Your message dated Sat, 15 Oct 2005 22:12:08 -0700 with message-id <[EMAIL PROTECTED]> and subject line gtkdiskfree: insecure temporary file creation has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------

Received: (at submit) by bugs.debian.org; 16 Sep 2005 06:28:56 +0000
Date: Fri, 16 Sep 2005 08:28:24 +0200
From: Martin Pitt <[EMAIL PROTECTED]>
To: Debian BTS Submit <[EMAIL PROTECTED]>
Subject: gtkdiskfree: insecure temporary file creation

Package: gtkdiskfree
Version: 1.9.3-4
Severity: grave
Tags: security

gtkdiskfree handles a temporary file (/tmp/gtkdiskfree) in an insecure way, which allows a local attacker to remove or overwrite an arbitrary file of the user who invokes gtkdiskfree.
See http://www.zataz.net/adviso/gtkdiskfree-09052005.txt for details.

There is no CAN number yet, I will ask for one and send it to this bug.

Thanks,

Martin
-- 
Martin Pitt              http://www.piware.de
Ubuntu Developer   http://www.ubuntulinux.org
Debian Developer        http://www.debian.org

---------------------------------------

Received: (at 328566-done) by bugs.debian.org; 16 Oct 2005 05:12:10 +0000
Date: Sat, 15 Oct 2005 22:12:08 -0700
From: Steve Langasek <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: gtkdiskfree: insecure temporary file creation

Version: 1.9.3-4sarge1

This bug appears to have been fixed in the upload of
1.9.3-4sarge1:

gtkdiskfree (1.9.3-4sarge1) stable-security; urgency=high

  * Non-maintainer upload by the Security Team
  * Backported Gentoo patch to fix insecure temporary file creation
    [src/mount.c, CAN-2005-2918]

 -- Martin Schulze <[EMAIL PROTECTED]>  Sat, 17 Sep 2005 11:50:22 +0200

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
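
The bug class reported in this thread (a fixed, predictable name under /tmp), shown from the defensive side as an added example. It is not part of the original messages and is not the Gentoo patch, whose contents the thread does not show. The function names and the private scratch directory are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: if a fixed name must be kept, O_CREAT|O_EXCL makes
 * open() fail when anything, including a symlink (dangling or not), already
 * exists at path; O_NOFOLLOW is defence in depth. */
int open_fixed_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario inside a private mkdtemp() directory: a symlink
 * already sits at the fixed name and points at a 4-byte "victim" file.
 * Returns 0 when the hardened open refuses it, the victim is untouched,
 * and mkstemp() (the preferred fix: unpredictable name, atomic creation)
 * yields a regular file with mode 0600. */
int demo(void) {
    char dir[] = "/tmp/tmpfile-demo.XXXXXX";
    char victim[96], fixed[96], uniq[96];
    struct stat vs, us;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(fixed, sizeof fixed, "%s/gtkdiskfree", dir);
    snprintf(uniq, sizeof uniq, "%s/gtkdiskfree.XXXXXX", dir);

    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd < 0 || write(vfd, "keep", 4) != 4) return -1;
    close(vfd);
    if (symlink(victim, fixed) != 0) return -1;

    int ffd = open_fixed_exclusive(fixed);   /* must fail: name is taken */
    int ufd = mkstemp(uniq);                 /* must succeed: fresh name */
    int ok = ffd < 0 && ufd >= 0
          && stat(victim, &vs) == 0 && vs.st_size == 4
          && fstat(ufd, &us) == 0 && S_ISREG(us.st_mode)
          && (us.st_mode & 0777) == 0600;

    if (ffd >= 0) close(ffd);
    if (ufd >= 0) { close(ufd); unlink(uniq); }
    unlink(fixed); unlink(victim); rmdir(dir);
    return ok ? 0 : 1;
}

int main(void) {
    int rc = demo();
    printf("demo: %s\n", rc == 0 ? "symlink refused, victim intact" : "FAILED");
    return rc;
}
```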