
Bug#941738: buster-pu: package network-manager/1.14.6-2+deb10u1



retitle 941738 buster-pu: package network-manager/1.14.6-2+deb10u1
thanks

On 04.10.19 at 15:20, Michael Biebl wrote:
> On 04.10.19 at 15:09, Michael Biebl wrote:
>> +network-manager (1.14.6-3) stable; urgency=medium
> 
> 1.14.6-3 is unused so far, but I guess it would be better to use
> 1.14.6-2+deb10u1 instead?

I guess the latter is more in line with current practice, so retitling
the bug report accordingly. Updated debdiff attached.


Please let me know if I can proceed with the upload.

Regards,
Michael


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
diff --git a/debian/changelog b/debian/changelog
index 7cb171e5a..13658c1c3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+network-manager (1.14.6-2+deb10u1) stable; urgency=medium
+
+  * core: fix file permissions for "/var/lib/NetworkManager/secret_key"
+    Patch cherry-picked from upstream.
+  * Fix permissions of /var/lib/NetworkManager/secret_key on upgrades.
+    The file mode is supposed to be 0600. (Closes: #941609)
+  * Install directories as created by upstream build system.
+    Drop network-manager.dirs and instead use the directories created by the
+    upstream build system. Fix permissions of /var/lib/NetworkManager to be
+    0700 as it contains possibly sensitive data and should not be
+    world-readable.
+  * d/gbp.conf: Set debian-branch to buster
+
+ -- Michael Biebl <biebl@debian.org>  Fri, 04 Oct 2019 15:03:20 +0200
+
 network-manager (1.14.6-2) unstable; urgency=medium
 
   * supplicant: fix setting pmf when the supplicant doesn't advertise support
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 478d845ce..3c81df87a 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,4 +1,4 @@
 [DEFAULT]
 pristine-tar = True
 patch-numbers = False
-debian-branch = master
+debian-branch = buster
diff --git a/debian/network-manager.dirs b/debian/network-manager.dirs
deleted file mode 100644
index e09403be4..000000000
--- a/debian/network-manager.dirs
+++ /dev/null
@@ -1,10 +0,0 @@
-etc/NetworkManager/conf.d/
-etc/NetworkManager/dispatcher.d/no-wait.d/
-etc/NetworkManager/dispatcher.d/pre-down.d/
-etc/NetworkManager/dispatcher.d/pre-up.d/
-etc/NetworkManager/dnsmasq.d/
-etc/NetworkManager/dnsmasq-shared.d/
-etc/NetworkManager/system-connections/
-usr/lib/NetworkManager/conf.d/
-usr/lib/NetworkManager/VPN/
-var/lib/NetworkManager/
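Review bot: With network-manager.dirs removed, the ten directories listed in this hunk exist in the package only if the upstream build system creates them. Confirm that each one still appears in the built binary package, in particular those that ship no files of their own such as etc/NetworkManager/system-connections/ and etc/NetworkManager/dnsmasq.d/, since nothing under debian/ guarantees them any more.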
diff --git a/debian/network-manager.install b/debian/network-manager.install
index 0f1e82ae5..3f94d7a46 100644
--- a/debian/network-manager.install
+++ b/debian/network-manager.install
@@ -2,10 +2,7 @@ usr/sbin/NetworkManager
 usr/bin/nm-online
 usr/bin/nmcli
 usr/bin/nmtui*
-usr/lib/NetworkManager/nm-dhcp-helper
-usr/lib/NetworkManager/nm-iface-helper
-usr/lib/NetworkManager/nm-dispatcher
-usr/lib/NetworkManager/nm-initrd-generator
+usr/lib/NetworkManager/
 usr/lib/*/NetworkManager/*/libnm-settings-plugin-ifupdown.so
 usr/lib/*/NetworkManager/*/libnm-device-plugin-*.so
 usr/lib/*/NetworkManager/*/libnm-ppp-plugin.so
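Review bot: Replacing the four explicit helper paths with `usr/lib/NetworkManager/` means anything the upstream build places in that directory is shipped without being listed. For a stable update, comparing the binary package file list against 1.14.6-2 would confirm that only the expected directories were added and no extra files came along.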
@@ -18,7 +15,8 @@ usr/share/dbus-1/system.d/org.freedesktop.NetworkManager.conf
 usr/share/dbus-1/system.d/nm-dispatcher.conf
 usr/share/polkit-1/
 usr/share/bash-completion/
-etc/NetworkManager/dispatcher.d/
+etc/NetworkManager/
+var/lib/NetworkManager/
 lib/udev/rules.d/*.rules
 lib/systemd/system/NetworkManager.service
 lib/systemd/system/NetworkManager-dispatcher.service
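Review bot: `var/lib/NetworkManager/` is now taken from the upstream install tree, but nothing in this hunk shows which mode the directory has inside the .deb. If the packaging helpers normalise it to a default mode, the directory is world-readable between unpack and the postinst chmod; check with `dpkg-deb -c` on the built package that it is already 0700 there.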
diff --git a/debian/network-manager.postinst b/debian/network-manager.postinst
index 0f95087f8..7f0589da6 100644
--- a/debian/network-manager.postinst
+++ b/debian/network-manager.postinst
@@ -24,6 +24,9 @@ case "$1" in
         # org.freedesktop.NetworkManager.settings.modify.system without prior authentication
         addgroup --quiet --system netdev
 
+        # This directory can contain sensitive data and should not be world-readable
+        chmod 0700 /var/lib/NetworkManager
+
         NIF=/etc/network/interfaces
         if [ -z "$2" ] && [ -f $NIF ]; then
             ifaces=`grep -v '^#' $NIF | awk '/iface/ {print $2}' | sort -u | sed -e 's/lo//' -e '/^$/d' -e 's/^/- /'`
@@ -44,6 +47,12 @@ case "$1" in
                 ln -sf  /run/NetworkManager/resolv.conf /etc/resolv.conf
             fi
         fi
+
+        if dpkg --compare-versions "$2" lt-nl "1.14.6-3"; then
+            if [ -f /var/lib/NetworkManager/secret_key ]; then
+                chmod 0600 /var/lib/NetworkManager/secret_key
+            fi
+        fi
         ;;
 
     abort-upgrade|abort-deconfigure|abort-remove)
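Review bot: The threshold in `dpkg --compare-versions "$2" lt-nl "1.14.6-3"` still names the version that the changelog dropped in favour of 1.14.6-2+deb10u1. It does cover the upgrade from 1.14.6-2, but any later 1.14.6-2+deb10uN also sorts below 1.14.6-3, so the chmod on secret_key would be repeated on each of those upgrades. Suggest comparing against "1.14.6-2+deb10u1" so the fix-up runs once.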
diff --git a/debian/patches/core-fix-file-permissions-for-var-lib-NetworkManager-secr.patch b/debian/patches/core-fix-file-permissions-for-var-lib-NetworkManager-secr.patch
new file mode 100644
index 000000000..8e51fa6a4
--- /dev/null
+++ b/debian/patches/core-fix-file-permissions-for-var-lib-NetworkManager-secr.patch
@@ -0,0 +1,40 @@
+From: Thomas Haller <thaller@redhat.com>
+Date: Tue, 14 May 2019 13:55:41 +0200
+Subject: core: fix file permissions for "/var/lib/NetworkManager/secret_key"
+
+Ooherwise, the file has wrong permissions:
+
+  # ls -la /var/lib/NetworkManager/secret_key
+  ----r-xr-x. 1 root root 50 May 14 13:52 /var/lib/NetworkManager/secret_key
+
+Luckily, /var/lib/NetworkManager should be already
+
+  # ls -lad /var/lib/NetworkManager
+  drwx------. 2 root root 8192 May 14 13:57 /var/lib/NetworkManager
+
+which mitigates this a bit.
+
+Fixes: dbcb1d6d97c6 ('core: let nm_utils_secret_key_read() handle failures internally')
+
+https://gitlab.freedesktop.org/NetworkManager/NetworkManager/issues/175
+(cherry picked from commit dc3a2f9bc4c35030bcaf9e81953daf7894ab62b6)
+(cherry picked from commit 2d46247c6ac6f89a0b8bac86d684431c07dc6c8e)
+(cherry picked from commit 7a0f8520ffd2173d0912e8cbdd192bc232e92a43)
+(cherry picked from commit 869ac551cff99162fda1eb614bf2c45bfc3e5321)
+---
+ src/nm-core-utils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/nm-core-utils.c b/src/nm-core-utils.c
+index a65ac63..99a62e6 100644
+--- a/src/nm-core-utils.c
++++ b/src/nm-core-utils.c
+@@ -2896,7 +2896,7 @@ _host_id_read (guint8 **out_host_id,
+ 		} else if (!nm_utils_file_set_contents (SECRET_KEY_FILE,
+ 		                                        (const char *) new_content,
+ 		                                        len,
+-		                                        0077,
++		                                        0600,
+ 		                                        &error)) {
+ 			nm_log_warn (LOGD_CORE, "secret-key: failure to persist secret key in \"%s\" (%s) (use non-persistent key)",
+ 			             SECRET_KEY_FILE, error->message);
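Review bot: The patch header carries the upstream issue URL and the cherry-pick ids but no link to the Debian bug. A `Bug-Debian: https://bugs.debian.org/941609` line in the header would tie the patch to the report that debian/changelog closes.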
diff --git a/debian/patches/series b/debian/patches/series
index b21e8a16f..5504c0a8a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@ supplicant-fix-setting-pmf-when-the-supplicant-doesn-t-ad.patch
 Force-online-state-with-unmanaged-devices.patch
 Don-t-setup-Sleep-Monitor-if-not-booted-with-systemd.patch
 Don-t-make-NetworkManager-D-Bus-activatable.patch
+core-fix-file-permissions-for-var-lib-NetworkManager-secr.patch
