potato camediaplay security problem
Is this important enough to backport to potato? If so, should I do
that myself, or should the security team? Thanks.
The potato version of camediaplay,

    camediaplay 980118-1 Still Camera Digital Interface

installs its binary suid 'uucp':

    -r-sr-xr-x 1 uucp bin 17132 Feb 18 1998 /usr/bin/camediaplay

and has this runtime option:

    -Nxxx Specify the output filename, in sprintf() format.
    Default is: "pic%05d.jpg".
    (Be careful about escaping shell meta characters!)

I've recently adopted, updated, and uploaded to unstable

    camediaplay 20010211-2 Still Camera Digital Interface

which isn't suid (I instead suggest that users be added to the 'dialout' group)

    -rwxr-xr-x 1 root root 20860 Mar 7 23:06 /usr/bin/camediaplay

and in which the upstream author has removed the -N option "for
security reasons."

In case I shouldn't upload it myself, the following patch to the
camediaplay 20010211-2 rules file allows it to compile and build on
current potato, and the resulting package works for me:
--- debian-work/camediaplay/debian/rules Wed Mar 7 22:23:39 2001
+++ /home/david/camediaplay-20010211/debian/rules Mon Mar 12 00:03:07 2001
@@ -6,7 +6,7 @@
#export DH_VERBOSE=1
# This is the debhelper compatibility version to use.
-export DH_COMPAT=3
+export DH_COMPAT=2
build: build-stamp
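Review bot: the `export DH_COMPAT=2` line leaves the comment above it unchanged, so nothing in debian/rules records that level 2 is a deliberate downgrade for building on potato rather than the package's intended level. Suggest a one-line comment saying so. Since this patch touches only debian/rules, also check that the debhelper build dependency in debian/control is relaxed to match before uploading.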
@@ -63,7 +63,7 @@
# dh_installmime
# dh_installinit
# dh_installcron
- dh_installman src/camediaplay.1
+ dh_installmanpages src/camediaplay.man
# dh_installinfo
# dh_undocumented
dh_installchangelogs
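Review bot: the replacement line `dh_installmanpages src/camediaplay.man` changes both the helper and the file name (`src/camediaplay.1` becomes `src/camediaplay.man`), and the two helpers do not treat the argument the same way: dh_installman installs the files it is given, whereas dh_installmanpages searches the source tree for man pages itself and treats file arguments as pages to skip. Confirm that the built potato package actually ships the camediaplay man page; if it does not, drop the argument or provide the page under a name with a section suffix such as camediaplay.1.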
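The -N option quoted in this message hands a user-supplied string to sprintf() as the format. As an added example (not camediaplay's code, and not what upstream did, which was to remove the option), this shows one way a program could restrict such a filename template to a single integer conversion before formatting. The names `template_ok` and `build_name`, the 64-character limit and the one-digit width are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

/* Accept only a plain file name with exactly one integer conversion,
 * %d or %0Nd / %Nd with N = 1..9; "%%" is a literal percent sign.
 * Refused: %s, %n, %*d, any '/', empty or over-long templates. */
int template_ok(const char *tmpl)
{
    int conversions = 0;
    if (tmpl[0] == '\0' || strlen(tmpl) > 64 || strchr(tmpl, '/'))
        return 0;
    for (const char *p = tmpl; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                      /* "%%" */
            continue;
        if (*p == '0')                      /* optional zero-pad flag */
            p++;
        if (*p >= '1' && *p <= '9')         /* optional one-digit width */
            p++;
        if (*p != 'd')                      /* also catches a trailing '%' */
            return 0;
        conversions++;
    }
    return conversions == 1;
}

/* Returns 0 and fills out on success; -1 if the template is refused
 * or the formatted name does not fit in outlen bytes. */
int build_name(char *out, size_t outlen, const char *tmpl, int index)
{
    int n;
    if (!template_ok(tmpl))
        return -1;
    n = snprintf(out, outlen, tmpl, index);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed inputs: the documented default, then refused templates. */
    const char *samples[] = { "pic%05d.jpg", "pic%s.jpg", "%d%n", "../x%d" };
    char name[80];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s\n", samples[i],
               build_name(name, sizeof name, samples[i], 7) ? "refused" : name);
    return 0;
}
```

Validation of this kind limits what the format string can do; it does not replace dropping the setuid bit, which the unstable package described above has already done.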