[Pkg-gnupg-commit] [gnupg2] 01/02: block ptrace on scdaemon as well as gpg-agent (Closes: #878952)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Oct 27 05:53:25 UTC 2017



dkg pushed a commit to branch master
in repository gnupg2.

commit 57d138583d3ea23bb2f24823714d6146a053dea0
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date:   Fri Oct 27 01:19:16 2017 -0400

    block ptrace on scdaemon as well as gpg-agent (Closes: #878952)
---
 .../Avoid-simple-memory-dumps-via-ptrace.patch     | 30 +++++++++++++++++++++-
 debian/patches/series                              |  2 +-
 2 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/debian/patches/block-ptrace-on-agent/Avoid-simple-memory-dumps-via-ptrace.patch b/debian/patches/block-ptrace-on-secret-daemons/Avoid-simple-memory-dumps-via-ptrace.patch
similarity index 72%
rename from debian/patches/block-ptrace-on-agent/Avoid-simple-memory-dumps-via-ptrace.patch
rename to debian/patches/block-ptrace-on-secret-daemons/Avoid-simple-memory-dumps-via-ptrace.patch
index 98e7788..a033ef2 100644
--- a/debian/patches/block-ptrace-on-agent/Avoid-simple-memory-dumps-via-ptrace.patch
+++ b/debian/patches/block-ptrace-on-secret-daemons/Avoid-simple-memory-dumps-via-ptrace.patch
@@ -18,7 +18,8 @@ Upstream bug: https://dev.gnupg.org/T1211
 ---
  agent/gpg-agent.c | 8 ++++++++
  configure.ac      | 1 +
- 2 files changed, 9 insertions(+)
+ scd/scdaemon.c    | 9 +++++++++
+ 3 files changed, 18 insertions(+)
 
 diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
 index 030d1da..d91d687 100644
@@ -58,3 +59,30 @@ index fbd5c18..e5ade60 100644
  AC_CHECK_FUNCS([gettimeofday getrusage getrlimit setrlimit clock_gettime])
  AC_CHECK_FUNCS([atexit raise getpagesize strftime nl_langinfo setlocale])
  AC_CHECK_FUNCS([waitpid wait4 sigaction sigprocmask pipe getaddrinfo])
+diff --git a/scd/scdaemon.c b/scd/scdaemon.c
+index 60d539d..133a8b4 100644
+--- a/scd/scdaemon.c
++++ b/scd/scdaemon.c
+@@ -36,6 +36,9 @@
+ #include <unistd.h>
+ #include <signal.h>
+ #include <npth.h>
++#ifdef HAVE_PRCTL
++# include <sys/prctl.h>
++#endif
+ 
+ #define GNUPG_COMMON_NEED_AFLOCAL
+ #include "scdaemon.h"
+@@ -414,6 +417,12 @@ main (int argc, char **argv )
+   npth_t pipecon_handler;
+ 
+   early_system_init ();
++
++#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
++  /* Disable ptrace on Linux without sgid bit */
++  prctl(PR_SET_DUMPABLE, 0);
++#endif
++
+   set_strusage (my_strusage);
+   gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);
+   /* Please note that we may running SUID(ROOT), so be very CAREFUL
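Review bot: The return value of `prctl(PR_SET_DUMPABLE, 0)` on the new scdaemon.c line is not checked, so a failed call leaves the daemon dumpable with nothing in the log to show it; a guard such as `if (prctl (PR_SET_DUMPABLE, 0) < 0) log_error ("prctl(PR_SET_DUMPABLE) failed\n");` would surface that, assuming the log helpers are usable before set_strusage (this hunk does not show their initialisation). The comment `/* Disable ptrace on Linux without sgid bit */` understates what the flag does: clearing the dumpable bit stops other processes of the same user from attaching via ptrace and also suppresses core dumps, while a process holding CAP_SYS_PTRACE can still attach. Suggest `/* Clear the dumpable flag so same-uid processes cannot ptrace this daemon or read its memory from a core dump; root/CAP_SYS_PTRACE is not blocked. */`. The gpg-agent.c part of this patch, outside the hunk, presumably carries the same unchecked call and comment and should be kept consistent. The enclosing main() of scdaemon.c starts and ends outside the hunk.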
diff --git a/debian/patches/series b/debian/patches/series
index adff014..9a3d9c7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,6 +1,6 @@
 debian-packaging/avoid-beta-warning.patch
 debian-packaging/avoid-regenerating-defsincdate-use-shipped-file.patch
-block-ptrace-on-agent/Avoid-simple-memory-dumps-via-ptrace.patch
+block-ptrace-on-secret-daemons/Avoid-simple-memory-dumps-via-ptrace.patch
 dirmngr-idling/dirmngr-hkp-Avoid-potential-race-condition-when-some.patch
 dirmngr-idling/dirmngr-Avoid-need-for-hkp-housekeeping.patch
 dirmngr-idling/dirmngr-Avoid-automatically-checking-upstream-swdb.patch
