Development April 2022

development@lists.ipfire.org

18 participants
154 discussions

Fireperf: first tests an results
by daniel.weismueller＠ipfire.org 18 Apr '22

18 Apr '22

Hi guys, today I installed fireperf on my testing IPFire and my Ubuntu PC. server: IPFire Core 154; Intel i7 4790; Intel 82571EB/GB 1GBit Nic Client: Ubuntu 20.4; Intel i7 9700; Intel i219-V 1GBit Nic Michael and I agreed that one more port should be opened per 5000 expected connection per second (cps) So here my results: Server: fireperf -s -P 10000 -p 63000:630010 Client: fireperf -c <IP address> -P 1 -x -p 63000:63010 -> ~5000 cps fireperf -c <IP address> -P 10 -x -p 63000:63010 -> ~30000-35000 cps fireperf -c <IP address> -P 100 -x -p 63000:63010 -> ~35000-40000 cps fireperf -c <IP address> -P 1000 -x -p 63000:63010 -> ~40000-45000 cps fireperf -c <IP address> -P 10000 -x -p 63000:63010 -> ~46000-48000 cps The cpu utilization was limited to one core and increased in sync with the cps on both sides. In my last test, the utilization was about 85-100% on the server and 75-95% on the client. In the next days I will test our mini and post the results here. - Daniel

4 10

[PATCH] logwatch: Update to 7.6
by Matthias Fischer 16 Apr '22

16 Apr '22

The developers do not provide a changelog, the only comment I could find was on: https://packetstormsecurity.com/files/165672/Logwatch-7.6.html "Changes: Fixed bugs." Running here on Core 166. No seen problems. Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- config/rootfiles/common/logwatch | 3 ++ lfs/logwatch | 10 +++--- ...ch => logwatch-7.6-disable_iptables.patch} | 6 ++-- ...h => logwatch-7.6-enable-mdadm-sudo.patch} | 34 +++++++++---------- 4 files changed, 28 insertions(+), 25 deletions(-) rename src/patches/logwatch/{logwatch-7.5.4-disable_iptables.patch => logwatch-7.6-disable_iptables.patch} (80%) rename src/patches/logwatch/{logwatch-7.5.5-enable-mdadm-sudo.patch => logwatch-7.6-enable-mdadm-sudo.patch} (56%) diff --git a/config/rootfiles/common/logwatch b/config/rootfiles/common/logwatch index 1e4a0a81b..40d90cd96 100644 --- a/config/rootfiles/common/logwatch +++ b/config/rootfiles/common/logwatch @@ -128,6 +128,7 @@ usr/share/logwatch/default.conf/services/modprobe.conf #usr/share/logwatch/default.conf/services/named.conf #usr/share/logwatch/default.conf/services/netopia.conf #usr/share/logwatch/default.conf/services/netscreen.conf +usr/share/logwatch/default.conf/services/nut.conf #usr/share/logwatch/default.conf/services/oidentd.conf #usr/share/logwatch/default.conf/services/omsa.conf usr/share/logwatch/default.conf/services/openvpn.conf @@ -242,6 +243,7 @@ usr/share/logwatch/scripts/services/dialup #usr/share/logwatch/scripts/services/dpkg #usr/share/logwatch/scripts/services/emerge #usr/share/logwatch/scripts/services/evtapplication +#usr/share/logwatch/scripts/services/evtmswindows #usr/share/logwatch/scripts/services/evtsecurity #usr/share/logwatch/scripts/services/evtsystem #usr/share/logwatch/scripts/services/exim @@ -273,6 +275,7 @@ usr/share/logwatch/scripts/services/modprobe #usr/share/logwatch/scripts/services/named #usr/share/logwatch/scripts/services/netopia #usr/share/logwatch/scripts/services/netscreen +usr/share/logwatch/scripts/services/nut #usr/share/logwatch/scripts/services/oidentd #usr/share/logwatch/scripts/services/omsa usr/share/logwatch/scripts/services/openvpn diff --git a/lfs/logwatch b/lfs/logwatch index 262809f2b..26da2c62e 100644 --- a/lfs/logwatch +++ b/lfs/logwatch @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2020 IPFire Team <info(a)ipfire.org> # +# Copyright (C) 2007-2022 IPFire Team <info(a)ipfire.org> # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 7.5.5 +VER = 7.6 THISAPP = logwatch-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 3e4183ea6dad4f415987870c555391d2a9496b4d4d894f1c06336876077b2a72e06b4e3f8d272aeb65aa5ea14f5f4d17a6f461ae54b2e50f073fef58a27a5241 +$(DL_FILE)_BLAKE2 = fd7f2a7c65151dbfbd924102b01ead00f92d74a59a417361b65be972368f7ed93810feefedf1ad9bba2de5ebbc74589c3fc0a8a484f19b5a9782c9799ffdf656 install : $(TARGET) @@ -73,8 +73,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && sed -e "s/^TEMPDIR=.*/TEMPDIR=\"\/tmp\"/g" -i install_logwatch.sh cd $(DIR_APP)/lib && patch < $(DIR_SRC)/src/patches/logwatch/logwatch-7.3.6-date_manip6.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/logwatch/logwatch-7.5.4-disable_iptables.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/logwatch/logwatch-7.5.5-enable-mdadm-sudo.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/logwatch/logwatch-7.6-disable_iptables.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/logwatch/logwatch-7.6-enable-mdadm-sudo.patch @cd $(DIR_APP) && chmod 755 install_logwatch.sh cd $(DIR_APP) && yes "" | ./install_logwatch.sh diff --git a/src/patches/logwatch/logwatch-7.5.4-disable_iptables.patch b/src/patches/logwatch/logwatch-7.6-disable_iptables.patch similarity index 80% rename from src/patches/logwatch/logwatch-7.5.4-disable_iptables.patch rename to src/patches/logwatch/logwatch-7.6-disable_iptables.patch index 8ad0c3b3d..99c5b493b 100644 --- a/src/patches/logwatch/logwatch-7.5.4-disable_iptables.patch +++ b/src/patches/logwatch/logwatch-7.6-disable_iptables.patch @@ -1,7 +1,7 @@ diff -U 3 a/conf/logwatch.conf b/conf/logwatch.conf ---- a/conf/logwatch.conf Thu Sep 19 01:58:55 2019 -+++ b/conf/logwatch.conf Thu Nov 26 18:46:12 2020 -@@ -94,6 +94,10 @@ +--- a/conf/logwatch.conf Sat Jan 22 01:00:00 2022 ++++ b/conf/logwatch.conf Sun Apr 10 10:33:20 2022 +@@ -96,6 +96,10 @@ # prints useful system configuration info. Service = "-eximstats" # Prevents execution of eximstats service, which # is a wrapper for the eximstats program. diff --git a/src/patches/logwatch/logwatch-7.5.5-enable-mdadm-sudo.patch b/src/patches/logwatch/logwatch-7.6-enable-mdadm-sudo.patch similarity index 56% rename from src/patches/logwatch/logwatch-7.5.5-enable-mdadm-sudo.patch rename to src/patches/logwatch/logwatch-7.6-enable-mdadm-sudo.patch index b7034077b..af792250f 100644 --- a/src/patches/logwatch/logwatch-7.5.5-enable-mdadm-sudo.patch +++ b/src/patches/logwatch/logwatch-7.6-enable-mdadm-sudo.patch @@ -1,6 +1,6 @@ -diff -Naur logwatch-7.5.5-orig/conf/services/mdadm.conf logwatch-7.5.5/conf/services/mdadm.conf ---- logwatch-7.5.5-orig/conf/services/mdadm.conf 2021-01-22 21:59:40.000000000 +0100 -+++ logwatch-7.5.5/conf/services/mdadm.conf 2021-10-04 13:52:30.850057355 +0200 +diff -U 3 a/conf/services/mdadm.conf b/conf/services/mdadm.conf +--- a/conf/services/mdadm.conf Sat Jan 22 01:00:00 2022 ++++ b/conf/services/mdadm.conf Sun Apr 10 10:48:21 2022 @@ -13,7 +13,7 @@ # Logwatch will try to find md devices in /etc/mdadm.conf or # /etc/mdadm/mdadm.conf. If none of these files exist it can scan actively @@ -10,19 +10,19 @@ diff -Naur logwatch-7.5.5-orig/conf/services/mdadm.conf logwatch-7.5.5/conf/serv # Logwatch will emit an error for md devices listed in /etc/mdadm.conf # that are not present. If you do not want this (e.g. raid devices may come -diff -Naur logwatch-7.5.5-orig/scripts/services/mdadm logwatch-7.5.5/scripts/services/mdadm ---- logwatch-7.5.5-orig/scripts/services/mdadm 2021-01-22 21:59:40.000000000 +0100 -+++ logwatch-7.5.5/scripts/services/mdadm 2021-10-06 11:41:14.800307603 +0200 -@@ -35,7 +35,7 @@ - } elsif ( -f "/etc/mdadm/mdadm.conf" ) { - open(MDADM,"< /etc/mdadm/mdadm.conf"); - } elsif ($enable_scan) { -- open(MDADM,"mdadm --detail --scan 2>/dev/null|"); -+ open(MDADM,"sudo mdadm --detail --scan 2>/dev/null|"); - } - while (<MDADM>) { - if (/^ARRAY/) { -@@ -51,7 +51,7 @@ +diff -U 3 a/scripts/services/mdadm b/scripts/services/mdadm +--- a/scripts/services/mdadm Sat Jan 22 01:00:00 2022 ++++ b/scripts/services/mdadm Sun Apr 10 10:38:19 2022 +@@ -36,7 +36,7 @@ + if ( + open($mdadm, "<", "/etc/mdadm.conf") or + open($mdadm, "<", "/etc/mdadm/mdadm.conf") or +- open($mdadm, "<", "mdadm --detail --scan 2>/dev/null|")) { ++ open($mdadm, "<", "sudo mdadm --detail --scan 2>/dev/null|")) { + while (<$mdadm>) { + if (/^ARRAY/) { + push(@devices,(split())[1]); +@@ -52,7 +52,7 @@ next; } @@ -31,7 +31,7 @@ diff -Naur logwatch-7.5.5-orig/scripts/services/mdadm logwatch-7.5.5/scripts/ser while (<MDADM>) { if ($_ =~ /cannot open .*: No such file or directory/) { print $_ unless $ignore_missing; -@@ -74,7 +74,11 @@ +@@ -75,7 +75,11 @@ if ($Detail <= 4) { if (lc($mdhash{'state'}) =~ /clean|active/) { -- 2.25.1

