
bcron update for stable



Hi,

as suggested by Jonathan below, I prepared a bcron package fixing
#686650 as a candidate for the next squeeze point release.  A debdiff is
attached, and the package is ready for upload.

Regards, Gerrit.


On Thu, Jan 17, 2013 at 11:42:08AM -0000, Jonathan Wiltshire wrote:
> Package: bcron
> 
> Dear maintainer,
> 
> Recently you fixed one or more security problems and as a result you closed
> this bug. These problems were not serious enough for a Debian Security
> Advisory, so they are now on my radar for fixing in the following suites
> through point releases:
> 
> squeeze (6.0.7) - use target "stable"
> 
> Please prepare a minimal-changes upload targeting each of these suites,
> and submit a debdiff to the Release Team [0] for consideration. They will
> offer additional guidance or instruct you to upload your package.
> 
> I will happily assist you at any stage if the patch is straightforward and
> you need help. Please keep me in CC at all times so I can
> track [1] the progress of this request.
> 
> For details of this process and the rationale, please see the original
> announcement [2] and my blog post [3].
> 
> 0: debian-release@lists.debian.org
> 1: http://prsc.debian.net/tracker/686650/
> 2: <201101232332.11736.thijs@debian.org>
> 3: http://deb.li/prsc
> 
> Thanks,
> 
> with his security hat on:
> --
> Jonathan Wiltshire                                      jmw@debian.org
> Debian Developer                         http://people.debian.org/~jmw
> 
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
diff -u bcron-0.09/debian/changelog bcron-0.09/debian/changelog
--- bcron-0.09/debian/changelog
+++ bcron-0.09/debian/changelog
@@ -1,3 +1,14 @@
+bcron (0.09-11+squeeze1) stable; urgency=high
+
+  * debian/diff/0008-bcron-exec-Mark-all-temporary-files-close-...diff:
+    new; from upstream git; bcron-exec: Mark all temporary files
+    close-on-exec and close selfpipe; this fixes a security bug in
+    bcron where cron jobs get access to the temporary output files from
+    all other jobs that are still running (CVE-2012-6110, closes:
+    #686650).
+
+ -- Gerrit Pape <pape@smarden.org>  Fri, 18 Jan 2013 03:21:49 +0000
+
 bcron (0.09-11) unstable; urgency=low
 
   * debian/bcron-run.postrm: services' supervise dirs are now located in
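Review bot: the changelog entry abbreviates the new patch file's name to `0008-bcron-exec-Mark-all-temporary-files-close-...diff`, while the file actually added below is `debian/diff/0008-bcron-exec-Mark-all-temporary-files-close-on-exec-and.diff`; spell the path out in full so the entry can be matched against the source tree without guessing. The rest of the entry is what a stable update wants: a single change, the CVE and bug number cited, and urgency=high is appropriate for a security fix going through a point release.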
only in patch2:
unchanged:
--- bcron-0.09.orig/debian/diff/0008-bcron-exec-Mark-all-temporary-files-close-on-exec-and.diff
+++ bcron-0.09/debian/diff/0008-bcron-exec-Mark-all-temporary-files-close-on-exec-and.diff
@@ -0,0 +1,79 @@
+From 6b30379c3bcab65a6a21b5c7677e333dbc357cc3 Mon Sep 17 00:00:00 2001
+From: Bruce Guenter <bruce@untroubled.org>
+Date: Fri, 5 Oct 2012 18:15:11 -0600
+Subject: [PATCH] bcron-exec: Mark all temporary files close-on-exec and
+ close selfpipe
+
+This fixes a security bug in bcron where cron jobs get access to the
+temporary output files from all other jobs that are still running.
+
+First reported in Debian:
+http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686650
+
+Conflicts:
+	NEWS
+---
+ bcron-exec.c   |    3 +++
+ tests/exec-fds |   22 ++++++++++++++++++++++
+ 2 files changed, 25 insertions(+)
+ create mode 100644 tests/exec-fds
+
+diff --git a/bcron-exec.c b/bcron-exec.c
+index 2414bd8..ec6c641 100644
+--- a/bcron-exec.c
++++ b/bcron-exec.c
+@@ -13,6 +13,7 @@
+ #include <path/path.h>
+ #include <str/env.h>
+ #include <str/str.h>
++#include <unix/cloexec.h>
+ #include <unix/nonblock.h>
+ #include <unix/selfpipe.h>
+ #include <unix/sig.h>
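Review bot: `<unix/cloexec.h>`, like the neighbouring `unix/nonblock.h` and `unix/selfpipe.h` headers, comes from bglibs rather than from bcron, so confirm that the bglibs version in squeeze ships this header and `cloexec_on()` before uploading; if it does not, the stable build fails at this include, and the package would need to carry a local `fcntl(fd, F_SETFD, FD_CLOEXEC)` equivalent instead of the library call.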
+@@ -106,6 +107,7 @@ static void exec_cmd(int fdin, int fdout,
+ 		     const str* env,
+ 		     const struct passwd* pw)
+ {
++  selfpipe_close();
+   dup2(fdin, 0);
+   close(fdin);
+   dup2(fdout, 1);
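Review bot: `selfpipe_close()` removes the one leak this patch knows about, but nothing in exec_cmd guards against the next descriptor the daemon opens; it would leak into jobs exactly the same way. Consider adding a defensive sweep after the dup2 calls have set up 0, 1 and 2 and before the exec, closing every descriptor above 2 (a loop up to `sysconf(_SC_OPEN_MAX)`, or closefrom()/close_range() where the platform has them), so that the per-descriptor fixes become defence in depth rather than the only barrier between one job's output and another.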
+@@ -205,6 +207,7 @@ static void start_slot(int slot,
+       return;
+     }
+     unlink(tmp.s);
++    cloexec_on(fd);
+     gethostname(hostname, sizeof hostname);
+     wrap_str(str_copyns(&tmp, 6, "To: <", mailto, ">\n",
+ 			"From: Cron Daemon <root@", hostname, ">\n"));
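Review bot: the return value of `cloexec_on(fd)` is discarded; if the underlying fcntl fails, the job inherits the output file exactly as before, and silently. Treat a failure the way the failure just above this line is treated (log it and `return;` from the slot) rather than continuing with an unflagged descriptor, since a descriptor that is only sometimes close-on-exec is the hardest kind of leak to notice later.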
+diff --git a/tests/exec-fds b/tests/exec-fds
+new file mode 100644
+index 0000000..f2c4a9f
+--- /dev/null
++++ b/tests/exec-fds
+@@ -0,0 +1,22 @@
++doexec \
++	'sleep 1; echo all done' \
++	'echo here >&4; echo here >&5; echo here >&6; echo here >&7; echo here >&8'
++<result>
++15:2^@KJob complete,15:1^@KJob complete,
++bcron-exec: (USER) CMD (sleep 1; echo all done)
++bcron-exec: (USER) CMD (echo here >&4; echo here >&5; echo here >&6; echo here >&7; echo here >&8)
++bcron-exec: Waiting for remaining slots to complete
++To: <USER>
++From: Cron Daemon <root@HOST>
++Subject: Cron <USER@HOST> echo here >&4; echo here >&5; echo here >&6; echo here >&7; echo here >&8
++
++/bin/sh: 1: 4: Bad file descriptor
++/bin/sh: 1: 5: Bad file descriptor
++/bin/sh: 1: 6: Bad file descriptor
++/bin/sh: 1: 7: Bad file descriptor
++/bin/sh: 1: 8: Bad file descriptor
++To: <USER>
++From: Cron Daemon <root@HOST>
++Subject: Cron <USER@HOST> sleep 1; echo all done
++
++all done
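Review bot: the probe covers descriptors 4 through 8 but not 3; if the job is meant to inherit only stdin, stdout and stderr, add `echo here >&3` to the command so the test also catches a leak at the lowest free number, which is where the first stray descriptor usually lands. The expected lines `/bin/sh: 1: 4: Bad file descriptor` are in dash's message format, so the test is tied to /bin/sh being dash; bash prints a different prefix and the comparison would fail on a system where /bin/sh is bash, which is worth a comment at the top of the test file.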
+-- 
+1.7.10.4
+

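The leak the patch closes, shown in an added C example that is neither part of this message nor bcron's code: a daemon creates a job's temporary output file, forks and execs the job, and the job can write to the file unless the descriptor is marked close-on-exec (the patch's fix) or the exec path closes everything above stderr (the belt-and-braces alternative). The example assumes /bin/sh exists; a pipe stands in for the temporary output file so that no writable filesystem is needed, and fcntl(F_SETFD, FD_CLOEXEC) stands in for bglibs' cloexec_on().

```c
/* Added example (not bcron code): demonstrate the descriptor leak that
 * CVE-2012-6110 describes and two ways to stop it.  A pipe stands in for
 * the job's temporary output file; fcntl(F_SETFD, FD_CLOEXEC) stands in
 * for bglibs' cloexec_on().  Assumes /bin/sh exists. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define PROBE_FD 9   /* single digit, so the ">&9" redirection below works in dash as well as bash */

/* Fork, optionally close every descriptor above stderr (the defensive sweep
 * a cron daemon could do in its exec path), then exec a shell that runs
 * ": >&9".  Returns 1 if the job could reach the descriptor after exec,
 * 0 if it was closed, -1 if the probe itself could not run. */
static int fd_visible_to_job(int fd, int sweep_fds)
{
    pid_t pid = fork();
    int status;

    if (pid < 0) return -1;
    if (pid == 0) {
        int flags = fcntl(fd, F_GETFD);
        int devnull = open("/dev/null", O_WRONLY);

        if (devnull >= 0) { dup2(devnull, 2); close(devnull); }  /* quiet the shell's error message */
        /* Move fd to PROBE_FD.  dup2 clears FD_CLOEXEC on the copy, so
         * re-apply whatever flag the parent set; the exec then honours it. */
        if (flags < 0 || dup2(fd, PROBE_FD) < 0) _exit(126);
        if (flags & FD_CLOEXEC) fcntl(PROBE_FD, F_SETFD, FD_CLOEXEC);
        if (sweep_fds) {
            long max = sysconf(_SC_OPEN_MAX);
            int i;
            if (max < 0 || max > 4096) max = 4096;   /* demo bound; real code would use close_range()/closefrom() */
            for (i = 3; i < max; i++) close(i);
        }
        execl("/bin/sh", "sh", "-c", ": >&9", (char *)0);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    switch (WEXITSTATUS(status)) {
    case 0:   return 1;    /* redirection succeeded: the descriptor leaked into the job */
    case 126:
    case 127: return -1;   /* could not set up or exec the probe */
    default:  return 0;    /* "Bad file descriptor": closed across exec */
    }
}

/* Create the stand-in output file, apply (or skip) the bcron fix, run a job.
 * Returns what fd_visible_to_job() returns for the file's descriptor. */
static int job_can_see_tmpfile(int mark_cloexec, int sweep_fds)
{
    int fds[2], seen;

    if (pipe(fds) < 0) return -1;
    if (mark_cloexec) {   /* what the patch's cloexec_on(fd) does, spelled out */
        int flags = fcntl(fds[1], F_GETFD);
        if (flags < 0 || fcntl(fds[1], F_SETFD, flags | FD_CLOEXEC) < 0) {
            close(fds[0]); close(fds[1]);
            return -1;
        }
    }
    seen = fd_visible_to_job(fds[1], sweep_fds);
    close(fds[0]);
    close(fds[1]);
    return seen;
}

int main(void)
{
    printf("no FD_CLOEXEC (pre-fix bcron-exec): job sees tmpfile = %d\n", job_can_see_tmpfile(0, 0));
    printf("FD_CLOEXEC set (the patch)        : job sees tmpfile = %d\n", job_can_see_tmpfile(1, 0));
    printf("child closes fds >= 3 before exec : job sees tmpfile = %d\n", job_can_see_tmpfile(0, 1));
    return 0;
}
```

The first run reports 1 (the job can reach the file), the other two report 0. Marking the descriptor at creation time is the precise fix; the sweep in the exec path is what keeps the next forgotten descriptor from reopening the hole.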