[Python-modules-commits] r18230 - in packages/pyro/trunk/debian (8 files)

lfaraone at users.alioth.debian.org lfaraone at users.alioth.debian.org
Sun Aug 21 23:22:12 UTC 2011 

    Date: Sunday, August 21, 2011 @ 23:22:11
  Author: lfaraone
Revision: 18230

* New upstream release
    - /usr/bin/pyro-rns was removed by upstream
* SECURITY UPDATE: arbitrary file overwriting via symlink (Closes: #631912,
  LP: #830742)
    - store pidfile in /var/run instead of /tmp
    - Pyro/ext/daemonizer.py changed default location to /var/run
    - Pyro/ext/daemonizer.py added command-line parameter (--pidfile=...) to
      override default pidfile location
    - default location for pidfile is tunable via /etc/default/pyro-nsd
    - CVE-2011-2765 

Added:
  packages/pyro/trunk/debian/patches/
  packages/pyro/trunk/debian/patches/pidfile_path.patch
  packages/pyro/trunk/debian/patches/series
Modified:
  packages/pyro/trunk/debian/NEWS.Debian
  packages/pyro/trunk/debian/changelog
  packages/pyro/trunk/debian/pyro.install
  packages/pyro/trunk/debian/pyro.pyro-nsd.default
  packages/pyro/trunk/debian/pyro.pyro-nsd.init

Modified: packages/pyro/trunk/debian/NEWS.Debian
===================================================================
--- packages/pyro/trunk/debian/NEWS.Debian	2011-08-21 21:33:38 UTC (rev 18229)
+++ packages/pyro/trunk/debian/NEWS.Debian	2011-08-21 23:22:11 UTC (rev 18230)
@@ -1,3 +1,14 @@
+pyro (1:3.14-1) unstable; urgency=high
+
+  Changed default location for pidfile from /tmp/nsd.pid to 
+  /var/run/pyro-nsd.pid for security reasons.
+  
+  If you need to restore the previous behavior, the pyro-nsd binary now
+  accepts a new parameter: --pidfile=...
+  This parameter can be set system-wide through the /etc/default/pyro-nsd file.
+
+ -- Gustavo Goretkin  <gustavo.goretkin at gmail.com>  Sun, 21 Aug 2011 18:44:37 -0400
+
 pyro (3.7-1) unstable; urgency=low
 
  * Since version 3.7-1 the Debian package follows upstream's change in

Modified: packages/pyro/trunk/debian/changelog
===================================================================
--- packages/pyro/trunk/debian/changelog	2011-08-21 21:33:38 UTC (rev 18229)
+++ packages/pyro/trunk/debian/changelog	2011-08-21 23:22:11 UTC (rev 18230)
@@ -1,3 +1,18 @@
+pyro (1:3.14-1) unstable; urgency=high
+
+  * New upstream release
+      - /usr/bin/pyro-rns was removed by upstream
+  * SECURITY UPDATE: arbitrary file overwriting via symlink (Closes: #631912,
+    LP: #830742)
+      - store pidfile in /var/run instead of /tmp
+      - Pyro/ext/daemonizer.py changed default location to /var/run
+      - Pyro/ext/daemonizer.py added command-line parameter (--pidfile=...) to
+        override default pidfile location
+      - default location for pidfile is tunable via /etc/default/pyro-nsd
+      - CVE-2011-2765 
+
+ -- Gustavo Goretkin <gustavo.goretkin at gmail.com>  Sun, 21 Aug 2011 16:04:00 -0400
+
 pyro (1:3.9.1-2) unstable; urgency=low
 
   [Carl Chenet]

