Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package rinse 3.0.8. Debdiff is included.

The fix for #774669 (cpio CVE-2015-1197) breaks rinse 3.0.7. This was
fixed by adding the new option of cpio.



jessie[~]> debdiff rinse_3.0.7.dsc rinse_3.0.8.dsc

diff -Nru rinse-3.0.7/bin/rinse rinse-3.0.8/bin/rinse
--- rinse-3.0.7/bin/rinse       2014-07-25 13:22:30.000000000 +0200
+++ rinse-3.0.8/bin/rinse       2015-04-13 14:46:04.000000000 +0200
@@ -1147,13 +1147,13 @@
       #  Run the unpacking command.
       #
       my $cmd =
-        "rpm2cpio $file | (cd $CONFIG{'directory'} ; cpio --extract 
--make-directories --no-absolute-filenames --preserve-modification-time) 
2>/dev/null >/dev/null";
+        "rpm2cpio $file | (cd $CONFIG{'directory'} ; cpio --extract 
--extract-over-symlinks --make-directories --no-absolute-filenames 
--preserve-modification-time) 2>/dev/null >/dev/null";
       if ( $file =~ /(fedora|centos|redhat|mandriva)-release-/ ) {
         my $rpmname = basename($file);
         $postcmd =
           "cp $file $CONFIG{'directory'}/tmp ; chroot $CONFIG{'directory'} rpm 
-ivh --force --nodeps /tmp/$rpmname ; rm $CONFIG{'directory'}/tmp/$rpmname";
       }
-      system($cmd );
+      system($cmd) == 0 or die "failed to extract $name: $?";
 
     }
     print "\r";
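Review bot: the new `system($cmd) == 0 or die "failed to extract $name: $?"` interpolates `$name`, but the only file variable visible in this hunk is `$file`; if `$name` is not set in the enclosing scope the message will be empty, so this should probably read `$file`. Two further points on the same line: `system` returns the status of the outer shell, which for a pipeline is the status of the last command (the `(cd ...; cpio ...)` subshell), so a failing `rpm2cpio` is still not detected; and `$?` is the raw wait status, so the exit code should be reported as `$? >> 8`, ideally without the `2>/dev/null` that discards cpio's own diagnostics. On the `--extract-over-symlinks` addition: this deliberately restores the pre-CVE-2015-1197 behaviour of following symlinks during extraction, which is acceptable only because the RPMs come from the configured distribution mirror and are unpacked into a fresh chroot; that trust assumption deserves an inline comment, and since only cpio versions carrying the CVE fix understand the option, the debdiff should also add a versioned `Depends:` on cpio in debian/control, otherwise an older cpio rejects the unknown option and the new `or die` aborts every install.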
diff -Nru rinse-3.0.7/debian/changelog rinse-3.0.8/debian/changelog
--- rinse-3.0.7/debian/changelog        2015-02-25 12:02:18.000000000 +0100
+++ rinse-3.0.8/debian/changelog        2015-04-13 15:21:53.000000000 +0200
@@ -1,9 +1,18 @@
+rinse (3.0.8) unstable; urgency=high
+
+  * add --extract-over-symlinks to cpio call, Closes: #768501
+    this restores the old behaviour of cpio, which changed because of 
+    CVE-2015-1197 (see #774669)
+  * add check if cpio call failed
+
+ -- Thomas Lange <la...@debian.org>  Mon, 13 Apr 2015 14:51:41 +0200
+
 rinse (3.0.7) unstable; urgency=high
 
   * control: change depends on perl-modules to perl, Closes: #779118,
     update Vcs-git
 
- -- Thomas Lange <la...@debian.org>  Wed, 25 Feb 2015 11:47:20 +0100
+ -- Thomas Lange <la...@debian.org>  Mon, 13 Apr 2015 15:20:39 +0200
 
 rinse (3.0.6) unstable; urgency=low
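Review bot: the trailer of the already-released 3.0.7 entry is rewritten here (the `- -- Thomas Lange ... Wed, 25 Feb 2015` line is replaced by a `Mon, 13 Apr 2015 15:20:39 +0200` timestamp), which alters the history of a published entry and looks like an accidental `dch` side effect; that line should be restored to its original date. The new 3.0.8 entry itself should state that `--extract-over-symlinks` re-enables symlink following during extraction, so the security trade-off made in response to CVE-2015-1197 is recorded alongside the "restores the old behaviour" wording.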


-- 
regards Thomas

