diff --git a/bacula-2.4.4-dbcheck.patch b/bacula-2.4.4-dbcheck.patch
new file mode 100644
index 0000000..68d19f5
--- /dev/null
+++ b/bacula-2.4.4-dbcheck.patch
@@ -0,0 +1,162 @@
+Patch by Robert Scheck for bacula >= 2.4.4, which hopefully unbreaks
+the issues introduced by the attempt to fix CVE-2007-5626: The new make_catalog_backup.pl replaces
+the previous make_catalog_backup. However, make_catalog_backup.pl requires "dbscan -B" working and
+the backport contains missing substitutions for the environment causing make_catalog_backup.pl to
+fail at two places, where the environment variable issue is easily solved. The second part of this
+patch tries to backport "dbscan -B" from newer Bacula versions (with some adaptions). Additionally
+the spec file was corrected to not override dbscan(1) with bscan.variant(1), but dbscan.variant(1).
+See also https://bugzilla.redhat.com/show_bug.cgi?id=456612#c19 for some more details, please.
+
+--- bacula-2.4.4/src/dird/dird_conf.c 2008-06-19 21:44:34.000000000 +0200
++++ bacula-2.4.4/src/dird/dird_conf.c.dbcheck 2012-09-26 00:52:23.000000000 +0200
+@@ -483,6 +483,16 @@
+ {NULL, 0}
+ };
+
++char *CAT::display(POOLMEM *dst) {
++ Mmsg(dst,"catalog=%s\ndb_name=%s\ndb_user=%s\n"
++ "db_password=%s\ndb_address=%s\ndb_port=%i\n"
++ "db_socket=%s\n",
++ name(), NPRTB(db_name),
++ NPRTB(db_user), NPRTB(db_password),
++ NPRTB(db_address), db_port, NPRTB(db_socket));
++ return dst;
++}
++
+ const char *level_to_str(int level)
+ {
+ int i;
+--- bacula-2.4.4/src/dird/dird_conf.h 2008-06-18 21:22:03.000000000 +0200
++++ bacula-2.4.4/src/dird/dird_conf.h.dbcheck 2012-09-26 00:54:04.000000000 +0200
+@@ -230,6 +230,7 @@
+
+ /* Methods */
+ char *name() const;
++ char *display(POOLMEM *dst); /* Get catalog information */
+ };
+
+ inline char *CAT::name() const { return hdr.name; }
+--- bacula-2.4.4/src/tools/dbcheck.c 2007-10-03 13:36:47.000000000 +0200
++++ bacula-2.4.4/src/tools/dbcheck.c.dbcheck 2012-09-26 00:50:02.000000000 +0200
+@@ -101,10 +101,11 @@
+ static void usage()
+ {
+ fprintf(stderr,
+-"Usage: dbcheck [-c config] [-C catalog name] [-d debug_level] []\n"
+"Usage: dbcheck [-c config] [-B] [-C catalog name] [-d debug_level] [] []\n"
+ " -b batch mode\n"
+ " -C catalog name in the director conf file\n"
+ " -c director conf filename\n"
++" -B print catalog configuration and exit\n"
+ " -dnn set debug level to nn\n"
+ " -f fix inconsistencies\n"
+ " -v verbose\n"
+@@ -116,8 +117,11 @@
+ {
+ int ch;
+ const char *user, *password, *db_name, *dbhost;
++ int dbport = 0;
++ bool print_catalog=false;
+ char *configfile = NULL;
+ char *catalogname = NULL;
++ char *endptr;
+
+ setlocale(LC_ALL, "");
+ bindtextdomain("bacula", LOCALEDIR);
+@@ -130,8 +134,12 @@
+ memset(&name_list, 0, sizeof(name_list));
+
+
+- while ((ch = getopt(argc, argv, "bc:C:d:fv?")) != -1) {
++ while ((ch = getopt(argc, argv, "bc:C:d:fvB?")) != -1) {
+ switch (ch) {
++ case 'B':
++ print_catalog = true; /* get catalog information from config */
++ break;
++
+ case 'b': /* batch */
+ batch = true;
+ break;
+@@ -203,6 +211,18 @@
+ exit(1);
+ }
+ set_working_directory(director->working_directory);
++
++ /*
++ * Print catalog information and exit (-B)
++ */
++ if (print_catalog) {
++ POOLMEM *buf = get_pool_memory(PM_MESSAGE);
++ printf("%sdb_type=%s\nworking_dir=%s\n", catalog->display(buf),
++ db_get_type(), working_directory);
++ free_pool_memory(buf);
++ exit(0);
++ }
++
+ db_name = catalog->db_name;
+ user = catalog->db_user;
+ password = catalog->db_password;
+@@ -210,6 +230,7 @@
+ if (dbhost && dbhost[0] == 0) {
+ dbhost = NULL;
+ }
++ dbport = catalog->db_port;
+ }
+ } else {
+ if (argc > 5) {
+@@ -244,6 +265,20 @@
+ user = argv[2];
+ password = argv[3];
+ dbhost = argv[4];
++ } else if (argc == 6) {
++ db_name = argv[1];
++ user = argv[2];
++ password = argv[3];
++ dbhost = argv[4];
++ errno = 0;
++ dbport = strtol(argv[5], &endptr, 10);
++ if (*endptr != '\0') {
++ Pmsg0(0, _("Database port must be a numeric value.\n"));
++ exit(1);
++ } else if (errno == ERANGE) {
++ Pmsg0(0, _("Database port must be a int value.\n"));
++ exit(1);
++ }
+ }
+ }
+
+--- bacula-2.4.4/src/baconfig.h 2008-05-21 13:59:00.000000000 +0200
++++ bacula-2.4.4/src/baconfig.h.dbcheck 2012-09-26 00:52:58.000000000 +0200
+@@ -77,6 +77,7 @@
+
+ /* Allow printing of NULL pointers */
+ #define NPRT(x) (x)?(x):_("*None*")
++#define NPRTB(x) (x)?(x):""
+
+ #if defined(HAVE_WIN32)
+
+--- bacula-2.4.4/src/cats/make_catalog_backup.pl.in 2012-09-26 00:14:48.000000000 +0200
++++ bacula-2.4.4/src/cats/make_catalog_backup.pl.in.dbcheck 2012-09-26 00:16:31.000000000 +0200
+@@ -41,6 +41,8 @@
+
+ =cut
+
++$ENV{PATH}="/usr/bin:$ENV{PATH}";
++
+ my $cat = shift or die "Usage: $0 catalogname";
+ my $dir_conf='@sbindir@/dbcheck -B -c @sysconfdir@/bacula-dir.conf';
+ my $wd = "@working_dir@";
+@@ -115,13 +117,10 @@
+ {
+ my %args = @_;
+ if ($args{db_type} eq 'SQLite3') {
+- $ENV{PATH}="@SQLITE_BINDIR@:$ENV{PATH}";
+ dump_sqlite3(%args);
+ } elsif ($args{db_type} eq 'PostgreSQL') {
+- $ENV{PATH}="@POSTGRESQL_BINDIR@:$ENV{PATH}";
+ dump_pgsql(%args);
+ } elsif ($args{db_type} eq 'MySQL') {
+- $ENV{PATH}="@MYSQL_BINDIR@:$ENV{PATH}";
+ dump_mysql(%args);
+ } else {
+ die "This database type isn't supported";
diff --git a/bacula.spec b/bacula.spec
index e03a139..8575be9 100644
--- a/bacula.spec
+++ b/bacula.spec
@@ -25,6 +25,7 @@ Patch3: %{name}-2.4.4-pamd.patch
 Patch4: %{name}-2.4.4-make_catalog_backup.patch
 Patch5: %{name}-2.4.4-gtk-labels.patch
 Patch6: %{name}-2.4.4-acl.patch
+Patch7: %{name}-2.4.4-dbcheck.patch
 BuildRequires: atk-devel
 BuildRequires: bonobo-activation-devel
@@ -314,6 +315,7 @@ pushd %{name}-%{version}
 %patch4 -p1 -b .make_catalog_backup
 %patch5 -p1 -b .gtk-labels
 %patch6 -p2 -b .acl
+%patch7 -p1 -b .dbcheck
 # Remove execution permissions from files we're packaging as docs later on
 find updatedb -type f | xargs chmod -x
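Review bot: In the dbcheck.c section of the added patch, the new `else if (argc == 6)` branch sits under the unchanged context line `if (argc > 5) {`; that guard's body is outside the hunk, but if it still rejects the argument count the port argument can never be reached, and the guard would need to become `if (argc > 6) {`. The port parse is also loose: the `long` returned by `strtol` is stored straight into `int dbport`, an empty `argv[5]` passes the `*endptr != '\0'` test, and negative or above-65535 values are accepted, so parse into a `long port` and reject with `if (endptr == argv[5] || *endptr != '\0' || errno == ERANGE || port < 0 || port > 65535)`. None of the visible hunks hands `dbport` to the database connection call, so it may be parsed and then ignored. In make_catalog_backup.pl.in, `$ENV{PATH}="/usr/bin:$ENV{PATH}";` keeps every inherited PATH entry behind /usr/bin, so if the dump tools are run by bare name, one missing from /usr/bin would be resolved from the caller's environment; a fixed value such as `$ENV{PATH}="/usr/bin:/bin";` avoids that. Since `CAT::display` emits `db_password` in clear text, a comment there such as `/* output includes the catalog password; callers must not log or echo it */` would make the handling requirement explicit.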
@@ -663,10 +665,8 @@ replace_symlink() {
 cp $alternatives_name.$suffix $alternatives_name
 }
 replace_symlink /usr/sbin/bcopy mysql
-if [ -h /usr/sbin/dbcheck ]; then
- rm -f /usr/sbin/dbcheck
-fi
-cp /usr/sbin/bscan.mysql /usr/sbin/dbcheck
+replace_symlink /usr/sbin/bscan mysql
+replace_symlink /usr/sbin/dbcheck mysql
 %post storage-sqlite
 replace_symlink() {
@@ -678,10 +678,8 @@ replace_symlink() {
 cp $alternatives_name.$suffix $alternatives_name
 }
 replace_symlink /usr/sbin/bcopy sqlite
-if [ -h /usr/sbin/dbcheck ]; then
- rm -f /usr/sbin/dbcheck
-fi
-cp /usr/sbin/bscan.sqlite /usr/sbin/dbcheck
+replace_symlink /usr/sbin/bscan sqlite
+replace_symlink /usr/sbin/dbcheck sqlite
 %post storage-postgresql
@@ -694,10 +692,8 @@ replace_symlink() {
 cp $alternatives_name.$suffix $alternatives_name
 }
 replace_symlink /usr/sbin/bcopy postgresql
-if [ -h /usr/sbin/dbcheck ]; then
- rm -f /usr/sbin/dbcheck
-fi
-cp /usr/sbin/bscan.postgresql /usr/sbin/dbcheck
+replace_symlink /usr/sbin/bscan postgresql
+replace_symlink /usr/sbin/dbcheck postgresql
 %preun storage-mysql
@@ -713,6 +709,7 @@ remove_fake_alternative() {
 }
 remove_fake_alternative /usr/sbin/bcopy mysql
+remove_fake_alternative /usr/sbin/bscan mysql
 remove_fake_alternative /usr/sbin/dbcheck mysql
 # As proposed on epel-devel, we will not re-enable alternatives in EPEL-5
@@ -728,6 +725,7 @@ remove_fake_alternative() {
 fi
 }
 remove_fake_alternative /usr/sbin/bcopy sqlite
+remove_fake_alternative /usr/sbin/bscan sqlite
 remove_fake_alternative /usr/sbin/dbcheck sqlite
 # As proposed on epel-devel, we will not re-enable alternatives in EPEL-5
@@ -743,6 +741,7 @@ remove_fake_alternative() {
 fi
 }
 remove_fake_alternative /usr/sbin/bcopy postgresql
+remove_fake_alternative /usr/sbin/bscan postgresql
 remove_fake_alternative /usr/sbin/dbcheck postgresql
 %post client
@@ -971,6 +970,11 @@ fi
 %changelog
+* Wed Sep 26 2012 Robert Scheck 2.4.4-12
+- Backported required 'dbcheck -B' functionality after very
+ broken backport of make_catalog_backup.pl to unbreak the
+ self-backup (#456612 #c19, discovered by Markus Espenhain)
+
 * Tue Sep 18 2012 Lukáš Nykrýn - 2.4.4-11
 - Make dump_resource respect console ACL's (#857958)