Your message dated Tue, 02 Oct 2012 21:08:04 +0100
with message-id <1349208484.14024.17.ca...@jacala.jungle.funky-badger.org>
and subject line Re: Bug#689390: unblock: spice-gtk/0.12-5
has caused the Debian Bug report #689390,
regarding unblock: spice-gtk/0.12-5
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
689390: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689390
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package spice-gtk. It fixes a root security hole via GDBus
(#689155), by correctly sanitizing the environment in a setuid helper
before doing anything non-trivial.
This is basically the same flaw as the one mitigated by #689070 in dbus,
but with GDBus instead of libdbus, and fixing it in the setuid program
rather than second-guessing it in the library.
unblock spice-gtk/0.12-5
-- System Information:
Debian Release: wheezy/sid
APT prefers testing-proposed-updates
APT policy: (500, 'testing-proposed-updates'), (500, 'unstable'), (500,
'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diffstat for spice-gtk-0.12 spice-gtk-0.12
changelog | 6 ++
patches/clearenv-in-usb-acl-helper.patch | 64 +++++++++++++++++++++++++++++++
patches/series | 1
3 files changed, 71 insertions(+)
diff -Nru spice-gtk-0.12/debian/changelog spice-gtk-0.12/debian/changelog
--- spice-gtk-0.12/debian/changelog 2012-07-08 18:20:26.000000000 +0100
+++ spice-gtk-0.12/debian/changelog 2012-10-01 14:31:41.000000000 +0100
@@ -1,3 +1,9 @@
+spice-gtk (0.12-5) unstable; urgency=high
+
+ * Add patch clearenv-in-usb-acl-helper.patch (Closes: #689155)
+
+ -- Liang Guo <guoli...@debian.org> Mon, 01 Oct 2012 21:30:21 +0800
+
spice-gtk (0.12-4) unstable; urgency=low
* Correct version problem in *.pc (Closes: #680290)
diff -Nru spice-gtk-0.12/debian/patches/clearenv-in-usb-acl-helper.patch spice-gtk-0.12/debian/patches/clearenv-in-usb-acl-helper.patch
--- spice-gtk-0.12/debian/patches/clearenv-in-usb-acl-helper.patch 1970-01-01 01:00:00.000000000 +0100
+++ spice-gtk-0.12/debian/patches/clearenv-in-usb-acl-helper.patch 2012-10-01 14:29:38.000000000 +0100
@@ -0,0 +1,64 @@
+Author: Colin Walters <walt...@verbum.org>
+Origin: upstream, commit:efbf867bb88845d5edf839550b54494b1bb752b9
+Date: Fri, 14 Sep 2012 09:21:28 +0000
+Subject: usb-acl-helper: Clear environment
+
+Otherwise we can be subject to attack via environment variables such
+as DBUS_SYSTEM_BUS_ADDRESS.
+This addresses CVE-2012-4425 http://seclists.org/oss-sec/2012/q3/470
+--- a/configure.ac
++++ b/configure.ac
+@@ -256,6 +256,8 @@
+ EXTERNAL_PNP_IDS="$with_pnp_ids_path"
+ fi
+
++AC_CHECK_FUNCS(clearenv)
++
+ PKG_CHECK_MODULES(GLIB2, glib-2.0 >= 2.22)
+ AC_SUBST(GLIB2_CFLAGS)
+ AC_SUBST(GLIB2_LIBS)
+--- a/gtk/spice-client-glib-usb-acl-helper.c
++++ b/gtk/spice-client-glib-usb-acl-helper.c
+@@ -158,7 +158,8 @@
+ if (state == STATE_WAITING_FOR_STDIN_EOF)
+ set_facl(path, getuid(), 0);
+
+- g_main_loop_quit(loop);
++ if (loop)
++ g_main_loop_quit(loop);
+ }
+
+ /* Not available in polkit < 0.101 */
+@@ -311,11 +312,32 @@
+ }
+ #endif
+
++#ifndef HAVE_CLEARENV
++extern char **environ;
++
++static int
++clearenv (void)
++{
++ if (environ != NULL)
++ environ[0] = NULL;
++ return 0;
++}
++#endif
++
+ int main(void)
+ {
+ pid_t parent_pid;
+ GInputStream *stdin_unix_stream;
+
++ /* Nuke the environment to get a well-known and sanitized
++ * environment to avoid attacks via e.g. the DBUS_SYSTEM_BUS_ADDRESS
++ * environment variable and similar.
++ */
++ if (clearenv () != 0) {
++ FATAL_ERROR("Error clearing environment: %s\n", g_strerror (errno));
++ return 1;
++ }
++
+ g_type_init();
+
+ loop = g_main_loop_new(NULL, FALSE);
diff -Nru spice-gtk-0.12/debian/patches/series spice-gtk-0.12/debian/patches/series
--- spice-gtk-0.12/debian/patches/series 2012-06-28 18:15:40.000000000 +0100
+++ spice-gtk-0.12/debian/patches/series 2012-10-01 14:19:27.000000000 +0100
@@ -2,3 +2,4 @@
fix-parsing-uri-query.patch
fix-spice-audio-binding.patch
make-celt-to-be-optional.patch
+clearenv-in-usb-acl-helper.patch
--- End Message ---
--- Begin Message ---
On Tue, 2012-10-02 at 08:13 +0100, Simon McVittie wrote:
> Please unblock package spice-gtk. It fixes a root security hole via GDBus
> (#689155), by correctly sanitizing the environment in a setuid helper
> before doing anything non-trivial.
>
> This is basically the same flaw as the one mitigated by #689070 in dbus,
> but with GDBus instead of libdbus, and fixing it in the setuid program
> rather than second-guessing it in the library.
Unblocked; thanks.
Regards,
Adam
--- End Message ---