Package: xfce4-sensors-plugin
Version: 1.2.5-1+b1
Severity: important
Tags: patch security

Hello,

xfce4-sensors-plugin seems to want, although not necessary, to have hddtemp
setuid in the system in order to read the temperature of the HDD. It even goes
so far as to suggest to the user to setuid hddtemp.

But there is an option to fetch hddtemp information without having hddtemp
setuid, to read directly from a local port. This option is now disabled at
build time because there is no netcat installed during build.

So I just added netcat as a build depends and the resulting package works fine
and no longer recommends to the user the unsafe option of running hddtemp setuid.

Please use the attached patch to fix this issue.

Thanks,
Eddy

-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (999, 'testing'), (500, 'stable'), (50, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.4.0-heidi (SMP w/2 CPU cores)
Locale: LANG=ro_RO.utf8, LC_CTYPE=ro_RO.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages xfce4-sensors-plugin depends on:
ii libatk1.0-0 2.4.0-2
ii libc6 2.13-35
ii libcairo2 1.12.2-2
ii libfontconfig1 2.9.0-7
ii libfreetype6 2.4.9-1
ii libgdk-pixbuf2.0-0 2.26.1-1
ii libglib2.0-0 2.32.3-1
ii libgtk2.0-0 2.24.10-2
ii libnotify4 0.7.5-1
ii libpango1.0-0 1.30.0-1
ii libsensors4 1:3.3.2-2
ii libxfce4ui-1-0 4.8.1-1
ii libxfce4util4 4.8.2-1
ii xfce4-panel 4.8.6-3
Versions of packages xfce4-sensors-plugin recommends:
ii hddtemp 0.3-beta15-51
ii lm-sensors 1:3.3.2-2
Versions of packages xfce4-sensors-plugin suggests:
ii xsensors 0.70-2
-- no debconf information
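
The unprivileged read path described in the report, sketched as an added example (not code from xfce4-sensors-plugin or from the reporter). It assumes hddtemp is running in daemon mode on its default TCP port 7634 and replies with records of the form |device|model|temperature|unit|; the function names and the sample reply are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from xfce4-sensors-plugin or the bug report.
# Assumed: hddtemp daemon mode on its default TCP port 7634, replying
# with records of the form |device|model|temperature|unit|.
HDDTEMP_PORT=7634

# True when the file carries the setuid bit (the configuration to avoid).
is_setuid() { [ -u "$1" ]; }

# Turn one daemon reply into "device temperature unit" lines.
# Non-numeric temperatures (e.g. a sleeping drive) are reported as n/a.
parse_hddtemp() {
    printf '%s\n' "$1" | awk -F'|' '{
        for (i = 2; i + 3 <= NF; i += 5) {
            t = ($(i + 2) ~ /^-?[0-9]+$/) ? $(i + 2) : "n/a"
            print $i, t, $(i + 3)
        }
    }'
}

# Unprivileged read: ask the local daemon instead of running hddtemp as root.
query_hddtemp() { nc 127.0.0.1 "$HDDTEMP_PORT"; }

# Audit: warn about a setuid hddtemp, then read via the daemon.
audit_hddtemp() {
    bin=$(command -v hddtemp) || { echo "hddtemp not installed"; return 1; }
    if is_setuid "$bin"; then
        echo "WARNING: $bin is setuid; clear it with: chmod u-s $bin"
    fi
    reply=$(query_hddtemp) || { echo "daemon not reachable on $HDDTEMP_PORT"; return 1; }
    parse_hddtemp "$reply"
}

# Constructed sample reply (two drives, the second asleep), parsed offline.
SAMPLE='|/dev/sda|EXAMPLE DISK A|38|C||/dev/sdb|EXAMPLE DISK B|SLP|*|'
parse_hddtemp "$SAMPLE"
```

Call audit_hddtemp on a host where the daemon is running to get the live readings and the setuid warning.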
diff -ruN xfce4-sensors-plugin-1.2.5.orig/debian/changelog xfce4-sensors-plugin-1.2.5/debian/changelog
--- xfce4-sensors-plugin-1.2.5.orig/debian/changelog 2012-05-16 00:20:17.000000000 +0300
+++ xfce4-sensors-plugin-1.2.5/debian/changelog 2012-07-04 00:29:22.000000000 +0300
@@ -1,3 +1,11 @@
+xfce4-sensors-plugin (1.2.5-1.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Build depend on netcat's different flavours to enable unpriviliged
+ hddtemp temperature reading
+
+ -- Eddy PetriÈor <eddy.petri...@gmail.com> Wed, 04 Jul 2012 00:24:21 +0300
+
xfce4-sensors-plugin (1.2.5-1) unstable; urgency=low
* New upstream release.
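
Review bot: the new changelog entry misspells "unprivileged" as "unpriviliged", and it describes only the build dependency although the same patch also adds netcat to Recommends in debian/control; both changes belong in the entry. The entry carries no Closes: reference, so the upload would not close this report automatically; add one once the bug number is known. With the report tagged security at severity important, urgency=low deserves a second look.
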
diff -ruN xfce4-sensors-plugin-1.2.5.orig/debian/control xfce4-sensors-plugin-1.2.5/debian/control
--- xfce4-sensors-plugin-1.2.5.orig/debian/control 2012-04-08 16:15:00.000000000 +0300
+++ xfce4-sensors-plugin-1.2.5/debian/control 2012-07-04 00:23:09.000000000 +0300
@@ -7,7 +7,7 @@
Build-Depends: debhelper (>= 9), libgtk2.0-dev, dpkg-dev (>= 1.16.1),
xfce4-panel-dev (>= 4.8.0), libxml2-dev, libsensors4-dev, libxml-parser-perl,
hddtemp [!kfreebsd-amd64 !kfreebsd-i386 !hurd-i386], intltool, libxfce4ui-1-dev,
- libnotify-dev
+ libnotify-dev, netcat-traditional | netcat-openbsd | netcat
Standards-Version: 3.9.3
Homepage: http://goodies.xfce.org/
Vcs-Svn: svn://svn.debian.org/pkg-xfce/goodies/trunk/xfce4-sensors-plugin/
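
Review bot: the added "netcat-traditional | netcat-openbsd | netcat" in Build-Depends is unconditional, while hddtemp on the line above is restricted with [!kfreebsd-amd64 !kfreebsd-i386 !hurd-i386]; if netcat is only needed for the hddtemp path, give it the same architecture restriction or say why it is wanted everywhere. Debian autobuilders normally resolve only the first alternative, so the build will in practice use netcat-traditional; confirm that whatever binary name or path the build detects is also provided by the other flavours a user may have installed at runtime.
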
@@ -16,7 +16,7 @@
Package: xfce4-sensors-plugin
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}
-Recommends: hddtemp, lm-sensors
+Recommends: hddtemp, lm-sensors, netcat
Suggests: xsensors
Description: hardware sensors plugin for the Xfce4 panel
The sensors plugin reads your hardware sensor values and displays
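
Review bot: Recommends gains plain "netcat", but Build-Depends in the previous hunk accepts "netcat-traditional | netcat-openbsd | netcat"; use the same alternatives here so a system with either flavour already installed satisfies the relation without pulling in another package. Because Recommends can be skipped at install time, check that the plugin degrades sensibly when netcat is absent and does not fall back to suggesting a setuid hddtemp, which is the behaviour this report sets out to remove.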