[Pkg-mongodb-maintainers] [pkg-mongodb] 394/394: Imported Debian patch 1:2.6.12-3

Apollon Oikonomopoulos apoikos at moszumanska.debian.org
Wed Sep 21 14:00:42 UTC 2016


This is an automated email from the git hooks/post-receive script.

apoikos pushed a commit to branch master
in repository pkg-mongodb.

commit 402ee1e323460d728680dbd80abd6d905d2f83af
Author: Laszlo Boszormenyi (GCS) <gcs at debian.org>
Date:   Mon Aug 8 21:56:32 2016 +0000

    Imported Debian patch 1:2.6.12-3
---
 debian/changelog                   |  7 +++++++
 debian/patches/CVE-2016-6494.patch | 39 ++++++++++++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 3 files changed, 47 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index b9e2ce9..268e7ea 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+mongodb (1:2.6.12-3) unstable; urgency=high
+
+  * Fix CVE-2016-6494 , prevent group and other access to .dbshell
+    (closes: #832908).
+
+ -- Laszlo Boszormenyi (GCS) <gcs at debian.org>  Mon, 08 Aug 2016 21:56:32 +0000
+
 mongodb (1:2.6.12-2) unstable; urgency=medium
 
   * Do not use tcmalloc on ppc64el (fixes FTBFS on ppc64el).
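Review bot: The new changelog entry has a stray space before the comma in "Fix CVE-2016-6494 , prevent group and other access"; it should read "Fix CVE-2016-6494, prevent ...". The entry would also be easier to audit if it named the file carrying the fix (debian/patches/CVE-2016-6494.patch), as the ppc64el entry below names its cause.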
diff --git a/debian/patches/CVE-2016-6494.patch b/debian/patches/CVE-2016-6494.patch
new file mode 100644
index 0000000..b04e7ff
--- /dev/null
+++ b/debian/patches/CVE-2016-6494.patch
@@ -0,0 +1,39 @@
+Description: prevent group and other access on .dbshell
+ Use umask on file creation and chmod on existing file load.
+Forwarded: no
+Bug-Debian: https://bugs.debian.org/832908
+Author: Laszlo Boszormenyi (GCS) <gcs at debian.org>
+Last-Update: 2016-08-04
+
+---
+
+--- mongodb-2.4.10.orig/src/mongo/shell/linenoise.cpp
++++ mongodb-2.4.10/src/mongo/shell/linenoise.cpp
+@@ -103,6 +103,7 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <sys/types.h>
++#include <sys/stat.h>
+ #include <sys/ioctl.h>
+ #include <cctype>
+ #include <wctype.h>
+@@ -2626,7 +2627,10 @@ int linenoiseHistorySetMaxLen( int len )
+ /* Save the history in the specified file. On success 0 is returned
+  * otherwise -1 is returned. */
+ int linenoiseHistorySave( const char* filename ) {
++    mode_t old_umask;
++    old_umask = umask(S_IRWXG | S_IRWXO);
+     FILE* fp = fopen( filename, "wt" );
++    umask(old_umask);
+     if ( fp == NULL ) {
+         return -1;
+     }
+@@ -2651,6 +2655,8 @@ int linenoiseHistoryLoad( const char* fi
+         return -1;
+     }
+ 
++    chmod(filename, 00600);
++
+     char buf[LINENOISE_MAX_LINE];
+     while ( fgets( buf, LINENOISE_MAX_LINE, fp ) != NULL ) {
+         char* p = strchr( buf, '\r' );
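Review bot: In linenoiseHistoryLoad, `chmod(filename, 00600)` works on the path after the stream is already open, and its return value is ignored. `fchmod(fileno(fp), S_IRUSR | S_IWUSR)` would tighten the file that is actually being read, and would not follow a path that was replaced between the open and the chmod. In linenoiseHistorySave, the umask()/fopen()/umask() sequence briefly changes the process-wide mask, which affects any other thread creating files at that moment, and the umask only applies when the file is created: if .dbshell already exists with group or other bits set, fopen with "wt" truncates it and keeps the old mode, so the save path relies on a later load to correct it. Opening with `open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0600)`, followed by `fchmod` and `fdopen`, would cover both the new and the pre-existing file without touching the umask. Two header points: the inner diff paths say mongodb-2.4.10 while this upload is 1:2.6.12-3, and with `Forwarded: no` the fix should also be sent upstream.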
diff --git a/debian/patches/series b/debian/patches/series
index c34c600..965e722 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -12,3 +12,4 @@ fix-yaml-detection.patch
 add-option-to-disable-javascript.patch
 hardened-build.patch
 fix-gcc-6-ftbfs.patch
+CVE-2016-6494.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-mongodb/pkg-mongodb.git


