Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package libuv

Latest upload (0.10.28-6) is a minimal update fixing security
bug #779173 (CVE-2015-0278).

Debdiff attached.

unblock libuv/0.10.28-6

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru libuv-0.10.28/debian/changelog libuv-0.10.28/debian/changelog
--- libuv-0.10.28/debian/changelog	2014-09-21 14:52:46.000000000 +0200
+++ libuv-0.10.28/debian/changelog	2015-02-25 11:03:04.000000000 +0100
@@ -1,3 +1,10 @@
+libuv (0.10.28-6) unstable; urgency=high
+
+  * Backported: call setgroups before calling setuid/setgid
+    (Closes: #779173 - CVE-2015-0278)
+
+ -- Luca Bruno <lu...@debian.org>  Wed, 25 Feb 2015 10:50:58 +0100
+
 libuv (0.10.28-5) unstable; urgency=medium
 
   * Too early for versioned provides, reverted
diff -Nru libuv-0.10.28/debian/patches/series libuv-0.10.28/debian/patches/series
--- libuv-0.10.28/debian/patches/series	2014-09-20 23:24:57.000000000 +0200
+++ libuv-0.10.28/debian/patches/series	2015-02-25 10:41:19.000000000 +0100
@@ -2,3 +2,4 @@
 make-clean.diff
 test_runner.diff
 arm64-epoll-ftbfs.diff
+setgroups_CVE-2015-0278.diff
diff -Nru libuv-0.10.28/debian/patches/setgroups_CVE-2015-0278.diff libuv-0.10.28/debian/patches/setgroups_CVE-2015-0278.diff
--- libuv-0.10.28/debian/patches/setgroups_CVE-2015-0278.diff	1970-01-01 01:00:00.000000000 +0100
+++ libuv-0.10.28/debian/patches/setgroups_CVE-2015-0278.diff	2015-02-25 10:40:02.000000000 +0100
@@ -0,0 +1,46 @@
+From 2773e1181dfb1e10fc2e3bfd3ffd83c71b730408 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sa=C3=BAl=20Ibarra=20Corretg=C3=A9?= <sag...@gmail.com>
+Date: Mon, 10 Feb 2014 17:41:51 +0100
+Subject: [PATCH] unix: call setgoups before calling setuid/setgid
+
+Backported from v1.x (66ab389)
+
+PR-URL: https://github.com/libuv/libuv/pull/215
+Reviewed-By: Ben Noordhuis <i...@bnoordhuis.nl>
+---
+ src/unix/process.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/unix/process.c b/src/unix/process.c
+index 19686a2..d1f9440 100644
+--- a/src/unix/process.c
++++ b/src/unix/process.c
+@@ -40,6 +40,10 @@
+ extern char **environ;
+ #endif
+ 
++#ifdef __linux__
++# include <grp.h>
++#endif
++
+ 
+ static ngx_queue_t* uv__process_queue(uv_loop_t* loop, int pid) {
+   assert(pid > 0);
+@@ -331,6 +335,17 @@ static void uv__process_child_init(uv_process_options_t options,
+     _exit(127);
+   }
+ 
++  if (options.flags & (UV_PROCESS_SETUID | UV_PROCESS_SETGID)) {
++    /* When dropping privileges from root, the `setgroups` call will
++     * remove any extraneous groups. If we don't call this, then
++     * even though our uid has dropped, we may still have groups
++     * that enable us to do super-user things. This will fail if we
++     * aren't root, so don't bother checking the return value, this
++     * is just done as an optimistic privilege dropping function.
++     */
++    SAVE_ERRNO(setgroups(0, NULL));
++  }
++
+   if ((options.flags & UV_PROCESS_SETGID) && setgid(options.gid)) {
+     uv__write_int(error_fd, errno);
+     _exit(127);

Reply via email to