1 0

[PATCH 00/11] Kernel: Improve hardening
by Peter Müller 14 Apr '22

14 Apr '22

This patchset improves hardening of our Linux kernel configurations for all architectures. Most importantly, it features the activation of the "Linux Security Module", also known as "kernel lockdown" (a phrase coined before the pandemic), or LSM for short. Being set to "integrity" mode for a start, LSM prevents the kernel from being modified by various mechanisms, of which we have some already covered. However, it comes as a more holistic approach, which is why enabling it is desirable for our userbase. Most of this patchset is based on recommendations by the "kconfig-hardened-check" tool (https://github.com/a13xp0p0v/kconfig-hardened-check/), with some inspiration taken directly from KSPP and grsecurity. Being unable to cross-compile IPFire for non-x86_64-architectures on my own, and my VM on the Mustang currently being offline, this patchset does not come with aligned kernel rootfiles for other architectures than x86_64. I am sorry for any inconvenience and extra workload caused by this. Also, for the sake of completeness, the effect of LSM on virtualisation has not been tested due to time constraints, and a lack of oversight _which_ virtualisation features we officially support and which we don't. In doubt, however, I believe the security benefit gained from LSM outweighs a partial functional loss of virtualisation - but that is a highly biased opinion. :-) Peter Müller (11): Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits Kernel: Disable support for tracing block I/O actions Kernel: Pin loading kernel files to one filesystem Kernel: Enable undefined behaviour sanity checker Kernel: Gate SETID transitions to limit CAP_SET(G|U)ID capabilities Kernel: Enable LSM support and set security level to "integrity" Kernel: Trigger BUG if data corruption is detected Kernel: Do not automatically load TTY line disciplines, only if necessary Kernel: Enable SVA support for both Intel and AMD CPUs Kernel: Disable function and stack tracers Kernel: Update rootfile for x86_64 config/kernel/kernel.config.aarch64-ipfire | 47 ++++++++++-------- config/kernel/kernel.config.armv6l-ipfire | 47 ++++++++++-------- config/kernel/kernel.config.riscv64-ipfire | 47 ++++++++++-------- config/kernel/kernel.config.x86_64-ipfire | 57 ++++++++++++---------- config/rootfiles/common/x86_64/linux | 33 +++++++------ 5 files changed, 131 insertions(+), 100 deletions(-) -- 2.34.1

