Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package perltidy

Fixes an important security bug (CVE-2016-10374) #862667 by erroring
out. [The bug is severity important, but should be fixed.]

unblock perltidy/20140328-2

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64
 (x86_64)

Kernel: Linux 4.10.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru perltidy-20140328/debian/changelog perltidy-20140328/debian/changelog
--- perltidy-20140328/debian/changelog  2014-04-07 18:27:20.000000000 -0700
+++ perltidy-20140328/debian/changelog  2017-05-21 12:41:30.000000000 -0700
@@ -1,3 +1,10 @@
+perltidy (20140328-2) unstable; urgency=high
+
+  * Backport fix for CVE-2016-10374 which fixes insecure file deletion of
+    perltidy.ERR and perltidy.LOG files (closes: #862667)
+
+ -- Don Armstrong <d...@debian.org>  Sun, 21 May 2017 12:41:30 -0700
+
 perltidy (20140328-1) unstable; urgency=medium
 
   * New upstream release
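Review bot: the changelog wording "fixes insecure file deletion of perltidy.ERR and perltidy.LOG files" claims more than the backported patch does; the patch only turns a failed unlink of the stream temp file or the warning file into a fatal Perl::Tidy::Die instead of silently continuing. Suggest matching the entry to the actual behaviour, e.g. "* Backport upstream fix for CVE-2016-10374: abort instead of continuing when perltidy.ERR / temporary files cannot be unlinked (closes: #862667)", so the release and security teams can see this is a fail-closed mitigation rather than a change to how those files are created or opened.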
diff -Nru perltidy-20140328/debian/patches/die_on_unlink_failures 
perltidy-20140328/debian/patches/die_on_unlink_failures
--- perltidy-20140328/debian/patches/die_on_unlink_failures     1969-12-31 
16:00:00.000000000 -0800
+++ perltidy-20140328/debian/patches/die_on_unlink_failures     2017-05-21 
12:39:07.000000000 -0700
@@ -0,0 +1,30 @@
+Description: die if perltidy.ERR and other temporary files cannot be unlinked
+Origin: Upstream, Cherrypicked from 20170521.
+Author: Don Armstrong <d...@debian.org>, Steve Hancock
+--- a/lib/Perl/Tidy.pm
++++ b/lib/Perl/Tidy.pm
+@@ -3643,7 +3643,10 @@
+     # now wish for luck...
+     my $msg = qx/perl $flags $quoted_stream_filename $error_redirection/;
+ 
+-    unlink $stream_filename if ($is_tmpfile);
++    if ($is_tmpfile) {
++        unlink $stream_filename
++          or Perl::Tidy::Die("couldn't unlink stream $stream_filename: $!\n");
++    }
+     return $stream_filename, $msg;
+ }
+ 
+@@ -4074,7 +4077,11 @@
+ 
+     # remove any old error output file if we might write a new one
+     unless ( $fh_warnings || ref($warning_file) ) {
+-        if ( -e $warning_file ) { unlink($warning_file) }
++        if ( -e $warning_file ) {
++            unlink($warning_file)
++              or Perl::Tidy::Die(
++                "couldn't unlink warning file $warning_file: $!\n");
++        }
+     }
+ 
+     my $logfile_gap =
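Review bot: the second inner hunk (the `$warning_file` block) keeps the `if ( -e $warning_file )` test in front of the now-fatal `unlink($warning_file)`, which leaves a check-then-act window: a file that exists at the `-e` test but is gone by the `unlink` produces a spurious Die, and `-e` follows symlinks, so the existence check tells you nothing about what will actually be removed. Suggest dropping the `-e` guard and treating only "not there" as success, e.g. `unlink($warning_file) or $!{ENOENT} or Perl::Tidy::Die("couldn't unlink warning file $warning_file: $!\n");` (`%!` autoloads Errno). The first inner hunk is fine as written: `unlink` returns the number of files removed, so `or Perl::Tidy::Die(...)` fires on 0. On the DEP-3 header, the patch cites the bug only in the changelog; add `Bug-Debian: https://bugs.debian.org/862667` and `Last-Update: 2017-05-21` so the provenance of the cherry-pick is visible in the patch itself.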
diff -Nru perltidy-20140328/debian/patches/series 
perltidy-20140328/debian/patches/series
--- perltidy-20140328/debian/patches/series     2014-04-07 18:23:44.000000000 
-0700
+++ perltidy-20140328/debian/patches/series     2017-05-21 12:38:51.000000000 
-0700
@@ -1 +1,2 @@
+die_on_unlink_failures
 document_bst_better