Your message dated Fri, 22 Feb 2008 02:17:06 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#466382: fixed in wyrd 1.4.3b-4
has caused the Debian Bug report #466382,
regarding wyrd: CVE-2008-0806 insecure tempfile creation allows symlink attack
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [EMAIL PROTECTED] immediately.)

--
466382: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=466382
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: wyrd
Version: 1.4.3b-3
Severity: grave
Tags: security

Hi,
while searching for cool calendar software I tried out wyrd and noticed a wyrd file in /tmp that didn't look very random. Looking at the source code it turns out that wyrd dumps its configuration if you press ? (help) in the ui. It then stores a file named wyrd-tmp.<userid> in /tmp.

rcfile.ml:139
    let tmpfile = "/tmp/wyrd-tmp." ^ (string_of_int (Unix.getuid ()))

An attacker only needs to look up the userid in /etc/passwd and create a symlink from /home/victim/someimportantfile to /tmp/wyrd-tmp.uid, and this will overwrite the content with the wyrd configuration.

Unfortunately I have no idea about ML programming so I don't have a solution for this.

A CVE id for this is pending.

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
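The pattern Nico describes above, written out in OCaml next to two hardened variants. This is an added example, not wyrd's source and not the Debian patch; the function names, the "wyrd-tmp." prefix, and the constructed configuration string are assumptions.

```ocaml
(* Added example; not wyrd's code or the Debian fix. Build with:
   ocamlfind ocamlopt -package unix -linkpkg tmpfile.ml *)

(* The pattern from the report: a predictable path, opened non-exclusively.
   open_out follows a symlink planted at that path and truncates whatever it
   points to, so the configuration lands in a file chosen by someone else. *)
let vulnerable_dump (contents : string) : string =
  let tmpfile = "/tmp/wyrd-tmp." ^ string_of_int (Unix.getuid ()) in
  let oc = open_out tmpfile in
  output_string oc contents;
  close_out oc;
  tmpfile

(* Hardened: Filename.open_temp_file picks an unpredictable name and creates
   the file atomically with O_EXCL and mode 0o600. If an entry (or symlink)
   already sits at the chosen name, creation fails with Sys_error instead
   of being followed. Do not use Filename.temp_file + open_out: that reopens
   the name and reintroduces the race. *)
let safe_dump (contents : string) : string =
  let tmpfile, oc = Filename.open_temp_file "wyrd-tmp." ".conf" in
  output_string oc contents;
  close_out oc;
  tmpfile

(* The same guarantee spelled out with the Unix module. With O_CREAT|O_EXCL,
   POSIX open(2) fails with EEXIST when the path names a symlink, regardless
   of where it points; 0o600 keeps the file private to the user. *)
let safe_dump_unix (contents : string) : string =
  let name =
    Printf.sprintf "wyrd-tmp.%d.%06x" (Unix.getpid ())
      (Random.bits () land 0xffffff)
  in
  let tmpfile = Filename.concat (Filename.get_temp_dir_name ()) name in
  let fd =
    Unix.openfile tmpfile
      [Unix.O_WRONLY; Unix.O_CREAT; Unix.O_EXCL; Unix.O_CLOEXEC] 0o600
  in
  let len = String.length contents in
  let written = Unix.write_substring fd contents 0 len in
  Unix.close fd;
  if written <> len then failwith "short write";
  tmpfile

let () =
  Random.self_init ();
  let cfg = "# constructed sample configuration\nset foo bar\n" in
  print_endline ("safe_dump wrote " ^ safe_dump cfg);
  print_endline ("safe_dump_unix wrote " ^ safe_dump_unix cfg)
```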
--- Begin Message ---
Source: wyrd
Source-Version: 1.4.3b-4

We believe that the bug you reported is fixed in the latest version of wyrd, which is due to be installed in the Debian FTP archive:

wyrd_1.4.3b-4.diff.gz
  to pool/main/w/wyrd/wyrd_1.4.3b-4.diff.gz
wyrd_1.4.3b-4.dsc
  to pool/main/w/wyrd/wyrd_1.4.3b-4.dsc
wyrd_1.4.3b-4_i386.deb
  to pool/main/w/wyrd/wyrd_1.4.3b-4_i386.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kevin Coyner <[EMAIL PROTECTED]> (supplier of updated wyrd package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 21 Feb 2008 17:57:30 -0500
Source: wyrd
Binary: wyrd
Architecture: source i386
Version: 1.4.3b-4
Distribution: unstable
Urgency: low
Maintainer: Kevin Coyner <[EMAIL PROTECTED]>
Changed-By: Kevin Coyner <[EMAIL PROTECTED]>
Description:
 wyrd       - text-based calendar application
Closes: 466382
Changes:
 wyrd (1.4.3b-4) unstable; urgency=low
 .
   * Patch from Nico Golde and the security team. This patch addresses the
     following issue: CVE-2008-0806: insecure temporary file creation that
     could lead to symlink attacks and thus data loss. Closes: #466382.
   * Bumped Standards-Version to 3.7.3. No changes.
   * Moved Homepage header out of extended description.
   * Removed unnecessary whitespace in doc-base file.
Files:
 5eb1242697558f8fe3d6e5fb0a5cf497 672 utils optional wyrd_1.4.3b-4.dsc
 56dd09014d7f0ced22ae56f192ac9030 4919 utils optional wyrd_1.4.3b-4.diff.gz
 f2d375818b5efed296bcdadfa6505d8c 304746 utils optional wyrd_1.4.3b-4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHvi23qPceVIzhGUERAtTVAJ0WBg/659p7NjKerl/mixeOMULjIACeOo3p
qgzFLUMYq1fKEsN58qAXCIw=
=Fzq8
-----END PGP SIGNATURE-----
--- End Message ---