--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: dhcp...@packages.debian.org
Control: affects -1 + src:dhcpcd5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
[ Reason ]
RC bug #1050805 was fixed in Testing with src:dhcpcd 10.0.2, but upstream only
got around back-porting the fix to Stable src:dhcpcd5 9.x.x today.
[ Impact ]
As per #1050805, "This bug can be triggered remotely over the internet from any
UDP port and is critical on an internet-facing system that needs DHCP to get an
IP address, such as a gateway, a dedicated server or a VM."
[ Tests ]
Verified to boot on a Stable host.
[ Risks ]
None.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
* Add --no-stop-on-upgrade --no-restart-after-upgrade (Closes: #1057959).
* Cherry-pick upstream backported fixes for RC bug (Closes: #1050805).
* Update dhcpcd.preinst version check to match current one.
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEyJACx3qL7GpObXOQrh+Cd8S017YFAmZtfSEACgkQrh+Cd8S0
17afbA//b7UQXcbT6qtNheW5w53MyFeD2qQbqOOQ8qmiMm+rZJJ3w4oIjRZ6E4tY
TQRc90yRmR/3RxQb7h5XHomM1ERl29CDh5+03rhdtk1WOUcWM5q+aIjhYfeLsTk2
fUW7vZdH9NwTNs+IBEtTIGsnrpFg1CzWh63kBOO934RhVIUVWLzY5zZX7p44+atL
26yJRcOWMjmhh0ciWocbmMjVvuxmxBuoZczZoMR8Pg0YYCFo7qIjgOvfrxMJaOts
TK/kTuNGoyuF2dPGW9p9byscLk/EiGp1UivH2rOu4cAAyu4rV6Wb38cYm66lwdee
ZJRyoFu3YdDv8M+Bzrd+K/rdiSqFcZCpcioYqhdUQ84tcCc5HA/cBtRNr3Xe9wwO
+Jq3FBd4dE0UfK2Mh7xupVb4YzsFiuVB6LwqR4bu9NmZ3c29jjum6Piy+DseGLGU
PW6Svq5KBxO3SJUI5+sB/wRKI7Ziu95xURbFjq0NnB1LDw6YXofNpsu+pJMwczdU
67/FT9WCQTBD7rpS4TW+ykROGt0kQic2U50RNnh5j+R8f9u+B4VmbM06NhhcZ1NO
TKjc+abzaVLkEPamUig9Nq4QQxB7WmudsHFS+qSiTHsu/ouSG4KFGXWjxWIQw8PD
NIZyQu/+lsTdL46prN9pwGekEudGRX4oOVEbMOV5EZ1GDo2jq9g=
=SM4R
-----END PGP SIGNATURE-----
diff -Nru dhcpcd5-9.4.1/debian/changelog dhcpcd5-9.4.1/debian/changelog
--- dhcpcd5-9.4.1/debian/changelog 2023-10-20 11:12:13.000000000 +0300
+++ dhcpcd5-9.4.1/debian/changelog 2024-06-15 12:37:49.000000000 +0300
@@ -1,3 +1,11 @@
+dhcpcd5 (9.4.1-24~deb12u4) bookworm; urgency=medium
+
+ * Add --no-stop-on-upgrade --no-restart-after-upgrade (Closes: #1057959).
+ * Cherry-pick upstream backported fixes for RC bug (Closes: #1050805).
+ * Update dhcpcd.preinst version check to match current one.
+
+ -- Martin-Éric Racine <martin-eric.rac...@iki.fi> Sat, 15 Jun 2024 12:37:49
+0300
+
dhcpcd5 (9.4.1-24~deb12u3) bookworm; urgency=medium
* Move Breaks/Replaces dhcpcd5 (<< 9.4.1-2) to Conflicts (Closes: #1053657).
