Your message dated Fri, 14 Feb 2025 17:31:09 +0000
with message-id <e1tizwv-002s7y...@fasolo.debian.org>
and subject line Bug#1077605: fixed in pinfo 0.6.13-1.4
has caused the Debian Bug report #1077605,
regarding pinfo: copies a file from the current directory to /tmp
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1077605: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1077605
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: pinfo
Version: 0.6.13-1.3+b1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
When running "pinfo mpfr", I can see in the strace output:
execve("/bin/sh", ["sh", "-c", "--", "cat ./mpfr> /tmp/pinfo.tVVaeB"],
0x7ffc16308110 /* 135 vars */ <unfinished ...>
This is the case including when the argument is a symbolic link.
This means that private data can end up in /tmp (the file seems
private by default as created with 0600, but the fact that it can
escape the original file system is bad).
This is also bad in case of a symbolic link to some special file,
such as a dev file.
Like "info" and "man", pinfo should not look into the current
directory (except when explicitly requested via the INFOPATH
environment variable).
-- System Information:
Debian Release: trixie/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500,
'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'),
(500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.9.12-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages pinfo depends on:
ii install-info 7.1-3+b1
ii libc6 2.39-6
ii libncursesw6 6.5-2
ii libreadline8t64 8.2-4
ii libtinfo6 6.5-2
pinfo recommends no packages.
pinfo suggests no packages.
-- no debconf information
--
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
--- End Message ---
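The report above describes pinfo resolving a bare page name against the current directory and shelling out to copy whatever it found into /tmp. The maintainer's fix (see the closing message that follows) makes pinfo ignore the current directory when searching. The following is an added example, not pinfo's own code: a lookup routine that searches only directories explicitly listed in INFOPATH, treats "." as an opt-in the user must write out, refuses names with path components, and checks with stat() that the candidate is a regular file so a symlink to a device node or FIFO is never opened. The DEFAULT_INFOPATH value, the suffix list and the demo() scenario are assumptions made for the example.

```python
"""Added example (not pinfo's code): resolve an info page name against
INFOPATH only, never the implicit current directory, and accept only
regular files. DEFAULT_INFOPATH and the suffixes are assumed values."""
import os
import stat
import tempfile

DEFAULT_INFOPATH = ("/usr/share/info",)  # assumed default when INFOPATH is unset


def search_dirs(infopath):
    """Split INFOPATH into a list of directories.

    Empty fields ('a::b', a leading or trailing ':') are dropped rather than
    being treated as '.', so the current directory is searched only when the
    user wrote '.' explicitly."""
    if infopath is None:
        return list(DEFAULT_INFOPATH)
    return [d for d in infopath.split(os.pathsep) if d != ""]


def find_info_file(name, infopath=None, suffixes=("", ".info", ".info.gz")):
    """Return the first regular file matching name in the search dirs, or None.

    A name containing a path separator is rejected outright: only a bare
    page name is looked up, so '../x' or '/dev/zero' can never be selected.
    os.stat() follows symlinks, so a link whose target is a device node or
    FIFO fails the S_ISREG check before anything opens it."""
    if os.sep in name or (os.altsep and os.altsep in name):
        return None
    for d in search_dirs(infopath):
        for suffix in suffixes:
            candidate = os.path.join(d, name + suffix)
            try:
                st = os.stat(candidate)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                return candidate
    return None


def demo():
    """Constructed scenario: a private 'mpfr' file and a FIFO in the working
    directory, and the real page in a separate info directory. Returns a dict
    of named checks so the behaviour can be asserted on."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        infodir = os.path.join(root, "info")
        workdir = os.path.join(root, "work")
        os.makedirs(infodir)
        os.makedirs(workdir)
        with open(os.path.join(infodir, "mpfr.info"), "w") as f:
            f.write("constructed info page\n")
        with open(os.path.join(workdir, "mpfr"), "w") as f:
            f.write("private notes that must not leave this directory\n")
        os.mkfifo(os.path.join(workdir, "fifo"))
        os.symlink(os.path.join(workdir, "fifo"), os.path.join(workdir, "link"))
        old_cwd = os.getcwd()
        os.chdir(workdir)
        try:
            # The page is found through INFOPATH, not through the cwd.
            results["found_via_infopath"] = (
                find_info_file("mpfr", infodir) == os.path.join(infodir, "mpfr.info"))
            # With INFOPATH pointing elsewhere, ./mpfr is not considered.
            results["cwd_ignored"] = find_info_file("mpfr", os.path.join(root, "none")) is None
            # An explicit '.' in INFOPATH is honoured.
            results["explicit_dot_searched"] = find_info_file("mpfr", ".") == os.path.join(".", "mpfr")
            # Special files and symlinks to them are rejected even when searched.
            results["fifo_rejected"] = find_info_file("fifo", ".") is None
            results["symlink_to_fifo_rejected"] = find_info_file("link", ".") is None
            # Path components in the name are refused.
            results["path_rejected"] = find_info_file("../work/mpfr", infodir) is None
        finally:
            os.chdir(old_cwd)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The design choice worth noting is that the type check happens with stat() on the resolved path and the file is never handed to a shell: the original behaviour was unsafe both because "." was an implicit search entry and because the copy went through `sh -c "cat ..."`, so a fix that only removes "." would still leave the second problem for any directory that is searched.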
--- Begin Message ---
Source: pinfo
Source-Version: 0.6.13-1.4
Done: Sven Geuer <s...@debian.org>
We believe that the bug you reported is fixed in the latest version of
pinfo, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1077...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sven Geuer <s...@debian.org> (supplier of updated pinfo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 14 Feb 2025 17:36:51 +0100
Source: pinfo
Architecture: source
Version: 0.6.13-1.4
Distribution: unstable
Urgency: medium
Maintainer: Bas Zoetekouw <b...@debian.org>
Changed-By: Sven Geuer <s...@debian.org>
Closes: 1077605
Changes:
pinfo (0.6.13-1.4) unstable; urgency=medium
.
* Non-maintainer upload.
* Add patch to ignore current directory when searching for files to display
(Closes: #1077605).
* Add d/NEWS.
Checksums-Sha1:
19b0a1c90cb236546871c03cbb9ad649b2094216 1782 pinfo_0.6.13-1.4.dsc
d8740602eed24ebb004fdfc6bc09cc7aba93e20d 9324 pinfo_0.6.13-1.4.debian.tar.xz
ac662c0740a725ea4e79843ae33d226c6c51fc7f 6438 pinfo_0.6.13-1.4_amd64.buildinfo
Checksums-Sha256:
a0ce2a40a026b95eb5130fedbea61ba40ed858e6eb18d4414a5ce1d42af412fa 1782
pinfo_0.6.13-1.4.dsc
1066effd47a1be2e81428ccb313de1a984691ba1a7b00243297e3ee8eb635f55 9324
pinfo_0.6.13-1.4.debian.tar.xz
1f4c6883ed5e16690d51fef53db7d7973cfecfd7b95ade69dfd82ff74e7a6cca 6438
pinfo_0.6.13-1.4_amd64.buildinfo
Files:
935ca1ce1a13d3aff68905c9c872abae 1782 doc optional pinfo_0.6.13-1.4.dsc
1f2dde75b3a7fe6fcece0a21bc6d402e 9324 doc optional
pinfo_0.6.13-1.4.debian.tar.xz
f337012cc8cfaf26af9cb12b4c67a6f8 6438 doc optional
pinfo_0.6.13-1.4_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---