4 30

[PATCH v2 1/2] borgbackup: Update to version 1.2.0
by Adolf Belka 13 Apr '22

13 Apr '22

- Update from 1.1.17 to 1.2.0 - Update of rootfile - v2 version has x86_64 replaced by xxxMACHINExxx in the rootfile - borgbackup now requires the python module pkgconfig, installed as a set with this patch - Changelog Compatibility notes: dropped support / testing for older Pythons, minimum requirement is 3.8. In case your OS does not provide Python >= 3.8, consider using our binary, which does not need an external Python interpreter. Or continue using borg 1.1.x, which is still supported. freeing repository space only happens when “borg compact” is invoked. mount: the default for --numeric-ids is False now (same as borg extract) borg create --noatime is deprecated. Not storing atime is the default behaviour now (use --atime if you want to store the atime). list: corrected mix-up of “isomtime” and “mtime” formats. Previously, “isomtime” was the default but produced a verbose human format, while “mtime” produced a ISO-8601-like format. The behaviours have been swapped (so “mtime” is human, “isomtime” is ISO-like), and the default is now “mtime”. “isomtime” is now a real ISO-8601 format (“T” between date and time, not a space). create/recreate --list: file status for all files used to get announced AFTER the file (with borg < 1.2). Now, file status is announced BEFORE the file contents are processed. If the file status changes later (e.g. due to an error or a content change), the updated/final file status will be printed again. removed deprecated-since-long stuff (deprecated since): command “borg change-passphrase” (2017-02), use “borg key …” option “--keep-tag-files” (2017-01), use “--keep-exclude-tags” option “--list-format” (2017-10), use “--format” option “--ignore-inode” (2017-09), use “--files-cache” w/o “inode” option “--no-files-cache” (2017-09), use “--files-cache=disabled” removed BORG_HOSTNAME_IS_UNIQUE env var. to use borg you must implement one of these 2 scenarios: the combination of FQDN and result of uuid.getnode() must be unique and stable (this should be the case for almost everybody, except when having duplicate FQDN and MAC address or all-zero MAC address) if you are aware that 1) is not the case for you, you must set BORG_HOST_ID env var to something unique. exit with 128 + signal number, #5161. if you have scripts expecting rc == 2 for a signal exit, you need to update them to check for >= 128. Fixes: diff: reduce memory consumption, fix is_hardlink_master, #6295 compact: fix / improve freeable / freed space log output derive really freed space from quota use before/after, #5679 do not say “freeable”, but “maybe freeable” (based on hint, unsure) fix race conditions in internal SaveFile function, #6306 #6028 implement internal safe_unlink (was: truncate_and_unlink) function more safely: usually it does not truncate any more, only under “disk full” circumstances and only if there is only one hardlink. see: https://github.com/borgbackup/borg/discussions/6286 Other changes: info: use a pre12-meta cache to accelerate stats for borg < 1.2 archives. the first time borg info is invoked on a borg 1.1 repo, it can take a rather long time computing and caching some stats values for 1.1 archives, which borg 1.2 archives have in their archive metadata structure. be patient, esp. if you have lots of old archives. following invocations are much faster due to the cache. related change: add archive name to calc_stats progress display. docs: add borg 1.2 upgrade notes, #6217 link to borg placeholders and borg patterns help init: explain the encryption modes better clarify usage of patternfile roots put import-tar docs into same file as export-tar docs explain the difference between a path that ends with or without a slash, #6297 Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> --- config/rootfiles/packages/borgbackup | 46 +++++++++++++++++----------- lfs/borgbackup | 6 ++-- 2 files changed, 31 insertions(+), 21 deletions(-) diff --git a/config/rootfiles/packages/borgbackup b/config/rootfiles/packages/borgbackup index dccaf4711..a27b7c11c 100644 --- a/config/rootfiles/packages/borgbackup +++ b/config/rootfiles/packages/borgbackup @@ -7,15 +7,6 @@ usr/lib/python3.10/site-packages/borg/_version.py #usr/lib/python3.10/site-packages/borg/algorithms usr/lib/python3.10/site-packages/borg/algorithms/__init__.py usr/lib/python3.10/site-packages/borg/algorithms/checksums.cpython-310-xxxMACHINExxx-linux-gnu.so -#usr/lib/python3.10/site-packages/borg/algorithms/msgpack -usr/lib/python3.10/site-packages/borg/algorithms/msgpack/__init__.py -usr/lib/python3.10/site-packages/borg/algorithms/msgpack/_packer.cpp -usr/lib/python3.10/site-packages/borg/algorithms/msgpack/_packer.cpython-310-xxxMACHINExxx-linux-gnu.so -usr/lib/python3.10/site-packages/borg/algorithms/msgpack/_unpacker.cpp -usr/lib/python3.10/site-packages/borg/algorithms/msgpack/_unpacker.cpython-310-xxxMACHINExxx-linux-gnu.so -usr/lib/python3.10/site-packages/borg/algorithms/msgpack/_version.py -usr/lib/python3.10/site-packages/borg/algorithms/msgpack/exceptions.py -usr/lib/python3.10/site-packages/borg/algorithms/msgpack/fallback.py usr/lib/python3.10/site-packages/borg/archive.py usr/lib/python3.10/site-packages/borg/archiver.py usr/lib/python3.10/site-packages/borg/cache.py @@ -30,8 +21,22 @@ usr/lib/python3.10/site-packages/borg/crypto/keymanager.py usr/lib/python3.10/site-packages/borg/crypto/low_level.cpython-310-xxxMACHINExxx-linux-gnu.so usr/lib/python3.10/site-packages/borg/crypto/nonces.py usr/lib/python3.10/site-packages/borg/fuse.py +usr/lib/python3.10/site-packages/borg/fuse_impl.py usr/lib/python3.10/site-packages/borg/hashindex.cpython-310-xxxMACHINExxx-linux-gnu.so -usr/lib/python3.10/site-packages/borg/helpers.py +#usr/lib/python3.10/site-packages/borg/helpers +usr/lib/python3.10/site-packages/borg/helpers/__init__.py +usr/lib/python3.10/site-packages/borg/helpers/checks.py +usr/lib/python3.10/site-packages/borg/helpers/datastruct.py +usr/lib/python3.10/site-packages/borg/helpers/errors.py +usr/lib/python3.10/site-packages/borg/helpers/fs.py +usr/lib/python3.10/site-packages/borg/helpers/manifest.py +usr/lib/python3.10/site-packages/borg/helpers/misc.py +usr/lib/python3.10/site-packages/borg/helpers/msgpack.py +usr/lib/python3.10/site-packages/borg/helpers/parseformat.py +usr/lib/python3.10/site-packages/borg/helpers/process.py +usr/lib/python3.10/site-packages/borg/helpers/progress.py +usr/lib/python3.10/site-packages/borg/helpers/time.py +usr/lib/python3.10/site-packages/borg/helpers/yes.py usr/lib/python3.10/site-packages/borg/item.cpython-310-xxxMACHINExxx-linux-gnu.so usr/lib/python3.10/site-packages/borg/locking.py usr/lib/python3.10/site-packages/borg/logger.py @@ -45,6 +50,8 @@ usr/lib/python3.10/site-packages/borg/platform/base.py usr/lib/python3.10/site-packages/borg/platform/linux.cpython-310-xxxMACHINExxx-linux-gnu.so usr/lib/python3.10/site-packages/borg/platform/posix.cpython-310-xxxMACHINExxx-linux-gnu.so usr/lib/python3.10/site-packages/borg/platform/syncfilerange.cpython-310-xxxMACHINExxx-linux-gnu.so +usr/lib/python3.10/site-packages/borg/platform/xattr.py +usr/lib/python3.10/site-packages/borg/platformflags.py usr/lib/python3.10/site-packages/borg/remote.py usr/lib/python3.10/site-packages/borg/repository.py usr/lib/python3.10/site-packages/borg/selftest.py @@ -58,8 +65,11 @@ usr/lib/python3.10/site-packages/borg/testsuite/benchmark.py usr/lib/python3.10/site-packages/borg/testsuite/cache.py usr/lib/python3.10/site-packages/borg/testsuite/checksums.py usr/lib/python3.10/site-packages/borg/testsuite/chunker.py +usr/lib/python3.10/site-packages/borg/testsuite/chunker_pytest.py +usr/lib/python3.10/site-packages/borg/testsuite/chunker_slow.py usr/lib/python3.10/site-packages/borg/testsuite/compress.py usr/lib/python3.10/site-packages/borg/testsuite/crypto.py +usr/lib/python3.10/site-packages/borg/testsuite/efficient_collection_queue.py usr/lib/python3.10/site-packages/borg/testsuite/file_integrity.py usr/lib/python3.10/site-packages/borg/testsuite/hashindex.py usr/lib/python3.10/site-packages/borg/testsuite/helpers.py @@ -81,11 +91,11 @@ usr/lib/python3.10/site-packages/borg/testsuite/xattr.py usr/lib/python3.10/site-packages/borg/upgrader.py usr/lib/python3.10/site-packages/borg/version.py usr/lib/python3.10/site-packages/borg/xattr.py -usr/lib/python3.10/site-packages/borgbackup-1.1.17-py3.10.egg-info -usr/lib/python3.10/site-packages/borgbackup-1.1.17-py3.10.egg-info/PKG-INFO -usr/lib/python3.10/site-packages/borgbackup-1.1.17-py3.10.egg-info/SOURCES.txt -usr/lib/python3.10/site-packages/borgbackup-1.1.17-py3.10.egg-info/dependency_links.txt -usr/lib/python3.10/site-packages/borgbackup-1.1.17-py3.10.egg-info/entry_points.txt -usr/lib/python3.10/site-packages/borgbackup-1.1.17-py3.10.egg-info/not-zip-safe -usr/lib/python3.10/site-packages/borgbackup-1.1.17-py3.10.egg-info/requires.txt -usr/lib/python3.10/site-packages/borgbackup-1.1.17-py3.10.egg-info/top_level.txt +#usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info +#usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info/PKG-INFO +#usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info/SOURCES.txt +#usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info/dependency_links.txt +#usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info/entry_points.txt +#usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info/not-zip-safe +#usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info/requires.txt +#usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info/top_level.txt diff --git a/lfs/borgbackup b/lfs/borgbackup index 9244900bf..08a3e8ec7 100644 --- a/lfs/borgbackup +++ b/lfs/borgbackup @@ -24,7 +24,7 @@ include Config -VER = 1.1.17 +VER = 1.2.0 SUMMARY = Deduplicating backup program with compression and authenticated encryption THISAPP = borgbackup-$(VER) @@ -33,7 +33,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = borgbackup -PAK_VER = 10 +PAK_VER = 11 DEPS = @@ -47,7 +47,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 3ceb51f3c2e4ee4e38495ca0bdef2d5c1b30225afe9a3c9987a82f4a1facd4aa203fb21512e655fbbab400bcbd412ff4aefa80242aa21a579e086d38bf3e1078 +$(DL_FILE)_BLAKE2 = 9e6cb8d85ca196cbdd6baba694bc7987d63f85d2ba0e25f3ac1e59400882fff71e29b04ca218ee78f23daeb52d13547062b0c80bd0d3f5b460b28b4f274d11ec install : $(TARGET) -- 2.35.1

