
Bug#1007998: marked as done (release-notes: netcat-openbsd incompatibilities)



Your message dated Fri, 9 Jun 2023 22:56:37 +0200
with message-id <72aebf32-0dda-b289-3fec-86c46b7a84e9@debian.org>
and subject line Re: Bug#1007998: release-notes: netcat-openbsd incompatibilities
has caused the Debian Bug report #1007998,
regarding release-notes: netcat-openbsd incompatibilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1007998: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007998
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release-notes
Severity: wishlist

Hi there,

netcat-openbsd 1.218-5 adds support for abstract sockets (on Linux),
which is a breaking change with possible security implications:
https://sources.debian.org/src/netcat-openbsd/1.218-5/debian/NEWS/ .
elbrus suggested to mention that in the Bookworm release notes; I
propose the following text, mostly straight from the NEWS entry — feel free to
adjust of course :-)

--8<--------------------------------------------------------------------->8--

netcat-openbsd and abstract socket support
==========================================

Starting with netcat-openbsd 1.218-5, nc.openbsd(1)'s Linux builds support
[abstract namespace sockets](https://manpages.debian.org/unix.7.en.html#Abstract_sockets)
in the AF_UNIX family.  Socket paths starting with an at symbol '@' are
interpreted in the abstract namespace.

This has possible security implications: `nc -lU @foobar.sock` used to bind
pathname socket '@foobar.sock' in the current directory, subject to umask and
file system access restrictions, while (on Linux) it now binds 'foobar.sock'
in the abstract namespace where ownership and permissions have *no meaning*.

In order to specify a pathname socket make sure the argument doesn't start
with '@'; for instance by prefixing with './' or by using a fully-qualified
socket path.  (Note however that on Linux socket pathnames may not exceed 108
bytes in size.)

This change is a Linux-only behavior, and only affects UNIX domain sockets
(flag '-U').

--8<--------------------------------------------------------------------->8--

Cheers
-- 
Guilhem.



--- End Message ---
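
The difference described in the proposed text above can be observed directly on Linux. The following is an added example, not part of the original message and not netcat-openbsd's code: `classify()` restates the '@' rule as the text gives it, and the function names and the sample socket names are hypothetical.

```python
import os
import socket
import stat

SUN_PATH_MAX = 108  # size of sun_path on Linux (the 108-byte limit noted above)

def classify(arg):
    """Apply the rule from the text: a leading '@' selects the abstract namespace.
    Returns (kind, address); an abstract address starts with a NUL byte (unix(7))."""
    if arg.startswith("@"):
        return "abstract", b"\0" + os.fsencode(arg[1:])
    return "pathname", os.fsencode(arg)

def force_pathname(arg):
    """Rewrite an argument so it can only name a filesystem socket ('./' prefix)."""
    safe = "./" + arg if arg.startswith("@") else arg
    # Keep one byte free for the terminating NUL of a pathname address.
    if len(os.fsencode(safe)) >= SUN_PATH_MAX:
        raise ValueError("socket path does not fit in sun_path")
    return safe

def bind_and_inspect(arg, workdir):
    """Bind 'arg' from inside workdir with umask 077 and report
    (kind, exists_on_disk, permission_bits or None)."""
    kind, addr = classify(arg)
    old_cwd = os.getcwd()
    old_umask = os.umask(0o077)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        os.chdir(workdir)
        sock.bind(addr)
        on_disk = os.path.lexists(arg)
        mode = stat.S_IMODE(os.lstat(arg).st_mode) if on_disk else None
        return kind, on_disk, mode
    finally:
        sock.close()
        os.chdir(old_cwd)
        os.umask(old_umask)
```

For an '@' argument the result has no filesystem entry and no mode, so neither the umask nor the directory's permissions limit which local processes can connect; the './'-prefixed form yields a socket file whose mode reflects the umask.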
--- Begin Message ---
Hi,

On 20-03-2022 11:40, Guilhem Moulin wrote:
> netcat-openbsd 1.218-5 adds support for abstract sockets (on Linux),
> which is a breaking change with possible security implications:
> https://sources.debian.org/src/netcat-openbsd/1.218-5/debian/NEWS/ .

I just tagged this for merging.

Paul



--- End Message ---
