Hi release team,

I already asked for an unblock for avahi 0.6.23-2 some time ago [1].
The debdiff between 0.6.22-3 and 0.6.23-2 has already been reviewed, and the only
major complaint then was that, during an upgrade, the sysv init script update
procedure re-enabled a disabled service [2]. I tried to address that in
0.6.23-4. The other changes, from what I remember, were considered ok.

So what remains to review are the changes between 0.6.23-2 and 0.6.23-4, one of
them containing a security fix (CVE-2008-5081) which would be good to have in
lenny.

The changelog is:

avahi (0.6.23-4) unstable; urgency=low

  * debian/avahi-{daemon,dnsconfd}.postinst
    - When upgrading the init script priorities, check if the service is
      enabled for the default runlevel before removing the old init script
      symlinks to avoid accidentally re-enabling it. (Closes: #499815)

 -- Michael Biebl <biebl@debian.org>  Wed, 14 Jan 2009 23:22:59 +0100

avahi (0.6.23-3) unstable; urgency=low

  [ Loic Minier ]
  * Generate a POT file during build; helps downstreams such as Ubuntu import
    an always up-to-date pot, even we patch the source of upstream forgets to
    do so; from Ubuntu; thanks Martin Pitt; closes: #486908.

  [ Michael Biebl ]
  * debian/avahi-daemon-check-dns.sh
    - Fix quoting error in dns_has_local().
      Thanks to James Westby for the patch. (Closes: #492466)

  [ Sjoerd Simons ]
  * debian/patches/14_CVE-2008-5081.patch
    - Added. Don't abort on receiving an UDP packet with a source port of zero.
      Fixes CVE-2008-5081 (Closes: #508700)

 -- Sjoerd Simons <sjoerd@debian.org>  Sun, 14 Dec 2008 19:39:58 +0000

The complete debdiff between 0.6.23-2 and 0.6.23-4 is attached.

The only problem is that libdaemon, one of the build-deps, has bumped shlibs in
unstable.
So if the release team acks these changes, I'd re-upload -4 as -3lenny1 with
target testing-proposed-updates to t-p-u. I hope this is the correct approach.
If not, please advise.

Cheers,
Michael

[1] http://lists.debian.org/debian-release/2008/08/msg00691.html
[2] http://lists.debian.org/debian-release/2008/08/msg01097.html
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
Index: debian/avahi-dnsconfd.postinst
===================================================================
--- debian/avahi-dnsconfd.postinst (Revision 2344)
+++ debian/avahi-dnsconfd.postinst (Revision 2749)
@@ -5,7 +5,8 @@
# update init script symlinks for new runlevels and priorities for upgrades
# from older versions
-if [ "$1" = configure ] && dpkg --compare-versions "$2" lt-nl 0.6.22-4; then
+if [ "$1" = configure ] && dpkg --compare-versions "$2" lt-nl 0.6.22-4 && \
+ [ -e /etc/rc2.d/S??avahi-dnsconfd ]; then
echo "Reinstalling init script for new runlevels and priorities ..." >&2
# remove old init script symlinks; dh_installinit adds the proper
# update-rc.d snippet later on
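Review bot: the added test `[ -e /etc/rc2.d/S??avahi-dnsconfd ]` leaves the glob unquoted inside `[`, so it only behaves as intended when exactly zero or one symlink matches. If two links match (for example a leftover link at a different priority), `[` receives several arguments, prints an error and returns non-zero, and the branch is skipped as though the service were disabled. A small loop over the matches, or `ls /etc/rc2.d/S??avahi-dnsconfd >/dev/null 2>&1`, would treat zero, one and many matches consistently.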
Index: debian/avahi-daemon.postinst
===================================================================
--- debian/avahi-daemon.postinst (Revision 2344)
+++ debian/avahi-daemon.postinst (Revision 2749)
@@ -33,7 +33,8 @@
# update init script symlinks for new runlevels and priorities for upgrades
# from older versions
- if dpkg --compare-versions "$2" lt-nl 0.6.22-4; then
+ if dpkg --compare-versions "$2" lt-nl 0.6.22-4 && \
+ [ -e /etc/rc2.d/S??avahi-daemon ]; then
echo "Reinstalling init script for new runlevels and priorities ..." >&2
# remove old init script symlinks; dh_installinit adds the proper
# update-rc.d snippet later on
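Review bot: the new condition on `/etc/rc2.d/S??avahi-daemon` hard-codes runlevel 2 as "the default runlevel" and the hunk carries no comment saying so. On a system whose default runlevel is not 2, or where the admin removed the start link only in runlevel 2, the upgrade silently skips the reinstall and the old priorities stay in place. Please add a comment above the `if` stating that a missing S link in rc2.d is taken to mean "disabled by the admin", and consider determining the default runlevel rather than fixing it to 2.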
Index: debian/rules
===================================================================
--- debian/rules (Revision 2344)
+++ debian/rules (Revision 2749)
@@ -37,10 +37,17 @@
debian/libavahi-glib1/usr/lib \
debian/libavahi-ui0/usr/lib
-#ensure that ServiceTypeDatabase.py is regenerated
+# ensure that ServiceTypeDatabase.py is regenerated
pre-build::
- -rm -f avahi-python/avahi/ServiceTypeDatabase.py
+ -rm -f avahi-python/avahi/ServiceTypeDatabase.py
+common-build-arch::
+ # create an up to date PO template
+ cd po; intltool-update -p --verbose
+
+clean::
+ rm -f po/*.pot
+
binary-install/avahi-discover::
dh_pysupport -p$(cdbs_curpkg)
rm -f debian/tmp/usr/lib/python*/site-packages/avahi/*.py[co]
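Review bot: in the new `common-build-arch::` rule, `cd po; intltool-update -p --verbose` joins the two commands with `;`, so if `cd po` fails, intltool-update still runs in the top-level directory and the rule's exit status comes from the second command only. Use `cd po && intltool-update -p --verbose`. The rule also makes the build depend on intltool-update being installed; no debian/control change is visible in this debdiff, so please confirm the build dependency is already declared.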
Index: debian/patches/14_CVE-2008-5081.patch
===================================================================
--- debian/patches/14_CVE-2008-5081.patch (Revision 0)
+++ debian/patches/14_CVE-2008-5081.patch (Revision 2749)
@@ -0,0 +1,27 @@
+commit 3093047f1aa36bed8a37fa79004bf0ee287929f4
+Author: Lennart Poettering <lennart@poettering.net>
+Date: Thu Dec 11 20:57:45 2008 +0100
+
+ Don't get confused by UDP packets with a source port that is zero
+
+ This is a fix for rhbz 475394.
+
+ Problem identified by Hugo Dias.
+
+diff --git a/avahi-core/server.c b/avahi-core/server.c
+index c4980af..11ab6cf 100644
+--- a/avahi-core/server.c
++++ b/avahi-core/server.c
+@@ -898,6 +898,12 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres
+ return;
+ }
+
++ if (port <= 0) {
++ /* This fixes RHBZ #475394 */
++ avahi_log_warn("Received packet from invalid source port.");
++ return;
++ }
++
+ if (avahi_address_is_ipv4_in_ipv6(src_address))
+ /* This is an IPv4 address encapsulated in IPv6, so let's ignore it. */
+ return;
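Review bot: the new `if (port <= 0)` branch calls `avahi_log_warn` once for every offending packet, so a host on the link that keeps sending such packets can fill the log at warn level; logging this at a lower level or limiting the rate would keep the fix without that side effect. The in-code comment only cites "RHBZ #475394"; a short sentence saying why a zero source port must be dropped before further dispatch (the changelog says the daemon aborted) would help the next reader. The declaration of `port` is not visible in the hunk: if it is unsigned, `<= 0` is equivalent to `== 0` and could be written that way.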
Index: debian/avahi-daemon-check-dns.sh
===================================================================
--- debian/avahi-daemon-check-dns.sh (Revision 2344)
+++ debian/avahi-daemon-check-dns.sh (Revision 2749)
@@ -45,7 +45,7 @@
dns_has_local() {
# Some magic to do tests
- if [ -n ${FAKE_HOST_RETURN} ] ; then
+ if [ -n "${FAKE_HOST_RETURN}" ] ; then
if [ "${FAKE_HOST_RETURN}" = "true" ]; then
return 0;
else
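Review bot: the comment at the top of `dns_has_local()`, "Some magic to do tests", does not say that `FAKE_HOST_RETURN` is an override read from the environment, which matters now that the quoted `[ -n "${FAKE_HOST_RETURN}" ]` makes the branch depend on the variable actually being set (the unquoted form was true even when it was empty). Please document the variable and its accepted values in that comment, and consider unsetting it or ignoring it outside test runs so a stray environment value cannot change the result of the real DNS check.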
Index: debian/changelog
===================================================================
--- debian/changelog (Revision 2344)
+++ debian/changelog (Revision 2749)
@@ -1,3 +1,31 @@
+avahi (0.6.23-4) unstable; urgency=low
+
+ * debian/avahi-{daemon,dnsconfd}.postinst
+ - When upgrading the init script priorities, check if the service is
+ enabled for the default runlevel before removing the old init script
+ symlinks to avoid accidentally re-enabling it. (Closes: #499815)
+
+ -- Michael Biebl <biebl@debian.org> Wed, 14 Jan 2009 23:22:59 +0100
+
+avahi (0.6.23-3) unstable; urgency=low
+
+ [ Loic Minier ]
+ * Generate a POT file during build; helps downstreams such as Ubuntu import
+ an always up-to-date pot, even we patch the source of upstream forgets to
+ do so; from Ubuntu; thanks Martin Pitt; closes: #486908.
+
+ [ Michael Biebl ]
+ * debian/avahi-daemon-check-dns.sh
+ - Fix quoting error in dns_has_local().
+ Thanks to James Westby for the patch. (Closes: #492466)
+
+ [ Sjoerd Simons ]
+ * debian/patches/14_CVE-2008-5081.patch
+ - Added. Don't abort on receiving an UDP packet with a source port of zero.
+ Fixes CVE-2008-5081 (Closes: #508700)
+
+ -- Sjoerd Simons <sjoerd@debian.org> Sun, 14 Dec 2008 19:39:58 +0000
+
avahi (0.6.23-2) unstable; urgency=low
* debian/control
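Review bot: the 0.6.23-3 entry is marked `urgency=low` although it adds the fix for CVE-2008-5081; an upload carrying a security fix would normally use a higher urgency so that it migrates faster, and the re-upload for testing-proposed-updates is a chance to correct that. In the same entry, "even we patch the source of upstream forgets to do so" looks like it is missing words ("even if we patch the source or upstream forgets"), which is worth fixing since the changelog is the permanent record.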