Processed: Re: Bug#590617: wdm: Why one has to login to do HALT !! Please make LINUX SIMPLE and HUMAN !

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> severity 590617 wishlist
Bug #590617 [wdm] wdm: Why one has to login to do HALT !! Please make LINUX 
SIMPLE and HUMAN !
Severity set to 'wishlist' from 'important'

> tag 590617 +wontfix
Bug #590617 [wdm] wdm: Why one has to login to do HALT !! Please make LINUX 
SIMPLE and HUMAN !
Added tag(s) wontfix.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
590617: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590617
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


-- 
To UNSUBSCRIBE, email to debian-qa-packages-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/handler.s.c.128039788527932.transcr...@bugs.debian.org

Bug#590617: wdm: Why one has to login to do HALT !! Please make LINUX SIMPLE and HUMAN !

[Agustin Martin]

severity 590617 wishlist
tag 590617 +wontfix
thanks

On Wed, Jul 28, 2010 at 09:53:49AM +0200, Michelle Konzack wrote:
> Am 2010-07-27 22:35:21, schrieb yellow:
> > Package: wdm
> > Version: 1.28-4
> > Severity: important
> > 
> > Dear Sir,
> > 
> > It is of no senses to make linux asking a login and password to halt it.
> 
> Because it is not realy funny to  have  someone  shutdown  the  computer
> without permissions while you are running backgrond processes?
> 
> Note:   My Devel-Workstation is the fastest existing Quad-Phenom and
> I do heavy dataprocessing, while I am not on my computer.
> 
> However if you want to shutdown your Computer, configure system to allow
>  to shutdown the computer.
> 
> > Please a fix asap !
> 
> WONTFIX!

Really tagging wontfix,

-- 
Agustin



-- 
To UNSUBSCRIBE, email to debian-qa-packages-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20100729100431.gb3...@agmartin.aq.upm.es

hsolink REMOVED from testing

[Debian testing watch]

FYI: The status of the hsolink source package
in Debian's testing distribution has changed.

  Previous version: 1.0.118-3
  Current version:  (not in testing)
  Hint: 
# 20100728

The script that generates this mail tries to extract removal
reasons from comments in the britney hint files. Those comments
were not originally meant to be machine readable, so if the
reason for removing your package seems to be nonsense, it is
probably the reporting script that got confused. Please check the
actual hints file before you complain about meaningless removals.

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See http://release.debian.org/testing-watch/ for more information.


-- 
To UNSUBSCRIBE, email to debian-qa-packages-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/e1oew8v-0006wg...@franck.debian.org

Processing of mtink_1.0.16-3_i386.changes

[Archive Administrator]

mtink_1.0.16-3_i386.changes uploaded successfully to ftp-master.debian.org
along with the files:
  mtink_1.0.16-3.dsc
  mtink_1.0.16-3.diff.gz
  mtink-doc_1.0.16-3_all.deb
  mtink_1.0.16-3_i386.deb

Greetings,

Your Debian queue daemon (running on host ravel.debian.org)


-- 
To UNSUBSCRIBE, email to debian-qa-packages-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/e1oexpb-0003aw...@ravel.debian.org

Processing of iterm_0.5-8_i386.changes

[Archive Administrator]

iterm_0.5-8_i386.changes uploaded successfully to localhost
along with the files:
  iterm_0.5-8.dsc
  iterm_0.5-8.diff.gz
  libiterm1_0.5-8_i386.deb
  libiterm-dev_0.5-8_i386.deb
  libxiterm1_0.5-8_i386.deb
  libxiterm-dev_0.5-8_i386.deb
  xiterm_0.5-8_i386.deb
  fbiterm_0.5-8_i386.deb

Greetings,

Your Debian queue daemon (running on host franck.debian.org)


-- 
To UNSUBSCRIBE, email to debian-qa-packages-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/e1oexpd-00067t...@franck.debian.org

Processing of mtink_1.0.16-3_i386.changes

[Archive Administrator]

mtink_1.0.16-3_i386.changes uploaded successfully to localhost
along with the files:
  mtink_1.0.16-3.dsc
  mtink_1.0.16-3.diff.gz
  mtink-doc_1.0.16-3_all.deb
  mtink_1.0.16-3_i386.deb

Greetings,

Your Debian queue daemon (running on host franck.debian.org)


-- 
To UNSUBSCRIBE, email to debian-qa-packages-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/e1oexpd-000672...@franck.debian.org

Processing of mtink_1.0.16-3_i386.changes

[Archive Administrator]

DELAYED/7-day/mtink_1.0.16-3_i386.changes is already present on target host:
mtink_1.0.16-3_i386.deb
Either you already uploaded it, or someone else came first.
Job mtink_1.0.16-3_i386.changes removed.

