Hi David On Thu, Jan 10, 2013 at 10:16:35AM +0000, David Weber wrote: > > Hi David > > > > On Mon, Jan 07, 2013 at 09:06:53AM +0000, David Weber wrote: > > > > Attached is the debdiff contianing these three refreshed for the > > > > version in unstable and testing. But I'm not yet ready to propose a > > > > NMU. Testing of the resulting package is welcome! > > > > > > Thanks for the debdiff! > > > > > > It works as expected: It creates the files with the right > > > permissions without breaking functionality. > > > > > > A problem could be that the files aren't freshly created by a simple > > > restart of the daemon. Should something be done about that? > > > > > > Some options could be: > > > - Notify the user to stop libvirtd and sanlock and run > > > rm /var/run/sanlock/sanlock.sock; rm /var/log/sanlock.log > > > > > > - Change the file permissions through the package update > > > > > > - Do nothing because most likely nobody uses sanlock on Debain atm. > > > > I have not a final answer here, but it might be easy to implement like > > libvirt-bin does in postint, mabye only conditionally checking (so > > doing it during package update from a 'broken' version): > > > > [...] > > if ! dpkg-statoverride --list "/var/log/sanlock.log" >/dev/null 2>&1; then > > # fix permissions > > fi > > [...] > > > > and the same for /var/run/sanlock/sanlock.sock. > > Great hint. I modified the patch in that way and also added the > fix for #689696
Btw, after thinking about further on it: As both /var/log/sanlock.log and /var/run/sanlock/sanlock.sock are not files installed by the package, I think the check with dpkg-statoverride is in this case wrong! Sorry about the wrong suggestion. So I think it's best to remove this again. Regarding the second: I suggest to include in this upload only fixes compliant with the freeze policy: [1]: http://release.debian.org/wheezy/freeze_policy.html (but I have not looked if #689696 can be considered RC). +sanlock (2.2-1.1) unstable; urgency=low + + * Fix CVE-2012-5638 sanlock world writable /var/log/sanlock.log. Thanks to Salvatore Bonaccorso (Closes: #696424) ^^^^ would wrap this line + Add patches cherry-picked from git repository: + - 0001-sanlock-remove-umask-0.patch + - 0001-sanlock-use-lockfile-mode-644.patch + - 0001-wdmd-use-lockfile-mode-644.patch + * Replace restrict field name (Closes: #689696) + Add patche cherry.picked from git repository: ^^^^^ s{patche}{patch} and s{cherry.picked}{cherry picked} Again thanks for your work! Regards, Salvatore
signature.asc
Description: Digital signature