
freeze exception for proposed ncbi-tools6 upload?



Greetings, and happy holidays!

I am considering issuing a last-minute lenny-targeted upload of
ncbi-tools6 (via unstable, as I've kept potentially disruptive changes
to experimental) addressing two problems unearthed by archive-wide
scans: insecure temporary file usage (in an example script, assigned
CVE-2008-5149 but not reported in the BTS, and already fixed in
experimental) and undefined sprintf usage.  The source changes would
be as follows:

Index: doc/fwd_check.sh
===================================================================
--- doc/fwd_check.sh	(revision 363)
+++ doc/fwd_check.sh	(working copy)
@@ -53,16 +53,17 @@
         continue
     fi
     test "$x_status" = "READYING"  &&  unset x_status
-    ( echo ; sleep $delay_sec ) | telnet $x_host $x_port >/tmp/$$ 2>&1 &
+    tmpfile=`mktemp`
+    ( echo ; sleep $delay_sec ) | telnet $x_host $x_port >$tmpfile 2>&1 &
     pid=$!
-    trap 'rm -f /tmp/$$; kill $pid >/dev/null 2>&1' 1 2 15
+    trap 'rm -f $tmpfile; kill $pid >/dev/null 2>&1' 1 2 15
     ( sleep `expr $delay_sec + 2`  &&  kill $pid ) >/dev/null 2>&1 &
     guard=$!
     wait $pid >/dev/null 2>&1
     kill $guard >/dev/null 2>&1
     test -n "$HTTP_CAF_EXTERNAL"  || \
-        cp="`tail +4 /tmp/$$ 2>/dev/null | grep -s '^[0-9]\{1,3\}[.][0-9]\{1,3\}[.][0-9]\{1,3\}[.][0-9]\{1,3\}:[0-9]\{1,5\}'`"
-    grep -qs 'NCBI Firewall Daemon:  Invalid ticket\.  *Connection closed\.' /tmp/$$ >/dev/null 2>&1
+        cp="`tail +4 $tmpfile 2>/dev/null | grep -s '^[0-9]\{1,3\}[.][0-9]\{1,3\}[.][0-9]\{1,3\}[.][0-9]\{1,3\}:[0-9]\{1,5\}'`"
+    grep -qs 'NCBI Firewall Daemon:  Invalid ticket\.  *Connection closed\.' $tmpfile >/dev/null 2>&1
     if   [ $? -eq 0 ]; then
         echo "${x_host}:${x_port}	${x_status:-OKAY}${cp:+	}${cp}"
     elif [ -z "$x_status" ]; then
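Review bot: `tmpfile=\`mktemp\`` at the top of this hunk has no failure check; if mktemp fails (unwritable or full $TMPDIR), `$tmpfile` is empty, the `>$tmpfile` redirect fails, and the later `tail` and `grep` operate on an empty path. Suggest `tmpfile=\`mktemp\` || exit 1`. The bare invocation is also not portable to the BSD mktemp, which requires a template or `-t prefix`, so `mktemp ${TMPDIR:-/tmp}/fwd_check.XXXXXX` would be safer for a script shipped as an example. Finally, the `trap` is installed one line after the file is created and telnet backgrounded; installing it before the `tmpfile=` line closes the small window in which a signal leaves the file behind.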
@@ -70,5 +71,5 @@
     else
         echo "${x_host}:${x_port}	FAILED	( telnet $x_host $x_port )"
     fi
-    rm -f /tmp/$$
+    rm -f $tmpfile
 done 2>&1 | grep -v 'Terminated'
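Review bot: the trap installed at the top of the loop body is never cleared after `rm -f $tmpfile`, so between iterations the handler still names a path that is already gone; harmless with `-f`, but a `trap - 1 2 15` after the rm (or once after the loop) makes it explicit that nothing is left to clean up. Quoting `"$tmpfile"` here and in the redirects above would cost nothing and guards against a $TMPDIR containing whitespace.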
Index: api/aliread.c
===================================================================
--- api/aliread.c	(revision 363)
+++ api/aliread.c	(working copy)
@@ -314,8 +314,7 @@
       seqLinePtr = (SeqLineInfoPtr) rowPtr->data.ptrvalue;
 
       if (seqLinePtr->junk != NULL)
-	sprintf(seqLinePtr->sequence,"%s%s",seqLinePtr->sequence,
-		seqLinePtr->junk);
+	strcat(seqLinePtr->sequence, seqLinePtr->junk);
 
       if ((seqLinePtr->sequence != NULL) && (seqLinePtr->id == NULL))
 	{
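Review bot: the replacement does remove the undefined behaviour (sprintf with `seqLinePtr->sequence` as both the destination and a `%s` argument is undefined in C), but `strcat` is still unbounded, so it only trades UB for a possible overflow unless `sequence` is guaranteed to have room for `junk` plus the terminator; if the allocation size is known, `strncat` or an explicit length check against it would make that guarantee visible in the code. Note also that the `(seqLinePtr->sequence != NULL)` test two lines later runs after `strcat` has already dereferenced `sequence`: either that NULL case cannot occur here (and the later test is dead) or the `strcat` needs to be guarded by it.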

Would you grant a freeze exception for such an upload, or is it too
late?

-- 
Aaron M. Ucko, KB1CJC (amu at alum.mit.edu, ucko at debian.org)
Finger amu@monk.mit.edu (NOT a valid e-mail address) for more info.
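The sprintf problem mentioned in the message, shown as an added example that is not code from ncbi-tools6 or its author: `SeqLine`, `append_junk` and `demo` are hypothetical names, and the struct is a stand-in for the real record (whose layout is not on this page) that carries only a buffer, its capacity and the text to append. The point it demonstrates is a bounded, overlap-free append with the NULL check before the write, which is the property neither `sprintf(seq, "%s%s", seq, junk)` (undefined) nor a bare `strcat` (unbounded) gives.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the SeqLineInfo record in aliread.c: the real
 * struct is not on this page, so this one carries only what the example
 * needs -- the buffer, its capacity, and the text to append. */
typedef struct {
    char   *sequence;      /* NUL-terminated buffer, owned by the caller */
    size_t  sequence_cap;  /* bytes allocated for sequence, incl. the NUL */
    char   *junk;          /* text to append, or NULL */
} SeqLine;

/* Append junk to sequence without overflowing.  Returns 1 on success, 0 if
 * the result would not fit (sequence is then left unchanged), and 0 when
 * sequence itself is NULL, so the NULL check happens before any write. */
int append_junk(SeqLine *line)
{
    size_t have, need;

    if (line->sequence == NULL)
        return 0;
    if (line->junk == NULL)
        return 1;                           /* nothing to do */

    have = strlen(line->sequence);
    if (have >= line->sequence_cap)         /* buffer already inconsistent */
        return 0;
    need = strlen(line->junk);
    if (need > line->sequence_cap - 1 - have)   /* room for junk + NUL? */
        return 0;

    /* memcpy is well defined here because the regions do not overlap: the
     * source is line->junk, a separate allocation, and the destination is the
     * unused tail of sequence.  sprintf(seq, "%s%s", seq, junk) cannot promise
     * that (seq is both destination and argument), and strcat cannot know the
     * capacity of seq at all. */
    memcpy(line->sequence + have, line->junk, need + 1);
    return 1;
}

/* Driver on constructed data: one append that fits, one that is refused.
 * Returns 1 when both behave as expected. */
int demo(void)
{
    char buf[8] = "ACGT";
    char buf2[8] = "ACGT";
    SeqLine ok   = { buf,  sizeof buf,  "TTG" };   /* 4 + 3 + 1 = 8 fits   */
    SeqLine over = { buf2, sizeof buf2, "TTGA" };  /* 4 + 4 + 1 = 9 refused */
    int r1 = append_junk(&ok);
    int r2 = append_junk(&over);

    return r1 && !r2
        && strcmp(buf, "ACGTTTG") == 0      /* appended in place */
        && strcmp(buf2, "ACGT") == 0;       /* left untouched on refusal */
}

int main(void)
{
    printf("bounded append demo: %s\n", demo() ? "ok" : "FAILED");
    return demo() ? 0 : 1;
}
```

The capacity has to travel with the buffer for this to work; that is the real cost of replacing the sprintf, and it is why a `strcat` that merely compiles cleanly is not by itself evidence that the overflow is gone.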

