Bug#751584: pu: package scheme48/1.8+dfsg-1+deb7u1
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu
Steve Kemp found a security issue in this package (#748766).
According to the security team this is only a minor issue without a DSA,
so I'd like to fix it via an upload to stable instead. This debdiff shall
solve the problem:
diff -u scheme48-1.8+dfsg/debian/changelog scheme48-1.8+dfsg/debian/changelog
--- scheme48-1.8+dfsg/debian/changelog
+++ scheme48-1.8+dfsg/debian/changelog
@@ -1,3 +1,11 @@
+scheme48 (1.8+dfsg-1+deb7u1) wheezy; urgency=medium
+
+ * patch for insecure use of tmpfile (Closes: #748766)
+ (reported by Steve Kemp, patch by Michael Sperber)
+ (CVE-2014-4150)
+
+ -- Thorsten Alteholz <debian@alteholz.de> Sat, 14 Jun 2014 15:00:00 +0200
+
scheme48 (1.8+dfsg-1) unstable; urgency=low
* Repack upstream tarball to remove non-dfsg-free emacs/cmulisp.el
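Review bot: The new changelog entry ("patch for insecure use of tmpfile") does not say which file was affected or which patch carries the fix. For a stable update it helps to name both, for example that emacs/cmuscheme48.el wrote to the fixed path /tmp/s48lose.tmp and that debian/patches/security-tmpfile.patch switches it to make-temp-file, so the entry can be read without opening the debdiff.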
diff -u scheme48-1.8+dfsg/debian/patches/series scheme48-1.8+dfsg/debian/patches/series
--- scheme48-1.8+dfsg/debian/patches/series
+++ scheme48-1.8+dfsg/debian/patches/series
@@ -9,0 +10 @@
+security-tmpfile.patch
only in patch2:
unchanged:
--- scheme48-1.8+dfsg.orig/debian/patches/security-tmpfile.patch
+++ scheme48-1.8+dfsg/debian/patches/security-tmpfile.patch
@@ -0,0 +1,15 @@
+Author: Mike Sperber <sperber@deinprogramm.de>
+Description: In cmuscheme48.el, use `make-temp-file' instead of constant file name.
+Index: scheme48-1.9/emacs/cmuscheme48.el
+===================================================================
+--- scheme48-1.9.orig/emacs/cmuscheme48.el 2012-12-27 17:43:30.000000000 +0100
++++ scheme48-1.9/emacs/cmuscheme48.el 2014-05-27 19:48:09.000000000 +0200
+@@ -58,7 +58,7 @@
+ (let ((end (point)))
+ (beginning-of-defun)
+ (if losep
+- (let ((loser "/tmp/s48lose.tmp"))
++ (let ((loser (make-temp-file "s48lose")))
+ (write-region (point) end loser)
+ (scheme48-load-file loser))
+ (scheme48-send-region (point) end)))))
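Review bot: The file created by (make-temp-file "s48lose") on the added line is never removed in the visible let body, so every use of the losep branch leaves another s48lose* file in the temporary directory, where the old code reused a single path. Consider deleting the file once scheme48-load-file is done with it; if that call returns before the Scheme process has read the file, the cleanup has to be deferred rather than done immediately after the call. Separately, the patch header refers to scheme48-1.9 paths while this upload is 1.8+dfsg, so it is worth confirming the hunk applies to the 1.8 source without fuzz, and a bug reference to #748766 in the patch header would tie it to the report.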