Debian Bug report logs - #506496
CVE-2008-5137: allows local users to overwrite arbitrary files via a symlink attack


Package: tkman; Maintainer for tkman is Maximiliano Curia <maxy@gnuservers.com.ar>;

Reported by: Raphael Geissert <atomo64@gmail.com>

Date: Sat, 22 Nov 2008 01:12:01 UTC

Severity: important

Tags: security

Found in version tkman/2.2-1

Fixed in versions tkman/2.2-4, tkman/2.2-2etch1

Done: Maximiliano Curia <maxy@gnuservers.com.ar>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Maximiliano Curia <maxy@gnuservers.com.ar>:
Bug#506496; Package tkman. (Sat, 22 Nov 2008 01:12:04 GMT)

Message #3 received at submit@bugs.debian.org:

From: Raphael Geissert <atomo64@gmail.com>
To: submit@bugs.debian.org
Subject: CVE-2008-5137: allows local users to overwrite arbitrary files via a symlink attack
Date: Fri, 21 Nov 2008 19:10:02 -0600
Package: tkman
Version: 2.2-1
Severity: important
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was published for 
tkman.

CVE-2008-5137[1]:
> tkman in tkman 2.2 allows local users to overwrite arbitrary files via a
> symlink attack on a (1) /tmp/tkman##### or (2) /tmp/ll temporary file.

If you fix the vulnerability please also make sure to include the CVE id in 
the changelog entry.

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5137
     http://security-tracker.debian.net/tracker/CVE-2008-5137

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net

Reply sent to Maximiliano Curia <maxy@gnuservers.com.ar>:
You have taken responsibility. (Sun, 30 Nov 2008 13:57:09 GMT)

Notification sent to Raphael Geissert <atomo64@gmail.com>:
Bug acknowledged by developer. (Sun, 30 Nov 2008 13:57:10 GMT)

Message #8 received at 506496-close@bugs.debian.org:

From: Maximiliano Curia <maxy@gnuservers.com.ar>
To: 506496-close@bugs.debian.org
Subject: Bug#506496: fixed in tkman 2.2-4
Date: Sun, 30 Nov 2008 13:47:04 +0000
Source: tkman
Source-Version: 2.2-4

We believe that the bug you reported is fixed in the latest version of
tkman, which is due to be installed in the Debian FTP archive:

tkman_2.2-4.diff.gz
  to pool/main/t/tkman/tkman_2.2-4.diff.gz
tkman_2.2-4.dsc
  to pool/main/t/tkman/tkman_2.2-4.dsc
tkman_2.2-4_all.deb
  to pool/main/t/tkman/tkman_2.2-4_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 506496@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Maximiliano Curia <maxy@gnuservers.com.ar> (supplier of updated tkman package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 28 Nov 2008 17:26:09 -0200
Source: tkman
Binary: tkman
Architecture: source all
Version: 2.2-4
Distribution: unstable
Urgency: low
Maintainer: Maximiliano Curia <maxy@gnuservers.com.ar>
Changed-By: Maximiliano Curia <maxy@gnuservers.com.ar>
Description: 
 tkman      - A graphical, hypertext manual page and Texinfo browser
Closes: 506496
Changes: 
 tkman (2.2-4) unstable; urgency=low
 .
   * Updated to Standards Version 3.8.0, no changes needed.
   * Fixed CVE-2008-5137, by calling mktemp.
     (+ debian/patches/07_use-mktemp.dpatch) (Closes: #506496)


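The fix recorded in the changelog above replaces predictable /tmp names with files created by mktemp. The following is an added shell illustration of that before/after pattern; it is not tkman's code or the Debian patch (tkman itself is a Tcl/Tk program), and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: not tkman's own code or its 07_use-mktemp.dpatch (tkman is
# written in Tcl/Tk); the same before/after pattern is shown here in POSIX sh.
# Function names (unsafe_tmpfile, safe_tmpfile, ...) are ours, for illustration.

# Weak pattern underlying CVE-2008-5137: a predictable name in the shared /tmp.
# Whoever pre-creates that path (for example as a symlink) decides where a
# later redirect into it actually writes.
unsafe_tmpfile() {
    printf '/tmp/tkman%s\n' "$$"   # derived from the PID: trivially guessable
}

# Hardened pattern, as in the Debian fix: mktemp creates a fresh file with a
# random suffix, exclusive-create semantics and mode 0600, or fails outright.
safe_tmpfile() {
    f=$(mktemp "${TMPDIR:-/tmp}/tkman.XXXXXX") || return 1
    printf '%s\n' "$f"
}

# Defensive check before reusing a temp path: it must exist, must not be a
# symlink, and must be a regular file. A pre-planted link is rejected.
tmp_path_is_safe() {
    [ -e "$1" ] || return 1
    [ ! -L "$1" ] || return 1
    [ -f "$1" ] || return 1
    return 0
}

# Write data to a securely created temp file and print its path; the caller
# removes the file when done. Returns 1 if mktemp or the check fails.
write_tmp() {
    t=$(safe_tmpfile) || return 1
    tmp_path_is_safe "$t" || return 1
    printf '%s\n' "$1" > "$t"
    printf '%s\n' "$t"
}

# Stand-alone demo: ./example.sh demo
if [ "${1:-}" = "demo" ]; then
    p=$(write_tmp "hello") && cat "$p" && rm -f "$p"
fi
```

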
Reply sent to Maximiliano Curia <maxy@gnuservers.com.ar>:
You have taken responsibility. (Sat, 03 Jan 2009 20:12:18 GMT)

Notification sent to Raphael Geissert <atomo64@gmail.com>:
Bug acknowledged by developer. (Sat, 03 Jan 2009 20:12:18 GMT)

Message #13 received at 506496-close@bugs.debian.org:

From: Maximiliano Curia <maxy@gnuservers.com.ar>
To: 506496-close@bugs.debian.org
Subject: Bug#506496: fixed in tkman 2.2-2etch1
Date: Sat, 03 Jan 2009 19:52:22 +0000
Source: tkman
Source-Version: 2.2-2etch1

We believe that the bug you reported is fixed in the latest version of
tkman, which is due to be installed in the Debian FTP archive:

tkman_2.2-2etch1.diff.gz
  to pool/main/t/tkman/tkman_2.2-2etch1.diff.gz
tkman_2.2-2etch1.dsc
  to pool/main/t/tkman/tkman_2.2-2etch1.dsc
tkman_2.2-2etch1_all.deb
  to pool/main/t/tkman/tkman_2.2-2etch1_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 506496@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Maximiliano Curia <maxy@gnuservers.com.ar> (supplier of updated tkman package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Mon, 15 Dec 2008 14:55:05 -0200
Source: tkman
Binary: tkman
Architecture: source all
Version: 2.2-2etch1
Distribution: stable
Urgency: low
Maintainer: Maximiliano Curia <maxy@gnuservers.com.ar>
Changed-By: Maximiliano Curia <maxy@gnuservers.com.ar>
Description: 
 tkman      - A graphical, hypertext manual page and Texinfo browser
Closes: 506496
Changes: 
 tkman (2.2-2etch1) stable; urgency=low
 .
   * Fixed CVE-2008-5137, by calling mktemp.
     (+ debian/patches/07_use-mktemp.dpatch) (Closes: #506496)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 01 Feb 2009 07:32:06 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 10:30:38 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.