Bug 32294

Summary: Update request: nftables-1.0.6-1.1.mga9
Product: Mageia Reporter: Thomas Backlund <tmb>
Component: RPM Packages    Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: andrewsfarm, marja11, sysadmin-bugs
Version: 9    Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: nftables CVE:
Status comment:

Description Thomas Backlund 2023-09-16 15:36:11 CEST
Bugfix for nftables

Userspace nftables v1.0.6 sometimes generates incorrect bytecode that hits a new
kernel check, introduced in the kernel-6.4.8 fix for CVE-2023-4147, that rejects adding rules to bound chains. This update fixes nftables to generate correct bytecode.


SRPMS:
nftables-1.0.6-1.1.mga9.src.rpm


i586:
libnftables1-1.0.6-1.1.mga9.i586.rpm
libnftables-devel-1.0.6-1.1.mga9.i586.rpm
nftables-1.0.6-1.1.mga9.i586.rpm
python3-nftables-1.0.6-1.1.mga9.noarch.rpm


x86_64:
lib64nftables1-1.0.6-1.1.mga9.x86_64.rpm
lib64nftables-devel-1.0.6-1.1.mga9.x86_64.rpm
nftables-1.0.6-1.1.mga9.x86_64.rpm
python3-nftables-1.0.6-1.1.mga9.noarch.rpm
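QA check script, added here as an example (it is not part of the update, of the nftables project, or of this bug's test procedure): the construct that triggers the CVE-2023-4147 kernel check is an anonymous chain, written as `jump { ... }` or `goto { ... }` in an nft ruleset. The script below builds such a ruleset in a scratch table that has no hook (so nothing is filtered while it exists), loads it with `nft -f -`, and reports whether the kernel accepted the rules. The table name, the port numbers and the exit codes (0 = loaded, 1 = kernel rejected the batch, 3 = cannot test in this environment) are choices made for this example. It needs root (nf_tables netlink requires CAP_NET_ADMIN) and a kernel with nf_tables; otherwise it skips rather than reporting a failure.

```shell
#!/bin/sh
# Added QA check for Bug 32294 (example code, not from the nftables project):
# load a ruleset that adds rules to anonymous (bound) chains, which is the
# construct whose bytecode nftables 1.0.6 emitted in an order the
# CVE-2023-4147 kernel check rejects.

# Assumed scratch table for this example; it must not already exist.
QA_TABLE="inet mga_qa_nft32294"

# Emit a ruleset whose rules jump/goto into anonymous chains. The chain has
# no hook, so loading it changes no traffic filtering on the test machine.
# Port numbers are arbitrary; only the "jump {" / "goto {" blocks matter.
bound_chain_ruleset() {
    cat <<EOF
table $QA_TABLE {
    chain qa_regular {
        tcp dport 22 jump {
            ct state established,related accept
            counter accept
        }
        udp dport 53 goto {
            counter drop
        }
    }
}
EOF
}

# Try to load the ruleset and delete the scratch table afterwards.
# Exit status: 0 = batch accepted (fixed nft, or kernel without the check),
#              1 = kernel rejected the batch (the bug this update fixes),
#              3 = cannot test here (no nft, no CAP_NET_ADMIN, table exists).
check_bound_chain_load() {
    command -v nft >/dev/null 2>&1 || {
        echo "skip: nft not installed" >&2; return 3; }
    # Any nf_tables netlink access needs CAP_NET_ADMIN and nf_tables support.
    nft list ruleset >/dev/null 2>&1 || {
        echo "skip: no netlink access to nf_tables (run as root?)" >&2; return 3; }
    if nft list table $QA_TABLE >/dev/null 2>&1; then
        echo "skip: scratch table '$QA_TABLE' already exists" >&2; return 3
    fi
    if bound_chain_ruleset | nft -f -; then
        nft delete table $QA_TABLE
        echo "ok: rules added to bound chains were accepted" >&2
        return 0
    fi
    # The kernel rolls back a rejected batch; remove the table in case a
    # partial state was left behind by an older kernel.
    nft delete table $QA_TABLE >/dev/null 2>&1
    echo "FAIL: kernel rejected adding rules to a bound chain" >&2
    return 1
}

# Usage: sh nft-bound-chain-check.sh run   (as root)
case "${1:-}" in
    run) check_bound_chain_load; exit $? ;;
esac
```

On a Mageia 9 system with kernel 6.4.8 or later and the unfixed nftables-1.0.6-1, the load is expected to fail with an "Error: Could not process rule" line from nft and exit status 1; with nftables-1.0.6-1.1 it should load and exit 0. Because the chain has no hook, the scratch table is harmless while it exists and is removed on both paths.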
Comment 1 Marja Van Waes 2023-10-12 19:22:29 CEST
Advisory from comment 0 added to SVN. 
Please remove the "advisory" keyword if it needs to be changed. 
It also helps when obsolete advisories are tagged as "obsolete".

Keywords: (none) => advisory
CC: (none) => marja11

Comment 2 Thomas Andrews 2023-10-17 03:15:55 CEST
MGA9-64 Plasma in VirtualBox. No installation issues.

I have no idea how to test the issue that generated this bug, so...

$ urpmq --whatrequires nftables
eddie
nftables
podman
python3-nftables
waydroid

Installing waydroid depends on another bug currently waiting for QA attention, so no help there.

Eddie is a UI for managing a VPN from Airvpn, but it is supposed to work with VPNs from other providers, as well. I installed it without issue, ran it under strace, looked around, couldn't easily determine how to get it working with a Surfshark VPN, and closed it again. Examining the strace file showed no reference to nftables, so apparently it's not invoked unless one actually activates a VPN. Again, no help.

So I installed podman, and attempted to run some of the commands from Bug 28885 comment 55:

[tom@localhost ~]$ podman images
ERRO[0000] cannot find UID/GID for user tom: no subuid ranges found for user "tom" in /etc/subuid - check rootless mode in man pages. 
WARN[0000] Using rootless single mapping into the namespace. This might break some images. Check /etc/subuid and /etc/subgid for adding sub*ids if not using a network user 
REPOSITORY  TAG         IMAGE ID    CREATED     SIZE
[tom@localhost ~]$ podman search docker.io/library/mageia
[tom@localhost ~]$ podman run -dt -p 8080:80/tcp docker.io/library/mageia
Trying to pull docker.io/library/mageia:latest...
Getting image source signatures
Copying blob 2b7a6260b5e1 done  
Error: copying system image from manifest list: writing blob: adding layer with blob "sha256:2b7a6260b5e1024ee3e3aaea14424ae322182becf6d1593b6542c7e711e2c6bc": processing tar file(potentially insufficient UIDs or GIDs available in user namespace (requested 0:25 for /etc/gshadow): Check /etc/subuid and /etc/subgid if configured locally and run "podman system migrate": lchown /etc/gshadow: invalid argument): exit status 1
[tom@localhost ~]$ podman ps
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES
[tom@localhost ~]$ podman ps -a
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES

So, I didn't get very far, but the messages look to be from user error, rather than some fault of the application/libraries. To be fair, the test in bug 28885 wasn't exactly conclusive, either.

I'm going to OK this based mostly on a clean install. Validating.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 3 Mageia Robot 2023-10-17 16:07:29 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2023-0093.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED