Bug#950123: virtualenvwrapper: Autocomplete not loaded in default install

2020-08-28 Thread David da Silva Polverari
Hi,

I can confirm that despite what is stated on
/usr/share/doc/virtualenvwrapper/README.Debian,
virtualenvwrapper_4.8.4-4 doesn't install
/etc/bash_completion.d/virtualenvwrapper, as was the case in the
version found on Buster (4.3.1-2).

Regards,

David Polverari.



Bug#968751: ITP: firewalk -- active network reconnaissance security tool

2020-08-20 Thread David da Silva Polverari
Package: wnpp
Severity: wishlist
Owner: David da Silva Polverari 

* Package name: firewalk
  Version : 5.0
  Upstream Author : Mike D. Schiffman
                    David E. Goldsmith
* URL : http://packetfactory.openwall.net/projects/firewalk/
* License : BSD
  Programming Lang: C
  Description : active network reconnaissance security tool

Firewalk is an active reconnaissance network security tool that attempts
to determine what layer 4 protocols a given IP forwarding device will
pass.

This package is relevant in network security assessments. It works in a
similar way to traceroute, but with extended functionality that helps in
assessing the configuration of package filtering devices.

I plan to maintain this package inside the Debian Security Tools
Packaging Team (pkg-security), and I will need a sponsor for my package.



Bug#744401: snowdrop: diff for NMU 0.02b-12.1

2020-08-12 Thread David da Silva Polverari
On Wed, Aug 12, 2020 at 07:11:35PM +0200, Andreas Metzler wrote:
> this bug tracks the fact that the changes in the NMU have NOT been
> integrated into a maintainer upload. So it should stay open until that
> has happened, afaik.
> 
Hi Andreas,

I'm not sure if I follow, but from what I see, you are worried that new
maintainers will not take these NMU changes into account on the next
revisions, right?

I have an ITA opened and I'm working on a Debian revision of the package
atm, and I have created a git repository (using gbp import-dscs
--debsnap), which contains your NMU.

Even if I weren't doing this revision, I think any other potential
Debian contributor would be basing their work on the latest Debian
revision found on the archives, which happens to be your NMU at this
point, as can be seen by fetching the package sources on sid with apt
source.

Thus I'm not sure what the benefits are of keeping this bug open. Of
course, I may be completely wrong :). So, do you think I should reopen
it until I (or anyone else, for that matter) release a new Debian
revision?

Regards,

David Polverari.



Bug#744401: snowdrop: diff for NMU 0.02b-12.1

2020-08-13 Thread David da Silva Polverari
On Thu, Aug 13, 2020 at 06:29:34PM +0200, Andreas Metzler wrote:

Hi Andreas,

> Reopening seems to be make-work if you are in the process of adopting
> anyway. ;-)

Ok! :)

> cu Andreas
> 
> 
> [1] Worried is too strong. But the rationale for closing made no sense. I
> submitted a bugreport with a diff for the NMU to make it available to
> the maintainer and track its integration. Closing it with "a package
> that contains the diff already entered the Debian archive" did not make
> sense, since the only package in the archive with the diff is still the
> NMU, so the status of the package had not changed at all since I had
> submitted the tracking bug report.

Sorry for "worried" lol. As English is not my first language, sometimes
I make a poor choice of words.

As for the rationale for closing, maybe I misinterpreted what was stated
on the Debian wiki about BTS usage [1] in this case, but I see your
point now. I should have deferred closing the bug until after the new revision
I am working on was accepted on unstable. All those processes are still
new to me, so I'm unfortunately still making some mistakes along the
way. Sorry for the inconvenience and thanks for the explanation!

[1] https://www.debian.org/Bugs/Developer#closing

Regards,

David Polverari.



Bug#962939: RFS: pipewalker/1.0-3 [QA] -- combination puzzle game

2020-06-16 Thread David da Silva Polverari
Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "pipewalker"

 * Package name: pipewalker
   Version : 0.9.4-3
   Upstream Author : Artem Senichev 
 * URL : http://pipewalker.sourceforge.net/
 * License : GPL-3+
 * Vcs : https://salsa.debian.org/debian/pipewalker
   Section : games

It builds those binary packages:

  pipewalker - combination puzzle game

To access further information about this package, please visit the following 
URL:

  https://mentors.debian.net/package/pipewalker

Alternatively, one can download the package with dget using this command:

  dget -x https://mentors.debian.net/debian/pool/main/p/pipewalker/pipewalker_0.9.4-3.dsc

Changes since the last upload:

   * QA upload.
   * Ran wrap-and-sort.
   * Set Debian QA Group as maintainer. (See #826925)
   * Using new DH level format. Consequently:
       - debian/compat: removed.
       - debian/control: changed from 'debhelper' to 'debhelper-compat' in
         Build-Depends field and bumped level to 13.
   * debian/control:
       - Added 'Rules-Requires-Root: no' to source stanza.
       - Added the Vcs-* fields.
       - Bumped Standards-Version to 4.5.0.
       - Changed package synopsis and long description.
       - Removed redundant build dependencies since DH compatibility level 10.
   * debian/copyright:
       - Added new rights in debian/* paragraph.
       - Migrated to 1.0 format.
   * debian/manpages: added to install a maintainer-provided manpage.
   * debian/menu: replaced a relative path reference to an icon with an absolute
     one, according to the "Debian Menu System" manual, section 3.2 (Syntax).
     Thanks to Markus Koschany. (Closes: #738006)
   * debian/patches/*:
       - 020_fix-fmt-string-vuln.patch: added to fix a format string
         vulnerability on upstream code.
       - 030_fix-xdg-dot-desktop.patch: added to make upstream provided .desktop
         file conform to XDG Desktop Entry Specification.
       - 040_fix-build-fhs-games.patch: added to make the build system conform to
         FHS regarding static data files for /usr/games.
       - datadir.diff: removed due to build system adjustments by other patches.
       - no-werror.diff: renamed to 010-configure-no-werror.patch and added
         DEP-3 header.
   * debian/pipewalker.1: added to provide a manpage to the game binary.
   * debian/rules:
       - Added DEB_BUILD_MAINT_OPTIONS variable to provide full GCC hardening.
       - Changed the '--data-dir' value to suit the modifications made to the
         build system.
       - Removed '--with autoreconf' because it is default since DH 10.
   * debian/salsa-ci.yml: added to provide CI tests for Salsa.
   * debian/tests/control: created to provide trivial CI tests.
   * debian/watch: bumped to version 4.

Regards,

--
  David da Silva Polverari



Bug#963019: RFS: pem/0.7.9-3 -- command line personal expense manager

2020-06-17 Thread David da Silva Polverari
Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "pem"

 * Package name: pem
   Version : 0.7.9-3
   Upstream Author : Prasad J Pandit 
 * URL : https://www.gnu.org/software/pem/
 * License : GPL-3+
 * Vcs : https://salsa.debian.org/debian/pem
   Section : misc

It builds those binary packages:

  pem - command line personal expense manager

To access further information about this package, please visit the following 
URL:

  https://mentors.debian.net/package/pem

Alternatively, one can download the package with dget using this command:

  dget -x https://mentors.debian.net/debian/pool/main/p/pem/pem_0.7.9-3.dsc

Changes since the last upload:

   * Using new DH level format. Consequently:
       - debian/compat: removed.
       - debian/control: changed from 'debhelper' to 'debhelper-compat' in
         Build-Depends field and bumped level to 13.
   * debian/control:
       - Added '${perl:Depends}' to Depends field.
       - Added 'Rules-Requires-Root: no' to source stanza.
       - Added Vcs-* fields.
       - Bumped Standards-Version to 4.5.0.
       - Marked pem as 'Multi-Arch: foreign'.
       - Removed redundant dh-autoreconf build dependency.
   * debian/copyright: updated copyright years.
   * debian/patches/010_use-usr-bin-perl.patch: added to use '/usr/bin/perl'
     instead of '/usr/bin/env perl' for interpreter invocation.
   * debian/rules: removed redundant '--with autoreconf' dh parameter.
   * debian/salsa-ci.yml: added to provide CI tests for Salsa.
   * debian/tests/control: added to perform a trivial CI test.
   * debian/upstream/metadata: created.
   * debian/watch: using a secure URI.

Regards,

--
  David da Silva Polverari



Bug#962939: RFS: pipewalker/0.9.4-3 [QA] -- combination puzzle game

2020-06-27 Thread David da Silva Polverari
Package: sponsorship-requests
Followup-For: Bug #962939

Dear mentors,

I am looking for a sponsor for my package "pipewalker"

 * Package name: pipewalker
   Version : 0.9.4-3
   Upstream Author : Artem Senichev 
 * URL : http://pipewalker.sourceforge.net/
 * License : GPL-3+
 * Vcs : https://salsa.debian.org/debian/pipewalker
   Section : games

It builds those binary packages:

  pipewalker - combination puzzle game

To access further information about this package, please visit the following 
URL:

  https://mentors.debian.net/package/pipewalker

Alternatively, one can download the package with dget using this command:

  dget -x https://mentors.debian.net/debian/pool/main/p/pipewalker/pipewalker_0.9.4-3.dsc

Changes since the last upload:

   * QA upload.
   * Included an additional theme and a theme template found on upstream site
     into package. Consequently:
       - debian/examples: created to install the template.
       - debian/extra/New Year.png: included to provide the additional theme.
       - debian/extra/scheme.png: included to provide the upstream theme
         template.
       - debian/install: created to install the additional theme.
       - debian/source/include-binaries: created to include both files in the
         source package.
   * Ran wrap-and-sort.
   * Set Debian QA Group as maintainer. (See #826925)
   * Using new DH level format. Consequently:
       - debian/compat: removed.
       - debian/control: changed from 'debhelper' to 'debhelper-compat' in
         Build-Depends field and bumped level to 13.
   * debian/control:
       - Added 'Rules-Requires-Root: no' to source stanza.
       - Added the Vcs-* fields.
       - Bumped Standards-Version to 4.5.0.
       - Changed package synopsis and long description.
       - Removed redundant build dependencies since DH compatibility level 10.
   * debian/copyright:
       - Added a Comment field to document the origin of debian/extra/* files.
       - Added debian/extra/* paragraph.
       - Added new rights in debian/* paragraph.
       - Migrated to 1.0 format.
   * debian/manpages: added to install a maintainer-provided manpage.
   * debian/menu: removed to comply with CTTE #741573. (Closes: #738006)
   * debian/patches/*:
       - 010_configure-no-werror.patch: renamed from no-werror.diff and added
         DEP-3 header.
       - 020_fix-fmt-string-vuln.patch: added to fix a format string
         vulnerability on upstream code.
       - 030_fix-xdg-dot-desktop.patch: added to make upstream provided .desktop
         file conform to XDG Desktop Entry Specification.
       - 040_fix-build-fhs-games.patch: added to make the build system conform to
         FHS regarding static data files for /usr/games.
       - 050_dont-install-menu.patch: added to comply with CTTE #741573.
       - datadir.diff: no longer needed due to build system adjustments by other
         patches. Removed.
   * debian/pipewalker.6: added to provide a manpage to the game binary.
   * debian/rules:
       - Added DEB_BUILD_MAINT_OPTIONS variable to provide full GCC hardening.
       - Changed the '--data-dir' value to suit the modifications made to the
         build system.
       - Removed '--with autoreconf' because it is default since DH 10.
   * debian/salsa-ci.yml: added to provide CI tests for Salsa.
   * debian/tests/control: created to provide trivial CI tests.
   * debian/upstream/metadata: created.
   * debian/watch: bumped to version 4.

Regards,

--
  David da Silva Polverari



Bug#963674: RFS: smbldap-tools/0.9.11-1 [QA] -- smbldap-tools - Scripts to manage Unix and Samba accounts stored on LDAP

2020-06-24 Thread David da Silva Polverari
Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "smbldap-tools"

 * Package name: smbldap-tools
   Version : 0.9.11-1
   Upstream Author : SATOH Fumiyas 
 * URL : https://github.com/fumiyas/smbldap-tools
 * License : GPL-2+
 * Vcs : https://salsa.debian.org/debian/smbldap-tools
   Section : admin

It builds those binary packages:

  smbldap-tools - Scripts to manage Unix and Samba accounts stored on LDAP

To access further information about this package, please visit the following 
URL:

  https://mentors.debian.net/package/smbldap-tools

Alternatively, one can download the package with dget using this command:

  dget -x https://mentors.debian.net/debian/pool/main/s/smbldap-tools/smbldap-tools_0.9.11-1.dsc

Changes since the last upload:

   * QA upload.
   * New upstream release. (Closes: #692530, #906108, #906109)
   * debian/clean: created to clean build artifacts.
   * debian/control:
       - Added 'Rules-Requires-Root: no' to source stanza.
       - Added Homepage field.
       - Added Vcs-* fields.
       - Removed redundant 'quilt' dependency from Build-Depends field.
       - Removed unnecessary Build-Depends-Indep field.
   * debian/copyright:
       - Updated Source field to point to the repository of the last active
         maintainer. Thanks to Daniele Palumbo and to SATOH Fumiyas.
         (Closes: #906106)
       - Updated upstream address.
       - Using GitHub repository issues in Upstream-Contact field.
   * debian/patches/0003_include_config_script.patch: no longer needed, as
     upstream solved the problem. Deleted.
   * debian/rules:
       - Added a dh_auto_configure override to run build/autogen.sh before
         dh_auto_configure.
       - Removed useless DEB_BUILD_MAINT_OPTIONS export.
   * debian/salsa-ci.yml: added to provide CI tests for Salsa.
   * debian/upstream/metadata: created.
   * debian/watch:
       - Bumped to version 4.
       - Updated the source address.

Regards,

--
  David da Silva Polverari



Bug#925672: efivar: diff for NMU version 37-2.1

2020-06-09 Thread David da Silva Polverari
Control: tags 925672 + pending

Dear maintainer,

I've prepared an NMU for efivar (versioned as 37-2.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer or cancel the NMU.

Regards,

David Polverari.
diff -Nru efivar-37/debian/changelog efivar-37/debian/changelog
--- efivar-37/debian/changelog	2019-03-01 12:55:07.0 -0500
+++ efivar-37/debian/changelog	2020-06-09 17:31:58.0 -0500
@@ -1,3 +1,12 @@
+efivar (37-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * debian/patches: added upstream patches fix-gcc9-werror-format-guid.patch
+and fix-gcc9-werrors.patch to fix FTBFS with GCC 9. Thanks to Matthias
+Klose . (Closes: #925672)
+
+ -- David da Silva Polverari   Tue, 09 Jun 2020 17:31:58 -0500
+
 efivar (37-2) unstable; urgency=medium
 
   * Cherry-pick fix from upstream:
diff -Nru efivar-37/debian/patches/fix-gcc9-werror-format-guid.patch efivar-37/debian/patches/fix-gcc9-werror-format-guid.patch
--- efivar-37/debian/patches/fix-gcc9-werror-format-guid.patch	1969-12-31 19:00:00.0 -0500
+++ efivar-37/debian/patches/fix-gcc9-werror-format-guid.patch	2020-06-09 17:25:29.0 -0500
@@ -0,0 +1,28 @@
+Subject: dp.h: make format_guid() handle misaligned guid pointers safely.
+Author: Peter Jones 
+Bug: https://bugzilla.opensuse.org/show_bug.cgi?id=1120862
+Bug-Debian: https://bugs.debian.org/925672
+Origin: upstream, https://github.com/rhboot/efivar/commit/b98ba8921010d03f46704a476c69861515deb1ca
+Last-Update: 2019-01-07
+diff --git a/src/dp.h b/src/dp.h
+index aa4e390..20cb608 100644
+--- a/src/dp.h
 b/src/dp.h
+@@ -70,8 +70,15 @@
+ #define format_guid(buf, size, off, dp_type, guid) ({			\
+ 		int _rc;		\
+ 		char *_guidstr = NULL;	\
+-	\
+-		_rc = efi_guid_to_str(guid, &_guidstr);			\
++		efi_guid_t _guid;	\
++		const efi_guid_t * const _guid_p =			\
++			likely(__alignof__(guid) == sizeof(guid))	\
++? guid	\
++: &_guid;\
++\
++		if (unlikely(__alignof__(guid) == sizeof(guid)))	\
++			memmove(&_guid, guid, sizeof(_guid));		\
++		_rc = efi_guid_to_str(_guid_p, &_guidstr);		\
+ 		if (_rc < 0) {		\
+ 			efi_error("could not build %s GUID DP string",	\
+   dp_type);\
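Review bot: in the added format_guid() lines, the guard `if (unlikely(__alignof__(guid) == sizeof(guid)))` around memmove() tests the same expression as the ternary that selects `guid` for `_guid_p`, so whenever `_guid_p` ends up as `&_guid` the copy is skipped and efi_guid_to_str() is handed an uninitialized `_guid`. The guard reads as if it was meant to be `!=`. The second patch in this NMU, fix-gcc9-werrors.patch, replaces these lines with an unconditional memmove(), so the end state is fine, but the two patches should not be applied or bisected separately; a sentence in this patch header saying so, or folding the two into one patch, would make that explicit.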
diff -Nru efivar-37/debian/patches/fix-gcc9-werrors.patch efivar-37/debian/patches/fix-gcc9-werrors.patch
--- efivar-37/debian/patches/fix-gcc9-werrors.patch	1969-12-31 19:00:00.0 -0500
+++ efivar-37/debian/patches/fix-gcc9-werrors.patch	2020-06-09 17:24:41.0 -0500
@@ -0,0 +1,145 @@
+Subject: Fix all the places -Werror=address-of-packed-member catches.
+Author: Peter Jones 
+Bug: https://github.com/rhboot/efivar/issues/123
+Bug-Debian: https://bugs.debian.org/925672
+Origin: upstream, https://github.com/rhboot/efivar/commit/c3c553db85ff10890209d0fe48fb4856ad68e4e0
+Last-Update: 2019-02-21
+--- a/src/dp-message.c
 b/src/dp-message.c
+@@ -620,11 +620,13 @@
+ 			  ) / sizeof(efi_ip_addr_t);
+ 		format(buf, size, off, "Dns", "Dns(");
+ 		for (int i=0; i < end; i++) {
+-			const efi_ip_addr_t *addr = >dns.addrs[i];
++			efi_ip_addr_t addr;
++
++			memcpy(, >dns.addrs[i], sizeof(addr));
+ 			if (i != 0)
+ format(buf, size, off, "Dns", ",");
+ 			format_ip_addr(buf, size, off, "Dns",
+-   dp->dns.is_ipv6, addr);
++   dp->dns.is_ipv6, );
+ 		}
+ 		format(buf, size, off, "Dns", ")");
+ 		break;
+--- a/src/dp.h
 b/src/dp.h
+@@ -71,13 +71,9 @@
+ 		int _rc;		\
+ 		char *_guidstr = NULL;	\
+ 		efi_guid_t _guid;	\
+-		const efi_guid_t * const _guid_p =			\
+-			likely(__alignof__(guid) == sizeof(guid))	\
+-? guid	\
+-: &_guid;\
+-\
+-		if (unlikely(__alignof__(guid) == sizeof(guid)))	\
+-			memmove(&_guid, guid, sizeof(_guid));		\
++		const efi_guid_t * const _guid_p = &_guid;		\
++	\
++		memmove(&_guid, guid, sizeof(_guid));			\
+ 		_rc = efi_guid_to_str(_guid_p, &_guidstr);		\
+ 		if (_rc < 0) {		\
+ 			efi_error("could not build %s GUID DP string",	\
+@@ -86,7 +82,7 @@
+ 			_guidstr = onstack(_guidstr,			\
+ 	   strlen(_guidstr)+1);		\
+ 			_rc = format(buf, size, off, dp_type, "%s",	\
+- _guidstr);	\
++ _guidstr);\
+ 		}			\
+ 		_rc;			\
+ 	})
+--- a/src/guid.c
 b/src/guid.c
+@@ -31,7 +31,7 @@
+ extern const efi_guid_t efi_guid_zero;
+ 
+ int NONNULL(1, 2) PUBLIC
+-efi_guid_cmp(const efi_guid_t *a, const efi_guid_t *b)
++efi_guid_cmp(const void * const a, const void * const b)
+ {
+ 	return memcmp(a, b, sizeof (efi_guid_t));
+ }
+--- a/src/include/efivar/efivar.h
 b/src/include/efivar/efivar.h
+@@ -128,7 +128,7 @@
+ 
+ extern int efi_guid_is_zero(const efi_guid_t *guid);
+ extern int efi_guid_is_empty(const efi_guid_t *guid);
+-extern int efi_guid_cmp(const efi_guid_t *a, const efi_guid_t *b);
++extern int efi_guid_cmp
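Review bot: in the src/guid.c part, efi_guid_cmp() now takes `const void * const` for both arguments while still calling memcmp() over sizeof (efi_guid_t) bytes, so the compiler will no longer flag a caller that passes a pointer to a smaller object. A comment on the public prototype in src/include/efivar/efivar.h stating that both arguments must point to at least sizeof (efi_guid_t) readable bytes would document the contract the parameter type used to carry. The diff as posted is cut off at the efivar.h declaration, so the new prototype and the remainder of the 145-line patch cannot be checked against the definition here.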

Bug#925672: efivar: diff for NMU version 37-2.1

2020-06-10 Thread David da Silva Polverari
On Wed, Jun 10, 2020 at 07:32:36PM +, mario.limoncie...@dell.com wrote:
> I don't have a concern to this, but would you mind also submitting
> it to Salsa and linking back so we can get it into VCS?
> 
I have sent a merge request [1] on Salsa with the changes included on
the NMU. I branched it from cf16f73, as there was an unreleased
debian/changelog entry on a newer commit.

[1] https://salsa.debian.org/efi-team/efivar/-/merge_requests/2



Bug#925782: mp3check: diff for NMU version 0.8.7-3.1

2020-06-12 Thread David da Silva Polverari
Control: tags 925782 + pending

Dear maintainer,

I've prepared an NMU for mp3check (versioned as 0.8.7-3.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer or cancel the NMU.

Regards,

David Polverari.
diff -Nru mp3check-0.8.7/debian/changelog mp3check-0.8.7/debian/changelog
--- mp3check-0.8.7/debian/changelog	2018-12-22 18:33:01.0 -0500
+++ mp3check-0.8.7/debian/changelog	2020-06-11 00:33:53.0 -0500
@@ -1,3 +1,12 @@
+mp3check (0.8.7-3.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * debian/patches/60_bts925782_ftbfs_with_gcc_9.patch: added to fix FTBFS
+with GCC-9. Thanks to Joachim Reichel . (Closes:
+#925782)
+
+ -- David da Silva Polverari   Thu, 11 Jun 2020 00:33:53 -0500
+
 mp3check (0.8.7-3) unstable; urgency=medium
 
   [ Helmut Grohne ]
diff -Nru mp3check-0.8.7/debian/patches/60_bts925782_ftbfs_with_gcc_9.patch mp3check-0.8.7/debian/patches/60_bts925782_ftbfs_with_gcc_9.patch
--- mp3check-0.8.7/debian/patches/60_bts925782_ftbfs_with_gcc_9.patch	1969-12-31 19:00:00.0 -0500
+++ mp3check-0.8.7/debian/patches/60_bts925782_ftbfs_with_gcc_9.patch	2020-06-11 00:33:53.0 -0500
@@ -0,0 +1,50 @@
+Description: fix FTBFS with GCC-9
+Author: Joachim Reichel 
+Bug-Debian: https://bugs.debian.org/925782
+Last-Update: 2019-09-01
+
+--- a/texception.h
 b/texception.h
+@@ -38,10 +38,10 @@
+ 
+ #define TExceptionN(n) public: virtual const char *name()  const { return #n; }
+ #define TExceptionM(m) public: virtual const char *message() const { return m; }
+-#define TExceptionM1(m,a) public: virtual const char *message() const { char *buf; asprintf(, m, a); return buf; }
+-#define TExceptionM2(m,a,b) public: virtual const char *message() const { char *buf; asprintf(, m, a,b); return buf; }
+-#define TExceptionM3(m,a,b,c) public: virtual const char *message() const { char *buf; asprintf(, m, a,b,c); return buf; }
+-#define TExceptionM4(m,a,b,c,d) public: virtual const char *message() const { char *buf; asprintf(, m, a,b,c,d); return buf; }
++#define TExceptionM1(m,a) public: virtual const char *message() const { char *buf; int result = asprintf(, m, a); return result != -1 ? buf : "asprintf failure"; }
++#define TExceptionM2(m,a,b) public: virtual const char *message() const { char *buf; int result = asprintf(, m, a,b); return result != -1 ? buf : "asprintf failure"; }
++#define TExceptionM3(m,a,b,c) public: virtual const char *message() const { char *buf; int result = asprintf(, m, a,b,c); return result != -1 ? buf : "asprintf failure"; }
++#define TExceptionM4(m,a,b,c,d) public: virtual const char *message() const { char *buf; int result = asprintf(, m, a,b,c,d); return result != -1 ? buf : "asprintf failure"; }
+ 
+ // base class of all exceptions 
+ class TException {
+--- a/tstring.cc
 b/tstring.cc
+@@ -111,7 +111,7 @@
+ tstring::Rep *tstring::Rep::create(size_t tmem) {
+size_t m = sizeof(Rep) << 1;
+while((m - 1 - sizeof(Rep)) < tmem) m <<= 1;
+-   Rep *p = new (m - 1 - sizeof(Rep)) Rep;
++   Rep *p = new (/*tag*/ true, m - 1 - sizeof(Rep)) Rep;
+p->mem = m - 1 - sizeof(Rep); p->ref = 1; p->vulnerable = false;
+return p;
+ }
+--- a/tstring.h
 b/tstring.h
+@@ -71,9 +71,12 @@
+   
+   // static methods
+   // operator new for this class
+-  static void * operator new (size_t size, size_t tmem) {
++  // add a tag parameter to ensure that the signature of the delete operator does not collide with the (void*,size_t) overload
++  static void * operator new (size_t size, bool /*tag*/, size_t tmem) {
+ 	 return ::operator new (size + tmem + 1);}
+-  static void operator delete (void *p, size_t) {
++  static void operator delete (void *p, bool /*tag*/, size_t) {
++	 ::operator delete (p); }
++  static void operator delete (void *p) {
+ 	 ::operator delete (p); }
+   
+   // create a new representation
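Review bot: in the TExceptionM1 to TExceptionM4 macros in texception.h, message() now returns either the buffer allocated by asprintf() or the string literal "asprintf failure", so a caller cannot tell whether the returned pointer may be passed to free(). If no caller frees the result, the success path leaks the buffer and that is worth one line in the patch Description; if any caller does free it, the failure branch needs a heap-allocated copy rather than a literal. Checking `result != -1` before touching `buf` is the right order, since `buf` is not initialized when asprintf() fails.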
diff -Nru mp3check-0.8.7/debian/patches/series mp3check-0.8.7/debian/patches/series
--- mp3check-0.8.7/debian/patches/series	2018-12-22 18:33:01.0 -0500
+++ mp3check-0.8.7/debian/patches/series	2020-06-11 00:12:11.0 -0500
@@ -4,3 +4,4 @@
 30_hardening.patch
 40_bts726068_remove_truncated_last_frame.patch
 nostrip.patch
+60_bts925782_ftbfs_with_gcc_9.patch


Bug#976423: buster-pu: package pngcheck/2.3.0-7

2020-12-04 Thread David da Silva Polverari
Package: release.debian.org
Severity: important
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

A global buffer overflow vulnerability was found by Red Hat on
pngcheck-2.4.0 [1]. It was found and reported by the Debian Security
Team that the vulnerability also affects the versions found on the
Debian archive [2].

The bug was already fixed on unstable [2]. I have prepared a revision
for buster-security for pngcheck/2.3.0-7 with the backported changes
from unstable. The proposed update builds correctly on a minimal
up-to-date buster chroot.

I didn't coordinate with the security team, as the vulnerability is
marked "no-dsa" in the Debian Security Tracker [3].

If the update is deemed correct, I can make it available on mentors, and
open an RFS as I don't have uploading rights.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1902011
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976350
[3] https://security-tracker.debian.org/tracker/CVE-2020-27818

Regards,
Polverari
diff -Nru pngcheck-2.3.0/debian/changelog pngcheck-2.3.0/debian/changelog
--- pngcheck-2.3.0/debian/changelog 2013-06-26 09:28:27.0 +
+++ pngcheck-2.3.0/debian/changelog 2020-12-04 21:22:18.0 +
@@ -1,3 +1,10 @@
+pngcheck (2.3.0-7+deb10u1) buster-security; urgency=high
+
+  * debian/patches/60-fix-buffer-overflow.patch: added to fix CVE-2020-27818.
+Thanks to Salvatore Bonaccorso . (Closes: #976350)
+
+ -- David da Silva Polverari   Fri, 04 Dec 2020 
21:22:18 +
+
 pngcheck (2.3.0-7) unstable; urgency=low
 
   * debian/control
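Review bot: the new changelog entry names `buster-security` as the distribution, but this request is filed as a buster-pu against release.debian.org, and the message says the issue is marked no-dsa and was not coordinated with the security team. An upload meant for a stable point release should target `buster` in the line `pngcheck (2.3.0-7+deb10u1) ...; urgency=high`, since uploads to buster-security are handled by the security team.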
diff -Nru pngcheck-2.3.0/debian/patches/60-fix-buffer-overflow.patch 
pngcheck-2.3.0/debian/patches/60-fix-buffer-overflow.patch
--- pngcheck-2.3.0/debian/patches/60-fix-buffer-overflow.patch  1970-01-01 
00:00:00.0 +
+++ pngcheck-2.3.0/debian/patches/60-fix-buffer-overflow.patch  2020-12-04 
21:22:18.0 +
@@ -0,0 +1,26 @@
+Description: Fix buffer overflow reported in RHBZ #1897485.
+ When char is signed, casting to a (signed) int directly could produce a
+ negative offset into the ASCII lookup table; adding an intermediate cast to
+ uch (a typedef for unsigned char) ensures a nonnegative offset no greater than
+ 255, which always corresponds to a valid table index.
+Origin: vendor, 
https://src.fedoraproject.org/rpms/pngcheck/blob/cc48791e34201caf7b686084b735d06cef66c974/f/pngcheck-2.4.0-overflow-bz1897485.patch
+Bug-Debian: https://bugs.debian.org/976350
+Forwarded: no
+Reviewed-By: David da Silva Polverari 
+Last-Update: 2020-12-04
+
+--- a/pngcheck.c
 b/pngcheck.c
+@@ -4895,8 +4895,10 @@
+ /* GRR 20061203:  now EBCDIC-safe */
+ int check_chunk_name(char *chunk_name, char *fname)
+ {
+-  if (isASCIIalpha((int)chunk_name[0]) && isASCIIalpha((int)chunk_name[1]) &&
+-  isASCIIalpha((int)chunk_name[2]) && isASCIIalpha((int)chunk_name[3]))
++  if (isASCIIalpha((int)(uch)chunk_name[0]) &&
++  isASCIIalpha((int)(uch)chunk_name[1]) &&
++  isASCIIalpha((int)(uch)chunk_name[2]) &&
++  isASCIIalpha((int)(uch)chunk_name[3]))
+ return 0;
+ 
+   printf("%s%s  invalid chunk name \"%.*s\" (%02x %02x %02x %02x)\n",
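Review bot: the `(uch)` cast is added only at the four isASCIIalpha() calls in check_chunk_name(), so any other call that passes a plain `char` would keep the negative-offset behaviour the Description explains. Either state in the Description that these are the only such calls, or put the cast inside isASCIIalpha() so every caller is covered. The header would also be easier to track if it named CVE-2020-27818, which the changelog entry cites, alongside RHBZ #1897485.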
diff -Nru pngcheck-2.3.0/debian/patches/series 
pngcheck-2.3.0/debian/patches/series
--- pngcheck-2.3.0/debian/patches/series2013-06-26 09:28:27.0 
+
+++ pngcheck-2.3.0/debian/patches/series2020-12-04 21:22:18.0 
+
@@ -1,2 +1,3 @@
 10-pngsplit-format-strings.patch
 20-pngsplit-long-options.patch
+60-fix-buffer-overflow.patch


Bug#976371: RFS: pngcheck/2.3.0-13 -- print info and check PNG, JNG and MNG files

2020-12-04 Thread David da Silva Polverari
Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "pngcheck":

 * Package name: pngcheck
   Version : 2.3.0-13
   Upstream Author : Greg Roelofs , 
 * URL : http://www.libpng.org/pub/png/apps/pngcheck.html
 * License : GPL-2+, GPL-3+ or CC-BY-SA-3, Custom-MIT-like
 * Vcs : https://salsa.debian.org/debian/pngcheck
   Section : graphics

It builds those binary packages:

  pngcheck - print info and check PNG, JNG and MNG files

To access further information about this package, please visit the following 
URL:

  https://mentors.debian.net/package/pngcheck/

Alternatively, one can download the package with dget using this command:

  dget -x https://mentors.debian.net/debian/pool/main/p/pngcheck/pngcheck_2.3.0-13.dsc

Changes since the last upload:

 pngcheck (2.3.0-13) unstable; urgency=medium
 .
   * debian/patches/60-fix-buffer-overflow.patch: added to fix CVE-2020-27818.
     Thanks to Salvatore Bonaccorso. (Closes: #976350)

Regards,
--
  David da Silva Polverari



Bug#976350: pngcheck: CVE-2020-27818

2020-12-04 Thread David da Silva Polverari
Hi,

I have prepared a new Debian revision for the package on unstable,
containing the fix for the vulnerability. I uploaded it to mentors [1],
as I have no uploading rights to the archive, and opened an RFS [2].

Should I wait until the bug is closed on unstable before I prepare a
revision for stable? Debian Developer's Reference says so [3], but I was
not sure whether it was valid for security fixes too.

[1] https://mentors.debian.net/debian/pool/main/p/pngcheck/pngcheck_2.3.0-13.dsc
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976371
[3] https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions

Regards,
Polverari



Bug#1052063: regression: nvme drive not found after kernel upgrade from bookworm-security

2023-09-16 Thread David da Silva Polverari
Package: src:linux
Version: 6.1.52-1
Severity: important

Dear Maintainer(s),

After upgrading the kernel from linux-image-6.1.0-11-amd64 (6.1.38-4) to
linux-image-6.1.0-12-amd64 (6.1.52-1) from bookworm-security on my
laptop (a Dell XPS 9560), the kernel fails to find the nvme disk, making
it impossible for the initrd to decrypt the drive using LUKS, and as
such there are no boot messages. On the previous kernel it boots fine.
With the 6.1.0-12 kernel, dmesg shows the following:

[   42.074878] nvme nvme0: Does your device have a faulty power saving mode enabled?
[   42.074879] nvme nvme0: Try "nvme_core.default_ps_max_latency_us=0 pcie_aspm=off" and report a bug
[   42.120786] nvme :04:00.0: Unable to change power state from D3cold to D0, device inaccessible
[   42.121007] nvme nvme0: Removing after probe failure status: -19
[   42.136737] nvme0n1: detected capacity change from 1000215216 to 0

When I tried using the suggested parameters, I could boot, but soon
afterwards the system hung. I also tried some variations, as trying
either only nvm_core.default_ps_max_latency_us=0 or pcie_aspm=off, but
neither one worked.

I attached the dmesg output from the laptop into this email.

Regards,
David

Bug#1055261: ITP: openmrac-data -- split-screen multiplayer 3D racing game (data files)

2023-11-03 Thread David da Silva Polverari
Package: wnpp
Severity: wishlist
Owner: David da Silva Polverari 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: openmrac-data
  Version : 1.1
  Upstream Contact: Vojtěch Salajka 
* URL : https://github.com/Franticware/OpenMRac-data
* License : CC0
  Programming Lang: none (data files for openmrac)
  Description : split-screen multiplayer 3D racing game (data files)

 OpenMRac is an open-source release of FranticWare's MultiRacer. It is a
 multiplayer racing game that runs on Linux and Microsoft Windows.
 .
 It can be played in single player mode, running against oneself's "ghost" from
 previous lap, or in multi-player mode, in a vertical split screen against up
 to 3 other opponents.
 .
 OpenMRac is simpler than TORCS, although it offers better model reflections
 than the latter.
 .
 This package contains the data files for openmrac.

This package is a dependency for openmrac [1]. I plan to maintain it by
myself initially, but I will propose maintaining it inside the games
team in the future, with me as uploader.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017986



Bug#1052199: RM: pev -- ROM; renamed upstream; replaced by readpe

2023-09-18 Thread David da Silva Polverari
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: p...@packages.debian.org
Control: affects -1 + src:pev

Dear ftpmasters,

Please remove pev. It was renamed to readpe upstream[1][2], and readpe
is already packaged and is present in unstable [3]. Bugs were opened
against packages that build-depend (libz-mingw-w64) [4] and depend
(forensics-extra) [5] on pev.

readpe builds a dummy 'pev' transitional package to provide an upgrade
path for existing users.

[1] https://github.com/merces/pev
[2] https://github.com/mentebinaria/readpe/issues/182
[3] https://tracker.debian.org/pkg/readpe
[4] https://bugs.debian.org/1050056
[5] https://bugs.debian.org/1050055

Regards,

-- 
⢀⣴⠾⠻⢶⣦⠀ David da Silva Polverari 
⣾⠁⢠⠒⠀⣿⡁
⢿⡄⠘⠷⠚⠋⠀ Debian: The universal operating system
⠈⠳⣄




Bug#1052063: regression: nvme drive not found after kernel upgrade from bookworm-security

2023-09-18 Thread David da Silva Polverari
On Sat, Sep 16, 2023 at 11:15:42PM +0200, Salvatore Bonaccorso wrote:
> 
> Can you verify if it's this issue known upstream?
> 
> https://lore.kernel.org/regressions/5dhv0s.d0f751zf65...@gmail.com/
> 
Yes, it is the same issue. Sorry for taking too long to reply. I was
juggling with low partition space on my /boot to install an upstream
kernel on my laptop.

> Does reverting the mentioned patch fix the issue?
>
Yes, I checked v6.1.46 out from linux stable, built it, and tried to
boot. It presented the same problem as Debian's 6.1.0-12 (6.1.52-1).
After reverting commit 8ee39ec479147e29af704639f8e55fce246ed2d9 and
building it again, booting went fine.  Hope it helps.

Regards,
David



Bug#1050055: forensics-extra depends on pev

2023-08-18 Thread David da Silva Polverari
Source: forensics-extra
Version: 2.44
Severity: normal

Dear Maintainer(s),

Your package depends on pev, but it has been renamed to readpe due to
upstream changes.

readpe is still in experimental. I will wait 15 days before uploading it
to unstable. If you need more time, please let me know.

Regards,

David.



Bug#1050056: libz-mingw-w64 build-depends on pev

2023-08-18 Thread David da Silva Polverari
Source: libz-mingw-w64
Version: 1.2.13+dfsg-1
Severity: normal

Dear Maintainer(s),

Your package build-depends on pev, but it has been renamed to readpe due
to upstream changes.

readpe is still in experimental. I will wait 15 days before uploading it
to unstable. Please let me know if you need more time, or if you had any
problems with it. Any feedback/testing is appreciated.

Regards,

David.



Bug#1021278: pngcheck: CVE-2020-35511

2022-10-20 Thread David da Silva Polverari
Hi,

I adjusted the affected versions in the BTS, but I couldn't find any
patch for it. The reference to buffer overflows seems related to
CVE-2020-27818, so I wonder whether it is a duplicate or not.

If it is, it was already closed in [1].

[1] CVE-2020-27818

Regards,
David



Bug#1021278: pngcheck: CVE-2020-35511

2022-10-20 Thread David da Silva Polverari
Sorry, I made a mistake when trying to send the link to the closed bug
[1]. You can find the right link below.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976350

Regards,
David.



Bug#1021278: (no subject)

2022-12-15 Thread David da Silva Polverari
fixed 1021278 3.0.2-2
thanks



Bug#1034731: bullseye-pu: package pev/0.81-3

2023-04-22 Thread David da Silva Polverari
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: david.polver...@gmail.com

[ Reason ]
A Buffer Overflow vulnerability exists in Pev 0.81 via the pe_exports
function from exports.c. The array offsets_to_Names is dynamically
allocated on the stack using exp->NumberOfFunctions as its size.
However, the loop uses exp->NumberOfNames to iterate over it and set its
components value. Therefore, the loop code assumes that
exp->NumberOfFunctions is greater than ordinal at each iteration. This
can lead to arbitrary code execution.

[ Impact ]
If the update isn't approved, users of pev in stable might have their
systems compromised by opening a maliciously-crafted PE file.

[ Tests ]
(What automated or manual tests cover the affected code?)

[ Risks ]
The fix is trivial and should not present any risks. Also, the fix was
already applied upstream.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
The only change made to the package was the application of the existing
upstream patch.

[ Other info ]
No more info.
diff -Nru pev-0.81/debian/changelog pev-0.81/debian/changelog
--- pev-0.81/debian/changelog   2021-05-05 12:09:18.0 +
+++ pev-0.81/debian/changelog   2023-04-22 20:48:00.0 +
@@ -1,3 +1,11 @@
+pev (0.81-3+deb11u1) bullseye; urgency=medium
+
+  * debian/patches/0002-fix-bo-pe_exports.patch: created to fix a buffer
+overflow vulnerability present on libpe's pe_exports function
+(CVE-2021-45423). (Closes: #1034725)
+
+ -- David da Silva Polverari   Sat, 22 Apr 2023 
20:48:00 +
+
 pev (0.81-3) unstable; urgency=medium
 
   * QA upload.
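Review bot: the new changelog entry at the top of this hunk names the function and CVE-2021-45423 but not what the bug means for a user of the package. The [ Reason ] and [ Impact ] text of this request already says a crafted PE file can lead to arbitrary code execution; putting that sentence in the entry would let the stable release team and users judge the update from d/changelog alone.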
diff -Nru pev-0.81/debian/patches/0002-fix-bo-pe_exports.patch 
pev-0.81/debian/patches/0002-fix-bo-pe_exports.patch
--- pev-0.81/debian/patches/0002-fix-bo-pe_exports.patch1970-01-01 
00:00:00.0 +
+++ pev-0.81/debian/patches/0002-fix-bo-pe_exports.patch2023-04-22 
20:48:00.0 +
@@ -0,0 +1,28 @@
+Description: fix a buffer overflow vulnerability (CVE-2021-45423)
+ A Buffer Overflow vulnerability exists in Pev 0.81 via the pe_exports function
+ from exports.c. The array offsets_to_Names is dynamically allocated on the
+ stack using exp->NumberOfFunctions as its size. However, the loop uses
+ exp->NumberOfNames to iterate over it and set its components value. Therefore,
+ the loop code assumes that exp->NumberOfFunctions is greater than ordinal at
+ each iteration. This can lead to arbitrary code execution.
+Author: Saullo Carvalho Castelo Branco 
+Origin: upstream, 
https://github.com/merces/libpe/commit/5f44724e8fcdebf8a6b9fd009543c9dcfae4ea32
+Bug: https://github.com/merces/libpe/issues/35
+Bug-Debian: https://bugs.debian.org/1034725
+Applied-Upstream: 
https://github.com/merces/libpe/commit/5f44724e8fcdebf8a6b9fd009543c9dcfae4ea32
+Last-Update: 2023-04-22
+
+--- a/lib/libpe/exports.c
 b/lib/libpe/exports.c
+@@ -130,7 +130,10 @@
+ 
+   const uint32_t entry_name_rva = *entry_name_list;
+   const uint64_t entry_name_ofs = pe_rva2ofs(ctx, entry_name_rva);
+-  offsets_to_Names[ordinal] = entry_name_ofs;
++
++if (ordinal < exp->NumberOfFunctions) {
++offsets_to_Names[ordinal] = entry_name_ofs;
++}
+   }
+ 
+   //
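Review bot: the guard `if (ordinal < exp->NumberOfFunctions)` stops the out-of-bounds write, but per the patch description offsets_to_Names is still allocated on the stack with exp->NumberOfFunctions as its size, and nothing in this hunk bounds that value. Since both counters are read from the file being parsed, consider raising upstream a follow-up that caps NumberOfFunctions or moves the array to the heap with a checked allocation.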
diff -Nru pev-0.81/debian/patches/series pev-0.81/debian/patches/series
--- pev-0.81/debian/patches/series  2021-05-05 12:09:18.0 +
+++ pev-0.81/debian/patches/series  2023-04-22 20:48:00.0 +
@@ -1 +1,2 @@
 0001-widechar-off-by-one.patch
+0002-fix-bo-pe_exports.patch


Bug#1034813: unblock: pev/0.81-9

2023-04-24 Thread David da Silva Polverari
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: p...@packages.debian.org, david.polver...@gmail.com
Control: affects -1 + src:pev

Please unblock package pev

[ Reason ]
As per https://udd.debian.org/cgi-bin/key_packages.yaml.cgi, pev is
considered a key package. The version in testing (0.81-8) suffers from
an important bug (#1034725). As such, it will not be removed if the
fixed version doesn't migrate to testing.

[ Impact ]
If pev/0.81-9 does not migrate to testing, bookworm users will likely
install and use an exploitable version of pev at release. If used to
open a maliciously-crafted PE file, it might result in the compromise of
the user's machine. There is a link for a PoC video of exploitability of
the bug at the closed upstream issue [1].

[1] (https://github.com/merces/libpe/issues/35)

[ Tests ]
No existing automated or manual tests exercise the affected code.

[ Risks ]
The changes made to the package are trivial. The applied patch
originated from upstream, and its changes are minimal. There is more
risk in not applying the patch than doing it.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock pev/0.81-9
diff -Nru pev-0.81/debian/changelog pev-0.81/debian/changelog
--- pev-0.81/debian/changelog   2022-11-07 17:46:55.0 +
+++ pev-0.81/debian/changelog   2023-04-22 19:41:47.0 +
@@ -1,3 +1,17 @@
+pev (0.81-9) unstable; urgency=medium
+
+  [ Debian Janitor ]
+  * Use secure URI in Homepage field.
+  * Update standards version to 4.6.2, no changes needed.
+
+  [ David da Silva Polverari ]
+  * debian/copyright: updated packaging copyright years.
+  * debian/patches/0006-fix-bo-pe_exports.patch: created to fix a buffer
+overflow vulnerability present on libpe's pe_exports function
+(CVE-2021-45423). (Closes: #1034725)
+
+ -- David da Silva Polverari   Sat, 22 Apr 2023 
19:41:47 +
+
 pev (0.81-8) unstable; urgency=medium
 
   * debian/control: bumped Standards-Version to 4.6.1.
diff -Nru pev-0.81/debian/control pev-0.81/debian/control
--- pev-0.81/debian/control 2022-11-07 17:46:55.0 +
+++ pev-0.81/debian/control 2023-04-22 19:41:47.0 +
@@ -1,9 +1,9 @@
 Source: pev
 Maintainer: David da Silva Polverari 
-Homepage: http://pev.sourceforge.net
+Homepage: https://pev.sourceforge.net
 Section: utils
 Priority: optional
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
 Build-Depends: debhelper-compat (= 13), libssl-dev
 Rules-Requires-Root: no
 Vcs-Browser: https://salsa.debian.org/debian/pev
diff -Nru pev-0.81/debian/copyright pev-0.81/debian/copyright
--- pev-0.81/debian/copyright   2022-11-07 17:46:55.0 +
+++ pev-0.81/debian/copyright   2023-04-22 19:41:47.0 +
@@ -59,7 +59,7 @@
2016-2021 Petter Reinholdtsen 
2017  Adam Borowski 
2020  Adrian Bunk 
-   2021-2022 David da Silva Polverari 
+   2021-2023 David da Silva Polverari 
2021  Jelmer Vernooij 
 License: BSD-3-Clause
 
diff -Nru pev-0.81/debian/patches/0006-fix-bo-pe_exports.patch 
pev-0.81/debian/patches/0006-fix-bo-pe_exports.patch
--- pev-0.81/debian/patches/0006-fix-bo-pe_exports.patch1970-01-01 
00:00:00.0 +
+++ pev-0.81/debian/patches/0006-fix-bo-pe_exports.patch2023-04-22 
19:41:47.0 +
@@ -0,0 +1,28 @@
+Description: fix a buffer overflow vulnerability (CVE-2021-45423)
+ A Buffer Overflow vulnerability exists in Pev 0.81 via the pe_exports function
+ from exports.c. The array offsets_to_Names is dynamically allocated on the
+ stack using exp->NumberOfFunctions as its size. However, the loop uses
+ exp->NumberOfNames to iterate over it and set its components value. Therefore,
+ the loop code assumes that exp->NumberOfFunctions is greater than ordinal at
+ each iteration. This can lead to arbitrary code execution.
+Author: Saullo Carvalho Castelo Branco 
+Origin: upstream, 
https://github.com/merces/libpe/commit/5f44724e8fcdebf8a6b9fd009543c9dcfae4ea32
+Bug: https://github.com/merces/libpe/issues/35
+Bug-Debian: https://bugs.debian.org/1034725
+Applied-Upstream: 
https://github.com/merces/libpe/commit/5f44724e8fcdebf8a6b9fd009543c9dcfae4ea32
+Last-Update: 2023-04-22
+
+--- pev-0.81.orig/lib/libpe/exports.c
 pev-0.81/lib/libpe/exports.c
+@@ -130,7 +130,10 @@ pe_exports_t *pe_exports(pe_ctx_t *ctx)
+ 
+   const uint32_t entry_name_rva = *entry_name_list;
+   const uint64_t entry_name_ofs = pe_rva2ofs(ctx, entry_name_rva);
+-  offsets_to_Names[ordinal] = entry_name_ofs;
++
++if (ordinal < exp->NumberOfFunctions) {
++offsets_to_Names[ordinal] = entry_name_ofs;
++}
+   }
+ 
+   //
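Review bot: entries whose ordinal fails `ordinal < exp->NumberOfFunctions` are now skipped without any diagnostic, and the [ Tests ] section of this request states that no automated or manual test exercises the affected code. A regression test that parses an export directory where NumberOfNames is larger than NumberOfFunctions and checks that parsing completes, ideally built with AddressSanitizer, would keep the fix from regressing silently.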
diff -Nru pev-0.81/debian/patches/series pev-0.81/debian/patches/series
--- 

Bug#1034736: bullseye-pu: package pev/0.81-3+deb11u1

2023-04-22 Thread David da Silva Polverari
Package: release.debian.org
Severity: important
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: david.polver...@gmail.com

[ Reason ]
A buffer overflow vulnerability exists in Pev 0.81 via the pe_exports
function from exports.c. The array offsets_to_Names is dynamically
allocated on the stack using exp->NumberOfFunctions as its size.
However, the loop uses exp->NumberOfNames to iterate over it and set its
components value. Therefore, the loop code assumes that
exp->NumberOfFunctions is greater than ordinal at each iteration. This
can lead to arbitrary code execution.

[ Impact ]
If the update isn't approved, users of pev in stable might have their
systems compromised by opening a maliciously-crafted PE file.

[ Tests ]
None of the existing autopkgtests fail.

[ Risks ]
The fix is trivial and should not present any risks. Also, the fix was
already applied upstream.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
The only change made to the package was the application of the existing
upstream patch.

[ Other info ]
No other information.
diff -Nru pev-0.81/debian/changelog pev-0.81/debian/changelog
--- pev-0.81/debian/changelog   2021-05-05 12:09:18.0 +
+++ pev-0.81/debian/changelog   2023-04-22 20:48:00.0 +
@@ -1,3 +1,12 @@
+pev (0.81-3+deb11u1) bullseye; urgency=medium
+
+  * debian/patches/0002-fix-bo-pe_exports.patch: created to fix a buffer
+overflow vulnerability present on libpe's pe_exports function from 
exports.c
+(CVE-2021-45423). Without this patch, a maliciously-crafted PE file opened
+by pev utilities can trigger arbitrary code execution. (Closes: #1034725)
+
+ -- David da Silva Polverari   Sat, 22 Apr 2023 
20:48:00 +
+
 pev (0.81-3) unstable; urgency=medium
 
   * QA upload.
diff -Nru pev-0.81/debian/patches/0002-fix-bo-pe_exports.patch 
pev-0.81/debian/patches/0002-fix-bo-pe_exports.patch
--- pev-0.81/debian/patches/0002-fix-bo-pe_exports.patch1970-01-01 
00:00:00.0 +
+++ pev-0.81/debian/patches/0002-fix-bo-pe_exports.patch2023-04-22 
20:48:00.0 +
@@ -0,0 +1,28 @@
+Description: fix a buffer overflow vulnerability (CVE-2021-45423)
+ A Buffer Overflow vulnerability exists in Pev 0.81 via the pe_exports function
+ from exports.c. The array offsets_to_Names is dynamically allocated on the
+ stack using exp->NumberOfFunctions as its size. However, the loop uses
+ exp->NumberOfNames to iterate over it and set its components value. Therefore,
+ the loop code assumes that exp->NumberOfFunctions is greater than ordinal at
+ each iteration. This can lead to arbitrary code execution.
+Author: Saullo Carvalho Castelo Branco 
+Origin: upstream, 
https://github.com/merces/libpe/commit/5f44724e8fcdebf8a6b9fd009543c9dcfae4ea32
+Bug: https://github.com/merces/libpe/issues/35
+Bug-Debian: https://bugs.debian.org/1034725
+Applied-Upstream: 
https://github.com/merces/libpe/commit/5f44724e8fcdebf8a6b9fd009543c9dcfae4ea32
+Last-Update: 2023-04-22
+
+--- a/lib/libpe/exports.c
 b/lib/libpe/exports.c
+@@ -130,7 +130,10 @@
+ 
+   const uint32_t entry_name_rva = *entry_name_list;
+   const uint64_t entry_name_ofs = pe_rva2ofs(ctx, entry_name_rva);
+-  offsets_to_Names[ordinal] = entry_name_ofs;
++
++if (ordinal < exp->NumberOfFunctions) {
++offsets_to_Names[ordinal] = entry_name_ofs;
++}
+   }
+ 
+   //
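Review bot: the added `if (ordinal < exp->NumberOfFunctions)` block carries no comment in the source, so the reason for the check lives only in this DEP-3 header. A one-line comment above the guard saying that NumberOfNames and the ordinals come from the file and may exceed NumberOfFunctions would keep a later cleanup from removing it as redundant.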
diff -Nru pev-0.81/debian/patches/series pev-0.81/debian/patches/series
--- pev-0.81/debian/patches/series  2021-05-05 12:09:18.0 +
+++ pev-0.81/debian/patches/series  2023-04-22 20:48:00.0 +
@@ -1 +1,2 @@
 0001-widechar-off-by-one.patch
+0002-fix-bo-pe_exports.patch
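
The size/bound mismatch described in the [ Reason ] text of the pev update requests above (array sized by NumberOfFunctions, loop bounded by NumberOfNames), as an added C example that is not code from libpe or from this thread. It goes beyond the one-line guard by also bounding both counters; the struct, the function names, the 65536 cap and the sample tables are assumptions constructed for illustration.

```c
/* Added illustration: all names below are hypothetical, not libpe's API. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The two export-directory counters that the advisory text names. */
typedef struct {
    uint32_t NumberOfFunctions;   /* sizes the offsets array */
    uint32_t NumberOfNames;       /* bounds the loop that fills it */
} export_counts_t;

typedef struct {
    uint64_t *offsets_to_names;   /* NumberOfFunctions slots, 0 = no name */
    uint32_t  slots;
    uint32_t  rejected;           /* names whose ordinal was out of range */
} name_map_t;

/* Assumed cap: name ordinals are 16-bit, so no more slots are reachable. */
#define MAX_EXPORT_SLOTS 65536u

/*
 * Build the ordinal -> name-offset table.
 * ordinals/offsets are the per-name tables; table_len is how many entries
 * the caller has verified are really present in the mapped file.
 * Returns 0 on success, -1 if the header counts cannot be trusted.
 */
int build_name_map(const export_counts_t *exp,
                   const uint16_t *ordinals, const uint64_t *offsets,
                   uint32_t table_len, name_map_t *out)
{
    out->offsets_to_names = NULL;
    out->slots = 0;
    out->rejected = 0;

    /* Both counters are file-controlled: bound them before using them. */
    if (exp->NumberOfFunctions > MAX_EXPORT_SLOTS)
        return -1;
    if (exp->NumberOfNames > table_len)
        return -1;

    /* Heap allocation with a checked result instead of a stack array. */
    if (exp->NumberOfFunctions > 0) {
        out->offsets_to_names = calloc(exp->NumberOfFunctions, sizeof(uint64_t));
        if (out->offsets_to_names == NULL)
            return -1;
    }
    out->slots = exp->NumberOfFunctions;

    for (uint32_t i = 0; i < exp->NumberOfNames; i++) {
        uint32_t ordinal = ordinals[i];
        /* Same condition as the patch, but the skipped entry is counted. */
        if (ordinal >= out->slots) {
            out->rejected++;
            continue;
        }
        out->offsets_to_names[ordinal] = offsets[i];
    }
    return 0;
}

void free_name_map(name_map_t *m)
{
    free(m->offsets_to_names);
    m->offsets_to_names = NULL;
    m->slots = 0;
}

/* Constructed sample tables: four names, two of them with bad ordinals
 * when the header claims only two functions. */
static const uint16_t SAMPLE_ORDINALS[4] = { 0, 1, 5, 300 };
static const uint64_t SAMPLE_OFFSETS[4]  = { 0x400, 0x410, 0x420, 0x430 };

int run_sample(uint32_t n_functions, uint32_t n_names, name_map_t *out)
{
    export_counts_t exp = { n_functions, n_names };
    return build_name_map(&exp, SAMPLE_ORDINALS, SAMPLE_OFFSETS, 4, out);
}

int main(void)
{
    name_map_t m;
    if (run_sample(2, 4, &m) == 0) {
        printf("slots=%u rejected=%u\n", (unsigned)m.slots, (unsigned)m.rejected);
        free_name_map(&m);
    }
    return 0;
}
```

A non-zero `rejected` count is a cheap signal that the file is malformed and worth flagging to the analyst rather than parsing silently.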


Bug#1040810: ITP: readpe -- command-line tools to manipulate Windows PE files

2023-07-10 Thread David da Silva Polverari
Package: wnpp
Severity: wishlist
Owner: David da Silva Polverari 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: readpe
  Version : 0.82
  Upstream Contact: https://github.com/mentebinaria/readpe/issues
* URL : https://github.com/mentebinaria/readpe
* License : GPL-2+ with OpenSSL Exception
  Programming Lang: C
  Description : command-line tools to manipulate Windows PE files

readpe is a toolkit designed to analyze Microsoft Windows PE (Portable
Executable) binary files.  Its tools can parse and compare PE32/PE32+
executable files (EXE, DLL, OCX, etc), and analyze them in search of
suspicious characteristics.

It can be used to get information from those executable files, such as
headers, sections, resources and more. It also provides tools to disassemble
PE files and determine their security mitigations.  It is useful for
application security research, digital forensics and incident response, and
malware analysis.

It is similar to elftools, only designed for PE files. It has more features
than other more specific PE tools, such as icoextract or ntldd.

This package provides the ofs2rva, pedis, pehash, peldd, pepack, peres,
pescan, pesec, pestr, readpe and rva2ofs commands.

This package is a newer version of the pev package (already maintained
in Debian by me), as upstream renamed it to readpe. I plan to maintain
it inside the pkg-security team umbrella.



Bug#1043043: UDD patches: marks Forwarded as invalid if not 'no', 'not-needed', 'yes' or URL

2023-08-04 Thread David da Silva Polverari
Package: qa.debian.org
Severity: normal
User: qa.debian@packages.debian.org
Usertags: udd

Hi,

When using https://udd.debian.org/patches.cgi, I notice that whenever
the Forwarded field contains anything other than "no", "not-needed",
"yes" or a URL, it gets marked as invalid.

That includes cases where it begins with "yes", but is complemented with
other data, as can be seen by contrasting a search on Debian Sources
about those packages [1] with their respective patch metadata status on
UDD.

In its current form, patches.cgi marks as invalid patches that include
useful information on the Forwarded field, such as the mail address to
which the patch was forwarded, when upstream doesn't have a public
mailing list archive or a web pull/merge request tracker, for example.

According to DEP-3 [2], if the Forwarded field is present, any other
value other than "no" or "not-needed" should be considered valid:

  Any value other than "no" or "not-needed" means that the patch has
  been forwarded upstream. Ideally the value is an URL proving that it
  has been forwarded and where one can find more information about its
  inclusion status.

As such, I think it would be interesting to either propose changes to
DEP-3 or to adhere more closely to it.

Thanks,
David

[1] 
https://codesearch.debian.net/search?q=file%3Adebian%2Fpatches%2F*.patch+Forwarded%3A+yes+.%2B=0
[2] https://dep-team.pages.debian.net/deps/dep3/



Bug#244289: xball: Package includes non-free source code.

2023-07-26 Thread David da Silva Polverari
I unarchived this bug as the package still contains the source file
act_area.c with the same non-free license.

I marked it as found in xball/3.0-12 because it was the earliest version
I was able to dig on debsnaps. As such, I couldn't pinpoint the exact
version between that and 3.0-5 in which the file was reintroduced.

-- 
⢀⣴⠾⠻⢶⣦⠀ David da Silva Polverari 
⣾⠁⢠⠒⠀⣿⡁
⢿⡄⠘⠷⠚⠋⠀ Debian: The universal operating system
⠈⠳⣄



Bug#1063185: readpe: NMU diff for 64-bit time_t transition

2024-02-10 Thread David da Silva Polverari
Dear Steve,

First of all, thanks for your report and for the work on the transition!

After having a look at [1] and [2], I found the only reported problem
was due to the usage of a pointer to the pe_ctx structure (typedef'ed as
pe_ctx_t) [3] as the first parameter of the exported functions from
libpe, as its map_size field is of type off_t ("Base type has been
changed from long to long long. Recompilation of a client program may be
broken.").

The output of `apt rdepends libpe1` shows that only the binaries built
by readpe depend on it. Besides, within readpe itself, there is only one
mention of accessing the map_size field directly outside of libpe, and
it is commented out [4].

That said, I am not sure that including readpe in the transition will be
necessary, but maybe I have overlooked something. But I thought I should
add this information here.

[1] 
https://adrien.dcln.fr/misc/armhf-time_t/2024-02-01T09:53:00/compat_reports/libpe-dev/base_to_lfs/compat_report.html
[2] 
https://adrien.dcln.fr/misc/armhf-time_t/2024-02-01T09:53:00/compat_reports/libpe-dev/lfs_to_time_t/compat_report.html
[3] 
https://salsa.debian.org/pkg-security-team/readpe/-/blob/debian/master/lib/libpe/include/libpe/context.h?ref_type=heads#L72
[4] 
https://salsa.debian.org/pkg-security-team/readpe/-/blob/debian/master/src/pescan.c?ref_type=heads#L372

Regards,

-- 
⢀⣴⠾⠻⢶⣦⠀ David da Silva Polverari 
⣾⠁⢠⠒⠀⣿⡁
⢿⡄⠘⠷⠚⠋⠀ Debian: The universal operating system
⠈⠳⣄



Bug#1063747: ITP: voacapl -- HF circuit prediction engine

2024-02-11 Thread David da Silva Polverari
Package: wnpp
Severity: wishlist
Owner: David da Silva Polverari 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: voacapl
  Version : 0.7.6
  Upstream Contact: James Watson 
* URL : https://github.com/jawatson/voacapl
* License : special (public domain), CC0-1.0 and GPL-3+ parts
  Programming Lang: Fortran
  Description : HF circuit prediction engine
   voacapl is an implementation of VOACAP, the NTIA/ITS professional HF (high
   frequency) propagation prediction program, originally developed for Voice of
   America (VOA). It reads input files in the standard VOACAP format and writes
   point-to-point or area prediction data to an output file (or files).
   .
   voacapl helps amateur radio operators ("hams") predict point-to-point path
   loss and coverage of a given transceiver if given as inputs the transmitting
   and receiving antennas, solar weather, and time/date.
   .
   The suggested pythonprop package provides a graphical interface for voacapl,
   accepting inputs as fields and plotting the results as graphics.

VOACAP (Voice of America Coverage Analysis Program) is a modified
version of IONCAP (Ionospheric Communication Analysis and Prediction
Program), developed for use by Voice Of America (VOA).

Originally, IONCAP was developed by the National Telecommunications and
Information Administration (NTIA), being a model that has been under
development by the U.S. Government since 1942. The strength of the model
is that it uses world maps of ionospheric parameters to construct the
ionospheric path and uses path-specific statistics to evaluate the
system performance factors.

IONCAP was selected by the VOA in 1985 because it provided the system
performance analysis capability they needed for design specifications
and it had a proven track record.

VOACAP's enhanced model is used worldwide to predict HF point-to-point
or area data. It is often used on Microsoft Windows, distributed inside
the HFWIN32 suite [1], where it is called VOACAPW.

There is a shortage of HF prediction packages on Debian. In the past, I
had to resort to using Windows machines to make HF predictions. Thus, I
intend to package voacapl, along with its companion GUI, pythonprop,
which depends on it.

Initially, I plan to package it by myself, and I will propose including
it in the Debian Hamradio Team. I don't need a sponsor. I have already
packaged them both, and just need to make some minor adjustments.

[1] http://www.greg-hand.com/hfwin32.html

-- 
⢀⣴⠾⠻⢶⣦⠀ David da Silva Polverari 
⣾⠁⢠⠒⠀⣿⡁
⢿⡄⠘⠷⠚⠋⠀ Debian: The universal operating system
⠈⠳⣄



Bug#1063748: ITP: pythonprop -- graphical interface to the VOACAP HF propagation engine

2024-02-11 Thread David da Silva Polverari
Package: wnpp
Severity: wishlist
Owner: David da Silva Polverari 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: pythonprop
  Version : 0.30.1
  Upstream Contact: James Watson 
* URL : https://github.com/jawatson/pythonprop
* License : GPL-2+
  Programming Lang: Python3
  Description : graphical interface to the VOACAP HF propagation engine
   pythonprop is a collection of Python 3 scripts designed to create VOACAP
   input (.dat) files and plot the resulting predictions.
   .
   It can be used either in point-to-point (P2P) mode, to produce HF (High
   Frequency) propagation predictions between two fixed locations, or in area
   mode, to produce HF propagation plots over a user-defined area from a fixed
   transmit site.
   .
   This package provides the voacapgui, voaP2PPlot and voaAreaPlot scripts. It is
   useful for making HF (High Frequency) circuit prediction for amateur radio
   ("ham radio") operators.

This package provides a GUI for the voacapl package [1]. I plan to
maintain it by myself initially, later proposing to include it on the
Debian Hamradio Team. I don't need a sponsor.

[1] https://bugs.debian.org/1063747

-- 
⢀⣴⠾⠻⢶⣦⠀ David da Silva Polverari 
⣾⠁⢠⠒⠀⣿⡁
⢿⡄⠘⠷⠚⠋⠀ Debian: The universal operating system
⠈⠳⣄



Bug#1061774: nmu: pngcheck_3.0.3-1

2024-01-29 Thread David da Silva Polverari
On Mon, Jan 29, 2024 at 04:45:59PM +0100, Filip Hroch wrote:
> Dear Release Team,
> 
> may I ask you to rebuild pngcheck package against to
> the current version of zlib?
> 
> I'm maintainer of fitspng package having bug #1059970,
> and I found that the bug is not related on fitspng itself.
> Actually, it is caused by pngcheck during CI tests
> verification. The current binary of pngcheck is compiled
> against an old zlib yet, and needs a recompilation.
> 
In my opinion, there is no need for a rebuild. This is just a warning
that upstream deemed useful to include on the program. If tests are
failing because of that, I believe that fitspng tests are the ones that
should be updated to take that behaviour into account (using
allow-stderr and grepping for the 'OK', for example). If zlib's SONAME
hasn't changed, there's no need to link against a newer version.

Regards,
David