Dear LTS team,

On 03.08.2016 at 01:15, Jonas Meurer wrote:
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of libsys-syslog-perl:
> https://security-tracker.debian.org/tracker/CVE-2016-1238
> [...]
>
> PPS: Dominic Hargreaves of the pkg-perl team already uploaded a fixed
> libsys-syslog-perl 0.33 to jessie-security. The fix is simple and can be
> taken over for 0.29 in wheezy. I have already prepared packages. So if
> you don't object, I could do the upload.

Please find the changes file and debdiff for libsys-syslog-perl 0.29-1+deb7u1 attached to this mail.

This is going to be my first upload on behalf of the LTS team, so a quick review by more experienced team members would be awesome. The patch itself is pretty straightforward and is already applied to libsys-syslog-perl in Jessie, so I don't expect any problems. Still, a review would be appreciated, especially regarding things to consider when uploading to wheezy-security. I certainly tested the upgrade and basic functionality of the built package in a Wheezy LTS VM.

Cheers,
 jonas
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 03 Aug 2016 01:47:54 +0200
Source: libsys-syslog-perl
Binary: libsys-syslog-perl
Architecture: source amd64
Version: 0.29-1+deb7u1
Distribution: wheezy-stable
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Jonas Meurer <mejo@debian.org>
Description:
 libsys-syslog-perl - Perl interface to the UNIX syslog(3) calls
Changes:
 libsys-syslog-perl (0.29-1+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2016-1238: unsafe module load path flaw.
Checksums-Sha1:
 82ae6f5af77a187e3e517cdec289333f4297b85e 2265 libsys-syslog-perl_0.29-1+deb7u1.dsc
 7b51fca449de2e0cd210d9af2621367cfc91a515 79657 libsys-syslog-perl_0.29.orig.tar.gz
 568e24519496797f0b19827c711010b7d8cc1b15 5115 libsys-syslog-perl_0.29-1+deb7u1.debian.tar.gz
 a7edf1f24f7bfa949f953c7756bc9ea1bd52e416 43780 libsys-syslog-perl_0.29-1+deb7u1_amd64.deb
Checksums-Sha256:
 612690f1b7e03a25ef72a8b10f1a535351b501acd1f0e29f728d1424e8bc91c7 2265 libsys-syslog-perl_0.29-1+deb7u1.dsc
 121f3cf22de99cb714bb9257fb9a3427c51d375d11d3552437305691075bb6a9 79657 libsys-syslog-perl_0.29.orig.tar.gz
 5a8475fc1aa4df0f49ecc59ce5ac1e6aba47c1cc7d5c08a7e82e2af6e25b8277 5115 libsys-syslog-perl_0.29-1+deb7u1.debian.tar.gz
 c2f121f5d7dbf70abbb08e66a0991c43f009fff16627c6f1a5ee1b8c238b5e70 43780 libsys-syslog-perl_0.29-1+deb7u1_amd64.deb
Files:
 bd833b71e12b7605a79e61aad09d464b 2265 perl optional libsys-syslog-perl_0.29-1+deb7u1.dsc
 4c7aeb0a05e8dde2ab05a0b3be19d72c 79657 perl optional libsys-syslog-perl_0.29.orig.tar.gz
 cc88d1e630688cf11a6287fb0c850b57 5115 perl optional libsys-syslog-perl_0.29-1+deb7u1.debian.tar.gz
 da434337206d36ef799b45bcd10ff51d 43780 perl optional libsys-syslog-perl_0.29-1+deb7u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJXobG0AAoJEBvzc5c7ZRqn7SMQALroJUuUXwnQGIoBZ7fIIe66
MmdxtuqxBbT8zOHe+E5V0rMKbZ2tH5CWZhcmerlqFowqvydS2Rd0I3Im/gLyvwX7
DSZ7hxHpBULAGhkoytob5UVmjnW/vsnkH7jO+XHT2zMjoN4owl57rpjd6OccvB3m
cCMYLFZI1kOGxgMGMW3Y98ra9a7zjKKpz9u6QDVSfv7DW6fCms2LSaSVHHOau6zG
BDYyU8xi8ayWGKLuyyFChVjY4jxu0uDzadGTpPouf8LTseRbXm4rqFBMWaF3YhVj
VVvOZ8XRbaOEVf03gexfEA/0O9DfOk0Psp6Oq4gN4+32j9V5yGMxviwaL61jgCb5
nOjoP4xw7lSwTH/B0wxOBzURsw3e318+xWhYfTh6H1shNS+LBOwn5LFzC3xodflK
YCdu5d8NLhCzjq16Qqpyrem5QwP+g/SL7X5bMPTHN0Q0sRg279iDSjQ/ALBUJGH+
j4ZxWqdwXasYekph9n7sA0PP1dnN6tk8h6O9xtBugku03LatVrlOPb3JrGVyju3b
i+lQn8TardFaIYjv4K8nm8uD0SqyOpVehPcuDdwVMjzEISD3UHYpPy+Pp2HvFMIl
4ZZg7pA3JA+BbJSGnlmnlO7u5shweh8GB1wqpQafMw0GhXXlUpA8nUfRvn/JaMbs
TFytO5wxwUm2kLdZVCnz
=04VH
-----END PGP SIGNATURE-----
diff -Nru libsys-syslog-perl-0.29/debian/changelog libsys-syslog-perl-0.29/debian/changelog --- libsys-syslog-perl-0.29/debian/changelog 2011-04-19 19:36:38.000000000 +0200 +++ libsys-syslog-perl-0.29/debian/changelog 2016-08-03 01:47:54.000000000 +0200 @@ -1,3 +1,10 @@ +libsys-syslog-perl (0.29-1+deb7u1) wheezy-security; urgency=high + + * Non-maintainer upload by the LTS team. + * Fix CVE-2016-1238: unsafe module load path flaw. + + -- Jonas Meurer <mejo@debian.org> Wed, 03 Aug 2016 01:47:54 +0200 + libsys-syslog-perl (0.29-1) unstable; urgency=low [ Jonathan Yu ] diff -Nru libsys-syslog-perl-0.29/debian/patches/CVE-2016-1238.patch libsys-syslog-perl-0.29/debian/patches/CVE-2016-1238.patch --- libsys-syslog-perl-0.29/debian/patches/CVE-2016-1238.patch 1970-01-01 01:00:00.000000000 +0100 +++ libsys-syslog-perl-0.29/debian/patches/CVE-2016-1238.patch 2016-08-03 01:41:36.000000000 +0200 @@ -0,0 +1,22 @@ +From: Jonas Meurer <mejo@debian.org> (taken over from Dominic Hargreaves <dom@earth.li>) +Date: Wed, 03 Aug 2016 01:41:25 +0200 +Subject: [PATCH] Remove . from @INC when loading modules dynamically + [CVE-2016-1238] + +--- + Syslog.pm | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/Syslog.pm b/Syslog.pm +index a68f817..d972134 100644 +--- a/Syslog.pm ++++ b/Syslog.pm +@@ -859,6 +859,8 @@ sub silent_eval (&) { + sub can_load { + my ($module, $verbose) = @_; + local($SIG{__DIE__}, $SIG{__WARN__}, $@); ++ local @INC = @INC; ++ pop @INC if $INC[-1] eq '.'; + my $loaded = eval "use $module; 1"; + warn $@ if not $loaded and $verbose; + return $loaded diff -Nru libsys-syslog-perl-0.29/debian/patches/series libsys-syslog-perl-0.29/debian/patches/series --- libsys-syslog-perl-0.29/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ libsys-syslog-perl-0.29/debian/patches/series 2016-08-03 00:00:37.000000000 +0200 @@ -0,0 +1 @@ +CVE-2016-1238.patch
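Review bot: in the Syslog.pm hunk of debian/patches/CVE-2016-1238.patch, `pop @INC if $INC[-1] eq '.';` removes '.' only when it is the trailing element of @INC, so a '.' that sits earlier in the list (PERL5LIB=. or a caller's `use lib '.'` both produce that) is still searched by the following `eval "use $module; 1"`, and a module that is not installed on the system can still be picked up from the current working directory. `local @INC = grep { $_ ne '.' } @INC;` covers every position with the same one-line footprint; if matching the jessie patch byte-for-byte is the priority, the gap is at least worth a sentence in the patch header. The `local @INC = @INC;` line is correct as written: it confines the change to can_load instead of altering the caller's @INC for the rest of the process. On the header itself, the DEP-3 block names the author and the person the patch was taken over from but has no Origin: or Bug-Debian: field; adding Origin: with a pointer to the jessie patch this was copied from would make the provenance checkable without reading the mail thread.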
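The following script is an added illustration of the flaw the patch addresses and of how the fix behaves; it is not part of the thread, of the debdiff, or of Sys::Syslog. It plants a constructed module file under a made-up name (Hypothetical::OptionalDep, chosen because nothing of that name is installed anywhere) in a temporary directory, changes into that directory, and then tries to load it with three loaders: a copy of the search logic of the pre-fix can_load from Sys::Syslog 0.29, the positional `pop @INC` from the deb7u1 patch, and a stricter `grep` filter (the signal-handler localisation of the real can_load is left out because it does not affect the search path). Because perl 5.26 and later no longer put '.' into the default @INC, the script places '.' explicitly, once at the end (the layout every perl before 5.26 had) and once in front (the layout PERL5LIB=. produces).

```perl
#!/usr/bin/perl
# Added demonstration of module hijacking through '.' in @INC (CVE-2016-1238
# class). Not part of the thread or of Sys::Syslog. The three loaders mirror
# can_load() from Sys::Syslog 0.29 (pre-fix), the deb7u1 patch, and a
# stricter grep-based variant.
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Path qw(make_path);
use File::Temp qw(tempdir);

# Hypothetical module name: installed nowhere on the system, so a search of
# @INC can only succeed if the current directory is searched.
my $MODULE = 'Hypothetical::OptionalDep';
my $INC_KEY;            # %INC key of the planted file, set by plant_module()
our $PLANTED_RAN = 0;   # set to 1 by the planted module's load-time code

# Pre-fix behaviour: every entry of @INC, '.' included, is searched.
sub unsafe_can_load {
    my ($module) = @_;
    local $@;
    return eval("use $module; 1") ? 1 : 0;
}

# The deb7u1 patch: drop '.' only when it is the last entry of @INC.
sub patched_can_load {
    my ($module) = @_;
    local $@;
    local @INC = @INC;
    pop @INC if $INC[-1] eq '.';
    return eval("use $module; 1") ? 1 : 0;
}

# Stricter alternative: drop '.' wherever it appears in @INC.
sub filtered_can_load {
    my ($module) = @_;
    local $@;
    local @INC = grep { $_ ne '.' } @INC;
    return eval("use $module; 1") ? 1 : 0;
}

# Write a module file under $dir that records that it was executed; this is a
# constructed stand-in for attacker-controlled code dropped into a writable cwd.
sub plant_module {
    my ($dir, $module) = @_;
    (my $rel = $module) =~ s{::}{/}g;
    $rel .= '.pm';                              # Hypothetical/OptionalDep.pm
    my ($parent) = "$dir/$rel" =~ m{^(.*)/};
    make_path($parent);
    open my $fh, '>', "$dir/$rel" or die "open $dir/$rel: $!";
    print $fh "package $module;\n\$main::PLANTED_RAN = 1;\n1;\n";
    close $fh or die "close $dir/$rel: $!";
    return $rel;
}

# Forget any previous load so each loader starts from a clean state.
sub reset_state {
    delete $INC{$INC_KEY};
    $PLANTED_RAN = 0;
}

my @loaders = (
    [ 'unsafe_can_load (0.29)'    => \&unsafe_can_load   ],
    [ 'patched_can_load (deb7u1)' => \&patched_can_load  ],
    [ 'filtered_can_load (grep)'  => \&filtered_can_load ],
);

# Run every loader against one @INC layout and report whether the planted
# file was found and whether its load-time code executed.
sub try_all {
    my ($label, @inc) = @_;
    print "$label\n";
    for my $entry (@loaders) {
        my ($name, $code) = @$entry;
        reset_state();
        local @INC = @inc;
        my $loaded = $code->($MODULE);
        printf "  %-28s loaded=%d planted_code_ran=%d\n",
            $name, $loaded, $PLANTED_RAN;
    }
}

my $dir      = tempdir(CLEANUP => 1);
my $orig_cwd = getcwd();
$INC_KEY = plant_module($dir, $MODULE);
chdir $dir or die "chdir $dir: $!";

my @inc_without_dot = grep { $_ ne '.' } @INC;
# Layout 1: '.' as the trailing entry, the default of every perl before 5.26.
try_all("'.' last in \@INC (pre-5.26 default):", @inc_without_dot, '.');
# Layout 2: '.' in front, as PERL5LIB=. or a caller's 'use lib' produces.
try_all("'.' first in \@INC (e.g. PERL5LIB=.):", '.', @inc_without_dot);

chdir $orig_cwd or die "chdir $orig_cwd: $!";
```

With '.' at the end of @INC the unsafe loader finds the planted file and runs its code while both guarded loaders report the module as unavailable, which is the behaviour the patch buys. With '.' at the front only the grep variant refuses the file; the positional pop leaves that '.' in place and loads it exactly as the unpatched code does.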