
Bug#989025: marked as done (unblock: micro-evtd/3.4-7)



Your message dated Mon, 24 May 2021 06:43:36 +0200
with message-id <c3135b32-7559-0b5a-3257-70c96ab4799c@debian.org>
and subject line Re: Bug#989025: unblock: micro-evtd/3.4-7
has caused the Debian Bug report #989025,
regarding unblock: micro-evtd/3.4-7
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
989025: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989025
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package micro-evtd

[ Reason ]

Fix micro-evtd creating its pid and status files in /var/run with world-writable permissions (#988119).

[ Impact ]

- The pid and status files in /var/run are mode 666, which could be a potential security issue.
- micro-evtd does not stop when asked to with "/etc/init.d/micro-evtd stop", because start-stop-daemon refuses to use the insecure pid file.
- Because of that, the daemon also does not restart on upgrade as it should, instead the old version remains running.

[ Tests ]

There are no automated tests. I manually tested the install and upgrade cases (testing→unstable).

[ Risks ]

The change should be trivial, but it is possible (if unlikely) that I missed some case where the umask 000 was actually needed.

[ Checklist ]
 [✓] all changes are documented in the d/changelog
 [✓] I reviewed all changes and I approve them
 [✓] attach debdiff against the package in testing

[ Other info ]

The package builds a udeb. I tested an installation using a d-i daily build with the updated package included, and confirmed the corrected file permissions in the d-i environment.

The issue exists already in buster (not a regression).

unblock micro-evtd/3.4-7

Thank you,
Ryan
diff -Nru micro-evtd-3.4/debian/changelog micro-evtd-3.4/debian/changelog
--- micro-evtd-3.4/debian/changelog	2021-05-03 20:22:09.000000000 -0700
+++ micro-evtd-3.4/debian/changelog	2021-05-22 00:40:17.000000000 -0700
@@ -1,3 +1,12 @@
+micro-evtd (3.4-7) unstable; urgency=medium
+
+  [ Ryan Tandy ]
+  * Fix world-writable pid and status files in /var/run (Closes: #988119)
+    - Patch micro-evtd.c to reset umask to 022 instead of 0.
+    - Fix permissions on existing files on upgrade.
+
+ -- Roger Shimizu <rosh@debian.org>  Sat, 22 May 2021 16:40:17 +0900
+
 micro-evtd (3.4-6) unstable; urgency=medium
 
   [ Ryan Tandy ]
diff -Nru micro-evtd-3.4/debian/micro-evtd.postinst micro-evtd-3.4/debian/micro-evtd.postinst
--- micro-evtd-3.4/debian/micro-evtd.postinst	2021-05-03 20:22:09.000000000 -0700
+++ micro-evtd-3.4/debian/micro-evtd.postinst	2021-05-22 00:40:17.000000000 -0700
@@ -14,6 +14,18 @@
                 rm /usr/sbin/micro-evtd.status
             fi
         fi
+
+        if dpkg --compare-versions "$2" lt-nl "3.4-7~"; then
+            # Fix permissions on the existing pid file
+            # so that the daemon is actually restarted
+            if [ -f /var/run/micro-evtd.pid ]; then
+                chmod 644 /var/run/micro-evtd.pid
+            fi
+
+            if [ -f /var/run/micro-evtd.status ]; then
+                chmod 644 /var/run/micro-evtd.status
+            fi
+        fi
     ;;
 
     *)
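Review bot: The two "chmod 644" calls in the new version-guarded block only repair the mode of /var/run/micro-evtd.pid and /var/run/micro-evtd.status, not their contents, and both files were writable by every local user up to this point. Once the mode is fixed, start-stop-daemon will accept the pid file again, so the restart ends up trusting whatever PID is stored there. Consider verifying that the recorded PID really belongs to the running micro-evtd before relying on it, or removing the old files and stopping the old daemon by another match for this one upgrade. A short comment on why "lt-nl" is used (the block is skipped when "$2" is empty on a fresh install) would also help the next reader.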
diff -Nru micro-evtd-3.4/debian/patches/0008-Don-t-create-world-writable-files.patch micro-evtd-3.4/debian/patches/0008-Don-t-create-world-writable-files.patch
--- micro-evtd-3.4/debian/patches/0008-Don-t-create-world-writable-files.patch	1969-12-31 16:00:00.000000000 -0800
+++ micro-evtd-3.4/debian/patches/0008-Don-t-create-world-writable-files.patch	2021-05-22 00:40:17.000000000 -0700
@@ -0,0 +1,26 @@
+From: Ryan Tandy <ryan@nardis.ca>
+Date: Fri, 21 May 2021 13:06:41 -0700
+Subject: Don't create world-writable files
+
+Set umask to 022 on startup instead of 000.
+
+Fixes the pid and status files being created world-writable.
+
+Bug-Debian: https://bugs.debian.org/988119
+---
+ src/micro-evtd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/micro-evtd.c b/src/micro-evtd.c
+index da91549..cc05b6a 100644
+--- a/src/micro-evtd.c
++++ b/src/micro-evtd.c
+@@ -1777,7 +1777,7 @@ int main(int argc, char *argv[])
+ 	setsid();
+ 
+ 	/* clear file creation mask */
+-	umask(0);
++	umask(022);
+ 
+ 	// Lock out device resource
+ 	getResourceLock();
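Review bot: The context comment "/* clear file creation mask */" directly above the changed call no longer matches the code, because umask(022) sets a mask instead of clearing it; update the comment in this same patch, for example to say that group and other write bits are masked. The fix also relies on every file the daemon creates inheriting this process-wide mask, so it would be more robust to additionally pass an explicit mode where the pid and status files are created. Their permissions would then stay correct even if the mask is changed again later.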
diff -Nru micro-evtd-3.4/debian/patches/series micro-evtd-3.4/debian/patches/series
--- micro-evtd-3.4/debian/patches/series	2021-05-03 20:22:09.000000000 -0700
+++ micro-evtd-3.4/debian/patches/series	2021-05-22 00:40:17.000000000 -0700
@@ -5,3 +5,4 @@
 0005-Check-for-mmap-returning-MAP_FAILED.patch
 0006-Match-default-temperature-configuration-to-the-confi.patch
 0007-Fix-FTBFS-with-glibc-2.30.patch
+0008-Don-t-create-world-writable-files.patch

--- End Message ---
--- Begin Message ---
Hi Ryan

On 24-05-2021 00:42, Ryan Tandy wrote:
> Please unblock package micro-evtd

Unblocked.

Paul

--- End Message ---
