Your message dated Sun, 24 Aug 2008 22:02:03 +0000 with message-id <[EMAIL PROTECTED]> and subject line Bug#496426: fixed in rancid 2.3.2~a8-2 has caused the Debian Bug report #496426, regarding The possibility of attack with the help of symlinks in some Debian packages to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [EMAIL PROTECTED] immediately.) -- 496426: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496426 Debian Bug Tracking System Contact [EMAIL PROTECTED] with problems
--- Begin Message ---Package: rancid-util Severity: grave Hi, maintainer! This message about the error concerns a few packages at once. I've tested all the packages (for Lenny) on my Debian mirror. All scripts of packages (marked as executable) were tested. In some packages I've discovered scripts with errors which may be used by a user for damaging important system files or user's files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlink with the same name in this directory in order to destroy or rewrite some system or user file. Symlink attack may also lead not only to the data desctruction but to denial of service as well. Even if you create files or directories with help of function 'RANDOM' or pid(), then your system is not protected. Attacker can create many symlinks in order to destroy your data or create 'denial of service' for your package scripts. Even if you make rm(dir) for files/directories, then your system is not protected. Attacker can permanently create symlinks. This list is created with the help of script. This list is sorted by hand. Howewer in some cases mistake is possible. Please, Be understanding to possible mistakes. :) I set Severity into grave for this bug. The table of discovered problems is below. Discussion of this bug you can see in debian-devel@: http://lists.debian.org/debian-devel/2008/08/msg00271.html Binary-package: r-base-core-ra (1.1.1-1) file: /usr/lib/Ra/lib/R/bin/javareconf Binary-package: rccp (0.9-2) file: /usr/lib/rccp/delqueueask Binary-package: mafft (6.240-1) file: /usr/bin/mafft-homologs Binary-package: openoffice.org-common (1:2.4.1-6) file: /usr/lib/openoffice/program/senddoc Binary-package: crossfire-maps (1.11.0-1) file: /usr/share/games/crossfire/maps/Info/combine.pl Binary-package: sgml2x (1.0.0-11.1) file: /usr/bin/rlatex Binary-package: liguidsoap (0.3.6-4) file: /var/lib/liguidsoap/liguidsoap.py Binary-package: citadel-server (7.37-1) file: /usr/lib/citadel-server/migrate_aliases.sh Binary-package: ampache (3.4.1-1) file: /usr/share/ampache/www/locale/base/gather-messages.sh Binary-package: xen-utils-3.2-1 (3.2.1-2) file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug Binary-package: dtc-common (0.29.6-1) file: /usr/share/dtc/admin/accesslog.php file: /usr/share/dtc/admin/sa-wrapper Binary-package: honeyd-common (1.5c-3) file: /usr/share/honeyd/scripts/test.sh Binary-package: lustre-tests (1.6.5-1) file: /usr/lib/lustre/tests/runiozone Binary-package: linuxtrade (3.65-8+b4) file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol file: /usr/share/linuxtrade/bin/linuxtrade.wn file: /usr/share/linuxtrade/bin/moneyam.helper Binary-package: freevo (1.8.1-0) file: /usr/bin/freevo.real Binary-package: fml (4.0.3.dfsg-2) file: /usr/share/fml/libexec/mead.pl Binary-package: rkhunter (1.3.2-3) file: /usr/bin/rkhunter Binary-package: openswan (1:2.4.12+dfsg-1.1) file: /usr/lib/ipsec/livetest Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1) file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest Binary-package: aptoncd (0.1-1.1) file: /usr/share/aptoncd/xmlfile.py Binary-package: cdcontrol (1.90-1.1) file: /usr/lib/cdcontrol/writtercontrol Binary-package: newsgate (1.6-23) file: /usr/bin/mkmailpost Binary-package: gpsdrive-scripts (2.10~pre4-3) file: /usr/bin/geo-code Binary-package: impose+ (0.2-11) file: /usr/bin/impose Binary-package: mgt (2.31-5) file: /usr/games/mailgo Binary-package: audiolink (0.05-1) file: /usr/bin/audiolink Binary-package: ibackup (2.27-4.1) file: /usr/bin/ibackup Binary-package: emacspeak (26.0-3) file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl Binary-package: bk2site (1:1.1.9-3.1) file: /usr/lib/cgi-bin/bk2site/redirect.pl Binary-package: datafreedom-perl (0.1.7-1) file: /usr/bin/dfxml-invoice Binary-package: emacs-jabber (0.7.91-1) file: /usr/lib/emacsen-common/packages/install/emacs-jabber Binary-package: lmbench (3.0-a7-1) file: /usr/lib/lmbench/scripts/rccs file: /usr/lib/lmbench/scripts/STUFF Binary-package: rancid-util (2.3.2~a8-1) file: /var/lib/rancid/getipacctg Binary-package: ogle (0.9.2-5.2) file: /usr/lib/ogle/ogle_audio_debug file: /usr/lib/ogle/ogle_cli_debug file: /usr/lib/ogle/ogle_ctrl_debug file: /usr/lib/ogle/ogle_gui_debug file: /usr/lib/ogle/ogle_mpeg_ps_debug file: /usr/lib/ogle/ogle_mpeg_vs_debug file: /usr/lib/ogle/ogle_nav_debug file: /usr/lib/ogle/ogle_vout_debug Binary-package: firehol (1.256-4) file: /sbin/firehol Binary-package: aview (1.3.0rc1-8) file: /usr/bin/asciiview Binary-package: radiance (3R9+20080530-3) file: /usr/bin/optics2rad file: /usr/bin/pdelta file: /usr/bin/dayfact file: /usr/bin/raddepend Binary-package: vdr-dbg (1.6.0-5) file: /usr/bin/vdrleaktest Binary-package: ogle-mmx (0.9.2-5.2) file: /usr/lib/ogle/ogle_audio_debug file: /usr/lib/ogle/ogle_cli_debug file: /usr/lib/ogle/ogle_ctrl_debug file: /usr/lib/ogle/ogle_gui_debug file: /usr/lib/ogle/ogle_mpeg_ps_debug file: /usr/lib/ogle/ogle_mpeg_vs_debug file: /usr/lib/ogle/ogle_nav_debug file: /usr/lib/ogle/ogle_vout_debug Binary-package: convirt (0.8.2-3) file: /usr/share/convirt/image_store/_template_/provision.sh file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh file: /usr/share/convirt/image_store/common/provision.sh file: /usr/share/convirt/image_store/example/provision.sh file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh Binary-package: printfilters-ppd (2.13-9) file: /usr/lib/printfilters/master-filter Binary-package: r-base-core (2.7.1-1) file: /usr/lib/R/bin/javareconf file: /usr/lib/R/bin/javareconf.orig Binary-package: xmcd (2.6-19.3) file: /usr/share/xmcd/scripts/ncsarmt file: /usr/share/xmcd/scripts/ncsawrap Binary-package: tiger (1:3.2.2-3.1) file: /usr/lib/tiger/util/genmsgidx Binary-package: scilab-bin (4.1.2-5) file: /usr/lib/scilab-4.1.2/bin/scilink file: /usr/lib/scilab-4.1.2/util/scidoc file: /usr/lib/scilab-4.1.2/util/scidem Binary-package: dpkg-cross (2.3.0) file: /usr/share/dpkg-cross/bin/gccross