babiloo: insecure downloading and unpacking of dictionary files

Related Vulnerabilities: CVE-2007-4559  

Debian Bug report logs - #591995
babiloo: insecure downloading and unpacking of dictionary files


Reported by: Jakub Wilk <jwilk@debian.org>

Date: Fri, 6 Aug 2010 19:51:05 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version babiloo/2.0.9-1

Fixed in version babiloo/2.0.11-1

Done: Marco Rodrigues <gothicx@gmail.com>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#591995; Package babiloo. (Fri, 06 Aug 2010 19:51:08 GMT)


Acknowledgement sent to Jakub Wilk <jwilk@debian.org>:
New Bug report received and forwarded. Copy sent to jwilk@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>. (Fri, 06 Aug 2010 19:51:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: babiloo: insecure downloading and unpacking of dictionary files
Date: Fri, 6 Aug 2010 21:49:46 +0200
Package: babiloo
Version: 2.0.9-1
Severity: grave
Tags: security
Justification: user security hole

babiloo creates temporary files with predictable names, allowing a local 
attacker to overwrite arbitrary files.

An example scenario:

1. Attacker does `ln -sf /file/to/overwrite /tmp/fra_vie.dct.zip`.
2. Victim runs babiloo, selects Dictionaries > Download Dictionaries, selects the "French-Vietnamese" dictionary, and clicks the icon to download it.

In addition to that, babiloo appears to be affected by CVE-2007-4559.

-- 
Jakub Wilk
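The two weaknesses in the report above, as an added example in Python (babiloo is a Python application): this is not babiloo's code and not part of the original report. It shows the predictable-name pattern next to an exclusive, non-following open and a private 0700 download directory, and an archive extractor that refuses any member whose resolved path leaves the destination (the CVE-2007-4559 class of bug in tarfile.extractall) and refuses link members outright. The dictionary name `fra_vie.dct.zip` is taken from the report; the archive contents, the `file-to-overwrite` target and the scratch directory standing in for /tmp are constructed for the demonstration, and the `is_safe_member` check is this example's own technique, not the fix upstream shipped.

```python
import io
import os
import tarfile
import tempfile
import zipfile

def predictable_target(dict_name):
    # Vulnerable pattern: fixed, guessable name in shared /tmp (attacker can `ln -sf` it first).
    return os.path.join("/tmp", dict_name + ".zip")

def open_download_target(path):
    """Hardened open: O_EXCL fails with EEXIST if anything (a planted symlink
    included) already exists; O_NOFOLLOW refuses symlinks where supported."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)

def private_download_dir():
    """Preferred fix: a fresh 0700 directory no other local user can write to."""
    return tempfile.mkdtemp(prefix="babiloo-")

def is_safe_member(dest, member_name):
    """Reject absolute names and names escaping `dest` via '..' (CVE-2007-4559)."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, member_name))
    return os.path.commonpath([dest_real, target]) == dest_real

def safe_extract(archive, dest):
    """Extract an in-memory zip or tar into `dest`, refusing members that would
    land outside it. Link members are refused too: a symlink extracted first
    could redirect a later, apparently safe, member. Returns member names."""
    buf = io.BytesIO(archive)
    if zipfile.is_zipfile(buf):
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                if not is_safe_member(dest, info.filename):
                    raise ValueError("refusing unsafe member %r" % info.filename)
            zf.extractall(dest)
            return zf.namelist()
    buf.seek(0)
    with tarfile.open(fileobj=buf, mode="r:*") as tf:
        members = tf.getmembers()
        for m in members:
            if m.issym() or m.islnk() or not is_safe_member(dest, m.name):
                raise ValueError("refusing unsafe member %r" % m.name)
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tf.extractall(dest, members=members, **extra)  # 'data' filter on 3.12+
        return [m.name for m in members]

def build_archive(kind, entries):
    """Constructed sample archive (not a real dictionary); names kept verbatim."""
    buf = io.BytesIO()
    if kind == "zip":
        with zipfile.ZipFile(buf, "w") as zf:
            for name, data in entries.items():
                zf.writestr(name, data)
    else:
        with tarfile.open(fileobj=buf, mode="w:gz") as tf:
            for name, data in entries.items():
                info = tarfile.TarInfo(name)
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def run_scenarios():
    """Exercise the above in a scratch directory standing in for /tmp."""
    work = tempfile.mkdtemp(prefix="bug591995-")
    r = {}
    planted = os.path.join(work, "fra_vie.dct.zip")   # attacker's `ln -sf`
    victim = os.path.join(work, "file-to-overwrite")  # constructed target
    os.symlink(victim, planted)
    try:
        open_download_target(planted)
        r["planted_symlink_refused"] = False
    except FileExistsError:
        r["planted_symlink_refused"] = True
    r["victim_untouched"] = not os.path.exists(victim)
    priv = private_download_dir()
    os.close(open_download_target(os.path.join(priv, "fra_vie.dct.zip")))
    r["private_dir_mode_0700"] = (os.stat(priv).st_mode & 0o777) == 0o700
    dest = os.path.join(work, "dicts")
    os.mkdir(dest)
    try:
        safe_extract(build_archive("tar", {"../evil.txt": b"pwned"}), dest)
        r["traversal_refused"] = False
    except ValueError:
        r["traversal_refused"] = True
    r["nothing_escaped"] = not os.path.exists(os.path.join(work, "evil.txt"))
    safe_extract(build_archive("zip", {"fra_vie/fra_vie.dct": b"constructed"}), dest)
    safe_extract(build_archive("tar", {"fra_vie/fra_vie.idx": b"constructed"}), dest)
    r["good_archives_extracted"] = all(os.path.isfile(os.path.join(dest, "fra_vie", f))
                                       for f in ("fra_vie.dct", "fra_vie.idx"))
    return r

if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print("%-26s %s" % (name, "OK" if ok else "FAIL"))
```

The exclusive open alone only turns the attack into a denial of service (the download fails instead of overwriting the victim's file), which is why the private directory is the fix to reach for; the member check is done over the whole archive before anything is written, so a malicious entry late in the listing cannot follow benign ones onto disk.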

Information forwarded to debian-bugs-dist@lists.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#591995; Package babiloo. (Sat, 04 Sep 2010 22:42:03 GMT)


Acknowledgement sent to Marco Rodrigues <gothicx@gmail.com>:
Extra info received and forwarded to list. Copy sent to Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>. (Sat, 04 Sep 2010 22:42:03 GMT)


Message #10 received at 591995@bugs.debian.org:

From: Marco Rodrigues <gothicx@gmail.com>
To: 591995@bugs.debian.org
Cc: jwilk@debian.org
Subject: About babiloo security bug
Date: Sat, 4 Sep 2010 23:39:17 +0100
Hi Jakub!

I would try to fix it ASAP.

Thank you

-- 
Marco Rodrigues

http://www.marblehole.com




Added tag(s) upstream. Request was from kmos@kmos.homeip.net (Marco Rodrigues) to control@bugs.debian.org. (Mon, 13 Sep 2010 23:27:05 GMT)


Added tag(s) fixed-upstream. Request was from kmos@kmos.homeip.net (Marco Rodrigues) to control@bugs.debian.org. (Sat, 18 Sep 2010 13:21:04 GMT)


Added tag(s) pending. Request was from gothicx-guest@users.alioth.debian.org to control@bugs.debian.org. (Wed, 22 Sep 2010 22:03:09 GMT)


Reply sent to Marco Rodrigues <gothicx@gmail.com>:
You have taken responsibility. (Wed, 29 Sep 2010 22:06:05 GMT)


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Wed, 29 Sep 2010 22:06:05 GMT)


Message #21 received at 591995-close@bugs.debian.org:

From: Marco Rodrigues <gothicx@gmail.com>
To: 591995-close@bugs.debian.org
Subject: Bug#591995: fixed in babiloo 2.0.11-1
Date: Wed, 29 Sep 2010 22:02:05 +0000
Source: babiloo
Source-Version: 2.0.11-1

We believe that the bug you reported is fixed in the latest version of
babiloo, which is due to be installed in the Debian FTP archive:

babiloo_2.0.11-1.diff.gz
  to main/b/babiloo/babiloo_2.0.11-1.diff.gz
babiloo_2.0.11-1.dsc
  to main/b/babiloo/babiloo_2.0.11-1.dsc
babiloo_2.0.11-1_all.deb
  to main/b/babiloo/babiloo_2.0.11-1_all.deb
babiloo_2.0.11.orig.tar.gz
  to main/b/babiloo/babiloo_2.0.11.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 591995@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marco Rodrigues <gothicx@gmail.com> (supplier of updated babiloo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 28 Sep 2010 22:30:41 +0100
Source: babiloo
Binary: babiloo
Architecture: source all
Version: 2.0.11-1
Distribution: unstable
Urgency: low
Maintainer: Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>
Changed-By: Marco Rodrigues <gothicx@gmail.com>
Description: 
 babiloo    - dictionary viewer with multi-languages support
Closes: 591995
Changes: 
 babiloo (2.0.11-1) unstable; urgency=low
 .
   * New upstream version (Closes: #591995).
   * debian/control:
     + Move python-qt4 to Recommends. Thanks Jakub Wilk for the tip.
     + Change my e-mail address.
   * debian/copyright:
     + Change my e-mail address.
   * debian/control:
     - Bump Standards-Version to 3.9.1, no changes required.
Checksums-Sha1: 
 52c7a1176b1dd4050e30691df809946a23304c1a 1334 babiloo_2.0.11-1.dsc
 bee082229588bfc2b7c55ae3c8e173f6ca10a789 949765 babiloo_2.0.11.orig.tar.gz
 5e5197212e75b2644e82f368c64e586866a26d9c 2946 babiloo_2.0.11-1.diff.gz
 b33344c2cff18c05f9f2943204626099734f3e87 895280 babiloo_2.0.11-1_all.deb
Checksums-Sha256: 
 2e673076315992b1ca8d697ae001726b27a2c823436bf1eba3f8da9708ec7c38 1334 babiloo_2.0.11-1.dsc
 2b7fa4b0336c1664b87f9018cd8dbd0fe20edf25f4c57eb17e41c1095199611b 949765 babiloo_2.0.11.orig.tar.gz
 bca1aef85eb9fc0836c65994bcacf0d1e4e76d5b1c15ba83ae40d372dd0a2798 2946 babiloo_2.0.11-1.diff.gz
 f0e93409c9dbbb136ff85e00d4a3b6b84d9aaedd21311fbbfd31c4b2bbe72aa5 895280 babiloo_2.0.11-1_all.deb
Files: 
 cb3c2489e413658b357ba93bcc111291 1334 utils optional babiloo_2.0.11-1.dsc
 c384c6874590517515a20d8530b85ab1 949765 utils optional babiloo_2.0.11.orig.tar.gz
 19456945e7291be2e119583c605446a4 2946 utils optional babiloo_2.0.11-1.diff.gz
 08328cdab08ddce4a1eb49bee175ff37 895280 utils optional babiloo_2.0.11-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkyjs98ACgkQB01zfu119ZnC6ACfQPOLCo8EZgakA8LcbjTvilom
9h0An3upBm2X9Q2/IfNd58xvAiSTIYOl
=pJ5A
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 28 Oct 2010 07:35:00 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:46:52 2019; Machine Name: beach
