
Bug#939890: buster-pu: package rpcbind/1.2.5-0.3+deb10u1



Hi,

I've included the recommended changes for the fix:

rpcbind (1.2.5-0.3+deb10u1) buster; urgency=medium

  * Add 00-rmt-calls.patch (Closes: #939877):
    + Add command line option to enable remote calls at runtime
    + Refresh debian/patches
  * debian/control: Update maintainer information
  * Add debian/README.debian explaining remote calls activation for
    Debian systems
  * Add debian/NEWS

$ debdiff rpcbind_1.2.5-0.3.dsc rpcbind_1.2.5-0.3+deb10u1.dsc | diffstat

 NEWS                                            |   12 ++
 README.debian                                   |   11 ++
 changelog                                       |   12 ++
 control                                         |    2 
 patches/00-rmt-calls.patch                      |  118
++++++++++++++++++++++++
 patches/02-manpages.patch                       |    4 
 patches/03-563971-warmstart-error-msg.patch     |   14 +-
 patches/04-610718-non-linux.patch               |    2 
 patches/rpcinfo-Fix-stack-buffer-overflow.patch |    4 
 patches/run-migration                           |    2 
 patches/series                                  |    1 
 11 files changed, 167 insertions(+), 15 deletions(-)

The debdiff is attached.

Regards

--Josue


diff -Nru rpcbind-1.2.5/debian/NEWS rpcbind-1.2.5/debian/NEWS
--- rpcbind-1.2.5/debian/NEWS	1969-12-31 18:00:00.000000000 -0600
+++ rpcbind-1.2.5/debian/NEWS	2019-09-09 12:19:21.000000000 -0600
@@ -0,0 +1,12 @@
+rpcbind (1.2.5-0.3+deb10u1) buster; urgency=medium
+
+  Since version 1.2.5 upstream has turned off the remote calls functionality
+  in order to improve security. This can be turned on at build time.
+  This functionality caused rpcbind to open up random listening ports. This
+  change broke up broadcasts requests to rpcbind making systems depending
+  on this feature unusable, e.g. NIS systems.
+  
+  This release accepts the new command line parameter 'r' to turn on the
+  remote calls functionality when needed.
+
+ -- Josue Ortega <josue@debian.org>  Tue, 17 Sep 2019 19:08:34 -0600
diff -Nru rpcbind-1.2.5/debian/README.debian rpcbind-1.2.5/debian/README.debian
--- rpcbind-1.2.5/debian/README.debian	1969-12-31 18:00:00.000000000 -0600
+++ rpcbind-1.2.5/debian/README.debian	2019-09-09 12:19:21.000000000 -0600
@@ -0,0 +1,11 @@
+rpcbind for Debian
+------------------
+Since version 1.2.5 due to security concerns upstream has turned off
+the remote calls functionality by default and added a configuration
+flag at build time to enable it.
+This functionality caused rpcbind to open up random listening ports.
+With remote calls turned off rpcbind stops to receive any broadcast query
+causing breakage on systems depending on this feature, e.g., NIS systems.
+
+On Debian systems the remote calls can be turned on at run-time using
+the command line argument 'r'. See rpcbind(8) for more details.
diff -Nru rpcbind-1.2.5/debian/changelog rpcbind-1.2.5/debian/changelog
--- rpcbind-1.2.5/debian/changelog	2018-10-22 04:54:11.000000000 -0600
+++ rpcbind-1.2.5/debian/changelog	2019-09-09 12:19:21.000000000 -0600
@@ -1,3 +1,15 @@
+rpcbind (1.2.5-0.3+deb10u1) buster; urgency=medium
+
+  * Add 00-rmt-calls.patch (Closes: #939877):
+    + Add command line option to enable remote calls at runtime
+    + Refresh debian/patches
+  * debian/control: Update maintainer information
+  * Add debian/README.debian explaining remote calls activation for
+    Debian systems
+  * Add debian/NEWS
+
+ -- Josue Ortega <josue@debian.org>  Mon, 09 Sep 2019 12:19:21 -0600
+
 rpcbind (1.2.5-0.3) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru rpcbind-1.2.5/debian/control rpcbind-1.2.5/debian/control
--- rpcbind-1.2.5/debian/control	2018-10-20 05:18:17.000000000 -0600
+++ rpcbind-1.2.5/debian/control	2019-09-09 12:19:21.000000000 -0600
@@ -1,7 +1,7 @@
 Source: rpcbind
 Section: net
 Priority: optional
-Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
+Maintainer: Josue Ortega <josue@debian.org>
 Build-Depends: debhelper (>= 11), pkg-config, libtirpc-dev (>= 1.0.2), libwrap0-dev, libsystemd-dev [linux-any]
 Standards-Version: 4.2.1
 Homepage: http://sourceforge.net/projects/rpcbind/
diff -Nru rpcbind-1.2.5/debian/patches/00-rmt-calls.patch rpcbind-1.2.5/debian/patches/00-rmt-calls.patch
--- rpcbind-1.2.5/debian/patches/00-rmt-calls.patch	1969-12-31 18:00:00.000000000 -0600
+++ rpcbind-1.2.5/debian/patches/00-rmt-calls.patch	2019-09-09 12:19:21.000000000 -0600
@@ -0,0 +1,118 @@
+Description: Add command line option to enable remote calls at runtime instead build time
+Author: Josue Ortega <josue@debian.org>
+Last-Update: 2019-09-17
+
+
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -29,10 +29,6 @@
+ AM_CPPFLAGS +=	-DLIBWRAP
+ endif
+ 
+-if RMTCALLS
+-AM_CPPFLAGS +=	-DRMTCALLS
+-endif
+-
+ bin_PROGRAMS = rpcinfo
+ sbin_PROGRAMS = rpcbind
+ 
+--- a/src/rpcbind.c
++++ b/src/rpcbind.c
+@@ -88,6 +88,7 @@
+ int doabort = 0;	/* When debugging, do an abort on errors */
+ int dofork = 1;		/* fork? */
+ int createdsocket = 0;  /* Did I create the socket or systemd did it for me? */
++int rmtcalls = 0; /* Remote calls */
+ 
+ rpcblist_ptr list_rbl;	/* A list of version 3/4 rpcbind services */
+ 
+@@ -796,12 +797,12 @@
+ #endif
+ 
+ 
+-#ifdef RMTCALLS
++    if (rmtcalls) {
+ 	/*
+ 	 * rmtcall only supported on CLTS transports for now.
+ 	 */
+-	if (nconf->nc_semantics == NC_TPI_CLTS) {
+-		status = create_rmtcall_fd(nconf);
++	    if (nconf->nc_semantics == NC_TPI_CLTS) {
++		    status = create_rmtcall_fd(nconf);
+ #ifdef RPCBIND_DEBUG
+ 		if (debugging) {
+ 			if (status < 0) {
+@@ -814,8 +815,8 @@
+ 			}
+ 		}
+ #endif
+-	}
+-#endif
++	   }
++    }
+ 
+ 	return (0);
+ error:
+@@ -881,7 +882,7 @@
+ {
+ 	int c;
+ 	oldstyle_local = 1;
+-	while ((c = getopt(argc, argv, "adh:ilswf")) != -1) {
++	while ((c = getopt(argc, argv, "adh:ilswfr")) != -1) {
+ 		switch (c) {
+ 		case 'a':
+ 			doabort = 1;	/* when debugging, do an abort on */
+@@ -911,13 +912,16 @@
+ 		case 'f':
+ 			dofork = 0;
+ 			break;
++		case 'r':
++            rmtcalls = 1;
++			break;
+ #ifdef WARMSTART
+ 		case 'w':
+ 			warmstart = 1;
+ 			break;
+ #endif
+ 		default:	/* error */
+-			fprintf(stderr,	"usage: rpcbind [-adhilswf]\n");
++			fprintf(stderr,	"usage: rpcbind [-adhilswfr]\n");
+ 			exit (1);
+ 		}
+ 	}
+--- a/man/rpcbind.8
++++ b/man/rpcbind.8
+@@ -11,7 +11,7 @@
+ .Nd universal addresses to RPC program number mapper
+ .Sh SYNOPSIS
+ .Nm
+-.Op Fl adhiLls
++.Op Fl adhiLlsr
+ .Sh DESCRIPTION
+ The
+ .Nm
+@@ -137,6 +137,11 @@
+ starts up. The state file is created when
+ .Nm
+ terminates.
++.It Fl r
++Turn on remote calls. Cause
++.Nm
++to open up random listening ports. Note that rpcinfo need this feature turned on
++for work properly.
+ .El
+ .Sh NOTES
+ All RPC servers must be restarted if
+--- a/configure.ac
++++ b/configure.ac
+@@ -21,10 +21,6 @@
+   AS_HELP_STRING([--enable-warmstarts], [Enables Warm Starts @<:@default=no@:>@]))
+ AM_CONDITIONAL(WARMSTART, test x$enable_warmstarts = xyes)
+ 
+-AC_ARG_ENABLE([rmtcalls],
+-  AS_HELP_STRING([--enable-rmtcalls], [Enables Remote Calls @<:@default=no@:>@]))
+-AM_CONDITIONAL(RMTCALLS, test x$enable_rmtcalls = xyes)
+-
+ AC_ARG_WITH([statedir],
+   AS_HELP_STRING([--with-statedir=ARG], [use ARG as state dir @<:@default=/var/run/rpcbind@:>@])
+   ,, [with_statedir=/var/run/rpcbind])
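Review bot: The `.It Fl r` entry added to man/rpcbind.8 is the only operator-facing description of the new switch, and it does not say that upstream turned remote calls off for security reasons, which debian/NEWS in this same upload does state. I would reword it along the lines of `Turn on remote calls. This makes rpcbind open random listening ports and is disabled by default for security reasons; enable it only on systems that depend on broadcast queries, e.g. NIS.` The sentence about rpcinfo reads broader than NEWS and README.debian, which mention only broadcast queries, so it is worth confirming which rpcinfo modes actually need -r before stating it that generally. Separately, the Makefile.am and configure.ac hunks drop the RMTCALLS define entirely; if any source file outside the visible rpcbind.c hunks still tests `#ifdef RMTCALLS`, that code would now be compiled out regardless of -r, so a grep of the tree before upload seems prudent.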
diff -Nru rpcbind-1.2.5/debian/patches/02-manpages.patch rpcbind-1.2.5/debian/patches/02-manpages.patch
--- rpcbind-1.2.5/debian/patches/02-manpages.patch	2018-10-14 05:57:17.000000000 -0600
+++ rpcbind-1.2.5/debian/patches/02-manpages.patch	2019-09-09 12:19:21.000000000 -0600
@@ -2,7 +2,7 @@
 
 --- a/man/rpcbind.8
 +++ b/man/rpcbind.8
-@@ -145,5 +145,4 @@ is restarted.
+@@ -150,5 +150,4 @@
  .Sh SEE ALSO
  .Xr rpcinfo 8
  .Sh LINUX PORT
@@ -11,7 +11,7 @@
 +Aurelien Charbon <aurelien.charbon@bull.net>
 --- a/man/rpcinfo.8
 +++ b/man/rpcinfo.8
-@@ -303,7 +303,7 @@ option to display a more concise list:
+@@ -303,7 +303,7 @@
  	example$ rpcinfo -s klaxon
  .Ed
  .Bl -column "program" "w,x,y,z" "local,tcp,udp,tcp6,udp6" "nlockmgr" "super-user"
diff -Nru rpcbind-1.2.5/debian/patches/03-563971-warmstart-error-msg.patch rpcbind-1.2.5/debian/patches/03-563971-warmstart-error-msg.patch
--- rpcbind-1.2.5/debian/patches/03-563971-warmstart-error-msg.patch	2017-05-05 11:46:00.000000000 -0600
+++ rpcbind-1.2.5/debian/patches/03-563971-warmstart-error-msg.patch	2019-09-09 12:19:21.000000000 -0600
@@ -9,13 +9,11 @@
 Signed-off-by: sacrificial-spam-address@horizon.com
 Tested-by: Anibal Monsalve Salazar <anibal@debian.org>
 
-Index: rpcbind-0.2.1/src/rpcbind.c
-===================================================================
---- rpcbind-0.2.1.orig/src/rpcbind.c
-+++ rpcbind-0.2.1/src/rpcbind.c
-@@ -778,13 +778,18 @@ parseargs(int argc, char *argv[])
- 		case 'f':
- 			dofork = 0;
+--- a/src/rpcbind.c
++++ b/src/rpcbind.c
+@@ -915,13 +915,18 @@
+ 		case 'r':
+             rmtcalls = 1;
  			break;
 -#ifdef WARMSTART
  		case 'w':
@@ -24,7 +22,7 @@
  			break;
 -#endif
  		default:	/* error */
- 			fprintf(stderr,	"usage: rpcbind [-adhilswf]\n");
+ 			fprintf(stderr,	"usage: rpcbind [-adhilswfr]\n");
 +#else
 +			fprintf(stderr,	"-w: rpcbind compiled without WARMSTART support.\n");
 +			/* FALLTHROUGH */
diff -Nru rpcbind-1.2.5/debian/patches/04-610718-non-linux.patch rpcbind-1.2.5/debian/patches/04-610718-non-linux.patch
--- rpcbind-1.2.5/debian/patches/04-610718-non-linux.patch	2017-05-05 11:46:00.000000000 -0600
+++ rpcbind-1.2.5/debian/patches/04-610718-non-linux.patch	2019-09-09 12:19:21.000000000 -0600
@@ -2,7 +2,7 @@
 ===================================================================
 --- rpcbind-0.2.1.orig/src/security.c
 +++ rpcbind-0.2.1/src/security.c
-@@ -53,7 +53,7 @@ int deny_severity = LIBWRAP_DENY_FACILIT
+@@ -72,7 +72,7 @@ int deny_severity = LIBWRAP_DENY_FACILIT
  #ifndef PORTMAP_LOG_SEVERITY
  # define PORTMAP_LOG_SEVERITY LOG_INFO
  #endif
diff -Nru rpcbind-1.2.5/debian/patches/rpcinfo-Fix-stack-buffer-overflow.patch rpcbind-1.2.5/debian/patches/rpcinfo-Fix-stack-buffer-overflow.patch
--- rpcbind-1.2.5/debian/patches/rpcinfo-Fix-stack-buffer-overflow.patch	2018-10-14 07:57:31.000000000 -0600
+++ rpcbind-1.2.5/debian/patches/rpcinfo-Fix-stack-buffer-overflow.patch	2019-09-09 12:19:21.000000000 -0600
@@ -27,7 +27,7 @@
 index 9b46864..cfdba88 100644
 --- a/src/rpcinfo.c
 +++ b/src/rpcinfo.c
-@@ -973,6 +973,7 @@ rpcbdump (dumptype, netid, argc, argv)
+@@ -980,6 +980,7 @@
  	("   program version(s) netid(s)                         service     owner\n");
        for (rs = rs_head; rs; rs = rs->next)
  	{
@@ -35,7 +35,7 @@
  	  char *p = buf;
  
  	  printf ("%10ld  ", rs->prog);
-@@ -985,12 +986,22 @@ rpcbdump (dumptype, netid, argc, argv)
+@@ -992,12 +993,22 @@ rpcbdump (dumptype, netid, argc, argv)
  	    }
  	  printf ("%-10s", buf);
  	  buf[0] = '\0';
diff -Nru rpcbind-1.2.5/debian/patches/run-migration rpcbind-1.2.5/debian/patches/run-migration
--- rpcbind-1.2.5/debian/patches/run-migration	2017-05-05 11:46:00.000000000 -0600
+++ rpcbind-1.2.5/debian/patches/run-migration	2019-09-09 12:19:21.000000000 -0600
@@ -8,7 +8,7 @@
 ===================================================================
 --- rpcbind-0.2.1.orig/src/rpcbind.c
 +++ rpcbind-0.2.1/src/rpcbind.c
-@@ -93,7 +93,14 @@ char *rpcbinduser = NULL;
+@@ -106,7 +106,14 @@ char *rpcbinduser = NULL;
  /* who to suid to if -s is given */
  #define RUN_AS  "daemon"
  
diff -Nru rpcbind-1.2.5/debian/patches/series rpcbind-1.2.5/debian/patches/series
--- rpcbind-1.2.5/debian/patches/series	2018-10-14 07:57:45.000000000 -0600
+++ rpcbind-1.2.5/debian/patches/series	2019-09-09 12:19:21.000000000 -0600
@@ -1,3 +1,4 @@
+00-rmt-calls.patch
 02-manpages.patch
 03-563971-warmstart-error-msg.patch
 04-610718-non-linux.patch
