Your message dated Tue, 14 Apr 2015 18:16:50 +0200
with message-id <[email protected]>
and subject line Re: Bug#782520: unblock: rinse/3.0.9
has caused the Debian Bug report #782520,
regarding unblock: rinse/3.0.8
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
782520: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782520
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package rinse 3.0.8. Debdiff is included.
The fix for #774669 (cpio CVE-2015-1197) breaks rinse 3.0.7. This was
fixed by adding the new option of cpio.
jessie[~]> debdiff rinse_3.0.7.dsc rinse_3.0.8.dsc
diff -Nru rinse-3.0.7/bin/rinse rinse-3.0.8/bin/rinse
--- rinse-3.0.7/bin/rinse 2014-07-25 13:22:30.000000000 +0200
+++ rinse-3.0.8/bin/rinse 2015-04-13 14:46:04.000000000 +0200
@@ -1147,13 +1147,13 @@
# Run the unpacking command.
#
my $cmd =
- "rpm2cpio $file | (cd $CONFIG{'directory'} ; cpio --extract
--make-directories --no-absolute-filenames --preserve-modification-time)
2>/dev/null >/dev/null";
+ "rpm2cpio $file | (cd $CONFIG{'directory'} ; cpio --extract
--extract-over-symlinks --make-directories --no-absolute-filenames
--preserve-modification-time) 2>/dev/null >/dev/null";
if ( $file =~ /(fedora|centos|redhat|mandriva)-release-/ ) {
my $rpmname = basename($file);
$postcmd =
"cp $file $CONFIG{'directory'}/tmp ; chroot $CONFIG{'directory'} rpm
-ivh --force --nodeps /tmp/$rpmname ; rm $CONFIG{'directory'}/tmp/$rpmname";
}
- system($cmd );
+ system($cmd) == 0 or die "failed to extract $name: $?";
}
print "\r";
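Review bot: The new `system($cmd) == 0 or die` check at the end of this hunk only sees the exit status of the last pipeline stage, the `(cd ... ; cpio ...)` subshell, so a failing `rpm2cpio $file` is caught only if cpio also fails on whatever input it received. Inside the subshell, `cd $CONFIG{'directory'} ; cpio` uses `;`, so cpio still runs, in the current directory, when the `cd` fails; `&&` would stop there. Because stderr is sent to `/dev/null`, the die message is the only diagnostic left: `$name` is not defined anywhere in the visible lines while `$file` is, and `$? >> 8` would report the exit code rather than the raw wait status. A short comment above `$cmd` saying that `--extract-over-symlinks` is there to restore the pre-CVE-2015-1197 cpio behaviour would keep the reason with the code and not only in the changelog.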
diff -Nru rinse-3.0.7/debian/changelog rinse-3.0.8/debian/changelog
--- rinse-3.0.7/debian/changelog 2015-02-25 12:02:18.000000000 +0100
+++ rinse-3.0.8/debian/changelog 2015-04-13 15:21:53.000000000 +0200
@@ -1,9 +1,18 @@
+rinse (3.0.8) unstable; urgency=high
+
+ * add --extract-over-symlinks to cpio call, Closes: #768501
+ this restores the old behaviour of cpio, which changed because of
+ CVE-2015-1197 (see #774669)
+ * add check if cpio call failed
+
+ -- Thomas Lange <[email protected]> Mon, 13 Apr 2015 14:51:41 +0200
+
rinse (3.0.7) unstable; urgency=high
* control: change depends on perl-modules to perl, Closes: #779118,
update Vcs-git
- -- Thomas Lange <[email protected]> Wed, 25 Feb 2015 11:47:20 +0100
+ -- Thomas Lange <[email protected]> Mon, 13 Apr 2015 15:20:39 +0200
rinse (3.0.6) unstable; urgency=low
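Review bot: The trailer line of the already released 3.0.7 entry is rewritten in this hunk, from `Wed, 25 Feb 2015 11:47:20 +0100` to `Mon, 13 Apr 2015 15:20:39 +0200`, which looks unintended. It alters the record of a previous upload and leaves 3.0.7 with a later timestamp than the new 3.0.8 entry above it (`14:51:41` on the same day), so the entries are no longer in chronological order. Restore the original 3.0.7 trailer and let this hunk add only the 3.0.8 stanza.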
--
regards Thomas
--- End Message ---
--- Begin Message ---
On 2015-04-14 10:57, Thomas Lange wrote:
> rinse 3.0.9 now adds the cpio dependency and fixes the wrong date in
> the changelog of 3.0.7. Here's the debdiff
> between the testing and unstable version.
>
> [...]
>
Unblocked, thanks.
~Niels
--- End Message ---