https://bugzilla.novell.com/show_bug.cgi?id=784670 https://bugzilla.novell.com/show_bug.cgi?id=784670#c1 Michal Vyskocil changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P2 - High Status|NEW |NEEDINFO InfoProvider| |security-team@suse.de --- Comment #1 from Michal Vyskocil 2012-10-12 07:03:54 UTC --- Hallo security team, would you consider it as a security issue? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=784670 https://bugzilla.novell.com/show_bug.cgi?id=784670#c3 Johannes Meixner changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|RPM macro %fdupes links |RPM macro %fdupes links |files with different owner, |files with different owner, |group, or permissions |group, or permissions and | |across sub-package | |boundaries --- Comment #3 from Johannes Meixner 2012-10-12 10:42:42 CEST --- It was in the hplip package where I found the issue: HPLIP's upstream "make install" installs (owner:group is root:root for all): -rw-r--r-- 962 /usr/share/hplip/fax/pstotiff -rw-r--r-- 778 /usr/share/hplip/fax/pstotiff.convs -rw-r--r-- 2084 /usr/share/hplip/fax/pstotiff.types and -rwxr-xr-x 962 /usr/lib/cups/filter/pstotiff -rw-r--r-- 778 /etc/cups/pstotiff.convs -rw-r--r-- 2084 /etc/cups/pstotiff.types The RPM macro %fdupes results (I leave out the file size): -rw-r--r-- /usr/share/hplip/fax/pstotiff lrwxrwxrwx /usr/share/hplip/fax/pstotiff.convs -> /etc/cups/pstotiff.convs lrwxrwxrwx /usr/share/hplip/fax/pstotiff.types -> /etc/cups/pstotiff.types lrwxrwxrwx /usr/lib/cups/filter/pstotiff -> ../../../share/hplip/fax/pstotiff -rw-r--r-- /etc/cups/pstotiff.convs -rw-r--r-- /etc/cups/pstotiff.types This causes several issues for HPLIP: /usr/lib/cups/filter/pstotiff is no longer executable which causes bnc#783810 (Faxing an image file using hplip fails) /usr/share/hplip/fax/pstotiff /usr/share/hplip/fax/pstotiff.convs and /usr/share/hplip/fax/pstotiff.types are in the main package "hplip" but /usr/lib/cups/filter/pstotiff /etc/cups/pstotiff.convs and /etc/cups/pstotiff.types are in the sub-package "hplip-hpijs" The RPM macro %fdupes links across sub-package boundaries which can result dangling symlinks if a sub-package or the main package is not installed. In my case "hplip" requires "hplip-hpijs" but "hplip-hpijs" does not require "hplip" so that the %fdupes link /usr/lib/cups/filter/pstotiff -> ../../../share/hplip/fax/pstotiff becomes dangling if only "hplip-hpijs" is installed. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=784670 https://bugzilla.novell.com/show_bug.cgi?id=784670#c5 --- Comment #5 from Johannes Meixner 2012-10-12 11:57:05 CEST --- Many thanks for the fast response! Because I provide HPLIP in the Printing project also for older products like SLE_11, SLE_11_SP1, SLE_11_SP2 I cannot use "fdupes -p" (I must work with what I get in the build environments). For my "hplip" package I will exchange the dumb %fdupes -s %{buildroot} call by a more specific call (or calls) only for particular directories where linking files with same content should be safe. Regarding complete path checking: I think the security experts should decide this because this is too complicated for me - e.g. what about if there are links in the path or what about different filesystems under different path with different capabilities regarding access permissions e.g. ACLs or such stuff... Regarding %fdupes links across sub-package boundaries: One more reason to have this issue reported under "BuildService" to have them at least aware of the issue. rpmlint does not show a dangling symlink warning in any case when there are links across sub-package boundaries. Currently I get for hplip only: ------------------------------------------------------------------------- $ osc remotebuildlog Printing hplip openSUSE_12.2 i586 | grep dangling [ 566s] hplip.i586: W: dangling-symlink /usr/share/hplip/fax/pstotiff.types /etc/cups/pstotiff.types [ 566s] hplip.i586: W: dangling-symlink /usr/share/hplip/fax/pstotiff.convs /etc/cups/pstotiff.convs ------------------------------------------------------------------------- rpmlint finds links from the main package to files in a sub-package but not links from a sub-package to files in the main package. And the above dangling-symlink warnings are false-positives because here the main package requires the sub-package. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=784670 https://bugzilla.novell.com/show_bug.cgi?id=784670#c7 --- Comment #7 from Johannes Meixner 2012-10-12 13:12:56 CEST --- I filed bnc#784869 (rpmlint should warn about all links across sub-package boundaries) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=784670 https://bugzilla.novell.com/show_bug.cgi?id=784670#c9 Marcus Meissner changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |meissner@suse.com --- Comment #9 from Marcus Meissner 2012-10-19 11:28:01 UTC --- Can we identify the affected packages of case 1 mixed permissions/ownerships? especially as we cannot rebuild all of the distro on a whim -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=784670 https://bugzilla.novell.com/show_bug.cgi?id=784670#c Marcus Meissner changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|RPM macro %fdupes links |VUL-1: fdupes: RPM macro |files with different owner, |%fdupes links files with |group, or permissions |different owner, group, or | |permissions -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=784670 https://bugzilla.novell.com/show_bug.cgi?id=784670#c12 --- Comment #12 from Michal Vyskocil 2012-10-25 13:00:35 UTC --- (In reply to comment #9)

