Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: pu RT: please consider the attached patch for aptitude in Squeeze, to fix a security bug. Maintainer: this is notice of intent to NMU as attached. Thanks, -- Jonathan Wiltshire jmw@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
diff -Nru aptitude-0.6.3/debian/changelog aptitude-0.6.3/debian/changelog --- aptitude-0.6.3/debian/changelog 2010-10-16 18:36:26.000000000 +0100 +++ aptitude-0.6.3/debian/changelog 2011-08-11 00:09:31.000000000 +0100 @@ -1,3 +1,13 @@ +aptitude (0.6.3-3.2+squeeze1) stable; urgency=low + + * Non-maintainer upload. + * Backport of 0009-fix-symlink-attack: + Fix a potential symlink attack that could occur if a user + with no home directory edited and saved the package hierarchy + definitions. (Closes: #612034) + + -- Jonathan Wiltshire <jmw@debian.org> Wed, 10 Aug 2011 23:30:04 +0100 + aptitude (0.6.3-3.2) unstable; urgency=low * Non-maintainer upload. diff -Nru aptitude-0.6.3/debian/patches/0009-fix-tmp-symlink-attach.patch aptitude-0.6.3/debian/patches/0009-fix-tmp-symlink-attach.patch --- aptitude-0.6.3/debian/patches/0009-fix-tmp-symlink-attach.patch 1970-01-01 01:00:00.000000000 +0100 +++ aptitude-0.6.3/debian/patches/0009-fix-tmp-symlink-attach.patch 2011-08-11 00:09:08.000000000 +0100 @@ -0,0 +1,42 @@ +From: Daniel_Burrows@alumni.brown.edu <Daniel_Burrows@alumni.brown.edu> +Date: Tue Mar 29 21:43:30 2011 -0700 +Subject: Don't clobber a fixed-name file in /tmp if the user's home directory isn't set. (Closes: #612034) + +diff --git a/src/edit_pkg_hier.cc b/src/edit_pkg_hier.cc +index 7189580..213a97f 100644 +--- a/src/edit_pkg_hier.cc ++++ b/src/edit_pkg_hier.cc +@@ -1,6 +1,6 @@ + // edit_pkg_hier.cc + // +-// Copyright (C) 2000-2001, 2004-2006 Daniel Burrows ++// Copyright (C) 2000-2001, 2004-2006, 2011 Daniel Burrows + // + // This program is free software; you can redistribute it and/or + // modify it under the terms of the GNU General Public License as +@@ -332,18 +332,20 @@ bool hier_editor::handle_key(const cw::config::key &k) + if(cw::config::global_bindings.key_matches(k, "SaveHier")) + { + string homedir = get_homedir(); +- string cfgfile; + + if(homedir.empty()) + { +- show_message(_("Unable to look up your home directory, saving to /tmp/function_pkgs!"), ++ // This normally will not happen. Don't default to a fixed ++ // filename to prevent symlink attacks. (Debian bug #612034) ++ show_message(_("Unable to look up your home directory!"), + NULL, + cw::get_style("Error")); +- cfgfile = "/tmp/function_pkgs"; + } + else +- cfgfile = homedir + "/.aptitude/function_pkgs"; +- save_hier(cfgfile); ++ { ++ string cfgfile = homedir + "/.aptitude/function_pkgs"; ++ save_hier(cfgfile); ++ } + } + else if(cw::config::global_bindings.key_matches(k, "Quit")) + { diff -Nru aptitude-0.6.3/debian/patches/series aptitude-0.6.3/debian/patches/series --- aptitude-0.6.3/debian/patches/series 2010-10-16 18:35:47.000000000 +0100 +++ aptitude-0.6.3/debian/patches/series 2011-08-11 00:09:08.000000000 +0100 @@ -6,3 +6,4 @@ 0006-Comment-out-std-ostream-operator-std-ostream-out-con.patch debian-changes-0.6.3-3.1 0007-preferences-dir.patch +0009-fix-tmp-symlink-attach.patch
Attachment:
signature.asc
Description: Digital signature