
Bug#976874: marked as done (audacity: CVE-2020-11867)



Your message dated Sat, 27 Feb 2021 17:03:34 +0000
with message-id <E1lG30A-0003G1-VX@fasolo.debian.org>
and subject line Bug#976874: fixed in audacity 2.4.2~dfsg0-4
has caused the Debian Bug report #976874,
regarding audacity: CVE-2020-11867
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
976874: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976874
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: audacity
Version: 2.4.2~dfsg0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for audacity.

CVE-2020-11867[0]:
| Audacity through 2.3.3 saves temporary files to
| /var/tmp/audacity-$USER by default. After Audacity creates the
| temporary directory, it sets its permissions to 755. Any user on the
| system can read and play the temporary audio .au files located there.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-11867
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11867
[1] https://salvatoresecurity.com/the-many-perils-of-tmp/
[2] https://bugzilla.suse.com/show_bug.cgi?id=1179449

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
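The CVE text above describes a temporary directory created with mode 755 in a shared location, so every local user can traverse it and read the .au files inside. The following is an added example, not Audacity's or Debian's own code: it creates a directory the weak way and the owner-only way (0700), reports which group/other bits are exposed, and includes the check a practitioner would run before trusting a pre-existing per-user directory under /var/tmp (it must be a real directory, not a symlink, owned by the current user, with no group/other bits). The directory names ("audacity-alice-...") and the function names are assumptions for illustration.

```python
import os
import stat
import tempfile

# Modes under discussion: 0o755 is what the CVE text describes; 0o700 is the
# owner-only alternative. Neither value is taken from Audacity's source.
WEAK_MODE = 0o755
STRICT_MODE = 0o700


def make_temp_dir(base: str, name: str, mode: int) -> str:
    """Create base/name with exactly the given permission bits.

    os.mkdir applies the process umask to `mode`, so the umask is cleared
    around the call to make the resulting bits deterministic.
    """
    path = os.path.join(base, name)
    old_umask = os.umask(0)
    try:
        os.mkdir(path, mode)
    finally:
        os.umask(old_umask)
    return path


def exposed_bits(path: str) -> int:
    """Return the group/other permission bits of path (0 means owner-only)."""
    st = os.lstat(path)
    return stat.S_IMODE(st.st_mode) & 0o077


def is_safe_private_dir(path: str) -> bool:
    """Check a per-user directory in a shared location before using it.

    Returns True only if path exists, is a real directory (not a symlink
    planted by someone else), is owned by the calling user, and grants
    nothing to group or other.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != os.geteuid():
        return False
    return (stat.S_IMODE(st.st_mode) & 0o077) == 0


def demo():
    """Create both variants in a scratch base directory and compare them.

    Returns (weak exposed bits, strict exposed bits, weak safe?, strict safe?).
    """
    with tempfile.TemporaryDirectory() as base:  # constructed stand-in for /var/tmp
        weak = make_temp_dir(base, "audacity-alice-weak", WEAK_MODE)
        strict = make_temp_dir(base, "audacity-alice-strict", STRICT_MODE)
        return (
            exposed_bits(weak),
            exposed_bits(strict),
            is_safe_private_dir(weak),
            is_safe_private_dir(strict),
        )


if __name__ == "__main__":
    weak_bits, strict_bits, weak_ok, strict_ok = demo()
    print(f"755 directory: group/other bits {weak_bits:03o}, safe={weak_ok}")
    print(f"700 directory: group/other bits {strict_bits:03o}, safe={strict_ok}")
```

Two points the example makes concrete: the permission mode passed to mkdir is filtered through the umask, so code that wants owner-only directories has to set the mode explicitly (or use `tempfile.mkdtemp`, which creates its directory with mode 0700); and in a shared directory such as /var/tmp the name is predictable, so a fixed per-user path must be validated (owner, type, mode) rather than assumed to be the application's own.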
--- Begin Message ---
Source: audacity
Source-Version: 2.4.2~dfsg0-4
Done: Dennis Braun <d_braun@kabelmail.de>

We believe that the bug you reported is fixed in the latest version of
audacity, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 976874@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dennis Braun <d_braun@kabelmail.de> (supplier of updated audacity package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 08 Dec 2020 23:46:09 +0100
Source: audacity
Architecture: source
Version: 2.4.2~dfsg0-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Dennis Braun <d_braun@kabelmail.de>
Closes: 969571 976874
Changes:
 audacity (2.4.2~dfsg0-4) unstable; urgency=medium
 .
   [ Sebastian Ramacher ]
   * Bump cmake requirement (Closes: #969571)
 .
   [ Dennis Braun ]
   * Fix temporary audio .au files exposure (CVE-2020-11867). (Closes: #976874)
   * Bump S-V to 4.5.1, no changes needed
Checksums-Sha1:
 8b9d675bd202f0cf5358cca6a38244d308ec92e8 2744 audacity_2.4.2~dfsg0-4.dsc
 aaced868cb9405914c2a0f15282e63f25a912c7a 37044 audacity_2.4.2~dfsg0-4.debian.tar.xz
Checksums-Sha256:
 0ca421a33af84b729d7289ead71580be670f00b781bcf5ad5eea5ed91453e3e1 2744 audacity_2.4.2~dfsg0-4.dsc
 4aa16370e19380dbc9c6cdb58b01530520f5425010a3757414d3fbcd5041dd05 37044 audacity_2.4.2~dfsg0-4.debian.tar.xz
Files:
 ae63ef20ca16f5028e680e8b27a83019 2744 sound optional audacity_2.4.2~dfsg0-4.dsc
 b5bcbdb8c6d63002fd536cd454e7df89 37044 sound optional audacity_2.4.2~dfsg0-4.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
