Your message dated Mon, 29 Sep 2008 21:02:13 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#500611: fixed in jumpnbump 1.50+dfsg1-1
has caused the Debian Bug report #500611,
regarding jumpnbump: insecure use of /tmp
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
500611: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500611
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: jumpnbump
Version: 1.50-6
Severity: grave
Tags: security
Justification: user security hole

Hi,

jumpnbump uses files in the /tmp directory in an unsafe manner:

 * jumpnbump-menu calls `convert' on files in /tmp, this allows
   another user to overwrite arbitrary files via symlinks.
   The patch for #500340 should solve this.

 * jumpnbump-menu calls `jumpnbump-unpack' in /tmp, same problem
   (this only affects the version in Etch, the version in Lenny is
   broken)
   The patch above addresses this as well.

 * in sdl/sound.c:509, the file "/tmp/jnb.tmpmusic.mod" is opened
   for writing

 * jumpnbump-unpack should not follow symlinks when overwriting files
   (makes it at least more safe if called in /tmp)

I think the last point is not as critical as the others, as the user
will have to start jumpnbump-unpack in a directory writable by others.

Regards,
Ansgar



--- End Message ---
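The report above describes two distinct defects: a fixed, predictable file name opened for writing in a world-writable directory (sdl/sound.c), and an unpacker that overwrites destination files through symlinks. The C block below is an added example written for this page; it is not code from the jumpnbump package, from the bug report or from the Debian fix, and every function name in it (tmp_base, secure_tmp_create, extract_open, run_checks) is hypothetical. It assumes a POSIX system with openat() and O_NOFOLLOW, and Linux's ELOOP result when O_NOFOLLOW meets a symlink. It shows the hardened form of each pattern and then checks, in a private scratch directory, that a planted symlink is refused while an honest destination still works.

```c
/* Added example for the two /tmp problems in the report above, not code from
 * jumpnbump, the bug report or the Debian fix; all function names here are
 * hypothetical. Assumes POSIX openat()/O_NOFOLLOW with Linux's ELOOP result. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Honour TMPDIR, fall back to /tmp. */
static const char *tmp_base(void)
{
    const char *d = getenv("TMPDIR");
    return (d != NULL && *d != '\0') ? d : "/tmp";
}

/* Problem 1: sdl/sound.c opened the fixed name "/tmp/jnb.tmpmusic.mod" for
 * writing, and fopen("w") follows a symlink planted there. mkstemp() picks an
 * unpredictable name and creates it O_CREAT|O_EXCL with mode 0600, so a planted
 * link makes creation fail instead of being followed. Returns fd or -1. */
int secure_tmp_create(char *path_out, size_t path_len)
{
    int n = snprintf(path_out, path_len, "%s/jnb.music.XXXXXX", tmp_base());
    if (n < 0 || (size_t)n >= path_len)
        return -1;
    return mkstemp(path_out);
}

/* Problem 2: jumpnbump-unpack overwrote destinations through symlinks.
 * O_NOFOLLOW fails with ELOOP on a final-component link, openat() pins the
 * destination directory, fstat() rejects non-regular files. Returns fd or -1. */
int extract_open(int dirfd, const char *name)
{
    int fd = openat(dirfd, name,
                    O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Plant "planted" -> "victim" in a private scratch dir, as an attacker would in
 * /tmp; confirm extract_open() refuses it yet accepts an honest name, and that
 * secure_tmp_create() yields a 0600 regular file. 0 = all checks hold. */
int run_checks(void)
{
    char dir[PATH_MAX], tmp[PATH_MAX];
    struct stat st;
    int rc = 0;
    snprintf(dir, sizeof dir, "%s/jnbcheck.XXXXXX", tmp_base());
    if (mkdtemp(dir) == NULL)
        return 1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0)
        return 2;
    int vfd = openat(dfd, "victim", O_WRONLY | O_CREAT, 0644);
    if (vfd < 0 || symlinkat("victim", dfd, "planted") != 0)
        rc = 3;
    if (vfd >= 0)
        close(vfd);
    /* The unpacker must not write through the planted link ... */
    int pfd = extract_open(dfd, "planted");
    if (pfd >= 0) { close(pfd); if (rc == 0) rc = 4; }
    else if (errno != ELOOP && rc == 0) rc = 4;
    /* ... but must still create or overwrite an honest destination. */
    int ofd = extract_open(dfd, "honest.dat");
    if (ofd < 0) { if (rc == 0) rc = 5; }
    else close(ofd);
    /* The temporary music file must be private and a regular file. */
    int tfd = secure_tmp_create(tmp, sizeof tmp);
    if (tfd < 0 || fstat(tfd, &st) != 0 || !S_ISREG(st.st_mode)
        || (st.st_mode & 0777) != 0600) { if (rc == 0) rc = 6; }
    if (tfd >= 0) { close(tfd); unlink(tmp); }
    unlinkat(dfd, "planted", 0);
    unlinkat(dfd, "victim", 0);
    unlinkat(dfd, "honest.dat", 0);
    close(dfd);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_checks();
    printf("run_checks() -> %d (0 = all /tmp handling checks passed)\n", rc);
    return rc;
}
```

The first point in the report (a shell wrapper calling `convert` and `jumpnbump-unpack` on files in /tmp) has the same root cause as the C patterns above: any fixed path in a shared directory can be pre-planted as a symlink, so the fix is an unpredictable name created with O_EXCL semantics, or a per-user directory, rather than a check-then-use test on the fixed path.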
--- Begin Message ---
Source: jumpnbump
Source-Version: 1.50+dfsg1-1

We believe that the bug you reported is fixed in the latest version of
jumpnbump, which is due to be installed in the Debian FTP archive:

jumpnbump_1.50+dfsg1-1.diff.gz
  to pool/main/j/jumpnbump/jumpnbump_1.50+dfsg1-1.diff.gz
jumpnbump_1.50+dfsg1-1.dsc
  to pool/main/j/jumpnbump/jumpnbump_1.50+dfsg1-1.dsc
jumpnbump_1.50+dfsg1-1_i386.deb
  to pool/main/j/jumpnbump/jumpnbump_1.50+dfsg1-1_i386.deb
jumpnbump_1.50+dfsg1.orig.tar.gz
  to pool/main/j/jumpnbump/jumpnbump_1.50+dfsg1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ansgar Burchardt <[EMAIL PROTECTED]> (supplier of updated jumpnbump package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 29 Sep 2008 22:01:59 +0200
Source: jumpnbump
Binary: jumpnbump
Architecture: source i386
Version: 1.50+dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Debian Games Team <[EMAIL PROTECTED]>
Changed-By: Ansgar Burchardt <[EMAIL PROTECTED]>
Description: 
 jumpnbump  - cute multiplayer platform game with bunnies
Closes: 500340 500611
Changes: 
 jumpnbump (1.50+dfsg1-1) unstable; urgency=high
 .
   * Urgency set to high as this upload closes a security issue:
   * Fix insecure handling of /tmp (Closes: #500611)
   * Fix path to utility programs in jumpnbump-menu (Closes: #500340).
     Thanks to Kilian Kilger <[EMAIL PROTECTED]> for the patch.
   * Repackage source to remove dos/libdj.a (no source provided),
     mention this in debian/copyright
   * Bump Standards Version to 3.8.0 (no changes)
   * Add myself to Uploaders.
Checksums-Sha1: 
 642ed0692ca1d25dc2e029e6c72a57e2581fa612 1394 jumpnbump_1.50+dfsg1-1.dsc
 d3ae3972aa4bb681e9de1749445fc185ce8370c8 375934 jumpnbump_1.50+dfsg1.orig.tar.gz
 c1293285dd5f0b40d1d2f8332a6d9337b34a1361 15877 jumpnbump_1.50+dfsg1-1.diff.gz
 456cb0444646f27b7c1747f2756088655c0a10e2 308186 jumpnbump_1.50+dfsg1-1_i386.deb
Checksums-Sha256: 
 9a5d36b562cd7db8a2d3dcf9625f28792c5df8f1242cb9fa1f670b6c583c9417 1394 jumpnbump_1.50+dfsg1-1.dsc
 86308a178c89459539df4a978515f25c0055f84f66f617fd1ee7cb32509d9ff3 375934 jumpnbump_1.50+dfsg1.orig.tar.gz
 dd98d965acd0fa6b9afaf202f0d6e20ebd7b1c460a22813a3b16a5594a9be1ab 15877 jumpnbump_1.50+dfsg1-1.diff.gz
 e5b3ea85b7de92494ced92da2beba80aac9cb877ed2f6025227da93adb29e99f 308186 jumpnbump_1.50+dfsg1-1_i386.deb
Files: 
 93fd87034a771b598257d112c1b167ad 1394 games optional jumpnbump_1.50+dfsg1-1.dsc
 2a9d05b7b5d75168e53094dea7932c4a 375934 games optional jumpnbump_1.50+dfsg1.orig.tar.gz
 0ad207dc34bf6f9cb1e986e1ad6fcdf2 15877 games optional jumpnbump_1.50+dfsg1-1.diff.gz
 56f4e8014fa6d0d132700bf244ceb579 308186 games optional jumpnbump_1.50+dfsg1-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkjhP2QACgkQ5ItltUs5T34L/ACgr7jth6Bw/1cg1fzgNU8rgw4t
FtQAnRdLhHiZAmXKb09L7WsCphay0zHR
=2eSH
-----END PGP SIGNATURE-----



--- End Message ---