Bug#790060: jessie-pu: nbd update?
Control: tags -1 + pending On Mon, 2015-07-27 at 23:22 +0200, Wouter Verhelst wrote: > On Sat, Jul 25, 2015 at 05:46:15PM +0100, Adam D. Barratt wrote: > > Control: tags -1 -moreinfo +cpnfirmed > > > > On Mon, 2015-07-20 at 09:51 +0200, Wouter Verhelst wrote: > > > On Sun, Jul 19, 2015 at 04:29:30PM +0200, Julien Cristau wrote: > > > > On Sun, Jul 19, 2015 at 14:37:57 +0200, Wouter Verhelst wrote: > > [...] > > > > > If you don't want me to immediately upload, what do you want me to do > > > > > instead? > > > > > > > > > Send us the proposed (source) debdiff. > > > > > > Attached. > > > > Please go ahead. > > Uploaded. Flagged for acceptance. Regards, Adam -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#790060: jessie-pu: nbd update?
On Sat, Jul 25, 2015 at 05:46:15PM +0100, Adam D. Barratt wrote: > Control: tags -1 -moreinfo +cpnfirmed > > On Mon, 2015-07-20 at 09:51 +0200, Wouter Verhelst wrote: > > On Sun, Jul 19, 2015 at 04:29:30PM +0200, Julien Cristau wrote: > > > On Sun, Jul 19, 2015 at 14:37:57 +0200, Wouter Verhelst wrote: > [...] > > > > If you don't want me to immediately upload, what do you want me to do > > > > instead? > > > > > > > Send us the proposed (source) debdiff. > > > > Attached. > > Please go ahead. Uploaded. Thanks, -- It is easy to love a country that is famous for chocolate and beer -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26 -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#790060: jessie-pu: nbd update?
Control: tags -1 -moreinfo +cpnfirmed On Mon, 2015-07-20 at 09:51 +0200, Wouter Verhelst wrote: > On Sun, Jul 19, 2015 at 04:29:30PM +0200, Julien Cristau wrote: > > On Sun, Jul 19, 2015 at 14:37:57 +0200, Wouter Verhelst wrote: [...] > > > If you don't want me to immediately upload, what do you want me to do > > > instead? > > > > > Send us the proposed (source) debdiff. > > Attached. Please go ahead. Regards, Adam -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#790060: jessie-pu: nbd update?
On Sun, Jul 19, 2015 at 04:29:30PM +0200, Julien Cristau wrote:
> On Sun, Jul 19, 2015 at 14:37:57 +0200, Wouter Verhelst wrote:
>
> > On Sat, Jul 18, 2015 at 02:59:08PM +0100, Adam D. Barratt wrote:
> > > On Sat, 2015-07-18 at 15:33 +0200, Wouter Verhelst wrote:
> > > > On Sat, Jul 18, 2015 at 12:07:13PM +0100, Adam D. Barratt wrote:
> > > > > That's much bigger than I was expecting given your description, and
> > > > > I'm
> > > > > not sure all of the changes were intended to be included.
> > > >
> > > > Crap. I fucked up again. Can you reject that, or is it too late?
> > >
> > > No problem. There's a gateway policy queue (slightly incorrectly
> > > referred to as "stable-new") in front of proposed-updates which we have
> > > to accept or reject packages from before they hit p-u.
> > >
> > > I've flagged the upload for rejection but unfortunately just missed the
> > > start of the 13:52 dinstall, so it will need to wait until after that
> > > for dak to notice.
> >
> > Thanks.
> >
> > If you don't want me to immediately upload, what do you want me to do
> > instead?
> >
> Send us the proposed (source) debdiff.
Attached.
--
It is easy to love a country that is famous for chocolate and beer
-- Barack Obama, speaking in Brussels, Belgium, 2014-03-26
diff -u nbd-3.8/debian/changelog nbd-3.8/debian/changelog
--- nbd-3.8/debian/changelog
+++ nbd-3.8/debian/changelog
@@ -1,3 +1,10 @@
+nbd (1:3.8-4+deb8u2) jessie; urgency=low
+
+ * Cherry-pick two commits from 3.10 to fix authfile parsing.
