Bug#991372: unblock: glibc/2.31-13

2021-07-21 Thread Aurelien Jarno
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: debian-boot@lists.debian.org

Please unblock package glibc

[ Reason ]
This new version fixes one serious bug (#990069) in the maintainer
scripts preventing the sshd daemon from being restarted following a glibc
upgrade on systems where the ssh meta-package is not installed.

It also fixes a security issue in the wordexp() function
(CVE-2021-35942, #990542) by pulling the upstream stable branch.

[ Impact ]
On systems where the ssh meta-package is not installed, following the
upgrade from buster to bullseye, incoming SSH connections are not
accepted until the sshd daemon is restarted manually or the system is
rebooted. This can be an issue for systems upgraded remotely.

[ Tests ]
The change to the maintainer scripts is not covered by automatic tests
(except maybe by piuparts). It has, however, been manually tested by
multiple persons.

The change to the wordexp() function is covered by the upstream
testsuite. A new test has actually been added to catch the security
issue.

[ Risks ]
The change to the maintainer scripts is relatively simple and just
follows what is already done for other daemons where the package name is
not the same as the daemon name. The package has been in sid for 2
weeks, and no regressions have been reported. The risk is therefore very
low.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
d-i team is Cc:ed.

unblock glibc/2.31-13



diff --git a/debian/changelog b/debian/changelog
index 7197d373..138f350a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+glibc (2.31-13) unstable; urgency=medium
+
+  [ Colin Watson ]
+  * debian/debhelper.in/libc.postinst, script.in/nsscheck.sh: Look for
+openssh-server package rather than ssh.  Closes: #990069
+
+  [ Aurelien Jarno ]
+  * debian/patches/git-updates.diff: update from upstream stable branch:
+- Fix an arbitrary read in wordexp() (CVE-2021-35942).  Closes:
+  #990542.
+
+ -- Aurelien Jarno   Tue, 06 Jul 2021 21:16:59 +0200
+
 glibc (2.31-12) unstable; urgency=medium
 
   * debian/po/de.po: fix encoding declaration.  Closes: #986450.
diff --git a/debian/debhelper.in/libc.postinst 
b/debian/debhelper.in/libc.postinst
index 0b312dfa..f52a1430 100644
--- a/debian/debhelper.in/libc.postinst
+++ b/debian/debhelper.in/libc.postinst
@@ -33,9 +33,10 @@ then
check="$check boa cucipop courier-authdaemon cron cups exim"
check="$check exim4-base dovecot-common cucipop incron lprng lpr"
check="$check lpr-ppd mysql-server nis openbsd-inetd"
-   check="$check openldapd postgresql-common proftpd postfix 
postfix-tls"
-   check="$check rsync samba sasl2-bin slapd smail sendmail snmpd ssh"
-   check="$check spamassassin vsftpd wu-ftpd wu-ftpd-academ wwwoffle"
+   check="$check openldapd openssh-server postgresql-common proftpd"
+   check="$check postfix postfix-tls rsync samba sasl2-bin slapd"
+   check="$check smail sendmail snmpd spamassassin vsftpd"
+   check="$check wu-ftpd wu-ftpd-academ wwwoffle"
check="$check webmin dropbear gdm"
# NSS services check: 
__NSS_CHECK__
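Review bot: the only functional change in this hunk is replacing `ssh` with `openssh-server` in the `check` list, but the reflow of the `openldapd ...` / `postfix ...` lines spreads that one-word swap over four rewritten lines; a minimal diff that substitutes the single word would make review and any later backport easier. Since the list is keyed by binary package name, any other entry that is a metapackage rather than the package shipping the daemon has the same gap #990069 describes for `ssh`, so the remaining names are worth a quick pass too.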
diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff
index 0e5aefae..e1cac4a1 100644
--- a/debian/patches/git-updates.diff
+++ b/debian/patches/git-updates.diff
@@ -3647,6 +3647,31 @@ index cba9cd1819..4580cefb9f 100644
dirlen = home_len + rest_len;
dirname_modified = 1;
  }
+diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c
+index ed1b22308e..cb3f989cba 100644
+--- a/posix/wordexp-test.c
 b/posix/wordexp-test.c
+@@ -183,6 +183,7 @@ struct test_case_struct
+ { 0, NULL, "$var", 0, 0, { NULL, }, IFS },
+ { 0, NULL, "\"\\n\"", 0, 1, { "\\n", }, IFS },
+ { 0, NULL, "", 0, 0, { NULL, }, IFS },
++{ 0, NULL, "${1234567890123456789012}", 0, 0, { NULL, }, IFS },
+ 
+ /* Flags not already covered (testit() has special handling for these) */
+ { 0, NULL, "one two", WRDE_DOOFFS, 2, { "one", "two", }, IFS },
+diff --git a/posix/wordexp.c b/posix/wordexp.c
+index e082d94895..56289503a1 100644
+--- a/posix/wordexp.c
 b/posix/wordexp.c
+@@ -1399,7 +1399,7 @@ envsubst:
+   /* Is it a numeric parameter? */
+   else if (isdigit (env[0]))
+ {
+-  int n = atoi (env);
++  unsigned long n = strtoul (env, NULL, 10);
+ 
+   if (n >= __libc_argc)
+   /* Substitute NULL. */
 diff --git a/stdlib/Makefile b/stdlib/Makefile
 index 45214b59e4..4615f6dfe7 100644
 --- a/stdlib/Makefile
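Review bot: the wordexp.c change turns `n` from `int` (via `atoi`) into `unsigned long` (via `strtoul`), so the untouched `if (n >= __libc_argc)` now compares an unsigned long with the int `__libc_argc`; that is correct because argc is non-negative and gets promoted, and an over-long positional parameter such as the new `${1234567890123456789012}` test case saturates to `ULONG_MAX` and takes the "Substitute NULL" path instead of being truncated to a negative index as the `atoi` result could be. A one-line comment at the comparison saying the unsigned comparison is intentional would stop a later cleanup from "fixing" `n` back to a signed type and reintroducing the out-of-bounds argv read.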
diff --git a/debian/script.in/nsscheck.sh b/debian/script.in/nsscheck.sh
index 623278c0..8406a543 100644
--- a/debian/script.in/nsscheck.sh
+++ b/debian/script.in/nsscheck.sh
@@ -12,6 +12,7 @@
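Review bot: the `@@ -12,6 +12,7 @@` hunk for debian/script.in/nsscheck.sh has no body in the debdiff as attached here, so the `ssh` to `openssh-server` change the changelog claims for nsscheck.sh cannot be checked from this mail. The header shows a net gain of one line rather than a one-for-one substitution, so please confirm that the old `ssh` entry was dropped and not left alongside the new `openssh-server` one, and resend the complete hunk.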

Re: DebianInstaller Help Request

2021-07-21 Thread Cyril Brulebois
Hello Marcus,

Marcus L. Thompson  (2021-07-21):
> I need help locating the following information:
> 
>  * what processes are called during the "remove-live-packages" routine
>which is invoked at the end of the installation process for Debian
>10; and
>  * where the relevant configuration file(s) for this aspect of the
>installer's operations may be located in the live distro iso.
> 
> Thank you.

You'll want to check with debian-live@ (in copy).


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




DebianInstaller Help Request

2021-07-21 Thread Marcus L. Thompson

Good day.

I need help locating the following information:

 * what processes are called during the "remove-live-packages" routine
   which is invoked at the end of the installation process for Debian
   10; and
 * where the relevant configuration file(s) for this aspect of the
   installer's operations may be located in the live distro iso.

Thank you.





Bug#933523: Possible solution

2021-07-21 Thread Sebastian Neuser
Hello Adrian,


On Wed, 2021-07-21 at 14:59 +0200, John Paul Adrian Glaubitz wrote:
> > Also, if I understand correctly, in case of an error the script
> > would `exit 1` and the installation process would stop.
> 
> That's probably because of the "|| true" that Steve added to the mount
> call which means that this line will always succeed even when the
> mount attempt actually failed.

I don't think so:
mountvirtfs() mounts efivarfs with `mount ... || die ...` and die() ends
with `exit 1`, so `|| true` after the call to mountvirtfs() is actually
dead code.

Unless I still don't get shell script logic, which is of course entirely
possible. :-)


Best wishes,

Sebastian



Bug#933523: Possible solution

2021-07-21 Thread Sebastian Neuser
Hello!


On Wed, 2021-07-21 at 12:51 +0200, John Paul Adrian Glaubitz wrote:
> Are you seeing any log messages indicating that mountvirtfs() failed
> during the installation of the grub-installer udeb?

So *that*'s what the postinst file is for! ;-)

No, I see no messages indicating any errors. I just double-checked by
monitoring `tail -f /var/log/syslog | grep efivars` during installation.
I did see a debug message I added right before the call to mountvirtfs
but no error message.
Also, if I understand correctly, in case of an error the script would
`exit 1` and the installation process would stop.


Kind regards,

Sebastian



Bug#933523: Possible solution

2021-07-21 Thread John Paul Adrian Glaubitz
Hi Sebastian!

On 7/21/21 2:55 PM, Sebastian Neuser wrote:
> On Wed, 2021-07-21 at 12:51 +0200, John Paul Adrian Glaubitz wrote:
>> Are you seeing any log messages indicating that mountvirtfs() failed
>> during the installation of the grub-installer udeb?
> 
> So *that*'s what the postinst file is for! ;-)

Yes. It gets executed when the udeb is installed inside the running d-i
system.

> No, I see no messages indicating any errors. I just double-checked by
> monitoring `tail -f /var/log/syslog | grep efivars` during installation.
> I did see a debug message I added right before the call to mountvirtfs
> but no error message.
> Also, if I understand correctly, in case of an error the script would
> `exit 1` and the installation process would stop.

That's probably because of the "|| true" that Steve added to the mount call
which means that this line will always succeed even when the mount attempt
actually failed.

Adrian

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913



Bug#933523: Possible solution

2021-07-21 Thread John Paul Adrian Glaubitz
Hello!

On 7/21/21 12:33 PM, Sebastian Neuser wrote:
> I ran into what seems to be the same problem as well and I think I may
> have found a solution. Interestingly, the problem occurs only on one in
> six/seven (identical, at least in theory) devices.
> 
> I stumbled upon 
> https://salsa.debian.org/installer-team/grub-installer/-/commit/5eada0008eede06c97d55adca1a9eb1eb9447aee
> and noticed that the actual script which is called by debian-installer
> was not touched, so I came up with the following patch:

That's more like a workaround than a proper fix. The question is why the
postinst doesn't succeed in mounting efivarfs all the time.

Are you seeing any log messages indicating that mountvirtfs() failed during
the installation of the grub-installer udeb?

Adrian

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913



Bug#933523: Possible solution

2021-07-21 Thread Sebastian Neuser
Hello there!


I ran into what seems to be the same problem as well and I think I may
have found a solution. Interestingly, the problem occurs only on one in
six/seven (identical, at least in theory) devices.

I stumbled upon 
https://salsa.debian.org/installer-team/grub-installer/-/commit/5eada0008eede06c97d55adca1a9eb1eb9447aee
and noticed that the actual script which is called by debian-installer
was not touched, so I came up with the following patch:

diff --git a/grub-installer b/grub-installer
index b824cab8..3380e6fc 100755
--- a/grub-installer
+++ b/grub-installer
@@ -64,6 +64,11 @@ if [ "$(udpkg --print-os)" = "linux" ] && [ ! -d 
"$ROOT/run/udev" ]; then
mount --bind /run $ROOT/run
 fi

+# Sometimes we need to manually mount efivarfs: https://bugs.debian.org/933523
+if [ "$(udpkg --print-os)" = "linux" ] && [ -z $(ls 
"$ROOT/sys/firmware/efi/efivars/") ]; then
+   mount -t efivarfs efivarfs $ROOT/sys/firmware/efi/efivars || error 
"Mounting efivars failed"
+fi
+
 get_serial_console() {
# Get the last 'console=' entry (if none, the whole string is returned)
local defconsole="$(sed -e 's/.*\(console=[^ ]*\).*/\1/' /proc/cmdline)"
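Review bot: the guard `[ -z $(ls "$ROOT/sys/firmware/efi/efivars/") ]` also fires on every non-UEFI Linux install: the directory does not exist there, `ls` prints nothing to stdout, `-z` on the empty result is true, and the following `mount -t efivarfs ... || error "Mounting efivars failed"` then fails and aborts grub-installer on BIOS machines. Guard on the firmware interface actually being present, e.g. `[ -d "$ROOT/sys/firmware/efi" ]`, and test whether efivarfs is already mounted (a `mountpoint -q` check if that tool is present in the d-i environment, otherwise a match on `/proc/mounts`) rather than whether the directory happens to be empty. The unquoted `$(ls ...)` also expands to several words when the directory is populated, so `[` errors out with "too many arguments" (status 2) instead of cleanly evaluating to false; quote it as `"$(ls ...)"`. Finally, please check that `error` is defined in this script; the `/run` bind mount just above and the unmount hunk below only log via `info`, and a failed optional mount should probably do the same rather than terminate the installer.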
@@ -1429,6 +1434,10 @@ fi
 db_progress STEP 1
 db_progress STOP

+if [ "$(udpkg --print-os)" = "linux" ] && ! umount 
$ROOT/sys/firmware/efi/efivars; then
+   info "Failed to unmount /sys/firmware/efi/efivars in $ROOT"
+fi
+
 if [ "$(udpkg --print-os)" = "linux" ] && ! umount $ROOT/run; then
info "Failed to unmount /run in $ROOT"
 fi
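Review bot: the `umount $ROOT/sys/firmware/efi/efivars` is unconditional, so it also unmounts an efivarfs that the grub-installer udeb's postinst (mountvirtfs) had mounted rather than only the one this script mounted in the first hunk, and on non-UEFI systems it always fails and emits the `info` message. Record whether the first hunk actually performed the mount (for example set a flag such as `efivars_mounted=1` after a successful `mount`) and unmount only in that case; quoting `"$ROOT/sys/firmware/efi/efivars"` would also be good practice.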

I'll create a merge request as soon as my account on salsa.debian.org is
approved. :-)


Cheers!

PizZaKatZe



Re: Finding a tentative bullseye release date

2021-07-21 Thread Ansgar
Hi,

On Tue, 2021-07-20 at 22:35 +0200, Paul Gevers wrote:
> We currently don't have any day yet with all involved
> teams comfortably present, the one coming closest is 4 September.
> Somebody from ftp available on 14 august?

That should be doable.

Ansgar