Your message dated Sat, 09 Nov 2024 10:51:02 +0000
with message-id
<b0a29248bc631362ed06a8879f93b8cdae5414d0.ca...@adam-barratt.org.uk>
and subject line Closing bugs released with 12.8
has caused the Debian Bug report #1082783,
regarding bookworm-pu: package puredata/0.53.1+ds-2+deb12u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1082783: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082783
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: secur...@debian.org, Debian Multimedia Maintainers
<debian-multime...@lists.debian.org>
* CVE-2023-47480: Terminate if canceling setuid() privilege fails
diffstat for puredata-0.53.1+ds puredata-0.53.1+ds
changelog | 7 +
patches/0001-Terminate-if-canceling-setuid-privilege-fails.patch | 38
++++++++++
patches/series | 1
3 files changed, 46 insertions(+)
diff -Nru puredata-0.53.1+ds/debian/changelog
puredata-0.53.1+ds/debian/changelog
--- puredata-0.53.1+ds/debian/changelog 2023-01-28 23:00:40.000000000 +0200
+++ puredata-0.53.1+ds/debian/changelog 2024-09-26 10:17:50.000000000 +0300
@@ -1,3 +1,10 @@
+puredata (0.53.1+ds-2+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2023-47480: Terminate if canceling setuid() privilege fails
+
+ -- Adrian Bunk <b...@debian.org> Thu, 26 Sep 2024 10:17:50 +0300
+
puredata (0.53.1+ds-2) unstable; urgency=medium
* Backport upstream ALSA-MIDI fix
diff -Nru
puredata-0.53.1+ds/debian/patches/0001-Terminate-if-canceling-setuid-privilege-fails.patch
puredata-0.53.1+ds/debian/patches/0001-Terminate-if-canceling-setuid-privilege-fails.patch
---
puredata-0.53.1+ds/debian/patches/0001-Terminate-if-canceling-setuid-privilege-fails.patch
1970-01-01 02:00:00.000000000 +0200
+++
puredata-0.53.1+ds/debian/patches/0001-Terminate-if-canceling-setuid-privilege-fails.patch
2024-09-26 10:12:33.000000000 +0300
@@ -0,0 +1,38 @@
+From b97fe443787982b1f0e4ad7db123418bcdf409b4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?IOhannes=20m=20zm=C3=B6lnig?= <zmoel...@iem.at>
+Date: Tue, 25 Jul 2023 17:03:58 +0200
+Subject: Terminate if canceling setuid() privilege fails
+
+Closes: https://github.com/pure-data/pure-data/issues/2063
+---
+ src/s_main.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/src/s_main.c b/src/s_main.c
+index 56fd633e..8eef4922 100644
+--- a/src/s_main.c
++++ b/src/s_main.c
+@@ -337,7 +337,19 @@ int sys_main(int argc, const char **argv)
+ if (getuid() != geteuid())
+ {
+ fprintf(stderr, "warning: canceling setuid privilege\n");
+- setuid(getuid());
++ if(setuid(getuid()) < 0) {
++ /* sometimes this fails (which, according to 'man 2 setuid'
is a
++ * grave security error), in which case we bail out and quit.
*/
++ fprintf(stderr, "\n\nFATAL: could not cancel setuid privilege");
++ fprintf(stderr, "\nTo fix this, please remove the setuid flag
from the Pd binary");
++ if(argc>0) {
++ fprintf(stderr, "\ne.g. by running the following as
root/superuser:");
++ fprintf(stderr, "\n chmod u-s '%s'", argv[0]);
++ }
++ fprintf(stderr, "\n\n");
++ perror("setuid");
++ return (1);
++ }
+ }
+ #endif /* _WIN32 */
+ if (socket_init())
+--
+2.30.2
+
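Review bot: In the new failure branch in sys_main(), perror("setuid") is called only after several fprintf(stderr, ...) calls, any of which may overwrite errno, so the printed reason may not be the one setuid() failed with. Save errno immediately after the failed call and restore it before perror(), or call perror() first. Separately, the guard compares only getuid() with geteuid() and the branch drops only the user ID, so a set-group-ID install is not handled here. A matching getgid()/getegid() check with setgid(getgid()), placed before the setuid() call, would cover it. The code also treats a zero return from setuid() as proof that the privilege is gone. Checking afterwards that geteuid() == getuid() would confirm the drop instead of assuming it.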
diff -Nru puredata-0.53.1+ds/debian/patches/series
puredata-0.53.1+ds/debian/patches/series
--- puredata-0.53.1+ds/debian/patches/series 2023-01-28 23:00:40.000000000
+0200
+++ puredata-0.53.1+ds/debian/patches/series 2024-09-26 10:15:42.000000000
+0300
@@ -6,3 +6,4 @@
debian_remove_timestamp-macros.patch
debian_etc-gui-plugins.patch
debian_privacy.patch
+0001-Terminate-if-canceling-setuid-privilege-fails.patch
--- End Message ---
--- Begin Message ---
Source: release.debian.org
Version: 12.8
Hi,
Each of the updates tracked by these bugs was included in today's 12.8
bookworm point release.
Regards,
Adam
--- End Message ---