Bug#894667: beep bug

[rain1]

Hello.

After analysis of the diff it in unclear what exactly the race condition 
bug is and how it would constitute a privileged escalation.


Please could somebody provide an explanation of what the race condition 
is, and how it is a security issue rather than just being a regular bug. 
so we can understand why the patch fixes it.


It seems that open/closing the console_device (set with -e) was done 
repeatedly in the -n case. It's possible that the race in question would 
be triggered if a SIGINT or SIGTERM was sent at the right time (which 
time)? possibly causing a double free. As the beep program just performs 
ioctl or writes a very simple struct to an fd it does not seem there is 
enough attacker control to actually do any sort of code execution with 
beep.


So this may not really be a security issue, just a minor improvement in 
the code. I welcome being corrected though.


(Note: we have looked at the satire website about the bug 
https://holeybeep.ninja and it does not provide any technical details of 
interest)


Cheers!

Bug#820194: nasm: please make the build reproducible (font ordering in documentation)

[rain1]

Source: nasm
Version: 2.11.08
Severity: wishlist
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: timestamps fileordering hostname umask
X-Debbugs-Cc: reproducible-bui...@lists.alioth.debian.org

Hi!

While working on the “reproducible builds” effort [1], we have noticed
that nasm could not be built reproducibly.

The attached patch sorts keys from a hash table listing fonts to ensure 
a stable file order when creating the postscript and pdf documentation. 
Once applied, nasm can be built reproducibly in our

current experimental framework.* sort 'keys' for reproducibility.

Author: Raymond Nicholson 

---
The information above should follow the Patch Tagging Guidelines, please
checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
are templates for supplementary fields that you might want to add:

Origin: , 
Bug: 
Bug-Debian: https://bugs.debian.org/
Bug-Ubuntu: https://launchpad.net/bugs/
Forwarded: 
Reviewed-By: 
Last-Update: 

--- nasm-2.11.08.orig/doc/genps.pl
+++ nasm-2.11.08/doc/genps.pl
@@ -968,18 +968,18 @@ print "%%Pages: $curpage\n";
 print "%%BoundingBox: 0 0 ", $psconf{pagewidth}, ' ', $psconf{pageheight}, "\n";
 print "%%Creator: (NASM psflow.pl)\n";
 print "%%DocumentData: Clean7Bit\n";
-print "%%DocumentFonts: ", join(' ', keys(%ps_all_fonts)), "\n";
-print "%%DocumentNeededFonts: ", join(' ', keys(%ps_all_fonts)), "\n";
+print "%%DocumentFonts: ", join(' ', sort keys(%ps_all_fonts)), "\n";
+print "%%DocumentNeededFonts: ", join(' ', sort keys(%ps_all_fonts)), "\n";
 print "%%Orientation: Portrait\n";
 print "%%PageOrder: Ascend\n";
 print "%%EndComments\n";
 print "%%BeginProlog\n";
 
 # Emit the configurables as PostScript tokens
-foreach $c ( keys(%psconf) ) {
+foreach $c ( sort keys(%psconf) ) {
 print "/$c ", $psconf{$c}, " def\n";
 }
-foreach $c ( keys(%psbool) ) {
+foreach $c ( sort keys(%psbool) ) {
 print "/$c ", ($psbool{$c}?'true':'false'), " def\n";
 }
 
@@ -1007,7 +1007,7 @@ print "  definefont pop\n";
 print "} def\n";
 
 # Emit fontset definitions
-foreach $font ( keys(%ps_all_fonts) ) {
+foreach $font ( sort keys(%ps_all_fonts) ) {
 print '/',$font,'-NASM /',$font," nasmenc\n";
 }
 

Bug#819767: libtool: please make the build reproducible (timestamps, fileordering, hostname, umask)

[rain1]

Source: libtool
Version: 2.4.6
Severity: wishlist
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: timestamps fileordering hostname umask
X-Debbugs-Cc: reproducible-bui...@lists.alioth.debian.org

Hi!

While working on the “reproducible builds” effort [1], we have noticed
that libtool could not be built reproducibly.

The attached patch removes extra timestamps from the build system and
ensure a stable file order when creating the source archive as well as 
replacing uses of the `hostname` command with the fixed string 
"localhost". Once applied, libtool can be built reproducibly in our 
current experimental framework.


I also added to rules: dh_strip_nondeterminism -i/-a to the makefile 
before the compress stage.


 [1]: https://wiki.debian.org/ReproducibleBuilds   * deterministic tar archives by sorting by name.

