-rw-r--r--debian/changelog14
-rw-r--r--debian/patches/drop-privs-after-opening-savefile.diff12
-rw-r--r--debian/patches/drop-privs-only-if-non-root.diff42
-rw-r--r--debian/patches/drop-privs-silently.diff4
-rw-r--r--debian/patches/install.diff2
-rw-r--r--debian/patches/man-section.diff4
-rw-r--r--debian/patches/series1
7 files changed, 25 insertions, 54 deletions
diff --git a/debian/changelog b/debian/changelog
index 1b35ca7..319e0f3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+tcpdump (4.99.5-1) unstable; urgency=low
+
+ * New upstream release.
+ * Drop upstream patch related to #1035842, now included.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sun, 01 Sep 2024 12:49:43 +0200
+
+tcpdump (4.99.4-5) unstable; urgency=medium
+
+ * Avoid getpwnam(NULL) when called with `-Z root', thanks to Rodney
+ Dawes <dobey@ubuntu.com> for the report and patch (closes: #1078771).
+
+ -- Romain Francoise <rfrancoise@debian.org> Fri, 23 Aug 2024 18:53:46 +0200
+
tcpdump (4.99.4-4) unstable; urgency=medium
* debian/watch: switch to .tar.xz URLs as upstream homepage no longer
diff --git a/debian/patches/drop-privs-after-opening-savefile.diff b/debian/patches/drop-privs-after-opening-savefile.diff
index a4c856a..664e980 100644
--- a/debian/patches/drop-privs-after-opening-savefile.diff
+++ b/debian/patches/drop-privs-after-opening-savefile.diff
@@ -9,7 +9,7 @@ Origin: https://src.fedoraproject.org/rpms/tcpdump/raw/master/f/0003-Drop-root-p
--- a/tcpdump.1.in
+++ b/tcpdump.1.in
-@@ -269,6 +269,9 @@
+@@ -268,6 +268,9 @@
flag, with a number after it, starting at 1 and continuing upward.
The units of \fIfile_size\fP are millions of bytes (1,000,000 bytes,
not 1,048,576 bytes).
@@ -19,7 +19,7 @@ Origin: https://src.fedoraproject.org/rpms/tcpdump/raw/master/f/0003-Drop-root-p
.TP
.B \-d
Dump the compiled packet-matching code in a human readable form to
-@@ -966,12 +969,14 @@
+@@ -965,12 +968,14 @@
If
.I tcpdump
is running as root, after opening the capture device or input savefile,
@@ -38,7 +38,7 @@ Origin: https://src.fedoraproject.org/rpms/tcpdump/raw/master/f/0003-Drop-root-p
selects which packets will be dumped.
--- a/tcpdump.c
+++ b/tcpdump.c
-@@ -1510,6 +1510,7 @@
+@@ -1511,6 +1511,7 @@
cap_rights_t rights;
int cansandbox;
#endif /* HAVE_CAPSICUM */
@@ -46,7 +46,7 @@ Origin: https://src.fedoraproject.org/rpms/tcpdump/raw/master/f/0003-Drop-root-p
int Oflag = 1; /* run filter code optimizer */
int yflag_dlt = -1;
const char *yflag_dlt_name = NULL;
-@@ -2338,6 +2339,19 @@
+@@ -2372,6 +2373,19 @@
}
capng_apply(CAPNG_SELECT_BOTH);
#endif /* HAVE_LIBCAP_NG */
@@ -66,13 +66,13 @@ Origin: https://src.fedoraproject.org/rpms/tcpdump/raw/master/f/0003-Drop-root-p
if (username || chroot_dir)
droproot(username, chroot_dir);
-@@ -2395,6 +2409,22 @@
+@@ -2429,6 +2443,22 @@
#endif /* HAVE_LIBCAP_NG */
if (pdd == NULL)
error("%s", pcap_geterr(pd));
+
+ /* Change ownership of file and drop root privileges */
-+ if (chown_flag) {
++ if (chown_flag && username) {
+ struct passwd *pwd;
+
+ pwd = getpwnam(username);
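Review bot: The new guard `if (chown_flag && username)` skips the savefile chown without any message when `username` is NULL, but the comment above it still reads as if the ownership change and privilege drop always happen. Judging by the dropped drop-privs-only-if-non-root patch, `-Z root` is what sets `username = NULL`, so the comment should say so, e.g. `/* Change ownership of file and drop root privileges; username is NULL for -Z root, in which case the savefile stays root-owned */`. The block continues past the end of this hunk, so the handling of the `getpwnam(username)` result is not visible here. It is worth confirming that `pwd` is tested for NULL before `pwd->pw_uid` is used, since an unknown `-Z` name would otherwise be dereferenced while the process presumably still holds root.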
diff --git a/debian/patches/drop-privs-only-if-non-root.diff b/debian/patches/drop-privs-only-if-non-root.diff
deleted file mode 100644
index 25a3a8e..0000000
--- a/debian/patches/drop-privs-only-if-non-root.diff
+++ /dev/null
@@ -1,42 +0,0 @@
-From dec0e5183c026ccef342ba3a877c13c1cdab61d5 Mon Sep 17 00:00:00 2001
-From: Martin Willi <martin@strongswan.org>
-Date: Tue, 12 Nov 2019 13:43:31 +0100
-Subject: [PATCH] Skip privilege dropping when using -Z root on --with-user
- builds
-Forwarded: not-needed
-
-Distributions which started building --with-user to switch to an
-unpriviliged user claim that the old behavior of running under root
-can be restored by passing "-Z root" on the command line. However,
-doing so is different from not using --with-user, as tcpdump still
-drops privileges and sets supplementary user groups.
-
-In Linux containers using user namespaces with an in-container root
-user mapped to an unprivileged external user, calling setgroups() is
-usually denied, as it would allow that unprivileged user to leave
-groups (see user_namespaces(7) for details). Passing "-Z root" on
-a --with-user build still goes through initgroups() and therefore
-setgroups(), which will fail in such a container environment. This
-makes tcpdump builds using --with-user effectively unusable in such
-containers.
-
-Adjust the "-Z root" fallback to skip any privilege dropping and
-supplementary group setup, making it identical to builds not using
---with-user.
----
- tcpdump.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/tcpdump.c b/tcpdump.c
-index 219ac2a2b..36ba60c17 100644
---- a/tcpdump.c
-+++ b/tcpdump.c
-@@ -2078,6 +2078,8 @@ main(int argc, char **argv)
- /* Run with '-Z root' to restore old behaviour */
- if (!username)
- username = WITH_USER;
-+ else if (strcmp(username, "root") == 0)
-+ username = NULL;
- }
- #endif
-
diff --git a/debian/patches/drop-privs-silently.diff b/debian/patches/drop-privs-silently.diff
index b4a5412..7e14887 100644
--- a/debian/patches/drop-privs-silently.diff
+++ b/debian/patches/drop-privs-silently.diff
@@ -8,7 +8,7 @@ Origin: vendor, https://src.fedoraproject.org/rpms/tcpdump/raw/master/f/0008-Don
--- a/tcpdump.c
+++ b/tcpdump.c
-@@ -788,8 +788,6 @@
+@@ -786,8 +786,6 @@
int ret = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_NO_FLAG);
if (ret < 0)
error("capng_change_id(): return %d\n", ret);
@@ -17,7 +17,7 @@ Origin: vendor, https://src.fedoraproject.org/rpms/tcpdump/raw/master/f/0008-Don
}
#else
if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||
-@@ -799,9 +797,6 @@
+@@ -797,9 +795,6 @@
(unsigned long)pw->pw_uid,
(unsigned long)pw->pw_gid,
pcap_strerror(errno));
diff --git a/debian/patches/install.diff b/debian/patches/install.diff
index 69a550f..64d8ed2 100644
--- a/debian/patches/install.diff
+++ b/debian/patches/install.diff
@@ -4,7 +4,7 @@ Author: Romain Francoise <rfrancoise@debian.org>
--- a/Makefile.in
+++ b/Makefile.in
-@@ -424,15 +424,14 @@
+@@ -426,15 +426,14 @@
[ -d $(DESTDIR)$(bindir) ] || \
(mkdir -p $(DESTDIR)$(bindir); chmod 755 $(DESTDIR)$(bindir))
$(INSTALL_PROGRAM) $(PROG) $(DESTDIR)$(bindir)/$(PROG)
diff --git a/debian/patches/man-section.diff b/debian/patches/man-section.diff
index 83df10d..f05a532 100644
--- a/debian/patches/man-section.diff
+++ b/debian/patches/man-section.diff
@@ -8,8 +8,8 @@ Author: Romain Francoise <rfrancoise@debian.org>
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
--.TH TCPDUMP 1 "12 March 2023"
-+.TH TCPDUMP 8 "12 March 2023"
+-.TH TCPDUMP 1 "26 March 2024"
++.TH TCPDUMP 8 "26 March 2024"
.SH NAME
tcpdump \- dump traffic on a network
.SH SYNOPSIS
diff --git a/debian/patches/series b/debian/patches/series
index 297b6c9..1e2e8a9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,5 +1,4 @@
drop-privs-after-opening-savefile.diff
drop-privs-silently.diff
-drop-privs-only-if-non-root.diff
install.diff
man-section.diff