Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package libquvi. The version currently in testing has a small security issue: it looks for Lua helper scripts below the current path. This can lead to arbitrary code execution if a program using libquvi is run in a directory such as /tmp.

unblock libquvi/0.4.1-3

Ansgar
diff -Nru libquvi-0.4.1/debian/changelog libquvi-0.4.1/debian/changelog --- libquvi-0.4.1/debian/changelog 2014-05-27 10:25:54.000000000 +0200 +++ libquvi-0.4.1/debian/changelog 2015-01-04 12:53:58.000000000 +0100 @@ -1,3 +1,11 @@ +libquvi (0.4.1-3) unstable; urgency=medium + + * Do not look for Lua helper scripts below current directory. + (Closes: #774555) + + new patch: lua-scripts-below-cwd.patch + + -- Ansgar Burchardt <ans...@debian.org> Sun, 04 Jan 2015 12:52:34 +0100 + libquvi (0.4.1-2.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru libquvi-0.4.1/debian/patches/lua-scripts-below-cwd.patch libquvi-0.4.1/debian/patches/lua-scripts-below-cwd.patch --- libquvi-0.4.1/debian/patches/lua-scripts-below-cwd.patch 1970-01-01 01:00:00.000000000 +0100 +++ libquvi-0.4.1/debian/patches/lua-scripts-below-cwd.patch 2015-01-04 12:45:22.000000000 +0100 @@ -0,0 +1,23 @@ +From: Ansgar Burchardt <ans...@debian.org> +Subject: Do not look for Lua helper scripts below current directory +Date: Sun, 04 Jan 2015 12:39:12 +0100 + +Bug-Debian: https://bugs.debian.org/774555 +--- a/src/libquvi/lua_wrap.c ++++ b/src/libquvi/lua_wrap.c +@@ -367,15 +367,6 @@ + return (QUVI_OK); + } + +- /* Current working directory */ +- buf = getcwd(NULL,0); +- if (!buf) +- return(QUVI_MEM); +- +- asprintf(&path, "%s/%s", buf, spath); +- _free(buf); +- _scan; +- + /* Home directory */ + homedir = getenv("HOME"); + if (homedir) diff -Nru libquvi-0.4.1/debian/patches/series libquvi-0.4.1/debian/patches/series --- libquvi-0.4.1/debian/patches/series 2014-05-22 15:44:47.000000000 +0200 +++ libquvi-0.4.1/debian/patches/series 2015-01-04 12:45:22.000000000 +0100 @@ -1,2 +1,3 @@ configure.ac-add-missing-AM-macros.patch lua52.patch +lua-scripts-below-cwd.patch
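Review bot: in the lua_wrap.c hunk, removing the getcwd() block also removes the only visible assignment to `buf`; confirm `buf` is still used elsewhere in that function or drop its declaration so the build does not gain an unused-variable warning. The `$HOME` lookup that remains is still taken from the environment, which is acceptable for an unprivileged caller but deserves a sentence in the patch description so the next reader knows the cwd removal, not the home-directory search, is the fix. The DEP-3 header carries From/Subject/Date/Bug-Debian but no `Forwarded:` field; stating whether upstream was told would help whoever rebases this later.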
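The patch above simply deletes the working-directory lookup. As an added example, written for this page and not taken from libquvi or from Ansgar's patch, the C code below shows the search-path policy a library in this position can enforce: candidate script directories come only from the compiled-in data directory and from `$HOME`, never from the working directory, and each candidate is rejected when a different unprivileged user could create files in it (a world-writable directory such as /tmp fails this even with the sticky bit set, because the sticky bit only prevents deleting other users' files). The function names, the `subdir` argument and the directories created by the demo are assumptions for illustration.

```c
/* Added example, not libquvi's code: build the list of Lua helper
 * script directories without consulting the current working directory,
 * and refuse any directory an unrelated local user could write to.
 * Names below (script_dir_is_trusted, build_script_search_paths, the
 * "lua" subdir) are illustrative assumptions, not libquvi identifiers. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 when dir is an acceptable script source: it exists, is a
 * directory, is owned by root or by the calling user, and is writable
 * neither by group nor by others. Returns 0 otherwise. */
int script_dir_is_trusted(const char *dir)
{
    struct stat st;

    if (dir == NULL || stat(dir, &st) != 0)
        return 0;
    if (!S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != 0 && st.st_uid != getuid())
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* Joins base and subdir, and appends the result to out[] only if the
 * resulting directory passes script_dir_is_trusted(). */
static void add_if_trusted(const char *base, const char *subdir,
                           char **out, size_t *n, size_t max)
{
    char *path = NULL;

    if (base == NULL || *n >= max)
        return;
    if (asprintf(&path, "%s/%s", base, subdir) < 0)
        return;
    if (script_dir_is_trusted(path))
        out[(*n)++] = path;   /* caller frees each entry */
    else
        free(path);
}

/* Builds the ordered candidate list: the system data directory first,
 * then the per-user directory under homedir. The working directory is
 * deliberately never consulted. Returns the number of entries written. */
size_t build_script_search_paths(const char *sysdir, const char *homedir,
                                 const char *subdir, char **out, size_t max)
{
    size_t n = 0;

    add_if_trusted(sysdir, subdir, out, &n, max);
    add_if_trusted(homedir, subdir, out, &n, max);
    return n;
}

int main(void)
{
    /* Demo: /usr/share/quvi is an assumed system location; $HOME comes
     * from the environment exactly as the remaining libquvi code does. */
    char *paths[4];
    size_t n = build_script_search_paths("/usr/share/quvi", getenv("HOME"),
                                         "lua", paths, 4);
    for (size_t i = 0; i < n; i++) {
        printf("trusted script dir: %s\n", paths[i]);
        free(paths[i]);
    }
    return 0;
}
```

The ownership and write-permission test is the part that actually closes the gap: dropping the cwd entry stops the obvious /tmp case, while the permission check also catches a shared or misconfigured data directory that happens to be group- or world-writable.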