Your message dated Sat, 16 Nov 2019 10:08:47 +0000
with message-id 
<83c9ffab6f08361485f70dda4733a7a24aeec09b.ca...@adam-barratt.org.uk>
and subject line Closing bugs for 10.2 point release fixes
has caused the Debian Bug report #940943,
regarding buster-pu: package gnustep-base/1.26.0-4+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
940943: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940943
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

I'd like to update the gnustep-base package in buster to fix #939119.
Additionally, the OP has also discovered a vulnerability in the gdomap
daemon which was reported to the Debian security team.  Haven't got a
response from them but the patch was approved by the upstream
maintainer and subsequently committed to the upstream repository.

Tested on a buster system; debdiff attached.
diff -Nru gnustep-base-1.26.0/debian/changelog gnustep-base-1.26.0/debian/changelog
--- gnustep-base-1.26.0/debian/changelog        2019-02-01 23:20:45.000000000 +0200
+++ gnustep-base-1.26.0/debian/changelog        2019-09-22 12:44:38.000000000 +0300
@@ -1,3 +1,16 @@
+gnustep-base (1.26.0-4+deb10u1) buster; urgency=medium
+
+  * debian/gnustep-base-runtime.preinst: New file; handle the poor
+    upgrade from stretch to buster which left the gdomap daemon enabled
+    (Closes: #939119).  Thanks to Alan Jenkins.
+  * debian/NEWS: Document that the gdomap daemon is disabled forcefully.
+  * debian/patches/gdomap-udp-amplification.patch: New; fix UDP
+    amplification vulnerability.  Patch by Alan Jenkins.
+  * debian/patches/series: Update.
+  * debian/gbp.conf: Set debian-branch to buster.
+
+ -- Yavor Doganov <ya...@gnu.org>  Sun, 22 Sep 2019 12:44:38 +0300
+
 gnustep-base (1.26.0-4) unstable; urgency=medium
 
   * debian/patches/armhf-test.patch: New; ignore a failing test on armhf
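Review bot: the changelog line for gdomap-udp-amplification.patch gives no reference beyond the author's name, so a reader of the changelog cannot trace the fix; the patch's own DEP-3 header cites upstream commit de9740c, and quoting that here (plus the identifier, should the security team assign one to the report mentioned in the patch header) would make the entry self-contained. The "Patch by Alan Jenkins" credit could also be worded "Thanks to Alan Jenkins" as in the first bullet, for consistency within the entry.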
diff -Nru gnustep-base-1.26.0/debian/gbp.conf gnustep-base-1.26.0/debian/gbp.conf
--- gnustep-base-1.26.0/debian/gbp.conf 2019-01-10 14:50:12.000000000 +0200
+++ gnustep-base-1.26.0/debian/gbp.conf 2019-09-22 12:44:07.000000000 +0300
@@ -1,2 +1,3 @@
 [DEFAULT]
 pristine-tar = True
+debian-branch = buster
diff -Nru gnustep-base-1.26.0/debian/gnustep-base-runtime.preinst gnustep-base-1.26.0/debian/gnustep-base-runtime.preinst
--- gnustep-base-1.26.0/debian/gnustep-base-runtime.preinst     1970-01-01 02:00:00.000000000 +0200
+++ gnustep-base-1.26.0/debian/gnustep-base-runtime.preinst     2019-09-22 12:26:06.000000000 +0300
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+set -e
+set -u
+
+# Upgrades from stretch to buster have made the gdomap daemon enabled
+# by default which is undesirable.  Explicitly delete the symlinks and
+# let update-rc.d recreate them in postinst.  See #939119.
+# Remove after bullseye is released.
+if [ "$1" = "upgrade" ]; then
+    if dpkg --compare-versions "$2" lt 1.26.0-4+deb10u1; then
+        ENABLED=no
+        if [ -f /etc/default/gdomap ]; then
+            . /etc/default/gdomap
+        fi
+        if [ "$ENABLED" != "yes" ]; then
+            find /etc/rc?.d -name "*gdomap" -delete
+        fi
+    fi
+fi
+
+#DEBHELPER#
+
+exit 0
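Review bot: `find /etc/rc?.d -name "*gdomap" -delete` runs under `set -e`; on a system where the glob does not expand (no /etc/rc?.d directories present) find receives the literal pattern, exits non-zero, and the whole preinst, and with it the upgrade, fails. Guarding the call, for example `find /etc/rc?.d -maxdepth 1 -name "*gdomap" -delete 2>/dev/null || true` or a `[ -d "$d" ] || continue` check per directory, keeps a cleanup step from aborting the package upgrade. The `. /etc/default/gdomap` line executes the admin-edited file as shell rather than reading a single value, which is the usual Debian idiom but means a syntax error in that file also aborts the preinst; a comment noting that dependency would help the next maintainer. The version guard `lt 1.26.0-4+deb10u1` is right: it limits the symlink removal to the first upgrade past this version, so an admin who follows the NEWS instruction and re-enables the daemon will not have it disabled again by a later upgrade.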
diff -Nru gnustep-base-1.26.0/debian/NEWS gnustep-base-1.26.0/debian/NEWS
--- gnustep-base-1.26.0/debian/NEWS     2018-01-01 12:39:24.000000000 +0200
+++ gnustep-base-1.26.0/debian/NEWS     2019-09-22 12:32:35.000000000 +0300
@@ -1,3 +1,12 @@
+gnustep-base (1.26.0-4+deb10u1) buster; urgency=medium
+
+  The gdomap daemon has been inadvertently enabled in 1.25.1-1 while
+  implementing a new Debian Policy requirement (ยง9.3.3.1).  This version
+  forcefully disables it again.  If you want the daemon running, run
+  "update-rc.d gdomap enable" to enable it.
+
+ -- Yavor Doganov <ya...@gnu.org>  Sun, 22 Sep 2019 12:32:33 +0300
+
 gnustep-base (1.25.0-1) experimental; urgency=medium
 
   The example programs using the GNUstep Base library have been moved to
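Review bot: the NEWS entry documents only the init-script change, but the same upload also makes gdomap reject GDO_SERVERS requests that do not originate from a local address (gdomap-udp-amplification.patch); that is a visible behaviour change for any site that listed the server table from another machine and belongs in NEWS next to the `update-rc.d gdomap enable` instruction. The Policy section reference appears as "ยง9.3.3.1" here; confirm the file on disk carries a plain "§" (or spell out "section 9.3.3.1") so the entry renders cleanly in apt-listchanges.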
diff -Nru gnustep-base-1.26.0/debian/patches/gdomap-udp-amplification.patch gnustep-base-1.26.0/debian/patches/gdomap-udp-amplification.patch
--- gnustep-base-1.26.0/debian/patches/gdomap-udp-amplification.patch   1970-01-01 02:00:00.000000000 +0200
+++ gnustep-base-1.26.0/debian/patches/gdomap-udp-amplification.patch   2019-09-22 12:40:24.000000000 +0300
@@ -0,0 +1,61 @@
+Description: Fix UDP amplification vulnerability
+ A couple of is_local_net() tests were wrong: they used "&&" with
+ masks, but that is the logical shortcut operator.  The correct
+ bitwise operator is "&".  The result was that is_local_net() was
+ always returning true.
+ .
+ Only allow local processes to send GDO_SERVERS requests.  This
+ request is only useful locally.  Do not allow remote requests for the
+ server list.  Our response can be large, so it would make a great UDP
+ amplification attack.
+ . 
+ Patch by Alan Jenkins <alan.christopher.jenk...@gmail.com>; issue
+ reported to the Debian security team.
+Origin: upstream, commit:de9740c
+Last-Update: 2019-09-22
+---
+
+--- gnustep-base.orig/Tools/gdomap.c
++++ gnustep-base/Tools/gdomap.c
+@@ -419,7 +419,7 @@
+ 
+   for (i = 0; i < interfaces; i++)
+     {
+-      if ((mask[i].s_addr && addr[i].s_addr) == (mask[i].s_addr && a.s_addr))
++      if ((mask[i].s_addr & addr[i].s_addr) == (mask[i].s_addr & a.s_addr))
+       {
+         return 1;
+       }
+@@ -3100,6 +3100,21 @@
+       unsigned int    i;
+       unsigned int    j;
+ 
++      /*
++       *      See if this is a request from a local process.
++       *
++       *      This request is only useful locally.  Do not allow remote
++       *      requests for the server list.  Our response can be large,
++       *      so it would make a great UDP amplification attack.
++       */
++      if (is_local_host(ri->addr.sin_addr) == 0)
++      {
++        snprintf(ebuf, sizeof(ebuf), "Illegal attempt to list servers!");
++        gdomap_log(LOG_ERR);
++        clear_chan(desc);
++        return;
++      }
++
+       free(wi->buf);
+       wi->buf = (char*)calloc(sizeof(uint32_t)
+       + (prb_used+1)*IASIZE, 1);
+@@ -3260,8 +3275,8 @@
+                   {
+                     continue;
+                   }
+-                if ((mask[i].s_addr && addr[i].s_addr) ==
+-                      (mask[i].s_addr && ri->addr.sin_addr.s_addr))
++                if ((mask[i].s_addr & addr[i].s_addr) ==
++                      (mask[i].s_addr & ri->addr.sin_addr.s_addr))
+                   {
+                     laddr = addr[i];
+                     memcpy(wbuf, &laddr, IASIZE);
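Review bot: the DEP-3 description says "A couple of is_local_net() tests were wrong", but only the first inner hunk (around line 419, comparing against `a.s_addr`) is inside is_local_net(); the third hunk (around line 3260, comparing against `ri->addr.sin_addr.s_addr`) fixes the same `&&`-for-`&` mistake in the code that selects the local address to copy into the reply, so the header should say both call sites are covered. The operator fix itself is correct: `mask[i].s_addr && addr[i].s_addr` collapses to 1 for any pair of non-zero values, so `(mask && addr) == (mask && a)` held for every non-zero address and is_local_net() always returned 1, which is exactly the failure the description names. The new gate on GDO_SERVERS uses is_local_host() rather than is_local_net(), and that is the right choice for a UDP service: the source address of a datagram is attacker-controlled, but the only way to pass this check is to forge one of the host's own interface addresses, in which case the large reply is delivered back to the host itself rather than reflected to a third party, so the amplification path is closed regardless of spoofing. Two smaller points: the rejection logs at LOG_ERR for every remote probe, which on an exposed host could be noisy and is worth a mention in the description; and a `Bug:` or `Bug-Debian:` line in the DEP-3 header (once the security team's report has an identifier) would let the patch be traced without the changelog.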
diff -Nru gnustep-base-1.26.0/debian/patches/series gnustep-base-1.26.0/debian/patches/series
--- gnustep-base-1.26.0/debian/patches/series   2019-02-01 22:19:23.000000000 +0200
+++ gnustep-base-1.26.0/debian/patches/series   2019-09-22 12:41:27.000000000 +0300
@@ -8,3 +8,4 @@
 fix-tests-timings.patch
 autogsdoc-reproducibility.patch
 armhf-test.patch
+gdomap-udp-amplification.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.2

Hi,

The fixes referenced by these bugs were included in today's 10.2 stable
point release.

Regards,

Adam

--- End Message ---
