Bug#774836: marked as done (unblock: libquvi/0.4.1-3)



Your message dated Thu, 08 Jan 2015 21:24:44 +0100
with message-id <54AEE78C.8020000@thykier.net>
and subject line Re: Bug#774836: unblock: libquvi/0.4.1-3
has caused the Debian Bug report #774836,
regarding unblock: libquvi/0.4.1-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
774836: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774836
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libquvi. The version currently in testing has a
small security issue: it looks for Lua helper scripts below the
current path. This can lead to arbitrary code execution if a program
using libquvi is run in a directory such as /tmp.

unblock libquvi/0.4.1-3

Ansgar
diff -Nru libquvi-0.4.1/debian/changelog libquvi-0.4.1/debian/changelog
--- libquvi-0.4.1/debian/changelog	2014-05-27 10:25:54.000000000 +0200
+++ libquvi-0.4.1/debian/changelog	2015-01-04 12:53:58.000000000 +0100
@@ -1,3 +1,11 @@
+libquvi (0.4.1-3) unstable; urgency=medium
+
+  * Do not look for Lua helper scripts below current directory.
+    (Closes: #774555)
+    + new patch: lua-scripts-below-cwd.patch
+
+ -- Ansgar Burchardt <ansgar@debian.org>  Sun, 04 Jan 2015 12:52:34 +0100
+
 libquvi (0.4.1-2.1) unstable; urgency=medium
 
   * Non-maintainer upload.
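Review bot: the changelog entry describes the change but does not say it is a security fix, although the unblock request above calls it one; readers of the changelog (and tools that scan it) will not see the distinction. Consider wording the entry as `  * Do not look for Lua helper scripts below the current directory,` followed by `    which allowed code execution from an untrusted cwd. (Closes: #774555)` so the severity is visible where the package is inspected.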
diff -Nru libquvi-0.4.1/debian/patches/lua-scripts-below-cwd.patch libquvi-0.4.1/debian/patches/lua-scripts-below-cwd.patch
--- libquvi-0.4.1/debian/patches/lua-scripts-below-cwd.patch	1970-01-01 01:00:00.000000000 +0100
+++ libquvi-0.4.1/debian/patches/lua-scripts-below-cwd.patch	2015-01-04 12:45:22.000000000 +0100
@@ -0,0 +1,23 @@
+From: Ansgar Burchardt <ansgar@debian.org>
+Subject: Do not look for Lua helper scripts below current directory
+Date: Sun, 04 Jan 2015 12:39:12 +0100
+
+Bug-Debian: https://bugs.debian.org/774555
+--- a/src/libquvi/lua_wrap.c
++++ b/src/libquvi/lua_wrap.c
+@@ -367,15 +367,6 @@
+       return (QUVI_OK);
+     }
+ 
+-  /* Current working directory */
+-  buf = getcwd(NULL,0);
+-  if (!buf)
+-    return(QUVI_MEM);
+-
+-  asprintf(&path, "%s/%s", buf, spath);
+-  _free(buf);
+-  _scan;
+-
+   /* Home directory */
+   homedir = getenv("HOME");
+   if (homedir)
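Review bot: the removed block is the only assignment to `buf` inside this hunk; check that the declaration of `buf` in `lua_wrap.c` is dropped as well (or still has another user), otherwise the build will warn about an unused variable. The DEP-3 header carries `From:`, `Subject:`, `Date:` and `Bug-Debian:` but no `Forwarded:` field; since other distributions ship the same `src/libquvi/lua_wrap.c`, record whether upstream has been told about this fix. The `getenv("HOME")` lookup that remains is only as trustworthy as the process environment, so callers that run with privileges should sanitize `HOME` before using the library.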
diff -Nru libquvi-0.4.1/debian/patches/series libquvi-0.4.1/debian/patches/series
--- libquvi-0.4.1/debian/patches/series	2014-05-22 15:44:47.000000000 +0200
+++ libquvi-0.4.1/debian/patches/series	2015-01-04 12:45:22.000000000 +0100
@@ -1,2 +1,3 @@
 configure.ac-add-missing-AM-macros.patch
 lua52.patch
+lua-scripts-below-cwd.patch

--- End Message ---
--- Begin Message ---
On 2015-01-08 10:50, Ansgar Burchardt wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package libquvi. The version currently in testing has a
> small security issue: it looks for Lua helper scripts below the
> current path. This can lead to arbitrary code execution if a program
> using libquvi is run in a directory such as /tmp.
> 
> unblock libquvi/0.4.1-3
> 
> Ansgar
> 

Unblocked, thanks.

~Niels

--- End Message ---