--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: wheezy-pu: package libiptables-parse-perl/1.1-1+deb7u1
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Thu, 26 Nov 2015 18:13:33 +0100
- Message-id: <144855801363.19173.17723857817415908922.reportbug@lorien.valinor.li>
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu
Hi
libiptables-parse-perl uses temporary files in an unsafe way, this was
assigned CVE-2015-8326 and already fixed in unstable with the 1.6-1
upload.
Attached is a debdiff to fix this issue for wheezy. Can you consider
accepting it for the next wheezy point release?
Regards,
Salvatore
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
diff -Nru libiptables-parse-perl-1.1/debian/changelog libiptables-parse-perl-1.1/debian/changelog
--- libiptables-parse-perl-1.1/debian/changelog 2012-03-05 21:36:00.000000000 +0100
+++ libiptables-parse-perl-1.1/debian/changelog 2015-11-26 18:05:24.000000000 +0100
@@ -1,3 +1,11 @@
+libiptables-parse-perl (1.1-1+deb7u1) wheezy; urgency=medium
+
+ * Team upload.
+ * Add CVE-2015-8326.patch patch.
+ CVE-2015-8326: Use of predictable names for temporary files.
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Thu, 26 Nov 2015 18:04:51 +0100
+
libiptables-parse-perl (1.1-1) unstable; urgency=low
* Imported Upstream version 1.1
diff -Nru libiptables-parse-perl-1.1/debian/patches/CVE-2015-8326.patch libiptables-parse-perl-1.1/debian/patches/CVE-2015-8326.patch
--- libiptables-parse-perl-1.1/debian/patches/CVE-2015-8326.patch 1970-01-01 01:00:00.000000000 +0100
+++ libiptables-parse-perl-1.1/debian/patches/CVE-2015-8326.patch 2015-11-26 18:05:24.000000000 +0100
@@ -0,0 +1,46 @@
+Description: Don't use predictable names for temporary files
+ This allows an attacker on a multi-user system to set up symlinks to
+ overwrite any file the current user has write access to.
+ .
+ Don't recommend users of this module to use predictable names either.
+Origin: backport, https://github.com/mtrmac/IPTables-Parse/commit/b400b976d81140f6971132e94eb7657b5b0a2b87
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1267962
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2015-11-26
+Applied-Upstream: 1.6
+
+---
+ lib/IPTables/Parse.pm | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/lib/IPTables/Parse.pm
++++ b/lib/IPTables/Parse.pm
+@@ -17,6 +17,7 @@ package IPTables::Parse;
+ use 5.006;
+ use POSIX ":sys_wait_h";
+ use Carp;
++use File::Temp;
+ use strict;
+ use warnings;
+ use vars qw($VERSION);
+@@ -29,8 +30,8 @@ sub new() {
+
+ my $self = {
+ _iptables => $args{'iptables'} || $args{'ip6tables'} || '/sbin/iptables',
+- _iptout => $args{'iptout'} || '/tmp/ipt.out',
+- _ipterr => $args{'ipterr'} || '/tmp/ipt.err',
++ _iptout => $args{'iptout'} || mktemp('/tmp/ipt.out.XXXXXX'),
++ _ipterr => $args{'ipterr'} || mktemp('/tmp/ipt.err.XXXXXX'),
+ _ipt_alarm => $args{'ipt_alarm'} || 30,
+ _debug => $args{'debug'} || 0,
+ _verbose => $args{'verbose'} || 0,
+@@ -701,8 +702,6 @@ IPTables::Parse - Perl extension for par
+
+ my %opts = (
+ 'iptables' => $ipt_bin,
+- 'iptout' => '/tmp/iptables.out',
+- 'ipterr' => '/tmp/iptables.err',
+ 'debug' => 0,
+ 'verbose' => 0
+ );
diff -Nru libiptables-parse-perl-1.1/debian/patches/series libiptables-parse-perl-1.1/debian/patches/series
--- libiptables-parse-perl-1.1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libiptables-parse-perl-1.1/debian/patches/series 2015-11-26 18:05:24.000000000 +0100
@@ -0,0 +1 @@
+CVE-2015-8326.patch
--- End Message ---