Your message dated Sat, 09 Dec 2017 10:47:53 +0000
with message-id <[email protected]>
and subject line Closing bugs for updates included in jessie point release
has caused the Debian Bug report #876630,
regarding jessie-pu: package db5.3/5.3.28-9+deb8u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
876630: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876630
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu
Hi stable release managers,
db5.3 in jessie is affected by the CVE-2017-10140 ("Berkeley DB reads
DB_CONFIG from cwd)", #872436. The NMU to unstable back on end of
august has not raised any regression reports we would be aware of. We
though think it's still safer to have it via point release and have it
for a short time exposed as well via proposed-updates (once, and if
accepted).
The changelog reads as:
>db5.3 (5.3.28-9+deb8u1) jessie; urgency=medium
>
> * Non-maintainer upload.
> * CVE-2017-10140: Reads DB_CONFIG from the current working directory.
> Do not access DB_CONFIG when db_home is not set. (Closes: #872436)
>
> -- Salvatore Bonaccorso <[email protected]> Sun, 24 Sep 2017 09:54:22 +0200
Attached ist the full proposed debdiff.
Regards,
Salvatore
diff -Nru db5.3-5.3.28/debian/changelog db5.3-5.3.28/debian/changelog
--- db5.3-5.3.28/debian/changelog 2014-12-31 08:57:45.000000000 +0100
+++ db5.3-5.3.28/debian/changelog 2017-09-24 09:54:22.000000000 +0200
@@ -1,3 +1,11 @@
+db5.3 (5.3.28-9+deb8u1) jessie; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2017-10140: Reads DB_CONFIG from the current working directory.
+ Do not access DB_CONFIG when db_home is not set. (Closes: #872436)
+
+ -- Salvatore Bonaccorso <[email protected]> Sun, 24 Sep 2017 09:54:22 +0200
+
db5.3 (5.3.28-9) unstable; urgency=medium
* Bump required debhelper version to 9.20141221~ to it correctly set
diff -Nru db5.3-5.3.28/debian/patches/CVE-2017-10140-cwd-db_config.patch
db5.3-5.3.28/debian/patches/CVE-2017-10140-cwd-db_config.patch
--- db5.3-5.3.28/debian/patches/CVE-2017-10140-cwd-db_config.patch
1970-01-01 01:00:00.000000000 +0100
+++ db5.3-5.3.28/debian/patches/CVE-2017-10140-cwd-db_config.patch
2017-09-24 09:54:22.000000000 +0200
@@ -0,0 +1,23 @@
+Description: CVE-2017-10140: Reads DB_CONFIG from the current working directory
+ Do not access DB_CONFIG when db_home is not set.
+Origin: vendor,
https://src.fedoraproject.org/rpms/libdb/raw/8047fa8580659fcae740c25e91b490539b8453eb/f/db-5.3.28-cwd-db_config.patch
+Bug-Debian: https://bugs.debian.org/872436
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10140
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464032
+Bug-SuSE: https://bugzilla.novell.com/show_bug.cgi?id=1043886
+Forwarded: no
+Author: Petr Kubat <[email protected]>
+Reviewed-by: Salvatore Bonaccorso <[email protected]>
+Last-Update: 2017-08-17
+
+--- db-5.3.28/src/env/env_open.c.old 2017-06-26 10:32:11.011419981 +0200
++++ db-5.3.28/src/env/env_open.c 2017-06-26 10:32:46.893721233 +0200
+@@ -473,7 +473,7 @@
+ env->db_mode = mode == 0 ? DB_MODE_660 : mode;
+
+ /* Read the DB_CONFIG file. */
+- if ((ret = __env_read_db_config(env)) != 0)
++ if (env->db_home != NULL && (ret = __env_read_db_config(env)) != 0)
+ return (ret);
+
+ /*
diff -Nru db5.3-5.3.28/debian/patches/series db5.3-5.3.28/debian/patches/series
--- db5.3-5.3.28/debian/patches/series 2014-12-31 08:57:45.000000000 +0100
+++ db5.3-5.3.28/debian/patches/series 2017-09-24 09:54:22.000000000 +0200
@@ -6,3 +6,4 @@
007-link-sql-libs.patch
mmap_extend-mode-requires-page-aligned-extends.patch
008-autoconf-in-lang-sql-sqlite.patch
+CVE-2017-10140-cwd-db_config.patch
--- End Message ---
--- Begin Message ---
Version: 8.10
Hi,
Each of the updates referenced in these bugs was included in this
morning's jessie point release. Thanks!
Regards,
Adam
--- End Message ---
