
Please unblock for a security fix



Hello,

Could you please unblock the package Scilab? The version 4.1.2-6 fixes
the security problem #496414 (The possibility of attack with the help of
symlinks in some Debian packages).

Thanks!
Sylvestre
PS: Scilab is still in non-free. I don't know if it changes anything.

Index: trunk/debian/control
===================================================================
--- trunk/debian/control	(.../deb-maint/scilab/trunk)	(révision 35204)
+++ trunk/debian/control	(.../scilab/trunk)	(révision 35210)
@@ -1,15 +1,16 @@
 Source: scilab
 Section: non-free/math
 Priority: optional
-Maintainer: Torsten Werner <twerner@debian.org>
-Uploaders: Sylvestre Ledru <sylvestre.ledru@inria.fr>, Aurélien GÉRÔME <ag@roxor.cx>
+Maintainer: Debian Science Team <debian-science-maintainers@lists.alioth.debian.org> 
+Uploaders: Torsten Werner <twerner@debian.org>, Sylvestre Ledru <sylvestre.ledru@inria.fr>, 
+ Aurélien GÉRÔME <ag@roxor.cx>
 #Build-Depends: cdbs, debhelper (>> 4.1.0), libgtk2.0-dev, libgtkhtml2-dev, libzvt2.0-dev, tk8.4-dev, g77, pvm-dev, atlas3-base-dev [alpha amd64 i386 mips mipsel] | libatlas-3.so [alpha amd64 i386 mips mipsel] | lapack3-dev, atlas3-base-dev [alpha amd64 i386 mips mipsel] | libatlas-3.so [alpha amd64 i386 mips mipsel] | refblas3-dev, sablotron, ocaml-interp (>= 3.08.0), libreadline4-dev | libreadline-dev, xaw3dg-dev, gcj (?)
 Build-Depends: autoconf, cdbs, debhelper (>= 5), gfortran, ocaml-nox, pvm-dev,
  quilt, tk8.4-dev, xaw3dg-dev, xsltproc
-Standards-Version: 3.7.3
+Standards-Version: 3.8.0
 Homepage: http://www.scilab.org
-Vcs-Svn: svn://svn.debian.org/svn/collab-maint/deb-maint/scilab/trunk/
-Vcs-Browser: http://svn.debian.org/wsvn/collab-maint/deb-maint/scilab/trunk/
+Vcs-Svn: svn://svn.debian.org/svn/debian-science/packages/scilab/trunk/
+Vcs-Browser: http://svn.debian.org/viewsvn/debian-science/packages/scilab/trunk
 XS-Autobuild: yes
 DM-Upload-Allowed: yes
 
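Review bot: The Maintainer/Uploaders swap, the Standards-Version bump to 3.8.0 and the Vcs-Svn/Vcs-Browser move are unrelated to the fix for #496414, yet they ship in the same upload that is being proposed for unblock. Splitting them out would leave a diff that contains only the temporary-file change. The new Maintainer line and the first Uploaders line also end in trailing whitespace.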
Index: trunk/debian/patches/series
===================================================================
--- trunk/debian/patches/series	(.../deb-maint/scilab/trunk)	(révision 35204)
+++ trunk/debian/patches/series	(.../scilab/trunk)	(révision 35210)
@@ -1,2 +1,3 @@
 build.diff
 stack-c.diff
+tmpdirsecurity.diff
Index: trunk/debian/patches/tmpdirsecurity.diff
===================================================================
--- trunk/debian/patches/tmpdirsecurity.diff	(.../deb-maint/scilab/trunk)	(révision 0)
+++ trunk/debian/patches/tmpdirsecurity.diff	(.../scilab/trunk)	(révision 35210)
@@ -0,0 +1,140 @@
+diff -ur scilab-4.1.2.orig/bin/scilink scilab-4.1.2/bin/scilink
+--- scilab-4.1.2.orig/bin/scilink	2008-09-10 13:57:16.000000000 +0200
++++ scilab-4.1.2/bin/scilink	2008-09-10 14:05:11.000000000 +0200
+@@ -15,30 +15,31 @@
+ shift
+ LOCALPOS=`pwd`
+ cd $SCI
+-make show | grep -v make > /tmp/SciLink$$1
+-sed -e "s+routines/default+\$SD+g"  -e "s+libs+\$SL+g" -e "s+./pvm3+\$SPVM+g" /tmp/SciLink$$1 > /tmp/SciLink$$2
++TMPWRKDIR=`mktemp -d sci.XXXXXXXXXX`
++make show | grep -v make > $TMPWRKDIR/SciLink$$1
++sed -e "s+routines/default+\$SD+g"  -e "s+libs+\$SL+g" -e "s+./pvm3+\$SPVM+g" $TMPWRKDIR/SciLink$$1 > $TMPWRKDIR/SciLink$$2
+ for i in $*
+ do
+   x=`basename $i`
+-  sed "s+\$SD/$x++g" /tmp/SciLink$$2 > /tmp/SciLink$$3
+-  rm -f /tmp/SciLink$$2
+-  mv /tmp/SciLink$$3 /tmp/SciLink$$2
++  sed "s+\$SD/$x++g" $TMPWRKDIR/SciLink$$2 > $TMPWRKDIR/SciLink$$3
++  rm -f $TMPWRKDIR/SciLink$$2
++  mv $TMPWRKDIR/SciLink$$3 $TMPWRKDIR/SciLink$$2
+ done
+-echo "#!/bin/sh" > /tmp/SciLink$$3
+-echo  SCI=$SCI >>  /tmp/SciLink$$3
+-echo "SD=\$SCI/routines/default" >>  /tmp/SciLink$$3
+-echo "SPVM=\$SCI/pvm3" >>  /tmp/SciLink$$3
+-echo "SL=\$SCI/libs" >>  /tmp/SciLink$$3
+-echo "LOCAL=\"$*\"" >>  /tmp/SciLink$$3
+-sed -e "s+\$SL+ \$LOCAL \$SL+" -e "s+show+scilex+g" /tmp/SciLink$$2 >> /tmp/SciLink$$3
++echo "#!/bin/sh" > $TMPWRKDIR/SciLink$$3
++echo  SCI=$SCI >>  $TMPWRKDIR/SciLink$$3
++echo "SD=\$SCI/routines/default" >>  $TMPWRKDIR/SciLink$$3
++echo "SPVM=\$SCI/pvm3" >>  $TMPWRKDIR/SciLink$$3
++echo "SL=\$SCI/libs" >>  $TMPWRKDIR/SciLink$$3
++echo "LOCAL=\"$*\"" >>  $TMPWRKDIR/SciLink$$3
++sed -e "s+\$SL+ \$LOCAL \$SL+" -e "s+show+scilex+g" $TMPWRKDIR/SciLink$$2 >> $TMPWRKDIR/SciLink$$3
+ cd $LOCALPOS
+-mv /tmp/SciLink$$3 Script
++mv $TMPWRKDIR/SciLink$$3 Script
+ chmod +x Script 
+ echo "Linking a new Scilab with " $*
+ ./Script 
+ echo "I've created : scilex and scilab which uses that scilex"
+ sed -e "s+\$SCI/bin/scilex+`pwd`/scilex+g" $SCI/bin/scilab > scilab 
+ chmod +x scilab 
+-#rm -f /tmp/SciLink*
++#rm -f $TMPWRKDIR/SciLink*
+ 
+ 
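Review bot: TMPWRKDIR is a relative path here, and the script changes directory before it is last used. `mktemp -d sci.XXXXXXXXXX` is called after `cd $SCI` with a template that has no directory part, so it creates and prints something like `sci.AbCdEfGhIj` relative to $SCI. The later `cd $LOCALPOS` followed by `mv $TMPWRKDIR/SciLink$$3 Script` then only resolves when the script was started from $SCI itself. It also means the user must be able to write into $SCI. Suggest an absolute path outside the tree, for example `TMPWRKDIR=$(mktemp -d -t sci.XXXXXXXXXX) || exit 1`, and quoting "$TMPWRKDIR" where it is used.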
+Seulement dans scilab-4.1.2: sci.GfzgmvnmEP
+Seulement dans scilab-4.1.2: scilab
+Seulement dans scilab-4.1.2: sci.TeXKvuCxyT
+Seulement dans scilab-4.1.2: sci.xiMmjPREBA
+Seulement dans scilab-4.1.2: Script
+diff -ur scilab-4.1.2.orig/util/scidem scilab-4.1.2/util/scidem
+--- scilab-4.1.2.orig/util/scidem	2008-09-10 13:57:16.000000000 +0200
++++ scilab-4.1.2/util/scidem	2008-09-10 14:05:30.000000000 +0200
+@@ -6,33 +6,34 @@
+ echo ------------------- File $2--------------------
+ SCI1=$1
+ if [ -f $3  ]; then rm $3;fi;
+-trap "rm -f /tmp/$2.$$ /tmp/$2.$$.res /tmp/$2.$$.err /tmp/$2.$$.diff\
++TMPWRKDIR=`mktemp -d sci.XXXXXXXXXX`
++trap "rm -f $TMPWRKDIR/$2.$$ $TMPWRKDIR/$2.$$.res $TMPWRKDIR/$2.$$.err $TMPWRKDIR/$2.$$.diff\
+         ;exit 1"  1 2 13 15
+ echo "clear;lines(0);deff('[]=bugmes()','write(%io(2),''error on test'')');\
+-        diary('$3');driver('Pos');" >> /tmp/$2.$$ ;
++        diary('$3');driver('Pos');" >> $TMPWRKDIR/$2.$$ ;
+ sed     -e "s/pause,end/bugmes();quit;end/" \
+         -e "s/halt()//" \
+-        $2 >> /tmp/$2.$$ ;
+-echo "diary(0);xend();exit;" >> /tmp/$2.$$ ;
+-($SCI1/bin/scilab -nwni < /tmp/$2.$$ > /tmp/$2.$$.res ) 2> /tmp/$2.$$.err ;
++        $2 >> $TMPWRKDIR/$2.$$ ;
++echo "diary(0);xend();exit;" >> $TMPWRKDIR/$2.$$ ;
++($SCI1/bin/scilab -nwni < $TMPWRKDIR/$2.$$ > $TMPWRKDIR/$2.$$.res ) 2> $TMPWRKDIR/$2.$$.err ;
+ sed -e "s/ \./0\./g" -e "s/E+/D+/g" -e "s/E-/D-/g" -e "s/-\./-0\./g" -e "s/^-->//g" -e "s/^-1->//g" $3 > $3.n
+ grep -v "xinit(" $3.n | grep -v "diary(" | grep -v "exec("  > $3
+ rm -f $3.n
+-if ( grep " error" /tmp/$2.$$.res >  /dev/null ) ; then 
++if ( grep " error" $TMPWRKDIR/$2.$$.res >  /dev/null ) ; then 
+         if [ $# != 4 ]; then 
+                 echo "Test failed ERROR DETECTED  while executing $2" ;
+-        else if (grep "$4" /tmp/$2.$$.res >  /dev/null ) ; 
++        else if (grep "$4" $TMPWRKDIR/$2.$$.res >  /dev/null ) ; 
+              then  echo Test skipped ;
+              else echo "Test failed ERROR DETECTED  while executing $2" ;
+              fi;
+         fi;
+ else if [ -f $3.ref ];then 
+-        if ( diff -w $3 $3.ref > /tmp/$2.$$.diff ) ;
++        if ( diff -w $3 $3.ref > $TMPWRKDIR/$2.$$.diff ) ;
+         then  echo Test passed ;
+         else  echo Test Failed SEE : diff -w  $3 $3.ref ;
+         fi;
+       fi;
+ fi;
+ echo ---------------------------------------------------------- 
+-#rm -f /tmp/$2.$$ /tmp/$2.$$.res /tmp/$2.$$.err /tmp/$2.$$.diff
++#rm -f $TMPWRKDIR/$2.$$ $TMPWRKDIR/$2.$$.res $TMPWRKDIR/$2.$$.err $TMPWRKDIR/$2.$$.diff
+ exit 0
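Review bot: The cleanup at the end of scidem is still commented out (`#rm -f $TMPWRKDIR/$2.$$ ...`), so every successful run leaves a sci.* directory holding the four work files, and the signal trap removes the files but never the directory. Since the directory is now private to the script, a single `trap 'rm -rf "$TMPWRKDIR"' 0 1 2 13 15` placed right after the mktemp call would cover both the normal and the interrupted exit.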
+diff -ur scilab-4.1.2.orig/util/scidoc scilab-4.1.2/util/scidoc
+--- scilab-4.1.2.orig/util/scidoc	2008-09-10 13:57:16.000000000 +0200
++++ scilab-4.1.2/util/scidoc	2008-09-10 14:05:24.000000000 +0200
+@@ -7,24 +7,26 @@
+ SCI=$1
+ export SCI
+ if [ -f $3  ]; then rm $3;fi;
+-trap "rm -f /tmp/$2.$$ /tmp/$2.$$.res /tmp/$2.$$.err /tmp/$2.$$.diff\
++TMPWRKDIR=`mktemp -d sci.XXXXXXXXXX`
++trap "rm -f $TMPWRKDIR/$2.$$ $TMPWRKDIR/$2.$$.res $TMPWRKDIR/$2.$$.err $TMPWRKDIR/$2.$$.diff\
+ 	;exit 1"  1 2 13 15
+ echo "clear;lines(0);deff('[]=bugmes()','write(%io(2),''error on test'')');\
+-	diary('$3');driver('Pos');" >> /tmp/$2.$$ ;
++	diary('$3');driver('Pos');" >> $TMPWRKDIR/$2.$$ ;
+ sed     -e "s/pause,end/bugmes();quit;end/" \
+ 	-e "s/halt()//" \
+-        $2 >> /tmp/$2.$$ ;
+-echo "diary(0);xend();quit;quit;quit;quit;quit;quit;" >> /tmp/$2.$$ ;
+-($SCI/bin/scilex -nw < /tmp/$2.$$ > /tmp/$2.$$.res ) 2> /tmp/$2.$$.err ;
++        $2 >> $TMPWRKDIR/$2.$$ ;
++echo "diary(0);xend();quit;quit;quit;quit;quit;quit;" >> $TMPWRKDIR/$2.$$ ;
++($SCI/bin/scilex -nw < $TMPWRKDIR/$2.$$ > $TMPWRKDIR/$2.$$.res ) 2> $TMPWRKDIR/$2.$$.err ;
+ sed -e "s/ \.[0-9]/0&/g" -e "s/0 \./0./g" -e "s/E+/D+/g" -e "s/E-/D-/g" -e "s/-\./-0\./g" $3 > $3.n
+ grep -v "xinit(" $3.n | grep -v "diary(" | grep -v "exec("  > $3
+ rm -f $3.n
+-if ( grep error /tmp/$2.$$.res >  /dev/null ) ; then 
++if ( grep error $TMPWRKDIR/$2.$$.res >  /dev/null ) ; then 
+ 	if [ $# != 4 ]; then 
+ 		echo "ERROR DETECTED  while executing $2" ;
+ 	fi;
+ fi;
+ echo ---------------------------------------------------------- 
+-rm -f /tmp/$2.$$ /tmp/$2.$$.res /tmp/$2.$$.err /tmp/$2.$$.diff
++rm -f $TMPWRKDIR/$2.$$ $TMPWRKDIR/$2.$$.res $TMPWRKDIR/$2.$$.err $TMPWRKDIR/$2.$$.diff 
++rmdir $TMPWRKDIR
+ exit 0
+ 
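Review bot: The result of `mktemp -d` is not checked before use. If the call fails (for instance because the current directory is not writable), TMPWRKDIR is empty and every path in scidoc collapses to `/$2.$$`, `/$2.$$.res` and so on. Add `|| exit 1` to the assignment. The trap on 1 2 13 15 also still removes only the files, so an interrupted run leaves the directory that the normal path removes with `rmdir $TMPWRKDIR`. Finally, the new `rm -f` line ends in a trailing space.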
+Seulement dans scilab-4.1.2/util: sci.ytpPrRhbcU
+Seulement dans scilab-4.1.2/util: sci.zJjHvQdFHa
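Review bot: tmpdirsecurity.diff contains `Seulement dans scilab-4.1.2: ...` lines, which are localized "Only in" output from `diff -ur` and not part of any hunk. They list `Script`, `scilab` and several `sci.*` entries whose names match the new mktemp template, so the patch was generated from a tree in which the patched scripts had already been run. Regenerate the patch from a clean tree (with LC_ALL=C so any remaining diff messages are in English) and drop these lines.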
Index: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog	(.../deb-maint/scilab/trunk)	(révision 35204)
+++ trunk/debian/changelog	(.../scilab/trunk)	(révision 35210)
@@ -1,3 +1,12 @@
+scilab (4.1.2-6) unstable; urgency=low
+
+  * Debian-science added as maintainer
+  * SVN moved to debian-science repository
+  * Standards-Version updated to 3.8.0
+  * Fix a security issue reported by Dmitry E. Oboukhov. (Closes: #496414)
+
+ -- Sylvestre Ledru <sylvestre.ledru@inria.fr>  Wed, 10 Sep 2008 13:35:28 +0200
+
 scilab (4.1.2-5) unstable; urgency=low
 
   * Add DM-Upload-Allowed: yes to enable uploads for Sylvestre.
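Review bot: The 4.1.2-6 entry is marked `urgency=low` although it closes a security bug, and "Fix a security issue reported by Dmitry E. Oboukhov" does not say what was fixed. Suggest naming the change in the entry (temporary files in bin/scilink, util/scidem and util/scidoc moved from predictable /tmp names to a mktemp directory, via tmpdirsecurity.diff) and choosing an urgency that matches a security fix.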