1 1

[PATCH] Core Update 167: Replace /etc/mtab by symlink to /proc/self/mounts
by Peter Müller 13 Apr '22

13 Apr '22

mount, as updated via util-linux, no longer writes /etc/mtab, causing programs to rely on this file's content (such as the check_disk Nagios plugin) to stop working. /proc/self/mounts contains all the necessary information, so it is fine to replace /etc/mtab by a symlink to it. Fixes: #12843 Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- config/rootfiles/core/167/update.sh | 4 ++++ lfs/cdrom | 4 ++-- lfs/stage2 | 3 ++- src/initscripts/system/mountfs | 6 ------ src/initscripts/system/partresize | 6 ------ 5 files changed, 8 insertions(+), 15 deletions(-) diff --git a/config/rootfiles/core/167/update.sh b/config/rootfiles/core/167/update.sh index fdcb843cf..a9be60a1d 100644 --- a/config/rootfiles/core/167/update.sh +++ b/config/rootfiles/core/167/update.sh @@ -337,6 +337,10 @@ hardlink -c -vv /lib/firmware # Regenerate all initrds dracut --regenerate-all --force +# Replace /etc/mtab by symlink as mount no longer writes it +rm -vf /etc/mtab +ln -vs /proc/self/mounts /etc/mtab + # Rebuild IPS rules perl -e "require '/var/ipfire/ids-functions.pl'; &IDS::oinkmaster();" /etc/init.d/suricata reload diff --git a/lfs/cdrom b/lfs/cdrom index f35ff6a35..d84f8c23c 100644 --- a/lfs/cdrom +++ b/lfs/cdrom @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2021 IPFire Team <info(a)ipfire.org> # +# Copyright (C) 2007-2022 IPFire Team <info(a)ipfire.org> # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -149,7 +149,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # Clear mtab (prevents .journal problems) rm -vf /etc/mtab - echo > /etc/mtab + ln -s /proc/self/mounts /etc/mtab # Create filelist for packaging. BUILDTARGET="$(BUILDTARGET)" BUILD_ARCH="$(BUILD_ARCH)" KVER="$(KVER)" \ diff --git a/lfs/stage2 b/lfs/stage2 index 9f93babe2..39697a848 100644 --- a/lfs/stage2 +++ b/lfs/stage2 @@ -87,7 +87,8 @@ endif cp -rvf $(DIR_SRC)/config/etc/* /etc; [ ! -d "$(DIR_SRC)/config/etc-$(BUILD_ARCH)" ] || cp -rvf $(DIR_SRC)/config/etc-$(BUILD_ARCH)/* /etc cp -rvf $(DIR_SRC)/config/lib/* /lib; - touch /etc/{fs,m}tab + touch /etc/fstab + ln -s /proc/self/mounts /etc/mtab echo "$(NAME) v$(VERSION) - $(SLOGAN)" > /etc/issue echo "===============================" >> /etc/issue echo "\n running on \s \r \m" >> /etc/issue diff --git a/src/initscripts/system/mountfs b/src/initscripts/system/mountfs index b1533d6a2..81ed729c1 100644 --- a/src/initscripts/system/mountfs +++ b/src/initscripts/system/mountfs @@ -31,12 +31,6 @@ case "${1}" in # Remove fsck-related file system watermarks. rm -f /fastboot /forcefsck - boot_mesg "Create /etc/mtab..." - > /etc/mtab - mount -f / || failed=1 - (exit ${failed}) - evaluate_retval - # This will mount all filesystems that do not have _netdev in # their option list. _netdev denotes a network filesystem. boot_mesg "Mounting remaining file systems..." diff --git a/src/initscripts/system/partresize b/src/initscripts/system/partresize index 7605b9e2b..147405e1e 100644 --- a/src/initscripts/system/partresize +++ b/src/initscripts/system/partresize @@ -30,12 +30,6 @@ case "${1}" in mount -o remount,rw / > /dev/null evaluate_retval - boot_mesg "Create /etc/mtab..." - > /etc/mtab - mount -f / || failed=1 - (exit ${failed}) - evaluate_retval - # check if serial console enabled scon="off"; if [ ! "$(grep "console=ttyS0" /proc/cmdline)" == "" ]; then -- 2.34.1

