Bug#1071247: golang-github-google-nftables-dev: broken AddSet() on all little-endian systems

2024-05-17 Thread Cyril Brulebois
Cyril Brulebois  (2024-05-17):
> I was tempted to open a second bug on crowdsec-firewall-bouncer,
> referencing this one, and to upload both packages to unstable (this one
> with the upstream patch, the other one with a bumped build-dep to make
> sure it cannot be rebuilt against the broken package; there are a lot of
> binNMUs flying around already). Then to submit p-u requests to get the
> same updates into bookworm. But does that issue warrant a DSA?

The crowdsec-firewall-bouncer bug is #1071248.

The only other reverse dependency is opensnitch (maintainers Cc'd) but
it doesn't seem to use the AddSet() function (in any versions/suites).


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




Processed: Re: Bug#1071247: golang-github-google-nftables-dev: broken AddSet() on all little-endian systems

2024-05-17 Thread Debian Bug Tracking System
Processing control commands:

> found -1 0.1.0-3
Bug #1071247 [golang-github-google-nftables-dev] golang-github-google-nftables-dev: broken AddSet() on all little-endian systems
Marked as found in versions golang-github-google-nftables/0.1.0-3.
> notfound -1 0.1.0-4
Bug #1071247 [golang-github-google-nftables-dev] golang-github-google-nftables-dev: broken AddSet() on all little-endian systems
There is no source info for the package 'golang-github-google-nftables-dev' at version '0.1.0-4' with architecture ''
Unable to make a source version for version '0.1.0-4'
No longer marked as found in versions 0.1.0-4.

-- 
1071247: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071247
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1071247: golang-github-google-nftables-dev: broken AddSet() on all little-endian systems

2024-05-17 Thread Cyril Brulebois
Control: found -1 0.1.0-3
Control: notfound -1 0.1.0-4

Cyril Brulebois  (2024-05-17):
> Package: golang-github-google-nftables-dev
> Version: 0.1.0-4

> I also verified that applying the golang-github-google-nftables patch
> and rebuilding crowdsec-firewall-bouncer against it fixes the problem
> on LE systems, and doesn't regress on BE systems.

Sorry for the version discrepancy; reportbug warned me but I lost track
while thinking about a possible DSA, etc.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




Bug#1071247: golang-github-google-nftables-dev: broken AddSet() on all little-endian systems

2024-05-17 Thread Cyril Brulebois
Package: golang-github-google-nftables-dev
Version: 0.1.0-4
Severity: serious
Tags: upstream security patch
Justification: broken feature, security implications
X-Debbugs-Cc: Debian Security Team , debian.pack...@crowdsec.net

Hi,

I was contacted by CrowdSec upstream about a bug report filed against
the firewall bouncer, which is in charge of applying rules at the
firewall level based on decisions passed on by the crowdsec engine:
  https://github.com/crowdsecurity/cs-firewall-bouncer/issues/368

I've been able to verify that despite correct IPv4 and IPv6 addresses
getting logged by the bouncer (e.g. at debug level), all of them get
added in reverse byte order at the nftables level. :(

Upstream bug:
  https://github.com/google/nftables/issues/225

Upstream fix:
  https://github.com/google/nftables/pull/226

I confirmed that this affects LE systems (e.g. amd64), both in stable and in
unstable (same versions, modulo binNMUs). That doesn't affect BE systems
(i.e. s390x, verified via debvm).

I also verified that applying the golang-github-google-nftables patch
and rebuilding crowdsec-firewall-bouncer against it fixes the problem on
LE systems, and doesn't regress on BE systems.

Security team, I've added the security tag (and you to Cc) because the
consequence is that admins who installed crowdsec-firewall-bouncer have
been thinking they were applying restrictions gathered by crowdsec,
while they've actually been (1) not blocking offending addresses and (2)
blocking possibly harmless ones.

I was tempted to open a second bug on crowdsec-firewall-bouncer,
referencing this one, and to upload both packages to unstable (this one
with the upstream patch, the other one with a bumped build-dep to make
sure it cannot be rebuilt against the broken package; there are a lot of
binNMUs flying around already). Then to submit p-u requests to get the
same updates into bookworm. But does that issue warrant a DSA?


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant
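An added example, not code from the nftables library, the bouncer or this thread, showing the symptom the report describes and a check an admin can run against a live host: it computes the network-order key an address should occupy in an nftables set and classifies a key observed in the kernel set as correct, byte-reversed (the behaviour reported above, assumed here to mean the whole key reversed), or otherwise mismatched. The functions `keyBytes`, `reversed`, `classify` and the 203.0.113.5 sample are constructed for this illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"net"
)

// keyBytes returns the bytes a set element key should hold for ip (4 for IPv4,
// 16 for IPv6) in network byte order, as nft shows them and the bouncer logs them.
func keyBytes(ip string) (key []byte, ok bool) {
	parsed := net.ParseIP(ip)
	if parsed == nil {
		return nil, false
	}
	if v4 := parsed.To4(); v4 != nil {
		return []byte(v4), true
	}
	return []byte(parsed.To16()), true
}

// reversed returns a copy of b with its bytes in reverse order (the layout described for affected LE hosts).
func reversed(b []byte) []byte {
	out := make([]byte, len(b))
	for i, c := range b {
		out[len(b)-1-i] = c
	}
	return out
}

// classify compares a key observed in the kernel set (e.g. from `nft list set`) with
// the address the bouncer logged; "reversed" is the signature of this bug.
func classify(logged string, observed []byte) string {
	want, ok := keyBytes(logged)
	if !ok {
		return "invalid"
	}
	switch {
	case bytes.Equal(observed, want):
		return "correct"
	case bytes.Equal(observed, reversed(want)):
		return "reversed"
	default:
		return "mismatch"
	}
}

func main() { // constructed sample: bouncer logged 203.0.113.5, set held 5.113.0.203
	fmt.Println(classify("203.0.113.5", []byte{5, 113, 0, 203})) // reversed
}
```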