Your message dated Sat, 29 Jun 2024 10:46:20 +0000
with message-id <e1snvb2-002bin...@coccia.debian.org>
and subject line Released with 12.6
has caused the Debian Bug report #1072983,
regarding bookworm-pu: package golang-github-google-nftables/0.1.0-4~deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1072983: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072983
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: golang-github-google-nftab...@packages.debian.org
Control: affects -1 + src:golang-github-google-nftables

Hi,

[ Reason ]

I'd like to fix the #1071247/#1071248 pair in bookworm, which results in
crowdsec-firewall-bouncer's being broken on little-endian architectures
(addresses are getting logged just fine, but they're not passed over
correctly to the firewall layer). 

I've checked with the security team, this doesn't warrant a DSA.

This is the library part (golang-github-google-nftables).

[ Impact ]

If the fix doesn't make it into stable, crowdsec-firewall-bouncer
remains broken on little-endian architectures.

[ Tests ]

Same checks as for unstable when I uploaded the fixes there:
 - amd64 (LE, baremetal) before: KO
 - amd64 (LE, baremetal) after: OK
 - s390x (BE, debvm) before: OK
 - s390x (BE, debvm) after: OK

[ Risks ]

Except for a possible regression on s390x (which isn't the case, see
previous section), it cannot be worse than it currently is.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

Additionally, that reached testing.

[ Changes ]

The fix is a direct backport from upstream, which adds byte order
information to the function used by crowdsec-firewall-bouncer
(AddSet).

[ Other info ]

Next bug report is the crowdsec-firewall-bouncer part.


Cheers,
-- 
Cyril Brulebois -- Debian Consultant @ DEBAMAX -- https://debamax.com/
diff -Nru golang-github-google-nftables-0.1.0/debian/changelog 
golang-github-google-nftables-0.1.0/debian/changelog
--- golang-github-google-nftables-0.1.0/debian/changelog        2022-12-12 
05:07:14.000000000 +0100
+++ golang-github-google-nftables-0.1.0/debian/changelog        2024-06-11 
10:22:28.000000000 +0200
@@ -1,3 +1,18 @@
+golang-github-google-nftables (0.1.0-4~deb12u1) bookworm; urgency=medium
+
+  * Rebuild for bookworm.
+
+ -- Cyril Brulebois <cy...@debamax.com>  Tue, 11 Jun 2024 10:22:28 +0200
+
+golang-github-google-nftables (0.1.0-4) unstable; urgency=high
+
+  * Backport upstream fix for the AddSet() function that's been reversing
+    byte order on all little-endian architectures (Closes: #1071247),
+    breaking crowdsec-firewall-bouncer (See: #1071248):
+     - 0002-Implement-set-KeyByteOrder-226.patch
+
+ -- Cyril Brulebois <cy...@debamax.com>  Tue, 21 May 2024 09:42:17 +0200
+
 golang-github-google-nftables (0.1.0-3) unstable; urgency=medium
 
   * Backport fix from upstream to fix the test suite on 32-bit archs (the
diff -Nru 
golang-github-google-nftables-0.1.0/debian/patches/0002-Implement-set-KeyByteOrder-226.patch
 
golang-github-google-nftables-0.1.0/debian/patches/0002-Implement-set-KeyByteOrder-226.patch
--- 
golang-github-google-nftables-0.1.0/debian/patches/0002-Implement-set-KeyByteOrder-226.patch
        1970-01-01 01:00:00.000000000 +0100
+++ 
golang-github-google-nftables-0.1.0/debian/patches/0002-Implement-set-KeyByteOrder-226.patch
        2024-05-15 13:08:54.000000000 +0200
@@ -0,0 +1,42 @@
+From d746ecb0e494e7200180c3886fde9664d9100729 Mon Sep 17 00:00:00 2001
+From: turekt <32360115+tur...@users.noreply.github.com>
+Date: Thu, 18 May 2023 18:05:49 +0200
+Subject: [PATCH] Implement set KeyByteOrder (#226)
+
+Fixes https://github.com/google/nftables/issues/225
+Introduced KeyByteOrder in sets which fills UDATA with endianess information
+---
+ set.go | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/set.go b/set.go
+index 1ef8e89..b1f63e8 100644
+--- a/set.go
++++ b/set.go
+@@ -261,6 +261,9 @@ type Set struct {
+       Timeout       time.Duration
+       KeyType       SetDatatype
+       DataType      SetDatatype
++      // Either host (binaryutil.NativeEndian) or big (binaryutil.BigEndian) 
endian as per
++      // 
https://git.netfilter.org/nftables/tree/include/datatype.h?id=d486c9e626405e829221b82d7355558005b26d8a#n109
++      KeyByteOrder binaryutil.ByteOrder
+ }
+ 
+ // SetElement represents a data point within a set.
+@@ -560,11 +563,11 @@ func (cc *Conn) AddSet(s *Set, vals []SetElement) error {
+               // Marshal concat size description as set description
+               tableInfo = append(tableInfo, netlink.Attribute{Type: 
unix.NLA_F_NESTED | unix.NFTA_SET_DESC, Data: concatBytes})
+       }
+-      if s.Anonymous || s.Constant || s.Interval {
++      if s.Anonymous || s.Constant || s.Interval || s.KeyByteOrder == 
binaryutil.BigEndian {
+               tableInfo = append(tableInfo,
+                       // Semantically useless - kept for binary compatability 
with nft
+                       netlink.Attribute{Type: unix.NFTA_SET_USERDATA, Data: 
[]byte("\x00\x04\x02\x00\x00\x00")})
+-      } else if !s.IsMap {
++      } else if s.KeyByteOrder == binaryutil.NativeEndian {
+               // Per 
https://git.netfilter.org/nftables/tree/src/mnl.c?id=187c6d01d35722618c2711bbc49262c286472c8f#n1165
+               tableInfo = append(tableInfo,
+                       netlink.Attribute{Type: unix.NFTA_SET_USERDATA, Data: 
[]byte("\x00\x04\x01\x00\x00\x00")})
+-- 
+2.39.2
+
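Review bot: the second hunk swaps the fallback `-      } else if !s.IsMap {` for `+      } else if s.KeyByteOrder == binaryutil.NativeEndian {`, so a Set whose new KeyByteOrder field is left at its zero value (a nil interface) now matches neither branch and AddSet sends no NFTA_SET_USERDATA at all, where every non-anonymous, non-constant, non-interval, non-map set previously carried the host-endian marker; existing callers that never set the field silently lose it. Suggest either treating a nil KeyByteOrder as binaryutil.NativeEndian before the two checks, or stating in the new struct comment that an unset field means no byte-order userdata is emitted, and spelling out there that the literal 0x02 marks big-endian and 0x01 host-endian, since the comment only points at datatype.h for that.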
diff -Nru golang-github-google-nftables-0.1.0/debian/patches/series 
golang-github-google-nftables-0.1.0/debian/patches/series
--- golang-github-google-nftables-0.1.0/debian/patches/series   2022-12-12 
05:04:34.000000000 +0100
+++ golang-github-google-nftables-0.1.0/debian/patches/series   2024-05-15 
13:08:54.000000000 +0200
@@ -1 +1,2 @@
 0001-alignedbuff-fix-alignment-test-issue-on-32-bit-archs.patch
+0002-Implement-set-KeyByteOrder-226.patch

--- End Message ---
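The byte-order marker that the backported patch has AddSet() write, as an added stand-alone Go example (not code from the bug report or from google/nftables): it builds the NFTA_SET_USERDATA payload for each setting of the new KeyByteOrder field and parses it back, including the case the fix hinges on, a field left unset. The TLV layout (type 0, length 4, 4-byte value) is inferred from the two byte strings in the patch and is an assumption; the KeyOrder type and both function names are hypothetical.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// KeyOrder mirrors the caller's choice of Set.KeyByteOrder; its values are the
// ones the patched AddSet writes ("\x00\x04\x02\x00\x00\x00" for BigEndian,
// "\x00\x04\x01\x00\x00\x00" for NativeEndian): assumed TLV of type 0, length 4.
type KeyOrder uint32
const (
	udataKeyByteOrder          = 0 // TLV type byte seen in both literals
	OrderUnset        KeyOrder = 0 // field left at its zero value (nil in the library)
	OrderHost         KeyOrder = 1
	OrderBig          KeyOrder = 2
)

// EncodeKeyByteOrder builds the NFTA_SET_USERDATA payload the patch emits. OrderUnset
// yields nil: with the field unset neither branch fires and no marker is sent at all.
func EncodeKeyByteOrder(o KeyOrder) []byte {
	if o != OrderHost && o != OrderBig {
		return nil
	}
	buf := []byte{udataKeyByteOrder, 4, 0, 0, 0, 0}
	binary.LittleEndian.PutUint32(buf[2:], uint32(o))
	return buf
}

// DecodeKeyByteOrder walks a userdata blob TLV by TLV; a missing marker is
// OrderUnset, a truncated TLV or an unknown marker value is an error.
func DecodeKeyByteOrder(udata []byte) (KeyOrder, error) {
	for len(udata) > 0 {
		if len(udata) < 2 || len(udata) < 2+int(udata[1]) {
			return OrderUnset, fmt.Errorf("truncated TLV in userdata %x", udata)
		}
		typ, val := udata[0], udata[2:2+int(udata[1])]
		udata = udata[2+len(val):]
		if typ != udataKeyByteOrder {
			continue // some other set userdata (e.g. a comment), skip it
		}
		if len(val) == 4 {
			if o := KeyOrder(binary.LittleEndian.Uint32(val)); o == OrderHost || o == OrderBig {
				return o, nil
			}
		}
		return OrderUnset, fmt.Errorf("bad key byte order TLV value %x", val)
	}
	return OrderUnset, nil
}
```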
--- Begin Message ---
Version: 12.6

The upload requested in this bug has been released as part of 12.6.

--- End Message ---
