Accepting request 76496 from security:netfilter

- update to 2.0.10.1 * fix --among-dst-file, which translated to --among-src * Makefile: respect LDFLAGS during ebtables build * Makefile: create directories to avoid build failure when DESTDIR is supplied * incorporate fixes for possible issues found by Coverity analysis * extend ebt_ip6 to allow matching on ipv6-icmp types/codes * add --concurrent option, which enables using a file lock to support concurrent scripts updating the ebtables kernel tables - run spec-beautifier over specfile OBS-URL: https://build.opensuse.org/request/show/76496 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ebtables?expand=0&rev=19
2011-07-20 07:15:21 +00:00 · 2011-07-20 07:15:21 +00:00 · f2e44a0faa
commit f2e44a0faa
parent 074fbee07f 3257055edc
6 changed files with 150 additions and 54 deletions
--- a/ebtables-typepuns.diff
+++ b/ebtables-typepuns.diff
@ -0,0 +1,75 @@
+From: Jan Engelhardt <jengelh@medozas.de>
+Date: 2011-07-11 01:11 +0200
+
+libebt_among: fix undefined behavior on dereference of typepunned ptr
+
+extensions/ebt_among.c: In function ‘create_wormhash’:
+extensions/ebt_among.c:250:4: warning: dereferencing type-punned pointer will break strict-aliasing rules
+extensions/ebt_among.c:261:3: warning: dereferencing type-punned pointer will break strict-aliasing rules
+
+---
+ extensions/ebt_among.c |   18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+Index: ebtables-v2.0.10-1/extensions/ebt_among.c
+===================================================================
+--- ebtables-v2.0.10-1.orig/extensions/ebt_among.c
+++ ebtables-v2.0.10-1/extensions/ebt_among.c
+@@ -183,7 +183,7 @@ static struct ebt_mac_wormhash *create_w
+ 	char *endptr;
+ 	struct ebt_mac_wormhash *workcopy, *result, *h;
+ 	unsigned char mac[6];
+-	unsigned char ip[4];
+	uint32_t ip;
+ 	int nmacs = 0;
+ 	int i;
+ 	char token[4];
+@@ -222,16 +222,18 @@ static struct ebt_mac_wormhash *create_w
+ 			ebt_print_error("MAC parse error: %.20s", anchor);
+ 			return NULL;
+ 		}
+		ip = 0;
+ 		if (*pc == '=') {
+ 			/* an IP follows the MAC; collect similarly to MAC */
+ 			pc++;
+ 			anchor = pc;
+-			for (i = 0; i < 3; i++) {
+			for (i = 3; i > 0; --i) {
+ 				if (read_until(&pc, ".", token, 3) < 0 || token[0] == 0) {
+ 					ebt_print_error("IP parse error: %.20s", anchor);
+ 					return NULL;
+ 				}
+-				ip[i] = strtol(token, &endptr, 10);
+				/* 0xFF warrants using 8 - not CHAR_BIT. */
+				ip |= (strtoul(token, &endptr, 10) & 0xFF) << (8 * i);
+ 				if (*endptr) {
+ 					ebt_print_error("IP parse error: %.20s", anchor);
+ 					return NULL;
+@@ -242,23 +244,21 @@ static struct ebt_mac_wormhash *create_w
+ 				ebt_print_error("IP parse error: %.20s", anchor);
+ 				return NULL;
+ 			}
