
Bug#832171: jessie-pu: package dietlibc/0.33~cvs20120325-6

Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal

Dear release team,

the security issue in dietlibc (see also #832123 for binNMUs in sid)
was deemed no-DSA by the security team, so I would like to schedule an
update via the next point release.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832169
https://security-tracker.debian.org/tracker/TEMP-0832169-0F9220

Source debdiff is attached.

Since dietlibc is a static library, after the upload, there will need
to be binNMUs in stable for the following three packages:

nmu minit_0.10-5 . ALL . jessie . -m "Security: rebuild against fixed dietlibc"
nmu mksh_50d-5 . ALL . jessie . -m "Security: rebuild against fixed dietlibc"
nmu util-vserver_0.30.216-pre3054-1 . ALL . jessie . -m "Security: rebuild against fixed dietlibc"

Also, I don't know the syntax for that, but could you make sure that
the binNMU for minit gets at least +b2? The version of minit is the
same in Wheezy and Jessie, and the Wheezy LTS team will also schedule
a binNMU for minit.

Thank you!

Regards,
Christian

diff -Nru dietlibc-0.33~cvs20120325/debian/changelog dietlibc-0.33~cvs20120325/debian/changelog
--- dietlibc-0.33~cvs20120325/debian/changelog	2014-02-11 21:48:24.000000000 +0100
+++ dietlibc-0.33~cvs20120325/debian/changelog	2016-07-23 10:49:25.000000000 +0200
@@ -1,3 +1,10 @@
+dietlibc (0.33~cvs20120325-6+deb8u1) jessie; urgency=high
+
+  * Security: fix insecure default PATH. (Closes: #832169)
+    Thanks to Thorsten Glaser <t.glaser@tarent.de> for discovering this
+
+ -- Christian Seiler <christian@iwakd.de>  Sat, 23 Jul 2016 10:41:00 +0200
+
 dietlibc (0.33~cvs20120325-6) unstable; urgency=low
 
   * Team upload.
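Review bot: The line `+    Thanks to Thorsten Glaser <t.glaser@tarent.de> for discovering this` is missing its terminating period. Since dietlibc is a static library and the fix only reaches users once minit, mksh and util-vserver are rebuilt (as the cover mail states), consider noting that rebuild requirement in the changelog entry as well, so that anyone reading the stable changelog knows the fix is not complete by itself.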
diff -Nru dietlibc-0.33~cvs20120325/debian/patches/0100-security-insecure-default-PATH.diff dietlibc-0.33~cvs20120325/debian/patches/0100-security-insecure-default-PATH.diff
--- dietlibc-0.33~cvs20120325/debian/patches/0100-security-insecure-default-PATH.diff	1970-01-01 01:00:00.000000000 +0100
+++ dietlibc-0.33~cvs20120325/debian/patches/0100-security-insecure-default-PATH.diff	2016-07-23 10:49:25.000000000 +0200
@@ -0,0 +1,20 @@
+Description: Fix insecure default PATH
+ Throsten Glaser <t.glaser@tarent.de> discovered that the default PATH
+ (absent the environment variable) contains the local directory.
+Author: Christian Seiler <christian@iwakd.de>
+Bug: http://news.gmane.org/find-root.php?message_id=alpine.DEB.2.20.1607181048300.24083%40tglase.lan.tarent.de
+Bug-Debian: https://bugs.debian.org/832169
+Last-Update: 2016-07-23
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/include/paths.h
++++ b/include/paths.h
+@@ -2,7 +2,7 @@
+ #define _PATHS_H
+ 
+ #define _PATH_BSHELL "/bin/sh"
+-#define _PATH_DEFPATH "/bin:/usr/bin:"
++#define _PATH_DEFPATH "/bin:/usr/bin"
+ 
+ #define _PATH_DEVNULL "/dev/null"
+ 
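Review bot: The DEP-3 header spells the reporter's name `Throsten Glaser` while the changelog has `Thorsten Glaser`; the header should use the same spelling. The Description could also state the mechanism explicitly rather than just "contains the local directory": the trailing `:` in `"/bin:/usr/bin:"` is an empty PATH element, which execvp-style lookup treats as the current working directory, so any program that falls back to `_PATH_DEFPATH` because PATH is unset would search the cwd last. Dropping the colon, as the hunk does, is the right fix; it would be worth adding one sentence saying that only the no-PATH-in-environment case is affected, so reviewers can judge the exposure of the three rebuilt packages.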
diff -Nru dietlibc-0.33~cvs20120325/debian/patches/series dietlibc-0.33~cvs20120325/debian/patches/series
--- dietlibc-0.33~cvs20120325/debian/patches/series	2014-02-11 21:41:35.000000000 +0100
+++ dietlibc-0.33~cvs20120325/debian/patches/series	2016-07-23 10:49:25.000000000 +0200
@@ -28,3 +28,4 @@
 0035-Use-syscall-_newselect-instead-of-select-on-ppc64.diff
 0036-fix-jmp_buf-size-on-armhf.diff
 0037-support-powerpcspe.diff
+0100-security-insecure-default-PATH.diff
