Your message dated Sat, 18 Dec 2021 11:36:17 +0000
with message-id
<f35b13da0620aab462a587a3d6f06f29a527c6c9.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for changes included in 11.2
has caused the Debian Bug report #997597,
regarding bullseye-pu: package chrony/4.0-8+deb11u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
997597: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=997597
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
Hi,
[ Reason ]
chrony 4.0 allows binding the NTP, NTS-KE, client and UDP command sockets
to a specific network device using the 'binddevice', 'bindacqdevice' and
'bindcmddevice' directives.
In Bullseye, using these directives with a network interface name longer
than 3 characters (e.g. binddevice eth0) will cause chronyd to crash because
of the way the system call filter handles the SO_BINDTODEVICE socket option.
[ Impact ]
To bind sockets to a network interface with a "long" name, users have to
disable chronyd's system call filter which is certainly not ideal.
[ Tests ]
I manually tested each of the aforementioned directives with a network
interface name longer than 3 characters. I also made sure that autopkgtests
still run fine.
[ Risks ]
The fix is trivial and well tested.
[ Checklist ]
[ ] *all* changes are documented in the d/changelog
[✓] I reviewed all changes and I approve them
[✓] attach debdiff against the package in (old)stable
[✓] the issue is verified as fixed in unstable
[ Changes ]
In addition to the patch fixing the issue with the system call filter, I also
made a few anecdotal but practical changes that I considered unnecessary to
mention for a revision targeting stable:
- pointing Vcs-Git to the 'debian/bullseye' branch
- running the Salsa CI pipeline on Bullseye
Cheers,
Vincent
diff -Nru chrony-4.0/debian/changelog chrony-4.0/debian/changelog
--- chrony-4.0/debian/changelog 2021-05-13 16:51:41.000000000 +0200
+++ chrony-4.0/debian/changelog 2021-10-19 22:02:40.000000000 +0200
@@ -1,3 +1,12 @@
+chrony (4.0-8+deb11u1) bullseye; urgency=medium
+
+ * debian/patches/:
+ - Add fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch to be able
+ to bind a socket to a network device with a name longer than 3 characters
+ when the system call filter is enabled. (Closes: #995207)
+
+ -- Vincent Blut <vincent.deb...@free.fr> Tue, 19 Oct 2021 22:02:40 +0200
+
chrony (4.0-8) unstable; urgency=medium
* debian/patches/:
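Review bot: the changelog entry documents only the new patch, yet the same debdiff also repoints Vcs-Git to the debian/bullseye branch and adds a RELEASE variable to debian/.gitlab-ci.yml, and the checklist item "*all* changes are documented in the d/changelog" is left unticked; for a stable update the release team expects every hunk to be accounted for, so add two short lines for those packaging changes rather than leaving them implicit.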
diff -Nru chrony-4.0/debian/control chrony-4.0/debian/control
--- chrony-4.0/debian/control 2021-05-13 16:51:41.000000000 +0200
+++ chrony-4.0/debian/control 2021-10-19 22:02:40.000000000 +0200
@@ -18,7 +18,7 @@
pps-tools (>= 0.20120406+g0deb9c7e-2) [linux-any],
procps <!nocheck>
Homepage: https://chrony.tuxfamily.org
-Vcs-Git: https://salsa.debian.org/debian/chrony.git -b debian/latest
+Vcs-Git: https://salsa.debian.org/debian/chrony.git -b debian/bullseye
Vcs-Browser: https://salsa.debian.org/debian/chrony
Rules-Requires-Root: no
diff -Nru chrony-4.0/debian/.gitlab-ci.yml chrony-4.0/debian/.gitlab-ci.yml
--- chrony-4.0/debian/.gitlab-ci.yml 2021-05-13 16:51:41.000000000 +0200
+++ chrony-4.0/debian/.gitlab-ci.yml 2021-10-19 22:02:40.000000000 +0200
@@ -9,3 +9,6 @@
only:
variables:
- $SEE_YOU_SOON_REPROTEST
+
+variables:
+ RELEASE: 'bullseye'
diff -Nru
chrony-4.0/debian/patches/fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch
chrony-4.0/debian/patches/fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch
---
chrony-4.0/debian/patches/fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch
1970-01-01 01:00:00.000000000 +0100
+++
chrony-4.0/debian/patches/fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch
2021-10-19 22:02:40.000000000 +0200
@@ -0,0 +1,33 @@
+From 29d7d3176d9d1b208039a9d2ca3f26bc3cc5a387 Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlich...@redhat.com>
+Date: Wed, 6 Oct 2021 10:02:34 +0200
+Subject: sys_linux: fix seccomp filter for BINDTODEVICE option
+
+The BINDTODEVICE socket option is the first option in the seccomp filter
+setting a string instead of int. Remove the length check from the
+setsockopt rules to allow a device name longer than 3 characters.
+
+This was reported in Debian bug #995207.
+
+Fixes: b9f5ce83b02e ("sys_linux: allow BINDTODEVICE option in seccomp filter")
+
+Origin: upstream,
https://git.tuxfamily.org/chrony/chrony.git/commit/?id=29d7d3176d9d1b208039a9d2ca3f26bc3cc5a387
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995207
+
+Index: chrony/sys_linux.c
+===================================================================
+--- chrony.orig/sys_linux.c
++++ chrony/sys_linux.c
+@@ -694,10 +694,9 @@ SYS_Linux_EnableSystemCallFilter(int lev
+
+ /* Allow selected socket options */
+ for (i = 0; i < sizeof (socket_options) / sizeof (*socket_options); i++) {
+- if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 3,
++ if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 2,
+ SCMP_A1(SCMP_CMP_EQ, socket_options[i][0]),
+- SCMP_A2(SCMP_CMP_EQ, socket_options[i][1]),
+- SCMP_A4(SCMP_CMP_LE, sizeof (int))) < 0)
++ SCMP_A2(SCMP_CMP_EQ, socket_options[i][1])))
+ goto add_failed;
+ }
+
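Review bot: dropping SCMP_A4(SCMP_CMP_LE, sizeof (int)) from the rule inside the loop relaxes the optlen bound for every entry of socket_options, not only SO_BINDTODEVICE, so the filter no longer constrains argument 4 for any of the allowed integer options; this matches the upstream commit being backported and the kernel still validates optlen itself, but if the narrower filter is wanted, a second setsockopt rule for SO_BINDTODEVICE with an IFNAMSIZ bound would let the sizeof (int) check stay for the remaining options. Also, the DEP-3 "Origin: upstream," header appears split from its URL onto the next line here; confirm it is one line in the file so the patch metadata is parsed as intended.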
diff -Nru chrony-4.0/debian/patches/series chrony-4.0/debian/patches/series
--- chrony-4.0/debian/patches/series 2021-05-13 16:51:41.000000000 +0200
+++ chrony-4.0/debian/patches/series 2021-10-19 22:02:40.000000000 +0200
@@ -2,3 +2,4 @@
nm-dispatcher-dhcp_Move-server_dir-to-run.patch
allow-BINDTODEVICE-option-in-seccomp-filter.patch
allow-getuid32-in-seccomp-filter.patch
+fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch
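Review bot: appending the new patch after allow-BINDTODEVICE-option-in-seccomp-filter.patch is the correct position, since the patch's Fixes: line says it amends the rules that earlier patch introduced and quilt applies the series top to bottom; placing it anywhere earlier would fail to apply.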
--- End Message ---
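The [ Reason ] section above says a device name longer than 3 characters trips the filter, and the debdiff shows why: libseccomp's SCMP_A4(SCMP_CMP_LE, sizeof (int)) bounds optlen at 4 bytes, while a NUL-terminated "eth0" needs 5. The following is an added example, not chrony's or Debian's code: it rebuilds that rule as raw seccomp-BPF (no libseccomp dependency) in both the 4.0-8 shape and the fixed shape and reports which one blocks the call; the function name filter_blocks, the marker errno and the exit codes are this example's own choices, and it assumes Linux on a little-endian CPU.

```c
/* Added example (not chrony's code): raw seccomp-BPF shaped like the setsockopt
 * rule in chrony's sys_linux.c, with or without the optlen <= sizeof(int) check.
 * Unmatched calls get an errno, not chrony's KILL. Linux, little-endian, no root. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#define FILTER_ERRNO ELIBBAD  /* marker errno; setsockopt itself never returns it */
#define ARG(n) offsetof(struct seccomp_data, args[n])  /* low 32 bits of arg n */
/* 1 = filter blocked the call, 0 = it reached the kernel (which may still refuse
 * it, e.g. EPERM without CAP_NET_RAW), -1 = seccomp cannot be installed here. */
int filter_blocks(int with_len_check, const char *ifname)
{
  struct sock_filter f[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_setsockopt, 0, 6),  /* other: allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG(1)),                   /* level   */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SOL_SOCKET, 0, 4),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG(2)),                   /* optname */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SO_BINDTODEVICE, 0, 2),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG(4)),                   /* optlen  */
    BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, sizeof(int), 1, 0),       /* > 4: deny */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | FILTER_ERRNO),
  };
  if (!with_len_check)  /* the fix: stop inspecting optlen at all */
    f[6] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
  struct sock_fprog prog = { .len = sizeof f / sizeof f[0], .filter = f };
  pid_t pid = fork();
  if (pid < 0) return -1;
  if (pid == 0) {
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) _exit(3);
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0) _exit(3);
    /* optlen counts the NUL: "eth0" is 5 bytes, one more than sizeof(int) */
    int r = setsockopt(s, SOL_SOCKET, SO_BINDTODEVICE, ifname, strlen(ifname) + 1);
    _exit(r < 0 && errno == FILTER_ERRNO ? 1 : 0);
  }
  int st;
  if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st) || WEXITSTATUS(st) == 3) return -1;
  return WEXITSTATUS(st);
}
```

A production filter also checks the arch field before trusting the syscall number, which libseccomp does for chrony and this demo omits.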
--- Begin Message ---
Package: release.debian.org
Version: 11.2
Hi,
All of the updates referred to by these bugs were included in this
morning's bullseye point release.
Regards,
Adam
--- End Message ---