From e6f6dd3c508f82345b0bf58de12f7ce4033690d5 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Tue, 7 May 2024 07:30:17 +0200
Subject: Merging debian version 2.8.5-2+deb10u1.
Signed-off-by: Daniel Baumann
---
 debian/.git-dpm | 4 ++--
 debian/apparmor/usr.bin.man | 3 +++
 debian/changelog | 8 ++++++++
 debian/patches/seccomp-getrandom.patch | 31 +++++++++++++++++++++++++++++++
 debian/patches/series | 1 +
 5 files changed, 45 insertions(+), 2 deletions(-)
 create mode 100644 debian/patches/seccomp-getrandom.patch
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 0c17053..e95d7f8 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-67eada88c19228c53f0f4fc846c3ae71696a7ea3
-67eada88c19228c53f0f4fc846c3ae71696a7ea3
+b54bd5d3b7b1a60cc69b7df243b906f3e94d4d3c
+b54bd5d3b7b1a60cc69b7df243b906f3e94d4d3c
 182141146d0ad9c735949840504bdfc66332da4e
 182141146d0ad9c735949840504bdfc66332da4e
 man-db_2.8.5.orig.tar.xz
diff --git a/debian/apparmor/usr.bin.man b/debian/apparmor/usr.bin.man
index 569aec9..145ed58 100644
--- a/debian/apparmor/usr.bin.man
+++ b/debian/apparmor/usr.bin.man
@@ -95,6 +95,9 @@ profile man_filter {
 # do is feed data to the invoking man process.
 /** r,
+ # Allow writing cat pages.
+ /var/cache/man/** w,
+
 signal peer=/usr/bin/man,
 # @{profile_name} doesn't seem to work here.
 signal peer=/usr/bin/man//&man_filter,
diff --git a/debian/changelog b/debian/changelog
index ae45236..f5eaffc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+man-db (2.8.5-2+deb10u1) buster-security; urgency=medium
+
+ * AppArmor: Allow man_filter to write to cat pages (closes: #926450,
+ #948238).
+ * sandbox: Allow getrandom (closes: #1061870).
+
+ -- Colin Watson Thu, 01 Feb 2024 13:35:20 +0000
+
 man-db (2.8.5-2progress5u1) engywuck; urgency=medium
 * Initial reupload to engywuck.
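Review bot: In the debian/apparmor/usr.bin.man hunk, the new rule `/var/cache/man/** w,` lets every process confined by man_filter write anywhere under the cache tree, although its comment speaks only of cat pages. These filters presumably handle page content that is not trusted, so the grant is better limited to the cat directories, for example `/var/cache/man/cat*/** w,` plus `/var/cache/man/*/cat*/** w,` for per-locale trees (to be adjusted to the real cache layout). Anything else kept under /var/cache/man would then stay out of reach of a misbehaving filter. The comment could also name which filter performs the write, so a later audit can tell whether the rule is still needed. The man_filter profile starts and ends outside the hunk, so rules elsewhere in it may change this picture.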
diff --git a/debian/patches/seccomp-getrandom.patch b/debian/patches/seccomp-getrandom.patch
new file mode 100644
index 0000000..67a0d67
--- /dev/null
+++ b/debian/patches/seccomp-getrandom.patch
@@ -0,0 +1,31 @@
+From b54bd5d3b7b1a60cc69b7df243b906f3e94d4d3c Mon Sep 17 00:00:00 2001
+From: Colin Watson
+Date: Wed, 21 Aug 2019 14:30:42 +0100
+Subject: sandbox: Allow getrandom, used by Hardened Malloc
+
+Fixes Savannah bug #56767.
+
+* lib/sandbox.c (make_seccomp_filter): Allow getrandom.
+
+Origin: upstream, https://gitlab.com/man-db/man-db/-/commit/0951f82c611c4a3c14271b0fa9c4919c84b7afe7
+Bug: https://savannah.nongnu.org/bugs/?56767
+Bug-Debian: https://bugs.debian.org/1061870
+Last-Update: 2024-01-31
+
+Patch-Name: seccomp-getrandom.patch
+---
+ lib/sandbox.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/sandbox.c b/lib/sandbox.c
+index c097482b..ce91936e 100644
+--- a/lib/sandbox.c
++++ b/lib/sandbox.c
+@@ -488,6 +488,7 @@ static scmp_filter_ctx make_seccomp_filter (int permissive)
+ SC_ALLOW ("brk");
+ SC_ALLOW ("fadvise64");
+ SC_ALLOW ("fadvise64_64");
++ SC_ALLOW ("getrandom");
+ if (permissive)
+ SC_ALLOW ("ioctl");
+ else {
diff --git a/debian/patches/series b/debian/patches/series
index 35a5cd6..fdc1971 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 systemd-mandb-quiet.patch
+seccomp-getrandom.patch
-- cgit v1.2.3
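Review bot: In the lib/sandbox.c hunk carried by debian/patches/seccomp-getrandom.patch, `SC_ALLOW ("getrandom");` joins the unconditional allow-list with no comment, so the reason for widening the filter is recorded only in the patch header. A one-line comment above it, such as `/* Needed by Hardened Malloc (Savannah #56767); fills a caller buffer, takes no fd or path. */`, would keep the justification next to the rule for later audits of the list. Allowing the call in both permissive and non-permissive modes looks reasonable for a syscall of this kind. make_seccomp_filter begins and ends outside the hunk, so how the filter treats unlisted syscalls cannot be checked from here.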