[pkg-apparmor] Bug#805546: apparmor-profiles-extra: AppArmor profile prevents pidgin from starting

intrigeri intrigeri at debian.org
Wed Dec 30 11:32:19 UTC 2015


Hi Guido, hi pidgin-sipe maintainers!

Guido Günther wrote (19 Nov 2015 13:29:13 GMT) :
>> >  audit: type=1400 audit(1446299435.905:81): apparmor="DENIED" operation="exec"
>> > profile="/usr/bin/pidgin" name="/usr/bin/pidgin.orig" pid=5962 comm="pidgin"
>> > requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
>> >  audit: type=1400 audit(1446299435.905:82): apparmor="DENIED" operation="open"
>> 
>> This doesn't make much sense to me. If this pidgin.orig is a local
>> thing, can you reproduce without it?

> No local things:

> $ dpkg -S  /usr/bin/pidgin.orig 
> diversion by pidgin-sipe from: /usr/bin/pidgin
> diversion by pidgin-sipe to: /usr/bin/pidgin.orig

> It's a shell wrapper:

> ----
> #!/bin/bash

> CONF=/etc/default/pidgin-sipe

> if [[ -r $CONF ]]
> then
>         . $CONF 
> fi

> /usr/bin/pidgin.orig $*
> ----                        

OK, got it, thanks! I had a quick look.

It seems that this wrapper [1] and the corresponding 'default' file
[2] were introduced three years ago in pidgin-sipe 1.13.1-2.1, as
a way to make it slightly easier for users to communicate with
Microsoft OCS/Lync servers that had not got the fixes for the BEAST
attack (CVE-2011-3389) yet. This workaround apparently was meant
to be temporary [3]. My understanding is that Microsoft published the
fixes needed server-side on 2012-01-10 ([4], [5]). I would hope that
the server-side situation has evolved a bit in four years, wrt.
supporting BEAST fixes.

With this in mind, I'm not super excited at the idea of modifying the
Pidgin profile to support this possibly obsolete workaround: I'd like
to first see its relevance reconsidered among pidgin-sipe maintainers.
Was it done recently?

If they decide it's worth keeping the workaround in testing/sid, then
yay, why not, let's check what exact modifications the dpkg-divert
+ wrapper technique requires on our side, and consider adding them to
the profile somehow (possibly #include'ing a file that could be
shipped by pidgin-sipe?).

Fair enough?

[1] https://sources.debian.net/src/pidgin-sipe/1.20.0-2/debian/extra/pidgin/
[2] https://sources.debian.net/src/pidgin-sipe/1.20.0-2/debian/extra/pidgin-sipe/
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642199#76
[4] https://technet.microsoft.com/library/security/ms12-006
[5] https://support.microsoft.com/en-us/kb/2643584

Cheers,
-- 
intrigeri
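
An added example, not part of the original message or of either package: a triage helper that correlates AppArmor exec denials with dpkg diversions, to spot the situation discussed above (a profile named after a path denying exec of that path's own diverted binary). The sample log is constructed from the denial quoted in the message plus one made-up record, and the diversion listing is assumed to be in `dpkg-divert --list` output format.

```python
import re
import shlex

# Constructed sample input: the first record is the denial quoted in the
# message, the second is a made-up unrelated denial.
AUDIT_LOG = '''\
audit: type=1400 audit(1446299435.905:81): apparmor="DENIED" operation="exec" profile="/usr/bin/pidgin" name="/usr/bin/pidgin.orig" pid=5962 comm="pidgin" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
audit: type=1400 audit(1446299500.100:90): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/example.conf" pid=6001 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''
# Assumed to be in the format printed by `dpkg-divert --list`.
DIVERSIONS = "diversion of /usr/bin/pidgin to /usr/bin/pidgin.orig by pidgin-sipe\n"

DIVERT_RE = re.compile(r"^(?:local )?diversion of (\S+) to (\S+)(?: by (\S+))?$")

def parse_denials(log):
    """Yield key/value dicts for AppArmor DENIED audit records."""
    for line in log.splitlines():
        _, sep, body = line.partition("): ")  # drop the "audit(ts:serial): " prefix
        if not sep:
            continue
        fields = dict(tok.split("=", 1) for tok in shlex.split(body) if "=" in tok)
        if fields.get("apparmor") == "DENIED":
            yield fields

def parse_diversions(listing):
    """Map diverted-to path -> (original path, diverting package or 'local')."""
    out = {}
    for line in listing.splitlines():
        m = DIVERT_RE.match(line.strip())
        if m:
            out[m.group(2)] = (m.group(1), m.group(3) or "local")
    return out

def diversion_conflicts(log, listing):
    """Exec denials where a path-named profile blocks its own diverted binary."""
    diverted = parse_diversions(listing)
    hits = []
    for d in parse_denials(log):
        target = diverted.get(d.get("name"))
        # Only matches profiles whose name is the original (pre-diversion) path.
        if d.get("operation") == "exec" and target and target[0] == d.get("profile"):
            hits.append((d["profile"], d["name"], target[1]))
    return hits

if __name__ == "__main__":
    for profile, name, pkg in diversion_conflicts(AUDIT_LOG, DIVERSIONS):
        print(f"{profile}: exec of {name} denied; diverted by {pkg}")
```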


