Bug#885027: stretch-pu: package mosquitto/1.4.10-3+deb9u1

2018-02-10 Thread Roger Light
I'm neither a DD nor a DM, should I just get my normal sponsor to
upload or if not then who?

Cheers,

Roger

On 10 February 2018 at 11:31, Julien Cristau <jcris...@debian.org> wrote:
> Control: tag -1 - moreinfo
> Control: tag -1 confirmed
>
> OK, go ahead and upload then.
>
> Cheers,
> Julien
>
> On Sat, Feb 10, 2018 at 11:13:06 +, Roger Light wrote:
>
>> Thanks for taking a look at this.
>>
>> The application only creates this file and log files, so I don't
>> believe it should have any other impact.
>>
>> Regards,
>>
>> Roger
>>
>>
>> On 10 February 2018 at 09:07, Julien Cristau <jcris...@debian.org> wrote:
>> > Control: tag -1 moreinfo
>> >
>> > On Fri, Dec 22, 2017 at 23:47:34 +, Roger A. Light wrote:
>> >
>> >> +Description: Fix for CVE-207-9868.
>> >> +Author: Roger Light <ro...@atchoo.org>
>> >> +Forwarded: not-needed
>> >> +Origin: upstream, 
>> >> https://mosquitto.org/files/cve/2017-9868/mosquitto-1.4.x_cve-2017-9868.patch
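Review bot: the Description line of the patch header reads "CVE-207-9868", while the Origin URL right after it names 2017-9868. Correct the header to "Fix for CVE-2017-9868." so the patch can be found by searching on the CVE id.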
>> >> +--- a/src/persist.c
>> >>  b/src/persist.c
>> >> +@@ -362,6 +362,10 @@
>> >> + _mosquitto_log_printf(NULL, MOSQ_LOG_INFO, "Error saving 
>> >> in-memory database, out of memory.");
>> >> + return MOSQ_ERR_NOMEM;
>> >> + }
>> >> ++
>> >> ++/* Restrict access to persistence file. */
>> >> ++umask(0077);
>> >> ++
>> >> + snprintf(outfile, len, "%s.new", db->config->persistence_filepath);
>> >> + outfile[len] = '\0';
>> >> +
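Review bot: the umask(0077) call added ahead of the snprintf() for the ".new" file changes the file mode creation mask for the whole process, and nothing in this hunk puts the previous mask back, so any file the process creates afterwards (log files included) also loses group and other permissions. If only the persistence file is meant to be restricted, keep the value umask() returns and restore it once the file has been created, for example `mode_t old_mask = umask(0077);` here and `umask(old_mask);` after the create. The hunk also adds no #include, so check that persist.c already pulls in <sys/stat.h> for umask().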
>> >
>> > Is this likely to negatively affect other files the application might
>> > create?
>> >
>> > Cheers,
>> > Julien
>>



Bug#885027: stretch-pu: package mosquitto/1.4.10-3+deb9u1

2018-02-10 Thread Roger Light
Thanks for taking a look at this.

The application only creates this file and log files, so I don't
believe it should have any other impact.

Regards,

Roger


On 10 February 2018 at 09:07, Julien Cristau <jcris...@debian.org> wrote:
> Control: tag -1 moreinfo
>
> On Fri, Dec 22, 2017 at 23:47:34 +, Roger A. Light wrote:
>
>> +Description: Fix for CVE-207-9868.
>> +Author: Roger Light <ro...@atchoo.org>
>> +Forwarded: not-needed
>> +Origin: upstream, 
>> https://mosquitto.org/files/cve/2017-9868/mosquitto-1.4.x_cve-2017-9868.patch
>> +--- a/src/persist.c
>>  b/src/persist.c
>> +@@ -362,6 +362,10 @@
>> + _mosquitto_log_printf(NULL, MOSQ_LOG_INFO, "Error saving 
>> in-memory database, out of memory.");
>> + return MOSQ_ERR_NOMEM;
>> + }
>> ++
>> ++/* Restrict access to persistence file. */
>> ++umask(0077);
>> ++
>> + snprintf(outfile, len, "%s.new", db->config->persistence_filepath);
>> + outfile[len] = '\0';
>> +
>
> Is this likely to negatively affect other files the application might
> create?
>
> Cheers,
> Julien