Bug#948904: buster-pu: package spf-engine/2.9.1-0+deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
After the last stable update, a serious problem with using Unix sockets
was reported upstream by a Debian user and fixed in version 2.9.2.  The
proposed update makes it so Unix sockets work.  There are also some minor
documentation improvements.  Being limited to TCP sockets is a
substantial limitation for a milter application.

The fix has been tested on buster prior to upstream release and no
significant issues have come up in the two months since it was released.

This change will not affect TCP socket users and makes Unix sockets
working vice not working, so the regression risk is negligible.

Scott K

diff -Nru spf-engine-2.9.1/CHANGES spf-engine-2.9.2/CHANGES
--- spf-engine-2.9.1/CHANGES	2019-10-06 20:31:00.000000000 -0400
+++ spf-engine-2.9.2/CHANGES	2019-11-22 19:01:08.000000000 -0500
@@ -4,6 +4,16 @@
 #   ! = Changed something significant, or removed a feature
 #   * = Fixed a bug, or made a minor improvement
 
+--- 2.9.2 (1019-11-22)
+  * Add mention in policyd-spf.conf (5) in the TestOnly entry that to get both
+    TestOnly behavior and no header field appended, Header_Type = None also
+    needs to be set (LP: #1849994)
+  * Milter: Move drop_privileges before Milter.runmilter and delete
+    own_socketfile so that the milter interface runs as the correct user
+    without race conditions about changing ownership of the socket file when
+    it hasn't been created yet (When the milter is started, it will create the
+    socket based on uMask, so we don't need to manually change it)
+
 --- 2.9.1 (2019-10-06)
   * Use /run instead of /var/run
   * Fix-up sysv init so it works
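Review bot: the new entry header reads "--- 2.9.2 (1019-11-22)", and the year looks like a typo for 2019, given the file timestamp of 2019-11-22 on this CHANGES file and the 2019-10-06 date on the 2.9.1 entry below it. Since CHANGES ships in the package, it is worth correcting upstream so the release history stays sortable and credible.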
diff -Nru spf-engine-2.9.1/debian/changelog spf-engine-2.9.2/debian/changelog
--- spf-engine-2.9.1/debian/changelog	2019-10-14 19:04:55.000000000 -0400
+++ spf-engine-2.9.2/debian/changelog	2020-01-14 11:41:17.000000000 -0500
@@ -1,3 +1,19 @@
+spf-engine (2.9.2-0+deb10u1) buster; urgency=medium
+
+  * New upstream bugfix release:
+  * Improve documentation based on user feedbacK:
+    Add mention in policyd-spf.conf (5) in the TestOnly entry that to get both
+    TestOnly behavior and no header field appended, Header_Type = None also
+    needs to be set (LP: #1849994)
+  * Fix priviledge managment at startup so Unix sockets work:
+    Milter: Move drop_privileges before Milter.runmilter and delete
+    own_socketfile so that the milter interface runs as the correct user
+    without race conditions about changing ownership of the socket file when
+    it hasn't been created yet (When the milter is started, it will create the
+    socket based on uMask, so we don't need to manually change it)
+
+ -- Scott Kitterman <scott@kitterman.com>  Tue, 14 Jan 2020 11:41:17 -0500
+
 spf-engine (2.9.1-0+deb10u1) buster; urgency=medium
 
   * New upstream bugfix release
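Review bot: the new changelog stanza has spelling slips that will end up in the stable archive: "feedbacK" in the documentation bullet and "priviledge managment" in the Unix socket bullet. Also, "New upstream bugfix release:" ends in a colon but the two items it introduces are top-level "*" bullets at the same indent, so they read as siblings rather than sub-items; indenting them as "-" sub-bullets would match the intent.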
diff -Nru spf-engine-2.9.1/PKG-INFO spf-engine-2.9.2/PKG-INFO
--- spf-engine-2.9.1/PKG-INFO	2019-10-06 20:31:42.000000000 -0400
+++ spf-engine-2.9.2/PKG-INFO	2019-11-22 19:01:59.000000000 -0500
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: spf-engine
-Version: 2.9.1
+Version: 2.9.2
 Summary: SPF processing for Postfix (and Sendmail)
 Home-page: https://launchpad.net/spf-engine
 Author: Scott Kitterman
diff -Nru spf-engine-2.9.1/policyd-spf.conf.5 spf-engine-2.9.2/policyd-spf.conf.5
--- spf-engine-2.9.1/policyd-spf.conf.5	2019-02-07 21:09:08.000000000 -0500
+++ spf-engine-2.9.2/policyd-spf.conf.5	2019-10-26 21:08:05.000000000 -0400
@@ -212,7 +212,8 @@
 The policy server can operate in a test only mode. This allows you to see the
 potential impact of SPF checking in your mail logs without rejecting mail.
 Headers are prepended in messages, but message delivery is not affected. This
-mode is not enabled by default.  To enable it, set TestOnly = 0.  
+mode is not enabled by default.  To enable it, set TestOnly = 0.  If you want
+test operation with no header added, also set Header_Type = None. 
 
 Note: This option was previously named defaultSeedOnly.  This is still
 accepted, but logs an error.
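Review bot: the added sentence about Header_Type = None sits right after the unchanged statement "Headers are prepended in messages, but message delivery is not affected", which still reads as unconditional. Consider qualifying that earlier sentence (for example "by default") so the paragraph does not contradict itself. The new last line also ends in trailing whitespace after "None.".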
diff -Nru spf-engine-2.9.1/setup.py spf-engine-2.9.2/setup.py
--- spf-engine-2.9.1/setup.py	2019-02-01 21:29:44.000000000 -0500
+++ spf-engine-2.9.2/setup.py	2019-10-26 21:15:11.000000000 -0400
@@ -5,7 +5,7 @@
 DESC = """SPF (Sender Policy Framework) processing engine for Postfix policy server and Milter implemented in Python."""
 
 setup(name='spf-engine',
-    version='2.9.1',
+    version='2.9.2',
     description='SPF processing for Postfix (and Sendmail)',
     long_description=DESC,
     author='Scott Kitterman',
diff -Nru spf-engine-2.9.1/spf_engine/milter_spf.py spf-engine-2.9.2/spf_engine/milter_spf.py
--- spf-engine-2.9.1/spf_engine/milter_spf.py	2019-02-01 21:30:24.000000000 -0500
+++ spf-engine-2.9.2/spf_engine/milter_spf.py	2019-10-26 21:15:59.000000000 -0400
@@ -40,7 +40,7 @@
 from spf_engine.util import own_socketfile
 from spf_engine.util import fold
 
-__version__ = "2.9.1"
+__version__ = "2.9.2"
 FWS = re.compile(r'\r?\n[ \t]+')
 
 
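Review bot: the context line "from spf_engine.util import own_socketfile" at the top of this hunk is left in place, while the util.py part of this same diff deletes own_socketfile. With both applied, importing milter_spf would raise ImportError before main() runs, for TCP and Unix socket users alike. Unless the name is still provided some other way, the import should be dropped in this hunk, and it is worth confirming that the tested build matches this debdiff.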
@@ -231,9 +231,8 @@
     syslog.syslog('pyspf-milter started:{0} user:{1}'
                   .format(pid, milterconfig.get('UserID')))
     sys.stdout.flush()
-    Milter.runmilter(miltername, socketname, 240)
-    own_socketfile(milterconfig)
     drop_privileges(milterconfig)
+    Milter.runmilter(miltername, socketname, 240)
 
 if __name__ == "__main__":
     main()
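Review bot: with drop_privileges(milterconfig) now ahead of Milter.runmilter(miltername, socketname, 240), the socket file is created by the unprivileged UserID, so that user needs write access to the socket's parent directory, and the MTA's ability to connect depends entirely on the umask in effect. Nothing in this hunk sets or checks either, and a stale socket left by an earlier root-owned run may not be removable. Suggest documenting the directory ownership and umask requirement, and logging a clear error if binding the socket fails. The "pyspf-milter started" syslog line is also emitted before the socket is actually bound, so it can appear for a start that then fails.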
diff -Nru spf-engine-2.9.1/spf_engine/policyd_spf.py spf-engine-2.9.2/spf_engine/policyd_spf.py
--- spf-engine-2.9.1/spf_engine/policyd_spf.py	2019-02-01 21:30:04.000000000 -0500
+++ spf-engine-2.9.2/spf_engine/policyd_spf.py	2019-10-26 21:15:38.000000000 -0400
@@ -24,7 +24,7 @@
 '''
 
 def main():
-    __version__ = "2.9.1"
+    __version__ = "2.9.2"
 
     import syslog
     import os
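Review bot: __version__ is assigned inside main() here, so it is a local variable and not a module attribute; anything inspecting spf_engine.policyd_spf.__version__ will not see it. This diff also bumps the same version string by hand in setup.py, milter_spf.py and this file, so a single module-level definition imported by the others would remove the chance of the copies drifting apart.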
diff -Nru spf-engine-2.9.1/spf_engine/util.py spf-engine-2.9.2/spf_engine/util.py
--- spf-engine-2.9.1/spf_engine/util.py	2019-02-01 13:22:20.000000000 -0500
+++ spf-engine-2.9.2/spf_engine/util.py	2019-10-26 21:14:23.000000000 -0400
@@ -124,13 +124,3 @@
     return pid
 
 
-def own_socketfile(milterconfig):
-    """If socket is Unix socket, chown to UserID before dropping privileges"""
-    import os
-    user, group = user_group(milterconfig.get('UserID'))
-    if milterconfig.get('Socket')[:1] == '/':
-        os.chown(milterconfig.get('Socket')[1:], user, group)
-    if milterconfig.get('Socket')[:6] == "local:":
-        os.chown(milterconfig.get('Socket')[6:], user, group)
-
-
diff -Nru spf-engine-2.9.1/spf_engine.egg-info/PKG-INFO spf-engine-2.9.2/spf_engine.egg-info/PKG-INFO
--- spf-engine-2.9.1/spf_engine.egg-info/PKG-INFO	2019-10-06 20:31:42.000000000 -0400
+++ spf-engine-2.9.2/spf_engine.egg-info/PKG-INFO	2019-11-22 19:01:59.000000000 -0500
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: spf-engine
-Version: 2.9.1
+Version: 2.9.2
 Summary: SPF processing for Postfix (and Sendmail)
 Home-page: https://launchpad.net/spf-engine
 Author: Scott Kitterman