[DRE-commits] [SCM] ruby-parser.git branch, master, updated. debian/2.3.1-1-1-geee1438

Cédric Boutillier boutil at debian.org
Wed Feb 27 14:21:07 UTC 2013


The following commit has been merged in the master branch:
commit eee143813939cf7aa9b92a529d57f45ec72c1501
Author: Cédric Boutillier <boutil at debian.org>
Date:   Tue Feb 26 07:16:08 2013 +0100

    Fix unsecure /tmp/ use. CVE-2013-0162. #701637

diff --git a/debian/changelog b/debian/changelog
index eefcda4..3a82070 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+ruby-parser (2.3.1-2) unstable; urgency=high
+
+  * Team upload
+  * Add debian/patches/002-fix-CVE-2013-0162.patch: avoid unsecure use of
+    /tmp/ [CVE-2013-0162] (Closes: #701637).
+
+ -- Cédric Boutillier <boutil at debian.org>  Tue, 26 Feb 2013 07:08:26 +0100
+
 ruby-parser (2.3.1-1) unstable; urgency=low
 
   * New upstream release. 
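Review bot: the wording "unsecure" in the changelog entry should be "insecure", which is also the term used by the CVE description; otherwise the entry is fine: urgency=high is appropriate for a security fix, and the Closes: #701637 reference will close the bug on upload.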
diff --git a/debian/patches/002-fix-CVE-2013-0162.patch b/debian/patches/002-fix-CVE-2013-0162.patch
new file mode 100644
index 0000000..e160752
--- /dev/null
+++ b/debian/patches/002-fix-CVE-2013-0162.patch
@@ -0,0 +1,36 @@
+Description: Fix incorrect /tmp/ usage (CVE-2013-0162)
+Author: Michael Scherer <mscherer at redhat.com>
+Reviewed-by: Cédric Boutillier <boutil at debian.org>
+Last-Updated: 2013-02-26
+
+--- a/lib/gauntlet_rubyparser.rb
++++ b/lib/gauntlet_rubyparser.rb
+@@ -31,18 +31,19 @@
+   def diff_pp o1, o2
+     require 'pp'
+ 
+-    File.open("/tmp/a.#{$$}", "w") do |f|
+-      PP.pp o1, f
+-    end
++    file_a = Tempfile.new('ruby_parser_a')
++    PP.pp o1, file_a
++    file_a.close
+ 
+-    File.open("/tmp/b.#{$$}", "w") do |f|
+-      PP.pp o2, f
+-    end
++    file_b = Tempfile.new('ruby_parser_b')
++    PP.pp o2, file_b
++    file_b.close
++
++    `diff -u #{file_a.path} #{file_b.path}`
+ 
+-    `diff -u /tmp/a.#{$$} /tmp/b.#{$$}`
+   ensure
+-    File.unlink "/tmp/a.#{$$}" rescue nil
+-    File.unlink "/tmp/b.#{$$}" rescue nil
++    file_a.unlink
++    file_b.unlink
+   end
+ 
+   def broke name, file, msg
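Review bot: the new code calls `Tempfile.new` but the hunk does not add `require 'tempfile'`; Tempfile lives in the standard library and is not loaded by default, so unless gauntlet_rubyparser.rb or one of its callers already requires it, `diff_pp` will raise NameError. Add `require 'tempfile'` next to the existing `require 'pp'`. Also, the old `ensure` block tolerated partial setup with `rescue nil`, whereas the new `file_a.unlink` / `file_b.unlink` will raise NoMethodError on nil if `Tempfile.new` for file_b fails before assignment; guard them as `file_a.unlink if file_a` and `file_b.unlink if file_b`. On the patch header, the DEP-3 field is spelled `Last-Update`, not `Last-Updated`, and a `Bug-Debian: http://bugs.debian.org/701637` line would document where the issue is tracked. The substance of the fix is right: Tempfile creates the files with a random name and mode 0600 in Dir.tmpdir, which removes the predictable `/tmp/a.#{$$}` names that allowed a local symlink attack.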
diff --git a/debian/patches/series b/debian/patches/series
index beb05d3..26cbddd 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 001-remove-rubygems-require.patch
+002-fix-CVE-2013-0162.patch

-- 
ruby-parser.git



More information about the Pkg-ruby-extras-commits mailing list