Information disclosure Vulnerability

Please check the attached precise patch. Since the package doesn't have a patch system. So let me know if I have to change anything.
Tested: Upgrading, retested that bug is corrected (unclean disconnect)

The attachment "lp1088355-precise.debdiff" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-sponsors team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

Thanks for the debdiff, however, I have a few comments:

- Since the package doesn't have a patch system, you can't just add a patch to the debian/patches directory. In this case, you must directly modify the attach.c file.
- Lucid, Oneiric, and Precise all have the same version (0.8-2). The new versioning needs to reflect that. Please use 0.8-2ubuntu0.12.04.1 for precise. (See https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging)
- Since there won't be a patch in the new debdiff, please add the link to the upstream fix in the debian/changes file.

Thanks!

Unsubscribing ubuntu-security-sponsors for now, please re-subscribe ubuntu-security-sponsors when an updated debdiff is available.

Thanks for the infos. I will prepare another patch which should reflect your input.

One question about your last comment. Did you mean add the link to the upstream fix to the debian/changelog file or create a new debian/changes file since there is no such file yet?

Second try for the precise debdiff. Let me know if everything is correct now. Specially with the link to the upstream fix from my comment before.

Thanks.

Your debdiff looks good, thanks!
I'll use the same one for lucid, oneiric, and precise, since they are all based on the same version.

I'll upload these today.

This bug was fixed in the package dtach - 0.8-2ubuntu0.10.04.1

---------------
dtach (0.8-2ubuntu0.10.04.1) lucid-security; urgency=low

  * SECURITY-UPDATE: information disclosure on unclean disconnect
    (LP: #1088355)
    - attach.c(attach_main): Clean check of read operation. Based on upstream
      patch
      (http://sourceforge.net/tracker/download.php?group_id=36489&atid=417357&file_id=441195&aid=3517812)
    - CVE-2012-3368
 -- Christian Kuersteiner <email address hidden> Sat, 15 Dec 2012 22:43:09 +0700

This bug was fixed in the package dtach - 0.8-2ubuntu0.12.04.1

---------------
dtach (0.8-2ubuntu0.12.04.1) precise-security; urgency=low

  * SECURITY-UPDATE: information disclosure on unclean disconnect
    (LP: #1088355)
    - attach.c(attach_main): Clean check of read operation. Based on upstream
      patch
      (http://sourceforge.net/tracker/download.php?group_id=36489&atid=417357&file_id=441195&aid=3517812)
    - CVE-2012-3368
 -- Christian Kuersteiner <email address hidden> Sat, 15 Dec 2012 22:43:09 +0700

This bug was fixed in the package dtach - 0.8-2ubuntu0.11.10.1

---------------
dtach (0.8-2ubuntu0.11.10.1) oneiric-security; urgency=low

  * SECURITY-UPDATE: information disclosure on unclean disconnect
    (LP: #1088355)
    - attach.c(attach_main): Clean check of read operation. Based on upstream
      patch
      (http://sourceforge.net/tracker/download.php?group_id=36489&atid=417357&file_id=441195&aid=3517812)
    - CVE-2012-3368
 -- Christian Kuersteiner <email address hidden> Sat, 15 Dec 2012 22:43:09 +0700