
Bug#1007998: release-notes: netcat-openbsd incompatibilities


Guilhem Moulin

Mar 20, 2022, 6:50:03 AM
Package: release-notes
Severity: wishlist

Hi there,

netcat-openbsd 1.218-5 adds support for abstract sockets (on Linux),
which is a breaking change with possible security implications:
https://sources.debian.org/src/netcat-openbsd/1.218-5/debian/NEWS/ .
elbrus suggested to mention that in the Bookworm release notes; I
propose the following text, mostly straight from the NEWS entry — feel free to
adjust of course :-)

--8<--------------------------------------------------------------------->8--

netcat-openbsd and abstract socket support
==========================================

Starting with netcat-openbsd 1.218-5, nc.openbsd(1)'s Linux builds support
[abstract namespace sockets](https://manpages.debian.org/unix.7.en.html#Abstract_sockets)
in the AF_UNIX family. Socket paths starting with an at symbol '@' are
interpreted in the abstract namespace.

This has possible security implications: `nc -lU @foobar.sock` used to bind
pathname socket '@foobar.sock' in the current directory, subject to umask and
file system access restrictions, while (on Linux) it now binds 'foobar.sock'
in the abstract namespace where ownership and permissions have *no meaning*.

In order to specify a pathname socket make sure the argument doesn't start
with '@'; for instance by prefixing with './' or by using a fully-qualified
socket path. (Note however that on Linux socket pathnames may not exceed 108
bytes in size.)

This change is a Linux-only behavior, and only affects UNIX domain sockets
(flag '-U').

--8<--------------------------------------------------------------------->8--

Cheers
--
Guilhem.
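
The behaviour change described in the proposed text, as an added example that is not part of the original thread or of netcat-openbsd: it binds the same `@`-prefixed argument as a pathname socket and as an abstract socket and reports what access control exists in each case. The function names, the `abstract_support` switch and the sample socket name are assumptions made for illustration; it needs Linux.

```python
import os
import socket
import stat
import tempfile


def nc_unix_address(arg, abstract_support=True):
    """Assumed model of how `nc -U ARG` picks an AF_UNIX address on Linux.

    abstract_support=True models netcat-openbsd >= 1.218-5: a leading '@'
    selects the abstract namespace. False models the older behaviour.
    """
    if abstract_support and arg.startswith("@"):
        # Abstract address: leading NUL byte, then the name without the '@'.
        return "abstract", b"\0" + os.fsencode(arg[1:])
    return "pathname", os.fsencode(arg)


def force_pathname(arg):
    """Mitigation from the text: keep '@name' a pathname by prefixing './'."""
    return "./" + arg if arg.startswith("@") else arg


def bind_and_inspect(arg, abstract_support=True):
    """Bind ARG in a scratch directory and report what protects the socket."""
    kind, addr = nc_unix_address(arg, abstract_support)
    old_cwd, old_umask = os.getcwd(), os.umask(0o077)
    with tempfile.TemporaryDirectory() as scratch:
        os.chdir(scratch)
        try:
            with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
                s.bind(addr)
                on_disk = os.path.lexists(arg)
                # A pathname socket is an inode whose mode honours the umask;
                # an abstract socket has no inode, so there is no mode at all.
                mode = stat.S_IMODE(os.lstat(arg).st_mode) if on_disk else None
                return {"kind": kind, "on_disk": on_disk, "mode": mode,
                        "bound": s.getsockname()}
        finally:
            os.chdir(old_cwd)
            os.umask(old_umask)


if __name__ == "__main__":
    sample = "@example-%d.sock" % os.getpid()  # constructed sample argument
    for label, result in (("before", bind_and_inspect(sample, False)),
                          ("after", bind_and_inspect(sample)),
                          ("./ prefix", bind_and_inspect(force_pathname(sample)))):
        print(label, result)
```

A restrictive umask only shows up in the pathname cases; the abstract binding has no file to carry a mode.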

Richard Lewis

May 8, 2023, 7:20:04 AM
On Sun, 20 Mar 2022 11:40:44 +0100 Guilhem Moulin <gui...@debian.org> wrote:

> netcat-openbsd 1.218-5 adds support for abstract sockets (on Linux),
> which is a breaking change with possible security implications:
> https://sources.debian.org/src/netcat-openbsd/1.218-5/debian/NEWS/ .
> elbrus suggested to mention that in the Bookworm release notes; I
> propose the following text, mostly straight from the NEWS entry — feel free to
> adjust of course :-)

Is the following approximately what is meant? (I didn't think the bit
about still fitting the argument into 108 bytes was going to cause
issues often enough to need a mention in release-notes - I would
assume people using huge file names know to check for these things)


<section id="netcat-openbsd-now-supports-abstract-sockets">
<title>netcat-openbsd now supports abstract sockets</title>
<para>
The <literal>netcat</literal> utility for reading and writing data
across network connections supports
<link url="&url-man;/&releasename;/manpages/unix.7.html#Abstract_sockets">abstract
sockets</link>, and uses them by default in some circumstances.
This applies when you are using an <literal>AF_UNIX</literal> socket
under a <literal>Linux</literal> kernel,
and when <literal>netcat</literal> is provided by the
<systemitem role="package">netcat-openbsd</systemitem> package (rather than by
<systemitem role="package">netcat-traditional</systemitem>, which is
the Debian default).
If so, the `-U' option to <command>nc</command> will now interpret
an argument starting with an `@' as requesting an abstract
socket rather than as a filename beginning with an `@' in the
current directory.
This can have security implications because filesystem permissions
can no longer be used to control access to an abstract socket.
You can continue to use a filename starting with an `@' by prefixing
the name with `./' or by specifying an absolute path.
</para>
</section>

Richard Lewis

May 21, 2023, 1:40:05 PM
On Mon, 8 May 2023 12:13:40 +0100 Richard Lewis
<richard.le...@googlemail.com> wrote:
> On Sun, 20 Mar 2022 11:40:44 +0100 Guilhem Moulin <gui...@debian.org> wrote:
>
> > netcat-openbsd 1.218-5 adds support for abstract sockets (on Linux),

Suggested words at:

https://salsa.debian.org/ddp-team/release-notes/-/merge_requests/172