Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:bird2
User: [email protected]
Usertags: pu

This upload fixes in stable some significant bugs, as requested by the upstream maintainer. These commits have been backported from the precedent stable release and have been in testing/unstable for some time. I am also taking over maintenance of the package. https://salsa.debian.org/md/bird/-/commits/debian/bird2/trixie diff -Nru bird2-2.17.1/debian/bird2.bird.service bird2-2.17.1/debian/bird2.bird.service --- bird2-2.17.1/debian/bird2.bird.service 2025-01-13 16:13:45.000000000 +0100 +++ bird2-2.17.1/debian/bird2.bird.service 2025-12-18 00:21:35.000000000 +0100 @@ -8,7 +8,7 @@ ExecStartPre=/usr/sbin/bird -p ExecReload=/usr/sbin/birdc configure ExecStart=/usr/sbin/bird -f -u $BIRD_RUN_USER -g $BIRD_RUN_GROUP $BIRD_ARGS -Restart=on-abort +Restart=on-abnormal [Install] WantedBy=multi-user.target diff -Nru bird2-2.17.1/debian/changelog bird2-2.17.1/debian/changelog --- bird2-2.17.1/debian/changelog 2025-05-06 16:20:00.000000000 +0200 +++ bird2-2.17.1/debian/changelog 2025-12-18 00:21:35.000000000 +0100 @@ -1,3 +1,16 @@ +bird2 (2.17.1-1+deb13u1) stable; urgency=medium + + * New maintainer. + * Use Restart=on-abnormal instead of on-abort. (Closes: #1099513) + * Backport all fixes from upstream 2.17.3: + + RAdv: Fix flags for deprecated prefixes. + + BMP: Fix crash when exporting a route with non-bgp attributes. + * Backport all fixes from upstream 2.17.2: + + ASPA check fix for AS_SET. + + Invalid check fix in text_or_ipa grammar. + + -- Marco d'Itri <[email protected]> Thu, 18 Dec 2025 00:21:35 +0100 + bird2 (2.17.1-1) unstable; urgency=medium * New upstream version 2.17.1 diff -Nru bird2-2.17.1/debian/control bird2-2.17.1/debian/control --- bird2-2.17.1/debian/control 2025-01-13 16:13:45.000000000 +0100 +++ bird2-2.17.1/debian/control 2025-12-18 00:21:35.000000000 +0100 
@@ -16,10 +16,10 @@ linuxdoc-tools-latex, opensp, texlive-latex-extra, -Maintainer: Jakub Ružička <[email protected]> +Maintainer: Marco d'Itri <[email protected]> Standards-Version: 4.7.0 -Vcs-Browser: https://salsa.debian.org/debian/bird2 -Vcs-Git: https://salsa.debian.org/debian/bird2.git +Vcs-Browser: https://salsa.debian.org/md/bird +Vcs-Git: https://salsa.debian.org/md/bird.git -b debian/bird2/unstable Homepage: https://bird.network.cz/ Rules-Requires-Root: no diff -Nru bird2-2.17.1/debian/patches/backport-01-8f5b2196 bird2-2.17.1/debian/patches/backport-01-8f5b2196 --- bird2-2.17.1/debian/patches/backport-01-8f5b2196 1970-01-01 01:00:00.000000000 +0100 +++ bird2-2.17.1/debian/patches/backport-01-8f5b2196 2025-12-18 00:21:35.000000000 +0100 @@ -0,0 +1,28 @@ +From 8f5b21964ece066d15794cf9d17be5b3906fe596 Mon Sep 17 00:00:00 2001 +From: Ondrej Zajicek <[email protected]> +Date: Tue, 6 May 2025 14:50:53 +0200 +Subject: [PATCH] Conf: Fix invalid check in text_or_ipa grammar + +Can cause crash when a bad expression is used. +--- + conf/confbase.Y | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/conf/confbase.Y b/conf/confbase.Y +index af64e3ff9..857689707 100644 +--- a/conf/confbase.Y ++++ b/conf/confbase.Y +@@ -426,8 +426,8 @@ text_or_ipa: + } + | '(' term ')' { + $$ = cf_eval($2, T_VOID); +- if (($$.type != T_BYTESTRING) && ($$.type != T_STRING)) +- cf_error("Bytestring or string value expected"); ++ if (($$.type != T_STRING) && ($$.type != T_IP)) ++ cf_error("String or IP value expected"); + } + ; + +-- +GitLab + diff -Nru bird2-2.17.1/debian/patches/backport-02-067f361d bird2-2.17.1/debian/patches/backport-02-067f361d --- bird2-2.17.1/debian/patches/backport-02-067f361d 1970-01-01 01:00:00.000000000 +0100 +++ bird2-2.17.1/debian/patches/backport-02-067f361d 2025-12-18 00:21:35.000000000 +0100 
@@ -0,0 +1,88 @@ +From 067f361d9b6e2e1a0fa5d3bd62900e23b6ded4bb Mon Sep 17 00:00:00 2001 +From: Evann DREUMONT <[email protected]> +Date: Tue, 2 Sep 2025 16:23:34 +0200 +Subject: [PATCH] Nest: Function aspa_check() should return ASPA_INVALID for + paths containing AS_SET + +The aspa_check() uses as_path_getlen() to estimate the size of a buffer, +which does not work for AS_SET segments, because as_path_getlen() returns +length 1 for them regardless of their length. This may cause buffer +overflow and crash. + +As AS_SET segments are not valid for ASPA verification, we can just +handle them explicitly. See https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-verification#section-6 + +Co-Authored-By: Alarig <[email protected]> + +Minor changes by committer. +--- + nest/a-path.c | 21 +++++++++++++++++++++ + nest/attrs.h | 1 + + nest/rt-table.c | 7 ++++++- + 3 files changed, 28 insertions(+), 1 deletion(-) + +diff --git a/nest/a-path.c b/nest/a-path.c +index aba2c86df..6f52ccf6a 100644 +--- a/nest/a-path.c ++++ b/nest/a-path.c +@@ -177,6 +177,27 @@ as_path_contains_confed(const struct adata *path) + return 0; + } + ++int ++as_path_contains_set(const struct adata *path) ++{ ++ const byte *pos = path->data; ++ const byte *end = pos + path->length; ++ ++ while (pos < end) ++ { ++ uint type = pos[0]; ++ uint slen = 2 + BS * pos[1]; ++ ++ if ((type == AS_PATH_SET) || ++ (type == AS_PATH_CONFED_SET)) ++ return 1; ++ ++ pos += slen; ++ } ++ ++ return 0; ++} ++ + struct adata * + as_path_strip_confed(struct linpool *pool, const struct adata *path) + { +diff --git a/nest/attrs.h b/nest/attrs.h +index 0475afa72..699b91df2 100644 +--- a/nest/attrs.h ++++ b/nest/attrs.h +@@ -36,6 +36,7 @@ int as_path_16to32(byte *dst, const byte *src, uint len); + int as_path_32to16(byte *dst, const byte *src, uint len); + int as_path_contains_as4(const struct adata *path); + int as_path_contains_confed(const struct adata *path); ++int as_path_contains_set(const struct adata *path); + 
struct adata *as_path_strip_confed(struct linpool *pool, const struct adata *op); + struct adata *as_path_prepend2(struct linpool *pool, const struct adata *op, int seq, u32 as); + struct adata *as_path_to_old(struct linpool *pool, const struct adata *path); +diff --git a/nest/rt-table.c b/nest/rt-table.c +index ee3f11882..ed364d351 100644 +--- a/nest/rt-table.c ++++ b/nest/rt-table.c +@@ -362,7 +362,12 @@ enum aspa_result aspa_check(rtable *tab, const adata *path, bool force_upstream) + if (as_path_contains_confed(path)) + return ASPA_INVALID; + +- /* Check path length */ ++ /* No support for AS_SET */ ++ /* See draft-ietf-sidrops-aspa-verification section 6 */ ++ if (as_path_contains_set(path)) ++ return ASPA_INVALID; ++ ++ /* Check path length; we assume just AS_SEQUENCE segments */ + uint len = as_path_getlen(path); + if (len == 0) + return ASPA_INVALID; +-- +GitLab + diff -Nru bird2-2.17.1/debian/patches/backport-03-f8770e81 bird2-2.17.1/debian/patches/backport-03-f8770e81 --- bird2-2.17.1/debian/patches/backport-03-f8770e81 1970-01-01 01:00:00.000000000 +0100 +++ bird2-2.17.1/debian/patches/backport-03-f8770e81 2025-12-18 00:21:35.000000000 +0100 
@@ -0,0 +1,25 @@ +From f8770e816ac17df535c32b52e79a7ccffaea9bcc Mon Sep 17 00:00:00 2001 +From: Maria Matejka <[email protected]> +Date: Thu, 20 Nov 2025 14:35:02 +0100 +Subject: [PATCH] BMP: Fix crash when exporting a route with non-bgp attributes + +Reported-By: Annika Hannig +--- + proto/bgp/packets.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/proto/bgp/packets.c b/proto/bgp/packets.c +index 0971107ce..157afdd90 100644 +--- a/proto/bgp/packets.c ++++ b/proto/bgp/packets.c +@@ -2550,6 +2550,7 @@ bgp_create_update_bmp(struct bgp_channel *c, byte *buf, byte *end, struct bgp_bu + .add_path = c->add_path_rx, + .mpls = c->desc->mpls, + .sham = 1, ++ .ignore_non_bgp_attrs = 1, + }; + + if (!update) +-- +GitLab + diff -Nru bird2-2.17.1/debian/patches/backport-04-c4d54c21 bird2-2.17.1/debian/patches/backport-04-c4d54c21 --- bird2-2.17.1/debian/patches/backport-04-c4d54c21 1970-01-01 01:00:00.000000000 +0100 +++ bird2-2.17.1/debian/patches/backport-04-c4d54c21 2025-12-18 00:21:35.000000000 +0100 
@@ -0,0 +1,68 @@ +From c4d54c21fd773557e8b91b9fc11e00436801b09a Mon Sep 17 00:00:00 2001 +From: Ondrej Zajicek <[email protected]> +Date: Thu, 27 Nov 2025 17:59:44 +0100 +Subject: [PATCH] RAdv: Fix flags for deprecated prefixes + +When a prefix is deprecated (valid_lifetime == 0), it should be +announced with the same flags as before. The old code announced it +without any flags, which leads to being ignored by recipients. + +Note that a prefix could be depreacted for two reason - it is removed +from the interface, or it is deconfigured in BIRD configuration. + +Thanks to Michael Saxl for the bugreport. + +Fixes: #323 +--- + proto/radv/packets.c | 4 ++-- + proto/radv/radv.c | 4 ++++ + proto/radv/radv.h | 3 +++ + 3 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/proto/radv/packets.c b/proto/radv/packets.c +index 77c987949..8b060a206 100644 +--- a/proto/radv/packets.c ++++ b/proto/radv/packets.c +@@ -306,8 +306,8 @@ radv_prepare_prefix(struct radv_iface *ifa, struct radv_prefix *px, + op->type = OPT_PREFIX; + op->length = 4; + op->pxlen = px->prefix.pxlen; +- op->flags = (pc->onlink ? OPT_PX_ONLINK : 0) | +- (pc->autonomous ? OPT_PX_AUTONOMOUS : 0); ++ op->flags = (px->onlink ? OPT_PX_ONLINK : 0) | ++ (px->autonomous ? OPT_PX_AUTONOMOUS : 0); + op->valid_lifetime = (ifa->ra->active || !pc->valid_lifetime_sensitive) ? + htonl(pc->valid_lifetime) : 0; + op->preferred_lifetime = (ifa->ra->active || !pc->preferred_lifetime_sensitive) ? 
+diff --git a/proto/radv/radv.c b/proto/radv/radv.c +index ba31e1a84..4ff075713 100644 +--- a/proto/radv/radv.c ++++ b/proto/radv/radv.c +@@ -161,6 +161,10 @@ radv_prepare_prefixes(struct radv_iface *ifa) + existing->valid = 1; + existing->changed = now; + existing->mark = 1; ++ ++ existing->onlink = pc->onlink; ++ existing->autonomous = pc->autonomous; ++ + existing->cf = pc; + } + +diff --git a/proto/radv/radv.h b/proto/radv/radv.h +index ba4a1b6c7..d4d3a50f3 100644 +--- a/proto/radv/radv.h ++++ b/proto/radv/radv.h +@@ -170,6 +170,9 @@ struct radv_prefix /* One prefix we advertise */ + u8 valid; /* Is the prefix valid? If not, we advertise it + with 0 lifetime, so clients stop using it */ + u8 mark; /* A temporary mark for processing */ ++ u8 onlink; /* Flags copied from prefix config */ ++ u8 autonomous; ++ + btime changed; /* Last time when the prefix changed */ + struct radv_prefix_config *cf; /* The config tied to this prefix */ + }; +-- +GitLab + diff -Nru bird2-2.17.1/debian/patches/series bird2-2.17.1/debian/patches/series --- bird2-2.17.1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ bird2-2.17.1/debian/patches/series 2025-12-18 00:21:35.000000000 +0100 @@ -0,0 +1,4 @@ +backport-01-8f5b2196 +backport-02-067f361d +backport-03-f8770e81 +backport-04-c4d54c21 -- ciao, Marco
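
Review bot: In debian/bird2.bird.service, the switch to Restart=on-abnormal extends automatic restarts from unclean signals to timeouts and watchdog expiry as well, and no RestartSec= or start-limit setting is visible in this hunk, so a daemon that dies on every start is retried at systemd's defaults. Consider stating in the changelog entry for #1099513 which failure case motivated the change, and setting an explicit RestartSec= if the defaults are not what a router should do.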
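
Review bot: In debian/control, the new Vcs-Git line ends in "-b debian/bird2/unstable", but this upload targets stable and the request links to the debian/bird2/trixie branch. Point Vcs-Git at the branch this version is built from (-b debian/bird2/trixie) so that the packaging source for 2.17.1-1+deb13u1 can be located from the package metadata.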
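
Review bot: In backport-01 (conf/confbase.Y, text_or_ipa), the check no longer accepts T_BYTESTRING and now accepts T_IP, so a parenthesised term that evaluates to a bytestring ends in cf_error("String or IP value expected"). Because the unit runs /usr/sbin/bird -p in ExecStartPre, it is worth confirming that no configuration accepted by 2.17.1-1 relied on the bytestring case, and mentioning the stricter check in the changelog line if one could.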
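
Review bot: In backport-02, as_path_contains_set() in nest/a-path.c loops on "pos < end", which guarantees only one readable byte, yet the body reads pos[1] and advances by "2 + BS * pos[1]" without comparing the result against end. Since this function is added to stop a buffer overflow in aspa_check(), either make the condition "pos + 2 <= end" and stop when the advance would pass end, or add a comment stating that the path has already been validated before aspa_check() is called.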
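
Review bot: In backport-03 (proto/bgp/packets.c, bgp_create_update_bmp), the single added line sets ".ignore_non_bgp_attrs = 1", but the patch touches no header and no encoder code, so the field and the code that honours it must already exist in 2.17.1. Please confirm the backport builds against the 2.17.1 tree and that the flag is actually read there; otherwise the upstream commit that introduced the field needs to come along.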
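
Review bot: In backport-04, radv_prepare_prefix() in proto/radv/packets.c now takes the flags from px, while the unchanged lines just below still read pc->valid_lifetime_sensitive and pc->valid_lifetime. The commit message names deconfiguration in BIRD as one way a prefix becomes deprecated, so please confirm what pc refers to in that case and whether the lifetime fields need the same caching in struct radv_prefix as onlink and autonomous. In proto/radv/radv.h the new autonomous field also has no comment of its own.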

