Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal
Dear release team,

The security issue in dietlibc (see also #832123 for binNMUs in sid) was deemed no-DSA by the security team, so I would like to schedule an update via the next point release.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832169
https://security-tracker.debian.org/tracker/TEMP-0832169-0F9220

Source debdiff is attached.

Since dietlibc is a static library, after the upload there will need to be binNMUs in stable for the following three packages:

nmu minit_0.10-5 . ALL . jessie . -m "Security: rebuild against fixed dietlibc"
nmu mksh_50d-5 . ALL . jessie . -m "Security: rebuild against fixed dietlibc"
nmu util-vserver_0.30.216-pre3054-1 . ALL . jessie . -m "Security: rebuild against fixed dietlibc"

Also, I don't know the syntax for that, but could you make sure that the binNMU for minit gets at least +b2? Because the version of minit is the same in Wheezy and Jessie, and the Wheezy LTS team will also schedule a binNMU for minit.

Thank you!

Regards,
Christian
diff -Nru dietlibc-0.33~cvs20120325/debian/changelog dietlibc-0.33~cvs20120325/debian/changelog --- dietlibc-0.33~cvs20120325/debian/changelog 2014-02-11 21:48:24.000000000 +0100 +++ dietlibc-0.33~cvs20120325/debian/changelog 2016-07-23 10:49:25.000000000 +0200 @@ -1,3 +1,10 @@ +dietlibc (0.33~cvs20120325-6+deb8u1) jessie; urgency=high + + * Security: fix insecure default PATH. (Closes: #832169) + Thanks to Thorsten Glaser <t.gla...@tarent.de> for discovering this + + -- Christian Seiler <christ...@iwakd.de> Sat, 23 Jul 2016 10:41:00 +0200 + dietlibc (0.33~cvs20120325-6) unstable; urgency=low * Team upload. diff -Nru dietlibc-0.33~cvs20120325/debian/patches/0100-security-insecure-default-PATH.diff dietlibc-0.33~cvs20120325/debian/patches/0100-security-insecure-default-PATH.diff --- dietlibc-0.33~cvs20120325/debian/patches/0100-security-insecure-default-PATH.diff 1970-01-01 01:00:00.000000000 +0100 +++ dietlibc-0.33~cvs20120325/debian/patches/0100-security-insecure-default-PATH.diff 2016-07-23 10:49:25.000000000 +0200 
@@ -0,0 +1,20 @@ +Description: Fix insecure default PATH + Throsten Glaser <t.gla...@tarent.de> discovered that the default PATH + (absent the environment variable) contains the local directory. +Author: Christian Seiler <christ...@iwakd.de> +Bug: http://news.gmane.org/find-root.php?message_id=alpine.DEB.2.20.1607181048300.24083%40tglase.lan.tarent.de +Bug-Debian: https://bugs.debian.org/832169 +Last-Update: 2016-07-23 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/include/paths.h ++++ b/include/paths.h +@@ -2,7 +2,7 @@ + #define _PATHS_H + + #define _PATH_BSHELL "/bin/sh" +-#define _PATH_DEFPATH "/bin:/usr/bin:" ++#define _PATH_DEFPATH "/bin:/usr/bin" + + #define _PATH_DEVNULL "/dev/null" + diff -Nru dietlibc-0.33~cvs20120325/debian/patches/series dietlibc-0.33~cvs20120325/debian/patches/series --- dietlibc-0.33~cvs20120325/debian/patches/series 2014-02-11 21:41:35.000000000 +0100 +++ dietlibc-0.33~cvs20120325/debian/patches/series 2016-07-23 10:49:25.000000000 +0200 @@ -28,3 +28,4 @@ 0035-Use-syscall-_newselect-instead-of-select-on-ppc64.diff 0036-fix-jmp_buf-size-on-armhf.diff 0037-support-powerpcspe.diff +0100-security-insecure-default-PATH.diff
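Review bot: in the debian/changelog hunk, the line "Thanks to Thorsten Glaser <t.gla...@tarent.de> for discovering this" has no terminating period, and the entry never says what "insecure default PATH" means. Since stable users only see this changelog, consider stating that the compiled-in search path ended in ":" (an empty element, which resolves to the current working directory) and that, dietlibc being static, programs only pick up the fix once rebuilt, e.g. "* Security: fix insecure default PATH (trailing colon made the current directory part of the search path). (Closes: #832169)".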
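Review bot: the DEP-3 Description in 0100-security-insecure-default-PATH.diff spells the reporter's name "Throsten Glaser", while the changelog in the same debdiff has "Thorsten Glaser"; fix the typo before upload. The one-character change to _PATH_DEFPATH itself is correct: the trailing colon in "/bin:/usr/bin:" is an empty element, and PATH lookup treats an empty element as the current working directory, so a program that fell back on this default with PATH unset would try the current directory after /bin and /usr/bin. It would be worth grepping the rest of the tree for the old "/bin:/usr/bin:" literal to confirm include/paths.h is the only place the default is defined, so no second hard-coded copy survives the patch.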
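To make the bug concrete, the following C program is an added example, not dietlibc code and not part of the debdiff above. It walks a PATH string the way an execvp()-style search does and lists the candidate file names in search order, reporting an empty element as "./cmd" because POSIX defines an empty PATH element as the current working directory. OLD_DEFPATH and NEW_DEFPATH copy the before and after values of _PATH_DEFPATH from the hunk; path_candidates() and path_searches_cwd() are hypothetical helper names chosen for this example, and the third PATH value in main() is constructed to show that the same mistake also hides as a doubled "::" or a leading ":" in user-supplied paths, which goes beyond the trailing-colon case the patch fixes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Default search path from dietlibc's include/paths.h, copied from the
 * hunk above: the value before the patch and the value after it. */
#define OLD_DEFPATH "/bin:/usr/bin:"
#define NEW_DEFPATH "/bin:/usr/bin"

#define CAND_LEN 256        /* room for one candidate file name */
#define MAX_CANDIDATES 16

/*
 * Expand `path` into the file names an execvp()-style lookup of `cmd`
 * would try, in search order, writing at most `max` entries to `out`.
 * An empty element (leading ':', doubled '::' or trailing ':') denotes
 * the current working directory under POSIX, so it is reported as
 * "./cmd". Returns the number of candidates written.
 */
int path_candidates(const char *path, const char *cmd,
                    char out[][CAND_LEN], int max)
{
    int n = 0;
    const char *p = path;

    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);

        if (n >= max)
            break;
        if (len == 0)
            snprintf(out[n], CAND_LEN, "./%s", cmd);
        else
            snprintf(out[n], CAND_LEN, "%.*s/%s", (int)len, p, cmd);
        n++;

        if (!colon)
            break;
        p = colon + 1;
    }
    return n;
}

/*
 * Return 1 if `path` contains an empty element, i.e. a search along it
 * would consult the current working directory, else 0. This is exactly
 * the property the patch removes from the compiled-in default.
 */
int path_searches_cwd(const char *path)
{
    const char *p = path;

    if (*p == '\0' || *p == ':')        /* empty PATH or leading ':' */
        return 1;
    while ((p = strchr(p, ':')) != NULL) {
        p++;
        if (*p == ':' || *p == '\0')    /* "::" or trailing ':' */
            return 1;
    }
    return 0;
}

static void show(const char *label, const char *path)
{
    char cand[MAX_CANDIDATES][CAND_LEN];
    int n = path_candidates(path, "ls", cand, MAX_CANDIDATES);

    printf("%s: PATH=\"%s\", searches cwd: %s\n", label, path,
           path_searches_cwd(path) ? "YES" : "no");
    for (int i = 0; i < n; i++)
        printf("    %d. %s\n", i + 1, cand[i]);
}

int main(void)
{
    /* What a dietlibc-linked program saw with PATH unset, before/after. */
    show("dietlibc old default", OLD_DEFPATH);
    show("dietlibc fixed default", NEW_DEFPATH);
    /* Constructed user PATH with the same mistake in the middle. */
    show("constructed PATH", "/usr/local/bin::/usr/bin");
    return 0;
}
```

With the old value, a dietlibc-linked program that execs a command by bare name while PATH is unset (daemons started from init scripts, or programs that scrub their environment, are the usual cases) would look in its own working directory last, so a writable working directory hands the caller an attacker's binary whenever the name is not found in /bin or /usr/bin. The same check is worth running on PATH values taken from the environment, which is why the helper also flags leading and doubled colons.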