Package: release.debian.org Severity: normal Tags: buster User: release.debian.org@packages.debian.org Usertags: pu X-Debbugs-CC: carnil@debian.org yanhaocs@gmail.com swm@swm1.com Dear Stable Release Team, I am looking into solving CVE-2020-10174 (https://bugs.debian.org/953385) in Buster. Please find the proposed diff in the attachment. -- Thanks, Boyuan Yang
diff -Nru timeshift-19.01+ds/debian/changelog timeshift-19.01+ds/debian/changelog
--- timeshift-19.01+ds/debian/changelog 2019-02-27 23:03:15.000000000 -0500
+++ timeshift-19.01+ds/debian/changelog 2020-03-12 17:24:24.000000000 -0400
@@ -1,3 +1,13 @@
+timeshift (19.01+ds-2+deb10u1) buster; urgency=medium
+
+ * Team upload.
+ * debian/control: Use new homepage. (Closes: #952685)
+ * debian/patches/0006: Backport upstream fix on predictable
+ location of temporary directory.
+ (Closes: #953385, CVE-2020-10174)
+
+ -- Boyuan Yang <byang@debian.org> Thu, 12 Mar 2020 17:24:24 -0400
+
timeshift (19.01+ds-2) unstable; urgency=medium
* d/control: Add missing dependency: psmisc (Closes: #919760).
diff -Nru timeshift-19.01+ds/debian/control timeshift-19.01+ds/debian/control
--- timeshift-19.01+ds/debian/control 2019-02-27 23:03:09.000000000 -0500
+++ timeshift-19.01+ds/debian/control 2020-03-12 17:11:19.000000000 -0400
@@ -10,7 +10,7 @@
libjson-glib-dev,
libvte-2.91-dev,
Standards-Version: 4.3.0
-Homepage: http://teejeetech.blogspot.in/
+Homepage: https://teejeetech.in/timeshift/
Vcs-Git: https://salsa.debian.org/yanhao-guest/timeshift.git
Vcs-Browser: https://salsa.debian.org/yanhao-guest/timeshift
diff -Nru timeshift-19.01+ds/debian/patches/0006-Change-TEMP_DIR-permissions-and-path-Cleanup-on-exit.patch timeshift-19.01+ds/debian/patches/0006-Change-TEMP_DIR-permissions-and-path-Cleanup-on-exit.patch
--- timeshift-19.01+ds/debian/patches/0006-Change-TEMP_DIR-permissions-and-path-Cleanup-on-exit.patch 1969-12-31 19:00:00.000000000 -0500
+++ timeshift-19.01+ds/debian/patches/0006-Change-TEMP_DIR-permissions-and-path-Cleanup-on-exit.patch 2020-03-12 17:24:12.000000000 -0400
@@ -0,0 +1,48 @@
+From: Tony George <teejeetech@gmail.com>
+Date: Thu, 5 Mar 2020 08:57:24 +0530
+Subject: Change TEMP_DIR permissions and path; Cleanup on exit;
+
+---
+ src/Core/Main.vala | 2 ++
+ src/Utility/TeeJee.Process.vala | 11 +++++++----
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/Core/Main.vala b/src/Core/Main.vala
+index 7ff094c..4f460e1 100644
+--- a/src/Core/Main.vala
++++ b/src/Core/Main.vala
+@@ -4229,6 +4229,8 @@ public class Main : GLib.Object{
+
+ app_lock.remove();
+
++ dir_delete(TEMP_DIR);
++
+ exit(exit_code);
+
+ //Gtk.main_quit ();
+diff --git a/src/Utility/TeeJee.Process.vala b/src/Utility/TeeJee.Process.vala
+index 70dd934..7153d15 100644
+--- a/src/Utility/TeeJee.Process.vala
++++ b/src/Utility/TeeJee.Process.vala
+@@ -36,14 +36,17 @@ namespace TeeJee.ProcessHelper{
+ public static void init_tmp(string subdir_name){
+ string std_out, std_err;
+
+- TEMP_DIR = Environment.get_tmp_dir() + "/" + subdir_name + "/" + random_string();
++ TEMP_DIR = Environment.get_tmp_dir() + "/" + random_string();
+ dir_create(TEMP_DIR);
++ chmod(TEMP_DIR, "0750");
+
+ exec_script_sync("echo 'ok'",out std_out,out std_err, true);
+- if ((std_out == null)||(std_out.strip() != "ok")){
+- TEMP_DIR = Environment.get_home_dir() + "/.temp/" + subdir_name + "/" + random_string();
+- exec_sync("rm -rf '%s'".printf(TEMP_DIR), null, null);
++
++ if ((std_out == null) || (std_out.strip() != "ok")){
++
++ TEMP_DIR = Environment.get_home_dir() + "/.temp/" + random_string();
+ dir_create(TEMP_DIR);
++ chmod(TEMP_DIR, "0750");
+ }
+
+ //log_debug("TEMP_DIR=" + TEMP_DIR);
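Review bot: In init_tmp, both new `dir_create(TEMP_DIR); chmod(TEMP_DIR, "0750");` pairs (the /tmp path and the ~/.temp fallback) create the directory and tighten its mode as two separate steps and ignore both results, so nothing visible confirms the directory was newly created and is owned by the running user before scripts are placed in it. If dir_create tolerates an already existing path (its body is not part of this patch, and init_tmp itself continues past the hunk), the fix rests entirely on random_string() being unpredictable, which is also not shown here. An atomic, owner-only creation that fails on collision would remove that dependency, for example `TEMP_DIR = DirUtils.make_tmp("timeshift-XXXXXX");` (template name constructed for illustration; GLib creates the directory with mode 0700), with the error handled instead of falling through. Mode 0750 additionally leaves the directory readable and traversable by the owner's group; 0700 is sufficient unless a group member is meant to read it. For a stable update it is reasonable to keep the backport identical to upstream, but a short comment above the first pair, such as `// relies on random_string() being unguessable; dir_create/chmod results are not checked`, would record the remaining assumption.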
diff -Nru timeshift-19.01+ds/debian/patches/series timeshift-19.01+ds/debian/patches/series
--- timeshift-19.01+ds/debian/patches/series 2019-02-26 05:01:52.000000000 -0500
+++ timeshift-19.01+ds/debian/patches/series 2020-03-12 17:24:12.000000000 -0400
@@ -3,3 +3,4 @@
0004-select-etc-timeshift-as-the-default-config-dir.patch
0005-build-with-debug-info.patch
0005-Fix-build-errors-with-new-version-of-vala.patch
+0006-Change-TEMP_DIR-permissions-and-path-Cleanup-on-exit.patch