Your message dated Sun, 24 Aug 2014 21:19:25 +0000
with message-id <[email protected]>
and subject line Bug#724837: fixed in apt-xapian-index 0.47
has caused the Debian Bug report #724837,
regarding apt-xapian-index: unsafe polkit usage
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
724837: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=724837
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: apt-xapian-index
Severity: grave
Tags: security patch

Hi,
the following vulnerability was published for apt-xapian-index.

CVE-2013-1064[0]: (from Ubuntu USN)
| It was discovered that apt-xapian-index was using polkit in an unsafe
| manner. A local attacker could possibly use this issue to bypass intended
| polkit authorizations.

The patch from Ubuntu is attached.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1064
    http://security-tracker.debian.org/tracker/CVE-2013-1064

Please adjust the affected versions in the BTS as needed.


-- 
Nico Golde - XMPP: [email protected] - GPG: 0xA0A0AAAA
Description: fix possible privilege escalation via policykit UID lookup race.
Author: Marc Deslauriers <[email protected]>

Index: apt-xapian-index-0.45ubuntu2/update-apt-xapian-index-dbus
===================================================================
--- apt-xapian-index-0.45ubuntu2.orig/update-apt-xapian-index-dbus	2012-10-31 09:07:53.000000000 -0400
+++ apt-xapian-index-0.45ubuntu2/update-apt-xapian-index-dbus	2013-09-13 14:41:36.564345788 -0400
@@ -34,15 +34,8 @@
                                     "/org/freedesktop/PolicyKit1/Authority", 
                                     "org.freedesktop.PolicyKit1.Authority")
         policykit = dbus.Interface(obj, "org.freedesktop.PolicyKit1.Authority")
-        info = dbus.Interface(connection.get_object('org.freedesktop.DBus',
-                                              '/org/freedesktop/DBus/Bus', 
-                                              False), 
-                              'org.freedesktop.DBus')
-        pid = info.GetConnectionUnixProcessID(sender) 
-        subject = ('unix-process', 
-                   { 'pid' : dbus.UInt32(pid, variant_level=1),
-                     'start-time' : dbus.UInt64(0, variant_level=1),
-                   }
+        subject = ('system-bus-name', 
+                   { 'name': dbus.String(sender, variant_level = 1) }
                   )
         details = { '' : '' }
         flags = dbus.UInt32(1) #   AllowUserInteraction = 0x00000001
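Review bot: the new `subject` tuple on the two `+` lines carries no comment explaining why `system-bus-name` is used instead of `unix-process`. The patch description calls this a UID lookup race fix, so a one-line comment at that spot would help keep a later change from reintroducing the `GetConnectionUnixProcessID` lookup with `'start-time'` set to 0. The authorization check now rests entirely on `sender`, and the visible lines do not show where it comes from. Please confirm it is the bus name the D-Bus daemon supplies for this call and not a value the caller passes as an argument. Minor style point: `variant_level = 1` has spaces around `=`, while the removed lines wrote `variant_level=1`.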



--- End Message ---
--- Begin Message ---
Source: apt-xapian-index
Source-Version: 0.47

We believe that the bug you reported is fixed in the latest version of
apt-xapian-index, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Enrico Zini <[email protected]> (supplier of updated apt-xapian-index package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 24 Aug 2014 10:44:58 -0700
Source: apt-xapian-index
Binary: apt-xapian-index
Architecture: source all
Version: 0.47
Distribution: unstable
Urgency: low
Maintainer: Enrico Zini <[email protected]>
Changed-By: Enrico Zini <[email protected]>
Description:
 apt-xapian-index - maintenance and search tools for a Xapian index of Debian package
Closes: 719940 724837 736500
Changes:
 apt-xapian-index (0.47) unstable; urgency=low
 .
   [ Enrico Zini ]
   * s/UNRELEASED/unstable/ in 0.46 changelog. Closes: #719940
   * Removed dbus support files, not needed anymore since software-center has
     been removed from sid and testing. Closes: #724837
   * Ported to dh-python2
   * Updated Standards-Version, no changes required.
 .
   [ Elena Grandi ]
   * Use defaults when values file is broken. Closes: #736500

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
