Bug#683312: Please consider including this patch before wheezy

2013-01-14 Thread gregor herrmann
On Sun, 13 Jan 2013 19:10:00 +, Alex Owen wrote:

 I have regenerated the patch against uif- 1.0.6 to make it simple to
 review and apply to the package currently in Wheezy.

Seems you didn't attach this new patch?
 
BTW: After looking at your original patch, I have the impression that
you missed moving one $not (dport, in the line with two $nots).

Cheers,
gregor

-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer  -  http://www.debian.org/
 `. `'  Member of VIBE!AT  SPI, fellow of the Free Software Foundation Europe
   `-   NP: REM: Half A World Away


signature.asc
Description: Digital signature


Bug#683312: Please consider including this patch before wheezy

2013-01-14 Thread Alex Owen
On 14 January 2013 17:54, gregor herrmann gre...@debian.org wrote:
 On Sun, 13 Jan 2013 19:10:00 +, Alex Owen wrote:

 I have regenerated the patch against uif- 1.0.6 to make it simple to
 review and apply to the package currently in Wheezy.

 Seems you didn't attach this new patch?
Oops! Sorry!

 BTW: After looking at your original patch, I have the impression that
 you missed moving one $not (dport, in the line with two $nots).

Good catch...

Here (and really attached this time) is an updated patch including
Gregor's point also.

Regards
Alex Owen


uif-pling-position-v2.patch
Description: Binary data


Bug#683312: Please consider including this patch before wheezy

2013-01-14 Thread gregor herrmann
On Mon, 14 Jan 2013 18:36:05 +, Alex Owen wrote:

  I have regenerated the patch against uif- 1.0.6 to make it simple to
  review and apply to the package currently in Wheezy.
  Seems you didn't attach this new patch?
 Oops! Sorry!

No problem :)

  BTW: After looking at your original patch, I have the impression that
  you missed moving one $not (dport, in the line with two $nots).
 Good catch...
 Here (and really attached this time) is an updated patch including
 Gregor's point also.

I think I found another one ...

What I did was switching the (-)-$args and $nots with perl, and
comparing the result with your patch there's one difference:

#v+
-+  push (@source, $not -s $1 -m mac --mac-source $not $2);
++  push (@source, $not -s $1 -m mac $not --mac-source $2);
#v-

I'm attaching my complete (auto-)patch; could you please double-check?


Cheers,
gregor

-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer  -  http://www.debian.org/
 `. `'  Member of VIBE!AT  SPI, fellow of the Free Software Foundation Europe
   `-   NP: Tracy Chapman: Subcity
diff --git a/uif.pl b/uif.pl
index be60276..40fe2f1 100755
--- a/uif.pl
+++ b/uif.pl
@@ -984,14 +984,14 @@ sub genRuleDump {
 }
 my $range;
 foreach $range (@{$$rule{\u$proto}[2]}) {
-	push (@protocol, -p $proto -m $proto --sport $not $range);
+	push (@protocol, -p $proto -m $proto $not --sport $range);
 }
 foreach $range (@{$$rule{\u$proto}[3]}) {
-	push (@protocol, -p $proto -m $proto --dport $not $range);
+	push (@protocol, -p $proto -m $proto $not --dport $range);
 }
 foreach $range (@{$$rule{\u$proto}[4]}) {
 	$range =~ /^(.+)\/(.+)$/;
-	push (@protocol, -p $proto -m $proto --sport $not $1 --dport $not $2);
+	push (@protocol, -p $proto -m $proto $not --sport $1 $not --dport $2);
 }
 			}
 		}
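Review bot: the combined-range line at the end of this hunk now interpolates `$not` twice (`$not --sport $1 $not --dport $2`), so a negated entry still means "source port not in $1 and destination port not in $2", the same as the old `--sport $not $1 --dport $not $2`; that is the faithful translation, but it is worth a comment, since a reader may expect a single `!` to negate the pair. While here, `$range =~ /^(.+)\/(.+)$/;` is never tested for success, so an entry without a `/` would silently reuse `$1`/`$2` from the previous iteration. Also, in this mail rendering the `push` arguments appear without their string quoting; the applied patch must keep it, because `$not` and `$proto` only interpolate inside a quoted string.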
@@ -999,16 +999,16 @@ sub genRuleDump {
 			my $type;
 			foreach $type (@{$$rule{'ICMP'}}) {
 if ($type eq 'all') {
-	push (@protocol, -p $not icmp);
+	push (@protocol, $not -p icmp);
 } else {
-	push (@protocol, -p icmp -m icmp --icmp-type $not $type);
+	push (@protocol, -p icmp -m icmp $not --icmp-type $type);
 }
 			}
 		}
 		if (exists($$rule{'OtherProtocols'})) {
 			my $proto;
 			foreach $proto (@{$$rule{'OtherProtocols'}}) {
-push (@protocol, -p $not $proto);
+push (@protocol, $not -p $proto);
 			}
 		}
 		if (exists($$rule{'Source'})) {
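Review bot: the two ICMP branches negate different things and deserve a one-line comment: for `all`, `$not -p icmp` negates the protocol match itself, while the typed branch keeps `-p icmp -m icmp` positive and negates only `--icmp-type`. That asymmetry is correct (the type match only makes sense under a positive `-p icmp`) and it is what the old code did too, but without a comment the next reader will wonder whether `$not` was forgotten before `-p`. The `OtherProtocols` line `$not -p $proto` is consistent with the `all` branch.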
@@ -1020,10 +1020,10 @@ sub genRuleDump {
 			my $source;
 			foreach $source (@{$$rule{'Source'}}) {
 if ($source =~ /(.+)=(.+)/  ($$rule{'Table'} eq 'filter')) {
-	push (@source, -s $not $1 -m mac --mac-source $not $2);
+	push (@source, $not -s $1 -m mac $not --mac-source $2);
 } else {
 	$source =~ /([^=]+)/;
-	push (@source, -s $not $1);
+	push (@source, $not -s $1);
 }
 			}
 		}
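Review bot: this MAC line is the one that went missing in the first two revisions of the patch, so it should be read twice: both `$not` occurrences move, giving `$not -s $1 -m mac $not --mac-source $2`, which negates the IP source and the MAC source independently exactly as before. Two things to check against the real file rather than this mail rendering: the condition `if ($source =~ /(.+)=(.+)/  ($$rule{'Table'} eq 'filter'))` shows a gap where the operator joining the two tests belongs, and the `else` branch's `$source =~ /([^=]+)/;` is not checked for a match (harmless for a non-empty `$source`, but an empty entry would again reuse a stale `$1`).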
@@ -1036,7 +1036,7 @@ sub genRuleDump {
 			my $destination;
 			foreach $destination (@{$$rule{'Destination'}}) {
 $destination =~ /([^=]+)/;
-push (@destination, -d $not $1);
+push (@destination, $not -d $1);
 			}
 		}
 		if (exists($$rule{'TranslatedSource'})) {
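Review bot: `$not -d $1` mirrors the `Source` branch, but note that `$destination =~ /([^=]+)/;` silently discards anything after an `=`, so a `host=mac` style entry on the destination side loses its MAC part without warning. A comment stating that destinations carry no MAC match would make that intentional rather than surprising.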
@@ -1093,7 +1093,7 @@ sub genRuleDump {
 			}
 			my $input;
 			foreach $input (@{$$rule{'InputInterface'}}) {
-push (@inputinterface, -i $not $input);
+push (@inputinterface, $not -i $input);
 			}
 		}
 		if (exists($$rule{'OutputInterface'})) {
@@ -1104,7 +1104,7 @@ sub genRuleDump {
 			}
 			my $output;
 			foreach $output (@{$$rule{'OutputInterface'}}) {
-push (@outputinterface, -o $not $output);
+push (@outputinterface, $not -o $output);
 			}
 		}
 		if (exists($$rule{'PhysicalInputInterface'})) {
@@ -1115,7 +1115,7 @@ sub genRuleDump {
 			}
 			my $input;
 			foreach $input (@{$$rule{'PhysicalInputInterface'}}) {
-push (@physicalinputinterface, -m physdev --physdev-in $not $input);
+push (@physicalinputinterface, -m physdev $not --physdev-in $input);
 			}
 		}
 		if (exists($$rule{'PhysicalOutputInterface'})) {
@@ -1126,7 +1126,7 @@ sub genRuleDump {
 			}
 			my $output;
 			foreach $output (@{$$rule{'PhysicalOutputInterface'}}) {
-push (@physicaloutputinterface, -m physdev --physdev-out $not $output);
+push (@physicaloutputinterface, -m physdev $not --physdev-out $output);
 			}
 		}
 		if (exists($$rule{'MarkMatch'})) {
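Review bot: every hunk in this patch is the same mechanical move of `$not` in front of its option, and two occurrences were still missed in earlier revisions, so the change would benefit from a regression check rather than eyeballing: dump the generated rules for a configuration that negates every supported key (ports, port ranges, ICMP type, source with MAC, destination, interfaces, physdev) and assert that no `!` follows an option token. The physdev lines here (`-m physdev $not --physdev-in $input` and the `--physdev-out` twin) are correct and would be covered by the same check.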


signature.asc
Description: Digital signature
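Gregor's method above, mechanically moving every `!` in front of the option it negates, can also be applied to the generated rules themselves. The following Python is an added example, not code from uif or from this thread: it rewrites old-position negation in an iptables rule string and audits a rule dump for any occurrences left over; the function names and the sample rules are constructed here.

```python
import re

# An iptables option token: "-p", "-s", "--sport", "--mac-source", ...
OPTION_RE = re.compile(r"^--?[A-Za-z][\w-]*$")


def fix_negation(rule: str) -> str:
    """Move each '!' that follows an option in front of that option.

    Old, deprecated form:        -p tcp --sport ! 1024:65535
    Form current iptables wants: -p tcp ! --sport 1024:65535
    Rules already in the new form come back unchanged (idempotent).
    """
    toks = rule.split()
    out = []
    i = 0
    while i < len(toks):
        if i + 1 < len(toks) and toks[i + 1] == "!" and OPTION_RE.match(toks[i]):
            out += ["!", toks[i]]   # "--sport ! 80" -> "! --sport 80"
            i += 2                  # skip the option and the '!' just emitted
        else:
            out.append(toks[i])
            i += 1
    return " ".join(out)


def deprecated_negations(rule: str) -> list:
    """Options in `rule` that still carry the old 'option ! value' negation."""
    toks = rule.split()
    return [toks[i] for i in range(len(toks) - 1)
            if toks[i + 1] == "!" and OPTION_RE.match(toks[i])]


def audit_ruleset(rules) -> list:
    """(line number, option) for every old-position negation in a rule dump.

    Run over a uif rule dump before a kernel/iptables upgrade: each hit is a
    rule the upgraded system will refuse to load, i.e. a firewall gap.
    """
    return [(n, opt) for n, rule in enumerate(rules, 1)
            for opt in deprecated_negations(rule)]


# Constructed sample dump in the style of the rules uif emits (not real config).
SAMPLE_RULES = [
    "-A INPUT -p tcp -m tcp --dport ! 22 -j DROP",
    "-A INPUT -s ! 10.0.0.1 -m mac --mac-source ! 00:11:22:33:44:55 -j DROP",
    "-A INPUT ! -i eth0 -j ACCEPT",
]

if __name__ == "__main__":
    for n, opt in audit_ruleset(SAMPLE_RULES):
        print(f"line {n}: old-position negation on {opt}")
    for rule in SAMPLE_RULES:
        print(fix_negation(rule))
```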


Bug#683312: Please consider including this patch before wheezy

2013-01-14 Thread Alex Owen
On 14 January 2013 19:04, gregor herrmann gre...@debian.org wrote:
 I think I found another one ...

 What I did was switching the (-)-$args and $nots with perl, and
 comparing the result with your patch there's one difference:

 #v+
 -+  push (@source, $not -s $1 -m mac --mac-source $not $2);
 ++  push (@source, $not -s $1 -m mac $not --mac-source $2);
 #v-

 I'm attaching my complete (auto-)patch; could you please double-check?


Hello Gregor,
I have used grep and wc -l and looked and re-looked... your patch
looks complete to me.
Thanks for looking at this issue and fixing my mistakes!

Alex Owen


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#683312: Please consider including this patch before wheezy

2013-01-14 Thread gregor herrmann
On Mon, 14 Jan 2013 19:25:50 +, Alex Owen wrote:

  What I did was switching the (-)-$args and $nots with perl, and
  comparing the result with your patch there's one difference:
 
  #v+
  -+  push (@source, $not -s $1 -m mac --mac-source $not 
  $2);
  ++  push (@source, $not -s $1 -m mac $not --mac-source 
  $2);
  #v-
 
  I'm attaching my complete (auto-)patch; could you please double-check?

 I have used grep and wc -l and looked and re-looked... your patch
 looks complete to me.

Cool.

 Thanks for looking at this issue and fixing my mistakes!

Thanks for checking.


Cheers,
gregor, preparing an NMU

-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer  -  http://www.debian.org/
 `. `'  Member of VIBE!AT  SPI, fellow of the Free Software Foundation Europe
   `-   NP: Die Schmetterlinge: Die Mühlen der Gerechtigkeit / Lied der Justiz


signature.asc
Description: Digital signature


Bug#683312: Please consider including this patch before wheezy

2013-01-13 Thread Alex Owen
severity 683312 critical
thanks

Upgrade from squeeze to wheezy where uif is installed will break as
the wheezy kernel no longer supports the long deprecated syntax
--something ! and now needs ! --something. The attached patch
fixes that.

I have regenerated the patch against uif- 1.0.6 to make it simple to
review and apply to the package currently in Wheezy.

I have taken the liberty of marking this severity critical on security
grounds: upgrade breaks firewall.

Regards
Alex Owen





Bug#683312: Please consider including this patch before wheezy

2012-11-28 Thread Alex Owen
I have now found that wheezy version of uif breaks without this patch.

Seems a kernel update since September has dropped the long deprecated
syntax --something ! and now needs ! --something

If I can work out how to poke the bug tracking system I may increase the
bug severity as this is now an active bug affecting system security.

Regards
Alex Owen


On 16 September 2012 13:04, Alex Owen r.alex.o...@gmail.com wrote:

 As stated in the original bug report the patch changes the order of
 the ! in the generated rules from the old deprecated position to the
 new position.
 I'm a bit concerned that during the lifetime of squeeze that the
 kernel will change and stop accepting the old deprecated syntax. I
 have already experienced this on uif compiled rulesets that I have
 loaded into a Scientific Linux (redhat clone) kernel.

 Best regards
 Alex Owen



Bug#683312: Please consider including this patch before wheezy

2012-09-16 Thread Alex Owen
As stated in the original bug report the patch changes the order of
the ! in the generated rules from the old deprecated position to the
new position.
I'm a bit concerned that during the lifetime of squeeze that the
kernel will change and stop accepting the old deprecated syntax. I
have already experienced this on uif compiled rulesets that I have
loaded into a Scientific Linux (redhat clone) kernel.

Best regards
Alex Owen

