[Pkg-monitoring-maintainers] ganglia update for Squeeze (CVE-2012-3448)

Sat Jan 19 23:44:38 UTC 2013

On 20/01/13 00:02, Salvatore Bonaccorso wrote:
> Hi Daniel, hi Yves-Alexis
> 
> In short, [1] looks to be the only change needed for the security
> update. So the debdiff I posted should be okay. But I will leave it to
> Yves-Alexis (who is Debian Security Team member) which way to go.
> 
> On Sat, Jan 19, 2013 at 10:15:00PM +0100, Daniel Pocock wrote:
>> On 19/01/13 21:52, Salvatore Bonaccorso wrote:
>>> Hi Daniel, hi all
>>>
>>> Ok let's try to reassume (I feel like there is some confusion ;-))
>>>
>>> Squeeze currently has ganglia 3.1.7-1. So the updated package needs to
>>> be based on this. Usually introducing a new upstream version is not
>>> accepted for security updates (an exception is e.g. mysql, where it
>>> seems not other possible). So this should/will be 3.1.7-1+squeeze1 for
>>> a Squeeze update.
>>
>> The upstream 3.1 branch only receives updates of the type that qualify
>> for the stable branch in Debian (e.g. security updates, fixes for seg
>> faults).  The 3.1.8 upstream release only differs from 3.1.7 with the
>> addition of the fix for this issue
>>
>> In this instance, upstream even created a 3.1.8 branch off the 3.1
>> branch, just to isolate the fix:
>>
>> https://github.com/ganglia/monitor-core/commits/release/3.1.8
> 
> Ok and indeed this[1] confirms that the isolated fix is the oneliner.
> Thanks.
> 
>  [1]: https://github.com/ganglia/monitor-core/commit/3404fbfcfad74c4c050578add31ea3a5ec5f0276
>  
>>> Adjusting the Subject of this mail to avoid further confusions.
>>>
>>> The source diff between 3.1.7 and 3.1.8 is somehow huge (4.8M, 110
>>> files changed, 49330 insertions(+), 73094 deletions(-)).
>>>
>>> The isolated fix is only in web/graph.php right?
>>
>> This seems odd, and not what I would expect if I check upstream:
>>
>> git clone git at github.com:ganglia/monitor-core.git
>>
>> cd ganglia
>> git diff monitor-core-3.1.7 3.1.8
>>
>> (from that diff, ignore the git2dist and bootstrap changes, those files
>> are not released in the tarballs)
>>
>> Is it possible that dpkg-buildpackage is incorrectly regenerating the
>> tarball, or does squeeze possibly have a modified 3.1.7.orig tarball?
>>
>> I PGP sign the upstream release announcements, so it should be easy to
>> verify.
>> http://www.mail-archive.com/ganglia-developers@lists.sourceforge.net/msg05533.html
>> http://www.mail-archive.com/ganglia-developers@lists.sourceforge.net/msg06329.html
> 
> This is how I checked the above:
> 
> wget http://cdn.debian.net/debian/pool/main/g/ganglia/ganglia_3.1.7.orig.tar.gz
> 
> From [2] there is link to source tarball:
> 
>  [2] http://www.mail-archive.com/ganglia-developers@lists.sourceforge.net/msg06329.html
> 
> fetch the ganglia-3.1.8.tar.gz and checksum with sha224sum; and
> compared the two source trees. (A lot can be excluded, right, as is
> autogenerated stuff).
> 

Thanks for confirming that

It is possible that I bootstrapped 3.1.7 on an earlier Debian version
than 3.1.8.  E.g. Maybe 3.1.7 was bootstrapped on lenny and 3.1.8 on
squeeze.  This would mean different versions of autoconf were present,
and each of them dumps different stuff in the source tree.

However, just excluding that change (e.g. by hacking the one line change
into the 3.1.7 tree rather than using the whole 3.1.8 tree) doesn't
guarantee identical autotools behavior unless the build is done on a
platform equivalent to where the original 3.1.7-1 package was built.

If we need to be that pedantic about it to put something into squeeze
(which may well be a good idea), then maybe we need to make the change
without building and releasing any of the actual binaries, just release
the ganglia-web.deb package (which contains no binary code, just PHP).
Is there a workflow to do that?