+-			ip[3] = strtol(token, &endptr, 10);
+			ip |= strtoul(token, &endptr, 10) & 0xFF;
+ 			if (*endptr) {
+ 				ebt_print_error("IP parse error: %.20s", anchor);
+ 				return NULL;
+ 			}
+-			if (*(uint32_t*)ip == 0) {
+			ip = htonl(ip);
+			if (ip == 0) {
+ 				ebt_print_error("Illegal IP 0.0.0.0");
+ 				return NULL;
+ 			}
+-		} else {
+-			/* no IP, we set it to 0.0.0.0 */
+-			memset(ip, 0, 4);
+ 		}
+ 
+ 		/* we have collected MAC and IP, so we add an entry */
+ 		memcpy(((char *) workcopy->pool[nmacs].cmp) + 2, mac, 6);
+-		workcopy->pool[nmacs].ip = *(const uint32_t *) ip;
+		workcopy->pool[nmacs].ip = ip;
+ 		nmacs++;
+ 
+ 		/* re-allocate memory if needed */
--- a/ebtables-v2.0.10-1.tar.xz
+++ b/ebtables-v2.0.10-1.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0cbc998b86997559ecef7e75ed3eaf45a4775cb63cf74e2f648d21d3a1125bce
+size 86072
--- a/ebtables-v2.0.8-makefile.diff
+++ b/ebtables-v2.0.8-makefile.diff
@ -1,32 +1,39 @@
+---
+ Makefile |   24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
 Index: Makefile
 ===================================================================
 --- Makefile.orig
 +++ Makefile
-@@ -154,28 +154,28 @@ tmp3:=$(shell printf $(PIPE) | sed 's/\/
- .PHONY: scripts
+@@ -157,31 +157,31 @@ tmp3:=$(shell printf $(PIPE) | sed 's/\/
 scripts: ebtables-save ebtables.sysv ebtables-config
 	cat ebtables-save | sed 's/__EXEC_PATH__/$(tmp1)/g' > ebtables-save_
+ 	mkdir -p $(DESTDIR)$(BINDIR)
 -	install -m 0755 -o root -g root ebtables-save_ $(DESTDIR)$(BINDIR)/ebtables-save
 +	install -m 0755 ebtables-save_ $(DESTDIR)$(BINDIR)/ebtables-save
 	cat ebtables.sysv | sed 's/__EXEC_PATH__/$(tmp1)/g' | sed 's/__SYSCONFIG__/$(tmp2)/g' > ebtables.sysv_
-	install -m 0755 -o root -g root ebtables.sysv_ $(DESTDIR)$(INITDIR)/ebtables
-+	install -m 0755 ebtables.sysv_ $(DESTDIR)$(INITDIR)/ebtables
+ 	if [ "$(DESTDIR)" != "" ]; then mkdir -p $(DESTDIR)$(INITDIR); fi
+-	if test -d $(DESTDIR)$(INITDIR); then install -m 0755 -o root -g root ebtables.sysv_ $(DESTDIR)$(INITDIR)/ebtables; fi
+	if test -d $(DESTDIR)$(INITDIR); then install -m 0755 ebtables.sysv_ $(DESTDIR)$(INITDIR)/ebtables; fi
 	cat ebtables-config | sed 's/__SYSCONFIG__/$(tmp2)/g' > ebtables-config_
-	install -m 0600 -o root -g root ebtables-config_ $(DESTDIR)$(SYSCONFIGDIR)/ebtables-config
-+	install -m 0600 ebtables-config_ $(DESTDIR)$(SYSCONFIGDIR)/ebtables-config
+ 	if [ "$(DESTDIR)" != "" ]; then mkdir -p $(DESTDIR)$(SYSCONFIGDIR); fi
+-	if test -d $(DESTDIR)$(SYSCONFIGDIR); then install -m 0600 -o root -g root ebtables-config_ $(DESTDIR)$(SYSCONFIGDIR)/ebtables-config; fi
+	if test -d $(DESTDIR)$(SYSCONFIGDIR); then install -m 0600 ebtables-config_ $(DESTDIR)$(SYSCONFIGDIR)/ebtables-config; fi
 	rm -f ebtables-save_ ebtables.sysv_ ebtables-config_
 
