Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

RT: please consider the attached patch for aptitude in Squeeze, to fix a security bug.

Maintainer: this is notice of intent to NMU as attached.

Thanks,

-- 
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51

diff -Nru aptitude-0.6.3/debian/changelog aptitude-0.6.3/debian/changelog
--- aptitude-0.6.3/debian/changelog 2010-10-16 18:36:26.000000000 +0100
+++ aptitude-0.6.3/debian/changelog 2011-08-11 00:09:31.000000000 +0100
@@ -1,3 +1,13 @@
+aptitude (0.6.3-3.2+squeeze1) stable; urgency=low
+
+ * Non-maintainer upload.
+ * Backport of 0009-fix-symlink-attack:
+ Fix a potential symlink attack that could occur if a user
+ with no home directory edited and saved the package hierarchy
+ definitions. (Closes: #612034)
+
+ -- Jonathan Wiltshire <jmw@debian.org> Wed, 10 Aug 2011 23:30:04 +0100
+
aptitude (0.6.3-3.2) unstable; urgency=low
* Non-maintainer upload.
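Review bot: the changelog entry names the backport "0009-fix-symlink-attack", but the file this debdiff adds and lists in debian/patches/series is 0009-fix-tmp-symlink-attach.patch, so the entry points at a patch name that does not exist in the package. Suggest using the exact file name in the changelog, and deciding whether the trailing "attach" in that file name is a typo for "attack" before upload, since renaming later means touching both the file and the series entry.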
diff -Nru aptitude-0.6.3/debian/patches/0009-fix-tmp-symlink-attach.patch aptitude-0.6.3/debian/patches/0009-fix-tmp-symlink-attach.patch
--- aptitude-0.6.3/debian/patches/0009-fix-tmp-symlink-attach.patch 1970-01-01 01:00:00.000000000 +0100
+++ aptitude-0.6.3/debian/patches/0009-fix-tmp-symlink-attach.patch 2011-08-11 00:09:08.000000000 +0100
@@ -0,0 +1,42 @@
+From: Daniel_Burrows@alumni.brown.edu <Daniel_Burrows@alumni.brown.edu>
+Date: Tue Mar 29 21:43:30 2011 -0700
+Subject: Don't clobber a fixed-name file in /tmp if the user's home directory isn't set. (Closes: #612034)
+
+diff --git a/src/edit_pkg_hier.cc b/src/edit_pkg_hier.cc
+index 7189580..213a97f 100644
+--- a/src/edit_pkg_hier.cc
++++ b/src/edit_pkg_hier.cc
+@@ -1,6 +1,6 @@
+ // edit_pkg_hier.cc
+ //
+-// Copyright (C) 2000-2001, 2004-2006 Daniel Burrows
++// Copyright (C) 2000-2001, 2004-2006, 2011 Daniel Burrows
+ //
+ // This program is free software; you can redistribute it and/or
+ // modify it under the terms of the GNU General Public License as
+@@ -332,18 +332,20 @@ bool hier_editor::handle_key(const cw::config::key &k)
+ if(cw::config::global_bindings.key_matches(k, "SaveHier"))
+ {
+ string homedir = get_homedir();
+- string cfgfile;
+
+ if(homedir.empty())
+ {
+- show_message(_("Unable to look up your home directory, saving to /tmp/function_pkgs!"),
++ // This normally will not happen. Don't default to a fixed
++ // filename to prevent symlink attacks. (Debian bug #612034)
++ show_message(_("Unable to look up your home directory!"),
+ NULL,
+ cw::get_style("Error"));
+- cfgfile = "/tmp/function_pkgs";
+ }
+ else
+- cfgfile = homedir + "/.aptitude/function_pkgs";
+- save_hier(cfgfile);
++ {
++ string cfgfile = homedir + "/.aptitude/function_pkgs";
++ save_hier(cfgfile);
++ }
+ }
+ else if(cw::config::global_bindings.key_matches(k, "Quit"))
+ {
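Review bot: in the homedir.empty() branch of hier_editor::handle_key the call to save_hier() is now skipped, but the replacement message "Unable to look up your home directory!" does not tell the user that the hierarchy was not written, so edits can be lost without the user knowing. Suggest a message that states the outcome, such as "Unable to look up your home directory; the package hierarchy was not saved!". Because the string is wrapped in _(), any changed wording will show untranslated until the translations catch up, which is worth a line in the changelog for a stable update.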
diff -Nru aptitude-0.6.3/debian/patches/series aptitude-0.6.3/debian/patches/series
--- aptitude-0.6.3/debian/patches/series 2010-10-16 18:35:47.000000000 +0100
+++ aptitude-0.6.3/debian/patches/series 2011-08-11 00:09:08.000000000 +0100
@@ -6,3 +6,4 @@
0006-Comment-out-std-ostream-operator-std-ostream-out-con.patch
debian-changes-0.6.3-3.1
0007-preferences-dir.patch
+0009-fix-tmp-symlink-attach.patch
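Review bot: the new series entry is numbered 0009 directly after 0007-preferences-dir.patch, with no 0008 in the visible context, so a reader of debian/patches/series cannot tell whether a patch was dropped or the number was simply carried over from elsewhere. Suggest either renumbering to follow the existing sequence or noting in the patch header where the 0009 number comes from.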