authortonnerre <tonnerre>2008-07-13 15:26:36 +0000
committertonnerre <tonnerre>2008-07-13 15:26:36 +0000
commit8fce480fe1d207fee53e1a648afbf06a637984ae (patch)
treed53c7f6928dff2c8f703e70dc22a1b568504f2e2 /sysutils/bacula-doc
parentd652a81493ae189cc6069aca797c30893080f7fd (diff)
downloadpkgsrc-8fce480fe1d207fee53e1a648afbf06a637984ae.tar.gz
Add patches "solving" the issue of bacula exposing passwords et cetera
through the command line parameters of various tools (CVE-2007-5626).
Diffstat (limited to 'sysutils/bacula-doc')
-rw-r--r--sysutils/bacula-doc/Makefile3
-rw-r--r--sysutils/bacula-doc/distinfo7
-rw-r--r--sysutils/bacula-doc/patches/patch-aa16
-rw-r--r--sysutils/bacula-doc/patches/patch-ab47
-rw-r--r--sysutils/bacula-doc/patches/patch-ac13
-rw-r--r--sysutils/bacula-doc/patches/patch-ad13
-rw-r--r--sysutils/bacula-doc/patches/patch-ae13
7 files changed, 110 insertions, 2 deletions
diff --git a/sysutils/bacula-doc/Makefile b/sysutils/bacula-doc/Makefile
index 8b338a56115..893c9d665a0 100644
--- a/sysutils/bacula-doc/Makefile
+++ b/sysutils/bacula-doc/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.15 2008/01/04 14:32:50 ghen Exp $
+# $NetBSD: Makefile,v 1.16 2008/07/13 15:26:36 tonnerre Exp $
DISTNAME= bacula-docs-2.0.2
+PKGREVISION= 1
PKGNAME= ${DISTNAME:S/docs/doc/}
CATEGORIES= sysutils
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=bacula/}
diff --git a/sysutils/bacula-doc/distinfo b/sysutils/bacula-doc/distinfo
index fa9a75d4851..28f3054df46 100644
--- a/sysutils/bacula-doc/distinfo
+++ b/sysutils/bacula-doc/distinfo
@@ -1,5 +1,10 @@
-$NetBSD: distinfo,v 1.13 2007/01/31 17:59:10 ghen Exp $
+$NetBSD: distinfo,v 1.14 2008/07/13 15:26:36 tonnerre Exp $
SHA1 (bacula-docs-2.0.2.tar.gz) = a07c74b0c98f7afe0896f3f4908004e3984819e6
RMD160 (bacula-docs-2.0.2.tar.gz) = 14c6582e9dabc4448fb681be192f46835ba0cb30
Size (bacula-docs-2.0.2.tar.gz) = 29776690 bytes
+SHA1 (patch-aa) = 04898ece4b4c13b50acf08dad16a76eea0fbfc7d
+SHA1 (patch-ab) = e8320baae18f53f5091a0d0b662ec7e613cc1713
+SHA1 (patch-ac) = 829d3cff40f095f3d2e0959f8dbb368031d7c51b
+SHA1 (patch-ad) = 16a4e438f0931d436d914440d98874dcf0b17467
+SHA1 (patch-ae) = ddcb2258ae20aec96904bf6b08672a413358ed13
diff --git a/sysutils/bacula-doc/patches/patch-aa b/sysutils/bacula-doc/patches/patch-aa
new file mode 100644
index 00000000000..2bc02683d52
--- /dev/null
+++ b/sysutils/bacula-doc/patches/patch-aa
@@ -0,0 +1,16 @@
+$NetBSD: patch-aa,v 1.1 2008/07/13 15:26:36 tonnerre Exp $
+
+--- manual/tips.tex.orig 2007-01-15 10:37:15.000000000 +0100
++++ manual/tips.tex
+@@ -598,6 +598,11 @@ setup procedure leaves the database open
+ assign the user {\bf bacula} a userid and add it to your Director's
+ configuration file in the appropriate Catalog resource.
+
++If you use the make_catalog_backup script provided by Bacula, remember that
++you should take care when supplying passwords on the command line. Read the
++\ilink{BackingUpBaculaSecurityConsiderations}{Backing Up Your Bacula
++Database - Security Considerations } for more information.
++
+ \section{Creating Holiday Schedules}
+ \label{holiday}
+ \index[general]{Schedules!Creating Holiday }
diff --git a/sysutils/bacula-doc/patches/patch-ab b/sysutils/bacula-doc/patches/patch-ab
new file mode 100644
index 00000000000..63dbe364b49
--- /dev/null
+++ b/sysutils/bacula-doc/patches/patch-ab
@@ -0,0 +1,47 @@
+$NetBSD: patch-ab,v 1.1 2008/07/13 15:26:36 tonnerre Exp $
+
+--- manual/catmaintenance.tex.orig 2007-01-05 18:20:40.000000000 +0100
++++ manual/catmaintenance.tex
+@@ -545,6 +545,8 @@ Job {
+ Storage = DLTDrive
+ Messages = Standard
+ Pool = Default
++ # WARNING!!! Passing the password via the command line is insecure.
++ # see comments in make_catalog_backup for details.
+ RunBeforeJob = "/home/kern/bacula/bin/make_catalog_backup"
+ RunAfterJob = "/home/kern/bacula/bin/delete_catalog_backup"
+ Write Bootstrap = "/home/kern/bacula/working/BackupCatalog.bsr"
+@@ -573,6 +575,33 @@ you to quickly recover the database back
+ you do not have a bootstrap file, it is still possible to recover your
+ database backup, but it will be more work and take longer.
+
++
++\label{BackingUpBaculaSecurityConsiderations}
++\section{Security considerations}
++\index[general]{Backing Up Your Bacula Database - Security Considerations }
++\index[general]{Database!Backing Up Your Bacula Database - Security Considerations }
++
++We provide make_catalog_backup as an example of what can be used to backup
++your Bacula database. We expect you to take security precautions relevant
++to your situation. make_catalog_backup is designed to take a password on
++the command line. This is fine on machines with only trusted users. It is
++not acceptable on machines without trusted users. Most database systems
++provide a alternative method, which does not place the password on the
++command line.
++
++The make_catalog_backup contains some warnings about how to use it. Please
++read those tips.
++
++To help you get started, we know PostgreSQL has a password file,
++\elink{
++.pgpass}{http://www.postgresql.org/docs/8.2/static/libpq-pgpass.html}, and
++we know MySQL has
++\elink{ .my.cnf}{http://dev.mysql.com/doc/refman/4.1/en/password-security.html}.
++
++Only you can decide what is appropriate for your situation. We have provided
++you with a starting point. We hope it helps.
++
++
+ \label{BackingUPOtherDBs}
+ \section{Backing Up Third Party Databases}
+ \index[general]{Backing Up Third Party Databases }
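Review bot: The new "Security considerations" section calls the command line unacceptable on machines without trusted users but never says why, so a reader cannot judge their own exposure. One sentence after "command line." would do, for example `Command-line arguments can be read by other local users from the process list while the script runs.` The pointers to .pgpass and .my.cnf should also say that the file must be readable only by the account that runs the backup; libpq ignores a .pgpass whose permissions are looser than 0600. In the first inner hunk the warning sits above a `RunBeforeJob` line that passes no arguments, and it points to comments in the script rather than to this section; the same two-line comment is repeated in patch-ac, patch-ad and patch-ae. "a alternative method" should read "an alternative method".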
diff --git a/sysutils/bacula-doc/patches/patch-ac b/sysutils/bacula-doc/patches/patch-ac
new file mode 100644
index 00000000000..a5cdd011709
--- /dev/null
+++ b/sysutils/bacula-doc/patches/patch-ac
@@ -0,0 +1,13 @@
+$NetBSD: patch-ac,v 1.1 2008/07/13 15:26:36 tonnerre Exp $
+
+--- manual/pools.tex.orig 2007-01-05 18:20:41.000000000 +0100
++++ manual/pools.tex
+@@ -235,6 +235,8 @@ Job {
+ Messages = Standard
+ Pool = Default
+ # This creates an ASCII copy of the catalog
++ # WARNING!!! Passing the password via the command line is insecure.
++ # see comments in make_catalog_backup for details.
+ RunBeforeJob = "/home/bacula/bin/make_catalog_backup bacula bacula"
+ # This deletes the copy of the catalog
+ RunAfterJob = "/home/bacula/bin/delete_catalog_backup"
diff --git a/sysutils/bacula-doc/patches/patch-ad b/sysutils/bacula-doc/patches/patch-ad
new file mode 100644
index 00000000000..bc92e170885
--- /dev/null
+++ b/sysutils/bacula-doc/patches/patch-ad
@@ -0,0 +1,13 @@
+$NetBSD: patch-ad,v 1.1 2008/07/13 15:26:36 tonnerre Exp $
+
+--- manual/postgresql.tex.orig 2007-01-05 18:20:41.000000000 +0100
++++ manual/postgresql.tex
+@@ -200,6 +200,8 @@ password in place, these two lines shoul
+ \begin{verbatim}
+ dbname = bacula; user = bacula; password = "secret"
+ ... and ...
++ # WARNING!!! Passing the password via the command line is insecure.
++ # see comments in make_catalog_backup for details.
+ RunBeforeJob = "/etc/make_catalog_backup bacula bacula secret"
+ \end{verbatim}
+ \normalsize
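Review bot: The example `RunBeforeJob = "/etc/make_catalog_backup bacula bacula secret"` still passes the password as the third argument, so the added comment warns about the line without offering anything safer to copy. The comment refers to "comments in make_catalog_backup", which this commit does not touch, so whether they exist in the installed script cannot be confirmed from here. I would add a sentence after `\end{verbatim}` that links to the manual section added in patch-ab, reusing the reference patch-aa adds to tips.tex: `\ilink{BackingUpBaculaSecurityConsiderations}{Backing Up Your Bacula Database - Security Considerations }`. The section containing this example starts above the hunk.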
diff --git a/sysutils/bacula-doc/patches/patch-ae b/sysutils/bacula-doc/patches/patch-ae
new file mode 100644
index 00000000000..199f44ba844
--- /dev/null
+++ b/sysutils/bacula-doc/patches/patch-ae
@@ -0,0 +1,13 @@
+$NetBSD: patch-ae,v 1.1 2008/07/13 15:26:36 tonnerre Exp $
+
+--- manual/strategies.tex.orig 2007-01-15 10:37:15.000000000 +0100
++++ manual/strategies.tex
+@@ -232,6 +232,8 @@ Job {
+ Messages = Standard
+ Pool = Default
+ # This creates an ASCII copy of the catalog
++ # WARNING!!! Passing the password via the command line is insecure.
++ # see comments in make_catalog_backup for details.
+ RunBeforeJob = "/usr/lib/bacula/make_catalog_backup -u bacula"
+ # This deletes the copy of the catalog, and ejects the tape
+ RunAfterJob = "/etc/bacula/end_of_backup.sh"