Bug 1185471

Summary: /usr/lib/python2.7/site-packages/spf.py crashes on IPv6 addresses
Product: [Fedora] Fedora EPEL
Reporter: Peter Bieringer <pb>
Component: python-pyspf
Assignee: Paul Wouters <pwouters>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: epel7
CC: bugzilla, centos, fabian.arrotin, ggiesen+redhat, gnot, pwouters
Hardware: Unspecified
OS: Unspecified
Fixed In Version: python-pyspf-2.0.11-5.el7
Doc Type: Bug Fix
Last Closed: 2017-11-16 15:49:09 UTC
Type: Bug
Bug Depends On: 1208811

Description Peter Bieringer 2015-01-23 20:51:04 UTC
Description of problem:
While it works for IPv4, spf.py has issues with IPv6.

Version-Release number of selected component (if applicable):
python-pyspf-2.0.8-2.el7.noarch
also tested spf.py version 2.0.11 from upstream

How reproducible:
always

Steps to Reproduce:

cat <<END | /usr/libexec/postfix/policyd-spf
request=smtpd_access_policy
protocol_state=RCPT
protocol_name=SMTP
helo_name=client.domain.example
queue_id=8045F2AB23
instance=12345.6789
sender=pb
recipient=pb
client_address=2001:a60:143c:4501:0000:1234:5678:9abc
client_name=client.domain.example

END


Actual results:
Traceback (most recent call last):
  File "/usr/libexec/postfix/policyd-spf", line 680, in <module>
    instance_dict, configData, peruser)
  File "/usr/libexec/postfix/policyd-spf", line 517, in _spfcheck
    res = spf.check2(ip, sender, helo, querytime=configData.get('Lookup_Time'))
  File "/usr/lib/python2.7/site-packages/spf.py", line 297, in check2
    receiver=receiver,timeout=timeout,verbose=verbose,querytime=querytime).check()
  File "/usr/lib/python2.7/site-packages/spf.py", line 547, in check
    rc = self.check1(spf, self.d, 0)
  File "/usr/lib/python2.7/site-packages/spf.py", line 586, in check1
    return self.check0(spf, recursion)
  File "/usr/lib/python2.7/site-packages/spf.py", line 900, in check0
    if self.cidrmatch(self.dns_mx(arg), cidrlength):
  File "/usr/lib/python2.7/site-packages/spf.py", line 1194, in dns_mx
    return [a for mx in mxnames[:max] for a in self.dns_a(mx[1],self.A)]
  File "/usr/lib/python2.7/site-packages/spf.py", line 1206, in dns_a
    return [ipaddress.Bytes(ip) for ip in r]
AttributeError: 'module' object has no attribute 'Bytes'


Probably the workaround mentioned in the code is broken:

        if A == 'AAAA' and bytes is str:
          # work around pydns inconsistency plus python2 bytes/str ambiguity
          return [ipaddress.Bytes(ip) for ip in r]
        return r

Expected results:
Proper working as for IPv4


Additional Information:

SPF record for bieringer.de was validated using http://www.kitterman.com/spf/validate.html and is currently:

v=spf1 ip4:85.214.252.130 ip4:85.214.250.30 ip6:2001:a60:9002::/48 ip6:2001:4dd0:ff00:834::2 ip6:2a01:238:423d:8800:85b3:9e6b:3019:8909 ip4:85.214.150.73 ip4:85.214.153.25 ip6:2a01:238:4281:8600:812a:5915:8d24:58f3 mx -all


# dig +short MX bieringer.de
10 st1.bieringer.de.

# dig +short AAAA st1.bieringer.de
2a01:238:423d:8800:85b3:9e6b:3019:8909
2001:4dd0:ff00:834::2

# dig +short A st1.bieringer.de
85.214.252.130
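
Added example (not part of the original report and not pyspf's code): a minimal evaluation of the SPF record above against the client address from the reproduction steps, showing the result a working check should return instead of a traceback. It assumes the redacted sender's domain is bieringer.de and that the resolver returns A/AAAA data as packed bytes, as the quoted workaround suggests; RECORD, MX_ANSWERS, unpack and evaluate are names made up for this sketch, which uses Python 3's standard ipaddress module.

```python
import ipaddress

# SPF record for bieringer.de as quoted in the report.
RECORD = ("v=spf1 ip4:85.214.252.130 ip4:85.214.250.30 ip6:2001:a60:9002::/48 "
          "ip6:2001:4dd0:ff00:834::2 ip6:2a01:238:423d:8800:85b3:9e6b:3019:8909 "
          "ip4:85.214.150.73 ip4:85.214.153.25 "
          "ip6:2a01:238:4281:8600:812a:5915:8d24:58f3 mx -all")

# Constructed stand-in for DNS: the addresses of st1.bieringer.de from the dig
# output, as packed bytes (assumed form of the resolver's raw answer data).
MX_ANSWERS = [
    ipaddress.IPv6Address("2a01:238:423d:8800:85b3:9e6b:3019:8909").packed,
    ipaddress.IPv6Address("2001:4dd0:ff00:834::2").packed,
    ipaddress.IPv4Address("85.214.252.130").packed,
]
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def unpack(raw):
    """Convert packed address data to an address object; reject odd lengths."""
    if len(raw) == 16:
        return ipaddress.IPv6Address(raw)
    if len(raw) == 4:
        return ipaddress.IPv4Address(raw)
    raise ValueError("unexpected packed address length: %d" % len(raw))


def evaluate(record, client, mx_answers=MX_ANSWERS):
    """Evaluate the mechanisms this record uses (ip4, ip6, mx, all) in order."""
    ip = ipaddress.ip_address(client)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name in ("ip4", "ip6"):
            # A network of the other IP version never contains the client.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            matched = ip in [unpack(raw) for raw in mx_answers]
        elif name == "all":
            matched = True
        else:
            raise ValueError("mechanism not handled in this example: " + name)
        if matched:
            return QUALIFIERS[qualifier], term
    return "neutral", None                   # no mechanism matched


if __name__ == "__main__":
    # Client address from the reproduction steps.
    print(evaluate(RECORD, "2001:a60:143c:4501:0000:1234:5678:9abc"))
```

The reproduction address matches none of the ip4/ip6 terms and is not one of the MX host's addresses, so evaluation falls through to the final -all term.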

Comment 1 Peter Bieringer 2015-01-25 22:56:35 UTC
After some investigation, it looks like the code was not properly tested with

# rpm -q python-ipaddr.noarch
python-ipaddr-2.1.9-5.el7.noarch
(which is included in the base repo)

and is included by

try:
    # Python standard library as of python3.3
    import ipaddress
except ImportError:
    try:
        import ipaddr as ipaddress
    except ImportError:
        print('ipaddr module required: http://code.google.com/p/ipaddr-py/')

python-ipaddr simply has no Bytes() method included

Python on CentOS7 is 2.7

A short test with pyspf-2.0.7.tar.gz shows that this version is working... so either the RPM needs to be downgraded to a lower version or the code must be fixed somehow to get the consistency back.

Comment 2 Peter Bieringer 2015-01-27 05:47:35 UTC
Same issue with 2.0.11 which was pushed to EPEL now:

# LC_ALL=C rpm -qa --last|grep pyspf
python-pyspf-2.0.11-1.el7.noarch              Tue Jan 27 00:02:18 2015

# rpm -V python-pyspf
(no output)

    return [ipaddress.Bytes(ip) for ip in r]
AttributeError: 'module' object has no attribute 'Bytes'

Comment 3 George Notaras 2015-04-03 09:41:44 UTC
The problem is with python-ipaddr. I rebuilt the current rawhide package (2.1.10-2) for CentOS 7 and I confirm it resolves the issue.

Also monitor #1208811 and update this issue accordingly.

Comment 4 George Notaras 2017-01-17 22:42:51 UTC
According to my experiments, the solution to this problem involves the following steps:

1. Completely removing the python-ipaddress package from the system.
2. Upgrading python-ipaddr to version 2.1.10 or newer.

pyspf does not work correctly with python-ipaddress under Python 2. I also had problems with some scripts of mine which tried to use this module under Python 2.

Instead, everything works fine with the python-ipaddr module, which by the way seems to have the same internal API as the ipaddress module.

Under the current conditions, the removal of the python-ipaddress package and the addition of an exclusion about it in yum.conf, so as to prevent it from being installed as a dependency by some other package, seems to be the way to go.

Comment 5 Dimitris 2017-04-22 07:50:59 UTC
Hello,

I hit this bug with both CentOS 7.3 and Fedora 25, while running SPF checks with policyd-spf.

For example, running the following under both CentOS and Fedora causes a Traceback:

python /usr/lib/python2.7/site-packages/spf.py 2600:3c00::f03c:91ff:fedf:57ab forum-admin mail2.linode.com


Apparently, the python-ipaddr-2.1.9-5.el7.noarch package in CentOS 7.3 is too old and causes the Traceback, as already reported by others.

I found another relevant bug report here:
https://bugzilla.redhat.com/show_bug.cgi?id=1417701

But so far there has been no fix in EPEL.


The fix for Fedora 25 is slightly different, because it uses the python-ipaddress package, which is an entirely different thing.

Comment 6 Fabian Arrotin 2017-04-22 07:58:29 UTC
Dimitris: as we had the same issue for CentOS infra, I built and deployed an updated version of python-ipaddr: https://cbs.centos.org/koji/packageinfo?packageID=5152
That's what we use currently (even on our CentOS 6 nodes that do SPF checks)

Hope that it helps

Comment 7 Fedora Update System 2017-10-30 16:57:26 UTC
python-pyspf-2.0.11-3.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-aded0ed528

Comment 8 Fedora Update System 2017-10-31 02:35:43 UTC
pypolicyd-spf-1.3.2-3.el7 python-pyspf-2.0.11-4.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-aded0ed528

Comment 9 Fedora Update System 2017-11-01 17:13:10 UTC
pypolicyd-spf-1.3.2-3.el7, python-pyspf-2.0.11-4.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2017-11-01 19:28:06 UTC
pypolicyd-spf-1.3.2-5.el7 python-pyspf-2.0.11-5.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-aded0ed528

Comment 11 Fedora Update System 2017-11-03 14:10:56 UTC
pypolicyd-spf-1.3.2-5.el7, python-pyspf-2.0.11-5.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2017-11-16 15:49:09 UTC
pypolicyd-spf-1.3.2-5.el7, python-pyspf-2.0.11-5.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.