Bug#496369: The possibility of attack with the help of symlinks in some Debian packages

2008-08-28 Thread Charliej
I have discussed this bug with upstream and it has been decided to not use the patch provided but to add -Xgather-messages.sh option to dh_install in debian/rules. This way the offending file is not installed onto the user's system and thus not a security risk. /locale/base/gather-messages.sh is

Bug#496369: The possibility of attack with the help of symlinks in some Debian packages

2008-08-26 Thread Charliej
Moritz Muehlenhoff wrote:
> 3Rseverity 496369 normal
> tag 496369 confirmed
>
> Dmitry E. Oboukhov wrote:
>
>> Binary-package: ampache (3.4.1-1)
>> file: /usr/share/ampache/www/locale/base/gather-messages.sh
>>
>
> Since this script is only used for translating ampache and not for
> the

Bug#496369: The possibility of attack with the help of symlinks in some Debian packages

2008-08-26 Thread Moritz Muehlenhoff
3Rseverity 496369 normal
tag 496369 confirmed

Dmitry E. Oboukhov wrote:
> Binary-package: ampache (3.4.1-1)
> file: /usr/share/ampache/www/locale/base/gather-messages.sh

Since this script is only used for translating ampache and not for the general package usage, I'm lowering the severity to

Bug#496369: The possibility of attack with the help of symlinks in some Debian packages

2008-08-24 Thread Dmitry E. Oboukhov
Package: ampache
Severity: grave

Hi, maintainer!

This message about the error concerns a few packages at once. I've tested all the packages (for Lenny) on my Debian mirror. All scripts of packages (marked as executable) were tested. In some packages I've discovered scripts with errors whic