Your message dated Sat, 09 Nov 2024 10:51:02 +0000
with message-id
<b0a29248bc631362ed06a8879f93b8cdae5414d0.ca...@adam-barratt.org.uk>
and subject line Closing bugs released with 12.8
has caused the Debian Bug report #1086632,
regarding bookworm-pu: package apr/1.7.2-3+deb12u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1086632: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086632
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: a...@packages.debian.org, Stefan Fritsch <s...@debian.org>,
Debian Apache Maintainers <debian-apa...@lists.debian.org>, j...@debian.org,
car...@debian.org
Control: affects -1 + src:apr
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
apr in bookworm is affected by CVE-2023-49582, #1080375, where
permissions of shared mem files are too wide, making them world
readable.
The apr upstream version 1.7.5 changes those to 0600 permissions.
The issue does not warrant a DSA, so we would like to include it in
the point release.
[ Impact ]
Users of libapr1 still create shared mem files with too lax
permissions.
[ Tests ]
Manually tested the update with the apache2 ScoreBoardFile, previously
created with 0644 permissions and now with the more restrictive 0600.
[ Risks ]
The patch is taken from the upstream merge into the 1.7.x version and there
have been no followups since then. The version in unstable has been present
since the beginning of September, TTBOMK without reports.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Change to use 0600 permissions for named shared memory.
[ Other info ]
Nothing specific.
Regards,
Salvatore
diff -Nru apr-1.7.2/debian/changelog apr-1.7.2/debian/changelog
--- apr-1.7.2/debian/changelog 2023-02-26 21:51:24.000000000 +0100
+++ apr-1.7.2/debian/changelog 2024-10-31 21:08:12.000000000 +0100
@@ -1,3 +1,11 @@
+apr (1.7.2-3+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * Use 0600 perms for named shared mem consistently (CVE-2023-49582)
+ (Closes: #1080375)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Thu, 31 Oct 2024 21:08:12 +0100
+
apr (1.7.2-3) unstable; urgency=medium
* Add more fixes for atomics from upstream, in particular for
diff -Nru apr-1.7.2/debian/patches/CVE-2023-49582.patch
apr-1.7.2/debian/patches/CVE-2023-49582.patch
--- apr-1.7.2/debian/patches/CVE-2023-49582.patch 1970-01-01
01:00:00.000000000 +0100
+++ apr-1.7.2/debian/patches/CVE-2023-49582.patch 2024-10-31
21:07:08.000000000 +0100
@@ -0,0 +1,71 @@
+From: Eric Covener <cove...@apache.org>
+Date: Tue, 20 Aug 2024 21:50:42 +0000
+Subject: Merge r1920082 from 1.8.x:
+Origin:
https://github.com/apache/apr/commit/36ea6d5a2bfc480dd8032cc8651e6793552bc2aa
+Bug-Debian: https://bugs.debian.org/1080375
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-49582
+
+use 0600 perms for named shared mem consistently
+
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/apr/apr/branches/1.7.x@1920083
13f79535-47bb-0310-9956-ffa450edef68
+---
+ shmem/unix/shm.c | 18 +++++++-----------
+ 1 file changed, 7 insertions(+), 11 deletions(-)
+
+diff --git a/shmem/unix/shm.c b/shmem/unix/shm.c
+index 096884d99d50..ea9b94277b01 100644
+--- a/shmem/unix/shm.c
++++ b/shmem/unix/shm.c
+@@ -287,10 +287,9 @@ APR_DECLARE(apr_status_t) apr_shm_create(apr_shm_t **m,
+ status = APR_SUCCESS;
+
+ #if APR_USE_SHMEM_MMAP_TMP
+- /* FIXME: Is APR_OS_DEFAULT sufficient? */
+- status = apr_file_open(&file, filename,
+- APR_READ | APR_WRITE | APR_CREATE | APR_EXCL,
+- APR_OS_DEFAULT, pool);
++ status = apr_file_open(&file, filename,
++ APR_FOPEN_READ | APR_FOPEN_WRITE |
APR_FOPEN_CREATE | APR_FOPEN_EXCL,
++ APR_FPROT_UREAD | APR_FPROT_UWRITE, pool);
+ if (status != APR_SUCCESS) {
+ return status;
+ }
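Review bot: this hunk mixes the actual fix with a cosmetic rename and the description should say so: the mode argument `APR_FPROT_UREAD | APR_FPROT_UWRITE` (0600) replacing `APR_OS_DEFAULT` is the CVE-2023-49582 change, whereas swapping `APR_READ | APR_WRITE | APR_CREATE | APR_EXCL` for `APR_FOPEN_READ | APR_FOPEN_WRITE | APR_FOPEN_CREATE | APR_FOPEN_EXCL` only moves to the current spelling of the same flags (the short names are the deprecated aliases) and changes no behaviour. A sentence in the DEP-3 header or the changelog keeps the backport's real footprint clear. Separately, the mail rendering has wrapped `APR_FOPEN_CREATE | APR_FOPEN_EXCL,` onto a line without its `+` prefix, so the debdiff as pasted here does not apply cleanly; make sure the copy in the upload is unwrapped.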
+@@ -319,8 +318,7 @@ APR_DECLARE(apr_status_t) apr_shm_create(apr_shm_t **m,
+ }
+ #endif /* APR_USE_SHMEM_MMAP_TMP */
+ #if APR_USE_SHMEM_MMAP_SHM
+- /* FIXME: SysV uses 0600... should we? */
+- tmpfd = shm_open(shm_name, O_RDWR | O_CREAT | O_EXCL, 0644);
++ tmpfd = shm_open(shm_name, O_RDWR | O_CREAT | O_EXCL, 0600);
+ if (tmpfd == -1) {
+ return errno;
+ }
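Review bot: the new mode in `shm_open(shm_name, O_RDWR | O_CREAT | O_EXCL, 0600)` is only applied when the object is created (O_CREAT | O_EXCL), so a /dev/shm object that an older libapr1 already created as 0644 keeps that mode across the library upgrade until the owning service is restarted and recreates it. The changelog or the point-release notes should tell admins to restart apache2 (or check the modes under /dev/shm) rather than rely on the upgrade alone to close the hole on existing segments.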
+@@ -361,10 +359,9 @@ APR_DECLARE(apr_status_t) apr_shm_create(apr_shm_t **m,
+ #elif APR_USE_SHMEM_SHMGET
+ new_m->realsize = reqsize;
+
+- /* FIXME: APR_OS_DEFAULT is too permissive, switch to 600 I think. */
+- status = apr_file_open(&file, filename,
++ status = apr_file_open(&file, filename,
+ APR_FOPEN_WRITE | APR_FOPEN_CREATE |
APR_FOPEN_EXCL,
+- APR_OS_DEFAULT, pool);
++ APR_FPROT_UREAD | APR_FPROT_UWRITE, pool);
+ if (status != APR_SUCCESS) {
+ return status;
+ }
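Review bot: in the APR_USE_SHMEM_SHMGET branch this hunk only tightens the `apr_file_open(&file, filename, ...)` key file used to derive the segment key; the `shmget()` call that sets the mode of the SysV segment itself is outside the hunk. Please confirm it already passes 0600 (the removed comments elsewhere in this patch say "SysV uses 0600"), otherwise the CVE stays open on SHMGET builds. As in the first hunk, mail wrapping has split `APR_FOPEN_EXCL,` onto a line without a diff prefix, so check the uploaded copy.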
+@@ -555,8 +552,7 @@ APR_DECLARE(apr_status_t) apr_shm_attach(apr_shm_t **m,
+ #if APR_USE_SHMEM_MMAP_SHM
+ const char *shm_name = make_shm_open_safe_name(filename, pool);
+
+- /* FIXME: SysV uses 0600... should we? */
+- tmpfd = shm_open(shm_name, O_RDWR, 0644);
++ tmpfd = shm_open(shm_name, O_RDWR, 0600);
+ if (tmpfd == -1) {
+ return errno;
+ }
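Review bot: `shm_open(shm_name, O_RDWR, 0600)` in apr_shm_attach has no O_CREAT, so shm_open ignores the mode argument and this change is purely cosmetic; keeping it for consistency with apr_shm_create is fine, but it should not be described as closing anything on the attach path. Note also that attach opens the object O_RDWR, so any user who can read the segment can also write it: the 0600 applied at creation time is the only thing that keeps other local users out.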
+--
+2.45.2
+
diff -Nru apr-1.7.2/debian/patches/series apr-1.7.2/debian/patches/series
--- apr-1.7.2/debian/patches/series 2023-02-26 20:58:30.000000000 +0100
+++ apr-1.7.2/debian/patches/series 2024-10-31 21:07:27.000000000 +0100
@@ -12,3 +12,4 @@
python3-hashbang.patch
fix-atomics.patch
fix-atomics-some-more.patch
+CVE-2023-49582.patch
--- End Message ---
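As an added check, not code from the bug report or from apr, here is a small audit of the situation the [Impact] and [Tests] sections describe: it lists shared-memory backing files that are still readable by group or others. It assumes GNU find and stat (Linux) and that you choose the directory to scan (/dev/shm for POSIX shm_open objects, or the directory holding Apache's ScoreBoardFile).

```shell
#!/bin/sh
# Added example, not part of the bug report or of apr: audit a directory for
# shared-memory backing files that are still readable by group or others, the
# 0644 layout that CVE-2023-49582 describes. Assumes GNU find and stat (Linux).
# Typical targets: /dev/shm (POSIX shm_open objects) and the directory holding
# Apache's ScoreBoardFile; the fixed apr creates both as 0600.

# Print "<octal mode> <path>" for every regular file under $1 that has the
# group-read or other-read bit set (symbolic -perm modes start from zero).
find_lax_shm_files() {
    find "$1" -type f \( -perm -g+r -o -perm -o+r \) \
        -exec stat -c '%a %n' {} \; 2>/dev/null | sort
}

# Count such files. A non-zero result after the upgrade usually means the
# owning service has not been restarted yet: a segment created by the old
# libapr1 keeps its 0644 mode until it is removed and recreated.
count_lax_shm_files() {
    find_lax_shm_files "$1" | grep -c . || true
}

# Run directly: audit the directory given as the first argument.
if [ "$#" -gt 0 ]; then
    find_lax_shm_files "$1"
    echo "lax files: $(count_lax_shm_files "$1")"
fi
```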
--- Begin Message ---
Source: release.debian.org
Version: 12.8
Hi,
Each of the updates tracked by these bugs was included in today's 12.8
bookworm point release.
Regards,
Adam
--- End Message ---