Control: severity -1 important
Control: tags -1 patch
On Tue, 28 Jun 2016 22:28:07 +0200 Nicolas Braud-Santoni wrote:
The audit source package ships a (custom, patched) copy of libev.
Moreover, it is not listed in the security team's list of code copies:
https://anonscm.debian.org/viewvc/secure-testing/data/embedded-code-copies?view=markup
I discovered the issue while preparing a DEP5 copyright file for
the audit source package, and more generally fixing all Lintian
warnings while preparing a patch for #759604.
I think this is an important issue and have included a patch.
Would you please consider applying this before the bookworm freeze?

From a90a5a128acb223185efcad5e2bdacc573e04b72 Mon Sep 17 00:00:00 2001
From: Bastian Germann
Date: Thu, 15 Dec 2022 16:52:28 +0100
Subject: [PATCH] Build auditd with system libev. (Closes: #828903)
The source package has an embedded libev, which is discouraged, and according to
the bug report it is not even registered at the Security Team.
Patch auditd's Makefile.am to use the system library.
Set EV_CHILD_ENABLE=0 as the build will break intentionally with it set.
---
 debian/control                              |  3 +-
 .../05-Build-auditd-with-system-libev.patch | 38 +++
 debian/patches/series                       |  1 +
 debian/rules                                |  1 +
 4 files changed, 41 insertions(+), 2 deletions(-)
create mode 100644 debian/patches/05-Build-auditd-with-system-libev.patch
diff --git a/debian/control b/debian/control
index 5ad89d0..aaf1e28 100644
--- a/debian/control
+++ b/debian/control
@@ -6,8 +6,7 @@ Build-Depends: debhelper-compat (= 12),
# dh-golang,
dpkg-dev (>= 1.16.1~),
libcap-ng-dev,
-# audit sources embed their own patched version of libev
-# libev-dev,
+ libev-dev,
libkrb5-dev,
libldap2-dev ,
libwrap0-dev,
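Review bot: nothing in the patch checks for the system libev at configure time, so a missing libev-dev would only surface later as a compile error on `ev.h`; making `libev-dev` an explicit Build-Depends here is therefore the right fix for the Debian build, and `${shlibs:Depends}` will pick up the runtime dependency from the `-lev` link. While touching this block, the stray space in the context line `libldap2-dev ,` could be tidied.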
diff --git a/debian/patches/05-Build-auditd-with-system-libev.patch b/debian/patches/05-Build-auditd-with-system-libev.patch
new file mode 100644
index 000..5ba81bd
--- /dev/null
+++ b/debian/patches/05-Build-auditd-with-system-libev.patch
@@ -0,0 +1,38 @@
+From: Bastian Germann
+Date: Thu, 15 Dec 2022 16:48:04 +0100
+Forwarded: not-needed
+Subject: Build auditd with system libev
+
+---
+ src/Makefile.am | 7 ++-
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 9c68b42..c759ca2 100644
+--- a/src/Makefile.am
b/src/Makefile.am
+@@ -23,7 +23,7 @@
+
+ CONFIG_CLEAN_FILES = *.rej *.orig
+ SUBDIRS = test
+-AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/src/libev -I${top_srcdir}/auparse -I${top_srcdir}/audisp -I${top_srcdir}/common
++AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/auparse -I${top_srcdir}/audisp -I${top_srcdir}/common
+ sbin_PROGRAMS = auditd auditctl aureport ausearch autrace
+ AM_CFLAGS = -D_GNU_SOURCE -Wno-pointer-sign
+ noinst_HEADERS = auditd-config.h auditd-event.h auditd-listen.h ausearch-llist.h ausearch-options.h auditctl-llist.h aureport-options.h ausearch-parse.h aureport-scan.h ausearch-lookup.h ausearch-int.h auditd-dispatch.h ausearch-string.h ausearch-nvpair.h ausearch-common.h ausearch-avc.h ausearch-time.h ausearch-lol.h auditctl-listing.h ausearch-checkpt.h
+@@ -34,7 +34,7 @@ auditd_SOURCES += auditd-listen.c
+ endif
+ auditd_CFLAGS = -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pthread -Wno-pointer-sign
+ auditd_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now
+-auditd_LDADD = @LIBWRAP_LIBS@ ${top_builddir}/src/libev/libev.la ${top_builddir}/audisp/libdisp.la ${top_builddir}/lib/libaudit.la ${top_builddir}/auparse/libauparse.la -lpthread -lm $(gss_libs) ${top_builddir}/common/libaucommon.la
++auditd_LDADD = @LIBWRAP_LIBS@ ${top_builddir}/audisp/libdisp.la ${top_builddir}/lib/libaudit.la ${top_builddir}/auparse/libauparse.la -lpthread -lm -lev $(gss_libs) ${top_builddir}/common/libaucommon.la
+
+ auditctl_SOURCES = auditctl.c auditctl-llist.c delete_all.c auditctl-listing.c
+ auditctl_CFLAGS = -fPIE -DPIE -g -D_GNU_SOURCE
+@@ -49,6 +49,3 @@ ausearch_LDADD = ${top_builddir}/lib/libaudit.la ${top_builddir}/auparse/libaupa
+
+ autrace_SOURCES = autrace.c delete_all.c auditctl-llist.c
+ autrace_LDADD = ${top_builddir}/lib/libaudit.la
+-
+-libev/libev.a:
+- make -C libev
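Review bot: the embedded patch's `+++ b/src/Makefile.am` header appears here as a bare `b/src/Makefile.am` line, without its leading `+` and the `+++` marker, which would make quilt reject the patch; please confirm the file committed under debian/patches is intact. Beyond that, the change correctly stops compiling the embedded copy (the `-I${top_srcdir}/src/libev` include path, `libev.la` in `auditd_LDADD` and the `libev/libev.a` target are all dropped in favour of `-lev`), but the `src/libev` sources still ship in the upstream tarball; a `Files-Excluded` entry in debian/copyright, or at least an entry in the security team's embedded-code-copies list that the bug report asks for, would close the loop.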
diff --git a/debian/patches/series b/debian/patches/series
index 8c07650..b634337 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
02-restorecon-path.patch
03-Set-log_group-adm.patch
04-auditswig-i-avoid-setter-generation-for-audit-rule-data.patch
+05-Build-auditd-with-system-libev.patch
diff --git a/debian/rules b/debian/rules
index 63d45fc..4522ad1 100755
--- a/debian/rules
+++ b/debian/rules
@@ -4,6 +4,7 @@ DPKG_EXPORT_BUILDFLAGS = 1
include /usr/share/dpkg/buildflags.mk
include /usr/share/dpkg/architecture.mk
+CPPFLAGS +=
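Review bot: the added `CPPFLAGS +=` line is empty as shown, whereas the commit message says `EV_CHILD_ENABLE=0` is being set here, and the hunk header `@@ -4,6 +4,7 @@` promises more context lines than appear, so the line looks truncated; please verify that the committed debian/rules carries the intended `-D` definition. Placing the `+=` after the `buildflags.mk` include, as done here, is correct, since it appends to the flags dpkg has just populated instead of being overwritten by them.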
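As an added check that is not part of the bug report or the patch: once auditd is built with the patched Makefile.am, the binary should declare a DT_NEEDED dependency on the shared libev instead of carrying the embedded copy, and that is something a package reviewer can verify from the ELF dynamic section alone. The pure-Python reader below extracts the DT_NEEDED entries of a little-endian ELF64 file without pyelftools; the images it runs on are constructed inside the block, and the `libev.so.4` soname of Debian's libev4 package is an assumption.

```python
import struct

DT_NULL, DT_NEEDED = 0, 1       # .dynamic entry tags we care about
SHT_STRTAB, SHT_DYNAMIC = 3, 6  # section header types

def _shdr(data, e_shoff, i):
    """sh_type, sh_offset, sh_size, sh_link of ELF64 section header i."""
    typ, _fl, _ad, off, size, link = struct.unpack_from("<IQQQQI", data, e_shoff + i * 64 + 4)
    return typ, off, size, link

def needed_libs(data: bytes) -> list:
    """Return the DT_NEEDED sonames declared by a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_shoff, e_shnum = struct.unpack_from("<Q", data, 40)[0], struct.unpack_from("<H", data, 60)[0]
    libs = []
    for i in range(e_shnum):
        typ, off, size, link = _shdr(data, e_shoff, i)
        if typ != SHT_DYNAMIC:
            continue
        str_off = _shdr(data, e_shoff, link)[1]  # sh_link of .dynamic names the .dynstr section
        for pos in range(off, off + size, 16):  # each Elf64_Dyn entry is 16 bytes
            tag, val = struct.unpack_from("<qQ", data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:  # val is a byte offset into .dynstr
                libs.append(data[str_off + val:data.index(b"\0", str_off + val)].decode())
    return libs

def links_system_libev(data: bytes) -> bool:
    """True when the image depends on a shared libev (Debian's libev4; soname assumed libev.so.4)."""
    return any(lib.startswith("libev.so") for lib in needed_libs(data))

def build_sample_elf(needed) -> bytes:
    """Constructed sample input: a minimal ELF64 carrying only .dynstr and .dynamic sections."""
    dynstr, offsets = b"\0", []
    for name in needed:
        offsets.append(len(dynstr))
        dynstr += name.encode() + b"\0"
    dynamic = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in offsets) + struct.pack("<qQ", DT_NULL, 0)
    dynstr_off, dynamic_off = 64, 64 + len(dynstr)
    shoff = dynamic_off + len(dynamic)
    def sh(typ, off, size, link, entsize):  # one Elf64_Shdr
        return struct.pack("<IIQQQQIIQQ", 0, typ, 0, 0, off, size, link, 0, 1, entsize)
    shdrs = (sh(0, 0, 0, 0, 0) + sh(SHT_STRTAB, dynstr_off, len(dynstr), 0, 0)
             + sh(SHT_DYNAMIC, dynamic_off, len(dynamic), 1, 16))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELF64, little-endian, version 1
    header = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)
    return header + dynstr + dynamic + shdrs
```

To check a real build, pass `open("/sbin/auditd", "rb").read()` to `links_system_libev`; a binary that still carries the embedded libev has no `libev.so` entry at all.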