Bug#1082783: bookworm-pu: package puredata/0.53.1+ds-2+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: security@debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
* CVE-2023-47480: Terminate if canceling setuid() privilege fails
diffstat for puredata-0.53.1+ds puredata-0.53.1+ds
changelog | 7 +
patches/0001-Terminate-if-canceling-setuid-privilege-fails.patch | 38 ++++++++++
patches/series | 1
3 files changed, 46 insertions(+)
diff -Nru puredata-0.53.1+ds/debian/changelog puredata-0.53.1+ds/debian/changelog
--- puredata-0.53.1+ds/debian/changelog 2023-01-28 23:00:40.000000000 +0200
+++ puredata-0.53.1+ds/debian/changelog 2024-09-26 10:17:50.000000000 +0300
@@ -1,3 +1,10 @@
+puredata (0.53.1+ds-2+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2023-47480: Terminate if canceling setuid() privilege fails
+
+ -- Adrian Bunk <bunk@debian.org> Thu, 26 Sep 2024 10:17:50 +0300
+
puredata (0.53.1+ds-2) unstable; urgency=medium
* Backport upstream ALSA-MIDI fix
diff -Nru puredata-0.53.1+ds/debian/patches/0001-Terminate-if-canceling-setuid-privilege-fails.patch puredata-0.53.1+ds/debian/patches/0001-Terminate-if-canceling-setuid-privilege-fails.patch
--- puredata-0.53.1+ds/debian/patches/0001-Terminate-if-canceling-setuid-privilege-fails.patch 1970-01-01 02:00:00.000000000 +0200
+++ puredata-0.53.1+ds/debian/patches/0001-Terminate-if-canceling-setuid-privilege-fails.patch 2024-09-26 10:12:33.000000000 +0300
@@ -0,0 +1,38 @@
+From b97fe443787982b1f0e4ad7db123418bcdf409b4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?IOhannes=20m=20zm=C3=B6lnig?= <zmoelnig@iem.at>
+Date: Tue, 25 Jul 2023 17:03:58 +0200
+Subject: Terminate if canceling setuid() privilege fails
+
+Closes: https://github.com/pure-data/pure-data/issues/2063
+---
+ src/s_main.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/src/s_main.c b/src/s_main.c
+index 56fd633e..8eef4922 100644
+--- a/src/s_main.c
++++ b/src/s_main.c
+@@ -337,7 +337,19 @@ int sys_main(int argc, const char **argv)
+ if (getuid() != geteuid())
+ {
+ fprintf(stderr, "warning: canceling setuid privilege\n");
+- setuid(getuid());
++ if(setuid(getuid()) < 0) {
++ /* sometimes this fails (which, according to 'man 2 setuid' is a
++ * grave security error), in which case we bail out and quit. */
++ fprintf(stderr, "\n\nFATAL: could not cancel setuid privilege");
++ fprintf(stderr, "\nTo fix this, please remove the setuid flag from the Pd binary");
++ if(argc>0) {
++ fprintf(stderr, "\ne.g. by running the following as root/superuser:");
++ fprintf(stderr, "\n chmod u-s '%s'", argv[0]);
++ }
++ fprintf(stderr, "\n\n");
++ perror("setuid");
++ return (1);
++ }
+ }
+ #endif /* _WIN32 */
+ if (socket_init())
+--
+2.30.2
+
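Review bot: the privilege drop in the `if (getuid() != geteuid())` block is still incomplete, even with the new return-code check. It only looks at the user ID: a setgid binary (`getgid() != getegid()`) keeps its group privilege, and groups must be dropped before the uid drop or they cannot be dropped at all. Also, when the effective uid is not root, `setuid(getuid())` on Linux changes only the effective uid and leaves the saved set-user-ID in place, so the privilege can be regained later with `seteuid()`; `setresgid(gid, gid, gid)` followed by `setresuid(uid, uid, uid)`, each with its return value checked, closes both gaps, and `getresuid()`/`getresgid()` can confirm the result. Two smaller points in the new error path: capture `errno` into a local right after the failing `setuid()` call, because the intervening `fprintf(stderr, ...)` calls may clobber it before `perror("setuid")` reports it; and the `chmod u-s '%s'` hint prints `argv[0]` as supplied by the caller, which need not be the path of the installed binary, so it should be worded as a hint rather than a command to run verbatim.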
diff -Nru puredata-0.53.1+ds/debian/patches/series puredata-0.53.1+ds/debian/patches/series
--- puredata-0.53.1+ds/debian/patches/series 2023-01-28 23:00:40.000000000 +0200
+++ puredata-0.53.1+ds/debian/patches/series 2024-09-26 10:15:42.000000000 +0300
@@ -6,3 +6,4 @@
debian_remove_timestamp-macros.patch
debian_etc-gui-plugins.patch
debian_privacy.patch
+0001-Terminate-if-canceling-setuid-privilege-fails.patch