[Secure-testing-team] Bug#523476: pptp-linux: pptpsetup permissions

Ola Lundqvist ola at inguza.com
Tue Apr 28 04:54:13 UTC 2009


Hi Moritz

This is the patch:

--- pptp-linux-1.7.2.orig/pptpsetup
+++ pptp-linux-1.7.2/pptpsetup
@@ -168,11 +168,14 @@
     # backup
     rename( $chap_file, "$chap_file.bkp" );
 
+    my $umask_save = umask();
+    umask 0077;
     # write new chap-secrets
     open( FILE, ">$chap_file" )
         or die "$0: can't write '$chap_file': $!\n";
     print FILE $new_chap;
     close FILE;
+    umask $umask_save;
 
     exit;
 }
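Review bot: The `umask 0077` before the open only protects the file that open creates; the backup made by `rename( $chap_file, "$chap_file.bkp" );` at the top of the hunk keeps whatever mode the old file had, so a chap-secrets that was previously written with looser permissions leaves a readable `.bkp` holding the same secrets. Consider a `chmod 0600, "$chap_file.bkp"` after the rename. The return value of rename should also be checked, because if the rename fails and the old file is still in place, the open truncates the existing file and the umask does not change its mode. A smaller point: restoring `umask $umask_save;` right before `exit;` has no effect on anything that runs afterwards. Creating the file with sysopen and an explicit 0600 mode would avoid changing the process umask at all.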

I have uploaded a corrected version to unstable with this fix. It is the
only fix in that package compared to the version in stable. I used high
severity in order to get it into testing as soon as possible. I have also
made sure that it works well by reproducing the problem and testing it.

Uploading to ftp-master (via ftp to ftp.upload.debian.org):
  pptp-linux_1.7.2-3.dsc: done.
  pptp-linux_1.7.2-3.diff.gz: done.
  pptp-linux_1.7.2-3_i386.deb: done.
  pptp-linux_1.7.2-3_i386.changes: done.
Successfully uploaded packages.
Not running dinstall.

Best regards,

// Ola

On Sun, Apr 26, 2009 at 10:17:16AM +0200, Moritz Muehlenhoff wrote:
> On Sun, Apr 12, 2009 at 06:56:34PM +0200, Ola Lundqvist wrote:
> > Hi Michael
> > It is a problem on Debian. I have successfully reproduced the problem.
> > 
> > The fix was very easy, just to add a chmod 600 /etc/ppp/chap-secrets.
> > I have uploaded a fixed package to unstable now.
> > 
> > I agree that it is not a critical bug but I think it is worth a DSA for this,
> > so I'm cc:ing the security team about this.
> > 
> > The corrected package is pptp-linux_1.7.2-2 and this is the only fix in
> > that package compared to stable.
> 
> Could you please fix this through a stable point update for Lenny?
> 
> The best way to do that is to send the proposed debdiff to
> debian-release at lists.debian.org with [stable] in the subject, so that the
> stable release managers can review it.
> 
> Cheers,
>         Moritz
> 

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola at inguza.com                    Annebergsslingan 37        \
|  opal at debian.org                   654 65 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------


