
Bug#776378: marked as done (unblock: pxz/4.999.99~beta3+git659fc9b-3)



Your message dated Tue, 27 Jan 2015 13:44:50 +0100
with message-id <54C78842.8010903@thykier.net>
and subject line Re: Bug#776378: unblock: pxz/4.999.99~beta3+git659fc9b-3
has caused the Debian Bug report #776378,
regarding unblock: pxz/4.999.99~beta3+git659fc9b-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
776378: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776378
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear release team,

This is an unblock approval request for pxz fixing an important security bug
with a trivial patch which just sets the correct umask:

~/Projects/pxz/collab-maint$ debdiff pxz_4.999.99~beta3+git659fc9b-2.dsc pxz_4.999.99~beta3+git659fc9b-3.dsc 
diff -Nru pxz-4.999.99~beta3+git659fc9b/debian/changelog pxz-4.999.99~beta3+git659fc9b/debian/changelog
--- pxz-4.999.99~beta3+git659fc9b/debian/changelog      2014-08-04 16:07:17.000000000 +0200
+++ pxz-4.999.99~beta3+git659fc9b/debian/changelog      2015-01-27 12:34:39.000000000 +0100
@@ -1,3 +1,10 @@
+pxz (4.999.99~beta3+git659fc9b-3) unstable; urgency=medium
+
+  * CVE-2015-1200: Fix race condition in setting permissions. Thanks to 
+    Moritz Mühlenhoff for the patch. (Closes: #775306)
+
+ -- Holger Levsen <holger@debian.org>  Tue, 27 Jan 2015 12:34:37 +0100
+
 pxz (4.999.99~beta3+git659fc9b-2) unstable; urgency=medium
 
   * Bump Standards Version to 3.9.5, no changes needed.
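Review bot: the new changelog bullet names CVE-2015-1200 and a "race condition in setting permissions" but does not say what the fix changes. Suggest naming the mechanism, for example that pxz.c now calls umask(077) in main(), so someone reading only the changelog can judge the behaviour change. The line ending in "Thanks to " also carries trailing whitespace.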
diff -Nru pxz-4.999.99~beta3+git659fc9b/debian/patches/CVE-2015-1200-Fix-race-condition-in-setting-permissions.patch 
pxz-4.999.99~beta3+git659fc9b/debian/patches/CVE-2015-1200-Fix-race-condition-in-setting-permissions.patch
--- pxz-4.999.99~beta3+git659fc9b/debian/patches/CVE-2015-1200-Fix-race-condition-in-setting-permissions.patch  1970-01-01 01:00:00.000000000 +0100
+++ pxz-4.999.99~beta3+git659fc9b/debian/patches/CVE-2015-1200-Fix-race-condition-in-setting-permissions.patch  2015-01-27 12:33:33.000000000 +0100
@@ -0,0 +1,27 @@
+From 31ac8e5bd6a437a5e1acd8e1a3c1c8f2b514629f Mon Sep 17 00:00:00 2001
+From: Holger Levsen <holger@layer-acht.org>
+Date: Tue, 27 Jan 2015 12:29:50 +0100
+Subject: [PATCH] CVE-2015-1200 
+
+Fix race condition in setting permissions. (Closes: #775306) 
+Thanks to Moritz Mühlenhoff for the patch.
+
+---
+ pxz.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/pxz.c b/pxz.c
+index cfdb172..9404f0b 100644
+--- a/pxz.c
++++ b/pxz.c
+@@ -285,6 +285,7 @@ int main( int argc, char **argv ) {
+               }
+ 
+               fo = stdout;
++              umask(077);
+               if ( std_in ) {
+                       fi = stdin;
+               } else {
+-- 
+1.9.1
+
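Review bot: the added "umask(077);" after "fo = stdout;" in main() discards the previous mask and changes it for the rest of the process, on the stdin path as well as the file path, because it sits before the "if ( std_in )" branch. Suggest keeping the return value (for example "mode_t old_mask = umask(077);") so the original mask is available if permissions are set or restored later, and adding a one-line comment that ties the restrictive mask to the race named in the commit message. The diffstat shows a single insertion, so please also confirm that pxz.c already includes <sys/stat.h> for the umask() prototype.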
diff -Nru pxz-4.999.99~beta3+git659fc9b/debian/patches/series pxz-4.999.99~beta3+git659fc9b/debian/patches/series
--- pxz-4.999.99~beta3+git659fc9b/debian/patches/series 2013-05-27 22:48:38.000000000 +0200
+++ pxz-4.999.99~beta3+git659fc9b/debian/patches/series 2015-01-27 12:31:23.000000000 +0100
@@ -1 +1,2 @@
 fix-man-keep-option.patch
+CVE-2015-1200-Fix-race-condition-in-setting-permissions.patch




The package has been uploaded and accepted into sid.

Thanks for your work on jessie!


cheers,
	Holger



--- End Message ---
--- Begin Message ---
On 2015-01-27 13:34, Holger Levsen wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Dear release team,
> 
> This is an unblock approval request for pxz fixing an important security bug
> with a trivial patch which just sets the correct umask:
> 
> [...]
> 
> cheers,
> 	Holger
> 

Unblocked, thanks.

~Niels

--- End Message ---
