Your message dated Tue, 28 Oct 2008 23:32:10 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#496418: fixed in r-base 2.7.1-1+lenny1
has caused the Debian Bug report #496418,
regarding The possibility of attack with the help of symlinks in some Debian
packages
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
496418: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496418
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: r-base-core
Severity: grave
Hi, maintainer!
This message about the error concerns a few packages at once. I've
tested all the packages (for Lenny) on my Debian mirror. All scripts
of packages (marked as executable) were tested.
In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or user's files.
For example, if a script uses in its work a temp file which is created
in the /tmp directory, then every user can create a symlink with the same
name in this directory in order to destroy or rewrite some system
or user file. A symlink attack may lead not only to data
destruction but to denial of service as well.
Even if you create files or directories with the help of the function 'RANDOM'
or pid(), your system is not protected. An attacker can create many
symlinks in order to destroy your data or create a 'denial of service'
for your package scripts.
Even if you make rm(dir) for files/directories, your system is
not protected. An attacker can permanently create symlinks.
This list was created with the help of a script. The list was sorted by
hand. However, in some cases a mistake is possible.
Please be understanding of possible mistakes. :)
I set the severity of this bug to grave. The table of discovered
problems is below.
You can see the discussion of this bug in debian-devel@:
http://lists.debian.org/debian-devel/2008/08/msg00271.html
Binary-package: r-base-core-ra (1.1.1-1)
file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
file: /usr/share/dtc/admin/accesslog.php
file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
file: /usr/share/linuxtrade/bin/linuxtrade.wn
file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
file: /usr/bin/impose
Binary-package: mgt (2.31-5)
file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
file: /usr/lib/lmbench/scripts/rccs
file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
file: /usr/lib/ogle/ogle_audio_debug
file: /usr/lib/ogle/ogle_cli_debug
file: /usr/lib/ogle/ogle_ctrl_debug
file: /usr/lib/ogle/ogle_gui_debug
file: /usr/lib/ogle/ogle_mpeg_ps_debug
file: /usr/lib/ogle/ogle_mpeg_vs_debug
file: /usr/lib/ogle/ogle_nav_debug
file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
file: /usr/bin/optics2rad
file: /usr/bin/pdelta
file: /usr/bin/dayfact
file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
file: /usr/lib/ogle/ogle_audio_debug
file: /usr/lib/ogle/ogle_cli_debug
file: /usr/lib/ogle/ogle_ctrl_debug
file: /usr/lib/ogle/ogle_gui_debug
file: /usr/lib/ogle/ogle_mpeg_ps_debug
file: /usr/lib/ogle/ogle_mpeg_vs_debug
file: /usr/lib/ogle/ogle_nav_debug
file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
file: /usr/share/convirt/image_store/_template_/provision.sh
file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
file: /usr/share/convirt/image_store/common/provision.sh
file: /usr/share/convirt/image_store/example/provision.sh
file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
file: /usr/lib/R/bin/javareconf
file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
file: /usr/share/xmcd/scripts/ncsarmt
file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
file: /usr/lib/scilab-4.1.2/bin/scilink
file: /usr/lib/scilab-4.1.2/util/scidoc
file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
file: /usr/sbin/checksendmail
file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
file: /usr/bin/patcil
file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
file: /usr/lib/arb/SH/arb_fastdnaml
file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
file: /usr/bin/apertium-gen-deformat
file: /usr/bin/apertium-gen-reformat
file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
file: /usr/share/freeradius-dialupadmin/bin/tot_stats
file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
file: /var/lib/wims/public_html/bin/coqweb
file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
file: /usr/share/bulmages/examples/scripts/actualizabulmacont
file: /usr/share/bulmages/examples/scripts/installbulmages-db
file: /usr/share/bulmages/examples/scripts/creabulmafact
file: /usr/share/bulmages/examples/scripts/creabulmacont
file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
file: /usr/lib/xastir/get-maptools.sh
file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
file: /usr/bin/plaiter
file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh
--- End Message ---
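The report above describes the temp-file race in general terms. As an added example (not code from the bug report, from r-base or from its javareconf script), the shell snippet below contrasts a constructed predictable-name pattern with mktemp(1) and adds a pre-use check; the scratch directory, the file names and the check_tmpfile helper are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the bug report or from r-base: contrasts
# the predictable temp-file pattern the report describes with mktemp(1).

# Unsafe (constructed): a predictable name in the world-writable /tmp.
# If another local user has pre-created a symlink at this exact path, a
# later '> "$f"' follows the link and overwrites whatever it points to.
# Adding $$ or $RANDOM only narrows the guess space; it does not close it.
unsafe_tmpfile() {
    echo "/tmp/javareconf.$$"
}

# Safe: mktemp(1) creates the file itself with O_CREAT|O_EXCL and mode 0600
# under an unpredictable name, so an attacker-planted path is never opened
# and a collision fails loudly instead of following a link. TMPDIR is
# honoured so callers can use a private directory.
safe_tmpfile() {
    mktemp "${TMPDIR:-/tmp}/javareconf.XXXXXXXXXX"
}

# Hypothetical pre-use check for scripts that must reuse an existing path:
# reject symlinks and files not owned by the caller. (-O is not POSIX but
# is supported by bash, dash and busybox ash.)
check_tmpfile() {
    f=$1
    if [ -L "$f" ]; then
        return 1
    fi
    if [ -e "$f" ] && [ ! -O "$f" ]; then
        return 1
    fi
    return 0
}

# Self-contained demonstration in a private scratch directory (constructed
# here so nothing in the real /tmp is touched). Prints "ok" on success.
demo() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/symlinkdemo.XXXXXX") || return 1
    : > "$scratch/victim"
    # Test fixture: a link already sitting at the predictable name.
    ln -s "$scratch/victim" "$scratch/javareconf.$$"
    # mktemp in that same directory yields a fresh, non-link regular file.
    t=$(TMPDIR=$scratch safe_tmpfile) || return 1
    check_tmpfile "$scratch/javareconf.$$" && return 1   # link: rejected
    check_tmpfile "$t" || return 1                        # fresh: accepted
    [ "$t" != "$scratch/javareconf.$$" ] || return 1
    rm -rf "$scratch"
    echo ok
}

demo
```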
--- Begin Message ---
Source: r-base
Source-Version: 2.7.1-1+lenny1
We believe that the bug you reported is fixed in the latest version of
r-base, which is due to be installed in the Debian FTP archive:
r-base-core-dbg_2.7.1-1+lenny1_i386.deb
to pool/main/r/r-base/r-base-core-dbg_2.7.1-1+lenny1_i386.deb
r-base-core_2.7.1-1+lenny1_i386.deb
to pool/main/r/r-base/r-base-core_2.7.1-1+lenny1_i386.deb
r-base-dev_2.7.1-1+lenny1_all.deb
to pool/main/r/r-base/r-base-dev_2.7.1-1+lenny1_all.deb
r-base-html_2.7.1-1+lenny1_all.deb
to pool/main/r/r-base/r-base-html_2.7.1-1+lenny1_all.deb
r-base-latex_2.7.1-1+lenny1_all.deb
to pool/main/r/r-base/r-base-latex_2.7.1-1+lenny1_all.deb
r-base_2.7.1-1+lenny1.diff.gz
to pool/main/r/r-base/r-base_2.7.1-1+lenny1.diff.gz
r-base_2.7.1-1+lenny1.dsc
to pool/main/r/r-base/r-base_2.7.1-1+lenny1.dsc
r-base_2.7.1-1+lenny1_all.deb
to pool/main/r/r-base/r-base_2.7.1-1+lenny1_all.deb
r-doc-html_2.7.1-1+lenny1_all.deb
to pool/main/r/r-base/r-doc-html_2.7.1-1+lenny1_all.deb
r-doc-info_2.7.1-1+lenny1_all.deb
to pool/main/r/r-base/r-doc-info_2.7.1-1+lenny1_all.deb
r-doc-pdf_2.7.1-1+lenny1_all.deb
to pool/main/r/r-base/r-doc-pdf_2.7.1-1+lenny1_all.deb
r-mathlib_2.7.1-1+lenny1_i386.deb
to pool/main/r/r-base/r-mathlib_2.7.1-1+lenny1_i386.deb
r-recommended_2.7.1-1+lenny1_all.deb
to pool/main/r/r-base/r-recommended_2.7.1-1+lenny1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <[EMAIL PROTECTED]> (supplier of updated r-base package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 28 Oct 2008 22:38:33 +0000
Source: r-base
Binary: r-base r-base-core r-base-dev r-mathlib r-base-html r-base-latex
r-doc-pdf r-doc-html r-doc-info r-recommended r-base-core-dbg
Architecture: source i386 all
Version: 2.7.1-1+lenny1
Distribution: testing-proposed-updates
Urgency: low
Maintainer: Dirk Eddelbuettel <[EMAIL PROTECTED]>
Changed-By: Thijs Kinkhorst <[EMAIL PROTECTED]>
Description:
r-base - GNU R statistical computing language and environment
r-base-core - GNU R core of statistical computing language and environment
r-base-core-dbg - GNU R debug symbols for statistical comp. language and
environmen
r-base-dev - GNU R installation of auxiliary GNU R packages
r-base-html - GNU R html docs for statistical computing system functions
r-base-latex - GNU R LaTeX docs for statistical computing system functions
r-doc-html - GNU R html manuals for statistical computing system
r-doc-info - GNU R info manuals statistical computing system
r-doc-pdf - GNU R pdf manuals for statistical computing system
r-mathlib - GNU R standalone mathematics library
r-recommended - GNU R collection of recommended packages [metapackage]
Closes: 496418
Changes:
r-base (2.7.1-1+lenny1) testing-proposed-updates; urgency=low
.
* Non-maintainer upload.
* Port temp file race in src/scripts/javareconf from 2.7.2-1.
(CVE-2008-3931, closes: 496418)
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---