Dear release team,
As Martin mentioned in the 633870 bug report, CVE-2011-2684 could be fixed
in a fixed point release.
The proposed debdiff for squeeze is attached (the fix was uploaded to unstable
already, and given the non-severe nature of this bug I don't think an upload to
testing is worth it). What do you think? (And would a fix for lenny be needed?)
Cheers,
--
OdyX
diff -u foo2zjs-20090908dfsg/debian/changelog foo2zjs-20090908dfsg/debian/changelog
--- foo2zjs-20090908dfsg/debian/changelog
+++ foo2zjs-20090908dfsg/debian/changelog
@@ -1,3 +1,12 @@
+foo2zjs (20090908dfsg-5.1+squeeze0) stable-proposed-updates; urgency=low
+
+ * Non-maintainer upload.
+ * Update debian/patches/60-getweb.in.patch:
+Fix CVE-2011-2684 Insecure Temporary File (CWE-277) in /usr/bin/getweb
+by creating a safe temporary directory with mktemp (Closes: #633870).
+
+ -- Didier Raboud o...@debian.org Tue, 26 Jul 2011 11:34:42 +0200
+
foo2zjs (20090908dfsg-5.1) unstable; urgency=low
* Non-maintainer upload.
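Review bot: the CWE reference in the new changelog entry looks like a typo: "Insecure Temporary File" is CWE-377, while CWE-277 is "Insecure Inherited Permissions"; suggest `Fix CVE-2011-2684 Insecure Temporary File (CWE-377) in /usr/bin/getweb`. The entry also describes only creating the temporary directory, and nothing in the attached diff removes it afterwards; if getweb leaves the directory behind, the changelog should say so, since stable release managers will read this entry to judge the change.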
diff -u foo2zjs-20090908dfsg/debian/patches/60-getweb.in.patch foo2zjs-20090908dfsg/debian/patches/60-getweb.in.patch
--- foo2zjs-20090908dfsg/debian/patches/60-getweb.in.patch
+++ foo2zjs-20090908dfsg/debian/patches/60-getweb.in.patch
@@ -1,6 +1,6 @@
Improve getweb also for installing the firmware
foo2zjs-20090908dfsg.orig/getweb.in
-+++ foo2zjs-20090908dfsg/getweb.in
+--- a/getweb.in
b/getweb.in
@@ -2,7 +2,7 @@
#
@@ -199,8 +199,8 @@
fi
+OLDPWD=`pwd`
-+mkdir -p /tmp/foo2zjs
-+cd /tmp/foo2zjs
++NEWPWD=`mktemp --tmpdir --directory foo2zjs.XX`
++cd $NEWPWD
+
for i in $*
do
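Review bot: the mktemp template `foo2zjs.XX` in the `++NEWPWD=` line has too few X's; GNU mktemp requires at least three and exits non-zero with "too few X's in template", so `NEWPWD` would be empty and the unguarded `++cd $NEWPWD` would change to `$HOME`, leaving the following `for i in $*` loop to download into the home directory rather than a private directory. Suggest `NEWPWD=$(mktemp --tmpdir --directory foo2zjs.XXXXXX) || exit 1` and `cd "$NEWPWD" || exit 1`, so a failed mktemp aborts the script instead of silently falling back. Also, `OLDPWD` in `+OLDPWD=\`pwd\`` is a variable the shell itself rewrites on every `cd`, so saving the starting directory in it is fragile; a differently named variable such as `ORIGPWD` avoids the clash.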