Report forwarded
to debian-bugs-dist@lists.debian.org, Fredrik Steen <stone@debian.org>: Bug#724614; Package txt2man.
(Wed, 25 Sep 2013 18:54:06 GMT)
Acknowledgement sent
to Jonathan Wiltshire <jmw@debian.org>:
New Bug report received and forwarded. Copy sent to Fredrik Steen <stone@debian.org>.
(Wed, 25 Sep 2013 18:54:06 GMT)
Package: txt2man
Version: 1.5.5-4
Severity: normal
Tags: patch pending security
Dear maintainer,
txt2man in all suites allows overwriting of arbitrary files by an unsafe
use of the file /tmp/2222. This was introduced by a Debian patch.
The fix for this is to remove the line:

    echo $post > /tmp/2222

which appears to be leftover debugging.
It is my intention to perform an NMU in two days if the bug remains
unfixed, and to then upload fixes for stable and oldstable. If you object,
please tell me as soon as possible.
If you fix the bug yourself, please include a reference to the assigned CVE
number, CVE-2013-1444.
Regards.
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
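
The report above comes down to a script redirecting output to a fixed file name in world-writable /tmp. As an added example (not from the report or from the txt2man package), this lint flags such redirections in a shell script; the function names and both sample scripts are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a shell script for output redirected to a fixed file
# name under /tmp or /var/tmp, the pattern reported in this bug.

# Print "LINENO:LINE" for every non-comment line that redirects output to a
# literal /tmp or /var/tmp path (one with no $ expansion in it).
find_fixed_tmp_redirects() {
    grep -nE '>>?[[:space:]]*"?(/var)?/tmp/[^$[:space:]"]+"?([[:space:];|&)]|$)' "$1" |
        grep -vE '^[0-9]+:[[:space:]]*#'
}

# Number of findings in a script; 0 means nothing was flagged.
count_fixed_tmp_redirects() {
    { find_fixed_tmp_redirects "$1" || true; } | wc -l | tr -d ' '
}

# Write two constructed sample scripts (not the real txt2man source) into a
# fresh directory and print its path.
make_samples() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/before.sh" <<'EOF'
#!/bin/sh
post="$1"
echo $post > /tmp/2222
echo "$post"
EOF
    # Same script with the debug line gone; the scratch file shows the safe
    # pattern for when a temporary file is really needed.
    cat > "$dir/after.sh" <<'EOF'
#!/bin/sh
post="$1"
scratch=$(mktemp) || exit 1   # unpredictable name, created fresh, mode 0600
trap 'rm -f "$scratch"' EXIT
echo "$post" > "$scratch"
echo "$post"
EOF
    echo "$dir"
}

samples=$(make_samples) || exit 1
echo "before.sh: $(count_fixed_tmp_redirects "$samples/before.sh") finding(s)"
find_fixed_tmp_redirects "$samples/before.sh"
echo "after.sh:  $(count_fixed_tmp_redirects "$samples/after.sh") finding(s)"
rm -rf "$samples"
```

The check only covers literal paths, so a name built from a variable or `$$` is not flagged and still needs manual review.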
Changed Bug title to 'txt2man: CVE-2013-1444: unsafe use of temporary files' from 'txt2man: unsafe use of temporary files'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 25 Sep 2013 20:27:04 GMT)
Severity set to 'serious' from 'normal'
Request was from Jonathan Wiltshire <jmw@debian.org>
to control@bugs.debian.org.
(Wed, 25 Sep 2013 20:39:04 GMT)
Marked as found in versions txt2man/1.5.5-2.
Request was from Jonathan Wiltshire <jmw@debian.org>
to control@bugs.debian.org.
(Wed, 25 Sep 2013 21:21:07 GMT)
Reply sent
to Jonathan Wiltshire <jmw@debian.org>:
You have taken responsibility.
(Fri, 27 Sep 2013 21:21:33 GMT)
Notification sent
to Jonathan Wiltshire <jmw@debian.org>:
Bug acknowledged by developer.
(Fri, 27 Sep 2013 21:21:33 GMT)
Source: txt2man
Source-Version: 1.5.5-4.1
We believe that the bug you reported is fixed in the latest version of
txt2man, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 724614@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonathan Wiltshire <jmw@debian.org> (supplier of updated txt2man package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 25 Sep 2013 21:29:29 +0100
Source: txt2man
Binary: txt2man
Architecture: source all
Version: 1.5.5-4.1
Distribution: unstable
Urgency: low
Maintainer: Fredrik Steen <stone@debian.org>
Changed-By: Jonathan Wiltshire <jmw@debian.org>
Description:
txt2man - Converts flat ASCII text to man page format
Closes: 724614
Changes:
txt2man (1.5.5-4.1) unstable; urgency=low
.
* Non-maintainer upload.
* Fix CVE-2013-1444: insecure use of temporary files
by removing apparent debug output from
patches/debian-changes-1.5.5-2.1 (Closes: #724614)
Thanks: Patrick Cherry of Bytemark Hosting
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.21 (GNU/Linux)
-----END PGP SIGNATURE-----
Reply sent
to Joao Eriberto Mota Filho <eriberto@debian.org>:
You have taken responsibility.
(Sat, 31 Jan 2015 21:21:13 GMT)
Notification sent
to Jonathan Wiltshire <jmw@debian.org>:
Bug acknowledged by developer.
(Sat, 31 Jan 2015 21:21:13 GMT)
From: Joao Eriberto Mota Filho <eriberto@debian.org>
To: 724614-close@bugs.debian.org
Subject: Bug#724614: fixed in txt2man 1.5.6-1
Date: Sat, 31 Jan 2015 21:20:25 +0000
Source: txt2man
Source-Version: 1.5.6-1
We believe that the bug you reported is fixed in the latest version of
txt2man, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 724614@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Joao Eriberto Mota Filho <eriberto@debian.org> (supplier of updated txt2man package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 31 Jan 2015 13:07:36 -0200
Source: txt2man
Binary: txt2man
Architecture: source all
Version: 1.5.6-1
Distribution: experimental
Urgency: medium
Maintainer: Joao Eriberto Mota Filho <eriberto@debian.org>
Changed-By: Joao Eriberto Mota Filho <eriberto@debian.org>
Description:
txt2man - convert flat ASCII text to manpage format
Closes: 656029 724614
Changes:
txt2man (1.5.6-1) experimental; urgency=medium
.
* New maintainer. Thanks a lot to Fredrik Steen and Robin Cornelius for
your nice work over this package.
* New upstream release. (Closes: #656029)
* Acknowledge NMU. Thanks to Jonathan Wiltshire. (Closes: #724614)
* Migrations:
- DH level to 9.
- Standards-Version to 3.9.6.
- debian/copyright to 1.0 format.
- debian/rules to new (reduced) format.
* debian/control:
- Improved the long description.
- Updated the Homepage field. The upstream is using GitHub now.
- Updated the Vcs-* fields.
* debian/copyright: updated the upstream and packagers names and years.
* debian/dirs: removed. The fix-makefile patch fixed the upstream Makefile
and it will create the needed directories.
* debian/docs: removed (useless to final user).
* debian/examples: created to install some examples.
* debian/examples.d: created to be a stuff of examples.
* debian/patches/:
- remove-ksh-check.patch:
. Added a header.
. Renamed to drop-ksh-check.
- debian-changes-1.5.5-2.1:
. Reviewed and split to fix-bashisms and fix-pager-option.
- fix-makefile: added to fix the upstream Makefile.
- fix-path-hyphen: fix a path pointing manpages level 2 and a hyphen
used as a minus sign in bookman file.
- fix-spelling-hyphen: fix a spelling error and a hyphen used as a
minus sign in txt2man file.
* debian/README.Debian: added to point to some examples.
* debian/watch: updated (using GitHub now).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 24 May 2015 07:32:45 GMT)