Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@packages.debian.org
Control: affects -1 + src:aide

Dear stable release team,

this pre-upload request for the aide package is filed to ask for
guidance whether this package is suitable for bookworm-updates. I have
never done this before and am open for suggestions to improve and for
documentation pointers. I haven't found the bookworm point release
policy yet, for example.

A fixed package has been uploaded to unstable minutes ago, and I do not
plan to actually upload the deb12u1 version of the package until the
fixes have reached testing.

[ Reason ]
This update fixes #1037171, a serious bug that prevents new
installations and upgrades of aide due to a misunderstanding in the dh
code regarding dh_installsysusers. Embarrassing.

And it also fixes #1037436, a "just" important bug that will fix correct
processing of extended attributes on symlinks that are monitored by
aide. This is a fix suggested by upstream (who is also a DD) and I will
create a similar package for bullseye.

[ Impact ]
Regarding #1037171, Aide will not be useable until the _aide account is
manually created and some file permissions fixed. While package
installation will succeed, neither aideinit nor the daily aide cronjob
are invokeable and will error out.

Regarding #1037436, Aide will wrongly process extended attributes for
the file a symlink points to, which is not the intended behavior. The
fixed aide will process the extended attributes of a symlink.

[ Tests ]
Both bugs are sadly not covered by automated tests, but I am kind of
surprised that piuparts didn't catch #1037171. Regarding #1037171, I
tested:

- installation of aide in a bookworm VM with no aide installed before
- updating 0.18.3-1 to 0.18.3-2 in a bookworm VM
- updating 0.17.3-4+deb11u1 (oldstable) to 0.18.3-2 in a bookworm VM

Regarding #1037436, I created a symlink with extended attributes
pointing to a file with different extended attributes and verified that
actually the extended attributes of the symlink show up in the database.

[ Risks ]
Risks are that I goofed up in the fixes.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
commit 456704ab523c6b7ca088a15ffde543fbac3fa391
Author: Marc Haber <mh+debian-packa...@zugschlus.de>
Date:   Wed Jun 14 16:51:03 2023 +0200

    remove trailing whitespace in debian/rules

    Git-Dch: ignore

commit 2c221fd08e6c4d570c4a2c86c87d0a94201fbe9d
Author: Marc Haber <mh+debian-packa...@zugschlus.de>
Date:   Wed Jun 14 15:28:15 2023 +0200

    chown aide logs even when updating from 0.18.3-1

    0.18.3-1 doesn't create the account, so we need to see for correct
    file ownership when updating to a version that actually creates the
    account.

commit 11547993349b3dffad11f2d6998875d58f6b0395
Author: Marc Haber <mh+debian-packa...@zugschlus.de>
Date:   Wed Jun 14 04:15:51 2023 +0200

    Fix handling of extended attributes on symlinks

    Closes: #1037436

    This fixes wrong behavior regarding extended attributes on symlinks.
    Prior versions of aide would wrongly process the extended attributes
    of the file a symlink points to. This fix makes aide correctly process
    the extended attributes of the link itself, which is the intended
    behavior.

    The fix for extended attributes on symlinks might lead to reported
    changed entries during the next AIDE run. You can use the
    `report_ignore_changed_attrs` option (see aide.conf(5)) to ignore
    changes of the xattrs attribute; but be aware that this will not
    only exclude the expected changes (of the symlink files) but also
    the unexpected changes (of other files).

commit 0d0251e639334e0ef139c1f6f9d34b6032378d3d
Author: Marc Haber <mh+debian-packa...@zugschlus.de>
Date:   Tue Jun 13 16:53:49 2023 +0200

    Move chown calls after #DEBHELPER#

    This is part of the fix for #1037171, the account is only created in the
    code inserted by debhelper at the #DEBHELPER# token. We thus cannot use
    the account after that tag.

commit 218fff3fc157b89e53ece470267cb238fac5daac
Author: Marc Haber <mh+debian-packa...@zugschlus.de>
Date:   Sun Jun 11 22:54:19 2023 +0200

    call dh_installsysusers manually in debian/rules

    Thanks: Tomasz Ciolek
    Closes: #1037171

    dh_installsysusers is not called in the normal dh calling sequence in dh
    compat level 13. This resulted in the account not being created in new
    installs and probably also during upgrades from bullseye. This fixes the
    issue by calling dh_installsysusers explicitly in
    override_dh_auto_install.


[ Other info ]
source debdiff attached.

Please indicate whether this package might be a valid candidate to be in
the next bookworm point release once 0.18.3-2 has reached testing.

Greetings
Marc
diff -Nru aide-0.18.3/debian/aide-common.postinst 
aide-0.18.3/debian/aide-common.postinst
--- aide-0.18.3/debian/aide-common.postinst     2023-04-20 23:50:04.000000000 
+0200
+++ aide-0.18.3/debian/aide-common.postinst     2023-06-14 17:04:20.000000000 
+0200
@@ -45,18 +45,6 @@
 # added updating to 0.18-1
 rm -rf /var/tmp/aide.cron.daily /var/tmp/aide.cron.daily.old.*
 
-if dpkg --compare-versions "$2" lt 0.17.5-1; then
-    # we're updating from a version earlier than 0.17.5, chown logs
-    # and databases
-    chown --quiet _aide:adm /var/log/aide /var/log/aide/aide.log 
/var/log/aide/aide.log.* || true
-    chmod --quiet 2755 /var/log/aide || true
-    chown --quiet _aide:root /var/lib/aide/aide.db /var/lib/aide/aide.db.new 
|| true
-fi
-if dpkg --compare-versions "$2" lt 0.18-3; then
-    # we're updating from a version earlier than 0.18-3, chown aideinit logs
-    chown --quiet _aide:adm /var/log/aide/aideinit.log 
/var/log/aide/aideinit.errors|| true
-fi
-
 rm -f /var/lib/aide/aide.conf.autogenerated
 if dpkg --compare-versions "$2" le "0.16-1"; then
     # we're updating from a version earlier than 0.16-1, rename DHCP conffiles
@@ -96,6 +84,20 @@
 
 #DEBHELPER#
 
+# this needs to be after debhelper, otherwise the account doesn't
+# yet exist.
+if dpkg --compare-versions "$2" lt 0.17.5-1; then
+    # we're updating from a version earlier than 0.17.5, chown logs
+    # and databases
+    chown --quiet _aide:adm /var/log/aide /var/log/aide/aide.log 
/var/log/aide/aide.log.* || true
+    chmod --quiet 2755 /var/log/aide || true
+    chown --quiet _aide:root /var/lib/aide/aide.db /var/lib/aide/aide.db.new 
|| true
+fi
+if dpkg --compare-versions "$2" le 0.18.3-1; then
+    # we're updating from 0.18-3 or earlier, chown aideinit logs
+    chown --quiet _aide:adm /var/log/aide/aideinit.log 
/var/log/aide/aideinit.errors|| true
+fi
+
 exit 0
 
 # vim:sw=4:sts=4:et:
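Review bot: the first re-added block still tests `lt 0.17.5-1`; only the aideinit block was widened to `le 0.18.3-1`. The commit message says 0.18.3-1 does not create the account, so on a system that already went from an older version to 0.18.3-1 the chown of /var/log/aide, aide.log and the databases failed silently (`--quiet ... || true`), and this upgrade skips that block because "$2" is 0.18.3-1. Consider `le 0.18.3-1` for the first condition as well. The comment "updating from 0.18-3 or earlier" should also name 0.18.3-1 so it matches the test.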
diff -Nru aide-0.18.3/debian/changelog aide-0.18.3/debian/changelog
--- aide-0.18.3/debian/changelog        2023-04-20 23:50:04.000000000 +0200
+++ aide-0.18.3/debian/changelog        2023-06-14 17:04:20.000000000 +0200
@@ -1,3 +1,11 @@
+aide (0.18.3-1+deb12u1) bookworm; urgency=medium
+
+  * call dh_installsysusers manually in debian/rules
+    Thanks to Tomasz Ciolek (Closes: #1037171)
+  * Fix handling of extended attributes on symlinks. (Closes: #1037436)
+
+ -- Marc Haber <mh+debian-packa...@zugschlus.de>  Wed, 14 Jun 2023 17:04:20 
+0200
+
 aide (0.18.3-1) unstable; urgency=medium
 
   * New upstream version 0.18.3
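Review bot: the new entry lists the dh_installsysusers call and the xattr fix, but not the postinst change, where the chown/chmod blocks move below #DEBHELPER# and the aideinit check becomes `le 0.18.3-1`. The checklist states that all changes are documented in d/changelog, so add a line for it next to the #1037171 item.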
diff -Nru aide-0.18.3/debian/patches/debian-bug-1037436 
aide-0.18.3/debian/patches/debian-bug-1037436
--- aide-0.18.3/debian/patches/debian-bug-1037436       1970-01-01 
01:00:00.000000000 +0100
+++ aide-0.18.3/debian/patches/debian-bug-1037436       2023-06-14 
17:04:20.000000000 +0200
@@ -0,0 +1,25 @@
+Description: Fix handling of extended attributes on symlinks
+Author: Hannes von Haugwitz <han...@vonhaugwitz.com>
+Origin: 04b34dd46292dedf830ef2366a86666869a31488
+Date: Mon Jun 12 22:20:50 2023 +0200
+Forwarded: not-needed
+--- a/src/do_md.c
++++ b/src/do_md.c
+@@ -514,7 +514,7 @@ void xattrs2line(db_line *line) {
+                     strncmp(attr, "trusted.", strlen("trusted.")))
+                 goto next_attr; /* only store normal xattrs, and SELinux */
+ 
+-            while (((aret = getxattr(line->fullpath, attr, val, asz)) ==
++            while (((aret = lgetxattr(line->fullpath, attr, val, asz)) ==
+                         -1) && (errno == ERANGE)) {
+                 asz <<= 1;
+                 val = checked_realloc (val, asz);
+@@ -523,7 +523,7 @@ void xattrs2line(db_line *line) {
+             if (aret != -1)
+                 xattr_add(xattrs, attr, val, aret);
+             else if (errno != ENOATTR)
+-                log_msg(LOG_LEVEL_WARNING, "getxattr failed for %s:%s", 
line->fullpath, strerror(errno));
++                log_msg(LOG_LEVEL_WARNING, "lgetxattr failed for %s:%s", 
line->fullpath, strerror(errno));
+ 
+ next_attr:
+             attr += len + 1;
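Review bot: both inner hunks in xattrs2line only switch the value lookup to lgetxattr; the call that fills the name list walked by `attr += len + 1` lies outside the context shown. Please confirm it is the non-following variant (llistxattr), otherwise names enumerated from the link target would be looked up on the link itself. In the patch header, `Origin:` carries a bare commit hash; the DEP-3 form `Origin: upstream, <commit URL>` would state where the commit lives.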
diff -Nru aide-0.18.3/debian/patches/series aide-0.18.3/debian/patches/series
--- aide-0.18.3/debian/patches/series   2023-04-20 23:50:04.000000000 +0200
+++ aide-0.18.3/debian/patches/series   2023-06-14 17:04:20.000000000 +0200
@@ -1 +1,2 @@
+debian-bug-1037436
 compare-logs
diff -Nru aide-0.18.3/debian/rules aide-0.18.3/debian/rules
--- aide-0.18.3/debian/rules    2023-04-20 23:50:04.000000000 +0200
+++ aide-0.18.3/debian/rules    2023-06-14 17:04:20.000000000 +0200
@@ -33,6 +33,9 @@
 override_dh_auto_configure:
        dh_auto_configure -- $(strip ${COMMON_CONFIGURE_ARGS}) $(strip 
${EXTRA_CONFIGURE_ARGS})
 
+# make this execute_after_dh_auto_install after bookworm
 override_dh_auto_install:
        dh_auto_install
        dh_installsystemd --name=dailyaidecheck
+       # this is needed until dh compat 14
+       dh_installsysusers
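Review bot: dh_installsysusers is called after `dh_installsystemd --name=dailyaidecheck`, and debhelper appends postinst snippets in the order the helpers run, so the unit handling ends up ahead of the account creation in the generated postinst. If anything done for that unit at configure time needs _aide, call dh_installsysusers first. The two reminder comments could also say that the explicit call has to be dropped when the compat level is raised to 14.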

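The behaviour behind #1037436, shown as an added example that is not part of the original mail or of aide's code: on a symlink, getxattr() reads the attributes of the file the link points to, while lgetxattr() reads those of the link itself. It assumes Linux and a filesystem that accepts user.* attributes; the attribute name, its value and the function name are constructed for the demonstration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Constructed sample attribute; not taken from the bug report. */
#define DEMO_ATTR "user.demo"
#define DEMO_VAL  "on-target"

/* Returns 1 if getxattr() on the link yields the target's value while
 * lgetxattr() finds no such attribute on the link itself,
 * 0 on any other outcome, and -1 if the setup could not be created
 * (for example, the filesystem refuses user.* xattrs). */
int link_xattr_differs(void)
{
    char dir[] = "/tmp/xattr-demo-XXXXXX";
    char target[64], lnk[64], buf[32];
    int result = -1;

    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);

    int fd = open(target, O_CREAT | O_WRONLY | O_EXCL, 0600);
    if (fd >= 0) close(fd);
    if (fd >= 0 && symlink(target, lnk) == 0 &&
        setxattr(target, DEMO_ATTR, DEMO_VAL, strlen(DEMO_VAL), 0) == 0) {
        /* Follows the link: returns the attribute stored on the target. */
        ssize_t via_get = getxattr(lnk, DEMO_ATTR, buf, sizeof buf);
        int followed = via_get == (ssize_t)strlen(DEMO_VAL) &&
                       memcmp(buf, DEMO_VAL, (size_t)via_get) == 0;
        /* Does not follow: the link has no such attribute, the call fails. */
        ssize_t via_lget = lgetxattr(lnk, DEMO_ATTR, buf, sizeof buf);
        result = followed && via_lget == -1;
    }
    unlink(lnk); unlink(target); rmdir(dir);
    return result;
}

int main(void)
{
    printf("link_xattr_differs() = %d\n", link_xattr_differs());
    return 0;
}
```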