
Bug#693290: unblock: horizon/2012.1.1-7 (CVE-2012-5474 fix)
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Horizon had its /etc/openstack-dashboard/local_settings.py
world readable. This file contains passwords, so that isn't
good. My latest upload to SID fixes this.

Please unblock package horizon 2012.1.1-7.

Note that Debian isn't affected by CVE-2012-5476, or by
CVE-2012-5483. I've checked, and the corresponding
configuration files are *not* world readable in Debian.
The security tracker has been updated for this.

Our Folsom packaging, currently in our Git on Alioth only,
isn't affected by any of the above (we rewrote all the
management on a unified library which uses BSD install,
with -m 0640, so we don't have such problems).

Cheers,

Thomas
diff -Nru horizon-2012.1.1/debian/changelog horizon-2012.1.1/debian/changelog
--- horizon-2012.1.1/debian/changelog	2012-09-21 13:20:55.000000000 +0000
+++ horizon-2012.1.1/debian/changelog	2012-11-15 08:50:33.000000000 +0000
@@ -1,3 +1,10 @@
+horizon (2012.1.1-7) unstable; urgency=high
+
+  * CVE-2012-5474: The file /etc/openstack-dashboard/local_settings is not
+  world readable anymore (Closes: #693287).
+
+ -- Thomas Goirand <zigo@debian.org>  Thu, 15 Nov 2012 08:47:18 +0000
+
 horizon (2012.1.1-6) unstable; urgency=low
 
   * Keyerror when displaying Instances & Volumes:
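Review bot: the changelog entry names the file as `/etc/openstack-dashboard/local_settings` without the `.py` suffix, while the postinst hunk and the cover message both refer to `/etc/openstack-dashboard/local_settings.py`; use the exact path here so the entry matches what the package actually changes.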
diff -Nru horizon-2012.1.1/debian/openstack-dashboard.postinst horizon-2012.1.1/debian/openstack-dashboard.postinst
--- horizon-2012.1.1/debian/openstack-dashboard.postinst	2012-09-21 13:20:55.000000000 +0000
+++ horizon-2012.1.1/debian/openstack-dashboard.postinst	2012-11-15 08:50:33.000000000 +0000
@@ -4,10 +4,15 @@
 if [ "$1" = "configure" ]
 then
     adduser --system \
-	--home /var/lib/horizon \
+        --home /var/lib/horizon \
         --quiet \
         --disabled-password \
         --group horizon
+
+	if[ -r /etc/openstack-dashboard/local_settings.py ] ; then
+		chmod 0640 /etc/openstack-dashboard/local_settings.py
+		chown horizon:horizon /etc/openstack-dashboard/local_settings.py
+	fi
 fi
 
-#DEBHELPER#
\ No newline at end of file
+#DEBHELPER#
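Review bot: the new line `if[ -r /etc/openstack-dashboard/local_settings.py ] ; then` is missing the space between `if` and `[`, so the shell reads `if[` as a command name rather than the keyword and the following `then` is a syntax error; the postinst aborts there with a non-zero status and the package is left unconfigured, which defeats the fix. It should read `if [ -r /etc/openstack-dashboard/local_settings.py ] ; then` (and since postinst runs as root, `-r` is true for any existing file, so `-f` states the intent more plainly). The added lines are also tab-indented while the `--home` line in the same hunk was just converted from a tab to spaces; pick one style.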

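A defender-side check for the end state the postinst above is meant to produce, an added example that is not part of the bug report or of the horizon package: it flags a settings file that is readable by "other" (the exposure described in the message), group-writable, or not owned by the service user and group, and applies the same chmod/chown fix with the correct `if [ ... ]` syntax. Function names are hypothetical and GNU coreutils `stat` is assumed.

```shell
# check_config_perms FILE UID GID
# Returns 0 if FILE is owned by UID:GID, has no "other" bits and no
# group-write bit; returns 1 otherwise and prints the reason on stderr.
check_config_perms() {
    file=$1; want_uid=$2; want_gid=$3
    [ -f "$file" ] || { echo "$file: missing" >&2; return 1; }
    # stat %a prints the octal mode without a leading zero, e.g. 640 or 644
    set -- $(stat -c '%a %u %g' "$file")
    mode=$1; uid=$2; gid=$3
    # pad short modes (a 000 file prints as "0") so digit extraction works
    while [ ${#mode} -lt 3 ]; do mode=0$mode; done
    other=${mode#"${mode%?}"}               # last octal digit: "other" bits
    grp=${mode%?}; grp=${grp#"${grp%?}"}    # second-to-last: "group" bits
    if [ "$other" != 0 ]; then
        echo "$file: world-accessible (mode $mode)" >&2; return 1
    fi
    if [ $(( grp & 2 )) -ne 0 ]; then
        echo "$file: group-writable (mode $mode)" >&2; return 1
    fi
    if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
        echo "$file: owned by $uid:$gid, expected $want_uid:$want_gid" >&2
        return 1
    fi
    return 0
}

# harden_config_perms FILE UID GID
# The same fix the postinst hunk applies (chmod 0640, then chown to the
# service user and group), guarded by a correctly spelled test.
harden_config_perms() {
    file=$1; uid=$2; gid=$3
    if [ -f "$file" ]; then
        chmod 0640 "$file"
        chown "$uid:$gid" "$file"
    fi
}
```

Run as root against the real path with the horizon user's uid and gid; the functions take numeric ids so the check also works for a test file owned by the current user.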