--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: grml-debootstrap/0.68.1 (pre-approval)
- From: Michael Prokop <mika@debian.org>
- Date: Tue, 10 Mar 2015 19:05:14 +0100
- Message-id: <2015-03-10T16-05-12@devnull.michael-prokop.at>
- Message-id: <20150310180514.17792.11708.reportbug@odysseus.grml.info>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
I'm hereby asking for pre-approval of grml-debootstrap/0.68.1:
unblock grml-debootstrap/0.68.1
This version of grml-debootstrap includes fixes for 4 serious
issues which we'd like to see resolved for Debian/jessie:
#779913: Stops SSH server outside (rather than inside) chroot after failures
=> the ssh and mdadm services of the *system* where
grml-debootstrap is executed might get stopped,
clearly unwanted behaviour
#779925: Lacks escaping of user input
=> security problem
#780204: warning messages aren't displayed due to missing ewarn definition
=> while it is a trivial fix it's hiding problems from the user
#776502: CVE-2015-1378: Issues with sourcing cmdlineopts.clp from current working directory
=> security problem with CVE entry 2015-1378
debdiff of grml-debootstrap/0.68 as currently in Debian/jessie
against what I'd like to upload towards Debian/unstable is at the
end of my mail.
Please let me know if I can upload this to Debian/unstable to get it
towards jessie.
Thanks for consideration!
regards,
-mika-
diff -Nru grml-debootstrap-0.68/debian/changelog grml-debootstrap-0.68.1/debian/changelog
--- grml-debootstrap-0.68/debian/changelog 2015-03-10 16:05:52.000000000 +0100
+++ grml-debootstrap-0.68.1/debian/changelog 2015-03-10 16:27:45.000000000 +0100
@@ -1,3 +1,19 @@
+grml-debootstrap (0.68.1) unstable; urgency=medium
+
+ [ Michael Prokop ]
+ * [52e9bbf] Do not stop hosts' SSH + mdadm services in cleanup
+ procedure. Thanks to Sebastian Pipping for debugging and bug report
+ (Closes: #779913)
+ * [1690a3c] Define ewarn function to properly display warning messages
+ (Closes: #780204)
+
+ [ Sebastian Pipping ]
+ * [75c3aab] Source cmdlineopts.clp from same folder as grml-debootstrap
+ file (Closes: #776502) [CVE-2015-1378]
+ * [0d9be2b] Add missing escaping of user input (Closes: #779925)
+
+ -- Michael Prokop <mika@grml.org> Tue, 10 Mar 2015 15:48:08 +0100
+
grml-debootstrap (0.68) unstable; urgency=medium
* [8a4a3c8] Adjust filesystem check for new blkid behaviour
diff -Nru grml-debootstrap-0.68/grml-debootstrap grml-debootstrap-0.68.1/grml-debootstrap
--- grml-debootstrap-0.68/grml-debootstrap 2015-03-10 16:11:53.000000000 +0100
+++ grml-debootstrap-0.68.1/grml-debootstrap 2015-03-10 16:27:14.000000000 +0100
@@ -138,6 +138,7 @@
# early helper functions {{{
GOOD='[32;01m'
BAD='[31;01m'
+WARN='[33;01m'
NORMAL='[0m'
einfo() {
@@ -152,6 +153,11 @@
return 0
}
+ewarn() {
+ printf " ${WARN}*${NORMAL} $*\n"
+ return 0
+}
+
eerror() {
[ "${RC_ENDCOL}" != "yes" ] && [ "${LAST_E_CMD}" = "ebegin" ] && echo
printf " ${BAD}*${NORMAL} $*\n" >&2
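Review bot: The added `ewarn` puts the caller's message inside the printf format string (`printf " ${WARN}*${NORMAL} $*\n"`), so any `%` or backslash sequence in a warning is interpreted by printf instead of being printed. Passing the text as an argument avoids that: `printf " ${WARN}*${NORMAL} %s\n" "$*"` (or `%b` if callers rely on backslash escapes, which this hunk does not show). The same pattern is visible in the `eerror` context line, whose body continues outside the hunk. `ewarn` also writes to stdout while `eerror` uses `>&2`; if warnings are meant as diagnostics, adding `>&2` would keep them out of captured output.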
@@ -205,8 +211,11 @@
if [ -n "$MNTPOINT" ] ; then
if grep -q "$MNTPOINT" /proc/mounts ; then
# make sure nothing is left inside chroot so we can unmount it
- [ -x "$MNTPOINT"/etc/init.d/ssh ] && "$MNTPOINT"/etc/init.d/ssh stop
- [ -x "$MNTPOINT"/etc/init.d/mdadm ] && "$MNTPOINT"/etc/init.d/mdadm stop
+ for service in ssh mdadm ; do
+ if [ -x "${MNTPOINT}/etc/init.d/${service}" ] ; then
+ chroot "$MNTPOINT" "/etc/init.d/${service}" stop
+ fi
+ done
[ -x "$MNTPOINT"/bin/umount ] && chroot "$MNTPOINT" umount -a >/dev/null 2>&1
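Review bot: The new `for service in ssh mdadm` loop has no comment saying why the stop has to go through `chroot`, which is the detail the old lines got wrong. A one-line comment above the `chroot` call would keep it from being simplified back, for example `# must run via chroot: executing "$MNTPOINT"/etc/init.d/<service> by its host path acts on the host's services (#779913)`. Note also that the `-x` test is still evaluated on the host-side path while the script is then resolved inside the chroot, so the two can disagree if the entry is an absolute symlink. The surrounding cleanup block starts and ends outside this hunk.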
@@ -286,8 +295,9 @@
# cmdline handling {{{
# source external command line parameter-processing script
-if [ -r ./cmdlineopts.clp ] ; then
- . ./cmdlineopts.clp
+self_dir="$(dirname "$(which "$0")")"
+if [ -r "${self_dir}"/cmdlineopts.clp ] ; then
+ . "${self_dir}"/cmdlineopts.clp
elif [ -r /usr/share/grml-debootstrap/functions/cmdlineopts.clp ] ; then
. /usr/share/grml-debootstrap/functions/cmdlineopts.clp
else
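Review bot: The output of `which "$0"` is used unchecked on the added `self_dir=` line. If `which` prints nothing (for example because the script is not found as an executable), `dirname ""` yields `.`, and the next test then reads `./cmdlineopts.clp` from the current working directory, which is the lookup this change is meant to remove. Keeping the resolved path and testing it first closes that gap: `self_path="$(which "$0")" || self_path=""` followed by `if [ -n "$self_path" ] && [ -r "$(dirname "$self_path")"/cmdlineopts.clp ] ; then`. The `if`/`elif`/`else` chain continues past the end of this hunk.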
@@ -1161,47 +1171,49 @@
CHROOT_VARIABLES="/var/cache/grml-debootstrap/variables_${SHORT_TARGET}"
touch "$CHROOT_VARIABLES"
chmod 600 "$CHROOT_VARIABLES" # make sure nobody except root can read it
- echo "# Configuration of ${PN}" > "$CHROOT_VARIABLES"
- [ -n "$ARCH" ] && echo "ARCH=\"$ARCH\"" >> "$CHROOT_VARIABLES"
- [ -n "$BACKPORTREPOS" ] && echo "BACKPORTREPOS=\"$BACKPORTREPOS\"" >> "$CHROOT_VARIABLES"
- [ -n "$CHROOT_SCRIPTS" ] && echo "CHROOT_SCRIPTS=\"$CHROOT_SCRIPTS\"" >> "$CHROOT_VARIABLES"
- [ -n "$CONFFILES" ] && echo "CONFFILES=\"$CONFFILES\"" >> "$CHROOT_VARIABLES"
- [ -n "$DEBCONF" ] && echo "DEBCONF=\"$DEBCONF\"" >> "$CHROOT_VARIABLES"
- [ -n "$DEBIAN_FRONTEND" ] && echo "DEBIAN_FRONTEND=\"$DEBIAN_FRONTEND\"" >> "$CHROOT_VARIABLES"
- [ -n "$DEBOOTSTRAP" ] && echo "DEBOOTSTRAP=\"$DEBOOTSTRAP\"" >> "$CHROOT_VARIABLES"
- [ -n "$DEFAULT_LOCALES" ] && echo "DEFAULT_LOCALES=\"$DEFAULT_LOCALES\"" >> "$CHROOT_VARIABLES"
- [ -n "$DEFAULT_LANGUAGE" ] && echo "DEFAULT_LANGUAGE=\"$DEFAULT_LANGUAGE\"" >> "$CHROOT_VARIABLES"
- [ -n "$EXTRAPACKAGES" ] && echo "EXTRAPACKAGES=\"$EXTRAPACKAGES\"" >> "$CHROOT_VARIABLES"
- [ -n "$FALLBACK_MIRROR" ] && echo "FALLBACK_MIRROR=\"$FALLBACK_MIRROR\"" >> "$CHROOT_VARIABLES"
- [ -n "$FORCE" ] && echo "FORCE=\"$FORCE\"" >> "$CHROOT_VARIABLES"
- [ -n "$GRMLREPOS" ] && echo "GRMLREPOS=\"$GRMLREPOS\"" >> "$CHROOT_VARIABLES"
- [ -n "$GRUB" ] && echo "GRUB=\"$GRUB\"" >> "$CHROOT_VARIABLES"
- [ -n "$HOSTNAME" ] && echo "HOSTNAME=\"$HOSTNAME\"" >> "$CHROOT_VARIABLES"
- [ -n "$INITRD" ] && echo "INITRD=\"$INITRD\"" >> "$CHROOT_VARIABLES"
- [ -n "$INSTALL_NOTES" ] && echo "INSTALL_NOTES=\"$INSTALL_NOTES\"" >> "$CHROOT_VARIABLES"
- [ -n "$ISODIR" ] && echo "ISODIR=\"$ISO\"" >> "$CHROOT_VARIABLES"
- [ -n "$ISO" ] && echo "ISO=\"$ISO\"" >> "$CHROOT_VARIABLES"
- [ -n "$KEEP_SRC_LIST" ] && echo "KEEP_SRC_LIST=\"$KEEP_SRC_LIST\"" >> "$CHROOT_VARIABLES"
- [ -n "$LOCALES" ] && echo "LOCALES=\"$LOCALES\"" >> "$CHROOT_VARIABLES"
- [ -n "$MIRROR" ] && echo "MIRROR=\"$MIRROR\"" >> "$CHROOT_VARIABLES"
- [ -n "$MKFS" ] && echo "MKFS=\"$MKFS\"" >> "$CHROOT_VARIABLES"
- [ -n "$NOPASSWORD" ] && echo "NOPASSWORD=\"true\"" >> "$CHROOT_VARIABLES"
- [ -n "$NOKERNEL" ] && echo "NOKERNEL=\"true\"" >> "$CHROOT_VARIABLES"
- [ -n "$PACKAGES" ] && echo "PACKAGES=\"$PACKAGES\"" >> "$CHROOT_VARIABLES"
- [ -n "$PRE_SCRIPTS" ] && echo "PRE_SCRIPTS=\"$PRE_SCRIPTS\"" >> "$CHROOT_VARIABLES"
- [ -n "$RECONFIGURE" ] && echo "RECONFIGURE=\"$RECONFIGURE\"" >> "$CHROOT_VARIABLES"
- [ -n "$RELEASE" ] && echo "RELEASE=\"$RELEASE\"" >> "$CHROOT_VARIABLES"
- [ -n "$RM_APTCACHE" ] && echo "RM_APTCACHE=\"$RM_APTCACHE\"" >> "$CHROOT_VARIABLES"
- [ -n "$ROOTPASSWORD" ] && echo "ROOTPASSWORD=\"$ROOTPASSWORD\"" >> "$CHROOT_VARIABLES"
- [ -n "$SCRIPTS" ] && echo "SCRIPTS=\"$SCRIPTS\"" >> "$CHROOT_VARIABLES"
- [ -n "$SECURE" ] && echo "SECURE=\"$SECURE\"" >> "$CHROOT_VARIABLES"
- [ -n "$SELECTED_PARTITIONS" ] && echo "SELECTED_PARTITIONS=\"$SELECTED_PARTITIONS\"" >> "$CHROOT_VARIABLES"
- [ -n "$TARGET" ] && echo "TARGET=\"$TARGET\"" >> "$CHROOT_VARIABLES"
- [ -n "$UPGRADE_SYSTEM" ] && echo "UPGRADE_SYSTEM=\"$UPGRADE_SYSTEM\"" >> "$CHROOT_VARIABLES"
- [ -n "$TARGET_UUID" ] && echo "TARGET_UUID=\"$TARGET_UUID\"" >> "$CHROOT_VARIABLES"
- [ -n "$TIMEZONE" ] && echo "TIMEZONE=\"$TIMEZONE\"" >> "$CHROOT_VARIABLES"
- [ -n "$TUNE2FS" ] && echo "TUNE2FS=\"$TUNE2FS\"" >> "$CHROOT_VARIABLES"
- [ -n "$VMSIZE" ] && echo "VMSIZE=\"$VMSIZE\"" >> "$CHROOT_VARIABLES"
+ echo "# Configuration of ${PN}" > "$CHROOT_VARIABLES"
+ # Resorting to sed(1) for escaping since "VAR='${VAR//\'/\'\\\'\'}'" does not work with all versions of Bash,
+ # e.g. not with 4.2.37(1)-release (a.k.a 4.2+dfsg-0.1+deb7u3) of Debian wheezy
+ [ -n "$ARCH" ] && echo "ARCH='$(sed "s,','\\\\'',g" <<<"${ARCH}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$BACKPORTREPOS" ] && echo "BACKPORTREPOS='$(sed "s,','\\\\'',g" <<<"${BACKPORTREPOS}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$CHROOT_SCRIPTS" ] && echo "CHROOT_SCRIPTS='$(sed "s,','\\\\'',g" <<<"${CHROOT_SCRIPTS}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$CONFFILES" ] && echo "CONFFILES='$(sed "s,','\\\\'',g" <<<"${CONFFILES}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$DEBCONF" ] && echo "DEBCONF='$(sed "s,','\\\\'',g" <<<"${DEBCONF}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$DEBIAN_FRONTEND" ] && echo "DEBIAN_FRONTEND='$(sed "s,','\\\\'',g" <<<"${DEBIAN_FRONTEND}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$DEBOOTSTRAP" ] && echo "DEBOOTSTRAP='$(sed "s,','\\\\'',g" <<<"${DEBOOTSTRAP}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$DEFAULT_LOCALES" ] && echo "DEFAULT_LOCALES='$(sed "s,','\\\\'',g" <<<"${DEFAULT_LOCALES}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$DEFAULT_LANGUAGE" ] && echo "DEFAULT_LANGUAGE='$(sed "s,','\\\\'',g" <<<"${DEFAULT_LANGUAGE}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$EXTRAPACKAGES" ] && echo "EXTRAPACKAGES='$(sed "s,','\\\\'',g" <<<"${EXTRAPACKAGES}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$FALLBACK_MIRROR" ] && echo "FALLBACK_MIRROR='$(sed "s,','\\\\'',g" <<<"${FALLBACK_MIRROR}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$FORCE" ] && echo "FORCE='$(sed "s,','\\\\'',g" <<<"${FORCE}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$GRMLREPOS" ] && echo "GRMLREPOS='$(sed "s,','\\\\'',g" <<<"${GRMLREPOS}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$GRUB" ] && echo "GRUB='$(sed "s,','\\\\'',g" <<<"${GRUB}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$HOSTNAME" ] && echo "HOSTNAME='$(sed "s,','\\\\'',g" <<<"${HOSTNAME}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$INITRD" ] && echo "INITRD='$(sed "s,','\\\\'',g" <<<"${INITRD}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$INSTALL_NOTES" ] && echo "INSTALL_NOTES='$(sed "s,','\\\\'',g" <<<"${INSTALL_NOTES}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$ISODIR" ] && echo "ISODIR='$(sed "s,','\\\\'',g" <<<"${ISO}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$ISO" ] && echo "ISO='$(sed "s,','\\\\'',g" <<<"${ISO}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$KEEP_SRC_LIST" ] && echo "KEEP_SRC_LIST='$(sed "s,','\\\\'',g" <<<"${KEEP_SRC_LIST}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$LOCALES" ] && echo "LOCALES='$(sed "s,','\\\\'',g" <<<"${LOCALES}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$MIRROR" ] && echo "MIRROR='$(sed "s,','\\\\'',g" <<<"${MIRROR}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$MKFS" ] && echo "MKFS='$(sed "s,','\\\\'',g" <<<"${MKFS}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$NOPASSWORD" ] && echo "NOPASSWORD=\"true\"" >> "$CHROOT_VARIABLES"
+ [ -n "$NOKERNEL" ] && echo "NOKERNEL=\"true\"" >> "$CHROOT_VARIABLES"
+ [ -n "$PACKAGES" ] && echo "PACKAGES='$(sed "s,','\\\\'',g" <<<"${PACKAGES}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$PRE_SCRIPTS" ] && echo "PRE_SCRIPTS='$(sed "s,','\\\\'',g" <<<"${PRE_SCRIPTS}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$RECONFIGURE" ] && echo "RECONFIGURE='$(sed "s,','\\\\'',g" <<<"${RECONFIGURE}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$RELEASE" ] && echo "RELEASE='$(sed "s,','\\\\'',g" <<<"${RELEASE}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$RM_APTCACHE" ] && echo "RM_APTCACHE='$(sed "s,','\\\\'',g" <<<"${RM_APTCACHE}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$ROOTPASSWORD" ] && echo "ROOTPASSWORD='$(sed "s,','\\\\'',g" <<<"${ROOTPASSWORD}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$SCRIPTS" ] && echo "SCRIPTS='$(sed "s,','\\\\'',g" <<<"${SCRIPTS}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$SECURE" ] && echo "SECURE='$(sed "s,','\\\\'',g" <<<"${SECURE}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$SELECTED_PARTITIONS" ] && echo "SELECTED_PARTITIONS='$(sed "s,','\\\\'',g" <<<"${SELECTED_PARTITIONS}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$TARGET" ] && echo "TARGET='$(sed "s,','\\\\'',g" <<<"${TARGET}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$UPGRADE_SYSTEM" ] && echo "UPGRADE_SYSTEM='$(sed "s,','\\\\'',g" <<<"${UPGRADE_SYSTEM}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$TARGET_UUID" ] && echo "TARGET_UUID='$(sed "s,','\\\\'',g" <<<"${TARGET_UUID}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$TIMEZONE" ] && echo "TIMEZONE='$(sed "s,','\\\\'',g" <<<"${TIMEZONE}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$TUNE2FS" ] && echo "TUNE2FS='$(sed "s,','\\\\'',g" <<<"${TUNE2FS}")'" >> "$CHROOT_VARIABLES"
+ [ -n "$VMSIZE" ] && echo "VMSIZE='$(sed "s,','\\\\'',g" <<<"${VMSIZE}")'" >> "$CHROOT_VARIABLES"
cp $VERBOSE "${CONFFILES}"/chroot-script "${MNTPOINT}"/bin/chroot-script
chmod 755 "${MNTPOINT}"/bin/chroot-script
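Review bot: The rewritten `ISODIR` line still serialises the wrong variable: it tests `$ISODIR` but writes `${ISO}`, so the chroot script receives the ISO value under the name `ISODIR`. This looks like a copy-paste slip carried over from the removed line; if so, the here-string should be `<<<"${ISODIR}"`, and if it is intentional it needs a comment. Repeating the same `sed "s,','\\\\'',g"` expression on about forty lines makes slips like this hard to spot. A small helper that takes the variable name and value and emits the single-quoted assignment would keep the escaping rule in one place. The enclosing function begins before this hunk and continues after it.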
--- End Message ---