Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear release team,

This is an unblock approval request for pxz fixing an important security bug
with a trivial patch which just sets the correct umask:

~/Projects/pxz/collab-maint$ debdiff pxz_4.999.99~beta3+git659fc9b-2.dsc pxz_4.999.99~beta3+git659fc9b-3.dsc
diff -Nru pxz-4.999.99~beta3+git659fc9b/debian/changelog pxz-4.999.99~beta3+git659fc9b/debian/changelog
--- pxz-4.999.99~beta3+git659fc9b/debian/changelog 2014-08-04 16:07:17.000000000 +0200
+++ pxz-4.999.99~beta3+git659fc9b/debian/changelog 2015-01-27 12:34:39.000000000 +0100
@@ -1,3 +1,10 @@
+pxz (4.999.99~beta3+git659fc9b-3) unstable; urgency=medium
+
+ * CVE-2015-1200: Fix race condition in setting permissions. Thanks to
+ Moritz Mühlenhoff for the patch. (Closes: #775306)
+
+ -- Holger Levsen <holger@debian.org> Tue, 27 Jan 2015 12:34:37 +0100
+
pxz (4.999.99~beta3+git659fc9b-2) unstable; urgency=medium
* Bump Standards Version to 3.9.5, no changes needed.
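Review bot: The new changelog entry at the top of this hunk says only "Fix race condition in setting permissions" and does not say what was changed. Since this entry is what gets read when the unblock is evaluated, suggest naming the actual change, for example that umask(077) is now set in pxz.c before any file is opened, so the scope of the fix is clear from the changelog alone.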
diff -Nru pxz-4.999.99~beta3+git659fc9b/debian/patches/CVE-2015-1200-Fix-race-condition-in-setting-permissions.patch
pxz-4.999.99~beta3+git659fc9b/debian/patches/CVE-2015-1200-Fix-race-condition-in-setting-permissions.patch
--- pxz-4.999.99~beta3+git659fc9b/debian/patches/CVE-2015-1200-Fix-race-condition-in-setting-permissions.patch 1970-01-01 01:00:00.000000000 +0100
+++ pxz-4.999.99~beta3+git659fc9b/debian/patches/CVE-2015-1200-Fix-race-condition-in-setting-permissions.patch 2015-01-27 12:33:33.000000000 +0100
@@ -0,0 +1,27 @@
+From 31ac8e5bd6a437a5e1acd8e1a3c1c8f2b514629f Mon Sep 17 00:00:00 2001
+From: Holger Levsen <holger@layer-acht.org>
+Date: Tue, 27 Jan 2015 12:29:50 +0100
+Subject: [PATCH] CVE-2015-1200
+
+Fix race condition in setting permissions. (Closes: #775306)
+Thanks to Moritz Mühlenhoff for the patch.
+
+---
+ pxz.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/pxz.c b/pxz.c
+index cfdb172..9404f0b 100644
+--- a/pxz.c
++++ b/pxz.c
+@@ -285,6 +285,7 @@ int main( int argc, char **argv ) {
+ }
+
+ fo = stdout;
++ umask(077);
+ if ( std_in ) {
+ fi = stdin;
+ } else {
+--
+1.9.1
+
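Review bot: The added "umask(077);" in main() is unconditional and process-wide. It sits before the "if ( std_in )" branch, so it also applies when input is stdin and output is stdout, and nothing in the hunk restores the previous mask or explains the call. Suggest a one-line comment above it stating that files created from here on start out owner-only, which is what closes the window described in the patch subject, and a check that the later code still applies the intended final mode to the output file, since every file created after this line loses group and other access by default. The patch description also carries the changelog-style "(Closes: #775306)"; a plain bug reference in the patch header would be easier to track if the patch is forwarded.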
diff -Nru pxz-4.999.99~beta3+git659fc9b/debian/patches/series pxz-4.999.99~beta3+git659fc9b/debian/patches/series
--- pxz-4.999.99~beta3+git659fc9b/debian/patches/series 2013-05-27 22:48:38.000000000 +0200
+++ pxz-4.999.99~beta3+git659fc9b/debian/patches/series 2015-01-27 12:31:23.000000000 +0100
@@ -1 +1,2 @@
fix-man-keep-option.patch
+CVE-2015-1200-Fix-race-condition-in-setting-permissions.patch

The package has been uploaded and accepted into sid.

Thanks for your work on jessie!

cheers,
Holger