Bug#790060: jessie-pu: nbd update?
Control: tags -1 + pending

On Mon, 2015-07-27 at 23:22 +0200, Wouter Verhelst wrote:
> On Sat, Jul 25, 2015 at 05:46:15PM +0100, Adam D. Barratt wrote:
> > Control: tags -1 -moreinfo +cpnfirmed
> >
> > On Mon, 2015-07-20 at 09:51 +0200, Wouter Verhelst wrote:
> > > On Sun, Jul 19, 2015 at 04:29:30PM +0200, Julien Cristau wrote:
> > > > On Sun, Jul 19, 2015 at 14:37:57 +0200, Wouter Verhelst wrote:
> > [...]
> > > > > If you don't want me to immediately upload, what do you want me to do
> > > > > instead?
> > > > >
> > > > Send us the proposed (source) debdiff.
> > >
> > > Attached.
> >
> > Please go ahead.
>
> Uploaded.

Flagged for acceptance.

Regards,

Adam

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#790060: jessie-pu: nbd update?
On Sat, Jul 25, 2015 at 05:46:15PM +0100, Adam D. Barratt wrote:
> Control: tags -1 -moreinfo +cpnfirmed
>
> On Mon, 2015-07-20 at 09:51 +0200, Wouter Verhelst wrote:
> > On Sun, Jul 19, 2015 at 04:29:30PM +0200, Julien Cristau wrote:
> > > On Sun, Jul 19, 2015 at 14:37:57 +0200, Wouter Verhelst wrote:
> [...]
> > > > If you don't want me to immediately upload, what do you want me to do
> > > > instead?
> > > >
> > > Send us the proposed (source) debdiff.
> >
> > Attached.
>
> Please go ahead.

Uploaded.

Thanks,

-- 
It is easy to love a country that is famous for chocolate and beer
  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26

Bug#790060: jessie-pu: nbd update?
Control: tags -1 -moreinfo +cpnfirmed

On Mon, 2015-07-20 at 09:51 +0200, Wouter Verhelst wrote:
> On Sun, Jul 19, 2015 at 04:29:30PM +0200, Julien Cristau wrote:
> > On Sun, Jul 19, 2015 at 14:37:57 +0200, Wouter Verhelst wrote:
[...]
> > > If you don't want me to immediately upload, what do you want me to do
> > > instead?
> > >
> > Send us the proposed (source) debdiff.
>
> Attached.

Please go ahead.

Regards,

Adam

Bug#790060: jessie-pu: nbd update?
On Sun, Jul 19, 2015 at 04:29:30PM +0200, Julien Cristau wrote: > On Sun, Jul 19, 2015 at 14:37:57 +0200, Wouter Verhelst wrote: > > > On Sat, Jul 18, 2015 at 02:59:08PM +0100, Adam D. Barratt wrote: > > > On Sat, 2015-07-18 at 15:33 +0200, Wouter Verhelst wrote: > > > > On Sat, Jul 18, 2015 at 12:07:13PM +0100, Adam D. Barratt wrote: > > > > > That's much bigger than I was expecting given your description, and > > > > > I'm > > > > > not sure all of the changes were intended to be included. > > > > > > > > Crap. I fucked up again. Can you reject that, or is it too late? > > > > > > No problem. There's a gateway policy queue (slightly incorrectly > > > referred to as "stable-new") in front of proposed-updates which we have > > > to accept or reject packages from before they hit p-u. > > > > > > I've flagged the upload for rejection but unfortunately just missed the > > > start of the 13:52 dinstall, so it will need to wait until after that > > > for dak to notice. > > > > Thanks. > > > > If you don't want me to immediately upload, what do you want me to do > > instead? > > > Send us the proposed (source) debdiff. Attached. -- It is easy to love a country that is famous for chocolate and beer -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26 diff -u nbd-3.8/debian/changelog nbd-3.8/debian/changelog --- nbd-3.8/debian/changelog +++ nbd-3.8/debian/changelog @@ -1,3 +1,10 @@ +nbd (1:3.8-4+deb8u2) jessie; urgency=low + + * Cherry-pick two commits from 3.10 to fix authfile parsing. +Closes: #785727. + + -- Wouter Verhelst Fri, 17 Jul 2015 21:52:40 +0200 + nbd (1:3.8-4+deb8u1) jessie-security; urgency=medium * Add fix for CVE-2015-0847. Closes: #784657. only in patch2: unchanged: --- nbd-3.8.orig/nbdsrv.c +++ nbd-3.8/nbdsrv.c 
@@ -21,14 +21,14 @@ #include -bool address_matches(const char* mask, const void* addr, int af, GError** err) { +bool address_matches(const char* mask, const struct sockaddr* addr, GError** err) { struct addrinfo *res, *aitmp, hints; char *masksep; char privmask[strlen(mask)+1]; int masklen; - int addrlen = af == AF_INET ? 4 : 16; + int addrlen = addr->sa_family == AF_INET ? 4 : 16; - assert(af == AF_INET || af == AF_INET6); + assert(addr->sa_family == AF_INET || addr->sa_family == AF_INET6); strcpy(privmask, mask); @@ -50,18 +50,20 @@ } aitmp = res; while(res) { - const uint8_t* byte_s = addr; + const uint8_t* byte_s; uint8_t* byte_t; uint8_t mask = 0; int len_left = masklen; - if(res->ai_family != af) { + if(res->ai_family != addr->sa_family) { goto next; } - switch(af) { + switch(addr->sa_family) { case AF_INET: + byte_s = (const uint8_t*)(&(((struct sockaddr_in*)addr)->sin_addr)); byte_t = (uint8_t*)(&(((struct sockaddr_in*)(res->ai_addr))->sin_addr)); break; case AF_INET6: + byte_s = (const uint8_t*)(&(((struct sockaddr_in6*)addr)->sin6_addr)); byte_t = (uint8_t*)(&(((struct sockaddr_in6*)(res->ai_addr))->sin6_addr)); break; } @@ -129,8 +131,7 @@ if(!(*pos)) { continue; } - struct sockaddr* sa = (struct sockaddr*)&opts->clientaddr; - if(address_matches(line, sa->sa_data, sa->sa_family, NULL)) { + if(address_matches(line, (struct sockaddr*)&opts->clientaddr, NULL)) { fclose(f); return 1; } only in patch2: unchanged: --- nbd-3.8.orig/nbdsrv.h +++ nbd-3.8/nbdsrv.h 
@@ -123,14 +123,13 @@ * Check whether a given address matches a given netmask. * * @param mask the address or netmask to check against, in ASCII representation - * @param addr the address to check, in network byte order - * @param af the address family of the passed address (AF_INET or AF_INET6) + * @param addr the address to check * * @return true if the address matches the mask, false otherwise; in case of * failure to parse netmask, returns false with err set appropriately. * @todo decide what to do with v6-mapped IPv4 addresses. */ -bool address_matches(const char* mask, const void* addr, int af, GError** err); +bool address_matches(const char* mask, const struct sockaddr* addr, GError** err); /** * Gets a byte to allow for address masking. only in patch2: unchanged: --- nbd-3.8.orig/tests/code/clientacl.c +++ nbd-3.8/tests/code/clientacl.c @@ -31,7 +31,7 @@ &(((struct sockaddr_in*)res->ai_addr)->sin_addr),
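Review bot: The debian/changelog entry does not identify either of the "two commits" it cherry-picks, and it says they come from 3.10 while an earlier message in this thread places the fix in the 3.8..3.9 git history. Suggest citing the upstream commit ids in the entry so the stable release team can check the debdiff against exactly those two changes, which is the question that got the first upload rejected.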
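Review bot: In the first nbdsrv.c hunk (@@ -21,14), addr->sa_family is read to compute addrlen one line before the assert() that validates it, and that assert() is the only validation: there is no NULL check on addr, and with NDEBUG defined a sockaddr of any other family falls through with addrlen set to 16. Suggest replacing the assert with an explicit check at the top of address_matches() that returns false and sets err when addr is NULL or sa_family is neither AF_INET nor AF_INET6, so an access-control helper fails closed by construction rather than by build flags.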
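Review bot: In the second nbdsrv.c hunk (@@ -50,18), byte_s loses its initializer and is now assigned only inside the AF_INET and AF_INET6 cases, while switch(addr->sa_family) still has no default, so both byte_s and byte_t are uninitialized for any other family that reaches the switch. Suggest adding a default: case that jumps to next (or returns false). The new casts (struct sockaddr_in*)addr and (struct sockaddr_in6*)addr also discard the const on addr; casting to const struct sockaddr_in* and const struct sockaddr_in6* keeps the qualifier and avoids a compiler warning.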
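Review bot: At the call site in the third nbdsrv.c hunk (@@ -129,8), err is still passed as NULL, so a line in the allow file that fails to parse is indistinguishable from a line that simply does not match the client. Since the changelog describes this update as a fix for authfile parsing, suggest passing a GError here and logging the offending line. The removed lines passed sa->sa_data, which for a sockaddr_in starts at the port field rather than at the address, so a regression test that goes through this call path with a full sockaddr would be worth having; the tests/code/clientacl.c hunk is cut off on this page after its first context line, so whether it does that cannot be checked here.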
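Review bot: In the nbdsrv.h hunk, the new "@param addr the address to check" drops both constraints the old text carried (byte order and address family) without stating the new contract. Suggest documenting that addr must point to a struct sockaddr_in or struct sockaddr_in6 with sa_family set, since address_matches() asserts exactly that. The @todo about v6-mapped IPv4 addresses is left as is: with the "res->ai_family != addr->sa_family" comparison in nbdsrv.c, a client that arrives as an AF_INET6 v4-mapped address will not match an IPv4 entry in the allow file, which fails on the deny side but is worth stating in the comment.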
Bug#790060: jessie-pu: nbd update?
On Sun, Jul 19, 2015 at 14:37:57 +0200, Wouter Verhelst wrote:

> On Sat, Jul 18, 2015 at 02:59:08PM +0100, Adam D. Barratt wrote:
> > On Sat, 2015-07-18 at 15:33 +0200, Wouter Verhelst wrote:
> > > On Sat, Jul 18, 2015 at 12:07:13PM +0100, Adam D. Barratt wrote:
> > > > That's much bigger than I was expecting given your description, and I'm
> > > > not sure all of the changes were intended to be included.
> > >
> > > Crap. I fucked up again. Can you reject that, or is it too late?
> >
> > No problem. There's a gateway policy queue (slightly incorrectly
> > referred to as "stable-new") in front of proposed-updates which we have
> > to accept or reject packages from before they hit p-u.
> >
> > I've flagged the upload for rejection but unfortunately just missed the
> > start of the 13:52 dinstall, so it will need to wait until after that
> > for dak to notice.
>
> Thanks.
>
> If you don't want me to immediately upload, what do you want me to do
> instead?
>
Send us the proposed (source) debdiff.

Cheers,
Julien

Bug#790060: jessie-pu: nbd update?
On Sat, Jul 18, 2015 at 02:59:08PM +0100, Adam D. Barratt wrote:
> On Sat, 2015-07-18 at 15:33 +0200, Wouter Verhelst wrote:
> > On Sat, Jul 18, 2015 at 12:07:13PM +0100, Adam D. Barratt wrote:
> > > That's much bigger than I was expecting given your description, and I'm
> > > not sure all of the changes were intended to be included.
> >
> > Crap. I fucked up again. Can you reject that, or is it too late?
>
> No problem. There's a gateway policy queue (slightly incorrectly
> referred to as "stable-new") in front of proposed-updates which we have
> to accept or reject packages from before they hit p-u.
>
> I've flagged the upload for rejection but unfortunately just missed the
> start of the 13:52 dinstall, so it will need to wait until after that
> for dak to notice.

Thanks.

If you don't want me to immediately upload, what do you want me to do
instead?

-- 
It is easy to love a country that is famous for chocolate and beer
  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26

Bug#790060: jessie-pu: nbd update?
On Sat, 2015-07-18 at 15:33 +0200, Wouter Verhelst wrote:
> On Sat, Jul 18, 2015 at 12:07:13PM +0100, Adam D. Barratt wrote:
> > That's much bigger than I was expecting given your description, and I'm
> > not sure all of the changes were intended to be included.
>
> Crap. I fucked up again. Can you reject that, or is it too late?

No problem. There's a gateway policy queue (slightly incorrectly
referred to as "stable-new") in front of proposed-updates which we have
to accept or reject packages from before they hit p-u.

I've flagged the upload for rejection but unfortunately just missed the
start of the 13:52 dinstall, so it will need to wait until after that
for dak to notice.

Regards,

Adam

Bug#790060: jessie-pu: nbd update?
On Sat, Jul 18, 2015 at 12:07:13PM +0100, Adam D. Barratt wrote:
> That's much bigger than I was expecting given your description, and I'm
> not sure all of the changes were intended to be included.

Crap. I fucked up again. Can you reject that, or is it too late?

-- 
It is easy to love a country that is famous for chocolate and beer
  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26

Bug#790060: jessie-pu: nbd update?
On Tue, 2015-07-14 at 22:40 +0200, Wouter Verhelst wrote:
> On Tue, Jul 14, 2015 at 08:21:02PM +0100, Adam D. Barratt wrote:
> > Control: tags -1 + moreinfo
> >
> > On Fri, 2015-06-26 at 19:07 +0200, Wouter Verhelst wrote:
> > > #785727 describes a regression in the version of nbd-server in jessie
> > > wrt the one in wheezy, related to the "allow" configuration file. It's
> > > not a security-related bug (as it disallows more than it should), but
> > > it's still a problem.
[...]
> > > Is this something that would warrant a stable update?
> >
> > Potentially, but a) the metadata for #785727 implies that the bug
> > currently affects the version of nbd in unstable, which would need
> > resolving first
>
> Only because I'm lazy and didn't fix the metadata; the bug does not actually
> affect unstable, and the patch that's sent to the bug in
> <20150601152240.gc9...@lemon.iwr.uni-heidelberg.de> came from the 3.8..3.9 git
> history. I just updated the metadata.

Ok, thanks.

> > and b) we'd want to see a full debdiff for a package
> > built and tested on jessie in order to confirm.
>
> Okay, I'll work on that then.

I see that it's been uploaded already. By "see ... in order to confirm"
I meant "before upload"; apologies if that wasn't clear.

Looking at the diff that was uploaded, I do have a few questions I'm
afraid:

 ChangeLog                |   91 ++
 Makefile.in              |    4
 doc/proto.html           |  515 +
 doc/proto.markdown       |  565 +
 gznbd/Makefile.in        |  641 +++
 libcliserv.la            |   41 +++
 man/nbd-server.1.sh.in   |    5
 man/nbd-server.5.sh.in   |  105 ---
 nbd-3.8/debian/changelog |    7
 nbdsrv.c                 |   17 -
 nbdsrv.h                 |    5
 tests/code/clientacl.c   |    2

That's much bigger than I was expecting given your description, and I'm
not sure all of the changes were intended to be included.

For instance, the Changelog diff includes the release of 3.11,
doc/proto.{html,markdown} are completely new, man/nbd-server.1.sh.in
mentions a new(?) option and man/nbd-server.5.sh.in describes a
behaviour change in nbd 3.10.

Regards,

Adam

Bug#790060: jessie-pu: nbd update?
On Tue, Jul 14, 2015 at 08:21:02PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On Fri, 2015-06-26 at 19:07 +0200, Wouter Verhelst wrote:
> > #785727 describes a regression in the version of nbd-server in jessie
> > wrt the one in wheezy, related to the "allow" configuration file. It's
> > not a security-related bug (as it disallows more than it should), but
> > it's still a problem.
> >
> > I'm not sure how often the "allow" feature is used, however, and if the
> > file is not in use, nbd-server will work perfectly well. It provides
> > additional functionality above a firewall if someone would like to allow
> > access to some, but not all, exports from a particular range of IP
> > addresses; but beyond that, it's not very important.
> >
> > Is this something that would warrant a stable update?
>
> Potentially, but a) the metadata for #785727 implies that the bug
> currently affects the version of nbd in unstable, which would need
> resolving first

Only because I'm lazy and didn't fix the metadata; the bug does not actually
affect unstable, and the patch that's sent to the bug in
<20150601152240.gc9...@lemon.iwr.uni-heidelberg.de> came from the 3.8..3.9 git
history. I just updated the metadata.

> and b) we'd want to see a full debdiff for a package
> built and tested on jessie in order to confirm.

Okay, I'll work on that then.

-- 
It is easy to love a country that is famous for chocolate and beer
  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26

Bug#790060: jessie-pu: nbd update?
Control: tags -1 + moreinfo

On Fri, 2015-06-26 at 19:07 +0200, Wouter Verhelst wrote:
> #785727 describes a regression in the version of nbd-server in jessie
> wrt the one in wheezy, related to the "allow" configuration file. It's
> not a security-related bug (as it disallows more than it should), but
> it's still a problem.
>
> I'm not sure how often the "allow" feature is used, however, and if the
> file is not in use, nbd-server will work perfectly well. It provides
> additional functionality above a firewall if someone would like to allow
> access to some, but not all, exports from a particular range of IP
> addresses; but beyond that, it's not very important.
>
> Is this something that would warrant a stable update?

Potentially, but a) the metadata for #785727 implies that the bug
currently affects the version of nbd in unstable, which would need
resolving first and b) we'd want to see a full debdiff for a package
built and tested on jessie in order to confirm.

Regards,

Adam

Bug#790060: jessie-pu: nbd update?
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

#785727 describes a regression in the version of nbd-server in jessie
wrt the one in wheezy, related to the "allow" configuration file. It's
not a security-related bug (as it disallows more than it should), but
it's still a problem.

I'm not sure how often the "allow" feature is used, however, and if the
file is not in use, nbd-server will work perfectly well. It provides
additional functionality above a firewall if someone would like to allow
access to some, but not all, exports from a particular range of IP
addresses; but beyond that, it's not very important.

Is this something that would warrant a stable update?

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=nl_BE.UTF-8, LC_CTYPE=nl_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)