[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1050681: marked as done (bookworm-pu: package inn2/2.7.1-1~deb12u1)

Your message dated Sat, 07 Oct 2023 09:59:40 +0000
with message-id <E1qp460-00A4EN-Q7@coccia.debian.org>
and subject line Released with 12.2
has caused the Debian Bug report #1050681,
regarding bookworm-pu: package inn2/2.7.1-1~deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1050681: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050681
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: inn2@packages.debian.org
Control: affects -1 + src:inn2

This stable upload contains two patches backported from the upstream 
repository on request of the upstream maintainer.
The patches are also part of the package which is currently in testing.

One patch fixes hangs in nnrpd, while the other allows the package to 
process the high-precision syslog timestamps format which is currently 
the default for Debian.

The package also contains a minor security fix which changes the default 
permissions of two configuration files which contain secrets, which has 
already been added to the next unstable upload.

For a better view of the changes please see
https://salsa.debian.org/md/inn2/-/commits/bookworm .

-- 
ciao,
Marco

diff -Nru inn2-2.7.1/debian/changelog inn2-2.7.1/debian/changelog
--- inn2-2.7.1/debian/changelog	2023-05-01 19:25:42.000000000 +0200
+++ inn2-2.7.1/debian/changelog	2023-08-28 02:04:59.000000000 +0200
@@ -1,3 +1,13 @@
+inn2 (2.7.1-1~deb12u1) bookworm; urgency=medium
+
+  * Added patch backport_a1f2e9323: this upstream commit fixes nnrpd hangs
+    when compression is enabled.
+  * Added patch backport_f7d111aad: this upstream commit adds support for
+    high-precision syslog timestamps which now are the default in Debian.
+  * Made inn-{radius,secrets}.conf not world readable.
+
+ -- Marco d'Itri <md@linux.it>  Mon, 28 Aug 2023 02:04:59 +0200
+
 inn2 (2.7.1-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru inn2-2.7.1/debian/patches/backport_a1f2e9323 inn2-2.7.1/debian/patches/backport_a1f2e9323
--- inn2-2.7.1/debian/patches/backport_a1f2e9323	1970-01-01 01:00:00.000000000 +0100
+++ inn2-2.7.1/debian/patches/backport_a1f2e9323	2023-08-28 02:04:59.000000000 +0200
@@ -0,0 +1,154 @@
+From: Enrik Berkhan <Enrik.Berkhan@inka.de>
+Subject: nnrpd: avoid hang due to misplaced select()
+Origin: upstream, commit:a1f2e932338a17eb4111243f29fcade52d39e0a7
+
+The select() call in nnrpd's input data processing is moved right
+before the related read() call to avoid blocking when it shouldn't.
+
+Without this change, there could still remain data to be inflated, that
+has already been read, if compression had been activated.  The select()
+can then time out because the client might already have sent all data
+before, and the yet to be inflated data will not be used until after
+the timeout.
+
+Resolves: #269
+
+diff --git a/nnrpd/line.c b/nnrpd/line.c
+index fc68b15dd..6c048720c 100644
+--- a/nnrpd/line.c
++++ b/nnrpd/line.c
+@@ -79,12 +79,11 @@ line_reset(struct line *line)
+ }
+ 
+ /*
+-**  Timeout is used only if HAVE_OPENSSL is defined.
+ **  Returns -2 on timeout, -1 on read error, and otherwise the number of
+ **  bytes read.
+ */
+ static ssize_t
+-line_doread(void *p, size_t len, int timeout UNUSED)
++line_doread(void *p, size_t len, int timeout)
+ {
+     ssize_t n;
+ 
+@@ -122,6 +121,22 @@ line_doread(void *p, size_t len, int timeout UNUSED)
+         }
+ #endif /* HAVE_ZLIB */
+ 
++        /* It seems that the SSL_read cannot be mixed with select()
++         * as in the current code.  TLS communicates in its own data
++         * blocks and handshaking.  The line_doread using SSL_read
++         * could return, but still with a partial line in the SSL_read
++         * buffer.  Then the server TLS routine would sit there waiting
++         * for completion of that data block while nnrpd sat at the
++         * select() routine waiting for more data from the server.
++         *
++         * Here, we decide to just bypass the select() wait.  Unlike
++         * innd with multiple threads, the select on nnrpd is just
++         * waiting on a single file descriptor, so it is not really
++         * essential with blocked read like SSL_read.  Using an alarm
++         * signal around SSL_read for non active timeout, TLS works
++         * without dead locks.  However, without the select() wait,
++         * the IDLE timer stat won't be collected...
++         */
+ #ifdef HAVE_OPENSSL
+         if (tls_conn) {
+             int err;
+@@ -152,9 +167,38 @@ line_doread(void *p, size_t len, int timeout UNUSED)
+             xsignal(SIGALRM, SIG_DFL);
+         } else
+ #endif /* HAVE_OPENSSL */
++        {
++            fd_set rmask;
++            int i;
++
++            /* Wait for activity on stdin, updating timer stats as we go. */
++            do {
++                struct timeval t;
++
++                FD_ZERO(&rmask);
++                FD_SET(STDIN_FILENO, &rmask);
++                t.tv_sec = timeout;
++                t.tv_usec = 0;
++                TMRstart(TMR_IDLE);
++                i = select(STDIN_FILENO + 1, &rmask, NULL, NULL, &t);
++                TMRstop(TMR_IDLE);
++                if (i == -1 && errno != EINTR) {
++                    syswarn("%s can't select", Client.host);
++                    break;
++                }
++            } while (i == -1);
++
++            /* If stdin didn't select, we must have timed out.  select()
++             * failure from above is treated the same way. */
++            if (i <= 0 || !FD_ISSET(STDIN_FILENO, &rmask)) {
++                n = -2; /* timeout */
++                break;
++            }
++
+             do {
+                 n = read(STDIN_FILENO, p, len);
+             } while (n == -1 && errno == EINTR);
++        }
+ 
+         if (n <= 0)
+             break; /* EOF or error. */
+@@ -261,8 +305,6 @@ line_read(struct line *line, int timeout, const char **p, size_t *len,
