Control: tags -1 - moreinfo

Hi Sebastian,

On Sat, 2023-03-18 at 09:06 +0100, Sebastian Ramacher wrote:
> Unfortunately these fixes come with a complete overhaul of debian/ which
> is no longer appropriate at this point of the freeze. Please upload a new
> version with targeted fixes only.

Thanks!

https://mentors.debian.net/package/dhcpdump/

Adam, please sponsor it and add DM rights, if you find it appropriate.

Here is my reasoning for the additional changes to the old packaging:

- not installing copyright is a lintian error
- not stripped binary is a lintian error
- dhcpdump runs as root and processes data from the network, building with hardening flags is essential (IMHO)

I allowed myself to change maintainer and close the ITA; I am not sure how good an idea that is at this time. I can easily change it back to a QA upload and postpone for trixie.

--
With best regards,
b.
diff -Nru dhcpdump-1.8/debian/changelog dhcpdump-1.8/debian/changelog
--- dhcpdump-1.8/debian/changelog 2022-12-05 15:08:35.000000000 +0000
+++ dhcpdump-1.8/debian/changelog 2023-03-18 21:43:18.000000000 +0000
@@ -1,3 +1,57 @@
+dhcpdump (1.8-7) unstable; urgency=medium
+
+ * Revert all non-targeted changes since 1.8-4
+ * New maintainer (Closes: #934419)
+ * Fix old packaging
+ - install copyright
+ - hardening flags
+ - proper strip
+ * Add 2 missing checks to d/p/dhcpdump-bugfix_strcounts.patch
+
+ -- Boian Bonev <bbonev@ipacct.com> Sat, 18 Mar 2023 21:43:18 +0000
+
+dhcpdump (1.8-6) unstable; urgency=medium
+
+ * QA upload.
+ * Upload 1.8-5 fixes to unstable.
+
+ -- Adam Borowski <kilobyte@angband.pl> Wed, 08 Mar 2023 17:43:02 +0100
+
+dhcpdump (1.8-5) experimental; urgency=medium
+
+ [ Boian Bonev ]
+ * QA upload.
+ * Install binary and man page.
+ * Add patches that fix:
+ - build options in Makefile (hardening and cross)
+ - ethertype handling (Closes: #873635)
+ - flags calculation
+ - opt82 processing
+ - counts in string arrays (OOB access)
+ - spelling errors
+ - wrong description in man page (Closes: #647228)
+ * Do not depend on tcpdump.
+ * Bump standards to 4.6.2, no changes.
+ * Remove unrelated key and override source not signed.
+ * wrap-and-sort
+
+ [ Joao Paulo Lima de Oliveira ]
+ * debian/control:
+ - Set Rules-Requires-Root:no.
+ - Set homepage-field.
+ - Bumped Standards-Version to 4.6.1.
+ - Set debhelper-compat version in Build-Depends.
+ - Added Depends ${shlibs:Depends} in Depends fields.
+ * debian/rules:
+ - Rewrite to use dh-sequencer.
+ * debian/metadata:
+ - Added missing upstream metadata.
+ - Added upstream's key.
+ * debian/watch:
+ - Add watch file.
+
+ -- Boian Bonev <bbonev@ipacct.com> Thu, 23 Feb 2023 08:31:03 +0000
+
dhcpdump (1.8-4) unstable; urgency=medium
* QA upload.
diff -Nru dhcpdump-1.8/debian/control dhcpdump-1.8/debian/control
--- dhcpdump-1.8/debian/control 2022-12-05 15:08:35.000000000 +0000
+++ dhcpdump-1.8/debian/control 2023-03-18 21:43:18.000000000 +0000
@@ -1,13 +1,20 @@
Source: dhcpdump
Section: admin
Priority: optional
-Maintainer: Debian QA Group <packages@qa.debian.org>
-Build-Depends: libpcap0.8-dev
-Standards-Version: 3.8.0.1
+Maintainer: Boian Bonev <bbonev@ipacct.com>
+Build-Depends:
+ debhelper-compat (= 13),
+ libpcap-dev,
+Standards-Version: 4.6.2
+Rules-Requires-Root: no
+Homepage: http://www.mavetju.org/download/
Package: dhcpdump
Architecture: any
-Depends: ${shlibs:Depends}, tcpdump
-Description: Parse DHCP packets from tcpdump
- This package provides a tool for visualization of DHCP packets as
- recorded and output by tcpdump to analyze DHCP server responses.
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Description: Parse DHCP packets from interface
+ This package provides a tool for visualization of DHCP packets
+ on a network interface to analyze DHCP client requests and
+ server responses.
diff -Nru dhcpdump-1.8/debian/patches/dhcpdump-bugfix_ethertype.patch dhcpdump-1.8/debian/patches/dhcpdump-bugfix_ethertype.patch
--- dhcpdump-1.8/debian/patches/dhcpdump-bugfix_ethertype.patch 1970-01-01 00:00:00.000000000 +0000
+++ dhcpdump-1.8/debian/patches/dhcpdump-bugfix_ethertype.patch 2023-03-18 21:33:55.000000000 +0000
@@ -0,0 +1,22 @@
+Description: Fix network order 16bit value
+ Get the packet's ethertype in a way that works on any
+ kind of endian machine
+ .
+Author: Ben Hildred <42656e@gmail.com>
+Origin: vendor
+Forwarded: BTS #873635
+Last-Update: 2017-08-29
+
+--- a/dhcpdump.c
++++ b/dhcpdump.c
+@@ -132,8 +132,8 @@ void pcap_callback(u_char *user, const s
+ offset += ETHER_HDR_LEN;
+
+ // Check for IPv4 packets
+- if (eh->ether_type != 8) {
+- printf("Ignored non IPv4 packet: %d\n", eh->ether_type);
++ if (eh->ether_type != htons(0x800)) {
++ printf("Ignored non IPv4 packet: %x\n", ntohs(eh->ether_type));
+ return;
+ }
+
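Review bot: The IPv4 test in pcap_callback now compares against the bare literal `htons(0x800)`; the named constant reads better and documents intent, e.g. `if (eh->ether_type != htons(ETHERTYPE_IP)) {`, assuming the header that supplies `struct ether_header` is already included. The hunk also does not show any check that the captured length covers `ETHER_HDR_LEN` before `eh->ether_type` is read, and that is worth confirming in the part of pcap_callback outside this hunk. The function starts and ends outside the hunk.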
diff -Nru dhcpdump-1.8/debian/patches/dhcpdump-bugfix_flags.patch dhcpdump-1.8/debian/patches/dhcpdump-bugfix_flags.patch
--- dhcpdump-1.8/debian/patches/dhcpdump-bugfix_flags.patch 1970-01-01 00:00:00.000000000 +0000
+++ dhcpdump-1.8/debian/patches/dhcpdump-bugfix_flags.patch 2023-03-18 21:33:55.000000000 +0000
@@ -0,0 +1,19 @@
+Description: Fix the flags calculation
+ An obvious typo in converting network order 16bit value
+ .
+Author: Boian Bonev <bbonev@ipacct.com>
+Origin: other
+Forwarded: by-email
+Last-Update: 2013-05-28
+
+--- a/dhcpdump.c
++++ b/dhcpdump.c
+@@ -326,7 +326,7 @@ int printdata(u_char *data, int data_len
+ printf( " XID: %02x%02x%02x%02x\n",
+ data[4], data[5], data[6], data[7]);
+ printf( " SECS: "); print16bits(data + 8);
+- printf("\n FLAGS: %x\n", 255 * data[10] + data[11]);
++ printf("\n FLAGS: %x\n", 256 * data[10] + data[11]);
+
+ printf( "CIADDR: "); printIPaddress(data + 12);
+ printf("\nYIADDR: "); printIPaddress(data + 16);
diff -Nru dhcpdump-1.8/debian/patches/dhcpdump-bugfix_opt82.patch dhcpdump-1.8/debian/patches/dhcpdump-bugfix_opt82.patch
--- dhcpdump-1.8/debian/patches/dhcpdump-bugfix_opt82.patch 1970-01-01 00:00:00.000000000 +0000
+++ dhcpdump-1.8/debian/patches/dhcpdump-bugfix_opt82.patch 2023-03-18 21:33:55.000000000 +0000
@@ -0,0 +1,33 @@
+Description: Fix opt82 handling
+ Print option 82 content in a usable way
+ .
+Author: Boian Bonev <bbonev@ipacct.com>
+Origin: other
+Forwarded: by-email
+Last-Update: 2013-10-04
+
+--- a/dhcpdump.c
++++ b/dhcpdump.c
+@@ -526,18 +526,17 @@ int printdata(u_char *data, int data_len
+ break;
+
+ case 82: // Relay Agent Information
+- printf("\n");
+- for (i = j + 2; i < j + data[j + 1]; ) {
+- printf("%-17s %-13s ", " ",
++ for (i = j + 2; i < j + data[j + 1] + 2; ) {
++ printf("\n%-17s %-13s ", " ",
+ data[i] > sizeof(relayagent_suboptions) ?
+ "*wrong value*" :
+ relayagent_suboptions[data[i]]);
+- if (i + data[i + 1] > j + data[j + 1]) {
++ if (i + data[i + 1] + 2 > j + data[j + 1] + 2) {
+ printf("*MALFORMED -- TOO LARGE*\n");
+ break;
+ }
+ printHexColon(data + i + 2, data[i + 1]);
+- i += data[i + 1];
++ i += data[i + 1] + 2;
+ }
+ break;
+
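Review bot: In the option 82 loop the sub-option length byte `data[i + 1]` is read before anything confirms that two header bytes remain inside the option. The loop condition `i < j + data[j + 1] + 2` still admits `i` on the option's last byte, so the length used by the `*MALFORMED*` test and by `printHexColon` can come from outside the option. A guard at the top of the loop body would close this, for example `if (i + 2 > j + data[j + 1] + 2) { printf("*MALFORMED -- TRUNCATED*\n"); break; }`. Whether `j + data[j + 1] + 2` is itself checked against `data_len` cannot be seen here, because printdata starts and ends outside the hunk.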
diff -Nru dhcpdump-1.8/debian/patches/dhcpdump-bugfix_strcounts.patch dhcpdump-1.8/debian/patches/dhcpdump-bugfix_strcounts.patch
--- dhcpdump-1.8/debian/patches/dhcpdump-bugfix_strcounts.patch 1970-01-01 00:00:00.000000000 +0000
+++ dhcpdump-1.8/debian/patches/dhcpdump-bugfix_strcounts.patch 2023-03-18 21:43:18.000000000 +0000
@@ -0,0 +1,81 @@
+Description: Add check to avoid OOB access
+ sizeof(char *[]) should be divided by sizeof(char *) in
+ order to get the element count
+ .
+Author: Boian Bonev <bbonev@ipacct.com>
+Origin: other
+Forwarded: by-email
+Last-Update: 2023-03-19
+
+--- a/dhcpdump.c
++++ b/dhcpdump.c
+@@ -39,6 +39,8 @@
+
+ #define LARGESTRING 1024
+
++#define strcountof(x) (sizeof(x)/sizeof(*(x)))
++
+ // header variables
+ char timestamp[40]; // timestamp on header
+ char mac_origin[40]; // mac address of origin
+@@ -446,7 +448,11 @@ int printdata(u_char *data, int data_len
+ case 31: // Perform router discovery
+ case 34: // Trailer encapsulation
+ case 39: // TCP keepalive garbage
+- printf("%d (%s)", data[j + 2], enabledisable[data[j + 2]]);
++ printf("%d (%s)",
++ data[j + 2],
++ data[j + 2] > strcountof(enabledisable) ?
++ "*unknown*" :
++ enabledisable[data[j + 2]]);
+ break;
+
+ case 23: // Default IP TTL
+@@ -464,7 +470,10 @@ int printdata(u_char *data, int data_len
+
+ case 46: // NetBIOS over TCP/IP node type
+ printf("%d (%s)",
+- data[j + 2], netbios_node_type[data[j + 2]]);
++ data[j + 2],
++ data[j + 2] > strcountof(netbios_node_type) ?
++ "*unknown*" :
++ netbios_node_type[data[j + 2]]);
+ break;
+
+ case 2: // Time offset
+@@ -480,7 +489,7 @@ int printdata(u_char *data, int data_len
+ case 36: // Ethernet encapsulation
+ printf("%d (%s)",
+ data[j + 2],
+- data[j +2 ] > sizeof(ethernet_encapsulation) ?
++ data[j +2 ] > strcountof(ethernet_encapsulation) ?
+ "*wrong value*" :
+ ethernet_encapsulation[data[j + 2]]);
+ break;
+@@ -488,7 +497,7 @@ int printdata(u_char *data, int data_len
+ case 52: // Option overload
+ printf("%d (%s)",
+ data[j + 2],
+- data[j + 2] > sizeof(option_overload) ?
++ data[j + 2] > strcountof(option_overload) ?
+ "*wrong value*" :
+ option_overload[data[j + 2]]);
+ break;
+@@ -496,7 +505,7 @@ int printdata(u_char *data, int data_len
+ case 53: // DHCP message type
+ printf("%d (%s)",
+ data[j + 2],
+- data[j + 2] > sizeof(dhcp_message_types) ?
++ data[j + 2] > strcountof(dhcp_message_types) ?
+ "*wrong value*" :
+ dhcp_message_types[data[j + 2]]);
+ break;
+@@ -528,7 +537,7 @@ int printdata(u_char *data, int data_len
+ case 82: // Relay Agent Information
+ for (i = j + 2; i < j + data[j + 1] + 2; ) {
+ printf("\n%-17s %-13s ", " ",
+- data[i] > sizeof(relayagent_suboptions) ?
++ data[i] > strcountof(relayagent_suboptions) ?
+ "*wrong value*" :
+ relayagent_suboptions[data[i]]);
+ if (i + data[i + 1] + 2 > j + data[j + 1] + 2) {
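Review bot: The bounds checks this patch adds or rewrites still compare with `>`, so a byte equal to the element count passes the test and indexes one slot past the end of the table; in the enable/disable case `data[j + 2] > strcountof(enabledisable)` should be `data[j + 2] >= strcountof(enabledisable)`. The same change applies to the `netbios_node_type`, `ethernet_encapsulation`, `option_overload`, `dhcp_message_types` and `relayagent_suboptions` comparisons in the later hunks of this patch. The index comes straight from packet data, so the remaining off-by-one is still an out-of-bounds read on network input. `strcountof` is only correct for true arrays, which a comment beside the macro could state: `// element count of an array; never pass a pointer`. printdata starts and ends outside these hunks and the table definitions are not shown.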
diff -Nru dhcpdump-1.8/debian/patches/dhcpdump-build.patch dhcpdump-1.8/debian/patches/dhcpdump-build.patch
--- dhcpdump-1.8/debian/patches/dhcpdump-build.patch 1970-01-01 00:00:00.000000000 +0000
+++ dhcpdump-1.8/debian/patches/dhcpdump-build.patch 2023-03-18 21:33:55.000000000 +0000
@@ -0,0 +1,21 @@
+Description: Fix makefile ignoring env vars
+ Append the local values to the already provided CFLAGS/LDFLAGS
+ from the environment. Add CPPFLAGS to CFLAGS - fixes hardening.
+ .
+Author: Boian Bonev <bbonev@ipacct.com>
+Origin: other
+Forwarded: by-email
+Last-Update: 2023-02-23
+
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+-CFLAGS= -Wall -g
+-LDFLAGS= -g
+-LIBS= -lpcap
++CFLAGS += $(CPPFLAGS) -Wall -g
++LDFLAGS += -g
++LIBS += -lpcap
+
+ all: dhcpdump dhcpdump.8
+
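Review bot: The `+=` on `CFLAGS` and `LDFLAGS` only appends to values that come from the environment; a value given on the make command line replaces these assignments entirely. The debian/rules in this same debdiff invokes `$(MAKE) CC=$(CC) CFLAGS="..." LDFLAGS="..."`, so for the package build `$(CPPFLAGS) -Wall -g` from this Makefile is not applied and hardening depends solely on what rules passes. A comment above the assignments would make that explicit: `# A CFLAGS/LDFLAGS given on the make command line overrides these lines; only environment values are appended to.`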
diff -Nru dhcpdump-1.8/debian/patches/dhcpdump-spelling.patch dhcpdump-1.8/debian/patches/dhcpdump-spelling.patch
--- dhcpdump-1.8/debian/patches/dhcpdump-spelling.patch 1970-01-01 00:00:00.000000000 +0000
+++ dhcpdump-1.8/debian/patches/dhcpdump-spelling.patch 2023-03-18 21:33:55.000000000 +0000
@@ -0,0 +1,69 @@
+Description: Fix spelling and description
+ Fix several spelling errors and the program description
+ in the man page.
+ .
+Author: Boian Bonev <bbonev@ipacct.com>
+Origin: other
+Forwarded: by-email
+Last-Update: 2023-02-23
+
+--- a/dhcp_options.h
++++ b/dhcp_options.h
+@@ -118,7 +118,7 @@ const char *dhcp_options[] = {
+ /* 107 */ "???",
+ /* 108 */ "Swap Path",
+ /* 109 */ "???",
+-/* 110 */ "IPX Compatability",
++/* 110 */ "IPX Compatibility",
+ /* 111 */ "???",
+ /* 112 */ "Netinfo Address",
+ /* 113 */ "Netinfo Tag",
+--- a/dhcpdump.c
++++ b/dhcpdump.c
+@@ -95,7 +95,7 @@ int main(int argc, char **argv) {
+ interface = argv[++i];
+ break;
+ default:
+- fprintf(stderr, "%s: %c: uknown option\n",
++ fprintf(stderr, "%s: %c: unknown option\n",
+ argv[0], argv[i][1]);
+ usage();
+ }
+@@ -290,7 +290,7 @@ void printHex(u_char *data, int len) {
+ }
+ }
+
+-// print the data as a hex-list seperated by colons
++// print the data as a hex-list separated by colons
+ void printHexColon(u_char *data, int len) {
+ int i;
+
+--- a/dhcpdump.pod
++++ b/dhcpdump.pod
+@@ -12,7 +12,7 @@ B<dhcpdump> [B<-h> I<regular-expression>
+
+ =head1 DESCRIPTION
+
+-This command parses the output of tcpdump to display the dhcp-packets for
++This command listens on a network interface to display the dhcp-packets for
+ easier checking and debugging.
+
+ =head1 USAGE
+@@ -20,7 +20,7 @@ easier checking and debugging.
+ S<dhcpdump -i /dev/fxp0>
+
+ If you want to filter a specific Client Hardware Address (CHADDR), then
+-you can specifiy it as a regular expressions:
++you can specify it as a regular expressions:
+
+ S<dhcpdump -i /dev/fxp0 -h ^00:c0:4f>
+
+@@ -71,7 +71,7 @@ Privileged access is often needed for ac
+ Not all the parameter options are printed verbose, because of lack of
+ documentation. Not all the options are tested, because of lack of
+ clients/servers with these options. If you have a dump of one of
+-them, please send them to me and I'll incorperate them.
++them, please send them to me and I'll incorporate them.
+
+ =head1 THANKS TO
+
diff -Nru dhcpdump-1.8/debian/patches/dhcpdump-warnings.patch dhcpdump-1.8/debian/patches/dhcpdump-warnings.patch
--- dhcpdump-1.8/debian/patches/dhcpdump-warnings.patch 1970-01-01 00:00:00.000000000 +0000
+++ dhcpdump-1.8/debian/patches/dhcpdump-warnings.patch 2023-03-18 21:33:55.000000000 +0000
@@ -0,0 +1,19 @@
+Description: Fix a warning
+ Declare an unused parameter
+ .
+Author: Boian Bonev <bbonev@ipacct.com>
+Origin: other
+Forwarded: by-email
+Last-Update: 2023-02-20
+
+--- a/dhcpdump.c
++++ b/dhcpdump.c
+@@ -118,7 +118,7 @@ int main(int argc, char **argv) {
+ return 0;
+ }
+
+-void pcap_callback(u_char *user, const struct pcap_pkthdr *h, const u_char *sp) {
++void pcap_callback(u_char *user __attribute__((unused)), const struct pcap_pkthdr *h, const u_char *sp) {
+ struct ether_header *eh;
+ struct ip *ip;
+ struct udphdr *udp;
diff -Nru dhcpdump-1.8/debian/patches/dhcpdump.c.patch dhcpdump-1.8/debian/patches/dhcpdump.c.patch
--- dhcpdump-1.8/debian/patches/dhcpdump.c.patch 2022-12-05 15:08:35.000000000 +0000
+++ dhcpdump-1.8/debian/patches/dhcpdump.c.patch 2023-03-18 21:33:55.000000000 +0000
@@ -1,5 +1,14 @@
---- dhcpdump-1.8.orig/dhcpdump.c
-+++ dhcpdump-1.8/dhcpdump.c
+Description: Fix build system
+ Add missing headers.
+ Add conditional compiling for hurd and *bsd
+ Use char * for strings, keep unsigned char * for packet data
+ and explicitly cast it to char * where needed.
+ .
+Forwarded: not-needed
+Last-Update: 2023-02-23
+
+--- a/dhcpdump.c
++++ b/dhcpdump.c
@@ -16,11 +16,13 @@
#include <netinet/in.h>
#include <netinet/ip.h>
@@ -82,22 +91,3 @@
buf[data[j + 1] - 3]=0;
printf("%s", buf);
break;
-@@ -518,6 +528,9 @@ int printdata(u_char *data, int data_len
- case 82: // Relay Agent Information
- printf("\n");
- for (i = j + 2; i < j + data[j + 1]; ) {
-+ if (i != j+2) {
-+ printf("\n");
-+ }
- printf("%-17s %-13s ", " ",
- data[i] > sizeof(relayagent_suboptions) ?
- "*wrong value*" :
-@@ -527,7 +540,7 @@ int printdata(u_char *data, int data_len
- break;
- }
- printHexColon(data + i + 2, data[i + 1]);
-- i += data[i + 1];
-+ i += data[i + 1] + 2;
- }
- break;
-
diff -Nru dhcpdump-1.8/debian/patches/series dhcpdump-1.8/debian/patches/series
--- dhcpdump-1.8/debian/patches/series 2022-12-05 15:08:35.000000000 +0000
+++ dhcpdump-1.8/debian/patches/series 2023-03-18 21:32:08.000000000 +0000
@@ -1 +1,8 @@
dhcpdump.c.patch
+dhcpdump-build.patch
+dhcpdump-bugfix_ethertype.patch
+dhcpdump-bugfix_flags.patch
+dhcpdump-bugfix_opt82.patch
+dhcpdump-bugfix_strcounts.patch
+dhcpdump-warnings.patch
+dhcpdump-spelling.patch
diff -Nru dhcpdump-1.8/debian/rules dhcpdump-1.8/debian/rules
--- dhcpdump-1.8/debian/rules 2022-12-05 15:08:35.000000000 +0000
+++ dhcpdump-1.8/debian/rules 2023-03-18 21:43:18.000000000 +0000
@@ -17,6 +17,8 @@
#
SHELL=/bin/bash
+export DEB_BUILD_MAINT_OPTIONS=hardening=+all
+
DEB_HOST_GNU_TYPE = $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
# The name and version of the source
@@ -37,17 +39,17 @@
endif
ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS)))
-CFLAGS = -g -O2 -Wall
+CFLAGS := -g -O2 -Wall $(shell dpkg-buildflags --get CPPFLAGS) $(shell dpkg-buildflags --get CFLAGS)
else
-CFLAGS = -O2 -Wall
+CFLAGS := -O2 -Wall $(shell dpkg-buildflags --get CPPFLAGS) $(shell dpkg-buildflags --get CFLAGS)
endif
STRIP = $(DEB_HOST_GNU_TYPE)-strip
-ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
+ifneq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
STRIP = : strip
endif
build:
- $(MAKE) CC=$(CC) CFLAGS="$(CFLAGS) $(EXTRAFLAG) -DHAVE_STRSEP"
+ $(MAKE) CC=$(CC) CFLAGS="$(CFLAGS) $(EXTRAFLAG) -DHAVE_STRSEP" LDFLAGS="$(CFLAGS) $(shell dpkg-buildflags --get LDFLAGS)"
touch stamp-build
clean: debclean
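Review bot: The `$(shell dpkg-buildflags --get ...)` calls on the two `CFLAGS :=` lines and in the `build` recipe may not see `DEB_BUILD_MAINT_OPTIONS=hardening=+all` from the previous hunk, because GNU Make before 4.4 does not pass makefile-exported variables to `$(shell ...)`. In that case the build silently gets only the default hardening set and the `+all` additions are missing. Setting the variable inside the command avoids the dependency on the make version, e.g. `$(shell DEB_BUILD_MAINT_OPTIONS=hardening=+all dpkg-buildflags --get CFLAGS)`, as does including `/usr/share/dpkg/buildflags.mk`. Checking the build log with blhc would confirm which flags actually reached the compiler and linker.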
@@ -69,11 +71,12 @@
chmod -R g-ws debian/tmp
$(installbin) -d debian/tmp/usr/share/doc/$(package)
$(installdoc) debian/changelog debian/tmp/usr/share/doc/$(package)/changelog.Debian
+ $(installdoc) debian/copyright debian/tmp/usr/share/doc/$(package)/copyright
#
gzip -9nf debian/tmp/usr/share/doc/$(package)/changelog.Debian
#
$(installbin) -d debian/tmp/usr/sbin
- $(STRIP) dhcpdump
+ $(STRIP) --remove-section=.comment --remove-section=.note dhcpdump
$(installbin) dhcpdump debian/tmp/usr/sbin
#
$(installbin) -d debian/tmp/usr/share/man/man8