Secure testing team - Nov 2008 - libpam-mount CVE-2008-5138

Hi Bastian

I was wondering, what are your plans for lenny regarding the insecure tempfile 
issue (CVE-2008-5138)[0]? From what I can see the script is not available in 
sid anymore, so can we just drop it? Otherwise it shouldn''t be too hard
to
come up with a patch using mktemp. I am happy to take care of that and NMU, 
if the script is still needed, but wanted to check with you first.

Cheers
Steffen

[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5138
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
Url :
http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20081124/8e50d632/attachment.pgp

Hello Steffen,

Am Monday 24 November 2008 12:13:55 schrieb Steffen
Joeris:
> I was wondering, what are your plans for lenny regarding the insecure
> tempfile issue (CVE-2008-5138)[0]? From what I can see the script is not
> available in sid anymore, so can we just drop it?
Yes, it can be dropped. The script has been removed in recent versions of 
libpam-mount. The script version 0.43 in lenny is broken anyway since it uses 
the old configuration format instead of the new XML format.

I will prepare an upload for testing-security, which also fixes #502146

Regards,
  Bastian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
Url :
http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20081125/f4dd70ef/attachment.pgp