
Bug#818620: jessie-pu: package cinnamon-settings-daemon/2.2.4.repack-7+deb8u1



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi!

Moritz from the security team brought to the attention of the cinnamon team
that cinnamon-settings-daemon in stable contains a minor security issue that has
already been fixed in upstream.

This issue doesn't warrant a DSA, as it's only a circumvention of policykit
restrictions, but it would be good to fix it in a future point release.

I'm attaching the debdiff between the version currently in stable and the
proposed package for the point release.

Thanks!

-- System Information:
Debian Release: 8.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_AR.UTF-8, LC_CTYPE=es_AR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru cinnamon-settings-daemon-2.2.4.repack/debian/changelog cinnamon-settings-daemon-2.2.4.repack/debian/changelog
--- cinnamon-settings-daemon-2.2.4.repack/debian/changelog	2014-10-25 16:14:33.000000000 +0200
+++ cinnamon-settings-daemon-2.2.4.repack/debian/changelog	2016-03-18 20:32:16.000000000 +0100
@@ -1,3 +1,10 @@
+cinnamon-settings-daemon (2.2.4.repack-7+deb8u1) stable; urgency=medium
+
+  * Add debian/patches/csd-datetime-polkit-auth to fix a minor security bug.
+    http://www.openwall.com/lists/oss-security/2015/10/28/3
+
+ -- Margarita Manterola <marga@debian.org>  Fri, 18 Mar 2016 20:13:36 +0100
+
 cinnamon-settings-daemon (2.2.4.repack-7) unstable; urgency=medium
 
   [ Fabio Fantoni ]
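
Review bot: The new changelog entry at the top of this hunk says only "fix a minor security bug" and gives a URL, so a reader of the changelog cannot tell which component or defect is involved without following the link. Consider naming it in the entry itself, for example by reusing the patch's own description ("csd-datetime forgets to authorize users"), and adding a Closes: reference if a Debian bug tracks the issue.
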
diff -Nru cinnamon-settings-daemon-2.2.4.repack/debian/patches/csd-datetime-polkit-auth cinnamon-settings-daemon-2.2.4.repack/debian/patches/csd-datetime-polkit-auth
--- cinnamon-settings-daemon-2.2.4.repack/debian/patches/csd-datetime-polkit-auth	1970-01-01 01:00:00.000000000 +0100
+++ cinnamon-settings-daemon-2.2.4.repack/debian/patches/csd-datetime-polkit-auth	2016-03-18 20:32:16.000000000 +0100
@@ -0,0 +1,21 @@
+Description: csd-datetime forgets to authorize users
+Author: https://github.com/leigh123linux
+Origin: upstream, ac5e0be8c1817616dbdb056b6881cfc4660f57a8
+Bug: http://www.openwall.com/lists/oss-security/2015/10/28/3
+Last-Update: 2016-03-14
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: cinnamon-settings-daemon/plugins/datetime/csd-datetime-mechanism.c
+===================================================================
+--- cinnamon-settings-daemon.orig/plugins/datetime/csd-datetime-mechanism.c	2016-03-14 20:18:33.588428169 +0100
++++ cinnamon-settings-daemon/plugins/datetime/csd-datetime-mechanism.c	2016-03-14 20:26:56.302535208 +0100
+@@ -354,6 +354,9 @@
+         int exit_status;
+         GError *error;
+ 
++        if (!_check_polkit_for_action (mechanism, context))
++                return FALSE;
++
+         date_str = g_strdup_printf ("%02d/%02d/%d", month, day, year);
+         error = NULL;
+ 
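
Review bot: The added `_check_polkit_for_action (mechanism, context)` guard covers only the one function around line 354 that builds `date_str`. The hunk gives no way to tell whether the other state-changing methods in csd-datetime-mechanism.c already perform the same check, so please confirm that they do. The early `return FALSE` also relies on the helper having reported the denial through `context`, which is worth verifying so that a refused caller receives an error reply. In the DEP-3 header, `Origin:` carries a bare commit hash and `Author:` a profile URL; a full commit URL and a name would make the provenance easier to check.
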
diff -Nru cinnamon-settings-daemon-2.2.4.repack/debian/patches/series cinnamon-settings-daemon-2.2.4.repack/debian/patches/series
--- cinnamon-settings-daemon-2.2.4.repack/debian/patches/series	2014-10-25 16:14:33.000000000 +0200
+++ cinnamon-settings-daemon-2.2.4.repack/debian/patches/series	2016-03-18 20:32:16.000000000 +0100
@@ -2,3 +2,4 @@
 power-manager-upower-0.99-support
 calculator-mediakey.patch
 enable-3finger-tap.patch
+csd-datetime-polkit-auth
