Here is the debdiff for jessie.

-- 
Mathieu
From e8478a6d112d3ba908adc964f2772d6bef949bbf Mon Sep 17 00:00:00 2001
From: Mathieu Parent <math.par...@gmail.com>
Date: Wed, 3 Feb 2016 22:50:01 +0100
Subject: [PATCH] Fix CTDB behavior since CVE-2015-8543 (Closes: #813406)

---
 debian/changelog                        |   6 ++
 debian/patches/series                   |   1 +
 debian/patches/sockets-with-htons.patch | 136 ++++++++++++++++++++++++++++++++
 3 files changed, 143 insertions(+)
 create mode 100644 debian/patches/sockets-with-htons.patch

diff --git a/debian/changelog b/debian/changelog
index bb64ed8..70d230b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+ctdb (2.5.4+debian0-5) UNRELEASED; urgency=medium
+
+  * Fix CTDB behavior since CVE-2015-8543 (Closes: #813406)
+
+ -- Mathieu Parent <sath...@debian.org>  Wed, 03 Feb 2016 22:48:35 +0100
+
 ctdb (2.5.4+debian0-4) unstable; urgency=medium
 
   * Install ctdb.service during dh_install, and thus before dh_systemd_enable
diff --git a/debian/patches/series b/debian/patches/series
index e69de29..a359082 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -0,0 +1 @@
+sockets-with-htons.patch
diff --git a/debian/patches/sockets-with-htons.patch b/debian/patches/sockets-with-htons.patch
new file mode 100644
index 0000000..8fb3536
--- /dev/null
+++ b/debian/patches/sockets-with-htons.patch
@@ -0,0 +1,136 @@
+From: Amitay Isaacs <ami...@gmail.com>
+Date: Fri, 29 Jan 2016 00:05:26 +1100
+Subject: [PATCH 1/2] ctdb-common: Protocol argument must be in host order for
+ socket() call
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11705
+
+Signed-off-by: Amitay Isaacs <ami...@gmail.com>
+Reviewed-by: Volker Lendecke <v...@samba.org>
+(cherry picked from commit 9f8395cb7d49b63a82f75bf504f5f83920102b29)
+---
+ common/system_aix.c      | 4 ++--
+ common/system_common.c   | 2 +-
+ common/system_freebsd.c  | 2 +-
+ common/system_gnu.c      | 2 +-
+ common/system_kfreebsd.c | 2 +-
+ common/system_linux.c    | 8 ++++----
+ 6 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/common/system_aix.c b/common/system_aix.c
+index 41f61ae..2637442 100644
+--- a/common/system_aix.c
++++ b/common/system_aix.c
+@@ -44,7 +44,7 @@ int ctdb_sys_open_sending_socket(void)
+ 	int s, ret;
+ 	uint32_t one = 1;
+ 
+-	s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW));
++	s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+ 	if (s == -1) {
+ 		DEBUG(DEBUG_CRIT,(" failed to open raw socket (%s)\n",
+ 			 strerror(errno)));
+@@ -121,7 +121,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest,
+ 
+ 
+ 
+-	s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW));
++	s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+ 	if (s == -1) {
+ 		DEBUG(DEBUG_CRIT,(" failed to open raw socket (%s)\n",
+ 			 strerror(errno)));
+diff --git a/common/system_common.c b/common/system_common.c
+index 899f3b5..3e30a6c 100644
+--- a/common/system_common.c
++++ b/common/system_common.c
+@@ -85,7 +85,7 @@ char *ctdb_sys_find_ifname(ctdb_sock_addr *addr)
+ 	struct ifconf ifc;
+ 	char *ptr;
+ 
+-	s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW));
++	s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+ 	if (s == -1) {
+ 		DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket (%s)\n",
+ 			 strerror(errno)));
+diff --git a/common/system_freebsd.c b/common/system_freebsd.c
+index 9597a7a..d026864 100644
+--- a/common/system_freebsd.c
++++ b/common/system_freebsd.c
+@@ -158,7 +158,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest,
+ 		ip4pkt.tcp.th_sum   = tcp_checksum((uint16_t *)&ip4pkt.tcp, sizeof(ip4pkt.tcp), &ip4pkt.ip);
+ 
+ 		/* open a raw socket to send this segment from */
+-		s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW));
++		s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+ 		if (s == -1) {
+ 			DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket (%s)\n",
+ 				 strerror(errno)));
+diff --git a/common/system_gnu.c b/common/system_gnu.c
+index 2ab1399..8f776c6 100644
+--- a/common/system_gnu.c
++++ b/common/system_gnu.c
+@@ -156,7 +156,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest,
+ 		ip4pkt.tcp.check    = tcp_checksum((uint16_t *)&ip4pkt.tcp, sizeof(ip4pkt.tcp), &ip4pkt.ip);
+ 
+ 		/* open a raw socket to send this segment from */
+-		s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW));
++		s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+ 		if (s == -1) {
+ 			DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket (%s)\n",
+ 				 strerror(errno)));
+diff --git a/common/system_kfreebsd.c b/common/system_kfreebsd.c
+index 41aa4d6..7d9182c 100644
+--- a/common/system_kfreebsd.c
++++ b/common/system_kfreebsd.c
+@@ -156,7 +156,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest,
+ 		ip4pkt.tcp.check    = tcp_checksum((uint16_t *)&ip4pkt.tcp, sizeof(ip4pkt.tcp), &ip4pkt.ip);
+ 
+ 		/* open a raw socket to send this segment from */
+-		s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW));
++		s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+ 		if (s == -1) {
+ 			DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket (%s)\n",
+ 				 strerror(errno)));
+diff --git a/common/system_linux.c b/common/system_linux.c
+index fdb8d12..652c776 100644
+--- a/common/system_linux.c
++++ b/common/system_linux.c
+@@ -93,7 +93,7 @@ int ctdb_sys_send_arp(const ctdb_sock_addr *addr, const char *iface)
+ 
+ 	switch (addr->ip.sin_family) {
+ 	case AF_INET:
+-		s = socket(PF_PACKET, SOCK_RAW, htons(ETHERTYPE_ARP));
++		s = socket(PF_PACKET, SOCK_RAW, ETHERTYPE_ARP);
+ 		if (s == -1){
+ 			DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket\n"));
+ 			return -1;
+@@ -187,7 +187,7 @@ int ctdb_sys_send_arp(const ctdb_sock_addr *addr, const char *iface)
+ 		close(s);
+ 		break;
+ 	case AF_INET6:
+-		s = socket(PF_PACKET, SOCK_RAW, htons(ETHERTYPE_ARP));
++		s = socket(PF_PACKET, SOCK_RAW, ETHERTYPE_ARP);
+ 		if (s == -1){
+ 			DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket\n"));
+ 			return -1;
+@@ -357,7 +357,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest,
+ 		ip4pkt.tcp.check    = tcp_checksum((uint16_t *)&ip4pkt.tcp, sizeof(ip4pkt.tcp), &ip4pkt.ip);
+ 
+ 		/* open a raw socket to send this segment from */
+-		s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW));
++		s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+ 		if (s == -1) {
+ 			DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket (%s)\n",
+ 				 strerror(errno)));
+@@ -447,7 +447,7 @@ int ctdb_sys_open_capture_socket(const char *iface, void **private_data)
+ 	int s;
+ 
+ 	/* Open a socket to capture all traffic */
+-	s = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
++	s = socket(AF_PACKET, SOCK_RAW, ETH_P_ALL);
+ 	if (s == -1) {
+ 		DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket\n"));
+ 		return -1;
+-- 
+2.5.0
+
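Review bot: The three packet-socket calls in the `common/system_linux.c` part of the added patch (both cases in `ctdb_sys_send_arp` and the one in `ctdb_sys_open_capture_socket`) lose `htons()` along with the `AF_INET` ones, but packet(7) defines the protocol argument of `AF_PACKET`/`PF_PACKET` sockets as the IEEE 802.3 protocol number in network byte order. On a little-endian host `socket(AF_PACKET, SOCK_RAW, ETH_P_ALL)` registers a byte-swapped protocol value, so the capture socket would receive no frames and `socket()` would still succeed, which means the breakage would presumably show up only as failover misbehaving rather than as a logged error. Those lines should stay as `s = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));` and `s = socket(PF_PACKET, SOCK_RAW, htons(ETHERTYPE_ARP));`; only the `AF_INET`/`IPPROTO_RAW` calls take host order. The embedded patch is labelled 1/2 while `debian/patches/series` gains a single entry, so it is worth checking whether the second upstream patch restores this before the upload. The affected functions begin and end outside the quoted hunks.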
-- 
2.7.0
