[Pkg-mongodb-maintainers] [pkg-mongodb] 16/19: Import CVE-2016-6494.patch from 2.6

Apollon Oikonomopoulos apoikos at moszumanska.debian.org
Thu Dec 15 10:44:16 UTC 2016


This is an automated email from the git hooks/post-receive script.

apoikos pushed a commit to branch master
in repository pkg-mongodb.

commit 6ae63735dd0cea34554b09b5d36fa050f038b379
Author: Apollon Oikonomopoulos <apoikos at debian.org>
Date:   Thu Dec 15 11:56:23 2016 +0200

    Import CVE-2016-6494.patch from 2.6
    
    Git-Dch: ignore
---
 debian/patches/CVE-2016-6494.patch | 39 ++++++++++++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 2 files changed, 40 insertions(+)

diff --git a/debian/patches/CVE-2016-6494.patch b/debian/patches/CVE-2016-6494.patch
new file mode 100644
index 0000000..915e74c
--- /dev/null
+++ b/debian/patches/CVE-2016-6494.patch
@@ -0,0 +1,39 @@
+Description: prevent group and other access on .dbshell
+ Use umask on file creation and chmod on existing file load.
+Forwarded: no
+Bug-Debian: https://bugs.debian.org/832908
+Author: Laszlo Boszormenyi (GCS) <gcs at debian.org>
+Last-Update: 2016-08-04
+
+---
+
+--- a/src/mongo/shell/linenoise.cpp
++++ b/src/mongo/shell/linenoise.cpp
+@@ -105,6 +105,7 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <sys/types.h>
++#include <sys/stat.h>
+ #include <sys/ioctl.h>
+ #include <cctype>
+ #include <wctype.h>
+@@ -2765,7 +2766,10 @@
+ /* Save the history in the specified file. On success 0 is returned
+  * otherwise -1 is returned. */
+ int linenoiseHistorySave(const char* filename) {
++    mode_t old_umask;
++    old_umask = umask(S_IRWXG | S_IRWXO);
+     FILE* fp = fopen(filename, "wt");
++    umask(old_umask);
+     if (fp == NULL) {
+         return -1;
+     }
+@@ -2790,6 +2794,8 @@
+         return -1;
+     }
+ 
++    chmod(filename, 00600);
++
+     char buf[LINENOISE_MAX_LINE];
+     while (fgets(buf, LINENOISE_MAX_LINE, fp) != NULL) {
+         char* p = strchr(buf, '\r');
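Review bot: In the inner hunk at `@@ -2790,6 +2794,8 @@`, `chmod(filename, 00600);` discards its return value and resolves the path a second time after the file was presumably already opened, so a failed call silently leaves the history file readable by group and others, and the path may no longer name the file behind `fp`. Acting on the open stream avoids both problems: `if (fchmod(fileno(fp), S_IRUSR | S_IWUSR) != 0) { /* warn or return -1 */ }`. In `linenoiseHistorySave` the `umask(S_IRWXG | S_IRWXO)` call only matters when `fopen(filename, "wt")` creates the file; an existing `.dbshell` with a wider mode is truncated but keeps that mode, so the same `fchmod` after the `fp == NULL` check would make the save path self-sufficient instead of relying on the load path having run first. `umask()` is also process-wide, so a comment such as `/* umask is per-process: no other thread may create files between these two calls */` would record the assumption. The function containing the `chmod` starts outside the visible context, so its placement right after the open check is inferred.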
diff --git a/debian/patches/series b/debian/patches/series
index 83b3ee6..b23e471 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,4 @@ hardened-build.patch
 fix-gcc-6-ftbfs.patch
 fix-boost-1.60-build.patch
 fix-boost-1.62-build.patch
+CVE-2016-6494.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-mongodb/pkg-mongodb.git


