[Secure-testing-team] Re: ekg: CAN-2005-1916 Bug#317027 and #318059

Marcin Owsiany porridge at debian.org
Wed Jul 13 18:40:22 UTC 2005


On Wed, Jul 13, 2005 at 07:38:11PM +0200, Martin Schulze wrote:
> Marcin Owsiany wrote:
> > While fixing the bug in linki.py with the upstream author, we have found
> > and fixed similar and other security-related bugs in other
> > user-contributed scripts.
> > 
> > 1.6rc2 is released, which fixes them all. I want to upload it to
> > unstable, and backport the fixes to stable. However before that, I would
> > like to know whether I should request another CAN ID for the newly
> > discovered bugs? I mean - what is best for you - the security teams in
> > terms of tracking the bug later?
> 
> Having a CVE id before disclosure is always better.

However, disclosure has already happened.

> However, whether a new CVE id is warranted depends on the problem.
> Without details I can't tell.

Attached is an interdiff of a draft package for stable-security.
As you can see, the modified files are:
contrib/ekgh
contrib/ekgnv.sh
contrib/getekg.sh
contrib/scripts/ekgbot-pre1.py
contrib/scripts/linki.py

The deal is that the initial advisory
(http://www.zataz.net/adviso/ekg-06062005.txt) and CAN-2005-1916 are
only concerned with contrib/scripts/linki.py, while other scripts in
contrib/ also contained tempfile vulnerabilities, and
contrib/scripts/ekgbot-pre1.py contained potential shell injection (I'm
not entirely convinced that python's re.escape() protects against shell
command injection, so I've written my own popen implementation which
avoids the shell altogether).

When you decide whether it's worth requesting a new CAN or not, I will
prepare the final package.

Marcin
-- 
Marcin Owsiany <porridge at debian.org>             http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216
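
The concern raised above about re.escape() versus avoiding the shell, as an added example that is not part of the original message or of the ekg package. It assumes a POSIX shell and Python 3.7 or later; the sample value, the helper names and the child reporter are constructed for illustration.

```python
import json
import re
import shlex
import subprocess
import sys

# Child process that reports the arguments it actually received.
CHILD = "import json, sys; print(json.dumps(sys.argv[1:]))"

# Constructed sample value; the text after ';' is a deliberately nonexistent name.
SAMPLE = "http://example.invalid/?q=1;zz_not_a_command"


def _shell(arg_text):
    """Build a command string and hand it to /bin/sh, as os.popen() would."""
    cmd = "%s -c %s %s" % (shlex.quote(sys.executable), shlex.quote(CHILD), arg_text)
    out = subprocess.run(cmd, shell=True, stdout=subprocess.PIPE,
                         stderr=subprocess.DEVNULL).stdout
    return json.loads(out)


def via_shell_regex_escaped(value):
    # re.escape() targets regex syntax. On Python 3.7+ it leaves ';' alone,
    # so the shell still treats it as a command separator.
    return _shell(re.escape(value))


def via_shell_quoted(value):
    # shlex.quote() is the stdlib helper written for POSIX shell words.
    return _shell(shlex.quote(value))


def via_argv(value):
    # No shell at all: the list goes straight to exec, nothing is parsed.
    out = subprocess.run([sys.executable, "-c", CHILD, value],
                         stdout=subprocess.PIPE).stdout
    return json.loads(out)


if __name__ == "__main__":
    for fn in (via_shell_regex_escaped, via_shell_quoted, via_argv):
        print(fn.__name__, fn(SAMPLE))
```

Only the regex-escaped variant delivers a truncated argument to the child; the argv-list form needs no quoting step at all.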



