
Bug#748669: an sks update for wheezy? ( https://bugs.debian.org/748669 )




Am 21.06.2014 21:56, schrieb Christoph Martin:

>>
>> As mentioned on IRC, the disabling of 511_gcc44.patch isn't documented.
>> To be entirely honest, if having the patch enabled isn't breaking
>> anything then I'd prefer leaving it enabled, on the principle of least
>> change; it should certainly be one or the other, however.
> 
> The problem was that the patch did not work any more. It looked like the
> patch was already in the upstream source. I am not sure why. Maybe sks
> was built prior to a gcc version change.
> 
> I'll try again to get it working with the patch. If it does not work I'll
> put a note in the changelog.

Ok. It is working without disabling the patch. I attached an updated
debdiff.

Please let me know if I can upload it to stable.

Christoph
diff -Nru sks-1.1.3/debian/changelog sks-1.1.3/debian/changelog
--- sks-1.1.3/debian/changelog	2013-03-11 16:48:17.000000000 +0100
+++ sks-1.1.3/debian/changelog	2014-05-19 14:29:44.000000000 +0200
@@ -1,3 +1,14 @@
+sks (1.1.3-2+deb7u1) stable; urgency=high
+
+  [ Daniel Kahn Gillmor ]
+  * avoid trying to upgrade DB_CONFIG (Closes: #709322)
+
+  [ Christoph Martin ]
+  * fix crosssite scripting bug (CVE-2014-3207) (closes: 746626)
+  * note active Berkely DB on new install (closes: 741912)
+
+ -- Christoph Martin <christoph.martin@uni-mainz.de>  Mon, 19 May 2014 13:36:04 +0200
+
 sks (1.1.3-2) unstable; urgency=high
 
   * add Vcs tags to control file
diff -Nru sks-1.1.3/debian/control sks-1.1.3/debian/control
--- sks-1.1.3/debian/control	2012-10-15 11:45:50.000000000 +0200
+++ sks-1.1.3/debian/control	2014-05-19 12:01:00.000000000 +0200
@@ -3,10 +3,11 @@
 Priority: optional
 Standards-Version: 3.9.1
 Maintainer: Christoph Martin <christoph.martin@uni-mainz.de>
-Uploaders: Fabio M. Di Nitto <fabbione@fabbione.net>
+Uploaders: Fabio M. Di Nitto <fabbione@fabbione.net>,
+ Daniel Kahn Gillmor <dkg@fifthhorseman.net>
 Build-Depends: ocaml (>= 3.08), camlp4, libdb-dev, debhelper (>= 7.0.50~), zlib1g-dev, libcryptokit-ocaml-dev (>= 1.2-4), ocaml-nox (>= 1.3-4), perl, perl-doc, dh-ocaml (>= 0.9~)
-Vcs-Browser: http://svn.debian.org/wsvn/pkg-sks
-Vcs-Svn: svn://svn.debian.org/pkg-sks/
+Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-sks/pkg-sks.git
+Vcs-Git: git://anonscm.debian.org/pkg-sks/pkg-sks.git
 
 Package: sks
 Architecture: any
diff -Nru sks-1.1.3/debian/patches/530_cve-2014-3207_xss.patch sks-1.1.3/debian/patches/530_cve-2014-3207_xss.patch
--- sks-1.1.3/debian/patches/530_cve-2014-3207_xss.patch	1970-01-01 01:00:00.000000000 +0100
+++ sks-1.1.3/debian/patches/530_cve-2014-3207_xss.patch	2014-05-19 12:01:00.000000000 +0200
@@ -0,0 +1,67 @@
+# https://bitbucket.org/skskeyserver/sks-keyserver/commits/88d453cdc858d1352c61a4d4a6cd5b1ac17f2724/raw/
+diff --git a/CHANGELOG b/CHANGELOG
+index 9ccd738..4b9e9aa 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -1,3 +1,7 @@
++1.1.5 backport to 1.1.3
++  - Fix a non-persistent cross-site scripting possibility resulting from 
++    improper input sanitation before writing to client. (BB Issue #26 | [CVE-2014-3207])
++  
+ 1.1.3
+   - Makefile fix for 'make dep' if .depend does not exist. Issue #4
+   - Makefile fix: sks and sks_add_mail fail to link w/o '-ccopt -pg'
+diff --git a/htmlTemplates.ml b/htmlTemplates.ml
+index ece9276..f488fad 100644
+--- a/htmlTemplates.ml
++++ b/htmlTemplates.ml
+@@ -33,6 +33,8 @@ let html_quote string =
+ 	| '>' -> sout#write_string "&gt;"
+ 	| '&' -> sout#write_string "&amp;"
+ 	| '"' -> sout#write_string "&quot;"
++        | '\''-> sout#write_string "&#x27;"
++        | '/'-> sout#write_string "&#x2F;"
+ 	| c -> sout#write_char c  
+     done;
+     ""
+diff --git a/wserver.ml b/wserver.ml
+index 2c22dd2..b3d51bd 100644
+--- a/wserver.ml
++++ b/wserver.ml
+@@ -279,7 +279,7 @@ let accept_connection f ~recover_timeout addr cin cout =
+ 	    let output = 
+ 	      HtmlTemplates.page ~title:"Not implemented"
+ 		~body:(sprintf "Error handling request %s: %s not implemented." 
+-			 (request_to_string request) s)
++			 (request_to_string request) (HtmlTemplates.html_quote s))
+ 	    in
+ 	    send_result cout ~error_code:501 output
+ 	      
+@@ -287,7 +287,7 @@ let accept_connection f ~recover_timeout addr cin cout =
+ 	    ignore (Unix.alarm recover_timeout);
+ 	    plerror 2 "Page not found: %s" s;
+ 	    let output = HtmlTemplates.page ~title:"Page not found"
+-		 ~body:(sprintf "Page not found: %s" s)
++		 ~body:(sprintf "Page not found: %s" (HtmlTemplates.html_quote s))
+ 	    in
+ 	    send_result cout ~error_code:404 output
+ 
+@@ -296,7 +296,7 @@ let accept_connection f ~recover_timeout addr cin cout =
+ 	    plerror 2 "Error handling request %s: %s" 
+ 	      (request_to_string request) s;
+ 	    let output = HtmlTemplates.page ~title:"Error handling request"
+-		 ~body:(sprintf "Error handling request: %s" s)
++		 ~body:(sprintf "Error handling request: %s" (HtmlTemplates.html_quote s))
+ 	    in
+ 	    send_result cout ~error_code:500 output
+ 
+@@ -306,8 +306,7 @@ let accept_connection f ~recover_timeout addr cin cout =
+ 	      (request_to_string request) (Common.err_to_string e);
+ 	    let output = 
+ 	      (HtmlTemplates.page ~title:"Error handling request"
+-		 ~body:(sprintf "Error handling request.  Exception raised: %s"
+-			  (Common.err_to_string e)))
++		 ~body:(sprintf "Error handling request.  Exception raised."))
+ 	    in
+ 	    send_result cout ~error_code:500 output
+     with
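Review bot: In the 501 "Not implemented" body, `(request_to_string request)` is still formatted into the HTML unescaped while only `s` goes through `HtmlTemplates.html_quote`. The definition of request_to_string is not in this patch, but if it echoes any request-derived text, that page keeps the same reflected-output path the fix closes for `s`. I would quote it as well: `(HtmlTemplates.html_quote (request_to_string request)) (HtmlTemplates.html_quote s)`. Two smaller style points: the new `'\''` and `'/'` arms in html_quote are space-indented among tab-indented arms, and the last hunk's `sprintf "Error handling request.  Exception raised."` has no conversions left, so a plain string literal would do. Both accept_connection and html_quote start and end outside the hunks shown.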
diff -Nru sks-1.1.3/debian/patches/series sks-1.1.3/debian/patches/series
--- sks-1.1.3/debian/patches/series	2012-06-14 19:05:39.000000000 +0200
+++ sks-1.1.3/debian/patches/series	2014-06-21 22:40:13.000000000 +0200
@@ -9,3 +9,4 @@
 511_gcc44.patch 
 #512_no_XA_berkeleydb.patch
 #520_fix_non-compliant_POST.patch
+530_cve-2014-3207_xss.patch
diff -Nru sks-1.1.3/debian/sks.postinst sks-1.1.3/debian/sks.postinst
--- sks-1.1.3/debian/sks.postinst	2012-06-20 10:41:30.000000000 +0200
+++ sks-1.1.3/debian/sks.postinst	2014-05-19 13:34:30.000000000 +0200
@@ -51,6 +51,9 @@
     chgrp -R adm /var/log/sks
     chmod -R g+rX /var/log/sks
     chmod    g+s  /var/log/sks
+
+    # Note the active Berkeley DB version
+    cp -f /usr/lib/sks/berkeley_db.txt /var/lib/sks/berkeley_db.active
 else
     if [ "$1" = "configure" ]; then
 	# fix permissions of logs after 1.0.9-0.1
@@ -120,8 +123,12 @@
 		cp -a ${SKS_DIR}/${DBHOME}/$log_file ${BACKUP_DIR}/${DBHOME}/
 	    done
 
+            if [ -e "${SKS_DIR}/${DBHOME}/DB_CONFIG" ]; then
+                cp -a ${SKS_DIR}/${DBHOME}/DB_CONFIG ${BACKUP_DIR}/${DBHOME}/
+            fi
+
 	    # Backup & upgrade database files
-	    for db in $(cd ${SKS_DIR}/${DBHOME}; ls -1 | grep -Ev "^(__|log\.)"); do
+	    for db in $(cd ${SKS_DIR}/${DBHOME}; ls -1 | grep -Ev "^(__|log\.|DB_CONFIG$)"); do
 		# Backup database file
 		su debian-sks -c "cp ${SKS_DIR}/${DBHOME}/${db} ${BACKUP_DIR}/${DBHOME}/"
 		# Upgrade database file
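Review bot: The added `cp -a` of DB_CONFIG leaves its path expansions unquoted, although the `[ -e "..." ]` test on the line above quotes the same path. In a maintainer script that runs as root I would quote both operands: `cp -a "${SKS_DIR}/${DBHOME}/DB_CONFIG" "${BACKUP_DIR}/${DBHOME}/"`. The new lines are also indented with spaces where the surrounding block uses tabs. The enclosing conditional and the `for` loop start and end outside this hunk.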
@@ -136,6 +143,8 @@
 	# Note the active Berkeley DB version
 	cp -f /usr/lib/sks/berkeley_db.txt /var/lib/sks/berkeley_db.active
 
+	elif [ ! -e /var/lib/sks/berkeley_db.active ]; then
+	    cp -f /usr/lib/sks/berkeley_db.txt /var/lib/sks/berkeley_db.active
 	fi
     fi
 fi
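Review bot: The new `elif` branch copies the packaged Berkeley DB version into `/var/lib/sks/berkeley_db.active` whenever that marker is missing, with no comment stating the assumption that the existing databases already match that version. A short comment would help, for example `# No marker yet: assume the existing DB already matches the packaged Berkeley DB version`. The condition of the `if` this `elif` belongs to is outside the hunk, so it is worth confirming that the assumption holds on that path.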

Attachment: signature.asc
Description: OpenPGP digital signature

