Package: release.debian.org Severity: normal User: [email protected] Usertags: unblock
Please unblock package ncpfs While browsing the open RC bugs, I saw that the unblock for ncpfs is missing. (I did not prepare the upload; the package is orphaned). It fixes 4 release-critical bugs: 692470 ncpfs - ncpmount fiddles with /etc/mtab 692471 ncpfs - Fails to build two times 692472 ncpfs - Fails with Cannot convert kernel release "3.6-trunk-amd64" to number 692929 ncpfs - ncpmount is suid root Additionally, the new package adds hardening. Debdiff is attached. Thanks unblock ncpfs/2.2.6-9 -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-4-amd64 (SMP w/3 CPU cores) Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash
diff -Nru ncpfs-2.2.6/debian/changelog ncpfs-2.2.6/debian/changelog --- ncpfs-2.2.6/debian/changelog 2010-06-08 11:13:40.000000000 +0200 +++ ncpfs-2.2.6/debian/changelog 2012-11-12 15:07:33.000000000 +0100 @@ -1,3 +1,17 @@ +ncpfs (2.2.6-9) unstable; urgency=low + + * QA upload. + * Drop generated file so package can be build twice. (closes: #692471) + * Remove all mtab fiddling. (closes: #692470) + - Depend on new enough initscripts. + * Remove kernel interface selection. (closes: #692472) + * Use hardening flags. + - Make sure LDFLAGS is used. + * Don't install ncpmount and ncpumount as suid root. (closes: #692929) + - Drop lintian overrides. + + -- Bastian Blank <[email protected]> Mon, 12 Nov 2012 14:07:30 +0000 + ncpfs (2.2.6-8) unstable; urgency=low * QA upload diff -Nru ncpfs-2.2.6/debian/control ncpfs-2.2.6/debian/control --- ncpfs-2.2.6/debian/control 2010-03-27 06:20:44.000000000 +0100 +++ ncpfs-2.2.6/debian/control 2012-11-12 14:58:23.000000000 +0100 @@ -2,7 +2,7 @@ Section: net Priority: extra Maintainer: Debian QA Group <[email protected]> -Build-Depends: debhelper (>= 7), libpam0g-dev, gettext, autotools-dev +Build-Depends: debhelper (>= 7), dpkg-dev (>= 1.16.1), libpam0g-dev, gettext, autotools-dev Standards-Version: 3.8.4 Homepage: ftp://platan.vc.cvut.cz/pub/linux/ncpfs/ @@ -10,7 +10,7 @@ Replaces: ncpfsx Conflicts: ncpfsx, suidmanager (<< 0.50) Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends}, libpam-ncp +Depends: ${shlibs:Depends}, ${misc:Depends}, libpam-ncp, initscripts (>= 2.88dsf-14) Suggests: ipx Description: utilities to use resources from NetWare servers This package contains utilities to mount volumes from NetWare servers. Also diff -Nru ncpfs-2.2.6/debian/ncpfs.lintian-overrides ncpfs-2.2.6/debian/ncpfs.lintian-overrides --- ncpfs-2.2.6/debian/ncpfs.lintian-overrides 2010-03-27 05:18:45.000000000 +0100 +++ ncpfs-2.2.6/debian/ncpfs.lintian-overrides 2012-11-12 14:49:28.000000000 +0100 
@@ -1,7 +1,2 @@ -# These have to be setuid, so we override lintian as being informed every time -# is not that useful. -ncpfs binary: setuid-binary usr/bin/ncpmount 4755 root/root -ncpfs binary: setuid-binary usr/bin/ncpumount 4755 root/root -ncpfs binary: setuid-binary usr/bin/nwsfind 4755 root/root # A few old changelog entries have no associated date. ncpfs binary: syntax-error-in-debian-changelog diff -Nru ncpfs-2.2.6/debian/patches/drop-kernel-check ncpfs-2.2.6/debian/patches/drop-kernel-check --- ncpfs-2.2.6/debian/patches/drop-kernel-check 1970-01-01 00:00:00.000000000 +0000 +++ ncpfs-2.2.6/debian/patches/drop-kernel-check 2012-11-11 18:46:41.000000000 +0100 @@ -0,0 +1,30 @@ +Description: Drop kernel version check +Author: Bastian Blank <[email protected]> +Bug-Debian: http://bugs.debian.org/692472 + +--- ncpfs-2.2.6.orig/sutil/ncpm_common.c ++++ ncpfs-2.2.6/sutil/ncpm_common.c +@@ -243,23 +243,6 @@ static int load_ncpfs(void) + #endif /* MOUNT2 */ + + static int getmountver(void) { +- struct utsname name; +- int maj, mid, rev; +- int ver; +- +- if (uname(&name)) { +- errexit(1, _("Cannot get kernel release\n")); +- } +- if (sscanf(name.release, "%d.%d.%d", &maj, &mid, &rev) != 3) { +- errexit(2, _("Cannot convert kernel release \"%s\" to number\n"), name.release); +- } +- ver = maj*0x10000 + mid*0x100 + rev; +- if (ver < 0x20100) +- return 2; +- if (ver < 0x20328) +- return 3; +- if (ver < 0x2051F) +- return 4; + return 5; + } + diff -Nru ncpfs-2.2.6/debian/patches/drop-mtab-support ncpfs-2.2.6/debian/patches/drop-mtab-support --- ncpfs-2.2.6/debian/patches/drop-mtab-support 1970-01-01 00:00:00.000000000 +0000 +++ ncpfs-2.2.6/debian/patches/drop-mtab-support 2012-11-11 18:45:03.000000000 +0100 
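Review bot: After this patch `getmountver()` in sutil/ncpm_common.c is a bare `return 5;` with nothing saying why, and the removed thresholds were the only record that 5 is what kernels at or above 0x2051F (2.5.31) got. I would add a comment above the return, e.g. `/* Kernels older than 2.5.31 are no longer supported; always use mount version 5. */`, so the constant is not mistaken for a stub. If `struct utsname` is not used elsewhere in the file, the matching `<sys/utsname.h>` include can go as well; the include block is outside this hunk, so that needs checking.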
@@ -0,0 +1,268 @@ +Description: Drop all mtab writes +Author: Bastian Blank <[email protected]> +Bug-Debian: http://bugs.debian.org/692470 + +--- ncpfs-2.2.6.orig/sutil/ncpm_common.h ++++ ncpfs-2.2.6/sutil/ncpm_common.h +@@ -60,7 +60,6 @@ void verify_argv(int argc, char* argv[]) + int ncp_mount_specific(struct ncp_conn* conn, int pathNS, const unsigned char* NWpath, int pathlen); + int mount_ok(struct stat *st); + void mycom_err(int, const char*, ...); +-void add_mnt_entry(char* mount_name, char* mpoint, unsigned long flags); + + struct ncp_mount_info { + struct ncp_mount_data_independent mdata; +--- ncpfs-2.2.6.orig/sutil/ncpm_common.c ++++ ncpfs-2.2.6/sutil/ncpm_common.c +@@ -104,7 +104,6 @@ + #include <stdlib.h> + #include <stdarg.h> + #include <sys/mount.h> +-#include <mntent.h> + #include <ncp/kernel/ipx.h> + #include <sys/ioctl.h> + #if MOUNT3 +@@ -1440,68 +1439,6 @@ static const struct smntflags { + {MS_NODIRATIME, "nodiratime"}, + {0, NULL}}; + +-void add_mnt_entry(char* mount_name, char* mpnt, unsigned long flags) { +- const struct smntflags* sf; +- char mnt_opts[80]; +- char* p; +- struct mntent ment; +- int fd; +- FILE* mtab; +- +- if (check_name(mount_name) == -1 || check_name(mpnt) == -1) +- errexit(107, _("Illegal character in mount entry\n")); +- +- ment.mnt_fsname = mount_name; +- ment.mnt_dir = mpnt; +- ment.mnt_type = (char*)"ncpfs"; +- ment.mnt_opts = mnt_opts; +- ment.mnt_freq = 0; +- ment.mnt_passno = 0; +- +- p = mnt_opts; +- *p++ = 'r'; +- *p++ = (flags & MS_RDONLY)?'o':'w'; +- for (sf = mntflags; sf->flag; sf++) { +- if (flags & sf->flag) { +- *p++ = ','; +- strcpy(p, sf->name); +- p += strlen(p); +- } +- } +- *p = 0; +- +- if (ncpm_suser()) { +- errexit(91, _("Cannot switch to superuser: %s\n"), strerror(errno)); +- } +- if ((fd = open(MOUNTED "~", O_RDWR | O_CREAT | O_EXCL, 0600)) == -1) +- { +- errexit(58, _("Can't get %s~ lock file\n"), MOUNTED); +- } +- close(fd); +- +- if ((mtab = setmntent(MOUNTED, "a+")) == NULL) +- { +- errexit(59, 
_("Can't open %s\n"), MOUNTED); +- } +- if (addmntent(mtab, &ment) == 1) +- { +- errexit(60, _("Can't write mount entry\n")); +- } +- if (fchmod(fileno(mtab), 0644) == -1) +- { +- errexit(61, _("Can't set perms on %s\n"), MOUNTED); +- } +- endmntent(mtab); +- +- if (unlink(MOUNTED "~") == -1) +- { +- errexit(62, _("Can't remove %s~\n"), MOUNTED); +- } +- if (ncpm_normal()) { +- errexit(90, _("Cannot relinquish superuser rights: %s\n"), strerror(EPERM)); +- } +-} +- + static int __proc_option(const struct optinfo* opts, struct ncp_mount_info* info, const char* opt, const char* param) { + const struct optinfo* optr; + +--- ncpfs-2.2.6.orig/sutil/ncpmount.c ++++ ncpfs-2.2.6/sutil/ncpmount.c +@@ -114,7 +114,6 @@ + #include <stdlib.h> + #include <stdarg.h> + #include <sys/mount.h> +-#include <mntent.h> + #include <ncp/kernel/ipx.h> + #include <ncp/nwclient.h> + #include <sys/ioctl.h> +@@ -719,11 +718,6 @@ ncpipx:; + } + ncp_close(conn); + +- if (!opt_n) { +- block_sigs(); +- add_mnt_entry(mount_name, mount_point, info.flags); +- unblock_sigs(); +- } + return 0; + } + +--- ncpfs-2.2.6.orig/sutil/ncplogin.c ++++ ncpfs-2.2.6/sutil/ncplogin.c +@@ -111,7 +111,6 @@ + #include <stdlib.h> + #include <stdarg.h> + #include <sys/mount.h> +-#include <mntent.h> + #include <ncp/kernel/ipx.h> + #include <sys/ioctl.h> + #ifdef CONFIG_NATIVE_UNIX +@@ -932,12 +931,6 @@ ncpipx:; + } + NWCCCloseConn(conn); + NWDSFreeContext(ctx); +- /* ncpmap, ncplogin must write in /etc/mtab */ +- { +- block_sigs(); +- add_mnt_entry(mount_name, mount_point, info.flags); +- unblock_sigs(); +- } + free(mount_name); + if (info.echo_mnt_pnt) { + printf(_("mounted on:%s\n"),mount_point); +--- ncpfs-2.2.6.orig/sutil/ncpumount.c ++++ ncpfs-2.2.6/sutil/ncpumount.c +@@ -186,108 +186,6 @@ static void enableAlarm(void) { + sigprocmask(SIG_UNBLOCK, &sa.sa_mask, NULL); + } + +-static int __clearMtab (const char* mount_points[], unsigned int numEntries) { +-// main logic from ncpumount.c +- struct mntent *mnt; +- FILE 
*mtab; +- FILE *new_mtab; +- +-#define MOUNTED_TMP MOUNTED".tmp" +- +- if ((mtab = setmntent(MOUNTED, "r")) == NULL){ +- eprintf(_("Can't open %s: %s\n"), MOUNTED, +- strerror(errno)); +- return 1; +- } +- +- if ((new_mtab = setmntent(MOUNTED_TMP, "w")) == NULL){ +- eprintf(_("Can't open %s: %s\n"), MOUNTED_TMP, +- strerror(errno)); +- endmntent(mtab); +- return 1; +- } +- while ((mnt = getmntent(mtab)) != NULL) { +- unsigned int i=0; +- int found=0; +- +- while (i<numEntries && !found) { +- found=!strcmp(mnt->mnt_dir, mount_points[i]); +- i++; +- } +- if (!found) { +- addmntent(new_mtab, mnt); +- } +- } +- +- endmntent(mtab); +- +- if (fchmod(fileno(new_mtab), S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) < 0){ +- eprintf(_("Error changing mode of %s: %s\n"), +- MOUNTED_TMP, strerror(errno)); +- return 1; +- } +- endmntent(new_mtab); +- +- if (rename(MOUNTED_TMP, MOUNTED) < 0){ +- eprintf(_("Cannot rename %s to %s: %s\n"), +- MOUNTED, MOUNTED_TMP, strerror(errno)); +- return 1; +- } +- return 0; +-} +- +-static int clearMtab (const char* mount_points[], unsigned int numEntries) { +- int fd; +- int err; +- int retries = 10; +- +- if (!numEntries) +- return 0; /* don't waste time ! 
*/ +- +- block_sigs(); +- +- while ((fd = open(MOUNTED "~", O_RDWR | O_CREAT | O_EXCL, 0600)) == -1) { +- struct timespec tm; +- +- if (errno != EEXIST || retries == 0) { +- unblock_sigs(); +- eprintf(_("Can't get %s~ lock file: %s\n"), MOUNTED, strerror(errno)); +- return 1; +- } +- fd = open(MOUNTED "~", O_RDWR); +- if (fd != -1) { +- alarm(10); +- err = lockf(fd, F_LOCK, 0); +- alarm(0); +- close(fd); +- if (err) { +- unblock_sigs(); +- eprintf(_("Can't lock lock file %s~: %s\n"), MOUNTED, _("Lock timed out")); +- return 1; +- } +- tm.tv_sec = 0; +- tm.tv_nsec = 20000000; +- nanosleep(&tm, NULL); +- } +- retries--; +- } +- alarm(1); +- lockf(fd, F_LOCK, 0); +- alarm(0); +- close(fd); +- +- err = __clearMtab(mount_points, numEntries); +- +- if ((unlink(MOUNTED "~") == -1) && (err == 0)){ +- unblock_sigs(); +- eprintf(_("Can't remove %s~"), MOUNTED); +- return 1; +- } +- unblock_sigs(); +- return err; +-} +- +- + int ncp_mnt_umount(const char *abs_mnt, const char *rel_mnt) + { + if (umount(rel_mnt) != 0) { +@@ -629,10 +527,6 @@ static int old_ncpumount(int argc, char + ret = 1; + continue; + } +- if (clearMtab(&mount_point, 1)) { +- ret = 1; +- continue; +- } + } + return ret; + } +@@ -751,7 +645,6 @@ main(int argc, char *argv[]) + if (serverName || allConns) { + processBindServers(conns,curEntries,serverName,umountTable,&mountEntries); + } +- clearMtab(umountTable, mountEntries); + } else if (treeName) { + eprintf(_("No NCP connections to tree %s.\n"),treeName); + } else if (serverName) { diff -Nru ncpfs-2.2.6/debian/patches/ldflags ncpfs-2.2.6/debian/patches/ldflags --- ncpfs-2.2.6/debian/patches/ldflags 1970-01-01 00:00:00.000000000 +0000 +++ ncpfs-2.2.6/debian/patches/ldflags 2012-11-11 19:03:50.000000000 +0100 
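Review bot: The `-n` handling in sutil/ncpmount.c is left half-removed: the hunk at line 719 deletes the only visible use of `opt_n`, so the option is presumably still parsed but now does nothing. I would keep accepting it for compatibility and say so at its declaration, e.g. `/* -n is accepted and ignored: ncpmount no longer writes /etc/mtab */`, and adjust the man page to match. In sutil/ncpm_common.c the `mntflags` table that `add_mnt_entry()` walked may now be an unused static; the rest of the file is outside the hunk, so check the build log for a warning. sutil/ncpumount.c, unlike the other three files, does not lose its `<mntent.h>` include, which suggests it still reads the mount table; that is only accurate when /etc/mtab reflects the kernel's view, so the patch header should state that it relies on the new initscripts dependency.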
@@ -0,0 +1,77 @@ +Description: Add usage of LDFLAGS +Author: Bastian Blank <[email protected]> + +--- ncpfs-2.2.6.orig/Make.rules.in ++++ ncpfs-2.2.6/Make.rules.in +@@ -43,6 +43,8 @@ CFLAGS_DEFINES := -DN_PLAT_LINUX -DLOCAL + + CCFLAGS := $(CFLAGS_DEFINES) $(CFLAGS_OPTIONS) $(INCLUDES) + ++LDFLAGS := @LDFLAGS@ ++ + # If your system is ELF, either also do a 'make install', or append the util/ + # directory where the dynamic library resides to the environment + # variable LD_LIBRARY_PATH +--- ncpfs-2.2.6.orig/sutil/Makefile.in ++++ ncpfs-2.2.6/sutil/Makefile.in +@@ -85,7 +85,7 @@ ncpm_common.d mount_login.d: %.d: %.c + [ -s $@ ] || rm -f $@ + + $(UTILS): %: %.o ../lib/libncp.a ncpm_common.o mount_login.o +- $(CC) @GC_SECTIONS@-o $@ $(addsuffix .o,$@) $(LDFLAGS_$@) ../lib/libncp.a ${LIBS} ++ $(CC) @GC_SECTIONS@-o $@ $(addsuffix .o,$@) $(LDFLAGS_$@) $(LDFLAGS) ../lib/libncp.a ${LIBS} + + ../lib/libncp.a: + make -C ../lib libncp.a +--- ncpfs-2.2.6.orig/ipx-1.0/Makefile.in ++++ ncpfs-2.2.6/ipx-1.0/Makefile.in +@@ -33,10 +33,10 @@ $(ALL_OBJECTS): %.o: %.c + [ -s $@ ] || rm -f $@ + + $(UTIIPX): %: %.o ipxutil.o +- $(CC) $(CFLAGS) -o $@ $(addsuffix .o,$@) ipxutil.o ${LIBS} ++ $(CC) $(CFLAGS) -o $@ $(addsuffix .o,$@) ipxutil.o $(LDFLAGS) ${LIBS} + + $(UTILS): %: %.o +- $(CC) $(CFLAGS) -o $@ $(addsuffix .o,$@) ${LIBS} ++ $(CC) $(CFLAGS) -o $@ $(addsuffix .o,$@) $(LDFLAGS) ${LIBS} + + $(MAN8GZ): %.gz: % + gzip -9 -c $< >$@ +--- ncpfs-2.2.6.orig/util/Makefile.in ++++ ncpfs-2.2.6/util/Makefile.in +@@ -94,10 +94,10 @@ $(O_USERUTILS) $(O_SBINUTILS) $(O_OTHER) + pqstat nwpqjob nprint: dsqueue.o + + $(UTILS): %: %.o $(LIBDEP) +- $(CC) $(CFLAGS) -o $@ $(addsuffix .o,$@) $(ADDOBJS_$@) -L$(NCPLIB_DIR) -lncp ${LIBS} ++ $(CC) $(CFLAGS) -o $@ $(addsuffix .o,$@) $(ADDOBJS_$@) $(LDFLAGS) -L$(NCPLIB_DIR) -lncp ${LIBS} + + ipx_probe: ipx_probe.c +- $(CC) $(CFLAGS) $(CCFLAGS) -o ipx_probe ipx_probe.c ${LIBS} ++ $(CC) $(CFLAGS) $(CCFLAGS) -o ipx_probe ipx_probe.c $(LDFLAGS) ${LIBS} + + dep: + 
+--- ncpfs-2.2.6.orig/lib/Makefile.in ++++ ncpfs-2.2.6/lib/Makefile.in +@@ -122,7 +122,7 @@ $(SHARED_NCPLIB): $(SHARED_NCPLIB_BIN) + ln -sf $< $@ + + $(SHARED_NCPLIB_BIN): $(SHARED_O_OBJ) ${this_srcdir}/libncp.vers +- $(CC) -shared -o $@ -Wl,-soname=$(SHARED_NCPLIB_SONAME) $(SHARED_VLINK) $(SHARED_O_OBJ) ${LIBS} -lc ++ $(CC) -shared -o $@ -Wl,-soname=$(SHARED_NCPLIB_SONAME) $(SHARED_VLINK) $(SHARED_O_OBJ) $(LDFLAGS) ${LIBS} -lc + + install_static: $(STATIC_NCPLIB_BIN) + $(INSTALL) -d $(DESTDIR)$(libadir) +--- ncpfs-2.2.6.orig/ipxdump/Makefile.in ++++ ncpfs-2.2.6/ipxdump/Makefile.in +@@ -24,7 +24,7 @@ install: $(EXEC) + ifeq ($(ncp_if_ether_support),yes) + + $(EXEC): %: %.o $(OBJECTS) +- $(CC) $(CFLAGS) -o $@ $(addsuffix .o,$@) $(OBJECTS) ++ $(CC) $(CFLAGS) -o $@ $(addsuffix .o,$@) $(LDFLAGS) $(OBJECTS) + + else + .PHONY ipxdump ipxparse diff -Nru ncpfs-2.2.6/debian/patches/makefile-remove-generated ncpfs-2.2.6/debian/patches/makefile-remove-generated --- ncpfs-2.2.6/debian/patches/makefile-remove-generated 1970-01-01 00:00:00.000000000 +0000 +++ ncpfs-2.2.6/debian/patches/makefile-remove-generated 2012-11-11 18:45:12.000000000 +0100 @@ -0,0 +1,14 @@ +Description: Remove another generated file +Author: Bastian Blank <[email protected]> +Bug-Debian: http://bugs.debian.org/692471 + +--- ncpfs-2.2.6.orig/Makefile.in ++++ ncpfs-2.2.6/Makefile.in +@@ -71,6 +71,7 @@ distclean: + rm -f intl/Makefile po/Makefile po/Makefile.in + rm -f lib/Makefile man/Makefile sutil/Makefile util/Makefile + rm -f include/config.h ++ rm -f include/private/libncp-atomic.h + rm -f include/ncp/ext/socket.h include/ncp/ext/stdint.h + rm -f include/ncp/kernel/fs.h + rm -f include/ncp/kernel/if.h include/ncp/kernel/route.h include/ncp/kernel/types.h diff -Nru ncpfs-2.2.6/debian/patches/no-suid-root ncpfs-2.2.6/debian/patches/no-suid-root --- ncpfs-2.2.6/debian/patches/no-suid-root 1970-01-01 00:00:00.000000000 +0000 +++ ncpfs-2.2.6/debian/patches/no-suid-root 2012-11-11 19:10:22.000000000 +0100 
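Review bot: Only `$(LDFLAGS)` is threaded through the link rules here, and the one compile-side definition visible in the Make.rules.in context, `CCFLAGS := $(CFLAGS_DEFINES) $(CFLAGS_OPTIONS) $(INCLUDES)`, contains no CPPFLAGS. dpkg-buildflags delivers `-D_FORTIFY_SOURCE=2` through CPPFLAGS, so unless configure folds CPPFLAGS in somewhere outside this diff, the fortified libc wrappers are not enabled despite the changelog's "Use hardening flags". I would extend the definition to `CCFLAGS := $(CFLAGS_DEFINES) $(CFLAGS_OPTIONS) $(INCLUDES) @CPPFLAGS@` and confirm the outcome by running `hardening-check` on the built binaries or `blhc` on the build log.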
@@ -0,0 +1,15 @@ +Description: Don't install utils as suid root +Author: Bastian Blank <[email protected]> +Bug-Debian: http://bugs.debian.org/692929 + +--- ncpfs-2.2.6.orig/sutil/Makefile.in ++++ ncpfs-2.2.6/sutil/Makefile.in +@@ -51,7 +51,7 @@ all: $(UTILS) + install: all + ${INSTALL} -d $(DESTDIR)$(bindir) + ${INSTALL} -d $(DESTDIR)/sbin +- ${INSTALL} -m 4755 $(UTILS) $(DESTDIR)$(bindir) ++ ${INSTALL} $(UTILS) $(DESTDIR)$(bindir) + ifeq ($(USE_KERNEL),1) + ln -sf $(bindir)/ncpmount $(DESTDIR)/sbin/mount.ncp + ln -sf $(bindir)/ncpmount $(DESTDIR)/sbin/mount.ncpfs diff -Nru ncpfs-2.2.6/debian/patches/series ncpfs-2.2.6/debian/patches/series --- ncpfs-2.2.6/debian/patches/series 2010-06-08 11:05:51.000000000 +0200 +++ ncpfs-2.2.6/debian/patches/series 2012-11-11 19:10:04.000000000 +0100 @@ -1,3 +1,8 @@ 01-legacy.patch 12-572937-multiple-security-issues.patch 13-580015.ia64-clone2.patch +makefile-remove-generated +drop-mtab-support +drop-kernel-check +ldflags +no-suid-root diff -Nru ncpfs-2.2.6/debian/rules ncpfs-2.2.6/debian/rules --- ncpfs-2.2.6/debian/rules 2010-03-27 06:25:45.000000000 +0100 +++ ncpfs-2.2.6/debian/rules 2012-11-11 19:17:38.000000000 +0100 @@ -7,6 +7,9 @@ # Uncomment this to turn on verbose mode. export DH_VERBOSE=1 +DPKG_EXPORT_BUILDFLAGS = 1 +include /usr/share/dpkg/buildflags.mk + DESTDIR = `pwd`/debian/ncpfs IVARS = DESTDIR=$(DESTDIR) @@ -97,9 +100,6 @@ dh_compress dh_fixperms - # You may want to make some executables suid here. - chmod u+s debian/ncpfs/usr/bin/nwsfind debian/ncpfs/usr/bin/ncpmount debian/ncpfs/usr/bin/ncpumount - dh_installdeb dh_shlibdeps -l$(DESTDIR)/usr/lib/ dh_gencontrol
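Review bot: The new install line `${INSTALL} $(UTILS) $(DESTDIR)$(bindir)` in sutil/Makefile.in leaves the file mode to whatever `${INSTALL}` defaults to; since the permission bits are the whole point of the patch, I would state them: `${INSTALL} -m 755 $(UTILS) $(DESTDIR)$(bindir)`. Together with the `chmod u+s` removal in debian/rules this also drops setuid from `nwsfind`, which the changelog entry ("ncpmount and ncpumount") does not mention. Unprivileged users can presumably no longer mount or unmount NCP volumes after the upgrade, so a debian/NEWS entry describing the change would help administrators who relied on it.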
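Review bot: The two lines added above `DESTDIR` in debian/rules, `DPKG_EXPORT_BUILDFLAGS = 1` and the `buildflags.mk` include, export only dpkg's default hardening set, which at the dpkg version named in Build-Depends does not include PIE or immediate binding. For utilities that parse replies from a network server I would opt in explicitly with `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` placed before the include, provided the package still builds and links with it. A short comment above the include saying which flags are expected to reach the upstream makefiles would also make later regressions easier to spot.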

