Bug#989025: unblock: micro-evtd/3.4-7

2021-05-23 Thread Cyril Brulebois
Paul Gevers (2021-05-24):
> Control: tags -1 d-i confirmed
> 
> Hi kibi,
> 
> On 24-05-2021 00:42, Ryan Tandy wrote:
> > Please unblock package micro-evtd
> > 
> > [ Reason ]
> > 
> > Fix micro-evtd creating its pid and status files in /var/run with
> > world-writable permissions (#988119).
> > 
> > [ Impact ]
> > 
> > - The pid and status files in /var/run are mode 666, which could be a
> >  potential security issue.
> > - micro-evtd does not stop when asked to with "/etc/init.d/micro-evtd
> >  stop", because start-stop-daemon refuses to use the insecure pid file.
> > - Because of that, the daemon also does not restart on upgrade as it
> >  should, instead the old version remains running.
> > 
> > [ Tests ]
> > 
> > There are no automated tests. I manually tested the install and upgrade
> > cases (testing→unstable).
> > 
> > [ Risks ]
> > 
> > The change should be trivial, but it is possible (if unlikely) that I
> > missed some case where the umask 000 was actually needed.
> > 
> > [ Checklist ]
> >  [✓] all changes are documented in the d/changelog
> >  [✓] I reviewed all changes and I approve them
> >  [✓] attach debdiff against the package in testing
> > 
> > [ Other info ]
> > 
> > The package builds a udeb. I tested an installation using a d-i daily
> > build with the updated package included, and confirmed the corrected
> > file permissions in the d-i environment.
> 
> Your opinion too please.

The code change looks innocent enough, the postinst change doesn't
affect the udeb, and same comment as in #988083 regarding d-i having
been tested by Ryan → please go ahead.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant



Bug#989025: unblock: micro-evtd/3.4-7

2021-05-23 Thread Paul Gevers
Control: tags -1 d-i confirmed

Hi kibi,

On 24-05-2021 00:42, Ryan Tandy wrote:
> Please unblock package micro-evtd
> 
> [ Reason ]
> 
> Fix micro-evtd creating its pid and status files in /var/run with
> world-writable permissions (#988119).
> 
> [ Impact ]
> 
> - The pid and status files in /var/run are mode 666, which could be a
>  potential security issue.
> - micro-evtd does not stop when asked to with "/etc/init.d/micro-evtd
>  stop", because start-stop-daemon refuses to use the insecure pid file.
> - Because of that, the daemon also does not restart on upgrade as it
>  should, instead the old version remains running.
> 
> [ Tests ]
> 
> There are no automated tests. I manually tested the install and upgrade
> cases (testing→unstable).
> 
> [ Risks ]
> 
> The change should be trivial, but it is possible (if unlikely) that I
> missed some case where the umask 000 was actually needed.
> 
> [ Checklist ]
>  [✓] all changes are documented in the d/changelog
>  [✓] I reviewed all changes and I approve them
>  [✓] attach debdiff against the package in testing
> 
> [ Other info ]
> 
> The package builds a udeb. I tested an installation using a d-i daily
> build with the updated package included, and confirmed the corrected
> file permissions in the d-i environment.

Your opinion too please.

Paul




Bug#989025: unblock: micro-evtd/3.4-7

2021-05-23 Thread Ryan Tandy

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package micro-evtd

[ Reason ]

Fix micro-evtd creating its pid and status files in /var/run with 
world-writable permissions (#988119).


[ Impact ]

- The pid and status files in /var/run are mode 666, which could be a 
 potential security issue.
- micro-evtd does not stop when asked to with "/etc/init.d/micro-evtd 
 stop", because start-stop-daemon refuses to use the insecure pid file.
- Because of that, the daemon also does not restart on upgrade as it 
 should, instead the old version remains running.


[ Tests ]

There are no automated tests. I manually tested the install and upgrade 
cases (testing→unstable).


[ Risks ]

The change should be trivial, but it is possible (if unlikely) that I 
missed some case where the umask 000 was actually needed.


[ Checklist ]
 [✓] all changes are documented in the d/changelog
 [✓] I reviewed all changes and I approve them
 [✓] attach debdiff against the package in testing

[ Other info ]

The package builds a udeb. I tested an installation using a d-i daily 
build with the updated package included, and confirmed the corrected 
file permissions in the d-i environment.


The issue exists already in buster (not a regression).

unblock micro-evtd/3.4-7

Thank you,
Ryan
diff -Nru micro-evtd-3.4/debian/changelog micro-evtd-3.4/debian/changelog
--- micro-evtd-3.4/debian/changelog 2021-05-03 20:22:09.0 -0700
+++ micro-evtd-3.4/debian/changelog 2021-05-22 00:40:17.0 -0700
@@ -1,3 +1,12 @@
+micro-evtd (3.4-7) unstable; urgency=medium
+
+  [ Ryan Tandy ]
+  * Fix world-writable pid and status files in /var/run (Closes: #988119)
+- Patch micro-evtd.c to reset umask to 022 instead of 0.
+- Fix permissions on existing files on upgrade.
+
+ -- Roger Shimizu   Sat, 22 May 2021 16:40:17 +0900
+
 micro-evtd (3.4-6) unstable; urgency=medium
 
   [ Ryan Tandy ]
diff -Nru micro-evtd-3.4/debian/micro-evtd.postinst 
micro-evtd-3.4/debian/micro-evtd.postinst
--- micro-evtd-3.4/debian/micro-evtd.postinst   2021-05-03 20:22:09.0 
-0700
+++ micro-evtd-3.4/debian/micro-evtd.postinst   2021-05-22 00:40:17.0 
-0700
@@ -14,6 +14,18 @@
 rm /usr/sbin/micro-evtd.status
 fi
 fi
+
+if dpkg --compare-versions "$2" lt-nl "3.4-7~"; then
+# Fix permissions on the existing pid file
+# so that the daemon is actually restarted
+if [ -f /var/run/micro-evtd.pid ]; then
+chmod 644 /var/run/micro-evtd.pid
+fi
+
+if [ -f /var/run/micro-evtd.status ]; then
+chmod 644 /var/run/micro-evtd.status
+fi
+fi
 ;;
 
 *)
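Review bot: the `chmod 644 /var/run/micro-evtd.pid` in this hunk corrects the mode but not the contents of the file, and until this upgrade the file was writable by every local user (mode 666 per the [ Impact ] section), so the pid it names is not necessarily the daemon's. Once the mode is 644 start-stop-daemon stops rejecting the file, and the restart that follows acts on whatever pid is in it; make sure the init script's stop also matches on `--exec` or `--name` (or check that /proc/<pid> belongs to a micro-evtd process before trusting the file), otherwise a stale or tampered pid could send the signal to an unrelated process. The same caveat applies to the status file: its mode is fixed here, its contents are not validated.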
diff -Nru 
micro-evtd-3.4/debian/patches/0008-Don-t-create-world-writable-files.patch 
micro-evtd-3.4/debian/patches/0008-Don-t-create-world-writable-files.patch
--- micro-evtd-3.4/debian/patches/0008-Don-t-create-world-writable-files.patch  
1969-12-31 16:00:00.0 -0800
+++ micro-evtd-3.4/debian/patches/0008-Don-t-create-world-writable-files.patch  
2021-05-22 00:40:17.0 -0700
@@ -0,0 +1,26 @@
+From: Ryan Tandy 
+Date: Fri, 21 May 2021 13:06:41 -0700
+Subject: Don't create world-writable files
+
+Set umask to 022 on startup instead of 000.
+
+Fixes the pid and status files being created world-writable.
+
+Bug-Debian: https://bugs.debian.org/988119
+---
+ src/micro-evtd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/micro-evtd.c b/src/micro-evtd.c
+index da91549..cc05b6a 100644
+--- a/src/micro-evtd.c
 b/src/micro-evtd.c
+@@ -1777,7 +1777,7 @@ int main(int argc, char *argv[])
+   setsid();
+ 
+   /* clear file creation mask */
+-  umask(0);
++  umask(022);
+ 
+   // Lock out device resource
+   getResourceLock();
diff -Nru micro-evtd-3.4/debian/patches/series 
micro-evtd-3.4/debian/patches/series
--- micro-evtd-3.4/debian/patches/series2021-05-03 20:22:09.0 
-0700
+++ micro-evtd-3.4/debian/patches/series2021-05-22 00:40:17.0 
-0700
@@ -5,3 +5,4 @@
 0005-Check-for-mmap-returning-MAP_FAILED.patch
 0006-Match-default-temperature-configuration-to-the-confi.patch
 0007-Fix-FTBFS-with-glibc-2.30.patch
+0008-Don-t-create-world-writable-files.patch
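The mechanism the bug report describes (a daemon running with umask 0 creates mode-666 pid files, which a start-stop-daemon-style stop then refuses to trust) reproduced as an added example; this is not micro-evtd's code and not dpkg's. It creates a pid file under a constructed /tmp path with the two umask values, reports the mode the kernel assigned, and runs a check in the spirit of start-stop-daemon's pid-file test (regular file, owned by root or the daemon's uid, not group- or world-writable). A third variant shows the belt-and-braces fix of requesting 0644 at open() and pinning it with fchmod(), which holds even if some other code path resets the umask to 0. The path, the labels and the exact check are assumptions for the demo.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed demo path (the real daemon writes /var/run/micro-evtd.pid). */
static const char *DEMO_PIDFILE = "/tmp/micro-evtd-umask-demo.pid";

/* Create a pid file the way a typical daemon does: O_CREAT with 0666 and
 * the process umask deciding which bits get stripped.  With pin_mode set,
 * the mode is requested as 0644 and pinned with fchmod() so the umask no
 * longer matters.  Returns the permission bits the file ended up with,
 * or (mode_t)-1 on error. */
static mode_t create_pidfile(const char *path, mode_t mask, int pin_mode)
{
    char buf[32];
    struct stat st;
    mode_t old;
    int fd;

    unlink(path);                       /* start from a clean slate */
    old = umask(mask);                  /* emulate the daemon's umask() call */
    fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, pin_mode ? 0644 : 0666);
    umask(old);                         /* restore the caller's umask */
    if (fd < 0)
        return (mode_t)-1;
    if (pin_mode && fchmod(fd, 0644) != 0) {
        close(fd);
        return (mode_t)-1;
    }
    snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
    if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) {
        close(fd);
        return (mode_t)-1;
    }
    close(fd);
    if (stat(path, &st) != 0)
        return (mode_t)-1;
    return st.st_mode & 07777;
}

/* A check in the spirit of start-stop-daemon's refusal of insecure pid
 * files (a model, not dpkg's exact logic): regular file, owned by root or
 * the daemon's user, and not writable by group or others.
 * Returns 1 if the file may be trusted, 0 otherwise. */
static int pidfile_is_secure(const char *path, uid_t daemon_uid)
{
    struct stat st;

    if (lstat(path, &st) != 0)          /* lstat: a symlink is not trusted either */
        return 0;
    if (!S_ISREG(st.st_mode))
        return 0;
    if (st.st_uid != 0 && st.st_uid != daemon_uid)
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

int main(void)
{
    static const struct { const char *label; mode_t mask; int pin; } cases[] = {
        { "umask 000 (buggy)",            0,   0 },
        { "umask 022 (fix in 3.4-7)",     022, 0 },
        { "umask 077 + fchmod (pinned)",  077, 1 },
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        mode_t mode = create_pidfile(DEMO_PIDFILE, cases[i].mask, cases[i].pin);
        if (mode == (mode_t)-1) {
            perror(DEMO_PIDFILE);
            return 1;
        }
        printf("%-30s mode %04o  trusted=%d\n", cases[i].label,
               (unsigned)mode, pidfile_is_secure(DEMO_PIDFILE, getuid()));
    }
    unlink(DEMO_PIDFILE);
    return 0;
}
```

Build with `cc -Wall umask_demo.c -o umask_demo` and run it; on a stock Linux system the first case reports mode 0666 with trusted=0, the other two 0644 with trusted=1. The pinned variant is what to reach for when a daemon cannot control the umask it inherits: the fchmod() makes the pid file's mode independent of any umask(0) elsewhere in the program.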