Bug#959157: fix for CVE-2020-1749 in linux-image-4.19.0-9 breaks wireguard

2020-06-30 Thread Timo Jyrinki
Just to tie up a loose end, it _does_ work fine on buster if you're
actually on the latest kernel. If you have a long uptime and have not
rebooted, you will have these problems when it tries to compile
wireguard for your currently used, old kernel, but there's no problem as
such with 4.19.0-9 anymore.

-Timo







Bug#959157: fix for CVE-2020-1749 in linux-image-4.19.0-9 breaks wireguard

2020-06-24 Thread Timo Jyrinki
Timo Jyrinki wrote on 18.6.2020 at 18.18:
> I managed to fix it thanks to message #34, changing 
> /usr/src/wireguard-1.0.20200520/compat/compat.h slightly and running dpkg 
> --configure -a. It built fine both against 4.19.0-6-marvell and 
> 4.19.0-9-marvell.

Likewise for 1.0.20200611-1~bpo10+1, I needed to make sure line 98 in
/usr/src/wireguard-1.0.*/compat/compat.h is in use. Then dpkg
--configure -a to finish building.

The patch from #34 is not enough for buster as it's nowadays included in
these backports.

-Timo







Bug#959157: fix for CVE-2020-1749 in linux-image-4.19.0-9 breaks wireguard

2020-06-18 Thread Timo Jyrinki

  
  
Hi,

I had this too using buster + backports:

---

DKMS make.log for wireguard-1.0.20200520 for kernel 4.19.0-6-marvell (armv5tel)
to 18.6.2020 15.12.16 +0300
make: Siirrytään hakemistoon ”/usr/src/linux-headers-4.19.0-6-marvell”
  CC [M]  /var/lib/dkms/wireguard/1.0.20200520/build/main.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20200520/build/noise.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20200520/build/device.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20200520/build/peer.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20200520/build/timers.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20200520/build/queueing.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20200520/build/send.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20200520/build/receive.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20200520/build/socket.o
/var/lib/dkms/wireguard/1.0.20200520/build/socket.c: In function ‘send6’:
/var/lib/dkms/wireguard/1.0.20200520/build/socket.c:139:20: error: ‘const struct ipv6_stub’ has no member named ‘ipv6_dst_lookup_flow’; did you mean ‘ipv6_dst_lookup’?
   dst = ipv6_stub->ipv6_dst_lookup_flow(sock_net(sock), sock, ,
^~~~
ipv6_dst_lookup
make[3]: *** [/usr/src/linux-headers-4.19.0-6-common/scripts/Makefile.build:309: /var/lib/dkms/wireguard/1.0.20200520/build/socket.o] Virhe 1
make[2]: *** [/usr/src/linux-headers-4.19.0-6-common/Makefile:1534: _module_/var/lib/dkms/wireguard/1.0.20200520/build] Virhe 2
make[1]: *** [Makefile:146: sub-make] Virhe 2
make: *** [Makefile:8: all] Virhe 2
make: Poistutaan hakemistosta ”/usr/src/linux-headers-4.19.0-6-marvell”
---

I managed to fix it thanks to message #34, changing /usr/src/wireguard-1.0.20200520/compat/compat.h slightly and running dpkg --configure -a. It built fine both against 4.19.0-6-marvell and 4.19.0-9-marvell.

-Timo


  






Bug#959157: fix for CVE-2020-1749 in linux-image-4.19.0-9 breaks wireguard

2020-05-29 Thread Magnus




Hello,
I'm experiencing the same error:
"
DKMS make.log for wireguard-1.0.20200506 for kernel 4.19.118 (x86_64)
Fri 29 May 2020 06:12:30 PM CEST
make: Entering directory '/usr/src/linux-source-4.19'
  CC [M]  /var/lib/dkms/wireguard/1.0.20200506/build/main.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20200506/build/noise.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20200506/build/device.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20200506/build/peer.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20200506/build/timers.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20200506/build/queueing.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20200506/build/send.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20200506/build/receive.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20200506/build/socket.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20200506/build/peerlookup.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20200506/build/allowedips.o
In file included from :
/var/lib/dkms/wireguard/1.0.20200506/build/socket.c: In function 
‘send6’:
/var/lib/dkms/wireguard/1.0.20200506/build/compat/compat.h:104:42: 
error: ‘const struct ipv6_stub’ has no member named ‘ipv6_dst_lookup’; 
did you mean ‘ipv6_dst_lookup_flow’?
 #define ipv6_dst_lookup_flow(a, b, c, d) ipv6_dst_lookup(a, b, , c) 
+ (void *)0 ?: dst

  ^~~
/var/lib/dkms/wireguard/1.0.20200506/build/socket.c:139:20: note: in 
expansion of macro ‘ipv6_dst_lookup_flow’

   dst = ipv6_stub->ipv6_dst_lookup_flow(sock_net(sock), sock, ,
^~~~
make[1]: *** [scripts/Makefile.build:308: 
/var/lib/dkms/wireguard/1.0.20200506/build/socket.o] Error 1

make[1]: *** Waiting for unfinished jobs
make: *** [Makefile:1537: 
_module_/var/lib/dkms/wireguard/1.0.20200506/build] Error 2

make: Leaving directory '/usr/src/linux-source-4.19'
"

I'm running Debian Buster 10.4 with a compiled kernel 4.19.118. Trying 
to install Wireguard via buster-backports.


Any ideas?

Thanks a lot!



Bug#959157: fix for CVE-2020-1749 in linux-image-4.19.0-9 breaks wireguard

2020-05-10 Thread Pyotr Son
This problem is still present in stable (buster 10.4):

kernel 4.19.0-9-amd64
wireguard-dkms 0.0.20181119-1



Bug#959157: fix for CVE-2020-1749 in linux-image-4.19.0-9 breaks wireguard

2020-05-02 Thread Thom
Package: wireguard-dkms
Followup-For: Bug #959157

Dear Maintainer,

wireguard-dkms 1.0.20200429-2 (from unstable) compiles the module successfully

so this set fixed the problem for me

$ dpkg -l | grep wireguard
ii  wireguard        1.0.20200319-1~bpo10+1  all
ii  wireguard-dkms   1.0.20200429-2          all
ii  wireguard-tools  1.0.20200319-1~bpo10+1  amd64


-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 
'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8), 
LANGUAGE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages wireguard-dkms depends on:
ii  bc    1.07.1-2+b1
ii  dkms  2.6.1-4
ii  perl  5.28.1-6

Versions of packages wireguard-dkms recommends:
ii  wireguard        1.0.20200319-1~bpo10+1
ii  wireguard-tools  1.0.20200319-1~bpo10+1

wireguard-dkms suggests no packages.

-- no debconf information



Bug#959157: fix for CVE-2020-1749 in linux-image-4.19.0-9 breaks wireguard

2020-05-02 Thread Thom
Package: wireguard-dkms
Version: 1.0.20200429-1~bpo10+1
Followup-For: Bug #959157

Dear Maintainer,

looks like the problem is still here:

$ sudo aptitude -f install
The following partially installed packages will be configured:
  wireguard wireguard-dkms 
No packages will be installed, upgraded, or removed.
0 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B of archives. After unpacking 0 B will be used.
Setting up wireguard-dkms (1.0.20200429-1~bpo10+1) ...
Removing old wireguard-1.0.20200429 DKMS files...

--
Deleting module version: 1.0.20200429
completely from the DKMS tree.
--
Done.
Loading new wireguard-1.0.20200429 DKMS files...
Building for 4.19.0-9-amd64
Building initial module for 4.19.0-9-amd64
Error! Bad return status for module build on kernel: 4.19.0-9-amd64 (x86_64)
Consult /var/lib/dkms/wireguard/1.0.20200429/build/make.log for more 
information.
dpkg: error processing package wireguard-dkms (--configure):
 installed wireguard-dkms package post-installation script subprocess returned 
error exit status 10
dpkg: dependency problems prevent configuration of wireguard:
 wireguard depends on wireguard-dkms (>= 0.0.20200121-2) | wireguard-modules 
(>= 0.0.20191219); however:
  Package wireguard-dkms is not configured yet.
  Package wireguard-modules is not installed.

dpkg: error processing package wireguard (--configure):
 dependency problems - leaving unconfigured
Errors were encountered while processing:
 wireguard-dkms
 wireguard
E: Sub-process /usr/bin/dpkg returned an error code (1)
Setting up wireguard-dkms (1.0.20200429-1~bpo10+1) ...
Removing old wireguard-1.0.20200429 DKMS files...

--
Deleting module version: 1.0.20200429
completely from the DKMS tree.
--
Done.
Loading new wireguard-1.0.20200429 DKMS files...
Building for 4.19.0-9-amd64
Building initial module for 4.19.0-9-amd64
Error! Bad return status for module build on kernel: 4.19.0-9-amd64 (x86_64)
Consult /var/lib/dkms/wireguard/1.0.20200429/build/make.log for more 
information.
dpkg: error processing package wireguard-dkms (--configure):
 installed wireguard-dkms package post-installation script subprocess returned 
error exit status 10
dpkg: dependency problems prevent configuration of wireguard:
 wireguard depends on wireguard-dkms (>= 0.0.20200121-2) | wireguard-modules 
(>= 0.0.20191219); however:
  Package wireguard-dkms is not configured yet.
  Package wireguard-modules is not installed.

dpkg: error processing package wireguard (--configure):
 dependency problems - leaving unconfigured
Errors were encountered while processing:
 wireguard-dkms
 wireguard


$ cat /var/lib/dkms/wireguard/1.0.20200429/build/make.log
DKMS make.log for wireguard-1.0.20200429 for kernel 4.19.0-9-amd64 (x86_64)
Sat May  2 16:31:27 +10 2020
make: Entering directory '/usr/src/linux-headers-4.19.0-9-amd64'
  CC [M]  /var/lib/dkms/wireguard/1.0.20200429/build/main.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20200429/build/noise.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20200429/build/device.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20200429/build/peer.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20200429/build/timers.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20200429/build/queueing.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20200429/build/send.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20200429/build/receive.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20200429/build/socket.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20200429/build/peerlookup.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20200429/build/allowedips.o
  CC [M]  /var/lib/dkms/wireguard/1.0.20200429/build/ratelimiter.o
In file included from :
/var/lib/dkms/wireguard/1.0.20200429/build/socket.c: In function 'send6':
/var/lib/dkms/wireguard/1.0.20200429/build/compat/compat.h:102:42: error: 
'const struct ipv6_stub' has no member named 'ipv6_dst_lookup'; did you mean 
'ipv6_dst_lookup_flow'?
 #define ipv6_dst_lookup_flow(a, b, c, d) ipv6_dst_lookup(a, b, , c) + 
(void *)0 ?: dst
  ^~~
/var/lib/dkms/wireguard/1.0.20200429/build/socket.c:145:20: note: in expansion 
of macro 'ipv6_dst_lookup_flow'
   dst = ipv6_stub->ipv6_dst_lookup_flow(sock_net(sock), sock, ,
^~~~
make[3]: *** 
[/usr/src/linux-headers-4.19.0-9-common/scripts/Makefile.build:308: 
/var/lib/dkms/wireguard/1.0.20200429/build/socket.o] Error 1
make[3]: *** Waiting for unfinished jobs
make[2]: *** [/usr/src/linux-headers-4.19.0-9-common/Makefile:1537: 
_module_/var/lib/dkms/wireguard/1.0.20200429/build] Error 2
make[1]: *** [Makefile:146: sub-make] Error 2
make: *** [Makefile:8: all] Error 2
make: Leaving directory '/usr/src/linux-headers-4.19.0-9-amd64'


$ uname -a
Linux hostname 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64 
GNU/Linux


-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT 

Bug#959157: fix for CVE-2020-1749 in linux-image-4.19.0-9 breaks wireguard

2020-04-30 Thread Jason A. Donenfeld
https://git.zx2c4.com/wireguard-linux-compat/commit/?id=4602590adee92557847e61c8cd14445d35fbfa2e



Bug#959157: fix for CVE-2020-1749 in linux-image-4.19.0-9 breaks wireguard

2020-04-29 Thread Luca Filipozzi
Package: wireguard
Version: 1.0.20200319-1~bpo10+1
Severity: grave

Hello wireguard package maintainer,

DSA 4667-1, a Linux security update released on 2020-04-28, includes a
fix for CVE-2020-1749 that changes ipv6_stub to use ip6_dst_lookup_flow
instead of ip6_dst_lookup.

In wireguard-linux-compat/src/compat/compat.h, the following must be
corrected such that ipv6_dst_lookup_flow is used for Debian linux kernel
4.19.0-9:

 99 #if LINUX_VERSION_CODE < KERNEL_VERSION(3, 17, 0) && LINUX_VERSION_CODE >= KERNEL_VERSION(3, 16, 83)
100 #define ipv6_dst_lookup_flow(a, b, c, d) ipv6_dst_lookup_flow(b, c, d)
101 #elif (LINUX_VERSION_CODE < KERNEL_VERSION(5, 4, 5) && LINUX_VERSION_CODE >= KERNEL_VERSION(5, 4, 0)) || (LINUX_VERSION_CODE < KERNEL_VERSION(5, 3, 18) && !defined(ISRHEL82))
102 #define ipv6_dst_lookup_flow(a, b, c, d) ipv6_dst_lookup(a, b, &dst, c) + (void *)0 ?: dst
103 #endif

Otherwise, line 102 is used and the code fails to build from source.

Thanks,

Luca

-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 
'stable'), (90, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_CA:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages wireguard depends on:
ii  wireguard-dkms   0.0.20200318-1~bpo10+1
ii  wireguard-tools  1.0.20200319-1~bpo10+1

wireguard recommends no packages.

wireguard suggests no packages.

-- no debconf information
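
The report above turns on a version-number gate in compat.h that no longer matches what the kernel headers declare once a distribution backports the CVE-2020-1749 fix. The following is an added example, not code from this thread or from WireGuard: a shell check that reads the header tree itself to see which member `struct ipv6_stub` declares. The function names, the sample header text and the two header paths (`include/net/addrconf.h`, `include/net/ipv6_stubs.h`) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from WireGuard.
# Reports which route-lookup member struct ipv6_stub declares in a kernel
# header tree, so the decision does not depend on the version number.

# stub_member FILE: look only inside the body of "struct ipv6_stub { ... };".
stub_member() {
    body=$(sed -n '/^struct ipv6_stub[[:space:]]*{/,/^};/p' "$1" 2>/dev/null)
    case $body in
        *'(*ipv6_dst_lookup_flow)'*) echo ipv6_dst_lookup_flow ;;  # post-fix API
        *'(*ipv6_dst_lookup)'*)      echo ipv6_dst_lookup ;;       # pre-fix API
        *)                           echo unknown ;;
    esac
}

# tree_member DIR: try the header paths assumed to hold the struct.
tree_member() {
    for f in "$1/include/net/ipv6_stubs.h" "$1/include/net/addrconf.h"; do
        [ -r "$f" ] || continue
        m=$(stub_member "$f")
        [ "$m" = unknown ] || { echo "$m"; return 0; }
    done
    echo unknown
}

# make_sample DIR DECL: write a constructed, minimal header tree for the demo.
make_sample() {
    mkdir -p "$1/include/net"
    printf 'struct ipv6_stub {\n\t%s\n};\n' "$2" > "$1/include/net/addrconf.h"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_sample "$tmp/pre-fix" 'int (*ipv6_dst_lookup)(struct net *net, struct sock *sk, struct dst_entry **dst, struct flowi6 *fl6);'
    make_sample "$tmp/post-fix" 'struct dst_entry *(*ipv6_dst_lookup_flow)(struct net *net, const struct sock *sk, struct flowi6 *fl6, const struct in6_addr *final_dst);'
    for t in pre-fix post-fix; do
        printf '%s headers declare: %s\n' "$t" "$(tree_member "$tmp/$t")"
    done
    rm -rf "$tmp"
}

# With an argument, inspect that header tree; without one, run the demo.
if [ -n "${1:-}" ]; then tree_member "$1"; else demo; fi
```

Run against a tree such as /usr/src/linux-headers-4.19.0-9-common, a result of `ipv6_dst_lookup_flow` means the fallback macro on line 102 must not be selected for that kernel.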