pre-approval for flamethrower upload
The primary reason for this upload is to fix a security issue. There's
also an FHS issue resulting from a change in perl since the last
flamethrower upload (which was prior to etch). The remaining issues
are all relatively minor, but also pretty straightforward.
diff -u flamethrower-0.1.8/debian/changelog flamethrower-0.1.8/debian/changelog
--- flamethrower-0.1.8/debian/changelog
+++ flamethrower-0.1.8/debian/changelog
@@ -1,3 +1,20 @@
+flamethrower (0.1.8-2) unstable; urgency=medium
+
+ * Fix /tmp symlink attack vector. Closes: #506350 (CVE-2008-5141)
+ * Rebuilding with current toolchain would cause executables to
+ be installed in /usr/local/bin. Fix this by supplying an
+ appropriate SITEPREFIX.
+ * Don't package /usr/lib/flamethrower/auto subtree
+ * Lintian cleanup:
+ - Remove bogus (empty) line in lsb section of initscript
+ - Use $(CURDIR) instead of $(PWD) in rules file, suggested by lintian
+ - Don't ignore clean errors from make
+ - Update Standards-Version to 3.8.0
+ - Swap binary-arch/binary-indep rules
+ - List debhelper under Build-Depends instead of Build-Depends-Indep
+
+ -- dann frazier <dannf@debian.org> Fri, 21 Nov 2008 10:46:08 -0700
+
flamethrower (0.1.8-1) unstable; urgency=low
* New upstream release
diff -u flamethrower-0.1.8/debian/control flamethrower-0.1.8/debian/control
--- flamethrower-0.1.8/debian/control
+++ flamethrower-0.1.8/debian/control
@@ -2,8 +2,8 @@
Section: admin
Priority: optional
Maintainer: dann frazier <dannf@debian.org>
-Build-Depends-Indep: debhelper (>> 3.0.0)
-Standards-Version: 3.6.2.2
+Build-Depends: debhelper (>> 3.0.0)
+Standards-Version: 3.8.0
Package: flamethrower
Architecture: all
diff -u flamethrower-0.1.8/debian/rules flamethrower-0.1.8/debian/rules
--- flamethrower-0.1.8/debian/rules
+++ flamethrower-0.1.8/debian/rules
@@ -5,7 +5,7 @@
PREFIX = $(tmp)/usr
pkg = flamethrower
-tmp = $(PWD)/debian/$(pkg)
+tmp = $(CURDIR)/debian/$(pkg)
configure: configure-stamp
configure-stamp:
@@ -22,7 +22,7 @@
clean:
dh_testdir
rm -f build-stamp configure-stamp
- -$(MAKE) realclean
+ [ ! -f Makefile ] || $(MAKE) realclean
-rm debian/flamethrower.init
dh_clean
@@ -30,10 +30,14 @@
dh_testdir
-dh_testroot
dh_installdirs
- $(MAKE) install PREFIX="$(PREFIX)" CONFDIR="$(tmp)"
+ $(MAKE) install PREFIX="$(PREFIX)" CONFDIR="$(tmp)" SITEPREFIX="$(PREFIX)"
+
+ # upstream installs this as executable
+ chmod 644 $(tmp)/usr/lib/flamethrower/*.pm
# this directory tree is empty
rm -rf $(tmp)/usr/lib/perl
+ rm -rf $(tmp)/usr/lib/flamethrower/auto
# let debhelper install this for us
rm -rf $(tmp)/etc/init.d
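Review bot: The added `rm -rf $(tmp)/usr/lib/flamethrower/auto` lands directly under the existing comment `# this directory tree is empty`, so that comment now reads as if it described the auto/ subtree too, which the diff does not establish. Give the new line its own comment with the reason for dropping it, for example `# don't ship the auto/ subtree created by the upstream install`. The `chmod 644 $(tmp)/usr/lib/flamethrower/*.pm` line will fail the target if the glob matches nothing; that is probably the wanted behaviour, but it is worth a word in the comment above it. The install target's header is outside the hunk.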
@@ -44,11 +48,11 @@
mkdir -p $(tmp)/var/log/flamethrower
# Build architecture-independent files here.
-binary-indep: build install
+binary-arch: build install
# We have nothing to do by default.
# Build architecture-dependent files here.
-binary-arch: build install
+binary-indep: build install
dh_testdir
dh_testroot
dh_installdebconf
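Review bot: After the swap the two header comments no longer match their targets: `# Build architecture-independent files here.` now sits above `binary-arch`, and `# Build architecture-dependent files here.` above `binary-indep`. The comments should move with the target names, so the first pair reads `# Build architecture-dependent files here.` / `binary-arch: build install` and the second `# Build architecture-independent files here.` / `binary-indep: build install`. The binary-indep recipe continues outside the hunk.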
only in patch2:
unchanged:
--- flamethrower-0.1.8.orig/bin/flamethrower
+++ flamethrower-0.1.8/bin/flamethrower
@@ -9,6 +9,7 @@
use strict;
use File::Path;
+use File::Temp;
use Getopt::Long;
use lib "/usr/lib/flamethrower";
@@ -23,7 +24,7 @@
my $version_number = "INS_VERSION";
my $conf_file = '/etc/flamethrower/flamethrower.conf';
my $transport = "udp-receiver";
-my $tmp_dir = "/tmp/.flamethrower.$$";
+my $tmp_dir = File::Temp::tempdir();
my $version_info = <<"EOF";
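Review bot: `File::Temp::tempdir()` is called with no options, so the directory it creates stays behind at exit unless code outside this hunk removes `$tmp_dir` itself. If no such cleanup exists, `my $tmp_dir = File::Temp::tempdir(CLEANUP => 1);` keeps the unpredictable, exclusively created directory that fixes the symlink issue and also removes it when the script ends. The directory now exists from startup, so any later `mkdir` on `$tmp_dir` elsewhere in the file (not visible here) should be checked so that it does not treat "already exists" as an error.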
@@ -283,13 +284,16 @@
#
my $udp_cmd;
my $tar_cmd;
+ my $tar_fh;
+ my $tar_file;
+ ($tar_fh, $tar_file) = File::Temp::tempfile();
if($verbose) {
- $udp_cmd = "udp-receiver $udp_receiver_options --file /tmp/multicast.tar.$$";
- $tar_cmd = "tar $tar_opts -C $dir -f /tmp/multicast.tar.$$";
+ $udp_cmd = "udp-receiver $udp_receiver_options --file $tar_file";
+ $tar_cmd = "tar $tar_opts -C $dir -f $tar_file";
} else {
- $udp_cmd = "udp-receiver $udp_receiver_options --file /tmp/multicast.tar.$$ 2>/dev/null";
- $tar_cmd = "tar $tar_opts -C $dir -f /tmp/multicast.tar.$$";
+ $udp_cmd = "udp-receiver $udp_receiver_options --file $tar_file 2>/dev/null";
+ $tar_cmd = "tar $tar_opts -C $dir -f $tar_file";
}
print "$udp_cmd\n" if($verbose);
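Review bot: The file from `File::Temp::tempfile()` is created without `UNLINK => 1`, and its only removal is the `unlink` in the following hunk, which is never reached when `!system($tar_cmd) or die(...)` aborts; a failed transfer then leaves the tarball in the temp directory. `my ($tar_fh, $tar_file) = File::Temp::tempfile(UNLINK => 1);` covers the error paths and replaces the three added declaration lines with one. Both branches of the `if` now assign the identical `$tar_cmd`, so that assignment could move out of the conditional. `$dir` and the option strings are still interpolated into a shell command line; the list form of `system` would avoid shell parsing, although the `2>/dev/null` in the quiet branch would then need to be handled another way. The enclosing sub begins outside the hunk.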
@@ -298,7 +302,8 @@
print "$tar_cmd\n" if($verbose);
!system($tar_cmd) or die("FAILED: $tar_cmd");
- unlink("/tmp/multicast.tar.$$");
+ close $tar_fh;
+ unlink("$tar_file");
}
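Review bot: The results of `close $tar_fh` and `unlink("$tar_file")` are not checked, so a tarball that could not be removed goes unreported. `unlink($tar_file) or warn "cannot remove $tar_file: $!";` surfaces that case, and the quotes around the variable are unnecessary. The enclosing block starts outside the hunk.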
only in patch2:
unchanged:
--- flamethrower-0.1.8.orig/etc/init.d/flamethrower-server
+++ flamethrower-0.1.8/etc/init.d/flamethrower-server
@@ -22,7 +22,6 @@
# Default-Stop: 0 1 2 6
# Short-Description: Daemon for multicast file distribution
# Description: Daemon for multicast file distribution
-#
### END INIT INFO
kill_em_all() {