[luci] Fix CVE-2010-3852 (bug #645404)
Fabio M. Di Nitto
fabbione at fedoraproject.org
Thu Oct 21 18:51:17 UTC 2010
commit 2fe66a094739b55e56377f4e6a8d8f0aa5105066
Author: Fabio M. Di Nitto <fdinitto at redhat.com>
Date: Thu Oct 21 20:51:08 2010 +0200
Fix CVE-2010-3852 (bug #645404)
Signed-off-by: Fabio M. Di Nitto <fdinitto at redhat.com>
luci.spec | 11 ++++++++++-
1 files changed, 10 insertions(+), 1 deletions(-)
---
diff --git a/luci.spec b/luci.spec
index 019a0c3..aeee67c 100644
--- a/luci.spec
+++ b/luci.spec
@@ -6,7 +6,7 @@
Name: luci
Version: 0.22.4
-Release: 1%{?alphatag:.%{alphatag}}%{?dist}
+Release: 2%{?alphatag:.%{alphatag}}%{?dist}
Summary: Web-based high availability administration application
Group: Applications/System
License: GPLv2
@@ -63,6 +63,9 @@ rm -rf %{buildroot}
%config(noreplace) %{_sysconfdir}/rc.d/init.d/luci
%attr(750, luci, luci) %dir /var/log/luci
+# We alter this file in %post - it is not user serviceable.
+%verify(not md5 mtime size) %{_localstatedir}/lib/luci/etc/who.ini
+
%pre
/usr/sbin/groupadd -g 141 luci 2> /dev/null
/usr/sbin/useradd -u 141 -g 141 -d /var/lib/luci -s /sbin/nologin -r \
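Review bot: The new `who.ini` entry in `%files` sets no `%attr`, although after this change the file holds the per-host auth_tkt secret written in `%post`. Unless its mode and owner are fixed elsewhere in the spec (not visible in this hunk), the secret may be readable by any local user. Something like `%attr(0640, root, luci) %verify(not md5 mtime size) %{_localstatedir}/lib/luci/etc/who.ini` would restrict it to the service account, assuming the daemon runs as the `luci` user created in `%pre`. The `%files` list and the `%pre` scriptlet both continue outside the hunk.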
@@ -71,6 +74,9 @@ exit 0
%post
/sbin/chkconfig --add luci
+secret="$(dd if=/dev/urandom bs=8 count=1 2>/dev/null | od -t x8 -A n | sed 's/^[ ]*//')"
+sedcmd=":a /^\[plugin:auth_tkt\]\$/! {p;d;ba}; {:b \$! {N;bb}; {s/\([ \t]*secret[ \t]*=[ \t]*\)[^\n]*/\1$secret/1;p;d}}"
+sed -ni "$sedcmd" %{_localstatedir}/lib/luci/etc/who.ini
exit 0
%preun
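Review bot: The `%post` scriptlet never checks that `secret` was actually generated, so if the `dd`/`od` pipeline yields nothing, the `sed` call rewrites the `[plugin:auth_tkt]` secret to an empty value and the scriptlet still ends with `exit 0`. Guard the rewrite on the expected length and report the failure so the admin knows the packaged value is still in place, e.g. `[ ${#secret} -eq 16 ] && sed -ni "$sedcmd" %{_localstatedir}/lib/luci/etc/who.ini || echo "luci: could not generate auth_tkt secret" >&2`. Eight bytes from /dev/urandom is also a small key for signing authentication tickets; reading 16 or 32 bytes (with `od -t x1` and the separators stripped) costs nothing. A comment such as `# Replace the packaged auth_tkt secret with a per-host random value (CVE-2010-3852); runs on install and on upgrade` would explain why the file is edited here.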
@@ -87,6 +93,9 @@ fi
exit 0
%changelog
+* Thu Oct 21 2010 Fabio M. Di Nitto <fdinitto at redhat.com> - 0.22.4-2.0.b9faf868074git
+- Fix CVE-2010-3852 (bug #645404)
+
* Thu Aug 19 2010 Fabio M. Di Nitto <fdinitto at redhat.com> - 0.22.4-1.0.b9faf868074git
- New upstream release (0.22.4)
- Steal fixes from upstream git up to b9faf868074git