Bug#598471: using insecure memory on GNU/kFreeBSD
Package: gnupg
Version: 1.4.10-4
Severity: normal
Tags: patch
User: debian-bsd@lists.debian.org
Usertags: kfreebsd
gnupg is using insecure memory on GNU/kFreeBSD (unless run as root) because
the mlock() kernel call is reserved to the super-user [1]:
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
Upstream recommends [2] setting the SUID bit and assures that "the program
drops root privileges as soon as locked memory is allocated".
Patch attached.
Note for those coming from google: Aside from this problem, you may also
get this error on GNU/kFreeBSD due to a hard kernel limit on locked pages.
Try increasing the vm.max_wired sysctl to be somewhat larger than
vm.stats.vm.v_wire_count.
[1] http://www.freebsd.org/cgi/man.cgi?query=mlock&apropos=0&sektion=0&manpath=FreeBSD+8.1-RELEASE&format=html
[2] http://www.gnupg.org/faq.html#q6.1
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: kfreebsd-amd64 (x86_64)
Kernel: kFreeBSD 8.1-1-amd64
Locale: LANG=ca_AD.UTF-8, LC_CTYPE=ca_AD.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages gnupg depends on:
ii dpkg 1.15.8.4 Debian package management system
ii gpgv 1.4.10-4 GNU privacy guard - signature veri
ii install-info 4.13a.dfsg.1-5 Manage installed documentation in
ii libbz2-1.0 1.0.5-6 high-quality block-sorting file co
ii libc0.1 2.11.2-6 Embedded GNU C Library: Shared lib
ii libreadline6 6.1-3 GNU readline and history libraries
ii libusb-0.1-4 2:0.1.12-16 userspace USB programming library
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
Versions of packages gnupg recommends:
pn gnupg-curl <none> (no description available)
ii libldap-2.4-2 2.4.23-6 OpenLDAP libraries
Versions of packages gnupg suggests:
ii eog 2.30.2-1 Eye of GNOME graphics viewer progr
pn gnupg-doc <none> (no description available)
pn libpcsclite1 <none> (no description available)
-- no debconf information
diff -ur gnupg-1.4.10.old/debian/rules gnupg-1.4.10/debian/rules
--- gnupg-1.4.10.old/debian/rules 2010-09-29 10:58:26.000000000 +0200
+++ gnupg-1.4.10/debian/rules 2010-09-29 11:30:39.978762382 +0200
@@ -18,6 +18,7 @@
DEB_BUILD_GNU_TYPE = $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
DEB_HOST_GNU_TYPE = $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
DEB_BUILD_ARCH := $(shell dpkg-architecture -qDEB_BUILD_ARCH)
+DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)
CONFARGS = --prefix=/usr --libexecdir=/usr/lib/ \
--enable-mailto --with-mailprog=/usr/sbin/sendmail \
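Review bot: DEB_HOST_ARCH_OS, not DEB_BUILD_ARCH, is the right variable to key a change to the installed file's permissions on, so this is correct for cross-builds as well; the `:=` assignment matches the DEB_BUILD_ARCH line directly above it. No change needed in this hunk.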
@@ -130,6 +131,11 @@
dh_strip
dh_compress
dh_fixperms
+ifeq ($(DEB_HOST_ARCH_OS),kfreebsd)
+ # see http://www.gnupg.org/faq.html#q6.1
+ chown root:root debian/gnupg/usr/bin/gpg
+ chmod 4755 debian/gnupg/usr/bin/gpg
+endif
dh_installdeb
dh_shlibdeps -X debian/gnupg/usr/lib/gnupg/gpgkeys_ldap -- -dRecommends $(CURDIR)/debian/gnupg/usr/lib/gnupg/gpgkeys_ldap -dDepends
dh_gencontrol
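Review bot: this hunk installs gpg setuid root for every user on kfreebsd, so the safety of the change rests entirely on gpg dropping root as soon as the locked memory is allocated, which the inserted comment references only by URL; record that rationale, and the widened attack surface of a setuid binary, in debian/changelog and README.Debian so it survives a later cleanup of debian/rules. The placement after dh_fixperms is correct, since dh_fixperms would otherwise reset the 4755 mode, and the chown root:root is redundant under fakeroot but harmless. Also confirm the recipe lines inside the ifeq block begin with a tab after the `+` rather than the space shown here, otherwise make will reject them.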