Date: Friday, February 9, 2018 @ 18:19:03 Author: andyrtr Revision: 316532
upgpkg: man-db 2.8.1-1 upstream update 2.8.1 Modified: man-db/trunk/PKGBUILD Deleted: man-db/trunk/fix_manconv_under_seccomp_when_man_is_setuid.diff man-db/trunk/refactor_do_system_drop_privs.diff ---------------------------------------------------+ PKGBUILD | 22 --- fix_manconv_under_seccomp_when_man_is_setuid.diff | 127 -------------------- refactor_do_system_drop_privs.diff | 121 ------------------- 3 files changed, 6 insertions(+), 264 deletions(-) Modified: PKGBUILD
===================================================================
--- PKGBUILD 2018-02-09 18:16:57 UTC (rev 316531)
+++ PKGBUILD 2018-02-09 18:19:03 UTC (rev 316532)
@@ -3,8 +3,8 @@
 # Contributor: Sergej Pupykin <ser...@aur.archlinux.org>
 pkgname=man-db
-pkgver=2.8.0
-pkgrel=2
+pkgver=2.8.1
+pkgrel=1
 pkgdesc="A utility for reading man pages"
 arch=('x86_64')
 url="http://www.nongnu.org/man-db/"
@@ -18,27 +18,17 @@
 provides=('man')
 replaces=('man')
 install=${pkgname}.install
-source=(https://download-mirror.savannah.gnu.org/releases/man-db/$pkgname-$pkgver.tar.xz{,.sig}
- fix_manconv_under_seccomp_when_man_is_setuid.diff
- refactor_do_system_drop_privs.diff
+source=(#https://download-mirror.savannah.gnu.org/releases/man-db/$pkgname-$pkgver.tar.xz{,.sig}
+ https://savannah.nongnu.org/download/man-db/$pkgname-$pkgver.tar.xz{,.asc}
 convert-mans
 man-db.{timer,service})
-sha512sums=('06f52ecd6e7ced858a32117ea4be3ed5fc3d4428cb810d31b85dd75556e999f5badc6eb81f642b56afe2a697462ccca9fd8cc5ecfbd40f132d5a74f84f316d39'
+validpgpkeys=('AC0A4FF12611B6FCCF01C111393587D97D86500B') # Colin Watson <cjwat...@debian.org>
+sha512sums=('82e75df32eb8575f47c3f36b5f2bbc827776747abfa39af589802e6566636c0771df0ee3197cb2bec3318c3055ff4e9d04c7da13b3bc6ea8a1ea1b1340554ef0'
 'SKIP'
- 'd9a16db27cb6bf4d6d134f2e18d8eedf136ac258a2ad76fdd59ff617bf532fe474eef39856d623c7773eb6e0f8de76f0eaaee846ef4dc02a84b6f62e449821d7'
- '1ab8fc3a88dec9dae05fdbfaac8d1c8d37be203f0d37734ef7fbe802590a8d682a9c55ec84608e42e34b2b7cf1640c63c094c733a7f7c21b07e0c9d0e891db03'
 '0b159285da20008f0fc0afb21f1eaebd39e8df5b0594880aa0e8a913b656608b8d16bb8d279d9e62d7aae52f62cb9b2fc49e237c6711f4a5170972b38d345535'
 '2ed529500fbe18ba00ac7a6fc4c9da59e396464afb256db33f462b1127e497916602370e65e485c8d788c839f5b1b1130028502f61e1cc9ec8571ad6dd993738'
 '76f8d51866418b612a72deaf3b07134d416a6d014dd3883fa78e08683c6b08553f483a4384ac87da25ac9896faa4807842fc69c42950cefe3c1c0590883aa600')
-validpgpkeys=('AC0A4FF12611B6FCCF01C111393587D97D86500B') # Colin Watson <cjwat...@debian.org>
-prepare() {
- cd ${pkgname}-${pkgver}
- patch -Np1 -i $srcdir/refactor_do_system_drop_privs.diff
- # FS#57436
- patch -Np1 -i $srcdir/fix_manconv_under_seccomp_when_man_is_setuid.diff
-}
-
 build() {
 cd ${pkgname}-${pkgver}
 ./configure --prefix=/usr \
Deleted: fix_manconv_under_seccomp_when_man_is_setuid.diff
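Review bot: Dropping `prepare()` removes both setuid-related patches (the FS#57436 fix that drops privileges before the seccomp sandbox is loaded, and the `drop_privs` refactor it builds on) without anything in the commit recording that 2.8.1 ships them. Both are upstream commits dated 7 Feb 2018, so they are presumably in the release, but this is worth confirming against the 2.8.1 source and stating in the commit message. Separately, `source=(#https://download-mirror...` keeps a dead URL inside the array opener and relies on `#` commenting out the rest of that line; `source=(https://savannah.nongnu.org/download/man-db/$pkgname-$pkgver.tar.xz{,.asc}` is clearer. The `SKIP` entry covers only the `.asc` signature, so the tarball stays pinned by both the sha512 sum and `validpgpkeys`.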
===================================================================
--- fix_manconv_under_seccomp_when_man_is_setuid.diff 2018-02-09 18:16:57 UTC (rev 316531)
+++ fix_manconv_under_seccomp_when_man_is_setuid.diff 2018-02-09 18:19:03 UTC (rev 316532)
@@ -1,127 +0,0 @@
-From 10027a400d6a05f463f3981e1191a2f35d0cc02b Mon Sep 17 00:00:00 2001
-From: Colin Watson <cjwat...@debian.org>
-Date: Wed, 7 Feb 2018 13:44:30 +0000
-Subject: Fix manconv under seccomp when man is setuid
-
-We must drop privileges before loading the sandbox.
-
-Reported by Lars Wendler.
-
-* src/manconv_client.c (manconv_pre_exec): New function.
-(manconv_stdin): Move setuid hack to ...
-(add_manconv): ... here, now implemented using a custom pre-exec hook.
-We no longer have a fall-through if dropping privileges fails, since
-that's now harder to do and wasn't really necessary in the first place.
----
- src/manconv_client.c | 80 +++++++++++++++++++++++++++++----------------------
- 1 file changed, 45 insertions(+), 35 deletions(-)
-
-diff --git a/src/manconv_client.c b/src/manconv_client.c
-index d6e010b..41ce479 100644
---- a/src/manconv_client.c
-+++ b/src/manconv_client.c
-@@ -56,41 +56,6 @@ static void manconv_stdin (void *data)
- struct manconv_codes *codes = data;
- pipeline *p;
-
--#ifdef MAN_OWNER
-- /* iconv_open may not work correctly in setuid processes; in GNU
-- * libc, gconv modules may be linked against other gconv modules and
-- * rely on RPATH $ORIGIN to load those modules from the correct
-- * path, but $ORIGIN is disabled in setuid processes. It is
-- * impossible to reset libc's idea of setuidness without creating a
-- * whole new process image. Therefore, if the calling process is
-- * setuid, we must drop privileges and execute manconv.
-- *
-- * If dropping privileges fails, fall through to the in-process
-- * code, as in some situations it may actually manage to work.
-- */
-- if (running_setuid () && !idpriv_drop ()) {
-- char **from_code;
-- char *sources = NULL;
-- pipecmd *cmd;
--
-- for (from_code = codes->from; *from_code; ++from_code) {
-- sources = appendstr (sources, *from_code, NULL);
-- if (*(from_code + 1))
-- sources = appendstr (sources, ":", NULL);
-- }
--
-- cmd = pipecmd_new_args (MANCONV, "-f", sources,
-- "-t", codes->to, NULL);
-- free (sources);
--
-- if (quiet >= 2)
-- pipecmd_arg (cmd, "-q");
--
-- pipecmd_exec (cmd);
-- /* never returns */
-- }
--#endif /* MAN_OWNER */
--
- p = decompress_fdopen (dup (STDIN_FILENO));
- pipeline_start (p);
- manconv (p, codes->from, codes->to);
-@@ -98,6 +63,17 @@ static void manconv_stdin (void *data)
- pipeline_free (p);
- }
-
-+#ifdef MAN_OWNER
-+static void manconv_pre_exec (void *data)
-+{
-+ /* We must drop privileges before loading the sandbox, since our
-+ * seccomp filter doesn't allow setresuid and friends.
-+ */
-+ drop_privs (NULL);
-+ sandbox_load (data);
-+}
-+#endif /* MAN_OWNER */
-+
- static void free_manconv_codes (void *data)
- {
- struct manconv_codes *codes = data;
-@@ -139,6 +115,40 @@ void add_manconv (pipeline *p, const char *source, const char *target)
- name = appendstr (name, " -t ", codes->to, NULL);
- if (quiet >= 2)
- name = appendstr (name, " -q", NULL);
-+
-+#ifdef MAN_OWNER
-+ /* iconv_open may not work correctly in setuid processes; in GNU
-+ * libc, gconv modules may be linked against other gconv modules and
-+ * rely on RPATH $ORIGIN to load those modules from the correct
-+ * path, but $ORIGIN is disabled in setuid processes. It is
-+ * impossible to reset libc's idea of setuidness without creating a
-+ * whole new process image. Therefore, if the calling process is
-+ * setuid, we must drop privileges and execute manconv.
-+ */
-+ if (running_setuid ()) {
-+ char **from_code;
-+ char *sources = NULL;
-+
-+ cmd = pipecmd_new_args (MANCONV, "-f", NULL);
-+ for (from_code = codes->from; *from_code; ++from_code) {
-+ sources = appendstr (sources, *from_code, NULL);
-+ if (*(from_code + 1))
-+ sources = appendstr (sources, ":", NULL);
-+ }
-+ pipecmd_arg (cmd, sources);
-+ free (sources);
-+ pipecmd_args (cmd, "-t", codes->to, NULL);
-+ if (quiet >= 2)
-+ pipecmd_arg (cmd, "-q");
-+ pipecmd_pre_exec (cmd, manconv_pre_exec, sandbox_free,
-+ sandbox);
-+ free (name);
-+ free_manconv_codes (codes);
-+ pipeline_command (p, cmd);
-+ return;
-+ }
-+#endif /* MAN_OWNER */
-+
- cmd = pipecmd_new_function (name, &manconv_stdin, &free_manconv_codes,
- codes);
- free (name);
---
-cgit v1.0-41-gc330
-
-
Deleted: refactor_do_system_drop_privs.diff
===================================================================
--- refactor_do_system_drop_privs.diff 2018-02-09 18:16:57 UTC (rev 316531)
+++ refactor_do_system_drop_privs.diff 2018-02-09 18:19:03 UTC (rev 316532)
@@ -1,121 +0,0 @@
-From 24624eaf853158856b8fd0a6f78c873475a16686 Mon Sep 17 00:00:00 2001
-From: Colin Watson <cjwat...@debian.org>
-Date: Wed, 7 Feb 2018 12:23:15 +0000
-Subject: Refactor do_system_drop_privs
-
-Now that we have pipecmd_pre_exec, this can be simplified quite a bit.
-
-* lib/security.c (drop_privs): New function.
-(do_system_drop_privs_child, do_system_drop_privs): Remove.
-* lib/security.h (drop_privs): Add prototype.
-(do_system_drop_privs): Remove prototype.
-* src/man.c (make_browser): Add drop_privs pre-exec hook to browser
-command.
-(format_display): Call browser using pipeline_run rather than
-do_system_drop_privs, since it now has a pre-exec hook to drop
-privileges.
----
- lib/security.c | 37 +++----------------------------------
- lib/security.h | 2 +-
- src/man.c | 7 +++++--
- 3 files changed, 9 insertions(+), 37 deletions(-)
-
-diff --git a/lib/security.c b/lib/security.c
-index 6e84de8..c9b365d 100644
---- a/lib/security.c
-+++ b/lib/security.c
-@@ -158,42 +158,11 @@ void regain_effective_privs (void)
- #endif /* MAN_OWNER */
- }
-
--#ifdef MAN_OWNER
--void do_system_drop_privs_child (void *data)
-+/* Pipeline command pre-exec hook to permanently drop privileges. */
-+void drop_privs (void *data ATTRIBUTE_UNUSED)
- {
-- pipeline *p = data;
--
-+#ifdef MAN_OWNER
- if (idpriv_drop ())
- gripe_set_euid ();
-- exit (pipeline_run (p));
--}
--#endif /* MAN_OWNER */
--
--/* The safest way to execute a pipeline with no effective privileges is to
-- * fork, permanently drop privileges in the child, run the pipeline from the
-- * child, and wait for it to die.
-- *
-- * It is possible to use saved IDs to avoid the fork, since effective IDs
-- * are copied to saved IDs on execve; we used to do this. However, forking
-- * is not expensive enough to justify the extra code.
-- *
-- * Note that this frees the supplied pipeline.
-- */
--int do_system_drop_privs (pipeline *p)
--{
--#ifdef MAN_OWNER
-- pipecmd *child_cmd;
-- pipeline *child;
-- int status;
--
-- child_cmd = pipecmd_new_function ("unprivileged child",
-- do_system_drop_privs_child, NULL, p);
-- child = pipeline_new_commands (child_cmd, NULL);
-- status = pipeline_run (child);
--
-- pipeline_free (p);
-- return status;
--#else /* !MAN_OWNER */
-- return pipeline_run (p);
- #endif /* MAN_OWNER */
- }
-diff --git a/lib/security.h b/lib/security.h
-index 7545502..851127d 100644
---- a/lib/security.h
-+++ b/lib/security.h
-@@ -27,7 +27,7 @@
- /* security.c */
- extern void drop_effective_privs (void);
- extern void regain_effective_privs (void);
--extern int do_system_drop_privs (struct pipeline *p);
-+extern void drop_privs (void *data);
- extern void init_security (void);
- extern int running_setuid (void);
- extern struct passwd *get_man_owner (void);
-diff --git a/src/man.c b/src/man.c
-index 959d6cc..ff7ebc7 100644
---- a/src/man.c
-+++ b/src/man.c
-@@ -1481,6 +1481,7 @@ static pipeline *make_roff_command (const char *dir, const char *file,
- static pipeline *make_browser (const char *pattern, const char *file)
- {
- pipeline *p;
-+ pipecmd *cmd;
- char *browser = xmalloc (1);
- int found_percent_s = 0;
- char *percent;
-@@ -1526,7 +1527,9 @@ static pipeline *make_browser (const char *pattern, const char *file)
- free (esc_file);
- }
-
-- p = pipeline_new_command_args ("/bin/sh", "-c", browser, NULL);
-+ cmd = pipecmd_new_args ("/bin/sh", "-c", browser, NULL);
-+ pipecmd_pre_exec (cmd, drop_privs, NULL, NULL);
-+ p = pipeline_new_commands (cmd, NULL);
- pipeline_ignore_signals (p, 1);
- free (browser);
-
-@@ -2021,7 +2024,7 @@ static void format_display (pipeline *decomp,
- pipeline *browser;
- debug ("Trying browser: %s\n", candidate);
- browser = make_browser (candidate, htmlfile);
-- disp_status = do_system_drop_privs (browser);
-+ disp_status = pipeline_run (browser);
- if (!disp_status)
- break;
- }
---
-cgit v1.0-41-gc330
-
-