Bug#894667: beep bug
Hello. After analysis of the diff it in unclear what exactly the race condition bug is and how it would constitute a privileged escalation. Please could somebody provide an explanation of what the race condition is, and how it is a security issue rather than just being a regular bug. so we can understand why the patch fixes it. It seems that open/closing the console_device (set with -e) was done repeatedly in the -n case. It's possible that the race in question would be triggered if a SIGINT or SIGTERM was sent at the right time (which time)? possibly causing a double free. As the beep program just performs ioctl or writes a very simple struct to an fd it does not seem there is enough attacker control to actually do any sort of code execution with beep. So this may not really be a security issue, just a minor improvement in the code. I welcome being corrected though. (Note: we have looked at the satire website about the bug https://holeybeep.ninja and it does not provide any technical details of interest) Cheers!
Bug#820194: nasm: please make the build reproducible (font ordering in documentation)
Source: nasm Version: 2.11.08 Severity: wishlist Tags: patch User: reproducible-bui...@lists.alioth.debian.org Usertags: timestamps fileordering hostname umask X-Debbugs-Cc: reproducible-bui...@lists.alioth.debian.org Hi! While working on the “reproducible builds” effort [1], we have noticed that nasm could not be built reproducibly. The attached patch sorts keys from a hash table listing fonts to ensure a stable file order when creating the postscript and pdf documentation. Once applied, nasm can be built reproducibly in our current experimental framework.* sort 'keys' for reproducibility. Author: Raymond Nicholson--- The information above should follow the Patch Tagging Guidelines, please checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here are templates for supplementary fields that you might want to add: Origin: , Bug: Bug-Debian: https://bugs.debian.org/ Bug-Ubuntu: https://launchpad.net/bugs/ Forwarded: Reviewed-By: Last-Update: --- nasm-2.11.08.orig/doc/genps.pl +++ nasm-2.11.08/doc/genps.pl @@ -968,18 +968,18 @@ print "%%Pages: $curpage\n"; print "%%BoundingBox: 0 0 ", $psconf{pagewidth}, ' ', $psconf{pageheight}, "\n"; print "%%Creator: (NASM psflow.pl)\n"; print "%%DocumentData: Clean7Bit\n"; -print "%%DocumentFonts: ", join(' ', keys(%ps_all_fonts)), "\n"; -print "%%DocumentNeededFonts: ", join(' ', keys(%ps_all_fonts)), "\n"; +print "%%DocumentFonts: ", join(' ', sort keys(%ps_all_fonts)), "\n"; +print "%%DocumentNeededFonts: ", join(' ', sort keys(%ps_all_fonts)), "\n"; print "%%Orientation: Portrait\n"; print "%%PageOrder: Ascend\n"; print "%%EndComments\n"; print "%%BeginProlog\n"; # Emit the configurables as PostScript tokens -foreach $c ( keys(%psconf) ) { +foreach $c ( sort keys(%psconf) ) { print "/$c ", $psconf{$c}, " def\n"; } -foreach $c ( keys(%psbool) ) { +foreach $c ( sort keys(%psbool) ) { print "/$c ", ($psbool{$c}?'true':'false'), " def\n"; } @@ -1007,7 +1007,7 @@ print " definefont pop\n"; print "} def\n"; # Emit fontset definitions -foreach $font ( keys(%ps_all_fonts) ) { +foreach $font ( sort keys(%ps_all_fonts) ) { print '/',$font,'-NASM /',$font," nasmenc\n"; }
Bug#819767: libtool: please make the build reproducible (timestamps, fileordering, hostname, umask)
