Bug#1050588: bookworm-pu: package nsis/3.08-3+deb12u1

2024-06-17 Thread Didier 'OdyX' Raboud
> On Sunday, 16 June 2024, 01:26:56 CEST Jonathan Wiltshire wrote:
> Control: tag -1 confirmed
> 
> On Mon, Feb 05, 2024 at 11:26:12AM +0100, Didier 'OdyX' Raboud wrote:
> > Here comes the debdiff as I would upload it.
> 
> Please go ahead.

Uploaded (as _source.changes via dgit, hope that's fine).

++,
OdyX



Bug#1050588: bookworm-pu: package nsis/3.08-3+deb12u1

2024-06-15 Thread Jonathan Wiltshire
Control: tag -1 confirmed

On Mon, Feb 05, 2024 at 11:26:12AM +0100, Didier 'OdyX' Raboud wrote:
> Here comes the debdiff as I would upload it.

Please go ahead.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Bug#1050588: bookworm-pu: package nsis/3.08-3+deb12u1

2024-04-09 Thread Didier 'OdyX' Raboud
Control: tag -1 -moreinfo

On Monday, 8 April 2024, 12:16:34 CEST Christian Franke wrote:
> Jonathan Wiltshire wrote:
> > ...
> > Thanks. The bug #1050288 isn't fixed in unstable according to the BTS,
> > which is a requirement. What's the status?
> 
> The problem described in #1050288 no longer occurs since NSIS 3.09.
> The problem appeared in Debian 12 because the Mingw-w64 toolchain now
> enables ASLR (and therefore emits relocation information) by default but
> NSIS does not support relocation information. NSIS upstream addressed
> this in the build recipes of 3.09.
> 
> I could confirm that this has the desired effect:
> In the smartmontools project, we use a Debian 12 based docker image for
> reproducible CI builds (https://builds.smartmontools.org/). After
> forcibly upgrading NSIS to 3.09 from Debian trixie, the problem
> disappeared. Here is the related commit:
> https://github.com/smartmontools/docker-build/commit/9b231f0
> 
> Therefore I guess that #1050288 is also fixed in unstable.

I've just now marked it as fixed. Sorry I hadn't checked that the bug was in 
the correct state.

All lights should now be green.

Best,
OdyX



Bug#1050588: bookworm-pu: package nsis/3.08-3+deb12u1

2024-04-08 Thread Christian Franke

Jonathan Wiltshire wrote:

...
Thanks. The bug #1050288 isn't fixed in unstable according to the BTS,
which is a requirement. What's the status?


The problem described in #1050288 no longer occurs since NSIS 3.09.
The problem appeared in Debian 12 because the Mingw-w64 toolchain now 
enables ASLR (and therefore emits relocation information) by default but 
NSIS does not support relocation information. NSIS upstream addressed 
this in the build recipes of 3.09.


I could confirm that this has the desired effect:
In the smartmontools project, we use a Debian 12 based docker image for 
reproducible CI builds (https://builds.smartmontools.org/). After 
forcibly upgrading NSIS to 3.09 from Debian trixie, the problem 
disappeared. Here is the related commit:

https://github.com/smartmontools/docker-build/commit/9b231f0

Therefore I guess that #1050288 is also fixed in unstable.

--
Regards,
Christian
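
Christian's explanation above (mingw-w64 now defaults to ASLR, so the linked stub carries relocation information that NSIS cannot handle) suggests a quick check a packager can run on a built exehead stub before it reaches the archive. The following is an added Python example, not code from this thread, from NSIS or from the Debian package: it parses the PE headers for the DynamicBase flag, the RelocsStripped flag and a `.reloc` section, and exercises the check on a constructed minimal PE header blob (`build_pe`, a hypothetical helper) instead of a real stub.

```python
import struct

# Flag values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # DllCharacteristics (ASLR)


def build_pe(dynamic_base: bool, with_reloc: bool) -> bytes:
    """Constructed PE32 header blob (not a real NSIS stub): DOS header, PE
    signature, COFF header, optional header and a section table."""
    sections = [b".text"] + ([b".reloc"] if with_reloc else [])
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    characteristics = 0x0102  # IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE
    if not with_reloc:
        characteristics |= IMAGE_FILE_RELOCS_STRIPPED
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 224, characteristics)
    opt = bytearray(224)                   # PE32 optional header, all other fields zero
    struct.pack_into("<H", opt, 0, 0x10B)  # Magic = PE32
    struct.pack_into("<H", opt, 70, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if dynamic_base else 0)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in sections)  # 40-byte section headers
    return dos + b"PE\0\0" + coff + bytes(opt) + table


def relocation_report(pe: bytes) -> dict:
    """Parse the headers that matter for #1050288: is ASLR requested, are
    relocations declared stripped, and is a .reloc section present?"""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (nsect,) = struct.unpack_from("<H", pe, coff + 2)
    opt_size, chars = struct.unpack_from("<HH", pe, coff + 16)
    opt = coff + 20
    (dll_chars,) = struct.unpack_from("<H", pe, opt + 70)  # same offset in PE32 and PE32+
    sect = opt + opt_size
    names = [pe[sect + 40 * i:sect + 40 * i + 8].rstrip(b"\0").decode() for i in range(nsect)]
    return {
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "relocs_stripped": bool(chars & IMAGE_FILE_RELOCS_STRIPPED),
        "has_reloc_section": ".reloc" in names,
    }


def stub_has_relocations(pe: bytes) -> bool:
    """True when the stub carries the relocation section NSIS cannot handle."""
    return relocation_report(pe)["has_reloc_section"]
```

Run `relocation_report` over the real `Stubs/*` files of a build to see which variant the toolchain produced; a stub linked the way the thread describes shows `dynamic_base` and `has_reloc_section` both true.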



Bug#1050588: bookworm-pu: package nsis/3.08-3+deb12u1

2024-04-06 Thread Jonathan Wiltshire
Control: tag -1 moreinfo

Hi,

On Mon, Feb 05, 2024 at 11:26:12AM +0100, Didier 'OdyX' Raboud wrote:
> On Saturday, 3 February 2024, 10:46:29 CET Adam D. Barratt wrote:
> > On Sat, 2024-02-03 at 10:33 +0100, Thomas Gaugler wrote:
> > > I am the maintainer of Nullsoft Scriptable Install System (NSIS) and
> > > propose the changes committed into the debian/bookworm branch on the
> > > 27th January 2024 to be released as updated nsis 3.08-3+deb12u1
> > > packages
> > > ().
> > 
> > Thanks, but you've still not attached a debdiff of a prepared package,
> > as requested. Pointers to git are useful, but they're not the same as an
> > actual package debdiff, which sometimes reveals changes that aren't
> > immediately obvious from git.
> > 
> > (A debdiff attached to the bug is also there in perpetuity.)
> 
> Here comes the debdiff as I would upload it.

Thanks. The bug #1050288 isn't fixed in unstable according to the BTS,
which is a requirement. What's the status?

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw



Bug#1050588: bookworm-pu: package nsis/3.08-3+deb12u1

2024-02-05 Thread Didier 'OdyX' Raboud
On Saturday, 3 February 2024, 10:46:29 CET Adam D. Barratt wrote:
> On Sat, 2024-02-03 at 10:33 +0100, Thomas Gaugler wrote:
> > I am the maintainer of Nullsoft Scriptable Install System (NSIS) and
> > propose the changes committed into the debian/bookworm branch on the
> > 27th January 2024 to be released as updated nsis 3.08-3+deb12u1
> > packages
> > ().
> 
> Thanks, but you've still not attached a debdiff of a prepared package,
> as requested. Pointers to git are useful, but they're not the same as an
> actual package debdiff, which sometimes reveals changes that aren't
> immediately obvious from git.
> 
> (A debdiff attached to the bug is also there in perpetuity.)

Here comes the debdiff as I would upload it.

Thanks for the reminder.

Best,
OdyX

diff -Nru nsis-3.08/debian/changelog nsis-3.08/debian/changelog
--- nsis-3.08/debian/changelog	2022-08-15 07:58:35.0 +0200
+++ nsis-3.08/debian/changelog	2024-02-05 11:18:05.0 +0100
@@ -1,3 +1,12 @@
+nsis (3.08-3+deb12u1) bookworm; urgency=medium
+
+  * Cherry-pick upstream commits to fix CVE-2023-37378 (Closes: #1040880)
+  * Use common options for nsis-doc installation
+  * Exclude Debian revison suffix from VER_REVISION
+  * Backport upstream commit to disable stub relocations (Closes: #1050288)
+
+ -- Thomas Gaugler   Mon, 05 Feb 2024 11:18:05 +0100
+
 nsis (3.08-3) unstable; urgency=medium
 
   [ Thomas Gaugler ]
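
Review bot: the changelog entry `* Exclude Debian revison suffix from VER_REVISION` misspells "revision"; this text is published as the package changelog, so fix the spelling before upload. The nsis-doc installation bullet has no `Closes:` entry while the other two fixes do; the arm64 reproducibility FTBFS it addresses is described in the request, so if that failure has a bug number in the BTS, add it here so the upload closes it.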
diff -Nru nsis-3.08/debian/patches/CVE-2023-37378_Don-t-allow-everyone-to-delete.patch nsis-3.08/debian/patches/CVE-2023-37378_Don-t-allow-everyone-to-delete.patch
--- nsis-3.08/debian/patches/CVE-2023-37378_Don-t-allow-everyone-to-delete.patch	1970-01-01 01:00:00.0 +0100
+++ nsis-3.08/debian/patches/CVE-2023-37378_Don-t-allow-everyone-to-delete.patch	2024-02-05 11:18:05.0 +0100
@@ -0,0 +1,27 @@
+Origin: upstream, https://github.com/kichik/nsis/commit/409b5841479c44fbf33a6ba97c1146e46f965467.patch
+Bug: https://sf.net/p/nsis/bugs/1296
+Bug-Debian: https://bugs.debian.org/1040880
+
+From 409b5841479c44fbf33a6ba97c1146e46f965467 Mon Sep 17 00:00:00 2001
+From: Anders 
+Date: Wed, 21 Jun 2023 23:38:48 +
+Subject: [PATCH] Don't allow everyone to delete the uninstaller directory
+
+git-svn-id: https://svn.code.sf.net/p/nsis/code/NSIS/trunk@7396 212acab6-be3b-0410-9dea-997c60f758d6
+---
+ Source/exehead/util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Source/exehead/util.c b/Source/exehead/util.c
+index ba682f6f75..634d4a69f8 100644
+--- a/Source/exehead/util.c
 b/Source/exehead/util.c
+@@ -62,7 +62,7 @@ const UINT32 g_restrictedacl[] = {
+   0x1000, // ACCESS_ALLOWED_ACE:ACCESS_MASK: GENERIC_ALL
+   0x0201, 0x0500, 0x0020, 0x0220, // ACCESS_ALLOWED_ACE:SID (BUILTIN\Administrators) NOTE: GetAdminGrpSid() relies on this being the first SID in the ACL
+   0x00140300, // ACCESS_ALLOWED_ACE:ACE_HEADER (ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE|OBJECT_INHERIT_ACE)
+-  0x00130041, // ACCESS_ALLOWED_ACE:ACCESS_MASK: DELETE|READ_CONTROL|SYNCHRONIZE|FILE_DELETE_CHILD|FILE_LIST_DIRECTORY
++  0x001200c1, // ACCESS_ALLOWED_ACE:ACCESS_MASK: SYNCHRONIZE|READ_CONTROL|FILE_LIST_DIRECTORY|FILE_DELETE_CHILD|FILE_READ_ATTRIBUTES
+   0x0101, 0x0100, 0x // ACCESS_ALLOWED_ACE:SID (WORLD\Everyone)
+ };
+ 
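
Review bot: the `+++ b/Source/exehead/util.c` header of the embedded upstream diff appears here as ` b/Source/exehead/util.c`, with its leading `+`/`+++` markers missing; if that is the content of the debian/patches file rather than mail-archive rendering, quilt will not apply the patch, so check the file in the uploaded source package. The mask change itself decodes as its comments say: 0x00130041 minus DELETE (0x00010000) plus FILE_READ_ATTRIBUTES (0x00000080) is 0x001200c1, so the WORLD\Everyone ACE keeps FILE_DELETE_CHILD but loses the right to delete the uninstaller directory itself, which is the point of the fix.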
diff -Nru nsis-3.08/debian/patches/CVE-2023-37378_Don-t-delete-old-uninstaller.patch nsis-3.08/debian/patches/CVE-2023-37378_Don-t-delete-old-uninstaller.patch
--- nsis-3.08/debian/patches/CVE-2023-37378_Don-t-delete-old-uninstaller.patch	1970-01-01 01:00:00.0 +0100
+++ nsis-3.08/debian/patches/CVE-2023-37378_Don-t-delete-old-uninstaller.patch	2024-02-05 11:18:05.0 +0100
@@ -0,0 +1,32 @@
+Origin: upstream, https://github.com/kichik/nsis/commit/c40cf78994e74a1a3a381a850c996b251e3277c0.patch
+Bug: https://sf.net/p/nsis/bugs/1296
+Bug-Debian: https://bugs.debian.org/1040880
+
+From c40cf78994e74a1a3a381a850c996b251e3277c0 Mon Sep 17 00:00:00 2001
+From: Anders 
+Date: Sat, 3 Jun 2023 15:10:54 +
+Subject: [PATCH] Don't delete old uninstaller if it points somewhere else
+
+git-svn-id: https://svn.code.sf.net/p/nsis/code/NSIS/trunk@7394 212acab6-be3b-0410-9dea-997c60f758d6
+---
+ Source/exehead/Main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/Source/exehead/Main.c b/Source/exehead/Main.c
+index 78ff558c6e..e39c631671 100644
+--- a/Source/exehead/Main.c
 b/Source/exehead/Main.c
+@@ -376,10 +376,10 @@ EXTERN_C void NSISWinMainNOCRT()
+ 
+ if (ec)
+ {
+-  // Delete previous uninstaller
+-  if (DeleteFile(unexe))
++  // Delete previous uninstaller (if it is safe to do so)
++  if (!(GetFileAttributes(unexe) & FILE_ATTRIBUTE_REPARSE_POINT) && DeleteFile(unexe))
+   {
+-myDelete(state_temp_dir, DEL_DIR|DEL_RECURSE);
++myDelete(state_temp_dir, DEL_DIR);
+ if 
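
Review bot: the debdiff breaks off mid-line at `+ if` inside the Main.c hunk, so the third CVE-2023-37378 patch, the nsis-doc install option change, the VER_REVISION change, the stub-relocation backport and debian/patches/series are not visible in this copy and cannot be reviewed from it; please confirm the attached debdiff is complete. On the visible lines the new condition is fail-closed: GetFileAttributes returns INVALID_FILE_ATTRIBUTES (all bits set) when the path cannot be queried, so the reparse-point test then fails and DeleteFile is skipped; dropping DEL_RECURSE from the myDelete call means only the temp directory itself is removed rather than a whole tree, which is what the subject line "if it points somewhere else" is protecting against.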

Bug#1050588: bookworm-pu: package nsis/3.08-3+deb12u1

2024-02-03 Thread Adam D. Barratt
On Sat, 2024-02-03 at 10:33 +0100, Thomas Gaugler wrote:
> I am the maintainer of Nullsoft Scriptable Install System (NSIS) and 
> propose the changes committed into the debian/bookworm branch on the 
> 27th January 2024 to be released as updated nsis 3.08-3+deb12u1
> packages 
> ().

Thanks, but you've still not attached a debdiff of a prepared package,
as requested. Pointers to git are useful, but they're not the same as an
actual package debdiff, which sometimes reveals changes that aren't
immediately obvious from git.

(A debdiff attached to the bug is also there in perpetuity.)

Regards,

Adam



Bug#1050588: bookworm-pu: package nsis/3.08-3+deb12u1

2024-02-03 Thread Thomas Gaugler

Control: tags -1 -moreinfo
Control: owner -1 Thomas Gaugler 

Hi Adam,

I am the maintainer of Nullsoft Scriptable Install System (NSIS) and 
propose the changes committed into the debian/bookworm branch on the 
27th January 2024 to be released as updated nsis 3.08-3+deb12u1 packages 
().


The changes fix the security vulnerability CVE-2023-37378 
(), bogus 
relocation section in the installer stubs 
() and a failed-to-build-from-source
(FTBFS) bug occurring in the arm64 reproducibility build
().


In the following I describe each commit in more detail.

2b331c4f Cherry-pick upstream commits to fix CVE-2023-37378
This commit consists of essentially the same patches as included in the 
nsis 3.04-1+deb9u1 diff uploaded by the LTS Security team. Only the 
Debian patch header fields differ slightly.

(),
(),
()

105629f0 Use common options for nsis-doc installation
In Debian Trixie additional compile flags for hardening the security 
have been introduced. These flags were wrongly applied for installing 
build artifacts of the documentation targets (install-examples, 
install-doc and install-docs) and caused the arm64 reproducibility build 
to fail. The arm64 reproducibility worked again after changing to the 
common set of flags for the documentation targets build. 
()


2d1e47e8 Exclude Debian revison suffix from VER_REVISION
The nsis 3.04-1+deb9u1 diff did "Hardcode VER_REVISION to ignore deb9u1 
suffix". This change takes a generic approach by utilizing the string 
functions (firstword, word) of make to exclude the Debian revision 
suffix from VER_REVISION.


1ec70a5e Backport upstream commit to disable stub relocations
The original fix was not effective 
(). 
This regression was pointed out in the Debian bug report #1050288 
() and the origin of this proposed 
update request. These changes are the backport of the upstream commit
to disable stub relocations in newer GNU C(++) compiler versions.


f5795972 CVE-2023-37378, nsis-doc, VER_REVISION, disable relocs
This commit documents the above described changes.

---

Once we have your agreement, my uploading sponsor (OdyX) will proceed 
with the upload.


Best regards,
Thomas