Package: ipset
Version: 7.22-1+b1
Severity: important

Dear Maintainer,

ipset 7.21 (commit a7432ba786ca478eba8724c4d8ba6d1ff6446ad8) introduced an argv array overstepping bug that causes

  ipset add <ipset> <addr> comment <comment>

to segfault for my architecture unless the shell environment happens to be long enough. This is fixed in ipset 7.23 (commit f1bcacf5eeb8620ea684524e1ce9c3951a77f1f9). Debian 13 has ipset 7.22 so is affected.

E.g. (create ipset foo first if needed (ipset create foo hash:net family inet comment))

  # env -i /usr/sbin/ipset add foo 127.0.0.1 comment localhost

segfaults.

Without "env -i", ipset will probably run ok when run on the command line, but will likely fail in a cron job, where the shell environment tends to be minimal.

As a workaround, something like

  # env -i FOO=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /usr/sbin/ipset add foo 127.0.0.1 comment localhost

works (or put FOO=... into the crontab file if that is where it is being called from).

-- System Information:
Debian Release: 13.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.48+deb13-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ipset depends on:
ii  libc6          2.41-12
ii  libipset13t64  7.22-1+b1

Versions of packages ipset recommends:
ii  iptables  1.8.11-2

ipset suggests no packages.

-- no debconf information
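Added example, not part of the original report and not ipset or Debian code: a POSIX sh check that classifies an ipset version against the range the report names (introduced in 7.21, fixed in 7.23), so hosts whose cron jobs add entries with a comment can be flagged. The function names are hypothetical, and the `ipset --version` output format ("ipset v7.22, protocol version: 7") is an assumption.

```shell
#!/bin/sh
# Added example: version check for the range named in the report above
# (bug introduced in ipset 7.21, fixed in 7.23).

# Extract "MAJOR.MINOR" from strings such as "ipset v7.22, protocol version: 7"
# (assumed --version format) or a Debian package version such as "7.22-1+b1".
ipset_upstream_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Return 0 if the version lies in the affected range [7.21, 7.23),
# 1 if it does not, 2 if the string could not be parsed.
ipset_comment_bug_affected() {
    ver=$(ipset_upstream_version "$1")
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    minor=${ver#*.}
    [ "$major" -eq 7 ] && [ "$minor" -ge 21 ] && [ "$minor" -lt 23 ]
}

# Report on the ipset binary in PATH. Only reads the version string,
# so it needs no root and does not touch any set.
check_installed_ipset() {
    out=$(ipset --version 2>/dev/null) || { echo "ipset not found"; return 2; }
    rc=0
    ipset_comment_bug_affected "$out" || rc=$?
    case $rc in
        0) echo "AFFECTED: $out (review cron jobs that add entries with a comment)" ;;
        1) echo "not in affected range: $out" ;;
        *) echo "could not parse version: $out" ;;
    esac
    return "$rc"
}

# Usage: source this file, then run: check_installed_ipset
```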

