Category: debian

Careful with apache upgrades
You might (or not if you don’t visit) notice all my websites were down. A rushed apt-get dist-upgrade and I found two problems:
1. PHP5 got removed, which is bad if you run a wordpress site that uses PHP to run
2. The apache configuration has changed.
Yes, the NEWS entries did warn me, if I read them fully. Yes, I didn’t read them enough.

Apache now ignores configuration files that don’t end in .conf To give a completely non-theoretical example, if you have your virtual hosts in files such as /etc/apache2/sites-enabled/enc.com.au then this will not be recognised and your sites will show the default “It works” page.

Stuff that doesn’t fall in the usual places where website stuff should go, which for my setup is a lot of things, will also be denied as the developers have tightened up the rules around what is permitted. Pretty simple to fix with a few <Directory blah> clauses.

This isn’t a criticism of the Debian apache developers. They do an awesome job of keeping the package workable, flexible but secure which isn’t easy. Now it’s all back working, I actually agree with the changes they have made. It is just that the latest changes are, well, tricky so be forewarned.

Related articles
- Switching From Apache MPM Prefork to Worker (doctorfox.wordpress.com)
- Apache MPM Worker and PHP-FPM on CentOS (garron.me)
August 6, 2013
Off to LCA2013

While I’ve been involve in Linux and Debian for many (15 or more) years, I’ve only ever been to one “major Linux thing” in all that time and that was manning some stall for Debian about 10 years ago.

Well, let’s call it two because next week I’m off to the Linux.conf.au 2013 conference. I can’t get too terribly excited about the location because its… Canberra, yep my (now) home town and about 4 blocks from my workplace; so no exotic locales for me!

I’m hoping to catch up with some Debian folk while the conference is on. There is at the very least a keysigning party where there are some others from Debian on Wednesday.

PS WordPress update broke the visual editing, I hope it looks ok.

January 25, 2013
procps 3.3.6 and Mudlet 2.0

Yesterday was a busy Debian day for me with the release of not one but two packages.

procps

procps version 3.3.6 was released both as an upstream and a Debian package. While there were many bug fixes in this release, the main new feature for it was the top inspect feature.

The top inspect feature allows you to run top in the normal way then you can inspect a specific process you have selected within top for more information. Examples of this include fuser or lsof type output to see what files or libraries are open but really the limit is how clever the operator is and how often you would need this information. Even scripts can be run off this feature if you have some customised or cooked output you need to see. Once the output is there, you can search for text.

There will be a small hold-up with the Debian packages as the section for the library has been moved to libs, where it should be. At least I think that’s why there is a delay.

procps infrastructure

procps currently has only an email list and a gitorious git repository. While this works most of the time, there are two main problems with this setup.

The first is that the only two ways you can report bugs is send an email to the list or create a git merge request. The email has the problem with tracking and gathering history while the git sets the bar pretty high for reporting something has gone wrong.

Second problem is there is no tarball file repository. gitorious does have the feature of downloading tarballs of the tag checkpoints, but this is the raw repository. When you make a tarball with “make dist” there are some generated files included in the tarball that don’t appear in the gitorious ones, which means its not a simple for some as you expect.

So I’ll be creating a project for these two features soon. Not sure where they will be but I use sourceforge for both these for a few other projects so that might be where they end up.

Mudlet

Mudlet, the multi-user dungeon or MUD client, has finally made it to version 2.0! It looks a lot more stable and polished at least from the scripting side than the previous RC versions but has all the features that we’ve come to expect with it. The most important thing is that the developers have finally put a line in the sand and said “this is version 2.0”. The Debian package was uploaded yesterday and should be on its way to your local mirror soon.

January 2, 2013
debhelper versions – Guilty!
After reading Jakub’s pet peeve about debhelper build-dependencies I decided to check my own and sponsored packages to see how they fare.
```
find debian/ -type f -name control | xargs grep -h -o 'debhelper (>= 9[^)]*)' | sort | uniq -c
      2 debhelper (>= 9)
      2 debhelper (>= 9.0)
      3 debhelper (>= 9.0.0)
      1 debhelper (>= 9.20120115)
```
Oops! Something to fix in all subsequent releases.
July 12, 2012
pam bugs hurt

I did some upgrades of what seemed like a million packages today on my Debian sid computer. I was doing this remotely and when I tried to ssh back in I got kicked out after entering my password, hmmm.

OK, so I waited until I could get in front of it and tried to login to the console and was greeted with the message “Cannot make/remove an entry” and kicked out, even as root; double hmmm.

