Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
we would like to fix the following two problems in stable:
1) The bacula packages are vulnerable to a security problem similar to
CVE 2017-14610 (PID files not owned by root). On the downside this
change disables a bacula feature that permits automatic tracebacks on a
crash. I've mailed the security team about this, they recommended a
stable update.
2) Bug #880529: When updating from jessie to stretch, the package
"bacula-director-common" will be removed, but the postrm will stay
around. Upon purging this package, postrm unconditionally removes the
main bacula configuration file /etc/bacula/bacula-dir.conf, leaving
bacula unusable. We fix this by introducing a transitional package that
can then be safely removed.
Regards,
Carsten
-- System Information:
Debian Release: 9.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'oldstable-updates'), (500, 'oldoldstable'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
diff -Nru bacula-7.4.4+dfsg/debian/bacula-director.init bacula-7.4.4+dfsg/debian/bacula-director.init
--- bacula-7.4.4+dfsg/debian/bacula-director.init 2017-02-26 13:39:25.000000000 +0100
+++ bacula-7.4.4+dfsg/debian/bacula-director.init 2017-11-15 22:55:15.000000000 +0100
@@ -67,7 +67,7 @@
{
if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then
start-stop-daemon --start --quiet --pidfile $PIDFILE \
- --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
+ --oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG
return 0
else
log_progress_msg "- the configtest"
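Review bot: removing `--chuid $BUSER:$BGROUP` from the start line means start-stop-daemon launches the director as root and the daemon alone is responsible for switching to $BUSER:$BGROUP through `-u`/`-g`; that is what lets the PID file be written by root before the drop, but it also means nothing on the start path verifies that the drop happened. Since the configtest on the line above already passes `-u $BUSER -g $BGROUP`, the two invocations now share the same flags and should be kept in sync; the stop and status actions (outside this hunk) should keep matching the process by `--pidfile $PIDFILE` rather than by user, as the parent process is no longer started under $BUSER.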
diff -Nru bacula-7.4.4+dfsg/debian/bacula-fd.init bacula-7.4.4+dfsg/debian/bacula-fd.init
--- bacula-7.4.4+dfsg/debian/bacula-fd.init 2017-02-26 13:39:25.000000000 +0100
+++ bacula-7.4.4+dfsg/debian/bacula-fd.init 2017-11-15 22:55:15.000000000 +0100
@@ -54,7 +54,7 @@
{
if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then
start-stop-daemon --start --quiet --pidfile $PIDFILE \
- --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
+ --oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG
return 0
else
log_progress_msg "- the configtest"
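Review bot: identical to the director hunk, so the same caveat applies: the file daemon is now started as root and relies entirely on its own `-u $BUSER -g $BGROUP` to drop privileges, and a failed or silently ignored drop leaves it running as root without the script noticing. Consider having the status action (not in this hunk) check the uid of the process named in $PIDFILE against $BUSER so such a regression is visible to the administrator.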
diff -Nru bacula-7.4.4+dfsg/debian/bacula-sd.init bacula-7.4.4+dfsg/debian/bacula-sd.init
--- bacula-7.4.4+dfsg/debian/bacula-sd.init 2017-02-26 13:39:25.000000000 +0100
+++ bacula-7.4.4+dfsg/debian/bacula-sd.init 2017-11-15 22:55:15.000000000 +0100
@@ -53,7 +53,7 @@
{
if $DAEMON -g $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then
start-stop-daemon --start --quiet --pidfile $PIDFILE \
- --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
+ --oknodo --exec $DAEMON -- -g $BUSER -g $BGROUP -c $CONFIG
return 0
else
log_progress_msg "- the configtest"
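Review bot: the added start line passes the user with the wrong flag, `-g $BUSER -g $BGROUP`, copying the typo already present in the configtest context line above it; with no `-u` given at all, the storage daemon would not switch to $BUSER and, now that `--chuid` is gone, would keep running as root. This was masked before because start-stop-daemon did the user change. Suggest `-u $BUSER -g $BGROUP` on both lines, matching the director and fd scripts and the `-u bacula -g tape` used in the sd systemd unit later in this patch.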
diff -Nru bacula-7.4.4+dfsg/debian/changelog bacula-7.4.4+dfsg/debian/changelog
--- bacula-7.4.4+dfsg/debian/changelog 2017-02-26 13:39:25.000000000 +0100
+++ bacula-7.4.4+dfsg/debian/changelog 2017-11-15 22:55:15.000000000 +0100
@@ -1,3 +1,17 @@
+bacula (7.4.4+dfsg-6+deb9u1) stretch; urgency=medium
+
+ [Sven Hartge]
+ * Let PID files be owned by root. Mitigates a minor security problem
+ similar to CVE 2017-14610. Note that this change disables automatic
+ tracebacks.
+
+ [ Carsten Leonhardt ]
+ * Added transitional package bacula-director-common, the old leftover
+ package can't be safely purged otherwise (it deletes
+ /etc/bacula/bacula-dir.conf in postrm) (Closes: #880529)
+
+ -- Carsten Leonhardt <leo@debian.org> Wed, 15 Nov 2017 22:55:15 +0100
+
bacula (7.4.4+dfsg-6) unstable; urgency=medium
[Sven Hartge]
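Review bot: the CVE reference should use the canonical `CVE-2017-14610` form rather than `CVE 2017-14610` so that tooling which scans changelogs for CVE identifiers recognises it. The entry also does not mention that the systemd units now run with `User=root`/`Group=root` and rely on the daemons' own `-u`/`-g` switches, which administrators who audit unit files will want to see called out alongside the tracebacks note. Minor: the bracket spacing differs between `[Sven Hartge]` and `[ Carsten Leonhardt ]`.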
diff -Nru bacula-7.4.4+dfsg/debian/control bacula-7.4.4+dfsg/debian/control
--- bacula-7.4.4+dfsg/debian/control 2017-02-26 13:39:25.000000000 +0100
+++ bacula-7.4.4+dfsg/debian/control 2017-11-15 22:55:15.000000000 +0100
@@ -357,3 +357,13 @@
.
This GUI interface has been designed to ease restore operations as much as
possible as compared to the basic text console.
+
+Package: bacula-director-common
+Section: oldlibs
+Architecture: any
+Pre-Depends: ${misc:Pre-Depends}
+Depends:
+ bacula-common (= ${binary:Version}),
+ ${misc:Depends}
+Description: transitional package
+ This is a transitional package. It can safely be removed.
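Review bot: the stanza itself looks right for a transitional package (Section oldlibs, Depends on bacula-common), but the point of reintroducing bacula-director-common is to replace the leftover jessie postrm that unconditionally deletes /etc/bacula/bacula-dir.conf, and the diff does not show what maintainer scripts the new binary package ships. Confirm that it ships no postrm (or an empty one) so that purging the transitional package after upgrade cannot touch the configuration file, and that bacula-director-common in Depends-only form really supersedes the old package's scripts on upgrade.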
diff -Nru bacula-7.4.4+dfsg/debian/patches/non-forking-systemd-units.patch bacula-7.4.4+dfsg/debian/patches/non-forking-systemd-units.patch
--- bacula-7.4.4+dfsg/debian/patches/non-forking-systemd-units.patch 2017-02-26 13:39:25.000000000 +0100
+++ bacula-7.4.4+dfsg/debian/patches/non-forking-systemd-units.patch 2017-11-15 22:55:15.000000000 +0100
@@ -20,13 +20,13 @@
-PIDFile=@piddir@/bacula-dir.@dir_port@.pid
-ExecReload=@sbindir@/bacula-dir -t -c @sysconfdir@/bacula-dir.conf
+Type=simple
-+User=bacula
-+Group=bacula
++User=root
++Group=root
+Environment="CONFIG=/etc/bacula/bacula-dir.conf"
+EnvironmentFile=-/etc/default/bacula-dir
-+ExecStartPre=@sbindir@/bacula-dir -t -c $CONFIG
-+ExecStart=@sbindir@/bacula-dir -f -c $CONFIG
-+ExecReload=@sbindir@/bacula-dir -t -c $CONFIG
++ExecStartPre=@sbindir@/bacula-dir -t -u bacula -g bacula -c $CONFIG
++ExecStart=@sbindir@/bacula-dir -f -u bacula -g bacula -c $CONFIG
++ExecReload=@sbindir@/bacula-dir -t -u bacula -g bacula -c $CONFIG
ExecReload=/bin/kill -HUP $MAINPID
+SuccessExitStatus=15
StandardError=syslog
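Review bot: switching the director unit to `User=root`/`Group=root` means systemd no longer confines the service and the privilege drop depends solely on the `-u bacula -g bacula` arguments in ExecStart; ExecStartPre runs the config test with the same flags, so a bad user or group name fails at start, but nothing checks that the running process actually dropped. Suggest a comment in the unit stating that root is intentional (so the PID file is root-owned), otherwise a later cleanup is likely to restore `User=bacula` and silently break the fix.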
@@ -67,12 +67,12 @@
-ExecStart=@sbindir@/bacula-sd -c @sysconfdir@/bacula-sd.conf
-PIDFile=@piddir@/bacula-sd.@sd_port@.pid
+Type=simple
-+User=bacula
-+Group=tape
++User=root
++Group=root
+Environment="CONFIG=/etc/bacula/bacula-sd.conf"
+EnvironmentFile=-/etc/default/bacula-sd
-+ExecStartPre=@sbindir@/bacula-sd -t -c $CONFIG
-+ExecStart=@sbindir@/bacula-sd -f -c $CONFIG
++ExecStartPre=@sbindir@/bacula-sd -t -u bacula -g tape -c $CONFIG
++ExecStart=@sbindir@/bacula-sd -f -u bacula -g tape -c $CONFIG
+ExecReload=/bin/kill -HUP $MAINPID
+SuccessExitStatus=15
StandardError=syslog
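Review bot: this hunk passes `-u bacula -g tape` to bacula-sd, which is correct and differs from the sd init script earlier in this patch, where the user is passed with `-g $BUSER`; the two should agree. Because the group is now set by the daemon instead of systemd's `Group=tape`, it is worth verifying after the update that the storage daemon still has the group membership it needs for tape and disk device access, since the daemon's own group switch may not set up supplementary groups the same way the unit directive did.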