Your message dated Wed, 18 Sep 2019 21:19:43 +0000
with message-id <[email protected]>
and subject line Bug#939119: fixed in gnustep-base 1.26.0-5
has caused the Debian Bug report #939119,
regarding gnustep-base-runtime: Upgrading to Debian 10 causes gdomap network service to become enabled
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
939119: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939119
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gnustep-base-runtime
Version: 1.26.0-4
Severity: grave
Tags: security
Justification: user security hole
Dear Maintainer,
I had "gnustep-base-runtime" installed on my system, probably as a
dependency of "unar".
When I upgrade from Debian 9 to Debian 10 (and reboot), there is a
network server "gdomap". I did not see this server on Debian 9.
"gdomap" is not wanted. It is supposed to be disabled by default
since 2013, i.e. in Debian 8.[1]
[1] #717773 "/usr/bin/gdomap: please split out gdomap or disable it by default"
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717773
The problem is due to this code change:
"Disable gdomap via defaults-disabled as per Policy 9.3.3.1."
https://salsa.debian.org/gnustep-team/gnustep-base/commit/e0da63fa9e341a38a9a493a615c2c36b8f9d418f
Salvatore Bonaccorso analyzed this for me:
> Install a fresh stretch installation and install gnustep-base-runtime
> in it. gdomap is not started by default, because gdomap init honours
> the ENABLED=no setting in /etc/default/gdomap. Now update the host to
> buster.
>
> During this update /etc/default/gdomap is updated according to the
> above, unless the admin has modified it, in which case it will be
> noticed and the admin asked for a decision. As formerly the init was
> enabled, and the code to handle the ENABLED setting is removed, this
> might be the problem. The postinst calls update-rc.d gdomap
> defaults-disabled [...]
"update-rc.d" does not do anything in this case. The man page says
> If any files named /etc/rcrunlevel.d/[SK]??name already exist then
> update-rc.d does nothing. The program was written this way so that
> it will never change an existing configuration, which may have been
> customized by the system administrator. The program will only
> install links if none are present, i.e., if it appears that the
> service has never been installed before.
It is unfortunate that "Policy 9.3.3.1" does not have an explicit
warning about this potential security problem.
So this is a problem with upgrades. It does not happen on a fresh
install of Debian 10.
Salvatore also suggested
> I think it's best handled though in a bug report accordingly, and once
> fixed in unstable, to schedule a fix as well via a buster point
> release.
$ sudo netstat -l -p
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
...
udp        0      0 0.0.0.0:gdomap          0.0.0.0:*                           57/gdomap
$ ps aux | grep gdomap
nobody      57  0.0  0.0   2736  2052 ?        Ss   11:16   0:00 /usr/bin/gdomap -I /var/run/gdomap.pid -p -j /var/run/gdomap
$ dpkg-query -S gdomap
gnustep-base-runtime: /usr/share/man/man8/gdomap.8.gz
gnustep-base-runtime: /etc/default/gdomap
gnustep-base-runtime: /usr/bin/gdomap
gnustep-base-runtime: /etc/init.d/gdomap
[Report sent from a systemd-nspawn container, which I used to reproduce the issue]
-- System Information:
Debian Release: 10.0
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.2.9-200.fc30.x86_64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages gnustep-base-runtime depends on:
ii gnustep-base-common 1.26.0-4
ii init-system-helpers 1.56+nmu1
ii libc6 2.28-10
ii libgcc1 1:8.3.0-6
ii libgnustep-base1.26 1.26.0-4
ii libobjc4 8.3.0-6
ii lsb-base 10.2019051400
gnustep-base-runtime recommends no packages.
gnustep-base-runtime suggests no packages.
-- no debconf information
--- End Message ---
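The update-rc.d behaviour quoted in the report (links already present, so "defaults-disabled" is a no-op) and the preinst fix mentioned in the changelog are easy to misread, so here is an added example that replays both against a throwaway root directory. This is not code from the bug report, from Debian, or from the gnustep-base package: the ROOT argument, the S20/K80/K01 sequence numbers, and the function names are assumptions made for the demonstration, and the functions only model what update-rc.d(8) does to /etc/rc?.d rather than calling it.

```shell
# Added example; not the package's own maintainer scripts.
# Models the /etc/rc?.d link handling of update-rc.d(8) on a scratch
# root directory so the stretch -> buster pitfall can be observed
# without touching a real host. Sequence numbers are assumed.

SVC=gdomap

# Count /etc/rcN.d/S??gdomap links in the multi-user runlevels 2-5.
# Any of these means the init system will start the daemon at boot.
count_start_links() {
    root=$1; n=0
    for rl in 2 3 4 5; do
        for l in "$root/etc/rc$rl.d/S"??"$SVC"; do
            [ -L "$l" ] && n=$((n + 1))
        done
    done
    echo "$n"
}

# Exit 0 if the service would start at boot, 1 otherwise. On a live host
# the equivalent check is `ls /etc/rc?.d/S??gdomap` or `ss -ulnp | grep gdomap`.
service_enabled() {
    [ "$(count_start_links "$1")" -gt 0 ]
}

# Links as left behind by the stretch package ("update-rc.d gdomap defaults"):
# start links in 2-5, stop links in 0, 1 and 6. On stretch the daemon stayed
# off only because the init script honoured ENABLED=no in /etc/default/gdomap.
make_stretch_root() {
    root=$1
    mkdir -p "$root/etc/init.d"
    : > "$root/etc/init.d/$SVC"
    for rl in 0 1 2 3 4 5 6; do
        mkdir -p "$root/etc/rc$rl.d"
    done
    for rl in 2 3 4 5; do ln -s "../init.d/$SVC" "$root/etc/rc$rl.d/S20$SVC"; done
    for rl in 0 1 6; do ln -s "../init.d/$SVC" "$root/etc/rc$rl.d/K80$SVC"; done
}

# Model of "update-rc.d gdomap defaults-disabled" as the man page describes it:
# if any /etc/rc?.d/[SK]??gdomap link already exists, do nothing at all;
# otherwise install only stop (K) links, so the service exists but is disabled.
defaults_disabled() {
    root=$1
    for l in "$root"/etc/rc?.d/[SK]??"$SVC"; do
        [ -L "$l" ] && return 0
    done
    for rl in 0 1 2 3 4 5 6; do
        mkdir -p "$root/etc/rc$rl.d"
        ln -s "../init.d/$SVC" "$root/etc/rc$rl.d/K01$SVC"
    done
}

# What an upgrade path has to do before postinst runs defaults-disabled:
# drop the stale links (the effect of "update-rc.d -f gdomap remove") so the
# new disabled default is actually applied. Hypothetical; the real preinst
# shipped in 1.26.0-5 is not reproduced here.
remove_links() {
    root=$1
    for l in "$root"/etc/rc?.d/[SK]??"$SVC"; do
        [ -L "$l" ] && rm -f "$l"
    done
    return 0
}

fix_upgrade() {
    remove_links "$1"
    defaults_disabled "$1"
}
```

Run the functions in order on a scratch directory: after `make_stretch_root` and `defaults_disabled`, `count_start_links` still reports four S links, which is the upgraded-host state the report describes; only after `fix_upgrade` do the S links disappear and K links take their place. On a fresh root with no links, `defaults_disabled` alone yields zero S links, matching the observation that a clean Debian 10 install is unaffected.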
--- Begin Message ---
Source: gnustep-base
Source-Version: 1.26.0-5
We believe that the bug you reported is fixed in the latest version of
gnustep-base, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yavor Doganov <[email protected]> (supplier of updated gnustep-base package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 18 Sep 2019 00:38:19 +0300
Source: gnustep-base
Architecture: source
Version: 1.26.0-5
Distribution: unstable
Urgency: medium
Maintainer: Debian GNUstep maintainers <[email protected]>
Changed-By: Yavor Doganov <[email protected]>
Closes: 939119
Changes:
gnustep-base (1.26.0-5) unstable; urgency=medium
.
* debian/gnustep-base-runtime.preinst: New file; handle the poor
upgrade from stretch to buster which left the gdomap daemon enabled
(Closes: #939119). Thanks to Alan Jenkins.
* debian/gnustep-base-runtime.maintscript: Delete; migration done.
* debian/libgnustep-base-dev.maintscript: Likewise.
* debian/gnustep-base-doc.links: New file; install symlinks in
/usr/share/doc pointing to /usr/share/GNUstep/Documentation.
* debian/gnustep-base-doc.doc-base.additions: Use /usr/share/doc
symlinks for doc-base registration; fixes a lintian error.
* debian/gnustep-base-doc.doc-base.base: Likewise.
* debian/gnustep-base-doc.doc-base.manual: Likewise.
* debian/gnustep-base-doc.doc-base.standards: Likewise.
* debian/gnustep-base-doc.doc-base.tools: Likewise.
* debian/patches/gdomap-udp-amplification.patch: New; fix UDP
amplification vulnerability. Thanks Alan Jenkins.
* debian/patches/fix-spelling-error.patch: Fix yet another typo.
* debian/patches/series: Update.
* debian/templates/control.m4 (Standards-Version): Bump to 4.4.0; no
changes required.
* debian/control: Regenerate.
Checksums-Sha1:
 69e0818f754caa74dc2f06fb2ffdff92a451c9d0 2673 gnustep-base_1.26.0-5.dsc
 eb718449237ad189aa8ceb1ffe93a32ea3dad5bd 32776 gnustep-base_1.26.0-5.debian.tar.xz
 ab8c217ec67869da66669ed42d3c3aa51f1ff861 10906 gnustep-base_1.26.0-5_amd64.buildinfo
Checksums-Sha256:
 c16ac903f2f7946a578e08ba38c3310a48a6c86f13accdc2280209bbaa6d6064 2673 gnustep-base_1.26.0-5.dsc
 6d1ddc47b2d19a313253db0df76abb50aeb9eabe13618e46037cf8df9aee8cf2 32776 gnustep-base_1.26.0-5.debian.tar.xz
 9048ac0d7ff8e90350e8020b315adb0bf03710c6014975cbd5c203255b2118aa 10906 gnustep-base_1.26.0-5_amd64.buildinfo
Files:
 7893b6755e0a2b6fb3e6528479d36f7f 2673 gnustep optional gnustep-base_1.26.0-5.dsc
 4f755d91973f10c620f58d61528324b8 32776 gnustep optional gnustep-base_1.26.0-5.debian.tar.xz
 680c4fa88def51eaf4d256da1c3ee3d2 10906 gnustep optional gnustep-base_1.26.0-5_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---