diff -Nru dhcpcd5-9.4.1/debian/dhcpcd.preinst
dhcpcd5-9.4.1/debian/dhcpcd.preinst
--- dhcpcd5-9.4.1/debian/dhcpcd.preinst 2023-10-20 11:12:08.000000000 +0300
+++ dhcpcd5-9.4.1/debian/dhcpcd.preinst 2023-12-13 22:50:19.000000000 +0200
@@ -2,7 +2,7 @@
# As per Debian bug #1037190.
# Copyright 2023 Andreas Beckmann <a...@debian.org>
set -e
-if dpkg --compare-versions "$2" lt-nl "1:9.4.1-24~deb12u3~" ; then
+if dpkg --compare-versions "$2" lt-nl "1:9.4.1-24~deb12u4~" ; then
# Cleanup leftovers from dhcpcd 1:3.* in Wheezy.
# Can be removed after Trixie is released.
update-alternatives --remove dhcpcd /sbin/dhcpcd3
diff -Nru
dhcpcd5-9.4.1/debian/patches/53e2f6de4ba87d0534c89cae674e6c1a48724ef0.patch
dhcpcd5-9.4.1/debian/patches/53e2f6de4ba87d0534c89cae674e6c1a48724ef0.patch
--- dhcpcd5-9.4.1/debian/patches/53e2f6de4ba87d0534c89cae674e6c1a48724ef0.patch
1970-01-01 02:00:00.000000000 +0200
+++ dhcpcd5-9.4.1/debian/patches/53e2f6de4ba87d0534c89cae674e6c1a48724ef0.patch
2024-06-15 12:34:41.000000000 +0300
@@ -0,0 +1,121 @@
+From 53e2f6de4ba87d0534c89cae674e6c1a48724ef0 Mon Sep 17 00:00:00 2001
+From: Roy Marples <r...@marples.name>
+Date: Sat, 15 Jun 2024 10:04:06 +0100
+Subject: [PATCH] privsep: Allow zero length messages through
+
+They should be handled gracefully without privsep anyway.
+Fix for #179.
+---
+ src/privsep-inet.c | 12 ++++++------
+ src/privsep.c | 15 +++------------
+ src/privsep.h | 2 +-
+ 3 files changed, 10 insertions(+), 19 deletions(-)
+
+diff --git a/src/privsep-inet.c b/src/privsep-inet.c
+index 3a192ee0..7f7494f6 100644
+--- a/src/privsep-inet.c
++++ b/src/privsep-inet.c
+@@ -53,7 +53,7 @@ ps_inet_recvbootp(void *arg)
+ {
+ struct dhcpcd_ctx *ctx = arg;
+
+- if (ps_recvmsg(ctx, ctx->udp_rfd, PS_BOOTP, ctx->ps_inet_fd) == -1)
++ if (ps_recvmsg(ctx->udp_rfd, PS_BOOTP, ctx->ps_inet_fd) == -1)
+ logerr(__func__);
+ }
+ #endif
+@@ -67,12 +67,12 @@ ps_inet_recvra(void *arg)
+ struct rs_state *state = RS_STATE(ifp);
+ struct dhcpcd_ctx *ctx = ifp->ctx;
+
+- if (ps_recvmsg(ctx, state->nd_fd, PS_ND, ctx->ps_inet_fd) == -1)
++ if (ps_recvmsg(state->nd_fd, PS_ND, ctx->ps_inet_fd) == -1)
+ logerr(__func__);
+ #else
+ struct dhcpcd_ctx *ctx = arg;
+
+- if (ps_recvmsg(ctx, ctx->nd_fd, PS_ND, ctx->ps_inet_fd) == -1)
++ if (ps_recvmsg(ctx->nd_fd, PS_ND, ctx->ps_inet_fd) == -1)
+ logerr(__func__);
+ #endif
+ }
+@@ -84,7 +84,7 @@ ps_inet_recvdhcp6(void *arg)
+ {
+ struct dhcpcd_ctx *ctx = arg;
+
+- if (ps_recvmsg(ctx, ctx->dhcp6_rfd, PS_DHCP6, ctx->ps_inet_fd) == -1)
++ if (ps_recvmsg(ctx->dhcp6_rfd, PS_DHCP6, ctx->ps_inet_fd) == -1)
+ logerr(__func__);
+ }
+ #endif
+@@ -374,7 +374,7 @@ ps_inet_recvinbootp(void *arg)
+ {
+ struct ps_process *psp = arg;
+
+- if (ps_recvmsg(psp->psp_ctx, psp->psp_work_fd,