Source: libtool Version: 2.4.6 Severity: wishlist Tags: patch User: reproducible-bui...@lists.alioth.debian.org Usertags: timestamps fileordering hostname umask X-Debbugs-Cc: reproducible-bui...@lists.alioth.debian.org Hi! While working on the “reproducible builds” effort [1], we have noticed that libtool could not be built reproducibly. The attached patch removes extra timestamps from the build system and ensure a stable file order when creating the source archive as well as replacing uses of the `hostname` command with the fixed string "localhost". Once applied, libtool can be built reproducibly in our current experimental framework. I also added to rules: dh_strip_nondeterminism -i/-a to the makefile before the compress stage. [1]: https://wiki.debian.org/ReproducibleBuilds * deterministic tar archives by sorting by name. Author: rain1 <ra...@openmailbox.org> --- The information above should follow the Patch Tagging Guidelines, please checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here are templates for supplementary fields that you might want to add: Origin: <vendor|upstream|other>, Bug: Bug-Debian: https://bugs.debian.org/ Bug-Ubuntu: https://launchpad.net/bugs/ Forwarded: <no|not-needed|url proving that it has been forwarded> Reviewed-By: Last-Update: --- libtool-2.4.6.orig/aclocal.m4 +++ libtool-2.4.6/aclocal.m4 @@ -1104,8 +1104,8 @@ m4_if([$1], [v7], # Must skip GNU tar: if it does not support --format= it doesn't create # ustar tarball either. (tar --version) >/dev/null 2>&1 && continue - am__tar='tar chf - "$$tardir"' - am__tar_='tar chf - "$tardir"' + am__tar='tar --sort=name chf - "$$tardir"' + am__tar_='tar --sort=name chf - "$tardir"' am__untar='tar xf -' ;; pax) @@ -1114,8 +1114,8 @@ m4_if([$1], [v7], am__untar='pax -r' ;; cpio) - am__tar='find "$$tardir" -print | cpio -o -H $1 -L' - am__tar_='find "$tardir" -print | cpio -o -H $1 -L' + am__tar='find "$$tardir" -print | LC_ALL=C sort -z | cpio -o -H $1 -L' + am__tar_='find "$tardir" -print | LC_ALL=C sort -z | cpio -o -H $1 -L' am__untar='cpio -i -H $1 -d' ;; none) --- libtool-2.4.6.orig/libltdl/aclocal.m4 +++ libtool-2.4.6/libltdl/aclocal.m4 @@ -1104,8 +1104,8 @@ m4_if([$1], [v7], # Must skip GNU tar: if it does not support --format= it doesn't create # ustar tarball either. (tar --version) >/dev/null 2>&1 && continue - am__tar='tar chf - "$$tardir"' - am__tar_='tar chf - "$tardir"' + am__tar='tar --sort=name chf - "$$tardir"' + am__tar_='tar --sort=name chf - "$tardir"' am__untar='tar xf -' ;; pax) @@ -1114,8 +1114,8 @@ m4_if([$1], [v7], am__untar='pax -r' ;; cpio) - am__tar='find "$$tardir" -print | cpio -o -H $1 -L' - am__tar_='find "$tardir" -print | cpio -o -H $1 -L' + am__tar='find "$$tardir" -print | LC_ALL=C sort -z | cpio -o -H $1 -L' + am__tar_='find "$tardir" -print | LC_ALL=C sort -z | cpio -o -H $1 -L' am__untar='cpio -i -H $1 -d' ;; none) * set the hostname to a reproducible dummy value. Author: rain1 <ra...@openmailbox.org> --- The information above should follow the Patch Tagging Guidelines, please checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here are templates for supplementary fields that you might want to add: Origin: <vendor|upstream|other>, Bug: Bug-Debian: https://bugs.debian.org/ Bug-Ubuntu: https://launchpad.net/bugs/ Forwarded: <no|not-needed|url proving that it has been forwarded> Reviewed-By: Last-Update: --- libtool-2.4.6.orig/m4/autobuild.m4 +++ libtool-2.4.6/m4/autobuild.m4 @@ -22,7 +22,7 @@ AC_DEFUN([AB_INIT], fi AC_MSG_NOTICE([autobuild revision... $AB_VERSION]) - hostname=`hostname` + hostname="debian" if test "$hostname"; then AC_MSG_NOTICE([autobuild hostname... $hostname]) fi * change all instances of executing `hostname` with constant string "localhost" Author: rain1 <ra...@openmailbox.org> --- The information above should follow the Patch Tagging Guidelines, please checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here are templates for supplementary fields that you might want to add: Origin: <vendor|upstream|other>, Bug: Bug-Debian: https://bugs.debian.org/ Bug-Ubuntu: https://launchpad.net/bugs/ Forwarded: <no|not-needed|url proving that it has been forwarded> Reviewed-By: Last-Update: --- libtool-2.4.6.orig/configure +++ libtool-2.4.6/configure @@ -577,7 +577,7 @@ exec 6>&1 # Name of the host. # hostname on some systems (SVR3.2, old GNU/Lin