
Bug#931416: marked as done (klibc-utils: ipconfig denial of service when IP nameservers are configured on the kernel command line)



Your message dated Fri, 21 Aug 2020 00:48:48 +0000
with message-id <E1k8vEe-0007hE-T7@fasolo.debian.org>
and subject line Bug#931416: fixed in klibc 2.0.8-1
has caused the Debian Bug report #931416,
regarding klibc-utils: ipconfig denial of service when IP nameservers are configured on the kernel command line
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
931416: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931416
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---

Package: klibc-utils
Version: 2.0.4-9
Severity: normal

Dear Maintainers,

It appears to me that there is a misalignment between initramfs network configuration scripts and tools in Debian and the Kernel nfsroot documentation, which results in a Denial of Service (networking unavailability) in the initramfs environment, if a Debian user configures the kernel command line as per the kernel docs.

 

In the initramfs-tools-core==0.130 package, there is a file /usr/share/initramfs-tools/scripts/functions, which contains a configure_networking() function. This function claims to `support ip options, see linux sources Documentation/filesystems/nfs/nfsroot.txt`. This function does not perform network configuration on its own; it uses an ipconfig tool from the klibc-utils package.

 

When checking the latest nfsroot.txt at https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt, it appears to me that the latest syntax of the ip= parameter supports also DNS and NTP servers. Copying and pasting for your reference:

        ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns0-ip>:<dns1-ip>:<ntp0-ip>

 

On the other hand, the ipconfig utility, at least the version in package klibc-utils==2.0.4-9, does seem to support neither the DNS nor NTP options. Copying from https://salsa.debian.org/kernel-team/klibc/blob/master/usr/kinit/ipconfig/README.ipconfig and pasting here:

        <client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>
 

In general, it is quite hard to find this discrepancy as Google does not usually hint you at the klibc-utils package sources/readme.

If one uses static IP configuration with even a single DNS IP to the kernel command line, e.g.:

ip=192.0.2.2::192.0.2.1:255.255.255.0:my.host.name.com:eth0:none:8.8.8.8

the ipconfig utility fails to configure networking completely, resulting in no networking in the initramfs environment.

 

I believe the ipconfig utility should be fixed:

  • to be in line with nfsroot.txt (supporting DNS and possibly even NTP configuration)
  • not to fail if additional parameters are even introduced by the kernel developers and passed in on the command line by Debian users

 

It is true that this should be primarily handled upstream, however it is not clear to me how to report this issue to upstream, more specifically who is the upstream maintainer of this package.

 

(Also, there is currently no initramfs networking support for IPv6, the current internet protocol; there is a separate bug report/feature request for this, 627164.)

 

Thank you for your attention to this issue.

 

With kind regards,

Radek Zajic

 

-- System Information:
Debian Release: 9.9
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/12 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages klibc-utils depends on:
ii  libklibc  2.0.4-9

klibc-utils recommends no packages.

klibc-utils suggests no packages.

-- no debconf information


--- End Message ---
--- Begin Message ---
Source: klibc
Source-Version: 2.0.8-1
Done: Ben Hutchings <benh@debian.org>

We believe that the bug you reported is fixed in the latest version of
klibc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 931416@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Hutchings <benh@debian.org> (supplier of updated klibc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 21 Aug 2020 01:34:13 +0100
Source: klibc
Architecture: source
Version: 2.0.8-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Ben Hutchings <benh@debian.org>
Closes: 931416 957405 959070
Changes:
 klibc (2.0.8-1) unstable; urgency=medium
 .
   [ Ben Hutchings ]
   * New upstream version:
     - ipconfig: Ignore NTP server address and any additional fields
       (Closes: #931416)
     - Kbuild: Add "-fcommon" for clang builds (Closes: #957405)
     - Kbuild: Add a per-architecture option to disable exectable stacks
     - arch: Explicitly disable or enable executable stacks (Closes: #959070)
   * debian/control: Use my debian.org email in Uploaders field
   * Use debhelper compatibility level 12:
     - Build-Depend on debhelper-compat and remove debian/compat
     - debian/klibc-utils.triggers: Delete as redundant
   * debian/rules: Really disable stripping libc.so in libklibc-dev
 .
   [ Debian Janitor ]
   * Trim trailing whitespace.
   * Set upstream metadata fields: Repository.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
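
The tolerant parsing that the report asks for and the 2.0.8 changelog entry describes, as an added example that is not klibc's code and not part of either message. `parse_ip_param` and `struct ip_param` are hypothetical names, the field order is the nfsroot.txt syntax quoted in the report, and IPv4-style values without embedded colons are assumed.

```c
#include <stdio.h>
#include <string.h>

/* Field order of ip= as quoted from nfsroot.txt in the report. */
enum { F_CLIENT, F_SERVER, F_GW, F_NETMASK, F_HOSTNAME, F_DEVICE,
       F_AUTOCONF, F_DNS0, F_DNS1, F_NTP0, F_COUNT };

struct ip_param {                /* hypothetical type for this example */
    char field[F_COUNT][64];     /* empty string means the field was omitted */
    int extra;                   /* trailing fields past ntp0, skipped */
};

/* Hypothetical helper: parse the value of ip= (text after "ip=").
 * Returns 0 on success, -1 if a known field does not fit its buffer.
 * Fields beyond the known ones are counted and ignored instead of
 * making the whole configuration fail. */
int parse_ip_param(const char *value, struct ip_param *out)
{
    const char *p = value;
    int idx = 0;

    memset(out, 0, sizeof(*out));            /* also NUL-terminates fields */
    for (;;) {
        size_t len = strcspn(p, ":");        /* length up to next ':' or end */

        if (idx < F_COUNT) {
            if (len >= sizeof(out->field[0]))
                return -1;                   /* bounded copy, never overflow */
            memcpy(out->field[idx], p, len);
        } else {
            out->extra++;                    /* unknown future field: skip */
        }
        idx++;
        if (p[len] == '\0')
            return 0;
        p += len + 1;                        /* step over the ':' */
    }
}

int main(void)
{
    /* Value from the report: the 7 README.ipconfig fields plus dns0. */
    const char *v = "192.0.2.2::192.0.2.1:255.255.255.0:my.host.name.com:eth0:none:8.8.8.8";
    struct ip_param c;

    if (parse_ip_param(v, &c) != 0)
        return 1;
    printf("device=%s autoconf=%s dns0=%s ignored=%d\n",
           c.field[F_DEVICE], c.field[F_AUTOCONF], c.field[F_DNS0], c.extra);
    return 0;
}
```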
