ganglia: [Debian RT] CVE-2012-3448: arbitrary script execution

Related Vulnerabilities: CVE-2012-3448   CVE-2012-3348  

Debian Bug report logs - #683584

Reported by: Yves-Alexis Perez <corsac@debian.org>

Date: Thu, 2 Aug 2012 05:33:02 UTC

Severity: grave

Tags: security

Found in version 3.1.7-1

Fixed in versions ganglia/3.3.8-1, ganglia/3.1.7-1+squeeze1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, security@rt.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#683584; Package ganglia. (Thu, 02 Aug 2012 05:33:04 GMT)

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, security@rt.debian.org, Stuart Teasdale <sdt@debian.org>. (Thu, 02 Aug 2012 05:33:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ganglia: [Debian RT] CVE-2012-3348: arbitrary script execution
Date: Thu, 02 Aug 2012 07:30:07 +0200
Package: ganglia
Severity: grave
Tags: security
Justification: user security hole

Hi,

The recently released Ganglia Web fixes a remote script execution
vulnerability. It has been allocated CVE-2012-3348.

More info on http://ganglia.info/?p=549 and
https://bugzilla.redhat.com/show_bug.cgi?id=845124

Can you prepare packages with isolated fixes for Squeeze and unstable
(since we are in freeze)?

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#683584; Package ganglia. (Thu, 02 Aug 2012 15:09:03 GMT)

Acknowledgement sent to Vincent Danen <vdanen@linsec.ca>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Thu, 02 Aug 2012 15:09:03 GMT)

Message #10 received at 683584@bugs.debian.org:

From: Vincent Danen <vdanen@linsec.ca>
To: 683584@bugs.debian.org
Subject: Incorrect CVE name
Date: Thu, 2 Aug 2012 09:06:13 -0600
The actual assigned CVE name for this issue was CVE-2012-3448:

http://www.openwall.com/lists/oss-security/2012/08/02/1

--
Vincent Danen @ http://linsec.ca/








Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#683584; Package ganglia. (Mon, 13 Aug 2012 13:51:09 GMT)

Acknowledgement sent to Daniel Pocock <daniel@pocock.com.au>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Mon, 13 Aug 2012 13:51:09 GMT)

Message #15 received at 683584@bugs.debian.org:

From: Daniel Pocock <daniel@pocock.com.au>
To: 683584@bugs.debian.org
Subject: security update ready for wheezy
Date: Mon, 13 Aug 2012 13:46:11 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


I've now done the following:

- create an upstream 3.3.8 release which includes only the security fix

- imported 3.3.8 into the Debian git VCS:

     94324d5e11f1332c0f5adecf17a709

- update the changelog and control file

- I've added myself as uploader (I am DM and not DD), Stu, can you
please verify that this is OK?

- I will also send the unblock request now

- I have NOT made a tag in git - whoever does the upload must make the tag

Since 3.3.5 was uploaded into Debian, upstream 3.3.6 and 3.3.7 were
released upstream with essential fixes for memory leak and
segmentation fault issues.  Upstream is not keen to support Ganglia in
Debian without these essential fixes.  They have been deliberately
cherry-picked onto a stable 3.3.x series release branch due to their
critical nature.

In future, the 3.3 branch will only contain the most critical and
security related fixes, so it is suitable for Debian wheezy to take
releases from the branch without making local patches.

Also note that lintian complains a lot because upstream has a
submodule with Debian artifacts; they are not used at all for the
Debian package itself and should probably be filtered out next
time we run git-import-orig.




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBCAAGBQJQKQUjAAoJEOm1uwJp1aqDYHEP/3HHIBG61goQFfv4uILCUCOy
hTpLqc/VzOyTp8yLnXAeRkVB4w++5EsqDHyAtoZkmm1spvsABLmtrmMlRJOmIq4r
ShCGRoXQpxR9opPevygccO2CRq+HsTmZJBzS+tNY7mKmsvnABD/3Kh+kt/rtfRP4
g/fwiaGaWcvqRmJawL+piHpvLDF4Iac14aWHqOluesHULKmeQTQnqWVS5KXR6/oI
nU0fYOJH81tGp/D3HeHZHSXntrcijFHLMRqNMm9xsrFuA/utfUMLF5gWo44GAlOw
Jb+9J2WEGK4F3/BPpwdZZP115/3rJjcaoZ/mXxLGWRh4fypTZvKf/qewnAgqFEQQ
p9z2iZtaamRjvjvWuQQlwM/Ak/1XKSobx93kNbwR6+wflYe8JqMJqyqKEiTWCT6s
pr42m7usYD2WrfVXG/Sgn2nWoZ+W9Cmu65eotG4Q4fUbM4zLHWrmLZmOxvA1glCh
Cp+i3gBQ1h6ac/ZknszyjT4GxzCOqGn76mXyBBiY2e1BYfevJ3LqsTYClpapsd2n
1bsg4XJV/ERoFRgASK6ltRB7uYp3bNly/iwurvwh4I809bwkG6pcVw2FgoRg7k//
BMImTeKlmUFs7E4MetdmEnNHSP7TQNHpv/27vKRB8ZOGQj1XbmRZK9s8vzGGYhRf
yOAsMzE/eRPm1jmBiNrI
=D8JR
-----END PGP SIGNATURE-----



Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#683584; Package ganglia. (Tue, 14 Aug 2012 08:15:03 GMT)

Acknowledgement sent to Stu Teasdale <stu@drogna.org.uk>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Tue, 14 Aug 2012 08:15:03 GMT)

Message #20 received at 683584@bugs.debian.org:

From: Stu Teasdale <stu@drogna.org.uk>
To: Daniel Pocock <daniel@pocock.com.au>, 683584@bugs.debian.org
Subject: Re: Bug#683584: security update ready for wheezy
Date: Tue, 14 Aug 2012 09:04:48 +0100
On Mon, Aug 13, 2012 at 01:46:11PM +0000, Daniel Pocock wrote:
> - - I've added myself as uploader (I am DM and not DD), Stu, can you
> please verify that this is OK?

I'm happy with this. 

Stu
-- 
From the prompt of Stu Teasdale

Why won't you let me kiss you goodnight?  Is it something I said?
		-- Tom Ryan

Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#683584; Package ganglia. (Wed, 15 Aug 2012 17:51:06 GMT)

Acknowledgement sent to Daniel Pocock <daniel@pocock.com.au>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Wed, 15 Aug 2012 17:51:06 GMT)

Message #25 received at 683584@bugs.debian.org:

From: Daniel Pocock <daniel@pocock.com.au>
To: 683584@bugs.debian.org
Subject: security update ready for squeeze (3.1.8)
Date: Wed, 15 Aug 2012 17:49:00 +0000

Upstream have released 3.1.8, which only differs from 3.1.7 by adding the
fix for the security issue.

It has now been pushed to the git.debian.org VCS for building the
Ganglia package.

It is on the squeeze branch and ready for someone to build and upload a
binary package.

Regards,

Daniel




Reply sent to Daniel Pocock <daniel@pocock.com.au>:
You have taken responsibility. (Thu, 30 Aug 2012 17:06:06 GMT)

Notification sent to Yves-Alexis Perez <corsac@debian.org>:
Bug acknowledged by developer. (Thu, 30 Aug 2012 17:06:06 GMT)

Message #30 received at 683584-close@bugs.debian.org:

From: Daniel Pocock <daniel@pocock.com.au>
To: 683584-close@bugs.debian.org
Subject: Bug#683584: fixed in ganglia 3.3.8-1
Date: Thu, 30 Aug 2012 17:02:57 +0000
Source: ganglia
Source-Version: 3.3.8-1

We believe that the bug you reported is fixed in the latest version of
ganglia, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 683584@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Pocock <daniel@pocock.com.au> (supplier of updated ganglia package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 13 Aug 2012 15:17:28 +0200
Source: ganglia
Binary: ganglia-monitor ganglia-monitor-python gmetad libganglia1 libganglia1-dev ganglia-webfrontend
Architecture: source all amd64
Version: 3.3.8-1
Distribution: unstable
Urgency: low
Maintainer: Stuart Teasdale <sdt@debian.org>
Changed-By: Daniel Pocock <daniel@pocock.com.au>
Description: 
 ganglia-monitor - cluster monitoring toolkit - node daemon
 ganglia-monitor-python - cluster monitoring toolkit - python modules
 ganglia-webfrontend - cluster monitoring toolkit - web front-end
 gmetad     - cluster monitoring toolkit - Ganglia Meta-Daemon
 libganglia1 - cluster monitoring toolkit - shared libraries
 libganglia1-dev - cluster monitoring toolkit - development libraries
Closes: 638628 683584
Changes: 
 ganglia (3.3.8-1) unstable; urgency=low
 .
   * Check URL arguments thoroughly (Closes: #683584)
   * Fix un-initialized return code variable
   * Fix memory leak
   * Fix issue where Ganglia fails to start with NetworkManager
     (Closes: #638628)
   * Extra logging of buffer sizes for troubleshooting a common problem
   * Add Daniel Pocock as uploader (Debian Maintainer)
   * Add VCS URLs to control file.
   * PO translation didn't get into the package properly.
 .
   [ Stuart Teasdale ]
   * Stop deleting web/version.php during clean as it comes from upstream
Checksums-Sha1: 
 04e386ac6581e633163c6ddaccbcadde8404ebf9 2357 ganglia_3.3.8-1.dsc
 e136f619078e26185c60c64c4abbbae64ff469c1 1797534 ganglia_3.3.8.orig.tar.gz
 a280816c64909da04ed9debf1c8e0cea6d4b777e 20840 ganglia_3.3.8-1.debian.tar.gz
 471bd5faeb9a13e2cd149e835984093708049a4d 61056 ganglia-monitor-python_3.3.8-1_all.deb
 ca658517a33c2eb58bf35a97fd2a13fb9ecfc03c 668728 ganglia-webfrontend_3.3.8-1_all.deb
 320cba56a91f6aef37367c4ec3e457e8bbbf0090 81432 ganglia-monitor_3.3.8-1_amd64.deb
 12be592ff48a844bdf3bb7dc226881e032c85fa3 37028 gmetad_3.3.8-1_amd64.deb
 b8635a029bff78aa221c5f281e6e5dd16ba75c11 129488 libganglia1_3.3.8-1_amd64.deb
 a75e0fc92b504c8432b849ce96525257541e9a67 48042 libganglia1-dev_3.3.8-1_amd64.deb
Checksums-Sha256: 
 80b2268fa6123fe5205f80d3518e5640b093fb0bde0651b9abc2eb29f3592aaf 2357 ganglia_3.3.8-1.dsc
 1cc51f884ae729ff67c5204212ca988884958d14132c3610daa3f585fb72bef5 1797534 ganglia_3.3.8.orig.tar.gz
 7dca26a4f0743fd203306a4a69cc5aa98ff060b80c43a316c5d03b952f7a6413 20840 ganglia_3.3.8-1.debian.tar.gz
 b4e310db17a499020cd59ee0d0a97575efa6c44c623615d818a34f8e68d161e8 61056 ganglia-monitor-python_3.3.8-1_all.deb
 2420b5d9070732e12b1514370967cc814296d2d553a8f2affbb8df3200be4ebc 668728 ganglia-webfrontend_3.3.8-1_all.deb
 a82b72f3b3f71683aa938c1e3c603a54fcec9ca96ac6b97cdd53d36ee265cdc1 81432 ganglia-monitor_3.3.8-1_amd64.deb
 6c5cbfac779d3ae64ba70ec1803a3fb336cabb3dd759d0a6062ef447a1856d67 37028 gmetad_3.3.8-1_amd64.deb
 f79ca81604e1a510682f31566ff7d7f8026531a7300f91a2258ebd500f79f9a3 129488 libganglia1_3.3.8-1_amd64.deb
 d8d1403b1ec52dd1d705a69e2aae074c0f7ed8914548b20da3283b56a4566174 48042 libganglia1-dev_3.3.8-1_amd64.deb
Files: 
 7db25f482aa2f323ab7d939baac36d81 2357 net optional ganglia_3.3.8-1.dsc
 46831245b5a5dc22abbdbeaa3d708075 1797534 net optional ganglia_3.3.8.orig.tar.gz
 de946ef905db554829b431824dd62315 20840 net optional ganglia_3.3.8-1.debian.tar.gz
 af38ede7222a3f342be483dbe80af141 61056 net optional ganglia-monitor-python_3.3.8-1_all.deb
 23fa9731a918d8c1cdd8aeee58b3c977 668728 net optional ganglia-webfrontend_3.3.8-1_all.deb
 47fe28fbe123faa7387e997039ceb81b 81432 net optional ganglia-monitor_3.3.8-1_amd64.deb
 184c553b1ab958864aadb773ee131bd5 37028 net optional gmetad_3.3.8-1_amd64.deb
 9c393f007e0c2eedbafb14b6ec9ef3dc 129488 libs optional libganglia1_3.3.8-1_amd64.deb
 833e26590340375774bd9c08013ad698 48042 libdevel optional libganglia1-dev_3.3.8-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Signed by Ana Guerrero

iQIcBAEBCAAGBQJQP5pZAAoJELNGT4lqoVlILCgQAIbqCkZ7I+nOXrckWy5o7XDP
V+41NSbzqn2kLkiJYWZPsZpclQKnJ7syAWZUNXlw72DJQOAvPnphouCJYjilwpgI
p3O7WHJ8ndn2346o89u5sMF9m4sT81LmLOa8W8jdVCaNKFmA3MctBvrwoQIoJNGb
PIGytBViC4cYj37sS3qYsef/v96XWoWZKpWTePAGLO8IbecvINmdQyZNTkJBEGAQ
ReUNR6sXKPusTFVujX98iu1PseOsVCV6Mn+MMif9KaJri6H6MVzO62zDo5EANPZ4
/V9BcxPFYWk4Lbup2T+hbpHOLF8J74DaRLKnKAb4khylOnTM4yANc3bdvbnu7QqC
UGgRz3jz5C/znqJ++NC/RKQacb9+zyq2KO7jyqI/c6jmNTaKnaFUGTXTsGCcckSG
YUMuxTcAP3A3uagvADzNv2Ns/2Sqmn67Sr8zIC2flRJVNe4AGp0As0NPd2/FGY/L
QzkxpdYA2rIMp+uxIwzQ0lwAtw00GDyOpwCt3Al9ipfaSaz27MDr1rVNfkcV40Gc
PKpVFzT51SjWYW8OzmmEDYoQDRJojcxZVtvyopBEoJ16ySOtt0lYWDeLP+ZRuLZv
hFgnpFTQAT8ySHM82V6z/r1h8DERAmSPSPne8uOMxahrFghY55dVW+Npb0ebmzHx
bV1b796niHDR1Cj5krfZ
=UhqO
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#683584; Package ganglia. (Sat, 05 Jan 2013 15:24:06 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Sat, 05 Jan 2013 15:24:06 GMT)

Message #35 received at 683584@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Daniel Pocock <daniel@pocock.com.au>, 683584@bugs.debian.org
Cc: Yves-Alexis Perez <corsac@debian.org>
Subject: Re: Bug#683584: security update ready for squeeze (3.1.8)
Date: Sat, 5 Jan 2013 16:21:50 +0100
Hi Daniel

On Wed, Aug 15, 2012 at 05:49:00PM +0000, Daniel Pocock wrote:
> Upstream have released 3.1.8 which only differs from 3.1.7 by adding the
> fix for the security issue
> 
> It has now been pushed to the git.debian.org VCS for building the
> Ganglia package
> 
> It is on the squeeze branch and ready for someone to build and upload a
> binary package

I was looking at current open RC bugs and stumbled over #683584 for
Squeeze. If I'm reading correctly, this is both high severity but
still open in Squeeze. I haven't looked at the details; is there an
update planned for ganglia in Squeeze?

Regards,
Salvatore

Changed Bug title to 'ganglia: [Debian RT] CVE-2012-3448: arbitrary script execution' from 'ganglia: [Debian RT] CVE-2012-3348: arbitrary script execution'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 05 Jan 2013 15:27:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#683584; Package ganglia. (Sun, 06 Jan 2013 23:39:06 GMT)

Acknowledgement sent to Daniel Pocock <daniel@pocock.com.au>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Sun, 06 Jan 2013 23:39:06 GMT)

Message #42 received at 683584@bugs.debian.org:

From: Daniel Pocock <daniel@pocock.com.au>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 683584@bugs.debian.org, Yves-Alexis Perez <corsac@debian.org>
Subject: Re: Bug#683584: security update ready for squeeze (3.1.8)
Date: Mon, 07 Jan 2013 00:35:32 +0100



On 05/01/13 16:21, Salvatore Bonaccorso wrote:
> Hi Daniel
> 
> On Wed, Aug 15, 2012 at 05:49:00PM +0000, Daniel Pocock wrote:
>> Upstream have released 3.1.8 which only differs from 3.1.7 by
>> adding the fix for the security issue
>> 
>> It has now been pushed to the git.debian.org VCS for building
>> the Ganglia package
>> 
>> It is on the squeeze branch and ready for someone to build and
>> upload a binary package
> 
> I was looking at current open RC bugs and stumbled over #683584
> for Squeeze. If I'm reading correctly, this is both high severity
> but still open in Squeeze. I haven't looked a the details; is there
> an update planned for ganglia in Squeeze?
> 

Yes, the 3.1.8 security fix from upstream has been packaged and has
been waiting for the security team to process through to the archive.



Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#683584; Package ganglia. (Mon, 07 Jan 2013 06:45:04 GMT)

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Mon, 07 Jan 2013 06:45:04 GMT)

Message #47 received at 683584@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Daniel Pocock <daniel@pocock.com.au>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 683584@bugs.debian.org
Subject: Re: Bug#683584: security update ready for squeeze (3.1.8)
Date: Mon, 07 Jan 2013 07:27:17 +0100
On lun., 2013-01-07 at 00:35 +0100, Daniel Pocock wrote:
> Yes, the 3.1.8 security fix from upstream has been packaged and has
> been waiting for security team to process through to the archive

Can you elaborate on that?
-- 
Yves-Alexis

Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#683584; Package ganglia. (Mon, 07 Jan 2013 08:15:03 GMT)

Acknowledgement sent to Daniel Pocock <daniel@pocock.com.au>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Mon, 07 Jan 2013 08:15:03 GMT)

Message #52 received at 683584@bugs.debian.org:

From: Daniel Pocock <daniel@pocock.com.au>
To: Yves-Alexis Perez <corsac@debian.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 683584@bugs.debian.org
Subject: Re: Bug#683584: security update ready for squeeze (3.1.8)
Date: Mon, 07 Jan 2013 09:11:44 +0100
On 07/01/13 07:27, Yves-Alexis Perez wrote:
> On lun., 2013-01-07 at 00:35 +0100, Daniel Pocock wrote:
>   
>> Yes, the 3.1.8 security fix from upstream has been packaged and has
>> been waiting for security team to process through to the archive
>>     
> Can you elaborate on that?
>   


http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683584#25

was done before I became a DD, so although I could upload the fix into
git.debian.org, I did not have any access to upload any binary package

Has somebody built and uploaded to the archive already?  As it is for
current stable branch, can I upload myself or does the security team
take care of the upload?



Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#683584; Package ganglia. (Mon, 07 Jan 2013 20:36:02 GMT)

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Mon, 07 Jan 2013 20:36:03 GMT)

Message #57 received at 683584@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Daniel Pocock <daniel@pocock.com.au>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 683584@bugs.debian.org
Subject: Re: Bug#683584: security update ready for squeeze (3.1.8)
Date: Mon, 07 Jan 2013 21:32:48 +0100
On lun., 2013-01-07 at 09:11 +0100, Daniel Pocock wrote:
> On 07/01/13 07:27, Yves-Alexis Perez wrote:
> > On lun., 2013-01-07 at 00:35 +0100, Daniel Pocock wrote:
> >   
> >> Yes, the 3.1.8 security fix from upstream has been packaged and has
> >> been waiting for security team to process through to the archive
> >>     
> > Can you elaborate on that?
> >   
> 
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683584#25
> 
> was done before I became a DD, so although I could upload the fix into
> git.debian.org, I did not have any access to upload any binary package
> 
> Has somebody built and uploaded to the archive already?  As it is for
> current stable branch, can I upload myself or does the security team
> take care of the upload?

Please provide a debdiff against stable.
-- 
Yves-Alexis

Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#683584; Package ganglia. (Sat, 19 Jan 2013 09:12:06 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Sat, 19 Jan 2013 09:12:06 GMT)

Message #62 received at 683584@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Yves-Alexis Perez <corsac@debian.org>, 683584@bugs.debian.org, team@security.debian.org
Cc: Daniel Pocock <daniel@pocock.com.au>
Subject: Re: Bug#683584: security update ready for squeeze (3.1.8)
Date: Sat, 19 Jan 2013 10:09:12 +0100
Hi Yves,

On Mon, Jan 07, 2013 at 09:32:48PM +0100, Yves-Alexis Perez wrote:
> On lun., 2013-01-07 at 09:11 +0100, Daniel Pocock wrote:
> > On 07/01/13 07:27, Yves-Alexis Perez wrote:
> > > On lun., 2013-01-07 at 00:35 +0100, Daniel Pocock wrote:
> > >   
> > >> Yes, the 3.1.8 security fix from upstream has been packaged and has
> > >> been waiting for security team to process through to the archive
> > >>     
> > > Can you elaborate on that?
> > >   
> > 
> > 
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683584#25
> > 
> > was done before I became a DD, so although I could upload the fix into
> > git.debian.org, I did not have any access to upload any binary package
> > 
> > Has somebody built and uploaded to the archive already?  As it is for
> > current stable branch, can I upload myself or does the security team
> > take care of the upload?
> 
> Please provide a debdiff against stable.

I tried to look at this myself and found upstream commit [1], for a
similar commit.

 [1]: https://github.com/ganglia/ganglia-web/commit/b9f47b0eb9ae81144e90544b04e85bed15c8c2f4

Comparing the diff 3.1.7 to 3.1.8 source I find this:

----cut---------cut---------cut---------cut---------cut---------cut-----
diff -urN source-ganglia/ganglia-3.1.7/web/graph.php ganglia-3.1.8/web/graph.php
--- source-ganglia/ganglia-3.1.7/web/graph.php	2010-02-17 12:05:39.000000000 +0100
+++ ganglia-3.1.8/web/graph.php	2012-08-15 19:12:12.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-/* $Id: graph.php 2183 2010-01-07 16:09:55Z d_pocock $ */
+/* $Id$ */
 include_once "./eval_config.php";
 include_once "./get_context.php";
 include_once "./functions.php";
@@ -122,7 +122,7 @@
 
 $graph_file = "$graphdir/$graph.php";
 
-if ( is_readable($graph_file) ) {
+if ( is_readable($graph_file) and realpath($graphdir) === dirname(realpath($graph_file)) ) {
     include_once($graph_file);
 
     $graph_function = "graph_${graph}";
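Review bot: the new condition `+if ( is_readable($graph_file) and realpath($graphdir) === dirname(realpath($graph_file)) ) {` constrains where the resolved file may live but never validates what `$graph` contains, and the unchanged context line `$graph_function = "graph_${graph}";` still builds a function name from the raw request value. Restricting `$graph` to a tight character set (letters, digits, underscore) at the point it is read from the request would cover both uses and is easier to audit than a path comparison; the realpath check can stay as defence in depth. Two caveats worth recording: `realpath()` returns false if the file disappears between the `is_readable()` call and the comparison, in which case the equality cannot hold and the check fails closed, which is the right outcome; and because `realpath()` resolves symlinks, a graph file that is symlinked into `$graphdir` from elsewhere is rejected too, so deployments that rely on such symlinks will lose those graphs after the update.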
----cut---------cut---------cut---------cut---------cut---------cut-----

By passing g= argument, it is possible to traverse the path and load
another file and execute code from it.

Attached is the debdiff against 3.1.7-1 in squeeze.

Regards,
Salvatore
[ganglia_3.1.7-1+squeeze1.debdiff (text/plain, attachment)]
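The weakness Salvatore describes in the message above (a `g=` value that makes `web/graph.php` include a file from outside the graph directory) and the one-line condition from the 3.1.8 diff, isolated here as a runnable PHP example. This is an added example written for this page, not Ganglia's code: the function names, the temporary directory layout and the whitelist variant are this example's own assumptions; only the `realpath()` comparison mirrors the condition in the diff.

```php
<?php
// Added example (not Ganglia's code). Two ways of deciding whether a
// request-supplied graph name may be included, plus a self-check that
// runs against a constructed directory layout.

// Mirrors the fixed condition from the 3.1.8 diff (`and` and `&&` are
// equivalent inside an if condition): the candidate must be readable
// and its resolved parent directory must be exactly $graphdir.
function graph_file_allowed_by_realpath(string $graphdir, string $graph): ?string
{
    $graph_file = "$graphdir/$graph.php";
    if (is_readable($graph_file)
        && realpath($graphdir) === dirname(realpath($graph_file))) {
        return $graph_file;
    }
    return null;
}

// Stricter alternative (this example's own suggestion): validate the
// parameter before it touches the filesystem. \z rather than $ so a
// trailing newline cannot slip through; the same value is later used to
// build the "graph_${graph}" function name, so this check covers that too.
function graph_file_allowed_by_whitelist(string $graphdir, string $graph): ?string
{
    if (!preg_match('/^[A-Za-z0-9_]+\z/', $graph)) {
        return null;
    }
    $graph_file = "$graphdir/$graph.php";
    return is_readable($graph_file) ? $graph_file : null;
}

// Constructed layout: one legitimate graph inside $graphdir and one PHP
// file directly outside it.
$base = sys_get_temp_dir() . '/graph_check_' . getmypid();
$graphdir = "$base/graph.d";
mkdir($graphdir, 0700, true);
file_put_contents("$graphdir/cpu_report.php", "<?php function graph_cpu_report() {}\n");
file_put_contents("$base/outside.php", "<?php echo 'must never be included';\n");

// name => whether an include should be allowed
$cases = [
    'cpu_report' => true,   // legitimate graph name
    '../outside' => false,  // resolves outside $graphdir; is_readable() alone says yes
    'missing'    => false,  // no such file
];

$failures = 0;
foreach ($cases as $g => $expected) {
    $by_path = graph_file_allowed_by_realpath($graphdir, $g) !== null;
    $by_list = graph_file_allowed_by_whitelist($graphdir, $g) !== null;
    printf("%-14s realpath:%-5s whitelist:%-5s expected:%s\n",
        var_export($g, true), var_export($by_path, true),
        var_export($by_list, true), var_export($expected, true));
    if ($by_path !== $expected || $by_list !== $expected) {
        $failures++;
    }
}

// Remove the constructed layout again.
unlink("$graphdir/cpu_report.php");
unlink("$base/outside.php");
rmdir($graphdir);
rmdir($base);

exit($failures === 0 ? 0 : 1);
```

Run it with `php graph_check.php`; it exits non-zero if either check gives the wrong answer for any case. The `is_readable()` test on its own accepts the `../outside` name because the operating system resolves the `..` component, which is exactly the gap the diff closes; the whitelist variant rejects the name before any filesystem call is made.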

Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#683584; Package ganglia. (Sat, 19 Jan 2013 10:27:03 GMT)

Acknowledgement sent to Daniel Pocock <daniel@pocock.com.au>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Sat, 19 Jan 2013 10:27:03 GMT)

Message #67 received at 683584@bugs.debian.org:

From: Daniel Pocock <daniel@pocock.com.au>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: Yves-Alexis Perez <corsac@debian.org>, 683584@bugs.debian.org, team@security.debian.org, pkg-monitoring-maintainers@lists.alioth.debian.org, sdt@debian.org
Subject: Re: Bug#683584: security update ready for squeeze (3.1.8)
Date: Sat, 19 Jan 2013 11:22:47 +0100



On 19/01/13 10:09, Salvatore Bonaccorso wrote:
> Hi Yves,
> 
> On Mon, Jan 07, 2013 at 09:32:48PM +0100, Yves-Alexis Perez wrote:
>> On lun., 2013-01-07 at 09:11 +0100, Daniel Pocock wrote:
>>> On 07/01/13 07:27, Yves-Alexis Perez wrote:
>>>> On lun., 2013-01-07 at 00:35 +0100, Daniel Pocock wrote:
>>>> 
>>>>> Yes, the 3.1.8 security fix from upstream has been packaged
>>>>> and has been waiting for security team to process through
>>>>> to the archive
>>>>> 
>>>> Can you elaborate on that?
>>>> 
>>> 
>>> 
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683584#25
>>> 
>>> was done before I became a DD, so although I could upload the
>>> fix into git.debian.org, I did not have any access to upload
>>> any binary package
>>> 
>>> Has somebody built and uploaded to the archive already?  As it
>>> is for current stable branch, can I upload myself or does the
>>> security team take care of the upload?
>> 
>> Please provide a debdiff against stable.
> 
> I tried to look at this myself and found upstream commit [1], for
> a similar commit.
> 
> [1]:
> https://github.com/ganglia/ganglia-web/commit/b9f47b0eb9ae81144e90544b04e85bed15c8c2f4
>
>  Comparing the diff 3.1.7 to 3.1.8 source I find this:
> 
> ----cut---------cut---------cut---------cut---------cut---------cut-----
>
> 
diff -urN source-ganglia/ganglia-3.1.7/web/graph.php
ganglia-3.1.8/web/graph.php
> --- source-ganglia/ganglia-3.1.7/web/graph.php	2010-02-17
> 12:05:39.000000000 +0100 +++ ganglia-3.1.8/web/graph.php	2012-08-15
> 19:12:12.000000000 +0200 @@ -1,5 +1,5 @@ <?php -/* $Id: graph.php
> 2183 2010-01-07 16:09:55Z d_pocock $ */ +/* $Id$ */ include_once
> "./eval_config.php"; include_once "./get_context.php"; include_once
> "./functions.php"; @@ -122,7 +122,7 @@
> 
> $graph_file = "$graphdir/$graph.php";
> 
> -if ( is_readable($graph_file) ) { +if ( is_readable($graph_file)
> and realpath($graphdir) === dirname(realpath($graph_file)) ) { 
> include_once($graph_file);
> 
> $graph_function = "graph_${graph}"; 
> ----cut---------cut---------cut---------cut---------cut---------cut-----
>
>  By passing g= argument, it is possible to traverse the path and
> load another file and execute code from it.
> 
> Attached is the debdiff against 3.1.7-1 in squeeze.
> 
> Regards, Salvatore


Just following up on this

- I've added pkg-monitoring-maintainers@lists.alioth.debian.org to the
CC, as there are more people now involved with Ganglia packaging

- if it is acceptable for the upload, I've also put the current
Maintainer and VCS details in debian/control on the squeeze branch



diff --git a/debian/changelog b/debian/changelog
index a655fa6..0a0cb20 100644
- --- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+ganglia (3.1.8-2) UNRELEASED; urgency=low
+
+  * Package now under pkg-monitoring maintainership, update control
+
+ -- Daniel Pocock <daniel@pocock.com.au>
+
 ganglia (3.1.8-1) unstable; urgency=low

   * Fix for path injection security bug (Closes: #683584)
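Review bot: the new entry `+ganglia (3.1.8-2) UNRELEASED; urgency=low` records only the maintainer change and names neither the security fix nor CVE-2012-3448, and its trailer `+ -- Daniel Pocock <daniel@pocock.com.au>` has no date field, so it is not a valid changelog trailer and `dpkg-parsechangelog` will complain. The entry that ships the fix should name the CVE, and the existing `ganglia (3.1.8-1) unstable; urgency=low` entry below it targets `unstable`, which is the wrong distribution for a stable security update (the squeeze upload recorded at the top of this report ended up as 3.1.7-1+squeeze1). Note also that the `- ---` file header is PGP clearsign dash-escaping from the signed mail; the leading `- ` has to be stripped before this diff will apply.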
diff --git a/debian/control b/debian/control
index e308bad..4970f40 100644
- --- a/debian/control
+++ b/debian/control
@@ -1,10 +1,12 @@
 Source: ganglia
 Section: net
 Priority: optional
- -Maintainer: Stuart Teasdale <sdt@debian.org>
+Maintainer: Debian Monitoring Maintainers
<pkg-monitoring-maintainers@lists.alioth.debian.org>
 Homepage: http://www.ganglia.info/
 Build-Depends: debhelper (>> 5.0.0), librrd2-dev, autoconf,
autotools-dev, automake, libapr1-dev, libexpat1-dev, python-dev,
libconfuse-dev, po-debconf, libxml2-dev, libdbi0-dev, libpcre3-dev
 Standards-Version: 3.8.4
+Vcs-Git: git://git.debian.org/pkg-monitoring/ganglia.git
+Vcs-Browser:
http://git.debian.org/?p=pkg-monitoring/ganglia.git;a=summary

 Package: ganglia-monitor
 Architecture: any
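Review bot: `+Vcs-Git: git://git.debian.org/pkg-monitoring/ganglia.git` and the `+Vcs-Browser:` URL point at a pkg-monitoring repository, whereas the changelog link later in this thread still refers to collab-maint/ganglia.git; these fields should only change once the repository really lives at the new path, otherwise the control file advertises a location that does not exist. Replacing `Maintainer:` with the pkg-monitoring list is also more than the minimal change a stable security update should carry; keeping this hunk for the next unstable upload and limiting the squeeze upload to the fix itself would be cleaner. As with the changelog hunk, `- ---` and `- -Maintainer:` carry PGP dash-escaping, and the `Maintainer:`, `Build-Depends:` and `Vcs-Browser:` lines have been re-wrapped by the mail client, so this diff needs to be taken from the repository rather than from the mail before it can be applied.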




Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#683584; Package ganglia. (Sat, 19 Jan 2013 11:51:05 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Sat, 19 Jan 2013 11:51:05 GMT)

Message #72 received at 683584@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Daniel Pocock <daniel@pocock.com.au>
Cc: Yves-Alexis Perez <corsac@debian.org>, 683584@bugs.debian.org, team@security.debian.org, pkg-monitoring-maintainers@lists.alioth.debian.org, sdt@debian.org
Subject: Re: Bug#683584: security update ready for squeeze (3.1.8)
Date: Sat, 19 Jan 2013 12:48:27 +0100
Hi Daniel

Thanks for your follow-up! Even better if you (or someone else of the
pkg-monitoring team) can do the security upload:

On Sat, Jan 19, 2013 at 11:22:47AM +0100, Daniel Pocock wrote:
> Just following up on this
> 
> - - I've added pkg-monitoring-maintainers@lists.alioth.debian.org to the
> CC, as there are more people now involved with Ganglia packaging
> 
> - - if it is acceptable for the upload, I've also put the current
> Maintainer and VCS details in debian/control on the squeeze branch

IMHO yes (but I cannot speak for the security team; also, the VCS seems
to still be at the old location so far?)

Can you furthermore please include the CVE identifier in the
changelog? (CVE-2012-3448)

> diff --git a/debian/changelog b/debian/changelog
> index a655fa6..0a0cb20 100644
> - --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,9 @@
> +ganglia (3.1.8-2) UNRELEASED; urgency=low
> +
> +  * Package now under pkg-monitoring maintainership, update control
> +
> + -- Daniel Pocock <daniel@pocock.com.au>
> +
>  ganglia (3.1.8-1) unstable; urgency=low
> 
>    * Fix for path injection security bug (Closes: #683584)

Note that in general only the fixes for the security upload should be
included. I know: you mentioned that 3.1.8 includes only the fixes for
#683584. But looking at the diff between the two tar.gz:

$ diff -urN ganglia-3.1.7 ganglia-3.1.8 | diffstat
[...]
110 files changed, 49330 insertions(+), 73094 deletions(-)

(part of it seems autogenerated stuff).

The git repo, on the other hand, seems to be based upon 3.1.7-2 (uploaded
once to unstable) and then 3.1.8 (at least according to the
changelog [1]).

 [1]: http://anonscm.debian.org/gitweb/?p=collab-maint/ganglia.git;a=blob;f=debian/changelog;hb=refs/heads/squeeze

I'm sorry if I miss something here.

Regards,
Salvatore
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#683584; Package ganglia. (Sat, 19 Jan 2013 19:39:03 GMT) (full text, mbox, link).


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Sat, 19 Jan 2013 19:39:03 GMT) (full text, mbox, link).


Message #77 received at 683584@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 683584@bugs.debian.org, team@security.debian.org, Daniel Pocock <daniel@pocock.com.au>
Subject: Re: Bug#683584: security update ready for squeeze (3.1.8)
Date: Sat, 19 Jan 2013 20:36:08 +0100
[Message part 1 (text/plain, inline)]
On sam., 2013-01-19 at 10:09 +0100, Salvatore Bonaccorso wrote:
> By passing g= argument, it is possible to traverse the path and load
> another file and execute code from it.
> 
> Attached is the debdiff against 3.1.7-1 in squeeze.


Part of the diff (the is_numeric() parts mainly) seems missing. Is it
intended?

Regards,
-- 
Yves-Alexis
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#683584; Package ganglia. (Sat, 19 Jan 2013 20:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Sat, 19 Jan 2013 20:03:03 GMT) (full text, mbox, link).


Message #82 received at 683584@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Yves-Alexis Perez <corsac@debian.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 683584@bugs.debian.org, team@security.debian.org, Daniel Pocock <daniel@pocock.com.au>, pkg-monitoring-maintainers@lists.alioth.debian.org, sdt@debian.org
Subject: Re: Bug#683584: security update ready for squeeze (3.1.8)
Date: Sat, 19 Jan 2013 21:01:17 +0100
Hi

On Sat, Jan 19, 2013 at 08:36:08PM +0100, Yves-Alexis Perez wrote:
> On sam., 2013-01-19 at 10:09 +0100, Salvatore Bonaccorso wrote:
> > By passing g= argument, it is possible to traverse the path and load
> > another file and execute code from it.
> > 
> > Attached is the debdiff against 3.1.7-1 in squeeze.
> 
> 
> Part of the diff (the is_numeric() parts mainly) seems missing. Is it
> intended?

Yes. I downloaded both 3.1.7 and 3.1.8 source tarballs and looked at
the diff. web/graph.php contains only the following changes:

----cut---------cut---------cut---------cut---------cut---------cut-----
filterdiff -i '*web/graph.php' ganglia_3.1.7_3.1.8.diff 
--- ganglia-3.1.7/web/graph.php 2010-02-17 12:05:39.000000000 +0100
+++ ganglia-3.1.8/web/graph.php 2012-08-15 19:12:12.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-/* $Id: graph.php 2183 2010-01-07 16:09:55Z d_pocock $ */
+/* $Id$ */
 include_once "./eval_config.php";
 include_once "./get_context.php";
 include_once "./functions.php";
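Review bot: the only change in this hunk, `$Id: graph.php 2183 ... $` becoming `$Id$`, is a keyword-expansion cosmetic and not part of the security fix; a minimal backport for the stable update should leave this line out so the debdiff contains nothing but the `realpath()` check in the next hunk.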
@@ -122,7 +122,7 @@
 
 $graph_file = "$graphdir/$graph.php";
 
-if ( is_readable($graph_file) ) {
+if ( is_readable($graph_file) and realpath($graphdir) === dirname(realpath($graph_file)) ) {
     include_once($graph_file);
 
     $graph_function = "graph_${graph}";
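Review bot: the added condition `realpath($graphdir) === dirname(realpath($graph_file))` lets `include_once($graph_file)` run only when the resolved file sits directly inside the resolved `$graphdir`, which is what stops a `$graph` value containing `..` or a symlink that resolves elsewhere; it deserves a code comment, since two consequences are not obvious from the line: `realpath()` returns `false` for a missing path, which is harmless here only because `is_readable($graph_file)` is evaluated first, and graph files in subdirectories of `$graphdir` or symlinked to a location outside it are now refused. The following `$graph_function = "graph_${graph}"` still interpolates the raw `$graph`, which is acceptable only because the containment check has already bounded it to a file name inside `$graphdir`.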
----cut---------cut---------cut---------cut---------cut---------cut-----

If I see it correctly the corresponding code is not present in 3.1.7,
and the above are the only changes done in web/graph.php between 3.1.7
and 3.1.8.

Regards,
Salvatore
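The check added by the one-line change quoted above, re-implemented in Python as an added example (not code from this thread or from ganglia) so its behaviour can be exercised against a constructed directory layout; the `graph.d` directory and file names are assumptions, and the pre-3.1.8 behaviour is modelled by skipping the containment test:

```python
import os
import tempfile


def resolve_graph_file(graphdir, graph, containment_check=True):
    """Model of the graph-file lookup in web/graph.php.

    With containment_check=False this is the 3.1.7 behaviour: any readable
    "$graphdir/$graph.php" is accepted. With containment_check=True it adds
    the 3.1.8 test realpath($graphdir) === dirname(realpath($graph_file)),
    so the file is accepted only if, after resolving '..' and symlinks, it
    lives directly inside graphdir. Returns the path to include, or None.
    """
    graph_file = os.path.join(graphdir, graph + ".php")   # "$graphdir/$graph.php"
    if not os.access(graph_file, os.R_OK):                # is_readable($graph_file)
        return None
    if containment_check:
        # Both sides go through realpath(), so '..' segments and symlinks are
        # resolved before the comparison; it is made on the real location.
        if os.path.realpath(graphdir) != os.path.dirname(os.path.realpath(graph_file)):
            return None
    return graph_file


def demo():
    """Constructed layout (an assumption, not ganglia's real tree):

        <tmp>/graph.d/load_report.php   legitimate graph module
        <tmp>/graph.d/link.php          symlink -> <tmp>/other/module.php
        <tmp>/other/module.php          readable file outside graph.d

    Returns {case: (accepted_in_3_1_7, accepted_in_3_1_8)}.
    """
    with tempfile.TemporaryDirectory() as root:
        graphdir = os.path.join(root, "graph.d")
        other = os.path.join(root, "other")
        os.mkdir(graphdir)
        os.mkdir(other)
        for path in (os.path.join(graphdir, "load_report.php"),
                     os.path.join(other, "module.php")):
            with open(path, "w") as fh:
                fh.write("<?php /* constructed placeholder */\n")
        os.symlink(os.path.join(other, "module.php"),
                   os.path.join(graphdir, "link.php"))

        cases = {
            "legit": "load_report",          # normal g= value
            "traversal": "../other/module",  # '..' escapes graph.d
            "symlink_out": "link",           # name inside graph.d, target outside
            "missing": "does_not_exist",     # is_readable() fails in both versions
        }
        return {
            name: (resolve_graph_file(graphdir, g, containment_check=False) is not None,
                   resolve_graph_file(graphdir, g, containment_check=True) is not None)
            for name, g in cases.items()
        }


if __name__ == "__main__":
    for case, (old, new) in demo().items():
        print(f"{case:12s} 3.1.7={'include' if old else 'reject'}  "
              f"3.1.8={'include' if new else 'reject'}")
```

The symlink case is the one the thread does not spell out: a name that is syntactically inside `graph.d` is still refused once its real location is elsewhere.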



Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#683584; Package ganglia. (Sat, 19 Jan 2013 20:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Pocock <daniel@pocock.com.au>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Sat, 19 Jan 2013 20:15:03 GMT) (full text, mbox, link).


Message #87 received at 683584@bugs.debian.org (full text, mbox, reply):

From: Daniel Pocock <daniel@pocock.com.au>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: Yves-Alexis Perez <corsac@debian.org>, team@security.debian.org, pkg-monitoring-maintainers@lists.alioth.debian.org, sdt@debian.org, 683584@bugs.debian.org
Subject: Re: [Pkg-monitoring-maintainers] Bug#683584: security update ready for squeeze (3.1.8)
Date: Sat, 19 Jan 2013 21:12:13 +0100
On 19/01/13 21:01, Salvatore Bonaccorso wrote:
> Hi
> 
> On Sat, Jan 19, 2013 at 08:36:08PM +0100, Yves-Alexis Perez wrote:
>> On sam., 2013-01-19 at 10:09 +0100, Salvatore Bonaccorso wrote:
>>> By passing g= argument, it is possible to traverse the path and load
>>> another file and execute code from it.
>>>
>>> Attached is the debdiff against 3.1.7-1 in squeeze.
>>
>>
>> Part of the diff (the is_numeric() parts mainly) seems missing. Is it
>> intended?
> 
> Yes. I downloaded both 3.1.7 and 3.1.8 source tarballs and looked at
> the diff. web/graph.php contains only the following changes:
> 
> ----cut---------cut---------cut---------cut---------cut---------cut-----
> filterdiff -i '*web/graph.php' ganglia_3.1.7_3.1.8.diff 
> --- ganglia-3.1.7/web/graph.php 2010-02-17 12:05:39.000000000 +0100
> +++ ganglia-3.1.8/web/graph.php 2012-08-15 19:12:12.000000000 +0200
> @@ -1,5 +1,5 @@
>  <?php
> -/* $Id: graph.php 2183 2010-01-07 16:09:55Z d_pocock $ */
> +/* $Id$ */
>  include_once "./eval_config.php";
>  include_once "./get_context.php";
>  include_once "./functions.php";
> @@ -122,7 +122,7 @@
>  
>  $graph_file = "$graphdir/$graph.php";
>  
> -if ( is_readable($graph_file) ) {
> +if ( is_readable($graph_file) and realpath($graphdir) === dirname(realpath($graph_file)) ) {
>      include_once($graph_file);
>  
>      $graph_function = "graph_${graph}";
> ----cut---------cut---------cut---------cut---------cut---------cut-----
> 
> If I see it correctly the corresponding code is not present in 3.1.7,
> and the above are the only changes done in web/graph.php between 3.1.7
> and 3.1.8.
> 

Please keep in mind, the version in wheezy has the new ganglia web/*
code, which is a massive overhaul with more functionality and
potentially more things to change when there is an issue.

The version in squeeze is the legacy Ganglia web code.

For wheezy + 1, the web code is an independent upstream release and
independent source package.

Anyhow, please let me know when it needs further action from myself, or
I'm just as happy for somebody else to build and NMU, please just
remember to tag it in git.

Here is my usual workflow (abbreviated):

git clone git+ssh://git.debian.org/git/pkg-monitoring/ganglia.git
cd ganglia
git checkout squeeze
vi debian/changelog
git add debian/changelog && git commit -m 'Update changelog, etc'
dpkg-buildpackage -rfakeroot
dput ../
git tag -s -m 'Tag v3.1.8-2' squeeze/3.1.8-2
git push origin squeeze

Regards,

Daniel




Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#683584; Package ganglia. (Sat, 19 Jan 2013 20:57:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Sat, 19 Jan 2013 20:57:05 GMT) (full text, mbox, link).


Message #92 received at 683584@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Daniel Pocock <daniel@pocock.com.au>
Cc: Yves-Alexis Perez <corsac@debian.org>, team@security.debian.org, pkg-monitoring-maintainers@lists.alioth.debian.org, sdt@debian.org, 683584@bugs.debian.org
Subject: ganglia update for Squeeze (CVE-2012-3448)
Date: Sat, 19 Jan 2013 21:52:23 +0100
Hi Daniel, hi all

Ok, let's try to recap (I feel like there is some confusion ;-))

Squeeze currently has ganglia 3.1.7-1. So the updated package needs to
be based on this. Usually introducing a new upstream version is not
accepted for security updates (an exception is e.g. mysql, where it
seems not otherwise possible). So this should/will be 3.1.7-1+squeeze1 for
a Squeeze update.

Adjusting the Subject of this mail to avoid further confusions.

The source diff between 3.1.7 and 3.1.8 is somewhat huge (4.8M, 110
files changed, 49330 insertions(+), 73094 deletions(-)).

The isolated fix is only in web/graph.php right?

So the upload for stable-security needs only to include the fix to
actually fix CVE-2012-3448, which seems to be the part discussed. You, as
an upstream contributor, might give some more hints about what is actually
needed apart from the change in web/graph.php (if there is any).

p.s.: I'm not trying to hijack your work, but only would like to make
      sure that the fix gets into Squeeze for CVE-2012-3448.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#683584; Package ganglia. (Sat, 19 Jan 2013 21:18:05 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Pocock <daniel@pocock.com.au>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Sat, 19 Jan 2013 21:18:05 GMT) (full text, mbox, link).


Message #97 received at 683584@bugs.debian.org (full text, mbox, reply):

From: Daniel Pocock <daniel@pocock.com.au>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: pkg-monitoring-maintainers@lists.alioth.debian.org, sdt@debian.org, 683584@bugs.debian.org, Yves-Alexis Perez <corsac@debian.org>, team@security.debian.org
Subject: Re: [Pkg-monitoring-maintainers] ganglia update for Squeeze (CVE-2012-3448)
Date: Sat, 19 Jan 2013 22:15:00 +0100
On 19/01/13 21:52, Salvatore Bonaccorso wrote:
> Hi Daniel, hi all
> 
> Ok, let's try to recap (I feel like there is some confusion ;-))
> 
> Squeeze currently has ganglia 3.1.7-1. So the updated package needs to
> be based on this. Usually introducing a new upstream version is not
> accepted for security updates (an exception is e.g. mysql, where it
> seems not otherwise possible). So this should/will be 3.1.7-1+squeeze1 for
> a Squeeze update.

The upstream 3.1 branch only receives updates of the type that qualify
for the stable branch in Debian (e.g. security updates, fixes for seg
faults).  The 3.1.8 upstream release only differs from 3.1.7 with the
addition of the fix for this issue.

In this instance, upstream even created a 3.1.8 branch off the 3.1
branch, just to isolate the fix:

https://github.com/ganglia/monitor-core/commits/release/3.1.8


> Adjusting the Subject of this mail to avoid further confusions.
> 
> The source diff between 3.1.7 and 3.1.8 is somewhat huge (4.8M, 110
> files changed, 49330 insertions(+), 73094 deletions(-)).
>
> The isolated fix is only in web/graph.php right?

This seems odd, and not what I would expect if I check upstream:

git clone git@github.com:ganglia/monitor-core.git

cd ganglia
git diff monitor-core-3.1.7 3.1.8

(from that diff, ignore the git2dist and bootstrap changes, those files
are not released in the tarballs)

Is it possible that dpkg-buildpackage is incorrectly regenerating the
tarball, or does squeeze possibly have a modified 3.1.7.orig tarball?

I PGP sign the upstream release announcements, so it should be easy to
verify.
http://www.mail-archive.com/ganglia-developers@lists.sourceforge.net/msg05533.html
http://www.mail-archive.com/ganglia-developers@lists.sourceforge.net/msg06329.html

> So the upload for stable-security needs only to include the fix to
> actually fix CVE-2012-3448, which seems to be the part discussed. You, as
> an upstream contributor, might give some more hints about what is actually
> needed apart from the change in web/graph.php (if there is any).
> 
> p.s.: I'm not trying to hijack your work, but only would like to make
>       sure that the fix gets into Squeeze for CVE-2012-3448.

I agree this needs to be understood, you'll notice from github that
georgiou (Fedora maintainer) did the backport onto the branch and then I
cut the upstream release.  It's good to have multiple people involved in
the process to double-check things like this.  If we are not sure the
fix is correct or complete, it probably needs to be raised on ganglia-dev.




Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#683584; Package ganglia. (Sat, 19 Jan 2013 23:06:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Sat, 19 Jan 2013 23:06:03 GMT) (full text, mbox, link).


Message #102 received at 683584@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Daniel Pocock <daniel@pocock.com.au>
Cc: pkg-monitoring-maintainers@lists.alioth.debian.org, sdt@debian.org, 683584@bugs.debian.org, Yves-Alexis Perez <corsac@debian.org>, team@security.debian.org
Subject: Re: [Pkg-monitoring-maintainers] ganglia update for Squeeze (CVE-2012-3448)
Date: Sun, 20 Jan 2013 00:02:17 +0100
Hi Daniel, hi Yves-Alexis

In short, [1] looks to be the only change needed for the security
update. So the debdiff I posted should be okay. But I will leave it to
Yves-Alexis (who is a Debian Security Team member) to decide which way to go.

On Sat, Jan 19, 2013 at 10:15:00PM +0100, Daniel Pocock wrote:
> On 19/01/13 21:52, Salvatore Bonaccorso wrote:
> > Hi Daniel, hi all
> > 
> > Ok, let's try to recap (I feel like there is some confusion ;-))
> > 
> > Squeeze currently has ganglia 3.1.7-1. So the updated package needs to
> > be based on this. Usually introducing a new upstream version is not
> > accepted for security updates (an exception is e.g. mysql, where it
> > seems not otherwise possible). So this should/will be 3.1.7-1+squeeze1 for
> > a Squeeze update.
> 
> The upstream 3.1 branch only receives updates of the type that qualify
> for the stable branch in Debian (e.g. security updates, fixes for seg
> faults).  The 3.1.8 upstream release only differs from 3.1.7 with the
> addition of the fix for this issue
> 
> In this instance, upstream even created a 3.1.8 branch off the 3.1
> branch, just to isolate the fix:
> 
> https://github.com/ganglia/monitor-core/commits/release/3.1.8

Ok and indeed this[1] confirms that the isolated fix is the oneliner.
Thanks.

 [1]: https://github.com/ganglia/monitor-core/commit/3404fbfcfad74c4c050578add31ea3a5ec5f0276
 
> > Adjusting the Subject of this mail to avoid further confusions.
> > 
> > The source diff between 3.1.7 and 3.1.8 is somewhat huge (4.8M, 110
> > files changed, 49330 insertions(+), 73094 deletions(-)).
> >
> > The isolated fix is only in web/graph.php right?
> 
> This seems odd, and not what I would expect if I check upstream:
> 
> git clone git@github.com:ganglia/monitor-core.git
> 
> cd ganglia
> git diff monitor-core-3.1.7 3.1.8
> 
> (from that diff, ignore the git2dist and bootstrap changes, those files
> are not released in the tarballs)
> 
> Is it possible that dpkg-buildpackage is incorrectly regenerating the
> tarball, or does squeeze possibly have a modified 3.1.7.orig tarball?
> 
> I PGP sign the upstream release announcements, so it should be easy to
> verify.
> http://www.mail-archive.com/ganglia-developers@lists.sourceforge.net/msg05533.html
> http://www.mail-archive.com/ganglia-developers@lists.sourceforge.net/msg06329.html

This is how I checked the above:

wget http://cdn.debian.net/debian/pool/main/g/ganglia/ganglia_3.1.7.orig.tar.gz

From [2] there is a link to the source tarball:

 [2] http://www.mail-archive.com/ganglia-developers@lists.sourceforge.net/msg06329.html

I fetched ganglia-3.1.8.tar.gz, checked its checksum with sha224sum, and
compared the two source trees. (A lot can be excluded, right, as it is
autogenerated stuff.)

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#683584; Package ganglia. (Sat, 19 Jan 2013 23:48:03 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Pocock <daniel@pocock.com.au>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Sat, 19 Jan 2013 23:48:03 GMT) (full text, mbox, link).


Message #107 received at 683584@bugs.debian.org (full text, mbox, reply):

From: Daniel Pocock <daniel@pocock.com.au>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: pkg-monitoring-maintainers@lists.alioth.debian.org, sdt@debian.org, 683584@bugs.debian.org, Yves-Alexis Perez <corsac@debian.org>, team@security.debian.org
Subject: Re: [Pkg-monitoring-maintainers] ganglia update for Squeeze (CVE-2012-3448)
Date: Sun, 20 Jan 2013 00:44:38 +0100
On 20/01/13 00:02, Salvatore Bonaccorso wrote:
> Hi Daniel, hi Yves-Alexis
> 
> In short, [1] looks to be the only change needed for the security
> update. So the debdiff I posted should be okay. But I will leave it to
> Yves-Alexis (who is a Debian Security Team member) to decide which way to go.
> 
> On Sat, Jan 19, 2013 at 10:15:00PM +0100, Daniel Pocock wrote:
>> On 19/01/13 21:52, Salvatore Bonaccorso wrote:
>>> Hi Daniel, hi all
>>>
>>> Ok, let's try to recap (I feel like there is some confusion ;-))
>>>
>>> Squeeze currently has ganglia 3.1.7-1. So the updated package needs to
>>> be based on this. Usually introducing a new upstream version is not
>>> accepted for security updates (an exception is e.g. mysql, where it
>>> seems not otherwise possible). So this should/will be 3.1.7-1+squeeze1 for
>>> a Squeeze update.
>>
>> The upstream 3.1 branch only receives updates of the type that qualify
>> for the stable branch in Debian (e.g. security updates, fixes for seg
>> faults).  The 3.1.8 upstream release only differs from 3.1.7 with the
>> addition of the fix for this issue
>>
>> In this instance, upstream even created a 3.1.8 branch off the 3.1
>> branch, just to isolate the fix:
>>
>> https://github.com/ganglia/monitor-core/commits/release/3.1.8
> 
> Ok and indeed this[1] confirms that the isolated fix is the oneliner.
> Thanks.
> 
>  [1]: https://github.com/ganglia/monitor-core/commit/3404fbfcfad74c4c050578add31ea3a5ec5f0276
>  
>>> Adjusting the Subject of this mail to avoid further confusions.
>>>
>>> The source diff between 3.1.7 and 3.1.8 is somewhat huge (4.8M, 110
>>> files changed, 49330 insertions(+), 73094 deletions(-)).
>>>
>>> The isolated fix is only in web/graph.php right?
>>
>> This seems odd, and not what I would expect if I check upstream:
>>
>> git clone git@github.com:ganglia/monitor-core.git
>>
>> cd ganglia
>> git diff monitor-core-3.1.7 3.1.8
>>
>> (from that diff, ignore the git2dist and bootstrap changes, those files
>> are not released in the tarballs)
>>
>> Is it possible that dpkg-buildpackage is incorrectly regenerating the
>> tarball, or does squeeze possibly have a modified 3.1.7.orig tarball?
>>
>> I PGP sign the upstream release announcements, so it should be easy to
>> verify.
>> http://www.mail-archive.com/ganglia-developers@lists.sourceforge.net/msg05533.html
>> http://www.mail-archive.com/ganglia-developers@lists.sourceforge.net/msg06329.html
> 
> This is how I checked the above:
> 
> wget http://cdn.debian.net/debian/pool/main/g/ganglia/ganglia_3.1.7.orig.tar.gz
> 
> From [2] there is a link to the source tarball:
> 
>  [2] http://www.mail-archive.com/ganglia-developers@lists.sourceforge.net/msg06329.html
> 
> I fetched ganglia-3.1.8.tar.gz, checked its checksum with sha224sum, and
> compared the two source trees. (A lot can be excluded, right, as it is
> autogenerated stuff.)
> 

Thanks for confirming that

It is possible that I bootstrapped 3.1.7 on an earlier Debian version
than 3.1.8.  E.g. Maybe 3.1.7 was bootstrapped on lenny and 3.1.8 on
squeeze.  This would mean different versions of autoconf were present,
and each of them dumps different stuff in the source tree.

However, just excluding that change (e.g. by hacking the one line change
into the 3.1.7 tree rather than using the whole 3.1.8 tree) doesn't
guarantee identical autotools behavior unless the build is done on a
platform equivalent to where the original 3.1.7-1 package was built.

If we need to be that pedantic about it to put something into squeeze
(which may well be a good idea), then maybe we need to make the change
without building and releasing any of the actual binaries, just release
the ganglia-web.deb package (which contains no binary code, just PHP).
Is there a workflow to do that?




Marked as found in versions 3.1.7-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 20 Jan 2013 07:12:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#683584; Package ganglia. (Sun, 20 Jan 2013 09:18:03 GMT) (full text, mbox, link).


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Sun, 20 Jan 2013 09:18:03 GMT) (full text, mbox, link).


Message #114 received at 683584@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>
To: Daniel Pocock <daniel@pocock.com.au>
Cc: Salvatore Bonaccorso <carnil@debian.org>, pkg-monitoring-maintainers@lists.alioth.debian.org, sdt@debian.org, 683584@bugs.debian.org, team@security.debian.org
Subject: Re: [Pkg-monitoring-maintainers] ganglia update for Squeeze (CVE-2012-3448)
Date: Sun, 20 Jan 2013 10:14:26 +0100
[Message part 1 (text/plain, inline)]
On dim., 2013-01-20 at 00:44 +0100, Daniel Pocock wrote:
> Thanks for confirming that
> 
> It is possible that I bootstrapped 3.1.7 on an earlier Debian version
> than 3.1.8.  E.g. Maybe 3.1.7 was bootstrapped on lenny and 3.1.8 on
> squeeze.  This would mean different versions of autoconf were present,
> and each of them dumps different stuff in the source tree.

Looks possible.
> 
> However, just excluding that change (e.g. by hacking the one line
> change
> into the 3.1.7 tree rather than using the whole 3.1.8 tree) doesn't
> guarantee identical autotools behavior unless the build is done on a
> platform equivalent to where the original 3.1.7-1 package was built.

I'd be really concerned if it'd be the case. But if you fear something
like that, it'd be best if you could test the package indeed fixes the
bug.
> 
> If we need to be that pedantic about it to put something into squeeze
> (which may well be a good idea), then maybe we need to make the change
> without building and releasing any of the actual binaries, just
> release
> the ganglia-web.deb package (which contains no binary code, just PHP).
> Is there a workflow to do that?

No. We want minimal changes against the version in Squeeze, remember?

In any case, provided it actually fixes the bug, I'm ok with Salvatore
package including only the oneliner patch.

Regards,
-- 
Yves-Alexis
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#683584; Package ganglia. (Sun, 20 Jan 2013 09:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Pocock <daniel@pocock.com.au>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Sun, 20 Jan 2013 09:45:03 GMT) (full text, mbox, link).


Message #119 received at 683584@bugs.debian.org (full text, mbox, reply):

From: Daniel Pocock <daniel@pocock.com.au>
To: Yves-Alexis Perez <corsac@debian.org>
Cc: pkg-monitoring-maintainers@lists.alioth.debian.org, team@security.debian.org, 683584@bugs.debian.org, sdt@debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: [Pkg-monitoring-maintainers] ganglia update for Squeeze (CVE-2012-3448)
Date: Sun, 20 Jan 2013 10:40:13 +0100
On 20/01/13 10:14, Yves-Alexis Perez wrote:
> On dim., 2013-01-20 at 00:44 +0100, Daniel Pocock wrote:
>> Thanks for confirming that
>>
>> It is possible that I bootstrapped 3.1.7 on an earlier Debian version
>> than 3.1.8.  E.g. Maybe 3.1.7 was bootstrapped on lenny and 3.1.8 on
>> squeeze.  This would mean different versions of autoconf were present,
>> and each of them dumps different stuff in the source tree.
> 
> Looks possible.
>>
>> However, just excluding that change (e.g. by hacking the one line
>> change
>> into the 3.1.7 tree rather than using the whole 3.1.8 tree) doesn't
>> guarantee identical autotools behavior unless the build is done on a
>> platform equivalent to where the original 3.1.7-1 package was built.
> 
> I'd be really concerned if it'd be the case. But if you fear something

That is the case, for any autotools project: autotools is a whole world
of its own.  For example, a newer version may build the code with
different compiler or linker flags, and this may or may not cause the
build to fail or produce a different result on some or all platforms.

In practice, people do stuff like this every day, but usually when
compiling for a single platform where they can see the results
themselves.  I just don't know if there is some more pedantic approach
to managing this type of risk for updates to stable and would appreciate
feedback on that, however...

> like that, it'd be best if you could test the package indeed fixes the
> bug.
>>
>> If we need to be that pedantic about it to put something into squeeze
>> (which may well be a good idea), then maybe we need to make the change
>> without building and releasing any of the actual binaries, just
>> release
>> the ganglia-web.deb package (which contains no binary code, just PHP).
>> Is there a workflow to do that?
> 
> No. We want minimal changes against the version in Squeeze, remember?

Minimal change would mean exactly what I described: not producing any
new binary packages for ganglia-monitor.deb, gmetad.deb, etc.  We would
only release the ganglia-web.deb binary package.

If we release all the binary packages, that means they are all
recompiled, even though none of the code in them is changing.  It is
only the PHP code that changes, and that is not compiled anyway.


> In any case, provided it actually fixes the bug, I'm ok with Salvatore
> package including only the oneliner patch.
> 
> Regards,
> 
> 
> 



Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#683584; Package ganglia. (Sun, 20 Jan 2013 09:48:06 GMT) (full text, mbox, link).


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Sun, 20 Jan 2013 09:48:06 GMT) (full text, mbox, link).


Message #124 received at 683584@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>
To: Daniel Pocock <daniel@pocock.com.au>
Cc: pkg-monitoring-maintainers@lists.alioth.debian.org, team@security.debian.org, 683584@bugs.debian.org, sdt@debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: [Pkg-monitoring-maintainers] ganglia update for Squeeze (CVE-2012-3448)
Date: Sun, 20 Jan 2013 10:44:22 +0100
[Message part 1 (text/plain, inline)]
On dim., 2013-01-20 at 10:40 +0100, Daniel Pocock wrote:
> In practice, people do stuff like this every day, but usually when
> compiling for a single platform where they can see the results
> themselves.  I just don't know if there is some more pedantic approach
> to managing this type of risk for updates to stable and would appreciate
> feedback on that, however...

Well, if a oneliner patch is not applied because of autotools, we really
have a problem. And indeed, by only including the oneliner patch, we
make sure nothing else changed in Squeeze, since the buildds still run
the same compiler versions that were used before.

> Minimal change would mean exactly what I described: not producing any
> new binary packages for ganglia-monitor.deb, gmetad.deb, etc.  We would
> only release the ganglia-web.deb binary package.

We're not interested in binary packages in Debian but you're indeed free
to do that kind of QA work upstream.

Regards,
-- 
Yves-Alexis
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#683584; Package ganglia. (Sun, 20 Jan 2013 10:06:06 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Pocock <daniel@pocock.com.au>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Sun, 20 Jan 2013 10:06:06 GMT) (full text, mbox, link).


Message #129 received at 683584@bugs.debian.org (full text, mbox, reply):

From: Daniel Pocock <daniel@pocock.com.au>
To: Yves-Alexis Perez <corsac@debian.org>
Cc: pkg-monitoring-maintainers@lists.alioth.debian.org, team@security.debian.org, 683584@bugs.debian.org, sdt@debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: [Pkg-monitoring-maintainers] ganglia update for Squeeze (CVE-2012-3448)
Date: Sun, 20 Jan 2013 11:03:10 +0100



On 20/01/13 10:44, Yves-Alexis Perez wrote:
> On dim., 2013-01-20 at 10:40 +0100, Daniel Pocock wrote:
>> In practice, people do stuff like this every day, but usually
>> when compiling for a single platform where they can see the
>> results themselves.  I just don't know if there is some more
>> pedantic approach to managing this type of risk for updates to
>> stable and would appreciate feedback on that, however...
> 
> Well, if a oneliner patch is not applied because of autotools, we
> really have a problem. And indeed, by only including the oneliner
> patch, we make sure nothing else changed in Squeeze, since the
> buildds still run the same compiler versions that were used before.

If that is the case, then there is no problem

>> Minimal change would mean exactly what I described: not producing
>> any new binary packages for ganglia-monitor.deb, gmetad.deb, etc.
>> We would only release the ganglia-web.deb binary package.
> 
> We're not interested in binary packages in Debian but you're indeed
> free to do that kind of QA work upstream.

I'm not quite sure what you mean there... any package produced by
dpkg-buildpackage is, by definition, a binary package, even in the
case of ganglia-web.deb, which just contains un-compiled PHP text
files copied from the source package.






Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#683584; Package ganglia. (Sun, 20 Jan 2013 10:09:03 GMT) (full text, mbox, link).


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Sun, 20 Jan 2013 10:09:03 GMT) (full text, mbox, link).


Message #134 received at 683584@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>
To: Daniel Pocock <daniel@pocock.com.au>
Cc: pkg-monitoring-maintainers@lists.alioth.debian.org, team@security.debian.org, 683584@bugs.debian.org, sdt@debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: [Pkg-monitoring-maintainers] ganglia update for Squeeze (CVE-2012-3448)
Date: Sun, 20 Jan 2013 11:05:06 +0100
[Message part 1 (text/plain, inline)]
On dim., 2013-01-20 at 11:03 +0100, Daniel Pocock wrote:
> > We're not interested in binary packages in Debian but you're indeed
> > free to do that kind of QA work upstream.
> 
> I'm not quite sure what you mean there... any package produced by
> dpkg-buildpackage is, by definition, a binary package,

Yes.

>  even in the
> case of ganglia-web.deb, which just contains un-compiled PHP text
> files copied from the source package.

But we're not interested in *upstream* binary packages. In any case,
that's a discussion for the ganglia Debian maintainers, I'm only
interested in the fix for Squeeze here.

Regards,
-- 
Yves-Alexis
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#683584; Package ganglia. (Sun, 20 Jan 2013 12:09:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Sun, 20 Jan 2013 12:09:03 GMT) (full text, mbox, link).


Message #139 received at 683584@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Yves-Alexis Perez <corsac@debian.org>
Cc: Daniel Pocock <daniel@pocock.com.au>, pkg-monitoring-maintainers@lists.alioth.debian.org, sdt@debian.org, 683584@bugs.debian.org, team@security.debian.org
Subject: Re: [Pkg-monitoring-maintainers] ganglia update for Squeeze (CVE-2012-3448)
Date: Sun, 20 Jan 2013 13:07:34 +0100
[Message part 1 (text/plain, inline)]
Hi

On Sun, Jan 20, 2013 at 10:14:26AM +0100, Yves-Alexis Perez wrote:
[...]
> > If we need to be that pedantic about it to put something into squeeze
> > (which may well be a good idea), then maybe we need to make the change
> > without building and releasing any of the actual binaries, just
> > release
> > the ganglia-web.deb package (which contains no binary code, just PHP).
> > Is there a workflow to do that?
> 
> No. We want minimal changes against the version in Squeeze, remember?
> 
> In any case, provided it actually fixes the bug, I'm ok with Salvatore
> package including only the oneliner patch.

So I have verified the following things:

 - The debdiff contains only the mentioned change (debdiff attached).

 - The patch is applied to /usr/share/ganglia-webfrontend/graph.php in
   the produced binary package ganglia-webfrontend.

 - If I try to exploit the argument g= passed to graph.php on a
   squeeze with installed package it does not work anymore and in logs
   I correctly notice the Error output produced by the error_log. At
   least with the obvious exploit variant.

 - I also checked the debdiff against the produced binary packages:

----cut---------cut---------cut---------cut---------cut---------cut-----

ganglia-webfrontend:
--------------------

File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
------------------------------------------------
Version: [-3.1.7-1-] {+3.1.7-1+squeeze1+}

ganglia-monitor:
----------------

File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
------------------------------------------------
Depends: libapr1 (>= 1.2.7), libc6 (>= 2.2.5), libconfuse0 (>= 2.5), libexpat1 (>= 1.95.8), libganglia1 (= [-3.1.7-1+b1),-] {+3.1.7-1+squeeze1),+} libpcre3 (>= 7.7), adduser
Installed-Size: [-168-] {+228+}
Source: ganglia [-(3.1.7-1)-]
Version: [-3.1.7-1+b1-] {+3.1.7-1+squeeze1+}

gmetad:
-------

File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
------------------------------------------------
Depends: libapr1 (>= 1.2.7), libc6 (>= 2.3), libconfuse0 (>= 2.5), libexpat1 (>= 1.95.8), libganglia1 (= [-3.1.7-1+b1),-] {+3.1.7-1+squeeze1),+} libpcre3 (>= 7.7), librrd4 (>= 1.3.0), adduser
Installed-Size: [-92-] {+160+}
Source: ganglia [-(3.1.7-1)-]
Version: [-3.1.7-1+b1-] {+3.1.7-1+squeeze1+}

libganglia1:
------------

File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
------------------------------------------------
Installed-Size: [-836-] {+896+}
Source: ganglia [-(3.1.7-1)-]
Version: [-3.1.7-1+b1-] {+3.1.7-1+squeeze1+}

libganglia1-dev:
----------------

File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
------------------------------------------------
Depends: libganglia1 (= [-3.1.7-1+b1)-] {+3.1.7-1+squeeze1)+}
Installed-Size: [-172-] {+208+}
Source: ganglia [-(3.1.7-1)-]
Version: [-3.1.7-1+b1-] {+3.1.7-1+squeeze1+}
----cut---------cut---------cut---------cut---------cut---------cut-----

 - Attached is also the buildlog. It shows some problems, but those are
   already present in the version currently in Squeeze.

So I think we are on the safe side, but if you, Daniel, see an actual
problem with one of the produced binary packages please let us know.
I could also provide the binary packages somewhere if you want to test
them.

Regards,
Salvatore
[ganglia_3.1.7-1+squeeze1.debdiff (text/plain, attachment)]
[ganglia_3.1.7-1+squeeze1_amd64.build.gz (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#683584; Package ganglia. (Sun, 20 Jan 2013 17:18:03 GMT) (full text, mbox, link).


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Sun, 20 Jan 2013 17:18:03 GMT) (full text, mbox, link).


Message #144 received at 683584@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: Daniel Pocock <daniel@pocock.com.au>, pkg-monitoring-maintainers@lists.alioth.debian.org, sdt@debian.org, 683584@bugs.debian.org, team@security.debian.org
Subject: Re: [Pkg-monitoring-maintainers] ganglia update for Squeeze (CVE-2012-3448)
Date: Sun, 20 Jan 2013 18:15:30 +0100
[Message part 1 (text/plain, inline)]
On Sun., 2013-01-20 at 13:07 +0100, Salvatore Bonaccorso wrote:
> So I have verified the following things:
> 
>  - The debdiff contains only the mentioned change (debdiff attached).
> 
>  - The patch is applied to /usr/share/ganglia-webfrontend/graph.php in
>    the produced binary package ganglia-webfrontend.
> 
>  - If I try to exploit the argument g= passed to graph.php on a
>    squeeze with installed package it does not work anymore and in logs
>    I correctly notice the Error output produced by the error_log. At
>    least with the obvious exploit variant.

Can you upload to security-master? Remember to build with -sa.

Regards,
-- 
Yves-Alexis
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#683584; Package ganglia. (Sun, 20 Jan 2013 17:54:02 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Sun, 20 Jan 2013 17:54:02 GMT) (full text, mbox, link).


Message #149 received at 683584@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Yves-Alexis Perez <corsac@debian.org>
Cc: Daniel Pocock <daniel@pocock.com.au>, pkg-monitoring-maintainers@lists.alioth.debian.org, sdt@debian.org, 683584@bugs.debian.org, team@security.debian.org
Subject: Re: [Pkg-monitoring-maintainers] ganglia update for Squeeze (CVE-2012-3448)
Date: Sun, 20 Jan 2013 18:50:01 +0100
Hi

On Sun, Jan 20, 2013 at 06:15:30PM +0100, Yves-Alexis Perez wrote:
> On Sun., 2013-01-20 at 13:07 +0100, Salvatore Bonaccorso wrote:
> > So I have verified the following things:
> > 
> >  - The debdiff contains only the mentioned change (debdiff attached).
> > 
> >  - The patch is applied to /usr/share/ganglia-webfrontend/graph.php in
> >    the produced binary package ganglia-webfrontend.
> > 
> >  - If I try to exploit the argument g= passed to graph.php on a
> >    squeeze with installed package it does not work anymore and in logs
> >    I correctly notice the Error output produced by the error_log. At
> >    least with the obvious exploit variant.
> 
> Can you upload to security-master? Remember to build with -sa.

Done!

And thanks for your work on the Security Team!

Regards,
Salvatore



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Tue, 22 Jan 2013 20:51:03 GMT) (full text, mbox, link).


Notification sent to Yves-Alexis Perez <corsac@debian.org>:
Bug acknowledged by developer. (Tue, 22 Jan 2013 20:51:03 GMT) (full text, mbox, link).


Message #154 received at 683584-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 683584-close@bugs.debian.org
Subject: Bug#683584: fixed in ganglia 3.1.7-1+squeeze1
Date: Tue, 22 Jan 2013 20:47:05 +0000
Source: ganglia
Source-Version: 3.1.7-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
ganglia, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 683584@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ganglia package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 19 Jan 2013 10:04:17 +0100
Source: ganglia
Binary: ganglia-monitor gmetad libganglia1 libganglia1-dev ganglia-webfrontend
Architecture: source all amd64
Version: 3.1.7-1+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Stuart Teasdale <sdt@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 ganglia-monitor - cluster monitoring toolkit - node daemon
 ganglia-webfrontend - cluster monitoring toolkit - web front-end
 gmetad     - cluster monitoring toolkit - Ganglia Meta-Daemon
 libganglia1 - cluster monitoring toolkit - shared libraries
 libganglia1-dev - cluster monitoring toolkit - development libraries
Closes: 683584
Changes: 
 ganglia (3.1.7-1+squeeze1) stable-security; urgency=high
 .
   * Non-maintainer upload.
   * Fix for path traversal issue when supplying name of a graph
     web/graph.php: Check for path traversal issues by making sure real path
     is actually in graphdir. Fixes CVE-2012-3448.
     Fix backported from ganglia 3.1.8. (Closes: #683584)


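The check the squeeze1 changelog describes ("making sure real path is actually in graphdir"), written out as an added PHP example that is not ganglia's graph.php: the requested graph name is resolved with realpath() and accepted only if it lies below graphdir, and a refusal is reported through error_log(), which is the output Salvatore looked for when verifying the package. The `<graphdir>/<g>.php` layout, the function names and the temporary fixture are assumptions made for this demo.

```php
<?php
// Added example (not ganglia's graph.php): the realpath-in-graphdir check
// described in the squeeze1 changelog. The "<graphdir>/<g>.php" layout,
// the function names and the fixture paths are assumptions for this demo.

function resolve_graph_file(string $graphdir, string $g): ?string
{
    $base = realpath($graphdir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "..", symlinks and duplicate separators, so the
    // comparison below sees the file that would actually be included.
    $real = realpath($base . '/' . $g . '.php');
    if ($real === false) {
        error_log("graph '$g' not found under $base");
        return null;
    }
    // The trailing '/' keeps a sibling such as "/srv/graph.d-old/x.php" from
    // passing a plain prefix test against "/srv/graph.d".
    if (strncmp($real, $base . '/', strlen($base) + 1) !== 0) {
        error_log("graph '$g' resolves outside $base ($real), refusing");
        return null;
    }
    return $real;
}

function check(string $label, bool $ok): void
{
    echo ($ok ? 'PASS' : 'FAIL') . ": $label\n";
}

// Constructed fixture: a graphdir with one legitimate graph script, plus a
// file one level above it that a traversal-style name could otherwise reach.
$root = sys_get_temp_dir() . '/ganglia_demo_' . getmypid();
mkdir($root . '/graph.d', 0700, true);
file_put_contents($root . '/graph.d/cpu_report.php', "<?php // sample graph\n");
file_put_contents($root . '/outside.php', "<?php // must never be included\n");

check('legitimate name resolves inside graphdir',
      resolve_graph_file($root . '/graph.d', 'cpu_report')
      === realpath($root . '/graph.d/cpu_report.php'));
check('traversal-style name is refused although the target file exists',
      resolve_graph_file($root . '/graph.d', '../outside') === null);
check('unknown name is refused',
      resolve_graph_file($root . '/graph.d', 'no_such_graph') === null);

unlink($root . '/graph.d/cpu_report.php');
unlink($root . '/outside.php');
rmdir($root . '/graph.d');
rmdir($root);
```

The two refusals are written to error_log(), which on the CLI goes to stderr and under Apache to the server error log, matching the "Error output produced by the error_log" noted in the thread.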



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Feb 2013 07:29:59 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:09:56 2019; Machine Name: buxtehude