Binary-package: ltp-network-test (20060918-2.1) file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh Binary-package: cman (2.20080629-1) file: /usr/sbin/fence_egenera Binary-package: scratchbox2 (1.99.0.24-1) file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings Binary-package: sendmail-base (8.14.3-5) file: /usr/sbin/checksendmail file: /usr/bin/expn Binary-package: fwbuilder (2.1.19-3) file: /usr/bin/fwb_install Binary-package: sng (1.0.2-5) file: /usr/bin/sng_regress Binary-package: dist (1:3.5-17-1) file: /usr/bin/patcil file: /usr/bin/patdiff Binary-package: sympa (5.3.4-5) file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi file: /usr/lib/sympa/bin/sympa.pl Binary-package: postfix (2.5.2-2) file: /usr/lib/postfix_groups.pl Binary-package: caudium (3:1.4.12-11) file: /usr/share/caudium/configvar Binary-package: mgetty-fax (1.1.36-1.2) file: /usr/bin/faxspool Binary-package: aegis (4.24-3) file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh Binary-package: aegis-web (4.24-3) file: /usr/lib/cgi-bin/aegis.cgi Binary-package: digitaldj (0.7.5-6+b1) file: /usr/share/digitaldj/fest.pl Binary-package: mon (0.99.2-12) file: /usr/lib/mon/alert.d/test.alert Binary-package: feta (1.4.16) file: /usr/share/feta/plugins/to-upgrade Binary-package: arb-common (0.0.20071207.1-4) file: /usr/lib/arb/SH/arb_fastdnaml file: /usr/lib/arb/SH/dszmconnect.pl Binary-package: qemu (0.9.1-5) file: /usr/sbin/qemu-make-debian-root Binary-package: apertium (3.0.7+1-1+b1) file: /usr/bin/apertium-gen-deformat file: /usr/bin/apertium-gen-reformat file: /usr/bin/apertium Binary-package: xcal (4.1-18.3) file: /usr/bin/pscal Binary-package: myspell-tools (1:3.1-20) file: /usr/bin/i2myspell Binary-package: gccxml (0.9.0+cvs20080525-1) file: /usr/share/gccxml-0.9/MIPSpro/find_flags Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4) file: /usr/share/freeradius-dialupadmin/bin/backup_radacct file: /usr/share/freeradius-dialupadmin/bin/clean_radacct file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats file: /usr/share/freeradius-dialupadmin/bin/tot_stats file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct Binary-package: dhis-server (5.3-1) file: /usr/lib/dhis-server/dhis-dummy-log-engine Binary-package: wims (3.62-13) file: /var/lib/wims/public_html/bin/coqweb file: /var/lib/wims/bin/account.sh Binary-package: initramfs-tools (0.92f) file: /usr/share/initramfs-tools/init Binary-package: realtimebattle-common (1.0.8-7) file: /usr/lib/realtimebattle/Robots/perl.robot Binary-package: netmrg (0.20-1) file: /usr/bin/rrdedit Binary-package: bulmages-servers (0.11.1-2) file: /usr/share/bulmages/examples/scripts/actualizabulmacont file: /usr/share/bulmages/examples/scripts/installbulmages-db file: /usr/share/bulmages/examples/scripts/creabulmafact file: /usr/share/bulmages/examples/scripts/creabulmacont file: /usr/share/bulmages/examples/scripts/actualizabulmafact Binary-package: xastir (1.9.2-1) file: /usr/lib/xastir/get-maptools.sh file: /usr/lib/xastir/get_shapelib.sh Binary-package: plait (1.5.2-1) file: /usr/bin/plaiter file: /usr/bin/plait Binary-package: cdrw-taper (0.4-2) file: /usr/sbin/amlabel-cdrw Binary-package: konwert-filters (1.8-11.1) file: /usr/share/konwert/filters/any-UTF8 Binary-package: gdrae (0.1-1) file: /usr/bin/gdrae Binary-package: lazarus-src (0.9.24-0-9) file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh
