Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
I'd like to backport the security fixes and hardening in corekeeper from buster to stretch. -- bye, pabs https://wiki.debian.org/PaulWise
diff -Nru corekeeper-1.6/debian/changelog corekeeper-1.7~deb9u1/debian/changelog
--- corekeeper-1.6/debian/changelog 2015-11-12 00:44:29.000000000 +0800
+++ corekeeper-1.7~deb9u1/debian/changelog 2019-05-20 11:55:22.000000000 +0800
@@ -1,3 +1,22 @@
+corekeeper (1.7~deb9u1) stretch; urgency=medium
+
+ * Backport security hardening fixes to stretch
+
+ -- Paul Wise <p...@debian.org> Mon, 20 May 2019 11:55:22 +0800
+
+corekeeper (1.7) unstable; urgency=medium
+
+ * Do not use a world-writable /var/crash with the dumper script and fix the permissions on upgrade as dpkg doesn't do that. (Closes: #924397) (See-also: #515211)
+ * Handle older versions of the Linux kernel in a safer way (Closes: #924398)
+ * Harden ownership determination and core file names
+ * Do not truncate core names for executables with spaces
+ * Update VCS URLs from alioth to salsa
+
+ -- Paul Wise <p...@debian.org> Sat, 04 May 2019 14:53:44 +0800
+
 corekeeper (1.6) unstable; urgency=medium
 * Prevent installation with other core dump handlers:
diff -Nru corekeeper-1.6/debian/control corekeeper-1.7~deb9u1/debian/control
--- corekeeper-1.6/debian/control 2015-11-11 22:19:31.000000000 +0800
+++ corekeeper-1.7~deb9u1/debian/control 2019-05-04 14:55:31.000000000 +0800
@@ -5,8 +5,8 @@
 Build-Depends: debhelper (>= 9)
 Standards-Version: 3.9.6
-Vcs-Git: git://anonscm.debian.org/collab-maint/corekeeper.git
-Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/corekeeper.git
+Vcs-Git: https://salsa.debian.org/debian/corekeeper.git
+Vcs-Browser: https://salsa.debian.org/debian/corekeeper
 Package: corekeeper
 Architecture: kfreebsd-any linux-any
diff -Nru corekeeper-1.6/debian/copyright corekeeper-1.7~deb9u1/debian/copyright
--- corekeeper-1.6/debian/copyright 2013-11-22 10:23:37.000000000 +0800
+++ corekeeper-1.7~deb9u1/debian/copyright 2019-05-04 14:55:31.000000000 +0800
@@ -1,7 +1,7 @@
 Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: corekeeper
 Upstream-Contact: Paul Wise <p...@debian.org>
-Source: git://anonscm.debian.org/collab-maint/corekeeper.git
+Source: https://salsa.debian.org/debian/corekeeper.git
 Comment: original package by Ben Pfaff has been rewritten
 Files: *
diff -Nru corekeeper-1.6/debian/corekeeper.lintian-overrides corekeeper-1.7~deb9u1/debian/corekeeper.lintian-overrides
--- corekeeper-1.6/debian/corekeeper.lintian-overrides 2013-11-22 10:23:42.000000000 +0800
+++ corekeeper-1.7~deb9u1/debian/corekeeper.lintian-overrides 2019-05-04 13:57:59.000000000 +0800
@@ -1,6 +1,6 @@
 # /var/crash is intentionally world-writable to allow for
 # centralized core dumps.
-non-standard-dir-perm
+[kfreebsd-any]: non-standard-dir-perm
 # The postrm script checks if systemd is running before
 # using the systemctl command
diff -Nru corekeeper-1.6/debian/corekeeper.postinst.linux corekeeper-1.7~deb9u1/debian/corekeeper.postinst.linux
--- corekeeper-1.6/debian/corekeeper.postinst.linux 2013-04-25 14:49:30.000000000 +0800
+++ corekeeper-1.7~deb9u1/debian/corekeeper.postinst.linux 2019-05-04 14:55:31.000000000 +0800
@@ -4,4 +4,11 @@
 # Activate the sysctl settings
 [ $1 != configure ] || sysctl --quiet --load="/etc/sysctl.d/corekeeper.conf"
+# Set /var/crash to not be world writable
+# to prevent crashes being able to write arbitrary files
+[ "$1" = configure ] &&
+dpkg --compare-versions "$2" le-nl 1.6 &&
+! dpkg-statoverride --list /var/crash &&
+chmod 0755 /var/crash
+
 #DEBHELPER#
diff -Nru corekeeper-1.6/debian/dump corekeeper-1.7~deb9u1/debian/dump
--- corekeeper-1.6/debian/dump 2013-04-25 16:01:53.000000000 +0800
+++ corekeeper-1.7~deb9u1/debian/dump 2019-05-04 14:47:56.000000000 +0800
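Review bot: The new `&&` list under "Set /var/crash to not be world writable" is a bare command list rather than an `if`, so whenever its first test is false (any action other than `configure`, or an upgrade from a version above 1.6) the list returns 1, and if nothing follows it once `#DEBHELPER#` is expanded that becomes the postinst's exit status and the maintainer script fails; `dpkg-statoverride --list` also prints the override entry to stdout when one exists. Wrapping the tests so they only gate the `chmod` avoids both: `if [ "$1" = configure ] && dpkg --compare-versions "$2" le-nl 1.6 \` / `   && ! dpkg-statoverride --list /var/crash >/dev/null; then` / `    chmod 0755 /var/crash; fi`. The semantics stay the same: `le-nl` treats an empty `$2` (fresh install) as newer, and an administrator's statoverride is still left alone. The script header with any `set -e` is outside the hunk, so whether this list ends up the last command cannot be confirmed from here.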
@@ -19,7 +19,9 @@
 # because Linux does not create directories when dumping core files
 # and it is apparently painful to do that from within Linux.
 #
-# Thanks for the security audit go to Kees Cook <k...@debian.org>!
+# Thanks for the security audits go to:
+# Jakub Wilk <jw...@jwilk.net>
+# Kees Cook <k...@debian.org>
 set -e
@@ -28,34 +30,77 @@
 exit 1
 fi
-# Check how many arguments the kernel sent us.
-if [ $# -eq 2 ] ; then
- # Awww, old kernel that does not support %d
- # Cannot set the core file owner safely, use root
- # See v3.6-6800-g12a2b4b in linux.git for more info
- uid="$1"
- core="$2"
- owner="0"
-elif [ $# -eq 3 ] ; then
- # Yay! A kernel that does support %d
- uid="$2"
- core="$3"
- owner="$2"
- # Set the core file owner safely
- if [ $1 -eq 2 ] ; then
- owner="0"
- fi
-else
- # Something is majorly broken.
- echo "This script should be run with three arguments and a core file on stdin" 1>&2
- exit 1
-fi
+case "$1" in
+ (--*)
+ # Option based command-line
+ while [ $# -gt 0 ] ; do
+ case "$1" in
+ (--dumpable)
+ # Old Linux kernels do not support %d
+ # use the safest dumpable option there
+ case "$2" in
+ (--*) dumpable=2; shift;;
+ (*) dumpable="$2"; shift 2;;
+ esac
+ ;;
+ (--owner) owner="$2"; shift 2;;
+ (--limit) limit="$2"; shift 2;;
+ # Use remaining arguments for core name
+ (--core) shift; core="$*.core"; break;;
+ (*)
+ echo "Unknown option: $1" 1>&2
+ exit 1
+ ;;
+ esac
+ done
+ ;;
+ (*[!0-9]*|'')
+ echo "Unknown or missing arguments" 1>&2
+ exit 1
+ ;;
+ (*)
+ # Dumpable, owner and core file based command-line
+ case "$2" in
+ # Old Linux kernels do not support %d
+ # use the safest dumpable option there
+ (*[!0-9]*|'') dumpable=2 ;;
+ (*) dumpable="$1"; shift ;;
+ esac
+ owner="$1"; shift
+ core="$*"
+ ;;
+esac
+
+# Set the core file owner safely
+SUID_DUMP_DISABLE=0
+SUID_DUMP_USER=1
+SUID_DUMP_ROOT=2
+case "$dumpable" in
+ ("$SUID_DUMP_DISABLE") exit 0;;
+ ("$SUID_DUMP_USER") ;;
+ ("$SUID_DUMP_ROOT"|*) owner=0;;
+esac
-# The exclamation marks are shell metacharacters
-core="$(echo "$core" | tr '!' 
'-')"
+# Convert potentially unsafe characters to a safe character
+core="$(printf '%s' "$core" | tr -c '[:alnum:]+._-' '-')"
 umask 0077
 mkdir -p "/var/crash/$owner"
 chown "$owner" "/var/crash/$owner"
-owner="$owner" core="$core" \
- su -s /bin/sh -c '/bin/cat > /var/crash/"$owner"/"$core"' \
- "$(getent passwd "$owner" | cut -d: -f1)"
+case "$limit" in
+ # Core dump is not numeric, no nothing
+ (*[!0-9]*) ;;
+ # Core dump limit is empty, write full dump
+ ('')
+ owner="$owner" core="$core" \
+ su -s /bin/sh -c '/bin/cat > /var/crash/"$owner"/"$core"' \
+ "$(getent passwd "$owner" | cut -d: -f1)"
+ ;;
+ # Core dump limit is non-zero, restrict dump size
+ (*[!0]*)
+ owner="$owner" core="$core" limit="$limit" \
+ su -s /bin/sh -c 'head -c "$limit" > /var/crash/"$owner"/"$core"' \
+ "$(getent passwd "$owner" | cut -d: -f1)"
+ ;;
+ # Core dumping is disabled, no nothing
+ (*) ;;
+esac
diff -Nru corekeeper-1.6/debian/rules corekeeper-1.7~deb9u1/debian/rules
--- corekeeper-1.6/debian/rules 2015-11-11 21:59:07.000000000 +0800
+++ corekeeper-1.7~deb9u1/debian/rules 2019-05-07 17:20:54.000000000 +0800
@@ -10,7 +10,7 @@
 override_dh_fixperms:
 dh_fixperms
- chmod 1777 debian/corekeeper/var/crash
+ if [ ! -e $(script) ] ; then chmod 1777 debian/corekeeper/var/crash ; fi
 if [ -e $(script) ] ; then chmod 0755 $(script) ; fi
 override_dh_installinit:
diff -Nru corekeeper-1.6/debian/sysctl-linux/corekeeper.conf corekeeper-1.7~deb9u1/debian/sysctl-linux/corekeeper.conf
--- corekeeper-1.6/debian/sysctl-linux/corekeeper.conf 2015-11-04 18:57:15.000000000 +0800
+++ corekeeper-1.7~deb9u1/debian/sysctl-linux/corekeeper.conf 2019-05-04 14:55:31.000000000 +0800
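Review bot: In the option-based branch, `(--owner) owner="$2"; shift 2;;` accepts any string, whereas the positional branch only ever assigns a numeric owner because `(*[!0-9]*|'')` rejects non-digits first; `owner` then flows into `mkdir -p "/var/crash/$owner"`, `chown` and `getent passwd` unchecked, so the two parse paths do not enforce the same invariant even though the later sanitising of `core` shows the script intends not to trust its arguments. The kernel's `%u` is numeric in practice, but a one-line guard in that branch keeps the paths consistent: `(--owner) case "$2" in (*[!0-9]*|'') echo "Invalid owner: $2" 1>&2; exit 1;; esac; owner="$2"; shift 2;;`. `--dumpable` and `--limit` need no such guard, since the later `case` statements already force root ownership for any dumpable value other than 1 and write nothing for a non-numeric limit. The comments `no nothing` on the first and last limit cases presumably mean `do nothing`. The `if` whose `exit 1`/`fi` open this hunk, and the script's `set -e` prologue, lie outside it.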
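Review bot: The two recipe lines in `override_dh_fixperms` test `$(script)` twice with opposite conditions, which reads as two unrelated steps and lets them drift apart on a later edit; a single `if [ -e $(script) ] ; then chmod 0755 $(script) ; else chmod 1777 debian/corekeeper/var/crash ; fi` states the either/or in one place. A comment such as `# /var/crash stays 1777 only on builds without the dumper script; the dumper must never write into a world-writable directory` would tie the mode choice to the lintian override and changelog entry, which presumably means the kfreebsd build. `script` is defined outside the hunk, so its value on each architecture cannot be confirmed here.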
@@ -4,8 +4,11 @@
 # Non-root users can see that something crashed, no way to fix that.
 # It requires Linux 3.7-rc1, see v3.6-6800-g12a2b4b in linux.git for info.
 # If you use it with an earlier kernel then only root can access core dumps.
-# If you don't want to use it, comment core_pattern below and uncomment this:
+# If you don't want to use it, comment core_pattern below, dpkg-statoverride
+# /var/crash to mode 1777 and uncomment this alternate core_pattern:
 #kernel.core_pattern = /var/crash/%p-%u-%g-%s-%t-%h-%E.core
-kernel.core_pattern = |/usr/lib/corekeeper/dump %d %u %p-%u-%g-%s-%t-%h-%E.core
+# When switching back to the default core pattern use mode 0755 for /var/crash
+# as it is unsafe to use the dumper with a world-writable directory.
+kernel.core_pattern = |/usr/lib/corekeeper/dump --dumpable %d --owner %u --limit %c --core %p-%u-%g-%s-%t-%h-%E
 kernel.core_uses_pid = 1
 fs.suid_dumpable = 2
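Review bot: The new `core_pattern` line passes `--limit %c`, but the surrounding comments, which take care to explain `%d` and the kernel it needs, say nothing about what `%c` is or why the dumper takes it, so an administrator editing this file has no way to know that dropping it changes how much disk a crash can consume. Add above the line a comment along the lines of `# %c is the crashing process's RLIMIT_CORE; the dumper truncates the dump to it,` / `# since the limit is not applied by the kernel when the core is piped to a handler`. The second half is my reading of core(5) and should be confirmed against the stretch kernel before being stated as fact.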