Daniel Moerner
2009-Feb-06 23:15 UTC
[Secure-testing-team] Bug#514386: iceweasel-firegpg: Vulnerability Affecting FireGPG Passphrase and Cleartext Recovery
Package: iceweasel-firegpg
Version: 0.5.dfsg-1
Severity: grave
Tags: security
Justification: user security hole

Hi,

Debian is currently set to release iceweasel-firegpg in Lenny. Unfortunately, as the firegpg home page explains, version 0.5 suffers from some serious security problems. It seems that the gist of it is the unsafe creation and destruction of 3 temp files.

http://securityvulns.com/Udocument757.html

Upstream did not label their fixing of this in the upstream svn between 0.5.3 and 0.6.0. Three revisions are candidates for the fix: r464, r465, or r467. r467 is the most likely from a brief glance at the code. However, I do not have the time or skill to pull the patch from those revisions that will fix this.

I am hopeful that we can get this resolved before Lenny releases without the need to pull the severely outdated iceweasel-firegpg package, but I'm not sure if that is possible.

Cheers,
Daniel

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.28-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
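The report describes the problem class only in one sentence: temp files holding a passphrase or cleartext, created and destroyed unsafely. The following is an added illustration of that class for a POSIX system, written for this page; it is not code from FireGPG, from the bug report or from the linked advisory, and the file name, directory handling and sample content are constructed. It places the weak pattern (fixed, predictable name in a shared directory, default umask, plain unlink) beside the hardened one (mkstemp with an unpredictable name and mode 0600, overwrite before unlink) and reports what an auditor would check: the resulting permission bits, whether the name is guessable, and whether the file is gone afterwards.

```python
import os
import stat
import tempfile

# Constructed sample stand-in for the passphrase or cleartext the report
# says was written to disk. Not a real secret.
SAMPLE_SECRET = b"constructed passphrase, not a real one"

# Constructed predictable file name used by the weak pattern below.
PREDICTABLE_NAME = "gpg_tmp.txt"


def insecure_tempfile(directory):
    """Weak pattern (illustrative, not FireGPG's code): fixed name, default
    umask, so other local users can typically read the file while it exists.
    The umask is pinned to the common default 022 so the result is
    deterministic for the demonstration."""
    old_umask = os.umask(0o022)
    try:
        path = os.path.join(directory, PREDICTABLE_NAME)
        with open(path, "wb") as f:
            f.write(SAMPLE_SECRET)
    finally:
        os.umask(old_umask)
    return path


def secure_tempfile(directory):
    """Hardened pattern: mkstemp opens the file with O_CREAT|O_EXCL under an
    unpredictable name and mode 0600, so it cannot be pre-created or read by
    another local user."""
    fd, path = tempfile.mkstemp(dir=directory, prefix=".gpgtmp-")
    try:
        os.write(fd, SAMPLE_SECRET)
        os.fsync(fd)
    finally:
        os.close(fd)
    return path


def file_mode(path):
    """Permission bits only (e.g. 0o600), stripped of the file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def wipe_and_unlink(path):
    """Best-effort overwrite before unlink so the cleartext is not left in
    freed blocks. This is not a guarantee on journaling or copy-on-write
    filesystems or on SSDs; not writing secrets to disk is the real fix."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        f.write(b"\0" * size)
        f.flush()
        os.fsync(f.fileno())
    os.unlink(path)
    return not os.path.exists(path)


def demo(directory=None):
    """Create both files, record what an auditor would check, clean up."""
    created_dir = directory is None
    directory = directory or tempfile.mkdtemp()
    weak = insecure_tempfile(directory)
    strong = secure_tempfile(directory)
    result = {
        "weak_mode": file_mode(weak),
        "weak_world_readable": bool(file_mode(weak) & stat.S_IROTH),
        "strong_mode": file_mode(strong),
        "strong_name_predictable": os.path.basename(strong) == PREDICTABLE_NAME,
        "removed": wipe_and_unlink(weak) and wipe_and_unlink(strong),
    }
    if created_dir:
        os.rmdir(directory)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value if not isinstance(value, int) or isinstance(value, bool) else oct(value)}")
```

Run on its own, the script shows the weak file at 0644 and world-readable, the mkstemp file at 0600 with a random suffix, and both removed after the overwrite. Even the hardened variant is only a mitigation: a process that must handle a passphrase should keep it in memory or pass it over a pipe rather than through a file.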