Version in base suite: 2.38.1-5+deb12u2 Base version: util-linux_2.38.1-5+deb12u2 Target version: util-linux_2.38.1-5+deb12u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/u/util-linux/util-linux_2.38.1-5+deb12u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/u/util-linux/util-linux_2.38.1-5+deb12u3.dsc changelog | 8 patches/series | 3 patches/upstream/0027-lscpu-Add-Neoverse-V2-Cortex-R82.patch | 6 patches/upstream/0028-lscpu-Add-2023-Cortex.patch | 6 patches/upstream/0029-lscpu-Add-Neoverse-V3-N3.patch | 8 patches/upstream/autotools-add-disable-makeinstall-tty-setgid.patch | 67 +++++++ patches/upstream/mesg-remove-ability-to-compile-with-fchmod-S_IWOTH.patch | 91 ++++++++++ patches/upstream/meson-add-D-tty-setgid-false-true.patch | 60 ++++++ rules | 2 9 files changed, 243 insertions(+), 8 deletions(-) diff -Nru util-linux-2.38.1/debian/changelog util-linux-2.38.1/debian/changelog --- util-linux-2.38.1/debian/changelog 2024-10-18 12:56:02.000000000 +0000 +++ util-linux-2.38.1/debian/changelog 2024-11-21 20:01:54.000000000 +0000 @@ -1,3 +1,11 @@ +util-linux (2.38.1-5+deb12u3) bookworm; urgency=medium + + * Fixup upstream patches from 2.38.1-5+deb12u2 so gbp-pq can apply them + * Use upstream's new --disable-makeinstall-tty-setgid. + This fixes our wider mitigation for CVE-2024-28085. + + -- Chris Hofstaedtler Thu, 21 Nov 2024 21:01:54 +0100 + util-linux (2.38.1-5+deb12u2) bookworm; urgency=medium * Add the following upstream patches to identify new Arm cores: diff -Nru util-linux-2.38.1/debian/patches/series util-linux-2.38.1/debian/patches/series --- util-linux-2.38.1/debian/patches/series 2024-10-18 12:56:02.000000000 +0000 +++ util-linux-2.38.1/debian/patches/series 2024-11-21 20:01:54.000000000 +0000 
@@ -43,3 +43,6 @@ upstream/wall-use-fputs_careful.patch upstream/wall-fix-calloc-cal-Werror-calloc-transposed-args.patch upstream/wall-fix-escape-sequence-Injection-CVE-2024-28085.patch +upstream/autotools-add-disable-makeinstall-tty-setgid.patch +upstream/meson-add-D-tty-setgid-false-true.patch +upstream/mesg-remove-ability-to-compile-with-fchmod-S_IWOTH.patch diff -Nru util-linux-2.38.1/debian/patches/upstream/0027-lscpu-Add-Neoverse-V2-Cortex-R82.patch util-linux-2.38.1/debian/patches/upstream/0027-lscpu-Add-Neoverse-V2-Cortex-R82.patch --- util-linux-2.38.1/debian/patches/upstream/0027-lscpu-Add-Neoverse-V2-Cortex-R82.patch 2024-10-18 12:56:02.000000000 +0000 +++ util-linux-2.38.1/debian/patches/upstream/0027-lscpu-Add-Neoverse-V2-Cortex-R82.patch 2024-11-21 20:01:54.000000000 +0000 @@ -1,15 +1,16 @@ -From 6857cccbb4157d5da34ca98f77a0ac9d68e1e740 Mon Sep 17 00:00:00 2001 From: ThomasKaiser Date: Sun, 22 Jan 2023 12:37:33 +0100 Subject: [PATCH] Add missing ARM-cores https://github.com/ThomasKaiser/sbc-bench/commit/37332238c0a8b7c1555dca9d18a7c98362564416#diff-fdfd2a032c64d6e9ba92a3197cad6b26573c7094433d74efa4ae80f44f65aa99 + +Upstream commit 6857cccbb4157d5da34ca98f77a0ac9d68e1e740 --- sys-utils/lscpu-arm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sys-utils/lscpu-arm.c b/sys-utils/lscpu-arm.c -index 8357253c66c..f65b25ed66d 100644 +index b30e0e7..0ee10d2 100644 --- a/sys-utils/lscpu-arm.c +++ b/sys-utils/lscpu-arm.c @@ -78,6 +78,7 @@ static const struct id_part arm_part[] = { @@ -27,3 +28,4 @@ + { 0xd4f, "Neoverse-V2" }, { -1, "unknown" }, }; + diff -Nru util-linux-2.38.1/debian/patches/upstream/0028-lscpu-Add-2023-Cortex.patch util-linux-2.38.1/debian/patches/upstream/0028-lscpu-Add-2023-Cortex.patch --- util-linux-2.38.1/debian/patches/upstream/0028-lscpu-Add-2023-Cortex.patch 2024-10-18 12:56:02.000000000 +0000 +++ util-linux-2.38.1/debian/patches/upstream/0028-lscpu-Add-2023-Cortex.patch 2024-11-21 20:01:54.000000000 +0000 
@@ -1,4 +1,3 @@ -From 6112ade968cbe8728ca25fccdafdb1f9599424db Mon Sep 17 00:00:00 2001 From: Jeremy Linton Date: Wed, 26 Jul 2023 15:54:20 -0500 Subject: [PATCH] lscpu: Even more Arm part numbers (early 2023) @@ -10,12 +9,14 @@ Cortex-M55 and Cortex-R52+. Signed-off-by: Jeremy Linton + +Upstream commit 6112ade968cbe8728ca25fccdafdb1f9599424db --- sys-utils/lscpu-arm.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/sys-utils/lscpu-arm.c b/sys-utils/lscpu-arm.c -index d83e948b0d8..77959836873 100644 +index 0ee10d2..41cf540 100644 --- a/sys-utils/lscpu-arm.c +++ b/sys-utils/lscpu-arm.c @@ -79,8 +79,11 @@ static const struct id_part arm_part[] = { @@ -39,3 +40,4 @@ + { 0xd82, "Cortex-X4" }, { -1, "unknown" }, }; + diff -Nru util-linux-2.38.1/debian/patches/upstream/0029-lscpu-Add-Neoverse-V3-N3.patch util-linux-2.38.1/debian/patches/upstream/0029-lscpu-Add-Neoverse-V3-N3.patch --- util-linux-2.38.1/debian/patches/upstream/0029-lscpu-Add-Neoverse-V3-N3.patch 2024-10-18 12:56:02.000000000 +0000 +++ util-linux-2.38.1/debian/patches/upstream/0029-lscpu-Add-Neoverse-V3-N3.patch 2024-11-21 20:01:54.000000000 +0000 @@ -1,18 +1,19 @@ -From 7be163aa1657c4bd854bde84a83a8c5fcffd25dd Mon Sep 17 00:00:00 2001 From: Thomas Kaiser Date: Mon, 26 Feb 2024 12:20:11 +0100 Subject: [PATCH] Adding Neoverse-V3/-N3 ARM cores (cherry picked from commit c91694dd066d07c2ca7d68cbe212b2e1f893e942) + +Upstream commit 7be163aa1657c4bd854bde84a83a8c5fcffd25dd --- sys-utils/lscpu-arm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sys-utils/lscpu-arm.c b/sys-utils/lscpu-arm.c -index 511ab281cd8..b9e8060a92f 100644 +index 41cf540..247c645 100644 --- a/sys-utils/lscpu-arm.c +++ b/sys-utils/lscpu-arm.c -@@ -93,6 +93,8 @@ static const struct id_part arm_part[] = { +@@ -102,6 +102,8 @@ static const struct id_part arm_part[] = { { 0xd80, "Cortex-A520" }, { 0xd81, "Cortex-A720" }, { 0xd82, "Cortex-X4" }, 
@@ -20,3 +21,4 @@ + { 0xd8e, "Neoverse-N3" }, { -1, "unknown" }, }; + diff -Nru util-linux-2.38.1/debian/patches/upstream/autotools-add-disable-makeinstall-tty-setgid.patch util-linux-2.38.1/debian/patches/upstream/autotools-add-disable-makeinstall-tty-setgid.patch --- util-linux-2.38.1/debian/patches/upstream/autotools-add-disable-makeinstall-tty-setgid.patch 1970-01-01 00:00:00.000000000 +0000 +++ util-linux-2.38.1/debian/patches/upstream/autotools-add-disable-makeinstall-tty-setgid.patch 2024-11-21 20:01:54.000000000 +0000 
@@ -0,0 +1,67 @@ +From: Karel Zak +Date: Fri, 15 Nov 2024 11:30:17 +0100 +Subject: autotools: add --disable-makeinstall-tty-setgid + +If your distribution does not define permissions for installed +binaries and follows the upstream guidelines, disabling the tty +group's setgid could be a beneficial decision in certain situations. + +Signed-off-by: Karel Zak +--- + configure.ac | 8 ++++++++ + term-utils/Makemodule.am | 4 ++++ + 2 files changed, 12 insertions(+) + +diff --git a/configure.ac b/configure.ac +index d8b4d47..7bb91e4 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -2627,6 +2627,14 @@ AC_ARG_ENABLE([makeinstall-setuid], + AM_CONDITIONAL([MAKEINSTALL_DO_SETUID], [test "x$enable_makeinstall_setuid" = xyes]) + + ++AC_ARG_ENABLE([makeinstall-tty-setgid], ++ AS_HELP_STRING([--disable-makeinstall-tty-setgid], [do not setgid for wall, and write during "make install"]), ++ [], [enable_makeinstall_tty_setgid=yes] ++) ++AM_CONDITIONAL([MAKEINSTALL_DO_TTY_SETGID], [test "x$enable_makeinstall_tty_setgid" = xyes]) ++ ++ ++ + AC_ARG_ENABLE([colors-default], + AS_HELP_STRING([--disable-colors-default], [do not colorize output from utils by default]), + [], [enable_colors_default=yes] +diff --git a/term-utils/Makemodule.am b/term-utils/Makemodule.am +index 119324f..99deb81 100644 +--- a/term-utils/Makemodule.am ++++ b/term-utils/Makemodule.am +@@ -96,6 +96,7 @@ wall_LDFLAGS = $(SUID_LDFLAGS) $(AM_LDFLAGS) + wall_LDADD = $(LDADD) libcommon.la + if USE_TTY_GROUP + if MAKEINSTALL_DO_CHOWN ++if MAKEINSTALL_DO_TTY_SETGID + install-exec-hook-wall:: + chgrp tty $(DESTDIR)$(usrbin_execdir)/wall + chmod g+s $(DESTDIR)$(usrbin_execdir)/wall +@@ -103,6 +104,7 @@ install-exec-hook-wall:: + INSTALL_EXEC_HOOKS += install-exec-hook-wall + endif + endif ++endif + endif # BUILD_WALL + + +@@ -117,6 +119,7 @@ write_LDADD = $(LDADD) libcommon.la + + if USE_TTY_GROUP + if MAKEINSTALL_DO_CHOWN ++if MAKEINSTALL_DO_TTY_SETGID + install-exec-hook-write:: + chgrp tty 
$(DESTDIR)$(usrbin_execdir)/write + chmod g+s $(DESTDIR)$(usrbin_execdir)/write +@@ -124,4 +127,5 @@ install-exec-hook-write:: + INSTALL_EXEC_HOOKS += install-exec-hook-write + endif + endif ++endif + endif # BUILD_WRITE diff -Nru util-linux-2.38.1/debian/patches/upstream/mesg-remove-ability-to-compile-with-fchmod-S_IWOTH.patch util-linux-2.38.1/debian/patches/upstream/mesg-remove-ability-to-compile-with-fchmod-S_IWOTH.patch --- util-linux-2.38.1/debian/patches/upstream/mesg-remove-ability-to-compile-with-fchmod-S_IWOTH.patch 1970-01-01 00:00:00.000000000 +0000 +++ util-linux-2.38.1/debian/patches/upstream/mesg-remove-ability-to-compile-with-fchmod-S_IWOTH.patch 2024-11-21 20:01:54.000000000 +0000 
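Review bot: The help string added to configure.ac, `[do not setgid for wall, and write during "make install"]`, is easy to misread as two separate instructions because of the comma, and it does not say that the option only takes effect inside `if MAKEINSTALL_DO_CHOWN`, which is where both Makemodule.am hunks nest the new `if MAKEINSTALL_DO_TTY_SETGID` conditional. I would change it to `[do not make wall and write setgid tty during "make install"; only relevant when make-install chown is enabled]`. The default remains `enable_makeinstall_tty_setgid=yes`, so builds that do not pass the flag keep the chgrp tty / chmod g+s hooks exactly as before. The three consecutive blank lines added after the new AM_CONDITIONAL are a style nit; one blank line matches the surrounding option blocks.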
@@ -0,0 +1,91 @@ +From: Karel Zak +Date: Fri, 15 Nov 2024 11:53:37 +0100 +Subject: mesg: remove ability to compile with fchmod(S_IWOTH) + +The default is to use mesg(1) to modify write access for the "tty" +group, but there is an obscure legacy. If mesg(1) is compiled with the +option "--disable-use-tty-group", then it defaults to using +fchmod(S_IWGRP | S_IWOTH). This means that your tty is then writable +for everyone. Let's get rid of this ugly feature. + +Reported-by: Chris Hofstaedtler +Signed-off-by: Karel Zak +--- + login-utils/login.1.adoc | 4 ++-- + term-utils/mesg.1.adoc | 19 ++++++++++++++++++- + term-utils/mesg.c | 4 ---- + 3 files changed, 20 insertions(+), 7 deletions(-) + +diff --git a/login-utils/login.1.adoc b/login-utils/login.1.adoc +index a3404f3..376dca4 100644 +--- a/login-utils/login.1.adoc ++++ b/login-utils/login.1.adoc +@@ -93,13 +93,13 @@ Delay in seconds before being allowed another three tries after a login failure. + + *TTYPERM* (string):: + +-The terminal permissions. The default value is _0600_ or _0620_ if tty group is used. ++The terminal permissions. The default value is _0600_ or _0620_ if tty group is used. See also *mesg*(1). + + *TTYGROUP* (string):: + + The login tty will be owned by the *TTYGROUP*. The default value is _tty_. If the *TTYGROUP* does not exist, then the ownership of the terminal is set to the user's primary group. + + +-The *TTYGROUP* can be either the name of a group or a numeric group identifier. ++The *TTYGROUP* can be either the name of a group or a numeric group identifier. See also *mesg*(1). + + *HUSHLOGIN_FILE* (string):: + +diff --git a/term-utils/mesg.1.adoc b/term-utils/mesg.1.adoc +index 5ccef72..d4704e7 100644 +--- a/term-utils/mesg.1.adoc ++++ b/term-utils/mesg.1.adoc +@@ -52,7 +52,23 @@ mesg - display (or do not display) messages from other users + + The *mesg* utility is invoked by a user to control write access others have to the terminal device associated with standard error output. 
If write access is allowed, then programs such as *talk*(1) and *write*(1) may display messages on the terminal. + +-Traditionally, write access is allowed by default. However, as users become more conscious of various security risks, there is a trend to remove write access by default, at least for the primary login shell. To make sure your ttys are set the way you want them to be set, *mesg* should be executed in your login scripts. ++Traditionally, write access is allowed by default. However, as users become ++more conscious of various security risks, there is a trend to remove write ++access by default, at least for the primary login shell. ++ ++The initial permissions for the terminal are set by *login*(1) according to TTYPERM ++and TTYGROUP from /etc/login.defs. The default is mode _0620_ if a tty group is used, ++and _0600_ without the group. The default tty group name is "tty". ++ ++To ensure that your ttys are set in a portable and independent manner from system ++settings, *mesg* should be executed in your login scripts. ++ ++*mesg* modifies the write permissions for a group on the current terminal ++device. Since version 2.41, *mesg* can no longer be compiled to make the ++terminal writable for _others_ and strictly modifies only _group_ permissions. ++The usual setup is to use a "tty" group and add relevant users to this group. ++Alternatively, a less secure solution is to set utilities like *write*(1) or ++*wall*(1) to setgid for the "tty" group. + + The *mesg* utility silently exits with error status 2 if not executed on terminal. In this case execute *mesg* is pointless. The command line option *--verbose* forces mesg to print a warning in this situation. This behaviour has been introduced in version 2.33. + +@@ -66,6 +82,7 @@ Allow messages to be displayed. + + If no arguments are given, *mesg* shows the current message status on standard error output. 
+ ++ + == OPTIONS + + *-v*, *--verbose*:: +diff --git a/term-utils/mesg.c b/term-utils/mesg.c +index cb0b493..9e0b01e 100644 +--- a/term-utils/mesg.c ++++ b/term-utils/mesg.c +@@ -157,11 +157,7 @@ int main(int argc, char *argv[]) + + switch (rpmatch(argv[0])) { + case RPMATCH_YES: +-#ifdef USE_TTY_GROUP + if (fchmod(fd, sb.st_mode | S_IWGRP) < 0) +-#else +- if (fchmod(fd, sb.st_mode | S_IWGRP | S_IWOTH) < 0) +-#endif + err(MESG_EXIT_FAILURE, _("change %s mode failed"), tty); + if (verbose) + puts(_("write access to your terminal is allowed")); diff -Nru util-linux-2.38.1/debian/patches/upstream/meson-add-D-tty-setgid-false-true.patch util-linux-2.38.1/debian/patches/upstream/meson-add-D-tty-setgid-false-true.patch --- util-linux-2.38.1/debian/patches/upstream/meson-add-D-tty-setgid-false-true.patch 1970-01-01 00:00:00.000000000 +0000 +++ util-linux-2.38.1/debian/patches/upstream/meson-add-D-tty-setgid-false-true.patch 2024-11-21 20:01:54.000000000 +0000 
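Review bot: The mesg.1.adoc text being backported says `Since version 2.41, *mesg* can no longer be compiled to make the terminal writable for _others_`, but this package is 2.38.1-5+deb12u3, so a bookworm reader comparing that sentence with their installed version will conclude it does not apply to their binary. A short line in the patch header, e.g. `Backported to 2.38.1 for Debian bookworm; the "Since version 2.41" note in mesg(1) refers to the upstream release.`, would avoid that confusion. The mesg.c hunk removes the only path that set S_IWOTH, so `mesg y` is now group-only regardless of USE_TTY_GROUP; the RPMATCH_NO branch of main() is outside the hunk, so I cannot see whether it also clears an S_IWOTH bit left on a tty by an older build, which is worth confirming. main()'s body starts and ends outside the hunk.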
@@ -0,0 +1,60 @@ +From: Karel Zak +Date: Fri, 15 Nov 2024 11:32:34 +0100 +Subject: meson: add -D tty-setgid=[false|true] + +If your distribution does not define permissions for installed +binaries and follows the upstream guidelines, disabling the tty +group's setgid could be a beneficial decision in certain situations. + +Signed-off-by: Karel Zak +--- + meson.build | 9 +++++++++ + meson_options.txt | 4 ++++ + 2 files changed, 13 insertions(+) + +diff --git a/meson.build b/meson.build +index c1f70ab..dc02a21 100644 +--- a/meson.build ++++ b/meson.build +@@ -2267,6 +2267,13 @@ if opt + bashcompletions += ['mesg'] + endif + ++tty_setgid = get_option('tty-setgid') ++if tty_setgid ++ tty_install_mode = [ 'rwxr-sr-x', 'root', 'tty' ] ++else ++ tty_install_mode = [ false, false, false ] ++endif ++ + opt = not get_option('build-wall').disabled() + exe = executable( + 'wall', +@@ -2274,6 +2281,7 @@ exe = executable( + include_directories : includes, + link_with : [lib_common], + install_dir : usrbin_exec_dir, ++ install_mode : tty_install_mode, + install : opt, + build_by_default : opt) + if opt +@@ -2292,6 +2300,7 @@ exe = executable( + include_directories : includes, + link_with : [lib_common], + install_dir : usrbin_exec_dir, ++ install_mode : tty_install_mode, + install : opt, + build_by_default : opt) + if opt +diff --git a/meson_options.txt b/meson_options.txt +index 64c9924..050d706 100644 +--- a/meson_options.txt ++++ b/meson_options.txt +@@ -201,3 +201,7 @@ option('fs-search-path-extra', + option('vendordir', + type: 'string', + description : 'directory for distribution provided econf files') ++ ++option('tty-setgid', type : 'boolean', ++ value : true, ++ description : 'setgid tty group for wall and write programs') diff -Nru util-linux-2.38.1/debian/rules util-linux-2.38.1/debian/rules --- util-linux-2.38.1/debian/rules 2024-10-18 12:56:02.000000000 +0000 +++ util-linux-2.38.1/debian/rules 2024-11-21 20:01:54.000000000 +0000 
@@ -46,7 +46,7 @@ CONFOPTS += --disable-hwclock-gplv3 # Reduce setgid programs (cf. CVE-2024-28085) -CONFOPTS += --disable-use-tty-group +CONFOPTS += --disable-makeinstall-tty-setgid # Get the list of binary package, except lib* and *-udeb, from # debian/control instead of hardcoding the list when installing
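Review bot: The comment above the new flag still reads only `# Reduce setgid programs (cf. CVE-2024-28085)`, which no longer explains why `--disable-use-tty-group` was replaced: the mesg patch in this upload describes that option as making mesg fall back to `fchmod(S_IWGRP | S_IWOTH)`, i.e. a world-writable tty, so the swap corrects the mitigation rather than renaming it. I would extend the comment to `# Do not install wall/write setgid tty (cf. CVE-2024-28085); keep` / `# USE_TTY_GROUP so mesg(1) only toggles S_IWGRP, never S_IWOTH`. Note that in the autotools patch the install hook is nested under `if MAKEINSTALL_DO_CHOWN`, so if this build does not enable make-install chown the new flag is inert at `make install` and the permissions of wall and write are decided elsewhere in the packaging; confirming that the installed binaries are not setgid tty would show whether this flag alone carries the mitigation.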