
Bug#729747: pu: package apt-listbugs/0.1.8

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,
I am the current maintainer of the apt-listbugs package.

While preparing version 0.1.10, I fixed an insecure temporary file
creation.
The apt-listbugs program creates a temporary file in /tmp, when the
user asks to view the bug lists in HTML with a browser. This temporary
file is created, written (with HTML content), and then displayed by a
web browser (invoked by apt-listbugs itself).

Before version 0.1.10, this temporary file used to be created by an
ad-hoc class, which computed the file name by just concatenating a
fixed string, the PID, and a progressive integer starting at 0
(incremented, in case of name conflict with an already existing file).

Since I thought that this mechanism was fairly predictable and
insecure, I dropped this ad-hoc class and started using Tempfile from
the Ruby standard library, which seems to be more secure.
This fix is part of apt-listbugs version 0.1.10 or later.

Version 0.1.11 migrated into testing about one month ago.

I got in touch with the security team, asking whether I should prepare
updated versions of apt-listbugs for wheezy and maybe squeeze,
back-porting the fix to versions 0.1.8 and maybe 0.1.3, and explicitly
pointing out that apt-listbugs is a package which is useful above all to
testing and unstable users, and definitely less so to stable and
oldstable users.

The security team kindly obtained a CVE number for this security issue
(CVE-2013-6049) and replied that the issue "doesn't warrant a DSA, but
it would be good to fix it for an upcoming point update".

Hence, I prepared apt-listbugs/0.1.8+deb7u1 for wheezy:
please find the source diff attached (the only other changes
are the result of running "make update-po" in order to update
the .pot and .po l10n files).

If you agree, I can ask my usual sponsor to upload the prepared
package to stable, so that it will end up in the next point release.

Please let me know.
Thanks for your time!


P.S.: after this, I may perhaps find the time to do the same for
oldstable (squeeze), unless you say I shouldn't bother...

Attachment: apt-listbugs_stable-update_0.1.8+deb7u1.diff.gz
Description: application/gzip
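The message above contrasts an ad-hoc temporary-file name (fixed string + PID + counter) with Ruby's Tempfile. The following Ruby example is added here for illustration; it is not code from the bug report or from apt-listbugs. The ad-hoc scheme is a reconstruction from the description in the message (the exact prefix and separator are assumptions), and the function names are hypothetical. It shows why the ad-hoc name is predictable given the PID, and checks the properties that make Tempfile the safer choice: the file is created with O_EXCL (so a pre-existing file of the same name is not silently reused), with mode 0600, and with a random component in its name.

```ruby
require 'tempfile'
require 'tmpdir'

# Reconstruction of the ad-hoc naming scheme described in the message:
# fixed prefix + PID + progressive integer starting at 0, incremented
# on collision. Given the PID (visible in the process list) and the
# directory listing, the next name is fully determined, i.e. predictable.
# 'existing' is the list of names already present (constructed input).
def adhoc_tmp_name(dir, prefix, pid, existing)
  n = 0
  n += 1 while existing.include?(File.join(dir, "#{prefix}#{pid}.#{n}"))
  File.join(dir, "#{prefix}#{pid}.#{n}")
end

# Hardened version: the standard library's Tempfile opens the file with
# File::CREAT | File::EXCL and permission 0600, and Dir::Tmpname adds a
# random component to the name, so the name cannot simply be precomputed
# and a file planted in advance is not opened.
# Returns the Tempfile; the caller closes and unlinks it with close!.
def write_html_report(html, dir = Dir.tmpdir)
  tf = Tempfile.new(['apt-listbugs', '.html'], dir)
  tf.write(html)
  tf.flush
  tf
end

# Inspect the properties a reviewer would want to verify on the file
# actually created: permission bits, name shape, and content written.
def report_properties(tf)
  st = File.stat(tf.path)
  {
    mode: st.mode & 0o777,
    basename: File.basename(tf.path),
    content: File.read(tf.path)
  }
end

# Two successive Tempfile names for the same prefix differ even within
# one process, unlike the ad-hoc scheme where they differ only by counter.
def distinct_names?(dir = Dir.tmpdir)
  a = write_html_report('<html></html>', dir)
  b = write_html_report('<html></html>', dir)
  different = a.path != b.path
  a.close!
  b.close!
  different
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demonstration input: pretend PID 1234 and one existing file.
  puts adhoc_tmp_name('/tmp', 'apt-listbugs-', 1234, ['/tmp/apt-listbugs-1234.0'])
  tf = write_html_report("<html><body>constructed report</body></html>")
  p report_properties(tf)
  tf.close!
  puts distinct_names?
end
```

On a POSIX system the mode reported is 0600 regardless of umask, because Tempfile passes the permission explicitly; the random component in the basename is what breaks the "guess the next name" property of the PID+counter scheme.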

