Bug#736562: pu: package rush_1.7+dfsg-1+deb7u1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertag: pu
Dear supervisors,
I would like to pledge for an update of the package
rush_1.7+dfsg-1
within the stable release. The cause is CVE-2013-6889:
http://bugs.debian.org/733505
The matter concerns file access elevation due to SUID-bit
when running the software in test mode.
The issue has been resolved and uploaded to unstable in
rush_1.7+dfsg-4
and I propose the identical patching for the package kept
in the stable release. The upstream project has incorporated
my patch verbatim in its repository. The solution was to reset
the effective user identification when running in test mode,
thus cancelling all ill effects.
The complete debdiff of the package, as deposited at mentors.d.n,
is included below.
Best regards,
Mats Erik Andersson, maintainer of GNU Rush
diff -Nru rush-1.7+dfsg/debian/changelog rush-1.7+dfsg/debian/changelog
--- rush-1.7+dfsg/debian/changelog 2011-07-06 17:48:31.000000000 +0200
+++ rush-1.7+dfsg/debian/changelog 2014-01-24 22:10:50.000000000 +0100
@@ -1,3 +1,10 @@
+rush (1.7+dfsg-1+deb7u1) stable; urgency=high
+
+ * Attend to CVE-2013-6889, file access escalation.
+ + debian/patches/cve_2013_6889.diff: New file.
+
+ -- Mats Erik Andersson <mats.andersson@gisladisker.se> Fri, 24 Jan 2014 22:01:24 +0100
+
rush (1.7+dfsg-1) unstable; urgency=low
* Initial release. (Closes: #515198)
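Review bot: the new changelog entry does not reference the bug it fixes, so the BTS will not record 1.7+dfsg-1+deb7u1 as a fixed version. The cover letter and the patch header both cite http://bugs.debian.org/733505; suggest extending the bullet to `* Attend to CVE-2013-6889, file access escalation. (Closes: #733505)` so the stable upload closes the report on acceptance.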
diff -Nru rush-1.7+dfsg/debian/patches/cve_2013_6889.diff rush-1.7+dfsg/debian/patches/cve_2013_6889.diff
--- rush-1.7+dfsg/debian/patches/cve_2013_6889.diff 1970-01-01 01:00:00.000000000 +0100
+++ rush-1.7+dfsg/debian/patches/cve_2013_6889.diff 2014-01-19 16:42:45.000000000 +0100
@@ -0,0 +1,27 @@
+Description: CVE-2013-6889, elevated access.
+ The executable will, when used with SUID-bit set,
+ allow opening and reading access to every system
+ file also by an unprivileged user, whenever invocation
+ is done in testing mode, i.e., using '-t' without '-u'.
+ .
+ Prevent this mistake by resetting the effective user
+ identification to the real user identification when-
+ ever testing mode is asked for.
+Author: Mats Erik Andersson <debian@gisladisker.se>
+Forwarded: yes
+Bug-Debian: http://bugs.debian.org/733505
+Last-update: 2014-01-16
+
+--- rush-1.7+dfsg.debian/src/rush.c
++++ rush-1.7+dfsg/src/rush.c
+@@ -913,6 +913,10 @@ main(int argc, char **argv)
+ } else if (argc > optind)
+ die(usage_error, NULL, _("invalid command line"));
+
++ /* Step down from SUID when running in test mode. */
++ if (lint_option)
++ setuid(getuid());
++
+ if (test_user_name) {
+ struct passwd *pw = getpwnam(test_user_name);
+ if (!pw)
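Review bot: the return value of `setuid(getuid())` in the added block is not checked, so if the call fails the process silently carries on in test mode with the elevated effective UID, which is the very condition this patch exists to remove. Suggest making failure fatal in the same style the surrounding code already uses for errors, e.g. `if (lint_option && setuid(getuid()) != 0)` followed by a `die(...)` with a suitable error class and a message such as `_("cannot drop privileges")`. One caveat worth a comment in the patch: when the binary is setuid root, `setuid()` resets the real, effective and saved UIDs together, so the drop is permanent; if it were ever installed setuid to an unprivileged account, `setuid()` would change only the effective UID and leave the saved set-user-ID recoverable, in which case `setresuid(getuid(), getuid(), getuid())` is the safer call. Minor: the DEP-3 header field is spelled `Last-Update`, not `Last-update`.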
diff -Nru rush-1.7+dfsg/debian/patches/series rush-1.7+dfsg/debian/patches/series
--- rush-1.7+dfsg/debian/patches/series 2011-04-18 14:07:15.000000000 +0200
+++ rush-1.7+dfsg/debian/patches/series 2014-01-24 13:12:34.000000000 +0100
@@ -1,2 +1,3 @@
dfsg_reduction.diff
tcpmux_service.diff
+cve_2013_6889.diff