summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authortonnerre <tonnerre>2008-07-13 15:26:36 +0000
committertonnerre <tonnerre>2008-07-13 15:26:36 +0000
commit8ec953cbb03746d9f7095c0732f9751ff79715d7 (patch)
treed53c7f6928dff2c8f703e70dc22a1b568504f2e2
parentcc90ac8895c6d5ad74e74d46aea238a6a0fef606 (diff)
downloadpkgsrc-8ec953cbb03746d9f7095c0732f9751ff79715d7.tar.gz
Add patches "solving" the issue of bacula exposing passwords et cetera
through the command line parameters of various tools (CVE-2007-5626).
-rw-r--r--sysutils/bacula-doc/Makefile3
-rw-r--r--sysutils/bacula-doc/distinfo7
-rw-r--r--sysutils/bacula-doc/patches/patch-aa16
-rw-r--r--sysutils/bacula-doc/patches/patch-ab47
-rw-r--r--sysutils/bacula-doc/patches/patch-ac13
-rw-r--r--sysutils/bacula-doc/patches/patch-ad13
-rw-r--r--sysutils/bacula-doc/patches/patch-ae13
-rw-r--r--sysutils/bacula/Makefile4
-rw-r--r--sysutils/bacula/distinfo4
-rw-r--r--sysutils/bacula/patches/patch-ab26
-rw-r--r--sysutils/bacula/patches/patch-ak13
11 files changed, 154 insertions, 5 deletions
diff --git a/sysutils/bacula-doc/Makefile b/sysutils/bacula-doc/Makefile
index 8b338a56115..893c9d665a0 100644
--- a/sysutils/bacula-doc/Makefile
+++ b/sysutils/bacula-doc/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.15 2008/01/04 14:32:50 ghen Exp $
+# $NetBSD: Makefile,v 1.16 2008/07/13 15:26:36 tonnerre Exp $
DISTNAME= bacula-docs-2.0.2
+PKGREVISION= 1
PKGNAME= ${DISTNAME:S/docs/doc/}
CATEGORIES= sysutils
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=bacula/}
diff --git a/sysutils/bacula-doc/distinfo b/sysutils/bacula-doc/distinfo
index fa9a75d4851..28f3054df46 100644
--- a/sysutils/bacula-doc/distinfo
+++ b/sysutils/bacula-doc/distinfo
@@ -1,5 +1,10 @@
-$NetBSD: distinfo,v 1.13 2007/01/31 17:59:10 ghen Exp $
+$NetBSD: distinfo,v 1.14 2008/07/13 15:26:36 tonnerre Exp $
SHA1 (bacula-docs-2.0.2.tar.gz) = a07c74b0c98f7afe0896f3f4908004e3984819e6
RMD160 (bacula-docs-2.0.2.tar.gz) = 14c6582e9dabc4448fb681be192f46835ba0cb30
Size (bacula-docs-2.0.2.tar.gz) = 29776690 bytes
+SHA1 (patch-aa) = 04898ece4b4c13b50acf08dad16a76eea0fbfc7d
+SHA1 (patch-ab) = e8320baae18f53f5091a0d0b662ec7e613cc1713
+SHA1 (patch-ac) = 829d3cff40f095f3d2e0959f8dbb368031d7c51b
+SHA1 (patch-ad) = 16a4e438f0931d436d914440d98874dcf0b17467
+SHA1 (patch-ae) = ddcb2258ae20aec96904bf6b08672a413358ed13
diff --git a/sysutils/bacula-doc/patches/patch-aa b/sysutils/bacula-doc/patches/patch-aa
new file mode 100644
index 00000000000..2bc02683d52
--- /dev/null
+++ b/sysutils/bacula-doc/patches/patch-aa
@@ -0,0 +1,16 @@
+$NetBSD: patch-aa,v 1.1 2008/07/13 15:26:36 tonnerre Exp $
+
+--- manual/tips.tex.orig 2007-01-15 10:37:15.000000000 +0100
++++ manual/tips.tex
+@@ -598,6 +598,11 @@ setup procedure leaves the database open
+ assign the user {\bf bacula} a userid and add it to your Director's
+ configuration file in the appropriate Catalog resource.
