Bug 21621

Summary: setup needs adaptation for glibc 2.26
Product: Mageia Reporter: Thomas Backlund <tmb>
Component: RPM PackagesAssignee: All Packagers <pkg-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: marja11, sebsweb, westel, yvesbrungard
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: setup CVE:
Status comment:

Description Thomas Backlund 2017-08-27 18:42:38 CEST 
msec writes the lines:

nospoof on
spoofalert on

to /etc/host.conf

see /usr/share/msec/plugins/network.py

as of glibc 2.26 those options are not recognized anymore and need to be removed from that file, as they now causes warnings:

/etc/host.conf: line 3: bad command `nospoof on'
/etc/host.conf: line 4: bad command `spoofalert on'

preferably msec would remove those lines on package update, improving user experience
Comment 1 Marja Van Waes 2017-08-27 21:52:56 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 2 papoteur 2017-09-03 09:03:05 CEST 
Hi Thomas,
Thus, do you mean that the option in msec
enable_dns_spoofing_protection
should be deleted?
This option deal with "nospoof" and "spoofalert"

I can deal with it.

Or are there replaced with other ones?

CC: (none) => yves.brungard_mageia

papoteur 2017-09-03 09:04:07 CEST

Assignee: pkg-bugs => bugsquad

Comment 3 Marja Van Waes 2017-09-03 10:51:26 CEST 
Thanks for assigning back to bugsquad, Yves, I had indeed assigned to the wrong group. Msec is a Mageia tool, so assigning better, now :-)

Assignee: bugsquad => mageiatools

Comment 4 Thomas Backlund 2017-09-03 11:09:41 CEST 
(In reply to papoteur from comment #2)
> Hi Thomas,
> Thus, do you mean that the option in msec
> enable_dns_spoofing_protection
> should be deleted?
> This option deal with "nospoof" and "spoofalert"
> 

Yes,

> I can deal with it.
> 

> Or are there replaced with other ones?

Nope, new glibc setup is rewritten to be "better secured by default, no option to disable" it...

(the earlier setup was "less secure (compat with older stuff) by default, add nospoof/spoofalert for hardening")
Comment 5 papoteur 2017-09-03 12:12:45 CEST 
Thanks Thomas.

For the update, should I provide a script which delete the options
nospoof on
spoofalert on

in /etc/host.conf if present?

And then, the packager includes a trigger to execute it at the update?
I never managed such feature until now.
Papoteur
Comment 6 Thomas Backlund 2017-09-03 12:23:09 CEST 
No need to provide a script, as 2 simple sed commands in versioned %post trigger in msec.spec can do the removal
David Walser 2017-09-03 15:30:42 CEST

Summary: msec needs adoption for glibc 2.26 => msec needs adaptation for glibc 2.26

Comment 7 Mageia Robot 2017-09-05 09:43:57 CEST 
commit 315473c53155054c3ba1abe906c25f4211842897
Author: Papoteur <papoteur@...>
Date:   Tue Sep 5 09:40:38 2017 +0200

    suppress DNS_SPOOFING_PROTECTION (mga#21621).
---
 Commit Link:
   http://gitweb.mageia.org/software/msec/commit/?id=315473c53155054c3ba1abe906c25f4211842897
Comment 8 Rémi Verschelde 2017-09-19 19:22:37 CEST 
Fixed in msec-2.5-1.mga6.

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 9 Thomas Backlund 2017-09-19 19:50:04 CEST 
To be user-friendly msec should nuke those 2 lines on package upgrade
Comment 10 papoteur 2018-10-05 08:28:53 CEST 
Reopening to deal with the post script to delete the lines
nospoof on
spoofalert on

in /etc/host.conf when upgrading

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)

papoteur 2018-10-05 08:29:32 CEST

Assignee: mageiatools => pkg-bugs

Comment 11 papoteur 2018-10-05 08:33:30 CEST 
*** Bug 23640 has been marked as a duplicate of this bug. ***

CC: (none) => sebsweb

Comment 12 Sébastien Morin 2018-10-05 08:43:39 CEST 
(In reply to papoteur from comment #10)
> Reopening to deal with the post script to delete the lines
> nospoof on
> spoofalert on
> 
> in /etc/host.conf when upgrading

Thank you for reopening, because this doesn't seem to be really fixed ;-)

