Processed: Re: Bug#1056970: bullseye-pu: package swupdate/2020.11-2+deb11u1

2023-12-19 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #1056970 [release.debian.org] bullseye-pu: package swupdate/2020.11-2+deb11u1
Added tag(s) confirmed.

-- 
1056970: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056970
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1056970: bullseye-pu: package swupdate/2020.11-2+deb11u1

2023-12-19 Thread Jonathan Wiltshire
Control: tag -1 confirmed

On Mon, Nov 27, 2023 at 12:12:27PM +0100, Bastian Germann wrote:
> There is a local privilege escalation in swupdate package because the
> service's control socket has world-writable file permissions.

Please go ahead.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Bug#1056970: bullseye-pu: package swupdate/2020.11-2+deb11u1

2023-11-27 Thread Bastian Germann

Package: release.debian.org
Control: affects -1 + src:swupdate
X-Debbugs-Cc: swupd...@packages.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: bullseye
Severity: normal

[ Reason ]
There is a local privilege escalation in swupdate package because the
service's control socket has world-writable file permissions.

[ Impact ]
The rights of the swupdate daemon, which is usually used to run full
system updates, can be acquired by any user on the system.

[ Tests ]
Run the service and check that the control socket is created with the
reduced permission set. Also check that the service user "swupdate" is created.

[ Risks ]
None.

[ Checklist ]
   [x] *all* changes are documented in the d/changelog
   [x] I reviewed all changes and I approve them
   [x] attach debdiff against the package in oldstable
   [x] the issue is verified as fixed in unstable
diff -Nru swupdate-2020.11/debian/changelog swupdate-2020.11/debian/changelog
--- swupdate-2020.11/debian/changelog   2021-01-19 08:56:14.0 +0100
+++ swupdate-2020.11/debian/changelog   2023-11-27 11:10:38.0 +0100
@@ -1,3 +1,10 @@
+swupdate (2020.11-2+deb11u1) bullseye; urgency=medium
+
+  * Add swupdate system user
+  * Create the sockets for group use with SocketMode 0660
+
+ -- Bastian Germann   Mon, 27 Nov 2023 11:10:38 +0100
+
 swupdate (2020.11-2) unstable; urgency=medium
 
   [ Bastian Germann ]
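Review bot: the new changelog entry at the top of the hunk records the mechanics ("Add swupdate system user", "Create the sockets for group use with SocketMode 0660") but not the reason, so anyone reading the oldstable update history will not see that this closes a local privilege escalation through a world-writable control socket. Suggest a line such as `  * Restrict the control sockets to the swupdate group; previously any local user could reach the daemon` together with a reference to the bug tracking the issue, which is not given on this page.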
diff -Nru swupdate-2020.11/debian/control swupdate-2020.11/debian/control
--- swupdate-2020.11/debian/control 2021-01-19 08:55:59.0 +0100
+++ swupdate-2020.11/debian/control 2023-11-27 11:10:38.0 +0100
@@ -6,6 +6,7 @@
Nobuhiro Iwamatsu 
 Build-Depends: debhelper-compat (= 13),
dh-lua ,
+   dh-sysuser,
liblua5.2-dev ,
libfdisk-dev,
latexmk ,
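Review bot: only the Build-Depends side of dh-sysuser is visible here; the binary package stanza lies outside the hunk, so please confirm it carries `${misc:Depends}` (or whatever runtime dependency dh_sysuser emits) so the user is actually created at install time on bullseye. With `SocketGroup=swupdate` in the socket unit, socket activation now depends on that user and group existing.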
diff -Nru swupdate-2020.11/debian/rules swupdate-2020.11/debian/rules
--- swupdate-2020.11/debian/rules   2020-12-28 09:58:21.0 +0100
+++ swupdate-2020.11/debian/rules   2023-11-27 11:10:38.0 +0100
@@ -13,7 +13,7 @@
 export LUA_VERSION=5.2
 export LUA_MODNAME=lua_swupdate
 export PKG_NAME=swupdate
-export DH_WITH=--with lua
+export DH_WITH=,lua
 export HAVE_LUA=y
 endif
 
@@ -87,4 +87,4 @@
dh_missing --fail-missing
 
 %:
-   dh $@ $(DH_WITH)
+   dh $@ --with sysuser$(DH_WITH)
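Review bot: the `--with sysuser$(DH_WITH)` expansion relies on DH_WITH now starting with a comma (`,lua`) instead of being a complete `--with lua` option, which is easy to break on the next edit. Consider renaming the variable, e.g. `DH_WITH_EXTRA=,lua`, or adding a comment above the `export` in the earlier hunk saying that it is appended to `--with sysuser`. When the lua branch is not taken the variable is empty and `dh $@ --with sysuser` results, which is fine.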
diff -Nru swupdate-2020.11/debian/swupdate.socket swupdate-2020.11/debian/swupdate.socket
--- swupdate-2020.11/debian/swupdate.socket 2020-12-28 09:58:21.0 +0100
+++ swupdate-2020.11/debian/swupdate.socket 2023-11-27 11:10:38.0 +0100
@@ -6,6 +6,8 @@
 [Socket]
 ListenStream=/tmp/sockinstctrl
 ListenStream=/tmp/swupdateprog
+SocketMode=0660
+SocketGroup=swupdate
 
 [Install]
 WantedBy=sockets.target
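Review bot: `SocketMode=0660` with `SocketGroup=swupdate` restricts connect() on both ListenStream sockets to root and members of the swupdate group, which is the intended fix; two points are worth making explicit. First, `SocketGroup=swupdate` requires the group to exist before the socket unit starts, so the `swupdate defaults` sysuser entry must create a group of that name as well as the user (the [Tests] section only mentions checking the user). Second, the sockets stay under /tmp; the mode now protects the endpoint itself, but a README.Debian note telling administrators that client accounts must be added to the swupdate group would help, since the previous world-writable behaviour is what existing setups may rely on.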
diff -Nru swupdate-2020.11/debian/swupdate.sysuser swupdate-2020.11/debian/swupdate.sysuser
--- swupdate-2020.11/debian/swupdate.sysuser 1970-01-01 01:00:00.0 +0100
+++ swupdate-2020.11/debian/swupdate.sysuser 2023-11-27 11:10:38.0 +0100
@@ -0,0 +1 @@
+swupdate defaults
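A check for the [Tests] section of the request: an added example written for this page, not code from the swupdate package or the debdiff. It verifies that a control socket is a unix socket with mode 0660 and group swupdate (the settings the updated socket unit sets), flags the pre-fix world-writable state, and checks that the swupdate system user exists; demo() is a constructed fixture that binds a throwaway socket in a temporary directory, so its path is not the real one.

```python
import grp
import os
import pwd
import socket
import stat
import tempfile

EXPECTED_MODE = 0o660        # SocketMode= from the updated debian/swupdate.socket
EXPECTED_GROUP = "swupdate"  # SocketGroup= from the same unit

def group_name(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)

def check_socket(path, expected_mode=EXPECTED_MODE, expected_group=EXPECTED_GROUP):
    # Returns a list of findings; an empty list means the socket matches the policy.
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: missing (is swupdate.socket active?)"]
    findings = []
    if not stat.S_ISSOCK(st.st_mode):
        findings.append(f"{path}: not a unix socket")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o002:  # the pre-fix state: any local user may connect
        findings.append(f"{path}: world-writable (mode {mode:04o})")
    if mode != expected_mode:
        findings.append(f"{path}: mode {mode:04o}, expected {expected_mode:04o}")
    if expected_group is not None and group_name(st.st_gid) != expected_group:
        findings.append(f"{path}: group {group_name(st.st_gid)}, expected {expected_group}")
    return findings

def service_user_exists(name="swupdate"):
    # The second [Tests] step: the system user dh_sysuser is meant to create.
    return any(p.pw_name == name for p in pwd.getpwall())

def demo(mode, expected_group=None):
    # Constructed fixture: bind a throwaway socket with the given mode and check it.
    # The fixture cannot chgrp to "swupdate", so the group check is off by default.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sockinstctrl")
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(path)
        os.chmod(path, mode)  # what SocketMode= does for the real unit
        try:
            return check_socket(path, expected_group=expected_group)
        finally:
            s.close()
```

On a bullseye system with the updated package installed and swupdate.socket active, run check_socket() against /tmp/sockinstctrl and /tmp/swupdateprog and service_user_exists() to reproduce the two test steps.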