Dear release team,

I would like to upload a new version of the backup-manager to oldstable in order to fix CVE-2007-2766¹. The patch is taken from a commit in upstream's git repository², removing unrelated changes. Full debdiff is attached.

Regards,
Sven

¹ http://security-tracker.debian.org/tracker/CVE-2007-2766
² http://github.com/sukria/Backup-Manager/commit/a4e57ad01d89bd0dcae1d19689ce442bfc4f118d
diff -u backup-manager-0.7.5/debian/changelog backup-manager-0.7.5/debian/changelog --- backup-manager-0.7.5/debian/changelog +++ backup-manager-0.7.5/debian/changelog @@ -1,3 +1,12 @@ +backup-manager (0.7.5-5) oldstable; urgency=high + + * Fix leaking of MYSQL passwords to local users (CVE-2007-2766). + Note that the password is now taken from $HOME/.my.cnf if it exists, + overriding the BM_MYSQL_ADMINPASS variable in backup-manager.conf. + * Set myself as maintainer. + + -- Sven Joachim <svenjoac@gmx.de> Fri, 22 Jan 2010 13:20:44 +0100 + backup-manager (0.7.5-4) stable-security; urgency=high * Backport from unstable (version 0.7.6-4) for closing a security issue: diff -u backup-manager-0.7.5/debian/control backup-manager-0.7.5/debian/control --- backup-manager-0.7.5/debian/control +++ backup-manager-0.7.5/debian/control @@ -3,7 +3,7 @@ Priority: optional Build-Depends-Indep: debiandoc-sgml, tetex-bin, tetex-extra Build-Depends: po-debconf, debhelper (>= 5), dpatch -Maintainer: Alexis Sukrieh <sukria@debian.org> +Maintainer: Sven Joachim <svenjoac@gmx.de> Standards-Version: 3.7.2 XS-Vcs-Svn: svn://svn.debian.org/svn/pkg-backup-mngr/trunk/ diff -u backup-manager-0.7.5/debian/patches/00list backup-manager-0.7.5/debian/patches/00list --- backup-manager-0.7.5/debian/patches/00list +++ backup-manager-0.7.5/debian/patches/00list @@ -6,0 +7 @@ +08_CVE-2007-2766.dpatch only in patch2: unchanged: --- backup-manager-0.7.5.orig/debian/patches/08_CVE-2007-2766.dpatch +++ backup-manager-0.7.5/debian/patches/08_CVE-2007-2766.dpatch 
@@ -0,0 +1,69 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 08_CVE-2007-2766.dpatch by Sven Joachim <svenjoac@gmx.de> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix leaking of MYSQL passwords to local users (CVE 2007-2766). + +@DPATCH@ +diff -urNad backup-manager-0.7.5~/doc/user-guide.sgml backup-manager-0.7.5/doc/user-guide.sgml +--- backup-manager-0.7.5~/doc/user-guide.sgml 2006-09-16 18:48:17.000000000 +0200 ++++ backup-manager-0.7.5/doc/user-guide.sgml 2010-01-22 13:12:10.327128967 +0100 +@@ -662,6 +662,21 @@ + This method provides a way to archive MySQL databases, the archives are made with + mysqldump (SQL text files) and can be compressed. + ++<p> ++In versions prior to 0.8, &bmngr; used to pass the MySQL client's password through ++the command line. As explained by the MySQL manual, that's a security issue as ++the password is then readable for a short time in the /proc directory (or using ++the ps command). ++ ++<p> ++To close that vulnerability, the MySQL client password is not passed through ++the command line anymore, it is written in a configuration file located in the ++home directory of the user running &bmngr; : <tt>~/.my.cnf</tt>. ++ ++<p> ++If that file doesn't exist at runtime, &bmngr; will create it and will then ++write the password provided in <tt>BM_MYSQL_ADMINPASS</tt> inside. 
++ + <sect2 id="BM_MYSQL_DATABASES"><tt>BM_MYSQL_DATABASES</tt> + + <p> +diff -urNad backup-manager-0.7.5~/lib/backup-methods.sh backup-manager-0.7.5/lib/backup-methods.sh +--- backup-manager-0.7.5~/lib/backup-methods.sh 2006-09-16 18:48:17.000000000 +0200 ++++ backup-manager-0.7.5/lib/backup-methods.sh 2010-01-22 13:13:45.147119826 +0100 +@@ -680,7 +680,21 @@ + opt="--opt" + fi + +- base_command="$mysqldump $opt -u$BM_MYSQL_ADMINLOGIN -p$BM_MYSQL_ADMINPASS -h$BM_MYSQL_HOST -P$BM_MYSQL_PORT" ++ # if a MySQL Client conffile exists, the password must be inside ++ if [ -f "$HOME/.my.cnf" ]; then ++ info "Using existing MySQL client configuration file: \$HOME/.my.cnf" ++ # we create a default one, just with the password ++ else ++ if [ -z "$BM_MYSQL_ADMINPASS" ]; then ++ error "You have to set BM_MYSQL_ADMINPASS in order to use the mysql method." ++ fi ++ warning "Creating a default MySQL client configuration file: \$HOME/.my.cnf" ++ echo "[client]" > $HOME/.my.cnf ++ echo "# The following password will be sent to all standard MySQL clients" >> $HOME/.my.cnf ++ chmod 600 $HOME/.my.cnf ++ echo "password=\"$BM_MYSQL_ADMINPASS\"" >> $HOME/.my.cnf ++ fi ++ base_command="$mysqldump $opt -u$BM_MYSQL_ADMINLOGIN -h$BM_MYSQL_HOST -P$BM_MYSQL_PORT" + compress="$BM_MYSQL_FILETYPE" + + for database in $BM_MYSQL_DATABASES +diff -urNad backup-manager-0.7.5~/lib/sanitize.sh backup-manager-0.7.5/lib/sanitize.sh +--- backup-manager-0.7.5~/lib/sanitize.sh 2006-09-16 18:48:17.000000000 +0200 ++++ backup-manager-0.7.5/lib/sanitize.sh 2010-01-22 13:12:10.327128967 +0100 +@@ -198,7 +198,6 @@ + + if [ "$BM_ARCHIVE_METHOD" = "mysql" ]; then + confkey_require "BM_MYSQL_ADMINLOGIN" "root" +- confkey_require "BM_MYSQL_ADMINPASS" "" + confkey_require "BM_MYSQL_HOST" "localhost" + confkey_require "BM_MYSQL_PORT" "3306" + confkey_require "BM_MYSQL_FILETYPE" "tar.gz"
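Review bot: in the lib/backup-methods.sh hunk, `echo "[client]" > $HOME/.my.cnf` creates the file under the caller's umask (typically 022, so world-readable) and the `chmod 600` only follows two lines later; a local user who opens the file in that window keeps a readable descriptor after the chmod and can read the `password=` line appended afterwards, which is the same class of leak the patch sets out to close. Create the file with restrictive permissions from the start, e.g. `(umask 077; echo "[client]" > "$HOME/.my.cnf")`, and only then append the remaining lines; quote `"$HOME/.my.cnf"` in all five uses while at it. The comment `# we create a default one, just with the password` sits in the `then` branch but describes the `else` branch and should move below the `else`. Finally, the value is written as `password="$BM_MYSQL_ADMINPASS"`, so a password containing a double quote or backslash produces an option file the MySQL client cannot parse; either escape those characters or document the limitation.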
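Review bot: in the lib/sanitize.sh hunk, dropping `confkey_require "BM_MYSQL_ADMINPASS" ""` means the only remaining check is the `-z` test in backup-methods.sh, which runs solely when `~/.my.cnf` is absent. When the file exists but has no `password=` entry under `[client]`, mysqldump will fail (or block on a prompt when attached to a terminal) with no message from backup-manager pointing at the cause. Consider a sanity check in the existing-file branch, along the lines of `grep -q '^password' "$HOME/.my.cnf" || warning "No password found in \$HOME/.my.cnf"`.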
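Review bot: the doc/user-guide.sgml hunk documents that `~/.my.cnf` is created when missing but omits two facts the changelog entry relies on: that an existing `~/.my.cnf` is used as-is, so `BM_MYSQL_ADMINPASS` in backup-manager.conf is then ignored, and that the generated file holds the password in clear text and is created mode 0600 for the user running &bmngr;. Add a sentence for each after the `<p>If that file doesn't exist at runtime ...` paragraph so administrators know which setting wins and what to protect.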