Hi release team,

I already asked for an unblock for avahi 0.6.23-2 some time ago [1]. The debdiff between 0.6.22-3 and 0.6.23-2 has already been reviewed and the only major complaint then was, that during an upgrade, the sysv init script update procedure re-enabled a disabled service [2]. It tried to address that in 0.6.23-4. The other changes, from what I remember, were considered ok.

So what remains to review, is the changes between 0.6.23-2 and 0.6.23-4, one of them containing a security fix (CVE-2008-5081) which would be good to have in lenny.

The changelog is:

avahi (0.6.23-4) unstable; urgency=low

  * debian/avahi-{daemon,dnsconfd}.postinst
    - When upgrading the init script priorities, check if the service is
      enabled for the default runlevel before removing the old init script
      symlinks to avoid accidentally re-enabling it. (Closes: #499815)

 -- Michael Biebl <biebl@debian.org>  Wed, 14 Jan 2009 23:22:59 +0100

avahi (0.6.23-3) unstable; urgency=low

  [ Loic Minier ]
  * Generate a POT file during build; helps downstreams such as Ubuntu import
    an always up-to-date pot, even we patch the source of upstream forgets to
    do so; from Ubuntu; thanks Martin Pitt; closes: #486908.

  [ Michael Biebl ]
  * debian/avahi-daemon-check-dns.sh
    - Fix quoting error in dns_has_local().
      Thanks to James Westby for the patch. (Closes: #492466)

  [ Sjoerd Simons ]
  * debian/patches/14_CVE-2008-5081.patch
    - Added. Don't abort on receiving an UDP packet with a source port of zero.
      Fixes CVE-2008-5081 (Closes: #508700)

 -- Sjoerd Simons <sjoerd@debian.org>  Sun, 14 Dec 2008 19:39:58 +0000

The complete debdiff between 0.6.23-2 and 0.6.23-4 is attached.

Only problem is, that libdaemon, one of the build-deps, has bumped shlibs in unstable. So if the release team acks these changes, I'd re-upload -4 as -3lenny1 with target testing-proposed-updates to t-p-u.

I hope this is the correct approach. If not, please advise.

Cheers,
Michael

[1] http://lists.debian.org/debian-release/2008/08/msg00691.html
[2] http://lists.debian.org/debian-release/2008/08/msg01097.html

-- 
Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
Index: debian/avahi-dnsconfd.postinst =================================================================== --- debian/avahi-dnsconfd.postinst (Revision 2344) +++ debian/avahi-dnsconfd.postinst (Revision 2749) @@ -5,7 +5,8 @@ # update init script symlinks for new runlevels and priorities for upgrades # from older versions -if [ "$1" = configure ] && dpkg --compare-versions "$2" lt-nl 0.6.22-4; then +if [ "$1" = configure ] && dpkg --compare-versions "$2" lt-nl 0.6.22-4 && \ + [ -e /etc/rc2.d/S??avahi-dnsconfd ]; then echo "Reinstalling init script for new runlevels and priorities ..." >&2 # remove old init script symlinks; dh_installinit adds the proper # update-rc.d snippet later on Index: debian/avahi-daemon.postinst =================================================================== --- debian/avahi-daemon.postinst (Revision 2344) +++ debian/avahi-daemon.postinst (Revision 2749) @@ -33,7 +33,8 @@ # update init script symlinks for new runlevels and priorities for upgrades # from older versions - if dpkg --compare-versions "$2" lt-nl 0.6.22-4; then + if dpkg --compare-versions "$2" lt-nl 0.6.22-4 && \ + [ -e /etc/rc2.d/S??avahi-daemon ]; then echo "Reinstalling init script for new runlevels and priorities ..." >&2 # remove old init script symlinks; dh_installinit adds the proper # update-rc.d snippet later on Index: debian/rules =================================================================== --- debian/rules (Revision 2344) +++ debian/rules (Revision 2749) 
@@ -37,10 +37,17 @@ debian/libavahi-glib1/usr/lib \ debian/libavahi-ui0/usr/lib -#ensure that ServiceTypeDatabase.py is regenerated +# ensure that ServiceTypeDatabase.py is regenerated pre-build:: - -rm -f avahi-python/avahi/ServiceTypeDatabase.py + -rm -f avahi-python/avahi/ServiceTypeDatabase.py +common-build-arch:: + # create an up to date PO template + cd po; intltool-update -p --verbose + +clean:: + rm -f po/*.pot + binary-install/avahi-discover:: dh_pysupport -p$(cdbs_curpkg) rm -f debian/tmp/usr/lib/python*/site-packages/avahi/*.py[co] Index: debian/patches/14_CVE-2008-5081.patch =================================================================== --- debian/patches/14_CVE-2008-5081.patch (Revision 0) +++ debian/patches/14_CVE-2008-5081.patch (Revision 2749) @@ -0,0 +1,27 @@ +commit 3093047f1aa36bed8a37fa79004bf0ee287929f4 +Author: Lennart Poettering <lennart@poettering.net> +Date: Thu Dec 11 20:57:45 2008 +0100 + + Don't get confused by UDP packets with a source port that is zero + + This is a fix for rhbz 475394. + + Problem identified by Hugo Dias. + +diff --git a/avahi-core/server.c b/avahi-core/server.c +index c4980af..11ab6cf 100644 +--- a/avahi-core/server.c ++++ b/avahi-core/server.c +@@ -898,6 +898,12 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres + return; + } + ++ if (port <= 0) { ++ /* This fixes RHBZ #475394 */ ++ avahi_log_warn("Received packet from invalid source port."); ++ return; ++ } ++ + if (avahi_address_is_ipv4_in_ipv6(src_address)) + /* This is an IPv4 address encapsulated in IPv6, so let's ignore it. */ + return; Index: debian/avahi-daemon-check-dns.sh =================================================================== --- debian/avahi-daemon-check-dns.sh (Revision 2344) +++ debian/avahi-daemon-check-dns.sh (Revision 2749) 
@@ -45,7 +45,7 @@ dns_has_local() { # Some magic to do tests - if [ -n ${FAKE_HOST_RETURN} ] ; then + if [ -n "${FAKE_HOST_RETURN}" ] ; then if [ "${FAKE_HOST_RETURN}" = "true" ]; then return 0; else Index: debian/changelog =================================================================== --- debian/changelog (Revision 2344) +++ debian/changelog (Revision 2749) @@ -1,3 +1,31 @@ +avahi (0.6.23-4) unstable; urgency=low + + * debian/avahi-{daemon,dnsconfd}.postinst + - When upgrading the init script priorities, check if the service is + enabled for the default runlevel before removing the old init script + symlinks to avoid accidentally re-enabling it. (Closes: #499815) + + -- Michael Biebl <biebl@debian.org> Wed, 14 Jan 2009 23:22:59 +0100 + +avahi (0.6.23-3) unstable; urgency=low + + [ Loic Minier ] + * Generate a POT file during build; helps downstreams such as Ubuntu import + an always up-to-date pot, even we patch the source of upstream forgets to + do so; from Ubuntu; thanks Martin Pitt; closes: #486908. + + [ Michael Biebl ] + * debian/avahi-daemon-check-dns.sh + - Fix quoting error in dns_has_local(). + Thanks to James Westby for the patch. (Closes: #492466) + + [ Sjoerd Simons ] + * debian/patches/14_CVE-2008-5081.patch + - Added. Don't abort on receiving an UDP packet with a source port of zero. + Fixes CVE-2008-5081 (Closes: #508700) + + -- Sjoerd Simons <sjoerd@debian.org> Sun, 14 Dec 2008 19:39:58 +0000 + avahi (0.6.23-2) unstable; urgency=low * debian/control
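
Review bot: in debian/avahi-dnsconfd.postinst the new test `[ -e /etc/rc2.d/S??avahi-dnsconfd ]` hands an unquoted glob to `[`, which only behaves as intended when the pattern matches zero or one link. If two start links match, `[` receives an extra argument, exits with an error, and the upgrade branch is skipped as though the service were disabled. Suggest looping over the expansion and testing each name with `[ -e "$f" ]`, or documenting in a comment that a single match is assumed.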
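
Review bot: the condition added in debian/avahi-daemon.postinst hard-codes `/etc/rc2.d` as "the default runlevel" that the changelog entry refers to. A system whose default runlevel is not 2 and that has the service enabled only there is treated as disabled, so its links keep the old priorities. Suggest either a comment stating that runlevel 2 is assumed, or deriving the runlevel instead of fixing it in the path; the comment should also say that a disabled service intentionally keeps its old links.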
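
Review bot: in the debian/rules hunk, the new `common-build-arch::` recipe runs `cd po; intltool-update -p --verbose`, so a failing `cd` does not stop the command and `intltool-update` then runs in the top-level source directory. Suggest `cd po && intltool-update -p --verbose` so the build fails at the point of the error.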
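
Review bot: in debian/patches/14_CVE-2008-5081.patch, the new `port <= 0` branch in dispatch_packet() calls `avahi_log_warn("Received packet from invalid source port.")` for every rejected packet, and the number of such packets is decided by the sender. The abort is gone, but each packet still produces a warning-level log line; suggest logging at a lower level or rate limiting the message. The comment `/* This fixes RHBZ #475394 */` would also be more useful if it said why a source port of zero is rejected rather than only naming the bug.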