
Bug#818006: marked as done (jessie-pu: package aptdaemon/1.1.1-4+deb8u1)



Your message dated Sat, 02 Apr 2016 14:20:04 +0100
with message-id <1459603204.2441.216.camel@adam-barratt.org.uk>
and subject line Fix included in stable
has caused the Debian Bug report #818006,
regarding jessie-pu: package aptdaemon/1.1.1-4+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
818006: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818006
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I'd like to update apt-daemon in jessie to fix CVE-2015-1323, which is
already fixed in squeeze-lts.

The debdiff is attached.

Cheers,
 -- Guido

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index 38e82be..7a93d22 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+aptdaemon (1.1.1-4+deb8u1) stable-proposed-updates; urgency=medium
+
+  * Non maintainer upload
+  * Add CVE-2015-1323.patch to address CVE-2015-1323 - taken from
+    1.1.1-1ubuntu5.2 (Closes: #789162)
+
+ -- Guido Günther <agx@sigxcpu.org>  Mon, 29 Feb 2016 21:13:01 +0100
+
 aptdaemon (1.1.1-4) unstable; urgency=medium
 
   * Merge all changes from Ubuntu trusty.
diff --git a/debian/patches/CVE-2015-1323.patch b/debian/patches/CVE-2015-1323.patch
new file mode 100644
index 0000000..bc6a963
--- /dev/null
+++ b/debian/patches/CVE-2015-1323.patch
@@ -0,0 +1,377 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Sun, 28 Feb 2016 19:55:02 +0100
+Subject: CVE-2015-1323
+
+---
+ aptdaemon/core.py                             | 10 +++++---
+ aptdaemon/pkcompat.py                         | 10 +++++---
+ aptdaemon/policykit1.py                       |  9 ++++---
+ aptdaemon/progress.py                         |  5 ++++
+ aptdaemon/worker.py                           | 31 ++++++++++++++++++++++--
+ tests/_test_py2_string_handling.py            |  3 ++-
+ tests/test_high_trust_repository_whitelist.py |  4 +--
+ tests/test_worker.py                          | 35 ++++++++++++++-------------
+ 8 files changed, 74 insertions(+), 33 deletions(-)
+
+diff --git a/aptdaemon/core.py b/aptdaemon/core.py
+index 9e1e9d3..35f40d7 100644
+--- a/aptdaemon/core.py
++++ b/aptdaemon/core.py
+@@ -342,7 +342,7 @@ class Transaction(DBusObject):
+                            "DebconfSocket", "MetaData", "Locale",
+                            "RemoveObsoleteDepends")
+ 
+-    def __init__(self, tid, role, queue, pid, uid, cmdline, sender,
++    def __init__(self, tid, role, queue, pid, uid, gid, cmdline, sender,
+                  connect=True, bus=None, packages=None, kwargs=None):
+         """Initialize a new Transaction instance.
+ 
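Review bot: the new positional `gid` parameter is inserted between `uid` and `cmdline`, so every caller of `Transaction(...)` must now pass `pid, uid, gid, cmdline` in exactly that order, and the `__init__` docstring that follows ("Initialize a new Transaction instance.") is not touched by this patch, so the new parameter is undocumented. Add a `:param gid:` description alongside the existing ones; with this many adjacent integer positional arguments, a swapped pair is not caught by anything but a docstring and a careful reader.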
+@@ -378,6 +378,7 @@ class Transaction(DBusObject):
+             kwargs = {}
+         self.queue = queue
+         self.uid = uid
++        self.gid = gid
+         self.locale = dbus.String("")
+         self.allow_unauthenticated = dbus.Boolean(False)
+         self.remove_obsoleted_depends = dbus.Boolean(False)
+@@ -1538,11 +1539,12 @@ class AptDaemon(DBusObject):
+     @inline_callbacks
+     def _create_trans(self, role, sender, packages=None, kwargs=None):
+         """Helper method which returns the tid of a new transaction."""
+-        pid, uid, cmdline = (
++        pid, uid, gid, cmdline = (
+             yield policykit1.get_proc_info_from_dbus_name(sender, self.bus))
+         tid = uuid.uuid4().hex
+-        trans = Transaction(tid, role, self.queue, pid, uid, cmdline, sender,
+-                            packages=packages, kwargs=kwargs, bus=self.bus)
++        trans = Transaction(
++            tid, role, self.queue, pid, uid, gid, cmdline, sender,
++            packages=packages, kwargs=kwargs, bus=self.bus)
+         self.queue.limbo[trans.tid] = trans
+         return_value(trans.tid)
+ 
+diff --git a/aptdaemon/pkcompat.py b/aptdaemon/pkcompat.py
+index cc05415..da99a32 100644
+--- a/aptdaemon/pkcompat.py
++++ b/aptdaemon/pkcompat.py
+@@ -469,9 +469,10 @@ class PackageKit(core.DBusObject):
+ 
+     @inline_callbacks
+     def _create_transaction(self, sender):
+-        pid, uid, cmdline = yield policykit1.get_proc_info_from_dbus_name(
++        pid, uid, gid, cmdline = yield policykit1.get_proc_info_from_dbus_name(
+             sender, self.bus)
+-        pktrans = PackageKitTransaction(pid, uid, cmdline, self.queue, sender)
++        pktrans = PackageKitTransaction(
++            pid, uid, gid, cmdline, self.queue, sender)
+         return_value(pktrans.tid)
+ 
+     # pylint: disable-msg=C0103,C0322
+@@ -602,7 +603,7 @@ class MergedTransaction(core.Transaction):
+     def __init__(self, pktrans, role, queue, connect=True,
+                  bus=None, packages=None, kwargs=None):
+         core.Transaction.__init__(self, pktrans.tid[1:], role, queue,
+-                                  pktrans.pid, pktrans.uid,
++                                  pktrans.pid, pktrans.uid, pktrans.gid,
+                                   pktrans.cmdline, pktrans.sender,
+                                   connect, bus, packages, kwargs)
+         self.pktrans = pktrans
+@@ -758,7 +759,7 @@ class PackageKitTransaction(core.DBusObject):
+ 
+     """Provides a PackageKit transaction object."""
+ 
+-    def __init__(self, pid, uid, cmdline, queue, sender,
++    def __init__(self, pid, uid, gid, cmdline, queue, sender,
+                  connect=True, bus=None):
+         pklog.info("Initializing PackageKit transaction")
+         bus_name = None
+@@ -784,6 +785,7 @@ class PackageKitTransaction(core.DBusObject):
+         self._status = pk.StatusEnum.SETUP
+         self._last_package = ""
+         self.uid = dbus.UInt32(uid)
++        self.gid = dbus.UInt32(gid)
+         self.pid = pid
+         self.cmdline = cmdline
+         self.role = pk.RoleEnum.UNKNOWN
+diff --git a/aptdaemon/policykit1.py b/aptdaemon/policykit1.py
+index 6a21875..9a15513 100644
+--- a/aptdaemon/policykit1.py
++++ b/aptdaemon/policykit1.py
+@@ -161,12 +161,15 @@ def get_proc_info_from_dbus_name(dbus_name, bus=None):
+         bus = dbus.SystemBus()
+     pid = yield get_pid_from_dbus_name(dbus_name, bus)
+     with open("/proc/%s/status" % pid) as proc:
+-        values = [v for v in proc.readlines() if v.startswith("Uid:")]
++        lines = proc.readlines()
++        uid_values = [v for v in lines if v.startswith("Uid:")]
++        gid_values = [v for v in lines if v.startswith("Gid:")]
+     # instead of ", encoding='utf8'" we use the "rb"/decode() here for
+     # py2 compatibility
+     with open("/proc/%s/cmdline" % pid, "rb") as cmdline_file:
+         cmdline = cmdline_file.read().decode("utf-8")
+-    uid = int(values[0].split()[1])
+-    return_value((pid, uid, cmdline))
++    uid = int(uid_values[0].split()[1])
++    gid = int(gid_values[0].split()[1])
++    return_value((pid, uid, gid, cmdline))
+ 
+ # vim:ts=4:sw=4:et
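Review bot: `gid_values[0].split()[1]` takes the first field of the `Gid:` line, i.e. the caller's real gid, which is consistent with the existing `Uid:` handling, but the `Groups:` line (supplementary groups) is not collected, so code that drops privileges from this tuple can only act as the caller's primary group; a .deb readable solely via one of the caller's supplementary groups will be reported as unreadable. Also, `uid_values[0]` and `gid_values[0]` raise a bare IndexError if the expected line is missing from `/proc/<pid>/status` (for example because the process has already exited); that is pre-existing for Uid, but a guard raising a clean error would be cheap here.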
+diff --git a/aptdaemon/progress.py b/aptdaemon/progress.py
+index 73cb411..f15b7d6 100644
+--- a/aptdaemon/progress.py
++++ b/aptdaemon/progress.py
+@@ -628,6 +628,11 @@ class DaemonLintianProgress(DaemonForkProgress):
+ 
+     def _child(self, path):
+         # Avoid running lintian as root
++        try:
++            os.setgroups([self.transaction.gid])
++        except OSError:
++            pass
++        os.setgid(self.transaction.gid)
+         os.setuid(self.transaction.uid)
+ 
+         if platform.dist()[1] == "debian":
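Review bot: the `except OSError: pass` around `os.setgroups([self.transaction.gid])` silently swallows a failed supplementary-group drop, so if setgroups() fails the child goes on to run lintian with root's supplementary groups still attached and nothing is logged. This child is forked from the root daemon, so setgroups() is expected to succeed; let the exception propagate (or at least log it) rather than hiding it. The call order setgroups -> setgid -> setuid is the right one, since neither group call would be permitted once setuid() has dropped to the caller.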
+diff --git a/aptdaemon/worker.py b/aptdaemon/worker.py
+index 85e73cc..e9272d3 100644
+--- a/aptdaemon/worker.py
++++ b/aptdaemon/worker.py
+@@ -76,6 +76,25 @@ log = logging.getLogger("AptDaemon.Worker")
+ _ = lambda s: s
+ 
+ 
++@contextlib.contextmanager
++def set_euid_egid(uid, gid):
++    # no need to drop privs
++    if os.getuid() != 0 and os.getgid() != 0:
++        yield
++        return
++    # temporary drop privs
++    os.setegid(gid)
++    old_groups = os.getgroups()
++    os.setgroups([gid])
++    os.seteuid(uid)
++    try:
++        yield
++    finally:
++        os.seteuid(os.getuid())
++        os.setegid(os.getgid())
++        os.setgroups(old_groups)
++
++
+ def trans_only_installs_pkgs_from_high_trust_repos(trans,
+                                                    whitelist=set()):
+     """Return True if this transaction only touches packages in the
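Review bot: the early-return condition `os.getuid() != 0 and os.getgid() != 0` only skips the drop when both ids are non-zero; a process with uid != 0 but gid == 0 (or the reverse) falls through to `os.setegid(gid)` / `os.seteuid(uid)`, which raise PermissionError for an unprivileged caller. Use `or`, or simply test `os.geteuid() != 0`. Two smaller points: the hunk uses `@contextlib.contextmanager` but adds no `import contextlib`, so confirm worker.py already imports it or the module will fail to import; and the `try`/`finally` only wraps the `yield`, so if `os.setgroups([gid])` or `os.seteuid(uid)` raises after `os.setegid(gid)` has succeeded, the effective gid is left dropped for the rest of the daemon's run.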
+@@ -1329,8 +1348,16 @@ class AptWorker(GObject.GObject):
+ 
+         :returns: An apt.debfile.Debfile instance.
+         """
+-        if not os.path.isfile(path):
+-            raise TransactionFailed(ERROR_UNREADABLE_PACKAGE_FILE, path)
++        # This code runs as root for simulate and simulate requires no
++        # authentication - so we need to ensure we do not leak information
++        # about files here (LP: #1449587, CVE-2015-1323)
++        #
++        # Note that the actual lintian run is also droping privs (real,
++        # not just seteuid)
++        with set_euid_egid(trans.uid, trans.gid):
++            if not os.path.isfile(path):
++                raise TransactionFailed(ERROR_UNREADABLE_PACKAGE_FILE, path)
++
+         if not force and os.path.isfile("/usr/bin/lintian"):
+             with DaemonLintianProgress(trans) as progress:
+                 progress.run(path)
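Review bot: the `os.path.isfile(path)` under `set_euid_egid` closes the existence probe from unauthenticated `simulate` callers, but it is only a stat(): it succeeds for a file the caller can traverse to but cannot read, and it is a check-then-use window, since `path` is consumed later by code running as root. The lintian child does drop real privileges (as the comment says), but when `force` is set or `/usr/bin/lintian` is absent that branch is skipped and nothing runs as the caller before the file is read as root. Consider opening the file for reading inside the `set_euid_egid` block and keeping that file object, rather than only testing that a regular file exists.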
+diff --git a/tests/_test_py2_string_handling.py b/tests/_test_py2_string_handling.py
+index 1a56b9b..86709fb 100644
+--- a/tests/_test_py2_string_handling.py
++++ b/tests/_test_py2_string_handling.py
+@@ -49,7 +49,8 @@ class TestUnicodeDecoding(AptDaemonTestCase):
+         self.start_dbus_daemon()
+         self.dbus = dbus.bus.BusConnection(self.dbus_address)
+         self.trans = Transaction(None, "role-test", None,
+-                                 os.getpid(), os.getuid(), sys.argv[0],
++                                 os.getpid(), os.getuid(), os.getgid(),
++                                 sys.argv[0],
+                                  "org.debian.apt.test", bus=self.dbus)
+ 
+     def test(self):
+diff --git a/tests/test_high_trust_repository_whitelist.py b/tests/test_high_trust_repository_whitelist.py
+index ca2ebd4..fac471f 100644
+--- a/tests/test_high_trust_repository_whitelist.py
++++ b/tests/test_high_trust_repository_whitelist.py
+@@ -116,7 +116,7 @@ class HighTrustRepositoryTestCase(BaseHighTrustTestCase):
+             ("Ubuntu", "", "silly.*"))
+         # a high-trust whitelisted pkg and a non-whitelisted one
+         trans = Transaction(None, enums.ROLE_INSTALL_PACKAGES, self.queue,
+-                            os.getpid(), os.getuid(), sys.argv[0],
++                            os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+                             "org.debian.apt.test", connect=False,
+                             packages=[["silly-base", "other-pkg"], [], [], [],
+                                       [], []])
+@@ -128,7 +128,7 @@ class HighTrustRepositoryTestCase(BaseHighTrustTestCase):
+                 trans, self.worker._high_trust_repositories))
+         # whitelisted only
+         trans = Transaction(None, enums.ROLE_INSTALL_PACKAGES, self.queue,
+-                            os.getpid(), os.getuid(), sys.argv[0],
++                            os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+                             "org.debian.apt.test", connect=False,
+                             packages=[["silly-base"], [], [], [], [], []])
+         self.worker.simulate(trans)
+diff --git a/tests/test_worker.py b/tests/test_worker.py
+index 41a8caa..6cf7717 100644
+--- a/tests/test_worker.py
++++ b/tests/test_worker.py
+@@ -77,7 +77,8 @@ class WorkerTestCase(aptdaemon.test.AptDaemonTestCase):
+         self.chroot.add_repository("/does/not/exist", copy_list=False)
+         # Only update the repository from the working snippet
+         trans = Transaction(None, enums.ROLE_UPDATE_CACHE,
+-                            self.queue, os.getpid(), os.getuid(), sys.argv[0],
++                            self.queue, os.getpid(), os.getuid(),
++                            os.getgid(), sys.argv[0],
+                             "org.debian.apt.test", connect=False,
+                             kwargs={"sources_list": "test.list"})
+         self.worker.simulate(trans)
+@@ -99,7 +100,7 @@ class WorkerTestCase(aptdaemon.test.AptDaemonTestCase):
+                                                  "silly-base_0.1-0_all.deb"))
+         # Install the package
+         trans = Transaction(None, enums.ROLE_UPGRADE_SYSTEM,
+-                            self.queue, os.getpid(),
++                            self.queue, os.getpid(), os.getgid(),
+                             os.getuid(), sys.argv[0],
+                             "org.debian.apt.test", connect=False,
+                             kwargs={"safe_mode": False})
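Review bot: argument order bug: this call passes `os.getpid(), os.getgid(), os.getuid(), sys.argv[0]`, i.e. the gid lands in the `uid` slot of the new `Transaction.__init__` signature and the uid in the `gid` slot (compare the other updated calls in this file: `os.getpid(), os.getuid(), os.getgid(), sys.argv[0]`). It goes unnoticed only because the test user's uid and primary gid are usually the same number; swap the two arguments.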
+@@ -130,7 +131,7 @@ class WorkerTestCase(aptdaemon.test.AptDaemonTestCase):
+         self.chroot.add_test_repository(copy_sig=False)
+         # Install the package
+         trans = Transaction(None, enums.ROLE_INSTALL_PACKAGES, self.queue,
+-                            os.getpid(), os.getuid(), sys.argv[0],
++                            os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+                             "org.debian.apt.test", connect=False,
+                             packages=[["silly-base"], [], [], [], [], []])
+         self.worker.simulate(trans)
+@@ -144,7 +145,7 @@ class WorkerTestCase(aptdaemon.test.AptDaemonTestCase):
+ 
+         # Allow installation of unauthenticated packages
+         trans = Transaction(None, enums.ROLE_INSTALL_PACKAGES, self.queue,
+-                            os.getpid(), os.getuid(), sys.argv[0],
++                            os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+                             "org.debian.apt.test", connect=False,
+                             packages=[["silly-base"], [], [], [], [], []])
+         trans.allow_unauthenticated = True
+@@ -164,7 +165,7 @@ class WorkerTestCase(aptdaemon.test.AptDaemonTestCase):
+         self.chroot.add_test_repository()
+         # Install the package
+         trans = Transaction(None, enums.ROLE_INSTALL_PACKAGES, self.queue,
+-                            os.getpid(), os.getuid(), sys.argv[0],
++                            os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+                             "org.debian.apt.test", connect=False,
+                             packages=[["silly-depend-base"], [], [], [],
+                                       [], []])
+@@ -193,7 +194,7 @@ class WorkerTestCase(aptdaemon.test.AptDaemonTestCase):
+ Architecture: all
+ Auto-Installed: 1""")
+         trans = Transaction(None, enums.ROLE_REMOVE_PACKAGES, self.queue,
+-                            os.getpid(), os.getuid(), sys.argv[0],
++                            os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+                             "org.debian.apt.test", connect=False,
+                             packages=[[], [], ["silly-depend-base"], [],
+                                       [], []])
+@@ -219,7 +220,7 @@ Auto-Installed: 1""")
+                     "silly-depend-base_0.1-0_all.deb"]:
+             self.chroot.install_debfile(os.path.join(REPO_PATH, pkg))
+         trans = Transaction(None, enums.ROLE_REMOVE_PACKAGES, self.queue,
+-                            os.getpid(), os.getuid(), sys.argv[0],
++                            os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+                             "org.debian.apt.test", connect=False,
+                             packages=[[], [], ["silly-base"], [], [], []])
+         self.worker.simulate(trans)
+@@ -240,7 +241,7 @@ Auto-Installed: 1""")
+             pass
+         # Don't allow to remove essential packages
+         trans = Transaction(None, enums.ROLE_REMOVE_PACKAGES, self.queue,
+-                            os.getpid(), os.getuid(), sys.argv[0],
++                            os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+                             "org.debian.apt.test", connect=False,
+                             packages=[[], [], ["silly-essential"], [], [], []])
+         self.worker.run(trans)
+@@ -263,7 +264,7 @@ Auto-Installed: 1""")
+ Architecture: all
+ Auto-Installed: 1""")
+         trans = Transaction(None, enums.ROLE_COMMIT_PACKAGES, self.queue,
+-                            os.getpid(), os.getuid(), sys.argv[0],
++                            os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+                             "org.debian.apt.test", connect=False,
+                             packages=[[], [], [], [],
+                                       ["silly-base=0.1-0update1"], []])
+@@ -283,7 +284,7 @@ Auto-Installed: 1""")
+         pkg = os.path.join(REPO_PATH, "silly-base_0.1-0update1_all.deb")
+         self.chroot.install_debfile(pkg)
+         trans = Transaction(None, enums.ROLE_COMMIT_PACKAGES, self.queue,
+-                            os.getpid(), os.getuid(), sys.argv[0],
++                            os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+                             "org.debian.apt.test", connect=False,
+                             packages=[[], [], [], [], [],
+                                       ["silly-base=0.1-0"]])
+@@ -301,7 +302,7 @@ Auto-Installed: 1""")
+         for pkg in ["silly-base_0.1-0_all.deb", "silly-config_0.1-0_all.deb"]:
+             self.chroot.install_debfile(os.path.join(REPO_PATH, pkg))
+         trans = Transaction(None, enums.ROLE_REMOVE_PACKAGES, self.queue,
+-                            os.getpid(), os.getuid(), sys.argv[0],
++                            os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+                             "org.debian.apt.test", connect=False,
+                             packages=[[], [], [], ["silly-config"], [], []])
+         self.worker.run(trans)
+@@ -324,7 +325,7 @@ Auto-Installed: 1""")
+         pkg = os.path.join(REPO_PATH,
+                            "silly-depend-base-lintian-broken_0.1-0_all.deb")
+         trans = Transaction(None, enums.ROLE_INSTALL_FILE, self.queue,
+-                            os.getpid(), os.getuid(), sys.argv[0],
++                            os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+                             "org.debian.apt.test", connect=False,
+                             kwargs={"path": os.path.join(REPO_PATH, pkg),
+                                     "force": False})
+@@ -359,7 +360,7 @@ Auto-Installed: 1""")
+         self.chroot.install_debfile(os.path.join(REPO_PATH, pkg_base))
+         pkg = os.path.join(REPO_PATH, "silly-bully_0.1-0_all.deb")
+         trans = Transaction(None, enums.ROLE_INSTALL_FILE, self.queue,
+-                            os.getpid(), os.getuid(), sys.argv[0],
++                            os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+                             "org.debian.apt.test", connect=False,
+                             kwargs={"path": os.path.join(REPO_PATH, pkg),
+                                     "force": True})
+@@ -379,7 +380,7 @@ Auto-Installed: 1""")
+         """
+         pkg = os.path.join(REPO_PATH, "silly-base_0.1-0_all.deb")
+         trans = Transaction(None, enums.ROLE_INSTALL_FILE, self.queue,
+-                            os.getpid(), os.getuid(), sys.argv[0],
++                            os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+                             "org.debian.apt.test", connect=False,
+                             kwargs={"path": os.path.join(REPO_PATH, pkg),
+                                     "force": True})
+@@ -400,7 +401,7 @@ Auto-Installed: 1""")
+         for pkg in ["silly-base_0.1-0_all.deb", "silly-broken_0.1-0_all.deb"]:
+             self.chroot.install_debfile(os.path.join(REPO_PATH, pkg), True)
+         trans = Transaction(None, enums.ROLE_FIX_BROKEN_DEPENDS, self.queue,
+-                            os.getpid(), os.getuid(), sys.argv[0],
++                            os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+                             "org.debian.apt.test", connect=False)
+         self.worker.simulate(trans)
+         self.loop.run()
+@@ -420,7 +421,7 @@ Auto-Installed: 1""")
+         """
+         self.chroot.add_test_repository()
+         trans = Transaction(None, enums.ROLE_COMMIT_PACKAGES, self.queue,
+-                            os.getpid(), os.getuid(), sys.argv[0],
++                            os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+                             "org.debian.apt.test",
+                             packages=[["silly-broken"], [], [], [], [], []],
+                             connect=False)
+@@ -459,7 +460,7 @@ Auto-Installed: 1""")
+ 
+         self.chroot.add_test_repository()
+         trans = Transaction(None, enums.ROLE_ADD_LICENSE_KEY, self.queue,
+-                            os.getpid(), os.getuid(), sys.argv[0],
++                            os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+                             "org.debian.apt.test",
+                             kwargs={"pkg_name": "silly-license",
+                                     "json_token": "lalelu",
diff --git a/debian/patches/series b/debian/patches/series
index b1b680e..9eb67c8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@ lp1266844.patch
 fix-configparser.patch
 py3_inheritable.patch
 upstream-include-pkg-version.patch
+CVE-2015-1323.patch

--- End Message ---
--- Begin Message ---
Version: 8.4

Hi,

The packages referenced by these bugs were included in today's stable
point release.

Regards,

Adam

--- End Message ---
