
Bug#598471: using insecure memory on GNU/kFreeBSD
Package: gnupg
Version: 1.4.10-4
Severity: normal
Tags: patch
User: debian-bsd@lists.debian.org
Usertags: kfreebsd

gnupg is using insecure memory on GNU/kFreeBSD (unless run as root) because
the mlock() kernel call is reserved to the super-user [1]:

  gpg: WARNING: using insecure memory!
  gpg: please see http://www.gnupg.org/faq.html for more information

Upstream recommends [2] setting the SUID bit and assures that "the program
drops root privileges as soon as locked memory is allocated".

Patch attached.

Note for those coming from google: Aside from this problem, you may also
get this error on GNU/kFreeBSD due to a hard kernel limit on locked pages.
Try increasing the vm.max_wired sysctl to be somewhat larger than
vm.stats.vm.v_wire_count.

[1] http://www.freebsd.org/cgi/man.cgi?query=mlock&apropos=0&sektion=0&manpath=FreeBSD+8.1-RELEASE&format=html

[2] http://www.gnupg.org/faq.html#q6.1

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: kfreebsd-amd64 (x86_64)

Kernel: kFreeBSD 8.1-1-amd64
Locale: LANG=ca_AD.UTF-8, LC_CTYPE=ca_AD.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gnupg depends on:
ii  dpkg                    1.15.8.4         Debian package management system
ii  gpgv                    1.4.10-4         GNU privacy guard - signature veri
ii  install-info            4.13a.dfsg.1-5   Manage installed documentation in 
ii  libbz2-1.0              1.0.5-6          high-quality block-sorting file co
ii  libc0.1                 2.11.2-6         Embedded GNU C Library: Shared lib
ii  libreadline6            6.1-3            GNU readline and history libraries
ii  libusb-0.1-4            2:0.1.12-16      userspace USB programming library
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

Versions of packages gnupg recommends:
pn  gnupg-curl                    <none>     (no description available)
ii  libldap-2.4-2                 2.4.23-6   OpenLDAP libraries

Versions of packages gnupg suggests:
ii  eog                           2.30.2-1   Eye of GNOME graphics viewer progr
pn  gnupg-doc                     <none>     (no description available)
pn  libpcsclite1                  <none>     (no description available)

-- no debconf information
diff -ur gnupg-1.4.10.old/debian/rules gnupg-1.4.10/debian/rules
--- gnupg-1.4.10.old/debian/rules	2010-09-29 10:58:26.000000000 +0200
+++ gnupg-1.4.10/debian/rules	2010-09-29 11:30:39.978762382 +0200
@@ -18,6 +18,7 @@
 DEB_BUILD_GNU_TYPE = $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
 DEB_HOST_GNU_TYPE  = $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
 DEB_BUILD_ARCH    := $(shell dpkg-architecture -qDEB_BUILD_ARCH)
+DEB_HOST_ARCH_OS  := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)
 
 CONFARGS  = --prefix=/usr --libexecdir=/usr/lib/ \
             --enable-mailto --with-mailprog=/usr/sbin/sendmail \
@@ -130,6 +131,11 @@
 	dh_strip
 	dh_compress
 	dh_fixperms
+ifeq ($(DEB_HOST_ARCH_OS),kfreebsd)
+	# see http://www.gnupg.org/faq.html#q6.1
+	chown root:root	debian/gnupg/usr/bin/gpg
+	chmod 4755	debian/gnupg/usr/bin/gpg
+endif
 	dh_installdeb
 	dh_shlibdeps -X debian/gnupg/usr/lib/gnupg/gpgkeys_ldap -- -dRecommends $(CURDIR)/debian/gnupg/usr/lib/gnupg/gpgkeys_ldap -dDepends
 	dh_gencontrol
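Review bot: the tab-indented `# see http://www.gnupg.org/faq.html#q6.1` line inside the recipe is passed to the shell as a command rather than treated as a make comment, so it is echoed on every build; move it to column 0 (next to the `ifeq`) or prefix it with `@`. Running the `chown`/`chmod` after `dh_fixperms` is the right order, since `dh_fixperms` would otherwise strip the setuid bit again. Because this ships /usr/bin/gpg setuid root on kfreebsd, the change should also be recorded in the changelog and README.Debian, noting that administrators can revert it locally with `dpkg-statoverride`, and the package will need a lintian override for the setuid binary.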

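The mlock()/setuid behaviour the report describes, as an added C example that is not gnupg's code: it pins one page, classifies why mlock() failed (EPERM when locking is root-only, as on GNU/kFreeBSD; ENOMEM/EAGAIN when a locked-page limit such as vm.max_wired is hit) and then drops root immediately, as the upstream FAQ says gpg does. The function names and the 4096-byte buffer are my own choices.

```c
/* Added example, not gnupg's code: pin a page with mlock(), explain why
 * pinning failed, and drop setuid-root privilege right after locking. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
enum lock_state { LOCKED, INSECURE_EPERM, INSECURE_LIMIT, INSECURE_OTHER };
/* EPERM: caller lacks privilege (mlock is root-only on GNU/kFreeBSD).
 * ENOMEM/EAGAIN: a locked-page limit was hit (vm.max_wired, RLIMIT_MEMLOCK). */
enum lock_state classify_mlock_errno(int err)
{
    if (err == EPERM) return INSECURE_EPERM;
    if (err == ENOMEM || err == EAGAIN) return INSECURE_LIMIT;
    return INSECURE_OTHER;
}
/* Page-aligned, zeroed buffer for secrets; *state says whether it is pinned
 * in RAM (LOCKED) or could reach swap, i.e. gpg's "insecure memory". */
void *secure_alloc(size_t len, enum lock_state *state)
{
    void *p = NULL;
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || posix_memalign(&p, (size_t)page, len) != 0) return NULL;
    memset(p, 0, len);
    *state = (mlock(p, len) == 0) ? LOCKED : classify_mlock_errno(errno);
    return p;
}
/* With effective UID root, setuid() resets real, effective and saved UID, so
 * root is gone for good. Returns 0 if root can no longer be regained. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    if (setuid(uid) != 0) return -1;
    return (uid != 0 && setuid(0) == 0) ? -1 : 0;
}

int main(void)
{
    enum lock_state st;
    void *secret = secure_alloc(4096, &st);
    if (!secret || drop_privileges() != 0) return 1;  /* drop root at once */
    if (st == LOCKED) puts("using locked memory");
    else if (st == INSECURE_EPERM) puts("WARNING: using insecure memory (mlock needs root here)");
    else if (st == INSECURE_LIMIT) puts("WARNING: locked-page limit hit; check vm.max_wired");
    else puts("WARNING: using insecure memory");
    free(secret);
    return 0;
}
```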