So it was boot into single user time which, thankfully worked. bash loaded ok so it wasn’t a shell problem. However su failed which means we are into pam problem territory. I found a bug report that sounded like my problem, but with no clear solution except upgrade in Ubuntu.

The solution was pretty simple for me. It’s something funky with /etc/pam.d/common-sesssion and a simple ‘/usr/sbin/pam-auth-update’ fixed it for me.

June 6, 2012
JFFNMS 0.9.2 Released
JFFNMS Interfaces and Events

JFFNMS version 0.9.2 was released today both as an upstream tar.gz file and a new Debian package. This version fixes some bugs including making sure it works with PHP5.4.

The biggest change in PHP 5.4 is that you can no longer call by reference. Previously you could call a function like myfunc(&blah); which would send a pointer to blah and not the item itself. Now the function definition needs to define what it wants rather than change it each time.

Related articles
- PHP 5.4 Released (developers.slashdot.org)
- PHP: Object by reference in php5 (stackoverflow.com)
- After eight RCs, PHP 5.4.0 is finally released (webdev360.com)
March 4, 2012
Unlucky sometimes
Sometimes life throws little curves at you to see if you are still awake, today has been one of those days.

fglrx is (apparently) fixed

I’ve had a long-running problem with fglrx on my laptop. The problem stems from ATI closed-source drivers with one of those laptops that has an ATI and Intel driver. It means I am basically using the slow Intel chip only. This morning I had enough and backed up my home and started to rebuild the laptop with Debian 6.0.3.

So I kicked off the very very slow process of reformatting the crypto drive (it has taken 5 hours and still going) let it gurgle on its merry way and started to read my email. One of the emails was that my bug about fglrx not working is closed, apparently it is fixed. If I had read that 10 minutes earlier, a simple ‘apt-get install fglrx-driver‘ would of perhaps fixed it; oh well.

My problem is now is do I move to the latest driver and hope their fix is my fix or leave it with some ancient version? My preference is the former; I only hope it works!

psmisc 22.15 and buffer overflows

psmisc has a program called pstree which prints the set of processes in a tree fashion. It hasn’t changed much for quite a while. I released version 22.15 and the Debian package 22.15-1. 22.15-1 I also adopted the harden CFLAGS as suggested for procps.

I was a little surprised that I received an important bug. The report was saying I had a buffer overflow introduced in 22.15-1, but no relevant code had changed. The compiler options had done their job and stopped a buffer being overflowed.

But where exactly was the overflow? Running gdb on pstree quickly showed that it was line 267 of pstree.c which uses strcpy(). That function set off warning bells. The relevant code is:
```
    PROC *new;

    if (!(new = malloc(sizeof(PROC)))) {
        perror("malloc");
        exit(1);
    }
    strcpy(new->comm, comm);
```
Now comm is the short command name you find in /proc//stat. It is fixed in the kernel at 16 characters. The PROC structure has this field as 17 characters long, one extra for the NUL. I went and checked the Linux source and yes, it is still 16 characters long. The clue was in the name of the program that it died on.
```
#6  new_proc (comm=0x6111b0 "{console-kit-dae}", pid=1571, uid=0)
    at pstree.c:267
```
That string is 17 characters long. The problem is that 16 characters is for the name only. If the name is in brackets or braces, then that 16 character limit doesn’t apply. The buffer overflow bug has been there for a long time, but only with the compiler flags did it become visible.

Given you need to read names out of the /proc filesystem and if someone can fiddle with that you have bigger problems it doesn’t seem to be too much of an issue. It should be (and is in Debian 22.15-2) fixed but is a nice example of the compiler catching bad things.

Related articles
- Detecting security problems – using static analysis to catch them early and less expensively (blogs.windriver.com)
- A Textbook Buffer Overflow: A Look at the FreeBSD telnetd Code (thexploit.com)
- Exploit the buffer – Buffer Overflow Attack (alitarhini.wordpress.com)
- Aurelien Jarno: Performances of open-source Radeon driver (aurel32.net)
January 27, 2012
procps 3.32 Debian packages
Following up from the upstream release of a new procps, the Debian packages have also been updated. This upload has a significant change in that, I hope, procps is now multi-arch compliant. To make this happen, the libprocps library is now in it’s own package, separate from the binaries. It also means that if you have programs not from procps that link to this library they are now broken. I put in a Breaks: line for the three I know about (xmem, guymager and open-vm-tools) which will need a recompile with a small tweak in the control file and linked statements.

