Package: miniupnpd
Version: 2.1-6
Severity: normal
Tags: patch pending

Dear maintainer,

I've prepared an NMU for miniupnpd (versioned as 2.1-6.1). The diff is attached to this message.

The code can be merged from my git branch: https://salsa.debian.org/bigon/miniupnpd

Regards.

diff -Nru miniupnpd-2.1/debian/changelog miniupnpd-2.1/debian/changelog --- miniupnpd-2.1/debian/changelog 2019-06-07 00:37:36.000000000 +0200 +++ miniupnpd-2.1/debian/changelog 2020-03-27 14:11:07.000000000 +0100 @@ -1,3 +1,22 @@ +miniupnpd (2.1-6.1) unstable; urgency=medium + + * Non-maintainer upload. + [ Thomas Goirand ] + * Added a debian/salsa-ci.yml + + [ Laurent Bigonville ] + * Cherry-pick patches from upstream to fix FTBFS with linux > 5.0 + (Closes: #931978) + * Update the French debconf translation (Closes: #935152) + * Update the Italian debconf translation (Closes: #952802) + * Remove iptables-dev from the BD, add libiptc-dev and libxtables-dev + instead (Closes: #946150) + * debian/miniupnpd.service: Pass -d to miniupnpd and set Type to simple. + That way systemd will detect whether the process is exiting with a + non-zero code or not and properly track the it. + + -- Laurent Bigonville <[email protected]> Fri, 27 Mar 2020 14:11:07 +0100 + miniupnpd (2.1-6) unstable; urgency=medium * Add upstream patches for CVE-2019-12107 CVE-2019-12108 CVE-2019-12109 diff -Nru miniupnpd-2.1/debian/control miniupnpd-2.1/debian/control --- miniupnpd-2.1/debian/control 2019-06-07 00:37:36.000000000 +0200 +++ miniupnpd-2.1/debian/control 2020-03-27 14:11:07.000000000 +0100 @@ -6,7 +6,8 @@ Yangfl <[email protected]>, Build-Depends: debhelper (>= 12~), - iptables-dev, + libiptc-dev, + libxtables-dev, pkg-config, po-debconf, Standards-Version: 4.3.0 diff -Nru miniupnpd-2.1/debian/miniupnpd.service miniupnpd-2.1/debian/miniupnpd.service --- miniupnpd-2.1/debian/miniupnpd.service 2019-06-07 00:37:36.000000000 +0200 +++ miniupnpd-2.1/debian/miniupnpd.service 2020-03-27 14:11:07.000000000 +0100 
@@ -4,12 +4,12 @@ After=network-online.target [Service] -Type=forking +Type=simple EnvironmentFile=-/etc/default/miniupnpd EnvironmentFile=/etc/miniupnpd/miniupnpd.conf ExecStartPre=/etc/miniupnpd/iptables_init.sh -i $ext_ifname ExecStartPre=/bin/sh -c "[ \"$MiniUPnPd_ip6tables_enable\" != 1 ] || /etc/miniupnpd/ip6tables_init.sh -i $ext_ifname" -ExecStart=/usr/sbin/miniupnpd -f /etc/miniupnpd/miniupnpd.conf $MiniUPnPd_OTHER_OPTIONS +ExecStart=/usr/sbin/miniupnpd -d -f /etc/miniupnpd/miniupnpd.conf $MiniUPnPd_OTHER_OPTIONS ExecStopPost=/etc/miniupnpd/iptables_removeall.sh -i $ext_ifname ExecStopPost=/bin/sh -c "[ \"$MiniUPnPd_ip6tables_enable\" != 1 ] || /etc/miniupnpd/ip6tables_removeall.sh -i $ext_ifname" PrivateTmp=yes diff -Nru miniupnpd-2.1/debian/patches/miniupnpd-netfilter-build-with-linux-kernel-5.0.patch miniupnpd-2.1/debian/patches/miniupnpd-netfilter-build-with-linux-kernel-5.0.patch --- miniupnpd-2.1/debian/patches/miniupnpd-netfilter-build-with-linux-kernel-5.0.patch 1970-01-01 01:00:00.000000000 +0100 +++ miniupnpd-2.1/debian/patches/miniupnpd-netfilter-build-with-linux-kernel-5.0.patch 2020-03-27 14:11:07.000000000 +0100 
@@ -0,0 +1,100 @@ +From: Thomas Bernard <[email protected]> +Date: Sun, 3 Feb 2019 13:26:27 +0100 +Subject: miniupnpd/netfilter: build with linux kernel 5.0 + +should fix #346 +--- + netfilter/iptcrdr.c | 38 +++++++++++++++++++++++++++----------- + 1 file changed, 27 insertions(+), 11 deletions(-) + +diff --git a/netfilter/iptcrdr.c b/netfilter/iptcrdr.c +index 48c6dbb..82c5890 100644 +--- a/netfilter/iptcrdr.c ++++ b/netfilter/iptcrdr.c +@@ -1,7 +1,7 @@ + /* $Id: iptcrdr.c,v 1.59 2016/03/08 09:23:52 nanard Exp $ */ + /* MiniUPnP project + * http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/ +- * (c) 2006-2016 Thomas Bernard ++ * (c) 2006-2019 Thomas Bernard + * This software is subject to the conditions detailed + * in the LICENCE file provided within the distribution */ + #include <stdio.h> +@@ -1116,9 +1116,11 @@ addnatrule(int proto, unsigned short eport, + } else { + match = get_udp_match(eport, 0); + } +- e->nfcache = NFC_IP_DST_PT; ++ e->nfcache = NFC_UNKNOWN; + target = get_dnat_target(iaddr, iport); +- e->nfcache |= NFC_UNKNOWN; ++#ifdef NFC_IP_DST_PT ++ e->nfcache |= NFC_IP_DST_PT; ++#endif + tmp = realloc(e, sizeof(struct ipt_entry) + + match->u.match_size + + target->u.target_size); +@@ -1186,9 +1188,11 @@ addmasqueraderule(int proto, + } else { + match = get_udp_match(0, iport); + } +- e->nfcache = NFC_IP_DST_PT; ++ e->nfcache = NFC_UNKNOWN; + target = get_masquerade_target(eport); +- e->nfcache |= NFC_UNKNOWN; ++#ifdef NFC_IP_DST_PT ++ e->nfcache |= NFC_IP_DST_PT; ++#endif + tmp = realloc(e, sizeof(struct ipt_entry) + + match->u.match_size + + target->u.target_size); +@@ -1266,9 +1270,14 @@ addpeernatrule(int proto, + } else { + match = get_udp_match(rport, iport); + } +- e->nfcache = NFC_IP_DST_PT | NFC_IP_SRC_PT; ++ e->nfcache = NFC_UNKNOWN; + target = get_snat_target(eaddr, eport); +- e->nfcache |= NFC_UNKNOWN; ++#ifdef NFC_IP_DST_PT ++ e->nfcache |= NFC_IP_DST_PT; ++#endif ++#ifdef NFC_IP_SRC_PT ++ e->nfcache |= NFC_IP_SRC_PT; ++#endif + 
tmp = realloc(e, sizeof(struct ipt_entry) + + match->u.match_size + + target->u.target_size); +@@ -1337,9 +1346,14 @@ addpeerdscprule(int proto, unsigned char dscp, + } else { + match = get_udp_match(rport, iport); + } +- e->nfcache = NFC_IP_DST_PT | NFC_IP_SRC_PT; ++ e->nfcache = NFC_UNKNOWN; + target = get_dscp_target(dscp); +- e->nfcache |= NFC_UNKNOWN; ++#ifdef NFC_IP_DST_PT ++ e->nfcache |= NFC_IP_DST_PT; ++#endif ++#ifdef NFC_IP_SRC_PT ++ e->nfcache |= NFC_IP_SRC_PT; ++#endif + tmp = realloc(e, sizeof(struct ipt_entry) + + match->u.match_size + + target->u.target_size); +@@ -1420,11 +1434,13 @@ add_filter_rule(int proto, const char * rhost, + } else { + match = get_udp_match(iport,0); + } +- e->nfcache = NFC_IP_DST_PT; + e->ip.dst.s_addr = inet_addr(iaddr); + e->ip.dmsk.s_addr = INADDR_NONE; ++ e->nfcache = NFC_UNKNOWN; + target = get_accept_target(); +- e->nfcache |= NFC_UNKNOWN; ++#ifdef NFC_IP_DST_PT ++ e->nfcache |= NFC_IP_DST_PT; ++#endif + tmp = realloc(e, sizeof(struct ipt_entry) + + match->u.match_size + + target->u.target_size); diff -Nru miniupnpd-2.1/debian/patches/miniupnpd-netfilter-ipctcrdr.c-conditionnaly-use-NFC_UNKN.patch miniupnpd-2.1/debian/patches/miniupnpd-netfilter-ipctcrdr.c-conditionnaly-use-NFC_UNKN.patch --- miniupnpd-2.1/debian/patches/miniupnpd-netfilter-ipctcrdr.c-conditionnaly-use-NFC_UNKN.patch 1970-01-01 01:00:00.000000000 +0100 +++ miniupnpd-2.1/debian/patches/miniupnpd-netfilter-ipctcrdr.c-conditionnaly-use-NFC_UNKN.patch 2020-03-27 14:11:07.000000000 +0100 
@@ -0,0 +1,64 @@ +From: Thomas Bernard <[email protected]> +Date: Sun, 3 Feb 2019 19:04:44 +0100 +Subject: miniupnpd/netfilter/ipctcrdr.c: conditionnally use NFC_UNKNOWN as + well + +fix #346 +--- + netfilter/iptcrdr.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/netfilter/iptcrdr.c b/netfilter/iptcrdr.c +index 82c5890..f40b8a2 100644 +--- a/netfilter/iptcrdr.c ++++ b/netfilter/iptcrdr.c +@@ -1116,7 +1116,9 @@ addnatrule(int proto, unsigned short eport, + } else { + match = get_udp_match(eport, 0); + } ++#ifdef NFC_UNKNOWN + e->nfcache = NFC_UNKNOWN; ++#endif + target = get_dnat_target(iaddr, iport); + #ifdef NFC_IP_DST_PT + e->nfcache |= NFC_IP_DST_PT; +@@ -1188,7 +1190,9 @@ addmasqueraderule(int proto, + } else { + match = get_udp_match(0, iport); + } ++#ifdef NFC_UNKNOWN + e->nfcache = NFC_UNKNOWN; ++#endif + target = get_masquerade_target(eport); + #ifdef NFC_IP_DST_PT + e->nfcache |= NFC_IP_DST_PT; +@@ -1270,7 +1274,9 @@ addpeernatrule(int proto, + } else { + match = get_udp_match(rport, iport); + } ++#ifdef NFC_UNKNOWN + e->nfcache = NFC_UNKNOWN; ++#endif + target = get_snat_target(eaddr, eport); + #ifdef NFC_IP_DST_PT + e->nfcache |= NFC_IP_DST_PT; +@@ -1346,7 +1352,9 @@ addpeerdscprule(int proto, unsigned char dscp, + } else { + match = get_udp_match(rport, iport); + } ++#ifdef NFC_UNKNOWN + e->nfcache = NFC_UNKNOWN; ++#endif + target = get_dscp_target(dscp); + #ifdef NFC_IP_DST_PT + e->nfcache |= NFC_IP_DST_PT; +@@ -1436,7 +1444,9 @@ add_filter_rule(int proto, const char * rhost, + } + e->ip.dst.s_addr = inet_addr(iaddr); + e->ip.dmsk.s_addr = INADDR_NONE; ++#ifdef NFC_UNKNOWN + e->nfcache = NFC_UNKNOWN; ++#endif + target = get_accept_target(); + #ifdef NFC_IP_DST_PT + e->nfcache |= NFC_IP_DST_PT; diff -Nru miniupnpd-2.1/debian/patches/series miniupnpd-2.1/debian/patches/series --- miniupnpd-2.1/debian/patches/series 2019-06-07 00:37:36.000000000 +0200 +++ miniupnpd-2.1/debian/patches/series 2020-03-27 14:11:07.000000000 +0100 
@@ -5,3 +5,5 @@ CVE-2019-12109_fix_error_from_commit_13585f1.patch CVE-2019-12110_upnp_redirect_accept_NULL_desc_argument.patch CVE-2019-12111_pcpserver.c_copyIPv6IfDifferent_check_for_NULL_src_argument.patch +miniupnpd-netfilter-build-with-linux-kernel-5.0.patch +miniupnpd-netfilter-ipctcrdr.c-conditionnaly-use-NFC_UNKN.patch diff -Nru miniupnpd-2.1/debian/po/fr.po miniupnpd-2.1/debian/po/fr.po --- miniupnpd-2.1/debian/po/fr.po 2019-06-07 00:37:36.000000000 +0200 +++ miniupnpd-2.1/debian/po/fr.po 2020-03-27 14:11:07.000000000 +0100 @@ -2,13 +2,13 @@ # Copyright (C) 2013 # This file is distributed under the same license as the miniupnpd package. # -# Baptiste Jammet <[email protected]>, 2013, 2018. +# Baptiste Jammet <[email protected]>, 2013, 2018, 2019. msgid "" msgstr "" "Project-Id-Version: miniupnpd\n" "Report-Msgid-Bugs-To: [email protected]\n" "POT-Creation-Date: 2019-01-06 21:56+0800\n" -"PO-Revision-Date: 2018-08-28 21:38+0100\n" +"PO-Revision-Date: 2019-07-31 14:12+0100\n" "Last-Translator: Baptiste Jammet <[email protected]>\n" "Language-Team: French <[email protected]>\n" "Language: french\n" @@ -110,7 +110,7 @@ #. Description #: ../miniupnpd.templates:6001 msgid "Force reporting IGDv1 in rootDesc?" -msgstr "" +msgstr "Forcer la déclaration IGDv1 dans rootDesc ?" #. Type: boolean #. Description @@ -120,6 +120,9 @@ "do not recognize IGDv2 as a valid IGD service. This option will fool them by " "pretending itself to be IGDv1." msgstr "" +"Certains clients IGD (principalement Microsoft® Windows® BITS) recherchent " +"des service IGDv1 et ne reconnaissent pas IGDv2 comme un service IGD valide. " +"Cette option les trompera en se présentant comme un service IGDv1." #. Type: boolean #. Description 
@@ -128,3 +131,5 @@ "Of course you will lose IGDv2 functions (notably IPv6 support) by enabling " "this." msgstr "" +"Bien évidement, les fonctions de IGDv2 (en particulier la prise en charge de " +"IPv6) seront perdues en activant cette option." diff -Nru miniupnpd-2.1/debian/po/it.po miniupnpd-2.1/debian/po/it.po --- miniupnpd-2.1/debian/po/it.po 2019-06-07 00:37:36.000000000 +0200 +++ miniupnpd-2.1/debian/po/it.po 2020-03-27 14:11:07.000000000 +0100 @@ -1,13 +1,13 @@ # Italian translation of miniupnpd debconf messages # Copyright (C) 2013, miniupnpd package copyright holder # This file is distributed under the same license as the miniupnpd package. -# Beatrice Torracca <[email protected]>, 2013. +# Beatrice Torracca <[email protected]>, 2013, 2020. msgid "" msgstr "" "Project-Id-Version: miniupnpd\n" "Report-Msgid-Bugs-To: [email protected]\n" "POT-Creation-Date: 2019-01-06 21:56+0800\n" -"PO-Revision-Date: 2013-09-26 18:04+0200\n" +"PO-Revision-Date: 2020-02-29 14:23+0100\n" "Last-Translator: Beatrice Torracca <[email protected]>\n" "Language-Team: Italian <[email protected]>\n" "Language: it\n" @@ -15,7 +15,7 @@ "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=2; plural=(n != 1);\n" -"X-Generator: Virtaal 0.7.1\n" +"X-Generator: Poedit 2.2.4\n" #. Type: boolean #. Description 
@@ -36,25 +36,19 @@ #. Type: string #. Description #: ../miniupnpd.templates:3001 -#, fuzzy -#| msgid "LAN IP address to listen on for UPnP queries:" msgid "Interfaces to listen on for UPnP queries:" -msgstr "" -"Indirizzo IP nella LAN sul quale restare in ascolto per richieste UPnP:" +msgstr "Interfacce sulle quali restare in ascolto per richieste UPnP:" #. Type: string #. Description #: ../miniupnpd.templates:3001 -#, fuzzy -#| msgid "" -#| "The MiniUPnP daemon will listen for requests on the local network. Please " -#| "enter the IP address it should listen on." msgid "" "The MiniUPnP daemon will listen for requests on the local network. Please " "enter the interfaces or IP addresses it should listen on, separated by space." msgstr "" "Il demone MiniUPnP resterà in ascolto per le richieste sulla rete locale. " -"Inserire l'indirizzo IP su cui deve restare in ascolto." +"Inserire, separati da spazi, le interfacce o gli indirizzi IP su cui deve " +"restare in ascolto." #. Type: string #. Description @@ -63,6 +57,8 @@ "Interface names are preferred, and required if you plan to enable IPv6 port " "forwarding." msgstr "" +"I nomi di interfacce sono preferiti e sono richiesti se si ha intenzione di " +"abilitare il forwarding delle porte IPv6." #. Type: string #. Description @@ -107,12 +103,14 @@ msgid "" "Note: This option is useless if you don't block any IPv6 forwarded traffic." msgstr "" +"Nota bene: questa opzione è inutile se non si blocca alcun traffico IPv6 con " +"forwarding." #. Type: boolean #. Description #: ../miniupnpd.templates:6001 msgid "Force reporting IGDv1 in rootDesc?" -msgstr "" +msgstr "Forzare la segnalazione come IGDv1 in rootDesc?" #. Type: boolean #. Description 
@@ -122,6 +120,9 @@ "do not recognize IGDv2 as a valid IGD service. This option will fool them by " "pretending itself to be IGDv1." msgstr "" +"Alcuni client IGD (in particolare Microsoft® Windows® BITS) cercano IGDv1 e " +"non riconoscono IGDv2 come servizio IGD valido. Questa opzione li ingannerà " +"facendo finta di essere IGDv1." #. Type: boolean #. Description @@ -130,3 +131,5 @@ "Of course you will lose IGDv2 functions (notably IPv6 support) by enabling " "this." msgstr "" +"Abilitando ciò, naturalmente verranno perse le funzioni IGDv2 (e, in modo " +"degno di nota, il supporto per IPv6)." diff -Nru miniupnpd-2.1/debian/salsa-ci.yml miniupnpd-2.1/debian/salsa-ci.yml --- miniupnpd-2.1/debian/salsa-ci.yml 1970-01-01 01:00:00.000000000 +0100 +++ miniupnpd-2.1/debian/salsa-ci.yml 2020-03-27 14:11:07.000000000 +0100 @@ -0,0 +1,3 @@ +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml \ Pas de fin de ligne à la fin du fichier
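
Review bot: in the debian/changelog hunk, the last bullet of the 2.1-6.1 entry ends with "properly track the it", which should read "properly track it". The "[ Thomas Goirand ]" attribution also follows "* Non-maintainer upload." with no blank "+" line in between, unlike the "[ Laurent Bigonville ]" block, so add one for consistency.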
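
Review bot: the -d added to ExecStart in the debian/miniupnpd.service hunk is documented only as a way to let systemd track the exit status under Type=simple. Please state in the changelog, or in a comment in the unit, what else -d changes in the daemon (for example log verbosity or log destination), since it becomes the default for every installation. With Type=simple systemd also treats the service as started as soon as the process is spawned, so a failure shortly after launch shows up as the exit of a running unit and not as a failed start; if that is the intended trade-off, say so.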
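
Review bot: the header of debian/patches/miniupnpd-netfilter-build-with-linux-kernel-5.0.patch carries only From, Date and Subject plus "should fix #346", and #346 is an upstream issue number that reads like a Debian bug in this context. Add DEP-3 fields to both cherry-picked patches (Origin pointing at the upstream commit, Bug-Debian for #931978 as cited in the changelog). This patch also still assigns "e->nfcache = NFC_UNKNOWN;" unguarded in all five functions it touches, so it depends on the patch that follows it; keep the two adjacent in debian/patches/series or fold them into one.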
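
Review bot: in debian/patches/miniupnpd-netfilter-ipctcrdr.c-conditionnaly-use-NFC_UNKN.patch, wrapping "e->nfcache = NFC_UNKNOWN;" in #ifdef NFC_UNKNOWN removes the only plain assignment to e->nfcache in addnatrule, addmasqueraderule, addpeernatrule, addpeerdscprule and add_filter_rule. When NFC_UNKNOWN is undefined but NFC_IP_DST_PT or NFC_IP_SRC_PT is defined, the following "e->nfcache |= ..." ORs into a field these hunks never initialise, and the allocation of e is not visible here. Confirm that e is zero-allocated, or add an #else branch that sets e->nfcache = 0. The patch file name also spells iptcrdr.c as "ipctcrdr.c", inherited from the Subject line.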
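
Review bot: two of the added French msgstr lines in debian/po/fr.po contain spelling errors: "des service IGDv1" should be "des services IGDv1", and "Bien évidement" should be "Bien évidemment". Fix them before upload or forward them to the translator named in the file header.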
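
Review bot: the new debian/salsa-ci.yml ends without a trailing newline, as the "\ Pas de fin de ligne à la fin du fichier" marker (the localized "no newline at end of file" output of diff) shows; add one. Both include entries also point at raw/master of the salsa-ci-team pipeline repository, so the CI definition changes whenever that branch does. That is fine if intended, but mention it in the changelog entry.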

