Your message dated Sat, 03 Dec 2011 21:55:25 +0000
with message-id <[email protected]>
and subject line Bug#650707: fixed in libpar-perl 1.005-1
has caused the Debian Bug report #650707,
regarding libpar-perl: PAR packed files are extracted to unsafe and predictable
temporary directories
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
650707: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650707
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libpar-perl
Version: 1.002-1
Severity: important
Tags: security
Hi
Changelog for new upstream release of libpar-perl contains:
[Changes for 1.004 - Nov 30, 2011]
- back out r1241: it causes errors in PAR::Packer's test suite
- change "unsafe directory" error message to match the wording
used by PAR::Packer
- remove "debian" sub directory: it isn't released to CPAN and
Debian will supply its own anyway
- remove some cruft from MANIFEST.SKIP
[Changes for 1.003 - Nov 28, 2011]
- RT #69560/CVE-2011-4114: PAR packed files are extracted to unsafe
and predictable temporary directories
(Note: this bug was originally reported against PAR::Packer, but
it applies to PAR as well)
- create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
- if it already exists, make sure that (and bail out if not)
  - it's not a symlink
  - it's mode 0700
  - it's owned by USER
- Fix a problem packing XML::LibXSLT on Windows (see the thread starting
with http://www.nntp.perl.org/group/perl.par/2011/02/msg4919.html)
- Die (with a hopefully useful message) if any error is encountered
during an Archive::Zip extract operation
Version before 1.003 had the issue that PAR packed files are extracted
to unsafe and predictable temporary directories [1].
[1] https://rt.cpan.org/Public/Bug/Display.html?id=69560
This is CVE-2011-4114.
Regards
Salvatore
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
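The 1.003 changelog quoted in the report describes the mitigation for CVE-2011-4114: create the per-user cache directory with mode 0700, and if it already exists refuse to use it unless it is a real directory (not a symlink), mode 0700, and owned by the invoking user. The following is an added Perl example of that check sequence; it is illustrative code, not PAR's own implementation, and the function name secure_cache_dir and its options (base, uid, name) are this example's own.

```perl
#!/usr/bin/perl
# Added example (not PAR's code): set up a per-user cache directory the
# way the 1.003 changelog describes. Create it with mode 0700; if it
# already exists, accept it only when it is a real directory, mode 0700
# and owned by us. POSIX semantics are assumed (mode bits and uids).
use strict;
use warnings;
use Errno qw(EEXIST);
use Fcntl ':mode';
use File::Spec;

# Returns the directory path on success, dies with a descriptive message
# otherwise. Options (all hypothetical, for this example):
#   base => parent directory (default: the system temp dir)
#   uid  => expected owner (default: the real uid of this process)
#   name => directory name (default: "par-" . login name of uid)
sub secure_cache_dir {
    my (%opt) = @_;
    my $base = $opt{base} // File::Spec->tmpdir;
    my $uid  = $opt{uid}  // $<;
    my $name = $opt{name} // "par-" . ( getpwuid($uid) // $uid );
    my $dir  = File::Spec->catdir( $base, $name );

    # Try to create it first. mkdir's 0700 is still filtered by umask, so
    # chmod afterwards; EEXIST is the only failure we tolerate. A symlink
    # planted at this path makes mkdir fail with EEXIST, so it is caught
    # by the checks below rather than followed.
    if ( mkdir $dir, 0700 ) {
        chmod 0700, $dir or die "chmod $dir: $!\n";
        return $dir;
    }
    die "mkdir $dir: $!\n" unless $! == EEXIST;

    # Already exists: inspect it with lstat so a symlink is seen as a
    # symlink instead of being resolved to its target.
    my @st = lstat $dir or die "lstat $dir: $!\n";
    my ( $mode, $owner ) = @st[ 2, 4 ];

    die "$dir is a symlink, refusing to use it\n"
        if S_ISLNK($mode);
    die "$dir is not a directory, refusing to use it\n"
        unless S_ISDIR($mode);
    die sprintf( "%s is owned by uid %d, not %d\n", $dir, $owner, $uid )
        if $owner != $uid;
    die sprintf( "%s has mode %04o, expected 0700\n", $dir, S_IMODE($mode) )
        if S_IMODE($mode) != 0700;

    return $dir;
}

# Usage: dies with a clear message if the directory is unsafe.
my $dir = secure_cache_dir();
print "using cache directory $dir\n";
```

Attempting mkdir before inspecting anything means the common case (no directory yet) never races against a pre-planted path, and the lstat-based checks cover the case where something already sits at the path. The uid and mode checks only make sense on POSIX filesystems; on Windows, where the changelog's other fix applies, a different ownership test would be needed.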
--- Begin Message ---
Source: libpar-perl
Source-Version: 1.005-1
We believe that the bug you reported is fixed in the latest version of
libpar-perl, which is due to be installed in the Debian FTP archive:
libpar-perl_1.005-1.debian.tar.gz
to main/libp/libpar-perl/libpar-perl_1.005-1.debian.tar.gz
libpar-perl_1.005-1.dsc
to main/libp/libpar-perl/libpar-perl_1.005-1.dsc
libpar-perl_1.005-1_all.deb
to main/libp/libpar-perl/libpar-perl_1.005-1_all.deb
libpar-perl_1.005.orig.tar.gz
to main/libp/libpar-perl/libpar-perl_1.005.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libpar-perl
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 03 Dec 2011 21:50:05 +0100
Source: libpar-perl
Binary: libpar-perl
Architecture: source all
Version: 1.005-1
Distribution: unstable
Urgency: low
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Description:
libpar-perl - Perl redistributable module packaging framework
Closes: 650707
Changes:
libpar-perl (1.005-1) unstable; urgency=low
.
* Team upload.
.
[ Ansgar Burchardt ]
* debian/control: Convert Vcs-* fields to Git.
.
[ Salvatore Bonaccorso ]
* debian/copyright: Replace DEP5 Format-Specification URL from
svn.debian.org to anonscm.debian.org URL.
* Imported Upstream version 1.005
- Fixes CVE-2011-4114: PAR packed files are extracted to unsafe
and predictable temporary directories. (Closes: #650707).
* Refresh debian/copyright file.
Update copyright years for included inc/Module/* files.
Remove copyright stanza for inc/Test/Builder/IO/Scalar.pm as this is not
included anymore in the source package.
Checksums-Sha1:
668d31cc75b8da3b12b09064fb5a53497e25497b 2242 libpar-perl_1.005-1.dsc
2d9c1ff3a243607374e3f9f1fb61c3d1bb4d8dc1 88293 libpar-perl_1.005.orig.tar.gz
1f4124ebe2e3334a7147c17459c662552962680a 5246 libpar-perl_1.005-1.debian.tar.gz
55bb4c6de9af3bb34968b99e15e561ac6b67b87c 102476 libpar-perl_1.005-1_all.deb
Checksums-Sha256:
9fbb60191b160a1b8ec0ece854f596534549d5ab643cc41f1fc6dcb33ac02825 2242 libpar-perl_1.005-1.dsc
c5e2aeb0380c132de251c3f4eb2fad3953967b94b2869f800956aaceab5c484f 88293 libpar-perl_1.005.orig.tar.gz
08fe880f673aabb3b7812a63dc46f93ba4f8fa04d77cb90fe50d2e28daaff044 5246 libpar-perl_1.005-1.debian.tar.gz
188fe5612a4a0bede21163cd1c6f10b08a7d66f13434dbf3684fa3b944e9368d 102476 libpar-perl_1.005-1_all.deb
Files:
4fc34a18a2ac014b3afd56730cfd5f6c 2242 perl optional libpar-perl_1.005-1.dsc
a1a7d8cc4deb106c3e04b190fa2d9325 88293 perl optional libpar-perl_1.005.orig.tar.gz
c375bf20d999f50c278c53c0735b10d9 5246 perl optional libpar-perl_1.005-1.debian.tar.gz
dfa684e90e6f7ff3838f304afe19615d 102476 perl optional libpar-perl_1.005-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---