[buildd-tools-devel] sbuild 0.62.1 released (security fix)

Roger Leigh rleigh at codelibre.net
Sun Mar 20 23:20:13 UTC 2011


Hi,

I have released sbuild 0.62.1 and Debian release 0.62.1-1, tagged as
release/sbuild-0.62.1 and debian/sbuild-0.62.1-1.

This release fixes a security issue in the sbuild-schroot wrapper
program used for the privilege separation introduced in 0.62.0.
The setuid wrapper was performing all the needed security checks,
but was not correctly denying access to users if the checks were
found to fail.  The wrapper may now only be accessed if the
invoking user is a member of the sbuild group.  In sbuild 0.60.0,
any local user may access a build chroot as the sbuild user, or
potentially also as root for chroots granting root access to user
or group sbuild.

Additionally, the dependency on File::Path has been removed, for
Lenny compatibility.


Regards,
Roger


Roger Leigh (4):
      wrapper: Enforce group access checks
      Sbuild::ResolverBase: Remove File::Path dependency
      NEWS: Document sbuild-schroot permissions checking fix
      debian: Bump version to 0.62.1-1 and fix sbuild-schroot wrapper

 NEWS                       |    8 +++++++-
 debian/changelog           |    9 +++++++++
 lib/Sbuild/ResolverBase.pm |    9 +++++++--
 wrapper/wrapper.cc         |    5 +++++
 4 files changed, 28 insertions(+), 3 deletions(-)

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
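
The failure mode described in this announcement (the checks run, but a failed check does not stop the wrapper) next to its enforced form, as an added example that is not the sbuild-schroot wrapper's own code. The function names, the Account and Group structures and the fail-closed lookup are assumptions made for illustration; only the group name "sbuild" comes from the message.

```cpp
// Added illustration, not sbuild's wrapper.cc: every name below is hypothetical.
#include <grp.h>
#include <pwd.h>
#include <unistd.h>
#include <algorithm>
#include <cstdio>
#include <string>
#include <vector>

struct Account { std::string name; gid_t primary_gid; };
struct Group   { gid_t gid; std::vector<std::string> members; };

// Member if the group is the account's primary group or lists the account by name.
bool is_member(const Account& user, const Group& grp) {
    if (user.primary_gid == grp.gid) return true;
    return std::find(grp.members.begin(), grp.members.end(), user.name) != grp.members.end();
}

// Flawed pattern: the check runs, but its result never changes the outcome.
bool may_run_flawed(const Account& user, const Group& grp) {
    if (!is_member(user, grp))
        std::fprintf(stderr, "%s is not in the required group\n", user.name.c_str());
    return true;  // still "allowed" after a failed check
}

// Enforced pattern: a failed check is a denial.
bool may_run_enforced(const Account& user, const Group& grp) {
    return is_member(user, grp);
}

// Resolve the invoking (real) uid and the named group; any lookup error denies access.
bool invoking_user_allowed(const char* group_name) {
    const struct passwd* pw = getpwuid(getuid());  // real uid, not the setuid effective uid
    if (pw == nullptr) return false;
    Account user{pw->pw_name, pw->pw_gid};         // copy before the next lookup
    const struct group* gr = getgrnam(group_name);
    if (gr == nullptr) return false;
    Group g{gr->gr_gid, {}};
    for (char** m = gr->gr_mem; m != nullptr && *m != nullptr; ++m) g.members.emplace_back(*m);
    return may_run_enforced(user, g);
}

int main() {
    if (invoking_user_allowed("sbuild")) { std::puts("access granted"); return 0; }
    std::fprintf(stderr, "access denied\n");
    return 1;  // exit before any privileged action
}
```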