Re: stable update for backup-manager

2010-01-22 Thread Adam D. Barratt
Hi,

On Fri, 2010-01-22 at 15:11 +0100, Sven Joachim wrote:
> I would like to upload a new version of the backup-manager to stable in
> order to fix a (relatively minor) security issue.  The fix is trivial,
> just transposing two lines and thus ensuring that a password is not
> written to a file until the world is denied read access.  Full debdiff
> is attached.
> 
> There is certainly no need for a DSA, since the problem is similar to
> CVE-2007-2766 (to be fixed in oldstable, no DSA), but even harder to
> exploit.

It does indeed seem somewhat difficult to exploit. :)  However, that
doesn't imply that it shouldn't be fixed; please go ahead.

Regards,

Adam





stable update for backup-manager

2010-01-22 Thread Sven Joachim
Dear release team,

I would like to upload a new version of the backup-manager to stable in
order to fix a (relatively minor) security issue.  The fix is trivial,
just transposing two lines and thus ensuring that a password is not
written to a file until the world is denied read access.  Full debdiff
is attached.

There is certainly no need for a DSA, since the problem is similar to
CVE-2007-2766 (to be fixed in oldstable, no DSA), but even harder to
exploit.

Regards,
Sven

diff -u backup-manager-0.7.7/debian/control backup-manager-0.7.7/debian/control
--- backup-manager-0.7.7/debian/control
+++ backup-manager-0.7.7/debian/control
@@ -3,7 +3,7 @@
 Priority: optional
 Build-Depends-Indep: debiandoc-sgml, tetex-bin, tetex-extra
 Build-Depends: po-debconf, debhelper (>= 5), dpatch
-Maintainer: Alexis Sukrieh 
+Maintainer: Sven Joachim 
 Standards-Version: 3.7.3
 XS-Vcs-Svn: svn://svn.debian.org/svn/pkg-backup-mngr/trunk/
 
diff -u backup-manager-0.7.7/debian/changelog backup-manager-0.7.7/debian/changelog
--- backup-manager-0.7.7/debian/changelog
+++ backup-manager-0.7.7/debian/changelog
@@ -1,3 +1,12 @@
+backup-manager (0.7.7-2) stable; urgency=high
+
+  * Fix possible MYSQL password leaking to local users by making the
+.my.cnf file world-unreadable before writing the password to it.
+  * Set myself as maintainer in debian/control.
+  * Remove spurious debian/patches/00list.diff and update 00list.
+
+ -- Sven Joachim   Fri, 22 Jan 2010 12:47:43 +0100
+
 backup-manager (0.7.7-1.1) unstable; urgency=low
 
   * Non-maintainer upload.
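Review bot: the "update 00list" bullet undersells what the 00list hunk does: it also activates 05_German_transation_update.dpatch, a translation change unrelated to the password fix, and that deserves its own changelog line so that stable reviewers see the extra behaviour change. Minor: `MYSQL` is normally written `MySQL`.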
diff -u backup-manager-0.7.7/debian/patches/00list backup-manager-0.7.7/debian/patches/00list
--- backup-manager-0.7.7/debian/patches/00list
+++ backup-manager-0.7.7/debian/patches/00list
@@ -4,0 +5,2 @@
+05_German_transation_update.dpatch
+06_no_password_leak.dpatch
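Review bot: both names must match files in debian/patches exactly, and `05_German_transation_update.dpatch` (with the "transation" spelling) is carried over verbatim from the stray 00list.diff that is reverted below, so please confirm a file exists under exactly that name; otherwise dpatch fails at build time. Since that line previously lived only in the unused 00list.diff, listing it here means the translation patch is applied in stable for the first time, which is worth stating explicitly in the request.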
reverted:
--- backup-manager-0.7.7/debian/patches/00list.diff
+++ backup-manager-0.7.7.orig/debian/patches/00list.diff
@@ -1,7 +0,0 @@
 00list~	2008-09-21 09:03:58.0 +0200
-+++ 00list	2008-09-21 08:20:06.0 +0200
-@@ -2,3 +2,4 @@
- 02_cdrecord_to_wodim.dpatch
- 03_VERSION.dpatch
- 04_Makefile.dpatch
-+05_German_transation_update.dpatch
only in patch2:
unchanged:
--- backup-manager-0.7.7.orig/debian/patches/06_no_password_leak.dpatch
+++ backup-manager-0.7.7/debian/patches/06_no_password_leak.dpatch
@@ -0,0 +1,20 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 06_no_password_leak.dpatch by Sven Joachim 
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix possible leaking of MYSQL passwords to local users.
+
+...@dpatch@
+diff -urNad backup-manager-0.7.7~/lib/backup-methods.sh backup-manager-0.7.7/lib/backup-methods.sh
+--- backup-manager-0.7.7~/lib/backup-methods.sh	2008-04-14 19:58:43.0 +0200
 backup-manager-0.7.7/lib/backup-methods.sh	2010-01-22 12:40:04.787321885 +0100
+@@ -852,8 +852,8 @@
+ warning "Creating a default MySQL client configuration file: \$HOME/.my.cnf"
+ echo "[client]" > $HOME/.my.cnf 
+ echo "# The following password will be sent to all standard MySQL clients" >> $HOME/.my.cnf 
+-echo "password=\"$BM_MYSQL_ADMINPASS\"" >> $HOME/.my.cnf
+ chmod 600 $HOME/.my.cnf
++echo "password=\"$BM_MYSQL_ADMINPASS\"" >> $HOME/.my.cnf
+ fi
+ base_command="$mysqldump $opt -u$BM_MYSQL_ADMINLOGIN -h$BM_MYSQL_HOST -P$BM_MYSQL_PORT"
+ compress="$BM_MYSQL_FILETYPE"   
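Review bot: the reorder closes the window in which the password sat in a world-readable file, but the file itself is still created by `echo "[client]" > $HOME/.my.cnf` under the caller's umask before `chmod 600` runs, so for a moment an empty .my.cnf is readable by everyone; wrapping the three writes in a subshell with `umask 077`, or creating and chmodding the file before the first `>`, would make the protection independent of statement order rather than of which line comes first. Two smaller points: `$HOME/.my.cnf` is unquoted on every line, and the first two `echo` lines carry trailing whitespace.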
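As an added example that is not part of the attached patch or of backup-manager itself: the same .my.cnf creation done so that the file is 0600 from the moment it exists (the writes run in a subshell under `umask 077`), followed by a mode check that also catches a pre-existing file with wider permissions. The function names, the directory argument and the password value are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not backup-manager code): write a MySQL client config so that
# the password line never touches a world-readable file. The patch above gets
# there by ordering chmod before the password echo; creating the file under
# umask 077 removes the ordering dependence and the brief empty-file window.

# file_mode FILE -> prints the octal permission bits (GNU stat, BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# write_my_cnf DIR PASSWORD
# Creates DIR/.my.cnf (DIR stands in for $HOME) with mode 0600.
# Returns 0 on success, 1 if writing failed or the final mode is not 0600
# (e.g. a file already existed with permissive bits: '>' truncates it but
# keeps its mode, so umask alone would not protect it).
write_my_cnf() {
    dir=$1
    pass=$2
    cnf="$dir/.my.cnf"
    (
        umask 077                       # new files get 0600, no chmod race
        printf '[client]\n' > "$cnf" &&
        printf '# The following password will be sent to all standard MySQL clients\n' >> "$cnf" &&
        printf 'password="%s"\n' "$pass" >> "$cnf"
    ) || return 1
    # Belt and braces: refuse to report success unless the mode really is 0600.
    [ "$(file_mode "$cnf")" = "600" ]
}
```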

