
Bug#652107: pu: package libpar-packer-perl/1.006-1 and libpar-perl/1.000-1



Hi

Sorry, here is the corrected debdiff for the libpar-packer-perl.

Regards
Salvatore
diff -Nru libpar-packer-perl-1.006/debian/changelog libpar-packer-perl-1.006/debian/changelog
--- libpar-packer-perl-1.006/debian/changelog	2010-06-28 18:17:16.000000000 +0200
+++ libpar-packer-perl-1.006/debian/changelog	2011-12-15 09:27:14.000000000 +0100
@@ -1,3 +1,15 @@
+libpar-packer-perl (1.006-1+squeeze1) stable; urgency=low
+
+  * Team upload.
+  * Add create-safe-temporary-directories.patch patch.
+    Fixes CVE-2011-4114: PAR packed files are extracted to unsafe and
+    predictable temporary directories. (Closes: #650706)
+  * Bump (Build-)Depends on libpar-perl.
+    Bump the dependencies to libpar-perl (>= 1.000-1+squeeze1) as this
+    version contains the other half of the fix for CVE-2011-4114.
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Tue, 13 Dec 2011 22:03:26 +0100
+
 libpar-packer-perl (1.006-1) unstable; urgency=low
 
   * New upstream release.
diff -Nru libpar-packer-perl-1.006/debian/control libpar-packer-perl-1.006/debian/control
--- libpar-packer-perl-1.006/debian/control	2010-06-28 18:13:58.000000000 +0200
+++ libpar-packer-perl-1.006/debian/control	2011-12-15 09:27:14.000000000 +0100
@@ -6,7 +6,7 @@
  libgetopt-argvfile-perl (>= 1.07),
  libinline-perl,
  libmodule-scandeps-perl (>= 0.96),
- libpar-perl (>= 1.000),
+ libpar-perl (>= 1.000-1+squeeze1),
  libperl-dev,
  libtest-pod-perl,
  perl (>= 5.10) | libio-compress-perl | libcompress-zlib-perl (>= 1.3)
@@ -28,7 +28,7 @@
  libgetopt-argvfile-perl (>= 1.07),
  libmodule-scandeps-perl (>= 0.96),
  libpar-dist-perl (>= 0.22),
- libpar-perl (>= 1.000),
+ libpar-perl (>= 1.000-1+squeeze1),
  perl (>= 5.10) | libio-compress-perl | libcompress-zlib-perl (>= 1.3)
 Recommends: libtk-perl
 Description: utility for creating PAR archives and stand-alone executables
diff -Nru libpar-packer-perl-1.006/debian/patches/create-safe-temporary-directories.patch libpar-packer-perl-1.006/debian/patches/create-safe-temporary-directories.patch
--- libpar-packer-perl-1.006/debian/patches/create-safe-temporary-directories.patch	1970-01-01 01:00:00.000000000 +0100
+++ libpar-packer-perl-1.006/debian/patches/create-safe-temporary-directories.patch	2011-12-15 09:27:14.000000000 +0100
@@ -0,0 +1,67 @@
+Description: Create safe temporary directories
+ CVE-2011-4114: PAR packed files are extracted to unsafe and predictable
+ temporary directories.
+ .
+ - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
+ - if it already exists, make sure that (and bail out if not)
+   - it's not a symlink
+   - it's mode 0700
+   - it's owned by USER
+Origin: upstream
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=69560
+Bug-Debian: http://bugs.debian.org/650706
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2011-12-13
+
+--- a/myldr/mktmpdir.c
++++ b/myldr/mktmpdir.c
+@@ -153,7 +153,38 @@
+     stmpdir = malloc( stmp_len );
+     stmpdir2 = malloc( stmp_len );
+     sprintf(stmpdir2, "%s%s%s%s", tmpdir, dir_sep, subdirbuf_prefix, username);
+-    my_mkdir(stmpdir2, 0755);
++#ifdef WIN32
++    _mkdir(stmpdir2);         /* FIXME bail if error (other than EEXIST) */
++#else
++    {
++        struct stat st;
++
++        if (mkdir(stmpdir2, 0700) == -1 && errno != EEXIST) {
++            fprintf(stderr, "%s: creation of private subdirectory %s failed (errno=%i)\n", 
++                    argv[0], stmpdir2, errno);
++            return NULL;
++        }
++
++        /* now check that:
++         * - stmpdir2 is a directory (and not a symlink)
++         * - stmpdir2 is owned by the user
++         * - stmpdir2 has mode 0700
++         */
++        if (lstat(stmpdir2, &st) == -1) {
++            fprintf(stderr, "%s: stat of private subdirectory %s failed (errno=%i)\n",
++                    argv[0], stmpdir2, errno);
++            return NULL;
++        }
++
++        if (!S_ISDIR(st.st_mode)
++            || st.st_uid != getuid()
++            || (st.st_mode & 0777) != 0700 ) {
++            fprintf(stderr, "%s: private subdirectory %s is unsafe\n",
++                    argv[0], stmpdir2);
++            return NULL;
++        }
++    }
++#endif
+ 
+     /* Doesn't really work - XXX */
+     val = par_getenv( "PATH" );
+@@ -239,7 +270,7 @@
+            a prior invocation crashed leaving garbage in a temp directory that
+            might interfere. */
+ 
+-        while (my_mkdir(stmpdir, 0755) == -1 && errno == EEXIST) {
++        while (my_mkdir(stmpdir, 0700) == -1 && errno == EEXIST) {
+             sprintf(
+                 stmpdir,
+                 "%s%stemp-%u-%u%s",
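Review bot: The `#ifdef WIN32` branch at the top of the first hunk still discards the result of `_mkdir(stmpdir2)` (the FIXME on that line admits it), so on Windows a creation failure is never reported and the loader carries on, whereas the POSIX branch below returns NULL; mirroring that error path, `if (_mkdir(stmpdir2) == -1 && errno != EEXIST) { fprintf(stderr, "%s: creation of private subdirectory %s failed (errno=%i)\n", argv[0], stmpdir2, errno); return NULL; }`, closes the gap. The POSIX sequence — mkdir with 0700, then lstat and the S_ISDIR / st_uid / mode test — is the right shape for CVE-2011-4114, and masking with 0777 deliberately ignores the setuid/setgid/sticky bits, which looks intended. The new code relies on `<sys/stat.h>`, `<unistd.h>` and `<errno.h>` being in scope; the hunk does not show mktmpdir.c's includes, so it is worth confirming they are already present rather than pulled in indirectly. The enclosing function starts before the first hunk and continues past the second, so the later uses of stmpdir2 and the stmpdir retry loop are only partly visible here.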
diff -Nru libpar-packer-perl-1.006/debian/patches/series libpar-packer-perl-1.006/debian/patches/series
--- libpar-packer-perl-1.006/debian/patches/series	2010-04-14 16:43:02.000000000 +0200
+++ libpar-packer-perl-1.006/debian/patches/series	2011-12-15 09:27:14.000000000 +0100
@@ -1,3 +1,4 @@
 fix-pod-spelling.patch
 01_manpage-ext.patch
 fix-with-new-par-name
+create-safe-temporary-directories.patch