Greetings,

Your Debian queue daemon (running on host franck.debian.org)


-- 
To UNSUBSCRIBE, email to debian-qa-packages-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/e1oexpe-00067c...@franck.debian.org

mtink_1.0.16-3_i386.changes ACCEPTED

[Archive Administrator]

Accepted:
mtink-doc_1.0.16-3_all.deb
  to main/m/mtink/mtink-doc_1.0.16-3_all.deb
mtink_1.0.16-3.diff.gz
  to main/m/mtink/mtink_1.0.16-3.diff.gz
mtink_1.0.16-3.dsc
  to main/m/mtink/mtink_1.0.16-3.dsc
mtink_1.0.16-3_i386.deb
  to main/m/mtink/mtink_1.0.16-3_i386.deb


Override entries for your package:
mtink-doc_1.0.16-3_all.deb - optional doc
mtink_1.0.16-3.dsc - source misc
mtink_1.0.16-3_i386.deb - extra misc

Announcing to debian-devel-chan...@lists.debian.org
Closing bugs: 583541 


Thank you for your contribution to Debian.


-- 
To UNSUBSCRIBE, email to debian-qa-packages-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/e1oexqm-0006ct...@franck.debian.org

mtink override disparity

[Archive Administrator]

There are disparities between your recently accepted upload and the
override file for the following file(s):

mtink-doc_1.0.16-3_all.deb: package says priority is extra, override says 
optional.


Please note that a list of new sections were recently added to the
archive: cli-mono, database, debug, fonts, gnu-r, gnustep, haskell,
httpd, java, kernel, lisp, localization, ocaml, php, ruby, vcs, video,
xfce, zope.  At this time a script was used to reclassify packages into
these sections.  If this is the case, please only reply to this email if
the new section is inappropriate, otherwise please update your package
at the next upload.

Either the package or the override file is incorrect.  If you think
the override is correct and the package wrong please fix the package
so that this disparity is fixed in the next upload.  If you feel the
override is incorrect then please file a bug against ftp.debian.org and
explain why. Please INCLUDE the list of packages as seen above, or we
won't be able to deal with your request due to missing information.

Please make sure that the subject of the bug you file follows the
following format:

Subject: override: BINARY1:section/priority, [...], BINARYX:section/priority

Include the justification for the change in the body of the mail please.


[NB: this is an automatically generated mail; if you already filed a bug
and have not received a response yet, please ignore this mail.  Your bug
needs to be processed by a human and will be in due course, but until
then the installer will send these automated mails; sorry.]

--
Debian distribution maintenance software

(This message was generated automatically; if you believe that there
is a problem with it please contact the archive administrators by
mailing ftpmas...@debian.org)


-- 
To UNSUBSCRIBE, email to debian-qa-packages-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/e1oexqr-0006cl...@franck.debian.org

Bug#528121: debian

[Philippe Coval]

# Hi, I forwarded this issue upstream
tag upstream: 
https://sourceforge.net/projects/xmlresume/forums/forum/92731/topic/1307309/index/page/1
# More: http://rzr.online.fr/q/legal
-- 
# http://rzr.online.fr -- xmpp:rzr[a]jabber.org -- sip:rzr[a]ekiga.net



-- 
To UNSUBSCRIBE, email to debian-qa-packages-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20100729200204.49a5d...@nrv.homelinux.org

Bug#583541: marked as done ([INTL:es] Spanish debconf template translation for mtink)

[Debian Bug Tracking System]

Your message dated Thu, 29 Jul 2010 18:02:08 +
with message-id 
and subject line Bug#583541: fixed in mtink 1.0.16-3
has caused the Debian Bug report #583541,
regarding [INTL:es] Spanish debconf template translation for mtink
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
583541: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583541
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mtink
Version: 1.0.16.2
Severity: wishlist
Tags: l10n patch

