
Bug#1056969: marked as done (bookworm-pu: package swupdate/2022.12+dfsg-4+deb12u1)



Your message dated Sat, 10 Feb 2024 13:11:19 +0000
with message-id <E1rYn8Z-002yYp-S3@coccia.debian.org>
and subject line Released with 12.5
has caused the Debian Bug report #1056969,
regarding bookworm-pu: package swupdate/2022.12+dfsg-4+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1056969: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056969
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Control: affects -1 + src:swupdate
X-Debbugs-Cc: swupdate@packages.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: bookworm
Severity: normal

[ Reason ]
There is a local privilege escalation in the swupdate package because the
service's control socket has world-writable file permissions.

[ Impact ]
The rights of the swupdate daemon, which is usually used to run full
system updates, can be acquired by any user on the system.

[ Tests ]
Run the service and check that the control socket is created with the
reduced permission set. Also check that the service user "swupdate" is created.

[ Risks ]
None.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable
diff -Nru swupdate-2022.12+dfsg/debian/changelog swupdate-2022.12+dfsg/debian/changelog
--- swupdate-2022.12+dfsg/debian/changelog	2023-04-04 15:36:06.000000000 +0200
+++ swupdate-2022.12+dfsg/debian/changelog	2023-11-27 11:10:38.000000000 +0100
@@ -1,3 +1,10 @@
+swupdate (2022.12+dfsg-4+deb12u1) bookworm; urgency=medium
+
+  * Add swupdate system user
+  * Create the sockets for group use with SocketMode 0660
+
+ -- Bastian Germann <bage@debian.org>  Mon, 27 Nov 2023 11:10:38 +0100
+
 swupdate (2022.12+dfsg-4) unstable; urgency=medium
 
   * Enable backported libebgenv-dev
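Review bot: the new changelog entries do not say that this upload fixes a security issue; for a stable update that closes a local privilege escalation, the first entry should name the problem (for example "Fix local privilege escalation via world-writable control sockets") so that the security nature of the change is visible in the package history, and reference the corresponding bug against src:swupdate if one exists.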
diff -Nru swupdate-2022.12+dfsg/debian/control swupdate-2022.12+dfsg/debian/control
--- swupdate-2022.12+dfsg/debian/control	2023-04-04 15:25:36.000000000 +0200
+++ swupdate-2022.12+dfsg/debian/control	2023-11-27 11:10:38.000000000 +0100
@@ -7,6 +7,7 @@
 Build-Depends: debhelper-compat (= 13),
                dh-lua:native <!nolua>,
                dh-nodejs | dh-nodejs:any,
+               dh-sysuser,
                graphviz <!nodoc>,
                liblua5.3-dev <!nolua>,
                libfdisk-dev,
diff -Nru swupdate-2022.12+dfsg/debian/rules swupdate-2022.12+dfsg/debian/rules
--- swupdate-2022.12+dfsg/debian/rules	2023-04-04 15:30:15.000000000 +0200
+++ swupdate-2022.12+dfsg/debian/rules	2023-11-27 11:10:38.000000000 +0100
@@ -13,7 +13,7 @@
 export LUA_VERSION=5.3
 export LUA_MODNAME=lua_swupdate
 export PKG_NAME=swupdate
-export DH_WITH=--with lua
+export DH_WITH=,lua
 export HAVE_LUA=y
 endif
 
@@ -108,4 +108,4 @@
 	dh_missing --fail-missing
 
 %:
-	dh $@ $(DH_WITH)
+	dh $@ --with sysuser$(DH_WITH)
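Review bot: `--with sysuser$(DH_WITH)` now depends on DH_WITH holding a leading-comma fragment (`,lua` from the previous hunk, or empty when HAVE_LUA is unset); that works in both branches, but the coupling is easy to break. A comment next to `export DH_WITH=,lua`, or a name such as DH_WITH_EXTRA, would make it explicit that the variable is no longer a complete `--with` option.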
diff -Nru swupdate-2022.12+dfsg/debian/swupdate.socket swupdate-2022.12+dfsg/debian/swupdate.socket
--- swupdate-2022.12+dfsg/debian/swupdate.socket	2023-04-04 14:41:04.000000000 +0200
+++ swupdate-2022.12+dfsg/debian/swupdate.socket	2023-11-27 11:10:38.000000000 +0100
@@ -6,6 +6,8 @@
 [Socket]
 ListenStream=/tmp/sockinstctrl
 ListenStream=/tmp/swupdateprog
+SocketMode=0660
+SocketGroup=swupdate
 
 [Install]
 WantedBy=sockets.target
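Review bot: SocketMode=0660 with SocketGroup=swupdate removes the world-writable access, but SocketUser= is left unset, so the sockets stay root-owned and access is now controlled entirely by membership of the swupdate group; the [Tests] section should therefore also confirm that no unexpected accounts end up in that group. Separately, both ListenStream paths remain under /tmp, a world-writable directory; keeping them is defensible for a stable update, but moving the sockets under /run (RuntimeDirectory=, with the daemon's own socket path configuration adjusted to match) would be the cleaner long-term fix.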
diff -Nru swupdate-2022.12+dfsg/debian/swupdate.sysuser swupdate-2022.12+dfsg/debian/swupdate.sysuser
--- swupdate-2022.12+dfsg/debian/swupdate.sysuser	1970-01-01 01:00:00.000000000 +0100
+++ swupdate-2022.12+dfsg/debian/swupdate.sysuser	2023-11-27 11:10:38.000000000 +0100
@@ -0,0 +1 @@
+swupdate defaults
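Review bot: `swupdate defaults` relies on dh-sysuser creating a group named swupdate as well as the user, and SocketGroup=swupdate in swupdate.socket depends on that group existing before the socket unit is started; it is worth checking on a fresh bookworm install (and on upgrade from 2022.12+dfsg-4) that the sysuser is created in postinst before the socket is enabled, since systemd will refuse to set up the socket if the group cannot be resolved.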

--- End Message ---
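The checks from the [Tests] section above, written out as an added example (this is not code from the bug report or from the swupdate package). It assumes GNU `stat` and the two ListenStream paths from debian/swupdate.socket; the helper names are my own.

```shell
#!/bin/sh
# Verifies that a control socket has the permissions the fix intends:
# mode 0660, group "swupdate", and no access bits for "other".
# Returns 0 when all conditions hold, 1 otherwise (reason on stderr).
check_socket_perms() {
    path=$1
    want_mode=${2:-660}
    want_group=${3:-swupdate}

    if [ ! -e "$path" ]; then
        echo "missing: $path" >&2
        return 1
    fi
    # GNU stat: %a = octal permission bits, %G = owning group name
    mode=$(stat -c '%a' "$path") || return 1
    group=$(stat -c '%G' "$path") || return 1

    # The original bug was world access: the "other" digit must be 0.
    case "$mode" in
        *0) ;;
        *) echo "world-accessible: $path mode $mode" >&2; return 1 ;;
    esac
    if [ "$mode" != "$want_mode" ]; then
        echo "unexpected mode: $path is $mode, want $want_mode" >&2
        return 1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "unexpected group: $path is $group, want $want_group" >&2
        return 1
    fi
    return 0
}

# Verifies that the account created by dh-sysuser exists.
check_sysuser() {
    getent passwd "${1:-swupdate}" >/dev/null
}

# Runs both checks against the socket paths from debian/swupdate.socket.
swupdate_socket_check() {
    rc=0
    for s in /tmp/sockinstctrl /tmp/swupdateprog; do
        check_socket_perms "$s" 660 swupdate || rc=1
    done
    check_sysuser swupdate || { echo "missing user: swupdate" >&2; rc=1; }
    return $rc
}
```

Run `swupdate_socket_check` on a system with the socket unit active; a non-zero exit with the reason on stderr means the fix did not take effect.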
--- Begin Message ---
Version: 12.5

The upload requested in this bug has been released as part of 12.5.

--- End Message ---
