Re: Bug#631912: pidfile in /tmp, opened insecurely [CVE-2011-2765]

To: Obey Arthur Liu <arthur@milliways.fr>
Cc: debian-release@lists.debian.org, Jonathan Wiltshire <jmw@debian.org>, Luke Faraone <lfaraone@debian.org>, Gustavo Goretkin <gustavo.goretkin@gmail.com>
Subject: Re: Bug#631912: pidfile in /tmp, opened insecurely [CVE-2011-2765]
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Wed, 24 Aug 2011 20:03:16 +0100
Message-id: <[🔎] 1314212597.24278.5.camel@hathi.jungle.funky-badger.org>
In-reply-to: <[🔎] 4E5543B5.9050908@milliways.fr>
References: <20110824092711.30739.58899.reportbug@lupin> <[🔎] 4E5543B5.9050908@milliways.fr>

On Wed, 2011-08-24 at 14:32 -0400, Obey Arthur Liu wrote:
> On Wed, Aug 24, 2011 at 5:27 AM, Jonathan Wiltshire <jmw@debian.org> wrote:
> > Please prepare a minimal-changes upload targetting each of these suites,
> > and submit a debdiff to the Release Team [0] for consideration. They will
> > offer additional guidance or instruct you to upload your package.
> 
> Please find attached the debdiffs for lenny and squeeze.

Thanks for working on this.  A couple of comments:

+pyro (3.7-2+lenny1) oldstable-security; urgency=high

Please drop the -security from NEWS and changelog in both cases.

> No adaptation was necessary from sid.

In that case, either I'm missing something or the change is likely also
buggy in sid.  Specifcially:

-PYRO_PID=/var/run/pyro-nsd.pid
[...]
    status)
[...]
            if [ -f "$PYRO_PID" ]; then

Regards,

Adam

Reply to:

References:
- Re: Bug#631912: pidfile in /tmp, opened insecurely [CVE-2011-2765]
  - From: Obey Arthur Liu <arthur@milliways.fr>

Prev by Date: Re: Bug#631912: pidfile in /tmp, opened insecurely [CVE-2011-2765]
Next by Date: Bug#635974: pu: package win32-loader/0.6.21+squeeze1
Previous by thread: Re: Bug#631912: pidfile in /tmp, opened insecurely [CVE-2011-2765]
Next by thread: Re: Future of sun-java6 package ?
Index(es):
- Date
- Thread