Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package devscripts

2.12.2 is a small upload to address CVE-2012-3500. Attached is the debdiff between 2.12.1 and 2.12.2.

unblock devscripts/2.12.2

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.5-trunk-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Cheers,
--
James
GPG Key: 4096R/331BA3DB 2011-12-05
James McCoy <james...@debian.org>
diffstat for devscripts-2.12.1 devscripts-2.12.2 debian/changelog | 10 ++++++++++ scripts/annotate-output.sh | 10 +++++++--- 2 files changed, 17 insertions(+), 3 deletions(-) diff -Nru devscripts-2.12.1/debian/changelog devscripts-2.12.2/debian/changelog --- devscripts-2.12.1/debian/changelog 2012-07-13 16:06:43.000000000 -0400 +++ devscripts-2.12.2/debian/changelog 2012-08-26 11:22:44.000000000 -0400 @@ -1,3 +1,13 @@ +devscripts (2.12.2) unstable; urgency=high + + * annotate-output: Fix to prevent symlink attack: don't delete + safely-created file and reuse its name. Instead, create temporary + directory and create FIFOs therein. Also, be sure to remove temporaries + upon catchable signal. Thanks to Jim Meyering for the patch. Fixes + CVE-2012-3500. + + -- James McCoy <james...@debian.org> Sun, 26 Aug 2012 11:16:17 -0400 + devscripts (2.12.1) unstable; urgency=low * debchange: diff -Nru devscripts-2.12.1/scripts/annotate-output.sh devscripts-2.12.2/scripts/annotate-output.sh --- devscripts-2.12.1/scripts/annotate-output.sh 2011-05-22 12:47:07.000000000 -0400 +++ devscripts-2.12.2/scripts/annotate-output.sh 2012-08-26 11:22:44.000000000 -0400 @@ -62,10 +62,14 @@ exit 1 fi -OUT=`mktemp --tmpdir annotate.XXXXXX` || exit 1 -ERR=`mktemp --tmpdir annotate.XXXXXX` || exit 1 +cleanup() { __st=$?; rm -rf "$tmp"; exit $__st; } +trap cleanup 0 +trap 'exit $?' 1 2 13 15 + +tmp=$(mktemp -d --tmpdir annotate.XXXXXX) || exit 1 +OUT=$tmp/out +ERR=$tmp/err -rm -f $OUT $ERR mkfifo $OUT $ERR || exit 1 addtime O < $OUT &
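Review bot: In the annotate-output.sh hunk, `trap 'exit $?' 1 2 13 15` does not reliably propagate the signal status: when a signal trap fires, `$?` holds the status of whatever command was last executed (or interrupted), not 128 plus the signal number, so a script killed by SIGINT or SIGTERM can exit 0 or with an unrelated status after `cleanup` has run. Setting one trap per signal, e.g. `trap 'exit 130' 2` and `trap 'exit 143' 15` (129 for HUP, 141 for PIPE), keeps the cleanup-on-signal behaviour the changelog describes while giving callers the conventional exit code. Minor consistency point in the same hunk: `cleanup` quotes `"$tmp"`, but `mkfifo $OUT $ERR` and `< $OUT` leave the derived paths unquoted, so `"$OUT" "$ERR"` would be the safer form should the temporary directory ever contain whitespace. The core change is right: creating the FIFOs inside a freshly created `mktemp -d` directory removes the delete-then-reuse window that the old `rm -f $OUT $ERR` followed by `mkfifo` opened, and registering `trap cleanup 0` before the directory is created ensures the EXIT handler is always armed.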