Hello community, here is the log from the commit of package libnetfilter_conntrack for openSUSE:Factory checked in at 2013-03-08 13:23:22 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libnetfilter_conntrack (Old) and /work/SRC/openSUSE:Factory/.libnetfilter_conntrack.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libnetfilter_conntrack", Maintainer is "[email protected]" Changes: -------- --- /work/SRC/openSUSE:Factory/libnetfilter_conntrack/libnetfilter_conntrack.changes 2012-12-14 09:35:24.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.libnetfilter_conntrack.new/libnetfilter_conntrack.changes 2013-03-08 13:23:24.000000000 +0100 @@ -1,0 +2,9 @@ +Mon Mar 4 19:17:33 UTC 2013 - [email protected] + +- Update to new upstream release 1.0.3 +* Treat the ATTR_HELPER_INFO attribute as the variable-length type + that it actually is. +* Fix a use after free when nfct_clone was used with certain + attribute data types. + +------------------------------------------------------------------- Old: ---- libnetfilter_conntrack-1.0.2.tar.bz2 libnetfilter_conntrack-1.0.2.tar.bz2.sig New: ---- libnetfilter_conntrack-1.0.3.tar.bz2 libnetfilter_conntrack-1.0.3.tar.bz2.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libnetfilter_conntrack.spec ++++++ --- /var/tmp/diff_new_pack.Grwf3A/_old 2013-03-08 13:23:25.000000000 +0100 +++ /var/tmp/diff_new_pack.Grwf3A/_new 2013-03-08 13:23:25.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package libnetfilter_conntrack # -# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -18,13 +18,14 @@ Name: libnetfilter_conntrack %define lname %{name}3 -Version: 1.0.2 +Version: 1.0.3 Release: 0 Url: http://netfilter.org/projects/libnetfilter_conntrack/ Summary: Userspace library for the in-kernel connection tracking state table License: GPL-2.0+ Group: Productivity/Networking/Security +#Freecode-URL: http://freecode.com/projects/libnetfilter_conntrack/ #Git-Clone: git://git.netfilter.org/libnetfilter_conntrack #DL-URL: http://netfilter.org/projects/libnetfilter_conntrack/files/ Source: http://netfilter.org/projects/libnetfilter_conntrack/files/%name-%version.tar.bz2 @@ -64,9 +65,9 @@ used by conntrack-tools among many other applications. %package devel -Requires: %lname = %version Summary: Userspace library for the in-kernel connection tracking state table Group: Development/Libraries/C and C++ +Requires: %lname = %version %description devel libnetfilter_conntrack is a userspace library providing a programming 
@@ -76,15 +77,10 @@ used by conntrack-tools among many other applications. %prep -%if 0%{?gpg_verify:1} -%gpg_verify %{S:2} -%endif +%{?gpg_verify: %gpg_verify %{S:2}} %setup -q %build -if [ "%git_snapshot" -ne 0 ] || [ ! -e configure ]; then - autoreconf -fi; -fi; %configure --disable-static --includedir="%_includedir/%name-%version" make %{?_smp_mflags} ++++++ libnetfilter_conntrack-1.0.2.tar.bz2 -> libnetfilter_conntrack-1.0.3.tar.bz2 ++++++ ++++ 2065 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libnetfilter_conntrack-1.0.2/build-aux/ar-lib new/libnetfilter_conntrack-1.0.3/build-aux/ar-lib --- old/libnetfilter_conntrack-1.0.2/build-aux/ar-lib 1970-01-01 01:00:00.000000000 +0100 +++ new/libnetfilter_conntrack-1.0.3/build-aux/ar-lib 2013-03-04 15:57:33.000000000 +0100 
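Review bot: The rewritten `%prep` line `%{?gpg_verify: %gpg_verify %{S:2}}` expands to nothing when the `gpg_verify` macro is undefined, so on such a build host the 1.0.3 tarball is unpacked with no signature check and no message. The `Source:` URL shown earlier in the spec is plain `http://`, so that check is the only integrity control visible on this page. I would add a comment above the line, `# NOTE: verification is skipped silently if the build environment does not provide the gpg_verify macro`, and confirm that the BuildRequires (outside this hunk) pull in whatever defines it. The same hunk drops the `autoreconf -fi` fallback, so the build always runs the `configure` shipped inside that tarball.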
@@ -0,0 +1,270 @@ +#! /bin/sh +# Wrapper for Microsoft lib.exe + +me=ar-lib +scriptversion=2012-03-01.08; # UTC + +# Copyright (C) 2010, 2012 Free Software Foundation, Inc. +# Written by Peter Rosin <[email protected]>. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2, or (at your option) +# any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that program. + +# This file is maintained in Automake, please report +# bugs to <[email protected]> or send patches to +# <[email protected]>. + + +# func_error message +func_error () +{ + echo "$me: $1" 1>&2 + exit 1 +} + +file_conv= + +# func_file_conv build_file +# Convert a $build file to $host form and store it in $file +# Currently only supports Windows hosts. 
+func_file_conv () +{ + file=$1 + case $file in + / | /[!/]*) # absolute file, and not a UNC file + if test -z "$file_conv"; then + # lazily determine how to convert abs files + case `uname -s` in + MINGW*) + file_conv=mingw + ;; + CYGWIN*) + file_conv=cygwin + ;; + *) + file_conv=wine + ;; + esac + fi + case $file_conv in + mingw) + file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'` + ;; + cygwin) + file=`cygpath -m "$file" || echo "$file"` + ;; + wine) + file=`winepath -w "$file" || echo "$file"` + ;; + esac + ;; + esac +} + +# func_at_file at_file operation archive +# Iterate over all members in AT_FILE performing OPERATION on ARCHIVE +# for each of them. +# When interpreting the content of the @FILE, do NOT use func_file_conv, +# since the user would need to supply preconverted file names to +# binutils ar, at least for MinGW. +func_at_file () +{ + operation=$2 + archive=$3 + at_file_contents=`cat "$1"` + eval set x "$at_file_contents" + shift + + for member + do + $AR -NOLOGO $operation:"$member" "$archive" || exit $? + done +} + +case $1 in + '') + func_error "no command. Try '$0 --help' for more information." + ;; + -h | --h*) + cat <<EOF +Usage: $me [--help] [--version] PROGRAM ACTION ARCHIVE [MEMBER...] + +Members may be specified in a file named with @FILE. +EOF + exit $? + ;; + -v | --v*) + echo "$me, version $scriptversion" + exit $? 
+ ;; +esac + +if test $# -lt 3; then + func_error "you must specify a program, an action and an archive" +fi + +AR=$1 +shift +while : +do + if test $# -lt 2; then + func_error "you must specify a program, an action and an archive" + fi + case $1 in + -lib | -LIB \ + | -ltcg | -LTCG \ + | -machine* | -MACHINE* \ + | -subsystem* | -SUBSYSTEM* \ + | -verbose | -VERBOSE \ + | -wx* | -WX* ) + AR="$AR $1" + shift + ;; + *) + action=$1 + shift + break + ;; + esac +done +orig_archive=$1 +shift +func_file_conv "$orig_archive" +archive=$file + +# strip leading dash in $action +action=${action#-} + +delete= +extract= +list= +quick= +replace= +index= +create= + +while test -n "$action" +do + case $action in + d*) delete=yes ;; + x*) extract=yes ;; + t*) list=yes ;; + q*) quick=yes ;; + r*) replace=yes ;; + s*) index=yes ;; + S*) ;; # the index is always updated implicitly + c*) create=yes ;; + u*) ;; # TODO: don't ignore the update modifier + v*) ;; # TODO: don't ignore the verbose modifier + *) + func_error "unknown action specified" + ;; + esac + action=${action#?} +done + +case $delete$extract$list$quick$replace,$index in + yes,* | ,yes) + ;; + yesyes*) + func_error "more than one action specified" + ;; + *) + func_error "no action specified" + ;; +esac + +if test -n "$delete"; then + if test ! -f "$orig_archive"; then + func_error "archive not found" + fi + for member + do + case $1 in + @*) + func_at_file "${1#@}" -REMOVE "$archive" + ;; + *) + func_file_conv "$1" + $AR -NOLOGO -REMOVE:"$file" "$archive" || exit $? + ;; + esac + done + +elif test -n "$extract"; then + if test ! -f "$orig_archive"; then + func_error "archive not found" + fi + if test $# -gt 0; then + for member + do + case $1 in + @*) + func_at_file "${1#@}" -EXTRACT "$archive" + ;; + *) + func_file_conv "$1" + $AR -NOLOGO -EXTRACT:"$file" "$archive" || exit $? 
+ ;; + esac + done + else + $AR -NOLOGO -LIST "$archive" | sed -e 's/\\/\\\\/g' | while read member + do + $AR -NOLOGO -EXTRACT:"$member" "$archive" || exit $? + done + fi + +elif test -n "$quick$replace"; then + if test ! -f "$orig_archive"; then + if test -z "$create"; then + echo "$me: creating $orig_archive" + fi + orig_archive= + else + orig_archive=$archive + fi + + for member + do + case $1 in + @*) + func_file_conv "${1#@}" + set x "$@" "@$file" + ;; + *) + func_file_conv "$1" + set x "$@" "$file" + ;; + esac + shift + shift + done + + if test -n "$orig_archive"; then + $AR -NOLOGO -OUT:"$archive" "$orig_archive" "$@" || exit $? + else + $AR -NOLOGO -OUT:"$archive" "$@" || exit $? + fi + +elif test -n "$list"; then + if test ! -f "$orig_archive"; then + func_error "archive not found" + fi + $AR -NOLOGO -LIST "$archive" || exit $? +fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libnetfilter_conntrack-1.0.2/configure.ac new/libnetfilter_conntrack-1.0.3/configure.ac --- old/libnetfilter_conntrack-1.0.2/configure.ac 2012-10-08 11:03:55.000000000 +0200 +++ new/libnetfilter_conntrack-1.0.3/configure.ac 2013-03-04 15:54:39.000000000 +0100 
@@ -1,12 +1,13 @@ dnl Process this file with autoconf to create configure. -AC_INIT([libnetfilter_conntrack], [1.0.2]) +AC_INIT([libnetfilter_conntrack], [1.0.3]) AC_CONFIG_AUX_DIR([build-aux]) AC_CANONICAL_HOST AC_CONFIG_MACRO_DIR([m4]) AM_INIT_AUTOMAKE([-Wall foreign subdir-objects tar-pax no-dist-gzip dist-bzip2 1.6]) +m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) dnl kernel style compile messages m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libnetfilter_conntrack-1.0.2/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h new/libnetfilter_conntrack-1.0.3/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h --- old/libnetfilter_conntrack-1.0.2/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h 2012-06-27 15:27:06.000000000 +0200 +++ new/libnetfilter_conntrack-1.0.3/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h 2013-01-23 15:50:25.000000000 +0100 @@ -13,6 +13,8 @@ IPCTNL_MSG_CT_GET_CTRZERO, IPCTNL_MSG_CT_GET_STATS_CPU, IPCTNL_MSG_CT_GET_STATS, + IPCTNL_MSG_CT_GET_DYING, + IPCTNL_MSG_CT_GET_UNCONFIRMED, IPCTNL_MSG_MAX }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libnetfilter_conntrack-1.0.2/qa/test_api.c new/libnetfilter_conntrack-1.0.3/qa/test_api.c --- old/libnetfilter_conntrack-1.0.2/qa/test_api.c 2012-04-30 01:13:08.000000000 +0200 +++ new/libnetfilter_conntrack-1.0.3/qa/test_api.c 2013-03-04 15:44:08.000000000 +0100 
@@ -2,6 +2,7 @@ * Run this after adding a new attribute to the nf_conntrack object */ +#include <assert.h> #include <stdio.h> #include <stdlib.h> #include <unistd.h> @@ -35,7 +36,7 @@ int ret, i; struct nf_conntrack *ct, *ct2, *tmp; struct nf_expect *exp, *tmp_exp; - char data[32]; + char data[256]; const char *val; int status; @@ -83,9 +84,6 @@ ret = fork(); if (ret == 0) { for (i=0; i<ATTR_MAX; i++) { - data[0] = (uint8_t) i; - nfct_set_attr(ct, i, data); - val = nfct_get_attr(ct, i); /* These attributes cannot be set, ignore them. */ switch(i) { case ATTR_ORIG_COUNTER_PACKETS: @@ -97,7 +95,16 @@ case ATTR_TIMESTAMP_START: case ATTR_TIMESTAMP_STOP: continue; + /* These attributes require special handling */ + case ATTR_HELPER_INFO: + nfct_set_attr_l(ct, i, data, sizeof(data)); + break; + default: + data[0] = (uint8_t) i; + nfct_set_attr(ct, i, data); } + val = nfct_get_attr(ct, i); + if (val[0] != data[0]) { printf("ERROR: set/get operations don't match " "for attribute %d (%x != %x)\n", @@ -199,6 +206,11 @@ eval_sigterm(status); } + ct2 = nfct_clone(ct); + assert(ct2); + assert(nfct_cmp(ct, ct2, NFCT_CMP_ALL) == 1); + nfct_destroy(ct2); + ct2 = nfct_new(); if (!ct2) { perror("nfct_new"); @@ -222,7 +234,7 @@ printf("== test get grp API ==\n"); ret = fork(); if (ret == 0) { - char buf[16]; + char buf[32]; /* IPv6 group address is 16 bytes * 2 */ for (i=0; i<ATTR_GRP_MAX; i++) nfct_get_attr_grp(ct2, i, buf); @@ -236,7 +248,7 @@ ret = fork(); if (ret == 0) { for (i=0; i<ATTR_GRP_MAX; i++) { - char buf[16]; + char buf[32]; /* IPv6 group address is 16 bytes */ data[0] = (uint8_t) i; nfct_set_attr_grp(ct2, i, data); 
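Review bot: In the new `case ATTR_HELPER_INFO:` branch, `nfct_set_attr_l(ct, i, data, sizeof(data))` hands all 256 bytes of `data` to the library, but the only declaration visible is `char data[256];` with no initialiser. Unless the array is filled somewhere outside these hunks, the test copies indeterminate stack bytes. That branch also skips `data[0] = (uint8_t) i;`, so the following `val[0] != data[0]` check compares against the byte left over from the previous iteration rather than one tied to this attribute. I would declare `char data[256] = {0};` and move `data[0] = (uint8_t) i;` ahead of the `switch` so both paths compare a known value. `val` is dereferenced without a NULL check; whether `nfct_get_attr` can return NULL here depends on code outside the hunk.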
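Review bot: The clone check added in the `+206` hunk relies on `assert(ct2);` and `assert(nfct_cmp(ct, ct2, NFCT_CMP_ALL) == 1);`, which compile to nothing when the test is built with `NDEBUG`, leaving `nfct_destroy(ct2)` to run on an unchecked pointer. The `nfct_new()` call right below it is checked explicitly with `if (!ct2) { perror("nfct_new"); ...`, so `if (!ct2) { perror("nfct_clone"); ...` with the same failure handling would match the file's style and survive any build flags. This appears to be the only test for the use-after-free named in the changelog, so a short comment such as `/* the clone must own its secctx/helper_info: destroying it must not free ct's */` would record why it exists. A stale pointer may not crash in a plain run, so the check is most meaningful when run under a memory checker.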
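Review bot: The two `char buf[32];` declarations carry different comments, `16 bytes * 2` in the `+234` hunk and `16 bytes` in the `+248` hunk, and the second contradicts the size it annotates. `nfct_get_attr_grp(ct2, i, buf)` takes no length argument, so the buffer has to be at least as large as the biggest group structure or the library writes past its end, which is presumably what the old `buf[16]` allowed. I would size it from the type instead of a literal, for instance `char buf[sizeof(struct nfct_attr_grp_ipv6)]; /* largest attribute group: IPv6 src + dst */`, after confirming that no other group is larger.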
@@ -264,9 +276,12 @@ } nfct_destroy(ct2); + printf("== destroy cloned ct entry ==\n"); nfct_destroy(ct); nfct_destroy(tmp); nfexp_destroy(exp); nfexp_destroy(tmp_exp); + printf("OK\n"); + return EXIT_SUCCESS; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libnetfilter_conntrack-1.0.2/src/conntrack/api.c new/libnetfilter_conntrack-1.0.3/src/conntrack/api.c --- old/libnetfilter_conntrack-1.0.2/src/conntrack/api.c 2012-06-26 17:26:30.000000000 +0200 +++ new/libnetfilter_conntrack-1.0.3/src/conntrack/api.c 2013-03-04 15:22:03.000000000 +0100 @@ -147,7 +147,7 @@ if ((clone = nfct_new()) == NULL) return NULL; - memcpy(clone, ct, sizeof(*ct)); + nfct_copy(clone, ct, NFCT_CP_OVERRIDE); return clone; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libnetfilter_conntrack-1.0.2/src/conntrack/compare.c new/libnetfilter_conntrack-1.0.3/src/conntrack/compare.c --- old/libnetfilter_conntrack-1.0.2/src/conntrack/compare.c 2012-01-04 17:07:56.000000000 +0100 +++ new/libnetfilter_conntrack-1.0.3/src/conntrack/compare.c 2013-01-23 15:48:16.000000000 +0100 @@ -300,8 +300,8 @@ #define __NFCT_CMP_TIMEOUT (NFCT_CMP_TIMEOUT_LE | NFCT_CMP_TIMEOUT_GT) if (!(flags & __NFCT_CMP_TIMEOUT) && - ct1->timeout != ct2->timeout) - return 0; + ct1->timeout == ct2->timeout) + return 1; else { if (flags & NFCT_CMP_TIMEOUT_GT && ct1->timeout > ct2->timeout) @@ -312,9 +312,6 @@ else if (flags & NFCT_CMP_TIMEOUT_EQ && ct1->timeout == ct2->timeout) ret = 1; - - if (ret == 0) - return 0; } return ret; } 
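Review bot: In the `api.c` hunk, `nfct_clone` returns `clone` straight after `nfct_copy(clone, ct, NFCT_CP_OVERRIDE);`, so it cannot tell whether the dynamically allocated attributes were actually duplicated; the call's result is not used, and presumably there is none to use. If duplicating `secctx` or `helper_info` fails inside the copy helpers, whose bodies are not shown here, the caller may receive a clone that silently lacks data the original has. At minimum I would document the ownership contract on the function, e.g. `/* the clone owns private copies of secctx and helper_info; release it with nfct_destroy() */`. The function body starts above the hunk.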
@@ -364,6 +361,8 @@ const struct nf_conntrack *ct2, unsigned int flags) { + if (ct1->secctx == NULL || ct2->secctx == NULL) + return ct1->secctx == ct2->secctx; return strcmp(ct1->secctx, ct2->secctx) == 0; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libnetfilter_conntrack-1.0.2/src/conntrack/copy.c new/libnetfilter_conntrack-1.0.3/src/conntrack/copy.c --- old/libnetfilter_conntrack-1.0.2/src/conntrack/copy.c 2012-06-26 17:26:30.000000000 +0200 +++ new/libnetfilter_conntrack-1.0.3/src/conntrack/copy.c 2013-03-04 15:27:41.000000000 +0100 @@ -524,5 +524,8 @@ { memcpy(ct1, ct2, sizeof(*ct1)); /* special case: secctx attribute is allocated dinamically. */ + ct1->secctx = NULL; /* don't free: ct2 uses it */ + ct1->helper_info = NULL; copy_attr_secctx(ct1, ct2); + copy_attr_help_info(ct1, ct2); } -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
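Review bot: In the `copy.c` hunk, `memcpy(ct1, ct2, sizeof(*ct1));` overwrites `ct1->secctx` and `ct1->helper_info` before the two added lines reset them to NULL, so if the destination already owned buffers there (a reused object rather than a fresh `nfct_new()` one) they become unreachable and leak. Releasing them first would close that, `free(ct1->secctx); free(ct1->helper_info);` ahead of the `memcpy`, assuming both are plain heap allocations and that `ct1 != ct2`; neither is visible in this hunk. The comment `/* don't free: ct2 uses it */` covers only `secctx`; I would reword it to cover both pointers, e.g. `/* after memcpy these still alias ct2's buffers: drop them without freeing, then deep-copy */`, and fix the `dinamically` typo while there. The function's signature is above the hunk.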
