Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

  * Set maintainer to Debian QA Group. (see #856299)
  * Add patch to change the way the lockfile is opened in the Perl code.
    (Fixes: CVE-2020-7040) (Closes: #949393)

CVE-2020-7040 is "no DSA" in stretch and buster.

diff -Nru storebackup-3.2.1/debian/changelog storebackup-3.2.1/debian/changelog --- storebackup-3.2.1/debian/changelog 2012-06-17 07:31:31.000000000 +0300 +++ storebackup-3.2.1/debian/changelog 2020-07-09 14:59:51.000000000 +0300 @@ -1,3 +1,19 @@ +storebackup (3.2.1-2~deb10u1) buster; urgency=medium + + * QA upload. + * Rebuild for buster. + + -- Adrian Bunk <b...@debian.org> Thu, 09 Jul 2020 14:59:51 +0300 + +storebackup (3.2.1-2) unstable; urgency=medium + + * QA upload. + * Set maintainer to Debian QA Group. (see #856299) + * Add patch to change the way the lockfile is opened in the Perl code. + (Fixes: CVE-2020-7040) (Closes: #949393) + + -- Adrian Bunk <b...@debian.org> Wed, 08 Jul 2020 15:54:21 +0300 + storebackup (3.2.1-1) unstable; urgency=low * change short description, recommendation from Heinz-Josef Claes diff -Nru storebackup-3.2.1/debian/control storebackup-3.2.1/debian/control --- storebackup-3.2.1/debian/control 2012-06-16 13:21:56.000000000 +0300 +++ storebackup-3.2.1/debian/control 2020-07-08 15:54:21.000000000 +0300 @@ -1,7 +1,7 @@ Source: storebackup Section: utils Priority: optional -Maintainer: Ryan Niebur <r...@debian.org> +Maintainer: Debian QA Group <packa...@qa.debian.org> Build-Depends: debhelper (>= 7.2), perl Standards-Version: 3.9.3 Homepage: http://www.nongnu.org/storebackup/ diff -Nru storebackup-3.2.1/debian/patches/CVE-2020-7040.patch storebackup-3.2.1/debian/patches/CVE-2020-7040.patch --- storebackup-3.2.1/debian/patches/CVE-2020-7040.patch 1970-01-01 02:00:00.000000000 +0200 +++ storebackup-3.2.1/debian/patches/CVE-2020-7040.patch 2020-07-08 15:54:21.000000000 +0300 
@@ -0,0 +1,27 @@ +Description: changing the way the lockfile is opened in the Perl code +Author: Jan Ritzerfeld +Author: Utkarsh Gupta <utka...@debian.org> +Bug-Debian: https://bugs.debian.org/949393 +Origin: https://www.openwall.com/lists/oss-security/2020/01/20/3/1 +Last-Update: 2020-02-04 + +--- a/lib/fileDir.pl ++++ b/lib/fileDir.pl +@@ -22,7 +22,7 @@ + + push @VERSION, '$Id: fileDir.pl 364 2012-02-12 14:14:44Z hjc $ '; + +-use Fcntl qw(O_RDWR O_CREAT); ++use Fcntl qw(O_RDWR O_CREAT O_WRONLY O_EXCL); + use POSIX; + + require 'prLog.pl'; +@@ -404,7 +404,7 @@ + '-str' => ["creating lock file <$lockFile>"]); + + &::checkDelSymLink($lockFile, $prLog, 0x01); +- open(FILE, "> $lockFile") or ++ sysopen(FILE, $lockFile, O_WRONLY | O_CREAT | O_EXCL) or + $prLog->print('-kind' => 'E', + '-str' => ["cannot create lock file <$lockFile>"], + '-exit' => 1); diff -Nru storebackup-3.2.1/debian/patches/series storebackup-3.2.1/debian/patches/series --- storebackup-3.2.1/debian/patches/series 2012-06-16 13:19:48.000000000 +0300 +++ storebackup-3.2.1/debian/patches/series 2020-07-08 15:54:21.000000000 +0300 @@ -1 +1,2 @@ fix-spelling-error-in-manpage +CVE-2020-7040.patch
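
Review bot: In the lib/fileDir.pl change at the lock-file creation (the "@@ -404,7 +404,7 @@" hunk carried inside debian/patches/CVE-2020-7040.patch), sysopen is called without a mode argument, so Perl falls back to its default of 0666 filtered by the process umask. Consider passing an explicit mode such as 0600, so the lock file's permissions do not depend on the umask storeBackup happens to be started with. With O_CREAT | O_EXCL the open fails whenever the path already exists, including when it is a symlink, so the sysopen call itself now refuses a planted link rather than the preceding checkDelSymLink call. The error branch ("cannot create lock file <$lockFile>") would be more useful if it also reported $!, so that an already existing file can be told apart from a permission failure.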