[Secure-testing-team] Bug#514386: iceweasel-firegpg: Vulnerability Affecting FireGPG Passphrase and Cleartext Recovery
Daniel Moerner
dmoerner at gmail.com
Fri Feb 6 23:15:17 UTC 2009
Package: iceweasel-firegpg
Version: 0.5.dfsg-1
Severity: grave
Tags: security
Justification: user security hole
Hi, Debian is currently set to release iceweasel-firegpg in Lenny. Unfortunately,
as the firegpg home page explains, version 0.5 suffers from some serious security
problems. It seems that the gist of it is the unsafe creation and destruction of
3 temp files.
http://securityvulns.com/Udocument757.html
Upstream did not label their fix for this in the upstream svn between 0.5.3 and
0.6.0. Three revisions are candidates for the fix: r464, r465, or r467. r467 is the
most likely from a brief glance at the code. However, I do not have the time or
skill to pull the patch from those revisions that will fix this.
I am hopeful that we can get this resolved before Lenny releases without the need
to pull the severely outdated iceweasel-firegpg package, but I'm not sure if that
is possible.
Cheers,
Daniel
-- System Information:
Debian Release: 5.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.28-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
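The report names the bug class but not the code. The following is an added illustration of that class (a secret written to a predictably named temp file without exclusive creation, then removed without wiping) beside the safe pattern; it is not FireGPG's code or the upstream fix, and the file names, the "hunter2" sample secret, and the attacker-planted symlink are constructed for the demonstration.

```python
"""Weak vs. safe handling of a secret that must transit a temporary file.

Added example for the vulnerability class in the report above; not FireGPG code.
"""
import os
import stat
import tempfile


def write_secret_weak(secret: bytes, tmpdir: str, name: str = "passphrase.txt") -> str:
    """Weak pattern: fixed name in a shared directory, opened without O_EXCL,
    permissions left to the umask.  A local attacker who pre-creates the path
    (or a symlink there) can capture or redirect the data, and with a permissive
    umask any local user can simply read the file while it exists."""
    path = os.path.join(tmpdir, name)
    with open(path, "wb") as f:       # follows an existing symlink, truncates, no mode given
        f.write(secret)
    return path


def write_secret_safe(secret: bytes, tmpdir: str) -> str:
    """Safe pattern: mkstemp() picks a random name and opens it with
    O_CREAT|O_EXCL and mode 0600, so it cannot be pre-created, hijacked,
    or read by other users."""
    fd, path = tempfile.mkstemp(prefix="secret-", dir=tmpdir)
    try:
        os.write(fd, secret)
    finally:
        os.close(fd)
    return path


def destroy_weak(path: str) -> None:
    """unlink() only removes the directory entry; the bytes stay on disk."""
    os.unlink(path)


def destroy_safe(path: str) -> None:
    """Overwrite in place, flush to disk, then unlink.  Best effort only:
    journaling and copy-on-write filesystems may keep the old blocks, which is
    why passing secrets through files at all is the thing to avoid."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        f.write(b"\0" * size)
        f.flush()
        os.fsync(f.fileno())
    os.unlink(path)


def other_users_can_read(path: str) -> bool:
    """True if the group or world read bit is set on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def symlink_hijack(secret: bytes) -> bytes:
    """Simulate a local attacker planting a symlink at the predictable path
    before the victim writes.  Returns what lands in the attacker's file."""
    work = tempfile.mkdtemp()
    shared_tmp = os.path.join(work, "shared_tmp")   # stands in for /tmp
    os.mkdir(shared_tmp)
    attacker_file = os.path.join(work, "captured.txt")
    open(attacker_file, "wb").close()
    os.symlink(attacker_file, os.path.join(shared_tmp, "passphrase.txt"))
    write_secret_weak(secret, shared_tmp)           # victim follows the symlink
    with open(attacker_file, "rb") as f:
        return f.read()


def run_demo() -> dict:
    """Exercise both patterns and report the security-relevant outcomes."""
    work = tempfile.mkdtemp()
    safe = write_secret_safe(b"hunter2", work)      # constructed sample secret
    weak = write_secret_weak(b"hunter2", work)
    result = {
        "weak_name_predictable": weak == os.path.join(work, "passphrase.txt"),
        "safe_readable_by_others": other_users_can_read(safe),
        "safe_name_predictable": os.path.basename(safe) == "passphrase.txt",
        "hijacked": symlink_hijack(b"hunter2"),
    }
    destroy_safe(safe)
    destroy_weak(weak)
    result["safe_gone"] = not os.path.exists(safe)
    return result


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v!r}")
```

Whether the weak file is readable by other users depends on the caller's umask, so the demo does not report it; the fixed name and the symlink redirection are the parts that hold regardless of umask. On kernels with fs.protected_symlinks the redirection is blocked only in sticky world-writable directories such as /tmp, which is why the demo uses an ordinary directory.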