[Pkg-gnupg-commit] [gnupg2] 01/02: block trivial access to scdaemon memory (Closes: #878952)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat Oct 28 13:33:52 UTC 2017


This is an automated email from the git hooks/post-receive script.

dkg pushed a commit to branch stretch
in repository gnupg2.

commit aa378e9cbdcc5a8ece8e48d020c7456a57b4105c
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date:   Sat Oct 28 15:13:13 2017 +0200

    block trivial access to scdaemon memory (Closes: #878952)
---
 ...0002-Avoid-simple-memory-dumps-via-ptrace.patch | 50 +++++++++++++++++-----
 debian/patches/series                              |  2 +-
 2 files changed, 41 insertions(+), 11 deletions(-)

diff --git a/debian/patches/block-ptrace-on-agent/0002-Avoid-simple-memory-dumps-via-ptrace.patch b/debian/patches/block-ptrace-on-sensitive-daemons/0002-Avoid-simple-memory-dumps-via-ptrace.patch
similarity index 54%
rename from debian/patches/block-ptrace-on-agent/0002-Avoid-simple-memory-dumps-via-ptrace.patch
rename to debian/patches/block-ptrace-on-sensitive-daemons/0002-Avoid-simple-memory-dumps-via-ptrace.patch
index 96a8e0d..1530f32 100644
--- a/debian/patches/block-ptrace-on-agent/0002-Avoid-simple-memory-dumps-via-ptrace.patch
+++ b/debian/patches/block-ptrace-on-sensitive-daemons/0002-Avoid-simple-memory-dumps-via-ptrace.patch
@@ -2,26 +2,29 @@ From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
 Date: Tue, 11 Aug 2015 20:28:26 -0400
 Subject: Avoid simple memory dumps via ptrace
 
-This avoids needing to setgid gpg-agent.  It probably doesn't defend
-against all possible attacks, but it defends against one specific (and
-easy) one.  If there are other protections we should do them too.
+This avoids needing to setgid gpg-agent or scdaemon.  It probably
+doesn't defend against all possible attacks, but it defends against
+one specific (and easy) one.  If there are other protections we should
+do them too.
 
-This will make it slightly harder to debug the agent because the
-normal user won't be able to attach gdb to it directly while it runs.
+This will make it slightly harder to debug the agent or scdaemon
+because the normal user won't be able to attach gdb to it directly
+while it runs.
 
 The remaining options for debugging are:
 
- * launch the agent from gdb directly
- * connect gdb to a running agent as the superuser
+ * launch gpg-agent or scdaemon from gdb directly
+ * connect gdb to a running gpg-agent or scdaemon as the superuser
 
 Upstream bug: https://bugs.gnupg.org/gnupg/issue1211
 ---
  agent/gpg-agent.c | 8 ++++++++
  configure.ac      | 1 +
- 2 files changed, 9 insertions(+)
+ scd/scdaemon.c    | 9 +++++++++
+ 3 files changed, 18 insertions(+)
 
 diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
-index c0208cc88..31bf3370a 100644
+index c0208cc..31bf337 100644
 --- a/agent/gpg-agent.c
 +++ b/agent/gpg-agent.c
 @@ -48,6 +48,9 @@
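Review bot: The patch header still carries only the `Upstream bug:` reference, while the packaging commit that extends it to scdaemon closes #878952. Adding a `Bug-Debian:` line next to `Upstream bug:` would let someone reading the patch file trace the scdaemon addition to the Debian report. The `Date:` header also remains Tue, 11 Aug 2015 although the patch now touches scd/scdaemon.c, so a one-line note in the description saying when the scdaemon part was added would help.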
@@ -47,7 +50,7 @@ index c0208cc88..31bf3370a 100644
       file descriptors and the signal mask.  This info is required to
       do the exec call properly.  We don't need it on Windows.  */
 diff --git a/configure.ac b/configure.ac
-index f929cb60f..f2b6a70d2 100644
+index f929cb6..f2b6a70 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -1335,6 +1335,7 @@ AC_CHECK_FUNCS([strerror strlwr tcgetattr mmap canonicalize_file_name])
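Review bot: The only change in this hunk is the `index` line for configure.ac going from 9-digit to 7-digit abbreviated hashes (`f929cb60f..f2b6a70d2` to `f929cb6..f2b6a70`), the same churn as the agent/gpg-agent.c `index` line in the previous hunk. The embedded change to neither file is modified, so this is regeneration noise. Exporting the patch with a fixed abbreviation length would keep future diffs of this file limited to real changes.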
@@ -58,3 +61,30 @@ index f929cb60f..f2b6a70d2 100644
  AC_CHECK_FUNCS([gettimeofday getrusage getrlimit setrlimit clock_gettime])
  AC_CHECK_FUNCS([atexit raise getpagesize strftime nl_langinfo setlocale])
  AC_CHECK_FUNCS([waitpid wait4 sigaction sigprocmask pipe getaddrinfo])
+diff --git a/scd/scdaemon.c b/scd/scdaemon.c
+index 74fed44..4d011c4 100644
+--- a/scd/scdaemon.c
++++ b/scd/scdaemon.c
+@@ -36,6 +36,9 @@
+ #include <unistd.h>
+ #include <signal.h>
+ #include <npth.h>
++#ifdef HAVE_PRCTL
++# include <sys/prctl.h>
++#endif
+ 
+ #define GNUPG_COMMON_NEED_AFLOCAL
+ #include "scdaemon.h"
+@@ -409,6 +412,12 @@ main (int argc, char **argv )
+   npth_t pipecon_handler;
+ 
+   early_system_init ();
++
++#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
++  /* Disable ptrace on Linux without sgid bit */
++  prctl(PR_SET_DUMPABLE, 0);
++#endif
++
+   set_strusage (my_strusage);
+   gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);
+   /* Please note that we may running SUID(ROOT), so be very CAREFUL
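Review bot: The return value of `prctl(PR_SET_DUMPABLE, 0);` in main() of scd/scdaemon.c is discarded, so if the call fails scdaemon keeps running dumpable with no indication; check the result and at least log the failure. The comment `/* Disable ptrace on Linux without sgid bit */` could also state that this turns off core dumps as well as ptrace attach by the normal user, and the call should be written `prctl (PR_SET_DUMPABLE, 0);` to match the spacing of `early_system_init ();` and `set_strusage (my_strusage);` around it.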
diff --git a/debian/patches/series b/debian/patches/series
index 4ec24b8..17770ee 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,5 +1,5 @@
 debian-packaging/0001-avoid-beta-warning.patch
-block-ptrace-on-agent/0002-Avoid-simple-memory-dumps-via-ptrace.patch
+block-ptrace-on-sensitive-daemons/0002-Avoid-simple-memory-dumps-via-ptrace.patch
 debian-packaging/0003-avoid-regenerating-defsincdate-use-shipped-file.patch
 dirmngr-idling/0001-dirmngr-hkp-Avoid-potential-race-condition-when-some.patch
 dirmngr-idling/0002-dimrngr-Avoid-need-for-hkp-housekeeping.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git


