[Pkg-xfce-devel] Bug#685832: xfce4-sensors-plugin: xcfe4-sensors-plugin relies on a setuid hddtemp and recommends to setuid it
Eddy Petrișor
eddy.petrisor at gmail.com
Fri Aug 24 21:49:28 UTC 2012
Package: xfce4-sensors-plugin
Version: 1.2.5-1+b1
Severity: important
Tags: patch security
Hello,
xfce4-sensors-plugin seems to want, although it is not necessary, to have hddtemp
setuid in the system in order to read the temperature of the HDD. It even goes
so far as to suggest to the user to setuid hddtemp.
But there is an option to fetch hddtemp information without having hddtemp
setuid, to read directly from a local port. This option is now disabled at
build time because there is no netcat installed during build.
So I just added netcat as a build depends and the resulting package works fine
and no longer recommends to the user the unsafe option of running hddtemp setuid.
Please use the attached patch to fix this issue.
Thanks,
Eddy
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (999, 'testing'), (500, 'stable'), (50, 'unstable'), (1,
'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.4.0-heidi (SMP w/2 CPU cores)
Locale: LANG=ro_RO.utf8, LC_CTYPE=ro_RO.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages xfce4-sensors-plugin depends on:
ii libatk1.0-0 2.4.0-2
ii libc6 2.13-35
ii libcairo2 1.12.2-2
ii libfontconfig1 2.9.0-7
ii libfreetype6 2.4.9-1
ii libgdk-pixbuf2.0-0 2.26.1-1
ii libglib2.0-0 2.32.3-1
ii libgtk2.0-0 2.24.10-2
ii libnotify4 0.7.5-1
ii libpango1.0-0 1.30.0-1
ii libsensors4 1:3.3.2-2
ii libxfce4ui-1-0 4.8.1-1
ii libxfce4util4 4.8.2-1
ii xfce4-panel 4.8.6-3
Versions of packages xfce4-sensors-plugin recommends:
ii hddtemp 0.3-beta15-51
ii lm-sensors 1:3.3.2-2
Versions of packages xfce4-sensors-plugin suggests:
ii xsensors 0.70-2
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: no_suid_hddtemp_needed.patch
Type: text/x-diff
Size: 1717 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-xfce-devel/attachments/20120825/a8e53f69/attachment.patch>
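The local-port approach mentioned in the report, as an added example that is not part of the original message or the attached patch: an unprivileged reader queries an hddtemp daemon over loopback and validates the reply before using it. It assumes hddtemp runs in daemon mode on 127.0.0.1 with its default port 7634 and default '|' separator; the function names, the HDDTEMP_PORT variable and the sample reply are constructed for illustration.

```shell
#!/bin/sh
# Added example: obtain drive temperatures without a setuid hddtemp binary.
# Assumption: a root-started hddtemp daemon listens on 127.0.0.1:7634
# (hddtemp's default port) and uses the default '|' field separator.

# read_hddtemp: fetch one raw reply from the daemon with netcat.
# HDDTEMP_PORT is a hypothetical override for a non-default port.
read_hddtemp() {
    # -w 2: give up after two seconds if nothing is listening.
    nc -w 2 127.0.0.1 "${HDDTEMP_PORT:-7634}"
}

# parse_hddtemp: turn a reply into "device temperature unit" lines.
# Reply layout, once per drive: |device|model|temperature|unit|
# The socket is unauthenticated, so every field is treated as untrusted:
# unexpected device names are dropped, and non-numeric temperatures
# (for example a sleeping drive) are reported as "n/a".
parse_hddtemp() {
    printf '%s\n' "$1" | awk -F'|' '{
        for (i = 2; i + 3 <= NF; i += 5) {
            dev = $i; temp = $(i + 2); unit = $(i + 3)
            if (dev !~ "^/dev/[A-Za-z0-9_./:-]+$") continue
            if (temp ~ "^-?[0-9]+$" && (unit == "C" || unit == "F"))
                print dev, temp, unit
            else
                print dev, "n/a"
        }
    }'
}

# Constructed sample reply: one active drive and one sleeping drive.
SAMPLE='|/dev/sda|CONSTRUCTED MODEL A|35|C||/dev/sdb|CONSTRUCTED MODEL B|SLP|*|'
parse_hddtemp "$SAMPLE"

# Against a live daemon: parse_hddtemp "$(read_hddtemp)"
```

With this path in place the hddtemp binary itself can stay without the setuid bit; only the daemon process needs the privileges to query the drives.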