--- End Message ---
--- Begin Message ---Source: rancid Source-Version: 2.3.2~a8-2 We believe that the bug you reported is fixed in the latest version of rancid, which is due to be installed in the Debian FTP archive: rancid-cgi_2.3.2~a8-2_all.deb to pool/main/r/rancid/rancid-cgi_2.3.2~a8-2_all.deb rancid-core_2.3.2~a8-2_amd64.deb to pool/main/r/rancid/rancid-core_2.3.2~a8-2_amd64.deb rancid-util_2.3.2~a8-2_all.deb to pool/main/r/rancid/rancid-util_2.3.2~a8-2_all.deb rancid_2.3.2~a8-2.diff.gz to pool/main/r/rancid/rancid_2.3.2~a8-2.diff.gz rancid_2.3.2~a8-2.dsc to pool/main/r/rancid/rancid_2.3.2~a8-2.dsc A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Roland Rosenfeld <[EMAIL PROTECTED]> (supplier of updated rancid package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.8 Date: Sun, 24 Aug 2008 23:29:23 +0200 Source: rancid Binary: rancid-core rancid-util rancid-cgi Architecture: source all amd64 Version: 2.3.2~a8-2 Distribution: unstable Urgency: high Maintainer: Roland Rosenfeld <[EMAIL PROTECTED]> Changed-By: Roland Rosenfeld <[EMAIL PROTECTED]> Description: rancid-cgi - CGI for rancid rancid-core - rancid -- Really Awesome New Cisco confIg Differ rancid-util - Utilities for rancid Closes: 496426 Changes: rancid (2.3.2~a8-2) unstable; urgency=high . * 06_tmp_security.dpatch: Fix some temp file security vulnerabilities by using mktemp(1) or moving the lockfiles or tempfiles to /var/lib/rancid, where they should be safe (Closes: #496426). * Remove "XS-Autobuild: yes" from debian/control, since we are in main now. Checksums-Sha1: 1824a1412e88c27826ecd38e332de4e9a83dada1 1151 rancid_2.3.2~a8-2.dsc 8267c31e42fcad7c4a02e010ba592446d223e4ef 22981 rancid_2.3.2~a8-2.diff.gz d66b2d281a03d1d75d7fa58fd7e2ba8d95a4a5c5 45958 rancid-util_2.3.2~a8-2_all.deb aa6f8f7edcd4f39cb44d2b4378fdbebd1130845a 46762 rancid-cgi_2.3.2~a8-2_all.deb 5a287a6c71851ae426ead59ba18c57dfa05a8494 204854 rancid-core_2.3.2~a8-2_amd64.deb Checksums-Sha256: d9e3fd1a6ff4eacc9fc3fc2cd56f34cd3245b670a47dbf025f51cce6aada2374 1151 rancid_2.3.2~a8-2.dsc f1af86beac9be626e287fa1e0ea94e108fee97892c5ba2819cb0263241d4ac55 22981 rancid_2.3.2~a8-2.diff.gz 07ca5abcb006c4878bb906c049caff74056d4ee2466c938c8b42f81733f46d33 45958 rancid-util_2.3.2~a8-2_all.deb 23375b118041eb60d3985d956a260520d008badbffbc61589f3d0ba3e0754f98 46762 rancid-cgi_2.3.2~a8-2_all.deb 61f5a6ce501a09fe85600748db43a9fac0830fa0955d768c714103f6e3a1596d 204854 rancid-core_2.3.2~a8-2_amd64.deb Files: 415e9def0bef470feefd97a9665c3e4a 1151 net optional rancid_2.3.2~a8-2.dsc ae805434d1bf06304a7bc1b5ada156e5 22981 net optional rancid_2.3.2~a8-2.diff.gz c678d13f894b529e6403ace3f76612fc 45958 net optional rancid-util_2.3.2~a8-2_all.deb 72f29aa26c0121fef48c2e14bec20b3f 46762 net optional rancid-cgi_2.3.2~a8-2_all.deb 41a4de6af8efdad587b58386fd38462f 204854 net optional rancid-core_2.3.2~a8-2_amd64.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkix15UACgkQO7/Pd72LBQ3vuQCgumADqaXx6K4DVctri8Nml8CJ IsAAn0Uw/N48OjiHWxrot3kp33GtdEDJ =lDw6 -----END PGP SIGNATURE-----
--- End Message ---
