Your message dated Sun, 28 Apr 2013 18:47:31 +0000 with message-id <[email protected]> and subject line Bug#706252: fixed in autojump 21.5.1-2 has caused the Debian Bug report #706252, regarding autojump: CVE-2013-2012: autojump profile will load random stuff from a directory called custom_install to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
706252: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706252
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: autojump
Version: 21.5.1-1
Severity: grave
Tags: security
Justification: user security hole

Hi Tanguy

autojump in example has /usr/share/autojump/autojump.sh allowing loading random stuff from a directory called custom_install in the current working directory:

,---- [ /usr/share/autojump/autojump.sh ]
| # source autojump on BASH or ZSH depending on the shell
|
| shell=`echo ${SHELL} | awk -F/ '{ print $NF }'`
|
| # check local install
| if [ -s ~/.autojump/etc/profile.d/autojump.${shell} ]; then
|     source ~/.autojump/etc/profile.d/autojump.${shell}
|
| # check global install
| elif [ -s /etc/profile.d/autojump.${shell} ]; then
|     source /etc/profile.d/autojump.${shell}
|
| # check custom install locations (modified by Homebrew or using --destdir option)
| elif [ -s custom_install/autojump.${shell} ]; then
|     source custom_install/autojump.${shell}
|
| # check Debian install
| elif [ -s /usr/share/autojump/autojump.${shell} ]; then
|     source /usr/share/autojump/autojump.${shell}
| fi
`----

The version in wheezy/unstable does not seem vulnerable to these issues, as autojump.sh is patched as:

,---- [ /usr/share/autojump/autojump.sh ]
| [...]
| if [ "$BASH_VERSION" ] && [ -n "$PS1" ] && echo $SHELLOPTS | grep -v posix >>/dev/null; then
|     . /usr/share/autojump/autojump.bash
| elif [ "$ZSH_VERSION" ] && [ -n "$PS1" ]; then
|     . /usr/share/autojump/autojump.zsh
| fi
`----

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2012
    http://security-tracker.debian.org/tracker/CVE-2013-2012
[1] http://marc.info/?s=CVE-2013-2012&l=oss-security

Regards,
Salvatore
--- End Message ---
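As an added example (not code from the report or from autojump), a small check for the pattern Salvatore describes: it lists `source` / `.` commands in a shell init file whose target is a relative path, which the shell resolves against whatever directory the user happens to be in, and counts them so the check can gate a package build. The two input files are constructed copies of the vulnerable and patched snippets quoted above.

```shell
#!/bin/sh
# Constructed inputs: the vulnerable sourcing chain from the report and the
# patched Debian version, written to temp files so the check runs offline.
VULN=$(mktemp); FIXED=$(mktemp)
trap 'rm -f "$VULN" "$FIXED"' EXIT
cat >"$VULN" <<'EOF'
# source autojump on BASH or ZSH depending on the shell
shell=`echo ${SHELL} | awk -F/ '{ print $NF }'`
if [ -s ~/.autojump/etc/profile.d/autojump.${shell} ]; then
    source ~/.autojump/etc/profile.d/autojump.${shell}
elif [ -s /etc/profile.d/autojump.${shell} ]; then
    source /etc/profile.d/autojump.${shell}
elif [ -s custom_install/autojump.${shell} ]; then
    source custom_install/autojump.${shell}   # resolved against $PWD
fi
EOF
cat >"$FIXED" <<'EOF'
if [ "$BASH_VERSION" ] && [ -n "$PS1" ]; then
    . /usr/share/autojump/autojump.bash
elif [ "$ZSH_VERSION" ] && [ -n "$PS1" ]; then
    . /usr/share/autojump/autojump.zsh
fi
EOF

# relative_sources FILE: print "LINE: text" for every `source` / `.` command
# whose target is neither absolute (/...), home-anchored (~...) nor rooted in
# a variable ($VAR/...). Any other target is looked up relative to the current
# working directory, so whoever controls that directory controls the shell.
relative_sources() {
    sed -e 's/#.*//' "$1" | awk '
        $1 == "source" || $1 == "." {
            t = $2
            sub(/^["'\'']/, "", t)           # drop a leading quote
            if (t !~ /^(\/|~|\$)/) print NR ": " $0
        }'
}

# count_relative_sources FILE: number of findings, usable as a build gate
count_relative_sources() {
    relative_sources "$1" | awk 'END { print NR }'
}

echo "vulnerable snippet:"; relative_sources "$VULN"
echo "patched snippet:";    relative_sources "$FIXED"
```

Only the `custom_install/autojump.${shell}` line is reported for the first file; the patched file, which sources absolute paths only, produces no findings.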
--- Begin Message ---
Source: autojump
Source-Version: 21.5.1-2

We believe that the bug you reported is fixed in the latest version of autojump, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tanguy Ortolo <[email protected]> (supplier of updated autojump package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Sun, 28 Apr 2013 20:21:34 +0200
Source: autojump
Binary: autojump
Architecture: source all
Version: 21.5.1-2
Distribution: experimental
Urgency: low
Maintainer: Tanguy Ortolo <[email protected]>
Changed-By: Tanguy Ortolo <[email protected]>
Description:
 autojump   - shell extension to jump to frequently used directories
Closes: 705516 706252
Changes:
 autojump (21.5.1-2) experimental; urgency=low
 .
   * debian/patches: new patches
     + fix-arbitrary-code-flaw.patch: pick a fix for an arbitrary code
       execution flaw. (Closes: #706252) (CVE-2013-2012)
     + fix-dict-bug.patch: fix a bug that rendered the --purge option
       unusable. (Closes: #705516)
--- End Message ---

