Your message dated Sun, 13 Nov 2016 12:05:49 +0000
with message-id <e1c5txh-0003ry...@fasolo.debian.org>
and subject line Bug#841722: fixed in libpaper 1.1.24+nmu5
has caused the Debian Bug report #841722,
regarding libpaper: tmp file vulnerability in debian/rules clean target
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
841722: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841722
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libpaper
Version: 1.1.21
Severity: serious
Tags: security patch sid stretch
The clean target includes a line "exec > /tmp/libpaper1.new". Since that
is a predictable path in a world-writable location, it can effectively
be used to compromise the build user.
Surprisingly, the counterpart target debian/libpaper1.config gets this
right. So the fix is pretty simple and thus attached.
Note that the ancient version number is correct. The bug was introduced
sometime between sarge and etch and has persisted since. I'm also
tagging the bug sid stretch as I don't think it makes sense to fix it in
a stable update.
Helmut
diff --minimal -Nru libpaper-1.1.24+nmu4/debian/changelog
libpaper-1.1.24+nmu5/debian/changelog
--- libpaper-1.1.24+nmu4/debian/changelog 2014-11-01 14:35:21.000000000
+0100
+++ libpaper-1.1.24+nmu5/debian/changelog 2016-10-22 17:54:12.000000000
+0200
@@ -1,3 +1,10 @@
+libpaper (1.1.24+nmu5) UNRELEASED; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix /tmp file vulnerability in debian/rules clean target (Closes: #-1)
+
+ -- Helmut Grohne <hel...@subdivi.de> Sat, 22 Oct 2016 17:53:54 +0200
+
libpaper (1.1.24+nmu4) unstable; urgency=medium
* Non-maintainer upload.
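Review bot: the new changelog entry still carries the placeholder bug reference `(Closes: #-1)` and the distribution `UNRELEASED`; both need to be replaced before upload (the real report number, here #841722, and `unstable`), otherwise the upload will not close the bug. The rest of the entry is fine.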
diff --minimal -Nru libpaper-1.1.24+nmu4/debian/rules
libpaper-1.1.24+nmu5/debian/rules
--- libpaper-1.1.24+nmu4/debian/rules 2014-11-01 14:26:20.000000000 +0100
+++ libpaper-1.1.24+nmu5/debian/rules 2016-10-22 17:53:51.000000000 +0200
@@ -64,10 +64,10 @@
[ ! -f Makefile ] || $(MAKE) distclean
dh_autoreconf_clean
dh_clean
- exec > /tmp/libpaper1.new \
+ exec > debian/libpaper1.config.new \
&& sed -n '1,/^__BEGIN_PAPERSPECS__/p' debian/libpaper1.config \
&& sed -n '/^__END_PAPERSPECS__/,$$p' debian/libpaper1.config
- mv /tmp/libpaper1.new debian/libpaper1.config
+ mv debian/libpaper1.config.new debian/libpaper1.config
binary-indep: DH_OPTIONS=-i
binary-indep: checkroot build
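Review bot: moving the scratch file from the predictable, world-writable `/tmp/libpaper1.new` to `debian/libpaper1.config.new` inside the build tree is the right fix, since the source tree is not writable by other local users and the name can no longer be pre-created or symlinked by someone else; it also matches what `debian/libpaper1.config` itself already does. Minor: the `.new` file is written after `dh_clean` has already run, so if the `sed` chain fails make aborts before the `mv` and `debian/libpaper1.config.new` stays behind; listing it in `debian/clean` would keep the tree clean after a failed run.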
--- End Message ---
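The predictable-/tmp pattern Helmut describes, as an added example that is not part of the bug report or the libpaper package: a POSIX sh check that flags make recipes writing to a fixed path under /tmp, run over constructed copies of the clean recipe before and after the fix. The sample recipes and the function names `write_samples` and `fixed_tmp_paths` are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the bug report or the libpaper package: flag make
# recipes that write to a fixed, predictable path under /tmp (the pattern
# behind #841722) and show the in-tree rewrite beside it.

# Constructed samples: the clean recipe before and after the fix, reduced to
# the lines that matter. Indentation is spaces here; the check ignores it.
write_samples() {
    cat > "$1" <<'EOF'
clean:
    dh_clean
    exec > /tmp/libpaper1.new \
    && sed -n '1,/^__BEGIN_PAPERSPECS__/p' debian/libpaper1.config
    mv /tmp/libpaper1.new debian/libpaper1.config
EOF
    cat > "$2" <<'EOF'
clean:
    dh_clean
    exec > debian/libpaper1.config.new \
    && sed -n '1,/^__BEGIN_PAPERSPECS__/p' debian/libpaper1.config
    mv debian/libpaper1.config.new debian/libpaper1.config
EOF
}

# Print, with line numbers, every line that names a path under /tmp or
# /var/tmp containing no shell expansion ($VAR, $(...), `...`), i.e. a
# name another local user can predict and pre-create. Exit status is 0 when
# at least one such line was found and 1 when the file is clean.
fixed_tmp_paths() {
    grep -nE '(^|[[:space:]>=])/(var/)?tmp/[A-Za-z0-9._+-]+' "$1" |
        grep -vE '/(var/)?tmp/[^[:space:]]*[$`]'
}

# Scratch space for the samples is itself created with mktemp -d, the
# unpredictable-name alternative to a hard-coded /tmp path.
main() {
    dir=$(mktemp -d) || exit 1
    write_samples "$dir/rules.before" "$dir/rules.after"
    for f in before after; do
        echo "debian/rules ($f the fix):"
        fixed_tmp_paths "$dir/rules.$f" || echo "  no fixed /tmp paths"
    done
    rm -rf "$dir"
}
main "$@"
```

Paths such as `/tmp/build.$$` or `$(mktemp)` are not reported, because the second grep drops any /tmp path that contains a shell expansion.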
--- Begin Message ---
Source: libpaper
Source-Version: 1.1.24+nmu5
We believe that the bug you reported is fixed in the latest version of
libpaper, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 841...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonathan Wiltshire <j...@debian.org> (supplier of updated libpaper package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Fri, 11 Nov 2016 11:28:37 +0000
Source: libpaper
Binary: libpaper1 libpaper-utils libpaper-dev
Architecture: source amd64
Version: 1.1.24+nmu5
Distribution: unstable
Urgency: medium
Maintainer: Giuseppe Sacco <eppes...@debian.org>
Changed-By: Jonathan Wiltshire <j...@debian.org>
Description:
libpaper-dev - library for handling paper characteristics (development files)
libpaper-utils - library for handling paper characteristics (utilities)
libpaper1 - library for handling paper characteristics
Closes: 841722
Changes:
libpaper (1.1.24+nmu5) unstable; urgency=medium
.
[ Helmut Grohne ]
* Non-maintainer upload.
* Fix /tmp file vulnerability in debian/rules clean target
(Closes: #841722)
--- End Message ---