
Bug#806247: marked as done (jessie-pu: package dbconfig-common/1.8.47+nmu3+deb8u1)



Your message dated Sat, 23 Jan 2016 13:57:15 +0000
with message-id <1453557435.1835.52.camel@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #806247,
regarding jessie-pu: package dbconfig-common/1.8.47+nmu3+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
806247: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806247
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Dear Stable Release Managers,

I come to you with this request after discussion with the security
team. Because the issue I describe below only manifests itself upon database
upgrades, which are extremely rare in a stable release, they consider it more
appropriate for an SRU than for a DSA.

Recently a security issue¹ was reported against my package
dbconfig-common. dbconfig-common is a Debian helper package for packages that
require data in a database. The issue is that backups made by dbconfig-common
during updates that involve PostgreSQL databases end up in files that may be
readable by every user on the system (depending on the umask) because file
permissions are not properly enforced. The code sets the umask, but only after
the file is created. The fix is simple: move the lines creating the file and
setting its ownership to after the change of the umask (see the patch for
unstable below).

Apart from fixing the issue for the creation of new files, the original reporter
suggested fixing the permissions of already created files as well. What
would your opinion be on that matter? I haven't created a proper patch for that
yet, but it should simply chmod all the files in
/var/cache/dbconfig-common/backups during installation of dbconfig-common.

I will start to work on a proper debdiff, but I would appreciate knowing whether I
should include the fixing of existing files in it.

Paul
Current maintainer of dbconfig-common

¹ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805638

- --- /usr/share/dbconfig-common/internal/pgsql.orig	2014-11-02
21:54:07.000000000 +0100
+++ /usr/share/dbconfig-common/internal/pgsql	2015-11-21
13:49:04.863637686 +0100
@@ -174,14 +174,14 @@
 	local extra retval PGSSLMODE localuser _dbc_asuser dumpfile old_umask
 	dumpfile=$1
 	localuser=`_dbc_psql_local_username`
- -	touch $dumpfile
- -	chown $localuser $dumpfile
	PGSSLMODE="prefer"
 	retval=0
 	_dbc_psql_cmd_setup
 	if [ "$dbc_ssl" ]; then PGSSLMODE="require"; fi
 	old_umask=`umask`
 	umask 0066
+	touch $dumpfile
+	chown $localuser $dumpfile
 	extra=`_dbc_psql_cmd_args`
 	extra="-f \"$dumpfile\" $extra"
 	_dbc_debug "su -s /bin/sh $localuser -c \"env
HOME='$_dbc_pgsql_tmpdir' PGPASSFILE='$_dbc_pgsql_tmpdir/.pgpass'
PGSSLMODE='$PGSSLMODE' pg_dump $extra $dbc_dbname\" 2>&1"
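Review bot: moving `touch $dumpfile` and `chown $localuser $dumpfile` below `umask 0066` fixes the mode of a newly created dump (0666 & ~0066 = 0600), but `touch` does not alter the mode of a file that already exists, so a stale world-readable `$dumpfile` left over from an earlier run would keep its old permissions; an explicit `chmod 0600 "$dumpfile"` right after the `touch` would cover both cases (the separate clean-up of /var/cache/dbconfig-common/backups discussed in the message body addresses older dumps under other names). Also, `$dumpfile` is unquoted in the moved `touch`/`chown` lines while the same variable is quoted in `extra="-f \"$dumpfile\" $extra"`; quoting it consistently avoids word-splitting on paths containing spaces.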

--- End Message ---
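The umask ordering bug described in the report above, shown as an added shell example that is not code from dbconfig-common or the bug report; it assumes GNU `stat -c %a` and a scratch directory from `mktemp -d`, and also shows the chmod repair of pre-existing dumps that the reporter suggested.

```shell
#!/bin/sh
# Added example, not code from dbconfig-common or the bug report: reproduce the
# ordering bug from the report in a scratch directory, show the fixed order,
# and show the clean-up of already existing dumps that the reporter suggested.

# Old order: the dump file is created before the umask is tightened, so it
# gets the mode implied by the caller's umask (0644 under a 0022 umask).
buggy_dump_mode() {
    dir=$(mktemp -d); old_umask=$(umask)
    umask 0022                     # a typical default umask
    touch "$dir/dump.sql"          # created now, readable by everyone
    umask 0066                     # too late for this file
    echo "constructed dump" > "$dir/dump.sql"   # writing does not alter the mode
    stat -c %a "$dir/dump.sql"     # prints 644
    umask "$old_umask"; rm -rf "$dir"
}

# Fixed order (what the patch does): tighten the umask first, then create.
fixed_dump_mode() {
    dir=$(mktemp -d); old_umask=$(umask)
    umask 0022
    umask 0066                     # 0666 & ~0066 = 0600 for new files
    touch "$dir/dump.sql"
    echo "constructed dump" > "$dir/dump.sql"
    stat -c %a "$dir/dump.sql"     # prints 600
    umask "$old_umask"; rm -rf "$dir"
}

# Repair step for dumps created before the fix: the umask never touches
# existing files, so they need an explicit chmod. $1 is the backups directory
# (/var/cache/dbconfig-common/backups on a real system; a temp dir here).
repair_existing_dumps() {
    find "$1" -type f -exec chmod 0600 {} +
}

# Mode of a constructed pre-existing world-readable dump after the repair.
repair_demo_mode() {
    dir=$(mktemp -d); old_umask=$(umask)
    umask 0022
    touch "$dir/old.sql"           # simulates a dump left over with 0644
    repair_existing_dumps "$dir"
    stat -c %a "$dir/old.sql"      # prints 600
    umask "$old_umask"; rm -rf "$dir"
}
```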
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam

--- End Message ---