Bug#991940: unblock: munge/0.5.14-6
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package munge
[ Reason ]
* Cherry-pick upstream patch to allow upgrading from buster to bullseye
[ Impact ]
Remove some minor tests to fix kfreebsd builds and a useless check for
the daemon when starting
[ Tests ]
All tests passed
[ Risks ]
It's low risk because:
the change only avoids a useless check that the libgcrypt shared object
linked at runtime is the same as the one the daemon was compiled against [1] and
some minor tests (removed upstream) to fix kfreebsd builds.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
diffstat for munge-0.5.14 munge-0.5.14
changelog | 14 +
patches/0005-Sharness-Remove-tests-to-from-invalid-files.patch | 93 +++++++++
patches/0006-Sharness-Set-IFNAME-prereq-if-network-ifname-found.patch | 102 ++++++++++
patches/0007-Remove-GCRYPT_VERSION-from-gcry_check_version.patch | 36 +++
patches/series | 3
5 files changed, 248 insertions(+)
debdiff attached
unblock munge/0.5.14-6
[1] https://github.com/dun/munge/commit/0c37cc03b649d8861c2d9e8d172bff736bfd9ea4
--
Gennaro Oliva
diff -Nru munge-0.5.14/debian/changelog munge-0.5.14/debian/changelog
--- munge-0.5.14/debian/changelog 2021-02-25 17:08:19.000000000 +0100
+++ munge-0.5.14/debian/changelog 2021-08-06 09:40:42.000000000 +0200
@@ -1,3 +1,17 @@
+munge (0.5.14-6) unstable; urgency=medium
+
+ [Chris Dunlap]
+ * Remove GCRYPT_VERSION from gcry_check_version (Closes: #991875)
+
+ -- Gennaro Oliva <oliva.g@na.icar.cnr.it> Fri, 06 Aug 2021 09:40:42 +0200
+
+munge (0.5.14-5) unstable; urgency=medium
+
+ [Chris Dunlap]
+ * Fix kfreebsd builds
+
+ -- Gennaro Oliva <oliva.g@na.icar.cnr.it> Mon, 22 Mar 2021 02:00:52 +0100
+
munge (0.5.14-4) unstable; urgency=medium
[Chris Dunlap]
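Review bot: The 0.5.14-5 entry says only "Fix kfreebsd builds", which does not tell a reader that patches 0005 and 0006 remove five sharness checks on every architecture and also change daemon code in src/munged/net.c. Suggest listing each patch under that entry by its subject, the way the 0.5.14-6 entry names the gcry_check_version change, so the changelog matches what the release team is asked to review.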
diff -Nru munge-0.5.14/debian/patches/0005-Sharness-Remove-tests-to-from-invalid-files.patch munge-0.5.14/debian/patches/0005-Sharness-Remove-tests-to-from-invalid-files.patch
--- munge-0.5.14/debian/patches/0005-Sharness-Remove-tests-to-from-invalid-files.patch 1970-01-01 01:00:00.000000000 +0100
+++ munge-0.5.14/debian/patches/0005-Sharness-Remove-tests-to-from-invalid-files.patch 2021-08-05 23:56:30.000000000 +0200
@@ -0,0 +1,93 @@
+Description: Sharness: Remove tests to/from invalid files
+ On FreeBSD (12.1, 11.4, 11.3) and NetBSD (9.0, 8.1, 7.2), the following
+ test fails when run with "root=/tmp/munge-test-$$":
+ 0012-munge-cmdline.t 24 - munge --input from invalid file
+ This test attempts to read data for a credential payload from the file
+ "." -- i.e., a directory, and not a regular file. It is expected
+ to fail, and on most platforms it does. However, it unexpectedly
+ succeeds if the input file is on a FreeBSD ufs or NetBSD ffs filesystem
+ (where it uses the directory file contents as the payload data),
+ but fails if the input file is on an nfs or tmpfs filesystem on
+ those platforms. Note that this test fails as expected on OpenBSD
+ ffs and nfs filesystems.
+ This passed testing for 0.5.14 because the test suite ran in an
+ nfs directory. But recent testing with "root=/tmp/munge-test-$$"
+ uncovered the failure since the "root" variable moved the input file
+ to a different filesystem.
+ Since the munge and unmunge client executables do not explicitly
+ check whether the input or output files are regular files, remove the
+ sharness checks that test for an expected failure when specifying an
+ invalid input, metadata, or output file.
+Author: Chris Dunlap <cdunlap@llnl.gov>
+Origin: upstream, https://github.com/dun/munge/commit/cfbb14558ceda9dd42b23a2e4c166a07b73a3223
+Last-Update: 2020-10-14
+Forwarded: not-needed
+
+--- a/t/0012-munge-cmdline.t
++++ b/t/0012-munge-cmdline.t
+@@ -109,10 +109,6 @@ test_expect_success 'munge --input from /dev/null' '
+ test ! -s out.$$
+ '
+
+-test_expect_success 'munge --input from invalid file' '
+- test_must_fail "${MUNGE}" --socket="${MUNGE_SOCKET}" --input=.
+-'
+-
+ test_expect_success 'munge --input from missing file' '
+ test_must_fail "${MUNGE}" --socket="${MUNGE_SOCKET}" \
+ --input=missing.file.$$
+@@ -141,10 +137,6 @@ test_expect_success 'munge --output to /dev/null' '
+ test ! -s out.$$
+ '
+
+-test_expect_success 'munge --output to invalid file' '
+- test_must_fail "${MUNGE}" --socket="${MUNGE_SOCKET}" --no-input --output=.
+-'
+-
+ for OPT_LIST_CIPHERS in '-C' '--list-ciphers'; do
+ test_expect_success "munge ${OPT_LIST_CIPHERS}" '
+ "${MUNGE}" "${OPT_LIST_CIPHERS}" |
+diff --git a/t/0013-unmunge-cmdline.t b/t/0013-unmunge-cmdline.t
+index c034109..07ce8eb 100755
+--- a/t/0013-unmunge-cmdline.t
++++ b/t/0013-unmunge-cmdline.t
+@@ -80,10 +80,6 @@ test_expect_success 'unmunge --input from /dev/null' '
+ test_must_fail "${UNMUNGE}" --socket="${MUNGE_SOCKET}" --input=/dev/null
+ '
+
+-test_expect_success 'unmunge --input from invalid file' '
+- test_must_fail "${UNMUNGE}" --socket="${MUNGE_SOCKET}" --input=.
+-'
+-
+ test_expect_success 'unmunge --input from missing file' '
+ test_must_fail "${UNMUNGE}" --socket="${MUNGE_SOCKET}" \
+ --input=missing.file.$$
+@@ -126,12 +122,6 @@ test_expect_success 'unmunge --metadata to /dev/null with payload on stdout' '
+ test "$(cat out.$$)" = "${PAYLOAD}"
+ '
+
+-test_expect_success 'unmunge --metadata to invalid file' '
+- local PAYLOAD=xyzzy-$$ &&
+- "${MUNGE}" --socket="${MUNGE_SOCKET}" --string="${PAYLOAD}" |
+- test_must_fail "${UNMUNGE}" --socket="${MUNGE_SOCKET}" --metadata=.
+-'
+-
+ for OPT_OUTPUT in '-o' '--output'; do
+ test_expect_success "unmunge ${OPT_OUTPUT}" '
+ local PAYLOAD=xyzzy-$$ &&
+@@ -160,12 +150,6 @@ test_expect_success 'unmunge --output to /dev/null with metadata on stdout' '
+ grep -q -v "${PAYLOAD}" meta.$$
+ '
+
+-test_expect_success 'unmunge --output to invalid file' '
+- local PAYLOAD=xyzzy-$$ &&
+- "${MUNGE}" --socket="${MUNGE_SOCKET}" --string="${PAYLOAD}" |
+- test_must_fail "${UNMUNGE}" --socket="${MUNGE_SOCKET}" --output=.
+-'
+-
+ for OPT_LIST_KEYS in '-K' '--list-keys'; do
+ test_expect_success "unmunge ${OPT_LIST_KEYS}" '
+ "${UNMUNGE}" "${OPT_LIST_KEYS}" |
+--
+2.31.0
+
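Review bot: The "invalid file" checks in t/0012-munge-cmdline.t and t/0013-unmunge-cmdline.t are removed unconditionally, although the description documents an unexpected success only for 'munge --input from invalid file' on FreeBSD ufs and NetBSD ffs. That drops coverage of --input=., --output=. and --metadata=. on platforms where those calls fail as expected. Consider gating the checks behind a sharness prerequisite instead of deleting them, or, since the description states that munge and unmunge do not check for a regular file, raising that with upstream so the clients reject a directory and the checks can stay.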
diff -Nru munge-0.5.14/debian/patches/0006-Sharness-Set-IFNAME-prereq-if-network-ifname-found.patch munge-0.5.14/debian/patches/0006-Sharness-Set-IFNAME-prereq-if-network-ifname-found.patch
--- munge-0.5.14/debian/patches/0006-Sharness-Set-IFNAME-prereq-if-network-ifname-found.patch 1970-01-01 01:00:00.000000000 +0100
+++ munge-0.5.14/debian/patches/0006-Sharness-Set-IFNAME-prereq-if-network-ifname-found.patch 2021-08-06 00:01:31.000000000 +0200
@@ -0,0 +1,102 @@
+Description: Sharness: Set IFNAME prereq if network ifname found
+ Remove the "test -s ifname0.$$" statements from the sharness
+ checks. They make it difficult to diagnose why a check fails.
+ If the file is empty, munged will fail with the error 'Failed to
+ lookup origin ""' which provides useful information for debugging.
+ Create the new check 'munged --origin interface name lookup' which
+ greps the log from the preceding check for the loopback interface
+ name, checks that it is not the empty string, saves the name to
+ the file "ifname0.$$", and sets the sharness IFNAME prerequisite.
+ Change the checks for 'munged --origin interface name' and
+ 'munged --origin interface name metadata' to depend on this new
+ IFNAME prerequisite. Thus, if munged is unable to match 127.0.0.1 to
+ an interface name, these checks will be skipped instead of failing.
+ Change _net_get_hostaddr_via_ifaddrs() to check that ifa_name
+ is not the empty string before assigning the string for the network
+ interface.
+Author: Chris Dunlap <cdunlap@llnl.gov>
+Origin: upstream, https://github.com/dun/munge/commit/77ff6823c423d19823d9259f8e0cae1fc98d9a7b
+Last-Update: 2021-03-19
+Forwarded: not-needed
+
+--- a/src/munged/net.c
++++ b/src/munged/net.c
+@@ -193,7 +193,9 @@ _net_get_hostaddr_via_ifaddrs (const char *name, struct in_addr *inaddrp,
+ */
+ if (ifa != NULL) {
+ *inaddrp = ((struct sockaddr_in *) ifa->ifa_addr)->sin_addr;
+- *ifnamep = (ifa->ifa_name != NULL) ? strdup (ifa->ifa_name) : NULL;
++ *ifnamep = ((ifa->ifa_name != NULL) && (ifa->ifa_name[0] != '\0'))
++ ? strdup (ifa->ifa_name)
++ : NULL;
+ rv = 0;
+ }
+ /* If a match is not found, but host lookup succeeded...
+diff --git a/t/0110-munged-origin-addr.t b/t/0110-munged-origin-addr.t
+index 1e3f642..53bc5af 100755
+--- a/t/0110-munged-origin-addr.t
++++ b/t/0110-munged-origin-addr.t
+@@ -63,15 +63,12 @@ test_expect_success 'munged --origin null address warning' '
+ '
+
+ # Check if the origin address can be set by specifying an IP address.
+-# Save the interface name to ifname0.$$ for later checks.
+ ##
+ test_expect_success 'munged --origin local IP address' '
+ rm -f ifname0.$$ &&
+ munged_start_daemon --origin=127.0.0.1 &&
+ munged_stop_daemon &&
+- egrep "Set origin address to 127\.0\.0\.1\>" "${MUNGE_LOGFILE}" &&
+- sed -n -e "s/.*Set origin address.*(\([^)]*\)).*/\1/p" \
+- "${MUNGE_LOGFILE}" >ifname0.$$
++ egrep "Set origin address to 127\.0\.0\.1\>" "${MUNGE_LOGFILE}"
+ '
+
+ # Check if the origin address is set to the appropriate IP address in the
+@@ -87,23 +84,35 @@ test_expect_success 'munged --origin local IP address metadata' '
+ egrep "^ENCODE_HOST:.* 127\.0\.0\.1\>" meta.$$
+ '
+
+-# Check if the origin address can be set by specifying an interface name.
++# Check the log from the previous test for the network interface name
++# corresponding to the loopback address.
++# Set the IFNAME prereq if "ifname0.$$" contains a non-empty string.
++##
++test_expect_success GETIFADDRS 'munged --origin interface name lookup' '
++ local ifname &&
++ sed -n -e "s/.*Set origin address.*(\([^)]*\)).*/\1/p" "${MUNGE_LOGFILE}" \
++ >ifname0.$$ &&
++ ifname=$(cat ifname0.$$) &&
++ test_debug "echo \"Loopback network interface name is [${ifname}]\"" &&
++ if test "x${ifname}" != x; then test_set_prereq IFNAME; fi
++'
++
++# Check if the origin address can be set by specifying the loopback network
++# interface name.
+ ##
+-test_expect_success GETIFADDRS 'munged --origin interface name' '
+- test -s ifname0.$$ &&
++test_expect_success IFNAME 'munged --origin interface name' '
+ munged_start_daemon --origin="$(cat ifname0.$$)" &&
+ munged_stop_daemon &&
+ egrep "Set origin address to 127\.0\.0\.1\>" "${MUNGE_LOGFILE}" &&
+- sed -n -e "s/.*Set origin address.*(\([^)]*\)).*/\1/p" \
+- "${MUNGE_LOGFILE}" >ifname1.$$ &&
++ sed -n -e "s/.*Set origin address.*(\([^)]*\)).*/\1/p" "${MUNGE_LOGFILE}" \
++ >ifname1.$$ &&
+ test_cmp ifname0.$$ ifname1.$$
+ '
+
+ # Check if the origin address is set to the appropriate IP address in the
+-# credential metadata when specifying an interface name.
++# credential metadata when specifying the loopback network interface name.
+ ##
+-test_expect_success GETIFADDRS 'munged --origin interface name metadata' '
+- test -s ifname0.$$ &&
++test_expect_success IFNAME 'munged --origin interface name metadata' '
+ munged_start_daemon --origin="$(cat ifname0.$$)" &&
+ "${MUNGE}" --socket="${MUNGE_SOCKET}" --no-input --output=cred.$$ &&
+ "${UNMUNGE}" --socket="${MUNGE_SOCKET}" --input=cred.$$ \
+--
+2.31.0
+
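Review bot: In the new 'munged --origin interface name lookup' check in t/0110-munged-origin-addr.t, an empty interface name still lets the check pass, because the closing `if test "x${ifname}" != x; then test_set_prereq IFNAME; fi` returns success either way and the only trace is a test_debug line. The two IFNAME checks are then skipped, so a regression in which munged stops logging the interface name would go unnoticed on hosts that have GETIFADDRS. Suggest reporting the skip reason unconditionally rather than only under test_debug. The src/munged/net.c part also changes daemon behaviour (an empty ifa_name now yields a NULL *ifnamep) and would benefit from a one-line comment saying so.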
diff -Nru munge-0.5.14/debian/patches/0007-Remove-GCRYPT_VERSION-from-gcry_check_version.patch munge-0.5.14/debian/patches/0007-Remove-GCRYPT_VERSION-from-gcry_check_version.patch
--- munge-0.5.14/debian/patches/0007-Remove-GCRYPT_VERSION-from-gcry_check_version.patch 1970-01-01 01:00:00.000000000 +0100
+++ munge-0.5.14/debian/patches/0007-Remove-GCRYPT_VERSION-from-gcry_check_version.patch 2021-08-05 19:47:09.000000000 +0200
@@ -0,0 +1,36 @@
+Description: Replace GCRYPT_VERSION with NULL in gcry_check_version()
+ According to the Libgcrypt documentation, gcry_check_version()
+ should be called with the minimum required version of the library
+ (or NULL if that check is not needed). The <gcrypt.h> header file
+ further notes GCRYPT_VERSION should not be used by the program since
+ gcry_check_version() should return the same version string.
+ Replace GCRYPT_VERSION with NULL in gcry_check_version() to disable the
+ version check. Debian further notes their automated system determined
+ v0.5.14 requires a minimum Libgcrypt version of 1.8.0. However, it
+ seems preferable to disable the check and let distributions perform
+ their dependency checks instead of maintaining this value by hand.
+ Note that gcry_check_version() must still be called because it also
+ initializes the library.
+Author: Chris Dunlap <cdunlap@llnl.gov>
+Origin: upstream, https://github.com/dun/munge/commit/0c37cc03b649d8861c2d9e8d172bff736bfd9ea4
+Last-Update: 2021-08-05
+Forwarded: not-needed
+
+diff --git a/src/common/crypto.c b/src/common/crypto.c
+index 29266a16..6e46ec5b 100644
+--- a/src/common/crypto.c
++++ b/src/common/crypto.c
+@@ -72,11 +72,10 @@ crypto_init (void)
+ /* gcry_check_version() must be called before any other Libgcrypt function
+ * (except the GCRYCTL_SET_THREAD_CBS command prior to Libgcrypt 1.6).
+ */
+- v = gcry_check_version (GCRYPT_VERSION);
++ v = gcry_check_version (NULL);
+ if (v == NULL) {
+ log_err (EMUNGE_SNAFU, LOG_ERR,
+- "Failed to initialize Libgcrypt: version mismatch: expected %s",
+- GCRYPT_VERSION);
++ "Failed to initialize Libgcrypt %s", GCRYPT_VERSION);
+ }
+ e = gcry_control (GCRYCTL_DISABLE_SECMEM, 0);
+ if (e) {
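Review bot: The new log_err call in crypto_init() still prints GCRYPT_VERSION, which the patch description itself says the program should not use and which is the version of the header at build time, not of the library loaded at run time. With the version check disabled, the message "Failed to initialize Libgcrypt %s" can point an administrator at the wrong version; suggest dropping the %s argument. Since the description leaves the 1.8.0 minimum to the distribution, it is also worth confirming that the binary package's Depends on libgcrypt carries that minimum.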
diff -Nru munge-0.5.14/debian/patches/series munge-0.5.14/debian/patches/series
--- munge-0.5.14/debian/patches/series 2021-02-24 00:25:10.000000000 +0100
+++ munge-0.5.14/debian/patches/series 2021-08-05 10:35:43.000000000 +0200
@@ -2,3 +2,6 @@
0002-Sharness-Fix-dup-of-failing-check-when-run-by-root.patch
0003-Sharness-Fix-EACCES-failure-succeeding-for-root.patch
0004-HKDF-Fix-big-endian-bug-caused-by-size_t-ptr-cast.patch
+0005-Sharness-Remove-tests-to-from-invalid-files.patch
+0006-Sharness-Set-IFNAME-prereq-if-network-ifname-found.patch
+0007-Remove-GCRYPT_VERSION-from-gcry_check_version.patch