2 6

[PATCH 1/2] borgbackup: Update to version 1.2.0
by Adolf Belka 13 Apr '22

13 Apr '22

- Update from 1.1.17 to 1.2.0 - Update of rootfile - borgbackup now requires the python module pkgconfig, installed as a set with this patch - Changelog Compatibility notes: dropped support / testing for older Pythons, minimum requirement is 3.8. In case your OS does not provide Python >= 3.8, consider using our binary, which does not need an external Python interpreter. Or continue using borg 1.1.x, which is still supported. freeing repository space only happens when “borg compact” is invoked. mount: the default for --numeric-ids is False now (same as borg extract) borg create --noatime is deprecated. Not storing atime is the default behaviour now (use --atime if you want to store the atime). list: corrected mix-up of “isomtime” and “mtime” formats. Previously, “isomtime” was the default but produced a verbose human format, while “mtime” produced a ISO-8601-like format. The behaviours have been swapped (so “mtime” is human, “isomtime” is ISO-like), and the default is now “mtime”. “isomtime” is now a real ISO-8601 format (“T” between date and time, not a space). create/recreate --list: file status for all files used to get announced AFTER the file (with borg < 1.2). Now, file status is announced BEFORE the file contents are processed. If the file status changes later (e.g. due to an error or a content change), the updated/final file status will be printed again. removed deprecated-since-long stuff (deprecated since): command “borg change-passphrase” (2017-02), use “borg key …” option “--keep-tag-files” (2017-01), use “--keep-exclude-tags” option “--list-format” (2017-10), use “--format” option “--ignore-inode” (2017-09), use “--files-cache” w/o “inode” option “--no-files-cache” (2017-09), use “--files-cache=disabled” removed BORG_HOSTNAME_IS_UNIQUE env var. to use borg you must implement one of these 2 scenarios: the combination of FQDN and result of uuid.getnode() must be unique and stable (this should be the case for almost everybody, except when having duplicate FQDN and MAC address or all-zero MAC address) if you are aware that 1) is not the case for you, you must set BORG_HOST_ID env var to something unique. exit with 128 + signal number, #5161. if you have scripts expecting rc == 2 for a signal exit, you need to update them to check for >= 128. Fixes: diff: reduce memory consumption, fix is_hardlink_master, #6295 compact: fix / improve freeable / freed space log output derive really freed space from quota use before/after, #5679 do not say “freeable”, but “maybe freeable” (based on hint, unsure) fix race conditions in internal SaveFile function, #6306 #6028 implement internal safe_unlink (was: truncate_and_unlink) function more safely: usually it does not truncate any more, only under “disk full” circumstances and only if there is only one hardlink. see: https://github.com/borgbackup/borg/discussions/6286 Other changes: info: use a pre12-meta cache to accelerate stats for borg < 1.2 archives. the first time borg info is invoked on a borg 1.1 repo, it can take a rather long time computing and caching some stats values for 1.1 archives, which borg 1.2 archives have in their archive metadata structure. be patient, esp. if you have lots of old archives. following invocations are much faster due to the cache. related change: add archive name to calc_stats progress display. docs: add borg 1.2 upgrade notes, #6217 link to borg placeholders and borg patterns help init: explain the encryption modes better clarify usage of patternfile roots put import-tar docs into same file as export-tar docs explain the difference between a path that ends with or without a slash, #6297 Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> --- config/rootfiles/packages/borgbackup | 64 ++++++++++++++++------------ lfs/borgbackup | 6 +-- 2 files changed, 40 insertions(+), 30 deletions(-) diff --git a/config/rootfiles/packages/borgbackup b/config/rootfiles/packages/borgbackup index dccaf4711..041d9e89a 100644 --- a/config/rootfiles/packages/borgbackup +++ b/config/rootfiles/packages/borgbackup @@ -6,33 +6,38 @@ usr/lib/python3.10/site-packages/borg/__main__.py usr/lib/python3.10/site-packages/borg/_version.py #usr/lib/python3.10/site-packages/borg/algorithms usr/lib/python3.10/site-packages/borg/algorithms/__init__.py -usr/lib/python3.10/site-packages/borg/algorithms/checksums.cpython-310-xxxMACHINExxx-linux-gnu.so -#usr/lib/python3.10/site-packages/borg/algorithms/msgpack -usr/lib/python3.10/site-packages/borg/algorithms/msgpack/__init__.py -usr/lib/python3.10/site-packages/borg/algorithms/msgpack/_packer.cpp -usr/lib/python3.10/site-packages/borg/algorithms/msgpack/_packer.cpython-310-xxxMACHINExxx-linux-gnu.so -usr/lib/python3.10/site-packages/borg/algorithms/msgpack/_unpacker.cpp -usr/lib/python3.10/site-packages/borg/algorithms/msgpack/_unpacker.cpython-310-xxxMACHINExxx-linux-gnu.so -usr/lib/python3.10/site-packages/borg/algorithms/msgpack/_version.py -usr/lib/python3.10/site-packages/borg/algorithms/msgpack/exceptions.py -usr/lib/python3.10/site-packages/borg/algorithms/msgpack/fallback.py +usr/lib/python3.10/site-packages/borg/algorithms/checksums.cpython-310-x86_64-linux-gnu.so usr/lib/python3.10/site-packages/borg/archive.py usr/lib/python3.10/site-packages/borg/archiver.py usr/lib/python3.10/site-packages/borg/cache.py -usr/lib/python3.10/site-packages/borg/chunker.cpython-310-xxxMACHINExxx-linux-gnu.so -usr/lib/python3.10/site-packages/borg/compress.cpython-310-xxxMACHINExxx-linux-gnu.so +usr/lib/python3.10/site-packages/borg/chunker.cpython-310-x86_64-linux-gnu.so +usr/lib/python3.10/site-packages/borg/compress.cpython-310-x86_64-linux-gnu.so usr/lib/python3.10/site-packages/borg/constants.py #usr/lib/python3.10/site-packages/borg/crypto usr/lib/python3.10/site-packages/borg/crypto/__init__.py