
Bug#955409: stretch-pu: package tinyproxy/1.8.4-3~deb9u2



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

I have just uploaded (via Utkarsh Gupta as sponsor) an update of tinyproxy in stretch with the following changes:

+  * debian/patches:
+    + Add CVE-2017-11747-drop-privileges-after-PID-file-creation.patch.
+      CVE-2017-11747: Create PID file before dropping privileges to non-root
+      account. (Closes: #870307).

CVE-2017-11747 is a no-dsa issue.

+  * debian/tinyproxy.init:
+    + Only set PIDDIR, if PIDFILE is a non-zero length string. (Closes:
+      #948283).

RC bug fix.

Thanks+Greets,
Mike


-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru tinyproxy-1.8.4/debian/changelog tinyproxy-1.8.4/debian/changelog
--- tinyproxy-1.8.4/debian/changelog	2018-02-28 18:33:56.000000000 +0100
+++ tinyproxy-1.8.4/debian/changelog	2020-03-31 12:15:15.000000000 +0200
@@ -1,3 +1,15 @@
+tinyproxy (1.8.4-3~deb9u2) stretch; urgency=medium
+
+  * debian/patches:
+    + Add CVE-2017-11747-drop-privileges-after-PID-file-creation.patch.
+      CVE-2017-11747: Create PID file before dropping privileges to non-root
+      account. (Closes: #870307).
+  * debian/tinyproxy.init:
+    + Only set PIDDIR, if PIDFILE is a non-zero length string. (Closes:
+      #948283).
+
+ -- Mike Gabriel <sunweaver@debian.org>  Tue, 31 Mar 2020 12:15:15 +0200
+
 tinyproxy (1.8.4-3~deb9u1) stretch; urgency=medium
 
   * Non-maintainer upload.
diff -Nru tinyproxy-1.8.4/debian/init tinyproxy-1.8.4/debian/init
--- tinyproxy-1.8.4/debian/init	2017-11-15 01:38:47.000000000 +0100
+++ tinyproxy-1.8.4/debian/init	2020-03-31 12:13:31.000000000 +0200
@@ -37,7 +37,9 @@
         GROUP=$(grep   -i '^Group[[:space:]]'   "$CONFIG" | awk '{print $2}')
         PIDFILE=$(grep -i '^PidFile[[:space:]]' "$CONFIG" | awk '{print $2}' |\
           sed -e 's/"//g')
-        PIDDIR=`dirname "$PIDFILE"`
+        if [ -n "$PIDFILE" ];then
+            PIDDIR=$(dirname "$PIDFILE")
+        fi
         if [ -n "$PIDDIR" -a "$PIDDIR" != "/run" ]; then
 	    if [ ! -d "$PIDDIR" ]; then
                 mkdir "$PIDDIR"
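Review bot: on the added `if [ -n "$PIDFILE" ];then` line, put a space after the `;` (`]; then`) to match the `if [ -n "$PIDDIR" -a "$PIDDIR" != "/run" ]; then` line just below it. The guard itself is correct: `dirname ""` prints `.`, so the old unconditional line turned an empty PIDFILE into PIDDIR=`.` and the following block then treated the current directory as the PID directory, whereas now PIDDIR stays empty and the `-n "$PIDDIR"` test skips that block. One thing to confirm is that PIDDIR is not set earlier in the script or inherited from the environment, since this line no longer overwrites it in every case.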
diff -Nru tinyproxy-1.8.4/debian/patches/CVE-2017-11747-drop-privileges-after-PID-file-creation.patch tinyproxy-1.8.4/debian/patches/CVE-2017-11747-drop-privileges-after-PID-file-creation.patch
--- tinyproxy-1.8.4/debian/patches/CVE-2017-11747-drop-privileges-after-PID-file-creation.patch	1970-01-01 01:00:00.000000000 +0100
+++ tinyproxy-1.8.4/debian/patches/CVE-2017-11747-drop-privileges-after-PID-file-creation.patch	2020-03-31 12:14:05.000000000 +0200
@@ -0,0 +1,47 @@
+From 9acb0cb16cb65a554c5443f0409f827390379249 Mon Sep 17 00:00:00 2001
+From: Michael Adam <obnox@samba.org>
+Date: Thu, 16 Nov 2017 01:52:55 +0100
+Subject: [PATCH] Fix CVE-2017-11747: Create PID file before dropping
+ privileges.
+
+Resolves #106
+
+Signed-off-by: Michael Adam <obnox@samba.org>
+---
+ src/main.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/src/main.c
++++ b/src/main.c
+@@ -407,6 +407,15 @@
+                 exit (EX_OSERR);
+         }
+ 
++        /* Create pid file before we drop privileges */
++        if (config.pidpath) {
++                if (pidfile_create (config.pidpath) < 0) {
++                        fprintf (stderr, "%s: Could not create PID file.\n",
++                                 argv[0]);
++                        exit (EX_OSERR);
++                }
++        }
++
+         /* Switch to a different user if we're running as root */
+         if (geteuid () == 0)
+                 change_user (argv[0]);
+@@ -419,15 +428,6 @@
+                 exit (EX_SOFTWARE);
+         }
+ 
+-        /* Create pid file after we drop privileges */
+-        if (config.pidpath) {
+-                if (pidfile_create (config.pidpath) < 0) {
+-                        fprintf (stderr, "%s: Could not create PID file.\n",
+-                                 argv[0]);
+-                        exit (EX_OSERR);
+-                }
+-        }
+-
+         if (child_pool_create () < 0) {
+                 fprintf (stderr,
+                          "%s: Could not create the pool of children.\n",
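Review bot: moving the `pidfile_create (config.pidpath)` block ahead of `change_user (argv[0])` means any `exit (EX_SOFTWARE)` between the new location and the old one (visible at the top of the second hunk) now leaves a stale PID file behind that nothing removes; consider unlinking `config.pidpath` on that error path, or confirm the init script tolerates a stale file. Since the file is now created while tinyproxy is still root, which is the point of the fix, also check that the daemon's own cleanup of the PID file at shutdown and the init script's stop action still work against a root-owned file in PIDDIR. For DEP-3, the git `From`/`Date`/`Subject` headers cover origin and author, but a `Bug-Debian: https://bugs.debian.org/870307` line would tie the patch to the bug the changelog closes.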
diff -Nru tinyproxy-1.8.4/debian/patches/series tinyproxy-1.8.4/debian/patches/series
--- tinyproxy-1.8.4/debian/patches/series	2017-11-15 01:22:25.000000000 +0100
+++ tinyproxy-1.8.4/debian/patches/series	2020-03-31 12:14:35.000000000 +0200
@@ -1 +1,2 @@
 sighup_hang.patch
+CVE-2017-11747-drop-privileges-after-PID-file-creation.patch
