Package: aptitude
Version: 0.4.11.2-1
Severity: serious

Since /var/lock is installed with mode 1777 on Debian systems, if
/var/lock/aptitude does not yet exist, a normal user can symlink it to an
arbitrary location on the filesystem. Aptitude then attempts to open
this file with mode O_TRUNC, allowing an ordinary user to truncate an
arbitrary file on the filesystem the next time the system administrator
opens aptitude.

Aptitude should use O_NOFOLLOW on the open call in question to avoid
inadvertent truncation.

-- Package-specific info:
aptitude 0.4.11.2 compiled at Apr 12 2008 04:21:26
Compiler: g++ 4.2.3 (Debian 4.2.3-3)
Compiled against:
apt version 4.6.0
NCurses version 5.6
libsigc++ version: 2.0.18
Ept support enabled.
Current library versions:
NCurses version: ncurses 5.6.20080308
cwidget version: 0.5.11
Apt version: 4.6.0
linux-gate.so.1 => (0xb7f38000)
libapt-pkg-libc6.7-6.so.4.6 => /usr/lib/libapt-pkg-libc6.7-6.so.4.6 (0xb7e63000)
libncursesw.so.5 => /lib/libncursesw.so.5 (0xb7e27000)
libsigc-2.0.so.0 => /usr/lib/libsigc-2.0.so.0 (0xb7e21000)
libcwidget.so.3 => /usr/lib/libcwidget.so.3 (0xb7d30000)
libept.so.0 => /usr/lib/libept.so.0 (0xb7cb8000)
libxapian.so.15 => /usr/lib/libxapian.so.15 (0xb7b45000)
libz.so.1 => /usr/lib/libz.so.1 (0xb7b30000)
libpthread.so.0 => /lib/i686/cmov/libpthread.so.0 (0xb7b18000)
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0xb7a2b000)
libm.so.6 => /lib/i686/cmov/libm.so.6 (0xb7a05000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0xb79f8000)
libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb78aa000)
libutil.so.1 => /lib/i686/cmov/libutil.so.1 (0xb78a6000)
libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb78a2000)
/lib/ld-linux.so.2 (0xb7f39000)
Terminal: screen
$DISPLAY not set.
`which aptitude`: /usr/bin/aptitude
aptitude version information:
aptitude linkage:
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.18.8-domU-linode7 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages aptitude depends on:
ii apt [libapt-pkg-libc6. 0.7.11 Advanced front-end for dpkg
ii libc6 2.7-10 GNU C Library: Shared libraries
ii libcwidget3 0.5.11-1 high-level terminal interface libr
ii libept0 0.5.17 High-level library for managing De
ii libgcc1 1:4.3.0-3 GCC support library
ii libncursesw5 5.6+20080308-1 Shared libraries for terminal hand
ii libsigc++-2.0-0c2a 2.0.18-2 type-safe Signal Framework for C++
ii libstdc++6 4.3.0-3 The GNU Standard C++ Library v3
ii libxapian15 1.0.5-1 Search engine library
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
Versions of packages aptitude recommends:
pn aptitude-doc-en | aptitude-do <none> (no description available)
ii libparse-debianchangelog-perl 1.1.1-2 parse Debian changelogs and output
-- no debconf information