Your message dated Sat, 29 Dec 2012 22:17:43 +0000
with message-id <e1tp4it-0004ms...@franck.debian.org>
and subject line Bug#654341: fixed in inkscape 0.48.3.1-1.3
has caused the Debian Bug report #654341,
regarding inkscape reads .eps files from /tmp instead of the current directory
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
654341: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=654341
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: inkscape
Version: 0.48.1-2.1+b1
Severity: grave
Tags: security
Justification: user security hole
When I want to open a .eps file with something like
inkscape file.eps
inkscape tries to open the file from /tmp instead of the current
directory (if the file doesn't exist, I get a ghostscript error from
ps2pdf, which is the same error as when ps2pdf is run manually).
According to strace, inkscape does a chdir to /tmp before running
ps2pdf on the argument, hence the problem.
The security problem is that the user A may open a file belonging
to some user B from /tmp, which can contain incorrect data, an
offensive image and so on. It can also be a symbolic link to some
protected file of user A (which may be inadvertently diffused to other
users) or to some other special file that shouldn't be read, such as
/proc/<pid>/fd/0, which can make program <pid> behave incorrectly.
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages inkscape depends on:
ii libaspell15 0.60.7~20110707-1
ii libatk1.0-0 2.2.0-2
ii libatkmm-1.6-1 2.22.6-1
ii libc6 2.13-24
ii libcairo2 1.10.2-6.2
ii libcairomm-1.0-1 1.10.0-1
ii libfontconfig1 2.8.0-3
ii libfreetype6 2.4.8-1
ii libgc1c2 1:7.1-8
ii libgcc1 1:4.6.2-9
ii libgconf2-4 3.2.3-1
ii libgdk-pixbuf2.0-0 2.24.0-2
ii libglib2.0-0 2.30.2-4
ii libglibmm-2.4-1c2a 2.30.0-2
ii libgnomevfs2-0 1:2.24.4-1
ii libgomp1 4.6.2-9
ii libgsl0ldbl 1.15+dfsg-1
ii libgtk2.0-0 2.24.8-2
ii libgtkmm-2.4-1c2a 1:2.24.2-1
ii libgtkspell0 2.0.16-1
ii liblcms1 1.19.dfsg-1+b1
ii libmagick++4 8:6.6.9.7-5+b2
ii libmagickcore4 8:6.6.9.7-5+b2
ii libpango1.0-0 1.29.4-2
ii libpangomm-1.4-1 2.28.4-1
ii libpng12-0 1.2.46-3
ii libpoppler-glib6 0.16.7-2+b1
ii libpoppler13 0.16.7-2+b1
ii libpopt0 1.16-3
ii libsigc++-2.0-0c2a 2.2.9-1.1
ii libstdc++6 4.6.2-9
ii libwpd-0.9-9 0.9.4-1
ii libwpg-0.2-2 0.2.1-1
ii libx11-6 2:1.4.4-4
ii libxml2 2.7.8.dfsg-5.1
ii libxslt1.1 1.1.26-8
ii zlib1g 1:1.2.3.4.dfsg-3
Versions of packages inkscape recommends:
ii aspell 0.60.7~20110707-1
ii imagemagick 8:6.6.9.7-5+b2
ii libwmf-bin <none>
ii perlmagick <none>
ii pstoedit 3.60-1
Versions of packages inkscape suggests:
pn dia | dia-gnome <none>
pn libgnomevfs2-extra 1:2.24.4-1
pn libsvg-perl <none>
pn libxml-xql-perl <none>
pn python 2.7.2-9
pn python-lxml <none>
pn python-numpy 1:1.5.1-3
pn python-uniconvertor <none>
pn ruby 4.8
pn ruby1.8 [ruby] 1.8.7.352-2
pn skencil <none>
-- no debconf information
--- End Message ---
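The report above describes a classic relative-path pitfall: the program changes its working directory to a shared, world-writable location (/tmp) and only then hands the user-supplied filename to a helper (ps2pdf), so a relative name such as file.eps is resolved against /tmp rather than the directory the user ran the command from. The following is an added example, not Inkscape's code or the Debian patch; it simulates the pattern in Python. The converter is stood in for by a function that merely reads the input file, and the names pushd, fake_ps2pdf, convert_vulnerable, convert_fixed, build_scenario and demo, as well as the directory layout and file contents, are all constructed for the illustration. The hardened form makes the path absolute while still in the caller's working directory and does its scratch work in a private mkdtemp() directory instead of the shared /tmp.

```python
"""
Relative-filename pitfall from Bug#654341, simulated.

A program that chdir()s into a shared directory such as /tmp before handing
a user-supplied *relative* path to a helper resolves that path against the
shared directory, not the user's working directory.  Added example, not
Inkscape's code: "ps2pdf" is replaced by a function that just reads the
input file, and every directory and file below is constructed inline.
"""
import os
import shutil
import tempfile
from contextlib import contextmanager


@contextmanager
def pushd(path):
    """Temporarily chdir into path, always restoring the previous cwd."""
    prev = os.getcwd()
    os.chdir(path)
    try:
        yield
    finally:
        os.chdir(prev)


def fake_ps2pdf(input_path):
    """Stand-in for the external converter: return the bytes it would consume."""
    with open(input_path, "rb") as fh:
        return fh.read()


def convert_vulnerable(filename, shared_tmp):
    """Buggy pattern: chdir into the shared temp dir, then run the converter
    on the argument exactly as given.  A relative 'file.eps' now names
    shared_tmp/file.eps, which any local user may have planted there."""
    with pushd(shared_tmp):
        return fake_ps2pdf(filename)


def convert_fixed(filename):
    """Hardened pattern: make the path absolute while still in the caller's
    working directory, and do scratch work in a private mkdtemp() directory
    (created mode 0700) instead of the world-writable /tmp."""
    input_path = os.path.abspath(filename)   # resolved against the real cwd
    workdir = tempfile.mkdtemp(prefix="eps2pdf-")
    try:
        with pushd(workdir):
            return fake_ps2pdf(input_path)
    finally:
        os.rmdir(workdir)


def build_scenario():
    """Constructed layout: user A's cwd holds file.eps and a private file;
    another user has planted a different file.eps plus a symlink in the
    shared tmp dir.  Returns (user_cwd, shared_tmp)."""
    root = tempfile.mkdtemp(prefix="bug654341-")
    user_cwd = os.path.join(root, "home_a")
    shared_tmp = os.path.join(root, "tmp")
    os.mkdir(user_cwd)
    os.mkdir(shared_tmp)
    with open(os.path.join(user_cwd, "file.eps"), "wb") as fh:
        fh.write(b"%!PS legitimate drawing owned by user A\n")
    with open(os.path.join(user_cwd, "secret.txt"), "wb") as fh:
        fh.write(b"user A private data\n")
    with open(os.path.join(shared_tmp, "file.eps"), "wb") as fh:
        fh.write(b"%!PS planted by user B\n")
    # Symlink in the shared dir, named like a file user A might open, that
    # points at A's own protected file: the buggy pattern feeds it to the
    # converter, the hardened one never looks in the shared dir at all.
    os.symlink(os.path.join(user_cwd, "secret.txt"),
               os.path.join(shared_tmp, "notes.eps"))
    return user_cwd, shared_tmp


def demo():
    """Run both patterns from user A's cwd; return what the converter read."""
    user_cwd, shared_tmp = build_scenario()
    root = os.path.dirname(user_cwd)
    try:
        with pushd(user_cwd):
            results = {
                "vulnerable": convert_vulnerable("file.eps", shared_tmp),
                "vulnerable_symlink": convert_vulnerable("notes.eps", shared_tmp),
                "fixed": convert_fixed("file.eps"),
            }
            try:
                convert_fixed("notes.eps")       # not in cwd: fails loudly
                results["fixed_missing"] = None
            except FileNotFoundError:
                results["fixed_missing"] = "FileNotFoundError"
    finally:
        shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20s} {value!r}")
```

Running demo() shows the two failure modes from the report side by side: with the buggy pattern the planted /tmp/file.eps is read instead of the user's own, and a planted symlink hands the user's protected file to the converter without any error; with the path made absolute before the chdir, the user's file is read and a name that does not exist in the working directory raises FileNotFoundError rather than silently resolving to whatever another user left in /tmp. A quick way to confirm the real behaviour of a binary is the one the reporter used: strace -f -e trace=chdir,execve,open,openat on the command and look for a chdir("/tmp") before the helper is executed with a relative argument.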
--- Begin Message ---
Source: inkscape
Source-Version: 0.48.3.1-1.3
We believe that the bug you reported is fixed in the latest version of
inkscape, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 654...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
John Paul Adrian Glaubitz <glaub...@physik.fu-berlin.de> (supplier of updated
inkscape package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 29 Dec 2012 19:15:46 +0100
Source: inkscape
Binary: inkscape
Architecture: source amd64
Version: 0.48.3.1-1.3
Distribution: unstable
Urgency: low
Maintainer: Wolfram Quester <wo...@sigxcpu.org>
Changed-By: John Paul Adrian Glaubitz <glaub...@physik.fu-berlin.de>
Description:
inkscape - vector-based drawing program
Closes: 654341
Changes:
inkscape (0.48.3.1-1.3) unstable; urgency=low
.
* Non-maintainer upload.
* Add Debian patch to fix relative filename vulnerability (Closes: #654341).
Checksums-Sha1:
48ef367fdd2ccae756b24d3df2d83af6f73ddebd 2372 inkscape_0.48.3.1-1.3.dsc
04c039fdc609c7a0d358c6a743b6efe761a3f85c 20557 inkscape_0.48.3.1-1.3.diff.gz
d6463eae71391db323bdb48846ce9c975f52fb72 24775326 inkscape_0.48.3.1-1.3_amd64.deb
Checksums-Sha256:
71b0c065c92e1d497d288373084b4c7fdce3bff836761d13310f84d9113843eb 2372 inkscape_0.48.3.1-1.3.dsc
703ce11f605597b8e0f9b14837319339fcddc36b10a87826b90f8d7848cec35f 20557 inkscape_0.48.3.1-1.3.diff.gz
3b1d8fed6d8ed62d6368ae560537d8232ffba71efd5dff05f4120bdc1a9dda72 24775326 inkscape_0.48.3.1-1.3_amd64.deb
Files:
9f00972c8c3194f788d6c2712012f723 2372 graphics optional inkscape_0.48.3.1-1.3.dsc
6f74f17bd59354fb535655415a8d3005 20557 graphics optional inkscape_0.48.3.1-1.3.diff.gz
0e0aad6b26a0ef21bd35b71423d2bb4c 24775326 graphics optional inkscape_0.48.3.1-1.3_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
=DzUz
-----END PGP SIGNATURE-----
--- End Message ---