Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu
I would like to propose a stable update for opendmarc. [ Reason ] Since releasing the opendmarc version in Debian bullseye, two important issues affecting it have been reported upstream. [ Impact ] 1) opendmarc-import is broken in Debian bullseye (regression). https://github.com/trusteddomainproject/OpenDMARC/issues/189 2) opendmarc crashes when receiving certain ARC-Seal headers. https://github.com/trusteddomainproject/OpenDMARC/issues/183 [ Tests ] For issue 1) I have tested the fix with MariaDB on Debian bullseye. For issue 2) I am using the identical patch in unstable myself. [ Risks ] None that I know of, the fixes are small and seem sensible enough. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in stable [x] the issue is verified as fixed in unstable [ Changes ] See changelog and debdiff. Please let me upload this update via Debian mentors. Thank you. -- David
diff -Nru opendmarc-1.4.0~beta1+dfsg/debian/changelog opendmarc-1.4.0~beta1+dfsg/debian/changelog
--- opendmarc-1.4.0~beta1+dfsg/debian/changelog 2021-06-18 09:37:57.000000000 +0200
+++ opendmarc-1.4.0~beta1+dfsg/debian/changelog 2021-11-03 16:56:39.000000000 +0100
@@ -1,3 +1,12 @@
+opendmarc (1.4.0~beta1+dfsg-6+deb11u1) stable; urgency=medium
+
+ * Amend patch "ticket193.patch" (Closes: #995694):
+ - Remove unexplained diff that breaks opendmarc-import
+ * Add patch "arcseal-segfaults.patch" (Closes: #995703):
+ - Fix segfaults, increase token max lengths in ARC-Seal headers
+
+ -- David Bürgin <dbuer...@gluet.ch> Wed, 03 Nov 2021 16:56:39 +0100
+
 opendmarc (1.4.0~beta1+dfsg-6) unstable; urgency=high
 
 * Add patch for CVE-2021-34555 from upstream issue tracker:
diff -Nru opendmarc-1.4.0~beta1+dfsg/debian/patches/arcseal-segfaults.patch opendmarc-1.4.0~beta1+dfsg/debian/patches/arcseal-segfaults.patch
--- opendmarc-1.4.0~beta1+dfsg/debian/patches/arcseal-segfaults.patch 1970-01-01 01:00:00.000000000 +0100
+++ opendmarc-1.4.0~beta1+dfsg/debian/patches/arcseal-segfaults.patch 2021-11-03 14:25:50.000000000 +0100
@@ -0,0 +1,39 @@
+Description: Fix segfaults, increase token max lengths in ARC-Seal headers
+Origin: other, https://github.com/trusteddomainproject/OpenDMARC/files/6717466/opendmarc-arcseal.patch.txt
+Bug: https://github.com/trusteddomainproject/OpenDMARC/issues/183
+
+--- a/opendmarc/opendmarc-arcseal.c
++++ b/opendmarc/opendmarc-arcseal.c
+@@ -24,7 +24,7 @@
+ #include "opendmarc.h"
+
+ #define OPENDMARC_ARCSEAL_MAX_FIELD_NAME_LEN 255
+-#define OPENDMARC_ARCSEAL_MAX_TOKEN_LEN 512
++#define OPENDMARC_ARCSEAL_MAX_TOKEN_LEN 768
+
+ /* tables */
+ struct opendmarc_arcseal_lookup
+@@ -223,7 +223,12 @@
+ if (*token_ptr == '\0')
+ return 0;
+ tag_label = strsep(&token_ptr, "=");
++ if (token_ptr == NULL)
++ return 0;
++
+ tag_value = opendmarc_arcseal_strip_whitespace(token_ptr);
++ if (tag_value == NULL)
++ return 0;
+
+ tag_code = opendmarc_arcseal_convert(as_tags, tag_label);
+
+--- a/opendmarc/opendmarc-arcseal.h
++++ b/opendmarc/opendmarc-arcseal.h
+@@ -32,7 +32,7 @@
+ /* max header tag value length (short) */
+ #define OPENDMARC_ARCSEAL_MAX_SHORT_VALUE_LEN 256
+ /* max header tag value length (long) */
+-#define OPENDMARC_ARCSEAL_MAX_LONG_VALUE_LEN 512
++#define OPENDMARC_ARCSEAL_MAX_LONG_VALUE_LEN 768
+
+ /* names and field labels */
+ #define OPENDMARC_ARCSEAL_HDRNAME "ARC-Seal"
diff -Nru opendmarc-1.4.0~beta1+dfsg/debian/patches/series opendmarc-1.4.0~beta1+dfsg/debian/patches/series
--- opendmarc-1.4.0~beta1+dfsg/debian/patches/series 2021-06-15 16:23:10.000000000 +0200
+++ opendmarc-1.4.0~beta1+dfsg/debian/patches/series 2021-11-03 14:23:34.000000000 +0100
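Review bot: In the `-223,7 +223,12` hunk of opendmarc-arcseal.c inside arcseal-segfaults.patch, both new guards `return 0`, the same value the existing `if (*token_ptr == '\0')` branch just above returns, so a tag with no `=` looks indistinguishable from a normal end of input to the caller. ARC-Seal headers come from inbound mail, so a malformed tag is better reported as a parse failure than silently accepted; if the function has an error return, use it here, e.g. `if (token_ptr == NULL) return -1;`, and otherwise add a comment such as `/* malformed tag without '=': stop parsing */`. The enclosing function starts and ends outside the hunk, so what 0 and a negative value mean to callers has to be confirmed there first. The 512 → 768 change is also made twice, in `OPENDMARC_ARCSEAL_MAX_TOKEN_LEN` (.c) and `OPENDMARC_ARCSEAL_MAX_LONG_VALUE_LEN` (.h); if the two are meant to stay equal, a one-line comment saying so next to each define would keep a later bump from changing only one.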
@@ -13,3 +13,4 @@
 cve-2020-12272.patch
 cve-2019-20790.patch
 cve-2021-34555.patch
+arcseal-segfaults.patch
diff -Nru opendmarc-1.4.0~beta1+dfsg/debian/patches/ticket193.patch opendmarc-1.4.0~beta1+dfsg/debian/patches/ticket193.patch
--- opendmarc-1.4.0~beta1+dfsg/debian/patches/ticket193.patch 2021-06-15 16:21:17.000000000 +0200
+++ opendmarc-1.4.0~beta1+dfsg/debian/patches/ticket193.patch 2021-11-03 14:18:41.000000000 +0100
@@ -107,92 +107,3 @@
 $rows = $dbi_s->execute($maxage);
 if (!$rows)
 {
-diff --git a/reports/opendmarc-import.in b/reports/opendmarc-import.in
-index 3a2f404..259f546 100755
---- a/reports/opendmarc-import.in
-+++ b/reports/opendmarc-import.in
-@@ -233,14 +233,12 @@ sub update_db
- $envfrom_id = get_table_id($envdomain, "domains");
- $pdomain_id = get_table_id($pdomain, "domains");
- $ipaddr_id = get_table_id($ipaddr, "ipaddr", "addr");
-- $request_id = get_table_id($from_id, "requests", "domain");
-
- if (!defined($rep_id) ||
- !defined($from_id) ||
- !defined($envfrom_id) ||
- !defined($pdomain_id) ||
-- !defined($ipaddr_id) ||
-- !defined($request_id))
-+ !defined($ipaddr_id))
- {
- return;
- }
-@@ -372,39 +370,48 @@ sub update_db
-
- if (get_value("requests", "locked", $request_id) != 1)
- {
-- if (scalar @rua > 0)
-+ print STDERR "$progname: failed to retrieve table ID: " . $dbi_h->errstr . "\n";
-+ return undef;
-+ }
-+
-+ undef $request_id;
-+ while ($dbi_a = $dbi_t->fetchrow_arrayref())
-+ {
-+ if (defined($dbi_a->[0]))
- {
-- $repuri = join(",", @rua);
-- $dbi_s = $dbi_h->prepare("UPDATE requests SET repuri = ? WHERE id = ?");
-+ $request_id = $dbi_a->[0];
-+ }
-+ }
-
-- if (!$dbi_s->execute($repuri, $request_id))
-- {
-- print STDERR "$progname: failed to update reporting URI for $fdomain: " . $dbi_h->errstr . "\n";
-- $dbi_s->finish;
-- return;
-- }
-+ $dbi_t->finish;
-
-- $dbi_s->finish;
-- }
-- else
-+ $repuri = join(",", @rua);
-+
-+ if (defined($request_id))
-+ {
-+ if (get_value("requests", "locked", $request_id) != 1)
- {
- $dbi_s = $dbi_h->prepare("UPDATE requests SET repuri = '' WHERE id = ?");
-
-- if (!$dbi_s->execute($request_id))
-+ if (!$dbi_s->execute($from_id, $repuri, $adkim, $aspf, $p, $sp, $pct, $request_id))
- {
-- print STDERR "$progname: failed to update reporting URI for $fdomain: " . $dbi_h->errstr . "\n";
-+ print STDERR "$progname: failed to update policy data for $fdomain: " . $dbi_h->errstr . "\n";
- $dbi_s->finish;
- return;
- }
--
-- $dbi_s->finish;
- }
-+ else
-+ {
-+ print STDERR "$progname: policy data for $fdomain not updated, because they are locked\n";
-+ }
-+ }
-+ else
-+ {
-+ $dbi_s = $dbi_h->prepare("insert requests SET domain = ?, repuri = ?, adkim = ?, aspf = ?, policy = ?, spolicy = ?, pct = ?");
-
-- $dbi_s = $dbi_h->prepare("UPDATE requests SET adkim = ?, aspf = ?, policy = ?, spolicy = ?, pct = ? WHERE id = ?");
--
-- if (!$dbi_s->execute($adkim, $aspf, $p, $sp, $pct, $request_id))
-+ if (!$dbi_s->execute($from_id, $repuri, $adkim, $aspf, $p, $sp, $pct))
- {
-- print STDERR "$progname: failed to update policy data for $fdomain: " . $dbi_h->errstr . "\n";
-+ print STDERR "$progname: failed to insert policy data for $fdomain: " . $dbi_h->errstr . "\n";
- $dbi_s->finish;
- return;
- }
diff -Nru opendmarc-1.4.0~beta1+dfsg/debian/patches/ticket204.patch opendmarc-1.4.0~beta1+dfsg/debian/patches/ticket204.patch
--- opendmarc-1.4.0~beta1+dfsg/debian/patches/ticket204.patch 2021-06-15 16:21:17.000000000 +0200
+++ opendmarc-1.4.0~beta1+dfsg/debian/patches/ticket204.patch 2021-11-03 14:16:40.000000000 +0100
@@ -11,7 +11,7 @@
 index 259f546..9eaf1ab 100755
 --- a/reports/opendmarc-import.in
 +++ b/reports/opendmarc-import.in
-@@ -656,7 +656,7 @@ while (<$inputfh>)
+@@ -649,7 +649,7 @@ while (<$inputfh>)
 }
 case "from"
 {
@@ -20,7 +20,7 @@
 }
 case "job"
 {
-@@ -698,7 +698,7 @@ while (<$inputfh>)
+@@ -691,7 +691,7 @@ while (<$inputfh>)
 }
 case "mfrom"
 {
@@ -29,7 +29,7 @@
 }
 case "p"
 {
-@@ -710,7 +710,7 @@ while (<$inputfh>)
+@@ -703,7 +703,7 @@ while (<$inputfh>)
 }
 case "pdomain"
 {