Hi

On Sun, Jan 20, 2013 at 10:14:26AM +0100, Yves-Alexis Perez wrote:
[...]
> > If we need to be that pedantic about it to put something into squeeze
> > (which may well be a good idea), then maybe we need to make the change
> > without building and releasing any of the actual binaries, just release
> > the ganglia-web.deb package (which contains no binary code, just PHP).
> > Is there a workflow to do that?
>
> No. We want minimal changes against the version in Squeeze, remember?
>
> In any case, provided it actually fixes the bug, I'm ok with Salvatore's
> package including only the one-liner patch.
So I have verified the following things:

- The debdiff contains only the mentioned change (debdiff attached).
- The patch is applied to /usr/share/ganglia-webfrontend/graph.php in the produced binary package ganglia-webfrontend.
- If I try to exploit the argument g= passed to graph.php on a squeeze with the package installed, it does not work anymore, and in the logs I correctly notice the error output produced by error_log. At least with the obvious exploit variant.
- I also checked the debdiff against the produced binary packages:

----cut---------cut---------cut---------cut---------cut---------cut-----
ganglia-webfrontend:
--------------------
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
------------------------------------------------
Version: [-3.1.7-1-] {+3.1.7-1+squeeze1+}

ganglia-monitor:
----------------
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
------------------------------------------------
Depends: libapr1 (>= 1.2.7), libc6 (>= 2.2.5), libconfuse0 (>= 2.5), libexpat1 (>= 1.95.8), libganglia1 (= [-3.1.7-1+b1),-] {+3.1.7-1+squeeze1),+} libpcre3 (>= 7.7), adduser
Installed-Size: [-168-] {+228+}
Source: ganglia [-(3.1.7-1)-]
Version: [-3.1.7-1+b1-] {+3.1.7-1+squeeze1+}

gmetad:
-------
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
------------------------------------------------
Depends: libapr1 (>= 1.2.7), libc6 (>= 2.3), libconfuse0 (>= 2.5), libexpat1 (>= 1.95.8), libganglia1 (= [-3.1.7-1+b1),-] {+3.1.7-1+squeeze1),+} libpcre3 (>= 7.7), librrd4 (>= 1.3.0), adduser
Installed-Size: [-92-] {+160+}
Source: ganglia [-(3.1.7-1)-]
Version: [-3.1.7-1+b1-] {+3.1.7-1+squeeze1+}

libganglia1:
------------
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
------------------------------------------------
Installed-Size: [-836-] {+896+}
Source: ganglia [-(3.1.7-1)-]
Version: [-3.1.7-1+b1-] {+3.1.7-1+squeeze1+}

libganglia1-dev:
----------------
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
------------------------------------------------
Depends: libganglia1 (= [-3.1.7-1+b1)-] {+3.1.7-1+squeeze1)+}
Installed-Size: [-172-] {+208+}
Source: ganglia [-(3.1.7-1)-]
Version: [-3.1.7-1+b1-] {+3.1.7-1+squeeze1+}
----cut---------cut---------cut---------cut---------cut---------cut-----

- Attached is also the buildlog. It shows some problems, but they are also already present right now in the version in Squeeze. So I think we are on the safe side, but if you, Daniel, see an actual problem with one of the produced binary packages, please let us know. I also could provide the binary packages somewhere if you want to test them.

Regards,
Salvatore
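As an added illustration (not code from this thread or from ganglia itself), the PHP below mirrors graph.php's file resolution before and after the one-line realpath check, run against a constructed temporary graphdir; the fixture paths and the two function names are assumptions.

```php
<?php
// Added example: the graph-file lookup as it behaves without and with the
// squeeze1 check, side by side. Nothing here is ganglia's own code.

// Before the fix: the graph name is interpolated straight into the path and
// only readability is checked, so '../' components are honoured by the OS.
function graph_file_unchecked(string $graphdir, string $graph): ?string {
    $graph_file = "$graphdir/$graph.php";
    return is_readable($graph_file) ? $graph_file : null;
}

// After the fix: the resolved file must sit directly inside the resolved
// graphdir. realpath() normalises '..' and symlinks on both sides, and the
// && short-circuits so realpath() is never called on a missing file.
function graph_file_checked(string $graphdir, string $graph): ?string {
    $graph_file = "$graphdir/$graph.php";
    if (is_readable($graph_file)
        && realpath($graphdir) === dirname(realpath($graph_file))) {
        return $graph_file;
    }
    error_log("graph.php: refused graph name '$graph' (outside $graphdir)");
    return null;
}

// Constructed fixture: one legitimate graph inside graphdir and one readable
// file one directory up, standing in for anything reachable through '../'.
$base     = sys_get_temp_dir() . '/ganglia-demo-' . getmypid();
$graphdir = "$base/graph.d";
mkdir($graphdir, 0700, true);
file_put_contents("$graphdir/cpu_report.php", "<?php // legitimate graph\n");
file_put_contents("$base/secret.php", "<?php // outside graphdir\n");

// A normal name, a traversal name, and a name that does not exist at all.
foreach (['cpu_report', '../secret', 'missing'] as $g) {
    printf("%-12s unchecked=%-8s checked=%s\n", $g,
        graph_file_unchecked($graphdir, $g) ? 'included' : 'refused',
        graph_file_checked($graphdir, $g)   ? 'included' : 'refused');
}

// Remove the fixture again.
unlink("$graphdir/cpu_report.php");
unlink("$base/secret.php");
rmdir($graphdir);
rmdir($base);
```

Run with `php` from the command line; the refusals are also visible on stderr through error_log, which is the log output Salvatore mentions seeing.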
diff -u ganglia-3.1.7/debian/changelog ganglia-3.1.7/debian/changelog --- ganglia-3.1.7/debian/changelog +++ ganglia-3.1.7/debian/changelog @@ -1,3 +1,13 @@ +ganglia (3.1.7-1+squeeze1) stable-security; urgency=high + + * Non-maintainer upload. + * Fix for path traversal issue when supplying name of a graph + web/graph.php: Check for path traversal issues by making sure real path + is actually in graphdir. Fixes CVE-2012-3448. + Fix backported from ganglia 3.1.8. (Closes: #683584) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 19 Jan 2013 10:04:17 +0100 + ganglia (3.1.7-1) unstable; urgency=low * New upstream version. Closes: #584276. only in patch2: unchanged: --- ganglia-3.1.7.orig/web/graph.php +++ ganglia-3.1.7/web/graph.php @@ -122,7 +122,7 @@ $graph_file = "$graphdir/$graph.php"; -if ( is_readable($graph_file) ) { +if ( is_readable($graph_file) and realpath($graphdir) === dirname(realpath($graph_file)) ) { include_once($graph_file); $graph_function = "graph_${graph}";
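Review bot: In the graph.php hunk the new condition compares realpath($graphdir) with dirname(realpath($graph_file)), so any name whose resolved file leaves graphdir is refused, but the raw $graph is still used on the following visible line in `$graph_function = "graph_${graph}";`. A name that resolves back into graphdir (for instance `sub/../cpu_report`, when `sub` is an existing subdirectory) would pass the check yet yield an unusable function name; deriving the function name from `basename($graph_file, '.php')` after the check, or refusing names containing `/`, would keep the two consistent. Since realpath() also resolves symlinks, a graph file that is itself a symlink to a file outside graphdir is now refused, which deserves a sentence in the changelog entry.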
ganglia_3.1.7-1+squeeze1_amd64.build.gz
Description: Binary data