Dear release team, I would like to upload a new version of the backup-manager to stable in order to fix a (relatively minor) security issue. The fix is trivial, just transposing two lines and thus ensuring that a password is not written to a file until the world is denied read access. Full debdiff is attached. There is certainly no need for a DSA, since the problem is similar to CVE-2007-2766 (to be fixed in oldstable, no DSA), but even harder to exploit. Regards, Sven
diff -u backup-manager-0.7.7/debian/control backup-manager-0.7.7/debian/control --- backup-manager-0.7.7/debian/control +++ backup-manager-0.7.7/debian/control @@ -3,7 +3,7 @@ Priority: optional Build-Depends-Indep: debiandoc-sgml, tetex-bin, tetex-extra Build-Depends: po-debconf, debhelper (>= 5), dpatch -Maintainer: Alexis Sukrieh <sukria@debian.org> +Maintainer: Sven Joachim <svenjoac@gmx.de> Standards-Version: 3.7.3 XS-Vcs-Svn: svn://svn.debian.org/svn/pkg-backup-mngr/trunk/ diff -u backup-manager-0.7.7/debian/changelog backup-manager-0.7.7/debian/changelog --- backup-manager-0.7.7/debian/changelog +++ backup-manager-0.7.7/debian/changelog @@ -1,3 +1,12 @@ +backup-manager (0.7.7-2) stable; urgency=high + + * Fix possible MYSQL password leaking to local users by making the + .my.cnf file world-unreadable before writing the password to it. + * Set myself as maintainer in debian/control. + * Remove spurious debian/patches/00list.diff and update 00list. + + -- Sven Joachim <svenjoac@gmx.de> Fri, 22 Jan 2010 12:47:43 +0100 + backup-manager (0.7.7-1.1) unstable; urgency=low * Non-maintainer upload. diff -u backup-manager-0.7.7/debian/patches/00list backup-manager-0.7.7/debian/patches/00list --- backup-manager-0.7.7/debian/patches/00list +++ backup-manager-0.7.7/debian/patches/00list @@ -4,0 +5,2 @@ +05_German_transation_update.dpatch +06_no_password_leak.dpatch reverted: --- backup-manager-0.7.7/debian/patches/00list.diff +++ backup-manager-0.7.7.orig/debian/patches/00list.diff @@ -1,7 +0,0 @@ ---- 00list~ 2008-09-21 09:03:58.000000000 +0200 -+++ 00list 2008-09-21 08:20:06.000000000 +0200 -@@ -2,3 +2,4 @@ - 02_cdrecord_to_wodim.dpatch - 03_VERSION.dpatch - 04_Makefile.dpatch -+05_German_transation_update.dpatch only in patch2: unchanged: --- backup-manager-0.7.7.orig/debian/patches/06_no_password_leak.dpatch +++ backup-manager-0.7.7/debian/patches/06_no_password_leak.dpatch 
@@ -0,0 +1,20 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 06_no_password_leak.dpatch by Sven Joachim <svenjoac@gmx.de> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix possible leaking of MYSQL passwords to local users. + +@DPATCH@ +diff -urNad backup-manager-0.7.7~/lib/backup-methods.sh backup-manager-0.7.7/lib/backup-methods.sh +--- backup-manager-0.7.7~/lib/backup-methods.sh 2008-04-14 19:58:43.000000000 +0200 ++++ backup-manager-0.7.7/lib/backup-methods.sh 2010-01-22 12:40:04.787321885 +0100 +@@ -852,8 +852,8 @@ + warning "Creating a default MySQL client configuration file: \$HOME/.my.cnf" + echo "[client]" > $HOME/.my.cnf + echo "# The following password will be sent to all standard MySQL clients" >> $HOME/.my.cnf +- echo "password=\"$BM_MYSQL_ADMINPASS\"" >> $HOME/.my.cnf + chmod 600 $HOME/.my.cnf ++ echo "password=\"$BM_MYSQL_ADMINPASS\"" >> $HOME/.my.cnf + fi + base_command="$mysqldump $opt -u$BM_MYSQL_ADMINLOGIN -h$BM_MYSQL_HOST -P$BM_MYSQL_PORT" + compress="$BM_MYSQL_FILETYPE"
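Review bot: the 00list hunk (`@@ -4,0 +5,2 @@`) enables two patches, not one: besides 06_no_password_leak.dpatch it adds 05_German_transation_update.dpatch, which the removed 00list.diff shows was never actually listed in 00list before, so the German translation update becomes active in stable with this upload. The changelog only says "update 00list"; for a stable update it should state explicitly that 05_German_transation_update.dpatch is now applied, or that line should be left out so the upload stays limited to the security fix.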
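Review bot: in the 06_no_password_leak.dpatch hunk, moving `chmod 600 $HOME/.my.cnf` ahead of the password echo narrows the window but does not close it: the file is still created by `echo "[client]" > $HOME/.my.cnf` under the process umask, and chmod does not change the access of a descriptor that was opened while the mode was still permissive. Creating the file with a restrictive umask from the start, e.g. `( umask 077; echo "[client]" > "$HOME/.my.cnf" )` before the appends, removes the window entirely; quoting `$HOME` in the redirections and the chmod would also be worth doing while these lines are being touched.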