
pre-approval for flamethrower upload



The primary reason for this upload is to fix a security issue. There's
also an FHS issue resulting from a change in perl since the last
flamethrower upload (which was prior to etch). The remaining issues
are all relatively minor, but also pretty straightforward.

diff -u flamethrower-0.1.8/debian/changelog flamethrower-0.1.8/debian/changelog
--- flamethrower-0.1.8/debian/changelog
+++ flamethrower-0.1.8/debian/changelog
@@ -1,3 +1,20 @@
+flamethrower (0.1.8-2) unstable; urgency=medium
+
+  * Fix /tmp symlink attack vector. Closes: #506350 (CVE-2008-5141)
+  * Rebuilding with current toolchain would cause executables to
+    be installed in /usr/local/bin. Fix this by supplying an
+    appropriate SITEPREFIX.
+  * Don't package /usr/lib/flamethrower/auto subtree
+  * Lintian cleanup:
+    - Remove bogus (empty) line in lsb section of initscript
+    - Use $(CURDIR) instead of $(PWD) in rules file, suggested by lintian
+    - Don't ignore clean errors from make
+    - Update Standards-Version to 3.8.0
+    - Swap binary-arch/binary-indep rules
+    - List debhelper under Build-Depends instead of Build-Depends-Indep
+
+ -- dann frazier <dannf@debian.org>  Fri, 21 Nov 2008 10:46:08 -0700
+
 flamethrower (0.1.8-1) unstable; urgency=low
 
   * New upstream release
diff -u flamethrower-0.1.8/debian/control flamethrower-0.1.8/debian/control
--- flamethrower-0.1.8/debian/control
+++ flamethrower-0.1.8/debian/control
@@ -2,8 +2,8 @@
 Section: admin
 Priority: optional
 Maintainer: dann frazier <dannf@debian.org>
-Build-Depends-Indep: debhelper (>> 3.0.0)
-Standards-Version: 3.6.2.2
+Build-Depends: debhelper (>> 3.0.0)
+Standards-Version: 3.8.0
 
 Package: flamethrower
 Architecture: all
diff -u flamethrower-0.1.8/debian/rules flamethrower-0.1.8/debian/rules
--- flamethrower-0.1.8/debian/rules
+++ flamethrower-0.1.8/debian/rules
@@ -5,7 +5,7 @@
 
 PREFIX = $(tmp)/usr
 pkg = flamethrower
-tmp = $(PWD)/debian/$(pkg)
+tmp = $(CURDIR)/debian/$(pkg)
 
 configure: configure-stamp
 configure-stamp:
@@ -22,7 +22,7 @@
 clean:
 	dh_testdir
 	rm -f build-stamp configure-stamp
-	-$(MAKE) realclean
+	[ ! -f Makefile ] || $(MAKE) realclean
 	-rm debian/flamethrower.init
 	dh_clean
 
@@ -30,10 +30,14 @@
 	dh_testdir
 	-dh_testroot
 	dh_installdirs
-	$(MAKE) install PREFIX="$(PREFIX)" CONFDIR="$(tmp)"
+	$(MAKE) install PREFIX="$(PREFIX)" CONFDIR="$(tmp)" SITEPREFIX="$(PREFIX)"
+
+	# upstream installs this as executable
+	chmod 644 $(tmp)/usr/lib/flamethrower/*.pm
 
 	# this directory tree is empty
 	rm -rf $(tmp)/usr/lib/perl
+	rm -rf $(tmp)/usr/lib/flamethrower/auto
 
 	# let debhelper install this for us
 	rm -rf $(tmp)/etc/init.d
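Review bot: The existing comment `# this directory tree is empty` now also heads the added `rm -rf $(tmp)/usr/lib/flamethrower/auto`, but the changelog describes that line as a decision not to package the auto subtree, not as removal of an empty tree. Giving the new line its own comment, for example `# don't ship the perl auto/ subtree`, would keep the stated reason accurate. The added `chmod 644` is not listed in the changelog entry either, so a one-line mention there would help anyone auditing the permissions change later. The install target starts and ends outside this hunk.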
@@ -44,11 +48,11 @@
 	mkdir -p $(tmp)/var/log/flamethrower
 
 # Build architecture-independent files here.
-binary-indep: build install
+binary-arch: build install
 # We have nothing to do by default.
 
 # Build architecture-dependent files here.
-binary-arch: build install
+binary-indep: build install
 	dh_testdir
 	dh_testroot
 	dh_installdebconf	
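Review bot: The two descriptive comments were not swapped along with the target names, so `# Build architecture-independent files here.` now sits above `binary-arch` and `# Build architecture-dependent files here.` above `binary-indep`. Since the package is `Architecture: all`, the comment text should be exchanged so that the `binary-indep` recipe is the one labelled architecture-independent and the empty `binary-arch` target keeps `# We have nothing to do by default.`. The `binary-indep` recipe continues past the end of this hunk.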
only in patch2:
unchanged:
--- flamethrower-0.1.8.orig/bin/flamethrower
+++ flamethrower-0.1.8/bin/flamethrower
@@ -9,6 +9,7 @@
 
 use strict;
 use File::Path;
+use File::Temp;
 use Getopt::Long;
 
 use lib "/usr/lib/flamethrower";
@@ -23,7 +24,7 @@
 my $version_number  = "INS_VERSION";
 my $conf_file       = '/etc/flamethrower/flamethrower.conf';
 my $transport       = "udp-receiver";
-my $tmp_dir         = "/tmp/.flamethrower.$$";
+my $tmp_dir         = File::Temp::tempdir();
 
 
 my $version_info = <<"EOF";
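Review bot: `File::Temp::tempdir()` is called without `CLEANUP => 1`, so unlike the old string assignment this line creates a directory at startup on every run, and nothing visible in this diff removes it. If the directory is only needed for the lifetime of this process, `my $tmp_dir = File::Temp::tempdir(CLEANUP => 1);` avoids accumulating stale directories; if child processes keep using it after the parent exits, the removal belongs wherever they finish instead. It is also worth confirming that no later code outside this hunk still does its own `mkdir` of `$tmp_dir` and treats an existing directory as an error, since the directory now always exists by that point.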
@@ -283,13 +284,16 @@
     #
     my $udp_cmd;
     my $tar_cmd;
+    my $tar_fh;
+    my $tar_file;
 
+    ($tar_fh, $tar_file) = File::Temp::tempfile();
     if($verbose) {
-        $udp_cmd = "udp-receiver $udp_receiver_options --file /tmp/multicast.tar.$$";
-        $tar_cmd = "tar $tar_opts -C $dir -f /tmp/multicast.tar.$$";
+        $udp_cmd = "udp-receiver $udp_receiver_options --file $tar_file";
+        $tar_cmd = "tar $tar_opts -C $dir -f $tar_file";
     } else {
-        $udp_cmd = "udp-receiver $udp_receiver_options --file /tmp/multicast.tar.$$ 2>/dev/null";
-        $tar_cmd = "tar $tar_opts -C $dir -f /tmp/multicast.tar.$$";
+        $udp_cmd = "udp-receiver $udp_receiver_options --file $tar_file 2>/dev/null";
+        $tar_cmd = "tar $tar_opts -C $dir -f $tar_file";
     }
 
     print "$udp_cmd\n" if($verbose);
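Review bot: `$tar_file` is interpolated unquoted into the `$udp_cmd` and `$tar_cmd` strings, and `$tar_cmd` is run with single-argument `system()` (visible in the next hunk), so the path is parsed by a shell. The old literal `/tmp/multicast.tar.$$` could not contain whitespace or shell metacharacters, whereas `File::Temp::tempfile()` with no template takes its directory from the environment (normally `TMPDIR`), which the script does not control. Pinning the location keeps the command strings predictable, e.g. `my ($tar_fh, $tar_file) = File::Temp::tempfile('multicast.tar.XXXXXX', DIR => '/tmp');`, which also folds the two separate `my` declarations into the call. The enclosing sub starts and ends outside this hunk.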
@@ -298,7 +302,8 @@
     print "$tar_cmd\n" if($verbose);
     !system($tar_cmd) or die("FAILED: $tar_cmd");
 
-    unlink("/tmp/multicast.tar.$$");
+    close $tar_fh;
+    unlink("$tar_file");
 }
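Review bot: The temporary file is removed only on the success path, because `die("FAILED: $tar_cmd")` exits before the new `close $tar_fh` and `unlink` lines run, so a failed extraction leaves the received tarball in the temp directory. Requesting removal when the file is created in the previous hunk, `File::Temp::tempfile(UNLINK => 1)`, would cover the failure paths as well, assuming the `die` is not caught further up. Separately, `unlink("$tar_file")` does not need the quotes and its result is ignored; `unlink($tar_file) or warn "unlink $tar_file: $!";` would surface a failed removal. The start of the sub is outside this hunk.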
 
 
only in patch2:
unchanged:
--- flamethrower-0.1.8.orig/etc/init.d/flamethrower-server
+++ flamethrower-0.1.8/etc/init.d/flamethrower-server
@@ -22,7 +22,6 @@
 # Default-Stop:   0 1 2 6
 # Short-Description: Daemon for multicast file distribution
 # Description: Daemon for multicast file distribution
-#
 ### END INIT INFO
 
 kill_em_all() {

