
Bug#774836: unblock: libquvi/0.4.1-3



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libquvi. The version currently in testing has a
small security issue: it looks for Lua helper scripts below the
current path. This can lead to arbitrary code execution if a program
using libquvi is run in a directory such as /tmp.

unblock libquvi/0.4.1-3

Ansgar
diff -Nru libquvi-0.4.1/debian/changelog libquvi-0.4.1/debian/changelog
--- libquvi-0.4.1/debian/changelog	2014-05-27 10:25:54.000000000 +0200
+++ libquvi-0.4.1/debian/changelog	2015-01-04 12:53:58.000000000 +0100
@@ -1,3 +1,11 @@
+libquvi (0.4.1-3) unstable; urgency=medium
+
+  * Do not look for Lua helper scripts below current directory.
+    (Closes: #774555)
+    + new patch: lua-scripts-below-cwd.patch
+
+ -- Ansgar Burchardt <ansgar@debian.org>  Sun, 04 Jan 2015 12:52:34 +0100
+
 libquvi (0.4.1-2.1) unstable; urgency=medium
 
   * Non-maintainer upload.
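Review bot: the new changelog entry names the change but not its impact; since the cover letter describes this as a security issue (arbitrary code execution when a program using libquvi is run from a directory such as /tmp), say so in the entry, e.g. "Do not look for Lua helper scripts below current directory: a script planted there by another local user would be executed (Closes: #774555)", so that anyone scanning the changelog for security fixes finds it.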
diff -Nru libquvi-0.4.1/debian/patches/lua-scripts-below-cwd.patch libquvi-0.4.1/debian/patches/lua-scripts-below-cwd.patch
--- libquvi-0.4.1/debian/patches/lua-scripts-below-cwd.patch	1970-01-01 01:00:00.000000000 +0100
+++ libquvi-0.4.1/debian/patches/lua-scripts-below-cwd.patch	2015-01-04 12:45:22.000000000 +0100
@@ -0,0 +1,23 @@
+From: Ansgar Burchardt <ansgar@debian.org>
+Subject: Do not look for Lua helper scripts below current directory
+Date: Sun, 04 Jan 2015 12:39:12 +0100
+
+Bug-Debian: https://bugs.debian.org/774555
+--- a/src/libquvi/lua_wrap.c
++++ b/src/libquvi/lua_wrap.c
+@@ -367,15 +367,6 @@
+       return (QUVI_OK);
+     }
+ 
+-  /* Current working directory */
+-  buf = getcwd(NULL,0);
+-  if (!buf)
+-    return(QUVI_MEM);
+-
+-  asprintf(&path, "%s/%s", buf, spath);
+-  _free(buf);
+-  _scan;
+-
+   /* Home directory */
+   homedir = getenv("HOME");
+   if (homedir)
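Review bot: the removed block is the only visible use of `buf` (`buf = getcwd(NULL,0);` ... `_free(buf);`), and its declaration sits outside the hunk; if nothing else in the function uses it, the variable is now unused and should be dropped in the same patch to avoid a compiler warning. The DEP-3 header also carries Bug-Debian but no Forwarded: field; since the cwd lookup is upstream behaviour rather than Debian-specific, record whether the fix has been sent upstream.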
diff -Nru libquvi-0.4.1/debian/patches/series libquvi-0.4.1/debian/patches/series
--- libquvi-0.4.1/debian/patches/series	2014-05-22 15:44:47.000000000 +0200
+++ libquvi-0.4.1/debian/patches/series	2015-01-04 12:45:22.000000000 +0100
@@ -1,2 +1,3 @@
 configure.ac-add-missing-AM-macros.patch
 lua52.patch
+lua-scripts-below-cwd.patch

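Added example, not part of Ansgar's message or of libquvi's code: a C helper-script lookup that never consults the working directory and, in addition, refuses to load from any directory or file that is group- or world-writable or owned by someone other than root or the current user. That is the property a `/tmp/<script>` lookup like the one removed above lacks: any local user can drop a script there and have it run. The Debian patch simply deletes the cwd entry; the ownership and permission checks here are an extra defence layered on top, not something the patch does. The directory and script names (`/usr/share/example-helpers`, `youtube.lua`, `demo.lua`) are hypothetical, and `demo_world_writable_rejected()` builds its own constructed directory under /tmp to show the rejection.

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* A bare file name only: no absolute paths, no subdirectories, no "..". */
int helper_name_is_safe(const char *name) {
    if (!name || !*name || name[0] == '/') return 0;
    if (strchr(name, '/')) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    return 1;
}

/* Trusted = a directory owned by root or by us, not group/world-writable.
 * /tmp (root, mode 01777) fails this; a private $HOME passes. */
static int trusted_dir(const char *dir) {
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    if (st.st_uid != 0 && st.st_uid != geteuid()) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Search `dirs` in order for a regular, non-writable-by-others file `name`.
 * The caller decides the list; the current directory is never added here.
 * Returns 0 and fills `out` on success, -1 otherwise. */
int find_helper_script(const char *name, const char *const *dirs, size_t ndirs,
                       char *out, size_t outlen) {
    if (!helper_name_is_safe(name)) return -1;
    for (size_t i = 0; i < ndirs; i++) {
        struct stat st;
        if (!dirs[i] || !trusted_dir(dirs[i])) continue;
        int n = snprintf(out, outlen, "%s/%s", dirs[i], name);
        if (n < 0 || (size_t)n >= outlen) continue;
        if (stat(out, &st) == 0 && S_ISREG(st.st_mode)
            && !(st.st_mode & (S_IWGRP | S_IWOTH)))
            return 0;
    }
    if (outlen) out[0] = '\0';
    return -1;
}

/* Constructed demonstration: the same script is refused while its directory
 * is world-writable like /tmp, and accepted once the directory is private.
 * Returns 1 when both outcomes are as expected. */
int demo_world_writable_rejected(void) {
    char tmpl[] = "/tmp/helper-demo-XXXXXX";   /* hypothetical location */
    char file[PATH_MAX], found[PATH_MAX];
    char *dir = mkdtemp(tmpl);
    if (!dir) return 0;
    snprintf(file, sizeof file, "%s/demo.lua", dir);
    FILE *f = fopen(file, "w");
    if (!f) { rmdir(dir); return 0; }
    fputs("-- constructed helper script\n", f);
    fclose(f);
    chmod(file, 0644);                          /* independent of umask */
    const char *dirs[] = { dir };
    int ok = 1;
    if (chmod(dir, 01777) != 0) ok = 0;         /* look like /tmp */
    if (find_helper_script("demo.lua", dirs, 1, found, sizeof found) != -1) ok = 0;
    if (chmod(dir, 0700) != 0) ok = 0;          /* private directory */
    if (find_helper_script("demo.lua", dirs, 1, found, sizeof found) != 0) ok = 0;
    unlink(file);
    rmdir(dir);
    return ok;
}

int main(void) {
    /* Hypothetical search list: a packaged directory, then $HOME.
     * The working directory is deliberately not on it. */
    const char *dirs[] = { "/usr/share/example-helpers", getenv("HOME") };
    char path[PATH_MAX];
    if (find_helper_script("youtube.lua", dirs, 2, path, sizeof path) == 0)
        printf("found %s\n", path);
    else
        printf("no trusted copy of youtube.lua found\n");
    printf("world-writable directory rejected: %s\n",
           demo_world_writable_rejected() ? "yes" : "no");
    return 0;
}
```

The directory check deliberately tests the resolved target (`stat`, not `lstat`) so a root-owned symlink such as a packaging alias still works, while the file check rejects anything writable by other users even inside a trusted directory.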