Hi Adam

On Sun, Dec 18, 2011 at 11:12:46PM +0100, Salvatore Bonaccorso wrote:
> Hey Adam
>
> On Sun, Dec 18, 2011 at 02:50:49PM +0000, Adam D. Barratt wrote:
> > tag 652107 + squeeze moreinfo
> > thanks
> >
> > On Wed, 2011-12-14 at 22:12 +0100, Salvatore Bonaccorso wrote:
> > > libpar-packer-perl 1.006-1 and libpar-perl 1.000-1 in Squeeze are
> > > affected by CVE-2011-4114: "PAR packed files are extracted to unsafe
> > > and predictable temporary directories."
> > [...]
> > > The debdiffs I would propose are attached. I have one further
> > > question: would you accept addition of these patches (adapted) [3] and
> > > [4]?
> > >
> > > [3] http://search.cpan.org/diff?from=PAR-Packer-1.011&to=PAR-Packer-1.012&w=1
> > > [4] http://search.cpan.org/diff?from=PAR-1.004&to=PAR-1.005&w=1
> >
> > Yes, those patches should be okay to include. I'd like to see final
> > debdiffs before giving a final ACK though.
>
> Sure, please find both attached. In case you would like to have
> something changed, I will do so.
>
> > It wasn't entirely clear from your mail, but have the packages with the
> > patches applied been tested on squeeze?
>
> Yes, I have now tested the packages on Squeeze. The build already contains
> some tests, which all pass; furthermore, I did some testing with a par
> file and the pp utility. They now behave correctly, detecting an unsafe
> directory in /tmp if I create one manually with unsafe permissions.

"ping" :)

I wonder if the two debdiffs are okay for inclusion in the next point
release of Squeeze?

Best regards,
Salvatore
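The check Salvatore describes testing, a packer refusing to reuse a temporary extraction directory that another user could have pre-created with unsafe permissions, is what the CVE-2011-4114 fix is about. The following is an added example written for this page, not code from PAR, PAR::Packer or the Debian debdiffs; it shows the language-independent validation a per-user cache directory under /tmp needs (real directory, not a symlink, owned by the current user, no group/other permission bits) and then demonstrates the check accepting a private directory and rejecting world-writable, symlinked and foreign-owned ones. The `par-<uid>` directory name is an assumption chosen for the example, not PAR's actual naming.

```python
import os
import stat
import tempfile

# Constructed example: a validation step of the kind a packer's temp-extraction
# code must perform before reusing a predictable per-user directory under /tmp.


def is_safe_private_dir(path: str, uid: int) -> bool:
    """Return True only if `path` is a real directory (not a symlink),
    owned by `uid`, and writable by nobody but its owner."""
    try:
        st = os.lstat(path)  # lstat: a symlink planted by another user must not pass
    except FileNotFoundError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != uid:
        return False
    # any group/other permission bit means another user could read or tamper
    # with the files extracted into the directory
    if stat.S_IMODE(st.st_mode) & 0o077:
        return False
    return True


def ensure_private_dir(base: str, uid: int) -> str:
    """Create or validate a per-user extraction directory beneath `base`.
    Raises RuntimeError instead of silently using a directory someone else
    prepared (the CVE-2011-4114 failure mode). The name is an assumption."""
    path = os.path.join(base, f"par-{uid}")
    try:
        os.mkdir(path, 0o700)  # atomic create; fails if anything already sits there
    except FileExistsError:
        pass
    # mkdir honours umask and cannot repair a pre-existing directory, so always re-check
    if not is_safe_private_dir(path, uid):
        raise RuntimeError(f"refusing to use unsafe extraction directory {path}")
    return path


def demo() -> dict:
    """Exercise the check against directories with safe and unsafe properties."""
    uid = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as base:
        good = os.path.join(base, "good")
        os.mkdir(good, 0o700)
        results["private_dir_accepted"] = is_safe_private_dir(good, uid)

        bad = os.path.join(base, "bad")
        os.mkdir(bad, 0o700)
        os.chmod(bad, 0o777)  # simulate a pre-created, world-writable directory
        results["world_writable_rejected"] = not is_safe_private_dir(bad, uid)

        link = os.path.join(base, "link")
        os.symlink(good, link)
        results["symlink_rejected"] = not is_safe_private_dir(link, uid)

        results["foreign_owner_rejected"] = not is_safe_private_dir(good, uid + 1)

        created = ensure_private_dir(base, uid)
        results["fresh_dir_usable"] = is_safe_private_dir(created, uid)

        try:
            os.chmod(created, 0o755)  # others can now list the directory: no longer private
            ensure_private_dir(base, uid)
            results["tampered_dir_refused"] = False
        except RuntimeError:
            results["tampered_dir_refused"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

The important design point is the order of operations: create with `mkdir(mode=0o700)` so that a pre-existing entry is never silently adopted, then validate with `lstat` rather than `stat` so a symlink pointing elsewhere cannot masquerade as the directory, and treat any group/other bit as disqualifying rather than only the write bits.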