Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package perltidy Fixes an important security bug (CVE-2016-10374, #862667) by erroring out when a pre-existing perltidy.ERR or perltidy.LOG file cannot be unlinked, instead of continuing. [The bug is severity important, but should be fixed.] unblock perltidy/20140328-2 -- System Information: Debian Release: 9.0 APT prefers unstable APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.10.0-trunk-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diff -Nru perltidy-20140328/debian/changelog perltidy-20140328/debian/changelog
--- perltidy-20140328/debian/changelog 2014-04-07 18:27:20.000000000 -0700
+++ perltidy-20140328/debian/changelog 2017-05-21 12:41:30.000000000 -0700
@@ -1,3 +1,10 @@
+perltidy (20140328-2) unstable; urgency=high
+
+ * Backport fix for CVE-2016-10374 which fixes insecure file deletion of
+ perltidy.ERR and perltidy.LOG files (closes: #862667)
+
+ -- Don Armstrong <d...@debian.org> Sun, 21 May 2017 12:41:30 -0700
+
 perltidy (20140328-1) unstable; urgency=medium
 * New upstream release
diff -Nru perltidy-20140328/debian/patches/die_on_unlink_failures perltidy-20140328/debian/patches/die_on_unlink_failures
--- perltidy-20140328/debian/patches/die_on_unlink_failures 1969-12-31 16:00:00.000000000 -0800
+++ perltidy-20140328/debian/patches/die_on_unlink_failures 2017-05-21 12:39:07.000000000 -0700
@@ -0,0 +1,30 @@
+Description: die if perltidy.ERR and other temporary files cannot be unlinked
+Origin: Upstream, Cherrypicked from 20170521.
+Author: Don Armstrong <d...@debian.org>, Steve Hancock
+--- a/lib/Perl/Tidy.pm
++++ b/lib/Perl/Tidy.pm
+@@ -3643,7 +3643,10 @@
+ # now wish for luck...
+ my $msg = qx/perl $flags $quoted_stream_filename $error_redirection/;
+
+- unlink $stream_filename if ($is_tmpfile);
++ if ($is_tmpfile) {
++ unlink $stream_filename
++ or Perl::Tidy::Die("couldn't unlink stream $stream_filename: $!\n");
++ }
+ return $stream_filename, $msg;
+ }
+
+@@ -4074,7 +4077,11 @@
+
+ # remove any old error output file if we might write a new one
+ unless ( $fh_warnings || ref($warning_file) ) {
+- if ( -e $warning_file ) { unlink($warning_file) }
++ if ( -e $warning_file ) {
++ unlink($warning_file)
++ or Perl::Tidy::Die(
++ "couldn't unlink warning file $warning_file: $!\n");
++ }
+ }
+
+ my $logfile_gap =
diff -Nru perltidy-20140328/debian/patches/series perltidy-20140328/debian/patches/series
--- perltidy-20140328/debian/patches/series 2014-04-07 18:23:44.000000000 -0700
+++ perltidy-20140328/debian/patches/series 2017-05-21 12:38:51.000000000 -0700
@@ -1 +1,2 @@
+die_on_unlink_failures
 document_bst_better
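Review bot: The `-e $warning_file` guard in the second inner hunk stats through symlinks, so a dangling symlink named perltidy.ERR is not seen, is never unlinked, and never reaches the new `Perl::Tidy::Die`; if the later open of `$warning_file` (outside this hunk) creates the file with `>`, it will follow that link and create the attacker-chosen target, which appears to be the scenario behind CVE-2016-10374. Test for the link itself as well: `if ( -e $warning_file || -l $warning_file ) {`. Even with that, check-then-unlink-then-open is a race, so the comment `# remove any old error output file if we might write a new one` should say that dying on a failed unlink only covers a pre-existing file that cannot be removed, and that a link planted between the unlink and the open is still followed unless the open uses O_EXCL/O_NOFOLLOW via sysopen. The enclosing subroutines of both inner hunks start and end outside the patch.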