Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Dear release team,

I have just uploaded (via Utkarsh Gupti as sponsor) an update of tinyproxy in stretch with the following changes:

+  * debian/patches:
+    + Add CVE-2017-11747-drop-privileges-after-PID-file-creation.patch.
+      CVE-2017-11747: Create PID file before dropping privileges to non-root
+      account. (Closes: #870307).

CVE-2017-11747 is a no-dsa issue.

+  * debian/tinyproxy.init:
+    + Only set PIDDIR, if PIDFILE is a non-zero length string. (Closes:
+      #948283).

RC bug fix.

Thanks+Greets,
Mike

-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru tinyproxy-1.8.4/debian/changelog tinyproxy-1.8.4/debian/changelog --- tinyproxy-1.8.4/debian/changelog 2018-02-28 18:33:56.000000000 +0100 +++ tinyproxy-1.8.4/debian/changelog 2020-03-31 12:15:15.000000000 +0200 @@ -1,3 +1,15 @@ +tinyproxy (1.8.4-3~deb9u2) stretch; urgency=medium + + * debian/patches: + + Add CVE-2017-11747-drop-privileges-after-PID-file-creation.patch. + CVE-2017-11747: Create PID file before dropping privileges to non-root + account. (Closes: #870307). + * debian/tinyproxy.init: + + Only set PIDDIR, if PIDFILE is a non-zero length string. (Closes: + #948283). + + -- Mike Gabriel <sunwea...@debian.org> Tue, 31 Mar 2020 12:15:15 +0200 + tinyproxy (1.8.4-3~deb9u1) stretch; urgency=medium * Non-maintainer upload. diff -Nru tinyproxy-1.8.4/debian/init tinyproxy-1.8.4/debian/init --- tinyproxy-1.8.4/debian/init 2017-11-15 01:38:47.000000000 +0100 +++ tinyproxy-1.8.4/debian/init 2020-03-31 12:13:31.000000000 +0200 @@ -37,7 +37,9 @@ GROUP=$(grep -i '^Group[[:space:]]' "$CONFIG" | awk '{print $2}') PIDFILE=$(grep -i '^PidFile[[:space:]]' "$CONFIG" | awk '{print $2}' |\ sed -e 's/"//g') - PIDDIR=`dirname "$PIDFILE"` + if [ -n "$PIDFILE" ];then + PIDDIR=$(dirname "$PIDFILE") + fi if [ -n "$PIDDIR" -a "$PIDDIR" != "/run" ]; then if [ ! -d "$PIDDIR" ]; then mkdir "$PIDDIR" diff -Nru tinyproxy-1.8.4/debian/patches/CVE-2017-11747-drop-privileges-after-PID-file-creation.patch tinyproxy-1.8.4/debian/patches/CVE-2017-11747-drop-privileges-after-PID-file-creation.patch --- tinyproxy-1.8.4/debian/patches/CVE-2017-11747-drop-privileges-after-PID-file-creation.patch 1970-01-01 01:00:00.000000000 +0100 +++ tinyproxy-1.8.4/debian/patches/CVE-2017-11747-drop-privileges-after-PID-file-creation.patch 2020-03-31 12:14:05.000000000 +0200 
@@ -0,0 +1,47 @@ +From 9acb0cb16cb65a554c5443f0409f827390379249 Mon Sep 17 00:00:00 2001 +From: Michael Adam <ob...@samba.org> +Date: Thu, 16 Nov 2017 01:52:55 +0100 +Subject: [PATCH] Fix CVE-2017-11747: Create PID file before dropping + privileges. + +Resolves #106 + +Signed-off-by: Michael Adam <ob...@samba.org> +--- + src/main.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/src/main.c ++++ b/src/main.c +@@ -407,6 +407,15 @@ + exit (EX_OSERR); + } + ++ /* Create pid file before we drop privileges */ ++ if (config.pidpath) { ++ if (pidfile_create (config.pidpath) < 0) { ++ fprintf (stderr, "%s: Could not create PID file.\n", ++ argv[0]); ++ exit (EX_OSERR); ++ } ++ } ++ + /* Switch to a different user if we're running as root */ + if (geteuid () == 0) + change_user (argv[0]); +@@ -419,15 +428,6 @@ + exit (EX_SOFTWARE); + } + +- /* Create pid file after we drop privileges */ +- if (config.pidpath) { +- if (pidfile_create (config.pidpath) < 0) { +- fprintf (stderr, "%s: Could not create PID file.\n", +- argv[0]); +- exit (EX_OSERR); +- } +- } +- + if (child_pool_create () < 0) { + fprintf (stderr, + "%s: Could not create the pool of children.\n", diff -Nru tinyproxy-1.8.4/debian/patches/series tinyproxy-1.8.4/debian/patches/series --- tinyproxy-1.8.4/debian/patches/series 2017-11-15 01:22:25.000000000 +0100 +++ tinyproxy-1.8.4/debian/patches/series 2020-03-31 12:14:35.000000000 +0200 @@ -1 +1,2 @@ sighup_hang.patch +CVE-2017-11747-drop-privileges-after-PID-file-creation.patch
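Review bot: in the debian/init hunk, PIDDIR is now assigned only when PIDFILE is non-empty, so a PIDDIR value inherited from the environment would survive into the following `if [ -n "$PIDDIR" -a "$PIDDIR" != "/run" ]` block and its `mkdir "$PIDDIR"`; initialising it with `PIDDIR=` just before the new `if` keeps the guard self-contained. Two style points on the same lines: `if [ -n "$PIDFILE" ];then` lacks the space after the semicolon that the neighbouring tests use (`if [ ! -d "$PIDDIR" ]; then`), and since the test on the next line is being touched anyway, `-a` inside `[ ]` is obsolescent in POSIX; `[ -n "$PIDDIR" ] && [ "$PIDDIR" != "/run" ]` is the portable spelling. Replacing the backticks with `$(dirname "$PIDFILE")` is a welcome cleanup.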
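Review bot: the new debian/patches/CVE-2017-11747-drop-privileges-after-PID-file-creation.patch carries only the git format-patch header (From, Date, Subject, "Resolves #106"); for a patch added in a stable update it should also carry the DEP-3 fields that tie it to this upload, at least `Bug-Debian: https://bugs.debian.org/870307` and an `Origin:` line naming upstream commit 9acb0cb16cb65a554c5443f0409f827390379249, which the header already identifies. On the change itself: moving `pidfile_create (config.pidpath)` ahead of `change_user (argv[0])` means the PID file is created root-owned, which is what makes a root-owned `/run` writable again; it is worth confirming in the same review that whatever removes or rewrites that file later, running as the unprivileged user, still has the directory permissions it needs (the init script's PIDDIR handling in the other hunk is where that is decided for Debian).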
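As an added illustration of the ordering the CVE-2017-11747 patch establishes (PID file first, privilege drop second), here is a small stand-alone C program. It is not tinyproxy's code and is not part of the bug report or the debdiff; the function names (pidfile_write, pidfile_read, drop_privileges, start, self_check), the temporary path under /tmp and the uid/gid 65534 (nobody/nogroup on Debian) are assumptions made for the example. Beyond the patch, it also shows the checks a privilege drop should make: clear supplementary groups, set the gid before the uid, and verify that root cannot be regained.

```c
/* Added example, not tinyproxy's own code: create the PID file while still
 * root, then drop privileges permanently, in the order the CVE-2017-11747 fix
 * establishes.  Function names, paths and uid/gid 65534 are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Write our PID to `path`, creating it with an explicit 0644 mode and
 * refusing to follow a symlink at that path.  Runs before the privilege
 * drop so that a root-owned directory such as /run is still writable.
 * Returns 0 on success, -1 on error with errno set. */
static int pidfile_write(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    (void) fchmod(fd, 0644);            /* independent of the caller's umask */
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", (long) getpid());
    if (n < 0 || n >= (int) sizeof buf) {
        close(fd);
        return -1;
    }
    ssize_t w = write(fd, buf, (size_t) n);
    if (close(fd) != 0 || w != n)
        return -1;
    return 0;
}

/* Read the PID stored at `path`; -1 if the file is missing or malformed. */
static long pidfile_read(const char *path)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    long pid = -1;
    if (fscanf(f, "%ld", &pid) != 1)
        pid = -1;
    fclose(f);
    return pid;
}

/* Permanently drop root to uid/gid.  Order matters: clear supplementary
 * groups and set the gid while still root, set the uid last, then confirm
 * root cannot be regained.  As in tinyproxy, a process that is not root has
 * nothing to drop.  Returns 0 on success, -1 on failure with errno set. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 0;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0 || geteuid() != uid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Startup in the fixed order: PID file first, privilege drop second.
 * Returns 0 on success, -1 on error (message on stderr). */
static int start(const char *pidpath, uid_t uid, gid_t gid)
{
    if (pidpath != NULL && pidfile_write(pidpath) < 0) {
        fprintf(stderr, "Could not create PID file %s: %s\n",
                pidpath, strerror(errno));
        return -1;
    }
    if (drop_privileges(uid, gid) < 0) {
        fprintf(stderr, "Could not drop privileges: %s\n", strerror(errno));
        return -1;
    }
    return 0;
}

/* Self-check: run start() against a PID file in a fresh temporary directory
 * (constructed path under /tmp) and confirm the file holds our PID.  Returns
 * 1 on success, 0 on failure.  Cleanup is best effort: after a real drop the
 * unprivileged process may no longer be allowed to remove root's files. */
static int self_check(void)
{
    char dir[] = "/tmp/pidfile-example-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;
    chmod(dir, 0755);           /* let the unprivileged user read it back */
    char path[256];
    snprintf(path, sizeof path, "%s/example.pid", dir);
    int ok = start(path, 65534, 65534) == 0
          && pidfile_read(path) == (long) getpid();
    unlink(path);
    rmdir(dir);
    return ok;
}

int main(void)
{
    int ok = self_check();
    printf("%s: now running as uid %ld\n", ok ? "ok" : "FAILED",
           (long) geteuid());
    return ok ? 0 : 1;
}
```

Run as an ordinary user the program exercises only the PID-file path (nothing to drop); run as root it really switches to uid 65534 and then verifies that `setuid(0)` fails, which is the property the "drop privileges after PID file creation" ordering is meant to preserve.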