On Sun, 20 Mar 2022 11:40:44 +0100 Guilhem Moulin <guil...@debian.org> wrote:
> netcat-openbsd 1.218-5 adds support for abstract sockets (on Linux),
> which is a breaking change with possible security implications:
> https://sources.debian.org/src/netcat-openbsd/1.218-5/debian/NEWS/ .
> elbrus suggested to mention that in the Bookworm release notes; I
> propose the following text, mostly straight from the NEWS entry — feel free to
> adjust of course :-)

Is the following approximately what is meant? (I didn't think the bit about still fitting the argument into 108 bytes was going to cause issues often enough to need a mention in the release notes; I would assume people using huge file names know to check for these things.)

<section id="netcat-openbsd-now-supports-abstract-sockets">
  <title>netcat-openbsd now supports abstract sockets</title>
  <para>
    The <literal>netcat</literal> utility for reading and writing data
    across network connections supports
    <link url="&url-man;/&releasename;/manpages/unix.7.html#Abstract_sockets">abstract sockets</link>,
    and uses them by default in some circumstances. This applies when
    you are using an <literal>AF_UNIX</literal> socket under a
    <literal>Linux</literal> kernel, and when <literal>netcat</literal>
    is provided by the <systemitem role="package">netcat-openbsd</systemitem>
    package (rather than by <systemitem role="package">netcat-traditional</systemitem>,
    which is the Debian default). If so, the `-U' option to
    <command>nc</command> will now interpret an argument starting with
    an `@' as requesting an abstract socket rather than as a filename
    beginning with an `@' in the current directory. This can have
    security implications because filesystem permissions can no longer
    be used to control access to an abstract socket. You can continue to
    use a filename starting with an `@' by prefixing the name with `./'
    or by specifying an absolute path.
  </para>
</section>
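The security point in the proposed text is easy to see at the socket layer. The following Python script is an added illustration, not code from netcat-openbsd or from this thread: it mimics the `-U` argument interpretation the NEWS entry describes (a leading `@` selects an abstract socket, `./@name` or an absolute path stays a filesystem socket), applies the 108-byte `sun_path` limit, and then binds both kinds of socket to show that the abstract one never appears in the filesystem and therefore carries no mode bits, while the path-based one does. `resolve_unix_target`, `demo_visibility` and the socket name are assumptions made for the example; the bind/connect part needs a Linux kernel.

```python
import os
import socket
import stat
import sys
import tempfile

# Linux sockaddr_un.sun_path is 108 bytes. An abstract name spends one of
# those on its leading NUL; a filesystem path needs room for a trailing NUL.
SUN_PATH_LEN = 108
IS_LINUX = sys.platform.startswith("linux")


def resolve_unix_target(arg: str) -> tuple[str, bytes]:
    """Hypothetical helper mirroring how netcat-openbsd 1.218-5 reads the
    -U argument on Linux: '@name' -> abstract socket (kernel address is
    NUL + 'name'), anything else -> filesystem path as given.
    Returns (kind, address bytes as accepted by socket.bind())."""
    if arg.startswith("@"):
        addr = b"\0" + arg[1:].encode()
        if len(addr) > SUN_PATH_LEN:
            raise ValueError("abstract socket name does not fit in sun_path")
        return "abstract", addr
    addr = arg.encode()
    if len(addr) >= SUN_PATH_LEN:
        raise ValueError("socket path does not fit in sun_path")
    return "path", addr


def demo_visibility() -> dict:
    """Bind the same bare name both ways and report what the filesystem sees.
    Linux only: the abstract namespace is a Linux extension."""
    name = f"@nc-demo-{os.getpid()}"  # constructed name, unique per process
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        # 1. Bare '@name' under the new semantics: an abstract socket.
        kind, addr = resolve_unix_target(name)
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(addr)
        srv.listen(1)
        results["abstract_kind"] = kind
        # Nothing is created on disk, so there is nothing to chmod/chown:
        # any process in the same network namespace may connect.
        results["abstract_in_fs"] = os.path.exists(os.path.join(workdir, name))
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        cli.connect(addr)
        results["abstract_connect_ok"] = True
        cli.close()
        srv.close()

        # 2. Absolute path (or './@name'): a filesystem socket whose inode
        # carries mode bits that the kernel checks on connect() for
        # non-root peers (write permission is required).
        path_arg = os.path.join(workdir, name)
        kind, addr = resolve_unix_target(path_arg)
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(addr)
        srv.listen(1)
        os.chmod(path_arg, 0o600)  # restrict to the owning user
        st = os.stat(path_arg)
        results["path_kind"] = kind
        results["path_is_socket"] = stat.S_ISSOCK(st.st_mode)
        results["path_mode"] = stat.S_IMODE(st.st_mode)
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        cli.connect(addr)  # we are the owner, so this succeeds
        results["path_connect_ok"] = True
        cli.close()
        srv.close()
    return results


if __name__ == "__main__":
    for arg in ("@foo", "./@foo", "/run/@foo"):
        print(arg, "->", resolve_unix_target(arg))
    if IS_LINUX:
        for key, value in demo_visibility().items():
            print(f"{key}: {value}")
```

Running it as an unprivileged user shows the asymmetry the release note warns about: the `@foo` listener exists only in the kernel's abstract namespace (no inode, no permissions, reachable by every process in the network namespace), whereas `./@foo` and `/run/@foo` are ordinary socket files whose mode bits still gate `connect()`.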