Summary: | net-firewall/firehol-1.226-r1 broken by bash-3.2_p3-r1 | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Ivan Yosifov <iyosifov> |
Component: | Current packages | Assignee: | Dominik Stadler (RETIRED) <centic> |
Status: | RESOLVED FIXED | ||
Severity: | critical | CC: | costa, david, estoeckel, michal, voyageur |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://sourceforge.net/tracker/index.php?func=detail&aid=1607442&group_id=58425&atid=487692 | ||
Bug Blocks: | 151149 | ||
Attachments: | testapplication to show where bash behaves differently |
Description
Ivan Yosifov
2006-11-02 13:13:01 UTC
Downgrade to bash-3.1_p17 fixes the issue.

This sounds similar to Bug 139526, although this one was reported for bash-3.1p17, there it was related to the hardened flag. Seems we should patch firehol to work around this problem.

Created attachment 101406
testapplication to show where bash behaves differently

I cannot reproduce this for me right now. Can you please run the attached script and attach the output to show me where it fails in your installation?
The output with both bash 3.2 and 3.1 is:

```
-m state --state
-m state --state
-m state ! --state
-m state ! --state
```

Running /usr/sbin/firehol start instead of /etc/init.d/firehol start seems to reveal more information:

```
home ~ # /usr/sbin/firehol start
FireHOL: Saving your old firewall to a temporary file: OK
FireHOL: Processing file /etc/firehol/firehol.conf: OK
FireHOL: Activating new firewall (41 rules):
--------------------------------------------------------------------------------
ERROR : # 1.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 17 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_world_all_c1 -m state '' --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT :
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `'
...
```

Also:

```
home ~ # /sbin/iptables -t filter -A out_world_all_c1 -m state '' --state NEW\,ESTABLISHED -j ACCEPT
Bad argument `'
Try `iptables -h' or 'iptables --help' for more information.
home ~ # /sbin/iptables -t filter -A out_world_all_c1 -m state --state NEW\,ESTABLISHED -j ACCEPT # Just -m state, no ''
iptables: No chain/target/match by that name
home ~ # iptables
iptables v1.3.6: no command specified
Try `iptables -h' or 'iptables --help' for more information.
home ~ # iptables ''
Bad argument `'
Try `iptables -h' or 'iptables --help' for more information.
home ~ # echo $BASH_VERSION
3.2.3(1)-release
home ~ #
```

Looks like the empty quote '' after -m state is causing the trouble. iptables calls with -m state '' also fail under bash 3.1. But /usr/sbin/firehol debug shows that under bash 3.1 firehol generates iptables calls containing just -m state whereas under 3.2 they contain -m state '' and hence fail.

*** Bug 157045 has been marked as a duplicate of this bug. ***

I have now added Version 1.250 as "~x86 ~ppc" and replaced %q with %b in the printf-statements. Please check if this solves your problem. The new version should be available on the mirrors soon.

Should be fixed now.
The new version fails to patch:

```
home ~ # emerge -1 firehol
Calculating dependencies... done!
>>> Emerging (1 of 1) net-firewall/firehol-1.250 to /
 * firehol-1.226.tar.bz2 MD5 ;-) ... [ ok ]
 * firehol-1.226.tar.bz2 RMD160 ;-) ... [ ok ]
 * firehol-1.226.tar.bz2 SHA1 ;-) ... [ ok ]
 * firehol-1.226.tar.bz2 SHA256 ;-) ... [ ok ]
 * firehol-1.226.tar.bz2 size ;-) ... [ ok ]
 * checking ebuild checksums ;-) ... [ ok ]
 * checking auxfile checksums ;-) ... [ ok ]
 * checking miscfile checksums ;-) ... [ ok ]
 * checking firehol-1.226.tar.bz2 ;-) ... [ ok ]
>>> Unpacking source...
>>> Unpacking firehol-1.226.tar.bz2 to /var/tmp/portage/net-firewall/firehol-1.250/work
 * Applying firehol-1.226-to-228.patch ... [ ok ]
 * Applying firehol-1.226-to-250.patch ...
 * Failed Patch: firehol-1.226-to-250.patch !
 * ( /usr/portage/net-firewall/firehol/files/firehol-1.226-to-250.patch )
 *
 * Include in your bugreport the contents of:
 *
 * /var/tmp/portage/net-firewall/firehol-1.250/temp/firehol-1.226-to-250.patch-31437.out
!!! ERROR: net-firewall/firehol-1.250 failed.
Call stack:
ebuild.sh, line 1603: Called dyn_unpack
ebuild.sh, line 732: Called src_unpack
firehol-1.250.ebuild, line 45: Called epatch '/usr/portage/net-firewall/firehol/files/firehol-1.226-to-250.patch'
eutils.eclass, line 341: Called die
!!! Failed Patch: firehol-1.226-to-250.patch!
!!! If you need support, post the topmost build error, and the call stack if relevant.
home ~ # cat /var/tmp/portage/net-firewall/firehol-1.250/temp/firehol-1.226-to-250.patch-31437.out
***** firehol-1.226-to-250.patch *****
======================================
PATCH COMMAND: patch -p0 -g0 -E --no-backup-if-mismatch < /usr/portage/net-firewall/firehol/files/firehol-1.226-to-250.patch
======================================
patching file firehol.sh
Hunk #1 FAILED at 10.
Hunk #5 FAILED at 171.
Hunk #43 FAILED at 5415.
Hunk #44 FAILED at 5601.
Hunk #47 FAILED at 5907.
Hunk #48 FAILED at 5990.
6 out of 49 hunks FAILED -- saving rejects to file firehol.sh.rej
======================================
PATCH COMMAND: patch -p1 -g0 -E --no-backup-if-mismatch < /usr/portage/net-firewall/firehol/files/firehol-1.226-to-250.patch
======================================
missing header for unified diff at line 3 of patch
can't find file to patch at input line 3
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- firehol.new 2006-12-27 14:13:39.000000000 +0100
|+++ firehol.sh 2006-12-27 14:15:57.000000000 +0100
--------------------------
No file to patch. Skipping patch.
49 out of 49 hunks ignored
======================================
PATCH COMMAND: patch -p2 -g0 -E --no-backup-if-mismatch < /usr/portage/net-firewall/firehol/files/firehol-1.226-to-250.patch
======================================
missing header for unified diff at line 3 of patch
can't find file to patch at input line 3
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- firehol.new 2006-12-27 14:13:39.000000000 +0100
|+++ firehol.sh 2006-12-27 14:15:57.000000000 +0100
--------------------------
No file to patch. Skipping patch.
49 out of 49 hunks ignored
======================================
PATCH COMMAND: patch -p3 -g0 -E --no-backup-if-mismatch < /usr/portage/net-firewall/firehol/files/firehol-1.226-to-250.patch
======================================
missing header for unified diff at line 3 of patch
can't find file to patch at input line 3
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- firehol.new 2006-12-27 14:13:39.000000000 +0100
|+++ firehol.sh 2006-12-27 14:15:57.000000000 +0100
--------------------------
No file to patch. Skipping patch.
49 out of 49 hunks ignored
======================================
PATCH COMMAND: patch -p4 -g0 -E --no-backup-if-mismatch < /usr/portage/net-firewall/firehol/files/firehol-1.226-to-250.patch
======================================
missing header for unified diff at line 3 of patch
can't find file to patch at input line 3
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- firehol.new 2006-12-27 14:13:39.000000000 +0100
|+++ firehol.sh 2006-12-27 14:15:57.000000000 +0100
--------------------------
No file to patch. Skipping patch.
49 out of 49 hunks ignored
```

*** Bug 159311 has been marked as a duplicate of this bug. ***

Sorry, seems a wrong patch went into CVS, I'm not sure how it worked for me during testing... The latest version in CVS should work now.

Please excuse me if this is due to sync mirror lag but it still fails here:

```
...
 * Failed Patch: firehol-1.226-to-250.patch !
 * ( /usr/portage/net-firewall/firehol/files/firehol-1.226-to-250.patch )
 *
 * Include in your bugreport the contents of:
 *
 * /var/tmp/portage/net-firewall/firehol-1.250/temp/firehol-1.226-to-250.patch-14293.out
...
***** firehol-1.226-to-250.patch *****
======================================
PATCH COMMAND: patch -p0 -g0 -E --no-backup-if-mismatch < /usr/portage/net-firewall/firehol/files/firehol-1.226-to-250.patch
======================================
can't find file to patch at input line 4
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff -Nur firehol-1.226/firehol.sh firehol-1.226.new/firehol.sh
|--- firehol-1.226/firehol.sh 2006-12-29 23:48:19.000000000 +0100
|+++ firehol-1.226.new/firehol.sh 2006-12-29 23:49:40.000000000 +0100
--------------------------
No file to patch. Skipping patch.
49 out of 49 hunks ignored
======================================
PATCH COMMAND: patch -p1 -g0 -E --no-backup-if-mismatch < /usr/portage/net-firewall/firehol/files/firehol-1.226-to-250.patch
======================================
patching file firehol.sh
Hunk #1 FAILED at 10.
Hunk #5 FAILED at 171.
Hunk #43 FAILED at 5415.
Hunk #44 FAILED at 5601.
Hunk #47 FAILED at 5907.
Hunk #48 FAILED at 5990.
6 out of 49 hunks FAILED -- saving rejects to file firehol.sh.rej
======================================
PATCH COMMAND: patch -p2 -g0 -E --no-backup-if-mismatch < /usr/portage/net-firewall/firehol/files/firehol-1.226-to-250.patch
======================================
missing header for unified diff at line 4 of patch
can't find file to patch at input line 4
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff -Nur firehol-1.226/firehol.sh firehol-1.226.new/firehol.sh
|--- firehol-1.226/firehol.sh 2006-12-29 23:48:19.000000000 +0100
|+++ firehol-1.226.new/firehol.sh 2006-12-29 23:49:40.000000000 +0100
--------------------------
No file to patch. Skipping patch.
49 out of 49 hunks ignored
======================================
PATCH COMMAND: patch -p3 -g0 -E --no-backup-if-mismatch < /usr/portage/net-firewall/firehol/files/firehol-1.226-to-250.patch
======================================
missing header for unified diff at line 4 of patch
can't find file to patch at input line 4
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff -Nur firehol-1.226/firehol.sh firehol-1.226.new/firehol.sh
|--- firehol-1.226/firehol.sh 2006-12-29 23:48:19.000000000 +0100
|+++ firehol-1.226.new/firehol.sh 2006-12-29 23:49:40.000000000 +0100
--------------------------
No file to patch. Skipping patch.
49 out of 49 hunks ignored
======================================
PATCH COMMAND: patch -p4 -g0 -E --no-backup-if-mismatch < /usr/portage/net-firewall/firehol/files/firehol-1.226-to-250.patch
======================================
missing header for unified diff at line 4 of patch
can't find file to patch at input line 4
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff -Nur firehol-1.226/firehol.sh firehol-1.226.new/firehol.sh
|--- firehol-1.226/firehol.sh 2006-12-29 23:48:19.000000000 +0100
|+++ firehol-1.226.new/firehol.sh 2006-12-29 23:49:40.000000000 +0100
--------------------------
No file to patch. Skipping patch.
49 out of 49 hunks ignored
```

I don't think this is a mirror lag, the Changelog does mention the entry for "Fix invalid patch", but epatch still fails

I don't understand this. It works before I commit it to CVS, but it doesn't work afterwards. Let me take a look again and see what happens here.

I think I finally found out what happened, it was caused by the way I created the patches directly from the CVS-version and some automatic CVS-replacement that I was not aware of (Id-Tag), I hope this is finally fixed now.

*** Bug 159480 has been marked as a duplicate of this bug. ***

After latest sync, 1.250 emerges fine and works OK with bash 3.1 on hardened profile (confirms bug #139526 is finally stumped)

The new firehol now emerges fine and works smoothly with bash 3.2, thanks. Happy Holidays Everyone :)

Hi,

Check this:

```
# printf " %q\n" a b c "d e f g"
 a
 b
 c
 d\ e\ f\ g
```

while:

```
# printf " %b\n" a b c "d e f g"
 a
 b
 c
 d e f g
```

Note that %b loses the backslashes. Using %b instead of %q will break firehol in cases where the generated iptables commands need to have arguments with whitespaces in them.

Regards.
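The two quoting behaviours discussed in this report, side by side, as an added example that is not part of the bug report and not FireHOL's code. The function names are hypothetical, the sample words are constructed from the commands quoted above, and `build_safe` is one possible alternative (drop empty words, then quote with `%q`), not the change made in firehol 1.250.

```bash
#!/usr/bin/env bash
# Added example with constructed arguments; not FireHOL's code.
# printf %q is a bash extension: re-run under bash if another shell started us.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"

# Join words into one command string, as a rule generator would, using
# shell quoting (%q) or plain expansion (%b).
build_q() { printf ' %q' "$@"; }
build_b() { printf ' %b' "$@"; }

# Like build_q, but drop empty words first, so an unused optional slot
# (here the "!" negation before --state) never becomes a literal ''.
build_safe() {
    local word
    for word in "$@"; do
        [ -n "$word" ] && printf ' %q' "$word"
    done
    return 0
}

# Re-parse a generated string the way the shell does when running it,
# and report how many arguments the command would receive.
count_args() { echo "$#"; }
argc_after_eval() { eval "count_args $1"; }

# Constructed sample: the empty third word stands for "no negation".
rule=(-m state "" --state NEW,ESTABLISHED)
# Constructed sample from the last comment: one word containing whitespace.
spaced=(a b c "d e f g")

for builder in build_q build_b build_safe; do
    printf '%-10s rule:%s -> %s args\n' "$builder" \
        "$("$builder" "${rule[@]}")" \
        "$(argc_after_eval "$("$builder" "${rule[@]}")")"
    printf '%-10s spaced:%s -> %s args\n' "$builder" \
        "$("$builder" "${spaced[@]}")" \
        "$(argc_after_eval "$("$builder" "${spaced[@]}")")"
done
```

On bash 3.2 and later, `build_q` turns the empty word into `''`, which is the extra argument iptables rejected; `build_b` drops it but also splits the whitespace word into four.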