devscripts lenny update (#507482)
Hi,
The devscripts package in lenny has an insecure temporary directory
issue when signing files which are copied from a remote machine; see
#507482.
Would fixing this be suitable for a(nother) lenny update for the
package? I've attached a minimal debdiff.
Regards,
Adam
diff -adNru devscripts-2.10.35lenny1/scripts/debsign.sh devscripts-2.10.35lenny2/scripts/debsign.sh
--- devscripts-2.10.35lenny1/scripts/debsign.sh 2008-12-12 18:26:10.000000000 +0000
+++ devscripts-2.10.35lenny2/scripts/debsign.sh 2009-01-08 23:09:56.000000000 +0000
@@ -40,6 +40,7 @@
PRECIOUS_FILES=0
PROGNAME=`basename $0`
MODIFIED_CONF_MSG='Default settings modified by devscripts configuration files:'
+TEMP_DIR=
# --- Functions
@@ -109,9 +110,9 @@
cleanup_tmpdir () {
if [ "$PRECIOUS_FILES" -gt 0 ]; then
- echo "$PROGNAME: aborting with $PRECIOUS_FILES signed files in `pwd`" >&2
+ echo "$PROGNAME: aborting with $PRECIOUS_FILES signed files in $TEMP_DIR" >&2
else
- cd ..; rm -rf debsign.$$
+ cd ..; rm -rf $TEMP_DIR
fi
}
@@ -338,9 +339,9 @@
if [ -n "$remotehost" ]
then
cd ${TMPDIR:-/tmp}
- mkdir debsign.$$ || { echo "$PROGNAME: Can't mkdir!" >&2; exit 1; }
+ TEMP_DIR="$(mktemp -d "debsign.XXXXXXX")" || { echo "$PROGNAME: Can't make temporary dir!" >&2; exit 1; }
trap "cleanup_tmpdir" 0 1 2 3 7 10 13 15
- cd debsign.$$
+ cd $TEMP_DIR
remotechanges=$changes
remotedsc=$dsc
Reply to: