From 43e17d5dbab7dbfc1485d17bb4fae350cf74302f69ec1680efb9ebac558c29c2 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel
Date: Mon, 20 Feb 2012 09:41:01 +0000
Subject: [PATCH] - remove read permissions for other users on local sqlite database as it may contain passwords (bnc#747833, CVE-2012-0863)
OBS-URL: https://build.opensuse.org/package/show/games:tools/mumble?expand=0&rev=25
---
...e-file-permissions-for-settings-and-D.diff | 52 +++++++++++++++++++
mumble.changes | 6 +++
mumble.spec | 2 +
3 files changed, 60 insertions(+)
create mode 100644 0001-Explicitly-remove-file-permissions-for-settings-and-D.diff
diff --git a/0001-Explicitly-remove-file-permissions-for-settings-and-D.diff b/0001-Explicitly-remove-file-permissions-for-settings-and-D.diff
new file mode 100644
index 0000000..f9d9c9f
--- /dev/null
+++ b/0001-Explicitly-remove-file-permissions-for-settings-and-D.diff
@@ -0,0 +1,52 @@
+From cc52dd435e281f008866439b9eb5565729bd1956 Mon Sep 17 00:00:00 2001
+From: Thorvald Natvig
+Date: Fri, 27 May 2011 16:59:15 -0700
+Subject: [PATCH mumble] Explicitly remove file permissions for settings and
+ DB
+
+---
+ src/mumble/Database.cpp | 5 +++++
+ src/mumble/Settings.cpp | 11 +++++++++++
+ 2 files changed, 16 insertions(+), 0 deletions(-)
+
+diff --git a/src/mumble/Database.cpp b/src/mumble/Database.cpp
+index 6c4d940..5caed38 100644
+--- a/src/mumble/Database.cpp
++++ b/src/mumble/Database.cpp
+@@ -92,6 +92,11 @@ Database::Database() {
+ qWarning("Database: Database is read-only");
+ }
+
++ {
++ QFile f(db.databaseName());
++ f.setPermissions(f.permissions() & ~(QFile::ReadGroup | QFile::WriteGroup | QFile::ExeGroup | QFile::ReadOther | QFile::WriteOther | QFile::ExeOther));
++ }
++
+ QSqlQuery query;
+
+ query.exec(QLatin1String("CREATE TABLE IF NOT EXISTS `servers` (`id` INTEGER PRIMARY KEY AUTOINCREMENT, `name` TEXT, `hostname` TEXT, `port` INTEGER DEFAULT 64738, `username` TEXT, `password` TEXT)"));
+diff --git a/src/mumble/Settings.cpp b/src/mumble/Settings.cpp
+index 5ebbc53..df9d7f3 100644
+--- a/src/mumble/Settings.cpp
++++ b/src/mumble/Settings.cpp
+@@ -698,6 +698,17 @@ void OverlaySettings::save() {
+ void OverlaySettings::save(QSettings* settings_ptr) {
+ OverlaySettings def;
+
++ settings_ptr->setValue(QLatin1String("version"), QLatin1String(MUMTEXT(MUMBLE_VERSION_STRING)));
++ settings_ptr->sync();
++
++#if defined(Q_OS_WIN) || defined(Q_OS_MAC)
++ if (settings_ptr->format() == QSettings::IniFormat)
++#endif
++ {
++ QFile f(settings_ptr->fileName());
++ f.setPermissions(f.permissions() & ~(QFile::ReadGroup | QFile::WriteGroup | QFile::ExeGroup | QFile::ReadOther | QFile::WriteOther | QFile::ExeOther));
++ }
++
+ SAVELOAD(bEnable, "enable");
+
+ SAVELOAD(osShow, "show");
+--
+1.7.7
+
diff --git a/mumble.changes b/mumble.changes
index eb448e5..add856e 100644
--- a/mumble.changes
+++ b/mumble.changes
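Review bot: Both added `f.setPermissions(...)` calls, the one after the read-only warning in `Database::Database()` and the one after `settings_ptr->sync()` in the Settings.cpp hunk, discard the boolean result, so if the mode change fails the file with the `password` column stays readable by group and others and nothing is logged. I would check the result and warn, e.g. `if (!f.setPermissions(f.permissions() & ~mask)) qWarning("Database: could not restrict permissions on %s", qPrintable(f.fileName()));`, with `mask` holding the six group/other flags so the flag list is no longer duplicated. The mode is tightened only after the file already exists, so until that call it presumably carries whatever the process umask produced; creating it owner-only from the start would close that window if the surrounding code allows it. In the Settings.cpp hunk the context lines place the new code inside `OverlaySettings::save(QSettings* settings_ptr)`, which looks like an odd home for writing the top-level `version` key, so it is worth confirming the patch applied where upstream intended. Both function bodies continue outside the hunks.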
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Feb 20 08:49:15 UTC 2012 - lnussel@suse.de
+
+- remove read permissions for other users on local sqlite database
+ as it may contain passwords (bnc#747833, CVE-2012-0863)
+
 -------------------------------------------------------------------
 Mon Feb 13 14:00:57 UTC 2012 - lnussel@suse.de
 
diff --git a/mumble.spec b/mumble.spec
index 45671a6..074a074 100644
--- a/mumble.spec
+++ b/mumble.spec
@@ -103,6 +103,7 @@ Patch3: 0001-if-service-name-is-empty-don-t-pass-an-empty-string.diff
 Patch4: 0001-remove-CAP_NET_ADMIN.diff
 Patch5: 0001-fix-bonjour-support-using-avahi-compat-lib.diff
 Patch6: mumble-1.2.3-nohardcodedcas.diff
+Patch7: 0001-Explicitly-remove-file-permissions-for-settings-and-D.diff
 Patch50: mumble-1.2.2-buildcompare.diff
 # hack, no clue about glx so no idea to fix this properly
 Patch99: mumble-1.1.4-sle10glx.diff
@@ -173,6 +174,7 @@ won't be audible to other players.
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 # %patch50 -p1
 %if 0%{?suse_version} && 0%{?suse_version} < 1020