Your message dated Thu, 21 Jul 2016 01:26:44 +0200
with message-id <[email protected]>
and subject line tendra was removed from unstable
has caused the Debian Bug report #609474,
regarding potential symlink attack when compiling tendra
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
609474: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609474
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: tendra
Version: 4.1.2-18
Severity: normal
Tags: patch security
tendra's ./INSTALL script writes to (for instance) /var/tmp/tuname_$$, which
is predictable enough to be open to symlink attacks while compiling the
package.
I'm not setting the usual grave severity for security bugs, since this doesn't
affect ordinary users of the package.
A patch follows; it'll also be available in
http://git.debian.org/?p=users/smcv/qa/tendra.git shortly.
Regards,
Simon
commit f5048384bd4dd6ea1e954707f0c7951a61203692
Author: Simon McVittie <[email protected]>
Date: 2011-01-09 18:40:27 +0000
Avoid writing predictable filenames to /var/tmp during package build
This avoids potential symlink attacks.
diff --git a/INSTALL b/INSTALL
index e628d65..f2eeb91 100755
--- a/INSTALL
+++ b/INSTALL
@@ -75,6 +75,7 @@ MACH_DIR=${INSTALL_DIR}/machines
MAN_DIR=${DEB_DIR}/usr/man
WORK_DIR=${BASE_DIR}/work
TEMP_DIR=/var/tmp
+TEMP_SUBDIR=`mktemp -d` || exit 1
#
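Review bot: `mktemp -d` with no template and no `-p` creates the directory under `$TMPDIR` (or /tmp), so the `TEMP_DIR=/var/tmp` one line above is no longer where the scratch files land; if /var/tmp was intended, use `TEMP_SUBDIR=\`mktemp -d -p "${TEMP_DIR}"\` || exit 1`, and if nothing else still reads `TEMP_DIR`, drop it so the two variables do not suggest a relationship that no longer exists. This is also the natural place to register cleanup, e.g. `trap 'rm -rf "${TEMP_SUBDIR}"' EXIT`, because the script has several `exit 1` paths after this point and a single `rm` at the end will not run on any of them.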
@@ -202,10 +203,10 @@ cat ${BASE_DIR}/COPYRIGHT
#
${COMMENT} building host type determiner, tuname ...
-TUNAME=${TEMP_DIR}/tuname_$$${EXEC_SUFFIX}
-MACH_HEADER=${TEMP_DIR}/mach_$$.h
+TUNAME=${TEMP_SUBDIR}/tuname_$$${EXEC_SUFFIX}
+MACH_HEADER=${TEMP_SUBDIR}/mach_$$.h
SRC=${BASE_DIR}/src/utilities/tuname
-cd ${TEMP_DIR} || exit 1
+cd ${TEMP_SUBDIR} || exit 1
make -f ${SRC}/Makefile CC="${CC}" ${TCCOPTS}\
BASE=${BASE_DIR} NAME=${TUNAME} all
if [ -f ${TUNAME} ]
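Review bot: `cd ${TEMP_SUBDIR} || exit 1` is unquoted, like the rest of the script; that is fine for the default /tmp but breaks for a `TMPDIR` containing spaces, so `cd "${TEMP_SUBDIR}" || exit 1` is cheap insurance now that the path is no longer a fixed literal. The `$$` in `tuname_$$` and `mach_$$.h` no longer adds uniqueness because the directory itself is private and unpredictable; keeping it is harmless, but a short comment that the safety now comes from mktemp would help the next reader.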
@@ -324,7 +325,7 @@ ${COMMENT}
# during development work.
#
-MACH_SED=${TEMP_DIR}/mach$$.sed
+MACH_SED=${TEMP_SUBDIR}/mach$$.sed
cat > ${MACH_SED} << EOF
1,\$s/MACH_OS/${MACH_OS}/g
1,\$s/MACH_CPU/${MACH_CPU}/g
@@ -422,7 +423,7 @@ if ${BUILD_UPDATE}
then
${COMMENT} installing tcc environments ...
- ENV_SED=${TEMP_DIR}/env$$.sed
+ ENV_SED=${TEMP_SUBDIR}/env$$.sed
cat > ${ENV_SED} << EOF
1,\$s%-MACH-%${MACH_OS}/${MACH_CPU}%g
1,\$s%-MACHDIR-%${MACH_BASE}%g
@@ -802,4 +803,6 @@ else
${COMMENT} installation completed with errors
exit 1
fi
+
+rm -r ${TMP_SUBDIR}
exit 0
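Review bot: `rm -r ${TMP_SUBDIR}` names the wrong variable; the directory was created as `TEMP_SUBDIR` in the first hunk, so this expands to `rm -r` with no operand, prints an error, leaves the directory in place, and the following `exit 0` hides the failure. It should read `rm -rf "${TEMP_SUBDIR}"`. Even corrected, this cleanup only runs on the success path: the `exit 1` two lines above and the other error exits in the script skip it, so a `trap ... EXIT` set right after the `mktemp -d` call would be more robust than a single `rm` at the end.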
--- End Message ---
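The fix Simon's patch applies, carried through with cleanup on every exit path and quoted expansions, as an added shell example that is not part of the bug report or of tendra's INSTALL script. The function and variable names (`make_scratch_dir`, `run_step_with_scratch`, `TENDRA_TMPDIR`, `LAST_STEP_STATUS`) are chosen for this example, and the "compile" step is a constructed marker file standing in for building tuname.

```shell
#!/bin/sh
# Added example; not part of the bug report or of tendra's INSTALL script.
# It shows the hardened form of the pattern the patch introduces: an
# unpredictable mode-0700 scratch directory from mktemp -d, cleanup bound
# to EXIT so that the script's 'exit 1' paths remove it too, and quoted
# expansions. make_scratch_dir, run_step_with_scratch, TENDRA_TMPDIR and
# LAST_STEP_STATUS are names chosen for this example.

# make_scratch_dir [BASE]: create a fresh private directory under BASE
# (default: $TENDRA_TMPDIR, then $TMPDIR, then /tmp) and print its path.
# mktemp creates the directory itself and fails if the path already
# exists, so a pre-planted symlink at a guessable name such as
# /var/tmp/tuname_<pid> cannot redirect the build's writes.
make_scratch_dir() {
    base=${1:-${TENDRA_TMPDIR:-${TMPDIR:-/tmp}}}
    dir=$(mktemp -d "$base/tendra-build.XXXXXXXXXX") || return 1
    # Belt and braces: accept only a real directory, never a symlink.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        rm -rf "$dir"
        return 1
    fi
    printf '%s\n' "$dir"
}

# run_step_with_scratch STATUS: model one INSTALL build step. The step
# writes its tuname-style helper into a scratch directory and then exits
# with STATUS (0 = success, non-zero = one of the script's 'exit 1' paths).
# Returns 0 only if the directory was used and is gone afterwards whatever
# STATUS was, i.e. only if the EXIT trap did its job; the step's own exit
# status is left in LAST_STEP_STATUS.
run_step_with_scratch() {
    status=${1:-0}
    record=$(mktemp) || return 1
    if (
        scratch=$(make_scratch_dir) || exit 1
        # Cleanup on normal exit and on 'exit 1'; a signal exits, which in
        # turn fires the EXIT trap. Running with 'set -u' would also turn a
        # typo like ${TMP_SUBDIR} for ${TEMP_SUBDIR} into a hard error
        # instead of a silent 'rm -r' with no operand.
        trap 'rm -rf "$scratch"' EXIT
        trap 'exit 1' HUP INT TERM
        printf '%s\n' "$scratch" > "$record"
        tuname="$scratch/tuname_$$"
        # Stand-in for the compile step: a constructed marker file.
        printf 'constructed host type: %s\n' "$(uname -s)" > "$tuname" || exit 1
        [ -f "$tuname" ] || exit 1
        exit "$status"
    ); then
        LAST_STEP_STATUS=0
    else
        LAST_STEP_STATUS=$?
    fi
    scratch=$(cat "$record")
    rm -f "$record"
    [ -n "$scratch" ] || return 1     # the step never obtained a directory
    [ ! -e "$scratch" ] || return 1   # cleanup failed: directory leaked
    return 0
}

# Stand-alone run: a successful step and a failed step, both cleaned up.
run_step_with_scratch 0 && echo "ok: success path cleaned up (status $LAST_STEP_STATUS)"
run_step_with_scratch 1 && echo "ok: error path cleaned up (status $LAST_STEP_STATUS)"
```

The step runs in a subshell only so that its EXIT trap fires while the caller is still around to check that the directory is gone; in a real build script the trap goes at top level, right after the `mktemp -d` call, and protects every `exit 1` that follows.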
--- Begin Message ---
Version: 4.1.2-19+rm
tendra was just removed from unstable, but closing the old bugs at the same
time was forgotten
see https://bugs.debian.org/831695 for details on the removal
Andreas
--- End Message ---