usr/lib/python3.10/site-packages/borg/crypto/file_integrity.py usr/lib/python3.10/site-packages/borg/crypto/key.py usr/lib/python3.10/site-packages/borg/crypto/keymanager.py -usr/lib/python3.10/site-packages/borg/crypto/low_level.cpython-310-xxxMACHINExxx-linux-gnu.so +usr/lib/python3.10/site-packages/borg/crypto/low_level.cpython-310-x86_64-linux-gnu.so usr/lib/python3.10/site-packages/borg/crypto/nonces.py usr/lib/python3.10/site-packages/borg/fuse.py -usr/lib/python3.10/site-packages/borg/hashindex.cpython-310-xxxMACHINExxx-linux-gnu.so -usr/lib/python3.10/site-packages/borg/helpers.py -usr/lib/python3.10/site-packages/borg/item.cpython-310-xxxMACHINExxx-linux-gnu.so +usr/lib/python3.10/site-packages/borg/fuse_impl.py +usr/lib/python3.10/site-packages/borg/hashindex.cpython-310-x86_64-linux-gnu.so +#usr/lib/python3.10/site-packages/borg/helpers +usr/lib/python3.10/site-packages/borg/helpers/__init__.py +usr/lib/python3.10/site-packages/borg/helpers/checks.py +usr/lib/python3.10/site-packages/borg/helpers/datastruct.py +usr/lib/python3.10/site-packages/borg/helpers/errors.py +usr/lib/python3.10/site-packages/borg/helpers/fs.py +usr/lib/python3.10/site-packages/borg/helpers/manifest.py +usr/lib/python3.10/site-packages/borg/helpers/misc.py +usr/lib/python3.10/site-packages/borg/helpers/msgpack.py +usr/lib/python3.10/site-packages/borg/helpers/parseformat.py +usr/lib/python3.10/site-packages/borg/helpers/process.py +usr/lib/python3.10/site-packages/borg/helpers/progress.py +usr/lib/python3.10/site-packages/borg/helpers/time.py +usr/lib/python3.10/site-packages/borg/helpers/yes.py +usr/lib/python3.10/site-packages/borg/item.cpython-310-x86_64-linux-gnu.so usr/lib/python3.10/site-packages/borg/locking.py usr/lib/python3.10/site-packages/borg/logger.py usr/lib/python3.10/site-packages/borg/lrucache.py @@ -42,9 +47,11 @@ usr/lib/python3.10/site-packages/borg/patterns.py #usr/lib/python3.10/site-packages/borg/platform usr/lib/python3.10/site-packages/borg/platform/__init__.py usr/lib/python3.10/site-packages/borg/platform/base.py -usr/lib/python3.10/site-packages/borg/platform/linux.cpython-310-xxxMACHINExxx-linux-gnu.so -usr/lib/python3.10/site-packages/borg/platform/posix.cpython-310-xxxMACHINExxx-linux-gnu.so -usr/lib/python3.10/site-packages/borg/platform/syncfilerange.cpython-310-xxxMACHINExxx-linux-gnu.so +usr/lib/python3.10/site-packages/borg/platform/linux.cpython-310-x86_64-linux-gnu.so +usr/lib/python3.10/site-packages/borg/platform/posix.cpython-310-x86_64-linux-gnu.so +usr/lib/python3.10/site-packages/borg/platform/syncfilerange.cpython-310-x86_64-linux-gnu.so +usr/lib/python3.10/site-packages/borg/platform/xattr.py +usr/lib/python3.10/site-packages/borg/platformflags.py usr/lib/python3.10/site-packages/borg/remote.py usr/lib/python3.10/site-packages/borg/repository.py usr/lib/python3.10/site-packages/borg/selftest.py @@ -58,8 +65,11 @@ usr/lib/python3.10/site-packages/borg/testsuite/benchmark.py usr/lib/python3.10/site-packages/borg/testsuite/cache.py usr/lib/python3.10/site-packages/borg/testsuite/checksums.py usr/lib/python3.10/site-packages/borg/testsuite/chunker.py +usr/lib/python3.10/site-packages/borg/testsuite/chunker_pytest.py +usr/lib/python3.10/site-packages/borg/testsuite/chunker_slow.py usr/lib/python3.10/site-packages/borg/testsuite/compress.py usr/lib/python3.10/site-packages/borg/testsuite/crypto.py +usr/lib/python3.10/site-packages/borg/testsuite/efficient_collection_queue.py usr/lib/python3.10/site-packages/borg/testsuite/file_integrity.py usr/lib/python3.10/site-packages/borg/testsuite/hashindex.py usr/lib/python3.10/site-packages/borg/testsuite/helpers.py @@ -81,11 +91,11 @@ usr/lib/python3.10/site-packages/borg/testsuite/xattr.py usr/lib/python3.10/site-packages/borg/upgrader.py usr/lib/python3.10/site-packages/borg/version.py usr/lib/python3.10/site-packages/borg/xattr.py -usr/lib/python3.10/site-packages/borgbackup-1.1.17-py3.10.egg-info -usr/lib/python3.10/site-packages/borgbackup-1.1.17-py3.10.egg-info/PKG-INFO -usr/lib/python3.10/site-packages/borgbackup-1.1.17-py3.10.egg-info/SOURCES.txt -usr/lib/python3.10/site-packages/borgbackup-1.1.17-py3.10.egg-info/dependency_links.txt -usr/lib/python3.10/site-packages/borgbackup-1.1.17-py3.10.egg-info/entry_points.txt -usr/lib/python3.10/site-packages/borgbackup-1.1.17-py3.10.egg-info/not-zip-safe -usr/lib/python3.10/site-packages/borgbackup-1.1.17-py3.10.egg-info/requires.txt -usr/lib/python3.10/site-packages/borgbackup-1.1.17-py3.10.egg-info/top_level.txt +#usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info +#usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info/PKG-INFO +#usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info/SOURCES.txt +#usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info/dependency_links.txt +#usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info/entry_points.txt +#usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info/not-zip-safe +#usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info/requires.txt +#usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info/top_level.txt diff --git a/lfs/borgbackup b/lfs/borgbackup index 9244900bf..08a3e8ec7 100644 --- a/lfs/borgbackup +++ b/lfs/borgbackup @@ -24,7 +24,7 @@ include Config -VER = 1.1.17 +VER = 1.2.0 SUMMARY = Deduplicating backup program with compression and authenticated encryption THISAPP = borgbackup-$(VER) @@ -33,7 +33,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = borgbackup -PAK_VER = 10 +PAK_VER = 11 DEPS = @@ -47,7 +47,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 3ceb51f3c2e4ee4e38495ca0bdef2d5c1b30225afe9a3c9987a82f4a1facd4aa203fb21512e655fbbab400bcbd412ff4aefa80242aa21a579e086d38bf3e1078 +$(DL_FILE)_BLAKE2 = 9e6cb8d85ca196cbdd6baba694bc7987d63f85d2ba0e25f3ac1e59400882fff71e29b04ca218ee78f23daeb52d13547062b0c80bd0d3f5b460b28b4f274d11ec install : $(TARGET) -- 2.35.1

