Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: golang-github-google-nftab...@packages.debian.org
Control: affects -1 + src:golang-github-google-nftables
Hi,

[ Reason ]
I'd like to fix the #1071247/#1071248 pair in bookworm, which results in crowdsec-firewall-bouncer's being broken on little-endian architectures (addresses are getting logged just fine, but they're not passed over correctly to the firewall layer). I've checked with the security team; this doesn't warrant a DSA.

This is the library part (golang-github-google-nftables).

[ Impact ]
If the fix doesn't make it into stable, crowdsec-firewall-bouncer remains broken on little-endian architectures.

[ Tests ]
Same checks as for unstable when I uploaded the fixes there:
 - amd64 (LE, baremetal) before: KO
 - amd64 (LE, baremetal) after: OK
 - s390x (BE, debvm) before: OK
 - s390x (BE, debvm) after: OK

[ Risks ]
Except for a possible regression on s390x (which isn't the case, see previous section), it cannot be worse than it currently is.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

Additionally, that reached testing.

[ Changes ]
The fix is a direct backport from upstream, which adds byte order information to the function used by crowdsec-firewall-bouncer (AddSet).

[ Other info ]
Next bug report is the crowdsec-firewall-bouncer part.

Cheers,
-- 
Cyril Brulebois -- Debian Consultant @ DEBAMAX -- https://debamax.com/
diff -Nru golang-github-google-nftables-0.1.0/debian/changelog golang-github-google-nftables-0.1.0/debian/changelog --- golang-github-google-nftables-0.1.0/debian/changelog 2022-12-12 05:07:14.000000000 +0100 +++ golang-github-google-nftables-0.1.0/debian/changelog 2024-06-11 10:22:28.000000000 +0200 @@ -1,3 +1,18 @@ +golang-github-google-nftables (0.1.0-4~deb12u1) bookworm; urgency=medium + + * Rebuild for bookworm. + + -- Cyril Brulebois <cy...@debamax.com> Tue, 11 Jun 2024 10:22:28 +0200 + +golang-github-google-nftables (0.1.0-4) unstable; urgency=high + + * Backport upstream fix for the AddSet() function that's been reversing + byte order on all little-endian architectures (Closes: #1071247), + breaking crowdsec-firewall-bouncer (See: #1071248): + - 0002-Implement-set-KeyByteOrder-226.patch + + -- Cyril Brulebois <cy...@debamax.com> Tue, 21 May 2024 09:42:17 +0200 + golang-github-google-nftables (0.1.0-3) unstable; urgency=medium * Backport fix from upstream to fix the test suite on 32-bit archs (the diff -Nru golang-github-google-nftables-0.1.0/debian/patches/0002-Implement-set-KeyByteOrder-226.patch golang-github-google-nftables-0.1.0/debian/patches/0002-Implement-set-KeyByteOrder-226.patch --- golang-github-google-nftables-0.1.0/debian/patches/0002-Implement-set-KeyByteOrder-226.patch 1970-01-01 01:00:00.000000000 +0100 +++ golang-github-google-nftables-0.1.0/debian/patches/0002-Implement-set-KeyByteOrder-226.patch 2024-05-15 13:08:54.000000000 +0200 
@@ -0,0 +1,42 @@ +From d746ecb0e494e7200180c3886fde9664d9100729 Mon Sep 17 00:00:00 2001 +From: turekt <32360115+tur...@users.noreply.github.com> +Date: Thu, 18 May 2023 18:05:49 +0200 +Subject: [PATCH] Implement set KeyByteOrder (#226) + +Fixes https://github.com/google/nftables/issues/225 +Introduced KeyByteOrder in sets which fills UDATA with endianess information +--- + set.go | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/set.go b/set.go +index 1ef8e89..b1f63e8 100644 +--- a/set.go ++++ b/set.go +@@ -261,6 +261,9 @@ type Set struct { + Timeout time.Duration + KeyType SetDatatype + DataType SetDatatype ++ // Either host (binaryutil.NativeEndian) or big (binaryutil.BigEndian) endian as per ++ // https://git.netfilter.org/nftables/tree/include/datatype.h?id=d486c9e626405e829221b82d7355558005b26d8a#n109 ++ KeyByteOrder binaryutil.ByteOrder + } + + // SetElement represents a data point within a set. +@@ -560,11 +563,11 @@ func (cc *Conn) AddSet(s *Set, vals []SetElement) error { + // Marshal concat size description as set description + tableInfo = append(tableInfo, netlink.Attribute{Type: unix.NLA_F_NESTED | unix.NFTA_SET_DESC, Data: concatBytes}) + } +- if s.Anonymous || s.Constant || s.Interval { ++ if s.Anonymous || s.Constant || s.Interval || s.KeyByteOrder == binaryutil.BigEndian { + tableInfo = append(tableInfo, + // Semantically useless - kept for binary compatability with nft + netlink.Attribute{Type: unix.NFTA_SET_USERDATA, Data: []byte("\x00\x04\x02\x00\x00\x00")}) +- } else if !s.IsMap { ++ } else if s.KeyByteOrder == binaryutil.NativeEndian { + // Per https://git.netfilter.org/nftables/tree/src/mnl.c?id=187c6d01d35722618c2711bbc49262c286472c8f#n1165 + tableInfo = append(tableInfo, + netlink.Attribute{Type: unix.NFTA_SET_USERDATA, Data: []byte("\x00\x04\x01\x00\x00\x00")}) +-- +2.39.2 + diff -Nru golang-github-google-nftables-0.1.0/debian/patches/series golang-github-google-nftables-0.1.0/debian/patches/series --- 
golang-github-google-nftables-0.1.0/debian/patches/series 2022-12-12 05:04:34.000000000 +0100 +++ golang-github-google-nftables-0.1.0/debian/patches/series 2024-05-15 13:08:54.000000000 +0200 @@ -1 +1,2 @@ 0001-alignedbuff-fix-alignment-test-issue-on-32-bit-archs.patch +0002-Implement-set-KeyByteOrder-226.patch
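Review bot: the 0.1.0-4 changelog entry describes AddSet() as having been "reversing byte order on all little-endian architectures", but the set.go changes in this debdiff only add a KeyByteOrder field and an NFTA_SET_USERDATA hint; nothing here changes how key bytes are marshalled, so the library fix is opt-in and does nothing for a caller that leaves KeyByteOrder unset. Suggest wording the entry as an API addition that the consumer must use, and pointing at the crowdsec-firewall-bouncer upload that sets it, as the [ Other info ] paragraph of the report already does.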
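Review bot: the comment on the new `KeyByteOrder binaryutil.ByteOrder` field in the `type Set struct` hunk documents the two accepted values but not the zero value; a nil interface matches neither `binaryutil.BigEndian` nor `binaryutil.NativeEndian` in AddSet, so sets built by existing callers silently stop carrying any NFTA_SET_USERDATA attribute. Suggest extending the comment along the lines of `// nil emits no byte order hint; set NativeEndian to keep the previous behaviour for plain sets.`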
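Review bot: the AddSet hunk replaces `} else if !s.IsMap {` with `} else if s.KeyByteOrder == binaryutil.NativeEndian {`, which is two behaviour changes for every reverse dependency of this library in bookworm, not only crowdsec-firewall-bouncer: maps now get the native-endian USERDATA blob when KeyByteOrder is NativeEndian, and plain non-anonymous sets that leave KeyByteOrder nil lose the blob they used to get. Suggest checking the package's other reverse dependencies in stable against this, or at least noting it in the changelog. The retained comment `// Semantically useless - kept for binary compatability with nft` above the big-endian blob is also at odds with the patch description ("fills UDATA with endianess information") and should be updated, with the typo fixed while at it.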