Bug#615029: marked as done (kernel-package: Please restrict permissions of System.map and vmlinuz for security reasons)

Debian Bug Tracking System Mon, 05 May 2014 02:40:32 -0700

Your message dated Mon, 05 May 2014 09:37:10 +0000
with message-id <[email protected]>
and subject line Bug#615029: fixed in kernel-package 13.003
has caused the Debian Bug report #615029,
regarding kernel-package: Please restrict permissions of System.map and vmlinuz 
for security reasons
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
615029: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=615029
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---

Package: kernel-package
Version: 12.036+nmu1
Severity: wishlist

As part of an effort to deter kernel exploits [1], System.map and the
kernel image should be made readable by root only, to prevent attackers
from getting knowledge of kernel addresses.

A patch would look like this:


--- ruleset/targets/image.mk    2011-02-24 02:23:38.000000000 +0100
+++ ruleset/targets/image.mk    2011-02-25 01:40:57.000000000 +0100
@@ -168,7 +168,7 @@
   ifeq ($(strip $(HAVE_INST_PATH)),)
        test ! -f System.map ||  cp System.map                         \
                        $(TMPTOP)/$(IMAGEDIR)/System.map-$(KERNELRELEASE);
-       test ! -f System.map ||  chmod 644                             \
+       test ! -f System.map ||  chmod 600                             \
                        $(TMPTOP)/$(IMAGEDIR)/System.map-$(KERNELRELEASE);
        cp $(kimagesrc) $(kimagedest)
   else
@@ -180,12 +180,12 @@
 endif
 ifeq ($(strip $(HAVE_COFF_IMAGE)),YES)
        cp $(coffsrc)   $(coffdest)
-       chmod 644       $(coffdest)
+       chmod 600       $(coffdest)
 endif
 ifeq ($(strip $(int_install_vmlinux)),YES)
   ifneq ($(strip $(kelfimagesrc)),)
        cp $(kelfimagesrc) $(kelfimagedest)
-       chmod 644 $(kelfimagedest)
+       chmod 600 $(kelfimagedest)
   endif
 endif
 ######################################################################
@@ -197,12 +197,12 @@
 endif
 # Set permissions on the image
 ifeq ($(strip $(KERNEL_ARCH)),um)
-       chmod 755 $(kimagedest);
+       chmod 700 $(kimagedest);
   ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
        strip --strip-unneeded --remove-section=.note --remove-section=.comment 
 $(kimagedest);
   endif
 else
-       chmod 644 $(kimagedest);
+       chmod 600 $(kimagedest);
 endif
 ######################################################################
 ###   Hooks and information


However, later all permissions are reset by a big chmod:


@@ -331,6 +331,7 @@
        $(create_md5sum)               $(TMPTOP)
        chmod -R og=rX                 $(TMPTOP)
        chown -R root:root             $(TMPTOP)
+       chmod og-rx $(TMPTOP)/$(IMAGEDIR)/System.map-$(KERNELRELEASE) 
$(kimagedest)
        dpkg --build                   $(TMPTOP) $(DEB_DEST)
 ifeq ($(strip $(do_clean)),YES)
 # just to be sure we are not nuking ./debian


What is this chmod for? The above snippet works for me, but is kind of
lame. And I guess the debug taget should be modified too.

[1] 
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.37.y.git;a=commitdiff;h=59365d136d205cc20fe666ca7f89b1c5001b0d5a

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37.1-grsec (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages kernel-package depends on:
ii  binutils               2.21.0.20110216-2 The GNU assembler, linker and bina
ii  build-essential        11.5              Informational list of build-essent
ii  debianutils            3.4.4             Miscellaneous utilities specific t
ii  file                   5.04-5            Determines file type using "magic"
ii  gettext                0.18.1.1-3        GNU Internationalization utilities
ii  make                   3.81-8            An utility for Directing compilati
ii  module-init-tools      3.12-1            tools for managing Linux kernel mo
ii  po-debconf             1.0.16+nmu1       tool for managing templates file t
ii  util-linux             2.17.2-9.1        Miscellaneous system utilities

Versions of packages kernel-package recommends:
ii  cpio                          2.11-7     GNU cpio -- a program to manage ar

Versions of packages kernel-package suggests:
pn  btrfs-tools               <none>         (no description available)
ii  bzip2                     1.0.5-6        high-quality block-sorting file co
pn  docbook-utils             <none>         (no description available)
ii  e2fsprogs                 1.41.12-2      ext2/ext3/ext4 file system utiliti
ii  grub                      0.97-64        GRand Unified Bootloader (dummy pa
pn  jfsutils                  <none>         (no description available)
ii  libncurses5-dev [libncurs 5.7+20100313-5 developer's libraries and docs for
pn  linux-initramfs-tool      <none>         (no description available)
pn  linux-source | kernel-sou <none>         (no description available)
pn  mcelog                    <none>         (no description available)
pn  oprofile                  <none>         (no description available)
pn  pcmciautils               <none>         (no description available)
pn  ppp                       <none>         (no description available)
ii  procps                    1:3.2.8-10     /proc file system utilities
pn  quota                     <none>         (no description available)
pn  reiserfsprogs             <none>         (no description available)
pn  squashfs-tools            <none>         (no description available)
ii  udev                      166-1          /dev/ and hotplug management daemo
pn  xfsprogs                  <none>         (no description available)
pn  xmlto                     <none>         (no description available)

-- Configuration Files:
/etc/kernel-pkg.conf changed [not included]

