Dear supervisors,

I would like to pledge for an update of the package

    rush_1.7+dfsg-1

within the stable release. The cause is CVE-2013-6889:

   http://bugs.debian.org/733505

The matter concerns file access elevation due to SUID-bit
when running the software in test mode.

The issue has been resolved and uploaded to unstable by

    rush_1.7+dfsg-4

and I propose the identical patching for the package kept
in the stable release. The upstream project has incorporated
my patch verbatim in its repository.

Best regards,

  Mats Erik Andersson, maintainer of GNU Rush

diff -Nru rush-1.7+dfsg/debian/changelog rush-1.7+dfsg/debian/changelog
--- rush-1.7+dfsg/debian/changelog	2011-07-06 17:48:31.000000000 +0200
+++ rush-1.7+dfsg/debian/changelog	2014-01-24 13:15:27.000000000 +0100
@@ -1,3 +1,10 @@
+rush (1.7+dfsg-1+deb7u1) stable-security; urgency=high
+
+  * Attend to CVE-2013-6889, file access escalation.
+    + debian/patches/cve_2013_6889.diff: New file.
+
+ -- Mats Erik Andersson <mats.anders...@gisladisker.se>  Fri, 24 Jan 2014 13:13:09 +0100
+
 rush (1.7+dfsg-1) unstable; urgency=low
 
   * Initial release. (Closes: #515198)
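Review bot: the new changelog entry does not close the bug the cover letter cites; the first bullet should read "Attend to CVE-2013-6889, file access escalation. (Closes: #733505)" so the BTS is updated when the package is accepted. The distribution field is also worth a second look: `stable-security` is for uploads to the security archive, whereas the cover letter asks the release managers for an update of the stable release, which normally goes through proposed-updates with the distribution set to `stable`.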
diff -Nru rush-1.7+dfsg/debian/patches/cve_2013_6889.diff rush-1.7+dfsg/debian/patches/cve_2013_6889.diff
--- rush-1.7+dfsg/debian/patches/cve_2013_6889.diff	1970-01-01 01:00:00.000000000 +0100
+++ rush-1.7+dfsg/debian/patches/cve_2013_6889.diff	2014-01-19 16:42:45.000000000 +0100
@@ -0,0 +1,27 @@
+Description: CVE-2013-6889, elevated access.
+ The executable will, when used with SUID-bit set,
+ allow opening and reading access to every system
+ file also by an unprivileged user, whenever invocation
+ is done in testing mode, i.e., using '-t' without '-u'.
+ .
+ Prevent this mistake by resetting the effective user
+ identification to the real user identification when-
+ ever testing mode is asked for.
+Author: Mats Erik Andersson <deb...@gisladisker.se>
+Forwarded: yes
+Bug-Debian: http://bugs.debian.org/733505
+Last-update: 2014-01-16
+
+--- rush-1.7+dfsg.debian/src/rush.c
++++ rush-1.7+dfsg/src/rush.c
+@@ -913,6 +913,10 @@ main(int argc, char **argv)
+ 	} else if (argc > optind)
+ 		die(usage_error, NULL, _("invalid command line"));
+ 	
++	/* Step down from SUID when running in test mode.  */
++	if (lint_option)
++		setuid(getuid());
++
+ 	if (test_user_name) {
+ 		struct passwd *pw = getpwnam(test_user_name);
+ 		if (!pw)
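Review bot: the return value of `setuid(getuid())` in the added block is ignored, so if the call fails the process keeps its SUID owner's identity and test mode still reads every file, which is the very problem the patch describes. Use the same `die()` path the usage check two lines above already uses, e.g. `if (lint_option && setuid(getuid()) != 0) die(usage_error, NULL, _("cannot drop privileges"));` (with whatever error class is appropriate for a system failure). Two smaller points: only the user id is reset, so if the binary is ever installed setgid as well, `setgid(getgid())` should precede the `setuid()` call; and `setuid()` only clears the saved user id when the effective user is root, so for a SUID owner other than root the drop would be reversible and `setresuid()` would be needed instead.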
diff -Nru rush-1.7+dfsg/debian/patches/series rush-1.7+dfsg/debian/patches/series
--- rush-1.7+dfsg/debian/patches/series	2011-04-18 14:07:15.000000000 +0200
+++ rush-1.7+dfsg/debian/patches/series	2014-01-24 13:12:34.000000000 +0100
@@ -1,2 +1,3 @@
 dfsg_reduction.diff
 tcpmux_service.diff
+cve_2013_6889.diff

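As an added example (not the rush patch and not GNU Rush code), the same privilege drop for a test mode written with the checks a reviewer would ask for: group before user, every return value checked, and the drop verified before any file is opened. The function names are constructed for this illustration.

```c
/* Added example: permanently dropping SUID privileges before a
 * diagnostic/test mode opens files.  Names are constructed; this is
 * not code from the rush package. */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to the real user and group.  Returns 0 on success,
 * -1 if any step fails or the drop cannot be verified.  A caller must
 * treat -1 as fatal: continuing would run test mode with the SUID
 * owner's file access, i.e. the CVE-2013-6889 condition. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    /* Group first: after the uid is gone we may not be allowed to
     * change the gid any more. */
    if (setgid(rgid) != 0)
        return -1;
    /* From effective uid 0, setuid() sets real, effective and saved
     * uid, so the drop cannot be undone with seteuid() afterwards.
     * It can still fail (e.g. a process limit), hence the check. */
    if (setuid(ruid) != 0)
        return -1;

    /* Verify: effective ids must now equal the real ones. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* If we were SUID/SGID to another identity, regaining it must
     * fail.  For a non-root SUID owner setuid() leaves the saved uid
     * in place, so this check correctly reports that the drop is not
     * permanent (Linux would need setresuid() there). */
    if (euid != ruid && seteuid(euid) == 0)
        return -1;
    if (egid != rgid && setegid(egid) == 0)
        return -1;
    return 0;
}

/* Open a file for a test/lint mode only once privileges are dropped,
 * so the check reflects what the invoking user may actually read. */
FILE *open_for_test_mode(const char *path)
{
    if (drop_privileges_permanently() != 0) {
        fputs("cannot drop privileges, refusing to run test mode\n", stderr);
        return NULL;
    }
    return fopen(path, "r");
}
```

Run unprivileged, real and effective ids already match, so the function succeeds trivially; the interesting path is when the binary is installed with the SUID bit.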