+ tmp4:=$(shell printf $(LOCKFILE) | sed 's/\//\\\//g')
 $(MANDIR)/man8/ebtables.8: ebtables.8
 	mkdir -p $(DESTDIR)$(@D)
- 	sed 's/$$(VERSION)/$(PROGVERSION)/' ebtables.8 | sed 's/$$(DATE)/$(PROGDATE)/' > ebtables.8_
+ 	sed -e 's/$$(VERSION)/$(PROGVERSION)/' -e 's/$$(DATE)/$(PROGDATE)/' -e 's/$$(LOCKFILE)/$(tmp4)/' ebtables.8 > ebtables.8_
 -	install -m 0644 -o root -g root ebtables.8_ $(DESTDIR)$@
 +	install -m 0644 ebtables.8_ $(DESTDIR)$@
 	rm -f ebtables.8_
 
- $(ETHERTYPESFILE): ethertypes
- 	mkdir -p $(DESTDIR)$(@D)
-	install -m 0644 -o root -g root $< $(DESTDIR)$@
-+	install -m 0644 $< $(DESTDIR)$@
+ $(DESTDIR)$(ETHERTYPESFILE): ethertypes
+ 	mkdir -p $(@D)
+-	install -m 0644 -o root -g root $< $@
+	install -m 0644 $< $@
 
 .PHONY: exec
 exec: ebtables ebtables-restore
@ -37,8 +44,8 @@ Index: Makefile
 +	install -m 0755 ebtables-restore $(DESTDIR)$(BINDIR)/ebtables-restore
 
 .PHONY: install
- install: $(MANDIR)/man8/ebtables.8 $(ETHERTYPESFILE) exec scripts
-@@ -199,18 +199,18 @@ release:
+ install: $(MANDIR)/man8/ebtables.8 $(DESTDIR)$(ETHERTYPESFILE) exec scripts
+@@ -205,18 +205,18 @@ release:
 	rm -f extensions/ebt_inat.c
 	rm -rf $(CVSDIRS)
 	mkdir -p include/linux/netfilter_bridge
--- a/ebtables-v2.0.9-2.tar.bz2
+++ b/ebtables-v2.0.9-2.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:10afe46cf12bb97dde83bd6dbf4c183b184d7183283f5897ed9178dd246c9b36
-size 83116
--- a/ebtables.changes
+++ b/ebtables.changes
@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Sun Jul 10 23:03:57 UTC 2011 - jengelh@medozas.de
+
+- update to 2.0.10.1
+* fix --among-dst-file, which translated to --among-src
+* Makefile: respect LDFLAGS during ebtables build
+* Makefile: create directories to avoid build failure when DESTDIR
+  is supplied
+* incorporate fixes for possible issues found by Coverity analysis
+* extend ebt_ip6 to allow matching on ipv6-icmp types/codes
+* add --concurrent option, which enables using a file lock to
+  support concurrent scripts updating the ebtables kernel tables
+- run spec-beautifier over specfile
+
 -------------------------------------------------------------------
 Mon Jun  6 11:18:31 UTC 2011 - puzel@novell.com

--- a/ebtables.spec
+++ b/ebtables.spec
@ -18,16 +18,18 @@


 Name:           ebtables
-Version:        v2.0.9.2
+Version:        2.0.10.1
 Release:        1
 License:        GPLv2
 Summary:        Ethernet Bridge Tables
-Url:            http://ebtables.sourceforge.net/
+URL:            http://ebtables.sf.net/
 Group:          Productivity/Networking/Security
-Source:         %{name}-v2.0.9-2.tar.bz2
-Patch0:         %{name}-v2.0.8-makefile.diff
-Patch1:         %{name}-v2.0.8-initscript.diff
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+Source:         %name-v2.0.10-1.tar.xz
+Patch0:         %name-v2.0.8-makefile.diff
+Patch1:         %name-v2.0.8-initscript.diff
+Patch2:		ebtables-typepuns.diff
+BuildRoot:      %_tmppath/%name-%version-build
+BuildRequires:	xz

 %description
 A firewalling tool to transparently filter network traffic passing a
@ -37,9 +39,10 @@ can be used together with the other Linux filtering tools, like
 iptables. There are no incompatibility issues.

