
Bug#964713: stretch-pu: package storebackup/3.2.1-2~deb9u1



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

  * Set maintainer to Debian QA Group. (see #856299)
  * Add patch to change the way the lockfile is opened in the Perl code.
    (Fixes: CVE-2020-7040) (Closes: #949393)

CVE-2020-7040 is "no DSA" in stretch and buster.
diff -Nru storebackup-3.2.1/debian/changelog storebackup-3.2.1/debian/changelog
--- storebackup-3.2.1/debian/changelog	2012-06-17 07:31:31.000000000 +0300
+++ storebackup-3.2.1/debian/changelog	2020-07-09 14:54:23.000000000 +0300
@@ -1,3 +1,19 @@
+storebackup (3.2.1-2~deb9u1) stretch; urgency=medium
+
+  * QA upload.
+  * Rebuild for stretch.
+
+ -- Adrian Bunk <bunk@debian.org>  Thu, 09 Jul 2020 14:54:23 +0300
+
+storebackup (3.2.1-2) unstable; urgency=medium
+
+  * QA upload.
+  * Set maintainer to Debian QA Group. (see #856299)
+  * Add patch to change the way the lockfile is opened in the Perl code.
+    (Fixes: CVE-2020-7040) (Closes: #949393)
+
+ -- Adrian Bunk <bunk@debian.org>  Wed, 08 Jul 2020 15:54:21 +0300
+
 storebackup (3.2.1-1) unstable; urgency=low
 
   * change short description, recommendation from Heinz-Josef Claes
diff -Nru storebackup-3.2.1/debian/control storebackup-3.2.1/debian/control
--- storebackup-3.2.1/debian/control	2012-06-16 13:21:56.000000000 +0300
+++ storebackup-3.2.1/debian/control	2020-07-08 15:54:21.000000000 +0300
@@ -1,7 +1,7 @@
 Source: storebackup
 Section: utils
 Priority: optional
-Maintainer: Ryan Niebur <ryan@debian.org>
+Maintainer: Debian QA Group <packages@qa.debian.org>
 Build-Depends: debhelper (>= 7.2), perl
 Standards-Version: 3.9.3
 Homepage: http://www.nongnu.org/storebackup/
diff -Nru storebackup-3.2.1/debian/patches/CVE-2020-7040.patch storebackup-3.2.1/debian/patches/CVE-2020-7040.patch
--- storebackup-3.2.1/debian/patches/CVE-2020-7040.patch	1970-01-01 02:00:00.000000000 +0200
+++ storebackup-3.2.1/debian/patches/CVE-2020-7040.patch	2020-07-08 15:54:21.000000000 +0300
@@ -0,0 +1,27 @@
+Description: changing the way the lockfile is opened in the Perl code
+Author: Jan Ritzerfeld
+Author: Utkarsh Gupta <utkarsh@debian.org>
+Bug-Debian: https://bugs.debian.org/949393
+Origin: https://www.openwall.com/lists/oss-security/2020/01/20/3/1
+Last-Update: 2020-02-04
+
+--- a/lib/fileDir.pl
++++ b/lib/fileDir.pl
+@@ -22,7 +22,7 @@
+ 
+ push @VERSION, '$Id: fileDir.pl 364 2012-02-12 14:14:44Z hjc $ ';
+ 
+-use Fcntl qw(O_RDWR O_CREAT);
++use Fcntl qw(O_RDWR O_CREAT O_WRONLY O_EXCL);
+ use POSIX;
+ 
+ require 'prLog.pl';
+@@ -404,7 +404,7 @@
+ 		  '-str' => ["creating lock file <$lockFile>"]);
+ 
+     &::checkDelSymLink($lockFile, $prLog, 0x01);
+-    open(FILE, "> $lockFile") or
++    sysopen(FILE, $lockFile, O_WRONLY | O_CREAT | O_EXCL) or
+ 	$prLog->print('-kind' => 'E',
+ 		      '-str' => ["cannot create lock file <$lockFile>"],
+ 		      '-exit' => 1);
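Review bot: The new sysopen call in the second lib/fileDir.pl hunk omits the permissions argument, and its error path does not report $!. The lock file is therefore created with Perl's default 0666 masked by the umask, and an EEXIST failure (something appeared at $lockFile after checkDelSymLink ran) is logged identically to a permission or missing-directory error. Suggest passing an explicit mode such as 0600 as the fourth argument and appending $! to the "cannot create lock file <$lockFile>" message. The flag set O_WRONLY | O_CREAT | O_EXCL is the right one for this fix: the create is atomic and fails on any existing path, including a symlink, where "> $lockFile" would have followed the link and truncated its target.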
diff -Nru storebackup-3.2.1/debian/patches/series storebackup-3.2.1/debian/patches/series
--- storebackup-3.2.1/debian/patches/series	2012-06-16 13:19:48.000000000 +0300
+++ storebackup-3.2.1/debian/patches/series	2020-07-08 15:54:21.000000000 +0300
@@ -1 +1,2 @@
 fix-spelling-error-in-manpage
+CVE-2020-7040.patch
