pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/sysutils Add patches "solving" the issue of bacula exp...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/e35e38f36329
branches:  trunk
changeset: 544152:e35e38f36329
user:      tonnerre <tonnerre%pkgsrc.org@localhost>
date:      Sun Jul 13 15:26:36 2008 +0000

description:
Add patches "solving" the issue of bacula exposing passwords et cetera
through the command line parameters of various tools (CVE-2007-5626).

diffstat:

 sysutils/bacula-doc/Makefile         |   3 +-
 sysutils/bacula-doc/distinfo         |   7 ++++-
 sysutils/bacula-doc/patches/patch-aa |  16 ++++++++++++
 sysutils/bacula-doc/patches/patch-ab |  47 ++++++++++++++++++++++++++++++++++++
 sysutils/bacula-doc/patches/patch-ac |  13 +++++++++
 sysutils/bacula-doc/patches/patch-ad |  13 +++++++++
 sysutils/bacula-doc/patches/patch-ae |  13 +++++++++
 sysutils/bacula/Makefile             |   4 +-
 sysutils/bacula/distinfo             |   4 ++-
 sysutils/bacula/patches/patch-ab     |  26 +++++++++++++++++++
 sysutils/bacula/patches/patch-ak     |  13 +++++++++
 11 files changed, 154 insertions(+), 5 deletions(-)

diffs (231 lines):

diff -r d9bfc1eb12d6 -r e35e38f36329 sysutils/bacula-doc/Makefile
--- a/sysutils/bacula-doc/Makefile      Sun Jul 13 15:23:10 2008 +0000
+++ b/sysutils/bacula-doc/Makefile      Sun Jul 13 15:26:36 2008 +0000
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.15 2008/01/04 14:32:50 ghen Exp $
+# $NetBSD: Makefile,v 1.16 2008/07/13 15:26:36 tonnerre Exp $
 
 DISTNAME=              bacula-docs-2.0.2
+PKGREVISION=           1
 PKGNAME=               ${DISTNAME:S/docs/doc/}
 CATEGORIES=            sysutils
 MASTER_SITES=          ${MASTER_SITE_SOURCEFORGE:=bacula/}
diff -r d9bfc1eb12d6 -r e35e38f36329 sysutils/bacula-doc/distinfo
--- a/sysutils/bacula-doc/distinfo      Sun Jul 13 15:23:10 2008 +0000
+++ b/sysutils/bacula-doc/distinfo      Sun Jul 13 15:26:36 2008 +0000
@@ -1,5 +1,10 @@
-$NetBSD: distinfo,v 1.13 2007/01/31 17:59:10 ghen Exp $
+$NetBSD: distinfo,v 1.14 2008/07/13 15:26:36 tonnerre Exp $
 
 SHA1 (bacula-docs-2.0.2.tar.gz) = a07c74b0c98f7afe0896f3f4908004e3984819e6
 RMD160 (bacula-docs-2.0.2.tar.gz) = 14c6582e9dabc4448fb681be192f46835ba0cb30
 Size (bacula-docs-2.0.2.tar.gz) = 29776690 bytes
+SHA1 (patch-aa) = 04898ece4b4c13b50acf08dad16a76eea0fbfc7d
+SHA1 (patch-ab) = e8320baae18f53f5091a0d0b662ec7e613cc1713
+SHA1 (patch-ac) = 829d3cff40f095f3d2e0959f8dbb368031d7c51b
+SHA1 (patch-ad) = 16a4e438f0931d436d914440d98874dcf0b17467
+SHA1 (patch-ae) = ddcb2258ae20aec96904bf6b08672a413358ed13
diff -r d9bfc1eb12d6 -r e35e38f36329 sysutils/bacula-doc/patches/patch-aa
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/bacula-doc/patches/patch-aa      Sun Jul 13 15:26:36 2008 +0000
@@ -0,0 +1,16 @@
+$NetBSD: patch-aa,v 1.1 2008/07/13 15:26:36 tonnerre Exp $
+
+--- manual/tips.tex.orig       2007-01-15 10:37:15.000000000 +0100
++++ manual/tips.tex
+@@ -598,6 +598,11 @@ setup procedure leaves the database open
+ assign the user {\bf bacula} a userid and add it to your Director's
+ configuration file in the appropriate Catalog resource. 
+ 
++If you use the make_catalog_backup script provided by Bacula, remember that
++you should take care when supplying passwords on the command line.  Read the
++\ilink{BackingUpBaculaSecurityConsiderations}{Backing Up Your Bacula
++Database - Security Considerations } for more information.
++
+ \section{Creating Holiday Schedules}
+ \label{holiday}
+ \index[general]{Schedules!Creating Holiday }
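Review bot: the new sentence in tips.tex reads awkwardly and its link text has a stray trailing space inside the braces (`Security Considerations }`); suggest `Read the \ilink{BackingUpBaculaSecurityConsiderations}{Backing Up Your Bacula Database - Security Considerations} section for more information.` Note also that the label `BackingUpBaculaSecurityConsiderations` is only defined by patch-ab in this same changeset, so the two doc patches must be applied together or the link dangles.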
diff -r d9bfc1eb12d6 -r e35e38f36329 sysutils/bacula-doc/patches/patch-ab
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/bacula-doc/patches/patch-ab      Sun Jul 13 15:26:36 2008 +0000
@@ -0,0 +1,47 @@
+$NetBSD: patch-ab,v 1.1 2008/07/13 15:26:36 tonnerre Exp $
+
+--- manual/catmaintenance.tex.orig     2007-01-05 18:20:40.000000000 +0100
++++ manual/catmaintenance.tex
+@@ -545,6 +545,8 @@ Job {
+   Storage = DLTDrive
+   Messages = Standard
+   Pool = Default
++  # WARNING!!! Passing the password via the command line is insecure.
++  # see comments in make_catalog_backup for details.
+   RunBeforeJob = "/home/kern/bacula/bin/make_catalog_backup"
+   RunAfterJob  = "/home/kern/bacula/bin/delete_catalog_backup"
+   Write Bootstrap = "/home/kern/bacula/working/BackupCatalog.bsr"
+@@ -573,6 +575,33 @@ you to quickly recover the database back
+ you do not have a bootstrap file, it is still possible to recover your
+ database backup, but it will be more work and take longer. 
+ 
++
++\label{BackingUpBaculaSecurityConsiderations}
++\section{Security considerations}
++\index[general]{Backing Up Your Bacula Database - Security Considerations }
++\index[general]{Database!Backing Up Your Bacula Database - Security Considerations }
++
++We provide make_catalog_backup as an example of what can be used to backup
++your Bacula database.  We expect you to take security precautions relevant
++to your situation.  make_catalog_backup is designed to take a password on
++the command line.  This is fine on machines with only trusted users.  It is
++not acceptable on machines without trusted users.  Most database systems
++provide a alternative method, which does not place the password on the
++command line.
++
++The make_catalog_backup contains some warnings about how to use it. Please
++read those tips.
++
++To help you get started, we know PostgreSQL has a password file,
++\elink{
++.pgpass}{http://www.postgresql.org/docs/8.2/static/libpq-pgpass.html}, and
++we know MySQL has
++\elink{ .my.cnf}{http://dev.mysql.com/doc/refman/4.1/en/password-security.html}.
++
++Only you can decide what is appropriate for your situation. We have provided
++you with a starting point.  We hope it helps.
++
++
+ \label{BackingUPOtherDBs}
+ \section{Backing Up Third Party Databases}
+ \index[general]{Backing Up Third Party Databases }
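Review bot: typo in the new section: `provide a alternative method` should be `provide an alternative method`. The `\elink{` calls for `.pgpass` and `.my.cnf` are split across a line break with whitespace inside the first brace pair (`\elink{` / `.pgpass}` and `\elink{ .my.cnf}`), which renders as a leading space in the link text; keep each `\elink{...}{...}` on one line. Separately, the Job example in the first hunk calls `make_catalog_backup` with no arguments at all, so the WARNING comment placed above it refers to a password argument the example never passes; saying "do not add the password as the third argument" would tell readers what to avoid.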
diff -r d9bfc1eb12d6 -r e35e38f36329 sysutils/bacula-doc/patches/patch-ac
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/bacula-doc/patches/patch-ac      Sun Jul 13 15:26:36 2008 +0000
@@ -0,0 +1,13 @@
+$NetBSD: patch-ac,v 1.1 2008/07/13 15:26:36 tonnerre Exp $
+
+--- manual/pools.tex.orig      2007-01-05 18:20:41.000000000 +0100
++++ manual/pools.tex
+@@ -235,6 +235,8 @@ Job {
+   Messages = Standard
+   Pool = Default
+   # This creates an ASCII copy of the catalog
++  # WARNING!!! Passing the password via the command line is insecure.
++  # see comments in make_catalog_backup for details.
+   RunBeforeJob = "/home/bacula/bin/make_catalog_backup bacula bacula"
+   # This deletes the copy of the catalog
+   RunAfterJob  = "/home/bacula/bin/delete_catalog_backup"
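Review bot: the WARNING lines are inserted between the existing `# This creates an ASCII copy of the catalog` comment and the `RunBeforeJob` line that comment describes, which separates the comment from its target; consider placing the warning before `# This creates ...` or merging the three comment lines into one block. Minor style point: `# see comments in make_catalog_backup` should start with a capital like the neighbouring comments.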
diff -r d9bfc1eb12d6 -r e35e38f36329 sysutils/bacula-doc/patches/patch-ad
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/bacula-doc/patches/patch-ad      Sun Jul 13 15:26:36 2008 +0000
@@ -0,0 +1,13 @@
+$NetBSD: patch-ad,v 1.1 2008/07/13 15:26:36 tonnerre Exp $
+
+--- manual/postgresql.tex.orig 2007-01-05 18:20:41.000000000 +0100
++++ manual/postgresql.tex
+@@ -200,6 +200,8 @@ password in place, these two lines shoul
+ \begin{verbatim}
+   dbname = bacula; user = bacula; password = "secret"
+     ... and ...
++ # WARNING!!! Passing the password via the command line is insecure.
++ # see comments in make_catalog_backup for details.
+   RunBeforeJob = "/etc/make_catalog_backup bacula bacula secret"
+ \end{verbatim}
+ \normalsize
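Review bot: the verbatim example still shows the exact invocation the comment warns against (`make_catalog_backup bacula bacula secret`), so a reader copying the block gets the password into the script's argv. Since this hunk already edits the block, suggest changing the example to the two-argument form `RunBeforeJob = "/etc/make_catalog_backup bacula bacula"` and pointing at the `.pgpass` file that catmaintenance.tex documents in this same changeset. Also, the two inserted comment lines are indented one space where the surrounding lines use two.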
diff -r d9bfc1eb12d6 -r e35e38f36329 sysutils/bacula-doc/patches/patch-ae
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/bacula-doc/patches/patch-ae      Sun Jul 13 15:26:36 2008 +0000
@@ -0,0 +1,13 @@
+$NetBSD: patch-ae,v 1.1 2008/07/13 15:26:36 tonnerre Exp $
+
+--- manual/strategies.tex.orig 2007-01-15 10:37:15.000000000 +0100
++++ manual/strategies.tex
+@@ -232,6 +232,8 @@ Job {
+   Messages = Standard
+   Pool = Default
+  # This creates an ASCII copy of the catalog
++ # WARNING!!! Passing the password via the command line is insecure.
++ # see comments in make_catalog_backup for details.
+   RunBeforeJob = "/usr/lib/bacula/make_catalog_backup -u bacula"
+  # This deletes the copy of the catalog, and ejects the tape
+   RunAfterJob  = "/etc/bacula/end_of_backup.sh"
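Review bot: the `RunBeforeJob` line this hunk sits next to calls `make_catalog_backup -u bacula`, but the script's interface (per the comment block patched in sysutils/bacula/patches/patch-ab below) is positional: `$1` is the database, `$2` the user and `$3` the password, so `-u` would be taken as the database name. This is pre-existing, but since the adjacent lines are being touched it is a cheap fix to change it to `make_catalog_backup bacula bacula`.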
diff -r d9bfc1eb12d6 -r e35e38f36329 sysutils/bacula/Makefile
--- a/sysutils/bacula/Makefile  Sun Jul 13 15:23:10 2008 +0000
+++ b/sysutils/bacula/Makefile  Sun Jul 13 15:26:36 2008 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.26 2008/07/10 13:54:56 dmcmahill Exp $
+# $NetBSD: Makefile,v 1.27 2008/07/13 15:26:36 tonnerre Exp $
 
-PKGREVISION=           3
+PKGREVISION=           4
 
 CONFLICTS+=            bacula-client-[0-9]* bacula-clientonly-[0-9]*
 
diff -r d9bfc1eb12d6 -r e35e38f36329 sysutils/bacula/distinfo
--- a/sysutils/bacula/distinfo  Sun Jul 13 15:23:10 2008 +0000
+++ b/sysutils/bacula/distinfo  Sun Jul 13 15:26:36 2008 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.28 2008/07/10 13:54:56 dmcmahill Exp $
+$NetBSD: distinfo,v 1.29 2008/07/13 15:26:36 tonnerre Exp $
 
 SHA1 (bacula-2.2.4/2.2.4-lost-block.patch) = d3b9f927100d148e831248b381c5b2543d215502
 RMD160 (bacula-2.2.4/2.2.4-lost-block.patch) = ff24810e204324acc42dbaff0291a0fa02b56e21
@@ -28,6 +28,7 @@
 RMD160 (bacula-2.2.4/bacula-2.2.4.tar.gz) = 5005d5566f55a8feb8a7efa610cd60a3d92383af
 Size (bacula-2.2.4/bacula-2.2.4.tar.gz) = 3020298 bytes
 SHA1 (patch-aa) = c1e5ec7c3e78c125b9fbaba97190ead10adbc599
+SHA1 (patch-ab) = 24104c731532c00d2901ccd72f43b7184b006496
 SHA1 (patch-ac) = 585f8a00fe7c0e6e8e4c0b91a0bd32bd2fb81c81
 SHA1 (patch-ae) = 69db6d396bd1654b3065d693c5ea2c0afbb8bc61
 SHA1 (patch-af) = 6ecbac39c156c81f30ba53b565f55ab5e876b3e0
@@ -35,4 +36,5 @@
 SHA1 (patch-ah) = 83b156ac18b64d19ea0022103c50c431f3b86b87
 SHA1 (patch-ai) = 499a164fcf9e4fc466b691f91203b4293dcee7eb
 SHA1 (patch-aj) = df5eba3c80d36ecc26c6acb1566a4411c308b2f0
+SHA1 (patch-ak) = d2b751888edf23a696f347c65ab0f11e6a3829f9
 SHA1 (patch-am) = 0b5b81543eb66ad191d94b59c986561e492a069d
diff -r d9bfc1eb12d6 -r e35e38f36329 sysutils/bacula/patches/patch-ab
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/bacula/patches/patch-ab  Sun Jul 13 15:26:36 2008 +0000
@@ -0,0 +1,26 @@
+$NetBSD: patch-ab,v 1.1 2008/07/13 15:26:36 tonnerre Exp $
+
+--- src/cats/make_catalog_backup.in.orig       2007-04-24 17:36:15.000000000 +0200
++++ src/cats/make_catalog_backup.in
+@@ -8,7 +8,11 @@
+ #  $2 is the user name with which to access the database
+ #     (default = bacula).
+ #  $3 is the password with which to access the database or "" if no password
+-#     (default "")
++#     (default ""). WARNING!!! Passing the password via the command line is 
++#     insecure and should not be used since any user can display the command 
++#     line arguments and the environment using ps.  Please consult your
++#     MySQL or PostgreSQL manual for secure methods of specifying the
++#     password.
+ #  $4 is the host on which the database is located
+ #     (default "")
+ #
+@@ -31,7 +35,7 @@ else
+     else
+       MYSQLHOST=""
+     fi
+-    ${BINDIR}/mysqldump -u $2$MYSQLPASSWORD$MYSQLHOST -f --opt $1 >$1.sql
++    ${BINDIR}/mysqldump -u ${2}${MYSQLPASSWORD}${MYSQLHOST} -f --opt $1 >$1.sql
+   else                              
+     if test xpostgresql = x@DB_TYPE@ ; then
+       if test $# -gt 2; then
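Review bot: the second hunk only rebraces `$2$MYSQLPASSWORD$MYSQLHOST` to `${2}${MYSQLPASSWORD}${MYSQLHOST}`; the two forms expand identically in sh, so the password still lands in `mysqldump`'s argument list and the exposure described in the commit message (CVE-2007-5626) is unchanged for anyone who supplies `$3`. If the script is to remain the shipped tool, the mitigation is to stop appending `$MYSQLPASSWORD` to the command line at all and rely on the `.my.cnf` route the new doc section names, rather than to adjust quoting; as it stands the only real change is the comment. Also, the added lines `(default ""). WARNING!!! Passing the password via the command line is ` and `insecure and should not be used since any user can display the command ` carry trailing whitespace.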
diff -r d9bfc1eb12d6 -r e35e38f36329 sysutils/bacula/patches/patch-ak
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/bacula/patches/patch-ak  Sun Jul 13 15:26:36 2008 +0000
@@ -0,0 +1,13 @@
+$NetBSD: patch-ak,v 1.3 2008/07/13 15:26:36 tonnerre Exp $
+
+--- src/dird/bacula-dir.conf.in.orig   2007-05-27 21:30:39.000000000 +0200
++++ src/dird/bacula-dir.conf.in
+@@ -61,6 +61,8 @@ Job {
+   FileSet="Catalog"
+   Schedule = "WeeklyCycleAfterBackup"
+   # This creates an ASCII copy of the catalog
++  # WARNING!!! Passing the password via the command line is insecure.
++  # see comments in make_catalog_backup for details.
+   RunBeforeJob = "@scriptdir@/make_catalog_backup bacula bacula"
+   # This deletes the copy of the catalog
+   RunAfterJob  = "@scriptdir@/delete_catalog_backup"
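Review bot: this is the shipped default `bacula-dir.conf`, so this comment is the one most administrators will actually see; the default `make_catalog_backup bacula bacula` passes no password, so the hint only matters once someone appends a third argument. Consider saying that directly (for example, `# Do not add the database password as a third argument; use .my.cnf or .pgpass instead`) so the default file states the safe practice rather than just pointing at comments in the script.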
