
Bug#77652: marked as done (cgic-capture is unreliable and uses /tmp in a silly way)



Your message dated Wed, 07 Feb 2001 15:02:42 -0500
with message-id <E14Qana-0002dO-00@auric.debian.org>
and subject line Bug#77652: fixed in libcgic 1.07-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Darren Benham
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 21 Nov 2000 19:56:11 +0000
>From ian@davenant.greenend.org.uk Tue Nov 21 13:56:11 2000
Return-path: <ian@davenant.greenend.org.uk>
Received: from chiark.greenend.org.uk [195.224.76.132] (mail)
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 13yJWV-0005iV-00; Tue, 21 Nov 2000 13:56:11 -0600
Received: from (davenant.greenend.org.uk) [172.31.80.6] 
	by chiark.greenend.org.uk with esmtp (Exim 3.12 #2)
	id 13yJWS-0007Az-00 (Debian); Tue, 21 Nov 2000 19:56:09 +0000
Received: from ian by davenant.greenend.org.uk with local (Exim 3.12 #2)
	id 13yJWS-0000EF-00 (Debian); Tue, 21 Nov 2000 19:56:08 +0000
From: Ian Jackson <ian@davenant.greenend.org.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14874.54104.197873.60995@davenant.relativity.greenend.org.uk>
Date: Tue, 21 Nov 2000 19:56:08 +0000 (GMT)
To: submit@bugs.debian.org
Subject: cgic-capture is unreliable and uses /tmp in a silly way
X-Mailer: VM 6.75 under Emacs 19.34.1
Delivered-To: submit@bugs.debian.org

Package: cgic-capture
Version: 1.06-4

This program does this, for example:

stat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=20480, ...}) = 0
open("/tmp/capcgi.dat", O_WRONLY|O_CREAT|O_EXCL, 01001101531) = -1 EEXIST (File exists)
fcntl(-1, F_GETFL)                      = -1 EBADF (Bad file descriptor)
...
write(1, "Your form submission was capture"..., 45) = 45

This is silly for a number of reasons:

* It shouldn't use a fixed filename in /tmp for this, because that
prevents more than one user from using this program.  Better would be
to use a file in the current directory and not open it with O_EXCL.
Then you could use it more than once and it still wouldn't be a
security risk unless you (foolishly) run your CGI scripts with an
inappropriately-writeable current directory.

* It fails to notice when it can't open the file and reports success
anyway.

* The documentation tells you to compile a filename into capture.c -
but of course with Debian the program comes precompiled, and the
documentation doesn't say where the file will appear.

* There are many better ways of debugging CGI scripts :-).

I suggest that:

* The filename is changed to be a `capcgi.dat' in the current
directory, and O_TRUNC is used instead of O_EXCL.

* The documentation be changed to (a) say where the file is put and
(b) warn the administrator not to use an inappropriately-writeable
directory for the current directory of their CGI scripts.

* The package priority is changed to `extra'.

Ian.
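
The unchecked O_EXCL open shown in the trace, beside the O_TRUNC open with error checking that the suggestions describe, as an added example (not part of the original message and not the code in capture.c). The function names and the sample data are made up for illustration; only the open flags and the capcgi.dat name come from the report.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Reported behaviour: O_EXCL, result unchecked, success claimed regardless. */
int capture_unchecked(const char *path, const char *data, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    ssize_t n = write(fd, data, len);   /* fd == -1 here gives EBADF */
    (void)n;
    close(fd);
    return 0;
}

/* Suggested behaviour: O_TRUNC instead of O_EXCL, explicit mode for O_CREAT,
   and every failure reported to the caller as -1. */
int capture_checked(const char *path, const char *data, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    while (len > 0) {
        ssize_t n = write(fd, data, len);
        if (n < 0 && errno == EINTR)
            continue;
        if (n < 0) {
            close(fd);
            return -1;
        }
        data += n;
        len -= (size_t)n;
    }
    return close(fd);   /* a deferred write error can surface here */
}

/* Size of the stored capture, or -1 if it cannot be examined. */
long stored_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1L;
}

int main(void)
{
    const char *env = "REQUEST_METHOD=GET\n";   /* constructed sample data */
    return capture_checked("capcgi.dat", env, strlen(env)) == 0 ? 0 : 1;
}
```

When the file already exists, capture_unchecked returns 0 and leaves the old contents in place, which is the stale-capture case the report describes.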

---------------------------------------
Received: (at 77652-close) by bugs.debian.org; 7 Feb 2001 20:12:34 +0000
>From troup@auric.debian.org Wed Feb 07 14:12:32 2001
Return-path: <troup@auric.debian.org>
Received: from auric.debian.org [::ffff:206.246.226.45] 
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 14Qax6-0002x7-00; Wed, 07 Feb 2001 14:12:32 -0600
Received: from troup by auric.debian.org with local (Exim 3.12 1 (Debian))
	id 14Qana-0002dO-00; Wed, 07 Feb 2001 15:02:42 -0500
From: Colin Watson <cjwatson@debian.org>
To: 77652-close@bugs.debian.org
Subject: Bug#77652: fixed in libcgic 1.07-1
Message-Id: <E14Qana-0002dO-00@auric.debian.org>
Sender: James Troup <troup@auric.debian.org>
Date: Wed, 07 Feb 2001 15:02:42 -0500
Delivered-To: 77652-close@bugs.debian.org

We believe that the bug you reported is fixed in the latest version of
libcgic, which has been installed in the Debian FTP archive:

libcgicg1-dev_1.07-1_i386.deb
  to pool/main/libc/libcgic/libcgicg1-dev_1.07-1_i386.deb
libcgicg1_1.07-1_i386.deb
  to pool/main/libc/libcgic/libcgicg1_1.07-1_i386.deb
libcgic_1.07-1.diff.gz
  to pool/main/libc/libcgic/libcgic_1.07-1.diff.gz
libcgic_1.07.orig.tar.gz
  to pool/main/libc/libcgic/libcgic_1.07.orig.tar.gz
libcgic_1.07-1.dsc
  to pool/main/libc/libcgic/libcgic_1.07-1.dsc
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 77652@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated libcgic package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed,  7 Feb 2001 00:33:25 +0000
Source: libcgic
Binary: libcgicg1 libcgicg1-dev
Architecture: source i386
Version: 1.07-1
Distribution: unstable
Urgency: low
Maintainer: Colin Watson <cjwatson@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 libcgicg1  - C library for developing CGI applications
 libcgicg1-dev - C library for developing CGI applications
Closes: 68591 74212 74254 77544 77652
Changes: 
 libcgic (1.07-1) unstable; urgency=low
 .
   * New maintainer (closes: #68591).
   * New upstream release:
     - Fixed a fencepost error causing various functions to return
       cgiFormTruncated if the returned string fit the buffer exactly.
   * Standards-Version: 3.5.0:
     - Build dependencies.
     - Support DEB_BUILD_OPTIONS.
     - Don't install shared libraries executable (though dh_fixperms fixed
       this anyway).
     - The postinst of libcgicg1 didn't have a debhelper token, so the
       /usr/doc link got lost. Fixed.
     - Added postrm with missing ldconfig call (triggers lintian bug #82479).
   * Build with debhelper v2.
   * Build libraries with -D_REENTRANT, as per policy 2.1.3.0. (Does anyone
     actually use threaded CGI scripts?)
 .
   * Removed old libc5 packages libcgic1 and libcgic1-altdev, and got rid of
     the consequent cruft from debian/rules (to all intents and purposes this
     closes: #74254, especially since the libgd development packages for
     libc5 have also been dropped; also see the next changelog entry).
   * Use new names of libgd packages (libgd1 and libgd-dev) (closes: #74212).
   * Moved support.txt to the runtime package.
   * Constructed an upstream changelog from cgic.html.
   * Removed unnecessary call to dh_suidregister.
   * Other miscellaneous packaging cleanups.
 .
   * Correctly prototype cgiMain() (closes: #77544).
   * Applied Ian Jackson's suggestions for cgic-capture (closes: #77652):
     - Change all /tmp references to use the current directory instead. Added
       documentation that the current directory needs to be writeable.
     - Revert an earlier Debian patch which coped with the security issues of
       writing into /tmp by opening with O_WRONLY | O_CREAT | O_EXCL. Since a
       CGI script's current directory may reasonably be assumed to be secure,
       this isn't necessary.
     - Since capture is far from the best way to debug CGI scripts, we don't
       ship it as a separate package any more. Instead, install it as one of
       the examples in libcgicg1-dev, like cgictest.c; those who need it for
       debugging can compile it themselves, since they must be doing the same
       for the script they're debugging anyway. An abridged copy of the main
       Makefile is provided.
     - Check return code of cgiReadEnvironment() and cgiWriteEnvironment() in
       cgictest.c and capture.c respectively.
   * Fix format string in cgictest.c (%s -> %d).
Files: 
 98d1737d94d249f7db9f88f310b492b6 619 web optional libcgic_1.07-1.dsc
 ff79ec949c9f9440f37e958a677b9859 47119 web optional libcgic_1.07.orig.tar.gz
 1b5cd85e9545c535e486a608a6c69c8c 8303 web optional libcgic_1.07-1.diff.gz
 1956e4a6ad23126970085e1dd043866b 17738 web optional libcgicg1_1.07-1_i386.deb
 68619bbf93ed9d48d326ed443f91e2a0 56316 web optional libcgicg1-dev_1.07-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6gJjCMVrRHkkXpRQRAn/xAJ96okupcaXkQq5gQfoKzmXragMeDACeKtdt
VNB9yng7L5gp7l6OfvwgDPg=
=GrL6
-----END PGP SIGNATURE-----


