
Bug#782520: marked as done (unblock: rinse/3.0.8)



Your message dated Tue, 14 Apr 2015 18:16:50 +0200
with message-id <552D3D72.1050809@thykier.net>
and subject line Re: Bug#782520: unblock: rinse/3.0.9
has caused the Debian Bug report #782520,
regarding unblock: rinse/3.0.8
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
782520: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782520
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package rinse 3.0.8. Debdiff is included.

The fix for #774669 (cpio CVE-2015-1197) breaks rinse 3.0.7. This was
fixed by adding the new option of cpio.



jessie[~]> debdiff rinse_3.0.7.dsc rinse_3.0.8.dsc

diff -Nru rinse-3.0.7/bin/rinse rinse-3.0.8/bin/rinse
--- rinse-3.0.7/bin/rinse       2014-07-25 13:22:30.000000000 +0200
+++ rinse-3.0.8/bin/rinse       2015-04-13 14:46:04.000000000 +0200
@@ -1147,13 +1147,13 @@
       #  Run the unpacking command.
       #
       my $cmd =
-        "rpm2cpio $file | (cd $CONFIG{'directory'} ; cpio --extract --make-directories --no-absolute-filenames --preserve-modification-time) 2>/dev/null >/dev/null";
+        "rpm2cpio $file | (cd $CONFIG{'directory'} ; cpio --extract --extract-over-symlinks --make-directories --no-absolute-filenames --preserve-modification-time) 2>/dev/null >/dev/null";
       if ( $file =~ /(fedora|centos|redhat|mandriva)-release-/ ) {
         my $rpmname = basename($file);
         $postcmd =
           "cp $file $CONFIG{'directory'}/tmp ; chroot $CONFIG{'directory'} rpm -ivh --force --nodeps /tmp/$rpmname ; rm $CONFIG{'directory'}/tmp/$rpmname";
       }
-      system($cmd );
+      system($cmd) == 0 or die "failed to extract $name: $?";
 
     }
     print "\r";
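Review bot: the new exit-status check only sees the status of the `( cd ... ; cpio ... )` subshell, so two failures still slip past it: if `cd $CONFIG{'directory'}` fails, the `;` lets cpio run anyway in the current working directory, and a failure of `rpm2cpio $file` on the left of the pipe is masked whenever cpio itself exits 0. Using `cd ... && cpio ...` (and checking rpm2cpio separately, or running the pipeline under a shell with pipefail) would make the `or die` meaningful. Two smaller points on the `die` line: the message interpolates `$name` while the surrounding code refers to the archive as `$file`, so confirm `$name` is in scope here, and `$?` is the raw wait status, so `$? >> 8` would report cpio's actual exit code; with both stdout and stderr sent to `/dev/null`, that number is the only diagnostic the user will get. Finally, `--extract-over-symlinks` deliberately reinstates the behaviour that the CVE-2015-1197 fix removed (writing through symlinked directories), so the safety of the chroot being built now rests on the RPMs being fetched from a trusted mirror rather than on cpio; a comment to that effect next to the flag would help the next maintainer.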
diff -Nru rinse-3.0.7/debian/changelog rinse-3.0.8/debian/changelog
--- rinse-3.0.7/debian/changelog        2015-02-25 12:02:18.000000000 +0100
+++ rinse-3.0.8/debian/changelog        2015-04-13 15:21:53.000000000 +0200
@@ -1,9 +1,18 @@
+rinse (3.0.8) unstable; urgency=high
+
+  * add --extract-over-symlinks to cpio call, Closes: #768501
+    this restores the old behaviour of cpio, which changed because of 
+    CVE-2015-1197 (see #774669)
+  * add check if cpio call failed
+
+ -- Thomas Lange <lange@debian.org>  Mon, 13 Apr 2015 14:51:41 +0200
+
 rinse (3.0.7) unstable; urgency=high
 
   * control: change depends on perl-modules to perl, Closes: #779118,
     update Vcs-git
 
- -- Thomas Lange <lange@debian.org>  Wed, 25 Feb 2015 11:47:20 +0100
+ -- Thomas Lange <lange@debian.org>  Mon, 13 Apr 2015 15:20:39 +0200
 
 rinse (3.0.6) unstable; urgency=low
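Review bot: the trailer of the already-released 3.0.7 entry is modified here (`Wed, 25 Feb 2015 11:47:20 +0100` becomes `Mon, 13 Apr 2015 15:20:39 +0200`), which is later than the 3.0.8 entry's own timestamp of 14:51:41; this looks like an accidental `dch` edit and the original 3.0.7 date should be restored (the follow-up 3.0.9 upload in the next message does exactly that). Two further points: the changelog documents the new `--extract-over-symlinks` flag, but the debdiff contains no `debian/control` change declaring a dependency on a cpio version that understands it, so on a system with an older cpio the command now fails where it used to work (again addressed in 3.0.9 per the next message); and the line `this restores the old behaviour of cpio, which changed because of ` carries trailing whitespace.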


-- 
regards Thomas

--- End Message ---
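To make the behaviour change behind this unblock request concrete, here is an added illustration that is not part of the bug report, of rinse, or of cpio. It is a simplified Python model (an assumption of this example) of what the hardened cpio refuses and what `--extract-over-symlinks` re-allows: a distro RPM commonly ships a directory, a compatibility symlink to it, and then files addressed through the symlink, which is why rinse broke after the CVE-2015-1197 fix. The archive layouts are constructed sample data, and the model also shows why the hardened default exists, by running a layout whose symlink points outside the extraction root.

```python
import os
import tempfile
from dataclasses import dataclass


@dataclass
class Entry:
    """One archive member in extraction order (constructed sample data)."""
    kind: str          # "dir", "file" or "symlink"
    path: str          # relative path inside the archive
    target: str = ""   # symlink target, only meaningful for kind == "symlink"


# Constructed layout mimicking a distro RPM: a directory, a compatibility
# symlink to it, and a file that is then addressed through the symlink.
SAMPLE_RPM_LAYOUT = [
    Entry("dir", "usr/lib64"),
    Entry("symlink", "lib64", "usr/lib64"),
    Entry("file", "lib64/libc.so.6"),
]

# Constructed layout of the kind the CVE-2015-1197 fix was meant to stop:
# a symlink leaving the extraction root, then a file written through it.
ESCAPING_LAYOUT = [
    Entry("symlink", "etc", "../../outside"),
    Entry("file", "etc/passwd"),
]


def _passes_through_symlink(root, rel_path):
    """True if an already-extracted parent component of rel_path is a symlink."""
    current = root
    for part in rel_path.split("/")[:-1]:
        current = os.path.join(current, part)
        if os.path.islink(current):
            return True
    return False


def extract(entries, root, over_symlinks=False):
    """Simplified model of cpio extraction (an assumption of this example).

    over_symlinks=False models the hardened default: an entry whose parent
    directory is a symlink is refused.  over_symlinks=True models
    --extract-over-symlinks, where such entries are written through the link.
    Returns (written, refused) lists of archive paths.
    """
    root = os.path.realpath(root)
    written, refused = [], []
    for e in entries:
        dest = os.path.join(root, e.path)
        if not over_symlinks and _passes_through_symlink(root, e.path):
            refused.append(e.path)
            continue
        # Safety net belonging to this simulator, not to cpio: never let the
        # demo write outside its scratch root, even in permissive mode.
        if not os.path.realpath(dest).startswith(root + os.sep):
            refused.append(e.path)
            continue
        if e.kind == "dir":
            os.makedirs(dest, exist_ok=True)
        elif e.kind == "symlink":
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            os.symlink(e.target, dest)
        else:
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with open(dest, "w") as fh:
                fh.write("sample content\n")
        written.append(e.path)
    return written, refused


def run_demo(entries, over_symlinks):
    """Extract into a scratch directory and report what was written, what was
    refused, and where each written entry physically landed (relative path)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        written, refused = extract(entries, root, over_symlinks)
        landed = {
            p: os.path.relpath(os.path.realpath(os.path.join(root, p)), root)
            for p in written
        }
    return {"written": written, "refused": refused, "landed": landed}


if __name__ == "__main__":
    for name, layout in (("rpm-like", SAMPLE_RPM_LAYOUT), ("escaping", ESCAPING_LAYOUT)):
        for mode in (False, True):
            r = run_demo(layout, over_symlinks=mode)
            print(f"{name:9s} over_symlinks={mode!s:5s} "
                  f"written={r['written']} refused={r['refused']}")
```

With the rpm-like layout, the hardened default refuses `lib64/libc.so.6` because its parent is a symlink, which is the failure rinse 3.0.7 hit; with the permissive flag the file is written and lands in `usr/lib64/`. The escaping layout is refused in both modes here only because of the simulator's own realpath guard; that guard is what the cpio fix adds and what the flag gives up, which is why the flag is only appropriate when the archives come from a trusted source.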
--- Begin Message ---
On 2015-04-14 10:57, Thomas Lange wrote:
> rinse 3.0.9 now adds the cpio dependency and fixes the wrong date in
> the changelog of 3.0.7. Here's the debdiff
> between the testing and unstable version.
> 
> [...]
> 

Unblocked, thanks.

~Niels

--- End Message ---