Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
This is a pre-approval request for unblocking an RC bugfix upload of stunnel4 that will fix two RC bugs: - #771421 - makes stunnel unusable for some users in certain configurations; not for everyone, but still, it happens too often to be ignored - #782030 - makes stunnel start and stop properly, checking whether the action has actually succeeded The full debdiff between version 3:5.06-2 (currently in unstable and testing) and the proposed 3:5.06-3 is attached. unblock stunnel4/3:5.06-3 Thanks in advance, and thanks for all your work! G'luck, Peter -- System Information: Debian Release: 8.0 APT prefers testing APT policy: (990, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=bg_BG.UTF-8, LC_CTYPE=bg_BG.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diff -Nru stunnel4-5.06/debian/changelog stunnel4-5.06/debian/changelog
--- stunnel4-5.06/debian/changelog 2014-10-20 11:49:07.000000000 +0300
+++ stunnel4-5.06/debian/changelog 2015-04-08 14:00:56.000000000 +0300
@@ -1,3 +1,15 @@
+stunnel4 (3:5.06-3) unstable; urgency=medium
+
+ * Add the 17-upstream-hangup patch to fix prematurely closed
+ connections when there is still data to be written.
+ Thanks to Joachim Falk for backporting the patch!
+ Closes: #771241
+ * Add the 18-lsb-startup patch to make the daemons' startup consistent
+ with the way things are done in Debian.
+ Among other things, Closes: #782030
+
+ -- Peter Pentchev <r...@ringlet.net> Wed, 08 Apr 2015 14:00:54 +0300
+
 stunnel4 (3:5.06-2) unstable; urgency=medium
 
 * Limit the systemd build dependency to Linux architectures only,
diff -Nru stunnel4-5.06/debian/patches/17-upstream-hangup.patch stunnel4-5.06/debian/patches/17-upstream-hangup.patch
--- stunnel4-5.06/debian/patches/17-upstream-hangup.patch 1970-01-01 02:00:00.000000000 +0200
+++ stunnel4-5.06/debian/patches/17-upstream-hangup.patch 2015-04-08 12:45:17.000000000 +0300
@@ -0,0 +1,74 @@
+Description: Fix premature data truncation in the POLLRDHUP handling
+DebianBug: https://bugs.debian.org/771241
+Origin: upstream; https://www.stunnel.org/pipermail/stunnel-users/2014-November/004860.html
+Last-Update: 2015-03-04
+
+--- a/src/client.c
++++ b/src/client.c
+@@ -515,6 +515,11 @@
+ int write_wants_read=0, write_wants_write=0;
+ /* actual conditions on file descriptors */
+ int sock_can_rd, sock_can_wr, ssl_can_rd, ssl_can_wr;
++#ifdef USE_WIN32
++ unsigned long bytes;
++#else
++ int bytes;
++#endif
+
+ c->sock_ptr=c->ssl_ptr=0;
+
+@@ -810,32 +815,44 @@
+ }
+
+ /****************************** check for hangup conditions */
+- if(s_poll_rdhup(c->fds, c->sock_rfd->fd)) {
+- s_log(LOG_INFO, "Read socket closed (hangup)");
++ /* http://marc.info/?l=linux-man&m=128002066306087 */
++ /* readsocket() must be the last sock_rfd operation before FIONREAD */
++ if(sock_open_rd && s_poll_rdhup(c->fds, c->sock_rfd->fd) &&
++ (ioctlsocket(c->sock_rfd->fd, FIONREAD, &bytes) || !bytes)) {
++ s_log(LOG_INFO, "Read socket closed (read hangup)");
+ sock_open_rd=0;
+ }
+- if(s_poll_hup(c->fds, c->sock_wfd->fd)) {
++ if(sock_open_wr && s_poll_hup(c->fds, c->sock_wfd->fd)) {
+ if(c->ssl_ptr) {
+ s_log(LOG_ERR,
+- "Write socket closed (hangup) with %d unsent byte(s)",
++ "Write socket closed (write hangup) with %d unsent byte(s)",
+ c->ssl_ptr);
+ longjmp(c->err, 1); /* reset the socket */
+ }
+- s_log(LOG_INFO, "Write socket closed (hangup)");
++ s_log(LOG_INFO, "Write socket closed (write hangup)");
+ sock_open_wr=0;
+ }
+- if(s_poll_hup(c->fds, c->ssl_rfd->fd) ||
+- s_poll_hup(c->fds, c->ssl_wfd->fd)) {
++ /* SSL_read() must be the last ssl_rfd operation before FIONREAD */
++ if(!(SSL_get_shutdown(c->ssl)&SSL_RECEIVED_SHUTDOWN) &&
++ s_poll_rdhup(c->fds, c->ssl_rfd->fd) &&
++ (ioctlsocket(c->ssl_rfd->fd, FIONREAD, &bytes) || !bytes)) {
+ /* hangup -> buggy (e.g. Microsoft) peer:
+ * SSL socket closed without close_notify alert */
++ s_log(LOG_INFO, "SSL socket closed (read hangup)");
++ SSL_set_shutdown(c->ssl,
++ SSL_get_shutdown(c->ssl)|SSL_RECEIVED_SHUTDOWN);
++ }
++ if(!(SSL_get_shutdown(c->ssl)&SSL_SENT_SHUTDOWN) &&
++ s_poll_hup(c->fds, c->ssl_wfd->fd)) {
+ if(c->sock_ptr || write_wants_write) {
+ s_log(LOG_ERR,
+- "SSL socket closed (hangup) with %d unsent byte(s)",
++ "SSL socket closed (write hangup) with %d unsent byte(s)",
+ c->sock_ptr);
+ longjmp(c->err, 1); /* reset the socket */
+ }
+- s_log(LOG_INFO, "SSL socket closed (hangup)");
+- SSL_set_shutdown(c->ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
++ s_log(LOG_INFO, "SSL socket closed (write hangup)");
++ SSL_set_shutdown(c->ssl,
++ SSL_get_shutdown(c->ssl)|SSL_SENT_SHUTDOWN);
+ }
+
+ /****************************** check write shutdown conditions */
diff -Nru stunnel4-5.06/debian/patches/18-lsb-startup.patch stunnel4-5.06/debian/patches/18-lsb-startup.patch
--- stunnel4-5.06/debian/patches/18-lsb-startup.patch 1970-01-01 02:00:00.000000000 +0200
+++ stunnel4-5.06/debian/patches/18-lsb-startup.patch 2015-04-08 13:53:50.000000000 +0300
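Review bot: The SSL-side read-hangup branch (`if(!(SSL_get_shutdown(c->ssl)&SSL_RECEIVED_SHUTDOWN) && s_poll_rdhup(...) && (ioctlsocket(..., FIONREAD, &bytes) || !bytes))`) only counts bytes still in the kernel socket buffer, so plaintext that OpenSSL has already pulled into its own record buffer is not considered; if `SSL_pending(c->ssl)` can be non-zero here, the branch still sets SSL_RECEIVED_SHUTDOWN and that data may be lost, which is the same class of truncation the patch sets out to fix. Extending the condition with `&& !SSL_pending(c->ssl)` would close that gap, unless the rest of the loop already guarantees the OpenSSL buffer is drained before this point — the "SSL_read() must be the last ssl_rfd operation" comment does not quite say that. Treating an `ioctlsocket()` failure as a hangup is the safe direction but it is silent; a `s_log(LOG_DEBUG, ...)` on that path would make stuck or prematurely closed connections easier to diagnose from the logs. The enclosing function begins and ends outside both inner hunks.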
@@ -0,0 +1,199 @@
+Description: Use the LSB start/stop functions in the init script
+DebianBug: https://bugs.debian.org/782030
+Author: Peter Pentchev <r...@ringlet.net>
+Forwarded: not needed
+Last-Update: 2014-04-08
+
+--- a/tools/stunnel.init.in
++++ b/tools/stunnel.init.in
+@@ -29,7 +29,7 @@
+ grep -i "^$2=" | sed -e "s;^[^=]*=;;"
+ }
+
+-get_pids() {
++get_pidfile() {
+ local file=$1
+ if [ -f $file ]; then
+ CHROOT=`get_opt $file chroot`
+@@ -37,13 +37,13 @@
+ if [ "$PIDFILE" = "" ]; then
+ PIDFILE=$DEFAULTPIDFILE
+ fi
+- if [ -f $CHROOT/$PIDFILE ]; then
+- cat $CHROOT/$PIDFILE
+- fi
++ echo "$CHROOT/$PIDFILE"
+ fi
+ }
+
+ startdaemons() {
++ local res file args pidfile warn status
++
+ if ! [ -d /var/run/stunnel4 ]; then
+ rm -rf /var/run/stunnel4
+ install -d -o stunnel4 -g stunnel4 /var/run/stunnel4
+@@ -51,52 +51,81 @@
+ if [ -n "$RLIMITS" ]; then
+ ulimit $RLIMITS
+ fi
++ res=0
+ for file in $FILES; do
+ if [ -f $file ]; then
+- ARGS="$file $OPTIONS"
+- PROCLIST=`get_pids $file`
++ echo -n " $file: "
++ args="$file $OPTIONS"
++ pidfile=`get_pidfile $file`
+ if egrep -qe '^pid[[:space:]]*=' "$file"; then
+- warn=''
++ warn=''
+ else
+- warn=' (no pid=pidfile specified!)'
++ warn=' (no pid=pidfile specified!)'
+ fi
+- if [ "$PROCLIST" ] && kill -s 0 $PROCLIST 2>/dev/null; then
+- echo -n "[Already running$warn: $file] "
+- elif $DAEMON $ARGS; then
+- echo -n "[Started$warn: $file] "
++ status=0
++ start_daemon -p "$pidfile" "$DAEMON" $args || status=$?
++ if [ "$status" -eq 0 ]; then
++ echo -n "started$warn"
+ else
+- echo "[Failed$warn: $file]"
+- echo "You should check that you have specified the pid= in you configuration file"
+- exit 1
++ echo "failed$warn"
++ echo "You should check that you have specified the pid= in you configuration file"
++ res=1
+ fi
+ fi
+ done;
++ echo ''
++ return "$res"
+ }
+
+ killdaemons()
+ {
+- SIGNAL=${1:-TERM}
++ local sig file pidfile status
++
++ sig=${1:-TERM}
++ res=0
+ for file in $FILES; do
+- PROCLIST=`get_pids $file`
+- if [ "$PROCLIST" ] && kill -s 0 $PROCLIST 2>/dev/null; then
+- kill -s $SIGNAL $PROCLIST
+- echo -n "[stopped: $file] "
++ echo -n " $file: "
++ pidfile=`get_pidfile $file`
++ if [ ! -e "$pidfile" ]; then
++ echo -n "no pid file"
++ else
++ status=0
++ killproc -p "$pidfile" "$DAEMON" "$sig" || status=$?
++ if [ "$status" -eq 0 ]; then
++ echo -n 'stopped'
++ else
++ echo -n 'failed'
++ res=1
++ fi
+ fi
+ done
++ echo ''
++ return "$res"
+ }
+
+ querydaemons()
+ {
++ local res file pidfile status
++
+ res=0
+- echo -n "$DESC status:"
+ for file in $FILES; do
+ echo -n " $file: "
+- PROCLIST=`get_pids $file`
+- if [ "$PROCLIST" ] && kill -s 0 $PROCLIST 2>/dev/null; then
+- echo -n 'running'
+- else
+- echo -n 'stopped'
++ pidfile=`get_pidfile "$file"`
++ if [ ! -e "$pidfile" ]; then
++ echo -n 'no pid file'
+ res=1
++ else
++ status=0
++ pidofproc -p "$pidfile" "$DAEMON" >/dev/null || status="$?"
++ if [ "$status" = 0 ]; then
++ echo -n 'running'
++ elif [ "$status" = 4 ]; then
++ echo "cannot access the pid file $pidfile"
++ res=1
++ else
++ echo -n 'stopped'
++ res=1
++ fi
+ fi
+ done
+ echo ''
+@@ -133,42 +162,43 @@
+
+ set -e
+
++res=0
+ case "$1" in
+ start)
+- echo -n "Starting $DESC: "
++ echo -n "Starting $DESC:"
+ startdaemons
+- echo "$NAME."
++ res=$?
+ ;;
+ stop)
+- echo -n "Stopping $DESC: "
++ echo -n "Stopping $DESC:"
+ killdaemons
+- echo "$NAME."
++ res=$?
+ ;;
+ reopen-logs)
+- echo -n "Reopening log files $DESC: "
++ echo -n "Reopening log files $DESC:"
+ killdaemons USR1
+- echo "$NAME."
++ res=$?
+ ;;
+ force-reload|reload)
+- echo -n "Reloading configuration $DESC: "
++ echo -n "Reloading configuration $DESC:"
+ killdaemons HUP
+- echo "$NAME."
++ res=$?
+ ;;
+ restart)
+- echo -n "Restarting $DESC: "
+- killdaemons
+- sleep 5
+- startdaemons
+- echo "$NAME."
++ echo -n "Restarting $DESC:"
++ killdaemons && startdaemons
++ res=$?
+ ;;
+ status)
+- querydaemons
+- ;;
++ echo -n "$DESC status:"
++ querydaemons
++ res=$?
++ ;;
+ *)
+ N=/etc/init.d/$NAME
+ echo "Usage: $N {start|stop|status|reload|reopen-logs|restart} [<stunnel instance>]" >&2
+- exit 1
++ res=1
+ ;;
+ esac
+
+-exit 0
++exit "$res"
diff -Nru stunnel4-5.06/debian/patches/series stunnel4-5.06/debian/patches/series
--- stunnel4-5.06/debian/patches/series 2014-10-16 14:24:04.000000000 +0300
+++ stunnel4-5.06/debian/patches/series 2015-04-08 13:52:22.000000000 +0300
@@ -9,3 +9,5 @@
 14-lsb-init-functions.patch
 15-upstream-systemd-libs.patch
 16-upstream-sslv23-method.patch
+17-upstream-hangup.patch
+18-lsb-startup.patch
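Review bot: `killdaemons()` declares `local sig file pidfile status` but then assigns `res=0`, so unlike `startdaemons()` and `querydaemons()` its `res` is the script-level variable; the top-level `res=$?` masks this today, but `local res sig file pidfile status` keeps the three functions consistent and avoids a surprise if the function is ever called without capturing its exit status. In `querydaemons()` the status-4 branch uses `echo "cannot access the pid file $pidfile"` where the sibling branches use `echo -n`, so the closing `echo ''` emits a stray blank line only in that case; `echo -n` there would keep the status output uniform. The DEP-3 header `Last-Update: 2014-04-08` looks like a slip for 2015-04-08, given the patch file's timestamp and the changelog date in this debdiff.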