Hallo I've fixed the cron job for libdspam7-drv-mysql, it fixes CVE-2007-6418[0]. Attached is the NMU-diff.
Regards, Adrian
diff -u dspam-3.6.8/debian/libdspam7-drv-mysql.cron.daily dspam-3.6.8/debian/libdspam7-drv-mysql.cron.daily --- dspam-3.6.8/debian/libdspam7-drv-mysql.cron.daily +++ dspam-3.6.8/debian/libdspam7-drv-mysql.cron.daily @@ -5,6 +5,7 @@ DSPAMCONF=/etc/dspam/dspam.conf MYSQLCONF=/etc/dspam/dspam.d/mysql.conf PURGE=/usr/share/doc/libdspam7-drv-mysql/purge-4.1.sql +MYSQLCONF_PASSWD=/var/run/libdspam7-drv-mysql.cron.passwd if grep -q "^StorageDriver.*mysql_drv.so" $DSPAMCONF; then if [ -x /usr/bin/mysql ]; then @@ -13,17 +14,26 @@ MYSQL_DB="`grep "^MySQLDb" $MYSQLCONF | awk '{print $2}'`" MYSQL_HOST="`grep "^MySQLServer" $MYSQLCONF | awk '{print $2}'`" + UMASK_OLD="`umask`" + umask 077 + [ -e "$MYSQLCONF_PASSWD" ] && rm "$MYSQLCONF_PASSWD" + echo -e "[client]\npassword=$MYSQL_PASS" > "$MYSQLCONF_PASSWD" + umask "$UMASK_OLD" + # If host is empty or starting with a / assume it's localhost. if [ -z "$MYSQL_HOST" ] || [ "${MYSQL_HOST:0:1}" = "/" ]; then - /usr/bin/mysql --user=$MYSQL_USER --password=$MYSQL_PASS $MYSQL_DB < $PURGE + /usr/bin/mysql --defaults-extra-file=$MYSQLCONF_PASSWD --user=$MYSQL_USER $MYSQL_DB < $PURGE else if echo "$MYSQL_HOST" | grep "^/" > /dev/null 2>&1 ; then # Assume it is a socket: - /usr/bin/mysql --socket=$MYSQL_HOST --user=$MYSQL_USER --password=$MYSQL_PASS $MYSQL_DB < $PURGE + /usr/bin/mysql --defaults-extra-file=$MYSQLCONF_PASSWD --socket=$MYSQL_HOST --user=$MYSQL_USER < $PURGE else - /usr/bin/mysql --host=$MYSQL_HOST --user=$MYSQL_USER --password=$MYSQL_PASS $MYSQL_DB < $PURGE + /usr/bin/mysql --defaults-extra-file=$MYSQLCONF_PASSWD --host=$MYSQL_HOST --user=$MYSQL_USER < $PURGE fi fi + + rm "$MYSQLCONF_PASSWD" + fi fi diff -u dspam-3.6.8/debian/changelog dspam-3.6.8/debian/changelog --- dspam-3.6.8/debian/changelog +++ dspam-3.6.8/debian/changelog @@ -1,3 +1,11 @@ +dspam (3.6.8-5.1) unstable; urgency=medium + + * Non-maintainer upload. + * Giving the password in libdspam7-drv-mysql cronjob in a file instead of + the command line. CVE-2007-6418[0] (Closes: #448519) + + -- Adrian Friedli <[EMAIL PROTECTED]> Sun, 13 Jan 2008 14:59:25 +0100 + dspam (3.6.8-5) unstable; urgency=high [Kurt B. Kaiser]
signature.asc
Description: This is a digitally signed message part.