Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu
Hi, libiptables-parse-perl uses temporary files in an unsafe way (predictable names under /tmp, exploitable via symlinks on a multi-user system); this was assigned CVE-2015-8326 and is already fixed in unstable with the 1.6-1 upload. Attached is a debdiff to fix this issue for jessie. Can you consider accepting it for the next jessie point release? Regards, Salvatore -- System Information: Debian Release: stretch/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init)
diff -Nru libiptables-parse-perl-1.1/debian/changelog libiptables-parse-perl-1.1/debian/changelog
--- libiptables-parse-perl-1.1/debian/changelog 2012-03-05 21:36:00.000000000 +0100
+++ libiptables-parse-perl-1.1/debian/changelog 2015-11-26 17:40:19.000000000 +0100
@@ -1,3 +1,11 @@
+libiptables-parse-perl (1.1-1+deb8u1) jessie; urgency=medium
+
+ * Team upload.
+ * Add CVE-2015-8326.patch patch.
+ CVE-2015-8326: Use of predictable names for temporary files.
+
+ -- Salvatore Bonaccorso <car...@debian.org> Thu, 26 Nov 2015 17:39:36 +0100
+
 libiptables-parse-perl (1.1-1) unstable; urgency=low
 
 * Imported Upstream version 1.1
diff -Nru libiptables-parse-perl-1.1/debian/patches/CVE-2015-8326.patch libiptables-parse-perl-1.1/debian/patches/CVE-2015-8326.patch
--- libiptables-parse-perl-1.1/debian/patches/CVE-2015-8326.patch 1970-01-01 01:00:00.000000000 +0100
+++ libiptables-parse-perl-1.1/debian/patches/CVE-2015-8326.patch 2015-11-26 17:40:19.000000000 +0100
@@ -0,0 +1,46 @@
+Description: Don't use predictable names for temporary files
+ This allows an attacker on a multi-user system to set up symlinks to
+ overwrite any file the current user has write access to.
+ .
+ Don't recommend users of this module to use predictable names either.
+Origin: backport, https://github.com/mtrmac/IPTables-Parse/commit/b400b976d81140f6971132e94eb7657b5b0a2b87
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1267962
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2015-11-26
+Applied-Upstream: 1.6
+
+---
+ lib/IPTables/Parse.pm | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/lib/IPTables/Parse.pm
++++ b/lib/IPTables/Parse.pm
+@@ -17,6 +17,7 @@ package IPTables::Parse;
+ use 5.006;
+ use POSIX ":sys_wait_h";
+ use Carp;
++use File::Temp;
+ use strict;
+ use warnings;
+ use vars qw($VERSION);
+@@ -29,8 +30,8 @@ sub new() {
+ 
+ my $self = {
+ _iptables => $args{'iptables'} || $args{'ip6tables'} || '/sbin/iptables',
+- _iptout => $args{'iptout'} || '/tmp/ipt.out',
+- _ipterr => $args{'ipterr'} || '/tmp/ipt.err',
++ _iptout => $args{'iptout'} || mktemp('/tmp/ipt.out.XXXXXX'),
++ _ipterr => $args{'ipterr'} || mktemp('/tmp/ipt.err.XXXXXX'),
+ _ipt_alarm => $args{'ipt_alarm'} || 30,
+ _debug => $args{'debug'} || 0,
+ _verbose => $args{'verbose'} || 0,
+@@ -701,8 +702,6 @@ IPTables::Parse - Perl extension for par
+ 
+ my %opts = (
+ 'iptables' => $ipt_bin,
+- 'iptout' => '/tmp/iptables.out',
+- 'ipterr' => '/tmp/iptables.err',
+ 'debug' => 0,
+ 'verbose' => 0
+ );
diff -Nru libiptables-parse-perl-1.1/debian/patches/series libiptables-parse-perl-1.1/debian/patches/series
--- libiptables-parse-perl-1.1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libiptables-parse-perl-1.1/debian/patches/series 2015-11-26 17:40:19.000000000 +0100
@@ -0,0 +1 @@
+CVE-2015-8326.patch
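Review bot: The new `_iptout`/`_ipterr` defaults in the `sub new()` hunk call `mktemp()`, which only returns a name and does not create the file, so the path is still handed to a later open-by-path (outside this hunk, in code the patch does not touch) and the symlink race described in the patch header is narrowed rather than closed: an attacker who wins the window between name generation and that open can still plant a symlink at the chosen path. File::Temp's own documentation treats `mktemp()` as the insecure name-only variant and points to `tempfile()`/`mkstemp()`, which create the file with O_EXCL. Since the rest of the module appears to consume these values as paths, the least invasive fix is to create the file atomically here and keep only the path, e.g. `_iptout => $args{'iptout'} || (tempfile('ipt.out.XXXXXX', DIR => '/tmp'))[1],` and likewise for `_ipterr` (`tempfile` is exported by `use File::Temp;` as already added, so no import change is needed); on a sticky-bit /tmp a later reopen of a regular file the user already owns can no longer be redirected. Nothing visible in this hunk unlinks the files, so unless the module cleans up elsewhere each object leaves two files in /tmp; a comment on the two lines such as `# created once per object; not removed by this module` would make that contract explicit.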