Hi,

On Wed, Aug 24, 2011 at 5:27 AM, Jonathan Wiltshire <jmw@debian.org> wrote:
>
> Package: pyro
> Followup-For: Bug #631912
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Dear maintainer,
>
> Recently you fixed one or more security problems and as a result you closed
> this bug. These problems were not serious enough for a Debian Security
> Advisory, so they are now on my radar for fixing in the following suites
> through point releases:
>
> squeeze (6.0.3)
>
> Please prepare a minimal-changes upload targeting each of these suites,
> and submit a debdiff to the Release Team [0] for consideration. They will
> offer additional guidance or instruct you to upload your package.

Please find attached the debdiffs for lenny and squeeze. No adaptation was
necessary from sid.

Regards
diff -u pyro-3.7/debian/pyro.pyro-nsd.default pyro-3.7/debian/pyro.pyro-nsd.default --- pyro-3.7/debian/pyro.pyro-nsd.default +++ pyro-3.7/debian/pyro.pyro-nsd.default @@ -5,4 +5,5 @@ # Options to pass to pyro-nsd +# available: "--pidfile=..." OPTIONS="" diff -u pyro-3.7/debian/NEWS.Debian pyro-3.7/debian/NEWS.Debian --- pyro-3.7/debian/NEWS.Debian +++ pyro-3.7/debian/NEWS.Debian @@ -1,3 +1,14 @@ +pyro (3.7-2+lenny1) oldstable-security; urgency=high + + Changed default location for pidfile from /tmp/nsd.pid to + /var/run/pyro-nsd.pid for security reasons. + + If you need to restore the previous behavior, the pyro-nsd binary now + accepts a new parameter: --pidfile=... + This parameter can be set system-wide through the /etc/default/pyro-nsd file. + + -- Gustavo Goretkin <gustavo.goretkin@gmail.com> Sun, 21 Aug 2011 18:44:37 -0400 + pyro (3.7-1) unstable; urgency=low * Since version 3.7-1 the Debian package follows upstream's change in diff -u pyro-3.7/debian/pyro.pyro-nsd.init pyro-3.7/debian/pyro.pyro-nsd.init --- pyro-3.7/debian/pyro.pyro-nsd.init +++ pyro-3.7/debian/pyro.pyro-nsd.init @@ -29,7 +29,6 @@ fi PYRO_NS=/usr/bin/pyro-nsd -PYRO_PID=/var/run/pyro-nsd.pid END_PHRASE="python remote objects name service: pyro-nsd" set -e @@ -42,12 +41,12 @@ ;; stop) echo -n "Stopping $DESC: " - $DAEMON stop + $DAEMON stop $OPTIONS echo "$NAME." ;; restart|force-reload) echo -n "Restarting $DESC: " - $DAEMON stop + $DAEMON stop $OPTIONS sleep 1 $DAEMON start $OPTIONS echo "$NAME." diff -u pyro-3.7/debian/changelog pyro-3.7/debian/changelog --- pyro-3.7/debian/changelog +++ pyro-3.7/debian/changelog 
@@ -1,3 +1,16 @@ +pyro (3.7-2+lenny1) oldstable-security; urgency=high + + * SECURITY UPDATE: arbitrary file overwriting via symlink (Closes: #631912, + LP: #830742) + - store pidfile in /var/run instead of /tmp + - Pyro/ext/daemonizer.py changed default location to /var/run + - Pyro/ext/daemonizer.py added command-line parameter (--pidfile=...) to + override default pidfile location + - default location for pidfile is tunable via /etc/default/pyro-nsd + - CVE-2011-2765 + + -- Gustavo Goretkin <gustavo.goretkin@gmail.com> Sun, 21 Aug 2011 16:04:00 -0400 + pyro (3.7-2) unstable; urgency=medium [ Bernd Zeimetz ] diff -u pyro-3.7/debian/patches/00list pyro-3.7/debian/patches/00list --- pyro-3.7/debian/patches/00list +++ pyro-3.7/debian/patches/00list @@ -1,0 +2 @@ +pidfile_path only in patch2: unchanged: --- pyro-3.7.orig/debian/patches/pidfile_path.dpatch +++ pyro-3.7/debian/patches/pidfile_path.dpatch 
@@ -0,0 +1,45 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +#Description: CVE-2011-2765: fix for arbitrary file overwriting via symlink +#The upstream version stores the pidfile in /tmp/nmd.pid which allows arbitrary +#file overwriting via symlink. Now, the default location for pidfile is +#/var/run/. The default can be overriden by passing -pidfile=/path/to/file to +#daemon init script + +#Author: Gustavo Goretkin <gustavo.goretkin@gmail.com> +#Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631912 +#Forwarded: yes +#Reviewed-By: Obey Arthur Liu <arthur@milliways.fr>, Luke Faraone <lfaraone@debian.org> +#Last-Update: 2011-08-21 + + +@DPATCH@ +--- pyro-3.14.orig/Pyro/ext/daemonizer.py ++++ pyro-3.14/Pyro/ext/daemonizer.py +@@ -47,7 +47,9 @@ class Daemonizer: + """ + def __init__(self, pidfile=None): + if not pidfile: +- self.pidfile = "/tmp/%s.pid" % self.__class__.__name__.lower() ++ # PID file moved out of /tmp to avoid security vulnerability ++ # changed by Debian maintainer per Debian bug #631912 ++ self.pidfile = "/var/run/pyro-%s.pid" % self.__class__.__name__.lower() + else: + self.pidfile = pidfile + +@@ -121,12 +123,16 @@ class Daemonizer: + + def process_command_line(self, argv, verbose=1): + usage = "usage: %s start | stop | restart | status | debug " \ ++ "[--pidfile=...] " \ + "(run as non-daemon)" % os.path.basename(argv[0]) + if len(argv) < 2: + print usage + raise SystemExit + else: + operation = argv[1] ++ if len(argv) > 2 and argv[2].startswith("--pidfile=") and \ ++ len(argv[2]) > len("--pidfile="): ++ self.pidfile = argv[2][len("--pidfile="):] + pid = self.get_pid() + if operation == 'status': + if self.is_process_running():
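Review bot: in the daemonizer.py hunk of pidfile_path.dpatch, `--pidfile=` is only honoured when it is exactly `argv[2]`, i.e. the first word after the operation; the init script passes `$OPTIONS` unquoted right after `start`/`stop`, so this works for the single documented option but any second option placed in OPTIONS, an option given before the operation, or a path containing whitespace is silently ignored rather than rejected. Iterating over `argv[2:]` (or using `getopt`) and printing `usage` on anything unrecognised would make the override robust. The dpatch header is also inconsistent with the code: it documents `-pidfile=/path/to/file` (one dash) and `/tmp/nmd.pid`, while the code checks `--pidfile=` and NEWS.Debian says `/tmp/nsd.pid`; `overriden` should read `overridden`. Finally, `/var/run` is writable only by root, so the new default assumes pyro-nsd is started as root, which is consistent with the init script invoking `$DAEMON` directly.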
diff -Nru pyro-3.9.1/debian/changelog pyro-3.9.1/debian/changelog --- pyro-3.9.1/debian/changelog 2010-09-15 13:24:34.000000000 -0400 +++ pyro-3.9.1/debian/changelog 2011-08-24 00:17:09.000000000 -0400 @@ -1,3 +1,16 @@ +pyro (1:3.9.1-2+squeeze1) stable-security; urgency=high + + * SECURITY UPDATE: arbitrary file overwriting via symlink (Closes: #631912, + LP: #830742) + - store pidfile in /var/run instead of /tmp + - Pyro/ext/daemonizer.py changed default location to /var/run + - Pyro/ext/daemonizer.py added command-line parameter (--pidfile=...) to + override default pidfile location + - default location for pidfile is tunable via /etc/default/pyro-nsd + - CVE-2011-2765 + + -- Gustavo Goretkin <gustavo.goretkin@gmail.com> Sun, 21 Aug 2011 16:04:00 -0400 + pyro (1:3.9.1-2) unstable; urgency=low [Carl Chenet] diff -Nru pyro-3.9.1/debian/NEWS.Debian pyro-3.9.1/debian/NEWS.Debian --- pyro-3.9.1/debian/NEWS.Debian 2010-09-15 13:24:34.000000000 -0400 +++ pyro-3.9.1/debian/NEWS.Debian 2011-08-24 00:16:56.000000000 -0400 @@ -1,3 +1,14 @@ +pyro (1:3.9.1-2+squeeze1) stable-security; urgency=high + + Changed default location for pidfile from /tmp/nsd.pid to + /var/run/pyro-nsd.pid for security reasons. + + If you need to restore the previous behavior, the pyro-nsd binary now + accepts a new parameter: --pidfile=... + This parameter can be set system-wide through the /etc/default/pyro-nsd file. + + -- Gustavo Goretkin <gustavo.goretkin@gmail.com> Sun, 21 Aug 2011 18:44:37 -0400 + pyro (3.7-1) unstable; urgency=low * Since version 3.7-1 the Debian package follows upstream's change in diff -Nru pyro-3.9.1/debian/patches/pidfile_path.patch pyro-3.9.1/debian/patches/pidfile_path.patch --- pyro-3.9.1/debian/patches/pidfile_path.patch 1969-12-31 19:00:00.000000000 -0500 +++ pyro-3.9.1/debian/patches/pidfile_path.patch 2011-08-21 18:58:16.000000000 -0400 
@@ -0,0 +1,42 @@ +Description: CVE-2011-2765: fix for arbitrary file overwriting via symlink +The upstream version stores the pidfile in /tmp/nmd.pid which allows arbitrary +file overwriting via symlink. Now, the default location for pidfile is +/var/run/. The default can be overriden by passing -pidfile=/path/to/file to +daemon init script + +Author: Gustavo Goretkin <gustavo.goretkin@gmail.com> +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631912 +Forwarded: yes +Reviewed-By: Obey Arthur Liu <arthur@milliways.fr>, Luke Faraone <lfaraone@debian.org> +Last-Update: 2011-08-21 + +--- pyro-3.14.orig/Pyro/ext/daemonizer.py ++++ pyro-3.14/Pyro/ext/daemonizer.py +@@ -47,7 +47,9 @@ class Daemonizer: + """ + def __init__(self, pidfile=None): + if not pidfile: +- self.pidfile = "/tmp/%s.pid" % self.__class__.__name__.lower() ++ # PID file moved out of /tmp to avoid security vulnerability ++ # changed by Debian maintainer per Debian bug #631912 ++ self.pidfile = "/var/run/pyro-%s.pid" % self.__class__.__name__.lower() + else: + self.pidfile = pidfile + +@@ -121,12 +123,16 @@ class Daemonizer: + + def process_command_line(self, argv, verbose=1): + usage = "usage: %s start | stop | restart | status | debug " \ ++ "[--pidfile=...] " \ + "(run as non-daemon)" % os.path.basename(argv[0]) + if len(argv) < 2: + print usage + raise SystemExit + else: + operation = argv[1] ++ if len(argv) > 2 and argv[2].startswith("--pidfile=") and \ ++ len(argv[2]) > len("--pidfile="): ++ self.pidfile = argv[2][len("--pidfile="):] + pid = self.get_pid() + if operation == 'status': + if self.is_process_running(): diff -Nru pyro-3.9.1/debian/patches/series pyro-3.9.1/debian/patches/series --- pyro-3.9.1/debian/patches/series 1969-12-31 19:00:00.000000000 -0500 +++ pyro-3.9.1/debian/patches/series 2011-08-21 18:27:40.000000000 -0400 
@@ -0,0 +1 @@ +pidfile_path.patch diff -Nru pyro-3.9.1/debian/pyro.pyro-nsd.default pyro-3.9.1/debian/pyro.pyro-nsd.default --- pyro-3.9.1/debian/pyro.pyro-nsd.default 2010-09-15 13:24:34.000000000 -0400 +++ pyro-3.9.1/debian/pyro.pyro-nsd.default 2011-08-24 00:18:38.000000000 -0400 @@ -4,5 +4,6 @@ ENABLED=0 # Options to pass to pyro-nsd +# available: "--pidfile=..." OPTIONS="" diff -Nru pyro-3.9.1/debian/pyro.pyro-nsd.init pyro-3.9.1/debian/pyro.pyro-nsd.init --- pyro-3.9.1/debian/pyro.pyro-nsd.init 2010-09-15 13:24:34.000000000 -0400 +++ pyro-3.9.1/debian/pyro.pyro-nsd.init 2011-08-21 17:51:31.000000000 -0400 @@ -29,7 +29,6 @@ fi PYRO_NS=/usr/bin/pyro-nsd -PYRO_PID=/var/run/pyro-nsd.pid END_PHRASE="python remote objects name service: pyro-nsd" set -e @@ -42,12 +41,12 @@ ;; stop) echo -n "Stopping $DESC: " - $DAEMON stop + $DAEMON stop $OPTIONS echo "$NAME." ;; restart|force-reload) echo -n "Restarting $DESC: " - $DAEMON stop + $DAEMON stop $OPTIONS sleep 1 $DAEMON start $OPTIONS echo "$NAME."
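Review bot: the changelog hunk uses `stable-security` (and `oldstable-security` in the lenny debdiff) with `urgency=high`, but the request quoted above routes this fix through a point release via the Release Team rather than a DSA, so the distribution field should be `stable` for squeeze and `oldstable` for lenny; the Release Team will otherwise bounce it. Note also that the request lists only squeeze (6.0.3), so the lenny upload should be confirmed with them before uploading. The pidfile_path.patch file headers reference `pyro-3.14` paths although the package is 3.9.1; quilt applies it with -p1 so this is harmless, but regenerating the header against the packaged version would avoid confusion. In the init-script hunk, dropping `PYRO_PID` is safe as far as the visible context shows (nothing else reads it), and passing `$OPTIONS` on `stop` as well as `start` is required so both paths resolve the same pidfile when an override is configured.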