Your message dated Tue, 13 May 2014 18:19:00 +0000
with message-id <[email protected]>
and subject line Bug#745112: fixed in obnam 1.8-1
has caused the Debian Bug report #745112,
regarding data leak during restore
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
745112: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745112
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: obnam
Version: 1.7.4-1
Severity: normal
Tags: security
Imagine obnam restore running on a live system. Perhaps root is
kindly restoring to /home/user/deleted-files-restored-from-yesterday/
on a multi-user system, where /home/user does not have locked down
permissions, so other users can cd to that directory.
It looks to me like obnam restores each file by
1. opening a new file, using the default umask
2. writing the file's content
3. restoring the file's owner and permissions
So, it seems there is a race between 2 and 3, where a file from the
backup that is not world-readable may be readable during the restore.
Note that I have not verified this to be the case, so obnam could
perhaps be doing something smart in step 1 to avoid it.
There may also be a wider race involving the permissions of restored
directories. I'm not sure.
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.10-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages obnam depends on:
ii libc6 2.18-4
ii python 2.7.5-5
ii python-cliapp 1.20140315-1
ii python-fuse 2:0.2.1-9
ii python-larch 1.20131130-1
ii python-paramiko 1.10.1-1
ii python-tracing 0.8-1
ii python-ttystatus 0.23-1
obnam recommends no packages.
obnam suggests no packages.
-- no debconf information
--
see shy jo
--- End Message ---
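The ordering the report describes, reproduced as an added example (my code, not obnam's and not the reporter's): a racy restore that creates the file under the default umask and only then chmods, beside a hardened ordering that creates the file owner-only and widens permissions on the descriptor after the content is written. The `observe` callback stands in for another user stat'ing the file between the write and the chmod; POSIX semantics and a 022 umask are assumed.

```python
import os
import stat
import tempfile

def restore_racy(path, data, mode, observe):
    """Sequence from the bug report: create with the default umask,
    write the content, then restore the stored permissions.
    Between the write and the chmod the file carries 0o666 & ~umask
    (0o644 under umask 022), so a 0o600 file from the backup is
    world-readable for a moment. Returns the mode seen in that window."""
    with open(path, "wb") as f:          # created as 0o666 & ~umask
        f.write(data)
    seen = observe(path)                 # window: content present, wide mode
    os.chmod(path, mode)
    return seen

def restore_safe(path, data, mode, observe):
    """Hardened ordering (assumed fix, not obnam's own code): create
    owner-only and O_EXCL so no pre-existing file or symlink at the
    path is reused, write, then widen to the stored mode on the open
    descriptor only once the content is fully in place."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, data)
        seen = observe(path)             # still 0o600 here
        os.fchmod(fd, mode)
    finally:
        os.close(fd)
    return seen

def perm_bits(path):
    """Permission bits of `path` without following symlinks."""
    return stat.S_IMODE(os.lstat(path).st_mode)

def demo(restore_fn):
    """Restore one 0o600 file with constructed content under umask 022
    and return (mode seen during the window, final mode)."""
    old = os.umask(0o022)                # the usual interactive default
    try:
        with tempfile.TemporaryDirectory() as d:
            p = os.path.join(d, "secret.txt")
            seen = restore_fn(p, b"constructed sample content\n", 0o600, perm_bits)
            return seen, perm_bits(p)
    finally:
        os.umask(old)

if __name__ == "__main__":
    print("racy:", tuple(oct(m) for m in demo(restore_racy)))  # ('0o644', '0o600')
    print("safe:", tuple(oct(m) for m in demo(restore_safe)))  # ('0o600', '0o600')
```

The same ordering applies to the directory race the report mentions: create each directory 0o700, populate it, and chmod it to the stored mode last.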
--- Begin Message ---
Source: obnam
Source-Version: 1.8-1
We believe that the bug you reported is fixed in the latest version of
obnam, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Lars Wirzenius <[email protected]> (supplier of updated obnam package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Tue, 13 May 2014 08:04:18 +0100
Source: obnam
Binary: obnam
Architecture: amd64 i386 source
Version: 1.8-1
Distribution: unstable
Urgency: low
Maintainer: Lars Wirzenius <[email protected]>
Changed-By: Lars Wirzenius <[email protected]>
Closes: 675825 682667 745112
Description:
obnam - online and disk-based backup application
Changes:
obnam (1.8-1) unstable; urgency=low
.
* New upstream version.
- "obnam excludes files with "syslog" in the name without me
specifying it" (Closes: #682667)
- "obnam: client not found, but cannot remove lock" (Closes: #675825)
- "data leak during restore" (Closes: #745112)
--- End Message ---