[ubuntu/precise] whoopsie-daisy 0.1.8 (Accepted)
Evan Dandrea
ev at ubuntu.com
Thu Feb 16 17:00:26 UTC 2012
whoopsie-daisy (0.1.8) precise; urgency=low

  * Security fixes. Thanks Jamie Strandboge for the review.
    - Check the return value of the open call in get_system_uuid.
    - Properly initialize libcrypt.
    - Check that the call to gcry_md_open succeeds.
    - Ensure that reading the SHA512 message digest succeeds.
    - Protect against changes to the message digest length creating a
      security vulnerability.
    - Check the returncode of setenv.
    - Use /var/lock/whoopsie instead of /tmp/.whoopsie-lock.
    - umask is usually called before fork.
    - Future-proof by using getrlimit instead of explicitly closing STD*.
    - Redirect stdin, stdout, and stderr to /dev/null.
    - Ensure strings created in update_to_crash_file are NULL-terminated.
    - Only process regular files in /var/crash.
    - Replace calls to *alloc with g_*alloc, which calls abort() on
      failure.
    - Remove unused system_uuid pointer.
    - Fix warnings in make check.
    - Initialize all of curl.
    - Redirect stderr to null in chgrp and chmod calls.
    - Set home directory to /nonexistent.
    - Enable libcrypt secure memory.
    - Put the lock file in /var/lock/whoopsie/.
    - Sanity check the CRASH_DB_URL environment variable.
    - Added tests:
      - Check handling of embedded NUL bytes.
      - Verify that symlinks in /var/crash produce the correct error
        message.
      - Verify that keys without values in reports produce an error message.
      - Ensure that the report does not start with a value.
      - Correctly identify a report without spaces as malformed.
      - Verify that directories in /var/crash produce the correct error
        message.
      - Ensure that blank lines in a report are treated as errors.
      - Ensure that carriage returns are escaped.
      - Do not start multi-line values with a newline.
      - Check that a valid report has the exact expected contents.
      - Ensure that other variants of embedded carriage returns are escaped.
      - Verify that reports without a trailing newline are handled properly.
  * Change crash database URL to http://daisy.ubuntu.com.
  * Main inclusion request approved (LP: #913694).

Date: Thu, 16 Feb 2012 16:37:35 +0000
Changed-By: Evan Dandrea <ev at ubuntu.com>
https://launchpad.net/ubuntu/precise/+source/whoopsie-daisy/0.1.8
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 16 Feb 2012 16:37:35 +0000
Source: whoopsie-daisy
Binary: whoopsie
Architecture: source
Version: 0.1.8
Distribution: precise
Urgency: low
Maintainer: Evan Dandrea <ev at ubuntu.com>
Changed-By: Evan Dandrea <ev at ubuntu.com>
Description:
whoopsie - Ubuntu crash database submission daemon.
Launchpad-Bugs-Fixed: 913694
Checksums-Sha1:
3f39a95e11d59519f9ef208826e8cd2191aacbc7 1025 whoopsie-daisy_0.1.8.dsc
1088d4d1c838fbcd022ef58ae8f539354e4652eb 54008 whoopsie-daisy_0.1.8.tar.gz
Checksums-Sha256:
7be7c5592f088c7cf1be8b73fc1a12d5e9bb3ca168ad3c277adf6a7eb04b130c 1025 whoopsie-daisy_0.1.8.dsc
7e1c6dba1b9b872d40ced912ba60be7a3abbbaa6338050e12694ddd6c77ac73a 54008 whoopsie-daisy_0.1.8.tar.gz
Files:
2053f9e25d489d25151e085d1a2aaf84 1025 utils optional whoopsie-daisy_0.1.8.dsc
e6f0e3b7196fb1834ad683430c688b40 54008 utils optional whoopsie-daisy_0.1.8.tar.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk89MRcACgkQYMSoESsJNnsc3QCgv7T4SFqxl5Yg5oWXhoyZrXh7
5kAAoMRq3QhaaYkPH1Gcg1Fyr6ulbIf2
=igO2
-----END PGP SIGNATURE-----