Comment 31 for bug 12030

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 19 Jan 2005 11:40:47 +0100
From: Javier Fernández-Sanguino Peña <email address hidden>
To: Martin Pitt <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#289560: acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)

On Wed, Jan 19, 2005 at 10:24:20AM +0100, Martin Pitt wrote:
> I read your patch, but I deliberately wrote my own very simple
> version, because:

Martin, just to get things straight, my comments are not directed
towards you, but towards the vim maintainer.

>
> - I wanted to avoid the tempfile race in any case, so if mktemp is not
> available, the script should rather fail than be vulnerable. mktemp
> is shipped in a required package, so we can assume it is there.

It would be best if instead of

tmp_tagfile=`mktemp -t tcltagXXXXXX` || exit 1

you had used

tmp_tagfile=`mktemp -t tcltagXXXXXX` || { echo "$0: error creating the temporary file" >&2; exit 1 ;}

IMHO

> - A security update must be as simple and unintrusive as possible. I
> do not care about the widest possible upstream portability in
> security updates, the solution only needs to work on the platforms
> we support.

Well, in the Debian case (not Ubuntu's) the patch was not intended to be
used as a DSA (since even if the code is in stable, it's in
/usr/share/doc). I wasn't complaining about the Ubuntu update, but about
the use of Ubuntu's patch in Debian when mine could be used instead for the
sid upload (and would've been more consistent with upstream source)

> > - no credit is given to me, which I would have appreciated
>
> I credited you in the announcement [1] since you found the bug.

I was mentioning Debian's changelog, not Ubuntu's advisory.
Actually, all my statements are about how this bug has been handled by the
Debian maintainer, who takes no action until an Ubuntu advisory is
released.

In any case, there is no use in arguing this when there are so many things to work on
(and so many similar security bugs to report)

Regards

Javier

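The mktemp pattern the message argues about, as an added example that is not part of the original message, of the Ubuntu patch, or of the vim package. It wraps the temp-file creation in a function that fails with the explicit stderr message Javier suggests instead of falling back to a predictable name, and adds a cleanup trap around the command that uses the file. The `tcltag` template, the function names and the `TMP_TAGFILE` variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or the vim package): the
# temp-file creation discussed above, as a function. "tcltag",
# the function names and TMP_TAGFILE are illustrative assumptions.

# Create the temporary tag file with mktemp. mktemp creates the file
# atomically, mode 0600, under a random name, so an attacker cannot
# pre-create or symlink a predictable path (the tempfile race).
# If mktemp is missing or fails, say so on stderr and fail instead of
# proceeding with an insecure fixed name.
make_tmp_tagfile() {
    tmp_tagfile=`mktemp -t tcltagXXXXXX` || {
        echo "$0: error creating the temporary file" >&2
        return 1
    }
    printf '%s\n' "$tmp_tagfile"
}

# Run a command with a fresh temp tag file exported as TMP_TAGFILE and
# remove the file afterwards, also on EXIT/HUP/INT/TERM.
# Usage: with_tmp_tagfile cmd args...
with_tmp_tagfile() {
    TMP_TAGFILE=`make_tmp_tagfile` || return 1
    export TMP_TAGFILE
    trap 'rm -f "$TMP_TAGFILE"' 0 1 2 15
    "$@"
    status=$?
    rm -f "$TMP_TAGFILE"
    trap - 0 1 2 15
    return $status
}

# Example use (constructed): write a tag line into the file and read it
# back; the file no longer exists once the wrapped command returns.
#   with_tmp_tagfile sh -c 'echo "tag1 file1 /pat/" >"$TMP_TAGFILE"; cat "$TMP_TAGFILE"'
```

Note that `make_tmp_tagfile` returns non-zero (and prints the message) when `$TMPDIR` is unwritable or missing, which is the "rather fail than be vulnerable" behaviour Martin describes; nothing in the script ever uses a `/tmp/name$$`-style path.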