Hi, as suggested by Jonathan below, I prepared a bcron package fixing #686650 as a candidate for the next squeeze point release. A debdiff is attached; the package is ready for upload.
Regards, Gerrit.

On Thu, Jan 17, 2013 at 11:42:08AM -0000, Jonathan Wiltshire wrote:
> Package: bcron
>
> Dear maintainer,
>
> Recently you fixed one or more security problems and as a result you closed
> this bug. These problems were not serious enough for a Debian Security
> Advisory, so they are now on my radar for fixing in the following suites
> through point releases:
>
> squeeze (6.0.7) - use target "stable"
>
> Please prepare a minimal-changes upload targeting each of these suites,
> and submit a debdiff to the Release Team [0] for consideration. They will
> offer additional guidance or instruct you to upload your package.
>
> I will happily assist you at any stage if the patch is straightforward and
> you need help. Please keep me in CC at all times so I can
> track [1] the progress of this request.
>
> For details of this process and the rationale, please see the original
> announcement [2] and my blog post [3].
>
> 0: debian-rele...@lists.debian.org
> 1: http://prsc.debian.net/tracker/686650/
> 2: <201101232332.11736.th...@debian.org>
> 3: http://deb.li/prsc
>
> Thanks,
>
> with his security hat on:
> --
> Jonathan Wiltshire j...@debian.org
> Debian Developer http://people.debian.org/~jmw
>
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
diff -u bcron-0.09/debian/changelog bcron-0.09/debian/changelog --- bcron-0.09/debian/changelog +++ bcron-0.09/debian/changelog @@ -1,3 +1,14 @@ +bcron (0.09-11+squeeze1) stable; urgency=high + + * debian/diff/0008-bcron-exec-Mark-all-temporary-files-close-...diff: + new; from upstream git; bcron-exec: Mark all temporary files + close-on-exec and close selfpipe; this fixes a security bug in + bcron where cron jobs get access to the temporary output files from + all other jobs that are still running (CVE-2012-6110, closes: + #686650). + + -- Gerrit Pape <p...@smarden.org> Fri, 18 Jan 2013 03:21:49 +0000 + bcron (0.09-11) unstable; urgency=low * debian/bcron-run.postrm: services' supervise dirs are now located in only in patch2: unchanged: --- bcron-0.09.orig/debian/diff/0008-bcron-exec-Mark-all-temporary-files-close-on-exec-and.diff +++ bcron-0.09/debian/diff/0008-bcron-exec-Mark-all-temporary-files-close-on-exec-and.diff 
@@ -0,0 +1,79 @@ +From 6b30379c3bcab65a6a21b5c7677e333dbc357cc3 Mon Sep 17 00:00:00 2001 +From: Bruce Guenter <br...@untroubled.org> +Date: Fri, 5 Oct 2012 18:15:11 -0600 +Subject: [PATCH] bcron-exec: Mark all temporary files close-on-exec and + close selfpipe + +This fixes a security bug in bcron where cron jobs get access to the +temporary output files from all other jobs that are still running. + +First reported in Debian: +http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686650 + +Conflicts: + NEWS +--- + bcron-exec.c | 3 +++ + tests/exec-fds | 22 ++++++++++++++++++++++ + 2 files changed, 25 insertions(+) + create mode 100644 tests/exec-fds + +diff --git a/bcron-exec.c b/bcron-exec.c +index 2414bd8..ec6c641 100644 +--- a/bcron-exec.c ++++ b/bcron-exec.c +@@ -13,6 +13,7 @@ + #include <path/path.h> + #include <str/env.h> + #include <str/str.h> ++#include <unix/cloexec.h> + #include <unix/nonblock.h> + #include <unix/selfpipe.h> + #include <unix/sig.h> +@@ -106,6 +107,7 @@ static void exec_cmd(int fdin, int fdout, + const str* env, + const struct passwd* pw) + { ++ selfpipe_close(); + dup2(fdin, 0); + close(fdin); + dup2(fdout, 1); +@@ -205,6 +207,7 @@ static void start_slot(int slot, + return; + } + unlink(tmp.s); ++ cloexec_on(fd); + gethostname(hostname, sizeof hostname); + wrap_str(str_copyns(&tmp, 6, "To: <", mailto, ">\n", + "From: Cron Daemon <root@", hostname, ">\n")); +diff --git a/tests/exec-fds b/tests/exec-fds +new file mode 100644 +index 0000000..f2c4a9f +--- /dev/null ++++ b/tests/exec-fds +@@ -0,0 +1,22 @@ ++doexec \ ++ 'sleep 1; echo all done' \ ++ 'echo here >&4; echo here >&5; echo here >&6; echo here >&7; echo here >&8' ++<result> ++15:2^@KJob complete,15:1^@KJob complete, ++bcron-exec: (USER) CMD (sleep 1; echo all done) ++bcron-exec: (USER) CMD (echo here >&4; echo here >&5; echo here >&6; echo here >&7; echo here >&8) ++bcron-exec: Waiting for remaining slots to complete ++To: <USER> ++From: Cron Daemon <root@HOST> ++Subject: Cron <USER@HOST> 
echo here >&4; echo here >&5; echo here >&6; echo here >&7; echo here >&8 ++ ++/bin/sh: 1: 4: Bad file descriptor ++/bin/sh: 1: 5: Bad file descriptor ++/bin/sh: 1: 6: Bad file descriptor ++/bin/sh: 1: 7: Bad file descriptor ++/bin/sh: 1: 8: Bad file descriptor ++To: <USER> ++From: Cron Daemon <root@HOST> ++Subject: Cron <USER@HOST> sleep 1; echo all done ++ ++all done +-- +1.7.10.4 +
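Review bot: the changelog hunk names the new patch as `debian/diff/0008-bcron-exec-Mark-all-temporary-files-close-...diff`, which does not match the file the debdiff actually adds (`debian/diff/0008-bcron-exec-Mark-all-temporary-files-close-on-exec-and.diff`); spell out the full file name so the entry can be matched against the tree, and keep the CVE-2012-6110 and "closes: #686650" references as they are, since the tracker relies on them.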
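Review bot: the `+#include <unix/cloexec.h>` hunk in bcron-exec.c makes the package depend on bglibs providing `cloexec.h` and `cloexec_on()`, but this debdiff touches only debian/changelog and the new patch file, with no debian/control change; please confirm that the bglibs version already in squeeze ships that header, otherwise the stable build will fail at the preprocessor before the fix is ever exercised.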
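Review bot: in the exec_cmd hunk, `selfpipe_close()` is placed before `dup2(fdin, 0)` and `dup2(fdout, 1)`, which is the right order (the self-pipe ends are closed before descriptors are rearranged for the job), but nothing in the hunk says that exec_cmd runs on the child side of the fork; a one-line comment such as "child: drop the parent's signal self-pipe before exec" would make the intent clear to the next person backporting this.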
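Review bot: in the start_slot hunk, `cloexec_on(fd)` is added immediately after `unlink(tmp.s)`, so the per-slot temporary output file is no longer inherited across exec by any job started later; since the commit subject promises to mark "all temporary files" close-on-exec but this is the only `cloexec_on` call in the diff, state (in the commit message or a comment at this spot) that this is the only temporary descriptor a slot holds, or add the same call wherever any other temporary file is opened.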
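Review bot: the expected output in tests/exec-fds hard-codes dash's diagnostic wording (`/bin/sh: 1: 4: Bad file descriptor`); on a host where /bin/sh is a different shell the message format differs and the test fails for reasons unrelated to the fix, so consider matching only on the "Bad file descriptor" substring. The test also probes only descriptors 4 through 8 while the number of inherited descriptors grows with the number of concurrently running slots, so a check that walks a wider range (or /proc/self/fd) would catch a leak above 8 that this fixed set misses.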