
Bug#949393: marked as done (storebackup: CVE-2020-7040: denial of service and symlink attack vector via fixed lockfile path /tmp/storeBackup.lock)



Your message dated Fri, 10 Jul 2020 15:02:09 +0000
with message-id <E1jtuXR-000CpH-O6@fasolo.debian.org>
and subject line Bug#949393: fixed in storebackup 3.2.1-2~deb10u1
has caused the Debian Bug report #949393,
regarding storebackup: CVE-2020-7040: denial of service and symlink attack vector via fixed lockfile path /tmp/storeBackup.lock
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
949393: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949393
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: storebackup
Version: 3.2.1-1
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for storebackup.

CVE-2020-7040[0]:
|storeBackup: denial of service and symlink attack vector via fixed
|lockfile path /tmp/storeBackup.lock

The RC severity per se is a bit exaggerated for the issue, but given
the package is orphaned we should be careful about including the package
in bullseye.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-7040
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7040
[1] https://www.openwall.com/lists/oss-security/2020/01/20/3
[2] https://bugzilla.suse.com/show_bug.cgi?id=1156767

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: storebackup
Source-Version: 3.2.1-2~deb10u1
Done: Adrian Bunk <bunk@debian.org>

We believe that the bug you reported is fixed in the latest version of
storebackup, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 949393@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <bunk@debian.org> (supplier of updated storebackup package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 09 Jul 2020 14:59:51 +0300
Source: storebackup
Architecture: source
Version: 3.2.1-2~deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 949393
Changes:
 storebackup (3.2.1-2~deb10u1) buster; urgency=medium
 .
   * QA upload.
   * Rebuild for buster.
 .
 storebackup (3.2.1-2) unstable; urgency=medium
 .
   * QA upload.
   * Set maintainer to Debian QA Group. (see #856299)
   * Add patch to change the way the lockfile is opened in the Perl code.
     (Fixes: CVE-2020-7040) (Closes: #949393)
Checksums-Sha1:
 df336890c1d9d6e90c58fc9a39ba2a682956bbdc 1916 storebackup_3.2.1-2~deb10u1.dsc
 faf60740a718a2ad339978e01b015bc9ca350659 8920 storebackup_3.2.1-2~deb10u1.debian.tar.xz
Checksums-Sha256:
 a156fbed669820fd705074b8730cbf1090eb4d21c05a6976b460296eec9462e6 1916 storebackup_3.2.1-2~deb10u1.dsc
 45691f54126d53aca02338453a761c2dfbe22c21bf642c6e217f74ff530af339 8920 storebackup_3.2.1-2~deb10u1.debian.tar.xz
Files:
 afdc74a765f782581dbf156880abea0e 1916 utils optional storebackup_3.2.1-2~deb10u1.dsc
 7c5a6d4b803350bca130dc898eea4571 8920 utils optional storebackup_3.2.1-2~deb10u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
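As an added illustration of the class of fix the changelog entry describes ("change the way the lockfile is opened in the Perl code"), and not storeBackup's actual patch or source, the Perl below places the weak pattern named in the CVE title, a fixed lockfile path under the shared /tmp directory, beside a hardened lockfile routine. The lock directory location, the function names and the pid-recording detail are assumptions of this example, not behaviour taken from the package.

```perl
#!/usr/bin/perl
# Added example (not storeBackup's code): lockfile handling for a backup tool,
# the weak pattern from the CVE title beside a hardened replacement.
use strict;
use warnings;
use Fcntl qw(:DEFAULT :flock);
use File::Spec;
use IO::Handle;

# Weak pattern: a fixed name in the world-writable /tmp directory.  Any local
# user can pre-create the file (the real run then refuses to start: denial of
# service) or place a symlink there, which open() follows and truncates when
# the backup runs with higher privileges.  Shown for contrast only; not called.
sub acquire_lock_weak {
    my $path = '/tmp/storeBackup.lock';
    open(my $fh, '>', $path) or return undef;    # follows symlinks, clobbers target
    flock($fh, LOCK_EX | LOCK_NB) or return undef;
    return $fh;
}

# Hardened pattern (assumed design for this example):
#  - the lockfile lives in a directory only the backup user can write,
#    e.g. /run/lock/storebackup created with mode 0700 by the service setup;
#  - the final path component is opened with O_NOFOLLOW so a planted symlink
#    makes the open fail instead of being followed;
#  - the file is created by us with a restrictive mode;
#  - the lock is an advisory flock() on the open descriptor, so a stale file
#    left by a crashed run does not block the next run.
# Returns ($filehandle, undef) on success or (undef, $reason) on failure.
sub acquire_lock {
    my ($lock_dir) = @_;
    my $path = File::Spec->catfile($lock_dir, 'storeBackup.lock');

    # Policy check on the directory: must exist, be a real directory, be ours,
    # and not be writable by group or others.
    my @st = lstat($lock_dir) or return (undef, "lock dir missing: $!");
    return (undef, "lock dir is not a directory") unless -d _;
    return (undef, "lock dir not owned by us")    unless $st[4] == $>;
    return (undef, "lock dir writable by others") if $st[2] & 022;

    my $fh;
    sysopen($fh, $path, O_RDWR | O_CREAT | O_NOFOLLOW, 0600)
        or return (undef, "cannot open lockfile: $!");

    # Check the object we actually opened (not the path) to close the window
    # between the directory check and the open: plain file, owned by us.
    my @fst = stat($fh);
    return (undef, "lockfile is not a regular file") unless -f _;
    return (undef, "lockfile not owned by us")       unless $fst[4] == $>;

    flock($fh, LOCK_EX | LOCK_NB)
        or return (undef, "another instance holds the lock");

    # Record our pid for operators; truncate first because a stale file from
    # an earlier run may be reused.
    truncate($fh, 0);
    seek($fh, 0, 0);
    print {$fh} "$$\n";
    $fh->flush;
    return ($fh, undef);
}

# Usage (constructed): a private lock directory under the caller's control.
unless (caller) {
    my $dir = $ENV{STOREBACKUP_LOCK_DIR} // "$ENV{HOME}/.cache/storebackup-lock";
    mkdir $dir, 0700 unless -d $dir;
    my ($lock, $err) = acquire_lock($dir);
    die "refusing to run: $err\n" unless $lock;
    print "lock held by pid $$, backup may proceed\n";
    # ... backup work ...  The lock is released when $lock is closed or the
    # process exits, so no cleanup step can leave a blocking stale lock behind.
}
```

The directory checks use lstat on the path and are only a policy check; the checks that matter for the symlink case are O_NOFOLLOW on the open and the stat of the resulting descriptor, since those look at the object actually opened rather than at a path that another local user may change in between. flock is advisory, which is fine here because both instances that need to coordinate are the same program.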