Your message dated Sat, 06 Aug 2011 19:56:06 +0000
with message-id <e1qpmyc-0005zo...@franck.debian.org>
and subject line Bug#626673: fixed in pmake 1.111-1+lenny1
has caused the Debian Bug report #626673,
regarding pmake: insecure temporary files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
626673: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626673
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: pmake
Version: 1.111-1, 1.111-2
Severity: serious
Tags: security fixed-upstream patch

/usr/share/mk/bsd.lib.mk and /usr/share/mk/bsd.prog.mk create temporary
files insecurely, with predictable names (/tmp/_depend<PID>), and
without using $TMPDIR.

To reproduce, run the depend target in a BSD package like csh:

    /tmp/csh-20070713$ pmake -dx depend 2>&1 | grep /tmp/_depend
    + TMP=/tmp/_depend7338
    + mv /tmp/_depend7338 .depend

This applies to both lenny and squeeze.  Upstream is not affected as the
code was eliminated back in 2003:

    <http://cvsweb.netbsd.org/bsdweb.cgi/src/share/mk/bsd.lib.mk#rev1.240>
    <http://cvsweb.netbsd.org/bsdweb.cgi/src/share/mk/bsd.prog.mk#rev1.193>

Patch to use mktemp(1):

--- pmake-1.111/mk/bsd.lib.mk~
+++ pmake-1.111/mk/bsd.lib.mk
@@ -291,7 +291,7 @@
 
 .if defined(SRCS)
 afterdepend: .depend
-       @(TMP=/tmp/_depend$$$$; \
+       @(TMP=`mktemp -t _dependXXXXXXXXXX` || exit $$?; \
            sed -e 's/^\([^\.]*\).o[ ]*:/\1.o \1.po \1.so \1.ln:/' \
              < .depend > $$TMP; \
            mv $$TMP .depend)
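Review bot: the file mktemp(1) creates here is mode 0600, and `mv $$TMP .depend` carries that mode over, so after this recipe `.depend` is no longer world-readable the way the old `TMP=/tmp/_depend$$$$` version (a shell redirect, umask applied) left it; with `-t` the temporary may also live on a different filesystem from `.depend`, turning the `mv` into a non-atomic copy and unlink. Creating the temporary next to its destination, e.g. `TMP=\`mktemp .depend.XXXXXXXXXX\` || exit $$?`, keeps the rename on one filesystem, drops the dependence on a shared /tmp and $TMPDIR entirely, and lets a `chmod` before the `mv` restore the expected mode if one is wanted.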
--- pmake-1.111/mk/bsd.prog.mk~
+++ pmake-1.111/mk/bsd.prog.mk
@@ -124,7 +124,7 @@
 
 .if defined(SRCS)
 afterdepend: .depend
-       @(TMP=/tmp/_depend$$$$; \
+       @(TMP=`mktemp -t _dependXXXXXXXXXX` || exit $$?; \
            sed -e 's/^\([^\.]*\).o[ ]*:/\1.o \1.ln:/' \
              < .depend > $$TMP; \
            mv $$TMP .depend)
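Review bot: the `;` after the sed command is carried over from the old recipe, so if sed (or the redirect into $$TMP) fails the recipe still runs `mv $$TMP .depend` and replaces a good `.depend` with an empty or partial file, and a failure anywhere after mktemp leaves the temporary behind in $TMPDIR. Chain the steps and clean up on failure, e.g. `< .depend > $$TMP && mv $$TMP .depend || { rm -f $$TMP; exit 1; }`. The bsd.lib.mk hunk differs only in the sed expression and needs the same change.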

Thanks,

Matej



--- End Message ---
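The report above names the bug and the fix but does not show the attack itself. The script below is an added example (not pmake code, and not from the reporter or the maintainer) that replays the old bsd.prog.mk recipe and its mktemp(1) replacement inside a private scratch directory standing in for the shared /tmp: an attacker-style symlink is planted at the predictable `_depend<PID>` name, the old recipe writes its sed output straight through that symlink into a file it was never meant to touch, and the mktemp recipe does not. The work-directory names, the victim file and the `.depend` contents are constructed for the demo; the fixed recipe uses an explicit `mktemp` template path rather than the `mktemp -t` form used in the patch so that it behaves the same with GNU and BSD mktemp.

```shell
#!/bin/sh
# Added example, not pmake code: replays the old bsd.prog.mk "afterdepend"
# recipe and its mktemp(1) replacement against a planted symlink, inside a
# private scratch directory that stands in for the shared /tmp.
# All file names and the .depend contents below are constructed for the demo.

set -u

# Private directory playing the role of the world-writable /tmp.
SCRATCH=$(mktemp -d) || exit 1
TMPDIR=$SCRATCH
export TMPDIR
trap 'rm -rf "$SCRATCH"' EXIT

# Fresh fake package directory with a two-line .depend (constructed input).
make_workdir() {
    rm -rf "$1" && mkdir -p "$1" &&
    printf 'csh.o: csh.c sh.h\nglob.o: glob.c sh.h\n' > "$1/.depend"
}

# Old recipe: predictable name _depend<PID> under $TMPDIR, opened with a
# plain ">" redirect, which follows whatever symlink already sits there.
old_afterdepend() {
    (cd "$1" || exit 1
     TMP=$TMPDIR/_depend$$
     sed -e 's/^\([^\.]*\).o[ ]*:/\1.o \1.ln:/' < .depend > "$TMP"
     mv "$TMP" .depend)
}

# Patched recipe: mktemp(1) chooses an unguessable name and creates the file
# itself with O_EXCL, so it never opens through a pre-existing symlink.
# An explicit template path is used instead of "mktemp -t" so the behaviour
# is the same with GNU and BSD mktemp; the patch in the report uses -t.
new_afterdepend() {
    (cd "$1" || exit 1
     TMP=$(mktemp "$TMPDIR/_dependXXXXXXXXXX") || exit $?
     sed -e 's/^\([^\.]*\).o[ ]*:/\1.o \1.ln:/' < .depend > "$TMP"
     mv "$TMP" .depend)
}

# Attacker step: guess the PID-based name and leave a symlink there pointing
# at a file the victim can write. In the demo the PID is simply $$; a local
# attacker would read it from /proc or pre-create a range of candidates.
plant_symlink() {
    ln -s "$1" "$TMPDIR/_depend$$"
}

# Returns 0 if the old recipe wrote its sed output into the planted target.
old_recipe_clobbers_target() {
    w=$SCRATCH/old-work victim=$SCRATCH/victim-old
    make_workdir "$w" || return 1
    printf 'precious\n' > "$victim"
    plant_symlink "$victim" || return 1
    old_afterdepend "$w"
    rm -f "$TMPDIR/_depend$$"
    grep -q 'csh.o csh.ln:' "$victim"
}

# Returns 0 if the mktemp recipe left the planted target alone and still
# produced the rewritten .depend in the work directory.
new_recipe_preserves_target() {
    w=$SCRATCH/new-work victim=$SCRATCH/victim-new
    make_workdir "$w" || return 1
    printf 'precious\n' > "$victim"
    plant_symlink "$victim" || return 1
    new_afterdepend "$w"
    rm -f "$TMPDIR/_depend$$"
    [ "$(cat "$victim")" = precious ] && grep -q 'csh.o csh.ln:' "$w/.depend"
}

old_recipe_clobbers_target && echo "old recipe: sed output landed in the victim file via the symlink"
new_recipe_preserves_target && echo "mktemp recipe: victim untouched, .depend rewritten in place"
```

On a current Linux kernel with `fs.protected_symlinks=1` the kernel refuses to follow a symlink owned by another user in a sticky, world-writable directory such as /tmp, which blunts this attack there; the scratch directory above is neither sticky nor shared, so the old recipe's redirect goes through the symlink exactly as it would on a lenny-era system. Note also that after the fixed recipe runs, `.depend` keeps the 0600 mode mktemp gave the temporary file, because `mv` preserves it.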
--- Begin Message ---
Source: pmake
Source-Version: 1.111-1+lenny1

We believe that the bug you reported is fixed in the latest version of
pmake, which is due to be installed in the Debian FTP archive:

pmake_1.111-1+lenny1.diff.gz
  to main/p/pmake/pmake_1.111-1+lenny1.diff.gz
pmake_1.111-1+lenny1.dsc
  to main/p/pmake/pmake_1.111-1+lenny1.dsc
pmake_1.111-1+lenny1_amd64.deb
  to main/p/pmake/pmake_1.111-1+lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 626...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <j...@debian.org> (supplier of updated pmake package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 03 Aug 2011 20:31:43 +0100
Source: pmake
Binary: pmake
Architecture: source amd64
Version: 1.111-1+lenny1
Distribution: oldstable
Urgency: low
Maintainer: Sam Hocevar (Debian packages) <sam+...@zoy.org>
Changed-By: Jonathan Wiltshire <j...@debian.org>
Description: 
 pmake      - NetBSD make
Closes: 626673
Changes: 
 pmake (1.111-1+lenny1) oldstable; urgency=low
 .
   * Non-maintainer upload.
   * Backport fix for CVE-2011-1920 (symlink attack in bsd.lib.mk)
     (Closes: #626673)
Checksums-Sha1: 
 f6752dc5b69a433c1b7711d12c85d3f52ae5316c 1620 pmake_1.111-1+lenny1.dsc
 4e6b0abd0b17dd2acff2b3372adf7e01dc4ed629 26636 pmake_1.111-1+lenny1.diff.gz
 80434a770343f5d74211db1c4ddb4109180ae4d6 256122 pmake_1.111-1+lenny1_amd64.deb
Checksums-Sha256: 
 a23d86216a000a3f8bb88192ca503d827d0fc6b4455f09cc197393ddd5b6f4d0 1620 pmake_1.111-1+lenny1.dsc
 f0ef73dc8ee0e3249e150c1116bda0a4554c84e3000226a64765335ceba8c680 26636 pmake_1.111-1+lenny1.diff.gz
 4c48c7e7ccce892dea1d54463a909797cb01450839aed08e2a2021c4baa05af6 256122 pmake_1.111-1+lenny1_amd64.deb
Files: 
 1045a99d131ecd901d4dbc3b64aeb303 1620 devel optional pmake_1.111-1+lenny1.dsc
 fa8e58c7729d042f3aec1f7b2646b7a8 26636 devel optional pmake_1.111-1+lenny1.diff.gz
 15e02ddf62a4a63a2451e10826ee7423 256122 devel optional pmake_1.111-1+lenny1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----



--- End Message ---
