Bug#55507: marked as done (problem with setuid/setgid of /usr/cgi-bin/jitterbug)



Your message dated Sun, 31 Jul 2005 23:34:21 +0100
with message-id <20050731223421.GA30947@deprecation.cyrius.com>
and subject line Removed from Debian - unmaintained
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 18 Jan 2000 00:30:26 +0000
Received: (qmail 12661 invoked from network); 18 Jan 2000 00:30:25 -0000
Received: from jensen-home.tsi-telsys.com (HELO tt) (205.230.130.162)
  by master.debian.org with SMTP; 18 Jan 2000 00:30:25 -0000
Received: by cc38617-a.hwrd1.md.home.com
	via sendmail from stdin
	id <m12AMWC-001pVIC@tt> (Debian Smail3.2.0.102)
	for submit@bugs.debian.org; Mon, 17 Jan 2000 19:29:08 -0500 (EST) 
Message-Id: <m12AMWC-001pVIC@tt>
From: Jim Jensen <jensen@cc38617-a.hwrd1.md.home.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: problem with setuid/setgid of /usr/cgi-bin/jitterbug
X-Reportbug-Version: 0.48
X-Mailer: reportbug 0.48
Date: Mon, 17 Jan 2000 19:29:08 -0500
Reply-to: jensen@computer.org
Bcc:

Package: jitterbug
Version: 1.6.2-4
Severity: normal

In order to use the chroot feature of jitterbug it is necessary to set
the /usr/cgi-bin/jitterbug to -rws--x-- (according to the INSTALL
document).  However, doing this causes accesses as guest to not
include the guestintro.html, header.html and footer.html because
jitterbug.display_file() does not display the file because geteuid()
returns 0.  I believe the get[ug]id() calls in jitterbug.c lines 649,
652, 656 and 659 should be gete[ug]id() calls, and possibly the
corresponding set[gu]id() calls also the effective versions.
According to a comment in jitterbug's jitterbug database, this can
cause some security risk
(http://samba.anu.edu.au/cgi-bin/jitterbug/fixed?id=425;expression=seteuid;user=guest
see reply 1) 

Thanks for your work.

       -Jim Jensen		jensen@computer.org

-- System Information
Debian Release: potato
Architecture: i386
Kernel: Linux tt 2.3.36 #4 Wed Jan 5 19:38:08 EST 2000 i686

Versions of packages jitterbug depends on:
ii  apache                       1.3.9-10    Versatile, high-performance HTTP s
ii  apache [httpd]               1.3.9-10    Versatile, high-performance HTTP s
ii  libc6                        2.1.2-11    GNU C Library: Shared libraries an
ii  smail [mail-transport-agent] 3.2.0.102-2 Electronic mail transport system. 
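
The real-versus-effective ID distinction raised in the report above, as an added example that is not jitterbug's code and not part of the original message: a set-uid program drops to its invoking user and verifies the result before serving anything. The function names are hypothetical, and the chroot step is only indicated by a comment.

```c
/* Added example; not taken from jitterbug.c. */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* True when real and effective IDs differ, i.e. the process runs set-id
 * and a test on getuid()/getgid() alone says nothing about its powers. */
int running_setid(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* Permanently switch to uid/gid. Returns 0 on success, -1 on failure.
 * Groups and gid go first: once the uid is no longer 0 the process has
 * lost the privilege needed to change them. */
int drop_privileges(uid_t uid, gid_t gid) {
    /* Clear inherited supplementary groups when giving up root. */
    if (geteuid() == 0 && uid != 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0) return -1;
    /* With euid 0 this sets the real, effective and saved uid. */
    if (setuid(uid) != 0) return -1;

    /* Verify the outcome instead of trusting return codes alone. */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    /* Root must not be recoverable after the drop. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

int main(void) {
    printf("before: ruid=%ld euid=%ld set-id=%d\n",
           (long)getuid(), (long)geteuid(), running_setid());
    /* A set-uid-root CGI would call chroot() here, while euid is still 0. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return 1;
    }
    printf("after:  ruid=%ld euid=%ld set-id=%d\n",
           (long)getuid(), (long)geteuid(), running_setid());
    return 0;
}
```

Run as an ordinary binary, both lines show identical IDs; installed set-uid root and invoked by an unprivileged user, the first line shows euid 0 and the second shows the caller's uid in both fields.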

---------------------------------------
Received: (at 55507-done) by bugs.debian.org; 31 Jul 2005 22:34:29 +0000
>From tbm@cyrius.com Sun Jul 31 15:34:29 2005
Return-path: <tbm@cyrius.com>
Received: from sorrow.cyrius.com [65.19.161.204] 
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1DzMO4-0008VI-00; Sun, 31 Jul 2005 15:34:29 -0700
Received: by sorrow.cyrius.com (Postfix, from userid 10)
	id C28D264D54; Sun, 31 Jul 2005 22:34:23 +0000 (UTC)
Received: by deprecation.cyrius.com (Postfix, from userid 1000)
	id 766AA85A8; Sun, 31 Jul 2005 23:34:21 +0100 (BST)
Date: Sun, 31 Jul 2005 23:34:21 +0100
From: Martin Michlmayr <tbm@cyrius.com>
To: 47894-done@bugs.debian.org, 55507-done@bugs.debian.org,
	67612-done@bugs.debian.org, 186130-done@bugs.debian.org,
	228569-done@bugs.debian.org
Subject: Removed from Debian - unmaintained
Message-ID: <20050731223421.GA30947@deprecation.cyrius.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.9i
Delivered-To: 55507-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no 
	version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 126

This package has now been removed from Debian because nobody was
interested in maintaining it; see
http://lists.debian.org/debian-devel-announce/2005/06/msg00014.html
for more information.

-- 
Martin Michlmayr
http://www.cyrius.com/


