Bug#964713: stretch-pu: package storebackup/3.2.1-2~deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

  * Set maintainer to Debian QA Group. (see #856299)
  * Add patch to change the way the lockfile is opened in the Perl code.
    (Fixes: CVE-2020-7040) (Closes: #949393)

CVE-2020-7040 is "no DSA" in stretch and buster.
diff -Nru storebackup-3.2.1/debian/changelog storebackup-3.2.1/debian/changelog
--- storebackup-3.2.1/debian/changelog 2012-06-17 07:31:31.000000000 +0300
+++ storebackup-3.2.1/debian/changelog 2020-07-09 14:54:23.000000000 +0300
@@ -1,3 +1,19 @@
+storebackup (3.2.1-2~deb9u1) stretch; urgency=medium
+
+ * QA upload.
+ * Rebuild for stretch.
+
+ -- Adrian Bunk <bunk@debian.org> Thu, 09 Jul 2020 14:54:23 +0300
+
+storebackup (3.2.1-2) unstable; urgency=medium
+
+ * QA upload.
+ * Set maintainer to Debian QA Group. (see #856299)
+ * Add patch to change the way the lockfile is opened in the Perl code.
+ (Fixes: CVE-2020-7040) (Closes: #949393)
+
+ -- Adrian Bunk <bunk@debian.org> Wed, 08 Jul 2020 15:54:21 +0300
+
storebackup (3.2.1-1) unstable; urgency=low
* change short description, recommendation from Heinz-Josef Claes
diff -Nru storebackup-3.2.1/debian/control storebackup-3.2.1/debian/control
--- storebackup-3.2.1/debian/control 2012-06-16 13:21:56.000000000 +0300
+++ storebackup-3.2.1/debian/control 2020-07-08 15:54:21.000000000 +0300
@@ -1,7 +1,7 @@
Source: storebackup
Section: utils
Priority: optional
-Maintainer: Ryan Niebur <ryan@debian.org>
+Maintainer: Debian QA Group <packages@qa.debian.org>
Build-Depends: debhelper (>= 7.2), perl
Standards-Version: 3.9.3
Homepage: http://www.nongnu.org/storebackup/
diff -Nru storebackup-3.2.1/debian/patches/CVE-2020-7040.patch storebackup-3.2.1/debian/patches/CVE-2020-7040.patch
--- storebackup-3.2.1/debian/patches/CVE-2020-7040.patch 1970-01-01 02:00:00.000000000 +0200
+++ storebackup-3.2.1/debian/patches/CVE-2020-7040.patch 2020-07-08 15:54:21.000000000 +0300
@@ -0,0 +1,27 @@
+Description: changing the way the lockfile is opened in the Perl code
+Author: Jan Ritzerfeld
+Author: Utkarsh Gupta <utkarsh@debian.org>
+Bug-Debian: https://bugs.debian.org/949393
+Origin: https://www.openwall.com/lists/oss-security/2020/01/20/3/1
+Last-Update: 2020-02-04
+
+--- a/lib/fileDir.pl
++++ b/lib/fileDir.pl
+@@ -22,7 +22,7 @@
+
+ push @VERSION, '$Id: fileDir.pl 364 2012-02-12 14:14:44Z hjc $ ';
+
+-use Fcntl qw(O_RDWR O_CREAT);
++use Fcntl qw(O_RDWR O_CREAT O_WRONLY O_EXCL);
+ use POSIX;
+
+ require 'prLog.pl';
+@@ -404,7 +404,7 @@
+ '-str' => ["creating lock file <$lockFile>"]);
+
+ &::checkDelSymLink($lockFile, $prLog, 0x01);
+- open(FILE, "> $lockFile") or
++ sysopen(FILE, $lockFile, O_WRONLY | O_CREAT | O_EXCL) or
+ $prLog->print('-kind' => 'E',
+ '-str' => ["cannot create lock file <$lockFile>"],
+ '-exit' => 1);
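Review bot: the error path of the new sysopen call in lib/fileDir.pl (the `'-str' => ["cannot create lock file <$lockFile>"]` line) does not report `$!`. With O_EXCL the call now also fails when the path already exists, so a log reader cannot tell EEXIST (a stale lock, or a file or symlink that appeared after checkDelSymLink ran) from a permission or path error. Consider appending `$!` to the message. Separately, sysopen is called without a permissions argument, so Perl applies its default of 0666 masked by the umask; passing an explicit mode such as 0600 as the fourth argument would make the lock file's permissions independent of the caller's umask. O_RDWR stays in the Fcntl import list, which is fine if it is still used elsewhere in the file; these lines do not show that.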
diff -Nru storebackup-3.2.1/debian/patches/series storebackup-3.2.1/debian/patches/series
--- storebackup-3.2.1/debian/patches/series 2012-06-16 13:19:48.000000000 +0300
+++ storebackup-3.2.1/debian/patches/series 2020-07-08 15:54:21.000000000 +0300
@@ -1 +1,2 @@
fix-spelling-error-in-manpage
+CVE-2020-7040.patch