Your message dated Fri, 27 Sep 2013 21:20:50 +0000
with message-id <e1vpft0-0003ww...@franck.debian.org>
and subject line Bug#724614: fixed in txt2man 1.5.5-4.1
has caused the Debian Bug report #724614,
regarding txt2man: CVE-2013-1444: unsafe use of temporary files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
724614: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=724614
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: txt2man
Version: 1.5.5-4
Severity: normal
Tags: patch pending security

Dear maintainer,

txt2man in all suites allows overwriting of arbitrary files by an unsafe
use of the file /tmp/2222. This was introduced by a Debian patch.

The fix for this is to remove the line:
  echo $post > /tmp/2222
which appears to be leftover debugging.

It is my intention to perform an NMU in two days if the bug remains
unfixed, and to then upload fixes for stable and oldstable. If you object,
please tell me as soon as possible.

If you fix the bug yourself, please include a reference to the assigned CVE
number, CVE-2013-1444.

Regards.

-- 
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

diff -Nru txt2man-1.5.5/debian/changelog txt2man-1.5.5/debian/changelog
--- txt2man-1.5.5/debian/changelog	2011-04-11 10:37:22.000000000 +0100
+++ txt2man-1.5.5/debian/changelog	2013-09-25 19:08:15.000000000 +0100
@@ -1,3 +1,12 @@
+txt2man (1.5.5-4.1) UNRELEASED; urgency=low
+
+  * Non-maintainer upload.
+  * Fix CVE-2013-1444: insecure use of temporary files
+    by removing apparant debug output from
+    patches/debian-changes-1.5.5-2.1 (Closes: #nnnnnn)
+
+ -- Jonathan Wiltshire <j...@debian.org>  Wed, 25 Sep 2013 19:07:07 +0100
+
 txt2man (1.5.5-4) unstable; urgency=low
  
   * Updated Standards version
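
Review bot: the new changelog entry still has the placeholder `(Closes: #nnnnnn)` and the distribution `UNRELEASED`. Both need to be filled in before upload (the number assigned to this report, and the target suite), since a placeholder will not close the bug. "apparant" in the second bullet should read "apparent".
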
diff -Nru txt2man-1.5.5/debian/patches/debian-changes-1.5.5-2.1 txt2man-1.5.5/debian/patches/debian-changes-1.5.5-2.1
--- txt2man-1.5.5/debian/patches/debian-changes-1.5.5-2.1	2011-04-11 10:37:22.000000000 +0100
+++ txt2man-1.5.5/debian/patches/debian-changes-1.5.5-2.1	2013-09-25 19:07:02.000000000 +0100
@@ -47,7 +47,7 @@
  			printf ".EH ||%s||\n" "$volume"
 --- txt2man-1.5.5.orig/txt2man
 +++ txt2man-1.5.5/txt2man
-@@ -139,11 +139,12 @@ do
+@@ -139,11 +139,11 @@ do
  	p) doprobe=1;;
  	I) itxt="$OPTARG§$itxt";;
  	B) btxt=$OPTARG;;
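
Review bot: the inner hunk header is hand-edited here from `+139,12` to `+139,11`, and that count has to match the single `+` line dropped from the nested patch in the following hunk. Please confirm that debian-changes-1.5.5-2.1 still applies cleanly to txt2man after this edit, for example by building the source package.
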
@@ -57,7 +57,6 @@
  	*) usage; exit;;
  	esac
  done
-+echo $post > /tmp/2222
  shift $(($OPTIND - 1))
  date=${date:-$(date +'%d %B %Y')}
  
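
Review bot: please confirm that nothing else in debian-changes-1.5.5-2.1 reads or writes /tmp/2222 once the `+echo $post > /tmp/2222` line after `done` is gone; only seven lines of context are visible in this hunk. If debug output is wanted again later, it should go to a file created with mktemp rather than to a fixed name in /tmp.
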



--- End Message ---
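
The pattern described in the report above, as an added example that is not part of the original messages, of txt2man, or of the Debian patch: a small checker that flags shell redirections to hard-coded paths under /tmp, run on two constructed scripts, one containing the reported line and one writing through mktemp instead. The function name `find_fixed_tmp_writes` and the sample file names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: flag redirections to fixed paths under /tmp in shell scripts.

# find_fixed_tmp_writes FILE...
# Prints "file:line:text" for every redirection to a literal /tmp/<name> path.
# Returns 0 if at least one was found, 1 otherwise.
find_fixed_tmp_writes() {
    # '>' or '>>', optional spaces, optional quote, then a literal /tmp/ name.
    # Targets held in variables (e.g. a mktemp result) do not match.
    grep -nHE '>>?[[:space:]]*["'\'']?/tmp/[A-Za-z0-9._-]+' "$@" |
        grep -vE '^[^:]*:[0-9]+:[[:space:]]*#'   # ignore comment-only lines
}

# Constructed sample input, written to a private scratch directory.
demo_dir=$(mktemp -d) || exit 1
trap 'rm -rf "$demo_dir"' EXIT

# The reported pattern: a predictable name in a world-writable directory,
# opened with a plain '>' that follows whatever already exists at that path.
cat > "$demo_dir/unsafe.sh" <<'EOF'
#!/bin/sh
post=$1
echo $post > /tmp/2222
EOF

# Hardened form: mktemp creates the file exclusively under an unpredictable
# name, and the script only ever writes through the returned path.
cat > "$demo_dir/safe.sh" <<'EOF'
#!/bin/sh
post=$1
dbg=$(mktemp "${TMPDIR:-/tmp}/txt2man-debug.XXXXXX") || exit 1
trap 'rm -f "$dbg"' EXIT
printf '%s\n' "$post" > "$dbg"
EOF

for f in "$demo_dir/unsafe.sh" "$demo_dir/safe.sh"; do
    echo "== ${f##*/}"
    find_fixed_tmp_writes "$f" || echo "no fixed /tmp writes"
done
```
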
--- Begin Message ---
Source: txt2man
Source-Version: 1.5.5-4.1

We believe that the bug you reported is fixed in the latest version of
txt2man, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 724...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <j...@debian.org> (supplier of updated txt2man package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 25 Sep 2013 21:29:29 +0100
Source: txt2man
Binary: txt2man
Architecture: source all
Version: 1.5.5-4.1
Distribution: unstable
Urgency: low
Maintainer: Fredrik Steen <st...@debian.org>
Changed-By: Jonathan Wiltshire <j...@debian.org>
Description: 
 txt2man    - Converts flat ASCII text to man page format
Closes: 724614
Changes: 
 txt2man (1.5.5-4.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Fix CVE-2013-1444: insecure use of temporary files
     by removing apparant debug output from
     patches/debian-changes-1.5.5-2.1 (Closes: #724614)
     Thanks: Patrick Cherry of Bytemark Hosting

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.21 (GNU/Linux)
-----END PGP SIGNATURE-----

--- End Message ---
