tags 463907 + confirmed
thanks

On 04-02-2008 10:16, Nico Golde wrote:
> * Frank Lichtenheld <[EMAIL PROTECTED]> [2008-02-04 12:56]:
>> Package: wml
>> Version: 2.0.11-1
>> Severity: serious
>> Tags: security
>>
>> The following code in wml_backend/p1_ipp/ipp.src is obviously unsafe
>> (and actually causing practical problems during the Debian website
>> build):
>>
>> $tmpdir = $ENV{'TMPDIR'} || '/tmp';
>> $tmpfile = $tmpdir . "/ipp.$$.tmp";
>> unlink($tmpfile);
>> $tmp = new IO::File;
>> $tmp->open(">$tmpfile") || error("cannot write into $tmpfile: $!");
> [...]
>
> Thanks I confirmed this, a CVE id is pending.
> Kind regards
> Nico

Just for the record, there is a new version of wml that should be
packaged; I will take care to properly keep this fix if it is not
present upstream.

Would you like me to prepare a package to fix this? Or should I wait
for the Debian Security Team? I'm OK with an NMU.

As soon as possible, I will work on the new package and also clean up
the BTS for wml. Sorry for the delay.

Kind regards,
-- 
Felipe Augusto van de Wiel (faw)
"Debian. Freedom to code. Code to freedom!"
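
A hardened form of the temp-file handling quoted from ipp.src, as an added example that is not part of the original message and is not wml's own code or its eventual fix. The helper names `open_excl` and `open_tempfile` and the scratch-directory demo are assumptions made up for illustration.

```perl
#!/usr/bin/perl
# Added example, not wml code: two ways to create the ipp temp file safely.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempfile);

# Keep the predictable name but create it atomically. O_CREAT|O_EXCL fails
# with EEXIST if anything already sits at $path, including a symlink.
sub open_excl {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600) or return;
    return $fh;
}

# Preferred: let File::Temp choose an unpredictable name and create it
# exclusively with mode 0600. Returns (filehandle, filename).
sub open_tempfile {
    my ($dir) = @_;
    return tempfile('ipp.XXXXXXXX', DIR => $dir, SUFFIX => '.tmp', UNLINK => 0);
}

# --- Constructed demo, confined to a private scratch directory ---
my $scratch = File::Temp->newdir();      # removed when $scratch goes out of scope
my $other   = "$scratch/other-file";     # stands in for a file that must not be touched
open(my $o, '>', $other) or die "open: $!";
print {$o} "original contents\n";
close($o);

# Something already occupies the name the quoted code would have computed.
my $predictable = "$scratch/ipp.$$.tmp";
symlink($other, $predictable) or die "symlink: $!";

my $fh = open_excl($predictable);
print defined $fh ? "exclusive open succeeded\n" : "exclusive open refused: $!\n";

open(my $check, '<', $other) or die "open: $!";
print "other-file still holds: ", scalar <$check>;
close($check);

my ($tfh, $tname) = open_tempfile("$scratch");
printf "File::Temp created %s with mode %04o\n", $tname, (stat($tname))[2] & 07777;
print {$tfh} "ipp scratch data\n";
close($tfh);
unlink($tname);
```

The quoted `unlink` followed by a plain `open(">$tmpfile")` leaves a window between the two calls; both helpers close it by making creation and the existence check a single system call.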