Bug#806339: marked as done (wheezy-pu: package libiptables-parse-perl/1.1-1+deb7u1)

Debian Bug Tracking System Sat, 02 Apr 2016 06:33:01 -0700

Your message dated Sat, 02 Apr 2016 14:22:42 +0100
with message-id <1459603362.2441.217.ca...@adam-barratt.org.uk>
and subject line Fix included in oldstable
has caused the Debian Bug report #806339,
regarding wheezy-pu: package libiptables-parse-perl/1.1-1+deb7u1
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
806339: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806339
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu

Hi  
  
libiptables-parse-perl uses temporary files in an unsafe way, this was  
assigned CVE-2015-8326 and already fixed in unstable with the 1.6-1  
upload.  
  
Attached is a debdiff to fix this issue for wheezy. Can you consider  
accepting it for the next wheezy point release?  
  
Regards,  
Salvatore

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

diff -Nru libiptables-parse-perl-1.1/debian/changelog libiptables-parse-perl-1.1/debian/changelog
--- libiptables-parse-perl-1.1/debian/changelog	2012-03-05 21:36:00.000000000 +0100
+++ libiptables-parse-perl-1.1/debian/changelog	2015-11-26 18:05:24.000000000 +0100
@@ -1,3 +1,11 @@
+libiptables-parse-perl (1.1-1+deb7u1) wheezy; urgency=medium
+
+  * Team upload.
+  * Add CVE-2015-8326.patch patch.
+    CVE-2015-8326: Use of predictable names for temporary files.
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Thu, 26 Nov 2015 18:04:51 +0100
+
 libiptables-parse-perl (1.1-1) unstable; urgency=low
 
   * Imported Upstream version 1.1
diff -Nru libiptables-parse-perl-1.1/debian/patches/CVE-2015-8326.patch libiptables-parse-perl-1.1/debian/patches/CVE-2015-8326.patch
--- libiptables-parse-perl-1.1/debian/patches/CVE-2015-8326.patch	1970-01-01 01:00:00.000000000 +0100
+++ libiptables-parse-perl-1.1/debian/patches/CVE-2015-8326.patch	2015-11-26 18:05:24.000000000 +0100
@@ -0,0 +1,46 @@
+Description: Don't use predictable names for temporary files
+ This allows an attacker on a multi-user system to set up symlinks to
+ overwrite any file the current user has write access to.
+ .
+ Don't recommend users of this module to use predictable names either.
+Origin: backport, https://github.com/mtrmac/IPTables-Parse/commit/b400b976d81140f6971132e94eb7657b5b0a2b87
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1267962
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2015-11-26
+Applied-Upstream: 1.6
+
+---
+ lib/IPTables/Parse.pm | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/lib/IPTables/Parse.pm
++++ b/lib/IPTables/Parse.pm
+@@ -17,6 +17,7 @@ package IPTables::Parse;
+ use 5.006;
+ use POSIX ":sys_wait_h";
+ use Carp;
++use File::Temp;
+ use strict;
+ use warnings;
+ use vars qw($VERSION);
+@@ -29,8 +30,8 @@ sub new() {
+ 
+     my $self = {
+         _iptables => $args{'iptables'} || $args{'ip6tables'} || '/sbin/iptables',
+-        _iptout    => $args{'iptout'}    || '/tmp/ipt.out',
+-        _ipterr    => $args{'ipterr'}    || '/tmp/ipt.err',
++        _iptout    => $args{'iptout'}    || mktemp('/tmp/ipt.out.XXXXXX'),
++        _ipterr    => $args{'ipterr'}    || mktemp('/tmp/ipt.err.XXXXXX'),
+         _ipt_alarm => $args{'ipt_alarm'} || 30,
+         _debug     => $args{'debug'}     || 0,
+         _verbose   => $args{'verbose'}   || 0,
+@@ -701,8 +702,6 @@ IPTables::Parse - Perl extension for par
+ 
+   my %opts = (
+       'iptables' => $ipt_bin,
+-      'iptout'   => '/tmp/iptables.out',
+-      'ipterr'   => '/tmp/iptables.err',
+       'debug'    => 0,
+       'verbose'  => 0
+   );
diff -Nru libiptables-parse-perl-1.1/debian/patches/series libiptables-parse-perl-1.1/debian/patches/series
--- libiptables-parse-perl-1.1/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libiptables-parse-perl-1.1/debian/patches/series	2015-11-26 18:05:24.000000000 +0100
@@ -0,0 +1 @@
+CVE-2015-8326.patch

--- End Message ---

--- Begin Message ---

Version: 7.10

Hi,

The updates referenced in these bugs were included in today's wheezy
point release.

Regards,

Adam

--- End Message ---

Bug#806339: marked as done (wheezy-pu: package libiptables-parse-perl/1.1-1+deb7u1)

Reply via email to