Bug#779266: marked as done (unblock: libuv/0.10.28-6)

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Subject: Bug#779266: marked as done (unblock: libuv/0.10.28-6)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Thu, 26 Feb 2015 19:57:08 +0000
Message-id: <[🔎] handler.779266.D779266.142498055913357.ackdone@bugs.debian.org>
References: <1424980551.20407.12.camel@adam-barratt.org.uk> <[🔎] 20150226072011.4690.47816.reportbug@localhost>

Your message dated Thu, 26 Feb 2015 19:55:51 +0000
with message-id <1424980551.20407.12.camel@adam-barratt.org.uk>
and subject line Re: Bug#779266: unblock: libuv/0.10.28-6
has caused the Debian Bug report #779266,
regarding unblock: libuv/0.10.28-6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
779266: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779266
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: libuv/0.10.28-6
From: Luca Bruno <lucab@debian.org>
Date: Thu, 26 Feb 2015 08:20:11 +0100
Message-id: <[🔎] 20150226072011.4690.47816.reportbug@localhost>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libuv

Latest upload (0.10.28-6) is a minimal update fixing security
bug #779173 (CVE-2015-0278).

Debdiff attached.

unblock libuv/0.10.28-6

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru libuv-0.10.28/debian/changelog libuv-0.10.28/debian/changelog
--- libuv-0.10.28/debian/changelog	2014-09-21 14:52:46.000000000 +0200
+++ libuv-0.10.28/debian/changelog	2015-02-25 11:03:04.000000000 +0100
@@ -1,3 +1,10 @@
+libuv (0.10.28-6) unstable; urgency=high
+
+  * Backported: call setgroups before calling setuid/setgid
+    (Closes: #779173 - CVE-2015-0278)
+
+ -- Luca Bruno <lucab@debian.org>  Wed, 25 Feb 2015 10:50:58 +0100
+
 libuv (0.10.28-5) unstable; urgency=medium
 
   * Too early for versioned provides, reverted
diff -Nru libuv-0.10.28/debian/patches/series libuv-0.10.28/debian/patches/series
--- libuv-0.10.28/debian/patches/series	2014-09-20 23:24:57.000000000 +0200
+++ libuv-0.10.28/debian/patches/series	2015-02-25 10:41:19.000000000 +0100
@@ -2,3 +2,4 @@
 make-clean.diff
 test_runner.diff
 arm64-epoll-ftbfs.diff
+setgroups_CVE-2015-0278.diff
diff -Nru libuv-0.10.28/debian/patches/setgroups_CVE-2015-0278.diff libuv-0.10.28/debian/patches/setgroups_CVE-2015-0278.diff
--- libuv-0.10.28/debian/patches/setgroups_CVE-2015-0278.diff	1970-01-01 01:00:00.000000000 +0100
+++ libuv-0.10.28/debian/patches/setgroups_CVE-2015-0278.diff	2015-02-25 10:40:02.000000000 +0100
@@ -0,0 +1,46 @@
+From 2773e1181dfb1e10fc2e3bfd3ffd83c71b730408 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sa=C3=BAl=20Ibarra=20Corretg=C3=A9?= <saghul@gmail.com>
+Date: Mon, 10 Feb 2014 17:41:51 +0100
+Subject: [PATCH] unix: call setgoups before calling setuid/setgid
+
+Backported from v1.x (66ab389)
+
+PR-URL: https://github.com/libuv/libuv/pull/215
+Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
+---
+ src/unix/process.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/unix/process.c b/src/unix/process.c
+index 19686a2..d1f9440 100644
+--- a/src/unix/process.c
++++ b/src/unix/process.c
+@@ -40,6 +40,10 @@
+ extern char **environ;
+ #endif
+ 
++#ifdef __linux__
++# include <grp.h>
++#endif
++
+ 
+ static ngx_queue_t* uv__process_queue(uv_loop_t* loop, int pid) {
+   assert(pid > 0);
+@@ -331,6 +335,17 @@ static void uv__process_child_init(uv_process_options_t options,
+     _exit(127);
+   }
+ 
++  if (options.flags & (UV_PROCESS_SETUID | UV_PROCESS_SETGID)) {
++    /* When dropping privileges from root, the `setgroups` call will
++     * remove any extraneous groups. If we don't call this, then
++     * even though our uid has dropped, we may still have groups
++     * that enable us to do super-user things. This will fail if we
++     * aren't root, so don't bother checking the return value, this
++     * is just done as an optimistic privilege dropping function.
++     */
++    SAVE_ERRNO(setgroups(0, NULL));
++  }
++
+   if ((options.flags & UV_PROCESS_SETGID) && setgid(options.gid)) {
+     uv__write_int(error_fd, errno);
+     _exit(127);

--- End Message ---

--- Begin Message ---

To: Luca Bruno <lucab@debian.org>, 779266-done@bugs.debian.org

Subject: Re: Bug#779266: unblock: libuv/0.10.28-6

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Date: Thu, 26 Feb 2015 19:55:51 +0000

Message-id: <1424980551.20407.12.camel@adam-barratt.org.uk>

In-reply-to: <[🔎] 20150226072011.4690.47816.reportbug@localhost>

References: <[🔎] 20150226072011.4690.47816.reportbug@localhost>
On Thu, 2015-02-26 at 08:20 +0100, Luca Bruno wrote:
> Please unblock package libuv
> 
> Latest upload (0.10.28-6) is a minimal update fixing security
> bug #779173 (CVE-2015-0278).

Unblocked, thanks.

Regards,

Adam
--- End Message ---

Reply to:

References:
- Bug#779266: unblock: libuv/0.10.28-6
  - From: Luca Bruno <lucab@debian.org>

Prev by Date: Bug#779290: unblock: dvd+rw-tools/7.1-11
Next by Date: Bug#779283: marked as done (RM: debbindiff/3)
Previous by thread: Bug#779266: unblock: libuv/0.10.28-6
Next by thread: Bug#779283: RM: debbindiff/3
Index(es):
- Date
- Thread