Bug#876629: marked as done (stretch-pu: package db5.3/5.3.28-12+deb9u1)

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Subject: Bug#876629: marked as done (stretch-pu: package db5.3/5.3.28-12+deb9u1)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Sat, 07 Oct 2017 10:42:12 +0000
Message-id: <[🔎] handler.876629.D876629.15073724602520.ackdone@bugs.debian.org>
Reply-to: 876629@bugs.debian.org
References: <1507372435.18586.64.camel@adam-barratt.org.uk> <150623952614.2148.17318797977337013167.reportbug@lorien.valinor.li>

Your message dated Sat, 07 Oct 2017 11:33:55 +0100
with message-id <1507372435.18586.64.camel@adam-barratt.org.uk>
and subject line Closing bugs for 9.2 point release
has caused the Debian Bug report #876629,
regarding stretch-pu: package db5.3/5.3.28-12+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
876629: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876629
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: stretch-pu: package db5.3/5.3.28-12+deb9u1
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Sun, 24 Sep 2017 09:52:06 +0200
Message-id: <150623952614.2148.17318797977337013167.reportbug@lorien.valinor.li>

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi stable release managers,

db5.3 in stretch is affected by the CVE-2017-10140 ("Berkeley DB reads
DB_CONFIG from cwd)", #872436. The NMU to unstable back on end of
august has not raised any regression reports we would be aware of. We
though think it's still safer to have it via point release and have it
for a short time exposed as well via proposed-updates (once, and if
accepted).

The changelog reads as:

>db5.3 (5.3.28-12+deb9u1) stretch; urgency=medium
>
>  * Non-maintainer upload.
>  * CVE-2017-10140: Reads DB_CONFIG from the current working directory.
>    Do not access DB_CONFIG when db_home is not set. (Closes: #872436)
>
> -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 24 Sep 2017 09:14:53 +0200

Attached ist the full proposed debdiff.

Regards,
Salvatore

diff -Nru db5.3-5.3.28/debian/changelog db5.3-5.3.28/debian/changelog
--- db5.3-5.3.28/debian/changelog	2016-07-19 08:41:52.000000000 +0200
+++ db5.3-5.3.28/debian/changelog	2017-09-24 09:14:53.000000000 +0200
@@ -1,3 +1,11 @@
+db5.3 (5.3.28-12+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2017-10140: Reads DB_CONFIG from the current working directory.
+    Do not access DB_CONFIG when db_home is not set. (Closes: #872436)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 24 Sep 2017 09:14:53 +0200
+
 db5.3 (5.3.28-12) unstable; urgency=medium
 
   * Fix FTBFS when built with dpkg-buildpackage -A (Closes: #806012)
diff -Nru db5.3-5.3.28/debian/patches/CVE-2017-10140-cwd-db_config.patch db5.3-5.3.28/debian/patches/CVE-2017-10140-cwd-db_config.patch
--- db5.3-5.3.28/debian/patches/CVE-2017-10140-cwd-db_config.patch	1970-01-01 01:00:00.000000000 +0100
+++ db5.3-5.3.28/debian/patches/CVE-2017-10140-cwd-db_config.patch	2017-09-24 09:14:53.000000000 +0200
@@ -0,0 +1,23 @@
+Description: CVE-2017-10140: Reads DB_CONFIG from the current working directory
+ Do not access DB_CONFIG when db_home is not set.
+Origin: vendor, https://src.fedoraproject.org/rpms/libdb/raw/8047fa8580659fcae740c25e91b490539b8453eb/f/db-5.3.28-cwd-db_config.patch
+Bug-Debian: https://bugs.debian.org/872436
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10140
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464032
+Bug-SuSE: https://bugzilla.novell.com/show_bug.cgi?id=1043886
+Forwarded: no
+Author: Petr Kubat <pkubat@redhat.com>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2017-08-17
+
+--- db-5.3.28/src/env/env_open.c.old	2017-06-26 10:32:11.011419981 +0200
++++ db-5.3.28/src/env/env_open.c	2017-06-26 10:32:46.893721233 +0200
+@@ -473,7 +473,7 @@
+ 	env->db_mode = mode == 0 ? DB_MODE_660 : mode;
+ 
+ 	/* Read the DB_CONFIG file. */
+-	if ((ret = __env_read_db_config(env)) != 0)
++	if (env->db_home != NULL && (ret = __env_read_db_config(env)) != 0)
+ 		return (ret);
+ 
+ 	/*
diff -Nru db5.3-5.3.28/debian/patches/series db5.3-5.3.28/debian/patches/series
--- db5.3-5.3.28/debian/patches/series	2016-07-19 08:41:52.000000000 +0200
+++ db5.3-5.3.28/debian/patches/series	2017-09-24 09:14:53.000000000 +0200
@@ -6,3 +6,4 @@
 007-link-sql-libs.patch
 mmap_extend-mode-requires-page-aligned-extends.patch
 008-autoconf-in-lang-sql-sqlite.patch
+CVE-2017-10140-cwd-db_config.patch

