Package: gcvs
Severity: normal
Tags: security

[Using weird severity for security report because the possibly-vulnerable code isn't in a place where it's likely to be executed by accident. If we have a policy for this case that I don't know about, please enlighten me.]
Fedora Core recently put out an advisory[1] on a tempfile race in the "cvsbug" script, which ships as part of the CVS upstream release (but is not present in Debian's packaging). gcvs, however, does ship the file in its examples directory.

Since examples are things one normally expects people to follow (unless prominently marked otherwise), it's probably a bad idea to teach people bad security practices. We should likely either:

1) Patch the copy of cvsbug to fix the vulnerability; or
2) Stop shipping cvsbug altogether.

On IRC, Martin Pitt advised me that he prefers the latter, for what it's worth.

There's a patch in Red Hat's Bugzilla[2].

[1] http://lwn.net/Alerts/148865/
[2] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166366

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: powerpc (ppc)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.9-powerpc-smp
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
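For readers unfamiliar with the class of bug the advisory describes, the following is an added illustration (not code from cvsbug, gcvs, or the Red Hat patch) of the pattern a tempfile-race fix in a shell script applies: a guessable, non-atomically created temporary file beside its mktemp(1)-based replacement, plus a check of the properties the fix relies on. The function names and the /tmp/example.* paths are my own.

```shell
#!/bin/sh
# Added example, not the cvsbug script itself. Function names are hypothetical.

# Unsafe pattern: the name is predictable (PID-based) and the file is created
# by plain redirection, which follows an existing symlink at that path. A local
# attacker who plants a symlink there before the script runs gets the script's
# output written to a file of their choosing. Shown only for contrast.
unsafe_tempfile() {
    name="/tmp/example.$$"
    : > "$name"          # O_CREAT without O_EXCL
    echo "$name"
}

# Safe pattern: mktemp(1) picks an unguessable name and creates the file
# atomically with O_CREAT|O_EXCL and mode 0600, so a pre-planted file or
# symlink makes the call fail instead of being followed.
safe_tempfile() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/example.XXXXXX") || return 1
    echo "$tmp"
}

# Verify a temp file has the properties a race-free creation guarantees:
# it exists, is a regular file rather than a symlink, and is mode 0600.
check_tempfile() {
    f="$1"
    [ -e "$f" ] || return 1
    [ -L "$f" ] && return 1
    [ -f "$f" ] || return 1
    perms=$(ls -ld "$f" | cut -c1-10)   # e.g. -rw-------
    case "$perms" in
        -rw-------) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    demo_file=$(safe_tempfile) || exit 1
    # Always clean up, including on signals, so no stale file is left behind.
    trap 'rm -f "$demo_file"' EXIT HUP INT TERM
    check_tempfile "$demo_file" && echo "ok: $demo_file"
}

main
```

The unsafe function is included only so the two creation strategies can be compared side by side; a fixed script keeps just the mktemp-based one.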