Author: rain1 <ra...@openmailbox.org>

---
The information above should follow the Patch Tagging Guidelines, please
checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
are templates for supplementary fields that you might want to add:

Origin: <vendor|upstream|other>, 
Bug: 
Bug-Debian: https://bugs.debian.org/
Bug-Ubuntu: https://launchpad.net/bugs/
Forwarded: <no|not-needed|url proving that it has been forwarded>
Reviewed-By: 
Last-Update: 

--- libtool-2.4.6.orig/aclocal.m4
+++ libtool-2.4.6/aclocal.m4
@@ -1104,8 +1104,8 @@ m4_if([$1], [v7],
   # Must skip GNU tar: if it does not support --format= it doesn't create
   # ustar tarball either.
   (tar --version) >/dev/null 2>&1 && continue
-  am__tar='tar chf - "$$tardir"'
-  am__tar_='tar chf - "$tardir"'
+  am__tar='tar --sort=name chf - "$$tardir"'
+  am__tar_='tar --sort=name chf - "$tardir"'
   am__untar='tar xf -'
   ;;
 pax)
@@ -1114,8 +1114,8 @@ m4_if([$1], [v7],
   am__untar='pax -r'
   ;;
 cpio)
-  am__tar='find "$$tardir" -print | cpio -o -H $1 -L'
-  am__tar_='find "$tardir" -print | cpio -o -H $1 -L'
+  am__tar='find "$$tardir" -print | LC_ALL=C sort -z | cpio -o -H $1 -L'
+  am__tar_='find "$tardir" -print | LC_ALL=C sort -z | cpio -o -H $1 -L'
   am__untar='cpio -i -H $1 -d'
   ;;
 none)
--- libtool-2.4.6.orig/libltdl/aclocal.m4
+++ libtool-2.4.6/libltdl/aclocal.m4
@@ -1104,8 +1104,8 @@ m4_if([$1], [v7],
   # Must skip GNU tar: if it does not support --format= it doesn't create
   # ustar tarball either.
   (tar --version) >/dev/null 2>&1 && continue
-  am__tar='tar chf - "$$tardir"'
-  am__tar_='tar chf - "$tardir"'
+  am__tar='tar --sort=name chf - "$$tardir"'
+  am__tar_='tar --sort=name chf - "$tardir"'
   am__untar='tar xf -'
   ;;
 pax)
@@ -1114,8 +1114,8 @@ m4_if([$1], [v7],
   am__untar='pax -r'
   ;;
 cpio)
-  am__tar='find "$$tardir" -print | cpio -o -H $1 -L'
-  am__tar_='find "$tardir" -print | cpio -o -H $1 -L'
+  am__tar='find "$$tardir" -print | LC_ALL=C sort -z | cpio -o -H $1 -L'
+  am__tar_='find "$tardir" -print | LC_ALL=C sort -z | cpio -o -H $1 -L'
   am__untar='cpio -i -H $1 -d'
   ;;
 none)
   * set the hostname to a reproducible dummy value.
Author: rain1 <ra...@openmailbox.org>

---
The information above should follow the Patch Tagging Guidelines, please
checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
are templates for supplementary fields that you might want to add:

Origin: <vendor|upstream|other>, 
Bug: 
Bug-Debian: https://bugs.debian.org/
Bug-Ubuntu: https://launchpad.net/bugs/
Forwarded: <no|not-needed|url proving that it has been forwarded>
Reviewed-By: 
Last-Update: 

--- libtool-2.4.6.orig/m4/autobuild.m4
+++ libtool-2.4.6/m4/autobuild.m4
@@ -22,7 +22,7 @@ AC_DEFUN([AB_INIT],
   fi
   AC_MSG_NOTICE([autobuild revision... $AB_VERSION])
 
-  hostname=`hostname`
+  hostname="debian"
   if test "$hostname"; then
 AC_MSG_NOTICE([autobuild hostname... $hostname])
   fi
   * change all instances of executing `hostname` with constant string "localhost"

Author: rain1 <ra...@openmailbox.org>

---
The information above should follow the Patch Tagging Guidelines, please
checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
are templates for supplementary fields that you might want to add:

Origin: <vendor|upstream|other>, 
Bug: 
Bug-Debian: https://bugs.debian.org/
Bug-Ubuntu: https://launchpad.net/bugs/
Forwarded: <no|not-needed|url proving that it has been forwarded>
Reviewed-By: 
Last-Update: 

--- libtool-2.4.6.orig/configure
+++ libtool-2.4.6/configure
@@ -577,7 +577,7 @@ exec 6>&1
 # Name of the host.
 # hostname on some systems (SVR3.2, old GNU/Lin