Your message dated Wed, 25 Oct 2006 02:32:13 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#382132: fixed in diffmon 20020222-2.2
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: diffmon
Version: 20020222-2
Severity: critical
Justification: root security hole
diffmon explicitly sets umask to '000', thus creating all files in /tmp with
world-readable attributes. This may allow local users to read files that they
normally don't have access to.
The attached patch makes diffmon use a more reasonable umask.
Lothar Wassmann
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (50, 'unstable'), (50, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8.1
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages diffmon depends on:
ii bash 2.05b-26 The GNU Bourne Again SHell
ii debconf 1.4.30.13 Debian configuration management sy
ii exim4-daemon-light [mail-tr 4.50-8sarge2 lightweight exim MTA (v4) daemon
-- debconf information:
* diffmon/configwarning:
--- usr/bin/diffmon.org 2002-02-26 15:06:49.000000000 +0100
+++ usr/bin/diffmon 2006-08-09 08:59:21.389223825 +0200
@@ -170,7 +170,7 @@
# Make sure PATH includes location of sendmail and gzip.
PATH="/usr/local/gnubin:/usr/local/bin:${PATH}:/usr/lib:/usr/sbin"
- umask 000
+ umask 077
TRAP_SIGNALS="EXIT SIGHUP SIGINT SIGQUIT SIGTERM"
trap 'cleanup_and_exit' ${TRAP_SIGNALS}
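Review bot: the new umask only governs files created after line 170, so anything diffmon writes before reaching this block (the hunk shows only the PATH assignment and the trap registration around it) would still be created under the caller's umask; worth confirming that no temporary file is opened earlier in the script. 077 rather than a looser value such as 022 is the right choice here, since the files land in the shared /tmp and 022 would still leave them world-readable.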
--- End Message ---
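As an added illustration (not part of the report or of diffmon's own code), the script below creates a file under the umask diffmon used and under the one the patch proposes, reports the resulting mode, and includes a check that lists files in a directory readable by other users; the function and scratch-file names are my own.

```shell
#!/bin/sh
# Added example, not diffmon code: effect of umask 000 vs 077 on a file
# created with ">" the way a shell script usually does it.

# Create a file under the given umask in a private scratch directory and
# print its permission bits in octal (e.g. 666 or 600).
mode_under_umask() {
    _umask="$1"
    _dir=$(mktemp -d)              # private dir, so nothing leaks into /tmp
    _file="$_dir/diffmon-sample"   # constructed file name
    (
        umask "$_umask"            # subshell: the umask change stays local
        : > "$_file"               # create it exactly as "> file" would
    )
    # GNU stat first, BSD stat as fallback
    _mode=$(stat -c '%a' "$_file" 2>/dev/null || stat -f '%Lp' "$_file")
    rm -rf "$_dir"
    printf '%s\n' "$_mode"
}

# Detection helper: list regular files directly under a directory that are
# readable by "other" (mode bit 004), which is what umask 000 produces.
world_readable_files() {
    find "$1" -maxdepth 1 -type f -perm -004
}

# Build a scratch directory holding one file created under umask 000 and one
# under umask 077, and print how many of them are world readable.
count_leaky_files() {
    _dir=$(mktemp -d)
    ( umask 000; : > "$_dir/open" )
    ( umask 077; : > "$_dir/private" )
    _n=$(world_readable_files "$_dir" | wc -l | tr -d ' ')
    rm -rf "$_dir"
    printf '%s\n' "$_n"
}

echo "umask 000 -> mode $(mode_under_umask 000)"   # 666
echo "umask 077 -> mode $(mode_under_umask 077)"   # 600
echo "world-readable files in scratch dir: $(count_leaky_files)"   # 1
```

Run `world_readable_files /tmp` on a live system to see which scratch files other local users can currently read.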
--- Begin Message ---
Source: diffmon
Source-Version: 20020222-2.2
We believe that the bug you reported is fixed in the latest version of
diffmon, which is due to be installed in the Debian FTP archive:
diffmon_20020222-2.2.dsc
to pool/main/d/diffmon/diffmon_20020222-2.2.dsc
diffmon_20020222-2.2.tar.gz
to pool/main/d/diffmon/diffmon_20020222-2.2.tar.gz
diffmon_20020222-2.2_all.deb
to pool/main/d/diffmon/diffmon_20020222-2.2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Julien Danjou <[EMAIL PROTECTED]> (supplier of updated diffmon package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
Format: 1.7
Date: Wed, 25 Oct 2006 11:15:18 +0200
Source: diffmon
Binary: diffmon
Architecture: source all
Version: 20020222-2.2
Distribution: unstable
Urgency: medium
Maintainer: Jeff Bailey <[EMAIL PROTECTED]>
Changed-By: Julien Danjou <[EMAIL PROTECTED]>
Description:
diffmon - Tool for reporting changes in system configuration.
Closes: 382132
Changes:
diffmon (20020222-2.2) unstable; urgency=medium
.
* Non-maintainer upload.
* Fix a security hole with bad umask (Closes: #382132)
* Bump standards version
* Change Build-Depends-Indep to Build-Depends
Files:
9de192ba6dcbb6dffb1150d99357b5fd 505 admin optional diffmon_20020222-2.2.dsc
7ac202b3e6a4ed4eca42ff20975c60e9 15726 admin optional diffmon_20020222-2.2.tar.gz
b4fa52f9e376b63f5b68d9b0a4224cdd 12050 admin optional diffmon_20020222-2.2_all.deb
--- End Message ---