db5.3: CVE-2017-10140: Berkeley DB reads DB_CONFIG from cwd

Related Vulnerabilities: CVE-2017-10140  

Debian Bug report logs - #872436


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 17 Aug 2017 12:18:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version db5.3/5.3.28-9

Fixed in versions db5.3/5.3.28-13.1, db5.3/5.3.28-12+deb9u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Berkeley DB Group <pkg-db-devel@lists.alioth.debian.org>:
Bug#872436; Package src:db5.3. (Thu, 17 Aug 2017 12:18:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Berkeley DB Group <pkg-db-devel@lists.alioth.debian.org>. (Thu, 17 Aug 2017 12:18:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: db5.3: CVE-2017-10140: Berkeley DB reads DB_CONFIG from cwd
Date: Thu, 17 Aug 2017 14:14:09 +0200
Source: db5.3
Version: 5.3.28-9
Severity: grave
Tags: upstream security

Hi,

the following vulnerability was published for db5.3.

CVE-2017-10140[0]:
Berkeley DB reads DB_CONFIG from cwd

Fedora used the patch in [3], and according to [1], comment #9, this
has been acknowledged by upstream to be a fine solution.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-10140
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10140
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1464032
[2] https://bugzilla.novell.com/show_bug.cgi?id=1043886
[3] https://src.fedoraproject.org/rpms/libdb/raw/8047fa8580659fcae740c25e91b490539b8453eb/f/db-5.3.28-cwd-db_config.patch

Regards,
Salvatore
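As an added illustration (not Berkeley DB's code and not the Fedora patch linked above), the C program below contrasts the two behaviours this report is about: a configuration loader that falls back to a relative `DB_CONFIG` name, and therefore reads the file from whatever the process's current working directory happens to be, when the caller supplies no home directory, and the hardened variant that matches the fix described in the changelog further down this log, "Do not access DB_CONFIG when db_home is not set". The function names, buffer sizes and the `keyword value` line format parsed by `load_db_config` are assumptions made here for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Constructed illustration of CVE-2017-10140's behaviour class; not the
 * Berkeley DB sources. The only question modelled here is *where* the
 * library looks for DB_CONFIG when the environment is opened without a
 * home directory (db_home == NULL). */

#define DB_CONFIG_NAME "DB_CONFIG"

/* Pre-fix behaviour (assumed shape): with no db_home the bare relative
 * name "DB_CONFIG" is used, so the file is taken from the current working
 * directory, which the library does not control. Returns 0 and fills
 * 'out' on success, -1 if the path does not fit. */
int db_config_path_cwd_fallback(const char *db_home, char *out, size_t outlen)
{
    int n;
    if (db_home == NULL)
        n = snprintf(out, outlen, "%s", DB_CONFIG_NAME);
    else
        n = snprintf(out, outlen, "%s/%s", db_home, DB_CONFIG_NAME);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Fixed behaviour as the changelog describes it: when db_home is not set,
 * DB_CONFIG is not looked up at all. Returns -1 in that case (the caller
 * skips the file) and 0 with the path rooted under db_home otherwise. */
int db_config_path_strict(const char *db_home, char *out, size_t outlen)
{
    int n;
    if (db_home == NULL || *db_home == '\0')
        return -1;
    n = snprintf(out, outlen, "%s/%s", db_home, DB_CONFIG_NAME);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Load "keyword value" lines from the resolved DB_CONFIG, using the strict
 * resolver. Returns the number of directives parsed; 0 when the file is
 * skipped (no home directory) or cannot be opened. */
int load_db_config(const char *db_home)
{
    char path[4096];
    char line[512];
    int count = 0;
    FILE *fp;

    if (db_config_path_strict(db_home, path, sizeof path) != 0)
        return 0;                 /* no explicit home: never touch cwd */
    fp = fopen(path, "r");
    if (fp == NULL)
        return 0;                 /* DB_CONFIG is optional */
    while (fgets(line, sizeof line, fp) != NULL) {
        char keyword[128], value[256];
        if (line[0] == '#' || line[0] == '\n')
            continue;             /* comments and blank lines */
        if (sscanf(line, "%127s %255s", keyword, value) == 2)
            count++;
    }
    fclose(fp);
    return count;
}

/* Stand-alone demo: pass a home directory as argv[1], or none to see the
 * strict path refuse to read anything. */
int main(int argc, char **argv)
{
    const char *home = argc > 1 ? argv[1] : NULL;
    char path[4096];

    if (db_config_path_cwd_fallback(home, path, sizeof path) == 0)
        printf("pre-fix would read:  %s\n", path);
    if (db_config_path_strict(home, path, sizeof path) == 0)
        printf("fixed reads:         %s\n", path);
    else
        printf("fixed reads:         (nothing, no db_home given)\n");
    printf("directives loaded:   %d\n", load_db_config(home));
    return 0;
}
```

The defensive point for anyone embedding a library with this kind of optional configuration file is the same as the fix: resolve the file only relative to a location the caller chose explicitly, and treat "no location given" as "no file", never as "the current directory". When auditing existing code, the calls to look for are environment opens whose home-directory argument is NULL or unset while the process may be started from a directory other users can write to.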



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Berkeley DB Group <pkg-db-devel@lists.alioth.debian.org>:
Bug#872436; Package src:db5.3. (Thu, 17 Aug 2017 12:42:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Berkeley DB Group <pkg-db-devel@lists.alioth.debian.org>. (Thu, 17 Aug 2017 12:42:06 GMT)


Message #10 received at 872436@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 872436@bugs.debian.org
Subject: Re: Bug#872436: db5.3: CVE-2017-10140: Berkeley DB reads DB_CONFIG from cwd
Date: Thu, 17 Aug 2017 14:39:07 +0200
Control: tags -1 + patch

Attached the extracted patch.

Regards,
Salvatore
[CVE-2017-10140-cwd-db_config.patch (text/x-diff, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 872436-submit@bugs.debian.org. (Thu, 17 Aug 2017 12:42:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Berkeley DB Group <pkg-db-devel@lists.alioth.debian.org>:
Bug#872436; Package src:db5.3. (Thu, 17 Aug 2017 13:03:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Berkeley DB Group <pkg-db-devel@lists.alioth.debian.org>. (Thu, 17 Aug 2017 13:03:05 GMT)


Message #17 received at 872436@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 872436@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#872436: db5.3: CVE-2017-10140: Berkeley DB reads DB_CONFIG from cwd
Date: Thu, 17 Aug 2017 14:58:11 +0200
Hi,

A further comment: We (the security team) think it would be wise to first
have the patch exposed for a while in unstable, and look for possible
regressions if there are applications basically relying on that
behaviour (hopefully not).

Then we could look further at whether to release a DSA for it or rather
go the safer way via a point release, having it exposed for a while via
the proposed-updates queues as well.

I can prepare an NMU for sid if needed; I will follow up with a debdiff
shortly and upload to a delayed queue (10 days). If you are then fine
with either overriding it or having it rescheduled, that would be
great as well.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Berkeley DB Group <pkg-db-devel@lists.alioth.debian.org>:
Bug#872436; Package src:db5.3. (Thu, 17 Aug 2017 13:12:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Berkeley DB Group <pkg-db-devel@lists.alioth.debian.org>. (Thu, 17 Aug 2017 13:12:02 GMT)


Message #22 received at 872436@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 872436@bugs.debian.org
Subject: db5.3: diff for NMU version 5.3.28-13.1
Date: Thu, 17 Aug 2017 15:08:06 +0200
Control: tags 872436 + pending

Dear maintainer,

I've prepared an NMU for db5.3 (versioned as 5.3.28-13.1) and
uploaded it to DELAYED/10. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[db5.3-5.3.28-13.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 872436-submit@bugs.debian.org. (Thu, 17 Aug 2017 13:12:02 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 27 Aug 2017 15:09:11 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 27 Aug 2017 15:09:11 GMT)


Message #29 received at 872436-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 872436-close@bugs.debian.org
Subject: Bug#872436: fixed in db5.3 5.3.28-13.1
Date: Sun, 27 Aug 2017 15:05:21 +0000
Source: db5.3
Source-Version: 5.3.28-13.1

We believe that the bug you reported is fixed in the latest version of
db5.3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 872436@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated db5.3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 17 Aug 2017 14:35:22 +0200
Source: db5.3
Binary: db5.3-doc libdb5.3-dev libdb5.3 db5.3-util db5.3-sql-util libdb5.3++ libdb5.3++-dev libdb5.3-tcl libdb5.3-dbg libdb5.3-java-jni libdb5.3-java libdb5.3-java-dev libdb5.3-sql-dev libdb5.3-sql libdb5.3-stl-dev libdb5.3-stl
Architecture: source
Version: 5.3.28-13.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Berkeley DB Group <pkg-db-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 db5.3-doc  - Berkeley v5.3 Database Documentation [html]
 db5.3-sql-util - Berkeley v5.3 SQL Database Utilities
 db5.3-util - Berkeley v5.3 Database Utilities
 libdb5.3   - Berkeley v5.3 Database Libraries [runtime]
 libdb5.3++ - Berkeley v5.3 Database Libraries for C++ [runtime]
 libdb5.3++-dev - Berkeley v5.3 Database Libraries for C++ [development]
 libdb5.3-dbg - Berkeley v5.3 Database Libraries [debug]
 libdb5.3-dev - Berkeley v5.3 Database Libraries [development]
 libdb5.3-java - Berkeley v5.3 Database Libraries for Java
 libdb5.3-java-dev - Berkeley v5.3 Database Libraries for Java [development]
 libdb5.3-java-jni - Berkeley v5.3 Database Libraries for Java
 libdb5.3-sql - Berkeley v5.3 Database Libraries [SQL runtime]
 libdb5.3-sql-dev - Berkeley v5.3 Database Libraries [SQL development]
 libdb5.3-stl - Berkeley v5.3 Database Libraries [STL runtime]
 libdb5.3-stl-dev - Berkeley v5.3 Database Libraries [STL development]
 libdb5.3-tcl - Berkeley v5.3 Database Libraries for Tcl [module]
Closes: 872436
Changes:
 db5.3 (5.3.28-13.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2017-10140: Reads DB_CONFIG from the current working directory.
     Do not access DB_CONFIG when db_home is not set. (Closes: #872436)
Checksums-Sha1:
 055f65f46fbef63f8426fa869e9865dc2b332b7d 3124 db5.3_5.3.28-13.1.dsc
 9ecf25e1b9855ee2401c80e6a71046685438bbbd 28180 db5.3_5.3.28-13.1.debian.tar.xz
 433cf019b6aecceafe58dd2c06b1e6410178a92e 6089 db5.3_5.3.28-13.1_source.buildinfo
Checksums-Sha256:
 8941edcad8e16fe6bc76ffcbe86dbdaadc654b5ed994654689cf5408602a84f3 3124 db5.3_5.3.28-13.1.dsc
 9e04b9269be51de4e73536584addc61e19b29e34f769e263c180228064c72ec9 28180 db5.3_5.3.28-13.1.debian.tar.xz
 ceac7ee4268092db85df99b084eb5ffa8905e7f5fbe1db73d47075c7599f2177 6089 db5.3_5.3.28-13.1_source.buildinfo
Files:
 0c44e9b0f9d88e1f78185872aed60169 3124 libs standard db5.3_5.3.28-13.1.dsc
 20445d4c813e83a72389138171a7bc0b 28180 libs standard db5.3_5.3.28-13.1.debian.tar.xz
 516f6560c792b44fba9f3fbc172c28da 6089 libs standard db5.3_5.3.28-13.1_source.buildinfo





Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 28 Sep 2017 05:51:21 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 28 Sep 2017 05:51:21 GMT)


Message #34 received at 872436-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 872436-close@bugs.debian.org
Subject: Bug#872436: fixed in db5.3 5.3.28-12+deb9u1
Date: Thu, 28 Sep 2017 05:47:09 +0000
Source: db5.3
Source-Version: 5.3.28-12+deb9u1

We believe that the bug you reported is fixed in the latest version of
db5.3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 872436@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated db5.3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 24 Sep 2017 09:14:53 +0200
Source: db5.3
Binary: db5.3-doc libdb5.3-dev libdb5.3 db5.3-util db5.3-sql-util libdb5.3++ libdb5.3++-dev libdb5.3-tcl libdb5.3-dbg libdb5.3-java-jni libdb5.3-java libdb5.3-java-gcj libdb5.3-java-dev libdb5.3-sql-dev libdb5.3-sql libdb5.3-stl-dev libdb5.3-stl
Architecture: source
Version: 5.3.28-12+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian Berkeley DB Group <pkg-db-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 872436
Description: 
 db5.3-doc  - Berkeley v5.3 Database Documentation [html]
 db5.3-sql-util - Berkeley v5.3 SQL Database Utilities
 db5.3-util - Berkeley v5.3 Database Utilities
 libdb5.3   - Berkeley v5.3 Database Libraries [runtime]
 libdb5.3++ - Berkeley v5.3 Database Libraries for C++ [runtime]
 libdb5.3++-dev - Berkeley v5.3 Database Libraries for C++ [development]
 libdb5.3-dbg - Berkeley v5.3 Database Libraries [debug]
 libdb5.3-dev - Berkeley v5.3 Database Libraries [development]
 libdb5.3-java - Berkeley v5.3 Database Libraries for Java
 libdb5.3-java-dev - Berkeley v5.3 Database Libraries for Java [development]
 libdb5.3-java-gcj - Berkeley v5.3 Database Libraries for Java (native code)
 libdb5.3-java-jni - Berkeley v5.3 Database Libraries for Java
 libdb5.3-sql - Berkeley v5.3 Database Libraries [SQL runtime]
 libdb5.3-sql-dev - Berkeley v5.3 Database Libraries [SQL development]
 libdb5.3-stl - Berkeley v5.3 Database Libraries [STL runtime]
 libdb5.3-stl-dev - Berkeley v5.3 Database Libraries [STL development]
 libdb5.3-tcl - Berkeley v5.3 Database Libraries for Tcl [module]
Changes:
 db5.3 (5.3.28-12+deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2017-10140: Reads DB_CONFIG from the current working directory.
     Do not access DB_CONFIG when db_home is not set. (Closes: #872436)
Checksums-Sha1: 
 4bf3caaeb98ab4d145203ca78404b59809b4d529 3266 db5.3_5.3.28-12+deb9u1.dsc
 ce82aa53fa4fef02672e96d382217ae54a98caa6 28348 db5.3_5.3.28-12+deb9u1.debian.tar.xz
Checksums-Sha256: 
 22284095ad8d13f640736d3a3d2b05598497f4ce1a5b370f174217b497d8ccc7 3266 db5.3_5.3.28-12+deb9u1.dsc
 66b31f416940b48f3c09e8c1780feabe8e928742e5e819dde4ee1004ad828f3e 28348 db5.3_5.3.28-12+deb9u1.debian.tar.xz
Files: 
 51b50c97c747bf352bcd1eaaab1314c1 3266 libs standard db5.3_5.3.28-12+deb9u1.dsc
 1c91288ae4ba9d6f890c2668578c40fe 28348 libs standard db5.3_5.3.28-12+deb9u1.debian.tar.xz





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 Nov 2017 07:30:13 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:30:07 2019; Machine Name: buxtehude
