Your message dated Wed, 23 Apr 2008 01:27:45 +0100
with message-id <[EMAIL PROTECTED]>
and subject line xexec has been removed from Debian, closing #472093
has caused the Debian Bug report #472093,
regarding xexec: Insecure tempfile
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
472093: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=472093
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: xexec
Version: 0.0.3-24
Severity: grave
Tags: security
Justification: user security hole
I've been fixing outstanding GCC 4.3 issues and found this while
looking into the build failure:
--
void Exec::runline()
{
    ofstream command_file;
    int useless;
    command_file.open("/tmp/exec.tmp", ios::out);
    /* What we're doing here is saving our command
       in a little shell script that will be run coming
       up here. */
    command_file
        << "#!/bin/sh\n"
        << cline->text();
    /* The fun, object oriented STREAM way of
       doing things!! wooohoooo */
    command_file.close(); // Finish up.
    useless = execlp(SHELL, SHELL, "/tmp/exec.tmp", NULL);
    /* Run shell with command line file as script. */
}
--
Symlinking /tmp/exec.tmp to any file writable to the user running
xexec will overwrite that file with
#!/bin/sh
name-of-executed-program
Fortunately xexec is almost useless and with hardly any users,
since the functionality is provided by the desktop equivalents
in KDE, GNOME, xfce or a regular xterm:
Description: Run a simple arbitrary command from X
xexec is a program designed to allow quick and easy access for
running simple command lines. For example, let's say you wanted to
start Netscape, but didn't have it on your window manager's menu. Just
run xexec, and type netscape in the text box, press enter, and there
you have it. It is especially useful for allowing access to any
available command via one primary menu entry.
I'll request archive removal; I don't think we need to waste time with
it. But this is a nice example of why we need to be more careful about
fringe packages of poor quality: they don't receive any review
for practical purposes.
This package has been in the archive for ten years and the error
is not exactly hard to find, since the package is ridiculously
small: (the 165 lines even include generated MOC)
SLOC Directory SLOC-by-Language (Sorted)
165 top_dir cpp=165
6 debian sh=6
0 doc (none)
Totals grouped by language (dominant language first):
cpp: 165 (96.49%)
sh: 6 (3.51%)
Cheers,
Moritz
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages xexec depends on:
ii libc6 2.7-9 GNU C Library: Shared libraries
ii libgcc1 1:4.3.0-1 GCC support library
ii libqt3-mt 3:3.3.8b-4 Qt GUI Library (Threaded runtime v
ii libstdc++6 4.3.0-1 The GNU Standard C++ Library v3
ii libx11-6 2:1.0.3-7 X11 client-side library
ii libxext6 2:1.0.4-1 X11 miscellaneous extension librar
xexec recommends no packages.
-- no debconf information
--- End Message ---
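Added example (not xexec's code and not part of either message above): the two standard ways to avoid the fixed "/tmp/exec.tmp" problem described in the report, plus a reproduction of the symlink scenario in a throwaway directory. Function names, the scratch directory and the "victim" file are all constructed for this illustration; the fix shown is O_CREAT|O_EXCL (directly, and via mkstemp()), which refuses to create the script through any pre-existing entry.

```cpp
#include <cerrno>
#include <cstdlib>
#include <fcntl.h>
#include <fstream>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Creation at a caller-chosen name that refuses to go through anything already
// present there: O_EXCL makes open() fail if the entry exists, even when that
// entry is a symlink, and O_NOFOLLOW never dereferences one. Returns an fd or -1.
int create_script_exclusive(const std::string& path)
{
    return open(path.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, S_IRUSR | S_IWUSR);
}

// Creation at a unique name: mkstemp() opens with O_CREAT|O_EXCL and mode 0600,
// so no pre-planted entry can be reused. Writes "#!/bin/sh\n<command>\n" and
// returns the path (hand it to execlp(SHELL, SHELL, path, NULL)), or "" on error.
std::string write_command_script(const std::string& dir, const std::string& command)
{
    std::string path = dir + "/exec.XXXXXX";       // mkstemp() rewrites the Xs in place
    int fd = mkstemp(&path[0]);
    if (fd < 0) return "";
    std::string script = "#!/bin/sh\n" + command + "\n";
    bool ok = write(fd, script.data(), script.size()) == (ssize_t)script.size();
    close(fd);
    if (!ok) { unlink(path.c_str()); return ""; }
    return path;
}

// Reproduces the report's scenario in a scratch directory: a symlink named
// exec.tmp points at a file the user can write. Returns true when the exclusive
// open is refused (EEXIST, or ELOOP on systems that report O_NOFOLLOW first)
// and the victim file keeps its original contents.
bool symlink_is_refused()
{
    char dir[] = "/tmp/xexec-demo.XXXXXX";          // constructed scratch directory
    if (mkdtemp(dir) == NULL) return false;
    std::string victim = std::string(dir) + "/victim", link = std::string(dir) + "/exec.tmp";
    { std::ofstream out(victim.c_str()); out << "original contents\n"; }
    if (symlink(victim.c_str(), link.c_str()) != 0) return false;
    int fd = create_script_exclusive(link);         // the xexec code would have followed the link
    bool refused = (fd < 0 && (errno == EEXIST || errno == ELOOP));
    if (fd >= 0) close(fd);
    std::string line;
    { std::ifstream in(victim.c_str()); std::getline(in, line); }
    unlink(link.c_str()); unlink(victim.c_str()); rmdir(dir);
    return refused && line == "original contents";
}
```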
--- Begin Message ---
Version: 0.0.3-24+rm
The xexec package has been removed from Debian testing, unstable and
experimental, so I am now closing the bugs that were still opened
against it.
For more information about this package's removal, read
http://bugs.debian.org/472267 . That bug might give the reasons why
this package was removed, and suggestions of possible replacements.
Don't hesitate to reply to this mail if you have any questions.
Thank you for your contribution to Debian.
--
Marco Rodrigues
http://Marco.Tondela.org
--- End Message ---