On Sat, Apr 25, 2015 at 11:06:28AM +0200, Julien Cristau wrote:
> Control: tags -1 moreinfo
>
> On Mon, Apr 20, 2015 at 09:31:04 +0100, Dominic Hargreaves wrote:
>
> > Note: I would also like to add the patch (the one attached to the ticket
> > was applied upstream) for #769741, if that's okay.
> >
> Can you send an updated debdiff?
Sure, here it is.
diff --git a/debian/.git-dpm b/debian/.git-dpm
index aa3a238..e7a3437 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-49feddb590758a85ea6aae4a25a560763fa60526
-49feddb590758a85ea6aae4a25a560763fa60526
+83b433f88de24a42d039f7aa6505c6e8901c3121
+83b433f88de24a42d039f7aa6505c6e8901c3121
 f12b9d1d5307ac50ef9d526ed0c95d5113d7434e
 f12b9d1d5307ac50ef9d526ed0c95d5113d7434e
 ircd-hybrid_8.2.0+dfsg.1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index b2b316e..8279a3c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+ircd-hybrid (1:8.2.0+dfsg.1-2+deb8u1) UNRELEASED; urgency=medium
+
+ * Remove Suggests: hybserv as the package isn't in jessie
+ * Fix a DoS from localhost clients backported from 8.2.6
+ (Closes: #782859)
+ * Debconf configuration script no longer ignores the result of
+ upgrade questions (Closes: #779082)
+ * Don't display upgrade warnings on new installs (Closes: #782883)
+ * Support chained SSL certificates (Closes: #769741)
+
+ -- Dominic Hargreaves <d...@earth.li> Sat, 18 Apr 2015 21:19:30 +0100
+
 ircd-hybrid (1:8.2.0+dfsg.1-2) unstable; urgency=medium
 
 * Updated Swedish debconf translation (Closes: #761974)
diff --git a/debian/control b/debian/control
index 1182ee8..ce7c683 100644
--- a/debian/control
+++ b/debian/control
@@ -25,7 +25,6 @@ Pre-Depends: debconf (>= 0.5) | debconf-2.0
 Depends: ${shlibs:Depends}, ${misc:Depends}
 Provides: ircd
 Recommends: whois
-Suggests: hybserv
 Description: high-performance secure IRC server
 ircd-hybrid is a stable, high-performance IRC server that features:
 .
diff --git a/debian/ircd-hybrid.config.nossl b/debian/ircd-hybrid.config.nossl
index 5b88b4a..912027e 100644
--- a/debian/ircd-hybrid.config.nossl
+++ b/debian/ircd-hybrid.config.nossl
@@ -3,9 +3,10 @@
 set -e
 . /usr/share/debconf/confmodule
 
-if dpkg --compare-versions "$2" lt "1:8.0.9.dfsg.1-2"; then
+if dpkg --compare-versions "$2" lt-nl "1:8.0.9.dfsg.1-2"; then
 db_input high ircd-hybrid/upgrade_no_services_warn || true
 db_go
+ db_get ircd-hybrid/upgrade_no_services_warn || true
 if [ "$RET" = "false" ]; then
 echo "Aborting install";
 db_fset ircd-hybrid/upgrade_no_services_warn seen false
diff --git a/debian/ircd-hybrid.config.ssl b/debian/ircd-hybrid.config.ssl
index 4d88433..22e50c0 100644
--- a/debian/ircd-hybrid.config.ssl
+++ b/debian/ircd-hybrid.config.ssl
@@ -3,9 +3,10 @@
 set -e
 . /usr/share/debconf/confmodule
 
-if dpkg --compare-versions "$2" lt "1:8.0.4.dfsg.1-1"; then
+if dpkg --compare-versions "$2" lt-nl "1:8.0.4.dfsg.1-1"; then
 db_input high ircd-hybrid/upgrade_secure_links_warn || true
 db_go
+ db_get ircd-hybrid/upgrade_secure_links_warn
 if [ "$RET" = "false" ]; then
 echo "Aborting install";
 db_fset ircd-hybrid/upgrade_secure_links_warn seen false
@@ -13,9 +14,10 @@ if dpkg --compare-versions "$2" lt "1:8.0.4.dfsg.1-1"; then
 fi
 fi
 
-if dpkg --compare-versions "$2" lt "1:8.0.9.dfsg.1-2"; then
+if dpkg --compare-versions "$2" lt-nl "1:8.0.9.dfsg.1-2"; then
 db_input high ircd-hybrid/upgrade_no_services_warn || true
 db_go
+ db_get ircd-hybrid/upgrade_no_services_warn || true
 if [ "$RET" = "false" ]; then
 echo "Aborting install";
 db_fset ircd-hybrid/upgrade_no_services_warn seen false
diff --git a/debian/patches/chained_certs.patch b/debian/patches/chained_certs.patch
new file mode 100644
index 0000000..8dc69d2
--- /dev/null
+++ b/debian/patches/chained_certs.patch
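Review bot: The added `db_get ircd-hybrid/upgrade_secure_links_warn` in the first debian/ircd-hybrid.config.ssl hunk lacks the `|| true` that the other two added db_get lines carry (second hunk of the same file and the config.nossl hunk); under the script's `set -e`, a non-zero db_get return would abort the config script instead of reaching the `[ "$RET" = "false" ]` test. `db_get ircd-hybrid/upgrade_secure_links_warn || true` keeps the three blocks consistent. Because db_input's own status is swallowed by `|| true`, a question the frontend skips presumably leaves `$RET` at the stored or default value, which reads as intended but deserves a one-line comment above the db_get, e.g. `# refresh $RET from the answer; an unasked question yields the stored default`. Each if-block continues beyond the end of its hunk.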
@@ -0,0 +1,30 @@
+From 83b433f88de24a42d039f7aa6505c6e8901c3121 Mon Sep 17 00:00:00 2001
+From: Stephen Rothwell <s...@canb.auug.org.au>
+Date: Sun, 16 Nov 2014 12:50:09 +1100
+Subject: Enable use of chained certificates
+
+Bug-Debian: http://bugs.debian.org/769741
+Patch-Name: chained_certs.patch
+---
+ src/conf_parser.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/conf_parser.c b/src/conf_parser.c
+index 5f43e69..85d54c6 100644
+--- a/src/conf_parser.c
++++ b/src/conf_parser.c
+@@ -2983,10 +2983,10 @@ yyreduce:
+ break;
+ }
+
+- if (SSL_CTX_use_certificate_file(ConfigServerInfo.server_ctx, yylval.string,
+- SSL_FILETYPE_PEM) <= 0 ||
+- SSL_CTX_use_certificate_file(ConfigServerInfo.client_ctx, yylval.string,
+- SSL_FILETYPE_PEM) <= 0)
++ if (SSL_CTX_use_certificate_chain_file(ConfigServerInfo.server_ctx,
++ yylval.string) <= 0 ||
++ SSL_CTX_use_certificate_chain_file(ConfigServerInfo.client_ctx,
++ yylval.string) <= 0)
+ {
+ report_crypto_errors();
+ conf_error_report("Could not open/read certificate file");
diff --git a/debian/patches/fhs_comply.patch b/debian/patches/fhs_comply.patch
index df8c950..b066894 100644
--- a/debian/patches/fhs_comply.patch
+++ b/debian/patches/fhs_comply.patch
@@ -6,8 +6,8 @@ Subject: Adjust paths for Debian/FHS
 Forwarded: not-needed
 Patch-Name: fhs_comply.patch
 ---
- include/defaults.h | 12 ++++++------
- src/Makefile.am | 2 +-
+ include/defaults.h | 12 ++++++------
+ src/Makefile.am | 2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)
 
 diff --git a/include/defaults.h b/include/defaults.h
diff --git a/debian/patches/localhost_dos.patch b/debian/patches/localhost_dos.patch
new file mode 100644
index 0000000..ab0375e
--- /dev/null
+++ b/debian/patches/localhost_dos.patch
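Review bot: The new `SSL_CTX_use_certificate_chain_file` calls keep the old message `"Could not open/read certificate file"`, which no longer tells an operator that the failure may sit in an intermediate certificate appended after the leaf rather than in opening the file; `conf_error_report("Could not open/read certificate chain file");` would match the new behaviour. A comment above the `if`, e.g. `/* PEM file: server certificate first, then any intermediate CA certificates */`, documents the file layout the loader expects, and the ssl_certificate_file description in the shipped example config presumably needs the same wording (not visible here). The same hunk is applied to src/conf_parser.c further down this debdiff. The enclosing grammar action starts before the hunk.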
@@ -0,0 +1,102 @@
+From 779c76c0cb228cbca9ff1e60f3cad08ddfc0cd76 Mon Sep 17 00:00:00 2001
+From: Dominic Hargreaves <d...@earth.li>
+Date: Sat, 18 Apr 2015 21:33:48 +0100
+Subject: Fix a potential DoS from localhost in src/packet.c
+
+Origin: http://svn.ircd-hybrid.org:8000/viewcvs.cgi/ircd-hybrid/releases/8.2.6/src/packet.c?r1=5346&r2=5412&view=patch
+Patch-Name: localhost_dos.patch
+---
+ src/packet.c | 55 +++++++++++++++++++++----------------------------------
+ 1 file changed, 21 insertions(+), 34 deletions(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index 5189e2c..d9f4f32 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -54,25 +54,13 @@ static void client_dopacket(struct Client *, char *, size_t);
+ static int
+ extract_one_line(struct dbuf_queue *qptr, char *buffer)
+ {
+- int line_bytes = 0, empty_bytes = 0, phase = 0;
+- unsigned int idx = 0;
+- dlink_node *ptr = NULL;
++ int line_bytes = 0, eol_bytes = 0;
++ dlink_node *ptr;
+
+- /*
+- * Phase 0: "empty" characters before the line
+- * Phase 1: copying the line
+- * Phase 2: "empty" characters after the line
+- * (delete them as well and free some space in the dbuf)
+- *
+- * Empty characters are CR, LF and space (but, of course, not
+- * in the middle of a line). We try to remove as much of them as we can,
+- * since they simply eat server memory.
+- *
+- * --adx
+- */
+ DLINK_FOREACH(ptr, qptr->blocks.head)
+ {
+ struct dbuf_block *block = ptr->data;
++ unsigned int idx;
+
+ if (ptr == qptr->blocks.head)
+ idx = qptr->pos;
+@@ -83,39 +71,38 @@ extract_one_line(struct dbuf_queue *qptr, char *buffer)
+ {
+ char c = block->data[idx];
+
+- if (IsEol(c) || (c == ' ' && phase != 1))
++ if (IsEol(c))
+ {
+- ++empty_bytes;
++ ++eol_bytes;
+
+- if (phase == 1)
+- phase = 2;
+- }
+- else switch (phase)
+- {
+- case 0: phase = 1;
+- case 1: if (line_bytes++ < IRCD_BUFSIZE - 2)
+- *buffer++ = c;
+- break;
+- case 2: *buffer = '\0';
+- dbuf_delete(qptr, line_bytes + empty_bytes);
+- return IRCD_MIN(line_bytes, IRCD_BUFSIZE - 2);
++ /* Allow 2 eol bytes per message */
++ if (eol_bytes == 2)
++ goto out;
+ }
++ else if (eol_bytes)
++ goto out;
++ else if (line_bytes++ < IRCD_BUFSIZE - 2)
++ *buffer++ = c;
+ }
+ }
+
++out:
++
+ /*
+- * Now, if we haven't reached phase 2, ignore all line bytes
++ * Now, if we haven't found an EOL, ignore all line bytes
+ * that we have read, since this is a partial line case.
+ */
+- if (phase != 2)
+- line_bytes = 0;
+- else
++ if (eol_bytes)
+ *buffer = '\0';
++ else
++ line_bytes = 0;
+
+ /* Remove what is now unnecessary */
+- dbuf_delete(qptr, line_bytes + empty_bytes);
++ dbuf_delete(qptr, line_bytes + eol_bytes);
++
+ return IRCD_MIN(line_bytes, IRCD_BUFSIZE - 2);
+ }
++
+ /*
+ * parse_client_queued - parse client queued messages
+ */
diff --git a/debian/patches/no_ltdl_build.patch b/debian/patches/no_ltdl_build.patch
index 97348fa..b82766e 100644
--- a/debian/patches/no_ltdl_build.patch
+++ b/debian/patches/no_ltdl_build.patch
@@ -5,7 +5,7 @@ Subject: Don't build bundled libltdl
 
 Patch-Name: no_ltdl_build.patch
 ---
- Makefile.am | 2 +-
+ Makefile.am | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/Makefile.am b/Makefile.am
diff --git a/debian/patches/patchlevel_debian.patch b/debian/patches/patchlevel_debian.patch
index e3c6bf6..6d54430 100644
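Review bot: A blank line and a partial line are now indistinguishable to the caller: for a queue holding `\r\nNICK x\r\n` the loop reaches `eol_bytes == 2` on the leading CRLF with `line_bytes` still 0, stores `*buffer = '\0'`, deletes the two bytes and returns 0 while `NICK x\r\n` stays queued, whereas the removed phase-0 code skipped leading CR/LF/space and returned the real line; an incomplete line also returns 0, with nothing deleted. Whether the rest of the queue is then parsed promptly depends on how parse_client_queued treats a 0 return, which is outside the hunk and worth checking. If this is intended, a comment above the final `if (eol_bytes)` such as `/* Returns 0 both for a blank line (its EOL bytes are consumed) and for an incomplete line (nothing is consumed) */` records the contract. The function's declarations are in the preceding hunk of this patch file, and the same two hunks are applied to src/packet.c further down this debdiff.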
--- a/debian/patches/patchlevel_debian.patch
+++ b/debian/patches/patchlevel_debian.patch
@@ -7,7 +7,7 @@ Forwarded: not-needed
 
 Patch-Name: patchlevel_debian.patch
 ---
- include/patchlevel.h | 1 +
+ include/patchlevel.h | 1 +
 1 file changed, 1 insertion(+)
 
 diff --git a/include/patchlevel.h b/include/patchlevel.h
diff --git a/debian/patches/series b/debian/patches/series
index 369b00c..7fd9620 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,5 @@
 patchlevel_debian.patch
 fhs_comply.patch
 no_ltdl_build.patch
+localhost_dos.patch
+chained_certs.patch
diff --git a/src/conf_parser.c b/src/conf_parser.c
index 5f43e69..85d54c6 100644
--- a/src/conf_parser.c
+++ b/src/conf_parser.c
@@ -2983,10 +2983,10 @@ yyreduce:
 break;
 }
 
- if (SSL_CTX_use_certificate_file(ConfigServerInfo.server_ctx, yylval.string,
- SSL_FILETYPE_PEM) <= 0 ||
- SSL_CTX_use_certificate_file(ConfigServerInfo.client_ctx, yylval.string,
- SSL_FILETYPE_PEM) <= 0)
+ if (SSL_CTX_use_certificate_chain_file(ConfigServerInfo.server_ctx,
+ yylval.string) <= 0 ||
+ SSL_CTX_use_certificate_chain_file(ConfigServerInfo.client_ctx,
+ yylval.string) <= 0)
 {
 report_crypto_errors();
 conf_error_report("Could not open/read certificate file");
diff --git a/src/packet.c b/src/packet.c
index 5189e2c..d9f4f32 100644
--- a/src/packet.c
+++ b/src/packet.c
@@ -54,25 +54,13 @@ static void client_dopacket(struct Client *, char *, size_t);
 static int
 extract_one_line(struct dbuf_queue *qptr, char *buffer)
 {
- int line_bytes = 0, empty_bytes = 0, phase = 0;
- unsigned int idx = 0;
- dlink_node *ptr = NULL;
+ int line_bytes = 0, eol_bytes = 0;
+ dlink_node *ptr;
 
- /*
- * Phase 0: "empty" characters before the line
- * Phase 1: copying the line
- * Phase 2: "empty" characters after the line
- * (delete them as well and free some space in the dbuf)
- *
- * Empty characters are CR, LF and space (but, of course, not
- * in the middle of a line). We try to remove as much of them as we can,
- * since they simply eat server memory.
- *
- * --adx
- */
 DLINK_FOREACH(ptr, qptr->blocks.head)
 {
 struct dbuf_block *block = ptr->data;
+ unsigned int idx;
 
 if (ptr == qptr->blocks.head)
 idx = qptr->pos;
@@ -83,39 +71,38 @@ extract_one_line(struct dbuf_queue *qptr, char *buffer)
 {
 char c = block->data[idx];
 
- if (IsEol(c) || (c == ' ' && phase != 1))
+ if (IsEol(c))
 {
- ++empty_bytes;
+ ++eol_bytes;
 
- if (phase == 1)
- phase = 2;
- }
- else switch (phase)
- {
- case 0: phase = 1;
- case 1: if (line_bytes++ < IRCD_BUFSIZE - 2)
- *buffer++ = c;
- break;
- case 2: *buffer = '\0';
- dbuf_delete(qptr, line_bytes + empty_bytes);
- return IRCD_MIN(line_bytes, IRCD_BUFSIZE - 2);
+ /* Allow 2 eol bytes per message */
+ if (eol_bytes == 2)
+ goto out;
 }
+ else if (eol_bytes)
+ goto out;
+ else if (line_bytes++ < IRCD_BUFSIZE - 2)
+ *buffer++ = c;
 }
 }
 
+out:
+
 /*
- * Now, if we haven't reached phase 2, ignore all line bytes
+ * Now, if we haven't found an EOL, ignore all line bytes
 * that we have read, since this is a partial line case.
 */
- if (phase != 2)
- line_bytes = 0;
- else
+ if (eol_bytes)
 *buffer = '\0';
+ else
+ line_bytes = 0;
 
 /* Remove what is now unnecessary */
- dbuf_delete(qptr, line_bytes + empty_bytes);
+ dbuf_delete(qptr, line_bytes + eol_bytes);
+
 return IRCD_MIN(line_bytes, IRCD_BUFSIZE - 2);
 }
+
 /*
 * parse_client_queued - parse client queued messages
 */