diff options
-rw-r--r-- | debian/.git-dpm | 4 | ||||
-rw-r--r-- | debian/apparmor/usr.bin.man | 3 | ||||
-rw-r--r-- | debian/changelog | 8 | ||||
-rw-r--r-- | debian/patches/seccomp-getrandom.patch | 31 | ||||
-rw-r--r-- | debian/patches/series | 1 |
5 files changed, 45 insertions, 2 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm index 0c17053..e95d7f8 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -67eada88c19228c53f0f4fc846c3ae71696a7ea3 -67eada88c19228c53f0f4fc846c3ae71696a7ea3 +b54bd5d3b7b1a60cc69b7df243b906f3e94d4d3c +b54bd5d3b7b1a60cc69b7df243b906f3e94d4d3c 182141146d0ad9c735949840504bdfc66332da4e 182141146d0ad9c735949840504bdfc66332da4e man-db_2.8.5.orig.tar.xz diff --git a/debian/apparmor/usr.bin.man b/debian/apparmor/usr.bin.man index 569aec9..145ed58 100644 --- a/debian/apparmor/usr.bin.man +++ b/debian/apparmor/usr.bin.man @@ -95,6 +95,9 @@ profile man_filter { # do is feed data to the invoking man process. /** r, + # Allow writing cat pages. + /var/cache/man/** w, + signal peer=/usr/bin/man, # @{profile_name} doesn't seem to work here. signal peer=/usr/bin/man//&man_filter, diff --git a/debian/changelog b/debian/changelog index ae45236..f5eaffc 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +man-db (2.8.5-2+deb10u1) buster-security; urgency=medium + + * AppArmor: Allow man_filter to write to cat pages (closes: #926450, + #948238). + * sandbox: Allow getrandom (closes: #1061870). + + -- Colin Watson <cjwatson@debian.org> Thu, 01 Feb 2024 13:35:20 +0000 + man-db (2.8.5-2progress5u1) engywuck; urgency=medium * Initial reupload to engywuck. diff --git a/debian/patches/seccomp-getrandom.patch b/debian/patches/seccomp-getrandom.patch new file mode 100644 index 0000000..67a0d67 --- /dev/null +++ b/debian/patches/seccomp-getrandom.patch @@ -0,0 +1,31 @@ +From b54bd5d3b7b1a60cc69b7df243b906f3e94d4d3c Mon Sep 17 00:00:00 2001 +From: Colin Watson <cjwatson@debian.org> +Date: Wed, 21 Aug 2019 14:30:42 +0100 +Subject: sandbox: Allow getrandom, used by Hardened Malloc + +Fixes Savannah bug #56767. + +* lib/sandbox.c (make_seccomp_filter): Allow getrandom. + +Origin: upstream, https://gitlab.com/man-db/man-db/-/commit/0951f82c611c4a3c14271b0fa9c4919c84b7afe7 +Bug: https://savannah.nongnu.org/bugs/?56767 +Bug-Debian: https://bugs.debian.org/1061870 +Last-Update: 2024-01-31 + +Patch-Name: seccomp-getrandom.patch +--- + lib/sandbox.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/sandbox.c b/lib/sandbox.c +index c097482b..ce91936e 100644 +--- a/lib/sandbox.c ++++ b/lib/sandbox.c +@@ -488,6 +488,7 @@ static scmp_filter_ctx make_seccomp_filter (int permissive) + SC_ALLOW ("brk"); + SC_ALLOW ("fadvise64"); + SC_ALLOW ("fadvise64_64"); ++ SC_ALLOW ("getrandom"); + if (permissive) + SC_ALLOW ("ioctl"); + else { diff --git a/debian/patches/series b/debian/patches/series index 35a5cd6..fdc1971 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ systemd-mandb-quiet.patch +seccomp-getrandom.patch |