-- no debconf information

--- End Message ---

--- Begin Message ---

Source: kernel-package
Source-Version: 13.003

We believe that the bug you reported is fixed in the latest version of
kernel-package, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Manoj Srivastava <[email protected]> (supplier of updated kernel-package 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 05 May 2014 01:23:16 -0700
Source: kernel-package
Binary: kernel-package
Architecture: source all
Version: 13.003
Distribution: unstable
Urgency: low
Maintainer: Manoj Srivastava <[email protected]>
Changed-By: Manoj Srivastava <[email protected]>
Description: 
 kernel-package - utility for building Linux kernel related Debian packages
Closes: 593894 615029 684888 690813 696264 696922 745686 746539
Changes: 
 kernel-package (13.003) unstable; urgency=low
 .
   * The image installation process upstream has changed; and uses the
     /sbin/installkernel method now (which is not really aware of
     installing into a temp directory for packaging). Updating the install
     process to match. This also means that this version of kernel-package
     can not compile kernels older than July 2009.
   * Fixed a typo in the control file for debug image packages.
   * Just compiled a kernel linux-image-3.15.0-rc4 with these changes
     (Closes: #745686).
   * To build a kernel  with LZ4 compression enabled, lz4c is
     needed. Added a suggests for liblz4-tool (Closes:  #746539).
   * As part of an effort to deter kernel exploits, System.map and the
     kernel image should be made readable by root only to prevent attackers
     from getting knowledge of kernel addresses. This version of kernel
     package does exactly that.  (Closes: #615029).
   * Upstream kernel Makefiles provide an header_install target to install
     sanitized headers into the destination. Use that while generating the
     headers package.  (Closes: #696922).
   * Bash autocomletion doesn't support all target commands.  Bartosz Janda
     provided an updated autocomplete script (Closes: #696264).
   * Previously the lguest source moved from Documentation/lguest to
     Documentation/virtual/lguest, and more recently it moved again to
     tools/lguest. Look now in all these places. (Closes: #690813).
   * The documentation for the kernel requires db2html from the
     docvoot-utils package to render. kernel-package has always Suggested
     the package, but there was some surprise when the documentation
     packages ended up mostly empty. Moved the relationship to Recommends.
     (Closes: #593894).
   * Bug fix #745686: "fails to build Linux 3.15-rc*", thanks to Darren Salt
   * Bug fix #746539: "Please suggest liblz4-tool", thanks to Toby Speight
   * Bug fix: #615029: "Please restrict permissions of System.map and
     vmlinuz for security reasons", thanks to Pierre Ynard
   * Bug fix #696922: "kernel-headers does not include linux/limits.h",
     thanks to Michal Suchanek
   * Bug fix: #696264: "[kernel-package] Bash autocompletion for missing
     targets", thanks to Bartosz Janda
   * Bug fix #690813: "kernel-package doesn&#39;t look for lguest in
     tools/lguest", thanks to Dave Bechtel
   * Bug fix: "[kernel-package] Makefile.build:44:
     /usr/src/linux-headers-3.2.0-3-common/scripts/basic/Makefile: Datei
     oder Verzeichnis nicht gefunden", thanks to [email protected]. This was
     fixed in the last update. (Closes: #684888).
   * Bug fi: #593894x: "Building linux-manual package without docbook-utils
     quietly fails", thanks to Christoph Anton Mitterer
Checksums-Sha1: 
 9a755402417d08114074567d47150129accd0122 1393 kernel-package_13.003.dsc
 530d0697f383e9bcb4beae2c92d36e8631f8995f 312268 kernel-package_13.003.tar.xz
 dc427b2582b96709502cd10f5a8d54e6151f1eea 376050 kernel-package_13.003_all.deb
Checksums-Sha256: 
 94cb9d0a62a416133b2987ad45ef9aa32dd59e87ccb60a19d8aa3131d5cb1ad1 1393 
kernel-package_13.003.dsc
 a9e611806509ca4f287ef4df8af02b7903686dd2edcf86fc05afe717691bef42 312268 
kernel-package_13.003.tar.xz
 d50d4d7e8187c69ff098016cf01c7c4649fea70634a59c1246f12f3b746d39e6 376050 
kernel-package_13.003_all.deb
Files: 
 309765e2fb2898a3703aae2b7f981602 376050 kernel optional 
kernel-package_13.003_all.deb
 0cf94554153b8ed26a722f66f3c67d0f 1393 kernel optional kernel-package_13.003.dsc
 a631205a002900db508119723fd70a50 312268 kernel optional 
kernel-package_13.003.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQFtBAEBCgBXBQJTZ0t0UBSAAAAAABsALHNyaXZhc3RhQGdvbGRlbi1ncnlwaG9u
LmNvbUFCQTcxMDI1QTFCNUE4OEE0RTVGNjhDMjM2QkQ3MjBGNkY1NzY0NzJfNjE5
AAoJEDa9cg9vV2Ryj68IAMQJgSl4AWelEWATLGHo0/nMQXle7AW17CYtz/pAR1hF
mDxvNPKGUVHDWfc3mu+JWd0YK3rN64W1feJh/HnNmMNj/ErW2UDEJXB/7UnoKBue
rmqQXyBS1nKLxJpRgvDN7h2OcHdcY4pqnaVmEFtSd81CKNJY5RAu/S2Ay0Gnp6eh
DkwXtEyw0Hf7bXMtWJGjkoREvtKKd8hRcoslxMmlw1P7JL/aOvspUFO2id7kZBvu
qSM9i5t5x6qRAqEvoT50L3gcmpwjIzMEGainc8G5BYfiCVVoViI9S/8DTOWZaY8d
2lkzUOUW37P3VXqu7BC5+jVHjeSSjqTl3Dx3r24E/m8=
=LYsM
-----END PGP SIGNATURE-----

--- End Message ---

Bug#615029: marked as done (kernel-package: Please restrict permissions of System.map and vmlinuz for security reasons)

Reply via email to