Your message dated Sun, 06 Dec 2009 16:40:08 +0000
with message-id <1260117608.463947.3927.nullmai...@kmos.homeip.net>
and subject line Package winkeydaemon has been removed from Debian
has caused the Debian Bug report #553948,
regarding winkeydaemon: Symlink attack allows creation of arbitrary files
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
553948: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=553948
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: winkeydaemon
Version: 1.0.1-3
Justification: user security hole
Severity: grave
Tags: security
*** Please type your report below this line ***
This is probably not a hugely exploitable issue, but reporting
regardless:
winkeydaemon.pl:

    if (-d "/tmp/.winkey") {
        # ok, no action required
    } else {
        my $dir = "/tmp/.winkey";
        `mkdir "$dir"`;
        if ($debug) {print "Arranging mutex directory\n";}
    }
    ...
    ...
    `touch /tmp/.winkey/keyer_busy`;
    ...
    `rm /tmp/.winkey/keyer_busy`;
    ...
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages winkeydaemon depends on:
ii libdevice-serialport-perl 1.04-2+b1 emulation of Win32::SerialPort for
winkeydaemon recommends no packages.
winkeydaemon suggests no packages.
--- End Message ---
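
Added example, not part of the original report and not winkeydaemon's own code: one way to keep the busy flag without trusting a fixed path in world-writable /tmp, where the quoted excerpt accepts whatever already exists at /tmp/.winkey. The sub names (lock_dir, set_busy, clear_busy) and the choice of XDG_RUNTIME_DIR or HOME as the base directory are assumptions made for illustration.

```perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Spec;

# Assumption: a per-user base directory is acceptable for the mutex.
# It is never a shared, world-writable location such as /tmp.
sub lock_dir {
    my $base = $ENV{XDG_RUNTIME_DIR} // $ENV{HOME}
        or die "no private base directory available\n";
    my $dir = File::Spec->catdir($base, '.winkey');

    # mkdir(2) does not follow a symlink at the final component.
    # EEXIST is tolerated here and the existing entry is vetted below.
    mkdir $dir, 0700 or $!{EEXIST} or die "mkdir $dir: $!\n";

    # lstat, not stat: a symlink planted at $dir must not pass as a directory.
    my @st = lstat $dir or die "lstat $dir: $!\n";
    die "$dir is not a real directory\n"  unless -d _;
    die "$dir is not owned by this user\n" unless $st[4] == $>;
    die "$dir is writable by group/other\n" if $st[2] & 022;
    return $dir;
}

sub set_busy {
    my ($dir) = @_;
    my $flag = File::Spec->catfile($dir, 'keyer_busy');
    # O_CREAT|O_EXCL fails if anything, including a symlink, already exists
    # at $flag, so this open cannot create or touch a file somewhere else.
    sysopen(my $fh, $flag, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or return 0;    # already busy, or an unexpected entry is in the way
    close $fh;
    return 1;
}

sub clear_busy {
    my ($dir) = @_;
    # unlink removes the directory entry itself; it does not follow symlinks.
    return unlink File::Spec->catfile($dir, 'keyer_busy');
}

my $dir = lock_dir();
if (set_busy($dir)) {
    print "keyer marked busy in $dir\n";
    clear_busy($dir);
} else {
    print "keyer already busy\n";
}
```

Unlike `touch`, set_busy reports an existing flag instead of silently succeeding, so a caller can tell "already busy" apart from "flag created".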
--- Begin Message ---
Version: 1.0.1-4+rm
You filed the bug http://bugs.debian.org/553948 in Debian BTS
against the package winkeydaemon. I'm closing it at *unstable*, but it will
remain open for older distributions.
For more information about this package's removal, read
http://bugs.debian.org/558450. That bug might give the reasons why
this package was removed and suggestions of possible replacements.
Don't hesitate to reply to this mail if you have any questions.
Thank you for your contribution to Debian.
--
Marco Rodrigues
--- End Message ---