Import Debian changes 1.0.32-1

tinc (1.0.32-1) unstable; urgency=medium * New upstream release. * Add a note to new nets.boot files that it is not used with systemd. Closes: #841052 * In the post-down script, read the pid file only once. Closes: #832784 * Explicitly use /bin/sleep from coreutils. Closes: #772379 * Bump Standards-Version.
2017-09-05 20:23:36 +02:00 · 2017-09-05 20:23:36 +02:00 · ac78971aab
commit ac78971aab
parent 2989322746 e0e55285b8
32 changed files with 446 additions and 571 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,9 +1,13 @@
-tinc (1.0.31-1+deb9u1) stretch-security; urgency=high
+tinc (1.0.32-1) unstable; urgency=medium

-  * Prevent oracle attacks (CVE-2018-16737, CVE-2018-16738).
-  * Prevent a MITM from forcing a NULL cipher for UDP (CVE-2018-16758).
+  * New upstream release.
+  * Add a note to new nets.boot files that it is not used with systemd.
+    Closes: #841052
+  * In the post-down script, read the pid file only once. Closes: #832784
+  * Explicitly use /bin/sleep from coreutils. Closes: #772379
+  * Bump Standards-Version.

- -- Guus Sliepen <guus@debian.org>  Sat, 22 Sep 2018 17:35:50 +0200
+ -- Guus Sliepen <guus@debian.org>  Tue, 05 Sep 2017 20:23:36 +0200

 tinc (1.0.31-1) unstable; urgency=medium

--- a/debian/control
+++ b/debian/control
@ -2,7 +2,7 @@ Source: tinc
 Section: net
 Priority: optional
 Maintainer: Guus Sliepen <guus@debian.org>
-Standards-Version: 3.9.8
+Standards-Version: 4.0.0
 Build-Depends: libssl-dev, debhelper (>= 10), gettext, texinfo, zlib1g-dev, liblzo2-dev, libvdeplug-dev, dh-systemd
 Homepage: http://www.tinc-vpn.org/

