[SCM] pulseaudio packaging branch, master, updated. debian/0.9.21-1-1-gaf4eee6

sjoerd at users.alioth.debian.org sjoerd at users.alioth.debian.org
Sun Jun 27 11:58:45 UTC 2010 

The branch, master has been updated
       via  af4eee664385b7dd63211820e4bbc59440638e69 (commit)
      from  fecca4aafb3cc71df8cef682e5a2f6ffbe9776b0 (commit)


- Shortlog ------------------------------------------------------------
af4eee6 Import changes from pulseaudio NMUs

Summary of changes:
 debian/changelog                        |   16 ++++++
 debian/control                          |    2 +-
 debian/patches/0002-CVE-2009-1299.patch |   80 +++++++++++++++++++++++++++++++
 debian/patches/series                   |    1 +
 4 files changed, 98 insertions(+), 1 deletions(-)
-----------------------------------------------------------------------
Details of changes:

commit af4eee664385b7dd63211820e4bbc59440638e69
Author: Sjoerd Simons <sjoerd at debian.org>
Date:   Sun Jun 27 12:58:37 2010 +0100

    Import changes from pulseaudio NMUs

diff --git a/debian/changelog b/debian/changelog
index 0fadae0..124c3c2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,19 @@
+pulseaudio (0.9.21-1.2) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Added autoconf, automake, and libtool in Build-Depends to regenerate
+    configure and auto* files at build time, and fixed a regression introduced
+    in previous NMU (Closes: #576457)
+
+ -- Giuseppe Iuculano <iuculano at debian.org>  Mon, 05 Apr 2010 23:02:56 +0200
+
+pulseaudio (0.9.21-1.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Fix insecure temporary file creation security issue (closes: #573615).
+
+ -- Michael Gilbert <michael.s.gilbert at gmail.com>  Sat, 27 Mar 2010 14:32:13 -0400
+
 pulseaudio (0.9.21-1) unstable; urgency=low
 
   * New upstream release
diff --git a/debian/control b/debian/control
index 61c0f50..530ea86 100644
--- a/debian/control
+++ b/debian/control
@@ -16,7 +16,7 @@ Build-Depends: debhelper (>= 5), cdbs, quilt, m4, libltdl-dev (>= 2.2.6a-2),
     libatomic-ops-dev, libspeexdsp-dev (>= 1.2~rc1),
     libbluetooth-dev (>= 4.40) [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386],
     libgdbm-dev, intltool, libgtk2.0-dev, libxtst-dev,
-    libssl-dev
+    libssl-dev, autoconf, automake, libtool
 Standards-Version: 3.8.1
 Vcs-Git: git://git.debian.org/git/pkg-pulseaudio/pulseaudio.git
 Vcs-Browser: http://git.debian.org/?p=pkg-pulseaudio/pulseaudio.git
diff --git a/debian/patches/0002-CVE-2009-1299.patch b/debian/patches/0002-CVE-2009-1299.patch
new file mode 100644
index 0000000..38c69dc
--- /dev/null
+++ b/debian/patches/0002-CVE-2009-1299.patch
@@ -0,0 +1,80 @@
+# From d3efa43d85ac132c6a5a416a2b6f2115f5d577ee Mon Sep 17 00:00:00 2001
+# From: Kees Cook <kees at ubuntu.com>
+# Date: Tue, 2 Mar 2010 21:33:34 -0800
+# Subject: [PATCH] core-util: ensure that we chmod only the dir we ourselves created
+diff --git a/configure.ac b/configure.ac
+index 1b80788..abcce13 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -424,7 +424,7 @@ AC_CHECK_FUNCS_ONCE([lrintf strtof])
+ AC_FUNC_FORK
+ AC_FUNC_GETGROUPS
+ AC_FUNC_SELECT_ARGTYPES
+-AC_CHECK_FUNCS_ONCE([chmod chown clock_gettime getaddrinfo getgrgid_r getgrnam_r \
++AC_CHECK_FUNCS_ONCE([chmod chown fstat fchown fchmod clock_gettime getaddrinfo getgrgid_r getgrnam_r \
+     getpwnam_r getpwuid_r gettimeofday getuid inet_ntop inet_pton mlock nanosleep \
+     pipe posix_fadvise posix_madvise posix_memalign setpgid setsid shm_open \
+     sigaction sleep sysconf pthread_setaffinity_np])
+diff --git a/src/pulsecore/core-util.c b/src/pulsecore/core-util.c
+index d6017b9..a642553 100644
+--- a/src/pulsecore/core-util.c
++++ b/src/pulsecore/core-util.c
+@@ -199,7 +199,7 @@ void pa_make_fd_cloexec(int fd) {
+ /** Creates a directory securely */
+ int pa_make_secure_dir(const char* dir, mode_t m, uid_t uid, gid_t gid) {
+     struct stat st;
+-    int r, saved_errno;
++    int r, saved_errno, fd;
+ 
+     pa_assert(dir);
+ 
+@@ -217,16 +217,45 @@ int pa_make_secure_dir(const char* dir, mode_t m, uid_t uid, gid_t gid) {
+     if (r < 0 && errno != EEXIST)
+         return -1;
+ 
+-#ifdef HAVE_CHOWN
++#ifdef HAVE_FSTAT
++    if ((fd = open(dir,
++#ifdef O_CLOEXEC
++                   O_CLOEXEC|
++#endif
++#ifdef O_NOCTTY
++                   O_NOCTTY|
++#endif
++#ifdef O_NOFOLLOW
++                   O_NOFOLLOW|
++#endif
++                   O_RDONLY)) < 0)
++        goto fail;
++
++    if (fstat(fd, &st) < 0) {
++        pa_assert_se(pa_close(fd) >= 0);
++        goto fail;
++    }
++
++    if (!S_ISDIR(st.st_mode)) {
++        pa_assert_se(pa_close(fd) >= 0);
++        errno = EEXIST;
++        goto fail;
++    }
++
++#ifdef HAVE_FCHOWN
+     if (uid == (uid_t)-1)
+         uid = getuid();
+     if (gid == (gid_t)-1)
+         gid = getgid();
+-    (void) chown(dir, uid, gid);
++    (void) fchown(fd, uid, gid);
++#endif
++
++#ifdef HAVE_FCHMOD
++    (void) fchmod(fd, m);
+ #endif
+ 
+-#ifdef HAVE_CHMOD
+-    chmod(dir, m);
++    pa_assert_se(pa_close(fd) >= 0);
++
+ #endif
+ 
+ #ifdef HAVE_LSTAT
diff --git a/debian/patches/series b/debian/patches/series
index 9d0a131..1098f92 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001-Work-around-some-platforms-not-having-O_CLOEXEC.patch
+0002-CVE-2009-1299.patch

-- 
pulseaudio packaging

More information about the pkg-pulseaudio-devel mailing list