Bug#1072983: marked as done (bookworm-pu: package golang-github-google-nftables/0.1.0-4~deb12u1)

To: Jonathan Wiltshire <jmw@coccia.debian.org>
Subject: Bug#1072983: marked as done (bookworm-pu: package golang-github-google-nftables/0.1.0-4~deb12u1)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Sat, 29 Jun 2024 10:57:25 +0000
Message-id: <[🔎] handler.1072983.D1072983.17196579861196109.ackdone@bugs.debian.org>
Reply-to: 1072983@bugs.debian.org
References: <E1sNVb2-002bin-Rp@coccia.debian.org> <[🔎] 171809814023.199252.6529795335506240525.reportbug@tokyo>

Your message dated Sat, 29 Jun 2024 10:46:20 +0000
with message-id <E1sNVb2-002bin-Rp@coccia.debian.org>
and subject line Released with 12.6
has caused the Debian Bug report #1072983,
regarding bookworm-pu: package golang-github-google-nftables/0.1.0-4~deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1072983: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072983
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bookworm-pu: package golang-github-google-nftables/0.1.0-4~deb12u1
From: Cyril Brulebois <cyril@debamax.com>
Date: Tue, 11 Jun 2024 11:29:00 +0200
Message-id: <[🔎] 171809814023.199252.6529795335506240525.reportbug@tokyo>

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: golang-github-google-nftables@packages.debian.org
Control: affects -1 + src:golang-github-google-nftables

Hi,

[ Reason ]

I'd like to fix the #1071247/#1071248 pair in bookworm, which results in
crowdsec-firewall-bouncer's being broken on little-endian architectures
(addresses are getting logged just fine, but they're not passed over
correctly to the firewall layer). 

I've checked with the security team, this doesn't warrant a DSA.

This is the library part (golang-github-google-nftables).

[ Impact ]

If the fix doesn't make it into stable, crowdsec-firewall-bouncer
remains broken on little-endian architectures.

[ Tests ]

Same checks as for unstable when I uploaded the fixes there:
 - amd64 (LE, baremetal) before: KO
 - amd64 (LE, baremetal) after: OK
 - s390x (BE, debvm) before: OK
 - s390x (BE, debvm) after: OK

[ Risks ]

Except for a possible regression on s390x (which isn't the case, see
previous section), it cannot be worse than it currently is.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

Additionally, that reached testing.

[ Changes ]

The fix is a direct backport from upstream, which adds byte order
information to the function used by crowdsec-firewall-bouncer
(AddSet).

[ Other info ]

Next bug report is the crowdsec-firewall-bouncer part.


Cheers,
-- 
Cyril Brulebois -- Debian Consultant @ DEBAMAX -- https://debamax.com/

diff -Nru golang-github-google-nftables-0.1.0/debian/changelog golang-github-google-nftables-0.1.0/debian/changelog
--- golang-github-google-nftables-0.1.0/debian/changelog	2022-12-12 05:07:14.000000000 +0100
+++ golang-github-google-nftables-0.1.0/debian/changelog	2024-06-11 10:22:28.000000000 +0200
@@ -1,3 +1,18 @@
+golang-github-google-nftables (0.1.0-4~deb12u1) bookworm; urgency=medium
+
+  * Rebuild for bookworm.
+
+ -- Cyril Brulebois <cyril@debamax.com>  Tue, 11 Jun 2024 10:22:28 +0200
+
+golang-github-google-nftables (0.1.0-4) unstable; urgency=high
+
+  * Backport upstream fix for the AddSet() function that's been reversing
+    byte order on all little-endian architectures (Closes: #1071247),
+    breaking crowdsec-firewall-bouncer (See: #1071248):
+     - 0002-Implement-set-KeyByteOrder-226.patch
+
+ -- Cyril Brulebois <cyril@debamax.com>  Tue, 21 May 2024 09:42:17 +0200
+
 golang-github-google-nftables (0.1.0-3) unstable; urgency=medium
 
