Message-Id: <email address hidden>
Date: Tue, 07 Sep 2004 02:32:03 -0400
From: Kevin Lindsay <email address hidden>
To: <email address hidden>
Subject: Bug#226103: fixed in slocate 2.7-3
Source: slocate
Source-Version: 2.7-3

We believe that the bug you reported is fixed in the latest version of
slocate, which is due to be installed in the Debian FTP archive:

slocate_2.7-3.dsc
  to pool/main/s/slocate/slocate_2.7-3.dsc
slocate_2.7-3.tar.gz
  to pool/main/s/slocate/slocate_2.7-3.tar.gz
slocate_2.7-3_i386.deb
  to pool/main/s/slocate/slocate_2.7-3_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kevin Lindsay <email address hidden> (supplier of updated slocate package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 7 Sep 2004 03:20:42 +0000
Source: slocate
Binary: slocate
Architecture: source i386
Version: 2.7-3
Distribution: unstable
Urgency: high
Maintainer: Kevin Lindsay <email address hidden>
Changed-By: Kevin Lindsay <email address hidden>
Description:
slocate - A secure replacment of findutil's locate
Closes: 226103 234563
Changes:
 slocate (2.7-3) unstable; urgency=high
 .
   * 'slocate' sgid privileges are now dropped when searching databases that
     are not a part of the 'slocate' group. This will prevent malicious user
     supplied databases from elevating user access to the 'slocate' group.
     See CAN-2003-0848, (closes: #226103)
   * Changed diversion /etc/cron.daily.find.notslocate to
     /etc/cron.daily/find.notslocate (closes: #234563)
   * I also made the database creation feature drop privileges so that the
     SGID binary can't chown the group of the database to 'slocate' unless
     the user has explicit access.
   * Added a patch which caused LOCATE_PATH to be ignored when '-d' was used,
     and vice versa. This also fixed an off by 1 overflow bug.
Files:
2223bfb26ade197154ce17f424e84743 482 utils optional slocate_2.7-3.dsc
b5b1997b35abbd56db737bca8f54a174 101576 utils optional slocate_2.7-3.tar.gz
c95e2195a2da8660f935bf4485ebcce6 26896 utils optional slocate_2.7-3_i386.deb
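
The first changelog entry describes giving up the sgid group before a database outside the 'slocate' group is searched. The following C sketch of that pattern is an added illustration, not code from slocate or from the message above; the function names, the use of `setregid()` and the fail-closed behaviour are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: trust a database only if it is in the sgid group. */
int db_in_group(const struct stat *st, gid_t priv_gid)
{
    return st->st_gid == priv_gid;
}

/* Permanently give up the sgid group. Returns 0 on success, -1 otherwise. */
int drop_sgid(void)
{
    gid_t rgid = getgid(), old_egid = getegid();
    if (setregid(rgid, rgid) != 0)
        return -1;
    /* Setting the real gid also resets the saved gid, so an unprivileged
     * process must not be able to switch back; a regain counts as failure. */
    if (geteuid() != 0 && old_egid != rgid && setegid(old_egid) == 0)
        return -1;
    return getegid() == rgid ? 0 : -1;
}

/* Open a database and shed the sgid group before any of its bytes are
 * parsed, unless the file is in that group. Returns a descriptor or -1. */
int open_database(const char *path, gid_t priv_gid)
{
    struct stat st;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    /* fstat() the descriptor, not the path, so the check and the later
     * reads refer to the same file; fail closed if the drop fails. */
    if (fstat(fd, &st) != 0 ||
        (!db_in_group(&st, priv_gid) && drop_sgid() != 0)) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    /* getegid() stands in for the group granted by the sgid bit. */
    int fd = open_database(argc > 1 ? argv[1] : "/", getegid());
    printf("fd=%d egid=%ld rgid=%ld\n", fd, (long)getegid(), (long)getgid());
    return fd < 0;
}
```

The group check is made on the open descriptor, and the drop happens before any database content is read, so a crafted database is only ever parsed with the caller's own group.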