[pkg-firebird-general] Bug#768298: unblock: firebird2.5/2.5.3.26778.ds4-3

Damyan Ivanov dmn at debian.org
Thu Nov 6 10:47:25 UTC 2014


Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock

Please unblock package firebird2.5

Version 2.5.3.26778.ds4-3 fixes a bug (#767497) where a file under 
/var/run/firebird/2.5 is created world-writable. The containing directory is 
created with stricter permissions (0770 firebird:firebird), but still a 
world-writable file under /var/run is quite disturbing.

unblock firebird2.5/2.5.3.26778.ds4-3

The debdiff since 2.5.3.26778.ds4-2 (in jessie) is below. The 
debian/patches/out/fb_guard-lock-permissions.patch is also available at 
http://anonscm.debian.org/cgit/pkg-firebird/2.5.git/tree/debian/patches/out/fb_guard-lock-permissions.patch 


Thanks,
    dam

$ debdiff firebird2.5_2.5.3.26778.ds4-{2,3}.dsc
diff -Nru firebird2.5-2.5.3.26778.ds4/debian/changelog firebird2.5-2.5.3.26778.ds4/debian/changelog
--- firebird2.5-2.5.3.26778.ds4/debian/changelog        2014-07-30 10:57:50.000000000 +0300
+++ firebird2.5-2.5.3.26778.ds4/debian/changelog        2014-11-02 00:28:56.000000000 +0200
@@ -1,3 +1,12 @@
+firebird2.5 (2.5.3.26778.ds4-3) unstable; urgency=medium
+
+  * add patch tightening fb_guard lock file permissions (Closes: #767497)
+    Thanks to Holger Levsen
+  * -super.postinst: tighten permissions on existing fbguard lock file
+  * declare conformance with Policy 3.9.6
+
+ -- Damyan Ivanov <dmn at debian.org>  Sat, 01 Nov 2014 22:27:16 +0000
+
 firebird2.5 (2.5.3.26778.ds4-2) unstable; urgency=medium
 
   * fix arm64 build by uncommenting one more place where arm64 support is
diff -Nru firebird2.5-2.5.3.26778.ds4/debian/control firebird2.5-2.5.3.26778.ds4/debian/control
--- firebird2.5-2.5.3.26778.ds4/debian/control  2014-05-29 09:21:43.000000000 +0300
+++ firebird2.5-2.5.3.26778.ds4/debian/control  2014-11-02 00:27:40.000000000 +0200
@@ -19,7 +19,7 @@
  po-debconf,
  procmail,
 Build-Conflicts: autoconf2.13, automake1.4
-Standards-Version: 3.9.5
+Standards-Version: 3.9.6
 Vcs-Git: git://anonscm.debian.org/pkg-firebird/2.5.git
 Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-firebird/2.5.git;a=summary
 Homepage: http://firebirdsql.org/
diff -Nru firebird2.5-2.5.3.26778.ds4/debian/firebird2.5-super.postinst firebird2.5-2.5.3.26778.ds4/debian/firebird2.5-super.postinst
--- firebird2.5-2.5.3.26778.ds4/debian/firebird2.5-super.postinst       2014-06-19 08:16:56.000000000 +0300
+++ firebird2.5-2.5.3.26778.ds4/debian/firebird2.5-super.postinst       2014-11-02 00:27:06.000000000 +0200
@@ -46,6 +46,10 @@
         checkFirebirdAccount
 
         firebird_config_postinst
+
+        if [ -f "$RUN/fb_guard" ]; then
+            chmod 0660 "$RUN/fb_guard"
+        fi
     ;;
 
     *)
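Review bot: The `[ -f "$RUN/fb_guard" ]` test in the added block follows symbolic links, and so does `chmod`, so root would change the mode of whatever regular file a link named fb_guard resolves to. The containing directory is writable by firebird:firebird, so consider also requiring `[ ! -L "$RUN/fb_guard" ]` before the chmod. The definition of $RUN is outside the visible lines; it is worth confirming that it is always set to the 2.5 runtime directory when this branch runs.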
diff -Nru firebird2.5-2.5.3.26778.ds4/debian/patches/out/fb_guard-lock-permissions.patch firebird2.5-2.5.3.26778.ds4/debian/patches/out/fb_guard-lock-permissions.patch
--- firebird2.5-2.5.3.26778.ds4/debian/patches/out/fb_guard-lock-permissions.patch      1970-01-01 02:00:00.000000000 +0200
+++ firebird2.5-2.5.3.26778.ds4/debian/patches/out/fb_guard-lock-permissions.patch      2014-11-02 00:27:06.000000000 +0200
@@ -0,0 +1,29 @@
+Description: Tighten permissions of fbguard lock file
+ Creating a worls-writable file is a bad idea, even if it currently lives
+ in a directory restricted for read/write/use to firebird:firebird
+Author: Damyan Ivanov <dmn at debian.org>
+Forwarded: http://tracker.firebirdsql.org/browse/CORE-4595
+Bug-Debian: https://bugs.debian.org/767497
+
+--- a/src/utilities/guard/guard.cpp
++++ b/src/utilities/guard/guard.cpp
+@@ -146,7 +146,7 @@ int CLIB_ROUTINE main( int argc, char **
+       }
+ 
+       // get and set the umask for the current process
+-      const ULONG new_mask = 0000;
++      const ULONG new_mask = 0007;
+       const ULONG old_mask = umask(new_mask);
+ 
+       // exclusive lock the file
+--- a/src/utilities/guard/util.cpp
++++ b/src/utilities/guard/util.cpp
+@@ -253,7 +253,7 @@ int UTIL_ex_lock(const TEXT* file)
+       Firebird::PathName expanded_filename = fb_utils::getPrefix(fb_utils::FB_DIR_GUARD, file);
+ 
+       // file fd for the opened and locked file
+-      int fd_file = open(expanded_filename.c_str(), O_RDWR | O_CREAT, 0666);
++      int fd_file = open(expanded_filename.c_str(), O_RDWR | O_CREAT, 0660);
+       if (fd_file == -1)
+       {
+               fprintf(stderr, "Could not open %s for write\n", expanded_filename.c_str());
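Review bot: In UTIL_ex_lock the 0660 passed to open() is only applied when O_CREAT actually creates the file, so a lock file left over with the old 0666 mode keeps that mode. The postinst chmod covers this for the Debian package, but since the patch is forwarded upstream (CORE-4595), an `fchmod(fd_file, 0660)` after the `fd_file == -1` check would make the fix self-contained. In guard.cpp the new umask of 0007 already strips the "other" bits, so the two changes overlap for this file; that is reasonable as defence in depth, and a short comment saying so would help the next reader. The restore of old_mask is not in the visible context, so please confirm the 0007 mask does not stay in effect longer than intended. Minor: "worls-writable" in the Description should read "world-writable".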
diff -Nru firebird2.5-2.5.3.26778.ds4/debian/patches/series firebird2.5-2.5.3.26778.ds4/debian/patches/series
--- firebird2.5-2.5.3.26778.ds4/debian/patches/series   2014-07-28 10:36:31.000000000 +0300
+++ firebird2.5-2.5.3.26778.ds4/debian/patches/series   2014-11-01 22:53:09.000000000 +0200
@@ -12,3 +12,4 @@
 link_atomic_ops.patch
 #ignore-collation-version.patch
 out/spelling.patch
+out/fb_guard-lock-permissions.patch


