Your message dated Thu, 08 Jan 2015 21:24:44 +0100
with message-id <[email protected]>
and subject line Re: Bug#774836: unblock: libquvi/0.4.1-3
has caused the Debian Bug report #774836,
regarding unblock: libquvi/0.4.1-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
774836: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774836
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Please unblock package libquvi. The version currently in testing has a
small security issue: it looks for Lua helper scripts below the
current path. This can lead to arbitrary code execution if a program
using libquvi is run in a directory such as /tmp.

unblock libquvi/0.4.1-3

Ansgar
diff -Nru libquvi-0.4.1/debian/changelog libquvi-0.4.1/debian/changelog
--- libquvi-0.4.1/debian/changelog	2014-05-27 10:25:54.000000000 +0200
+++ libquvi-0.4.1/debian/changelog	2015-01-04 12:53:58.000000000 +0100
@@ -1,3 +1,11 @@
+libquvi (0.4.1-3) unstable; urgency=medium
+
+  * Do not look for Lua helper scripts below current directory.
+    (Closes: #774555)
+    + new patch: lua-scripts-below-cwd.patch
+
+ -- Ansgar Burchardt <[email protected]>  Sun, 04 Jan 2015 12:52:34 +0100
+
 libquvi (0.4.1-2.1) unstable; urgency=medium
 
   * Non-maintainer upload.
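Review bot: the new changelog entry records what was changed ("Do not look for Lua helper scripts below current directory") but not why; the unblock request above describes the old behaviour as arbitrary code execution when a libquvi user runs in a directory such as /tmp, and that is exactly what someone reading apt-listchanges or the security tracker needs to see. Suggest adding a line under the bullet, e.g. `    This could lead to arbitrary code execution when a program using libquvi was run in a world-writable directory such as /tmp.`, and keeping the Closes reference as is.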
diff -Nru libquvi-0.4.1/debian/patches/lua-scripts-below-cwd.patch libquvi-0.4.1/debian/patches/lua-scripts-below-cwd.patch
--- libquvi-0.4.1/debian/patches/lua-scripts-below-cwd.patch	1970-01-01 01:00:00.000000000 +0100
+++ libquvi-0.4.1/debian/patches/lua-scripts-below-cwd.patch	2015-01-04 12:45:22.000000000 +0100
@@ -0,0 +1,23 @@
+From: Ansgar Burchardt <[email protected]>
+Subject: Do not look for Lua helper scripts below current directory
+Date: Sun, 04 Jan 2015 12:39:12 +0100
+
+Bug-Debian: https://bugs.debian.org/774555
+--- a/src/libquvi/lua_wrap.c
++++ b/src/libquvi/lua_wrap.c
+@@ -367,15 +367,6 @@
+       return (QUVI_OK);
+     }
+ 
+-  /* Current working directory */
+-  buf = getcwd(NULL,0);
+-  if (!buf)
+-    return(QUVI_MEM);
+-
+-  asprintf(&path, "%s/%s", buf, spath);
+-  _free(buf);
+-  _scan;
+-
+   /* Home directory */
+   homedir = getenv("HOME");
+   if (homedir)
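Review bot: the trailing context shows the search continuing with `homedir = getenv("HOME");`, so after this hunk helper scripts are still loaded from a location chosen by an environment variable; for any caller that runs with more privilege than the user who sets its environment (setuid binaries, daemons started with an inherited environment) that is the same class of problem as the cwd lookup being removed here, and it is worth either confirming no such caller exists or applying an ownership/permission check to the $HOME candidate as well. Separately, on the DEP-3 header: there is a `Bug-Debian:` line but no `Forwarded:` line, so it is not visible from the patch whether upstream has been told about the issue; please add `Forwarded: <url>` or `Forwarded: not-needed` with a reason.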
diff -Nru libquvi-0.4.1/debian/patches/series libquvi-0.4.1/debian/patches/series
--- libquvi-0.4.1/debian/patches/series	2014-05-22 15:44:47.000000000 +0200
+++ libquvi-0.4.1/debian/patches/series	2015-01-04 12:45:22.000000000 +0100
@@ -1,2 +1,3 @@
 configure.ac-add-missing-AM-macros.patch
 lua52.patch
+lua-scripts-below-cwd.patch

--- End Message ---
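The unblock request describes the defect as a library looking for executable helper scripts under the current working directory, so that running any libquvi user from /tmp lets whoever planted a file there run code. The Debian patch fixes it by dropping the cwd candidate altogether. The following is an added example, not libquvi code and not part of this bug report; it shows the lookup done defensively in C with hypothetical function names (`script_dir_is_trusted`, `find_helper_script`): the caller supplies an ordered list of candidate directories, cwd is simply never on that list, and every candidate is additionally checked to be owned by root or the calling user and not writable by group or others, which goes beyond what the patch itself does. The demo builds two constructed directories under /tmp, one world-writable (standing in for an attacker-controlled cwd) and one private, puts a helper with the same name in both, lists the attacker's directory first to mirror the old cwd-before-$HOME order, and confirms the private copy wins.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* 1 if `dir` may supply executable helper scripts: it exists, is a
 * directory, is owned by root or by the calling user, and is not writable
 * by group or others. The sticky bit is deliberately not an exception:
 * /tmp is sticky, yet anyone can create a new file there. */
int script_dir_is_trusted(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != 0 && st.st_uid != getuid())
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* Look for `spath` (e.g. "lua/website/example.lua") in `dirs`, in order,
 * skipping any directory that fails the trust check. The caller builds the
 * list; the current working directory is never added to it. Returns 1 and
 * writes the full path to `out` on success, 0 otherwise. */
int find_helper_script(const char *spath, const char *const *dirs,
                       size_t ndirs, char *out, size_t outlen)
{
    char path[4096];
    for (size_t i = 0; i < ndirs; i++) {
        if (!script_dir_is_trusted(dirs[i]))
            continue;
        int n = snprintf(path, sizeof path, "%s/%s", dirs[i], spath);
        if (n < 0 || (size_t)n >= sizeof path)
            continue;
        if (access(path, R_OK) != 0)
            continue;
        if (strlen(path) >= outlen)
            return 0;
        strcpy(out, path);
        return 1;
    }
    return 0;
}

/* Write a small file; returns 0 on success. Used only by the demo below. */
static int write_script(const char *dir, const char *name, const char *body)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    fputs(body, f);
    return fclose(f);
}

/* Demo on constructed directories (hypothetical names): the same helper
 * exists in a world-writable scratch directory, listed first like the old
 * cwd candidate, and in a private 0700 directory. Returns 1 if the lookup
 * selects the private copy, 0 otherwise. Cleans up after itself. */
int demo_prefers_trusted_dir(void)
{
    char attacker[] = "/tmp/quvi-attacker-XXXXXX";
    char trusted[]  = "/tmp/quvi-trusted-XXXXXX";
    const char *name = "helper.lua";
    char out[4096], p[4096];
    int result = 0;

    if (!mkdtemp(attacker))
        return 0;
    if (!mkdtemp(trusted)) {
        rmdir(attacker);
        return 0;
    }
    chmod(attacker, 0777);                 /* anyone may drop a script here */
    chmod(trusted, 0700);
    write_script(attacker, name, "os.execute('id')\n");   /* planted copy */
    write_script(trusted, name, "return 'ok'\n");          /* legitimate copy */

    const char *dirs[] = { attacker, trusted };
    if (find_helper_script(name, dirs, 2, out, sizeof out))
        result = strncmp(out, trusted, strlen(trusted)) == 0;

    snprintf(p, sizeof p, "%s/%s", attacker, name); unlink(p); rmdir(attacker);
    snprintf(p, sizeof p, "%s/%s", trusted, name);  unlink(p); rmdir(trusted);
    return result;
}

int main(void)
{
    printf("/tmp accepted as script dir: %d\n", script_dir_is_trusted("/tmp"));
    printf("lookup prefers trusted dir:  %d\n", demo_prefers_trusted_dir());
    return 0;
}
```

The ownership and write-permission test is what makes the list order safe rather than merely lucky: with it, a world-writable directory is rejected even if a caller puts it first, whereas the patch as applied only removes one such directory (cwd) and still trusts whatever $HOME points at.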
--- Begin Message ---
On 2015-01-08 10:50, Ansgar Burchardt wrote:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
> 
> Please unblock package libquvi. The version currently in testing has a
> small security issue: it looks for Lua helper scripts below the
> current path. This can lead to arbitrary code execution if a program
> using libquvi is run in a directory such as /tmp.
> 
> unblock libquvi/0.4.1-3
> 
> Ansgar
> 

Unblocked, thanks.

~Niels

--- End Message ---