As suggested in the multi arch implementation wiki page, I tested the libprocps0-dev package by compiling something against it, in this case another Debian package xmem. Doing this was very useful for teasing out some bugs on the dev package itself that did not appear while linking the library to the procps binaries.

In short, the new procps has a lot fewer patches than the old ones and the next version will have less as I have already included the current changes into the upstream git repository. The main differences are now
- freebsd linux version is read from a file not from uts
- includes use __restrict not the auto make defined restrict which may not be present in third party packages
- libnucrsesw conditionally linked with watch for 8bit watch
The three are really bugs, especially the last, which is why the patches will disappear next release.

Related articles
- procps-ng version 3.3.2 released (enc.com.au)
January 10, 2012
rpath bites me again
Image via Wikipedia

It’s funny, in bad way, when certain sorts of bugs come back to bite you. People may remember the fun Debian had with rpath issues around in the late 90s where some binaries wanted to set the path of where their libraries were located. After much contraversy the consensus was at least in Debian (with some specific exceptions) RPATH is bad and don’t use it. I lived through that “fun” and remember hacking libtool or autoconf or some such file.

The horror of those times came back to haunt me today while working on procps 3.3.2 packages. lintian was suddenly complaining that binary-or-shlib-defines-rpath for all my binaries. I’ve not seen rpath set for many years and as I’m also part of the upstream and never saw it set there it took me a while to work out what was going on.

Certainly, my binaries were setting the RPATH, it wasn’t lintian getting the wrong idea. You can see this with objdump myfile | grep RPATH. If you get a hit, you got RPATH set, an empty result means no RPATH. libtool was definitely setting the rpath, with
```
cc -Iproc -g -O2 -o $progdir/$file pmap.o  ./proc/.libs/libprocps.so 
 -Wl,-rpath -Wl,/home/csmall/debian/procps/procps/proc/.libs 
 -Wl,-rpath -Wl,//usr/lib/x86_64-linux-gnu
```
That’s not one rpath setting but two, for double insult. Configure flags such as –disable-rpath wouldn’t work. I flicked back to a pure upstream archive and there was no rpath there in either the compile flags or objdump. There was obviously some sort of side-effect going on.

The problem, after much testing, was in the debian/rules file:
```
        ./configure 
          --build=$(DEB_BUILD_GNU_TYPE) 
          --enable-watch8bit --enable-w-from 
          --prefix=/ 
          --mandir=$${prefix}/usr/share/man  
          --libdir=$${prefix}/usr/lib/$(DEB_HOST_MULTIARCH)
```
The problem is above, and all it was was a “/”. libtool does some checking to see if the library directory exists and if it doesn’t silently turns on rpath. It’s not smart enough to know that //usr/lib/x86_64-linux-gnu is the same as /usr/lib/x86_64-linux-gnu and so it enables rpath. Removing the slash before the usr fixed the problem.

I’d say this is bad behavour on libtools part. It should know that / is // or all the other alternative ways of specifying paths. Hopefully this post will stop someone else wasting their time like I did.
January 7, 2012
procps-ng version 3.3.2 released

procps-ng version 3.3.2 was released today. This version fixes some bugs introduced in version 3.3.1 as well as a number of enhancements. Below is the most significant set of changes that 3.3.2 brings.

NLS

The most visible change is that procps-ng is now international. The NLS changes took a long windy path but we got there in the end. This means all procps-ng programs can now use standard gettext PO files to output in any supported language. While the programs have been enabled for translations, there are no po files as yet but we expect them to follow soon.

Library Changes

procps always had a “closed” library, meaning that it wasn’t supposed to be used for other non-procps programs. This meant the library was always called libprocps-(version) rather than using a SONAME. Procps 3.3.2 now uses a SONAME of version 0.0.0 The API hasn’t changed but it will be in subsequent versions.

Patch Backporting

Due to the stagnant natute of procps development in the past, there have been a large number of patches each distribution carries for procps. A significant number of patches have been incorportated into procps-ng, giving a more consistent look across the distributions and meaning any subsquent fixes or enhancements are done in one place. A major goal of procps-ng was to reduce the number of distribution specific patches which this change has helped greatly.

Debian Packages

The Debian packages will be worked on soon and will clear up some confusion about the procps binaries and library packages as this will now be split into two. It also means that some programs that depend on libprocps will break, but going on from this point will be able to use the normal shlibs process to manage that, rather than the ugly crunch we will have now.

January 6, 2012