• Bug#1109654: unblock: ceph/18.2.7-3 (pre-approval)

    From Daniel Baumann@21:1/5 to All on Mon Jul 21 10:30:01 2025
    XPost: linux.debian.devel.release

    Package: release.debian.org
    Control: affects -1 + src:ceph
    User: [email protected]
    Usertags: unblock
    X-Debbugs-Cc: [email protected]

    Hi,

    this is a pre-approval request to allow uploading and unblocking
    ceph/18.2.7-3.

    It fixes a regression from CVE-2025-52555 where unprivileged users can
    set setuid or setgid on files:

    * https://bugs.debian.org/1109470

    * https://github.com/ceph/ceph/pull/64356
    * https://github.com/ceph/ceph/commit/7028ed21138522495df1e9f8b01195a3c43d47ff.patch

    I've prepared an updated package for ceph:

    * https://salsa.debian.org/ceph-team/ceph/-/commits/debian/unstable

    I've previously applied the fix on our ceph cluster at work, no issues.

    As ceph is a key package, I'm awaiting your feedback to upload it to
    unstable, diff is attached.

    Regards,
    Daniel

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Daniel Baumann@21:1/5 to Ivo De Decker on Mon Jul 21 17:30:01 2025
    XPost: linux.debian.devel.release

    Hi,

    On 7/21/25 17:18, Ivo De Decker wrote:
    > Please go ahead with the upload and remove the moreinfo tag from this
    > unblock request once the new upload has been in unstable for a few days,
    > and you think it's ready to migrate.

    thanks - uploaded now, will do once it's ready.

    Regards,
    Daniel

  • From Daniel Baumann@21:1/5 to Daniel Baumann on Mon Jul 21 17:50:01 2025
    XPost: linux.debian.devel.release

    On 7/21/25 17:23, Daniel Baumann wrote:
    > thanks - uploaded now, will do once it's ready.

    got a reject, probably because ftp-master has newer lintian now:

    ceph source: lintian output: 'license-problem-json-evil [src/s3select/rapidjson/license.txt]', automatically rejected package.
    ceph source: If you have a good reason, you may override this lintian tag.
    ceph source: lintian output: 'source-contains-prebuilt-ms-help-file [src/boost/libs/beast/test/extern/zlib-1.2.11/contrib/dotzlib/DotZLib.chm]', automatically rejected package.
    ceph source: If you have a good reason, you may override this lintian tag.
    ceph source: lintian output: 'source-contains-prebuilt-ms-help-file [src/boost/tools/boost_install/test/iostreams/zlib-1.2.11/contrib/dotzlib/DotZLib.chm]', automatically rejected package.
    ceph source: If you have a good reason, you may override this lintian tag.

    Assuming that it is ok (= least amount of change), I will upload again
    with added lintian overrides for those. Will fix it correctly right
    after trixie release for unstable.

    Regards,
    Daniel

  • From Ivo De Decker@21:1/5 to Daniel Baumann on Tue Jul 22 11:30:02 2025
    XPost: linux.debian.devel.release

    Hi,

    On Mon, Jul 21, 2025 at 05:47:46PM +0200, Daniel Baumann wrote:
    > On 7/21/25 17:23, Daniel Baumann wrote:
    > > thanks - uploaded now, will do once it's ready.
    >
    > got a reject, probably because ftp-master has newer lintian now:
    >
    > ceph source: lintian output: 'license-problem-json-evil [src/s3select/rapidjson/license.txt]', automatically rejected package.
    > ceph source: If you have a good reason, you may override this lintian tag.
    > ceph source: lintian output: 'source-contains-prebuilt-ms-help-file [src/boost/libs/beast/test/extern/zlib-1.2.11/contrib/dotzlib/DotZLib.chm]', automatically rejected package.
    > ceph source: If you have a good reason, you may override this lintian tag.
    > ceph source: lintian output: 'source-contains-prebuilt-ms-help-file [src/boost/tools/boost_install/test/iostreams/zlib-1.2.11/contrib/dotzlib/DotZLib.chm]', automatically rejected package.
    > ceph source: If you have a good reason, you may override this lintian tag.
    >
    > Assuming that it is ok (= least amount of change), I will upload again
    > with added lintian overrides for those. Will fix it correctly right
    > after trixie release for unstable.

    Can you get rid of the offending files? That would be a cleaner way to solve this issue (assuming they are not used).

    Cheers,

    Ivo

  • From Daniel Baumann@21:1/5 to Ivo De Decker on Tue Jul 22 19:50:01 2025
    XPost: linux.debian.devel.release

    On 7/22/25 11:19, Ivo De Decker wrote:
    > Can you get rid of the offending files?

    doing that now, the version will thus change from 18.2.7-3 to 18.2.7+ds-1.

    Regards,
    Daniel

  • From Daniel Baumann@21:1/5 to Daniel Baumann on Tue Jul 22 22:20:01 2025
    XPost: linux.debian.devel.release

    retitle 1109654 unblock: ceph/18.2.7+ds-1 (pre-approval)
    thanks

    On 7/22/25 19:00, Daniel Baumann wrote:
    > doing that now, the version will thus change from 18.2.7-3 to 18.2.7+ds-1.

    that worked.

    Regards,
    Daniel

  • From Daniel Baumann@21:1/5 to All on Wed Jul 23 18:40:01 2025
    XPost: linux.debian.devel.release

    retitle 1109654 unblock: ceph/18.2.7+ds-1
    tag 1109654 - moreinfo
    thanks

    Hi,

    ceph has now been successfully built on all its architectures, please
    proceed with the unblock.

    Regards,
    Daniel
