ubuntu-translations-coordinators team mailing list archive

Thread
Date

[Bug 1357051] [NEW] Security & runtime + package bloat issue: gdomap .

To: ubuntu-translations-coordinators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1357051@xxxxxxxxxxxxxxxxxx>
Date: Mon, 06 Jun 2016 19:50:51 -0000
Reply-to: Bug 1357051 <1357051@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

*** This bug is a security vulnerability ***

You have been subscribed to a public security bug:

gdomap is running by default yet has no reason to be running by default:
gdomap -N . It is pulled from the chain of file-roller -> unar ->
Depends: gnustep-base-runtime & libgnustep-base1.24 . gdomap is pulled
in from gnustep-base-runtime.

According to Debian it shouldn't be there[in that package] or at least shouldn't be running by default and was changed.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717773

It has also been a pain in terms of being a constant security problem over the years. This random program also runs as root. The included version of 1.24.0 for example fits the <1.24.6 requirement listed here:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2980

There are boatloads more you can find previously and probably many more
to come in the future.

** Affects: elementaryos
     Importance: Medium
     Assignee: Cody Garver (codygarver)
         Status: Fix Released

** Affects: ubuntu-translations
     Importance: Undecided
         Status: Invalid

** Affects: gnustep-base (Ubuntu)
     Importance: High
         Status: Fix Released


** Tags: freya gdomap gnustep patch ubuntu
-- 
Security & runtime + package bloat issue: gdomap .
https://bugs.launchpad.net/bugs/1357051
You received this bug notification because you are a member of Ubuntu Translations Coordinators, which is subscribed to Ubuntu Translations.