Your message dated Sat, 21 Oct 2006 22:12:51 +0100 with message-id <[EMAIL PROTECTED]> and subject line Fixing version-tracking for already fixed-in-NMU bug has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: fuzz
Version: 0.6-6
Severity: important
Tags: security

There are a couple of problems with how fuzz uses /tmp

1. It does so insecurely.

   open("/tmp/grep.10000", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6

   This is trivially exploitable with a symlink attack. I have not checked to see if fuzz drops root permissions on the parent process after being run as root with --chroot and --user. Anyway this at least allows overwriting of any files owned by the user running fuzz. Sample exploit:

   [EMAIL PROTECTED]:/tmp>ln -s grep.9988 ~joey/myfile
   [EMAIL PROTECTED]:/tmp>cat ~/myfile
   hi
   [EMAIL PROTECTED]:/tmp>fuzz grep foo
   Run: 9997
   [ctrl-c]
   -rw-rw-r-- 1 joey joey 100000 Mar 1 15:05 /home/joey/myfile

2. It ignores TMPDIR, TMP, etc. I have all of these set to ~/tmp and fuzz is still using /tmp. Perhaps this can be closed at the same time as the above security hole by using a safe temp file creation function (be careful!) which happens to honour these variables.

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux dragon 2.4.20 #1 Thu Feb 20 11:25:25 EST 2003 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages fuzz depends on:
ii libc6 2.3.1-13 GNU C Library: Shared libraries an
ii libreadline4 4.3-4 GNU readline and history libraries

-- no debconf information

--
see shy jo
--- End Message ---
--- Begin Message ---
Version: 0.6-7.1

This bug was fixed in an NMU, but never closed. I'm closing it with the correct version so that its status can be properly version-tracked.

For reference:

fuzz (0.6-7.1) unstable; urgency=high
.
* Non-maintainer upload
* Security patch ported from stable
  - Matt Zimmerman <[EMAIL PROTECTED]> Sun, 4 May 2003 20:32:10 -0400
  - Non-maintainer upload by the Security Team
  - Create temporary file securely using mkstemp (Closes: #183047

Regards,
Adam
--- End Message ---
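
The open() call from the report next to a mkstemp-based replacement of the kind the NMU changelog names, as an added example that is neither fuzz's code nor the actual Debian patch. The function names, the scratch directory and the TMPDIR lookup are assumptions of this example, and the symlink scenario is constructed inside a private directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The call pattern from the report: predictable name, no O_EXCL, follows symlinks. */
int unsafe_open(const char *dir, const char *prog, int run) {
    char path[4096];
    snprintf(path, sizeof path, "%s/%s.%d", dir, prog, run);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* mkstemp-based replacement: random suffix, O_CREAT|O_EXCL, mode 0600.
 * Honouring TMPDIR is this example's choice; mkstemp itself does not read it. */
int safe_open(const char *prog, char *path, size_t len) {
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0') dir = "/tmp";
    int n = snprintf(path, len, "%s/%s.XXXXXX", dir, prog);
    if (n < 0 || (size_t)n >= len) return -1;   /* template truncated */
    return mkstemp(path);
}

/* Constructed scenario: a symlink is planted at the predictable name inside a
 * private scratch directory. Returns the victim file's size after 8 bytes are
 * written through the chosen opener, or -1 on setup failure. */
long victim_size_after(int use_safe) {
    char dir[] = "/tmp/fuzzdemo.XXXXXX", victim[128], lnk[128], tmp[128];
    struct stat st;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/myfile", dir);
    snprintf(lnk, sizeof lnk, "%s/grep.10000", dir);
    FILE *f = fopen(victim, "w");
    if (f == NULL) return -1;
    fputs("hi\n", f);
    fclose(f);
    if (symlink(victim, lnk) != 0 || setenv("TMPDIR", dir, 1) != 0) return -1;
    int fd = use_safe ? safe_open("grep", tmp, sizeof tmp)
                      : unsafe_open(dir, "grep", 10000);
    if (fd < 0 || write(fd, "AAAAAAAA", 8) != 8) return -1;
    close(fd);
    return stat(victim, &st) == 0 ? (long)st.st_size : -1;
}

int main(void) {
    printf("victim size via unsafe open: %ld\n", victim_size_after(0));
    printf("victim size via mkstemp:     %ld\n", victim_size_after(1));
}
```

Each call leaves its scratch directory under /tmp so the resulting files can be inspected.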

