
Bug#863211: marked as done (unblock: perltidy/20140328-2)



Your message dated Tue, 23 May 2017 17:33:00 +0000
with message-id <ca71bd67-4943-9314-6dfa-3566e4713b52@thykier.net>
and subject line Re: Bug#863211: unblock: perltidy/20140328-2
has caused the Debian Bug report #863211,
regarding unblock: perltidy/20140328-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
863211: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863211
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package perltidy

Fixes an important security bug (CVE-2016-10374) #862667 by erroring
out. [The bug is severity important, but should be fixed.]

unblock perltidy/20140328-2

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.10.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru perltidy-20140328/debian/changelog perltidy-20140328/debian/changelog
--- perltidy-20140328/debian/changelog	2014-04-07 18:27:20.000000000 -0700
+++ perltidy-20140328/debian/changelog	2017-05-21 12:41:30.000000000 -0700
@@ -1,3 +1,10 @@
+perltidy (20140328-2) unstable; urgency=high
+
+  * Backport fix for CVE-2016-10374 which fixes insecure file deletion of
+    perltidy.ERR and perltidy.LOG files (closes: #862667)
+
+ -- Don Armstrong <don@debian.org>  Sun, 21 May 2017 12:41:30 -0700
+
 perltidy (20140328-1) unstable; urgency=medium
 
   * New upstream release
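
Review bot: the new changelog entry names perltidy.LOG, but the hunks in die_on_unlink_failures only change the unlink of $stream_filename and of $warning_file; nothing in this debdiff alters how a log file is removed. The entry should describe what actually changes for users, namely that perltidy now calls Perl::Tidy::Die when either unlink fails, so callers that previously saw a silent failure will get a fatal error.
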
diff -Nru perltidy-20140328/debian/patches/die_on_unlink_failures perltidy-20140328/debian/patches/die_on_unlink_failures
--- perltidy-20140328/debian/patches/die_on_unlink_failures	1969-12-31 16:00:00.000000000 -0800
+++ perltidy-20140328/debian/patches/die_on_unlink_failures	2017-05-21 12:39:07.000000000 -0700
@@ -0,0 +1,30 @@
+Description: die if perltidy.ERR and other temporary files cannot be unlinked
+Origin: Upstream, Cherrypicked from 20170521.
+Author: Don Armstrong <don@debian.org>, Steve Hancock
+--- a/lib/Perl/Tidy.pm
++++ b/lib/Perl/Tidy.pm
+@@ -3643,7 +3643,10 @@
+     # now wish for luck...
+     my $msg = qx/perl $flags $quoted_stream_filename $error_redirection/;
+ 
+-    unlink $stream_filename if ($is_tmpfile);
++    if ($is_tmpfile) {
++        unlink $stream_filename
++          or Perl::Tidy::Die("couldn't unlink stream $stream_filename: $!\n");
++    }
+     return $stream_filename, $msg;
+ }
+ 
+@@ -4074,7 +4077,11 @@
+ 
+     # remove any old error output file if we might write a new one
+     unless ( $fh_warnings || ref($warning_file) ) {
+-        if ( -e $warning_file ) { unlink($warning_file) }
++        if ( -e $warning_file ) {
++            unlink($warning_file)
++              or Perl::Tidy::Die(
++                "couldn't unlink warning file $warning_file: $!\n");
++        }
+     }
+ 
+     my $logfile_gap =
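
Review bot: in the second Tidy.pm hunk the guard `if ( -e $warning_file )` is a stat-based test, so it is false for a dangling symlink and the new unlink-or-Die branch is skipped in that case; testing `-l $warning_file || -e $warning_file` would make sure a symlink is either removed or causes the fatal error. The existence check and the unlink are also separate steps from the later write that the comment "if we might write a new one" refers to, so consider creating the new file exclusively (sysopen with O_CREAT|O_EXCL) instead of relying on the earlier unlink having succeeded.
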
diff -Nru perltidy-20140328/debian/patches/series perltidy-20140328/debian/patches/series
--- perltidy-20140328/debian/patches/series	2014-04-07 18:23:44.000000000 -0700
+++ perltidy-20140328/debian/patches/series	2017-05-21 12:38:51.000000000 -0700
@@ -1 +1,2 @@
+die_on_unlink_failures
 document_bst_better
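
Review bot: die_on_unlink_failures is inserted ahead of document_bst_better rather than appended, which changes the order in which the patches are applied. If document_bst_better also touches lib/Perl/Tidy.pm, confirm it still applies without fuzz or offsets, or append the new patch at the end of the series instead.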

--- End Message ---
--- Begin Message ---
Don Armstrong:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package perltidy
> 
> Fixes an important security bug (CVE-2016-10374) #862667 by erroring
> out. [The bug is severity important, but should be fixed.]
> 
> unblock perltidy/20140328-2
> 
> [...]

Unblocked, thanks.

~Niels

--- End Message ---
