Your message dated Sat, 09 May 2020 11:53:52 +0100 with message-id <fd7fa4d56896c35aab49a5a51cb69727dc60e87a.camel@adam-barratt.org.uk> and subject line Closing requests included in 10.4 point release has caused the Debian Bug report #954001, regarding buster-pu: package timeshift/19.01+ds-2+deb10u1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
954001: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954001
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: buster-pu: package timeshift/19.01+ds-2+deb10u1
- From: Boyuan Yang <byang@debian.org>
- Date: Sun, 15 Mar 2020 12:32:24 -0400
- Message-id: <ca9325be86148d6671865790ba19bc15034eee57.camel@debian.org>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-CC: carnil@debian.org yanhaocs@gmail.com swm@swm1.com

Dear Stable Release Team,

I am looking into solving CVE-2020-10174 (https://bugs.debian.org/953385) in Buster. Please find the proposed diff in the attachment.

--
Thanks,
Boyuan Yang

diff -Nru timeshift-19.01+ds/debian/changelog timeshift-19.01+ds/debian/changelog --- timeshift-19.01+ds/debian/changelog 2019-02-27 23:03:15.000000000 -0500 +++ timeshift-19.01+ds/debian/changelog 2020-03-12 17:24:24.000000000 -0400 @@ -1,3 +1,13 @@ +timeshift (19.01+ds-2+deb10u1) buster; urgency=medium + + * Team upload. + * debian/control: Use new homepage. (Closes: #952685) + * debian/patches/0006: Backport upstream fix on predictable + location of temporary directory. + (Closes: #953385, CVE-2020-10174) + + -- Boyuan Yang <byang@debian.org> Thu, 12 Mar 2020 17:24:24 -0400 + timeshift (19.01+ds-2) unstable; urgency=medium * d/control: Add missing dependency: psmisc (Closes: #919760). diff -Nru timeshift-19.01+ds/debian/control timeshift-19.01+ds/debian/control --- timeshift-19.01+ds/debian/control 2019-02-27 23:03:09.000000000 -0500 +++ timeshift-19.01+ds/debian/control 2020-03-12 17:11:19.000000000 -0400 
@@ -10,7 +10,7 @@ libjson-glib-dev, libvte-2.91-dev, Standards-Version: 4.3.0 -Homepage: http://teejeetech.blogspot.in/ +Homepage: https://teejeetech.in/timeshift/ Vcs-Git: https://salsa.debian.org/yanhao-guest/timeshift.git Vcs-Browser: https://salsa.debian.org/yanhao-guest/timeshift diff -Nru timeshift-19.01+ds/debian/patches/0006-Change-TEMP_DIR-permissions-and-path-Cleanup-on-exit.patch timeshift-19.01+ds/debian/patches/0006-Change-TEMP_DIR-permissions-and-path-Cleanup-on-exit.patch --- timeshift-19.01+ds/debian/patches/0006-Change-TEMP_DIR-permissions-and-path-Cleanup-on-exit.patch 1969-12-31 19:00:00.000000000 -0500 +++ timeshift-19.01+ds/debian/patches/0006-Change-TEMP_DIR-permissions-and-path-Cleanup-on-exit.patch 2020-03-12 17:24:12.000000000 -0400 
@@ -0,0 +1,48 @@ +From: Tony George <teejeetech@gmail.com> +Date: Thu, 5 Mar 2020 08:57:24 +0530 +Subject: Change TEMP_DIR permissions and path; Cleanup on exit; + +--- + src/Core/Main.vala | 2 ++ + src/Utility/TeeJee.Process.vala | 11 +++++++---- + 2 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/src/Core/Main.vala b/src/Core/Main.vala +index 7ff094c..4f460e1 100644 +--- a/src/Core/Main.vala ++++ b/src/Core/Main.vala +@@ -4229,6 +4229,8 @@ public class Main : GLib.Object{ + + app_lock.remove(); + ++ dir_delete(TEMP_DIR); ++ + exit(exit_code); + + //Gtk.main_quit (); +diff --git a/src/Utility/TeeJee.Process.vala b/src/Utility/TeeJee.Process.vala +index 70dd934..7153d15 100644 +--- a/src/Utility/TeeJee.Process.vala ++++ b/src/Utility/TeeJee.Process.vala +@@ -36,14 +36,17 @@ namespace TeeJee.ProcessHelper{ + public static void init_tmp(string subdir_name){ + string std_out, std_err; + +- TEMP_DIR = Environment.get_tmp_dir() + "/" + subdir_name + "/" + random_string(); ++ TEMP_DIR = Environment.get_tmp_dir() + "/" + random_string(); + dir_create(TEMP_DIR); ++ chmod(TEMP_DIR, "0750"); + + exec_script_sync("echo 'ok'",out std_out,out std_err, true); +- if ((std_out == null)||(std_out.strip() != "ok")){ +- TEMP_DIR = Environment.get_home_dir() + "/.temp/" + subdir_name + "/" + random_string(); +- exec_sync("rm -rf '%s'".printf(TEMP_DIR), null, null); ++ ++ if ((std_out == null) || (std_out.strip() != "ok")){ ++ ++ TEMP_DIR = Environment.get_home_dir() + "/.temp/" + random_string(); + dir_create(TEMP_DIR); ++ chmod(TEMP_DIR, "0750"); + } + + //log_debug("TEMP_DIR=" + TEMP_DIR); diff -Nru timeshift-19.01+ds/debian/patches/series timeshift-19.01+ds/debian/patches/series --- timeshift-19.01+ds/debian/patches/series 2019-02-26 05:01:52.000000000 -0500 +++ timeshift-19.01+ds/debian/patches/series 2020-03-12 17:24:12.000000000 -0400 
@@ -3,3 +3,4 @@ 0004-select-etc-timeshift-as-the-default-config-dir.patch 0005-build-with-debug-info.patch 0005-Fix-build-errors-with-new-version-of-vala.patch +0006-Change-TEMP_DIR-permissions-and-path-Cleanup-on-exit.patch
Attachment: signature.asc
Description: This is a digitally signed message part
--- End Message ---
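Review bot: in the init_tmp() hunk of src/Utility/TeeJee.Process.vala, the new directory is created and then restricted in two separate steps (`dir_create(TEMP_DIR);` followed by `chmod(TEMP_DIR, "0750");`), and neither call's result is checked. Between the two calls the directory carries whatever mode dir_create and the umask produce, and if dir_create does not fail on a path that already exists, a directory pre-created by another user under Environment.get_tmp_dir() would be accepted, with its owner left unchanged by the chmod. Suggest creating the directory atomically with its final mode (an mkdtemp-style call that fails when the name exists), checking the result before use, and using 0700 rather than 0750 unless group access is actually needed. The same applies to the fallback branch under Environment.get_home_dir() + "/.temp/". The unpredictability of the path now rests entirely on random_string(), whose implementation is not part of this diff and should be confirmed as unguessable.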
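Review bot: in the src/Core/Main.vala hunk, `dir_delete(TEMP_DIR);` runs unconditionally before `exit(exit_code);`, with no check that TEMP_DIR was set by init_tmp() and still names the directory this process created. Suggest guarding the call (TEMP_DIR non-empty and created by this run) so that a failed or skipped init_tmp() cannot lead to deleting an unintended path. The cleanup also covers only this exit path; any other way out of the program leaves the directory behind, which deserves a comment or a follow-up change.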
--- Begin Message ---
- Subject: Closing requests included in 10.4 point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 09 May 2020 11:53:52 +0100
- Message-id: <fd7fa4d56896c35aab49a5a51cb69727dc60e87a.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 10.4

Hi,

Each of the uploads referred to by these bugs was included in today's stable point release.

Regards,

Adam
--- End Message ---