Package: cluster-agents; Maintainer for cluster-agents is (unknown);
Reported by: Raphael Geissert <geissert@debian.org>
Date: Thu, 30 Sep 2010 00:39:01 UTC
Severity: important
Tags: security
Found in version cluster-agents/1:1.0.3-3
Fixed in version cluster-agents/1:1.0.3-3.1
Done: Jari Aalto <jari.aalto@cante.net>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian HA Maintainers <debian-ha-maintainers@lists.alioth.debian.org>: Bug#598549; Package cluster-agents. (Thu, 30 Sep 2010 00:39:04 GMT)
Acknowledgement sent to Raphael Geissert <geissert@debian.org>: New Bug report received and forwarded. Copy sent to Debian HA Maintainers <debian-ha-maintainers@lists.alioth.debian.org>. (Thu, 30 Sep 2010 00:39:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: cluster-agents
Version: 1:1.0.3-3
Severity: important
Tags: security
User: team@security.debian.org
Usertags: ldpath
Hello,
During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.
The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries on a directory other than the standard paths.
Vulnerable code follows:
/usr/lib/ocf/resource.d/heartbeat/SAPDatabase line 969:
if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
/usr/lib/ocf/resource.d/heartbeat/SAPDatabase line 970:
LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
/usr/lib/ocf/resource.d/heartbeat/SAPInstance line 299:
if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
/usr/lib/ocf/resource.d/heartbeat/SAPInstance line 300:
LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.
This vulnerability has been assigned the CVE id CVE-2010-3389. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3389
[1] http://security-tracker.debian.org/tracker/CVE-2010-3389
Sincerely,
Raphael Geissert
Message #10 received at 598549@bugs.debian.org from Simon Horman <horms@verge.net.au> (Thu, 30 Sep 2010 01:30:03 GMT):
Thanks, I will discuss getting this resolved with the upstream developers.

On Thu, Sep 30, 2010 at 12:36:56AM +0000, Raphael Geissert wrote:
> Package: cluster-agents
> Version: 1:1.0.3-3
> Severity: important
> Tags: security
> User: team@security.debian.org
> Usertags: ldpath
>
> Hello,
>
> During a review of the Debian archive, I've found your package to
> contain a script that can be abused by an attacker to execute arbitrary
> code.
>
> The vulnerability is introduced by an insecure change to
> LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
> libraries on a directory other than the standard paths.
>
> Vulnerable code follows:
>
> /usr/lib/ocf/resource.d/heartbeat/SAPDatabase line 969:
> if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
> /usr/lib/ocf/resource.d/heartbeat/SAPDatabase line 970:
> LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
> /usr/lib/ocf/resource.d/heartbeat/SAPInstance line 299:
> if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
> /usr/lib/ocf/resource.d/heartbeat/SAPInstance line 300:
> LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
>
> When there's an empty item on the colon-separated list of
> LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
> If the given script is executed from a directory where a potential,
> local, attacker can write files to, there's a chance to exploit this
> bug.
>
> This vulnerability has been assigned the CVE id CVE-2010-3389. Please make sure
> you mention it when forwarding this report to upstream and when fixing
> this bug (everywhere: upstream and here at Debian.)
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3389
> [1] http://security-tracker.debian.org/tracker/CVE-2010-3389
>
> Sincerely,
> Raphael Geissert
Message #15 received at 598549@bugs.debian.org from Simon Horman <horms@verge.net.au> (Thu, 30 Sep 2010 01:45:05 GMT):
Hi linux-ha-dev,
I received this through the Debian bug tracker.
It's not immediately clear to me what an appropriate fix would be.
----- Forwarded message from Raphael Geissert <geissert@debian.org> -----
Date: Thu, 30 Sep 2010 00:36:56 +0000
From: Raphael Geissert <geissert@debian.org>
To: submit@bugs.debian.org
Subject: [Debian-ha-maintainers] Bug#598549: cluster-agents: CVE-2010-3389: insecure library loading
Resent-From: Raphael Geissert <geissert@debian.org>
Package: cluster-agents
Version: 1:1.0.3-3
Severity: important
Tags: security
User: team@security.debian.org
Usertags: ldpath
Hello,
During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.
The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries on a directory other than the standard paths.
Vulnerable code follows:
/usr/lib/ocf/resource.d/heartbeat/SAPDatabase line 969:
if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
/usr/lib/ocf/resource.d/heartbeat/SAPDatabase line 970:
LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
/usr/lib/ocf/resource.d/heartbeat/SAPInstance line 299:
if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
/usr/lib/ocf/resource.d/heartbeat/SAPInstance line 300:
LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.
This vulnerability has been assigned the CVE id CVE-2010-3389. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3389
[1] http://security-tracker.debian.org/tracker/CVE-2010-3389
Sincerely,
Raphael Geissert
_______________________________________________
Debian-ha-maintainers mailing list
Debian-ha-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/debian-ha-maintainers
----- End forwarded message -----
Message #20 received at 598549@bugs.debian.org from Aníbal Monsalve Salazar <anibal@debian.org> (Fri, 01 Oct 2010 09:57:03 GMT):
On Thu, Sep 30, 2010 at 10:44:42AM +0900, Simon Horman wrote:
>I received this through the Debian bug tracker.
>Its not immediately clear to me what an appropriate fix would be.

The following diff shows how I fixed "qtparted: CVE-2010-3375: insecure library loading" bug.

-export LD_LIBRARY_PATH="$QTDIR/lib:$LD_LIBRARY_PATH"
+LD_LIBRARY_PATH=$( echo "$LD_LIBRARY_PATH" | sed "s/\s//g" )
+if [ -n "$LD_LIBRARY_PATH" ]
+then
+ export LD_LIBRARY_PATH="$QTDIR/lib:$LD_LIBRARY_PATH"
+else
+ export LD_LIBRARY_PATH="$QTDIR/lib"
+fi
 export PATH=/sbin:/usr/sbin:/bin:/usr/bin:$PATH

Please note that if you also set PATH as above, you'll have to check
$PATH before adding it with ":$PATH" to PATH.

if $PATH is empty then ":$PATH" is equivalent to ":." and you don't want
to add "." to the path search.
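Review bot: the `[ -n "$LD_LIBRARY_PATH" ]` test in this hunk only detects a value that is empty once `sed "s/\s//g"` has stripped whitespace; a value such as ':' or 'a::b' is non-empty and still produces '$QTDIR/lib::' or '$QTDIR/lib:a::b', so an empty component (the current directory) survives. Collapsing runs of ':' and trimming a leading or trailing ':' before the -n test would close that gap, and the same reasoning applies to the ':$PATH' remark below the diff.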
Message #25 received at 598549@bugs.debian.org from Simon Horman <horms@verge.net.au> (Fri, 01 Oct 2010 15:24:04 GMT):
On Fri, Oct 01, 2010 at 07:55:02PM +1000, Aníbal Monsalve Salazar wrote:
> On Thu, Sep 30, 2010 at 10:44:42AM +0900, Simon Horman wrote:
> >I received this through the Debian bug tracker.
> >Its not immediately clear to me what an appropriate fix would be.
>
> The following diff shows how I fixed "qtparted: CVE-2010-3375: insecure
> library loading" bug.
>
> -export LD_LIBRARY_PATH="$QTDIR/lib:$LD_LIBRARY_PATH"
> +LD_LIBRARY_PATH=$( echo "$LD_LIBRARY_PATH" | sed "s/\s//g" )
> +if [ -n "$LD_LIBRARY_PATH" ]
> +then
> + export LD_LIBRARY_PATH="$QTDIR/lib:$LD_LIBRARY_PATH"
> +else
> + export LD_LIBRARY_PATH="$QTDIR/lib"
> +fi
> export PATH=/sbin:/usr/sbin:/bin:/usr/bin:$PATH
>
> Please note that if you also set PATH as above, you'll have to check
> $PATH before adding it with ":$PATH" to PATH.
>
> if $PATH is empty then ":$PATH" is equivalent to ":." and you don't want
> to add "." to the path search.
>
Thanks Aníbal,
poking a little further it seems that the problem has been addressed
by the following recent upstream patch. Do you have any thoughts on it?
# HG changeset patch
# User Dejan Muhamedagic <dejan@hello-penguin.com>
# Date 1284894558 -7200
# Node ID 2773e5850003fb90995a27811752224fde96c2b7
# Parent 9d67fff01b34e87b6a855f1ea9b8a8accb771680
Low: SAPDatabase,SAPInstance: improve LD_LIBRARY_PATH processing (bnc#640026)
diff -r 9d67fff01b34 -r 2773e5850003 heartbeat/SAPDatabase
--- a/heartbeat/SAPDatabase Thu Sep 16 09:48:04 2010 +0200
+++ b/heartbeat/SAPDatabase Sun Sep 19 13:09:18 2010 +0200
@@ -967,7 +967,8 @@
# as root user we need the library path to the SAP kernel to be able to call executables
if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
- LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
+ LD_LIBRARY_PATH=$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH
+ export LD_LIBRARY_PATH
fi
sidadm="`echo $SID | tr [:upper:] [:lower:]`adm"
diff -r 9d67fff01b34 -r 2773e5850003 heartbeat/SAPInstance
--- a/heartbeat/SAPInstance Thu Sep 16 09:48:04 2010 +0200
+++ b/heartbeat/SAPInstance Sun Sep 19 13:09:18 2010 +0200
@@ -297,7 +297,8 @@
# as root user we need the library path to the SAP kernel to be able to call sapcontrol
if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
- LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
+ LD_LIBRARY_PATH=$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH
+ export LD_LIBRARY_PATH
fi
sidadm="`echo $SID | tr [:upper:] [:lower:]`adm"
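Review bot: same gap as in the SAPDatabase hunk: `${LD_LIBRARY_PATH:+:}` leaves a ':' or whitespace-only value with an empty component. Since both agents carry identical lines, a single helper sourced by both would keep the two copies from diverging again.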
Message #30 received at 598549@bugs.debian.org from Lars Ellenberg <lars.ellenberg@linbit.com> (Fri, 01 Oct 2010 16:24:56 GMT):
On Thu, Sep 30, 2010 at 10:44:42AM +0900, Simon Horman wrote:
> Hi linux-ha-dev,
>
> I received this through the Debian bug tracker.
> Its not immediately clear to me what an appropriate fix would be.
>
> ----- Forwarded message from Raphael Geissert <geissert@debian.org> -----
>
> Date: Thu, 30 Sep 2010 00:36:56 +0000
> From: Raphael Geissert <geissert@debian.org>
> To: submit@bugs.debian.org
> Subject: [Debian-ha-maintainers] Bug#598549: cluster-agents: CVE-2010-3389:
> insecure library loading
> Resent-From: Raphael Geissert <geissert@debian.org>
>
> Package: cluster-agents
> Version: 1:1.0.3-3
> Severity: important
> Tags: security
> User: team@security.debian.org
> Usertags: ldpath
>
> Hello,
>
> During a review of the Debian archive, I've found your package to
> contain a script that can be abused by an attacker to execute arbitrary
> code.
>
> The vulnerability is introduced by an insecure change to
> LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
> libraries on a directory other than the standard paths.
>
> Vulnerable code follows:
>
> /usr/lib/ocf/resource.d/heartbeat/SAPDatabase line 969:
> if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
> /usr/lib/ocf/resource.d/heartbeat/SAPDatabase line 970:
> LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
> /usr/lib/ocf/resource.d/heartbeat/SAPInstance line 299:
> if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
> /usr/lib/ocf/resource.d/heartbeat/SAPInstance line 300:
> LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
>
> When there's an empty item on the colon-separated list of
> LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
> If the given script is executed from a directory where a potential,
> local, attacker can write files to, there's a chance to exploit this
> bug.
So it is run periodically by root (well, the lrmd, as root).
Even though the cwd of lrmd should be ok, permission wise, in case the
script does cd into somewhere (I don't think it does, now) where someone
with lesser privilege was able to place some evil *.so, the next command
executed by the script may do interesting things.
Ok.
Simply doing
#remove it, if present.
LD_LIBRARY_PATH=${LD_LIBRARY_PATH#"$DIR_EXECUTABLE"}
#remove possible remaining leading :
LD_LIBRARY_PATH=${LD_LIBRARY_PATH#:}
#prepend it
LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH
#remove possible trailing :
LD_LIBRARY_PATH=${LD_LIBRARY_PATH%:}
Would do away with the empty component as well as the if [ `echo | grep` ].
> This vulnerability has been assigned the CVE id CVE-2010-3389. Please make sure
> you mention it when forwarding this report to upstream and when fixing
> this bug (everywhere: upstream and here at Debian.)
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3389
> [1] http://security-tracker.debian.org/tracker/CVE-2010-3389
>
> Sincerely,
> Raphael Geissert
Message #35 received at 598549@bugs.debian.org from Aníbal Monsalve Salazar <anibal@debian.org> (Sat, 02 Oct 2010 03:15:03 GMT):
On Sat, Oct 02, 2010 at 12:22:41AM +0900, Simon Horman wrote:
>On Fri, Oct 01, 2010 at 07:55:02PM +1000, Aníbal Monsalve Salazar wrote:
>>On Thu, Sep 30, 2010 at 10:44:42AM +0900, Simon Horman wrote:
>>>I received this through the Debian bug tracker.
>>>Its not immediately clear to me what an appropriate fix would be.
>>
>>The following diff shows how I fixed the "qtparted: CVE-2010-3375:
>>insecure library loading" bug.
>>
>>-export LD_LIBRARY_PATH="$QTDIR/lib:$LD_LIBRARY_PATH"
>>+LD_LIBRARY_PATH=$( echo "$LD_LIBRARY_PATH" | sed "s/\s//g" )
>>+if [ -n "$LD_LIBRARY_PATH" ]
>>+then
>>+ export LD_LIBRARY_PATH="$QTDIR/lib:$LD_LIBRARY_PATH"
>>+else
>>+ export LD_LIBRARY_PATH="$QTDIR/lib"
>>+fi
>> export PATH=/sbin:/usr/sbin:/bin:/usr/bin:$PATH
>>
>>Please note that if you also set PATH as above, you'll have to check
>>$PATH before adding it with ":$PATH" to PATH.
>>
>>if $PATH is empty then ":$PATH" is equivalent to ":." and you don't want
>>to add "." to the path search.
>>
>
>Thanks Aníbal,
>
>poking a little further it seems that the problem has been addressed
>by the following recent upstream patch. Do you have any thoughts on it?
>
># HG changeset patch
># User Dejan Muhamedagic <dejan@hello-penguin.com>
># Date 1284894558 -7200
># Node ID 2773e5850003fb90995a27811752224fde96c2b7
># Parent 9d67fff01b34e87b6a855f1ea9b8a8accb771680
>Low: SAPDatabase,SAPInstance: improve LD_LIBRARY_PATH processing (bnc#640026)
>
>diff -r 9d67fff01b34 -r 2773e5850003 heartbeat/SAPDatabase
>--- a/heartbeat/SAPDatabase Thu Sep 16 09:48:04 2010 +0200
>+++ b/heartbeat/SAPDatabase Sun Sep 19 13:09:18 2010 +0200
>@@ -967,7 +967,8 @@
>
> # as root user we need the library path to the SAP kernel to be able to call executables
> if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
>- LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
>+ LD_LIBRARY_PATH=$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH
>+ export LD_LIBRARY_PATH
> fi
> sidadm="`echo $SID | tr [:upper:] [:lower:]`adm"
>
>diff -r 9d67fff01b34 -r 2773e5850003 heartbeat/SAPInstance
>--- a/heartbeat/SAPInstance Thu Sep 16 09:48:04 2010 +0200
>+++ b/heartbeat/SAPInstance Sun Sep 19 13:09:18 2010 +0200
>@@ -297,7 +297,8 @@
>
> # as root user we need the library path to the SAP kernel to be able to call sapcontrol
> if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
>- LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
>+ LD_LIBRARY_PATH=$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH
>+ export LD_LIBRARY_PATH
> fi
>
> sidadm="`echo $SID | tr [:upper:] [:lower:]`adm"
DIR_EXECUTABLE=/tmp/bin; LD_LIBRARY_PATH=/tmp/lib:/var/tmp/lib; LD_LIBRARY_PATH=$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH
+ DIR_EXECUTABLE=/tmp/bin
+ LD_LIBRARY_PATH=/tmp/lib:/var/tmp/lib
+ LD_LIBRARY_PATH=/tmp/bin:/tmp/lib:/var/tmp/lib
It works if LD_LIBRARY_PATH is well defined (see above) but it doesn't
(still vulnerable) if LD_LIBRARY_PATH has a space or a ':' only (see
below).
DIR_EXECUTABLE=/tmp/bin; LD_LIBRARY_PATH=' '; LD_LIBRARY_PATH=$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH
+ DIR_EXECUTABLE=/tmp/bin
+ LD_LIBRARY_PATH=' '
+ LD_LIBRARY_PATH='/tmp/bin: '
DIR_EXECUTABLE=/tmp/bin; LD_LIBRARY_PATH=':'; LD_LIBRARY_PATH=$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH
+ DIR_EXECUTABLE=/tmp/bin
+ LD_LIBRARY_PATH=:
+ LD_LIBRARY_PATH=/tmp/bin::
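Lars's sketch in message #30 and Aníbal's ':' and ' ' traces in message #35 circle the same requirement: never leave an empty or cwd-relative component in the value. The following is an added example, not code from the cluster-agents package or from anyone in this thread; it goes a little beyond the thread by dropping every relative component, not only empty ones, since ld.so resolves those against the current directory too. The function name safe_path_prepend and the sample values are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the cluster-agents package or this thread).
# Prepend a directory to a colon-separated search path without leaving an
# empty or relative component, which ld.so(8) would resolve against the
# current working directory. Function name and sample values are assumed.

# safe_path_prepend DIR [PATHVALUE]
# Prints DIR followed by every absolute component of PATHVALUE, minus any
# component equal to DIR (so DIR is never listed twice). Empty components
# (from "::", a leading or trailing ":"), "." and other relative components
# are dropped. Returns 1 and prints nothing if DIR is empty or relative.
safe_path_prepend() (
    dir=$1
    old=$2
    case $dir in /*) ;; *) return 1 ;; esac   # refuse empty or relative DIR
    new=$dir
    set -f      # no pathname expansion while the value is split below
    IFS=:       # split on ':' only; IFS and -f stay inside this subshell
    for comp in $old; do
        case $comp in
            "$dir") ;;             # already present: do not list it twice
            /*) new=$new:$comp ;;  # absolute directory: keep it
            *) ;;                  # "", ".", " " or relative: drop it
        esac
    done
    printf '%s\n' "$new"
)

# Exercise the inputs raised in this bug report (all values constructed here).
# Returns 0 when every case produces the expected value.
run_checks() {
    d=/tmp/bin
    [ "$(safe_path_prepend "$d" '/tmp/lib:/var/tmp/lib')" = '/tmp/bin:/tmp/lib:/var/tmp/lib' ] || return 1
    [ "$(safe_path_prepend "$d" '')" = '/tmp/bin' ] || return 1      # unset/empty
    [ "$(safe_path_prepend "$d" ':')" = '/tmp/bin' ] || return 1     # Aníbal's ':'
    [ "$(safe_path_prepend "$d" ' ')" = '/tmp/bin' ] || return 1     # Aníbal's ' '
    [ "$(safe_path_prepend "$d" '::')" = '/tmp/bin' ] || return 1    # Simon's '::'
    [ "$(safe_path_prepend "$d" '/a::/b:')" = '/tmp/bin:/a:/b' ] || return 1
    [ "$(safe_path_prepend "$d" '/tmp/bin:/a')" = '/tmp/bin:/a' ] || return 1
    [ "$(safe_path_prepend "$d" '.:/a')" = '/tmp/bin:/a' ] || return 1
    safe_path_prepend '' '/a' >/dev/null && return 1     # must be rejected
    safe_path_prepend 'bin' '/a' >/dev/null && return 1  # must be rejected
    return 0
}

# How an agent would use it (DIR_EXECUTABLE as in the SAP agents, assumed here):
#   LD_LIBRARY_PATH=$(safe_path_prepend "$DIR_EXECUTABLE" "$LD_LIBRARY_PATH") \
#       && export LD_LIBRARY_PATH
if run_checks; then
    echo "all LD_LIBRARY_PATH checks passed"
else
    echo "a LD_LIBRARY_PATH check failed" >&2
fi
```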
Message #40 received at 598549@bugs.debian.org from jari.aalto@cante.net (Sat, 16 Oct 2010 17:42:02 GMT):
Dear maintainer,
Here is the NMU diff according to DevRef 5.11.1[1][2] for bug: #598549.
See the debian/patches directory for the important fixes.
Let me know if it's okay to proceed with the NMU.
Thank you for maintaining the package,
Jari Aalto
[1] http://www.debian.org/doc/developers-reference/pkgs.html#nmu
[2] http://dep.debian.net/deps/dep1.html
lsdiff(1) of changes:
cluster-agents-1.0.3/debian/changelog
cluster-agents-1.0.3/debian/patches/CVE-2010-3389--bug598549.patch
cluster-agents-1.0.3/debian/patches/series
[cluster-agents_1.0.3-3--1.0.3-3.1.deb.diff (text/x-diff, inline)]
diffstat for cluster-agents-1.0.3 cluster-agents-1.0.3
changelog | 8 ++++
patches/CVE-2010-3389--bug598549.patch | 53 +++++++++++++++++++++++++++++++++
patches/series | 1
3 files changed, 62 insertions(+)
diff -Nru cluster-agents-1.0.3/debian/changelog cluster-agents-1.0.3/debian/changelog
--- cluster-agents-1.0.3/debian/changelog 2010-05-04 16:04:18.000000000 +0300
+++ cluster-agents-1.0.3/debian/changelog 2010-10-16 20:28:40.000000000 +0300
@@ -1,3 +1,11 @@
+cluster-agents (1:1.0.3-3.1) unstable; urgency=low
+
+ * debian/patches
+ - (CVE-2010-3389--bug598549): New. Correct LD_LIBRARY_PATH handling.
+ (important, security; Closes: #598549).
+
+ -- Jari Aalto <jari.aalto@cante.net> Sat, 16 Oct 2010 20:28:40 +0300
+
cluster-agents (1:1.0.3-3) unstable; urgency=low
* Add build dependency on docbook-xml. (Closes: #579623)
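Review bot: the new changelog entry in this hunk lacks the "* Non-maintainer upload." line that the DevRef NMU section cited in the cover mail asks for; add it as the first bullet so the upload is recognisable as an NMU in the package history.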
diff -Nru cluster-agents-1.0.3/debian/patches/CVE-2010-3389--bug598549.patch cluster-agents-1.0.3/debian/patches/CVE-2010-3389--bug598549.patch
--- cluster-agents-1.0.3/debian/patches/CVE-2010-3389--bug598549.patch 1970-01-01 02:00:00.000000000 +0200
+++ cluster-agents-1.0.3/debian/patches/CVE-2010-3389--bug598549.patch 2010-10-16 20:26:28.000000000 +0300
@@ -0,0 +1,53 @@
+From a4afa69fda9a375d7763e335c556231eaefe516d Mon Sep 17 00:00:00 2001
+From: Jari Aalto <jari.aalto@cante.net>
+Date: Sat, 16 Oct 2010 20:26:25 +0300
+Subject: [PATCH] CVE-2010-3389: insecure library loading
+Organization: Private
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Jari Aalto <jari.aalto@cante.net>
+---
+ heartbeat/SAPDatabase | 7 +++++--
+ heartbeat/SAPInstance | 7 +++++--
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/heartbeat/SAPDatabase b/heartbeat/SAPDatabase
+index 5e07046..e9574ea 100755
+--- a/heartbeat/SAPDatabase
++++ b/heartbeat/SAPDatabase
+@@ -966,8 +966,11 @@ else
+ fi
+
+ # as root user we need the library path to the SAP kernel to be able to call executables
+-if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
+- LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
++if [ "$DIR_EXECUTABLE" ]; then
++ if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
++ LD_LIBRARY_PATH="$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
++ export LD_LIBRARY_PATH
++ fi
+ fi
+ sidadm="`echo $SID | tr [:upper:] [:lower:]`adm"
+
+diff --git a/heartbeat/SAPInstance b/heartbeat/SAPInstance
+index 08f47f8..d7dea78 100755
+--- a/heartbeat/SAPInstance
++++ b/heartbeat/SAPInstance
+@@ -296,8 +296,11 @@ sapinstance_init() {
+ fi
+
+ # as root user we need the library path to the SAP kernel to be able to call sapcontrol
+- if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
+- LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
++ if [ "$DIR_EXECUTABLE" ]; then
++ if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
++ LD_LIBRARY_PATH="$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
++ export LD_LIBRARY_PATH
++ fi
+ fi
+
+ sidadm="`echo $SID | tr [:upper:] [:lower:]`adm"
+--
+1.7.1
+
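Review bot: the added `LD_LIBRARY_PATH="$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"` lines in both files only handle an empty LD_LIBRARY_PATH; for a value like '::' the result is '$DIR_EXECUTABLE:::', so the empty components this CVE is about are still present. The new outer `if [ "$DIR_EXECUTABLE" ]` guard is worthwhile (an empty DIR_EXECUTABLE would otherwise produce a leading empty component), but the inner `echo $LD_LIBRARY_PATH` is still unquoted. Normalise the value by dropping empty components before the prepend rather than only testing for emptiness.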
diff -Nru cluster-agents-1.0.3/debian/patches/series cluster-agents-1.0.3/debian/patches/series
--- cluster-agents-1.0.3/debian/patches/series 2010-05-03 20:31:33.000000000 +0300
+++ cluster-agents-1.0.3/debian/patches/series 2010-10-16 20:26:49.000000000 +0300
@@ -1 +1,2 @@
+CVE-2010-3389--bug598549.patch
spelling-fixes.patch
Message sent on to Raphael Geissert <geissert@debian.org>: Bug#598549. (Sat, 16 Oct 2010 17:42:06 GMT)
Message #48 received at 598549@bugs.debian.org from Simon Horman <horms@verge.net.au> (Sun, 17 Oct 2010 21:51:02 GMT):
On Sat, Oct 16, 2010 at 08:40:30PM +0300, jari.aalto@cante.net wrote:
>
> Dear maintainer,
>
> Here is the NMU diff according to DevRef 5.11.1[1][2] for bug: #598549.
> See the debian/patches directory for the important fixes.
>
> Let me know if it's okay to proceed with the NMU.
>
> Thank you for maintaining the package,
Hi Jari,
It's unclear to me that this patch covers all cases.
e.g.
$ DIR_EXECUTABLE=/abc
$ LD_LIBRARY_PATH="::"
$ /bin/echo "$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
/abc:::
Am I missing something?
> Jari Aalto
>
> [1] http://www.debian.org/doc/developers-reference/pkgs.html#nmu
> [2] http://dep.debian.net/deps/dep1.html
>
> lsdiff(1) of changes:
>
> cluster-agents-1.0.3/debian/changelog
> cluster-agents-1.0.3/debian/patches/CVE-2010-3389--bug598549.patch
> cluster-agents-1.0.3/debian/patches/series
>
> diffstat for cluster-agents-1.0.3 cluster-agents-1.0.3
>
> changelog | 8 ++++
> patches/CVE-2010-3389--bug598549.patch | 53 +++++++++++++++++++++++++++++++++
> patches/series | 1
> 3 files changed, 62 insertions(+)
>
> diff -Nru cluster-agents-1.0.3/debian/changelog cluster-agents-1.0.3/debian/changelog
> --- cluster-agents-1.0.3/debian/changelog 2010-05-04 16:04:18.000000000 +0300
> +++ cluster-agents-1.0.3/debian/changelog 2010-10-16 20:28:40.000000000 +0300
> @@ -1,3 +1,11 @@
> +cluster-agents (1:1.0.3-3.1) unstable; urgency=low
> +
> + * debian/patches
> + - (CVE-2010-3389--bug598549): New. Correct LD_LIBRARY_PATH handling.
> + (important, security; Closes: #598549).
> +
> + -- Jari Aalto <jari.aalto@cante.net> Sat, 16 Oct 2010 20:28:40 +0300
> +
> cluster-agents (1:1.0.3-3) unstable; urgency=low
>
> * Add build dependency on docbook-xml. (Closes: #579623)
> diff -Nru cluster-agents-1.0.3/debian/patches/CVE-2010-3389--bug598549.patch cluster-agents-1.0.3/debian/patches/CVE-2010-3389--bug598549.patch
> --- cluster-agents-1.0.3/debian/patches/CVE-2010-3389--bug598549.patch 1970-01-01 02:00:00.000000000 +0200
> +++ cluster-agents-1.0.3/debian/patches/CVE-2010-3389--bug598549.patch 2010-10-16 20:26:28.000000000 +0300
> @@ -0,0 +1,53 @@
> +From a4afa69fda9a375d7763e335c556231eaefe516d Mon Sep 17 00:00:00 2001
> +From: Jari Aalto <jari.aalto@cante.net>
> +Date: Sat, 16 Oct 2010 20:26:25 +0300
> +Subject: [PATCH] CVE-2010-3389: insecure library loading
> +Organization: Private
> +Content-Type: text/plain; charset="utf-8"
> +Content-Transfer-Encoding: 8bit
> +
> +Signed-off-by: Jari Aalto <jari.aalto@cante.net>
> +---
> + heartbeat/SAPDatabase | 7 +++++--
> + heartbeat/SAPInstance | 7 +++++--
> + 2 files changed, 10 insertions(+), 4 deletions(-)
> +
> +diff --git a/heartbeat/SAPDatabase b/heartbeat/SAPDatabase
> +index 5e07046..e9574ea 100755
> +--- a/heartbeat/SAPDatabase
> ++++ b/heartbeat/SAPDatabase
> +@@ -966,8 +966,11 @@ else
> + fi
> +
> + # as root user we need the library path to the SAP kernel to be able to call executables
> +-if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
> +- LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
> ++if [ "$DIR_EXECUTABLE" ]; then
> ++ if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
> ++ LD_LIBRARY_PATH="$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
> ++ export LD_LIBRARY_PATH
> ++ fi
> + fi
> + sidadm="`echo $SID | tr [:upper:] [:lower:]`adm"
> +
> +diff --git a/heartbeat/SAPInstance b/heartbeat/SAPInstance
> +index 08f47f8..d7dea78 100755
> +--- a/heartbeat/SAPInstance
> ++++ b/heartbeat/SAPInstance
> +@@ -296,8 +296,11 @@ sapinstance_init() {
> + fi
> +
> + # as root user we need the library path to the SAP kernel to be able to call sapcontrol
> +- if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
> +- LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
> ++ if [ "$DIR_EXECUTABLE" ]; then
> ++ if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
> ++ LD_LIBRARY_PATH="$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
> ++ export LD_LIBRARY_PATH
> ++ fi
> + fi
> +
> + sidadm="`echo $SID | tr [:upper:] [:lower:]`adm"
> +--
> +1.7.1
> +
> diff -Nru cluster-agents-1.0.3/debian/patches/series cluster-agents-1.0.3/debian/patches/series
> --- cluster-agents-1.0.3/debian/patches/series 2010-05-03 20:31:33.000000000 +0300
> +++ cluster-agents-1.0.3/debian/patches/series 2010-10-16 20:26:49.000000000 +0300
> @@ -1 +1,2 @@
> +CVE-2010-3389--bug598549.patch
> spelling-fixes.patch
Message sent on to Raphael Geissert <geissert@debian.org>: Bug#598549. (Sun, 17 Oct 2010 21:51:06 GMT)
Message #56 received at 598549@bugs.debian.org from Jari Aalto <jari.aalto@cante.net> (Sun, 17 Oct 2010 23:30:03 GMT):
Simon Horman <horms@verge.net.au> writes:
> On Sat, Oct 16, 2010 at 08:40:30PM +0300, jari.aalto@cante.net wrote:
>
>>
>> Dear maintainer,
>>
>> Here is the NMU diff according to DevRef 5.11.1[1][2] for bug: #598549.
>> See the debian/patches directory for the important fixes.
>>
>> Let me know if it's okay to proceed with the NMU.
>>
>> Thank you for maintaining the package,
>
> Hi Jari,
>
> Its unclear to me that this patch covers all cases.
>
> e.g
>
> $ DIR_EXECUTABLE=/abc
> $ LD_LIBRARY_PATH="::"
> $ /bin/echo "$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
> /abc:::
>
> Am I missing something?
Nice catch. Here is an update that incorporates this:
Ldpath ()
{
    # Vulnerability fix for insecure library loading
    # Make sure "::", "^:" or ":$" is not in $LD_LIBRARY_PATH.
    # A run of colons is collapsed to a single ':' (not deleted) so that
    # the components on either side of it are not glued together.
    local tmp
    tmp=$(echo "$LD_LIBRARY_PATH" | sed -e 's/::\+/:/g ; s/^:// ; s/:$//' )
    [ "$tmp" ] && echo "$tmp"
}
( DIR_EXECUTABLE=/abc
  LD_LIBRARY_PATH="::"
  LD_LIBRARY_PATH="$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
  Ldpath
)
# => /abc
Jari
[cluster-agents_1.0.3-3--1.0.3-3.1.deb.diff (text/x-diff, inline)]
diffstat for cluster-agents-1.0.3 cluster-agents-1.0.3
changelog | 9
patches/CVE-2010-3389--bug598549.patch | 53 +++
patches/debian-changes-1:1.0.3-3.1 | 553 +++++++++++++++++++++++++++++++++
patches/series | 2
4 files changed, 617 insertions(+)
diff -Nru cluster-agents-1.0.3/debian/changelog cluster-agents-1.0.3/debian/changelog
--- cluster-agents-1.0.3/debian/changelog 2010-05-04 16:04:18.000000000 +0300
+++ cluster-agents-1.0.3/debian/changelog 2010-10-17 00:59:07.000000000 +0300
@@ -1,3 +1,12 @@
+cluster-agents (1:1.0.3-3.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * debian/patches
+ - (CVE-2010-3389--bug598549): New. Correct LD_LIBRARY_PATH handling.
+ (important, security; Closes: #598549).
+
+ -- Jari Aalto <jari.aalto@cante.net> Sun, 17 Oct 2010 00:59:07 +0300
+
cluster-agents (1:1.0.3-3) unstable; urgency=low
* Add build dependency on docbook-xml. (Closes: #579623)
diff -Nru cluster-agents-1.0.3/debian/patches/CVE-2010-3389--bug598549.patch cluster-agents-1.0.3/debian/patches/CVE-2010-3389--bug598549.patch
--- cluster-agents-1.0.3/debian/patches/CVE-2010-3389--bug598549.patch 1970-01-01 02:00:00.000000000 +0200
+++ cluster-agents-1.0.3/debian/patches/CVE-2010-3389--bug598549.patch 2010-10-16 20:26:28.000000000 +0300
@@ -0,0 +1,53 @@
+From a4afa69fda9a375d7763e335c556231eaefe516d Mon Sep 17 00:00:00 2001
+From: Jari Aalto <jari.aalto@cante.net>
+Date: Sat, 16 Oct 2010 20:26:25 +0300
+Subject: [PATCH] CVE-2010-3389: insecure library loading
+Organization: Private
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Jari Aalto <jari.aalto@cante.net>
+---
+ heartbeat/SAPDatabase | 7 +++++--
+ heartbeat/SAPInstance | 7 +++++--
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/heartbeat/SAPDatabase b/heartbeat/SAPDatabase
+index 5e07046..e9574ea 100755
+--- a/heartbeat/SAPDatabase
++++ b/heartbeat/SAPDatabase
+@@ -966,8 +966,11 @@ else
+ fi
+
+ # as root user we need the library path to the SAP kernel to be able to call executables
+-if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
+- LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
++if [ "$DIR_EXECUTABLE" ]; then
++ if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
++ LD_LIBRARY_PATH="$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
++ export LD_LIBRARY_PATH
++ fi
+ fi
+ sidadm="`echo $SID | tr [:upper:] [:lower:]`adm"
+
+diff --git a/heartbeat/SAPInstance b/heartbeat/SAPInstance
+index 08f47f8..d7dea78 100755
+--- a/heartbeat/SAPInstance
++++ b/heartbeat/SAPInstance
+@@ -296,8 +296,11 @@ sapinstance_init() {
+ fi
+
+ # as root user we need the library path to the SAP kernel to be able to call sapcontrol
+- if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
+- LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
++ if [ "$DIR_EXECUTABLE" ]; then
++ if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
++ LD_LIBRARY_PATH="$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
++ export LD_LIBRARY_PATH
++ fi
+ fi
+
+ sidadm="`echo $SID | tr [:upper:] [:lower:]`adm"
+--
+1.7.1
+
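Review bot: the `${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}` expansion in both the SAPDatabase and the SAPInstance hunk only avoids appending a new trailing colon; every empty element already present in the inherited value passes through untouched, so an incoming `LD_LIBRARY_PATH="::"` still yields `/abc:::` (Simon Horman's case above) and ld.so keeps searching the current directory. The new `if [ "$DIR_EXECUTABLE" ]` guard is right, since it prevents a leading colon when the variable is unset, but the inherited value needs its own cleaning pass before the directory is prepended. Minor, in the retained context line: `echo $LD_LIBRARY_PATH` is unquoted and `grep -c "^$DIR_EXECUTABLE\>"` treats the directory as a regular expression and only recognises it at the head of the list; a whole-element comparison such as `case ":$LD_LIBRARY_PATH:" in *":$DIR_EXECUTABLE:"*)` would be more robust.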
diff -Nru cluster-agents-1.0.3/debian/patches/debian-changes-1:1.0.3-3.1 cluster-agents-1.0.3/debian/patches/debian-changes-1:1.0.3-3.1
--- cluster-agents-1.0.3/debian/patches/debian-changes-1:1.0.3-3.1 1970-01-01 02:00:00.000000000 +0200
+++ cluster-agents-1.0.3/debian/patches/debian-changes-1:1.0.3-3.1 2010-10-17 00:59:28.000000000 +0300
@@ -0,0 +1,553 @@
+Description: Upstream changes introduced in version 1:1.0.3-3.1
+ This patch has been created by dpkg-source during the package build.
+ Here's the last changelog entry, hopefully it gives details on why
+ those changes were made:
+ .
+ cluster-agents (1:1.0.3-3.1) unstable; urgency=low
+ .
+ * Non-maintainer upload.
+ * debian/patches
+ - (CVE-2010-3389--bug598549): New. Correct LD_LIBRARY_PATH handling.
+ (important, security; Closes: #598549).
+ .
+ The person named in the Author field signed this changelog entry.
+Author: Jari Aalto <jari.aalto@cante.net>
+Bug-Debian: http://bugs.debian.org/598549
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: http://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: <YYYY-MM-DD>
+
+--- /dev/null
++++ cluster-agents-1.0.3/tools/ocft/Makefile.in
+@@ -0,0 +1,521 @@
++# Makefile.in generated by automake 1.11.1 from Makefile.am.
++# @configure_input@
++
++# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
++# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
++# Inc.
++# This Makefile.in is free software; the Free Software Foundation
++# gives unlimited permission to copy and/or distribute it,
++# with or without modifications, as long as this notice is preserved.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
++# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
++# PARTICULAR PURPOSE.
++
++@SET_MAKE@
++
++# Author: John Shi
++# jshi@suse.de
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License
++# as published by the Free Software Foundation; either version 2
++# of the License, or (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
++#
++
++
++VPATH = @srcdir@
++pkgdatadir = $(datadir)/@PACKAGE@
++pkgincludedir = $(includedir)/@PACKAGE@
++pkglibdir = $(libdir)/@PACKAGE@
++pkglibexecdir = $(libexecdir)/@PACKAGE@
++am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
++install_sh_DATA = $(install_sh) -c -m 644
++install_sh_PROGRAM = $(install_sh) -c
++install_sh_SCRIPT = $(install_sh) -c
++INSTALL_HEADER = $(INSTALL_DATA)
++transform = $(program_transform_name)
++NORMAL_INSTALL = :
++PRE_INSTALL = :
++POST_INSTALL = :
++NORMAL_UNINSTALL = :
++PRE_UNINSTALL = :
++POST_UNINSTALL = :
++build_triplet = @build@
++host_triplet = @host@
++subdir = tools/ocft
++DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
++ $(srcdir)/README.in $(srcdir)/README.zh_CN.in \
++ $(srcdir)/caselib.in $(srcdir)/ocft.in ChangeLog
++ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
++am__aclocal_m4_deps = $(top_srcdir)/configure.in
++am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
++ $(ACLOCAL_M4)
++mkinstalldirs = $(install_sh) -d
++CONFIG_HEADER = $(top_builddir)/include/config.h \
++ $(top_builddir)/include/agent_config.h
++CONFIG_CLEAN_FILES = ocft caselib README README.zh_CN
++CONFIG_CLEAN_VPATH_FILES =
++am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
++am__vpath_adj = case $$p in \
++ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
++ *) f=$$p;; \
++ esac;
++am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
++am__install_max = 40
++am__nobase_strip_setup = \
++ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
++am__nobase_strip = \
++ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
++am__nobase_list = $(am__nobase_strip_setup); \
++ for p in $$list; do echo "$$p $$p"; done | \
++ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
++ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
++ if (++n[$$2] == $(am__install_max)) \
++ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
++ END { for (dir in files) print dir, files[dir] }'
++am__base_list = \
++ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
++ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
++am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(ocftdir)" \
++ "$(DESTDIR)$(ocftcfgsdir)"
++SCRIPTS = $(sbin_SCRIPTS)
++SOURCES =
++DIST_SOURCES =
++DATA = $(ocft_DATA) $(ocftcfgs_DATA)
++DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
++ACLOCAL = @ACLOCAL@
++AMTAR = @AMTAR@
++AUTOCONF = @AUTOCONF@
++AUTOHEADER = @AUTOHEADER@
++AUTOMAKE = @AUTOMAKE@
++AWK = @AWK@
++BUILD_VERSION = @BUILD_VERSION@
++CC = @CC@
++CCDEPMODE = @CCDEPMODE@
++CFLAGS = @CFLAGS@
++CFLAGS_COPY = @CFLAGS_COPY@
++CPP = @CPP@
++CPPFLAGS = @CPPFLAGS@
++CYGPATH_W = @CYGPATH_W@
++DEFS = @DEFS@
++DEPDIR = @DEPDIR@
++ECHO_C = @ECHO_C@
++ECHO_N = @ECHO_N@
++ECHO_T = @ECHO_T@
++EGREP = @EGREP@
++EXEEXT = @EXEEXT@
++GLUE_STATE_DIR = @GLUE_STATE_DIR@
++GREP = @GREP@
++HA_VARLIBHBDIR = @HA_VARLIBHBDIR@
++HA_VARRUNDIR = @HA_VARRUNDIR@
++HG = @HG@
++IFCONFIG = @IFCONFIG@
++IFCONFIG_A_OPT = @IFCONFIG_A_OPT@
++INITDIR = @INITDIR@
++INIT_EXT = @INIT_EXT@
++INSTALL = @INSTALL@
++INSTALL_DATA = @INSTALL_DATA@
++INSTALL_PROGRAM = @INSTALL_PROGRAM@
++INSTALL_SCRIPT = @INSTALL_SCRIPT@
++INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
++LDFLAGS = @LDFLAGS@
++LIBNETCONFIG = @LIBNETCONFIG@
++LIBNETDEFINES = @LIBNETDEFINES@
++LIBNETLIBS = @LIBNETLIBS@
++LIBOBJS = @LIBOBJS@
++LIBS = @LIBS@
++LOCALE = @LOCALE@
++LTLIBOBJS = @LTLIBOBJS@
++MAILCMD = @MAILCMD@
++MAKE = @MAKE@
++MAKEINFO = @MAKEINFO@
++MD5 = @MD5@
++MKDIR_P = @MKDIR_P@
++NON_FATAL_CFLAGS = @NON_FATAL_CFLAGS@
++OBJEXT = @OBJEXT@
++OCF_RA_DIR = @OCF_RA_DIR@
++OCF_ROOT_DIR = @OCF_ROOT_DIR@
++PACKAGE = @PACKAGE@
++PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
++PACKAGE_NAME = @PACKAGE_NAME@
++PACKAGE_STRING = @PACKAGE_STRING@
++PACKAGE_TARNAME = @PACKAGE_TARNAME@
++PACKAGE_URL = @PACKAGE_URL@
++PACKAGE_VERSION = @PACKAGE_VERSION@
++PATH_SEPARATOR = @PATH_SEPARATOR@
++PING = @PING@
++PKGCONFIG = @PKGCONFIG@
++PKGNAME = @PKGNAME@
++POD2MAN = @POD2MAN@
++POWEROFF_CMD = @POWEROFF_CMD@
++POWEROFF_OPTIONS = @POWEROFF_OPTIONS@
++PYTHON = @PYTHON@
++PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
++PYTHON_PLATFORM = @PYTHON_PLATFORM@
++PYTHON_PREFIX = @PYTHON_PREFIX@
++PYTHON_VERSION = @PYTHON_VERSION@
++REBOOT = @REBOOT@
++REBOOT_OPTIONS = @REBOOT_OPTIONS@
++ROUTE = @ROUTE@
++SCP = @SCP@
++SET_MAKE = @SET_MAKE@
++SHELL = @SHELL@
++SSH = @SSH@
++STRIP = @STRIP@
++TAR = @TAR@
++TEST = @TEST@
++VERSION = @VERSION@
++XSLTPROC = @XSLTPROC@
++abs_builddir = @abs_builddir@
++abs_srcdir = @abs_srcdir@
++abs_top_builddir = @abs_top_builddir@
++abs_top_srcdir = @abs_top_srcdir@
++ac_ct_CC = @ac_ct_CC@
++am__include = @am__include@
++am__leading_dot = @am__leading_dot@
++am__quote = @am__quote@
++am__tar = @am__tar@
++am__untar = @am__untar@
++bindir = @bindir@
++build = @build@
++build_alias = @build_alias@
++build_cpu = @build_cpu@
++build_os = @build_os@
++build_vendor = @build_vendor@
++builddir = @builddir@
++datadir = @datadir@
++datarootdir = @datarootdir@
++docdir = @docdir@
++dvidir = @dvidir@
++exec_prefix = @exec_prefix@
++host = @host@
++host_alias = @host_alias@
++host_cpu = @host_cpu@
++host_os = @host_os@
++host_vendor = @host_vendor@
++htmldir = @htmldir@
++includedir = @includedir@
++infodir = @infodir@
++install_sh = @install_sh@
++libdir = @libdir@
++libexecdir = @libexecdir@
++localedir = @localedir@
++localstatedir = @localstatedir@
++mandir = @mandir@
++mkdir_p = @mkdir_p@
++oldincludedir = @oldincludedir@
++pdfdir = @pdfdir@
++pkgpyexecdir = @pkgpyexecdir@
++pkgpythondir = @pkgpythondir@
++prefix = @prefix@
++program_transform_name = @program_transform_name@
++psdir = @psdir@
++pyexecdir = @pyexecdir@
++pythondir = @pythondir@
++sbindir = @sbindir@
++sharedstatedir = @sharedstatedir@
++srcdir = @srcdir@
++sysconfdir = @sysconfdir@
++target_alias = @target_alias@
++top_build_prefix = @top_build_prefix@
++top_builddir = @top_builddir@
++top_srcdir = @top_srcdir@
++MAINTAINERCLEANFILES = Makefile.in
++EXTRA_DIST = $(ocftcfgs_DATA) $(ocft_DATA)
++sbin_SCRIPTS = ocft
++ocftcfgsdir = $(datadir)/$(PACKAGE_NAME)/ocft/configs
++ocftcfgs_DATA = apache \
++ IPaddr2 \
++ IPsrcaddr \
++ MailTo \
++ mysql \
++ nfsserver \
++ portblock \
++ SendArp
++
++ocftdir = $(datadir)/$(PACKAGE_NAME)/ocft
++ocft_DATA = README \
++ README.zh_CN \
++ caselib
++
++all: all-am
++
++.SUFFIXES:
++$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
++ @for dep in $?; do \
++ case '$(am__configure_deps)' in \
++ *$$dep*) \
++ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
++ && { if test -f $@; then exit 0; else break; fi; }; \
++ exit 1;; \
++ esac; \
++ done; \
++ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu tools/ocft/Makefile'; \
++ $(am__cd) $(top_srcdir) && \
++ $(AUTOMAKE) --gnu tools/ocft/Makefile
++.PRECIOUS: Makefile
++Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
++ @case '$?' in \
++ *config.status*) \
++ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
++ *) \
++ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
++ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
++ esac;
++
++$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
++ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
++
++$(top_srcdir)/configure: $(am__configure_deps)
++ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
++$(ACLOCAL_M4): $(am__aclocal_m4_deps)
++ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
++$(am__aclocal_m4_deps):
++ocft: $(top_builddir)/config.status $(srcdir)/ocft.in
++ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
++caselib: $(top_builddir)/config.status $(srcdir)/caselib.in
++ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
++README: $(top_builddir)/config.status $(srcdir)/README.in
++ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
++README.zh_CN: $(top_builddir)/config.status $(srcdir)/README.zh_CN.in
++ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
++install-sbinSCRIPTS: $(sbin_SCRIPTS)
++ @$(NORMAL_INSTALL)
++ test -z "$(sbindir)" || $(MKDIR_P) "$(DESTDIR)$(sbindir)"
++ @list='$(sbin_SCRIPTS)'; test -n "$(sbindir)" || list=; \
++ for p in $$list; do \
++ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
++ if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \
++ done | \
++ sed -e 'p;s,.*/,,;n' \
++ -e 'h;s|.*|.|' \
++ -e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \
++ $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \
++ { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
++ if ($$2 == $$4) { files[d] = files[d] " " $$1; \
++ if (++n[d] == $(am__install_max)) { \
++ print "f", d, files[d]; n[d] = 0; files[d] = "" } } \
++ else { print "f", d "/" $$4, $$1 } } \
++ END { for (d in files) print "f", d, files[d] }' | \
++ while read type dir files; do \
++ if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
++ test -z "$$files" || { \
++ echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(sbindir)$$dir'"; \
++ $(INSTALL_SCRIPT) $$files "$(DESTDIR)$(sbindir)$$dir" || exit $$?; \
++ } \
++ ; done
++
++uninstall-sbinSCRIPTS:
++ @$(NORMAL_UNINSTALL)
++ @list='$(sbin_SCRIPTS)'; test -n "$(sbindir)" || exit 0; \
++ files=`for p in $$list; do echo "$$p"; done | \
++ sed -e 's,.*/,,;$(transform)'`; \
++ test -n "$$list" || exit 0; \
++ echo " ( cd '$(DESTDIR)$(sbindir)' && rm -f" $$files ")"; \
++ cd "$(DESTDIR)$(sbindir)" && rm -f $$files
++install-ocftDATA: $(ocft_DATA)
++ @$(NORMAL_INSTALL)
++ test -z "$(ocftdir)" || $(MKDIR_P) "$(DESTDIR)$(ocftdir)"
++ @list='$(ocft_DATA)'; test -n "$(ocftdir)" || list=; \
++ for p in $$list; do \
++ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
++ echo "$$d$$p"; \
++ done | $(am__base_list) | \
++ while read files; do \
++ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(ocftdir)'"; \
++ $(INSTALL_DATA) $$files "$(DESTDIR)$(ocftdir)" || exit $$?; \
++ done
++
++uninstall-ocftDATA:
++ @$(NORMAL_UNINSTALL)
++ @list='$(ocft_DATA)'; test -n "$(ocftdir)" || list=; \
++ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
++ test -n "$$files" || exit 0; \
++ echo " ( cd '$(DESTDIR)$(ocftdir)' && rm -f" $$files ")"; \
++ cd "$(DESTDIR)$(ocftdir)" && rm -f $$files
++install-ocftcfgsDATA: $(ocftcfgs_DATA)
++ @$(NORMAL_INSTALL)
++ test -z "$(ocftcfgsdir)" || $(MKDIR_P) "$(DESTDIR)$(ocftcfgsdir)"
++ @list='$(ocftcfgs_DATA)'; test -n "$(ocftcfgsdir)" || list=; \
++ for p in $$list; do \
++ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
++ echo "$$d$$p"; \
++ done | $(am__base_list) | \
++ while read files; do \
++ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(ocftcfgsdir)'"; \
++ $(INSTALL_DATA) $$files "$(DESTDIR)$(ocftcfgsdir)" || exit $$?; \
++ done
++
++uninstall-ocftcfgsDATA:
++ @$(NORMAL_UNINSTALL)
++ @list='$(ocftcfgs_DATA)'; test -n "$(ocftcfgsdir)" || list=; \
++ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
++ test -n "$$files" || exit 0; \
++ echo " ( cd '$(DESTDIR)$(ocftcfgsdir)' && rm -f" $$files ")"; \
++ cd "$(DESTDIR)$(ocftcfgsdir)" && rm -f $$files
++tags: TAGS
++TAGS:
++
++ctags: CTAGS
++CTAGS:
++
++
++distdir: $(DISTFILES)
++ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
++ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
++ list='$(DISTFILES)'; \
++ dist_files=`for file in $$list; do echo $$file; done | \
++ sed -e "s|^$$srcdirstrip/||;t" \
++ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
++ case $$dist_files in \
++ */*) $(MKDIR_P) `echo "$$dist_files" | \
++ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
++ sort -u` ;; \
++ esac; \
++ for file in $$dist_files; do \
++ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
++ if test -d $$d/$$file; then \
++ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
++ if test -d "$(distdir)/$$file"; then \
++ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
++ fi; \
++ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
++ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
++ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
++ fi; \
++ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
++ else \
++ test -f "$(distdir)/$$file" \
++ || cp -p $$d/$$file "$(distdir)/$$file" \
++ || exit 1; \
++ fi; \
++ done
++check-am: all-am
++check: check-am
++all-am: Makefile $(SCRIPTS) $(DATA)
++installdirs:
++ for dir in "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(ocftdir)" "$(DESTDIR)$(ocftcfgsdir)"; do \
++ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
++ done
++install: install-am
++install-exec: install-exec-am
++install-data: install-data-am
++uninstall: uninstall-am
++
++install-am: all-am
++ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
++
++installcheck: installcheck-am
++install-strip:
++ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
++ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
++ `test -z '$(STRIP)' || \
++ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
++mostlyclean-generic:
++
++clean-generic:
++
++distclean-generic:
++ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
++ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
++
++maintainer-clean-generic:
++ @echo "This command is intended for maintainers to use"
++ @echo "it deletes files that may require special tools to rebuild."
++ -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES)
++clean: clean-am
++
++clean-am: clean-generic mostlyclean-am
++
++distclean: distclean-am
++ -rm -f Makefile
++distclean-am: clean-am distclean-generic
++
++dvi: dvi-am
++
++dvi-am:
++
++html: html-am
++
++html-am:
++
++info: info-am
++
++info-am:
++
++install-data-am: install-ocftDATA install-ocftcfgsDATA
++
++install-dvi: install-dvi-am
++
++install-dvi-am:
++
++install-exec-am: install-sbinSCRIPTS
++
++install-html: install-html-am
++
++install-html-am:
++
++install-info: install-info-am
++
++install-info-am:
++
++install-man:
++
++install-pdf: install-pdf-am
++
++install-pdf-am:
++
++install-ps: install-ps-am
++
++install-ps-am:
++
++installcheck-am:
++
++maintainer-clean: maintainer-clean-am
++ -rm -f Makefile
++maintainer-clean-am: distclean-am maintainer-clean-generic
++
++mostlyclean: mostlyclean-am
++
++mostlyclean-am: mostlyclean-generic
++
++pdf: pdf-am
++
++pdf-am:
++
++ps: ps-am
++
++ps-am:
++
++uninstall-am: uninstall-ocftDATA uninstall-ocftcfgsDATA \
++ uninstall-sbinSCRIPTS
++
++.MAKE: install-am install-strip
++
++.PHONY: all all-am check check-am clean clean-generic distclean \
++ distclean-generic distdir dvi dvi-am html html-am info info-am \
++ install install-am install-data install-data-am install-dvi \
++ install-dvi-am install-exec install-exec-am install-html \
++ install-html-am install-info install-info-am install-man \
++ install-ocftDATA install-ocftcfgsDATA install-pdf \
++ install-pdf-am install-ps install-ps-am install-sbinSCRIPTS \
++ install-strip installcheck installcheck-am installdirs \
++ maintainer-clean maintainer-clean-generic mostlyclean \
++ mostlyclean-generic pdf pdf-am ps ps-am uninstall uninstall-am \
++ uninstall-ocftDATA uninstall-ocftcfgsDATA \
++ uninstall-sbinSCRIPTS
++
++
++# Tell versions [3.59,3.63) of GNU make to not export all variables.
++# Otherwise a system limit (for SysV at least) may be exceeded.
++.NOEXPORT:
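Review bot: this generated patch carries nothing but a 521-line automake-generated `tools/ocft/Makefile.in`, unrelated to the CVE-2010-3389 fix; by its own header it was produced by dpkg-source picking up a file left behind in the source tree during the build. Clean the tree (or exclude the generated file) before building the NMU so that the upload contains only the security fix, and drop `debian-changes-1:1.0.3-3.1` from `debian/patches/series` accordingly.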
diff -Nru cluster-agents-1.0.3/debian/patches/series cluster-agents-1.0.3/debian/patches/series
--- cluster-agents-1.0.3/debian/patches/series 2010-05-03 20:31:33.000000000 +0300
+++ cluster-agents-1.0.3/debian/patches/series 2010-10-17 00:59:28.000000000 +0300
@@ -1 +1,3 @@
+CVE-2010-3389--bug598549.patch
spelling-fixes.patch
+debian-changes-1:1.0.3-3.1
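The sanitising step the two messages above argue about, as an added example that is not part of this thread or of the cluster-agents package: a POSIX sh function that prepends a directory to an inherited LD_LIBRARY_PATH while dropping every element ld.so would resolve against the current directory, plus a check that flags such an element in an existing value. It goes beyond the thread in also dropping relative entries, which ld.so likewise resolves from the cwd; the function names and the sample values are constructed.

```shell
#!/bin/sh
# Added example, not code from the cluster-agents package or this thread.
# ld.so(8) treats an empty element of LD_LIBRARY_PATH ("::", a leading or a
# trailing ":") as the current working directory, and resolves a relative
# element from the cwd as well. Both kinds are dropped here; the relative
# case goes beyond what the thread discusses. Function names and sample
# values are constructed for the example.

# sanitize_ldpath DIR [PATHLIST]
# Prints DIR followed by the usable elements of PATHLIST, or nothing when no
# usable element is left. The body runs in a subshell so its variables stay
# local without relying on the non-POSIX 'local'.
sanitize_ldpath() (
    dir=$1
    list=$2
    out=

    # Only an absolute directory may be prepended.
    case $dir in
        /*) out=$dir ;;
    esac

    # Split on ':' by hand rather than via IFS so that consecutive colons
    # still produce an (empty) element that can be rejected explicitly.
    rest=${list}:
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            '') continue ;;     # empty element -> cwd, drop
            /*) ;;              # absolute path, keep
            *)  continue ;;     # relative ("." or "lib") -> cwd-relative, drop
        esac
        # Compare whole elements: /abc must not be mistaken for /abcd or /abc/x,
        # which is what a grep "^$DIR_EXECUTABLE" prefix test would do.
        case ":$out:" in
            *":$entry:"*) continue ;;
        esac
        if [ -n "$out" ]; then out=$out:$entry; else out=$entry; fi
    done

    if [ -n "$out" ]; then
        printf '%s\n' "$out"
    fi
)

# ldpath_has_cwd_entry PATHLIST
# Exit status 0 when PATHLIST contains an element that ld.so would search
# relative to the cwd (empty or relative), 1 otherwise. An unset or empty
# LD_LIBRARY_PATH is ignored by ld.so and therefore reports 1.
ldpath_has_cwd_entry() {
    [ -n "$1" ] || return 1
    case ":$1:" in
        *::*)    return 0 ;;    # "::", "^:" or ":$"
        *:[!/]*) return 0 ;;    # an element not starting with "/"
    esac
    return 1
}

# Simon Horman's case from the thread: the inherited "::" must not survive.
sanitize_ldpath /abc "::"              # prints /abc
```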
Message sent on
to Raphael Geissert <geissert@debian.org>:
Bug#598549.
(Sun, 17 Oct 2010 23:30:07 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian HA Maintainers <debian-ha-maintainers@lists.alioth.debian.org>:
Bug#598549; Package cluster-agents.
(Mon, 18 Oct 2010 12:15:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Jari Aalto <jari.aalto@cante.net>:
Extra info received and forwarded to list. Copy sent to Debian HA Maintainers <debian-ha-maintainers@lists.alioth.debian.org>.
(Mon, 18 Oct 2010 12:15:06 GMT) (full text, mbox, link).
Message #64 received at 598549@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Slightly updated NMU proposal: adds path_clean() and sapinstance_path_clean()
lsdiff(1):
cluster-agents-1.0.3/debian/changelog
cluster-agents-1.0.3/debian/patches/CVE-2010-3389--bug598549.patch
cluster-agents-1.0.3/debian/patches/debian-changes-1:1.0.3-3.1
cluster-agents-1.0.3/debian/patches/series
[cluster-agents_1.0.3-3--1.0.3-3.1.deb.diff (text/x-diff, inline)]
diffstat for cluster-agents-1.0.3 cluster-agents-1.0.3
changelog | 9
patches/CVE-2010-3389--bug598549.patch | 83 ++++
patches/debian-changes-1:1.0.3-3.1 | 553 +++++++++++++++++++++++++++++++++
patches/series | 2
4 files changed, 647 insertions(+)
diff -Nru cluster-agents-1.0.3/debian/changelog cluster-agents-1.0.3/debian/changelog
--- cluster-agents-1.0.3/debian/changelog 2010-05-04 16:04:18.000000000 +0300
+++ cluster-agents-1.0.3/debian/changelog 2010-10-18 02:11:38.000000000 +0300
@@ -1,3 +1,12 @@
+cluster-agents (1:1.0.3-3.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * debian/patches
+ - (CVE-2010-3389--bug598549): New. Correct LD_LIBRARY_PATH handling.
+ (important, security; Closes: #598549).
+
+ -- Jari Aalto <jari.aalto@cante.net> Sun, 17 Oct 2010 00:59:07 +0300
+
cluster-agents (1:1.0.3-3) unstable; urgency=low
* Add build dependency on docbook-xml. (Closes: #579623)
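Review bot: the changelog entry is byte-for-byte the one from the first proposal (same `Sun, 17 Oct 2010 00:59:07 +0300` timestamp) although this revision adds path_clean() and sapinstance_path_clean(); refresh the date and extend the `debian/patches` item so the entry describes what is actually being uploaded.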
diff -Nru cluster-agents-1.0.3/debian/patches/CVE-2010-3389--bug598549.patch cluster-agents-1.0.3/debian/patches/CVE-2010-3389--bug598549.patch
--- cluster-agents-1.0.3/debian/patches/CVE-2010-3389--bug598549.patch 1970-01-01 02:00:00.000000000 +0200
+++ cluster-agents-1.0.3/debian/patches/CVE-2010-3389--bug598549.patch 2010-10-18 15:00:01.000000000 +0300
@@ -0,0 +1,83 @@
+From 4551b292426d730872f903dbe1d47d6fa8c8875c Mon Sep 17 00:00:00 2001
+From: Jari Aalto <jari.aalto@cante.net>
+Date: Sat, 16 Oct 2010 20:26:25 +0300
+Subject: [PATCH] CVE-2010-3389 insecure library loading Bug#598549
+Organization: Private
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Jari Aalto <jari.aalto@cante.net>
+---
+ heartbeat/SAPDatabase | 15 ++++++++++++++-
+ heartbeat/SAPInstance | 15 ++++++++++++++-
+ 2 files changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/heartbeat/SAPDatabase b/heartbeat/SAPDatabase
+index 5e07046..a1bfd4f 100755
+--- a/heartbeat/SAPDatabase
++++ b/heartbeat/SAPDatabase
+@@ -65,6 +65,17 @@ usage() {
+ !
+ }
+
++path_clean ()
++{
++ # Vulnerability fix for insecure path content
++ # Make sure "::", "^:" or ":$" is not left in path arg $1
++
++ local tmp
++ tmp=$(echo "$1" | sed -e 's/::\+// ; s/^:// ; s/:$//' )
++
++ [ "$tmp" ] && echo "$tmp"
++}
++
+ meta_data() {
+ cat <<END
+ <?xml version="1.0"?>
+@@ -967,7 +978,9 @@ fi
+
+ # as root user we need the library path to the SAP kernel to be able to call executables
+ if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
+- LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
++ LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH
++ LD_LIBRARY_PATH=$(path_clean "$LD_LIBRARY_PATH")
++ [ "$LD_LIBRARY_PATH" ] && export LD_LIBRARY_PATH
+ fi
+ sidadm="`echo $SID | tr [:upper:] [:lower:]`adm"
+
+diff --git a/heartbeat/SAPInstance b/heartbeat/SAPInstance
+index 08f47f8..9b42aec 100755
+--- a/heartbeat/SAPInstance
++++ b/heartbeat/SAPInstance
+@@ -62,6 +62,17 @@ sapinstance_usage() {
+ !
+ }
+
++sapinstance_path_clean ()
++{
++ # Vulnerability fix for insecure path content
++ # Make sure "::", "^:" or ":$" is not left in path arg $1
++
++ local tmp
++ tmp=$(echo "$1" | sed -e 's/::\+// ; s/^:// ; s/:$//' )
++
++ [ "$tmp" ] && echo "$tmp"
++}
++
+ sapinstance_meta_data() {
+ cat <<END
+ <?xml version="1.0"?>
+@@ -297,7 +308,9 @@ sapinstance_init() {
+
+ # as root user we need the library path to the SAP kernel to be able to call sapcontrol
+ if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
+- LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
++ LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH
++ LD_LIBRARY_PATH=$(sapinstance_path_clean "$LD_LIBRARY_PATH")
++ [ "$LD_LIBRARY_PATH" ] && export LD_LIBRARY_PATH
+ fi
+
+ sidadm="`echo $SID | tr [:upper:] [:lower:]`adm"
+--
+1.7.1
+
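Review bot: `sed -e 's/::\+// ; s/^:// ; s/:$//'` in both path_clean() and sapinstance_path_clean() deletes the run of colons instead of collapsing it to a single `:`, so two neighbouring elements are glued into one non-existent path (`/a::/b` becomes `/a/b`), and without the `g` flag only the first run is touched (`/a::/b::/c` becomes `/a/b::/c`, and the surviving `::` still points ld.so at the current directory); `s/::\+/:/g ; s/^:// ; s/:$//` fixes both. The two helpers are identical copies, so a single shared function would keep the agents from drifting apart. The `[ "$DIR_EXECUTABLE" ]` guard from the previous revision is gone; with an empty `DIR_EXECUTABLE` the unconditional `LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH` now relies on the `s/^://` substitution to remove the leading colon it just created, which works but deserves a comment.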
diff -Nru cluster-agents-1.0.3/debian/patches/debian-changes-1:1.0.3-3.1 cluster-agents-1.0.3/debian/patches/debian-changes-1:1.0.3-3.1
--- cluster-agents-1.0.3/debian/patches/debian-changes-1:1.0.3-3.1 1970-01-01 02:00:00.000000000 +0200
+++ cluster-agents-1.0.3/debian/patches/debian-changes-1:1.0.3-3.1 2010-10-18 15:00:26.000000000 +0300
@@ -0,0 +1,553 @@
+Description: Upstream changes introduced in version 1:1.0.3-3.1
+ This patch has been created by dpkg-source during the package build.
+ Here's the last changelog entry, hopefully it gives details on why
+ those changes were made:
+ .
+ cluster-agents (1:1.0.3-3.1) unstable; urgency=low
+ .
+ * Non-maintainer upload.
+ * debian/patches
+ - (CVE-2010-3389--bug598549): New. Correct LD_LIBRARY_PATH handling.
+ (important, security; Closes: #598549).
+ .
+ The person named in the Author field signed this changelog entry.
+Author: Jari Aalto <jari.aalto@cante.net>
+Bug-Debian: http://bugs.debian.org/598549
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: http://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: <YYYY-MM-DD>
+
+--- /dev/null
++++ cluster-agents-1.0.3/tools/ocft/Makefile.in
+@@ -0,0 +1,521 @@
++# Makefile.in generated by automake 1.11.1 from Makefile.am.
++# @configure_input@
++
++# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
++# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
++# Inc.
++# This Makefile.in is free software; the Free Software Foundation
++# gives unlimited permission to copy and/or distribute it,
++# with or without modifications, as long as this notice is preserved.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
++# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
++# PARTICULAR PURPOSE.
++
++@SET_MAKE@
++
++# Author: John Shi
++# jshi@suse.de
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License
++# as published by the Free Software Foundation; either version 2
++# of the License, or (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
++#
++
++
++VPATH = @srcdir@
++pkgdatadir = $(datadir)/@PACKAGE@
++pkgincludedir = $(includedir)/@PACKAGE@
++pkglibdir = $(libdir)/@PACKAGE@
++pkglibexecdir = $(libexecdir)/@PACKAGE@
++am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
++install_sh_DATA = $(install_sh) -c -m 644
++install_sh_PROGRAM = $(install_sh) -c
++install_sh_SCRIPT = $(install_sh) -c
++INSTALL_HEADER = $(INSTALL_DATA)
++transform = $(program_transform_name)
++NORMAL_INSTALL = :
++PRE_INSTALL = :
++POST_INSTALL = :
++NORMAL_UNINSTALL = :
++PRE_UNINSTALL = :
++POST_UNINSTALL = :
++build_triplet = @build@
++host_triplet = @host@
++subdir = tools/ocft
++DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
++ $(srcdir)/README.in $(srcdir)/README.zh_CN.in \
++ $(srcdir)/caselib.in $(srcdir)/ocft.in ChangeLog
++ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
++am__aclocal_m4_deps = $(top_srcdir)/configure.in
++am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
++ $(ACLOCAL_M4)
++mkinstalldirs = $(install_sh) -d
++CONFIG_HEADER = $(top_builddir)/include/config.h \
++ $(top_builddir)/include/agent_config.h
++CONFIG_CLEAN_FILES = ocft caselib README README.zh_CN
++CONFIG_CLEAN_VPATH_FILES =
++am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
++am__vpath_adj = case $$p in \
++ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
++ *) f=$$p;; \
++ esac;
++am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
++am__install_max = 40
++am__nobase_strip_setup = \
++ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
++am__nobase_strip = \
++ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
++am__nobase_list = $(am__nobase_strip_setup); \
++ for p in $$list; do echo "$$p $$p"; done | \
++ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
++ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
++ if (++n[$$2] == $(am__install_max)) \
++ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
++ END { for (dir in files) print dir, files[dir] }'
++am__base_list = \
++ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
++ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
++am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(ocftdir)" \
++ "$(DESTDIR)$(ocftcfgsdir)"
++SCRIPTS = $(sbin_SCRIPTS)
++SOURCES =
++DIST_SOURCES =
++DATA = $(ocft_DATA) $(ocftcfgs_DATA)
++DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
++ACLOCAL = @ACLOCAL@
++AMTAR = @AMTAR@
++AUTOCONF = @AUTOCONF@
++AUTOHEADER = @AUTOHEADER@
++AUTOMAKE = @AUTOMAKE@
++AWK = @AWK@
++BUILD_VERSION = @BUILD_VERSION@
++CC = @CC@
++CCDEPMODE = @CCDEPMODE@
++CFLAGS = @CFLAGS@
++CFLAGS_COPY = @CFLAGS_COPY@
++CPP = @CPP@
++CPPFLAGS = @CPPFLAGS@
++CYGPATH_W = @CYGPATH_W@
++DEFS = @DEFS@
++DEPDIR = @DEPDIR@
++ECHO_C = @ECHO_C@
++ECHO_N = @ECHO_N@
++ECHO_T = @ECHO_T@
++EGREP = @EGREP@
++EXEEXT = @EXEEXT@
++GLUE_STATE_DIR = @GLUE_STATE_DIR@
++GREP = @GREP@
++HA_VARLIBHBDIR = @HA_VARLIBHBDIR@
++HA_VARRUNDIR = @HA_VARRUNDIR@
++HG = @HG@
++IFCONFIG = @IFCONFIG@
++IFCONFIG_A_OPT = @IFCONFIG_A_OPT@
++INITDIR = @INITDIR@
++INIT_EXT = @INIT_EXT@
++INSTALL = @INSTALL@
++INSTALL_DATA = @INSTALL_DATA@
++INSTALL_PROGRAM = @INSTALL_PROGRAM@
++INSTALL_SCRIPT = @INSTALL_SCRIPT@
++INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
++LDFLAGS = @LDFLAGS@
++LIBNETCONFIG = @LIBNETCONFIG@
++LIBNETDEFINES = @LIBNETDEFINES@
++LIBNETLIBS = @LIBNETLIBS@
++LIBOBJS = @LIBOBJS@
++LIBS = @LIBS@
++LOCALE = @LOCALE@
++LTLIBOBJS = @LTLIBOBJS@
++MAILCMD = @MAILCMD@
++MAKE = @MAKE@
++MAKEINFO = @MAKEINFO@
++MD5 = @MD5@
++MKDIR_P = @MKDIR_P@
++NON_FATAL_CFLAGS = @NON_FATAL_CFLAGS@
++OBJEXT = @OBJEXT@
++OCF_RA_DIR = @OCF_RA_DIR@
++OCF_ROOT_DIR = @OCF_ROOT_DIR@
++PACKAGE = @PACKAGE@
++PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
++PACKAGE_NAME = @PACKAGE_NAME@
++PACKAGE_STRING = @PACKAGE_STRING@
++PACKAGE_TARNAME = @PACKAGE_TARNAME@
++PACKAGE_URL = @PACKAGE_URL@
++PACKAGE_VERSION = @PACKAGE_VERSION@
++PATH_SEPARATOR = @PATH_SEPARATOR@
++PING = @PING@
++PKGCONFIG = @PKGCONFIG@
++PKGNAME = @PKGNAME@
++POD2MAN = @POD2MAN@
++POWEROFF_CMD = @POWEROFF_CMD@
++POWEROFF_OPTIONS = @POWEROFF_OPTIONS@
++PYTHON = @PYTHON@
++PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
++PYTHON_PLATFORM = @PYTHON_PLATFORM@
++PYTHON_PREFIX = @PYTHON_PREFIX@
++PYTHON_VERSION = @PYTHON_VERSION@
++REBOOT = @REBOOT@
++REBOOT_OPTIONS = @REBOOT_OPTIONS@
++ROUTE = @ROUTE@
++SCP = @SCP@
++SET_MAKE = @SET_MAKE@
++SHELL = @SHELL@
++SSH = @SSH@
++STRIP = @STRIP@
++TAR = @TAR@
++TEST = @TEST@
++VERSION = @VERSION@
++XSLTPROC = @XSLTPROC@
++abs_builddir = @abs_builddir@
++abs_srcdir = @abs_srcdir@
++abs_top_builddir = @abs_top_builddir@
++abs_top_srcdir = @abs_top_srcdir@
++ac_ct_CC = @ac_ct_CC@
++am__include = @am__include@
++am__leading_dot = @am__leading_dot@
++am__quote = @am__quote@
++am__tar = @am__tar@
++am__untar = @am__untar@
++bindir = @bindir@
++build = @build@
++build_alias = @build_alias@
++build_cpu = @build_cpu@
++build_os = @build_os@
++build_vendor = @build_vendor@
++builddir = @builddir@
++datadir = @datadir@
++datarootdir = @datarootdir@
++docdir = @docdir@
++dvidir = @dvidir@
++exec_prefix = @exec_prefix@
++host = @host@
++host_alias = @host_alias@
++host_cpu = @host_cpu@
++host_os = @host_os@
++host_vendor = @host_vendor@
++htmldir = @htmldir@
++includedir = @includedir@
++infodir = @infodir@
++install_sh = @install_sh@
++libdir = @libdir@
++libexecdir = @libexecdir@
++localedir = @localedir@
++localstatedir = @localstatedir@
++mandir = @mandir@
++mkdir_p = @mkdir_p@
++oldincludedir = @oldincludedir@
++pdfdir = @pdfdir@
++pkgpyexecdir = @pkgpyexecdir@
++pkgpythondir = @pkgpythondir@
++prefix = @prefix@
++program_transform_name = @program_transform_name@
++psdir = @psdir@
++pyexecdir = @pyexecdir@
++pythondir = @pythondir@
++sbindir = @sbindir@
++sharedstatedir = @sharedstatedir@
++srcdir = @srcdir@
++sysconfdir = @sysconfdir@
++target_alias = @target_alias@
++top_build_prefix = @top_build_prefix@
++top_builddir = @top_builddir@
++top_srcdir = @top_srcdir@
++MAINTAINERCLEANFILES = Makefile.in
++EXTRA_DIST = $(ocftcfgs_DATA) $(ocft_DATA)
++sbin_SCRIPTS = ocft
++ocftcfgsdir = $(datadir)/$(PACKAGE_NAME)/ocft/configs
++ocftcfgs_DATA = apache \
++ IPaddr2 \
++ IPsrcaddr \
++ MailTo \
++ mysql \
++ nfsserver \
++ portblock \
++ SendArp
++
++ocftdir = $(datadir)/$(PACKAGE_NAME)/ocft
++ocft_DATA = README \
++ README.zh_CN \
++ caselib
++
++all: all-am
++
++.SUFFIXES:
++$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
++ @for dep in $?; do \
++ case '$(am__configure_deps)' in \
++ *$$dep*) \
++ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
++ && { if test -f $@; then exit 0; else break; fi; }; \
++ exit 1;; \
++ esac; \
++ done; \
++ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu tools/ocft/Makefile'; \
++ $(am__cd) $(top_srcdir) && \
++ $(AUTOMAKE) --gnu tools/ocft/Makefile
++.PRECIOUS: Makefile
++Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
++ @case '$?' in \
++ *config.status*) \
++ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
++ *) \
++ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
++ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
++ esac;
++
++$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
++ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
++
++$(top_srcdir)/configure: $(am__configure_deps)
++ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
++$(ACLOCAL_M4): $(am__aclocal_m4_deps)
++ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
++$(am__aclocal_m4_deps):
++ocft: $(top_builddir)/config.status $(srcdir)/ocft.in
++ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
++caselib: $(top_builddir)/config.status $(srcdir)/caselib.in
++ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
++README: $(top_builddir)/config.status $(srcdir)/README.in
++ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
++README.zh_CN: $(top_builddir)/config.status $(srcdir)/README.zh_CN.in
++ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
++install-sbinSCRIPTS: $(sbin_SCRIPTS)
++ @$(NORMAL_INSTALL)
++ test -z "$(sbindir)" || $(MKDIR_P) "$(DESTDIR)$(sbindir)"
++ @list='$(sbin_SCRIPTS)'; test -n "$(sbindir)" || list=; \
++ for p in $$list; do \
++ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
++ if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \
++ done | \
++ sed -e 'p;s,.*/,,;n' \
++ -e 'h;s|.*|.|' \
++ -e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \
++ $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \
++ { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
++ if ($$2 == $$4) { files[d] = files[d] " " $$1; \
++ if (++n[d] == $(am__install_max)) { \
++ print "f", d, files[d]; n[d] = 0; files[d] = "" } } \
++ else { print "f", d "/" $$4, $$1 } } \
++ END { for (d in files) print "f", d, files[d] }' | \
++ while read type dir files; do \
++ if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
++ test -z "$$files" || { \
++ echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(sbindir)$$dir'"; \
++ $(INSTALL_SCRIPT) $$files "$(DESTDIR)$(sbindir)$$dir" || exit $$?; \
++ } \
++ ; done
++
++uninstall-sbinSCRIPTS:
++ @$(NORMAL_UNINSTALL)
++ @list='$(sbin_SCRIPTS)'; test -n "$(sbindir)" || exit 0; \
++ files=`for p in $$list; do echo "$$p"; done | \
++ sed -e 's,.*/,,;$(transform)'`; \
++ test -n "$$list" || exit 0; \
++ echo " ( cd '$(DESTDIR)$(sbindir)' && rm -f" $$files ")"; \
++ cd "$(DESTDIR)$(sbindir)" && rm -f $$files
++install-ocftDATA: $(ocft_DATA)
++ @$(NORMAL_INSTALL)
++ test -z "$(ocftdir)" || $(MKDIR_P) "$(DESTDIR)$(ocftdir)"
++ @list='$(ocft_DATA)'; test -n "$(ocftdir)" || list=; \
++ for p in $$list; do \
++ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
++ echo "$$d$$p"; \
++ done | $(am__base_list) | \
++ while read files; do \
++ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(ocftdir)'"; \
++ $(INSTALL_DATA) $$files "$(DESTDIR)$(ocftdir)" || exit $$?; \
++ done
++
++uninstall-ocftDATA:
++ @$(NORMAL_UNINSTALL)
++ @list='$(ocft_DATA)'; test -n "$(ocftdir)" || list=; \
++ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
++ test -n "$$files" || exit 0; \
++ echo " ( cd '$(DESTDIR)$(ocftdir)' && rm -f" $$files ")"; \
++ cd "$(DESTDIR)$(ocftdir)" && rm -f $$files
++install-ocftcfgsDATA: $(ocftcfgs_DATA)
++ @$(NORMAL_INSTALL)
++ test -z "$(ocftcfgsdir)" || $(MKDIR_P) "$(DESTDIR)$(ocftcfgsdir)"
++ @list='$(ocftcfgs_DATA)'; test -n "$(ocftcfgsdir)" || list=; \
++ for p in $$list; do \
++ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
++ echo "$$d$$p"; \
++ done | $(am__base_list) | \
++ while read files; do \
++ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(ocftcfgsdir)'"; \
++ $(INSTALL_DATA) $$files "$(DESTDIR)$(ocftcfgsdir)" || exit $$?; \
++ done
++
++uninstall-ocftcfgsDATA:
++ @$(NORMAL_UNINSTALL)
++ @list='$(ocftcfgs_DATA)'; test -n "$(ocftcfgsdir)" || list=; \
++ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
++ test -n "$$files" || exit 0; \
++ echo " ( cd '$(DESTDIR)$(ocftcfgsdir)' && rm -f" $$files ")"; \
++ cd "$(DESTDIR)$(ocftcfgsdir)" && rm -f $$files
++tags: TAGS
++TAGS:
++
++ctags: CTAGS
++CTAGS:
++
++
++distdir: $(DISTFILES)
++ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
++ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
++ list='$(DISTFILES)'; \
++ dist_files=`for file in $$list; do echo $$file; done | \
++ sed -e "s|^$$srcdirstrip/||;t" \
++ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
++ case $$dist_files in \
++ */*) $(MKDIR_P) `echo "$$dist_files" | \
++ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
++ sort -u` ;; \
++ esac; \
++ for file in $$dist_files; do \
++ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
++ if test -d $$d/$$file; then \
++ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
++ if test -d "$(distdir)/$$file"; then \
++ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
++ fi; \
++ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
++ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
++ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
++ fi; \
++ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
++ else \
++ test -f "$(distdir)/$$file" \
++ || cp -p $$d/$$file "$(distdir)/$$file" \
++ || exit 1; \
++ fi; \
++ done
++check-am: all-am
++check: check-am
++all-am: Makefile $(SCRIPTS) $(DATA)
++installdirs:
++ for dir in "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(ocftdir)" "$(DESTDIR)$(ocftcfgsdir)"; do \
++ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
++ done
++install: install-am
++install-exec: install-exec-am
++install-data: install-data-am
++uninstall: uninstall-am
++
++install-am: all-am
++ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
++
++installcheck: installcheck-am
++install-strip:
++ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
++ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
++ `test -z '$(STRIP)' || \
++ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
++mostlyclean-generic:
++
++clean-generic:
++
++distclean-generic:
++ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
++ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
++
++maintainer-clean-generic:
++ @echo "This command is intended for maintainers to use"
++ @echo "it deletes files that may require special tools to rebuild."
++ -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES)
++clean: clean-am
++
++clean-am: clean-generic mostlyclean-am
++
++distclean: distclean-am
++ -rm -f Makefile
++distclean-am: clean-am distclean-generic
++
++dvi: dvi-am
++
++dvi-am:
++
++html: html-am
++
++html-am:
++
++info: info-am
++
++info-am:
++
++install-data-am: install-ocftDATA install-ocftcfgsDATA
++
++install-dvi: install-dvi-am
++
++install-dvi-am:
++
++install-exec-am: install-sbinSCRIPTS
++
++install-html: install-html-am
++
++install-html-am:
++
++install-info: install-info-am
++
++install-info-am:
++
++install-man:
++
++install-pdf: install-pdf-am
++
++install-pdf-am:
++
++install-ps: install-ps-am
++
++install-ps-am:
++
++installcheck-am:
++
++maintainer-clean: maintainer-clean-am
++ -rm -f Makefile
++maintainer-clean-am: distclean-am maintainer-clean-generic
++
++mostlyclean: mostlyclean-am
++
++mostlyclean-am: mostlyclean-generic
++
++pdf: pdf-am
++
++pdf-am:
++
++ps: ps-am
++
++ps-am:
++
++uninstall-am: uninstall-ocftDATA uninstall-ocftcfgsDATA \
++ uninstall-sbinSCRIPTS
++
++.MAKE: install-am install-strip
++
++.PHONY: all all-am check check-am clean clean-generic distclean \
++ distclean-generic distdir dvi dvi-am html html-am info info-am \
++ install install-am install-data install-data-am install-dvi \
++ install-dvi-am install-exec install-exec-am install-html \
++ install-html-am install-info install-info-am install-man \
++ install-ocftDATA install-ocftcfgsDATA install-pdf \
++ install-pdf-am install-ps install-ps-am install-sbinSCRIPTS \
++ install-strip installcheck installcheck-am installdirs \
++ maintainer-clean maintainer-clean-generic mostlyclean \
++ mostlyclean-generic pdf pdf-am ps ps-am uninstall uninstall-am \
++ uninstall-ocftDATA uninstall-ocftcfgsDATA \
++ uninstall-sbinSCRIPTS
++
++
++# Tell versions [3.59,3.63) of GNU make to not export all variables.
++# Otherwise a system limit (for SysV at least) may be exceeded.
++.NOEXPORT:
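Review bot: this hunk adds nothing to the CVE-2010-3389 fix; the entire tools/ocft/Makefile.in it carries is automake-generated boilerplate (the trailing `# Tell versions [3.59,3.63) of GNU make to not export all variables.` comment and the long `@VAR@` substitution block are the generator's output), and shipping it as a source patch makes the security change hard to review and will conflict with the next upstream regeneration. Suggest dropping the generated file from the patch and letting the build regenerate it, so the NMU diff is reduced to the LD_LIBRARY_PATH change.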
diff -Nru cluster-agents-1.0.3/debian/patches/series cluster-agents-1.0.3/debian/patches/series
--- cluster-agents-1.0.3/debian/patches/series 2010-05-03 20:31:33.000000000 +0300
+++ cluster-agents-1.0.3/debian/patches/series 2010-10-18 15:00:26.000000000 +0300
@@ -1 +1,3 @@
+CVE-2010-3389--bug598549.patch
spelling-fixes.patch
+debian-changes-1:1.0.3-3.1
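Review bot: the series gains `debian-changes-1:1.0.3-3.1`, the patch dpkg-source writes automatically for working-tree changes outside a named patch, which is how the generated tools/ocft/Makefile.in above ended up in the upload; check that this file contains only what `CVE-2010-3389--bug598549.patch` is meant to fix, since anything in it is applied on every build and is invisible from the patch name. Ordering is fine (the CVE patch applies before spelling-fixes.patch and does not depend on it), but the auto-generated patch should be either emptied or renamed to say what it changes.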
Message sent on to Raphael Geissert <geissert@debian.org>: Bug#598549. (Mon, 18 Oct 2010 12:15:10 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian HA Maintainers <debian-ha-maintainers@lists.alioth.debian.org>: Bug#598549; Package cluster-agents. (Tue, 19 Oct 2010 10:45:04 GMT)
Acknowledgement sent to Jari Aalto <jari.aalto@cante.net>: Extra info received and forwarded to list. Copy sent to Debian HA Maintainers <debian-ha-maintainers@lists.alioth.debian.org>. (Tue, 19 Oct 2010 10:45:04 GMT)
Message #72 received at 598549@bugs.debian.org:
Simon Horman <horms@verge.net.au> writes:
> It's unclear to me that this patch covers all cases.
>
> e.g.
>
> $ DIR_EXECUTABLE=/abc
> $ LD_LIBRARY_PATH="::"
> $ /bin/echo "$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
> /abc:::
>
> Am I missing something?
Julien Cristau from release team suggests that:
IRC #debian-qa
<jcristau> if the user set LD_LIBRARY_PATH="::" then they shot
themselves in the foot, and you're not
supposed to clean up after them.
So, we revert back to the simple approach:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598549#40
Jari
Message sent on to Raphael Geissert <geissert@debian.org>: Bug#598549. (Tue, 19 Oct 2010 10:45:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian HA Maintainers <debian-ha-maintainers@lists.alioth.debian.org>: Bug#598549; Package cluster-agents. (Tue, 19 Oct 2010 14:09:09 GMT)
Acknowledgement sent to Simon Horman <horms@verge.net.au>: Extra info received and forwarded to list. Copy sent to Debian HA Maintainers <debian-ha-maintainers@lists.alioth.debian.org>. (Tue, 19 Oct 2010 14:09:09 GMT)
Message #80 received at 598549@bugs.debian.org:
On Tue, Oct 19, 2010 at 01:40:38PM +0300, Jari Aalto wrote:
>
> Simon Horman <horms@verge.net.au> writes:
> > It's unclear to me that this patch covers all cases.
> >
> > e.g.
> >
> > $ DIR_EXECUTABLE=/abc
> > $ LD_LIBRARY_PATH="::"
> > $ /bin/echo "$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
> > /abc:::
> >
> > Am I missing something?
>
> Julien Cristau from release team suggests that:
>
> IRC #debian-qa
>
> <jcristau> if the user set LD_LIBRARY_PATH="::" then they shot
> themselves in the foot, and you're not
> supposed to clean up after them.
>
> So, we revert back to the simple approach:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598549#40
If that is fine by them, it's fine by me too.
I'm now comfortable with this upload.
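The edge case Simon raises above, worked through as an added example (not code from the bug report or from the cluster-agents resource agents; the function names are my own): the original `DIR:$LD_LIBRARY_PATH` prepend, the `${VAR:+:$VAR}` form from the patch, and a variant that rebuilds the list without empty components, plus a check a reviewer can run on any resulting value. It assumes POSIX sh and that an empty component is what ld.so(8) turns into the current directory.

```shell
#!/bin/sh
# Added example, not part of the bug report or the cluster-agents package.
# An empty component in LD_LIBRARY_PATH ("", "::", leading or trailing ":")
# is searched as the current directory by ld.so, which is the core of
# CVE-2010-3389.

# Original resource-agent form: always appends ":" plus the old value, so an
# unset or empty LD_LIBRARY_PATH yields a trailing empty component.
naive_prepend() {
    printf '%s\n' "$1:$2"
}

# ${VAR:+:$VAR} form from the proposed patch: fixes only the unset/empty case;
# empty components already present in the user's value survive untouched.
patched_prepend() {
    printf '%s\n' "$1${2:+:$2}"
}

# Rebuild the list from scratch, dropping every empty component and any
# existing copy of the directory, so the result never contains "::" and the
# agent's own directory appears exactly once, at the front.
safe_prepend() {
    dir=$1; cur=$2; out=$dir
    old_ifs=$IFS; IFS=:
    set -f                       # no globbing while components are expanded
    for entry in $cur; do        # field-split on ':' only (IFS is ':')
        case $entry in
            ''|"$dir") ;;        # skip empty components and duplicates of $dir
            *) out="$out:$entry" ;;
        esac
    done
    set +f; IFS=$old_ifs
    printf '%s\n' "$out"
}

# Check for a defender or reviewer: does a colon-separated value contain an
# empty component? Returns 0 (true) if so. An entirely empty value has no
# components and is reported as clean.
has_empty_entry() {
    [ -n "$1" ] || return 1
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Demonstration on the value from Simon's message (constructed input, the
# real environment is not touched).
for f in naive_prepend patched_prepend safe_prepend; do
    printf '%-16s %s\n' "$f:" "$("$f" /abc '::')"
done
```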
Message sent on to Raphael Geissert <geissert@debian.org>: Bug#598549. (Tue, 19 Oct 2010 14:09:11 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian HA Maintainers <debian-ha-maintainers@lists.alioth.debian.org>: Bug#598549; Package cluster-agents. (Wed, 20 Oct 2010 05:48:04 GMT)
Acknowledgement sent to tony mancill <tmancill@debian.org>: Extra info received and forwarded to list. Copy sent to Debian HA Maintainers <debian-ha-maintainers@lists.alioth.debian.org>. (Wed, 20 Oct 2010 05:48:04 GMT)
Message #88 received at 598549@bugs.debian.org:
Notification that an NMU addressing this bug has been uploaded to delayed/2. Please contact me if there is a pending maintainer upload and the NMU should be removed from the queue. Thank you, tony
Reply sent to Jari Aalto <jari.aalto@cante.net>: You have taken responsibility. (Fri, 22 Oct 2010 05:51:08 GMT)
Notification sent to Raphael Geissert <geissert@debian.org>: Bug acknowledged by developer. (Fri, 22 Oct 2010 05:51:08 GMT)
Message #93 received at 598549-close@bugs.debian.org:
Source: cluster-agents
Source-Version: 1:1.0.3-3.1
We believe that the bug you reported is fixed in the latest version of
cluster-agents, which is due to be installed in the Debian FTP archive:
cluster-agents_1.0.3-3.1.debian.tar.gz
to main/c/cluster-agents/cluster-agents_1.0.3-3.1.debian.tar.gz
cluster-agents_1.0.3-3.1.dsc
to main/c/cluster-agents/cluster-agents_1.0.3-3.1.dsc
cluster-agents_1.0.3-3.1_i386.deb
to main/c/cluster-agents/cluster-agents_1.0.3-3.1_i386.deb
ldirectord_1.0.3-3.1_all.deb
to main/c/cluster-agents/ldirectord_1.0.3-3.1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 598549@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jari Aalto <jari.aalto@cante.net> (supplier of updated cluster-agents package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Tue, 19 Oct 2010 13:35:00 +0300
Source: cluster-agents
Binary: cluster-agents ldirectord
Architecture: source i386 all
Version: 1:1.0.3-3.1
Distribution: unstable
Urgency: low
Maintainer: Debian HA Maintainers <debian-ha-maintainers@lists.alioth.debian.org>
Changed-By: Jari Aalto <jari.aalto@cante.net>
Description:
cluster-agents - The reusable cluster components for Linux HA
ldirectord - Monitors virtual services provided by LVS
Closes: 598549
Changes:
cluster-agents (1:1.0.3-3.1) unstable; urgency=low
.
* Non-maintainer upload.
* debian/patches
- (CVE-*): New patch. Fix CVE-2010-3389 insecure library loading using
LD_LIBRARY_PATH. (important, security; Closes: #598549).
Checksums-Sha1:
Checksums-Sha256:
Files:
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 29 Nov 2010 07:32:34 GMT)