diff -Nru systemtap-1.3/debian/changelog systemtap-1.3/debian/changelog
--- systemtap-1.3/debian/changelog 2010-08-06 20:34:25.000000000 +0200
+++ systemtap-1.3/debian/changelog 2010-11-20 17:35:39.000000000 +0100
@@ -1,3 +1,14 @@
+systemtap (1.3-1ubuntu1) natty; urgency=low
+
+ * SECURITY UPDATE: staprun module loading/unloading security fixes
+ (LP: #677226)
+ - debian/patches/CVE-2010-4170+CVE-2010-4171.patch
+ - debian/rules, debian/systemtap-runtime.postinst: don't set the root
+ user as owner
+ - CVE 2010-4170
+ - CVE 2010-4171
+
+ -- Lorenzo De Liso Thu, 18 Nov 2010 22:28:29 +0100
+
 systemtap (1.3-1) experimental; urgency=low
 * New Upstream Release
diff -Nru systemtap-1.3/debian/control systemtap-1.3/debian/control
--- systemtap-1.3/debian/control 2010-08-06 20:34:25.000000000 +0200
+++ systemtap-1.3/debian/control 2010-11-18 22:30:14.000000000 +0100
@@ -1,7 +1,8 @@
 Source: systemtap
 Section: devel
 Priority: optional
-Maintainer: Ritesh Raj Sarraf
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Ritesh Raj Sarraf
 Uploaders: Lucas Nussbaum
 Build-Depends: debhelper (>= 7.0.50~), libelf-dev (>= 0.141), libdw-dev (>= 0.141), libsqlite3-dev, texlive-latex-base, texlive-latex-recommended,
diff -Nru systemtap-1.3/debian/patches/CVE-2010-4170+CVE-2010-4171.patch systemtap-1.3/debian/patches/CVE-2010-4170+CVE-2010-4171.patch
--- systemtap-1.3/debian/patches/CVE-2010-4170+CVE-2010-4171.patch 1970-01-01 01:00:00.000000000 +0100
+++ systemtap-1.3/debian/patches/CVE-2010-4170+CVE-2010-4171.patch 2010-11-20 17:21:53.000000000 +0100
@@ -0,0 +1,144 @@
+# Description: staprun module loading/unloading security fixes
+# Origin: upstream, http://sources.redhat.com/ml/systemtap/2010-q4/msg00230.html
+# Bug: https://bugzilla.redhat.com/show_bug.cgi?id=653604, https://bugzilla.redhat.com/show_bug.cgi?id=653606
+# Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=603946
+
+--- systemtap-1.3.orig/Makefile.in
++++ systemtap-1.3/Makefile.in
+@@ -2095,7 +2095,10 @@ cscope:
+ @BUILD_ELFUTILS_TRUE@@BUILD_TRANSLATOR_TRUE@install-exec-local: install-elfutils
+
+ install-exec-hook:
+- if [ `id -u` -eq 0 ]; then chmod 04111 "$(DESTDIR)$(bindir)/staprun"; fi
++ if [ `id -u` -eq 0 ]; then \
++ getent group stapusr >/dev/null && chgrp stapusr "$(DESTDIR)$(bindir)/staprun"; \
++ chmod 04110 "$(DESTDIR)$(bindir)/staprun"; \
++ fi
+
+ @BUILD_CRASHMOD_TRUE@$(STAPLOG): staplog.c
+ @BUILD_CRASHMOD_TRUE@ $(CC) $(staplog_CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -shared -rdynamic \
+--- systemtap-1.3.orig/Makefile.am
++++ systemtap-1.3/Makefile.am
+@@ -184,7 +184,10 @@ stapio_LDADD = -lpthread
+
+
+ install-exec-hook:
+- if [ `id -u` -eq 0 ]; then chmod 04111 "$(DESTDIR)$(bindir)/staprun"; fi
++ if [ `id -u` -eq 0 ]; then \
++ getent group stapusr >/dev/null && chgrp stapusr "$(DESTDIR)$(bindir)/staprun"; \
++ chmod 04110 "$(DESTDIR)$(bindir)/staprun"; \
++ fi
+
+ # Why the "id -u" condition? This way, an unprivileged user can run
+ # make install, and have "sudo stap ...." or "sudo staprun ...." work later.
+
+--- systemtap-1.3.orig/README.security
++++ systemtap-1.3/README.security
+@@ -15,7 +15,7 @@ following:
+
+ * the root user;
+
+- * a member of the 'stapdev' group; or
++ * a member of both 'stapdev' and 'stapusr' groups; or
+
+ * a member of the 'stapusr' group. Members of the stapusr group can
+ only use modules located in the /lib/modules/VERSION/systemtap
+@@ -23,8 +23,8 @@ following:
+ directory must be owned by root and not be world writable.
+
+ So, there are two classes of users: systemtap developers (the root user
+-and members of the stapdev group) and systemtap users (members of the
+-stapusr group). Systemtap developers can compile and run any
++and members of the stapdev/stapusr groups) and systemtap users (members of
++only the stapusr group). Systemtap developers can compile and run any
+ systemtap script. Systemtap users can only run "approved"
+ pre-compiled modules located in /lib/modules/VERSION/systemtap.
+
+--- systemtap-1.3.orig/systemtap.spec
++++ systemtap-1.3/systemtap.spec
+@@ -266,10 +266,10 @@ mv $RPM_BUILD_ROOT%{_datadir}/doc/system
+ # Fix paths in the example & testsuite scripts
+ find examples testsuite -type f -name '*.stp' -print0 | xargs -0 sed -i -r -e '1s@^#!.+stap@#!%{_bindir}/stap@'
+
+-# Because "make install" may install staprun with mode 04111, the
++# Because "make install" may install staprun with whatever mode, the
+ # post-processing programs rpmbuild runs won't be able to read it.
+ # So, we change permissions so that they can read it. We'll set the
+-# permissions back to 04111 in the %files section below.
++# permissions back to 04110 in the %files section below.
+ chmod 755 $RPM_BUILD_ROOT%{_bindir}/staprun
+
+ #install the useful stap-prep script
+@@ -428,7 +428,7 @@ exit 0
+
+ %files runtime
+ %defattr(-,root,root)
+-%attr(4111,root,root) %{_bindir}/staprun
++%attr(4110,root,stapusr) %{_bindir}/staprun
+ %{_bindir}/stap-report
+ %{_bindir}/stap-authorize-signing-cert
+ %{_libexecdir}/%{name}/stapio
+--- systemtap-1.3.orig/runtime/staprun/ctl.c
++++ systemtap-1.3/runtime/staprun/ctl.c
+@@ -27,6 +27,9 @@ int init_ctl_channel(const char *name, i
+ return -2;
+ }
+
++ if (access(buf, R_OK|W_OK) != 0)
++ return -5;
++
+ control_channel = open(buf, O_RDWR);
+ dbug(2, "Opened %s (%d)\n", buf, control_channel);
+ if (control_channel < 0) {
+--- systemtap-1.3.orig/runtime/staprun/staprun.c
++++ systemtap-1.3/runtime/staprun/staprun.c
+@@ -115,19 +115,7 @@ static int enable_uprobes(void)
+ if (run_as(0, uid, gid, argv[0], argv) == 0)
+ return 0;
+
+- /*
+- * TODO: If user can't setresuid to root here, staprun will exit.
+- * Is there a situation where that would fail but the subsequent
+- * attempt to insert_module() would succeed?
+- */
+- dbug(2, "Inserting uprobes module from /lib/modules, if any.\n");
+- i = 0;
+- argv[i++] = "/sbin/modprobe";
+- argv[i++] = "-q";
+- argv[i++] = "uprobes";
+- argv[i] = NULL;
+- if (run_as(0, 0, 0, argv[0], argv) == 0)
+- return 0;
++ /* NB: don't use /sbin/modprobe, without more env. sanitation. */
+
+ /* This module may be signed, so use insert_module to load it. */
+ snprintf (runtimeko, sizeof(runtimeko), "%s/uprobes/uprobes.ko",
+@@ -186,9 +174,16 @@ static int remove_module(const char *nam
+ return 0;
+ }
+
+- /* We could call init_ctl_channel / close_ctl_channel here, as a heuristic
+- to determine whether the module is being used by some other stapio process.
+- However, delete_module() does basically the same thing. */
++ /* We call init_ctl_channel/close_ctl_channel to check whether
++ the module is a systemtap-built one (having the right files),
++ and that it's already unattached (because otherwise it'd EBUSY
++ the opens. */
++ ret = init_ctl_channel (name, 0);
++ if (ret < 0) {
++ err("Error, '%s' is not a zombie systemtap module.\n", name);
++ return ret;
++ }
++ close_ctl_channel ();
+
+ dbug(2, "removing module %s\n", name);
+ STAP_PROBE1(staprun, remove__module, name);
+@@ -223,7 +218,7 @@ int init_staprun(void)
+ without first removing the kernel module. This would block
+ a subsequent rerun attempt. So here we gingerly try to
+ unload it first. */
+- int ret = delete_module (modname, O_NONBLOCK);
++ int ret = remove_module (modname, 0);
+ err("Retrying, after attempted removal of module %s (rc %d)\n", modname, ret);
+ /* Then we try an insert a second time. */
+ if (insert_stap_module() < 0)
diff -Nru systemtap-1.3/debian/patches/series systemtap-1.3/debian/patches/series
--- systemtap-1.3/debian/patches/series 2010-08-06 20:34:25.000000000 +0200
+++ systemtap-1.3/debian/patches/series 2010-11-19 20:54:15.000000000 +0100
@@ -5,3 +5,4 @@
 new-elfutils.diff
 grapher-libs.diff
 debversion.diff
+CVE-2010-4170+CVE-2010-4171.patch
diff -Nru systemtap-1.3/debian/rules systemtap-1.3/debian/rules
--- systemtap-1.3/debian/rules 2010-08-06 20:34:25.000000000 +0200
+++ systemtap-1.3/debian/rules 2010-11-20 17:32:26.000000000 +0100
@@ -87,7 +87,7 @@
 override_dh_fixperms:
 dh_fixperms
- chmod 4755 debian/systemtap-runtime/usr/bin/staprun
+ chmod 4750 debian/systemtap-runtime/usr/bin/staprun
 override_dh_installchangelogs:
 dh_installchangelogs debian/changelog
diff -Nru systemtap-1.3/debian/systemtap-runtime.postinst systemtap-1.3/debian/systemtap-runtime.postinst
--- systemtap-1.3/debian/systemtap-runtime.postinst 2010-08-06 20:34:25.000000000 +0200
+++ systemtap-1.3/debian/systemtap-runtime.postinst 2010-11-20 17:33:15.000000000 +0100
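Review bot: The `access(buf, R_OK|W_OK)` guard added in the ctl.c hunk should carry a comment, because in a setuid-root staprun (mode 04110 per the Makefile hunks) `access()` is evaluated against the caller's real uid/gid while the following `open(buf, O_RDWR)` runs with root's effective credentials — that asymmetry is the whole point of the check, and without a comment the pair reads like an ordinary check-then-use sequence; suggest `/* access() uses the real uid/gid: a stapusr member may only reach control files its own credentials can open. */`. The new `return -5` joins the existing unnamed `-2`, and remove_module now folds every negative result into "not a zombie systemtap module", so naming these codes in ctl.c would let callers tell a missing file from a permission failure. In the remove_module hunk `ret` is assigned without a visible declaration; the function starts outside the hunk, so it is presumably declared there — worth confirming. In both Makefile hunks, when the stapusr group is absent the `chgrp` is skipped but `chmod 04110` still runs, leaving staprun root:root with no world execute bit; that fails closed, which is the right direction, but an echo in the recipe would make the outcome visible to whoever runs `make install`.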
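Review bot: `chmod 4750` here only fixes the mode recorded in the .deb; the group is still whatever dh_fixperms left (root, presumably), so the shipped staprun is executable by root alone until the postinst's dpkg-statoverride assigns group stapusr. That is the fail-closed direction and looks intended, but nothing in debian/rules says so; a one-line comment above the chmod, `# group stapusr and the final 4750 are applied by systemtap-runtime.postinst via dpkg-statoverride`, would stop a later maintainer from restoring 4755.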
@@ -12,6 +12,12 @@ echo "Adding stapusr group..." addgroup --quiet --system stapusr || true fi + + # Fixup staprun binary for new group 'stapusr'. + if [ -x /usr/sbin/dpkg-statoverride ] && + ! dpkg-statoverride --list /usr/bin/staprun > /dev/null ; then + dpkg-statoverride --update --add root stapusr 4750 /usr/bin/staprun + fi ;; abort-upgrade|abort-remove|abort-deconfigure) ;;
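Review bot: The override registered with `dpkg-statoverride --update --add root stapusr 4750 /usr/bin/staprun` has no counterpart in this diff removing it; Debian convention pairs a postinst `--add` with `dpkg-statoverride --remove /usr/bin/staprun` on purge in the postrm, which is not shown here, so please confirm it exists. The `! dpkg-statoverride --list` guard rightly preserves an administrator's existing override, which also means a host that already carries an override for staprun (for example an old 4755 one) will not be tightened by this update — worth a line in the changelog. Because `addgroup ... || true` above tolerates a failed group creation, the `--add root stapusr` call would then presumably fail on the unknown group and, if the script runs under `set -e`, abort configuration; failing loudly is correct, but a comment should say it is deliberate: `# Requires the stapusr group created above; a failure here is meant to abort configure.`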