--- End Message ---

--- Begin Message ---

To: 863734-done@bugs.debian.org, 864027-done@bugs.debian.org, 864028-done@bugs.debian.org, 864911-done@bugs.debian.org, 865971-done@bugs.debian.org, 866045-done@bugs.debian.org, 866537-done@bugs.debian.org, 867814-done@bugs.debian.org, 868284-done@bugs.debian.org, 868517-done@bugs.debian.org, 868684-done@bugs.debian.org, 868756-done@bugs.debian.org, 868809-done@bugs.debian.org, 869414-done@bugs.debian.org, 869419-done@bugs.debian.org, 869434-done@bugs.debian.org, 869574-done@bugs.debian.org, 869577-done@bugs.debian.org, 869634-done@bugs.debian.org, 869661-done@bugs.debian.org, 869667-done@bugs.debian.org, 869676-done@bugs.debian.org, 869754-done@bugs.debian.org, 869772-done@bugs.debian.org, 869836-done@bugs.debian.org, 869920-done@bugs.debian.org, 869966-done@bugs.debian.org, 870005-done@bugs.debian.org, 870142-done@bugs.debian.org, 870181-done@bugs.debian.org, 870205-done@bugs.debian.org, 870465-done@bugs.debian.org, 870604-done@bugs.debian.org, 870609-done@bugs.debian.org, 870659-done@bugs.debian.org, 870911-done@bugs.debian.org, 871242-done@bugs.debian.org, 871440-done@bugs.debian.org, 871451-done@bugs.debian.org, 871466-done@bugs.debian.org, 871661-done@bugs.debian.org, 871720-done@bugs.debian.org, 871739-done@bugs.debian.org, 871943-done@bugs.debian.org, 872441-done@bugs.debian.org, 872774-done@bugs.debian.org, 872776-done@bugs.debian.org, 872818-done@bugs.debian.org, 872928-done@bugs.debian.org, 872953-done@bugs.debian.org, 872991-done@bugs.debian.org, 873054-done@bugs.debian.org, 873061-done@bugs.debian.org, 873309-done@bugs.debian.org, 873371-done@bugs.debian.org, 873479-done@bugs.debian.org, 873624-done@bugs.debian.org, 873771-done@bugs.debian.org, 874198-done@bugs.debian.org, 874350-done@bugs.debian.org, 874389-done@bugs.debian.org, 874477-done@bugs.debian.org, 874580-done@bugs.debian.org, 875695-done@bugs.debian.org, 875765-done@bugs.debian.org, 875777-done@bugs.debian.org, 876020-done@bugs.debian.org, 876092-done@bugs.debian.org, 876114-done@bugs.debian.org, 876116-done@bugs.debian.org, 876117-done@bugs.debian.org, 876139-done@bugs.debian.org, 876314-done@bugs.debian.org, 876629-done@bugs.debian.org, 876731-done@bugs.debian.org, 876909-done@bugs.debian.org, 876913-done@bugs.debian.org, 876949-done@bugs.debian.org, 877348-done@bugs.debian.org, 877415-done@bugs.debian.org, 875771-done@bugs.debian.org, 876633-done@bugs.debian.org

Subject: Closing bugs for 9.2 point release

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Date: Sat, 07 Oct 2017 11:33:55 +0100

Message-id: <1507372435.18586.64.camel@adam-barratt.org.uk>
Version: 9.2

Hi.

The updates referenced by each of these bugs was included in today's
point release of stretch.

Regards,

Adam
--- End Message ---

Reply to:

Prev by Date: Bug#876139: marked as done (stretch-pu: package pcb-rnd)
Next by Date: Bug#876314: marked as done (stretch-pu: package trace-cmd/2.6-0.1+b1)
Previous by thread: Bug#876139: marked as done (stretch-pu: package pcb-rnd)
Next by thread: Bug#876314: marked as done (stretch-pu: package trace-cmd/2.6-0.1+b1)
Index(es):
- Date
- Thread