Bug#806339: wheezy-pu: package libiptables-parse-perl/1.1-1+deb7u1

2015-11-29 Thread Adam D. Barratt
Control: tags -1 + pending

On Thu, 2015-11-26 at 22:38 +0100, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Thu, Nov 26, 2015 at 09:19:04PM +, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Thu, 2015-11-26 at 18:13 +0100, Salvatore Bonaccorso wrote:
> > > libiptables-parse-perl uses temporary files in an unsafe way; this was  
> > > assigned CVE-2015-8326 and already fixed in unstable with the 1.6-1  
> > > upload.  
> > 
> > Please go ahead.
> 
> Thanks here as well! Done.

Flagged for acceptance.

Regards,

Adam



Bug#806339: wheezy-pu: package libiptables-parse-perl/1.1-1+deb7u1

2015-11-26 Thread Salvatore Bonaccorso
Hi,

On Thu, Nov 26, 2015 at 09:19:04PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Thu, 2015-11-26 at 18:13 +0100, Salvatore Bonaccorso wrote:
> > libiptables-parse-perl uses temporary files in an unsafe way; this was  
> > assigned CVE-2015-8326 and already fixed in unstable with the 1.6-1  
> > upload.  
> 
> Please go ahead.

Thanks here as well! Done.

Regards,
Salvatore



Bug#806339: wheezy-pu: package libiptables-parse-perl/1.1-1+deb7u1

2015-11-26 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Thu, 2015-11-26 at 18:13 +0100, Salvatore Bonaccorso wrote:
> libiptables-parse-perl uses temporary files in an unsafe way; this was  
> assigned CVE-2015-8326 and already fixed in unstable with the 1.6-1  
> upload.  

Please go ahead.

Regards,

Adam



Bug#806339: wheezy-pu: package libiptables-parse-perl/1.1-1+deb7u1

2015-11-26 Thread Salvatore Bonaccorso
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: pu

Hi  
  
libiptables-parse-perl uses temporary files in an unsafe way; this was  
assigned CVE-2015-8326 and already fixed in unstable with the 1.6-1  
upload.  
  
Attached is a debdiff to fix this issue for wheezy. Can you consider  
accepting it for the next wheezy point release?  
  
Regards,  
Salvatore

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
diff -Nru libiptables-parse-perl-1.1/debian/changelog libiptables-parse-perl-1.1/debian/changelog
--- libiptables-parse-perl-1.1/debian/changelog	2012-03-05 21:36:00.0 +0100
+++ libiptables-parse-perl-1.1/debian/changelog	2015-11-26 18:05:24.0 +0100
@@ -1,3 +1,11 @@
+libiptables-parse-perl (1.1-1+deb7u1) wheezy; urgency=medium
+
+  * Team upload.
+  * Add CVE-2015-8326.patch patch.
+CVE-2015-8326: Use of predictable names for temporary files.
+
+ -- Salvatore Bonaccorso   Thu, 26 Nov 2015 18:04:51 +0100
+
 libiptables-parse-perl (1.1-1) unstable; urgency=low
 
   * Imported Upstream version 1.1
diff -Nru libiptables-parse-perl-1.1/debian/patches/CVE-2015-8326.patch libiptables-parse-perl-1.1/debian/patches/CVE-2015-8326.patch
--- libiptables-parse-perl-1.1/debian/patches/CVE-2015-8326.patch	1970-01-01 01:00:00.0 +0100
+++ libiptables-parse-perl-1.1/debian/patches/CVE-2015-8326.patch	2015-11-26 18:05:24.0 +0100
@@ -0,0 +1,46 @@
+Description: Don't use predictable names for temporary files
+ This allows an attacker on a multi-user system to set up symlinks to
+ overwrite any file the current user has write access to.
+ .
+ Don't recommend users of this module to use predictable names either.
+Origin: backport, https://github.com/mtrmac/IPTables-Parse/commit/b400b976d81140f6971132e94eb7657b5b0a2b87
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1267962
+Forwarded: not-needed
+Author: Salvatore Bonaccorso 
+Last-Update: 2015-11-26
+Applied-Upstream: 1.6
+
+---
+ lib/IPTables/Parse.pm | 7 +++
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/lib/IPTables/Parse.pm
 b/lib/IPTables/Parse.pm
+@@ -17,6 +17,7 @@ package IPTables::Parse;
+ use 5.006;
+ use POSIX ":sys_wait_h";
+ use Carp;
++use File::Temp;
+ use strict;
+ use warnings;
+ use vars qw($VERSION);
+@@ -29,8 +30,8 @@ sub new() {
+ 
+ my $self = {
+ _iptables => $args{'iptables'} || $args{'ip6tables'} || '/sbin/iptables',
+-_iptout=> $args{'iptout'}|| '/tmp/ipt.out',
+-_ipterr=> $args{'ipterr'}|| '/tmp/ipt.err',
++_iptout=> $args{'iptout'}|| mktemp('/tmp/ipt.out.XX'),
++_ipterr=> $args{'ipterr'}|| mktemp('/tmp/ipt.err.XX'),
+ _ipt_alarm => $args{'ipt_alarm'} || 30,
+ _debug => $args{'debug'} || 0,
+ _verbose   => $args{'verbose'}   || 0,
+@@ -701,8 +702,6 @@ IPTables::Parse - Perl extension for par
+ 
+   my %opts = (
+   'iptables' => $ipt_bin,
+-  'iptout'   => '/tmp/iptables.out',
+-  'ipterr'   => '/tmp/iptables.err',
+   'debug'=> 0,
+   'verbose'  => 0
+   );
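Review bot: in the `new()` hunk of lib/IPTables/Parse.pm, the `_iptout` and `_ipterr` defaults now come from `mktemp(...)`, which only returns a file name and does not create the file, so a window remains between choosing the name and whatever later writes to that path, during which another local user can place a symlink there. Creating the file at this point with `tempfile()` or `File::Temp->new`, both of which open it exclusively, or keeping both files in a private `tempdir()`, would close that window. As shown here the templates end in two `X` characters, while File::Temp requires at least four at the end of a template, so the template in the applied patch is worth checking. The POD hunk drops the fixed `/tmp/iptables.out` and `/tmp/iptables.err` paths from the synopsis but does not say that caller-supplied `iptout` and `ipterr` values are still used as given; a sentence in the documentation telling callers not to pass fixed paths in shared directories would cover existing users who copied the old synopsis.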
diff -Nru libiptables-parse-perl-1.1/debian/patches/series libiptables-parse-perl-1.1/debian/patches/series
--- libiptables-parse-perl-1.1/debian/patches/series	1970-01-01 01:00:00.0 +0100
+++ libiptables-parse-perl-1.1/debian/patches/series	2015-11-26 18:05:24.0 +0100
@@ -0,0 +1 @@
+CVE-2015-8326.patch