Bug#939890: buster-pu: package rpcbind/1.2.5-0.3+deb10u1
Hi,
I've included the recommended changes for the fix:
rpcbind (1.2.5-0.3+deb10u1) buster; urgency=medium
* Add 00-rmt-calls.patch (Closes: #939877):
+ Add command line option to enable remote calls at runtime
+ Refresh debian/patches
* debian/control: Update maintainer information
* Add debian/README.debian explaining remote calls activation for
Debian systems
* Add debian/NEWS
$ debdiff rpcbind_1.2.5-0.3.dsc rpcbind_1.2.5-0.3+deb10u1.dsc | diffstat
NEWS | 12 ++
README.debian | 11 ++
changelog | 12 ++
control | 2
patches/00-rmt-calls.patch | 118
++++++++++++++++++++++++
patches/02-manpages.patch | 4
patches/03-563971-warmstart-error-msg.patch | 14 +-
patches/04-610718-non-linux.patch | 2
patches/rpcinfo-Fix-stack-buffer-overflow.patch | 4
patches/run-migration | 2
patches/series | 1
11 files changed, 167 insertions(+), 15 deletions(-)
The debdiff is attached.
Regards
--Josue
diff -Nru rpcbind-1.2.5/debian/NEWS rpcbind-1.2.5/debian/NEWS
--- rpcbind-1.2.5/debian/NEWS 1969-12-31 18:00:00.000000000 -0600
+++ rpcbind-1.2.5/debian/NEWS 2019-09-09 12:19:21.000000000 -0600
@@ -0,0 +1,12 @@
+rpcbind (1.2.5-0.3+deb10u1) buster; urgency=medium
+
+ Since version 1.2.5 upstream has turned off the remote calls functionality
+ in order to improve security. This can be turned on at build time.
+ This functionality caused rpcbind to open up random listening ports. This
+ change broke up broadcasts requests to rpcbind making systems depending
+ on this feature unusable, e.g. NIS systems.
+
+ This release accepts the new command line parameter 'r' to turn on the
+ remote calls functionality when needed.
+
+ -- Josue Ortega <josue@debian.org> Tue, 17 Sep 2019 19:08:34 -0600
diff -Nru rpcbind-1.2.5/debian/README.debian rpcbind-1.2.5/debian/README.debian
--- rpcbind-1.2.5/debian/README.debian 1969-12-31 18:00:00.000000000 -0600
+++ rpcbind-1.2.5/debian/README.debian 2019-09-09 12:19:21.000000000 -0600
@@ -0,0 +1,11 @@
+rpcbind for Debian
+------------------
+Since version 1.2.5 due to security concerns upstream has turned off
+the remote calls functionality by default and added a configuration
+flag at build time to enable it.
+This functionality caused rpcbind to open up random listening ports.
+With remote calls turned off rpcbind stops to receive any broadcast query
+causing breakage on systems depending on this feature, e.g., NIS systems.
+
+On Debian systems the remote calls can be turned on at run-time using
+the command line argument 'r'. See rpcbind(8) for more details.
diff -Nru rpcbind-1.2.5/debian/changelog rpcbind-1.2.5/debian/changelog
--- rpcbind-1.2.5/debian/changelog 2018-10-22 04:54:11.000000000 -0600
+++ rpcbind-1.2.5/debian/changelog 2019-09-09 12:19:21.000000000 -0600
@@ -1,3 +1,15 @@
+rpcbind (1.2.5-0.3+deb10u1) buster; urgency=medium
+
+ * Add 00-rmt-calls.patch (Closes: #939877):
+ + Add command line option to enable remote calls at runtime
+ + Refresh debian/patches
+ * debian/control: Update maintainer information
+ * Add debian/README.debian explaining remote calls activation for
+ Debian systems
+ * Add debian/NEWS
+
+ -- Josue Ortega <josue@debian.org> Mon, 09 Sep 2019 12:19:21 -0600
+
rpcbind (1.2.5-0.3) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru rpcbind-1.2.5/debian/control rpcbind-1.2.5/debian/control
--- rpcbind-1.2.5/debian/control 2018-10-20 05:18:17.000000000 -0600
+++ rpcbind-1.2.5/debian/control 2019-09-09 12:19:21.000000000 -0600
@@ -1,7 +1,7 @@
Source: rpcbind
Section: net
Priority: optional
-Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
+Maintainer: Josue Ortega <josue@debian.org>
Build-Depends: debhelper (>= 11), pkg-config, libtirpc-dev (>= 1.0.2), libwrap0-dev, libsystemd-dev [linux-any]
Standards-Version: 4.2.1
Homepage: http://sourceforge.net/projects/rpcbind/
diff -Nru rpcbind-1.2.5/debian/patches/00-rmt-calls.patch rpcbind-1.2.5/debian/patches/00-rmt-calls.patch
--- rpcbind-1.2.5/debian/patches/00-rmt-calls.patch 1969-12-31 18:00:00.000000000 -0600
+++ rpcbind-1.2.5/debian/patches/00-rmt-calls.patch 2019-09-09 12:19:21.000000000 -0600
@@ -0,0 +1,118 @@
+Description: Add command line option to enable remote calls at runtime instead build time
+Author: Josue Ortega <josue@debian.org>
+Last-Update: 2019-09-17
+
+
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -29,10 +29,6 @@
+ AM_CPPFLAGS += -DLIBWRAP
+ endif
+
+-if RMTCALLS
+-AM_CPPFLAGS += -DRMTCALLS
+-endif
+-
+ bin_PROGRAMS = rpcinfo
+ sbin_PROGRAMS = rpcbind
+
+--- a/src/rpcbind.c
++++ b/src/rpcbind.c
+@@ -88,6 +88,7 @@
+ int doabort = 0; /* When debugging, do an abort on errors */
+ int dofork = 1; /* fork? */
+ int createdsocket = 0; /* Did I create the socket or systemd did it for me? */
++int rmtcalls = 0; /* Remote calls */
+
+ rpcblist_ptr list_rbl; /* A list of version 3/4 rpcbind services */
+
+@@ -796,12 +797,12 @@
+ #endif
+
+
+-#ifdef RMTCALLS
++ if (rmtcalls) {
+ /*
+ * rmtcall only supported on CLTS transports for now.
+ */
+- if (nconf->nc_semantics == NC_TPI_CLTS) {
+- status = create_rmtcall_fd(nconf);
++ if (nconf->nc_semantics == NC_TPI_CLTS) {
++ status = create_rmtcall_fd(nconf);
+ #ifdef RPCBIND_DEBUG
+ if (debugging) {
+ if (status < 0) {
+@@ -814,8 +815,8 @@
+ }
+ }
+ #endif
+- }
+-#endif
++ }
++ }
+
+ return (0);
+ error:
+@@ -881,7 +882,7 @@
+ {
+ int c;
+ oldstyle_local = 1;
+- while ((c = getopt(argc, argv, "adh:ilswf")) != -1) {
++ while ((c = getopt(argc, argv, "adh:ilswfr")) != -1) {
+ switch (c) {
+ case 'a':
+ doabort = 1; /* when debugging, do an abort on */
+@@ -911,13 +912,16 @@
+ case 'f':
+ dofork = 0;
+ break;
++ case 'r':
++ rmtcalls = 1;
++ break;
+ #ifdef WARMSTART
+ case 'w':
+ warmstart = 1;
+ break;
+ #endif
+ default: /* error */
+- fprintf(stderr, "usage: rpcbind [-adhilswf]\n");
++ fprintf(stderr, "usage: rpcbind [-adhilswfr]\n");
+ exit (1);
+ }
+ }
+--- a/man/rpcbind.8
++++ b/man/rpcbind.8
+@@ -11,7 +11,7 @@
+ .Nd universal addresses to RPC program number mapper
+ .Sh SYNOPSIS
+ .Nm
+-.Op Fl adhiLls
++.Op Fl adhiLlsr
+ .Sh DESCRIPTION
+ The
+ .Nm
+@@ -137,6 +137,11 @@
+ starts up. The state file is created when
+ .Nm
+ terminates.
++.It Fl r
++Turn on remote calls. Cause
++.Nm
++to open up random listening ports. Note that rpcinfo need this feature turned on
++for work properly.
+ .El
+ .Sh NOTES
+ All RPC servers must be restarted if
+--- a/configure.ac
++++ b/configure.ac
+@@ -21,10 +21,6 @@
+ AS_HELP_STRING([--enable-warmstarts], [Enables Warm Starts @<:@default=no@:>@]))
+ AM_CONDITIONAL(WARMSTART, test x$enable_warmstarts = xyes)
+
+-AC_ARG_ENABLE([rmtcalls],
+- AS_HELP_STRING([--enable-rmtcalls], [Enables Remote Calls @<:@default=no@:>@]))
+-AM_CONDITIONAL(RMTCALLS, test x$enable_rmtcalls = xyes)
+-
+ AC_ARG_WITH([statedir],
+ AS_HELP_STRING([--with-statedir=ARG], [use ARG as state dir @<:@default=/var/run/rpcbind@:>@])
+ ,, [with_statedir=/var/run/rpcbind])
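Review bot: Removing `-DRMTCALLS` from Makefile.am and `--enable-rmtcalls` from configure.ac leaves the macro undefined for every source file, but only the one guard in src/rpcbind.c (the `@@ -796` hunk) is converted to the runtime test `if (rmtcalls) {`. If any other file still has an `#ifdef RMTCALLS` (none is visible here), that code is now compiled out whether or not `-r` is given, so a grep over the source tree before upload would confirm this is the only site. Since `-r` re-enables behaviour the NEWS entry says upstream turned off for security, the global deserves more than `/* Remote calls */`, for example `int rmtcalls = 0; /* -r: enable remote calls; opens extra random listening ports, default off */`. The rpcbind.8 entry could also say that the option is meant only for hosts that need broadcast queries (NEWS names NIS) and that the extra ports should be covered by the host's packet filter. The functions enclosing the `if (rmtcalls)` block and the getopt loop start and end outside the hunks shown.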
diff -Nru rpcbind-1.2.5/debian/patches/02-manpages.patch rpcbind-1.2.5/debian/patches/02-manpages.patch
--- rpcbind-1.2.5/debian/patches/02-manpages.patch 2018-10-14 05:57:17.000000000 -0600
+++ rpcbind-1.2.5/debian/patches/02-manpages.patch 2019-09-09 12:19:21.000000000 -0600
@@ -2,7 +2,7 @@
--- a/man/rpcbind.8
+++ b/man/rpcbind.8
-@@ -145,5 +145,4 @@ is restarted.
+@@ -150,5 +150,4 @@
.Sh SEE ALSO
.Xr rpcinfo 8
.Sh LINUX PORT
@@ -11,7 +11,7 @@
+Aurelien Charbon <aurelien.charbon@bull.net>
--- a/man/rpcinfo.8
+++ b/man/rpcinfo.8
-@@ -303,7 +303,7 @@ option to display a more concise list:
+@@ -303,7 +303,7 @@
example$ rpcinfo -s klaxon
.Ed
.Bl -column "program" "w,x,y,z" "local,tcp,udp,tcp6,udp6" "nlockmgr" "super-user"
diff -Nru rpcbind-1.2.5/debian/patches/03-563971-warmstart-error-msg.patch rpcbind-1.2.5/debian/patches/03-563971-warmstart-error-msg.patch
--- rpcbind-1.2.5/debian/patches/03-563971-warmstart-error-msg.patch 2017-05-05 11:46:00.000000000 -0600
+++ rpcbind-1.2.5/debian/patches/03-563971-warmstart-error-msg.patch 2019-09-09 12:19:21.000000000 -0600
@@ -9,13 +9,11 @@
Signed-off-by: sacrificial-spam-address@horizon.com
Tested-by: Anibal Monsalve Salazar <anibal@debian.org>
-Index: rpcbind-0.2.1/src/rpcbind.c
-===================================================================
---- rpcbind-0.2.1.orig/src/rpcbind.c
-+++ rpcbind-0.2.1/src/rpcbind.c
-@@ -778,13 +778,18 @@ parseargs(int argc, char *argv[])
- case 'f':
- dofork = 0;
+--- a/src/rpcbind.c
++++ b/src/rpcbind.c
+@@ -915,13 +915,18 @@
+ case 'r':
+ rmtcalls = 1;
break;
-#ifdef WARMSTART
case 'w':
@@ -24,7 +22,7 @@
break;
-#endif
default: /* error */
- fprintf(stderr, "usage: rpcbind [-adhilswf]\n");
+ fprintf(stderr, "usage: rpcbind [-adhilswfr]\n");
+#else
+ fprintf(stderr, "-w: rpcbind compiled without WARMSTART support.\n");
+ /* FALLTHROUGH */
diff -Nru rpcbind-1.2.5/debian/patches/04-610718-non-linux.patch rpcbind-1.2.5/debian/patches/04-610718-non-linux.patch
--- rpcbind-1.2.5/debian/patches/04-610718-non-linux.patch 2017-05-05 11:46:00.000000000 -0600
+++ rpcbind-1.2.5/debian/patches/04-610718-non-linux.patch 2019-09-09 12:19:21.000000000 -0600
@@ -2,7 +2,7 @@
===================================================================
--- rpcbind-0.2.1.orig/src/security.c
+++ rpcbind-0.2.1/src/security.c
-@@ -53,7 +53,7 @@ int deny_severity = LIBWRAP_DENY_FACILIT
+@@ -72,7 +72,7 @@ int deny_severity = LIBWRAP_DENY_FACILIT
#ifndef PORTMAP_LOG_SEVERITY
# define PORTMAP_LOG_SEVERITY LOG_INFO
#endif
diff -Nru rpcbind-1.2.5/debian/patches/rpcinfo-Fix-stack-buffer-overflow.patch rpcbind-1.2.5/debian/patches/rpcinfo-Fix-stack-buffer-overflow.patch
--- rpcbind-1.2.5/debian/patches/rpcinfo-Fix-stack-buffer-overflow.patch 2018-10-14 07:57:31.000000000 -0600
+++ rpcbind-1.2.5/debian/patches/rpcinfo-Fix-stack-buffer-overflow.patch 2019-09-09 12:19:21.000000000 -0600
@@ -27,7 +27,7 @@
index 9b46864..cfdba88 100644
--- a/src/rpcinfo.c
+++ b/src/rpcinfo.c
-@@ -973,6 +973,7 @@ rpcbdump (dumptype, netid, argc, argv)
+@@ -980,6 +980,7 @@
(" program version(s) netid(s) service owner\n");
for (rs = rs_head; rs; rs = rs->next)
{
@@ -35,7 +35,7 @@
char *p = buf;
printf ("%10ld ", rs->prog);
-@@ -985,12 +986,22 @@ rpcbdump (dumptype, netid, argc, argv)
+@@ -992,12 +993,22 @@ rpcbdump (dumptype, netid, argc, argv)
}
printf ("%-10s", buf);
buf[0] = '\0';
diff -Nru rpcbind-1.2.5/debian/patches/run-migration rpcbind-1.2.5/debian/patches/run-migration
--- rpcbind-1.2.5/debian/patches/run-migration 2017-05-05 11:46:00.000000000 -0600
+++ rpcbind-1.2.5/debian/patches/run-migration 2019-09-09 12:19:21.000000000 -0600
@@ -8,7 +8,7 @@
===================================================================
--- rpcbind-0.2.1.orig/src/rpcbind.c
+++ rpcbind-0.2.1/src/rpcbind.c
-@@ -93,7 +93,14 @@ char *rpcbinduser = NULL;
+@@ -106,7 +106,14 @@ char *rpcbinduser = NULL;
/* who to suid to if -s is given */
#define RUN_AS "daemon"
diff -Nru rpcbind-1.2.5/debian/patches/series rpcbind-1.2.5/debian/patches/series
--- rpcbind-1.2.5/debian/patches/series 2018-10-14 07:57:45.000000000 -0600
+++ rpcbind-1.2.5/debian/patches/series 2019-09-09 12:19:21.000000000 -0600
@@ -1,3 +1,4 @@
+00-rmt-calls.patch
02-manpages.patch
03-563971-warmstart-error-msg.patch
04-610718-non-linux.patch