Bug#779266: unblock: libuv/0.10.28-6
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package libuv
Latest upload (0.10.28-6) is a minimal update fixing security
bug #779173 (CVE-2015-0278).
Debdiff attached.
unblock libuv/0.10.28-6
-- System Information:
Debian Release: 8.0
APT prefers testing
APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru libuv-0.10.28/debian/changelog libuv-0.10.28/debian/changelog
--- libuv-0.10.28/debian/changelog 2014-09-21 14:52:46.000000000 +0200
+++ libuv-0.10.28/debian/changelog 2015-02-25 11:03:04.000000000 +0100
@@ -1,3 +1,10 @@
+libuv (0.10.28-6) unstable; urgency=high
+
+ * Backported: call setgroups before calling setuid/setgid
+ (Closes: #779173 - CVE-2015-0278)
+
+ -- Luca Bruno <lucab@debian.org> Wed, 25 Feb 2015 10:50:58 +0100
+
libuv (0.10.28-5) unstable; urgency=medium
* Too early for versioned provides, reverted
diff -Nru libuv-0.10.28/debian/patches/series libuv-0.10.28/debian/patches/series
--- libuv-0.10.28/debian/patches/series 2014-09-20 23:24:57.000000000 +0200
+++ libuv-0.10.28/debian/patches/series 2015-02-25 10:41:19.000000000 +0100
@@ -2,3 +2,4 @@
make-clean.diff
test_runner.diff
arm64-epoll-ftbfs.diff
+setgroups_CVE-2015-0278.diff
diff -Nru libuv-0.10.28/debian/patches/setgroups_CVE-2015-0278.diff libuv-0.10.28/debian/patches/setgroups_CVE-2015-0278.diff
--- libuv-0.10.28/debian/patches/setgroups_CVE-2015-0278.diff 1970-01-01 01:00:00.000000000 +0100
+++ libuv-0.10.28/debian/patches/setgroups_CVE-2015-0278.diff 2015-02-25 10:40:02.000000000 +0100
@@ -0,0 +1,46 @@
+From 2773e1181dfb1e10fc2e3bfd3ffd83c71b730408 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sa=C3=BAl=20Ibarra=20Corretg=C3=A9?= <saghul@gmail.com>
+Date: Mon, 10 Feb 2014 17:41:51 +0100
+Subject: [PATCH] unix: call setgoups before calling setuid/setgid
+
+Backported from v1.x (66ab389)
+
+PR-URL: https://github.com/libuv/libuv/pull/215
+Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
+---
+ src/unix/process.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/unix/process.c b/src/unix/process.c
+index 19686a2..d1f9440 100644
+--- a/src/unix/process.c
++++ b/src/unix/process.c
+@@ -40,6 +40,10 @@
+ extern char **environ;
+ #endif
+
++#ifdef __linux__
++# include <grp.h>
++#endif
++
+
+ static ngx_queue_t* uv__process_queue(uv_loop_t* loop, int pid) {
+ assert(pid > 0);
+@@ -331,6 +335,17 @@ static void uv__process_child_init(uv_process_options_t options,
+ _exit(127);
+ }
+
++ if (options.flags & (UV_PROCESS_SETUID | UV_PROCESS_SETGID)) {
++ /* When dropping privileges from root, the `setgroups` call will
++ * remove any extraneous groups. If we don't call this, then
++ * even though our uid has dropped, we may still have groups
++ * that enable us to do super-user things. This will fail if we
++ * aren't root, so don't bother checking the return value, this
++ * is just done as an optimistic privilege dropping function.
++ */
++ SAVE_ERRNO(setgroups(0, NULL));
++ }
++
+ if ((options.flags & UV_PROCESS_SETGID) && setgid(options.gid)) {
+ uv__write_int(error_fd, errno);
+ _exit(127);
Reply to: