Your message dated Mon, 13 Apr 2009 21:14:13 +0100
with message-id <200904132014.n3dkedoj011...@kmos.homeip.net>
and subject line xfmail has been removed from Debian, closing #495773
has caused the Debian Bug report #495773,
regarding xfmail has rpath to insecure location
(/tmp/buildd/xfmail-1.5.5.dfsg.1/debian/xfmail/usr/lib/xfmail:/usr/lib/xfmail)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
495773: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495773
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: xfmail
Version: 1.5.5.dfsg.1-0.1
Severity: serious
Tags: security
Hello Florian,
xfmail includes a binary /usr/bin/xfmail with a rpath pointing to
/tmp/buildd/xfmail-1.5.5.dfsg.1/debian/xfmail/usr/lib/xfmail.
chrpath /usr/bin/xfmail
/usr/bin/xfmail:
RPATH=/tmp/buildd/xfmail-1.5.5.dfsg.1/debian/xfmail/usr/lib/xfmail:/usr/lib/xfmail
This allows an attacker with write access to that directory to add
modified libraries which will be loaded when someone else run xfmail.
Cheers,
--
Bill. <ballo...@debian.org>
Imagine a large red swirl here.
--- End Message ---
--- Begin Message ---
Version: 1.5.5.dfsg.1-0.1+rm
The xfmail package has been removed from Debian so we are closing
the bugs that were still opened against it.
For more information about this package's removal, read
http://bugs.debian.org/523914 . That bug might give the reasons why
this package was removed, and suggestions of possible replacements.
Don't hesitate to reply to this mail if you have any question.
Thank you for your contribution to Debian.
Kind regards,
--
Marco Rodrigues
--- End Message ---
