+ 	STDERR.puts " Done.\n\n"
+ 
+-	resp = File.open( "/tmp/_res#{$$}", 'r' )
++	resp = File.open( "#{temp_res}", 'r' )
+ 	while 1
+ 		while resp.gets
+ 			break if $_ =~ /<Hit_id>(.*)<\/Hit_id>/ || $_ =~ /(<Iteration_stat>)/
+@@ -310,17 +324,15 @@
+ afp.close
+ 
+ STDERR.puts "Performing alignment .. "
+-system( mafftpath + mafftopt + " /tmp/_af#{$$} > /tmp/_bf#{$$}" )
++system( mafftpath + mafftopt + " #{temp_af} > #{temp_bf}" )
+ STDERR.puts "done."
+ 
+-bfp = File.open( "/tmp/_bf#{$$}", 'r' )
++bfp = File.open( "#{temp_bf}", 'r' )
+ outseq = []
+ outnam = []
+ readfasta( bfp, outnam, outseq )
+ bfp.close
+ 
+-
+-
+ outseq2 = []
+ outnam2 = []
+ 
+@@ -357,4 +369,5 @@
+ 	puts outseq2[i].gsub( /.{1,60}/, "\\0\n" )
+ end
+ 
+-system( "rm -rf /tmp/_if#{$$} /tmp/_vf#{$$} /tmp/_af#{$$} /tmp/_bf#{$$} /tmp/_pf#{$$} /tmp/_q#{$$} /tmp/_res#{$$} /tmp/_rid#{$$}" )
++
++#system( "rm -rf #{temp_if} #{temp_vf} #{temp_af} #{temp_bf} #{temp_pf} #{temp_qf} #{temp_res} #{temp_rid}" )
+Index: mafft-6.240/src/mafft.tmpl
+===================================================================
+--- mafft-6.240.orig/src/mafft.tmpl
++++ mafft-6.240/src/mafft.tmpl
+@@ -240,11 +240,11 @@
+ 		shift   
+ 	done;
+ 
+-#	TMPFILE=/tmp/`basename $0`.`whoami`.$$.`date +%y%m%d%H%M%S`
+-	TMPFILE=/tmp/$progname.$$
++#	TMPFILE=/tmp/$progname.$$
++	TMPFILE=`mktemp -dt $progname.XXXXXXXXXX`
+ 	umask 077
+-	mkdir  $TMPFILE  || er=1
+-	trap "rm -r $TMPFILE " 0
++#	mkdir  $TMPFILE  || er=1
++	trap "rm -rf $TMPFILE " 0
+ 	if [ $# -eq 1 ]; then
+ 		if [ -r "$1" -o "$1" = - ]; then
+ 			cat "$1" | tr "\r" "\n" > $TMPFILE/infile 
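Review bot: in src/mafft-homologs.tmpl the `Tempfile.new("_vf").path` idiom keeps only the path string and immediately discards the Tempfile object. Ruby's Tempfile unlinks its file from a finalizer when the object is garbage-collected, so any of the eight files can vanish part-way through a run, after which the shell redirections (`> #{temp_vf}`, `>> #{temp_if}`) recreate the name as an ordinary file without the exclusive-create guarantee the patch is meant to provide. Keep the objects and clean up explicitly, e.g. `vf = Tempfile.new("_vf"); temp_vf = vf.path` at the top and `vf.close!` at the end; that also replaces the now commented-out `#system( "rm -rf ..." )` line instead of leaving the files (and eight open descriptors) behind. The hunk also introduces an unrelated behaviour change, `if nseq >= 100 then ... exit`, which exits with status 0 on an error condition and is documented in neither the changelog nor the manpage; it should exit non-zero and be mentioned. In src/mafft.tmpl, ``TMPFILE=`mktemp -dt $progname.XXXXXXXXXX` `` drops the previous `|| er=1` handling: if mktemp fails, TMPFILE is empty and the script goes on to write `$TMPFILE/infile`, i.e. `/infile`; append `|| exit 1`. `mktemp -d` creates the directory mode 0700, so `umask 077` now only governs files created inside it, which is fine. Finally, the patch description speaks of `mktemp` but the Ruby side uses Tempfile; the description should say so.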
only in patch2:
unchanged:
--- mafft-6.240.orig/debian/patches/series
+++ mafft-6.240/debian/patches/series
@@ -0,0 +1 @@
+Securisation-by-mktemp-usage.patch




Information forwarded to debian-bugs-dist@lists.debian.org, Debian-Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>:
Bug#496366; Package mafft. Full text and rfc822 format available.

Acknowledgement sent to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian-Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #54 received at 496366@bugs.debian.org (full text, mbox):

From: Luk Claes <luk@debian.org>
To: Charles Plessy <plessy@debian.org>
Cc: debian-release@lists.debian.org, 496366@bugs.debian.org
Subject: Re: Preparing update of 'mafft' to fix #496366 ("grave" security bug).
Date: Thu, 04 Sep 2008 07:36:18 +0200
Charles Plessy wrote:
> On Mon, Aug 25, 2008 at 10:17:02PM -0700, Steve Langasek wrote:
>> On Tue, Aug 26, 2008 at 01:40:01PM +0900, Charles Plessy wrote:
>>
>>> Would you accept this package in Lenny to fix #496366?
>> If the diff is in line with this description, yes.
> 
> Hi Steve, hi all,
> 
> thank you for your patience. I have been in contact with Upstream who
> reviewed and kindly finished the patching work (I did not manage to produce a
> working patch for the Ruby file).
> 
> I added a paragraph about the patch to the manpages, but as the sources are in
> XML and the stylesheets evolved, the diff is big. All the changes unrelated to
> the bug are documented in the changelog, except the addition of
> DM-Upload-Allowed: yes, that is systematic in our packages anyway, and cosmetic
> improvements of the description. The patch itself now affects another file in
> which a similar security problem was uncovered by Upstream. Here is the full
> debdiff.

Please upload.

Cheers

Luk




Reply sent to Charles Plessy <plessy@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #59 received at 496366-close@bugs.debian.org (full text, mbox):

From: Charles Plessy <plessy@debian.org>
To: 496366-close@bugs.debian.org
Subject: Bug#496366: fixed in mafft 6.240-2
Date: Thu, 04 Sep 2008 14:32:05 +0000
Source: mafft
Source-Version: 6.240-2

We believe that the bug you reported is fixed in the latest version of
mafft, which is due to be installed in the Debian FTP archive:

mafft_6.240-2.diff.gz
  to pool/main/m/mafft/mafft_6.240-2.diff.gz
mafft_6.240-2.dsc
  to pool/main/m/mafft/mafft_6.240-2.dsc
mafft_6.240-2_amd64.deb
  to pool/main/m/mafft/mafft_6.240-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 496366@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Charles Plessy <plessy@debian.org> (supplier of updated mafft package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 25 Aug 2008 23:30:20 +0900
Source: mafft
Binary: mafft
Architecture: source amd64
Version: 6.240-2
Distribution: unstable
Urgency: high
Maintainer: Debian-Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>
Changed-By: Charles Plessy <plessy@debian.org>
Description: 
 mafft      - Multiple alignment program for amino acid or nucleotide sequences
Closes: 496366
Changes: 
 mafft (6.240-2) unstable; urgency=high
 .
   [ Charles Plessy ]
   * debian/control:
     - Moved the Homepage: field out from the package's description.
     - Enhances: t-coffee.
   * Updated my email address.
   * Securisation of the temporary files of mafft-homologs:
     - debian/control: build-depend on quilt.
     - debian/rules: modified to use quilt.
     - debian/README.source: signals that the package uses quilt.
     - debian/patches: added a patch to use non-guessable temporary files
       (Closes: #496366). Thanks to Dmitry E. Oboukhov for finding the bug, Thijs
       Kinkhorst for preliminary, Kazutaka Katoh for the final implementation,
       and Michael Schutte for the final review.
     - debian/mafft-homologs.1*, debian/README.Debian: document that the
       program is patched.
 .
   [ David Paleino ]
   * debian/mafft.1, debian/mafft-homologs.1 added - manpages built statically.
   * debian/control:
     - B-D updated (see above)
     - added myself to Uploaders
     - moved XS-Vcs-* fields to Vcs-*
     - Updated to Standards-Version 3.7.3 (no changes needed)
   * debian/rules:
     - reflecting static build of manpages
     - minor changes
Checksums-Sha1: 
 10910d283ebe60abd4daa0c23c7176080d92ab66 1301 mafft_6.240-2.dsc
 d005a67f688b17c4f9712477ead2fe73b261ed93 11463 mafft_6.240-2.diff.gz
 dfbbc28ff23a84ac8cf1db185b521eb4809a0446 2141648 mafft_6.240-2_amd64.deb
Checksums-Sha256: 
 51fec526aff16ae73c61af5faa21525bf40162fd6558efa4cc308a0040dff79c 1301 mafft_6.240-2.dsc
 5382de083844691b00f64263d49f7465110456d5a069a2dd71b2dfb35d89b7c6 11463 mafft_6.240-2.diff.gz
 6f02cf7128018b671b7f36d45a664e0c75751432610179c2ffa2873224f42911 2141648 mafft_6.240-2_amd64.deb
Files: 
 986bd9ca1a5ab63ef4abc1b726cb3854 1301 science optional mafft_6.240-2.dsc
 0c0dd3e97b085852d1cbb6e2168f9d24 11463 science optional mafft_6.240-2.diff.gz
 ebe53fee218af9a465acc3fdfec39f09 2141648 science optional mafft_6.240-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAki/7XoACgkQdYl1krr+x/K3OQCfc4PvpEL3AHYMPJOBne9+z/31
U0MAn1T01fdzF4HA/sN86jnFyq/FEm6h
=pVmN
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 07 Oct 2008 07:30:56 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 03:55:39 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.