Your message dated Sat, 07 Oct 2023 21:34:31 +0000 with message-id <e1qpewr-00dm90...@fasolo.debian.org> and subject line Bug#1052477: Removed package(s) from unstable has caused the Debian Bug report #772473, regarding xbindkeys-config: CVE-2014-9513: Insecure use of temporary files to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 772473: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772473 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: xbindkeys-config Version: 0.1.3-2 Severity: important Tags: security If you use this program and "view generated file" the current output will be saved to the file /tmp/xbindkeysrc-tmp. This allows the corruption of any file the user has permission to write to. Later this predictable file is used to execute commands: /*****************************************************************************/ void middle_apply_action(GtkWidget *parent, void *data) { unlink(TEMP_FILE); save_file(TEMP_FILE); system("killall -9 xbindkeys"); usleep(500); /* printf("****\n\noutput = %d\n\n****",system("xbindkeys -f " TEMP_FILE )); */ system("xbindkeys -f " TEMP_FILE ); } Really most of this complexity could go away if we just assumed the editor would write to a file the user specified, or ~/.xbindkeysrc. Given the number of bugs that have been untouched for a long time this package should probably not go into the Jessie release without a good update. Regardless this is a classic case of insecure-temporary files and should almost certainly have a CVE ID allocated. Steve -- System Information: Debian Release: 7.7 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 3.16-0.bpo.2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8) Shell: /bin/sh linked to /bin/dash Versions of packages xbindkeys-config depends on: ii libatk1.0-0 2.4.0-2 ii libc6 2.13-38+deb7u6 ii libcairo2 1.12.2-3 ii libfontconfig1 2.9.0-7.1 ii libfreetype6 2.4.9-1.1 ii libglib2.0-0 2.33.12+really2.32.4-5 ii libgtk2.0-0 2.24.10-2 ii libpango1.0-0 1.30.0-1 ii xbindkeys 1.8.5-1 ii zlib1g 1:1.2.7.dfsg-13 xbindkeys-config recommends no packages. xbindkeys-config suggests no packages. -- no debconf information
--- End Message ---
--- Begin Message ---Version: 0.1.3-3+rm Dear submitter, as the package xbindkeys-config has just been removed from the Debian archive unstable we hereby close the associated bug reports. We are sorry that we couldn't deal with your issue properly. For details on the removal, please see https://bugs.debian.org/1052477 The version of this package that was in Debian prior to this removal can still be found using https://snapshot.debian.org/. Please note that the changes have been done on the master archive and will not propagate to any mirrors until the next dinstall run at the earliest. This message was generated automatically; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org. Debian distribution maintenance software pp. Scott Kitterman (the ftpmaster behind the curtain)
--- End Message ---
