
Bug#928418: marked as done (unblock: preapproval: corekeeper/1.7)



Your message dated Sun, 12 May 2019 22:02:45 +0200
with message-id <4e1720d9-9989-06f4-9ad9-1821e6083d9b@debian.org>
and subject line Re: Bug#928418: unblock: preapproval: corekeeper/1.7
has caused the Debian Bug report #928418,
regarding unblock: preapproval: corekeeper/1.7
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
928418: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928418
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

I would like to fix some issues in corekeeper reported by Jakub Wilk.

unblock corekeeper/1.7

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

diff -Nru corekeeper-1.6/debian/changelog corekeeper-1.7/debian/changelog
--- corekeeper-1.6/debian/changelog	2015-11-12 00:44:29.000000000 +0800
+++ corekeeper-1.7/debian/changelog	2019-05-04 14:53:44.000000000 +0800
@@ -1,3 +1,16 @@
+corekeeper (1.7) unstable; urgency=medium
+
+  * Do not use a world-writable /var/crash with the dumper script
+    and fix the permissions on upgrade as dpkg doesn't do that.
+    (Closes: #924397) (See-also: #515211)
+  * Handle older versions of the Linux kernel in a safer way
+    (Closes: #924398)
+  * Harden ownership determination and core file names
+  * Do not truncate core names for executables with spaces
+  * Update VCS URLs from alioth to salsa
+
+ -- Paul Wise <pabs@debian.org>  Sat, 04 May 2019 14:53:44 +0800
+
 corekeeper (1.6) unstable; urgency=medium
 
   * Prevent installation with other core dump handlers:
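Review bot: The 1.7 changelog entry does not mention the new core size limit handling, although the same upload adds `--limit %c` to `kernel.core_pattern` and a `case "$limit"` block to `debian/dump`. Since that changes whether a core file is written at all, it deserves its own bullet, for example "Respect the core size limit passed by the kernel".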
diff -Nru corekeeper-1.6/debian/control corekeeper-1.7/debian/control
--- corekeeper-1.6/debian/control	2015-11-11 22:19:31.000000000 +0800
+++ corekeeper-1.7/debian/control	2019-05-04 14:53:44.000000000 +0800
@@ -5,8 +5,8 @@
 Build-Depends:
  debhelper (>= 9)
 Standards-Version: 3.9.6
-Vcs-Git: git://anonscm.debian.org/collab-maint/corekeeper.git
-Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/corekeeper.git
+Vcs-Git: https://salsa.debian.org/debian/corekeeper.git
+Vcs-Browser: https://salsa.debian.org/debian/corekeeper
 
 Package: corekeeper
 Architecture: kfreebsd-any linux-any
diff -Nru corekeeper-1.6/debian/copyright corekeeper-1.7/debian/copyright
--- corekeeper-1.6/debian/copyright	2013-11-22 10:23:37.000000000 +0800
+++ corekeeper-1.7/debian/copyright	2019-05-04 14:53:44.000000000 +0800
@@ -1,7 +1,7 @@
 Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: corekeeper
 Upstream-Contact: Paul Wise <pabs@debian.org>
-Source: git://anonscm.debian.org/collab-maint/corekeeper.git
+Source: https://salsa.debian.org/debian/corekeeper.git
 Comment: original package by Ben Pfaff has been rewritten
 
 Files: *
diff -Nru corekeeper-1.6/debian/corekeeper.lintian-overrides corekeeper-1.7/debian/corekeeper.lintian-overrides
--- corekeeper-1.6/debian/corekeeper.lintian-overrides	2013-11-22 10:23:42.000000000 +0800
+++ corekeeper-1.7/debian/corekeeper.lintian-overrides	2019-05-04 13:57:59.000000000 +0800
@@ -1,6 +1,6 @@
 # /var/crash is intentionally world-writable to allow for
 # centralized core dumps.
-non-standard-dir-perm
+[kfreebsd-any]: non-standard-dir-perm
 
 # The postrm script checks if systemd is running before
 # using the systemctl command
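Review bot: The comment above the override still says that /var/crash is intentionally world-writable, but the override is now limited to `[kfreebsd-any]` and the Linux package no longer ships the directory that way. Reword the comment so it says that the world-writable mode applies only on kFreeBSD, where the dumper script is not used.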
diff -Nru corekeeper-1.6/debian/corekeeper.postinst.linux corekeeper-1.7/debian/corekeeper.postinst.linux
--- corekeeper-1.6/debian/corekeeper.postinst.linux	2013-04-25 14:49:30.000000000 +0800
+++ corekeeper-1.7/debian/corekeeper.postinst.linux	2019-05-04 14:53:44.000000000 +0800
@@ -4,4 +4,11 @@
 # Activate the sysctl settings
 [ $1 != configure ] || sysctl --quiet --load="/etc/sysctl.d/corekeeper.conf"
 
+# Set /var/crash to not be world writable
+# to prevent crashes being able to write arbitrary files
+[ "$1" = configure ] &&
+dpkg --compare-versions "$2" le-nl 1.6 &&
+! dpkg-statoverride --list /var/crash &&
+chmod 0755 /var/crash
+
 #DEBHELPER#
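Review bot: The added `&&` list evaluates to non-zero whenever one of its tests is false, and that value becomes the exit status of the postinst if nothing executes after it, so its correctness depends on what `#DEBHELPER#` expands to. Writing it as `if [ "$1" = configure ] && ... ; then chmod 0755 /var/crash; fi` removes that dependency. In the same list, `dpkg-statoverride --list /var/crash` prints any matching override to stdout during configure; redirect it to `/dev/null`, since only the exit status is wanted. The existing `[ $1 != configure ]` two lines above leaves `$1` unquoted while the new code quotes it; quoting both would be consistent.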
diff -Nru corekeeper-1.6/debian/dump corekeeper-1.7/debian/dump
--- corekeeper-1.6/debian/dump	2013-04-25 16:01:53.000000000 +0800
+++ corekeeper-1.7/debian/dump	2019-05-04 14:47:56.000000000 +0800
@@ -19,7 +19,9 @@
 # because Linux does not create directories when dumping core files
 # and it is apparently painful to do that from within Linux.
 #
-# Thanks for the security audit go to Kees Cook <kees@debian.org>!
+# Thanks for the security audits go to:
+# Jakub Wilk <jwilk@jwilk.net>
+# Kees Cook <kees@debian.org>
 
 set -e
 
@@ -28,34 +30,77 @@
 	exit 1
 fi
 
-# Check how many arguments the kernel sent us.
-if [ $# -eq 2 ] ; then
-	# Awww, old kernel that does not support %d
-	# Cannot set the core file owner safely, use root
-	# See v3.6-6800-g12a2b4b in linux.git for more info
-	uid="$1"
-	core="$2"
-	owner="0"
-elif [ $# -eq 3 ] ; then
-	# Yay! A kernel that does support %d
-	uid="$2"
-	core="$3"
-	owner="$2"
-	# Set the core file owner safely
-	if [ $1 -eq 2 ] ; then
-		owner="0"
-	fi
-else
-	# Something is majorly broken.
-	echo "This script should be run with three arguments and a core file on stdin" 1>&2
-	exit 1
-fi
+case "$1" in
+	(--*)
+		# Option based command-line
+		while [ $# -gt 0 ] ; do
+			case "$1" in
+				(--dumpable)
+					# Old Linux kernels do not support %d
+					# use the safest dumpable option there
+					case "$2" in
+						(--*) dumpable=2; shift;;
+						(*) dumpable="$2"; shift 2;;
+					esac
+				;;
+				(--owner) owner="$2"; shift 2;;
+				(--limit) limit="$2"; shift 2;;
+				# Use remaining arguments for core name
+				(--core) shift; core="$*.core"; break;;
+				(*)
+					echo "Unknown option: $1" 1>&2
+					exit 1
+				;;
+			esac
+		done
+	;;
+	(*[!0-9]*|'')
+		echo "Unknown or missing arguments" 1>&2
+		exit 1
+	;;
+	(*)
+		# Dumpable, owner and core file based command-line
+		case "$2" in
+			# Old Linux kernels do not support %d
+			# use the safest dumpable option there
+			(*[!0-9]*|'') dumpable=2 ;;
+			(*) dumpable="$1"; shift ;;
+		esac
+		owner="$1"; shift
+		core="$*"
+	;;
+esac
+
+# Set the core file owner safely
+SUID_DUMP_DISABLE=0
+SUID_DUMP_USER=1
+SUID_DUMP_ROOT=2
+case "$dumpable" in
+	("$SUID_DUMP_DISABLE") exit 0;;
+	("$SUID_DUMP_USER") ;;
+	("$SUID_DUMP_ROOT"|*) owner=0;;
+esac
 
-# The exclamation marks are shell metacharacters
-core="$(echo "$core" | tr '!' '-')"
+# Convert potentially unsafe characters to a safe character
+core="$(printf '%s' "$core" | tr -c '[:alnum:]+._-' '-')"
 umask 0077
 mkdir -p "/var/crash/$owner"
 chown "$owner" "/var/crash/$owner"
-owner="$owner" core="$core" \
-	su -s /bin/sh -c '/bin/cat > /var/crash/"$owner"/"$core"' \
-	"$(getent passwd "$owner" | cut -d: -f1)"
+case "$limit" in
+	# Core dump is not numeric, no nothing
+	(*[!0-9]*) ;;
+	# Core dump limit is empty, write full dump
+	('')
+		owner="$owner" core="$core" \
+		su -s /bin/sh -c '/bin/cat > /var/crash/"$owner"/"$core"' \
+		"$(getent passwd "$owner" | cut -d: -f1)"
+	;;
+	# Core dump limit is non-zero, restrict dump size
+	(*[!0]*)
+		owner="$owner" core="$core" limit="$limit" \
+		su -s /bin/sh -c 'head -c "$limit" > /var/crash/"$owner"/"$core"' \
+		"$(getent passwd "$owner" | cut -d: -f1)"
+	;;
+	# Core dumping is disabled, no nothing
+	(*) ;;
+esac
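Review bot: In the option-based branch, `(--owner) owner="$2"; shift 2;;` accepts the value unchecked, whereas the positional branch rejects anything non-numeric with `(*[!0-9]*|'')`. When `dumpable` is `$SUID_DUMP_USER` the value goes straight into `mkdir -p "/var/crash/$owner"` and `chown "$owner"`, so apply the same numeric test to `--owner` and exit with an error when it is empty or missing. It would also help to initialise `dumpable`, `owner`, `limit` and `core` to empty strings before the outer `case`, so that the later tests never see values inherited from the environment. Two comments in the `case "$limit"` block read "no nothing" where "do nothing" is meant, and the first one says "Core dump is not numeric" although it is the limit that is being tested.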
diff -Nru corekeeper-1.6/debian/rules corekeeper-1.7/debian/rules
--- corekeeper-1.6/debian/rules	2015-11-11 21:59:07.000000000 +0800
+++ corekeeper-1.7/debian/rules	2019-05-04 14:53:44.000000000 +0800
@@ -10,7 +10,7 @@
 
 override_dh_fixperms:
 	dh_fixperms
-	chmod 1777 debian/corekeeper/var/crash
+	if [ ! -e $(script) ] ; then chmod 1777 debian/corekeeper/var/crash ; fi
 	if [ -e $(script) ] ; then chmod 0755 $(script) ; fi
 
 override_dh_installinit:
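Review bot: The new `if [ ! -e $(script) ]` test on the `chmod 1777` line uses the absence of the dumper script as a stand-in for "this build does not use the dumper", and nothing in the rules file says so. Add a comment above the line stating that mode 1777 is kept only where the script is not installed and that the directory otherwise keeps the mode left by `dh_fixperms`, so the link to the postinst `chmod 0755` is clear. Quoting `$(script)` in both tests would also guard against a path containing whitespace.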
diff -Nru corekeeper-1.6/debian/sysctl-linux/corekeeper.conf corekeeper-1.7/debian/sysctl-linux/corekeeper.conf
--- corekeeper-1.6/debian/sysctl-linux/corekeeper.conf	2015-11-04 18:57:15.000000000 +0800
+++ corekeeper-1.7/debian/sysctl-linux/corekeeper.conf	2019-05-04 14:53:44.000000000 +0800
@@ -4,8 +4,11 @@
 # Non-root users can see that something crashed, no way to fix that.
 # It requires Linux 3.7-rc1, see v3.6-6800-g12a2b4b in linux.git for info.
 # If you use it with an earlier kernel then only root can access core dumps.
-# If you don't want to use it, comment core_pattern below and uncomment this:
+# If you don't want to use it, comment core_pattern below, dpkg-statoverride
+# /var/crash to mode 1777 and uncomment this alternate core_pattern:
 #kernel.core_pattern = /var/crash/%p-%u-%g-%s-%t-%h-%E.core
-kernel.core_pattern = |/usr/lib/corekeeper/dump %d %u %p-%u-%g-%s-%t-%h-%E.core
+# When switching back to the default core pattern use mode 0755 for /var/crash
+# as it is unsafe to use the dumper with a world-writable directory.
+kernel.core_pattern = |/usr/lib/corekeeper/dump --dumpable %d --owner %u --limit %c --core %p-%u-%g-%s-%t-%h-%E
 kernel.core_uses_pid = 1
 fs.suid_dumpable = 2
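Review bot: The new `kernel.core_pattern` line relies on `--core` being the last option, because `debian/dump` treats every remaining argument as the core name (`(--core) shift; core="$*.core"; break;;`), and the file does not document that. Add a comment next to the pattern saying that `--core` must stay last and that the `.core` suffix is now appended by the script, so an administrator who edits the pattern does not reorder the options or add the suffix a second time.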



--- End Message ---
--- Begin Message ---
Hi Paul,

On 12-05-2019 06:59, Paul Wise wrote:
> Uploaded and built by the buildds.

Unblocked, thanks.

Paul



--- End Message ---
