Your message dated Sun, 28 Dec 2008 14:47:09 +0000
with message-id <[email protected]>
and subject line Bug#509277: fixed in cmus 2.2.0-1.1
has caused the Debian Bug report #509277,
regarding CVE-2008-5375: insecure temp file handling
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
509277: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=509277
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: cmus
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for cmus.

CVE-2008-5375[0]:
| cmus-status-display in cmus 2.2.0 allows local users to overwrite
| arbitrary files via a symlink attack on the /tmp/cmus-status temporary
| file.

debug.c also does something in /tmp, so one would need to check that as
well.

Since the program is not executed with root rights, this could be fixed
for stable via stable-proposed-updates.
It would also be nice to fix this bug for lenny.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5375
    http://security-tracker.debian.net/tracker/CVE-2008-5375



--- End Message ---
--- Begin Message ---
Source: cmus
Source-Version: 2.2.0-1.1

We believe that the bug you reported is fixed in the latest version of
cmus, which is due to be installed in the Debian FTP archive:

cmus_2.2.0-1.1.diff.gz
  to pool/main/c/cmus/cmus_2.2.0-1.1.diff.gz
cmus_2.2.0-1.1.dsc
  to pool/main/c/cmus/cmus_2.2.0-1.1.dsc
cmus_2.2.0-1.1_i386.deb
  to pool/main/c/cmus/cmus_2.2.0-1.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Muehlenhoff <[email protected]> (supplier of updated cmus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 28 Dec 2008 14:57:06 +0100
Source: cmus
Binary: cmus
Architecture: source i386
Version: 2.2.0-1.1
Distribution: unstable
Urgency: high
Maintainer: Julien Louis <[email protected]>
Changed-By: Moritz Muehlenhoff <[email protected]>
Description: 
 cmus       - Lightweight ncurses audio player
Closes: 509277
Changes: 
 cmus (2.2.0-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Modify example script cmus-status-display to write the current
     status to .cmus-status in the user's home instead of /tmp/cmus-status,
     since the latter could lead to symlink attacks. CVE-2008-5375
     (Closes: #509277)
Checksums-Sha1: 
 b31a53b71ba573135dcc27bd81d395401b553922 1164 cmus_2.2.0-1.1.dsc
 02d5af37a0a20dc1b8422d22f32ff8e1957ed240 3425 cmus_2.2.0-1.1.diff.gz
 a68a552d4ba2769e73378d0a15f1cf311e39aac9 142782 cmus_2.2.0-1.1_i386.deb
Checksums-Sha256: 
 e5e13f60cc18e00aa67d1cf64da08a114c7ec7851a1bb73297f4d42f5a2b4fd0 1164 
cmus_2.2.0-1.1.dsc
 4c7554b0eeb685300c9eadcb76c28f2e788e8eec5bf4cc0612911ed4e4082555 3425 
cmus_2.2.0-1.1.diff.gz
 91d115bde633e38b318d9dc14cb6840b08c8adeab18e0efbbcbd641103d9e893 142782 
cmus_2.2.0-1.1_i386.deb
Files: 
 31c9f8f549364dc0142acfad53ca10dc 1164 sound optional cmus_2.2.0-1.1.dsc
 352cf4c3510531cc9f0d7a6393c03b91 3425 sound optional cmus_2.2.0-1.1.diff.gz
 e81283c1d046655fa7cdeafc51bb8a73 142782 sound optional cmus_2.2.0-1.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAklXh0oACgkQXm3vHE4uylqciwCePuvWedr6hyhKcDEazlFKnidN
k8MAoN+XWSzXqaftuzrMtRVADsYAsepS
=D9s8
-----END PGP SIGNATURE-----



--- End Message ---

Reply via email to