Your message dated Fri, 20 Sep 2019 11:49:58 +0000
with message-id <[email protected]>
and subject line Bug#939119: fixed in gnustep-base 1.26.0-6
has caused the Debian Bug report #939119,
regarding gnustep-base-runtime: Upgrading to Debian 10 causes gdomap network 
service to become enabled
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
939119: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939119
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gnustep-base-runtime
Version: 1.26.0-4
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

I had "gnustep-base-runtime" installed on my system, probably as a
dependency of "unar".

When I upgrade from Debian 9 to Debian 10 (and reboot), there is a
network server "gdomap".  I did not see this server on Debian 9.
"gdomap" is not wanted.  It is supposed to be disabled by default
since 2013, i.e. in Debian 8.[1]

[1] #717773 "/usr/bin/gdomap: please split out gdomap or disable it by default"
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717773

The problem is due to this code change:

"Disable gdomap via defaults-disabled as per Policy 9.3.3.1."
https://salsa.debian.org/gnustep-team/gnustep-base/commit/e0da63fa9e341a38a9a493a615c2c36b8f9d418f

Salvatore Bonaccorso analyzed this for me:

> Install a fresh stretch installation and install gnustep-base-runtime
> in it. gdomap is not started by default, because gdomap init honours
> the ENABLED=no setting in /etc/default/gdomap. Now update the host to
> buster.
>
> During this update /etc/default/gdomap is updated according to the
> above. Unless the admin has modified it, where then it will be
> noticed and admin asked for a decision. As formerly the init was
> enabled, and the code to handle the ENABLED setting is removed this
> might be the problem. The postinst calls update-rc.d gdomap
> defaults-disabled [...]

"update-rc.d" does not do anything in this case.  The man page says

> If any files named /etc/rcrunlevel.d/[SK]??name already exist then
> update-rc.d does nothing.  The program was written this way so that
> it will never change an existing configuration, which may have been
> customized by the system administrator.  The program will only  
> install links if none are present, i.e., if it appears that the 
> service has never been installed before.

It is unfortunate that "Policy 9.3.3.1" does not have an explicit
warning about this potential security problem.

So this is a problem with upgrades.  It does not happen on a fresh
install of Debian 10.

Salvatore also suggested

> I think it's best handled though in a bugreport accordingly, and once
> fixed in unstable, to schedule a fix as well via a buster point
> release.

    $ sudo netstat -l -p
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    ...
    udp        0      0 0.0.0.0:gdomap          0.0.0.0:*                           57/gdomap

    $ ps aux | grep gdomap
    nobody      57  0.0  0.0   2736  2052 ?        Ss   11:16   0:00 /usr/bin/gdomap -I /var/run/gdomap.pid -p -j /var/run/gdomap

    $ dpkg-query -S gdomap
    gnustep-base-runtime: /usr/share/man/man8/gdomap.8.gz
    gnustep-base-runtime: /etc/default/gdomap
    gnustep-base-runtime: /usr/bin/gdomap
    gnustep-base-runtime: /etc/init.d/gdomap


[Report sent from a systemd-nspawn container, which I used to reproduce the 
issue]

-- System Information:
Debian Release: 10.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.2.9-200.fc30.x86_64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gnustep-base-runtime depends on:
ii  gnustep-base-common  1.26.0-4
ii  init-system-helpers  1.56+nmu1
ii  libc6                2.28-10
ii  libgcc1              1:8.3.0-6
ii  libgnustep-base1.26  1.26.0-4
ii  libobjc4             8.3.0-6
ii  lsb-base             10.2019051400

gnustep-base-runtime recommends no packages.

gnustep-base-runtime suggests no packages.

-- no debconf information

--- End Message ---
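The mechanism described in the report above, as an added illustration that is not part of the bug report or of the gnustep-base package: the quoted update-rc.d rule ("if any /etc/rcrunlevel.d/[SK]??name already exist then update-rc.d does nothing") is modelled against a constructed directory tree that mimics a host where the gdomap init script was installed enabled before the upgrade. The functions and the temporary tree are assumptions of this example; the one real command it refers to is update-rc.d itself. It shows why "update-rc.d gdomap defaults-disabled" cannot disable a service whose links already exist, and that clearing the stale links first is what makes the call take effect (whether the maintainer's preinst fix did exactly this is not stated in the report).

```shell
#!/bin/sh
# Added example, not code from the bug report or from gnustep-base.
# Models the update-rc.d rule quoted in the report: when any
# /etc/rc?.d/[SK]??NAME link already exists, "update-rc.d NAME
# defaults-disabled" is a no-op, so a service that was enabled under the
# old init script stays enabled after the upgrade.
# Every path is taken relative to an etc tree passed as $1, so the check
# runs offline against a constructed tree instead of the real /etc.

# Print every rc link for service $2 under the etc tree $1 (nothing if none).
list_rc_links() {
    tree=$1
    svc=$2
    for link in "$tree"/rc[0-6S].d/[SK][0-9][0-9]"$svc"; do
        # An unmatched glob expands to itself; skip that case.
        [ -e "$link" ] || [ -L "$link" ] || continue
        echo "$link"
    done
}

# Exit status mirrors update-rc.d: 0 = links exist, so "defaults-disabled"
# would change nothing; 1 = no links, so it would install disabled links.
would_update_rc_d_noop() {
    [ -n "$(list_rc_links "$1" "$2")" ]
}

# Count only the start links (S??NAME); these are what make the daemon run.
count_start_links() {
    list_rc_links "$1" "$2" | grep -c '/S[0-9][0-9][^/]*$' || true
}

# Remove every rc link for the service (the effect of "update-rc.d -f NAME
# remove"), after which a defaults-disabled call is no longer a no-op.
remove_rc_links() {
    list_rc_links "$1" "$2" | while read -r link; do
        rm -f "$link"
    done
}

# Constructed scenario from the report: a stretch host whose gdomap init
# script was installed enabled (S links in rc2-5, K links in rc0, 1 and 6).
make_upgraded_host() {
    demo=$(mktemp -d)
    for rl in 2 3 4 5; do
        mkdir -p "$demo/rc$rl.d"
        ln -s ../init.d/gdomap "$demo/rc$rl.d/S01gdomap"
    done
    for rl in 0 1 6; do
        mkdir -p "$demo/rc$rl.d"
        ln -s ../init.d/gdomap "$demo/rc$rl.d/K01gdomap"
    done
    echo "$demo"
}

DEMO_ETC=$(make_upgraded_host)
echo "gdomap start links before: $(count_start_links "$DEMO_ETC" gdomap)"
if would_update_rc_d_noop "$DEMO_ETC" gdomap; then
    echo "update-rc.d gdomap defaults-disabled would do nothing: gdomap stays enabled"
fi
remove_rc_links "$DEMO_ETC" gdomap
echo "gdomap start links after clearing: $(count_start_links "$DEMO_ETC" gdomap)"
if ! would_update_rc_d_noop "$DEMO_ETC" gdomap; then
    echo "links cleared: defaults-disabled would now take effect"
fi
rm -rf "$DEMO_ETC"
```

On a real host the same check is the glob /etc/rc?.d/[SK]??gdomap together with the listening-socket check from the report (netstat or ss on the gdomap UDP port); if the links exist, a package's defaults-disabled call alone will not disable the daemon.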
--- Begin Message ---
Source: gnustep-base
Source-Version: 1.26.0-6

We believe that the bug you reported is fixed in the latest version of
gnustep-base, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yavor Doganov <[email protected]> (supplier of updated gnustep-base package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 20 Sep 2019 13:43:28 +0300
Source: gnustep-base
Architecture: source
Version: 1.26.0-6
Distribution: unstable
Urgency: medium
Maintainer: Debian GNUstep maintainers 
<[email protected]>
Changed-By: Yavor Doganov <[email protected]>
Closes: 939119
Changes:
 gnustep-base (1.26.0-6) unstable; urgency=medium
 .
   * debian/gnustep-base-runtime.preinst: Use a different approach that
     actually does the job (really closes: #939119).  Thanks Alan Jenkins.
   * debian/NEWS: Document that the gdomap daemon is disabled forcefully.
Checksums-Sha1:
 e9e6a4f39103111bf049ed5d765d0cf1c7abd148 2673 gnustep-base_1.26.0-6.dsc
 b8ef2b6468f3533266ea6843b3815e532b151930 32996 
gnustep-base_1.26.0-6.debian.tar.xz
 b0351c0e7a930950682c42bb310709983faa77b0 10181 
gnustep-base_1.26.0-6_amd64.buildinfo
Checksums-Sha256:
 0453699ffbab7a3092898a6173c8fbd617a21f88d0371c686895c2b072018076 2673 
gnustep-base_1.26.0-6.dsc
 775c43db318abe467c31a2ecb25363e10ccc0c40c0343eabaefdbe7412204550 32996 
gnustep-base_1.26.0-6.debian.tar.xz
 d5a585629f7e3e67c8a1b18c6a521b2e83754d0c2fe250269193a71a1f026da2 10181 
gnustep-base_1.26.0-6_amd64.buildinfo
Files:
 c1735b4256241e1c912a93ce971da043 2673 gnustep optional 
gnustep-base_1.26.0-6.dsc
 ec3119407efbd7cefe0f738bf9117c0f 32996 gnustep optional 
gnustep-base_1.26.0-6.debian.tar.xz
 4ff828f403eac80fa3a16636f1bc62e4 10181 gnustep optional 
gnustep-base_1.26.0-6_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEELuenpRf8EkzxFcNUZR7vsCUn3xMFAl2Et9AACgkQZR7vsCUn
3xNVOA//YNMMfq4kVVfTWUNJokvMYZif/Ckl0O72mkji187dbuKc1wi96Lw4nZj4
d2XopO7ElPU9eKbBR3PxqD6fTfFZC3qSrTTTI6RloqPzp6a0ICVhif0zH3XRXuDR
oxc3Kxz0sZKc2xcNnuUFMELTzLOq587zxpQQ50WFLUjZwruPZuUWat77B18nVBbC
Gp3IdbM4UinbULkYrFfys1AOQoK3LhaZxlTuFGKEyqArq2JWiEwGaoVskGrAht+W
OSJQJZ0NO4XcOJNlXHS1TxOF9mgJZjWgLb5z1iaU7e64yjURJobct4E/mUHeaylv
j3AGK8VnSTLLHg2Lzol7EOjYEzgEnB+RHSvkq8eWeBB9Pjx07+BKt2+wI04xYmN6
QQJ0qnbJBIKo/DzCGL9H7IRyOFldSixgSud4HrQfsYDLMeijCrHZsO//E23LIi/Y
tenWAp4OmnVie7GJn/TBfrPDDOj7dTovtRu9WExoG2BCgRznYk5pPHJ6rhk0189E
dfGzwTpcTAkN4bthqHOyAh05zt9yzgBJhBEOXiyVtEV1jvP5vf7XU6nt7EzIlg3b
wwGvUgvarol8G1M0cQm0iR8MmVEzgWKYgXtm0YZjqHyzwNp3eD9nya5O3ILi6SPy
LGMr1QhumLaBnorOvt6gXjYsmes5NZGJn7kT0bVMAKOiKm35v04=
=2FId
-----END PGP SIGNATURE-----

--- End Message ---