Debian

Available patches from Ubuntu

To see Ubuntu differences with respect to Debian, write a grep-dctrl query identifying the packages you're interested in:
grep-dctrl -n -sPackage Sources.Debian
(e.g. -FPackage linux-ntfs or linux-ntfs)

Modified packages are listed below:


Source: procps

procps (2:3.3.15-2ubuntu2) disco; urgency=medium

  * 10-network-security.conf: change the rp_filter default from 1 to 2,
    the strict mode isn't compatible with the n-m handling of captive
    portals (lp: #1814262)

 -- Sebastien Bacher <seb128@ubuntu.com>  Thu, 07 Feb 2019 23:46:43 +0100

procps (2:3.3.15-2ubuntu1) cosmic; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/sysctl.d (Ubuntu-specific):
      + 10-console-messages.conf: stop low-level kernel messages on console.
      + 10-kernel-hardening.conf: add the kptr_restrict setting
      + 10-keyboard.conf.powerpc: mouse button emulation on PowerPC.
      + 10-ipv6-privacy.conf: add a file to sysctl.d to apply the defaults
        for IPv6 privacy extensions for interfaces. (LP: #176125, #841353)
      + 10-link-restrictions.conf: even though the Ubuntu kernel is built
        with these defaults in place, we want to make sure that people
        running stock kernels don't miss out.
      + 10-magic-sysrq.conf: Disable most magic sysrq by default, allowing
        critical sync, remount, reboot functions. (LP: #194676, LP: #1025467)
      + 10-network-security.conf: enable rp_filter.
      + 10-ptrace.conf: describe new PTRACE setting.
      + 10-zeropage.conf: safe mmap_min_addr value for graceful fall-back.
        for armhf, and arm64.
      + 10-qemu.conf.s390x for qemu.
      + README: describe how this directory is supposed to work.
    - debian/rules: Fix cross build
    - ignore_eaccess.patch: If we get eaccess when opening a sysctl file for
      writing, don't error out. Otherwise package upgrades can fail,
      especially in containers.
    - ignore_erofs.patch: Same as ignore_eaccess but for the case where part
      of /proc is read/only.

 -- Balint Reczey <rbalint@ubuntu.com>  Tue, 05 Jun 2018 11:20:00 -0700
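
The settings named in the changelog above are applied by `sysctl --system` at boot, and the ignore_eaccess/ignore_erofs changes it mentions turn a key that cannot be written into a warning rather than an error, so a clean exit from sysctl no longer proves the values are in effect. The script below is an added example and not code from procps or the Ubuntu package: it re-implements the sysctl(8) file-precedence rules for *.conf files (same-basename shadowing across the directory list, lexical order by basename, /etc/sysctl.conf last), parses the sysctl.conf(5) syntax the files in this delta use (`key=value` without spaces, multi-field values such as kernel.printk, the `-` error-ignoring prefix), and reports every expected key whose running value differs or is absent. The file contents, the running values and the paths are constructed samples; the function names are this example's own.

```python
"""Check that sysctl.d defaults are actually in effect on the running kernel.
Added example, not procps or Ubuntu code.  Mirrors the sysctl(8) --system
file order: *.conf from a fixed directory list, same-basename files in later
directories shadowed, survivors applied in lexical basename order, then
/etc/sysctl.conf.  Sample files and "running" values are constructed so the
check runs offline; read_proc_sys() gives live values on a real host."""
import os
from typing import Dict, List, Optional, Tuple
# Directory search order from sysctl(8) --system; earlier dirs shadow later ones.
SYSCTL_DIRS = ["/etc/sysctl.d", "/run/sysctl.d", "/usr/local/lib/sysctl.d",
               "/usr/lib/sysctl.d", "/lib/sysctl.d"]
SYSCTL_CONF = "/etc/sysctl.conf"

def norm(value: str) -> str:
    """Collapse whitespace: /proc/sys prints multi-field keys tab-separated."""
    return " ".join(value.split())

def parse_sysctl_conf(text: str) -> Dict[str, str]:
    """Parse sysctl.conf(5): 'key = value', '#'/';' comments, blank lines.
    A leading '-' (ignore errors for this key) is stripped and '/' becomes '.'."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not an assignment; sysctl warns and skips such lines
        settings[key.strip().lstrip("-").replace("/", ".")] = norm(value)
    return settings

def effective_settings(files: Dict[str, str]) -> Dict[str, str]:
    """Merge {path: contents} in the order `sysctl --system` would apply them."""
    chosen: Dict[str, str] = {}  # basename -> winning path after shadowing
    for directory in SYSCTL_DIRS:
        for path in files:
            if os.path.dirname(path) == directory and path.endswith(".conf"):
                chosen.setdefault(os.path.basename(path), path)
    order = [chosen[name] for name in sorted(chosen)]
    if SYSCTL_CONF in files:
        order.append(SYSCTL_CONF)
    merged: Dict[str, str] = {}
    for path in order:
        merged.update(parse_sysctl_conf(files[path]))  # later files win
    return merged

def read_proc_sys(keys) -> Dict[str, Optional[str]]:
    """Live values from /proc/sys; None when a key is absent (e.g. no Yama LSM)."""
    running: Dict[str, Optional[str]] = {}
    for key in keys:
        try:
            with open(os.path.join("/proc/sys", *key.split("."))) as fh:
                running[key] = fh.read()
        except OSError:
            running[key] = None
    return running

def audit(expected: Dict[str, str], running: Dict[str, Optional[str]]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (key, expected, actual) for every expected key not in effect."""
    bad = []
    for key, want in sorted(expected.items()):
        have = running.get(key)
        have = norm(have) if have is not None else None
        if have != want:
            bad.append((key, want, have))
    return bad

# Constructed sample files (assumed paths): values from the delta above, plus
# a local override, a shadowed /run copy and a shadowed /usr/lib copy.
SAMPLE_FILES = {
    "/etc/sysctl.d/10-kernel-hardening.conf": "# censor kernel pointers\nkernel.kptr_restrict = 1\n",
    "/etc/sysctl.d/10-ptrace.conf": "kernel.yama.ptrace_scope = 1\n",
    "/etc/sysctl.d/10-zeropage.conf": "vm.mmap_min_addr = 65536\n",
    "/etc/sysctl.d/10-network-security.conf": "\nnet.ipv4.conf.default.rp_filter=2\nnet.ipv4.conf.all.rp_filter=2\n",
    "/etc/sysctl.d/10-console-messages.conf": "kernel.printk = 4 4 1 7\n",
    "/etc/sysctl.d/10-magic-sysrq.conf": "kernel.sysrq = 176\n",
    "/etc/sysctl.d/99-local.conf": "net.ipv4.conf.all.rp_filter = 1\n",  # sorts later, overrides
    "/run/sysctl.d/10-magic-sysrq.conf": "kernel.sysrq = 0\n",            # shadowed by the /etc file
    "/usr/lib/sysctl.d/10-zeropage.conf": "vm.mmap_min_addr = 4096\n",     # shadowed by the /etc file
    "/etc/sysctl.conf": "-net.ipv4.ip_forward = 0\n",
}
# Constructed "running" values as /proc/sys would report them: Yama absent,
# mmap_min_addr lowered at runtime, printk tab-separated.
SAMPLE_RUNNING: Dict[str, Optional[str]] = {
    "kernel.kptr_restrict": "1\n", "kernel.yama.ptrace_scope": None, "vm.mmap_min_addr": "0\n",
    "net.ipv4.conf.default.rp_filter": "2\n", "net.ipv4.conf.all.rp_filter": "1\n",
    "kernel.printk": "4\t4\t1\t7\n", "kernel.sysrq": "176\n", "net.ipv4.ip_forward": "0\n",
}

def main() -> int:
    expected = effective_settings(SAMPLE_FILES)
    problems = audit(expected, SAMPLE_RUNNING)  # real host: read_proc_sys(expected)
    for key, want, have in problems:
        print(f"NOT IN EFFECT: {key} expected {want!r}, running {have!r}")
    return 1 if problems else 0

if __name__ == "__main__":
    raise SystemExit(main())
```

On a real host, feed effective_settings() the actual file contents and replace SAMPLE_RUNNING with read_proc_sys(expected). A result of None is the key-does-not-exist case (a kernel without the Yama LSM for kernel.yama.ptrace_scope); a present but different value is the runtime-change case that the 10-zeropage.conf comment describes.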

Modifications:
  1. Download patch debian/sysctl.d/10-qemu.conf.s390x

    --- 2:3.3.15-2/debian/sysctl.d/10-qemu.conf.s390x 1970-01-01 00:00:00.000000000 +0000 +++ 2:3.3.15-2ubuntu2/debian/sysctl.d/10-qemu.conf.s390x 2018-06-05 18:20:00.000000000 +0000 @@ -0,0 +1,2 @@ +# for qemu-system +vm.allocate_pgste = 1
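
Review bot: the comment `# for qemu-system` says neither what vm.allocate_pgste does nor why it is set for every process on the host instead of only for qemu, and because there is no non-arch-specific 10-qemu.conf the debian/rules loop appends this file to a generated 10-arch-specific.conf, so that one line is all an administrator will see next to the setting. Suggest a sentence naming the consumer (KVM guests started by qemu-system-s390x) and stating that the setting is host-wide.
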
  2. Download patch debian/sysctl.d/10-zeropage.conf

    --- 2:3.3.15-2/debian/sysctl.d/10-zeropage.conf 1970-01-01 00:00:00.000000000 +0000 +++ 2:3.3.15-2ubuntu2/debian/sysctl.d/10-zeropage.conf 2018-06-05 18:20:00.000000000 +0000 @@ -0,0 +1,9 @@ +# Protect the zero page of memory from userspace mmap to prevent kernel +# NULL-dereference attacks against potential future kernel security +# vulnerabilities. (Added in kernel 2.6.23.) +# +# While this default is built into the Ubuntu kernel, there is no way to +# restore the kernel default if the value is changed during runtime; for +# example via package removal (e.g. wine, dosemu). Therefore, this value +# is reset to the secure default each time the sysctl values are loaded. +vm.mmap_min_addr = 65536
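
Review bot: the comment explains why the value is re-applied but not its limits: the floor is only enforced for callers without CAP_SYS_RAWIO, and the same rationale is duplicated verbatim in 10-zeropage.conf.arm64, .armhf and .armel, which replace this file wholesale on those architectures. Suggest adding the capability caveat here and having the three arch copies refer to this text, so the four comments cannot drift apart.
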
  3. Download patch debian/sysctl.d/10-keyboard.conf.powerpc

    --- 2:3.3.15-2/debian/sysctl.d/10-keyboard.conf.powerpc 1970-01-01 00:00:00.000000000 +0000 +++ 2:3.3.15-2ubuntu2/debian/sysctl.d/10-keyboard.conf.powerpc 2018-06-05 18:20:00.000000000 +0000 @@ -0,0 +1,6 @@ + +# PowerPC: +# Emulate the middle mouse button with F11 and the right with F12. +dev.mac_hid.mouse_button_emulation = 1 +dev.mac_hid.mouse_button2_keycode = 87 +dev.mac_hid.mouse_button3_keycode = 88
  4. Download patch debian/sysctl.d/10-kernel-hardening.conf

    --- 2:3.3.15-2/debian/sysctl.d/10-kernel-hardening.conf 1970-01-01 00:00:00.000000000 +0000 +++ 2:3.3.15-2ubuntu2/debian/sysctl.d/10-kernel-hardening.conf 2018-06-05 18:20:00.000000000 +0000 @@ -0,0 +1,15 @@ +# These settings are specific to hardening the kernel itself from attack +# from userspace, rather than protecting userspace from other malicious +# userspace things. +# +# +# When an attacker is trying to exploit the local kernel, it is often +# helpful to be able to examine where in memory the kernel, modules, +# and data structures live. As such, kernel addresses should be treated +# as sensitive information. +# +# Many files and interfaces contain these addresses (e.g. /proc/kallsyms, +# /proc/modules, etc), and this setting can censor the addresses. A value +# of "0" allows all users to see the kernel addresses. A value of "1" +# limits visibility to the root user, and "2" blocks even the root user. +kernel.kptr_restrict = 1
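
Review bot: `A value of "1" limits visibility to the root user` is not what the kernel checks: with kptr_restrict=1, %pK addresses are shown only to a caller holding CAP_SYSLOG whose real and effective uid/gid match, so a root process that dropped CAP_SYSLOG sees zeros and an unprivileged process granted CAP_SYSLOG sees addresses. Suggest wording the comment in terms of CAP_SYSLOG, and noting that the setting only censors interfaces that print with %pK, so it is not a complete fix for kernel-address leaks.
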
  5. Download patch debian/rules

    --- 2:3.3.15-2/debian/rules 2018-05-31 09:42:46.000000000 +0000 +++ 2:3.3.15-2ubuntu2/debian/rules 2018-06-05 18:20:00.000000000 +0000 @@ -7,11 +7,17 @@ PACKAGE="procps" DEBROOT=$(CURDIR)/debian/tmp DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) +DEB_HOST_ARCH ?= $(shell dpkg-architecture -qDEB_HOST_ARCH) DEB_HOST_ARCH_OS ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_OS) DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) ifneq ($(DEB_HOST_GNU_TYPE),$(DEB_BUILD_GNU_TYPE)) configure_flags += --host=$(DEB_HOST_GNU_TYPE) +CROSS = PKG_CONFIG=$(DEB_HOST_GNU_TYPE)-pkg-config \ + ac_cv_func_malloc_0_nonnull=yes \ + ac_cv_func_realloc_0_nonnull=yes +else +CROSS= endif export DEB_BUILD_MAINT_OPTIONS = hardening=+all @@ -24,7 +30,7 @@ endif dh $@ override_dh_auto_configure: - ./configure \ + $(CROSS) ./configure \ $(configure_flags) \ --build=$(DEB_BUILD_GNU_TYPE) \ --disable-silent-rules \ @@ -34,7 +40,9 @@ override_dh_auto_configure: --disable-modern-top \ --prefix=/usr \ --exec-prefix=/ \ - --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) + --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \ + --build=$(DEB_BUILD_GNU_TYPE) \ + --host=$(DEB_HOST_GNU_TYPE) \ override_dh_auto_install: $(autogen-files) 
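
Review bot: the second hunk appends `--build=$(DEB_BUILD_GNU_TYPE) \` a second time (the first hunk already passes it right after `$(configure_flags) \`) and adds `--host=$(DEB_HOST_GNU_TYPE)` unconditionally while `configure_flags` still adds `--host` in the cross case, so on a cross build --host is passed twice; the last added line also ends in a continuation backslash with nothing meaningful following it. Suggest dropping the duplicate --build, keeping --host in one place, and removing the trailing backslash. The `ac_cv_func_malloc_0_nonnull=yes` / `ac_cv_func_realloc_0_nonnull=yes` overrides in CROSS assume a glibc target and deserve a comment saying so.
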
@@ -43,6 +51,23 @@ override_dh_auto_install: $(autogen-file mv $(DEBROOT)/bin/kill $(DEBROOT)/bbin/ mv $(DEBROOT)/bin/ps $(DEBROOT)/bbin/ + # Build up sysctl.d + install -d $(DEBROOT)/etc/sysctl.d/ + install --mode 644 -o root -g root debian/sysctl.d/*.conf $(DEBROOT)/etc/sysctl.d/ +ifneq (,$(wildcard debian/sysctl.d/*.conf.$(DEB_HOST_ARCH))) + # If a non-arch-specific default exists, install the arch-specific + # version of the conf in place of it, otherwise, build up a general + # 10-arch-specific.conf file. + for archconf in debian/sysctl.d/*.conf.$(DEB_HOST_ARCH); do \ + conf=$$(basename $$archconf .$(DEB_HOST_ARCH)); \ + if [ -f debian/sysctl.d/$$conf ]; then \ + install --mode 644 -o root -g root $$archconf $(DEBROOT)/etc/sysctl.d/$$conf; \ + else \ + cat $$archconf >> $(DEBROOT)/etc/sysctl.d/10-arch-specific.conf; \ + fi; \ + done +endif + # Rename w as there are two of them (cd $(DEBROOT)/bin && mv w w.procps ) (cd $(DEBROOT)/usr/share/man/man1 && mv w.1 w.procps.1 )
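
Review bot: the `for archconf in ...; do ... done` loop runs as one shell recipe line without `set -e` (unless .SHELLFLAGS adds it), so if `install` or `cat` fails for any file but the last, make only sees the exit status of the final iteration and the build succeeds with a sysctl.d file missing. Suggest `set -e;` at the start of the recipe or `|| exit 1` after each command inside the loop. Also, 10-arch-specific.conf is created by `cat ... >>` rather than `install --mode 644`, so its mode depends on the build umask, and appending means a repeated run of the install target in an uncleaned tree duplicates its contents.
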
  6. Download patch debian/patches/ignore_erofs.patch

    --- 2:3.3.15-2/debian/patches/ignore_erofs.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2:3.3.15-2ubuntu2/debian/patches/ignore_erofs.patch 2018-06-05 18:20:00.000000000 +0000 @@ -0,0 +1,15 @@ +Index: procps-3.3.9/sysctl.c +=================================================================== +--- procps-3.3.9.orig/sysctl.c 2015-02-10 13:52:16.358295055 -0500 ++++ procps-3.3.9/sysctl.c 2015-02-10 13:52:16.354295132 -0500 +@@ -436,6 +436,10 @@ + xwarnx(_("permission denied on key '%s'"), outname); + rc = 0; + break; ++ case EROFS: ++ xwarn(_("setting key \"%s\""), outname); ++ rc = 0; ++ break; + default: + xwarn(_("setting key \"%s\""), outname); + rc = -1;
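
Review bot: this patch carries no DEP-3 header (ignore_eaccess.patch has Description/Author/Bug-Ubuntu; this one has only an Index line, which names procps-3.3.9 although the package is 3.3.15), and its context line `rc = 0;` under `case EACCES:` only exists once ignore_eaccess.patch is applied, so the two are order-dependent in debian/patches/series without that being stated anywhere. Suggest a header with a bug reference, the ordering dependency, and an explicit statement of the consequence: a read-only /proc/sys (typical in containers) now makes `sysctl --system` exit 0 even though none of the hardening keys in this directory were written.
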
  7. Download patch debian/sysctl.d/10-zeropage.conf.arm64

    --- 2:3.3.15-2/debian/sysctl.d/10-zeropage.conf.arm64 1970-01-01 00:00:00.000000000 +0000 +++ 2:3.3.15-2ubuntu2/debian/sysctl.d/10-zeropage.conf.arm64 2018-06-05 18:20:00.000000000 +0000 @@ -0,0 +1,11 @@ +# Protect the zero page of memory from userspace mmap to prevent kernel +# NULL-dereference attacks against potential future kernel security +# vulnerabilities. (Added in kernel 2.6.23.) +# +# While this default is built into the Ubuntu kernel, there is no way to +# restore the kernel default if the value is changed during runtime; for +# example via package removal (e.g. wine, dosemu). Therefore, this value +# is reset to the secure default each time the sysctl values are loaded. +# +# ARM-specific default: +vm.mmap_min_addr = 32768
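
Review bot: this file is byte-identical to 10-zeropage.conf.armhf (item 10) and 10-zeropage.conf.armel (item 15), and `ARM-specific default:` does not say why arm64 gets 32768 rather than the 65536 used everywhere else; the kernel's own 32768 default exists for 32-bit ARM user space (on arm64 it is tied to COMPAT support), so a pure 64-bit arm64 system could use the higher floor. Suggest one shared source for the three copies (the debian/rules loop already handles per-arch files) and a sentence in the comment giving the reason for the lower arm64 value.
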
  8. Download patch debian/control

    --- 2:3.3.15-2/debian/control 2018-05-31 09:42:46.000000000 +0000 +++ 2:3.3.15-2ubuntu2/debian/control 2018-06-05 18:20:00.000000000 +0000 @@ -1,7 +1,8 @@ Source: procps Section: admin Priority: optional -Maintainer: Craig Small <csmall@debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Craig Small <csmall@debian.org> Build-Depends: debhelper (>= 11), dh-exec (>= 0.3), libncurses5-dev, libncursesw5-dev,
  9. Download patch debian/patches/pmap_test

    --- 2:3.3.15-2/debian/patches/pmap_test 1970-01-01 00:00:00.000000000 +0000 +++ 2:3.3.15-2ubuntu2/debian/patches/pmap_test 2018-06-05 18:20:00.000000000 +0000 @@ -0,0 +1,14 @@ +--- procps-3.3.8.orig/testsuite/pmap.test/pmap.exp ++++ procps-3.3.8/testsuite/pmap.test/pmap.exp +@@ -46,8 +46,9 @@ spawn $pmap -qd $mypid + expect_table $test $pmap_procname $pmap_device_items "\$" + + set test "pmap extended output" +-spawn $pmap -x $mypid +-expect_table $test $pmap_ext_header $pmap_ext_items $pmap_ext_footer ++#spawn $pmap -x $mypid ++#expect_table $test $pmap_ext_header $pmap_ext_items $pmap_ext_footer ++untested "$test" + + # -X and -XX have no real format as its dependent on smaps + set test "pmap extra extended output"
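
Review bot: the `pmap extended output` test is marked `untested` with no header saying which environment it fails in or which bug tracks it, so nobody will know when it can be turned back on. Suggest a DEP-3 Description and Bug link; since the spawn and expect_table lines are commented out rather than removed, the header should also say they are being kept for re-enabling.
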
  10. Download patch debian/sysctl.d/10-zeropage.conf.armhf

    --- 2:3.3.15-2/debian/sysctl.d/10-zeropage.conf.armhf 1970-01-01 00:00:00.000000000 +0000 +++ 2:3.3.15-2ubuntu2/debian/sysctl.d/10-zeropage.conf.armhf 2018-06-05 18:20:00.000000000 +0000 @@ -0,0 +1,11 @@ +# Protect the zero page of memory from userspace mmap to prevent kernel +# NULL-dereference attacks against potential future kernel security +# vulnerabilities. (Added in kernel 2.6.23.) +# +# While this default is built into the Ubuntu kernel, there is no way to +# restore the kernel default if the value is changed during runtime; for +# example via package removal (e.g. wine, dosemu). Therefore, this value +# is reset to the secure default each time the sysctl values are loaded. +# +# ARM-specific default: +vm.mmap_min_addr = 32768
  11. Download patch debian/README.sysctl

    --- 2:3.3.15-2/debian/README.sysctl 2018-05-31 09:42:46.000000000 +0000 +++ 2:3.3.15-2ubuntu2/debian/README.sysctl 2018-06-05 18:20:00.000000000 +0000 @@ -11,3 +11,6 @@ My personal preference would be for loca /etc/sysctl.d/local.conf but as long as you follow the rules for the names of the file, anything will work. See sysctl.conf(8) man page for details of the format. + +After making any changes, please run "service procps reload" (or, from +a Debian package maintainer script "deb-systemd-invoke restart procps.service").
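
Review bot: the two instructions disagree: interactive users are told `service procps reload` while maintainer scripts are told `deb-systemd-invoke restart procps.service`; `reload` only works if procps.service defines ExecReload, so either state that or use restart in both places. Worth adding that either action only re-applies the files now present: a value that was changed at runtime and whose file was then removed is not restored (this is exactly why 10-zeropage.conf re-asserts vm.mmap_min_addr), so undoing a setting means writing the wanted value back explicitly.
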
  12. Download patch debian/sysctl.d/10-link-restrictions.conf
  13. Download patch debian/sysctl.d/10-ptrace.conf

    --- 2:3.3.15-2/debian/sysctl.d/10-ptrace.conf 1970-01-01 00:00:00.000000000 +0000 +++ 2:3.3.15-2ubuntu2/debian/sysctl.d/10-ptrace.conf 2018-06-05 18:20:00.000000000 +0000 @@ -0,0 +1,22 @@ +# The PTRACE system is used for debugging. With it, a single user process +# can attach to any other dumpable process owned by the same user. In the +# case of malicious software, it is possible to use PTRACE to access +# credentials that exist in memory (re-using existing SSH connections, +# extracting GPG agent information, etc). +# +# A PTRACE scope of "0" is the more permissive mode. A scope of "1" limits +# PTRACE only to direct child processes (e.g. "gdb name-of-program" and +# "strace -f name-of-program" work, but gdb's "attach" and "strace -fp $PID" +# do not). The PTRACE scope is ignored when a user has CAP_SYS_PTRACE, so +# "sudo strace -fp $PID" will work as before. For more details see: +# https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace +# +# For applications launching crash handlers that need PTRACE, exceptions can +# be registered by the debugee by declaring in the segfault handler +# specifically which process will be using PTRACE on the debugee: +# prctl(PR_SET_PTRACER, debugger_pid, 0, 0, 0); +# +# In general, PTRACE is not needed for the average running Ubuntu system. +# To that end, the default is to set the PTRACE scope to "1". This value +# may not be appropriate for developers or servers with only admin accounts. +kernel.yama.ptrace_scope = 1
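
Review bot: `kernel.yama.ptrace_scope` exists only when the Yama LSM is built in and enabled; on a kernel without it the key is absent, which neither ignore_eaccess.patch (EACCES) nor ignore_erofs.patch (EROFS) covers, so `sysctl --system` still reports an error for this file. Suggest prefixing the key with `-` (sysctl.conf(5): errors for that key are ignored) or stating in the comment that the file is a no-op without Yama. The prctl example could also mention `PR_SET_PTRACER_ANY`, which Yama accepts for crash handlers that do not know the debugger pid in advance.
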
  14. Download patch debian/sysctl.d/10-network-security.conf

    --- 2:3.3.15-2/debian/sysctl.d/10-network-security.conf 1970-01-01 00:00:00.000000000 +0000 +++ 2:3.3.15-2ubuntu2/debian/sysctl.d/10-network-security.conf 2019-02-07 22:43:38.000000000 +0000 @@ -0,0 +1,6 @@ + +# Turn on Source Address Verification in all interfaces to +# prevent some spoofing attacks. +net.ipv4.conf.default.rp_filter=2 +net.ipv4.conf.all.rp_filter=2 +
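
Review bot: the comment still reads as if strict source validation were enabled, but the value is now 2 (loose mode: a packet is accepted if its source is reachable via any interface), which the changelog says was chosen for captive-portal handling and which gives weaker anti-spoofing than 1. Suggest saying so in the comment, and noting that the kernel applies the maximum of `net.ipv4.conf.all.rp_filter` and the per-interface value, so with all=2 no interface can be made strict by a per-interface setting; an administrator who wants strict mode on some interface has to lower `all` (e.g. to 0) and set `net.ipv4.conf.<ifname>.rp_filter = 1` in a later-sorting file. Style: the file starts and ends with a blank line and uses `key=value` without spaces, unlike the other files in the directory.
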
  15. Download patch debian/sysctl.d/10-zeropage.conf.armel

    --- 2:3.3.15-2/debian/sysctl.d/10-zeropage.conf.armel 1970-01-01 00:00:00.000000000 +0000 +++ 2:3.3.15-2ubuntu2/debian/sysctl.d/10-zeropage.conf.armel 2018-06-05 18:20:00.000000000 +0000 @@ -0,0 +1,11 @@ +# Protect the zero page of memory from userspace mmap to prevent kernel +# NULL-dereference attacks against potential future kernel security +# vulnerabilities. (Added in kernel 2.6.23.) +# +# While this default is built into the Ubuntu kernel, there is no way to +# restore the kernel default if the value is changed during runtime; for +# example via package removal (e.g. wine, dosemu). Therefore, this value +# is reset to the secure default each time the sysctl values are loaded. +# +# ARM-specific default: +vm.mmap_min_addr = 32768
  16. Download patch debian/patches/series

    --- 2:3.3.15-2/debian/patches/series 2018-05-31 09:42:46.000000000 +0000 +++ 2:3.3.15-2ubuntu2/debian/patches/series 2018-06-05 18:20:00.000000000 +0000 @@ -3,4 +3,7 @@ remove_strtod_tests watch_hostname_max_define disable_sched_test uptime_test +pmap_test +ignore_eaccess.patch +ignore_erofs.patch ps_checks
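
Review bot: ignore_erofs.patch only applies after ignore_eaccess.patch (its context expects `rc = 0;` under `case EACCES:`), so the order of these three new lines matters and should be stated in the patch header rather than left to position. Naming is also mixed: the new `pmap_test` follows the existing suffix-less names while the other two end in `.patch`.
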
  17. Download patch debian/procps.install

    --- 2:3.3.15-2/debian/procps.install 2018-05-31 09:42:46.000000000 +0000 +++ 2:3.3.15-2ubuntu2/debian/procps.install 2018-06-05 18:20:00.000000000 +0000 @@ -1,6 +1,7 @@ # Files to install for non-kfreebsd and non-hurd systems # I think that just means linux debian/sysctl.conf etc +etc/sysctl.d/* debian/protect-links.conf etc/sysctl.d debian/README.sysctl etc/sysctl.d bbin/* bin
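
Review bot: `etc/sysctl.d/*` is added while Debian's `debian/protect-links.conf etc/sysctl.d` line is kept, and the changelog says the Ubuntu 10-link-restrictions.conf exists to set the link-restriction defaults; if both files set the same fs.protected_* keys, the value in effect depends on which filename sorts later, which should either be stated or resolved by dropping the Debian file from the Ubuntu package.
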
  18. Download patch debian/sysctl.d/10-console-messages.conf

    --- 2:3.3.15-2/debian/sysctl.d/10-console-messages.conf 1970-01-01 00:00:00.000000000 +0000 +++ 2:3.3.15-2ubuntu2/debian/sysctl.d/10-console-messages.conf 2018-06-05 18:20:00.000000000 +0000 @@ -0,0 +1,3 @@ + +# the following stops low-level messages on console +kernel.printk = 4 4 1 7
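
Review bot: `kernel.printk = 4 4 1 7` deserves a comment spelling out the four fields (console log level, default level for messages without one, minimum console level, default console level) so the next editor knows which one `stops low-level messages`, and it should say this only affects what is printed to the console. The messages remain in the kernel ring buffer, so this is not an information-hiding control; `kernel.dmesg_restrict` is the setting for that, and nothing in this directory sets it.
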
  19. Download patch debian/patches/ignore_eaccess.patch

    --- 2:3.3.15-2/debian/patches/ignore_eaccess.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2:3.3.15-2ubuntu2/debian/patches/ignore_eaccess.patch 2018-06-05 18:20:00.000000000 +0000 @@ -0,0 +1,19 @@ +Description: Ignore EACCESS when writing a new setting + If we are running in a container, we're not allowed to write to any + non-namespaced sysctls. +Author: Serge Hallyn <serge.hallyn@ubuntu.com> +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/procps/+bug/1157643 + +Index: procps-3.3.3/sysctl.c +=================================================================== +--- procps-3.3.3.orig/sysctl.c 2012-05-08 06:08:36.000000000 -0500 ++++ procps-3.3.3/sysctl.c 2013-10-16 13:44:56.541389676 -0500 +@@ -434,7 +434,7 @@ static int WriteSetting(const char *sett + break; + case EACCES: + xwarnx(_("permission denied on key '%s'"), outname); +- rc = -1; ++ rc = 0; + break; + default: + xwarn(_("setting key \"%s\""), outname);
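
Review bot: changing `rc = -1` to `rc = 0` on EACCES applies to every sysctl invocation, not only to the container/package-upgrade case the Description gives, so `sysctl -p` and `sysctl --system` now exit 0 when a key could not be written and callers can no longer use the exit status to verify that the hardening defaults took effect. Suggest narrowing it (an opt-in flag, or honouring only keys marked with `-` in the file, which sysctl.conf(5) already defines for this purpose) or at least documenting the loss in the header. Minor: the Description says `EACCESS`; the errno is EACCES, as the hunk itself spells it, and the Index line still names procps-3.3.3.
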
  20. Download patch debian/sysctl.d/10-magic-sysrq.conf

    --- 2:3.3.15-2/debian/sysctl.d/10-magic-sysrq.conf 1970-01-01 00:00:00.000000000 +0000 +++ 2:3.3.15-2ubuntu2/debian/sysctl.d/10-magic-sysrq.conf 2018-06-05 18:20:00.000000000 +0000 @@ -0,0 +1,26 @@ +# The magic SysRq key enables certain keyboard combinations to be +# interpreted by the kernel to help with debugging. The kernel will respond +# to these keys regardless of the current running applications. +# +# In general, the magic SysRq key is not needed for the average Ubuntu +# system, and having it enabled by default can lead to security issues on +# the console such as being able to dump memory or to kill arbitrary +# processes including the running screen lock. +# +# Here is the list of possible values: +# 0 - disable sysrq completely +# 1 - enable all functions of sysrq +# >1 - enable certain functions by adding up the following values: +# 2 - enable control of console logging level +# 4 - enable control of keyboard (SAK, unraw) +# 8 - enable debugging dumps of processes etc. +# 16 - enable sync command +# 32 - enable remount read-only +# 64 - enable signalling of processes (term, kill, oom-kill) +# 128 - allow reboot/poweroff +# 256 - allow nicing of all RT tasks +# +# For example, to enable both control of console logging level and +# debugging dumps of processes: kernel.sysrq = 10 +# +kernel.sysrq = 176
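
Review bot: the comment explains the mask but not its scope: kernel.sysrq only gates the keyboard (and serial break) path, while root writing to /proc/sysrq-trigger gets every function regardless of the value, so the protection against dumping memory or killing the screen lock is against someone at the physical console, not against a local root. Also worth a sentence on why 176 (16+32+128: sync, remount read-only, reboot/poweroff) omits 4, since SAK is the one SysRq function that is itself a security control for the console.
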
  21. Download patch debian/sysctl.d/10-ipv6-privacy.conf

    --- 2:3.3.15-2/debian/sysctl.d/10-ipv6-privacy.conf 1970-01-01 00:00:00.000000000 +0000 +++ 2:3.3.15-2ubuntu2/debian/sysctl.d/10-ipv6-privacy.conf 2018-06-05 18:20:00.000000000 +0000 @@ -0,0 +1,12 @@ +# IPv6 Privacy Extensions (RFC 4941) +# --- +# IPv6 typically uses a device's MAC address when choosing an IPv6 address +# to use in autoconfiguration. Privacy extensions allow using a randomly +# generated IPv6 address, which increases privacy. +# +# Acceptable values: +# 0 - don’t use privacy extensions. +# 1 - generate privacy addresses +# 2 - prefer privacy addresses and use them over the normal addresses. +net.ipv6.conf.all.use_tempaddr = 2 +net.ipv6.conf.default.use_tempaddr = 2
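
Review bot: the comment describes the values but not when they take effect: `net.ipv6.conf.default.use_tempaddr` is copied into interfaces created after the file is loaded, so for interfaces that already exist when `sysctl --system` runs the per-interface value (`net.ipv6.conf.<ifname>.use_tempaddr`) should be checked rather than assumed to follow `all`. The comment should also say that preferring temporary addresses changes the source address of outbound connections over time, which matters on servers whose peers filter or log by address. Minor: `don’t` uses a non-ASCII apostrophe in an otherwise plain-ASCII file.
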