Greetings,

-- 
Camaleón 
# mtink po-debconf translation to Spanish
# Copyright (C) 2010 Software in the Public Interest
# This file is distributed under the same license as the mtink package.
#
# Changes:
# - Initial translation
# Camaleón , 2010
#
# - Updates
#
#
# Traductores, si no conocen el formato PO, merece la pena leer la
# documentación de gettext, especialmente las secciones dedicadas a este
# formato, por ejemplo ejecutando:
# info -n '(gettext)PO Files'
# info -n '(gettext)Header Entry'
#
# Equipo de traducción al español, por favor lean antes de traducir
# los siguientes documentos:
#
# - El proyecto de traducción de Debian al español
# http://www.debian.org/intl/spanish/
# especialmente las notas y normas de traducción en
# http://www.debian.org/intl/spanish/notas
#
# - La guía de traducción de po's de debconf:
# /usr/share/doc/po-debconf/README-trans
# o http://www.debian.org/intl/l10n/po-debconf/README-trans
#
msgid ""
msgstr ""
"Project-Id-Version: mtink 1.0.16.2\n"
"Report-Msgid-Bugs-To: gil...@debian.org\n"
"POT-Creation-Date: 2006-09-27 00:45+0200\n"
"PO-Revision-Date: 2010-05-17 14:58+0100\n"
"Last-Translator: Camaleón \n"
"Language-Team: Debian Spanish \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=utf-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Poedit-Language: Spanish\n"

#. Type: note
#. Description
#: ../mtink.templates:1001
msgid "Permissions for mtink"
msgstr "Permisos para mtink"

#. Type: note
#. Description
#: ../mtink.templates:1001
msgid "Warning! Mtink requires special permissions for the device file 
associated with the printer. You should check your permission to see if users 
that could run mtink should also access this file. If you have got a normal 
Debian installation, this group should be lp."
msgstr "Advertencia: Mtink necesita permisos especiales para el archivo del 
dispositivo asociado con la impresora. Compruebe los permisos para verificar 
que los usuarios que pueden ejecutar mtink también puedan acceder a este 
archivo. En una instalación estándar de Debian, este grupo sería «lp»."

--- End Message ---
--- Begin Message ---
Source: mtink
Source-Version: 1.0.16-3

We believe that the bug you reported is fixed in the latest version of
mtink, which is due to be installed in the Debian FTP archive:

mtink-doc_1.0.16-3_all.deb
  to main/m/mtink/mtink-doc_1.0.16-3_all.deb
mtink_1.0.16-3.diff.gz
  to main/m/mtink/mtink_1.0.16-3.diff.gz
mtink_1.0.16-3.dsc
  to main/m/mtink/mtink_1.0.16-3.dsc
mtink_1.0.16-3_i386.deb
  to main/m/mtink/mtink_1.0.16-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 583...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Perrier  (supplier of updated mtink package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Format: 1.8
Date: Wed, 28 Jul 2010 09:27:40 +0200
Source: mtink
Binary: mtink mtink-doc
Architecture: source all i386
Version: 1.0.16-3
Distribution: unstable
Urgency: low
Maintainer: Debian QA Group 
Changed-By: Christian Perrier 
Description: 
 mtink  - Status monitor tool for Epson inkjet printers
 mtink-doc  - Documentation for mtink
Closes: 583541
Changes: 
 mtink (1.0.16-3) unstable; urgency=low
 .
   * QA upload.
   * Fix pending l10n issues. Debconf translations:
 - Spanish (Camaleón).  Closes: #583541
Checksums-Sha1: 
 88405f2165d2ebd9d00f06e7abff06f189ef137c 1167 mtink_1.0.16-3.dsc
 c264024f52a4044337abdf78981d7d4a5f1974a3 35148 mtink_1.0.16-3.diff.gz
 1ab961fbe13b0bb1c159be8ff1c76c468178b302 541326 mtink-doc_1.0.16-3_all.deb
 7d610768d692780377e325a23e91921c4e0c4eb4 176544 mtink_1.0.16-3_i386.deb
Checksums-Sha256: 
 7d2d45ebd0b178b09e38541300968431b8543a42fec34c35597c1dd03c4defa3 1167 
mtink_1.0.16-3.dsc
 9

Bug#583539: Patch for the 0.5-8 NMU of iterm

[Christian PERRIER]

Dear maintainer of iterm,

On Wednesday, July 21, 2010 I sent you a notice announcing my intent to upload a
NMU of your package to fix its pending l10n issues, after an initial
notice sent on Wednesday, July 21, 2010.

You either agreed for this NMU or did not respond to my notices.

I will now upload this NMU to DELAYED/7-DAY.

The NMU patch is attached to this mail.

