Package: tau
Version: 2.16.4-1.1
Severity: important
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was published for
tau.
CVE-2008-5157[1]:
> tau 2.16.4 allows local users to overwrite arbitrary files via a symlink
> attack on a (1) /tmp/makefile.tau.*.##### or (2) /tmp/makefile.tau*.#####
> temporary file, related to the (a) tau_cxx, (b) tau_f90, and (c) tau_cc
> scripts.
If you fix the vulnerability please also make sure to include the CVE id in
the changelog entry.
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5157http://security-tracker.debian.net/tracker/CVE-2008-5157
Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
Source: tau
Source-Version: 2.16.4-1.3
We believe that the bug you reported is fixed in the latest version of
tau, which is due to be installed in the Debian FTP archive:
python-tau_2.16.4-1.3_amd64.deb
to main/t/tau/python-tau_2.16.4-1.3_amd64.deb
tau-examples_2.16.4-1.3_all.deb
to main/t/tau/tau-examples_2.16.4-1.3_all.deb
tau-racy_2.16.4-1.3_all.deb
to main/t/tau/tau-racy_2.16.4-1.3_all.deb
tau_2.16.4-1.3.diff.gz
to main/t/tau/tau_2.16.4-1.3.diff.gz
tau_2.16.4-1.3.dsc
to main/t/tau/tau_2.16.4-1.3.dsc
tau_2.16.4-1.3_amd64.deb
to main/t/tau/tau_2.16.4-1.3_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 506348@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated tau package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 04 Feb 2010 11:32:12 +1100
Source: tau
Binary: tau tau-racy python-tau tau-examples
Architecture: source all amd64
Version: 2.16.4-1.3
Distribution: unstable
Urgency: low
Maintainer: Yann Dirson <dirson@debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description:
python-tau - Tuning and Analysis Utilities - support for python bindings
tau - Tuning and Analysis Utilities - base profiling toolkit
tau-examples - Tuning and Analysis Utilities - examples
tau-racy - Tuning and Analysis Utilities - Tcl/tk profiler GUI
Closes: 506348568010
Changes:
tau (2.16.4-1.3) unstable; urgency=low
.
* Non-maintainer upload
* Merge 2.16.4-1.2ubuntu2
Co-install with python2.6-minimal
Closes: 568010
* Fix CVE-2008-5157
Don't allow files to be overwritten via a symlink attack
Closes: 506348
Checksums-Sha1:
7f5638b84f8b544c736c30bdcf997cde9a80c16a 1706 tau_2.16.4-1.3.dsc
3004f5e04d446733886243276e22fa23dc022c49 14520 tau_2.16.4-1.3.diff.gz
286e63bdd8ae2d7a7e6914068c2d334d6ce47475 108488 tau-racy_2.16.4-1.3_all.deb
1c349c0ac20f2f7141aa20104948a9ac7f2850ed 143212 tau-examples_2.16.4-1.3_all.deb
887a8d4294fa38bae648f88959c6a57a496c5bb4 394366 tau_2.16.4-1.3_amd64.deb
3966ea6903fa63c0bc65ca6316e87655601df628 31384 python-tau_2.16.4-1.3_amd64.deb
Checksums-Sha256:
80d40e9c4297cd6f030cd379e0fbcb5881a99c469a5d57c9f4f8141cca8eb116 1706 tau_2.16.4-1.3.dsc
4cecb503892f93f745f5c8795fbfd577ad07bdb61848d7d5eba76d2a1231717e 14520 tau_2.16.4-1.3.diff.gz
dd552e4316a4dbed21416dae9b2d6461145a2a6eb4af2daf5d8f2d168d75d4d3 108488 tau-racy_2.16.4-1.3_all.deb
89e90837ec1b2b01b71c8c998773448d30438d983afa6da617109adf8d0a440a 143212 tau-examples_2.16.4-1.3_all.deb
9d36f407fa9589998d96c8fce7649073c8c0248d4d2bbe15bf2646cf5ab72bdb 394366 tau_2.16.4-1.3_amd64.deb
9c8f428064740e14f48413fbdb3716261150140f9f82764be2db7df430d8a5c2 31384 python-tau_2.16.4-1.3_amd64.deb
