Your message dated Thu, 01 Aug 2013 01:33:09 +0000
with message-id <e1v4hln-0003ic...@franck.debian.org>
and subject line Bug#718418: fixed in i7z 0.27.2-2
has caused the Debian Bug report #718418,
regarding Insecurely creates /tmp/cpufreq.txt when run
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
718418: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718418
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: i7z
Version: 0.27.2-1
Severity: serious

Hello,

i7z can only be run by root. When run, it creates a file
/tmp/cpufreq.txt without checking if it previously exists.
I successfully managed to set up a dangling symlink and have i7z follow
it when creating the file.

This is somewhat mitigated by the fact that the attack doesn't seem to
work if the symlink is not owned by root: in that case, i7z will refuse
to start. However, this allows any user to prevent root from running
i7z, by just creating a dummy /tmp/cpufreq.txt.


Ciao,

Enrico


-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.9-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages i7z depends on:
ii  libc6                         2.17-7
ii  libncurses5                   5.9+20130608-1
ii  libtinfo5                     5.9+20130608-1
ii  msr-tools                     1.2-3
ii  ruby                          1:1.9.3
ii  ruby1.8 [ruby-interpreter]    1.8.7.358-7.1
ii  ruby1.9.1 [ruby-interpreter]  1.9.3.194-8.1+b1

i7z recommends no packages.

i7z suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: i7z
Source-Version: 0.27.2-2

We believe that the bug you reported is fixed in the latest version of
i7z, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 718...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Beckmann <a...@debian.org> (supplier of updated i7z package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Thu, 01 Aug 2013 03:16:07 +0200
Source: i7z
Binary: i7z i7z-gui
Architecture: source amd64
Version: 0.27.2-2
Distribution: unstable
Urgency: low
Maintainer: Andreas Beckmann <a...@debian.org>
Changed-By: Andreas Beckmann <a...@debian.org>
Description: 
 i7z        - reporting tool for i7, i5, i3 CPUs
 i7z-gui    - GUI for i7z, a reporting tool for i7, i5, i3 CPUs
Closes: 718418
Changes: 
 i7z (0.27.2-2) unstable; urgency=low
 .
   * Use canonical Vcs-* URLs.
   * hyphen-used-as-minus-sign.patch: New. Fix manpage.
   * fix-insecure-tempfile.patch: New. Fix insecure usage of /tmp/cpufreq.txt.
     Use popen() instead of a temporary file.  (Closes: #718418)


--- End Message ---
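The hazard Enrico describes (root's fopen() of /tmp/cpufreq.txt following a symlink planted by another user) and the exclusive-create check that refuses it, as an added example written for this page rather than i7z code; the packaged fix-insecure-tempfile.patch instead removed the temporary file altogether in favour of popen(). The function names, the scratch directory under /tmp and the Linux open(2) flag semantics are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/* Vulnerable shape of the reported bug (hypothetical name): fopen(path, "w")
 * creates or truncates whatever the path resolves to, so a symlink another
 * local user planted in /tmp redirects root's write. */
static FILE *open_report_unsafe(const char *path)
{
    return fopen(path, "w");
}
/* Defensive shape: O_CREAT|O_EXCL fails with EEXIST if anything already sits
 * at the path (a dangling symlink included), O_NOFOLLOW refuses a symlink at
 * the final component, and mode 0600 keeps other users out of the file. */
static int open_report_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}
/* Stage the reporter's scenario in a private 0700 scratch directory (so the
 * Linux fs.protected_symlinks sysctl, which only guards sticky world-writable
 * directories, does not interfere): a dangling symlink cpufreq.txt -> victim.
 * Returns 1 if the unsafe open followed the link and created victim while the
 * exclusive open refused with EEXIST, 0 otherwise, -1 on setup failure. */
int demo_dangling_symlink(void)
{
    char dir[] = "/tmp/i7z-demo-XXXXXX";   /* constructed scratch location */
    char lnk[PATH_MAX], victim[PATH_MAX];
    int fd, err, followed;
    FILE *f;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(lnk, sizeof lnk, "%s/cpufreq.txt", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (symlink(victim, lnk) != 0) { rmdir(dir); return -1; }
    f = open_report_unsafe(lnk);          /* follows the link, creates victim */
    if (f != NULL) fclose(f);
    followed = (access(victim, F_OK) == 0);
    fd = open_report_exclusive(lnk);      /* refuses: something is already there */
    err = errno;
    if (fd >= 0) close(fd);
    unlink(victim); unlink(lnk); rmdir(dir);
    return followed && fd == -1 && err == EEXIST;
}
```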