Hallo

I've fixed the cron job in libdspam7-drv-mysql so that it no longer passes the MySQL password on the command line; this addresses CVE-2007-6418[0]. 
Attached is the NMU-diff.

Regards, Adrian
diff -u dspam-3.6.8/debian/libdspam7-drv-mysql.cron.daily dspam-3.6.8/debian/libdspam7-drv-mysql.cron.daily
--- dspam-3.6.8/debian/libdspam7-drv-mysql.cron.daily
+++ dspam-3.6.8/debian/libdspam7-drv-mysql.cron.daily
@@ -5,6 +5,7 @@
 DSPAMCONF=/etc/dspam/dspam.conf
 MYSQLCONF=/etc/dspam/dspam.d/mysql.conf
 PURGE=/usr/share/doc/libdspam7-drv-mysql/purge-4.1.sql
+MYSQLCONF_PASSWD=/var/run/libdspam7-drv-mysql.cron.passwd
 
 if grep -q "^StorageDriver.*mysql_drv.so" $DSPAMCONF; then
   if [ -x /usr/bin/mysql ]; then
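Review bot: `MYSQLCONF_PASSWD` is a fixed, predictable path, and the later hunk removes and recreates it with `rm` followed by a shell redirection; a per-run `mktemp` name would avoid that remove-then-create sequence and the `[ -e ]` check altogether. /var/run is not world-writable, so as far as this diff shows that is hardening rather than an exploitable race. Suggest creating the file at the point of use with `MYSQLCONF_PASSWD="$(mktemp /var/run/libdspam7-drv-mysql.cron.XXXXXX)" || exit 1`, which also yields mode 0600 without juggling `umask`. The `if` blocks opened on the last two lines of this hunk close in the next hunk.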
@@ -13,17 +14,26 @@
     MYSQL_DB="`grep "^MySQLDb" $MYSQLCONF | awk '{print $2}'`"
     MYSQL_HOST="`grep "^MySQLServer" $MYSQLCONF | awk '{print $2}'`"
 
+    UMASK_OLD="`umask`"
+    umask 077
+    [ -e "$MYSQLCONF_PASSWD" ] && rm "$MYSQLCONF_PASSWD"
+    echo -e "[client]\npassword=$MYSQL_PASS" > "$MYSQLCONF_PASSWD"
+    umask "$UMASK_OLD"
+
     # If host is empty or starting with a / assume it's localhost.
     if [ -z "$MYSQL_HOST" ] || [ "${MYSQL_HOST:0:1}" = "/" ]; then
-        /usr/bin/mysql --user=$MYSQL_USER --password=$MYSQL_PASS $MYSQL_DB < $PURGE
+        /usr/bin/mysql --defaults-extra-file=$MYSQLCONF_PASSWD --user=$MYSQL_USER $MYSQL_DB < $PURGE
     else
         if echo "$MYSQL_HOST" | grep "^/" > /dev/null 2>&1 ; then
             # Assume it is a socket:
-            /usr/bin/mysql --socket=$MYSQL_HOST --user=$MYSQL_USER --password=$MYSQL_PASS $MYSQL_DB < $PURGE
+            /usr/bin/mysql --defaults-extra-file=$MYSQLCONF_PASSWD --socket=$MYSQL_HOST --user=$MYSQL_USER < $PURGE
         else
-            /usr/bin/mysql --host=$MYSQL_HOST --user=$MYSQL_USER --password=$MYSQL_PASS $MYSQL_DB < $PURGE
+            /usr/bin/mysql --defaults-extra-file=$MYSQLCONF_PASSWD --host=$MYSQL_HOST --user=$MYSQL_USER < $PURGE
         fi
     fi
+
+    rm "$MYSQLCONF_PASSWD"
+
   fi
 fi
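Review bot: The socket and remote-host invocations on the two rewritten `--socket=` and `--host=` lines drop `$MYSQL_DB`, which the lines they replace passed as the database argument, so in those branches the purge script now runs with no default database selected unless purge-4.1.sql selects one itself; only the localhost branch keeps it. Separately, `echo -e` interprets backslash sequences inside the password, so a password containing `\n` or `\t` is written wrongly; `printf '[client]\npassword=%s\n' "$MYSQL_PASS"` writes it verbatim (a password with leading or trailing whitespace or a `#` would presumably still need option-file quoting — verify against the mysql option-file syntax). The trailing `rm` only runs if the script reaches it, so a `trap` set right after the file is written covers mysql being killed or the script aborting. The variables are still expanded unquoted; quoting them is cheap here. The enclosing `if` blocks that this hunk's final `fi` lines close are opened in the previous hunk.
```shell
# … unchanged: umask 077 and removal of a stale file …
printf '[client]\npassword=%s\n' "$MYSQL_PASS" > "$MYSQLCONF_PASSWD"
trap 'rm -f -- "$MYSQLCONF_PASSWD"' EXIT
# … unchanged: umask restore and localhost branch …
/usr/bin/mysql --defaults-extra-file="$MYSQLCONF_PASSWD" --socket="$MYSQL_HOST" --user="$MYSQL_USER" "$MYSQL_DB" < "$PURGE"
# … unchanged: else …
/usr/bin/mysql --defaults-extra-file="$MYSQLCONF_PASSWD" --host="$MYSQL_HOST" --user="$MYSQL_USER" "$MYSQL_DB" < "$PURGE"
```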
 
diff -u dspam-3.6.8/debian/changelog dspam-3.6.8/debian/changelog
--- dspam-3.6.8/debian/changelog
+++ dspam-3.6.8/debian/changelog
@@ -1,3 +1,11 @@
+dspam (3.6.8-5.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Giving the password in libdspam7-drv-mysql cronjob in a file instead of
+    the command line. CVE-2007-6418[0] (Closes: #448519)
+
+ -- Adrian Friedli <[EMAIL PROTECTED]>  Sun, 13 Jan 2008 14:59:25 +0100
+
 dspam (3.6.8-5) unstable; urgency=high
 
   [Kurt B. Kaiser]
