Your message dated Sat, 17 Sep 2016 13:08:06 +0100
with message-id <1474114086.2011.126.ca...@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 8.6
has caused the Debian Bug report #832171,
regarding jessie-pu: package dietlibc/0.33~cvs20120325-6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
832171: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832171
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal

Dear release team,

the security issue in dietlibc (see also #832123 for binNMUs in sid)
was deemed no-DSA by the security team, so I would like to schedule an
update via the next point release.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832169
https://security-tracker.debian.org/tracker/TEMP-0832169-0F9220

Source debdiff is attached.

Since dietlibc is a static library, after the upload, there will need
to be binNMUs in stable for the following three packages:

nmu minit_0.10-5 . ALL . jessie . -m "Security: rebuild against fixed dietlibc"
nmu mksh_50d-5 . ALL . jessie . -m "Security: rebuild against fixed dietlibc"
nmu util-vserver_0.30.216-pre3054-1 . ALL . jessie . -m "Security: rebuild against fixed dietlibc"

Also, I don't know the syntax for that, but could you make sure that
the binNMU for minit gets at least +b2, because the version of minit is
the same in Wheezy and Jessie, and the Wheezy LTS team will also
schedule a binNMU for minit?

Thank you!

Regards,
Christian
diff -Nru dietlibc-0.33~cvs20120325/debian/changelog 
dietlibc-0.33~cvs20120325/debian/changelog
--- dietlibc-0.33~cvs20120325/debian/changelog  2014-02-11 21:48:24.000000000 
+0100
+++ dietlibc-0.33~cvs20120325/debian/changelog  2016-07-23 10:49:25.000000000 
+0200
@@ -1,3 +1,10 @@
+dietlibc (0.33~cvs20120325-6+deb8u1) jessie; urgency=high
+
+  * Security: fix insecure default PATH. (Closes: #832169)
+    Thanks to Thorsten Glaser <t.gla...@tarent.de> for discovering this
+
+ -- Christian Seiler <christ...@iwakd.de>  Sat, 23 Jul 2016 10:41:00 +0200
+
 dietlibc (0.33~cvs20120325-6) unstable; urgency=low
 
   * Team upload.
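Review bot: the changelog entry says only "fix insecure default PATH" and does not state what the insecurity was; since this is the text stable users will read in apt-listchanges, consider spelling out the effect, e.g. "the built-in default PATH (used when the environment variable is unset) ended in an empty element and so searched the current directory". Minor style point on the same hunk: the line "Thanks to Thorsten Glaser <t.gla...@tarent.de> for discovering this" is missing its terminating period.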
diff -Nru 
dietlibc-0.33~cvs20120325/debian/patches/0100-security-insecure-default-PATH.diff
 
dietlibc-0.33~cvs20120325/debian/patches/0100-security-insecure-default-PATH.diff
--- 
dietlibc-0.33~cvs20120325/debian/patches/0100-security-insecure-default-PATH.diff
   1970-01-01 01:00:00.000000000 +0100
+++ 
dietlibc-0.33~cvs20120325/debian/patches/0100-security-insecure-default-PATH.diff
   2016-07-23 10:49:25.000000000 +0200
@@ -0,0 +1,20 @@
+Description: Fix insecure default PATH
+ Throsten Glaser <t.gla...@tarent.de> discovered that the default PATH
+ (absent the environment variable) contains the local directory.
+Author: Christian Seiler <christ...@iwakd.de>
+Bug: 
http://news.gmane.org/find-root.php?message_id=alpine.DEB.2.20.1607181048300.24083%40tglase.lan.tarent.de
+Bug-Debian: https://bugs.debian.org/832169
+Last-Update: 2016-07-23
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/include/paths.h
++++ b/include/paths.h
+@@ -2,7 +2,7 @@
+ #define _PATHS_H
+ 
+ #define _PATH_BSHELL "/bin/sh"
+-#define _PATH_DEFPATH "/bin:/usr/bin:"
++#define _PATH_DEFPATH "/bin:/usr/bin"
+ 
+ #define _PATH_DEVNULL "/dev/null"
+ 
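Review bot: the one-character change is the correct fix. In a PATH value an empty element (here produced by the trailing colon in "/bin:/usr/bin:") is interpreted as the current working directory, so any dietlibc-linked program calling execvp()/execlp() with PATH unset would fall back to executing a same-named file from whatever directory it happened to be running in; dropping the trailing colon removes that last-resort search of cwd. Two points on the DEP-3 header: the discoverer's name is misspelled "Throsten" while the changelog hunk has "Thorsten", and the header carries no "Forwarded:" field, so it should say whether this has been sent upstream (the Bug: link suggests it was reported there, which would warrant "Forwarded: yes" or the upstream URL).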
diff -Nru dietlibc-0.33~cvs20120325/debian/patches/series 
dietlibc-0.33~cvs20120325/debian/patches/series
--- dietlibc-0.33~cvs20120325/debian/patches/series     2014-02-11 
21:41:35.000000000 +0100
+++ dietlibc-0.33~cvs20120325/debian/patches/series     2016-07-23 
10:49:25.000000000 +0200
@@ -28,3 +28,4 @@
 0035-Use-syscall-_newselect-instead-of-select-on-ppc64.diff
 0036-fix-jmp_buf-size-on-armhf.diff
 0037-support-powerpcspe.diff
+0100-security-insecure-default-PATH.diff

--- End Message ---
--- Begin Message ---
Version: 8.6

The updates referred to in each of these bugs were included in today's
stable point release.

Regards,

Adam

--- End Message ---