Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu
On my Debian Jessie machine, I would like to fix a security problem with automake-1.14 that shows up in the debsecan report, see <URL: https://security-tracker.debian.org/tracker/source-package/automake-1.14 >. The issue never got a CVE (no reply to the request), so I point to the source package entry instead of the sometimes-changing TEMP reference. The issue is fixed in automake-1.15, but not in automake-1.14, which is in stable but removed from unstable. The issue is unsafe use of /tmp/. The patch is similar to the code in version 1.15. OK to upload?

-- 
Happy hacking
Petter Reinholdtsen
diff -Nru automake-1.14-1.14.1/debian/changelog automake-1.14-1.14.1/debian/changelog --- automake-1.14-1.14.1/debian/changelog 2014-10-27 02:52:07.000000000 +0000 +++ automake-1.14-1.14.1/debian/changelog 2016-06-15 08:56:21.000000000 +0000 @@ -1,3 +1,11 @@ +automake-1.14 (1:1.14.1-4+deb8u1) unstable; urgency=medium + + * Non-maintainer upload to fix security issue. + * Avoid insecure use of /tmp/ in install-sh (Closes: #827347). + Based on patch from RedHat and Pavel Raiskup. + + -- Petter Reinholdtsen <[email protected]> Wed, 15 Jun 2016 10:56:14 +0200 + automake-1.14 (1:1.14.1-4) unstable; urgency=medium * debian/patches/03-ensure-ac_aux_dir-set.diff: Add patch to ensure diff -Nru automake-1.14-1.14.1/debian/patches/CVE-bug-827347.diff automake-1.14-1.14.1/debian/patches/CVE-bug-827347.diff --- automake-1.14-1.14.1/debian/patches/CVE-bug-827347.diff 1970-01-01 00:00:00.000000000 +0000 +++ automake-1.14-1.14.1/debian/patches/CVE-bug-827347.diff 2016-06-15 08:55:04.000000000 +0000 
@@ -0,0 +1,60 @@ +Fix security problem. The patch is based on fix found in + <URL: https://bugzilla.redhat.com/show_bug.cgi?id=1140725 > and + verified to be identical to the code in automake 1.15. +From: Petter Reinholdtsen <[email protected]> +Last-Update: 2016-06-15 +Debian-Bug: https://bugs.debian.org/827347 + +Index: automake-1.14-1.14.1/lib/install-sh +=================================================================== +--- automake-1.14-1.14.1.orig/lib/install-sh 2016-06-15 10:44:49.000000000 +0200 ++++ automake-1.14-1.14.1/lib/install-sh 2016-06-15 10:48:18.924178517 +0200 +@@ -345,34 +345,41 @@ + # is incompatible with FreeBSD 'install' when (umask & 300) != 0. + ;; + *) ++ # $RANDOM is not portable (e.g. dash); use it when possible to ++ # lower collision chance + tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ +- trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0 ++ trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0 + ++ # As "mkdir -p" follows symlinks and we work in /tmp possibly; so ++ # create the $tmpdir first (and fail if unsuccessful) to make sure ++ # that nobody tries to guess the $tmpdir name. + if (umask $mkdir_umask && +- exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1 ++ $mkdirprog $mkdir_mode "$tmpdir" && ++ exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1 + then + if test -z "$dir_arg" || { + # Check for POSIX incompatibilities with -m. + # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or + # other-writable bit of parent directory when it shouldn't. + # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. 
+- ls_ld_tmpdir=`ls -ld "$tmpdir"` ++ test_tmpdir="$tmpdir/a" ++ ls_ld_tmpdir=`ls -ld "$test_tmpdir"` + case $ls_ld_tmpdir in + d????-?r-*) different_mode=700;; + d????-?--*) different_mode=755;; + *) false;; + esac && +- $mkdirprog -m$different_mode -p -- "$tmpdir" && { +- ls_ld_tmpdir_1=`ls -ld "$tmpdir"` ++ $mkdirprog -m$different_mode -p -- "$test_tmpdir" && { ++ ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"` + test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" + } + } + then posix_mkdir=: + fi +- rmdir "$tmpdir/d" "$tmpdir" ++ rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" + else + # Remove any dirs left behind by ancient mkdir implementations. +- rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null ++ rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null + fi + trap '' 0;; + esac;; diff -Nru automake-1.14-1.14.1/debian/patches/series automake-1.14-1.14.1/debian/patches/series --- automake-1.14-1.14.1/debian/patches/series 2014-10-27 02:52:07.000000000 +0000 +++ automake-1.14-1.14.1/debian/patches/series 2016-06-15 08:51:33.000000000 +0000 @@ -1,3 +1,4 @@ 01-texi-rename.diff 02-init-m4-newline.diff 03-ensure-ac_aux_dir-set.diff +CVE-bug-827347.diff
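Review bot: the distribution field of the new debian/changelog entry is wrong for a stable update: `+automake-1.14 (1:1.14.1-4+deb8u1) unstable; urgency=medium` must target `jessie`, not `unstable`, since the version carries the `+deb8u1` suffix and the request is tagged jessie/pu; change it to `automake-1.14 (1:1.14.1-4+deb8u1) jessie; urgency=medium` before uploading, otherwise the package would be rejected or land in the wrong suite.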
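Review bot: in the install-sh hunk, the security property rests entirely on the added line `$mkdirprog $mkdir_mode "$tmpdir" &&` being a plain mkdir without `-p`: it fails if `$tmpdir` already exists (for example as a symlink pre-created by another local user), whereas the old `exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d"` silently followed such a symlink. That is the right fix, and it also covers the portability gap the comment mentions: under dash `$RANDOM` expands to empty, so the name degrades to `${TMPDIR-/tmp}/ins-$$`, which is guessable from the PID, but a guessed name now only makes the probe fail closed (the `else` branch runs, `posix_mkdir` stays unset) instead of being hijacked. The comment text ('As "mkdir -p" follows symlinks and we work in /tmp possibly; so create the $tmpdir first ...') would read better if it said that directly: "mkdir without -p fails on an existing path, so a pre-created $tmpdir cannot be followed". Two documentation points: the patch header has no DEP-3 `Description:`/`Origin:` fields; consider `Origin: other, https://bugzilla.redhat.com/show_bug.cgi?id=1140725` alongside the existing `Debian-Bug:` line. And the file name `CVE-bug-827347.diff` suggests a CVE id although the cover mail says none was assigned; a name like `fix-insecure-tmpdir-827347.diff` would avoid confusing later readers of the tracker.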

