glib2.0 stable and oldstable update for CVE-2009-3289

Giuseppe Iuculano iuculano at debian.org
Sat Oct 3 15:25:03 UTC 2009


Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for glib2.0 some time ago.

CVE-2009-3289[0]:
| The g_file_copy function in glib 2.0 sets the permissions of a target
| file to the permissions of a symbolic link (777), which allows
| user-assisted local users to modify files of other users, as
| demonstrated by using Nautilus to modify the permissions of the user
| home directory.

Unfortunately the vulnerability described above is not important enough
to get it fixed via a regular security update in Debian stable and oldstable. It
does not warrant a DSA.

However it would be nice if this could get fixed via a regular point update[1].
Please contact the release team for this.

This is an automatically generated mail; in case you are already working on an
upgrade, this is of course pointless.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3289
    http://security-tracker.debian.net/tracker/CVE-2009-3289
[1] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable

Kind regards
Giuseppe.
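
The bug class in the CVE description above, as an added example (not part of the original mail and not glib's code): a copy routine that reads the mode with lstat() gets the symlink's own 0777 and applies it to the destination, while the checked variant resolves the link first. The function names and the /tmp scenario are constructed, and the 0777 link mode assumes Linux.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Flawed pattern: take the mode from the link itself (lstat) and apply it to dst. */
static int copy_mode_naive(const char *src, const char *dst) {
    struct stat st;
    if (lstat(src, &st) != 0) return -1;
    return chmod(dst, st.st_mode & 07777);
}

/* Checked pattern: when src is a symlink, use the mode of the file it points to. */
static int copy_mode_checked(const char *src, const char *dst) {
    struct stat st;
    if (lstat(src, &st) != 0) return -1;
    if (S_ISLNK(st.st_mode) && stat(src, &st) != 0) return -1;
    return chmod(dst, st.st_mode & 07777);
}

/* Constructed scenario: a 0600 file, a symlink to it, and a 0600 destination.
   Returns the destination's resulting permission bits, or -1 on error. */
static int demo(int use_checked) {
    char dir[] = "/tmp/cpmodeXXXXXX", target[64], lnk[64], dst[64];
    struct stat st;
    int fd, rc, result = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    snprintf(dst, sizeof dst, "%s/dst", dir);
    if ((fd = open(target, O_CREAT | O_WRONLY, 0600)) >= 0) close(fd);
    if ((fd = open(dst, O_CREAT | O_WRONLY, 0600)) >= 0) close(fd);
    chmod(target, 0600); chmod(dst, 0600);   /* make the modes umask-independent */
    if (symlink(target, lnk) == 0) {
        rc = use_checked ? copy_mode_checked(lnk, dst) : copy_mode_naive(lnk, dst);
        if (rc == 0 && stat(dst, &st) == 0) result = st.st_mode & 07777;
    }
    unlink(lnk); unlink(dst); unlink(target); rmdir(dir);
    return result;
}

int main(void) {
    printf("naive:   %04o\n", (unsigned)demo(0));
    printf("checked: %04o\n", (unsigned)demo(1));
    return 0;
}
```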

