--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package db/5.1.29-9+deb8u1
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Sun, 24 Sep 2017 11:29:16 +0200
- Message-id: <150624535630.25614.10312793783791633830.reportbug@eldamar.local>
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
db in jessie is affected by the CVE-2017-10140 ("Berkeley DB reads
DB_CONFIG from cwd)", no bug in BTS filled for that since src;db
removed from unstable. The NMU for src:db5.3 to unstable back on end
of august has not raised any regression reports we would be aware of.
We though think it's still safer to have it via point release and have
it for a short time exposed as well via proposed-updates (once, and if
accepted).
The changelog reads as:
>db (5.1.29-9+deb8u1) jessie; urgency=medium
>
> * Non-maintainer upload.
> * CVE-2017-10140: Reads DB_CONFIG from the current working directory.
> Do not access DB_CONFIG when db_home is not set.
>
> -- Salvatore Bonaccorso <carnil@debian.org> Sun, 24 Sep 2017 11:12:52 +0200
Attached ist the full proposed debdiff.
Regards,
Salvatore
diff -Nru db-5.1.29/debian/changelog db-5.1.29/debian/changelog
--- db-5.1.29/debian/changelog 2014-08-19 14:49:46.000000000 +0200
+++ db-5.1.29/debian/changelog 2017-09-24 11:12:52.000000000 +0200
@@ -1,3 +1,11 @@
+db (5.1.29-9+deb8u1) jessie; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2017-10140: Reads DB_CONFIG from the current working directory.
+ Do not access DB_CONFIG when db_home is not set.
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sun, 24 Sep 2017 11:12:52 +0200
+
db (5.1.29-9) unstable; urgency=medium
* Fix for FTBFS on ppc64el (Courtesy of Matthias Klose/Ubuntu)
diff -Nru db-5.1.29/debian/patches/CVE-2017-10140-cwd-db_config.patch db-5.1.29/debian/patches/CVE-2017-10140-cwd-db_config.patch
--- db-5.1.29/debian/patches/CVE-2017-10140-cwd-db_config.patch 1970-01-01 01:00:00.000000000 +0100
+++ db-5.1.29/debian/patches/CVE-2017-10140-cwd-db_config.patch 2017-09-24 11:12:52.000000000 +0200
@@ -0,0 +1,22 @@
+Description: CVE-2017-10140: Reads DB_CONFIG from the current working directory
+ Do not access DB_CONFIG when db_home is not set.
+Origin: vendor, https://src.fedoraproject.org/rpms/libdb/raw/8047fa8580659fcae740c25e91b490539b8453eb/f/db-5.3.28-cwd-db_config.patch
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10140
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464032
+Bug-SuSE: https://bugzilla.novell.com/show_bug.cgi?id=1043886
+Forwarded: no
+Author: Petr Kubat <pkubat@redhat.com>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2017-08-17
+
+--- db-5.3.28/src/env/env_open.c.old 2017-06-26 10:32:11.011419981 +0200
++++ db-5.3.28/src/env/env_open.c 2017-06-26 10:32:46.893721233 +0200
+@@ -473,7 +473,7 @@
+ env->db_mode = mode == 0 ? DB_MODE_660 : mode;
+
+ /* Read the DB_CONFIG file. */
+- if ((ret = __env_read_db_config(env)) != 0)
++ if (env->db_home != NULL && (ret = __env_read_db_config(env)) != 0)
+ return (ret);
+
+ /*
diff -Nru db-5.1.29/debian/patches/series db-5.1.29/debian/patches/series
--- db-5.1.29/debian/patches/series 2014-08-19 14:49:46.000000000 +0200
+++ db-5.1.29/debian/patches/series 2017-09-24 11:12:52.000000000 +0200
@@ -6,3 +6,4 @@
006-mutex_alignment.patch
007-link-sql-libs.patch
libtool-update.diff
+CVE-2017-10140-cwd-db_config.patch
--- End Message ---