
Bug#686621: marked as done (unblock: devscripts/2.12.2)



Your message dated Tue, 04 Sep 2012 08:38:19 +0200
with message-id <5045A1DB.20705@thykier.net>
and subject line Re: Bug#686621: unblock: devscripts/2.12.2
has caused the Debian Bug report #686621,
regarding unblock: devscripts/2.12.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
686621: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686621
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package devscripts

2.12.2 is a small upload to address CVE-2012-3500.  Attached is the
debdiff between 2.12.1 and 2.12.2.

unblock devscripts/2.12.2

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.5-trunk-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Cheers,
-- 
James
GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy <jamessan@debian.org>
diffstat for devscripts-2.12.1 devscripts-2.12.2

 debian/changelog           |   10 ++++++++++
 scripts/annotate-output.sh |   10 +++++++---
 2 files changed, 17 insertions(+), 3 deletions(-)

diff -Nru devscripts-2.12.1/debian/changelog devscripts-2.12.2/debian/changelog
--- devscripts-2.12.1/debian/changelog	2012-07-13 16:06:43.000000000 -0400
+++ devscripts-2.12.2/debian/changelog	2012-08-26 11:22:44.000000000 -0400
@@ -1,3 +1,13 @@
+devscripts (2.12.2) unstable; urgency=high
+
+  * annotate-output: Fix to prevent symlink attack: don't delete
+    safely-created file and reuse its name.  Instead, create temporary
+    directory and create FIFOs therein.  Also, be sure to remove temporaries
+    upon catchable signal.  Thanks to Jim Meyering for the patch.  Fixes
+    CVE-2012-3500.
+
+ -- James McCoy <jamessan@debian.org>  Sun, 26 Aug 2012 11:16:17 -0400
+
 devscripts (2.12.1) unstable; urgency=low
 
   * debchange:
diff -Nru devscripts-2.12.1/scripts/annotate-output.sh devscripts-2.12.2/scripts/annotate-output.sh
--- devscripts-2.12.1/scripts/annotate-output.sh	2011-05-22 12:47:07.000000000 -0400
+++ devscripts-2.12.2/scripts/annotate-output.sh	2012-08-26 11:22:44.000000000 -0400
@@ -62,10 +62,14 @@
 	exit 1
 fi
 
-OUT=`mktemp --tmpdir annotate.XXXXXX` || exit 1
-ERR=`mktemp --tmpdir annotate.XXXXXX` || exit 1
+cleanup() { __st=$?; rm -rf "$tmp"; exit $__st; }
+trap cleanup 0
+trap 'exit $?' 1 2 13 15
+
+tmp=$(mktemp -d --tmpdir annotate.XXXXXX) || exit 1
+OUT=$tmp/out
+ERR=$tmp/err
 
-rm -f $OUT $ERR
 mkfifo $OUT $ERR || exit 1
 
 addtime O < $OUT &
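Review bot: the signal handler `trap 'exit $?' 1 2 13 15` does not propagate the signal's status: inside a trap action `$?` holds the exit status of whatever command last completed before the signal arrived, so on SIGINT or SIGTERM the script will usually exit 0 (or whatever that command returned) instead of the conventional 128+signal. A per-signal handler such as `trap 'exit 130' 2` (and 129, 141, 143 for 1, 13, 15) keeps the status meaningful while still firing the EXIT trap, so `cleanup` removes the directory either way. Two smaller points in the same hunk: `mkfifo $OUT $ERR` leaves the paths unquoted even though `cleanup` quotes `"$tmp"`, and `--tmpdir` honours `$TMPDIR`, which can contain spaces; and if `mktemp -d` fails, `cleanup` runs with an empty `$tmp`, so `rm -rf ""` only produces a harmless error message but an explicit `[ -n "$tmp" ] && rm -rf "$tmp"` would be cleaner. The core of the fix is sound: creating a private directory with `mktemp -d` and making the FIFOs inside it removes the window between the old `rm -f $OUT $ERR` and `mkfifo`, during which another local user could plant a symlink at the predictable name.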



--- End Message ---
--- Begin Message ---
On 2012-09-04 01:34, James McCoy wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package devscripts
> 
> 2.12.2 is a small upload to address CVE-2012-3500.  Attached is the
> debdiff between 2.12.1 and 2.12.2.
> 
> unblock devscripts/2.12.2
> 
> [...]

Unblocked, thanks.

~Niels

--- End Message ---