Bug#880630: jessie-pu: package liblouis/2.5.3-3

2017-11-02 Thread Samuel Thibault
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hello,

Bug#880621 reports that Jessie is affected by CVE-2014-8184.  I'm
proposing to upload there the RedHat fix plus a fix for that fix (it
didn't actually take care of issues in the strncpy call). Debdiff is
attached.

Samuel

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-debug'), (500, 'oldoldstable'), (500, 
'buildd-unstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 
'experimental-debug'), (1, 'buildd-experimental'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru liblouis-2.5.3/debian/changelog liblouis-2.5.3/debian/changelog
--- liblouis-2.5.3/debian/changelog 2014-06-24 23:33:27.0 +0200
+++ liblouis-2.5.3/debian/changelog 2017-11-03 01:14:02.0 +0100
@@ -1,3 +1,10 @@
+liblouis (2.5.3-3+deb8u1) jessie; urgency=medium
+
+  * Apply RedHat's patch to fix CVE-2014-8184 (Closes: Bug#880621).
+  * Fix RedHat's patch.
+
+ -- Samuel Thibault   Fri, 03 Nov 2017 01:14:02 +0100
+
 liblouis (2.5.3-3) unstable; urgency=low
 
   [ Samuel Thibault ]
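Review bot: The second changelog entry, "Fix RedHat's patch", does not say what was wrong with that patch; since this is the record that will ship in jessie, name the defect (the cover mail says the strncpy calls were not taken care of), e.g. "Fix missing length check and NUL termination in the strncpy calls of RedHat's patch." Note also that the quoted debdiff only shows the new debian/patches/CVE-2014-8184 file, so whichever file carries that second fix should appear in the attachment as well.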
diff -Nru liblouis-2.5.3/debian/patches/CVE-2014-8184 
liblouis-2.5.3/debian/patches/CVE-2014-8184
--- liblouis-2.5.3/debian/patches/CVE-2014-8184 1970-01-01 01:00:00.0 
+0100
+++ liblouis-2.5.3/debian/patches/CVE-2014-8184 2017-11-03 01:14:02.0 
+0100
@@ -0,0 +1,99 @@
+https://github.com/liblouis/liblouis/issues/425
+https://bugzilla.redhat.com/show_bug.cgi?id=1492701
+https://access.redhat.com/errata/RHSA-2017:3111
+
+From 2fe2b279994e3ed70bae461e284702cc1c7d4665 Mon Sep 17 00:00:00 2001
+From: Raphael Sanchez Prudencio 
+Date: Mon, 18 Sep 2017 18:44:31 +0200
+Subject: [PATCH 5/7] Fix multiple stack-based buffer overflows in findTable().
+
+Fixes CVE-2014-8184.
+---
+ liblouis/compileTranslationTable.c | 35 +++
+ 1 file changed, 11 insertions(+), 24 deletions(-)
+
+diff --git a/liblouis/compileTranslationTable.c 
b/liblouis/compileTranslationTable.c
+index ec4963f0..25c0208f 100644
+--- a/liblouis/compileTranslationTable.c
 b/liblouis/compileTranslationTable.c
+@@ -4502,8 +4502,7 @@ findTable (const char *tableName)
+   char trialPath[MAXSTRING];
+   if (tableName == NULL || tableName[0] == 0)
+ return NULL;
+-  strcpy (trialPath, tablePath);
+-  strcat (trialPath, tableName);
++  snprintf (trialPath, MAXSTRING-1, "%s%s", tablePath, tableName);
+   if ((tableFile = fopen (trialPath, "rb")))
+ return tableFile;
+   pathEnd[0] = DIR_SEP;
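Review bot: The snprintf that replaces the strcpy/strcat pair passes MAXSTRING-1 as the size, but snprintf already reserves room for the terminating NUL within the size it is given, so MAXSTRING is the natural argument and the odd value suggests the semantics were misread. More importantly the return value is not checked: when tablePath plus tableName does not fit, the path is silently truncated and fopen is tried on a wrong name. Suggest `if (snprintf (trialPath, MAXSTRING, "%s%s", tablePath, tableName) >= MAXSTRING) return NULL;` so an over-long name is treated as "table not found" rather than as some other file.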
+@@ -4522,18 +4521,15 @@ findTable (const char *tableName)
+   break;
+   if (k == listLength || k == 0)
+ { /* Only one file */
+-  strcpy (trialPath, pathList);
+-  strcat (trialPath, pathEnd);
+-  strcat (trialPath, tableName);
++  snprintf (trialPath, MAXSTRING-1, "%s%s%s", pathList, pathEnd, 
tableName);
+   if ((tableFile = fopen (trialPath, "rb")))
+ break;
+ }
+   else
+ { /* Compile a list of files */
+-  strncpy (trialPath, pathList, k);
+-  trialPath[k] = 0;
+-  strcat (trialPath, pathEnd);
+-  strcat (trialPath, tableName);
++  char path[MAXSTRING];
++  strncpy (path, pathList, k);
++  snprintf (trialPath, MAXSTRING-1, "%s%s%s", path, pathEnd, 
tableName);
+   currentListPos = k + 1;
+   if ((tableFile = fopen (trialPath, "rb")))
+ break;
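Review bot: `strncpy (path, pathList, k);` in the "Compile a list of files" branch keeps the overflow the patch is meant to remove: k is the offset of the first comma in pathList and is never compared with MAXSTRING, so a long first entry still overruns path, and strncpy writes no terminator when the source has at least k bytes (which it always does here), so the following "%s" reads past the end of path into uninitialised stack. The removed `trialPath[k] = 0;` was doing that job and has no replacement. Either bound k and terminate explicitly (`if (k >= MAXSTRING) return NULL; strncpy (path, pathList, k); path[k] = 0;`) or drop the temporary and let snprintf take the prefix with a precision: `snprintf (trialPath, MAXSTRING, "%.*s%s%s", (int) k, pathList, pathEnd, tableName);`.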
+@@ -4542,11 +4538,8 @@ findTable (const char *tableName)
+   for (k = currentListPos; k < listLength; k++)
+ if (pathList[k] == ',')
+   break;
+-  strncpy (trialPath,
+-   [currentListPos], k - currentListPos);
+-  trialPath[k - currentListPos] = 0;
+-  strcat (trialPath, pathEnd);
+-  strcat (trialPath, tableName);
++  strncpy (path, [currentListPos], k - currentListPos);
++  snprintf (trialPath, MAXSTRING-1, "%s%s%s", path, pathEnd, 
tableName);
+   if ((tableFile = fopen (trialPath, "rb")))
+ currentListPos = k + 1;
+   break;
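Review bot: Same class of problem as the strncpy in the "Compile a list of files" branch: `strncpy (path, [currentListPos], k - currentListPos);` neither checks `k - currentListPos` against MAXSTRING nor NUL-terminates path (the old `trialPath[k - currentListPos] = 0;` is removed and not replaced), so this branch is still overflowable and the snprintf can read beyond path. The source argument of that strncpy is also mangled in the quoted copy; the length argument suggests it is a pointer into pathList at offset currentListPos. Assuming that, the temporary can go: `snprintf (trialPath, MAXSTRING, "%.*s%s%s", (int) (k - currentListPos), pathList + currentListPos, pathEnd, tableName);` with the return value checked against MAXSTRING.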
+@@ -4564,26 +4557,20 @@ findTable (const char *tableName)
+   pathList = lou_getDataPath ();
+   if (pathList)
+ {
+-  strcpy (trialPath, pathList);
+-  strcat (trialPath, pathEnd);
+ #ifdef _WIN32
+-  strcat (trialPath, "liblouis\\tables\\");
++  snprintf (trialPath, MAXSTRING-1, "%s%sliblouis\\tables\\%s", 
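Review bot: The quoted patch stops mid-statement at the _WIN32 snprintf, so the rest of this hunk (the non-Windows branch and the remainder of findTable) could not be reviewed here; please make sure the complete file is attached. What is visible repeats the earlier pattern of MAXSTRING-1 with an unchecked return value, and since `strcat (trialPath, pathEnd);` is removed from the shared prefix, pathEnd now has to be spelled out in the format string of every #ifdef branch, which the cut-off non-Windows branch should be checked for.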

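As an added example, not liblouis code and not part of the attached patch: this is how the comma-separated path-list walk in findTable() can build each candidate path without the strncpy problems discussed above, checking the entry length against the buffer, always NUL-terminating, and reporting truncation instead of silently producing a wrong path. MAXSTRING's value, the function names and the sample path lists are assumptions.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define MAXSTRING 512   /* assumed size; liblouis defines its own value */

/* Build "<pathList[start..end)><pathEnd><tableName>" into out.
 * Returns 0 on success and -1 (with out emptied) when the result would
 * not fit including its terminating NUL.  The entry is handed to
 * snprintf as a precision-limited "%.*s" instead of being copied with
 * strncpy, so no temporary buffer exists that could overflow or be left
 * without a terminator. */
int build_trial_path(char *out, size_t outsz, const char *pathList,
                     size_t start, size_t end, const char *pathEnd,
                     const char *tableName)
{
    if (outsz == 0 || end < start || end - start > INT_MAX)
        return -1;                       /* reject nonsense lengths */
    int n = snprintf(out, outsz, "%.*s%s%s", (int)(end - start),
                     pathList + start, pathEnd, tableName);
    if (n < 0 || (size_t)n >= outsz) {   /* truncated: not a usable path */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Walk a comma-separated path list the way findTable() does, building one
 * candidate path per entry.  Returns how many entries produced a usable
 * path; an over-long entry is skipped rather than overrunning the stack. */
int count_candidates(const char *pathList, const char *pathEnd,
                     const char *tableName)
{
    char trialPath[MAXSTRING];
    size_t len = strlen(pathList), pos = 0;
    int ok = 0;
    while (pos <= len) {
        size_t k = pos;
        while (k < len && pathList[k] != ',')   /* find end of this entry */
            k++;
        if (build_trial_path(trialPath, sizeof trialPath, pathList, pos, k,
                             pathEnd, tableName) == 0)
            ok++;
        pos = k + 1;
    }
    return ok;
}
```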
Bug#880622: stretch-pu: package python-arpy/1.1.1-2

2017-11-02 Thread Christoph Egger
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

This is a simple fix for python-arpy (missing dependencies) already
tested in unstable+testing for a while. debdiff is attached.

  Christoph

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.12.0-0.bpo.2-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_IE:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru python-arpy-1.1.1/debian/changelog python-arpy-1.1.1/debian/changelog
--- python-arpy-1.1.1/debian/changelog  2013-08-03 12:05:18.0 +0200
+++ python-arpy-1.1.1/debian/changelog  2017-11-02 22:14:48.0 +0100
@@ -1,3 +1,14 @@
+python-arpy (1.1.1-2+deb9u1) stretch; urgency=low
+
+  [ Scott Kitterman ]
+  * Correct substitution variable for python3 interpreter depends (Closes:
+#867418)
+
+  [ Christoph Egger ]
+  * Upload to stable
+
+ -- Christoph Egger   Thu, 02 Nov 2017 22:14:48 +0100
+
 python-arpy (1.1.1-2) unstable; urgency=low
 
   * Add python3 support
diff -Nru python-arpy-1.1.1/debian/control python-arpy-1.1.1/debian/control
--- python-arpy-1.1.1/debian/control2013-08-03 11:59:45.0 +0200
+++ python-arpy-1.1.1/debian/control2017-11-02 22:12:29.0 +0100
@@ -28,7 +28,7 @@
 Architecture: all
 Depends: ${shlibs:Depends},
  ${misc:Depends},
- ${python:Depends}
+ ${python3:Depends}
 Provides: ${python:Provides}
 Description: library for accessing "ar" archives
  arpy is a library for accessing the archive files and reading the
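Review bot: The Depends change to ${python3:Depends} matches the changelog, but `Provides: ${python:Provides}` two lines below is still dh_python2's variable; the python3 helper fills python3:Provides, not python:Provides, so on the python3 binary this line either expands to nothing or to the wrong interpreter versions. Suggest ${python3:Provides} or dropping the Provides line altogether. `${shlibs:Depends}` on an Architecture: all package is harmless but unused.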


Bug#878685: stretch-pu: package udftools/1.3-2

2017-11-02 Thread Pali Rohár
On Sunday 29 October 2017 18:19:53 Adam D. Barratt wrote:
> Please prepare an upload built and tested on stable, using "stretch" as
> the changelog distribution, and versioned as either 1.3-1+deb9u1 or
> 1.3-2~deb9u1, depending on how the changelog is structured, and attach
> the debdiff to this bug log.

Ok. I uploaded package version 1.3-2~deb9u1 to mentors, it is there:
https://mentors.debian.net/package/udftools

The debdiff between the current version in stretch and 1.3-2~deb9u1 is attached.

-- 
Pali Rohár
pali.ro...@gmail.com
diff -Nru udftools-1.3/debian/changelog udftools-1.3/debian/changelog
--- udftools-1.3/debian/changelog   2017-01-24 00:28:05.0 +0100
+++ udftools-1.3/debian/changelog   2017-10-03 21:41:57.0 +0200
@@ -1,3 +1,9 @@
+udftools (1.3-2~deb9u1) stretch; urgency=low
+
+  * Fix path to pktsetup in udftools init script
+
+ -- Pali Rohár   Tue, 03 Oct 2017 21:41:57 +0200
+
 udftools (1.3-1) unstable; urgency=low
 
   * New upstream release
diff -Nru udftools-1.3/debian/udftools.init udftools-1.3/debian/udftools.init
--- udftools-1.3/debian/udftools.init   2017-01-24 00:26:46.0 +0100
+++ udftools-1.3/debian/udftools.init   2017-10-03 21:40:26.0 +0200
@@ -30,7 +30,7 @@
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin
 DESC="udftools packet writing"
-PKTSETUP=/usr/bin/pktsetup
+PKTSETUP=/usr/sbin/pktsetup
 DEFAULTFILE=/etc/default/udftools
 DEVICES=""
 NEWINTNAMES="0 1 2 3"
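Review bot: The one-line path correction looks right, but please confirm it against the stretch binary package (e.g. `dpkg -L udftools | grep pktsetup` on a stable system) rather than against unstable, since that is what the init script will run under. If the script does not already guard the call higher up, a `[ -x "$PKTSETUP" ] || exit 0` check would turn any future path mismatch into a clean no-op instead of a failing service.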


RFC/RFR: Add a britney policy for checking Build-Depends and Build-Depends-Arch

2017-11-02 Thread Niels Thykier
Hi,

I have written a [feature branch] for adding a policy in Britney to
check that dependencies in Build-Depends and Build-Depends-Arch are
satisfiable - either in testing or in unstable with the unstable version
looking like it can migrate.

 * This patch is a partial solution that only covers Build-Depends
   and Build-Depends-Arch. The omission of Build-Depends-Indep is
   somewhat deliberate (as we do not have a well-defined "arch:all" build
   architecture).  Even without Build-Depends-Indep, this patch will
   cover >= 75% of all source packages fully and partially cover the
   remaining ones [BDI-NUMBERS].

 * This will enable us to avoid /some/ situations where auto-removed
   packages can re-enter testing despite their build-dependencies being
   stuck in unstable.  This will improve even further once support for
   Build-Depends-Indep lands.


Limitations in scope:
=====================

First, the patches do not intend to cover Build-Depends-Indep.  That
will come in a later patch (and probably wait a bit while we try this
changeset for a while).

Secondly:

  This approach will _not_ ensure that testing is/remains self-contained
  in regard to build-depends even once support for Build-Depends-Indep
  lands.

This is because a policy only decides if a package is permitted to
migrate.  The actual migration happens in a separate step and that part
does not consider build-dependencies.  This omission is deliberate for
now for several reasons:

 * It is harder to implement that logic and reason about the
   consequences.

 * It is harder to implement ways to do fine-grained overrides for that
   part of britney.  (NB: The patchset does not define an override hint,
   but adding one would be very easy.)

 * The proposed solution is sufficient for the purpose of keeping
   testing RC bug free and (mostly) self-contained.

 * Finally, with the current approach the build-dependency issues will
   be visible for maintainers (via the excuses-page on e.g.
   tracker.d.o).


Tests and results
=================

I have added 6 tests in the build-deps-support branch of britney2-tests
to cover this functionality.  Among others, there are test cases showing
that:

 * Packages can migrate if Build-Depends are not satisfiable on an
   architecture provided there are no binaries produced on that
   architecture.

 * Architecture-specific Build-Depends only applies to the listed
   architectures.

 * Packages do not migrate if their build-dependencies are stuck.
   Also if the issue is indirect.

Furthermore, running the live-data tests with these patches applied
showed that the number of migrations affected was in the order of 8-10
(accumulated over all live-data test cases, where we have a baseline
result).  As such, I am not overly concerned that the patches will
become a major issue for us in their current form.

Future
======

Assuming there are no major issues raised in response to RFC/RFR, then I
intend to merge these patches and deploy them live to see how it goes.

 * Deadline for initial review: 11/11

 * I am happy with extending the deadline or deferring the merge on
   request.


Thanks,
~Niels

-- 

References/notes

[feature branch]:
https://anonscm.debian.org/cgit/users/nthykier/britney.git/log/?h=gate-missing-build-depends

For convenience, the original patches are also attached.  However, I
do not plan to re-issue patches based on review-comments or fixes.
These will be applied to the branch (which will be rebased every now and
then).

[BDI-NUMBERS] Based on the following query:
https://codesearch.debian.net/search?q=Build-Depends-Indep+path%3A%2Fdebian%2Fcontrol=1

It shows ~1200 pages and in the "per package" view, there are 5 unique
source packages per page.  This gives ~6000 source packages with a
Build-Depends-Indep, which is (roughly) 25% of the ~25,000 source
packages mentioned in the release announcement of stretch.

https://lists.debian.org/debian-announce/2017/msg3.html
From c537f0554f56bfad5bce54e03b61f037bb245e3a Mon Sep 17 00:00:00 2001
From: Niels Thykier 
Date: Wed, 1 Nov 2017 21:09:23 +
Subject: [PATCH 1/2] Move PolicyVerdict to britney2.policies

---
 britney.py|  3 ++-
 britney2/policies/__init__.py | 53 +
 britney2/policies/policy.py   | 55 +--
 britney2/utils.py |  2 +-
 4 files changed, 57 insertions(+), 56 deletions(-)

diff --git a/britney.py b/britney.py
index ef3a8f2..c617ac0 100755
--- a/britney.py
+++ b/britney.py
@@ -197,7 +197,8 @@ from britney2.excuse import Excuse
 from britney2.hints import HintParser
 from britney2.installability.builder import build_installability_tester
 from britney2.migrationitem import MigrationItem
-from britney2.policies.policy import AgePolicy, RCBugPolicy, PiupartsPolicy, PolicyVerdict
+from britney2.policies import PolicyVerdict
+from britney2.policies.policy import AgePolicy, RCBugPolicy, 
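Review bot: Per the diffstat, PolicyVerdict moves into britney2/policies/__init__.py while britney2/policies/policy.py loses the same block, so policy.py will now import PolicyVerdict from its own package's __init__; that is only safe as long as __init__.py does not import policy.py back, which the quoted copy (which lacks the __init__.py and policy.py hunks) cannot confirm, so please check there is no such import. The last `+from britney2.policies.policy import ...` line of this hunk is also cut off in the quoted copy.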

Bug#880439: stretch-pu: package getmail4/4.53.0-1+deb9u1

2017-11-02 Thread Osamu Aoki
Hi,

On Tue, Oct 31, 2017 at 04:05:01PM +, Adam D. Barratt wrote:
> On 2017-10-31 14:40, Osamu Aoki wrote:
> > I just uploaded to the stable-proposed-upload.
> 
> Unfortunately you used an inappropriate version number, so I've flagged the
> package for rejection.

Thanks.
 
> Currently unstable has version 4.53.0-2. The version you used -
> 4.53.0-2+deb9u1 is *higher* than the unstable version, which is wrong. A
> backport to stable of that version should be 4.53.0-2~deb9u1, in the same
> way as backports uses ~.

I just uploaded as 4.53.0-1+deb9u1 instead.  (I should have read your
message carefully.  I followed previous security upload version style.
I hope this is also OK)

> Please also use "stretch" as the changelog distribution, rather than
> "stable".

Done.

Osamu