Your message dated Sat, 10 Feb 2024 13:02:57 +0000
with message-id <[email protected]>
and subject line Released with 11.9
has caused the Debian Bug report #1056970,
regarding bullseye-pu: package swupdate/2020.11-2+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1056970: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056970
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Control: affects -1 + src:swupdate
X-Debbugs-Cc: [email protected]
User: [email protected]
Usertags: pu
Tags: bullseye
Severity: normal

[ Reason ]
There is a local privilege escalation in the swupdate package because the
service's control socket has world-writable file permissions.

[ Impact ]
The rights of the swupdate daemon, which is usually used to run full
system updates, can be acquired by any user on the system.

[ Tests ]
Run the service and check that the control socket is created with the
reduced permission set. Also check that the service user "swupdate" is created.

[ Risks ]
None.

[ Checklist ]
   [x] *all* changes are documented in the d/changelog
   [x] I reviewed all changes and I approve them
   [x] attach debdiff against the package in oldstable
   [x] the issue is verified as fixed in unstable
diff -Nru swupdate-2020.11/debian/changelog swupdate-2020.11/debian/changelog
--- swupdate-2020.11/debian/changelog   2021-01-19 08:56:14.000000000 +0100
+++ swupdate-2020.11/debian/changelog   2023-11-27 11:10:38.000000000 +0100
@@ -1,3 +1,10 @@
+swupdate (2020.11-2+deb11u1) bullseye; urgency=medium
+
+  * Add swupdate system user
+  * Create the sockets for group use with SocketMode 0660
+
+ -- Bastian Germann <[email protected]>  Mon, 27 Nov 2023 11:10:38 +0100
+
 swupdate (2020.11-2) unstable; urgency=medium
 
   [ Bastian Germann ]
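Review bot: The two bullets in the new 2020.11-2+deb11u1 entry name the changes but not the reason for them. A reader of the changelog cannot tell that this upload fixes a world-writable control socket that allowed local privilege escalation. State that in the entry and reference the bug it addresses, so that the stable update is recognisable as a security fix.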
diff -Nru swupdate-2020.11/debian/control swupdate-2020.11/debian/control
--- swupdate-2020.11/debian/control     2021-01-19 08:55:59.000000000 +0100
+++ swupdate-2020.11/debian/control     2023-11-27 11:10:38.000000000 +0100
@@ -6,6 +6,7 @@
            Nobuhiro Iwamatsu <[email protected]>
 Build-Depends: debhelper-compat (= 13),
                dh-lua <!nolua>,
+               dh-sysuser,
                liblua5.2-dev <!nolua>,
                libfdisk-dev,
                latexmk <!nodoc>,
diff -Nru swupdate-2020.11/debian/rules swupdate-2020.11/debian/rules
--- swupdate-2020.11/debian/rules       2020-12-28 09:58:21.000000000 +0100
+++ swupdate-2020.11/debian/rules       2023-11-27 11:10:38.000000000 +0100
@@ -13,7 +13,7 @@
 export LUA_VERSION=5.2
 export LUA_MODNAME=lua_swupdate
 export PKG_NAME=swupdate
-export DH_WITH=--with lua
+export DH_WITH=,lua
 export HAVE_LUA=y
 endif
 
@@ -87,4 +87,4 @@
        dh_missing --fail-missing
 
 %:
-       dh $@ $(DH_WITH)
+       dh $@ --with sysuser$(DH_WITH)
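Review bot: `--with sysuser$(DH_WITH)` on the `dh $@` line expands correctly only when DH_WITH is empty or begins with a comma, which is why the Lua branch now exports `DH_WITH=,lua`. That coupling is easy to break in a later edit. Put a comment next to the export, or build a complete addon list in one variable (for example `sysuser,lua`) and pass it to a single `--with`.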
diff -Nru swupdate-2020.11/debian/swupdate.socket 
swupdate-2020.11/debian/swupdate.socket
--- swupdate-2020.11/debian/swupdate.socket     2020-12-28 09:58:21.000000000 
+0100
+++ swupdate-2020.11/debian/swupdate.socket     2023-11-27 11:10:38.000000000 
+0100
@@ -6,6 +6,8 @@
 [Socket]
 ListenStream=/tmp/sockinstctrl
 ListenStream=/tmp/swupdateprog
+SocketMode=0660
+SocketGroup=swupdate
 
 [Install]
 WantedBy=sockets.target
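Review bot: SocketMode=0660 and SocketGroup=swupdate close the sockets to other users, but both ListenStream paths in the context lines stay under /tmp, a directory every local user can write to, with fixed names. If the paths compiled into the clients allow it, a directory under /run would be the better place. If they have to stay for a stable update, say so in the changelog. It is also worth documenting that membership of group swupdate now grants read and write access to the control socket, and with it the rights described under [ Impact ].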
diff -Nru swupdate-2020.11/debian/swupdate.sysuser 
swupdate-2020.11/debian/swupdate.sysuser
--- swupdate-2020.11/debian/swupdate.sysuser    1970-01-01 01:00:00.000000000 
+0100
+++ swupdate-2020.11/debian/swupdate.sysuser    2023-11-27 11:10:38.000000000 
+0100
@@ -0,0 +1 @@
+swupdate defaults
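Review bot: `swupdate defaults` creates the account, but nothing in this debdiff runs the daemon as that user or adds anyone to its group; the only consumer visible here is SocketGroup=swupdate in swupdate.socket. A short note in the changelog or a README.Debian saying that the account exists to provide the socket's group, and how an administrator gives a client access, would help.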

--- End Message ---
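The check described under [ Tests ] can be scripted as follows. This is an added example, not part of the original report or of the swupdate package; the socket paths and the group name come from the debdiff, while the function names and the `--run` argument are assumptions of this sketch. It accepts any mode that grants nothing to "other", which is slightly more general than the exact 0660 set by the patch.

```shell
#!/bin/sh
# Added example: verify the socket permissions and the system user on an
# installed system. Paths and group name are taken from the debdiff.

# Succeeds only if the octal mode (as printed by stat %a) grants nothing to "other".
mode_denies_others() {
    case "$1" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# check_socket PATH GROUP: PATH must be a socket, owned by GROUP, closed to others.
check_socket() {
    path=$1 group=$2
    [ -S "$path" ] || { echo "FAIL $path: not a socket"; return 1; }
    mode=$(stat -c '%a' "$path") || return 1
    owner_group=$(stat -c '%G' "$path") || return 1
    mode_denies_others "$mode" || { echo "FAIL $path: mode $mode is open to others"; return 1; }
    [ "$owner_group" = "$group" ] || { echo "FAIL $path: group is $owner_group"; return 1; }
    echo "OK   $path: mode $mode group $owner_group"
}

# check_swupdate: run both checks from [ Tests ]; non-zero if any of them fails.
check_swupdate() {
    rc=0
    getent passwd swupdate >/dev/null || { echo "FAIL user swupdate missing"; rc=1; }
    for s in /tmp/sockinstctrl /tmp/swupdateprog; do
        check_socket "$s" swupdate || rc=1
    done
    return $rc
}

# Only touch the system when asked to, so the functions can be sourced safely.
if [ "${1:-}" = "--run" ]; then
    check_swupdate
fi
```

Run it with `--run` after starting swupdate.socket; a non-zero exit status means at least one check failed.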
--- Begin Message ---
Version: 11.9

The upload requested in this bug has been released as part of 11.9.

--- End Message ---