+
++If you use the make_catalog_backup script provided by Bacula, remember that
++you should take care when supplying passwords on the command line. Read the
++\ilink{BackingUpBaculaSecurityConsiderations}{Backing Up Your Bacula
++Database - Security Considerations } for more information.
++
+ \section{Creating Holiday Schedules}
+ \label{holiday}
+ \index[general]{Schedules!Creating Holiday }
diff --git a/sysutils/bacula-doc/patches/patch-ab b/sysutils/bacula-doc/patches/patch-ab
new file mode 100644
index 00000000000..63dbe364b49
--- /dev/null
+++ b/sysutils/bacula-doc/patches/patch-ab
@@ -0,0 +1,47 @@
+$NetBSD: patch-ab,v 1.1 2008/07/13 15:26:36 tonnerre Exp $
+
+--- manual/catmaintenance.tex.orig 2007-01-05 18:20:40.000000000 +0100
++++ manual/catmaintenance.tex
+@@ -545,6 +545,8 @@ Job {
+ Storage = DLTDrive
+ Messages = Standard
+ Pool = Default
++ # WARNING!!! Passing the password via the command line is insecure.
++ # see comments in make_catalog_backup for details.
+ RunBeforeJob = "/home/kern/bacula/bin/make_catalog_backup"
+ RunAfterJob = "/home/kern/bacula/bin/delete_catalog_backup"
+ Write Bootstrap = "/home/kern/bacula/working/BackupCatalog.bsr"
+@@ -573,6 +575,33 @@ you to quickly recover the database back
+ you do not have a bootstrap file, it is still possible to recover your
+ database backup, but it will be more work and take longer.
+
++
++\label{BackingUpBaculaSecurityConsiderations}
++\section{Security considerations}
++\index[general]{Backing Up Your Bacula Database - Security Considerations }
++\index[general]{Database!Backing Up Your Bacula Database - Security Considerations }
++
++We provide make_catalog_backup as an example of what can be used to backup
++your Bacula database. We expect you to take security precautions relevant
++to your situation. make_catalog_backup is designed to take a password on
++the command line. This is fine on machines with only trusted users. It is
++not acceptable on machines without trusted users. Most database systems
++provide a alternative method, which does not place the password on the
++command line.
++
++The make_catalog_backup contains some warnings about how to use it. Please
++read those tips.
++
++To help you get started, we know PostgreSQL has a password file,
++\elink{
++.pgpass}{http://www.postgresql.org/docs/8.2/static/libpq-pgpass.html}, and
++we know MySQL has
++\elink{ .my.cnf}{http://dev.mysql.com/doc/refman/4.1/en/password-security.html}.
++
++Only you can decide what is appropriate for your situation. We have provided
++you with a starting point. We hope it helps.
++
++
+ \label{BackingUPOtherDBs}
+ \section{Backing Up Third Party Databases}
+ \index[general]{Backing Up Third Party Databases }
diff --git a/sysutils/bacula-doc/patches/patch-ac b/sysutils/bacula-doc/patches/patch-ac
new file mode 100644
index 00000000000..a5cdd011709
--- /dev/null
+++ b/sysutils/bacula-doc/patches/patch-ac
@@ -0,0 +1,13 @@
+$NetBSD: patch-ac,v 1.1 2008/07/13 15:26:36 tonnerre Exp $
+
+--- manual/pools.tex.orig 2007-01-05 18:20:41.000000000 +0100
++++ manual/pools.tex
+@@ -235,6 +235,8 @@ Job {
+ Messages = Standard
+ Pool = Default
+ # This creates an ASCII copy of the catalog
++ # WARNING!!! Passing the password via the command line is insecure.
