Control: tags 839998 + pending

Hi Kurt and Peter,

I've prepared an NMU for ntp (versioned as 1:4.2.8p8+dfsg-1.1) and
uploaded it to DELAYED/10. Please feel free to tell me if I
should delay it longer.

I would like to see this fixed, since it's the only remaining CVE
unfixed in unstable for src:ntp at the moment.

Regards,
Salvatore
diff -Nru ntp-4.2.8p8+dfsg/debian/changelog ntp-4.2.8p8+dfsg/debian/changelog
--- ntp-4.2.8p8+dfsg/debian/changelog	2016-06-07 22:29:52.000000000 +0200
+++ ntp-4.2.8p8+dfsg/debian/changelog	2016-10-08 19:32:52.000000000 +0200
@@ -1,3 +1,11 @@
+ntp (1:4.2.8p8+dfsg-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2016-0727: NTP statsdir cleanup cronjob insecure (Closes: #839998)
+    (LP: #1528050)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sat, 08 Oct 2016 19:32:52 +0200
+
 ntp (1:4.2.8p8+dfsg-1) unstable; urgency=high
 
   * New usptream version
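Review bot: the new 1:4.2.8p8+dfsg-1.1 entry names the CVE and the bug numbers but does not say what was changed, so a reader of the changelog cannot tell which file was touched or how behaviour differs. Consider adding a line naming debian/ntp.cron.daily and the change itself (cleanup limited to the top level of statsdir, `--` passed to ls and gzip, abort if the cd fails), since the first of these changes what an administrator will see on disk.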
diff -Nru ntp-4.2.8p8+dfsg/debian/ntp.cron.daily ntp-4.2.8p8+dfsg/debian/ntp.cron.daily
--- ntp-4.2.8p8+dfsg/debian/ntp.cron.daily	2015-07-25 16:52:07.000000000 +0200
+++ ntp-4.2.8p8+dfsg/debian/ntp.cron.daily	2016-10-08 19:32:52.000000000 +0200
@@ -9,19 +9,23 @@
 statsdir=$(cat /etc/ntp.conf | grep -v '^#' | sed -nr 's/^statsdir[[:space:]]+([^[:space:]]+).*$/\1/p')
 
 if [ -n "$statsdir" ] && [ -d "$statsdir" ]; then
-	# only keep a week's depth of these
-	find "$statsdir" -type f -mtime +7 -exec rm {} \;
+	# only keep a week's depth of these. Delete only files exactly
+	# within the directory and do not descend into subdirectories
+	# to avoid security risks on platforms where find is not using
+	# fts-library.
+	find "$statsdir" -maxdepth 1 -type f -mtime +7 -delete
 
-	# compress whatever is left to save space
-	cd "$statsdir"
-	ls *stats.???????? > /dev/null 2>&1
+	# compress whatever is left to save space but make sure to really
+	# do it only in the expected directory.
+	cd "$statsdir" || exit 1
+	ls -d -- *stats.???????? > /dev/null 2>&1
 	if [ $? -eq 0 ]; then
 		# Note that gzip won't compress the file names that
 		# are hard links to the live/current files, so this
 		# compresses yesterday and previous, leaving the live
 		# log alone.  We supress the warnings gzip issues
 		# about not compressing the linked file.
-		gzip --best --quiet *stats.???????? 
+		gzip --best --quiet -- *stats.????????
 		return=$?
 		case $return in
 		    2)
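Review bot: the comment added above `cd "$statsdir" || exit 1` promises that compression happens only in the expected directory, but the line only handles a cd that fails. Both the existing `[ -d "$statsdir" ]` test and a plain cd follow symbolic links, and the `*stats.????????` glob is then expanded relative to wherever the shell ends up, so a statsdir path that is or becomes a symlink still passes. If that case matters for this CVE, either resolve the path once (for example `cd -P` and compare the result with the configured value) or state in the comment that it is out of scope. Two smaller points: `-maxdepth 1` means old stats files in subdirectories of statsdir are no longer removed, which deserves a mention for users who rotate into subdirectories; and the `ls -d -- ...` line followed by `if [ $? -eq 0 ]` could be written as a single `if ls -d -- ... ; then`, which avoids the separate `$?` test.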