Your message dated Sat, 10 Feb 2024 13:11:19 +0000
with message-id <e1ryn8z-002yyp...@coccia.debian.org>
and subject line Released with 12.5
has caused the Debian Bug report #1056969,
regarding bookworm-pu: package swupdate/2022.12+dfsg-4+deb12u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1056969: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056969
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Control: affects -1 + src:swupdate
X-Debbugs-Cc: swupd...@packages.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: bookworm
Severity: normal
[ Reason ]
There is a local privilege escalation in swupdate package because the
service's control socket has world-writable file permissions.
[ Impact ]
The rights of the swupdate daemon, which is usually used to run full
system updates, can be acquired by any user on the system.
[ Tests ]
Run the service and check that the control socket is created with the
reduced permission set. Also check that the service user "swupdate" is created.
[ Risks ]
None.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
diff -Nru swupdate-2022.12+dfsg/debian/changelog
swupdate-2022.12+dfsg/debian/changelog
--- swupdate-2022.12+dfsg/debian/changelog 2023-04-04 15:36:06.000000000
+0200
+++ swupdate-2022.12+dfsg/debian/changelog 2023-11-27 11:10:38.000000000
+0100
@@ -1,3 +1,10 @@
+swupdate (2022.12+dfsg-4+deb12u1) bookworm; urgency=medium
+
+ * Add swupdate system user
+ * Create the sockets for group use with SocketMode 0660
+
+ -- Bastian Germann <b...@debian.org> Mon, 27 Nov 2023 11:10:38 +0100
+
swupdate (2022.12+dfsg-4) unstable; urgency=medium
* Enable backported libebgenv-dev
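Review bot: The changelog entry names the two changes but not the problem they fix; consider a line such as `* Restrict control socket access: the sockets were world-writable (local privilege escalation)` so that the motivation given under [Reason] survives in the package history. The changelog is also the place to tell users of the stable package that local clients of the control sockets now need membership in the `swupdate` group.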
diff -Nru swupdate-2022.12+dfsg/debian/control
swupdate-2022.12+dfsg/debian/control
--- swupdate-2022.12+dfsg/debian/control 2023-04-04 15:25:36.000000000
+0200
+++ swupdate-2022.12+dfsg/debian/control 2023-11-27 11:10:38.000000000
+0100
@@ -7,6 +7,7 @@
Build-Depends: debhelper-compat (= 13),
dh-lua:native <!nolua>,
dh-nodejs | dh-nodejs:any,
+ dh-sysuser,
graphviz <!nodoc>,
liblua5.3-dev <!nolua>,
libfdisk-dev,
diff -Nru swupdate-2022.12+dfsg/debian/rules swupdate-2022.12+dfsg/debian/rules
--- swupdate-2022.12+dfsg/debian/rules 2023-04-04 15:30:15.000000000 +0200
+++ swupdate-2022.12+dfsg/debian/rules 2023-11-27 11:10:38.000000000 +0100
@@ -13,7 +13,7 @@
export LUA_VERSION=5.3
export LUA_MODNAME=lua_swupdate
export PKG_NAME=swupdate
-export DH_WITH=--with lua
+export DH_WITH=,lua
export HAVE_LUA=y
endif
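Review bot: `DH_WITH=,lua` is now a comma-prefixed fragment rather than a complete `--with lua` option, which only makes sense together with the `--with sysuser$(DH_WITH)` call further down in this file; a short comment above the export (or a name like `DH_WITH_EXTRA`) would make the intent clear to the next reader of this conditional. The concatenation does work in both branches: when the `ifeq` block is skipped the variable is empty and dh is invoked with `--with sysuser` alone.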
@@ -108,4 +108,4 @@
dh_missing --fail-missing
%:
- dh $@ $(DH_WITH)
+ dh $@ --with sysuser$(DH_WITH)
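Review bot: `--with sysuser` makes dh_sysuser add the account-creation snippet to the maintainer scripts; please verify the order of the generated postinst snippets, because `SocketGroup=swupdate` in swupdate.socket requires the group to exist before the socket unit is started on first installation. If the systemd snippet ran before the sysuser snippet, socket activation would fail until the next restart.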
diff -Nru swupdate-2022.12+dfsg/debian/swupdate.socket
swupdate-2022.12+dfsg/debian/swupdate.socket
--- swupdate-2022.12+dfsg/debian/swupdate.socket 2023-04-04
14:41:04.000000000 +0200
+++ swupdate-2022.12+dfsg/debian/swupdate.socket 2023-11-27
11:10:38.000000000 +0100
@@ -6,6 +6,8 @@
[Socket]
ListenStream=/tmp/sockinstctrl
ListenStream=/tmp/swupdateprog
+SocketMode=0660
+SocketGroup=swupdate
[Install]
WantedBy=sockets.target
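Review bot: `SocketMode=0660` together with `SocketGroup=swupdate` closes the world-writable exposure described in the report, leaving root (no `SocketUser` is set, so the owner stays root) and members of the `swupdate` group as the only local peers able to connect; any tool that legitimately talks to `/tmp/sockinstctrl` or `/tmp/swupdateprog` therefore needs that group membership now, which is worth stating in the changelog. The socket paths remain under `/tmp`; a dedicated directory under `/run` is the usual home for a system service's control sockets, but that is a separate change from this minimal stable update.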
diff -Nru swupdate-2022.12+dfsg/debian/swupdate.sysuser
swupdate-2022.12+dfsg/debian/swupdate.sysuser
--- swupdate-2022.12+dfsg/debian/swupdate.sysuser 1970-01-01
01:00:00.000000000 +0100
+++ swupdate-2022.12+dfsg/debian/swupdate.sysuser 2023-11-27
11:10:38.000000000 +0100
@@ -0,0 +1 @@
+swupdate defaults
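Review bot: `swupdate defaults` creates the account that `SocketGroup=swupdate` relies on, but nothing else in this debdiff changes the service to run as that user, so the new account acts only as the access-control group for the sockets; a sentence saying so in the changelog would avoid the impression that the daemon itself has been de-privileged. Also confirm that `defaults` creates a group of the same name, since the socket unit references the group rather than the user.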
--- End Message ---
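The verification described under [Tests], written out as an added example that is not part of the bug report or the Debian upload: a POSIX shell check that the two control sockets from swupdate.socket carry no world-accessible permission bits and belong to the swupdate group, and that the swupdate account exists. It assumes GNU `stat` (for `-c`) and `getent` are available on the target system.

```shell
#!/bin/sh
# Added check for the [Tests] section of the swupdate stable update.
# Not part of the Debian package; assumes GNU stat and getent.

# check_socket_perms PATH GROUP
# Returns 0 when PATH grants nothing to "other" (0660 or stricter)
# and is group-owned by GROUP; prints the reason and returns 1 otherwise.
check_socket_perms() {
    path=$1
    group=$2
    [ -e "$path" ] || { echo "missing: $path" >&2; return 1; }
    mode=$(stat -c '%a' "$path")        # e.g. 660, or 4660 with set-id bits
    owner_group=$(stat -c '%G' "$path")
    # keep only the three permission digits so 660 and 0660 compare alike
    mode=$(printf '%s' "$mode" | sed 's/^[0-7]\([0-7]\{3\}\)$/\1/')
    other=$(printf '%s' "$mode" | cut -c3)
    if [ "$other" != "0" ]; then
        echo "world-accessible: $path has mode $mode" >&2
        return 1
    fi
    if [ "$owner_group" != "$group" ]; then
        echo "wrong group: $path owned by $owner_group, expected $group" >&2
        return 1
    fi
    return 0
}

# check_sysuser NAME: 0 when NAME resolves in the passwd database.
check_sysuser() {
    getent passwd "$1" >/dev/null
}

# The full check as [Tests] describes it: both sockets listed in
# swupdate.socket (ListenStream paths) and the "swupdate" service user.
check_swupdate_hardening() {
    rc=0
    for s in /tmp/sockinstctrl /tmp/swupdateprog; do
        check_socket_perms "$s" swupdate || rc=1
    done
    check_sysuser swupdate || { echo "user swupdate missing" >&2; rc=1; }
    return $rc
}
```

Run `check_swupdate_hardening` on a host with the patched package installed and the socket unit active; a non-zero exit with the printed reason means the hardening is not in effect.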
--- Begin Message ---
Version: 12.5
The upload requested in this bug has been released as part of 12.5.
--- End Message ---