Bug#756432: possible security issue on gummi/0.6.5-3

Daniel Stender debian at danielstender.com
Thu Oct 8 11:05:30 UTC 2015


On 08.10.2015 13:00, Salvatore Bonaccorso wrote:
> Hello Daniel,
> 
> On Thu, Oct 08, 2015 at 12:20:27PM +0200, Daniel Stender wrote:
>> Hello,
>>
>> there was a bug reported on gummi/0.6.5-3 [1], the program uses
>> predictable filenames in /tmp [2].
>>
>> I'm going to fix that problem now (upstream is dead). Question: do
>> we have a (minor) security related problem here, which also needs to
>> be fixed for stable? I've learned from another case that this might
>> be a problematic race condition [3].
> 
> Thanks for going to fix this in unstable already. For wheezy and
> jessie: This issue does not warrant on its own a DSA, in particular
> since such issues are mitigated in Debian: cf.
> https://www.debian.org/releases/stable/amd64/release-notes/ch-whats-new.en.html#security
> 
> But: Could you fix this in wheezy and jessie via the proposed-updates
> mechanism? See
> https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable
> 
> Regards,
> Salvatore

Thx for the quick reply!

Yes, o.k., I'm going to fix this as non-dsa over proposed updates. I guess
a CVE request on this is not necessary, is it? Are you going to create an
entry in the security tracker, anyway? 

DS

-- 
4096R/DF5182C8
46CB 1CA8 9EA3 B743 7676 1DB9 15E0 9AF4 DF51 82C8
LPI certified Linux admin (LPI000329859 64mz6f7kt4)
http://www.danielstender.com/blog/



More information about the debian-science-maintainers mailing list