Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package libuv

Latest upload (0.10.28-6) is a minimal update fixing security bug #779173 (CVE-2015-0278). Debdiff attached.

unblock libuv/0.10.28-6

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru libuv-0.10.28/debian/changelog libuv-0.10.28/debian/changelog --- libuv-0.10.28/debian/changelog 2014-09-21 14:52:46.000000000 +0200 +++ libuv-0.10.28/debian/changelog 2015-02-25 11:03:04.000000000 +0100 @@ -1,3 +1,10 @@ +libuv (0.10.28-6) unstable; urgency=high + + * Backported: call setgroups before calling setuid/setgid + (Closes: #779173 - CVE-2015-0278) + + -- Luca Bruno <lu...@debian.org> Wed, 25 Feb 2015 10:50:58 +0100 + libuv (0.10.28-5) unstable; urgency=medium * Too early for versioned provides, reverted diff -Nru libuv-0.10.28/debian/patches/series libuv-0.10.28/debian/patches/series --- libuv-0.10.28/debian/patches/series 2014-09-20 23:24:57.000000000 +0200 +++ libuv-0.10.28/debian/patches/series 2015-02-25 10:41:19.000000000 +0100 @@ -2,3 +2,4 @@ make-clean.diff test_runner.diff arm64-epoll-ftbfs.diff +setgroups_CVE-2015-0278.diff diff -Nru libuv-0.10.28/debian/patches/setgroups_CVE-2015-0278.diff libuv-0.10.28/debian/patches/setgroups_CVE-2015-0278.diff --- libuv-0.10.28/debian/patches/setgroups_CVE-2015-0278.diff 1970-01-01 01:00:00.000000000 +0100 +++ libuv-0.10.28/debian/patches/setgroups_CVE-2015-0278.diff 2015-02-25 10:40:02.000000000 +0100 
@@ -0,0 +1,46 @@ +From 2773e1181dfb1e10fc2e3bfd3ffd83c71b730408 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sa=C3=BAl=20Ibarra=20Corretg=C3=A9?= <sag...@gmail.com> +Date: Mon, 10 Feb 2014 17:41:51 +0100 +Subject: [PATCH] unix: call setgoups before calling setuid/setgid + +Backported from v1.x (66ab389) + +PR-URL: https://github.com/libuv/libuv/pull/215 +Reviewed-By: Ben Noordhuis <i...@bnoordhuis.nl> +--- + src/unix/process.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/src/unix/process.c b/src/unix/process.c +index 19686a2..d1f9440 100644 +--- a/src/unix/process.c ++++ b/src/unix/process.c +@@ -40,6 +40,10 @@ + extern char **environ; + #endif + ++#ifdef __linux__ ++# include <grp.h> ++#endif ++ + + static ngx_queue_t* uv__process_queue(uv_loop_t* loop, int pid) { + assert(pid > 0); +@@ -331,6 +335,17 @@ static void uv__process_child_init(uv_process_options_t options, + _exit(127); + } + ++ if (options.flags & (UV_PROCESS_SETUID | UV_PROCESS_SETGID)) { ++ /* When dropping privileges from root, the `setgroups` call will ++ * remove any extraneous groups. If we don't call this, then ++ * even though our uid has dropped, we may still have groups ++ * that enable us to do super-user things. This will fail if we ++ * aren't root, so don't bother checking the return value, this ++ * is just done as an optimistic privilege dropping function. ++ */ ++ SAVE_ERRNO(setgroups(0, NULL)); ++ } ++ + if ((options.flags & UV_PROCESS_SETGID) && setgid(options.gid)) { + uv__write_int(error_fd, errno); + _exit(127);
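Review bot: the Subject line of the embedded patch file, "unix: call setgoups before calling setuid/setgid", carries a typo ("setgoups") that the new file debian/patches/setgroups_CVE-2015-0278.diff now bakes into the package; since this file is created by the debdiff rather than applied verbatim from upstream, correct it to "setgroups" so the patch description matches the changelog entry and the call it introduces.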
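Review bot: the `#ifdef __linux__` / `# include <grp.h>` hunk near the top of src/unix/process.c is Linux-only, but the setgroups() call added in the second hunk is compiled unconditionally. On the BSDs and macOS setgroups() is declared in <unistd.h>, not <grp.h>, so the non-Linux build of this backport only compiles warning-free if process.c already includes <unistd.h>; the context lines shown do not include it. Please confirm that include is present in the 0.10.28 file, or drop the `__linux__` guard and include <grp.h> together with <unistd.h> on every platform, which is harmless where <grp.h> lacks the declaration.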
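Review bot: in the hunk at `@@ -331,6 +335,17 @@`, `SAVE_ERRNO(setgroups(0, NULL));` discards the result, so if the parent is root (the only case the comment says this call is meant for) and setgroups() nevertheless fails, the child goes on to setgid()/setuid() with its supplementary groups intact and nobody is told; that is the exact condition CVE-2015-0278 describes. The comment's justification ("this will fail if we aren't root") only covers the non-root case, which can be distinguished at run time, e.g. `if (geteuid() == 0 && setgroups(0, NULL)) { uv__write_int(error_fd, errno); _exit(127); }` in place of the SAVE_ERRNO line, keeping the existing error-reporting path the two hunks below it already use for setgid()/setuid(). Two further points for the backport: the ordering (setgroups, then setgid, then setuid) is correct and must stay that way, because once setuid() has dropped root the groups can no longer be changed; and this clears the supplementary group list rather than loading the target user's groups as initgroups(3) would, so a child spawned with UV_PROCESS_SETUID/UV_PROCESS_SETGID loses any device or file access it previously inherited through group membership. That is a user-visible behaviour change for a stable update and deserves a line in the changelog beyond "Backported: call setgroups before calling setuid/setgid" (and in the uv_spawn flag documentation if the package ships it). Finally, SAVE_ERRNO is used but not added by this diff; since the patch comes from v1.x (66ab389), verify that src/unix/internal.h in the 0.10.28 tree defines it, otherwise the package fails to build.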