CVE-2010-4170 and CVE-2010-4171: staprun module loading/unloading security fixes

Bug #677226 reported by Lorenzo De Liso
Affects             Status        Importance  Assigned to  Milestone
systemtap (Debian)  Fix Released  Unknown
systemtap (Ubuntu)  Fix Released  High        Unassigned
  Maverick          Fix Released  High        Unassigned

Bug Description

Binary package hint: systemtap

Two security problems have been found in the setuid-root /usr/bin/staprun program [1]. The issues have been fixed upstream [2]. See CVE-2010-4170 and CVE-2010-4171.

[1] http://sources.redhat.com/ml/systemtap/2010-q4/msg00230.html
[2] http://sources.redhat.com/git/gitweb.cgi?p=systemtap.git;a=commit;h=b7565b41228bea196cefa3a7d43ab67f8f9152e2

Lorenzo De Liso (blackz)
visibility: private → public
Changed in systemtap (Ubuntu):
importance: Undecided → High
Changed in systemtap (Ubuntu Maverick):
importance: Undecided → High
Changed in systemtap (Ubuntu):
assignee: nobody → Lorenzo De Liso (blackz)
status: New → In Progress
Changed in systemtap (Ubuntu Maverick):
assignee: nobody → Lorenzo De Liso (blackz)
status: New → In Progress
Changed in systemtap (Debian):
status: Unknown → New
Lorenzo De Liso (blackz) wrote :

Debdiff for natty.

Lorenzo De Liso (blackz) wrote :

Debdiff for maverick.

Changed in systemtap (Ubuntu):
assignee: Lorenzo De Liso (blackz) → nobody
status: In Progress → New
Changed in systemtap (Ubuntu Maverick):
assignee: Lorenzo De Liso (blackz) → nobody
status: In Progress → New
Steve Beattie (sbeattie) wrote :

Looking at http://sources.redhat.com/git/gitweb.cgi?p=systemtap.git;a=commit;h=b7565b41228bea196cefa3a7d43ab67f8f9152e2 , one thing that's done that's missing from your debdiff is to install staprun without world execute privileges and instead limit execution to users in the stapusr group, to minimize the risk from future vulnerabilities. Do you think you could add that?

Lorenzo De Liso (blackz) wrote :

Corrected debdiff for natty.

Lorenzo De Liso (blackz) wrote :

Corrected debdiff for maverick.

Changed in systemtap (Debian):
status: New → Fix Committed
Steve Beattie (sbeattie) wrote :

Unfortunately, relying on build time permission setting is insufficient; dh_fixperms removes the setuid bit and converts everything to root ownership. In order to fix it to be owned, we need to do dpkg-statoverride in the postinst (as well as tweak the dh_fixperms_override step in the debian rules file), like so:

diff -Nru systemtap-1.3/debian/rules systemtap-1.3/debian/rules
--- systemtap-1.3/debian/rules 2010-08-06 11:34:25.000000000 -0700
+++ systemtap-1.3/debian/rules 2010-11-19 15:26:42.000000000 -0800
@@ -87,7 +87,7 @@

 override_dh_fixperms:
  dh_fixperms
- chmod 4755 debian/systemtap-runtime/usr/bin/staprun
+ chmod 4750 debian/systemtap-runtime/usr/bin/staprun

 override_dh_installchangelogs:
          dh_installchangelogs debian/changelog
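Review bot: the chmod 4750 only changes the mode; after dh_fixperms the file is still owned root:root, so as built the binary is executable by root alone and relies entirely on the postinst statoverride to become usable by the stapusr group. That is the intended design, but a one-line comment above the chmod saying so (and why 4755 was dropped) would stop a future maintainer from "fixing" it back to world-executable.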
diff -Nru systemtap-1.3/debian/systemtap-runtime.postinst systemtap-1.3/debian/systemtap-runtime.postinst
--- systemtap-1.3/debian/systemtap-runtime.postinst 2010-08-06 11:34:25.000000000 -0700
+++ systemtap-1.3/debian/systemtap-runtime.postinst 2010-11-19 15:30:31.000000000 -0800
@@ -12,6 +12,11 @@
   echo "Adding stapusr group..."
   addgroup --quiet --system stapusr || true
  fi
+ # Fixup staprun binary for new group 'stapusr'.
+ if [ -x /usr/sbin/dpkg-statoverride ] &&
+ ! dpkg-statoverride --list /usr/bin/staprun > /dev/null ; then
+ dpkg-statoverride --update --add root stapusr 4750 /usr/bin/staprun
+ fi
  ;;
 abort-upgrade|abort-remove|abort-deconfigure)
  ;;
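Review bot: `addgroup --quiet --system stapusr || true` just above swallows a group-creation failure, but `dpkg-statoverride --update --add root stapusr 4750 /usr/bin/staprun` will then fail on the unknown group and, if the script runs with `set -e`, abort the postinst; consider guarding the override with `getent group stapusr >/dev/null`. The `! dpkg-statoverride --list` guard correctly leaves an admin-set override alone, but no matching `dpkg-statoverride --remove` on purge appears in this diff; the postrm should drop the record so a purged package does not leave a stale override behind.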

I've incorporated this into packages that I've uploaded to the ubuntu-security-proposed ppa at https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/+packages and verified that the permissions and ownership are such that only users in the stapusr group (as well as root) can run staprun, and that the upstream patch addresses Tavis' example cases:

   $ staprun [module_to_remove]

and

  $ MODPROBE_OPTIONS="--dirname /tmp" staprun -u whatever

Thanks.
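Added example (not part of the bug report or of the systemtap package): a small POSIX sh check of the state the postinst above is meant to produce, i.e. a setuid-root binary that is group-executable only, plus a parser for the `dpkg-statoverride --list` record that keeps it that way across upgrades. Function names are mine, and the mode check assumes `stat -c` as provided by GNU coreutils or busybox on Debian/Ubuntu.

```shell
#!/bin/sh
# Verify that PATH is installed as mode 4750 and owned by OWNER:GROUP,
# i.e. setuid, executable by owner and group, and not by others.
# Returns 0 when everything matches, 1 on the first mismatch.
check_restricted_setuid() {
    path=$1; want_owner=$2; want_group=$3
    [ -f "$path" ] || { echo "$path: missing"; return 1; }
    # stat -c '%a %U %G' prints e.g. "4750 root stapusr" (assumed GNU/busybox stat).
    info=$(stat -c '%a %U %G' "$path" 2>/dev/null) || { echo "$path: stat failed"; return 1; }
    set -- $info
    mode=$1; owner=$2; group=$3
    # Leading 4 = setuid bit; trailing 0 = no permissions for "other".
    case $mode in
        4750) ;;
        *) echo "$path: mode $mode, want 4750"; return 1 ;;
    esac
    [ "$owner" = "$want_owner" ] || { echo "$path: owner $owner, want $want_owner"; return 1; }
    [ "$group" = "$want_group" ] || { echo "$path: group $group, want $want_group"; return 1; }
    return 0
}

# Check one line of `dpkg-statoverride --list PATH` output, whose form is
# "<owner> <group> <mode> <path>", against the expected OWNER GROUP MODE.
# dpkg re-applies this record on every upgrade, so it must be right too.
check_override_record() {
    line=$1; path=$2; want_owner=$3; want_group=$4; want_mode=$5
    set -- $line
    [ "$#" -eq 4 ] || { echo "malformed override record: $line"; return 1; }
    [ "$4" = "$path" ] && [ "$1" = "$want_owner" ] \
        && [ "$2" = "$want_group" ] && [ "$3" = "$want_mode" ]
}

# Typical use on an installed system (not run here):
#   check_restricted_setuid /usr/bin/staprun root stapusr
#   check_override_record "$(dpkg-statoverride --list /usr/bin/staprun)" \
#       /usr/bin/staprun root stapusr 4750
```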

Lorenzo De Liso (blackz) wrote :

Re-updated debdiff for natty.

Lorenzo De Liso (blackz) wrote :

Re-updated debdiff for maverick.

Lorenzo De Liso (blackz) wrote :
Changed in systemtap (Debian):
status: Fix Committed → Fix Released
Lorenzo De Liso (blackz) wrote :

Oh sorry, I see now you uploaded the packages with the same fixes to https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/+packages . They look fine to me.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemtap - 1.3-1ubuntu0.1

---------------
systemtap (1.3-1ubuntu0.1) maverick-security; urgency=low

  [ Lorenzo De Liso ]
  * SECURITY UPDATE: staprun module loading/unloading security fixes
    (LP: #677226)
    - debian/patches/CVE-2010-4170+CVE-2010-4171.patch
    - CVE 2010-4170
    - CVE 2010-4171

  [ Steve Beattie ]
  * debian/rules, debian/systemtap-runtime.postinst: restrict
    executable access to group stapusr to match upstream intent
 -- Steve Beattie <email address hidden> Fri, 19 Nov 2010 23:08:25 -0800

Changed in systemtap (Ubuntu Maverick):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemtap - 1.3-1ubuntu1

---------------
systemtap (1.3-1ubuntu1) natty; urgency=low

  [ Lorenzo De Liso ]
  * SECURITY UPDATE: staprun module loading/unloading security fixes
    (LP: #677226)
    - debian/patches/CVE-2010-4170+CVE-2010-4171.patch
    - CVE 2010-4170
    - CVE 2010-4171

  [ Steve Beattie ]
  * debian/rules, debian/systemtap-runtime.postinst: restrict
    executable access to group stapusr to match upstream intent
 -- Steve Beattie <email address hidden> Fri, 19 Nov 2010 15:32:49 -0800

Changed in systemtap (Ubuntu):
status: New → Fix Released
Changed in systemtap (Debian):
status: Fix Released → New
Changed in systemtap (Debian):
status: New → Fix Released