Your message dated Sat, 15 Dec 2007 14:32:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#431600: fixed in amaya 9.55~dfsg.0-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: amaya
Version: 9.54~dfsg.0-1
Severity: important

The Amaya package contains the following code inside
amaya-9.51/Amaya/thotlib/unicode/ustring.c

  {
    int fd;
    char buffer[256];

    memset ( buffer, 0, 256 );
    /* ask the system using locale command */
    system ("locale -ck LC_MESSAGES | grep messages-codeset | sed 's/.*=\"//' | sed 's/\"//' > /tmp/locale");
    fd = open ("/tmp/locale", O_RDONLY);

This can be abused to allow arbitrary files to be created, or truncated,
when a user runs the browser as this session shows:

  # check there are no files, then create an evil symlink
  [EMAIL PROTECTED]:~$ ls -l /etc/nologin /tmp/locale
  ls: /etc/nologin: No such file or directory
  ls: /tmp/locale: No such file or directory
  [EMAIL PROTECTED]:~$ ln -s /etc/nologin /tmp/locale

  # wait for root to run the application
  [EMAIL PROTECTED]:~$ sudo -s
  [EMAIL PROTECTED]:~# amaya

  # see the file
  [EMAIL PROTECTED]:~# ls /etc/nologin
  /etc/nologin
  [EMAIL PROTECTED]:~# cat /etc/nologin
  UTF-8

Obviously this example relies upon root to run the application, and
linking to /etc/passwd would trash the system.

I guess the solution is to generate a secure temporary filename with
mktemp, mkstemp, or similar.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.18-xen (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages amaya depends on:
ii  amaya-data              9.54~dfsg.0-1      Web Browser, HTML Editor and Testb
ii  libc6                   2.5-11             GNU C Library: Shared libraries
ii  libexpat1               1.95.8-3.4         XML parsing C library - runtime li
ii  libfreetype6            2.2.1-6            FreeType 2 font engine, shared lib
ii  libgcc1                 1:4.2-20070627-1   GCC support library
ii  libgl1-mesa-glx [libgl1 6.5.2-5            A free implementation of the OpenG
ii  libglu1-mesa [libglu1]  6.5.2-5            The OpenGL utility library (GLU)
ii  libjpeg62               6b-13              The Independent JPEG Group's JPEG
ii  libpng12-0              1.2.15~beta5-2     PNG library - runtime
ii  libraptor1              1.4.15-3           Raptor RDF parser and serializer l
ii  libstdc++6              4.2-20070627-1     The GNU Standard C++ Library v3
ii  libwww-ssl0             5.4.0-11           The W3C-WWW library (SSL support)
ii  libwxbase2.6-0          2.6.3.2.1.5        wxBase library (runtime) - non-GUI
ii  libwxgtk2.6-0           2.6.3.2.1.5        wxWidgets Cross-platform C++ GUI t
ii  ttf-freefont            20060501cvs-12     Freefont Serif, Sans and Mono True
ii  zlib1g                  1:1.2.3.3.dfsg-3   compression library - runtime

Versions of packages amaya recommends:
pn  amaya-doc               <none>             (no description available)

-- no debconf information

Steve
--
# Kink-Friendly Dating
http://ctrl-alt-date.com/

--- End Message ---
--- Begin Message ---
Source: amaya
Source-Version: 9.55~dfsg.0-1

We believe that the bug you reported is fixed in the latest version of
amaya, which is due to be installed in the Debian FTP archive:

amaya-data_9.55~dfsg.0-1_all.deb
  to pool/main/a/amaya/amaya-data_9.55~dfsg.0-1_all.deb
amaya-doc_9.55~dfsg.0-1_all.deb
  to pool/main/a/amaya/amaya-doc_9.55~dfsg.0-1_all.deb
amaya_9.55~dfsg.0-1.diff.gz
  to pool/main/a/amaya/amaya_9.55~dfsg.0-1.diff.gz
amaya_9.55~dfsg.0-1.dsc
  to pool/main/a/amaya/amaya_9.55~dfsg.0-1.dsc
amaya_9.55~dfsg.0-1_amd64.deb
  to pool/main/a/amaya/amaya_9.55~dfsg.0-1_amd64.deb
amaya_9.55~dfsg.0.orig.tar.gz
  to pool/main/a/amaya/amaya_9.55~dfsg.0.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Regis Boudin <[EMAIL PROTECTED]> (supplier of updated amaya package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 18 Jul 2007 23:15:23 +0100
Source: amaya
Binary: amaya-data amaya-doc amaya
Architecture: source amd64 all
Version: 9.55~dfsg.0-1
Distribution: unstable
Urgency: high
Maintainer: [EMAIL PROTECTED]
Changed-By: Regis Boudin <[EMAIL PROTECTED]>
Description:
 amaya      - Web Browser, HTML Editor and Testbed for Draft W3C standards
 amaya-data - Web Browser, HTML Editor and Testbed for Draft W3C standards [dat
 amaya-doc  - Web Browser, HTML Editor and Testbed for Draft W3C standards [doc
Closes: 423585 431600
Changes:
 amaya (9.55~dfsg.0-1) unstable; urgency=high
 .
   * New upstream release. Using the tarball respin fixing a bug.
     Let's call this one the "I love upstream when they partially revert
     patches and keep doing the same programming errors again and again"
     release.
     + Upstream now installs everything in $prefix/lib/Amaya, so drop
       installdir_amaya.diff, use 'Amaya' instead of 'amaya', and drop the
       conflicts against previous versions of the package.
   * Switch to debhelper version 5.
   * Don't depend on ttf-freefont (Closes: #423585).
   * Drop fix_ftbfs64.diff, merged upstream.
   * New patch, fix_ftbfs64_again.diff.
   * New cflags_cleanup.diff patch, getting rid of the forced CFLAGS and
     CXXFLAGS; this was originally in rdf_conf_in_conf.diff, partially
     merged upstream...
   * but even more partially reverted, so rdf_conf_in_conf.diff is still
     here. Or back. Or a bit of both.
   * Replace raptor_split.diff with raptor.diff. Upstream does not use the
     redland library at all anymore, so there is no need to link against it
     and pull half the libraries from the archive for it.
   * Stop doing dirty stuff to get the locale. Use nl_langinfo() instead.
     This fixes a security issue (Closes: #431600). Thanks Steve Kemp for
     the report.
   * Apply the cextract, esstix, png and jpeg patch within the prune
     target, so the rerolled upstream tarball still works without the
     debian patch applied.
   * Update the menu file to the new structure, change from "Apps/Net" to
     "Applications/Web Development".
   * Move the .desktop file from amaya-data to amaya, so it can find the
     binary and make lintian happy. No need to conflict, as the files have
     different names.
Files:
 eb07a279417d93d17180415c5f08d080 810 web optional amaya_9.55~dfsg.0-1.dsc
 b35fae89e8562ac8540760fde5815fa6 7844995 web optional amaya_9.55~dfsg.0.orig.tar.gz
 4d511f41b63873ed5e1507038d4636d6 45962 web optional amaya_9.55~dfsg.0-1.diff.gz
 6867614c82566ff7499a4c27f9abb4d2 2462130 web optional amaya_9.55~dfsg.0-1_amd64.deb
 0f44687f9de05afbcc716118445deed5 1927250 web optional amaya-data_9.55~dfsg.0-1_all.deb
 4368c17a8b0ce47e678a59ecc67e7fda 866376 doc optional amaya-doc_9.55~dfsg.0-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHY+M3VE17sLEtWVoRApXnAKDPFpQdOFagBBynK/KQYYfnPAiT4QCdFOg3
TR4qAbgQkYsu7mnf3NTb+Jw=
=SyFg
-----END PGP SIGNATURE-----
--- End Message ---
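The two messages above describe the bug (a fixed, predictable `/tmp/locale` written by a shell pipeline and then read back, so a pre-planted symlink turns it into an arbitrary file create/truncate for whoever runs the browser) and the fix shipped in 9.55 (ask libc via nl_langinfo() and never touch a temp file). The block below is an added example, not code from Amaya or from the Debian package: it reproduces the symlink race from the report inside a private scratch directory, without root and without relying on the real /tmp, and puts it beside the two safer forms, the nl_langinfo() call that replaced the pipeline and the mkstemp() route the reporter suggested. The function names, the struct and the scratch-directory layout under $TMPDIR are this example's own. One caveat the changelog does not spell out: nl_langinfo(CODESET) reports the LC_CTYPE codeset, whereas the pipeline scraped the LC_MESSAGES messages-codeset; on any ordinary locale setup the two agree.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <langinfo.h>
#include <limits.h>
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* What the 9.55 package does instead of the shell pipeline: ask libc.
 * nl_langinfo(CODESET) is the LC_CTYPE codeset, which on a normal setup
 * equals the messages-codeset the pipeline scraped.  Buffer/return
 * convention is this example's, not Amaya's. */
int messages_codeset(char *buf, size_t buflen)
{
    const char *cs;
    size_t len;

    setlocale(LC_CTYPE, "");           /* honour LANG / LC_* like `locale` does */
    cs = nl_langinfo(CODESET);         /* e.g. "UTF-8" or "ANSI_X3.4-1968" */
    if (cs == NULL || (len = strlen(cs)) == 0 || len >= buflen)
        return -1;
    memcpy(buf, cs, len + 1);
    return 0;
}

/* Results of one run of the race from the bug report. */
struct symlink_demo {
    int fixed_name_followed_link;  /* 1: `> /tmp/locale`-style open wrote through the link */
    int nofollow_errno;            /* errno of the same open with O_NOFOLLOW (expect ELOOP) */
    int mkstemp_ok;                /* 1: mkstemp gave a fresh, exclusively created file */
};

/* Reproduce the report without root and without touching the real /tmp:
 * make a private scratch dir, plant scratch/locale -> scratch/target the
 * way the attacker ran `ln -s /etc/nologin /tmp/locale`, then open the
 * fixed name the way the victim does, and two safer ways.  Returns 0 and
 * fills *out on success. */
int run_symlink_demo(struct symlink_demo *out)
{
    const char *base = getenv("TMPDIR");
    char dir[PATH_MAX], link[PATH_MAX], target[PATH_MAX], tmpl[PATH_MAX];
    struct stat st;
    int fd;

    memset(out, 0, sizeof *out);
    snprintf(dir, sizeof dir, "%s/amaya-demo-XXXXXX", base ? base : "/tmp");
    if (mkdtemp(dir) == NULL)           /* 0700 directory nobody else can write */
        return -1;
    snprintf(link, sizeof link, "%s/locale", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(tmpl, sizeof tmpl, "%s/locale.XXXXXX", dir);

    if (symlink(target, link) != 0)     /* attacker's step, target does not exist yet */
        return -1;

    /* victim, as in ustring.c: the shell's `> /tmp/locale` is
     * open(O_WRONLY|O_CREAT|O_TRUNC), which follows the planted link
     * and creates (or truncates) whatever it points at */
    fd = open(link, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0)
        close(fd);
    out->fixed_name_followed_link = (stat(target, &st) == 0 && S_ISREG(st.st_mode));

    /* if a fixed name must stay: refuse to go through a symlink at all */
    fd = open(link, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    out->nofollow_errno = (fd < 0) ? errno : 0;
    if (fd >= 0)
        close(fd);

    /* the reporter's suggestion: unpredictable name, O_EXCL creation */
    fd = mkstemp(tmpl);
    out->mkstemp_ok = (fd >= 0);
    if (fd >= 0) {
        close(fd);
        unlink(tmpl);
    }

    unlink(target);
    unlink(link);
    rmdir(dir);
    return 0;
}

int main(void)
{
    char cs[64];
    struct symlink_demo d;

    if (messages_codeset(cs, sizeof cs) == 0)
        printf("codeset via nl_langinfo: %s\n", cs);
    if (run_symlink_demo(&d) == 0)
        printf("fixed name followed link: %d, O_NOFOLLOW errno: %d (ELOOP=%d), mkstemp ok: %d\n",
               d.fixed_name_followed_link, d.nofollow_errno, ELOOP, d.mkstemp_ok);
    return 0;
}
```

The first open() succeeds and brings `target` into existence, which is exactly how `/etc/nologin` appeared in the report; the O_NOFOLLOW variant fails with ELOOP instead, and mkstemp() never consults the attacker's name at all. Build with `cc -Wall demo.c` and run as an unprivileged user. Note that O_NOFOLLOW only protects the last path component, so it is a mitigation for a fixed name, not a substitute for dropping the temp file as the package did.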

