Debian Bug report logs -
#534731
stardict broadcasts clipboard context over network
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Andrew Lee <andrew@linux.org.tw>:
Bug#534731; Package stardict.
(Fri, 26 Jun 2009 18:27:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Pavel Machek <pavel@ucw.cz>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Andrew Lee <andrew@linux.org.tw>.
(Fri, 26 Jun 2009 18:27:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: stardict
Version: 3.0.1-4.1
Severity: grave
Tags: security
Justification: user security hole
In default config "enable net dict" is selected, it attempts to grab
clipboard and sends it over network... Unfortunately, not nearly all
data in clipboard are meant for translation, and some may be pretty
sensitive.
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.30 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=cs_CZ (charmap=ISO-8859-2)
Shell: /bin/sh linked to /bin/bash
Versions of packages stardict depends on:
ii stardict-gnome 3.0.1-4.1 International dictionary for GNOME
stardict recommends no packages.
stardict suggests no packages.
-- no debconf information
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#534731; Package stardict.
(Mon, 06 Jul 2009 07:00:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Andrew Lee <andrew@linux.org.tw>:
Extra info received and forwarded to list.
(Mon, 06 Jul 2009 07:00:03 GMT) (full text, mbox, link).
Message #10 received at 534731@bugs.debian.org (full text, mbox, reply):
Hi Pavel,
I am not sure what's the best way to solve this issue.
I guess we can make a GConf schema registration scripts for the
package. But it seems to me that only stardict-gnome can be benefit by
the script and stardict-gtk doesn't.
Does anyone has better soultion than completely disable the netdict
plugin in build?
-Andrew
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#534731; Package stardict.
(Sun, 12 Jul 2009 13:39:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Andrew Lee <andrew@linux.org.tw>:
Extra info received and forwarded to list.
(Sun, 12 Jul 2009 13:39:07 GMT) (full text, mbox, link).
Message #17 received at 534731@bugs.debian.org (full text, mbox, reply):
Dear security team,
My package 'stardict' got CVE-2009-2260 report:
https://sourceforge.net/tracker/?func=detail&aid=2814932&group_id=80679&atid=560632
I am preparing a updated package for unstable based on the patches from
RedHat's Bugzilla. I will upload it to unstable within 6 hours.
Please let me know how to handle this update for stable after you review
my updated package in unstable.
Thanks very much,
-Andrew
Reply sent
to Andrew Lee <andrew@linux.org.tw>:
You have taken responsibility.
(Sun, 12 Jul 2009 16:33:09 GMT) (full text, mbox, link).
Notification sent
to Pavel Machek <pavel@ucw.cz>:
Bug acknowledged by developer.
(Sun, 12 Jul 2009 16:33:09 GMT) (full text, mbox, link).
Message #22 received at 534731-close@bugs.debian.org (full text, mbox, reply):
Source: stardict
Source-Version: 3.0.1-5
We believe that the bug you reported is fixed in the latest version of
stardict, which is due to be installed in the Debian FTP archive:
stardict-common_3.0.1-5_all.deb
to pool/main/s/stardict/stardict-common_3.0.1-5_all.deb
stardict-gnome_3.0.1-5_i386.deb
to pool/main/s/stardict/stardict-gnome_3.0.1-5_i386.deb
stardict-gtk_3.0.1-5_i386.deb
to pool/main/s/stardict/stardict-gtk_3.0.1-5_i386.deb