++ # see comments in make_catalog_backup for details.
+ RunBeforeJob = "/home/bacula/bin/make_catalog_backup bacula bacula"
+ # This deletes the copy of the catalog
+ RunAfterJob = "/home/bacula/bin/delete_catalog_backup"
diff --git a/sysutils/bacula-doc/patches/patch-ad b/sysutils/bacula-doc/patches/patch-ad
new file mode 100644
index 00000000000..bc92e170885
--- /dev/null
+++ b/sysutils/bacula-doc/patches/patch-ad
@@ -0,0 +1,13 @@
+$NetBSD: patch-ad,v 1.1 2008/07/13 15:26:36 tonnerre Exp $
+
+--- manual/postgresql.tex.orig 2007-01-05 18:20:41.000000000 +0100
++++ manual/postgresql.tex
+@@ -200,6 +200,8 @@ password in place, these two lines shoul
+ \begin{verbatim}
+ dbname = bacula; user = bacula; password = "secret"
+ ... and ...
++ # WARNING!!! Passing the password via the command line is insecure.
++ # see comments in make_catalog_backup for details.
+ RunBeforeJob = "/etc/make_catalog_backup bacula bacula secret"
+ \end{verbatim}
+ \normalsize
diff --git a/sysutils/bacula-doc/patches/patch-ae b/sysutils/bacula-doc/patches/patch-ae
new file mode 100644
index 00000000000..199f44ba844
--- /dev/null
+++ b/sysutils/bacula-doc/patches/patch-ae
@@ -0,0 +1,13 @@
+$NetBSD: patch-ae,v 1.1 2008/07/13 15:26:36 tonnerre Exp $
+
+--- manual/strategies.tex.orig 2007-01-15 10:37:15.000000000 +0100
++++ manual/strategies.tex
+@@ -232,6 +232,8 @@ Job {
+ Messages = Standard
+ Pool = Default
+ # This creates an ASCII copy of the catalog
++ # WARNING!!! Passing the password via the command line is insecure.
++ # see comments in make_catalog_backup for details.
+ RunBeforeJob = "/usr/lib/bacula/make_catalog_backup -u bacula"
+ # This deletes the copy of the catalog, and ejects the tape
+ RunAfterJob = "/etc/bacula/end_of_backup.sh"
diff --git a/sysutils/bacula/Makefile b/sysutils/bacula/Makefile
index a7caa537a1f..dbf02d7b61b 100644
--- a/sysutils/bacula/Makefile
+++ b/sysutils/bacula/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.26 2008/07/10 13:54:56 dmcmahill Exp $
+# $NetBSD: Makefile,v 1.27 2008/07/13 15:26:36 tonnerre Exp $
-PKGREVISION= 3
+PKGREVISION= 4
CONFLICTS+= bacula-client-[0-9]* bacula-clientonly-[0-9]*
diff --git a/sysutils/bacula/distinfo b/sysutils/bacula/distinfo
index 985ed3e2574..d1895deb934 100644
--- a/sysutils/bacula/distinfo
+++ b/sysutils/bacula/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.28 2008/07/10 13:54:56 dmcmahill Exp $
+$NetBSD: distinfo,v 1.29 2008/07/13 15:26:36 tonnerre Exp $
SHA1 (bacula-2.2.4/2.2.4-lost-block.patch) = d3b9f927100d148e831248b381c5b2543d215502
RMD160 (bacula-2.2.4/2.2.4-lost-block.patch) = ff24810e204324acc42dbaff0291a0fa02b56e21
@@ -28,6 +28,7 @@ SHA1 (bacula-2.2.4/bacula-2.2.4.tar.gz) = 1fd8e75f231fb3a811696c05ea3c0c719c7528
RMD160 (bacula-2.2.4/bacula-2.2.4.tar.gz) = 5005d5566f55a8feb8a7efa610cd60a3d92383af