Can we identify the affected packages of case 1 mixed permissions/ownerships?

Store all build logs from Factory, trigger the complete rebuild and review the rpmling warnings for duplicated files? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=784670 https://bugzilla.novell.com/show_bug.cgi?id=784670#c14 Michal Vyskocil changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|security-team@suse.de | --- Comment #14 from Michal Vyskocil 2012-10-26 13:20:52 UTC --- Cool, then I'll prepare the maintenance update ... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=784670 https://bugzilla.novell.com/show_bug.cgi?id=784670#c16 --- Comment #16 from Marcus Meissner 2012-10-30 13:18:06 UTC --- Created an attachment (id=511349) --> (http://bugzilla.novell.com/attachment.cgi?id=511349) fdupes-opensuse12.2.log list of file permission mismatches during fdupes. we do not need to fix them all I think. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=784670 https://bugzilla.novell.com/show_bug.cgi?id=784670#c18 Michal Vyskocil changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |ajorgensen@novell.com, | |ke@suse.com, | |mseben@gmail.com, | |os.gnome.maintainers@gmail. | |com, speilicke@suse.com --- Comment #18 from Michal Vyskocil 2012-10-31 10:41:29 UTC --- (In reply to comment #15)

12.2:

dicts

0644 vs 0640 in COPYING files, not need to update

docbook-xsl-stylesheets

don't know - Karl, please check the log in comment#16 if the link was intentional, or not

erlang

don't know - Sascha, please check the log in comment#16 if the link was intentional, or not

gimp-help

one png file got 0755, no need to update

gnome-blog

don't know, gnome maintainers, please check the log in comment#16 to realize if link was intentional, or not

hawk

no needed, 0664 vc 0644 in COPYING

hplip

this one triggers the bug, so I would say we need to rebuit it

ipsec-tools

not needed, some 0600 vc 0644 in examples

kernel-source

0755 vs 0644 in header files, not needed to update

leechcraft

a lot of 0755 vs 0644 differences in images

mono-core

Andrew, please please check the log in comment#16 to realize if link was intentional, or not - to me it seems like packaging bug

ndoutils

0755 vs 0644 in png files, not needed to update

python-M2Crypto

sascha, next your package, please check

texlive-bin

0755 vs 0644 in some data files, no need to update

virtualbox

there are some so files with 0644, michal, please review the log in comment#16 - it seems like packaging bug -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=784670 https://bugzilla.novell.com/show_bug.cgi?id=784670#c20 --- Comment #20 from Sascha Peilicke 2012-10-31 13:17:30 UTC --- (In reply to comment #18)

...

erlang

don't know - Sascha, please check the log in comment#16 if the link was intentional, or not False positive, the script is comparing different files, no?

erlang.i586.log:[ 947s] files erlang-R14B04-3.2.1.i386//usr/lib/erlang/erts-5.8.5/bin/start_erl.src and erlang-R14B04-3.2.1.i386//usr/lib/erlang/bin/start_erl compare 100644 vs 100755, but modes are different!

