Hi Ben, hi all,

On Sun 17 Jan 2016 23:42:19 CET, Ben Hutchings wrote:

> On Sun, 2016-01-17 at 13:10 +0100, Olivier Dousse wrote:
> > Hi Mike,
> >
> > I have the exact same problem on my server. I simply upgraded from 4.1.1-P1-15+squeeze8 to 4.1.1-P1-15+squeeze9. Given the patch you attached, this is very strange. But after downgrading back to 4.1.1-P1-15+squeeze8, everything was fine again. So there seems to be indeed a (critical) issue with 4.1.1-P1-15+squeeze9, as it basically breaks the DHCP server.
>
> I can't see anything wrong with the patch, so I wonder whether there was something wrong with the build environment.

The package has been source-built on Debian jessie (debuild -uc -us -S) and then binary-built with sbuild in a squeeze-lts (not squeeze) chroot.
I have checked my build log again. It seems that the CFLAGS specified in debian/rules do not get exported properly to the build environment and thus are not used at build time:
"""
(from +squeeze9 build log)
[...]
Making all in server
make[2]: Entering directory `/«PKGBUILDDIR»/server'
gcc -DHAVE_CONFIG_H -I. -I../includes -I.. -DLOCALSTATEDIR='"/var"' -g -O2 -Wall -Werror -fno-strict-aliasing -MT dhcpd.o -MD -MP -MF .deps/dhcpd.Tpo -c -o dhcpd.o dhcpd.c
[...]
"""

When adding "export CFLAGS" at the end of the CFLAGS declarations in debian/rules, I get this:

"""
(from upcoming +squeeze10 build log)
[...]
make[1]: Entering directory `/«PKGBUILDDIR»/server'
gcc -DHAVE_CONFIG_H -I. -I../includes -I.. -DLOCALSTATEDIR='"/var"' -DLDAP_DEPRECATED -Wall -g -O2 -D_PATH_DHCLIENT_SCRIPT='"/sbin/dhclient-script"' -D_PATH_DHCPD_CONF='"/etc/dhcp/dhcpd.conf"' -D_PATH_DHCLIENT_CONF='"/etc/dhcp/dhclient.conf"' -DNOMINUM -MT dhcpd-dhcpd.o -MD -MP -MF .deps/dhcpd-dhcpd.Tpo -c -o dhcpd-dhcpd.o `test -f 'dhcpd.c' || echo './'`dhcpd.c
[...]
"""

I wonder why this has been working in the first place.

> Additionally, the patch is *not* being applied to isc-dhcp-server. It is only applied when building isc-dhcp-server-ldap (see the commands for the build-stamp target). It needs to be moved further up the patch series.

Oh wow... Thanks for spotting this. I am currently preparing a +squeeze10 revision upload, but I'd really like to get the dhcpd.conf issue sorted out and addressed with next upload first.

I will upload +squeeze10 with attached .debdiff later today. Any feedback on the provided .debdiff is welcome.

Thanks+Greets,
Mike

--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de

diff -u isc-dhcp-4.1.1-P1/debian/rules isc-dhcp-4.1.1-P1/debian/rules --- isc-dhcp-4.1.1-P1/debian/rules +++ isc-dhcp-4.1.1-P1/debian/rules @@ -37,6 +37,8 @@ CFLAGS += -D_PATH_DHCLIENT_CONF='"/etc/dhcp/dhclient.conf"' CFLAGS += -DNOMINUM +export CFLAGS + patched-ldap/build-stamp: dh_testdir diff -u isc-dhcp-4.1.1-P1/debian/changelog isc-dhcp-4.1.1-P1/debian/changelog --- isc-dhcp-4.1.1-P1/debian/changelog +++ isc-dhcp-4.1.1-P1/debian/changelog @@ -1,3 +1,16 @@ +isc-dhcp (4.1.1-P1-15+squeeze10) squeeze-lts; urgency=medium + + * Non-maintainer upload by the Debian LTS Team (regression fix). + * debian/patches: + + Move CVE-2015-8605.dpatch further up in the patch series. Assure that + the patch is applied to the non-LDAP build variant. Thanks to Ben + Hutchings for spotting this. + * debian/rules: + + Export CFLAGS before build. Make sure that our Debianic path definitions + end-up in the binary builds of isc-dhcp-server*. + + -- Mike Gabriel <sunwea...@debian.org> Mon, 18 Jan 2016 05:19:44 +0100 + isc-dhcp (4.1.1-P1-15+squeeze9) squeeze-lts; urgency=medium * Non-maintainer upload by the Debian LTS Team. diff -u isc-dhcp-4.1.1-P1/debian/patches/00list isc-dhcp-4.1.1-P1/debian/patches/00list --- isc-dhcp-4.1.1-P1/debian/patches/00list +++ isc-dhcp-4.1.1-P1/debian/patches/00list @@ -17,6 +17,7 @@ security-20110810 CVE-2012-3571_CVE-2012-3954 CVE-2011-4539_CVE-2012-3955 +CVE-2015-8605 # must be applied before the LDAP stuff no-libcrypto @@ -26,6 +27,4 @@ dhcp-4.1.0-ldap-code -CVE-2015-8605 - # fix build when gcc option -Werror is used drop_unused_vars_from_ldap-c.dpatch
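
Review bot: The "export CFLAGS" line in the debian/rules hunk changes more than the path macros. The +squeeze9 compile line quoted in this message carries -Werror and -fno-strict-aliasing, and the +squeeze10 line carries neither. Please confirm that building at -O2 without -fno-strict-aliasing is intended, or append it to CFLAGS, and add a short comment above the export saying why it is needed so that it is not dropped again.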
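
Review bot: The debian/changelog entry does not tell users what was wrong with +squeeze9. Because CVE-2015-8605.dpatch was only applied when building isc-dhcp-server-ldap, the entry should state plainly that the non-LDAP isc-dhcp-server binaries in +squeeze9 were built without the CVE-2015-8605 fix, and that the path definitions were missing from that build. Wording: "Assure" should read "Ensure", and "end-up" should read "end up".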
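
Review bot: In debian/patches/00list, nothing records that a patch listed after dhcp-4.1.0-ldap-code only reaches the LDAP variant, which is how CVE-2015-8605 ended up in the wrong place. Add a comment next to the "# must be applied before the LDAP stuff" marker saying that fixes meant for all binaries must stay above it, and confirm that CVE-2015-8605.dpatch still applies without fuzz now that dhcp-4.1.0-ldap-code is no longer applied before it.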
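
A build-log check for the problem described in this message, as an added example that is not part of the original e-mail or of the Debian packaging: it flags compile lines that lack the _PATH_* macros debian/rules appends to CFLAGS. The sample logs are constructed (abridged from the two gcc lines quoted above), and the function names check_build_log and write_samples are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): flag compile lines in a build log that
# lack the path macros debian/rules adds to CFLAGS.

# Macro names taken from the CFLAGS visible in the thread.
REQUIRED='_PATH_DHCLIENT_SCRIPT _PATH_DHCPD_CONF _PATH_DHCLIENT_CONF'

# check_build_log FILE
#   prints "<object>: missing -D<macro>" for every gap
#   returns 0 = all compile lines complete, 1 = gaps found, 2 = no compile lines
check_build_log() {
    cc_lines=$(mktemp) || return 2
    grep -E '^gcc .* -c -o [^ ]+\.o' "$1" > "$cc_lines" || true
    if [ ! -s "$cc_lines" ]; then
        rm -f "$cc_lines"
        echo "no compile lines found in $1" >&2
        return 2
    fi
    rc=0
    while IFS= read -r line; do
        obj=$(printf '%s\n' "$line" | sed -E 's/.* -c -o ([^ ]+\.o).*/\1/')
        for macro in $REQUIRED; do
            case "$line" in
                *" -D$macro="*) ;;
                *) echo "$obj: missing -D$macro"; rc=1 ;;
            esac
        done
    done < "$cc_lines"
    rm -f "$cc_lines"
    return $rc
}

# Constructed sample logs, abridged from the two gcc lines quoted above.
write_samples() {
    cat > "$1/squeeze9.log" <<'EOF'
Making all in server
gcc -DHAVE_CONFIG_H -I. -I../includes -I.. -DLOCALSTATEDIR='"/var"' -g -O2 -Wall -Werror -fno-strict-aliasing -c -o dhcpd.o dhcpd.c
EOF
    cat > "$1/squeeze10.log" <<'EOF'
gcc -DHAVE_CONFIG_H -DLOCALSTATEDIR='"/var"' -Wall -g -O2 -D_PATH_DHCLIENT_SCRIPT='"/sbin/dhclient-script"' -D_PATH_DHCPD_CONF='"/etc/dhcp/dhcpd.conf"' -D_PATH_DHCLIENT_CONF='"/etc/dhcp/dhclient.conf"' -DNOMINUM -c -o dhcpd-dhcpd.o dhcpd.c
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in "$demo_dir"/*.log; do
    check_build_log "$f" && echo "$(basename "$f"): ok" || echo "$(basename "$f"): incomplete CFLAGS"
done
rm -rf "$demo_dir"
```

Return code 2 keeps a log with no compile lines at all from passing silently.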