Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6
On Tue, 2020-06-16 at 10:06 +0200, Carsten Leonhardt wrote:
> Julien Cristau writes:
>
> > Control: tag -1 confirmed
> > Sorry for the delay, please go ahead.
>
> For information, I've uploaded the package some time ago and it's
> waiting in the NEW queue for FTP master review.

Thanks for the update. I've asked on IRC if an ftpmaster can have a look (it needs a master rather than an assistant, in order to get the package to appear in our review queue afterwards).

Regards,

Adam
Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6
Julien Cristau writes:

> Control: tag -1 confirmed
> Sorry for the delay, please go ahead.

For information, I've uploaded the package some time ago and it's waiting in the NEW queue for FTP master review.

Regards,

Carsten
Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6
Control: tag -1 confirmed

On Sun, Mar 04, 2018 at 11:08:00AM +0100, Carsten Leonhardt wrote:
> Control: tags -1 - moreinfo
>
> "Adam D. Barratt" writes:
>
> > - --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
> > + --oknodo --exec $DAEMON -- -g $BUSER -g $BGROUP -c $CONFIG
> >
> > The first of those "-g" is presumably supposed to be "-u". I realise
> > this may seem a small point, but it does make me wonder how it wasn't
> > caught in testing.
>
> Thank you for your work and for catching this. A new version of the
> patch is attached.
>
Sorry for the delay, please go ahead.

Cheers,
Julien
Processed: Re: Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6
Processing control commands:

> tag -1 confirmed
Bug #881871 [release.debian.org] stretch-pu: package bacula/7.4.4+dfsg-6
Added tag(s) confirmed.

--
881871: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881871
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6
Hi,

is there a chance the fixed package will be accepted? Maybe you would prefer separate fixes for the two problems?

Regards,

Carsten
Bug#881871: [pkg-bacula-devel] Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6
On 30.03.2018 18:03, Julien Cristau wrote:
> On Sun, Mar 4, 2018 at 11:08:00 +0100, Carsten Leonhardt wrote:
>
>> Control: tags -1 - moreinfo
>>
>> "Adam D. Barratt" writes:
>>
>>> - --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
>>> + --oknodo --exec $DAEMON -- -g $BUSER -g $BGROUP -c $CONFIG
>>>
>>> The first of those "-g" is presumably supposed to be "-u". I realise
>>> this may seem a small point, but it does make me wonder how it wasn't
>>> caught in testing.
>>
>> Thank you for your work and for catching this. A new version of the
>> patch is attached.
>>
> This leaves open the question of how much this was tested. Can you
> describe what has or hasn't been done there?

I tested the proposed packages in a SysV-Init-based Debian Stretch VM. I can confirm every daemon runs as the user and group it is supposed to run as.

root@debian-stretch:~# ps auwwx | grep [b]acula
root      5101  0.0  0.2  66988  5512 ?  Ssl  21:16  0:00 /usr/sbin/bacula-fd -u root -g root -c /etc/bacula/bacula-fd.conf
bacula    5175  0.0  0.2 130420  5384 ?  Ssl  21:16  0:00 /usr/sbin/bacula-sd -u bacula -g tape -c /etc/bacula/bacula-sd.conf
bacula    5403  0.0  0.3  74728  6628 ?  Ssl  21:20  0:00 /usr/sbin/bacula-dir -u bacula -g bacula -c /etc/bacula/bacula-dir.conf

root@debian-stretch:~# ps -eo pid,comm,euser,supgrp | grep [b]acula
 5101 bacula-fd       root     root
 5175 bacula-sd       bacula   tape
 5403 bacula-dir      bacula   tape,bacula

I also checked why I did not notice the problem Adam spotted in the first place. I can only guess this happened because bacula-dir fell back to running as "root" when no "-u bacula" was specified, which made all my tests work as they should (because root has obviously no restrictions). The reason for this fallback is that the Debian package does not specify a runtime user at build time. This was done in the past so that the runtime user can be chosen by the admin of the system.

But since then we changed the packaging and got rid of this ability because in reality nobody was doing this anyway and it complicated the packaging. If the runtime user were set during package build, this problem would not have occurred because the parameters -u and -g wouldn't be needed in the first place.

Regards,
Sven.
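A scripted form of the identity check Sven ran by hand above, added here as an example and not taken from the thread or from the bacula packaging: it compares the output of `ps -eo pid,comm,euser,supgrp` with a table of the user and group each daemon is expected to run as, so a daemon whose privilege drop did not happen (left running as root, the symptom of the `-g`/`-u` mix-up) is reported instead of passing unnoticed. The ps output below is constructed; the expected identities follow Sven's listing (bacula-fd as root:root, bacula-sd as bacula:tape, bacula-dir as bacula:bacula) and are assumptions to adjust to a site's own BUSER/BGROUP settings. The check is generic and works for any list of daemons, not only the three Bacula ones.

```shell
#!/bin/sh
# Added example (not from the bug thread or the bacula package): audit that
# each daemon runs under its intended user/group, the check Sven did by hand
# with `ps -eo pid,comm,euser,supgrp`.

# Expected identities, one "comm user group" triple per line. The values follow
# the listing in the thread (assumed); adjust to your BUSER/BGROUP settings.
EXPECTED='bacula-fd root root
bacula-sd bacula tape
bacula-dir bacula bacula'

# Constructed sample of `ps -eo pid,comm,euser,supgrp` output. bacula-sd is
# deliberately shown as root to mimic a daemon whose privilege drop did not
# happen (the effect of the -g/-u mix-up discussed in the thread).
SAMPLE_PS='5101 bacula-fd root root
5175 bacula-sd root tape
5403 bacula-dir bacula tape,bacula'

# check_daemon PS_OUTPUT COMM USER GROUP
# Returns 0 when the process named COMM runs with effective user USER and has
# GROUP among its supplementary groups, 1 on a mismatch, 2 when it is not running.
check_daemon() {
    ps_out=$1 name=$2 want_user=$3 want_group=$4
    line=$(printf '%s\n' "$ps_out" | awk -v n="$name" '$2 == n { print; exit }')
    if [ -z "$line" ]; then
        echo "MISSING $name: not running"
        return 2
    fi
    set -- $line            # split the ps line into: pid comm euser supgrp
    euser=$3 supgrp=$4
    if [ "$euser" != "$want_user" ]; then
        echo "BAD $name: runs as $euser, expected $want_user"
        return 1
    fi
    case ",$supgrp," in
        *",$want_group,"*) ;;
        *) echo "BAD $name: groups $supgrp do not include $want_group"; return 1 ;;
    esac
    echo "OK  $name: $euser:$supgrp"
    return 0
}

# audit_all PS_OUTPUT
# Runs check_daemon for every line of EXPECTED and returns the number of daemons
# that failed the check (0 means everything runs as intended).
audit_all() {
    ps_out=$1
    fails=0
    while read -r name user group; do
        [ -n "$name" ] || continue
        check_daemon "$ps_out" "$name" "$user" "$group" || fails=$((fails + 1))
    done <<EOF
$EXPECTED
EOF
    return "$fails"
}

# On a live system: audit_all "$(ps -eo pid,comm,euser,supgrp)"
audit_all "$SAMPLE_PS" || echo "$? daemon(s) not running with the expected identity"
```

The supplementary-group test is a substring match on the comma-separated `supgrp` column, so `bacula-dir` with `tape,bacula` passes for group `bacula`; run it from a cron job or a post-start hook of the init script and a daemon that silently stays root will show up as a `BAD` line.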
Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6
On Sun, Mar 4, 2018 at 11:08:00 +0100, Carsten Leonhardt wrote:
> Control: tags -1 - moreinfo
>
> "Adam D. Barratt" writes:
>
> > - --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
> > + --oknodo --exec $DAEMON -- -g $BUSER -g $BGROUP -c $CONFIG
> >
> > The first of those "-g" is presumably supposed to be "-u". I realise
> > this may seem a small point, but it does make me wonder how it wasn't
> > caught in testing.
>
> Thank you for your work and for catching this. A new version of the
> patch is attached.
>
This leaves open the question of how much this was tested. Can you describe what has or hasn't been done there?

Cheers,
Julien
Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6
Control: tags -1 - moreinfo "Adam D. Barratt"writes: > - --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG > + --oknodo --exec $DAEMON -- -g $BUSER -g $BGROUP -c $CONFIG > > The first of those "-g" is presumably supposed to be "-u". I realise > this may seem a small point, but it does make me wonder how it wasn't > caught in testing. Thank you for your work and for catching this. A new version of the patch is attached. Regards, Carsten diff --git a/debian/bacula-common.preinst b/debian/bacula-common.preinst index 056c2944..d0b323fa 100644 --- a/debian/bacula-common.preinst +++ b/debian/bacula-common.preinst @@ -12,6 +12,14 @@ case "$1" in echo "Ok." fi ;; + install|upgrade) + # purging bacula-director-common can mistakenly delete bacula-dir.conf + # neutralize the offending line in its postrm; see bug #880529 for details + if dpkg-query -l bacula-director-common > /dev/null 2>&1 && \ + [ -e /var/lib/dpkg/info/bacula-director-common.postrm ]; then + sed -i 's/rm -f $CONFFILE $CONFFILE.dist/#disabled: bug #880529# rm -f $CONFFILE $CONFFILE.dist/' /var/lib/dpkg/info/bacula-director-common.postrm + fi + ;; esac # dh_installdeb will replace this with shell code automatically diff --git a/debian/bacula-director.init b/debian/bacula-director.init index 8ac7c36a..89cfbe65 100644 --- a/debian/bacula-director.init +++ b/debian/bacula-director.init @@ -67,7 +67,7 @@ do_start() { if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then start-stop-daemon --start --quiet --pidfile $PIDFILE \ - --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG + --oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG return 0 else log_progress_msg "- the configtest" diff --git a/debian/bacula-fd.init b/debian/bacula-fd.init index 649b9cc1..698e4ea3 100644 --- a/debian/bacula-fd.init +++ b/debian/bacula-fd.init 
@@ -54,7 +54,7 @@ do_start() { if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then start-stop-daemon --start --quiet --pidfile $PIDFILE \ - --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG + --oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG return 0 else log_progress_msg "- the configtest" diff --git a/debian/bacula-sd.init b/debian/bacula-sd.init index 47c3d07d..8559f335 100644 --- a/debian/bacula-sd.init +++ b/debian/bacula-sd.init @@ -51,9 +51,9 @@ PIDFILE=/run/bacula/$NAME.$PORT.pid do_start() { - if $DAEMON -g $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then + if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then start-stop-daemon --start --quiet --pidfile $PIDFILE \ - --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG + --oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG return 0 else log_progress_msg "- the configtest" diff --git a/debian/changelog b/debian/changelog index d0a4ac54..81b0627a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,21 @@ +bacula (7.4.4+dfsg-6+deb9u1) stretch; urgency=medium + + [Sven Hartge] + * Let PID files be owned by root. Mitigates a minor security problem +similar to CVE 2017-14610. Note that this change disables automatic +tracebacks. + + [Carsten Leonhardt] + * Added transitional package bacula-director-common, the old leftover +package can't be safely purged otherwise (it deletes +/etc/bacula/bacula-dir.conf in postrm which now belongs to the +bacula-director package). For the case when the package +bacula-director-common is deinstalled but not purged, we neutralize +the offending postrm script when upgrading bacula-common. (Closes: +#880529) + + -- Carsten Leonhardt Wed, 15 Nov 2017 22:55:15 +0100 + bacula (7.4.4+dfsg-6) unstable; urgency=medium [Sven Hartge] diff --git a/debian/control b/debian/control index 19418610..7c310185 100644 --- a/debian/control +++ b/debian/control 
@@ -357,3 +357,13 @@ Description: network backup service - Bacula Administration Tool . This GUI interface has been designed to ease restore operations as much as possible as compared to the basic text console. + +Package: bacula-director-common +Section: oldlibs +Architecture: any +Pre-Depends: ${misc:Pre-Depends} +Depends: + bacula-common (= ${binary:Version}), + ${misc:Depends} +Description: transitional package + This is a transitional package. It can safely be removed. diff --git a/debian/patches/non-forking-systemd-units.patch b/debian/patches/non-forking-systemd-units.patch index 636c9153..03cdabd7 100644 --- a/debian/patches/non-forking-systemd-units.patch +++ b/debian/patches/non-forking-systemd-units.patch @@ -20,13 +20,13 @@ Author: Sven Hartge -PIDFile=@piddir@/bacula-dir.@dir_port@.pid -ExecReload=@sbindir@/bacula-dir -t -c @sysconfdir@/bacula-dir.conf +Type=simple -+User=bacula -+Group=bacula ++User=root ++Group=root
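Review bot: the sed in the new `install|upgrade)` branch of debian/bacula-common.preinst is not idempotent: the pattern `rm -f $CONFFILE $CONFFILE.dist` still matches the rewritten line `#disabled: bug #880529# rm -f $CONFFILE $CONFFILE.dist`, so every later upgrade of bacula-common prepends another `#disabled: bug #880529# ` marker. Anchor the match at the start of the line (e.g. `s/^\([[:space:]]*\)rm -f \$CONFFILE/\1#disabled: bug #880529# rm -f $CONFFILE/`) or skip the edit when `grep -q '#disabled: bug #880529#'` already finds the marker, so the file is rewritten once; the `[ -e /var/lib/dpkg/info/bacula-director-common.postrm ]` test already implies the package is known to dpkg, so the `dpkg-query -l` call adds nothing.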
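Review bot: in the bacula-director.init and bacula-fd.init hunks, removing `--chuid $BUSER:$BGROUP` means start-stop-daemon now execs the daemon as root and the privilege drop rests entirely on bacula's own handling of `-u $BUSER -g $BGROUP`. That is the intent (the PID file is created before the drop and so ends up root-owned), but the changelog entry only says "Let PID files be owned by root"; add a sentence that the init scripts deliberately no longer use `--chuid` and why, otherwise the next person to touch the script will be tempted to put it back.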
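Review bot: the bacula-sd.init hunk changes two lines, not one: besides the start line it turns the configtest `if $DAEMON -g $BUSER -g $BGROUP -t -c $CONFIG` into `-u $BUSER -g $BGROUP -t -c $CONFIG`. That corrects a pre-existing typo that passed the user name to `-g`, is independent of the PID-file change, and deserves its own changelog line; as written the changelog does not mention bacula-sd at all.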
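Review bot: in the debian/changelog hunk, write the identifier in its canonical form `CVE-2017-14610` rather than `CVE 2017-14610`; tooling that scans changelogs for CVE references matches the hyphenated form. The trailer date (Wed, 15 Nov 2017) also predates the March 2018 revisions of this patch; refresh it with `dch -r` before upload.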
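Review bot: the debian/patches/non-forking-systemd-units.patch hunk switches the director unit to `+User=root` / `+Group=root` but is cut off before the unit's ExecStart line, so it is not visible whether the unit now passes `-u bacula -g bacula`, the systemd counterpart of the `-u $BUSER -g $BGROUP` added to the init scripts. Please show or confirm that line: with `User=root` and no `-u`/`-g` on the command line the director would run as root for its whole lifetime instead of only until the PID file is written.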
Processed: Re: Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6
Processing control commands:

> tags -1 - moreinfo
Bug #881871 [release.debian.org] stretch-pu: package bacula/7.4.4+dfsg-6
Removed tag(s) moreinfo.

--
881871: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881871
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#881871: [pkg-bacula-devel] Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6
On 03.03.2018 14:34, Adam D. Barratt wrote:
> On Mon, 2018-02-26 at 13:14 +0100, Carsten Leonhardt wrote:
>> here is a new version of the patch. I now additionally let
>> bacula-common.preinst check for the existence of
>> bacula-director-common.postrm and comment out the offending line if
>> found (first chunk in the diff). I chose to use bacula-common because it
>> is depended upon by all other bacula packages.
>>
>> I've also amended the text in the changelog, otherwise the rest of the
>> patch is the same as the previous version.
>
> - --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
> + --oknodo --exec $DAEMON -- -g $BUSER -g $BGROUP -c $CONFIG
>
> The first of those "-g" is presumably supposed to be "-u". I realise
> this may seem a small point, but it does make me wonder how it wasn't
> caught in testing.

This is embarrassing. You are of course right. I am sorry. Must have been a copy'n'waste error on my part.

I'll prepare a fix for Sid and Stretch at once.

As to why this has not been caught during testing, I need to investigate. I have a suspicion but I need to confirm it first.

Regards,
Sven.
Bug#881871: [pkg-bacula-devel] Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6
On 03.03.2018 15:17, Sven Hartge wrote:
> On 03.03.2018 14:34, Adam D. Barratt wrote:
>> The first of those "-g" is presumably supposed to be "-u". I realise
>> this may seem a small point, but it does make me wonder how it wasn't
>> caught in testing.
>
> This is embarrassing. You are of course right. I am sorry. Must have
> been a copy'n'waste error on my part.
>
> I'll prepare a fix for Sid and Stretch at once.

I have pushed a fix to the master and stretch branches.

> As to why this has not been caught during testing, I need to investigate. I
> have a suspicion but I need to confirm it first.

My suspicion was not true, but it shows an error in my testing procedure. It seems I only tested the systemd path and not the SysV-init one.

Regards,
Sven.
Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6
Control: tags -1 + moreinfo

On Mon, 2018-02-26 at 13:14 +0100, Carsten Leonhardt wrote:
> here is a new version of the patch. I now additionally let
> bacula-common.preinst check for the existence of
> bacula-director-common.postrm and comment out the offending line if
> found (first chunk in the diff). I chose to use bacula-common because it
> is depended upon by all other bacula packages.
>
> I've also amended the text in the changelog, otherwise the rest of the
> patch is the same as the previous version.

- --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
+ --oknodo --exec $DAEMON -- -g $BUSER -g $BGROUP -c $CONFIG

The first of those "-g" is presumably supposed to be "-u". I realise this may seem a small point, but it does make me wonder how it wasn't caught in testing.

Regards,

Adam
Processed: Re: Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6
Processing control commands:

> tags -1 + moreinfo
Bug #881871 [release.debian.org] stretch-pu: package bacula/7.4.4+dfsg-6
Added tag(s) moreinfo.

--
881871: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881871
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6
Hi, here is a new version of the patch. I now additionally let bacula-common.preinst check for the existence of bacula-director-common.postrm and comment out the offending line if found (first chunk in the diff). I chose to use bacula-common because it is depended upon by all other bacula packages. I've also amended the text in the changelog, otherwise the rest of the patch is the same as the previous version. The patch is also viewable at https://salsa.debian.org/bacula-team/bacula/compare/debian%2F7.4.4+dfsg-6...stretch Thanks, Carsten diff --git a/debian/bacula-common.preinst b/debian/bacula-common.preinst index 056c2944..d0b323fa 100644 --- a/debian/bacula-common.preinst +++ b/debian/bacula-common.preinst @@ -12,6 +12,14 @@ case "$1" in echo "Ok." fi ;; + install|upgrade) + # purging bacula-director-common can mistakenly delete bacula-dir.conf + # neutralize the offending line in its postrm; see bug #880529 for details + if dpkg-query -l bacula-director-common > /dev/null 2>&1 && \ + [ -e /var/lib/dpkg/info/bacula-director-common.postrm ]; then + sed -i 's/rm -f $CONFFILE $CONFFILE.dist/#disabled: bug #880529# rm -f $CONFFILE $CONFFILE.dist/' /var/lib/dpkg/info/bacula-director-common.postrm + fi + ;; esac # dh_installdeb will replace this with shell code automatically diff --git a/debian/bacula-director.init b/debian/bacula-director.init index 8ac7c36a..89cfbe65 100644 --- a/debian/bacula-director.init +++ b/debian/bacula-director.init @@ -67,7 +67,7 @@ do_start() { if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then start-stop-daemon --start --quiet --pidfile $PIDFILE \ - --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG + --oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG return 0 else log_progress_msg "- the configtest" diff --git a/debian/bacula-fd.init b/debian/bacula-fd.init index 649b9cc1..698e4ea3 100644 --- a/debian/bacula-fd.init +++ b/debian/bacula-fd.init 
@@ -54,7 +54,7 @@ do_start() { if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then start-stop-daemon --start --quiet --pidfile $PIDFILE \ - --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG + --oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG return 0 else log_progress_msg "- the configtest" diff --git a/debian/bacula-sd.init b/debian/bacula-sd.init index 47c3d07d..e3863840 100644 --- a/debian/bacula-sd.init +++ b/debian/bacula-sd.init @@ -53,7 +53,7 @@ do_start() { if $DAEMON -g $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then start-stop-daemon --start --quiet --pidfile $PIDFILE \ - --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG + --oknodo --exec $DAEMON -- -g $BUSER -g $BGROUP -c $CONFIG return 0 else log_progress_msg "- the configtest" diff --git a/debian/changelog b/debian/changelog index d0a4ac54..81b0627a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,21 @@ +bacula (7.4.4+dfsg-6+deb9u1) stretch; urgency=medium + + [Sven Hartge] + * Let PID files be owned by root. Mitigates a minor security problem +similar to CVE 2017-14610. Note that this change disables automatic +tracebacks. + + [Carsten Leonhardt] + * Added transitional package bacula-director-common, the old leftover +package can't be safely purged otherwise (it deletes +/etc/bacula/bacula-dir.conf in postrm which now belongs to the +bacula-director package). For the case when the package +bacula-director-common is deinstalled but not purged, we neutralize +the offending postrm script when upgrading bacula-common. (Closes: +#880529) + + -- Carsten LeonhardtWed, 15 Nov 2017 22:55:15 +0100 + bacula (7.4.4+dfsg-6) unstable; urgency=medium [Sven Hartge] diff --git a/debian/control b/debian/control index 19418610..7c310185 100644 --- a/debian/control +++ b/debian/control 
@@ -357,3 +357,13 @@ Description: network backup service - Bacula Administration Tool . This GUI interface has been designed to ease restore operations as much as possible as compared to the basic text console. + +Package: bacula-director-common +Section: oldlibs +Architecture: any +Pre-Depends: ${misc:Pre-Depends} +Depends: + bacula-common (= ${binary:Version}), + ${misc:Depends} +Description: transitional package + This is a transitional package. It can safely be removed. diff --git a/debian/patches/non-forking-systemd-units.patch b/debian/patches/non-forking-systemd-units.patch index 636c9153..03cdabd7 100644 --- a/debian/patches/non-forking-systemd-units.patch +++ b/debian/patches/non-forking-systemd-units.patch @@ -20,13 +20,13 @@ Author: Sven Hartge -PIDFile=@piddir@/bacula-dir.@dir_port@.pid -ExecReload=@sbindir@/bacula-dir -t -c @sysconfdir@/bacula-dir.conf +Type=simple -+User=bacula -+Group=bacula ++User=root ++Group=root +Environment="CONFIG=/etc/bacula/bacula-dir.conf" +EnvironmentFile=-/etc/default/bacula-dir
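Review bot: the bacula-sd.init hunk still carries the typo from the earlier revision in its `+` line, `--oknodo --exec $DAEMON -- -g $BUSER -g $BGROUP -c $CONFIG`; the first `-g` should be `-u`, as the director and fd hunks have it. The unchanged context line above it, `if $DAEMON -g $BUSER -g $BGROUP -t -c $CONFIG`, has the same mistake in the configtest, so the hunk should correct both lines rather than leave the configtest passing the user name as a group.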
Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6
Julien Cristau writes:
> On 01/15/2018 08:32 AM, Carsten Leonhardt wrote:
>> Julien Cristau writes:
>>
>>> Control: tag -1 moreinfo
>>>
>>> On Thu, Nov 16, 2017 at 00:02:29 +0100, Carsten Leonhardt wrote:
>>>
>>>> 2) Bug #880529: When updating from jessie to stretch, the package
>>>> "bacula-director-common" will be removed, but the postrm will stay
>>>> around. Upon purging this package, postrm unconditionally removes the
>>>> main bacula configuration file /etc/bacula/bacula-dir.conf, leaving
>>>> bacula unusable. We fix this by introducing a transitional package that
>>>> can then be safely removed.
>>>>
>>> It sounds like this won't solve the issue for anyone who has already
>>> upgraded but hasn't yet purged bacula-director-common. Couldn't
>>> bacula-director's postinst neuter the old postrm instead?
>>
>> Are you sure? I'd say that these people will get the upgrade to the
>> transitional package and this will remove the old postrm.
>>
> How would they get an update to a removed package? (Yes, I'm pretty sure.)

I see your point now. My proposed solution only helps people that still have the package installed. I'll work on a better solution.

Regards,

Carsten
Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6
On 01/15/2018 08:32 AM, Carsten Leonhardt wrote:
> Julien Cristau writes:
>
>> Control: tag -1 moreinfo
>>
>> On Thu, Nov 16, 2017 at 00:02:29 +0100, Carsten Leonhardt wrote:
>>
>>> 2) Bug #880529: When updating from jessie to stretch, the package
>>> "bacula-director-common" will be removed, but the postrm will stay
>>> around. Upon purging this package, postrm unconditionally removes the
>>> main bacula configuration file /etc/bacula/bacula-dir.conf, leaving
>>> bacula unusable. We fix this by introducing a transitional package that
>>> can then be safely removed.
>>>
>> It sounds like this won't solve the issue for anyone who has already
>> upgraded but hasn't yet purged bacula-director-common. Couldn't
>> bacula-director's postinst neuter the old postrm instead?
>
> Are you sure? I'd say that these people will get the upgrade to the
> transitional package and this will remove the old postrm.
>
How would they get an update to a removed package? (Yes, I'm pretty sure.)

Cheers,
Julien
Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6
Julien Cristau writes:
> Control: tag -1 moreinfo
>
> On Thu, Nov 16, 2017 at 00:02:29 +0100, Carsten Leonhardt wrote:
>
>> 2) Bug #880529: When updating from jessie to stretch, the package
>> "bacula-director-common" will be removed, but the postrm will stay
>> around. Upon purging this package, postrm unconditionally removes the
>> main bacula configuration file /etc/bacula/bacula-dir.conf, leaving
>> bacula unusable. We fix this by introducing a transitional package that
>> can then be safely removed.
>>
> It sounds like this won't solve the issue for anyone who has already
> upgraded but hasn't yet purged bacula-director-common. Couldn't
> bacula-director's postinst neuter the old postrm instead?

Are you sure? I'd say that these people will get the upgrade to the transitional package and this will remove the old postrm.

Regards,

Carsten
Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6
Control: tag -1 moreinfo

On Thu, Nov 16, 2017 at 00:02:29 +0100, Carsten Leonhardt wrote:
> 2) Bug #880529: When updating from jessie to stretch, the package
> "bacula-director-common" will be removed, but the postrm will stay
> around. Upon purging this package, postrm unconditionally removes the
> main bacula configuration file /etc/bacula/bacula-dir.conf, leaving
> bacula unusable. We fix this by introducing a transitional package that
> can then be safely removed.
>
It sounds like this won't solve the issue for anyone who has already upgraded but hasn't yet purged bacula-director-common. Couldn't bacula-director's postinst neuter the old postrm instead?

Cheers,
Julien
Processed: Re: Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6
Processing control commands:

> tag -1 moreinfo
Bug #881871 [release.debian.org] stretch-pu: package bacula/7.4.4+dfsg-6
Added tag(s) moreinfo.

--
881871: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881871
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6
Hi,

is there anything else I can do to help this into the next stable update? Or at least only one of the changes?

Regards,

Carsten
Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6
Hi,

> 2) Bug #880529: When updating from jessie to stretch, the package
> "bacula-director-common" will be removed, but the postrm will stay
> around. Upon purging this package, postrm unconditionally removes the
> main bacula configuration file /etc/bacula/bacula-dir.conf, leaving
> bacula unusable. We fix this by introducing a transitional package that
> can then be safely removed.

I just noticed that I left out a detail that might help understand the problem: the configuration file used to be owned by the package "bacula-director-common", but ownership moved to the new package "bacula-director".

Regards,

Carsten
Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi, we would like to fix the following two problems in stable: 1 ) The bacula packages are vulnerable to a security problem similar to CVE 2017-14610 (PID files not owned by root). On the downside this change disables a bacula feature that permits automatic tracebacks on a crash. I've mailed the security team about this, they recommended a stable update. 2) Bug #880529: When updating from jessie to stretch, the package "bacula-director-common" will be removed, but the postrm will stay around. Upon purging this package, postrm unconditionally removes the main bacula configuration file /etc/bacula/bacula-dir.conf, leaving bacula unusable. We fix this by introducing a transitional package that can then be safely removed. Regards, Carsten -- System Information: Debian Release: 9.2 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'oldstable-updates'), (500, 'oldoldstable'), (500, 'stable'), (500, 'oldstable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init) diff -Nru bacula-7.4.4+dfsg/debian/bacula-director.init bacula-7.4.4+dfsg/debian/bacula-director.init --- bacula-7.4.4+dfsg/debian/bacula-director.init 2017-02-26 13:39:25.0 +0100 +++ bacula-7.4.4+dfsg/debian/bacula-director.init 2017-11-15 22:55:15.0 +0100 
@@ -67,7 +67,7 @@ { if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then start-stop-daemon --start --quiet --pidfile $PIDFILE \ - --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG + --oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG return 0 else log_progress_msg "- the configtest" diff -Nru bacula-7.4.4+dfsg/debian/bacula-fd.init bacula-7.4.4+dfsg/debian/bacula-fd.init --- bacula-7.4.4+dfsg/debian/bacula-fd.init 2017-02-26 13:39:25.0 +0100 +++ bacula-7.4.4+dfsg/debian/bacula-fd.init 2017-11-15 22:55:15.0 +0100 @@ -54,7 +54,7 @@ { if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then start-stop-daemon --start --quiet --pidfile $PIDFILE \ - --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG + --oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG return 0 else log_progress_msg "- the configtest" diff -Nru bacula-7.4.4+dfsg/debian/bacula-sd.init bacula-7.4.4+dfsg/debian/bacula-sd.init --- bacula-7.4.4+dfsg/debian/bacula-sd.init 2017-02-26 13:39:25.0 +0100 +++ bacula-7.4.4+dfsg/debian/bacula-sd.init 2017-11-15 22:55:15.0 +0100 @@ -53,7 +53,7 @@ { if $DAEMON -g $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then start-stop-daemon --start --quiet --pidfile $PIDFILE \ - --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG + --oknodo --exec $DAEMON -- -g $BUSER -g $BGROUP -c $CONFIG return 0 else log_progress_msg "- the configtest" diff -Nru bacula-7.4.4+dfsg/debian/changelog bacula-7.4.4+dfsg/debian/changelog --- bacula-7.4.4+dfsg/debian/changelog 2017-02-26 13:39:25.0 +0100 +++ bacula-7.4.4+dfsg/debian/changelog 2017-11-15 22:55:15.0 +0100 
@@ -1,3 +1,17 @@ +bacula (7.4.4+dfsg-6+deb9u1) stretch; urgency=medium + + [Sven Hartge] + * Let PID files be owned by root. Mitigates a minor security problem +similar to CVE 2017-14610. Note that this change disables automatic +tracebacks. + + [ Carsten Leonhardt ] + * Added transitional package bacula-director-common, the old leftover +package can't be safely purged otherwise (it deletes +/etc/bacula/bacula-dir.conf in postrm) (Closes: #880529) + + -- Carsten LeonhardtWed, 15 Nov 2017 22:55:15 +0100 + bacula (7.4.4+dfsg-6) unstable; urgency=medium [Sven Hartge] diff -Nru bacula-7.4.4+dfsg/debian/control bacula-7.4.4+dfsg/debian/control --- bacula-7.4.4+dfsg/debian/control 2017-02-26 13:39:25.0 +0100 +++ bacula-7.4.4+dfsg/debian/control 2017-11-15 22:55:15.0 +0100 @@ -357,3 +357,13 @@ . This GUI interface has been designed to ease restore operations as much as possible as compared to the basic text console. + +Package: bacula-director-common +Section: oldlibs +Architecture: any +Pre-Depends: ${misc:Pre-Depends} +Depends: + bacula-common (= ${binary:Version}), + ${misc:Depends} +Description: transitional package + This is a transitional package. It can safely be removed. diff -Nru bacula-7.4.4+dfsg/debian/patches/non-forking-systemd-units.patch bacula-7.4.4+dfsg/debian/patches/non-forking-systemd-units.patch --- bacula-7.4.4+dfsg/debian/patches/non-forking-systemd-units.patch 2017-02-26 13:39:25.0 +0100 +++ bacula-7.4.4+dfsg/debian/patches/non-forking-systemd-units.patch 2017-11-15 22:55:15.0 +0100 @@ -20,13 +20,13 @@ -PIDFile=@piddir@/bacula-dir.@dir_port@.pid
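Review bot: in the bacula-sd.init hunk the new line `--oknodo --exec $DAEMON -- -g $BUSER -g $BGROUP -c $CONFIG` passes the user name to `-g`; the director and fd hunks use `-u $BUSER -g $BGROUP`, which is what is meant here too. The context line `if $DAEMON -g $BUSER -g $BGROUP -t -c $CONFIG` shows the configtest already had the same typo before this patch, so correct that line in the same hunk instead of leaving it.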
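Review bot: the changelog entry says the transitional bacula-director-common package makes the leftover package safe to purge, but a transitional package is only ever installed on systems where the old package is still installed. A system on which bacula-director-common was already removed without being purged keeps the old postrm under /var/lib/dpkg/info, and its `rm -f` of /etc/bacula/bacula-dir.conf is not neutralized by anything in this patch; that case needs handling from a maintainer script of a package that is still upgraded.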