$ rpm -q msec
/etc/host.conf : ligne 3 : commande erronée« nospoof on »
/etc/host.conf : ligne 4 : commande erronée« spoofalert on »
msec-2.6-4.mga7
Comment 13 Ben McMonagle 2018-10-09 01:56:20 CEST 
for me after a Mga7 net-install today, host.config does not include those 2 lines

CC: (none) => westel

Comment 14 Sébastien Morin 2018-10-13 06:06:11 CEST 
msec was updated yesterday in Cauldron but those two lines are still printed:

$ rpm -q msec
/etc/host.conf : ligne 3 : commande erronée« nospoof on »
/etc/host.conf : ligne 4 : commande erronée« spoofalert on »
msec-2.6-5.mga7


@ ben mcmonagle: this bug affects systems upgraded from Mageia6, it doesn't concern fresh installs of Mageia7 (Cauldron)
Comment 15 Ben McMonagle 2019-01-25 06:49:37 CET 
(In reply to Sébastien Morin from comment #14)
 
> @ ben mcmonagle: this bug affects systems upgraded from Mageia6, it doesn't
> concern fresh installs of Mageia7 (Cauldron)

thanks.

upgrade yesterday (24/1/2019) issue is still evident.
Comment 16 Ben McMonagle 2019-03-02 01:03:38 CET 
still valid  upgrade x86_64
Comment 17 papoteur 2019-03-23 08:43:02 CET 
To summarize exchanges on dev ml:

On Fri, Mar 22, 2019 at 09:42:38AM +0100, Dan Fandrich wrote:
> On Fri, Mar 22, 2019 at 09:26:45AM +0100, Papoteur wrote:
>> the post script has to delete the lines
>> nospoof on
>> spoofalert on
>>
>> in /etc/host.conf when upgrading.
>
> If that's all it is, this should do:
>
>   sed -E -i.bak '/^ *(nospoof|spoofalert) +on *(#.*)?$/d' /etc/host.conf
>

On 22/03/19 10:44, Giuseppe Ghibò wrote:
>
> The problem of the nospoof warning arises due to glibc upgrade, in particular it was this patch that somewhere around glibc 2.26 was applied upstream (mga6 had glibc 2.22), i.e. this one:
>
> https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=7d68cdaa4f748e87ee921f587ee2d483db624b3d;hp=5c6e6747356f5d473c2c62e818bc24432ddef3e2
>
> that let glibc no longer recognizing that option. A dirty trick is to fake glibc, revering that patch and providing "fake" compatibility.  But in that way the nospoof will continue to be around in /etc/host.conf. Actually the bug report is https://bugs.mageia.org/show_bug.cgi?id=21621 which belongs to msec.
>
> Another is probably to add the scripts above in some trigger, maybe meta-task?

> or alternative setup-2.27-2.mga7 itself which is the package /etc/host.conf belongs to.
> Le sam. 23 mars 2019 à 00:29, "David W. Hodgins" <dev@ml.mageia.org> a écrit :

>> I agree the setup package is the proper place.
>> To delete the lines ...
>>
>> grep -v -e ^nospoof -e ^spoofalert /etc/host.conf > /etc/host.conf.rpmnew
>> mv -f /etc/host.conf /etc/host.conf.rpmsave
>> mv /etc/host.conf.rpmnew /etc/host.conf
>>
>> Regards, Dave Hodgins

Le 23/03/2019 à 02:24, Thierry Vignaud a écrit :
> setup is set up very early, in fisrt rpm transaction, so no %post,
> %trigger must be used instead
> eg:
> %triggerpostun -- setup < 2.7.24-2
>
> either the above sed command or:
> perl -pi -e 'undef $_ if /\s+(nospoof|spoofalert)\s+on\s+.*/' /etc/host.conf
> Note that the above sed doesn't handle tabs.
>

Source RPM: msec => setup

papoteur 2019-03-23 08:43:28 CET

Summary: msec needs adaptation for glibc 2.26 => setup needs adaptation for glibc 2.26

Comment 18 Jani Välimaa 2019-03-24 10:10:02 CET 
Should be fixed with setup-2.7.24-3.mga7.
Comment 19 papoteur 2019-03-24 17:33:49 CET 
Updated my cauldron.
After update, host.conf contains:
order hosts, bind
multi on

thus no more 
nospoof on
spoofalert on

Thanks Jani :)

Resolution: (none) => FIXED
Status: REOPENED => RESOLVED