Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package micro-evtd
[ Reason ]
Fix micro-evtd creating its pid and status files in /var/run with
world-writable permissions (#988119).
[ Impact ]
- The pid and status files in /var/run are mode 666, which could be a
potential security issue.
- micro-evtd does not stop when asked to with "/etc/init.d/micro-evtd
stop", because start-stop-daemon refuses to use the insecure pid file.
- Because of that, the daemon also does not restart on upgrade as it
should, instead the old version remains running.
[ Tests ]
There are no automated tests. I manually tested the install and upgrade
cases (testing→unstable).
[ Risks ]
The change should be trivial, but it is possible (if unlikely) that I
missed some case where the umask 000 was actually needed.
[ Checklist ]
[✓] all changes are documented in the d/changelog
[✓] I reviewed all changes and I approve them
[✓] attach debdiff against the package in testing
[ Other info ]
The package builds a udeb. I tested an installation using a d-i daily
build with the updated package included, and confirmed the corrected
file permissions in the d-i environment.
The issue exists already in buster (not a regression).
unblock micro-evtd/3.4-7
Thank you,
Ryan
diff -Nru micro-evtd-3.4/debian/changelog micro-evtd-3.4/debian/changelog
--- micro-evtd-3.4/debian/changelog 2021-05-03 20:22:09.000000000 -0700
+++ micro-evtd-3.4/debian/changelog 2021-05-22 00:40:17.000000000 -0700
@@ -1,3 +1,12 @@
+micro-evtd (3.4-7) unstable; urgency=medium
+
+ [ Ryan Tandy ]
+ * Fix world-writable pid and status files in /var/run (Closes: #988119)
+ - Patch micro-evtd.c to reset umask to 022 instead of 0.
+ - Fix permissions on existing files on upgrade.
+
+ -- Roger Shimizu <r...@debian.org> Sat, 22 May 2021 16:40:17 +0900
+
micro-evtd (3.4-6) unstable; urgency=medium
[ Ryan Tandy ]
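Review bot: the changelog entry describes the fix but not the user-visible symptom given in the unblock request, namely that "/etc/init.d/micro-evtd stop" and the restart on upgrade silently fail because start-stop-daemon refuses a world-writable pid file; one line stating that in the "Fix world-writable pid and status files" entry would help anyone who notices the old daemon still running after the upgrade and searches the changelog for why.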
diff -Nru micro-evtd-3.4/debian/micro-evtd.postinst
micro-evtd-3.4/debian/micro-evtd.postinst
--- micro-evtd-3.4/debian/micro-evtd.postinst 2021-05-03 20:22:09.000000000
-0700
+++ micro-evtd-3.4/debian/micro-evtd.postinst 2021-05-22 00:40:17.000000000
-0700
@@ -14,6 +14,18 @@
rm /usr/sbin/micro-evtd.status
fi
fi
+
+ if dpkg --compare-versions "$2" lt-nl "3.4-7~"; then
+ # Fix permissions on the existing pid file
+ # so that the daemon is actually restarted
+ if [ -f /var/run/micro-evtd.pid ]; then
+ chmod 644 /var/run/micro-evtd.pid
+ fi
+
+ if [ -f /var/run/micro-evtd.status ]; then
+ chmod 644 /var/run/micro-evtd.status
+ fi
+ fi
;;
*)
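Review bot: the `chmod 644` calls in the new `dpkg --compare-versions "$2" lt-nl "3.4-7~"` block correct the mode of /var/run/micro-evtd.pid and /var/run/micro-evtd.status but not their contents, and until this upgrade both files were writable by every local user, so the pid file may no longer name the running micro-evtd process; since the comment says the purpose is to let the daemon be restarted, consider verifying that the pid refers to a live micro-evtd (or removing the stale pid file so the init script falls back to its normal start path) rather than relying on the old contents. The `-f` guards make the block safe on a fresh install, where `lt-nl` is true and no files exist.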
diff -Nru
micro-evtd-3.4/debian/patches/0008-Don-t-create-world-writable-files.patch
micro-evtd-3.4/debian/patches/0008-Don-t-create-world-writable-files.patch
--- micro-evtd-3.4/debian/patches/0008-Don-t-create-world-writable-files.patch
1969-12-31 16:00:00.000000000 -0800
+++ micro-evtd-3.4/debian/patches/0008-Don-t-create-world-writable-files.patch
2021-05-22 00:40:17.000000000 -0700
@@ -0,0 +1,26 @@
+From: Ryan Tandy <r...@nardis.ca>
+Date: Fri, 21 May 2021 13:06:41 -0700
+Subject: Don't create world-writable files
+
+Set umask to 022 on startup instead of 000.
+
+Fixes the pid and status files being created world-writable.
+
+Bug-Debian: https://bugs.debian.org/988119
+---
+ src/micro-evtd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/micro-evtd.c b/src/micro-evtd.c
+index da91549..cc05b6a 100644
+--- a/src/micro-evtd.c
++++ b/src/micro-evtd.c
+@@ -1777,7 +1777,7 @@ int main(int argc, char *argv[])
+ setsid();
+
+ /* clear file creation mask */
+- umask(0);
++ umask(022);
+
+ // Lock out device resource
+ getResourceLock();
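Review bot: the comment `/* clear file creation mask */` directly above the changed line is now wrong, since `umask(022);` sets a mask rather than clearing it; update it to say that group and other write bits are masked so pid and status files are not created world-writable. It is also worth stating in the patch description whether any other file the daemon creates relied on the old `umask(0)` (the unblock request lists this as the residual risk), so a later reader knows that question was considered when the blanket umask change was chosen over explicit modes in the individual open calls.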
diff -Nru micro-evtd-3.4/debian/patches/series
micro-evtd-3.4/debian/patches/series
--- micro-evtd-3.4/debian/patches/series 2021-05-03 20:22:09.000000000
-0700
+++ micro-evtd-3.4/debian/patches/series 2021-05-22 00:40:17.000000000
-0700
@@ -5,3 +5,4 @@
0005-Check-for-mmap-returning-MAP_FAILED.patch
0006-Match-default-temperature-configuration-to-the-confi.patch
0007-Fix-FTBFS-with-glibc-2.30.patch
+0008-Don-t-create-world-writable-files.patch