--- a/debian/patches/security-fixes
+++ b/debian/patches/security-fixes
@ -1,234 +0,0 @@
--- a/src/connection.h
-+++ b/src/connection.h
-@@ -42,7 +42,8 @@
- 	unsigned int decryptin:1;			/* 1 if we have to decrypt incoming traffic */
- 	unsigned int mst:1;				/* 1 if this connection is part of a minimum spanning tree */
- 	unsigned int proxy_passed:1;			/* 1 if we are connecting via a proxy and we have finished talking with it */
-	unsigned int unused:22;
-+	unsigned int tarpit:1;                          /* 1 if the connection should be added to the tarpit */
-+	unsigned int unused:21;
- } connection_status_t;
- 
- #include "edge.h"
--- a/src/net.c
-+++ b/src/net.c
-@@ -158,6 +158,22 @@
- 	return max;
- }
- 
-+/* Put a misbehaving connection in the tarpit */
-+void tarpit(int fd) {
-+	static int pits[10] = {-1, -1, -1, -1, -1, -1, -1, -1, -1, -1};
-+	static int next_pit = 0;
-+
-+	if(pits[next_pit] != -1) {
-+		closesocket(pits[next_pit]);
-+	}
-+
-+	pits[next_pit++] = fd;
-+
-+	if(next_pit >= sizeof pits / sizeof pits[0]) {
-+		next_pit = 0;
-+	}
-+}
-+
- /*
-   Terminate a connection:
-   - Close the socket
-@@ -178,8 +194,13 @@
- 	if(c->node)
- 		c->node->connection = NULL;
- 
-	if(c->socket)
-		closesocket(c->socket);
-+	if(c->socket) {
-+		if(c->status.tarpit) {
-+			tarpit(c->socket);
-+		} else {
-+			closesocket(c->socket);
-+		}
-+	}
- 
- 	if(c->edge) {
- 		if(!c->node) {
-@@ -266,6 +287,7 @@
- 					closesocket(c->socket);
- 					do_outgoing_connection(c);
- 				} else {
-+					c->status.tarpit = true;
- 					terminate_connection(c, false);
- 				}
- 			}
-@@ -345,6 +367,7 @@
- 
- 		if(FD_ISSET(c->socket, readset)) {
- 			if(!receive_meta(c)) {
-+				c->status.tarpit = true;
- 				terminate_connection(c, c->status.active);
- 				continue;
- 			}
--- a/src/net.h
-+++ b/src/net.h
-@@ -150,6 +150,7 @@
- extern bool read_rsa_public_key(struct connection_t *);
- extern void send_mtu_probe(struct node_t *);
- extern void load_all_subnets(void);
-+extern void tarpit(int fd);
- 
- #ifndef HAVE_MINGW
- #define closesocket(s) close(s)
--- a/src/net_socket.c
-+++ b/src/net_socket.c
-@@ -552,6 +552,9 @@
-   new connection
- */
- bool handle_new_meta_connection(int sock) {
-+	static const int max_accept_burst = 10;
-+	static int last_accept_burst;
-+	static int last_accept_time;
- 	connection_t *c;
- 	sockaddr_t sa;
- 	int fd;
-@@ -564,6 +567,22 @@
- 		return false;
- 	}
- 
-+	if(last_accept_time == now) {
-+		last_accept_burst++;
-+
-+		if(last_accept_burst >= max_accept_burst) {
-+			if(last_accept_burst == max_accept_burst) {
-+				ifdebug(CONNECTIONS) logger(LOG_WARNING, "Throttling incoming connections");
-+			}
-+
-+			tarpit(fd);
-+			return false;
-+		}
-+	} else {
-+		last_accept_burst = 0;
-+		last_accept_time = now;
-+	}
-+
- 	sockaddrunmap(&sa);
- 
- 	c = new_connection();
-@@ -585,7 +604,6 @@
- 	connection_add(c);
- 
- 	c->allow_request = ID;
-	send_id(c);
- 
- 	return true;
- }
--- a/src/protocol_auth.c
-+++ b/src/protocol_auth.c
-@@ -59,7 +59,7 @@
- 
- 	/* Check if identity is a valid name */
- 
-	if(!check_id(name)) {
-+	if(!check_id(name) || !strcmp(name, myself->name)) {
- 		logger(LOG_ERR, "Got bad %s from %s (%s): %s", "ID", c->name,
- 			   c->hostname, "invalid name");
- 		return false;
-@@ -91,6 +91,11 @@
- 		if(!c->config_tree)
- 			init_configuration(&c->config_tree);
- 		c->allow_request = ACK;
-+
-+		if(!c->outgoing) {
-+			send_id(c);
-+		}
-+
- 		return send_ack(c);
- 	}
- 
-@@ -110,6 +115,10 @@
- 
- 	c->allow_request = METAKEY;
- 
-+	if(!c->outgoing) {
-+		send_id(c);
-+	}
-+
- 	return send_metakey(c);
- }
- 
-@@ -292,7 +301,8 @@
- 		c->inbudget = byte_budget(c->incipher);
- 		c->status.decryptin = true;
- 	} else {
-		c->incipher = NULL;
-+		logger(LOG_ERR, "%s (%s) uses null cipher!", c->name, c->hostname);
-+		return false;
- 	}
- 
- 	c->inmaclength = maclength;
-@@ -310,7 +320,8 @@
- 			return false;
- 		}
- 	} else {
-		c->indigest = NULL;
-+		logger(LOG_ERR, "%s (%s) uses null digest!", c->name, c->hostname);
-+		return false;
- 	}
- 
- 	c->incompression = compression;
-@@ -384,7 +395,11 @@
- 
- 	/* Rest is done by send_chal_reply() */
- 
-	return send_chal_reply(c);
-+	if(c->outgoing) {
-+		return send_chal_reply(c);
-+	} else {
-+		return true;
-+	}
- }
- 
- bool send_chal_reply(connection_t *c) {
-@@ -482,6 +497,10 @@
- 
- 	c->allow_request = ACK;
- 
-+	if(!c->outgoing) {
-+		send_chal_reply(c);
-+	}
-+
- 	return send_ack(c);
- }
- 
--- a/src/protocol_edge.c
-+++ b/src/protocol_edge.c
-@@ -70,7 +70,7 @@
- 
- 	/* Check if names are valid */
- 
-	if(!check_id(from_name) || !check_id(to_name)) {
-+	if(!check_id(from_name) || !check_id(to_name) || !strcmp(from_name, to_name)) {
- 		logger(LOG_ERR, "Got bad %s from %s (%s): %s", "ADD_EDGE", c->name,
- 			   c->hostname, "invalid name");
- 		return false;
-@@ -192,7 +192,7 @@
- 
- 	/* Check if names are valid */
- 
-	if(!check_id(from_name) || !check_id(to_name)) {
-+	if(!check_id(from_name) || !check_id(to_name) || !strcmp(from_name, to_name)) {
- 		logger(LOG_ERR, "Got bad %s from %s (%s): %s", "DEL_EDGE", c->name,
- 			   c->hostname, "invalid name");
- 		return false;
--- a/src/protocol_key.c
-+++ b/src/protocol_key.c
-@@ -274,6 +274,11 @@
- 			return true;
- 		}
- 	} else {
-+		if(from->outkeylength != 1) {
-+			logger(LOG_ERR, "Node %s (%s) uses wrong keylength!", from->name, from->hostname);
-+			return true;
-+		}
-+
- 		from->outcipher = NULL;
- 	}
- 
--- a/debian/patches/series
+++ b/debian/patches/series
@ -1 +0,0 @@
-security-fixes
--- a/debian/postinst
+++ b/debian/postinst
@ -14,7 +14,8 @@ case "$1" in
 	fi; fi