+Closes: #785727.
+
+ -- Wouter Verhelst Fri, 17 Jul 2015 21:52:40 +0200
+
nbd (1:3.8-4+deb8u1) jessie-security; urgency=medium
* Add fix for CVE-2015-0847. Closes: #784657.
only in patch2:
unchanged:
--- nbd-3.8.orig/nbdsrv.c
+++ nbd-3.8/nbdsrv.c
@@ -21,14 +21,14 @@
#include
-bool address_matches(const char* mask, const void* addr, int af, GError** err)
{
+bool address_matches(const char* mask, const struct sockaddr* addr, GError**
err) {
struct addrinfo *res, *aitmp, hints;
char *masksep;
char privmask[strlen(mask)+1];
int masklen;
- int addrlen = af == AF_INET ? 4 : 16;
+ int addrlen = addr->sa_family == AF_INET ? 4 : 16;
- assert(af == AF_INET || af == AF_INET6);
+ assert(addr->sa_family == AF_INET || addr->sa_family == AF_INET6);
strcpy(privmask, mask);
@@ -50,18 +50,20 @@
}
aitmp = res;
while(res) {
- const uint8_t* byte_s = addr;
+ const uint8_t* byte_s;
uint8_t* byte_t;
uint8_t mask = 0;
int len_left = masklen;
- if(res->ai_family != af) {
+ if(res->ai_family != addr->sa_family) {
goto next;
}
- switch(af) {
+ switch(addr->sa_family) {
case AF_INET:
+ byte_s = (const uint8_t*)(&(((struct
sockaddr_in*)addr)->sin_addr));
byte_t = (uint8_t*)(&(((struct
sockaddr_in*)(res->ai_addr))->sin_addr));
break;
case AF_INET6:
+ byte_s = (const uint8_t*)(&(((struct
sockaddr_in6*)addr)->sin6_addr));
byte_t = (uint8_t*)(&(((struct
sockaddr_in6*)(res->ai_addr))->sin6_addr));
break;
}
@@ -129,8 +131,7 @@
if(!(*pos)) {
continue;
}
- struct sockaddr* sa = (struct sockaddr*)&opts->clientaddr;
- if(address_matches(line, sa->sa_data, sa->sa_family, NULL)) {
+ if(address_matches(line, (struct sockaddr*)&opts->clientaddr,
NULL)) {
fclose(f);
return 1;
}
only in patch2:
unchanged:
--- nbd-3.8.orig/nbdsrv.h
+++ nbd-3.8/nbdsrv.h
@@ -123,14 +123,13 @@
* Check whether a given address matches a given netmask.
*
* @param mask the address or netmask to check against, in ASCII
representation
- * @param addr the address to check, in network byte order
- * @param af the address family of the passed address (AF_INET or AF_INET6)
+ * @param addr the address to check
*
* @return true if the address matches the mask, false otherwise; in case of
* failure to parse netmask, returns false with err set appropriately.
* @todo decide what to do with v6-mapped IPv4 addresses.
*/
-bool address_matches(const char* mask, const void* addr, int af, GError** err);
+bool address_matches(const char* mask, const struct sockaddr* addr, GError**
err);
/**
* Gets a byte to allow for address masking.
only in patch2:
unchanged:
--- nbd-3.8.orig/tests/code/clientacl.c
+++ nbd-3.8/tests/code/clientacl.c
@@ -31,7 +31,7 @@
&(((struct
sockaddr_in*)res->ai_addr)->sin_addr),
Bug#790060: jessie-pu: nbd update?
