[libiptables-parse-perl] 01/02: Add CVE-2015-8326.patch patch

Salvatore Bonaccorso carnil at debian.org
Thu Nov 26 21:36:34 UTC 2015



carnil pushed a commit to branch wheezy
in repository libiptables-parse-perl.

commit 11ed0eb200884a9a1c07329a750aa9c6bb49b731
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Thu Nov 26 17:32:34 2015 +0100

    Add CVE-2015-8326.patch patch
    
    CVE-2015-8326: Use of predictable names for temporary files.
---
 debian/patches/CVE-2015-8326.patch | 46 ++++++++++++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 2 files changed, 47 insertions(+)

diff --git a/debian/patches/CVE-2015-8326.patch b/debian/patches/CVE-2015-8326.patch
new file mode 100644
index 0000000..207654c
--- /dev/null
+++ b/debian/patches/CVE-2015-8326.patch
@@ -0,0 +1,46 @@
+Description: Don't use predictable names for temporary files
+ This allows an attacker on a multi-user system to set up symlinks to
+ overwrite any file the current user has write access to.
+ .
+ Don't recommend users of this module to use predictable names either.
+Origin: backport, https://github.com/mtrmac/IPTables-Parse/commit/b400b976d81140f6971132e94eb7657b5b0a2b87
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1267962
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2015-11-26
+Applied-Upstream: 1.6
+
+---
+ lib/IPTables/Parse.pm | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/lib/IPTables/Parse.pm
++++ b/lib/IPTables/Parse.pm
+@@ -17,6 +17,7 @@ package IPTables::Parse;
+ use 5.006;
+ use POSIX ":sys_wait_h";
+ use Carp;
++use File::Temp;
+ use strict;
+ use warnings;
+ use vars qw($VERSION);
+@@ -29,8 +30,8 @@ sub new() {
+ 
+     my $self = {
+         _iptables => $args{'iptables'} || $args{'ip6tables'} || '/sbin/iptables',
+-        _iptout    => $args{'iptout'}    || '/tmp/ipt.out',
+-        _ipterr    => $args{'ipterr'}    || '/tmp/ipt.err',
++        _iptout    => $args{'iptout'}    || mktemp('/tmp/ipt.out.XXXXXX'),
++        _ipterr    => $args{'ipterr'}    || mktemp('/tmp/ipt.err.XXXXXX'),
+         _ipt_alarm => $args{'ipt_alarm'} || 30,
+         _debug     => $args{'debug'}     || 0,
+         _verbose   => $args{'verbose'}   || 0,
+@@ -701,8 +702,6 @@ IPTables::Parse - Perl extension for par
+ 
+   my %opts = (
+       'iptables' => $ipt_bin,
+-      'iptout'   => '/tmp/iptables.out',
+-      'ipterr'   => '/tmp/iptables.err',
+       'debug'    => 0,
+       'verbose'  => 0
+   );
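Review bot: The `mktemp(...)` calls on the new `_iptout` and `_ipterr` lines follow a bare `use File::Temp;`, and File::Temp exports only `tempfile` and `tempdir` by default, so the call appears unresolved at runtime unless the import line becomes `use File::Temp qw(mktemp);` — worth confirming against a build, since it would fail precisely when a caller passes no `iptout`/`ipterr` option. Separately, `mktemp` only returns an unpredictable name and does not create the file, so the later open of that path in the shared `/tmp` directory is still not atomic; the usual remedy is `tempfile()` (exported by default and creating the file atomically with O_EXCL) or `mkstemp`, keeping the handle rather than the path, though that would also touch the code that later opens `$self->{_iptout}`, which is outside this hunk. The enclosing `sub new` begins and ends outside the hunk.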
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..cd5e164
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2015-8326.patch
