Bug#1060103: transition: imagemagick7
On Sunday 2 June 2024, 11:17:33 UTC, Sebastian Ramacher wrote:
> On 2024-02-02 17:21:43 +0000, Bastien Roucariès wrote:
> > On Friday 2 February 2024, 16:53:10 UTC, Sebastian Ramacher wrote:
> > > Control: tags -1 moreinfo
> > >
> > > Hi Bastien
> > >
> > > On 2024-01-05 22:35:44 +, Bastien Roucariès wrote:
> > > > Package: release.debian.org
> > > > Severity: important
> > > > User: release.debian@packages.debian.org
> > > > Usertags: transition
> > > > X-Debbugs-CC: ftpmas...@debian.org
> > > >
> > > > Imagemagick will need a new major bump
> > > >
> > > > I achieved to get imagemagick 7 build for experimental (it is only on
> > > > salsa, not uploaded yet).
> > > >
> > > > Every package includes a version in the package name (except legacy
> > > > package name and perl*) so I plan to do some step by step migration,
> > > > because it is mainly coinstallable with imagemagick 6.
> > >
> > > Why does this migration require co-installability with the old version?
> > > This makes the transition overly complicated. Do you expect major
> > > changes required in reverse dependencies of imagemagick's shared
> > > library?
> >
> > The problem is not the library but the command line interface that may need
> > change.
> >
> > Library will break (I think here about php module that will need an
> > update), but it is treatable.
> >
> > convert6 is not fully compatible with convert7
> >
> > convert6 will be co installable with convert7 in order to test, and convert
> > will be provided by alternative system.
>
> If they are not fully compatible, then alternatives are not an option.

They are 95% compatible

> How many packages are we talking about? Have bugs been filed for
> packages that are not compatible with convert7?

The problem is a chicken and egg problem. If you could not test then you could not report bugs.

At least both should be in experimental for running a full archive rebuild.

Note also that imagemagick6 is supported upstream only until 2027... So we should migrate to 7. That is why I think my way is a good way.

Suse and redhat transitioned, see https://fedoraproject.org/wiki/Changes/ImageMagick7

Discussion points to at least the following being broken on redhat:
* autotrace - plan to notify upstream
* dvdauthor - point to GraphicsMagick or IM6, plan to notify upstream
* q - dead upstream, planned to point to IM6
* vdr-skinnopacity - current upstream dead, plan to notify new upstream
* vdr-tvguide - plan to notify upstream

We could also drop imagemagick6 and use graphicsmagick if needed but it introduces other problems.

Thanks

Bastien

> > Cheers
Bug#1071449: bookworm-pu: package sendmail/8.17.1.9-2+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: sendm...@packages.debian.org
Control: affects -1 + src:sendmail
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
sendmail was affected by CVE-2023-51765

[ Impact ]
close CVE-2023-51765 and reject NUL mail

[ Tests ]
CVE-2023-51765 fix was tested manually and cross checked

[ Risks ]
Code is complex and rejecting NUL is slightly RFC non conformant

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
Fix CVE-2023-51765 (Closes: #1059386):
sendmail allowed SMTP smuggling in certain configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because sendmail supports . but some other popular e-mail servers do not. This is resolved with 'o' in srv_features.
* Enable _FFR_REJECT_NUL_BYTE for rejecting mail that includes a NUL byte
* By default enable rejecting mail that includes a NUL byte: set confREJECT_NUL to 'true' by default. Users could disable it by setting confREJECT_NUL to false. (Closes: #1070190). Close a variant of CVE-2023-51765 aka SMTP smuggling.

[ Other info ]
No regression bugs in sid/trixie since at least two weeks

diff -Nru sendmail-8.17.1.9/debian/cf/ostype/debian.m4.in sendmail-8.17.1.9/debian/cf/ostype/debian.m4.in --- sendmail-8.17.1.9/debian/cf/ostype/debian.m4.in 2023-01-11 22:26:28.0 + +++ sendmail-8.17.1.9/debian/cf/ostype/debian.m4.in 2024-05-13 18:44:56.0 +
@@ -65,6 +65,9 @@ dnl # define(`confDEF_USER_ID', `mail:mail')dnl dnl # +ifelse(eval(index(sm_ffr, `-D_FFR_REJECT_NUL_BYTE') >= 0), `1',dnl +`define(`confREJECT_NUL',`true')')dnl +dnl # dnl #- dnl # mailer paths and options dnl #- diff -Nru sendmail-8.17.1.9/debian/changelog sendmail-8.17.1.9/debian/changelog --- sendmail-8.17.1.9/debian/changelog 2023-01-11 22:26:28.0 + +++ sendmail-8.17.1.9/debian/changelog 2024-05-13 18:44:56.0 + @@ -1,3 +1,24 @@ +sendmail (8.17.1.9-2+deb12u1) bookworm-security; urgency=high + + * QA upload + * Fix CVE-2023-51765 (Closes: #1059386): +sendmail allowed SMTP smuggling in certain configurations. +Remote attackers can use a published exploitation +technique to inject e-mail messages with a spoofed +MAIL FROM address, allowing bypass of an SPF protection +mechanism. This occurs because sendmail supports +. but some other popular e-mail servers +do not. This is resolved with 'o' in srv_features. + * Enable _FFR_REJECT_NUL_BYTE for rejecting mail that +include NUL byte + * By default enable rejecting mail that include NUL byte. +set confREJECT_NUL to 'true' by default . +User could disable by setting confREJECT_NUL to false. +(Closes: #1070190). Close a variant of CVE-2023-51765 +aka SMTP smuggling. + + -- Bastien Roucari??s Mon, 13 May 2024 18:44:56 + + sendmail (8.17.1.9-2) unstable; urgency=medium * QA upload. diff -Nru sendmail-8.17.1.9/debian/configure.ac sendmail-8.17.1.9/debian/configure.ac --- sendmail-8.17.1.9/debian/configure.ac 2023-01-11 22:26:28.0 + +++ sendmail-8.17.1.9/debian/configure.ac 2024-05-13 18:44:56.0 + 
@@ -466,6 +466,7 @@ sm_envdef="$sm_envdef -DHASFLOCK=1"; sm_libsm_envdef="$sm_libsm_envdef -DHAVE_NANOSLEEP=1"; sm_ffr="$sm_ffr -D_FFR_QUEUE_SCHED_DBG"; # %% TESTING +sm_ffr="$sm_ffr -D_FFR_REJECT_NUL_BYTE"; # # version specific setup if test "$sm_version_major" = "8.17"; then diff -Nru sendmail-8.17.1.9/debian/NEWS.Debian sendmail-8.17.1.9/debian/NEWS.Debian --- sendmail-8.17.1.9/debian/NEWS.Debian 1970-01-01 00:00:00.0 + +++ sendmail-8.17.1.9/debian/NEWS.Debian 2024-05-13 18:44:56.0 + @@ -0,0 +1,19 @@ +sendmail (8.17.1.9-2+deb12u1) bookworm-security; urgency=medium + + Sendmail was affected by SMTP smurgling (CVE-2023-51765). + Remote attackers can use a published exploitation technique + to inject e-mail messages with a spoofed MAIL FROM address, + allowing bypass of an SPF protection mechanism. + This occurs because sendmail supports some combinaison of + . + . + This particular injection vulnerability has been closed, + unfortunatly full closure need to reject mail that + contain NUL. + . + This is slighly non conformant with RFC and could + be opt-out by setting confREJECT_NUL to 'false' + in sendmail.mc file. + + -- Bastien Roucari??s Sun, 12 May 2024 19:38:09 + + diff -Nru sendmail-8.17.1.9/debian/patches/0024-CVE-2023-51765.patch sendmail-8.17.1.9/debian/patches/0024-CVE-2023-51765.patch
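Review bot: the debian.m4.in hunk applies the default with an unconditional `define(`confREJECT_NUL',`true')` inside the OSTYPE file, so a site that writes `define(`confREJECT_NUL', `false')` before its `OSTYPE(`debian')` line gets it silently clobbered; only a definition placed after OSTYPE wins. Either guard it with `ifdef(`confREJECT_NUL', `', `define(`confREJECT_NUL', `true')')` or state in NEWS.Debian that the opt-out must come after the OSTYPE line.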
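Review bot: the changelog hunk opens with `sendmail (8.17.1.9-2+deb12u1) bookworm-security; urgency=high`, but this is a bookworm-pu request and a proposed-updates upload is expected to carry the plain codename `bookworm`; the release team will ask for that to be changed before accepting. The same version's NEWS.Debian entry in the next hunk says `urgency=medium`, so the two headers also disagree with each other.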
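Review bot: the NEWS.Debian hunk is user-facing text that apt-listchanges will display, and it carries several spelling mistakes (`smurgling`, `combinaison`, `unfortunatly`, `slighly`) plus the awkward `could be opt-out by setting`; suggest `This is slightly non conformant with the RFC and can be disabled by setting confREJECT_NUL to 'false' in sendmail.mc.` The changelog hunk has the matching `include NUL byte` and `by default .` glitches.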
Bug#1071417: bullseye-pu: package fossil/2.15.2-1+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: fos...@packages.debian.org
Control: affects -1 + src:fossil
User: release.debian@packages.debian.org
Usertags: pu

this bug was opened by previous arrangement with maintainer.

[ Reason ]
fossil is affected by a regression due to a security update of apache, CVE-2024-24795. Backport was chosen because upstream does not document all commits needed for fixing the regression.

[ Impact ]
Fossil is broken, at least the server part

[ Tests ]
Full upstream test suite

[ Risks ]
Broken fossil

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
Cherry picked and backported fix

[ Other info ]
None

diff -Nru fossil-2.15.2/debian/changelog fossil-2.15.2/debian/changelog --- fossil-2.15.2/debian/changelog 2021-06-15 09:55:20.0 + +++ fossil-2.15.2/debian/changelog 2024-05-14 21:29:39.0 + @@ -1,3 +1,13 @@ +fossil (1:2.15.2-1+deb11u1) bullseye; urgency=medium + + * Non maintainer fix with acknowlegment by maintainer. + * Cherry-pick fix f4ffefe708793b03 for CVE-2024-24795 and add +"Breaks: apache2 (<< 2.4.59-1~)" to stage fix; see +https://bz.apache.org/bugzilla/show_bug.cgi?id=68905 +(closes: #1070069) + + -- Bastien Roucari??s Tue, 14 May 2024 21:29:39 + + fossil (1:2.15.2-1) unstable; urgency=high * New upstream version, announcement (expurgated) says: diff -Nru fossil-2.15.2/debian/control fossil-2.15.2/debian/control --- fossil-2.15.2/debian/control 2021-04-07 08:12:51.0 + +++ fossil-2.15.2/debian/control 2024-05-14 21:29:39.0 +
@@ -22,6 +22,7 @@ Architecture: any Multi-Arch: foreign Depends: libtcl8.6 | libtcl, ${misc:Depends}, ${shlibs:Depends} +Breaks: apache2 (<< 2.4.59-1~), apache2-bin (<< 2.4.59-1~) Suggests: gnupg | gnupg2 Description: DSCM with built-in wiki, http interface and server, tickets database Fossil is an easy-to-use Distributed Source Control Management system diff -Nru fossil-2.15.2/debian/patches/0002-Deal-with-the-missing-Content-Length-field.patch fossil-2.15.2/debian/patches/0002-Deal-with-the-missing-Content-Length-field.patch --- fossil-2.15.2/debian/patches/0002-Deal-with-the-missing-Content-Length-field.patch 1970-01-01 00:00:00.0 + +++ fossil-2.15.2/debian/patches/0002-Deal-with-the-missing-Content-Length-field.patch 2024-05-14 21:29:39.0 + 
@@ -0,0 +1,361 @@ +From: =?utf-8?q?Bastien_Roucari=C3=A8s?= +Date: Tue, 14 May 2024 21:23:16 + +Subject: Deal with the missing Content-Length field + +fix regression of CVE-2024-24795 + +bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=68905 +origin: https://fossil-scm.org/home/vpatch?from=9c40ddbcd182f264=a8e33fb161f45b65 +--- + src/cgi.c | 43 - + src/clone.c | 14 +++- + src/http.c | 71 + + src/main.c | 14 ++-- + src/xfer.c | 1 + + 5 files changed, 121 insertions(+), 22 deletions(-) + +diff --git a/src/cgi.c b/src/cgi.c +index d47575b..aade0fb 100644 +--- a/src/cgi.c b/src/cgi.c +@@ -1034,7 +1034,7 @@ void cgi_trace(const char *z){ + } + + /* Forward declaration */ +-static NORETURN void malformed_request(const char *zMsg); ++static NORETURN void malformed_request(const char *zMsg, ...); + + /* + ** Initialize the query parameter database. Information is pulled from +@@ -1080,6 +1080,7 @@ void cgi_init(void){ + const char *zRequestUri = cgi_parameter("REQUEST_URI",0); + const char *zScriptName = cgi_parameter("SCRIPT_NAME",0); + const char *zPathInfo = cgi_parameter("PATH_INFO",0); ++ const char *zContentLength = 0; + #ifdef _WIN32 + const char *zServerSoftware = cgi_parameter("SERVER_SOFTWARE",0); + #endif +@@ -1186,7 +1187,15 @@ void cgi_init(void){ + g.zIpAddr = fossil_strdup(z); + } + +- len = atoi(PD("CONTENT_LENGTH", "0")); ++ zContentLength = P("CONTENT_LENGTH"); ++ if( zContentLength==0 ){ ++len = 0; ++if( sqlite3_stricmp(PD("REQUEST_METHOD",""),"POST")==0 ){ ++ malformed_request("missing CONTENT_LENGTH on a POST method"); ++} ++ }else{ ++len = atoi(zContentLength); ++ } + zType = P("CONTENT_TYPE"); + zSemi = zType ? 
strchr(zType, ';') : 0; + if( zSemi ){ +@@ -1593,11 +1602,22 @@ void cgi_vprintf(const char *zFormat, va_list ap){ + /* + ** Send a reply indicating that the HTTP request was malformed + */ +-static NORETURN void malformed_request(const char *zMsg){ +- cgi_set_status(501, "Not Implemented"); +- cgi_printf( +-"Bad Request: %s\n", zMsg +- ); ++static NORETURN void malformed_request(const char *zMsg, ...){ ++ va_list ap; ++ char *z; ++ va_start(ap, zMsg); ++ z = vmprintf(zMsg, ap); ++ va_end(ap); ++ cgi_set_status(400, "Bad Request"); ++ zContentType = "text/plain"; ++ if(
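Review bot: in the `cgi_init` hunk the new else-branch still reads `len = atoi(zContentLength);` with no validation, so a CONTENT_LENGTH that is non-numeric or negative is silently turned into 0 or a negative length rather than being reported through the new `malformed_request()` path that the hunk introduces for the missing-header case. Suggest parsing with `strtol` plus an end-pointer and range check and calling `malformed_request("invalid CONTENT_LENGTH")` for anything that is not a non-negative integer.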
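Review bot: the changelog hunk has a spelling mistake in `Non maintainer fix with acknowlegment by maintainer.` (`acknowledgement`), and the `Breaks: apache2 (<< 2.4.59-1~), apache2-bin (<< 2.4.59-1~)` added in the control hunk is wider than the `"Breaks: apache2 (<< 2.4.59-1~)"` the changelog describes; list both binaries in the changelog so the entry matches what was changed.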
Bug#1070998: bookworm-pu: package fossil/2.24-5~deb11u1
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: fos...@packages.debian.org
Control: affects -1 + src:fossil
User: release.debian@packages.debian.org
Usertags: pu

this bug was opened by previous arrangement with maintainer.

[ Reason ]
fossil is affected by a regression due to a security update of apache, CVE-2024-24795. Backport was chosen because upstream does not document all commits needed for fixing the regression.

[ Impact ]
Fossil is broken, at least the server part

[ Tests ]
Full upstream test suite

[ Risks ]
Broken fossil

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
Backport from sid. There is no incompatibility and this is an upstream maintenance and fix only version.

[ Other info ]
I have not attached the debdiff due to the fix being a backport from sid. Attached debdiff to sid instead.

diff -Nru fossil-2.24/debian/changelog fossil-2.24/debian/changelog --- fossil-2.24/debian/changelog 2024-04-30 14:32:05.0 + +++ fossil-2.24/debian/changelog 2024-05-07 19:26:27.0 + @@ -1,3 +1,10 @@ +fossil (1:2.24-6~deb12u1) bookworm; urgency=medium + + * Non maintainer upload with acknowledgement by maintainer + * Backport to bookworm + + -- Bastien Roucari??s Tue, 07 May 2024 19:26:27 + + fossil (1:2.24-6) unstable; urgency=medium * Add "Breaks: apache2-bin (<< 2.4.59-1~)" per #1070069 discussion.
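Review bot: the changelog hunk uploads `fossil (1:2.24-6~deb12u1) bookworm`, but the bug is titled `bookworm-pu: package fossil/2.24-5~deb11u1`, which names both a different upstream revision and a bullseye suffix; retitle the bug to the version actually being uploaded so the release team's tracking matches the debdiff.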
Bug#1070155: bullseye-pu: package wpa/2.9.0-21+deb11u1
Package: release.debian.org
Severity: important
Tags: bullseye
X-Debbugs-Cc: w...@packages.debian.org
Control: affects -1 + src:wpa
User: release.debian@packages.debian.org
Usertags: pu
tags: security

[ Reason ]
CVE-2023-52160 security bug

[ Impact ]
security bug is present

[ Tests ]
Test suite runs fine

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
The previous PEAP client behavior allowed the server to skip Phase 2 authentication with the expectation that the server was authenticated during Phase 1 through TLS server certificate validation. Various PEAP specifications are not exactly clear on what the behavior on this front is supposed to be and as such, this ended up being more flexible than the TTLS/FAST/TEAP cases. However, this is not really ideal when unfortunately common misconfiguration of PEAP is used in deployed devices where the server trust root (ca_cert) is not configured or the user has an easy option for allowing this validation step to be skipped.

Change the default PEAP client behavior to be to require Phase 2 authentication to be successfully completed for cases where TLS session resumption is not used and the client certificate has not been configured. Those two exceptions are the main cases where a deployed authentication server might skip Phase 2 and as such, where a more strict default behavior could result in undesired interoperability issues. Requiring Phase 2 authentication will end up disabling TLS session resumption automatically to avoid interoperability issues.

[ Other info ]
Buster is fixed so upgrade reintroduces the CVE

Bastien

diff -Nru wpa-2.9.0/debian/changelog wpa-2.9.0/debian/changelog --- wpa-2.9.0/debian/changelog 2021-02-25 21:19:14.0 + +++ wpa-2.9.0/debian/changelog 2024-04-30 22:45:18.0 +
@@ -1,3 +1,19 @@ +wpa (2:2.9.0-21+deb11u1) bullseye; urgency=high + + * Non-maintainer upload on behalf of the Security Team. + * Fix CVE-2023-52160 (Closes: #1064061): +The implementation of PEAP in wpa_supplicant allows +authentication bypass. For a successful attack, +wpa_supplicant must be configured to not verify +the network's TLS certificate during Phase 1 +authentication, and an eap_peap_decrypt vulnerability +can then be abused to skip Phase 2 authentication. +The attack vector is sending an EAP-TLV Success packet +instead of starting Phase 2. This allows an adversary +to impersonate Enterprise Wi-Fi networks. + + -- Bastien Roucari??s Tue, 30 Apr 2024 22:45:18 + + wpa (2:2.9.0-21) unstable; urgency=high * Fix typos in the package descriptions. diff -Nru wpa-2.9.0/debian/patches/0033-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch wpa-2.9.0/debian/patches/0033-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch --- wpa-2.9.0/debian/patches/0033-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch 1970-01-01 00:00:00.0 + +++ wpa-2.9.0/debian/patches/0033-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch 2024-04-30 22:45:18.0 + 
@@ -0,0 +1,211 @@ +From: Jouni Malinen +Date: Sat, 8 Jul 2023 19:55:32 +0300 +Subject: CVE-2023-52160 PEAP client: Update Phase 2 authentication + requirements + +The previous PEAP client behavior allowed the server to skip Phase 2 +authentication with the expectation that the server was authenticated +during Phase 1 through TLS server certificate validation. Various PEAP +specifications are not exactly clear on what the behavior on this front +is supposed to be and as such, this ended up being more flexible than +the TTLS/FAST/TEAP cases. However, this is not really ideal when +unfortunately common misconfiguration of PEAP is used in deployed +devices where the server trust root (ca_cert) is not configured or the +user has an easy option for allowing this validation step to be skipped. + +Change the default PEAP client behavior to be to require Phase 2 +authentication to be successfully completed for cases where TLS session +resumption is not used and the client certificate has not been +configured. Those two exceptions are the main cases where a deployed +authentication server might skip Phase 2 and as such, where a more +strict default behavior could result in undesired interoperability +issues. Requiring Phase 2 authentication will end up disabling TLS +session resumption automatically to avoid interoperability issues. + +Allow Phase 2 authentication behavior to be configured with a new phase1 +configuration parameter option: +'phase2_auth' option can be used to control Phase 2 (i.e., within TLS +tunnel) behavior for PEAP: + * 0 = do not require Phase 2 authentication + * 1 = require Phase 2 authentication when client certificate + (private_key/client_cert) is no used and TLS session resumption was + not used
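Review bot: the changelog hunk describes only the vulnerability, not the behaviour change the added patch carries: the commit message in the patch hunk says Phase 2 authentication is now required by default, that this automatically disables TLS session resumption, and that a new `phase2_auth` option in the `phase1` parameter controls it (`0 = do not require Phase 2 authentication`). Deployments whose server skips Phase 2 may stop authenticating after this stable update, so the changelog should mention the new default and a NEWS.Debian entry should name `phase2_auth=0` as the opt-out.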
Bug#1070151: bookworm-pu: package wpa/2:2.10-12
Package: release.debian.org
Severity: important
Tags: bookworm
X-Debbugs-Cc: w...@packages.debian.org
Control: affects -1 + src:wpa
User: release.debian@packages.debian.org
Usertags: pu
tags: security

[ Reason ]
CVE-2023-52160 security bug

[ Impact ]
security bug is present

[ Tests ]
Test suite runs fine

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
The previous PEAP client behavior allowed the server to skip Phase 2 authentication with the expectation that the server was authenticated during Phase 1 through TLS server certificate validation. Various PEAP specifications are not exactly clear on what the behavior on this front is supposed to be and as such, this ended up being more flexible than the TTLS/FAST/TEAP cases. However, this is not really ideal when unfortunately common misconfiguration of PEAP is used in deployed devices where the server trust root (ca_cert) is not configured or the user has an easy option for allowing this validation step to be skipped.

Change the default PEAP client behavior to be to require Phase 2 authentication to be successfully completed for cases where TLS session resumption is not used and the client certificate has not been configured. Those two exceptions are the main cases where a deployed authentication server might skip Phase 2 and as such, where a more strict default behavior could result in undesired interoperability issues. Requiring Phase 2 authentication will end up disabling TLS session resumption automatically to avoid interoperability issues.

[ Other info ]
Buster is fixed so upgrade reintroduces the CVE

Bastien

diff -Nru wpa-2.10/debian/changelog wpa-2.10/debian/changelog --- wpa-2.10/debian/changelog 2023-02-24 13:01:35.0 + +++ wpa-2.10/debian/changelog 2024-04-30 22:45:18.0 +
@@ -1,3 +1,19 @@ +wpa (2:2.10-12+deb12u1) bookworm; urgency=high + + * Non-maintainer upload on behalf of the Security Team. + * Fix CVE-2023-52160 (Closes: #1064061): +The implementation of PEAP in wpa_supplicant allows +authentication bypass. For a successful attack, +wpa_supplicant must be configured to not verify +the network's TLS certificate during Phase 1 +authentication, and an eap_peap_decrypt vulnerability +can then be abused to skip Phase 2 authentication. +The attack vector is sending an EAP-TLV Success packet +instead of starting Phase 2. This allows an adversary +to impersonate Enterprise Wi-Fi networks. + + -- Bastien Roucari??s Tue, 30 Apr 2024 22:45:18 + + wpa (2:2.10-12) unstable; urgency=medium * Prevent hostapd units from being started if there???s diff -Nru wpa-2.10/debian/patches/0013-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch wpa-2.10/debian/patches/0013-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch --- wpa-2.10/debian/patches/0013-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch 1970-01-01 00:00:00.0 + +++ wpa-2.10/debian/patches/0013-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch 2024-04-30 22:42:02.0 + 
@@ -0,0 +1,211 @@ +From: Jouni Malinen +Date: Sat, 8 Jul 2023 19:55:32 +0300 +Subject: CVE-2023-52160 PEAP client: Update Phase 2 authentication + requirements + +The previous PEAP client behavior allowed the server to skip Phase 2 +authentication with the expectation that the server was authenticated +during Phase 1 through TLS server certificate validation. Various PEAP +specifications are not exactly clear on what the behavior on this front +is supposed to be and as such, this ended up being more flexible than +the TTLS/FAST/TEAP cases. However, this is not really ideal when +unfortunately common misconfiguration of PEAP is used in deployed +devices where the server trust root (ca_cert) is not configured or the +user has an easy option for allowing this validation step to be skipped. + +Change the default PEAP client behavior to be to require Phase 2 +authentication to be successfully completed for cases where TLS session +resumption is not used and the client certificate has not been +configured. Those two exceptions are the main cases where a deployed +authentication server might skip Phase 2 and as such, where a more +strict default behavior could result in undesired interoperability +issues. Requiring Phase 2 authentication will end up disabling TLS +session resumption automatically to avoid interoperability issues. + +Allow Phase 2 authentication behavior to be configured with a new phase1 +configuration parameter option: +'phase2_auth' option can be used to control Phase 2 (i.e., within TLS +tunnel) behavior for PEAP: + * 0 = do not require Phase 2 authentication + * 1 = require Phase 2 authentication when client certificate + (private_key/client_cert) is no used and TLS session resumption was + not
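Review bot: as with the bullseye upload, the `wpa (2:2.10-12+deb12u1) bookworm` changelog hunk omits the user-visible consequences spelled out in the patch hunk's commit message (Phase 2 authentication required by default, TLS session resumption disabled as a result, new `phase2_auth` sub-option of `phase1` with `0 = do not require Phase 2 authentication`); add a sentence to the changelog and a NEWS.Debian entry so administrators of servers that skip Phase 2 know which knob restores the old behaviour.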
Bug#1068694: bullseye-pu: package json-smart/2.2-2+deb11u1
On Saturday 13 April 2024, 14:01:24 UTC, Bastien Roucariès wrote:
> On Saturday 13 April 2024, 14:00:00 UTC, Moritz Mühlenhoff wrote:
> > Hi,
> >
> > On Tue, Apr 09, 2024 at 10:01:11AM +0200, Andreas Beckmann wrote:
> > > Package: release.debian.org
> > > Severity: normal
> > > Tags: bullseye
> > > User: release.debian@packages.debian.org
> > > Usertags: pu
> > > X-Debbugs-Cc: Bastien Roucariès
> > > Control: affects -1 + src:json-smart
> > > Control: block 1039985 with -1
> > > Control: block 1033474 with -1
> > >
> > > [ Reason ]
> > > Two CVEs were fixed in buster-lts, but not yet in bullseye or later,
> > > causing version skew on upgrades:
> >
> > CVE-2023-1370 / #1033474 is unfixed in sid, and being fixed in unstable
> > is a pre condition for a point update.
> >
> > Bastien, since you fixed it in buster-lts, can you please also take care
> > of addressing unstable?

Done

> Ok will do
>
> > Cheers,
> > Moritz
Bug#1068694: bullseye-pu: package json-smart/2.2-2+deb11u1
On Saturday 13 April 2024, 14:00:00 UTC, Moritz Mühlenhoff wrote:
> Hi,
>
> On Tue, Apr 09, 2024 at 10:01:11AM +0200, Andreas Beckmann wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: bullseye
> > User: release.debian@packages.debian.org
> > Usertags: pu
> > X-Debbugs-Cc: Bastien Roucariès
> > Control: affects -1 + src:json-smart
> > Control: block 1039985 with -1
> > Control: block 1033474 with -1
> >
> > [ Reason ]
> > Two CVEs were fixed in buster-lts, but not yet in bullseye or later,
> > causing version skew on upgrades:
>
> CVE-2023-1370 / #1033474 is unfixed in sid, and being fixed in unstable
> is a pre condition for a point update.
>
> Bastien, since you fixed it in buster-lts, can you please also take care
> of addressing unstable?

Ok will do

> Cheers,
> Moritz
Bug#1068888: bookworm-pu: package zookeeper/3.8.0-11+deb12u2
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: zookee...@packages.debian.org
Control: affects -1 + src:zookeeper
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
CVE-2024-23944 (Closes: #1066947): An information disclosure in persistent watchers handling was found in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn't do ACL check when the persistent watcher is triggered and as a consequence, the full path of znodes that a watch event gets triggered upon is exposed to the owner of the watcher. It's important to note that only the path is exposed by this vulnerability, not the data of znode, but since znode path can contain sensitive information like user name or login ID, this issue is potentially critical.

[ Impact ]
CVE-2024-23944 is not fixed

[ Tests ]
Full upstream testsuite run at build time

[ Risks ]
None known

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
See debdiff

diff -Nru zookeeper-3.8.0/debian/changelog zookeeper-3.8.0/debian/changelog --- zookeeper-3.8.0/debian/changelog 2023-10-29 07:57:11.0 + +++ zookeeper-3.8.0/debian/changelog 2024-03-25 08:30:56.0 +
@@ -1,3 +1,22 @@ +zookeeper (3.8.0-11+deb12u2) bookworm-security; urgency=medium + + * Team upload + * Bug fix: CVE-2024-23944 (Closes: #1066947): +An information disclosure in persistent watchers handling was found in +Apache ZooKeeper due to missing ACL check. It allows an attacker to +monitor child znodes by attaching a persistent watcher (addWatch +command) to a parent which the attacker has already access +to. ZooKeeper server doesn't do ACL check when the persistent watcher +is triggered and as a consequence, the full path of znodes that a +watch event gets triggered upon is exposed to the owner of the +watcher. It's important to note that only the path is exposed by this +vulnerability, not the data of znode, but since znode path can contain +sensitive information like user name or login ID, this issue is +potentially critical. + * Add salsa CI + + -- Bastien Roucari??s Mon, 25 Mar 2024 08:30:56 + + zookeeper (3.8.0-11+deb12u1) bookworm-security; urgency=medium * Team upload: diff -Nru zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch --- zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch 1970-01-01 00:00:00.0 + +++ zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch 2024-03-25 08:30:56.0 + 
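Review bot: the changelog hunk targets `zookeeper (3.8.0-11+deb12u2) bookworm-security; urgency=medium` although this is a bookworm-pu request, where the distribution should be `bookworm`. The entry also adds `* Add salsa CI`, which is unrelated to CVE-2024-23944; point releases are expected to contain only the requested fix, so drop that change from the stable upload or justify it in [ Changes ], which currently just says `See debdiff`.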
@@ -0,0 +1,1223 @@ +From: Andor Molnar +Date: Tue, 28 Nov 2023 21:25:00 +0100 +Subject: CVE-2024-23944: ZOOKEEPER-4799: Refactor ACL check in 'addWatch' + command + +As of today, it is impossible to diagnose which watch events are dropped +because of ACLs. Let's centralize, systematize, and log the checks at +the 'process()' site in the Netty and NIO connections. + +(These 'process()' methods contain some duplicated code, and should also +be refactored at some point. This series does not change them.) + +This patch also adds a substantial number of tests in order to avoid +unexpected regressions. + +Co-authored-by: Patrick Hunt +Co-authored-by: Damien Diederen + +origin: https://github.com/apache/zookeeper/commit/65b91d2d9a56157285c2a86b106e67c26520b01d +bug: https://issues.apache.org/jira/browse/ZOOKEEPER-4799 +bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2024-23944 +--- + .../apache/zookeeper/server/watch/WatchBench.java | 6 +- + .../java/org/apache/zookeeper/server/DataTree.java | 23 +- + .../org/apache/zookeeper/server/DumbWatcher.java | 4 +- + .../org/apache/zookeeper/server/NIOServerCnxn.java | 16 +- + .../apache/zookeeper/server/NettyServerCnxn.java | 17 +- + .../org/apache/zookeeper/server/ServerCnxn.java| 10 +- + .../org/apache/zookeeper/server/ServerWatcher.java | 29 + + .../zookeeper/server/watch/IWatchManager.java | 7 +- + .../zookeeper/server/watch/WatchManager.java | 15 +- + .../server/watch/WatchManagerOptimized.java| 15 +- + .../apache/zookeeper/server/MockServerCnxn.java| 4 +- + .../zookeeper/server/watch/WatchManagerTest.java | 14 +- + .../zookeeper/test/PersistentWatcherACLTest.java | 629 + + .../zookeeper/test/UnsupportedAddWatcherTest.java | 9 +- + 14 files changed, 763 insertions(+), 35 deletions(-) + create mode 100644
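The CVE description above says the server triggers persistent watchers without an ACL check. The following added Python model (not ZooKeeper's code and not part of the patch; `MiniDataTree`, `Watcher` and the znode paths are constructed for the example) shows the path leak and the effect of checking READ permission on the triggered znode at dispatch time, which is what the patch moves into the connection's `process()` site.

```python
# Added example: a toy model of ZooKeeper persistent recursive watches and the
# missing ACL check behind CVE-2024-23944. Names are constructed; this is not
# ZooKeeper's code.
from dataclasses import dataclass, field
from enum import IntFlag
from typing import Dict, List, Tuple


class Perm(IntFlag):
    """Subset of ZooKeeper's ZooDefs.Perms bits."""
    READ = 1
    WRITE = 2
    CREATE = 4
    DELETE = 8
    ADMIN = 16
    ALL = READ | WRITE | CREATE | DELETE | ADMIN


@dataclass
class Znode:
    acl: Dict[str, Perm]                       # identity ("*" = world) -> permissions
    children: List[str] = field(default_factory=list)


@dataclass
class Watcher:
    identity: str                              # authenticated identity of the session
    delivered: List[Tuple[str, str]] = field(default_factory=list)

    def process(self, event_type: str, path: str) -> None:
        # In ZooKeeper the event is serialised to the client here, full path included.
        self.delivered.append((event_type, path))


class MiniDataTree:
    """Znodes with ACLs plus persistent *recursive* watches (addWatch)."""

    def __init__(self, check_acl_on_trigger: bool) -> None:
        # False models the vulnerable server, True the behaviour after ZOOKEEPER-4799.
        self.check_acl_on_trigger = check_acl_on_trigger
        self.nodes: Dict[str, Znode] = {"/": Znode(acl={"*": Perm.ALL})}
        self.persistent: Dict[str, List[Watcher]] = {}   # watched path -> watchers
        self.dropped: List[Tuple[str, str, str]] = []    # (identity, type, path) not sent

    def has_perm(self, identity: str, path: str, perm: Perm) -> bool:
        acl = self.nodes[path].acl
        granted = acl.get(identity, Perm(0)) | acl.get("*", Perm(0))
        return bool(granted & perm)

    def add_watch(self, watcher: Watcher, path: str) -> None:
        # addWatch checks READ on the watched znode itself, before and after the fix.
        if not self.has_perm(watcher.identity, path, Perm.READ):
            raise PermissionError(f"{watcher.identity} cannot read {path}")
        self.persistent.setdefault(path, []).append(watcher)

    def create(self, identity: str, path: str, acl: Dict[str, Perm]) -> None:
        parent = path.rsplit("/", 1)[0] or "/"
        if not self.has_perm(identity, parent, Perm.CREATE):
            raise PermissionError(f"{identity} cannot create under {parent}")
        self.nodes[path] = Znode(acl=dict(acl))
        self.nodes[parent].children.append(path)
        self._trigger("NodeCreated", path)

    def _trigger(self, event_type: str, path: str) -> None:
        for watched, watchers in self.persistent.items():
            prefix = watched.rstrip("/") + "/"
            if path != watched and not path.startswith(prefix):
                continue                       # not under this recursive watch
            for w in watchers:
                # The fix: the session owning the watcher must hold READ on the znode
                # the event is about, not merely on the ancestor it attached to.
                if self.check_acl_on_trigger and not self.has_perm(w.identity, path, Perm.READ):
                    self.dropped.append((w.identity, event_type, path))   # logged, not sent
                    continue
                w.process(event_type, path)


def run_scenario(check_acl_on_trigger: bool):
    """Constructed scenario: mallory may read /users but not the child created later."""
    tree = MiniDataTree(check_acl_on_trigger)
    tree.create("admin", "/users", {"*": Perm.READ, "admin": Perm.ALL})
    mallory = Watcher("mallory")
    tree.add_watch(mallory, "/users")          # allowed: world-readable parent
    # The child's name is the sensitive datum (a login id); only admin may read it.
    tree.create("admin", "/users/alice-login-4711", {"admin": Perm.READ | Perm.WRITE})
    return mallory.delivered, tree.dropped


if __name__ == "__main__":
    print("vulnerable:", run_scenario(False))  # mallory receives the full child path
    print("fixed:     ", run_scenario(True))   # nothing delivered; event kept in dropped
```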
Bug#1060103: transition: imagemagick7
On Friday 2 February 2024, 16:53:10 UTC, Sebastian Ramacher wrote:
> Control: tags -1 moreinfo
>
> Hi Bastien
>
> On 2024-01-05 22:35:44 +, Bastien Roucariès wrote:
> > Package: release.debian.org
> > Severity: important
> > User: release.debian@packages.debian.org
> > Usertags: transition
> > X-Debbugs-CC: ftpmas...@debian.org
> >
> > Imagemagick will need a new major bump
> >
> > I achieved to get imagemagick 7 build for experimental (it is only on salsa,
> > not uploaded yet).
> >
> > Every package includes a version in the package name (except legacy package
> > name and perl*) so I plan to do some step by step migration, because it is
> > mainly coinstallable with imagemagick 6.
>
> Why does this migration require co-installability with the old version?
> This makes the transition overly complicated. Do you expect major
> changes required in reverse dependencies of imagemagick's shared
> library?

The problem is not the library but the command line interface that may need change.

Library will break (I think here about php module that will need an update), but it is treatable.

convert6 is not fully compatible with convert7

convert6 will be co installable with convert7 in order to test, and convert will be provided by alternative system.

We avoid a flag day, but we need co installable library.

Bastien

> PS: Before the time_t transition is done, we will not process other
> transitions.

Not a problem, but I would like to upload work on experimental in order to test other arch than i386/amd64/arm that I could test

Bastien

> Cheers
Bug#1060103: Remainder of imagemagick7 transition plan
Hi, A gentle reminder about the imagemagick7 transition plan. Many thanks to Santiago for partially reviewing it, but I need a green light from the release team. Bastien signature.asc Description: This is a digitally signed message part.
Bug#1060103: transition: imagemagick7
Package: release.debian.org
Severity: important
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-CC: ftpmas...@debian.org

Imagemagick will need a new major bump

I managed to get imagemagick 7 to build for experimental (it is only on salsa, not uploaded yet).

Every package includes a version in the package name (except the legacy package name and perl*), so I plan to do a step by step migration, because it is mainly co-installable with imagemagick 6.

- upload to experimental a version with perl and without the legacy name
- migrate perl and the versioned packages
- add to experimental libmagickwand-dev libmagick++-dev libmagickcore-dev
- migrate the packages that depend on libmagickwand-dev libmagick++-dev libmagickcore-dev (everything that builds against imagemagick) to imagemagick7
- add to experimental the imagemagick package
- migrate the imagemagick package to unstable

What do you think of this plan ?

From a security point of view it is better to go to imagemagick7 (so important severity)

I expect breakage only on the last step. See https://imagemagick.org/script/porting.php

ftpmaster: it needs more work because it will need three manual steps.

Bastien

* perlmagick, libmagickcore-dev, libmagickwand-dev libmagick++-dev, imagemagick, libimage-magick-perl libimage-magick-q16-perl libimage-magick-q16hdri-perl

signature.asc Description: This is a digitally signed message part.
Bug#1037219: Uploaded imagemagick/8:6.9.11.60+dfsg-1.3+deb11u2
Hi, I have just uploaded Bastien signature.asc Description: This is a digitally signed message part.
Imagemagick major version transition : ask for guidance + plan
Hi,

I managed to get imagemagick 7 to build for experimental.

Every package includes a version in the package name (except the legacy package name and perl*), so I plan to do a step by step migration, because it is mainly co-installable with imagemagick 6.

- upload to experimental a version with perl and without the legacy name
- migrate perl and the versioned packages
- add to experimental libmagickwand-dev libmagick++-dev libmagickcore-dev
- migrate the packages that depend on libmagickwand-dev libmagick++-dev libmagickcore-dev (everything that builds against imagemagick)
- add to experimental the imagemagick package
- migrate the imagemagick package to unstable

What do you think of this plan ?

I expect breakage only on the last step.

ftpmaster: it needs more work because it will need three manual steps.

Bastien

* perlmagick, libmagickcore-dev, libmagickwand-dev libmagick++-dev, imagemagick, libimage-magick-perl libimage-magick-q16-perl libimage-magick-q16hdri-perl

signature.asc Description: This is a digitally signed message part.
Re: Pause /usr-merge moves
On Friday 1 December 2023, 21:04:12 UTC Helmut Grohne wrote: > Hi developers, > > I have unfortunate news regarding /usr-merge. I uncovered yet another > problem that we haven't seen mentioned earlier. We do not yet know how > to deal with it and it may take some time to come up with a good > compromise. As a result, please pause further moves from / to /usr. > Exceptions: > * With more uploads, more systemd units will move. While such moves may >trigger the new problem, I expect that to be rare. > * Continue fixing RC bugs, in particular those that are due to >dh_installsystemd or systemd.pc having moved to /usr. > * Continue applying DEP17P7 mitigations for udev rules. Patches for >these have been sent by Christian Hofstaedler and a few people from >the Cambridge miniconf. These are unrelated. > > The rest of this mail is lots of funky details for those interested in > understanding what went wrong here. Others are encouraged to do > something more joyful :) > > Before we go, let me express sincere thanks to so many people that > helped me track this down. In particular, the input of David > Kalnischkies, Guillem Jover and Julian Andres Klode was invaluable. > > Fundamentally, Conflicts do not reliably prevent concurrent unpacking of > packages as policy §7.4 may suggest. I have reported this as #1057199. > Consequently, what we look at here is situations where Conflicts are > used to mitigate file loss in the face of aliasing changes. Debian > policy §6.6 is more precise and details that when unpacking a package, > conflicting packages may be deconfigured and removed after the unpack. > In theory, the difference should not be noticeable, because dpkg > accurately tracks ownership of files with respect to packages. Aliasing > changes this and can cause file loss. The situation arises when > installing or upgrading a package to a version that happens to be in > conflict with another package to be removed. 
A simple example is > upgrading a bookworm system with molly-guard and systemd-sysv to sid and > in the process deleting molly-guard. A similar issue happens when > upgrading a bookworm system with busybox-static to sid and in that > process installing busybox and thus removing busybox-static. The > situation is hard to come by, because apt tends to remove the package > that goes away early when it can. I have implemented a reproducer > without apt for systemd-sysv #1057220. There are also situations where > apt reproduces this available from the policy bug mentioned earlier. In > particular, when one package has versioned Conflicts for another and the > other has versioned Breaks for the former, this reproduces with apt. > This essentially breaks DEP17 proposed mitigations M7 and M18. > > I have also locally extended dumat to produce a report of affected > Conflicts and am attaching it to this mail. The only packages that have > not yet migrated and have this problem are systemd-sysv, > busybox/busybox-static and resolvconf and I have filed RC bugs for them. > There are other instances in trixie already. Could we have a list of the affected packages in trixie? > > I welcome ideas for solving these problems. Let me summarize those I > already am aware of. > > Julian Andres Klode proposes adding a "barrier package" that we may call > usrmerge-support (or repurpose usr-is-merged). Affected Conflicts can be > moved to the barrier package and the conflicting package would then > express Pre-Depends on the barrier package. When the barrier's postinst > runs, any conflicting package definitely has been removed and due to > using Pre-Depends, the conflicting package definitely has not been > unpacked yet. Why not create a barrier package per package? > > Another option is duplicating affected files (e.g. using hard links) in > the data.tar and then restoring lost files during postinst. 
> > Depending on what problem we are solving, we may also move to protective > diversions (DEP17 M8). > > It also is not clear how easy it is to reproduce this bug class in an > actual upgrade. It took long to find the issue for a reason. Depending > on what files go missing, we may get away with asking users to dpkg > --audit and then apt reinstall affected packages. > > That barrier package approach sounds relatively promising to me, but > there is no implementation of that approach as of this writing. > > If you want to support finding a solution, please contribute to this > email thread or join #debian-usrmerge on oftc. > > Helmut >
Bug#994540: Go ahead with imagemagick/experimental ?
On Sunday 22 October 2023, 15:03:50 UTC Sebastian Ramacher wrote: > Control: tags -1 confirmed > > On 2023-10-22 14:51:42 +, Bastien Roucariès wrote: > > On Sunday 22 October 2023, 14:08:20 UTC Sebastian Ramacher wrote: > > > Hi Bastien > > > > > > On 2023-10-21 20:10:47 +, Bastien Roucariès wrote: > > > > Can I go ahead with imagemagick experimental ? > > > > > > As a year has passed since the last mail to the transition bug report: did > > > any new build failures in reverse dependencies appear? What's the > > > status? > > > > Reverse builds are ok (just tested in pbuilder), so for me it is a green > > light > > Please go ahead. Done > > Cheers > signature.asc Description: This is a digitally signed message part.
Re: Go ahead with imagemagick/experimental ?
On Sunday 22 October 2023, 14:08:20 UTC Sebastian Ramacher wrote: > Hi Bastien > > On 2023-10-21 20:10:47 +, Bastien Roucariès wrote: > > Can I go ahead with imagemagick experimental ? > > As a year has passed since the last mail to the transition bug report: did > any new build failures in reverse dependencies appear? What's the > status? Reverse builds are ok (just tested in pbuilder), so for me it is a green light > > Cheers > signature.asc Description: This is a digitally signed message part.
Go ahead with imagemagick/experimental ?
Hi, Can I go ahead with imagemagick experimental ? Thanks Bastien signature.asc Description: This is a digitally signed message part.
Bug#1037219: bullseye-pu: package imagemagick/8:6.9.11.60+dfsg-1.3+deb11u2
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: imagemag...@packages.debian.org
Control: affects -1 + src:imagemagick

[ Reason ]
Imagemagick is affected in stable by a few security problems.

[ Impact ]
Security problems with some exploits (images) in the wild

[ Tests ]
Yes, a testsuite is included in the package, and autopkgtest

[ Risks ]
Code is complex, I prefer not to solve all the security bugs in a single step.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
+ * Fix CVE-2021-3574: memory leak was found in TIFF coder
+ * Fix CVE-2021-4219: a special crafted file could lead to a DOS.
+ * Fix CVE-2021-20241 / CVE-2021-20243: divide by zero in
+some coders (Closes: #1013282)
+ * Fix CVE-2021-20244: Fix a divide by zero in visual-effects.c
+ * Fix CVE-2021-20245: Fix a divide by zero in webp coder
+ * Fix CVE-2021-20246: Fix a divide by zero in resample code.
+ * Fix CVE-2021-20309: Fix a divide by zero in WaveImage function.
+ * Fix CVE-2021-39212: Postscript files could be read and written
+when specifically excluded by a module policy in policy.xml file.
+(Closes: #996588)
+ * Fix CVE-2022-1114: Heap use after free in RelinquishDCMInfo()
+(Closes: #1013282)
+ * Fix CVE-2022-28463: Buffer overflow in cin coder.
+ * Fix CVE-2022-32545: Value outside the range of unsigned char
+(Closes: #1016442)
+ * Fix CVE-2022-32546: Value outside the range of representable
+values of type 'unsigned long' at coders/pcl.c,
+ * Use Salsa CI

[ Other info ]
Security team is ok with this.

diff -Nru imagemagick-6.9.11.60+dfsg/debian/changelog imagemagick-6.9.11.60+dfsg/debian/changelog --- imagemagick-6.9.11.60+dfsg/debian/changelog 2023-02-03 17:59:42.0 + +++ imagemagick-6.9.11.60+dfsg/debian/changelog 2023-05-26 07:10:27.0 + 
@@ -1,3 +1,27 @@ +imagemagick (8:6.9.11.60+dfsg-1.3+deb11u2) bullseye-security; urgency=medium + + * Fix CVE-2021-3574: memory leak was found in TIFF coder + * Fix CVE-2021-4219: a special crafted file could lead to a DOS. + * Fix CVE-2021-20241 / CVE-2021-20243: divide by zero in +some coders (Closes: #1013282) + * Fix CVE-2021-20244: Fix a divide by zero in visual-effects.c + * Fix CVE-2021-20245: Fix a divide by zero in webp coder + * Fix CVE-2021-20246: Fix a divide by zero in resample code. + * Fix CVE-2021-20309: Fix a divide by zero in WaveImage function. + * Fix CVE-2021-39212: Postscript files could be read and written +when specifically excluded by a module policy in policy.xml file. +(Closes: #996588) + * Fix CVE-2022-1114: Heap use after free in RelinquishDCMInfo() +(Closes: #1013282) + * Fix CVE-2022-28463: Buffer overflow in cin coder. + * Fix CVE-2022-32545: Value outside the range of unsigned char +(Closes: #1016442) + * Fix CVE-2022-32546: Value outside the range of representable +values of type 'unsigned long' at coders/pcl.c, + * Use Salsa CI + + -- Bastien Roucariès Fri, 26 May 2023 07:10:27 + + imagemagick (8:6.9.11.60+dfsg-1.3+deb11u1) bullseye-security; urgency=medium * Fix CVE-2022-44267 / CVE-2022-44268 diff -Nru imagemagick-6.9.11.60+dfsg/debian/debian/salsa-ci-enable-sec-and-update-repos.sh imagemagick-6.9.11.60+dfsg/debian/debian/salsa-ci-enable-sec-and-update-repos.sh --- imagemagick-6.9.11.60+dfsg/debian/debian/salsa-ci-enable-sec-and-update-repos.sh 1970-01-01 00:00:00.0 + +++ imagemagick-6.9.11.60+dfsg/debian/debian/salsa-ci-enable-sec-and-update-repos.sh 2023-05-26 07:10:27.0 + 
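Review bot: the new changelog entry targets `bullseye-security`, but this is a bullseye-pu request and the [Other info] line says the security team agreed to handle these CVEs through a point release rather than a DSA; stable proposed updates are uploaded with `bullseye` as the distribution, so the entry should be changed to `imagemagick (8:6.9.11.60+dfsg-1.3+deb11u2) bullseye; urgency=medium` before upload, otherwise the package is aimed at the wrong queue.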
@@ -0,0 +1,23 @@ +#!/bin/sh + +set -x +set -e + +# Debug what repositories are available to begin with +grep -r "^deb " /etc/apt/sources.* + +# Enable the same repositories that were available at build time in +# registry.salsa.debian.org/salsa-ci-team/pipeline/base:bullseye +. /etc/os-release +cat << EOF > /etc/apt/sources.list.d/base-$VERSION_CODENAME-repos.list +deb http://deb.debian.org/debian $VERSION_CODENAME main +deb http://deb.debian.org/debian-security $VERSION_CODENAME-security main +deb http://deb.debian.org/debian $VERSION_CODENAME-updates main +EOF + +apt-get update + +# Ref +# bullseye piuparts test runner environment is missing the bullseye-updates apt repository: https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/292 +# piuparts: doesn't install dependencies from experimental or -backports: https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/58 +# autopkgtest: doesn't install dependencies from experimental or backports: https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/85 diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0026-CVE-2021-3574-memory-leak.patch imagemagick-6.9.11.60+dfsg/debian/patches/0026-CVE-2021-3574-memory-leak.patch --- im
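Review bot: with `set -e` in effect, the debugging line `grep -r "^deb " /etc/apt/sources.*` aborts the whole script as soon as nothing matches (grep exits 1), so on an image whose sources are only in deb822 `.sources` files the repositories are never enabled; append `|| true` to that grep or drop it. The heredoc also unconditionally writes a second `$VERSION_CODENAME main` entry when the base image already carries one, which apt reports as a duplicate source on every `apt-get update`; guarding the write with a check for an existing entry would keep the CI log clean.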
CVE-2023-1289: hard to fix break ABI
Hi, I want to have some guidance about CVE-2023-1289. Fixing it will need adding a recursion field to an exported structure... It will therefore break the ABI. We could also disable the internal svg coder and fall back on inkscape. You marked the bug as no-DSA, so maybe we could postpone. Bastien signature.asc Description: This is a digitally signed message part.
Bug#1032299: bullseye-pu: package node-css-what/4.0.0-3
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-css-w...@packages.debian.org
Control: affects -1 + src:node-css-what

[ Reason ]
CVE-2022-21222/CVE-2021-33587
The package css-what before 2.1.3 is vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression in the re_attr variable of index.js. The exploitation of this vulnerability could be triggered via the parse function.

[ Impact ]
DoS due to exponential regexp search.

[ Tests ]
Package testsuite was run, code modification was tested. recheck tested the absence of ReDoS

[ Risks ]
* no backport is possible due to the upstream rewrite in TypeScript. Modification of the regex was chosen in order to be least disruptive.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
The ReDoS-prone regexp was rewritten in a linear form, step by step (5 patches).

[ Other info ]
None

diff -Nru node-css-what-4.0.0/debian/changelog node-css-what-4.0.0/debian/changelog --- node-css-what-4.0.0/debian/changelog2021-01-09 21:06:15.0 + +++ node-css-what-4.0.0/debian/changelog2023-03-01 13:47:23.0 + 
@@ -1,3 +1,15 @@ +node-css-what (4.0.0-3+deb11u1) bullseye-security; urgency=medium + + * Team upload + * node-css-what was vulnerable to Regular Expression Denial of Service +(ReDoS) due to the usage of insecure regular expression in the +re_attr variable. +The exploitation of this vulnerability could be triggered +via the parse function. +Fix CVE-2022-21222, CVE-2021-33587 (Closes: #989264, #1032188) + + -- Bastien Roucariès Wed, 01 Mar 2023 13:47:23 + + node-css-what (4.0.0-3) unstable; urgency=medium * Team upload diff -Nru node-css-what-4.0.0/debian/patches/0001-Partial-fix-of-reDos-CVE-2022-21222-CVE-2021-33587-a.patch node-css-what-4.0.0/debian/patches/0001-Partial-fix-of-reDos-CVE-2022-21222-CVE-2021-33587-a.patch --- node-css-what-4.0.0/debian/patches/0001-Partial-fix-of-reDos-CVE-2022-21222-CVE-2021-33587-a.patch 1970-01-01 00:00:00.0 + +++ node-css-what-4.0.0/debian/patches/0001-Partial-fix-of-reDos-CVE-2022-21222-CVE-2021-33587-a.patch 2023-03-01 13:47:23.0 + 
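Review bot: the changelog entry repeats the CVE description but does not say that the fix is a Debian-specific rewrite of the `reAttr` regex rather than the upstream change (the request's [Risks] section explains that the upstream TypeScript rewrite could not be backported); a sentence noting that divergence in the entry would tell anyone diffing against upstream why the code differs, and the same entry should use `bullseye` rather than `bullseye-security` as the distribution since this is a pu upload.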
@@ -0,0 +1,36 @@ +From: =?utf-8?q?Bastien_Roucari=C3=A8s?= +Date: Wed, 1 Mar 2023 08:12:48 + +Subject: Partial fix of reDos CVE-2022-21222/CVE-2021-33587: attribute + selector +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +Per https://w3c.github.io/csswg-drafts/selectors/#attribute-selectors only = ~= |= ^= $= *= are supported. + +Add also != that is checked as invalid latter in order to pass testsuite. + +So replace \S by [~|^$*!] + +Signed-off-by: Bastien Roucariès +bug-debian: https://bugs.debian.org/989264 +bug-debian: https://bugs.debian.org/1032188 +bug: https://www.cve.org/CVERecord?id=CVE-2022-21222 +bug: https://www.cve.org/CVERecord?id=CVE-2021-33587 +--- + src/parse.ts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/parse.ts b/src/parse.ts +index 677a029..628561b 100644 +--- a/src/parse.ts b/src/parse.ts +@@ -81,7 +81,7 @@ export type TraversalType = + const reName = /^[^\\#]?(?:\\(?:[\da-f]{1,6}\s?|.)|[\w\-\u00b0-\u])+/; + const reEscape = /\\([\da-f]{1,6}\s?|(\s)|.)/gi; + // Modified version of https://github.com/jquery/sizzle/blob/master/src/sizzle.js#L87 +-const reAttr = /^\s*(?:(\*|[-\w]*)\|)?((?:\\.|[\w\u00b0-\u-])+)\s*(?:(\S?)=\s*(?:(['"])((?:[^\\]|\\[^])*?)\4|(#?(?:\\.|[\w\u00b0-\u-])*)|)|)\s*([iI])?\]/; ++const reAttr = /^\s*(?:(\*|[-\w]*)\|)?((?:\\.|[\w\u00b0-\u-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])((?:[^\\]|\\[^])*?)\4|(#?(?:\\.|[\w\u00b0-\u-])*)|)|)\s*([iI])?\]/; + + const actionTypes: { [key: string]: AttributeAction } = { + undefined: "exists", diff -Nru node-css-what-4.0.0/debian/patches/0002-Partial-fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-t.patch node-css-what-4.0.0/debian/patches/0002-Partial-fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-t.patch --- node-css-what-4.0.0/debian/patches/0002-Partial-fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-t.patch 1970-01-01 00:00:00.0 + +++ 
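Review bot: the hunk narrows the operator from `\S?` to `[~|^$*!]?` in src/parse.ts but the diffstat shows no test change, even though the description deliberately lets `!` through so that `!=` can be rejected "latter"; add test cases asserting that `[a!=b]` still throws and that `[a=b]`, `[a~=b]`, `[a|=b]`, `[a^=b]`, `[a$=b]` and `[a*=b]` still parse, so this partial fix cannot silently change the accepted syntax, and note in the description that the leading `^\s*` and the nested optional value groups are left for the following patches.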
node-css-what-4.0.0/debian/patches/0002-Partial-fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-t.patch 2023-03-01 13:47:23.0 + @@ -0,0 +1,55 @@ +From: =?utf-8?q?Bastien_Roucari=C3=A8s?= +Date: Wed, 1 Mar 2023 10:10:47 + +Subject: Partial fix of ReDos CVE-2022-21222/CVE-2021-33587: trim string +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +Trim left the string avoiding a \s* at the beginning of the string, thus avoiding part of complexity. + +bug-debian: ht
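The [ Changes ] section of this request says the ReDoS-prone regexp was rewritten in a linear form. The following is an added example, not code from node-css-what, its upstream, or the Debian patch series above: it takes the same idea to its end point and parses one attribute selector with a hand-written single forward scan, so that no input, however many escapes or quotes it contains, can make the parser backtrack. The grammar it accepts is the one described in patch 0001 (`=`, `~=`, `|=`, `^=`, `$=`, `*=`, with `!=` recognised and rejected, an optional `ns|` prefix, quoted or unquoted values with backslash escapes, and an `i`/`I` flag); the action names, the `rest` field and the `demo()` inputs are this example's own assumptions, not css-what's API.

```javascript
// Added example: a single-pass attribute-selector parser written for this
// page; it is not code from node-css-what or from the Debian patch series.
// Grammar assumed (from the patch description and the Selectors spec):
//   "[" ws name ws ( op ws value ws flag? )? "]"
//   name  : ident chars or backslash escapes, optionally prefixed "ns|" or "*|"
//   op    : "=" "~=" "|=" "^=" "$=" "*="   ("!=" is recognised, then rejected)
//   value : "..." or '...' with backslash escapes, or an unquoted ident
//   flag  : "i" or "I" for case-insensitive matching
// The action labels are this example's own names, not css-what's.
const ACTIONS = {
  "": "equals", "~": "word", "|": "hyphen", "^": "prefix", "$": "suffix", "*": "contains",
};

// ASCII word chars, "-", and anything from U+00B0 upwards, mirroring the
// [\w\u00b0-\uffff-] class used by the regex in the patch.
function isIdentChar(ch) {
  return /[\w-]/.test(ch) || ch.charCodeAt(0) >= 0x00b0;
}

// Parses one attribute selector at the start of `input`. Every loop advances
// `i` on each iteration and never rewinds, so the cost is O(input.length) for
// any input, well-formed or not; a regex with nested optional groups cannot
// give that guarantee, which is what the ReDoS payload exploits.
function parseAttribute(input) {
  const n = input.length;
  let i = 0;
  const fail = (msg) => { throw new SyntaxError(`${msg} at offset ${i}`); };
  const skipWs = () => { while (i < n && /\s/.test(input[i])) i++; };
  // An escape always consumes exactly two characters, so there is nothing
  // ambiguous to retry: "\\" + any char, or one identifier character.
  const readIdent = () => {
    let out = "";
    while (i < n) {
      if (input[i] === "\\") {
        if (i + 1 >= n) fail("dangling escape");
        out += input[i + 1];
        i += 2;
      } else if (isIdentChar(input[i])) {
        out += input[i++];
      } else {
        break;
      }
    }
    return out;
  };

  if (input[i] !== "[") fail("expected '['");
  i++;
  skipWs();

  let namespace = null;
  let name;
  if (input[i] === "*") { name = "*"; i++; } else { name = readIdent(); }
  // "ns|name": a "|" followed by anything but "=" (that would be the "|=" operator).
  if (input[i] === "|" && input[i + 1] !== "=") {
    namespace = name;
    i++;
    name = readIdent();
  }
  if (name === "") fail("expected attribute name");
  skipWs();

  if (input[i] === "]") {
    i++;
    return { namespace, name, action: "exists", value: null, ignoreCase: false, rest: input.slice(i) };
  }

  let opChar = "";
  if (i < n && "~|^$*!".includes(input[i])) opChar = input[i++];
  if (input[i] !== "=") fail("expected '=' or ']'");
  i++;
  // "!=" is not a Selectors operator; as in the patch, let the scanner see
  // it and reject it explicitly rather than leaving it to a catch-all.
  if (opChar === "!") fail("'!=' is not a valid attribute operator");
  skipWs();

  let value;
  const quote = input[i];
  if (quote === '"' || quote === "'") {
    i++;
    value = "";
    while (i < n && input[i] !== quote) {
      if (input[i] === "\\") {
        if (i + 1 >= n) fail("dangling escape in quoted value");
        value += input[i + 1];
        i += 2;
      } else {
        value += input[i++];
      }
    }
    if (i >= n) fail("unterminated quoted value");
    i++;
  } else {
    value = readIdent();
    if (value === "") fail("expected attribute value");
  }
  skipWs();

  let ignoreCase = false;
  if (input[i] === "i" || input[i] === "I") { ignoreCase = true; i++; skipWs(); }
  if (input[i] !== "]") fail("expected ']'");
  i++;
  return { namespace, name, action: ACTIONS[opChar], value, ignoreCase, rest: input.slice(i) };
}

// Constructed inputs: three valid selectors, the rejected "!=" form, and a
// 100k-character unterminated value made only of escapes, the kind of input
// that makes an ambiguous regex backtrack.
function demo() {
  const samples = ['[href^="https://" i]', '[xlink|href]', '[lang|=en]', '[a!=b]', '[a="' + '\\"'.repeat(50000)];
  return samples.map((s) => {
    try { return `${s.slice(0, 24)} -> ${parseAttribute(s).action}`; }
    catch (e) { return `${s.slice(0, 24)} -> rejected (${e.message})`; }
  });
}

console.log(demo().join("\n"));
```

The design point is that each branch consumes a fixed, known number of characters before moving on, so the worst case is the same as the best case; the regex form, by contrast, has to decide between `\\.` and the identifier class at every position of an escape-heavy string and can revisit those decisions when a later part of the pattern fails.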
Bug#1018076: Add depends to armv6-support
Hi, adding support to armv6-support will help here Bastien
Bug#994540: transition: imagemagick
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Imagemagick changes some internal structures. Upstream bumped the SONAME (safe), so I am asking for a rebuild.

Ben file:
title = "imagemagick";
is_affected = .depends ~ "(?:libmagickcore-6.q[^-]+-6|libmagickwand-6.q[^-]+-6|libmagick++-6.q[^-]+-8)" | .depends ~ "(?:libmagickcore-6.q[^-]+-7|libmagickwand-6.q[^-]+-7|libmagick++-6.q[^-]+-9)";
is_good = .depends ~ "(?:libmagickcore-6.q[^-]+-7|libmagickwand-6.q[^-]+-7|libmagick++-6.q[^-]+-9)";
is_bad = .depends ~ "(?:libmagickcore-6.q[^-]+-6|libmagickwand-6.q[^-]+-6|libmagick++-6.q[^-]+-8)";
Exception for imagemagick if late by a few minutes
Hi, I am going to ask for an exception for imagemagick (see debian-private for the reason for being late). It fixes 2 CVEs and an RC bug. Normally it is in the pipe, so maybe we do not need an exception. Bastien signature.asc Description: This is a digitally signed message part.
Bug#902558: transition: imagemagick
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Imagemagick upstream broke the API in the stable 6 version. There are a few security bugs and I prefer to go to the newest package in order to close the maximum of security bugs without backporting.

Ben file:
title = "imagemagick";
is_affected = .depends ~ /libmagick-core.*-5|libmagick-wand.*-5|libmagick++.*-7/ | .depends ~ /libmagick-core.*-6|libmagick-wand.*-6|libmagick++.*-8/;
is_good = .depends ~ /libmagick-core.*-6|libmagick-wand.*-6|libmagick++.*-8/;
is_bad = .depends ~ /libmagick-core.*-5|libmagick-wand.*-5|libmagick++.*-7/;

-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.16.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Bug#873103: [release.debian.org] Plan for imagemagick7 landing before next stable
Package: release.debian.org Severity: wishlist Hi, I plan to release imagemagick 7 before the next stable version. And I want imagemagick6 and imagemagick7 to coexist. Moreover I wish to allow a smooth upgrade between the two. So I open a bug in order to allow discussion with the release team. The main problem is the perl library. I do not know how to deal with it, I could use update-alternatives to select between 6 and 7 or I could package only the 7 one... Bastien signature.asc Description: This is a digitally signed message part.
Bug#873102: [release.debian.org] transition: imagemagick
Package: release.debian.org Severity: important Hi, I have just landed an imagemagick version in experimental that breaks the ABI. The previous ABI used double_t, which is not ABI stable... Could we get a transition of libmagickcore, libmagickwand and libmagick++? I rebuilt the reverse deps a few weeks ago (waiting for ftpmaster) and it was fine. I will fix the problems ASAP. I have set the severity to important because I would prefer to get a newer imagemagick version quickly due to the number of security bugs to backport. Thanks for your work Bastien signature.asc Description: This is a digitally signed message part.
Bug#864220: unblock: imagemagick/8:6.9.7.4+dfsg-11
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package imagemagick

The changes are self-contained and security fixes. It will avoid a security release just after the release.

* Fix minor security bugs:
 + CVE-2017-9409: Memory leak in the icon file coder. (Closes: #864087)
 + CVE-2017-9407: the ReadPALMImage function in palm.c allows attackers to cause a denial of service (memory leak) via a crafted file. (Closes: #864089).
 + CVE-2017-9409: the ReadMPCImage function in mpc.c allows attackers to cause a denial of service (memory leak) via a crafted file. (Closes: #864090).

So unblock imagemagick/8:6.9.7.4+dfsg-11

-- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Bug#862772: unblock: imagemagick/8:6.9.7.4+dfsg-8
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package imagemagick. This fixes more than 10 security bugs and an RC bug due to Built-Using. unblock imagemagick/8:6.9.7.4+dfsg-8 -- System Information: Debian Release: 9.0 APT prefers testing APT policy: (900, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-2-rt-amd64 (SMP w/8 CPU cores; PREEMPT) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
Bug#849218: transition: imagemagick
control: affect 844357 src:zbar control: block -1 by 844357 On Thursday 29 December 2016, 16:37:43 CET Emilio Pozuelo Monfort wrote: > Control: tags -1 confirmed > > The break was in 6.9.2-10 released in mid 2015. This is moreover only two > > version latter than current jessie and I believe it will be a security > > nightmare to support three versions with more than 100 security patches > > Alright, let's do this. > > BTW please you're breaking threading with your email replies. That's a bit > annoying. zbar blocks the transition due to 844357. Bastien > Cheers, > Emilio signature.asc Description: This is a digitally signed message part.
Bug#849218: transition: imagemagick
Package: release.debian.org Severity: normal Hi, Due to #846385, could it be possible to get a transition for imagemagick? Sorry for being late but upstream is really sloppy. The break was in 6.9.2-10 released in mid 2015. This is moreover only two versions later than current jessie and I believe it will be a security nightmare to support three versions with more than 100 security patches. Bastien signature.asc Description: This is a digitally signed message part.
Bug#838242: transition: imagemagick
Package: release.debian.org Severity: normal Hi, imagemagick waiting in NEW (8:6.9.5.9+dfsg-1) will need a transition from experimental to unstable. The next stable version needs to be based on this version from a security point of view. It fixes more than 50 security bugs. Moreover this version uses autopkgtest, improving the quality of testing. Bastien signature.asc Description: This is a digitally signed message part.
Bug#769768: unblock: [security] imagemagick/8:6.8.9.9-3
Package: release.debian.org Severity: important User: release.debian@packages.debian.org Usertags: unblock Please unblock package imagemagick It fixes CVE-2014-8716 (a two line change). I have also updated the previous changelog entry with the proper CVEs. diff -Nru imagemagick-6.8.9.9/debian/changelog imagemagick-6.8.9.9/debian/changelog --- imagemagick-6.8.9.9/debian/changelog2014-10-28 18:48:23.0 +0100 +++ imagemagick-6.8.9.9/debian/changelog2014-11-12 21:58:20.0 +0100 @@ -1,3 +1,13 @@ +imagemagick (8:6.8.9.9-3) unstable; urgency=high + + * Fix a security bug (DOS). Some special crafted JPEG +files could create a dos due to missing check in +embeded EXIF properties (EXIF directory offsets +must be greater than 0). Fix CVE-2014-8716 +(Closes: #768494). + + -- Bastien Roucariès roucaries.bastien+deb...@gmail.com Fri, 07 Nov 2014 21:16:20 +0100 + imagemagick (8:6.8.9.9-2) unstable; urgency=high * Remove build-dep loop. Remove inkscape. 
@@ -9,10 +19,11 @@ * New upstream version, fixing four security problems: - Remotely DOS: convert +profile regression enters infinite loop exhausting memory, thanks to - Yuri D'Elia (Closes: #764872). -- Fixed buffer overflow in PCX and DCM coder. + Yuri D'Elia (Closes: #764872). Fix CVE-2014-8561. +- Fixed buffer overflow in PCX and DCM coder. Fix + CVE-2014-8562 and CVE-2014-8355. - Don't clone a 0x0 image breaking some assumption - in client code. + in client code. Fix CVE-2014-8354. - Off-by-one count when parsing an 8BIM profile. * Fix identify -quiet has non zero exit code on warnings (Closes: #763686). diff -Nru imagemagick-6.8.9.9/debian/patches/0001-Use-svg-instead-of-png-for-generating-class-diagram.patch imagemagick-6.8.9.9/debian/patches/0001-Use-svg-instead-of-png-for-generating-class-diagram.patch --- imagemagick-6.8.9.9/debian/patches/0001-Use-svg-instead-of-png-for-generating-class-diagram.patch 2014-10-28 18:50:28.0 +0100 +++ imagemagick-6.8.9.9/debian/patches/0001-Use-svg-instead-of-png-for-generating-class-diagram.patch 2014-11-15 14:47:56.0 +0100 @@ -82,5 +82,5 @@ # If DOT_IMAGE_FORMAT is set to svg, then this option can be set to YES to # enable generation of interactive SVG images that allow zooming and panning. -- -2.1.1 +2.1.3 diff -Nru imagemagick-6.8.9.9/debian/patches/0002-Fix-html-documents.patch imagemagick-6.8.9.9/debian/patches/0002-Fix-html-documents.patch --- imagemagick-6.8.9.9/debian/patches/0002-Fix-html-documents.patch 2014-10-28 18:50:29.0 +0100 +++ imagemagick-6.8.9.9/debian/patches/0002-Fix-html-documents.patch 2014-11-15 14:47:56.0 +0100 
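Review bot: in the changelog hunk the entry "Off-by-one count when parsing an 8BIM profile" is the only one of the five upstream fixes left without a CVE id after the others were annotated (CVE-2014-8561, -8562, -8355, -8354); if no CVE was assigned, say so in the entry (for example "no CVE assigned") so the security tracker does not treat it as an unannotated issue, and if one exists add it alongside the others.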
@@ -5152,5 +5152,5 @@ +!-- Magick Cache 25th July 2014 04:06 -- + -- -2.1.1 +2.1.3 diff -Nru imagemagick-6.8.9.9/debian/patches/0003-Fix-meta-tag-damage-in-html-documentation.patch imagemagick-6.8.9.9/debian/patches/0003-Fix-meta-tag-damage-in-html-documentation.patch --- imagemagick-6.8.9.9/debian/patches/0003-Fix-meta-tag-damage-in-html-documentation.patch 2014-10-28 18:50:30.0 +0100 +++ imagemagick-6.8.9.9/debian/patches/0003-Fix-meta-tag-damage-in-html-documentation.patch 2014-11-15 14:47:57.0 +0100 @@ -2290,5 +2290,5 @@ \ No newline at end of file +!-- Magick Cache 25th July 2014 05:32 -- -- -2.1.1 +2.1.3 diff -Nru imagemagick-6.8.9.9/debian/patches/0004-Fix-remaining-html-error.patch imagemagick-6.8.9.9/debian/patches/0004-Fix-remaining-html-error.patch --- imagemagick-6.8.9.9/debian/patches/0004-Fix-remaining-html-error.patch 2014-10-28 18:50:30.0 +0100 +++ imagemagick-6.8.9.9/debian/patches/0004-Fix-remaining-html-error.patch 2014-11-15 14:47:57.0 +0100 @@ -162,5 +162,5 @@ /div -- -2.1.1 +2.1.3 diff -Nru imagemagick-6.8.9.9/debian/patches/0005-Avoid-crash-and-DOS-with-special-crafted-jpeg-file.patch imagemagick-6.8.9.9/debian/patches/0005-Avoid-crash-and-DOS-with-special-crafted-jpeg-file.patch --- imagemagick-6.8.9.9/debian/patches/0005-Avoid-crash-and-DOS-with-special-crafted-jpeg-file.patch 1970-01-01 01:00:00.0 +0100 +++ imagemagick-6.8.9.9/debian/patches/0005-Avoid-crash-and-DOS-with-special-crafted-jpeg-file.patch 2014-11-15 14:47:57.0 +0100 
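Review bot: these hunks change only the `-- 2.1.1` / `-- 2.1.3` git trailer at the end of the existing documentation patches and carry no functional change; regenerating the series with the same git version, or stripping the trailer from the exported patches, would keep this freeze debdiff limited to the CVE fix and the changelog and make it much quicker to review.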
@@ -0,0 +1,33 @@ +From b61b7f4f0e705b6a9a9ba8b8af898a406b0fc87e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= roucaries.bast...@gmail.com +Date: Fri, 7 Nov 2014 21:05:07 +0100 +Subject: [PATCH] Avoid crash and DOS with special crafted jpeg file + +Some special crafted JPEG file could lead to dos due to missing check in +embeded EXIF properties (EXIF directory offsets must be greater than 0). + +Fix CVE-2014-8716. + +Forwarded: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3t=26456 +Bug-debian: http://bugs.debian.org/768494 +Applied-Upstream: 6.9.9.10 +--- + magick/property.c | 2 ++ + 1 file changed, 2 insertions
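Review bot: the header states that the new check requires the EXIF directory offset to be greater than 0, but the body of the property.c hunk is cut off in this excerpt, so the review cannot confirm whether the offset is also bounded against the length of the embedded profile; a non-zero offset pointing past the end of the EXIF data would still read out of bounds, so the check should also reject offsets at or beyond the profile length (or the description should state that such an upper bound already exists in the surrounding code).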
Bug#769697: unblock: xmorph/20140707
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Hi, Please unblock xmorph fixing a RC bug *Bug fix: fails to upgrade from wheezy - trying to overwrite /usr/share/man/man1/morph.1.gz, thanks to Andreas Beckmann (Closes: #767834). --- xmorph-20140707/debian/changelog2014-07-07 00:01:03.0 +0200 +++ xmorph-20140707.1/debian/changelog 2014-11-15 15:47:27.0 +0100 @@ -1,3 +1,12 @@ +xmorph (1:20140707+nmu.1) unstable; urgency=medium + + * Non-maintainer upload. + * Bug fix: fails to upgrade from wheezy - trying to overwrite +/usr/share/man/man1/morph.1.gz, thanks to Andreas Beckmann (Closes: +#767834). + + -- Bastien Roucariès roucaries.bastien+deb...@gmail.com Sat, 15 Nov 2014 15:47:21 +0100 + xmorph (1:20140707) unstable; urgency=low [ A Mennucc1 ] diff -Nru xmorph-20140707/debian/control xmorph-20140707+nmu.1/debian/control --- xmorph-20140707/debian/control 2014-07-06 23:42:09.0 +0200 +++ xmorph-20140707.1/debian/control2014-11-15 15:49:41.0 +0100 @@ -10,6 +10,8 @@ Package: libmorph Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends} +Breaks: xmorph ( 1:20140707~) +Replaces: xmorph ( 1:20140707~) Priority: optional Section: libs Description: digital image warping library unblock xmorph/20140707 -- System Information: Debian Release: jessie/sid APT prefers testing APT policy: (900, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16-2-amd64 (SMP w/8 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20141115165320.27547.6559.report...@bastien-debian.roucaries.org
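Review bot: the `Breaks:` and `Replaces:` lines in the control hunk read `xmorph ( 1:20140707~)` with no relation operator, so the debdiff as shown would not parse; confirm the committed control file has `xmorph (<< 1:20140707~)`. The request also closes with `unblock xmorph/20140707` while the changelog entry is `1:20140707+nmu.1`; the unblock line should name the exact version, and the NMU suffix is normally written `+nmu1` rather than `+nmu.1`.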