Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

Hi!

Moritz from the security team brought to the attention of the cinnamon team that cinnamon-settings-daemon in stable contains a minor security issue that has already been fixed in upstream.

This issue doesn't warrant a DSA, as it's only a circumvention of policykit restrictions, but it would be good to fix it in a future point release.

I'm attaching the debdiff between the version currently in stable and the proposed package for the point release.

Thanks!

-- System Information:
Debian Release: 8.2
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_AR.UTF-8, LC_CTYPE=es_AR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru cinnamon-settings-daemon-2.2.4.repack/debian/changelog cinnamon-settings-daemon-2.2.4.repack/debian/changelog --- cinnamon-settings-daemon-2.2.4.repack/debian/changelog 2014-10-25 16:14:33.000000000 +0200 +++ cinnamon-settings-daemon-2.2.4.repack/debian/changelog 2016-03-18 20:32:16.000000000 +0100 @@ -1,3 +1,10 @@ +cinnamon-settings-daemon (2.2.4.repack-7+deb8u1) stable; urgency=medium + + * Add debian/patches/csd-datetime-polkit-auth to fix a minor security bug. + http://www.openwall.com/lists/oss-security/2015/10/28/3 + + -- Margarita Manterola <ma...@debian.org> Fri, 18 Mar 2016 20:13:36 +0100 + cinnamon-settings-daemon (2.2.4.repack-7) unstable; urgency=medium [ Fabio Fantoni ] diff -Nru cinnamon-settings-daemon-2.2.4.repack/debian/patches/csd-datetime-polkit-auth cinnamon-settings-daemon-2.2.4.repack/debian/patches/csd-datetime-polkit-auth --- cinnamon-settings-daemon-2.2.4.repack/debian/patches/csd-datetime-polkit-auth 1970-01-01 01:00:00.000000000 +0100 +++ cinnamon-settings-daemon-2.2.4.repack/debian/patches/csd-datetime-polkit-auth 2016-03-18 20:32:16.000000000 +0100 
@@ -0,0 +1,21 @@ +Description: csd-datetime forgets to authorize users +Author: https://github.com/leigh123linux +Origin: upstream, ac5e0be8c1817616dbdb056b6881cfc4660f57a8 +Bug: http://www.openwall.com/lists/oss-security/2015/10/28/3 +Last-Update: 2016-03-14 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: cinnamon-settings-daemon/plugins/datetime/csd-datetime-mechanism.c +=================================================================== +--- cinnamon-settings-daemon.orig/plugins/datetime/csd-datetime-mechanism.c 2016-03-14 20:18:33.588428169 +0100 ++++ cinnamon-settings-daemon/plugins/datetime/csd-datetime-mechanism.c 2016-03-14 20:26:56.302535208 +0100 +@@ -354,6 +354,9 @@ + int exit_status; + GError *error; + ++ if (!_check_polkit_for_action (mechanism, context)) ++ return FALSE; ++ + date_str = g_strdup_printf ("%02d/%02d/%d", month, day, year); + error = NULL; + diff -Nru cinnamon-settings-daemon-2.2.4.repack/debian/patches/series cinnamon-settings-daemon-2.2.4.repack/debian/patches/series --- cinnamon-settings-daemon-2.2.4.repack/debian/patches/series 2014-10-25 16:14:33.000000000 +0200 +++ cinnamon-settings-daemon-2.2.4.repack/debian/patches/series 2016-03-18 20:32:16.000000000 +0100 @@ -2,3 +2,4 @@ power-manager-upower-0.99-support calculator-mediakey.patch enable-3finger-tap.patch +csd-datetime-polkit-auth
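
Review bot: the new debian/changelog entry (hunk @@ -1,3 +1,10 @@) describes the change only as "fix a minor security bug", so a reader of the point-release changelog has to follow the oss-security link to learn what was wrong. Suggest naming the defect in the entry itself, using the wording already in the patch header ("csd-datetime forgets to authorize users"), and stating that the fix adds the missing polkit check.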
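
Review bot: in debian/patches/csd-datetime-polkit-auth, the embedded hunk at @@ -354,6 +354,9 @@ adds the `_check_polkit_for_action (mechanism, context)` guard to a single function, the one that builds `date_str` from month, day and year, and the context lines show neither the function name nor whether the other privileged methods in csd-datetime-mechanism.c already carry the same guard. Please confirm that against the 2.2.4 source before upload, and confirm that `_check_polkit_for_action` itself completes the D-Bus call on `context` when authorization is denied, because the added path returns FALSE without touching `context`. In the DEP-3 header of the same file, Author holds a GitHub profile URL and Origin holds a bare commit hash; DEP-3 expects the author's name in Author and a URL to the upstream commit in Origin.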