Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package munge [ Reason ] * Cherry-pick upstream patch to allow upgrading from buster to bullseye [ Impact ] Remove some minor tests to fix kfreebsd builds and a useless check for the daemon when starting [ Tests ] All tests passed [ Risks ] It's low risk because the change only avoids a useless check that the libgcrypt shared object linked at runtime is the same one the daemon was compiled against [1] and removes some minor tests (removed upstream) to fix kfreebsd builds. [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing diffstat for munge-0.5.14 munge-0.5.14 changelog | 14 + patches/0005-Sharness-Remove-tests-to-from-invalid-files.patch | 93 +++++++++ patches/0006-Sharness-Set-IFNAME-prereq-if-network-ifname-found.patch | 102 ++++++++++ patches/0007-Remove-GCRYPT_VERSION-from-gcry_check_version.patch | 36 +++ patches/series | 3 5 files changed, 248 insertions(+) debdiff attached unblock munge/0.5.14-6 [1] https://github.com/dun/munge/commit/0c37cc03b649d8861c2d9e8d172bff736bfd9ea4 -- Gennaro Oliva
diff -Nru munge-0.5.14/debian/changelog munge-0.5.14/debian/changelog --- munge-0.5.14/debian/changelog 2021-02-25 17:08:19.000000000 +0100 +++ munge-0.5.14/debian/changelog 2021-08-06 09:40:42.000000000 +0200 @@ -1,3 +1,17 @@ +munge (0.5.14-6) unstable; urgency=medium + + [Chris Dunlap] + * Remove GCRYPT_VERSION from gcry_check_version (Closes: #991875) + + -- Gennaro Oliva <oliv...@na.icar.cnr.it> Fri, 06 Aug 2021 09:40:42 +0200 + +munge (0.5.14-5) unstable; urgency=medium + + [Chris Dunlap] + * Fix kfreebsd builds + + -- Gennaro Oliva <oliv...@na.icar.cnr.it> Mon, 22 Mar 2021 02:00:52 +0100 + munge (0.5.14-4) unstable; urgency=medium [Chris Dunlap] diff -Nru munge-0.5.14/debian/patches/0005-Sharness-Remove-tests-to-from-invalid-files.patch munge-0.5.14/debian/patches/0005-Sharness-Remove-tests-to-from-invalid-files.patch --- munge-0.5.14/debian/patches/0005-Sharness-Remove-tests-to-from-invalid-files.patch 1970-01-01 01:00:00.000000000 +0100 +++ munge-0.5.14/debian/patches/0005-Sharness-Remove-tests-to-from-invalid-files.patch 2021-08-05 23:56:30.000000000 +0200 
@@ -0,0 +1,93 @@
+Description: Sharness: Remove tests to/from invalid files
+ On FreeBSD (12.1, 11.4, 11.3) and NetBSD (9.0, 8.1, 7.2), the following
+ test fails when run with "root=/tmp/munge-test-$$":
+ 0012-munge-cmdline.t 24 - munge --input from invalid file
+ This test attempts to read data for a credential payload from the file
+ "." -- i.e., a directory, and not a regular file. It is expected
+ to fail, and on most platforms it does. However, it unexpectedly
+ succeeds if the input file is on a FreeBSD ufs or NetBSD ffs filesystem
+ (where it uses the directory file contents as the payload data),
+ but fails if the input file is on an nfs or tmpfs filesystem on
+ those platforms. Note that this test fails as expected on OpenBSD
+ ffs and nfs filesystems.
+ This passed testing for 0.5.14 because the test suite ran in an
+ nfs directory. But recent testing with "root=/tmp/munge-test-$$"
+ uncovered the failure since the "root" variable moved the input file
+ to a different filesystem.
+ Since the munge and unmunge client executables do not explicitly
+ check whether the input or output files are regular files, remove the
+ sharness checks that test for an expected failure when specifying an
+ invalid input, metadata, or output file.
+Author: Chris Dunlap <cdun...@llnl.gov>
+Origin: upstream, https://github.com/dun/munge/commit/cfbb14558ceda9dd42b23a2e4c166a07b73a3223
+Last-Update: 2020-10-14
+Forwarded: not-needed
+
+--- a/t/0012-munge-cmdline.t
++++ b/t/0012-munge-cmdline.t
+@@ -109,10 +109,6 @@ test_expect_success 'munge --input from /dev/null' '
+ test ! -s out.$$
+ '
+
+-test_expect_success 'munge --input from invalid file' '
+- test_must_fail "${MUNGE}" --socket="${MUNGE_SOCKET}" --input=.
+-'
+-
+ test_expect_success 'munge --input from missing file' '
+ test_must_fail "${MUNGE}" --socket="${MUNGE_SOCKET}" \
+ --input=missing.file.$$
+@@ -141,10 +137,6 @@ test_expect_success 'munge --output to /dev/null' '
+ test ! -s out.$$
+ '
+
+-test_expect_success 'munge --output to invalid file' '
+- test_must_fail "${MUNGE}" --socket="${MUNGE_SOCKET}" --no-input --output=.
+-'
+-
+ for OPT_LIST_CIPHERS in '-C' '--list-ciphers'; do
+ test_expect_success "munge ${OPT_LIST_CIPHERS}" '
+ "${MUNGE}" "${OPT_LIST_CIPHERS}" |
+diff --git a/t/0013-unmunge-cmdline.t b/t/0013-unmunge-cmdline.t
+index c034109..07ce8eb 100755
+--- a/t/0013-unmunge-cmdline.t
++++ b/t/0013-unmunge-cmdline.t
+@@ -80,10 +80,6 @@ test_expect_success 'unmunge --input from /dev/null' '
+ test_must_fail "${UNMUNGE}" --socket="${MUNGE_SOCKET}" --input=/dev/null
+ '
+
+-test_expect_success 'unmunge --input from invalid file' '
+- test_must_fail "${UNMUNGE}" --socket="${MUNGE_SOCKET}" --input=.
+-'
+-
+ test_expect_success 'unmunge --input from missing file' '
+ test_must_fail "${UNMUNGE}" --socket="${MUNGE_SOCKET}" \
+ --input=missing.file.$$
+@@ -126,12 +122,6 @@ test_expect_success 'unmunge --metadata to /dev/null with payload on stdout' '
+ test "$(cat out.$$)" = "${PAYLOAD}"
+ '
+
+-test_expect_success 'unmunge --metadata to invalid file' '
+- local PAYLOAD=xyzzy-$$ &&
+- "${MUNGE}" --socket="${MUNGE_SOCKET}" --string="${PAYLOAD}" |
+- test_must_fail "${UNMUNGE}" --socket="${MUNGE_SOCKET}" --metadata=.
+-'
+-
+ for OPT_OUTPUT in '-o' '--output'; do
+ test_expect_success "unmunge ${OPT_OUTPUT}" '
+ local PAYLOAD=xyzzy-$$ &&
+@@ -160,12 +150,6 @@ test_expect_success 'unmunge --output to /dev/null with metadata on stdout' '
+ grep -q -v "${PAYLOAD}" meta.$$
+ '
+
+-test_expect_success 'unmunge --output to invalid file' '
+- local PAYLOAD=xyzzy-$$ &&
+- "${MUNGE}" --socket="${MUNGE_SOCKET}" --string="${PAYLOAD}" |
+- test_must_fail "${UNMUNGE}" --socket="${MUNGE_SOCKET}" --output=.
+-'
+-
+ for OPT_LIST_KEYS in '-K' '--list-keys'; do
+ test_expect_success "unmunge ${OPT_LIST_KEYS}" '
+ "${UNMUNGE}" "${OPT_LIST_KEYS}" |
+--
+2.31.0
+
diff -Nru munge-0.5.14/debian/patches/0006-Sharness-Set-IFNAME-prereq-if-network-ifname-found.patch munge-0.5.14/debian/patches/0006-Sharness-Set-IFNAME-prereq-if-network-ifname-found.patch
--- munge-0.5.14/debian/patches/0006-Sharness-Set-IFNAME-prereq-if-network-ifname-found.patch 1970-01-01 01:00:00.000000000 +0100
+++ munge-0.5.14/debian/patches/0006-Sharness-Set-IFNAME-prereq-if-network-ifname-found.patch 2021-08-06 00:01:31.000000000 +0200
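Review bot: Deleting the five "invalid file" checks in t/0012-munge-cmdline.t and t/0013-unmunge-cmdline.t removes the only coverage for a directory being passed as `--input`, `--output` or `--metadata`, while the behaviour the patch description reports (directory contents used as payload data on FreeBSD ufs and NetBSD ffs) stays in place. The description itself says the clients do not check for regular files, so the test suite would now be silent about that gap. If the client behaviour is not going to change, I would leave a marker where the first check was removed, for example `# NOTE: munge/unmunge do not verify that --input/--output/--metadata name a regular file; the result of "--input=." depends on the filesystem.` Whether the clients should reject non-regular files is a separate question that this patch does not settle.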
@@ -0,0 +1,102 @@
+Description: Sharness: Set IFNAME prereq if network ifname found
+ Remove the "test -s ifname0.$$" statements from the sharness
+ checks. They make it difficult to diagnose why a check fails.
+ If the file is empty, munged will fail with the error 'Failed to
+ lookup origin ""' which provides useful information for debugging.
+ Create the new check 'munged --origin interface name lookup' which
+ greps the log from the preceding check for the loopback interface
+ name, checks that it is not the empty string, saves the name to
+ the file "ifname0.$$", and sets the sharness IFNAME prerequisite.
+ Change the checks for 'munged --origin interface name' and
+ 'munged --origin interface name metadata' to depend on this new
+ IFNAME prerequisite. Thus, if munged is unable to match 127.0.0.1 to
+ an interface name, these checks will be skipped instead of failing.
+ Change _net_get_hostaddr_via_ifaddrs() to check that ifa_name
+ is not the empty string before assigning the string for the network
+ interface.
+Author: Chris Dunlap <cdun...@llnl.gov>
+Origin: upstream, https://github.com/dun/munge/commit/77ff6823c423d19823d9259f8e0cae1fc98d9a7b
+Last-Update: 2021-03-19
+Forwarded: not-needed
+
+--- a/src/munged/net.c
++++ b/src/munged/net.c
+@@ -193,7 +193,9 @@ _net_get_hostaddr_via_ifaddrs (const char *name, struct in_addr *inaddrp,
+ */
+ if (ifa != NULL) {
+ *inaddrp = ((struct sockaddr_in *) ifa->ifa_addr)->sin_addr;
+- *ifnamep = (ifa->ifa_name != NULL) ? strdup (ifa->ifa_name) : NULL;
++ *ifnamep = ((ifa->ifa_name != NULL) && (ifa->ifa_name[0] != '\0'))
++ ? strdup (ifa->ifa_name)
++ : NULL;
+ rv = 0;
+ }
+ /* If a match is not found, but host lookup succeeded...
+diff --git a/t/0110-munged-origin-addr.t b/t/0110-munged-origin-addr.t
+index 1e3f642..53bc5af 100755
+--- a/t/0110-munged-origin-addr.t
++++ b/t/0110-munged-origin-addr.t
+@@ -63,15 +63,12 @@ test_expect_success 'munged --origin null address warning' '
+ '
+
+ # Check if the origin address can be set by specifying an IP address.
+-# Save the interface name to ifname0.$$ for later checks.
+ ##
+ test_expect_success 'munged --origin local IP address' '
+ rm -f ifname0.$$ &&
+ munged_start_daemon --origin=127.0.0.1 &&
+ munged_stop_daemon &&
+- egrep "Set origin address to 127\.0\.0\.1\>" "${MUNGE_LOGFILE}" &&
+- sed -n -e "s/.*Set origin address.*(\([^)]*\)).*/\1/p" \
+- "${MUNGE_LOGFILE}" >ifname0.$$
++ egrep "Set origin address to 127\.0\.0\.1\>" "${MUNGE_LOGFILE}"
+ '
+
+ # Check if the origin address is set to the appropriate IP address in the
+@@ -87,23 +84,35 @@ test_expect_success 'munged --origin local IP address metadata' '
+ egrep "^ENCODE_HOST:.* 127\.0\.0\.1\>" meta.$$
+ '
+
+-# Check if the origin address can be set by specifying an interface name.
++# Check the log from the previous test for the network interface name
++# corresponding to the loopback address.
++# Set the IFNAME prereq if "ifname0.$$" contains a non-empty string.
++##
++test_expect_success GETIFADDRS 'munged --origin interface name lookup' '
++ local ifname &&
++ sed -n -e "s/.*Set origin address.*(\([^)]*\)).*/\1/p" "${MUNGE_LOGFILE}" \
++ >ifname0.$$ &&
++ ifname=$(cat ifname0.$$) &&
++ test_debug "echo \"Loopback network interface name is [${ifname}]\"" &&
++ if test "x${ifname}" != x; then test_set_prereq IFNAME; fi
++'
++
++# Check if the origin address can be set by specifying the loopback network
++# interface name.
+ ##
+-test_expect_success GETIFADDRS 'munged --origin interface name' '
+- test -s ifname0.$$ &&
++test_expect_success IFNAME 'munged --origin interface name' '
+ munged_start_daemon --origin="$(cat ifname0.$$)" &&
+ munged_stop_daemon &&
+ egrep "Set origin address to 127\.0\.0\.1\>" "${MUNGE_LOGFILE}" &&
+- sed -n -e "s/.*Set origin address.*(\([^)]*\)).*/\1/p" \
+- "${MUNGE_LOGFILE}" >ifname1.$$ &&
++ sed -n -e "s/.*Set origin address.*(\([^)]*\)).*/\1/p" "${MUNGE_LOGFILE}" \
++ >ifname1.$$ &&
+ test_cmp ifname0.$$ ifname1.$$
+ '
+
+ # Check if the origin address is set to the appropriate IP address in the
+-# credential metadata when specifying an interface name.
++# credential metadata when specifying the loopback network interface name.
+ ##
+-test_expect_success GETIFADDRS 'munged --origin interface name metadata' '
+- test -s ifname0.$$ &&
++test_expect_success IFNAME 'munged --origin interface name metadata' '
+ munged_start_daemon --origin="$(cat ifname0.$$)" &&
+ "${MUNGE}" --socket="${MUNGE_SOCKET}" --no-input --output=cred.$$ &&
+ "${UNMUNGE}" --socket="${MUNGE_SOCKET}" --input=cred.$$ \
+--
+2.31.0
+
diff -Nru munge-0.5.14/debian/patches/0007-Remove-GCRYPT_VERSION-from-gcry_check_version.patch munge-0.5.14/debian/patches/0007-Remove-GCRYPT_VERSION-from-gcry_check_version.patch
--- munge-0.5.14/debian/patches/0007-Remove-GCRYPT_VERSION-from-gcry_check_version.patch 1970-01-01 01:00:00.000000000 +0100
+++ munge-0.5.14/debian/patches/0007-Remove-GCRYPT_VERSION-from-gcry_check_version.patch 2021-08-06 00:01:31.000000000 +0200
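Review bot: The rewritten `*ifnamep` assignment in `_net_get_hostaddr_via_ifaddrs()` (src/munged/net.c) still leaves the result of `strdup()` unchecked, so an allocation failure gives `*ifnamep == NULL` with `rv = 0`. That is the same outcome as the empty-name case this change adds, so a caller cannot tell "interface has no name" from "out of memory". The function's error path and its callers are outside the hunk, so I cannot say which return value would be right for the failure case. At minimum the contract should be stated above the assignment, for example `/* *ifnamep is NULL if the interface has no usable name or if strdup() fails */`.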
@@ -0,0 +1,36 @@
+Description: Replace GCRYPT_VERSION with NULL in gcry_check_version()
+ According to the Libgcrypt documentation, gcry_check_version()
+ should be called with the minimum required version of the library
+ (or NULL if that check is not needed). The <gcrypt.h> header file
+ further notes GCRYPT_VERSION should not be used by the program since
+ gcry_check_version() should return the same version string.
+ Replace GCRYPT_VERSION with NULL in gcry_check_version() to disable the
+ version check. Debian further notes their automated system determined
+ v0.5.14 requires a minimum Libgcrypt version of 1.8.0. However, it
+ seems preferable to disable the check and let distributions perform
+ their dependency checks instead of maintaining this value by hand.
+ Note that gcry_check_version() must still be called because it also
+ initializes the library.
+Author: Chris Dunlap <cdun...@llnl.gov>
+Origin: upstream, https://github.com/dun/munge/commit/0c37cc03b649d8861c2d9e8d172bff736bfd9ea4
+Last-Update: 2021-08-05
+Forwarded: not-needed
+
+diff --git a/src/common/crypto.c b/src/common/crypto.c
+index 29266a16..6e46ec5b 100644
+--- a/src/common/crypto.c
++++ b/src/common/crypto.c
+@@ -72,11 +72,10 @@ crypto_init (void)
+ /* gcry_check_version() must be called before any other Libgcrypt function
+ * (except the GCRYCTL_SET_THREAD_CBS command prior to Libgcrypt 1.6).
+ */
+- v = gcry_check_version (GCRYPT_VERSION);
++ v = gcry_check_version (NULL);
+ if (v == NULL) {
+ log_err (EMUNGE_SNAFU, LOG_ERR,
+- "Failed to initialize Libgcrypt: version mismatch: expected %s",
+- GCRYPT_VERSION);
++ "Failed to initialize Libgcrypt %s", GCRYPT_VERSION);
+ }
+ e = gcry_control (GCRYCTL_DISABLE_SECMEM, 0);
+ if (e) {
diff -Nru munge-0.5.14/debian/patches/series munge-0.5.14/debian/patches/series
--- munge-0.5.14/debian/patches/series 2021-02-24 00:25:10.000000000 +0100
+++ munge-0.5.14/debian/patches/series 2021-08-05 10:35:43.000000000 +0200
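Review bot: The new failure message in `crypto_init()` still prints the compile-time `GCRYPT_VERSION`, which the patch description says the program should not use and which says nothing about the library actually loaded. Reading "Failed to initialize Libgcrypt 1.x.y" in a log would point an operator at the wrong version, so I would drop the macro: `log_err (EMUNGE_SNAFU, LOG_ERR, "Failed to initialize Libgcrypt");`. Separately, passing NULL means the daemon no longer enforces any run-time floor, so the 1.8.0 minimum mentioned in the description rests entirely on package dependencies. That trade-off deserves a comment next to the call, for example `/* NULL: no minimum version enforced here; the packaging must guarantee a compatible Libgcrypt */`. The rest of `crypto_init()` lies outside the hunk.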
@@ -2,3 +2,6 @@
 0002-Sharness-Fix-dup-of-failing-check-when-run-by-root.patch
 0003-Sharness-Fix-EACCES-failure-succeeding-for-root.patch
 0004-HKDF-Fix-big-endian-bug-caused-by-size_t-ptr-cast.patch
+0005-Sharness-Remove-tests-to-from-invalid-files.patch
+0006-Sharness-Set-IFNAME-prereq-if-network-ifname-found.patch
+0007-Remove-GCRYPT_VERSION-from-gcry_check_version.patch