fotoxx: Insecure use of temporary files

Andreas Tille andreas at an3as.eu
Fri Jun 6 15:02:32 BST 2025


Hi Michael,

sorry for the long silence.  The change of the name of the binary
package requires passing the Debian new queue including a new inspection
of the copyright of all files.  This leaded to a rejection of the
package as you can read here:

   https://alioth-lists.debian.net/pipermail/pkg-phototools-devel/2025-April/017619.html

I wonder whether you see some chance to strip those files mentioned
in doc/copyright which are licensed as

   Creative Commons Attribution Non Commercial Share Alike 3.0 Unported

The "Non Commercial" is a restriction which is considered non-free in
Debian so we can't distribute the source as is.  If you consider this
not a good option for your end users I could strip down the tarball for
Debian to drop these files (which will hopefully not influence the
functionality of the software itself).  I just wanted to let you
know since it would be preferable to have the same tarball in Debian
as it is provided from your site.

Kind regards and thanks a lot for your cooperation
    Andreas.

Am Wed, Nov 06, 2024 at 09:51:12AM +0100 schrieb Michael Cornelison:
> Thanks again.
> 
> Re: detect root user and exit() if root.
> 
> I do not want to make a new release now, but I will add this in the next
> release, planned for Jan 1 or so.
> I hope this is OK.
> 
> regards
> Mike
> 
> 
> On Wed, Nov 6, 2024 at 9:43 AM Andreas Tille <andreas at an3as.eu> wrote:
> 
> > Hi Michael,
> >
> > Am Wed, Nov 06, 2024 at 07:49:41AM +0100 schrieb Michael Cornelison:
> > > 'wprintp' function no longer exists.
> > >
> > > 'email_dialog_event' function no longer exists.
> > >
> > > file "/tmp/global_lock_fotoxx_syncfiles" no longer exists.
> > >
> > > The bug report says that using fotoxx as root user is necessary to
> > trigger
> > > this bug.
> >
> > I *personally* admit it's the user's own fault to use fotoxx as root, but
> > well ...
> >
> > > In fact, using fotoxx (now fotocx) as root user can do many things to
> > crash
> > > or alter a running system or alter files belonging to root. What is the
> > fix
> > > for this? I could detect if running as root user and just exit. Is that a
> > > fix?
> >
> > In my eyes this is a fix, yes.
> >
> > Thanks a lot for the quick response
> >     Andreas.
> >
> > > On Tue, Nov 5, 2024 at 6:27 PM Andreas Tille <andreas at an3as.eu> wrote:
> > >
> > > > Control: tags -1 upstream
> > > > Control: forwarded -1 Michael Cornelison <mkornelix at gmail.com>
> > > > Thanks
> > > >
> > > > Hi Michael,
> > > >
> > > > there is a ten year old bug report[1] against the fotoxx code that was
> > > > uploaded to Debian at that time.  I intend to close this bug in my next
> > > > upload but I would like to get your confirmation that the problem is
> > > > dealt with in your current code.  Please be so kind to have a look[1]
> > > > since the issue is potentially security relevant.
> > > >
> > > > Kind regards and thank you for providing fotocx as free software
> > > >    Andreas.
> > > >
> > > > [1] https://bugs.debian.org/761879
> > > >
> > > > --
> > > > https://fam-tille.de
> > > >
> > >
> > >
> > > --
> > > Mike
> > > kornelix.net  open source Linux apps
> > > substack <https://michaelcornelison.substack.com/>  essays
> >
> > --
> > https://fam-tille.de
> >
> 
> 
> -- 
> Mike
> kornelix.net  open source Linux apps
> substack <https://michaelcornelison.substack.com/>  essays

-- 
https://fam-tille.de
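The quoted exchange settles on two defensive measures: refuse to run with root privileges, and stop using a fixed, predictable file under the shared /tmp as a lock. The following C program is an added example written for this thread, not code from fotoxx/fotocx or from either correspondent; the function names (running_as_root, open_private_lockfile, demo_selfcheck) and the scratch-directory layout are my own assumptions, and only the lock file name is taken from the thread. It shows the root check and an atomic lock-file creation that fails cleanly instead of following a pre-planted symlink or clobbering another user's file.

```c
/* Added example (not fotoxx/fotocx code): refuse to run as root and create
 * a lock file atomically inside a directory the user owns, so a symlink or
 * file planted by another user in a shared /tmp is rejected rather than
 * followed.  Function names and the scratch directory are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define LOCK_NAME "global_lock_fotoxx_syncfiles"   /* name from the thread */

/* The effective uid is what decides whether the process can damage the
 * system, so that is what the "detect root and exit" check should test. */
int running_as_root(void)
{
    return geteuid() == 0;
}

/* Build "<dir>/<name>" and create it with O_CREAT|O_EXCL, which fails with
 * EEXIST if anything already sits at that path, including a symlink, no
 * matter where the link points.  O_NOFOLLOW is belt and braces; 0600 keeps
 * other users out of the file.  Returns the fd, or -1 with errno set. */
int open_private_lockfile(const char *dir, const char *name,
                          char *out_path, size_t out_len)
{
    if (snprintf(out_path, out_len, "%s/%s", dir, name) >= (int)out_len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return open(out_path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC,
                S_IRUSR | S_IWUSR);
}

/* Walk through the lock logic in a fresh mkdtemp() directory (constructed
 * scratch input, removed at the end).  Returns 0 when every step behaves as
 * expected, otherwise the number of the step that failed. */
int demo_selfcheck(void)
{
    char dir[] = "/tmp/lockdemo.XXXXXX";
    char path[256], lock_path[256], link_path[256];
    int fd = -1, fd2 = -1, rc = 0;

    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(lock_path, sizeof lock_path, "%s/%s", dir, LOCK_NAME);
    snprintf(link_path, sizeof link_path, "%s/%s", dir, "planted");

    /* step 2: first acquisition succeeds and creates the file */
    fd = open_private_lockfile(dir, LOCK_NAME, path, sizeof path);
    if (fd < 0) { rc = 2; goto out; }

    /* step 3: second acquisition must fail with EEXIST ("already locked") */
    fd2 = open_private_lockfile(dir, LOCK_NAME, path, sizeof path);
    if (fd2 >= 0 || errno != EEXIST) { rc = 3; goto out; }

    /* step 4/5: a symlink planted at the lock path must not be followed;
     * Linux reports EEXIST for O_CREAT|O_EXCL, ELOOP is accepted as well */
    if (symlink("/nonexistent/target", link_path) != 0) { rc = 4; goto out; }
    fd2 = open_private_lockfile(dir, "planted", path, sizeof path);
    if (fd2 >= 0 || (errno != EEXIST && errno != ELOOP)) { rc = 5; goto out; }

out:
    if (fd >= 0) close(fd);
    if (fd2 >= 0) close(fd2);
    unlink(lock_path);
    unlink(link_path);
    rmdir(dir);
    return rc;
}

/* Stand-alone usage: exit early as root, otherwise run the self-check. */
int main(void)
{
    if (running_as_root()) {
        fprintf(stderr, "refusing to run as root\n");
        return 1;
    }
    int rc = demo_selfcheck();
    printf("lock file self-check: %s (step %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc == 0 ? 0 : 1;
}
```

The point of the scratch directory is that the lock lives somewhere only the invoking user can write (a per-user runtime directory would serve the same purpose in a real program); the O_EXCL open is what turns "a file with that name already exists" from a hijack into a plain error the program can report.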