Added: packages/pyro/trunk/debian/patches/pidfile_path.patch
===================================================================
--- packages/pyro/trunk/debian/patches/pidfile_path.patch	                        (rev 0)
+++ packages/pyro/trunk/debian/patches/pidfile_path.patch	2011-08-21 23:22:11 UTC (rev 18230)
@@ -0,0 +1,42 @@
+Description: CVE-2011-2765: fix for arbitrary file overwriting via symlink
+The upstream version stores the pidfile in /tmp/nmd.pid which allows arbitrary
+file overwriting via symlink. Now, the default location for pidfile is 
+/var/run/. The default can be overriden by passing -pidfile=/path/to/file to
+daemon init script
+
+Author: Gustavo Goretkin <gustavo.goretkin at gmail.com>
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631912
+Forwarded: yes
+Reviewed-By: Obey Arthur Liu <arthur at milliways.fr>, Luke Faraone <lfaraone at debian.org>
+Last-Update: 2011-08-21
+
+--- pyro-3.14.orig/Pyro/ext/daemonizer.py
++++ pyro-3.14/Pyro/ext/daemonizer.py
+@@ -47,7 +47,9 @@ class Daemonizer:
+     """
+     def __init__(self, pidfile=None):
+         if not pidfile:
+-            self.pidfile = "/tmp/%s.pid" % self.__class__.__name__.lower()
++            # PID file moved out of /tmp to avoid security vulnerability
++            # changed by Debian maintainer per Debian bug #631912
++            self.pidfile = "/var/run/pyro-%s.pid" % self.__class__.__name__.lower()
+         else:
+             self.pidfile = pidfile
+ 
+@@ -121,12 +123,16 @@ class Daemonizer:
+ 
+     def process_command_line(self, argv, verbose=1):
+         usage = "usage:  %s  start | stop | restart | status | debug " \
++                "[--pidfile=...] " \
+                 "(run as non-daemon)" % os.path.basename(argv[0])
+         if len(argv) < 2:
+             print usage
+             raise SystemExit
+         else:
+             operation = argv[1]
++            if len(argv) > 2 and argv[2].startswith('--pidfile=') and \
++                len(argv[2]) > len('--pidfile='):
++                self.pidfile = argv[2][len('--pidfile='):]
+         pid = self.get_pid()
+         if operation == 'status':
+             if self.is_process_running():

Added: packages/pyro/trunk/debian/patches/series
===================================================================
--- packages/pyro/trunk/debian/patches/series	                        (rev 0)
+++ packages/pyro/trunk/debian/patches/series	2011-08-21 23:22:11 UTC (rev 18230)
@@ -0,0 +1 @@
+pidfile_path.patch

Modified: packages/pyro/trunk/debian/pyro.install
===================================================================
--- packages/pyro/trunk/debian/pyro.install	2011-08-21 21:33:38 UTC (rev 18229)
+++ packages/pyro/trunk/debian/pyro.install	2011-08-21 23:22:11 UTC (rev 18230)
@@ -2,7 +2,6 @@
 usr/bin/pyro-genguid 
 usr/bin/pyro-ns 
 usr/bin/pyro-nsc 
-usr/bin/pyro-rns 
 usr/bin/pyro-esd 
 usr/bin/pyro-nsd
 usr/lib/python*/*-packages/*

Modified: packages/pyro/trunk/debian/pyro.pyro-nsd.default
===================================================================
--- packages/pyro/trunk/debian/pyro.pyro-nsd.default	2011-08-21 21:33:38 UTC (rev 18229)
+++ packages/pyro/trunk/debian/pyro.pyro-nsd.default	2011-08-21 23:22:11 UTC (rev 18230)
@@ -4,5 +4,6 @@
 ENABLED=0
 
 # Options to pass to pyro-nsd
+# available: "--pidfile=..."
 OPTIONS=""
 

Modified: packages/pyro/trunk/debian/pyro.pyro-nsd.init
===================================================================
--- packages/pyro/trunk/debian/pyro.pyro-nsd.init	2011-08-21 21:33:38 UTC (rev 18229)
+++ packages/pyro/trunk/debian/pyro.pyro-nsd.init	2011-08-21 23:22:11 UTC (rev 18230)
@@ -29,7 +29,6 @@
 fi
   
 PYRO_NS=/usr/bin/pyro-nsd
-PYRO_PID=/var/run/pyro-nsd.pid
 END_PHRASE="python remote objects name service: pyro-nsd"
 
 set -e
@@ -42,12 +41,12 @@
 	;;
     stop)
         echo -n "Stopping $DESC: "
-	$DAEMON stop
+	$DAEMON stop $OPTIONS
 	echo "$NAME."
 	;;
     restart|force-reload)
 	echo -n "Restarting $DESC: "
-	$DAEMON stop
+	$DAEMON stop $OPTIONS
 	sleep 1
 	$DAEMON start $OPTIONS
 	echo "$NAME."

More information about the Python-modules-commits mailing list