
Re: Bug#482476: marked as done (Security: Unsafe lock file creation can be used to truncate arbitrary files)



On Wed, May 28, 2008 at 07:58:53PM -0700, Daniel Burrows <dburrows@debian.org> was heard to say:
> On Wed, May 28, 2008 at 02:27:55PM +0000, Debian Bug Tracking System <owner@bugs.debian.org> was heard to say:
> > Changes: 
> >  apt (0.7.14) unstable; urgency=low
> 
>   [snip]
> 
> >    [ Otavio Salvador ]
> >    * Apply patch to avoid truncating of arbitrary files. Thanks to Bryan
> >      Donlan <bdonlan@fushizen.net> for the patch. Closes: #482476
> 
>   Should this be urgency=high?  (as per the devref section 5.8.5.3)

  apt's QA page now says:

    * 10 days old (needed 10 days)
    * Not touching package, as requested by pkern (contact debian-release if update is needed)
    * Updating apt fixes old bugs: #482476
    * Not considered

  apt 0.7.14 fixes a security hole in apt and aptitude that allows any
normal user to truncate arbitrary files on the system.  I was asking
above, but I guess not explicitly enough, whether the priority of the
upload could be raised to hasten its migration into testing.  I'll make
sure to be clearer next time I request something like this.

  That aside, it looks like the opposite has happened -- apt is now
*blocked* from testing!  I know we are entering a freeze soon, but this
version fixes not only this RC bug, but several RC bugs that prevent
aptitude from working in any Russian locale.

  Please move apt 0.7.14 into testing as soon as it's convenient for
you to do so.

    Thanks,
  Daniel

