--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:bird2
User: [email protected]
Usertags: pu
This upload fixes in stable some significant bugs, as requested by the
upstream maintainer.
These commits have been backported from the precedent stable release and
have been in testing/unstable for some time.
I am also taking over maintenance of the package.
https://salsa.debian.org/md/bird/-/commits/debian/bird2/trixie
diff -Nru bird2-2.17.1/debian/bird2.bird.service
bird2-2.17.1/debian/bird2.bird.service
--- bird2-2.17.1/debian/bird2.bird.service 2025-01-13 16:13:45.000000000
+0100
+++ bird2-2.17.1/debian/bird2.bird.service 2025-12-18 00:21:35.000000000
+0100
@@ -8,7 +8,7 @@
ExecStartPre=/usr/sbin/bird -p
ExecReload=/usr/sbin/birdc configure
ExecStart=/usr/sbin/bird -f -u $BIRD_RUN_USER -g $BIRD_RUN_GROUP $BIRD_ARGS
-Restart=on-abort
+Restart=on-abnormal
[Install]
WantedBy=multi-user.target
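Review bot: `Restart=on-abnormal` widens the restart condition from an unclean signal to also cover timeouts and watchdog events, but it still does not restart the daemon after a non-zero exit status. If bird can end with an error exit code on a fatal runtime error, `Restart=on-failure` would cover that too; if that case is excluded on purpose, the changelog entry should say so. The context line `ExecStartPre=/usr/sbin/bird -p` also runs on each automatic restart, so a configuration that no longer parses will end the restart cycle there, which is worth confirming as the intended behaviour.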
diff -Nru bird2-2.17.1/debian/changelog bird2-2.17.1/debian/changelog
--- bird2-2.17.1/debian/changelog 2025-05-06 16:20:00.000000000 +0200
+++ bird2-2.17.1/debian/changelog 2025-12-18 00:21:35.000000000 +0100
@@ -1,3 +1,16 @@
+bird2 (2.17.1-1+deb13u1) stable; urgency=medium
+
+ * New maintainer.
+ * Use Restart=on-abnormal instead of on-abort. (Closes: #1099513)
+ * Backport all fixes from upstream 2.17.3:
+ + RAdv: Fix flags for deprecated prefixes.
+ + BMP: Fix crash when exporting a route with non-bgp attributes.
+ * Backport all fixes from upstream 2.17.2:
+ + ASPA check fix for AS_SET.
+ + Invalid check fix in text_or_ipa grammar.
+
+ -- Marco d'Itri <[email protected]> Thu, 18 Dec 2025 00:21:35 +0100
+
bird2 (2.17.1-1) unstable; urgency=medium
* New upstream version 2.17.1
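Review bot: the 2.17.2 item "ASPA check fix for AS_SET" understates what is being fixed; the backported commit message further down says the old size estimate "may cause buffer overflow and crash". For a stable update the entry should state that this is a memory-safety fix in aspa_check(), and that the text_or_ipa item is also a crash fix, so the urgency can be judged from the changelog alone.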
diff -Nru bird2-2.17.1/debian/control bird2-2.17.1/debian/control
--- bird2-2.17.1/debian/control 2025-01-13 16:13:45.000000000 +0100
+++ bird2-2.17.1/debian/control 2025-12-18 00:21:35.000000000 +0100
@@ -16,10 +16,10 @@
linuxdoc-tools-latex,
opensp,
texlive-latex-extra,
-Maintainer: Jakub Ružička <[email protected]>
+Maintainer: Marco d'Itri <[email protected]>
Standards-Version: 4.7.0
-Vcs-Browser: https://salsa.debian.org/debian/bird2
-Vcs-Git: https://salsa.debian.org/debian/bird2.git
+Vcs-Browser: https://salsa.debian.org/md/bird
+Vcs-Git: https://salsa.debian.org/md/bird.git -b debian/bird2/unstable
Homepage: https://bird.network.cz/
Rules-Requires-Root: no
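Review bot: `Vcs-Git` names the branch `debian/bird2/unstable`, while the message links `debian/bird2/trixie` as the source of this upload. For the version shipped in stable, pointing `-b` at the trixie branch would let anyone following the Vcs fields reach the packaging that matches this package.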
diff -Nru bird2-2.17.1/debian/patches/backport-01-8f5b2196
bird2-2.17.1/debian/patches/backport-01-8f5b2196
--- bird2-2.17.1/debian/patches/backport-01-8f5b2196 1970-01-01
01:00:00.000000000 +0100
+++ bird2-2.17.1/debian/patches/backport-01-8f5b2196 2025-12-18
00:21:35.000000000 +0100
@@ -0,0 +1,28 @@
+From 8f5b21964ece066d15794cf9d17be5b3906fe596 Mon Sep 17 00:00:00 2001
+From: Ondrej Zajicek <[email protected]>
+Date: Tue, 6 May 2025 14:50:53 +0200
+Subject: [PATCH] Conf: Fix invalid check in text_or_ipa grammar
+
+Can cause crash when a bad expression is used.
+---
+ conf/confbase.Y | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/conf/confbase.Y b/conf/confbase.Y
+index af64e3ff9..857689707 100644
+--- a/conf/confbase.Y
++++ b/conf/confbase.Y
+@@ -426,8 +426,8 @@ text_or_ipa:
+ }
+ | '(' term ')' {
+ $$ = cf_eval($2, T_VOID);
+- if (($$.type != T_BYTESTRING) && ($$.type != T_STRING))
+- cf_error("Bytestring or string value expected");
++ if (($$.type != T_STRING) && ($$.type != T_IP))
++ cf_error("String or IP value expected");
+ }
+ ;
+
+--
+GitLab
+
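Review bot: the replaced condition in `text_or_ipa` changes the accepted result types from T_BYTESTRING or T_STRING to T_STRING or T_IP, but the header only says "Can cause crash when a bad expression is used". The patch header should record which case crashed (presumably a bytestring result that passed the old check) and that IP-valued expressions were rejected before, since the rule is named text_or_ipa. An Origin or Applied-Upstream field naming the upstream release would also make the backport traceable without searching for the commit hash.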
diff -Nru bird2-2.17.1/debian/patches/backport-02-067f361d
bird2-2.17.1/debian/patches/backport-02-067f361d
--- bird2-2.17.1/debian/patches/backport-02-067f361d 1970-01-01
01:00:00.000000000 +0100
+++ bird2-2.17.1/debian/patches/backport-02-067f361d 2025-12-18
00:21:35.000000000 +0100
@@ -0,0 +1,88 @@
+From 067f361d9b6e2e1a0fa5d3bd62900e23b6ded4bb Mon Sep 17 00:00:00 2001
+From: Evann DREUMONT <[email protected]>
+Date: Tue, 2 Sep 2025 16:23:34 +0200
+Subject: [PATCH] Nest: Function aspa_check() should return ASPA_INVALID for
+ paths containing AS_SET
+
+The aspa_check() uses as_path_getlen() to estimate the size of a buffer,
+which does not work for AS_SET segments, because as_path_getlen() returns
+length 1 for them regardless of their length. This may cause buffer
+overflow and crash.
+
+As AS_SET segments are not valid for ASPA verification, we can just
+handle them explicitly. See
https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-verification#section-6
+
+Co-Authored-By: Alarig <[email protected]>
+
+Minor changes by committer.
+---
+ nest/a-path.c | 21 +++++++++++++++++++++
+ nest/attrs.h | 1 +
+ nest/rt-table.c | 7 ++++++-
+ 3 files changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/nest/a-path.c b/nest/a-path.c
+index aba2c86df..6f52ccf6a 100644
+--- a/nest/a-path.c
++++ b/nest/a-path.c
+@@ -177,6 +177,27 @@ as_path_contains_confed(const struct adata *path)
+ return 0;
+ }
+
++int
++as_path_contains_set(const struct adata *path)
++{
++ const byte *pos = path->data;
++ const byte *end = pos + path->length;
++
++ while (pos < end)
++ {
++ uint type = pos[0];
++ uint slen = 2 + BS * pos[1];
++
++ if ((type == AS_PATH_SET) ||
++ (type == AS_PATH_CONFED_SET))
++ return 1;
++
++ pos += slen;
++ }
++
++ return 0;
++}
++
+ struct adata *
+ as_path_strip_confed(struct linpool *pool, const struct adata *path)
+ {
+diff --git a/nest/attrs.h b/nest/attrs.h
+index 0475afa72..699b91df2 100644
+--- a/nest/attrs.h
++++ b/nest/attrs.h
+@@ -36,6 +36,7 @@ int as_path_16to32(byte *dst, const byte *src, uint len);
+ int as_path_32to16(byte *dst, const byte *src, uint len);
+ int as_path_contains_as4(const struct adata *path);
+ int as_path_contains_confed(const struct adata *path);
++int as_path_contains_set(const struct adata *path);
+ struct adata *as_path_strip_confed(struct linpool *pool, const struct adata
*op);
+ struct adata *as_path_prepend2(struct linpool *pool, const struct adata *op,
int seq, u32 as);
+ struct adata *as_path_to_old(struct linpool *pool, const struct adata *path);
+diff --git a/nest/rt-table.c b/nest/rt-table.c
+index ee3f11882..ed364d351 100644
+--- a/nest/rt-table.c
++++ b/nest/rt-table.c
+@@ -362,7 +362,12 @@ enum aspa_result aspa_check(rtable *tab, const adata
*path, bool force_upstream)
+ if (as_path_contains_confed(path))
+ return ASPA_INVALID;
+
+- /* Check path length */
++ /* No support for AS_SET */
++ /* See draft-ietf-sidrops-aspa-verification section 6 */
++ if (as_path_contains_set(path))
++ return ASPA_INVALID;
++
++ /* Check path length; we assume just AS_SEQUENCE segments */
+ uint len = as_path_getlen(path);
+ if (len == 0)
+ return ASPA_INVALID;
+--
+GitLab
+
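Review bot: in the new `as_path_contains_set()` the loop guard is only `pos < end`, yet each iteration reads `pos[1]` and then advances by `2 + BS * pos[1]`. If a path ever reaches this function with a truncated segment header or a segment length that runs past `path->length`, the read of `pos[1]` goes one byte beyond the buffer. Since this patch exists to close a buffer overflow in `aspa_check()`, it is worth confirming (and saying in a comment) that the attribute has already been validated by the time it gets here, or tightening the guard to `pos + 2 <= end`. The rt-table.c side looks right: returning ASPA_INVALID before `as_path_getlen()` is what removes the undersized buffer estimate described in the commit message.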
diff -Nru bird2-2.17.1/debian/patches/backport-03-f8770e81
bird2-2.17.1/debian/patches/backport-03-f8770e81
--- bird2-2.17.1/debian/patches/backport-03-f8770e81 1970-01-01
01:00:00.000000000 +0100
+++ bird2-2.17.1/debian/patches/backport-03-f8770e81 2025-12-18
00:21:35.000000000 +0100
@@ -0,0 +1,25 @@
+From f8770e816ac17df535c32b52e79a7ccffaea9bcc Mon Sep 17 00:00:00 2001
+From: Maria Matejka <[email protected]>
+Date: Thu, 20 Nov 2025 14:35:02 +0100
+Subject: [PATCH] BMP: Fix crash when exporting a route with non-bgp attributes
+
+Reported-By: Annika Hannig
+---
+ proto/bgp/packets.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/proto/bgp/packets.c b/proto/bgp/packets.c
+index 0971107ce..157afdd90 100644
+--- a/proto/bgp/packets.c
++++ b/proto/bgp/packets.c
+@@ -2550,6 +2550,7 @@ bgp_create_update_bmp(struct bgp_channel *c, byte *buf,
byte *end, struct bgp_bu
+ .add_path = c->add_path_rx,
+ .mpls = c->desc->mpls,
+ .sham = 1,
++ .ignore_non_bgp_attrs = 1,
+ };
+
+ if (!update)
+--
+GitLab
+
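Review bot: the added initializer `.ignore_non_bgp_attrs = 1` uses a field whose declaration is not part of this patch, so the backport only builds and behaves as intended if the 2.17.1 tree already has that field and the code that honours it. Please confirm this against the 2.17.1 source rather than the 2.17.3 tree the commit was taken from. The header also gives no detail on which non-BGP attributes triggered the crash in the BMP export path; a sentence on that would help anyone assessing whether their BMP setup was exposed.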
diff -Nru bird2-2.17.1/debian/patches/backport-04-c4d54c21
bird2-2.17.1/debian/patches/backport-04-c4d54c21
--- bird2-2.17.1/debian/patches/backport-04-c4d54c21 1970-01-01
01:00:00.000000000 +0100
+++ bird2-2.17.1/debian/patches/backport-04-c4d54c21 2025-12-18
00:21:35.000000000 +0100
@@ -0,0 +1,68 @@
+From c4d54c21fd773557e8b91b9fc11e00436801b09a Mon Sep 17 00:00:00 2001
+From: Ondrej Zajicek <[email protected]>
+Date: Thu, 27 Nov 2025 17:59:44 +0100
+Subject: [PATCH] RAdv: Fix flags for deprecated prefixes
+
+When a prefix is deprecated (valid_lifetime == 0), it should be
+announced with the same flags as before. The old code announced it
+without any flags, which leads to being ignored by recipients.
+
+Note that a prefix could be depreacted for two reason - it is removed
+from the interface, or it is deconfigured in BIRD configuration.
+
+Thanks to Michael Saxl for the bugreport.
+
+Fixes: #323
+---
+ proto/radv/packets.c | 4 ++--
+ proto/radv/radv.c | 4 ++++
+ proto/radv/radv.h | 3 +++
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/proto/radv/packets.c b/proto/radv/packets.c
+index 77c987949..8b060a206 100644
+--- a/proto/radv/packets.c
++++ b/proto/radv/packets.c
+@@ -306,8 +306,8 @@ radv_prepare_prefix(struct radv_iface *ifa, struct
radv_prefix *px,
+ op->type = OPT_PREFIX;
+ op->length = 4;
+ op->pxlen = px->prefix.pxlen;
+- op->flags = (pc->onlink ? OPT_PX_ONLINK : 0) |
+- (pc->autonomous ? OPT_PX_AUTONOMOUS : 0);
++ op->flags = (px->onlink ? OPT_PX_ONLINK : 0) |
++ (px->autonomous ? OPT_PX_AUTONOMOUS : 0);
+ op->valid_lifetime = (ifa->ra->active || !pc->valid_lifetime_sensitive) ?
+ htonl(pc->valid_lifetime) : 0;
+ op->preferred_lifetime = (ifa->ra->active ||
!pc->preferred_lifetime_sensitive) ?
+diff --git a/proto/radv/radv.c b/proto/radv/radv.c
+index ba31e1a84..4ff075713 100644
+--- a/proto/radv/radv.c
++++ b/proto/radv/radv.c
+@@ -161,6 +161,10 @@ radv_prepare_prefixes(struct radv_iface *ifa)
+ existing->valid = 1;
+ existing->changed = now;
+ existing->mark = 1;
++
++ existing->onlink = pc->onlink;
++ existing->autonomous = pc->autonomous;
++
+ existing->cf = pc;
+ }
+
+diff --git a/proto/radv/radv.h b/proto/radv/radv.h
+index ba4a1b6c7..d4d3a50f3 100644
+--- a/proto/radv/radv.h
++++ b/proto/radv/radv.h
+@@ -170,6 +170,9 @@ struct radv_prefix /* One prefix we advertise */
+ u8 valid; /* Is the prefix valid? If not, we advertise it
+ with 0 lifetime, so clients stop using it */
+ u8 mark; /* A temporary mark for processing */
++ u8 onlink; /* Flags copied from prefix config */
++ u8 autonomous;
++
+ btime changed; /* Last time when the prefix changed */
+ struct radv_prefix_config *cf; /* The config tied to this prefix */
+ };
+--
+GitLab
+
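Review bot: in `radv_prepare_prefix()` the flags now come from `px`, but the lines just below the change still read `pc->valid_lifetime_sensitive`, `pc->valid_lifetime` and `pc->preferred_lifetime_sensitive`. The commit message says a prefix can be deprecated because it was deconfigured in BIRD, so it should be checked that `pc` still refers to a usable config in that case and that only the flags needed to be cached in `struct radv_prefix`. Minor points: the new `autonomous` field has no comment of its own, and the commit message has a typo ("depreacted").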
diff -Nru bird2-2.17.1/debian/patches/series bird2-2.17.1/debian/patches/series
--- bird2-2.17.1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ bird2-2.17.1/debian/patches/series 2025-12-18 00:21:35.000000000 +0100
@@ -0,0 +1,4 @@
+backport-01-8f5b2196
+backport-02-067f361d
+backport-03-f8770e81
+backport-04-c4d54c21
--
ciao,
Marco
--- End Message ---