Debian Bug report logs - #63303
gnapster: Security hole (users can view arbitrary files) fixed in 1.9.3. (Woody, but probably Potato)


Package: gnapster; Maintainer for gnapster is (unknown);

Reported by: <jordi@pusa.informat.uv.es>

Date: Sun, 30 Apr 2000 18:03:01 UTC

Severity: grave

Found in version 1.3.3-1

Fixed in version gnapster/1.3.9-1

Done: bma@debian.org (Brian M. Almeida)

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, bma@debian.org (Brian M. Almeida):
Bug#63303; Package gnapster. Full text and rfc822 format available.

Acknowledgement sent to <jordi@pusa.informat.uv.es>:
New Bug report received and forwarded. Copy sent to bma@debian.org (Brian M. Almeida). Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: <jordi@pusa.informat.uv.es>
To: submit@bugs.debian.org
Subject: gnapster: Security hole (users can view arbitrary files) fixed in 1.9.3. (Woody, but probably Potato)
Date: Sun, 30 Apr 2000 18:24:29 +0200
Package: gnapster
Version: 1.3.3-1
Severity: grave

As read in Gnapster's home page:
Changes since 1.3.8:

     Local and remote resume support 
     New browse method that uses a tree-style view instead of list 
     Completely rewritten download and queue code 
     Security hole fixed that allowed users to view arbitrary files (I
     HIGHLY suggest updating to Gnapster 1.3.9)
     Many minor changes everywhere 
     Internal bug fixes 

I have not contacted the author to find if 1.3 is affected, but plan to do
so.

Thank you.

-- System Information
Debian Release: 2.2
Kernel Version: Linux pusa 2.2.13 #1 lun nov 29 19:11:46 CET 1999 i586 unknown

Versions of the packages gnapster depends on:
ii  gdk-imlib1     1.9.8-4        Gdk-Imlib is an imaging library for use with
ii  libart2        1.0.56-3       The Gnome canvas widget
ii  libaudiofile0  0.1.9-0.1      The Audiofile Library
ii  libc6          2.1.3-8        GNU C Library: Shared libraries and Timezone
ii  libesd0        0.2.17-7       Enlightened Sound Daemon - Shared libraries
ii  libglib1.2     1.2.7-2        The GLib library of C routines
ii  libgnome32     1.0.56-3       The Gnome libraries
ii  libgnomesuppor 1.0.56-3       The Gnome libraries (Support libraries)
ii  libgnomeui32   1.0.56-3       The Gnome libraries (User Interface)
ii  libgnorba27    1.0.56-3       Gnome CORBA services
ii  libgtk1.2      1.2.7-1        The GIMP Toolkit set of widgets for X
ii  liborbit0      0.5.0-5        Libraries for ORBit - a CORBA ORB
ii  xlib6g         3.3.6-6        shared libraries required by X clients
libesd-alsa0	Not installed or no info
ii  zlib1g         1.1.3-5        compression library - runtime
	^^^ (Provides virtual package libz1)


Information forwarded to debian-bugs-dist@lists.debian.org, bma@debian.org (Brian M. Almeida):
Bug#63303; Package gnapster. Full text and rfc822 format available.

Acknowledgement sent to Brian Almeida <bma@tux.org>:
Extra info received and forwarded to list. Copy sent to bma@debian.org (Brian M. Almeida). Full text and rfc822 format available.

Message #10 received at 63303@bugs.debian.org (full text, mbox):

From: Brian Almeida <bma@tux.org>
To: aklein@debian.org
Cc: 63303@bugs.debian.org
Subject: [jordi@pusa.informat.uv.es: Bug#63303: gnapster: Security hole (users can view arbitrary files) fixed in 1.9.3. (Woody, but probably Potato)]
Date: Sun, 30 Apr 2000 15:57:27 -0400

I'm not maintainer of gnapster anymore - Adam Klein <aklein@debian.org>
is.  I'm guessing it's still got me in somewhere from potato...

-- 
Brian Almeida                      | http://www.debian.org/~bma
Debian Developer                   | bma@debian.org
Linux Systems Engineer @ Winstar   | balmeida@winstar.com
PGP/GPG public keys                | finger bma@debian.org
<llane> When the penguin army descends from the gates of OS heaven,
        don't bother begging for your petty computing lives.



Information forwarded to debian-bugs-dist@lists.debian.org, bma@debian.org (Brian M. Almeida):
Bug#63303; Package gnapster. Full text and rfc822 format available.

Acknowledgement sent to Jordi <jordi@pusa.informat.uv.es>:
Extra info received and forwarded to list. Copy sent to bma@debian.org (Brian M. Almeida). Full text and rfc822 format available.

Message #15 received at 63303@bugs.debian.org (full text, mbox):

From: Jordi <jordi@pusa.informat.uv.es>
To: Brian Almeida <bma@tux.org>, aklein@debian.org
Cc: 63303@bugs.debian.org
Subject: Bug#63303: gnapster: Security hole (users can view arbitrary files) fixed in 1.9.3. (Woody, but probably Potato)
Date: Mon, 1 May 2000 23:07:31 +0200
> I'm not maintainer of gnapster anymore - Adam Klein <aklein@debian.org>
> is.  I'm guessing it's still got me in somewhere from potato...

Oh well.
Adam Klein was on vacation, IIRC. I hope he gets to this on time. Maybe he
should upload something for potato with his maintainer name so bug reports
go to him?

