Report forwarded to debian-bugs-dist@lists.debian.org, Uwe Hermann <uwe@debian.org>: Bug#496422; Package aview.
Acknowledgement sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
New Bug report received and forwarded. Copy sent to Uwe Hermann <uwe@debian.org>.
Information forwarded to debian-bugs-dist@lists.debian.org, Uwe Hermann <uwe@debian.org>: Bug#496422; Package aview.
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Uwe Hermann <uwe@debian.org>.
tags 496422 confirmed security
thanks
Hi,
The issue is indeed clearly present in asciiview, for example:
    myconvert $name >/tmp/aview$$.pgm
Since it's a shell script this can probably be quite easily addressed by using
the essential 'mktemp' to create the temporary file.
cheers,
Thijs
Tags added: confirmed, security
Request was from Thijs Kinkhorst <thijs@debian.org>
to control@bugs.debian.org.
(Mon, 25 Aug 2008 15:51:08 GMT)
Tags added:
Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru>
to control@bugs.debian.org.
(Tue, 26 Aug 2008 08:45:51 GMT)
Tags added: security
Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru>
to control@bugs.debian.org.
(Tue, 26 Aug 2008 08:57:40 GMT)
Acknowledgement sent to Patryk Cisek <patryk@prezu.one.pl>:
Extra info received and forwarded to list. Copy sent to Uwe Hermann <uwe@debian.org>.
Your message did not contain a Subject field. They are recommended and
useful because the title of a Bug is determined using this field.
Please remember to include a Subject field in your messages in future.
Tags added: patch
Request was from Patryk Cisek <patryk@prezu.one.pl>
to control@bugs.debian.org.
(Sun, 31 Aug 2008 14:30:04 GMT)
Acknowledgement sent to Gerfried Fuchs <rhonda@deb.at>:
Extra info received and forwarded to list. Copy sent to Uwe Hermann <uwe@debian.org>.
To: Patryk Cisek <patryk@prezu.one.pl>, 496422@bugs.debian.org
Subject: Re: Bug#496422: (no subject)
Date: Mon, 1 Sep 2008 12:00:42 +0200
* Patryk Cisek <patryk@prezu.one.pl> [2008-08-31 16:28:09 CEST]:
> I attached a patch with a fix for this bug.
Unfortunately your patch contains another problem: It cleans up any
files instead of only the process's own created ones which leads to
runtime issues with multiple concurrent running instances.
As the trap function for exit has access to all the variables used at
the time it's called there is no problem having clear() directly
"rm -f $tmpfilenam" instead.
I'm currently testing that approach and will upload an NMU in a short
while.
So long,
Rhonda
Acknowledgement sent to Gerfried Fuchs <rhonda@deb.at>:
Extra info received and forwarded to list. Copy sent to Uwe Hermann <uwe@debian.org>.
* Gerfried Fuchs <rhonda@deb.at> [2008-09-01 12:00:42 CEST]:
> * Patryk Cisek <patryk@prezu.one.pl> [2008-08-31 16:28:09 CEST]:
> > I attached a patch with a fix for this bug.
>
> Unfortunately your patch contains another problem: It cleans up any
> files instead of only the process's own created ones which leads to
> runtime issues with multiple concurrent running instances.
... furthermore, the tempfilenam you introduced doesn't end in .pgm and
thus the script doesn't work. Did you actually test your patch? :)
Find attached the interdiff with a tested patch for the NMU I uploaded
just right now.
So long, and thanks for taking care of this nice tool. :)
Rhonda
Acknowledgement sent to Patryk Cisek <patryk@prezu.one.pl>:
Extra info received and forwarded to list. Copy sent to Uwe Hermann <uwe@debian.org>.
Monday 01 of September 2008 12:38:52 Gerfried Fuchs wrote:
> ... furthermore, the tempfilenam you introduced doesn't end in .pgm and
> thus the script doesn't work. Did you actually test your patch? :)
Yes, I tested it with jpg files. I didn't have any .fli, .lfc, or .flic, so
didn't check those. Only if the aview $options $tmpfilenam executes. So the
problem you're referring to is related to those files? Just out of curiosity,
could you please shed some light on it? I mean the .pgm file name extension
problem. :] Cause with jpeg works just as expected.
--
Patryk Cisek
Source: aview
Source-Version: 1.3.0rc1-8.1
We believe that the bug you reported is fixed in the latest version of
aview, which is due to be installed in the Debian FTP archive:
aview_1.3.0rc1-8.1.diff.gz
to pool/main/a/aview/aview_1.3.0rc1-8.1.diff.gz
aview_1.3.0rc1-8.1.dsc
to pool/main/a/aview/aview_1.3.0rc1-8.1.dsc
aview_1.3.0rc1-8.1_powerpc.deb
to pool/main/a/aview/aview_1.3.0rc1-8.1_powerpc.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 496422@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gerfried Fuchs <rhonda@debian.at> (supplier of updated aview package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Mon, 01 Sep 2008 12:14:00 +0200
Source: aview
Binary: aview
Architecture: source powerpc
Version: 1.3.0rc1-8.1
Distribution: unstable
Urgency: low
Maintainer: Uwe Hermann <uwe@debian.org>
Changed-By: Gerfried Fuchs <rhonda@debian.at>
Description:
aview - A high quality ASCII art image viewer and video player
Closes: 496422
Changes:
aview (1.3.0rc1-8.1) unstable; urgency=low
.
* Non-maintainer upload fixing security propblem with tmp files, thanks to
Patryk Cisek for the idea (closes: #496422)
Acknowledgement sent to Gerfried Fuchs <rhonda@deb.at>:
Extra info received and forwarded to list. Copy sent to Uwe Hermann <uwe@debian.org>.
To: Patryk Cisek <patryk@prezu.one.pl>, 496422@bugs.debian.org
Subject: Re: Bug#496422: (no subject)
Date: Mon, 1 Sep 2008 13:44:32 +0200
* Patryk Cisek <patryk@prezu.one.pl> [2008-09-01 13:00:17 CEST]:
> Monday 01 of September 2008 12:38:52 Gerfried Fuchs wrote:
> > ... furthermore, the tempfilenam you introduced doesn't end in .pgm and
> > thus the script doesn't work. Did you actually test your patch? :)
>
> Yes, I tested it with jpg files. I didn't have any .fli, .lfc, or .flic, so
> didn't check those. Only if the aview $options $tmpfilenam executes. So the
> problem you're referring to is related to those files? Just out of curiosity,
> could you please shed some light on it? I mean the .pgm file name extension
> problem. :] Cause with jpeg works just as expected.
Erm, that problem was a problem at my end at first, because I didn't
like the mktemp -u approach you chose, because of hopefully
understandable reasons. It would still have been a race condition, just a
very limited one. So I just removed the -u switch but didn't notice the
error message that mkfifo wasn't able to create the fifo - and thus in
the end the rest failed obviously.
As I was going a different path anyway, that small understanding
problem with your approach wasn't a big problem. Sorry for the
confusion. :)
So long! :)
Rhonda
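
Added example (not part of the bug log and not the patch uploaded in the NMU): a shell sketch of the two points raised in this thread, creating the .pgm temporary file without a predictable or pre-announced name, and having the exit trap remove only this instance's own file. The function names, the aview.XXXXXX template and the frame.pgm file name are assumptions.

```sh
#!/bin/sh
# Added example, not the aview NMU patch; all function names are hypothetical.

# mktemp -d creates a fresh mode-0700 directory atomically, so the name is
# never chosen ahead of creation (the window "mktemp -u" leaves open).
# The file inside can then carry the fixed .pgm suffix the viewer needs.
new_pgm_tmp() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/aview.XXXXXX") || return 1
    printf '%s\n' "$dir/frame.pgm"
}

# Remove only this instance's file and directory; nothing is globbed, so
# other running instances keep their files.
cleanup_pgm_tmp() {
    [ -n "$1" ] || return 0
    rm -f -- "$1"
    rmdir -- "${1%/*}" 2>/dev/null || true
}

# Stand-in for the script's conversion step: writes a 1x1 PGM (constructed).
write_sample_pgm() {
    printf 'P2\n1 1\n255\n0\n' >"$1"
}

# One run in its own subshell. The EXIT trap expands $tmpfile when it fires,
# so it cleans up exactly the path this instance created.
view_once() (
    tmpfile=$(new_pgm_tmp) || exit 1
    trap 'cleanup_pgm_tmp "$tmpfile"' EXIT
    trap 'exit 1' HUP INT TERM
    write_sample_pgm "$tmpfile"
    [ -s "$tmpfile" ] || exit 1
    printf '%s\n' "$tmpfile"    # report the path that was used
    exit 0
)
```
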
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 16 Mar 2009 08:10:31 GMT)