
Bug#659296: marked as done (surf: world-readable cookie jar)



Your message dated Fri, 10 Feb 2012 19:54:36 +0000
with message-id <E1RvwYG-0006cw-9B@franck.debian.org>
and subject line Bug#659296: fixed in surf 0.4.1-6
has caused the Debian Bug report #659296,
regarding surf: world-readable cookie jar
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
659296: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659296
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: surf
Version: 0.4.1-4.1
Severity: grave
Tags: security
Justification: user security hole

$ ls -ld ~/.surf/{,cookies.txt}
drwxr-xr-x 2 user users 4096 Feb  9 22:59 /home/user/.surf/
-rw-r--r-- 1 user users  406 Feb  9 22:59 /home/user/.surf/cookies.txt

This allows local users to steal cookies.


-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages surf depends on:
ii  libatk1.0-0         2.2.0-2
ii  libc6               2.13-26
ii  libcairo2           1.10.2-6.2
ii  libfontconfig1      2.8.0-3.1
ii  libfreetype6        2.4.8-1
ii  libgdk-pixbuf2.0-0  2.24.0-2
ii  libglib2.0-0        2.30.2-6
ii  libgtk2.0-0         2.24.8-3
ii  libpango1.0-0       1.29.4-2
ii  libsoup2.4-1        2.34.3-1
ii  libwebkitgtk-1.0-0  1.6.1-5+b1
ii  libx11-6            2:1.4.4-4
ii  suckless-tools      38-1
ii  wget                1.13.4-2
ii  x11-utils           7.6+4
ii  xterm               276-2

--
Jakub Wilk



--- End Message ---
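An added example (not part of the original report and not the Debian patch): a POSIX shell check for the condition shown in the `ls -ld` output above. It flags the surf directory or `cookies.txt` when group or others have any access and can tighten them. The function names are hypothetical, and the 0700/0600 target modes are an assumption, since the contents of the patch are not shown on this page.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on surf's per-user data.
# Paths (~/.surf, cookies.txt) are the ones shown in the bug report.

# Print the six group/other permission characters of $1, e.g. "r-xr-x".
# These are columns 5-10 of the mode field printed by `ls -ld`.
group_other_bits() {
    ls -ld -- "$1" | cut -c5-10
}

# Succeed if $1 exists and grants any access to group or others.
# Special bits shown in those columns (s, S, t, T) are flagged as well.
is_exposed() {
    [ -e "$1" ] || return 1
    [ "$(group_other_bits "$1")" != "------" ]
}

# Print one line per exposed path; return 1 if anything was exposed,
# 0 if the directory and the cookie jar are private (or absent).
audit_surf() {
    dir=${1:-$HOME/.surf}
    status=0
    for p in "$dir" "$dir/cookies.txt"; do
        if is_exposed "$p"; then
            echo "EXPOSED $(group_other_bits "$p") $p"
            status=1
        fi
    done
    return "$status"
}

# Assumed target modes: directory 0700, cookie jar 0600.
harden_surf() {
    dir=${1:-$HOME/.surf}
    [ -d "$dir" ] && chmod 700 "$dir"
    [ -f "$dir/cookies.txt" ] && chmod 600 "$dir/cookies.txt"
    return 0
}

# Typical use:  audit_surf || harden_surf
```

Tightening the modes afterwards does not undo an earlier exposure: cookies that were readable while the file was 0644 should be treated as disclosed and the affected sessions logged out.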
--- Begin Message ---
Source: surf
Source-Version: 0.4.1-6

We believe that the bug you reported is fixed in the latest version of
surf, which is due to be installed in the Debian FTP archive:

surf_0.4.1-6.debian.tar.gz
  to main/s/surf/surf_0.4.1-6.debian.tar.gz
surf_0.4.1-6.dsc
  to main/s/surf/surf_0.4.1-6.dsc
surf_0.4.1-6_i386.deb
  to main/s/surf/surf_0.4.1-6_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 659296@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vasudev Kamath <kamathvasudev@gmail.com> (supplier of updated surf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 11 Feb 2012 00:01:08 +0530
Source: surf
Binary: surf
Architecture: source i386
Version: 0.4.1-6
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Vasudev Kamath <kamathvasudev@gmail.com>
Description: 
 surf       - simple web browser
Closes: 659296
Changes: 
 surf (0.4.1-6) unstable; urgency=high
 .
   * QA upload.
   * debian/patches:
     + Added fix-insecure-permissions.patch to fix world readable cookie jar
       vulnerability CVE-2012-0842. (Closes: #659296)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----



--- End Message ---