On Sun, Jul 19, 2015 at 14:37:57 +0200, Wouter Verhelst wrote: > On Sat, Jul 18, 2015 at 02:59:08PM +0100, Adam D. Barratt wrote: > > On Sat, 2015-07-18 at 15:33 +0200, Wouter Verhelst wrote: > > > On Sat, Jul 18, 2015 at 12:07:13PM +0100, Adam D. Barratt wrote: > > > > That's much bigger than I was expecting given your description, and I'm > > > > not sure all of the changes were intended to be included. > > > > > > Crap. I fucked up again. Can you reject that, or is it too late? > > > > No problem. There's a gateway policy queue (slightly incorrectly > > referred to as "stable-new") in front of proposed-updates which we have > > to accept or reject packages from before they hit p-u. > > > > I've flagged the upload for rejection but unfortunately just missed the > > start of the 13:52 dinstall, so it will need to wait until after that > > for dak to notice. > > Thanks. > > If you don't want me to immediately upload, what do you want me to do > instead? > Send us the proposed (source) debdiff. Cheers, Julien signature.asc Description: Digital signature
Bug#790060: jessie-pu: nbd update?
On Sat, Jul 18, 2015 at 02:59:08PM +0100, Adam D. Barratt wrote: > On Sat, 2015-07-18 at 15:33 +0200, Wouter Verhelst wrote: > > On Sat, Jul 18, 2015 at 12:07:13PM +0100, Adam D. Barratt wrote: > > > That's much bigger than I was expecting given your description, and I'm > > > not sure all of the changes were intended to be included. > > > > Crap. I fucked up again. Can you reject that, or is it too late? > > No problem. There's a gateway policy queue (slightly incorrectly > referred to as "stable-new") in front of proposed-updates which we have > to accept or reject packages from before they hit p-u. > > I've flagged the upload for rejection but unfortunately just missed the > start of the 13:52 dinstall, so it will need to wait until after that > for dak to notice. Thanks. If you don't want me to immediately upload, what do you want me to do instead? -- It is easy to love a country that is famous for chocolate and beer -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26 -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#790060: jessie-pu: nbd update?
On Sat, 2015-07-18 at 15:33 +0200, Wouter Verhelst wrote: > On Sat, Jul 18, 2015 at 12:07:13PM +0100, Adam D. Barratt wrote: > > That's much bigger than I was expecting given your description, and I'm > > not sure all of the changes were intended to be included. > > Crap. I fucked up again. Can you reject that, or is it too late? No problem. There's a gateway policy queue (slightly incorrectly referred to as "stable-new") in front of proposed-updates which we have to accept or reject packages from before they hit p-u. I've flagged the upload for rejection but unfortunately just missed the start of the 13:52 dinstall, so it will need to wait until after that for dak to notice. Regards, Adam -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#790060: jessie-pu: nbd update?
On Sat, Jul 18, 2015 at 12:07:13PM +0100, Adam D. Barratt wrote: > That's much bigger than I was expecting given your description, and I'm > not sure all of the changes were intended to be included. Crap. I fucked up again. Can you reject that, or is it too late? -- It is easy to love a country that is famous for chocolate and beer -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26 -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#790060: jessie-pu: nbd update?
On Tue, 2015-07-14 at 22:40 +0200, Wouter Verhelst wrote:
> On Tue, Jul 14, 2015 at 08:21:02PM +0100, Adam D. Barratt wrote:
> > Control: tags -1 + moreinfo
> >
> > On Fri, 2015-06-26 at 19:07 +0200, Wouter Verhelst wrote:
> > > #785727 describes a regression in the version of nbd-server in jessie
> > > wrt the one in wheezy, related to the "allow" configuration file. It's
> > > not a security-related bug (as it disallows more than it should), but
> > > it's still a problem.
[...]
> > > Is this something that would warrant a stable update?
> >
> > Potentially, but a) the metadata for #785727 implies that the bug
> > currently affects the version of nbd in unstable, which would need
> > resolving first
>
> Only because I'm lazy and didn't fix the metadata; the bug does not actually
> affect unstable, and the patch that's sent to the bug in
> <20150601152240.gc9...@lemon.iwr.uni-heidelberg.de> came from the 3.8..3.9 git
> history. I just updated the metadata.
Ok, thanks.
> > and b) we'd want to see a full debdiff for a package
> > built and tested on jessie in order to confirm.