+      * to ask for any more. */
+     if (lf == NULL) {
+         do {
+-            fd_set rmask;
+-            int i;
+             ssize_t count;
+ 
+             /* If we've filled the line buffer, double the size,
+@@ -295,49 +337,6 @@ line_read(struct line *line, int timeout, const char **p, size_t *len,
+                 }
+             }
+ 
+-#ifdef HAVE_OPENSSL
+-            /* It seems that the SSL_read cannot be mixed with select()
+-             * as in the current code.  SSL communicates in its own data
+-             * blocks and hand shaking.  The do_readline using SSL_read
+-             * could return, but still with a partial line in the SSL_read
+-             * buffer.  Then the server SSL routine would sit there waiting
+-             * for completion of that data block while nnrpd sat at the
+-             * select() routine waiting for more data from the server.
+-             *
+-             * Here, we decide to just bypass the select() wait.  Unlike
+-             * innd with multiple threads, the select on nnrpd is just
+-             * waiting on a single file descriptor, so it is not really
+-             * essential with blocked read like SSL_read.  Using an alarm
+-             * signal around SSL_read for non active timeout, SSL works
+-             * without dead locks.  However, without the select() wait,
+-             * the IDLE timer stat won't be collected...
+-             */
+-            if (tls_conn == NULL) {
+-#endif
+-                /* Wait for activity on stdin, updating timer stats as we
+-                 * go. */
+-                do {
+-                    struct timeval t;
+-
+-                    FD_ZERO(&rmask);
+-                    FD_SET(STDIN_FILENO, &rmask);
+-                    t.tv_sec = timeout;
+-                    t.tv_usec = 0;
+-                    TMRstart(TMR_IDLE);
+-                    i = select(STDIN_FILENO + 1, &rmask, NULL, NULL, &t);
+-                    TMRstop(TMR_IDLE);
+-                    if (i == -1 && errno != EINTR) {
+-                        syswarn("%s can't select", Client.host);
+-                        return RTtimeout;
+-                    }
+-                } while (i == -1);
+-
+-                /* If stdin didn't select, we must have timed out. */
+-                if (i == 0 || !FD_ISSET(STDIN_FILENO, &rmask))
+-                    return RTtimeout;
+-#ifdef HAVE_OPENSSL
+-            }
+-#endif
+             count = line_doread(where, line->allocated - (where - line->start),
+                                 timeout);
+ 
diff -Nru inn2-2.7.1/debian/patches/backport_f7d111aad inn2-2.7.1/debian/patches/backport_f7d111aad
--- inn2-2.7.1/debian/patches/backport_f7d111aad	1970-01-01 01:00:00.000000000 +0100
+++ inn2-2.7.1/debian/patches/backport_f7d111aad	2023-08-28 02:04:59.000000000 +0200
@@ -0,0 +1,74 @@
+From: Julien ÉLIE <Julien-Elie@users.noreply.github.com>
+Subject: innreport: Support high-precision timestamps
+Origin: upstream, commit:f7d111aadd5809dd12c9215f7aefe395c819f188
+
+This format is now the default in some distributions (like Debian 12).
+It should be supported by innreport.
+
+close #276
+
+diff --git a/scripts/innreport.in b/scripts/innreport.in
+index 4e68344ff..eb9bddd78 100644
+--- a/scripts/innreport.in
++++ b/scripts/innreport.in
+@@ -95,6 +95,7 @@
+ use strict;
+ use Carp qw( cluck confess );
+ use Time::Local;
++use Time::Piece;
+ 
+ ## Default display configuration file (parameter added in INN 2.7.0).
+ my $DISPLAY_FILE = 'innreport-display.conf';
+@@ -372,11 +373,11 @@ my $unrecognize_max = 0;
+ my @unrecognize;
+ my ($total_line, $total_size) = (0, 0);
+ my ($suffix, $HTML_output, %config, %prog_type, %prog_size);
+-my $current_year;
++my ($current_year, $local_timezone);
+ {
+-    my ($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst)
+-      = localtime(time);
+-    $current_year = $year += 1900;
++    my $local_time = localtime(time);
++    $current_year = $local_time->year;
++    $local_timezone = $local_time->strftime("%z");
+ }
+ 
+ my $HTML_header = '';
+@@ -452,6 +453,27 @@ while (!eof()) {
+         my ($res, $day, $hour, $prog, $left);
+       DECODE:
+         {
++            # Convert a high-precision timestamp like
++            #   2023-07-23T04:15:01.882775+02:00
++            # to the low-precision timestamp used by innreport.
++            if ($_ =~ /^(\d+-\d+-\d+T\d+:\d+:\d+)(\.\d+)?([+-]\d+):?(\d+)/) {
++                my $timezone = "$3$4";
++                my $t;
++
++                # Use the local time zone if logging is in UTC.
++                if ("$timezone" eq "+0000") {
++                    $t = Time::Piece->strptime(
++                        "$1 " . $local_timezone,
++                        "%Y-%m-%dT%T %z"
++                    );
++                } else {
++                    $t = Time::Piece->strptime("$1", "%Y-%m-%dT%T");
++                }
++
++                my $newdate = $t->monname . " " . $t->mday . " " . $t->hms;
++                $_ =~ s/^\S+/$newdate/;
++            }
++
+             ($day, $hour, $prog, $left)
+               = $_ =~ m/^(\S+\s+\S+) (\S+) \S+ (\S+): \[ID \d+ \S+\] (.*)$/o;
+             if ($day) { last DECODE; }
+@@ -466,6 +488,8 @@ while (!eof()) {
+             if ($day) { last DECODE; }
+ 
+             # Dec 31 03:01:30.796 + localhost <foo@bar.baz> 1821 inpaths!
++            # Always in low-precision timestamp with milliseconds (format
++            # enforced by ARTlog, not syslog).
+             ($day, $hour, $res, $left)
+               = $_ =~ m/^(\S+\s+\S+) (\S+)\.\d+ (\S+) (.*)$/o;
+             if ($day) { $prog = 'inn'; last DECODE; }
diff -Nru inn2-2.7.1/debian/patches/series inn2-2.7.1/debian/patches/series
--- inn2-2.7.1/debian/patches/series	2023-04-16 10:43:11.000000000 +0200
+++ inn2-2.7.1/debian/patches/series	2023-08-28 02:04:59.000000000 +0200
@@ -1,4 +1,6 @@
 # backported fixes
+backport_a1f2e9323
+backport_f7d111aad
 
