
Bug#1099697: marked as done (initramfs-tools: please change default /dev/pts mode to 0600)



Your message dated Fri, 28 Mar 2025 01:48:56 +0000
with message-id <E1txyq8-00FfXu-NO@fasolo.debian.org>
and subject line Bug#1095991: fixed in initramfs-tools 0.147
has caused the Debian Bug report #1095991,
regarding initramfs-tools: please change default /dev/pts mode to 0600
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1095991: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095991
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: initramfs-tools
Version: 0.145
Severity: important

Hi,

In the past there were security concerns (and security issues 
raised) around other users writing to each other's terminals. Some of 
this was worked around in util-linux, cf. CVE-2024-28085.

A fuller fix is to disallow unrelated users from writing to each other's 
terminals by default.

I understand it might be a bit late for this bug report to reach 
you, but I /thought/ systemd mounts /dev/pts as part of its boot 
process. systemd has (after taking some time) applied their part of 
the fix, but it turns out systemd does -not- mount or remount 
/dev/pts in Debian's default setup.  Instead the mount flags from
initramfs-tools are used.

Theoretically we have TTYPERM in /etc/login.defs, but it appears 
almost nothing cares about this value. Please find a patch attached
following the change from 0620 to 0600 for initramfs-tools.

Please apply this for trixie.

Again sorry for not sending this earlier, I didn't realise 
initramfs-tools was involved.

Thanks,
Chris
From 319cdc98f15d3213f58610141a84b5c67a8a1ebc Mon Sep 17 00:00:00 2001
From: Chris Hofstaedtler <zeha@debian.org>
Date: Thu, 6 Mar 2025 22:44:01 +0100
Subject: [PATCH] Tighten /dev/pts permissions

Apply a fuller fix for CVE-2024-28085 and remove g+w from
pseudo-terminals by default.

Signed-off-by: Chris Hofstaedtler <zeha@debian.org>
---
 init | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/init b/init
index 5552c64..1bd9669 100755
--- a/init
+++ b/init
@@ -42,7 +42,7 @@ mount -t devtmpfs -o nosuid,mode=0755 udev /dev
 [ ! -h /dev/stderr ] && ln -s /proc/self/fd/2 /dev/stderr
 
 mkdir /dev/pts
-mount -t devpts -o noexec,nosuid,gid=5,mode=0620 devpts /dev/pts || true
+mount -t devpts -o noexec,nosuid,gid=5,mode=0600 devpts /dev/pts || true
 
 # Export the dpkg architecture
 export DPKG_ARCH=
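Review bot: the `|| true` on the changed mount line means a failure to mount devpts with the new options is silently ignored, and since the tightened mode is the whole security fix here, a fallback to whatever /dev/pts ends up with later would go unnoticed; consider logging a warning when the mount fails rather than discarding the status. It would also help to add a one-line comment next to `gid=5` noting that the group is now kept for ownership only, because the group write bit is exactly what the change from `mode=0620` to `mode=0600` removes.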
-- 
2.47.2


--- End Message ---
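The mount-option change the report asks for is easy to verify on a running system. The following audit script is an added example, not code from the bug report or from initramfs-tools: it parses the devpts entry for /dev/pts out of /proc/self/mountinfo, reports whether the mode still grants group write (the old 0620 default), and then checks the pty nodes themselves, since a later remount or chmod can diverge from the initramfs default. The two mountinfo sample lines are constructed.

```shell
#!/bin/sh
# Added audit script (not part of the bug report or initramfs-tools):
# checks whether /dev/pts is mounted with the tightened mode=0600 default.

# Print the mode= value of the devpts mount at /dev/pts from mountinfo-format
# lines on stdin (the kernel reports it without the leading zero, e.g. 620).
devpts_mode_from_mountinfo() {
    awk '$5 == "/dev/pts" {
        # fields after the "-" separator: fstype, source, superblock options
        for (i = 7; i <= NF; i++) if ($i == "-") { fs = $(i + 1); opts = $(i + 3); break }
        if (fs != "devpts") next
        n = split(opts, a, ",")
        for (j = 1; j <= n; j++) if (a[j] ~ /^mode=/) { sub(/^mode=/, "", a[j]); print a[j]; exit }
    }'
}

# Succeed (return 0) when an octal mode string grants group write (the 0620 case).
pts_group_writable() {
    # prefix with 0 so "620" and "0620" are both read as octal by $(( ))
    [ $(( (0$1 >> 3) & 2 )) -ne 0 ]
}

# Audit the running system: mount option first, then the actual pty nodes,
# since a later remount or chmod could diverge from the initramfs default.
audit_live_devpts() {
    mode=$(devpts_mode_from_mountinfo < /proc/self/mountinfo)
    if [ -z "$mode" ]; then
        echo "devpts is not mounted at /dev/pts"; return 2
    fi
    if pts_group_writable "$mode"; then
        echo "WARNING: /dev/pts mounted with mode=$mode (group tty can write to ptys)"; return 1
    fi
    gw=$(find /dev/pts -type c -perm -g+w 2>/dev/null)
    if [ -n "$gw" ]; then
        echo "WARNING: group-writable pty nodes despite mode=$mode:"; echo "$gw"; return 1
    fi
    echo "OK: /dev/pts mode=$mode and no group-writable pty nodes"
}

# Constructed sample lines in /proc/self/mountinfo format (old vs new default).
SAMPLE_OLD='25 21 0:22 / /dev/pts rw,nosuid,noexec,relatime shared:3 - devpts devpts rw,gid=5,mode=620,ptmxmode=000'
SAMPLE_NEW='25 21 0:22 / /dev/pts rw,nosuid,noexec,relatime shared:3 - devpts devpts rw,gid=5,mode=600,ptmxmode=000'

# Run the live audit with: sh audit-devpts.sh --live
if [ "${1:-}" = "--live" ]; then audit_live_devpts; fi
```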
--- Begin Message ---
Source: initramfs-tools
Source-Version: 0.147
Done: Ben Hutchings <benh@debian.org>

We believe that the bug you reported is fixed in the latest version of
initramfs-tools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1095991@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Hutchings <benh@debian.org> (supplier of updated initramfs-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 28 Mar 2025 02:07:15 +0100
Source: initramfs-tools
Architecture: source
Version: 0.147
Distribution: unstable
Urgency: medium
Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Changed-By: Ben Hutchings <benh@debian.org>
Closes: 1027458 1095991 1100008
Changes:
 initramfs-tools (0.147) unstable; urgency=medium
 .
   [ Ben Hutchings ]
   * [34f9acd] hook-functions: Add reset drivers when MODULES=dep (Closes:
     #1027458)
   * [025ce79] unmkinitramfs: Create temporary directory for initramfs
     parts
   * [25b0c61] unmkinitramfs: Fix detection of EOF marker
   * [ca1a68b] unmkinitramfs: Restore split to "early" and "main"
     subdirectories (Closes: #1100008)
   * [bbbe1d3] unmkinitramfs.8: Update and expand description of multi-
     archive handling
 .
   [ Chris Hofstaedtler ]
   * [297a9e2] hook-functions: avoid aborting in chroots
   * [319cdc9] Tighten /dev/pts permissions (Closes: #1095991)
 .
   [ Scott Moser ]
   * [cec12d7] hook-functions: add squashfs driver (LP: #1501834)
 .
   [ Benjamin Drung ]
   * [a6884dc] test: let run_qemu* take extra kernel parameters as single
     parameter
   * [5401bf3] test: support setting a disk label in build_fs_ext2
   * [ab1fe4e] test-common: introduce intermediate
     _run_qemu_default_devices
   * [20c564a] Add qemu-net-iscsi autopkgtest (LP: #2091904)
   * [716491a] mkinitramfs: add --version parameter
   * [65166a6] update-initramfs: add --version parameter
   * [2334de3] kernel/postinst.d: check for correct update-initramfs
     provider
   * [7ef4755] Fix spelling mistakes in d/changelog
   * [3ed4077] hook-functions: Move UFS storage drivers to block class (LP:
     #2081020)
   * [19b85a5] Filter block kernel modules by symbol regex from dracut (LP:
     #2031841)
   * [4069428] update-initramfs: add -s parameter (LP: #1466965)
   * [7f2ed35] Avoid updating the initramfs twice for some cases (LP:
     #1466965)
   * [dad2c90] test: run quick copy-file autopkgtest first
   * [32aa743] Bump Standards-Version to 4.7.2
Checksums-Sha1:
Checksums-Sha256:
Files:




--- End Message ---