Files:
adb02ceda458d8bd7470dd329fc23148 1706 devel optional tau_2.16.4-1.3.dsc
0e28a390d3257ad5838617454dd4b9ae 14520 devel optional tau_2.16.4-1.3.diff.gz
e7e52e26fb42217ea6f2f9be1f879873 108488 devel optional tau-racy_2.16.4-1.3_all.deb
d4c41387bc36597adee387e1d002f080 143212 devel optional tau-examples_2.16.4-1.3_all.deb
b6b2f5e041adf12c18d95c47b2af16f0 394366 devel optional tau_2.16.4-1.3_amd64.deb
8e5640c2f006333f36a696a1e04c984b 31384 python optional python-tau_2.16.4-1.3_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iQIcBAEBCAAGBQJLajppAAoJEHxWrP6UeJfY5U8P/0a7wisy2AXX/THPHI3VHkNH
lkQJJtSNn1LpxrJJau7KSEw/lEQkYf4pKcl0MnqP+UY4CGBPVWCwBYsEZfLeC/YY
wA4oZAAgFso0VyoZWM+80eS4+ayv8mdPFFoIqp+w9INjdfbpZz1JZwxRPjZuei+3
Wj82wXUqoV6kj6wUkDVJ2QO273OK1TkJtRqAyjXkJjbNmpmcIc9R8Xa2q6fj9x2y
/7uEYTA2PaapvMD+6/pzUIqjMxSuuUOP0LcunI3B50VrKCLd1xQLFS54xONT3Mqg
O2REu3Sp22j2Jg1KHV6NWI54XX+v+k4jIiLJ5ZHMNh3u8qOs4qlGqjyFqM9tEeej
6Rj+qsYsxkgTqfeWEX9mKMTpc8AAzAZJfOwREIzCI3/crpCFEftoDsBAANuO5gUP
/lVKrHQHRJPGsebLgnOQ4hpxy9Sgvxl1+EsIiCElWPdBO+I025jYZ+ZvAkXBp8l3
1ueys7ffWPuiiPTddyxY3/alUyWtpi0g5kIn9Y49WG89ctagazZ3sYLDWP7yJ3n6
7FkjLfLmyOAj6BqSrsv5G1hkyIYVOpWeuNn9EV4f1csDcg8rAQrnPAJVgVvTmrzl
LKf0cRXqhgQLtsNsGroMHFCmZX57kEtOBPk2iyTq0xB/sKadr/jBFwFauy0rWUby
dz+1OqyUnKgJVw3dBjsV
=+brY
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 14 Mar 2010 07:34:24 GMT) (full text, mbox, link).
Bug unarchived.
Request was from Yann Dirson <dirson@debian.org>
to control@bugs.debian.org.
(Tue, 09 Dec 2014 22:45:15 GMT) (full text, mbox, link).
No longer marked as fixed in versions tau/2.16.4-1.3.
Request was from Yann Dirson <dirson@debian.org>
to control@bugs.debian.org.
(Tue, 09 Dec 2014 22:45:16 GMT) (full text, mbox, link).
Severity set to 'serious' from 'important'
Request was from Yann Dirson <dirson@debian.org>
to control@bugs.debian.org.
(Tue, 09 Dec 2014 22:51:04 GMT) (full text, mbox, link).
Reply sent
to Yann Dirson <dirson@debian.org>:
You have taken responsibility.
(Tue, 09 Dec 2014 23:39:14 GMT) (full text, mbox, link).
Notification sent
to Raphael Geissert <atomo64@gmail.com>:
Bug acknowledged by developer.
(Tue, 09 Dec 2014 23:39:14 GMT) (full text, mbox, link).
Source: tau
Source-Version: 2.17.3.1.dfsg-4
We believe that the bug you reported is fixed in the latest version of
tau, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 506348@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yann Dirson <dirson@debian.org> (supplier of updated tau package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 09 Dec 2014 23:46:49 +0100
Source: tau
Binary: tau tau-racy python-tau tau-examples
Architecture: source all amd64
Version: 2.17.3.1.dfsg-4
Distribution: unstable
Urgency: medium
Maintainer: Yann Dirson <dirson@debian.org>
Changed-By: Yann Dirson <dirson@debian.org>
Description:
python-tau - Tuning and Analysis Utilities - support for python profiling/trac
tau - Tuning and Analysis Utilities - base profiling/tracing toolkit
tau-examples - Tuning and Analysis Utilities - examples
tau-racy - Tuning and Analysis Utilities - Tcl/tk profiler GUI
Closes: 506348772374772375772376
Changes:
tau (2.17.3.1.dfsg-4) unstable; urgency=medium
.
