Bug#860058: unblock: libnl3/3.2.27-2

2017-04-10 Thread Heiko Stuebner
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libnl3

In CVE-2017-0553 a possible (but moderate) security issue was found
which resulted in bug #859948 against the Debian libnl3 package.

The 3.2.27-2 upload fixes this (and only this) issue.

debdiff:
diff -Nru libnl3-3.2.27/debian/changelog libnl3-3.2.27/debian/changelog
--- libnl3-3.2.27/debian/changelog  2016-01-24 23:54:53.0 +0100
+++ libnl3-3.2.27/debian/changelog  2017-04-10 11:48:23.0 +0200
@@ -1,3 +1,9 @@
+libnl3 (3.2.27-2) unstable; urgency=low
+
+  * Add upstream fix for CVE-2017-0553 (Closes: #859948)
+
+ -- Heiko Stuebner <mm...@debian.org>  Mon, 10 Apr 2017 11:48:23 +0200
+
 libnl3 (3.2.27-1) unstable; urgency=low

   * New upstream release
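Review bot: the new changelog entry uses urgency=low for a security fix; Debian practice for CVE fixes is urgency=medium or high (outside a freeze this also shortens testing migration), so consider `libnl3 (3.2.27-2) unstable; urgency=medium`. The Closes reference matches the bug number cited in the request, which is good.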
diff -Nru libnl3-3.2.27/debian/patches/debian/nlmsg_reserve-overflow.patch
libnl3-3.2.27/debian/patches/debian/nlmsg_reserve-overflow.patch
--- libnl3-3.2.27/debian/patches/debian/nlmsg_reserve-overflow.patch
1970-01-01 01:00:00.0 +0100
+++ libnl3-3.2.27/debian/patches/debian/nlmsg_reserve-overflow.patch
2017-04-10 10:55:21.0 +0200
@@ -0,0 +1,38 @@
+From 3e18948f17148e6a3c4255bdeaaf01ef6081ceeb Mon Sep 17 00:00:00 2001
+From: Thomas Haller <thal...@redhat.com>
+Date: Mon, 6 Feb 2017 22:23:52 +0100
+Subject: [PATCH] lib: check for integer-overflow in nlmsg_reserve()
+
+In general, libnl functions are not robust against calling with
+invalid arguments. Thus, never call libnl functions with invalid
+arguments. In case of nlmsg_reserve() this means never provide
+a @len argument that causes overflow.
+
+Still, add an additional safeguard to avoid exploiting such bugs.
+
+Assume that @pad is a trusted, small integer.
+Assume that n->nm_size is a valid number of allocated bytes (and thus
+much smaller then SIZE_T_MAX).
+Assume, that @len may be set to an untrusted value. Then the patch
+avoids an integer overflow resulting in reserving too few bytes.
+---
+ lib/msg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/msg.c b/lib/msg.c
+index 9af3f3a..3e27d4e 100644
+--- a/lib/msg.c
 b/lib/msg.c
+@@ -411,6 +411,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad)
+   size_t nlmsg_len = n->nm_nlh->nlmsg_len;
+   size_t tlen;
+
++  if (len > n->nm_size)
++  return NULL;
++
+   tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len;
+
+   if ((tlen + nlmsg_len) > n->nm_size)
+--
+2.9.3
+
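Review bot: the file header `b/lib/msg.c` inside the embedded upstream patch is shown without its `+++` marker (the preceding line still carries `--- a/lib/msg.c`); if the file in the source package really lacks it, quilt will refuse to apply the patch, so confirm this is only archive rendering and that `quilt push -a` succeeds on the unpacked source. The guard itself is sound: placing `if (len > n->nm_size) return NULL;` before `tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len;` bounds `len` by a real allocation size, so with a small `pad` neither the rounding nor the later `tlen + nlmsg_len` sum can wrap, and the existing `> n->nm_size` comparison becomes reliable again. Worth a line in the patch's Debian header: the commit message describes this as a safeguard, not a fix for callers passing invalid lengths, so reverse dependencies that compute `len` from untrusted input still need their own validation.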
diff -Nru libnl3-3.2.27/debian/patches/series
libnl3-3.2.27/debian/patches/series
--- libnl3-3.2.27/debian/patches/series 2016-01-24 00:36:27.0 +0100
+++ libnl3-3.2.27/debian/patches/series 2017-04-10 10:57:45.0 +0200
@@ -3,3 +3,4 @@
 debian/no-symvers.diff -p1
 debian/__nl_cache_ops_lookup-unstatic.diff -p1
 debian/_nl_socket_generate_local_port_no_release.diff -p1
+debian/nlmsg_reserve-overflow.patch -p1


unblock libnl3/3.2.27-2

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.8.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)



Re: Bug#745019: problems with 2.6.32 kernel (and wheezy libnl3)

2014-04-18 Thread Heiko Stübner
Hi Dietmar,

On Thursday, 17 April 2014, 10:15:21 you wrote:
 Package: libnl3 
 Version:  3.2.7

 The library does not work when running newer versions of the 2.6.32 kernel:
 
 # nl-qdisc-list
 Error: Unable to allocate link cache: Input data out of range
 
 (same bug with 3.2.24-1)
 
 This is already fixed upstream:
 
 http://git.infradead.org/users/tgr/libnl.git/commit/dfd0a80ec845a800504fecb936c2b33d6918fc9c
 
 Also see: https://bugzilla.openvz.org/show_bug.cgi?id=2939
 
 Would be great to have a fix for wheezy.

As I was doing an upload for another problem anyway, I backported the fix from 
the upstream git into our 3.2.24.

2.6.32 was the kernel from squeeze, while wheezy uses mainly 3.2, so I'm not 
sure if this fix is critical enough to warrant a stable update.

I've therefore added debian-release to get an answer to this question :-) .


Heiko


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/2305885.fzbCAUopYp@phil



libnl3: provide static libraries severity

2013-03-09 Thread Heiko Stübner
Hi Ondřej,

On Saturday, 9 March 2013, 17:15:52 Ondřej Surý wrote:
 severity 693939 693...@bugs.debian.org serious
 severity 693940 693...@bugs.debian.org serious
 thank you

it seems this command was not successful, as both bugs are still at severity
normal.

 I would argue that not providing static libraries is a violation of the Debian
 policy and makes the dev package unusable for people wanting to compile with
 -static.

I would follow your argument and the issue seems easily fixable by the change
below. The only question would be about the severity, aka it getting a freeze
exception, as policy only says "is usually provided", which I don't read as a
clear must but as a really should.

Therefore I've added debian-release to get this hopefully answered.


Heiko
 

diff --git a/debian/libnl-3-dev.install b/debian/libnl-3-dev.install
index e64b775..3715b8b 100755
--- a/debian/libnl-3-dev.install
+++ b/debian/libnl-3-dev.install
@@ -2,3 +2,4 @@
 debian/tmp/usr/include/*
 debian/tmp/usr/lib/*/pkgconfig/libnl-3*
 debian/tmp/usr/lib/${DEB_HOST_MULTIARCH}/libnl-3.so lib/${DEB_HOST_MULTIARCH}/
+debian/tmp/usr/lib/${DEB_HOST_MULTIARCH}/libnl-3.a lib/${DEB_HOST_MULTIARCH}/
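Review bot: the new static archive is relocated into lib/${DEB_HOST_MULTIARCH}/ next to the .so dev symlink, but a .a file is only consumed at link time and per FHS belongs under usr/lib/${DEB_HOST_MULTIARCH}/; consider `debian/tmp/usr/lib/${DEB_HOST_MULTIARCH}/libnl-3.a usr/lib/${DEB_HOST_MULTIARCH}/` or a plain glob as the other -dev packages use. Also, this diff only touches .install files, so the .a must already be produced by the build (i.e. configure is not run with --disable-static); check for libnl-3.a under debian/tmp in the build log before bumping the severity.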
diff --git a/debian/libnl-cli-3-dev.install b/debian/libnl-cli-3-dev.install
index 91ff45b..66aa3b3 100644
--- a/debian/libnl-cli-3-dev.install
+++ b/debian/libnl-cli-3-dev.install
@@ -1,2 +1,3 @@
 debian/tmp/usr/lib/*/pkgconfig/libnl-cli-3*
 debian/tmp/usr/lib/*/libnl-cli-3*.so
+debian/tmp/usr/lib/*/libnl-cli-3*.a
diff --git a/debian/libnl-genl-3-dev.install b/debian/libnl-genl-3-dev.install
index 19201a3..cbc6b51 100755
--- a/debian/libnl-genl-3-dev.install
+++ b/debian/libnl-genl-3-dev.install
@@ -1,3 +1,4 @@
 #!/usr/bin/dh-exec
 debian/tmp/usr/lib/*/pkgconfig/libnl-genl-3*
 debian/tmp/usr/lib/${DEB_HOST_MULTIARCH}/libnl-genl-3*.so 
lib/${DEB_HOST_MULTIARCH}/
+debian/tmp/usr/lib/${DEB_HOST_MULTIARCH}/libnl-genl-3*.a 
lib/${DEB_HOST_MULTIARCH}/
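Review bot: same point as for libnl-3-dev.install: the static archive is installed into lib/${DEB_HOST_MULTIARCH}/ although it is link-time only and would normally live under usr/lib/${DEB_HOST_MULTIARCH}/. Note also that the archive rendering wraps both dh-exec lines after the source path; in the real file source and destination must stay on one line for dh-exec to parse them.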
diff --git a/debian/libnl-nf-3-dev.install b/debian/libnl-nf-3-dev.install
index c50d642..d1307c7 100644
--- a/debian/libnl-nf-3-dev.install
+++ b/debian/libnl-nf-3-dev.install
@@ -1,2 +1,3 @@
 debian/tmp/usr/lib/*/pkgconfig/libnl-nf-3*
 debian/tmp/usr/lib/*/libnl-nf-3*.so
+debian/tmp/usr/lib/*/libnl-nf-3*.a
diff --git a/debian/libnl-route-3-dev.install b/debian/libnl-route-3-dev.install
index 3e31a2d..37e248c 100644
--- a/debian/libnl-route-3-dev.install
+++ b/debian/libnl-route-3-dev.install
@@ -1,2 +1,3 @@
 debian/tmp/usr/lib/*/pkgconfig/libnl-route-3*
 debian/tmp/usr/lib/*/libnl-route-3*.so
+debian/tmp/usr/lib/*/libnl-route-3*.a


Archive: http://lists.debian.org/201303091830.51423.mm...@debian.org



release date for debian wheezy?

2013-02-28 Thread heiko
Hello.

Is there a release date for debian squeeze to stable ?


Archive: http://lists.debian.org/201302281606.13084.heiko.er...@aschershain.de



Re: [pkg-wpa-devel] libnl3 soname change

2011-12-19 Thread Heiko Stübner
On Monday 19 December 2011, 18:08:34 Stefan Lippers-Hollmann wrote:
 Hi
 
 On Monday 19 December 2011, Heiko Stübner wrote:
  On Monday, 19 December 2011, 09:03:47 Gaudenz Steinlin wrote:
   On Sun, 18 Dec 2011 20:16:08 +0100, Heiko Stübner he...@sntech.de 
wrote:
On Thursday 15 December 2011, 22:13:43 Stefan Lippers-Hollmann wrote:
 On Thursday 15 December 2011, Joey Hess wrote:
  Heiko Stübner wrote:
   So the question would be on how to proceed to get this into
   unstable without breaking too much.
 
 [...]
 I have prepared and tested (for the non-udeb cases, see below)
 iw[1] and wpasupplicant[2] in svn now, likewise hostapd[3] will
 switch to libnl-3 >= 3.2 (from libnl1) after it gets available in
 unstable (no urgency at all).
 
 Something seems to be missing for the udeb handling though:
 Package: wpasupplicant-udeb
 [...]
 Depends: libc6-udeb (>= 2.13), libcrypto1.0.0-udeb (>= 1.0.0),
 libnl-3-200-udeb (>= 3.2.3), libnl-genl-3-200, busybox-udeb
 
 
 [...]
 
As I did not split the udeb libnl-genl-3 resides at the moment in
libnl-3-200- udeb. The dependencies all have a -udeb in its package
name, but libnl- genl-3-200 has not. So my guess would be, that a
libnl-genl-3-200-udeb is also necessary.
   
   I'll try to look into the udeb issues but not before Thursday this
   week. If anyone has time to do this before I'm more than happy. If you
   have any specific questions I can answer mails even before.
  
  does the following look remotely sane? (I.e. it creates a
  libnl-genl-3-200-udeb with the correct library)
  
  From c826b7a811a7931dd151b9c28aad93eda7af321f Mon Sep 17 00:00:00 2001
  From: Heiko Stuebner heiko.stueb...@nexst4.de
  Date: Mon, 19 Dec 2011 10:30:51 +0100
  Subject: [PATCH 1/2] create a libnl-genl-udeb
 
 Yes, that results in correct dependencies for the udeb, thanks a lot:
 
 Package: wpasupplicant-udeb
 [...]
 Depends: libc6-udeb (>= 2.13), libcrypto1.0.0-udeb (>= 1.0.0),
 libnl-3-200-udeb (>= 3.2.3), libnl-genl-3-200-udeb (>= 3.2.3),
 busybox-udeb

cool, so if no one shouts in the next 1-2 hours I will upload 3.2.3-2 to 
unstable with the change:
- separate libnl-genl-3-200-udeb
- move of libnl3.200 and libnl-genl3.200 to /lib (the other stuff stays in 
/usr)

Heiko


Archive: http://lists.debian.org/201112191903.48769.he...@sntech.de



Re: [pkg-wpa-devel] libnl3 soname change

2011-12-19 Thread Heiko Stübner
On Monday 19 December 2011, 19:03:47 Heiko Stübner wrote:
 On Monday 19 December 2011, 18:08:34 Stefan Lippers-Hollmann wrote:
  Hi
  
  On Monday 19 December 2011, Heiko Stübner wrote:
   On Monday, 19 December 2011, 09:03:47 Gaudenz Steinlin wrote:
On Sun, 18 Dec 2011 20:16:08 +0100, Heiko Stübner he...@sntech.de
 
 wrote:
 On Thursday 15 December 2011, 22:13:43 Stefan Lippers-Hollmann wrote:
  On Thursday 15 December 2011, Joey Hess wrote:
   Heiko Stübner wrote:
So the question would be on how to proceed to get this into
unstable without breaking too much.
  
  [...]
  I have prepared and tested (for the non-udeb cases, see below)
  iw[1] and wpasupplicant[2] in svn now, likewise hostapd[3] will
  switch to libnl-3 >= 3.2 (from libnl1) after it gets available in
  unstable (no urgency at all).
  
  Something seems to be missing for the udeb handling though:
  Package: wpasupplicant-udeb
  [...]
  Depends: libc6-udeb (>= 2.13), libcrypto1.0.0-udeb (>= 1.0.0),
  libnl-3-200-udeb (>= 3.2.3), libnl-genl-3-200, busybox-udeb
  
  
  [...]
  
 As I did not split the udeb libnl-genl-3 resides at the moment in
 libnl-3-200- udeb. The dependencies all have a -udeb in its
 package name, but libnl- genl-3-200 has not. So my guess would be,
 that a libnl-genl-3-200-udeb is also necessary.

I'll try to look into the udeb issues but not before Thursday this
week. If anyone has time to do this before I'm more than happy. If
you have any specific questions I can answer mails even before.
   
   does the following look remotely sane? (I.e. it creates a
   libnl-genl-3-200-udeb with the correct library)
   
   From c826b7a811a7931dd151b9c28aad93eda7af321f Mon Sep 17 00:00:00 2001
   From: Heiko Stuebner heiko.stueb...@nexst4.de
   Date: Mon, 19 Dec 2011 10:30:51 +0100
   Subject: [PATCH 1/2] create a libnl-genl-udeb
  
  Yes, that results in correct dependencies for the udeb, thanks a lot:
  
  Package: wpasupplicant-udeb
  [...]
  Depends: libc6-udeb (>= 2.13), libcrypto1.0.0-udeb (>= 1.0.0),
  libnl-3-200-udeb (>= 3.2.3), libnl-genl-3-200-udeb (>= 3.2.3),
  busybox-udeb
 
 cool, so if no one shouts in the next 1-2 hours I will upload 3.2.3-2 to
 unstable with the change:
 - separate libnl-genl-3-200-udeb
 - move of libnl3.200 and libnl-genl3.200 to /lib (the other stuff stays in
 /usr)

it's in new now and will hopefully make its way into _unstable_ during the 
next days.

Heiko


Archive: http://lists.debian.org/201112192219.40816.he...@sntech.de



libnl3 soname change

2011-12-14 Thread Heiko Stübner
Hi all,

last week I did an upload of the current version 3.2.3 libnl3 to experimental.
libnl >= 3.2 is for example necessary for network-manager.

Beginning from 3.2 upstream changed the soname from libnl3 to
libnl3-200 and due to now correct .pc files it was possible to also create
separate packages for the individual libraries instead of cramming all of them
into one package.

So the question would be on how to proceed to get this into unstable without
breaking too much.

Another question for the installer folks: should the udeb stay as it is, or 
should it be split too.


Thanks
Heiko


Archive: http://lists.debian.org/201112141623.20369.he...@sntech.de



please remove agtl from squeeze

2010-10-17 Thread Heiko Stübner
(please CC me for any follow-ups as I am not subscribed to the list)

Hi,

my package agtl 0.5.1-2 currently in squeeze and unstable is outdated and 
doesn't work with current geocaching.com interfaces so it's essentially 
useless in its current form.

It also was never released as part of a stable release so it seems to me the 
most useful course of action would be its removal from squeeze and reentering 
after the squeeze release and I had time to update it.

Thanks
Heiko

