Bug#129104: cgiemail: buffer overflow and script reading vulnerabilities
On Mon, Apr 08, 2002 at 11:00:06PM -0500, Thomas Smith wrote:
> On Mon, Apr 08, 2002 at 02:50:18PM -0500, Colin Watson wrote:
> > Better fixes are available, though. I'd forgotten that the last
> > message in this bug left it up to me to test them ... I'll have a look
> > today or tomorrow and see if we can get this sorted.
> There is a new version to test, just in case you have already downloaded
> As before, it is at <http://finbar.dyndns.org/~tgs/deb/>. The version
> to test is 1.6-14.
OK, some things:
--- 8/debian/config Thu Jan 1 01:00:00 1970
+++ 14/debian/config Tue Apr 9 22:20:53 2002
@@ -0,0 +1,28 @@
+# use debconf
+# get configuration value
+if [ -f $CONFIG ];
+ . $CONFIG || true;
+ db_set cgiemail/template_dir $templatedir
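Review bot: $CONFIG is unquoted in both the [ -f $CONFIG ] test and the . $CONFIG line at the top of this hunk. If the variable is empty or unset, the test collapses to [ -f ], which is true because a single non-empty argument always passes, so the branch is taken with no file to source. Write both as "$CONFIG". The sourced file is executed as shell code by a script that runs as root during configuration, and the lines shown do not say where $CONFIG is set, so it is worth confirming that it can only name a root-owned file.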
$templatedir should be "$templatedir" here, for safety.
+if dpkg --compare-versions $2 lt-nl 1.6-13;
$2 has to be "$2" here (more than safety - the second argument is
+ # if upgrading from an older version
+ db_input critical cgiemail/template_dir || true;
+ # if installing new or upgrading from recent.
+ db_input normal cgiemail/template_dir || true;
'normal' doesn't exist as a priority - should probably be 'medium'.
With that, dpkg-reconfigure works. Looks good.
Colin Watson [firstname.lastname@example.org]