Bug#659296: Comments on the 0.4.1-6 upload

To: 659296@bugs.debian.org
Subject: Bug#659296: Comments on the 0.4.1-6 upload
From: Florian Weimer <fw@deneb.enyo.de>
Date: Mon, 13 Feb 2012 16:32:26 +0100
Message-id: <[🔎] 87fweeda0l.fsf@mid.deneb.enyo.de>
Reply-to: Florian Weimer <fw@deneb.enyo.de>, 659296@bugs.debian.org

Vasudev Kamath asked me to include this information in the bug report.

From: Florian Weimer <fw@deneb.enyo.de>
Subject: Re: Accepted surf 0.4.1-6 (source i386)
To: Vasudev Kamath <kamathvasudev@gmail.com>
Date: Fri, 10 Feb 2012 23:18:36 +0100
Message-ID: <87vcnemiwz.fsf@mid.deneb.enyo.de>

* Vasudev Kamath:

>  surf (0.4.1-6) unstable; urgency=high
>  .
>    * QA upload.
>    * debian/patches:
>      + Added fix-insecure-permissions.patch to fix world readable cookie jar
>        vulnerability CVE-2012-0842. (Closes: #659296)

-               g_mkdir_with_parents(apath, 0755);
+               g_mkdir_with_parents(apath, 0700);

I think you should also downgrade the permissions from 0755 if the
directory exists (in case we want to keep the package alive, which I doubt).

[Addendum: It is sufficient to do this with just one component of the
path.]

Reply to:

Follow-Ups:
- Bug#659296: Comments on the 0.4.1-6 upload
  - From: Jakub Wilk <jwilk@debian.org>

Prev by Date: Intent to upload mpdscribble to fix pending po-debconf l10n bugs
Next by Date: Bug#659296: Comments on the 0.4.1-6 upload
Previous by thread: Re: Intent to upload mpdscribble to fix pending po-debconf l10n bugs
Next by thread: Bug#659296: Comments on the 0.4.1-6 upload
Index(es):
- Date
- Thread