>
> Okay, I'll work on that then.
I see that it's been uploaded already. By "see ... in order to confirm"
I meant "before upload"; apologies if that wasn't clear.
Looking at the diff that was uploaded, I do have a few questions I'm
afraid:
ChangeLog| 91 ++
Makefile.in |4
doc/proto.html | 515 +
doc/proto.markdown | 565 +
gznbd/Makefile.in| 641 +++
libcliserv.la| 41 +++
man/nbd-server.1.sh.in |5
man/nbd-server.5.sh.in | 105 ---
nbd-3.8/debian/changelog |7
nbdsrv.c | 17 -
nbdsrv.h |5
tests/code/clientacl.c |2
That's much bigger than I was expecting given your description, and I'm
not sure all of the changes were intended to be included.
For instance, the Changelog diff includes the release of 3.11,
doc/proto.{html,markdown} are completely new, man/nbd-server.1.sh.in
mentions a new(?) option and man/nbd-server.5.sh.in describes a
behaviour change in nbd 3.10.
Regards,
Adam
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#790060: jessie-pu: nbd update?
On Tue, Jul 14, 2015 at 08:21:02PM +0100, Adam D. Barratt wrote: > Control: tags -1 + moreinfo > > On Fri, 2015-06-26 at 19:07 +0200, Wouter Verhelst wrote: > > #785727 describes a regression in the version of nbd-server in jessie > > wrt the one in wheezy, related to the "allow" configuration file. It's > > not a security-related bug (as it disallows more than it should), but > > it's still a problem. > > > > I'm not sure how often the "allow" feature is used, however, and if the > > file is not in use, nbd-server will work perfectly well. It provides > > additional functionality above a firewall if someone would like to allow > > access to some, but not all, exports from a particular range of IP > > addresses; but beyond that, it's not very important. > > > > Is this something that would warrant a stable update? > > Potentially, but a) the metadata for #785727 implies that the bug > currently affects the version of nbd in unstable, which would need > resolving first Only because I'm lazy and didn't fix the metadata; the bug does not actually affect unstable, and the patch that's sent to the bug in <20150601152240.gc9...@lemon.iwr.uni-heidelberg.de> came from the 3.8..3.9 git history. I just updated the metadata. > and b) we'd want to see a full debdiff for a package > built and tested on jessie in order to confirm. Okay, I'll work on that then. -- It is easy to love a country that is famous for chocolate and beer -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26 -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#790060: jessie-pu: nbd update?
Control: tags -1 + moreinfo On Fri, 2015-06-26 at 19:07 +0200, Wouter Verhelst wrote: > #785727 describes a regression in the version of nbd-server in jessie > wrt the one in wheezy, related to the "allow" configuration file. It's > not a security-related bug (as it disallows more than it should), but > it's still a problem. > > I'm not sure how often the "allow" feature is used, however, and if the > file is not in use, nbd-server will work perfectly well. It provides > additional functionality above a firewall if someone would like to allow > access to some, but not all, exports from a particular range of IP > addresses; but beyond that, it's not very important. > > Is this something that would warrant a stable update? Potentially, but a) the metadata for #785727 implies that the bug currently affects the version of nbd in unstable, which would need resolving first and b) we'd want to see a full debdiff for a package built and tested on jessie in order to confirm. Regards, Adam -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#790060: jessie-pu: nbd update?
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi, #785727 describes a regression in the version of nbd-server in jessie wrt the one in wheezy, related to the "allow" configuration file. It's not a security-related bug (as it disallows more than it should), but it's still a problem. I'm not sure how often the "allow" feature is used, however, and if the file is not in use, nbd-server will work perfectly well. It provides additional functionality above a firewall if someone would like to allow access to some, but not all, exports from a particular range of IP addresses; but beyond that, it's not very important. Is this something that would warrant a stable update? -- System Information: Debian Release: stretch/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.0.0-2-amd64 (SMP w/8 CPU cores) Locale: LANG=nl_BE.UTF-8, LC_CTYPE=nl_BE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
