[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#389934: marked as done (libg20-perl: include unsafe rpath to /build/buildd)

Your message dated Mon, 27 Apr 2009 18:32:03 +0000
with message-id <E1LyVcZ-0001hu-UX@ries.debian.org>
and subject line Bug#389934: fixed in g2 0.72-1
has caused the Debian Bug report #389934,
regarding libg20-perl: include unsafe rpath to /build/buildd
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

389934: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=389934
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: libg20-perl
Version: 0.70-1.2
Severity: grave
Tags: security

Hello Eric,

The file /usr/lib/perl5/auto/G2/G2.so include a rpath pointing to
/build/buildd/g2-0.70/g2_perl/.. which is not a FHS approved location.

% chrpath /usr/lib/perl5/auto/G2/G2.so
/usr/lib/perl5/auto/G2/G2.so: RPATH=/build/buildd/g2-0.70/g2_perl/..

On some system, a user could have write access to /build and thus be able
to set up a rogue library in that location that will get loaded by users
of libg20-perl.

Bill. <ballombe@debian.org>

Imagine a large red swirl here. 

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)

--- End Message ---
--- Begin Message ---
Source: g2
Source-Version: 0.72-1

We believe that the bug you reported is fixed in the latest version of
g2, which is due to be installed in the Debian FTP archive:

  to pool/main/g/g2/g2_0.72-1.diff.gz
  to pool/main/g/g2/g2_0.72-1.dsc
  to pool/main/g/g2/g2_0.72.orig.tar.gz
  to pool/main/g/g2/libg2-dev_0.72-1_i386.deb
  to pool/main/g/g2/libg20-perl_0.72-1_i386.deb
  to pool/main/g/g2/libg20_0.72-1_i386.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 389934@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Barry deFreese <bdefreese@debian.org> (supplier of updated g2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

Hash: SHA1

Format: 1.8
Date: Mon, 27 Apr 2009 12:22:34 -0400
Source: g2
Binary: libg2-dev libg20 libg20-perl
Architecture: source i386
Version: 0.72-1
Distribution: unstable
Urgency: low
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Barry deFreese <bdefreese@debian.org>
 libg2-dev  - g2 2D graphics library (development files)
 libg20     - g2 2D graphics library
 libg20-perl - g2 2D graphics library (Perl module)
Closes: 389934
 g2 (0.72-1) unstable; urgency=low
   * QA upload.
   * New upstream release.
   * Add quilt patch system.
     + Move old source changes to quilt.
   * Update build-dep from xutils to xutils-dev.
   * Remove rpath with chrpath. (Closes: #389934).
     + Add build-dep on chrpath.
   * Make clean not ignore errors.
   * Replace ${Source-Version} with ${binary:Version}.
   * Set -e in maintainer scripts.
   * Update debian/copyright syntax and add missing holders.
   * Bump debhelper build-dep and compat to 5.
   * Bump Standards Version to 3.8.1.
 3cfc1e3b33c4511e2bcc43c5e26f96a6ffcc4ff0 1084 g2_0.72-1.dsc
 38a6865a7456ef12dda5aae8085f9347e8c77e4c 487081 g2_0.72.orig.tar.gz
 c5c7d3201151b436e3d4384730b5d5aa93d9b95d 6429 g2_0.72-1.diff.gz
 5f35ef2f68c1f8233cf515bd74893bf143a86cb9 297594 libg2-dev_0.72-1_i386.deb
 585db921714ac3ebe022aba573e63836c7ed51fa 43552 libg20_0.72-1_i386.deb
 3fc3faadc079e4bbd2c58fba3156bc157dd1f20c 40472 libg20-perl_0.72-1_i386.deb
 3d7aa37ecb72485b0009fab00700af5638b443899ef850b540120b497ad5e8fb 1084 g2_0.72-1.dsc
 381967065a57354f61b768a1378573f7e66ed706621bcbaa2e8e3aa0f34625d3 487081 g2_0.72.orig.tar.gz
 7183b314b86d844cd6b1144cbd7eb4258199f870ee89bcbd8c74ce2c4d8abf7b 6429 g2_0.72-1.diff.gz
 f235f31171e789b65157aaba80740406e27c6e3b48e560291574cf464b141f69 297594 libg2-dev_0.72-1_i386.deb
 f91309be8bf7c088dda6529be2e1ff83556a389e88d3966d338ecc0d7520d1f2 43552 libg20_0.72-1_i386.deb
 152b7af7ebe093a03a20901d92953392501dfe157ca4df146bc9c906d4862470 40472 libg20-perl_0.72-1_i386.deb
 cda19fa6d97b7ce9720434fedddeaad0 1084 libs optional g2_0.72-1.dsc
 4b2dc9252c1c785dcb0e0a84d7ba7119 487081 libs optional g2_0.72.orig.tar.gz
 925ea167d3db6472f2510f28618ce04e 6429 libs optional g2_0.72-1.diff.gz
 d3d4ff579319fca175ef2bee56190bb6 297594 libdevel optional libg2-dev_0.72-1_i386.deb
 11ca2e52067e9f49aae2c99727e2bea3 43552 libs optional libg20_0.72-1_i386.deb
 9b8e5b43c28b226c671e50640c53b5e9 40472 perl optional libg20-perl_0.72-1_i386.deb

Version: GnuPG v1.4.9 (GNU/Linux)


--- End Message ---

Reply to: