Version in base suite: 2.7.1-1 Base version: inn2_2.7.1-1 Target version: inn2_2.7.1-1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/i/inn2/inn2_2.7.1-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/i/inn2/inn2_2.7.1-1+deb12u1.dsc changelog | 10 ++ patches/backport_a1f2e9323 | 154 +++++++++++++++++++++++++++++++++++++++++++++ patches/backport_f7d111aad | 74 +++++++++++++++++++++ patches/series | 2 rules | 13 +++ 5 files changed, 251 insertions(+), 2 deletions(-) diff -Nru inn2-2.7.1/debian/changelog inn2-2.7.1/debian/changelog --- inn2-2.7.1/debian/changelog 2023-05-01 17:25:42.000000000 +0000 +++ inn2-2.7.1/debian/changelog 2023-09-06 19:45:25.000000000 +0000 @@ -1,3 +1,13 @@ +inn2 (2.7.1-1+deb12u1) bookworm; urgency=medium + + * Added patch backport_a1f2e9323: this upstream commit fixes nnrpd hangs + when compression is enabled. + * Added patch backport_f7d111aad: this upstream commit adds support for + high-precision syslog timestamps which now are the default in Debian. + * Made inn-{radius,secrets}.conf not world readable. + + -- Marco d'Itri Wed, 06 Sep 2023 21:45:25 +0200 + inn2 (2.7.1-1) unstable; urgency=medium * New upstream release. diff -Nru inn2-2.7.1/debian/patches/backport_a1f2e9323 inn2-2.7.1/debian/patches/backport_a1f2e9323 --- inn2-2.7.1/debian/patches/backport_a1f2e9323 1970-01-01 00:00:00.000000000 +0000 +++ inn2-2.7.1/debian/patches/backport_a1f2e9323 2023-09-06 19:44:59.000000000 +0000 
@@ -0,0 +1,154 @@ +From: Enrik Berkhan +Subject: nnrpd: avoid hang due to misplaced select() +Origin: upstream, commit:a1f2e932338a17eb4111243f29fcade52d39e0a7 + +The select() call in nnrpd's input data processing is moved right +before the related read() call to avoid blocking when it shouldn't. + +Without this change, there could still remain data to be inflated, that +has already been read, if compression had been activated. The select() +can then time out because the client might already have sent all data +before, and the yet to be inflated data will not be used until after +the timeout. + +Resolves: #269 + +diff --git a/nnrpd/line.c b/nnrpd/line.c +index fc68b15dd..6c048720c 100644 +--- a/nnrpd/line.c ++++ b/nnrpd/line.c +@@ -79,12 +79,11 @@ line_reset(struct line *line) + } + + /* +-** Timeout is used only if HAVE_OPENSSL is defined. + ** Returns -2 on timeout, -1 on read error, and otherwise the number of + ** bytes read. + */ + static ssize_t +-line_doread(void *p, size_t len, int timeout UNUSED) ++line_doread(void *p, size_t len, int timeout) + { + ssize_t n; + +@@ -122,6 +121,22 @@ line_doread(void *p, size_t len, int timeout UNUSED) + } + #endif /* HAVE_ZLIB */ + ++ /* It seems that the SSL_read cannot be mixed with select() ++ * as in the current code. TLS communicates in its own data ++ * blocks and handshaking. The line_doread using SSL_read ++ * could return, but still with a partial line in the SSL_read ++ * buffer. Then the server TLS routine would sit there waiting ++ * for completion of that data block while nnrpd sat at the ++ * select() routine waiting for more data from the server. ++ * ++ * Here, we decide to just bypass the select() wait. Unlike ++ * innd with multiple threads, the select on nnrpd is just ++ * waiting on a single file descriptor, so it is not really ++ * essential with blocked read like SSL_read. Using an alarm ++ * signal around SSL_read for non active timeout, TLS works ++ * without dead locks. 
However, without the select() wait, ++ * the IDLE timer stat won't be collected... ++ */ + #ifdef HAVE_OPENSSL + if (tls_conn) { + int err; +@@ -152,9 +167,38 @@ line_doread(void *p, size_t len, int timeout UNUSED) + xsignal(SIGALRM, SIG_DFL); + } else + #endif /* HAVE_OPENSSL */ ++ { ++ fd_set rmask; ++ int i; ++ ++ /* Wait for activity on stdin, updating timer stats as we go. */ ++ do { ++ struct timeval t; ++ ++ FD_ZERO(&rmask); ++ FD_SET(STDIN_FILENO, &rmask); ++ t.tv_sec = timeout; ++ t.tv_usec = 0; ++ TMRstart(TMR_IDLE); ++ i = select(STDIN_FILENO + 1, &rmask, NULL, NULL, &t); ++ TMRstop(TMR_IDLE); ++ if (i == -1 && errno != EINTR) { ++ syswarn("%s can't select", Client.host); ++ break; ++ } ++ } while (i == -1); ++ ++ /* If stdin didn't select, we must have timed out. select() ++ * failure from above is treated the same way. */ ++ if (i <= 0 || !FD_ISSET(STDIN_FILENO, &rmask)) { ++ n = -2; /* timeout */ ++ break; ++ } ++ + do { + n = read(STDIN_FILENO, p, len); + } while (n == -1 && errno == EINTR); ++ } + + if (n <= 0) + break; /* EOF or error. */ +@@ -261,8 +305,6 @@ line_read(struct line *line, int timeout, const char **p, size_t *len, + * to ask for any more. */ + if (lf == NULL) { + do { +- fd_set rmask; +- int i; + ssize_t count; + + /* If we've filled the line buffer, double the size, +@@ -295,49 +337,6 @@ line_read(struct line *line, int timeout, const char **p, size_t *len, + } + } + +-#ifdef HAVE_OPENSSL +- /* It seems that the SSL_read cannot be mixed with select() +- * as in the current code. SSL communicates in its own data +- * blocks and hand shaking. The do_readline using SSL_read +- * could return, but still with a partial line in the SSL_read +- * buffer. Then the server SSL routine would sit there waiting +- * for completion of that data block while nnrpd sat at the +- * select() routine waiting for more data from the server. +- * +- * Here, we decide to just bypass the select() wait. 
Unlike +- * innd with multiple threads, the select on nnrpd is just +- * waiting on a single file descriptor, so it is not really +- * essential with blocked read like SSL_read. Using an alarm +- * signal around SSL_read for non active timeout, SSL works +- * without dead locks. However, without the select() wait, +- * the IDLE timer stat won't be collected... +- */ +- if (tls_conn == NULL) { +-#endif +- /* Wait for activity on stdin, updating timer stats as we +- * go. */ +- do { +- struct timeval t; +- +- FD_ZERO(&rmask); +- FD_SET(STDIN_FILENO, &rmask); +- t.tv_sec = timeout; +- t.tv_usec = 0; +- TMRstart(TMR_IDLE); +- i = select(STDIN_FILENO + 1, &rmask, NULL, NULL, &t); +- TMRstop(TMR_IDLE); +- if (i == -1 && errno != EINTR) { +- syswarn("%s can't select", Client.host); +- return RTtimeout; +- } +- } while (i == -1); +- +- /* If stdin didn't select, we must have timed out. */ +- if (i == 0 || !FD_ISSET(STDIN_FILENO, &rmask)) +- return RTtimeout; +-#ifdef HAVE_OPENSSL +- } +-#endif + count = line_doread(where, line->allocated - (where - line->start), + timeout); + diff -Nru inn2-2.7.1/debian/patches/backport_f7d111aad inn2-2.7.1/debian/patches/backport_f7d111aad --- inn2-2.7.1/debian/patches/backport_f7d111aad 1970-01-01 00:00:00.000000000 +0000 +++ inn2-2.7.1/debian/patches/backport_f7d111aad 2023-09-06 19:44:59.000000000 +0000 
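Review bot: In the select() loop added to the non-TLS branch of line_doread(), `t.tv_sec = timeout;` is assigned again on every pass, so each EINTR restarts the idle timeout in full instead of continuing it. If nnrpd is interrupted by signals more often than `timeout` seconds (this hunk does not show whether that can happen), the -2 timeout return is never reached and an idle client keeps its reader process. Computing a deadline once bounds the total wait: `time_t deadline = time(NULL) + timeout;` before the loop, and inside it `t.tv_sec = deadline > now ? deadline - now : 0;` with `now = time(NULL)`. The loop was moved unchanged from line_read(), so this behaviour predates the commit; line_doread() itself begins and ends outside the inner hunks.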
@@ -0,0 +1,74 @@ +From: Julien ÉLIE +Subject: innreport: Support high-precision timestamps +Origin: upstream, commit:f7d111aadd5809dd12c9215f7aefe395c819f188 + +This format is now the default in some distributions (like Debian 12). +It should be supported by innreport. + +close #276 + +diff --git a/scripts/innreport.in b/scripts/innreport.in +index 4e68344ff..eb9bddd78 100644 +--- a/scripts/innreport.in ++++ b/scripts/innreport.in +@@ -95,6 +95,7 @@ + use strict; + use Carp qw( cluck confess ); + use Time::Local; ++use Time::Piece; + + ## Default display configuration file (parameter added in INN 2.7.0). + my $DISPLAY_FILE = 'innreport-display.conf'; +@@ -372,11 +373,11 @@ my $unrecognize_max = 0; + my @unrecognize; + my ($total_line, $total_size) = (0, 0); + my ($suffix, $HTML_output, %config, %prog_type, %prog_size); +-my $current_year; ++my ($current_year, $local_timezone); + { +- my ($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst) +- = localtime(time); +- $current_year = $year += 1900; ++ my $local_time = localtime(time); ++ $current_year = $local_time->year; ++ $local_timezone = $local_time->strftime("%z"); + } + + my $HTML_header = ''; +@@ -452,6 +453,27 @@ while (!eof()) { + my ($res, $day, $hour, $prog, $left); + DECODE: + { ++ # Convert a high-precision timestamp like ++ # 2023-07-23T04:15:01.882775+02:00 ++ # to the low-precision timestamp used by innreport. ++ if ($_ =~ /^(\d+-\d+-\d+T\d+:\d+:\d+)(\.\d+)?([+-]\d+):?(\d+)/) { ++ my $timezone = "$3$4"; ++ my $t; ++ ++ # Use the local time zone if logging is in UTC. ++ if ("$timezone" eq "+0000") { ++ $t = Time::Piece->strptime( ++ "$1 " . $local_timezone, ++ "%Y-%m-%dT%T %z" ++ ); ++ } else { ++ $t = Time::Piece->strptime("$1", "%Y-%m-%dT%T"); ++ } ++ ++ my $newdate = $t->monname . " " . $t->mday . " " . 
$t->hms; ++ $_ =~ s/^\S+/$newdate/; ++ } ++ + ($day, $hour, $prog, $left) + = $_ =~ m/^(\S+\s+\S+) (\S+) \S+ (\S+): \[ID \d+ \S+\] (.*)$/o; + if ($day) { last DECODE; } +@@ -466,6 +488,8 @@ while (!eof()) { + if ($day) { last DECODE; } + + # Dec 31 03:01:30.796 + localhost 1821 inpaths! ++ # Always in low-precision timestamp with milliseconds (format ++ # enforced by ARTlog, not syslog). + ($day, $hour, $res, $left) + = $_ =~ m/^(\S+\s+\S+) (\S+)\.\d+ (\S+) (.*)$/o; + if ($day) { $prog = 'inn'; last DECODE; } diff -Nru inn2-2.7.1/debian/patches/series inn2-2.7.1/debian/patches/series --- inn2-2.7.1/debian/patches/series 2023-04-16 08:43:11.000000000 +0000 +++ inn2-2.7.1/debian/patches/series 2023-09-06 19:44:59.000000000 +0000 @@ -1,4 +1,6 @@ # backported fixes +backport_a1f2e9323 +backport_f7d111aad # waiting to be merged upstream diff -Nru inn2-2.7.1/debian/rules inn2-2.7.1/debian/rules --- inn2-2.7.1/debian/rules 2023-04-16 08:43:11.000000000 +0000 +++ inn2-2.7.1/debian/rules 2023-08-28 00:06:43.000000000 +0000 @@ -132,8 +132,17 @@ dh_fixperms -Xusr/lib/news/bin/innbind -Xusr/lib/news/bin/rnews # these files may contain passwords - chown root:news $D-inews/etc/news/passwd.nntp $D/etc/news/incoming.conf $D/etc/news/innfeed.conf - chmod 640 $D-inews/etc/news/passwd.nntp $D/etc/news/incoming.conf $D/etc/news/innfeed.conf + chown root:news \ + $D-inews/etc/news/passwd.nntp \ + $D/etc/news/incoming.conf \ + $D/etc/news/innfeed.conf \ + $D/etc/news/inn-radius.conf \ + $D/etc/news/inn-secrets.conf + chmod 640 $D-inews/etc/news/passwd.nntp \ + $D/etc/news/incoming.conf \ + $D/etc/news/innfeed.conf \ + $D/etc/news/inn-radius.conf \ + $D/etc/news/inn-secrets.conf chmod -x $D/usr/lib/news/bin/control/*.pl $D/etc/news/*.local
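Review bot: The two `Time::Piece->strptime` calls in the new DECODE branch are unguarded, although the regex in front of them accepts any digit runs (`\d+-\d+-\d+T\d+:\d+:\d+`), and as far as I know strptime croaks on a value it cannot parse. A single log line with an out-of-range field such as month 13 or hour 99, whether from a truncated write or a remote syslog sender, would then abort the whole innreport run rather than being passed over. Wrapping each call, for example `$t = eval { Time::Piece->strptime("$1", "%Y-%m-%dT%T") };`, and doing the `s/^\S+/$newdate/` rewrite only `if (defined $t)` leaves such a line untouched for the later patterns to accept or reject. The enclosing while loop and DECODE block continue outside the hunk.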
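Review bot: The 640 root:news mode added for `inn-radius.conf` and `inn-secrets.conf` is applied only to the files inside the built package, so it reaches a system only when dpkg installs the shipped copy. If these files under /etc/news are handled as conffiles (debian/rules does not show this), a locally edited copy, which is the one that actually holds passwords, is kept on upgrade with its old world-readable mode. The diffstat lists no maintainer-script change, so an upgrade step appears to be missing. In postinst, under `if dpkg --compare-versions "$2" lt 2.7.1-1+deb12u1`, run `chown root:news /etc/news/inn-radius.conf /etc/news/inn-secrets.conf` and `chmod 640` on the same two files. The surrounding recipe starts and ends outside the hunk.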