Your message dated Fri, 11 Sep 2015 06:07:40 +0000
with message-id <[email protected]>
and subject line Bug#753737: fixed in quassel 1:0.12.2-1
has caused the Debian Bug report #753737,
regarding quassel-core: postinst accesses location writable by non-root as root
in an unsafe way
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
753737: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=753737
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: quassel-core
Version: 0.10.0-1
Severity: normal
From looking at quassel-core.postinst, it seems that the maintainer
script will write to and change permissions of $QUASSEL_CERT which is
located in a directory writable by non-root.
This can be abused:
$QUASSEL_CORE can be made a symlink to some other (nonexisting)
location. Then a file owned by quasselcore will be created there. This
allows trivial escalation to root: create a file under
/etc/cron.daily, wait for postinst to run (on upgrade), change file
contents to do stuff as root.
Given an attacker has to wait for postinst to run, this isn't grave,
but hey...
Ansgar
--- End Message ---
--- Begin Message ---
Source: quassel
Source-Version: 1:0.12.2-1
We believe that the bug you reported is fixed in the latest version of
quassel, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Felix Geyer <[email protected]> (supplier of updated quassel package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 10 Sep 2015 22:44:32 +0200
Source: quassel
Binary: quassel-core quassel-client quassel quassel-data quassel-client-kde4 quassel-kde4
Architecture: source
Version: 1:0.12.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian KDE Extras Team <[email protected]>
Changed-By: Felix Geyer <[email protected]>
Description:
quassel - distributed IRC client - monolithic core+client
quassel-client - distributed IRC client - client component
quassel-client-kde4 - transitional package to quassel-client
quassel-core - distributed IRC client - core component
quassel-data - distributed IRC client - shared data
quassel-kde4 - transitional package to quassel
Closes: 732605 753737 779726 784519
Changes:
quassel (1:0.12.2-1) unstable; urgency=medium
.
[ Felix Geyer ]
* New upstream release. (Closes: #779726)
* Remove patches that have been applied upstream:
- CVE-2014-8483.patch
- CVE-2015-2778.patch
- CVE-2015-3427.patch
* Set maintainer to Debian KDE Extras Team.
* Add Vcs control fields pointing to the new git packaging repo.
(Closes: #732605)
* Drop explicit phonon dependencies, they are automatically added.
* Build quassel against Qt5 + KF5 libs instead of a Qt4 and a KDE4 variant.
(Closes: #784519)
- Remove quassel-data-kde4.
- Turn quassel-kde4 and quassel-client-kde4 into transitional packages.
* Enable parallel building.
* Pass --fail-missing to dh_install.
* Create the SSL certificate as user quasselcore to avoid a symlink race
condition. (Closes: #753737)
* Stop hardcoding the path to deluser / delgroup in postrm.
* Enable all hardening build flags.
* Build with -Wl,--as-needed.
* Fix detection of OpenSSL when building against Qt5.
- Add 02_set-required-libs-and-flags.patch from openSUSE.
* Work around missing icon theme fallback in KF5.
- Add 03_force_icon_theme.patch
- Add oxygen-icon-theme to quassel-data/Recommends.
.
[ Scott Kitterman ]
* Add systemd service file and associated changes for quasselcore.
--- End Message ---
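The report above describes a root maintainer script writing to a path under a directory that an unprivileged user controls, and the changelog records the fix as creating the certificate as user quasselcore instead of as root. The helper below is an added example, not code from the quassel package, that combines the symlink checks with that privilege drop; the names quasselcore and $QUASSEL_CERT come from the report, and su (for the privilege drop) and find -user (for the ownership check) are assumptions about the available tools.

```shell
#!/bin/sh
# Added example, not from the quassel package: create a file inside a
# directory owned by an unprivileged service user without writing as root.
#
# Defences, in order:
#  1. the parent directory must be a real directory (not a symlink) owned by
#     the service user;
#  2. the target path must not already be a symlink;
#  3. the write itself runs as the service user, so a symlink planted between
#     the checks and the write can only reach places that user could already
#     write to. Step 3 is what closes the race; 1 and 2 make the obvious
#     cases fail early with a clear message.

# safe_create_as_user USER TARGET SNIPPET
#   SNIPPET is an sh command string that creates TARGET.
safe_create_as_user() {
    user="$1"; target="$2"; snippet="$3"
    dir=$(dirname "$target")

    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "refusing: $dir is a symlink or not a directory" >&2
        return 1
    fi
    # find -user prints the directory only when it is owned by $user.
    if [ -z "$(find "$dir" -maxdepth 0 -user "$user" -print 2>/dev/null)" ]; then
        echo "refusing: $dir is not owned by $user" >&2
        return 1
    fi
    if [ -L "$target" ]; then
        echo "refusing: $target is a symlink" >&2
        return 1
    fi

    if [ "$(id -u)" -eq 0 ] && [ "$user" != "$(id -un)" ]; then
        # Drop privileges for the write. The shell is forced to /bin/sh so a
        # service account whose login shell is nologin still works.
        su -s /bin/sh -c "$snippet" "$user"
    else
        # Already the service user (or running unprivileged): run directly.
        sh -c "$snippet"
    fi
}

# How a postinst could call it with the names from the bug report (the
# openssl invocation is a placeholder, not the package's own command):
#   safe_create_as_user quasselcore "$QUASSEL_CERT" \
#       "umask 077; openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
#        -subj /CN=quasselcore -keyout '$QUASSEL_CERT' -out '$QUASSEL_CERT'"
```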