wdiff stable update for Bug#425254

To: debian-release@lists.debian.org
Cc: Nico Golde <nion@debian.org>
Subject: wdiff stable update for Bug#425254
From: Santiago Vila <sanvila@unex.es>
Date: Fri, 8 Aug 2008 12:35:43 +0200 (CEST)
Message-id: <[🔎] Pine.LNX.4.64.0808081229290.24589@cantor.unex.es>
In-reply-to: <20080807231430.GA23744@ngolde.de>
References: <20080807231430.GA23744@ngolde.de>

Hi.

I received this from the debian security team:

> Hi,
> the security issue  was published for wdiff some time ago.
> 
> | wdiff uses tmpnam(buf) to generate a temporary file, and fopen(buf, "w+") that
> | name, which is vulnerable to the usual symlink attack.  It should use one of
> | the tmpnam alternatives like tmpfile().
> 
> Unfortunately the vulnerability described above is not important enough
> to get it fixed via regular security update in Debian stable. It does
> not warrant a DSA.
> 
> However it would be nice if this could get fixed via a regular point update[0].
> Please contact the release team for this.
> 
> This is Debian bug #425254.
> 
> This is an automatically generated mail, in case you are already working on an
> upgrade this is of course pointless.
> 
> For further information:
> [0] http://www.debian.org/doc/developers-reference/ch-pkgs.en.html#s-upload-stable

I'd like to upload a new wdiff for stable fixing this bug, if it's not
too late to do so. Just to be sure: It would go to stable-proposed-updates,
and it would be version 0.5-16etch1. Is this ok?

BTW: Nico, the above URL does not currently work.

Thanks.

Reply to:

Follow-Ups:
- Re: wdiff stable update for Bug#425254
  - From: Nico Golde <debian-release+ml@ngolde.de>

Prev by Date: please unblock bzip2/1.0.5-1
Next by Date: Re: wdiff stable update for Bug#425254
Previous by thread: Re: please unblock bzip2/1.0.5-1
Next by thread: Re: wdiff stable update for Bug#425254
Index(es):
- Date
- Thread