The NMU changelog is:


Source: iterm
Version: 0.5-8
Distribution: unstable
Urgency: low
Maintainer: Christian Perrier 
Date: Wed, 28 Jul 2010 09:19:11 +0200
Closes: 583539
Changes: 
 iterm (0.5-8) unstable; urgency=low
 .
   * QA upload.
   * Fix pending l10n issues. Debconf translations:
 - Spanish (Camaleón).  Closes: #583539

-- 


diff -Nru iterm-0.5.old/debian/changelog iterm-0.5/debian/changelog
--- iterm-0.5.old/debian/changelog	2010-07-21 00:12:06.0 -0400
+++ iterm-0.5/debian/changelog	2010-07-28 03:19:19.0 -0400
@@ -1,3 +1,11 @@
+iterm (0.5-8) unstable; urgency=low
+
+  * QA upload.
+  * Fix pending l10n issues. Debconf translations:
+- Spanish (Camaleón).  Closes: #583539
+
+ -- Christian Perrier   Wed, 28 Jul 2010 09:19:11 +0200
+
 iterm (0.5-7) unstable; urgency=low
 
   * QA upload.
diff -Nru iterm-0.5.old/debian/copyright iterm-0.5/debian/copyright
--- iterm-0.5.old/debian/copyright	2010-07-21 00:12:06.0 -0400
+++ iterm-0.5/debian/copyright	2010-07-28 03:34:05.0 -0400
@@ -10,7 +10,7 @@
 OpenI18N Advanced Level Utility Development subgroup
 
 Copyright:
-	Copyright © 2002 International Business Machines Corporation
+	Copyright © 2002, International Business Machines Corporation
 
 License: 
  Common Public License Version 0.5 
diff -Nru iterm-0.5.old/debian/po/cs.po iterm-0.5/debian/po/cs.po
--- iterm-0.5.old/debian/po/cs.po	2010-07-21 00:12:06.0 -0400
+++ iterm-0.5/debian/po/cs.po	2010-07-21 12:28:16.0 -0400
@@ -19,6 +19,7 @@
 "PO-Revision-Date: 2007-02-27 11:06+0100\n"
 "Last-Translator: Martin Sin \n"
 "Language-Team: Czech \n"
+"Language: cs\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
diff -Nru iterm-0.5.old/debian/po/da.po iterm-0.5/debian/po/da.po
--- iterm-0.5.old/debian/po/da.po	2010-07-21 00:12:06.0 -0400
+++ iterm-0.5/debian/po/da.po	2010-07-21 12:28:16.0 -0400
@@ -19,6 +19,7 @@
 "PO-Revision-Date: 2005-01-12 22:42+0200\n"
 "Last-Translator: Morten Brix Pedersen \n"
 "Language-Team: Danish \n"
+"Language: da\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
diff -Nru iterm-0.5.old/debian/po/de.po iterm-0.5/debian/po/de.po
--- iterm-0.5.old/debian/po/de.po	2010-07-21 00:12:06.0 -0400
+++ iterm-0.5/debian/po/de.po	2010-07-21 12:28:16.0 -0400
@@ -11,6 +11,7 @@
 "PO-Revision-Date: 2006-12-01 20:41-0500\n"
 "Last-Translator: Matthias Julius \n"
 "Language-Team: German \n"
+"Language: de\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
@@ -55,4 +56,3 @@
 "Sie sollten fbiterm mit gesetztem SUID-Bit installieren, außer Sie "
 "beabsichtigen nicht, es regelmäßig zu nutzen. Sie können diese Einstellung "
 "ändern, indem Sie »dpkg-reconfigure fbiterm« aufrufen."
-
diff -Nru iterm-0.5.old/debian/po/dz.po iterm-0.5/debian/po/dz.po
--- iterm-0.5.old/debian/po/dz.po	2010-07-21 00:12:06.0 -0400
+++ iterm-0.5/debian/po/dz.po	2010-07-21 12:28:16.0 -0400
@@ -19,6 +19,7 @@
 "PO-Revision-Date: 2006-11-30 14:34+0530\n"
 "Last-Translator: norbu \n"
 "Language-Team: Dzongkha \n"
+"Language: dz\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
@@ -36,18 +37,33 @@
 #. Type: boolean
 #. Description
 #: ../fbiterm.templates:1001
-msgid "You have the option of installing the /usr/bin/fbiterm binary with the SUID bit set.  By setting 'SUID root', non-root users may run fbiterm directly."
-msgstr "ཁྱོད་ལུ་  /usr/bin/fbiterm ཟུང་ལྡན་འདི་ ཨེསི་ཡུ་ཨའི་ཌི་ བིཊི་ཆ་ཚན་དང་གཅིག་ཁར་ གཞི་བཙུགས་འབད་ནི་གི་ གདམ་ཁ་ཡོད།  'SUID root' གཞི་སྒྲིག་འབད་ཐོག་ རྩ་བ་མིན་པའི་ལག་ལེན་པ་ཚུ་  fbiterm ཐད་ཀར་དུ་གཡོག་བཀོལ་འོང་།"
+msgid ""
+"You have the option of installing the /usr/bin/fbiterm binary with the SUID "
+"bit set.  By setting 'SUID root', non-root users may run fbiterm directly."
+msgstr ""
+"ཁྱོད་ལུ་  /usr/bin/fbiterm ཟུང་ལྡན་འདི་ ཨེསི་ཡུ་ཨའི་ཌི་ བིཊི་ཆ་ཚན་དང་གཅིག་ཁར་ གཞི་བཙུགས་འབད་"
+"ནི་གི་ གདམ་ཁ་ཡོད།  'SUID root' གཞི་སྒྲིགà¼

