Your message dated Tue, 09 Jan 2018 13:04:03 +0000
with message-id <e1eytzt-00051m...@fasolo.debian.org>
and subject line Bug#866862: fixed in diaspora-installer 0.6.6.0+debian2
has caused the Debian Bug report #866862,
regarding diaspora-installer: installs world-writable ruby libraries
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
866862: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866862
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: diaspora-installer
Version: 0.6.6.0+debian1
Severity: grave
Tags: security
Justification: user security hole
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package installs
world-writable files, including a bunch of .rb scripts, allowing
unprivileged local users to "customize" your diaspora experience.

Since this is a downloader package, it needs to sanitize the stuff it
downloads and installs from the net.

From the attached log (scroll to the bottom...):

ERROR: BAD PERMISSIONS
-rw-rw-rw- 1 diaspora nogroup 1935 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/configurate-0.3.1/lib/configurate/lookup_chain.rb
-rw-rw-rw- 1 diaspora nogroup  154 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/.gitignore
-rw-rw-rw- 1 diaspora nogroup  242 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/.travis.yml
-rw-rw-rw- 1 diaspora nogroup   98 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/Gemfile
-rw-rw-rw- 1 diaspora nogroup 1069 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/LICENSE.txt
-rw-rw-rw- 1 diaspora nogroup 3354 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/README.md
-rw-rw-rw- 1 diaspora nogroup  233 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/Rakefile
-rw-rw-rw- 1 diaspora nogroup  918 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/lib/request_store.rb
-rw-rw-rw- 1 diaspora nogroup  233 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/lib/request_store/middleware.rb
-rw-rw-rw- 1 diaspora nogroup  785 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/lib/request_store/railtie.rb
-rw-rw-rw- 1 diaspora nogroup   44 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/lib/request_store/version.rb
-rw-rw-rw- 1 diaspora nogroup  943 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/request_store.gemspec
-rw-rw-rw- 1 diaspora nogroup  981 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/test/middleware_test.rb
-rw-rw-rw- 1 diaspora nogroup 1607 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/test/request_store_test.rb
-rw-rw-rw- 1 diaspora nogroup  267 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/test/test_helper.rb
-rw-rw-rw- 1 diaspora nogroup 3255 Jun 29 20:24 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/twitter-text-1.14.5/README.md

cheers,

Andreas

Attachment: diaspora-installer_0.6.6.0+debian1.log.gz
Description: application/gzip
--- End Message ---
--- Begin Message ---
Source: diaspora-installer
Source-Version: 0.6.6.0+debian2

We believe that the bug you reported is fixed in the latest version of
diaspora-installer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 866...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pirate Praveen <prav...@debian.org> (supplier of updated diaspora-installer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 08 Jan 2018 20:40:24 +0530
Source: diaspora-installer
Binary: diaspora-installer diaspora-installer-mysql diaspora-common
Architecture: source
Version: 0.6.6.0+debian2
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Pirate Praveen <prav...@debian.org>
Description:
 diaspora-common - distributed social networking service - common files
 diaspora-installer - distributed social networking service - installer
 diaspora-installer-mysql - distributed social networking service - installer (with mysql)
Closes: 866862
Changes:
 diaspora-installer (0.6.6.0+debian2) unstable; urgency=medium
 .
   * Bump standards version
   * Apply patch for bundler 1.16 compatibility
   * Remove write permissions correctly (Closes: #866862)
Checksums-Sha1:
 791a23a7138bb448bcfbff0ec1f74f00e5c3d5a8 2012 diaspora-installer_0.6.6.0+debian2.dsc
 d462433317309fdefe9dc8355c184b2ce52624bd 41380 diaspora-installer_0.6.6.0+debian2.tar.xz
 d9439ef4a3a0fbe81bba06fbe28a14e2d55b2ba1 6776 diaspora-installer_0.6.6.0+debian2_source.buildinfo
Checksums-Sha256:
 df17f181664fe67b20f96da36de6bfd14171c0be9686b8d2e75dc349fc8df5e6 2012 diaspora-installer_0.6.6.0+debian2.dsc
 b125707badb640249dc7ef0bf7beb5a5d7bd5aa75bc2a6a07efcd6589732d68a 41380 diaspora-installer_0.6.6.0+debian2.tar.xz
 9d20e6b8fa6c33304f9fe2873b3154f7625a97e51a03b9dac69b8ac58413c8bb 6776 diaspora-installer_0.6.6.0+debian2_source.buildinfo
Files:
 b3aa9e8b13670997ab90e2a38cf4b758 2012 net optional diaspora-installer_0.6.6.0+debian2.dsc
 1758df7a2e2e1224b92bebb08c71f2d7 41380 net optional diaspora-installer_0.6.6.0+debian2.tar.xz
 5919c09b21584acd9286dd5ddf81c344 6776 net optional diaspora-installer_0.6.6.0+debian2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEKnl0ri/BUtd4Z9pKzh+cZ0USwioFAlpUun8ACgkQzh+cZ0US
wir6Sg//Z5nzn5OFOaYoSiVAwfnvk+G8ySU23zuEBmHCTo9bfyHQKieq9boD3Xia
MLU4Oemeyvb3B3RXNLTFZuc11wgdWZGsvxGGIJEJaJOeCsMUYrYJoiepWuMu8Jft
7LwxyFXeQxDWm7vNfRHU0pSHlAGa9wwPLRc+3fKuJTAH9SvseieltWE2ztF9T8dq
L9g6Y9vBEOrRBkheE/qHw8PxKuiJuSd6pVIaxU/IJWTEgwJ6mVF1aIYs1A4JEtgn
mKrbQXqdPSj81xGUVKApjF3Ac/9STHQMdde7j93HEN8L4z7fzM+u9iPGbhn1FikS
VYdJfAHl8NFCb3g80I90YLhpHszPYVd4Z5tl9hAMHZbPT8JxC4ySrofbN5PxavMr
FNkV8x5D8CDcvyaCIev/6lqqPZkyEEAboYEFsUJVf+hrX8Cj1P8xB5+gfpD3jIJ5
hPEuQjfiTsLC6pPv86c1Z+8cnY/SkJG2PrC2jGbSkvMlh4ZIQ2T4k0PPpfcezL8U
WWYEooBb5/p0boje7tZ/Sf2cbthuZuKuBgEtydTAo3s+b9aPNI/j91+X3c5krIyS
ZtNcqN2FvPP/nKrPjiPP1T4hbaokmjRgUmPLpDJCnPmv2TRuWgm90ezfd9XiPtTn
qlWzbMQADnoN/M9FmAVYtsE9kUmN2Owilusg6/GwHjsI1OaAYdk=
=C8Jv
-----END PGP SIGNATURE-----
--- End Message ---
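The report above finds world-writable .rb files that piuparts flagged under /var/lib/diaspora/vendor/bundle, and the changelog entry "Remove write permissions correctly" describes the fix. The shell snippet below is an added example that is not part of the bug report, the Debian BTS messages, or the diaspora-installer package: it performs the same two steps a downloader package's maintainer script should do after fetching a bundle (find anything writable by "other", then strip the group/other write bits), with a constructed temporary tree standing in for the real vendor bundle. The paths and function names are illustrative.

```shell
#!/bin/sh
# Added example (not diaspora-installer's own code): audit a tree for
# world-writable entries the way the piuparts "BAD PERMISSIONS" check
# surfaces them, then strip group/other write bits from everything found.
# The sample tree built in demo() is constructed for illustration.

# List regular files and directories under $1 that are writable by "other",
# printed in the same ls -l style as the piuparts log.
find_world_writable() {
    find "$1" -perm -o+w \( -type f -o -type d \) -exec ls -ld {} \; 2>/dev/null
}

# Count world-writable files and directories under $1 (pass/fail check).
count_world_writable() {
    find "$1" -perm -o+w \( -type f -o -type d \) 2>/dev/null | wc -l | tr -d ' '
}

# Remediation: remove write permission for group and other under $1.
# Only the write bits change; read/execute bits are left alone so the
# bundle stays loadable by the service user that owns it.
sanitize_tree() {
    chmod -R go-w "$1"
}

# Build a constructed vendor bundle with one 0666 gem file, as in the
# report, then show the count before and after sanitizing.
# Prints "<before> <after>", expected "1 0".
demo() {
    tmp=$(mktemp -d)
    gemlib="$tmp/vendor/bundle/ruby/2.3.0/gems/example-0.0.1/lib"
    mkdir -p "$gemlib"
    printf 'puts "hello"\n' > "$gemlib/example.rb"
    chmod 666 "$gemlib/example.rb"      # the defect: -rw-rw-rw-
    before=$(count_world_writable "$tmp")
    find_world_writable "$tmp" >&2      # show the offending entries
    sanitize_tree "$tmp"
    after=$(count_world_writable "$tmp")
    rm -rf "$tmp"
    echo "$before $after"
}

# Run the demonstration when executed directly.
demo
```

Running the audit before and after the fix is the point: a package that downloads code at install time cannot trust the mode bits that arrive in the archive, so the maintainer script should apply the chmod unconditionally and a test such as piuparts should confirm the count of world-writable entries is zero afterwards. Stripping only go-w keeps the files writable by their owner (the diaspora user here), which is the minimum needed to close the local-user write path the report describes.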