tags 661061 + pending
thanks

Dear maintainer,

I've prepared an NMU for pastescript (versioned as 1.7.5-1.2) and
uploaded it to DELAYED/02. Please feel free to tell me if I
should delay it longer.

Cheers

Luk
diff -Nru pastescript-1.7.5/debian/changelog pastescript-1.7.5/debian/changelog
--- pastescript-1.7.5/debian/changelog	2012-04-29 10:30:08.000000000 +0200
+++ pastescript-1.7.5/debian/changelog	2012-05-27 19:05:20.000000000 +0200
@@ -1,3 +1,10 @@
+pastescript (1.7.5-1.2) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix CVE-2012-0878 by dropping supplementary groups (Closes: #661061).
+
+ -- Luk Claes <l...@debian.org>  Sun, 27 May 2012 19:05:16 +0200
+
 pastescript (1.7.5-1.1) unstable; urgency=low
 
   * Non-maintainer upload.
diff -Nru pastescript-1.7.5/debian/patches/04_drop_supplementary_groups.patch pastescript-1.7.5/debian/patches/04_drop_supplementary_groups.patch
--- pastescript-1.7.5/debian/patches/04_drop_supplementary_groups.patch	1970-01-01 01:00:00.000000000 +0100
+++ pastescript-1.7.5/debian/patches/04_drop_supplementary_groups.patch	2012-05-27 19:02:03.000000000 +0200
@@ -0,0 +1,23 @@
+# HG changeset patch
+# User Clay Gerrard <clay.gerr...@gmail.com>
+# Date 1328679050 21600
+# Branch setgroups
+# Node ID a19e462769b4a5c675e25bb4dedbc0937deec8da
+# Parent  edb9ca5fdc1d47953896d131907eff810202089b
+fix group permissions for paste.script.serve
+
+diff -r edb9ca5fdc1d47953896d131907eff810202089b -r a19e462769b4a5c675e25bb4dedbc0937deec8da paste/script/serve.py
+--- a/paste/script/serve.py	Mon Nov 07 10:11:44 2011 -0600
++++ b/paste/script/serve.py	Tue Feb 07 23:30:50 2012 -0600
+@@ -497,6 +497,11 @@
+         if self.verbose > 0:
+             print 'Changing user to %s:%s (%s:%s)' % (
+                 user, group or '(unknown)', uid, gid)
++        if hasattr(os, 'initgroups'):
++            os.initgroups(user, gid)
++        else:
++            os.setgroups([e.gr_gid for e in grp.getgrall()
++                          if user in e.gr_mem] + [gid]) 
+         if gid:
+             os.setgid(gid)
+         if uid:
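Review bot: the added `os.initgroups(user, gid)` / `os.setgroups([...] + [gid])` calls run unconditionally, yet the unchanged context right below them (`if gid: os.setgid(gid)`) shows that `gid` may be unset; in that case `os.initgroups` raises TypeError and the fallback appends `None` to the group list, so the group drop should be guarded (or a gid resolved) the same way the `setgid` call is. Two smaller points on the same hunk: the fallback branch references `grp.getgrall()` but the hunk adds no `import grp`, so confirm serve.py already imports it, and the line `++                          if user in e.gr_mem] + [gid]) ` carries trailing whitespace. The ordering itself is right: supplementary groups are dropped before `setgid`/`setuid`, which is what fixing CVE-2012-0878 requires.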
diff -Nru pastescript-1.7.5/debian/patches/series pastescript-1.7.5/debian/patches/series
--- pastescript-1.7.5/debian/patches/series	2011-08-20 22:09:58.000000000 +0200
+++ pastescript-1.7.5/debian/patches/series	2012-05-27 19:02:17.000000000 +0200
@@ -1,2 +1,3 @@
 03_try_to_find_templates_in_system_dir.patch
 02_rename_templates_dir.patch
+04_drop_supplementary_groups.patch