Your message dated Sat, 23 Jan 2016 13:57:15 +0000 with message-id <1453557435.1835.52.camel@adam-barratt.org.uk> and subject line 8.3 point release cleanup has caused the Debian Bug report #806338, regarding jessie-pu: package libiptables-parse-perl/1.1-1+deb8u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 806338: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806338 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package libiptables-parse-perl/1.1-1+deb8u1
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Thu, 26 Nov 2015 18:12:10 +0100
- Message-id: <144855793069.18378.9099383151380291475.reportbug@lorien.valinor.li>
Package: release.debian.org Severity: normal Tags: jessie User: release.debian.org@packages.debian.org Usertags: pu Hi libiptables-parse-perl uses temporary files in an unsafe way, this was assigned CVE-2015-8326 and already fixed in unstable with the 1.6-1 upload. Attached is a debdiff to fix this issue for jessie. Can you consider accepting it for the next jessie point release? Regards, Salvatore -- System Information: Debian Release: stretch/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init)diff -Nru libiptables-parse-perl-1.1/debian/changelog libiptables-parse-perl-1.1/debian/changelog --- libiptables-parse-perl-1.1/debian/changelog 2012-03-05 21:36:00.000000000 +0100 +++ libiptables-parse-perl-1.1/debian/changelog 2015-11-26 17:40:19.000000000 +0100 @@ -1,3 +1,11 @@ +libiptables-parse-perl (1.1-1+deb8u1) jessie; urgency=medium + + * Team upload. + * Add CVE-2015-8326.patch patch. + CVE-2015-8326: Use of predictable names for temporary files. + + -- Salvatore Bonaccorso <carnil@debian.org> Thu, 26 Nov 2015 17:39:36 +0100 + libiptables-parse-perl (1.1-1) unstable; urgency=low * Imported Upstream version 1.1 diff -Nru libiptables-parse-perl-1.1/debian/patches/CVE-2015-8326.patch libiptables-parse-perl-1.1/debian/patches/CVE-2015-8326.patch --- libiptables-parse-perl-1.1/debian/patches/CVE-2015-8326.patch 1970-01-01 01:00:00.000000000 +0100 +++ libiptables-parse-perl-1.1/debian/patches/CVE-2015-8326.patch 2015-11-26 17:40:19.000000000 +0100 @@ -0,0 +1,46 @@ +Description: Don't use predictable names for temporary files + This allows an attacker on a multi-user system to set up symlinks to + overwrite any file the current user has write access to. + . + Don't recommend users of this module to use predictable names either. +Origin: backport, https://github.com/mtrmac/IPTables-Parse/commit/b400b976d81140f6971132e94eb7657b5b0a2b87 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1267962 +Forwarded: not-needed +Author: Salvatore Bonaccorso <carnil@debian.org> +Last-Update: 2015-11-26 +Applied-Upstream: 1.6 + +--- + lib/IPTables/Parse.pm | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/lib/IPTables/Parse.pm ++++ b/lib/IPTables/Parse.pm +@@ -17,6 +17,7 @@ package IPTables::Parse; + use 5.006; + use POSIX ":sys_wait_h"; + use Carp; ++use File::Temp; + use strict; + use warnings; + use vars qw($VERSION); +@@ -29,8 +30,8 @@ sub new() { + + my $self = { + _iptables => $args{'iptables'} || $args{'ip6tables'} || '/sbin/iptables', +- _iptout => $args{'iptout'} || '/tmp/ipt.out', +- _ipterr => $args{'ipterr'} || '/tmp/ipt.err', ++ _iptout => $args{'iptout'} || mktemp('/tmp/ipt.out.XXXXXX'), ++ _ipterr => $args{'ipterr'} || mktemp('/tmp/ipt.err.XXXXXX'), + _ipt_alarm => $args{'ipt_alarm'} || 30, + _debug => $args{'debug'} || 0, + _verbose => $args{'verbose'} || 0, +@@ -701,8 +702,6 @@ IPTables::Parse - Perl extension for par + + my %opts = ( + 'iptables' => $ipt_bin, +- 'iptout' => '/tmp/iptables.out', +- 'ipterr' => '/tmp/iptables.err', + 'debug' => 0, + 'verbose' => 0 + ); diff -Nru libiptables-parse-perl-1.1/debian/patches/series libiptables-parse-perl-1.1/debian/patches/series --- libiptables-parse-perl-1.1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ libiptables-parse-perl-1.1/debian/patches/series 2015-11-26 17:40:19.000000000 +0100 @@ -0,0 +1 @@ +CVE-2015-8326.patch
