Bug#1007998: release-notes: netcat-openbsd incompatibilities
On Sun, 20 Mar 2022 11:40:44 +0100 Guilhem Moulin <guilhem@debian.org> wrote:
> netcat-openbsd 1.218-5 adds support for abstract sockets (on Linux),
> which is a breaking change with possible security implications:
> https://sources.debian.org/src/netcat-openbsd/1.218-5/debian/NEWS/ .
> elbrus suggested to mention that in the Bookworm release notes; I
> propose the following text, mostly straight from the NEWS entry — feel free to
> adjust of course :-)
Is the following approximately what is meant? (I didn't think the bit
about still fitting the argument into 108 bytes was going to cause
issues often enough to need a mention in release-notes - I would
assume people using huge file names know to check for these things)
<section id="netcat-openbsd-now-supports-abstract-sockets">
<title>netcat-openbsd now supports abstract sockets</title>
<para>
The <literal>netcat</literal> utility for reading and writing data
across network connections supports
<link url="&url-man;/&releasename;/manpages/unix.7.html#Abstract_sockets">abstract
sockets</link>, and uses them by default in some circumstances.
This applies when you are using an <literal>AF_UNIX</literal> socket
under a <literal>Linux</literal> kernel,
and when <literal>netcat</literal> is provided by the
<systemitem role="package">netcat-openbsd</systemitem> package (rather than by
<systemitem role="package">netcat-traditional</systemitem>, which is
the Debian default).
If so, the `-U' option to <command>nc</command> will now interpret
an argument starting with an `@' as requesting an abstract
socket rather than as a filename beginning with an `@' in the
current directory.
This can have security implications because filesystem permissions
can no longer be used to control access to an abstract socket.
You can continue to use a filename starting with an `@' by prefixing
the name with `./' or by specifying an absolute path.
</para>
</section>
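
The difference described in the proposed text, as an added Python example (not part of the original message or of netcat-openbsd; Linux only): it binds `@name` as an abstract socket and `./@name` as a pathname socket, then reports which of them leaves a filesystem object that permissions can apply to. The NUL-prefix encoding of `@`, the constructed name `demo-<pid>`, and the `SO_PEERCRED` lookup (a peer check from unix(7) that goes beyond the text) are assumptions of this example.

```python
import os
import socket
import stat
import struct
import tempfile


def resolve_unix_arg(arg):
    """Leading '@' -> abstract address (NUL-prefixed bytes); otherwise a path."""
    if arg.startswith("@"):
        return b"\0" + arg[1:].encode()  # assumed encoding of the '@' convention
    return arg


def bind_and_inspect(arg):
    """Listen on `arg` in a scratch directory; report what guards the socket."""
    addr = resolve_unix_arg(arg)
    abstract = isinstance(addr, bytes)
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as scratch:
        os.chdir(scratch)
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            srv.bind(addr)
            srv.listen(1)
            # A pathname socket is a filesystem object whose mode can be tightened.
            mode = None
            if not abstract:
                os.chmod(addr, 0o600)
                mode = stat.S_IMODE(os.stat(addr).st_mode)
            cli.connect(addr)
            conn, _ = srv.accept()
            # SO_PEERCRED (unix(7)) identifies the peer for both socket kinds.
            raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                                  struct.calcsize("3i"))
            _pid, peer_uid, _gid = struct.unpack("3i", raw)
            conn.close()
            return {"abstract": abstract, "files": sorted(os.listdir(scratch)),
                    "mode": mode, "peer_uid": peer_uid}
        finally:
            cli.close()
            srv.close()
            os.chdir(old_cwd)


NAME = f"@demo-{os.getpid()}"  # constructed sample name

if __name__ == "__main__":
    for arg in (NAME, "./" + NAME):
        print(arg, bind_and_inspect(arg))
```

The abstract case reports no files and no mode, so any access decision has to be made by the listening process itself, for example on the peer UID.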