
Bug#827352: marked as done (jessie-pu: package automake-1.14/1.14.1-4+deb8u1)



Your message dated Sat, 17 Sep 2016 13:08:06 +0100
with message-id <1474114086.2011.126.camel@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 8.6
has caused the Debian Bug report #827352,
regarding jessie-pu: package automake-1.14/1.14.1-4+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
827352: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827352
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

On my Debian Jessie machine, I would like to fix a security problem with
automake-1.14 that shows up in the debsecan report, see
<URL: https://security-tracker.debian.org/tracker/source-package/automake-1.14 >.
The issue never got a CVE (no reply to the request), so I point to the
source package entry instead of the sometimes-changing TEMP reference.

The issue is fixed in automake-1.15, but not in automake-1.14 that is in
stable but removed from unstable.

The issue is unsafe use of /tmp/.  The patch is similar to the code in
version 1.15.

OK to upload?

-- 
Happy hacking
Petter Reinholdtsen
diff -Nru automake-1.14-1.14.1/debian/changelog automake-1.14-1.14.1/debian/changelog
--- automake-1.14-1.14.1/debian/changelog	2014-10-27 02:52:07.000000000 +0000
+++ automake-1.14-1.14.1/debian/changelog	2016-06-15 08:56:21.000000000 +0000
@@ -1,3 +1,11 @@
+automake-1.14 (1:1.14.1-4+deb8u1) unstable; urgency=medium
+
+  * Non-maintainer upload to fix security issue.
+  * Avoid insecure use of /tmp/ in install-sh (Closes: #827347).
+    Based on patch from RedHat and Pavel Raiskup.
+
+ -- Petter Reinholdtsen <pere@debian.org>  Wed, 15 Jun 2016 10:56:14 +0200
+
 automake-1.14 (1:1.14.1-4) unstable; urgency=medium
 
   * debian/patches/03-ensure-ac_aux_dir-set.diff: Add patch to ensure
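
Review bot: The distribution on the first added line is "unstable", but version 1:1.14.1-4+deb8u1 is a jessie proposed update and the request itself says the package is no longer in unstable, so the entry should target "jessie". The bullet "Avoid insecure use of /tmp/ in install-sh" would also be more useful to someone reading the changelog later if it named the behaviour being fixed, i.e. that the probe directory under $TMPDIR was created with "mkdir -p" on a guessable name.
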
diff -Nru automake-1.14-1.14.1/debian/patches/CVE-bug-827347.diff automake-1.14-1.14.1/debian/patches/CVE-bug-827347.diff
--- automake-1.14-1.14.1/debian/patches/CVE-bug-827347.diff	1970-01-01 00:00:00.000000000 +0000
+++ automake-1.14-1.14.1/debian/patches/CVE-bug-827347.diff	2016-06-15 08:55:04.000000000 +0000
@@ -0,0 +1,60 @@
+Fix security problem.  The patch is based on fix found in
+ <URL: https://bugzilla.redhat.com/show_bug.cgi?id=1140725 > and
+ verified to be identical to the code in automake 1.15.
+From: Petter Reinholdtsen <pere@hungry.com>
+Last-Update: 2016-06-15
+Debian-Bug: https://bugs.debian.org/827347
+
+Index: automake-1.14-1.14.1/lib/install-sh
+===================================================================
+--- automake-1.14-1.14.1.orig/lib/install-sh	2016-06-15 10:44:49.000000000 +0200
++++ automake-1.14-1.14.1/lib/install-sh	2016-06-15 10:48:18.924178517 +0200
+@@ -345,34 +345,41 @@
+ 	    # is incompatible with FreeBSD 'install' when (umask & 300) != 0.
+ 	    ;;
+ 	  *)
++            # $RANDOM is not portable (e.g. dash);  use it when possible to
++            # lower collision chance
+ 	    tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
+-	    trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
++	    trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0
+ 
++	     # As "mkdir -p" follows symlinks and we work in /tmp possibly;  so
++	     # create the $tmpdir first (and fail if unsuccessful) to make sure
++	     # that nobody tries to guess the $tmpdir name.
+ 	    if (umask $mkdir_umask &&
+-		exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
++		$mkdirprog $mkdir_mode "$tmpdir" &&
++		exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1
+ 	    then
+ 	      if test -z "$dir_arg" || {
+ 		   # Check for POSIX incompatibilities with -m.
+ 		   # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
+ 		   # other-writable bit of parent directory when it shouldn't.
+ 		   # FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
+-		   ls_ld_tmpdir=`ls -ld "$tmpdir"`
++		   test_tmpdir="$tmpdir/a"
++		   ls_ld_tmpdir=`ls -ld "$test_tmpdir"`
+ 		   case $ls_ld_tmpdir in
+ 		     d????-?r-*) different_mode=700;;
+ 		     d????-?--*) different_mode=755;;
+ 		     *) false;;
+ 		   esac &&
+-		   $mkdirprog -m$different_mode -p -- "$tmpdir" && {
+-		     ls_ld_tmpdir_1=`ls -ld "$tmpdir"`
++		   $mkdirprog -m$different_mode -p -- "$test_tmpdir" && {
++		     ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"`
+ 		     test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
+ 		   }
+ 		 }
+ 	      then posix_mkdir=:
+ 	      fi
+-	      rmdir "$tmpdir/d" "$tmpdir"
++	      rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir"
+ 	    else
+ 	      # Remove any dirs left behind by ancient mkdir implementations.
+-	      rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null
++	      rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null
+ 	    fi
+ 	    trap '' 0;;
+ 	esac;;
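
Review bot: The added comment above the "if (umask $mkdir_umask &&" test says the first mkdir is there "to make sure that nobody tries to guess the $tmpdir name", which misstates the guard: the name stays guessable (it reduces to ins-$$ where $RANDOM is empty, as the earlier added comment notes), and the protection is that the plain mkdir without -p fails when the path already exists, so the "-p" call never runs on a path someone else prepared. Suggest rewording the comment to say that. In the else branch, "$tmpdir" is now passed to rmdir even when that first mkdir failed because the name was already taken, so the script attempts to remove a directory it did not create; a short comment stating that this is intended for the case where only the second mkdir failed would help. The patch header also lacks a DEP-3 "Description:" field name and only says "Fix security problem" without naming the problem.
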
diff -Nru automake-1.14-1.14.1/debian/patches/series automake-1.14-1.14.1/debian/patches/series
--- automake-1.14-1.14.1/debian/patches/series	2014-10-27 02:52:07.000000000 +0000
+++ automake-1.14-1.14.1/debian/patches/series	2016-06-15 08:51:33.000000000 +0000
@@ -1,3 +1,4 @@
 01-texi-rename.diff
 02-init-m4-newline.diff
 03-ensure-ac_aux_dir-set.diff
+CVE-bug-827347.diff
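
Review bot: The file name on the added line, CVE-bug-827347.diff, carries a CVE prefix although the request states that no CVE was ever assigned, which will mislead anyone searching the patch series for CVE fixes. A name describing the change (for example install-sh-tmpdir.diff, as a suggestion) would be clearer, with the bug number kept in the patch header where Debian-Bug already records it.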

--- End Message ---
--- Begin Message ---
Version: 8.6

The updates referred to in each of these bugs were included in today's
stable point release.

Regards,

Adam

--- End Message ---
