Bug#344029: Bug #344029: Patch to fix this security bug

Niko Tyni ntyni at iki.fi
Fri Jan 6 14:13:10 UTC 2006


On Wed, Jan 04, 2006 at 03:27:48AM -0800, Don Armstrong wrote:
 
> Attached is the patch for the NMU that I am preparing; I will upload
> it to a delay queue sometime tomorrow (assuming it checks out when
> I've had more sleep.)

Hi,

and thanks for the patch.

FWIW, we discussed this package a bit on the Debian Perl list (see the
thread at <http://lists.debian.org/debian-perl/2005/12/msg00033.html>),
and the consensus was that it should be removed. It's officially
unsupported upstream, and the author recommends Email::Filter
(currently in NEW) as a replacement. I'm going to file a removal
request once libemail-filter-perl gets in.

As for the /tmp vulnerabilities, the one in Mail::Audit::MimeEntity
doesn't look quite as serious to me. I looked into it a bit, and
although it does fall back to /tmp and follows symlinks, MIME::Parser
uses a not quite trivially guessable directory underneath (current time
+ process ID, IIRC). Naturally, this doesn't mean it shouldn't be
fixed.

If you still want to do the NMU, that's fine of course. I guess the
sarge version should be patched anyway.

Cheers,
-- 
Niko Tyni	ntyni at iki.fi
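
The /tmp fallback discussed in the message above, as an added example that is not part of the original message and is not code from Mail::Audit or MIME::Parser: a time-plus-PID directory name compared with creation through File::Temp, plus an lstat-based check that refuses a pre-existing symlink. The helper names, the `msg-` prefix and the sandbox layout are assumptions made for illustration.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;
use Fcntl qw(:mode);

# Name built from time and PID, as the message recalls; shown for comparison
# only. Both inputs are visible to other local users.
sub predictable_name {
    my ($base) = @_;
    return File::Spec->catdir($base, 'msg-' . time() . "-$$");
}

# Accept an existing path only if it is a real directory (not a symlink),
# owned by the effective UID, and not writable by group or others.
sub dir_is_private {
    my ($path) = @_;
    my @st = lstat($path) or return 0;    # lstat does not follow symlinks
    return 0 unless S_ISDIR($st[2]);
    return 0 unless $st[4] == $>;
    return 0 if $st[2] & (S_IWGRP | S_IWOTH);
    return 1;
}

# Hardened creation: File::Temp picks a random name and creates the
# directory itself with mode 0700, so an existing entry is never reused.
sub private_workdir {
    my ($base) = @_;
    return tempdir('msg-XXXXXXXXXX', DIR => $base, CLEANUP => 1);
}

# Constructed demonstration inside a throwaway sandbox, not the real /tmp.
my $sandbox   = tempdir(CLEANUP => 1);
my $elsewhere = File::Spec->catdir($sandbox, 'elsewhere');
mkdir $elsewhere, 0700 or die "mkdir: $!";

# A symlink already sitting at the guessed name (constructed test case).
my $guessed = predictable_name($sandbox);
symlink $elsewhere, $guessed or die "symlink: $!";

printf "pre-existing %s private: %s\n", $guessed,
    dir_is_private($guessed) ? 'yes' : 'no';
my $work = private_workdir($sandbox);
printf "fresh %s private: %s\n", $work,
    dir_is_private($work) ? 'yes' : 'no';
```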



