Your message dated Wed, 03 Aug 2011 19:55:14 +0000
with message-id <e1qohx8-0003km...@franck.debian.org>
and subject line Bug#622794: fixed in atop 1.23-1+lenny1
has caused the Debian Bug report #622794,
regarding atop: vulnerable to symlink attack via insecure /tmp directory or file
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
622794: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622794
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: atop
Version: 1.23-1
Severity: grave
Tags: security
Justification: user security hole

Hi,

I've just noticed that atop keeps the runtime data in /tmp/atop* directories
or files (mentioned in the man page too). I think it was established from a
discussion on debian-devel@l.d.o that this is potentially a security
vulnerability. Probably it should keep its temporary runtime data in its own
directory under /var/run (or /run for the next release).

Please consider backporting the fix for 'stable' too.

Thanks

-- System Information:
Debian Release: 6.0.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages atop depends on:
ii  libc6                   2.11.2-10        Embedded GNU C Library: Shared lib
ii  libncurses5             5.7+20100313-5   shared libraries for terminal hand
ii  logrotate               3.7.8-6          Log rotation utility
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

atop recommends no packages.

atop suggests no packages.

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: atop
Source-Version: 1.23-1+lenny1

We believe that the bug you reported is fixed in the latest version of
atop, which is due to be installed in the Debian FTP archive:

atop_1.23-1+lenny1.diff.gz
  to main/a/atop/atop_1.23-1+lenny1.diff.gz
atop_1.23-1+lenny1.dsc
  to main/a/atop/atop_1.23-1+lenny1.dsc
atop_1.23-1+lenny1_amd64.deb
  to main/a/atop/atop_1.23-1+lenny1_amd64.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 622...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <j...@debian.org> (supplier of updated atop package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 01 Aug 2011 15:35:16 +0100
Source: atop
Binary: atop
Architecture: source amd64
Version: 1.23-1+lenny1
Distribution: oldstable
Urgency: high
Maintainer: Edelhard Becker <edelh...@debian.org>
Changed-By: Jonathan Wiltshire <j...@debian.org>
Description: 
 atop       - Monitor for system resources and process activity
Closes: 622794
Changes: 
 atop (1.23-1+lenny1) oldstable; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2011-XXXX: Insecure use of temporary files in rawlog.c and
     acctproc.c (Closes: #622794)


--- End Message ---
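As an added example (not atop's code and not the Debian patch), the two open() patterns behind the bug class named in the report and in the "Insecure use of temporary files" changelog entry: a naive open of a predictable path beside a hardened one that refuses symlinks and pre-existing files, plus a self-check that plants a link in a constructed scratch directory and confirms the hardened opener rejects it. Function names and the scratch path are assumptions.

```c
#define _GNU_SOURCE            /* mkdtemp, O_NOFOLLOW on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive pattern: guessable name, follows symlinks, truncates whatever
 * the name resolves to. This is the class of bug in the report. */
int open_runtime_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened pattern: never follow a symlink (O_NOFOLLOW), never reuse a
 * pre-existing file (O_EXCL), then verify the descriptor really is a
 * fresh regular file owned by us before writing anything through it. */
int open_runtime_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-check: returns 1 if the naive opener follows a planted link while
 * the hardened one refuses it yet still works once the name is free,
 * 0 if either expectation fails, -1 on setup failure. */
int demo_symlink_rejected(void)
{
    char dir[] = "/tmp/atop-example-XXXXXX";   /* constructed scratch dir */
    char victim[512], link[512];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/atop-predictable", dir);
    if (symlink(victim, link) != 0) return -1;  /* link at the guessable name */
    int unsafe_fd = open_runtime_unsafe(link);  /* follows link, creates victim */
    int safe_fd = open_runtime_safe(link);      /* fails with ELOOP/EEXIST */
    int ok = (unsafe_fd >= 0 && safe_fd < 0);
    if (unsafe_fd >= 0) close(unsafe_fd);
    unlink(link); unlink(victim);
    int fresh_fd = open_runtime_safe(link);     /* name is free: must succeed */
    ok = ok && fresh_fd >= 0;
    if (fresh_fd >= 0) close(fresh_fd);
    unlink(link); rmdir(dir);
    return ok;
}
```

The fstat() step matters even with O_EXCL: it is the only check that inspects the object actually opened rather than the path that was asked for.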
