
Bug#891426: stretch-pu: package nvidia-modprobe/384.111-1~deb9u1



On 2018-02-25 15:44, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sun, 2018-02-25 at 15:02 +0100, Andreas Beckmann wrote:
>> please allow the upgrade of nvidia-modprobe in stretch to a new
>> upstream release matching the updated nvidia-graphics-drivers
>> package.

> Please go ahead.

That was uploaded yesterday, but I just uploaded another fix to sid that
may be worthy to be fixed in stretch, too.

nvidia-modprobe (a setuid root binary) stopped working for regular users
since dash started dropping privileges if euid != uid (like bash has
been doing for ages). The fix is a one-liner: call setuid(0) before
forking modprobe to preserve permissions through the recursive shell and
modprobe invocations needed by our modprobe configuration using install
commands.

The problem is reproducible in stretch if /bin/sh points to bash instead
of dash.

The incremental source debdiff is attached.

If that is acceptable, please reject 384.111-1~deb9u1 and I'll upload
384.111-2~deb9u1 instead.


Andreas
diff --git a/debian/changelog b/debian/changelog
index 7deb07b..0adbb7c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+nvidia-modprobe (384.111-2~deb9u1) stretch; urgency=medium
+
+  * Rebuild for stretch.
+
+ -- Andreas Beckmann <anbe@debian.org>  Tue, 27 Feb 2018 02:06:17 +0100
+
+nvidia-modprobe (384.111-2) unstable; urgency=medium
+
+  * Add setuid.patch to run setuid(0) before forking modprobe to preserve
+    privileges through shell invocations and recursive modprobe calls.
+    Thanks to Hiromasa YOSHIMOTO for intensive debugging and the final patch!
+    (Closes: #888952)
+  * Add debian/upstream/metadata.
+  * Fix new Lintian issues.
+  * Switch Vcs-* URLs to salsa.debian.org.
+
+ -- Andreas Beckmann <anbe@debian.org>  Tue, 27 Feb 2018 01:50:01 +0100
+
 nvidia-modprobe (384.111-1) unstable; urgency=medium
 
   * New upstream release.
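
Review bot: the 384.111-2 entry carries three items besides setuid.patch (debian/upstream/metadata, the Lintian fixes and the Vcs-* URL switch), while the 384.111-2~deb9u1 entry says only "Rebuild for stretch." For a stable update, please say in the ~deb9u1 entry that the setuid change is the functional fix and that the remaining items are packaging-only, so the scope is clear from the changelog alone.
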
diff --git a/debian/control b/debian/control
index c6963ee..836da1b 100644
--- a/debian/control
+++ b/debian/control
@@ -12,8 +12,8 @@ Build-Depends:
 Rules-Requires-Root: binary-targets
 Standards-Version: 4.1.3
 Homepage: https://github.com/NVIDIA/nvidia-modprobe
-Vcs-Git: https://anonscm.debian.org/git/pkg-nvidia/nvidia-modprobe.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-nvidia/nvidia-modprobe.git
+Vcs-Browser: https://salsa.debian.org/nvidia-team/nvidia-modprobe
+Vcs-Git: https://salsa.debian.org/nvidia-team/nvidia-modprobe.git
 
 Package: nvidia-modprobe
 Architecture: i386 amd64 armhf ppc64el
diff --git a/debian/copyright b/debian/copyright
index 0974a69..ad3f83a 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,6 +1,12 @@
 Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: nvidia-modprobe
 Source: https://download.nvidia.com/XFree86/nvidia-modprobe/
+Disclaimer:
+ This package is not part of the GNU/Linux Debian distribution. It is
+ provided in the contrib archive area as a convenience to Debian users.
+ The contents of this source package are freely licensed under the Expat
+ license, but it is only useful in combination with the proprietary
+ NVIDIA drivers in non-free.
 
 Files: *
 Copyright: Copyright (C) 2004-2017 NVIDIA Corporation
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..57623ce
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+setuid.patch
diff --git a/debian/patches/setuid.patch b/debian/patches/setuid.patch
new file mode 100644
index 0000000..106df55
--- /dev/null
+++ b/debian/patches/setuid.patch
@@ -0,0 +1,27 @@
+Author: Hiromasa YOSHIMOTO <hiromasa.yoshimoto@gmail.com>
+Description: use setuid(0) to preserve privileges over shell invocations
+ Fixing bug https://bugs.debian.org/734869 dash recently started to drop
+ privileges if euid != uid. (Bash has been doing that for a long time
+ already, but is usually not used for /bin/sh.)
+ The Debian modprobe configuration /etc/modprobe.d/nvidia.conf uses install
+ commands that require forking a shell from within modprobe to (recursively)
+ run further modprobe commands. If the shell drops privileges in setuid
+ contexts, the inner modprobe commands are run unprivileged, failing to load
+ the modules.
+ Run setuid(0) before forking modprobe to preserve privileges through to the
+ inner modprobe commands.
+Bug-Debian: https://bugs.debian.org/888952
+
+--- nvidia-modprobe-384.111.orig/modprobe-utils/nvidia-modprobe-utils.c
++++ nvidia-modprobe-384.111/modprobe-utils/nvidia-modprobe-utils.c
+@@ -374,6 +374,10 @@ static int modprobe_helper(const int pri
+              */
+             silence_current_process();
+ 
++            /* Workaround for debian's /etc/modprobe.d/nvidia.conf configuration.
++             * See Bug#888952 for details */
++            setuid(0);
++
+             execle(modprobe_path, "modprobe",
+                    module_name, NULL, envp);
+ 
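
Review bot: the added `setuid(0);` ignores its return value, so if the call fails, `execle(modprobe_path, "modprobe", ...)` still runs with uid != euid and the shell started for the install commands drops privileges again, with nothing reported. Suggest checking the result and leaving the child before the exec when it is non-zero. Because the call makes the real uid 0 for modprobe and for every shell command it spawns, it is also worth confirming in the surrounding code that `envp` is a fixed, minimal environment and not the caller's. Minor: in the Description, "Fixing bug https://bugs.debian.org/734869 dash recently started to drop" runs two sentences together.
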
diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides
index 7ec9f82..8ebed74 100644
--- a/debian/source/lintian-overrides
+++ b/debian/source/lintian-overrides
@@ -1,2 +1,2 @@
 # upstream provides no signatures
-debian-watch-may-check-gpg-signature
+debian-watch-does-not-check-gpg-signature
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..04277b1
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,3 @@
+Name: nvidia-modprobe
+Repository: https://github.com/NVIDIA/nvidia-modprobe.git
+Repository-Browse: https://github.com/NVIDIA/nvidia-modprobe
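
The mechanism described in the message above (a shell drops privileges when real and effective uid differ, and setuid(0) in a setuid-root process makes them match), as an added example that is not part of the patch or of nvidia-modprobe. The helper names `shell_would_drop` and `raise_real_uid_checked` are hypothetical; the second shows the call with its result checked.

```c
/* Added example (not from nvidia-modprobe): a checked setuid(0) before exec. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The startup test dash and bash apply when not run with -p: if real and
 * effective uid differ, the shell resets its effective uid to the real one. */
static int shell_would_drop(uid_t ruid, uid_t euid)
{
    return ruid != euid;
}

/* Hypothetical helper: in a setuid-root process (euid 0, ruid = caller),
 * setuid(0) sets real, effective and saved uid to 0. Returns 0 only if that
 * demonstrably happened, -1 otherwise, so the caller can refuse to exec. */
static int raise_real_uid_checked(void)
{
    if (setuid(0) != 0) {
        fprintf(stderr, "setuid(0) failed: %s\n", strerror(errno));
        return -1;
    }
    /* Re-read the credentials instead of trusting the return value alone. */
    if (getuid() != 0 || shell_would_drop(getuid(), geteuid()))
        return -1;
    return 0;
}

int main(void)
{
    printf("before: ruid=%ld euid=%ld shell_would_drop=%d\n",
           (long)getuid(), (long)geteuid(),
           shell_would_drop(getuid(), geteuid()));

    if (raise_real_uid_checked() != 0) {
        /* Not privileged (or the call failed): do not continue to exec. */
        fprintf(stderr, "refusing to continue without matching uids\n");
        return 1;
    }

    printf("after:  ruid=%ld euid=%ld shell_would_drop=%d\n",
           (long)getuid(), (long)geteuid(),
           shell_would_drop(getuid(), geteuid()));
    return 0;
}
```

Run as an ordinary user, the program exits at the failed check; the "after" line is only reached when the process starts with effective uid 0.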
