Your message dated Tue, 09 Dec 2014 23:35:32 +0000
with message-id <[email protected]>
and subject line Bug#506348: fixed in tau 2.17.3.1.dfsg-4
has caused the Debian Bug report #506348,
regarding CVE-2008-5157: allows local users to overwrite arbitrary files via a 
symlink attack
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
506348: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506348
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: tau
Version: 2.16.4-1.1
Severity: important
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was published for 
tau.

CVE-2008-5157[1]:
> tau 2.16.4 allows local users to overwrite arbitrary files via a symlink
> attack on a (1) /tmp/makefile.tau.*.##### or (2) /tmp/makefile.tau*.#####
> temporary file, related to the (a) tau_cxx, (b) tau_f90, and (c) tau_cc
> scripts.

If you fix the vulnerability please also make sure to include the CVE id in 
the changelog entry.

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5157
     http://security-tracker.debian.net/tracker/CVE-2008-5157

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net



--- End Message ---
--- Begin Message ---
Source: tau
Source-Version: 2.17.3.1.dfsg-4

We believe that the bug you reported is fixed in the latest version of
tau, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yann Dirson <[email protected]> (supplier of updated tau package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 09 Dec 2014 23:46:49 +0100
Source: tau
Binary: tau tau-racy python-tau tau-examples
Architecture: source all amd64
Version: 2.17.3.1.dfsg-4
Distribution: unstable
Urgency: medium
Maintainer: Yann Dirson <[email protected]>
Changed-By: Yann Dirson <[email protected]>
Description:
 python-tau - Tuning and Analysis Utilities - support for python profiling/trac
 tau        - Tuning and Analysis Utilities - base profiling/tracing toolkit
 tau-examples - Tuning and Analysis Utilities - examples
 tau-racy   - Tuning and Analysis Utilities - Tcl/tk profiler GUI
Closes: 506348 772374 772375 772376
Changes:
 tau (2.17.3.1.dfsg-4) unstable; urgency=medium
 .
   * Fix "echo -e" bashisms (Closes: #772376).
   * Use bash for scripts needing pushd/popd (Closes: #772374).
   * Avoid "&>" bashism (Closes: #772375).
   * Fix the CVE-2008-5157 fix: the adjustment in 2.17.3.1.dfsg-1 resulted
     in non-working scripts, where the 2.16.4-1.3 had been incomplete.
     OTOH those scripts are not useful today since the package is not built
     against PDT, so do not ship them at all.
   * Fix similar tmpfile symlink attack in taucc, taucxx, tauf90 (Really
     closes: #506348)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFUh4MIV1uVslwzwbgRAkOmAKCH6qg8lCmyqaOSwJ7DtD7i2ODJngCfZ8Lw
wLEAr99kJ3V56i/hdxy/ElM=
=TY01
-----END PGP SIGNATURE-----

--- End Message ---
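
The temp-file pattern named in CVE-2008-5157, set beside a mktemp-based replacement, as an added example that is not code from the tau package or its Debian patches. The name layout makefile.tau.<user>.<pid>, the function names and the sandbox fixture are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not code from the tau package. The name layout
# makefile.tau.<user>.<pid> is an assumed reading of the CVE's "*.#####".

# Predictable name: any local user can compute it in advance, and ">" follows
# whatever already sits at that path, including a symlink.
predictable_name() {
    printf '%s/makefile.tau.%s.%s\n' "$1" "${LOGNAME:-user}" "$$"
}

write_predictable() {   # $1 = temp dir, $2 = content; prints the path used
    f=$(predictable_name "$1")
    printf '%s\n' "$2" > "$f"
    printf '%s\n' "$f"
}

# Hardened: mktemp chooses a random suffix and creates the file exclusively
# (mode 0600), so a pre-existing link at the chosen name makes it pick another.
write_safe() {          # $1 = temp dir, $2 = content; prints the path used
    f=$(mktemp "$1/makefile.tau.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$f"
    printf '%s\n' "$f"
}

# Run one writer inside a private sandbox where a symlink (constructed test
# fixture) already occupies the predictable name; print the protected file's
# content afterwards.
run_case() {            # $1 = write_predictable | write_safe
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/tmp"
    printf 'original\n' > "$sandbox/protected.txt"
    ln -s "$sandbox/protected.txt" "$(predictable_name "$sandbox/tmp")"
    "$1" "$sandbox/tmp" 'all: ; @echo build' > /dev/null
    cat "$sandbox/protected.txt"
    rm -rf "$sandbox"
}

if [ "${1:-}" = demo ]; then
    echo "predictable: $(run_case write_predictable)"
    echo "mktemp:      $(run_case write_safe)"
fi
```

On Linux, the fs.protected_symlinks sysctl additionally refuses to follow a symlink in a sticky world-writable directory such as /tmp when the follower's uid differs from the link owner's; the sandbox here is a private directory, so the redirect is followed and the difference between the two writers is visible.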