--- End Message ---
--- Begin Message ---
- To: 783355-done@bugs.debian.org, 784944-done@bugs.debian.org, 787021-done@bugs.debian.org, 787423-done@bugs.debian.org, 791403-done@bugs.debian.org, 792468-done@bugs.debian.org, 792806-done@bugs.debian.org, 793556-done@bugs.debian.org, 794940-done@bugs.debian.org, 796281-done@bugs.debian.org, 797170-done@bugs.debian.org, 797710-done@bugs.debian.org, 798028-done@bugs.debian.org, 798584-done@bugs.debian.org, 798749-done@bugs.debian.org, 798889-done@bugs.debian.org, 798890-done@bugs.debian.org, 798891-done@bugs.debian.org, 798892-done@bugs.debian.org, 798893-done@bugs.debian.org, 798895-done@bugs.debian.org, 799033-done@bugs.debian.org, 799070-done@bugs.debian.org, 799229-done@bugs.debian.org, 799230-done@bugs.debian.org, 799369-done@bugs.debian.org, 799477-done@bugs.debian.org, 799758-done@bugs.debian.org, 799777-done@bugs.debian.org, 800006-done@bugs.debian.org, 800664-done@bugs.debian.org, 800793-done@bugs.debian.org, 800881-done@bugs.debian.org, 801095-done@bugs.debian.org, 801098-done@bugs.debian.org, 801100-done@bugs.debian.org, 801304-done@bugs.debian.org, 801318-done@bugs.debian.org, 801441-done@bugs.debian.org, 801580-done@bugs.debian.org, 801743-done@bugs.debian.org, 801851-done@bugs.debian.org, 801892-done@bugs.debian.org, 802851-done@bugs.debian.org, 802879-done@bugs.debian.org, 802900-done@bugs.debian.org, 802942-done@bugs.debian.org, 803362-done@bugs.debian.org, 803467-done@bugs.debian.org, 803490-done@bugs.debian.org, 803569-done@bugs.debian.org, 803678-done@bugs.debian.org, 803730-done@bugs.debian.org, 804157-done@bugs.debian.org, 804172-done@bugs.debian.org, 804208-done@bugs.debian.org, 804381-done@bugs.debian.org, 804383-done@bugs.debian.org, 804734-done@bugs.debian.org, 804885-done@bugs.debian.org, 805024-done@bugs.debian.org, 805127-done@bugs.debian.org, 805190-done@bugs.debian.org, 805214-done@bugs.debian.org, 805260-done@bugs.debian.org, 805293-done@bugs.debian.org, 805383-done@bugs.debian.org, 805634-done@bugs.debian.org, 805721-done@bugs.debian.org, 805894-done@bugs.debian.org, 806129-done@bugs.debian.org, 806165-done@bugs.debian.org, 806247-done@bugs.debian.org, 806252-done@bugs.debian.org, 806338-done@bugs.debian.org, 806529-done@bugs.debian.org, 806640-done@bugs.debian.org, 807129-done@bugs.debian.org, 807140-done@bugs.debian.org, 807142-done@bugs.debian.org, 807273-done@bugs.debian.org, 807280-done@bugs.debian.org, 807467-done@bugs.debian.org, 807489-done@bugs.debian.org, 807515-done@bugs.debian.org, 807576-done@bugs.debian.org, 807612-done@bugs.debian.org, 807828-done@bugs.debian.org, 807917-done@bugs.debian.org, 808559-done@bugs.debian.org, 808890-done@bugs.debian.org, 809200-done@bugs.debian.org, 809255-done@bugs.debian.org, 809258-done@bugs.debian.org, 809307-done@bugs.debian.org, 809534-done@bugs.debian.org, 809561-done@bugs.debian.org, 809688-done@bugs.debian.org, 809757-done@bugs.debian.org, 809824-done@bugs.debian.org, 810004-done@bugs.debian.org, 810111-done@bugs.debian.org, 810130-done@bugs.debian.org, 810542-done@bugs.debian.org, 810760-done@bugs.debian.org, 810887-done@bugs.debian.org, 811132-done@bugs.debian.org, 811320-done@bugs.debian.org, 792779-done@bugs.debian.org
- Subject: 8.3 point release cleanup
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 23 Jan 2016 13:57:15 +0000
- Message-id: <1453557435.1835.52.camel@adam-barratt.org.uk>
Version: 8.3 Hi, The updates referred to in these bugs were included in today's 8.3 Jessie point release. Regards, Adam
--- End Message ---