Your message dated Sun, 21 Sep 2014 19:35:21 +0000
with message-id <e1xvmun-0002kp...@franck.debian.org>
and subject line Bug#756334: fixed in haskell-hoogle 4.2.33-2
has caused the Debian Bug report #756334,
regarding Configure script downloads files from the Internet
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
756334: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756334
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: hoogle
Version: 4.2.33-1+b1
Severity: critical
Tags: security

During configuration, the hoogle postinst script attempts to download a file from 
the URL <http://hackage.haskell.org/packages/hoogle.tar.gz> and subsequently 
unpack it. Moreover, the integrity of this file is not verified.

This leads to the following possible attacks:
* An attacker controlling the user's network connection may indefinitely delay 
the configuration of the hoogle package by supplying data at a very low rate, even 
if the package files themselves are available from a local source.
* The same attacker may supply bogus data instead of the file. This may not 
only lead to hoogle behaving in an erroneous manner, but may also lead to a 
full system compromise. For example, the archive may contain a malicious 
executable file marked SUID root, and a local unprivileged user (who also 
participates in the attack) may run this file after it is extracted. The 
archive may also contain symlinks and device nodes, which can also be used for 
an attack.
* The same attacker may supply a very large file, filling the system partition 
and achieving denial of service. He may also supply a small file which becomes 
very large after un-gzipping.

My suggestion is that downloading files in a secure manner is hard, and 
maintainer scripts probably shouldn't be doing it.

--- End Message ---
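The three attack classes in the report above (unverified content, hostile archive members such as setuid binaries, symlinks and device nodes, and size/decompression bombs) map onto concrete checks. The script below is an added example written for this page; it is not hoogle's postinst, not Debian's code, and not a substitute for the actual fix, which was to stop downloading at all. It shows what a script that insists on fetching an archive would have to do before unpacking: verify a SHA-256 obtained out of band, walk the tar headers in streaming mode without extracting, reject members that escape the target tree or carry setuid/setgid bits, device nodes or outbound links, and cap both the declared member sizes and the actual number of gunzipped bytes so a small file that inflates enormously is stopped. The sample archives, the 200 MiB budgets, and the file names inside them are constructed for the demonstration and are not real hoogle data.

```python
"""Audit an untrusted .tar.gz before unpacking it (constructed example, not hoogle's code)."""
import gzip, hashlib, hmac, io, posixpath, stat, tarfile

MiB = 1024 * 1024  # budgets below are illustrative, not values from the package


class InflateLimitExceeded(Exception):
    """Raised when the gunzipped stream exceeds the configured cap."""


class LimitedReader:
    """Count bytes read through `raw` and fail once `limit` is passed."""
    def __init__(self, raw, limit):
        self.raw, self.limit, self.consumed = raw, limit, 0

    def read(self, n=-1):
        chunk = self.raw.read(n)
        self.consumed += len(chunk)
        if self.consumed > self.limit:
            raise InflateLimitExceeded(f"more than {self.limit} bytes after gunzip")
        return chunk


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Compare against a digest obtained out of band (e.g. shipped inside the .deb)."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def _escapes(path: str) -> bool:
    """True if `path` is absolute or climbs above the extraction directory."""
    norm = posixpath.normpath(path)
    return posixpath.isabs(path) or norm == ".." or norm.startswith("../")


def audit_tar(data: bytes, max_declared=200 * MiB, max_inflated=200 * MiB) -> list:
    """Return the reasons to reject the archive (empty list = passed).  Headers are
    read in streaming mode, so nothing is extracted, and every byte that tarfile
    pulls out of the gzip stream counts against `max_inflated`."""
    problems, declared = [], 0
    reader = LimitedReader(gzip.GzipFile(fileobj=io.BytesIO(data), mode="rb"), max_inflated)
    try:
        with tarfile.open(fileobj=reader, mode="r|") as tf:
            for m in tf:
                if _escapes(m.name):
                    problems.append(f"{m.name}: escapes the extraction directory")
                if m.isdev():  # character/block device or FIFO
                    problems.append(f"{m.name}: device or FIFO node")
                if m.issym() and (posixpath.isabs(m.linkname) or
                                  _escapes(posixpath.join(posixpath.dirname(m.name), m.linkname))):
                    problems.append(f"{m.name}: symlink target {m.linkname!r} leaves the tree")
                if m.islnk() and _escapes(m.linkname):
                    problems.append(f"{m.name}: hard link target {m.linkname!r} leaves the tree")
                if m.mode & (stat.S_ISUID | stat.S_ISGID):
                    problems.append(f"{m.name}: setuid/setgid bit set (mode {m.mode:o})")
                if m.isfile():
                    declared += m.size
                    if declared > max_declared:  # honest headers, but too much data
                        problems.append(f"declared member sizes exceed {max_declared} bytes")
                        break
    except InflateLimitExceeded as e:  # headers lied, or the stream is a bomb
        problems.append(str(e))
    except (tarfile.TarError, EOFError, OSError) as e:
        problems.append(f"unreadable archive: {e}")
    return problems


# Constructed sample archives (not real hoogle data).
def _entry(name, type=tarfile.REGTYPE, mode=0o644, linkname="", size=0, major=0, minor=0):
    ti = tarfile.TarInfo(name)
    ti.type, ti.mode, ti.linkname, ti.size = type, mode, linkname, size
    ti.devmajor, ti.devminor = major, minor
    return ti


def build_benign_archive() -> bytes:
    buf, blob = io.BytesIO(), b"constructed database bytes"
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        tf.addfile(_entry("hoogle/default.hoo", size=len(blob)), io.BytesIO(blob))
        tf.addfile(_entry("hoogle/docs", tarfile.DIRTYPE, 0o755))
        tf.addfile(_entry("hoogle/docs/latest", tarfile.SYMTYPE, linkname="v1"))
    return buf.getvalue()


def build_evil_archive() -> bytes:
    """One member per attack class named in the bug report."""
    buf, sh = io.BytesIO(), b"#!/bin/sh\n"
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        tf.addfile(_entry("bin/helper", mode=0o4755, size=len(sh)), io.BytesIO(sh))  # setuid
        tf.addfile(_entry("passwd", tarfile.SYMTYPE, linkname="/etc/passwd"))  # symlink out
        tf.addfile(_entry("dev/sda", tarfile.BLKTYPE, 0o660, major=8))  # device node
        tf.addfile(_entry("../../etc/cron.d/job"))  # path traversal
    return buf.getvalue()


def build_bomb_archive(inflated=4 * MiB) -> bytes:
    """A few KiB compressed that expand to `inflated` bytes of zeros."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        tf.addfile(_entry("default.hoo", size=inflated), io.BytesIO(bytes(inflated)))
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("benign", build_benign_archive()), ("evil", build_evil_archive())):
        print(label, audit_tar(data) or "OK")
```

The audit reads the gzip stream through the LimitedReader in tar "stream" mode, so skipping from one member header to the next decompresses the intervening data and is therefore bounded by the cap even when the tar headers understate their sizes; the declared-size budget catches the case of honest headers that simply add up to too much. Even with all of this in place the download still happens as root during package configuration and can be stalled indefinitely by a slow sender, which is why removing the network access from the maintainer script, as the fix below does, is the better answer.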
--- Begin Message ---
Source: haskell-hoogle
Source-Version: 4.2.33-2

We believe that the bug you reported is fixed in the latest version of
haskell-hoogle, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 756...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Iustin Pop <ius...@debian.org> (supplier of updated haskell-hoogle package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 21 Sep 2014 21:14:14 +0200
Source: haskell-hoogle
Binary: libghc-hoogle-dev libghc-hoogle-prof libghc-hoogle-doc hoogle
Architecture: source all amd64
Version: 4.2.33-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Haskell Group <pkg-haskell-maintain...@lists.alioth.debian.org>
Changed-By: Iustin Pop <ius...@debian.org>
Description:
 hoogle     - Haskell API Search for Debian system
 libghc-hoogle-dev - Haskell API Search
 libghc-hoogle-doc - Haskell API Search; documentation
 libghc-hoogle-prof - Haskell API Search; profiling libraries
Closes: 756334
Changes:
 haskell-hoogle (4.2.33-2) unstable; urgency=medium
 .
   * Switch from embedded to packaged jquery
   * Fix Vcs-* fields to point to anonscm
   * Fix autopkgtests definition to eliminate spurious failures
   * Rework the database generation so that it doesn't download files from
     the internet, making it (again) hermetic (Closes: #756334).
Checksums-Sha1:
 1e7393ce1dba04a51af6b3ea49cc4072ca0d4873 3876 haskell-hoogle_4.2.33-2.dsc
 933fded7c086007617313fcda90d50ad1533ff59 168920 haskell-hoogle_4.2.33-2.debian.tar.xz
 8083bfb80f7f8d1c0878c0cf7316df131c936bf9 123710 libghc-hoogle-doc_4.2.33-2_all.deb
 336290c837b519d170577b44b48bb7177e6fb96c 797772 libghc-hoogle-dev_4.2.33-2_amd64.deb
 86bb59ecc903905a9f5b510fef880db49040ec25 828242 libghc-hoogle-prof_4.2.33-2_amd64.deb
 8dfa050ca28b58d60e69ea293b5d845c4c21a8ee 2564846 hoogle_4.2.33-2_amd64.deb
Checksums-Sha256:
 b49ac305724bc41587db7715b44e736cbe826034f94e1dad9f32c48a544bbdf5 3876 haskell-hoogle_4.2.33-2.dsc
 a65a5a6f9adf012ea67184160a899e1c0f5c26d2159d2d25671a15317ad859af 168920 haskell-hoogle_4.2.33-2.debian.tar.xz
 53409c2b49d46b7576660c7dd4f7f721752e1915b3d93f73f528264b00cc512d 123710 libghc-hoogle-doc_4.2.33-2_all.deb
 c64eee44a677c9c3912ee2dc6fe43c362bee6fc14103b3997e8c50808aa7441a 797772 libghc-hoogle-dev_4.2.33-2_amd64.deb
 98727d630f92409ba7dc116439f9478a048b729efacdcb3035c42dff103b352c 828242 libghc-hoogle-prof_4.2.33-2_amd64.deb
 2f8a515a7b44550cca614d34b5c8e4dd549f117aebe8bd0923cd145db2e86219 2564846 hoogle_4.2.33-2_amd64.deb
Files:
 619c858ed5d5067a509e97ce89544462 123710 doc extra libghc-hoogle-doc_4.2.33-2_all.deb
 e5eda07ad4993672919c934d3341b49e 797772 haskell extra libghc-hoogle-dev_4.2.33-2_amd64.deb
 8c9f6c73e93feaa2dac3f8cdab1ffd87 828242 haskell extra libghc-hoogle-prof_4.2.33-2_amd64.deb
 04e0ded5e11a0faac39e87eed35f16a3 2564846 misc extra hoogle_4.2.33-2_amd64.deb
 ea0949d09f2b3174b5fb79101019c628 3876 haskell extra haskell-hoogle_4.2.33-2.dsc
 779462ca94aa509ba110420c64dbb8cd 168920 haskell extra haskell-hoogle_4.2.33-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