* Fix "echo -e" bashisms (Closes: #772376).
* Use bash for scripts needing pushd/popd (Closes: #772374).
* Avoid "&>" bashism (Closes: #772375).
* Fix the CVE-2008-5157 fix: the adjustement in 2.17.3.1.dfsg-1 resulted
in non-working scripts, where the 2.16.4-1.3 had been incomplete.
OTOH those scripts are not useful today since the package is not built
against PDT, so do not ship them at all.
* Fix similar tmpfile symlink attack in taucc, taucxx, tauf90 (Really
closes: #506348)
Checksums-Sha1:
c7b652fc41aad622e145094d63197f0248132cda 1424 tau_2.17.3.1.dfsg-4.dsc
e062e9d0f29b2cc9013cfdcbeeeb5da8f451ca15 18236 tau_2.17.3.1.dfsg-4.debian.tar.xz
26f79dac6e370d6efee5a261a6af64c50e4b8f5b 91586 tau-racy_2.17.3.1.dfsg-4_all.deb
d16d29afe4ebcb6df9090cdd61fe003a102cf860 136976 tau-examples_2.17.3.1.dfsg-4_all.deb
55ec552f40af0806d2051a39d437c1888b4c3473 344484 tau_2.17.3.1.dfsg-4_amd64.deb
7755f2e93ad810e4d583f438536855df20b8d1e0 30972 python-tau_2.17.3.1.dfsg-4_amd64.deb
Checksums-Sha256:
24238ff90e3e89580c854c409f9a53bb44c24296596b992fd0612fb3a50a6fbf 1424 tau_2.17.3.1.dfsg-4.dsc
afc31fd7f78c458700a56581ce63beb26f0dfd98943b741dbad07d64fc3cf506 18236 tau_2.17.3.1.dfsg-4.debian.tar.xz
7cbebcac08c81b8a3339c562567da4a5e5cdb9aa573175dee232609f7aee174b 91586 tau-racy_2.17.3.1.dfsg-4_all.deb
79bc35ab5e6fe82544d51c417e0e5ec6943e77f75732cd873f8e69f9f94b71cd 136976 tau-examples_2.17.3.1.dfsg-4_all.deb
359281def9dd81030936f7ae778457e832ba2fd6ac313d416aa9c796858ae7b9 344484 tau_2.17.3.1.dfsg-4_amd64.deb
8acde676dd0f249dd3ac6040ecaaa7c433bb2ea449cb18a07aac9841a3f8c60c 30972 python-tau_2.17.3.1.dfsg-4_amd64.deb
Files:
c808f16d8618c990db2baa18e1bf48e6 1424 devel optional tau_2.17.3.1.dfsg-4.dsc
41426b6a493dd204ae03a0f4e266a341 18236 devel optional tau_2.17.3.1.dfsg-4.debian.tar.xz
ababb3e52eb55a602909410b2901fe1a 91586 devel optional tau-racy_2.17.3.1.dfsg-4_all.deb
d81ebb4dadf8a5a94654d0a23c71ebf7 136976 devel optional tau-examples_2.17.3.1.dfsg-4_all.deb
02b5b0e5c45f3d53dcf5510606a5dc7b 344484 devel optional tau_2.17.3.1.dfsg-4_amd64.deb
1b63d8c3efecd82fbf550825cdd2014c 30972 python optional python-tau_2.17.3.1.dfsg-4_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFUh4MIV1uVslwzwbgRAkOmAKCH6qg8lCmyqaOSwJ7DtD7i2ODJngCfZ8Lw
wLEAr99kJ3V56i/hdxy/ElM=
=TY01
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 24 May 2015 07:51:39 GMT) (full text, mbox, link).
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.