Your message dated Tue, 15 May 2012 13:19:32 +0000
with message-id <[email protected]>
and subject line Bug#654262: fixed in lio-utils 3.1+git2.fd0b34fd-1
has caused the Debian Bug report #654262,
regarding lio-utils: debug is enabled by default, allowing symlink attacks
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
654262: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=654262
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: lio-utils
Version: 3.1+git0.91b96103-2
Severity: normal
Tags: patch security

/etc/init.d/target contains the following code:

| #########################################################################
| # Allows saving command & arguments into a file for subsequent debugging
| # Enable: Set DEBUG=1    Disable: Set DEBUG=0
|
| DEBUG=0
| LOGFILE=/tmp/tgtctl.dbug
|
| if [ $DEBUG ]; then
|         echo "$0 $*" >> $LOGFILE
| fi
| #########################################################################

The test on the debug is wrong, so the test is always valid. This causes
DEBUG to be enabled by default, and given the filename is fixed and the
file located in /tmp, it can be used for a symlink attack.

The test should be replaced by:

| if [ $DEBUG != 0 ]; then


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash



--- End Message ---
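
The behaviour described in the report above, as an added example that is not part of the original message or of lio-utils. It compares the shipped test with the proposed one and contrasts the plain append with one possible hardening; the function names and the hardening itself are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; function names and paths are hypothetical, not lio-utils code.

# Test as shipped: with a single argument, [ STRING ] succeeds for any
# non-empty string, so DEBUG=0 still counts as "enabled".
debug_on_original() { [ $1 ]; }

# Test proposed in the report (quoted here): enabled unless the value is 0.
debug_on_fixed() { [ "$1" != 0 ]; }

# Append as the init script does: the redirection follows a symlink at $1.
unsafe_log() {
    logfile=$1; shift
    echo "$*" >> "$logfile"
}

# One possible hardening (assumption, not the upstream fix): refuse to append
# through a symlink. The check-then-open gap still races in a world-writable
# directory, so the log belongs in a root-owned directory such as /var/log.
safe_log() {
    logfile=$1; shift
    if [ -L "$logfile" ]; then
        echo "refusing to log: $logfile is a symlink" >&2
        return 1
    fi
    echo "$*" >> "$logfile"
}

# Show how each test treats the two documented DEBUG values.
for v in 0 1; do
    if debug_on_original "$v"; then o=on; else o=off; fi
    if debug_on_fixed "$v"; then f=on; else f=off; fi
    echo "DEBUG=$v original=$o fixed=$f"
done
```
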
--- Begin Message ---
Source: lio-utils
Source-Version: 3.1+git2.fd0b34fd-1

We believe that the bug you reported is fixed in the latest version of
lio-utils, which is due to be installed in the Debian FTP archive:

lio-utils_3.1+git2.fd0b34fd-1.debian.tar.gz
  to main/l/lio-utils/lio-utils_3.1+git2.fd0b34fd-1.debian.tar.gz
lio-utils_3.1+git2.fd0b34fd-1.dsc
  to main/l/lio-utils/lio-utils_3.1+git2.fd0b34fd-1.dsc
lio-utils_3.1+git2.fd0b34fd-1_amd64.deb
  to main/l/lio-utils/lio-utils_3.1+git2.fd0b34fd-1_amd64.deb
lio-utils_3.1+git2.fd0b34fd.orig.tar.gz
  to main/l/lio-utils/lio-utils_3.1+git2.fd0b34fd.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ritesh Raj Sarraf <[email protected]> (supplier of updated lio-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Tue, 15 May 2012 17:54:48 +0530
Source: lio-utils
Binary: lio-utils
Architecture: source amd64
Version: 3.1+git2.fd0b34fd-1
Distribution: unstable
Urgency: low
Maintainer: Ritesh Raj Sarraf <[email protected]>
Changed-By: Ritesh Raj Sarraf <[email protected]>
Description: 
 lio-utils  - configuration tool for LIO core target
Closes: 652052 654262
Changes: 
 lio-utils (3.1+git2.fd0b34fd-1) unstable; urgency=low
 .
   * [2dcd774] Add README.source
   * [074e1fc] Imported Upstream version 3.1+git2.fd0b34fd
     (Closes: #654262, #652052)
   * [b84f9ac] Fix debian/copyright to comply to format 1.0
   * [ff79fe6] Add patch shell-script-header.patch to define header for
     shell scripts



--- End Message ---
