Bug#633870: CVE-2011-2684 fix in {old,}stable ?

To: Didier Raboud <odyx@debian.org>
Cc: <633870@bugs.debian.org>, <debian-release@lists.debian.org>
Subject: Bug#633870: CVE-2011-2684 fix in {old,}stable ?
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Tue, 26 Jul 2011 20:28:42 +0100
Message-id: <[🔎] 73da4f47edc73ebbd2c86c998bdf18de@adsl.funky-badger.org>
Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 633870@bugs.debian.org
In-reply-to: <[🔎] 201107261152.36316.odyx@debian.org>
References: <[🔎] 201107261152.36316.odyx@debian.org>

On Tue, 26 Jul 2011 11:52:27 +0200, Didier Raboud wrote:

As Martin mentionned in the 633870 bugreport, CVE-2011-2684 "could"be fixed

in a fixed point release.

The proposed debdiff for squeeze is attached (the fix was uploaded to
unstable already and given the non-severe nature if this bug I don't
think an upload to testing is worth.


Probably not, no.

What do you think ? (And would a fix to lenny be needed ?)


Looking at the patch:

++NEWPWD=`mktemp --tmpdir --directory foo2zjs.XXXXXX`

++cd "$NEWPWD"

What happens if mktemp fails? The script in question appears to beneither -e nor -u, so afaics there's the possibility for the codefollowing the above snippet to be run in whatever happens to be thecurrent directory when the script is run.


Regards,

Adam

Reply to:

References:
- Bug#633870: CVE-2011-2684 fix in {old,}stable ?
  - From: Didier Raboud <odyx@debian.org>

Prev by Date: epson-inkjet-printer-escpr_1.0.4-1_amd64.changes ACCEPTED into unstable
Next by Date: Bug#635549: Two security issues
Previous by thread: Bug#633870: CVE-2011-2684 fix in {old,}stable ?
Next by thread: Processing of foo2zjs_20110722dfsg-2_amd64.changes
Index(es):
- Date
- Thread