   * Backport fix from upstream to fix the test suite on 32-bit archs (the
diff -Nru golang-github-google-nftables-0.1.0/debian/patches/0002-Implement-set-KeyByteOrder-226.patch golang-github-google-nftables-0.1.0/debian/patches/0002-Implement-set-KeyByteOrder-226.patch
--- golang-github-google-nftables-0.1.0/debian/patches/0002-Implement-set-KeyByteOrder-226.patch	1970-01-01 01:00:00.000000000 +0100
+++ golang-github-google-nftables-0.1.0/debian/patches/0002-Implement-set-KeyByteOrder-226.patch	2024-05-15 13:08:54.000000000 +0200
@@ -0,0 +1,42 @@
+From d746ecb0e494e7200180c3886fde9664d9100729 Mon Sep 17 00:00:00 2001
+From: turekt <32360115+turekt@users.noreply.github.com>
+Date: Thu, 18 May 2023 18:05:49 +0200
+Subject: [PATCH] Implement set KeyByteOrder (#226)
+
+Fixes https://github.com/google/nftables/issues/225
+Introduced KeyByteOrder in sets which fills UDATA with endianess information
+---
+ set.go | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/set.go b/set.go
+index 1ef8e89..b1f63e8 100644
+--- a/set.go
++++ b/set.go
+@@ -261,6 +261,9 @@ type Set struct {
+ 	Timeout       time.Duration
+ 	KeyType       SetDatatype
+ 	DataType      SetDatatype
++	// Either host (binaryutil.NativeEndian) or big (binaryutil.BigEndian) endian as per
++	// https://git.netfilter.org/nftables/tree/include/datatype.h?id=d486c9e626405e829221b82d7355558005b26d8a#n109
++	KeyByteOrder binaryutil.ByteOrder
+ }
+ 
+ // SetElement represents a data point within a set.
+@@ -560,11 +563,11 @@ func (cc *Conn) AddSet(s *Set, vals []SetElement) error {
+ 		// Marshal concat size description as set description
+ 		tableInfo = append(tableInfo, netlink.Attribute{Type: unix.NLA_F_NESTED | unix.NFTA_SET_DESC, Data: concatBytes})
+ 	}
+-	if s.Anonymous || s.Constant || s.Interval {
++	if s.Anonymous || s.Constant || s.Interval || s.KeyByteOrder == binaryutil.BigEndian {
+ 		tableInfo = append(tableInfo,
+ 			// Semantically useless - kept for binary compatability with nft
+ 			netlink.Attribute{Type: unix.NFTA_SET_USERDATA, Data: []byte("\x00\x04\x02\x00\x00\x00")})
+-	} else if !s.IsMap {
++	} else if s.KeyByteOrder == binaryutil.NativeEndian {
+ 		// Per https://git.netfilter.org/nftables/tree/src/mnl.c?id=187c6d01d35722618c2711bbc49262c286472c8f#n1165
+ 		tableInfo = append(tableInfo,
+ 			netlink.Attribute{Type: unix.NFTA_SET_USERDATA, Data: []byte("\x00\x04\x01\x00\x00\x00")})
+-- 
+2.39.2
+
diff -Nru golang-github-google-nftables-0.1.0/debian/patches/series golang-github-google-nftables-0.1.0/debian/patches/series
--- golang-github-google-nftables-0.1.0/debian/patches/series	2022-12-12 05:04:34.000000000 +0100
+++ golang-github-google-nftables-0.1.0/debian/patches/series	2024-05-15 13:08:54.000000000 +0200
@@ -1 +1,2 @@
 0001-alignedbuff-fix-alignment-test-issue-on-32-bit-archs.patch
+0002-Implement-set-KeyByteOrder-226.patch

--- End Message ---

--- Begin Message ---

To: 1072983-done@bugs.debian.org

Subject: Released with 12.6

From: Jonathan Wiltshire <jmw@coccia.debian.org>

Date: Sat, 29 Jun 2024 10:46:20 +0000

Message-id: <E1sNVb2-002bin-Rp@coccia.debian.org>
Version: 12.6

The upload requested in this bug has been released as part of 12.6.
--- End Message ---

Reply to:

References:
- Bug#1072983: bookworm-pu: package golang-github-google-nftables/0.1.0-4~deb12u1
  - From: Cyril Brulebois <cyril@debamax.com>

Prev by Date: Bug#1072965: marked as done (bullseye-pu: package nvidia-graphics-drivers-tesla-470/470.256.02-1~deb11u1)
Next by Date: Bug#1072984: marked as done (bookworm-pu: package crowdsec-firewall-bouncer/0.0.25-4~deb12u1)
Previous by thread: Processed: golang-github-google-nftables 0.1.0-4~deb12u1 flagged for acceptance
Next by thread: Bug#1072984: bookworm-pu: package crowdsec-firewall-bouncer/0.0.25-4~deb12u1
Index(es):
- Date
- Thread