++ if (ps_recvmsg(psp->psp_work_fd,
+ PS_BOOTP, psp->psp_ctx->ps_data_fd) == -1)
+ logerr(__func__);
+ }
+@@ -463,7 +463,7 @@ ps_inet_recvin6dhcp6(void *arg)
+ {
+ struct ps_process *psp = arg;
+
+- if (ps_recvmsg(psp->psp_ctx, psp->psp_work_fd,
++ if (ps_recvmsg(psp->psp_work_fd,
+ PS_DHCP6, psp->psp_ctx->ps_data_fd) == -1)
+ logerr(__func__);
+ }
+diff --git a/src/privsep.c b/src/privsep.c
+index ab29bb7b..0f78907a 100644
+--- a/src/privsep.c
++++ b/src/privsep.c
+@@ -897,7 +897,7 @@ ps_sendcmdmsg(int fd, uint16_t cmd, const struct msghdr
*msg)
+ }
+
+ ssize_t
+-ps_recvmsg(struct dhcpcd_ctx *ctx, int rfd, uint16_t cmd, int wfd)
++ps_recvmsg(int rfd, uint16_t cmd, int wfd)
+ {
+ struct sockaddr_storage ss = { .ss_family = AF_UNSPEC };
+ uint8_t controlbuf[sizeof(struct sockaddr_storage)] = { 0 };
+@@ -913,24 +913,15 @@ ps_recvmsg(struct dhcpcd_ctx *ctx, int rfd, uint16_t
cmd, int wfd)
+
+ ssize_t len = recvmsg(rfd, &msg, 0);
+
+- if (len == -1)
++ if (len == -1) {
+ logerr("%s: recvmsg", __func__);
+- if (len == -1 || len == 0) {
+- if (ctx->options & DHCPCD_FORKED &&
+- !(ctx->options & DHCPCD_PRIVSEPROOT))
+- eloop_exit(ctx->eloop,
+- len == 0 ? EXIT_SUCCESS : EXIT_FAILURE);
+ return len;
+ }
+
+ iov[0].iov_len = (size_t)len;
+ len = ps_sendcmdmsg(wfd, cmd, &msg);
+- if (len == -1) {
++ if (len == -1)
+ logerr("ps_sendcmdmsg");
+- if (ctx->options & DHCPCD_FORKED &&
+- !(ctx->options & DHCPCD_PRIVSEPROOT))
+- eloop_exit(ctx->eloop, EXIT_FAILURE);
+- }
+ return len;
+ }
+
+diff --git a/src/privsep.h b/src/privsep.h
+index 132f679a..00184d07 100644
+--- a/src/privsep.h
++++ b/src/privsep.h
+@@ -192,7 +192,7 @@ ssize_t ps_sendmsg(struct dhcpcd_ctx *, int, uint16_t,
unsigned long,
+ const struct msghdr *);
+ ssize_t ps_sendcmd(struct dhcpcd_ctx *, int, uint16_t, unsigned long,
+ const void *data, size_t len);
+-ssize_t ps_recvmsg(struct dhcpcd_ctx *, int, uint16_t, int);
++ssize_t ps_recvmsg(int, uint16_t, int);
+ ssize_t ps_recvpsmsg(struct dhcpcd_ctx *, int,
+ ssize_t (*callback)(void *, struct ps_msghdr *, struct msghdr *), void *);
+
diff -Nru
dhcpcd5-9.4.1/debian/patches/6e127eac6903524d401b31893167e4529b8ab111.patch
dhcpcd5-9.4.1/debian/patches/6e127eac6903524d401b31893167e4529b8ab111.patch
--- dhcpcd5-9.4.1/debian/patches/6e127eac6903524d401b31893167e4529b8ab111.patch
1970-01-01 02:00:00.000000000 +0200
+++ dhcpcd5-9.4.1/debian/patches/6e127eac6903524d401b31893167e4529b8ab111.patch
2024-06-15 12:35:03.000000000 +0300
@@ -0,0 +1,57 @@
+From 6e127eac6903524d401b31893167e4529b8ab111 Mon Sep 17 00:00:00 2001
+From: Roy Marples <r...@marples.name>
+Date: Mon, 8 May 2023 15:52:11 +0100
+Subject: [PATCH] DHCP: Don't enforce the message came port 67
+
+RFC2131 and updates make no mention of what the source port
+should or must be.
