
Bug#954001: marked as done (buster-pu: package timeshift/19.01+ds-2+deb10u1)



Your message dated Sat, 09 May 2020 11:53:52 +0100
with message-id <fd7fa4d56896c35aab49a5a51cb69727dc60e87a.camel@adam-barratt.org.uk>
and subject line Closing requests included in 10.4 point release
has caused the Debian Bug report #954001,
regarding buster-pu: package timeshift/19.01+ds-2+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
954001: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954001
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-CC: carnil@debian.org yanhaocs@gmail.com swm@swm1.com

Dear Stable Release Team,

I am looking into solving CVE-2020-10174 (https://bugs.debian.org/953385) in
Buster. Please find the proposed diff in the attachment.

-- 
Thanks,
Boyuan Yang
diff -Nru timeshift-19.01+ds/debian/changelog timeshift-19.01+ds/debian/changelog
--- timeshift-19.01+ds/debian/changelog	2019-02-27 23:03:15.000000000 -0500
+++ timeshift-19.01+ds/debian/changelog	2020-03-12 17:24:24.000000000 -0400
@@ -1,3 +1,13 @@
+timeshift (19.01+ds-2+deb10u1) buster; urgency=medium
+
+  * Team upload.
+  * debian/control: Use new homepage. (Closes: #952685)
+  * debian/patches/0006: Backport upstream fix on predictable
+    location of temporary directory.
+    (Closes: #953385, CVE-2020-10174)
+
+ -- Boyuan Yang <byang@debian.org>  Thu, 12 Mar 2020 17:24:24 -0400
+
 timeshift (19.01+ds-2) unstable; urgency=medium
 
   * d/control: Add missing dependency: psmisc (Closes: #919760).
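Review bot: The changelog line for debian/patches/0006 mentions only the predictable location of the temporary directory, while the patch subject reads "Change TEMP_DIR permissions and path; Cleanup on exit". Since this is a stable update, the entry would be easier to audit if it also named the permission change and the added cleanup on exit, so that every behavioural change in the upload is visible from the changelog alone.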
diff -Nru timeshift-19.01+ds/debian/control timeshift-19.01+ds/debian/control
--- timeshift-19.01+ds/debian/control	2019-02-27 23:03:09.000000000 -0500
+++ timeshift-19.01+ds/debian/control	2020-03-12 17:11:19.000000000 -0400
@@ -10,7 +10,7 @@
  libjson-glib-dev,
  libvte-2.91-dev,
 Standards-Version: 4.3.0
-Homepage: http://teejeetech.blogspot.in/
+Homepage: https://teejeetech.in/timeshift/
 Vcs-Git: https://salsa.debian.org/yanhao-guest/timeshift.git
 Vcs-Browser: https://salsa.debian.org/yanhao-guest/timeshift
 
diff -Nru timeshift-19.01+ds/debian/patches/0006-Change-TEMP_DIR-permissions-and-path-Cleanup-on-exit.patch timeshift-19.01+ds/debian/patches/0006-Change-TEMP_DIR-permissions-and-path-Cleanup-on-exit.patch
--- timeshift-19.01+ds/debian/patches/0006-Change-TEMP_DIR-permissions-and-path-Cleanup-on-exit.patch	1969-12-31 19:00:00.000000000 -0500
+++ timeshift-19.01+ds/debian/patches/0006-Change-TEMP_DIR-permissions-and-path-Cleanup-on-exit.patch	2020-03-12 17:24:12.000000000 -0400
@@ -0,0 +1,48 @@
+From: Tony George <teejeetech@gmail.com>
+Date: Thu, 5 Mar 2020 08:57:24 +0530
+Subject: Change TEMP_DIR permissions and path; Cleanup on exit;
+
+---
+ src/Core/Main.vala              |  2 ++
+ src/Utility/TeeJee.Process.vala | 11 +++++++----
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/Core/Main.vala b/src/Core/Main.vala
+index 7ff094c..4f460e1 100644
+--- a/src/Core/Main.vala
++++ b/src/Core/Main.vala
+@@ -4229,6 +4229,8 @@ public class Main : GLib.Object{
+ 
+ 		app_lock.remove();
+ 
++		dir_delete(TEMP_DIR);
++
+ 		exit(exit_code);
+ 
+ 		//Gtk.main_quit ();
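Review bot: The added dir_delete(TEMP_DIR) before exit(exit_code) is unconditional and covers only this exit path. Guard it so it is skipped when TEMP_DIR is null or empty (for example, if init_tmp has not run yet), and check whether other exit paths or termination by signal need the same cleanup, since otherwise the directory is left behind there.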
+diff --git a/src/Utility/TeeJee.Process.vala b/src/Utility/TeeJee.Process.vala
+index 70dd934..7153d15 100644
+--- a/src/Utility/TeeJee.Process.vala
++++ b/src/Utility/TeeJee.Process.vala
+@@ -36,14 +36,17 @@ namespace TeeJee.ProcessHelper{
+     public static void init_tmp(string subdir_name){
+ 		string std_out, std_err;
+ 
+-		TEMP_DIR = Environment.get_tmp_dir() + "/" + subdir_name + "/" + random_string();
++		TEMP_DIR = Environment.get_tmp_dir() + "/" + random_string();
+ 		dir_create(TEMP_DIR);
++		chmod(TEMP_DIR, "0750");
+ 
+ 		exec_script_sync("echo 'ok'",out std_out,out std_err, true);
+-		if ((std_out == null)||(std_out.strip() != "ok")){
+-			TEMP_DIR = Environment.get_home_dir() + "/.temp/" + subdir_name + "/" + random_string();
+-			exec_sync("rm -rf '%s'".printf(TEMP_DIR), null, null);
++
++		if ((std_out == null) || (std_out.strip() != "ok")){
++
++			TEMP_DIR = Environment.get_home_dir() + "/.temp/" + random_string();
+ 			dir_create(TEMP_DIR);
++			chmod(TEMP_DIR, "0750");
+ 		}
+ 
+ 		//log_debug("TEMP_DIR=" + TEMP_DIR);
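Review bot: In init_tmp, the directory is still created in two steps, dir_create(TEMP_DIR) followed by chmod(TEMP_DIR, "0750"), and neither call's result is checked, so nothing in the hunk stops a path that already exists under Environment.get_tmp_dir() from being used, and the directory keeps its creation-time mode until the chmod runs. Consider creating it atomically with its final mode and failing if the path already exists (mkdtemp-style), and using 0700 rather than 0750 unless group access is actually required. The same applies to the Environment.get_home_dir() fallback, which also no longer clears a pre-existing path now that the rm -rf line is removed.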
diff -Nru timeshift-19.01+ds/debian/patches/series timeshift-19.01+ds/debian/patches/series
--- timeshift-19.01+ds/debian/patches/series	2019-02-26 05:01:52.000000000 -0500
+++ timeshift-19.01+ds/debian/patches/series	2020-03-12 17:24:12.000000000 -0400
@@ -3,3 +3,4 @@
 0004-select-etc-timeshift-as-the-default-config-dir.patch
 0005-build-with-debug-info.patch
 0005-Fix-build-errors-with-new-version-of-vala.patch
+0006-Change-TEMP_DIR-permissions-and-path-Cleanup-on-exit.patch

Attachment: signature.asc
Description: This is a digitally signed message part


--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.4

Hi,

Each of the uploads referred to by these bugs was included in today's
stable point release.

Regards,

Adam

--- End Message ---
