
Bug#873624: marked as done (stretch-pu: package yadm/1.06-1+deb9u1)



Your message dated Sat, 07 Oct 2017 11:33:55 +0100
with message-id <1507372435.18586.64.camel@adam-barratt.org.uk>
and subject line Closing bugs for 9.2 point release
has caused the Debian Bug report #873624,
regarding stretch-pu: package yadm/1.06-1+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
873624: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873624
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu


This pu fixes the no-dsa security vulnerability CVE-2017-11353 [0]. The
diff is attached.

[0] https://security-tracker.debian.org/tracker/CVE-2017-11353


(please explain the reason for this update here)

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.12.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

-- 
ChangZhuo Chen (陳昌倬) czchen@{czchen,debconf,debian}.org
http://czchen.info/
Key fingerprint = BA04 346D C2E1 FE63 C790  8793 CC65 B0CD EC27 5D5B
diff -Nru yadm-1.06/debian/.git-dpm yadm-1.06/debian/.git-dpm
--- yadm-1.06/debian/.git-dpm	2017-01-22 20:34:20.000000000 +0800
+++ yadm-1.06/debian/.git-dpm	2017-08-29 18:55:37.000000000 +0800
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-9cb961482ec197763f4c8ad91a81ffded3df4a1a
-9cb961482ec197763f4c8ad91a81ffded3df4a1a
+d0794f7ce09d4a116352f88d2ff9484fd495bed8
+d0794f7ce09d4a116352f88d2ff9484fd495bed8
 4a966e850653e4ab353af1e0c033e4267c51c914
 4a966e850653e4ab353af1e0c033e4267c51c914
 yadm_1.06.orig.tar.gz
diff -Nru yadm-1.06/debian/changelog yadm-1.06/debian/changelog
--- yadm-1.06/debian/changelog	2017-01-22 20:34:20.000000000 +0800
+++ yadm-1.06/debian/changelog	2017-08-29 18:55:37.000000000 +0800
@@ -1,3 +1,9 @@
+yadm (1.06-1+deb9u1) stretch; urgency=high
+
+  * Backport for CVE-2017-11353.
+
+ -- ChangZhuo Chen (陳昌倬) <czchen@debian.org>  Tue, 29 Aug 2017 18:55:37 +0800
+
 yadm (1.06-1) unstable; urgency=medium
 
   * New upstream release.
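Review bot: the changelog entry `* Backport for CVE-2017-11353.` names the CVE but not the behaviour change; for a stable update the entry should say what the package now does differently (creates `.ssh`/`.gnupg` with mode 0700 before tracked files are checked out, and adds the `yadm.auto-private-dirs` setting), since that line is what the point-release notes and `apt-listchanges` show to users.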
diff -Nru yadm-1.06/debian/patches/0002-CVE-2017-11353.patch yadm-1.06/debian/patches/0002-CVE-2017-11353.patch
--- yadm-1.06/debian/patches/0002-CVE-2017-11353.patch	1970-01-01 08:00:00.000000000 +0800
+++ yadm-1.06/debian/patches/0002-CVE-2017-11353.patch	2017-08-29 18:55:37.000000000 +0800
@@ -0,0 +1,418 @@
+From d0794f7ce09d4a116352f88d2ff9484fd495bed8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?ChangZhuo=20Chen=20=28=E9=99=B3=E6=98=8C=E5=80=AC=29?=
+ <czchen@debian.org>
+Date: Tue, 29 Aug 2017 18:49:41 +0800
+Subject: CVE-2017-11353
+
+---
+ test/105_accept_clone.bats               | 137 +++++++++++++++++++++++++++++++
+ test/118_accept_assert_private_dirs.bats | 102 +++++++++++++++++++++++
+ yadm                                     |  43 ++++++++++
+ yadm.1                                   |  38 +++++++--
+ 4 files changed, 312 insertions(+), 8 deletions(-)
+ create mode 100644 test/118_accept_assert_private_dirs.bats
+
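Review bot: the patch header carries only `Subject: CVE-2017-11353` with an empty body and no DEP-3 fields; add `Origin:` or `Bug:` pointing at the upstream change this backports, `Bug-Debian:` for the Debian report, and a one-line `Description:` of the fix, so the provenance of a 418-line patch in a stable update can be checked without reading the whole diff.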
+diff --git a/test/105_accept_clone.bats b/test/105_accept_clone.bats
+index 0f32453..b2e69ec 100644
+--- a/test/105_accept_clone.bats
++++ b/test/105_accept_clone.bats
+@@ -177,3 +177,140 @@ setup() {
+   remote_output=$(GIT_DIR="$T_DIR_REPO" git remote show)
+   [ "$remote_output" = "origin" ]
+ }
++
++@test "Command 'clone' (local insecure .ssh and .gnupg data, no related data in repo)" {
++  echo "
++    Local .ssh/.gnupg data exists and is insecure
++    but yadm repo contains no .ssh/.gnupg data
++      local insecure data should remain accessible
++      (yadm is hands-off)
++  "
++  #; setup scenario
++  rm -rf "$T_DIR_WORK" "$T_DIR_REPO"
++  mkdir -p "$T_DIR_WORK/.ssh"
++  mkdir -p "$T_DIR_WORK/.gnupg"
++  touch "$T_DIR_WORK/.ssh/testfile"
++  touch "$T_DIR_WORK/.gnupg/testfile"
++  find "$T_DIR_WORK" -exec chmod a+rw '{}' ';'
++
++  #; run clone (with debug on)
++  run "${T_YADM_Y[@]}" clone -d -w "$T_DIR_WORK" "$REMOTE_URL"
++
++  #; validate status and output
++  [ "$status" -eq 0 ]
++  [[ "$output" =~ Initialized ]]
++  [[ "$output" =~ initial\ private\ dir\ perms\ drwxrwxrwx.+\.ssh ]]
++  [[ "$output" =~ initial\ private\ dir\ perms\ drwxrwxrwx.+\.gnupg ]]
++  [[ "$output" =~ pre-merge\ private\ dir\ perms\ drwxrwxrwx.+\.ssh ]]
++  [[ "$output" =~ pre-merge\ private\ dir\ perms\ drwxrwxrwx.+\.gnupg ]]
++  [[ "$output" =~ post-merge\ private\ dir\ perms\ drwxrwxrwx.+\.ssh ]]
++  [[ "$output" =~ post-merge\ private\ dir\ perms\ drwxrwxrwx.+\.gnupg ]]
++  # standard perms still apply afterwards unless disabled with auto.perms
++  test_perms "$T_DIR_WORK/.gnupg" "drwx------"
++  test_perms "$T_DIR_WORK/.ssh" "drwx------"
++
++}
++
++@test "Command 'clone' (local insecure .gnupg data, related data in repo)" {
++  echo "
++    Local .gnupg data exists and is insecure
++    and yadm repo contains .gnupg data
++      .gnupg dir should be secured post merge
++  "
++  #; setup scenario
++  IN_REPO=(.bash_profile .vimrc .gnupg/gpg.conf)
++  setup
++  rm -rf "$T_DIR_WORK" "$T_DIR_REPO"
++  mkdir -p "$T_DIR_WORK/.gnupg"
++  touch "$T_DIR_WORK/.gnupg/testfile"
++  find "$T_DIR_WORK" -exec chmod a+rw '{}' ';'
++
++  #; run clone (with debug on)
++  run "${T_YADM_Y[@]}" clone -d -w "$T_DIR_WORK" "$REMOTE_URL"
++
++  #; validate status and output
++  [ "$status" -eq 0 ]
++  [[ "$output" =~ Initialized ]]
++  [[ "$output" =~ initial\ private\ dir\ perms\ drwxrwxrwx.+\.gnupg ]]
++  [[ "$output" =~ pre-merge\ private\ dir\ perms\ drwxrwxrwx.+\.gnupg ]]
++  [[ "$output" =~ post-merge\ private\ dir\ perms\ drwxrwxrwx.+\.gnupg ]]
++  test_perms "$T_DIR_WORK/.gnupg" "drwx------"
++}
++
++@test "Command 'clone' (local insecure .ssh data, related data in repo)" {
++  echo "
++    Local .ssh data exists and is insecure
++    and yadm repo contains .ssh data
++      .ssh dir should be secured post merge
++  "
++  #; setup scenario
++  IN_REPO=(.bash_profile .vimrc .ssh/config)
++  setup
++  rm -rf "$T_DIR_WORK" "$T_DIR_REPO"
++  mkdir -p "$T_DIR_WORK/.ssh"
++  touch "$T_DIR_WORK/.ssh/testfile"
++  find "$T_DIR_WORK" -exec chmod a+rw '{}' ';'
++
++  #; run clone (with debug on)
++  run "${T_YADM_Y[@]}" clone -d -w "$T_DIR_WORK" "$REMOTE_URL"
++
++  #; validate status and output
++  [ "$status" -eq 0 ]
++  [[ "$output" =~ Initialized ]]
++  [[ "$output" =~ initial\ private\ dir\ perms\ drwxrwxrwx.+\.ssh ]]
++  [[ "$output" =~ pre-merge\ private\ dir\ perms\ drwxrwxrwx.+\.ssh ]]
++  [[ "$output" =~ post-merge\ private\ dir\ perms\ drwxrwxrwx.+\.ssh ]]
++  test_perms "$T_DIR_WORK/.ssh" "drwx------"
++}
++
++@test "Command 'clone' (no existing .gnupg, .gnupg data tracked in repo)" {
++  echo "
++    Local .gnupg does not exist
++    and yadm repo contains .gnupg data
++      .gnupg dir should be created and secured prior to merge
++      tracked .gnupg data should be user accessible only
++  "
++  #; setup scenario
++  IN_REPO=(.bash_profile .vimrc .gnupg/gpg.conf)
++  setup
++  rm -rf "$T_DIR_WORK"
++  mkdir -p "$T_DIR_WORK"
++  rm -rf "$T_DIR_REPO"
++
++  #; run clone (with debug on)
++  run "${T_YADM_Y[@]}" clone -d -w "$T_DIR_WORK" "$REMOTE_URL"
++
++  #; validate status and output
++  [ "$status" -eq 0 ]
++  [[ "$output" =~ Initialized ]]
++  [[ ! "$output" =~ initial\ private\ dir\ perms ]]
++  [[ "$output" =~ pre-merge\ private\ dir\ perms\ drwx------.+\.gnupg ]]
++  [[ "$output" =~ post-merge\ private\ dir\ perms\ drwx------.+\.gnupg ]]
++  test_perms "$T_DIR_WORK/.gnupg" "drwx------"
++}
++
++@test "Command 'clone' (no existing .ssh, .ssh data tracked in repo)" {
++  echo "
++    Local .ssh does not exist
++    and yadm repo contains .ssh data
++      .ssh dir should be created and secured prior to merge
++      tracked .ssh data should be user accessible only
++  "
++  #; setup scenario
++  IN_REPO=(.bash_profile .vimrc .ssh/config)
++  setup
++  rm -rf "$T_DIR_WORK"
++  mkdir -p "$T_DIR_WORK"
++  rm -rf "$T_DIR_REPO"
++
++  #; run clone (with debug on)
++  run "${T_YADM_Y[@]}" clone -d -w "$T_DIR_WORK" "$REMOTE_URL"
++
++  #; validate status and output
++  [ "$status" -eq 0 ]
++  [[ "$output" =~ Initialized ]]
++  [[ ! "$output" =~ initial\ private\ dir\ perms ]]
++  [[ "$output" =~ pre-merge\ private\ dir\ perms\ drwx------.+\.ssh ]]
++  [[ "$output" =~ post-merge\ private\ dir\ perms\ drwx------.+\.ssh ]]
++  test_perms "$T_DIR_WORK/.ssh" "drwx------"
++}
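Review bot: the "insecure" fixtures built with `find "$T_DIR_WORK" -exec chmod a+rw '{}' ';'` only add the read/write bits, so the asserted `drwxrwxrwx` holds only if `mkdir -p` already gave group and others the execute bit (umask 022); under a stricter umask such as 077 the directories end up `drwxrw-rw-` and the `initial private dir perms drwxrwxrwx` assertions fail for reasons unrelated to yadm. Use `mkdir -m 0777 -p` as the 118 test does, or `chmod -R a+rwx`, so the fixture does not depend on the test runner's umask.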
+diff --git a/test/118_accept_assert_private_dirs.bats b/test/118_accept_assert_private_dirs.bats
+new file mode 100644
+index 0000000..151a2e0
+--- /dev/null
++++ b/test/118_accept_assert_private_dirs.bats
+@@ -0,0 +1,102 @@
++load common
++load_fixtures
++status=;output=; #; populated by bats run()
++
++IN_REPO=(.bash_profile .vimrc)
++
++setup() {
++  destroy_tmp
++  build_repo "${IN_REPO[@]}"
++  rm -rf "$T_DIR_WORK"
++  mkdir -p "$T_DIR_WORK"
++}
++
++@test "Private dirs (private dirs missing)" {
++  echo "
++    When a git command is run
++    And private directories are missing
++      Create private directories prior to command
++  "
++
++  #; confirm directories are missing at start
++  [ ! -e "$T_DIR_WORK/.gnupg" ]
++  [ ! -e "$T_DIR_WORK/.ssh" ]
++
++  #; run status
++  export DEBUG=yes
++  run "${T_YADM_Y[@]}" status
++
++  #; validate status and output
++  [ "$status" -eq 0 ]
++  [[ "$output" =~ On\ branch\ master ]]
++
++  #; confirm private directories are created
++  [ -d "$T_DIR_WORK/.gnupg" ]
++  test_perms "$T_DIR_WORK/.gnupg" "drwx------"
++  [ -d "$T_DIR_WORK/.ssh" ]
++  test_perms "$T_DIR_WORK/.ssh" "drwx------"
++
++  #; confirm directories are created before command is run
++  [[ "$output" =~ Creating.+/.gnupg/.+Creating.+/.ssh/.+Running\ git\ command\ git\ status ]]
++}
++
++@test "Private dirs (private dirs missing / yadm.auto-private-dirs=false)" {
++  echo "
++    When a git command is run
++    And private directories are missing
++    But auto-private-dirs is false
++      Do not create private dirs
++  "
++
++  #; confirm directories are missing at start
++  [ ! -e "$T_DIR_WORK/.gnupg" ]
++  [ ! -e "$T_DIR_WORK/.ssh" ]
++
++  #; set configuration
++  run "${T_YADM_Y[@]}" config --bool "yadm.auto-private-dirs" "false"
++
++  #; run status
++  run "${T_YADM_Y[@]}" status
++
++  #; validate status and output
++  [ "$status" -eq 0 ]
++  [[ "$output" =~ On\ branch\ master ]]
++
++  #; confirm private directories are not created
++  [ ! -e "$T_DIR_WORK/.gnupg" ]
++  [ ! -e "$T_DIR_WORK/.ssh" ]
++}
++
++@test "Private dirs (private dirs exist / yadm.auto-perms=false)" {
++  echo "
++    When a git command is run
++    And private directories exist
++    And yadm is configured not to auto update perms
++      Do not alter directories
++  "
++
++  #shellcheck disable=SC2174
++  mkdir -m 0777 -p "$T_DIR_WORK/.gnupg" "$T_DIR_WORK/.ssh"
++
++  #; confirm directories are preset and open
++  [ -d "$T_DIR_WORK/.gnupg" ]
++  test_perms "$T_DIR_WORK/.gnupg" "drwxrwxrwx"
++  [ -d "$T_DIR_WORK/.ssh" ]
++  test_perms "$T_DIR_WORK/.ssh" "drwxrwxrwx"
++
++  #; set configuration
++  run "${T_YADM_Y[@]}" config --bool "yadm.auto-perms" "false"
++
++  #; run status
++  run "${T_YADM_Y[@]}" status
++
++  #; validate status and output
++  [ "$status" -eq 0 ]
++  [[ "$output" =~ On\ branch\ master ]]
++
++  #; confirm directories are still preset and open
++  [ -d "$T_DIR_WORK/.gnupg" ]
++  test_perms "$T_DIR_WORK/.gnupg" "drwxrwxrwx"
++  [ -d "$T_DIR_WORK/.ssh" ]
++  test_perms "$T_DIR_WORK/.ssh" "drwxrwxrwx"
++}
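Review bot: the ordering assertion `Creating.+/.gnupg/.+Creating.+/.ssh/.+Running\ git\ command\ git\ status` hard-codes the argument order of `assert_private_dirs .gnupg/ .ssh/`, so a harmless reordering in yadm would break this test; match each `Creating` line separately and check only that both precede `Running git command`. There is also no case where `$T_DIR_WORK/.ssh` already exists as a regular file: `[ ! -d ]` is then true, `mkdir -p` fails, and the yadm hunk below silences that failure, so the behaviour in that situation is untested.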
+diff --git a/yadm b/yadm
+index 2eb9acc..d8e0082 100755
+--- a/yadm
++++ b/yadm
+@@ -157,6 +157,8 @@ function clean() {
+ 
+ function clone() {
+ 
++  [ -n "$DEBUG" ] && display_private_perms "initial"
++
+   #; clone will begin with a bare repo
+   local empty=
+   init $empty
+@@ -175,6 +177,15 @@ function clone() {
+     rm -rf "$YADM_REPO"
+     error_out "Unable to fetch origin $1"
+   }
++  debug "Determining if repo tracks private directories"
++  for private_dir in .ssh/ .gnupg/; do
++    found_log=$("$GIT_PROGRAM" log -n 1 origin/master -- "$private_dir" 2>/dev/null)
++    if [ -n "$found_log" ]; then
++      debug "Private directory $private_dir is tracked by repo"
++      assert_private_dirs "$private_dir"
++    fi
++  done
++  [ -n "$DEBUG" ] && display_private_perms "pre-merge"
+   debug "Doing an initial merge of origin/master"
+   "$GIT_PROGRAM" merge origin/master || {
+     debug "Merge failed, doing a reset."
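Review bot: the loop `for private_dir in .ssh/ .gnupg/` only creates a tracked private directory when it is missing; when the directory already exists with open permissions, the merge writes the tracked files into it as-is and it is only tightened by the exit-time perms pass (the 105 tests confirm `post-merge private dir perms drwxrwxrwx`). Consider also setting mode 0700 on an existing tracked `.ssh`/`.gnupg` before the merge, subject to `yadm.ssh-perms`/`yadm.gpg-perms`. Two smaller points: `origin/master` is hard-coded, so a repository whose default branch has another name gets no pre-merge protection (the existing merge line has the same assumption), and `yadm.auto-private-dirs` is not consulted on this path, unlike in `git_command()`; the man page hunk documents it that way, so say explicitly that the setting does not affect `clone`.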
+@@ -193,6 +204,8 @@ function clone() {
+ EOF
+   }
+ 
++  [ -n "$DEBUG" ] && display_private_perms "post-merge"
++
+   CHANGES_POSSIBLE=1
+ 
+ }
+@@ -301,9 +314,18 @@ function git_command() {
+     set -- "config" "${@:2}"
+   fi
+ 
++  #; ensure private .ssh and .gnupg directories exist first
++  #; TODO: consider restricting this to only commands which modify the work-tree
++
++  auto_private_dirs=$(config --bool yadm.auto-private-dirs)
++  if [ "$auto_private_dirs" != "false" ] ; then
++    assert_private_dirs .gnupg/ .ssh/
++  fi
++
+   CHANGES_POSSIBLE=1
+ 
+   #; pass commands through to git
++  debug "Running git command $GIT_PROGRAM $*"
+   "$GIT_PROGRAM" "$@"
+   return "$?"
+ }
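Review bot: `auto_private_dirs=$(config --bool yadm.auto-private-dirs)` assigns a global; declare it `local`. As the TODO notes, the creation runs for every git command, including read-only ones such as `status` and `log`, so those now modify the work-tree as a side effect (the 118 test relies on exactly that); if the TODO stays, document the behaviour in the man page rather than only in a comment. The empty-string default works because `git config --bool` prints nothing for an unset key, but a comment saying that unset means enabled would make `!= "false"` less surprising.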
+@@ -546,6 +568,27 @@ function error_out() {
+ 
+ }
+ 
++function assert_private_dirs() {
++  work=$(unix_path "$("$GIT_PROGRAM" config core.worktree)")
++  for private_dir in "$@"; do
++    if [ ! -d "$work/$private_dir" ]; then
++      debug "Creating $work/$private_dir"
++      #shellcheck disable=SC2174
++      mkdir -m 0700 -p "$work/$private_dir" >/dev/null 2>&1
++    fi
++  done
++}
++
++function display_private_perms() {
++  when="$1"
++  for private_dir in .ssh .gnupg; do
++    if [ -d "$YADM_WORK/$private_dir" ]; then
++      private_perms=$(ls -ld "$YADM_WORK/$private_dir")
++      debug "$when" private dir perms "$private_perms"
++    fi
++  done
++}
++
+ #; ****** Auto Functions ******
+ 
+ function auto_alt() {
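Review bot: `mkdir -m 0700 -p "$work/$private_dir" >/dev/null 2>&1` discards the failure case, yet a failed creation (for example `$work` empty because `core.worktree` is unset, giving `/.ssh/`, or `.ssh` present as a regular file) means the following checkout creates the directory with umask permissions, which is the condition CVE-2017-11353 is about; check the return value and `error_out`, or at least warn. Also `work`, `private_dir`, `when` and `private_perms` are not `local`, `private_dir` is reused as a loop variable in `clone()`, and `assert_private_dirs` derives the work-tree from `git config core.worktree` while `display_private_perms` uses `$YADM_WORK`; use one source for both so the debug output describes the same directories that were created.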
+diff --git a/yadm.1 b/yadm.1
+index 030905c..18bf43f 100644
+--- a/yadm.1
++++ b/yadm.1
+@@ -283,6 +283,9 @@ If disabled, you may still run
+ manually to update permissions.
+ This feature is enabled by default.
+ .TP
++.B yadm.auto-private-dirs
++Disable the automatic creating of private directories described in the section PERMISSIONS.
++.TP
+ .B yadm.ssh-perms
+ Disable the permission changes to
+ .IR $HOME/.ssh/* .
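Review bot: "Disable the automatic creating of private directories" should read "automatic creation of private directories", and, like the neighbouring `yadm.auto-perms` entry, this one should state the default ("This feature is enabled by default.") and name the directories concerned (`.ssh` and `.gnupg`).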
+@@ -431,12 +434,10 @@ It is recommended that you use a private repository when keeping confidential
+ files, even though they are encrypted.
+ .SH PERMISSIONS
+ When files are checked out of a Git repository, their initial permissions are
+-dependent upon the user's umask. This can result in confidential files with lax permissions.
+-
+-To prevent this,
++dependent upon the user's umask. Because of this,
+ .B yadm
+-will automatically update the permissions of confidential files.
+-The "group" and "others" permissions will be removed from the following files:
++will automatically update the permissions of some file paths. The "group" and
++"others" permissions will be removed from the following files:
+ 
+ .RI - " $HOME/.yadm/files.gpg
+ 
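Review bot: the rewrite drops "This can result in confidential files with lax permissions. To prevent this," and replaces "confidential files" with "some file paths", which removes the only statement of why the permission changes exist; keep the motivation, for example "Because of this, confidential files could be created with lax permissions. To prevent this, yadm will automatically update the permissions of the following paths:".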
+@@ -452,11 +453,32 @@ The "group" and "others" permissions will be removed from the following files:
+ .B yadm
+ will automatically update permissions by default. This can be disabled using the
+ .I yadm.auto-perms
+-configuration.
+-Even if disabled, permissions can be manually updated by running
++configuration. Even if disabled, permissions can be manually updated by running
+ .BR yadm\ perms .
+-The SSH directory processing can be disabled using the
++The
++.I .ssh
++directory processing can be disabled using the
+ .I yadm.ssh-perms
++configuration. The
++.I .gnupg
++directory processing can be disabled using the
++.I yadm.gpg-perms
++configuration.
++
++When cloning a repo which includes data in a
++.IR .ssh " or " .gnupg
++directory, if those directories do not exist at the time of cloning,
++.B yadm
++will create the directories with mask 0700 prior to merging the fetched data
++into the work-tree.
++
++When running a Git command and
++.IR .ssh " or " .gnupg
++directories do not exist,
++.B yadm
++will create those directories with mask 0700 prior to running the Git command.
++This can be disabled using the
++.I yadm.auto-private-dirs
+ configuration.
+ .SH FILES
+ The following are the default paths
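Review bot: "with mask 0700" should be "with mode 0700" in both new paragraphs (a mask would describe the umask). The clone paragraph should also say that the check is made against `origin/master` and that a `.ssh` or `.gnupg` directory that already exists is left as-is until the permission update described above, since that is how the code in this patch behaves.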
diff -Nru yadm-1.06/debian/patches/series yadm-1.06/debian/patches/series
--- yadm-1.06/debian/patches/series	2017-01-22 20:34:20.000000000 +0800
+++ yadm-1.06/debian/patches/series	2017-08-29 18:55:37.000000000 +0800
@@ -1 +1,2 @@
 0001-fix-manpage-has-errors-from-man.patch
+0002-CVE-2017-11353.patch

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message ---
Version: 9.2

Hi.

The updates referenced by each of these bugs was included in today's
point release of stretch.

Regards,

Adam

--- End Message ---
