Your message dated Sun, 09 Sep 2007 13:17:07 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#437621: fixed in lha 1.14i-10.2
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: lha
Severity: grave
Tags: security
Justification: user security hole
Hi
There is a CVE[0] issued against lha. It also leads to a patch[1], which
apparently fixes the problem. Could you please investigate this?
The CVE text says:
lharc.c in lha does not securely create temporary files, which might
allow local users to read or write files by creating a file before LHA
is invoked.
Please remember to mention the CVE number in your changelog entry.
Thanks for your efforts.
Cheers
Steffen
[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2030
[1]: https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=152702
--- End Message ---
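The CVE text quoted in the report above describes the classic insecure temporary-file pattern: a predictable name is chosen and then opened, so a file or symlink planted at that path before LHA runs gets reused. As an added illustration (not lha's code and not the Red Hat patch referenced above), the C below shows the hardened pattern, mkstemp() with a private mode, together with a self-check that a second exclusive create at the same name is refused with EEXIST, which is what turns a pre-planted file into a hard failure instead of a silent overwrite. The helper names, the /tmp directory and the lhXXXXXX template are assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened temp-file creation (assumed helper, not lha's code): mkstemp()
 * picks an unpredictable name and creates it with O_CREAT|O_EXCL, so a file
 * or symlink already at that path is never opened. Returns fd or -1. */
int create_temp_securely(const char *dir, char *out_path, size_t out_len)
{
    char tmpl[4096];
    int n = snprintf(tmpl, sizeof tmpl, "%s/lhXXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof tmpl || (size_t)n >= out_len)
        return -1;
    mode_t old = umask(077);            /* mode 0600 even on old mkstemp() */
    int fd = mkstemp(tmpl);
    umask(old);
    if (fd >= 0)
        memcpy(out_path, tmpl, (size_t)n + 1);
    return fd;
}

/* True if path is a regular file (not a symlink), mode 0600, owned by us. */
int temp_file_is_private(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0 && S_ISREG(st.st_mode)
           && (st.st_mode & 0777) == 0600 && st.st_uid == getuid();
}

/* Mitigation self-check: create a private temp file, then attempt a second
 * exclusive create at the same name (the CVE's pre-existing file). 0 = refused
 * with EEXIST as required; other values name the failed step. */
int check_exclusive_create(const char *dir)
{
    char path[4096];
    int rc = 0, fd = create_temp_securely(dir, path, sizeof path);
    if (fd < 0) return 1;
    if (!temp_file_is_private(path))
        rc = 2;
    else if (open(path, O_WRONLY | O_CREAT | O_EXCL, 0600) != -1)
        rc = 3;                         /* existing file was reused: unsafe */
    else if (errno != EEXIST)
        rc = 4;
    close(fd); unlink(path);
    return rc;
}
```

Calling check_exclusive_create("/tmp") returns 0 on a correctly behaving system; any other value points at the step where the temp file was not private or a pre-existing name was silently reused.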
--- Begin Message ---
Source: lha
Source-Version: 1.14i-10.2
We believe that the bug you reported is fixed in the latest version of
lha, which is due to be installed in the Debian FTP archive:
lha_1.14i-10.2.diff.gz
to pool/non-free/l/lha/lha_1.14i-10.2.diff.gz
lha_1.14i-10.2.dsc
to pool/non-free/l/lha/lha_1.14i-10.2.dsc
lha_1.14i-10.2_i386.deb
to pool/non-free/l/lha/lha_1.14i-10.2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated lha package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 09 Sep 2007 14:49:16 +0200
Source: lha
Binary: lha
Architecture: source i386
Version: 1.14i-10.2
Distribution: unstable
Urgency: high
Maintainer: GOTO Masanori <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
lha - lzh archiver
Closes: 437621
Changes:
lha (1.14i-10.2) unstable; urgency=high
.
* Non-maintainer upload by testing security team.
* Included patch.CVE-2007-2030.patch to fix insecure handling of
temporary files (CVE-2007-2030) (Closes: #437621).
Files:
37e64d7059aeb7c688184de2196f9744 550 non-free/utils optional lha_1.14i-10.2.dsc
8af038a486067313a26ce0687264bf38 46360 non-free/utils optional lha_1.14i-10.2.diff.gz
9d3ec0d02ec1ce0aa96504d84fbd4b7a 59530 non-free/utils optional lha_1.14i-10.2_i386.deb
--- End Message ---