Bug#816023: jessie-pu: package glibc/2.19-18+deb8u4

2016-02-28 Thread Adam D. Barratt
Control: tags -1 + pending

On Sun, 2016-02-28 at 16:20 +0100, Aurelien Jarno wrote:
> On 2016-02-26 21:17, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Fri, 2016-02-26 at 19:34 +0100, Aurelien Jarno wrote:
> > > I would like to do an upload of glibc in jessie to fix a longstanding
> > > security issue with the pt_chown helper (CVE-2013-2207).
> > [...]
> > > I would therefore like to get this issue also fixed in jessie. I am
> > > confident this patch will not break any system, that said it's probably
> > > better to leave the package in jessie-proposed-updates for a few weeks
> > > and call for testing.
> > 
> > Please go ahead.
> 
> Thanks, I have just uploaded it.

Flagged for acceptance.

Regards,

Adam



Bug#816023: jessie-pu: package glibc/2.19-18+deb8u4

2016-02-28 Thread Aurelien Jarno
On 2016-02-26 21:17, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Fri, 2016-02-26 at 19:34 +0100, Aurelien Jarno wrote:
> > I would like to do an upload of glibc in jessie to fix a longstanding
> > security issue with the pt_chown helper (CVE-2013-2207).
> [...]
> > I would therefore like to get this issue also fixed in jessie. I am
> > confident this patch will not break any system, that said it's probably
> > better to leave the package in jessie-proposed-updates for a few weeks
> > and call for testing.
> 
> Please go ahead.

Thanks, I have just uploaded it.

Aurelien

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net



Bug#816023: jessie-pu: package glibc/2.19-18+deb8u4

2016-02-26 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Fri, 2016-02-26 at 19:34 +0100, Aurelien Jarno wrote:
> I would like to do an upload of glibc in jessie to fix a longstanding
> security issue with the pt_chown helper (CVE-2013-2207).
[...]
> I would therefore like to get this issue also fixed in jessie. I am
> confident this patch will not break any system, that said it's probably
> better to leave the package in jessie-proposed-updates for a few weeks
> and call for testing.

Please go ahead.

Regards,

Adam



Bug#816023: jessie-pu: package glibc/2.19-18+deb8u4

2016-02-26 Thread Aurelien Jarno
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear stable release team,

I would like to do an upload of glibc in jessie to fix a longstanding
security issue with the pt_chown helper (CVE-2013-2207). The upstream
solution is to just remove the pt_chown helper and rely on the kernel
to properly set up the permissions through the devpts filesystem. The
userland in jessie correctly mounts it with the correct permissions,
but given the ill kernel implementation, any subsequent mount of the
devpts filesystem without the "newinstance" option (e.g. /etc/fstab or
in a chroot) resets all the permissions for all mounts, breaking systems.
That's why we have deferred the update so far, preferring to leave a
low security issue open and avoid breaking many systems.

It seems that with the development of kernel namespaces there are more
ways to trigger this security issue, so it's probably time to fix it. We
have found a way to not break systems in case the devpts filesystem is
mounted with the wrong permissions. This has been accepted upstream and
is present in testing and sid for more than 2 months, without any report
of system breakage.

I would therefore like to get this issue also fixed in jessie. I am
confident this patch will not break any system, that said it's probably
better to leave the package in jessie-proposed-updates for a few weeks
and call for testing.

At the same time I would like to fix a small issue introduced in the
last security update, which causes a test in the testsuite to use a lot
of system resources, even causing timeout when the build machine has a
lot of swap like on our build daemons. It doesn't change the binaries
shipped in the package.

You'll find the full debdiff below.

Thanks for considering,
Aurelien


diff --git a/debian/changelog b/debian/changelog
index 19e3a4e..8b6054e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+glibc (2.19-18+deb8u4) UNRELEASED; urgency=medium
+
+  [ Aurelien Jarno ]
+  * Update from upstream stable branch:
+  - Fixes bug18240 failing with a timeout on machines with a lot of swap.
+  * patches/any/cvs-grantpt-pty-owner.diff: new patch from upstream to
+improve granpt when /dev/pts is not mounted with the correct options.
+  * rules.d/debhelper.mk: only install pt_chown when built.
+  * sysdeps/linux.mk: don't build pt_chown (CVE-2013-2207). Closes: #717544.
+
+ -- Aurelien Jarno   Tue, 16 Feb 2016 23:02:13 +0100
+
 glibc (2.19-18+deb8u3) stable-security; urgency=medium
 
   [ Aurelien Jarno ]
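Review bot: the new stanza header `+glibc (2.19-18+deb8u4) UNRELEASED; urgency=medium` still carries UNRELEASED and must read `jessie` before this goes to jessie-proposed-updates; in the same hunk, `improve granpt when /dev/pts is not mounted` has a typo for `grantpt`, and that bullet would be easier to trace later if it also quoted the upstream bug the patch header cites (`[BZ #19347]`) the way the `bug18240` line and the `Closes: #717544` line do.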
diff --git a/debian/patches/any/cvs-grantpt-pty-owner.diff 
b/debian/patches/any/cvs-grantpt-pty-owner.diff
new file mode 100644
index 000..2ff35bb
--- /dev/null
+++ b/debian/patches/any/cvs-grantpt-pty-owner.diff
@@ -0,0 +1,46 @@
+2015-12-10  Aurelien Jarno  
+   Jakub Wilk  
+
+   [BZ #19347]
+   * sysdeps/unix/grantpt.c [!HAVE_PT_CHOWN] (grantpt): Do not try
+   to change the group of the device to the tty group.
+
+--- a/sysdeps/unix/grantpt.c
 b/sysdeps/unix/grantpt.c
+@@ -155,6 +155,7 @@ grantpt (int fd)
+ }
+   gid_t gid = tty_gid == -1 ? __getgid () : tty_gid;
+ 
++#if HAVE_PT_CHOWN
+   /* Make sure the group of the device is that special group.  */
+   if (st.st_gid != gid)
+ {
+@@ -164,9 +165,26 @@ grantpt (int fd)
+ 
+   /* Make sure the permission mode is set to readable and writable by
+  the owner, and writable by the group.  */
+-  if ((st.st_mode & ACCESSPERMS) != (S_IRUSR|S_IWUSR|S_IWGRP))
++  mode_t mode = S_IRUSR|S_IWUSR|S_IWGRP;
++#else
++  /* When built without pt_chown, we have delegated the creation of the
++ pty node with the right group and permission mode to the kernel, and
++ non-root users are unlikely to be able to change it. Therefore let's
++ consider that POSIX enforcement is the responsibility of the whole
++ system and not only the GNU libc. Thus accept different group or
++ permission mode.  */
++
++  /* Make sure the permission is set to readable and writable by the
++ owner.  For security reasons, make it writable by the group only
++ when originally writable and when the group of the device is that
++ special group.  */
++  mode_t mode = S_IRUSR|S_IWUSR|
++  ((st.st_gid == gid) ? (st.st_mode & S_IWGRP) : 0);
++#endif
++
++  if ((st.st_mode & ACCESSPERMS) != mode)
+ {
+-  if (__chmod (buf, S_IRUSR|S_IWUSR|S_IWGRP) < 0)
++  if (__chmod (buf, mode) < 0)
+   goto helper;
+ }
+ 
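Review bot: in the new `#else` (no pt_chown) branch a failed `__chmod (buf, mode)` still does `goto helper;`, but this upload stops building and installing pt_chown, so please confirm that the `helper:` path (outside this hunk's context) fails with a plain error instead of trying to execute a helper that is no longer shipped. The security logic itself looks right: group-write is only preserved when `st.st_gid == gid`, so a node that the kernel created with some other group is clamped to owner read/write rather than made writable by that group. Separately, the nested patch header after `+--- a/sysdeps/unix/grantpt.c` appears here as ` b/sysdeps/unix/grantpt.c` without its `++++` prefix, so the debdiff as pasted in this mail will not apply cleanly; review the file in the uploaded source package rather than this copy.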
diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff
index ca3bd98..1a24dd0 100644
--- a/debian/patches/git-updates.diff
+++ b/debian/patches/git-updates.diff
@@ -1,10 +1,14 @@
 GIT update of git://sourceware.org/git/glibc.git/release/2.19/master from 
glibc-2.19
 
 diff --git a/ChangeLog b/ChangeLog
-index 81c393a..e17bd64 100644
+index 81c393a..9907019 100644
 ---