
oldstable update for backup-manager



Dear release team,

I would like to upload a new version of the backup-manager to oldstable
in order to fix CVE-2007-2766¹.  The patch is taken from a commit in
upstream's git repository², removing unrelated changes.  Full debdiff is
attached.

Regards,
        Sven


¹ http://security-tracker.debian.org/tracker/CVE-2007-2766
² http://github.com/sukria/Backup-Manager/commit/a4e57ad01d89bd0dcae1d19689ce442bfc4f118d

diff -u backup-manager-0.7.5/debian/changelog backup-manager-0.7.5/debian/changelog
--- backup-manager-0.7.5/debian/changelog
+++ backup-manager-0.7.5/debian/changelog
@@ -1,3 +1,12 @@
+backup-manager (0.7.5-5) oldstable; urgency=high
+
+  * Fix leaking of MYSQL passwords to local users (CVE-2007-2766).
+    Note that the password is now taken from $HOME/.my.cnf if it exists,
+    overriding the BM_MYSQL_ADMINPASS variable in backup-manager.conf.
+  * Set myself as maintainer.
+
+ -- Sven Joachim <svenjoac@gmx.de>  Fri, 22 Jan 2010 13:20:44 +0100
+
 backup-manager (0.7.5-4) stable-security; urgency=high
 
   * Backport from unstable (version 0.7.6-4) for closing a security issue:
diff -u backup-manager-0.7.5/debian/control backup-manager-0.7.5/debian/control
--- backup-manager-0.7.5/debian/control
+++ backup-manager-0.7.5/debian/control
@@ -3,7 +3,7 @@
 Priority: optional
 Build-Depends-Indep: debiandoc-sgml, tetex-bin, tetex-extra
 Build-Depends: po-debconf, debhelper (>= 5), dpatch
-Maintainer: Alexis Sukrieh <sukria@debian.org>
+Maintainer: Sven Joachim <svenjoac@gmx.de>
 Standards-Version: 3.7.2
 XS-Vcs-Svn: svn://svn.debian.org/svn/pkg-backup-mngr/trunk/
 
diff -u backup-manager-0.7.5/debian/patches/00list backup-manager-0.7.5/debian/patches/00list
--- backup-manager-0.7.5/debian/patches/00list
+++ backup-manager-0.7.5/debian/patches/00list
@@ -6,0 +7 @@
+08_CVE-2007-2766.dpatch
only in patch2:
unchanged:
--- backup-manager-0.7.5.orig/debian/patches/08_CVE-2007-2766.dpatch
+++ backup-manager-0.7.5/debian/patches/08_CVE-2007-2766.dpatch
@@ -0,0 +1,69 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 08_CVE-2007-2766.dpatch by Sven Joachim <svenjoac@gmx.de>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix leaking of MYSQL passwords to local users (CVE 2007-2766).
+
+@DPATCH@
+diff -urNad backup-manager-0.7.5~/doc/user-guide.sgml backup-manager-0.7.5/doc/user-guide.sgml
+--- backup-manager-0.7.5~/doc/user-guide.sgml	2006-09-16 18:48:17.000000000 +0200
++++ backup-manager-0.7.5/doc/user-guide.sgml	2010-01-22 13:12:10.327128967 +0100
+@@ -662,6 +662,21 @@
+ This method provides a way to archive MySQL databases, the archives are made with 
+ mysqldump (SQL text files) and can be compressed.
+ 
++<p>
++In versions prior to 0.8, &bmngr; used to pass the MySQL client's password through 
++the command line. As explained by the MySQL manual, that's a security issue as
++the password is then readable for a short time in the /proc directory (or using
++the ps command).
++
++<p>
++To close that vulnerability, the MySQL client password is not passed through
++the command line anymore, it is written in a configuration file located in the
++home directory of the user running &bmngr; : <tt>~/.my.cnf</tt>.
++
++<p>
++If that file doesn't exist at runtime, &bmngr; will create it and will then
++write the password provided in <tt>BM_MYSQL_ADMINPASS</tt> inside. 
++
+ <sect2 id="BM_MYSQL_DATABASES"><tt>BM_MYSQL_DATABASES</tt>
+ 
+ <p>
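Review bot: the first added paragraph says "In versions prior to 0.8, &bmngr; used to pass the MySQL client's password through the command line", but this text is being backported into 0.7.5-5, so in the package that ships it the "prior to 0.8" behaviour is exactly what this upload removes; reword it without the upstream version number, e.g. "Earlier versions of &bmngr; passed the MySQL client's password on the command line". The third paragraph should also say what the changelog entry says, that an existing <tt>~/.my.cnf</tt> takes precedence over <tt>BM_MYSQL_ADMINPASS</tt>, and that the created file is mode 0600 and holds the password in clear text for every MySQL client run by that user. Minor: stray space in "&bmngr; : <tt>~/.my.cnf</tt>".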
+diff -urNad backup-manager-0.7.5~/lib/backup-methods.sh backup-manager-0.7.5/lib/backup-methods.sh
+--- backup-manager-0.7.5~/lib/backup-methods.sh	2006-09-16 18:48:17.000000000 +0200
++++ backup-manager-0.7.5/lib/backup-methods.sh	2010-01-22 13:13:45.147119826 +0100
+@@ -680,7 +680,21 @@
+         opt="--opt"
+     fi
+     
+-    base_command="$mysqldump $opt -u$BM_MYSQL_ADMINLOGIN -p$BM_MYSQL_ADMINPASS -h$BM_MYSQL_HOST -P$BM_MYSQL_PORT"
++    # if a MySQL Client conffile exists, the password must be inside
++    if [ -f "$HOME/.my.cnf" ]; then
++        info "Using existing MySQL client configuration file: \$HOME/.my.cnf"
++    # we create a default one, just with the password
++    else
++        if [ -z "$BM_MYSQL_ADMINPASS" ]; then
++            error "You have to set BM_MYSQL_ADMINPASS in order to use the mysql method."
++        fi
++        warning "Creating a default MySQL client configuration file: \$HOME/.my.cnf"
++        echo "[client]" > $HOME/.my.cnf 
++        echo "# The following password will be sent to all standard MySQL clients" >> $HOME/.my.cnf 
++        chmod 600 $HOME/.my.cnf
++        echo "password=\"$BM_MYSQL_ADMINPASS\"" >> $HOME/.my.cnf
++    fi
++    base_command="$mysqldump $opt -u$BM_MYSQL_ADMINLOGIN -h$BM_MYSQL_HOST -P$BM_MYSQL_PORT"
+     compress="$BM_MYSQL_FILETYPE"	
+ 
+     for database in $BM_MYSQL_DATABASES
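Review bot: the file is created by `echo "[client]" > $HOME/.my.cnf` under the caller's umask and only gets `chmod 600` two lines later, so with a permissive umask it is briefly world-readable; the password is written after the chmod, which limits what is exposed, but it is cleaner to create it with the final mode from the start (e.g. `umask 077` in a subshell, or `touch` + `chmod 600` before the first write). `$HOME/.my.cnf` is unquoted in all four occurrences. The `if [ -z "$BM_MYSQL_ADMINPASS" ]` branch has no `return` or `exit` after `error`, so it relies on `error` aborting the run; if `error` only logs, an empty `password=""` line is written into a file that then persists across runs. Also worth noting: `password=\"$BM_MYSQL_ADMINPASS\"` is not escaped, so a password containing a double quote or backslash would need escaping to survive in the option file, and when `$HOME/.my.cnf` already exists nothing verifies that it actually contains a `password` entry, so mysqldump can fail or prompt in an unattended run.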
+diff -urNad backup-manager-0.7.5~/lib/sanitize.sh backup-manager-0.7.5/lib/sanitize.sh
+--- backup-manager-0.7.5~/lib/sanitize.sh	2006-09-16 18:48:17.000000000 +0200
++++ backup-manager-0.7.5/lib/sanitize.sh	2010-01-22 13:12:10.327128967 +0100
+@@ -198,7 +198,6 @@
+ 
+ if [ "$BM_ARCHIVE_METHOD" = "mysql" ]; then
+ 	confkey_require "BM_MYSQL_ADMINLOGIN" "root"
+-	confkey_require "BM_MYSQL_ADMINPASS" ""
+ 	confkey_require "BM_MYSQL_HOST" "localhost"
+ 	confkey_require "BM_MYSQL_PORT" "3306"
+ 	confkey_require "BM_MYSQL_FILETYPE" "tar.gz"
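Review bot: dropping `confkey_require "BM_MYSQL_ADMINPASS" ""` removes the only place the key was validated, so a backup-manager.conf that still sets BM_MYSQL_ADMINPASS is silently ignored once `$HOME/.my.cnf` exists (the behaviour the changelog entry documents). Consider keeping a check here that warns when BM_MYSQL_ADMINPASS is non-empty and `$HOME/.my.cnf` already exists, so an administrator who rotates the password in backup-manager.conf learns that the file, not the variable, is what mysqldump reads.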
