Your message dated Thu, 14 Feb 2008 09:17:19 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Re: Bug#399584: speech-dispatcher has rpath to insecure
location
(/build/buildd/speech-dispatcher-0.6.1/debian/speech-dispatcher/usr/lib)
has caused the Debian Bug report #399584,
regarding speech-dispatcher has rpath to insecure location
(/build/buildd/speech-dispatcher-0.6.1/debian/speech-dispatcher/usr/lib)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
399584: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=399584
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: speech-dispatcher
Version: 0.6.1-2
Severity: serious
Tags: security
Hello Milan,
The arm and ia64 Debian packages of speech-dispatcher include a binary
with an rpath pointing to
/build/buildd/speech-dispatcher-0.6.1/debian/speech-dispatcher/usr/lib.
%chrpath /usr/bin/spd-say
/usr/bin/spd-say:
RPATH=/build/buildd/speech-dispatcher-0.6.1/debian/speech-dispatcher/usr/lib
This allows an attacker with write access to that directory to
add modified libraries which will be loaded when someone
else runs speech-dispatcher.
Cheers,
--
Bill. <[EMAIL PROTECTED]>
Imagine a large blue swirl here.
--- End Message ---
--- Begin Message ---
There has been no additional information about the bug for more than a year.
It is not present on amd64 in speech-dispatcher 0.6.6-1 and perhaps it
is not present on the mentioned architectures anymore. So I'm closing
the bug, please reopen it if it still exists.
Regards,
Milan Zamazal
--- End Message ---
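
The chrpath check from the report can be turned into a repeatable audit of every RPATH/RUNPATH entry, which is one way to confirm on each architecture whether the problem is still present. This is an added example, not code from the bug report or from Debian; the TRUSTED directory list and the names classify and audit are assumptions, and it goes beyond the single case in the report by also handling $ORIGIN, empty entries and RUNPATH.

```python
import posixpath
import re

# Assumption: library directories that only root can write to on the audited host.
TRUSTED = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")
# A chrpath listing line: "<binary>: RPATH=<dirs>" or "<binary>: RUNPATH=<dirs>".
LINE = re.compile(r"^(?P<binary>.+?): (?P<tag>RPATH|RUNPATH)=(?P<dirs>.*)$")

def classify(entry, binary):
    """Return a reason string if this search-path entry is risky, else None."""
    # The dynamic linker substitutes $ORIGIN with the directory holding the binary.
    origin = posixpath.dirname(binary) or "."
    expanded = entry.replace("${ORIGIN}", origin).replace("$ORIGIN", origin)
    if not expanded.startswith("/"):
        return "empty or relative entry, resolved against the current directory"
    resolved = posixpath.normpath(expanded)  # collapse "..", "//" and trailing "/"
    if any(resolved == t or resolved.startswith(t + "/") for t in TRUSTED):
        return None
    return "resolves to %s, outside the trusted library directories" % resolved

def audit(chrpath_output):
    """Return (binary, tag, entry, reason) for every risky entry in the listing."""
    findings = []
    for line in chrpath_output.splitlines():
        m = LINE.match(line.strip())
        if not m:  # e.g. "no rpath or runpath tag found" lines
            continue
        for entry in m["dirs"].split(":"):
            reason = classify(entry, m["binary"])
            if reason:
                findings.append((m["binary"], m["tag"], entry, reason))
    return findings

# Constructed input: the first line is the report's chrpath output joined onto
# one line; the other lines are made up to exercise the remaining branches.
SAMPLE = """\
/usr/bin/spd-say: RPATH=/build/buildd/speech-dispatcher-0.6.1/debian/speech-dispatcher/usr/lib
/usr/bin/ok-tool: RPATH=/usr/lib/ok-tool:$ORIGIN/../lib
/opt/demo/bin/demo: RUNPATH=$ORIGIN/../lib::/usr/lib/../../tmp
/usr/bin/plain: no rpath or runpath tag found.
"""

if __name__ == "__main__":
    for binary, tag, entry, reason in audit(SAMPLE):
        print("%s: %s entry %r: %s" % (binary, tag, entry, reason))
```

To audit an installed system, pass the text printed by chrpath for the binaries of interest to audit() instead of SAMPLE.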