Debian Bug report logs - #496383
The possibility of attack with the help of symlinks in some Debian packages

Package: xastir; Maintainer for xastir is Debian Hams group <debian-hams@lists.debian.org>; Source for xastir is src:xastir.

Reported by: "Dmitry E. Oboukhov" <dimka@uvw.ru>

Date: Sun, 24 Aug 2008 18:10:03 UTC

Severity: grave

Tags: security

Fixed in version xastir/1.9.2-2.1

Done: Gerfried Fuchs <rhonda@debian.at>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Hams group <debian-hams@lists.debian.org>:
Bug#496383; Package xastir. Full text and rfc822 format available.

Acknowledgement sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
New Bug report received and forwarded. Copy sent to Debian Hams group <debian-hams@lists.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Dmitry E. Oboukhov" <dimka@uvw.ru>
To: submit@bugs.debian.org
Cc: dimka@uvw.ru
Subject: The possibility of attack with the help of symlinks in some Debian packages
Date: Sun, 24 Aug 2008 22:05:30 +0400
Package: xastir
Severity: grave

Hi, maintainer!

This message about the error concerns a few packages  at  once.   I've
tested all the packages (for Lenny) on my Debian mirror.  All  scripts
of packages (marked as executable) were tested.

In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or user's files.

For example if a script uses in its work a temp file which is  created
in /tmp directory, then every user can create symlink  with  the  same
name in this directory in order to  destroy  or  rewrite  some  system
or user file.  Symlink attack may also  lead  not  only  to  the  data
destruction but to denial of service as well.

Even if you create files or directories with help of function 'RANDOM'
or pid(), then your system is not protected. Attacker can create many
symlinks in order to destroy your data or create 'denial  of  service'
for your package scripts.

Even if you make rm(dir) for files/directories, then  your  system  is
not protected. Attacker can permanently create symlinks.

This list is created with the help of script.  This list is sorted  by
hand. However in some cases mistake is possible.

Please, be understanding to possible mistakes. :)

I set Severity into grave for this bug. The table of discovered
problems is below.

Discussion of this bug you can see in debian-devel@:
    http://lists.debian.org/debian-devel/2008/08/msg00271.html

Binary-package: r-base-core-ra (1.1.1-1)
    file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
    file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
    file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
    file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
    file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
    file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
    file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
    file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
    file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
    file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
    file: /usr/share/dtc/admin/accesslog.php
    file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
    file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
    file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
    file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
    file: /usr/share/linuxtrade/bin/linuxtrade.wn
    file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
    file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
    file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
    file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
    file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
    file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
    file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
    file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
    file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
    file: /usr/bin/impose
Binary-package: mgt (2.31-5)
    file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
    file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
    file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
    file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
    file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
    file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
    file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
    file: /usr/lib/lmbench/scripts/rccs
    file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
    file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
    file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
    file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
    file: /usr/bin/optics2rad
    file: /usr/bin/pdelta
    file: /usr/bin/dayfact
    file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
    file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
    file: /usr/share/convirt/image_store/_template_/provision.sh
    file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
    file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/common/provision.sh
    file: /usr/share/convirt/image_store/example/provision.sh
    file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
    file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
    file: /usr/lib/R/bin/javareconf
    file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
    file: /usr/share/xmcd/scripts/ncsarmt
    file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
    file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
    file: /usr/lib/scilab-4.1.2/bin/scilink
    file: /usr/lib/scilab-4.1.2/util/scidoc
    file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
    file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
    file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
    file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
    file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
    file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
    file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
    file: /usr/sbin/checksendmail
    file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
    file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
    file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
    file: /usr/bin/patcil
    file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
    file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
    file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
    file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
    file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
    file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
    file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
    file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
    file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
    file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
    file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
    file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
    file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
    file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
    file: /usr/lib/arb/SH/arb_fastdnaml
    file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
    file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
    file: /usr/bin/apertium-gen-deformat
    file: /usr/bin/apertium-gen-reformat
    file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
    file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
    file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
    file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
    file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
    file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
    file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
    file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
    file: /var/lib/wims/public_html/bin/coqweb
    file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
    file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
    file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
    file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
    file: /usr/share/bulmages/examples/scripts/actualizabulmacont
    file: /usr/share/bulmages/examples/scripts/installbulmages-db
    file: /usr/share/bulmages/examples/scripts/creabulmafact
    file: /usr/share/bulmages/examples/scripts/creabulmacont
    file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
    file: /usr/lib/xastir/get-maptools.sh
    file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
    file: /usr/bin/plaiter
    file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
    file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
    file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
    file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
    file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh
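
The report says the list above came from a script followed by manual sorting; that script is not shown. The following is an added example of such a heuristic, not the reporter's script: it flags lines that name a path under /tmp without going through mktemp and labels them with the three cases the report describes (fixed name, pid-based, RANDOM-based). The function names and the sample input are constructed for illustration, and hits are candidates for manual review only.

```shell
#!/bin/sh
# Added example: heuristic audit for predictable temp-file names in shell
# scripts. Function names are hypothetical; the sample input is constructed.

# Print "LINE:KIND" for every non-comment line of file $1 that names a path
# under /tmp without using mktemp.
# KIND is fixed-name, pid-based ($$) or random-based ($RANDOM).
audit_tmp_usage() {
    awk '
        /^[ \t]*#/ { next }    # comment lines are ignored
        /mktemp/   { next }    # name is produced by mktemp: not flagged
        /\/tmp\// {
            kind = "fixed-name"
            if ($0 ~ /\/tmp\/[^ \t]*[$][$]/)
                kind = "pid-based"
            else if ($0 ~ /\/tmp\/[^ \t]*[$][{]?RANDOM/)
                kind = "random-based"
            printf "%d:%s\n", NR, kind
        }
    ' "$1"
}

# Constructed sample script, not taken from any package on the list.
sample_script() {
    cat <<'EOF'
#!/bin/sh
# constructed sample
OUT=/tmp/maptools.log
wget -o "$OUT" http://example.invalid/file
SCRATCH=/tmp/work.$$
rm -f /tmp/lock.$RANDOM
SAFE=$(mktemp /tmp/ok.XXXXXX)
echo done > "$SAFE"
EOF
}

# Write the sample to a private temp file, audit it, then clean up.
audit_sample() {
    f=$(mktemp "${TMPDIR:-/tmp}/audit-sample.XXXXXX") || return 1
    sample_script > "$f"
    audit_tmp_usage "$f"
    rm -f "$f"
}

audit_sample
```
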




Tags added: Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:45:27 GMT) Full text and rfc822 format available.

Tags added: security Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:57:19 GMT) Full text and rfc822 format available.

Reply sent to Joop Stakenborg <pa3aba@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #14 received at 496383-close@bugs.debian.org (full text, mbox):

From: Joop Stakenborg <pa3aba@debian.org>
To: 496383-close@bugs.debian.org
Subject: Bug#496383: fixed in xastir 1.9.2-1.1
Date: Tue, 26 Aug 2008 14:02:07 +0000
Source: xastir
Source-Version: 1.9.2-1.1

We believe that the bug you reported is fixed in the latest version of
xastir, which is due to be installed in the Debian FTP archive:

xastir_1.9.2-1.1.diff.gz
  to pool/main/x/xastir/xastir_1.9.2-1.1.diff.gz
xastir_1.9.2-1.1.dsc
  to pool/main/x/xastir/xastir_1.9.2-1.1.dsc
xastir_1.9.2-1.1_i386.deb
  to pool/main/x/xastir/xastir_1.9.2-1.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 496383@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joop Stakenborg <pa3aba@debian.org> (supplier of updated xastir package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 26 Aug 2008 15:48:02 +0200
Source: xastir
Binary: xastir
Architecture: source i386
Version: 1.9.2-1.1
Distribution: unstable
Urgency: low
Maintainer: Debian Hams group <debian-hams@lists.debian.org>
Changed-By: Joop Stakenborg <pa3aba@debian.org>
Description: 
 xastir     - X Amateur Station Tracking and Information Reporting
Closes: 496383
Changes: 
 xastir (1.9.2-1.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Fix attack with the help of symlinks. scripts/get-maptools.sh and
     scripts/get_shapelib.sh now use mktemp -t. Closes: #496383.
   * Add myself to the uploaders field.





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Hams group <debian-hams@lists.debian.org>:
Bug#496383; Package xastir. Full text and rfc822 format available.

Acknowledgement sent to Tomas Hoger <thoger@redhat.com>:
Extra info received and forwarded to list. Copy sent to Debian Hams group <debian-hams@lists.debian.org>. Full text and rfc822 format available.

Message #19 received at 496383@bugs.debian.org (full text, mbox):

From: Tomas Hoger <thoger@redhat.com>
To: Joop Stakenborg <pa3aba@debian.org>
Cc: 496383@bugs.debian.org
Subject: xastir - broken temp file patch (#496383)
Date: Thu, 28 Aug 2008 16:06:34 +0200
Hi Joop!

You probably wanted to use:

  TMPFILE=`mktemp -t`

instead of

  TMPFILE = 'mktemp -t'

in your patch for #496383, right?

HTH

-- 
Tomas Hoger




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Hams group <debian-hams@lists.debian.org>:
Bug#496383; Package xastir. Full text and rfc822 format available.

Acknowledgement sent to Joop Stakenborg <pa3aba@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Hams group <debian-hams@lists.debian.org>. Full text and rfc822 format available.

Message #24 received at 496383@bugs.debian.org (full text, mbox):

From: Joop Stakenborg <pa3aba@debian.org>
To: Tomas Hoger <thoger@redhat.com>, 496383@bugs.debian.org
Subject: Re: Bug#496383: xastir - broken temp file patch (#496383)
Date: Thu, 28 Aug 2008 16:53:41 +0200
On Thursday 28-08-2008 at 16:06 [timezone +0200], Tomas Hoger wrote:
> Hi Joop!
> 
> You probably wanted to use:
> 
>   TMPFILE=`mktemp -t`
> 
> instead of
> 
>   TMPFILE = 'mktemp -t'
> 
> in your patch for #496383, right?
> 

Ouch, will fix ASAP, thanks!

> HTH
> 
> -- 
> Tomas Hoger
> 
> 
> 

Joop

Bug reopened, originator not changed. Request was from Gerfried Fuchs <rhonda@debian.at> to control@bugs.debian.org. (Sun, 31 Aug 2008 15:57:02 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Hams group <debian-hams@lists.debian.org>:
Bug#496383; Package xastir. Full text and rfc822 format available.

Acknowledgement sent to Gerfried Fuchs <rhonda@deb.at>:
Extra info received and forwarded to list. Copy sent to Debian Hams group <debian-hams@lists.debian.org>. Full text and rfc822 format available.

Message #31 received at 496383@bugs.debian.org (full text, mbox):

From: Gerfried Fuchs <rhonda@deb.at>
To: Joop Stakenborg <pa3aba@debian.org>, 496383@bugs.debian.org
Cc: Tomas Hoger <thoger@redhat.com>
Subject: Re: Bug#496383: xastir - broken temp file patch (#496383)
Date: Sun, 31 Aug 2008 18:06:54 +0200
* Joop Stakenborg <pa3aba@debian.org> [2008-08-28 16:53:41 CEST]:
> On Thursday 28-08-2008 at 16:06 [timezone +0200], Tomas Hoger wrote:
> > You probably wanted to use:
> >   TMPFILE=`mktemp -t`
> > instead of
> >   TMPFILE = 'mktemp -t'
> > in your patch for #496383, right?
> 
> Ouch, will fix ASAP, thanks!

 You didn't, the required fix required to use backticks instead of
quotes ...

 I'm currently building an NMU to fix this problem (find attached the
interdiff for it). Furthermore, the TMPFILE never gets removed, is there
a particular reason to not do so?

 So long,
Rhonda
[xastir_1.9.2-2_1.9.2-2.1.interdiff.gz (application/octet-stream, attachment)]
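
The two points raised in the messages above (the assignment that never runs mktemp, and the temp file that is never removed), shown as an added example that is not the xastir scripts or the attached interdiff. The function names and the `xastir-example` template are hypothetical; `quoted_assignment` illustrates shell quoting in general and is not a copy of any uploaded version.

```shell
#!/bin/sh
# Added illustration of the temp-file assignment discussed in this thread.
# Function names and the "xastir-example" template are hypothetical.

# Form quoted in the thread: with spaces around "=", the shell looks for a
# command named TMPFILE and passes it "=" and "mktemp -t". Nothing is assigned.
spaced_assignment() {
    unset TMPFILE
    status=0
    TMPFILE = 'mktemp -t' 2>/dev/null || status=$?
    # Exit status of the failed command, and whether the variable got a value.
    printf '%s:%s\n' "$status" "${TMPFILE:-unset}"
}

# Single quotes without the spaces are valid syntax but store the literal
# text; mktemp never runs, so a later "> $TMPFILE" would use a fixed name.
quoted_assignment() {
    TMPFILE='mktemp -t'
    printf '%s\n' "$TMPFILE"
}

# Command substitution (backticks or the equivalent $(...)) runs mktemp, which
# creates the file itself under an unpredictable name with mode 0600.
# The EXIT trap removes the file, addressing the "never gets removed" point.
safe_tempfile() {
    (
        tmpfile=$(mktemp "${TMPDIR:-/tmp}/xastir-example.XXXXXX") || exit 1
        trap 'rm -f "$tmpfile"' EXIT
        trap 'exit 1' HUP INT TERM    # route signals through the EXIT trap
        # Sanity checks: a regular file, not a symlink.
        [ -f "$tmpfile" ] || exit 1
        [ ! -L "$tmpfile" ] || exit 1
        printf 'downloaded data\n' > "$tmpfile"
        mode=$(ls -ld "$tmpfile" | cut -c1-10)
        # Report permissions and path; the file is gone once the subshell exits.
        printf '%s %s\n' "$mode" "$tmpfile"
    )
}

spaced_assignment
quoted_assignment
safe_tempfile
```
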

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Hams group <debian-hams@lists.debian.org>:
Bug#496383; Package xastir. Full text and rfc822 format available.

Acknowledgement sent to Gerfried Fuchs <rhonda@deb.at>:
Extra info received and forwarded to list. Copy sent to Debian Hams group <debian-hams@lists.debian.org>. Full text and rfc822 format available.

Message #36 received at 496383@bugs.debian.org (full text, mbox):

From: Gerfried Fuchs <rhonda@deb.at>
To: Joop Stakenborg <pa3aba@debian.org>, 496383@bugs.debian.org
Subject: Re: Bug#496383: xastir - broken temp file patch (#496383)
Date: Sun, 31 Aug 2008 18:23:10 +0200
* Gerfried Fuchs <rhonda@deb.at> [2008-08-31 18:06:54 CEST]:
>  I'm currently building an NMU to fix this problem (find attached the
> interdiff for it). Furthermore, the TMPFILE never gets removed, is there
> a particular reason to not do so?

 Uploaded, one further question, did you actually at any point take a
look at the lintian output of the package? It's a fair bit, even
including an Error and not only Warnings, and some of the Warnings do
indeed look a bit fishy, especially the
debian-rules-calls-debhelper-in-odd-order one.

 So long,
Rhonda




Reply sent to Gerfried Fuchs <rhonda@debian.at>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #41 received at 496383-close@bugs.debian.org (full text, mbox):

From: Gerfried Fuchs <rhonda@debian.at>
To: 496383-close@bugs.debian.org
Subject: Bug#496383: fixed in xastir 1.9.2-2.1
Date: Sun, 31 Aug 2008 16:32:05 +0000
Source: xastir
Source-Version: 1.9.2-2.1

We believe that the bug you reported is fixed in the latest version of
xastir, which is due to be installed in the Debian FTP archive:

xastir_1.9.2-2.1.diff.gz
  to pool/main/x/xastir/xastir_1.9.2-2.1.diff.gz
xastir_1.9.2-2.1.dsc
  to pool/main/x/xastir/xastir_1.9.2-2.1.dsc
xastir_1.9.2-2.1_powerpc.deb
  to pool/main/x/xastir/xastir_1.9.2-2.1_powerpc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 496383@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gerfried Fuchs <rhonda@debian.at> (supplier of updated xastir package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 31 Aug 2008 17:55:56 +0200
Source: xastir
Binary: xastir
Architecture: source powerpc
Version: 1.9.2-2.1
Distribution: unstable
Urgency: low
Maintainer: Debian Hams group <debian-hams@lists.debian.org>
Changed-By: Gerfried Fuchs <rhonda@debian.at>
Description: 
 xastir     - X Amateur Station Tracking and Information Reporting
Closes: 496383
Changes: 
 xastir (1.9.2-2.1) unstable; urgency=low
 .
   * NMU to fix security bug: Actually use backticks instead of quotes for the
     mktemp call (closes: #496383)





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Hams group <debian-hams@lists.debian.org>:
Bug#496383; Package xastir. Full text and rfc822 format available.

Acknowledgement sent to Joop Stakenborg <pa3aba@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Hams group <debian-hams@lists.debian.org>. Full text and rfc822 format available.

Message #46 received at 496383@bugs.debian.org (full text, mbox):

From: Joop Stakenborg <pa3aba@debian.org>
To: Gerfried Fuchs <rhonda@deb.at>, 496383@bugs.debian.org
Cc: Tomas Hoger <thoger@redhat.com>
Subject: Re: Bug#496383: xastir - broken temp file patch (#496383)
Date: Mon, 01 Sep 2008 08:11:02 +0200
On Sunday 31-08-2008 at 18:06 [timezone +0200], Gerfried Fuchs wrote:
> * Joop Stakenborg <pa3aba@debian.org> [2008-08-28 16:53:41 CEST]:
> > On Thursday 28-08-2008 at 16:06 [timezone +0200], Tomas Hoger wrote:
> > > You probably wanted to use:
> > >   TMPFILE=`mktemp -t`
> > > instead of
> > >   TMPFILE = 'mktemp -t'
> > > in your patch for #496383, right?
> > 
> > Ouch, will fix ASAP, thanks!
> 
>  You didn't, the required fix required to use backticks instead of
> quotes ...
> 

I am sorry, I am not a very good shell script writer.

>  I'm currently building an NMU to fix this problem (find attached the
> interdiff for it). Furthermore, the TMPFILE never gets removed, is there
> a particular reason to not do so?
> 

No reason.
I will contact upstream so the next version will fix this.

>  So long,
> Rhonda

Thanks,
Joop

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Feb 2009 08:37:32 GMT) Full text and rfc822 format available.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 02:32:41 2014; Machine Name: buxtehude.debian.org