Your message dated Wed, 03 Aug 2011 19:55:16 +0000
with message-id <e1qohxa-0003lb...@franck.debian.org>
and subject line Bug#622794: fixed in atop 1.23-1+squeeze1
has caused the Debian Bug report #622794,
regarding atop: vulnerable to symlink attack via insecure /tmp directory or file
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
622794: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622794
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: atop
Version: 1.23-1
Severity: grave
Tags: security
Justification: user security hole
Hi,
I've just noticed that atop keeps the runtime data in /tmp/atop* directories
or files (mentioned in the man page too). I think it was established from a
discussion on debian-devel@l.d.o that this is potentially a security
vulnerability. Probably it should keep its temporary runtime data in its own
directory under /var/run (or /run for the next release).
Please consider backporting the fix for 'stable' too.
Thanks
-- System Information:
Debian Release: 6.0.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages atop depends on:
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii libncurses5 5.7+20100313-5 shared libraries for terminal hand
ii logrotate 3.7.8-6 Log rotation utility
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
atop recommends no packages.
atop suggests no packages.
-- no debconf information
--- End Message ---
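The defect class in the report is a fixed, world-writable path like /tmp/atop* that is opened without checking what is already there, so a pre-planted symlink redirects the write. The following is an added example, not atop's code and not the Debian fix: it shows the create-only, no-follow open a daemon should use for its runtime file, plus a self-check in a constructed scratch directory (the directory name and file names are assumptions).

```c
/* Added example (not atop's own code): creating a runtime file without
 * following a pre-planted symlink, the bug class reported above.
 * Assumes the caller already has a directory it owns; the self-test uses a
 * constructed mkdtemp() scratch directory under /tmp instead. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` for writing, refusing to reuse any pre-existing object:
 * O_CREAT|O_EXCL makes creation atomic and fails with EEXIST on a symlink,
 * O_NOFOLLOW additionally turns the symlink case into ELOOP.
 * Returns a descriptor, or -1 if the path could not be created safely. */
int open_runtime_file_safely(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Belt and braces: the object we hold must be a regular file we own. */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-test: in a fresh private directory, plant a symlink where the runtime
 * file would go, check that the safe open refuses it and writes nothing
 * through it, then check that a clean path is created normally.
 * Returns 1 when both checks pass, 0 otherwise. */
int demo_symlink_rejected(void)
{
    char dir[] = "/tmp/atop-demo-XXXXXX";          /* constructed scratch dir */
    if (mkdtemp(dir) == NULL)
        return 0;
    char link[256], target[256];
    snprintf(link, sizeof link, "%s/atop.raw", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    if (symlink(target, link) < 0)
        return 0;
    int rejected = open_runtime_file_safely(link) == -1 && access(target, F_OK) != 0;
    unlink(link);
    int fd = open_runtime_file_safely(link);
    int created = fd >= 0;
    if (fd >= 0)
        close(fd);
    unlink(link);
    rmdir(dir);
    return rejected && created;
}
```

Moving the file into a daemon-owned directory under /var/run, as the report suggests, removes the shared-directory race entirely; the create-only open is still the right call inside that directory.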
--- Begin Message ---
Source: atop
Source-Version: 1.23-1+squeeze1
We believe that the bug you reported is fixed in the latest version of
atop, which is due to be installed in the Debian FTP archive:
atop_1.23-1+squeeze1.diff.gz
to main/a/atop/atop_1.23-1+squeeze1.diff.gz
atop_1.23-1+squeeze1.dsc
to main/a/atop/atop_1.23-1+squeeze1.dsc
atop_1.23-1+squeeze1_amd64.deb
to main/a/atop/atop_1.23-1+squeeze1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 622...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonathan Wiltshire <j...@debian.org> (supplier of updated atop package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Mon, 01 Aug 2011 15:35:16 +0100
Source: atop
Binary: atop
Architecture: source amd64
Version: 1.23-1+squeeze1
Distribution: stable
Urgency: high
Maintainer: Edelhard Becker <edelh...@debian.org>
Changed-By: Jonathan Wiltshire <j...@debian.org>
Description:
atop - Monitor for system resources and process activity
Closes: 622794
Changes:
atop (1.23-1+squeeze1) stable; urgency=high
.
* Non-maintainer upload.
* Fix CVE-2011-XXXX: Insecure use of temporary files in rawlog.c and
acctproc.c (Closes: #622794)
--- End Message ---