
Bug#775342: unblock: texlive-bin/2014.20140926.35254-5



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear release managers,

I would like to ask for an unblock of the source package
	texlive-bin
for version
	2014.20140926.35254-5

The only change is a fix for insecure temp file creation in mktexlsr,
see #775139.

The functional changes in the source are explained in the following
patch extract:
	-treefile="${TMPDIR-/tmp}/mktexlsrtrees$$.tmp"
	+treefile=`mktemp --tmpdir mktexlsrtrees.XXXXXXXXXX` || exit 1
which means, instead of using a guessable file name, use mktemp
to create a temporary file.

Due to Jessie RC policy, "any programs and scripts that create
files in /tmp or other world writable directories must use a mechanism
which fails if the file already exists" [1], this is a required or
at least requested fix for Jessie.

Full debdiff attached.

Thanks a lot and all the best

Norbert

[1] https://release.debian.org/jessie/rc_policy.txt

unblock texlive-bin/2014.20140926.35254-5

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-rc4 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru texlive-bin-2014.20140926.35254/debian/changelog texlive-bin-2014.20140926.35254/debian/changelog
--- texlive-bin-2014.20140926.35254/debian/changelog	2014-12-24 09:19:43.000000000 +0900
+++ texlive-bin-2014.20140926.35254/debian/changelog	2015-01-13 07:32:25.000000000 +0900
@@ -1,3 +1,9 @@
+texlive-bin (2014.20140926.35254-5) unstable; urgency=high
+
+  * fix insecure temp file creation in mktexlsr (Closes: #775139)
+
+ -- Norbert Preining <preining@debian.org>  Tue, 13 Jan 2015 07:32:13 +0900
+
 texlive-bin (2014.20140926.35254-4) unstable; urgency=high
 
   * cherrypick security fix for libpng buffer overflow (Closes: #773824)
diff -Nru texlive-bin-2014.20140926.35254/debian/patches/mktexlsr-use-mktemp texlive-bin-2014.20140926.35254/debian/patches/mktexlsr-use-mktemp
--- texlive-bin-2014.20140926.35254/debian/patches/mktexlsr-use-mktemp	1970-01-01 09:00:00.000000000 +0900
+++ texlive-bin-2014.20140926.35254/debian/patches/mktexlsr-use-mktemp	2015-01-13 07:32:25.000000000 +0900
@@ -0,0 +1,16 @@
+Don't use unsafe temp filename, use mktemp
+---
+ texk/kpathsea/mktexlsr |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- texlive-bin.orig/texk/kpathsea/mktexlsr
++++ texlive-bin/texk/kpathsea/mktexlsr
+@@ -73,7 +73,7 @@
+ dry_run=false
+ trees=
+ 
+-treefile="${TMPDIR-/tmp}/mktexlsrtrees$$.tmp"
++treefile=`mktemp --tmpdir mktexlsrtrees.XXXXXXXXXX` || exit 1
+ trap 'cd /; rm -f $treefile; test -z "$db_dir_tmp" || rm -rf "$db_dir_tmp"; 
+       exit' 0 1 2 3 7 13 15
+ 
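Review bot: `mktemp --tmpdir` is a GNU coreutils option, and mktexlsr lives upstream in texk/kpathsea, where it may meet a BSD mktemp that does not accept it; for Debian's own build this is fine, but if the patch is meant to be forwarded, the template form `mktemp "${TMPDIR-/tmp}/mktexlsrtrees.XXXXXXXXXX"` works with both implementations and keeps the TMPDIR handling of the replaced line. A second, smaller point: the trap that removes $treefile is installed on the line after the file is created, so a signal arriving between the two leaves the file behind; setting the trap first (rm -f on an empty $treefile is harmless) closes that window. The patch header also carries no DEP-3 fields (Bug-Debian, Forwarded), which would tell the next maintainer whether upstream has taken the change.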
diff -Nru texlive-bin-2014.20140926.35254/debian/patches/series texlive-bin-2014.20140926.35254/debian/patches/series
--- texlive-bin-2014.20140926.35254/debian/patches/series	2014-12-24 09:19:43.000000000 +0900
+++ texlive-bin-2014.20140926.35254/debian/patches/series	2015-01-13 07:32:25.000000000 +0900
@@ -19,3 +19,4 @@
 upstream-svn35516-dvipdfmx-fix-crash-missing-fontmap
 upstream-svn35518-mpost-fontmap-warnings
 cve-libpng-heap-overflow-fix
+mktexlsr-use-mktemp
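The idiom the patch adopts, written out as an added example (this is not code from texlive-bin or from the debdiff above, and the function names `make_treefile` and `temp_is_private` are invented for illustration): let mktemp(1) choose an unpredictable name and create the file exclusively with mode 0600, keep honouring TMPDIR as the old `${TMPDIR-/tmp}` line did, and install the cleanup trap before the file exists so an interrupted run leaves nothing behind. The second function is the check a reviewer would run on the result: a regular file, not a symlink, with no group or other permission bits.

```shell
#!/bin/sh
# Added example, not part of the texlive-bin package or the attached debdiff.
# Demonstrates the secure temp-file pattern that replaces "$$"-based names.

# make_treefile [PREFIX] -> prints the path of a freshly created temp file.
# Uses the template form, which GNU and BSD mktemp both accept, instead of
# the GNU-only --tmpdir option used in the Debian patch.  mktemp creates the
# file with O_EXCL and mode 0600, so a pre-planted file or symlink at a
# guessable path cannot be reused or followed.
make_treefile() {
    prefix=${1:-mktexlsrtrees}
    mktemp "${TMPDIR:-/tmp}/${prefix}.XXXXXXXXXX" || return 1
}

# temp_is_private PATH -> succeeds only if PATH is a regular file (not a
# symlink) whose group and other permission bits are all clear.
temp_is_private() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    # Characters 5-10 of "ls -ld" output are the group and other bits,
    # e.g. "-rw-------" -> "------".
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Usage in the same shape as mktexlsr: trap first, then create, then use.
treefile=
trap 'rm -f "$treefile"' 0 1 2 3 7 13 15
treefile=$(make_treefile) || exit 1
# Constructed sample content standing in for the tree list mktexlsr writes.
printf '%s\n' /usr/share/texmf /usr/share/texlive/texmf-dist > "$treefile"
temp_is_private "$treefile" || { echo "temp file is not private: $treefile" >&2; exit 1; }
```

The trap is installed while `$treefile` is still empty, so `rm -f ""` is a no-op if a signal lands before mktemp returns; once mktemp has assigned the path, the same trap removes it on normal exit or on any of the listed signals.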
