Source: libpaper
Version: 1.1.21
Severity: serious
Tags: security patch sid stretch
The clean target includes a line "exec > /tmp/libpaper1.new". Since that
is a predictable path in a world writeable location, it can effectively
be used to compromise the build user.
Surprisingly, the counterpart target debian/libpaper1.config get's this
right. So the fix is pretty simple and thus attached.
Note that the ancient version number is correct. The bug was introduced
somewhen between sarge and etch and has persisted since. I'm also
tagging the bug sid stretch as I don't think it makes sense to fix it in
a stable update.
Helmut
diff --minimal -Nru libpaper-1.1.24+nmu4/debian/changelog
libpaper-1.1.24+nmu5/debian/changelog
--- libpaper-1.1.24+nmu4/debian/changelog 2014-11-01 14:35:21.000000000
+0100
+++ libpaper-1.1.24+nmu5/debian/changelog 2016-10-22 17:54:12.000000000
+0200
@@ -1,3 +1,10 @@
+libpaper (1.1.24+nmu5) UNRELEASED; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix /tmp file vulnerability in debian/rules clean target (Closes: #-1)
+
+ -- Helmut Grohne <hel...@subdivi.de> Sat, 22 Oct 2016 17:53:54 +0200
+
libpaper (1.1.24+nmu4) unstable; urgency=medium
* Non-maintainer upload.
diff --minimal -Nru libpaper-1.1.24+nmu4/debian/rules
libpaper-1.1.24+nmu5/debian/rules
--- libpaper-1.1.24+nmu4/debian/rules 2014-11-01 14:26:20.000000000 +0100
+++ libpaper-1.1.24+nmu5/debian/rules 2016-10-22 17:53:51.000000000 +0200
@@ -64,10 +64,10 @@
[ ! -f Makefile ] || $(MAKE) distclean
dh_autoreconf_clean
dh_clean
- exec > /tmp/libpaper1.new \
+ exec > debian/libpaper1.config.new \
&& sed -n '1,/^__BEGIN_PAPERSPECS__/p' debian/libpaper1.config \
&& sed -n '/^__END_PAPERSPECS__/,$$p' debian/libpaper1.config
- mv /tmp/libpaper1.new debian/libpaper1.config
+ mv debian/libpaper1.config.new debian/libpaper1.config
binary-indep: DH_OPTIONS=-i
binary-indep: checkroot build
