localepurge: CVE-2014-1638: tmp file vulnerability

Related Vulnerabilities: CVE-2014-1638  

Debian Bug report logs - #736359

Reported by: Helmut Grohne <helmut@subdivi.de>

Date: Wed, 22 Jan 2014 18:15:12 UTC

Severity: important

Tags: security

Found in version localepurge/0.6.2+nmu1

Fixed in versions localepurge/0.7.3.2, localepurge/0.6.3+deb7u1, localepurge/0.6.2+nmu1+squeeze1

Done: Niels Thykier <niels@thykier.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Niels Thykier <niels@thykier.net>:
Bug#736359; Package localepurge. (Wed, 22 Jan 2014 18:15:16 GMT)


Acknowledgement sent to Helmut Grohne <helmut@subdivi.de>:
New Bug report received and forwarded. Copy sent to Niels Thykier <niels@thykier.net>. (Wed, 22 Jan 2014 18:15:16 GMT)


Message #5 received at submit@bugs.debian.org:

From: Helmut Grohne <helmut@subdivi.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: localepurge: tmp file vulnerability
Date: Wed, 22 Jan 2014 19:05:06 +0100
Package: localepurge
Version: 0.6.2+nmu1
Severity: important
Tags: security

Hi Niels,

the maintainer scripts of localepurge contain a funny tmp file
vulnerability:

$ grep tempfile -r .
./debian/postrm:    DEBREINSTALL="$(tempfile).$$"
./debian/localepurge.config:TEMPFILE=$(tempfile).$$
./debian/localepurge.config:LOCALEGEN=$(tempfile).locale.gen
$

All of them are doing it wrong. They create a secure tempfile, but don't
use it and instead generate a (now) predictable(!) name without opening
it in a safe (O_CREAT) way.

Helmut
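
The pattern reported above, as an added example that is not part of the original message or of the localepurge package: a heuristic audit that flags shell lines appending a suffix to the output of `tempfile` or `mktemp`, run over the three reported assignments and over a corrected form. The function names, the regular expression, the `localepurge-demo` template and the "after" lines are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not localepurge code): audit shell scripts for temp-file
# names derived from tempfile/mktemp output, and show the safe form.

# Print "lineno:text" for every line that appends a suffix to the output of
# tempfile or mktemp. The suffixed path was never created by the tool, so a
# later redirection to it opens a guessable name without exclusive creation.
find_derived_tmp_names() {
    grep -nE '(\$\((tempfile|mktemp)[^)]*\)|`(tempfile|mktemp)[^`]*`)"?[.$A-Za-z0-9_-]' "$1"
}

# Number of offending lines in file $1 (0 when the file is clean).
count_derived_tmp_names() {
    find_derived_tmp_names "$1" | wc -l | tr -d ' '
}

# Safe form: let mktemp create the file and use the returned name unchanged.
# The template name is constructed for this demo.
make_private_tmp() {
    mktemp "${TMPDIR:-/tmp}/localepurge-demo.XXXXXX"
}

# Constructed sample input: the three assignments quoted in the report.
write_reported_lines() {
    cat > "$1" <<'EOF'
DEBREINSTALL="$(tempfile).$$"
TEMPFILE=$(tempfile).$$
LOCALEGEN=$(tempfile).locale.gen
EOF
}

# Constructed sample input: the same variables assigned without a suffix.
write_fixed_lines() {
    cat > "$1" <<'EOF'
DEBREINSTALL="$(mktemp)"
TEMPFILE="$(mktemp)"
LOCALEGEN="$(mktemp)"
EOF
}

workdir=$(mktemp -d) || exit 1
trap 'rm -rf "$workdir"' EXIT
write_reported_lines "$workdir/before.sh"
write_fixed_lines "$workdir/after.sh"
echo "before: $(count_derived_tmp_names "$workdir/before.sh") finding(s)"
find_derived_tmp_names "$workdir/before.sh"
echo "after:  $(count_derived_tmp_names "$workdir/after.sh") finding(s)"
```

The check is a line-based heuristic: it does not follow variables, so a suffix appended on a later line is not reported.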



Changed Bug title to 'localepurge: CVE-2014-1638: tmp file vulnerability' from 'localepurge: tmp file vulnerability' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 23 Jan 2014 05:36:05 GMT)


Reply sent to Niels Thykier <niels@thykier.net>:
You have taken responsibility. (Sun, 26 Jan 2014 09:51:30 GMT)


Notification sent to Helmut Grohne <helmut@subdivi.de>:
Bug acknowledged by developer. (Sun, 26 Jan 2014 09:51:30 GMT)


Message #12 received at 736359-close@bugs.debian.org:

From: Niels Thykier <niels@thykier.net>
To: 736359-close@bugs.debian.org
Subject: Bug#736359: fixed in localepurge 0.7.3.2
Date: Sun, 26 Jan 2014 09:49:07 +0000
Source: localepurge
Source-Version: 0.7.3.2

We believe that the bug you reported is fixed in the latest version of
localepurge, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 736359@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niels Thykier <niels@thykier.net> (supplier of updated localepurge package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 26 Jan 2014 10:31:20 +0100
Source: localepurge
Binary: localepurge
Architecture: source all
Version: 0.7.3.2
Distribution: unstable
Urgency: high
Maintainer: Niels Thykier <niels@thykier.net>
Changed-By: Niels Thykier <niels@thykier.net>
Description: 
 localepurge - reclaim disk space by removing unneeded localizations
Closes: 736359
Changes: 
 localepurge (0.7.3.2) unstable; urgency=high
 .
   * [CVE-2014-1638] Create tempfiles in a safe manner using
     mktemp.  Thanks to Helmut Grohne for reporting the
     issue and helping with the patch.  (Closes: #736359)
   * Properly quote the usage / initialisation of the variables
     containing temp files.
   * Remove the creation of /var/tmp/reinstall_debs.sh during
     postrm.




Reply sent to Niels Thykier <niels@thykier.net>:
You have taken responsibility. (Fri, 31 Jan 2014 22:36:20 GMT)


Notification sent to Helmut Grohne <helmut@subdivi.de>:
Bug acknowledged by developer. (Fri, 31 Jan 2014 22:36:20 GMT)


Message #17 received at 736359-close@bugs.debian.org:

From: Niels Thykier <niels@thykier.net>
To: 736359-close@bugs.debian.org
Subject: Bug#736359: fixed in localepurge 0.6.3+deb7u1
Date: Fri, 31 Jan 2014 22:32:21 +0000
Source: localepurge
Source-Version: 0.6.3+deb7u1

We believe that the bug you reported is fixed in the latest version of
localepurge, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 736359@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niels Thykier <niels@thykier.net> (supplier of updated localepurge package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 31 Jan 2014 18:44:30 +0100
Source: localepurge
Binary: localepurge
Architecture: source all
Version: 0.6.3+deb7u1
Distribution: wheezy
Urgency: medium
Maintainer: Niels Thykier <niels@thykier.net>
Changed-By: Niels Thykier <niels@thykier.net>
Description: 
 localepurge - Reclaim disk space removing unneeded localizations
Closes: 736359
Changes: 
 localepurge (0.6.3+deb7u1) wheezy; urgency=medium
 .
    * [CVE-2014-1638] Create tempfiles in a safe manner using
      mktemp.  Thanks to Helmut Grohne for reporting the
      issue and helping with the patch.  (Closes: #736359)
    * Remove the creation of /var/tmp/reinstall_debs.sh during
      postrm.




Reply sent to Niels Thykier <niels@thykier.net>:
You have taken responsibility. (Sat, 01 Feb 2014 19:19:03 GMT)


Notification sent to Helmut Grohne <helmut@subdivi.de>:
Bug acknowledged by developer. (Sat, 01 Feb 2014 19:19:03 GMT)


Message #22 received at 736359-close@bugs.debian.org:

From: Niels Thykier <niels@thykier.net>
To: 736359-close@bugs.debian.org
Subject: Bug#736359: fixed in localepurge 0.6.2+nmu1+squeeze1
Date: Sat, 01 Feb 2014 19:17:43 +0000
Source: localepurge
Source-Version: 0.6.2+nmu1+squeeze1

We believe that the bug you reported is fixed in the latest version of
localepurge, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 736359@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niels Thykier <niels@thykier.net> (supplier of updated localepurge package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 31 Jan 2014 18:44:30 +0100
Source: localepurge
Binary: localepurge
Architecture: source all
Version: 0.6.2+nmu1+squeeze1
Distribution: squeeze
Urgency: medium
Maintainer: Paul Seelig <pseelig@debian.org>
Changed-By: Niels Thykier <niels@thykier.net>
Description: 
 localepurge - Reclaim disk space removing unneeded localizations
Closes: 736359
Changes: 
 localepurge (0.6.2+nmu1+squeeze1) squeeze; urgency=medium
 .
    * [CVE-2014-1638] Create tempfiles in a safe manner using
      mktemp.  Thanks to Helmut Grohne for reporting the
      issue and helping with the patch.  (Closes: #736359)
    * Remove the creation of /var/tmp/reinstall_debs.sh during
      postrm.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Mar 2014 07:30:37 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:44:31 2019; Machine Name: beach