 # waiting to be merged upstream
 
diff -Nru inn2-2.7.1/debian/rules inn2-2.7.1/debian/rules
--- inn2-2.7.1/debian/rules	2023-04-16 10:43:11.000000000 +0200
+++ inn2-2.7.1/debian/rules	2023-08-28 02:04:59.000000000 +0200
@@ -132,8 +132,17 @@
 	dh_fixperms -Xusr/lib/news/bin/innbind -Xusr/lib/news/bin/rnews
 
 	# these files may contain passwords
-	chown root:news $D-inews/etc/news/passwd.nntp $D/etc/news/incoming.conf $D/etc/news/innfeed.conf
-	chmod 640 $D-inews/etc/news/passwd.nntp $D/etc/news/incoming.conf $D/etc/news/innfeed.conf
+	chown root:news \
+		$D-inews/etc/news/passwd.nntp \
+		$D/etc/news/incoming.conf \
+		$D/etc/news/innfeed.conf \
+		$D/etc/news/inn-radius.conf \
+		$D/etc/news/inn-secrets.conf
+	chmod 640 $D-inews/etc/news/passwd.nntp \
+		$D/etc/news/incoming.conf \
+		$D/etc/news/innfeed.conf \
+		$D/etc/news/inn-radius.conf \
+		$D/etc/news/inn-secrets.conf
 
 	chmod -x $D/usr/lib/news/bin/control/*.pl $D/etc/news/*.local

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message --- 
Version: 12.2

The upload requested in this bug has been released as part of 12.2.

--- End Message ---
Reply to: