On Sun, Jul 19, 2015 at 04:29:30PM +0200, Julien Cristau wrote:
> On Sun, Jul 19, 2015 at 14:37:57 +0200, Wouter Verhelst wrote:
>
> > On Sat, Jul 18, 2015 at 02:59:08PM +0100, Adam D. Barratt wrote:
> > > On Sat, 2015-07-18 at 15:33 +0200, Wouter Verhelst wrote:
> > > > On Sat, Jul 18, 2015 at 12:07:13PM +0100, Adam D. Barratt wrote:
> > > > > That's much bigger than I was expecting given your description, and
> > > > > I'm
> > > > > not sure all of the changes were intended to be included.
> > > >
> > > > Crap. I fucked up again. Can you reject that, or is it too late?
> > >
> > > No problem. There's a gateway policy queue (slightly incorrectly
> > > referred to as "stable-new") in front of proposed-updates which we have
> > > to accept or reject packages from before they hit p-u.
> > >
> > > I've flagged the upload for rejection but unfortunately just missed the
> > > start of the 13:52 dinstall, so it will need to wait until after that
> > > for dak to notice.
> >
> > Thanks.
> >
> > If you don't want me to immediately upload, what do you want me to do
> > instead?
> >
> Send us the proposed (source) debdiff.
Attached.
--
It is easy to love a country that is famous for chocolate and beer
-- Barack Obama, speaking in Brussels, Belgium, 2014-03-26
diff -u nbd-3.8/debian/changelog nbd-3.8/debian/changelog
--- nbd-3.8/debian/changelog
+++ nbd-3.8/debian/changelog
@@ -1,3 +1,10 @@
+nbd (1:3.8-4+deb8u2) jessie; urgency=low
+
+ * Cherry-pick two commits from 3.10 to fix authfile parsing.
+ Closes: #785727.
+
+ -- Wouter Verhelst <wou...@debian.org> Fri, 17 Jul 2015 21:52:40 +0200
+
nbd (1:3.8-4+deb8u1) jessie-security; urgency=medium
* Add fix for CVE-2015-0847. Closes: #784657.
only in patch2:
unchanged:
--- nbd-3.8.orig/nbdsrv.c
+++ nbd-3.8/nbdsrv.c
@@ -21,14 +21,14 @@
#include <cliserv.h>
-bool address_matches(const char* mask, const void* addr, int af, GError** err)
{
+bool address_matches(const char* mask, const struct sockaddr* addr, GError**
err) {
struct addrinfo *res, *aitmp, hints;
char *masksep;
char privmask[strlen(mask)+1];
int masklen;
- int addrlen = af == AF_INET ? 4 : 16;
+ int addrlen = addr->sa_family == AF_INET ? 4 : 16;
- assert(af == AF_INET || af == AF_INET6);
+ assert(addr->sa_family == AF_INET || addr->sa_family == AF_INET6);
strcpy(privmask, mask);
@@ -50,18 +50,20 @@
}
aitmp = res;
while(res) {
- const uint8_t* byte_s = addr;
+ const uint8_t* byte_s;
uint8_t* byte_t;
uint8_t mask = 0;
int len_left = masklen;
- if(res->ai_family != af) {
+ if(res->ai_family != addr->sa_family) {
goto next;
}
- switch(af) {
+ switch(addr->sa_family) {
case AF_INET:
+ byte_s = (const uint8_t*)(&(((struct
sockaddr_in*)addr)->sin_addr));
byte_t = (uint8_t*)(&(((struct
sockaddr_in*)(res->ai_addr))->sin_addr));
break;
case AF_INET6:
+ byte_s = (const uint8_t*)(&(((struct
sockaddr_in6*)addr)->sin6_addr));
byte_t = (uint8_t*)(&(((struct
sockaddr_in6*)(res->ai_addr))->sin6_addr));
break;
}
@@ -129,8 +131,7 @@
if(!(*pos)) {
continue;
}
- struct sockaddr* sa = (struct sockaddr*)&opts->clientaddr;
- if(address_matches(line, sa->sa_data, sa->sa_family, NULL)) {
+ if(address_matches(line, (struct sockaddr*)&opts->clientaddr,
NULL)) {
fclose(f);
return 1;
}
only in patch2:
unchanged:
--- nbd-3.8.orig/nbdsrv.h
+++ nbd-3.8/nbdsrv.h
@@ -123,14 +123,13 @@
* Check whether a given address matches a given netmask.
*
* @param mask the address or netmask to check against, in ASCII
representation
- * @param addr the address to check, in network byte order
- * @param af the address family of the passed address (AF_INET or AF_INET6)
+ * @param addr the address to check
*
* @return true if the address matches the mask, false otherwise; in case of
* failure to parse netmask, returns false with err set appropriately.
* @todo decide what to do with v6-mapped IPv4 addresses.
*/
-bool address_matches(const char* mask, const void* addr, int af, GError** err);
+bool address_matches(const char* mask, const struct sockaddr* addr, GError**
err);
/**
* Gets a byte to allow for address masking.
only in patch2:
unchanged:
--- nbd-3.8.orig/tests/code/clientacl.c
+++ nbd-3.8/tests/code/clientacl.c
@@ -31,7 +31,7 @@
&(((struct
sockaddr_in*)res->ai_addr)->sin_addr),
buf,
res->ai_addrlen));
- if(address_matches(netmask, &(((struct
sockaddr_in*)res->ai_addr)->sin_addr), res->ai_family, NULL)) {
+ if(address_matches(netmask, (struct sockaddr_in*)res->ai_addr,
NULL)) {
printf("Yes!\n");
freeaddrinfo(tmp);
return true;
