Your message dated Sat, 09 May 2020 11:53:52 +0100
with message-id 
<fd7fa4d56896c35aab49a5a51cb69727dc60e87a.ca...@adam-barratt.org.uk>
and subject line Closing requests included in 10.4 point release
has caused the Debian Bug report #954001,
regarding buster-pu: package timeshift/19.01+ds-2+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
954001: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954001
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu
X-Debbugs-CC: [email protected] [email protected] [email protected]

Dear Stable Release Team,

I am looking into solving CVE-2020-10174 (https://bugs.debian.org/953385) in
Buster. Please find the proposed diff in the attachment.

-- 
Thanks,
Boyuan Yang
diff -Nru timeshift-19.01+ds/debian/changelog timeshift-19.01+ds/debian/changelog
--- timeshift-19.01+ds/debian/changelog	2019-02-27 23:03:15.000000000 -0500
+++ timeshift-19.01+ds/debian/changelog	2020-03-12 17:24:24.000000000 -0400
@@ -1,3 +1,13 @@
+timeshift (19.01+ds-2+deb10u1) buster; urgency=medium
+
+  * Team upload.
+  * debian/control: Use new homepage. (Closes: #952685)
+  * debian/patches/0006: Backport upstream fix on predictable
+    location of temporary directory.
+    (Closes: #953385, CVE-2020-10174)
+
+ -- Boyuan Yang <[email protected]>  Thu, 12 Mar 2020 17:24:24 -0400
+
 timeshift (19.01+ds-2) unstable; urgency=medium
 
   * d/control: Add missing dependency: psmisc (Closes: #919760).
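Review bot: The 0006 entry in the new 19.01+ds-2+deb10u1 stanza describes only the "predictable location of temporary directory", but the patch it adds is titled "Change TEMP_DIR permissions and path; Cleanup on exit;", so the permission change and the exit-time deletion go unrecorded. I would list all three behaviours in the entry, so that anyone reading the stable changelog can see that the update also alters directory modes and removes TEMP_DIR on exit. The homepage change (#952685) is unrelated to the CVE and is worth calling out separately in the request, since it rides along with a security fix.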
diff -Nru timeshift-19.01+ds/debian/control timeshift-19.01+ds/debian/control
--- timeshift-19.01+ds/debian/control	2019-02-27 23:03:09.000000000 -0500
+++ timeshift-19.01+ds/debian/control	2020-03-12 17:11:19.000000000 -0400
@@ -10,7 +10,7 @@
  libjson-glib-dev,
  libvte-2.91-dev,
 Standards-Version: 4.3.0
-Homepage: http://teejeetech.blogspot.in/
+Homepage: https://teejeetech.in/timeshift/
 Vcs-Git: https://salsa.debian.org/yanhao-guest/timeshift.git
 Vcs-Browser: https://salsa.debian.org/yanhao-guest/timeshift
 
diff -Nru timeshift-19.01+ds/debian/patches/0006-Change-TEMP_DIR-permissions-and-path-Cleanup-on-exit.patch timeshift-19.01+ds/debian/patches/0006-Change-TEMP_DIR-permissions-and-path-Cleanup-on-exit.patch
--- timeshift-19.01+ds/debian/patches/0006-Change-TEMP_DIR-permissions-and-path-Cleanup-on-exit.patch	1969-12-31 19:00:00.000000000 -0500
+++ timeshift-19.01+ds/debian/patches/0006-Change-TEMP_DIR-permissions-and-path-Cleanup-on-exit.patch	2020-03-12 17:24:12.000000000 -0400
@@ -0,0 +1,48 @@
+From: Tony George <[email protected]>
+Date: Thu, 5 Mar 2020 08:57:24 +0530
+Subject: Change TEMP_DIR permissions and path; Cleanup on exit;
+
+---
+ src/Core/Main.vala              |  2 ++
+ src/Utility/TeeJee.Process.vala | 11 +++++++----
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/Core/Main.vala b/src/Core/Main.vala
+index 7ff094c..4f460e1 100644
+--- a/src/Core/Main.vala
++++ b/src/Core/Main.vala
+@@ -4229,6 +4229,8 @@ public class Main : GLib.Object{
+ 
+ 		app_lock.remove();
+ 
++		dir_delete(TEMP_DIR);
++
+ 		exit(exit_code);
+ 
+ 		//Gtk.main_quit ();
+diff --git a/src/Utility/TeeJee.Process.vala b/src/Utility/TeeJee.Process.vala
+index 70dd934..7153d15 100644
+--- a/src/Utility/TeeJee.Process.vala
++++ b/src/Utility/TeeJee.Process.vala
+@@ -36,14 +36,17 @@ namespace TeeJee.ProcessHelper{
+     public static void init_tmp(string subdir_name){
+ 		string std_out, std_err;
+ 
+-		TEMP_DIR = Environment.get_tmp_dir() + "/" + subdir_name + "/" + random_string();
++		TEMP_DIR = Environment.get_tmp_dir() + "/" + random_string();
+ 		dir_create(TEMP_DIR);
++		chmod(TEMP_DIR, "0750");
+ 
+ 		exec_script_sync("echo 'ok'",out std_out,out std_err, true);
+-		if ((std_out == null)||(std_out.strip() != "ok")){
+-			TEMP_DIR = Environment.get_home_dir() + "/.temp/" + subdir_name + "/" + random_string();
+-			exec_sync("rm -rf '%s'".printf(TEMP_DIR), null, null);
++
++		if ((std_out == null) || (std_out.strip() != "ok")){
++
++			TEMP_DIR = Environment.get_home_dir() + "/.temp/" + random_string();
+ 			dir_create(TEMP_DIR);
++			chmod(TEMP_DIR, "0750");
+ 		}
+ 
+ 		//log_debug("TEMP_DIR=" + TEMP_DIR);
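Review bot: In init_tmp() the directory is still created and secured in two separate steps, "dir_create(TEMP_DIR);" followed by "chmod(TEMP_DIR, "0750");", and nothing in the hunk checks the result of dir_create or whether the path already existed. That leaves a window in which the directory carries default permissions, and a path that was pre-created by another user would be reused as is. I would create the directory atomically with its final mode and fail if it already exists, for example with an mkdtemp-style call such as GLib's g_dir_make_tmp, and check the return value of chmod if it stays. Mode 0750 still grants the owning group read and search access; 0700 looks sufficient for a private scratch directory unless something relies on group access. The fix now depends entirely on random_string() being unpredictable, and its implementation is not visible in this patch, so it should be confirmed or documented here. The removed "rm -rf" on the home-directory fallback path was the only handling of a pre-existing directory there, which makes the existence check more important on that branch. In Main.vala, "dir_delete(TEMP_DIR);" is added on this one exit path only, so it is worth confirming that other exit paths do not leave the directory behind.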
diff -Nru timeshift-19.01+ds/debian/patches/series timeshift-19.01+ds/debian/patches/series
--- timeshift-19.01+ds/debian/patches/series	2019-02-26 05:01:52.000000000 -0500
+++ timeshift-19.01+ds/debian/patches/series	2020-03-12 17:24:12.000000000 -0400
@@ -3,3 +3,4 @@
 0004-select-etc-timeshift-as-the-default-config-dir.patch
 0005-build-with-debug-info.patch
 0005-Fix-build-errors-with-new-version-of-vala.patch
+0006-Change-TEMP_DIR-permissions-and-path-Cleanup-on-exit.patch


--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.4

Hi,

Each of the uploads referred to by these bugs was included in today's
stable point release.

Regards,

Adam

--- End Message ---