Bug#590751: Removed package(s) from unstable

[Debian Archive Maintenance]

We believe that the bug you reported is now fixed; the following
package(s) have been removed from unstable:

   hsolink |  1.0.118-3 | source, alpha, amd64, armel, hppa, hurd-i386, i386, 
ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, sparc

--- Reason ---
RoST; security buggy, obsolete, NPOASR
--

Note that the package(s) have simply been removed from the tag
database and may (or may not) still be in the pool; this is not a bug.
The package(s) will be physically removed automatically when no suite
references them (and in the case of source, when no binary references
it).  Please also remember that the changes have been done on the
master archive (ftp-master.debian.org) and will not propagate to any
mirrors (ftp.debian.org included) until the next cron.daily run at the
earliest.

Packages are usually not removed from testing by hand. Testing tracks
unstable and will automatically remove packages which were removed
from unstable when removing them from testing causes no dependency
problems. The release team can force a removal from testing if it is
really needed, please contact them if this should be the case.

Bugs which have been reported against this package are not automatically
removed from the Bug Tracking System.  Please check all open bugs and
close them or re-assign them to another package if the removed package
was superseded by another one.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 590...@bugs.debian.org.

The full log for this bug can be viewed at http://bugs.debian.org/590751

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@debian.org.

Debian distribution maintenance software
pp.
Luca Falavigna (the ftpmaster behind the curtain)


-- 
To UNSUBSCRIBE, email to debian-qa-packages-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/e1oeay0-0001s6...@franck.debian.org

Bug#590670: marked as done (insecure setuid usage, local root exploit)

[Debian Bug Tracking System]

Your message dated Thu, 29 Jul 2010 17:46:00 -0400
with message-id <20100729214600.ga19...@galadriel.inutil.org>
and subject line Re: insecure setuid usage, local root exploit
has caused the Debian Bug report #590670,
regarding insecure setuid usage, local root exploit
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
590670: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590670
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: hsolink
Version: 1.0.118-3
Severity: critical
Tags: security

Hi,

Following was reported by Christian Jaeger.

--

hsolink-1.0.118 contains a binary hsolinkcontrol that is setuid root.
The binary

- neither sets PATH
- nor fixes other environment variables
- nor checks commandline arguments
- but uses system(3)
(- and may be overflowing fixed-size buffers as well, I didn't check anymore)

and thus is a trivial target to get root, for example:

(I've tested from the files in an ar-unpacked .deb instead of
installing the deb, to avoid exposing my system. Note: apparently the
binary has to be at root-owned paths or the Linux kernel will ignore
the setuid bit.)

novo:~/chris# l -a
total 12
-rwsr-xr-x  1 root root  7072 2010-07-09 22:20 hsolinkcontrol
drwxr-x---  2 root chris   80 2010-07-09 22:55 .
drwxr-xr-x 50 root root  4272 2010-07-09 22:55 ..

ch...@novo:/root/chris$ ./hsolinkcontrol down '; bash'
Using resolvconf.
r...@novo:/root/chris# id
uid=0(root) gid=1000(chris) groups=.

The setuid recommendation is coming from the upstream author
(http://www.pharscape.org/hsolinkcontrol.html), who apparently is not
aware of the implications of the setuid bit, and good security in
general as evidenced by the problems I've listed above. I have not
informed him of the problem [yet].