2 3

[PATCH 1/2] wio.pl: Fix bug 12799 - Remove code scanning for all potential IP's on RED interface
by Adolf Belka 13 Apr '22

13 Apr '22

- The lines to scan the red interface were introduced at the time of a patch to remove the IPFire start/stop function from wio. These lines are not related to that change but were included in the patch with no commit message. The same lines were also added into wio.cgi in the same patch set but in that case the lines were all commented out. - These lines look like they were most likely added to the code for investigation or debugging purposes. Looking at the lines in wio.pl the results obtained are not used elsewhere in wio for obtaining info on the status of the red interface. Deleting the lines did not affect anything related to the scanning, setup or monitoring of systems by wio. - The lines were wasting space but generally not creating a huge impact on pertformance. On my production system it scans my red and comes up with a list of 1022 IP's because of the subnet my ISP uses - xxx.yy.216.0/20 - Scanning those 1022 IP's and sorting them takes my system about 3 seconds. Without sorting it is around the same level. - In Bug#12799 the originator has an ISP that is using a private network that has a defined subnet of 10.0.0.0/8 This is 16,777,214 IP's to be scanned. Even without sorting my system would end up taking around 13 hours to do that. The bug originator found that on certain machines that he had IPFire on wio just never stopped scanning. - As these lines just seem to collect a large amount of IP's on red that are not related to the actual running red IP, as there was no commit message related to their introduction and as removing the lines on vm's running dhcp and static red interfaces and also on my running production system for 4 weeks has shown no impact on the monitoring capability this patch is being submitted to remove these lines from wio Fixes: Bug#12799 Tested-by: Adolf Belka <adolf.belka(a)ipfire.org> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> --- src/wio/main/wio.pl | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/wio/main/wio.pl b/src/wio/main/wio.pl index 91c6c1494..78c91eeb9 100644 --- a/src/wio/main/wio.pl +++ b/src/wio/main/wio.pl @@ -98,9 +98,6 @@ my ( $ping_i, $ping_t, $ping_ib, $ping_tb, $ping_iv, $ping_tv, $pingmode ) = ''; my ( @tmp, @arptmp, @myarray, @status, @arpclients ) = ''; my @ifaces = ('GREEN','BLUE','ORANGE'); -if ( $netsettings{'RED_TYPE'} eq 'STATIC' || $netsettings{'RED_TYPE'} eq 'DHCP' ) { - push (@ifaces, "RED"); -} if ( $mailsettings{'USEMAIL'} eq 'on' ) { $mailen = 'on'; } else { $mailen = 'off'; } -- 2.35.1

2 3

Re: ipblocklist - Call for testers (disable attribute in sources)
by Tim FitzGeorge 12 Apr '22

12 Apr '22

Hello, I've not had a chance to look at the code in detail, but a few comments: - The disable value in the sources file is intended to disable conflicting sets when necessary. It's partly in reaction to people who just enable everything without thinking about it, but it's also because for the blocklists it's relatively easy to identify which lists are subsets of others. A good example is the three Feodo lists which are are different versions of the same list, but with different probabilities of blocking legitimate traffic. - I set the list to update every 15 minutes after discussion with Michael, as some of the lists update very quickly (every five minutes for some lists). I don't think there's any particular reason why a given update period is preferred. - I had code to create either a hash:ip or had:net ipset. The reason for this is that aparently (if I remember the documentation correctly), looking for an IP address against a hash:net requires checking each of the possible containing networks (/32, /31, /30...). It thus takes significantly longer than checking against a hash:ip. As the majority of lists are only single addresses this seemed like a worthwhile optimisation. - It's probably worth reviewing the list of blocklists. I would certainly remove Alienvault, which seems to be defunct. Charles Brown suggested the 3COREsec lists, which look interesting. This could be left to post-first release. As a note of caution, I found some interesting lists for blocking command and control servers which were licenced under terms that I thought would make it difficult to include in the IPFire distribution. - Longer term it may be worth adding the capability for a sources.local, but again I think this is better left until post-first release. It may be worth adding a 'Do not edit this file' in the sources file since it could be overwritten by future updates. - I think IPFire now has four different ways of using the Spamhaus DROP list (IPS, hostile networks, XD country code and IP Blocklist). When this is released it may be worth writing a blog post or a wiki page on the advantages and disadvantages of each (or even a more general one looking at all the different malware etc. facilities). Tim On 10/04/2022 19:47, Stefan Schantl wrote: > Hello Charles, > > thanks for a first look and your feedback. > > Now after you have put my attention to those "disable" value in the > sources file, I have to admit I totally have overseen this. > > When interpreting this field and the values, it seems has been designed > to automatically disable conflicting/obsolete sets in case such a set > is enabled. > > So for this feature I have go back to the drawing board and put some > attention to it. > > In the meantime please go on with testing and report any other issues. > > Best regards, > > -Stefan >> Tim, Stefan, >> I have installed the ipblocklist feature. It looks great. >> I’m curious about the disable attribute in the sources file. >> I have all the lists enabled, I would have thought enabling >> EMERGING_FWRULE would have the DSHIELD list automatically disabled. >> However, I am showing several hits on DSHIELD and I see 20 entries in >> ipset for DSHIELD. Is the disable attribute in sources there for >> informational purposes only? >> Thanks for your excellent work on this feature, >> Charles Brown >> >> > >

