Your message dated Sun, 26 Sep 2010 23:17:06 +0000
with message-id <e1p00sw-0005dg...@franck.debian.org>
and subject line Bug#598134: fixed in ocrodjvu 0.4.6-2
has caused the Debian Bug report #598134,
regarding ocrodjvu: insecure use of temporary files
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
598134: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598134
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ocrodjvu
Version: 0.4.6-1
Severity: grave
Tags: security
Justification: user security hole
If Cuneiform is used as OCR engine, ocrodjvu atomically creates
a temporary file in /tmp (or $TMPDIR) and then runs
cuneiform -l <language> -f hocr -o <tmpoutputfile> <inputfile>
This turns out to be insecure: in some circumstances (e.g. if the OCRed
page contains illustrations), Cuneiform creates additional files in the
same directory as output file. As a consequence, a local attacker can
overwrite arbitrary files via a symlink attack.
--
Jakub Wilk
signature.asc
Description: Digital signature
--- End Message ---
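The bug class above, as an added example (not ocrodjvu's or Cuneiform's code, and not the cuneiform-temp-files.diff fix itself): the temporary output file is created atomically with mkstemp, so the file the caller names is safe, but the engine also writes a side file with a predictable name into the same directory, and an attacker who pre-creates that name as a symlink in the shared /tmp gets it followed. The engine here is a stand-in that mimics that side effect; the side-file name, the input bytes and the sandboxed stand-in for /tmp are constructed for the demonstration. The hardened form is the usual remedy (a private, unpredictably named temporary directory with mode 0700 that holds everything the engine writes), offered as an assumption about the right fix rather than a description of the uploaded patch.

```python
"""Demonstration of the temp-file symlink bug class from #598134.

Added example; everything below is constructed and is not code from
ocrodjvu or Cuneiform.  `fake_ocr_engine` stands in for an external
program that, besides the output file it was told to write, drops a
scratch file with a predictable name into the output file's directory.
"""
import os
import tempfile

SIDE_FILE_NAME = "ocr-scratch.bin"   # hypothetical predictable side-file name


def fake_ocr_engine(input_path: str, output_path: str) -> None:
    """Stand-in for `cuneiform -f hocr -o <output> <input>`.

    Writes the requested output and, as a side effect, a scratch file next
    to it.  Like a real external tool it opens both by name, with O_CREAT
    but without O_EXCL, so a symlink planted at the scratch name is followed.
    """
    with open(input_path, "rb") as f:
        size = len(f.read())
    with open(output_path, "w") as f:
        f.write("<html>hocr for %d bytes</html>" % size)
    side_path = os.path.join(os.path.dirname(output_path), SIDE_FILE_NAME)
    with open(side_path, "wb") as f:          # follows a planted symlink
        f.write(b"scratch")


def ocr_vulnerable(input_path: str, tmp_root: str) -> str:
    """Pattern from the bug report: an atomically created temporary *file*
    in a shared directory.  mkstemp protects this one path only; whatever
    else the engine writes beside it is unprotected."""
    fd, out_path = tempfile.mkstemp(suffix=".html", dir=tmp_root)
    os.close(fd)
    try:
        fake_ocr_engine(input_path, out_path)
        with open(out_path) as f:
            return f.read()
    finally:
        os.unlink(out_path)


def ocr_hardened(input_path: str, tmp_root: str) -> str:
    """Remedy: a private temporary *directory* (unpredictable name, mode
    0700).  Nothing an attacker planted in the shared directory can be in
    the directory the engine writes its side files to."""
    with tempfile.TemporaryDirectory(dir=tmp_root) as tmpdir:
        out_path = os.path.join(tmpdir, "out.html")
        fake_ocr_engine(input_path, out_path)
        with open(out_path) as f:
            return f.read()


def attacker_plants_symlink(shared_dir: str, victim_path: str) -> None:
    """Local attacker pre-creates the predictable side-file name as a
    symlink to a file the victim user can write but the attacker cannot."""
    os.symlink(victim_path, os.path.join(shared_dir, SIDE_FILE_NAME))


def run_scenario(hardened: bool) -> bool:
    """Run one OCR call against a planted symlink.

    Returns True if the victim file was overwritten.  The sandbox is a
    fresh private directory, not the real /tmp, so the kernel's
    fs.protected_symlinks restriction (sticky world-writable dirs, differing
    owners) does not interfere; in the real attack the planting user and
    the OCR user differ.
    """
    with tempfile.TemporaryDirectory() as sandbox:
        shared = os.path.join(sandbox, "tmp")         # stands in for /tmp
        os.mkdir(shared)
        victim = os.path.join(sandbox, "victim.txt")
        with open(victim, "wb") as f:
            f.write(b"original\n")
        scan = os.path.join(sandbox, "page.djvu")
        with open(scan, "wb") as f:
            f.write(b"AT&TFORM placeholder")         # constructed input
        attacker_plants_symlink(shared, victim)
        (ocr_hardened if hardened else ocr_vulnerable)(scan, shared)
        with open(victim, "rb") as f:
            return f.read() != b"original\n"


if __name__ == "__main__":
    print("mkstemp in shared dir, victim overwritten:", run_scenario(False))
    print("private mkdtemp,         victim overwritten:", run_scenario(True))
```

The point the example makes is that the atomic creation of the named output file was never the weak spot; the weak spot is every other path the child process derives from it. Any wrapper that hands an external tool a path inside a shared, world-writable directory should give it a private directory instead, and should keep doing so even if the tool's documented outputs are all explicitly named.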
--- Begin Message ---
Source: ocrodjvu
Source-Version: 0.4.6-2
We believe that the bug you reported is fixed in the latest version of
ocrodjvu, which is due to be installed in the Debian FTP archive:
ocrodjvu_0.4.6-2.debian.tar.gz
to main/o/ocrodjvu/ocrodjvu_0.4.6-2.debian.tar.gz
ocrodjvu_0.4.6-2.dsc
to main/o/ocrodjvu/ocrodjvu_0.4.6-2.dsc
ocrodjvu_0.4.6-2_all.deb
to main/o/ocrodjvu/ocrodjvu_0.4.6-2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 598...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jakub Wilk <jw...@debian.org> (supplier of updated ocrodjvu package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 27 Sep 2010 00:13:09 +0200
Source: ocrodjvu
Binary: ocrodjvu
Architecture: source all
Version: 0.4.6-2
Distribution: unstable
Urgency: high
Maintainer: Jakub Wilk <jw...@debian.org>
Description:
ocrodjvu - tool to perform OCR on DjVu documents
Closes: 594385 598134 598139
Changes:
ocrodjvu (0.4.6-2) unstable; urgency=high
.
* Fix URL in changelog-0.4.6.diff.
* Preserve environment variables (except LC_*, LANG and LANGUAGE) when
calling external programs (closes: #594385). [preserve-environment.diff]
* Fix crash on hOCR with image elements (closes: #598139).
[hocr-no-bbox.diff]
* Fix insecure use of temporary files (closes: #598134).
[cuneiform-temp-files.diff]
Checksums-Sha1:
5bb3845cf4fd14978689420fc5865b9a1001b89f 2075 ocrodjvu_0.4.6-2.dsc
7c9de17785d1d3fe3f3e0b5bb0bd736592541728 5782 ocrodjvu_0.4.6-2.debian.tar.gz
405a5d722ca84b855bc533b78ee5fb3869e366e9 28366 ocrodjvu_0.4.6-2_all.deb
Checksums-Sha256:
7cf4d87daafc0e81890526dba3f2b9810e5cbf11939de9e033047c6838e77650 2075 ocrodjvu_0.4.6-2.dsc
a35b231d34f733ca01197f09e69d57fb5d7e775937dc879f1dc5dcdbff65961e 5782 ocrodjvu_0.4.6-2.debian.tar.gz
797e928a2e94ef70d29d179daff1bfc2bbe0508d384b5a6f03fa5bd2385b60e2 28366 ocrodjvu_0.4.6-2_all.deb
Files:
e076b4a178601317b60b9019485717b0 2075 text optional ocrodjvu_0.4.6-2.dsc
38152ae09a0f188d145a79ac59f33ef9 5782 text optional ocrodjvu_0.4.6-2.debian.tar.gz
20e7a0cdede3fbb629343e277e05629d 28366 text optional ocrodjvu_0.4.6-2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

=vbyv
-----END PGP SIGNATURE-----
--- End Message ---