Jordi

-- 
Jordi Mallach Pérez || jordi@pusa.informat.uv.es   || Rediscovering Freedom,
ka Oskuro in RL-MUD || jordi@sindominio.net        || Using Debian GNU/Linux

http://sindominio.net  GnuPG public information:      pub  1024D/917A225E 
telnet pusa.uv.es 23   73ED 4244 FD43 5886 20AC  2644 2584 94BA 917A 225E

Information forwarded to debian-bugs-dist@lists.debian.org, bma@debian.org (Brian M. Almeida):
Bug#63303; Package gnapster. Full text and rfc822 format available.

Acknowledgement sent to Brian Almeida <bma@debian.org>:
Extra info received and forwarded to list. Copy sent to bma@debian.org (Brian M. Almeida). Full text and rfc822 format available.

Message #20 received at 63303@bugs.debian.org (full text, mbox):

From: Brian Almeida <bma@debian.org>
To: jordi@pusa.informat.uv.es, 63303@bugs.debian.org
Cc: bugscan@debian.org
Subject: Re: Bug#63303: gnapster: Security hole (users can view arbitrary files) fixed in 1.9.3. (Woody, but probably Potato)
Date: Tue, 2 May 2000 16:38:36 -0400

This bug is not applicable to potato, the version in potato is 1.3, which
did not contain upload support, which is where the security hole was.

Please exclude this from the bugscan reports.

On Sun, Apr 30, 2000 at 06:24:29PM +0200, jordi@pusa.informat.uv.es wrote:
> Package: gnapster
> Version: 1.3.3-1
> Severity: grave
> 
> As read in Gnapster's home page:
> Changes since 1.3.8:
> 
>      Local and remote resume support 
>      New browse method that uses a tree-style view instead of list 
>      Completely rewritten download and queue code 
>      Security hole fixed that allowed users to view arbitrary files (I
>      HIGHLY suggest updating to Gnapster 1.3.9)
>      Many minor changes everywhere 
>      Internal bug fixes 
Since Adam Klein appears to be on vacation, I will upload a fixed
version to woody tomorrow.


> I have not contacted the author to find if 1.3 is affected, but plan to do
> so.
It is not.

-- 
Brian M. Almeida
Linux Systems Engineer |  http://www.winstar.com | balmeida@winstar.com
Debian Developer       |  http://www.debian.org  | bma@debian.org
Ye GODS! NT crashed the microwave!



Reply sent to bma@debian.org (Brian M. Almeida):
You have taken responsibility. Full text and rfc822 format available.

Notification sent to <jordi@pusa.informat.uv.es>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #25 received at 63303-close@bugs.debian.org (full text, mbox):

From: bma@debian.org (Brian M. Almeida)
To: 63303-close@bugs.debian.org
Subject: Bug#63303: fixed in gnapster 1.3.9-1
Date: 3 May 2000 18:54:06 -0000

We believe that the bug you reported is fixed in the latest version of
gnapster, which has been installed in the Debian FTP archive:
gnapster_1.3.9-1.diff.gz
  to dists/woody/main/source/x11/gnapster_1.3.9-1.diff.gz
  replacing gnapster_1.3.8-1.diff.gz
gnapster_1.3.9-1.dsc
  to dists/woody/main/source/x11/gnapster_1.3.9-1.dsc
  replacing gnapster_1.3.8-1.dsc
gnapster_1.3.9-1_i386.deb
  to dists/woody/main/binary-i386/x11/gnapster_1.3.9-1.deb
  replacing gnapster_1.3.8-1.deb
gnapster_1.3.9.orig.tar.gz
  to dists/woody/main/source/x11/gnapster_1.3.9.orig.tar.gz
  replacing gnapster_1.3.8.orig.tar.gz

Note that this package is not part of the released stable Debian
distribution.  It may have dependencies on other unreleased software,
or other instabilities.  Please take care if you wish to install it.
The update will eventually make its way into the next released Debian
distribution.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 63303@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Brian M. Almeida <bma@debian.org> (supplier of updated gnapster package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.6
Date: Wed,  3 May 2000 14:20:58 -0400
Source: gnapster
Binary: gnapster
Architecture: source i386
Version: 1.3.9-1
Distribution: unstable
Urgency: high
Maintainer: Brian M. Almeida <bma@debian.org>
Description: 
 gnapster   - Simple client for the online mp3 community called napster
Closes: 63303
Changes: 
 gnapster (1.3.9-1) unstable; urgency=high
 .
   * New upstream release, fixing security hole, closes: #63303
Files: 
 a468fc683e6dcbafd7ef6cd78175b90a 717 x11 optional gnapster_1.3.9-1.dsc
 2936efbbea5bee07fe472309e9843a66 290808 x11 optional gnapster_1.3.9.orig.tar.gz
 9ccbfe8e387b0906e6ad426391e5284a 3265 x11 optional gnapster_1.3.9-1.diff.gz
 7ae974ea25d33da53e40f7b6062b2501 66180 x11 optional gnapster_1.3.9-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE5EG6RvN0db6ENkYwRAkpBAKCDA2fllMBZnopf2nn7firSA+66lQCdEmtv
fCGjiDeaujxtUjP0AyyfsK8=
=ujQP
-----END PGP SIGNATURE-----





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 14:01:19 2014; Machine Name: beach.debian.org
