Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package rinse 3.0.8. Debdiff is included. The fix for #774669 (cpio CVE-2015-1197) breaks rinse 3.0.7. This was fixed by adding the new option of cpio. jessie[~]> debdiff rinse_3.0.7.dsc rinse_3.0.8.dsc diff -Nru rinse-3.0.7/bin/rinse rinse-3.0.8/bin/rinse --- rinse-3.0.7/bin/rinse 2014-07-25 13:22:30.000000000 +0200 +++ rinse-3.0.8/bin/rinse 2015-04-13 14:46:04.000000000 +0200 @@ -1147,13 +1147,13 @@ # Run the unpacking command. # my $cmd = - "rpm2cpio $file | (cd $CONFIG{'directory'} ; cpio --extract --make-directories --no-absolute-filenames --preserve-modification-time) 2>/dev/null >/dev/null"; + "rpm2cpio $file | (cd $CONFIG{'directory'} ; cpio --extract --extract-over-symlinks --make-directories --no-absolute-filenames --preserve-modification-time) 2>/dev/null >/dev/null"; if ( $file =~ /(fedora|centos|redhat|mandriva)-release-/ ) { my $rpmname = basename($file); $postcmd = "cp $file $CONFIG{'directory'}/tmp ; chroot $CONFIG{'directory'} rpm -ivh --force --nodeps /tmp/$rpmname ; rm $CONFIG{'directory'}/tmp/$rpmname"; } - system($cmd ); + system($cmd) == 0 or die "failed to extract $name: $?"; } print "\r"; diff -Nru rinse-3.0.7/debian/changelog rinse-3.0.8/debian/changelog --- rinse-3.0.7/debian/changelog 2015-02-25 12:02:18.000000000 +0100 +++ rinse-3.0.8/debian/changelog 2015-04-13 15:21:53.000000000 +0200 
@@ -1,9 +1,18 @@ +rinse (3.0.8) unstable; urgency=high + + * add --extract-over-symlinks to cpio call, Closes: #768501 + this restores the old behaviour of cpio, which changed because of + CVE-2015-1197 (see #774669) + * add check if cpio call failed + + -- Thomas Lange <la...@debian.org> Mon, 13 Apr 2015 14:51:41 +0200 + rinse (3.0.7) unstable; urgency=high * control: change depends on perl-modules to perl, Closes: #779118, update Vcs-git - -- Thomas Lange <la...@debian.org> Wed, 25 Feb 2015 11:47:20 +0100 + -- Thomas Lange <la...@debian.org> Mon, 13 Apr 2015 15:20:39 +0200 rinse (3.0.6) unstable; urgency=low -- regards Thomas
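
Review bot: in the bin/rinse hunk, the new check `system($cmd) == 0 or die ...` only sees the exit status of the last stage of the pipeline, which is the `(cd ... ; cpio ...)` subshell, so a failing `rpm2cpio $file` that still hands cpio usable input would pass unnoticed. In the same command `cd $CONFIG{'directory'} ; cpio` runs cpio even when the `cd` fails; `&&` would stop it from extracting into the current directory. The die message interpolates `$name`, while the visible lines only use `$file` and `$rpmname`, so please confirm `$name` is in scope here or use `$file`. It also prints the raw wait status, where `$? >> 8` would give the exit code, and because stderr still goes to /dev/null the user gets no cpio diagnostic alongside it. Since `--extract-over-symlinks` deliberately restores the behaviour that the CVE-2015-1197 fix turned off, a comment above `$cmd` stating why that is acceptable for the archives rinse unpacks would help the next reader.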
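
Review bot: in the debian/changelog hunk, the final `-`/`+` pair rewrites the trailer of the already released 3.0.7 entry from `Wed, 25 Feb 2015 11:47:20 +0100` to `Mon, 13 Apr 2015 15:20:39 +0200`, which looks unintended. It leaves 3.0.7 dated later than the new 3.0.8 entry (`14:51:41 +0200` on the same day) and changes the history of a published version. Suggest restoring the original 3.0.7 trailer so the diff only adds the 3.0.8 stanza.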