The branch, master has been updated via af4eee664385b7dd63211820e4bbc59440638e69 (commit) from fecca4aafb3cc71df8cef682e5a2f6ffbe9776b0 (commit)
- Shortlog ------------------------------------------------------------ af4eee6 Import changes from pulseaudio NMUs Summary of changes: debian/changelog | 16 ++++++ debian/control | 2 +- debian/patches/0002-CVE-2009-1299.patch | 80 +++++++++++++++++++++++++++++++ debian/patches/series | 1 + 4 files changed, 98 insertions(+), 1 deletions(-) ----------------------------------------------------------------------- Details of changes: commit af4eee664385b7dd63211820e4bbc59440638e69 Author: Sjoerd Simons <sjo...@debian.org> Date: Sun Jun 27 12:58:37 2010 +0100 Import changes from pulseaudio NMUs diff --git a/debian/changelog b/debian/changelog index 0fadae0..124c3c2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,19 @@ +pulseaudio (0.9.21-1.2) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Added autoconf, automake, and libtool in Build-Depends to regenerate + configure and auto* files at build time, and fixed a regression introduced + in previous NMU (Closes: #576457) + + -- Giuseppe Iuculano <iucul...@debian.org> Mon, 05 Apr 2010 23:02:56 +0200 + +pulseaudio (0.9.21-1.1) unstable; urgency=high + + * Non-maintainer upload. + * Fix insecure temporary file creation security issue (closes: #573615). + + -- Michael Gilbert <michael.s.gilb...@gmail.com> Sat, 27 Mar 2010 14:32:13 -0400 + pulseaudio (0.9.21-1) unstable; urgency=low * New upstream release diff --git a/debian/control b/debian/control index 61c0f50..530ea86 100644 --- a/debian/control +++ b/debian/control @@ -16,7 +16,7 @@ Build-Depends: debhelper (>= 5), cdbs, quilt, m4, libltdl-dev (>= 2.2.6a-2), libatomic-ops-dev, libspeexdsp-dev (>= 1.2~rc1), libbluetooth-dev (>= 4.40) [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386], libgdbm-dev, intltool, libgtk2.0-dev, libxtst-dev, - libssl-dev + libssl-dev, autoconf, automake, libtool Standards-Version: 3.8.1 Vcs-Git: git://git.debian.org/git/pkg-pulseaudio/pulseaudio.git Vcs-Browser: http://git.debian.org/?p=pkg-pulseaudio/pulseaudio.git diff --git a/debian/patches/0002-CVE-2009-1299.patch b/debian/patches/0002-CVE-2009-1299.patch new file mode 100644 index 0000000..38c69dc --- /dev/null +++ b/debian/patches/0002-CVE-2009-1299.patch @@ -0,0 +1,80 @@ +# From d3efa43d85ac132c6a5a416a2b6f2115f5d577ee Mon Sep 17 00:00:00 2001 +# From: Kees Cook <k...@ubuntu.com> +# Date: Tue, 2 Mar 2010 21:33:34 -0800 +# Subject: [PATCH] core-util: ensure that we chmod only the dir we ourselves created +diff --git a/configure.ac b/configure.ac +index 1b80788..abcce13 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -424,7 +424,7 @@ AC_CHECK_FUNCS_ONCE([lrintf strtof]) + AC_FUNC_FORK + AC_FUNC_GETGROUPS + AC_FUNC_SELECT_ARGTYPES +-AC_CHECK_FUNCS_ONCE([chmod chown clock_gettime getaddrinfo getgrgid_r getgrnam_r \ ++AC_CHECK_FUNCS_ONCE([chmod chown fstat fchown fchmod clock_gettime getaddrinfo getgrgid_r getgrnam_r \ + getpwnam_r getpwuid_r gettimeofday getuid inet_ntop inet_pton mlock nanosleep \ + pipe posix_fadvise posix_madvise posix_memalign setpgid setsid shm_open \ + sigaction sleep sysconf pthread_setaffinity_np]) +diff --git a/src/pulsecore/core-util.c b/src/pulsecore/core-util.c +index d6017b9..a642553 100644 +--- a/src/pulsecore/core-util.c ++++ b/src/pulsecore/core-util.c +@@ -199,7 +199,7 @@ void pa_make_fd_cloexec(int fd) { + /** Creates a directory securely */ + int pa_make_secure_dir(const char* dir, mode_t m, uid_t uid, gid_t gid) { + struct stat st; +- int r, saved_errno; ++ int r, saved_errno, fd; + + pa_assert(dir); + +@@ -217,16 +217,45 @@ int pa_make_secure_dir(const char* dir, mode_t m, uid_t uid, gid_t gid) { + if (r < 0 && errno != EEXIST) + return -1; + +-#ifdef HAVE_CHOWN ++#ifdef HAVE_FSTAT ++ if ((fd = open(dir, ++#ifdef O_CLOEXEC ++ O_CLOEXEC| ++#endif ++#ifdef O_NOCTTY ++ O_NOCTTY| ++#endif ++#ifdef O_NOFOLLOW ++ O_NOFOLLOW| ++#endif ++ O_RDONLY)) < 0) ++ goto fail; ++ ++ if (fstat(fd, &st) < 0) { ++ pa_assert_se(pa_close(fd) >= 0); ++ goto fail; ++ } ++ ++ if (!S_ISDIR(st.st_mode)) { ++ pa_assert_se(pa_close(fd) >= 0); ++ errno = EEXIST; ++ goto fail; ++ } ++ ++#ifdef HAVE_FCHOWN + if (uid == (uid_t)-1) + uid = getuid(); + if (gid == (gid_t)-1) + gid = getgid(); +- (void) chown(dir, uid, gid); ++ (void) fchown(fd, uid, gid); ++#endif ++ ++#ifdef HAVE_FCHMOD ++ (void) fchmod(fd, m); + #endif + +-#ifdef HAVE_CHMOD +- chmod(dir, m); ++ pa_assert_se(pa_close(fd) >= 0); ++ + #endif + + #ifdef HAVE_LSTAT diff --git a/debian/patches/series b/debian/patches/series index 9d0a131..1098f92 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ 0001-Work-around-some-platforms-not-having-O_CLOEXEC.patch +0002-CVE-2009-1299.patch -- pulseaudio packaging _______________________________________________ pkg-pulseaudio-devel mailing list pkg-pulseaudio-devel@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/pkg-pulseaudio-devel