Debian Bug report logs - #698735
CVE-2012-5530

Package: pcp; Maintainer for pcp is PCP Development Team <pcp@groups.io>; Source for pcp is src:pcp.

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Tue, 22 Jan 2013 21:42:06 UTC

Severity: important

Tags: security

Fixed in versions pcp/3.7.1, pcp/3.3.3-squeeze3

Done: Nathan Scott <nathans@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Nathan Scott <nathans@debian.org>:
Bug#698735; Package pcp. (Tue, 22 Jan 2013 21:42:10 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Nathan Scott <nathans@debian.org>. (Tue, 22 Jan 2013 21:42:10 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-5530
Date: Tue, 22 Jan 2013 22:40:09 +0100

Package: pcp
Severity: important
Tags: security

Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5530 
for further references.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#698735; Package pcp. (Thu, 24 Jan 2013 23:39:12 GMT)


Acknowledgement sent to Nathan Scott <nathans@debian.org>:
Extra info received and forwarded to list. (Thu, 24 Jan 2013 23:39:12 GMT)


Message #10 received at 698735@bugs.debian.org:

From: Nathan Scott <nathans@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 698735@bugs.debian.org
Subject: Re: Bug#698735: CVE-2012-5530
Date: Thu, 24 Jan 2013 18:34:47 -0500 (EST)

----- Original Message -----
> Please see
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5530
> for further references.

Thanks Moritz; I will work on the squeeze backport over this weekend.
An upstream update is planned for next week which I'll use to get the
version in unstable updated.

cheers.

--
Nathan



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#698735; Package pcp. (Mon, 28 Jan 2013 23:45:03 GMT)


Acknowledgement sent to Nathan Scott <nathans@debian.org>:
Extra info received and forwarded to list. (Mon, 28 Jan 2013 23:45:03 GMT)


Message #15 received at 698735@bugs.debian.org:

From: Nathan Scott <nathans@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 698735@bugs.debian.org
Subject: Re: Bug#698735: CVE-2012-5530
Date: Mon, 28 Jan 2013 18:40:43 -0500 (EST)

Hi,

----- Original Message -----
> 
> ----- Original Message -----
> > Please see
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5530
> > for further references.
> 
> Thanks Moritz; I will work on the squeeze backport over this weekend.
> An upstream update is planned for next week which I'll use to get the
> version in unstable updated.

I've prepared the squeeze backport, and done sanity testing on a
build on my laptop (which is running unstable).

Could someone from the security team help me out with details or
other assistance on a clean squeeze build?  I don't have a spare
machine (or much disk space for new VMs, etc, currently) to do a
local squeeze build.

The updated sources are at:  git://oss.sgi.com/pcp/pcp squeeze

Many thanks!

--
Nathan



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#698735; Package pcp. (Tue, 19 Mar 2013 23:51:04 GMT)


Acknowledgement sent to Nathan Scott <nathans@debian.org>:
Extra info received and forwarded to list. (Tue, 19 Mar 2013 23:51:04 GMT)


Message #20 received at 698735@bugs.debian.org:

From: Nathan Scott <nathans@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 698735@bugs.debian.org
Subject: Re: Bug#698735: CVE-2012-5530
Date: Tue, 19 Mar 2013 19:48:59 -0400 (EDT)

Hi all,

This is not getting any traction & in danger of being forgotten -
can anyone help out who knows the security update build process?
The patches have been prepared, tested, and are ready in the git
tree (below) - but I need some help to get it over the line.

thanks!!

----- Original Message -----
> ----- Original Message -----
> > ----- Original Message -----
> > > Please see
> > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5530
> > > for further references.
> > 
> > Thanks Moritz; I will work on the squeeze backport over this
> > weekend.
> > An upstream update is planned for next week which I'll use to get
> > the
> > version in unstable updated.
> 
> I've prepared the squeeze backport, and done sanity testing on a
> build on my laptop (which is running unstable).
> 
> Could someone from the security team help me out with details or
> other assistance on a clean squeeze build?  I don't have a spare
> machine (or much disk space for new VMs, etc, currently) to do a
> local squeeze build.
> 
> The updated sources are at:  git://oss.sgi.com/pcp/pcp squeeze
> 
> Many thanks!
> 
> --
> Nathan



Information forwarded to debian-bugs-dist@lists.debian.org, PCP Development Team <pcp@oss.sgi.com>:
Bug#698735; Package pcp. (Fri, 05 Apr 2013 05:12:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to PCP Development Team <pcp@oss.sgi.com>. (Fri, 05 Apr 2013 05:12:04 GMT)


Message #25 received at 698735@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Nathan Scott <nathans@debian.org>, 698735@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#698735: CVE-2012-5530
Date: Fri, 5 Apr 2013 07:09:08 +0200

# fixed in 3.6.10 upstream, first upload to Debian with 3.7.1
Control: fixed -1 3.7.1

Hi Nathan

On Tue, Mar 19, 2013 at 07:48:59PM -0400, Nathan Scott wrote:
> Hi all,
> 
> This is not getting any traction & in danger of being forgotten -
> can anyone help out who knows the security update build process?
> The patches have been prepared, tested, and are ready in the git
> tree (below) - but I need some help to get it over the line.
> 
> thanks!!

Only an update... In the security-tracker CVE-2012-5530[1] was marked
as no-dsa. This means there will not be a security announce update via
stable-security. But could you prepare a fix for it for Squeeze via a
stable-proposed-updates?

See [2] for further information on that.

 [1]: https://security-tracker.debian.org/tracker/CVE-2012-5530
 [2]: http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

Does this help?

p.s.: Don't know if it was discussed previously already, with 2.8.0
upload the package is now a Debian native package. See [3]. Was this
intentional? Or would it be possible to convert the package to a
non-native source package?

