Commits on Source (10)
  • Jeremy Bicha's avatar
    debian/watch: Watch for stable releases · eda60a2a
    Jeremy Bicha authored
    eda60a2a
  • Jeremy Bicha's avatar
  • Jeremy Bicha's avatar
    Build-Depend on debhelper-compat 13 · faf9b939
    Jeremy Bicha authored
    faf9b939
  • Jeremy Bicha's avatar
    debian/rules: clean up unneeded rules · 039dbd77
    Jeremy Bicha authored
    -Wl,--as-needed is default since Bullseye
    dh_auto_test handles nocheck and some env stuff in dh compat 13
    039dbd77
  • Jeremy Bicha's avatar
    9817adf7
  • Simon McVittie's avatar
    Don't add CAP_IPC_LOCK capability to gnome-keyring-daemon · 4cd87240
    Simon McVittie authored
    GNOME Keyring uses "memory locking" to prevent memory buffers from being
    written out to swap, in an attempt to prevent passwords and other secrets
    from being written to disk unencrypted. Since Linux 2.6.9 (Debian 4.0,
    2007) it has been possible to lock memory up to the limit defined by
    RLIMIT_MEMLOCK without requiring the CAP_IPC_LOCK capability.
    
    Since GLib 2.70, processes with higher privilege than their caller are
    prevented from accessing most environment variables as part of a security
    hardening effort intended to prevent processes with elevated privileges
    from being subverted by their caller. This applies to any process with
    the AT_SECURE attribute, including executables with setuid, setgid or
    filesystem capabilities (setcap), as well as executables that undergo
    AppArmor transitions with mode Cx, Px or Ux, or any other similar
    privilege-elevation mechanism.
    
    Denying access to environment variables in this way interferes with the
    ability to connect to the D-Bus session bus, which is required
    functionality for gnome-keyring.
    
    RLIMIT_MEMLOCK defaults to 64 KiB, although it is considerably higher on
    typical Debian systems due to #976373. If memory locking for larger
    quantities of secret data is required, please configure a higher
    RLIMIT_MEMLOCK in /etc/security/limits.conf.
    
    Memory locking is not effective when using suspend-to-disk (hibernation),
    which ignores memory locking and writes the contents of memory to disk
    regardless. It is also only fully effective if the entire path that the
    password takes through the overall system makes use of memory locking,
    which in practice does not occur. Using encrypted swap, with an ephemeral
    key if suspend-to-disk is not required, is recommended as a more robust
    way to prevent passwords from reaching disk. Full-disk encryption is
    also recommended for systems where confidentiality is important.
    
    Closes: #994961
    4cd87240
  • Simon McVittie's avatar
    Don't build with capabilities support on Linux architectures · 82a131c7
    Simon McVittie authored
    Now that we are not setting CAP_IPC_LOCK, this is not useful, and
    disabling it silences some misleading warnings. gnome-keyring will still
    log a warning if it cannot allocate enough locked memory for its needs.
    82a131c7
  • Simon McVittie's avatar
    Add proposed patches to avoid unnecessary use of unlocked memory · 4801b8a0
    Simon McVittie authored
    Older versions of gnome-keyring did not always prevent larger items of
    secret data from being swapped out, even if they could, due to a logic
    error when allocating new blocks of locked memory.
    4801b8a0
  • Simon McVittie's avatar
    Release to unstable · e7a3929b
    Simon McVittie authored
    e7a3929b
  • Rico Tzschichholz's avatar
    77ebd78c
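The commit message for 4cd87240 above says that memory can be locked up to RLIMIT_MEMLOCK without CAP_IPC_LOCK, and that file capabilities put a process in AT_SECURE mode. The following C program is an added example, not gnome-keyring code: it locks one page as an ordinary process and reports both facts. It assumes Linux with glibc, and the function names are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

enum lock_result { LOCKED, LIMIT_EXCEEDED, NOT_PERMITTED, LOCK_ERROR };

/* Non-zero when the kernel started us in secure-execution mode
 * (setuid, setgid, file capabilities, ...). */
int running_at_secure(void) { return getauxval(AT_SECURE) != 0; }

/* Soft RLIMIT_MEMLOCK in bytes (RLIM_INFINITY if unlimited, 0 on error). */
rlim_t memlock_limit(void) {
    struct rlimit rl;
    return getrlimit(RLIMIT_MEMLOCK, &rl) == 0 ? rl.rlim_cur : 0;
}

/* Map `len` bytes of anonymous memory and mlock() them. *out is set only
 * on success, so a caller cannot use an unlocked buffer by accident. */
enum lock_result lock_secret_buffer(size_t len, void **out) {
    *out = NULL;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return LOCK_ERROR;
    if (mlock(p, len) == 0) { *out = p; return LOCKED; }
    int err = errno;
    munmap(p, len);
    if (err == ENOMEM || err == EAGAIN) return LIMIT_EXCEEDED;
    return err == EPERM ? NOT_PERMITTED : LOCK_ERROR;
}

/* Wipe the secret before the pages go back to the kernel. */
void release_secret_buffer(void *p, size_t len) {
    explicit_bzero(p, len);
    munlock(p, len);
    munmap(p, len);
}

int main(void) {
    size_t len = (size_t) sysconf(_SC_PAGESIZE);
    void *buf;
    enum lock_result r = lock_secret_buffer(len, &buf);
    printf("AT_SECURE=%d memlock_limit=%llu result=%d\n", running_at_secure(),
           (unsigned long long) memlock_limit(), (int) r);
    if (r == LOCKED) release_secret_buffer(buf, len);
    return r == LOCKED ? 0 : 1;
}
```

Running `setcap CAP_IPC_LOCK=ep` on the compiled binary makes `running_at_secure()` return 1, which is the state the commit removes from gnome-keyring-daemon.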
gnome-keyring (40.0-3ubuntu1) UNRELEASED; urgency=medium
* Sync with Debian. Remaining changes:
- debian/user/*, debian/gnome-keyring.links, debian/gnome-keyring.install:
+ Install units to start gnome-keyring with systemd if the session
is using it
-- Rico Tzschichholz <ricotz@ubuntu.com> Wed, 27 Oct 2021 08:45:29 +0200
gnome-keyring (40.0-3) unstable; urgency=medium
* Team upload
* Don't add CAP_IPC_LOCK capability to gnome-keyring-daemon.
GNOME Keyring uses "memory locking" to prevent memory buffers from being
written out to swap, in an attempt to prevent passwords and other secrets
from being written to disk unencrypted. Since Linux 2.6.9 (Debian 4.0,
2007) it has been possible to lock memory up to the limit defined by
RLIMIT_MEMLOCK without requiring the CAP_IPC_LOCK capability.
Since GLib 2.70, security hardening in GLib means that this capability
interferes with the ability to connect to the D-Bus session bus, which
is required functionality for gnome-keyring.
RLIMIT_MEMLOCK defaults to 64 KiB, although it is considerably higher on
typical Debian systems due to #976373. If memory locking for larger
quantities of secret data is required, please configure a higher
RLIMIT_MEMLOCK in /etc/security/limits.conf.
Using encrypted swap, with an ephemeral key if suspend-to-disk is not
required, is recommended as a more robust way to prevent passwords
from reaching disk. Full-disk encryption is also recommended for
systems where confidentiality is important.
(Closes: #994961)
* Don't build with capabilities support on Linux architectures.
Now that we are not setting CAP_IPC_LOCK, this is not useful, and
disabling it silences some misleading warnings. gnome-keyring will still
log a warning if it cannot allocate enough locked memory for its needs.
* Add proposed patches to avoid unnecessary use of unlocked memory.
Older versions of gnome-keyring did not always prevent larger items of
secret data from being swapped out, even if they could, due to a logic
error when allocating new blocks of locked memory.
-- Simon McVittie <smcv@debian.org> Sun, 26 Sep 2021 17:28:50 +0100
gnome-keyring (40.0-2) unstable; urgency=medium
* Build-Depend on debhelper-compat 13
* Build-Depend on dh-sequence-gnome instead of gnome-pkg-tools
* debian/rules: clean up unneeded rules
* Release to unstable
-- Jeremy Bicha <jbicha@debian.org> Sat, 21 Aug 2021 07:43:03 -0400
gnome-keyring (40.0-1ubuntu1) impish; urgency=medium
* Sync with Debian. Remaining changes:
......
......@@ -8,14 +8,13 @@ Priority: optional
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
XSBC-Original-Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Uploaders: Iain Lane <laney@debian.org>, Jeremy Bicha <jbicha@debian.org>, Tim Lunn <tim@feathertop.org>
Build-Depends: debhelper (>= 11),
Build-Depends: debhelper-compat (= 13),
ca-certificates,
dbus <!nocheck>,
dh-sequence-gnome,
xsltproc,
docbook-xml,
docbook-xsl,
gnome-pkg-tools (>= 0.10),
libcap-ng-dev [linux-any],
libgck-1-dev (>= 3.3.4),
libgcr-3-dev (>= 3.27.90),
libgcrypt20-dev (>= 1.2.2),
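Review bot: with `libcap-ng-dev [linux-any]` leaving Build-Depends in this hunk, capability support is off on a clean builder only because the library is absent. The explicit `--without-libcap-ng` in debian/rules is what stops a local build with libcap-ng installed from silently turning it back on, so the two changes should stay in the same upload and not be split.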
......@@ -43,7 +42,6 @@ Depends: ${misc:Depends},
gcr (>= 3.4),
default-dbus-session-bus | dbus-session-bus,
p11-kit (>= 0.16),
libcap2-bin [linux-any],
pinentry-gnome3
Breaks: gnome-session (<< 3.20.0)
Recommends: libpam-gnome-keyring, gnome-keyring-pkcs11
......
......@@ -4,14 +4,13 @@ Priority: optional
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
XSBC-Original-Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Uploaders: @GNOME_TEAM@
Build-Depends: debhelper (>= 11),
Build-Depends: debhelper-compat (= 13),
ca-certificates,
dbus <!nocheck>,
dh-sequence-gnome,
xsltproc,
docbook-xml,
docbook-xsl,
gnome-pkg-tools (>= 0.10),
libcap-ng-dev [linux-any],
libgck-1-dev (>= 3.3.4),
libgcr-3-dev (>= 3.27.90),
libgcrypt20-dev (>= 1.2.2),
......@@ -39,7 +38,6 @@ Depends: ${misc:Depends},
gcr (>= 3.4),
default-dbus-session-bus | dbus-session-bus,
p11-kit (>= 0.16),
libcap2-bin [linux-any],
pinentry-gnome3
Breaks: gnome-session (<< 3.20.0)
Recommends: libpam-gnome-keyring, gnome-keyring-pkcs11
......
#!/bin/sh
set -e
PROGRAM=/usr/bin/gnome-keyring-daemon
if [ "$1" = configure ]; then
if which setcap > /dev/null && [ -e $PROGRAM ]; then
if ! setcap CAP_IPC_LOCK=ep $PROGRAM >/dev/null 2>&1; then
echo "Setting capabilities for gnome-keyring-daemon using Linux Capabilities failed."
fi
fi
fi
#DEBHELPER#
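Review bot: dropping this postinst stops new installs from running `setcap CAP_IPC_LOCK=ep $PROGRAM`, but nothing shown here clears the capability on a system where an earlier version already set it. Unpacking the new binary should discard the old file capability, yet that is worth confirming on an upgraded system with `getcap /usr/bin/gnome-keyring-daemon` (expected: no output), because a leftover capability would keep the daemon in AT_SECURE mode and bring back the D-Bus failure described for #994961.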
#!/bin/sh
set -e
# Make sure that the IPC_LOCK capability is added to the gnome-keyring-daemon
# binary after installation, since file system caps aren't supported by the
# LiveCD's squashfs.
PROGRAM=/usr/bin/gnome-keyring-daemon
if [ -e /target/sbin/setcap ] && [ -e /target/$PROGRAM ]; then
if chroot /target setcap CAP_IPC_LOCK=ep $PROGRAM >/dev/null 2>&1; then
logger --tag ubiquity "Setting capabilities for gnome-keyring-daemon using Linux Capabilities failed."
fi
fi
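Review bot: the `if chroot /target setcap CAP_IPC_LOCK=ep $PROGRAM >/dev/null 2>&1; then` test in this hook lacks the `!` that the postinst version has, so it logs "failed" exactly when setcap succeeds. If the hook is being dropped together with the postinst, no fix is needed here, but the `install -m0755 -D debian/gnome-keyring.ubiquity ...` block in debian/rules has to be removed with it, otherwise the Ubuntu build will fail on the missing file.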
From: Simon McVittie <smcv@debian.org>
Date: Sun, 26 Sep 2021 16:06:03 +0100
Subject: egg-secure-memory: Add a warning if gnome-keyring#36 happens again
If we call sec_block_create() to allocate a block sized to hold `length`
bytes, and we succeed, then we should really be able to sec_alloc()
a cell of `length` bytes within that block. If we can't, then we chose
the size of the block incorrectly.
Signed-off-by: Simon McVittie <smcv@debian.org>
Forwarded: https://gitlab.gnome.org/GNOME/gnome-keyring/-/merge_requests/43
---
egg/egg-secure-memory.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/egg/egg-secure-memory.c b/egg/egg-secure-memory.c
index 7391854..0f6a3f6 100644
--- a/egg/egg-secure-memory.c
+++ b/egg/egg-secure-memory.c
@@ -1065,8 +1065,14 @@ egg_secure_alloc_full (const char *tag,
/* None of the current blocks have space, allocate new */
if (!memory) {
block = sec_block_create (length, tag);
- if (block)
+ if (block) {
memory = sec_alloc (block, tag, length);
+
+ if (!memory && egg_secure_warnings)
+ fprintf (stderr,
+ "internal error: memory block sized to hold %lu bytes was too small\n",
+ (unsigned long) length);
+ }
}
#ifdef WITH_VALGRIND
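Review bot: in the new `if (!memory && egg_secure_warnings)` branch, the stderr message is the only signal that a freshly created block could not hold the request, and it is suppressed whenever `egg_secure_warnings` is off, so a caller that has silenced warnings gets no indication that the block was mis-sized. Since the commit message calls this an internal error, consider backing it with a unit test that allocates sizes on either side of the block boundary, so that a regression is caught at build time and does not depend on someone reading stderr.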
From: Simon McVittie <smcv@debian.org>
Date: Sun, 26 Sep 2021 16:04:19 +0100
Subject: egg-secure-memory: Allocate enough space for the guard pointers
Cell allocations have an overhead of two pointer-sized words, which we
need to take into account. Otherwise, whenever we try to allocate a new
block to hold at least `DEFAULT_BLOCK_SIZE - 2 * sizeof (void *)` bytes,
it will end up too small to allocate a cell of that size and we will
fall back to non-mlock'd memory with a warning.
Fixes: 982aadd9 "Completely overhaul the secure memory allocator"
Bug: https://gitlab.gnome.org/GNOME/gnome-keyring/-/issues/36
Signed-off-by: Simon McVittie <smcv@debian.org>
Forwarded: https://gitlab.gnome.org/GNOME/gnome-keyring/-/merge_requests/43
---
egg/egg-secure-memory.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/egg/egg-secure-memory.c b/egg/egg-secure-memory.c
index ed6fbcc..7391854 100644
--- a/egg/egg-secure-memory.c
+++ b/egg/egg-secure-memory.c
@@ -959,6 +959,11 @@ sec_block_create (size_t size,
return NULL;
}
+ /* Whatever size we were asked for, we'll need a little more space:
+ * each allocation has an overhead of 2 words, for the guard
+ * pointers before and after. */
+ size += (2 * sizeof (word_t));
+
/* The size above is a minimum, we're free to go bigger */
if (size < DEFAULT_BLOCK_SIZE)
size = DEFAULT_BLOCK_SIZE;
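Review bot: `size += (2 * sizeof (word_t));` is an unchecked addition on a caller-supplied `size_t`; a value within two words of SIZE_MAX wraps to a small number and is then raised to DEFAULT_BLOCK_SIZE, giving a block far smaller than requested. If an earlier bound on `size` (not visible in this hunk) already rules that out, a short comment saying so would help; otherwise add a check before the addition. The commit message speaks of `2 * sizeof (void *)` while the code uses `word_t`, so the comment could also state that the two are the same width.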
egg-secure-memory-Allocate-enough-space-for-the-guard-poi.patch
egg-secure-memory-Add-a-warning-if-gnome-keyring-36-happe.patch
03_kfreebsd.patch
05_skip-known-test-failures.patch
#!/usr/bin/make -f
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
export DEB_LDFLAGS_MAINT_APPEND = -Wl,-O1 -Wl,-z,defs -Wl,--as-needed
export DEB_LDFLAGS_MAINT_APPEND = -Wl,-O1 -Wl,-z,defs
%:
dh $@ --with gnome
dh $@
override_dh_auto_configure:
dh_auto_configure -- \
--with-pam-dir=/lib/$(DEB_HOST_MULTIARCH)/security \
--without-libcap-ng \
--enable-docs \
--enable-ssh-agent
override_dh_install:
find debian/tmp -name '*.la' -print -delete
dh_install
ifeq (yes,$(shell dpkg-vendor --derives-from Ubuntu && echo yes))
install -m0755 -D debian/gnome-keyring.ubiquity debian/gnome-keyring/usr/lib/ubiquity/target-config/50gkd-caps
endif
override_dh_missing:
dh_missing --fail-missing
TESTHOMEDIR = $(CURDIR)/debian/testhome
override_dh_auto_test:
ifeq (, $(filter nocheck, $(DEB_BUILD_OPTIONS)))
mkdir -p $(TESTHOMEDIR)
env -u LD_PRELOAD HOME=$(TESTHOMEDIR) XDG_RUNTIME_DIR=$(TESTHOMEDIR) dbus-run-session -- dh_auto_test
endif
override_dh_clean:
rm -rf $(TESTHOMEDIR)
dh_clean
env -u LD_PRELOAD dbus-run-session -- dh_auto_test
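Review bot: the replacement test line `env -u LD_PRELOAD dbus-run-session -- dh_auto_test` starts the session bus before dh_auto_test runs, so whatever environment handling dh_auto_test does under compat 13 reaches the test processes but not dbus-daemon or anything it activates, which previously saw `HOME=$(TESTHOMEDIR)` and `XDG_RUNTIME_DIR=$(TESTHOMEDIR)`. Please confirm that no bus-activated helper in the test suite needs a writable HOME, or keep those two variables on the `env` line. A one-line comment next to `--without-libcap-ng` pointing at #994961 would also explain why the option is there.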
version=4
opts="uversionmangle=s/\.(alpha|beta|rc)/~$1/" \
https://download.gnome.org/sources/@PACKAGE@/@ANY_VERSION@/ \
@PACKAGE@@ANY_VERSION@\.tar\.xz
opts="searchmode=plain, uversionmangle=s/\.(alpha|beta|rc)/~$1/" \
https://download.gnome.org/sources/@PACKAGE@/cache.json \
\d+/@PACKAGE@-([\d.]+)@ARCHIVE_EXT@
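Review bot: the pattern on the last line, `\d+/@PACKAGE@-([\d.]+)@ARCHIVE_EXT@`, captures only digits and dots, so it cannot match an alpha, beta or rc tarball name, which leaves `uversionmangle=s/\.(alpha|beta|rc)/~$1/` in the `searchmode=plain` opts with nothing to act on. If the intent is to watch stable releases only, drop the mangle rule; if pre-releases should still be seen, widen the capture group.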