bcron update for stable
Hi,
as suggested by Jonathan below, I prepared a bcron package fixing
#686650 as a candidate for the next squeeze point release. A debdiff is
attached; the package is ready for upload.
Regards, Gerrit.
On Thu, Jan 17, 2013 at 11:42:08AM -0000, Jonathan Wiltshire wrote:
> Package: bcron
>
> Dear maintainer,
>
> Recently you fixed one or more security problems and as a result you closed
> this bug. These problems were not serious enough for a Debian Security
> Advisory, so they are now on my radar for fixing in the following suites
> through point releases:
>
> squeeze (6.0.7) - use target "stable"
>
> Please prepare a minimal-changes upload targeting each of these suites,
> and submit a debdiff to the Release Team [0] for consideration. They will
> offer additional guidance or instruct you to upload your package.
>
> I will happily assist you at any stage if the patch is straightforward and
> you need help. Please keep me in CC at all times so I can
> track [1] the progress of this request.
>
> For details of this process and the rationale, please see the original
> announcement [2] and my blog post [3].
>
> 0: debian-release@lists.debian.org
> 1: http://prsc.debian.net/tracker/686650/
> 2: <201101232332.11736.thijs@debian.org>
> 3: http://deb.li/prsc
>
> Thanks,
>
> with his security hat on:
> --
> Jonathan Wiltshire jmw@debian.org
> Debian Developer http://people.debian.org/~jmw
>
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
diff -u bcron-0.09/debian/changelog bcron-0.09/debian/changelog
--- bcron-0.09/debian/changelog
+++ bcron-0.09/debian/changelog
@@ -1,3 +1,14 @@
+bcron (0.09-11+squeeze1) stable; urgency=high
+
+ * debian/diff/0008-bcron-exec-Mark-all-temporary-files-close-...diff:
+ new; from upstream git; bcron-exec: Mark all temporary files
+ close-on-exec and close selfpipe; this fixes a security bug in
+ bcron where cron jobs get access to the temporary output files from
+ all other jobs that are still running (CVE-2012-6110, closes:
+ #686650).
+
+ -- Gerrit Pape <pape@smarden.org> Fri, 18 Jan 2013 03:21:49 +0000
+
bcron (0.09-11) unstable; urgency=low
* debian/bcron-run.postrm: services' supervise dirs are now located in
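Review bot: the changelog entry abbreviates the new patch name as "0008-bcron-exec-Mark-all-temporary-files-close-...diff"; since the file added further down in this debdiff is debian/diff/0008-bcron-exec-Mark-all-temporary-files-close-on-exec-and.diff, spell the name out in full so the entry can be matched against the source tree. Otherwise the entry is in good shape for a stable update: urgency=high, the upstream origin of the change, the CVE id (CVE-2012-6110) and the bug closure are all present.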
only in patch2:
unchanged:
--- bcron-0.09.orig/debian/diff/0008-bcron-exec-Mark-all-temporary-files-close-on-exec-and.diff
+++ bcron-0.09/debian/diff/0008-bcron-exec-Mark-all-temporary-files-close-on-exec-and.diff
@@ -0,0 +1,79 @@
+From 6b30379c3bcab65a6a21b5c7677e333dbc357cc3 Mon Sep 17 00:00:00 2001
+From: Bruce Guenter <bruce@untroubled.org>
+Date: Fri, 5 Oct 2012 18:15:11 -0600
+Subject: [PATCH] bcron-exec: Mark all temporary files close-on-exec and
+ close selfpipe
+
+This fixes a security bug in bcron where cron jobs get access to the
+temporary output files from all other jobs that are still running.
+
+First reported in Debian:
+http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686650
+
+Conflicts:
+ NEWS
+---
+ bcron-exec.c | 3 +++
+ tests/exec-fds | 22 ++++++++++++++++++++++
+ 2 files changed, 25 insertions(+)
+ create mode 100644 tests/exec-fds
+
+diff --git a/bcron-exec.c b/bcron-exec.c
+index 2414bd8..ec6c641 100644
+--- a/bcron-exec.c
++++ b/bcron-exec.c
+@@ -13,6 +13,7 @@
+ #include <path/path.h>
+ #include <str/env.h>
+ #include <str/str.h>
++#include <unix/cloexec.h>
+ #include <unix/nonblock.h>
+ #include <unix/selfpipe.h>
+ #include <unix/sig.h>
+@@ -106,6 +107,7 @@ static void exec_cmd(int fdin, int fdout,
+ const str* env,
+ const struct passwd* pw)
+ {
++ selfpipe_close();
+ dup2(fdin, 0);
+ close(fdin);
+ dup2(fdout, 1);
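Review bot: selfpipe_close() is placed before the dup2() calls in exec_cmd, so the self-pipe descriptors are gone before fdin and fdout are moved onto 0 and 1, which is the right order. Unlike the temporary files in the next hunk, though, the self-pipe is closed by hand in the child rather than flagged close-on-exec, presumably because the parent still needs it for signal handling; a one-line comment above the call saying so would stop a later reader from "simplifying" it into a cloexec_on() that the parent would then inherit the consequences of.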
+@@ -205,6 +207,7 @@ static void start_slot(int slot,
+ return;
+ }
+ unlink(tmp.s);
++ cloexec_on(fd);
+ gethostname(hostname, sizeof hostname);
+ wrap_str(str_copyns(&tmp, 6, "To: <", mailto, ">\n",
+ "From: Cron Daemon <root@", hostname, ">\n"));
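Review bot: the result of cloexec_on(fd) on the new line after unlink(tmp.s) is ignored; if setting the close-on-exec flag fails, the job's temporary output file silently stays inheritable by every job exec'd afterwards, which is exactly the leak CVE-2012-6110 describes. Suggest handling a failure the same way the open failure just above is handled (log it and return from start_slot) rather than continuing with an unprotected descriptor. Setting the flag right after the open/unlink is otherwise fine here, as nothing forks between the two calls.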
+diff --git a/tests/exec-fds b/tests/exec-fds
+new file mode 100644
+index 0000000..f2c4a9f
+--- /dev/null
++++ b/tests/exec-fds
+@@ -0,0 +1,22 @@
++doexec \
++ 'sleep 1; echo all done' \
++ 'echo here >&4; echo here >&5; echo here >&6; echo here >&7; echo here >&8'
++<result>
++15:2^@KJob complete,15:1^@KJob complete,
++bcron-exec: (USER) CMD (sleep 1; echo all done)
++bcron-exec: (USER) CMD (echo here >&4; echo here >&5; echo here >&6; echo here >&7; echo here >&8)
++bcron-exec: Waiting for remaining slots to complete
++To: <USER>
++From: Cron Daemon <root@HOST>
++Subject: Cron <USER@HOST> echo here >&4; echo here >&5; echo here >&6; echo here >&7; echo here >&8
++
++/bin/sh: 1: 4: Bad file descriptor
++/bin/sh: 1: 5: Bad file descriptor
++/bin/sh: 1: 6: Bad file descriptor
++/bin/sh: 1: 7: Bad file descriptor
++/bin/sh: 1: 8: Bad file descriptor
++To: <USER>
++From: Cron Daemon <root@HOST>
++Subject: Cron <USER@HOST> sleep 1; echo all done
++
++all done
+--
+1.7.10.4
+
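Review bot: the new tests/exec-fds checks that a job started while another slot (sleep 1) is still running gets "Bad file descriptor" on fds 4 through 8, which does exercise the reported leak, but the test silently assumes the other job's temporary output file and the self-pipe land in that range. A short comment in the test stating which descriptors are expected to be in use would make a future failure much easier to diagnose. Also worth a note in the file: the "^@" bytes in the expected result are literal NULs inside the netstring status records ("15:2^@KJob complete,"), so an editor that strips control characters will break the expectation.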