
Bug#940943: marked as done (buster-pu: package gnustep-base/1.26.0-4+deb10u1)



Your message dated Sat, 16 Nov 2019 10:08:47 +0000
with message-id <83c9ffab6f08361485f70dda4733a7a24aeec09b.camel@adam-barratt.org.uk>
and subject line Closing bugs for 10.2 point release fixes
has caused the Debian Bug report #940943,
regarding buster-pu: package gnustep-base/1.26.0-4+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
940943: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940943
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

I'd like to update the gnustep-base package in buster to fix #939119.
Additionally, the OP has also discovered a vulnerability in the gdomap
daemon which was reported to the Debian security team.  Haven't got a
response from them but the patch was approved by the upstream
maintainer and subsequently committed to the upstream repository.

Tested on a buster system; debdiff attached.
diff -Nru gnustep-base-1.26.0/debian/changelog gnustep-base-1.26.0/debian/changelog
--- gnustep-base-1.26.0/debian/changelog	2019-02-01 23:20:45.000000000 +0200
+++ gnustep-base-1.26.0/debian/changelog	2019-09-22 12:44:38.000000000 +0300
@@ -1,3 +1,16 @@
+gnustep-base (1.26.0-4+deb10u1) buster; urgency=medium
+
+  * debian/gnustep-base-runtime.preinst: New file; handle the poor
+    upgrade from stretch to buster which left the gdomap daemon enabled
+    (Closes: #939119).  Thanks to Alan Jenkins.
+  * debian/NEWS: Document that the gdomap daemon is disabled forcefully.
+  * debian/patches/gdomap-udp-amplification.patch: New; fix UDP
+    amplification vulnerability.  Patch by Alan Jenkins.
+  * debian/patches/series: Update.
+  * debian/gbp.conf: Set debian-branch to buster.
+
+ -- Yavor Doganov <yavor@gnu.org>  Sun, 22 Sep 2019 12:44:38 +0300
+
 gnustep-base (1.26.0-4) unstable; urgency=medium
 
   * debian/patches/armhf-test.patch: New; ignore a failing test on armhf
diff -Nru gnustep-base-1.26.0/debian/gbp.conf gnustep-base-1.26.0/debian/gbp.conf
--- gnustep-base-1.26.0/debian/gbp.conf	2019-01-10 14:50:12.000000000 +0200
+++ gnustep-base-1.26.0/debian/gbp.conf	2019-09-22 12:44:07.000000000 +0300
@@ -1,2 +1,3 @@
 [DEFAULT]
 pristine-tar = True
+debian-branch = buster
diff -Nru gnustep-base-1.26.0/debian/gnustep-base-runtime.preinst gnustep-base-1.26.0/debian/gnustep-base-runtime.preinst
--- gnustep-base-1.26.0/debian/gnustep-base-runtime.preinst	1970-01-01 02:00:00.000000000 +0200
+++ gnustep-base-1.26.0/debian/gnustep-base-runtime.preinst	2019-09-22 12:26:06.000000000 +0300
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+set -e
+set -u
+
+# Upgrades from stretch to buster have made the gdomap daemon enabled
+# by default which is undesirable.  Explicitly delete the symlinks and
+# let update-rc.d recreate them in postinst.  See #939119.
+# Remove after bullseye is released.
+if [ "$1" = "upgrade" ]; then
+    if dpkg --compare-versions "$2" lt 1.26.0-4+deb10u1; then
+        ENABLED=no
+        if [ -f /etc/default/gdomap ]; then
+            . /etc/default/gdomap
+        fi
+        if [ "$ENABLED" != "yes" ]; then
+            find /etc/rc?.d -name "*gdomap" -delete
+        fi
+    fi
+fi
+
+#DEBHELPER#
+
+exit 0
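Review bot: the `find /etc/rc?.d -name "*gdomap" -delete` line runs under `set -e`, so on a system where the `rc?.d` glob does not expand (no such directories) `find` exits non-zero and the whole package upgrade aborts; `update-rc.d -f gdomap remove` does the same symlink removal through the maintained interface and fails more predictably, or append `|| true` to the `find`. The same concern applies to `. /etc/default/gdomap` under `set -u`: that file is admin-editable, and any reference to an unset variable in it aborts the preinst, so consider `set +u` before the source and `set -u` after it. The comment should also state that the script honours `ENABLED=yes` from `/etc/default/gdomap` and leaves the links alone in that case, since that is the behaviour an admin who deliberately enabled the daemon relies on.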
diff -Nru gnustep-base-1.26.0/debian/NEWS gnustep-base-1.26.0/debian/NEWS
--- gnustep-base-1.26.0/debian/NEWS	2018-01-01 12:39:24.000000000 +0200
+++ gnustep-base-1.26.0/debian/NEWS	2019-09-22 12:32:35.000000000 +0300
@@ -1,3 +1,12 @@
+gnustep-base (1.26.0-4+deb10u1) buster; urgency=medium
+
+  The gdomap daemon has been inadvertently enabled in 1.25.1-1 while
+  implementing a new Debian Policy requirement (§9.3.3.1).  This version
+  forcefully disables it again.  If you want the daemon running, run
+  "update-rc.d gdomap enable" to enable it.
+
+ -- Yavor Doganov <yavor@gnu.org>  Sun, 22 Sep 2019 12:32:33 +0300
+
 gnustep-base (1.25.0-1) experimental; urgency=medium
 
   The example programs using the GNUstep Base library have been moved to
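Review bot: the NEWS entry only tells the init-script half of the story; it should also mention that this upload fixes a UDP amplification issue in gdomap (the `gdomap-udp-amplification.patch` in the same debdiff), because that is the reason an admin should care whether the daemon is listening, and that the preinst keeps the daemon enabled when `/etc/default/gdomap` sets `ENABLED=yes`, so "forcefully disables it" is not unconditional. "forcefully" would read better as "forcibly".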
diff -Nru gnustep-base-1.26.0/debian/patches/gdomap-udp-amplification.patch gnustep-base-1.26.0/debian/patches/gdomap-udp-amplification.patch
--- gnustep-base-1.26.0/debian/patches/gdomap-udp-amplification.patch	1970-01-01 02:00:00.000000000 +0200
+++ gnustep-base-1.26.0/debian/patches/gdomap-udp-amplification.patch	2019-09-22 12:40:24.000000000 +0300
@@ -0,0 +1,61 @@
+Description: Fix UDP amplification vulnerability
+ A couple of is_local_net() tests were wrong: they used "&&" with
+ masks, but that is the logical shortcut operator.  The correct
+ bitwise operator is "&".  The result was that is_local_net() was
+ always returning true.
+ .
+ Only allow local processes to send GDO_SERVERS requests.  This
+ request is only useful locally.  Do not allow remote requests for the
+ server list.  Our response can be large, so it would make a great UDP
+ amplification attack.
+ . 
+ Patch by Alan Jenkins <alan.christopher.jenkins@gmail.com>; issue
+ reported to the Debian security team.
+Origin: upstream, commit:de9740c
+Last-Update: 2019-09-22
+---
+
+--- gnustep-base.orig/Tools/gdomap.c
++++ gnustep-base/Tools/gdomap.c
+@@ -419,7 +419,7 @@
+ 
+   for (i = 0; i < interfaces; i++)
+     {
+-      if ((mask[i].s_addr && addr[i].s_addr) == (mask[i].s_addr && a.s_addr))
++      if ((mask[i].s_addr & addr[i].s_addr) == (mask[i].s_addr & a.s_addr))
+ 	{
+ 	  return 1;
+ 	}
+@@ -3100,6 +3100,21 @@
+       unsigned int	i;
+       unsigned int	j;
+ 
++      /*
++       *	See if this is a request from a local process.
++       *
++       *	This request is only useful locally.  Do not allow remote
++       *	requests for the server list.  Our response can be large,
++       *	so it would make a great UDP amplification attack.
++       */
++      if (is_local_host(ri->addr.sin_addr) == 0)
++	{
++	  snprintf(ebuf, sizeof(ebuf), "Illegal attempt to list servers!");
++	  gdomap_log(LOG_ERR);
++	  clear_chan(desc);
++	  return;
++	}
++
+       free(wi->buf);
+       wi->buf = (char*)calloc(sizeof(uint32_t)
+ 	+ (prb_used+1)*IASIZE, 1);
+@@ -3260,8 +3275,8 @@
+ 		    {
+ 		      continue;
+ 		    }
+-		  if ((mask[i].s_addr && addr[i].s_addr) ==
+-			(mask[i].s_addr && ri->addr.sin_addr.s_addr))
++		  if ((mask[i].s_addr & addr[i].s_addr) ==
++			(mask[i].s_addr & ri->addr.sin_addr.s_addr))
+ 		    {
+ 		      laddr = addr[i];
+ 		      memcpy(wbuf, &laddr, IASIZE);
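Review bot: in the GDO_SERVERS hunk (`@@ -3100,6 +3100,21 @@`) the log line `"Illegal attempt to list servers!"` records nothing about who sent the request, yet this is exactly the event an operator would want to alert on; include the peer address, e.g. `inet_ntoa(ri->addr.sin_addr)`, in the `snprintf`. Worth stating in the description: `is_local_host()` trusts the UDP source address, which is unauthenticated, so the check removes the amplification use (replies no longer go to arbitrary third parties) but is not an access control, and keeping the daemon disabled unless needed, as the preinst does, remains the primary mitigation. The `&&` to `&` fix is right: with `&&` both sides collapse to 0 or 1 and compare equal for any non-zero address, which is why `is_local_net()` accepted everything; note that the second occurrence (`@@ -3260,8 +3275,8 @@`) is the interface-selection loop, so before the fix the reply could also carry the wrong local address. Minor: the DEP-3 header has a trailing space on the second `.` separator line and no `Bug`/`Bug-Debian` field; add one if the security team assigns a reference.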
diff -Nru gnustep-base-1.26.0/debian/patches/series gnustep-base-1.26.0/debian/patches/series
--- gnustep-base-1.26.0/debian/patches/series	2019-02-01 22:19:23.000000000 +0200
+++ gnustep-base-1.26.0/debian/patches/series	2019-09-22 12:41:27.000000000 +0300
@@ -8,3 +8,4 @@
 fix-tests-timings.patch
 autogsdoc-reproducibility.patch
 armhf-test.patch
+gdomap-udp-amplification.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.2

Hi,

The fixes referenced by these bugs were included in today's 10.2 stable
point release.

Regards,

Adam

--- End Message ---
