Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Dear release team, This is an unblock approval request for pxz fixing an important security bug with a trivial patch which just sets the correct umask: ~/Projects/pxz/collab-maint$ debdiff pxz_4.999.99~beta3+git659fc9b-2.dsc pxz_4.999.99~beta3+git659fc9b-3.dsc diff -Nru pxz-4.999.99~beta3+git659fc9b/debian/changelog pxz-4.999.99~beta3+git659fc9b/debian/changelog --- pxz-4.999.99~beta3+git659fc9b/debian/changelog 2014-08-04 16:07:17.000000000 +0200 +++ pxz-4.999.99~beta3+git659fc9b/debian/changelog 2015-01-27 12:34:39.000000000 +0100 @@ -1,3 +1,10 @@ +pxz (4.999.99~beta3+git659fc9b-3) unstable; urgency=medium + + * CVE-2015-1200: Fix race condition in setting permissions. Thanks to + Moritz Mühlenhoff for the patch. (Closes: #775306) + + -- Holger Levsen <holger@debian.org> Tue, 27 Jan 2015 12:34:37 +0100 + pxz (4.999.99~beta3+git659fc9b-2) unstable; urgency=medium * Bump Standards Version to 3.9.5, no changes needed. diff -Nru pxz-4.999.99~beta3+git659fc9b/debian/patches/CVE-2015-1200-Fix-race-condition-in-setting-permissions.patch pxz-4.999.99~beta3+git659fc9b/debian/patches/CVE-2015-1200-Fix-race-condition-in-setting-permissions.patch --- pxz-4.999.99~beta3+git659fc9b/debian/patches/CVE-2015-1200-Fix-race-condition-in-setting-permissions.patch 1970-01-01 01:00:00.000000000 +0100 +++ pxz-4.999.99~beta3+git659fc9b/debian/patches/CVE-2015-1200-Fix-race-condition-in-setting-permissions.patch 2015-01-27 12:33:33.000000000 +0100 
@@ -0,0 +1,27 @@ +From 31ac8e5bd6a437a5e1acd8e1a3c1c8f2b514629f Mon Sep 17 00:00:00 2001 +From: Holger Levsen <holger@layer-acht.org> +Date: Tue, 27 Jan 2015 12:29:50 +0100 +Subject: [PATCH] CVE-2015-1200 + +Fix race condition in setting permissions. (Closes: #775306) +Thanks to Moritz Mühlenhoff for the patch. + +--- + pxz.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/pxz.c b/pxz.c +index cfdb172..9404f0b 100644 +--- a/pxz.c ++++ b/pxz.c +@@ -285,6 +285,7 @@ int main( int argc, char **argv ) { + } + + fo = stdout; ++ umask(077); + if ( std_in ) { + fi = stdin; + } else { +-- +1.9.1 + diff -Nru pxz-4.999.99~beta3+git659fc9b/debian/patches/series pxz-4.999.99~beta3+git659fc9b/debian/patches/series --- pxz-4.999.99~beta3+git659fc9b/debian/patches/series 2013-05-27 22:48:38.000000000 +0200 +++ pxz-4.999.99~beta3+git659fc9b/debian/patches/series 2015-01-27 12:31:23.000000000 +0100 @@ -1 +1,2 @@ fix-man-keep-option.patch +CVE-2015-1200-Fix-race-condition-in-setting-permissions.patch The package has been uploaded and accepted into sid. Thanks for your work on jessie! cheers, Holger
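Review bot: the new debian/changelog entry for 4.999.99~beta3+git659fc9b-3 says only "Fix race condition in setting permissions" and does not name the mechanism. The entire code change is the single umask(077) call in pxz.c, so say that in the entry (for example, that output is now created under umask 077). A reader of the changelog alone can then tell that the mode of newly created files changes.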
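Review bot: in the pxz.c hunk, umask(077) is called unconditionally in main() right after fo = stdout; and its return value is discarded, so the caller's original mask cannot be restored and every file the process creates from that point on is owner-only. The diffstat shows a single insertion and no added #include, so confirm that pxz.c already includes <sys/stat.h>, otherwise umask is implicitly declared. A one-line comment above the call explaining that the restrictive mask covers the window before the final permissions are applied would make the intent clear. Since the hunk does not show where those permissions are set afterwards, also check that this step still runs on every path that produces an output file.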