Your message dated Thu, 23 Oct 2008 15:27:58 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#500611: fixed in jumpnbump 1.50-6+etch1
has caused the Debian Bug report #500611,
regarding jumpnbump: insecure use of /tmp
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
500611: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500611
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: jumpnbump
Version: 1.50-6
Severity: grave
Tags: security
Justification: user security hole
Hi,
jumpnbump uses files in the /tmp directory in an unsafe manner:
* jumpnbump-menu calls `convert' on files in /tmp; this allows
another user to overwrite arbitrary files via symlinks.
The patch for #500340 should solve this.
* jumpnbump-menu calls `jumpnbump-unpack' in /tmp, same problem
(this only affects the version in Etch; the version in Lenny is
broken)
The patch above addresses this as well.
* in sdl/sound.c:509, the file "/tmp/jnb.tmpmusic.mod" is opened
for writing
* jumpnbump-unpack should not follow symlinks when overwriting files
(makes it at least more safe if called in /tmp)
I think the last point is not as critical as the others, as the user
will have to start jumpnbump-unpack in a directory writable by others.
Regards,
Ansgar
--- End Message ---
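The report above describes two distinct /tmp mistakes: opening a fixed, predictable name such as "/tmp/jnb.tmpmusic.mod" for writing, and an unpacker that writes through symbolic links. The following C is an added example, not code from the jumpnbump package or the report, showing the two defensive patterns a maintainer would reach for: mkstemp() for a private temporary file and O_NOFOLLOW when writing output files. The helper names create_private_tempfile and open_output_nofollow are this example's own.

```c
/* Added example (not jumpnbump code): defensive handling of the two
 * problems in the report above.
 *  - A fixed name like "/tmp/jnb.tmpmusic.mod" opened with fopen(..., "w")
 *    follows whatever a symlink placed at that path points to. mkstemp()
 *    instead creates a fresh, unpredictable file with O_CREAT|O_EXCL, 0600.
 *  - An unpacker that overwrites files in the current directory should not
 *    write through a symbolic link; O_NOFOLLOW makes open() fail with
 *    ELOOP when the final path component is a symlink.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create a private temp file. On success the generated path is written
 * into `path` (buffer of `size` bytes) and the open descriptor returned;
 * returns -1 on failure. Honours $TMPDIR like most Unix tools. */
int create_private_tempfile(char *path, size_t size)
{
    const char *tmpdir = getenv("TMPDIR");
    if (tmpdir == NULL || *tmpdir == '\0')
        tmpdir = "/tmp";
    if (snprintf(path, size, "%s/jnb.XXXXXX", tmpdir) >= (int)size)
        return -1;
    /* mkstemp replaces XXXXXX and opens with O_CREAT|O_EXCL, so a file or
     * symlink pre-placed by another user at that name is never reused. */
    return mkstemp(path);
}

/* Open `path` for writing (creating/truncating it) but refuse to go
 * through a symlink at the final component. Returns fd, or -1 with
 * errno == ELOOP when `path` is a symbolic link. */
int open_output_nofollow(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
}

int main(void)
{
    char path[64];
    int fd = create_private_tempfile(path, sizeof path);
    if (fd < 0) { perror("mkstemp"); return 1; }
    printf("created private temp file %s\n", path);
    close(fd);
    unlink(path);   /* clean up; a real program would unlink when done */
    return 0;
}
```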
--- Begin Message ---
Source: jumpnbump
Source-Version: 1.50-6+etch1
We believe that the bug you reported is fixed in the latest version of
jumpnbump, which is due to be installed in the Debian FTP archive:
jumpnbump_1.50-6+etch1.diff.gz
to pool/main/j/jumpnbump/jumpnbump_1.50-6+etch1.diff.gz
jumpnbump_1.50-6+etch1.dsc
to pool/main/j/jumpnbump/jumpnbump_1.50-6+etch1.dsc
jumpnbump_1.50-6+etch1_powerpc.deb
to pool/main/j/jumpnbump/jumpnbump_1.50-6+etch1_powerpc.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ansgar Burchardt <[EMAIL PROTECTED]> (supplier of updated jumpnbump package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 06 Oct 2008 18:00:04 +0200
Source: jumpnbump
Binary: jumpnbump
Architecture: source powerpc
Version: 1.50-6+etch1
Distribution: stable
Urgency: high
Maintainer: Debian Games Team <[EMAIL PROTECTED]>
Changed-By: Ansgar Burchardt <[EMAIL PROTECTED]>
Description:
jumpnbump - cute multiplayer platform game with bunnies
Closes: 500611
Changes:
jumpnbump (1.50-6+etch1) stable; urgency=high
.
* Update for etch to address a security issue.
* Fix insecure handling of /tmp (Closes: #500611)
* Set Maintainer to Debian Games Team, add Francois Marier and
myself as Uploaders (same as in unstable)
Files:
252cffd102bcde37e7078a6fa357b01e 794 games optional jumpnbump_1.50-6+etch1.dsc
d7988bcdab400a4e9e15ef101f2275b1 13598 games optional jumpnbump_1.50-6+etch1.diff.gz
eea1a892ddb52bb259d071a725f62a5b 311750 games optional jumpnbump_1.50-6+etch1_powerpc.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkjqShkACgkQELuA/Ba9d8Y+YACgr9CzxQHNjVCA6m9b/czBU3NE
8YkAniZkSvriu6CTGNaAtjsY3HAEaCu0
=VxKH
-----END PGP SIGNATURE-----
--- End Message ---