Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: pu
Hello,

I am the current maintainer of the apt-listbugs package. While preparing version 0.1.10, I fixed an insecure temporary file creation.

The apt-listbugs program creates a temporary file in /tmp when the user asks to view the bug lists in HTML with a browser. This temporary file is created, written (with HTML content), and then displayed by a web browser (invoked by apt-listbugs itself).

Before version 0.1.10, this temporary file used to be created by an ad-hoc class, which computed the file name by just concatenating a fixed string, the PID, and a progressive integer starting at 0 (incremented in case of name conflict with an already existing file). Since I thought that this mechanism was fairly predictable and insecure, I dropped this ad-hoc class and started using Tempfile from the Ruby standard library, which seems to be more secure.

This fix is part of apt-listbugs version 0.1.10 or later. Version 0.1.11 migrated into testing about one month ago.

I got in touch with the security team, asking whether I should prepare updated versions of apt-listbugs for wheezy and maybe squeeze, back-porting the fix to versions 0.1.8 and maybe 0.1.3, and explicitly pointing out that apt-listbugs is a package which is useful above all to testing and unstable users, and definitely less so to stable and oldstable users. The security team kindly obtained a CVE number for this security issue (CVE-2013-6049) and replied that the issue "doesn't warrant a DSA, but it would be good to fix it for an upcoming point update".

Hence, I prepared apt-listbugs/0.1.8+deb7u1 for wheezy: please find the source diff attached (the only other changes are the result of running "make update-po" in order to update the .pot and .po l10n files).

If you agree, I can ask my usual sponsor to upload the prepared package to stable, so that it will end up in the next point release. Please let me know.

Thanks for your time!
P.S.: after this, I may perhaps find the time to do the same for oldstable (squeeze), unless you say I shouldn't bother...
apt-listbugs_stable-update_0.1.8+deb7u1.diff.gz
Description: application/gzip