Bug#756432: possible security issue on gummi/0.6.5-3

Salvatore Bonaccorso carnil at debian.org
Thu Oct 8 11:29:49 UTC 2015


Hi Daniel,

On Thu, Oct 08, 2015 at 01:05:30PM +0200, Daniel Stender wrote:
> On 08.10.2015 13:00, Salvatore Bonaccorso wrote:
> > Hello Daniel,
> > 
> > On Thu, Oct 08, 2015 at 12:20:27PM +0200, Daniel Stender wrote:
> >> Hello,
> >>
> >> there was a bug reported on gummi/0.6.5-3 [1], the program uses
> >> predictable filenames in /tmp [2].
> >>
> >> I'm going to fix that problem now (upstream is dead). Question: do
> >> we have a (minor) security related problem here, which also needs to
> >> be fixed for stable? I've learned from another case that this might
> >> be a problematic race condition [3].
> > 
> > Thanks for going to fix this in unstable already. For wheezy and
> > jessie: This issue does not warrant on its own a DSA, in particular
> > since such issues are mitigated in Debian: cf.
> > https://www.debian.org/releases/stable/amd64/release-notes/ch-whats-new.en.html#security
> > 
> > But: Could you fix this in wheezy and jessie via the proposed-updates
> > mechanism? See
> > https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable
> > 
> > Regards,
> > Salvatore
> 
> Thx for the quick reply!

You are welcome!

> Yes, o.k., I'm going to fix this as non-dsa over proposed updates. I guess
> a CVE request on this is not necessary, is it? Are you going to create an
> entry in the security tracker, anyway? 

I have actually already created a tracker entry, see
https://security-tracker.debian.org/756432 . For the CVE request: not
absolutely necessary but helps identifying it across various security
trackers. Do you want to request a CVE on your own? This needs to be
done on the oss-security mailing list:
http://oss-security.openwall.org/wiki/mailing-lists/oss-security

Regards,
Salvatore
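The bug class under discussion (a fixed, guessable file name in /tmp that a local user can plant ahead of time, opened in a way that follows it) and the usual mitigation, as an added example in C; this is not gummi's code or the patch for #756432, and the `gummi-` prefix and the sample preview content are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The weak pattern, kept only for comparison (constructed name): a fixed
 * path plus fopen(path, "w") follows whatever already sits there. */
static const char *WEAK_PATH = "/tmp/gummi_preview.tex";

/* Hardened replacement: mkstemp() picks an unguessable suffix and creates
 * the file with O_CREAT|O_EXCL, mode 0600, in one step, so a pre-planted
 * file or symlink makes the call fail instead of being followed. fstat()
 * on the descriptor (not stat() on the path) then confirms that what we
 * hold is a private regular file owned by us. Returns the fd or -1. */
int open_private_tmpfile(char *path_out, size_t path_len)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    if (snprintf(path_out, path_len, "%s/gummi-XXXXXX", dir) >= (int)path_len)
        return -1;
    int fd = mkstemp(path_out);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid() || (st.st_mode & 077) != 0) {
        close(fd);
        unlink(path_out);
        return -1;
    }
    return fd;
}

/* Writes the preview source into a freshly created private temp file and
 * removes it again. Returns the number of bytes written, or -1. */
long write_preview_privately(const char *tex_source)
{
    char path[4096];
    int fd = open_private_tmpfile(path, sizeof path);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, tex_source, strlen(tex_source));
    int distinct = strcmp(path, WEAK_PATH) != 0; /* random name, never the fixed one */
    close(fd);
    unlink(path);
    return (n < 0 || !distinct) ? -1 : (long)n;
}
```

The same effect is available through GLib's `g_file_open_tmp()`, which also wraps mkstemp; either way the point is that the kernel, not a guessable path, decides which file the program ends up writing.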
