[Pkg-samba-maint] [samba] 06/13: Move world-readable private key file on upgrade

Ivo De Decker idd-guest at moszumanska.debian.org
Sat Nov 23 07:09:49 UTC 2013


This is an automated email from the git hooks/post-receive script.

idd-guest pushed a commit to branch master
in repository samba.

commit ea3461ad995d34a0139676175c8fa88bc55c6187
Author: Ivo De Decker <ivo.dedecker at ugent.be>
Date:   Mon Nov 11 15:24:04 2013 +0100

    Move world-readable private key file on upgrade
---
 debian/changelog      |  2 ++
 debian/samba.postinst | 16 ++++++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index ee97fc4..bb40199 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,8 @@ samba (2:4.0.11+dfsg-1) UNRELEASED; urgency=high
     - CVE-2013-4475: ACLs are not checked on opening an alternate data stream
                      on a file or directory
     - CVE-2013-4476: Private key in key.pem world readable
+  * Move world-readable private key file on upgrade to allow
+    auto-regeneration.
   * Update samba-libs.lintian-overrides for moved libtorture0.
 
  -- Ivo De Decker <ivo.dedecker at ugent.be>  Sat, 02 Nov 2013 11:51:28 +0100
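Review bot: the new changelog entry says only the private key file is moved, but the postinst change in this same patch moves every `*pem` under /var/lib/samba/private/tls, so the certificate (and any CA file there) is moved and regenerated too; either narrow the glob in the postinst to key.pem or state here that the TLS certificate changes on upgrade, since administrators with clients pinned to the old certificate need to know. It would also help to name the CVE being mitigated (the entry directly above it lists the world-readable key.pem as CVE-2013-4476) so the code comments and directory name can be checked against it.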
diff --git a/debian/samba.postinst b/debian/samba.postinst
index 8556508..60ae5a8 100644
--- a/debian/samba.postinst
+++ b/debian/samba.postinst
@@ -10,6 +10,22 @@ set -e
 #	them to be readable only by root.
 umask 022
 
+if dpkg --compare-versions "$2" gt 2:4.0 &&
+	dpkg --compare-versions "$2" lt-nl 2:4.0.11+dfsg ; then
+	# CVE-2013-4475
+	KEYFILE=/var/lib/samba/private/tls/key.pem
+	if [ -e $KEYFILE ]
+	then
+		KEYPERMS=`stat -c %a $KEYFILE`
+		if [ "$KEYPERMS" != "600" ]
+		then
+			echo "moving world readable public key to /var/lib/samba/private/tls/CVE-2013-4475"
+			mkdir -m 700 /var/lib/samba/private/tls/CVE-2013-4475
+			mv -n /var/lib/samba/private/tls/*pem /var/lib/samba/private/tls/CVE-2013-4475
+		fi
+	fi
+fi
+
 if dpkg --compare-versions "$2" lt-nl 2:3.6.15-2; then
 	if [ -e /etc/default/samba ]; then
 		# this config file's one setting is now obsolete; remove it
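Review bot: the comment `# CVE-2013-4475` and the quarantine directory name `CVE-2013-4475` point at the wrong issue; the changelog hunk at the top of this patch lists CVE-2013-4475 as the alternate-data-stream ACL bug and CVE-2013-4476 as the world-readable key.pem, so both should read CVE-2013-4476, and the echo should say "private key", not "public key", since key.pem is what is being moved. Two robustness points in the same block: with `set -e` in force, `mkdir -m 700 /var/lib/samba/private/tls/CVE-2013-4475` aborts the whole postinst if the directory already exists, for instance when a failed upgrade is re-run, so guard it with `[ -d ... ] ||` or use `mkdir -p` followed by an explicit `chmod 700` (with `-p` the mode is not applied to a directory that already exists); and `mv -n` silently leaves a file in place when the destination already holds one of the same name, so on such a re-run the still-world-readable key.pem would stay where it was and the mode check would be repeated every time. Minor: `$KEYFILE` is unquoted in both `[ -e $KEYFILE ]` and the stat call, and `stat -c %a` reports only the mode, not the owner, so a root-owned 600 file and a non-root-owned 600 file are treated the same.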

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git
