[Bug 897525] Re: Security Vulnerability Ember 0.5.7
Marc Deslauriers
marc.deslauriers at canonical.com
Wed Nov 30 13:21:35 UTC 2011
Thanks for the debdiff, but there are a few problems with it:
1- The ember package doesn't exist in Oneiric, yet you seem to be applying a patch to that as per the debian/changelog file.
2- Your debian/changelog entry doesn't contain a proper description of the issue, and the change the patch is accomplishing. See https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging for some examples.
3- The patch itself does not contain proper tags, see http://dep.debian.net/deps/dep3/ for help on the proper tags that need to be added.
4- The patch seems to contain modifications to debian/changelog. That shouldn't be done in a patch, but directly in the file.
I am unsubscribing ubuntu-security-sponsors for now. Once you have
uploaded a correct debdiff, please resubscribe ubuntu-security-sponsors
so it can get looked at. Thanks!
** Changed in: ember (Ubuntu)
Status: Confirmed => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/897525
Title:
Security Vulnerability Ember 0.5.7
Status in “ember” package in Ubuntu:
Incomplete
Bug description:
Ember 0.5.7 places a zero-length directory name in the
LD_LIBRARY_PATH, which allows local users to gain privileges via a
Trojan horse shared library in the current working directory.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ember/+bug/897525/+subscriptions
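
The bug description above concerns a zero-length entry in LD_LIBRARY_PATH. The following is an added example, not part of the original message and not Ember's own launcher code: it shows how a wrapper script typically produces such an entry, the parameter-expansion form that avoids it, and a check for empty entries. The directory /opt/example/lib and all function names are hypothetical.

```shell
#!/bin/sh
# Added example; EXAMPLE_LIBDIR is a hypothetical placeholder directory.
EXAMPLE_LIBDIR="/opt/example/lib"

# has_empty_entry LIST: succeed if the colon-separated LIST contains a
# zero-length element (leading colon, trailing colon, or "::").
has_empty_entry() {
    case "$1" in
        "")          return 1 ;;  # empty value: no entries to check
        :*|*:|*::*)  return 0 ;;
        *)           return 1 ;;
    esac
}

# sanitize LIST: print LIST with zero-length elements removed.
# The body runs in a subshell so IFS and globbing changes do not leak.
sanitize() (
    IFS=:; set -f; out=
    for d in $1; do
        if [ -n "$d" ]; then out="${out:+$out:}$d"; fi
    done
    printf '%s' "$out"
)

# Unsafe form: if the inherited value ($1) is unset or empty, the result
# ends in ":" and therefore carries a zero-length entry.
build_unsafe() {
    printf '%s' "$EXAMPLE_LIBDIR:$1"
}

# Safe form: clean the inherited value, then add the separator only when
# something non-empty remains.
build_safe() {
    inherited=$(sanitize "$1")
    printf '%s' "$EXAMPLE_LIBDIR${inherited:+:$inherited}"
}

# Demo on a constructed case: the inherited LD_LIBRARY_PATH is empty.
for candidate in "$(build_unsafe "")" "$(build_safe "")"; do
    if has_empty_entry "$candidate"; then
        echo "UNSAFE: '$candidate' has a zero-length entry"
    else
        echo "ok:     '$candidate'"
    fi
done
```

The same has_empty_entry check can be run over launcher scripts' resulting values during package review to catch this class of bug before upload.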