tags 336096 + patch pending
thanks

        Hi,

On Sat, Oct 29, 2005, Nico Golde wrote:
> I will provide a security update asap.

 It has been two weeks. Unless you object, and if the security team
 acks the patch, I'll upload the attached changes.

   Bye,
-- 
Loïc Minier <[EMAIL PROTECTED]>
"What do we want? BRAINS!    When do we want it? BRAINS!"
diff -urN fetchmail-6.2.5.orig/debian/changelog fetchmail-6.2.5/debian/changelog
--- fetchmail-6.2.5.orig/debian/changelog       2005-11-14 15:55:54.000000000 
+0100
+++ fetchmail-6.2.5/debian/changelog    2005-11-14 16:36:27.000000000 +0100
@@ -1,3 +1,14 @@
+fetchmail (6.2.5-12sarge2) stable-security; urgency=low
+
+  * Non-maintainer upload targetted at stable-security.
+  * fetchmailconf: change umask to 077 before creating the output
+    configuration file. (Closes: #336096)
+    This is CVE-2005-3088.
+    (Please note that the version of the fetchmailconf script isn't touched by
+    this fix.)
+
+ -- Loic Minier <[EMAIL PROTECTED]>  Mon, 14 Nov 2005 16:27:03 +0100
+
 fetchmail (6.2.5-12sarge1) stable-security; urgency=high
 
   * Non-maintainer upload by The Security Team.
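Review bot: The new 6.2.5-12sarge2 entry documents only the umask change, but the fetchmailconf part of this patch also moves the os.chmod(self.outfile, 0600) call ahead of the first fm.write() and changes the generated header comment to include the version string. Please list both in the entry so the security team can see the full scope of what they are acking. The parenthetical about the script version not being touched is easy to misread next to a header line that now prints `version`, so it would help to say explicitly that the version variable is unchanged and only the header text differs. Minor: "targetted" should be "targeted".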
diff -urN fetchmail-6.2.5.orig/fetchmailconf fetchmail-6.2.5/fetchmailconf
--- fetchmail-6.2.5.orig/fetchmailconf  2003-10-15 21:22:31.000000000 +0200
+++ fetchmail-6.2.5/fetchmailconf       2005-11-14 16:26:43.000000000 +0100
@@ -858,14 +858,17 @@
            # Pre-1.5.2 compatibility...
            except os.error:
                pass
+           old_umask = os.umask(077)
            fm = open(self.outfile, 'w')
+           os.umask(old_umask)
        if fm:
-           fm.write("# Configuration created %s by fetchmailconf\n" % 
time.ctime(time.time()))
+           if fm != sys.stdout:
+               os.chmod(self.outfile, 0600)
+           fm.write("# Configuration created %s by fetchmailconf %s\n"
+                   % (time.ctime(time.time()), version))
            fm.write(`self.configuration`)
            if self.outfile:
                fm.close()
-           if fm != sys.stdout:
-               os.chmod(self.outfile, 0600)
            self.destruct()
 
 #
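Review bot: The umask is not restored if open(self.outfile, 'w') raises, because os.umask(old_umask) sits on the line after the open with no try/finally around the pair; in the long-running GUI process that would leave 077 in effect for everything created afterwards. Wrapping the open in try/finally with the restore in the finally clause would fix that. Moving the chmod ahead of the first fm.write() is the part that protects a pre-existing output file, since the umask only applies when the file is newly created, so that reordering deserves a short comment in the code. The rewritten header line now depends on a `version` name that is not defined anywhere in this hunk; please confirm it exists in the 6.2.5 script, and consider dropping that change from a stable-security upload since it is unrelated to the permissions fix and a NameError there would occur after the file has already been truncated.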
