Your message dated Sun, 29 May 2011 14:50:40 +0000
with message-id <e1qqhkc-0002oh...@franck.debian.org>
and subject line Bug#626673: fixed in pmake 1.111-3
has caused the Debian Bug report #626673,
regarding pmake: insecure temporary files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
626673: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626673
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: pmake
Version: 1.111-1, 1.111-2
Severity: serious
Tags: security fixed-upstream patch

/usr/share/mk/bsd.lib.mk and /usr/share/mk/bsd.prog.mk create temporary
files insecurely, with predictable names (/tmp/_depend<PID>), and
without using $TMPDIR.

To reproduce, run the depend target in a BSD package like csh:

    /tmp/csh-20070713$ pmake -dx depend 2>&1 | grep /tmp/_depend
    + TMP=/tmp/_depend7338
    + mv /tmp/_depend7338 .depend

This applies to both lenny and squeeze.  Upstream is not affected as the
code was eliminated back in 2003:

    <http://cvsweb.netbsd.org/bsdweb.cgi/src/share/mk/bsd.lib.mk#rev1.240>
    <http://cvsweb.netbsd.org/bsdweb.cgi/src/share/mk/bsd.prog.mk#rev1.193>

Patch to use mktemp(1):

--- pmake-1.111/mk/bsd.lib.mk~
+++ pmake-1.111/mk/bsd.lib.mk
@@ -291,7 +291,7 @@
 
 .if defined(SRCS)
 afterdepend: .depend
-       @(TMP=/tmp/_depend$$$$; \
+       @(TMP=`mktemp -t _dependXXXXXXXXXX` || exit $$?; \
            sed -e 's/^\([^\.]*\).o[ ]*:/\1.o \1.po \1.so \1.ln:/' \
              < .depend > $$TMP; \
            mv $$TMP .depend)
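Review bot: the exit status of the sed step is never checked before the mv, so if sed fails after mktemp has created the file, the truncated output still replaces .depend; chaining the steps with `&&` instead of `;` (`< .depend > $$TMP && mv $$TMP .depend`) would leave the existing .depend intact on failure.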
--- pmake-1.111/mk/bsd.prog.mk~
+++ pmake-1.111/mk/bsd.prog.mk
@@ -124,7 +124,7 @@
 
 .if defined(SRCS)
 afterdepend: .depend
-       @(TMP=/tmp/_depend$$$$; \
+       @(TMP=`mktemp -t _dependXXXXXXXXXX` || exit $$?; \
            sed -e 's/^\([^\.]*\).o[ ]*:/\1.o \1.ln:/' \
              < .depend > $$TMP; \
            mv $$TMP .depend)
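Review bot: nothing removes the mktemp-created file when the sed or mv step fails, so a failed run leaves a stray `_depend*` file in $TMPDIR; ending the subshell with `|| { rm -f $$TMP; exit 1; }` (or a trap) would clean it up. The same applies to the bsd.lib.mk hunk above, and note that GNU coreutils documents `-t` as deprecated, although it still works and honours $TMPDIR, which is what the report asks for.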

Thanks,

Matej



--- End Message ---
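The temporary-file handling described in the report, rewritten as an added shell example that is not code from pmake or from the bug report: the same .depend rewrite that bsd.lib.mk's afterdepend target performs, with the temporary file created by mktemp(1) under $TMPDIR and removed again when any step fails (the function name and the constructed sample input are assumptions for the demonstration).

```sh
#!/bin/sh
# Added example, not code from pmake or from the bug report: the .depend
# rewrite done by the afterdepend target in bsd.lib.mk, with the temporary
# file created by mktemp(1) under $TMPDIR and removed again if any step
# fails.  Names (rewrite_depend, the _depend template) are constructed.

# rewrite_depend FILE: expand every "foo.o:" rule in FILE to also cover
# foo.po, foo.so and foo.ln, then replace FILE.  Returns non-zero and
# leaves FILE untouched if mktemp, sed or mv fails.
rewrite_depend() {
    src=$1
    # Build the template from $TMPDIR explicitly so the call works with
    # both GNU and BSD mktemp.  mktemp creates the file (mode 0600) with
    # an unguessable suffix, so a name another user pre-created or
    # symlinked as /tmp/_depend<PID> is never opened.
    tmp=$(mktemp "${TMPDIR:-/tmp}/_dependXXXXXXXXXX") || return 1
    # Only replace the original when sed succeeded; the patch on this bug
    # runs mv unconditionally, so a failed sed would install truncated
    # output.  mv is an atomic rename only when $TMPDIR is on the same
    # filesystem as FILE.
    if sed -e 's/^\([^\.]*\).o[ ]*:/\1.o \1.po \1.so \1.ln:/' < "$src" > "$tmp" &&
       mv "$tmp" "$src"; then
        return 0
    fi
    # Failure path: do not leave the temporary file behind in $TMPDIR.
    rm -f "$tmp"
    return 1
}

# Demonstration on a constructed .depend in a scratch directory.
demo_dir=$(mktemp -d) || exit 1
printf 'main.o: main.c defs.h\nutil.o : util.c\n' > "$demo_dir/.depend"
rewrite_depend "$demo_dir/.depend" && cat "$demo_dir/.depend"
rm -rf "$demo_dir"
```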
--- Begin Message ---
Source: pmake
Source-Version: 1.111-3

We believe that the bug you reported is fixed in the latest version of
pmake, which is due to be installed in the Debian FTP archive:

pmake_1.111-3.debian.tar.gz
  to main/p/pmake/pmake_1.111-3.debian.tar.gz
pmake_1.111-3.dsc
  to main/p/pmake/pmake_1.111-3.dsc
pmake_1.111-3_amd64.deb
  to main/p/pmake/pmake_1.111-3_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 626...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Hocevar <s...@debian.org> (supplier of updated pmake package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Sun, 29 May 2011 15:44:08 +0200
Source: pmake
Binary: pmake
Architecture: source amd64
Version: 1.111-3
Distribution: unstable
Urgency: low
Maintainer: Sam Hocevar <s...@debian.org>
Changed-By: Sam Hocevar <s...@debian.org>
Description: 
 pmake      - NetBSD make
Closes: 610516 626673 626877
Changes: 
 pmake (1.111-3) unstable; urgency=low
 .
   * 100_mk.diff: prepend -Wl for linker-only flags (Closes: 610516).
   * 140_multiarch.diff: new patch for multiarch, courtesy of Guillem Jover;
     fixes hardcoded paths (Closes: #626877).
   * 150_mktemp.diff: new patch, replace insecure temporary file handling with
     proper mktemp use, courtesy of Matej Vela (Closes: 626673).


--- End Message ---