Your message dated Sat, 05 Sep 2015 14:31:07 +0100 with message-id <1441459867.2151.32.camel@adam-barratt.org.uk> and subject line Closing p-u bugs for 8.2 has caused the Debian Bug report #790939, regarding jessie-pu: package wesnoth-1.10/1:1.10.7-2+deb8u1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
790939: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790939
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package wesnoth-1.10/1:1.10.7-2+deb8u1
- From: Vincent Cheng <vcheng@debian.org>
- Date: Fri, 3 Jul 2015 01:30:50 -0700
- Message-id: <CACZd_tDQEXEZcE2h78HkN8CeLHLHn+HMKxzXa=SHS+nGUhGL5A@mail.gmail.com>
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal
X-Debbugs-CC: rhonda@debian.org

Hi,

I'd like to upload wesnoth-1.10/1:1.10.7-2+deb8u1 to jessie-pu to fix CVE-2015-5069 and CVE-2015-5070 (these CVEs are marked no-dsa in the security tracker and the security team has asked me to get these CVEs fixed via a point update instead). These CVEs have already been fixed in sid as of wesnoth-1.12/1:1.12.4-1.

Debdiff below, thanks!

Regards,
Vincent

diff -Nru wesnoth-1.10-1.10.7/debian/changelog wesnoth-1.10-1.10.7/debian/changelog --- wesnoth-1.10-1.10.7/debian/changelog 2015-04-09 03:12:42.000000000 -0700 +++ wesnoth-1.10-1.10.7/debian/changelog 2015-07-01 13:31:50.000000000 -0700 @@ -1,3 +1,10 @@ +wesnoth-1.10 (1:1.10.7-2+deb8u1) jessie; urgency=medium + + * Security fix: Disallowed inclusion of .pbl files from WML, independent of + extension case (CVE-2015-5069, CVE-2015-5070). + + -- Vincent Cheng <vcheng@debian.org> Wed, 01 Jul 2015 13:30:12 -0700 + wesnoth-1.10 (1:1.10.7-2) unstable; urgency=high * Pull af61f9fd from upstream to fix "Private file disclosure through diff -Nru wesnoth-1.10-1.10.7/debian/patches/CVE-2015-5069-CVE-2015-5070.patch wesnoth-1.10-1.10.7/debian/patches/CVE-2015-5069-CVE-2015-5070.patch --- wesnoth-1.10-1.10.7/debian/patches/CVE-2015-5069-CVE-2015-5070.patch 1969-12-31 16:00:00.000000000 -0800 +++ wesnoth-1.10-1.10.7/debian/patches/CVE-2015-5069-CVE-2015-5070.patch 2015-07-01 13:32:55.000000000 -0700 
@@ -0,0 +1,23 @@ +Description: Disallowed inclusion of .pbl files from WML, independent of + extension case (CVE-2015-5069, CVE-2015-5070). +Origin: upstream, commits 055fea16479a755d6744a52f78f63548b692c440 + and d20f8015bc3653a10d6d4dfd751e62651d1180b7 +Bug: https://gna.org/bugs/?23504 +Last-Update: 2015-07-01 + +diff --git a/src/filesystem.cpp b/src/filesystem.cpp +index 7b4bd95..510da80 100644 +--- a/src/filesystem.cpp ++++ b/src/filesystem.cpp +@@ -1157,6 +1157,11 @@ std::string get_wml_location(const std::string &filename, const std::string &cur + return result; + } + ++ if (looks_like_pbl(filename)) { ++ ERR_FS << "Illegal path '" << filename << "' (.pbl files are not allowed)." << std::endl; ++ return result; ++ } ++ + bool already_found = false; + + if (filename[0] == '~') diff -Nru wesnoth-1.10-1.10.7/debian/patches/series wesnoth-1.10-1.10.7/debian/patches/series --- wesnoth-1.10-1.10.7/debian/patches/series 2015-04-08 10:14:12.000000000 -0700 +++ wesnoth-1.10-1.10.7/debian/patches/series 2015-07-01 13:30:05.000000000 -0700 @@ -1,3 +1,4 @@ 02wesnoth-nolog-desktop-file 03wesnothd-name af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch +CVE-2015-5069-CVE-2015-5070.patch
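Review bot: the case-independence promised in the patch Description is not visible in the src/filesystem.cpp hunk. The new patch file is 23 lines long and its only code change is the added `if (looks_like_pbl(filename))` guard in get_wml_location(), although the Origin field cites two upstream commits. Nothing shown here touches looks_like_pbl() itself, so whether a mixed-case or upper-case extension is rejected depends entirely on how the helper already present in 1.10.7 compares the extension. Before upload, confirm that the helper normalises case before matching; if it does not, carry that part of the upstream change in this patch as well, otherwise the CVE-2015-5070 half of the changelog entry is not actually delivered. A build check is also worth doing, since the hunk assumes looks_like_pbl() is declared before line 1157 of filesystem.cpp in this source version.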
--- End Message ---
--- Begin Message ---
- To: 782381-done@bugs.debian.org, 785573-done@bugs.debian.org, 785780-done@bugs.debian.org, 787067-done@bugs.debian.org, 787299-done@bugs.debian.org, 787478-done@bugs.debian.org, 787635-done@bugs.debian.org, 787642-done@bugs.debian.org, 787692-done@bugs.debian.org, 787806-done@bugs.debian.org, 787867-done@bugs.debian.org, 787904-done@bugs.debian.org, 787952-done@bugs.debian.org, 788054-done@bugs.debian.org, 788110-done@bugs.debian.org, 788241-done@bugs.debian.org, 788283-done@bugs.debian.org, 788531-done@bugs.debian.org, 788608-done@bugs.debian.org, 788612-done@bugs.debian.org, 788615-done@bugs.debian.org, 788665-done@bugs.debian.org, 788928-done@bugs.debian.org, 788938-done@bugs.debian.org, 789189-done@bugs.debian.org, 789393-done@bugs.debian.org, 789724-done@bugs.debian.org, 789786-done@bugs.debian.org, 790060-done@bugs.debian.org, 790245-done@bugs.debian.org, 790833-done@bugs.debian.org, 790939-done@bugs.debian.org, 791792-done@bugs.debian.org, 792369-done@bugs.debian.org, 792452-done@bugs.debian.org, 793020-done@bugs.debian.org, 793163-done@bugs.debian.org, 793430-done@bugs.debian.org, 793470-done@bugs.debian.org, 793688-done@bugs.debian.org, 794003-done@bugs.debian.org, 794090-done@bugs.debian.org, 794407-done@bugs.debian.org, 795165-done@bugs.debian.org, 795271-done@bugs.debian.org, 795491-done@bugs.debian.org, 795706-done@bugs.debian.org, 795794-done@bugs.debian.org, 795911-done@bugs.debian.org, 795947-done@bugs.debian.org, 796088-done@bugs.debian.org, 796112-done@bugs.debian.org, 796379-done@bugs.debian.org, 796573-done@bugs.debian.org, 796595-done@bugs.debian.org, 796846-done@bugs.debian.org, 796975-done@bugs.debian.org, 797083-done@bugs.debian.org, 797179-done@bugs.debian.org, 797201-done@bugs.debian.org, 797209-done@bugs.debian.org, 797246-done@bugs.debian.org, 797304-done@bugs.debian.org, 797328-done@bugs.debian.org
- Subject: Closing p-u bugs for 8.2
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 05 Sep 2015 14:31:07 +0100
- Message-id: <1441459867.2151.32.camel@adam-barratt.org.uk>
Version: 8.2

Hi,

These bugs correspond to updates which were included in the 8.2 point release.

Regards,

Adam
--- End Message ---