Version in base suite: 0.53.1+ds-2 Base version: puredata_0.53.1+ds-2 Target version: puredata_0.53.1+ds-2+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/puredata/puredata_0.53.1+ds-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/puredata/puredata_0.53.1+ds-2+deb12u1.dsc changelog | 7 + patches/0001-Terminate-if-canceling-setuid-privilege-fails.patch | 38 ++++++++++ patches/series | 1 3 files changed, 46 insertions(+) diff -Nru puredata-0.53.1+ds/debian/changelog puredata-0.53.1+ds/debian/changelog --- puredata-0.53.1+ds/debian/changelog 2023-01-28 21:00:40.000000000 +0000 +++ puredata-0.53.1+ds/debian/changelog 2024-09-26 07:17:50.000000000 +0000 @@ -1,3 +1,10 @@ +puredata (0.53.1+ds-2+deb12u1) bookworm; urgency=medium + + * Non-maintainer upload. + * CVE-2023-47480: Terminate if canceling setuid() privilege fails + + -- Adrian Bunk Thu, 26 Sep 2024 10:17:50 +0300 + puredata (0.53.1+ds-2) unstable; urgency=medium * Backport upstream ALSA-MIDI fix diff -Nru puredata-0.53.1+ds/debian/patches/0001-Terminate-if-canceling-setuid-privilege-fails.patch puredata-0.53.1+ds/debian/patches/0001-Terminate-if-canceling-setuid-privilege-fails.patch --- puredata-0.53.1+ds/debian/patches/0001-Terminate-if-canceling-setuid-privilege-fails.patch 1970-01-01 00:00:00.000000000 +0000 +++ puredata-0.53.1+ds/debian/patches/0001-Terminate-if-canceling-setuid-privilege-fails.patch 2024-09-26 07:12:33.000000000 +0000 @@ -0,0 +1,38 @@ +From b97fe443787982b1f0e4ad7db123418bcdf409b4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?IOhannes=20m=20zm=C3=B6lnig?= +Date: Tue, 25 Jul 2023 17:03:58 +0200 +Subject: Terminate if canceling setuid() privilege fails + +Closes: https://github.com/pure-data/pure-data/issues/2063 +--- + src/s_main.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/src/s_main.c b/src/s_main.c +index 56fd633e..8eef4922 100644 +--- a/src/s_main.c ++++ b/src/s_main.c +@@ -337,7 +337,19 @@ int sys_main(int argc, const char **argv) + if (getuid() != geteuid()) + { + fprintf(stderr, "warning: canceling setuid privilege\n"); +- setuid(getuid()); ++ if(setuid(getuid()) < 0) { ++ /* sometimes this fails (which, according to 'man 2 setuid' is a ++ * grave security error), in which case we bail out and quit. */ ++ fprintf(stderr, "\n\nFATAL: could not cancel setuid privilege"); ++ fprintf(stderr, "\nTo fix this, please remove the setuid flag from the Pd binary"); ++ if(argc>0) { ++ fprintf(stderr, "\ne.g. by running the following as root/superuser:"); ++ fprintf(stderr, "\n chmod u-s '%s'", argv[0]); ++ } ++ fprintf(stderr, "\n\n"); ++ perror("setuid"); ++ return (1); ++ } + } + #endif /* _WIN32 */ + if (socket_init()) +-- +2.30.2 + diff -Nru puredata-0.53.1+ds/debian/patches/series puredata-0.53.1+ds/debian/patches/series --- puredata-0.53.1+ds/debian/patches/series 2023-01-28 21:00:40.000000000 +0000 +++ puredata-0.53.1+ds/debian/patches/series 2024-09-26 07:15:42.000000000 +0000 @@ -6,3 +6,4 @@ debian_remove_timestamp-macros.patch debian_etc-gui-plugins.patch debian_privacy.patch +0001-Terminate-if-canceling-setuid-privilege-fails.patch