...

python-M2Crypto

sascha, next your package, please check

python-M2Crypto.i586.log:[ 72s] files ./M2Crypto/BN.py and ./build/lib.linux-i686-2.7/M2Crypto/BN.py compare 100755 vs 100644, but modes are different! Dito, BN.py is installed only once (i.e. not linked). So I limited the scope of fdupes, see sr#139855. Not worth an update to 12.2 IMO. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=784670 https://bugzilla.novell.com/show_bug.cgi?id=784670#c22 --- Comment #22 from Karl Eichwalder 2012-10-31 14:52:24 CET --- (In reply to comment #18)

...

docbook-xsl-stylesheets

don't know - Karl, please check the log in comment#16 if the link was intentional, or not

Not nice, but in the worst case there are just links from /usr/share/xml/docbook/stylesheet/$SOME/$THING to /usr/bin/$SCRIPT executables such as ls -l /usr/share/xml/docbook/stylesheet/nwalsh/1.77.1/epub/bin/dbtoepub lrwxrwxrwx 1 root root 36 Sep 12 11:30 /usr/share/xml/docbook/stylesheet/nwalsh/1.77.1/epub/bin/dbtoepub -> ../../../../../../../../bin/dbtoepub* DO you think that that's ok? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=784670 https://bugzilla.novell.com/show_bug.cgi?id=784670#c24 --- Comment #24 from Bernhard Wiedemann 2012-10-31 15:00:09 CET --- This is an autogenerated message for OBS integration: This bug (784670) was mentioned in https://build.opensuse.org/request/show/139855 Factory / python-M2Crypto -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=784670 https://bugzilla.novell.com/show_bug.cgi?id=784670#c26 --- Comment #26 from Michal Vyskocil 2012-10-31 14:09:45 UTC --- (In reply to comment #22)

Not nice, but in the worst case there are just links from /usr/share/xml/docbook/stylesheet/$SOME/$THING to /usr/bin/$SCRIPT executables such as

ls -l /usr/share/xml/docbook/stylesheet/nwalsh/1.77.1/epub/bin/dbtoepub lrwxrwxrwx 1 root root 36 Sep 12 11:30 /usr/share/xml/docbook/stylesheet/nwalsh/1.77.1/epub/bin/dbtoepub -> ../../../../../../../../bin/dbtoepub*

DO you think that that's ok?

I would say no need to maintenance update - in the worst case you'll end with /usr/bin/$SCRIPT beeing a symlink to 0644 file, which breaks the package, but it's not a security issue. However you should change the mode of all $HOME/$THING to 0755, because fdupes now sorts according mtab, so the 0644 /usr/bin symlink might happen. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=784670 https://bugzilla.novell.com/show_bug.cgi?id=784670#c28 --- Comment #28 from Marcus Meissner 2012-10-31 14:27:06 UTC --- karl, it did not check this fact... it only compared file content up to now. Thats the bug :/ -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=784670 https://bugzilla.novell.com/show_bug.cgi?id=784670#c30 --- Comment #30 from Bernhard Wiedemann 2012-10-31 16:00:10 CET --- This is an autogenerated message for OBS integration: This bug (784670) was mentioned in https://build.opensuse.org/request/show/139862 Factory / ipsec-tools https://build.opensuse.org/request/show/139863 Factory / dicts -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=784670 https://bugzilla.novell.com/show_bug.cgi?id=784670#c32 --- Comment #32 from Michal Vyskocil 2012-11-01 08:40:32 UTC --- (In reply to comment #29)

Yes, but we will fix it for Factory? I do not understand, why Michal says:

Hi Karl, sorry for beeing cryptic

"However you should change the mode of all $HOME/$THING to 0755, because fdupes now sorts according mtab, so the 0644 /usr/bin symlink might happen."

The SUSE patched fdupes sort duplicates according name - that means, the output for docbook package was usr/bin/dbtoepub usr/share/xml/docbook/stylesheet/nwalsh/1.77.1/epub/bin/dbtoepub so the %fdupes macro left the first line untouched and converted all others to a link. But that have changed in Factory, because in fdupes 1.5 upstream have added the sorting according mtime. I did not want to deviate from upstream much, but it's no longer guaranteed that shorter path will win. On the other hand, %fdupes no longer link files with different uid/gid/permissions, so that's not the big issue.

Shall I do this for 12.2? Or for Factory (just for sure?)?

Factory is enough. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.