Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu
Hi,

I would like to fix #736359 / CVE-2014-1638 in Wheezy and Squeeze[0]. According to the security tracker, the security team has classified the bug as "minor" and declared it does not need a DSA[1].

The problem is that localepurge would create tmp files in an unsafe way. This allows a local user to have root destroy arbitrary files on the system (via a race condition) during upgrades and purge of localepurge.

The bug has been fixed in sid earlier this week and has migrated to testing as well.

~Niels

[0] I will file a separate request for Squeeze, but the request and patch are almost the same.

[1] https://security-tracker.debian.org/tracker/CVE-2014-1638
diff -Nru localepurge-0.6.3/debian/changelog localepurge-0.6.3+deb7u1/debian/changelog --- localepurge-0.6.3/debian/changelog 2012-06-10 20:18:01.000000000 +0200 +++ localepurge-0.6.3+deb7u1/debian/changelog 2014-01-31 18:44:52.000000000 +0100 @@ -1,3 +1,13 @@ +localepurge (0.6.3+deb7u1) wheezy; urgency=medium + + * [CVE-2014-1638] Create tempfiles in a safe manner using + mktemp. Thanks to Helmut Grohne for reporting the + issue and helping with the patch. (Closes: #736359) + * Remove the creation of /var/tmp/reinstall_debs.sh during + postrm. + + -- Niels Thykier <ni...@thykier.net> Fri, 31 Jan 2014 18:44:30 +0100 + localepurge (0.6.3) unstable; urgency=low * New maintainer (Closes: #675783) diff -Nru localepurge-0.6.3/debian/localepurge.config localepurge-0.6.3+deb7u1/debian/localepurge.config --- localepurge-0.6.3/debian/localepurge.config 2012-06-10 20:08:20.000000000 +0200 +++ localepurge-0.6.3+deb7u1/debian/localepurge.config 2014-01-31 18:32:46.000000000 +0100 @@ -6,14 +6,13 @@ # first get all possible locales and create a full list of locale values: -TEMPFILE=$(tempfile).$$ +TEMPFILE="$(mktemp --suffix ".locales")" LOCALELIST=/var/cache/localepurge/localelist # for the purpose of presenting a ready made preselection at the very first # configuration, include already configured locales from locales package: -LOCALEGEN=$(tempfile).locale.gen -touch "$LOCALEGEN" +LOCALEGEN="$(mktemp --suffix ".locale.gen")" if [ -f /etc/locale.gen ]; then grep ^[a-z] /etc/locale.gen | cut -d" " -f1 > "$LOCALEGEN" diff -Nru localepurge-0.6.3/debian/postrm localepurge-0.6.3+deb7u1/debian/postrm --- localepurge-0.6.3/debian/postrm 2012-06-10 20:10:04.000000000 +0200 +++ localepurge-0.6.3+deb7u1/debian/postrm 2014-01-31 18:34:07.000000000 +0100 @@ -1,7 +1,5 @@ #!/bin/sh -e -DEBREINSTALL="$(tempfile).$$" - if [ "$1" = purge ] && [ -e /usr/share/debconf/confmodule ]; then . /usr/share/debconf/confmodule db_purge 
@@ -22,15 +20,7 @@ echo " To reinstall all the packages which localepurge has been taking care" echo " of before, you can use the following command:" echo -echo " apt-get --reinstall install \$(dpkg -S LC_MESSAGES | cut -d: -f1 | tr ', ' '${NEWLINE}' | sort -u)" -echo -# create a ready made shell script for further usage: - -echo "apt-get -u --reinstall --fix-missing install \$(dpkg -S LC_MESSAGES | cut -d: -f1 | tr ', ' '${NEWLINE}' | sort -u)" > $DEBREINSTALL -mv $DEBREINSTALL /var/tmp/reinstall_debs.sh - -echo " For your further usage, the file \"/var/tmp/reinstall_debs.sh\"" -echo " contains an enhanced version of the command line printed out above." +echo " apt-get -u --reinstall --fix-mising install \$(dpkg -S LC_MESSAGES | cut -d: -f1 | tr ', ' '${NEWLINE}' | sort -u)" echo fi
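Review bot: in the localepurge.config hunk, neither `TEMPFILE="$(mktemp --suffix ".locales")"` nor `LOCALEGEN="$(mktemp --suffix ".locale.gen")"` checks mktemp's exit status; if mktemp fails (unwritable TMPDIR, full disk) the variable is empty and the later `> "$LOCALEGEN"` redirection targets an empty path. Unless the config script runs under `set -e` (its first lines are outside this hunk), append `|| exit 1` to both assignments. Dropping `touch "$LOCALEGEN"` is correct, since mktemp already creates the file (mode 0600) atomically.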
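Review bot: the added line in the second postrm hunk misspells the apt-get option as `--fix-mising`; the removed script line had it right as `--fix-missing`, so users who copy the printed command will get an apt-get usage error. Change the line to `echo " apt-get -u --reinstall --fix-missing install \$(dpkg -S LC_MESSAGES | cut -d: -f1 | tr ', ' '${NEWLINE}' | sort -u)"`.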
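The temp-file idiom the patch switches to, written out as an added example (not localepurge's own code) with the checks the hunks leave implicit: the mktemp result is verified, the file is removed on exit, and the path is sanity-checked before use. It assumes GNU coreutils mktemp (with --suffix) and stat, as on Debian.

```sh
#!/bin/sh
# Added example, not from the localepurge package. Assumes GNU coreutils
# mktemp --suffix and stat -c, as shipped on Debian.
set -e

# Create a private temp file and print its path. mktemp picks an
# unpredictable name and creates the file atomically (O_EXCL, mode 0600), so
# a file or symlink pre-planted at a guessable path such as the old
# "$(tempfile).$$" cannot redirect root's writes. A failed mktemp aborts
# instead of leaving the variable empty and the caller writing to "".
safe_tempfile() {
    f="$(mktemp --suffix "${1:-}")" || { echo "mktemp failed" >&2; return 1; }
    printf '%s\n' "$f"
}

# Sanity-check a path before using it as scratch space: it must be a regular
# file, not a symlink, owned by us and mode 0600. Returns non-zero otherwise.
check_tempfile() {
    p="$1"
    [ ! -L "$p" ] && [ -f "$p" ] || return 1
    [ "$(stat -c '%a %u' "$p")" = "600 $(id -u)" ]
}

main() {
    t="$(safe_tempfile .locales)"
    # Remove the scratch file on any exit, including signals.
    trap 'rm -f "$t"' EXIT HUP INT TERM
    check_tempfile "$t"
    echo "using $t"
}

main "$@"
```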