Re: CVE-2011-2684 fix in {old,}stable ?

On Tue, 26 Jul 2011 11:52:27 +0200, Didier Raboud wrote:
> As Martin mentioned in the 633870 bug report, CVE-2011-2684 "could" be fixed
> in a fixed point release.
>
> The proposed debdiff for squeeze is attached (the fix was uploaded to
> unstable already and given the non-severe nature of this bug I don't
> think an upload to testing is worth it).

Probably not, no.

> What do you think? (And would a fix to lenny be needed?)

Looking at the patch:

++NEWPWD=`mktemp --tmpdir --directory foo2zjs.XXXXXX`

++cd "$NEWPWD"
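
Review bot: neither added line checks for failure. The exit status of mktemp is not tested after the NEWPWD assignment, and the result of cd "$NEWPWD" is not tested either, so if the directory cannot be created the script carries on with an empty NEWPWD. Suggest aborting on both steps, for example NEWPWD=$(mktemp --tmpdir --directory foo2zjs.XXXXXX) || exit 1 followed by cd "$NEWPWD" || exit 1. The visible lines also do not show the directory being removed on exit; if that is not handled elsewhere in the patch, a cleanup trap is worth adding.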

What happens if mktemp fails? The script in question appears to be neither -e nor -u, so afaics there's the possibility for the code following the above snippet to be run in whatever happens to be the current directory when the script is run.



