pre-approval for sqlite3/3.7.13-2 upload

To: Debian Release Mailing List <debian-release@lists.debian.org>
Subject: pre-approval for sqlite3/3.7.13-2 upload
From: "Laszlo Boszormenyi (GCS)" <gcs@debian.hu>
Date: Sun, 28 Apr 2013 19:34:17 +0000
Message-id: <[🔎] 1367177657.14333.41.camel@julia>

Dear Release Team,

 SQLite3 used umask to control file access permissions on newly created
files. But umask affects the whole process and in multi-thread
applications this means if an other thread creates a file that will use
that setting as well. This is bad as for short period of times SQLite3
set umask to 0, effectively causing world readable and writable files.
This affects Apache for example while serving Subversion repositories.
Fixed in 3.7.16 with using fchmod instead of umask[1].
Debian bug[2] is filed as normal, but on multiuser systems it is RC as
users can write arbitrary files affected by this bug.
The version in Wheezy affected as well and such I've prepared an upload.
Would it be accepted with the mentioned upstream patch[1]?

An other change would be to make -dev multi-arch: same . This is also
fixed in unstable[3], but not for Wheezy. Severity set to important, but
considered critical for dependencies that want to multi-arch crossbuild.

Thanks for considering,
Laszlo/GCS
[1] http://www.sqlite.org/src/info/6c4c2b7dba?sbs=0
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703465
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683588

Reply to:

Follow-Ups:
- Re: pre-approval for sqlite3/3.7.13-2 upload
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Prev by Date: Re: Security fix for jquery-jplayer 2.1.0-1
Next by Date: Bug#706205: unblock: live-build/3.0.3-1
Previous by thread: Bug#695201: Bug#704222: release.debian.org: Request for wheezy-ignore tag: bug #693577 (libfso-glib: not properly built from source)
Next by thread: Re: pre-approval for sqlite3/3.7.13-2 upload
Index(es):
- Date
- Thread