Hi, On Wed, Aug 24, 2011 at 5:27 AM, Jonathan Wiltshire <jmw@debian.org> wrote: > > Package: pyro > Followup-For: Bug #631912 > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Dear maintainer, > > Recently you fixed one or more security problems and as a result you closed > this bug. These problems were not serious enough for a Debian Security > Advisory, so they are now on my radar for fixing in the following suites > through point releases: > > squeeze (6.0.3) > > Please prepare a minimal-changes upload targetting each of these suites, > and submit a debdiff to the Release Team [0] for consideration. They will > offer additional guidance or instruct you to upload your package. Please find attached the debdiffs for lenny and squeeze. No adaptation was necessary from sid. Regards
diff -u pyro-3.7/debian/pyro.pyro-nsd.default pyro-3.7/debian/pyro.pyro-nsd.default
--- pyro-3.7/debian/pyro.pyro-nsd.default
+++ pyro-3.7/debian/pyro.pyro-nsd.default
@@ -5,4 +5,5 @@
# Options to pass to pyro-nsd
+# available: "--pidfile=..."
OPTIONS=""
diff -u pyro-3.7/debian/NEWS.Debian pyro-3.7/debian/NEWS.Debian
--- pyro-3.7/debian/NEWS.Debian
+++ pyro-3.7/debian/NEWS.Debian
@@ -1,3 +1,14 @@
+pyro (3.7-2+lenny1) oldstable-security; urgency=high
+
+ Changed default location for pidfile from /tmp/nsd.pid to
+ /var/run/pyro-nsd.pid for security reasons.
+
+ If you need to restore the previous behavior, the pyro-nsd binary now
+ accepts a new parameter: --pidfile=...
+ This parameter can be set system-wide through the /etc/default/pyro-nsd file.
+
+ -- Gustavo Goretkin <gustavo.goretkin@gmail.com> Sun, 21 Aug 2011 18:44:37 -0400
+
pyro (3.7-1) unstable; urgency=low
* Since version 3.7-1 the Debian package follows upstream's change in
diff -u pyro-3.7/debian/pyro.pyro-nsd.init pyro-3.7/debian/pyro.pyro-nsd.init
--- pyro-3.7/debian/pyro.pyro-nsd.init
+++ pyro-3.7/debian/pyro.pyro-nsd.init
@@ -29,7 +29,6 @@
fi
PYRO_NS=/usr/bin/pyro-nsd
-PYRO_PID=/var/run/pyro-nsd.pid
END_PHRASE="python remote objects name service: pyro-nsd"
set -e
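Review bot: `PYRO_PID=/var/run/pyro-nsd.pid` is removed here, but the hunk shows nothing about its readers; if any later part of the init script (outside this hunk) still expands `$PYRO_PID`, it now silently becomes an empty string. Either keep the assignment so the script documents the default the patched daemonizer computes (`/var/run/pyro-<classname>.pid`), or confirm with a grep that the rest of the file has no remaining reference. The same removal appears in the squeeze init-script hunk `@@ -29,7 +29,6 @@` for pyro-3.9.1 further down. The enclosing script continues outside the hunk.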
@@ -42,12 +41,12 @@
;;
stop)
echo -n "Stopping $DESC: "
- $DAEMON stop
+ $DAEMON stop $OPTIONS
echo "$NAME."
;;
restart|force-reload)
echo -n "Restarting $DESC: "
- $DAEMON stop
+ $DAEMON stop $OPTIONS
sleep 1
$DAEMON start $OPTIONS
echo "$NAME."
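Review bot: `$DAEMON stop $OPTIONS` passes the /etc/default value unquoted, and the daemonizer patch in this same debdiff reads only `argv[2]`, so OPTIONS only has an effect when it holds exactly one whitespace-free `--pidfile=` token; any other leading option, or a path containing a space, presumably leaves the default pidfile in use and `stop` then looks for the pid in the wrong file. That constraint is worth stating in the new comment in pyro.pyro-nsd.default, e.g. `# OPTIONS must be a single --pidfile=/path value (no spaces); anything else is ignored`, and more robustly fixed by parsing all of argv in the daemonizer. The same change appears in the squeeze init-script hunk `@@ -42,12 +41,12 @@` for pyro-3.9.1 further down.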
diff -u pyro-3.7/debian/changelog pyro-3.7/debian/changelog
--- pyro-3.7/debian/changelog
+++ pyro-3.7/debian/changelog
@@ -1,3 +1,16 @@
+pyro (3.7-2+lenny1) oldstable-security; urgency=high
+
+ * SECURITY UPDATE: arbitrary file overwriting via symlink (Closes: #631912,
+ LP: #830742)
+ - store pidfile in /var/run instead of /tmp
+ - Pyro/ext/daemonizer.py changed default location to /var/run
+ - Pyro/ext/daemonizer.py added command-line parameter (--pidfile=...) to
+ override default pidfile location
+ - default location for pidfile is tunable via /etc/default/pyro-nsd
+ - CVE-2011-2765
+
+ -- Gustavo Goretkin <gustavo.goretkin@gmail.com> Sun, 21 Aug 2011 16:04:00 -0400
+
pyro (3.7-2) unstable; urgency=medium
[ Bernd Zeimetz ]
diff -u pyro-3.7/debian/patches/00list pyro-3.7/debian/patches/00list
--- pyro-3.7/debian/patches/00list
+++ pyro-3.7/debian/patches/00list
@@ -1,0 +2 @@
+pidfile_path
only in patch2:
unchanged:
--- pyro-3.7.orig/debian/patches/pidfile_path.dpatch
+++ pyro-3.7/debian/patches/pidfile_path.dpatch
@@ -0,0 +1,45 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+#Description: CVE-2011-2765: fix for arbitrary file overwriting via symlink
+#The upstream version stores the pidfile in /tmp/nmd.pid which allows arbitrary
+#file overwriting via symlink. Now, the default location for pidfile is
+#/var/run/. The default can be overriden by passing -pidfile=/path/to/file to
+#daemon init script
+
+#Author: Gustavo Goretkin <gustavo.goretkin@gmail.com>
+#Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631912
+#Forwarded: yes
+#Reviewed-By: Obey Arthur Liu <arthur@milliways.fr>, Luke Faraone <lfaraone@debian.org>
+#Last-Update: 2011-08-21
+
+
+@DPATCH@
+--- pyro-3.14.orig/Pyro/ext/daemonizer.py
++++ pyro-3.14/Pyro/ext/daemonizer.py
+@@ -47,7 +47,9 @@ class Daemonizer:
+ """
+ def __init__(self, pidfile=None):
+ if not pidfile:
+- self.pidfile = "/tmp/%s.pid" % self.__class__.__name__.lower()
++ # PID file moved out of /tmp to avoid security vulnerability
++ # changed by Debian maintainer per Debian bug #631912
++ self.pidfile = "/var/run/pyro-%s.pid" % self.__class__.__name__.lower()
+ else:
+ self.pidfile = pidfile
+
+@@ -121,12 +123,16 @@ class Daemonizer:
+
+ def process_command_line(self, argv, verbose=1):
+ usage = "usage: %s start | stop | restart | status | debug " \
++ "[--pidfile=...] " \
+ "(run as non-daemon)" % os.path.basename(argv[0])
+ if len(argv) < 2:
+ print usage
+ raise SystemExit
+ else:
+ operation = argv[1]
++ if len(argv) > 2 and argv[2].startswith("--pidfile=") and \
++ len(argv[2]) > len("--pidfile="):
++ self.pidfile = argv[2][len("--pidfile="):]
+ pid = self.get_pid()
+ if operation == 'status':
+ if self.is_process_running():
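Review bot: The `--pidfile=` handling added to `process_command_line` looks only at `argv[2]`, so the option is silently ignored when it is not the first argument after the operation, and any further arguments are dropped without an error. Iterating instead — `for arg in argv[2:]:` / `    if arg.startswith("--pidfile=") and len(arg) > len("--pidfile="):` / `        self.pidfile = arg[len("--pidfile="):]` — handles both cases and matches the unquoted `$OPTIONS` the init script passes. The header also disagrees with the code: it says `-pidfile=/path/to/file` (single dash) where the code checks `--pidfile=`, and `/tmp/nmd.pid` where the NEWS entry says `/tmp/nsd.pid`. Since `/var/run` is normally writable only by root, the new default presumably requires pyro-nsd to be started as root — worth stating in the header, because an unprivileged daemon could no longer create its pidfile there. The same patch recurs verbatim as `pidfile_path.patch` in the squeeze debdiff further down; both `__init__` and `process_command_line` continue outside the quoted hunks.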
diff -Nru pyro-3.9.1/debian/changelog pyro-3.9.1/debian/changelog
--- pyro-3.9.1/debian/changelog 2010-09-15 13:24:34.000000000 -0400
+++ pyro-3.9.1/debian/changelog 2011-08-24 00:17:09.000000000 -0400
@@ -1,3 +1,16 @@
+pyro (1:3.9.1-2+squeeze1) stable-security; urgency=high
+
+ * SECURITY UPDATE: arbitrary file overwriting via symlink (Closes: #631912,
+ LP: #830742)
+ - store pidfile in /var/run instead of /tmp
+ - Pyro/ext/daemonizer.py changed default location to /var/run
+ - Pyro/ext/daemonizer.py added command-line parameter (--pidfile=...) to
+ override default pidfile location
+ - default location for pidfile is tunable via /etc/default/pyro-nsd
+ - CVE-2011-2765
+
+ -- Gustavo Goretkin <gustavo.goretkin@gmail.com> Sun, 21 Aug 2011 16:04:00 -0400
+
pyro (1:3.9.1-2) unstable; urgency=low
[Carl Chenet]
diff -Nru pyro-3.9.1/debian/NEWS.Debian pyro-3.9.1/debian/NEWS.Debian
--- pyro-3.9.1/debian/NEWS.Debian 2010-09-15 13:24:34.000000000 -0400
+++ pyro-3.9.1/debian/NEWS.Debian 2011-08-24 00:16:56.000000000 -0400
@@ -1,3 +1,14 @@
+pyro (1:3.9.1-2+squeeze1) stable-security; urgency=high
+
+ Changed default location for pidfile from /tmp/nsd.pid to
+ /var/run/pyro-nsd.pid for security reasons.
+
+ If you need to restore the previous behavior, the pyro-nsd binary now
+ accepts a new parameter: --pidfile=...
+ This parameter can be set system-wide through the /etc/default/pyro-nsd file.
+
+ -- Gustavo Goretkin <gustavo.goretkin@gmail.com> Sun, 21 Aug 2011 18:44:37 -0400
+
pyro (3.7-1) unstable; urgency=low
* Since version 3.7-1 the Debian package follows upstream's change in
diff -Nru pyro-3.9.1/debian/patches/pidfile_path.patch pyro-3.9.1/debian/patches/pidfile_path.patch
--- pyro-3.9.1/debian/patches/pidfile_path.patch 1969-12-31 19:00:00.000000000 -0500
+++ pyro-3.9.1/debian/patches/pidfile_path.patch 2011-08-21 18:58:16.000000000 -0400
@@ -0,0 +1,42 @@
+Description: CVE-2011-2765: fix for arbitrary file overwriting via symlink
+The upstream version stores the pidfile in /tmp/nmd.pid which allows arbitrary
+file overwriting via symlink. Now, the default location for pidfile is
+/var/run/. The default can be overriden by passing -pidfile=/path/to/file to
+daemon init script
+
+Author: Gustavo Goretkin <gustavo.goretkin@gmail.com>
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631912
+Forwarded: yes
+Reviewed-By: Obey Arthur Liu <arthur@milliways.fr>, Luke Faraone <lfaraone@debian.org>
+Last-Update: 2011-08-21
+
+--- pyro-3.14.orig/Pyro/ext/daemonizer.py
++++ pyro-3.14/Pyro/ext/daemonizer.py
+@@ -47,7 +47,9 @@ class Daemonizer:
+ """
+ def __init__(self, pidfile=None):
+ if not pidfile:
+- self.pidfile = "/tmp/%s.pid" % self.__class__.__name__.lower()
++ # PID file moved out of /tmp to avoid security vulnerability
++ # changed by Debian maintainer per Debian bug #631912
++ self.pidfile = "/var/run/pyro-%s.pid" % self.__class__.__name__.lower()
+ else:
+ self.pidfile = pidfile
+
+@@ -121,12 +123,16 @@ class Daemonizer:
+
+ def process_command_line(self, argv, verbose=1):
+ usage = "usage: %s start | stop | restart | status | debug " \
++ "[--pidfile=...] " \
+ "(run as non-daemon)" % os.path.basename(argv[0])
+ if len(argv) < 2:
+ print usage
+ raise SystemExit
+ else:
+ operation = argv[1]
++ if len(argv) > 2 and argv[2].startswith("--pidfile=") and \
++ len(argv[2]) > len("--pidfile="):
++ self.pidfile = argv[2][len("--pidfile="):]
+ pid = self.get_pid()
+ if operation == 'status':
+ if self.is_process_running():
diff -Nru pyro-3.9.1/debian/patches/series pyro-3.9.1/debian/patches/series
--- pyro-3.9.1/debian/patches/series 1969-12-31 19:00:00.000000000 -0500
+++ pyro-3.9.1/debian/patches/series 2011-08-21 18:27:40.000000000 -0400
@@ -0,0 +1 @@
+pidfile_path.patch
diff -Nru pyro-3.9.1/debian/pyro.pyro-nsd.default pyro-3.9.1/debian/pyro.pyro-nsd.default
--- pyro-3.9.1/debian/pyro.pyro-nsd.default 2010-09-15 13:24:34.000000000 -0400
+++ pyro-3.9.1/debian/pyro.pyro-nsd.default 2011-08-24 00:18:38.000000000 -0400
@@ -4,5 +4,6 @@
ENABLED=0
# Options to pass to pyro-nsd
+# available: "--pidfile=..."
OPTIONS=""
diff -Nru pyro-3.9.1/debian/pyro.pyro-nsd.init pyro-3.9.1/debian/pyro.pyro-nsd.init
--- pyro-3.9.1/debian/pyro.pyro-nsd.init 2010-09-15 13:24:34.000000000 -0400
+++ pyro-3.9.1/debian/pyro.pyro-nsd.init 2011-08-21 17:51:31.000000000 -0400
@@ -29,7 +29,6 @@
fi
PYRO_NS=/usr/bin/pyro-nsd
-PYRO_PID=/var/run/pyro-nsd.pid
END_PHRASE="python remote objects name service: pyro-nsd"
set -e
@@ -42,12 +41,12 @@
;;
stop)
echo -n "Stopping $DESC: "
- $DAEMON stop
+ $DAEMON stop $OPTIONS
echo "$NAME."
;;
restart|force-reload)
echo -n "Restarting $DESC: "
- $DAEMON stop
+ $DAEMON stop $OPTIONS
sleep 1
$DAEMON start $OPTIONS
echo "$NAME."