[Pkg-xfce-devel] Bug#685832: xfce4-sensors-plugin: xcfe4-sensors-plugin relies on a setuid hddtemp and recommends to setuid it

Eddy Petrișor eddy.petrisor at gmail.com
Fri Aug 24 21:49:28 UTC 2012


Package: xfce4-sensors-plugin
Version: 1.2.5-1+b1
Severity: important
Tags: patch security

Hello,

xfce4-sensors-plugin seems to want, although it is not necessary, to have hddtemp
setuid in the system in order to read the temperature of the HDD. It even goes
so far as to suggest that the user setuid hddtemp.

But there is an option to fetch hddtemp information without having hddtemp
setuid, to read directly from a local port. This option is now disabled at
build time because there is no netcat installed during build.

So I just added netcat as a build dependency and the resulting package works fine
and no longer recommends to the user the unsafe option of running hddtemp setuid.


Please use the attached patch to fix this issue.


Thanks,
Eddy



-- System Information:
Debian Release: wheezy/sid
   APT prefers testing
   APT policy: (999, 'testing'), (500, 'stable'), (50, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.4.0-heidi (SMP w/2 CPU cores)
Locale: LANG=ro_RO.utf8, LC_CTYPE=ro_RO.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages xfce4-sensors-plugin depends on:
ii  libatk1.0-0         2.4.0-2
ii  libc6               2.13-35
ii  libcairo2           1.12.2-2
ii  libfontconfig1      2.9.0-7
ii  libfreetype6        2.4.9-1
ii  libgdk-pixbuf2.0-0  2.26.1-1
ii  libglib2.0-0        2.32.3-1
ii  libgtk2.0-0         2.24.10-2
ii  libnotify4          0.7.5-1
ii  libpango1.0-0       1.30.0-1
ii  libsensors4         1:3.3.2-2
ii  libxfce4ui-1-0      4.8.1-1
ii  libxfce4util4       4.8.2-1
ii  xfce4-panel         4.8.6-3

Versions of packages xfce4-sensors-plugin recommends:
ii  hddtemp     0.3-beta15-51
ii  lm-sensors  1:3.3.2-2

Versions of packages xfce4-sensors-plugin suggests:
ii  xsensors  0.70-2

-- no debconf information

-------------- next part --------------
A non-text attachment was scrubbed...
Name: no_suid_hddtemp_needed.patch
Type: text/x-diff
Size: 1717 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-xfce-devel/attachments/20120825/a8e53f69/attachment.patch>
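The setuid-free path described in the report, as an added example that is not part of the original message, the attached patch, or xfce4-sensors-plugin: an unprivileged reader treats the text served on hddtemp's local port as untrusted input and parses it with bounded copies, and a small check reports whether a hddtemp binary still carries the setuid bit. Assumptions: the daemon reply has the form `|device|model|temperature|unit|` per disk with a non-numeric temperature such as `SLP` when there is no reading, the binary lives at `/usr/sbin/hddtemp`, and all struct and function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
struct disk_temp { char dev[64]; char model[64]; int temp; char unit; int numeric; };

/* 1 if `path` exists and carries the setuid bit, else 0. */
int is_setuid(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 && (st.st_mode & S_ISUID) != 0;
}

/* Bounded copy of a non-terminated field; returns 0 if it does not fit. */
static int copy_field(char *dst, size_t cap, const char *src, size_t len) {
    if (len >= cap) return 0;
    memcpy(dst, src, len); dst[len] = '\0';
    return 1;
}

/* Parse "|dev|model|temp|unit|" records (assumed reply format); returns records stored. */
int parse_hddtemp_reply(const char *reply, struct disk_temp *out, int max) {
    int n = 0;
    const char *p = reply;
    while (n < max && *p == '|') {
        const char *f[4]; size_t len[4]; char num[8], *end;
        for (int i = 0; i < 4; i++) {          /* four '|'-terminated fields */
            const char *stop = strchr(p + 1, '|');
            if (!stop) return n;               /* truncated record: stop parsing */
            f[i] = p + 1; len[i] = (size_t)(stop - f[i]); p = stop;
        }
        p++;                                   /* step past the closing '|' */
        struct disk_temp *d = &out[n];
        if (!copy_field(d->dev, sizeof d->dev, f[0], len[0]) ||
            !copy_field(d->model, sizeof d->model, f[1], len[1]) ||
            !copy_field(num, sizeof num, f[2], len[2])) continue; /* oversized: skip */
        long t = strtol(num, &end, 10);
        d->numeric = (end != num && *end == '\0'); /* "SLP" etc. are not readings */
        d->temp = d->numeric ? (int)t : 0;
        d->unit = (len[3] == 1) ? f[3][0] : '?';
        n++;
    }
    return n;
}

int main(void) {
    struct disk_temp d[4];   /* the reply below is a constructed sample */
    int n = parse_hddtemp_reply("|/dev/sda|EXAMPLE-A|38|C||/dev/sdb|EXAMPLE-B|SLP|*|", d, 4);
    for (int i = 0; i < n; i++) printf("%s temp=%d numeric=%d\n", d[i].dev, d[i].temp, d[i].numeric);
    printf("setuid hddtemp: %d\n", is_setuid("/usr/sbin/hddtemp"));
    return 0;
}
```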

