Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Dear release managers,

I would like to ask for an unblock of the source package texlive-bin for version 2014.20140926.35254-5.

The only change is a fix for insecure temp file creation in mktexlsr, see #775139. The functional changes in the source are explained in the following patch extract:

-treefile="${TMPDIR-/tmp}/mktexlsrtrees$$.tmp"
+treefile=`mktemp --tmpdir mktexlsrtrees.XXXXXXXXXX` || exit 1

which means that, instead of using a guessable file name, mktemp is used to create a temporary file.

Due to the Jessie RC policy, "any programs and scripts that create files in /tmp or other world writable directories must use a mechanism which fails if the file already exists" [1], this is a required, or at least requested, fix for Jessie.

Full debdiff attached.

Thanks a lot and all the best

Norbert

[1] https://release.debian.org/jessie/rc_policy.txt

unblock texlive-bin/2014.20140926.35254-5

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-rc4 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru texlive-bin-2014.20140926.35254/debian/changelog texlive-bin-2014.20140926.35254/debian/changelog --- texlive-bin-2014.20140926.35254/debian/changelog 2014-12-24 09:19:43.000000000 +0900 +++ texlive-bin-2014.20140926.35254/debian/changelog 2015-01-13 07:32:25.000000000 +0900 @@ -1,3 +1,9 @@ +texlive-bin (2014.20140926.35254-5) unstable; urgency=high + + * fix insecure temp file creation in mktexlsr (Closes: #775139) + + -- Norbert Preining <prein...@debian.org> Tue, 13 Jan 2015 07:32:13 +0900 + texlive-bin (2014.20140926.35254-4) unstable; urgency=high * cherrypick security fix for libpng buffer overflow (Closes: #773824) diff -Nru texlive-bin-2014.20140926.35254/debian/patches/mktexlsr-use-mktemp texlive-bin-2014.20140926.35254/debian/patches/mktexlsr-use-mktemp --- texlive-bin-2014.20140926.35254/debian/patches/mktexlsr-use-mktemp 1970-01-01 09:00:00.000000000 +0900 +++ texlive-bin-2014.20140926.35254/debian/patches/mktexlsr-use-mktemp 2015-01-13 07:32:25.000000000 +0900 @@ -0,0 +1,16 @@ +Don't use unsafe temp filename, use mktemp +--- + texk/kpathsea/mktexlsr | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- texlive-bin.orig/texk/kpathsea/mktexlsr ++++ texlive-bin/texk/kpathsea/mktexlsr +@@ -73,7 +73,7 @@ + dry_run=false + trees= + +-treefile="${TMPDIR-/tmp}/mktexlsrtrees$$.tmp" ++treefile=`mktemp --tmpdir mktexlsrtrees.XXXXXXXXXX` || exit 1 + trap 'cd /; rm -f $treefile; test -z "$db_dir_tmp" || rm -rf "$db_dir_tmp"; + exit' 0 1 2 3 7 13 15 + diff -Nru texlive-bin-2014.20140926.35254/debian/patches/series texlive-bin-2014.20140926.35254/debian/patches/series --- texlive-bin-2014.20140926.35254/debian/patches/series 2014-12-24 09:19:43.000000000 +0900 +++ texlive-bin-2014.20140926.35254/debian/patches/series 2015-01-13 07:32:25.000000000 +0900 @@ -19,3 +19,4 @@ upstream-svn35516-dvipdfmx-fix-crash-missing-fontmap upstream-svn35518-mpost-fontmap-warnings cve-libpng-heap-overflow-fix +mktexlsr-use-mktemp
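Review bot: the new debian/patches/mktexlsr-use-mktemp hunk carries only the one-line description "Don't use unsafe temp filename, use mktemp" and no DEP-3 headers; add at least an Author: line, Bug-Debian: https://bugs.debian.org/775139 and a Forwarded: line, because `mktemp --tmpdir` is a GNU coreutils option while upstream kpathsea's mktexlsr is written for a portable /bin/sh (BSD mktemp spells the same thing `-t`), so upstream needs to know the Debian patch exists and why it is GNU-specific. Behaviour-wise the one-line substitution is sound: `--tmpdir` without an argument uses $TMPDIR and falls back to /tmp, matching the replaced `${TMPDIR-/tmp}` expansion, `|| exit 1` takes effect because the backtick assignment's status is mktemp's, and the unchanged `trap 'cd /; rm -f $treefile; ...' 0 1 2 3 7 13 15` in the context lines still removes the file created by mktemp.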
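The message above describes the fix in one line: replace a PID-derived temp file name with a file that mktemp creates. As an added example that is not code from the bug report or from texlive-bin, the following POSIX sh puts the pre-fix and post-fix patterns side by side as functions (the function names are hypothetical) and adds the checks a reviewer would run to confirm what mktemp actually buys: the old name is reproducible from the PID, the new file already exists with mode 0600 when the name is returned, an unusable TMPDIR makes mktemp fail instead of handing back a path, and the exit trap removes the file afterwards. It assumes GNU coreutils (`mktemp --tmpdir`, `stat -c`), as on Debian.

```shell
#!/bin/sh
# Added example, not code from the bug report or from texlive-bin.
# Assumes GNU coreutils (mktemp --tmpdir, stat -c), as on Debian.

# Pre-fix pattern from mktexlsr: the name is built from the PID alone and
# nothing is created here, so the path is predictable and whatever already
# sits at that path (a file or symlink planted by another local user) is
# what the script later writes to.
insecure_treefile_name() {
    printf '%s\n' "${TMPDIR-/tmp}/mktexlsrtrees$$.tmp"
}

# Post-fix pattern: mktemp creates the file itself, with a random suffix,
# mode 0600 and O_EXCL, and reports failure rather than returning a name.
# --tmpdir without an argument honours $TMPDIR and falls back to /tmp,
# matching the old ${TMPDIR-/tmp} expansion.
secure_treefile() {
    treefile=$(mktemp --tmpdir mktexlsrtrees.XXXXXXXXXX) || return 1
    printf '%s\n' "$treefile"
}

# True if the path is a regular file (not a symlink) with mode 0600,
# i.e. what mktemp guarantees and what the old pattern never checked.
is_private_regular_file() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ "$(stat -c %a "$1")" = "600" ]
}

# The fixed mktexlsr also traps exit and the usual signals to remove the
# file; same idea here, scoped to a subshell so the trap does not leak
# into the caller. Runs "$@" with the temp file path appended as the last
# argument and removes the file when the command has finished.
run_with_treefile() (
    treefile=$(mktemp --tmpdir mktexlsrtrees.XXXXXXXXXX) || exit 1
    trap 'rm -f "$treefile"' 0 1 2 3 13 15
    "$@" "$treefile"
)
```

Running `secure_treefile` twice yields two different names and two files that already exist with mode 0600; `insecure_treefile_name` yields the same string every time for a given shell PID and creates nothing. The `--tmpdir` spelling is GNU-specific: on BSD or macOS mktemp the equivalent is `mktemp -t mktexlsrtrees`, which is why a Debian patch like this one should be marked as not forwarded verbatim upstream.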