Debian Bug report logs - #454089
CVE-2007-6208 insecure tmp file handling in sylprint.pl prone to symlink attack
Reported by: Nico Golde <nion@debian.org>
Date: Sun, 2 Dec 2007 23:39:02 UTC
Severity: important
Tags: security
Fixed in version claws-mail/3.1.0-2
Done: Ricardo Mones <mones@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Ricardo Mones <mones@debian.org>: Bug#454089; Package claws-mail-tools.
Acknowledgement sent to Nico Golde <nion@debian.org>: New Bug report received and forwarded. Copy sent to Ricardo Mones <mones@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: claws-mail-tools
Severity: important
Tags: security
Hi,
the sylprint.pl script, also shipped in an installation of the
package, is prone to a symlink attack.
sylprint.pl:
    $tmpfn="/tmp/sylprint.$ENV{'USER'}.$$";   # name built only from user name and pid
    open(TMP,">$tmpfn");                       # follows a symlink at that path and truncates the target
    open(FIN,"<$ARGV[0]");
    LN: while (<FIN>) {
        $ln = $_;
        foreach $n (@cabn) {
    [...]
    # print headers
    if ($headers) {
        print TMP "\n\n";
Since the process id is pretty predictable, as well as the user name in
this case, an attacker could create a symlink to the tmp file and thereby
overwrite arbitrary files owned by the user.
Opening with O_EXCL and raising an error would be sufficient from my
point of view.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
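The report above describes the weakness (a temporary file whose name is fully predictable from the user name and pid, opened with a plain `>` that follows whatever symlink already sits at that path) and names the remedy (open with O_EXCL and fail). The following Perl script is an added example, written for this page; it is not code from sylprint.pl, from the claws-mail project, or from the Debian package. It shows the two standard ways to create such a file safely: letting File::Temp choose an unguessable name and open it with O_CREAT|O_EXCL, and keeping a chosen name but opening it with O_EXCL via sysopen so that a pre-existing path (symlink included) makes the open fail instead of being followed. The path `/tmp/sylprint.demo.$$` and the function names are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not part of sylprint.pl or claws-mail. Demonstrates
# race-free creation of the per-run temporary file that sylprint.pl
# built as /tmp/sylprint.$USER.$PID.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempfile);

# Variant 1: File::Temp (Perl core) picks a random suffix for the X's and
# opens the result with O_CREAT|O_EXCL itself, so an attacker cannot
# pre-place a symlink at a name they can predict. The "sylprint." prefix
# is kept only so the file is recognisable in /tmp.
sub open_tmp_with_file_temp {
    my ($fh, $name) = tempfile("sylprint.XXXXXXXX", DIR => "/tmp", UNLINK => 1);
    return ($fh, $name);
}

# Variant 2: keep a chosen name but open it with O_EXCL, which is the
# change the bug report suggests. With O_CREAT|O_EXCL, open(2) fails with
# EEXIST if anything, including a symlink, already exists at that path,
# rather than following it and truncating the target. Mode 0600 keeps the
# file private to the user.
sub open_tmp_exclusive {
    my ($path) = @_;
    my $fh;
    sysopen($fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or die "refusing to use $path: $!\n";
    return $fh;
}

# Demonstration against a constructed, hypothetical path (assumption:
# nothing else uses /tmp/sylprint.demo.<pid> on this machine).
my $path = "/tmp/sylprint.demo.$$";

my ($fh1, $name1) = open_tmp_with_file_temp();
print $fh1 "header\n";
close $fh1;
print "File::Temp created $name1 (removed automatically at exit)\n";

my $fh2 = open_tmp_exclusive($path);
print $fh2 "header\n";
close $fh2;
print "O_EXCL open of $path succeeded on first use\n";

# A second attempt on the same path must fail because the path now
# exists; this is exactly the behaviour that defeats a pre-placed symlink.
my $second = eval { open_tmp_exclusive($path); 1 };
print "second O_EXCL open correctly refused: $@" unless $second;
unlink $path;
```

Of the two variants, File::Temp is the one to reach for in new code: it removes the guessable name as well as the race, and UNLINK => 1 cleans the file up at exit. The sysopen form is the minimal change to a script like sylprint.pl that wants to keep its existing naming scheme; its failure mode (an error instead of a silently clobbered file) is what the report asks for.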
Information forwarded to debian-bugs-dist@lists.debian.org, Ricardo Mones <mones@debian.org>: Bug#454089; Package claws-mail-tools.
Acknowledgement sent to Colin Leroy <colin@colino.net>: Extra info received and forwarded to list. Copy sent to Ricardo Mones <mones@debian.org>.
Message #10 received at 454089@bugs.debian.org:
This bug is going to be fixed.
Would it be too much to ask the submitter to handle security issues
privately until they're resolved, or is it more interesting to have
them published all over the place[*] when no solution is available?
[*]
http://secwatch.org/advisories/1019661/
http://www.securityfocus.com/bid/26676
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6208
--
Colin
Changed Bug title to `CVE-2007-6208 insecure tmp file handling in sylprint.pl prone to symlink attack' from `insecure tmp file handling in sylprint.pl'.
Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Tue, 04 Dec 2007 12:48:02 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Ricardo Mones <mones@debian.org>: Bug#454089; Package claws-mail-tools.
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Ricardo Mones <mones@debian.org>.
Message #17 received at 454089@bugs.debian.org:
Hi,
Name: CVE-2007-6208
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6208
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=454089
sylprint.pl in claws mail tools (claws-mail-tools) allows local users
to overwrite arbitrary files via a symlink attack on the
sylprint.[USER].[PID] temporary file.
Please mention the CVE id in the changelog if you fix this bug (I suggest by
removing this script from the package, as upstream also wants to remove it).
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Reply sent to Ricardo Mones <mones@debian.org>: You have taken responsibility.
Notification sent to Nico Golde <nion@debian.org>: Bug acknowledged by developer.
Message #22 received at 454089-close@bugs.debian.org:
Source: claws-mail
Source-Version: 3.1.0-2
We believe that the bug you reported is fixed in the latest version of
claws-mail, which is due to be installed in the Debian FTP archive:
claws-mail-bogofilter_3.1.0-2_amd64.deb
to pool/main/c/claws-mail/claws-mail-bogofilter_3.1.0-2_amd64.deb
claws-mail-clamav_3.1.0-2_amd64.deb
to pool/main/c/claws-mail/claws-mail-clamav_3.1.0-2_amd64.deb
claws-mail-dbg_3.1.0-2_amd64.deb
to pool/main/c/claws-mail/claws-mail-dbg_3.1.0-2_amd64.deb
claws-mail-dillo-viewer_3.1.0-2_amd64.deb
to pool/main/c/claws-mail/claws-mail-dillo-viewer_3.1.0-2_amd64.deb
claws-mail-doc_3.1.0-2_all.deb
to pool/main/c/claws-mail/claws-mail-doc_3.1.0-2_all.deb
claws-mail-i18n_3.1.0-2_all.deb
to pool/main/c/claws-mail/claws-mail-i18n_3.1.0-2_all.deb
claws-mail-pgpinline_3.1.0-2_amd64.deb
to pool/main/c/claws-mail/claws-mail-pgpinline_3.1.0-2_amd64.deb
claws-mail-pgpmime_3.1.0-2_amd64.deb
to pool/main/c/claws-mail/claws-mail-pgpmime_3.1.0-2_amd64.deb
claws-mail-plugins_3.1.0-2_all.deb
to pool/main/c/claws-mail/claws-mail-plugins_3.1.0-2_all.deb
claws-mail-spamassassin_3.1.0-2_amd64.deb
to pool/main/c/claws-mail/claws-mail-spamassassin_3.1.0-2_amd64.deb
claws-mail-tools_3.1.0-2_all.deb
to pool/main/c/claws-mail/claws-mail-tools_3.1.0-2_all.deb
claws-mail-trayicon_3.1.0-2_amd64.deb
to pool/main/c/claws-mail/claws-mail-trayicon_3.1.0-2_amd64.deb
claws-mail_3.1.0-2.diff.gz
to pool/main/c/claws-mail/claws-mail_3.1.0-2.diff.gz
claws-mail_3.1.0-2.dsc
to pool/main/c/claws-mail/claws-mail_3.1.0-2.dsc
claws-mail_3.1.0-2_amd64.deb
to pool/main/c/claws-mail/claws-mail_3.1.0-2_amd64.deb
libclaws-mail-dev_3.1.0-2_amd64.deb
to pool/main/c/claws-mail/libclaws-mail-dev_3.1.0-2_amd64.deb
libsylpheed-claws-gtk2-dev_3.1.0-2_all.deb
to pool/main/c/claws-mail/libsylpheed-claws-gtk2-dev_3.1.0-2_all.deb
sylpheed-claws-gtk2-bogofilter_3.1.0-2_all.deb
to pool/main/c/claws-mail/sylpheed-claws-gtk2-bogofilter_3.1.0-2_all.deb
sylpheed-claws-gtk2-clamav_3.1.0-2_all.deb
to pool/main/c/claws-mail/sylpheed-claws-gtk2-clamav_3.1.0-2_all.deb
sylpheed-claws-gtk2-dillo-viewer_3.1.0-2_all.deb
to pool/main/c/claws-mail/sylpheed-claws-gtk2-dillo-viewer_3.1.0-2_all.deb
sylpheed-claws-gtk2-doc_3.1.0-2_all.deb
to pool/main/c/claws-mail/sylpheed-claws-gtk2-doc_3.1.0-2_all.deb
sylpheed-claws-gtk2-i18n_3.1.0-2_all.deb
to pool/main/c/claws-mail/sylpheed-claws-gtk2-i18n_3.1.0-2_all.deb
sylpheed-claws-gtk2-pgpinline_3.1.0-2_all.deb
to pool/main/c/claws-mail/sylpheed-claws-gtk2-pgpinline_3.1.0-2_all.deb
sylpheed-claws-gtk2-pgpmime_3.1.0-2_all.deb
to pool/main/c/claws-mail/sylpheed-claws-gtk2-pgpmime_3.1.0-2_all.deb
sylpheed-claws-gtk2-plugins_3.1.0-2_all.deb
to pool/main/c/claws-mail/sylpheed-claws-gtk2-plugins_3.1.0-2_all.deb
sylpheed-claws-gtk2-spamassassin_3.1.0-2_all.deb
to pool/main/c/claws-mail/sylpheed-claws-gtk2-spamassassin_3.1.0-2_all.deb
sylpheed-claws-gtk2-trayicon_3.1.0-2_all.deb
to pool/main/c/claws-mail/sylpheed-claws-gtk2-trayicon_3.1.0-2_all.deb
sylpheed-claws-gtk2_3.1.0-2_all.deb
to pool/main/c/claws-mail/sylpheed-claws-gtk2_3.1.0-2_all.deb
A summary of the changes between this version and the previous one is attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 454089@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ricardo Mones <mones@debian.org> (supplier of updated claws-mail package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 04 Dec 2007 12:11:17 +0100
Source: claws-mail
Binary: sylpheed-claws-gtk2-plugins claws-mail sylpheed-claws-gtk2 claws-mail-spamassassin sylpheed-claws-gtk2-pgpinline libsylpheed-claws-gtk2-dev sylpheed-claws-gtk2-bogofilter claws-mail-bogofilter claws-mail-clamav sylpheed-claws-gtk2-dillo-viewer claws-mail-tools claws-mail-pgpinline libclaws-mail-dev sylpheed-claws-gtk2-doc claws-mail-dbg sylpheed-claws-gtk2-spamassassin claws-mail-i18n sylpheed-claws-gtk2-i18n claws-mail-doc sylpheed-claws-gtk2-pgpmime claws-mail-dillo-viewer sylpheed-claws-gtk2-clamav sylpheed-claws-gtk2-trayicon claws-mail-pgpmime claws-mail-plugins claws-mail-trayicon
Architecture: source all amd64
Version: 3.1.0-2
Distribution: unstable
Urgency: high
Maintainer: Ricardo Mones <mones@debian.org>
Changed-By: Ricardo Mones <mones@debian.org>
Description:
claws-mail - Fast, lightweight and user-friendly GTK2 based email client
claws-mail-bogofilter - Bogofilter plugin for Claws Mail
claws-mail-clamav - Clam AntiVirus plugin for Claws Mail
claws-mail-dbg - Debug symbols for Claws Mail mailer
claws-mail-dillo-viewer - HTML viewer plugin for Claws Mail using Dillo
claws-mail-doc - User documentation for Claws Mail mailer
claws-mail-i18n - Locale data for Claws Mail (i18n support)
claws-mail-pgpinline - PGP/inline plugin for Claws Mail
claws-mail-pgpmime - PGP/MIME plugin for Claws Mail
claws-mail-plugins - Installs plugins for the Claws Mail mailer
claws-mail-spamassassin - SpamAssassin plugin for Claws Mail
claws-mail-tools - Helper and utility scripts for Claws Mail mailer
claws-mail-trayicon - Notification area plugin for Claws Mail
libclaws-mail-dev - Development files for Claws Mail plugins
libsylpheed-claws-gtk2-dev - Transition package for Claws Mail renaming
sylpheed-claws-gtk2 - Transition package for Claws Mail renaming
sylpheed-claws-gtk2-bogofilter - Transition package for Claws Mail renaming
sylpheed-claws-gtk2-clamav - Transition package for Claws Mail renaming
sylpheed-claws-gtk2-dillo-viewer - Transition package for Claws Mail renaming
sylpheed-claws-gtk2-doc - Transition package for Claws Mail renaming
sylpheed-claws-gtk2-i18n - Transition package for Claws Mail renaming
sylpheed-claws-gtk2-pgpinline - Transition package for Claws Mail renaming
sylpheed-claws-gtk2-pgpmime - Transition package for Claws Mail renaming
sylpheed-claws-gtk2-plugins - Transition package for Claws Mail renaming
sylpheed-claws-gtk2-spamassassin - Transition package for Claws Mail renaming
sylpheed-claws-gtk2-trayicon - Transition package for Claws Mail renaming
Closes: 454089
Changes:
claws-mail (3.1.0-2) unstable; urgency=high
.
* debian/rules
- CVE-2007-6208: removal of sylprint files (Closes: #454089)
This is a temporary fix, until next upstream version, which
has already removed the files.
Files:
a186a42ad57ee35ec3c33f1f44a98056 1605 mail optional claws-mail_3.1.0-2.dsc
ed6c4413270b19f00881d3d9bed733a6 41114 mail optional claws-mail_3.1.0-2.diff.gz
f97b1573fd695e7f7ee4018f834a81a8 1294550 mail optional claws-mail_3.1.0-2_amd64.deb
9fbc46ac3fd0f9ac9fc2d6611707806d 4030182 mail extra claws-mail-dbg_3.1.0-2_amd64.deb
731c46e5d7ad2efa32063ae92940c096 132576 devel optional libclaws-mail-dev_3.1.0-2_amd64.deb
0c12931898992e74bcfa35585213d941 19894 mail optional claws-mail-plugins_3.1.0-2_all.deb
3748ef6bf6adf2f067694d9832a58fd7 28608 mail optional claws-mail-clamav_3.1.0-2_amd64.deb
e71e050586df4280a90e23f8ac4ec828 27960 mail optional claws-mail-dillo-viewer_3.1.0-2_amd64.deb
4b04100312889ade2542b1111757e011 42912 mail optional claws-mail-spamassassin_3.1.0-2_amd64.deb
42b1c58d8a4cdb7362d3234bc30b8ffe 36668 mail optional claws-mail-trayicon_3.1.0-2_amd64.deb
c39d3a22449d00c3af0d2d1b300531c1 57550 mail optional claws-mail-pgpmime_3.1.0-2_amd64.deb
00ee1291a96fd684df757268fe321f59 30654 mail optional claws-mail-pgpinline_3.1.0-2_amd64.deb
3be7b683987f28e16458e6548aa19749 35432 mail optional claws-mail-bogofilter_3.1.0-2_amd64.deb
0eef205af7bfbc48d53142185b67c4a5 1773776 mail optional claws-mail-i18n_3.1.0-2_all.deb
28dc77abcc8e146186e05a6cf6887b4b 979396 doc optional claws-mail-doc_3.1.0-2_all.deb
a0322f07929ae637fd0737fcf0fe3db9 87466 mail optional claws-mail-tools_3.1.0-2_all.deb
0c3ea59fb8c72c83fa39fbd3a6727c60 19820 mail optional sylpheed-claws-gtk2_3.1.0-2_all.deb
fbd5ec63a4b38db2f1800ecd8a435622 19844 devel optional libsylpheed-claws-gtk2-dev_3.1.0-2_all.deb
f189452b8c41f034666c4669827edbe9 19838 mail optional sylpheed-claws-gtk2-plugins_3.1.0-2_all.deb
b0a73ee9a3c87c09de406d59f81f0b00 19832 mail optional sylpheed-claws-gtk2-clamav_3.1.0-2_all.deb
795ea197d2a942abe9d77cd82b343cfe 19846 mail optional sylpheed-claws-gtk2-dillo-viewer_3.1.0-2_all.deb
c3b51b360e8f73cd0b326955f5479923 19836 mail optional sylpheed-claws-gtk2-doc_3.1.0-2_all.deb
6de2a9036af5c485f365b7310933d9fc 19834 mail optional sylpheed-claws-gtk2-i18n_3.1.0-2_all.deb
0e7695756e16282132f244827a6cf625 19846 mail optional sylpheed-claws-gtk2-pgpinline_3.1.0-2_all.deb
682f2344db852608f1c9912ea76e5f93 19840 mail optional sylpheed-claws-gtk2-pgpmime_3.1.0-2_all.deb
f28c5b477b351e5c436b9544d8b267e7 19840 mail optional sylpheed-claws-gtk2-spamassassin_3.1.0-2_all.deb
a58767b31d30cb6f76deb15577de99bb 19838 mail optional sylpheed-claws-gtk2-trayicon_3.1.0-2_all.deb
9efd0e5bb629a2044e3cc9ac5482b707 19840 mail optional sylpheed-claws-gtk2-bogofilter_3.1.0-2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHVUlTLARVQsm1XawRAuDcAJ4kt73jvrJQE7eMUJEgzTL3yTnoXgCdGPrG
kVuydWBuPweUlwQpiLz35ms=
=pCfD
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Ricardo Mones <mones@debian.org>: Bug#454089; Package claws-mail-tools.
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Ricardo Mones <mones@debian.org>.
Message #27 received at 454089@bugs.debian.org:
Hi Colin,
* Colin Leroy <colin@colino.net> [2007-12-04 13:05]:
> This bug is going to be fixed.
>
> Would it be too much to ask the submitter to handle security issues
> privately until they're resolved, or is it more interesting to have
> them published all over the place[*] when no solution is available?
[...]
To make it short: yes. I do not share your policy for
handling security relevant bugs, especially if you consider
that upstream authors are fairly often unresponsive and this
bug is of minor importance. This is no remote root exploit,
so I don't see your problem. If you don't want people to
write about what you do, then you should not publish
software. What I did is seeing a bug and using the BTS of my
distribution to report it, nothing more.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#454089; Package claws-mail-tools.
Acknowledgement sent to Ricardo Mones <mones@debian.org>: Extra info received and forwarded to list.
Message #32 received at 454089@bugs.debian.org:
Hi Nico,
On Tue, 04 Dec 2007 14:58:26 +0100
Nico Golde <nion@debian.org> wrote:
> Hi Colin,
> * Colin Leroy <colin@colino.net> [2007-12-04 13:05]:
> > This bug is going to be fixed.
> >
> > Would it be too much to ask the submitter to handle security issues
> > privately until they're resolved, or is it more interesting to have
> > them published all over the place[*] when no solution is available?
> [...]
> To make it short yes. I do not share your policy for
> handling security relevant bugs especially if you consider
This is not an upstream policy; it is how most people expect security bugs to
be handled and is part of our Developers Reference [0]. I also know
confidentiality is not required for minor bugs.
> that upstream authors are fairly often unresponsive and this
> bug is of minor importance.
Yep, I agree the bug has minor importance, but generalising on upstream
unresponsiveness as justification for not sending a notice is not a good
idea. Mainly because it makes you look like you don't think or read before
posting, especially when the upstream of that precise script is also the
package maintainer. It also gives arguments to upstreams on generalising how
stupid DDs can be... :-P
> This is no remote root exploit so I don't see your problem. If you don't
I don't see your problem either in sending a private mail first, especially
when there's an explicit request to do it from upstream.
> want people to write about what you do, then you should not publish
> software. What I did is seing a bug and using the BTS of my
> distribution to report it, nothing more.
Pretending you're 'just using the BTS' is even more stupid than the
previous justification or reveals a serious lack of knowledge about how
security bugs are spread.
I know Colin's words were probably not in the best tone, but his request
is fair: nobody likes reading "There was no vendor-supplied solution at the
time of entry." in a security tracker when he had no opportunity to solve the
problem.
Your bug report was good, there was no need to make stupid justifications,
and Colin wasn't saying the opposite, just requested coordination.
BTW, the bug is already closed.
regards,
[0] http://www.us.debian.org/doc/manuals/developers-reference/ch-pkgs.en.html#s-bug-security
--
Ricardo Mones
http://people.debian.org/~mones
«Are you a turtle?»
[signature.asc (application/pgp-signature, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Ricardo Mones <mones@debian.org>: Bug#454089; Package claws-mail-tools.
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Ricardo Mones <mones@debian.org>.
Message #37 received at 454089@bugs.debian.org:
Hi Ricardo,
* Ricardo Mones <mones@debian.org> [2007-12-05 13:15]:
> On Tue, 04 Dec 2007 14:58:26 +0100
> Nico Golde <nion@debian.org> wrote:
> > * Colin Leroy <colin@colino.net> [2007-12-04 13:05]:
> > > This bug is going to be fixed.
> > >
> > > Would it be too much to ask the submitter to handle security issues
> > > privately until they're resolved, or is it more interesting to have
> > > them published all over the place[*] when no solution is available?
> > [...]
> > To make it short yes. I do not share your policy for
> > handling security relevant bugs especially if you consider
>
> This is not a upstream policy, is how most people expect security bugs to
> be handled and is part of our Developers Reference [0]. I also know
> confidentiality it's not required for minor bugs.
I am aware of how to proceed with security bugs; however, the
referenced text is only useful for packages that will get a
DSA and for people who believe in the opposite of full disclosure, which I don't.
> > that upstream authors are fairly often unresponsive and this
> > bug is of minor importance.
>
> Yep I agree the bug has minor importance, but generalising on upstream
> unresponsiveness as justification for not sending a notice is not a good
> idea. Mainly because it makes you look like you don't think or read before
> posting, specially when the upstream of that precise script is also the
> package maintainer. It also gives arguments to upstreams on generalising how
> stupid DDs can be... :-P
Well I had email conversation with nearly every claws
developer now about this and already had while they had a
vulnerable version on their website... I really have no
motivation to discuss this further, have a look in your own
team@claws mailbox.
> > This is no remote root exploit so I don't see your problem. If you don't
>
> I don't see your problem either in sending a private mail first, specially
> when there's a explicit request to do it from upstream.
Simply because I don't share this opinion.
> > want people to write about what you do, then you should not publish
> > software. What I did is seing a bug and using the BTS of my
> > distribution to report it, nothing more.
>
> Pretending you're 'just using the BTS' is even more stupid than the
> previous justification or reveals a serious lack of knowledge about how
> security bugs are spread.
Can you stop the trolling now? What is stupid is that I get
mails by every single claws-mail upstream developer asking
me to contact them first while a developer of theirs is
actually the Debian maintainer; this is stupid if you ask me,
because it's your job to tell your fellow developers about
this. And seriously, you guys should start fixing stuff
instead of being pissed off because it was spread about
security sites (which was not what I did) and being pissed
off because of a bad review in the Linux magazine (at least
that's what I got told by a fellow developer of yours).
> I know Colin's words were probably not in the best tone, but his request
> is fair: nobody likes reading "There was no vendor-supplied solution at the
> time of entry." in a security tracker when he had no opportunity to solve the
> problem.
Then go and piss the guys of secwatch off because I am _NOT_
the one who wrote this text, thanks!
> Your bug report was good, there was no need to made stupid justifications,
> and Colin wasn't saying the opposite, just requested coordination.
Yes and he did when I already got mails by other developers
stating and asking the same in a more or less unfriendlier
way:
Hi Nico
you could contact the team before to write
"There was no vendor-supplied solution at the time of entry."
Really, the whole discussion ended yesterday and now you really need
to give your additional words that don't help too?
You guys should really start working on things instead of wasting your time
with email.
And to be honest, I am not going to contact any of you guys if I find
some bug again, simply because you showed that you are not able to handle
this just because of some bad press.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Ricardo Mones <mones@debian.org>: Bug#454089; Package claws-mail-tools.
Acknowledgement sent to Colin Leroy <colin@colino.net>: Extra info received and forwarded to list. Copy sent to Ricardo Mones <mones@debian.org>.
Message #42 received at 454089@bugs.debian.org:
On Wed, 5 Dec 2007 14:35:03 +0100, Nico Golde wrote:
Hi,
> And to be honest, I am not going to contact any of you guys if I find
> some bug again, simple because you showed that you are not able to
> handle this just because of some bad press.
Dude, it's not about bad press. It's about following procedures.
Anyway, do me a favour, leave security bugs to the people who do it
correctly.
All of the previous vulns have been much better handled:
http://secunia.com/advisories/10061/
http://secunia.com/advisories/14774/
http://secunia.com/advisories/26550/
http://secunia.com/advisories/20476/
We report the ones we find. What in this process makes you think we're
bothered about bad press?
--
Colin
Information forwarded to debian-bugs-dist@lists.debian.org, Ricardo Mones <mones@debian.org>: Bug#454089; Package claws-mail-tools.
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Ricardo Mones <mones@debian.org>.
Message #47 received at 454089@bugs.debian.org:
Hi Colin,
* Colin Leroy <colin@colino.net> [2007-12-05 14:57]:
> On Wed, 5 Dec 2007 14:35:03 +0100, Nico Golde wrote:
> > And to be honest, I am not going to contact any of you guys if I find
> > some bug again, simple because you showed that you are not able to
> > handle this just because of some bad press.
>
> Dude, it's not about bad press. It's about following procedures.
Following whose procedures?
> Anyway, do me a favour, leave security bugs to the people who do it
> correctly.
Do me a favour and leave security bugs to the people
actually doing security work in this distribution. Thanks.
> All of the previous vulns have been much better handled:
> http://secunia.com/advisories/10061/
> http://secunia.com/advisories/14774/
> http://secunia.com/advisories/26550/
> http://secunia.com/advisories/20476/
Oh wait, you are comparing a low impact bug in a contrib
script with those bugs? You must be kidding or at least you seem to have no
clue about the impact of security bugs.
> We report the ones we find. What in this process makes you think we're
> bothered about bad press?
" I know Colin's words were probably not in the best tone, but his request
is fair: nobody likes reading "There was no vendor-supplied solution at the
time of entry." in a security tracker when he had no opportunity to solve the
problem."
What else should this tell me? If you are really just pissed off because you had
no opportunity to fix this before it was on security sites: ok, I don't care,
hate me for this, thanks for the discussion.
Anyway, I am not going to answer any mail regarding this issue from now on
since I see it as a plain waste of time. Stop whining and do something useful with
yours as well.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 03 Jan 2008 07:45:22 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 18:49:49 2019; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.