Hi,
[I'm fairly new to this so please apply the cluebat gently.]
[Please CC me on any replies as I'm not subscribed to this list.]
I don't think there is anything I need to do in response to the message below because:
1. Plait is not actually in Debian stable.
2. The packaging for the version currently in Testing/Unstable (1.5.2-2) includes a patch for this CVE.
3. Plait 1.6.2-1 is ready and awaiting a sponsor [1]
Please let me know if I'm wrong and need to do more.
Thanks, Dave.
[1] http://lists.debian.org/debian-mentors/2008/09/msg00179.html

PS. The wording of this sentence in the email is a little awkward:
"This is an automatically generated mail, in case you are already
working on an upgrade this is of course pointless."

On Thu, Oct 2, 2008 at 9:44 PM, Nico Golde <nion@debian.org> wrote:
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for plait some time ago.
CVE-2008-4085[0]:
| Plait before 1.6 allows local users to overwrite arbitrary files via a
| symlink attack on (1) cut.$$, (2) head.$$, (3) awk.$$, and (4) ps.$$
| temporary files in /tmp/.
Unfortunately the vulnerability described above is not important enough
to get fixed via a regular security update in Debian stable. It does
not warrant a DSA.
However, it would be nice if this could get fixed via a regular point update [1].
Please contact the release team for this.
This is an automatically generated mail, in case you are already working on an
upgrade this is of course pointless.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4085
[1] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--
David Symons
Armidale NSW Australia
http://www.liberatedcomputing.net
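The CVE quoted above describes the classic predictable-temp-file problem in a shell script: writing to /tmp/NAME.$$ follows whatever already sits at that path. The following is an added example, not Plait's code or part of either mail, showing the mitigation a packager would apply (mktemp-created private directory, scoped cleanup, umask) next to a small audit check that counts /tmp/NAME.$$ writes in a script. The function names and the sample inputs are constructed for this example.

```shell
#!/bin/sh
# Added example, not from Plait or the Debian mails. Demonstrates replacing
# predictable /tmp/NAME.$$ temporary files (the pattern in CVE-2008-4085)
# with mktemp(1)-created paths, plus a simple audit check for the old pattern.

# Vulnerable pattern of the kind the CVE describes (commented out, shown only
# for contrast): the file name is guessable from the pid and the redirection
# follows any pre-existing path, including a symlink to another user's file.
#   cut -d: -f1 > /tmp/cut.$$

# Safe replacement: read a colon-separated listing on stdin and print the
# first field, staging output in a private directory that mktemp creates
# atomically with an unpredictable name.
safe_first_field() {
    workdir=$(mktemp -d "${TMPDIR:-/tmp}/plait-example.XXXXXX") || return 1
    # The subshell limits the EXIT trap and umask to this unit of work, so the
    # directory is removed whether or not the pipeline below succeeds.
    (
        trap 'rm -rf "$workdir"' EXIT
        umask 077
        out="$workdir/cut"
        cut -d: -f1 > "$out" || exit 1
        # Defensive check: refuse to read back anything that is not a plain
        # regular file (a symlink here would mean the directory was tampered with).
        [ -f "$out" ] && [ ! -L "$out" ] || exit 1
        cat "$out"
    )
}

# Audit helper: count lines on stdin (e.g. a script fed with cat) that write
# to /tmp/NAME.$$-style paths. Prints the count; prints 0 when none are found.
count_predictable_tmp() {
    grep -cE '/tmp/[A-Za-z0-9_.-]+\.\$\$' || :
}

# Constructed sample run: a two-entry playlist-style listing.
printf 'song one:3:00\nsong two:4:10\n' | safe_first_field
```

Run it as an ordinary sh script; the audit helper can be pointed at a script with `count_predictable_tmp < plait` to get a quick count of places that still need the mktemp treatment.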