Dear release team, As Martin mentionned in the 633870 bugreport, CVE-2011-2684 "could" be fixed in a fixed point release. The proposed debdiff for squeeze is attached (the fix was uploaded to unstable already and given the non-severe nature if this bug I don't think an upload to testing is worth. What do you think ? (And would a fix to lenny be needed ?) Cheers, -- OdyX
diff -u foo2zjs-20090908dfsg/debian/changelog foo2zjs-20090908dfsg/debian/changelog --- foo2zjs-20090908dfsg/debian/changelog +++ foo2zjs-20090908dfsg/debian/changelog @@ -1,3 +1,12 @@ +foo2zjs (20090908dfsg-5.1+squeeze0) stable-proposed-updates; urgency=low + + * Non-maintainer upload. + * Update debian/patches/60-getweb.in.patch: + Fix CVE-2011-2684 "Insecure Temporary File" (CWE-277) in /usr/bin/getweb + by creating a safe temporary directory with mktemp (Closes: #633870). + + -- Didier Raboud <firstname.lastname@example.org> Tue, 26 Jul 2011 11:34:42 +0200 + foo2zjs (20090908dfsg-5.1) unstable; urgency=low * Non-maintainer upload. diff -u foo2zjs-20090908dfsg/debian/patches/60-getweb.in.patch foo2zjs-20090908dfsg/debian/patches/60-getweb.in.patch --- foo2zjs-20090908dfsg/debian/patches/60-getweb.in.patch +++ foo2zjs-20090908dfsg/debian/patches/60-getweb.in.patch @@ -1,6 +1,6 @@ Improve getweb also for installing the firmware ---- foo2zjs-20090908dfsg.orig/getweb.in -+++ foo2zjs-20090908dfsg/getweb.in +--- a/getweb.in ++++ b/getweb.in @@ -2,7 +2,7 @@ # @@ -199,8 +199,8 @@ fi +OLDPWD=`pwd` -+mkdir -p /tmp/foo2zjs -+cd /tmp/foo2zjs ++NEWPWD=`mktemp --tmpdir --directory foo2zjs.XXXXXX` ++cd "$NEWPWD" + for i in $* do
Description: This is a digitally signed message part.