Message-ID: <email address hidden>
Date: Tue, 2 Nov 2004 19:28:48 +0100
From: Martin Schulze <email address hidden>
To: Martin Michlmayr <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#279229: CAN-2004-0972: Insecure temporary directory

--ys8nbMVQRzTucb0g
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Martin Michlmayr wrote:
> * Martin Schulze <email address hidden> [2004-11-01 16:37]:
> > Package: lvm10
> > Version: 1.0.8-7
> > Severity: grave
> >
> > I'm attaching the patch we're using for the woody update.
>
> FWIW, no patch was attached.
*sigh* here it is.
I should really open a grave bug against mutt for not reminding me to add the promised attachments. *grr*
Regards,
Joey
--
Given enough thrust pigs will fly, but it's not necessarily a good idea.
Please always Cc to me when replying to me on the lists.
--ys8nbMVQRzTucb0g
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: attachment; filename="patch.CAN-2004-0972.lvm10"
diff -u lvm10-1.0.4/1.0.4/tools/lvmcreate_initrd lvm10-1.0.4/1.0.4/tools/lvmcreate_initrd --- lvm10-1.0.4/1.0.4/tools/lvmcreate_initrd +++ lvm10-1.0.4/1.0.4/tools/lvmcreate_initrd @@ -237,6 +237,10 @@ # run out of room on the ramdisk while stripping the libraries. echo "$cmd -- stripping shared libraries" mkdir $TMPLIB +if [ $? -ne 0 ]; then + echo "$cmd -- ERROR making $TMPLIB" + cleanup 1 +fi for LIB in $SHLIBS; do verbose "copy $LIB to $TMPLIB$LIB" mkdir -p `dirname $TMPLIB$LIB` diff -u lvm10-1.0.4/debian/changelog lvm10-1.0.4/debian/changelog --- lvm10-1.0.4/debian/changelog +++ lvm10-1.0.4/debian/changelog @@ -1,3 +1,11 @@ +lvm10 (1:1.0.4-5woody2) stable-security; urgency=high + + * Non-maintainer upload by the Security Team + * Applied Trustix patch to correct insecure temporary directory creation + [1.0.4/tools/lvmcreate_initrd, CAN-2004-0972] + + -- Martin Schulze <email address hidden> Sun, 31 Oct 2004 20:31:55 +0100 + lvm10 (1:1.0.4-5woody1) stable; urgency=medium
* Fix bug in vgimport that could prevent volume groups with out-of-sequence
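Review bot: `mkdir $TMPLIB` in the lvmcreate_initrd hunk still runs unquoted and with the caller's umask, so the added `$?` check only stops the script when mkdir fails (for example because the path already exists); it does not make the new directory private. Suggest `mkdir -m 0700 "$TMPLIB"` and testing the command directly, as in `if ! mkdir -m 0700 "$TMPLIB"; then`, followed by the same `cleanup 1`. The hunk does not show how `$TMPLIB` is named; if the name is predictable, another local user can pre-create it and make every run abort at this check, which creating the directory with `mktemp -d` would avoid. The `mkdir -p` on `dirname $TMPLIB$LIB` in the trailing context has the same quoting issue, and the ERROR line would be better sent to stderr.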
--ys8nbMVQRzTucb0g--