--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: util-li...@packages.debian.org, car...@debian.org,
t...@security.debian.org
Control: affects -1 + src:util-linux
[ Reason ]
In the mitigation for CVE-2024-28085 util-linux intended to disable
setgid on write and wall. I used --disable-tty-group to achieve this.
However, this causes `mesg y` to behave differently: it sets the tty mode
a+w.
This is surprising and not what was intended. Upstream removed this
misfeature and added a new configure flag to stop installing write, wall
setgid.
This update adds the upstream patch(es) and uses the new configure flag
instead.
[ Impact ]
`mesg y` keeps setting the current tty a+w, allowing anyone to write
to the user's terminal. This is bad.
During discussions with the security team it was deemed enough to fix
the problem with the next stable update though.
[ Tests ]
I've done a manual test showing the setgid flags still being absent
(good) and mesg now behaving like before the security update.
[ Risks ]
Hopefully nobody relied on this new bug.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
The diff unfortunately has a lot of uninteresting bits.
1) It fixes the patches of deb12u2 so gbp-pq can apply them. Sorry,
should have spotted that for deb12u2.
2) I took all three patches from upstream as they were a single set. The
patch to the meson build system is useless to us (we still build with
autoconf), but for completeness it's in.
The -really- relevant part is the patch dropping the #ifdef
USE_TTY_GROUP else-branch.
d/rules uses the new configure flag.
[ Other info ]
In unstable this was addressed by no longer installing write and mesg.
The bug that started this is #1085848, which I'll update soon.
Chris
diff -Nru util-linux-2.38.1/debian/changelog util-linux-2.38.1/debian/changelog
--- util-linux-2.38.1/debian/changelog 2024-10-18 14:56:02.000000000 +0200
+++ util-linux-2.38.1/debian/changelog 2024-11-21 21:01:54.000000000 +0100
@@ -1,3 +1,11 @@
+util-linux (2.38.1-5+deb12u3) bookworm; urgency=medium
+
+ * Fixup upstream patches from 2.38.1-5+deb12u2 so gbp-pq can apply them
+ * Use upstream's new --disable-makeinstall-tty-setgid.
+ This fixes our wider mitigation for CVE-2024-28085.
+
+ -- Chris Hofstaedtler <z...@debian.org> Thu, 21 Nov 2024 21:01:54 +0100
+
util-linux (2.38.1-5+deb12u2) bookworm; urgency=medium
* Add the following upstream patches to identify new Arm cores:
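Review bot: the entry names the new build flag but neither the user-visible effect it repairs nor the bug; add a `Closes: #1085848` reference (the bug named under [ Other info ]) and a line such as `* mesg(1): stop making the tty world-writable (o+w) on "mesg y"`, so readers of `apt changelog` see why a stable update was warranted without opening the report.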
diff -Nru util-linux-2.38.1/debian/patches/series
util-linux-2.38.1/debian/patches/series
--- util-linux-2.38.1/debian/patches/series 2024-10-18 14:56:02.000000000
+0200
+++ util-linux-2.38.1/debian/patches/series 2024-11-21 21:01:54.000000000
+0100
@@ -43,3 +43,6 @@
upstream/wall-use-fputs_careful.patch
upstream/wall-fix-calloc-cal-Werror-calloc-transposed-args.patch
upstream/wall-fix-escape-sequence-Injection-CVE-2024-28085.patch
+upstream/autotools-add-disable-makeinstall-tty-setgid.patch
+upstream/meson-add-D-tty-setgid-false-true.patch
+upstream/mesg-remove-ability-to-compile-with-fchmod-S_IWOTH.patch
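Review bot: the three new upstream patch files carry From/Date/Subject headers but, unlike the refreshed 0027-0029 files further down in this debdiff, no upstream commit id; add a DEP-3 `Origin:` line (or the same `Upstream commit <id>` convention) to each so the backport can be traced to the 2.41 commits. Ordering in series is fine since the three touch disjoint files, and meson-add-D-tty-setgid-false-true.patch is inert for this package because d/rules configures with autoconf.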
diff -Nru
util-linux-2.38.1/debian/patches/upstream/0027-lscpu-Add-Neoverse-V2-Cortex-R82.patch
util-linux-2.38.1/debian/patches/upstream/0027-lscpu-Add-Neoverse-V2-Cortex-R82.patch
---
util-linux-2.38.1/debian/patches/upstream/0027-lscpu-Add-Neoverse-V2-Cortex-R82.patch
2024-10-18 14:56:02.000000000 +0200
+++
util-linux-2.38.1/debian/patches/upstream/0027-lscpu-Add-Neoverse-V2-Cortex-R82.patch
2024-11-21 21:01:54.000000000 +0100
@@ -1,15 +1,16 @@
-From 6857cccbb4157d5da34ca98f77a0ac9d68e1e740 Mon Sep 17 00:00:00 2001
From: ThomasKaiser <thomaskai...@users.noreply.github.com>
Date: Sun, 22 Jan 2023 12:37:33 +0100
Subject: [PATCH] Add missing ARM-cores
https://github.com/ThomasKaiser/sbc-bench/commit/37332238c0a8b7c1555dca9d18a7c98362564416#diff-fdfd2a032c64d6e9ba92a3197cad6b26573c7094433d74efa4ae80f44f65aa99
+
+Upstream commit 6857cccbb4157d5da34ca98f77a0ac9d68e1e740
---
sys-utils/lscpu-arm.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sys-utils/lscpu-arm.c b/sys-utils/lscpu-arm.c
-index 8357253c66c..f65b25ed66d 100644
+index b30e0e7..0ee10d2 100644
--- a/sys-utils/lscpu-arm.c
+++ b/sys-utils/lscpu-arm.c
@@ -78,6 +78,7 @@ static const struct id_part arm_part[] = {
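Review bot: dropping the `From <sha>` mail header and keeping the id only as a free-form `Upstream commit` line loses the machine-readable origin; the DEP-3 form `Origin: upstream, <sha>` is the Debian convention and would serve the same purpose. The rewritten `index` line now references blob ids from the Debian tree rather than upstream's, which is what `gbp pq export` produces and is harmless.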
@@ -27,3 +28,4 @@
+ { 0xd4f, "Neoverse-V2" },
{ -1, "unknown" },
};
+
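Review bot: the only change in this hunk is a new empty line at end of file; it is harmless but adds noise to the debdiff, and the same trailing blank line appears in the 0028 and 0029 rewrites below. If these files were regenerated with `gbp pq export`, keeping the exported form is the pragmatic choice so the next refresh does not churn them again.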
diff -Nru
util-linux-2.38.1/debian/patches/upstream/0028-lscpu-Add-2023-Cortex.patch
util-linux-2.38.1/debian/patches/upstream/0028-lscpu-Add-2023-Cortex.patch
--- util-linux-2.38.1/debian/patches/upstream/0028-lscpu-Add-2023-Cortex.patch
2024-10-18 14:56:02.000000000 +0200
+++ util-linux-2.38.1/debian/patches/upstream/0028-lscpu-Add-2023-Cortex.patch
2024-11-21 21:01:54.000000000 +0100
@@ -1,4 +1,3 @@
-From 6112ade968cbe8728ca25fccdafdb1f9599424db Mon Sep 17 00:00:00 2001
From: Jeremy Linton <jeremy.lin...@arm.com>
Date: Wed, 26 Jul 2023 15:54:20 -0500
Subject: [PATCH] lscpu: Even more Arm part numbers (early 2023)
@@ -10,12 +9,14 @@
Cortex-M55 and Cortex-R52+.
Signed-off-by: Jeremy Linton <jeremy.lin...@arm.com>
+
+Upstream commit 6112ade968cbe8728ca25fccdafdb1f9599424db
---
sys-utils/lscpu-arm.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/sys-utils/lscpu-arm.c b/sys-utils/lscpu-arm.c
-index d83e948b0d8..77959836873 100644
+index 0ee10d2..41cf540 100644
--- a/sys-utils/lscpu-arm.c
+++ b/sys-utils/lscpu-arm.c
@@ -79,8 +79,11 @@ static const struct id_part arm_part[] = {
@@ -39,3 +40,4 @@
+ { 0xd82, "Cortex-X4" },
{ -1, "unknown" },
};
+
diff -Nru
util-linux-2.38.1/debian/patches/upstream/0029-lscpu-Add-Neoverse-V3-N3.patch
util-linux-2.38.1/debian/patches/upstream/0029-lscpu-Add-Neoverse-V3-N3.patch
---
util-linux-2.38.1/debian/patches/upstream/0029-lscpu-Add-Neoverse-V3-N3.patch
2024-10-18 14:56:02.000000000 +0200
+++
util-linux-2.38.1/debian/patches/upstream/0029-lscpu-Add-Neoverse-V3-N3.patch
2024-11-21 21:01:54.000000000 +0100
@@ -1,18 +1,19 @@
-From 7be163aa1657c4bd854bde84a83a8c5fcffd25dd Mon Sep 17 00:00:00 2001
From: Thomas Kaiser <thomaskai...@users.noreply.github.com>
Date: Mon, 26 Feb 2024 12:20:11 +0100
Subject: [PATCH] Adding Neoverse-V3/-N3 ARM cores
(cherry picked from commit c91694dd066d07c2ca7d68cbe212b2e1f893e942)
+
+Upstream commit 7be163aa1657c4bd854bde84a83a8c5fcffd25dd
---
sys-utils/lscpu-arm.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sys-utils/lscpu-arm.c b/sys-utils/lscpu-arm.c
-index 511ab281cd8..b9e8060a92f 100644
+index 41cf540..247c645 100644
--- a/sys-utils/lscpu-arm.c
+++ b/sys-utils/lscpu-arm.c
-@@ -93,6 +93,8 @@ static const struct id_part arm_part[] = {
+@@ -102,6 +102,8 @@ static const struct id_part arm_part[] = {
{ 0xd80, "Cortex-A520" },
{ 0xd81, "Cortex-A720" },
{ 0xd82, "Cortex-X4" },
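Review bot: the inner hunk header moving from `@@ -93,6 +93,8 @@` to `@@ -102,6 +102,8 @@` shows this patch was refreshed on top of 0027 and 0028 as applied in the Debian tree instead of against upstream's file, which is the right fix for the apply failure mentioned under [ Changes ]; the context and added lines are unchanged, so there is no functional difference.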
@@ -20,3 +21,4 @@
+ { 0xd8e, "Neoverse-N3" },
{ -1, "unknown" },
};
+
diff -Nru
util-linux-2.38.1/debian/patches/upstream/autotools-add-disable-makeinstall-tty-setgid.patch
util-linux-2.38.1/debian/patches/upstream/autotools-add-disable-makeinstall-tty-setgid.patch
---
util-linux-2.38.1/debian/patches/upstream/autotools-add-disable-makeinstall-tty-setgid.patch
1970-01-01 01:00:00.000000000 +0100
+++
util-linux-2.38.1/debian/patches/upstream/autotools-add-disable-makeinstall-tty-setgid.patch
2024-11-21 21:01:54.000000000 +0100
@@ -0,0 +1,67 @@
+From: Karel Zak <k...@redhat.com>
+Date: Fri, 15 Nov 2024 11:30:17 +0100
+Subject: autotools: add --disable-makeinstall-tty-setgid
+
+If your distribution does not define permissions for installed
+binaries and follows the upstream guidelines, disabling the tty
+group's setgid could be a beneficial decision in certain situations.
+
+Signed-off-by: Karel Zak <k...@redhat.com>
+---
+ configure.ac | 8 ++++++++
+ term-utils/Makemodule.am | 4 ++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index d8b4d47..7bb91e4 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -2627,6 +2627,14 @@ AC_ARG_ENABLE([makeinstall-setuid],
+ AM_CONDITIONAL([MAKEINSTALL_DO_SETUID], [test "x$enable_makeinstall_setuid" =
xyes])
+
+
++AC_ARG_ENABLE([makeinstall-tty-setgid],
++ AS_HELP_STRING([--disable-makeinstall-tty-setgid], [do not setgid
for wall, and write during "make install"]),
++ [], [enable_makeinstall_tty_setgid=yes]
++)
++AM_CONDITIONAL([MAKEINSTALL_DO_TTY_SETGID], [test
"x$enable_makeinstall_tty_setgid" = xyes])
++
++
++
+ AC_ARG_ENABLE([colors-default],
+ AS_HELP_STRING([--disable-colors-default], [do not colorize output from
utils by default]),
+ [], [enable_colors_default=yes]
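Review bot: the help string `do not setgid for wall, and write during "make install"` reads oddly (stray comma) and does not say that the option only matters when the tty group and the install-time chown are also enabled, which is how Makemodule.am nests it below; suggest `do not make wall and write setgid tty during "make install" (only effective with USE_TTY_GROUP and MAKEINSTALL_DO_CHOWN)`. This is upstream text, so raise it upstream rather than diverging in the backport.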
+diff --git a/term-utils/Makemodule.am b/term-utils/Makemodule.am
+index 119324f..99deb81 100644
+--- a/term-utils/Makemodule.am
++++ b/term-utils/Makemodule.am
+@@ -96,6 +96,7 @@ wall_LDFLAGS = $(SUID_LDFLAGS) $(AM_LDFLAGS)
+ wall_LDADD = $(LDADD) libcommon.la
+ if USE_TTY_GROUP
+ if MAKEINSTALL_DO_CHOWN
++if MAKEINSTALL_DO_TTY_SETGID
+ install-exec-hook-wall::
+ chgrp tty $(DESTDIR)$(usrbin_execdir)/wall
+ chmod g+s $(DESTDIR)$(usrbin_execdir)/wall
+@@ -103,6 +104,7 @@ install-exec-hook-wall::
+ INSTALL_EXEC_HOOKS += install-exec-hook-wall
+ endif
+ endif
++endif
+ endif # BUILD_WALL
+
+
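Review bot: because the new `if MAKEINSTALL_DO_TTY_SETGID` sits inside the existing `chgrp tty` / `chmod g+s` hook, disabling it drops both, so wall is installed with the default owner, group and mode and no tty group association at all, which is the outcome wanted for CVE-2024-28085. Worth confirming on the built package, matching the manual test under [ Tests ], that nothing in debian/ (maintainer scripts or a dh_fixperms override) re-applies the bits: `stat -L -c '%A %U:%G %n' /usr/bin/wall "$(command -v write)"` should show `-rwxr-xr-x root:root` for both.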
+@@ -117,6 +119,7 @@ write_LDADD = $(LDADD) libcommon.la
+
+ if USE_TTY_GROUP
+ if MAKEINSTALL_DO_CHOWN
++if MAKEINSTALL_DO_TTY_SETGID
+ install-exec-hook-write::
+ chgrp tty $(DESTDIR)$(usrbin_execdir)/write
+ chmod g+s $(DESTDIR)$(usrbin_execdir)/write
+@@ -124,4 +127,5 @@ install-exec-hook-write::
+ INSTALL_EXEC_HOOKS += install-exec-hook-write
+ endif
+ endif
++endif
+ endif # BUILD_WRITE
diff -Nru
util-linux-2.38.1/debian/patches/upstream/mesg-remove-ability-to-compile-with-fchmod-S_IWOTH.patch
util-linux-2.38.1/debian/patches/upstream/mesg-remove-ability-to-compile-with-fchmod-S_IWOTH.patch
---
util-linux-2.38.1/debian/patches/upstream/mesg-remove-ability-to-compile-with-fchmod-S_IWOTH.patch
1970-01-01 01:00:00.000000000 +0100
+++
util-linux-2.38.1/debian/patches/upstream/mesg-remove-ability-to-compile-with-fchmod-S_IWOTH.patch
2024-11-21 21:01:54.000000000 +0100
@@ -0,0 +1,91 @@
+From: Karel Zak <k...@redhat.com>
+Date: Fri, 15 Nov 2024 11:53:37 +0100
+Subject: mesg: remove ability to compile with fchmod(S_IWOTH)
+
+The default is to use mesg(1) to modify write access for the "tty"
+group, but there is an obscure legacy. If mesg(1) is compiled with the
+option "--disable-use-tty-group", then it defaults to using
+fchmod(S_IWGRP | S_IWOTH). This means that your tty is then writable
+for everyone. Let's get rid of this ugly feature.
+
+Reported-by: Chris Hofstaedtler <z...@debian.org>
+Signed-off-by: Karel Zak <k...@redhat.com>
+---
+ login-utils/login.1.adoc | 4 ++--
+ term-utils/mesg.1.adoc | 19 ++++++++++++++++++-
+ term-utils/mesg.c | 4 ----
+ 3 files changed, 20 insertions(+), 7 deletions(-)
+
+diff --git a/login-utils/login.1.adoc b/login-utils/login.1.adoc
+index a3404f3..376dca4 100644
+--- a/login-utils/login.1.adoc
++++ b/login-utils/login.1.adoc
+@@ -93,13 +93,13 @@ Delay in seconds before being allowed another three tries
after a login failure.
+
+ *TTYPERM* (string)::
+
+-The terminal permissions. The default value is _0600_ or _0620_ if tty group
is used.
++The terminal permissions. The default value is _0600_ or _0620_ if tty group
is used. See also *mesg*(1).
+
+ *TTYGROUP* (string)::
+
+ The login tty will be owned by the *TTYGROUP*. The default value is _tty_. If
the *TTYGROUP* does not exist, then the ownership of the terminal is set to the
user's primary group.
+ +
+-The *TTYGROUP* can be either the name of a group or a numeric group
identifier.
++The *TTYGROUP* can be either the name of a group or a numeric group
identifier. See also *mesg*(1).
+
+ *HUSHLOGIN_FILE* (string)::
+
+diff --git a/term-utils/mesg.1.adoc b/term-utils/mesg.1.adoc
+index 5ccef72..d4704e7 100644
+--- a/term-utils/mesg.1.adoc
++++ b/term-utils/mesg.1.adoc
+@@ -52,7 +52,23 @@ mesg - display (or do not display) messages from other users
+
+ The *mesg* utility is invoked by a user to control write access others have
to the terminal device associated with standard error output. If write access
is allowed, then programs such as *talk*(1) and *write*(1) may display messages
on the terminal.
+
+-Traditionally, write access is allowed by default. However, as users become
more conscious of various security risks, there is a trend to remove write
access by default, at least for the primary login shell. To make sure your ttys
are set the way you want them to be set, *mesg* should be executed in your
login scripts.
++Traditionally, write access is allowed by default. However, as users become
++more conscious of various security risks, there is a trend to remove write
++access by default, at least for the primary login shell.
++
++The initial permissions for the terminal are set by *login*(1) according to
TTYPERM
++and TTYGROUP from /etc/login.defs. The default is mode _0620_ if a tty group
is used,
++and _0600_ without the group. The default tty group name is "tty".
++
++To ensure that your ttys are set in a portable and independent manner from
system
++settings, *mesg* should be executed in your login scripts.
++
++*mesg* modifies the write permissions for a group on the current terminal
++device. Since version 2.41, *mesg* can no longer be compiled to make the
++terminal writable for _others_ and strictly modifies only _group_ permissions.
++The usual setup is to use a "tty" group and add relevant users to this group.
++Alternatively, a less secure solution is to set utilities like *write*(1) or
++*wall*(1) to setgid for the "tty" group.
+
+ The *mesg* utility silently exits with error status 2 if not executed on
terminal. In this case execute *mesg* is pointless. The command line option
*--verbose* forces mesg to print a warning in this situation. This behaviour
has been introduced in version 2.33.
+
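Review bot: the added sentence `Since version 2.41, *mesg* can no longer be compiled to make the terminal writable for _others_` will ship in a 2.38.1 package where the statement itself holds (this same patch removes the `#else` branch) but the version reference is misleading for bookworm users reading `man mesg`; either reword it in the backport (e.g. `In this build, ...`) or carry a short debian/ note. The TTYPERM/TTYGROUP defaults of 0620/0600 quoted here agree with the login.1.adoc text above.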
+@@ -66,6 +82,7 @@ Allow messages to be displayed.
+
+ If no arguments are given, *mesg* shows the current message status on
standard error output.
+
++
+ == OPTIONS
+
+ *-v*, *--verbose*::
+diff --git a/term-utils/mesg.c b/term-utils/mesg.c
+index cb0b493..9e0b01e 100644
+--- a/term-utils/mesg.c
++++ b/term-utils/mesg.c
+@@ -157,11 +157,7 @@ int main(int argc, char *argv[])
+
+ switch (rpmatch(argv[0])) {
+ case RPMATCH_YES:
+-#ifdef USE_TTY_GROUP
+ if (fchmod(fd, sb.st_mode | S_IWGRP) < 0)
+-#else
+- if (fchmod(fd, sb.st_mode | S_IWGRP | S_IWOTH) < 0)
+-#endif
+ err(MESG_EXIT_FAILURE, _("change %s mode failed"), tty);
+ if (verbose)
+ puts(_("write access to your terminal is allowed"));
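Review bot: this is the hunk that actually removes the `fchmod(fd, sb.st_mode | S_IWGRP | S_IWOTH)` path; with d/rules no longer passing `--disable-use-tty-group`, USE_TTY_GROUP is defined again and the surviving `S_IWGRP` branch would have been compiled anyway, so carrying the patch is belt-and-braces that stops the flag from ever reintroducing o+w if it is flipped back. A quick post-install check with the default TTYGROUP: `mesg n; mesg y; stat -c '%a %G' "$(tty)"` should print `620 tty`, never `622`.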
diff -Nru
util-linux-2.38.1/debian/patches/upstream/meson-add-D-tty-setgid-false-true.patch
util-linux-2.38.1/debian/patches/upstream/meson-add-D-tty-setgid-false-true.patch
---
util-linux-2.38.1/debian/patches/upstream/meson-add-D-tty-setgid-false-true.patch
1970-01-01 01:00:00.000000000 +0100
+++
util-linux-2.38.1/debian/patches/upstream/meson-add-D-tty-setgid-false-true.patch
2024-11-21 21:01:54.000000000 +0100
@@ -0,0 +1,60 @@
+From: Karel Zak <k...@redhat.com>
+Date: Fri, 15 Nov 2024 11:32:34 +0100
+Subject: meson: add -D tty-setgid=[false|true]
+
+If your distribution does not define permissions for installed
+binaries and follows the upstream guidelines, disabling the tty
+group's setgid could be a beneficial decision in certain situations.
+
+Signed-off-by: Karel Zak <k...@redhat.com>
+---
+ meson.build | 9 +++++++++
+ meson_options.txt | 4 ++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/meson.build b/meson.build
+index c1f70ab..dc02a21 100644
+--- a/meson.build
++++ b/meson.build
+@@ -2267,6 +2267,13 @@ if opt
+ bashcompletions += ['mesg']
+ endif
+
++tty_setgid = get_option('tty-setgid')
++if tty_setgid
++ tty_install_mode = [ 'rwxr-sr-x', 'root', 'tty' ]
++else
++ tty_install_mode = [ false, false, false ]
++endif
++
+ opt = not get_option('build-wall').disabled()
+ exe = executable(
+ 'wall',
+@@ -2274,6 +2281,7 @@ exe = executable(
+ include_directories : includes,
+ link_with : [lib_common],
+ install_dir : usrbin_exec_dir,
++ install_mode : tty_install_mode,
+ install : opt,
+ build_by_default : opt)
+ if opt
+@@ -2292,6 +2300,7 @@ exe = executable(
+ include_directories : includes,
+ link_with : [lib_common],
+ install_dir : usrbin_exec_dir,
++ install_mode : tty_install_mode,
+ install : opt,
+ build_by_default : opt)
+ if opt
+diff --git a/meson_options.txt b/meson_options.txt
+index 64c9924..050d706 100644
+--- a/meson_options.txt
++++ b/meson_options.txt
+@@ -201,3 +201,7 @@ option('fs-search-path-extra',
+ option('vendordir',
+ type: 'string',
+ description : 'directory for distribution provided econf files')
++
++option('tty-setgid', type : 'boolean',
++ value : true,
++ description : 'setgid tty group for wall and write programs')
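Review bot: no issue with the content, but for the record this patch is inert for bookworm: d/rules drives autoconf via `CONFOPTS`, so `-D tty-setgid=false` is never evaluated and `tty_install_mode = [ false, false, false ]` (meson defaults, no chgrp or setgid) only affects meson builds. The option is also named differently from its autotools twin (`tty-setgid` vs `makeinstall-tty-setgid`); harmless, but worth mentioning upstream.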
diff -Nru util-linux-2.38.1/debian/rules util-linux-2.38.1/debian/rules
--- util-linux-2.38.1/debian/rules 2024-10-18 14:56:02.000000000 +0200
+++ util-linux-2.38.1/debian/rules 2024-11-21 21:01:54.000000000 +0100
@@ -46,7 +46,7 @@
CONFOPTS += --disable-hwclock-gplv3
# Reduce setgid programs (cf. CVE-2024-28085)
-CONFOPTS += --disable-use-tty-group
+CONFOPTS += --disable-makeinstall-tty-setgid
# Get the list of binary package, except lib* and *-udeb, from
# debian/control instead of hardcoding the list when installing
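Review bot: swapping `--disable-use-tty-group` for `--disable-makeinstall-tty-setgid` does two things at once: it stops the setgid install hooks, and it turns USE_TTY_GROUP back on for every code path that tests it (the Makemodule.am hooks, and before this debdiff's mesg.c patch the `S_IWOTH` else-branch). Expand the comment so the next reader knows the first flag caused the `mesg y` a+w regression, e.g. `# Do not install wall/write setgid tty (cf. CVE-2024-28085). Do not use --disable-use-tty-group: it made "mesg y" chmod a+w (#1085848).`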
--- End Message ---
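Added example, not part of the bug report or of util-linux: the two `fchmod` variants from the mesg.c hunk above, run side by side on a scratch file that stands in for the login tty (a pty is not assumed to be available), so the 0622 versus 0620 outcome the report describes can be reproduced without a terminal. The function names, the /tmp scratch file and the starting mode 0600 (login.1.adoc's TTYPERM default without a tty group) are this example's own choices, not util-linux's.

```c
/* Added example (not from the debdiff or util-linux): reproduce the mesg(1)
 * difference on a scratch file, since a pty may not be available.
 * deb12u2 (built with --disable-use-tty-group) took the else-branch:
 *   fchmod(fd, st_mode | S_IWGRP | S_IWOTH)   -> terminal becomes a+w
 * after the upstream patch only this remains:
 *   fchmod(fd, st_mode | S_IWGRP)            -> terminal becomes g+w
 */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* The else-branch removed by mesg-remove-ability-to-compile-with-fchmod-S_IWOTH.patch */
static int mesg_yes_legacy(int fd)
{
    struct stat sb;
    if (fstat(fd, &sb) < 0)
        return -1;
    return fchmod(fd, sb.st_mode | S_IWGRP | S_IWOTH);
}

/* The branch that survives: group write only */
static int mesg_yes_fixed(int fd)
{
    struct stat sb;
    if (fstat(fd, &sb) < 0)
        return -1;
    return fchmod(fd, sb.st_mode | S_IWGRP);
}

/* Scratch file standing in for the login tty, mode 0600 as login(1) sets it
 * without a tty group (TTYPERM default). Assumed location: /tmp. */
static int open_fake_tty(void)
{
    char path[] = "/tmp/fake-tty-XXXXXX";   /* constructed, not a real tty */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                           /* anonymous: the fd keeps it alive */
    if (fchmod(fd, 0600) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Run one variant against a fresh scratch file and return the resulting
 * permission bits (0622 or 0620), or -1 on error. */
static int resulting_mode(int (*mesg_yes)(int))
{
    struct stat sb;
    int mode = -1;
    int fd = open_fake_tty();
    if (fd < 0)
        return -1;
    if (mesg_yes(fd) == 0 && fstat(fd, &sb) == 0)
        mode = (int)(sb.st_mode & 07777);
    close(fd);
    return mode;
}

int legacy_mesg_mode(void) { return resulting_mode(mesg_yes_legacy); }
int fixed_mesg_mode(void)  { return resulting_mode(mesg_yes_fixed); }

/* The two properties the report's manual test checks on a live system:
 * is the terminal writable by others, and is a binary setgid? They take a
 * mode so that stat(2) results for $(tty), /usr/bin/wall and write can be
 * fed in directly. */
int world_writable(mode_t m) { return (m & S_IWOTH) != 0; }
int is_setgid(mode_t m)      { return (m & S_ISGID) != 0; }

int main(void)
{
    int legacy = legacy_mesg_mode();
    int fixed = fixed_mesg_mode();
    printf("deb12u2 'mesg y' on a 0600 tty -> %04o (world writable: %d)\n",
           (unsigned)legacy, world_writable((mode_t)legacy));
    printf("deb12u3 'mesg y' on a 0600 tty -> %04o (world writable: %d)\n",
           (unsigned)fixed, world_writable((mode_t)fixed));
    return 0;
}
```

Build with `cc -o mesg-demo mesg-demo.c` and run it as an unprivileged user; no tty is touched. To reproduce the manual test from [ Tests ] on a real system, pass `st_mode` of `$(tty)` to `world_writable` and `st_mode` of the installed wall and write binaries to `is_setgid`; after this update both should return 0.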