stardict-plugin-espeak_3.0.1-5_i386.deb
to pool/main/s/stardict/stardict-plugin-espeak_3.0.1-5_i386.deb
stardict-plugin-festival_3.0.1-5_i386.deb
to pool/main/s/stardict/stardict-plugin-festival_3.0.1-5_i386.deb
stardict-plugin-gucharmap_3.0.1-5_i386.deb
to pool/main/s/stardict/stardict-plugin-gucharmap_3.0.1-5_i386.deb
stardict-plugin-spell_3.0.1-5_i386.deb
to pool/main/s/stardict/stardict-plugin-spell_3.0.1-5_i386.deb
stardict-plugin_3.0.1-5_i386.deb
to pool/main/s/stardict/stardict-plugin_3.0.1-5_i386.deb
stardict_3.0.1-5.diff.gz
to pool/main/s/stardict/stardict_3.0.1-5.diff.gz
stardict_3.0.1-5.dsc
to pool/main/s/stardict/stardict_3.0.1-5.dsc
stardict_3.0.1-5_all.deb
to pool/main/s/stardict/stardict_3.0.1-5_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 534731@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andrew Lee <andrew@linux.org.tw> (supplier of updated stardict package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 12 Jul 2009 21:17:43 +0800
Source: stardict
Binary: stardict stardict-gnome stardict-gtk stardict-plugin-espeak stardict-plugin-festival stardict-plugin-gucharmap stardict-plugin-spell stardict-plugin stardict-common
Architecture: source all i386
Version: 3.0.1-5
Distribution: unstable
Urgency: high
Maintainer: Andrew Lee <andrew@linux.org.tw>
Changed-By: Andrew Lee <andrew@linux.org.tw>
Description:
stardict - International dictionary
stardict-common - International dictionary - data files
stardict-gnome - International dictionary for GNOME 2
stardict-gtk - International dictionary written in GTK+ 2.x
stardict-plugin - International dictionary - common plugins
stardict-plugin-espeak - International dictionary - eSpeak TTS plugin
stardict-plugin-festival - International dictionary - Festival TTS plugin
stardict-plugin-gucharmap - International dictionary - gucharmap plugin
stardict-plugin-spell - International dictionary - spell plugin
Closes: 526162 534731
Changes:
stardict (3.0.1-5) unstable; urgency=high
.
* Applied 07_disable_netdict.dpatch: (Closes:#534731) CVE-2009-2260
- disable netdict by default
- giving warning message
* Added --disable-dictdotcn option for CVE-2009-2260
* Update 05_g++-4.4.dpatch (Closes:#526162)
* debian/control:
- Added proper ${misc:Depends}
- Replaced build-depends scrollkeeper with rarian-compat
- Bumped Standard-version to 3.8.2
* debian/rules:
- Drop deprecated dh_scrollkeeper
Checksums-Sha1:
8dc4dc22b200cb2b708a8624afc4153c37fb4de7 1611 stardict_3.0.1-5.dsc
da5e6b0e76c9fe2ff6fae9424765b0b94bddb6c1 37999 stardict_3.0.1-5.diff.gz
9befdae952826a181472767dbda3256434143ef6 13954 stardict_3.0.1-5_all.deb
d13e9edef3c540398826144b407d812680c433bd 994300 stardict-gnome_3.0.1-5_i386.deb
ea9ddb33fe6269f75fd5ba37d475c02fa97d2c41 297004 stardict-gtk_3.0.1-5_i386.deb
a5282f86050d3514cd019c9d34da5bc6a95e2dcf 5476 stardict-plugin-espeak_3.0.1-5_i386.deb
97ea2396867c5991818f471afa006975e5fd96e9 418144 stardict-plugin-festival_3.0.1-5_i386.deb
56d12c948b1c79861d1060c399833e5daade7172 8982 stardict-plugin-gucharmap_3.0.1-5_i386.deb
eb4e75be8f09573a569c23203f606e469cab0688 10052 stardict-plugin-spell_3.0.1-5_i386.deb
67ffb605ee638acd8d4fdd812af744f34b7afbbc 91146 stardict-plugin_3.0.1-5_i386.deb
b26a9ffb5d5e1e20d1e5480a7208d644725e443e 179894 stardict-common_3.0.1-5_all.deb
Checksums-Sha256:
33c1d952b397b01368473a529098bd2953cc20672a1c397c057784ecda7c6358 1611 stardict_3.0.1-5.dsc
