Bug#860058: unblock: libnl3/3.2.27-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Please unblock package libnl3
In CVE-2017-0553 a possible (but moderate) security issue was found which resulted in bug #859948 against the Debian libnl3 package. 3.2.27-2 fixes this (and only this) issue.
debdiff:
diff -Nru libnl3-3.2.27/debian/changelog libnl3-3.2.27/debian/changelog --- libnl3-3.2.27/debian/changelog 2016-01-24 23:54:53.0 +0100 +++ libnl3-3.2.27/debian/changelog 2017-04-10 11:48:23.0 +0200 @@ -1,3 +1,9 @@ +libnl3 (3.2.27-2) unstable; urgency=low + + * Add upstream fix for CVE-2017-0553 (Closes: #859948) + + -- Heiko Stuebner <mm...@debian.org> Mon, 10 Apr 2017 11:48:23 +0200 + libnl3 (3.2.27-1) unstable; urgency=low * New upstream release diff -Nru libnl3-3.2.27/debian/patches/debian/nlmsg_reserve-overflow.patch libnl3-3.2.27/debian/patches/debian/nlmsg_reserve-overflow.patch --- libnl3-3.2.27/debian/patches/debian/nlmsg_reserve-overflow.patch 1970-01-01 01:00:00.0 +0100 +++ libnl3-3.2.27/debian/patches/debian/nlmsg_reserve-overflow.patch 2017-04-10 10:55:21.0 +0200 
@@ -0,0 +1,38 @@ +From 3e18948f17148e6a3c4255bdeaaf01ef6081ceeb Mon Sep 17 00:00:00 2001 +From: Thomas Haller <thal...@redhat.com> +Date: Mon, 6 Feb 2017 22:23:52 +0100 +Subject: [PATCH] lib: check for integer-overflow in nlmsg_reserve() + +In general, libnl functions are not robust against calling with +invalid arguments. Thus, never call libnl functions with invalid +arguments. In case of nlmsg_reserve() this means never provide +a @len argument that causes overflow. + +Still, add an additional safeguard to avoid exploiting such bugs. + +Assume that @pad is a trusted, small integer. +Assume that n->nm_size is a valid number of allocated bytes (and thus +much smaller then SIZE_T_MAX). +Assume, that @len may be set to an untrusted value. Then the patch +avoids an integer overflow resulting in reserving too few bytes. +--- + lib/msg.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/lib/msg.c b/lib/msg.c +index 9af3f3a..3e27d4e 100644 +--- a/lib/msg.c b/lib/msg.c +@@ -411,6 +411,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad) + size_t nlmsg_len = n->nm_nlh->nlmsg_len; + size_t tlen; + ++ if (len > n->nm_size) ++ return NULL; ++ + tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len; + + if ((tlen + nlmsg_len) > n->nm_size) +-- +2.9.3 + diff -Nru libnl3-3.2.27/debian/patches/series libnl3-3.2.27/debian/patches/series --- libnl3-3.2.27/debian/patches/series 2016-01-24 00:36:27.0 +0100 +++ libnl3-3.2.27/debian/patches/series 2017-04-10 10:57:45.0 +0200 
@@ -3,3 +3,4 @@ debian/no-symvers.diff -p1 debian/__nl_cache_ops_lookup-unstatic.diff -p1 debian/_nl_socket_generate_local_port_no_release.diff -p1 +debian/nlmsg_reserve-overflow.patch -p1 unblock libnl3/3.2.27-2 -- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (500, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386, armhf Kernel: Linux 4.8.0-2-amd64 (SMP w/8 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
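Review bot: the debian/changelog hunk sets urgency=low for an upload whose only change is the fix for CVE-2017-0553 (Closes: #859948); Debian practice for a security fix is urgency=medium or higher, so that the package does not sit out the full low-urgency delay in unstable if the release team grants the unblock without also shortening its age. Nothing else in the entry needs changing; it names the CVE and the bug in the form the security tracker picks up.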
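Review bot: in the nlmsg_reserve() hunk of nlmsg_reserve-overflow.patch, the new `if (len > n->nm_size) return NULL;` is correct only because of assumptions that the commit message states but the code at the point of use does not: a len capped at nm_size cannot wrap in `len + (pad - 1)` when pad is a small trusted integer, and `tlen + nlmsg_len` then cannot wrap either when nm_size is far below SIZE_MAX, which is what makes the existing `(tlen + nlmsg_len) > n->nm_size` test trustworthy again. A one-line comment above the check saying so (and that the check is deliberately stricter than strictly needed) would save the next reader the derivation. On the Debian side, the patch file carries only the git From/Date/Subject headers; adding DEP-3 `Origin: upstream, commit 3e18948f17148e6a3c4255bdeaaf01ef6081ceeb` and `Bug-Debian: https://bugs.debian.org/859948` lines would let the patch tracker tie it to CVE-2017-0553.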
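The commit message in the patch above describes the wrap the new guard exists for but does not show it. As an added example, not libnl's code and not part of the unblock request, the following C program models the size arithmetic of nlmsg_reserve() before and after the added check. The names toy_round_up, accepts_unguarded and accepts_guarded, the 4096-byte buffer and the 16 bytes already used are this example's own assumptions, mirroring n->nm_size and n->nm_nlh->nlmsg_len.

```c
/* Added example, not libnl code: a model of the size arithmetic in
 * nlmsg_reserve() as shown in the patch above, to demonstrate the wrap
 * the new `len > nm_size` guard prevents. Names (toy_*, accepts_*) are
 * this example's own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Round len up to a multiple of pad the way the library does; pad is
 * assumed to be a small power of two (0 means no padding). size_t
 * arithmetic wraps silently, which is the whole problem. */
static size_t toy_round_up(size_t len, int pad)
{
    return pad ? ((len + (pad - 1)) & ~(size_t)(pad - 1)) : len;
}

/* Pre-patch decision: would a reservation of len bytes be accepted?
 * nm_size is the allocated buffer size, used is nlmsg_len (bytes already
 * consumed), mirroring n->nm_size and n->nm_nlh->nlmsg_len. */
bool accepts_unguarded(size_t nm_size, uint32_t used, size_t len, int pad)
{
    size_t tlen = toy_round_up(len, pad);
    return (tlen + used) <= nm_size;
}

/* Post-patch decision: the added check rejects any len that cannot fit
 * even before rounding, so neither len + (pad - 1) nor tlen + used can
 * wrap as long as nm_size is far below SIZE_MAX. */
bool accepts_guarded(size_t nm_size, uint32_t used, size_t len, int pad)
{
    if (len > nm_size)
        return false;
    size_t tlen = toy_round_up(len, pad);
    return (tlen + used) <= nm_size;
}

int main(void)
{
    const size_t nm_size = 4096;   /* constructed: a 4 KiB message buffer */
    const uint32_t used = 16;      /* constructed: header already written */

    /* Honest request: both versions agree. */
    printf("len=100 pad=4: unguarded=%d guarded=%d\n",
           accepts_unguarded(nm_size, used, 100, 4),
           accepts_guarded(nm_size, used, 100, 4));

    /* Hostile len: SIZE_MAX - 1 + 3 wraps to 1, masked to 0, so the old
     * code reserves 0 bytes while the caller believes it may write len. */
    printf("len=SIZE_MAX-1 pad=4: unguarded=%d guarded=%d\n",
           accepts_unguarded(nm_size, used, SIZE_MAX - 1, 4),
           accepts_guarded(nm_size, used, SIZE_MAX - 1, 4));

    /* Even with pad=0 the second sum, tlen + used, wraps. */
    printf("len=SIZE_MAX-1 pad=0: unguarded=%d guarded=%d\n",
           accepts_unguarded(nm_size, used, SIZE_MAX - 1, 0),
           accepts_guarded(nm_size, used, SIZE_MAX - 1, 0));
    return 0;
}
```

The two hostile cases are the ones the guard is for: with padding the rounding itself wraps, and without padding the addition to nlmsg_len wraps; in both the old check passes and far too few bytes are reserved, while the guarded version rejects them before any arithmetic happens.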
Re: Bug#745019: problems with 2.6.32 kernel (and wheezy libnl3)
Hi Dietmar,
On Thursday, 17 April 2014, 10:15:21 you wrote:
Package: libnl3
Version: 3.2.7
The library does not work when running newer versions of the 2.6.32 kernel:
# nl-qdisc-list
Error: Unable to allocate link cache: Input data out of range
(same bug with 3.2.24-1)
This is already fixed upstream: http://git.infradead.org/users/tgr/libnl.git/commit/dfd0a80ec845a800504fecb936c2b33d6918fc9c
Also see: https://bugzilla.openvz.org/show_bug.cgi?id=2939
Would be great to have a fix for wheezy.
As I was doing an upload for another problem anyway, I backported the fix from the upstream git into our 3.2.24. 2.6.32 was the kernel from squeeze, while wheezy uses mainly 3.2, so I'm not sure if this fix is critical enough to warrant a stable update. I've therefore added debian-release to get an answer to this question :-) .
Heiko
-- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/2305885.fzbCAUopYp@phil
libnl3: provide static libraries severity
Hi Ondřej,
On Saturday, 9 March 2013, 17:15:52 Ondřej Surý wrote:
severity 693939 693...@bugs.debian.org serious
severity 693940 693...@bugs.debian.org serious
thank you
it seems this command was not successful, as both bugs are still at severity normal.
I would argue that not providing static libraries is a violation of the Debian policy and makes the dev package unusable for people wanting to compile with -static.
I would follow your argument and the issue seems easily fixable by the change below. The only question would be about the severity, aka it getting a freeze exception, as policy only says "is usually provided", which I don't read as a clear must but as a really should. Therefore I've added debian-release to get this hopefully answered.
Heiko
diff --git a/debian/libnl-3-dev.install b/debian/libnl-3-dev.install index e64b775..3715b8b 100755 --- a/debian/libnl-3-dev.install +++ b/debian/libnl-3-dev.install @@ -2,3 +2,4 @@ debian/tmp/usr/include/* debian/tmp/usr/lib/*/pkgconfig/libnl-3* debian/tmp/usr/lib/${DEB_HOST_MULTIARCH}/libnl-3.so lib/${DEB_HOST_MULTIARCH}/ +debian/tmp/usr/lib/${DEB_HOST_MULTIARCH}/libnl-3.a lib/${DEB_HOST_MULTIARCH}/ diff --git a/debian/libnl-cli-3-dev.install b/debian/libnl-cli-3-dev.install index 91ff45b..66aa3b3 100644 --- a/debian/libnl-cli-3-dev.install +++ b/debian/libnl-cli-3-dev.install @@ -1,2 +1,3 @@ debian/tmp/usr/lib/*/pkgconfig/libnl-cli-3* debian/tmp/usr/lib/*/libnl-cli-3*.so +debian/tmp/usr/lib/*/libnl-cli-3*.a diff --git a/debian/libnl-genl-3-dev.install b/debian/libnl-genl-3-dev.install index 19201a3..cbc6b51 100755 --- a/debian/libnl-genl-3-dev.install +++ b/debian/libnl-genl-3-dev.install @@ -1,3 +1,4 @@ #!/usr/bin/dh-exec debian/tmp/usr/lib/*/pkgconfig/libnl-genl-3* debian/tmp/usr/lib/${DEB_HOST_MULTIARCH}/libnl-genl-3*.so lib/${DEB_HOST_MULTIARCH}/ +debian/tmp/usr/lib/${DEB_HOST_MULTIARCH}/libnl-genl-3*.a lib/${DEB_HOST_MULTIARCH}/ 
diff --git a/debian/libnl-nf-3-dev.install b/debian/libnl-nf-3-dev.install index c50d642..d1307c7 100644 --- a/debian/libnl-nf-3-dev.install +++ b/debian/libnl-nf-3-dev.install @@ -1,2 +1,3 @@ debian/tmp/usr/lib/*/pkgconfig/libnl-nf-3* debian/tmp/usr/lib/*/libnl-nf-3*.so +debian/tmp/usr/lib/*/libnl-nf-3*.a diff --git a/debian/libnl-route-3-dev.install b/debian/libnl-route-3-dev.install index 3e31a2d..37e248c 100644 --- a/debian/libnl-route-3-dev.install +++ b/debian/libnl-route-3-dev.install @@ -1,2 +1,3 @@ debian/tmp/usr/lib/*/pkgconfig/libnl-route-3* debian/tmp/usr/lib/*/libnl-route-3*.so +debian/tmp/usr/lib/*/libnl-route-3*.a
Archive: http://lists.debian.org/201303091830.51423.mm...@debian.org
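Review bot: in the debian/libnl-3-dev.install hunk the added libnl-3.a line copies the `lib/${DEB_HOST_MULTIARCH}/` destination from the libnl-3.so line above it, and the debian/libnl-genl-3-dev.install hunk does the same for libnl-genl-3*.a. That destination puts the development symlink next to the runtime library, which was moved to /lib for the udeb and early-boot case (see the 3.2.3-2 upload discussed further down this page); a static archive is only read at link time and is never needed before /usr is mounted, so it belongs under /usr/lib like the .a files of the other three -dev packages in this diff. Suggested line: `debian/tmp/usr/lib/${DEB_HOST_MULTIARCH}/libnl-3.a usr/lib/${DEB_HOST_MULTIARCH}/`, and the same change for libnl-genl-3*.a.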
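Review bot: the debian/libnl-cli-3-dev.install hunk (and each of the other four) adds an unconditional `*.a` pattern, so dh_install will fail the build unless libtool actually produces the static archives; before uploading, confirm that debian/rules does not pass --disable-static to configure and do one build to check that every .a lands in debian/tmp. It is also worth checking that the libnl-*-3.pc files carry the inter-library dependencies in Libs.private (libnl-cli-3, libnl-nf-3, libnl-route-3 and libnl-genl-3 all sit on top of libnl-3), since otherwise `pkg-config --static --libs` hands -static users an incomplete link line and the archives alone do not deliver what bug #693939/#693940 ask for.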
release date for debian wheezy?
Hello. Is there a release date for debian squeeze to stable?
Archive: http://lists.debian.org/201302281606.13084.heiko.er...@aschershain.de
Re: [pkg-wpa-devel] libnl3 soname change
On Monday 19 December 2011, 18:08:34 Stefan Lippers-Hollmann wrote:
Hi
On Monday 19 December 2011, Heiko Stübner wrote:
On Monday, 19 December 2011, 09:03:47 Gaudenz Steinlin wrote:
On Sun, 18 Dec 2011 20:16:08 +0100, Heiko Stübner he...@sntech.de wrote:
On Thursday 15 December 2011, 22:13:43 Stefan Lippers-Hollmann wrote:
On Thursday 15 December 2011, Joey Hess wrote:
Heiko Stübner wrote:
So the question would be on how to proceed to get this into unstable without breaking too much.
[...]
I have prepared and tested (for the non-udeb cases, see below) iw[1] and wpasupplicant[2] in svn now, likewise hostapd[3] will switch to libnl-3 >= 3.2 (from libnl1) after it gets available in unstable (no urgency at all). Something seems to be missing for the udeb handling though:
Package: wpasupplicant-udeb [...] Depends: libc6-udeb (>= 2.13), libcrypto1.0.0-udeb (>= 1.0.0), libnl-3-200-udeb (>= 3.2.3), libnl-genl-3-200, busybox-udeb [...]
As I did not split the udeb, libnl-genl-3 resides at the moment in libnl-3-200-udeb. The dependencies all have a -udeb in their package name, but libnl-genl-3-200 has not. So my guess would be that a libnl-genl-3-200-udeb is also necessary. I'll try to look into the udeb issues but not before Thursday this week. If anyone has time to do this before, I'm more than happy. If you have any specific questions I can answer mails even before.
does the following look remotely sane? (I.e. it creates a libnl-genl-3-200-udeb with the correct library)
From c826b7a811a7931dd151b9c28aad93eda7af321f Mon Sep 17 00:00:00 2001
From: Heiko Stuebner heiko.stueb...@nexst4.de
Date: Mon, 19 Dec 2011 10:30:51 +0100
Subject: [PATCH 1/2] create a libnl-genl-udeb
Yes, that results in correct dependencies for the udeb, thanks a lot:
Package: wpasupplicant-udeb [...]
Depends: libc6-udeb (>= 2.13), libcrypto1.0.0-udeb (>= 1.0.0), libnl-3-200-udeb (>= 3.2.3), libnl-genl-3-200-udeb (>= 3.2.3), busybox-udeb
cool, so if no one shouts in the next 1-2 hours I will upload 3.2.3-2 to unstable with the change:
- separate libnl-genl-3-200-udeb
- move of libnl3.200 and libnl-genl3.200 to /lib (the other stuff stays in /usr)
Heiko
Archive: http://lists.debian.org/201112191903.48769.he...@sntech.de
Re: [pkg-wpa-devel] libnl3 soname change
On Monday 19 December 2011, 19:03:47 Heiko Stübner wrote:
On Monday 19 December 2011, 18:08:34 Stefan Lippers-Hollmann wrote:
Hi
On Monday 19 December 2011, Heiko Stübner wrote:
On Monday, 19 December 2011, 09:03:47 Gaudenz Steinlin wrote:
On Sun, 18 Dec 2011 20:16:08 +0100, Heiko Stübner he...@sntech.de wrote:
On Thursday 15 December 2011, 22:13:43 Stefan Lippers-Hollmann wrote:
On Thursday 15 December 2011, Joey Hess wrote:
Heiko Stübner wrote:
So the question would be on how to proceed to get this into unstable without breaking too much.
[...]
I have prepared and tested (for the non-udeb cases, see below) iw[1] and wpasupplicant[2] in svn now, likewise hostapd[3] will switch to libnl-3 >= 3.2 (from libnl1) after it gets available in unstable (no urgency at all). Something seems to be missing for the udeb handling though:
Package: wpasupplicant-udeb [...] Depends: libc6-udeb (>= 2.13), libcrypto1.0.0-udeb (>= 1.0.0), libnl-3-200-udeb (>= 3.2.3), libnl-genl-3-200, busybox-udeb [...]
As I did not split the udeb, libnl-genl-3 resides at the moment in libnl-3-200-udeb. The dependencies all have a -udeb in their package name, but libnl-genl-3-200 has not. So my guess would be that a libnl-genl-3-200-udeb is also necessary. I'll try to look into the udeb issues but not before Thursday this week. If anyone has time to do this before, I'm more than happy. If you have any specific questions I can answer mails even before.
does the following look remotely sane? (I.e. it creates a libnl-genl-3-200-udeb with the correct library)
From c826b7a811a7931dd151b9c28aad93eda7af321f Mon Sep 17 00:00:00 2001
From: Heiko Stuebner heiko.stueb...@nexst4.de
Date: Mon, 19 Dec 2011 10:30:51 +0100
Subject: [PATCH 1/2] create a libnl-genl-udeb
Yes, that results in correct dependencies for the udeb, thanks a lot:
Package: wpasupplicant-udeb [...]
Depends: libc6-udeb (>= 2.13), libcrypto1.0.0-udeb (>= 1.0.0), libnl-3-200-udeb (>= 3.2.3), libnl-genl-3-200-udeb (>= 3.2.3), busybox-udeb
cool, so if no one shouts in the next 1-2 hours I will upload 3.2.3-2 to unstable with the change:
- separate libnl-genl-3-200-udeb
- move of libnl3.200 and libnl-genl3.200 to /lib (the other stuff stays in /usr)
it's in new now and will hopefully make its way into _unstable_ during the next days.
Heiko
Archive: http://lists.debian.org/201112192219.40816.he...@sntech.de
libnl3 soname change
Hi all,
last week I did an upload of the current version 3.2.3 of libnl3 to experimental. Libnl >= 3.2 is for example necessary for network-manager.
Beginning from 3.2 upstream changed the soname from libnl3 to libnl3-200, and due to now correct .pc files it was possible to also create separate packages for the individual libraries instead of cramming all of them into one package.
So the question would be on how to proceed to get this into unstable without breaking too much.
Another question for the installer folks: should the udeb stay as it is, or should it be split too?
Thanks
Heiko
Archive: http://lists.debian.org/201112141623.20369.he...@sntech.de
please remove agtl from squeeze
(please CC me for any follow-ups as I am not subscribed to the list)
Hi,
my package agtl 0.5.1-2, currently in squeeze and unstable, is outdated and doesn't work with current geocaching.com interfaces, so it's essentially useless in its current form. It also was never released as part of a stable release, so it seems to me the most useful course of action would be its removal from squeeze and re-entering it after the squeeze release, once I have had time to update it.
Thanks
Heiko