Dear maintainer,

Here is the NMU diff according to DevRef 5.11.1[1][2] for bug: #598549. See the debian/patches directory for the important fixes.

Let me know if it's okay to proceed with the NMU.

Thank you for maintaining the package,
Jari Aalto

[1] http://www.debian.org/doc/developers-reference/pkgs.html#nmu
[2] http://dep.debian.net/deps/dep1.html

lsdiff(1) of changes:

cluster-agents-1.0.3/debian/changelog
cluster-agents-1.0.3/debian/patches/CVE-2010-3389--bug598549.patch
cluster-agents-1.0.3/debian/patches/series
diffstat for cluster-agents-1.0.3 cluster-agents-1.0.3 changelog | 8 ++++ patches/CVE-2010-3389--bug598549.patch | 53 +++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 62 insertions(+) diff -Nru cluster-agents-1.0.3/debian/changelog cluster-agents-1.0.3/debian/changelog --- cluster-agents-1.0.3/debian/changelog 2010-05-04 16:04:18.000000000 +0300 +++ cluster-agents-1.0.3/debian/changelog 2010-10-16 20:28:40.000000000 +0300 @@ -1,3 +1,11 @@ +cluster-agents (1:1.0.3-3.1) unstable; urgency=low + + * debian/patches + - (CVE-2010-3389--bug598549): New. Correct LD_LIBRARY_PATH handling. + (important, security; Closes: #598549). + + -- Jari Aalto <[email protected]> Sat, 16 Oct 2010 20:28:40 +0300 + cluster-agents (1:1.0.3-3) unstable; urgency=low * Add build dependency on docbook-xml. (Closes: #579623) diff -Nru cluster-agents-1.0.3/debian/patches/CVE-2010-3389--bug598549.patch cluster-agents-1.0.3/debian/patches/CVE-2010-3389--bug598549.patch --- cluster-agents-1.0.3/debian/patches/CVE-2010-3389--bug598549.patch 1970-01-01 02:00:00.000000000 +0200 +++ cluster-agents-1.0.3/debian/patches/CVE-2010-3389--bug598549.patch 2010-10-16 20:26:28.000000000 +0300 
@@ -0,0 +1,53 @@ +From a4afa69fda9a375d7763e335c556231eaefe516d Mon Sep 17 00:00:00 2001 +From: Jari Aalto <[email protected]> +Date: Sat, 16 Oct 2010 20:26:25 +0300 +Subject: [PATCH] CVE-2010-3389: insecure library loading +Organization: Private +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +Signed-off-by: Jari Aalto <[email protected]> +--- + heartbeat/SAPDatabase | 7 +++++-- + heartbeat/SAPInstance | 7 +++++-- + 2 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/heartbeat/SAPDatabase b/heartbeat/SAPDatabase +index 5e07046..e9574ea 100755 +--- a/heartbeat/SAPDatabase ++++ b/heartbeat/SAPDatabase +@@ -966,8 +966,11 @@ else + fi + + # as root user we need the library path to the SAP kernel to be able to call executables +-if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then +- LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH ++if [ "$DIR_EXECUTABLE" ]; then ++ if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then ++ LD_LIBRARY_PATH="$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" ++ export LD_LIBRARY_PATH ++ fi + fi + sidadm="`echo $SID | tr [:upper:] [:lower:]`adm" + +diff --git a/heartbeat/SAPInstance b/heartbeat/SAPInstance +index 08f47f8..d7dea78 100755 +--- a/heartbeat/SAPInstance ++++ b/heartbeat/SAPInstance +@@ -296,8 +296,11 @@ sapinstance_init() { + fi + + # as root user we need the library path to the SAP kernel to be able to call sapcontrol +- if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then +- LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH ++ if [ "$DIR_EXECUTABLE" ]; then ++ if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then ++ LD_LIBRARY_PATH="$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" ++ export LD_LIBRARY_PATH ++ fi + fi + + sidadm="`echo $SID | tr [:upper:] [:lower:]`adm" +-- +1.7.1 + diff -Nru cluster-agents-1.0.3/debian/patches/series 
cluster-agents-1.0.3/debian/patches/series --- cluster-agents-1.0.3/debian/patches/series 2010-05-03 20:31:33.000000000 +0300 +++ cluster-agents-1.0.3/debian/patches/series 2010-10-16 20:26:49.000000000 +0300 @@ -1 +1,2 @@ +CVE-2010-3389--bug598549.patch spelling-fixes.patch
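Review bot: The new debian/changelog entry sets urgency=low while its own text labels the change "important, security" and closes a CVE bug; the two disagree. Raise the urgency field to match a security fix, and consider saying in the entry what was wrong with the LD_LIBRARY_PATH handling (the patch header carries only a Signed-off-by line and no description either).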
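Review bot: In the heartbeat/SAPDatabase hunk, an inherited LD_LIBRARY_PATH that already holds an empty element (a leading or trailing colon, or "::") is still exported unchanged, and DIR_EXECUTABLE is only tested for being non-empty, not for being an absolute path. The dynamic loader reads an empty element as the current directory, so the ${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH} form closes the empty-variable case but not these. Since the comment says this runs as root, consider rejecting a DIR_EXECUTABLE that does not start with "/" and stripping empty elements from the inherited value before prepending.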
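Review bot: The membership test kept in the heartbeat/SAPInstance hunk, echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>", leaves $LD_LIBRARY_PATH unquoted and uses DIR_EXECUTABLE as an unescaped regular expression, so dots in the path match any character and a first entry that merely starts with the directory name followed by a non-word character (for example a "-old" sibling) counts as a match. A case test of ":$LD_LIBRARY_PATH:" against *":$DIR_EXECUTABLE:"* compares whole elements literally and needs no grep. The block is also duplicated verbatim from heartbeat/SAPDatabase; a shared helper would keep the two copies from drifting.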