d397bd219babe68f30a1b35a7bad9751a8624f1965e9a83cb0542b2c3100d937 37999 stardict_3.0.1-5.diff.gz
b73598db4689ceb5875d167219f6ef25304aca760379dd04f8c27da073f661e7 13954 stardict_3.0.1-5_all.deb
03b27d67c4d56bea91eb9ad1847f2f1d206c84f0006de124f4a615fd699a80c2 994300 stardict-gnome_3.0.1-5_i386.deb
8976d4f1bb27d2a368b0b24ed1ad90572f6edbe7b63e083643c80fdeef47d884 297004 stardict-gtk_3.0.1-5_i386.deb
1c87a5800acc02caf079bd80dbba02b3192f24835aa9ba9a531d14ebd40351fe 5476 stardict-plugin-espeak_3.0.1-5_i386.deb
a018f9af2e64dd7b8272a79def5a4dfebf3ad3b2d123ce140a186f101f667d2c 418144 stardict-plugin-festival_3.0.1-5_i386.deb
8b1d579b0f2b084626710ef8b0b46f1a8f7db563bc9dba24983b5ee5ab4ae4ed 8982 stardict-plugin-gucharmap_3.0.1-5_i386.deb
d4ac548aec4601c14ace3c7a5d5c22e0885ddff2f407addb649b94894fdd93a9 10052 stardict-plugin-spell_3.0.1-5_i386.deb
ab7c4ad290054498c5b55c177107d4258dd87139efb5630896fd980875d20238 91146 stardict-plugin_3.0.1-5_i386.deb
632bf953a1ee16c4153e446f9777cd1f715cbf74e2a1a0b8009cf66c1861ece2 179894 stardict-common_3.0.1-5_all.deb
Files:
2ede5a3c8fd1794e8c1f8ad66a7809fa 1611 utils optional stardict_3.0.1-5.dsc
bc8bcfbe4f8a5286a55603ecdaf0dd97 37999 utils optional stardict_3.0.1-5.diff.gz
acd25cec11783790ec2c087e72e25951 13954 utils optional stardict_3.0.1-5_all.deb
85564ca2d53967d91a9733759b683b4d 994300 utils optional stardict-gnome_3.0.1-5_i386.deb
8ba258d6ae63f047c1c3f6d9b353679d 297004 utils optional stardict-gtk_3.0.1-5_i386.deb
debbfbbec99563bd2925a066f1592d8a 5476 utils optional stardict-plugin-espeak_3.0.1-5_i386.deb
05fecb2ca59edd5840e14ef239f512fa 418144 utils optional stardict-plugin-festival_3.0.1-5_i386.deb
421688bb45c5f64ca54b8e24a87281ab 8982 utils optional stardict-plugin-gucharmap_3.0.1-5_i386.deb
5ec08e7e3c7f24c9b30deac169197fec 10052 utils optional stardict-plugin-spell_3.0.1-5_i386.deb
2b3b9cdef7fc17e52c8256628272ebc9 91146 utils optional stardict-plugin_3.0.1-5_i386.deb
00b19ef745176ada5e0a87bf7e0d9a95 179894 utils optional stardict-common_3.0.1-5_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEUEARECAAYFAkpZ6iYACgkQnQYz4bYlCYV8qwCffHTtSrXQwJUhNthnQvYCYREo
Uu0AmKgRLWiQgTZlfhF1Hi8CupvMzk0=
=lIIl
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Andrew Lee <andrew@linux.org.tw>:
Bug#534731; Package stardict.
(Thu, 16 Jul 2009 14:00:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Andrew Lee <andrew@linux.org.tw>.
(Thu, 16 Jul 2009 14:00:04 GMT) (full text, mbox, link).
Message #27 received at 534731@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
* Andrew Lee <andrew@linux.org.tw> [2009-07-12 15:32]:
> My package 'stardict' got CVE-2009-2260 report:
> https://sourceforge.net/tracker/?func=detail&aid=2814932&group_id=80679&atid=560632
>
> I am preparing a updated package for unstable based on the patches from
> RedHat's Bugzilla. I will upload it to unstable within 6 hours.
>
> Please let me know how to handle this update for stable after you review
> my updated package in unstable.
Given that the exploit scenario is rather obscure and the
impact should be close to zero for most people who installed
stardict I think this doesn't justify a DSA. However it
would be nice if you could provide updated packages via
stable-proposed-updates.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 14 Aug 2009 07:33:12 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 12:59:21 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon