Your message dated Wed, 08 Nov 2006 10:04:10 -0800 with message-id <[EMAIL PROTECTED]> and subject line Bug#393846: fixed in motion 3.2.3-2 has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: motion
Version: 3.2.3-1.1
Severity: serious
Tags: security

By default motion is configured to write snapshots to /tmp, as follows:

[pid 21228] open("/tmp/01-20061017221121-02.jpg", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 7
[pid 21228] open("/tmp/01-20061017221121-03.jpg", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 7
[pid 21228] open("/tmp/01-20061017221121-04.jpg", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 7
[pid 21228] open("/tmp/01-20061017221124-00.jpg", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 7
[pid 21228] open("/tmp/01-20061017221124-01.jpg", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 7
[pid 21228] open("/tmp/01-20061017221134-04.jpg", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 7

So if a user is running motion, here is an easy-to-guess time-based sequence number for a file that is written insecurely. Just create a bunch of symlinks to a file of the user that you want to clobber (which could even be a different snapshot created earlier). Then wave at the webcam, and motion will happily follow the symlink and overwrite the file.

The best fix would be opening the files O_EXCL, although it's also not very good that it uses /tmp anyway, and making it write them to a directory that only the person running motion can access seems like a better default.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages motion depends on:
ii  debconf [debconf-2.0]        1.5.5           Debian configuration management sy
ii  liba52-0.7.4                 0.7.4-4         Library for decoding ATSC A/52 str
ii  libavcodec0d                 0.cvs20060823-4 ffmpeg codec library
ii  libavformat0d                0.cvs20060823-4 ffmpeg file format library
ii  libc6                        2.3.6.ds1-4     GNU C Library: Shared libraries
ii  libdc1394-13                 1.1.0-3+b1      high level programming interface f
ii  libgsm1                      1.0.10-13       Shared libraries for GSM speech co
ii  libjpeg62                    6b-13           The Independent JPEG Group's JPEG
ii  libmysqlclient15off          5.0.24a-5       mysql database client library
ii  libogg0                      1.1.3-2         Ogg Bitstream Library
ii  libpq4                       8.1.5-1         PostgreSQL C client library
ii  libraw1394-8                 1.2.1-2         library for direct access to IEEE
ii  libtheora0                   0.0.0.alpha7-1  The Theora Video Compression Codec
ii  libvorbis0a                  1.1.2-1         The Vorbis General Audio Compressi
ii  libvorbisenc2                1.1.2-1         The Vorbis General Audio Compressi
ii  zlib1g                       1:1.2.3-13      compression library - runtime

Versions of packages motion recommends:
pn  ffmpeg                       <none>          (no description available)

-- debconf information excluded

-- 
see shy jo
--- End Message ---
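The open() flags from the strace above beside the O_EXCL variant the report asks for, plus a check for the kind of private snapshot directory that 3.2.3-2 moves target_dir to; this is an added example, not code from the bug report or from motion. The function names, the mkdtemp scratch directory under /tmp and the earlier.jpg stand-in for an older snapshot are constructed for the demonstration.

```c
/* Added example, not code from the bug report or the motion package. The flags
 * match the report's strace; all function names and paths here are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flags from the report: truncating, world-readable (0666), and open() will
 * follow whatever already sits at the predictable path. */
int snapshot_open_insecure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened: O_EXCL fails with EEXIST if anything (a symlink included) already
 * sits there, O_NOFOLLOW is belt and braces, mode 0600 keeps images private. */
int snapshot_open_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* 3.2.3-2 moved target_dir out of /tmp; this verifies such a directory is a
 * real dir (not a symlink), owned by us, and not writable by others. 0 if so. */
int private_dir_prepare(const char *dir)
{
    struct stat st;
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return -1;
    return (lstat(dir, &st) == 0 && S_ISDIR(st.st_mode) && st.st_uid == getuid()
            && !(st.st_mode & (S_IWGRP | S_IWOTH))) ? 0 : -1;
}

/* Self-check in a constructed scratch directory: returns 0 when the hardened
 * open refuses a pre-existing symlink that the original flags follow and truncate. */
int demo_scenario(void)
{
    char dir[] = "/tmp/motion-demo-XXXXXX", victim[64], link[64];
    struct stat st; int fd;
    if (mkdtemp(dir) == NULL || private_dir_prepare(dir) != 0) return 1;
    snprintf(victim, sizeof victim, "%s/earlier.jpg", dir);            /* older snapshot */
    snprintf(link, sizeof link, "%s/01-20061017221121-02.jpg", dir);   /* predictable name */
    if ((fd = snapshot_open_safe(victim)) < 0 || write(fd, "jpeg", 4) != 4 || close(fd) != 0) return 2;
    if (snapshot_open_safe(victim) != -1 || errno != EEXIST) return 3;  /* no silent reuse */
    if (symlink(victim, link) != 0) return 4;                           /* link at the predictable name */
    if (snapshot_open_safe(link) != -1 || (errno != EEXIST && errno != ELOOP)) return 5;
    if ((fd = snapshot_open_insecure(link)) < 0 || close(fd) != 0 || stat(victim, &st) != 0) return 6;
    unlink(link); unlink(victim); rmdir(dir);
    return st.st_size == 0 ? 0 : 7;   /* old flags followed the link and emptied earlier.jpg */
}
```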
--- Begin Message ---
Source: motion
Source-Version: 3.2.3-2

We believe that the bug you reported is fixed in the latest version of motion, which is due to be installed in the Debian FTP archive:

motion_3.2.3-2.diff.gz
  to pool/main/m/motion/motion_3.2.3-2.diff.gz
motion_3.2.3-2.dsc
  to pool/main/m/motion/motion_3.2.3-2.dsc
motion_3.2.3-2_i386.deb
  to pool/main/m/motion/motion_3.2.3-2_i386.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Frederik Dannemare <[EMAIL PROTECTED]> (supplier of updated motion package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 3 Nov 2006 09:41:23 +0100
Source: motion
Binary: motion
Architecture: source i386
Version: 3.2.3-2
Distribution: unstable
Urgency: medium
Maintainer: Frederik Dannemare <[EMAIL PROTECTED]>
Changed-By: Frederik Dannemare <[EMAIL PROTECTED]>
Description: 
 motion     - V4L capture program supporting motion detection
Closes: 374636 391069 393846 396566
Changes: 
 motion (3.2.3-2) unstable; urgency=medium
 .
   * Acknowledgement of patch submitted by Loic Minier (part of NMU motion 3.2.3-1.1) (Closes: #391069).
   * Security: Set parameter target_dir in /etc/motion/motion.conf to /var/lib/motion/snapshots + make small NOTE in README.Debian (Closes: #393846).
   * Add var/lib/motion/snapshots to debian/motion.dirs file.
   * Change build dependency from postgresql-dev (obsolete) to libpq-dev (Closes: #396566).
   * Remove weird/improper character (looks like a pipe, but isn't) in motion manpage on line 428 and 433. Also add an extra backslash to '\n' on line 428, 433 and 610 (Closes: #374636).
   * Make comment in manpage that when calling motion with -d (for debugging) -c must also be specified explicitly.
   * Add parameters 'threshold' and 'noise_level' to the default configuration file + add punctuation marks (.) at the end of all comment lines.
   * Bumped Standards-Version to 3.7.2. No changes to package necessary.
Files: 
 a5b60cd1d1d80bd7ba1782b1f7f8b25d 699 graphics optional motion_3.2.3-2.dsc
 d39eab2749a2802ce7263ccab4086aba 35269 graphics optional motion_3.2.3-2.diff.gz
 d1fd47bc93ec79ff8bbd1f48d38f2b22 195190 graphics optional motion_3.2.3-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFUhh5JdKMxZV9WM8RAsSzAJ9jjPPI+LgNdFVLeJ9V6LUF+uP4AgCgrYH1
Y0SI5ZQOhU9WFVFurfh5274=
=tsp2
-----END PGP SIGNATURE-----
--- End Message ---

