Debian Bug report logs - #706644
tpp: [CVE-2013-2208] untrusted input file might be harmful
Report forwarded to debian-bugs-dist@lists.debian.org, Nico Golde <nion@debian.org>: Bug#706644; Package tpp. (Thu, 02 May 2013 20:57:09 GMT)
Acknowledgement sent to "W. Martin Borgert" <debacle@debian.org>: New Bug report received and forwarded. Copy sent to Nico Golde <nion@debian.org>. (Thu, 02 May 2013 20:57:09 GMT)
Message #5 received at submit@bugs.debian.org:
Package: tpp
Version: 1.3.1-2
Severity: grave
Tags: security
Please feel free to downgrade the bug report or remove the
security tag. It's just my point of view.
Opening an untrusted input file may be harmful, because tpp
supports an "exec" command, which can do bad things, e.g.
sending your private SSL or GnuPG files or removing your home
directory without any warning or confirmation. The manual page
does not mention this shell-style behaviour. It is probably
unexpected of a presentation program, even a geeky one.
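An added example, not part of the original report or of tpp itself: a Ruby pre-flight check that lists every `--exec` directive in an untrusted .tpp file and produces a copy in which those lines become inert slide text. It assumes tpp directives are lines starting with `--`; the function names are hypothetical and the sample input is constructed.

```ruby
# Added example: audit an untrusted tpp file before opening it.
# Assumption: tpp directives are lines beginning with "--" and
# "--exec <cmd>" runs <cmd>, as the report and changelog describe.

EXEC_LINE = /\A[ \t]*--exec\b[ \t]*(.*?)\s*\z/

# One finding per --exec line: 1-based line number and the command text.
# Indented lines are flagged too, which is deliberately conservative.
def audit_tpp(text)
  findings = []
  # .b treats the file as raw bytes, so Latin-1 slides do not raise.
  text.b.each_line.with_index(1) do |line, lineno|
    m = EXEC_LINE.match(line)
    findings << { line: lineno, command: m[1] } if m
  end
  findings
end

# Copy of the file with every --exec line replaced by plain slide text,
# so the reviewer still sees what the file tried to run.
def neutralize_tpp(text)
  text.b.each_line.map do |line|
    m = EXEC_LINE.match(line)
    m ? "[exec directive removed: #{m[1]}]\n" : line
  end.join
end

# Constructed sample input (not taken from the bug report).
SAMPLE = <<~TPP
  --author Constructed sample
  --title Quarterly numbers
  --newpage intro
  Welcome to the talk
  --exec echo "side effect from slide file" > /tmp/tpp-demo
  --newpage end
  Thanks
TPP

# Command-line use: ruby audit_tpp.rb untrusted.tpp
if __FILE__ == $PROGRAM_NAME && ARGV.any?
  ARGV.each do |path|
    audit_tpp(File.binread(path)).each do |f|
      puts "#{path}:#{f[:line]}: --exec #{f[:command]}"
    end
  end
end
```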
Information forwarded to debian-bugs-dist@lists.debian.org, Nico Golde <nion@debian.org>: Bug#706644; Package tpp. (Thu, 02 May 2013 21:15:08 GMT)
Acknowledgement sent to John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>: Extra info received and forwarded to list. Copy sent to Nico Golde <nion@debian.org>. (Thu, 02 May 2013 21:15:08 GMT)
Message #10 received at 706644@bugs.debian.org:
The package has been orphaned in Debian since 2007 and abandoned by
upstream at the same time since the upstream developer and Debian
maintainer are the same person.
Popcon shows just 113 installations and there are no reverse dependencies.
I therefore suggest removing the package from testing due to its bad shape.
Cheers,
Adrian
--
.''`. John Paul Adrian Glaubitz
: :' : Debian Developer - glaubitz@debian.org
`. `' Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
`- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#706644; Package tpp. (Thu, 02 May 2013 23:18:04 GMT)
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. (Thu, 02 May 2013 23:18:04 GMT)
Message #15 received at 706644@bugs.debian.org:
Hi,
* John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> [2013-05-02 23:15]:
> The package has been orphaned in Debian since 2007 and abandoned by upstream at
> the same time since the upstream developer and Debian maintainer are the same
> person.
>
> Popcon shows just 113 installations and there are no reverse dependencies.
>
> I therefore suggest removing the package from testing due to its bad shape.
FWIW, I'm fine with that. The stuff is easy to address, but I lost interest in
doing so.
Cheers
Nico
--
Nico Golde - XMPP: nion@jabber.ccc.de - GPG: 0xA0A0AAAA
Information forwarded to debian-bugs-dist@lists.debian.org, Nico Golde <nion@debian.org>: Bug#706644; Package tpp. (Fri, 03 May 2013 04:51:04 GMT)
Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>: Extra info received and forwarded to list. Copy sent to Nico Golde <nion@debian.org>. (Fri, 03 May 2013 04:51:04 GMT)
Message #20 received at 706644@bugs.debian.org:
On Fri, 2013-05-03 at 01:13 +0200, Nico Golde wrote:
> * John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> [2013-05-02 23:15]:
> > The package has been orphaned in Debian since 2007 and abandoned by upstream at
> > the same time since the upstream developer and Debian maintainer are the same
> > person.
> >
> > Popcon shows just 113 installations and there are no reverse dependencies.
> >
> > I therefore suggest removing the package from testing due to its bad shape.
>
> FWIW, I'm fine with that. The stuff is easy to address, but I lost interest in
> doing so.
Okay, thanks; hint added.
Regards,
Adam
Added tag(s) pending. Request was from Axel Beckert <abe@debian.org> to control@bugs.debian.org. (Wed, 12 Jun 2013 20:15:10 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Nico Golde <nion@debian.org>: Bug#706644; Package tpp. (Wed, 12 Jun 2013 21:00:04 GMT)
Acknowledgement sent to Axel Beckert <abe@debian.org>: Extra info received and forwarded to list. Copy sent to Nico Golde <nion@debian.org>. (Wed, 12 Jun 2013 21:00:04 GMT)
Message #27 received at 706644@bugs.debian.org:
Hi,
it's too late for Wheezy, but I still have to object:
John Paul Adrian Glaubitz wrote on 02-May-2013:
> The package has been orphaned in Debian since 2007
Wrong. At the time you wrote this mail it was orphaned for a mere 10
days. See http://bugs.debian.org/706041 -- only the last upload was
from 2007.
> and abandoned by upstream at the same time since the upstream
> developer and Debian maintainer are the same person.
Wrong, too. There are two upstream developers and only one abandoned
the project. The last upstream commit was just 13 days before you
wrote this mail. See https://github.com/akrennmair/tpp/commit/050b5712
Regards, Axel
--
,''`. | Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
`- | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
Reply sent to Axel Beckert <abe@debian.org>: You have taken responsibility. (Wed, 12 Jun 2013 21:21:36 GMT)
Notification sent to "W. Martin Borgert" <debacle@debian.org>: Bug acknowledged by developer. (Wed, 12 Jun 2013 21:21:36 GMT)
Message #32 received at 706644-close@bugs.debian.org:
Source: tpp
Source-Version: 1.3.1-3
We believe that the bug you reported is fixed in the latest version of
tpp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 706644@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Axel Beckert <abe@debian.org> (supplier of updated tpp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 12 Jun 2013 22:18:56 +0200
Source: tpp
Binary: tpp
Architecture: source all
Version: 1.3.1-3
Distribution: unstable
Urgency: low
Maintainer: Axel Beckert <abe@debian.org>
Changed-By: Axel Beckert <abe@debian.org>
Description:
tpp - text presentation program
Closes: 669595 671530 671540 705965 706041 706644
Changes:
tpp (1.3.1-3) unstable; urgency=low
.
[ Jari Aalto ]
* Switch from dpatch to source format "3.0 (quilt)". (Closes: #669595)
+ Remove dpatch traces from debian/rules and remove dpatch
build-dependency
* Bump debhelper compatibility to 9
+ Update versioned debhelper build-dependency
* Use dh_prep instead of dh_clean -k
* Fix the following lintian warnings:
+ copyright-refers-to-symlink-license
+ debhelper-but-no-misc-depends
+ debian-rules-missing-recommended-target
* Add watch file
.
[ Axel Beckert ]
* Adopt the package (Closes: #706041)
* Cherry-pick afb57d9 (make key events work on ruby 1.9) from upstream
(Closes: #671530)
* Add patch to make parsing of --exec optional (Closes: #706644)
* Update homepage to point to GitHub
* Fix patch header
* Update watch file to also check release tags at GitHub
* Revamp debian/rules:
+ No more clean up stamp files manually (dh_clean does that now)
+ Remove redundant dh_installchangelogs parameter
+ Don't compress any .tpp example file
+ Replace dh_installexamples parameter with debian/examples
+ Switch to a dh7 style debian/rules file
+ Switch to gem2deb based packaging (Closes: #671540)
Thanks to Per Andersson!
* Suggest texlive-latex-extra instead of transitional package texpower
* Bump Standards-Version to 3.9.4 (no further changes necessary)
* Recode examples to UTF-8 at build time (Closes: #705965)
+ Add build-dependency on recode
* Add Vcs-* headers
* Apply wrap-and-sort
Added tag(s) upstream. Request was from Axel Beckert <abe@debian.org> to control@bugs.debian.org. (Tue, 18 Jun 2013 15:57:04 GMT)
Changed Bug title to 'tpp: [CVE-2013-2208] untrusted input file might be harmful' from 'untrusted input file might be harmful'. Request was from Axel Beckert <abe@debian.org> to control@bugs.debian.org. (Fri, 21 Jun 2013 17:03:04 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 21 Jul 2013 07:29:16 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 13:35:43 2019