CVE-2010-1160, CVE-2010-1161: two security issues

Related Vulnerabilities: CVE-2010-1160, CVE-2010-1161

Debian Bug report logs - #577817


Package: nano; Maintainer for nano is Jordi Mallach <jordi@debian.org>; Source for nano is src:nano.

Reported by: Florian Weimer <fw@deneb.enyo.de>

Date: Wed, 14 Apr 2010 20:57:01 UTC

Severity: normal

Tags: security

Found in versions nano/2.2.3-1, nano/2.0.7-4

Fixed in version nano/2.2.4-1

Done: Jordi Mallach <jordi@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Jordi Mallach <jordi@debian.org>:
Bug#577817; Package nano. (Wed, 14 Apr 2010 20:57:04 GMT)


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to Jordi Mallach <jordi@debian.org>. (Wed, 14 Apr 2010 20:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: submit@bugs.debian.org
Subject: CVE-2010-1160, CVE-2010-1161: two security issues
Date: Wed, 14 Apr 2010 22:28:01 +0200
Package: nano
Tags: security

| Two issues were recently addressed upstream for GNU nano to provide
| better security when editing files owned by other untrusted users,
| especially when editing as root.  I'm not sure if either of these
| issues require CVE identifiers due to the narrow circumstances in
| which they can be exploited, but I figured I'd leave that up to you.
| 
| Changelog is at
| http://svn.savannah.gnu.org/viewvc/trunk/nano/ChangeLog?root=nano&view=log,
| relevant entries at revisions 4490, 4491, 4493, and 4496.

<http://www.openwall.com/lists/oss-security/2010/04/14/4>, see the
followup <http://www.openwall.com/lists/oss-security/2010/04/14/6>
for CVE IDs.

This should be fixed for lenny through stable-proposed-updates
because those issues seem to be minor.




Reply sent to Jordi Mallach <jordi@debian.org>:
You have taken responsibility. (Thu, 15 Apr 2010 23:03:10 GMT)


Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer. (Thu, 15 Apr 2010 23:03:10 GMT)


Message #10 received at 577817-close@bugs.debian.org:

From: Jordi Mallach <jordi@debian.org>
To: 577817-close@bugs.debian.org
Subject: Bug#577817: fixed in nano 2.2.4-1
Date: Thu, 15 Apr 2010 23:02:14 +0000
Source: nano
Source-Version: 2.2.4-1

We believe that the bug you reported is fixed in the latest version of
nano, which is due to be installed in the Debian FTP archive:

nano-tiny_2.2.4-1_amd64.deb
  to main/n/nano/nano-tiny_2.2.4-1_amd64.deb
nano-tiny_2.2.4-1_i386.deb
  to main/n/nano/nano-tiny_2.2.4-1_i386.deb
nano-udeb_2.2.4-1_amd64.udeb
  to main/n/nano/nano-udeb_2.2.4-1_amd64.udeb
nano-udeb_2.2.4-1_i386.udeb
  to main/n/nano/nano-udeb_2.2.4-1_i386.udeb
nano_2.2.4-1.debian.tar.gz
  to main/n/nano/nano_2.2.4-1.debian.tar.gz
nano_2.2.4-1.dsc
  to main/n/nano/nano_2.2.4-1.dsc
nano_2.2.4-1_amd64.deb
  to main/n/nano/nano_2.2.4-1_amd64.deb
nano_2.2.4-1_i386.deb
  to main/n/nano/nano_2.2.4-1_i386.deb
nano_2.2.4.orig.tar.gz
  to main/n/nano/nano_2.2.4.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 577817@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jordi Mallach <jordi@debian.org> (supplier of updated nano package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 15 Apr 2010 19:26:23 +0200
Source: nano
Binary: nano nano-tiny nano-udeb
Architecture: amd64 i386 source
Version: 2.2.4-1
Distribution: unstable
Urgency: low
Maintainer: Jordi Mallach <jordi@debian.org>
Changed-By: Jordi Mallach <jordi@debian.org>
Closes: 577817
Description: 
 nano       - small, friendly text editor inspired by Pico
 nano-tiny  - small, friendly text editor inspired by Pico - tiny build
 nano-udeb  - small, friendly text editor inspired by Pico - udeb (udeb)
Changes: 
 nano (2.2.4-1) unstable; urgency=low
 .
   * The "905€" release.
   * New upstream release.
     - fixes minor security issues: symlink attack (CVE-2010-1160)
       and ownership of arbitrary files (CVE-2010-1161). Closes: #577817.





Bug Marked as found in versions nano/2.0.7-4. Request was from Jordi Mallach <jordi@debian.org> to control@bugs.debian.org. (Sat, 17 Apr 2010 07:45:03 GMT)


Bug Marked as found in versions nano/2.2.3-1. Request was from Jordi Mallach <jordi@debian.org> to control@bugs.debian.org. (Sat, 17 Apr 2010 07:45:03 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 24 May 2010 07:32:35 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:06:21 2019; Machine Name: beach
