Your message dated Fri, 15 Aug 2014 21:43:07 +0000
with message-id <[email protected]>
and subject line Bug#756566: fixed in libxml-dt-perl 0.66-1
has caused the Debian Bug report #756566,
regarding libxml-dt-perl: Insecure use of temporary files (CVE-2014-5260)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
756566: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756566
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---
Package: libxml-dt-perl
Version: 0.62-1
Severity: important
Tags: security

The libxml-dt-perl package installs the script "/usr/bin/mkxmltype" which
blindly overwrites the contents of the file:

    /tmp/_xml_$$

(Where '$$' corresponds to the PID of the process.)

This is insecure and can allow the truncation of arbitrary files the user
has permission to access.

A similar problem exists in /usr/bin/mkdtskel, again the file accessed
is /tmp/_xml_$$.

Both scripts should be updated to use File::Temp, or similar.

Steve
-- 
http://steve.org.uk/

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
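
The pattern described in the report above, shown beside the File::Temp replacement it recommends. This is an added example, not code from mkxmltype, mkdtskel or the upstream fix; the sandbox directory (standing in for /tmp), the victim file and the subroutine names are constructed for illustration.

```perl
# Added example: predictable scratch-file name versus File::Temp.
# Runs entirely inside a private sandbox directory (assumption: stands in for /tmp).
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir tempfile);

my $sandbox = tempdir(CLEANUP => 1);
sub size { my @st = stat $_[0]; return $st[7] }

# Constructed victim: a file the invoking user has permission to write.
my $victim = "$sandbox/important.txt";
open(my $v, '>', $victim) or die "create victim: $!";
print {$v} "data the user cares about\n";
close($v);

# The name _xml_<pid> is guessable, so something may already exist at that
# path before the script runs, here a link pointing at the victim file.
my $predictable = "$sandbox/_xml_$$";
symlink($victim, $predictable) or die "symlink: $!";

# Unsafe pattern (reconstructed from the report's description):
# open '>' follows the link and truncates whatever it resolves to.
sub unsafe_scratch {
    open(my $fh, '>', $_[0]) or return 0;
    return close($fh);
}

# Minimal guard when a fixed name must stay: O_CREAT|O_EXCL refuses any
# existing path, symlinks included, so the open fails instead of clobbering.
sub excl_scratch {
    sysopen(my $fh, $_[0], O_WRONLY | O_CREAT | O_EXCL, 0600) or return;
    return $fh;
}

# Exercise the guard first, while the victim is still intact.
my $guarded = excl_scratch($predictable);
printf "O_EXCL open: %s, victim size %d\n",
    ($guarded ? 'opened' : "refused ($!)"), size($victim);

unsafe_scratch($predictable);
printf "plain '>' open: victim size now %d\n", size($victim);

# Recommended: File::Temp picks an unguessable name, opens it with
# O_CREAT|O_EXCL and mode 0600, and UNLINK removes it at exit.
my ($fh, $name) = tempfile('_xml_XXXXXXXX', DIR => $sandbox, UNLINK => 1);
print {$fh} "<scratch/>\n";
close($fh);
printf "File::Temp: %s mode %04o\n", $name, (stat $name)[2] & 07777;
```

When auditing other scripts for the same class of bug, a search for `/tmp/` combined with `$$` in an `open` call is a quick first pass.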
--- Begin Message ---
Source: libxml-dt-perl
Source-Version: 0.66-1

We believe that the bug you reported is fixed in the latest version of
libxml-dt-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <[email protected]> (supplier of updated libxml-dt-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 15 Aug 2014 22:56:46 +0200
Source: libxml-dt-perl
Binary: libxml-dt-perl
Architecture: source all
Version: 0.66-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: gregor herrmann <[email protected]>
Description:
 libxml-dt-perl - module for down translation of XML files
Closes: 756566
Changes:
 libxml-dt-perl (0.66-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release.
     [CVE-2014-5260] Add missing part to the fix for the insecure usage of
     tempfile issue.
     Closes: #756566.
--- End Message ---

