Bug#779997: marked as done (unblock: mksh/50d-5)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Sun, 15 Mar 2015 20:35:49 +0100
with message-id <5505DF15.2090100@thykier.net>
and subject line Re: Bug#779997: unblock: (pre-approval) mksh/50d-4
has caused the Debian Bug report #779997,
regarding unblock: mksh/50d-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
779997: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779997
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: (pre-approval) mksh/50d-4
• From: Thorsten Glaser <tg@mirbsd.de>
• Date: Sat, 07 Mar 2015 21:24:58 +0000
• Message-id: <[🔎] 20150307212458.2622.10412.reportbug@tglase-eee.lan.tarent.de>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package mksh

With upstream hat, I found and fixed a security-relevant
(privacy related) bug in mksh and would kindly like to
request its inclusion into jessie.

The bug is: when HISTFILE has been set to a filename,
persistent history writing (logging of commands) is
enabled. Running “unset HISTFILE” is a no-op, instead
of, like with the other shells, disabling file logging
again. (Running “HISTFILE=” sort-of works, as it tries
to call open(2) with an empty string as argument, fails
and then leaves logging disabled.)

The fix is a straight backport of the upstream fix, in
two portions: the histrap.c part makes a NULL and empty
string argument ① do the same, and ② disable history
without relying on “open("", …)” to fail; the var.c
part calls the routine in the “unset” case. The other
patches (check.t and sh.h) adjust the shell version to
note that this is a vendor-patched version; it’s something
I (as upstream) request (though not absolutely require)
from distributions to do when they deviate from upstream
sources.

The full debdiff is attached. I plan to upload using a
sponsor (I have several at hand) if I get the approval,
but have no problem against an RT or Security Team member
uploading the package instead either. The package builds
cleanly in jessie and sid (i386 cowbuilder), passes its
testsuite and is lintian-clean.

The package is kept in collab-maint/mksh.git using the
“single-debian-patch” style packaging, which means that
debian/patches/debian-changes accumulates those patches.
Feel free to inspect the git repository for the actual
commit to the upstream sources instead. The package builds
without any non-standard helpers (e.g. gbp), by just invoking
dpkg-buildpackage after placing the .orig.tar.gz into
the parent directory.

unblock mksh/50d-4

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

diff -Nru mksh-50d/debian/changelog mksh-50d/debian/changelog
--- mksh-50d/debian/changelog	2014-10-23 11:20:27.000000000 +0200
+++ mksh-50d/debian/changelog	2015-03-07 22:17:11.000000000 +0100
@@ -1,3 +1,12 @@
+mksh (50d-4) unstable; urgency=medium
+
+  * QA upload.
+  * Backport upstream fix:
+    - [tg] SECURITY: make unset HISTFILE actually work
+  * Adjust shell version accordingly
+
+ -- Thorsten Glaser <tg@mirbsd.de>  Sat, 07 Mar 2015 22:16:53 +0100
+
 mksh (50d-3) unstable; urgency=high
 
   * QA upload.
diff -Nru mksh-50d/debian/patches/debian-changes mksh-50d/debian/patches/debian-changes
--- mksh-50d/debian/patches/debian-changes	2014-10-23 11:24:49.000000000 +0200
+++ mksh-50d/debian/patches/debian-changes	2015-03-07 22:19:12.000000000 +0100
@@ -18,7 +18,7 @@
  
