Processed: Re: Bug#1038824: bookworm-pu: package openvpn/2.6.3-1+deb12u1

2023-06-24 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #1038824 [release.debian.org] bookworm-pu: package openvpn/2.6.3-1+deb12u1
Added tag(s) confirmed.

-- 
1038824: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038824
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1038824: bookworm-pu: package openvpn/2.6.3-1+deb12u1

2023-06-24 Thread Jonathan Wiltshire
Control: tag -1 confirmed

On Wed, Jun 21, 2023 at 10:04:49PM +0200, Bernhard Schmidt wrote:
> This -pu cherry-picks two fixes from upstream. One fixing a memory
> leak that is noticeable on long running servers, and one dangling pointer that
> might lead to crashes. Both have been in 2.6.3-2 for about a month now,
> migrated to testing flawlessly and are part of the recent upstream stable
> release. 
> 
> There is nothing else in 2.6.3-2 that is not suitable for bookworm, I have just
> changed the version and set the correct branch in gbp.conf

Please go ahead.

Thanks,


-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Bug#1038824: bookworm-pu: package openvpn/2.6.3-1+deb12u1

2023-06-21 Thread Bernhard Schmidt
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: open...@packages.debian.org
Control: affects -1 + src:openvpn

This -pu cherry-picks two fixes from upstream. One fixing a memory
leak that is noticeable on long running servers, and one dangling pointer that
might lead to crashes. Both have been in 2.6.3-2 for about a month now,
migrated to testing flawlessly and are part of the recent upstream stable
release. 

There is nothing else in 2.6.3-2 that is not suitable for bookworm, I have just
changed the version and set the correct branch in gbp.conf

[ Reason ]
Bugfix

[ Impact ]
Memory leak

[ Tests ]
Upstream has an extensive testsuite/CI coverage. Part of it is run during
build.

[ Risks ]
Isolated fixes that have been vetted upstream and have been part of an upstream
release

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

Bernhard
diff -Nru openvpn-2.6.3/debian/changelog openvpn-2.6.3/debian/changelog
--- openvpn-2.6.3/debian/changelog  2023-04-13 09:19:40.0 +0200
+++ openvpn-2.6.3/debian/changelog  2023-06-21 21:41:33.0 +0200
@@ -1,3 +1,12 @@
+openvpn (2.6.3-1+deb12u1) bookworm; urgency=medium
+
+  * Cherry-pick two bugfix commits from upstream
+- Memory leak in dco_get_peer_stats_multi for Linux
+- dangling pointer passed to pkcs11-helper
+  * d/gbp.conf: set branch to bookworm
+
+ -- Bernhard Schmidt   Wed, 21 Jun 2023 21:41:33 +0200
+
 openvpn (2.6.3-1) unstable; urgency=medium
 
   * New upstream version 2.6.2
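Review bot: The two sub-items under "Cherry-pick two bugfix commits from upstream" name the fixes but not their origin; the upstream commit ids (f4850745709c5b80ab7d09c03a86c5ceea6d10a2 and 276f7c86d70666bc2ab4e6192ef5f1dcbd6a230f) and the GitHub issue OpenVPN/openvpn#323 appear only inside the patch headers. Adding them to the respective changelog lines would let anyone auditing the stable update match each entry to its upstream change without opening debian/patches.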
diff -Nru openvpn-2.6.3/debian/gbp.conf openvpn-2.6.3/debian/gbp.conf
--- openvpn-2.6.3/debian/gbp.conf   2023-04-13 09:19:40.0 +0200
+++ openvpn-2.6.3/debian/gbp.conf   2023-06-21 21:41:33.0 +0200
@@ -1,2 +1,3 @@
 [DEFAULT]
 pristine-tar = True
+debian-branch = debian/bookworm
diff -Nru openvpn-2.6.3/debian/patches/fix-dangling-pointer-in-pkcs11.patch 
openvpn-2.6.3/debian/patches/fix-dangling-pointer-in-pkcs11.patch
--- openvpn-2.6.3/debian/patches/fix-dangling-pointer-in-pkcs11.patch   
1970-01-01 01:00:00.0 +0100
+++ openvpn-2.6.3/debian/patches/fix-dangling-pointer-in-pkcs11.patch   
2023-06-21 21:41:33.0 +0200
@@ -0,0 +1,37 @@
+From 7e4becb4cd8be7f0d5ff80cf80877ea152f99830 Mon Sep 17 00:00:00 2001
+From: Selva Nair 
+Date: Tue, 9 May 2023 13:05:17 -0400
+Subject: [PATCH] Bugfix: dangling pointer passed to pkcs11-helper
+
+Github: Fixes OpenVPN/openvpn#323
+
+Signed-off-by: Selva Nair 
+Acked-by: Gert Doering 
+Message-Id: <20230509170517.2637245-1-selva.n...@gmail.com>
+URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26640.html
+Signed-off-by: Gert Doering 
+(cherry picked from commit f4850745709c5b80ab7d09c03a86c5ceea6d10a2)
+---
+ src/openvpn/pkcs11_openssl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/openvpn/pkcs11_openssl.c b/src/openvpn/pkcs11_openssl.c
+index eee86e17b6f..9b0ab39f9cf 100644
+--- a/src/openvpn/pkcs11_openssl.c
 b/src/openvpn/pkcs11_openssl.c
+@@ -165,6 +165,7 @@ xkey_pkcs11h_sign(void *handle, unsigned char *sig,
+ {
+ pkcs11h_certificate_t cert = handle;
+ CK_MECHANISM mech = {CKM_RSA_PKCS, NULL, 0}; /* default value */
++CK_RSA_PKCS_PSS_PARAMS pss_params = {0};
+ 
+ unsigned char buf[EVP_MAX_MD_SIZE];
+ size_t buflen;
+@@ -203,7 +204,6 @@ xkey_pkcs11h_sign(void *handle, unsigned char *sig,
+ }
+ else if (!strcmp(sigalg.padmode, "pss"))
+ {
+-CK_RSA_PKCS_PSS_PARAMS pss_params = {0};
+ mech.mechanism = CKM_RSA_PKCS_PSS;
+ 
+ if (!set_pss_params(_params, sigalg, cert))
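Review bot: The hoisted declaration `CK_RSA_PKCS_PSS_PARAMS pss_params = {0};` beside `mech` at the top of xkey_pkcs11h_sign carries no comment explaining why it sits at function scope, and the commit message offers only the subject line and an issue reference. Because the whole fix is moving this declaration out of the "pss" branch, a later cleanup that narrows the variable's scope again would quietly bring the dangling pointer back. A short comment on that line, for example `/* must remain valid until the pkcs11-helper call returns */`, would protect the fix.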
diff -Nru 
openvpn-2.6.3/debian/patches/fix-memleak-in-dco_get_peer_stats_multi.patch 
openvpn-2.6.3/debian/patches/fix-memleak-in-dco_get_peer_stats_multi.patch
--- openvpn-2.6.3/debian/patches/fix-memleak-in-dco_get_peer_stats_multi.patch  
1970-01-01 01:00:00.0 +0100
+++ openvpn-2.6.3/debian/patches/fix-memleak-in-dco_get_peer_stats_multi.patch  
2023-06-21 21:41:33.0 +0200
@@ -0,0 +1,33 @@
+From 5e8a571af165c867ccb9c4c9e6334620f42013ac Mon Sep 17 00:00:00 2001
+From: Frank Lichtenheld 
+Date: Mon, 15 May 2023 16:21:16 +0200
+Subject: [PATCH] DCO: fix memory leak in dco_get_peer_stats_multi for Linux
+
+Leaks a small amount of memory every 15s.
+
+Signed-off-by: Frank Lichtenheld 
+Acked-by: Antonio Quartulli 
+Message-Id: <20230515142116.33135-1-fr...@lichtenheld.com>
+URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26659.html
+Signed-off-by: Gert Doering 
+(cherry picked from commit 276f7c86d70666bc2ab4e6192ef5f1dcbd6a230f)
+---
+ src/openvpn/dco_linux.c | 5 -
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c
+index