
Bug#686621: unblock: devscripts/2.12.2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package devscripts

2.12.2 is a small upload to address CVE-2012-3500.  Attached is the
debdiff between 2.12.1 and 2.12.2.

unblock devscripts/2.12.2

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.5-trunk-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Cheers,
-- 
James
GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy <jamessan@debian.org>
diffstat for devscripts-2.12.1 devscripts-2.12.2

 debian/changelog           |   10 ++++++++++
 scripts/annotate-output.sh |   10 +++++++---
 2 files changed, 17 insertions(+), 3 deletions(-)

diff -Nru devscripts-2.12.1/debian/changelog devscripts-2.12.2/debian/changelog
--- devscripts-2.12.1/debian/changelog	2012-07-13 16:06:43.000000000 -0400
+++ devscripts-2.12.2/debian/changelog	2012-08-26 11:22:44.000000000 -0400
@@ -1,3 +1,13 @@
+devscripts (2.12.2) unstable; urgency=high
+
+  * annotate-output: Fix to prevent symlink attack: don't delete
+    safely-created file and reuse its name.  Instead, create temporary
+    directory and create FIFOs therein.  Also, be sure to remove temporaries
+    upon catchable signal.  Thanks to Jim Meyering for the patch.  Fixes
+    CVE-2012-3500.
+
+ -- James McCoy <jamessan@debian.org>  Sun, 26 Aug 2012 11:16:17 -0400
+
 devscripts (2.12.1) unstable; urgency=low
 
   * debchange:
diff -Nru devscripts-2.12.1/scripts/annotate-output.sh devscripts-2.12.2/scripts/annotate-output.sh
--- devscripts-2.12.1/scripts/annotate-output.sh	2011-05-22 12:47:07.000000000 -0400
+++ devscripts-2.12.2/scripts/annotate-output.sh	2012-08-26 11:22:44.000000000 -0400
@@ -62,10 +62,14 @@
 	exit 1
 fi
 
-OUT=`mktemp --tmpdir annotate.XXXXXX` || exit 1
-ERR=`mktemp --tmpdir annotate.XXXXXX` || exit 1
+cleanup() { __st=$?; rm -rf "$tmp"; exit $__st; }
+trap cleanup 0
+trap 'exit $?' 1 2 13 15
+
+tmp=$(mktemp -d --tmpdir annotate.XXXXXX) || exit 1
+OUT=$tmp/out
+ERR=$tmp/err
 
-rm -f $OUT $ERR
 mkfifo $OUT $ERR || exit 1
 
 addtime O < $OUT &
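Review bot: `trap 'exit $?' 1 2 13 15` exits with whatever `$?` held before the signal arrived, so a run interrupted by SIGINT or SIGTERM can still return 0 and a caller cannot distinguish it from a clean completion; since `trap cleanup 0` already handles the removal, per-signal `128+signum` codes (`trap 'exit 129' 1`, `trap 'exit 130' 2`, `trap 'exit 141' 13`, `trap 'exit 143' 15`) keep the cleanup path and give an honest status, and SIGQUIT (3) deserves the same treatment as it is not trapped at all. A smaller point in the same hunk: `$tmp` comes from `mktemp -d --tmpdir`, which honours TMPDIR, so `mkfifo $OUT $ERR` and the `< $OUT` redirection should quote the variables the way `rm -rf "$tmp"` in `cleanup` already does. The fix itself is sound: `mktemp -d` creates the directory mode 0700, so the FIFOs are created under a path no other user can pre-create or link into, which closes the window that the removed `rm -f $OUT $ERR` followed by `mkfifo` on the same names left open.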
