[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#689390: marked as done (unblock: spice-gtk/0.12-5)

Your message dated Tue, 02 Oct 2012 21:08:04 +0100
with message-id <1349208484.14024.17.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#689390: unblock: spice-gtk/0.12-5
has caused the Debian Bug report #689390,
regarding unblock: spice-gtk/0.12-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
689390: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689390
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package spice-gtk. It fixes a root security hole via GDBus
(#689155), by correctly sanitizing the environment in a setuid helper
before doing anything non-trivial.

This is basically the same flaw as the one mitigated by #689070 in dbus,
but with GDBus instead of libdbus, and fixing it in the setuid program
rather than second-guessing it in the library.

unblock spice-gtk/0.12-5

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diffstat for spice-gtk-0.12 spice-gtk-0.12

 changelog                                |    6 ++
 patches/clearenv-in-usb-acl-helper.patch |   64 +++++++++++++++++++++++++++++++
 patches/series                           |    1 
 3 files changed, 71 insertions(+)

diff -Nru spice-gtk-0.12/debian/changelog spice-gtk-0.12/debian/changelog
--- spice-gtk-0.12/debian/changelog	2012-07-08 18:20:26.000000000 +0100
+++ spice-gtk-0.12/debian/changelog	2012-10-01 14:31:41.000000000 +0100
@@ -1,3 +1,9 @@
+spice-gtk (0.12-5) unstable; urgency=high
+
+  * Add patch clearenv-in-usb-acl-helper.patch (Closes: #689155)
+
+ -- Liang Guo <guoliang@debian.org>  Mon, 01 Oct 2012 21:30:21 +0800
+
 spice-gtk (0.12-4) unstable; urgency=low
 
   * Correct version problem in *.pc (Closes: #680290)
diff -Nru spice-gtk-0.12/debian/patches/clearenv-in-usb-acl-helper.patch spice-gtk-0.12/debian/patches/clearenv-in-usb-acl-helper.patch
--- spice-gtk-0.12/debian/patches/clearenv-in-usb-acl-helper.patch	1970-01-01 01:00:00.000000000 +0100
+++ spice-gtk-0.12/debian/patches/clearenv-in-usb-acl-helper.patch	2012-10-01 14:29:38.000000000 +0100
@@ -0,0 +1,64 @@
+Author: Colin Walters <walters@verbum.org>
+Origin: upstream, commit:efbf867bb88845d5edf839550b54494b1bb752b9
+Date: Fri, 14 Sep 2012 09:21:28 +0000
+Subject: usb-acl-helper: Clear environment
+
+Otherwise we can be subject to attack via environment variables such
+as DBUS_SYSTEM_BUS_ADDRESS.
+This addresses CVE-2012-4425 http://seclists.org/oss-sec/2012/q3/470
+--- a/configure.ac
++++ b/configure.ac
+@@ -256,6 +256,8 @@
+         EXTERNAL_PNP_IDS="$with_pnp_ids_path"
+ fi
+ 
++AC_CHECK_FUNCS(clearenv)
++
+ PKG_CHECK_MODULES(GLIB2, glib-2.0 >= 2.22)
+ AC_SUBST(GLIB2_CFLAGS)
+ AC_SUBST(GLIB2_LIBS)
+--- a/gtk/spice-client-glib-usb-acl-helper.c
++++ b/gtk/spice-client-glib-usb-acl-helper.c
+@@ -158,7 +158,8 @@
+     if (state == STATE_WAITING_FOR_STDIN_EOF)
+         set_facl(path, getuid(), 0);
+ 
+-    g_main_loop_quit(loop);
++    if (loop)
++        g_main_loop_quit(loop);
+ }
+ 
+ /* Not available in polkit < 0.101 */
+@@ -311,11 +312,32 @@
+ }
+ #endif
+ 
++#ifndef HAVE_CLEARENV
++extern char **environ;
++
++static int
++clearenv (void)
++{
++        if (environ != NULL)
++                environ[0] = NULL;
++        return 0;
++}
++#endif
++
+ int main(void)
+ {
+     pid_t parent_pid;
+     GInputStream *stdin_unix_stream;
+ 
++  /* Nuke the environment to get a well-known and sanitized
++   * environment to avoid attacks via e.g. the DBUS_SYSTEM_BUS_ADDRESS
++   * environment variable and similar.
++   */
++    if (clearenv () != 0) {
++        FATAL_ERROR("Error clearing environment: %s\n", g_strerror (errno));
++        return 1;
++    }
++
+     g_type_init();
+ 
+     loop = g_main_loop_new(NULL, FALSE);
diff -Nru spice-gtk-0.12/debian/patches/series spice-gtk-0.12/debian/patches/series
--- spice-gtk-0.12/debian/patches/series	2012-06-28 18:15:40.000000000 +0100
+++ spice-gtk-0.12/debian/patches/series	2012-10-01 14:19:27.000000000 +0100
@@ -2,3 +2,4 @@
 fix-parsing-uri-query.patch
 fix-spice-audio-binding.patch
 make-celt-to-be-optional.patch
+clearenv-in-usb-acl-helper.patch

--- End Message ---
--- Begin Message --- 
On Tue, 2012-10-02 at 08:13 +0100, Simon McVittie wrote:
> Please unblock package spice-gtk. It fixes a root security hole via GDBus
> (#689155), by correctly sanitizing the environment in a setuid helper
> before doing anything non-trivial.
> 
> This is basically the same flaw as the one mitigated by #689070 in dbus,
> but with GDBus instead of libdbus, and fixing it in the setuid program
> rather than second-guessing it in the library.

Unblocked; thanks.

Regards,

Adam

--- End Message ---
Reply to: