[pkg-netfilter-team] Bug#1118769: ipset 7.22 segfaults in some circumstances

David bike9876-debian at evocat.net
Sat Oct 25 08:01:55 BST 2025


Package: ipset
Version: 7.22-1+b1
Severity: important

Dear Maintainer,

ipset 7.21 (commit a7432ba786ca478eba8724c4d8ba6d1ff6446ad8) introduced an argv
array overstepping bug that causes

  ipset add <ipset> <addr> comment <comment>

to segfault for my architecture unless the shell environment happens to be long enough. This is
fixed in ipset 7.23 (commit f1bcacf5eeb8620ea684524e1ce9c3951a77f1f9).

Debian 13 has ipset 7.22 so is affected.

E.g. (create ipset foo first if needed (ipset create foo hash:net family inet comment))

  # env -i /usr/sbin/ipset add foo 127.0.0.1 comment localhost

segfaults. Without "env -i", ipset will probably run ok when run on the
command line, but will likely fail in a cron job, where the shell
environment tends to be minimal.

As a workaround, something like

  # env -i FOO=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /usr/sbin/ipset add foo 127.0.0.1 comment localhost

works (or put FOO=... into the crontab file if that is where it is being called from).


-- System Information:
Debian Release: 13.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.48+deb13-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ipset depends on:
ii  libc6          2.41-12
ii  libipset13t64  7.22-1+b1

Versions of packages ipset recommends:
ii  iptables  1.8.11-2

ipset suggests no packages.

-- no debconf information
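
Added example, not part of the original report: a POSIX shell check that classifies an ipset version string against the affected range stated in the report (introduced in 7.21, fixed in 7.23), for triaging hosts that run ipset from cron. The function names are hypothetical, and the check assumes the fix has not been backported under an unchanged upstream version.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of ipset.
# Affected range per the report: introduced in 7.21, fixed in 7.23.

# Print the upstream version from `ipset --version` output
# ("ipset v7.22, protocol version: 7") or a Debian package
# version ("7.22-1+b1", optionally with an epoch such as "1:").
ipset_upstream() {
    v=${1#ipset v}     # drop the "ipset v" prefix
    v=${v%%,*}         # drop ", protocol version: N"
    v=${v#*:}          # drop a Debian epoch
    v=${v%%-*}         # drop the Debian revision
    v=${v%%[~+]*}      # drop "~"/"+" suffixes
    printf '%s\n' "$v"
}

# Return 0 if affected, 1 if not, 2 if the string cannot be parsed.
# Assumption: the fix was not backported under an unchanged upstream version.
ipset_affected() {
    v=$(ipset_upstream "$1")
    case "$v" in
        *[!0-9.]*|.*|*.|'') return 2 ;;   # non-numeric or malformed
        *.*) ;;                            # looks like MAJOR.MINOR
        *) return 2 ;;                     # no minor component
    esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    [ -n "$minor" ] || return 2
    [ "$major" -eq 7 ] && [ "$minor" -ge 21 ] && [ "$minor" -lt 23 ]
}

# Usage on a host (constructed invocation):
#   ipset_affected "$(ipset --version)" && echo "affected"
```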


