--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: jessie-pu: package automake-1.14/1.14.1-4+deb8u1
- From: Petter Reinholdtsen <pere@hungry.com>
- Date: Wed, 15 Jun 2016 11:12:05 +0200
- Message-id: <2fla8imyfx6.fsf@diskless.uio.no>
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
On my Debian Jessie machine, I would like to fix a security problem with
automake-1.14 that show up the debsecan report, see
<URL: https://security-tracker.debian.org/tracker/source-package/automake-1.14 >.
The issue never got a CVE (no reply to the request), so I point to the
source package entry instead of the some times changing TEMP reference.
The issue is fixed in automake-1.15, but not in automake-1.14 that is in
stable but removed from unstable.
The issue is unsafe use of /tmp/. The patch is similar to the code in
version 1.15.
OK to upload?
--
Happy hacking
Petter Reinholdtsen
diff -Nru automake-1.14-1.14.1/debian/changelog automake-1.14-1.14.1/debian/changelog
--- automake-1.14-1.14.1/debian/changelog 2014-10-27 02:52:07.000000000 +0000
+++ automake-1.14-1.14.1/debian/changelog 2016-06-15 08:56:21.000000000 +0000
@@ -1,3 +1,11 @@
+automake-1.14 (1:1.14.1-4+deb8u1) unstable; urgency=medium
+
+ * Non-maintainer upload to fix security issue.
+ * Avoid insecure use of /tmp/ in install-sh (Closes: #827347).
+ Based on patch from RedHat and Pavel Raiskup.
+
+ -- Petter Reinholdtsen <pere@debian.org> Wed, 15 Jun 2016 10:56:14 +0200
+
automake-1.14 (1:1.14.1-4) unstable; urgency=medium
* debian/patches/03-ensure-ac_aux_dir-set.diff: Add patch to ensure
diff -Nru automake-1.14-1.14.1/debian/patches/CVE-bug-827347.diff automake-1.14-1.14.1/debian/patches/CVE-bug-827347.diff
--- automake-1.14-1.14.1/debian/patches/CVE-bug-827347.diff 1970-01-01 00:00:00.000000000 +0000
+++ automake-1.14-1.14.1/debian/patches/CVE-bug-827347.diff 2016-06-15 08:55:04.000000000 +0000
@@ -0,0 +1,60 @@
+Fix security problem. The patch is based on fix found in
+ <URL: https://bugzilla.redhat.com/show_bug.cgi?id=1140725 > and
+ verified to be identical to the code in automake 1.15.
+From: Petter Reinholdtsen <pere@hungry.com>
+Last-Update: 2016-06-15
+Debian-Bug: https://bugs.debian.org/827347
+
+Index: automake-1.14-1.14.1/lib/install-sh
+===================================================================
+--- automake-1.14-1.14.1.orig/lib/install-sh 2016-06-15 10:44:49.000000000 +0200
++++ automake-1.14-1.14.1/lib/install-sh 2016-06-15 10:48:18.924178517 +0200
+@@ -345,34 +345,41 @@
+ # is incompatible with FreeBSD 'install' when (umask & 300) != 0.
+ ;;
+ *)
++ # $RANDOM is not portable (e.g. dash); use it when possible to
++ # lower collision chance
+ tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
+- trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
++ trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0
+
++ # As "mkdir -p" follows symlinks and we work in /tmp possibly; so
++ # create the $tmpdir first (and fail if unsuccessful) to make sure
++ # that nobody tries to guess the $tmpdir name.
+ if (umask $mkdir_umask &&
+- exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
++ $mkdirprog $mkdir_mode "$tmpdir" &&
++ exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1
+ then
+ if test -z "$dir_arg" || {
+ # Check for POSIX incompatibilities with -m.
+ # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
+ # other-writable bit of parent directory when it shouldn't.
+ # FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
+- ls_ld_tmpdir=`ls -ld "$tmpdir"`
++ test_tmpdir="$tmpdir/a"
++ ls_ld_tmpdir=`ls -ld "$test_tmpdir"`
+ case $ls_ld_tmpdir in
+ d????-?r-*) different_mode=700;;
+ d????-?--*) different_mode=755;;
+ *) false;;
+ esac &&
+- $mkdirprog -m$different_mode -p -- "$tmpdir" && {
+- ls_ld_tmpdir_1=`ls -ld "$tmpdir"`
++ $mkdirprog -m$different_mode -p -- "$test_tmpdir" && {
++ ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"`
+ test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
+ }
+ }
+ then posix_mkdir=:
+ fi
+- rmdir "$tmpdir/d" "$tmpdir"
++ rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir"
+ else
+ # Remove any dirs left behind by ancient mkdir implementations.
+- rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null
++ rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null
+ fi
+ trap '' 0;;
+ esac;;
diff -Nru automake-1.14-1.14.1/debian/patches/series automake-1.14-1.14.1/debian/patches/series
--- automake-1.14-1.14.1/debian/patches/series 2014-10-27 02:52:07.000000000 +0000
+++ automake-1.14-1.14.1/debian/patches/series 2016-06-15 08:51:33.000000000 +0000
@@ -1,3 +1,4 @@
01-texi-rename.diff
02-init-m4-newline.diff
03-ensure-ac_aux_dir-set.diff
+CVE-bug-827347.diff
--- End Message ---