Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: a...@packages.debian.org, Stefan Fritsch <s...@debian.org>, Debian Apache Maintainers <debian-apache@lists.debian.org>, j...@debian.org, car...@debian.org
Control: affects -1 + src:apr
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
apr in bookworm is affected by CVE-2023-49582, #1080375, where permissions of shared mem files are too wide, making them world readable. The apr upstream version 1.7.5 changes those to 0600 permissions. The issue does not warrant a DSA, so we would like to include it in the point release.

[ Impact ]
Users of libapr1 still create shared mem files with too lax permissions.

[ Tests ]
Manual testing of the update with the apache2 ScoreBoardFile file, previously created with 0644 permissions, and now with the more restrictive 0600.

[ Risks ]
The patch is taken from the upstream merge into the 1.7.x version and there were no followups since then. The version in unstable is present since beginning of September, TTBOMK without reports.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Change to use 0600 permissions for named shared memory.

[ Other info ]
Nothing specifically.

Regards,
Salvatore
diff -Nru apr-1.7.2/debian/changelog apr-1.7.2/debian/changelog --- apr-1.7.2/debian/changelog 2023-02-26 21:51:24.000000000 +0100 +++ apr-1.7.2/debian/changelog 2024-10-31 21:08:12.000000000 +0100 @@ -1,3 +1,11 @@ +apr (1.7.2-3+deb12u1) bookworm; urgency=medium + + * Non-maintainer upload. + * Use 0600 perms for named shared mem consistently (CVE-2023-49582) + (Closes: #1080375) + + -- Salvatore Bonaccorso <car...@debian.org> Thu, 31 Oct 2024 21:08:12 +0100 + apr (1.7.2-3) unstable; urgency=medium * Add more fixes for atomics from upstream, in particular for diff -Nru apr-1.7.2/debian/patches/CVE-2023-49582.patch apr-1.7.2/debian/patches/CVE-2023-49582.patch --- apr-1.7.2/debian/patches/CVE-2023-49582.patch 1970-01-01 01:00:00.000000000 +0100 +++ apr-1.7.2/debian/patches/CVE-2023-49582.patch 2024-10-31 21:07:08.000000000 +0100 
@@ -0,0 +1,71 @@ +From: Eric Covener <cove...@apache.org> +Date: Tue, 20 Aug 2024 21:50:42 +0000 +Subject: Merge r1920082 from 1.8.x: +Origin: https://github.com/apache/apr/commit/36ea6d5a2bfc480dd8032cc8651e6793552bc2aa +Bug-Debian: https://bugs.debian.org/1080375 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-49582 + +use 0600 perms for named shared mem consistently + + + + +git-svn-id: https://svn.apache.org/repos/asf/apr/apr/branches/1.7.x@1920083 13f79535-47bb-0310-9956-ffa450edef68 +--- + shmem/unix/shm.c | 18 +++++++----------- + 1 file changed, 7 insertions(+), 11 deletions(-) + +diff --git a/shmem/unix/shm.c b/shmem/unix/shm.c +index 096884d99d50..ea9b94277b01 100644 +--- a/shmem/unix/shm.c ++++ b/shmem/unix/shm.c +@@ -287,10 +287,9 @@ APR_DECLARE(apr_status_t) apr_shm_create(apr_shm_t **m, + status = APR_SUCCESS; + + #if APR_USE_SHMEM_MMAP_TMP +- /* FIXME: Is APR_OS_DEFAULT sufficient? */ +- status = apr_file_open(&file, filename, +- APR_READ | APR_WRITE | APR_CREATE | APR_EXCL, +- APR_OS_DEFAULT, pool); ++ status = apr_file_open(&file, filename, ++ APR_FOPEN_READ | APR_FOPEN_WRITE | APR_FOPEN_CREATE | APR_FOPEN_EXCL, ++ APR_FPROT_UREAD | APR_FPROT_UWRITE, pool); + if (status != APR_SUCCESS) { + return status; + } +@@ -319,8 +318,7 @@ APR_DECLARE(apr_status_t) apr_shm_create(apr_shm_t **m, + } + #endif /* APR_USE_SHMEM_MMAP_TMP */ + #if APR_USE_SHMEM_MMAP_SHM +- /* FIXME: SysV uses 0600... should we? */ +- tmpfd = shm_open(shm_name, O_RDWR | O_CREAT | O_EXCL, 0644); ++ tmpfd = shm_open(shm_name, O_RDWR | O_CREAT | O_EXCL, 0600); + if (tmpfd == -1) { + return errno; + } +@@ -361,10 +359,9 @@ APR_DECLARE(apr_status_t) apr_shm_create(apr_shm_t **m, + #elif APR_USE_SHMEM_SHMGET + new_m->realsize = reqsize; + +- /* FIXME: APR_OS_DEFAULT is too permissive, switch to 600 I think. 
*/ +- status = apr_file_open(&file, filename, ++ status = apr_file_open(&file, filename, + APR_FOPEN_WRITE | APR_FOPEN_CREATE | APR_FOPEN_EXCL, +- APR_OS_DEFAULT, pool); ++ APR_FPROT_UREAD | APR_FPROT_UWRITE, pool); + if (status != APR_SUCCESS) { + return status; + } +@@ -555,8 +552,7 @@ APR_DECLARE(apr_status_t) apr_shm_attach(apr_shm_t **m, + #if APR_USE_SHMEM_MMAP_SHM + const char *shm_name = make_shm_open_safe_name(filename, pool); + +- /* FIXME: SysV uses 0600... should we? */ +- tmpfd = shm_open(shm_name, O_RDWR, 0644); ++ tmpfd = shm_open(shm_name, O_RDWR, 0600); + if (tmpfd == -1) { + return errno; + } +-- +2.45.2 + diff -Nru apr-1.7.2/debian/patches/series apr-1.7.2/debian/patches/series --- apr-1.7.2/debian/patches/series 2023-02-26 20:58:30.000000000 +0100 +++ apr-1.7.2/debian/patches/series 2024-10-31 21:07:27.000000000 +0100 @@ -12,3 +12,4 @@ python3-hashbang.patch fix-atomics.patch fix-atomics-some-more.patch +CVE-2023-49582.patch
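Review bot: the debian/changelog hunk documents the new 0600 mode but not that shared memory files which already exist on an upgraded system keep the mode they were created with; a debian/NEWS entry, or at least a changelog line, telling administrators to restart apache2 (and any other libapr1 consumer using named shared memory) after the upgrade would make the fix effective for installs that already have a 0644 ScoreBoardFile or /dev/shm object in place.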
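Review bot: in the APR_USE_SHMEM_SHMGET hunk (@@ -361,10) only the key file opened via apr_file_open() gets APR_FPROT_UREAD | APR_FPROT_UWRITE; the System V segment itself is created by a shmget() call outside this diff, and its permissions come from the flags passed there, which the patch does not touch. Please confirm that call already restricts the segment to the owner (the removed "SysV uses 0600" FIXME suggests it does), otherwise the CVE fix is incomplete on builds that select shmget. Minor: this path still opens the file with APR_FOPEN_WRITE only while the mmap path above now uses APR_FOPEN_READ | APR_FOPEN_WRITE; harmless, but a one-line comment on why the flags differ would avoid the next reader asking the same question.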
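Review bot: in the apr_shm_attach() hunk (@@ -555,8) the third argument of shm_open() is only consulted when O_CREAT is set, so `tmpfd = shm_open(shm_name, O_RDWR, 0600);` is a cosmetic change with no effect on the object's permissions; the commit message should say so rather than imply that attach now enforces 0600. The consequence is that a segment created with 0644 by the old library stays readable by other users until its creator removes and recreates it, which is why the upgrade needs a restart of the consuming service to take effect.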
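The following is an added example, not part of the debdiff or of APR itself, that reproduces the before/after behaviour the [ Tests ] section describes and the caveat behind the attach hunk. It uses plain open() on regular files in a private directory under /tmp (a hypothetical path, not anything APR uses) as a stand-in for shm_open(); on Linux glibc implements shm_open() as an open() on the tmpfs mounted at /dev/shm, so the mode and O_CREAT semantics are identical. The umask of 022 is Debian's default. Function names (create_with_mode, attach_with_mode, readable_by_others, demo) are this example's own.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits (0777 mask) of an open descriptor, or -1 on error. */
static int fd_perms(int fd)
{
    struct stat st;
    if (fstat(fd, &st) == -1)
        return -1;
    return (int)(st.st_mode & 0777);
}

/* Create `path` exclusively with `mode`, the way apr_shm_create() does via
 * shm_open(..., O_RDWR|O_CREAT|O_EXCL, mode) or apr_file_open(... EXCL ...).
 * Returns the permission bits the new object actually received, or -1. */
int create_with_mode(const char *path, mode_t mode)
{
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL, mode);
    if (fd == -1)
        return -1;
    int perms = fd_perms(fd);
    close(fd);
    return perms;
}

/* Reopen an existing object without O_CREAT, as apr_shm_attach() does.
 * The mode argument is only consulted when the object is created, so this
 * returns whatever permissions the object already had. */
int attach_with_mode(const char *path, mode_t mode)
{
    int fd = open(path, O_RDWR, mode);
    if (fd == -1)
        return -1;
    int perms = fd_perms(fd);
    close(fd);
    return perms;
}

/* True when any user other than the owner can read the object. */
int readable_by_others(int perms)
{
    return (perms & (S_IRGRP | S_IROTH)) != 0;
}

/* Run the scenario in a private directory (hypothetical path) with umask 022.
 * Returns 1 when: the object created with 0644 is readable by others (old
 * behaviour), the object created with 0600 is not (patched behaviour), and
 * re-attaching the 0644 object with mode 0600 leaves it at 0644.
 * Returns 0 if any of those does not hold, -1 if the directory cannot be made. */
int demo(void)
{
    char dir[64], before[96], after[96];
    snprintf(dir, sizeof dir, "/tmp/apr-shm-demo-%ld", (long)getpid());
    snprintf(before, sizeof before, "%s/before", dir);
    snprintf(after, sizeof after, "%s/after", dir);

    mode_t old_umask = umask(022);
    int result = -1;
    if (mkdir(dir, 0700) == 0) {
        int p_before = create_with_mode(before, 0644);  /* pre-patch create */
        int p_after  = create_with_mode(after, 0600);   /* patched create */
        int p_attach = attach_with_mode(before, 0600);  /* attach hunk */

        result = p_before == 0644 && readable_by_others(p_before)
              && p_after == 0600 && !readable_by_others(p_after)
              && p_attach == 0644;

        unlink(before);
        unlink(after);
        rmdir(dir);
    }
    umask(old_umask);
    return result;
}

int main(void)
{
    if (demo() == 1)
        puts("0644 objects are readable by other users, 0600 objects are not, "
             "and attaching with 0600 does not change an existing 0644 object");
    else
        puts("unexpected result (is /tmp writable?)");
    return 0;
}
```

Compile with `cc -o shm-perms shm-perms.c`. The same check against a live system is `stat -c '%a %n' /dev/shm/* /var/run/apache2/*` after restarting apache2: with the patched libapr1 the ScoreBoardFile and any named segments should report 600, and anything still at 644 was created before the restart.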