Bug#782520: unblock: rinse/3.0.8
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package rinse 3.0.8. Debdiff is included.
The fix for #774669 (cpio CVE-2015-1197) breaks rinse 3.0.7. This is
fixed in 3.0.8 by passing the new cpio option --extract-over-symlinks.
jessie[~]> debdiff rinse_3.0.7.dsc rinse_3.0.8.dsc
diff -Nru rinse-3.0.7/bin/rinse rinse-3.0.8/bin/rinse
--- rinse-3.0.7/bin/rinse 2014-07-25 13:22:30.000000000 +0200
+++ rinse-3.0.8/bin/rinse 2015-04-13 14:46:04.000000000 +0200
@@ -1147,13 +1147,13 @@
# Run the unpacking command.
#
my $cmd =
- "rpm2cpio $file | (cd $CONFIG{'directory'} ; cpio --extract --make-directories --no-absolute-filenames --preserve-modification-time) 2>/dev/null >/dev/null";
+ "rpm2cpio $file | (cd $CONFIG{'directory'} ; cpio --extract --extract-over-symlinks --make-directories --no-absolute-filenames --preserve-modification-time) 2>/dev/null >/dev/null";
if ( $file =~ /(fedora|centos|redhat|mandriva)-release-/ ) {
my $rpmname = basename($file);
$postcmd =
"cp $file $CONFIG{'directory'}/tmp ; chroot $CONFIG{'directory'} rpm -ivh --force --nodeps /tmp/$rpmname ; rm $CONFIG{'directory'}/tmp/$rpmname";
}
- system($cmd );
+ system($cmd) == 0 or die "failed to extract $name: $?";
}
print "\r";
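Review bot: The added `--extract-over-symlinks` on the cpio line turns off the symlink protection that the CVE-2015-1197 fix introduced, and the extraction runs on the host after a plain `cd $CONFIG{'directory'}` rather than inside the chroot, so an archive entry that follows a symlink could be written outside the target tree. That trust assumption should be recorded next to the command, e.g. `# --extract-over-symlinks restores pre-CVE-2015-1197 cpio behaviour: only unpack packages fetched from a trusted, verified mirror`. The new failure check prints raw `$?`, which is the wait status rather than the exit code, and cpio's stderr still goes to /dev/null, so the message says little; `system($cmd) == 0 or die "failed to extract $file: exit code " . ($? >> 8) . "\n";` would be clearer. `$name` is not assigned anywhere in the hunk, whereas `$file` is what the command unpacks, so confirm it is in scope. The enclosing loop and sub begin and end outside the hunk.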
diff -Nru rinse-3.0.7/debian/changelog rinse-3.0.8/debian/changelog
--- rinse-3.0.7/debian/changelog 2015-02-25 12:02:18.000000000 +0100
+++ rinse-3.0.8/debian/changelog 2015-04-13 15:21:53.000000000 +0200
@@ -1,9 +1,18 @@
+rinse (3.0.8) unstable; urgency=high
+
+ * add --extract-over-symlinks to cpio call, Closes: #768501
+ this restores the old behaviour of cpio, which changed because of
+ CVE-2015-1197 (see #774669)
+ * add check if cpio call failed
+
+ -- Thomas Lange <lange@debian.org> Mon, 13 Apr 2015 14:51:41 +0200
+
rinse (3.0.7) unstable; urgency=high
* control: change depends on perl-modules to perl, Closes: #779118,
update Vcs-git
- -- Thomas Lange <lange@debian.org> Wed, 25 Feb 2015 11:47:20 +0100
+ -- Thomas Lange <lange@debian.org> Mon, 13 Apr 2015 15:20:39 +0200
rinse (3.0.6) unstable; urgency=low
--
regards Thomas