Re: isc-dhcp-server in squeeze-lst broken after update

To: Ben Hutchings <ben@decadent.org.uk>
Cc: Olivier Dousse <odousse@me.com>, debian-lts@lists.debian.org
Subject: Re: isc-dhcp-server in squeeze-lst broken after update
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date: Mon, 18 Jan 2016 05:08:42 +0000
Message-id: <[🔎] 20160118050842.Horde.surcg1drFE8N2N0DXApR9_x@mail.das-netzwerkteam.de>
In-reply-to: <[🔎] 1453070539.2519.93.camel@decadent.org.uk>
References: <[🔎] EA6F438C-F9F4-43EE-BBE5-E64CDC14086D@me.com> <[🔎] 1453070539.2519.93.camel@decadent.org.uk>

Hi Ben, hi all,

On  So 17 Jan 2016 23:42:19 CET, Ben Hutchings wrote:

On Sun, 2016-01-17 at 13:10 +0100, Olivier Dousse wrote:

Hi Mike,

I have the exact same problem on my server. I simply upgraded from
4.1.1-P1-15+squeeze8 to 4.1.1-P1-15+squeeze9.
Given the patch you attached, this is very strange. But after
downgrading back to 4.1.1-P1-15+squeeze8, everything was fine again.
So there seems to be indeed a (critical) issue with 4.1.1-P1-
15+squeeze9, as it basically breaks the DHCP server.


I can't see anything wrong with the patch, so I wonder whether there
was something wrong with the build environment.

The package has been source-built on Debian jessie (debuild -uc -us-S) and then binary-built with sbuild in a squeeze-lts (not squeeze)chroot.

I have checked my build log again. It seems that the CFLAGS specifiedin debian/rules do not get exported properly to the build environmentand thus are not used at build time:


""" (from +squeeze9 build log)
[...]
Making all in server
make[2]: Entering directory `/«PKGBUILDDIR»/server'

gcc -DHAVE_CONFIG_H -I. -I../includes -I.. -DLOCALSTATEDIR='"/var"'-g -O2 -Wall -Werror -fno-strict-aliasing -MT dhcpd.o -MD -MP -MF.deps/dhcpd.Tpo -c -o dhcpd.o dhcpd.c

[...]
"""

When adding "export CFLAGS" at the end of the CFLAGS declarations indebian/rules, I get this:


""" (from upcoming +squeeze10 build log)
[...]
make[1]: Entering directory `/«PKGBUILDDIR»/server'

gcc -DHAVE_CONFIG_H -I. -I../includes -I.. -DLOCALSTATEDIR='"/var"'-DLDAP_DEPRECATED -Wall -g -O2-D_PATH_DHCLIENT_SCRIPT='"/sbin/dhclient-script"'-D_PATH_DHCPD_CONF='"/etc/dhcp/dhcpd.conf"'-D_PATH_DHCLIENT_CONF='"/etc/dhcp/dhclient.conf"' -DNOMINUM -MTdhcpd-dhcpd.o -MD -MP -MF .deps/dhcpd-dhcpd.Tpo -c -o dhcpd-dhcpd.o`test -f 'dhcpd.c' || echo './'`dhcpd.c

[...]
"""

I wonder why this has been working in the first place.

Additionally, the patch is *not* being applied isc-dhcp-server.  It is
only applied when building isc-dhcp-server-ldap (see the commands for
the build-stamp target).  It needs to be moved further up the patch
series.

Oh wow... Thanks for spotting this. I am currenly preparing a+squeeze10 revision upload, but I'd really like to get the dhcpd.confissue sorted out and addressed with next upload first.



I will upload +squeeze10 with attached .debdiff later today.

Any feedback on the provided .debdiff is welcome.

Thanks+Greets,
Mike

--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de

diff -u isc-dhcp-4.1.1-P1/debian/rules isc-dhcp-4.1.1-P1/debian/rules
--- isc-dhcp-4.1.1-P1/debian/rules
+++ isc-dhcp-4.1.1-P1/debian/rules
@@ -37,6 +37,8 @@
 CFLAGS += -D_PATH_DHCLIENT_CONF='"/etc/dhcp/dhclient.conf"'
 CFLAGS += -DNOMINUM
 
+export CFLAGS
+
 patched-ldap/build-stamp:
 	dh_testdir
 
diff -u isc-dhcp-4.1.1-P1/debian/changelog isc-dhcp-4.1.1-P1/debian/changelog
--- isc-dhcp-4.1.1-P1/debian/changelog
+++ isc-dhcp-4.1.1-P1/debian/changelog
@@ -1,3 +1,16 @@
+isc-dhcp (4.1.1-P1-15+squeeze10) squeeze-lts; urgency=medium
+
+  * Non-maintainer upload by the Debian LTS Team (regression fix).
+  * debian/patches:
+    + Move CVE-2015-8605.dpatch further up in the patch series. Assure that
+      the patch is applied to the non-LDAP build variant. Thanks to Ben
+      Hutchings for spotting this.
+  * debian/rules:
+    + Export CFLAGS before build. Make sure that our Debianic path definitions
+      end-up in the binary builds of isc-dhcp-server*.
+
+ -- Mike Gabriel <sunweaver@debian.org>  Mon, 18 Jan 2016 05:19:44 +0100
+
 isc-dhcp (4.1.1-P1-15+squeeze9) squeeze-lts; urgency=medium
 
   * Non-maintainer upload by the Debian LTS Team.
diff -u isc-dhcp-4.1.1-P1/debian/patches/00list isc-dhcp-4.1.1-P1/debian/patches/00list
--- isc-dhcp-4.1.1-P1/debian/patches/00list
+++ isc-dhcp-4.1.1-P1/debian/patches/00list
@@ -17,6 +17,7 @@
 security-20110810
 CVE-2012-3571_CVE-2012-3954
 CVE-2011-4539_CVE-2012-3955
+CVE-2015-8605
 
 # must be applied before the LDAP stuff
 no-libcrypto
@@ -26,6 +27,4 @@
 dhcp-4.1.0-ldap-code
 
-CVE-2015-8605
-
 # fix build when gcc option -Werror is used
 drop_unused_vars_from_ldap-c.dpatch

Attachment: pgp1NVvOEiBmG.pgp
Description: Digitale PGP-Signatur

Reply to:

Follow-Ups:
- Re: isc-dhcp-server in squeeze-lst broken after update
  - From: Ben Hutchings <ben@decadent.org.uk>

References:
- Re: Re: isc-dhcp-server in squeeze-lst broken after update
  - From: Olivier Dousse <odousse@me.com>
- Re: Re: isc-dhcp-server in squeeze-lst broken after update
  - From: Ben Hutchings <ben@decadent.org.uk>

Prev by Date: Re: Re: isc-dhcp-server in squeeze-lst broken after update
Next by Date: Re: squeeze update of librsvg?
Previous by thread: Re: Re: isc-dhcp-server in squeeze-lst broken after update
Next by thread: Re: isc-dhcp-server in squeeze-lst broken after update
Index(es):
- Date
- Thread