[pkg-apparmor] Bug#805546: apparmor-profiles-extra: AppArmor profile prevents pidgin from starting
intrigeri
intrigeri at debian.org
Wed Dec 30 11:32:19 UTC 2015
Hi Guido, hi pidgin-sipe maintainers!
Guido Günther wrote (19 Nov 2015 13:29:13 GMT) :
>> > audit: type=1400 audit(1446299435.905:81): apparmor="DENIED" operation="exec"
>> > profile="/usr/bin/pidgin" name="/usr/bin/pidgin.orig" pid=5962 comm="pidgin"
>> > requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
>> > audit: type=1400 audit(1446299435.905:82): apparmor="DENIED" operation="open"
>>
>> This doesn't make much sense to me. If this pidgin.orig is a local
>> thing, can you reproduce without it?
> No local things:
> $ dpkg -S /usr/bin/pidgin.orig
> diversion by pidgin-sipe from: /usr/bin/pidgin
> diversion by pidgin-sipe to: /usr/bin/pidgin.orig
> It's a shell wrapper:
> ----
> #!/bin/bash
> CONF=/etc/default/pidgin-sipe
> if [[ -r $CONF ]]
> then
> . $CONF
> fi
> /usr/bin/pidgin.orig $*
> ----
OK, got it, thanks! I had a quick look.
It seems that this wrapper [1] and the corresponding 'default' file
[2] were introduced three years ago in pidgin-sipe 1.13.1-2.1, as
a way to make it slightly easier for users of to communicate with
Microsoft OCS/Lync servers that had not got the fixes for the BEAST
attack (CVE-2011-3389) yet. This workaround was apparently meant
to be temporary [3]. My understanding is that Microsoft published the
fixes needed server-side on 2012-01-10 ([4], [5]). I would hope that
the server-side situation has evolved a bit in four years, wrt.
supporting BEAST fixes.
With this in mind, I'm not super excited at the idea of modifying the
Pidgin profile to support this possibly obsolete workaround: I'd like
to first see its relevance reconsidered among pidgin-sipe maintainers.
Was it done recently?
If they decide it's worth keeping the workaround in testing/sid, then
yay, why not, let's check what exact modifications the dpkg-divert
+ wrapper technique requires on our side, and consider adding them to
the profile somehow (possibly #include'ing a file that could be
shipped by pidgin-sipe?).
Fair enough?
[1] https://sources.debian.net/src/pidgin-sipe/1.20.0-2/debian/extra/pidgin/
[2] https://sources.debian.net/src/pidgin-sipe/1.20.0-2/debian/extra/pidgin-sipe/
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642199#76
[4] https://technet.microsoft.com/library/security/ms12-006
[5] https://support.microsoft.com/en-us/kb/2643584
Cheers,
--
intrigeri
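
An added example, not part of the original message or of any Debian package: a small Python parser for AppArmor audit records like the one quoted above, listing denied exec targets per profile so that a target such as /usr/bin/pidgin.orig can then be checked with dpkg -S as was done in the thread. The function names are hypothetical, and the sample log is constructed from the record quoted in the message.

```python
import re
from collections import defaultdict

# Constructed sample: the first record is the denial quoted in the message,
# joined onto one line; the second is cut short there and is kept that way.
SAMPLE_LOG = (
    'audit: type=1400 audit(1446299435.905:81): apparmor="DENIED" '
    'operation="exec" profile="/usr/bin/pidgin" name="/usr/bin/pidgin.orig" '
    'pid=5962 comm="pidgin" requested_mask="x" denied_mask="x" '
    'fsuid=1000 ouid=0\n'
    'audit: type=1400 audit(1446299435.905:82): apparmor="DENIED" '
    'operation="open"\n'
)

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return the key=value fields of one AppArmor audit record, else None."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def exec_denials(log):
    """List (profile, target) for each denied exec, in log order."""
    hits = []
    for line in log.splitlines():
        rec = parse_record(line)
        if (rec and rec.get("apparmor") == "DENIED"
                and rec.get("operation") == "exec"
                and "x" in rec.get("denied_mask", "")):
            hits.append((rec.get("profile"), rec.get("name")))
    return hits


def summarize(log):
    """Group denied targets by (profile, operation); tolerate short records."""
    groups = defaultdict(set)
    for rec in filter(None, map(parse_record, log.splitlines())):
        if rec.get("apparmor") == "DENIED":
            key = (rec.get("profile", "?"), rec.get("operation", "?"))
            groups[key].add(rec.get("name", "<no name field>"))
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    for profile, target in exec_denials(SAMPLE_LOG):
        # Same follow-up as in the thread: ask dpkg who owns the target.
        print(f"{profile} may not exec {target}; check: dpkg -S {target}")
```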