diff --git a/libotr/PKGBUILD b/libotr/PKGBUILD
index a96dcf9..b75a31d 100644
--- a/libotr/PKGBUILD
+++ b/libotr/PKGBUILD
@@ -7,17 +7,21 @@ pkgname=libotr
 pkgver=4.1.1
-pkgrel=03
+pkgrel=04
 pkgdesc='Off-the-Record Messaging Library and Toolkit a thunderbird dependency w/o systemd'
 url='https://otr.cypherpunks.ca/'
 depends=('libgcrypt')
 source=(https://otr.cypherpunks.ca/${pkgname}-${pkgver}.tar.gz{,.asc} missing-include.patch)
+# "$pkgname-4.1.1-include-socket.h.patch")
 prepare() {
 cd "${srcdir}/${pkgbase}-${pkgver}"
 # void patch for lack of systemd
 patch -Np1 < ../missing-include.patch
+# Arch now added the patch used by void earlier ??
+# # FS#75450
+# patch -d "$pkgname-$pkgver" -N -p 1 -i "${srcdir}/$pkgname-4.1.1-include-socket.h.patch"
 }
 build() {
@@ -45,6 +49,8 @@ validpgpkeys=('22DF3305DF56667CE15784FCF24DE08F42C2ABAD') # OTR Dev Team
 sha256sums=(8b3b182424251067a952fb4e6c7b95a21e644fbb27fbd5f8af2b2ed87ca419f5 # libotr-4.1.1.tar.gz
 3a24fe5ef490292295a5be7484d1148a4dbcace3a703279c9ea8ff7947215e90 # libotr-4.1.1.tar.gz.asc
 8d2fcb7c90f13539d219f2fab898e4cba031f5703d712f88799d92ab0c9a0b6e) # missing-include.patch
+# cfda75f8c5bba2e735d2b4f1bb90f60b45fa1d554a97fff75cac467f7873ebde) # libotr-4.1.1-include-socket.h.patch
-## 157c8c0aef8f6a9be163a2cf83948597c368082feea7fe982426a3f0b0f27ea9 libotr-4.1.1-03-x86_64.pkg.tar.lz
+
+## 7750392b7347a75b6ec6b94722d951123b91ab2f11c29d2faa7b2becce21bc16 libotr-4.1.1-04-x86_64.pkg.tar.lz
diff --git a/libotr/PKGBUILD-arch b/libotr/PKGBUILD-arch
index f30b8c8..0f8b995 100644
--- a/libotr/PKGBUILD-arch
+++ b/libotr/PKGBUILD-arch
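Review bot: The prepare() hunk leaves an unresolved question in the file (`+# Arch now added the patch used by void earlier ??`) plus three commented-out lines that duplicate Arch's FS#75450 fix, and the sha256sums hunk at `@@ -45,6 +49,8` adds the matching commented-out checksum; that is dead recipe text that will drift from the PKGBUILD-arch copy. Settle it before merging: check whether the patch that is actually applied already carries the same include that Arch's include-socket.h patch adds to tests/regression/client/client.c (e.g. `grep -n 'socket.h' missing-include.patch`), then either delete the four commented lines or replace them with a single comment recording the outcome, such as `# FS#75450: the socket.h include is already part of missing-include.patch`. If the include is not in missing-include.patch, the test-suite build that Arch's patch fixes stays broken in this variant and the patch should be applied (uncommenting both the source entry and its checksum) rather than carried as a comment. The `## ...pkg.tar.lz` lines are comments too, so the recorded output hash is informational only and nothing verifies it at build time.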
@@ -1,19 +1,27 @@
-# Maintainer: Gaetan Bisson
+# Maintainer: Levente Polyak
+# Contributor: Gaetan Bisson
 # Contributor: Pierre Schmitz
 # Contributor: Bug
 pkgname=libotr
 pkgver=4.1.1
-pkgrel=3
+pkgrel=4
 pkgdesc='Off-the-Record Messaging Library and Toolkit'
 url='https://otr.cypherpunks.ca/'
 license=('GPL' 'LGPL')
 arch=('x86_64')
 depends=('libgcrypt')
 validpgpkeys=('22DF3305DF56667CE15784FCF24DE08F42C2ABAD') # OTR Dev Team
-source=(https://otr.cypherpunks.ca/${pkgname}-${pkgver}.tar.gz{,.asc})
+source=(https://otr.cypherpunks.ca/${pkgname}-${pkgver}.tar.gz{,.asc}
+ "$pkgname-4.1.1-include-socket.h.patch")
 sha256sums=('8b3b182424251067a952fb4e6c7b95a21e644fbb27fbd5f8af2b2ed87ca419f5'
- 'SKIP')
+ 'SKIP'
+ 'cfda75f8c5bba2e735d2b4f1bb90f60b45fa1d554a97fff75cac467f7873ebde')
+
+prepare() {
+ # FS#75450
+ patch -d "$pkgname-$pkgver" -N -p 1 -i "${srcdir}/$pkgname-4.1.1-include-socket.h.patch"
+}
 build() {
 cd "${srcdir}/${pkgname}-${pkgver}"
diff --git a/libotr/deps b/libotr/deps
new file mode 100644
index 0000000..139597f
--- /dev/null
+++ b/libotr/deps
@@ -0,0 +1,2 @@
+
+
diff --git a/libotr/libotr-4.1.1-include-socket.h.patch b/libotr/libotr-4.1.1-include-socket.h.patch
new file mode 100644
index 0000000..1806458
--- /dev/null
+++ b/libotr/libotr-4.1.1-include-socket.h.patch
@@ -0,0 +1,16 @@
+From: Rhonda D'Vine
+Date: Thu, 12 May 2022 08:57:07 +0200
+Bug-Debian: https://bugs.debian.org/1009420
+Forwarded: no
+Subject: test suite fails to build without the include
+
+--- a/tests/regression/client/client.c
++++ b/tests/regression/client/client.c
+@@ -29,6 +29,7 @@
+ #include
+ #include
+ #include
++#include
+ 
+ #include
+ #include
diff --git a/nftables/PKGBUILD b/nftables/PKGBUILD
index 8f2e4d9..3e34fb1 100644
--- a/nftables/PKGBUILD
+++ b/nftables/PKGBUILD
@@ -8,15 +8,17 @@ pkgname=nftables
 epoch=1
 pkgver=1.0.8
-pkgrel=01
+pkgrel=02
 pkgdesc='Netfilter tables userspace tools w/o systemd'
 url='https://netfilter.org/projects/nftables/'
 depends=('libmnl' 'libnftnl' 'gmp' 'readline' 'ncurses' 'jansson')
 optdepends=('python: Python bindings')
-makedepends=('asciidoc' 'python' 'python-setuptools')
+makedepends=('asciidoc' 'python' 'python-setuptools' 'python-build'
+ 'python-installer' 'python-wheel')
 backup=('etc/nftables.conf')
 validpgpkeys=('37D964ACC04981C75500FB9BD55D978A8A1420E4') # Netfilter Core Team
 source=("https://netfilter.org/projects/nftables/files/nftables-$pkgver.tar.xz"{,.sig}
+ 'meta-stash-context-statement-length.patch'
 'nftables.conf')
 # 'nftables.service')
@@ -38,20 +40,27 @@ prepare() {
 build() {
 cd $pkgname-$pkgver
- autoreconf -fi #FIXME: To remove with 01.patch
+# autoreconf -fi #FIXME: To remove with 01.patch
 ./configure \
 --prefix=/usr \
 --sbindir=/usr/bin \
 --sysconfdir=/usr/share \
 --with-json \
+ --disable-python \
 --with-cli=readline \
 --disable-debug
 make
+
+ # Building the Python module separately due to the automatic build resulting
+ # in an incorrect directory structure and unimportable module (see FS#79229)
+ cd py
+ python -m build --wheel --no-isolation
 }
 package() {
 pushd $pkgname-$pkgver
 make DESTDIR="$pkgdir" install
+ python -m installer --destdir="$pkgdir" py/dist/*.whl
 popd
 # basic safe firewall config
 install -Dm644 nftables.conf "$pkgdir/etc/nftables.conf"
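Review bot: `meta-stash-context-statement-length.patch` is added to `source` here and checksummed in the hunk at `@@ -67,7 +76,8`, but the code that must apply it is not in view: the next hunk's header shows `prepare() {` begins before line 38, and the visible build() does not touch the patch. Confirm that prepare() contains a line such as `patch -Np1 -i ../meta-stash-context-statement-length.patch`; otherwise makepkg verifies a file that is never used and the package ships without the fix while the bumped pkgrel suggests it has it. The vendored patch's own description says it corrects incorrect bytecode for `meta mark set ip dscp` in the inet family, so a firewall built without it would still load the wrong rule. The same check applies to the PKGBUILD-arch hunk at `@@ -3,22 +3,25`, whose prepare() is likewise outside the diff.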
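Review bot: `+# autoreconf -fi #FIXME: To remove with 01.patch` replaces the removed line with a commented-out copy and keeps a FIXME that refers to a `01.patch` absent from `source`; the PKGBUILD-arch hunk at `@@ -38,20 +41,26` simply deletes the line, and this file should do the same. The trailing `cd py` also leaves build() in a different working directory for anything appended later; `(cd py && python -m build --wheel --no-isolation)` keeps the function's cwd at `$pkgname-$pkgver`. `--no-isolation` is the right choice: it stops python-build from fetching build dependencies from PyPI inside makepkg, so the wheel is built only from the packages listed in makedepends.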
@@ -67,7 +76,8 @@ license=('GPL2')
 sha256sums=(9373740de41a82dbc98818e0a46a073faeb8a8d0689fa4fa1a74399c32bf3d50 # nftables-1.0.8.tar.xz
 eadbbad3eb70bc08a7a8c5598807f81b81860b571243f2e308dae01a97c656ae # nftables-1.0.8.tar.xz.sig
+ 3c428a2e5037ff5ea54be060c46a48bf659cd783c8ce5f5ee943fec6ddc61da6 # meta-stash-context-statement-length.patch
 2aff88019097d21dbfa4713f5b54c184751c86376e458b683f8d90f3abd232a8) # nftables.conf
-## 751183c89602c67916e54c1452a133e9bdca65e730618f4e8a893f833033c7ff nftables-1:1.0.8-01-x86_64.pkg.tar.lz
+## ad2c0fbfa0ff9956a6a898cead950b8a3b3205dc3d350fbc06f01eae18c6adec nftables-1:1.0.8-02-x86_64.pkg.tar.lz
diff --git a/nftables/PKGBUILD-arch b/nftables/PKGBUILD-arch
index 4c1682b..6d0d0c2 100644
--- a/nftables/PKGBUILD-arch
+++ b/nftables/PKGBUILD-arch
@@ -3,22 +3,25 @@ pkgname=nftables
 epoch=1
 pkgver=1.0.8
-pkgrel=1
+pkgrel=2
 pkgdesc='Netfilter tables userspace tools'
 arch=('x86_64')
 url='https://netfilter.org/projects/nftables/'
 license=('GPL2')
 depends=('libmnl' 'libnftnl' 'gmp' 'readline' 'ncurses' 'jansson')
 optdepends=('python: Python bindings')
-makedepends=('asciidoc' 'python' 'python-setuptools')
+makedepends=('asciidoc' 'python' 'python-setuptools' 'python-build'
+ 'python-installer' 'python-wheel')
 backup=('etc/nftables.conf')
 validpgpkeys=('37D964ACC04981C75500FB9BD55D978A8A1420E4') # Netfilter Core Team
 source=("https://netfilter.org/projects/nftables/files/nftables-$pkgver.tar.xz"{,.sig}
+ 'meta-stash-context-statement-length.patch'
 'nftables.conf'
 'nftables.service')
 install=nftables.install
 sha256sums=('9373740de41a82dbc98818e0a46a073faeb8a8d0689fa4fa1a74399c32bf3d50'
 'SKIP'
+ '3c428a2e5037ff5ea54be060c46a48bf659cd783c8ce5f5ee943fec6ddc61da6'
 '2aff88019097d21dbfa4713f5b54c184751c86376e458b683f8d90f3abd232a8'
 'deffeef36fe658867dd9203ec13dec85047a6d224ea63334dcf60db97e1809ea')
@@ -38,20 +41,26 @@ prepare() {
 build() {
 cd $pkgname-$pkgver
- autoreconf -fi #FIXME: To remove with 01.patch
 ./configure \
 --prefix=/usr \
 --sbindir=/usr/bin \
 --sysconfdir=/usr/share \
 --with-json \
 --with-cli=readline \
+ --disable-python \
 --disable-debug
 make
+
+ # Building the Python module separately due to the automatic build resulting
+ # in an incorrect directory structure and unimportable module (see FS#79229)
+ cd py
+ python -m build --wheel --no-isolation
 }
 package() {
 pushd $pkgname-$pkgver
 make DESTDIR="$pkgdir" install
+ python -m installer --destdir="$pkgdir" py/dist/*.whl
 popd
 # basic safe firewall config
 install -Dm644 nftables.conf "$pkgdir/etc/nftables.conf"
diff --git a/nftables/deps b/nftables/deps
index 90d7d29..8dccc66 100644
--- a/nftables/deps
+++ b/nftables/deps
@@ -3,5 +3,8 @@ python
 autoconf
 automake
 python-setuptools
+python-build
+python-installer
+python-wheel
diff --git a/nftables/meta-stash-context-statement-length.patch b/nftables/meta-stash-context-statement-length.patch
new file mode 100644
index 0000000..4b0ec4f
--- /dev/null
+++ b/nftables/meta-stash-context-statement-length.patch
@@ -0,0 +1,245 @@
+From 5f1676ac9f1aeb36d7695c3c354dade013a1e4f3 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Tue, 18 Jul 2023 23:10:01 +0200
+Subject: [PATCH] meta: stash context statement length when generating
+ payload/meta dependency
+
+... meta mark set ip dscp
+
+generates an implicit dependency from the inet family to match on meta
+nfproto ip.
+
+The length of this implicit expression is incorrectly adjusted to the
+statement length, ie. relational to compare meta nfproto takes 4 bytes
+instead of 1 byte. The evaluation of 'ip dscp' under the meta mark
+statement triggers this implicit dependency which should not consider
+the context statement length since it is added before the statement
+itself.
+
+This problem shows when listing the ruleset, since netlink_parse_cmp()
+where left->len < right->len, hence handling the implicit dependency as
+a concatenation, but it is actually a bug in the evaluation step that
+leads to incorrect bytecode.
+
+Fixes: 3c64ea7995cb ("evaluate: honor statement length in integer evaluation")
+Fixes: edecd58755a8 ("evaluate: support shifts larger than the width of the left operand")
+Tested-by: Brian Davidson
+Signed-off-by: Pablo Neira Ayuso
+---
+ src/payload.c | 13 ++++++
+ tests/py/inet/meta.t | 5 +++
+ tests/py/inet/meta.t.json | 86 ++++++++++++++++++++++++++++++++++++
+ tests/py/inet/meta.t.payload | 40 +++++++++++++++++
+ 4 files changed, 144 insertions(+)
+
+diff --git a/src/payload.c b/src/payload.c
+index f67b5407..7862745b 100644
+--- a/src/payload.c
++++ b/src/payload.c
+@@ -409,6 +409,7 @@ static int payload_add_dependency(struct eval_ctx *ctx,
+ const struct proto_hdr_template *tmpl;
+ struct expr *dep, *left, *right;
+ struct proto_ctx *pctx;
++ unsigned int stmt_len;
+ struct stmt *stmt;
+ int protocol;
+ 
+@@ -429,11 +430,16 @@ static int payload_add_dependency(struct eval_ctx *ctx,
+ constant_data_ptr(protocol, tmpl->len));
+ 
+ dep = relational_expr_alloc(&expr->location, OP_EQ, left, right);
++
++ stmt_len = ctx->stmt_len;
++ ctx->stmt_len = 0;
++
+ stmt = expr_stmt_alloc(&dep->location, dep);
+ if (stmt_evaluate(ctx, stmt) < 0) {
+ return expr_error(ctx->msgs, expr,
+ "dependency statement is invalid");
+ }
++ ctx->stmt_len = stmt_len;
+ 
+ if (ctx->inner_desc) {
+ if (tmpl->meta_key)
+@@ -543,6 +549,7 @@ int payload_gen_dependency(struct eval_ctx *ctx, const struct expr *expr,
+ const struct hook_proto_desc *h;
+ const struct proto_desc *desc;
+ struct proto_ctx *pctx;
++ unsigned int stmt_len;
+ struct stmt *stmt;
+ uint16_t type;
+ 
+@@ -559,12 +566,18 @@ int payload_gen_dependency(struct eval_ctx *ctx, const struct expr *expr,
+ "protocol specification is invalid "
+ "for this family");
+ 
++ stmt_len = ctx->stmt_len;
++ ctx->stmt_len = 0;
++
+ stmt = meta_stmt_meta_iiftype(&expr->location, type);
+ if (stmt_evaluate(ctx, stmt) < 0) {
+ return expr_error(ctx->msgs, expr,
+ "dependency statement is invalid");
+ }
+ *res = stmt;
++
++ ctx->stmt_len = stmt_len;
++
+ return 0;
+ }
+ 
+diff --git a/tests/py/inet/meta.t b/tests/py/inet/meta.t
+index 374738a7..5c062b39 100644
+--- a/tests/py/inet/meta.t
++++ b/tests/py/inet/meta.t
+@@ -25,3 +25,8 @@ meta mark set ct mark >> 8;ok
+ meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 };ok
+ ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 };ok
+ ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 0x00000200 };ok
++
++meta mark set ip dscp;ok
++meta mark set ip dscp | 0x40;ok
++meta mark set ip6 dscp;ok
++meta mark set ip6 dscp | 0x40;ok
+diff --git a/tests/py/inet/meta.t.json b/tests/py/inet/meta.t.json
+index 92a1f9bf..3ba0fd1d 100644
+--- a/tests/py/inet/meta.t.json
++++ b/tests/py/inet/meta.t.json
+@@ -440,3 +440,89 @@
+ }
+ ]
+ 
++# meta mark set ip dscp
++[
++ {
++ "mangle": {
++ "key": {
++ "meta": {
++ "key": "mark"
++ }
++ },
++ "value": {
++ "payload": {
++ "field": "dscp",
++ "protocol": "ip"
++ }
++ }
++ }
++ }
++]
++
++# meta mark set ip dscp | 0x40
++[
++ {
++ "mangle": {
++ "key": {
++ "meta": {
++ "key": "mark"
++ }
++ },
++ "value": {
++ "|": [
++ {
++ "payload": {
++ "field": "dscp",
++ "protocol": "ip"
++ }
++ },
++ 64
++ ]
++ }
++ }
++ }
++]
++
++# meta mark set ip6 dscp
++[
++ {
++ "mangle": {
++ "key": {
++ "meta": {
++ "key": "mark"
++ }
++ },
++ "value": {
++ "payload": {
++ "field": "dscp",
++ "protocol": "ip6"
++ }
++ }
++ }
++ }
++]
++
++# meta mark set ip6 dscp | 0x40
++[
++ {
++ "mangle": {
++ "key": {
++ "meta": {
++ "key": "mark"
++ }
++ },
++ "value": {
++ "|": [
++ {
++ "payload": {
++ "field": "dscp",
++ "protocol": "ip6"
++ }
++ },
++ 64
++ ]
++ }
++ }
++ }
++]
++
+diff --git a/tests/py/inet/meta.t.payload b/tests/py/inet/meta.t.payload
+index ea540907..c53b5077 100644
+--- a/tests/py/inet/meta.t.payload
++++ b/tests/py/inet/meta.t.payload
+@@ -133,3 +133,43 @@ inet test-inet input
+ [ meta load mark => reg 9 ]
+ [ lookup reg 1 set __set%d ]
+ 
++# meta mark set ip dscp
++inet test-inet input
++ [ meta load nfproto => reg 1 ]
++ [ cmp eq reg 1 0x00000002 ]
++ [ payload load 1b @ network header + 1 => reg 1 ]
++ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
++ [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
++ [ meta set mark with reg 1 ]
++
++# meta mark set ip dscp | 0x40
++inet test-inet input
++ [ meta load nfproto => reg 1 ]
++ [ cmp eq reg 1 0x00000002 ]
++ [ payload load 1b @ network header + 1 => reg 1 ]
++ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
++ [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
++ [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ]
++ [ meta set mark with reg 1 ]
++
++# meta mark set ip6 dscp
++inet test-inet input
++ [ meta load nfproto => reg 1 ]
++ [ cmp eq reg 1 0x0000000a ]
++ [ payload load 2b @ network header + 0 => reg 1 ]
++ [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
++ [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
++ [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
++ [ meta set mark with reg 1 ]
++
++# meta mark set ip6 dscp | 0x40
++inet test-inet input
++ [ meta load nfproto => reg 1 ]
++ [ cmp eq reg 1 0x0000000a ]
++ [ payload load 2b @ network header + 0 => reg 1 ]
++ [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
++ [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
++ [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
++ [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ]
++ [ meta set mark with reg 1 ]
++