Your message dated Mon, 05 Apr 2010 13:32:13 +0000
with message-id <e1nympv-0000gt...@ries.debian.org>
and subject line Bug#575921: fixed in fai 3.3.5
has caused the Debian Bug report #575921,
regarding install_packages may write to world writable directory
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
575921: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=575921
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: fai-client
Severity: critical
Tags: security
Tags: pending

When using fai softupdate, install_packages writes a list of all
packages to the file /var/tmp/package, which is located in a world
writeable directory. It also writes to /tmp/packages.list if
FAI_DEBSOURCESDIR is set. These problems only affect FAI versions from
3.3 to 3.3.4.

In case you use PACKAGES dselect-upgrade (I guess it's not used very
often) in package_config it writes to
$FAI_ROOT/tmp/dpkg-selections.tmp. Since FAI_ROOT is set to / if you
are calling fai softupdate, this is a security problem. This problem
also affects older versions.

I've already prepared a patch for this, which is available in the svn trunk.
-- 
regards Thomas



--- End Message ---
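The class of problem reported above (a fixed file name inside a directory that any local user can write to) and one common hardening, as an added shell example. It is not FAI's code and not the change made in 3.3.5; the function names and the `instpkg` prefix are hypothetical.

```shell
#!/bin/sh
# Added example, not FAI code: audit scratch paths, then use a private one.

# Return 0 if the directory that would hold $1 is writable by "other".
# In the `ls -l` mode string the other-write bit is the 9th character.
parent_is_world_writable() {
    dir=$(dirname -- "$1")
    [ -d "$dir" ] || return 1
    case $(ls -ldL -- "$dir" 2>/dev/null) in
        ????????w*) return 0 ;;
    esac
    return 1
}

# Create a private scratch directory (mktemp -d: mode 0700, random name)
# and print the path of a file inside it. $1 is the wanted file name.
# Meant to be called in $(...), so the umask change stays in the subshell.
private_scratch_file() {
    umask 077
    d=$(mktemp -d "${TMPDIR:-/tmp}/instpkg.XXXXXX") || return 1
    printf '%s/%s\n' "$d" "$1"
}

# Write stdin to $1 only if the name is not already taken. With noclobber
# (set -C) the redirection fails on an existing file, including a symlink
# that points at one, instead of truncating it.
write_new_only() {
    ( set -C; cat > "$1" ) 2>/dev/null
}

# Audit the three paths named in the report (FAI_ROOT=/ for softupdate).
for p in /var/tmp/package /tmp/packages.list /tmp/dpkg-selections.tmp; do
    if parent_is_world_writable "$p"; then
        echo "fixed name in world-writable directory: $p"
    fi
done
```
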
--- Begin Message ---
Source: fai
Source-Version: 3.3.5

We believe that the bug you reported is fixed in the latest version of
fai, which is due to be installed in the Debian FTP archive:

fai-client_3.3.5_all.deb
  to main/f/fai/fai-client_3.3.5_all.deb
fai-doc_3.3.5_all.deb
  to main/f/fai/fai-doc_3.3.5_all.deb
fai-nfsroot_3.3.5_all.deb
  to main/f/fai/fai-nfsroot_3.3.5_all.deb
fai-quickstart_3.3.5_all.deb
  to main/f/fai/fai-quickstart_3.3.5_all.deb
fai-server_3.3.5_all.deb
  to main/f/fai/fai-server_3.3.5_all.deb
fai_3.3.5.dsc
  to main/f/fai/fai_3.3.5.dsc
fai_3.3.5.tar.gz
  to main/f/fai/fai_3.3.5.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 575...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Lange <la...@debian.org> (supplier of updated fai package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 05 Apr 2010 14:35:34 +0200
Source: fai
Binary: fai-client fai-doc fai-server fai-quickstart fai-nfsroot
Architecture: source all
Version: 3.3.5
Distribution: unstable
Urgency: high
Maintainer: Thomas Lange <la...@debian.org>
Changed-By: Thomas Lange <la...@debian.org>
Description: 
 fai-client - Fully Automatic Installation client package
 fai-doc    - Documentation for FAI
 fai-nfsroot - Fully Automatic Installation nfsroot package
 fai-quickstart - Fully Automatic Installation quickstart package
 fai-server - Fully Automatic Installation server package
Closes: 575921
Changes: 
 fai (3.3.5) unstable; urgency=high
 .
   [ Thomas Lange ]
   * install_packages: security fix, do not write to world writeable
     directories (closes: #575921)
   * fai-chboot: do not print templates containing a number as subnet
   * disk-info: remove local to make it a pure shell script

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLudoR3BPlTqubZv0RAsMMAKCksl2Hrl2Ri1pxcYetbW3+4q264QCeMXq7
QT87Hyv8LLAedq8+eF7eWL8=
=Bisq
-----END PGP SIGNATURE-----



--- End Message ---
