
Bug#1082783: marked as done (bookworm-pu: package puredata/0.53.1+ds-2+deb12u1)



Your message dated Sat, 09 Nov 2024 10:51:02 +0000
with message-id <b0a29248bc631362ed06a8879f93b8cdae5414d0.camel@adam-barratt.org.uk>
and subject line Closing bugs released with 12.8
has caused the Debian Bug report #1082783,
regarding bookworm-pu: package puredata/0.53.1+ds-2+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1082783: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082783
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: security@debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>

  * CVE-2023-47480: Terminate if canceling setuid() privilege fails
diffstat for puredata-0.53.1+ds puredata-0.53.1+ds

 changelog                                                        |    7 +
 patches/0001-Terminate-if-canceling-setuid-privilege-fails.patch |   38 ++++++++++
 patches/series                                                   |    1 
 3 files changed, 46 insertions(+)

diff -Nru puredata-0.53.1+ds/debian/changelog puredata-0.53.1+ds/debian/changelog
--- puredata-0.53.1+ds/debian/changelog	2023-01-28 23:00:40.000000000 +0200
+++ puredata-0.53.1+ds/debian/changelog	2024-09-26 10:17:50.000000000 +0300
@@ -1,3 +1,10 @@
+puredata (0.53.1+ds-2+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2023-47480: Terminate if canceling setuid() privilege fails
+
+ -- Adrian Bunk <bunk@debian.org>  Thu, 26 Sep 2024 10:17:50 +0300
+
 puredata (0.53.1+ds-2) unstable; urgency=medium
 
   * Backport upstream ALSA-MIDI fix
diff -Nru puredata-0.53.1+ds/debian/patches/0001-Terminate-if-canceling-setuid-privilege-fails.patch puredata-0.53.1+ds/debian/patches/0001-Terminate-if-canceling-setuid-privilege-fails.patch
--- puredata-0.53.1+ds/debian/patches/0001-Terminate-if-canceling-setuid-privilege-fails.patch	1970-01-01 02:00:00.000000000 +0200
+++ puredata-0.53.1+ds/debian/patches/0001-Terminate-if-canceling-setuid-privilege-fails.patch	2024-09-26 10:12:33.000000000 +0300
@@ -0,0 +1,38 @@
+From b97fe443787982b1f0e4ad7db123418bcdf409b4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?IOhannes=20m=20zm=C3=B6lnig?= <zmoelnig@iem.at>
+Date: Tue, 25 Jul 2023 17:03:58 +0200
+Subject: Terminate if canceling setuid() privilege fails
+
+Closes: https://github.com/pure-data/pure-data/issues/2063
+---
+ src/s_main.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/src/s_main.c b/src/s_main.c
+index 56fd633e..8eef4922 100644
+--- a/src/s_main.c
++++ b/src/s_main.c
+@@ -337,7 +337,19 @@ int sys_main(int argc, const char **argv)
+     if (getuid() != geteuid())
+     {
+         fprintf(stderr, "warning: canceling setuid privilege\n");
+-        setuid(getuid());
++        if(setuid(getuid()) < 0) {
++                /* sometimes this fails (which, according to 'man 2 setuid' is a
++                 * grave security error), in which case we bail out and quit. */
++            fprintf(stderr, "\n\nFATAL: could not cancel setuid privilege");
++            fprintf(stderr, "\nTo fix this, please remove the setuid flag from the Pd binary");
++            if(argc>0) {
++                fprintf(stderr, "\ne.g. by running the following as root/superuser:");
++                fprintf(stderr, "\n chmod u-s '%s'", argv[0]);
++            }
++            fprintf(stderr, "\n\n");
++            perror("setuid");
++            return (1);
++        }
+     }
+ #endif  /* _WIN32 */
+     if (socket_init())
+-- 
+2.30.2
+
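Review bot: `perror("setuid")` runs only after five `fprintf(stderr, ...)` calls, any of which may overwrite `errno`, so the reason printed for the failed `setuid(getuid())` can be wrong; capture `errno` immediately after the failing call (e.g. `int saved_errno = errno;`) and report it with `strerror(saved_errno)`, or make `perror("setuid")` the first statement inside the new `if` block. Two smaller points on the same hunk: the guard `getuid() != geteuid()` and the drop `setuid(getuid())` cover only the user ID, so a binary installed setgid (`getgid() != getegid()`) is neither detected nor handled here; and the two comment lines are indented to 16 columns while the surrounding block uses 12. The `chmod u-s '%s'` hint also relies on `argv[0]`, which is whatever the caller supplied and need not be the installed path of the binary, so the message should present it as a suggestion rather than the exact command.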
diff -Nru puredata-0.53.1+ds/debian/patches/series puredata-0.53.1+ds/debian/patches/series
--- puredata-0.53.1+ds/debian/patches/series	2023-01-28 23:00:40.000000000 +0200
+++ puredata-0.53.1+ds/debian/patches/series	2024-09-26 10:15:42.000000000 +0300
@@ -6,3 +6,4 @@
 debian_remove_timestamp-macros.patch
 debian_etc-gui-plugins.patch
 debian_privacy.patch
+0001-Terminate-if-canceling-setuid-privilege-fails.patch

--- End Message ---
--- Begin Message ---
Source: release.debian.org
Version: 12.8

Hi,

Each of the updates tracked by these bugs was included in today's 12.8
bookworm point release.

Regards,

Adam

--- End Message ---
