Bug#279680: , 278278: CAN-2004-0968 security issue with glibc
Hi,
At Mon, 22 Nov 2004 10:55:22 +0100,
Martin Pitt wrote:
> Please note that I already filed #278278 way before this bug (it also
> has a patch attached). Apparently the patch was not included in the
> version from Oct 5, can you please fix this issue in the next time?
>
> My patch also contains a patch for glibcbug. You should not remove
> glibcbug from woody, but rather patch it for not breaking anything
> that worked before.
Thanks for your notification, I'll put the fix for #278278 to svn/cvs
soon after checking the result of rebuild. This problem will be fixed
in 2.3.2.ds1-19 (unstable/sarge). From debian/changelog:
  - debian/patches/glibc232-catchsegv-insecure-temp.dpatch: Add fix
    CAN-2004-0968: catchsegv creates insecure temporary file.
    (Closes: #278278)
  - debian/debhelper.in/libc.install: Remove glibcbug to fix CAN-2004-0968,
    and it's meaningless to include nowadays. (Closes: #205600)
  - debian/debhelper.in/libc.manpages: Remove glibcbug.1 from manpage.
  - debian/patches/glibcbug.dpatch: Add comment to be removed.
I removed glibcbug from unstable/sarge (but not stable) because it's
already meaningless in the current version. I pulled the patch from
upstream that reinforces with additional lines for catchsegv.
Martin, I reviewed your patch. It seems nice, but I have the
following question:
* Looking at the trap line, SIGQUIT is removed. I think we should add
"QUIT" to the trap line.
-trap 'rm -f $TEMP $TEMPx; exit 1' 1 2 3 13 15
+trap 'rm -f "$TEMP" "$TEMPx"; exit 1' HUP INT PIPE TERM
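Review bot: The replacement trap line names only HUP INT PIPE TERM, while the old numeric list 1 2 3 13 15 also covered signal 3 (QUIT), so a SIGQUIT now terminates the script without running the rm -f cleanup and leaves "$TEMP" and "$TEMPx" behind. Suggest listing HUP INT QUIT PIPE TERM so the symbolic names cover the same signals as before. The quoting added around the two variables in the rm command should stay as it is.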
Security team, I'll send you the patch for debian/woody's
version after the recompilation test.
Regards,
-- gotom