[Merge] ~mirespace/ubuntu/+source/corosync:sru-corosync-bionic-lp1677684-lp1437359 into ubuntu/+source/corosync:ubuntu/bionic-devel

Sergio Durigan Junior mp+409319 at code.launchpad.net
Tue Sep 28 21:06:23 UTC 2021 

On Tuesday, September 28 2021, Miriam EspaƱa Acebal wrote:

> Also, I noticed an error on lintian when building (that I suppose it has to be resolved before it can be SRU-processed):
>
> E: libtotem-pg5: symbols-file-contains-current-version-with-debian-revision on symbol crypto_get_current_sec_header_size at Base
> E: Lintian run failed (policy violation)

Hi Miriam,

This is not really a review, but just a reply to the question above.
This lintian error happens because the symbol
crypto_get_current_sec_header_size is not listed in the
d/libtotem-pg5.symbols file, as can be seen during the build:

...
dpkg-gensymbols: warning: some new symbols appeared in the symbols file: see diff output below
dpkg-gensymbols: warning: debian/libtotem-pg5/DEBIAN/symbols doesn't match completely debian/libtotem-pg5.symbols
--- debian/libtotem-pg5.symbols (libtotem-pg5_2.4.3-0ubuntu1.2_amd64)
+++ dpkg-gensymbolsnBsU7j       2021-09-28 20:47:44.575794305 +0000
@@ -10,6 +10,7 @@
  cipher_to_nss at Base 1.99.9
  crypto_authenticate_and_decrypt at Base 1.99.9
  crypto_encrypt_and_sign at Base 1.99.9
+ crypto_get_current_sec_header_size at Base 2.4.3-0ubuntu1.2
  crypto_init at Base 1.99.9
  crypto_sec_header_size at Base 1.99.9
  cypher_block_len at Base 1.99.9
...

As you can see, when a symbol is not present dpkg-gensymbols will add it
on-the-fly, but using the full package version (including the
Debian/Ubuntu-specific "-0ubuntu1.2" part) when determining the symbol
version.  This is why lintian is displaying the error.

Investigating a bit more led me to the following patch:

debian/patches/CVE-2018-1084-4.patch

This is the patch that actually added the new symbol.  It was added in
version 2.4.3-0ubuntu1.1; this means that it's not really possible to
use just the upstream version when specifying when the symbol first
appeared.  Fortunately, the lintian extended message covers this very
same scenario:

  [...] If the debian revision can't be stripped because the symbol
  really appeared between two specific Debian revisions, you should
  postfix the version with a single "~" (example: 1.0-3~ if the symbol
  appeared in 1.0-3).

Which means that, in this case, the right thing to do would be to add
the following line to d/libtotem-pg5.symbols:

  crypto_get_current_sec_header_size at Base 2.4.3-0ubuntu1.1~

If you were preparing an SRU just to fix this specific issue, I'd
probably tell you that it's not worth it.  In this case, however, you're
already SRU'ing some important fixes, so IMHO it's justifiable to also
include this small fix to the d/libtotem-pg5.symbols file.

Thanks,

-- 
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0  EB2F 106D A1C8 C3CB BF14

https://code.launchpad.net/~mirespace/ubuntu/+source/corosync/+git/corosync/+merge/409319
Your team Ubuntu Core Development Team is requested to review the proposed merge of ~mirespace/ubuntu/+source/corosync:sru-corosync-bionic-lp1677684-lp1437359 into ubuntu/+source/corosync:ubuntu/bionic-devel.

More information about the Ubuntu-reviews mailing list