3 2

[PATCH] xz: Apply patch to solve security fix (ZDI-CAN-16587)
by Adolf Belka 12 Apr '22

12 Apr '22

- Malicious filenames can make xzgrep to write to arbitrary files or (with a GNU sed extension) lead to arbitrary code execution. - xzgrep from XZ Utils versions up to and including 5.2.5 are affected. 5.3.1alpha and 5.3.2alpha are affected as well. - This bug was inherited from gzip's zgrep. gzip 1.12 includes a fix for zgrep. - CU167 has gzip-1.12 with the fix already merged. Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> --- lfs/xz | 1 + src/patches/xzgrep-ZDI-CAN-16587.patch | 94 ++++++++++++++++++++++++++ 2 files changed, 95 insertions(+) create mode 100644 src/patches/xzgrep-ZDI-CAN-16587.patch diff --git a/lfs/xz b/lfs/xz index 586fbc90f..9345df954 100644 --- a/lfs/xz +++ b/lfs/xz @@ -75,6 +75,7 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -p1 -i $(DIR_SRC)/src/patches/xzgrep-ZDI-CAN-16587.patch cd $(DIR_APP) && ./configure --prefix=$(PREFIX) cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install diff --git a/src/patches/xzgrep-ZDI-CAN-16587.patch b/src/patches/xzgrep-ZDI-CAN-16587.patch new file mode 100644 index 000000000..406ded590 --- /dev/null +++ b/src/patches/xzgrep-ZDI-CAN-16587.patch @@ -0,0 +1,94 @@ +From 69d1b3fc29677af8ade8dc15dba83f0589cb63d6 Mon Sep 17 00:00:00 2001 +From: Lasse Collin <lasse.collin(a)tukaani.org> +Date: Tue, 29 Mar 2022 19:19:12 +0300 +Subject: [PATCH] xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587). + +Malicious filenames can make xzgrep to write to arbitrary files +or (with a GNU sed extension) lead to arbitrary code execution. + +xzgrep from XZ Utils versions up to and including 5.2.5 are +affected. 5.3.1alpha and 5.3.2alpha are affected as well. +This patch works for all of them. + +This bug was inherited from gzip's zgrep. gzip 1.12 includes +a fix for zgrep. + +The issue with the old sed script is that with multiple newlines, +the N-command will read the second line of input, then the +s-commands will be skipped because it's not the end of the +file yet, then a new sed cycle starts and the pattern space +is printed and emptied. So only the last line or two get escaped. + +One way to fix this would be to read all lines into the pattern +space first. However, the included fix is even simpler: All lines +except the last line get a backslash appended at the end. To ensure +that shell command substitution doesn't eat a possible trailing +newline, a colon is appended to the filename before escaping. +The colon is later used to separate the filename from the grep +output so it is fine to add it here instead of a few lines later. + +The old code also wasn't POSIX compliant as it used \n in the +replacement section of the s-command. Using \<newline> is the +POSIX compatible method. + +LC_ALL=C was added to the two critical sed commands. POSIX sed +manual recommends it when using sed to manipulate pathnames +because in other locales invalid multibyte sequences might +cause issues with some sed implementations. In case of GNU sed, +these particular sed scripts wouldn't have such problems but some +other scripts could have, see: + + info '(sed)Locale Considerations' + +This vulnerability was discovered by: +cleemy desu wayo working with Trend Micro Zero Day Initiative + +Thanks to Jim Meyering and Paul Eggert discussing the different +ways to fix this and for coordinating the patch release schedule +with gzip. +--- + src/scripts/xzgrep.in | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/src/scripts/xzgrep.in b/src/scripts/xzgrep.in +index b180936..e5186ba 100644 +--- a/src/scripts/xzgrep.in ++++ b/src/scripts/xzgrep.in +@@ -180,22 +180,26 @@ for i; do + { test $# -eq 1 || test $no_filename -eq 1; }; then + eval "$grep" + else ++ # Append a colon so that the last character will never be a newline ++ # which would otherwise get lost in shell command substitution. ++ i="$i:" ++ ++ # Escape & \ | and newlines only if such characters are present ++ # (speed optimization). + case $i in + (*' + '* | *'&'* | *'\'* | *'|'*) +- i=$(printf '%s\n' "$i" | +- sed ' +- $!N +- $s/[&\|]/\\&/g +- $s/\n/\\n/g +- ');; ++ i=$(printf '%s\n' "$i" | LC_ALL=C sed 's/[&\|]/\\&/g; $!s/$/\\/');; + esac +- sed_script="s|^|$i:|" ++ ++ # $i already ends with a colon so don't add it here. ++ sed_script="s|^|$i|" + + # Fail if grep or sed fails. + r=$( + exec 4>&1 +- (eval "$grep" 4>&-; echo $? >&4) 3>&- | sed "$sed_script" >&3 4>&- ++ (eval "$grep" 4>&-; echo $? >&4) 3>&- | ++ LC_ALL=C sed "$sed_script" >&3 4>&- + ) || r=2 + exit $r + fi >&3 5>&- +-- +2.35.1 + -- 2.35.1

3 2

Guardian does not start after upddate to Core 167 testing
by Dirk Kulmsee 12 Apr '22

12 Apr '22

Hi all, just upgraded to Core Update 167 Development Build: master/24c8e6a6. Now the guardian does not start due to a missing Perl module: [root@ipfire ~]# /etc/init.d/guardian start Starting Guardian... Can't locate Net/IP.pm in @INC (you may need to install the Net::IP module) (@INC contains: /usr/lib/perl5/site_perl/5.32.1/x86_64-linux-thread-multi /usr/lib/perl5/site_perl/5.32.1 /usr/lib/perl5/5.32.1/x86_64-linux-thread-multi /usr/lib/perl5/5.32.1) at /usr/lib/perl5/site_perl/5.32.1/Guardian/Base.pm line 9. BEGIN failed--compilation aborted at /usr/lib/perl5/site_perl/5.32.1/Guardian/Base.pm line 9. Compilation failed in require at /usr/sbin/guardian line 30. [ FAIL ] Keep up your good work everybody! Mit freundlichen Grüßen Dirk Kulmsee _________________________________________________________________ CAPRICOMP DIRK KULMSEE (kulmsee(a)capricomp.de) Am Zehnthof 149 - COMPUTER 44141 Dortmund - NETZWERKE Telefon: +49-231-99951318 - IT-SERVICE Telefax: +49-231-99951315 _________________________________________________________________

2 1

← Newer
1
...
6
7
8
9
10
11
12
...
16
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Development April 2022