Hello,

popper/popper-send.sh

    #!/bin/sh
    echo "$2" > /tmp/.popper-new
    echo `date +"%a %l:%m %p"` >> /tmp/.popper-new
    cat "$1" >> /tmp/.popper-new
    mv -f /tmp/.popper-new /tmp/.popper

The .popper file is also used in: popper/popper.cpp

It is possible to overwrite or create arbitrary files with the rights of the user using kpopper.

Regards.
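A hardened form of the spooling step in the script quoted above, added here as an example; it is not part of the original report and is not kpopper's code. The names POPPER_DIR and popper_send and the per-user spool location are assumptions, and kpopper itself would have to read from the same location.

```sh
#!/bin/sh
# Added example: the original writes to fixed names in the shared /tmp, so the
# write follows whatever another local user has planted at that path.
# This version spools into a directory only the invoking user can write to.

# Hypothetical per-user spool location (assumption, not from kpopper).
POPPER_DIR="${POPPER_DIR:-${XDG_RUNTIME_DIR:-$HOME}/.popper-spool}"

# popper_send MESSAGE_FILE SENDER
popper_send() {
    msgfile=$1
    sender=$2

    # Create the spool directory privately if it does not exist yet.
    mkdir -p -m 700 "$POPPER_DIR" || return 1

    # Refuse a symlink or a directory owned by someone else.
    if [ -L "$POPPER_DIR" ] || [ ! -O "$POPPER_DIR" ]; then
        echo "popper_send: unsafe spool directory: $POPPER_DIR" >&2
        return 1
    fi
    chmod 700 "$POPPER_DIR" || return 1

    # mktemp creates the file exclusively under an unpredictable name with
    # mode 0600, so an existing file or link is never opened for writing.
    tmp=$(mktemp "$POPPER_DIR/new.XXXXXX") || return 1

    {
        printf '%s\n' "$sender"
        date +"%a %I:%M %p"      # weekday, hour:minute, AM/PM
        cat -- "$msgfile"
    } > "$tmp" || { rm -f "$tmp"; return 1; }

    # Atomic rename inside a directory no other user can modify.
    mv -f "$tmp" "$POPPER_DIR/message"
}
```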
Auditors please verify.
yep, clear cut.
Hello, I contact upstream Regards.
Pulling in carlo from KDE for advice on that kde-herd package. We'll probably have to patch it ourselves if upstream doesn't react.
Unmaintained for three years and there's net-im/kpopup as alternative. Why not just bury this package? Btw, maybe someone from the security herd would be so nice and have a look at kpopup as well. There was a problem once, solved by the author via a world wide writeable directory for messages. I don't think smb messaging is safe at all, but you may think about other attack vectors in conjunction with possible holes in samba's message handling. Maybe I'm just too suspicious. Please excuse that I do not like to make my fingers dirty with instant messaging sh*t... ;)
Hello, Published on vendor-sec@lst.de Regards.
carlo, feel free to mask it, prior to complete removal
Konn: Masked
Romang: Thanks for your report.
Masked, going public on 20050604.
> going public on 20050604

I'm not sure if we passed the date by month or year given the date you wrote this. ;) Just would like to ask, if it's when I remove the package from the repository before this issue will be public!?
Hmm forgot that one :)
(In reply to comment #11)
> Hmm forgot that one :)

Yes, I think so. ;)
A few more months have passed on this one...
Thierry, since you're active today, could you revisit this bug please? It's a minor one, but more than half a year, now.
The idea would be to remove it after a last rites email. Can't do it right now, but anybody else can do it...
I sent a last-rites mail to gentoo-dev.
(In reply to comment #15)
> The idea would be to remove it after a last rites email. Can't do it right now,
> but anybody else can do it...

The point is that you said something about "going public" so I'm still waiting for the GLSA. Otherwise I'd have purged the package months ago.
Well, I think sending a GLSA half a year later is pretty embarrassing and probably useless, so I'd say that we just let this package die in peace ...
(In reply to comment #18)
> Well, I think sending a GLSA half a year later is pretty embarrassing and
> probably useless, so I'd say that we just let this package die in peace ...

In short: You want to be as dishonest as lots of vendors of proprietary products...
It's not really that. Our security policy states that security masks for level B3 (minor) do not generate maskGLSAs, that's why we didn't issue one back then. It's like a GLSA vote that automatically says "no"... About the "going public", it was about opening this bug (which was restricted in the first place). It's already been done, see Bug activity, what happened 2005-07-11. This bug stayed open just so that sometime in the future we remember to remove it completely.
Thierry, that's a different statement than "Uh, the bug is quite old, so let's drop it behind the curtain." and I won't disagree that this isn't a big issue, it's just that comment #9 sounds otherwise. Also looking at the previous GLSAs, this sort of bug usually was announced.
KDE any news on this one?
The package is masked since June last year and can be removed any day. It's only up to the security herd how to deal with it. Close or GLSA.
Carlo please remove kpopper from the tree and I'll close this bug.
buried
Thx, package removed, now it's time to close this one.