Size (bacula-2.2.4/bacula-2.2.4.tar.gz) = 3020298 bytes
SHA1 (patch-aa) = c1e5ec7c3e78c125b9fbaba97190ead10adbc599
+SHA1 (patch-ab) = 24104c731532c00d2901ccd72f43b7184b006496
SHA1 (patch-ac) = 585f8a00fe7c0e6e8e4c0b91a0bd32bd2fb81c81
SHA1 (patch-ae) = 69db6d396bd1654b3065d693c5ea2c0afbb8bc61
SHA1 (patch-af) = 6ecbac39c156c81f30ba53b565f55ab5e876b3e0
@@ -35,4 +36,5 @@ SHA1 (patch-ag) = a2734446ac79380692dd5a2647928919c9b2f2b8
SHA1 (patch-ah) = 83b156ac18b64d19ea0022103c50c431f3b86b87
SHA1 (patch-ai) = 499a164fcf9e4fc466b691f91203b4293dcee7eb
SHA1 (patch-aj) = df5eba3c80d36ecc26c6acb1566a4411c308b2f0
+SHA1 (patch-ak) = d2b751888edf23a696f347c65ab0f11e6a3829f9
SHA1 (patch-am) = 0b5b81543eb66ad191d94b59c986561e492a069d
diff --git a/sysutils/bacula/patches/patch-ab b/sysutils/bacula/patches/patch-ab
new file mode 100644
index 00000000000..6f645aabe7d
--- /dev/null
+++ b/sysutils/bacula/patches/patch-ab
@@ -0,0 +1,26 @@
+$NetBSD: patch-ab,v 1.1 2008/07/13 15:26:36 tonnerre Exp $
+
+--- src/cats/make_catalog_backup.in.orig 2007-04-24 17:36:15.000000000 +0200
++++ src/cats/make_catalog_backup.in
+@@ -8,7 +8,11 @@
+ # $2 is the user name with which to access the database
+ # (default = bacula).
+ # $3 is the password with which to access the database or "" if no password
+-# (default "")
++# (default ""). WARNING!!! Passing the password via the command line is
++# insecure and should not be used since any user can display the command
++# line arguments and the environment using ps. Please consult your
++# MySQL or PostgreSQL manual for secure methods of specifying the
++# password.
+ # $4 is the host on which the database is located
+ # (default "")
+ #
+@@ -31,7 +35,7 @@ else
+ else
+ MYSQLHOST=""
+ fi
+- ${BINDIR}/mysqldump -u $2$MYSQLPASSWORD$MYSQLHOST -f --opt $1 >$1.sql
++ ${BINDIR}/mysqldump -u ${2}${MYSQLPASSWORD}${MYSQLHOST} -f --opt $1 >$1.sql
+ else
+ if test xpostgresql = x@DB_TYPE@ ; then
+ if test $# -gt 2; then
diff --git a/sysutils/bacula/patches/patch-ak b/sysutils/bacula/patches/patch-ak
new file mode 100644
index 00000000000..09b4e85387e
--- /dev/null
+++ b/sysutils/bacula/patches/patch-ak
@@ -0,0 +1,13 @@
+$NetBSD: patch-ak,v 1.3 2008/07/13 15:26:36 tonnerre Exp $
+
+--- src/dird/bacula-dir.conf.in.orig 2007-05-27 21:30:39.000000000 +0200
++++ src/dird/bacula-dir.conf.in
+@@ -61,6 +61,8 @@ Job {
+ FileSet="Catalog"
+ Schedule = "WeeklyCycleAfterBackup"
+ # This creates an ASCII copy of the catalog
++ # WARNING!!! Passing the password via the command line is insecure.
++ # see comments in make_catalog_backup for details.
+ RunBeforeJob = "@scriptdir@/make_catalog_backup bacula bacula"
+ # This deletes the copy of the catalog
+ RunAfterJob = "@scriptdir@/delete_catalog_backup"