Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

I'm hereby asking for pre-approval of grml-debootstrap/0.68.1:

  unblock grml-debootstrap/0.68.1

This version of grml-debootstrap includes fixes for 4 serious
issues which we'd like to see resolved for Debian/jessie:

  #779913: Stops SSH server outside (rather than inside) chroot after failures
           => the ssh and mdadm services of the *system* where
              grml-debootstrap is executed might get stopped,
              clearly unwanted behaviour

  #779925: Lacks escaping of user input
           => security problem

  #780204: warning messages aren't displayed due to missing ewarn definition
           => while it is a trivial fix it's hiding problems from the user

  #776502: CVE-2015-1378: Issues with sourcing cmdlineopts.clp from current
           working directory
           => security problem with CVE entry 2015-1378

debdiff of grml-debootstrap/0.68 as currently in Debian/jessie
against what I'd like to upload towards Debian/unstable is at the
end of my mail.

Please let me know if I can upload this to Debian/unstable to get it
towards jessie.

Thanks for consideration!

regards,
-mika-

diff -Nru grml-debootstrap-0.68/debian/changelog
grml-debootstrap-0.68.1/debian/changelog
--- grml-debootstrap-0.68/debian/changelog 2015-03-10 16:05:52.000000000
+0100
+++ grml-debootstrap-0.68.1/debian/changelog 2015-03-10 16:27:45.000000000
+0100
@@ -1,3 +1,19 @@
+grml-debootstrap (0.68.1) unstable; urgency=medium
+
+ [ Michael Prokop ]
+ * [52e9bbf] Do not stop hosts' SSH + mdadm services in cleanup
+ procedure. Thanks to Sebastian Pipping for debugging and bug report
+ (Closes: #779913)
+ * [1690a3c] Define ewarn function to properly display warning messages
+ (Closes: #780204)
+
+ [ Sebastian Pipping ]
+ * [75c3aab] Source cmdlineopts.clp from same folder as grml-debootstrap
+ file (Closes: #776502) [CVE-2015-1378]
+ * [0d9be2b] Add missing escaping of user input (Closes: #779925)
+
+ -- Michael Prokop <[email protected]> Tue, 10 Mar 2015 15:48:08 +0100
+
grml-debootstrap (0.68) unstable; urgency=medium
* [8a4a3c8] Adjust filesystem check for new blkid behaviour
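Review bot: the [0d9be2b] entry "Add missing escaping of user input (Closes: #779925)" gives no hint that it is a security fix, although the request above lists #779925 as a security problem. The [75c3aab] entry carries its CVE tag; marking [0d9be2b] as security-relevant in the same way would let anyone reading only the changelog see that two of the four fixes are security fixes.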
diff -Nru grml-debootstrap-0.68/grml-debootstrap
grml-debootstrap-0.68.1/grml-debootstrap
--- grml-debootstrap-0.68/grml-debootstrap 2015-03-10 16:11:53.000000000
+0100
+++ grml-debootstrap-0.68.1/grml-debootstrap 2015-03-10 16:27:14.000000000
+0100
@@ -138,6 +138,7 @@
# early helper functions {{{
GOOD='[32;01m'
BAD='[31;01m'
+WARN='[33;01m'
NORMAL='[0m'
einfo() {
@@ -152,6 +153,11 @@
return 0
}
+ewarn() {
+ printf " ${WARN}*${NORMAL} $*\n"
+ return 0
+}
+
eerror() {
[ "${RC_ENDCOL}" != "yes" ] && [ "${LAST_E_CMD}" = "ebegin" ] && echo
printf " ${BAD}*${NORMAL} $*\n" >&2
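Review bot: in the new ewarn(), "$*" is expanded inside the printf format string, so a warning text that contains % or a backslash sequence is interpreted by printf instead of being printed. Passing the text as an argument, printf " ${WARN}*${NORMAL} %s\n" "$*", avoids that. Note also that eerror() directly below redirects to stderr with >&2 while ewarn() writes to stdout; if warnings are meant as diagnostics they should go to stderr as well.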
@@ -205,8 +211,11 @@
if [ -n "$MNTPOINT" ] ; then
if grep -q "$MNTPOINT" /proc/mounts ; then
# make sure nothing is left inside chroot so we can unmount it
- [ -x "$MNTPOINT"/etc/init.d/ssh ] && "$MNTPOINT"/etc/init.d/ssh stop
- [ -x "$MNTPOINT"/etc/init.d/mdadm ] && "$MNTPOINT"/etc/init.d/mdadm stop
+ for service in ssh mdadm ; do
+ if [ -x "${MNTPOINT}/etc/init.d/${service}" ] ; then
+ chroot "$MNTPOINT" "/etc/init.d/${service}" stop
+ fi
+ done
[ -x "$MNTPOINT"/bin/umount ] && chroot "$MNTPOINT" umount -a >/dev/null
2>&1
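Review bot: in the new for loop, a failing chroot "$MNTPOINT" "/etc/init.d/${service}" stop is not reported, and the umount -a that follows sends its output to /dev/null, so a service still running inside the chroot leaves the mount busy without any message. Since ewarn is now defined, something like chroot "$MNTPOINT" "/etc/init.d/${service}" stop || ewarn "could not stop ${service} inside chroot" would surface it. A smaller point: the -x test is evaluated on the host path "${MNTPOINT}/etc/init.d/${service}", so an init script that is an absolute symlink is resolved against the host rather than the target.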
@@ -286,8 +295,9 @@
# cmdline handling {{{
# source external command line parameter-processing script
-if [ -r ./cmdlineopts.clp ] ; then
- . ./cmdlineopts.clp
+self_dir="$(dirname "$(which "$0")")"
+if [ -r "${self_dir}"/cmdlineopts.clp ] ; then
+ . "${self_dir}"/cmdlineopts.clp
elif [ -r /usr/share/grml-debootstrap/functions/cmdlineopts.clp ] ; then
. /usr/share/grml-debootstrap/functions/cmdlineopts.clp
else
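Review bot: self_dir="$(dirname "$(which "$0")")" falls back to the current directory when which finds nothing. If $0 has no slash and the script is not on PATH (for example when it is run as an argument to the shell), which prints nothing, dirname of an empty string is ".", and the test becomes [ -r ./cmdlineopts.clp ] again, which is the behaviour this hunk is meant to remove. Check that the which result is non-empty before using it, and otherwise go straight to the /usr/share/grml-debootstrap/functions/cmdlineopts.clp branch. A comment stating that symlinks in $0 are not resolved would also help.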
@@ -1161,47 +1171,49 @@
CHROOT_VARIABLES="/var/cache/grml-debootstrap/variables_${SHORT_TARGET}"
touch "$CHROOT_VARIABLES"
chmod 600 "$CHROOT_VARIABLES" # make sure nobody except root can read it
- echo "# Configuration of ${PN}" >
"$CHROOT_VARIABLES"
- [ -n "$ARCH" ] && echo "ARCH=\"$ARCH\""
>> "$CHROOT_VARIABLES"
- [ -n "$BACKPORTREPOS" ] && echo "BACKPORTREPOS=\"$BACKPORTREPOS\""
>> "$CHROOT_VARIABLES"
- [ -n "$CHROOT_SCRIPTS" ] && echo "CHROOT_SCRIPTS=\"$CHROOT_SCRIPTS\""
>> "$CHROOT_VARIABLES"
- [ -n "$CONFFILES" ] && echo "CONFFILES=\"$CONFFILES\""
>> "$CHROOT_VARIABLES"
- [ -n "$DEBCONF" ] && echo "DEBCONF=\"$DEBCONF\""
>> "$CHROOT_VARIABLES"
- [ -n "$DEBIAN_FRONTEND" ] && echo "DEBIAN_FRONTEND=\"$DEBIAN_FRONTEND\""
>> "$CHROOT_VARIABLES"
- [ -n "$DEBOOTSTRAP" ] && echo "DEBOOTSTRAP=\"$DEBOOTSTRAP\""
>> "$CHROOT_VARIABLES"
- [ -n "$DEFAULT_LOCALES" ] && echo "DEFAULT_LOCALES=\"$DEFAULT_LOCALES\""
>> "$CHROOT_VARIABLES"
- [ -n "$DEFAULT_LANGUAGE" ] && echo
"DEFAULT_LANGUAGE=\"$DEFAULT_LANGUAGE\"" >> "$CHROOT_VARIABLES"
- [ -n "$EXTRAPACKAGES" ] && echo "EXTRAPACKAGES=\"$EXTRAPACKAGES\""
>> "$CHROOT_VARIABLES"
- [ -n "$FALLBACK_MIRROR" ] && echo "FALLBACK_MIRROR=\"$FALLBACK_MIRROR\""
>> "$CHROOT_VARIABLES"
- [ -n "$FORCE" ] && echo "FORCE=\"$FORCE\""
>> "$CHROOT_VARIABLES"
- [ -n "$GRMLREPOS" ] && echo "GRMLREPOS=\"$GRMLREPOS\""
>> "$CHROOT_VARIABLES"
- [ -n "$GRUB" ] && echo "GRUB=\"$GRUB\""
>> "$CHROOT_VARIABLES"
- [ -n "$HOSTNAME" ] && echo "HOSTNAME=\"$HOSTNAME\""
>> "$CHROOT_VARIABLES"
- [ -n "$INITRD" ] && echo "INITRD=\"$INITRD\""
>> "$CHROOT_VARIABLES"
- [ -n "$INSTALL_NOTES" ] && echo "INSTALL_NOTES=\"$INSTALL_NOTES\""
>> "$CHROOT_VARIABLES"
- [ -n "$ISODIR" ] && echo "ISODIR=\"$ISO\""
>> "$CHROOT_VARIABLES"
- [ -n "$ISO" ] && echo "ISO=\"$ISO\""
>> "$CHROOT_VARIABLES"
- [ -n "$KEEP_SRC_LIST" ] && echo "KEEP_SRC_LIST=\"$KEEP_SRC_LIST\""
>> "$CHROOT_VARIABLES"
- [ -n "$LOCALES" ] && echo "LOCALES=\"$LOCALES\""
>> "$CHROOT_VARIABLES"
- [ -n "$MIRROR" ] && echo "MIRROR=\"$MIRROR\""
>> "$CHROOT_VARIABLES"
- [ -n "$MKFS" ] && echo "MKFS=\"$MKFS\""
>> "$CHROOT_VARIABLES"
- [ -n "$NOPASSWORD" ] && echo "NOPASSWORD=\"true\""
>> "$CHROOT_VARIABLES"
- [ -n "$NOKERNEL" ] && echo "NOKERNEL=\"true\""
>> "$CHROOT_VARIABLES"
- [ -n "$PACKAGES" ] && echo "PACKAGES=\"$PACKAGES\""
>> "$CHROOT_VARIABLES"
- [ -n "$PRE_SCRIPTS" ] && echo "PRE_SCRIPTS=\"$PRE_SCRIPTS\""
>> "$CHROOT_VARIABLES"
- [ -n "$RECONFIGURE" ] && echo "RECONFIGURE=\"$RECONFIGURE\""
>> "$CHROOT_VARIABLES"
- [ -n "$RELEASE" ] && echo "RELEASE=\"$RELEASE\""
>> "$CHROOT_VARIABLES"
- [ -n "$RM_APTCACHE" ] && echo "RM_APTCACHE=\"$RM_APTCACHE\""
>> "$CHROOT_VARIABLES"
- [ -n "$ROOTPASSWORD" ] && echo "ROOTPASSWORD=\"$ROOTPASSWORD\""
>> "$CHROOT_VARIABLES"
- [ -n "$SCRIPTS" ] && echo "SCRIPTS=\"$SCRIPTS\""
>> "$CHROOT_VARIABLES"
- [ -n "$SECURE" ] && echo "SECURE=\"$SECURE\""
>> "$CHROOT_VARIABLES"
- [ -n "$SELECTED_PARTITIONS" ] && echo
"SELECTED_PARTITIONS=\"$SELECTED_PARTITIONS\"" >> "$CHROOT_VARIABLES"
- [ -n "$TARGET" ] && echo "TARGET=\"$TARGET\""
>> "$CHROOT_VARIABLES"
- [ -n "$UPGRADE_SYSTEM" ] && echo "UPGRADE_SYSTEM=\"$UPGRADE_SYSTEM\""
>> "$CHROOT_VARIABLES"
- [ -n "$TARGET_UUID" ] && echo "TARGET_UUID=\"$TARGET_UUID\""
>> "$CHROOT_VARIABLES"
- [ -n "$TIMEZONE" ] && echo "TIMEZONE=\"$TIMEZONE\""
>> "$CHROOT_VARIABLES"
- [ -n "$TUNE2FS" ] && echo "TUNE2FS=\"$TUNE2FS\""
>> "$CHROOT_VARIABLES"
- [ -n "$VMSIZE" ] && echo "VMSIZE=\"$VMSIZE\""
>> "$CHROOT_VARIABLES"
+ echo "# Configuration of ${PN}"
> "$CHROOT_VARIABLES"
+ # Resorting to sed(1) for escaping since "VAR='${VAR//\'/\'\\\'\'}'" does
not work with all versions of Bash,
+ # e.g. not with 4.2.37(1)-release (a.k.a 4.2+dfsg-0.1+deb7u3) of Debian
wheezy
+ [ -n "$ARCH" ] && echo "ARCH='$(sed "s,','\\\\'',g"
<<<"${ARCH}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$BACKPORTREPOS" ] && echo "BACKPORTREPOS='$(sed "s,','\\\\'',g"
<<<"${BACKPORTREPOS}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$CHROOT_SCRIPTS" ] && echo "CHROOT_SCRIPTS='$(sed "s,','\\\\'',g"
<<<"${CHROOT_SCRIPTS}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$CONFFILES" ] && echo "CONFFILES='$(sed "s,','\\\\'',g"
<<<"${CONFFILES}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$DEBCONF" ] && echo "DEBCONF='$(sed "s,','\\\\'',g"
<<<"${DEBCONF}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$DEBIAN_FRONTEND" ] && echo "DEBIAN_FRONTEND='$(sed
"s,','\\\\'',g" <<<"${DEBIAN_FRONTEND}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$DEBOOTSTRAP" ] && echo "DEBOOTSTRAP='$(sed "s,','\\\\'',g"
<<<"${DEBOOTSTRAP}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$DEFAULT_LOCALES" ] && echo "DEFAULT_LOCALES='$(sed
"s,','\\\\'',g" <<<"${DEFAULT_LOCALES}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$DEFAULT_LANGUAGE" ] && echo "DEFAULT_LANGUAGE='$(sed
"s,','\\\\'',g" <<<"${DEFAULT_LANGUAGE}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$EXTRAPACKAGES" ] && echo "EXTRAPACKAGES='$(sed "s,','\\\\'',g"
<<<"${EXTRAPACKAGES}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$FALLBACK_MIRROR" ] && echo "FALLBACK_MIRROR='$(sed
"s,','\\\\'',g" <<<"${FALLBACK_MIRROR}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$FORCE" ] && echo "FORCE='$(sed "s,','\\\\'',g"
<<<"${FORCE}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$GRMLREPOS" ] && echo "GRMLREPOS='$(sed "s,','\\\\'',g"
<<<"${GRMLREPOS}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$GRUB" ] && echo "GRUB='$(sed "s,','\\\\'',g"
<<<"${GRUB}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$HOSTNAME" ] && echo "HOSTNAME='$(sed "s,','\\\\'',g"
<<<"${HOSTNAME}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$INITRD" ] && echo "INITRD='$(sed "s,','\\\\'',g"
<<<"${INITRD}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$INSTALL_NOTES" ] && echo "INSTALL_NOTES='$(sed "s,','\\\\'',g"
<<<"${INSTALL_NOTES}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$ISODIR" ] && echo "ISODIR='$(sed "s,','\\\\'',g"
<<<"${ISO}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$ISO" ] && echo "ISO='$(sed "s,','\\\\'',g"
<<<"${ISO}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$KEEP_SRC_LIST" ] && echo "KEEP_SRC_LIST='$(sed "s,','\\\\'',g"
<<<"${KEEP_SRC_LIST}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$LOCALES" ] && echo "LOCALES='$(sed "s,','\\\\'',g"
<<<"${LOCALES}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$MIRROR" ] && echo "MIRROR='$(sed "s,','\\\\'',g"
<<<"${MIRROR}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$MKFS" ] && echo "MKFS='$(sed "s,','\\\\'',g"
<<<"${MKFS}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$NOPASSWORD" ] && echo "NOPASSWORD=\"true\""
>> "$CHROOT_VARIABLES"
+ [ -n "$NOKERNEL" ] && echo "NOKERNEL=\"true\""
>> "$CHROOT_VARIABLES"
+ [ -n "$PACKAGES" ] && echo "PACKAGES='$(sed "s,','\\\\'',g"
<<<"${PACKAGES}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$PRE_SCRIPTS" ] && echo "PRE_SCRIPTS='$(sed "s,','\\\\'',g"
<<<"${PRE_SCRIPTS}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$RECONFIGURE" ] && echo "RECONFIGURE='$(sed "s,','\\\\'',g"
<<<"${RECONFIGURE}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$RELEASE" ] && echo "RELEASE='$(sed "s,','\\\\'',g"
<<<"${RELEASE}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$RM_APTCACHE" ] && echo "RM_APTCACHE='$(sed "s,','\\\\'',g"
<<<"${RM_APTCACHE}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$ROOTPASSWORD" ] && echo "ROOTPASSWORD='$(sed "s,','\\\\'',g"
<<<"${ROOTPASSWORD}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$SCRIPTS" ] && echo "SCRIPTS='$(sed "s,','\\\\'',g"
<<<"${SCRIPTS}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$SECURE" ] && echo "SECURE='$(sed "s,','\\\\'',g"
<<<"${SECURE}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$SELECTED_PARTITIONS" ] && echo "SELECTED_PARTITIONS='$(sed
"s,','\\\\'',g" <<<"${SELECTED_PARTITIONS}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$TARGET" ] && echo "TARGET='$(sed "s,','\\\\'',g"
<<<"${TARGET}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$UPGRADE_SYSTEM" ] && echo "UPGRADE_SYSTEM='$(sed "s,','\\\\'',g"
<<<"${UPGRADE_SYSTEM}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$TARGET_UUID" ] && echo "TARGET_UUID='$(sed "s,','\\\\'',g"
<<<"${TARGET_UUID}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$TIMEZONE" ] && echo "TIMEZONE='$(sed "s,','\\\\'',g"
<<<"${TIMEZONE}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$TUNE2FS" ] && echo "TUNE2FS='$(sed "s,','\\\\'',g"
<<<"${TUNE2FS}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$VMSIZE" ] && echo "VMSIZE='$(sed "s,','\\\\'',g"
<<<"${VMSIZE}")'" >> "$CHROOT_VARIABLES"
cp $VERBOSE "${CONFFILES}"/chroot-script "${MNTPOINT}"/bin/chroot-script
chmod 755 "${MNTPOINT}"/bin/chroot-script
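Review bot: the new ISODIR line still writes the value of ISO, not ISODIR: it tests [ -n "$ISODIR" ] but feeds <<<"${ISO}" to sed, carried over from the old ISODIR=\"$ISO\" line. If that is intended it deserves a comment; otherwise it should read <<<"${ISODIR}". The same sed expression is also repeated on every line, which is how a slip like this stays hidden; a small helper that takes the variable name and emits NAME='escaped value' would keep the quoting in one place and make the list reviewable. The comment explaining why sed is used instead of the Bash substitution is useful and should stay next to that helper.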