Hi, I uploaded an NMU of your package. This was necessary to fix the local privilege escalation and to make sure that /etc/maildroprc has the right owner. Please find the used diff below. This is done as part of making maildrop available for the next release.
Cheers, Andi
diff -Nur maildrop-2.0.2~/debian/changelog maildrop-2.0.2/debian/changelog --- maildrop-2.0.2~/debian/changelog 2006-09-09 16:07:36.000000000 +0200 +++ maildrop-2.0.2/debian/changelog 2006-09-09 19:41:44.576131645 +0200 @@ -1,3 +1,11 @@ +maildrop (2.0.2-6.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix local privilege escalation, CAN-2005-2655, Closes: #325135 + * Fix wrong owner of /etc/maildroprc. Closes: #386700 + + -- Andreas Barth <[EMAIL PROTECTED]> Sat, 9 Sep 2006 16:15:06 +0200 + maildrop (2.0.2-6) unstable; urgency=medium * Documented how return_fail_output must be used instead of return_output diff -Nur maildrop-2.0.2~/debian/patches/006-maildrop-lockmail-privs.patch maildrop-2.0.2/debian/patches/006-maildrop-lockmail-privs.patch --- maildrop-2.0.2~/debian/patches/006-maildrop-lockmail-privs.patch 1970-01-01 01:00:00.000000000 +0100 +++ maildrop-2.0.2/debian/patches/006-maildrop-lockmail-privs.patch 2006-09-09 16:13:12.516510300 +0200 @@ -0,0 +1,11 @@ +--- a/liblock/lockmail.c 2002-09-26 14:30:40.000000000 +0200 ++++ b/liblock/lockmail.c 2006-09-09 16:12:41.057080193 +0200 +@@ -160,6 +160,8 @@ + + if (pid == 0) + { ++ setgid(getgid()); ++ + (void)caught(); + execvp(argvec[0], argvec); + diff -Nur maildrop-2.0.2~/debian/rules maildrop-2.0.2/debian/rules --- maildrop-2.0.2~/debian/rules 2006-09-09 16:07:36.000000000 +0200 +++ maildrop-2.0.2/debian/rules 2006-09-09 19:47:37.483520808 +0200 @@ -22,3 +22,4 @@ chgrp mail $(DEB_DESTDIR)/usr/bin/maildrop $(DEB_DESTDIR)/usr/bin/lockmail.maildrop chmod g+s $(DEB_DESTDIR)/usr/bin/maildrop $(DEB_DESTDIR)/usr/bin/lockmail.maildrop find $(DEB_DESTDIR)/usr -type d -empty | xargs -r rmdir -p --ignore-fail-on-non-empty + chown root:root $(DEB_DESTDIR)/etc/maildroprc
-- http://home.arcor.de/andreas-barth/
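Review bot: the security entry in the debian/changelog hunk does not say what was changed or where. "Fix local privilege escalation" should name the new debian/patches/006-maildrop-lockmail-privs.patch and state that lockmail now drops its group before running the command, so someone auditing the upload can match the entry to the code. The identifier is also written in the retired candidate form CAN-2005-2655; the CVE- spelling of the same number is what changelog-scanning tools look for.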
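Review bot: the return value of `setgid(getgid());` in the liblock/lockmail.c hunk (006-maildrop-lockmail-privs.patch) is ignored, so if the call fails the child still reaches `execvp(argvec[0], argvec);` with the group that debian/rules grants through `chgrp mail` and `chmod g+s` on lockmail.maildrop. Check the result and bail out of the child before the exec, for example `if (setgid(getgid()) < 0) { perror("setgid"); _exit(1); }`. A short comment above the call saying that the setgid privilege is only needed for taking the lock, not for the command being run, would also help later readers.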
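Review bot: the added `chown root:root $(DEB_DESTDIR)/etc/maildroprc` line in the debian/rules hunk fixes the owner only and leaves the file mode to whatever the earlier install step produced. Since the bug is about who may alter a system-wide configuration file, pin the owner, group and mode together, either with one `install -o root -g root -m 644` where the file is first copied or with an explicit `chmod 644` next to the chown. The line also only affects the freshly built package; if an existing installation can keep a wrongly owned /etc/maildroprc across the upgrade, a matching fix in the maintainer scripts is needed as well.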