Subject: Re: pkg/31570: additional: fix for security issue with bacula =< 1.37.39
To: None <pkg-manager@netbsd.org, gnats-admin@netbsd.org,>
From: Geert Hendrickx <ghen@telenet.be>
List: pkgsrc-bugs
Date: 10/13/2005 09:00:04
The following reply was made to PR pkg/31570; it has been noted by GNATS.

From: Geert Hendrickx <ghen@telenet.be>
To: gnats-bugs@netbsd.org
Cc: wiz@netbsd.org
Subject: Re: pkg/31570: additional: fix for security issue with bacula =< 1.37.39
Date: Thu, 13 Oct 2005 10:59:45 +0200

 This security vulnerability: http://www.zataz.net/adviso/bacula-09192005.txt
 has been fixed in the latest 1.37.x release of bacula.  Since this is their
 -beta branch, and we decided to stay on the stable (1.36.x) branch (amongst
 other changes, 1.37.x seems to use an incompatible database format), I have
 taken the security-relevant part of the diffs on the trunk and applied them
 to 1.36.3.  The resulting patch is to be included as patches/patch-ah: 
 
 ===>
 $NetBSD$
 
 --- autoconf/randpass.orig	2002-11-09 16:55:22.000000000 +0100
 +++ autoconf/randpass
 @@ -8,7 +8,14 @@ if test "x$1" = "x" ; then
  else
     PWL=$1
  fi 
 -tmp=/tmp/p.tmp.$$    
 +tmp=`mktemp randpass.XXXXXXXXXX`
 +if test x$tmp = x; then
 +   tmp=/tmp/p.tmp.$$    
 +   if test -f $tmp; then
 +      echo "Temp file security problem on: $tmp"
 +      exit 1
 +   fi
 +fi
  cp autoconf/randpass.bc $tmp
  ps | sum | tr -d ':[:alpha:] ' | sed 's/^/k=/' >>$tmp
  date | tr -d ':[:alpha:] ' | sed 's/^/k=k*/' >>$tmp
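 Review bot: the fallback branch taken when mktemp returns nothing still uses the predictable name /tmp/p.tmp.$$, and the "test -f $tmp" guard does not make it safe. There is a window between that test and the following "cp autoconf/randpass.bc $tmp", and test -f is false for a dangling symlink, so the cp and the later ">>$tmp" appends would still write through one. I would exit with an error when mktemp fails rather than fall back to the old name. Two smaller points in the same lines: "mktemp randpass.XXXXXXXXXX" has no directory component, so the file is created in the current directory instead of /tmp (worth a comment if that is intended), and "test x$tmp = x" should quote the expansion as "x$tmp".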
 <===
 
 --- distinfo.orig	2005-10-13 10:53:40.000000000 +0200
 +++ distinfo		2005-10-13 10:53:41.000000000 +0200
 @@ -8,3 +8,4 @@
  SHA1 (patch-ae) = ad4b7d5cb83f021235c11504a034def897fffcac
  SHA1 (patch-af) = 926e74b83a09f4620672ffb8419d9ea22983d231
  SHA1 (patch-ag) = d955ad9fb3772471580518c6528c898263333521
 +SHA1 (patch-ah) = 40ef8d3719e8ad2ba5c24de8d5661b3bfbbb5806
 
 (this diff is to be applied after my earlier update to 1.36.3 with the
 latest patches/patch-ag)
 
 For unambiguous versioning (with and without the vulnerability), I propose
 we immediately bump the PKGREVISION to 1 and do: 
 
 --- pkg-vulnerabilities.orig	2005-10-13 10:56:50.000000000 +0200
 +++ pkg-vulnerabilities		2005-10-13 10:57:09.000000000 +0200
 @@ -1458,7 +1458,7 @@
  nss_ldap<240		information-disclosure		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2069
  opera<8.50		cross-site-scripting		http://secunia.com/advisories/16645/
  opera<8.50		file-spoofing			http://secunia.com/advisories/16645/
 -bacula<1.37.39		insecure-temp-files		http://secunia.com/advisories/16866/
 +bacula<1.36.3nb1	insecure-temp-files		http://secunia.com/advisories/16866/
  firefox{,-bin,-gtk1,-gtk2,-gtk2-bin}<1.0.7	remote-command-execution	http://www.frsirt.com/english/advisories/2005/1794
  ruby16-base<1.6.8nb2	access-validation-bypass	http://jvn.jp/jp/JVN%2362914675/index.html
  ruby18-base<1.8.2nb4	access-validation-bypass	http://jvn.jp/jp/JVN%2362914675/index.html
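 Review bot: replacing the "bacula<1.37.39" line with "bacula<1.36.3nb1" means a 1.37.x package older than the fixed release no longer matches any entry, because every 1.37.x version compares higher than 1.36.3nb1. If no 1.37.x package was ever shipped in pkgsrc this is harmless, but otherwise I would add the new 1.36.3nb1 line and keep a second one restricted to the beta branch, for example "bacula>=1.37<1.37.39" with the same type and URL, so those installs stay flagged.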
 
 	Geert