Your message dated Fri, 17 Jan 2014 19:25:55 +0100 with message-id <[email protected]> and subject line Re: Bug#702184: gambas3: CVE-2013-1809: insecure temporary directory creation has caused the Debian Bug report #702184, regarding gambas3: CVE-2013-1809: insecure temporary directory creation to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

-- 
702184: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702184
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: gambas3
Severity: important
Tags: security

Hi,

the following vulnerability was published for gambas3.

CVE-2013-1809[0]:
Gambas creates hijackable directory in /tmp

It was found that Gambas is vulnerable to a (temporary files) directory hijack vulnerability. Here are two references:

http://seclists.org/fulldisclosure/2013/Feb/116 (fulldisclosure)
http://code.google.com/p/gambas/issues/detail?id=365 (upstream bugtracker)

Upstream also mentioned the following in their changelog for the 3.4.0 release:

* BUG: Ensure that the interpreter temporary directory is owned by the current user and that its rights are accurate. Otherwise abort.
* BUG: When creating the process temporary directory, check the permissions of both the top directory (gambas.) and the process directory inside.

http://gambasdoc.org/help/doc/release/3.4.0?view

Upstream fixes done via #5438 and #5464:

http://sourceforge.net/p/gambas/code/5438/
http://sourceforge.net/p/gambas/code/5464/

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information and references see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1809
    http://security-tracker.debian.org/tracker/CVE-2013-1809

Could you possibly also bring the following to upstream's attention, which is from the CVE request[1]:

On Sat, Mar 02, 2013 at 07:56:01PM -0700, Kurt Seifried wrote:
> This is one root issue, failure to create tmp dir safely, please use
> CVE-2013-1809 for this issue. Also please refer to:
>
> http://kurt.seifried.org/2012/03/14/creating-temporary-files-securely/

[1] http://marc.info/?l=oss-security&m=136227938405637&w=2

Regards,
Salvatore
--- End Message ---
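The two changelog entries quoted in the report above (the temporary directory must be owned by the current user with accurate rights, both the top directory and the per-process directory inside it are checked, otherwise abort) as a worked example in C. This is an added illustration for this page, not Gambas source and not the content of the upstream commits: every function name, the scenario paths under a mkdtemp() scratch base, and the assumption of a writable /tmp (or $TMPDIR) are invented here.

```c
/* Added example, not Gambas code: the ownership/permission check the 3.4.0 changelog
 * describes. Names and paths are invented; assumes a writable /tmp (or $TMPDIR). */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum tmpdir_status {
    TMPDIR_OK = 0,
    TMPDIR_ERR_MKDIR,    /* mkdir failed for a reason other than EEXIST */
    TMPDIR_ERR_STAT,     /* lstat failed */
    TMPDIR_ERR_NOT_DIR,  /* exists but is not a directory, e.g. a planted symlink */
    TMPDIR_ERR_OWNER,    /* owned by another user */
    TMPDIR_ERR_MODE      /* group/other bits set: others can rename or replace entries */
};

/* `path` must be a real directory owned by `uid` with mode exactly 0700. lstat(),
 * not stat(): a symlink planted at the expected name is rejected, not followed. */
enum tmpdir_status check_private_dir(const char *path, uid_t uid)
{
    struct stat st;
    if (lstat(path, &st) != 0)        return TMPDIR_ERR_STAT;
    if (!S_ISDIR(st.st_mode))         return TMPDIR_ERR_NOT_DIR;
    if (st.st_uid != uid)             return TMPDIR_ERR_OWNER;
    if ((st.st_mode & 07777) != 0700) return TMPDIR_ERR_MODE;
    return TMPDIR_OK;
}

/* The vulnerable pattern was a bare mkdir() at a predictable name with the result
 * ignored, so whoever created the entry first controlled it. Hardened: create with
 * 0700, treat EEXIST as "verify", and verify even after a successful mkdir. */
enum tmpdir_status safe_make_tmpdir(const char *path)
{
    if (mkdir(path, 0700) != 0 && errno != EEXIST) return TMPDIR_ERR_MKDIR;
    return check_private_dir(path, getuid());
}

static void join(char *out, const char *a, const char *b) { snprintf(out, 512, "%s/%s", a, b); }
static char base_buf[512];
/* Private scratch base for the constructed scenarios, made once with mkdtemp(). */
const char *scratch_base(void)
{
    if (base_buf[0] == '\0') {
        const char *t = getenv("TMPDIR");
        snprintf(base_buf, sizeof base_buf, "%s/tmpdir-example-XXXXXX", t ? t : "/tmp");
        if (mkdtemp(base_buf) == NULL) { base_buf[0] = '\0'; return NULL; }
    }
    return base_buf;
}

/* Two-level layout as in the changelog: the top directory is checked first, then
 * the per-process directory inside it. Nothing pre-exists here: expected TMPDIR_OK. */
enum tmpdir_status scenario_fresh(const char *base)
{
    char top[512], proc[512];
    join(top, base, "gambas.top"); join(proc, top, "proc");
    enum tmpdir_status st = safe_make_tmpdir(top);
    return st != TMPDIR_OK ? st : safe_make_tmpdir(proc);
}

/* Directory already present with loose permissions (chmod defeats the umask), as a
 * pre-positioned one would be. Expected TMPDIR_ERR_MODE. */
enum tmpdir_status scenario_loose_perms(const char *base)
{
    char p[512]; join(p, base, "loose");
    if (mkdir(p, 0777) != 0 || chmod(p, 0777) != 0) return TMPDIR_ERR_MKDIR;
    return safe_make_tmpdir(p);
}

/* Symlink planted at the expected name. It points at our own 0700 directory, so a
 * stat()-based check would pass; lstat() sees the link. Expected TMPDIR_ERR_NOT_DIR. */
enum tmpdir_status scenario_symlink(const char *base)
{
    char target[512], lnk[512];
    join(target, base, "target"); join(lnk, base, "planted");
    if (mkdir(target, 0700) != 0 || symlink(target, lnk) != 0) return TMPDIR_ERR_MKDIR;
    return safe_make_tmpdir(lnk);
}

/* Remove everything the scenarios created; returns 0 on success. */
int cleanup_scratch(void)
{
    const char *dirs[] = { "gambas.top/proc", "gambas.top", "loose", "target" };
    char p[512];
    int rc = 0;
    for (int i = 0; i < 4; i++) { join(p, base_buf, dirs[i]); rc |= rmdir(p); }
    join(p, base_buf, "planted");
    rc |= unlink(p); rc |= rmdir(base_buf);
    base_buf[0] = '\0'; return rc;
}

int main(void)
{
    const char *b = scratch_base();
    if (b) printf("fresh=%d loose=%d symlink=%d\n", scenario_fresh(b), scenario_loose_perms(b), scenario_symlink(b));
    return b ? cleanup_scratch() : 1;
}
```

scenario_loose_perms and scenario_symlink are the two failure modes the check is meant to catch: a directory someone else left at the expected name with permissive mode, and a symlink at the expected name, which lstat() rejects while stat() would follow it to a target that looks perfectly healthy. The owner check cannot be exercised without a second uid, so the scenarios only cover its code path; in a real program the caller aborts on anything but TMPDIR_OK, as the changelog says.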
--- Begin Message ---
Source: gambas3
Source-Version: 3.5.1-1

Hi,

This was fixed upstream with 3.4.0.

Regards,
Salvatore
--- End Message ---
_______________________________________________ Pkg-gambas-devel mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-gambas-devel
