[SRM] devscripts update (#507482)
Hi,
The devscripts package in etch has an insecure temporary directory issue
when signing files which are copied from a remote machine; see #507482.
The security team don't consider this to warrant a DSA - would it be
suitable for a stable update? I've attached a minimal debdiff.
Regards,
Adam
diff -adNru devscripts-2.9.26etch1/debsign.sh devscripts-2.9.26etch2/debsign.sh
--- devscripts-2.9.26etch1/debsign.sh 2008-12-08 18:11:35.000000000 +0000
+++ devscripts-2.9.26etch2/debsign.sh 2009-01-08 23:19:13.000000000 +0000
@@ -40,6 +40,7 @@
PRECIOUS_FILES=0
PROGNAME=`basename $0`
MODIFIED_CONF_MSG='Default settings modified by devscripts configuration files:'
+TEMP_DIR=
# --- Functions
@@ -85,9 +86,9 @@
cleanup_tmpdir () {
if [ "$PRECIOUS_FILES" -gt 0 ]; then
- echo "$PROGNAME: aborting with $PRECIOUS_FILES signed files in `pwd`" >&2
+ echo "$PROGNAME: aborting with $PRECIOUS_FILES signed files in $TEMP_DIR" >&2
else
- cd ..; rm -rf debsign.$$
+ cd ..; rm -rf $TEMP_DIR
fi
}
@@ -384,9 +385,9 @@
# Do we have to download the changes file?
if [ -n "$remotehost" ]
then
- mkdir debsign.$$ || { echo "$PROGNAME: Can't mkdir!" >&2; exit 1; }
+ TEMP_DIR="$(mktemp -dt "debsign.XXXXXXX")" || { echo "$PROGNAME: Can't make temporary dir!" >&2; exit 1; }
trap "cleanup_tmpdir" 0 1 2 3 7 10 13 15
- cd debsign.$$
+ cd $TEMP_DIR
remotechanges=$changes
remotedsc=$dsc
Reply to: