Apologies for my long delay in dealing with these bugs, both reported by halfdog. Fixes turned out to be quite complicated, since in part they involved unwinding incorrect logic from nearly 20 years ago and ensuring that everything else built on that was appropriately adjusted.
Here are the relevant sections from my release announcement, which should appear at https://lists.nongnu.org/archive/html/man-db-announce/2016-12/msg00000.html in the near future:
* SECURITY: Eliminate dangerous setgid-root directories. In the default
configuration, cache files and directories are now owned by man:man
rather than man:root; man and mandb are now setgid man as well as
setuid man (except in the --disable-setuid case). This is a much
simpler and safer solution to the original problem that caused my
predecessor to make directories setgid root, and doesn't introduce any
interesting new privilege since the man group's only real purpose is
to be the man user's primary group and nothing in cache directories is
group-writeable.
Maintainers of distribution packagers should take care to review their
installation rules in light of this change.
As far as I know this has no CVE ID, but it is described here:
http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/
[...]
Notes for distributors
======================
The security fix above was quite involved. If you're trying to backport
it to a stable release, then you should probably consider at least these
commits:
e62b9edafe00c51e52863718cb2eb1e29385230e Rename some anomalous x* functions
9ab9f3dd9b0d5f290c635995559332c1710e5b4d man(1): Fix gcc warnings
0f8b5518949866075c25787bdc4e9c064597c21e Separate cache owner from --enable-setuid option
94b9d1e2a14ce8790d7c73df00d0bbd9e40cd437 Handle cleanup stack more safely
c7f7daa9b2ffbbf4c45a2b168802a51acc2263c0 Make --disable-cache-owner imply --disable-setuid
31552334cecee82809059ec598a37d9ea82683f0 Eliminate dangerous setgid-root directories
755a9551c45da82f99d0ad8e46ef756afbeafb3f Fix distcheck following cache-owner/setuid changes
75701f7fd9a00108abeb851792231b3d9bc2a67d Fix systemd tmpfiles group/perms of /var/cache/man
Feel free to contact me if you have difficulty. You should also consider
http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/,
which could not be fixed without fixing the above bug first; while this
bug was in Debian-specific cron jobs, others may have copied them.
I've uploaded 2.7.6-1 to unstable with fixes for these vulnerabilities. I'd be happy to help out the Debian and Ubuntu security teams with backports if they need it, although hopefully the above list of git commits is enough to get started.
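The ownership rules stated in the announcement above can be checked mechanically when reviewing a package's installation rules. The following is an added example, not part of the original comment or of man-db; the function name `audit_man_cache` and its finding labels are hypothetical, and the defaults are the man:man owner and the /var/cache/man path named above.

```shell
#!/bin/sh
# Added example, not man-db code: audit a man-db cache tree against the
# ownership rules in the announcement. audit_man_cache and the finding
# labels are hypothetical names chosen for this sketch.
# Usage: audit_man_cache [DIR] [OWNER] [GROUP]; returns 0 when clean,
# 1 when findings were printed, 2 when DIR is not a directory.

audit_man_cache() {
    amc_dir=${1:-/var/cache/man}
    amc_owner=${2:-man}     # user name or numeric uid
    amc_group=${3:-man}     # group name or numeric gid

    if [ ! -d "$amc_dir" ]; then
        echo "audit_man_cache: $amc_dir is not a directory" >&2
        return 2
    fi

    amc_findings=$(
        # Anything not owned by the expected cache owner and group,
        # for example a leftover man:root entry from the old layout.
        find "$amc_dir" \( ! -user "$amc_owner" -o ! -group "$amc_group" \) -print |
            sed 's/^/wrong-owner /'
        # Setgid directories whose group is not the cache group: files
        # created inside them inherit that group (root in the old layout).
        find "$amc_dir" -type d -perm -2000 ! -group "$amc_group" -print |
            sed 's/^/setgid-foreign-group /'
        # The announcement states nothing in the cache is group-writeable.
        find "$amc_dir" ! -type l -perm -020 -print |
            sed 's/^/group-writable /'
    )

    if [ -n "$amc_findings" ]; then
        printf '%s\n' "$amc_findings"
        return 1
    fi
    return 0
}
```

Run as `audit_man_cache` with no arguments on an installed system, or point it at a staged package root such as `"$DESTDIR/var/cache/man"` with the owner and group the package is meant to install.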