Bug#992748: systemd-cron: postinst error
https://salsa.debian.org/debian/cron/-/commit/230478512cc82d879d727f6dfc18040bdd48c9d9

same as 892720, 892721, 892724 :-( ... will sync again with the latest cron.postinst and reupload

On Wed, 8 Sep 2021 at 20:03, Daniel Serpell wrote:
>
> Package: systemd-cron
> Version: 1.5.17-2
> Followup-For: Bug #992748
>
> Hi,
>
> After the fix, I now have:
>
> ---
> Preparing to unpack .../systemd-cron_1.5.17-2_amd64.deb ...
> Unpacking systemd-cron (1.5.17-2) over (1.5.17-1) ...
> Setting up systemd-cron (1.5.17-2) ...
> stat: cannot statx '*': No such file or directory
> stat: cannot statx '*': No such file or directory
> stat: cannot statx '*': No such file or directory
> Warning: * is not a regular file!
Bug#992748: systemd-cron: postinst error
Package: systemd-cron
Version: 1.5.17-2
Followup-For: Bug #992748

Hi,

After the fix, I now have:

---
Preparing to unpack .../systemd-cron_1.5.17-2_amd64.deb ...
Unpacking systemd-cron (1.5.17-2) over (1.5.17-1) ...
Setting up systemd-cron (1.5.17-2) ...
stat: cannot statx '*': No such file or directory
stat: cannot statx '*': No such file or directory
stat: cannot statx '*': No such file or directory
Warning: * is not a regular file!
---

This is because the folder /var/spool/cron/crontabs/ is empty:

~# ls -l /var/spool/cron/crontabs/
total 0

I'm not sure the "for tab_name in *" is appropriate here.

Regards,
Daniel.

-- Package-specific info:
-- output of systemd-delta

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-8-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages systemd-cron depends on:
ii  libc6         2.32-2
ii  python3       3.9.2-3
ii  systemd-sysv  247.9-1

Versions of packages systemd-cron recommends:
pn  default-mta | exim4 | mail-transport-agent

systemd-cron suggests no packages.

-- no debconf information
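For comparison, an added example (not the systemd-cron or cron postinst) of the `for tab_name in *` loop written so that it survives an empty spool directory under dash, which has no nullglob, and only acts on regular, non-symlinked entries, which is the kind of check a postinst touching crontab files needs. The directory name is a parameter and "processing" a file here only means printing its name; those are assumptions of this example.

```sh
#!/bin/sh
# Added example; not code from the systemd-cron package.
# list_regular_crontabs DIR
# Prints the names of regular files directly inside DIR, one per line.
# - When the glob matches nothing, dash leaves the literal '*' in place;
#   the -e/-L tests skip that literal instead of calling stat on it,
#   which is what produced "stat: cannot statx '*'" above.
# - Symlinks are refused before -f is consulted, because -f follows
#   symlinks and would report the link target's type instead.
# - Directories and other non-regular entries are skipped.
list_regular_crontabs() {
    dir=$1
    for tab in "$dir"/*; do
        # unmatched glob: neither an existing path nor a (dangling) link
        [ -e "$tab" ] || [ -L "$tab" ] || continue
        if [ -L "$tab" ]; then
            printf 'skipping symlink: %s\n' "${tab##*/}" >&2
            continue
        fi
        [ -f "$tab" ] || continue
        printf '%s\n' "${tab##*/}"
    done
    return 0
}

# Usage from a maintainer script (spool path assumed):
# list_regular_crontabs /var/spool/cron/crontabs
```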
Bug#992748: systemd-cron: postinst error - CVE-2017-9525?
Hi

On Wed, Sep 08, 2021 at 01:12:44PM +0300, Martin-Éric Racine wrote:
> Alexandre,
>
> Thanks for fixing unstable.
>
> Unless I'm mistaken, I think that the second bug was intentionally
> cloned by Chris to track the issue in stable and oldstable. I'm thus
> not sure if it was meant to be closed via the same upload.

I actually cloned it for tracking the CVE specifically, but TBH and
retrospectively it was probably just "overkill"; it is the same fix for
both aspects anyway. It is not a problem to close it, the BTS can handle
closes in multiple versions, and it is actually the right thing to do (by
mentioning it in the changes). This is because the BTS has version
tracking, so it knows which versions are still affected for other suites.
That means the stable and oldstable uploads would both contain the
closes marker as well and can similarly close the bug.

Regards,
Salvatore
Bug#992748: systemd-cron: postinst error - CVE-2017-9525?
Alexandre,

Thanks for fixing unstable.

Unless I'm mistaken, I think that the second bug was intentionally
cloned by Chris to track the issue in stable and oldstable. I'm thus
not sure if it was meant to be closed via the same upload.

Martin-Éric

On Wed, 8 Sep 2021 at 9:36, Alexandre Detiste (alexandre.deti...@gmail.com) wrote:
>
> Hi.
>
> I will fix unstable today but I don't know how to learn again to fix the old
> releases in a timely manner between so many things to handle at home and work.
>
> Forking from old git tags and pasting the same new postinst over?
>
> So for this part help will be welcome.
>
> Greets,
>
> On Wed, 8 Sep 2021 at 07:21, Martin-Éric Racine wrote:
>>
>> On Sun, 5 Sep 2021 at 18:41, Salvatore Bonaccorso (car...@debian.org) wrote:
>> >
>> > Control: clone 992748 -1
>> > Control: retitle -1 systemd-cron: CVE-2017-9525: group crontab to root
>> > escalation via postinst
>> > Control: severity -1 important
>> > Control: found -1 1.5.16-1
>> > Control: found -1 1.5.14-2
>> > Control: tags 992748 - security
>> >
>> > Hi Chris,
>> >
>> > On Sun, Sep 05, 2021 at 02:49:40PM +0200, Chris Hofstaedtler wrote:
>> > > Control: tags -1 + security
>> > >
>> > > * Alexandre Detiste [210905 12:47]:
>> > > > On Mon, 23 Aug 2021 at 04:57, Martin-Éric Racine wrote:
>> > > > > Setting up systemd-cron (1.5.17-1) ...
>> > > > > xargs: warning: options --max-args and --replace/-I/-i are mutually
>> > > > > exclusive, ignoring previous --max-args value
>> > > > > Thanks.
>> > > >
>> > > > This was copy-pasted from src:cron, which must have the same bug now.
>> > >
>> > > src:cron removed the offending code as part of a security fix in
>> > > 2018:
>> > >
>> > > https://salsa.debian.org/debian/cron/-/commit/a10ab4e346e941aaa92f4b671a96895392b917af
>> > >
>> > > This would suggest CVE-2017-9525 also affects src:systemd-cron.
>> >
>> > Looks right and confirmed in a quick test. If the attacker has gained
>> > crontab group then further escalation is possible.
>> >
>> > Though technically those two bugs will be resolved at the same step I
>> > thought it good to separate the escalation issue and the error in
>> > postinst (but as said, they will be fixed basically together).
>> >
>> > Once fixed in unstable, can you please fix the issue as well via
>> > upcoming point releases for bullseye and buster? Similarly as for the
>> > src:cron case a DSA is not warranted.
>>
>> Alexandre,
>>
>> Do you have time to fix this now? If not, would it be okay for the
>> security team to make an NMU for all affected releases?
>>
>> Martin-Éric
Bug#992748: systemd-cron: postinst error - CVE-2017-9525?
On Wed, Sep 08, 2021 at 08:36:32AM +0200, Alexandre Detiste wrote:
> Hi.
>
> I will fix unstable today but I don't know how to learn again to fix the
> old releases in a timely manner between so many things to handle at home and
> work.
>
> Forking from old git tags and pasting the same new postinst over?
>
> So for this part help will be welcome.

The issue would not warrant a DSA, but a fix through upcoming point
releases would be good to have. Some documentation about the procedures
is found in

https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#upload-stable

About the packaging question, not sure how your repository is laid out,
but right, make respective branches for the suites from the given tags,
then make the needed changes for the postinst.

Regards,
Salvatore
Bug#992748: systemd-cron: postinst error - CVE-2017-9525?
Hi.

I will fix unstable today but I don't know how to learn again to fix the old
releases in a timely manner between so many things to handle at home and work.

Forking from old git tags and pasting the same new postinst over?

So for this part help will be welcome.

Greets,

On Wed, 8 Sep 2021 at 07:21, Martin-Éric Racine wrote:
> On Sun, 5 Sep 2021 at 18:41, Salvatore Bonaccorso (car...@debian.org) wrote:
> >
> > Control: clone 992748 -1
> > Control: retitle -1 systemd-cron: CVE-2017-9525: group crontab to root
> > escalation via postinst
> > Control: severity -1 important
> > Control: found -1 1.5.16-1
> > Control: found -1 1.5.14-2
> > Control: tags 992748 - security
> >
> > Hi Chris,
> >
> > On Sun, Sep 05, 2021 at 02:49:40PM +0200, Chris Hofstaedtler wrote:
> > > Control: tags -1 + security
> > >
> > > * Alexandre Detiste [210905 12:47]:
> > > > On Mon, 23 Aug 2021 at 04:57, Martin-Éric Racine wrote:
> > > > > Setting up systemd-cron (1.5.17-1) ...
> > > > > xargs: warning: options --max-args and --replace/-I/-i are
> > > > > mutually exclusive, ignoring previous --max-args value
> > > > > Thanks.
> > > >
> > > > This was copy-pasted from src:cron, which must have the same bug now.
> > >
> > > src:cron removed the offending code as part of a security fix in
> > > 2018:
> > >
> > > https://salsa.debian.org/debian/cron/-/commit/a10ab4e346e941aaa92f4b671a96895392b917af
> > >
> > > This would suggest CVE-2017-9525 also affects src:systemd-cron.
> >
> > Looks right and confirmed in a quick test. If the attacker has gained
> > crontab group then further escalation is possible.
> >
> > Though technically those two bugs will be resolved at the same step I
> > thought it good to separate the escalation issue and the error in
> > postinst (but as said, they will be fixed basically together).
> >
> > Once fixed in unstable, can you please fix the issue as well via
> > upcoming point releases for bullseye and buster? Similarly as for the
> > src:cron case a DSA is not warranted.
>
> Alexandre,
>
> Do you have time to fix this now? If not, would it be okay for the
> security team to make an NMU for all affected releases?
>
> Martin-Éric
>
Bug#992748: systemd-cron: postinst error - CVE-2017-9525?
On Sun, 5 Sep 2021 at 18:41, Salvatore Bonaccorso (car...@debian.org) wrote:
>
> Control: clone 992748 -1
> Control: retitle -1 systemd-cron: CVE-2017-9525: group crontab to root
> escalation via postinst
> Control: severity -1 important
> Control: found -1 1.5.16-1
> Control: found -1 1.5.14-2
> Control: tags 992748 - security
>
> Hi Chris,
>
> On Sun, Sep 05, 2021 at 02:49:40PM +0200, Chris Hofstaedtler wrote:
> > Control: tags -1 + security
> >
> > * Alexandre Detiste [210905 12:47]:
> > > On Mon, 23 Aug 2021 at 04:57, Martin-Éric Racine wrote:
> > > > Setting up systemd-cron (1.5.17-1) ...
> > > > xargs: warning: options --max-args and --replace/-I/-i are mutually
> > > > exclusive, ignoring previous --max-args value
> > > > Thanks.
> > >
> > > This was copy-pasted from src:cron, which must have the same bug now.
> >
> > src:cron removed the offending code as part of a security fix in
> > 2018:
> >
> > https://salsa.debian.org/debian/cron/-/commit/a10ab4e346e941aaa92f4b671a96895392b917af
> >
> > This would suggest CVE-2017-9525 also affects src:systemd-cron.
>
> Looks right and confirmed in a quick test. If the attacker has gained
> crontab group then further escalation is possible.
>
> Though technically those two bugs will be resolved at the same step I
> thought it good to separate the escalation issue and the error in
> postinst (but as said, they will be fixed basically together).
>
> Once fixed in unstable, can you please fix the issue as well via
> upcoming point releases for bullseye and buster? Similarly as for the
> src:cron case a DSA is not warranted.

Alexandre,

Do you have time to fix this now? If not, would it be okay for the
security team to make an NMU for all affected releases?

Martin-Éric
Bug#992748: systemd-cron: postinst error - CVE-2017-9525?
Control: clone 992748 -1
Control: retitle -1 systemd-cron: CVE-2017-9525: group crontab to root escalation via postinst
Control: severity -1 important
Control: found -1 1.5.16-1
Control: found -1 1.5.14-2
Control: tags 992748 - security

Hi Chris,

On Sun, Sep 05, 2021 at 02:49:40PM +0200, Chris Hofstaedtler wrote:
> Control: tags -1 + security
>
> * Alexandre Detiste [210905 12:47]:
> > On Mon, 23 Aug 2021 at 04:57, Martin-Éric Racine wrote:
> > > Setting up systemd-cron (1.5.17-1) ...
> > > xargs: warning: options --max-args and --replace/-I/-i are mutually
> > > exclusive, ignoring previous --max-args value
> > > Thanks.
> >
> > This was copy-pasted from src:cron, which must have the same bug now.
>
> src:cron removed the offending code as part of a security fix in
> 2018:
>
> https://salsa.debian.org/debian/cron/-/commit/a10ab4e346e941aaa92f4b671a96895392b917af
>
> This would suggest CVE-2017-9525 also affects src:systemd-cron.

Looks right and confirmed in a quick test. If the attacker has gained
crontab group then further escalation is possible.

Though technically those two bugs will be resolved at the same step I
thought it good to separate the escalation issue and the error in
postinst (but as said, they will be fixed basically together).

Once fixed in unstable, can you please fix the issue as well via
upcoming point releases for bullseye and buster? Similarly as for the
src:cron case a DSA is not warranted.

Regards,
Salvatore
Bug#992748: systemd-cron: postinst error - CVE-2017-9525?
Control: tags -1 + security

* Alexandre Detiste [210905 12:47]:
> On Mon, 23 Aug 2021 at 04:57, Martin-Éric Racine wrote:
> > Setting up systemd-cron (1.5.17-1) ...
> > xargs: warning: options --max-args and --replace/-I/-i are mutually
> > exclusive, ignoring previous --max-args value
> > Thanks.
>
> This was copy-pasted from src:cron, which must have the same bug now.

src:cron removed the offending code as part of a security fix in
2018:

https://salsa.debian.org/debian/cron/-/commit/a10ab4e346e941aaa92f4b671a96895392b917af

This would suggest CVE-2017-9525 also affects src:systemd-cron.

Chris
Bug#992748: systemd-cron: postinst error
Thanks.

This was copy-pasted from src:cron, which must have the same bug now.

On Mon, 23 Aug 2021 at 04:57, Martin-Éric Racine wrote:
> Setting up systemd-cron (1.5.17-1) ...
> xargs: warning: options --max-args and --replace/-I/-i are mutually
> exclusive, ignoring previous --max-args value
>
Bug#992748: systemd-cron: postinst error
Package: systemd-cron
Version: 1.5.17-1
Severity: normal

Setting up systemd-cron (1.5.17-1) ...
xargs: warning: options --max-args and --replace/-I/-i are mutually
exclusive, ignoring previous --max-args value

-- Package-specific info:
-- output of systemd-delta

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (900, 'unstable')
Architecture: i386 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/8 CPU threads)
Locale: LANG=fi_FI.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8), LANGUAGE=fi:en
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages systemd-cron depends on:
ii  libc6         2.31-16
ii  python3       3.9.2-3
ii  systemd-sysv  247.9-1

Versions of packages systemd-cron recommends:
ii  nullmailer [mail-transport-agent]  1:2.2-3

systemd-cron suggests no packages.

-- no debconf information