Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Hi stable release managers, db5.3 in stretch is affected by the CVE-2017-10140 ("Berkeley DB reads DB_CONFIG from cwd)", #872436. The NMU to unstable back on end of august has not raised any regression reports we would be aware of. We though think it's still safer to have it via point release and have it for a short time exposed as well via proposed-updates (once, and if accepted). The changelog reads as: >db5.3 (5.3.28-12+deb9u1) stretch; urgency=medium > > * Non-maintainer upload. > * CVE-2017-10140: Reads DB_CONFIG from the current working directory. > Do not access DB_CONFIG when db_home is not set. (Closes: #872436) > > -- Salvatore Bonaccorso <car...@debian.org> Sun, 24 Sep 2017 09:14:53 +0200 Attached ist the full proposed debdiff. Regards, Salvatore
diff -Nru db5.3-5.3.28/debian/changelog db5.3-5.3.28/debian/changelog --- db5.3-5.3.28/debian/changelog 2016-07-19 08:41:52.000000000 +0200 +++ db5.3-5.3.28/debian/changelog 2017-09-24 09:14:53.000000000 +0200 @@ -1,3 +1,11 @@ +db5.3 (5.3.28-12+deb9u1) stretch; urgency=medium + + * Non-maintainer upload. + * CVE-2017-10140: Reads DB_CONFIG from the current working directory. + Do not access DB_CONFIG when db_home is not set. (Closes: #872436) + + -- Salvatore Bonaccorso <car...@debian.org> Sun, 24 Sep 2017 09:14:53 +0200 + db5.3 (5.3.28-12) unstable; urgency=medium * Fix FTBFS when built with dpkg-buildpackage -A (Closes: #806012) diff -Nru db5.3-5.3.28/debian/patches/CVE-2017-10140-cwd-db_config.patch db5.3-5.3.28/debian/patches/CVE-2017-10140-cwd-db_config.patch --- db5.3-5.3.28/debian/patches/CVE-2017-10140-cwd-db_config.patch 1970-01-01 01:00:00.000000000 +0100 +++ db5.3-5.3.28/debian/patches/CVE-2017-10140-cwd-db_config.patch 2017-09-24 09:14:53.000000000 +0200 @@ -0,0 +1,23 @@ +Description: CVE-2017-10140: Reads DB_CONFIG from the current working directory + Do not access DB_CONFIG when db_home is not set. +Origin: vendor, https://src.fedoraproject.org/rpms/libdb/raw/8047fa8580659fcae740c25e91b490539b8453eb/f/db-5.3.28-cwd-db_config.patch +Bug-Debian: https://bugs.debian.org/872436 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10140 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464032 +Bug-SuSE: https://bugzilla.novell.com/show_bug.cgi?id=1043886 +Forwarded: no +Author: Petr Kubat <pku...@redhat.com> +Reviewed-by: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2017-08-17 + +--- db-5.3.28/src/env/env_open.c.old 2017-06-26 10:32:11.011419981 +0200 ++++ db-5.3.28/src/env/env_open.c 2017-06-26 10:32:46.893721233 +0200 +@@ -473,7 +473,7 @@ + env->db_mode = mode == 0 ? DB_MODE_660 : mode; + + /* Read the DB_CONFIG file. */ +- if ((ret = __env_read_db_config(env)) != 0) ++ if (env->db_home != NULL && (ret = __env_read_db_config(env)) != 0) + return (ret); + + /* diff -Nru db5.3-5.3.28/debian/patches/series db5.3-5.3.28/debian/patches/series --- db5.3-5.3.28/debian/patches/series 2016-07-19 08:41:52.000000000 +0200 +++ db5.3-5.3.28/debian/patches/series 2017-09-24 09:14:53.000000000 +0200 @@ -6,3 +6,4 @@ 007-link-sql-libs.patch mmap_extend-mode-requires-page-aligned-extends.patch 008-autoconf-in-lang-sql-sqlite.patch +CVE-2017-10140-cwd-db_config.patch