Hallo,
* Julien Cristau [Thu, Feb 28 2013, 05:14:08PM]:
On Wed, Feb 27, 2013 at 21:05:45 +0100, Eduard Bloch wrote:
Hallo,
* Thijs Kinkhorst [Wed, Feb 27 2013, 06:52:05PM]:
Package pigz/2.2.4-2 was uploaded to sid fixing CVE-2013-0296 (#700608).
The maintainer also added hardening flags. This may be on the border of
acceptable/unacceptable for an unblock. Please let me know either way.
Thanks for reporting. If the hardening flags are not acceptable I can
just build another revision disabling them. Just tell me soon enough.
I'd prefer to have the security fix on its own.
Ok, here we go. pigz 2.2.4-3 is uploaded, debian-diff and debdiff
attached here (note: debdiff gets slightly confused on hardlinks).
Regards,
Eduard.
[The following lists of changes regard files as different if they have
different names, permissions or owners.]
Files in second .deb but not in first
-
-rw-r--r-- root/root /usr/share/man/man1/pigz.1.gz
-rwxr-xr-x root/root /usr/bin/unpigz
hrw-r--r-- root/root /usr/share/man/man1/unpigz.1.gz link to
./usr/share/man/man1/pigz.1.gz
hrwxr-xr-x root/root /usr/bin/pigz link to ./usr/bin/unpigz
Files in first .deb but not in second
-
-rw-r--r-- root/root /usr/share/man/man1/unpigz.1.gz
-rwxr-xr-x root/root /usr/bin/pigz
hrw-r--r-- root/root /usr/share/man/man1/pigz.1.gz link to
./usr/share/man/man1/unpigz.1.gz
hrwxr-xr-x root/root /usr/bin/unpigz link to ./usr/bin/pigz
Control files: lines which differ (wdiff format)
Version: [-2.2.4-1-] {+2.2.4-3+}
diff -Nurd pigz_2.2.4-1.debian/debian/changelog pigz_2.2.4-3.debian/debian/changelog
--- pigz_2.2.4-1.debian/debian/changelog 2012-05-08 22:59:23.0 +0200
+++ pigz_2.2.4-3.debian/debian/changelog 2013-02-28 20:17:36.0 +0100
@@ -1,3 +1,17 @@
+pigz (2.2.4-3) unstable; urgency=low
+
+ * removed hardening flags, this build is targeting Wheezy
+
+ -- Eduard Bloch bl...@debian.org Thu, 28 Feb 2013 20:16:03 +0100
+
+pigz (2.2.4-2) unstable; urgency=high
+
+ * Use 600 permissions for unfinished output files (CVE-2013-0296,
+closes: #700608)
+ * started applying Debian hardening flags
+
+ -- Eduard Bloch bl...@debian.org Sat, 23 Feb 2013 13:44:42 +0100
+
pigz (2.2.4-1) unstable; urgency=low
* New upstream release
diff -Nurd pigz_2.2.4-1.debian/debian/patches/series pigz_2.2.4-3.debian/debian/patches/series
--- pigz_2.2.4-1.debian/debian/patches/series 2012-05-01 13:02:06.0 +0200
+++ pigz_2.2.4-3.debian/debian/patches/series 2013-02-28 20:15:20.0 +0100
@@ -0,0 +1 @@
+strict_temp_file_permissions
diff -Nurd pigz_2.2.4-1.debian/debian/patches/strict_temp_file_permissions pigz_2.2.4-3.debian/debian/patches/strict_temp_file_permissions
--- pigz_2.2.4-1.debian/debian/patches/strict_temp_file_permissions 1970-01-01 01:00:00.0 +0100
+++ pigz_2.2.4-3.debian/debian/patches/strict_temp_file_permissions 2013-02-28 20:14:29.0 +0100
@@ -0,0 +1,22 @@
+Index: pigz/pigz.c
+===
+--- pigz-2.2.4/pigz.c (Revision 4038)
pigz-2.2.5/pigz.c (Arbeitskopie)
+@@ -3228,7 +3228,7 @@
+ memcpy(out, to, len);
+ strcpy(out + len, decode ? : sufx);
+ outd = open(out, O_CREAT | O_TRUNC | O_WRONLY |
+- (force ? 0 : O_EXCL), 0666);
++ (force ? 0 : O_EXCL), 0600);
+
+ /* if exists and not -f, give user a chance to overwrite */
+ if (outd 0 errno == EEXIST isatty(0) verbosity) {
+@@ -3244,7 +3244,7 @@
+ } while (ch != EOF ch != '\n' ch != '\r');
+ if (reply == 1)
+ outd = open(out, O_CREAT | O_TRUNC | O_WRONLY,
+-0666);
++0600);
+ }
+
+ /* if exists and no overwrite, report and go on to next */
signature.asc
Description: Digital signature