 	if [ ! -e $NETSFILE ] ; then
-	    echo "## This file contains all names of the networks to be started on system startup." > $NETSFILE
+	    echo "## This file contains all names of the networks to be started on system startup when using sysvinit." > $NETSFILE
+	    echo "## If you are using systemd, use systemctl enable tinc@netname to enable individual networks." >> $NETSFILE
 	fi
    ;;

--- a/debian/tinc.if-post-down
+++ b/debian/tinc.if-post-down
@ -17,13 +17,15 @@ fi

 # Stop the tinc daemon

+read pid rest < $IF_TINC_PIDFILE 2>/dev/null
+
 /usr/sbin/tincd -n "$IF_TINC_NET" -k $EXTRA

 # Wait for it to shut down properly

-sleep 0.1
+/bin/sleep 0.1
 i=0;
-while [ -f $IF_TINC_PIDFILE ] && read pid rest < $IF_TINC_PIDFILE ; do
+while [ -f $IF_TINC_PIDFILE ] ; do
 	if [ ! -e "/proc/$pid" ] ; then
 		exit 0
 	fi
@ -32,7 +34,7 @@ while [ -f $IF_TINC_PIDFILE ] && read pid rest < $IF_TINC_PIDFILE ; do
 		echo 'Failed to stop tinc daemon!'
 		exit 1
 	fi
-	sleep 0.1
+	/bin/sleep 0.1
 	i=$(($i+1))
 done

--- a/debian/tinc.if-pre-up
+++ b/debian/tinc.if-pre-up
@ -43,14 +43,14 @@ test -n "$LIMITS" && setlimits $LIMITS

 # Wait for it to come up properly

-sleep 0.1
+/bin/sleep 0.1
 i=0;
 while [ ! -f $IF_TINC_PIDFILE ] ; do
 	if [ $i = '30' ] ; then
 		echo 'Failed to start tinc daemon!'
 		exit 1
 	fi
-	sleep 0.1
+	/bin/sleep 0.1
 	i=$(($i+1))
 done

@ -63,7 +63,7 @@ while read pid rest < $IF_TINC_PIDFILE ; do
 		echo 'Failed to start tinc daemon!'
 		exit 1
 	fi
-	sleep 0.1
+	/bin/sleep 0.1
 	i=$(($i+1))
 done

--- a/debian/tinc.init
+++ b/debian/tinc.init
@ -82,7 +82,7 @@ stop() {
  $DAEMON -n $1 -k || return

  i=0;
-  sleep 0.5
+  /bin/sleep 0.5

  # Wait for the pidfile to disappear
  while [ -f /var/run/tinc.$1.pid ]; do
@ -91,14 +91,14 @@ stop() {

    if [ $i = '10' ] ; then
      # It's still alive, kill it again and give up
-        $DAEMON -n $1 -k && sleep 0.5
+        $DAEMON -n $1 -k && /bin/sleep 0.5
      break
    else
      echo -n "."
      i=$(($i+1))
    fi

-    sleep 0.5
+    /bin/sleep 0.5
  done
 }