 [3]: http://www.debian.org/doc/manuals/developers-reference/pkgs.html#sourcelayout

Thanks for your work done!

Regards,
Salvatore



Marked as fixed in versions pcp/3.7.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 05 Apr 2013 05:18:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, PCP Development Team <pcp@oss.sgi.com>:
Bug#698735; Package pcp. (Sat, 06 Apr 2013 23:57:09 GMT)


Acknowledgement sent to Nathan Scott <nathans@debian.org>:
Extra info received and forwarded to list. Copy sent to PCP Development Team <pcp@oss.sgi.com>. (Sat, 06 Apr 2013 23:57:09 GMT)


Message #32 received at 698735@bugs.debian.org:

From: Nathan Scott <nathans@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 698735@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: [pcp] Bug#698735: CVE-2012-5530
Date: Sat, 6 Apr 2013 19:53:22 -0400 (EDT)

Hi,

----- Original Message -----
> ...
> Only an update... In the security-tracker CVE-2012-5530[1] was marked
> as no-dsa. This means there will not be a security announce update via
> stable-security. But could you prepare a fix for it for Squeeze via a
> stable-proposed-updates?
> 
> See [2] for further information on that.
> 
>  [1]: https://security-tracker.debian.org/tracker/CVE-2012-5530
>  [2]:
>  http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable
> 
> Does this help?
> 

I'm travelling at the moment with limited net access - will read
through the above in ~1 week and see.  Thanks for the pointers!

cheers.

--
Nathan



Information forwarded to debian-bugs-dist@lists.debian.org, PCP Development Team <pcp@oss.sgi.com>:
Bug#698735; Package pcp. (Wed, 07 Aug 2013 23:39:04 GMT)


Acknowledgement sent to Nathan Scott <nathans@debian.org>:
Extra info received and forwarded to list. Copy sent to PCP Development Team <pcp@oss.sgi.com>. (Wed, 07 Aug 2013 23:39:04 GMT)


Message #37 received at 698735@bugs.debian.org:

From: Nathan Scott <nathans@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, Moritz Muehlenhoff <jmm@debian.org>
Cc: 698735@bugs.debian.org
Subject: Re: [pcp] Bug#698735: CVE-2012-5530
Date: Wed, 7 Aug 2013 19:36:52 -0400 (EDT)

Hi guys,

Coming back to this one after quite some time ... (my apologies!)

----- Original Message -----
> Only an update... In the security-tracker CVE-2012-5530[1] was marked
> as no-dsa. This means there will not be a security announce update via
> stable-security. But could you prepare a fix for it for Squeeze via a
> stable-proposed-updates?

I have finally been able to find resources needed to set up an oldstable
machine to appropriately build and test these changes, and have done so
now.

So, mainly FYI - I'll be following Salvatore's pointer above, and doing
an upload as a proposed update to oldstable to resolve this one (stable
has since become wheezy and it is unaffected).

cheers.

--
Nathan



Reply sent to Nathan Scott <nathans@debian.org>:
You have taken responsibility. (Sat, 10 Aug 2013 15:51:05 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sat, 10 Aug 2013 15:51:05 GMT)


Message #42 received at 698735-close@bugs.debian.org:

From: Nathan Scott <nathans@debian.org>
To: 698735-close@bugs.debian.org
Subject: Bug#698735: fixed in pcp 3.3.3-squeeze3
Date: Sat, 10 Aug 2013 15:48:25 +0000

Source: pcp
Source-Version: 3.3.3-squeeze3

We believe that the bug you reported is fixed in the latest version of
pcp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 698735@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nathan Scott <nathans@debian.org> (supplier of updated pcp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 08 Aug 2013 09:15:39 +1000
Source: pcp
Binary: pcp libpcp3-dev libpcp3 libpcp-gui2-dev libpcp-gui2 libpcp-mmv1-dev libpcp-mmv1 libpcp-pmda3-dev libpcp-pmda3 libpcp-trace2-dev libpcp-trace2 libpcp-pmda-perl libpcp-logsummary-perl libpcp-mmv-perl
Architecture: source amd64
Version: 3.3.3-squeeze3
Distribution: oldstable
Urgency: high
Maintainer: Nathan Scott <nathans@debian.org>
Changed-By: Nathan Scott <nathans@debian.org>
Description: 
 libpcp-gui2 - Performance Co-Pilot graphical client tools library
 libpcp-gui2-dev - Performance Co-Pilot graphical client tools library and headers
 libpcp-logsummary-perl - Performance Co-Pilot historical log summary module
 libpcp-mmv-perl - Performance Co-Pilot Memory Mapped Value Perl module
 libpcp-mmv1 - Performance Co-Pilot Memory Mapped Value client library
 libpcp-mmv1-dev - Performance Co-Pilot Memory Mapped Value library and headers
 libpcp-pmda-perl - Performance Co-Pilot Domain Agent Perl module
 libpcp-pmda3 - Performance Co-Pilot Domain Agent library
 libpcp-pmda3-dev - Performance Co-Pilot Domain Agent library and headers
 libpcp-trace2 - Performance Co-Pilot application tracing library
 libpcp-trace2-dev - Performance Co-Pilot application tracing library and headers
 libpcp3    - Performance Co-Pilot library
 libpcp3-dev - Performance Co-Pilot library and headers
 pcp        - System level performance monitoring and performance management
Closes: 698735
Changes: 
 pcp (3.3.3-squeeze3) oldstable; urgency=high
 .
   * Provides resolution for no-dsa security advisory CVE-2012-5530
   * Backport SuSE insecure tmpfile handling fixes (closes: #698735)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 08 Sep 2013 07:27:34 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:41:29 2019; Machine Name: beach
