
Bug#737251: pu: package localepurge/0.6.2+nmu1+squeeze1



Package: release.debian.org
Severity: normal
Tags: squeeze
User: release.debian.org@packages.debian.org
Usertags: pu

(TL;DR: This is #737239 once more for opu)

Long story:

Hi,

I would like to fix #736359 / CVE-2014-1638 in Squeeze.  According to
the security tracker, the security team has classified the bug as
"minor" and declared it does not need a DSA[1].

The problem is that localepurge would create tmp files in an unsafe
way.  This allows a local user to have root destroy arbitrary files on the
system (via a race-condition) during upgrades and purge of localepurge.

The bug was fixed in sid earlier this week and has migrated to
testing as well.

~Niels

[1] https://security-tracker.debian.org/tracker/CVE-2014-1638
diff -Nru localepurge-0.6.2+nmu1/debian/changelog localepurge-0.6.2+nmu1+squeeze1/debian/changelog
--- localepurge-0.6.2+nmu1/debian/changelog	2010-08-20 00:45:19.000000000 +0200
+++ localepurge-0.6.2+nmu1+squeeze1/debian/changelog	2014-01-31 20:36:10.000000000 +0100
@@ -1,3 +1,13 @@
+localepurge (0.6.2+nmu1+squeeze1) squeeze; urgency=medium
+
+   * [CVE-2014-1638] Create tempfiles in a safe manner using
+     mktemp.  Thanks to Helmut Grohne for reporting the
+     issue and helping with the patch.  (Closes: #736359)
+   * Remove the creation of /var/tmp/reinstall_debs.sh during
+     postrm.
+
+ -- Niels Thykier <niels@thykier.net>  Fri, 31 Jan 2014 18:44:30 +0100
+
 localepurge (0.6.2+nmu1) unstable; urgency=low
 
   * Non-maintainer upload.
diff -Nru localepurge-0.6.2+nmu1/debian/localepurge.config localepurge-0.6.2+nmu1+squeeze1/debian/localepurge.config
--- localepurge-0.6.2+nmu1/debian/localepurge.config	2006-10-20 23:32:54.000000000 +0200
+++ localepurge-0.6.2+nmu1+squeeze1/debian/localepurge.config	2014-01-31 20:32:14.000000000 +0100
@@ -6,14 +6,13 @@
 
 # first get all possible locales and create a full list of locale values:
 
-TEMPFILE=$(tempfile).$$
+TEMPFILE="$(mktemp --suffix ".locales")"
 LOCALELIST=/var/cache/localepurge/localelist
 
 # for the purpose of presenting a ready made preselection at the very first
 # configuration, include already configured locales from locales package:
 
-LOCALEGEN=$(tempfile).locale.gen
-touch "$LOCALEGEN"
+LOCALEGEN="$(mktemp --suffix ".locale.gen")"
 
 if [ -f /etc/locale.gen ]; then
     grep ^[a-z] /etc/locale.gen | cut -d" " -f1 > "$LOCALEGEN"
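Review bot: the two new `mktemp` assignments (the `TEMPFILE=` and `LOCALEGEN=` lines) are not checked for failure; if mktemp cannot create the file (unwritable or full $TMPDIR) the variable is empty and the later `> "$LOCALEGEN"` redirect fails on an empty path, which only aborts the script cleanly if it runs with `-e` (the shebang is outside this hunk). Suggest `TEMPFILE="$(mktemp --suffix ".locales")" || exit 1` and the same for `LOCALEGEN`. Two smaller points: `--suffix` is a GNU coreutils extension, fine for squeeze but worth a comment if the script is ever shared with non-GNU systems, and neither temp file is removed anywhere in this hunk, so a `trap 'rm -f "$TEMPFILE" "$LOCALEGEN"' EXIT` right after creating them would stop them accumulating in /tmp. For the record, the old `$(tempfile).$$` form was unsafe not because tempfile(1) is, but because appending `.$$` turned its safely created name into a second, predictable name that the script then opened with `>`, which follows a symlink planted there first; dropping the `touch "$LOCALEGEN"` is correct since mktemp already creates the file with O_EXCL.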
diff -Nru localepurge-0.6.2+nmu1/debian/postrm localepurge-0.6.2+nmu1+squeeze1/debian/postrm
--- localepurge-0.6.2+nmu1/debian/postrm	2010-08-20 00:26:04.000000000 +0200
+++ localepurge-0.6.2+nmu1+squeeze1/debian/postrm	2014-01-31 20:33:32.000000000 +0100
@@ -1,7 +1,5 @@
 #!/bin/sh -e
 
-DEBREINSTALL="$(tempfile).$$"
-
 if [ "$1" = purge ] && [ -e /usr/share/debconf/confmodule ]; then
     . /usr/share/debconf/confmodule
     db_purge
@@ -21,14 +19,7 @@
 echo "  To reinstall all the packages which localepurge has been taking care"
 echo "  of before, you can use the following command:"
 echo
-echo "    apt-get --reinstall install \$(dpkg -S LC_MESSAGES | cut -d: -f1 | tr ', ' '\n' | sort -u)"
-echo
-# create a ready made shell script for further usage:
-echo "apt-get -u --reinstall --fix-missing install \$(dpkg -S LC_MESSAGES | cut -d: -f1 | tr ', ' '\n' | sort -u)" > $DEBREINSTALL
-mv $DEBREINSTALL /var/tmp/reinstall_debs.sh
-
-echo "  For your further usage, the file \"/var/tmp/reinstall_debs.sh\""
-echo "  contains an enhanced version of the command line printed out above."
+echo "    apt-get -u --reinstall --fix-missing install \$(dpkg -S LC_MESSAGES | cut -d: -f1 | tr ', ' '\n' | sort -u)"
 echo
 fi
 
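Review bot: the surviving `echo "    apt-get -u --reinstall ..."` line carries `'\n'` inside a double-quoted string; under `#!/bin/sh -e` with dash as /bin/sh, the builtin echo interprets `\n` as a newline, so the printed command contains a literal line break between the single quotes (still valid if pasted, since a quoted newline is what tr needs, but confusing on screen). Printing it with `printf '%s\n'` or from a here-document with a quoted delimiter (`cat <<'EOF'`) gives byte-exact output regardless of the shell's echo. Dropping the `/var/tmp/reinstall_debs.sh` script is the right fix for a root-written file in a world-writable directory, and its only on-page mention (the two removed "For your further usage" lines) goes with it; the package's README and any other documentation should be checked for references to that path so users are not sent looking for a file that is no longer created.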

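To make the race in the report concrete, here is an added illustration that is not part of the bug report or of localepurge. It replays both halves of the bug inside a private scratch directory created with `mktemp -d` (standing in for /tmp, so it runs as an ordinary user): a "privileged" writer that opens a predictable name with `>`, an attacker that plants a symlink at that name first, and the hardened writer that uses `mktemp` and aborts on failure instead of continuing with an empty variable. The PID 4242, the file names and the contents are made up; the template uses `NAME.XXXXXXXXXX` rather than the patch's GNU-only `--suffix` so it also runs with BSD or busybox mktemp.

```shell
#!/bin/sh
# Added example, not localepurge's code: the temp-file race behind
# CVE-2014-1638, replayed in a scratch directory. Names, PID and
# contents are constructed for the demo.
set -eu

WORK="$(mktemp -d)"

cleanup() { rm -rf "$WORK"; }

# Before the fix: the name was "$(tempfile).$$", a visible base name plus
# the script's PID, which a local user can guess. A plain ">" redirect
# opens without O_EXCL and follows whatever symlink is already there.
unsafe_write() {           # $1 = directory, $2 = PID the attacker guessed
    name="$1/file.$2"
    echo "locale list" > "$name"
}

# The attacker's half of the race: plant a symlink at the predicted
# name before the privileged script opens it.
plant_symlink() {          # $1 = directory, $2 = guessed PID, $3 = victim
    ln -s "$3" "$1/file.$2"
}

# After the fix: mktemp chooses an unpredictable name and creates it with
# O_CREAT|O_EXCL, so a pre-planted symlink is never opened. If mktemp
# fails the function returns non-zero instead of writing to "".
safe_write() {             # $1 = directory; prints the path it created
    name="$(mktemp "$1/localepurge.XXXXXXXXXX")" || return 1
    echo "locale list" > "$name"
    printf '%s\n' "$name"
}

# Prints the victim's content after the vulnerable sequence.
demo_unsafe() {
    d="$WORK/unsafe"; mkdir -p "$d"
    printf 'important data\n' > "$d/victim"
    plant_symlink "$d" 4242 "$d/victim"
    unsafe_write "$d" 4242
    cat "$d/victim"            # the symlink was followed: clobbered
}

# Prints the victim's content after the fixed sequence; the planted
# symlink is simply never used, and the temp file is a regular file.
demo_safe() {
    d="$WORK/safe"; mkdir -p "$d"
    printf 'important data\n' > "$d/victim"
    plant_symlink "$d" 4242 "$d/victim"
    f="$(safe_write "$d")"
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    cat "$d/victim"
}

# mktemp in an unwritable location exits non-zero; safe_write passes that
# on, which is the behaviour a caller under "sh -e" needs to abort.
demo_failure() {
    if safe_write "$WORK/does-not-exist" 2>/dev/null; then
        echo "unexpected success"
    else
        echo "aborted"
    fi
}

if [ "${1:-}" = "run" ]; then
    echo "unsafe: victim now contains: $(demo_unsafe)"
    echo "safe:   victim still contains: $(demo_safe)"
    echo "mktemp failure: $(demo_failure)"
    cleanup
fi
```

Run it as `sh demo.sh run`. The first line shows the victim file overwritten with the writer's data even though the writer never named it; the second shows the same attacker setup doing nothing against mktemp. Linux's `fs.protected_symlinks` sysctl blocks this particular symlink trick in sticky world-writable directories such as /tmp, but it is not a substitute for the fix: the demo's scratch directory is not sticky, which is exactly the situation on systems or directories where that protection does not apply.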