Your message dated Tue, 21 Aug 2012 15:17:49 +0000
with message-id <e1t3qdf-0003tm...@franck.debian.org>
and subject line Bug#678189: fixed in packagekit 0.7.6-1
has caused the Debian Bug report #678189,
regarding packagekit-backend-aptcc: insecure tempfile use
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
678189: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678189
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: packagekit-backend-aptcc
Version: 0.7.4-4
Severity: grave
Tags: security
Justification: user security hole

/usr/share/PackageKit/helpers/aptcc/pkconffile uses a tempfile with a
fixed name in /tmp, which means anyone could create a
/tmp/pkconffile.templates symlink and have root trash the contents of
the linked file.  You need to use mktemp (or File::Temp or however it's
called in perl).

Cheers,
Julien

-- System Information:
Debian Release: wheezy/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (101, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages packagekit-backend-aptcc depends on:
ii  app-install-data    2010.11.17
ii  libapt-inst1.5      0.9.6
ii  libapt-pkg4.12      0.9.6
ii  libc6               2.13-33
ii  libgcc1             1:4.7.1-1
ii  libglib2.0-0        2.32.3-1
ii  libgstreamer0.10-0  0.10.36-1
ii  libstdc++6          4.7.1-1
ii  libxml2             2.8.0+dfsg1-4
ii  python              2.7.3~rc2-1
ii  python-packagekit   0.7.4-4

Versions of packages packagekit-backend-aptcc recommends:
ii  apt-xapian-index  0.45
ii  packagekit        0.7.4-4

Versions of packages packagekit-backend-aptcc suggests:
ii  gdebi-core  0.8.5

-- no debconf information



--- End Message ---
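
The failure mode described in the report above, next to the mktemp fix it asks for, as an added shell example (this is not the pkconffile source and not the upstream patch). The sandbox directory stands in for /tmp; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not taken from pkconffile.

# Vulnerable pattern: predictable name, opened with '>', which follows a
# symlink and truncates whatever file the link points to.
write_fixed() {   # $1 = temp directory, $2 = data
    printf '%s\n' "$2" > "$1/pkconffile.templates"
}

# Hardened pattern: mktemp chooses an unpredictable name and creates the file
# exclusively (it fails rather than reuse an existing path), mode 0600.
write_safe() {    # $1 = temp directory, $2 = data; prints the path it created
    tmp=$(mktemp "$1/pkconffile.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Constructed scenario in a private sandbox standing in for /tmp: a symlink
# already exists at the predictable path before the helper runs.
demo() {          # $1 = "fixed" or "safe"; prints the victim file's contents afterwards
    sandbox=$(mktemp -d) || return 1
    printf 'important\n' > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/pkconffile.templates"
    case $1 in
        fixed) write_fixed "$sandbox" "template data" ;;
        safe)  out=$(write_safe "$sandbox" "template data") && rm -f "$out" ;;
    esac
    cat "$sandbox/victim"
    rm -rf "$sandbox"
}

echo "fixed name: victim now contains: $(demo fixed)"
echo "mktemp:     victim now contains: $(demo safe)"
```

With the fixed name the linked file's contents are replaced; with mktemp the pre-existing link is never opened and the file is left intact.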
--- Begin Message ---
Source: packagekit
Source-Version: 0.7.6-1

We believe that the bug you reported is fixed in the latest version of
packagekit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 678...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klumpp <matth...@tenstral.net> (supplier of updated packagekit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 21 Aug 2012 16:41:43 +0200
Source: packagekit
Binary: packagekit packagekit-tools packagekit-docs libpackagekit-glib2-14 
libpackagekit-glib2-dev gir1.2-packagekitglib-1.0 libpackagekit-qt2-2 
libpackagekit-qt2-dev packagekit-gtk3-module gstreamer0.10-packagekit 
browser-plugin-packagekit python-packagekit packagekit-backend-aptcc 
packagekit-backend-smart packagekit-dbg
Architecture: source amd64 all
Version: 0.7.6-1
Distribution: unstable
Urgency: low
Maintainer: Matthias Klumpp <matth...@tenstral.net>
Changed-By: Matthias Klumpp <matth...@tenstral.net>
Description: 
 browser-plugin-packagekit - Plugin to install missing plugins using PackageKit
 gir1.2-packagekitglib-1.0 - GObject introspection data for the PackageKit GLib library
 gstreamer0.10-packagekit - GStreamer plugin to install codecs using PackageKit
 libpackagekit-glib2-14 - Library for accessing PackageKit using GLib
 libpackagekit-glib2-dev - Library for accessing PackageKit using GLib (development files)
 libpackagekit-qt2-2 - Library for accessing PackageKit using Qt4
 libpackagekit-qt2-dev - Library for accessing PackageKit using Qt4 (development files)
 packagekit - Provides a package management service
 packagekit-backend-aptcc - APT backend for PackageKit
 packagekit-backend-smart - Smart backend for PackageKit
 packagekit-dbg - Debugging symbols for PackageKit
 packagekit-docs - Documentation for PackageKit
 packagekit-gtk3-module - Install fonts automatically using PackageKit
 packagekit-tools - Provides PackageKit command-line tools
 python-packagekit - PackageKit backend Python bindings
Closes: 678189
Changes: 
 packagekit (0.7.6-1) unstable; urgency=low
 .
   * New upstream bugfix release: 0.7.6
     Changes relevant to Debian:
     - aptcc: Don't use tempfile with fixed name for conffiles
        (Matthias Klumpp) (Closes: #678189)
     - Add GStreamer 1.0 support to the PackageKit plugin
        (Richard Hughes)
     - Ignore "accept-eula" in pk-transaction-run (Gary Ching-Pang Lin)
     - Check for CancelBackgroundTransactions setting again
        (Matthias Klumpp)
     - Fix a crash where NetworkManager is restarted whilst packagekitd
        is running (Richard Hughes)
     - Drop the unused polkit-backend-1 check from configure as
        it's gone upstream (Richard Hughes)
     - Fix segfault in pkcon when user does ctrl-d at the package prompt
        (Richard Hughes)
     - Inhibit shutdown when the package manager is locked (Richard Hughes)
     - Fix several return values in pkcon when there is an error
        (Richard Hughes)
     - Allow the user to specify standard GNU help options (Richard Hughes)
     - Do not allow the client to overwrite files when downloading packages
        (Richard Hughes)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----

--- End Message ---
