
Bug#923897: marked as done (stretch-pu: package chrony/3.0-4+deb9u2)



Your message dated Sat, 27 Apr 2019 11:14:32 +0100
with message-id <1556360072.2690.35.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 9.9
has caused the Debian Bug report #923897,
regarding stretch-pu: package chrony/3.0-4+deb9u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
923897: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923897
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I would like to update chrony in Stretch to fix #923137 (severity 
important). This issue is caused by the absence of the _llseek() system 
call in the seccomp filter provided by chrony, which prevents some 
information from being logged on various 32-bit architectures when the 
system call filter is active.

While working on the bug report mentioned above, I discovered that 
chronyd could also be incorrectly stopped when the system call filter is 
enabled. This is due to the waitpid() system call being absent from the 
seccomp filter. This is addressed by the 
allow-waitpid-in-seccomp-filter.patch patch.

I have been testing the proposed changes for a few days without any 
regression. Debdiff attached!

Cheers,
Vincent

diffstat for chrony-3.0 chrony-3.0

 changelog                                     |   12 ++++++++++
 patches/allow-_llseek-in-seccomp-filter.patch |   30 ++++++++++++++++++++++++++
 patches/allow-waitpid-in-seccomp-filter.patch |   20 +++++++++++++++++
 patches/series                                |    2 +
 4 files changed, 64 insertions(+)

diff -Nru chrony-3.0/debian/changelog chrony-3.0/debian/changelog
--- chrony-3.0/debian/changelog	2017-07-22 17:24:44.000000000 +0200
+++ chrony-3.0/debian/changelog	2019-03-06 11:13:29.000000000 +0100
@@ -1,3 +1,15 @@
+chrony (3.0-4+deb9u2) stretch; urgency=medium
+
+  * debian/patches/*:
+    - Add allow-_llseek-in-seccomp-filter.patch. Needed on various 32-bit
+    plateforms to log the {raw}measurements and statistics information when
+    the seccomp filter is enabled. Thanks a lot to Francesco Poli (wintermute)
+    <invernomuto@paranoici.org> for the report. (Closes: #923137)
+    - Add allow-waitpid-in-seccomp-filter.patch. Needed to correctly stop
+    chronyd on some plateforms when the seccomp filter is enabled.
+
+ -- Vincent Blut <vincent.debian@free.fr>  Wed, 06 Mar 2019 11:13:29 +0100
+
 chrony (3.0-4+deb9u1) stretch; urgency=medium
 
   * debian/chrony.if-up:
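Review bot: "plateforms" is misspelled in both new changelog bullets (the _llseek entry and the waitpid entry) and should read "platforms". The continuation lines under each "- Add ..." item would also read better indented to line up with the text after the dash, so the two sub-items are easier to tell apart.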
diff -Nru chrony-3.0/debian/patches/allow-_llseek-in-seccomp-filter.patch chrony-3.0/debian/patches/allow-_llseek-in-seccomp-filter.patch
--- chrony-3.0/debian/patches/allow-_llseek-in-seccomp-filter.patch	1970-01-01 01:00:00.000000000 +0100
+++ chrony-3.0/debian/patches/allow-_llseek-in-seccomp-filter.patch	2019-03-05 23:36:44.000000000 +0100
@@ -0,0 +1,30 @@
+From: Vincent Blut <vincent.debian@free.fr>
+Date: Thu, 28 Feb 2019 14:39:13 +0100
+Subject: sys_linux: allow _llseek in seccomp filter
+
+This is needed on various 32-bit platforms to reposition read/write file
+offset on {raw}measurements and statistics log files.
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923137
+Forwarded: https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-dev/2019/02/msg00003.html
+Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=e392d1fde94db26b88a0a017850415f1d34266d7
+---
+ sys_linux.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+--- a/sys_linux.c
++++ b/sys_linux.c
+@@ -473,10 +473,10 @@ SYS_Linux_EnableSystemCallFilter(int lev
+     SCMP_SYS(brk), SCMP_SYS(madvise), SCMP_SYS(mmap), SCMP_SYS(mmap2),
+     SCMP_SYS(mprotect), SCMP_SYS(mremap), SCMP_SYS(munmap), SCMP_SYS(shmdt),
+     /* Filesystem */
+-    SCMP_SYS(access), SCMP_SYS(chmod), SCMP_SYS(chown), SCMP_SYS(chown32),
+-    SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(getdents), SCMP_SYS(getdents64),
+-    SCMP_SYS(lseek), SCMP_SYS(rename), SCMP_SYS(stat), SCMP_SYS(stat64),
+-    SCMP_SYS(statfs), SCMP_SYS(statfs64), SCMP_SYS(unlink),
++    SCMP_SYS(_llseek), SCMP_SYS(access), SCMP_SYS(chmod), SCMP_SYS(chown),
++    SCMP_SYS(chown32), SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(getdents),
++    SCMP_SYS(getdents64), SCMP_SYS(lseek), SCMP_SYS(rename), SCMP_SYS(stat),
++    SCMP_SYS(stat64), SCMP_SYS(statfs), SCMP_SYS(statfs64), SCMP_SYS(unlink),
+     /* Socket */
+     SCMP_SYS(bind), SCMP_SYS(connect), SCMP_SYS(getsockname),
+     SCMP_SYS(recvfrom), SCMP_SYS(recvmmsg), SCMP_SYS(recvmsg),
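Review bot: In the Filesystem list of the sys_linux.c hunk, inserting SCMP_SYS(_llseek) at the front re-wraps all four lines, so a one-entry addition shows up as 4 insertions and 4 deletions and the reader has to compare the lists by hand; the removed and added lines do carry the same fifteen entries plus _llseek. Adding it without re-wrapping would make a stable-update diff easier to audit, though diverging from the upstream commit named in Applied-Upstream may not be worth it.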
diff -Nru chrony-3.0/debian/patches/allow-waitpid-in-seccomp-filter.patch chrony-3.0/debian/patches/allow-waitpid-in-seccomp-filter.patch
--- chrony-3.0/debian/patches/allow-waitpid-in-seccomp-filter.patch	1970-01-01 01:00:00.000000000 +0100
+++ chrony-3.0/debian/patches/allow-waitpid-in-seccomp-filter.patch	2019-03-05 23:54:02.000000000 +0100
@@ -0,0 +1,20 @@
+From: Vincent Blut <vincent.debian@free.fr>
+Date: Thu, 28 Feb 2019 16:43:56 +0100
+Subject: sys_linux: allow waitpid in seccomp filter
+
+Forwarded: https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-dev/2019/02/msg00001.html
+Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=2ebba7fbaaf7c86d1840cacb7aa78b62d0166d5a
+---
+ sys_linux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+--- a/sys_linux.c
++++ b/sys_linux.c
+@@ -468,7 +468,7 @@ SYS_Linux_EnableSystemCallFilter(int lev
+     SCMP_SYS(clone), SCMP_SYS(exit), SCMP_SYS(exit_group), SCMP_SYS(getpid),
+     SCMP_SYS(getrlimit),SCMP_SYS(rt_sigaction), SCMP_SYS(rt_sigreturn),
+     SCMP_SYS(rt_sigprocmask), SCMP_SYS(set_tid_address), SCMP_SYS(sigreturn),
+-    SCMP_SYS(wait4),
++    SCMP_SYS(wait4), SCMP_SYS(waitpid),
+     /* Memory */
+     SCMP_SYS(brk), SCMP_SYS(madvise), SCMP_SYS(mmap), SCMP_SYS(mmap2),
+     SCMP_SYS(mprotect), SCMP_SYS(mremap), SCMP_SYS(munmap), SCMP_SYS(shmdt),
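Review bot: The patch header carries only a Subject, with no description and no Bug-Debian field, unlike allow-_llseek-in-seccomp-filter.patch. A sentence saying that waitpid is needed to stop chronyd correctly on some platforms when the filter is enabled (as the changelog states) would let the patch stand on its own. The change itself, SCMP_SYS(waitpid) appended after SCMP_SYS(wait4), leaves the existing entries untouched.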
diff -Nru chrony-3.0/debian/patches/series chrony-3.0/debian/patches/series
--- chrony-3.0/debian/patches/series	2017-07-22 17:24:44.000000000 +0200
+++ chrony-3.0/debian/patches/series	2019-03-05 23:51:17.000000000 +0100
@@ -1,2 +1,4 @@
 allow_getpid_in_seccomp_filter.patch
+allow-_llseek-in-seccomp-filter.patch
+allow-waitpid-in-seccomp-filter.patch
 fix_time_smoothing_in_interleaved_mode.patch
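Review bot: The two new entries use hyphens (allow-_llseek-..., allow-waitpid-...) while the existing allow_getpid_in_seccomp_filter.patch uses underscores; one naming convention would keep the patch directory consistent. Both new patches also touch neighbouring lines of the same list in sys_linux.c (hunks at 473 and 468), so it is worth confirming they apply cleanly in the listed order.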

--- End Message ---
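One way to confirm from an audit log which system calls an allowlist like the one patched above is missing, as an added example that is not part of the original message or of chrony. The log records are constructed, the function names are hypothetical, and the example assumes the filter's denials reach the audit log as type=SECCOMP records on a 32-bit x86 (i386) system.

```python
import re
from collections import Counter

AUDIT_ARCH_I386 = "40000003"
# i386 syscall numbers for the calls named in the report and their siblings.
I386_SYSCALLS = {7: "waitpid", 19: "lseek", 114: "wait4", 140: "_llseek"}

# Subset of the allowlist shown in the diff, before and after the two patches.
PRE_PATCH = {"lseek", "wait4", "fstat64", "stat64"}
POST_PATCH = PRE_PATCH | {"_llseek", "waitpid"}

# Constructed audit records (assumption: not taken from the bug report).
SAMPLE_LOG = """\
type=SECCOMP msg=audit(1551361153.100:201): auid=4294967295 uid=109 gid=114 ses=4294967295 pid=812 comm="chronyd" exe="/usr/sbin/chronyd" sig=31 arch=40000003 syscall=140 compat=0 ip=0xb7f3a1c9 code=0x0
type=SYSCALL msg=audit(1551361153.101:202): arch=40000003 syscall=5 success=yes exit=3 comm="chronyd" exe="/usr/sbin/chronyd"
type=SECCOMP msg=audit(1551361217.420:207): auid=4294967295 uid=109 gid=114 ses=4294967295 pid=830 comm="chronyd" exe="/usr/sbin/chronyd" sig=31 arch=40000003 syscall=140 compat=0 ip=0xb7f3a1c9 code=0x0
type=SECCOMP msg=audit(1551361290.007:215): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=845 comm="chronyd" exe="/usr/sbin/chronyd" sig=31 arch=40000003 syscall=7 compat=0 ip=0xb7e91d2a code=0x0
type=SECCOMP msg=audit(1551361301.550:219): auid=1000 uid=1000 gid=1000 ses=3 pid=901 comm="other" exe="/usr/bin/other" sig=31 arch=40000003 syscall=140 compat=0 ip=0xb7aa0001 code=0x0
"""

SECCOMP_RE = re.compile(
    r'^type=SECCOMP\b.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\barch=(?P<arch>[0-9a-f]+)\s+syscall=(?P<nr>\d+)'
)

def seccomp_denials(log_text, comm):
    """Count syscalls a seccomp filter denied for one command name."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SECCOMP_RE.match(line)
        if not m or m["comm"] != comm:
            continue  # other record types and other processes are ignored
        if m["arch"] == AUDIT_ARCH_I386:
            name = I386_SYSCALLS.get(int(m["nr"]), "i386:" + m["nr"])
        else:
            name = "arch-%s:%s" % (m["arch"], m["nr"])  # number left unresolved
        counts[name] += 1
    return dict(counts)

def missing_from_allowlist(denials, allowlist):
    """Denied syscalls that the given allowlist does not contain."""
    return sorted(name for name in denials if name not in allowlist)

if __name__ == "__main__":
    hits = seccomp_denials(SAMPLE_LOG, "chronyd")
    print(hits, missing_from_allowlist(hits, PRE_PATCH))
```
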
--- Begin Message ---
Version: 9.9

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam

--- End Message ---
