Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
This pu fixes the no-dsa security vulnerability CVE-2017-11353 [0]. The
diff is attached.
[0] https://security-tracker.debian.org/tracker/CVE-2017-11353
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.12.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
--
ChangZhuo Chen (陳昌倬) czchen@{czchen,debconf,debian}.org
http://czchen.info/
Key fingerprint = BA04 346D C2E1 FE63 C790 8793 CC65 B0CD EC27 5D5B
diff -Nru yadm-1.06/debian/.git-dpm yadm-1.06/debian/.git-dpm
--- yadm-1.06/debian/.git-dpm 2017-01-22 20:34:20.000000000 +0800
+++ yadm-1.06/debian/.git-dpm 2017-08-29 18:55:37.000000000 +0800
@@ -1,6 +1,6 @@
# see git-dpm(1) from git-dpm package
-9cb961482ec197763f4c8ad91a81ffded3df4a1a
-9cb961482ec197763f4c8ad91a81ffded3df4a1a
+d0794f7ce09d4a116352f88d2ff9484fd495bed8
+d0794f7ce09d4a116352f88d2ff9484fd495bed8
4a966e850653e4ab353af1e0c033e4267c51c914
4a966e850653e4ab353af1e0c033e4267c51c914
yadm_1.06.orig.tar.gz
diff -Nru yadm-1.06/debian/changelog yadm-1.06/debian/changelog
--- yadm-1.06/debian/changelog 2017-01-22 20:34:20.000000000 +0800
+++ yadm-1.06/debian/changelog 2017-08-29 18:55:37.000000000 +0800
@@ -1,3 +1,9 @@
+yadm (1.06-1+deb9u1) stretch; urgency=high
+
+ * Backport for CVE-2017-11353.
+
+ -- ChangZhuo Chen (陳昌倬) <czchen@debian.org> Tue, 29 Aug 2017 18:55:37 +0800
+
yadm (1.06-1) unstable; urgency=medium
* New upstream release.
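Review bot: the changelog line `* Backport for CVE-2017-11353.` should state what actually changes for users (private .ssh and .gnupg directories are now created with mode 0700 before clone merges data into the work-tree and before every git command) and name the upstream commit it backports (d0794f7ce09d4a116352f88d2ff9484fd495bed8, per the patch header and .git-dpm), so a stable-update reader can see the behavioural change without opening the patch.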
diff -Nru yadm-1.06/debian/patches/0002-CVE-2017-11353.patch yadm-1.06/debian/patches/0002-CVE-2017-11353.patch
--- yadm-1.06/debian/patches/0002-CVE-2017-11353.patch 1970-01-01 08:00:00.000000000 +0800
+++ yadm-1.06/debian/patches/0002-CVE-2017-11353.patch 2017-08-29 18:55:37.000000000 +0800
@@ -0,0 +1,418 @@
+From d0794f7ce09d4a116352f88d2ff9484fd495bed8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?ChangZhuo=20Chen=20=28=E9=99=B3=E6=98=8C=E5=80=AC=29?=
+ <czchen@debian.org>
+Date: Tue, 29 Aug 2017 18:49:41 +0800
+Subject: CVE-2017-11353
+
+---
+ test/105_accept_clone.bats | 137 +++++++++++++++++++++++++++++++
+ test/118_accept_assert_private_dirs.bats | 102 +++++++++++++++++++++++
+ yadm | 43 ++++++++++
+ yadm.1 | 38 +++++++--
+ 4 files changed, 312 insertions(+), 8 deletions(-)
+ create mode 100644 test/118_accept_assert_private_dirs.bats
+
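Review bot: the patch file carries only `Subject: CVE-2017-11353` and no description or DEP-3 fields; add `Origin:` (upstream commit d0794f7ce09d4a116352f88d2ff9484fd495bed8), `Bug:` (the security-tracker URL from the report) and a one-line `Description:` saying the fix pre-creates .ssh/.gnupg with mode 0700, since the quilt header is the only place a future maintainer will look to learn why 0002-CVE-2017-11353.patch exists.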
+diff --git a/test/105_accept_clone.bats b/test/105_accept_clone.bats
+index 0f32453..b2e69ec 100644
+--- a/test/105_accept_clone.bats
++++ b/test/105_accept_clone.bats
+@@ -177,3 +177,140 @@ setup() {
+ remote_output=$(GIT_DIR="$T_DIR_REPO" git remote show)
+ [ "$remote_output" = "origin" ]
+ }
++
++@test "Command 'clone' (local insecure .ssh and .gnupg data, no related data in repo)" {
++ echo "
++ Local .ssh/.gnupg data exists and is insecure
++ but yadm repo contains no .ssh/.gnupg data
++ local insecure data should remain accessible
++ (yadm is hands-off)
++ "
++ #; setup scenario
++ rm -rf "$T_DIR_WORK" "$T_DIR_REPO"
++ mkdir -p "$T_DIR_WORK/.ssh"
++ mkdir -p "$T_DIR_WORK/.gnupg"
++ touch "$T_DIR_WORK/.ssh/testfile"
++ touch "$T_DIR_WORK/.gnupg/testfile"
++ find "$T_DIR_WORK" -exec chmod a+rw '{}' ';'
++
++ #; run clone (with debug on)
++ run "${T_YADM_Y[@]}" clone -d -w "$T_DIR_WORK" "$REMOTE_URL"
++
++ #; validate status and output
++ [ "$status" -eq 0 ]
++ [[ "$output" =~ Initialized ]]
++ [[ "$output" =~ initial\ private\ dir\ perms\ drwxrwxrwx.+\.ssh ]]
++ [[ "$output" =~ initial\ private\ dir\ perms\ drwxrwxrwx.+\.gnupg ]]
++ [[ "$output" =~ pre-merge\ private\ dir\ perms\ drwxrwxrwx.+\.ssh ]]
++ [[ "$output" =~ pre-merge\ private\ dir\ perms\ drwxrwxrwx.+\.gnupg ]]
++ [[ "$output" =~ post-merge\ private\ dir\ perms\ drwxrwxrwx.+\.ssh ]]
++ [[ "$output" =~ post-merge\ private\ dir\ perms\ drwxrwxrwx.+\.gnupg ]]
++ # standard perms still apply afterwards unless disabled with auto.perms
++ test_perms "$T_DIR_WORK/.gnupg" "drwx------"
++ test_perms "$T_DIR_WORK/.ssh" "drwx------"
++
++}
++
++@test "Command 'clone' (local insecure .gnupg data, related data in repo)" {
++ echo "
++ Local .gnupg data exists and is insecure
++ and yadm repo contains .gnupg data
++ .gnupg dir should be secured post merge
++ "
++ #; setup scenario
++ IN_REPO=(.bash_profile .vimrc .gnupg/gpg.conf)
++ setup
++ rm -rf "$T_DIR_WORK" "$T_DIR_REPO"
++ mkdir -p "$T_DIR_WORK/.gnupg"
++ touch "$T_DIR_WORK/.gnupg/testfile"
++ find "$T_DIR_WORK" -exec chmod a+rw '{}' ';'
++
++ #; run clone (with debug on)
++ run "${T_YADM_Y[@]}" clone -d -w "$T_DIR_WORK" "$REMOTE_URL"
++
++ #; validate status and output
++ [ "$status" -eq 0 ]
++ [[ "$output" =~ Initialized ]]
++ [[ "$output" =~ initial\ private\ dir\ perms\ drwxrwxrwx.+\.gnupg ]]
++ [[ "$output" =~ pre-merge\ private\ dir\ perms\ drwxrwxrwx.+\.gnupg ]]
++ [[ "$output" =~ post-merge\ private\ dir\ perms\ drwxrwxrwx.+\.gnupg ]]
++ test_perms "$T_DIR_WORK/.gnupg" "drwx------"
++}
++
++@test "Command 'clone' (local insecure .ssh data, related data in repo)" {
++ echo "
++ Local .ssh data exists and is insecure
++ and yadm repo contains .ssh data
++ .ssh dir should be secured post merge
++ "
++ #; setup scenario
++ IN_REPO=(.bash_profile .vimrc .ssh/config)
++ setup
++ rm -rf "$T_DIR_WORK" "$T_DIR_REPO"
++ mkdir -p "$T_DIR_WORK/.ssh"
++ touch "$T_DIR_WORK/.ssh/testfile"
++ find "$T_DIR_WORK" -exec chmod a+rw '{}' ';'
++
++ #; run clone (with debug on)
++ run "${T_YADM_Y[@]}" clone -d -w "$T_DIR_WORK" "$REMOTE_URL"
++
++ #; validate status and output
++ [ "$status" -eq 0 ]
++ [[ "$output" =~ Initialized ]]
++ [[ "$output" =~ initial\ private\ dir\ perms\ drwxrwxrwx.+\.ssh ]]
++ [[ "$output" =~ pre-merge\ private\ dir\ perms\ drwxrwxrwx.+\.ssh ]]
++ [[ "$output" =~ post-merge\ private\ dir\ perms\ drwxrwxrwx.+\.ssh ]]
++ test_perms "$T_DIR_WORK/.ssh" "drwx------"
++}
++
++@test "Command 'clone' (no existing .gnupg, .gnupg data tracked in repo)" {
++ echo "
++ Local .gnupg does not exist
++ and yadm repo contains .gnupg data
++ .gnupg dir should be created and secured prior to merge
++ tracked .gnupg data should be user accessible only
++ "
++ #; setup scenario
++ IN_REPO=(.bash_profile .vimrc .gnupg/gpg.conf)
++ setup
++ rm -rf "$T_DIR_WORK"
++ mkdir -p "$T_DIR_WORK"
++ rm -rf "$T_DIR_REPO"
++
++ #; run clone (with debug on)
++ run "${T_YADM_Y[@]}" clone -d -w "$T_DIR_WORK" "$REMOTE_URL"
++
++ #; validate status and output
++ [ "$status" -eq 0 ]
++ [[ "$output" =~ Initialized ]]
++ [[ ! "$output" =~ initial\ private\ dir\ perms ]]
++ [[ "$output" =~ pre-merge\ private\ dir\ perms\ drwx------.+\.gnupg ]]
++ [[ "$output" =~ post-merge\ private\ dir\ perms\ drwx------.+\.gnupg ]]
++ test_perms "$T_DIR_WORK/.gnupg" "drwx------"
++}
++
++@test "Command 'clone' (no existing .ssh, .ssh data tracked in repo)" {
++ echo "
++ Local .ssh does not exist
++ and yadm repo contains .ssh data
++ .ssh dir should be created and secured prior to merge
++ tracked .ssh data should be user accessible only
++ "
++ #; setup scenario
++ IN_REPO=(.bash_profile .vimrc .ssh/config)
++ setup
++ rm -rf "$T_DIR_WORK"
++ mkdir -p "$T_DIR_WORK"
++ rm -rf "$T_DIR_REPO"
++
++ #; run clone (with debug on)
++ run "${T_YADM_Y[@]}" clone -d -w "$T_DIR_WORK" "$REMOTE_URL"
++
++ #; validate status and output
++ [ "$status" -eq 0 ]
++ [[ "$output" =~ Initialized ]]
++ [[ ! "$output" =~ initial\ private\ dir\ perms ]]
++ [[ "$output" =~ pre-merge\ private\ dir\ perms\ drwx------.+\.ssh ]]
++ [[ "$output" =~ post-merge\ private\ dir\ perms\ drwx------.+\.ssh ]]
++ test_perms "$T_DIR_WORK/.ssh" "drwx------"
++}
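Review bot: the comment `# standard perms still apply afterwards unless disabled with auto.perms` in the first test names a configuration key that does not exist; the option is `yadm.auto-perms` (see the yadm.1 hunk and the `yadm.auto-perms=false` test in 118_accept_assert_private_dirs.bats). Separately, none of the new clone tests sets `yadm.auto-private-dirs=false`; that matches the clone() hunk, which calls assert_private_dirs unconditionally, but the test description could say so explicitly so nobody later reads the absence as an oversight.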
+diff --git a/test/118_accept_assert_private_dirs.bats b/test/118_accept_assert_private_dirs.bats
+new file mode 100644
+index 0000000..151a2e0
+--- /dev/null
++++ b/test/118_accept_assert_private_dirs.bats
+@@ -0,0 +1,102 @@
++load common
++load_fixtures
++status=;output=; #; populated by bats run()
++
++IN_REPO=(.bash_profile .vimrc)
++
++setup() {
++ destroy_tmp
++ build_repo "${IN_REPO[@]}"
++ rm -rf "$T_DIR_WORK"
++ mkdir -p "$T_DIR_WORK"
++}
++
++@test "Private dirs (private dirs missing)" {
++ echo "
++ When a git command is run
++ And private directories are missing
++ Create private directories prior to command
++ "
++
++ #; confirm directories are missing at start
++ [ ! -e "$T_DIR_WORK/.gnupg" ]
++ [ ! -e "$T_DIR_WORK/.ssh" ]
++
++ #; run status
++ export DEBUG=yes
++ run "${T_YADM_Y[@]}" status
++
++ #; validate status and output
++ [ "$status" -eq 0 ]
++ [[ "$output" =~ On\ branch\ master ]]
++
++ #; confirm private directories are created
++ [ -d "$T_DIR_WORK/.gnupg" ]
++ test_perms "$T_DIR_WORK/.gnupg" "drwx------"
++ [ -d "$T_DIR_WORK/.ssh" ]
++ test_perms "$T_DIR_WORK/.ssh" "drwx------"
++
++ #; confirm directories are created before command is run
++ [[ "$output" =~ Creating.+/.gnupg/.+Creating.+/.ssh/.+Running\ git\ command\ git\ status ]]
++}
++
++@test "Private dirs (private dirs missing / yadm.auto-private-dirs=false)" {
++ echo "
++ When a git command is run
++ And private directories are missing
++ But auto-private-dirs is false
++ Do not create private dirs
++ "
++
++ #; confirm directories are missing at start
++ [ ! -e "$T_DIR_WORK/.gnupg" ]
++ [ ! -e "$T_DIR_WORK/.ssh" ]
++
++ #; set configuration
++ run "${T_YADM_Y[@]}" config --bool "yadm.auto-private-dirs" "false"
++
++ #; run status
++ run "${T_YADM_Y[@]}" status
++
++ #; validate status and output
++ [ "$status" -eq 0 ]
++ [[ "$output" =~ On\ branch\ master ]]
++
++ #; confirm private directories are not created
++ [ ! -e "$T_DIR_WORK/.gnupg" ]
++ [ ! -e "$T_DIR_WORK/.ssh" ]
++}
++
++@test "Private dirs (private dirs exist / yadm.auto-perms=false)" {
++ echo "
++ When a git command is run
++ And private directories exist
++ And yadm is configured not to auto update perms
++ Do not alter directories
++ "
++
++ #shellcheck disable=SC2174
++ mkdir -m 0777 -p "$T_DIR_WORK/.gnupg" "$T_DIR_WORK/.ssh"
++
++ #; confirm directories are preset and open
++ [ -d "$T_DIR_WORK/.gnupg" ]
++ test_perms "$T_DIR_WORK/.gnupg" "drwxrwxrwx"
++ [ -d "$T_DIR_WORK/.ssh" ]
++ test_perms "$T_DIR_WORK/.ssh" "drwxrwxrwx"
++
++ #; set configuration
++ run "${T_YADM_Y[@]}" config --bool "yadm.auto-perms" "false"
++
++ #; run status
++ run "${T_YADM_Y[@]}" status
++
++ #; validate status and output
++ [ "$status" -eq 0 ]
++ [[ "$output" =~ On\ branch\ master ]]
++
++ #; confirm directories are still preset and open
++ [ -d "$T_DIR_WORK/.gnupg" ]
++ test_perms "$T_DIR_WORK/.gnupg" "drwxrwxrwx"
++ [ -d "$T_DIR_WORK/.ssh" ]
++ test_perms "$T_DIR_WORK/.ssh" "drwxrwxrwx"
++}
+diff --git a/yadm b/yadm
+index 2eb9acc..d8e0082 100755
+--- a/yadm
++++ b/yadm
+@@ -157,6 +157,8 @@ function clean() {
+
+ function clone() {
+
++ [ -n "$DEBUG" ] && display_private_perms "initial"
++
+ #; clone will begin with a bare repo
+ local empty=
+ init $empty
+@@ -175,6 +177,15 @@ function clone() {
+ rm -rf "$YADM_REPO"
+ error_out "Unable to fetch origin $1"
+ }
++ debug "Determining if repo tracks private directories"
++ for private_dir in .ssh/ .gnupg/; do
++ found_log=$("$GIT_PROGRAM" log -n 1 origin/master -- "$private_dir" 2>/dev/null)
++ if [ -n "$found_log" ]; then
++ debug "Private directory $private_dir is tracked by repo"
++ assert_private_dirs "$private_dir"
++ fi
++ done
++ [ -n "$DEBUG" ] && display_private_perms "pre-merge"
+ debug "Doing an initial merge of origin/master"
+ "$GIT_PROGRAM" merge origin/master || {
+ debug "Merge failed, doing a reset."
+@@ -193,6 +204,8 @@ function clone() {
+ EOF
+ }
+
++ [ -n "$DEBUG" ] && display_private_perms "post-merge"
++
+ CHANGES_POSSIBLE=1
+
+ }
+@@ -301,9 +314,18 @@ function git_command() {
+ set -- "config" "${@:2}"
+ fi
+
++ #; ensure private .ssh and .gnupg directories exist first
++ #; TODO: consider restricting this to only commands which modify the work-tree
++
++ auto_private_dirs=$(config --bool yadm.auto-private-dirs)
++ if [ "$auto_private_dirs" != "false" ] ; then
++ assert_private_dirs .gnupg/ .ssh/
++ fi
++
+ CHANGES_POSSIBLE=1
+
+ #; pass commands through to git
++ debug "Running git command $GIT_PROGRAM $*"
+ "$GIT_PROGRAM" "$@"
+ return "$?"
+ }
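Review bot: `auto_private_dirs` is assigned without `local` and leaks into global scope; declare it local. The fail-safe is right: an empty or unreadable config value is not `"false"`, so directories are still created. The TODO above is fine to carry into stable, but note for the record that the check now runs before read-only commands such as `status` too (the 118 tests depend on exactly that).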
+@@ -546,6 +568,27 @@ function error_out() {
+
+ }
+
++function assert_private_dirs() {
++ work=$(unix_path "$("$GIT_PROGRAM" config core.worktree)")
++ for private_dir in "$@"; do
++ if [ ! -d "$work/$private_dir" ]; then
++ debug "Creating $work/$private_dir"
++ #shellcheck disable=SC2174
++ mkdir -m 0700 -p "$work/$private_dir" >/dev/null 2>&1
++ fi
++ done
++}
++
++function display_private_perms() {
++ when="$1"
++ for private_dir in .ssh .gnupg; do
++ if [ -d "$YADM_WORK/$private_dir" ]; then
++ private_perms=$(ls -ld "$YADM_WORK/$private_dir")
++ debug "$when" private dir perms "$private_perms"
++ fi
++ done
++}
++
+ #; ****** Auto Functions ******
+
+ function auto_alt() {
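Review bot: in assert_private_dirs the `>/dev/null 2>&1` hides mkdir's failure and its exit status is never checked, so if `$work/.ssh` cannot be created (for example a regular file already exists at that path, which `[ ! -d ... ]` does not distinguish from "absent") clone() silently proceeds to merge with no protective directory at all. Check mkdir's return and at least warn, ideally `error_out` in the clone path, e.g. `mkdir -m 0700 -p "$work/$private_dir" || error_out "Unable to create $work/$private_dir"`. Style: `work`, `private_dir`, `when` and `private_perms` are all unscoped globals (`local` avoids clobbering the `private_dir` that clone() iterates over with the same name), and assert_private_dirs derives the work-tree from `git config core.worktree` while display_private_perms uses `$YADM_WORK`; pick one source so the debug output describes the same tree the code modifies.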
+diff --git a/yadm.1 b/yadm.1
+index 030905c..18bf43f 100644
+--- a/yadm.1
++++ b/yadm.1
+@@ -283,6 +283,9 @@ If disabled, you may still run
+ manually to update permissions.
+ This feature is enabled by default.
+ .TP
++.B yadm.auto-private-dirs
++Disable the automatic creating of private directories described in the section PERMISSIONS.
++.TP
+ .B yadm.ssh-perms
+ Disable the permission changes to
+ .IR $HOME/.ssh/* .
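Review bot: "automatic creating of private directories" should read "automatic creation of private directories". The neighbouring entries also state their default ("This feature is enabled by default."); add the same sentence here, since the code treats every value other than `false` as enabled.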
+@@ -431,12 +434,10 @@ It is recommended that you use a private repository when keeping confidential
+ files, even though they are encrypted.
+ .SH PERMISSIONS
+ When files are checked out of a Git repository, their initial permissions are
+-dependent upon the user's umask. This can result in confidential files with lax permissions.
+-
+-To prevent this,
++dependent upon the user's umask. Because of this,
+ .B yadm
+-will automatically update the permissions of confidential files.
+-The "group" and "others" permissions will be removed from the following files:
++will automatically update the permissions of some file paths. The "group" and
++"others" permissions will be removed from the following files:
+
+ .RI - " $HOME/.yadm/files.gpg
+
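Review bot: the rewrite drops "This can result in confidential files with lax permissions", which was the stated reason, so "Because of this, yadm will automatically update the permissions of some file paths" now reads as a non sequitur (the umask alone is not a reason). Keep a clause naming the risk before "Because of this".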
+@@ -452,11 +453,32 @@ The "group" and "others" permissions will be removed from the following files:
+ .B yadm
+ will automatically update permissions by default. This can be disabled using the
+ .I yadm.auto-perms
+-configuration.
+-Even if disabled, permissions can be manually updated by running
++configuration. Even if disabled, permissions can be manually updated by running
+ .BR yadm\ perms .
+-The SSH directory processing can be disabled using the
++The
++.I .ssh
++directory processing can be disabled using the
+ .I yadm.ssh-perms
++configuration. The
++.I .gnupg
++directory processing can be disabled using the
++.I yadm.gpg-perms
++configuration.
++
++When cloning a repo which includes data in a
++.IR .ssh " or " .gnupg
++directory, if those directories do not exist at the time of cloning,
++.B yadm
++will create the directories with mask 0700 prior to merging the fetched data
++into the work-tree.
++
++When running a Git command and
++.IR .ssh " or " .gnupg
++directories do not exist,
++.B yadm
++will create those directories with mask 0700 prior to running the Git command.
++This can be disabled using the
++.I yadm.auto-private-dirs
+ configuration.
+ .SH FILES
+ The following are the default paths
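Review bot: "with mask 0700" should be "with mode 0700" in both new paragraphs; a umask of 0700 would mean the opposite of what is intended. The clone paragraph's "includes data in a .ssh or .gnupg directory" is implemented via `git log` history of origin/master, so a repository that has ever tracked such data also qualifies; "has ever tracked data in" would be the precise wording.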
diff -Nru yadm-1.06/debian/patches/series yadm-1.06/debian/patches/series
--- yadm-1.06/debian/patches/series 2017-01-22 20:34:20.000000000 +0800
+++ yadm-1.06/debian/patches/series 2017-08-29 18:55:37.000000000 +0800
@@ -1 +1,2 @@
0001-fix-manpage-has-errors-from-man.patch
+0002-CVE-2017-11353.patch