Debian Bug report logs - #509332
CVE-2008-5371: insecure temp file handling


Package: screenie; Maintainer for screenie is Dmitry Smirnov <onlyjob@member.fsf.org>; Source for screenie is src:screenie.

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Sun, 21 Dec 2008 12:18:01 UTC

Severity: important

Tags: security

Fixed in version screenie/1.30.0-5.1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Tomas Pospisek <tpo_deb@sourcepole.ch>:
Bug#509332; Package screenie. (Sun, 21 Dec 2008 12:18:04 GMT)

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Tomas Pospisek <tpo_deb@sourcepole.ch>. (Sun, 21 Dec 2008 12:18:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2008-5371: insecure temp file handling
Date: Sun, 21 Dec 2008 13:13:52 +0100
Package: screenie
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for screenie.

CVE-2008-5371[0]:
| screenie in screenie 1.30.0 allows local users to overwrite arbitrary
| files via a symlink attack on a /tmp/.screenie.##### temporary file.

Would be nice to get this fixed in lenny via migration from unstable.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5371
    http://security-tracker.debian.net/tracker/CVE-2008-5371
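
The weakness named in the CVE text above, next to the usual fix, as an added example (not screenie's code and not the patch attached to this bug). It assumes the `#####` suffix is the process ID, the function names are hypothetical, and the symlink and "victim" file are constructed inside a private sandbox directory.

```shell
#!/bin/sh
# Added example; not taken from screenie or from the NMU patch.

# Weak pattern: predictable name in a shared directory, opened with a plain
# redirect. If the path already exists as a symlink, the shell follows it
# and overwrites whatever the link points to.
write_predictable() {
    dir=$1; data=$2
    tmp="$dir/.screenie.$$"          # assumption: ##### is the PID
    printf '%s\n' "$data" > "$tmp"
    printf '%s\n' "$tmp"
}

# Hardened pattern: mktemp chooses an unpredictable name and creates the
# file exclusively with mode 0600, so a path planted in advance is never
# opened; the script only writes to the file mktemp just created.
write_safe() {
    dir=$1; data=$2
    tmp=$(mktemp "$dir/.screenie.XXXXXXXXXX") || return 1
    printf '%s\n' "$data" > "$tmp"
    printf '%s\n' "$tmp"
}

# Constructed check: plant a symlink at the predictable name, pointing at a
# stand-in victim file, run one of the writers, and report what the victim
# file contains afterwards.
demo() {
    mode=$1
    box=$(mktemp -d) || return 1
    printf 'original\n' > "$box/victim"
    ln -s "$box/victim" "$box/.screenie.$$"
    "write_$mode" "$box" "session data" > /dev/null
    result=$(cat "$box/victim")
    rm -rf "$box"
    printf '%s\n' "$result"
}

echo "predictable name: victim contains '$(demo predictable)'"
echo "mktemp:           victim contains '$(demo safe)'"
```
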




Information forwarded to debian-bugs-dist@lists.debian.org, Tomas Pospisek <tpo_deb@sourcepole.ch>:
Bug#509332; Package screenie. (Thu, 25 Dec 2008 00:00:03 GMT)

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Tomas Pospisek <tpo_deb@sourcepole.ch>. (Thu, 25 Dec 2008 00:00:03 GMT)

Message #10 received at 509332@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 509332@bugs.debian.org
Subject: intent to NMU
Date: Thu, 25 Dec 2008 00:57:12 +0100
Hi,
attached is a patch to fix this issue. I will upload this as 
an NMU now.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[screenie-1.30.0-5_1.30.0-5.1.patch (text/x-diff, attachment)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Thu, 25 Dec 2008 00:39:04 GMT)

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Thu, 25 Dec 2008 00:39:04 GMT)

Message #15 received at 509332-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 509332-close@bugs.debian.org
Subject: Bug#509332: fixed in screenie 1.30.0-5.1
Date: Thu, 25 Dec 2008 00:17:04 +0000
Source: screenie
Source-Version: 1.30.0-5.1

We believe that the bug you reported is fixed in the latest version of
screenie, which is due to be installed in the Debian FTP archive:

screenie_1.30.0-5.1.diff.gz
  to pool/main/s/screenie/screenie_1.30.0-5.1.diff.gz
screenie_1.30.0-5.1.dsc
  to pool/main/s/screenie/screenie_1.30.0-5.1.dsc
screenie_1.30.0-5.1_all.deb
  to pool/main/s/screenie/screenie_1.30.0-5.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 509332@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated screenie package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 25 Dec 2008 00:54:32 +0100
Source: screenie
Binary: screenie
Architecture: source all
Version: 1.30.0-5.1
Distribution: unstable
Urgency: high
Maintainer: Tomas Pospisek <tpo_deb@sourcepole.ch>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 screenie   - a small and lightweight GNU screen(1) wrapper
Closes: 509332
Changes: 
 screenie (1.30.0-5.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix insecure temporary file creation
     (CVE-2008-5371; Closes: #509332).

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 05 Feb 2009 07:27:52 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 11:25:16 2014; Machine Name: beach.debian.org
