
Re: Wheezy update of libsys-syslog-perl?



Dear LTS team,

On 03.08.2016 at 01:15, Jonas Meurer wrote:
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of libsys-syslog-perl:
> https://security-tracker.debian.org/tracker/CVE-2016-1238
> [...]
>
> PPS: Dominic Hargreaves of the pkg-perl team already uploaded a fixed
> libsys-syslog-perl 0.33 to jessie-security. The fix is simple and can be
> overtaken for 0.29 in wheezy. I have already prepared packages. So if
> you don't object, I could do the upload.

Please find the changes file and debdiff for libsys-syslog-perl
0.29-1+deb7u1 attached to this mail. This is going to be my first upload
on behalf of the LTS team, so a quick review by more experienced team
members would be awesome.

The patch itself is pretty straightforward and already applied to
libsys-syslog-perl in Jessie, so I don't expect any problems. Still, a
review would be appreciated, especially regarding things to consider
when uploading to wheezy-security.

I certainly tested upgrade and basic functionality of the built package
in a Wheezy LTS VM.

Cheers,
 jonas

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 03 Aug 2016 01:47:54 +0200
Source: libsys-syslog-perl
Binary: libsys-syslog-perl
Architecture: source amd64
Version: 0.29-1+deb7u1
Distribution: wheezy-stable
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Jonas Meurer <mejo@debian.org>
Description:
 libsys-syslog-perl - Perl interface to the UNIX syslog(3) calls
Changes:
 libsys-syslog-perl (0.29-1+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2016-1238: unsafe module load path flaw.
Checksums-Sha1:
 82ae6f5af77a187e3e517cdec289333f4297b85e 2265 libsys-syslog-perl_0.29-1+deb7u1.dsc
 7b51fca449de2e0cd210d9af2621367cfc91a515 79657 libsys-syslog-perl_0.29.orig.tar.gz
 568e24519496797f0b19827c711010b7d8cc1b15 5115 libsys-syslog-perl_0.29-1+deb7u1.debian.tar.gz
 a7edf1f24f7bfa949f953c7756bc9ea1bd52e416 43780 libsys-syslog-perl_0.29-1+deb7u1_amd64.deb
Checksums-Sha256:
 612690f1b7e03a25ef72a8b10f1a535351b501acd1f0e29f728d1424e8bc91c7 2265 libsys-syslog-perl_0.29-1+deb7u1.dsc
 121f3cf22de99cb714bb9257fb9a3427c51d375d11d3552437305691075bb6a9 79657 libsys-syslog-perl_0.29.orig.tar.gz
 5a8475fc1aa4df0f49ecc59ce5ac1e6aba47c1cc7d5c08a7e82e2af6e25b8277 5115 libsys-syslog-perl_0.29-1+deb7u1.debian.tar.gz
 c2f121f5d7dbf70abbb08e66a0991c43f009fff16627c6f1a5ee1b8c238b5e70 43780 libsys-syslog-perl_0.29-1+deb7u1_amd64.deb
Files:
 bd833b71e12b7605a79e61aad09d464b 2265 perl optional libsys-syslog-perl_0.29-1+deb7u1.dsc
 4c7aeb0a05e8dde2ab05a0b3be19d72c 79657 perl optional libsys-syslog-perl_0.29.orig.tar.gz
 cc88d1e630688cf11a6287fb0c850b57 5115 perl optional libsys-syslog-perl_0.29-1+deb7u1.debian.tar.gz
 da434337206d36ef799b45bcd10ff51d 43780 perl optional libsys-syslog-perl_0.29-1+deb7u1_amd64.deb

diff -Nru libsys-syslog-perl-0.29/debian/changelog libsys-syslog-perl-0.29/debian/changelog
--- libsys-syslog-perl-0.29/debian/changelog	2011-04-19 19:36:38.000000000 +0200
+++ libsys-syslog-perl-0.29/debian/changelog	2016-08-03 01:47:54.000000000 +0200
@@ -1,3 +1,10 @@
+libsys-syslog-perl (0.29-1+deb7u1) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the LTS team.
+  * Fix CVE-2016-1238: unsafe module load path flaw.
+
+ -- Jonas Meurer <mejo@debian.org>  Wed, 03 Aug 2016 01:47:54 +0200
+
 libsys-syslog-perl (0.29-1) unstable; urgency=low
 
   [ Jonathan Yu ]
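Review bot: the target distribution in this new changelog entry is wheezy-security, but the accompanying .changes file carries `Distribution: wheezy-stable`; regenerate the .changes (or correct that field) so both say wheezy-security before uploading, since the archive routes the upload by the .changes field, not by the changelog. Also consider making the second bullet say what the fix does and where it comes from, e.g. "Fix CVE-2016-1238: remove . from @INC in can_load() before loading modules dynamically (patch taken over from 0.33 in jessie-security)", so the changelog points at the code change and its origin.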
diff -Nru libsys-syslog-perl-0.29/debian/patches/CVE-2016-1238.patch libsys-syslog-perl-0.29/debian/patches/CVE-2016-1238.patch
--- libsys-syslog-perl-0.29/debian/patches/CVE-2016-1238.patch	1970-01-01 01:00:00.000000000 +0100
+++ libsys-syslog-perl-0.29/debian/patches/CVE-2016-1238.patch	2016-08-03 01:41:36.000000000 +0200
@@ -0,0 +1,22 @@
+From: Jonas Meurer <mejo@debian.org> (taken over from Dominic Hargreaves <dom@earth.li>)
+Date: Wed, 03 Aug 2016 01:41:25 +0200
+Subject: [PATCH] Remove . from @INC when loading modules dynamically
+ [CVE-2016-1238]
+
+---
+ Syslog.pm | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Syslog.pm b/Syslog.pm
+index a68f817..d972134 100644
+--- a/Syslog.pm
++++ b/Syslog.pm
+@@ -859,6 +859,8 @@ sub silent_eval (&) {
+ sub can_load {
+     my ($module, $verbose) = @_;
+     local($SIG{__DIE__}, $SIG{__WARN__}, $@);
++    local @INC = @INC;
++    pop @INC if $INC[-1] eq '.';
+     my $loaded = eval "use $module; 1";
+     warn $@ if not $loaded and $verbose;
+     return $loaded
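Review bot: `pop @INC if $INC[-1] eq '.';` only strips '.' when it is the final entry of @INC, which matches perl's default layout but leaves a '.' that sits earlier in the list (for example one added through PERL5LIB or -I) in place for the string eval below; filtering the localised copy instead, `local @INC = grep { $_ ne '.' } @INC;`, removes every occurrence and needs no assumption about its position. The `local @INC = @INC;` line correctly confines the change to can_load(), so the caller's @INC is untouched. Minor: a DEP-3 `Origin:` or `Bug-Debian:` header pointing at the jessie-security 0.33 fix would make the patch's provenance visible from the package itself.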
diff -Nru libsys-syslog-perl-0.29/debian/patches/series libsys-syslog-perl-0.29/debian/patches/series
--- libsys-syslog-perl-0.29/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libsys-syslog-perl-0.29/debian/patches/series	2016-08-03 00:00:37.000000000 +0200
@@ -0,0 +1 @@
+CVE-2016-1238.patch
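Review bot: debian/patches/series is created from scratch here (the 1970 timestamp on the old side shows the package carried no patches before), so confirm that debian/source/format reads `3.0 (quilt)`; the `.debian.tar.gz` listed in the .changes file indicates that it does, in which case dpkg-source applies the patch at build time without any change to debian/rules.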