  expected-stdout:
 -	@(#)MIRBSD KSH R50 2014/10/07
-+	@(#)MIRBSD KSH R50 2014/10/19
++	@(#)MIRBSD KSH R50 2014/10/19 Debian-4
  description:
  	Check version of shell.
  stdin:
@@ -27,7 +27,7 @@
  ---
  expected-stdout:
 -	@(#)LEGACY KSH R50 2014/10/07
-+	@(#)LEGACY KSH R50 2014/10/19
++	@(#)LEGACY KSH R50 2014/10/19 Debian-4
  description:
  	Check version of legacy shell.
  stdin:
@@ -531,6 +531,39 @@
  	/* set $# and $* */
  	if (setargs) {
  		wp += argi - 1;
+--- mksh-50d.orig/histrap.c
++++ mksh-50d/histrap.c
+@@ -563,7 +563,7 @@ sethistfile(const char *name)
+ 		return;
+ 
+ 	/* if the name is the same as the name we have */
+-	if (hname && strcmp(hname, name) == 0)
++	if (hname && name && !strcmp(hname, name))
+ 		return;
+ 
+ 	/*
+@@ -581,7 +581,8 @@ sethistfile(const char *name)
+ 		hist_source->line = 0;
+ 	}
+ 
+-	hist_init(hist_source);
++	if (name)
++		hist_init(hist_source);
+ }
+ #endif
+ 
+@@ -713,8 +714,10 @@ hist_init(Source *s)
+ 	hist_source = s;
+ 
+ #if HAVE_PERSISTENT_HISTORY
+-	if ((hname = str_val(global("HISTFILE"))) == NULL)
++	if (((hname = str_val(global("HISTFILE"))) == NULL) || !*hname) {
++		hname = NULL;
+ 		return;
++	}
+ 	strdupx(hname, hname, APERM);
+ 	hs = hist_init_first;
+ 
 --- mksh-50d.orig/main.c
 +++ mksh-50d/main.c
 @@ -34,7 +34,7 @@
@@ -561,7 +594,7 @@
 +__RCSID("$MirOS: src/bin/mksh/sh.h,v 1.701 2014/10/19 21:53:08 tg Exp $");
  #endif
 -#define MKSH_VERSION "R50 2014/10/07"
-+#define MKSH_VERSION "R50 2014/10/19"
++#define MKSH_VERSION "R50 2014/10/19 Debian-4"
  
  /* arithmetic types: C implementation */
  #if !HAVE_CAN_INTTYPES
@@ -585,3 +618,17 @@
  
  #define X_EXTRA	20	/* this many extra bytes in X string */
  
+--- mksh-50d.orig/var.c
++++ mksh-50d/var.c
+@@ -1351,6 +1351,11 @@ unsetspec(struct tbl *vp)
+ 	 */
+ 
+ 	switch (special(vp->name)) {
++#if HAVE_PERSISTENT_HISTORY
++	case V_HISTFILE:
++		sethistfile(NULL);
++		return;
++#endif
+ 	case V_IFS:
+ 		setctypes(TC_IFSWS, C_IFS);
+ 		ifs0 = ' ';

--- End Message ---

--- Begin Message ---

• To: Thorsten Glaser <tg@mirbsd.de>, Axel Beckert <abe@debian.org>
• Cc: 779997-done@bugs.debian.org, control@bugs.debian.org
• Subject: Re: Bug#779997: unblock: (pre-approval) mksh/50d-4
• From: Niels Thykier <niels@thykier.net>
• Date: Sun, 15 Mar 2015 20:35:49 +0100
• Message-id: <5505DF15.2090100@thykier.net>
• In-reply-to: <[🔎] Pine.BSM.4.64L.1503151929540.26392@herc.mirbsd.org>
• References: <[🔎] 20150307212458.2622.10412.reportbug@tglase-eee.lan.tarent.de> <[🔎] 54FC7E5B.5070400@thykier.net> <[🔎] Pine.BSM.4.64L.1503122135430.25511@herc.mirbsd.org> <[🔎] 5502803B.7090305@thykier.net> <[🔎] Pine.BSM.4.64L.1503131422020.6027@herc.mirbsd.org> <[🔎] 20150315175701.GR17353@sym.noone.org> <[🔎] Pine.BSM.4.64L.1503151929540.26392@herc.mirbsd.org>

On 2015-03-15 20:30, Thorsten Glaser wrote:
> retitle 779997 unblock: mksh/50d-5
> tags 779997 - moreinfo
> thanks
> 
> Axel Beckert dixit:
> 
>> I've just made a pbuilder build whose debdiff only differs from the
>> debdiff posted here as follows, i.e. only in dates and version numbers:
> 
> Thanks, this looks as expected.
> 
> bye,
> //mirabilos
> 

Indeed - I have unblocked the -5 version now.

Thanks,
~Niels

--- End Message ---