Paul's Blog Entries for March 2010

Monday 1st March 2010

Fedora Project

  • Updated libpng10 for Fedora 11 and 12 to 1.0.53 as this version has better resistance to decompression bombs

Local Packages

  • Updated moin to 1.9.2, fixing various security bugs including CVE-2010-0668 (major security issues in miscellaneous parts of moin) and CVE-2010-0669 (incomplete user profile input sanitizing)

  • Updated perl-MLDBM to 2.03, which resolves CPAN RT#54911 (test failure in t/storable_dbfile.t) but introduces a new build problem on old perls as a result of switching to a Module::Build-based installer; it's not at all obvious from the failure mode what the problem is:

  • $ perl Makefile.PL INSTALLDIRS=vendor
    Checking if your kit is complete...
    Looks good
    Writing Makefile for MLDBM
    $ make
    perl "-Iblib/arch" "-Iblib/lib" Build.PL Build
    Can't locate Module/Build.pm in @INC (@INC contains: blib/arch blib/lib /usr/lib/perl5/5.8.5/i386-linux-thread-multi /usr/lib/perl5/5.8.5 /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2 /usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2 /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl .) at Build.PL line 2.
    BEGIN failed--compilation aborted at Build.PL line 2.
  • However, as I've seen it before, I knew that this patch would resolve it:
  • --- MLDBM-2.03/Makefile.PL      2010-02-26 23:37:19.000000000 +0000
    +++ MLDBM-2.03/Makefile.PL      2010-03-01 12:40:11.469691866 +0000
    @@ -18,6 +18,7 @@
       BUILD_REQUIRES => {
         'Test::More' => 0,
       },
    +  'PL_FILES'  => {},
     );
     
     sub WriteMakefile1 {  #Written by Alexandr Ciornii, version 0.21. Added by eumm-upgrade.
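Review bot: the added 'PL_FILES'  => {}, entry has no comment saying why an empty hash is needed. The make output above shows Build.PL being run as a .PL script during make, so a one-line comment stating that the empty PL_FILES stops ExtUtils::MakeMaker from doing that would keep the line from being dropped in a later tidy-up. The key is also quoted while the neighbouring BUILD_REQUIRES key is bare; matching the surrounding style would read better.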
  • This looks like the problem described in CPAN RT#45111, but that should have been fixed in Module::Build 0.33 - MLDBM was built with Module::Build 0.36

  • Renamed libtidyp to tidyp (upstream name change) and made the package split like the tidy package, which of course it's a fork of

  • Rebuilt perl-Net-CIDR, perl-Net-CIDR-Lite, perl-Net-Server and perl-Number-Compare for perl 5.10.1 in devel branches

Tuesday 2nd March 2010

Local Packages

  • Updated java-1.6.0-sun to Sun Java 6 Update 18 (see SunJava6OnFedora)

  • Updated perl-DateTime to bump the included DateTime::TimeZone to version 1.11

  • Rebuilt perl-Package-Constants and perl-Pod-Escapes for perl 5.10.1 in devel branches

Wednesday 3rd March 2010

Fedora Project

  • The libpng10 upgrade to 1.0.53 has been assigned CVE-2010-0205 (libpng stalls on highly compressed ancillary chunks), so I changed the already-pending updates from Bugfix to Security

  • Took over ownership of the orphaned perl-RRD-Simple package and fixed the FTBFS bug #464964 (CPAN RT#46193) by dropping the buildreq on perl(Test::Deep) until such time as upstream produces a fix for the failing test t/32exported_function_interface.t; I also needed to patch some broken POD (CPAN RT#50868) to prevent the t/10pod.t test failing on recent distributions, and whilst I was at it, I fixed the versioned provide for perl(RRD::Simple) to use the real module version (1.44) instead of the svn revision number (1100), with this bit of spec-file hackery:

  • # Don't want provides/requires from %{_docdir}
    %global docfilt %{__perl} -p -e 's|%{_docdir}/%{name}-%{version}\\S+||'
    # RRD::Simple version should be from distribution version, not svn revision
    %global verfilt %{__perl} -pi -e 's/(perl\\(RRD::Simple\\) =) \\d+/\\1 %{version}/'
    # Apply provides/requires filters
    %global provfilt /bin/sh -c "%{docfilt} | %{__perl_provides} | %{verfilt}"
    %define __perl_provides %{provfilt}
    %global reqfilt /bin/sh -c "%{docfilt} | %{__perl_requires}"
    %define __perl_requires %{reqfilt}
  • The nice new package (first new Fedora build since F-9) also resolved Bug #569568, a request to update RRD::Simple to the current upstream release.

  • Updated perl-Tie-IxHash to 1.22 in Rawhide since I found the Fedora package was out of date when I came to import it into my local repository

Local Packages

  • New package perl-Tie-IxHash (1.22)

  • Updated perl-Sub-Exporter to add a manual dependency on perl(Exporter), used via a "use base Exporter" statement that rpm's auto-dependency checker doesn't spot

  • Updated perl-Sub-Install to reinstate the perl(Test::Perl::Critic) buildreq that I removed when importing the package from Fedora (I didn't have a Perl::Critic package at the time) and added buildreq perl(Test::Output), needed for tests on old distributions

  • Updated perl-XML-Simple to add buildreq perl-Tie-IxHash for improved test coverage

  • Rebuilt perl-Class-C3-XS, perl-File-Which, perl-Pod-Readme, perl-Socket6, perl-Sys-Hostname-Long, perl-Taint-Runtime, perl-Test-Distribution, perl-Test-HTML-Tidy, perl-Test-Object, perl-Test-Output and perl-Test-Pod-Coverage for perl 5.10.1 in devel branches

Thursday 4th March 2010

Fedora Project

  • Updated imlib in rawhide not to have a dependency on the /usr/share/aclocal directory, which is now included as part of the filesystem package (resolves Bug #533962)

  • Updated perl-Math-Pari to 2.01080604

Local Packages

  • Updated imlib to drop the %{_datadir}/aclocal dependency from the devel subpackage from Fedora 14, where this directory is part of the filesystem package (Bug #533962), drop the manual pkgconfig dependency from the devel package from Fedora 11, where this dependency is auto-detected, drop some of the %description text no longer appropriate for this legacy package, and don't self-obsolete Imlib and imlib-cfgeditor

  • Updated perl-Test-Prereq to buildreq perl(LWP::UserAgent) as the preferred download method for CPAN and update CPAN.conf to work with the current perl(CPAN) in Rawhide, which won't guess CPAN mirror URLs for itself

  • Updated the entire Twisted stack to version 10.0.0

  • Rebuilt perl-Test-SubCalls, perl-Test-Tester and perl-Text-Glob for perl 5.10.1 in devel branches

SELinux Policy Update

Today's update of selinux-policy to 3.6.32-92.fc12 proved to be a little more troublesome than usual. My "yum update" session went like this:

# yum update
updates-local                                                                      | 2.7 kB     00:00     
city-fan.org                                                                       | 2.7 kB     00:00 ... 
updates/metalink                                                                   |  21 kB     00:00     
updates                                                                            | 4.4 kB     00:00     
updates/primary_db                                                                 | 4.7 MB     00:10     
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package perl-Socket6.x86_64 0:0.23-4.fc12 set to be updated
---> Package selinux-policy.noarch 0:3.6.32-92.fc12 set to be updated
---> Package selinux-policy-targeted.noarch 0:3.6.32-92.fc12 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

===========================================================================================================
 Package                           Arch             Version                  Repository               Size
===========================================================================================================
Updating:
 perl-Socket6                      x86_64           0.23-4.fc12              city-fan.org             24 k
 selinux-policy                    noarch           3.6.32-92.fc12           updates-local           657 k
 selinux-policy-targeted           noarch           3.6.32-92.fc12           updates-local           2.0 M

Transaction Summary
===========================================================================================================
Install       0 Package(s)
Upgrade       3 Package(s)

Total download size: 2.7 M
Is this ok [y/N]: y
Downloading Packages:
(2/3): selinux-policy-3.6.32-92.fc12.noarch.rpm                                     | 657 kB     00:00     
(3/3): selinux-policy-targeted-3.6.32-92.fc12.noarch.rpm                            | 2.0 MB     00:00     
-----------------------------------------------------------------------------------------------------------
Total                                                                       13 MB/s | 2.7 MB     00:00     
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating       : selinux-policy-3.6.32-92.fc12.noarch                                               1/6 
  Updating       : perl-Socket6-0.23-4.fc12.x86_64                                                    2/6 
  Updating       : selinux-policy-targeted-3.6.32-92.fc12.noarch                                      3/6 
libsepol.print_missing_requirements: mcivta-site-update's global requirements were not met: type/attribute etcfile (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
  Cleanup        : selinux-policy-3.6.32-89.fc12.noarch                                               4/6 
  Cleanup        : perl-Socket6-0.23-3.fc12.x86_64                                                    5/6 
  Cleanup        : selinux-policy-targeted-3.6.32-89.fc12.noarch                                      6/6 

Updated:
  perl-Socket6.x86_64 0:0.23-4.fc12                     selinux-policy.noarch 0:3.6.32-92.fc12
  selinux-policy-targeted.noarch 0:3.6.32-92.fc12        

Complete!
#

The "Link packages failed" error meant that the new Fedora policy didn't link successfully with one or more of the existing policy modules on my system that weren't being replaced in the new version of the Fedora policy, i.e. in this case one of my local policy modules, mcivta-site-update. This is a module I wrote to support an application I have that does some unusual things like mounting a davfs filesystem, running an svn update, doing an rsync over the network and sending an email about results, all triggered using an inbound email in conjunction with procmail. The existing policy module I had included a reference to an attribute etcfile that was no longer included in the Fedora policy. The result of this failure: I was still running the old SELinux policy.

My immediate concern was to get the updated Fedora policy in place and then get my local policy module working again. So the first step was to remove the problematic module:

# semodule -r mcivta-site-update
libsepol.print_missing_requirements: localmisc's global requirements were not met: type/attribute mcivta_site_update_exec_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
#

Unfortunately, removing that module would have broken another one of my local policy modules, localmisc in this case, which had a requirement for one of the types defined in the mcivta-site-update module. So again the running SELinux policy was unchanged. In this case I didn't want to simply remove the localmisc policy module because that might have broken some running processes that needed rules defined in that module. So instead I edited localmisc.te to remove the reference to mcivta_site_update_exec_t, which was actually derived from a call to an interface mcivta_site_update_domtrans:

mcivta_site_update_domtrans(procmail_t)

This was defined in mcivta_site_update.if:

########################################
## <summary>
##      Execute a domain transition to run mcivta-site-update.
## </summary>
## <param name="domain">
## <summary>
##      Domain allowed to transition.
## </summary>
## </param>
#
interface(`mcivta_site_update_domtrans',`
        gen_require(`
                type mcivta_site_update_t, mcivta_site_update_exec_t;
        ')

        domain_auto_trans($1, mcivta_site_update_exec_t, mcivta_site_update_t)

        allow mcivta_site_update_t $1:fd use;
        allow mcivta_site_update_t $1:fifo_file rw_file_perms;
        allow mcivta_site_update_t $1:process sigchld;
')

So I rebuilt localmisc.pp, updated the running policy and was then able to remove the mcivta_site_update policy module:

# vi localmisc.te 
# make
Compiling targeted localmisc module
/usr/bin/checkmodule:  loading policy configuration from tmp/localmisc.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/localmisc.mod
Creating targeted localmisc.pp policy package
Compiling targeted mcivta-site-update-extras module
/usr/bin/checkmodule:  loading policy configuration from tmp/mcivta-site-update-extras.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/mcivta-site-update-extras.mod
Creating targeted mcivta-site-update-extras.pp policy package
Compiling targeted mcivta-site-update module
/usr/bin/checkmodule:  loading policy configuration from tmp/mcivta-site-update.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/mcivta-site-update.mod
Creating targeted mcivta-site-update.pp policy package
Compiling targeted svnmailer-extras module
/usr/bin/checkmodule:  loading policy configuration from tmp/svnmailer-extras.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/svnmailer-extras.mod
Creating targeted svnmailer-extras.pp policy package
Compiling targeted svnmailer module
/usr/bin/checkmodule:  loading policy configuration from tmp/svnmailer.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/svnmailer.mod
Creating targeted svnmailer.pp policy package
rm tmp/mcivta-site-update-extras.mod tmp/mcivta-site-update-extras.mod.fc tmp/mcivta-site-update.mod.fc tmp/svnmailer.mod.fc tmp/mcivta-site-update.mod tmp/svnmailer-extras.mod.fc tmp/svnmailer-extras.mod tmp/svnmailer.mod
# semodule -u localmisc.pp
# semodule -r mcivta-site-update.pp
#

I was now ready to try updating the Fedora policy again. I could do that by re-running the post-install script from the selinux-policy-targeted package, but that needs some careful copy-and-pasting as there's a lot in there, and a simpler method is just to reinstall the package itself:

# yum reinstall selinux-policy selinux-policy-targeted
Setting up Reinstall Process
updates-local                                                                      | 2.7 kB     00:00     
city-fan.org                                                                       | 2.7 kB     00:00 ... 
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy.noarch 0:3.6.32-92.fc12 set to be updated
---> Package selinux-policy-targeted.noarch 0:3.6.32-92.fc12 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================================
 Package                           Arch             Version                  Repository               Size
==========================================================================================================
Reinstalling:
 selinux-policy                    noarch           3.6.32-92.fc12           updates-local           657 k
 selinux-policy-targeted           noarch           3.6.32-92.fc12           updates-local           2.0 M

Transaction Summary
==========================================================================================================
Remove        0 Package(s)
Reinstall     2 Package(s)
Downgrade     0 Package(s)

Total download size: 2.6 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): selinux-policy-3.6.32-92.fc12.noarch.rpm                                     | 657 kB     00:00     
(2/2): selinux-policy-targeted-3.6.32-92.fc12.noarch.rpm                            | 2.0 MB     00:00     
-------------------------------------------------------------------------------------------------
Total                                                                       17 MB/s | 2.6 MB     00:00     
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : selinux-policy-3.6.32-92.fc12.noarch                                                1/2 
  Installing     : selinux-policy-targeted-3.6.32-92.fc12.noarch                                       2/2 
libsepol.print_missing_requirements: svnmailer's global requirements were not met: type/attribute etcfile (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!

Installed:
  selinux-policy.noarch 0:3.6.32-92.fc12          selinux-policy-targeted.noarch 0:3.6.32-92.fc12                             

Complete!
#

So, same problem again, only this time with the local svnmailer policy module. I could live without that one for a few minutes so I tried removing it:

# semodule -r svnmailer.pp
libsepol.print_missing_requirements: svnmailer-extras's global requirements were not met: type/attribute httpd_svnmailer_script_exec_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
#

There was a reference to httpd_svnmailer_script_exec_t (defined in the svnmailer policy module) in the svnmailer-extras policy module, so I had to remove that too:

# semodule -r svnmailer.pp svnmailer-extras.pp
#

I was now ready to try the Fedora policy again:

# yum reinstall selinux-policy selinux-policy-targeted
Setting up Reinstall Process
updates-local                                                                      | 2.7 kB     00:00     
city-fan.org                                                                       | 2.7 kB     00:00 ... 
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy.noarch 0:3.6.32-92.fc12 set to be updated
---> Package selinux-policy-targeted.noarch 0:3.6.32-92.fc12 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

===========================================================================================================
 Package                           Arch             Version                  Repository                Size
===========================================================================================================
Reinstalling:
 selinux-policy                    noarch           3.6.32-92.fc12           updates-local           657 k
 selinux-policy-targeted           noarch           3.6.32-92.fc12           updates-local           2.0 M

Transaction Summary
===========================================================================================================
Remove        0 Package(s)
Reinstall     2 Package(s)
Downgrade     0 Package(s)

Total download size: 2.6 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): selinux-policy-3.6.32-92.fc12.noarch.rpm                                     | 657 kB     00:00     
(2/2): selinux-policy-targeted-3.6.32-92.fc12.noarch.rpm                            | 2.0 MB     00:00     
-----------------------------------------------------------------------------------------------------------
Total                                                                       19 MB/s | 2.6 MB     00:00     
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : selinux-policy-3.6.32-92.fc12.noarch                                                1/2 
  Installing     : selinux-policy-targeted-3.6.32-92.fc12.noarch                                       2/2 

Installed:
  selinux-policy.noarch 0:3.6.32-92.fc12          selinux-policy-targeted.noarch 0:3.6.32-92.fc12                             

Complete!
#

Success at last! With the new Fedora policy in place, I could now attempt to rebuild my local policy modules and add them back into the running policy:

# rm *.pp
# make
Compiling targeted localmisc module
/usr/bin/checkmodule:  loading policy configuration from tmp/localmisc.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/localmisc.mod
Creating targeted localmisc.pp policy package
Compiling targeted mcivta-site-update-extras module
/usr/bin/checkmodule:  loading policy configuration from tmp/mcivta-site-update-extras.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/mcivta-site-update-extras.mod
Creating targeted mcivta-site-update-extras.pp policy package
Compiling targeted mcivta-site-update module
/usr/bin/checkmodule:  loading policy configuration from tmp/mcivta-site-update.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/mcivta-site-update.mod
Creating targeted mcivta-site-update.pp policy package
Compiling targeted svnmailer-extras module
/usr/bin/checkmodule:  loading policy configuration from tmp/svnmailer-extras.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/svnmailer-extras.mod
Creating targeted svnmailer-extras.pp policy package
Compiling targeted svnmailer module
/usr/bin/checkmodule:  loading policy configuration from tmp/svnmailer.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/svnmailer.mod
Creating targeted svnmailer.pp policy package
rm tmp/mcivta-site-update-extras.mod tmp/mcivta-site-update-extras.mod.fc tmp/mcivta-site-update.mod.fc tmp/svnmailer.mod.fc tmp/mcivta-site-update.mod tmp/svnmailer-extras.mod.fc tmp/svnmailer-extras.mod tmp/svnmailer.mod
# semodule -i mcivta-site-update.pp svnmailer-extras.pp svnmailer.pp
#

Since that worked without changing any policy module source, it was clear that the Fedora policy update had included an ABI change (removal of the etcfile attribute) though there was no API change, so the rebuild fixed the problem. One last step I needed was to add the mcivta_site_update_domtrans(procmail_t) line back into the localmisc policy and update the running policy:

# vi localmisc.te
# make
Compiling targeted localmisc module
/usr/bin/checkmodule:  loading policy configuration from tmp/localmisc.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/localmisc.mod
Creating targeted localmisc.pp policy package
# semodule -u localmisc.pp
#

And that was it, though not the two-minute job I'd expected it to be when I kicked off the yum update!
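The link failures in the transcripts above all use one message format, so sorting them into "rebuild against the new base policy" and "blocked by another local module" can be scripted. The following Python script is an added example, not part of the original post: the function names are hypothetical, and the DECLARED_BY map (which local module declares which type) is an assumption filled in by hand from what the post states.

```python
"""Triage libsepol link failures after a selinux-policy update (added example)."""
import re
from collections import defaultdict

# Error lines copied from the yum/semodule transcripts on this page.
SAMPLE_OUTPUT = """\
libsepol.print_missing_requirements: mcivta-site-update's global requirements were not met: type/attribute etcfile (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
libsepol.print_missing_requirements: localmisc's global requirements were not met: type/attribute mcivta_site_update_exec_t (No such file or directory).
libsepol.print_missing_requirements: svnmailer's global requirements were not met: type/attribute etcfile (No such file or directory).
libsepol.print_missing_requirements: svnmailer-extras's global requirements were not met: type/attribute httpd_svnmailer_script_exec_t (No such file or directory).
"""

# Assumption: types declared by local modules, entered by hand from the post.
DECLARED_BY = {
    "mcivta_site_update_exec_t": "mcivta-site-update",
    "httpd_svnmailer_script_exec_t": "svnmailer",
}

MISSING_RE = re.compile(
    r"libsepol\.print_missing_requirements: (?P<module>\S+)'s global "
    r"requirements were not met: type/attribute (?P<symbol>\S+) \("
)


def parse_link_failures(output):
    """Return [(module, missing_symbol), ...] in order of appearance."""
    return [(m.group("module"), m.group("symbol"))
            for m in MISSING_RE.finditer(output)]


def classify(failures, declared_by):
    """Split failures into two groups.

    rebuild:    module -> symbols that no local module declares, i.e. the
                symbol has gone from the base policy and the module must be
                recompiled against the new policy.
    depends_on: module -> local modules whose types it requires, so those
                providers cannot be removed while this module is installed.
    """
    rebuild = defaultdict(set)
    depends_on = defaultdict(set)
    for module, symbol in failures:
        provider = declared_by.get(symbol)
        if provider is None:
            rebuild[module].add(symbol)
        else:
            depends_on[module].add(provider)
    return dict(rebuild), dict(depends_on)


def removal_set(target, depends_on):
    """Modules to pass to a single `semodule -r`: target first, then every
    module that requires it, directly or through another dependent.
    The alternative used for localmisc in the post is to edit the dependent
    so that it no longer references the target's types.
    """
    dependents = defaultdict(set)
    for module, providers in depends_on.items():
        for provider in providers:
            dependents[provider].add(module)
    order, visited, stack = [], {target}, [target]
    while stack:
        current = stack.pop()
        order.append(current)
        for dep in sorted(dependents.get(current, ())):
            if dep not in visited:
                visited.add(dep)
                stack.append(dep)
    return order


if __name__ == "__main__":
    found = parse_link_failures(SAMPLE_OUTPUT)
    to_rebuild, deps = classify(found, DECLARED_BY)
    for module, symbols in sorted(to_rebuild.items()):
        print("rebuild %s (base policy no longer has: %s)"
              % (module, ", ".join(sorted(symbols))))
        print("  remove together: %s" % " ".join(removal_set(module, deps)))
```
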

Friday 5th March 2010

Local Packages

  • Updated c-ares to merge a patch from Fedora allowing usage of IPv6 nameservers

  • Updated perl-Term-ReadLine-Gnu to make the requires/provides filters simpler and more generic...

  • # Don't "provide" private Perl libs, and filter out docfile dependencies
    %global _use_internal_dependency_generator 0
    %global docfilt %{__perl} -p -e 's|%{_docdir}/%{name}-%{version}\\S+||'
    %global so_filt %{__grep} -v '%{perl_vendorarch}/.*\\.so$'
    %global __deploop() while read FILE; do /usr/lib/rpm/rpmdeps -%{1} ${FILE}; done | /bin/sort -u
    %global __find_provides /bin/sh -c "%{so_filt} | %{__deploop P}"
    %global __find_requires /bin/sh -c "%{docfilt} | %{__deploop R}"
  • ... and kill bogus RPATHs for distros prior to Fedora 2:
  • %build
    %{__perl} Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}"
    # Kludge to remove rpaths (needed for distros < FC2)
    %{__perl} -pi -e 's/^\tLD_RUN_PATH=[^\s]+\s*/\t/' Makefile
    %{__make} %{?_smp_mflags}
  • Updated sendmail to use noreplace for the SASL configuration file, use %ghost instead of explicit provides for alternatives targets (as per Packaging:Alternatives), and drop ownership of directory %{_sysconfdir}/NetworkManager/dispatcher.d/ in Fedora 9 onwards since the initscripts package owns that directory

  • Rebuilt perl-HTML-SimpleLinkExtor, perl-Mail-SPF, perl-Mail-SRS, perl-Test-File, perl-Text-Template, perl-Tree-DAG_Node, perl-Unicode-MapUTF8, perl-Unix-Syslog, perl-WeakRef and perl-XML-SAX for perl 5.10.1 in devel branches

Monday 8th March 2010

Fedora Project

  • Updated gtkwave to 3.3.4 in devel branches

Local Packages

  • Updated c-ares to change the IPv6 nameserver patch according to upstream changes (upstream revisions 1199, 1201, 1202)

  • Updated gtkwave to 3.3.4

  • Updated perl-DateTime to update DateTime::TimeZone to 1.13, based on version 2010e of the Olson database (changes for Bangladesh, Fiji, Samoa, and Chile)

  • Updated perl-FreezeThaw to 0.50 (support RE's of 5.11 and later, but not yet reblessed ones)

  • Updated perl-MLDBM to 2.04 (fix for old EU::MM, basically my patch); drop upstreamed patch

  • Rebuilt perl-Sendmail-AccessDB for perl 5.10.1 in devel branches, completing my mass rebuild for Fedora 13; I found that I needed a hacked version of sendmail to get it to build with db 4.8.x in the devel branches due to Bug #556148 but I wasn't happy enough with my patch to do an update of sendmail itself - hopefully this will be resolved upstream soon

Tuesday 9th March 2010

Local Packages

  • Updated dovecot to 1.2.11

    • mbox: message header reading was unnecessarily slow and CPU-intensive
    • mbox, dbox, cydir: fix mail root directory permissions
    • maildir: reading uidlist could have ended up in an infinite loop

    • IMAP IDLE: v1.2.7+ caused extra load by checking changes too often
  • Updated perl-Moose to 0.99, dropping the upstreamed NoTabs patch and updating the old Test::More and old Scalar::Utils patches

    • new method find_type_for in Moose::Meta::TypeConstraint::Union

    • fixed DEMOLISH methods for mutable subclasses of immutable classes

    • added Moose::Manual::Support documentation

Wednesday 10th March 2010

Avensis Repair

My 2007 Avensis (2 litre diesel) has been making a low vibrating noise at around 1,800rpm for a month or two now. I had it in under warranty last month and had some work done on the flywheel, as the technician had felt some vibration and identified one or more loose bearings. This didn't actually fix the problem I'd reported though, so this time a technician came out on the road with me for a few minutes to see if he could figure out what the problem was. He quickly came to the conclusion that the air intake filter was vibrating against the car body and it was that that was amplifying the sound and making the noise. After replacing the insulation around the filter, the problem was quickly resolved.

Local Packages

  • Updated perl-ExtUtils-ParseXS to 2.2204 (downgraded warnings on using INCLUDE with a command from "deprecated" to "discouraged" and limited it to the case where the command includes "perl")

  • Updated perl-Test-Pod to 1.42

Thursday 11th March 2010

Local Packages

  • Updated perl-ExtUtils-ParseXS to 2.2205 (don't ship with Build.PL, avoiding circular dependency)

Fedora Project

  • Updated perl-Test-Pod to 1.42 in Rawhide

  • Removed the POD patch from perl-RRD-Simple in Rawhide as it's only needed with Test::Pod 1.40

  • Rebuilt perl-XML-LibXSLT in Rawhide for gdbm soname bump

  • Added macro definitions for Compress_Raw_Zlib_version, IO_Compress_Base_version and IO_Compress_Zlib_version back into perl in Rawhide, so we don't end up with:

  • Wrote: /builddir/build/RPMS/perl-Compress-Raw-Zlib-%{Compress_Raw_Zlib_version}-114.fc14.i686.rpm
    Wrote: /builddir/build/RPMS/perl-IO-Compress-Base-%{IO_Compress_Base_version}-114.fc14.i686.rpm
    Wrote: /builddir/build/RPMS/perl-IO-Compress-Zlib-%{IO_Compress_Zlib_version}-114.fc14.i686.rpm

Friday 12th March 2010

Local Packages

  • Rebuilt dovecot to track the Fedora version, which didn't have bzip2 support (Bug #572797); this was not a problem with my package

Saturday 13th March 2010

Fedora Project

Local Packages

  • Updated perl-Sendmail-PMilter to 0.98 as per Fedora

Sunday 14th March 2010

Local Packages

  • Updated perl-BerkeleyDB to 0.42 (added $db->Env method to retrieve environment object from a database object; get the tied interface to use truncate in the CLEAR method if available)

  • Updated perl-DateTime-Format-Builder to 0.80 (clean up tests), bumping epoch since upstream promises to stick to 2 digits after the decimal point from now on; the signature test is dropped upstream, so the package was considerably simplified since I was having to take extra steps to ensure it passed

Monday 15th March 2010

Local Packages

  • Updated libxml2 to 2.7.7 (fix serious trouble with zlib >= 1.2.4, add option --xpath to xmllint, various HTML parser improvements, a number of bug fixes)

  • Updated perl-DateTime to 0.54; this was quite a big change as, in addition to updating the UTF8 patch, I needed to add a large new patch to support builds with Test::More prior to 0.88 (I merged the patch for building with Scalar::Util prior to 1.10 into this patch too), and I split DateTime::Locale and DateTime::TimeZone into their own subpackages but enforced strict dependencies to make sure that all packages are pulled in together as if the bundling was still there - this makes it easier for users to find the DateTime::Locale and DateTime::TimeZone packages without breaking things (I've seen searches for these packages in the server logs)

  • Updated ppp to merge Fedora usepeerdns-var_run_ppp_resolv patch into change_resolv_conf patch; I still keep a local version of this patch for old distributions for which we don't apply the change_resolv_conf patch

  • Updated unrar to 3.9.10

Tuesday 16th March 2010

Local Packages

  • Updated perl-DateTime to update DateTime to 0.55 (get all tests passing on 5.6.2), dropping the patch for perl 5.8.0 as the issue was fixed upstream

  • Updated perl-XML-NamespaceSupport to 1.11 (re-generate the META.yml)

Wednesday 17th March 2010

Local Packages

  • Updated perl-ExtUtils-CBuilder to 0.2703 (fixed tests for Windows and MSVC)

  • Updated perl-IO-Socket-SSL to 1.33 (attempt to make t/memleak_bad_handshake.t more stable, fix hostname checking to only check an IP against subjectAltName GEN_IPADD)

Fedora Project

  • Updated perl-IO-Socket-SSL to 1.33 in devel branches, as per local package

Thursday 18th March 2010

Local Packages

  • Updated perl-Params-Util to 1.01 (fixed can_cc() bug in Makefile.PL - CPAN RT#55668)

Friday 19th March 2010

Local Packages

  • Updated perl-Data-Section to 0.100770 (__END__ now ends the whole data section - ignore_end may come someday; empty data lines between __DATA__ and first section are ignored)

  • Updated perl-IO-Socket-INET6 to 2.58 (fix for OpenBSD getaddrinfo() - CPAN RT#54656); I had to patch the distribution to get it to build on perl < 5.10.0:

  • --- IO-Socket-INET6-2.58/lib/IO/Socket/INET6.pm 2010-03-18 12:05:48.000000000 +0000
    +++ IO-Socket-INET6-2.58/lib/IO/Socket/INET6.pm 2010-03-19 10:28:31.916244865 +0000
    @@ -229,9 +229,9 @@
                     return _error($sock, $!, "sockopt: $!");
             }
     
    -        if( $family == AF_INET 
    -            ? (sockaddr_in($lres))[1] ne INADDR_ANY 
    -            : (sockaddr_in6($lres))[1] ne in6addr_any ) {
    +        if( ( $family == AF_INET )
    +            ? ((sockaddr_in($lres))[1] ne INADDR_ANY)
    +            : ((sockaddr_in6($lres))[1] ne in6addr_any) ) {
                 $sock->bind($lres) or
                     return _error($sock, $!, "bind: $!");
             }
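Review bot: the added parentheses in the `if( ( $family == AF_INET )` condition carry no comment saying why they are needed, so a later tidy-up could strip them as redundant and bring back the build failure on perl < 5.10.0. Put a one-line comment above the condition noting that each operand of the ternary is parenthesised to keep older parsers from reading the `?` as the start of a `??` string, which is what the "runaway multi-line ?? string starting on line 233" diagnostic points at.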
    
  • Without the patch, the test suite failed like this:
  • Possible unintended interpolation of @sa_in6 in string at /home/david/cpantesting/perl-5.8.9/.cpan/build/IO-Socket-INET6-2.58-FEw65u/blib/lib/IO/Socket/INET6.pm line 233.
    Possible unintended interpolation of @sa_in6 in string at /home/david/cpantesting/perl-5.8.9/.cpan/build/IO-Socket-INET6-2.58-FEw65u/blib/lib/IO/Socket/INET6.pm line 233.
    Variable "$new" is not imported at /home/david/cpantesting/perl-5.8.9/.cpan/build/IO-Socket-INET6-2.58-FEw65u/blib/lib/IO/Socket/INET6.pm line 233.
            (Did you mean &new instead?)
    Variable "$new" is not imported at /home/david/cpantesting/perl-5.8.9/.cpan/build/IO-Socket-INET6-2.58-FEw65u/blib/lib/IO/Socket/INET6.pm line 233.
            (Did you mean &new instead?)
    Variable "$new" is not imported at /home/david/cpantesting/perl-5.8.9/.cpan/build/IO-Socket-INET6-2.58-FEw65u/blib/lib/IO/Socket/INET6.pm line 233.
            (Did you mean &new instead?)
    Variable "$new" is not imported at /home/david/cpantesting/perl-5.8.9/.cpan/build/IO-Socket-INET6-2.58-FEw65u/blib/lib/IO/Socket/INET6.pm line 233.
            (Did you mean &new instead?)
    Variable "$new" is not imported at /home/david/cpantesting/perl-5.8.9/.cpan/build/IO-Socket-INET6-2.58-FEw65u/blib/lib/IO/Socket/INET6.pm line 233.
            (Did you mean &new instead?)
    Global symbol "@sa_in6" requires explicit package name at /home/david/cpantesting/perl-5.8.9/.cpan/build/IO-Socket-INET6-2.58-FEw65u/blib/lib/IO/Socket/INET6.pm line 233.
    Global symbol "@sa_in6" requires explicit package name at /home/david/cpantesting/perl-5.8.9/.cpan/build/IO-Socket-INET6-2.58-FEw65u/blib/lib/IO/Socket/INET6.pm line 233.
    Global symbol "@sa_in6" requires explicit package name at /home/david/cpantesting/perl-5.8.9/.cpan/build/IO-Socket-INET6-2.58-FEw65u/blib/lib/IO/Socket/INET6.pm line 233.
    Global symbol "@sa_in6" requires explicit package name at /home/david/cpantesting/perl-5.8.9/.cpan/build/IO-Socket-INET6-2.58-FEw65u/blib/lib/IO/Socket/INET6.pm line 233.
    Global symbol "$new" requires explicit package name at /home/david/cpantesting/perl-5.8.9/.cpan/build/IO-Socket-INET6-2.58-FEw65u/blib/lib/IO/Socket/INET6.pm line 233.
    Global symbol "$peer" requires explicit package name at /home/david/cpantesting/perl-5.8.9/.cpan/build/IO-Socket-INET6-2.58-FEw65u/blib/lib/IO/Socket/INET6.pm line 233.
    Global symbol "$new" requires explicit package name at /home/david/cpantesting/perl-5.8.9/.cpan/build/IO-Socket-INET6-2.58-FEw65u/blib/lib/IO/Socket/INET6.pm line 233.
    Global symbol "$new" requires explicit package name at /home/david/cpantesting/perl-5.8.9/.cpan/build/IO-Socket-INET6-2.58-FEw65u/blib/lib/IO/Socket/INET6.pm line 233.
    Global symbol "$new" requires explicit package name at /home/david/cpantesting/perl-5.8.9/.cpan/build/IO-Socket-INET6-2.58-FEw65u/blib/lib/IO/Socket/INET6.pm line 233.
    Global symbol "$new" requires explicit package name at /home/david/cpantesting/perl-5.8.9/.cpan/build/IO-Socket-INET6-2.58-FEw65u/blib/lib/IO/Socket/INET6.pm line 233.
    syntax error at /home/david/cpantesting/perl-5.8.9/.cpan/build/IO-Socket-INET6-2.58-FEw65u/blib/lib/IO/Socket/INET6.pm line 299, near "return wantarray ? ("
      (Might be a runaway multi-line ?? string starting on line 233)
    /home/david/cpantesting/perl-5.8.9/.cpan/build/IO-Socket-INET6-2.58-FEw65u/blib/lib/IO/Socket/INET6.pm has too many errors.

Saturday 20th March 2010

Local Packages

  • New package Judy (1.05), a memory-efficient dynamic array library that will be used by gtkwave

  • Updated gtkwave to 3.3.5, adding Judy-devel buildreq for improved memory efficiency

  • Updated perl-IO-Socket-INET6 to 2.59 (my fix from yesterday for older perl versions was merged)

Sunday 21st March 2010

Fedora Project

  • Updated gtkwave in Rawhide to 3.3.5 as per yesterday's local package update; I restricted this one to Rawhide because it includes the new Judy support, which is not enabled by default upstream

Local Packages

  • Updated curl to include patch from Fedora to throw CURLE_SSL_CERTPROBLEM in case peer rejects a certificate (Bug #565972), drop no-longer-needed libidn-devel dependency from libcurl-devel package and handle the move of kerberos installation prefix in krb5 >= 1.8 as found in Rawhide

  • Updated perl-DateTime to update DateTime::Locale to 0.45, dropping the now-redundant perl(Class::ISA) buildreq

  • Updated perl-DateTime-Format-Strptime to 1.2000 (updated to use non-deprecated DateTime::Locale API)

Monday 22nd March 2010

Fedora Project

Finally created an update for the spamass-milter remote root arbitrary code vulnerability (CVE-2010-1132, Bug #572117, Bug #572119, Upstream Bug #29136). The update includes upstream's preliminary patch for the issue, which replaces the use of popen() (a function that spawns a shell to do most of its work, and hence requires careful sanitization of its input) with a new function popenv(), which has arguments similar to execv(), doesn't spawn a shell and doesn't need its input sanitizing. This preliminary patch appeared on 10th March and I tested it successfully by the 16th but nothing further has happened upstream since then. Debian issued a patched release on the 17th based on this patch. I have also reworked another patch already in the Fedora package to resolve Bug #532266 (bogus log messages about missing macros in the MTA configuration) and included that fix in this update.

Some notes on the vulnerability itself:

  • The milter is only vulnerable if used with the -x option to expand aliases and virtual users prior to passing recipient addresses to SpamAssassin

  • The -x option is not enabled by default in the Fedora package

  • Use of the -x option in Fedora requires that the milter runs as root, at least with Sendmail as the MTA; this is not the case in the Debian package because their Sendmail packages deviate from the recommendations in the upstream sendmail/SECURITY documentation regarding directory ownership and permissions for the mail queues

  • The Fedora spamass-milter initscript would need to be edited to be able to get the milter to run as root as the existing version is hard-coded to run as user sa-milt

  • The sample exploits mentioned in the original vulnerability report and lwn.net could work with Postfix as the MTA but Sendmail would reject these "addresses" prior to them reaching the milter with a "Cannot mail directly to programs" error; it is of course trivially easy to construct a variant that would work with Sendmail too - I'm not suggesting that Sendmail is any less vulnerable here

  • The vulnerability is much more difficult to exploit if the mail server is running SELinux enforcing (which it is by default in Fedora) because the milter is tightly constrained by SELinux policy; for instance, it cannot write files to /tmp and it cannot create outbound network connections to fetch an attacker's code; once the update is fully released, I will be able to tighten the policy further to prevent the milter executing a shell, as this was only needed because of the use of the popen() function

  • The vulnerability is almost identical to one affecting ClamAV in 2007 (CVE-2007-4560)

Since it's possible that users might actually want to use the -x option, the updated package allows a setting in /etc/sysconfig/spamass-milter to get the milter to run as root now, with that option off by default and discouraged from a security perspective in a comment in that file.
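The difference between the popen() approach and an execv()-style replacement, as described above, shown as an added example (this is not upstream's popenv() or any code from the spamass-milter patch). The names `run_via_shell`, `run_via_argv`, `drain` and `SAMPLE_RCPT` are hypothetical, and `/bin/echo` is assumed to exist and stands in for the helper program the milter runs.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample: a "recipient" carrying a shell metacharacter. */
static const char *SAMPLE_RCPT = "user@example.com; echo SHELL-RAN";

/* Count output lines; copy the first line, without its newline, to first. */
static int drain(FILE *fp, char *first, size_t n) {
    char buf[512]; int lines = 0;
    first[0] = '\0';
    while (fgets(buf, sizeof buf, fp))
        if (lines++ == 0) snprintf(first, n, "%.*s", (int)strcspn(buf, "\n"), buf);
    return lines;
}

/* popen() style: the address is pasted into a command line that /bin/sh parses. */
int run_via_shell(const char *rcpt, char *first, size_t n) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "/bin/echo %s", rcpt);
    FILE *fp = popen(cmd, "r");
    if (!fp) return -1;
    int lines = drain(fp, first, n);
    pclose(fp);
    return lines;
}

/* execv() style: fork, wire stdout to a pipe, exec the program directly. */
int run_via_argv(const char *rcpt, char *first, size_t n) {
    int fd[2];
    char *const argv[] = { "/bin/echo", (char *)rcpt, NULL };
    if (pipe(fd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {                       /* child: no shell is involved */
        dup2(fd[1], STDOUT_FILENO); close(fd[0]); close(fd[1]);
        execv(argv[0], argv);             /* rcpt arrives as one argv element */
        _exit(127);
    }
    close(fd[1]);
    FILE *fp = fdopen(fd[0], "r");
    if (!fp) { close(fd[0]); waitpid(pid, NULL, 0); return -1; }
    int lines = drain(fp, first, n);
    fclose(fp);
    waitpid(pid, NULL, 0);
    return lines;
}
```

With the shell in the path the sample produces two lines of output because the text after the `;` runs as a second command; with the argv form the whole string is echoed back as a single argument, which is also why the milter no longer needs permission to execute a shell.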

Local Packages

  • Updated perl-Exception-Class to 1.30 (add ability to create lightweight exceptions - CPAN RT#54826); as with other modules by Dave Rolsky, I now need to patch the test suite to get it to work on older distributions with Test::More < 0.88 due to the use of done_testing(), though at least I was able to drop the patch fixing the Makefile.PL in the previous version due to the use of a broken Module::Build::Compat to generate it. I also added buildreqs perl(Test::Spelling) and aspell-en for the spelling test and added a patch to add the missing words CPAN and Rolsky to the stopwords list.

  • Updated spamass-milter as per the Fedora package

Tuesday 23rd March 2010

Local Packages

  • Updated c-ares to 1.7.1 (added IPv6 name servers support), dropping the upstreamed IPv6 nameserver patch

  • Updated dovecot to drop bzip-ped mbox support, which is broken and upstream does not plan to fix it in dovecot 1.2.x

  • Updated perl-DateTime to update DateTime::TimeZone to 1.14, based on version 2010f of the Olson database (changes for Antarctica, Syria, and Samoa)

Wednesday 24th March 2010

Local Packages

  • Updated perl-Module-Signature to 0.62 (change default keyserver from pgp.mit.edu to pool.sks-keyservers.net)

  • Updated curl to fix missing quote in libcurl.m4 (Bug #576252)

  • Updated spamass-milter to fix compiler warnings, clean up and rebase patches to make them more upstreamable, further fix the Received-header patch to add a missing semicolon, and then I submitted the patches upstream

Thursday 25th March 2010

Local Packages

  • Updated perl-IO-Socket-INET6 to 2.61

    • Fix the inet_pton/inet_ntop import warnings (CPAN RT#55901)

    • Fix listening on :: or 0.0.0.0 (CPAN RT#54656)

    • Add test listen_port_only.t

  • Updated perl-IPC-Run to 0.86

    • Remove use UNIVERSAL (CPAN RT#51509)

    • Fix POD for Win32Helper (CPAN RT#51695)

    • Better PATHEXT logic in case cmd_name contains periods (CPAN RT#50739)

    • Enhance tests for run.t for better diagnostics (CPAN RT#47630)

    • Add all files to subversion for easier releases
    • Bump version on all files to 0.86

Fedora Project

  • Updated all of the spamass-milter builds as per yesterday's local update; I think the fix to the Received-header generation is worth it

Friday 26th March 2010

Local Packages

  • Updated perl-Class-MOP to 1.00 (fix typo in Class::MOP::Attribute); I also run the author tests during the build now

  • Updated perl-Moose to 1.00 (Moose::Meta::Attribute::Native::Trait::Code no longer creates reader methods by default; improve various parts of the documentation and fix many typos), and then to 1.01 (the handles option now also accepts a role type constraint in addition to a plain role name)

  • Updated perl-Net-CIDR-Lite to 0.21:

  • Updated perl-Scope-Guard to 0.11 (add guard() and scope_guard(); documentation tweak) and then 0.12 (fix link in README)

Sunday 28th March 2010

Local Packages

  • Updated perl-Compress-Raw-Bzip2 to 2.025 (documented the unused "verbosity" option in Compress::Raw::Bunzip2::new - CPAN RT#54425)

  • Updated perl-Compress-Raw-Zlib to 2.025 (updated to include zlib 1.2.4 and to allow the zlib version check to be disabled - CPAN RT#54510); we now need to build with the bundled zlib unless we have zlib ≥ 1.2.4

  • Updated perl-IO-Compress to 2.025 (document the Name option in IO::Uncompress::Unzip, allow the zlib version check to be disabled - CPAN RT#54510)

  • Updated perl-Module-Signature to 0.63 (fix diagnostic message from Makefile.PL when the user doesn't have gnupg or Crypt::OpenPGP)

Tuesday 30th March 2010

Fedora Project

Local Packages

  • Created packages for dovecot 2.0.beta4, though I've not included them in the repository yet apart from the development release since the Fedora version is also at 2.0.beta4 in Rawhide; the new package doesn't include the ancient documentation on migrating from UW IMAP server, and it leaves the generation of Diffie-Hellman parameters to the server rather than doing it in %post; I also found that I needed some additional SELinux policy to get it working in Fedora 12

  • Updated perl-DateTime to update DateTime::TimeZone to 1.15, based on version 2010g of the Olson database (changes for Bangladesh, Palestine, and Russia)

  • Updated perl-IPC-Run to 0.87:

    • Add doc type fixes (CPAN RT#56030)

    • Remove recommends for AUTHOR only modules
    • Add pod_coverage and simplify pod test

    • Document previously undocumented public subroutines with TODO

    • Explicitly recommend IO::Pty version number 1.08

Wednesday 31st March 2010

Local Packages

  • Updated perl-IPC-Run to 0.88

    • Missed dangling isa in IPC::Run::Debug

    • Fix retry for read of filehandle when getting "Resource temporarily unavailable"
    • Fix POD indentation in IO.pm

  • Updated sendmail to build with compatdb-4.7.25 for Fedora 13 onwards due to incompatibility of Berkeley DB 4.8.x (Bug #556148)
