Your message dated Sun, 29 Nov 2015 01:04:03 +0000
with message-id <e1a2qpl-0000gn...@franck.debian.org>
and subject line Bug#756432: fixed in gummi 0.6.5-6
has caused the Debian Bug report #756432,
regarding gummi: Uses predictable filenames in /tmp based on basename
(CVE-2015-7758)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
756432: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756432
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gummi
Version: 0.6.5-3
Severity: normal
I opened a file called thesis.tex in gummi, this created the following
files in /tmp:
-rw-r--r-- 1 jak jak 3196 Jul 29 21:39 .thesis.tex.aux
-rw-r--r-- 1 jak jak 42672 Jul 29 21:39 .thesis.tex.log
-rw-r--r-- 1 jak jak 559 Jul 29 21:39 .thesis.tex.out
-rw-r--r-- 1 jak jak 266755 Jul 29 21:39 .thesis.tex.pdf
-rw-r--r-- 1 jak jak 885 Jul 29 21:39 .thesis.tex.toc
Obviously, this has serious implications for multi-user systems, because
two users editing a file with the same name would write to the same files
in /tmp.
I'm not sure if there are security implications here if you create symbolic
links using those names that an attacker could use to overwrite files
in /home (potentially deleting valuable user information).
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (980, 'unstable'), (500, 'unstable'), (100, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages gummi depends on:
ii libc6 2.19-7
ii libcairo2 1.12.16-2
ii libgdk-pixbuf2.0-0 2.30.7-1
ii libglib2.0-0 2.40.0-3
ii libgtk2.0-0 2.24.24-1
ii libgtksourceview2.0-0 2.10.5-1
ii libgtkspell0 2.0.16-1
ii libpango-1.0-0 1.36.3-1
ii libpoppler-glib8 0.26.3-1
ii zlib1g 1:1.2.8.dfsg-1
Versions of packages gummi recommends:
ii texlive-extra-utils 2014.20140717-1
ii texlive-latex-base 2014.20140717-01
ii texlive-xetex 2014.20140717-01
gummi suggests no packages.
-- no debconf information
--
Julian Andres Klode - Debian Developer, Ubuntu Member
See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.
Be friendly, do not top-post, and follow RFC 1855 "Netiquette".
- If you don't I might ignore you.
--- End Message ---
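The symlink scenario the reporter raises, worked through as an added C example. This is not gummi's code and not the Debian patch (whose contents are not shown on this page); the function names, the "gummi-example-XXXXXX" directory template, and the file names important.txt and thesis.tex are assumptions of the example. It reproduces the "/tmp/.<basename><ext>" naming the report observed, plants a symlink at that guessable name pointing at a victim file, and shows that a plain O_CREAT|O_TRUNC open follows the link and empties the victim, that O_CREAT|O_EXCL|O_NOFOLLOW refuses it with EEXIST, and that a per-process mkdtemp() directory removes the guessable name altogether. Everything runs inside a private directory that stands in for /tmp and $HOME, so nothing outside it is touched.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The naming the report observed, "<tmpdir>/.<basename><ext>": derived only
 * from the document name, so any local user can guess it in advance. */
int build_predictable_path(const char *tmpdir, const char *basename,
                           const char *ext, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/.%s%s", tmpdir, basename, ext);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* 1 if the predictable path for these inputs equals expected. */
int predictable_path_is(const char *tmpdir, const char *basename,
                        const char *ext, const char *expected)
{
    char buf[PATH_MAX];
    return build_predictable_path(tmpdir, basename, ext, buf, sizeof buf) == 0
           && strcmp(buf, expected) == 0;
}

/* Hardened create: O_EXCL makes open() fail with EEXIST if the name exists,
 * even as a dangling symlink (POSIX guarantees this); O_NOFOLLOW adds depth. */
int open_no_clobber(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Better still: a private 0700 directory whose name libc randomises, so the
 * attacker cannot plant anything in it. The template is this example's. */
int make_private_workdir(char *buf, size_t buflen)
{
    const char *tmp = getenv("TMPDIR");
    if (tmp == NULL || *tmp == '\0') tmp = "/tmp";
    if (snprintf(buf, buflen, "%s/gummi-example-XXXXXX", tmp) >= (int)buflen)
        return -1;
    return mkdtemp(buf) != NULL ? 0 : -1;
}

static int write_text(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t w = write(fd, text, strlen(text));
    close(fd);
    return w == (ssize_t)strlen(text) ? 0 : -1;
}

static off_t file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? st.st_size : -1;
}

/* Hermetic end-to-end run in a sandbox standing in for /tmp and $HOME. Returns
 * 0 when the hardened open refuses a planted symlink with EEXIST, the naive
 * open then empties the victim file through that same symlink, and a file in
 * a private mkdtemp() directory is created normally; -1 otherwise. */
int demo_symlink_attack(void)
{
    char sandbox[PATH_MAX], victim[PATH_MAX], trap[PATH_MAX] = "";
    char work[PATH_MAX] = "", safe[PATH_MAX] = "";
    int fd, ok = 0;
    if (make_private_workdir(sandbox, sizeof sandbox) != 0) return -1;
    snprintf(victim, sizeof victim, "%s/important.txt", sandbox);
    if (write_text(victim, "precious user data\n") != 0) goto out;
    /* attacker: symlink at the guessable name, aimed at the victim's file */
    if (build_predictable_path(sandbox, "thesis.tex", ".aux", trap, sizeof trap)
        || symlink(victim, trap) != 0) goto out;
    /* hardened editor: open() refuses the symlink, important.txt survives */
    fd = open_no_clobber(trap);
    if (fd >= 0) { close(fd); goto out; }
    if (errno != EEXIST || file_size(victim) != 19) goto out;
    /* naive editor: "creates" its .aux file and wipes important.txt instead */
    fd = open(trap, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) goto out;
    close(fd);
    if (file_size(victim) != 0) goto out;
    /* private workdir: nothing can be planted there, so the create succeeds */
    if (make_private_workdir(work, sizeof work) != 0) goto out;
    if (build_predictable_path(work, "thesis.tex", ".aux", safe, sizeof safe)
        || (fd = open_no_clobber(safe)) < 0) goto out;
    close(fd);
    ok = 1;
out:
    if (safe[0]) unlink(safe);
    if (work[0]) rmdir(work);
    if (trap[0]) unlink(trap);
    unlink(victim); rmdir(sandbox);
    return ok ? 0 : -1;
}
```

Call demo_symlink_attack() from a main() of your own; it returns 0 when all three behaviours hold. One caveat when reproducing this against the real /tmp: the Linux fs.protected_symlinks sysctl, where enabled, refuses to follow a symlink in a sticky world-writable directory when the link's owner differs from the process following it, which blunts this particular attack in /tmp without fixing the underlying problem (the two-users-same-basename collision the reporter describes remains, and the file is still created where the attacker predicted). The demo runs in a private 0700 directory, where that protection does not apply, so the O_TRUNC step demonstrably empties the victim file regardless of the sysctl.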
--- Begin Message ---
Source: gummi
Source-Version: 0.6.5-6
We believe that the bug you reported is fixed in the latest version of
gummi, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 756...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Stender <deb...@danielstender.com> (supplier of updated gummi package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 29 Nov 2015 01:35:11 +0100
Source: gummi
Binary: gummi
Architecture: source
Version: 0.6.5-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
Changed-By: Daniel Stender <deb...@danielstender.com>
Closes: 756432
Description:
gummi - GTK+ based LaTeX editor with live preview
Changes:
gummi (0.6.5-6) unstable; urgency=medium
.
* Added no-predictable-tmpfiles.patch, fix of CVE-2015-7758 (Closes:
#756432).
Checksums-Sha1:
acccbd72527390d03b59137b1296e5b35ef58ad8 2079 gummi_0.6.5-6.dsc
dc7cc00518f925629574990d13982ae050515e0b 520902 gummi_0.6.5.orig.tar.gz
3e2fafd39b10da63210710ea0ad8d3085927856e 5064 gummi_0.6.5-6.debian.tar.xz
Checksums-Sha256:
d6019ed67f7e00e8935494e6808663f84734e7f46560e1dcc80500f854410494 2079 gummi_0.6.5-6.dsc
b23c2958376ea43c701a276ad19ceac5b50d9cb32a489a10897b25aa5004fffb 520902 gummi_0.6.5.orig.tar.gz
cd6ff96c2861507a8c389ab601b2e07c0f6c61e11e485ea298eeac5e577c9f06 5064 gummi_0.6.5-6.debian.tar.xz
Files:
c6e13d478c397cb2d91dac9e007266f7 2079 tex optional gummi_0.6.5-6.dsc
da6b8736fd42ab3f5a9703a7a7917a7d 520902 tex optional gummi_0.6.5.orig.tar.gz
c5bff50cfbf9bc6ccbd141a42d07fa15 5064 tex optional gummi_0.6.5-6.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
=TmrH
-----END PGP SIGNATURE-----
--- End Message ---
--
debian-science-maintainers mailing list
debian-science-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/debian-science-maintainers