Your message dated Sun, 26 Sep 2010 23:17:14 +0000
with message-id <e1p00t4-0005fp...@franck.debian.org>
and subject line Bug#598134: fixed in ocrodjvu 0.6.1-1
has caused the Debian Bug report #598134,
regarding ocrodjvu: insecure use of temporary files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
598134: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598134
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ocrodjvu
Version: 0.4.6-1
Severity: grave
Tags: security
Justification: user security hole

If Cuneiform is used as the OCR engine, ocrodjvu atomically creates a temporary file in /tmp (or $TMPDIR) and then runs

cuneiform -l <language> -f hocr -o <tmpoutputfile> <inputfile>

This turns out to be insecure: in some circumstances (e.g. if the OCRed page contains illustrations), Cuneiform creates additional files in the same directory as the output file. As a consequence, a local attacker can overwrite arbitrary files via a symlink attack.

--
Jakub Wilk

Attachment: signature.asc
Description: Digital signature


--- End Message ---
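The report above describes a temporary-file weakness that an atomically created output file does not cover: the named output file is safe, but the engine writes further files beside it, under names it chooses, in a world-writable directory. The defensive pattern is to give the engine a fresh private directory (tempfile.mkdtemp creates one with mode 0700 and an unpredictable name) and point its output inside it, so every file it creates is out of reach of other local users. The following is an added example illustrating that pattern; it is not ocrodjvu's or Cuneiform's own code. The fake engine, its sidecar file name "image_0001.bmp", the "demo-shared-tmp-" stand-in for /tmp and the function names are constructed for the example.

```python
"""Private work directory for an external OCR engine that writes extra
files next to its output (the pattern behind Debian bug #598134).
Added example, not ocrodjvu's own code; the engine stand-in and the
sidecar file name are constructed so the example runs offline."""
import os
import shutil
import stat
import tempfile


def cuneiform_argv(language, input_path, output_path):
    # The command line from the bug report, unchanged; the mitigation is
    # only in where output_path lives (inside a private directory).
    return ["cuneiform", "-l", language, "-f", "hocr", "-o", output_path, input_path]


def fake_cuneiform(input_path, output_path):
    """Constructed stand-in for Cuneiform so the example runs offline.
    Writes the hOCR output and, as the report says Cuneiform does on
    pages with illustrations, an extra file in the same directory as the
    output (the file name here is hypothetical)."""
    with open(output_path, "w") as out:
        out.write("<html><body><div class='ocr_page' title='%s'></div></body></html>"
                  % os.path.basename(input_path))
    sidecar = os.path.join(os.path.dirname(output_path), "image_0001.bmp")
    with open(sidecar, "wb") as img:
        img.write(b"BM")  # minimal stand-in content
    return [output_path, sidecar]


def check_private_dir(path):
    """Belt-and-braces check before handing the directory to the engine:
    it must be a real directory (not a symlink), owned by us, and
    inaccessible to other users (no group/other permission bits)."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError("work dir is not a directory: %s" % path)
    if st.st_uid != os.getuid():
        raise RuntimeError("work dir not owned by us: %s" % path)
    if st.st_mode & 0o077:
        raise RuntimeError("work dir accessible to other users: %s" % path)


def run_ocr_privately(engine, input_path, shared_tmp=None):
    """Run engine(input_path, output_path) with output_path inside a fresh
    private directory, so whatever else the engine writes beside its output
    lands there too. Returns (hocr_text, files the engine left in the work
    dir, entries that newly appeared in the shared tmp dir during the run).
    The last list is the exposure check: it should be empty."""
    shared_tmp = shared_tmp or tempfile.gettempdir()
    before = set(os.listdir(shared_tmp))
    # mkdtemp: unpredictable name, mode 0700, created atomically.
    workdir = tempfile.mkdtemp(prefix="ocrodjvu-", dir=shared_tmp)
    try:
        check_private_dir(workdir)
        output_path = os.path.join(workdir, "output.hocr")
        engine(input_path, output_path)
        with open(output_path) as fh:
            hocr = fh.read()
        leftovers = sorted(os.listdir(workdir))
    finally:
        shutil.rmtree(workdir)
    stray = sorted(set(os.listdir(shared_tmp)) - before)
    return hocr, leftovers, stray


def demo():
    """Self-contained run on constructed input: a throwaway directory
    standing in for the shared /tmp, plus an empty input image."""
    shared = tempfile.mkdtemp(prefix="demo-shared-tmp-")
    try:
        input_path = os.path.join(shared, "page-1.pgm")
        open(input_path, "wb").close()
        hocr, leftovers, stray = run_ocr_privately(fake_cuneiform, input_path, shared)
        return {"hocr": hocr, "leftovers": leftovers, "stray": stray}
    finally:
        shutil.rmtree(shared)


if __name__ == "__main__":
    print(demo())
```

With the real engine, `engine` would be a small wrapper that calls `subprocess.check_call(cuneiform_argv(lang, input_path, output_path))`; the point is that the sidecar file ends up in `leftovers` (inside the 0700 directory) and `stray` stays empty, whereas with a bare mkstemp() output file in /tmp the sidecar would appear in the shared directory under a name another local user could have pre-planted.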
--- Begin Message ---
Source: ocrodjvu
Source-Version: 0.6.1-1

We believe that the bug you reported is fixed in the latest version of
ocrodjvu, which is due to be installed in the Debian FTP archive:

ocrodjvu_0.6.1-1.debian.tar.gz
  to main/o/ocrodjvu/ocrodjvu_0.6.1-1.debian.tar.gz
ocrodjvu_0.6.1-1.dsc
  to main/o/ocrodjvu/ocrodjvu_0.6.1-1.dsc
ocrodjvu_0.6.1-1_all.deb
  to main/o/ocrodjvu/ocrodjvu_0.6.1-1_all.deb
ocrodjvu_0.6.1.orig.tar.gz
  to main/o/ocrodjvu/ocrodjvu_0.6.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 598...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jakub Wilk <jw...@debian.org> (supplier of updated ocrodjvu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 27 Sep 2010 00:58:24 +0200
Source: ocrodjvu
Binary: ocrodjvu
Architecture: source all
Version: 0.6.1-1
Distribution: experimental
Urgency: low
Maintainer: Jakub Wilk <jw...@debian.org>
Description: 
 ocrodjvu   - tool to perform OCR on DjVu documents
Closes: 598134 598139
Changes: 
 ocrodjvu (0.6.1-1) experimental; urgency=low
 .
   * New upstream release.
     + Fix crash on hOCR with image elements (closes: #598139).
     + Fix insecure use of temporary files (closes: #598134).
Checksums-Sha1: 
 5762c859b2dfe4d4ccf33b9472658b0192dd08b1 2075 ocrodjvu_0.6.1-1.dsc
 7b7c2c3ec16b31a6bc871555a930c8b35cb7c9dd 312497 ocrodjvu_0.6.1.orig.tar.gz
 8b615dfa19a172f210fa4aaca16af1e1768337c4 3713 ocrodjvu_0.6.1-1.debian.tar.gz
 2aa3ea23e3ae310ff5fc7b6b2227bc96543ebe2b 33760 ocrodjvu_0.6.1-1_all.deb
Checksums-Sha256: 
 d8a8dedfb94f51985b30df4cb81a9603fdf20eb1557be665b18012cfb4ddef33 2075 ocrodjvu_0.6.1-1.dsc
 feff62929acd8e32d4ff88267322b837a8f92c0cf577fc3f188bc5d07c36bd30 312497 ocrodjvu_0.6.1.orig.tar.gz
 2a2d82432514eb9ecd41c74a08f2e7b8f88ba931bd21bf2497e27f36a5c7b14f 3713 ocrodjvu_0.6.1-1.debian.tar.gz
 d5e5cb74fa8b7e6373bf06b29bfd6b2279f8bdab5c010c7d6d4119bc54edb31c 33760 ocrodjvu_0.6.1-1_all.deb
Files: 
 171501887135c41bc952606911c43a3b 2075 text optional ocrodjvu_0.6.1-1.dsc
 a4f67b5603f8ee4dcd699d97c7c14277 312497 text optional ocrodjvu_0.6.1.orig.tar.gz
 a9289b2a851284cbda3c615605a5a296 3713 text optional ocrodjvu_0.6.1-1.debian.tar.gz
 709453f59265fad38121acdf6990a716 33760 text optional ocrodjvu_0.6.1-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----



--- End Message ---
