
Bug#924952: marked as done (unblock: chrony/3.4-4)



Your message dated Tue, 19 Mar 2019 11:41:20 +0000
with message-id <E1h6D7Q-00083k-3l@respighi.debian.org>
and subject line unblock chrony
has caused the Debian Bug report #924952,
regarding unblock: chrony/3.4-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
924952: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924952
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hello,

Please unblock package chrony

Compared to chrony 3.4-3, this release just adds some necessary system
calls to the seccomp filter whitelist. This allows fixing #924494, and
probably many other bugs on some of our release architectures.

Debdiff attached!

unblock chrony/3.4-4

Thanks for your time,
Vincent

diffstat for chrony-3.4 chrony-3.4

 changelog                                              |   14 +++++
 patches/allow-further-syscalls-in-seccomp-filter.patch |   41 +++++++++++++++++
 patches/allow-recv-send-in-seccomp-filter.patch        |   24 +++++++++
 patches/series                                         |    2 
 4 files changed, 81 insertions(+)

diff -Nru chrony-3.4/debian/changelog chrony-3.4/debian/changelog
--- chrony-3.4/debian/changelog	2019-03-04 23:32:12.000000000 +0100
+++ chrony-3.4/debian/changelog	2019-03-18 19:35:34.000000000 +0100
@@ -1,3 +1,17 @@
+chrony (3.4-4) unstable; urgency=medium
+
+  * debian/patches/*:
+    - Add allow-further-syscalls-in-seccomp-filter.patch. Supplementing the
+    seccomp filter whitelist with those syscalls is a prerequisite, notably for
+    the arm64 architecture.
+
+  [ Leigh Brown ]
+  * debian/patches/*:
+    - Add allow-recv-send-in-seccomp-filter.patch. Necessary on armel and
+    ppc64el. Other architectures might also be affected. (Closes: #924494)
+
+ -- Vincent Blut <vincent.debian@free.fr>  Mon, 18 Mar 2019 19:35:34 +0100
+
 chrony (3.4-3) unstable; urgency=medium
 
   * debian/.gitlab-ci.yml:
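Review bot: In the first bullet of the 3.4-4 entry, "those syscalls" has no antecedent and the bullet carries no bug reference, so the changelog alone does not say which calls were added to the whitelist. Naming them, or at least the groups (the `*at` file calls and `pipe2`/`ppoll`/`pselect6`), would make the entry as self-contained as the second bullet is with its "(Closes: #924494)".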
diff -Nru chrony-3.4/debian/patches/allow-further-syscalls-in-seccomp-filter.patch chrony-3.4/debian/patches/allow-further-syscalls-in-seccomp-filter.patch
--- chrony-3.4/debian/patches/allow-further-syscalls-in-seccomp-filter.patch	1970-01-01 01:00:00.000000000 +0100
+++ chrony-3.4/debian/patches/allow-further-syscalls-in-seccomp-filter.patch	2019-03-18 19:32:24.000000000 +0100
@@ -0,0 +1,41 @@
+From: Vincent Blut <vincent.debian@free.fr>
+Date: Fri, 15 Mar 2019 00:03:24 +0100
+Subject: sys_linux: allow further syscalls in seccomp filter
+
+Adding these syscalls in the seccomp filter whitelist is a prerequisite for
+the arm64 architecture.
+
+Forwarded: https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-dev/2019/03/msg00001.html
+Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=2ddd0ae23181f529bf0e8abaecfc9c726d672568
+---
+ sys_linux.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/sys_linux.c
++++ b/sys_linux.c
+@@ -499,9 +499,11 @@ SYS_Linux_EnableSystemCallFilter(int lev
+     SCMP_SYS(mprotect), SCMP_SYS(mremap), SCMP_SYS(munmap), SCMP_SYS(shmdt),
+     /* Filesystem */
+     SCMP_SYS(_llseek), SCMP_SYS(access), SCMP_SYS(chmod), SCMP_SYS(chown),
+-    SCMP_SYS(chown32), SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(getdents),
+-    SCMP_SYS(getdents64), SCMP_SYS(lseek), SCMP_SYS(rename), SCMP_SYS(stat),
+-    SCMP_SYS(stat64), SCMP_SYS(statfs), SCMP_SYS(statfs64), SCMP_SYS(unlink),
++    SCMP_SYS(chown32), SCMP_SYS(faccessat), SCMP_SYS(fchmodat), SCMP_SYS(fchownat),
++    SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(getdents), SCMP_SYS(getdents64),
++    SCMP_SYS(lseek), SCMP_SYS(newfstatat), SCMP_SYS(rename), SCMP_SYS(renameat),
++    SCMP_SYS(stat), SCMP_SYS(stat64), SCMP_SYS(statfs), SCMP_SYS(statfs64),
++    SCMP_SYS(unlink), SCMP_SYS(unlinkat),
+     /* Socket */
+     SCMP_SYS(bind), SCMP_SYS(connect), SCMP_SYS(getsockname), SCMP_SYS(getsockopt),
+     SCMP_SYS(recv), SCMP_SYS(recvfrom), SCMP_SYS(recvmmsg), SCMP_SYS(recvmsg),
+@@ -510,8 +512,8 @@ SYS_Linux_EnableSystemCallFilter(int lev
+     SCMP_SYS(socketcall),
+     /* General I/O */
+     SCMP_SYS(_newselect), SCMP_SYS(close), SCMP_SYS(open), SCMP_SYS(openat), SCMP_SYS(pipe),
+-    SCMP_SYS(poll), SCMP_SYS(read), SCMP_SYS(futex), SCMP_SYS(select),
+-    SCMP_SYS(set_robust_list), SCMP_SYS(write),
++    SCMP_SYS(pipe2), SCMP_SYS(poll), SCMP_SYS(ppoll), SCMP_SYS(pselect6), SCMP_SYS(read),
++    SCMP_SYS(futex), SCMP_SYS(select), SCMP_SYS(set_robust_list), SCMP_SYS(write),
+     /* Miscellaneous */
+     SCMP_SYS(getrandom), SCMP_SYS(sysinfo), SCMP_SYS(uname),
+   };
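Review bot: In the Filesystem list, `newfstatat` is added on its own although the surrounding entries come in pairs (`stat`/`stat64`, `fstat`/`fstat64`, `statfs`/`statfs64`); it is worth checking whether the 32-bit architectures need `fstatat64` next to it. The description gives only "a prerequisite for the arm64 architecture"; a line stating that the new entries are the `*at`, `pipe2`, `ppoll` and `pselect6` counterparts of calls already in the whitelist (`access`, `chmod`, `chown`, `rename`, `unlink`, `pipe`, `poll`, `select`) would help a later audit of the filter. The context line beginning `SCMP_SYS(recv), SCMP_SYS(recvfrom)` means this patch only applies on top of allow-recv-send-in-seccomp-filter.patch, which matches the order added to debian/patches/series.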
diff -Nru chrony-3.4/debian/patches/allow-recv-send-in-seccomp-filter.patch chrony-3.4/debian/patches/allow-recv-send-in-seccomp-filter.patch
--- chrony-3.4/debian/patches/allow-recv-send-in-seccomp-filter.patch	1970-01-01 01:00:00.000000000 +0100
+++ chrony-3.4/debian/patches/allow-recv-send-in-seccomp-filter.patch	2019-03-16 19:05:10.000000000 +0100
@@ -0,0 +1,24 @@
+From: Leigh Brown <leigh@solinno.co.uk>
+Date: Wed, 13 Mar 2019 17:56:08 +0100
+Subject: [PATCH] sys_linux: allow recv and send in seccomp filter
+
+The lack of these two system calls has been problematic for the armv5tel
+architecture. Other architectures might also be affected.
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924494
+Forwarded: https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-dev/2019/03/msg00000.html
+Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=79db0b7eca3ffff1b6c6a86cf1a342a40cc76d2f
+---
+--- a/sys_linux.c
++++ b/sys_linux.c
+@@ -504,8 +504,8 @@ SYS_Linux_EnableSystemCallFilter(int lev
+     SCMP_SYS(stat64), SCMP_SYS(statfs), SCMP_SYS(statfs64), SCMP_SYS(unlink),
+     /* Socket */
+     SCMP_SYS(bind), SCMP_SYS(connect), SCMP_SYS(getsockname), SCMP_SYS(getsockopt),
+-    SCMP_SYS(recvfrom), SCMP_SYS(recvmmsg), SCMP_SYS(recvmsg),
+-    SCMP_SYS(sendmmsg), SCMP_SYS(sendmsg), SCMP_SYS(sendto),
++    SCMP_SYS(recv), SCMP_SYS(recvfrom), SCMP_SYS(recvmmsg), SCMP_SYS(recvmsg),
++    SCMP_SYS(send), SCMP_SYS(sendmmsg), SCMP_SYS(sendmsg), SCMP_SYS(sendto),
+     /* TODO: check socketcall arguments */
+     SCMP_SYS(socketcall),
+     /* General I/O */
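Review bot: The description names only armv5tel, while the changelog entry for this patch lists armel and ppc64el; the two should agree so the reason for the new entries stays traceable. `recv` and `send` are added without argument checks, like their neighbours `recvfrom` and `sendto`, and the context still carries `/* TODO: check socketcall arguments */`, so it would help to say in the description how the two new entries relate to the ones already allowed. Unlike the other patch, there is no diffstat after the `---` line.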
diff -Nru chrony-3.4/debian/patches/series chrony-3.4/debian/patches/series
--- chrony-3.4/debian/patches/series	2019-03-04 18:02:36.000000000 +0100
+++ chrony-3.4/debian/patches/series	2019-03-18 16:47:59.000000000 +0100
@@ -1,2 +1,4 @@
 allow-_llseek-in-seccomp-filter.patch
 allow-waitpid-in-seccomp-filter.patch
+allow-recv-send-in-seccomp-filter.patch
+allow-further-syscalls-in-seccomp-filter.patch

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
