Xen 4.1.6.1 backport + Ubuntu patches ready for testing (take 3)



Hi,

TL;DR: debdiff below, features only changes to debian/changelog and
debian/patches (apart from the upstream upgrade of course). Binary
packages in:

         https://people.debian.org/~anarcat/debian/wheezy-lts/

Long story follows...

So I *believe* I have correctly completed the backport of the Xen
4.1.6.1 release into wheezy, and successfully incorporated the Ubuntu
patches in there as well.

As mentioned before, I imported the tarball from upstream and verified
the PGP signature, so that bit is okay.

However, the qemu directory was missing from the upstream tarball and at
first, I had no idea where that tarball comes from. It turns out that
Xen builds that tarball from scratch during build, based on a git
tag. With the aid of diffoscope and the git repository, i was able to
establish with enough confidence that the tarball is correct,
however. Hint: the tarball is not built reproducibly, but can be fairly
confidently reproduced with:

   git archive --prefix qemu/ xen-4.1.6.1 | gzip -n -c > ../qemu-xen-4.1.6.1.tgz

This causes problems porting patches from Ubuntu, as the Ubuntu "qemu"
tarball is based on the HEAD of the git repository instead of the
4.1.6.1 tag.

Patches from Ubuntu missing in Debian were identified with this hackish
script.

#!/bin/bash

deb="debian/patches"
ubuntu="../xen-4.1.6.1-ubuntu/debian/patches"

# I know about filterdiff, but it doesn't seem to take into account
# missing files and just ignores them, while it's precisely what I want.
#
# Since we care only about security issues, we only looked at the "xsa"
# patches, the other are "functional" patches regarding regular packaging
# for which we want to keep the Debian-specific material. I haven't
# reviewed those patches explicitly, but others are welcome to.
#
# "diff -rq" prints "Only in <dir>: <file>" for a patch present on one
# side only; the last field of that line is the file name.
for patch in $(diff -rq "$deb" "$ubuntu" | grep ubuntu/debian | awk '{print $NF}' | grep -i xsa ); do
    # e.g. xsa123-4.1.patch -> 123
    xsa=$(echo "$patch" | sed 's/-.*//;s/[^0-9]*//g')
    printf '%s' "ubuntu patch $patch is XSA$xsa and ..."
    # map the XSA number to its CVE ids through the upstream advisory text
    CVEs=$(curl -s "http://xenbits.xen.org/xsa/advisory-$xsa.txt" | grep CVE- | sed 's/^.*\(CVE-[0-9]*-[0-9]*\).*$/\1/' | sort -u)
    echo $CVEs
    for CVE in $CVEs ; do
        if ls "$deb"/"$CVE"* > /dev/null 2>&1; then
            echo "patch for $CVE exists in" "$deb"/"$CVE"*
            diff -q "$ubuntu/$patch" "$deb"/"$CVE"*
        else
            echo "patch for XSA$xsa ($ubuntu/$patch) not found in $deb/$CVE*"
        fi
    done
done

From there, I used some Emacs macros to filter the data and extract a
list of CVE/XSA matches for the changelog, and imported everything using
quilt import. I had to mess around with the order for xsa162 because it
depends on some other CVEs we have implemented separately.

The Ubuntu patch names were kept to avoid any further deviance from
Ubuntu in case we need to merge again, and to facilitate them merging
with us. It breaks the existing convention in the Debian side of things,
but I think it's for the best. 

Note that the XSA154, XSA155, XSA159, XSA167, XSA168, XSA169 and
XSA170 patches could be of interest for sid as well, as we are marked
unfixed there. Although it would probably be better to upgrade to 4.6.1
in sid and there *are* patches for all of this in jessie, some of the
above have no official release with a fix.

Rerolling the patches was a significant pain in the butt, but I think it
was worth it in the end. Note that the qemu release shipped in there is
prehistoric: even older than the qemu shipped with wheezy itself. We
also missed a bunch of CVEs that were affecting Xen but only marked as
affecting qemu in our trackers. I have updated the trackers accordingly.

The debdiff is surprisingly large (18MB?!), so I uploaded it on
people.debian.org as well:

https://people.debian.org/~anarcat/debian/wheezy-lts/xen_4.1.6.1-1+deb7u1.debdiff

Not sure why the debdiff is larger than either tarball, go figure.

The diff only includes changes to debian/patches and the changelog,
apart of course from the upstream changes:

$ filterdiff --include='xen-4.1.4/debian/*' --exclude='xen-4.1.4/debian/patches/*' xen_4.1.6.1-1+deb7u1.debdiff | diffstat
 debian/changelog |   75 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 75 insertions(+)

Also note that a few of the patches have what seem to be trivial changes
between the releases. I had to refresh a bunch of patches to make
dpkg-source happy. And a few patches were simply removed because they
were already upstream. The changelog has the details about the patch
changes (except some refreshes).

The next step here is testing, obviously. I have deployed this on a test
server just to see if the thing installs correctly, but more testers
would of course be appreciated!

Then the security tracker will need a shakedown to update all the bits
and pieces that were changed by this, once the package is uploaded.

A, who has learned more quilt commands than ever and enjoys the
performance of debomatic!

-- 
Twenty years from now you will be more disappointed by the things that
you didn't do than by the ones you did do. So throw off the bowlines.
Sail away from the safe harbor. Catch the trade winds in your sails.
Explore. Dream. Discover.
                         - Mark Twain
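
An added example, not from the mail above nor from the Xen or Debian
packaging, of the check the qemu tarball paragraph calls for. gzip
embeds a timestamp and file name in its header, so a tarball rebuilt
from the git tag will not be byte-identical to the shipped one; what
can be verified is that the extracted trees match. The tree and the
two archives below are constructed for the demo (in real use the inputs
would be the shipped qemu-xen-4.1.6.1.tgz and the output of the git
archive command); the function name tgz_same_contents is my own.

```shell
#!/bin/sh
# Added example: content-level comparison of two .tgz archives whose
# compressed bytes differ only in gzip header metadata.
set -eu

# Decompress both archives into scratch directories and diff the trees.
# Returns 0 when the extracted contents are identical, 1 otherwise.
tgz_same_contents() {
    tsc_work=$(mktemp -d)
    mkdir "$tsc_work/a" "$tsc_work/b"
    gzip -dc "$1" | tar -xf - -C "$tsc_work/a"
    gzip -dc "$2" | tar -xf - -C "$tsc_work/b"
    if diff -r "$tsc_work/a" "$tsc_work/b" > /dev/null; then
        rm -rf "$tsc_work"
        return 0
    fi
    rm -rf "$tsc_work"
    return 1
}

# Constructed sample tree (stands in for the qemu/ checkout).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/qemu/hw"
printf 'int main(void) { return 0; }\n' > "$demo_dir/qemu/hw/xen_machine.c"
( cd "$demo_dir" && tar -cf qemu.tar qemu )

# Same tar stream compressed twice: once with gzip's default header
# (original name and mtime stored), once with -n as in the git archive
# reproduction command.  Bytes differ, contents do not.
gzip -c "$demo_dir/qemu.tar" > "$demo_dir/shipped.tgz"
gzip -n -c < "$demo_dir/qemu.tar" > "$demo_dir/rebuilt.tgz"

if cmp -s "$demo_dir/shipped.tgz" "$demo_dir/rebuilt.tgz"; then
    echo "compressed bytes identical"
else
    echo "compressed bytes differ (gzip header metadata)"
fi
if tgz_same_contents "$demo_dir/shipped.tgz" "$demo_dir/rebuilt.tgz"; then
    echo "extracted trees identical"
else
    echo "extracted trees DIFFER"
fi
```

Running it prints that the compressed bytes differ while the extracted
trees are identical, which is the confidence level the mail describes:
the reproduced archive is not bit-for-bit the shipped one, but it
carries the same files. diffoscope gives the same answer with a
readable report of where the gzip headers diverge.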
