
Bug#926480: marked as done (unblock: tvtime/1.0.11-4)



Your message dated Sun, 7 Apr 2019 18:58:11 +0100
with message-id <20190407175811.GA4189@powdarrmonkey.net>
and subject line Re: Bug#926480: unblock: tvtime/1.0.11-4
has caused the Debian Bug report #926480,
regarding unblock: tvtime/1.0.11-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
926480: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926480
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package tvtime

The patch fixes #924076, an insecure use of /tmp.

The important part of the debdiff is this:

--- a/src/utils.c
+++ b/src/utils.c
@@ -202,17 +202,11 @@
         }
     }

-    /* If we can't use our /tmp directory, put the fifo in $HOME. */
-    if( !mkdir_and_force_owner( fifodir, uid, getgid() ) ) {
-        if( asprintf( &fifo, "%s/.tvtime/tvtimefifo-%s",
-                      getenv( "HOME" ), hostname ) < 0 ) {
-            fifo = 0;
-        }
-    } else {
-        if( asprintf( &fifo, "%s/tvtimefifo-%s", fifodir, hostname ) < 0 ) {
-            fifo = 0;
-        }
-    }
+    /* put the fifo in $HOME */
+	  if( asprintf( &fifo, "%s/.tvtime/tvtimefifo-%s",
+		        getenv( "HOME" ), hostname ) < 0 ) {
+	      fifo = 0;
+	  }
     free( hostname );
     free( fifodir );
     return fifo;
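Review bot: The now-unconditional `asprintf` passes `getenv( "HOME" )` straight into `%s` with no NULL or empty check, so with HOME unset the behaviour is undefined (glibc would format `(null)/.tvtime/...`, a path relative to the current directory), and with HOME empty the fifo path becomes `/.tvtime/...`. Since this is the only location left once the /tmp branch is removed, I would read the variable once and fail closed: `const char *home = getenv( "HOME" );` followed by `if( !home || !*home || asprintf( &fifo, "%s/.tvtime/tvtimefifo-%s", home, hostname ) < 0 ) fifo = 0;`. `fifodir` is still freed below, so the code that builds it above the hunk looks dead now and could be removed with the /tmp handling; the function starts and ends outside the hunk, so that part is inferred. The added lines also mix tabs and spaces against the surrounding four-space indent. The same hunk is carried in debian/patches/0002-disable-insecure-temp-file.patch further down, and this note applies there as well.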

(Sorry for the refreshing of the patches, I realized this just now that
this would not have been necessary)

Debdiff attached.

Cheers,
tobi


unblock tvtime/1.0.11-4

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru tvtime-1.0.11/debian/changelog tvtime-1.0.11/debian/changelog
--- tvtime-1.0.11/debian/changelog	2018-12-10 23:50:07.000000000 +0100
+++ tvtime-1.0.11/debian/changelog	2019-04-05 20:27:01.000000000 +0200
@@ -1,3 +1,14 @@
+tvtime (1.0.11-5) unstable; urgency=medium
+
+  * QA upload.
+  * Create repository on salsa.
+  * Refresh patches
+  * Fix "insecure use of /tmp" by only using the fall back to $HOME.
+    This is patch 0002-disable-insecure-temp-file.patch
+    (Closes: #924076)
+
+ -- Tobias Frost <tobi@debian.org>  Fri, 05 Apr 2019 20:27:01 +0200
+
 tvtime (1.0.11-4) unstable; urgency=medium
 
   * QA upload.
diff -Nru tvtime-1.0.11/debian/control tvtime-1.0.11/debian/control
--- tvtime-1.0.11/debian/control	2018-12-10 23:50:07.000000000 +0100
+++ tvtime-1.0.11/debian/control	2019-04-05 19:56:54.000000000 +0200
@@ -22,6 +22,8 @@
  libasound2-dev
 Standards-Version: 3.9.3
 Homepage: https://linuxtv.org/wiki/index.php/Tvtime
+VCS-Browser: https://salsa.debian.org/debian/tvtime
+VCS-Git: https://salsa.debian.org/debian/tvtime.git
 
 Package: tvtime
 Architecture: any
diff -Nru tvtime-1.0.11/debian/patches/0001-Fix-warning-implicit-declaration-of-function-minor-m.patch tvtime-1.0.11/debian/patches/0001-Fix-warning-implicit-declaration-of-function-minor-m.patch
--- tvtime-1.0.11/debian/patches/0001-Fix-warning-implicit-declaration-of-function-minor-m.patch	2018-12-10 21:35:44.000000000 +0100
+++ tvtime-1.0.11/debian/patches/0001-Fix-warning-implicit-declaration-of-function-minor-m.patch	2019-04-05 19:57:51.000000000 +0200
@@ -14,8 +14,6 @@
  src/get_media_devices.c | 1 +
  1 file changed, 1 insertion(+)
 
-diff --git a/src/get_media_devices.c b/src/get_media_devices.c
-index 619734ea..453b0677 100644
 --- a/src/get_media_devices.c
 +++ b/src/get_media_devices.c
 @@ -23,6 +23,7 @@
@@ -26,6 +24,3 @@
  #include <string.h>
  #include <stdlib.h>
  #include <malloc.h>
--- 
-2.11.0
-
diff -Nru tvtime-1.0.11/debian/patches/0002-disable-insecure-temp-file.patch tvtime-1.0.11/debian/patches/0002-disable-insecure-temp-file.patch
--- tvtime-1.0.11/debian/patches/0002-disable-insecure-temp-file.patch	1970-01-01 01:00:00.000000000 +0100
+++ tvtime-1.0.11/debian/patches/0002-disable-insecure-temp-file.patch	2019-04-05 20:10:15.000000000 +0200
@@ -0,0 +1,25 @@
+--- a/src/utils.c
++++ b/src/utils.c
+@@ -202,17 +202,11 @@
+         }
+     }
+ 
+-    /* If we can't use our /tmp directory, put the fifo in $HOME. */
+-    if( !mkdir_and_force_owner( fifodir, uid, getgid() ) ) {
+-        if( asprintf( &fifo, "%s/.tvtime/tvtimefifo-%s",
+-                      getenv( "HOME" ), hostname ) < 0 ) {
+-            fifo = 0;
+-        }
+-    } else {
+-        if( asprintf( &fifo, "%s/tvtimefifo-%s", fifodir, hostname ) < 0 ) {
+-            fifo = 0;
+-        }
+-    }
++    /* put the fifo in $HOME */
++	  if( asprintf( &fifo, "%s/.tvtime/tvtimefifo-%s",
++		        getenv( "HOME" ), hostname ) < 0 ) {
++	      fifo = 0;
++	  }
+     free( hostname );
+     free( fifodir );
+     return fifo;
diff -Nru tvtime-1.0.11/debian/patches/freetype.patch tvtime-1.0.11/debian/patches/freetype.patch
--- tvtime-1.0.11/debian/patches/freetype.patch	2018-10-26 17:32:26.000000000 +0200
+++ tvtime-1.0.11/debian/patches/freetype.patch	2019-04-05 19:57:50.000000000 +0200
@@ -2,9 +2,9 @@
 Author: Adrian Bunk <bunk@debian.org>
 Bug-Debian: https://bugs.debian.org/892455
 
---- tvtime-1.0.11.orig/configure.ac
-+++ tvtime-1.0.11/configure.ac
-@@ -71,10 +71,7 @@ dnl ------------------------------------
+--- a/configure.ac
++++ b/configure.ac
+@@ -71,10 +71,7 @@
  dnl freetype
  dnl ---------------------------------------------
  dnl Test for freetype
@@ -16,9 +16,9 @@
  
  dnl ---------------------------------------------
  dnl libxml2
---- tvtime-1.0.11.orig/src/Makefile.am
-+++ tvtime-1.0.11/src/Makefile.am
-@@ -19,9 +19,6 @@ pkgsysconfdir = $(sysconfdir)/@PACKAGE@
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -19,9 +19,6 @@
  tmpdir = /tmp
  localedir = $(datadir)/locale
  
diff -Nru tvtime-1.0.11/debian/patches/home.diff tvtime-1.0.11/debian/patches/home.diff
--- tvtime-1.0.11/debian/patches/home.diff	2016-12-12 01:43:08.000000000 +0100
+++ tvtime-1.0.11/debian/patches/home.diff	2019-04-05 19:57:49.000000000 +0200
@@ -1,7 +1,5 @@
-Index: tvtime/src/tvtime-command.c
-===================================================================
---- tvtime.orig/src/tvtime-command.c	2014-04-25 17:27:37.935860003 +0200
-+++ tvtime/src/tvtime-command.c	2014-04-25 17:27:37.931859906 +0200
+--- a/src/tvtime-command.c
++++ b/src/tvtime-command.c
 @@ -39,6 +39,9 @@
  
  int main( int argc, char **argv )
@@ -12,10 +10,8 @@
      int nc = tvtime_num_commands();
      config_t *cfg;
      FILE *fifo;
-Index: tvtime/src/tvtime-configure.c
-===================================================================
---- tvtime.orig/src/tvtime-configure.c	2014-04-25 17:27:37.935860003 +0200
-+++ tvtime/src/tvtime-configure.c	2014-04-25 17:36:42.644717220 +0200
+--- a/src/tvtime-configure.c
++++ b/src/tvtime-configure.c
 @@ -19,6 +19,8 @@
  #include <stdio.h>
  #include <sys/types.h>
@@ -35,10 +31,8 @@
      config_t *cfg;
  
      /*
-Index: tvtime/src/tvtime-scanner.c
-===================================================================
---- tvtime.orig/src/tvtime-scanner.c	2014-04-25 17:27:37.935860003 +0200
-+++ tvtime/src/tvtime-scanner.c	2014-04-25 17:36:20.736208769 +0200
+--- a/src/tvtime-scanner.c
++++ b/src/tvtime-scanner.c
 @@ -24,6 +24,7 @@
  #include <sys/types.h>
  #include <sys/stat.h>
@@ -47,7 +41,7 @@
  #include <fcntl.h>
  #include <unistd.h>
  #ifdef HAVE_CONFIG_H
-@@ -42,6 +43,9 @@
+@@ -47,6 +48,9 @@
  
  int main( int argc, char **argv )
  {
@@ -57,11 +51,9 @@
      config_t *cfg;
      station_mgr_t *stationmgr = 0;
      videoinput_t *vidin;
-Index: tvtime/src/tvtime.c
-===================================================================
---- tvtime.orig/src/tvtime.c	2014-04-25 17:27:37.935860003 +0200
-+++ tvtime/src/tvtime.c	2014-04-25 17:27:37.935860003 +0200
-@@ -2643,6 +2643,9 @@
+--- a/src/tvtime.c
++++ b/src/tvtime.c
+@@ -2624,6 +2624,9 @@
  
  int main( int argc, char **argv )
  {
diff -Nru tvtime-1.0.11/debian/patches/saveconfig.diff tvtime-1.0.11/debian/patches/saveconfig.diff
--- tvtime-1.0.11/debian/patches/saveconfig.diff	2017-01-26 11:40:33.000000000 +0100
+++ tvtime-1.0.11/debian/patches/saveconfig.diff	2019-04-05 19:57:47.000000000 +0200
@@ -1,5 +1,5 @@
---- ../orig/tvtime-1.0.2/./src/tvtimeconf.c	2005-09-08 04:07:56.000000000 +0000
-+++ ./src/tvtimeconf.c	2012-12-07 11:05:25.000000000 +0000
+--- a/src/tvtimeconf.c
++++ b/src/tvtimeconf.c
 @@ -34,6 +34,7 @@
  #include <errno.h>
  #include <libxml/parser.h>
@@ -8,7 +8,7 @@
  #ifdef HAVE_CONFIG_H
  # include "config.h"
  #endif
-@@ -565,7 +566,30 @@
+@@ -596,7 +597,30 @@
      }
  
      xmlKeepBlanksDefault( 0 );
@@ -40,7 +40,7 @@
      if( create_file ) {
          if( chown( config_filename, getuid(), getgid() ) < 0 ) {
              lfprintf( stderr, _("Cannot change owner of %s: %s.\n"),
-@@ -844,14 +868,6 @@
+@@ -897,14 +921,6 @@
      ct->buttonmapmenu[ 4 ] = TVTIME_MENU_UP;
      ct->buttonmapmenu[ 5 ] = TVTIME_MENU_DOWN;
  
@@ -55,7 +55,7 @@
      /* First read in global settings. */
      asprintf( &base, "%s/tvtime.xml", CONFDIR );
      if( file_is_openable_for_read( base ) ) {
-@@ -1043,6 +1059,7 @@
+@@ -1113,6 +1129,7 @@
      int option_index = 0;
      int filename_specified = 0;
      int c;
@@ -63,7 +63,8 @@
  
      if( argc == 1 ) {
          print_config_usage( argv );
-@@ -1052,10 +1069,10 @@
+@@ -1123,11 +1140,11 @@
+ 	    "aAhmMF:g:I:d::b::i::c:n::D:f::x:t::Ll::R::p::P::z::",
              long_options, &option_index )) != -1 ) {
          switch( c ) {
 -        case 'a': ct->aspect = 1; break;
@@ -79,7 +80,7 @@
          case 'F': if( ct->config_filename ) free( ct->config_filename );
                    filename_specified = 1;
                    ct->config_filename = expand_user_path( optarg );
-@@ -1065,18 +1082,20 @@
+@@ -1137,18 +1154,20 @@
                                  ct->config_filename );
                        conf_xml_parse( ct, ct->config_filename );
                    }
@@ -103,7 +104,7 @@
                    }
                    break;
          case 'b': if( !optarg ) {
-@@ -1085,6 +1104,7 @@
+@@ -1157,6 +1176,7 @@
                    } else {
                        free( ct->vbidev );
                        ct->vbidev = strdup( optarg );
@@ -111,7 +112,7 @@
                    }
                    break;
          case 'i': if( !optarg ) {
-@@ -1092,16 +1112,18 @@
+@@ -1164,16 +1184,18 @@
                                 config_get_inputnum( ct ) );
                    } else {
                        ct->inputnum = atoi( optarg );
@@ -131,7 +132,7 @@
                    }
                    break;
          case 'l': if( !optarg ) {
-@@ -1110,6 +1132,7 @@
+@@ -1182,6 +1204,7 @@
                    } else {
                        if( ct->xmltvlanguage ) free( ct->xmltvlanguage );
                        ct->xmltvlanguage = strdup( optarg );
@@ -139,7 +140,7 @@
                    }
                    break;
          case 'n': if( !optarg ) {
-@@ -1117,6 +1140,7 @@
+@@ -1189,6 +1212,7 @@
                    } else {
                        free( ct->norm );
                        ct->norm = strdup( optarg );
@@ -147,7 +148,7 @@
                    }
                    break;
          case 'f': if( !optarg ) {
-@@ -1125,6 +1149,7 @@
+@@ -1197,6 +1221,7 @@
                    } else {
                        free( ct->freq );
                        ct->freq = strdup( optarg );
@@ -155,13 +156,15 @@
                    }
                    break;
          case 'R': if( !optarg ) {
-@@ -1132,4 +1157,5 @@
+@@ -1204,6 +1229,7 @@
+                                config_get_priority( ct ) );
                    } else {
                        ct->priority = atoi( optarg );
 +                      config_needs_saving = 1;
                    }
                    break;
-@@ -1212,6 +1212,7 @@
+         case 'p': if( !optarg ) {
+@@ -1212,6 +1238,7 @@
                    } else {
                        free( ct->alsa_inputdev );
                        ct->alsa_inputdev = strdup( optarg );
@@ -169,7 +172,7 @@
                    }
                    break;
          case 'P': if( !optarg ) {
-@@ -1220,6 +1221,7 @@
+@@ -1220,6 +1247,7 @@
                    } else {
                        free( ct->alsa_outputdev );
                        ct->alsa_outputdev = strdup( optarg );
@@ -177,7 +180,7 @@
                    }
                    break;
  	case 'z': if( !optarg ) {
-@@ -1227,6 +1229,7 @@
+@@ -1227,6 +1255,7 @@
  			       config_get_alsa_latency( ct ) );
  		  } else {
  		      ct->alsa_latency = atoi( optarg );
@@ -185,7 +188,7 @@
  		  }
  		  break;
          default:
-@@ -1235,6 +1238,9 @@
+@@ -1235,6 +1264,9 @@
          }
      }
  
diff -Nru tvtime-1.0.11/debian/patches/series tvtime-1.0.11/debian/patches/series
--- tvtime-1.0.11/debian/patches/series	2018-12-10 21:36:08.000000000 +0100
+++ tvtime-1.0.11/debian/patches/series	2019-04-05 20:20:32.000000000 +0200
@@ -2,3 +2,4 @@
 home.diff
 freetype.patch
 0001-Fix-warning-implicit-declaration-of-function-minor-m.patch
+0002-disable-insecure-temp-file.patch

--- End Message ---
--- Begin Message ---
On Fri, Apr 05, 2019 at 10:45:14PM +0200, Tobias Frost wrote:
> Please unblock package tvtime
> 
> The patch fixes #924076, a insecure usage of /tmp.

Unblocked; thanks.


-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

--- End Message ---
