Processed: Re: opensysusers: does not create groups implicitly with "m" action
Processing control commands:
> tags -1 patch
Bug #986015 [opensysusers] opensysusers: does not create groups implicitly with "m" action
Added tag(s) patch.
--
986015: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986015
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: Re: opensysusers: uses `eval` on data that is not supposed to be safe to eval
Processing control commands:
> tags -1 patch
Bug #992058 [opensysusers] opensysusers: uses `eval` on data that is not supposed to be safe to eval (CVE-2021-40084)
Added tag(s) patch.
--
992058: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992058
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#993275: ng: stores wrong paths to cp and ls if built on merged-/usr system
On 2021-08-29, Simon McVittie wrote:
> If gnunet is built on a merged-/usr system (as created by new
> installations of Debian >= 10, debootstrap --merged-usr, or installing
> the usrmerge package into an existing installation), the paths to cp and
> ls are recorded in the binary package as being in /usr/bin, rather than the
> canonical /bin.

gnunet -> ng ? ... Or should this be reassigned to gnunet?

> From 483dd087b93e02d30a7bf1f022c35d3f88f74d07 Mon Sep 17 00:00:00 2001
> From: Simon McVittie
> Date: Sun, 29 Aug 2021 22:15:25 +0100
> Subject: [PATCH] d/rules: Specify canonical paths of cp, ls, mv, rmdir
>
> When ng is built on a system where both /usr/bin/cp and /bin/cp
> exist (either merged-/usr or via a symlink farm), this results in storing
> /usr/bin/cp in the installed programs, which will not work as intended
> on systems where only the traditional path /bin/cp exists.
>
> ls is in a similar situation. mv and rmdir are checked by ./configure
> but not hard-coded anywhere; give them the same treatment for symmetry.

Thanks for the patch!

Since ng is maintained by QA, you could upload the fix yourself, or I
may get to it in the coming weeks...

live well,
  vagrant
Bug#993275: ng: stores wrong paths to cp and ls if built on merged-/usr system
On Fri, 17 Sep 2021 at 10:46:31 -0700, Vagrant Cascadian wrote:
> On 2021-08-29, Simon McVittie wrote:
> > If gnunet is built on a merged-/usr system
>
> gnunet -> ng ? ... Or should this be reassigned to gnunet?

Sorry, that was copypasta from a previously-reported bug. ng and gnunet both have bugs of this class. This one, #993275, is about ng's use of cp and ls. The similar bug about gnunet's use of ifconfig is #993249.

> Since ng is maintained by QA, you could upload the fix yourself, or I
> may get to it in the coming weeks...

I don't know what ng is or how to test it, only how to build it and throw it at diffoscope, so I'm unlikely to do a QA upload.

Looking at its package tracker page, it seems to be an Emacs-style editor with CJK input support, and hasn't had an upstream release since 2003. I have to question whether this is something we really want in the distribution, if nobody either inside or outside Debian wants to maintain it...

    smcv
Processing of plib_1.8.5-9_source.changes
plib_1.8.5-9_source.changes uploaded successfully to localhost along with the files: plib_1.8.5-9.dsc plib_1.8.5.orig.tar.gz plib_1.8.5-9.debian.tar.xz plib_1.8.5-9_amd64.buildinfo Greetings, Your Debian queue daemon (running on host usper.debian.org)
plib_1.8.5-9_source.changes ACCEPTED into unstable
Accepted:
Format: 1.8
Date: Fri, 17 Sep 2021 16:28:49 -0400
Source: plib
Architecture: source
Version: 1.8.5-9
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group
Changed-By: Boyuan Yang
Changes:
 plib (1.8.5-9) unstable; urgency=medium
 .
   * QA upload.
   * debian/control:
     + Replace obsolete Priority: extra with Priority: optional.
     + Add Vcs-* fields to use git packaging repo on Debian Salsa GitLab.
Thank you for your contribution to Debian.
Bug#986015: opensysusers: does not create groups implicitly with "m" action
Control: tags -1 patch

Hi,

On Sat, 27 Mar 2021 15:03:02 -0700 Vagrant Cascadian wrote:
> Package: opensysusers
> Version: 0.6-2
> Severity: normal
> X-Debbugs-Cc: vagr...@debian.org
>
> With /etc/sysusers.d/test.conf:
> #Type Name ID GECOS Home directory Shell
> u _testuser0 - "test user 0" /var/empty /usr/sbin/nologin
> m _testuser0 _testgroup
>
> $ sudo opensysusers-sysusers
> groupadd: invalid group ID '4:65534'
> groupadd: invalid group ID '65534:65534'
> usermod: group '_testgroup' does not exist

I think I found the problem, see the patch at the bottom

> According to the opensysusers.d man page:
>
>    m
>        Add a user to a group. If the user or group do not exist yet, they will be implicitly created.
>
> The systemd implementation does implicitly create groups that do not
> exist yet, but the opensysusers version does not appear to do so.
>
> live well,
>   vagrant

Lorenzo

--- ./sysusers 2020-12-22 12:41:37.754884910 +0100 +++ ./sysusers.new 2021-09-17 19:14:06.090291921 +0200 @@ -80,7 +80,7 @@ fi ;; m) - add_group "${name}" '-' + add_group "${id}" '-' if id "${name}" >/dev/null 2>&1; then usermod -a -G "${id}" "${name}" else
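Review bot: in the `m)` branch, `add_group "${id}" '-'` is correct only because the third column of an `m` line carries the group name rather than a numeric ID, and nothing in the hunk says so; add a one-line comment there, or copy the value into a variable named for what it holds, since `usermod -a -G "${id}" "${name}"` below already treats it as a group. The removed `add_group "${name}" '-'` used to create a group named after the user, so check that the `else` path, which is cut off in this context, does not rely on that group existing. The two `groupadd: invalid group ID` errors quoted in the report are not touched by this change and need a separate look.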
Bug#992058: opensysusers: uses `eval` on data that is not supposed to be safe to eval
Control: tags -1 patch

Hi,

On Tue, 10 Aug 2021 11:07:24 +0200 Ansgar wrote:
> Package: opensysusers
> Version: 0.6-2
> Severity: serious
> Tags: security upstream
> X-Debbugs-Cc: Debian Security Team
>
> opensysusers uses the shell's `eval` on everything in sysusers.d like
> there is no tomorrow. These files can contain shell meta-characters
> that should not result in code execution, e.g., in the GECOS field.
>
> +---
> | # mkdir /etc/sysusers.d
> | # echo 'u test-user - "Do not $(rm /etc/bash.bashrc)" /var/lib/test-users /bin/sh' > /etc/sysusers.d/test.conf
> | # ls -l /etc/bash.bashrc
> | -rw-r--r-- 1 root root 1994 Jun 22 02:26 /etc/bash.bashrc
> | # systemd-sysusers # this is opensysusers
> | # ls -l /etc/bash*
> | ls: cannot access '/etc/bash*': No such file or directory
> +---[ opensysusers 0.6-2 ]
>
> systemd's systemd-sysuser behaves differently:
>
> +---
> | # mkdir /etc/sysusers.d
> | # echo 'u test-user - "Do not $(rm /etc/bash.bashrc)" /var/lib/test-users /bin/sh' > /etc/sysusers.d/test.conf
> | # ls -l /etc/bash.bashrc
> | -rw-r--r-- 1 root root 1994 Jun 22 02:26 /etc/bash.bashrc
> | # systemd-sysusers
> | Creating group systemd-coredump with gid 999.
> | Creating user systemd-coredump (systemd Core Dumper) with uid 999 and gid 999.
> | Creating group test-user with gid 998.
> | Creating user test-user (Do not $(rm /etc/bash.bashrc)) with uid 998 and gid 998.
> | # ls -l /etc/bash.bashrc
> | -rw-r--r-- 1 root root 1994 Jun 22 02:26 /etc/bash.bashrc
> | # getent passwd test-user
> | test-user:x:998:998:Do not $(rm /etc/bash.bashrc):/var/lib/test-users:/bin/sh
> +---[ systemd 247.3-6 ]
>
> As opensysusers is supposed to be a drop-in requirement for
> systemd-sysusers it *must* behave as systemd does and not execute
> data.
>
> Ansgar

Attached is a patch that sets the GECOS field without using eval: under the assumption that the double quote character is not valid for Type,Name,ID field it should work. Did not have the time to test it yet.
If someone has a better idea I do welcome suggestion. Lorenzo --- ./sysusers 2020-12-22 12:41:37.754884910 +0100 +++ ./sysusers.new 2021-09-17 19:38:32.927974348 +0200 @@ -66,10 +66,30 @@ parse_string() { [ -n "${1%%#*}" ] || return + full_line=$1 - eval "set -- $1" + #eval "set -- $1" # do not eval, see #992058 and CVE-2021-40084 + set -- $1 type="$1" name="$2" id="$3" gecos="$4" home="$5" + # and now set the GECOS field without eval + if [ "${type}" = u ]; then + if [ ! -z "$4" ] && [ "$4" != '-' ]; then + # strip everything before the first " + gecosplus=${full_line#*\"} + # now strip everything after the last " + gecos=${gecosplus%\"*} + # check if there are other valid fields after GECOS + gecostest=$(echo $gecosplus | grep -o '".*' -) + if [ "$gecostest" = '"' ]; then + home= + else + set -- $gecostest + home=$2 + fi + fi + fi + case "${type}" in [gu]) case "${id}" in 65535|4294967295) warninvalid; return; esac
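Review bot: in `parse_string`, the replacement `set -- $1` is unquoted, so every word still goes through pathname expansion and a field such as `*` is replaced by file names from the current directory; wrap it in `set -f` / `set +f`. The GECOS re-extraction also assumes the field is double-quoted: for a `u` line with a bare one-word GECOS, `${full_line#*\"}` matches nothing, `gecos` ends up holding the whole line, and `set -- $gecostest` with an empty `gecostest` clears the positional parameters, leaving `home` empty. Take this path only when `$4` begins with `"`, and leave the earlier `gecos="$4"` and `home="$5"` in place otherwise. `echo $gecosplus` should be `printf '%s\n' "$gecosplus"` so the value is not globbed or interpreted by `echo`, and `[ ! -z "$4" ]` reads better as `[ -n "$4" ]`.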
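An eval-free way to split a sysusers.d line, set beside the `eval "set -- $1"` pattern the report describes. This is an added example, not opensysusers code and not the patch above; the function names, the `MARKER` variable and the sample line are constructed, and the tokenizer assumes fields are separated by blanks or wrapped in double quotes.

```shell
#!/bin/sh
# Added example, not opensysusers code; function names are hypothetical.

# Pattern from the report: eval re-parses the line as shell source, so a
# $(...) inside the GECOS field runs as a command.
parse_eval() {
    eval "set -- $1"
    printf '%s\n' "$4"
}

# Eval-free tokenizer: prints one field per line. Only parameter expansion
# is used, so neither command substitution nor globbing can occur.
# Assumption: fields are blank-separated or wrapped in double quotes.
parse_safe() {
    rest=$1
    while :; do
        rest=${rest#"${rest%%[![:blank:]]*}"}   # drop leading blanks
        [ -n "$rest" ] || break
        case $rest in
            \"*\"*)                             # quoted: up to the closing quote
                rest=${rest#\"}
                tok=${rest%%\"*}
                rest=${rest#*\"} ;;
            *)                                  # bare: up to the next blank
                tok=${rest%%[[:blank:]]*}
                rest=${rest#"$tok"} ;;
        esac
        printf '%s\n' "$tok"
    done
}

# Constructed sample modelled on the report; the payload only creates a
# marker file inside a private temporary directory.
demo() {
    tmp=$(mktemp -d) || return 1
    MARKER=$tmp/executed
    line='u test-user - "Do not $(touch $MARKER)" /var/lib/test-users /bin/sh'
    parse_safe "$line" >/dev/null
    [ -e "$MARKER" ] && safe=executed || safe=inert
    parse_eval "$line" >/dev/null
    [ -e "$MARKER" ] && evald=executed || evald=inert
    rm -rf "$tmp"
    echo "parse_safe=$safe parse_eval=$evald"
}
demo
```
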
Processing of html2ps_1.0b7-5_source.changes
html2ps_1.0b7-5_source.changes uploaded successfully to localhost along with the files: html2ps_1.0b7-5.dsc html2ps_1.0b7.orig.tar.gz html2ps_1.0b7-5.debian.tar.xz html2ps_1.0b7-5_amd64.buildinfo Greetings, Your Debian queue daemon (running on host usper.debian.org)
html2ps_1.0b7-5_source.changes ACCEPTED into unstable
Accepted:
Format: 1.8
Date: Fri, 17 Sep 2021 22:57:23 -0400
Source: html2ps
Architecture: source
Version: 1.0b7-5
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group
Changed-By: Boyuan Yang
Changes:
 html2ps (1.0b7-5) unstable; urgency=medium
 .
   * QA upload.
   * debian/control:
     + Add Vcs-* fields to use git packaging repo on Debian Salsa GitLab.
     + Bump Standards-Version to 4.6.0.
     + Migrate from cdbs to dh buildsystem.
   * debian/*.menu: Dropped per tech-ctte's decision.
   * debian/rules: migrate to dh sequencer.
   * debian/changelog: Remove trailing spaces.
   * debian/copyright: Use machine-readable copyright format.
Thank you for your contribution to Debian.
Processing of apt-rdepends_1.3.0-9_source.changes
apt-rdepends_1.3.0-9_source.changes uploaded successfully to localhost along with the files: apt-rdepends_1.3.0-9.dsc apt-rdepends_1.3.0.orig.tar.gz apt-rdepends_1.3.0-9.debian.tar.xz apt-rdepends_1.3.0-9_amd64.buildinfo Greetings, Your Debian queue daemon (running on host usper.debian.org)
apt-rdepends_1.3.0-9_source.changes ACCEPTED into unstable
Accepted:
Format: 1.8
Date: Fri, 17 Sep 2021 23:10:19 -0400
Source: apt-rdepends
Architecture: source
Version: 1.3.0-9
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group
Changed-By: Boyuan Yang
Changes:
 apt-rdepends (1.3.0-9) unstable; urgency=medium
 .
   * QA upload.
   * Source-only upload to allow testing migration.
   * Bump Standards-Version to 4.6.0.
   * Bump debhelper compat level to v13.
   * debian/rules: Use dh13 syntax.
Thank you for your contribution to Debian.