
Bug#949393: marked as done (storebackup: CVE-2020-7040: denial of service and symlink attack vector via fixed lockfile path /tmp/storeBackup.lock)



Your message dated Fri, 10 Jul 2020 15:02:32 +0000
with message-id <E1jtuXo-000Cva-DY@fasolo.debian.org>
and subject line Bug#949393: fixed in storebackup 3.2.1-2~deb9u1
has caused the Debian Bug report #949393,
regarding storebackup: CVE-2020-7040: denial of service and symlink attack vector via fixed lockfile path /tmp/storeBackup.lock
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
949393: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949393
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: storebackup
Version: 3.2.1-1
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for storebackup.

CVE-2020-7040[0]:
|storeBackup: denial of service and symlink attack vector via fixed
|lockfile path /tmp/storeBackup.lock

The RC severity per se is a bit exaggerated for the issue, but given
the package is orphaned we should be careful about including the package
in bullseye.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-7040
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7040
[1] https://www.openwall.com/lists/oss-security/2020/01/20/3
[2] https://bugzilla.suse.com/show_bug.cgi?id=1156767

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: storebackup
Source-Version: 3.2.1-2~deb9u1
Done: Adrian Bunk <bunk@debian.org>

We believe that the bug you reported is fixed in the latest version of
storebackup, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 949393@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <bunk@debian.org> (supplier of updated storebackup package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 09 Jul 2020 14:54:23 +0300
Source: storebackup
Binary: storebackup
Architecture: source
Version: 3.2.1-2~deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Adrian Bunk <bunk@debian.org>
Description:
 storebackup - fancy compressing managing checksumming deduplicating hard-linkin
Closes: 949393
Changes:
 storebackup (3.2.1-2~deb9u1) stretch; urgency=medium
 .
   * QA upload.
   * Rebuild for stretch.
 .
 storebackup (3.2.1-2) unstable; urgency=medium
 .
   * QA upload.
   * Set maintainer to Debian QA Group. (see #856299)
   * Add patch to change the way the lockfile is opened in the Perl code.
     (Fixes: CVE-2020-7040) (Closes: #949393)
Checksums-Sha1:
 dae8a3ec72893cb4de688e0063276c8dda51cfb3 1912 storebackup_3.2.1-2~deb9u1.dsc
 f2ec33d5ef6d5ff57d3591e3c6f425dd23ce8ec9 8924 storebackup_3.2.1-2~deb9u1.debian.tar.xz
Checksums-Sha256:
 bd959ebab6f454fcd9ee0ea8d9dbe71f6fadcadee700334456c13f8bc6b2d5b5 1912 storebackup_3.2.1-2~deb9u1.dsc
 c9a98527d0c1fbb2cdc95c39df297420ae00a3b10670ab83032bb86475260f9c 8924 storebackup_3.2.1-2~deb9u1.debian.tar.xz
Files:
 068a7551d3a2bccfd0b9933b4349c476 1912 utils optional storebackup_3.2.1-2~deb9u1.dsc
 4c1d579c6f40f320c8e48e40f21cca81 8924 utils optional storebackup_3.2.1-2~deb9u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
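The bug report above describes the weak pattern (a lockfile at a fixed, predictable path under the world-writable /tmp, giving a denial-of-service and symlink vector), and the changelog records that the fix changed "the way the lockfile is opened in the Perl code". The following is an added example written for this page, not storebackup's own code or the actual Debian patch: it places the weak open next to a hardened open of the kind such a fix would use. The function names, the lock directory and the lock file names other than /tmp/storeBackup.lock are assumptions for illustration; the demonstration runs entirely inside a constructed temporary directory.

```perl
#!/usr/bin/perl
# Added example, not storebackup's own code: a lockfile opened at a fixed path
# in /tmp (the pattern CVE-2020-7040 describes) beside a hardened variant.
# Function and directory names are assumptions for illustration.
use strict;
use warnings;
use Fcntl qw(:DEFAULT :flock);
use File::Spec;
use File::Temp qw(tempdir);
use IO::Handle;

# Weak pattern: fixed, predictable path in the world-writable /tmp, opened
# with ">" (create + truncate, follows symlinks). Another local user can
# occupy the name beforehand (denial of service) or place a symlink there so
# the backup process's write lands elsewhere (symlink attack).
sub open_lock_weak {
    my $path = '/tmp/storeBackup.lock';           # fixed path named in the CVE
    open(my $fh, '>', $path) or return undef;     # follows symlinks, truncates
    flock($fh, LOCK_EX | LOCK_NB) or return undef;
    print $fh "$$\n";
    return $fh;
}

# Hardened pattern:
#  1. keep the lockfile in a directory the backup user owns that is not
#     writable by group or other (a per-user or service-specific directory);
#  2. refuse to run if that directory is writable by others, since the sticky
#     bit on /tmp does not stop someone else from creating the name first;
#  3. sysopen with O_NOFOLLOW (a symlink at the path makes the open fail
#     instead of being followed) and without O_TRUNC (nothing is clobbered
#     before the checks below have passed);
#  4. fstat the descriptor we hold and check it is a regular file owned by us
#     with a single link, so the checks apply to the object we actually opened;
#  5. take the flock on that descriptor before writing anything.
sub open_lock_hardened {
    my ($dir, $name) = @_;
    $name //= 'storeBackup.lock';

    my @dst = stat($dir) or die "lock dir $dir: $!\n";
    die "lock dir $dir is writable by group/other\n" if $dst[2] & 022;
    die "lock dir $dir is not owned by uid $<\n"     if $dst[4] != $<;

    my $path = File::Spec->catfile($dir, $name);
    sysopen(my $fh, $path, O_RDWR | O_CREAT | O_NOFOLLOW, 0600)
        or die "cannot open lockfile $path: $!\n";

    my @fst = stat($fh) or die "fstat $path: $!\n";
    die "$path is not a regular file\n"                unless -f _;
    die "$path is not owned by uid $<\n"               if $fst[4] != $<;
    die "$path has link count $fst[3], expected 1\n"   if $fst[3] != 1;

    flock($fh, LOCK_EX | LOCK_NB)
        or die "another instance holds $path\n";

    truncate($fh, 0) or die "truncate $path: $!\n";
    seek($fh, 0, 0)  or die "seek $path: $!\n";
    print $fh "$$\n";
    $fh->flush;
    return $fh;
}

# Demonstration on a private temporary directory (constructed, mode 0700):
# the first open succeeds, a second open of the same name is refused while
# the first handle is alive, and a symlink planted at a lock name is rejected.
unless (caller) {
    my $dir = tempdir(CLEANUP => 1);
    chmod 0700, $dir or die "chmod $dir: $!\n";

    my $lock = open_lock_hardened($dir);
    print "acquired lock in $dir\n";

    my $second = eval { open_lock_hardened($dir) };
    print "second acquisition refused: $@" unless $second;

    symlink('/etc/hostname', File::Spec->catfile($dir, 'planted.lock'))
        or die "symlink: $!\n";
    my $via_link = eval { open_lock_hardened($dir, 'planted.lock') };
    print "symlink rejected: $@" unless $via_link;

    close $lock;
}
```

The directory ownership and permission check is what removes the denial-of-service half of the issue: a lock name that only the backup user can create cannot be occupied by anyone else. O_NOFOLLOW together with the post-open fstat checks removes the symlink half, and because the checks run on the descriptor rather than on the path there is no window between checking and using the file. A run from a world-writable directory, or a lockfile that turns out to be a symlink, dies before the process touches the backup it was about to lock.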
