Package: release.debian.org Severity: normal Tags: jessie User: [email protected] Usertags: pu
Hi, I'd like to update aptdaemon in jessie to fix CVE-2015-1323 which is already fixed in squeeze-lts. The debdiff is attached. Cheers, -- Guido -- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index 38e82be..7a93d22 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+aptdaemon (1.1.1-4+deb8u1) stable-proposed-updates; urgency=medium
+
+ * Non maintainer upload
+ * Add CVE-2015-1323.patch to address CVE-2015-1323 - taken from
+ 1.1.1-1ubuntu5.2 (Closes: #789162)
+
+ -- Guido Günther <[email protected]> Mon, 29 Feb 2016 21:13:01 +0100
+
 aptdaemon (1.1.1-4) unstable; urgency=medium
 
 * Merge all changes from Ubuntu trusty.
diff --git a/debian/patches/CVE-2015-1323.patch b/debian/patches/CVE-2015-1323.patch
new file mode 100644
index 0000000..bc6a963
--- /dev/null
+++ b/debian/patches/CVE-2015-1323.patch
@@ -0,0 +1,377 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <[email protected]>
+Date: Sun, 28 Feb 2016 19:55:02 +0100
+Subject: CVE-2015-1323
+
+---
+ aptdaemon/core.py | 10 +++++---
+ aptdaemon/pkcompat.py | 10 +++++---
+ aptdaemon/policykit1.py | 9 ++++---
+ aptdaemon/progress.py | 5 ++++
+ aptdaemon/worker.py | 31 ++++++++++++++++++++++--
+ tests/_test_py2_string_handling.py | 3 ++-
+ tests/test_high_trust_repository_whitelist.py | 4 +--
+ tests/test_worker.py | 35 ++++++++++++++-------------
+ 8 files changed, 74 insertions(+), 33 deletions(-)
+
+diff --git a/aptdaemon/core.py b/aptdaemon/core.py
+index 9e1e9d3..35f40d7 100644
+--- a/aptdaemon/core.py
++++ b/aptdaemon/core.py
+@@ -342,7 +342,7 @@ class Transaction(DBusObject):
+ "DebconfSocket", "MetaData", "Locale",
+ "RemoveObsoleteDepends")
+ 
+- def __init__(self, tid, role, queue, pid, uid, cmdline, sender,
++ def __init__(self, tid, role, queue, pid, uid, gid, cmdline, sender,
+ connect=True, bus=None, packages=None, kwargs=None):
+ """Initialize a new Transaction instance.
+ 
+@@ -378,6 +378,7 @@ class Transaction(DBusObject):
+ kwargs = {}
+ self.queue = queue
+ self.uid = uid
++ self.gid = gid
+ self.locale = dbus.String("")
+ self.allow_unauthenticated = dbus.Boolean(False)
+ self.remove_obsoleted_depends = dbus.Boolean(False)
+@@ -1538,11 +1539,12 @@ class AptDaemon(DBusObject):
+ @inline_callbacks
+ def _create_trans(self, role, sender, packages=None, kwargs=None):
+ """Helper method which returns the tid of a new transaction."""
+- pid, uid, cmdline = (
++ pid, uid, gid, cmdline = (
+ yield policykit1.get_proc_info_from_dbus_name(sender, self.bus))
+ tid = uuid.uuid4().hex
+- trans = Transaction(tid, role, self.queue, pid, uid, cmdline, sender,
+- packages=packages, kwargs=kwargs, bus=self.bus)
++ trans = Transaction(
++ tid, role, self.queue, pid, uid, gid, cmdline, sender,
++ packages=packages, kwargs=kwargs, bus=self.bus)
+ self.queue.limbo[trans.tid] = trans
+ return_value(trans.tid)
+ 
+diff --git a/aptdaemon/pkcompat.py b/aptdaemon/pkcompat.py
+index cc05415..da99a32 100644
+--- a/aptdaemon/pkcompat.py
++++ b/aptdaemon/pkcompat.py
+@@ -469,9 +469,10 @@ class PackageKit(core.DBusObject):
+ 
+ @inline_callbacks
+ def _create_transaction(self, sender):
+- pid, uid, cmdline = yield policykit1.get_proc_info_from_dbus_name(
++ pid, uid, gid, cmdline = yield policykit1.get_proc_info_from_dbus_name(
+ sender, self.bus)
+- pktrans = PackageKitTransaction(pid, uid, cmdline, self.queue, sender)
++ pktrans = PackageKitTransaction(
++ pid, uid, gid, cmdline, self.queue, sender)
+ return_value(pktrans.tid)
+ 
+ # pylint: disable-msg=C0103,C0322
+@@ -602,7 +603,7 @@ class MergedTransaction(core.Transaction):
+ def __init__(self, pktrans, role, queue, connect=True,
+ bus=None, packages=None, kwargs=None):
+ core.Transaction.__init__(self, pktrans.tid[1:], role, queue,
+- pktrans.pid, pktrans.uid,
++ pktrans.pid, pktrans.uid, pktrans.gid,
+ pktrans.cmdline, pktrans.sender,
+ connect, bus, packages, kwargs)
+ self.pktrans = pktrans
+@@ -758,7 +759,7 @@ class PackageKitTransaction(core.DBusObject):
+ 
+ """Provides a PackageKit transaction object."""
+ 
+- def __init__(self, pid, uid, cmdline, queue, sender,
++ def __init__(self, pid, uid, gid, cmdline, queue, sender,
+ connect=True, bus=None):
+ pklog.info("Initializing PackageKit transaction")
+ bus_name = None
+@@ -784,6 +785,7 @@ class PackageKitTransaction(core.DBusObject):
+ self._status = pk.StatusEnum.SETUP
+ self._last_package = ""
+ self.uid = dbus.UInt32(uid)
++ self.gid = dbus.UInt32(gid)
+ self.pid = pid
+ self.cmdline = cmdline
+ self.role = pk.RoleEnum.UNKNOWN
+diff --git a/aptdaemon/policykit1.py b/aptdaemon/policykit1.py
+index 6a21875..9a15513 100644
+--- a/aptdaemon/policykit1.py
++++ b/aptdaemon/policykit1.py
+@@ -161,12 +161,15 @@ def get_proc_info_from_dbus_name(dbus_name, bus=None):
+ bus = dbus.SystemBus()
+ pid = yield get_pid_from_dbus_name(dbus_name, bus)
+ with open("/proc/%s/status" % pid) as proc:
+- values = [v for v in proc.readlines() if v.startswith("Uid:")]
++ lines = proc.readlines()
++ uid_values = [v for v in lines if v.startswith("Uid:")]
++ gid_values = [v for v in lines if v.startswith("Gid:")]
+ # instead of ", encoding='utf8'" we use the "rb"/decode() here for
+ # py2 compatibility
+ with open("/proc/%s/cmdline" % pid, "rb") as cmdline_file:
+ cmdline = cmdline_file.read().decode("utf-8")
+- uid = int(values[0].split()[1])
+- return_value((pid, uid, cmdline))
++ uid = int(uid_values[0].split()[1])
++ gid = int(gid_values[0].split()[1])
++ return_value((pid, uid, gid, cmdline))
+ 
+ # vim:ts=4:sw=4:et
+diff --git a/aptdaemon/progress.py b/aptdaemon/progress.py
+index 73cb411..f15b7d6 100644
+--- a/aptdaemon/progress.py
++++ b/aptdaemon/progress.py
+@@ -628,6 +628,11 @@ class DaemonLintianProgress(DaemonForkProgress):
+ 
+ def _child(self, path):
+ # Avoid running lintian as root
++ try:
++ os.setgroups([self.transaction.gid])
++ except OSError:
++ pass
++ os.setgid(self.transaction.gid)
+ os.setuid(self.transaction.uid)
+ 
+ if platform.dist()[1] == "debian":
+diff --git a/aptdaemon/worker.py b/aptdaemon/worker.py
+index 85e73cc..e9272d3 100644
+--- a/aptdaemon/worker.py
++++ b/aptdaemon/worker.py
+@@ -76,6 +76,25 @@ log = logging.getLogger("AptDaemon.Worker")
+ _ = lambda s: s
+ 
+ 
[email protected]
++def set_euid_egid(uid, gid):
++ # no need to drop privs
++ if os.getuid() != 0 and os.getgid() != 0:
++ yield
++ return
++ # temporary drop privs
++ os.setegid(gid)
++ old_groups = os.getgroups()
++ os.setgroups([gid])
++ os.seteuid(uid)
++ try:
++ yield
++ finally:
++ os.seteuid(os.getuid())
++ os.setegid(os.getgid())
++ os.setgroups(old_groups)
++
++
+ def trans_only_installs_pkgs_from_high_trust_repos(trans,
+ whitelist=set()):
+ """Return True if this transaction only touches packages in the
+@@ -1329,8 +1348,16 @@ class AptWorker(GObject.GObject):
+ 
+ :returns: An apt.debfile.Debfile instance.
+ """
+- if not os.path.isfile(path):
+- raise TransactionFailed(ERROR_UNREADABLE_PACKAGE_FILE, path)
++ # This code runs as root for simulate and simulate requires no
++ # authentication - so we need to ensure we do not leak information
++ # about files here (LP: #1449587, CVE-2015-1323)
++ #
++ # Note that the actual lintian run is also droping privs (real,
++ # not just seteuid)
++ with set_euid_egid(trans.uid, trans.gid):
++ if not os.path.isfile(path):
++ raise TransactionFailed(ERROR_UNREADABLE_PACKAGE_FILE, path)
++
+ if not force and os.path.isfile("/usr/bin/lintian"):
+ with DaemonLintianProgress(trans) as progress:
+ progress.run(path)
+diff --git a/tests/_test_py2_string_handling.py b/tests/_test_py2_string_handling.py
+index 1a56b9b..86709fb 100644
+--- a/tests/_test_py2_string_handling.py
++++ b/tests/_test_py2_string_handling.py
+@@ -49,7 +49,8 @@ class TestUnicodeDecoding(AptDaemonTestCase):
+ self.start_dbus_daemon()
+ self.dbus = dbus.bus.BusConnection(self.dbus_address)
+ self.trans = Transaction(None, "role-test", None,
+- os.getpid(), os.getuid(), sys.argv[0],
++ os.getpid(), os.getuid(), os.getgid(),
++ sys.argv[0],
+ "org.debian.apt.test", bus=self.dbus)
+ 
+ def test(self):
+diff --git a/tests/test_high_trust_repository_whitelist.py b/tests/test_high_trust_repository_whitelist.py
+index ca2ebd4..fac471f 100644
+--- a/tests/test_high_trust_repository_whitelist.py
++++ b/tests/test_high_trust_repository_whitelist.py
+@@ -116,7 +116,7 @@ class HighTrustRepositoryTestCase(BaseHighTrustTestCase):
+ ("Ubuntu", "", "silly.*"))
+ # a high-trust whitelisted pkg and a non-whitelisted one
+ trans = Transaction(None, enums.ROLE_INSTALL_PACKAGES, self.queue,
+- os.getpid(), os.getuid(), sys.argv[0],
++ os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+ "org.debian.apt.test", connect=False,
+ packages=[["silly-base", "other-pkg"], [], [], [],
+ [], []])
+@@ -128,7 +128,7 @@ class HighTrustRepositoryTestCase(BaseHighTrustTestCase):
+ trans, self.worker._high_trust_repositories))
+ # whitelisted only
+ trans = Transaction(None, enums.ROLE_INSTALL_PACKAGES, self.queue,
+- os.getpid(), os.getuid(), sys.argv[0],
++ os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+ "org.debian.apt.test", connect=False,
+ packages=[["silly-base"], [], [], [], [], []])
+ self.worker.simulate(trans)
+diff --git a/tests/test_worker.py b/tests/test_worker.py
+index 41a8caa..6cf7717 100644
+--- a/tests/test_worker.py
++++ b/tests/test_worker.py
+@@ -77,7 +77,8 @@ class WorkerTestCase(aptdaemon.test.AptDaemonTestCase):
+ self.chroot.add_repository("/does/not/exist", copy_list=False)
+ # Only update the repository from the working snippet
+ trans = Transaction(None, enums.ROLE_UPDATE_CACHE,
+- self.queue, os.getpid(), os.getuid(), sys.argv[0],
++ self.queue, os.getpid(), os.getuid(),
++ os.getgid(), sys.argv[0],
+ "org.debian.apt.test", connect=False,
+ kwargs={"sources_list": "test.list"})
+ self.worker.simulate(trans)
+@@ -99,7 +100,7 @@ class WorkerTestCase(aptdaemon.test.AptDaemonTestCase):
+ "silly-base_0.1-0_all.deb"))
+ # Install the package
+ trans = Transaction(None, enums.ROLE_UPGRADE_SYSTEM,
+- self.queue, os.getpid(),
++ self.queue, os.getpid(), os.getgid(),
+ os.getuid(), sys.argv[0],
+ "org.debian.apt.test", connect=False,
+ kwargs={"safe_mode": False})
+@@ -130,7 +131,7 @@ class WorkerTestCase(aptdaemon.test.AptDaemonTestCase):
+ self.chroot.add_test_repository(copy_sig=False)
+ # Install the package
+ trans = Transaction(None, enums.ROLE_INSTALL_PACKAGES, self.queue,
+- os.getpid(), os.getuid(), sys.argv[0],
++ os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+ "org.debian.apt.test", connect=False,
+ packages=[["silly-base"], [], [], [], [], []])
+ self.worker.simulate(trans)
+@@ -144,7 +145,7 @@ class WorkerTestCase(aptdaemon.test.AptDaemonTestCase):
+ 
+ # Allow installation of unauthenticated packages
+ trans = Transaction(None, enums.ROLE_INSTALL_PACKAGES, self.queue,
+- os.getpid(), os.getuid(), sys.argv[0],
++ os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+ "org.debian.apt.test", connect=False,
+ packages=[["silly-base"], [], [], [], [], []])
+ trans.allow_unauthenticated = True
+@@ -164,7 +165,7 @@ class WorkerTestCase(aptdaemon.test.AptDaemonTestCase):
+ self.chroot.add_test_repository()
+ # Install the package
+ trans = Transaction(None, enums.ROLE_INSTALL_PACKAGES, self.queue,
+- os.getpid(), os.getuid(), sys.argv[0],
++ os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+ "org.debian.apt.test", connect=False,
+ packages=[["silly-depend-base"], [], [], [],
+ [], []])
+@@ -193,7 +194,7 @@ class WorkerTestCase(aptdaemon.test.AptDaemonTestCase):
+ Architecture: all
+ Auto-Installed: 1""")
+ trans = Transaction(None, enums.ROLE_REMOVE_PACKAGES, self.queue,
+- os.getpid(), os.getuid(), sys.argv[0],
++ os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+ "org.debian.apt.test", connect=False,
+ packages=[[], [], ["silly-depend-base"], [],
+ [], []])
+@@ -219,7 +220,7 @@ Auto-Installed: 1""")
+ "silly-depend-base_0.1-0_all.deb"]:
+ self.chroot.install_debfile(os.path.join(REPO_PATH, pkg))
+ trans = Transaction(None, enums.ROLE_REMOVE_PACKAGES, self.queue,
+- os.getpid(), os.getuid(), sys.argv[0],
++ os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+ "org.debian.apt.test", connect=False,
+ packages=[[], [], ["silly-base"], [], [], []])
+ self.worker.simulate(trans)
+@@ -240,7 +241,7 @@ Auto-Installed: 1""")
+ pass
+ # Don't allow to remove essential packages
+ trans = Transaction(None, enums.ROLE_REMOVE_PACKAGES, self.queue,
+- os.getpid(), os.getuid(), sys.argv[0],
++ os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+ "org.debian.apt.test", connect=False,
+ packages=[[], [], ["silly-essential"], [], [], []])
+ self.worker.run(trans)
+@@ -263,7 +264,7 @@ Auto-Installed: 1""")
+ Architecture: all
+ Auto-Installed: 1""")
+ trans = Transaction(None, enums.ROLE_COMMIT_PACKAGES, self.queue,
+- os.getpid(), os.getuid(), sys.argv[0],
++ os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+ "org.debian.apt.test", connect=False,
+ packages=[[], [], [], [],
+ ["silly-base=0.1-0update1"], []])
+@@ -283,7 +284,7 @@ Auto-Installed: 1""")
+ pkg = os.path.join(REPO_PATH, "silly-base_0.1-0update1_all.deb")
+ self.chroot.install_debfile(pkg)
+ trans = Transaction(None, enums.ROLE_COMMIT_PACKAGES, self.queue,
+- os.getpid(), os.getuid(), sys.argv[0],
++ os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+ "org.debian.apt.test", connect=False,
+ packages=[[], [], [], [], [],
+ ["silly-base=0.1-0"]])
+@@ -301,7 +302,7 @@ Auto-Installed: 1""")
+ for pkg in ["silly-base_0.1-0_all.deb", "silly-config_0.1-0_all.deb"]:
+ self.chroot.install_debfile(os.path.join(REPO_PATH, pkg))
+ trans = Transaction(None, enums.ROLE_REMOVE_PACKAGES, self.queue,
+- os.getpid(), os.getuid(), sys.argv[0],
++ os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+ "org.debian.apt.test", connect=False,
+ packages=[[], [], [], ["silly-config"], [], []])
+ self.worker.run(trans)
+@@ -324,7 +325,7 @@ Auto-Installed: 1""")
+ pkg = os.path.join(REPO_PATH,
+ "silly-depend-base-lintian-broken_0.1-0_all.deb")
+ trans = Transaction(None, enums.ROLE_INSTALL_FILE, self.queue,
+- os.getpid(), os.getuid(), sys.argv[0],
++ os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+ "org.debian.apt.test", connect=False,
+ kwargs={"path": os.path.join(REPO_PATH, pkg),
+ "force": False})
+@@ -359,7 +360,7 @@ Auto-Installed: 1""")
+ self.chroot.install_debfile(os.path.join(REPO_PATH, pkg_base))
+ pkg = os.path.join(REPO_PATH, "silly-bully_0.1-0_all.deb")
+ trans = Transaction(None, enums.ROLE_INSTALL_FILE, self.queue,
+- os.getpid(), os.getuid(), sys.argv[0],
++ os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+ "org.debian.apt.test", connect=False,
+ kwargs={"path": os.path.join(REPO_PATH, pkg),
+ "force": True})
+@@ -379,7 +380,7 @@ Auto-Installed: 1""")
+ """
+ pkg = os.path.join(REPO_PATH, "silly-base_0.1-0_all.deb")
+ trans = Transaction(None, enums.ROLE_INSTALL_FILE, self.queue,
+- os.getpid(), os.getuid(), sys.argv[0],
++ os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+ "org.debian.apt.test", connect=False,
+ kwargs={"path": os.path.join(REPO_PATH, pkg),
+ "force": True})
+@@ -400,7 +401,7 @@ Auto-Installed: 1""")
+ for pkg in ["silly-base_0.1-0_all.deb", "silly-broken_0.1-0_all.deb"]:
+ self.chroot.install_debfile(os.path.join(REPO_PATH, pkg), True)
+ trans = Transaction(None, enums.ROLE_FIX_BROKEN_DEPENDS, self.queue,
+- os.getpid(), os.getuid(), sys.argv[0],
++ os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+ "org.debian.apt.test", connect=False)
+ self.worker.simulate(trans)
+ self.loop.run()
+@@ -420,7 +421,7 @@ Auto-Installed: 1""")
+ """
+ self.chroot.add_test_repository()
+ trans = Transaction(None, enums.ROLE_COMMIT_PACKAGES, self.queue,
+- os.getpid(), os.getuid(), sys.argv[0],
++ os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+ "org.debian.apt.test",
+ packages=[["silly-broken"], [], [], [], [], []],
+ connect=False)
+@@ -459,7 +460,7 @@ Auto-Installed: 1""")
+ 
+ self.chroot.add_test_repository()
+ trans = Transaction(None, enums.ROLE_ADD_LICENSE_KEY, self.queue,
+- os.getpid(), os.getuid(), sys.argv[0],
++ os.getpid(), os.getuid(), os.getgid(), sys.argv[0],
+ "org.debian.apt.test",
+ kwargs={"pkg_name": "silly-license",
+ "json_token": "lalelu",
diff --git a/debian/patches/series b/debian/patches/series
index b1b680e..9eb67c8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@ lp1266844.patch
 fix-configparser.patch
 py3_inheritable.patch
 upstream-include-pkg-version.patch
+CVE-2015-1323.patch
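Review bot: In the tests/test_worker.py hunk at `@@ -99,7 +100,7 @@` the new call passes `os.getgid()` before `os.getuid()`, but the Transaction signature introduced in core.py is `(tid, role, queue, pid, uid, gid, cmdline, sender, ...)`, so uid and gid arrive swapped; this presumably goes unnoticed only because both ids coincide in the test environment. It should match the other call sites: `self.queue, os.getpid(), os.getuid(),` followed by `os.getgid(), sys.argv[0],`. In aptdaemon/worker.py, `set_euid_egid` enters its `try` only after `os.setegid`, `os.setgroups` and `os.seteuid` have already run, so if `os.seteuid(uid)` raises the daemon keeps the already-changed egid and supplementary groups for the rest of its lifetime; moving the `try` above the first privilege change (rewritten below) restores them on partial failure. Also, `os.path.isfile` under the dropped euid shows only that the caller may stat the path, not read it, so whether the unchanged remainder of the enclosing method (which starts before and continues after the hunk) can still expose contents of a root-only readable file is worth confirming; the `droping` typo in the new comment could be fixed in the same pass.
```python
def set_euid_egid(uid, gid):
    # no need to drop privs
    if os.getuid() != 0 and os.getgid() != 0:
        yield
        return
    # temporary drop privs; every step that succeeded is undone in the
    # finally block even if a later step raises
    old_groups = os.getgroups()
    try:
        os.setegid(gid)
        os.setgroups([gid])
        os.seteuid(uid)
        yield
    finally:
        os.seteuid(os.getuid())
        os.setegid(os.getgid())
        os.setgroups(old_groups)
```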