 %prep
-%setup -q -n %{name}-v2.0.9-2
+%setup -q -n %name-v2.0.10-1
 %patch0
 %patch1
+%patch -P 2 -p1

 %build
 # The way ebtables is built requires ASNEEDED=0 forever [bnc#567267]
@ -52,32 +55,32 @@ rm -f include/linux/netfilter_bridge/*.h
 mv include/linux/netfilter_bridge/ebt_ip6.{h.save,h}
 mv include/linux/netfilter_bridge/ebt_nflog.{h.save,h}
 make \
-    CFLAGS="%{optflags}" \
-    CXXFLAGS="%{optflags}" \
-    LIBDIR=%{_libdir}/%{name} \
-    MANDIR=%{_mandir} \
-    BINDIR=%{_sbindir} \
-    ETCDIR=%{_sysconfdir} \
-    INITDIR=%{_sysconfdir}/init.d \
-    SYSCONFIGDIR=%{_sysconfdir}
+    CFLAGS="%optflags" \
+    CXXFLAGS="%optflags" \
+    LIBDIR=%_libdir/%name \
+    MANDIR=%_mandir \
+    BINDIR=%_sbindir \
+    ETCDIR=%_sysconfdir \
+    INITDIR=%_sysconfdir/init.d \
+    SYSCONFIGDIR=%_sysconfdir

 %install
 # The way ebtables is built requires ASNEEDED=0 forever [bnc#567267]
 export SUSE_ASNEEDED=0
-install -d -m 755 %{buildroot}%{_sbindir}
-install -d -m 755 %{buildroot}%{_sysconfdir}/init.d
+install -d -m 755 %buildroot%_sbindir
+install -d -m 755 %buildroot%_sysconfdir/init.d
 make \
-    DESTDIR=%{buildroot} \
-    LIBDIR=%{_libdir}/%{name} \
-    MANDIR=%{_mandir} \
-    BINDIR=%{_sbindir} \
-    ETCDIR=%{_sysconfdir} \
-    INITDIR=%{_sysconfdir}/init.d \
-    SYSCONFIGDIR=%{_sysconfdir} \
+    DESTDIR=%buildroot \
+    LIBDIR=%_libdir/%name \
+    MANDIR=%_mandir \
+    BINDIR=%_sbindir \
+    ETCDIR=%_sysconfdir \
+    INITDIR=%_sysconfdir/init.d \
+    SYSCONFIGDIR=%_sysconfdir \
    install
-ln -sf %{_sysconfdir}/init.d/ebtables %{buildroot}%{_sbindir}/rcebtables
+ln -sf %_sysconfdir/init.d/ebtables %buildroot%_sbindir/rcebtables
 # not used
-rm -f %{buildroot}%{_sysconfdir}/ebtables-config
+rm -f %buildroot%_sysconfdir/ebtables-config

 %post
 %fillup_and_insserv ebtables
@ -89,20 +92,17 @@ rm -f %{buildroot}%{_sysconfdir}/ebtables-config
 %restart_on_update ebtables
 %insserv_cleanup

-%clean
-rm -rf %{buildroot}
-
 %files
 %defattr(-,root,root)
 %doc COPYING ChangeLog
-%doc %{_mandir}/man8/ebtables.8*
-%config(noreplace) %{_sysconfdir}/ethertypes
-%{_sysconfdir}/init.d/ebtables
-%dir %{_libdir}/%{name}
-%{_libdir}/%{name}/*.so
-%{_sbindir}/ebtables
-%{_sbindir}/ebtables-restore
-%{_sbindir}/ebtables-save
-%{_sbindir}/rcebtables
+%doc %_mandir/man8/ebtables.8*
+%config(noreplace) %_sysconfdir/ethertypes
+%_sysconfdir/init.d/ebtables
+%dir %_libdir/%name
+%_libdir/%name/*.so
+%_sbindir/ebtables
+%_sbindir/ebtables-restore
+%_sbindir/ebtables-save
+%_sbindir/rcebtables

 %changelog