Your message dated Wed, 14 Jan 2015 17:55:24 +0100
with message-id <[email protected]>
and subject line Re: Bug#775342: unblock: texlive-bin/2014.20140926.35254-5
has caused the Debian Bug report #775342,
regarding unblock: texlive-bin/2014.20140926.35254-5
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
775342: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775342
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Dear release managers,
I would like to ask for an unblock of the source package
texlive-bin
for version
2014.20140926.35254-5
The only change is a fix for insecure temp file creation in mktexlsr,
see #775139.
The functional changes in the source are explained in the following
patch extract:
-treefile="${TMPDIR-/tmp}/mktexlsrtrees$$.tmp"
+treefile=`mktemp --tmpdir mktexlsrtrees.XXXXXXXXXX` || exit 1
which means, instead of using a guess-able file name, use mktemp
to create a temporary file.
Due to Jessie RC policy, "any programs and scripts that create
files in /tmp or other world writable directories must use a mechanism
which fails if the file already exists" [1], this is a required or
at least requested fix for Jessie.
Full debdiff attached.
Thanks a lot and all the best
Norbert
[1] https://release.debian.org/jessie/rc_policy.txt
unblock texlive-bin/2014.20140926.35254-5
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.19.0-rc4 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru texlive-bin-2014.20140926.35254/debian/changelog texlive-bin-2014.20140926.35254/debian/changelog
--- texlive-bin-2014.20140926.35254/debian/changelog 2014-12-24 09:19:43.000000000 +0900
+++ texlive-bin-2014.20140926.35254/debian/changelog 2015-01-13 07:32:25.000000000 +0900
@@ -1,3 +1,9 @@
+texlive-bin (2014.20140926.35254-5) unstable; urgency=high
+
+ * fix insecure temp file creation in mktexlsr (Closes: #775139)
+
+ -- Norbert Preining <[email protected]> Tue, 13 Jan 2015 07:32:13 +0900
+
texlive-bin (2014.20140926.35254-4) unstable; urgency=high
* cherrypick security fix for libpng buffer overflow (Closes: #773824)
diff -Nru texlive-bin-2014.20140926.35254/debian/patches/mktexlsr-use-mktemp texlive-bin-2014.20140926.35254/debian/patches/mktexlsr-use-mktemp
--- texlive-bin-2014.20140926.35254/debian/patches/mktexlsr-use-mktemp 1970-01-01 09:00:00.000000000 +0900
+++ texlive-bin-2014.20140926.35254/debian/patches/mktexlsr-use-mktemp 2015-01-13 07:32:25.000000000 +0900
@@ -0,0 +1,16 @@
+Don't use unsafe temp filename, use mktemp
+---
+ texk/kpathsea/mktexlsr | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- texlive-bin.orig/texk/kpathsea/mktexlsr
++++ texlive-bin/texk/kpathsea/mktexlsr
+@@ -73,7 +73,7 @@
+ dry_run=false
+ trees=
+
+-treefile="${TMPDIR-/tmp}/mktexlsrtrees$$.tmp"
++treefile=`mktemp --tmpdir mktexlsrtrees.XXXXXXXXXX` || exit 1
+ trap 'cd /; rm -f $treefile; test -z "$db_dir_tmp" || rm -rf "$db_dir_tmp";
+ exit' 0 1 2 3 7 13 15
+
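Review bot: the file now exists as soon as `treefile=\`mktemp --tmpdir mktexlsrtrees.XXXXXXXXXX\` || exit 1` runs, but the `trap '... rm -f $treefile ...'` two lines below is installed only afterwards, so a signal arriving in between leaves the mktemp file behind; installing the trap before the mktemp line closes that window. In the same trap `$treefile` is still expanded unquoted, while the neighbouring `rm -rf "$db_dir_tmp"` is quoted; since the name now comes from mktemp and follows `$TMPDIR`, mirror that pattern with `test -z "$treefile" || rm -f "$treefile"`. The `|| exit 1` is the right fail-closed behaviour, but it exits silently, and a one-line message to stderr would tell a user with an unwritable TMPDIR why mktexlsr stopped. Two smaller points: `--tmpdir` is a GNU coreutils option, fine for Debian but worth flagging if the change is forwarded to TeX Live upstream, and the patch header has only the description line, so DEP-3 `Bug-Debian:` and `Forwarded:` fields would record where it came from. Finally, the trap also removes `$db_dir_tmp`; since the same RC policy applies to that directory, it is worth confirming it is created with `mktemp -d` as well.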
diff -Nru texlive-bin-2014.20140926.35254/debian/patches/series texlive-bin-2014.20140926.35254/debian/patches/series
--- texlive-bin-2014.20140926.35254/debian/patches/series 2014-12-24 09:19:43.000000000 +0900
+++ texlive-bin-2014.20140926.35254/debian/patches/series 2015-01-13 07:32:25.000000000 +0900
@@ -19,3 +19,4 @@
upstream-svn35516-dvipdfmx-fix-crash-missing-fontmap
upstream-svn35518-mpost-fontmap-warnings
cve-libpng-heap-overflow-fix
+mktexlsr-use-mktemp
--- End Message ---
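The before/after that the unblock request describes, as an added example that is not part of the bug report, of the Debian package or of the TeX Live sources: a POSIX shell script that plants a symlink at the predictable `mktexlsrtrees$$.tmp` name, shows the pre-patch pattern writing through it, and shows the mktemp pattern choosing a fresh 0600 file instead. The throwaway sandbox directory, the `victim` file and every function name are constructed for the demo; the directory is passed in the mktemp template rather than via `--tmpdir` (a GNU coreutils option) so the script also runs against BSD mktemp.

```shell
#!/bin/sh
# Added example, not code from TeX Live or the Debian package. It contrasts the
# PID-based temp name mktexlsr used before the patch with the mktemp call the
# patch introduces, under a simulated symlink attack. Everything happens in a
# throwaway directory that stands in for the world-writable /tmp, created under
# $TMPDIR or /tmp just as the original "${TMPDIR-/tmp}" did.

# Create the sandbox plus a hypothetical victim file inside it; print the path.
make_sandbox() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/mktexlsr-demo.XXXXXXXXXX") || return 1
    printf 'original contents\n' > "$dir/victim" || return 1
    printf '%s\n' "$dir"
}

# Before the patch: the name is "<dir>/mktexlsrtrees$$.tmp". The PID is
# guessable, and '>' follows whatever symlink already sits at that path.
unsafe_treefile() {    # $1 = sandbox dir; prints the path it wrote to
    treefile="$1/mktexlsrtrees$$.tmp"
    printf 'tree list\n' > "$treefile" || return 1
    printf '%s\n' "$treefile"
}

# After the patch: mktemp chooses the name, creates the file itself with mode
# 0600 via O_CREAT|O_EXCL, and fails instead of reusing an existing path.
# The patch uses --tmpdir (GNU mktemp, resolves against $TMPDIR); the demo
# puts the directory in the template so it stays sandboxed and also works
# with BSD mktemp.
safe_treefile() {      # $1 = sandbox dir; prints the path it wrote to
    treefile=$(mktemp "$1/mktexlsrtrees.XXXXXXXXXX") || return 1
    printf 'tree list\n' > "$treefile" || return 1
    printf '%s\n' "$treefile"
}

# Attacker step (simulated): plant a symlink to the victim at the predictable
# name. $$ is known here because attacker and target share one shell; a real
# attacker guesses it from /proc or pre-creates many candidate names.
plant_symlink() {      # $1 = sandbox dir
    ln -s "$1/victim" "$1/mktexlsrtrees$$.tmp"
}

# Exit 0 if the victim file still holds its original contents.
victim_intact() {      # $1 = sandbox dir
    [ "$(cat "$1/victim")" = "original contents" ]
}

reset_victim() {       # $1 = sandbox dir
    printf 'original contents\n' > "$1/victim"
}

# Permission string such as "-rw-------"; ls is used because stat's
# options differ between GNU and BSD.
file_mode() {          # $1 = path
    ls -ld "$1" | cut -c1-10
}

# Full sequence: plant the link, let the old pattern write through it, then
# show that the patched pattern leaves the victim alone.
run_demo() {
    dir=$(make_sandbox) || return 1
    plant_symlink "$dir"
    unsafe_treefile "$dir" >/dev/null
    if victim_intact "$dir"; then echo "unsafe: victim untouched (unexpected)"
    else echo "unsafe: victim clobbered through the planted symlink"; fi
    reset_victim "$dir"
    f=$(safe_treefile "$dir") || { echo "safe: mktemp failed, script would exit 1"; rm -rf "$dir"; return 1; }
    if victim_intact "$dir"; then echo "safe: victim untouched, mktemp created $f with mode $(file_mode "$f")"
    else echo "safe: victim clobbered (unexpected)"; fi
    rm -rf "$dir"
}

run_demo
```

Run it with `sh`; the first line reports the victim being overwritten through the symlink, the second reports mktemp creating a separate `-rw-------` file and leaving the victim alone. The `|| return 1` after the mktemp call is the demo's counterpart of the patch's `|| exit 1`: the script must stop when mktemp cannot create a fresh file, never fall back to a predictable name.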
--- Begin Message ---
On 2015-01-14 14:33, Norbert Preining wrote:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
>
> Dear release managers,
>
> I would like to ask for an unblock of the source package
> texlive-bin
> for version
> 2014.20140926.35254-5
>
> The only change is a fix for insecure temp file creation in mktexlsr,
> see #775139.
>
> [...]
>
> Full debdiff attached.
>
> Thanks a lot and all the best
>
> Norbert
>
> [1] https://release.debian.org/jessie/rc_policy.txt
>
> unblock texlive-bin/2014.20140926.35254-5
>
> [...]
Unblocked, thanks.
~Niels
--- End Message ---