Your message dated Mon, 24 May 2021 06:43:36 +0200
with message-id <[email protected]>
and subject line Re: Bug#989025: unblock: micro-evtd/3.4-7
has caused the Debian Bug report #989025,
regarding unblock: micro-evtd/3.4-7
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
989025: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989025
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package micro-evtd
[ Reason ]
Fix micro-evtd creating its pid and status files in /var/run with
world-writable permissions (#988119).
[ Impact ]
- The pid and status files in /var/run are mode 666, which could be a
potential security issue.
- micro-evtd does not stop when asked to with "/etc/init.d/micro-evtd
stop", because start-stop-daemon refuses to use the insecure pid file.
- Because of that, the daemon also does not restart on upgrade as it
should, instead the old version remains running.
[ Tests ]
There are no automated tests. I manually tested the install and upgrade
cases (testing→unstable).
[ Risks ]
The change should be trivial, but it is possible (if unlikely) that I
missed some case where the umask 000 was actually needed.
[ Checklist ]
[✓] all changes are documented in the d/changelog
[✓] I reviewed all changes and I approve them
[✓] attach debdiff against the package in testing
[ Other info ]
The package builds a udeb. I tested an installation using a d-i daily
build with the updated package included, and confirmed the corrected
file permissions in the d-i environment.
The issue exists already in buster (not a regression).
unblock micro-evtd/3.4-7
Thank you,
Ryan
diff -Nru micro-evtd-3.4/debian/changelog micro-evtd-3.4/debian/changelog
--- micro-evtd-3.4/debian/changelog 2021-05-03 20:22:09.000000000 -0700
+++ micro-evtd-3.4/debian/changelog 2021-05-22 00:40:17.000000000 -0700
@@ -1,3 +1,12 @@
+micro-evtd (3.4-7) unstable; urgency=medium
+
+ [ Ryan Tandy ]
+ * Fix world-writable pid and status files in /var/run (Closes: #988119)
+ - Patch micro-evtd.c to reset umask to 022 instead of 0.
+ - Fix permissions on existing files on upgrade.
+
+ -- Roger Shimizu <[email protected]> Sat, 22 May 2021 16:40:17 +0900
+
micro-evtd (3.4-6) unstable; urgency=medium
[ Ryan Tandy ]
diff -Nru micro-evtd-3.4/debian/micro-evtd.postinst
micro-evtd-3.4/debian/micro-evtd.postinst
--- micro-evtd-3.4/debian/micro-evtd.postinst 2021-05-03 20:22:09.000000000
-0700
+++ micro-evtd-3.4/debian/micro-evtd.postinst 2021-05-22 00:40:17.000000000
-0700
@@ -14,6 +14,18 @@
rm /usr/sbin/micro-evtd.status
fi
fi
+
+ if dpkg --compare-versions "$2" lt-nl "3.4-7~"; then
+ # Fix permissions on the existing pid file
+ # so that the daemon is actually restarted
+ if [ -f /var/run/micro-evtd.pid ]; then
+ chmod 644 /var/run/micro-evtd.pid
+ fi
+
+ if [ -f /var/run/micro-evtd.status ]; then
+ chmod 644 /var/run/micro-evtd.status
+ fi
+ fi
;;
*)
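Review bot: In the added upgrade block, `chmod 644 /var/run/micro-evtd.pid` makes start-stop-daemon accept the pid file again, but any local user could have rewritten its contents while it was mode 666, and nothing here checks that the pid inside still belongs to micro-evtd. Consider validating the recorded pid against the running daemon before the chmod, or removing the old file and stopping the daemon by executable name, so that a later "/etc/init.d/micro-evtd stop" does not act on a pid chosen by an unprivileged user. The same applies to the contents of the status file. The `[ -f ... ]` guards and the `lt-nl "3.4-7~"` comparison look right for limiting this to upgrades from affected versions.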
diff -Nru
micro-evtd-3.4/debian/patches/0008-Don-t-create-world-writable-files.patch
micro-evtd-3.4/debian/patches/0008-Don-t-create-world-writable-files.patch
--- micro-evtd-3.4/debian/patches/0008-Don-t-create-world-writable-files.patch
1969-12-31 16:00:00.000000000 -0800
+++ micro-evtd-3.4/debian/patches/0008-Don-t-create-world-writable-files.patch
2021-05-22 00:40:17.000000000 -0700
@@ -0,0 +1,26 @@
+From: Ryan Tandy <[email protected]>
+Date: Fri, 21 May 2021 13:06:41 -0700
+Subject: Don't create world-writable files
+
+Set umask to 022 on startup instead of 000.
+
+Fixes the pid and status files being created world-writable.
+
+Bug-Debian: https://bugs.debian.org/988119
+---
+ src/micro-evtd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/micro-evtd.c b/src/micro-evtd.c
+index da91549..cc05b6a 100644
+--- a/src/micro-evtd.c
++++ b/src/micro-evtd.c
+@@ -1777,7 +1777,7 @@ int main(int argc, char *argv[])
+ setsid();
+
+ /* clear file creation mask */
+- umask(0);
++ umask(022);
+
+ // Lock out device resource
+ getResourceLock();
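Review bot: The unchanged context comment `/* clear file creation mask */` directly above the changed line no longer describes the code, since `umask(022)` sets a restrictive mask rather than clearing it; update the comment in the same patch. Because the fix relies on the process-wide mask, every file the daemon creates after this point loses group and other write permission, which is the case the Risks section flags. It is worth checking the remaining file-creating calls in micro-evtd.c for anything that depended on the old mask, and giving the pid and status files an explicit creation mode so they do not depend on the mask at all.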
diff -Nru micro-evtd-3.4/debian/patches/series
micro-evtd-3.4/debian/patches/series
--- micro-evtd-3.4/debian/patches/series 2021-05-03 20:22:09.000000000
-0700
+++ micro-evtd-3.4/debian/patches/series 2021-05-22 00:40:17.000000000
-0700
@@ -5,3 +5,4 @@
0005-Check-for-mmap-returning-MAP_FAILED.patch
0006-Match-default-temperature-configuration-to-the-confi.patch
0007-Fix-FTBFS-with-glibc-2.30.patch
+0008-Don-t-create-world-writable-files.patch
--- End Message ---
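The effect described in the request above, as an added example that is not part of the original message or of micro-evtd's source: it shows how the startup umask decides the mode of a newly created pid file, and that an explicit creation mode stays safe even under umask 0. It assumes the file is created with fopen() (the page does not show that code); `created_mode`, `create_how` and the scratch path under /tmp are hypothetical names constructed for the demo.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* How the demo file is created (hypothetical names, added example). */
enum create_how { VIA_FOPEN, VIA_OPEN_0644 };

/* Create a pid-style file in a private scratch directory under the given
 * umask and return its permission bits (e.g. 0644), or -1 on error.
 * The scratch path is constructed for this demo and removed afterwards. */
int created_mode(mode_t mask, enum create_how how)
{
    char dir[64], path[96];
    struct stat st;
    FILE *f = NULL;
    int fd = -1, result = -1;

    snprintf(dir, sizeof dir, "/tmp/umask-demo-%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0)          /* fails if the name already exists */
        return -1;
    snprintf(path, sizeof path, "%s/demo.pid", dir);

    mode_t saved = umask(mask);         /* stands in for the daemon's startup call */
    if (how == VIA_FOPEN)
        f = fopen(path, "w");           /* fopen() always requests mode 0666 */
    else
        fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    umask(saved);

    if (f != NULL)
        fclose(f);
    if (fd >= 0)
        close(fd);
    if (stat(path, &st) == 0) {
        result = (int)(st.st_mode & 0777);
        unlink(path);
    }
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("umask 000, fopen:      %04o\n", (unsigned)created_mode(0, VIA_FOPEN));
    printf("umask 022, fopen:      %04o\n", (unsigned)created_mode(022, VIA_FOPEN));
    printf("umask 000, open(0644): %04o\n", (unsigned)created_mode(0, VIA_OPEN_0644));
    return 0;
}
```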
--- Begin Message ---
Hi Ryan
On 24-05-2021 00:42, Ryan Tandy wrote:
> Please unblock package micro-evtd
Unblocked.
Paul
--- End Message ---