Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-CC: formo...@debian.org

Dear release team,

I would like to do a bugfix upload of iproute2 to buster-proposed-
updates. This would be the first upload for this source package, so
waiting for feedback before uploading.

The version would backport 3 bug fixes, which have been fixed in the
latest upstream release, and which were reported on Debian Buster by
users. They make some subcommands unusable or downright dangerous.

The first two are about fixing invalid json output - these bugs make
the affected subcommands output unusable, as consumers need valid
formatted json:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961278
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972784

The third bug is about a nasty race condition - if "ip netns add foo"
is used concurrently, it might get in a loop and create thousands of
mount points on the system, causing a self-dos.
The reporter found the issue when using the command in startup scripts
executed at boot.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949235

The fixes were validated by the reporters as well.

The source debdiff is attached.

Thank you!

--
Kind regards,
Luca Boccassi

diff -Nru iproute2-4.20.0/debian/changelog iproute2-4.20.0/debian/changelog
--- iproute2-4.20.0/debian/changelog 2019-01-10 20:04:14.0 +
+++ iproute2-4.20.0/debian/changelog 2020-12-03 18:42:49.0 +
@@ -1,3 +1,15 @@
+iproute2 (4.20.0-2+deb10u1) buster; urgency=medium
+
+ * Backport ip-route-print-route-type-in-JSON-output.patch. Fixes bug in
+json output, backported from upstream. (Closes: #961278)
+ * Backport tc-mqprio-json-ify-output.patch. Fixes bug in json output,
+backported from upstream. (Closes: #972784)
+ * Backport ip-netns-use-flock-when-setting-up-run-netns.patch. Fixes
+race condition that DOSes the system when using ip netns add at boot.
+(Closes: #949235)
+
+ -- Luca Boccassi Thu, 03 Dec 2020 18:42:49 +
+
iproute2 (4.20.0-2) unstable; urgency=medium
* Upload to unstable.
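
Review bot: Both JSON entries in the new 4.20.0-2+deb10u1 stanza say only "Fixes bug in json output" and do not name the affected output. Going by the patch names, these are the route type in `ip route` JSON and the `tc` mqprio output; stating that in each entry lets a stable user tell from the changelog whether they are affected. The stanza also lists only the three patches, while this debdiff changes debian/gbp.conf and debian/.gitlab-ci.yml as well; a one-line entry for the branch and CI switch would make the changelog match the diff.
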
diff -Nru iproute2-4.20.0/debian/gbp.conf iproute2-4.20.0/debian/gbp.conf
--- iproute2-4.20.0/debian/gbp.conf 2019-01-09 15:03:12.0 +
+++ iproute2-4.20.0/debian/gbp.conf 2020-12-03 18:42:49.0 +
@@ -1,5 +1,5 @@
[DEFAULT]
-debian-branch = master
+debian-branch = buster
upstream-branch = upstream
pristine-tar = True
compression = xz
diff -Nru iproute2-4.20.0/debian/.gitlab-ci.yml iproute2-4.20.0/debian/.gitlab-ci.yml
--- iproute2-4.20.0/debian/.gitlab-ci.yml 2019-01-09 15:03:12.0 +
+++ iproute2-4.20.0/debian/.gitlab-ci.yml 2020-12-03 18:42:49.0 +
@@ -1,17 +1,8 @@
-include: https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
-
-build:
-extends: .build-unstable
-
-reprotest:
-extends: .test-reprotest
-
-lintian:
-extends: .test-lintian
-
-autopkgtest:
-extends: .test-autopkgtest
-
-piuparts:
-extends: .test-piuparts
-
+---
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+ RELEASE: 'buster'
+ SALSA_CI_DISABLE_REPROTEST: 1
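
Review bot: `SALSA_CI_DISABLE_REPROTEST: 1` drops the reprotest job that the old file ran, and neither this file nor the changelog stanza says why. Add a YAML comment giving the reason it is disabled for buster, so it is not mistaken for an oversight later. Both `include:` URLs also still track `raw/master` of the salsa-ci-team pipeline, so the jobs run for this stable branch will change whenever that repository does.
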
diff -Nru iproute2-4.20.0/debian/patches/ip-netns-use-flock-when-setting-up-run-netns.patch iproute2-4.20.0/debian/patches/ip-netns-use-flock-when-setting-up-run-netns.patch
--- iproute2-4.20.0/debian/patches/ip-netns-use-flock-when-setting-up-run-netns.patch 1970-01-01 01:00:00.0 +0100
+++ iproute2-4.20.0/debian/patches/ip-netns-use-flock-when-setting-up-run-netns.patch 2020-12-03 18:42:49.0 +
@@ -0,0 +1,86 @@
+Origin: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=975c4944e8d57b9f51960611e2bc2c0da6cd6864
+Bug-Debian: https://bugs.debian.org/949235
+Description: ip/netns: use flock when setting up /run/netns
+ If multiple ip processes are ran at the same time to set up
+ separate network namespaces, and it is the first time so /run/netns
+ has to be set up first, and they end up doing it at the same time,
+ the processes might enter a recursive loop creating thousands of
+ mount points, which might crash the system depending on resources
+ available.
+ Try to take a flock on /run/netns before doing the mount() dance, to
+ ensure this cannot happen. But do not try too hard, and if it fails
+ continue after printing a warning, to avoid introducing regressions.
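
Review bot: The last paragraph of the Description makes the lock best-effort: if the flock on /run/netns cannot be taken, the code warns and continues into the mount() sequence, so the race from #949235 stays open on exactly that path. That is a reasonable trade-off for a stable update, but the description or the changelog entry should say so explicitly and say what the warning means, so that someone who sees it in boot logs knows the protection did not apply for that run.
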
+--- a/ip/ipnetns.c
b/ip/ipnetns.c
+@@ -1,5 +1,6 @@
+ /* SPDX-License-Identifier: GPL-2.0 */
+ #define _ATFILE_SOURCE
++#include
+ #include
+ #include
+ #include
+@@ -645,6 +646,7 @@
+ char netns_path[PATH_MAX];
+ const char *name;
+ int fd;
++ int lock;
+ int made_netns_run_dir_mount = 0;
+
+ if (argc < 1) {
+@@ -663,12 +665,37 @@
+ * namespace file in one namespace will unmount the network namespace
+ * file in all namespaces allowing the network namespace