I don't know about the right solution; maybe using sudo instead of
setuit and adding commandline argument checking and replacing system
calls with fork/exec* calls. Or, to be safer, instead rather turn it
into a daemon. Iff it needs to be run as ordinary users at all--I'm
used to have to run "pon" as root, for example, the charge to enable a
normal user to run hsolinkcontrol (or the program that uses it) as
root (by setting up sudo, for example) could possibly just be left to
the user (I can't say as I haven't used the program yet).

--

Debian has assigned CVE-2010-1671 to this issue.


Cheers,
Thijs


signature.asc
Description: This is a digitally signed message part.
--- End Message ---
--- Begin Message ---
On Wed, Jul 28, 2010 at 01:09:06PM +0200, Thijs Kinkhorst wrote:
> Package: hsolink
> Version: 1.0.118-3
> Severity: critical
> Tags: security
> 
> Hi,
> 
> Following was reported by Christian Jaeger.
> 
> --
> 
> hsolink-1.0.118 contains a binary hsolinkcontrol that is setuid root.
> The binary

I have filed a removal bug and hsolink has been removed (#590751).

Closing the bug.

Cheers,
Moritz

--- End Message ---

Bug#580304: marked as done (libvisual-projectm: New version)

[Debian Bug Tracking System]

Your message dated Thu, 29 Jul 2010 23:37:58 +0200
with message-id <9c0dc3b80c92f51752c447cf72153...@mb8-2.1blu.de>
and subject line Bug#580304: fixed in projectm 2.0.1+dfsg-2
has caused the Debian Bug report #580304,
regarding libvisual-projectm: New version
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
580304: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=580304
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libvisual-projectm
Version: 1.2.0-1
Severity: wishlist

Version 2.0 was released back in December of 2009 with a subsequent 2.0.1
release out.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (99, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.32-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libvisual-projectm depends on:
ii  libc6 2.10.2-6   Embedded GNU C Library: Shared lib
ii  libgcc1   1:4.4.2-9  GCC support library
ii  libprojectm2  1.2.0-3Advanced Milkdrop-compatible music
ii  libsdl1.2debian   1.2.13-5   Simple DirectMedia Layer
ii  libstdc++64.4.2-9The GNU Standard C++ Library v3
ii  libvisual-0.4-0   0.4.0-2.1  Audio visualization framework

libvisual-projectm recommends no packages.

libvisual-projectm suggests no packages.

-- no debconf information

-- 

John Eikenberry
[...@zhar.net - http://zhar.net]
[PGP public key @ http://zhar.net/jae_at_zhar_net.gpg]
__
"Perfection is attained, not when no more can be added, but when no more 
 can be removed." -- Antoine de Saint-Exupery


signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
Has been fixed with the last upload of projectM.


--- End Message ---

Bug#498853: marked as done (libvisual-projectm: jack support)

[Debian Bug Tracking System]

Your message dated Thu, 29 Jul 2010 23:36:58 +0200
with message-id 
and subject line Bug#498853: fixed in projectm 2.0.1+dfsg-2
has caused the Debian Bug report #498853,
regarding libvisual-projectm: jack support
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
498853: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=498853
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: libvisual-projectm
Version: 1.0-1+nmu1
Severity: wishlist

Hello,
I wish I could test projectM with jack, from what I understood it is
possible to use projectM as a standalone and connect-it to the input of
any jack application (and it would do the same with portaudio).
Unfortunately I see no binaries with debian packages which would help me
to do that.
That's all ;-)
Thanks.

-- System Information:
Debian Release: lenny/sid
 APT prefers testing
 APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26.5-rt8sept08 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libvisual-projectm depends on:
ii  libc6 2.7-13 GNU C Library: Shared libraries
ii  libgcc1   1:4.3.1-9  GCC support library
ii  libprojectm2  1.2.0-1Advanced 
Milkdrop-compatible music

ii  libsdl1.2debian   1.2.13-2   Simple DirectMedia Layer
ii  libstdc++64.3.1-9The GNU Standard C++ Library v3
ii  libvisual-0.4-0   0.4.0-2.1  Audio visualization framework

libvisual-projectm recommends no packages.

libvisual-projectm suggests no packages.

-- no debconf information



--- End Message ---
--- Begin Message ---
Has been fixed with the last upload of projectM.


--- End Message ---