authorStefan Fritsch <sf@sfritsch.de>2016-08-10 11:25:19 +0200
committerStefan Fritsch <sf@sfritsch.de>2016-08-10 11:29:30 +0200
commit237b6b842b3eb4674a6b09d456290d6a0905043d (patch)
tree2b68cbdb50c3b3c060a140cebda3ac092ed021b4
parent5eb37e95631674bdac6e0ba4d2d0f0fe1894917a (diff)
downloadapache2-237b6b842b3eb4674a6b09d456290d6a0905043d.tar.gz
Fix conffiles from wheezy upgrade
Some conffiles may have got the wrong content during the upgrade from wheezy to early jessie versions. In order to fix this without dpkg prompting the user, we need to replace those conffiles during preinst. Unfortunately, in preinst the package is not yet unpacked, so we cannot access any of its files. Therefore, the correct conffile content is embedded in a base64-encoded tarball in the preinst script.
-rw-r--r--debian/apache2.postinst20
-rw-r--r--debian/apache2.preinst.in96
-rw-r--r--debian/changelog7
-rw-r--r--debian/clean3
-rwxr-xr-xdebian/create_preinst32
-rwxr-xr-xdebian/rules17
6 files changed, 174 insertions, 1 deletions
diff --git a/debian/apache2.postinst b/debian/apache2.postinst
index b00075fa..7063dfa8 100644
--- a/debian/apache2.postinst
+++ b/debian/apache2.postinst
@@ -240,9 +240,29 @@ execute_deferred_actions ()
rm /var/lib/apache2/deferred_actions
}
+list_fixup_conffiles () {
+ cat <<- EOF
+ /etc/bash_completion.d/apache2
+ /etc/apache2/sites-available/000-default.conf
+ /etc/apache2/sites-available/default-ssl.conf
+ /etc/apache2/conf-available/charset.conf
+ /etc/apache2/conf-available/localized-error-pages.conf
+ /etc/apache2/conf-available/other-vhosts-access-log.conf
+ /etc/apache2/conf-available/security.conf
+ EOF
+}
+
case "$1" in
configure)
+ if dpkg --compare-versions "$2" lt-nl "2.4.23-3~" ; then
+ list_fixup_conffiles | while read FILE ; do
+ if [ -e "${FILE}.dpkg-remove-fixup" ] ; then
+ echo "Removing backup copy of $FILE"
+ rm "${FILE}.dpkg-remove-fixup"
+ fi
+ done
+ fi
enable_default_mpm $@
refresh_modules $@
install_default_files $@
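Review bot: The path list in `list_fixup_conffiles` is a second copy of the one in debian/apache2.preinst.in, and nothing ties the two together; a path present in the preinst list but missing here would leave its `.dpkg-remove-fixup` backup in /etc indefinitely. A comment above the function such as `# Keep in sync with list_fixup_conffiles in debian/apache2.preinst.in` would make that dependency visible. The loop would also be more robust as `while read -r FILE ; do`, so that a backslash in a path is not interpreted. The `case` block continues outside the hunk.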
diff --git a/debian/apache2.preinst.in b/debian/apache2.preinst.in
new file mode 100644
index 00000000..1139f9b6
--- /dev/null
+++ b/debian/apache2.preinst.in
@@ -0,0 +1,96 @@
+#! /bin/bash
+# preinst script for apache2
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <new-preinst> `install'
+# * <new-preinst> `install' <old-version>
+# * <new-preinst> `upgrade' <old-version>
+# * <old-preinst> `abort-upgrade' <new-version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+FIXUP_TEMPFILE=
+
+
+list_fixup_conffiles () {
+ cat <<- EOF
+ /etc/bash_completion.d/apache2 6a5f85e62655f6b5c8fa0f95c7c35c9c removed
+ /etc/apache2/sites-available/000-default.conf 2cc450cf300a880abbc3767fc002477d
+ /etc/apache2/sites-available/default-ssl.conf 196d150beeaeaf845ece50d7e84e12de
+ /etc/apache2/conf-available/charset.conf e6fbb8adf631932851d6cc522c1e48d7
+ /etc/apache2/conf-available/localized-error-pages.conf 844ba27ddb794fc6967bfb56b950e6a8
+ /etc/apache2/conf-available/other-vhosts-access-log.conf 2cad303fc4221d6b0068a8b37597b9fb
+ /etc/apache2/conf-available/security.conf 0f644d9d04ad556f44f1e65674bc07dc
+ EOF
+}
+
+create_fixup_conffiles_tgz () {
+ FIXUP_TEMPFILE=$(mktemp)
+ base64 -d > $FIXUP_TEMPFILE << EOF
+XXX_FIXUP_CONFFILES_BASE64_XXX
+EOF
+}
+
+extract_fixup_conffile () {
+ local FILE=$1
+ local BASENAME=${FILE##*/}
+ tar -xz -O -f $FIXUP_TEMPFILE $BASENAME > $FILE
+}
+
+replace_broken_conffiles () {
+ local FILE
+ local MD5
+ create_fixup_conffiles_tgz
+ while read FILE MD5 REMOVED ; do
+ if [ -f "$FILE" ] && md5sum "$FILE" | grep -q "^$MD5 " ; then
+ echo "Replacing broken conffile ${FILE}."
+ mv "$FILE" "${FILE}.dpkg-remove-fixup"
+ if [ -z "$REMOVED" ] ; then
+ extract_fixup_conffile "$FILE"
+ fi
+ fi
+ done
+ rm -f "$FIXUP_TEMPFILE"
+}
+
+revert_broken_conffiles () {
+ local FILE
+ local MD5
+ local REMOVE
+ while read FILE MD5 REMOVED; do
+ if [ -f "$FILE.dpkg-remove-fixup" ]; then
+ echo "Moving broken conffile $FILE back."
+ mv "${FILE}.dpkg-remove-fixup" "$FILE"
+ fi
+ done
+}
+
+case "$1" in
+ upgrade)
+
+ if dpkg --compare-versions "$2" lt-nl "2.4.23-3~" ; then
+ list_fixup_conffiles | replace_broken_conffiles
+ fi
+
+ ;;
+
+ abort-upgrade)
+ list_fixup_conffiles | revert_broken_conffiles
+ ;;
+
+ *)
+ echo "preinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
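Review bot: In `extract_fixup_conffile`, the redirection `> $FILE` creates the live conffile before tar has succeeded, so a failed extraction under `set -e` appears to leave an empty file in place (security.conf, for example) with the original already moved aside. Writing to a sibling name first and renaming avoids that, and the expansions should be quoted: `tar -xz -O -f "$FIXUP_TEMPFILE" "$BASENAME" > "${FILE}.dpkg-tmp-fixup"` followed by `mv "${FILE}.dpkg-tmp-fixup" "$FILE"`. The recreated file also takes its mode from whatever umask is in effect when dpkg runs rather than from the package, which deserves a comment or an explicit `chmod`. In `revert_broken_conffiles`, `local REMOVE` does not match the `REMOVED` that `read` assigns. As far as I understand dpkg's error unwind, a failing new preinst is followed by `postrm abort-upgrade` rather than `preinst abort-upgrade`, so it is worth confirming that the revert branch is actually reached for the upgrade it is meant to cover.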
diff --git a/debian/changelog b/debian/changelog
index 0481ed67..1787aadf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+apache2 (2.4.23-3) UNRELEASED; urgency=low
+
+ * Fix conffiles that may have got the wrong content during upgrade from
+ wheezy to early jessie versions. Closes: #794933
+
+ -- Stefan Fritsch <sf@debian.org> Wed, 10 Aug 2016 11:25:02 +0200
+
apache2 (2.4.23-2) unstable; urgency=high
* CVE-2016-5387: Sets environmental variable based on user supplied Proxy
diff --git a/debian/clean b/debian/clean
index d49752e4..ae27f642 100644
--- a/debian/clean
+++ b/debian/clean
@@ -15,5 +15,8 @@ debian/config-dir/apache2.conf
debian/manpages/a2query.8
debian/manpages/dh_apache2.1
debian/debhelper/dh_apache2
+debian/apache2.preinst
+debian/fixup_conffiles.b64
+debian/fixup_conffiles.tgz
config.nice
support/suexec-custom.c
diff --git a/debian/create_preinst b/debian/create_preinst
new file mode 100755
index 00000000..1f30072a
--- /dev/null
+++ b/debian/create_preinst
@@ -0,0 +1,32 @@
+#!/usr/bin/perl
+#
+# This script embeds a base64 encoded tarball into apache2.preinst.
+# See #794933
+
+use strict;
+use warnings;
+use autodie;
+
+
+sub readfile
+{
+ my $fname = shift;
+ local $/;
+ open(my $fd, "<", $fname);
+ my $content = <$fd>;
+ return $content;
+}
+
+sub writefile
+{
+ my $fname = shift;
+ my $content = shift;
+ open(my $fd, ">", $fname);
+ print $fd $content;
+}
+
+my $preinst = readfile("debian/apache2.preinst.in");
+my $embed = readfile("debian/fixup_conffiles.b64");
+
+$preinst =~ s/XXX_FIXUP_CONFFILES_BASE64_XXX/$embed/;
+writefile("debian/apache2.preinst", $preinst);
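Review bot: The substitution on `$preinst` is not checked, so if the placeholder is ever renamed in apache2.preinst.in the build silently produces a preinst without the embedded tarball; `$preinst =~ s/XXX_FIXUP_CONFFILES_BASE64_XXX/$embed/ or die "placeholder not found in apache2.preinst.in\n";` turns that into a build failure. `writefile` also never closes `$fd`, and `print` is not covered by `autodie`, so buffered data is only flushed at the implicit close, where errors are dropped; adding `close($fd);` as the last statement of the sub lets autodie report a failed write. Since this script generates a maintainer script that runs as root, a one-line comment on each sub (`readfile` slurps the whole file, `writefile` overwrites the target) would also help readers.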
diff --git a/debian/rules b/debian/rules
index b754534c..f68de5bd 100755
--- a/debian/rules
+++ b/debian/rules
@@ -45,6 +45,21 @@ prebuild-checks:
false ; \
fi
+debian/fixup_conffiles.tgz: \
+ debian/config-dir/sites-available/000-default.conf \
+ debian/config-dir/sites-available/default-ssl.conf \
+ debian/config-dir/conf-available/charset.conf \
+ debian/config-dir/conf-available/localized-error-pages.conf \
+ debian/config-dir/conf-available/other-vhosts-access-log.conf \
+ debian/config-dir/conf-available/security.conf
+ tar --transform 's,.*/,,' -cz -f $@ $^
+
+debian/fixup_conffiles.b64: debian/fixup_conffiles.tgz
+ base64 < $< > $@
+
+debian/apache2.preinst: debian/apache2.preinst.in debian/fixup_conffiles.b64 debian/create_preinst
+ debian/create_preinst
+
clean-config-vars:
# Clean up config_vars.mk
# FIXME: Maybe someone could document here why we actually need to
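Review bot: The `tar` call for debian/fixup_conffiles.tgz records each member's mtime and the build user's owner and group, so the base64 blob embedded in the preinst probably differs from build to build and cannot be compared byte-for-byte against the sources. Pinning the metadata, e.g. `tar --transform 's,.*/,,' --mtime="@$(SOURCE_DATE_EPOCH)" --owner=0 --group=0 --numeric-owner -cz -f $@ $^`, would make the generated maintainer script easier to reproduce and audit; whether SOURCE_DATE_EPOCH is exported in this rules file is not visible in the hunk. The transform flattens every member to its basename, so a comment above the target noting that the listed files must have unique basenames and must match `list_fixup_conffiles` in debian/apache2.preinst.in would document the two constraints the recipe relies on.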
@@ -59,7 +74,7 @@ prepare-scripts: debian/a2query debian/debhelper/dh_apache2
(grep -s -v apache2:API debian/apache2-bin.substvars; echo apache2:API=apache2-api-$(API)) > debian/apache2-bin.substvars.new
mv debian/apache2-bin.substvars.new debian/apache2-bin.substvars
-generate-maintainer-scripts:
+generate-maintainer-scripts: debian/apache2.preinst
set -e ; \
for type in custom pristine ; do \
for f in postinst preinst prerm links dirs lintian-overrides postrm; do \