
Bug#636527: pu: pmake: diff for NMU version 1.111-2+squeeze1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Release managers: Please consider the attached patch for pmake in Squeeze.
This fixes CVE-2011-1920 and is identical to the patch already applied to
unstable.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
diff -Nru pmake-1.111/debian/changelog pmake-1.111/debian/changelog
--- pmake-1.111/debian/changelog	2009-12-21 22:08:58.000000000 +0000
+++ pmake-1.111/debian/changelog	2011-08-03 20:59:45.000000000 +0100
@@ -1,3 +1,11 @@
+pmake (1.111-2+squeeze1) stable; urgency=low
+
+  * Non-maintainer upload.
+  * Backport fix for CVE-2011-1920 (symlink attack in bsd.lib.mk
+    (Closes: #626673)
+
+ -- Jonathan Wiltshire <jmw@debian.org>  Wed, 03 Aug 2011 20:59:29 +0100
+
 pmake (1.111-2) unstable; urgency=low
 
   [ Sam Hocevar <sho@debian.org> ]
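Review bot: The new changelog bullet never closes its parenthesis ("(symlink attack in bsd.lib.mk") and names only bsd.lib.mk, although the shipped patch also changes mk/bsd.prog.mk. Close the parenthesis and list both files so the stable changelog matches what the upload actually touches.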
diff -Nru pmake-1.111/debian/patches/CVE-2011-1920.diff pmake-1.111/debian/patches/CVE-2011-1920.diff
--- pmake-1.111/debian/patches/CVE-2011-1920.diff	1970-01-01 01:00:00.000000000 +0100
+++ pmake-1.111/debian/patches/CVE-2011-1920.diff	2011-08-03 20:58:32.000000000 +0100
@@ -0,0 +1,29 @@
+Description: insecure temporary files
+Origin: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;bug=626673
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626673
+Author: Matej Vela <vela@debian.org>
+Reviewed-by: Jonathan Wiltshire <jmw@debian.org>
+Last-Update: 2011-08-03
+
+--- pmake-1.111.orig/mk/bsd.lib.mk
++++ pmake-1.111/mk/bsd.lib.mk
+@@ -291,7 +291,7 @@
+ 
+ .if defined(SRCS)
+ afterdepend: .depend
+-	@(TMP=/tmp/_depend$$$$; \
++	@(TMP=`mktemp -t _dependXXXXXXXXXX` || exit $$?; \
+ 	    sed -e 's/^\([^\.]*\).o[ ]*:/\1.o \1.po \1.so \1.ln:/' \
+ 	      < .depend > $$TMP; \
+ 	    mv $$TMP .depend)
+--- pmake-1.111.orig/mk/bsd.prog.mk
++++ pmake-1.111/mk/bsd.prog.mk
+@@ -124,7 +124,7 @@
+ 
+ .if defined(SRCS)
+ afterdepend: .depend
+-	@(TMP=/tmp/_depend$$$$; \
++	@(TMP=`mktemp -t _dependXXXXXXXXXX` || exit $$?; \
+ 	    sed -e 's/^\([^\.]*\).o[ ]*:/\1.o \1.ln:/' \
+ 	      < .depend > $$TMP; \
+ 	    mv $$TMP .depend)
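Review bot: In both afterdepend rules the replacement `TMP=` line creates the temporary file with mktemp, which gives it mode 0600 in the temporary directory, and the unchanged `mv $$TMP .depend` then installs that file as .depend, so .depend ends up owner-only regardless of umask and the move may cross filesystems instead of being a rename. The commands are also still joined with `;`, so a failing sed leaves the `mv` to run anyway and nothing removes the temporary file. Consider creating the temporary file beside the target (a template such as `.depend.XXXXXXXXXX` in the current directory), chaining sed and mv with `&&`, and removing `$$TMP` on failure.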
diff -Nru pmake-1.111/debian/patches/series pmake-1.111/debian/patches/series
--- pmake-1.111/debian/patches/series	2009-12-21 22:09:30.000000000 +0000
+++ pmake-1.111/debian/patches/series	2011-08-03 20:56:06.000000000 +0100
@@ -2,3 +2,4 @@
 110_mkdep.diff
 120_fixes.diff
 130_maxpathlen.diff
+CVE-2011-1920.diff
