
Bug#776009: unblock: xymon/4.3.17-5



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

several updates for xymon have accumulated since the last upload. We'd
like to have them in Jessie, so we are asking for approval of the
changes below.

Changelog:

diff -Nru xymon-4.3.17/debian/changelog xymon-4.3.17/debian/changelog
--- xymon-4.3.17/debian/changelog	2014-10-23 16:50:53.000000000 +0200
+++ xymon-4.3.17/debian/changelog	2015-01-22 17:37:30.000000000 +0100
@@ -1,3 +1,21 @@
+xymon (4.3.17-5) unstable; urgency=medium
+
+  [ Christoph Berg ]
+  * Restore the lost ROOTFS variable in xymonclient-linux.sh, and patch
+    xymond/rrd/do_disk.c to ignore duplicate submissions for the / partition.
+    (Closes: #767901)
+  * Fix buffer overrun in web/acknowledge.c (Closes: #776007)
+  * Debconf translations, thanks!
+    + pt by Américo Monteiro (Closes: #767840)
+    + fr by Jean-Pierre Giraud (Closes: #770168)
+    + nl by Frans Spiesschaert (Closes: #771182)
+
+  [ Axel Beckert ]
+  * Fix aborting installation in cases where a hobbit user exists despite
+    hobbit-client was not installed before. (LP: #1407498)
+
+ -- Christoph Berg <christoph.berg@credativ.de>  Thu, 22 Jan 2015 17:37:26 +0100
+
 xymon (4.3.17-4) unstable; urgency=medium
 
   * Add debconf question to disable the automatic migration from hobbit to


The first patch is the buffer overrun from #776007:

diff -Nru xymon-4.3.17/debian/patches/acknowledge-malloc xymon-4.3.17/debian/patches/acknowledge-malloc
--- xymon-4.3.17/debian/patches/acknowledge-malloc	1970-01-01 01:00:00.000000000 +0100
+++ xymon-4.3.17/debian/patches/acknowledge-malloc	2015-01-22 16:49:28.000000000 +0100
@@ -0,0 +1,11 @@
+--- a/web/acknowledge.c
++++ b/web/acknowledge.c
+@@ -289,7 +289,7 @@ int main(int argc, char *argv[])
+ 					pcre *dummy;
+ 					char *re;
+ 
+-					re = (char *)malloc(8 + strlen(pagename));
++					re = (char *)malloc(8 + 2*strlen(pagename));
+ 					sprintf(re, "%s$|^%s/.+", pagename, pagename);
+ 					dummy = compileregex(re);
+ 					if (dummy) {
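Review bot: The enlarged buffer is still sized by a hand-counted constant and filled with an unbounded `sprintf`, and the `malloc` result is written through without a NULL check, so a later edit to the format string can reintroduce the overrun this patch closes. For the format `"%s$|^%s/.+"` the new size is sufficient (six literal characters plus the terminator), but deriving it from the literal and bounding the write makes that checkable: `size_t relen = 2*strlen(pagename) + sizeof("$|^/.+");` followed by a NULL-checked `re = malloc(relen);` and `snprintf(re, relen, "%s$|^%s/.+", pagename, pagename);`. `pagename` is also pasted into the pattern without escaping regex metacharacters; where it comes from is outside the hunk, so whether that matters depends on how it is validated earlier in `main`. The enclosing block of `main` begins and ends outside the hunk.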

(This is probably exploitable, but the URL for this is only accessible
for authenticated admin users, so it's not a very bad security issue.)


The next one is the #767901 issue that causes monitoring graphs for
the / partition (disk space and inodes) to be broken. The C part
accounts for the fact that the "df" output in default
installations has "/" listed twice, and suppresses duplicate updates
for that partition (which cause rrd to get confused).

The hard-to-read sh diff below merely restores the ROOTFS line that's
present in the upstream version of the original file, but got lost
during some patch update.

diff -Nru xymon-4.3.17/debian/patches/disk-no-duplicate-root xymon-4.3.17/debian/patches/disk-no-duplicate-root
--- xymon-4.3.17/debian/patches/disk-no-duplicate-root	1970-01-01 01:00:00.000000000 +0100
+++ xymon-4.3.17/debian/patches/disk-no-duplicate-root	2015-01-21 16:31:46.000000000 +0100
@@ -0,0 +1,30 @@
+--- a/xymond/rrd/do_disk.c
++++ b/xymond/rrd/do_disk.c
+@@ -20,6 +20,7 @@ int do_disk_rrd(char *hostname, char *te
+ 	static int ptnsetup = 0;
+ 	static pcre *inclpattern = NULL;
+ 	static pcre *exclpattern = NULL;
++	int seen_root_fs = 0;
+ 
+ 	if (strstr(msg, "netapp.pl")) return do_netapp_disk_rrd(hostname, testname, classname, pagepaths, msg, tstamp);
+ 	if (strstr(msg, "dbcheck.pl")) return do_dbcheck_tablespace_rrd(hostname, testname, classname, pagepaths, msg, tstamp);
+@@ -163,6 +164,19 @@ int do_disk_rrd(char *hostname, char *te
+ 
+ 		/* Check include/exclude patterns */
+ 		wanteddisk = 1;
++		/*
++		 * On some systems, including the Debian Wheezy default setup,
++		 * df shows two entries for / (one for "rootfs", one for the
++		 * real device). Skip the second one or else the rrd files
++		 * produced contain ugly gaps. (A complete fix would do this
++		 * for all filesystems, but this case should be rare.)
++		 */
++		if (!strcmp(diskname, "/")) {
++			if (seen_root_fs)
++				wanteddisk = 0;
++			else
++				seen_root_fs = 1;
++		}
+ 		if (exclpattern) {
+ 			int ovector[30];
+ 			int result;
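Review bot: The added `strcmp(diskname, "/")` test in the second inner hunk assumes `diskname` is non-NULL at that point, which the visible lines do not establish; the df text is parsed from a client-supplied message, so if the parsing above can leave it unset for a malformed line, the test should be guarded, e.g. `if (diskname && !strcmp(diskname, "/")) {`. The flag is a plain local, so it resets on every call, unlike the `static` declarations next to it in the first inner hunk; a comment on the declaration such as `/* set once "/" has been handled for this message */` would make that intent explicit. The body of `do_disk_rrd` begins and ends outside both inner hunks.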
diff -Nru xymon-4.3.17/debian/patches/hobbitclient-tmpfs xymon-4.3.17/debian/patches/hobbitclient-tmpfs
--- xymon-4.3.17/debian/patches/hobbitclient-tmpfs	2014-10-01 15:41:26.000000000 +0200
+++ xymon-4.3.17/debian/patches/hobbitclient-tmpfs	2014-11-03 13:05:02.000000000 +0100
@@ -15,31 +15,27 @@
 
  -- Christoph Berg <myon@debian.org>  Sat, 05 Jul 2008 14:43:23 +0200
 
-Index: xymon/client/xymonclient-linux.sh
-===================================================================
---- xymon.orig/client/xymonclient-linux.sh	2013-05-20 16:04:13.319498276 +0200
-+++ xymon/client/xymonclient-linux.sh	2013-05-20 16:04:13.299497611 +0200
-@@ -45,9 +45,13 @@
+--- a/client/xymonclient-linux.sh
++++ b/client/xymonclient-linux.sh
+@@ -45,9 +45,14 @@ uptime
  echo "[who]"
  who
  echo "[df]"
 -EXCLUDES=`cat /proc/filesystems | grep nodev | grep -v rootfs | awk '{print $2}' | xargs echo | sed -e 's! ! -x !g'`
--ROOTFS=`readlink -m /dev/root`
--df -Pl -x iso9660 -x $EXCLUDES | sed -e '/^[^ 	][^ 	]*$/{
 +if test -f /proc/filesystems ; then # Linux
 +	EXCLUDES=`cat /proc/filesystems | grep nodev | egrep -v 'tmpfs|rootfs' | awk '{print $2}' | xargs echo | sed -e 's! ! -x !g'`
 +else # kfreebsd (or /proc not mounted)
 +	EXCLUDES=`mount | grep -v '^/' | egrep -v 'tmpfs|rootfs' | awk '{print $1}' | xargs echo | sed -e 's! ! -x !g'`
 +fi
+ ROOTFS=`readlink -m /dev/root`
+-df -Pl -x iso9660 -x $EXCLUDES | sed -e '/^[^ 	][^ 	]*$/{
 +# kfreebsd needs an extra grep -v
 +df -Pl -x iso9660 -x $EXCLUDES | grep -v '^/sys' | sed -e '/^[^ 	][^ 	]*$/{
  N
  s/[ 	]*\n[ 	]*/ /
  }' -e "s&^rootfs&${ROOTFS}&"
-Index: xymon/xymond/etcfiles/analysis.cfg
-===================================================================
---- xymon.orig/xymond/etcfiles/analysis.cfg	2013-05-20 16:04:13.319498276 +0200
-+++ xymon/xymond/etcfiles/analysis.cfg	2013-05-20 16:04:13.307497876 +0200
+--- a/xymond/etcfiles/analysis.cfg
++++ b/xymond/etcfiles/analysis.cfg
 @@ -353,6 +353,11 @@
  
  


... the inevitable debian/patches/series update for the above:

diff -Nru xymon-4.3.17/debian/patches/series xymon-4.3.17/debian/patches/series
--- xymon-4.3.17/debian/patches/series	2014-10-01 15:41:26.000000000 +0200
+++ xymon-4.3.17/debian/patches/series	2015-01-22 16:49:00.000000000 +0100
@@ -23,3 +23,5 @@
 fix-exp-values-in-ncv
 netstat-ant-vs-ipv6-address-truncating
 apache2.4
+disk-no-duplicate-root
+acknowledge-malloc


... some i18n updates:

diff -Nru xymon-4.3.17/debian/po/fr.po xymon-4.3.17/debian/po/fr.po
diff -Nru xymon-4.3.17/debian/po/nl.po xymon-4.3.17/debian/po/nl.po
diff -Nru xymon-4.3.17/debian/po/pt.po xymon-4.3.17/debian/po/pt.po


... and finally a fix for the migration from the old hobbit user that
avoids invoking "find" on non-existing directories (LP #1407498)

diff -Nru xymon-4.3.17/debian/xymon-client.postinst xymon-4.3.17/debian/xymon-client.postinst
--- xymon-4.3.17/debian/xymon-client.postinst	2014-10-23 14:57:28.000000000 +0200
+++ xymon-4.3.17/debian/xymon-client.postinst	2015-01-21 16:31:46.000000000 +0100
@@ -49,7 +49,9 @@
 		--gecos "Xymon System Monitor" xymon
 	if [ "$MIGRATE" ] && getent passwd hobbit > /dev/null; then
 	    for d in /etc/hobbit /etc/xymon /var/*/hobbit /var/*/xymon; do
-		find $d -user hobbit -print0 2>/dev/null | xargs -0 -r chown xymon
+                if [ -d $d ]; then
+		    find $d -user hobbit -print0 2>/dev/null | xargs -0 -r chown xymon
+                fi
 	    done
 	    pkill -u hobbit vmstat || true
 	    deluser hobbit || echo "Couldn't delete user hobbit, please remove it manually"
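Review bot: `chown` and `chgrp` follow symbolic links by default, so in the loop of this hunk (and the identical group loop in the next hunk) a symlink owned by hobbit inside one of these trees would have its target re-owned by the postinst rather than the link itself. `find` reports such links because `-user`/`-group` test the link, so passing `-h` keeps the change on the link: `find "$d" -user hobbit -print0 2>/dev/null | xargs -0 -r chown -h xymon`, and likewise `chgrp -h xymon`. Quoting `$d` in the new test, `if [ -d "$d" ]; then`, also keeps a glob match containing whitespace from breaking the check. The added lines are indented with spaces while the surrounding script uses tabs.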
@@ -58,7 +60,9 @@
 	# Migrate old group
 	if [ "$MIGRATE" ] && getent group hobbit > /dev/null; then
 	    for d in /etc/hobbit /etc/xymon /var/*/hobbit /var/*/xymon; do
-		find $d -group hobbit -print0 2>/dev/null | xargs -0 -r chgrp xymon
+                if [ -d $d ]; then
+		    find $d -group hobbit -print0 2>/dev/null | xargs -0 -r chgrp xymon
+                fi
 	    done
 	    delgroup --only-if-empty hobbit || echo "Couldn't delete group hobbit, please remove it manually"
 	fi


I've uploaded the package to DELAYED/15. Are these ok for Jessie? I'd
either reschedule the upload for immediate release, or cancel the
upload.

Thanks,
Christoph
-- 
cb@df7cb.de | http://www.df7cb.de/

Attachment: signature.asc
Description: Digital signature

