Your message dated Fri, 22 Feb 2008 02:17:06 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#466382: fixed in wyrd 1.4.3b-4
has caused the Debian Bug report #466382,
regarding wyrd: CVE-2008-0806 insecure tempfile creation allows symlink attack
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
466382: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=466382
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: wyrd
Version: 1.4.3b-3
Severity: grave
Tags: security

Hi,
while searching for cool calendar software I tried out 
wyrd and noticed a wyrd file in /tmp that didn't look very 
random. Looking at the source code it turns out that wyrd 
dumps its configuration if you press ? (help) in the UI.
It then stores a file named wyrd-tmp.<userid> in /tmp.

rcfile.ml:
139 let tmpfile = "/tmp/wyrd-tmp." ^ (string_of_int (Unix.getuid ()))

An attacker only needs to look up the userid in /etc/passwd 
and create a symlink from /home/victim/someimportantfile to /tmp/wyrd-tmp.uid,
and this will overwrite the content with the wyrd 
configuration.

Unfortunately I have no idea about ML programming so I don't 
have a solution for this.

A CVE id for this is pending.
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



--- End Message ---
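As an added illustration (not code from the report or from wyrd itself, which is written in OCaml): the predictable open described above beside the O_EXCL|O_NOFOLLOW and mkstemp() forms that close the hole, exercised against a constructed symlink in a private scratch directory. The scratch path under /tmp, the file names and the function names are assumptions made here.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flags set to 1 by run_demo(); see the comment at each assignment. */
struct demo_result { int vuln_followed_link, victim_truncated, hardened_refused, mkstemp_ok; };

/* Vulnerable pattern from the report: a fixed wyrd-tmp.<uid> name opened for
 * writing with truncation, following whatever the path already resolves to. */
static int open_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened variant of the same name: O_EXCL refuses any pre-existing path
 * (symlinks included) and O_NOFOLLOW never dereferences the final component. */
static int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Plants a victim file and a symlink named like wyrd's temp file inside a
 * private scratch directory (constructed here, not /tmp itself), tries each
 * opener, then shows mkstemp(), the preferred fix, picking an unpredictable name. */
struct demo_result run_demo(void) {
    struct demo_result r = {0, 0, 0, 0};
    char dir[] = "/tmp/wyrd-demo.XXXXXX", victim[256], link[256], tmpl[256];
    struct stat st; int fd;
    if (mkdtemp(dir) == NULL) return r;
    snprintf(victim, sizeof victim, "%s/someimportantfile", dir);
    snprintf(link, sizeof link, "%s/wyrd-tmp.%u", dir, (unsigned)getuid());
    snprintf(tmpl, sizeof tmpl, "%s/wyrd-tmp.XXXXXX", dir);
    if ((fd = open(victim, O_WRONLY | O_CREAT, 0600)) < 0) return r;
    if (write(fd, "important data\n", 15) < 0 || close(fd) < 0) return r;
    if (symlink(victim, link) != 0) return r;
    fd = open_exclusive(link); /* tried first, while the victim is still intact */
    r.hardened_refused = (fd < 0 && (errno == EEXIST || errno == ELOOP));
    if (fd >= 0) close(fd);
    fd = open_predictable(link); /* succeeds: the symlink is silently followed */
    if (fd >= 0) { r.vuln_followed_link = 1; close(fd); }
    r.victim_truncated = (stat(victim, &st) == 0 && st.st_size == 0);
    fd = mkstemp(tmpl); /* fills in XXXXXX; opens with O_CREAT|O_EXCL, mode 0600 */
    r.mkstemp_ok = (fd >= 0 && strcmp(tmpl, link) != 0);
    if (fd >= 0) { close(fd); unlink(tmpl); }
    unlink(link); unlink(victim); rmdir(dir);
    return r;
}
```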
--- Begin Message ---
Source: wyrd
Source-Version: 1.4.3b-4

We believe that the bug you reported is fixed in the latest version of
wyrd, which is due to be installed in the Debian FTP archive:

wyrd_1.4.3b-4.diff.gz
  to pool/main/w/wyrd/wyrd_1.4.3b-4.diff.gz
wyrd_1.4.3b-4.dsc
  to pool/main/w/wyrd/wyrd_1.4.3b-4.dsc
wyrd_1.4.3b-4_i386.deb
  to pool/main/w/wyrd/wyrd_1.4.3b-4_i386.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kevin Coyner <[EMAIL PROTECTED]> (supplier of updated wyrd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 21 Feb 2008 17:57:30 -0500
Source: wyrd
Binary: wyrd
Architecture: source i386
Version: 1.4.3b-4
Distribution: unstable
Urgency: low
Maintainer: Kevin Coyner <[EMAIL PROTECTED]>
Changed-By: Kevin Coyner <[EMAIL PROTECTED]>
Description: 
 wyrd       - text-based calendar application
Closes: 466382
Changes: 
 wyrd (1.4.3b-4) unstable; urgency=low
 .
   * Patch from Nico Golde and the security team.
     This patch addresses the following issue:
     CVE-2008-0806: insecure temporary file creation that
     could lead to symlink attacks and thus data loss. Closes: #466382.
   * Bumped Standards-Version to 3.7.3. No changes.
   * Moved Homepage header out of extended description.
   * Removed unnecessary whitespace in doc-base file.
Files: 
 5eb1242697558f8fe3d6e5fb0a5cf497 672 utils optional wyrd_1.4.3b-4.dsc
 56dd09014d7f0ced22ae56f192ac9030 4919 utils optional wyrd_1.4.3b-4.diff.gz
 f2d375818b5efed296bcdadfa6505d8c 304746 utils optional wyrd_1.4.3b-4_i386.deb


--- End Message ---