Your message dated Wed, 03 Aug 2011 17:32:09 +0000
with message-id <e1qofif-0006m2...@franck.debian.org>
and subject line Bug#622794: fixed in atop 1.23-1.1
has caused the Debian Bug report #622794,
regarding atop: vulnerable to symlink attack via insecure /tmp directory or file
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
622794: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622794
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: atop
Version: 1.23-1
Severity: grave
Tags: security
Justification: user security hole

Hi,

I've just noticed that atop keeps the runtime data in /tmp/atop* directories
or files (mentioned on the man page too). I think it was established from a
discussion on debian-devel@l.d.o that this is potentially a security
vulnerability. Probably it should keep its temporary runtime data in its own
directory under /var/run (or /run for the next release).

Please consider backporting the fix for 'stable' too.

Thanks

-- System Information:
Debian Release: 6.0.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages atop depends on:
ii  libc6                   2.11.2-10        Embedded GNU C Library: Shared lib
ii  libncurses5             5.7+20100313-5   shared libraries for terminal hand
ii  logrotate               3.7.8-6          Log rotation utility
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

atop recommends no packages.

atop suggests no packages.

-- no debconf information
--- End Message ---
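As an added example (not atop's code, nor the patch from the upload that closed this bug), the pattern the report asks for in C: the daemon creates its runtime file inside a directory it owns instead of the shared, world-writable /tmp, and refuses to follow a symlink planted at the expected name. The directory name, the file name `atop.raw` and the symlink target are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create dir/name for the daemon's runtime data. dir must be a directory the
 * daemon owns (e.g. its own subdirectory of /var/run), not shared /tmp. */
int open_runtime_file(const char *dir, const char *name)
{
    struct stat st;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -1;
    /* A directory others can write to is what lets a symlink be planted. */
    if (fstat(dfd, &st) < 0 || st.st_uid != geteuid() ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(dfd);
        errno = EACCES;
        return -1;
    }
    /* O_EXCL fails with EEXIST on any pre-existing entry, a symlink included;
     * openat on the already checked dirfd avoids a race on the directory. */
    int fd = openat(dfd, name,
                    O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    int saved = errno;
    close(dfd);
    errno = saved;
    return fd;
}

/* Constructed scenario in a fresh private directory (mkdtemp gives 0700).
 * plant=1: a symlink is planted at the name the daemon will use; returns 1 if
 * the open is refused with EEXIST. plant=0: returns 1 if a file with no
 * group/other permission bits is created. Returns -1 on setup failure. */
int demo_runtime_file(int plant)
{
    char dir[] = "/tmp/atopdemo.XXXXXX", path[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/atop.raw", dir);
    if (plant && symlink("victim.txt", path) < 0) return -1; /* placeholder target */
    int fd = open_runtime_file(dir, "atop.raw");
    int ok = plant ? (fd < 0 && errno == EEXIST)
                   : (fd >= 0 && fstat(fd, &st) == 0 && (st.st_mode & 077) == 0);
    if (fd >= 0) close(fd);
    unlink(path);
    rmdir(dir);
    return ok;
}
```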
--- Begin Message ---
Source: atop
Source-Version: 1.23-1.1

We believe that the bug you reported is fixed in the latest version of
atop, which is due to be installed in the Debian FTP archive:

atop_1.23-1.1.diff.gz
  to main/a/atop/atop_1.23-1.1.diff.gz
atop_1.23-1.1.dsc
  to main/a/atop/atop_1.23-1.1.dsc
atop_1.23-1.1_amd64.deb
  to main/a/atop/atop_1.23-1.1_amd64.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 622...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <j...@debian.org> (supplier of updated atop package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 01 Aug 2011 15:35:16 +0100
Source: atop
Binary: atop
Architecture: source amd64
Version: 1.23-1.1
Distribution: unstable
Urgency: high
Maintainer: Edelhard Becker <edelh...@debian.org>
Changed-By: Jonathan Wiltshire <j...@debian.org>
Description: 
 atop       - Monitor for system resources and process activity
Closes: 622794
Changes: 
 atop (1.23-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2011-XXXX: Insecure use of temporary files in rawlog.c and
     acctproc.c (Closes: #622794)
Checksums-Sha1: 
 bbcb0eb06efcc8fd53631eb19b5e931703667467 1643 atop_1.23-1.1.dsc
 d649052e54f4359e00195e0f12c9c7995dbb70db 7062 atop_1.23-1.1.diff.gz
 cd2e0c99e65aee4306cf211b4c6bb896d87ee825 77850 atop_1.23-1.1_amd64.deb
Checksums-Sha256: 
 fa1d2c7839854fce1a833eb0c545a3e30617620dfa02670f68dd704a57087d9c 1643 atop_1.23-1.1.dsc
 c6db49e99ec7900206208ca6d256b8c4f9ab6e6352d669d7b4833afc027bcdec 7062 atop_1.23-1.1.diff.gz
 647ac28c909e0daf4211e21a5b1eb2feaf78c8d048a5a8a40b5d075d5ab3aaf2 77850 atop_1.23-1.1_amd64.deb
Files: 
 1ef1e896fff4eeaa30e7e4ac4e2e70ca 1643 admin optional atop_1.23-1.1.dsc
 c8aa56774a85ee30730680833f673591 7062 admin optional atop_1.23-1.1.diff.gz
 6c30d8b5089be424d50858651f37b867 77850 admin optional atop_1.23-1.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---