Your message dated Thu, 09 Apr 2020 16:47:36 +0000
with message-id <[email protected]>
and subject line Bug#948283: fixed in tinyproxy 1.8.4-3~deb9u2
has caused the Debian Bug report #948283,
regarding tinyproxy: If no PidFile is configured logrotate will change the owner of the root directory
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
948283: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948283
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: tinyproxy
Version: 1.10.0-2
Severity: critical
Justification: breaks unrelated software

Dear Maintainer,

* What led up to the situation?

I configured tinyproxy without a PidFile.

* What exactly did you do (or not do) that was effective (or ineffective)?

I removed the PidFile configuration option from tinyproxy.conf

* What was the outcome of this action?

The next run of logrotate changed the owner and group of my root directory (`/`) to tinyproxy:tinyproxy.

* What outcome did you expect instead?

I expected that not to happen.

Example demonstrating the issue in a fresh VM:

root@debian-2gb-fsn1-1:~# stat /
  File: /
  Size: 4096        Blocks: 8          IO Block: 4096   directory
Device: 801h/2049d  Inode: 2           Links: 18
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-12-08 05:11:02.514309382 +0100
Modify: 2020-01-06 01:51:41.524000000 +0100
Change: 2020-01-06 01:51:41.524000000 +0100
 Birth: -
root@debian-2gb-fsn1-1:~# apt-get install -yyyyqqqq tinyproxy
Selecting previously unselected package tinyproxy-bin.
(Reading database ... 35006 files and directories currently installed.)
Preparing to unpack .../tinyproxy-bin_1.10.0-2_amd64.deb ...
Unpacking tinyproxy-bin (1.10.0-2) ...
Selecting previously unselected package tinyproxy.
Preparing to unpack .../tinyproxy_1.10.0-2_all.deb ...
Unpacking tinyproxy (1.10.0-2) ...
Setting up tinyproxy-bin (1.10.0-2) ...
Setting up tinyproxy (1.10.0-2) ...
Created symlink /etc/systemd/system/multi-user.target.wants/tinyproxy.service → /lib/systemd/system/tinyproxy.service.
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for systemd (241-7~deb10u2) ...
root@debian-2gb-fsn1-1:~# grep PidFile /etc/tinyproxy/tinyproxy.conf
# PidFile: Write the PID of the main tinyproxy thread to this file so it
PidFile "/run/tinyproxy/tinyproxy.pid"
root@debian-2gb-fsn1-1:~# sed -i '/PidFile/d' /etc/tinyproxy/tinyproxy.conf
root@debian-2gb-fsn1-1:~# grep PidFile /etc/tinyproxy/tinyproxy.conf
root@debian-2gb-fsn1-1:~# systemctl start logrotate
root@debian-2gb-fsn1-1:~# sed -i 's/2020/2019/g' /var/lib/logrotate/status
root@debian-2gb-fsn1-1:~# systemctl start logrotate
root@debian-2gb-fsn1-1:~# stat /
  File: /
  Size: 4096        Blocks: 8          IO Block: 4096   directory
Device: 801h/2049d  Inode: 2           Links: 18
Access: (0755/drwxr-xr-x)  Uid: (  106/tinyproxy)   Gid: (  112/tinyproxy)
Access: 2019-12-08 05:11:02.514309382 +0100
Modify: 2020-01-06 01:51:41.524000000 +0100
Change: 2020-01-06 01:53:05.254019354 +0100
 Birth: -

Note that tinyproxy does not start up with this configuration, because systemd expects the PidFile to appear. For the machine where I noticed this issue I also adjusted the systemd unit to be of `Type=simple`.

While this configuration might not be common and not encountered by the average user, it introduced a possible security hole in my system, and even if this might not be fully exploitable by the `tinyproxy` user it breaks systemd-tmpfiles:

Jan 06 01:57:53 debian-2gb-fsn1-1 systemd-tmpfiles[282]: Detected unsafe path transition / → /var during canonicalization of /var.

Thus I feel the severity of `critical` is justified for this bug report.

Best regards
Tim Düsterhus

-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tinyproxy depends on:
ii  adduser        3.118
ii  logrotate      3.14.0-4
ii  lsb-base       10.2019051400
ii  tinyproxy-bin  1.10.0-2

tinyproxy recommends no packages.

tinyproxy suggests no packages.

-- Configuration Files:
/etc/tinyproxy/tinyproxy.conf changed:
User tinyproxy
Group tinyproxy
Port 8888
Timeout 600
DefaultErrorFile "/usr/share/tinyproxy/default.html"
StatFile "/usr/share/tinyproxy/stats.html"
LogFile "/var/log/tinyproxy/tinyproxy.log"
LogLevel Info
MaxClients 100
MinSpareServers 5
MaxSpareServers 20
StartServers 10
MaxRequestsPerChild 0
Allow 127.0.0.1
ViaProxyName "tinyproxy"
ConnectPort 443
ConnectPort 563

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: tinyproxy
Source-Version: 1.8.4-3~deb9u2
Done: Mike Gabriel <[email protected]>

We believe that the bug you reported is fixed in the latest version of
tinyproxy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <[email protected]> (supplier of updated tinyproxy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 31 Mar 2020 12:15:15 +0200
Source: tinyproxy
Binary: tinyproxy
Architecture: source amd64
Version: 1.8.4-3~deb9u2
Distribution: stretch
Urgency: medium
Maintainer: Ed Boraas <[email protected]>
Changed-By: Mike Gabriel <[email protected]>
Description:
 tinyproxy  - Lightweight, non-caching, optionally anonymizing HTTP proxy
Closes: 870307 948283
Changes:
 tinyproxy (1.8.4-3~deb9u2) stretch; urgency=medium
 .
   * debian/patches:
     + Add CVE-2017-11747-drop-privileges-after-PID-file-creation.patch.
       CVE-2017-11747: Create PID file before dropping privileges to
       non-root account. (Closes: #870307).
   * debian/tinyproxy.init:
     + Only set PIDDIR, if PIDFILE is a non-zero length string. (Closes: #948283).
Checksums-Sha1:
 e8be7a753b6c7eabf25f14b7444967fa493680b0 2182 tinyproxy_1.8.4-3~deb9u2.dsc
 2ecc31268b386c282f4c9f4ed53dd9b76f3c3aee 192300 tinyproxy_1.8.4.orig.tar.xz
 ea58944daa705551ed82df72742c5ac6bd42080c 181 tinyproxy_1.8.4.orig.tar.xz.asc
 01e6228f8872d1d0416511769bcf1ce9f0bf3cfc 21388 tinyproxy_1.8.4-3~deb9u2.debian.tar.xz
 6cf1fd17072e4631d2709cd31483d07e01752e6b 98442 tinyproxy-dbgsym_1.8.4-3~deb9u2_amd64.deb
 a1f1e1e42e6fffa6c48e2b414c3418fab76633cc 6903 tinyproxy_1.8.4-3~deb9u2_amd64.buildinfo
 3502d0fbc05e49e8d6084704b6f1505b1936065e 85738 tinyproxy_1.8.4-3~deb9u2_amd64.deb
Checksums-Sha256:
 6416ad625ca72b45721bb7a21baa94ecc5c739b2e413322903da54a8f15e4fa5 2182 tinyproxy_1.8.4-3~deb9u2.dsc
 a41f4ddf0243fc517469cf444c8400e1d2edc909794acda7839f1d644e8a5000 192300 tinyproxy_1.8.4.orig.tar.xz
 2ab516a8a6568162d66081c617c8b9c71ada4a14b789aea02c7d832c18c432cc 181 tinyproxy_1.8.4.orig.tar.xz.asc
 24848d3dc81191a9d5ebf4c5857cf9082968cd7e899e710bd84154595a625e4b 21388 tinyproxy_1.8.4-3~deb9u2.debian.tar.xz
 c366b0a71b548a091065c3f710789216d749bfaef6d38d7c23e6bb21fd9aa1c2 98442 tinyproxy-dbgsym_1.8.4-3~deb9u2_amd64.deb
 d66900c62e99c560ead4d6e994879b4d473c9ca41e3e8ed33c999354e8708354 6903 tinyproxy_1.8.4-3~deb9u2_amd64.buildinfo
 0eb1f096932690ef991f6eff48aff957e33fc6102f524577a8b91ac4fdc4c38f 85738 tinyproxy_1.8.4-3~deb9u2_amd64.deb
Files:
 88109d3d6a53d8d91cac79932d72f38a 2182 web optional tinyproxy_1.8.4-3~deb9u2.dsc
 b181e8c78cb31c2bc16b61fcf2425190 192300 web optional tinyproxy_1.8.4.orig.tar.xz
 40114246a53ee2be072ece9b5185bf6d 181 web optional tinyproxy_1.8.4.orig.tar.xz.asc
 509e9a176db7e56310c5c288ac55c1a3 21388 web optional tinyproxy_1.8.4-3~deb9u2.debian.tar.xz
 57f925ae998862ac25aae44aa1f9142d 98442 debug extra tinyproxy-dbgsym_1.8.4-3~deb9u2_amd64.deb
 3cd61b82fa540597e3fa39b315621beb 6903 web optional tinyproxy_1.8.4-3~deb9u2_amd64.buildinfo
 eb74f6e35a6560f469824832c3a4a3eb 85738 web optional tinyproxy_1.8.4-3~deb9u2_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAl6DG44ACgkQgj6WdgbD
S5YRrw/9F7kWVSScILLasZIj8Av0P+tyf1L5We0spwPctZInqQRfW9oYEZ8ZyUtx
VxJvJ8iol4JUMhip4C/WYJ+8y2msQXaHqGTlva+DTeQ2mLOkO2hzvfdloslYS4sC
K7RWZVpr3dUNlSE8XMTV9AHFSG3dp1t+oTNPhGpnlSFywTjJ1k115BcMjWta4f6e
CkdnDKRiOm9gbrbgu3O1NbZoquU+xl6RsfMgVp0xNZ0qghIZGVzpwcDwNsLFmdkK
6Bu6M/BOxHWgs1sa82v/esW2AlIf07NPRXKt4GpxGGN2POh2s3vCMYrY3yBXAQeg
bMUeBC6puhtx0yYZZm2YOhLQa/696202kngGHCI6C/3WnXtncW1SFx60Fzuma1D0
jX/hIXP3tQGrD8vF/km8LJbhnYNnvMTUoCZLxil6Cz/IqUNNUM8RwGZyDJ0uZDdY
hJoGoua/fvHRNSVPn7KXg7nb0tBQcUi/2BVWOurWLZxe5OvY6FlZzYUhn3sZcrm3
Fq8HvjZBp/JyNwnCCFoBO+7Wk14COf47nJZVuM9KJWHb5iOGd02UjHWU0jl00lxf
WEl4kylDStmwo0jbmiL3eoowgerqUc/nCdYxa2u6t/MzVh+x17WH5MJ4l95SuRhm
tj7L7bVRjHQ3Qtt9ErER+AbaIXCb4ROHPAFrEbpVsBbA7zrffcY=
=poT5
-----END PGP SIGNATURE-----
--- End Message ---
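The bug report and the changelog entry that closes it describe one defect from two sides: when the PidFile directive is absent, the PIDFILE string is empty, and a directory derived from it was still created and chowned to the tinyproxy user, which on the reporter's VM turned out to be /. The POSIX sh script below is an added example, not code from the Debian tinyproxy package, its init script, its logrotate hook, or either message. It assumes a tinyproxy.conf-style file with a PidFile directive and constructs its own sample configs; the user and group name tinyproxy and the /run/tinyproxy path are taken from the report. It shows the guard the stretch fix describes (derive and act on PIDDIR only when PIDFILE is non-empty), why the guard is needed (dirname of an empty string is a real directory, not an error), and a dry run that prints the privileged step instead of executing it.

```shell
#!/bin/sh
# Added example, not the Debian tinyproxy init script or logrotate hook.
# It never changes ownership of anything; plan_pid_dir only prints the
# command it would run, so it is safe to execute as an unprivileged user.

# Why the guard matters: dirname of "" prints "." and exits 0, so a
# missing PidFile silently becomes a usable directory name instead of
# failing. A later "chown tinyproxy:tinyproxy $PIDDIR" then hits whatever
# that string resolves to; in the bug report it ended up being "/".
naive_piddir() {
    dirname "$1"
}

# Extract the PidFile value from a tinyproxy.conf; prints "" when the
# directive is absent or commented out.
pidfile_from_config() {
    sed -n 's/^[[:space:]]*PidFile[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Derive the PID directory, or print nothing when there is no safe answer:
# empty PidFile, a relative path, or a file placed directly under "/".
piddir_from_pidfile() {
    pidfile=$1
    [ -n "$pidfile" ] || return 0          # the fix: no PIDFILE, no PIDDIR
    case $pidfile in
        /*) ;;                             # absolute path required
        *)  return 0 ;;
    esac
    dir=$(dirname "$pidfile")
    [ "$dir" != "/" ] || return 0          # never hand "/" to chown
    printf '%s\n' "$dir"
}

# Dry run of the setup step: prints the command that would create the
# directory owned by the service user, or nothing when no PidFile is set.
plan_pid_dir() {
    piddir=$(piddir_from_pidfile "$1")
    if [ -z "$piddir" ]; then
        echo "PidFile not configured; skipping PID directory setup" >&2
        return 0
    fi
    printf 'install -d -o tinyproxy -g tinyproxy %s\n' "$piddir"
}

# Constructed sample configs (not the reporter's files).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/with-pidfile.conf" <<'EOF'
User tinyproxy
Group tinyproxy
# PidFile: Write the PID of the main tinyproxy thread to this file
PidFile "/run/tinyproxy/tinyproxy.pid"
EOF
cat > "$tmp/without-pidfile.conf" <<'EOF'
User tinyproxy
Group tinyproxy
# PidFile directive deleted, as in the bug report
EOF

for conf in "$tmp/with-pidfile.conf" "$tmp/without-pidfile.conf"; do
    echo "== $conf"
    echo "naive dirname of PidFile: $(naive_piddir "$(pidfile_from_config "$conf")")"
    plan_pid_dir "$(pidfile_from_config "$conf")"
done
```

The same shape applies to any service wrapper that turns a config value into a path it will create or chown as root: validate the value first (non-empty, absolute, not the filesystem root), and make the "not configured" case an explicit no-op rather than letting string functions pick a directory for you.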

