Your message dated Sat, 06 Aug 2011 19:56:07 +0000
with message-id <e1qpmyd-00060w...@franck.debian.org>
and subject line Bug#626673: fixed in pmake 1.111-2+squeeze1
has caused the Debian Bug report #626673,
regarding pmake: insecure temporary files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
626673: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626673
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: pmake
Version: 1.111-1, 1.111-2
Severity: serious
Tags: security fixed-upstream patch

/usr/share/mk/bsd.lib.mk and /usr/share/mk/bsd.prog.mk create temporary
files insecurely, with predictable names (/tmp/_depend<PID>), and
without using $TMPDIR.

To reproduce, run the depend target in a BSD package like csh:

    /tmp/csh-20070713$ pmake -dx depend 2>&1 | grep /tmp/_depend
    + TMP=/tmp/_depend7338
    + mv /tmp/_depend7338 .depend

This applies to both lenny and squeeze.  Upstream is not affected as the
code was eliminated back in 2003:

    <http://cvsweb.netbsd.org/bsdweb.cgi/src/share/mk/bsd.lib.mk#rev1.240>
    <http://cvsweb.netbsd.org/bsdweb.cgi/src/share/mk/bsd.prog.mk#rev1.193>

Patch to use mktemp(1):

--- pmake-1.111/mk/bsd.lib.mk~
+++ pmake-1.111/mk/bsd.lib.mk
@@ -291,7 +291,7 @@
 
 .if defined(SRCS)
 afterdepend: .depend
-       @(TMP=/tmp/_depend$$$$; \
+       @(TMP=`mktemp -t _dependXXXXXXXXXX` || exit $$?; \
            sed -e 's/^\([^\.]*\).o[ ]*:/\1.o \1.po \1.so \1.ln:/' \
              < .depend > $$TMP; \
            mv $$TMP .depend)
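Review bot: the new `TMP=\`mktemp -t _dependXXXXXXXXXX\`` line removes the predictable name and honours $TMPDIR, but it changes two things worth noting. GNU coreutils documents `-t` as deprecated (it still works); `mktemp "$${TMPDIR:-/tmp}/_dependXXXXXXXXXX"` is the spelling that behaves the same on GNU and BSD mktemp. Second, mktemp creates the file 0600 and the final `mv $$TMP .depend` keeps that mode (rename preserves it, and so does the cross-filesystem copy when $TMPDIR is elsewhere), so .depend is no longer created with the umask-derived mode the old `> $$TMP` redirect gave it. Creating the temporary beside the target (`mktemp ./.depend.XXXXXXXXXX`) would make the mv an atomic same-filesystem rename; the mode would then want a `chmod` or `cp -p` before the rename.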
--- pmake-1.111/mk/bsd.prog.mk~
+++ pmake-1.111/mk/bsd.prog.mk
@@ -124,7 +124,7 @@
 
 .if defined(SRCS)
 afterdepend: .depend
-       @(TMP=/tmp/_depend$$$$; \
+       @(TMP=`mktemp -t _dependXXXXXXXXXX` || exit $$?; \
            sed -e 's/^\([^\.]*\).o[ ]*:/\1.o \1.ln:/' \
              < .depend > $$TMP; \
            mv $$TMP .depend)
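Review bot: the recipe still joins its steps with `;`, so if the `sed -e ... < .depend > $$TMP` step fails, `mv $$TMP .depend` runs anyway and replaces a valid .depend with a truncated or empty file, and the temporary is not removed on that path. Chaining with `&&` (`sed ... > $$TMP && mv $$TMP .depend`), or adding `|| { rm -f $$TMP; exit 1; }` after the sed, makes the failure abort the recipe and leave .depend untouched. The same applies to the identical recipe in bsd.lib.mk above; keeping the two recipes verbatim copies of each other makes such a follow-up easier to apply to both.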

Thanks,

Matej



--- End Message ---
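As an added example (not code from the bug report or from the pmake package), the following shell script shows the in-place rewrite the patch aims at, done without a predictable /tmp name: the temporary is created by mktemp(1) next to the target so the final rename is atomic, the target's file mode is kept, and nothing is left behind if the filter fails. It also includes a grep that flags recipes of the shape the report describes (a fixed /tmp prefix followed by the PID, written `$$$$` in a makefile). Function names, the `.depend.XXXXXXXXXX` template and the sample inputs are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the bug report or the pmake package.
# Shows a safe replacement for the "TMP=/tmp/_depend$$; ...; mv $TMP .depend"
# recipe, plus a small audit helper for the vulnerable pattern.

# safe_rewrite TARGET SED_EXPR
# Filters TARGET through sed into a file created by mktemp(1) in TARGET's
# own directory, then renames it over TARGET. Returns 1 and removes the
# temporary if any step fails. (Variables are global: portable sh has no
# "local".)
safe_rewrite() {
    target=$1
    expr=$2
    dir=$(dirname "$target")
    # Explicit template beside the target: the mv below is then a
    # same-filesystem rename, so readers never see a half-written file.
    tmp=$(mktemp "$dir/.depend.XXXXXXXXXX") || return 1
    # Remove the temporary if the shell is interrupted before the rename.
    trap 'rm -f "$tmp"' EXIT HUP INT TERM
    # mktemp creates the file 0600. "cp -p" onto the existing temporary
    # replaces its content and copies TARGET's mode, so the rewritten file
    # keeps the permissions the build expects; sed then overwrites the
    # content with the filtered output.
    if cp -p "$target" "$tmp" &&
       sed -e "$expr" < "$target" > "$tmp" &&
       mv -f "$tmp" "$target"; then
        trap - EXIT HUP INT TERM
        return 0
    fi
    rm -f "$tmp"
    trap - EXIT HUP INT TERM
    return 1
}

# find_predictable_tmp FILE...
# Prints, with line numbers, recipe lines that build a temporary name from
# a fixed /tmp path and the shell PID ($$, written $$$$ in make syntax).
# Exit status is grep's: 0 if anything matched, 1 if nothing did.
find_predictable_tmp() {
    grep -n -E '/tmp/[^[:space:]]*\$\$' "$@"
}

# Demonstration on constructed input.
demo() {
    d=$(mktemp -d) || return 1
    # constructed .depend in the shape pmake's depend target produces
    printf 'foo.o : foo.c\nbar.o: bar.h\n' > "$d/.depend"
    safe_rewrite "$d/.depend" 's/^\([^\.]*\).o[ ]*:/\1.o \1.ln:/' || return 1
    cat "$d/.depend"
    # constructed makefile fragment: the first recipe is the vulnerable
    # form from the report, the second is the mktemp form from the patch
    printf '\t@(TMP=/tmp/_depend$$$$; mv $$TMP .depend)\n' > "$d/frag.mk"
    printf '\t@(TMP=`mktemp -t _dependXXXXXXXXXX` || exit $$?; mv $$TMP .depend)\n' >> "$d/frag.mk"
    find_predictable_tmp "$d/frag.mk"   # reports only the first line
    rm -rf "$d"
}
demo
```

The `cp -p` step is the portable way to carry the target's mode onto the mktemp-created file; `chmod --reference` and `stat` formats differ between GNU and BSD userlands, while `cp -p` is POSIX.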
--- Begin Message ---
Source: pmake
Source-Version: 1.111-2+squeeze1

We believe that the bug you reported is fixed in the latest version of
pmake, which is due to be installed in the Debian FTP archive:

pmake_1.111-2+squeeze1.debian.tar.gz
  to main/p/pmake/pmake_1.111-2+squeeze1.debian.tar.gz
pmake_1.111-2+squeeze1.dsc
  to main/p/pmake/pmake_1.111-2+squeeze1.dsc
pmake_1.111-2+squeeze1_amd64.deb
  to main/p/pmake/pmake_1.111-2+squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 626...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <j...@debian.org> (supplier of updated pmake package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 03 Aug 2011 20:59:29 +0100
Source: pmake
Binary: pmake
Architecture: source amd64
Version: 1.111-2+squeeze1
Distribution: stable
Urgency: low
Maintainer: Sam Hocevar <s...@debian.org>
Changed-By: Jonathan Wiltshire <j...@debian.org>
Description: 
 pmake      - NetBSD make
Closes: 626673
Changes: 
 pmake (1.111-2+squeeze1) stable; urgency=low
 .
   * Non-maintainer upload.
   * Backport fix for CVE-2011-1920 (symlink attack in bsd.lib.mk)
     (Closes: #626673)
Checksums-Sha1: 
 e82d1d2f96f4e493b73f4aed6776b567a668d3de 1633 pmake_1.111-2+squeeze1.dsc
 fd8d3ed5a145f0544a407fb34f35e5f0bbaffa38 29269 pmake_1.111-2+squeeze1.debian.tar.gz
 8abcd0b622af2a93dae606766e298acd03c8ef87 247662 pmake_1.111-2+squeeze1_amd64.deb
Checksums-Sha256: 
 2100c800eff89d0a785d054ff299dae39afe3bbe4d7db31f462d4053c8393218 1633 pmake_1.111-2+squeeze1.dsc
 5162d7f26f00e33f3525e5710edde9438297762484b3ae4580334a484d698cb2 29269 pmake_1.111-2+squeeze1.debian.tar.gz
 09cea7e39fda7a683946f3c54636cfabb030cfe2f8093a81dbdb5153efa03935 247662 pmake_1.111-2+squeeze1_amd64.deb
Files: 
 8cd6bec12b3c6456f3d5d93d9bcfcde8 1633 devel optional pmake_1.111-2+squeeze1.dsc
 41618b945b37c1599ad57cff3ac79380 29269 devel optional pmake_1.111-2+squeeze1.debian.tar.gz
 94af543abede418c0fea55c7aa97ad53 247662 devel optional pmake_1.111-2+squeeze1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----



--- End Message ---