+
+Update for #179.
+---
+ src/bpf.c | 11 +++++++----
+ src/dhcp.c | 4 ++--
+ 2 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/src/bpf.c b/src/bpf.c
+index 339f3a014..44b08e6e8 100644
+--- a/src/bpf.c
++++ b/src/bpf.c
+@@ -612,16 +612,19 @@ static const struct bpf_insn bpf_bootp_base[] = {
+ #define BPF_BOOTP_BASE_LEN __arraycount(bpf_bootp_base)
+
+ static const struct bpf_insn bpf_bootp_read[] = {
+- /* Make sure it's from and to the right port. */
+- BPF_STMT(BPF_LD + BPF_W + BPF_IND, 0),
+- BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, (BOOTPS << 16) + BOOTPC, 1, 0),
++ /* Make sure it's to the right port.
++ * RFC2131 makes no mention of enforcing a source port. */
++ BPF_STMT(BPF_LD + BPF_H + BPF_IND, offsetof(struct udphdr, uh_dport)),
++ BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, BOOTPC, 1, 0),
+ BPF_STMT(BPF_RET + BPF_K, 0),
+ };
+ #define BPF_BOOTP_READ_LEN __arraycount(bpf_bootp_read)
+
+ #ifdef BIOCSETWF
+ static const struct bpf_insn bpf_bootp_write[] = {
+- /* Make sure it's from and to the right port. */
++ /* Make sure it's from and to the right port.
++ * RFC2131 makes no mention of encforcing a source port,
++ * but dhcpcd does enforce it for sending. */
+ BPF_STMT(BPF_LD + BPF_W + BPF_IND, 0),
+ BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, (BOOTPC << 16) + BOOTPS, 1, 0),
+ BPF_STMT(BPF_RET + BPF_K, 0),
+diff --git a/src/dhcp.c b/src/dhcp.c
+index f76807605..9a790b50d 100644
+--- a/src/dhcp.c
++++ b/src/dhcp.c
+@@ -3459,8 +3459,8 @@ is_packet_udp_bootp(void *packet, size_t plen)
+ if (ip_hlen + ntohs(udp.uh_ulen) > plen)
+ return false;
+
+- /* Check it's to and from the right ports. */
+- if (udp.uh_dport != htons(BOOTPC) || udp.uh_sport != htons(BOOTPS))
++ /* Check it's to the right port. */
++ if (udp.uh_dport != htons(BOOTPC))
+ return false;
+
+ return true;
diff -Nru dhcpcd5-9.4.1/debian/patches/series
dhcpcd5-9.4.1/debian/patches/series
--- dhcpcd5-9.4.1/debian/patches/series 2023-05-24 16:29:33.000000000 +0300
+++ dhcpcd5-9.4.1/debian/patches/series 2024-06-15 12:35:57.000000000 +0300
@@ -8,3 +8,5 @@
0008_fix_incorrect_assert.patch
0009_allow_newfstatat_syscall.patch
0010_miss_seccomp_on_ppc64el.patch
+53e2f6de4ba87d0534c89cae674e6c1a48724ef0.patch
+6e127eac6903524d401b31893167e4529b8ab111.patch
diff -Nru dhcpcd5-9.4.1/debian/rules dhcpcd5-9.4.1/debian/rules
--- dhcpcd5-9.4.1/debian/rules 2023-07-09 22:14:37.000000000 +0300
+++ dhcpcd5-9.4.1/debian/rules 2023-12-13 22:49:49.000000000 +0200
@@ -20,8 +20,8 @@
# Avoid starting the unconfigured service as it may break connectivity.
override_dh_installinit:
- dh_installinit --name=dhcpcd --no-start
+ dh_installinit --name=dhcpcd --no-start --no-stop-on-upgrade
--no-restart-after-upgrade
override_dh_installsystemd:
- dh_installsystemd --name=dhcpcd --no-start
- dh_installsystemd --name=dhcpcd@ --no-start
+ dh_installsystemd --name=dhcpcd --no-start --no-stop-on-upgrade
--no-restart-after-upgrade
+ dh_installsystemd --name=dhcpcd@ --no-start --no-stop-on-upgrade
--no-restart-after-upgrade
--- End Message ---
