Bug#955409: stretch-pu: package tinyproxy/1.8.4-3~deb9u2
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Dear release team,
I have just uploaded (via Utkarsh Gupti as sponsor) an update of tinyproxy in stretch with the following changes:
+ * debian/patches:
+ + Add CVE-2017-11747-drop-privileges-after-PID-file-creation.patch.
+ CVE-2017-11747: Create PID file before dropping privileges to non-root
+ account. (Closes: #870307).
CVE-2017-11747 is a no-dsa issue.
+ * debian/tinyproxy.init:
+ + Only set PIDDIR, if PIDFILE is a non-zero length string. (Closes:
+ #948283).
RC bug fix.
Thanks+Greets,
Mike
-- System Information:
Debian Release: 10.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru tinyproxy-1.8.4/debian/changelog tinyproxy-1.8.4/debian/changelog
--- tinyproxy-1.8.4/debian/changelog 2018-02-28 18:33:56.000000000 +0100
+++ tinyproxy-1.8.4/debian/changelog 2020-03-31 12:15:15.000000000 +0200
@@ -1,3 +1,15 @@
+tinyproxy (1.8.4-3~deb9u2) stretch; urgency=medium
+
+ * debian/patches:
+ + Add CVE-2017-11747-drop-privileges-after-PID-file-creation.patch.
+ CVE-2017-11747: Create PID file before dropping privileges to non-root
+ account. (Closes: #870307).
+ * debian/tinyproxy.init:
+ + Only set PIDDIR, if PIDFILE is a non-zero length string. (Closes:
+ #948283).
+
+ -- Mike Gabriel <sunweaver@debian.org> Tue, 31 Mar 2020 12:15:15 +0200
+
tinyproxy (1.8.4-3~deb9u1) stretch; urgency=medium
* Non-maintainer upload.
diff -Nru tinyproxy-1.8.4/debian/init tinyproxy-1.8.4/debian/init
--- tinyproxy-1.8.4/debian/init 2017-11-15 01:38:47.000000000 +0100
+++ tinyproxy-1.8.4/debian/init 2020-03-31 12:13:31.000000000 +0200
@@ -37,7 +37,9 @@
GROUP=$(grep -i '^Group[[:space:]]' "$CONFIG" | awk '{print $2}')
PIDFILE=$(grep -i '^PidFile[[:space:]]' "$CONFIG" | awk '{print $2}' |\
sed -e 's/"//g')
- PIDDIR=`dirname "$PIDFILE"`
+ if [ -n "$PIDFILE" ];then
+ PIDDIR=$(dirname "$PIDFILE")
+ fi
if [ -n "$PIDDIR" -a "$PIDDIR" != "/run" ]; then
if [ ! -d "$PIDDIR" ]; then
mkdir "$PIDDIR"
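Review bot: PIDDIR is never reset when PIDFILE is empty, so the `if [ -n "$PIDDIR" -a "$PIDDIR" != "/run" ]` test two lines below still sees whatever value PIDDIR already had from the environment or an earlier part of the script, and `mkdir "$PIDDIR"` then runs on it as root. Initialise it explicitly, e.g. `PIDDIR=""` before the new `if`, or add an `else PIDDIR=""` branch. While here, `-a` inside `[ ]` is obsolescent in POSIX; `[ -n "$PIDDIR" ] && [ "$PIDDIR" != "/run" ]` is the portable form, and `;then` wants a space after the semicolon to match the surrounding style. The guard itself is right: `dirname ""` prints `.`, so with no PidFile configured the old code set PIDDIR to `.`, which passed the `-n` test, which is the failure #948283 reports.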
diff -Nru tinyproxy-1.8.4/debian/patches/CVE-2017-11747-drop-privileges-after-PID-file-creation.patch tinyproxy-1.8.4/debian/patches/CVE-2017-11747-drop-privileges-after-PID-file-creation.patch
--- tinyproxy-1.8.4/debian/patches/CVE-2017-11747-drop-privileges-after-PID-file-creation.patch 1970-01-01 01:00:00.000000000 +0100
+++ tinyproxy-1.8.4/debian/patches/CVE-2017-11747-drop-privileges-after-PID-file-creation.patch 2020-03-31 12:14:05.000000000 +0200
@@ -0,0 +1,47 @@
+From 9acb0cb16cb65a554c5443f0409f827390379249 Mon Sep 17 00:00:00 2001
+From: Michael Adam <obnox@samba.org>
+Date: Thu, 16 Nov 2017 01:52:55 +0100
+Subject: [PATCH] Fix CVE-2017-11747: Create PID file before dropping
+ privileges.
+
+Resolves #106
+
+Signed-off-by: Michael Adam <obnox@samba.org>
+---
+ src/main.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/src/main.c
++++ b/src/main.c
+@@ -407,6 +407,15 @@
+ exit (EX_OSERR);
+ }
+
++ /* Create pid file before we drop privileges */
++ if (config.pidpath) {
++ if (pidfile_create (config.pidpath) < 0) {
++ fprintf (stderr, "%s: Could not create PID file.\n",
++ argv[0]);
++ exit (EX_OSERR);
++ }
++ }
++
+ /* Switch to a different user if we're running as root */
+ if (geteuid () == 0)
+ change_user (argv[0]);
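Review bot: pidfile_create() now runs before change_user(), so the PID file is created with root privileges, which is the fix, but it only holds if the directory containing config.pidpath is not writable by the account change_user() switches to; otherwise that account can still replace the file, or plant a symlink for root to follow, between creation and the init script's kill. Please confirm pidfile_create() opens with O_CREAT|O_EXCL and O_NOFOLLOW (or equivalent) and that the PIDDIR which debian/init creates as root in this same upload, without any chown to the service user, is the directory PidFile points into.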
+@@ -419,15 +428,6 @@
+ exit (EX_SOFTWARE);
+ }
+
+- /* Create pid file after we drop privileges */
+- if (config.pidpath) {
+- if (pidfile_create (config.pidpath) < 0) {
+- fprintf (stderr, "%s: Could not create PID file.\n",
+- argv[0]);
+- exit (EX_OSERR);
+- }
+- }
+-
+ if (child_pool_create () < 0) {
+ fprintf (stderr,
+ "%s: Could not create the pool of children.\n",
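Review bot: with creation moved earlier, the `exit (EX_SOFTWARE)` path right after change_user() and the child_pool_create() failure path at the end of this hunk now exit with a PID file already on disk, whereas before no PID file existed at those points; check that those exits (or a cleanup handler) unlink config.pidpath, or a stale root-owned PID file is left for the init script to act on once the PID is reused. Separately, the patch header is git's From/Date/Subject form; DEP-3 lines such as `Origin: upstream, commit 9acb0cb16cb65a554c5443f0409f827390379249` and `Bug-Debian: https://bugs.debian.org/870307` would record the provenance in the form the Debian tooling expects.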
diff -Nru tinyproxy-1.8.4/debian/patches/series tinyproxy-1.8.4/debian/patches/series
--- tinyproxy-1.8.4/debian/patches/series 2017-11-15 01:22:25.000000000 +0100
+++ tinyproxy-1.8.4/debian/patches/series 2020-03-31 12:14:35.000000000 +0200
@@ -1 +1,2 @@
sighup_hang.patch
+CVE-2017-11747-drop-privileges-after-PID-file-creation.patch
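The ordering the patch fixes, as an added example: this is not tinyproxy or Debian code, and the function names, the constructed /tmp scratch path and the assumption that uid/gid 65534 is "nobody" are mine. It shows the daemon side (create the PID file while still privileged, then drop privileges) and the side a root init script should take before trusting `kill $(cat pidfile)`: accept the PID only from a regular, non-symlink file owned by the expected uid. A PID file created after the privilege drop, the CVE-2017-11747 ordering, is owned by the service user and fails that check.

```c
/* Added example, not tinyproxy or Debian code. Function names, the /tmp
 * scratch path and uid/gid 65534 ("nobody") are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Daemon side, step 1: create the PID file while still privileged.
 * O_EXCL refuses a pre-existing (stale or planted) file, O_NOFOLLOW a
 * symlink; 0644 keeps it unwritable by others. Owner is the current euid. */
int pidfile_create_privileged(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", (long) getpid());
    if (n < 0 || write(fd, buf, (size_t) n) != n) {
        int saved = errno;
        close(fd);
        unlink(path); /* do not leave a half-written file behind */
        errno = saved;
        return -1;
    }
    return close(fd);
}

/* Daemon side, step 2: drop privileges only if root (tinyproxy's
 * "if (geteuid () == 0)" guard), in the order groups, gid, uid, then
 * verify root cannot be regained. 0 = dropped, 1 = not root, -1 = error. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 1;
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    if (setuid(0) == 0) /* drop did not take: still able to become root */
        return -1;
    return 0;
}

/* Init-script side: trust the PID only if the file is a regular,
 * non-symlink file owned by expected_uid and not group/world writable.
 * Returns the PID, or -1 if any check or the parse fails. */
long read_trusted_pid(const char *path, uid_t expected_uid)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != expected_uid || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    char buf[32];
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n <= 0)
        return -1;
    buf[n] = '\0';
    char *end;
    long pid = strtol(buf, &end, 10);
    if (end == buf || pid <= 0 || (*end != '\n' && *end != '\0'))
        return -1;
    return pid;
}

/* Constructed scratch path for the demo, unique per process (assumption). */
const char *example_pidfile_path(void)
{
    static char path[64];
    snprintf(path, sizeof path, "/tmp/pidfile-example-%ld.pid", (long) getpid());
    return path;
}

int main(void)
{
    const char *path = example_pidfile_path();
    uid_t creator = geteuid(); /* remember who created the file */
    unlink(path);
    if (pidfile_create_privileged(path) < 0) {
        perror("pidfile_create_privileged");
        return 1;
    }
    printf("trusted pid: %ld\n", read_trusted_pid(path, creator));
    unlink(path); /* remove before the drop; the file is owned by creator */
    int d = drop_privileges(65534, 65534);
    printf("privilege drop: %s\n",
           d == 0 ? "done" : d == 1 ? "not root, skipped" : "FAILED");
    return d < 0;
}
```

Run as an unprivileged user the drop is skipped, exactly as tinyproxy's geteuid() guard does; run as root it creates the file as root, drops to 65534 and checks that setuid(0) no longer succeeds. An init script using the read_trusted_pid() rule with expected_uid 0 would have rejected the PID file the pre-patch tinyproxy wrote, since that file belonged to the service user.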