-rw-r--r--debian/.git-dpm4
-rw-r--r--debian/apparmor/usr.bin.man3
-rw-r--r--debian/changelog8
-rw-r--r--debian/patches/seccomp-getrandom.patch31
-rw-r--r--debian/patches/series1
5 files changed, 45 insertions, 2 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 0c17053..e95d7f8 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
# see git-dpm(1) from git-dpm package
-67eada88c19228c53f0f4fc846c3ae71696a7ea3
-67eada88c19228c53f0f4fc846c3ae71696a7ea3
+b54bd5d3b7b1a60cc69b7df243b906f3e94d4d3c
+b54bd5d3b7b1a60cc69b7df243b906f3e94d4d3c
182141146d0ad9c735949840504bdfc66332da4e
182141146d0ad9c735949840504bdfc66332da4e
man-db_2.8.5.orig.tar.xz
diff --git a/debian/apparmor/usr.bin.man b/debian/apparmor/usr.bin.man
index 569aec9..145ed58 100644
--- a/debian/apparmor/usr.bin.man
+++ b/debian/apparmor/usr.bin.man
@@ -95,6 +95,9 @@ profile man_filter {
# do is feed data to the invoking man process.
/** r,
+ # Allow writing cat pages.
+ /var/cache/man/** w,
+
signal peer=/usr/bin/man,
# @{profile_name} doesn't seem to work here.
signal peer=/usr/bin/man//&man_filter,
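Review bot: The new rule `/var/cache/man/** w,` gives man_filter write access to the entire cache tree, which is wider than the "cat pages" named in its comment. man_filter confines the helper processes that handle page content, and the same tree presumably also holds the mandb index (`index.db`), so a misbehaving filter could modify more than formatted pages. If the cache uses the usual `cat<section>` layout, consider narrowing to `/var/cache/man/cat*/** w,` plus `/var/cache/man/*/cat*/** w,` for localized trees, checked against the paths in the two bug reports. The man_filter profile begins and ends outside this hunk, so other rules may already limit this.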
diff --git a/debian/changelog b/debian/changelog
index ae45236..f5eaffc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+man-db (2.8.5-2+deb10u1) buster-security; urgency=medium
+
+ * AppArmor: Allow man_filter to write to cat pages (closes: #926450,
+ #948238).
+ * sandbox: Allow getrandom (closes: #1061870).
+
+ -- Colin Watson <cjwatson@debian.org> Thu, 01 Feb 2024 13:35:20 +0000
+
man-db (2.8.5-2progress5u1) engywuck; urgency=medium
* Initial reupload to engywuck.
diff --git a/debian/patches/seccomp-getrandom.patch b/debian/patches/seccomp-getrandom.patch
new file mode 100644
index 0000000..67a0d67
--- /dev/null
+++ b/debian/patches/seccomp-getrandom.patch
@@ -0,0 +1,31 @@
+From b54bd5d3b7b1a60cc69b7df243b906f3e94d4d3c Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Wed, 21 Aug 2019 14:30:42 +0100
+Subject: sandbox: Allow getrandom, used by Hardened Malloc
+
+Fixes Savannah bug #56767.
+
+* lib/sandbox.c (make_seccomp_filter): Allow getrandom.
+
+Origin: upstream, https://gitlab.com/man-db/man-db/-/commit/0951f82c611c4a3c14271b0fa9c4919c84b7afe7
+Bug: https://savannah.nongnu.org/bugs/?56767
+Bug-Debian: https://bugs.debian.org/1061870
+Last-Update: 2024-01-31
+
+Patch-Name: seccomp-getrandom.patch
+---
+ lib/sandbox.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/sandbox.c b/lib/sandbox.c
+index c097482b..ce91936e 100644
+--- a/lib/sandbox.c
++++ b/lib/sandbox.c
+@@ -488,6 +488,7 @@ static scmp_filter_ctx make_seccomp_filter (int permissive)
+ SC_ALLOW ("brk");
+ SC_ALLOW ("fadvise64");
+ SC_ALLOW ("fadvise64_64");
++ SC_ALLOW ("getrandom");
+ if (permissive)
+ SC_ALLOW ("ioctl");
+ else {
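Review bot: The added `SC_ALLOW ("getrandom");` sits in the unconditional part of the allow-list with no in-source record of why it is needed; the rationale (Hardened Malloc) lives only in the patch header. A short comment above the line would help anyone later auditing or pruning the seccomp list, for example `/* getrandom: needed by allocators such as Hardened Malloc (Savannah #56767). */`. The syscall takes no path or file descriptor, so allowing it outside the `permissive` branch looks proportionate. make_seccomp_filter begins and ends outside this hunk.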
diff --git a/debian/patches/series b/debian/patches/series
index 35a5cd6..fdc1971 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
systemd-mandb-quiet.patch
+seccomp-getrandom.patch