Debian Bug report logs - #706644
tpp: [CVE-2013-2208] untrusted input file might be harmful


Package: tpp; Maintainer for tpp is Axel Beckert <abe@debian.org>; Source for tpp is src:tpp.

Reported by: "W. Martin Borgert" <debacle@debian.org>

Date: Thu, 2 May 2013 20:57:05 UTC

Severity: grave

Tags: security, upstream

Found in version tpp/1.3.1-2

Fixed in version tpp/1.3.1-3

Done: Axel Beckert <abe@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/akrennmair/tpp/pull/2




Report forwarded to debian-bugs-dist@lists.debian.org, Nico Golde <nion@debian.org>:
Bug#706644; Package tpp. (Thu, 02 May 2013 20:57:09 GMT)

Acknowledgement sent to "W. Martin Borgert" <debacle@debian.org>:
New Bug report received and forwarded. Copy sent to Nico Golde <nion@debian.org>. (Thu, 02 May 2013 20:57:09 GMT)

Message #5 received at submit@bugs.debian.org:

From: "W. Martin Borgert" <debacle@debian.org>
To: submit@bugs.debian.org
Subject: untrusted input file might be harmful
Date: Thu, 2 May 2013 22:51:41 +0200
Package: tpp
Version: 1.3.1-2
Severity: grave
Tags: security

Please feel free to downgrade the bug report or remove the
security tag. It's just my point of view.

Opening an untrusted input file may be harmful, because tpp
supports an "exec" command, which can do bad things, e.g.
sending your private SSL or GnuPG files or removing your home
directory without any warning or confirmation. The manual page
does not mention this shell-style behaviour. It is probably
unexpected of a presentation program, even a geeky one.
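
The check a recipient of such a file would want, as an added example that is not part of the bug report or of tpp's own code: a small Ruby parser that lists every `--exec` directive in a presentation before it is opened, and a sanitizer that, like the Debian fix which made parsing of `--exec` optional, renders those lines inert unless the caller explicitly opts in. It assumes (not taken from tpp's source) that directives are lines beginning with `--` and that `--exec <command>` hands the rest of the line to a shell; `SAMPLE_TPP` is a constructed input.

```ruby
# Assumption (not from tpp's source): directives are lines starting with
# "--", and "--exec <command>" hands <command> to a shell when shown.

# Constructed sample; the --exec line is what the bug report warns about.
SAMPLE_TPP = <<~TPP
  --title Quarterly numbers
  --newpage
  --heading Results
  Revenue went up.
  --exec echo "this would run in your shell"
  Thanks!
TPP

# Split a presentation into [line_number, directive, argument] triples;
# plain text lines get directive nil.
def parse_tpp(text)
  text.each_line.with_index(1).map do |line, no|
    line = line.chomp
    if line.start_with?('--') && (m = line.match(/\A--(\S+)\s*(.*)\z/))
      [no, m[1], m[2]]
    else
      [no, nil, line]
    end
  end
end

# List every --exec directive with its line number so a user can see
# what an untrusted file would run before presenting it.
def find_exec_directives(text)
  parse_tpp(text).select { |_, cmd, _| cmd == 'exec' }
end

# Mirror the Debian fix ("make parsing of --exec optional"): unless the
# caller opts in, --exec lines become inert text, so the presentation
# still renders without running anything.
def sanitize_tpp(text, allow_exec: false)
  parse_tpp(text).map do |_, cmd, arg|
    if cmd == 'exec' && !allow_exec
      "[exec directive disabled: #{arg}]"
    elsif cmd
      arg.empty? ? "--#{cmd}" : "--#{cmd} #{arg}"
    else
      arg
    end
  end.join("\n") + "\n"
end

find_exec_directives(SAMPLE_TPP).each { |no, _, arg| warn "line #{no}: --exec #{arg}" }
puts sanitize_tpp(SAMPLE_TPP)
```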



Information forwarded to debian-bugs-dist@lists.debian.org, Nico Golde <nion@debian.org>:
Bug#706644; Package tpp. (Thu, 02 May 2013 21:15:08 GMT)

Acknowledgement sent to John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>:
Extra info received and forwarded to list. Copy sent to Nico Golde <nion@debian.org>. (Thu, 02 May 2013 21:15:08 GMT)

Message #10 received at 706644@bugs.debian.org:

From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
To: "W. Martin Borgert" <debacle@debian.org>
Cc: 706644@bugs.debian.org, "Adam D. Barratt" <adam@adam-barratt.org.uk>
Subject: Re: untrusted input file might be harmful
Date: Thu, 02 May 2013 23:12:04 +0200
The package has been orphaned in Debian since 2007 and abandoned by 
upstream at the same time since the upstream developer and Debian 
maintainer are the same person.

Popcon shows just 113 installations and there are no reverse dependencies.

I therefore suggest removing the package from testing due to its bad shape.

Cheers,

Adrian

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaubitz@debian.org
`. `'   Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#706644; Package tpp. (Thu, 02 May 2013 23:18:04 GMT)

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. (Thu, 02 May 2013 23:18:04 GMT)

Message #15 received at 706644@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>, 706644@bugs.debian.org
Cc: "W. Martin Borgert" <debacle@debian.org>, "Adam D. Barratt" <adam@adam-barratt.org.uk>
Subject: Re: Bug#706644: untrusted input file might be harmful
Date: Fri, 3 May 2013 01:13:44 +0200
Hi,
* John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> [2013-05-02 23:15]:
> The package has been orphaned in Debian since 2007 and abandoned by upstream at 
> the same time since the upstream developer and Debian maintainer are the same 
> person.
> 
> Popcon shows just 113 installations and there are no reverse dependencies.
> 
> I therefore suggest removing the package from testing due to its bad shape.

FWIW, I'm fine with that. The stuff is easy to address, but I lost interest in 
doing so.

Cheers
Nico
-- 
Nico Golde - XMPP: nion@jabber.ccc.de - GPG: 0xA0A0AAAA

Information forwarded to debian-bugs-dist@lists.debian.org, Nico Golde <nion@debian.org>:
Bug#706644; Package tpp. (Fri, 03 May 2013 04:51:04 GMT)

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Nico Golde <nion@debian.org>. (Fri, 03 May 2013 04:51:04 GMT)

Message #20 received at 706644@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Nico Golde <nion@debian.org>
Cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>, 706644@bugs.debian.org, "W. Martin Borgert" <debacle@debian.org>
Subject: Re: Bug#706644: untrusted input file might be harmful
Date: Fri, 03 May 2013 05:46:38 +0100
On Fri, 2013-05-03 at 01:13 +0200, Nico Golde wrote:
> * John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> [2013-05-02 23:15]:
> > The package has been orphaned in Debian since 2007 and abandoned by upstream at 
> > the same time since the upstream developer and Debian maintainer are the same 
> > person.
> > 
> > Popcon shows just 113 installations and there are no reverse dependencies.
> > 
> > I therefore suggest removing the package from testing due to its bad shape.
> 
> FWIW, I'm fine with that. The stuff is easy to address, but I lost interest in 
> doing so.

Okay, thanks; hint added.

Regards,

Adam




Added tag(s) pending. Request was from Axel Beckert <abe@debian.org> to control@bugs.debian.org. (Wed, 12 Jun 2013 20:15:10 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Nico Golde <nion@debian.org>:
Bug#706644; Package tpp. (Wed, 12 Jun 2013 21:00:04 GMT)

Acknowledgement sent to Axel Beckert <abe@debian.org>:
Extra info received and forwarded to list. Copy sent to Nico Golde <nion@debian.org>. (Wed, 12 Jun 2013 21:00:04 GMT)

Message #27 received at 706644@bugs.debian.org:

From: Axel Beckert <abe@debian.org>
To: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Cc: 706644@bugs.debian.org
Subject: Re: Bug#706644: untrusted input file might be harmful
Date: Wed, 12 Jun 2013 22:56:48 +0200
Hi,

it's too late for Wheezy, but I still have to object:

John Paul Adrian Glaubitz wrote on 02-May-2013:
> The package has been orphaned in Debian since 2007

Wrong. At the time you wrote this mail it was orphaned for a mere 10
days. See http://bugs.debian.org/706041 -- only the last upload was
from 2007.

> and abandoned by upstream at the same time since the upstream
> developer and Debian maintainer are the same person.

Wrong, too. There are two upstream developers and only one abandoned
the project. The last upstream commit was just 13 days before you
wrote this mail. See https://github.com/akrennmair/tpp/commit/050b5712

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
  `-    |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5



Reply sent to Axel Beckert <abe@debian.org>:
You have taken responsibility. (Wed, 12 Jun 2013 21:21:36 GMT)

Notification sent to "W. Martin Borgert" <debacle@debian.org>:
Bug acknowledged by developer. (Wed, 12 Jun 2013 21:21:36 GMT)

Message #32 received at 706644-close@bugs.debian.org:

From: Axel Beckert <abe@debian.org>
To: 706644-close@bugs.debian.org
Subject: Bug#706644: fixed in tpp 1.3.1-3
Date: Wed, 12 Jun 2013 21:19:59 +0000
Source: tpp
Source-Version: 1.3.1-3

We believe that the bug you reported is fixed in the latest version of
tpp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 706644@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Axel Beckert <abe@debian.org> (supplier of updated tpp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 12 Jun 2013 22:18:56 +0200
Source: tpp
Binary: tpp
Architecture: source all
Version: 1.3.1-3
Distribution: unstable
Urgency: low
Maintainer: Axel Beckert <abe@debian.org>
Changed-By: Axel Beckert <abe@debian.org>
Description: 
 tpp        - text presentation program
Closes: 669595 671530 671540 705965 706041 706644
Changes: 
 tpp (1.3.1-3) unstable; urgency=low
 .
   [ Jari Aalto ]
   * Switch from dpatch to source format "3.0 (quilt)". (Closes: #669595)
     + Remove dpatch traces from debian/rules and remove dpatch
       build-dependency
   * Bump debhelper compatibility to 9
     + Update versioned debhelper build-dependency
   * Use dh_prep instead of dh_clean -k
   * Fix the following lintian warnings:
     + copyright-refers-to-symlink-license
     + debhelper-but-no-misc-depends
     + debian-rules-missing-recommended-target
   * Add watch file
 .
   [ Axel Beckert ]
   * Adopt the package (Closes: #706041)
   * Cherry-pick afb57d9 (make key events work on ruby 1.9) from upstream
     (Closes: #671530)
   * Add patch to make parsing of --exec optional (Closes: #706644)
   * Update homepage to point to GitHub
   * Fix patch header
   * Update watch file to also check release tags at GitHub
   * Revamp debian/rules:
     + No more clean up stamp files manually (dh_clean does that now)
     + Remove redundant dh_installchangelogs parameter
     + Don't compress any .tpp example file
     + Replace dh_installexamples parameter with debian/examples
     + Switch to a dh7 style debian/rules file
     + Switch to gem2deb based packaging (Closes: #671540)
       Thanks to Per Andersson!
   * Suggest texlive-latex-extra instead of transitional package texpower
   * Bump Standards-Version to 3.9.4 (no further changes necessary)
   * Recode examples to UTF-8 at build time (Closes: #705965)
     + Add build-dependency on recode
   * Add Vcs-* headers
   * Apply wrap-and-sort





Set Bug forwarded-to-address to 'https://github.com/akrennmair/tpp/pull/2'. Request was from Axel Beckert <abe@debian.org> to control@bugs.debian.org. (Tue, 18 Jun 2013 15:51:17 GMT)

Added tag(s) upstream. Request was from Axel Beckert <abe@debian.org> to control@bugs.debian.org. (Tue, 18 Jun 2013 15:57:04 GMT)

Changed Bug title to 'tpp: [CVE-2013-2208] untrusted input file might be harmful' from 'untrusted input file might be harmful'. Request was from Axel Beckert <abe@debian.org> to control@bugs.debian.org. (Fri, 21 Jun 2013 17:03:04 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 21 Jul 2013 07:29:16 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 13:04:13 2014; Machine Name: buxtehude.debian.org
