Dear LTS team,
On 03.08.2016 at 01:15, Jonas Meurer wrote:
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of libsys-syslog-perl:
> https://security-tracker.debian.org/tracker/CVE-2016-1238
> [...]
>
> PPS: Dominic Hargreaves of the pkg-perl team already uploaded a fixed
> libsys-syslog-perl 0.33 to jessie-security. The fix is simple and can be
> taken over for 0.29 in wheezy. I have already prepared packages. So if
> you don't object, I could do the upload.
Please find changes file and debdiff for libsys-syslog-perl
0.29-1+deb7u1 attached to this mail. This is going to be my first upload
on behalf of the LTS team, so a quick review by more experienced team
members would be awesome.
The patch itself is pretty straightforward and already applied to
libsys-syslog-perl in Jessie, so I don't expect any problems. Still, a
review would be appreciated, especially regarding things to consider
when uploading to wheezy-security.
I certainly tested upgrade and basic functionality of the built package
in a Wheezy LTS VM.
Cheers,
jonas
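For readers who want to see the flaw behind CVE-2016-1238 rather than just the changelog line, the following is an added illustration, not code from this mail, from the debdiff or from Sys::Syslog itself. It assumes a hypothetical optional module name (`Optional::Backend::Missing`) that is not installed, and constructs an attacker-controlled directory under a temp path; the two helpers show the unsafe dynamic `require` with "." still in @INC (the default on perl before 5.26, including wheezy's perl 5.14) beside the hardened form that localizes @INC without "." for the duration of the load, which is the shape of fix the patch subject below describes.

```perl
#!/usr/bin/perl
# Added example (not from the Debian upload or Sys::Syslog): why "." in @INC
# lets a runtime `require` of an optional, not-installed module load a file
# planted in the current working directory (CVE-2016-1238), and the fix of
# dropping "." from @INC while the dynamic load happens.
use strict;
use warnings;
use File::Temp qw(tempdir);
use Cwd qw(getcwd);

# Hypothetical module name: something a program would try to load
# opportunistically and that is NOT installed on the system.
my $OPTIONAL = 'Optional::Backend::Missing';

# Vulnerable pattern: when no installed copy is found, perl (before 5.26)
# falls through to the trailing "." entry and searches the cwd.
sub load_optional_unsafe {
    my ($mod) = @_;
    return eval "require $mod; 1" ? 1 : 0;
}

# Hardened pattern: localize @INC without "." for this call only, so the cwd
# is never searched and the caller's global @INC is left untouched.
sub load_optional_safe {
    my ($mod) = @_;
    local @INC = grep { $_ ne '.' } @INC;
    return eval "require $mod; 1" ? 1 : 0;
}

# Constructed attacker scenario: a directory the attacker can write to (think
# a shared /tmp or a home directory the victim later runs the program from)
# containing a file at the optional module's path.
our $PWNED = 0;
my $evil = tempdir(CLEANUP => 1);
mkdir "$evil/Optional"         or die "mkdir: $!";
mkdir "$evil/Optional/Backend" or die "mkdir: $!";
open my $fh, '>', "$evil/Optional/Backend/Missing.pm" or die "open: $!";
print $fh "package Optional::Backend::Missing;\n",
          "\$main::PWNED = 1;   # stand-in for arbitrary attacker code\n",
          "1;\n";
close $fh;

my $orig_cwd = getcwd();
chdir $evil or die "chdir: $!";
# Reproduce the pre-5.26 default so the demo behaves the same on newer perls.
push @INC, '.' unless grep { $_ eq '.' } @INC;

# Safe helper first: it must fail to find the module and must not run it.
delete $INC{'Optional/Backend/Missing.pm'};
printf "safe:   loaded=%d pwned=%d\n", load_optional_safe($OPTIONAL), $PWNED;

# Unsafe helper: finds ./Optional/Backend/Missing.pm via "." and executes it.
delete $INC{'Optional/Backend/Missing.pm'};
printf "unsafe: loaded=%d pwned=%d\n", load_optional_unsafe($OPTIONAL), $PWNED;

chdir $orig_cwd or die "chdir: $!";
```

Run it from any directory: the safe helper reports the module as not loadable and leaves `$PWNED` at 0, while the unsafe helper loads the planted file and sets it. The important design point for a library like Sys::Syslog is the `local`: the fix must be scoped to the dynamic load, not applied to the global @INC of every program that happens to use the module.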
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 03 Aug 2016 01:47:54 +0200
Source: libsys-syslog-perl
Binary: libsys-syslog-perl
Architecture: source amd64
Version: 0.29-1+deb7u1
Distribution: wheezy-stable
Urgency: high
Maintainer: Debian Perl Group
Changed-By: Jonas Meurer
Description:
libsys-syslog-perl - Perl interface to the UNIX syslog(3) calls
Changes:
libsys-syslog-perl (0.29-1+deb7u1) wheezy-security; urgency=high
.
* Non-maintainer upload by the LTS team.
* Fix CVE-2016-1238: unsafe module load path flaw.
Checksums-Sha1:
82ae6f5af77a187e3e517cdec289333f4297b85e 2265 libsys-syslog-perl_0.29-1+deb7u1.dsc
7b51fca449de2e0cd210d9af2621367cfc91a515 79657 libsys-syslog-perl_0.29.orig.tar.gz
568e24519496797f0b19827c711010b7d8cc1b15 5115 libsys-syslog-perl_0.29-1+deb7u1.debian.tar.gz
a7edf1f24f7bfa949f953c7756bc9ea1bd52e416 43780 libsys-syslog-perl_0.29-1+deb7u1_amd64.deb
Checksums-Sha256:
612690f1b7e03a25ef72a8b10f1a535351b501acd1f0e29f728d1424e8bc91c7 2265 libsys-syslog-perl_0.29-1+deb7u1.dsc
121f3cf22de99cb714bb9257fb9a3427c51d375d11d3552437305691075bb6a9 79657 libsys-syslog-perl_0.29.orig.tar.gz
5a8475fc1aa4df0f49ecc59ce5ac1e6aba47c1cc7d5c08a7e82e2af6e25b8277 5115 libsys-syslog-perl_0.29-1+deb7u1.debian.tar.gz
c2f121f5d7dbf70abbb08e66a0991c43f009fff16627c6f1a5ee1b8c238b5e70 43780 libsys-syslog-perl_0.29-1+deb7u1_amd64.deb
Files:
bd833b71e12b7605a79e61aad09d464b 2265 perl optional libsys-syslog-perl_0.29-1+deb7u1.dsc
4c7aeb0a05e8dde2ab05a0b3be19d72c 79657 perl optional libsys-syslog-perl_0.29.orig.tar.gz
cc88d1e630688cf11a6287fb0c850b57 5115 perl optional libsys-syslog-perl_0.29-1+deb7u1.debian.tar.gz
da434337206d36ef799b45bcd10ff51d 43780 perl optional libsys-syslog-perl_0.29-1+deb7u1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

=04VH
-----END PGP SIGNATURE-----
diff -Nru libsys-syslog-perl-0.29/debian/changelog libsys-syslog-perl-0.29/debian/changelog
--- libsys-syslog-perl-0.29/debian/changelog 2011-04-19 19:36:38.0 +0200
+++ libsys-syslog-perl-0.29/debian/changelog 2016-08-03 01:47:54.0 +0200
@@ -1,3 +1,10 @@
+libsys-syslog-perl (0.29-1+deb7u1) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the LTS team.
+ * Fix CVE-2016-1238: unsafe module load path flaw.
+
+ -- Jonas Meurer Wed, 03 Aug 2016 01:47:54 +0200
+
libsys-syslog-perl (0.29-1) unstable; urgency=low
[ Jonathan Yu ]
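Review bot: the entry `* Fix CVE-2016-1238: unsafe module load path flaw.` says what is fixed but not how, and for a security upload this line is what ends up in the DLA text and in apt-listchanges; consider stating the actual change, e.g. `* Fix CVE-2016-1238: remove "." from @INC when Sys::Syslog loads modules dynamically, so a module file planted in the current working directory is no longer picked up (patch taken from the jessie-security fix).` Also, the attached .changes carries `Distribution: wheezy-stable` while this changelog entry targets `wheezy-security`; please make sure the two agree before uploading to security-master.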
diff -Nru libsys-syslog-perl-0.29/debian/patches/CVE-2016-1238.patch libsys-syslog-perl-0.29/debian/patches/CVE-2016-1238.patch
--- libsys-syslog-perl-0.29/debian/patches/CVE-2016-1238.patch 1970-01-01 01:00:00.0 +0100
+++ libsys-syslog-perl-0.29/debian/patches/CVE-2016-1238.patch 2016-08-03 01:41:36.0 +0200
@@ -0,0 +1,22 @@
+From: Jonas Meurer (taken over from Dominic Hargreaves )
+Date: Wed, 03 Aug 2016 01:41:25 +0200
+Subject: [PATCH] Remove . from @INC when loading modules dynamically
+ [CVE-2016-1238]
+
+---
+ Syslog.pm | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Syslog.pm b/Syslog.pm
+index a68f817..d972134 100644
+--- a/Syslog.pm
b/Syslog.pm
+@@ -859,6 +859,8 @@ sub sile
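Review bot: the hunk body after `+@@ -859,6 +859,8 @@ sub sile` is cut off in the debdiff as attached here, so the two lines added to Syslog.pm cannot be reviewed from this mail; please re-send the complete debdiff. When they are checked, the thing to confirm is that the "." removal is scoped to the dynamic load, e.g. `local @INC = grep { $_ ne '.' } @INC;` inside the loading helper, rather than an assignment to the global @INC, since Sys::Syslog is pulled in by many unrelated programs and must not alter their module search path outside that call. The DEP-3 header would also benefit from an `Origin:` line pointing at the jessie-security upload by Dominic Hargreaves that the From: line says this patch was taken over from, so the provenance is machine-readable and the stray space before the closing parenthesis in `(taken over from Dominic Hargreaves )` can go at the same time.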