Bug#880630: jessie-pu: package liblouis/2.5.3-3
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hello,

Bug#880621 reports that Jessie is affected by CVE-2014-8184. I'm proposing to upload there the RedHat fix plus a fix for that fix (it didn't actually take care of issues in the strncpy call). Debdiff is attached.

Samuel

-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-debug'), (500, 'oldoldstable'), (500, 'buildd-unstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental-debug'), (1, 'buildd-experimental'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru liblouis-2.5.3/debian/changelog liblouis-2.5.3/debian/changelog --- liblouis-2.5.3/debian/changelog 2014-06-24 23:33:27.0 +0200 +++ liblouis-2.5.3/debian/changelog 2017-11-03 01:14:02.0 +0100 @@ -1,3 +1,10 @@ +liblouis (2.5.3-3+deb8u1) jessie; urgency=medium + + * Apply RedHat's patch to fix CVE-2014-8184 (Closes: Bug#880621). + * Fix RedHat's patch. + + -- Samuel ThibaultFri, 03 Nov 2017 01:14:02 +0100 + liblouis (2.5.3-3) unstable; urgency=low [ Samuel Thibault ] diff -Nru liblouis-2.5.3/debian/patches/CVE-2014-8184 liblouis-2.5.3/debian/patches/CVE-2014-8184 --- liblouis-2.5.3/debian/patches/CVE-2014-8184 1970-01-01 01:00:00.0 +0100 +++ liblouis-2.5.3/debian/patches/CVE-2014-8184 2017-11-03 01:14:02.0 +0100 
@@ -0,0 +1,99 @@ +https://github.com/liblouis/liblouis/issues/425 +https://bugzilla.redhat.com/show_bug.cgi?id=1492701 +https://access.redhat.com/errata/RHSA-2017:3111 + +From 2fe2b279994e3ed70bae461e284702cc1c7d4665 Mon Sep 17 00:00:00 2001 +From: Raphael Sanchez Prudencio +Date: Mon, 18 Sep 2017 18:44:31 +0200 +Subject: [PATCH 5/7] Fix multiple stack-based buffer overflows in findTable(). + +Fixes CVE-2014-8184. +--- + liblouis/compileTranslationTable.c | 35 +++ + 1 file changed, 11 insertions(+), 24 deletions(-) + +diff --git a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c +index ec4963f0..25c0208f 100644 +--- a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c +@@ -4502,8 +4502,7 @@ findTable (const char *tableName) + char trialPath[MAXSTRING]; + if (tableName == NULL || tableName[0] == 0) + return NULL; +- strcpy (trialPath, tablePath); +- strcat (trialPath, tableName); ++ snprintf (trialPath, MAXSTRING-1, "%s%s", tablePath, tableName); + if ((tableFile = fopen (trialPath, "rb"))) + return tableFile; + pathEnd[0] = DIR_SEP; +@@ -4522,18 +4521,15 @@ findTable (const char *tableName) + break; + if (k == listLength || k == 0) + { /* Only one file */ +- strcpy (trialPath, pathList); +- strcat (trialPath, pathEnd); +- strcat (trialPath, tableName); ++ snprintf (trialPath, MAXSTRING-1, "%s%s%s", pathList, pathEnd, tableName); + if ((tableFile = fopen (trialPath, "rb"))) + break; + } + else + { /* Compile a list of files */ +- strncpy (trialPath, pathList, k); +- trialPath[k] = 0; +- strcat (trialPath, pathEnd); +- strcat (trialPath, tableName); ++ char path[MAXSTRING]; ++ strncpy (path, pathList, k); ++ snprintf (trialPath, MAXSTRING-1, "%s%s%s", path, pathEnd, tableName); + currentListPos = k + 1; + if ((tableFile = fopen (trialPath, "rb"))) + break; +@@ -4542,11 +4538,8 @@ findTable (const char *tableName) + for (k = currentListPos; k < listLength; k++) + if (pathList[k] == ',') + break; +- strncpy (trialPath, +- 
[currentListPos], k - currentListPos); +- trialPath[k - currentListPos] = 0; +- strcat (trialPath, pathEnd); +- strcat (trialPath, tableName); ++ strncpy (path, [currentListPos], k - currentListPos); ++ snprintf (trialPath, MAXSTRING-1, "%s%s%s", path, pathEnd, tableName); + if ((tableFile = fopen (trialPath, "rb"))) + currentListPos = k + 1; + break; +@@ -4564,26 +4557,20 @@ findTable (const char *tableName) + pathList = lou_getDataPath (); + if (pathList) + { +- strcpy (trialPath, pathList); +- strcat (trialPath, pathEnd); + #ifdef _WIN32 +- strcat (trialPath, "liblouis\\tables\\"); ++ snprintf (trialPath, MAXSTRING-1, "%s%sliblouis\\tables\\%s",
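Review bot: style point for the first hunk (4502): `snprintf (trialPath, MAXSTRING-1, "%s%s", tablePath, tableName);` passes one byte less than the buffer holds; snprintf's size argument already accounts for the terminating NUL, so `sizeof trialPath` is the idiomatic bound and avoids repeating the constant in every call. Harmless on its own, but the same `MAXSTRING-1` is then copied into every later hunk of the patch.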
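Review bot: in the hunk at 4521 the replacement `strncpy (path, pathList, k);` leaves `path` unterminated: `k` is the position of the separating comma in `pathList` (the search loop in this function breaks on `','`, as the next hunk shows), so strncpy copies exactly k bytes and never writes a NUL, and the original `trialPath[k] = 0;` is dropped instead of being carried over as `path[k] = 0;`. The following `snprintf (trialPath, MAXSTRING-1, "%s%s%s", path, pathEnd, tableName);` then reads `path` as a C string and walks off the end of the copied bytes into whatever else is on the stack. Add `path[k] = 0;` after the copy, and clamp `k` to `sizeof path - 1` before it, since nothing in this hunk bounds the comma position against MAXSTRING before copying into the fixed-size `path`.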
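Review bot: the hunk at 4538 has the same termination gap: its `strncpy (path, ..., k - currentListPos);` copies up to the next comma without writing a NUL into `path`, and the old `trialPath[k - currentListPos] = 0;` is removed rather than turned into `path[k - currentListPos] = 0;`. This hunk also relies on `path`, which the previous hunk declares as `char path[MAXSTRING];` inside the `{ /* Compile a list of files */` block; the context shown here does not establish that this loop is inside that block, so confirm the declaration is in scope (or hoist it to the top of findTable next to `trialPath`). As in the previous hunk, bound `k - currentListPos` by `sizeof path - 1`.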
Bug#880622: stretch-pu: package python-arpy/1.1.1-2
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

This is a simple fix for python-arpy (missing dependencies) already tested in unstable+testing for a while. debdiff is attached.

Christoph

-- System Information:
Debian Release: 9.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.12.0-0.bpo.2-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru python-arpy-1.1.1/debian/changelog python-arpy-1.1.1/debian/changelog --- python-arpy-1.1.1/debian/changelog 2013-08-03 12:05:18.0 +0200 +++ python-arpy-1.1.1/debian/changelog 2017-11-02 22:14:48.0 +0100 @@ -1,3 +1,14 @@ +python-arpy (1.1.1-2+deb9u1) stretch; urgency=low + + [ Scott Kitterman ] + * Correct substitution variable for python3 interpreter depends (Closes: +#867418) + + [ Christoph Egger ] + * Upload to stable + + -- Christoph EggerThu, 02 Nov 2017 22:14:48 +0100 + python-arpy (1.1.1-2) unstable; urgency=low * Add python3 support diff -Nru python-arpy-1.1.1/debian/control python-arpy-1.1.1/debian/control --- python-arpy-1.1.1/debian/control2013-08-03 11:59:45.0 +0200 +++ python-arpy-1.1.1/debian/control2017-11-02 22:12:29.0 +0100 @@ -28,7 +28,7 @@ Architecture: all Depends: ${shlibs:Depends}, ${misc:Depends}, - ${python:Depends} + ${python3:Depends} Provides: ${python:Provides} Description: library for accessing "ar" archives arpy is a library for accessing the archive files and reading the
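Review bot: the control hunk at line 28 switches `Depends` from `${python:Depends}` to `${python3:Depends}` but leaves `Provides: ${python:Provides}` two lines below untouched in the same stanza. The `Package:` line is outside the hunk context, but a python3 interpreter dependency implies this is the python3 binary package, and for that package the python2 helper's `${python:Provides}` substvar is never filled; either use the python3 helper's equivalent substvar or drop the `Provides` line, so the stanza does not keep a stale python2 substitution alongside the corrected python3 one.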
Bug#878685: stretch-pu: package udftools/1.3-2
On Sunday 29 October 2017 18:19:53 Adam D. Barratt wrote:
> Please prepare an upload built and tested on stable, using "stretch" as
> the changelog distribution, and versioned as either 1.3-1+deb9u1 or
> 1.3-2~deb9u1, depending on how the changelog is structured, and attach
> the debdiff to this bug log.

Ok. I uploaded package version 1.3-2~deb9u1 to mentors, it is there: https://mentors.debian.net/package/udftools

debdiff between current version in stretch and 1.3-2~deb9u1 is attached.

-- 
Pali Rohár
pali.ro...@gmail.com

diff -Nru udftools-1.3/debian/changelog udftools-1.3/debian/changelog --- udftools-1.3/debian/changelog 2017-01-24 00:28:05.0 +0100 +++ udftools-1.3/debian/changelog 2017-10-03 21:41:57.0 +0200 @@ -1,3 +1,9 @@ +udftools (1.3-2~deb9u1) stretch; urgency=low + + * Fix path to pktsetup in udftools init script + + -- Pali RohárTue, 03 Oct 2017 21:41:57 +0200 + udftools (1.3-1) unstable; urgency=low * New upstream release diff -Nru udftools-1.3/debian/udftools.init udftools-1.3/debian/udftools.init --- udftools-1.3/debian/udftools.init 2017-01-24 00:26:46.0 +0100 +++ udftools-1.3/debian/udftools.init 2017-10-03 21:40:26.0 +0200 @@ -30,7 +30,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin DESC="udftools packet writing" -PKTSETUP=/usr/bin/pktsetup +PKTSETUP=/usr/sbin/pktsetup DEFAULTFILE=/etc/default/udftools DEVICES="" NEWINTNAMES="0 1 2 3"
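Review bot: the changelog hunk's entry `* Fix path to pktsetup in udftools init script` cites no bug number; if a bug report tracks the broken `/usr/bin/pktsetup` path, add `(Closes: #NNNNNN)` (placeholder, the number is not in this diff) so the stable upload closes it and the release team can judge the severity from the entry. For the init hunk itself, `PATH=/sbin:/bin:/usr/sbin:/usr/bin` two lines above already includes `/usr/sbin`, so the hardcoded `PKTSETUP=/usr/sbin/pktsetup` is consistent with the script's existing style; it is worth confirming from the package's file list that the stretch udftools installs pktsetup at that path and not at the old one.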
RFC/RFR: Add a britney policy for checking Build-Depends and Build-Depends-Arch
Hi,

I have written a [feature branch] for adding a policy in Britney to check that dependencies in Build-Depends and Build-Depends-Arch are satisfiable - either in testing or in unstable with the unstable version looking like it can migrate.

 * This patch is a partial solution that only covers Build-Depends and Build-Depends-Arch. The omission of Build-Depends-Indep is somewhat deliberate (as we do not have a well-defined "arch:all" build architecture). Even without Build-Depends-Indep, this patch will cover >= 75% of all source packages fully and partially cover the remaining ones[BDI-NUMBERS]

 * This will enable us to avoid /some/ situations, where auto-removed packages can re-enter testing despite their build-dependencies being stuck in unstable. This will improve even further once support for Build-Depends-Indep lands.

Limitations in scope:
=====================

First, the patches do not intend to cover Build-Depends-Indep. That will come in a later patch (and probably wait a bit while we try this changeset for a while).

Secondly: This approach will _not_ ensure that testing is/remains self-contained in regards to build-depends even once support for Build-Depends-Indep lands. This is because a policy only decides if a package is permitted to migrate. The actual migration happens in a separate step and that part does not consider build-dependencies.

This omission is deliberate for now for several reasons:

 * It is harder to implement that logic and reason about the consequences.
 * It is harder to implement ways to provide fine-grained overrides for that part of britney. (NB: The patchset does not define an override hint, but adding one would be very easy.)
 * The proposed solution is sufficient for the purpose of keeping testing RC bug free and (mostly) self-contained.
 * Finally, with the current approach the build-dependency issues will be visible for maintainers (via the excuses-page on e.g. tracker.d.o).

Tests and results
=================

I have added 6 tests in the build-deps-support branch of britney2-tests to cover this functionality. Among others, there are test cases showing that:

 * Packages can migrate if Build-Depends are not satisfiable on an architecture provided there are no binaries produced on that architecture.
 * Architecture-specific Build-Depends only apply to the listed architectures.
 * Packages do not migrate if their build-dependencies are stuck, also if the issue is indirect.

Furthermore, running the live-data tests with these patches applied showed that the number of migrations affected was on the order of 8-10 (accumulated over all live-data test cases, where we have a baseline result). As such, I am not overly concerned that the patches will become a major issue for us in their current form.

Future
======

Assuming there are no major issues raised in response to this RFC/RFR, I intend to merge these patches and deploy them live to see how it goes.

 * Deadline for initial review: 11/11
 * I am happy with extending the deadline or deferring the merge on request.

Thanks,
~Niels

-- 
References/notes

[feature branch]: https://anonscm.debian.org/cgit/users/nthykier/britney.git/log/?h=gate-missing-build-depends

For convenience, the original patches are also attached. However, I do not plan to re-issue patches based on review comments or fixes. These will be applied to the branch (which will be rebased every now and then).

[BDI-NUMBERS] Based on the following query: https://codesearch.debian.net/search?q=Build-Depends-Indep+path%3A%2Fdebian%2Fcontrol=1

It shows ~1200 pages and in the "per package" view, there are 5 unique source packages per page. This gives ~6000 source packages with a Build-Depends-Indep, which is (roughly) 25% of the ~25,000 source packages mentioned in the release announcement of stretch. https://lists.debian.org/debian-announce/2017/msg3.html

From c537f0554f56bfad5bce54e03b61f037bb245e3a Mon Sep 17 00:00:00 2001 
From: Niels ThykierDate: Wed, 1 Nov 2017 21:09:23 + Subject: [PATCH 1/2] Move PolicyVerdict to britney2.policies --- britney.py| 3 ++- britney2/policies/__init__.py | 53 + britney2/policies/policy.py | 55 +-- britney2/utils.py | 2 +- 4 files changed, 57 insertions(+), 56 deletions(-) diff --git a/britney.py b/britney.py index ef3a8f2..c617ac0 100755 --- a/britney.py +++ b/britney.py @@ -197,7 +197,8 @@ from britney2.excuse import Excuse from britney2.hints import HintParser from britney2.installability.builder import build_installability_tester from britney2.migrationitem import MigrationItem -from britney2.policies.policy import AgePolicy, RCBugPolicy, PiupartsPolicy, PolicyVerdict +from britney2.policies import PolicyVerdict +from britney2.policies.policy import AgePolicy, RCBugPolicy,
Bug#880439: stretch-pu: package getmail4/4.53.0-1+deb9u1
Hi,

On Tue, Oct 31, 2017 at 04:05:01PM +, Adam D. Barratt wrote:
> On 2017-10-31 14:40, Osamu Aoki wrote:
> > I just uploaded to the stable-proposed-upload.
>
> Unfortunately you used an inappropriate version number, so I've flagged the
> package for rejection.

Thanks.

> Currently unstable has version 4.53.0-2. The version you used -
> 4.53.0-2+deb9u1 is *higher* than the unstable version, which is wrong. A
> backport to stable of that version should be 4.53.0-2~deb9u1, in the same
> way as backports uses ~.

I just uploaded as 4.53.0-1+deb9u1 instead. (I should have read your message carefully. I followed previous security upload version style. I hope this is also OK.)

> Please also use "stretch" as the changelog distribution, rather than
> "stable".

Done.

Osamu