Package: release.debian.org
Control: affects -1 + src:swupdate
X-Debbugs-Cc: swupd...@packages.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: bullseye
Severity: normal
[ Reason ]
There is a local privilege escalation in the swupdate package because the
service's control socket is created with world-writable file permissions, so
any local user can connect to it.
[ Impact ]
The rights of the swupdate daemon, which is usually used to run full
system updates, can be acquired by any user on the system.
[ Tests ]
Run the service and check that the control socket is created with the
reduced permission set (mode 0660, group swupdate). Also check that the system
user "swupdate" is created.
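The checks described above, written out as a script. This is an added example, not part of the swupdate package or of this debdiff; it assumes GNU coreutils stat(1) and getent(1), and the two socket paths from debian/swupdate.socket.

```shell
#!/bin/sh
# Added verification helper for the [Tests] section above; example code, not
# part of the swupdate package. Assumes GNU stat(1), getent(1) and the socket
# paths /tmp/sockinstctrl and /tmp/swupdateprog from debian/swupdate.socket.

# other_bits MODE: print the "other" digit of an octal mode such as 660 or 1777
# (stat -c '%a' prints the mode without a leading zero, so the last character
# is always the world permission digit).
other_bits() {
    printf '%s' "$1" | tail -c 1
}

# check_path_perms PATH GROUP: succeed only if PATH exists, grants nothing to
# "other", and is owned by group GROUP. This is the state that
# SocketMode=0660 plus SocketGroup=swupdate should produce.
check_path_perms() {
    path=$1
    want_group=$2
    [ -e "$path" ] || { echo "missing: $path" >&2; return 1; }
    mode=$(stat -c '%a' "$path") || return 1
    group=$(stat -c '%G' "$path") || return 1
    if [ "$(other_bits "$mode")" != 0 ]; then
        echo "$path: mode $mode still grants access to other" >&2
        return 1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "$path: group is $group, expected $want_group" >&2
        return 1
    fi
    return 0
}

# check_sysuser NAME: succeed if both a passwd entry and a group entry exist.
# SocketGroup=swupdate needs the group, not just the user.
check_sysuser() {
    getent passwd "$1" >/dev/null && getent group "$1" >/dev/null
}

# verify_swupdate_socket: the end-to-end check from [Tests]; run as root on
# the updated system after `systemctl start swupdate.socket`. Reports every
# failing item instead of stopping at the first one.
verify_swupdate_socket() {
    rc=0
    check_sysuser swupdate || { echo "user/group swupdate missing" >&2; rc=1; }
    for s in /tmp/sockinstctrl /tmp/swupdateprog; do
        [ -S "$s" ] || { echo "not a socket: $s" >&2; rc=1; continue; }
        check_path_perms "$s" swupdate || rc=1
    done
    return $rc
}

# Only run the system check when explicitly asked, so the functions can be
# sourced and exercised on other paths.
if [ "${1:-}" = "--run" ]; then
    verify_swupdate_socket
fi
```

Invoke it as `sh verify-swupdate.sh --run` on a bullseye system with the updated package installed and the socket unit started; a non-zero exit means at least one of the three expectations (user and group exist, both sockets are mode 0660, both are group swupdate) does not hold.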
[ Risks ]
None.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in oldstable
[x] the issue is verified as fixed in unstable
diff -Nru swupdate-2020.11/debian/changelog swupdate-2020.11/debian/changelog
--- swupdate-2020.11/debian/changelog 2021-01-19 08:56:14.000000000 +0100
+++ swupdate-2020.11/debian/changelog 2023-11-27 11:10:38.000000000 +0100
@@ -1,3 +1,10 @@
+swupdate (2020.11-2+deb11u1) bullseye; urgency=medium
+
+ * Add swupdate system user
+ * Create the sockets for group use with SocketMode 0660
+
+ -- Bastian Germann <b...@debian.org> Mon, 27 Nov 2023 11:10:38 +0100
+
swupdate (2020.11-2) unstable; urgency=medium
[ Bastian Germann ]
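Review bot: the changelog entry does not say why the change is being made. For a security update the entry should state that the control and progress sockets were previously world-accessible and that access is now restricted to the swupdate group, and it should reference the bug it fixes with a Closes: field if one has been filed. The second bullet as written ("Create the sockets for group use with SocketMode 0660") omits the SocketGroup=swupdate half of the change, which is the part that actually decides who can connect.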
diff -Nru swupdate-2020.11/debian/control swupdate-2020.11/debian/control
--- swupdate-2020.11/debian/control 2021-01-19 08:55:59.000000000 +0100
+++ swupdate-2020.11/debian/control 2023-11-27 11:10:38.000000000 +0100
@@ -6,6 +6,7 @@
Nobuhiro Iwamatsu <iwama...@debian.org>
Build-Depends: debhelper-compat (= 13),
dh-lua <!nolua>,
+ dh-sysuser,
liblua5.2-dev <!nolua>,
libfdisk-dev,
latexmk <!nodoc>,
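Review bot: dh-sysuser is added only to Build-Depends, but the user is created at install time by the maintainer script that dh_sysuser generates, so the binary package also needs the runtime dependency dh_sysuser adds through ${misc:Depends}. The binary stanza is not in this hunk; confirm that the swupdate package's Depends line contains ${misc:Depends}, otherwise the postinst can fail on a minimal system.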
diff -Nru swupdate-2020.11/debian/rules swupdate-2020.11/debian/rules
--- swupdate-2020.11/debian/rules 2020-12-28 09:58:21.000000000 +0100
+++ swupdate-2020.11/debian/rules 2023-11-27 11:10:38.000000000 +0100
@@ -13,7 +13,7 @@
export LUA_VERSION=5.2
export LUA_MODNAME=lua_swupdate
export PKG_NAME=swupdate
-export DH_WITH=--with lua
+export DH_WITH=,lua
export HAVE_LUA=y
endif
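Review bot: DH_WITH changes from a complete option (--with lua) to a bare ",lua" suffix, which only makes sense next to the "--with sysuser" prefix it is concatenated onto in the dh call further down. Add a comment above the export saying that the variable is an addon-list suffix and must be empty or start with a comma; without it the leading comma reads like a typo to the next maintainer.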
@@ -87,4 +87,4 @@
dh_missing --fail-missing
%:
- dh $@ $(DH_WITH)
+ dh $@ --with sysuser$(DH_WITH)
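Review bot: "--with sysuser$(DH_WITH)" is correct for both the lua and nolua builds, because a spelled-out "--with sysuser,$(DH_WITH)" would leave a trailing comma when DH_WITH is empty, but the correctness depends on the comma living in the variable definition in the other hunk. A clearer form is to keep an addon list (DH_ADDONS = sysuser, with "DH_ADDONS += lua" inside the conditional) and join it here, so that the two places do not have to agree on where the separator goes.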
diff -Nru swupdate-2020.11/debian/swupdate.socket
swupdate-2020.11/debian/swupdate.socket
--- swupdate-2020.11/debian/swupdate.socket 2020-12-28 09:58:21.000000000
+0100
+++ swupdate-2020.11/debian/swupdate.socket 2023-11-27 11:10:38.000000000
+0100
@@ -6,6 +6,8 @@
[Socket]
ListenStream=/tmp/sockinstctrl
ListenStream=/tmp/swupdateprog
+SocketMode=0660
+SocketGroup=swupdate
[Install]
WantedBy=sockets.target
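Review bot: SocketMode=0660 with SocketGroup=swupdate closes the world-writable access, but both paths still live under /tmp, which is world-writable and shared with every local user. Anyone can create a file at /tmp/sockinstctrl or /tmp/swupdateprog before swupdate.socket starts and interfere with the bind, which turns the problem from privilege escalation into a denial of service of the updater. Moving the sockets to a RuntimeDirectory= under /run would also change the path the swupdate client tools connect to, so it is probably out of scope for a stable update, but it should be tracked for unstable. No SocketUser= is set, so the sockets stay root-owned; with 0660 that is fine as long as the group is right.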
diff -Nru swupdate-2020.11/debian/swupdate.sysuser
swupdate-2020.11/debian/swupdate.sysuser
--- swupdate-2020.11/debian/swupdate.sysuser 1970-01-01 01:00:00.000000000
+0100
+++ swupdate-2020.11/debian/swupdate.sysuser 2023-11-27 11:10:38.000000000
+0100
@@ -0,0 +1 @@
+swupdate defaults
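Review bot: "swupdate defaults" creates the system user, but the socket unit depends on a group named swupdate, and the [Tests] section only checks for the user. Confirm that dh_sysuser's defaults create a matching group, otherwise SocketGroup=swupdate fails to resolve and the socket unit does not start. Nothing in this diff documents the behaviour change for administrators either: after the upgrade any non-root client that used to talk to the daemon over the world-writable socket must be added to the swupdate group to keep working, which warrants a debian/NEWS entry.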