Bug#893184: artemis FTBFS with openjdk-9

2018-08-14 Thread Markus Koschany
Hi,

Am 13.08.2018 um 13:23 schrieb Andreas Tille:
[...]
> I tried hard to add junit4.jar to the classpath but my attempts failed.
> It should be done in the latest quilt patch in test/build-test.xml but
> I have no idea how to use it properly (I actually think all *.jar in
> /usr/share/java are in classpath but it just does not work),
> 
> Any help would be welcome
> 
>   Andreas.

I pushed some changes and the tests build now. You might want to
investigate some of the test failures though, they could be related to
the missing libjacoco-java.

Strangely the fix-tests.patch was missing although it was referenced in
the series file. I updated the test-classpath.patch and set src.lib.dir
to /usr/share/java everywhere and I also disabled three tests that were
failing since we use OpenJDK 10 and not 8 as upstream expects it.

Regards,

Markus



signature.asc
Description: OpenPGP digital signature


Bug#893302: Bug #893302 in lwjgl marked as pending

2018-07-28 Thread Markus Koschany
Control: tag -1 pending

Hello,

Bug #893302 in lwjgl reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/java-team/lwjgl/commit/4030be2589db71f39734416810dc6f40fc6b6403


Build-depend on OpenJDK 8 to work around the FTBFS with later versions.

Closes: #893302



(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/893302



Bug#897885: wbar: ftbfs with GCC-8

2018-07-19 Thread Markus Koschany
On Tue, 17 Jul 2018 22:18:57 +0300 Juhani Numminen
 wrote:

[...]
> Ah, it is the lovely -Werror.
> 
> It seems that gcc-8 build succeeds when I add this line in debian/rules:
> 
>   export DEB_CXXFLAGS_MAINT_APPEND = -Wno-error

I think this is sensible here. I will update the package as soon as my
GPG key has been updated in Debian's keyring.

Regards,

Markus





Bug#903916: undertow: Keep it out of Buster

2018-07-16 Thread Markus Koschany
Source: undertow
Version: 1.4.25-1
Severity: serious

I am filing this bug report to prevent the migration of undertow to
testing and subsequently being part of the next stable release Debian
10, "Buster". This was also briefly discussed with the Security Team.

Reasons:

 - Undertow is regularly affected by security vulnerabilities but
   upstream often does not provide enough information to fix the issue
   with a targeted patch. Sometimes additional information is not
   public or is only disclosed weeks and months later. I have filed a bug
   report and suggested improving the communication policy but so far
   nothing has happened.

 - Undertow has no reverse-dependencies besides syncany in
   experimental.

Once Buster is released this bug report can be closed again and
hopefully the situation has improved by then.

Markus



Bug#893312: Bug #893312 in lombok marked as pending

2018-07-08 Thread Markus Koschany
Control: tag -1 pending

Hello,

Bug #893312 in lombok reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/java-team/lombok/commit/dbd082afe68332f6cabd879221af84282c61d597


Import Debian changes 1.16.18+ds-3

lombok (1.16.18+ds-3) unstable; urgency=medium

  * Team upload.
  * Switch to compat level 11.
  * Use https for Format field.
  * Declare compliance with Debian Policy 4.1.5.
  * Switch to OpenJDK 8 again and work around the FTBFS with later versions to
buy more time for a proper fix. (Closes: #893312)
  * Build-depend on libosgi-core-java to fix a FTBFS.

lombok (1.16.18+ds-2) unstable; urgency=medium

  * Team upload.
  * Upload to unstable after testing r-deps.  (Closes: #872189)

lombok (1.16.18+ds-1) experimental; urgency=medium

  * Team upload.
  * New upstream release.
  * Refresh patches for new upstream version
  * Update debian/rules for new upstream version
  * Disable logic of non-javadoc targets in buildScripts/website.ant.xml
  * Use debhelper and compat level 10

lombok (1.16.8+ds-2) unstable; urgency=medium

  * Team upload.
  * Drop liblombok-java.jlibs and use maven-repo-helper to install
jars into /usr/share/java and to reduce the duplication.
  * Declare compliance with Debian Policy 3.9.8.

lombok (1.16.8+ds-1) unstable; urgency=medium

  * Team upload.
  * Imported Upstream version 1.16.8+ds.
  * Switch B-D libasm4-java to libasm-java.
  * Remove B-D ivy.
  * Add new build-dependency libecj-java but do not include it in lombok.jar.
  * Update debian/copyright for new release. The GPL-2 licensed class is gone.
  * Ensure that lombok can be built twice in a row.

lombok (1.16.6+ds-3) unstable; urgency=medium

  * Team upload.
  * Make the build reproducible by adding addtionalparam="-notimestamp"
back to the build.
  * Do not create lombok.version.properties file in debian directory.
  * Set lombok.version to 1.16.6 explicitly.

lombok (1.16.6+ds-2) unstable; urgency=medium

  * debian/rules: Remove maven-repo-helper.jar from runtime path and do not
include those class files into lombok.jar.

lombok (1.16.6+ds-1) unstable; urgency=medium

  * Team upload.
  * Add javac.patch and fix compilation error with OpenJDK 8. (Closes: #814764)
  * Add build.patch. Use upstream's build.xml file but prevent the build system
from downloading anything from the web.
  * Drop debian/build-xml.
  * Add javadoc.patch and fix compilation error when building the
documentation. Thus the -doc package will not be empty anymore.
  * Replace liblombok-java-doc.javadoc with liblombok-java-doc.install.
  * Remove debian/links file.
  * Fix debian/watch and do not use githubredir anymore. It is obsolete.
  * Simplify get-orig-source target and use Files-Excluded mechanism.
  * Repack the tarball and remove superfluous dll files.
  * Update the package description of liblombok-java because the package is
complete now.
  * Add ivyplusplus and liblombok-patcher-java to Build-Depends.
  * Ensure that cmdreader, lombok-patcher and ASM are injected into lombok.jar.
  * Install maven artifacts into local maven-repo. Build with
maven_repo_helper.

lombok (1.16.6-1) unstable; urgency=low

  * Initial release. (Closes: #807816)

lombok (0.11.6-1) UNRELEASED; urgency=low

  * Initial work



(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/893312



Bug#897533: Bug #897533 in sunflow marked as pending

2018-07-03 Thread Markus Koschany
Control: tag -1 pending

Hello,

Bug #897533 in sunflow reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/java-team/sunflow/commit/a714f09cb61abb13f7ccdda24d91e903cb6ea57e


Don't convert svg icon into xpm or png format. Install the svg icon

into hicolor icon directory and use that as our preferred desktop icon.

Closes: #897533



(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/897533



Bug#902774: jetty9: CVE-2017-7656 CVE-2017-7657 CVE-2017-7658 CVE-2018-12536 CVE-2018-12538

2018-06-30 Thread Markus Koschany
Package: jetty9
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for jetty9.

CVE-2017-7656[0]:
| In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all
| configurations), and 9.4.x (non-default configuration with RFC2616
| compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style
| request line (i.e. method space URI space version) that declares a
| version of HTTP/0.9 was accepted and treated as a 0.9 request. If
| deployed behind an intermediary that also accepted and passed through
| the 0.9 version (but did not act on it), then the response sent could
| be interpreted by the intermediary as HTTP/1 headers. This could be
| used to poison the cache if the server allowed the origin client to
| generate arbitrary content in the response.

CVE-2017-7657[1]:
| In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all
| configurations), and 9.4.x (non-default configuration with RFC2616
| compliance enabled), transfer-encoding chunks are handled poorly. The
| chunk length parsing was vulnerable to an integer overflow. Thus a
| large chunk size could be interpreted as a smaller chunk size and
| content sent as chunk body could be interpreted as a pipelined
| request. If Jetty was deployed behind an intermediary that imposed
| some authorization and that intermediary allowed arbitrarily large
| chunks to be passed on unchanged, then this flaw could be used to
| bypass the authorization imposed by the intermediary as the fake
| pipelined request would not be interpreted by the intermediary as a
| request.

CVE-2017-7658[2]:
| In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non
| HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations),
| when presented with two content-lengths headers, Jetty ignored the
| second. When presented with a content-length and a chunked encoding
| header, the content-length was ignored (as per RFC 2616). If an
| intermediary decided on the shorter length, but still passed on the
| longer body, then body content could be interpreted by Jetty as a
| pipelined request. If the intermediary was imposing authorization, the
| fake pipelined request would bypass that authorization.

CVE-2018-12536[3]:
| In Eclipse Jetty Server, all 9.x versions, on webapps deployed using
| default Error Handling, when an intentionally bad query arrives that
| doesn't match a dynamic url-pattern, and is eventually handled by the
| DefaultServlet's static file serving, the bad characters can trigger a
| java.nio.file.InvalidPathException which includes the full path to the
| base resource directory that the DefaultServlet and/or webapp is
| using. If this InvalidPathException is then handled by the default
| Error Handler, the InvalidPathException message is included in the
| error response, revealing the full server path to the requesting
| system.

CVE-2018-12538[4]:
| In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional
| Jetty provided FileSessionDataStore for persistent storage of
| HttpSession details, it is possible for a malicious user to
| access/hijack other HttpSessions and even delete unmatched
| HttpSessions present in the FileSystem's storage for the
| FileSessionDataStore.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7656
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7656
[1] https://security-tracker.debian.org/tracker/CVE-2017-7657
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7657
[2] https://security-tracker.debian.org/tracker/CVE-2017-7658
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7658
[3] https://security-tracker.debian.org/tracker/CVE-2018-12536
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12536
[4] https://security-tracker.debian.org/tracker/CVE-2018-12538
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12538

Please adjust the affected versions in the BTS as needed.

Markus



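The three framing issues above (CVE-2017-7656, -7657 and -7658) share one root: a message boundary that two parsers can read differently. As an added illustration, not Jetty's code and not part of this bug report, the following Python validator rejects each ambiguity outright instead of resolving it silently; the sample requests and the 31-bit chunk-size cap are constructed assumptions.

```python
"""Strict HTTP/1.x request framing checks (added example, not Jetty code).

Rejects: an HTTP/0.9 version on an HTTP/1-style request line
(CVE-2017-7656), a chunk size that could wrap a fixed-width integer
(CVE-2017-7657), and duplicate or conflicting body-length headers
(CVE-2017-7658). The chunk-size cap mirrors an assumed signed 32-bit field."""

import re

CHUNK_SIZE_MAX = 0x7FFFFFFF            # assumed limit of a signed 32-bit length
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")
CHUNK_SIZE = re.compile(r"^[0-9A-Fa-f]{1,8}$")  # bound digits before converting

class FramingError(ValueError):
    """The message boundary cannot be determined unambiguously."""

def parse_request_line(line):
    """Accept HTTP/1.0 and HTTP/1.1 only; never downgrade to 0.9 handling."""
    m = REQUEST_LINE.match(line)
    if not m:
        raise FramingError("malformed request line: %r" % line)
    method, target, major, minor = m.groups()
    if (major, minor) not in (("1", "0"), ("1", "1")):
        raise FramingError("unsupported version HTTP/%s.%s" % (major, minor))
    return method, target

def parse_chunk_size(line):
    """Parse one chunk-size line ('1a;ext=1' -> 26). The digit count is
    limited before int() runs, and the value is compared, never truncated."""
    size_text = line.split(";", 1)[0].strip()    # drop chunk extensions
    if not CHUNK_SIZE.match(size_text):
        raise FramingError("bad chunk size: %r" % size_text)
    size = int(size_text, 16)
    if size > CHUNK_SIZE_MAX:
        raise FramingError("chunk size %d exceeds limit" % size)
    return size

def body_framing(headers):
    """Return ('chunked', None) or ('length', n) from (name, value) pairs.
    Any combination two parsers could read differently is an error."""
    cl = [v.strip() for n, v in headers if n.lower() == "content-length"]
    te = [v.strip() for n, v in headers if n.lower() == "transfer-encoding"]
    if cl and te:
        raise FramingError("Content-Length and Transfer-Encoding both present")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            raise FramingError("final transfer-coding is not chunked")
        return ("chunked", None)
    if len(set(cl)) > 1:
        raise FramingError("conflicting Content-Length values: %r" % cl)
    if cl:
        if not cl[0].isdigit():
            raise FramingError("non-numeric Content-Length: %r" % cl[0])
        return ("length", int(cl[0]))
    return ("length", 0)

def check_request(raw):
    """Validate one raw request's head; returns 'ok: ...' or 'reject: ...'."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    try:
        parse_request_line(lines[0])
        headers = []
        for h in lines[1:]:
            name, sep, value = h.partition(":")
            # whitespace before the colon is honoured by some parsers only
            if not sep or not name or name != name.strip():
                raise FramingError("malformed header line: %r" % h)
            headers.append((name, value))
        kind, length = body_framing(headers)
        if kind == "chunked":
            length = parse_chunk_size(body.split("\r\n", 1)[0])
        return "ok: %s %d" % (kind, length)
    except FramingError as e:
        return "reject: %s" % e

# Constructed sample requests, not captured traffic.
SAMPLES = {
    "clean": "POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n\r\nhello",
    "http09_version": "GET /a HTTP/0.9\r\nHost: x\r\n\r\n",
    "dup_content_length": ("POST /a HTTP/1.1\r\nContent-Length: 5\r\n"
                           "Content-Length: 30\r\n\r\n"),
    "cl_and_te": ("POST /a HTTP/1.1\r\nContent-Length: 4\r\n"
                  "Transfer-Encoding: chunked\r\n\r\n"),
    "chunk_overflow": ("POST /a HTTP/1.1\r\nTransfer-Encoding: chunked\r\n"
                       "\r\nFFFFFFFF\r\n"),
}

def verdicts():
    """Run every sample through check_request, keyed by sample name."""
    return {name: check_request(req) for name, req in SAMPLES.items()}
```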


Bug#897494: ditaa: FTBFS: src/org/stathissideris/ascii2image/core/JavadocTaglet.java:26: error: package com.sun.tools.doclets does not exist

2018-06-13 Thread Markus Koschany
Control: tags -1 pending patch

Dear maintainer,

I have uploaded a new version of ditaa, versioned as 0.10+ds1-1.2, that
addresses the build failure with Java 10. The taglet class has been
removed and since a custom taglet is not really required for running the
program, I have dropped the JavaDocTaglet class completely.

Please find attached the debdiff.

Regards,

Markus
diff -Nru ditaa-0.10+ds1/debian/changelog ditaa-0.10+ds1/debian/changelog
--- ditaa-0.10+ds1/debian/changelog 2017-01-13 18:13:14.0 +0100
+++ ditaa-0.10+ds1/debian/changelog 2018-06-13 23:03:10.0 +0200
@@ -1,3 +1,11 @@
+ditaa (0.10+ds1-1.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Work around the FTBFS with Java 10 by removing the JavadocTaglet class.
+(Closes: #897494)
+
+ -- Markus Koschany   Wed, 13 Jun 2018 23:03:10 +0200
+
 ditaa (0.10+ds1-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
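Review bot: the changelog entry describes this only as a build fix, but deleting JavadocTaglet also drops the @textdiagram javadoc tag that the class provided to users' own javadoc builds; a second bullet saying that the taglet feature is removed (and why) would make the user-visible change findable.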
diff -Nru ditaa-0.10+ds1/debian/patches/remove-JavadocTaglet.patch 
ditaa-0.10+ds1/debian/patches/remove-JavadocTaglet.patch
--- ditaa-0.10+ds1/debian/patches/remove-JavadocTaglet.patch1970-01-01 
01:00:00.0 +0100
+++ ditaa-0.10+ds1/debian/patches/remove-JavadocTaglet.patch2018-06-13 
23:03:10.0 +0200
@@ -0,0 +1,345 @@
+From: Markus Koschany 
+Date: Wed, 13 Jun 2018 22:58:25 +0200
+Subject: remove JavadocTaglet
+
+Remove JavadocTaglet class because the Taglet class has been removed in
+Java 10.
+
+Bug-Debian: https://bugs.debian.org/897494
+---
+ .../ascii2image/core/JavadocTaglet.java| 326 -
+ 1 file changed, 326 deletions(-)
+ delete mode 100644 src/org/stathissideris/ascii2image/core/JavadocTaglet.java
+
+diff --git a/src/org/stathissideris/ascii2image/core/JavadocTaglet.java 
b/src/org/stathissideris/ascii2image/core/JavadocTaglet.java
+deleted file mode 100644
+index f1642ef..000
+--- a/src/org/stathissideris/ascii2image/core/JavadocTaglet.java
 /dev/null
+@@ -1,326 +0,0 @@
+-/* 
+- * Text Diagram Taglet 
+- *
+- * Copyright (C) 2006 Nordic Growth Market NGM AB,
+- * Mikael Brannstrom. 
+- *
+- * This program is free software; you can redistribute it and/or modify
+- * it under the terms of the GNU General Public License as published by
+- * the Free Software Foundation; either version 2 of the License, or
+- * (at your option) any later version.
+- *
+- * This program is distributed in the hope that it will be useful,
+- * but WITHOUT ANY WARRANTY; without even the implied warranty of
+- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+- * GNU General Public License for more details.
+- *
+- * You should have received a copy of the GNU General Public License
+- * along with this program; if not, write to the Free Software
+- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+- *
+- */
+-package org.stathissideris.ascii2image.core;
+-
+-import com.sun.javadoc.ProgramElementDoc;
+-import com.sun.javadoc.Tag;
+-import com.sun.tools.doclets.Taglet;
+-import com.sun.tools.doclets.internal.toolkit.Configuration;
+-import com.sun.tools.doclets.standard.Standard;
+-import java.awt.image.RenderedImage;
+-import java.io.File;
+-import java.io.IOException;
+-import java.io.UnsupportedEncodingException;
+-import java.lang.reflect.Field;
+-import java.lang.reflect.Method;
+-import java.util.Map;
+-import java.util.regex.Pattern;
+-import javax.imageio.ImageIO;
+-
+-import org.stathissideris.ascii2image.text.TextGrid;
+-import org.stathissideris.ascii2image.graphics.Diagram;
+-import org.stathissideris.ascii2image.core.ConversionOptions;
+-import org.stathissideris.ascii2image.graphics.BitmapRenderer;
+-
+-/** This class is a custom Javadoc taglet for embedding ditaa diagrams in
+- * javadoc comments. The tag is an inline which can be used in any javadoc
+- * comment. The tag can also be used in package documentation and in the 
+- * overview.
+- * This taglet assumes that the Standard Javadoc Doclet is being used.
+- * 
+- * The syntax is:
+- * 
+- * @textdiagram diagram_name
+- * the ascii art diagram
+- * 
+- * 
+- * 
+- * The diagram name will be used when generating the image, so that the image 
+- * can be referenced to somewhere else (by using an a-href HTML tag). The 
+- * diagram name can only contain letters, numbers and underscore. The name of 
+- * the generated image will become "classname-diagram 
name.png". 
+- * 
+- * The syntax for the ditaa diagram is described at 
+- * http://ditaa.sourceforge.net/;>http://ditaa.sourceforge.net/. 
+- * 
+- * Note: The overview file needs to be named "overview.html" if it lies
+- * in the source path, otherwise it is sufficient that it ends with ".html". 
+- *
+- * @author Mikael Brannstrom
+- */
+-public class JavadocTaglet implements Taglet {
+-
+-  private static final String NAME = "textdiagram";
+-  private static final Pattern FIGURE_NAME_PATTERN = 
Pattern.compile("\\w+");
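Review bot: the patch description attributes the removal to "the Taglet class" being gone in Java 10, but the deleted imports show the class also relies on `com.sun.tools.doclets.internal.toolkit.Configuration` and `com.sun.tools.doclets.standard.Standard`, i.e. the JDK-internal doclet toolkit; naming the public replacement (`jdk.javadoc.doclet.Taglet`, available since JDK 9) in the description would tell a future maintainer how the feature could be ported instead of deleted. Also confirm that no javadoc target in the build still passes `-taglet org.stathissideris.ascii2image.core.JavadocTaglet`, otherwise the documentation build is the next thing to fail.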
+-

Bug#894045: libvncserver: CVE-2018-7225

2018-06-08 Thread Markus Koschany
Hi Salvatore,

Am 08.06.2018 um 22:38 schrieb Salvatore Bonaccorso:
> Hi Markus,
> 
> On Tue, Jun 05, 2018 at 02:52:58PM +0200, Markus Koschany wrote:
>> Control: tags -1 patch
>>
>> Dear maintainer,
>>
>> I've prepared a patch fixing CVE-2018-7225. I am also going to send the
>> debdiffs for stretch and jessie to the security team.
>>
>> Please find attached the debdiff for sid.
> 
> Are you planning to upload a fix proposing a NMU (In case maintainer
> has no time to work on it)? I did raise the severity to RC now, given
> Moritz has released the DSA with your updates for jessie- and
> stretch-security.

Sure, I can do that. I just wanted to give the maintainer some time but
I can upload the fix at the weekend.

Cheers,

Markus





Bug#891957: netbeans "loading module" modules.netbinox NullPointerException

2018-06-07 Thread Markus Koschany
Control: reopen -1

It seems there is another issue with libequinox-osgi-java. Building
Netbeans from source works again but I still get the NullPointerException.





Bug#248496: raise priority

2018-06-02 Thread Markus Koschany
Control: severity -1 normal
Control: tags -1 moreinfo

On Sat, 2 Jun 2018 12:18:22 +0200 Salvo Tomaselli 
wrote:
> severity 248496 grave
> thanks
> 
> Raising priority, since the game does not run at all and the package
> seems completely abandoned.
> 
> If I'm right, the package will eventually just be dropped.

Hello,

the game works for me on amd64 and i386 in Sid. I cannot confirm that
the game is unusable for the majority of users hence I think severity
grave is not justified in this case.

Please note that the package has been orphaned. It simply needs a new
maintainer.

https://bugs.debian.org/869291

Regards,

Markus





Bug#900598: [desmume] Include non free file

2018-06-01 Thread Markus Koschany
Control: severity -1 normal
Control: retitle -1 desmume: clarify ConvertUTF license header

Am 01.06.2018 um 22:25 schrieb Bastien ROUCARIES:
> On Fri, Jun 1, 2018 at 10:21 PM, Markus Koschany  wrote:
>>
>> Am 01.06.2018 um 22:16 schrieb Bastien ROUCARIES:
>> [...]
>>> No it is not a lintian bug. Unicode withdraw this code before applying
>>> the license change.
>>>
>>> Exhibit 1 does not apply in this case.
>>>
>>>>
>>>> http://www.unicode.org/copyright.html#Exhibit1
>>>>
>>>> Also see https://bugs.debian.org/864729 for more information. In my
>>>> opinion this is merely a documentation bug but not a Policy violation.
>>
>> No. This is not correct. Please read #864729 and
>>
>> https://bugs.chromium.org/p/google-breakpad/issues/detail?id=270
>>
>> why we are allowed to change the license too.
> 
> Ok see it. It is nevertheless a bug (not serious) because this code is
> buggy and supperseded by ICU. Did you report this upstream ?

No. I'm not a regular uploader of desmume, just someone who dislikes
that we remove files or entire packages because of wrong or misinformed
assumptions.

> Can you send a bug to lintian ? Will try to cook something

This issue was already reported to the Lintian developers in Debian bug
#852196 and #854209. You have even sent a comment respectively marked
those bugs as moreinfo.

In my opinion Lintian is wrong here. This should be a warning at best
because apparently it leads to confusions whether ConvertUTF.c is
licensed under a DFSG-free license or not. The discussion in #864729 is
the best summary why we can just relicense the file to the new
permissive Unicode license.

Markus





Bug#900598: [desmume] Include non free file

2018-06-01 Thread Markus Koschany

Am 01.06.2018 um 22:16 schrieb Bastien ROUCARIES:
[...]
> No it is not a lintian bug. Unicode withdraw this code before applying
> the license change.
> 
> Exhibit 1 does not apply in this case.
> 
>>
>> http://www.unicode.org/copyright.html#Exhibit1
>>
>> Also see https://bugs.debian.org/864729 for more information. In my
>> opinion this is merely a documentation bug but not a Policy violation.

No. This is not correct. Please read #864729 and

https://bugs.chromium.org/p/google-breakpad/issues/detail?id=270

why we are allowed to change the license too.

Not a bug.

Markus





Bug#900598: [desmume] Include non free file

2018-06-01 Thread Markus Koschany
Hi,

Am 01.06.2018 um 21:58 schrieb Bastien ROUCARIÈS:
> Package: desmume
> Severity: serious
> 
> The following file source files include material under a non-free license 
> from 
> Unicode Inc. Therefore, it is not possible to ship this in main or contrib.
> 
> src/utils/ConvertUTF.c
> 
> This license does not grant any permission to modify the files (thus failing 
> DFSG#3). Moreover, the license grant seems to attempt to restrict use to 
> "products supporting the Unicode Standard" (thus failing DFSG#6).
> 
> In this case a solution is to use libicu and to remove this code by repacking.
> 
> If this is a false-positive, please report a bug against Lintian.
> 
> Refer to https://bugs.debian.org/823100 for details.

Indeed this is a Lintian bug. Unicode changed the license and the new
license can be found here:

http://www.unicode.org/copyright.html#Exhibit1

Also see https://bugs.debian.org/864729 for more information. In my
opinion this is merely a documentation bug but not a Policy violation.

Regards,

Markus





Bug#681726: Eclipse is 6 Years Behind in Debian

2018-05-25 Thread Markus Koschany
Hello,

Am 25.05.2018 um 21:50 schrieb Josh Blagden:
> Hi folks,
> 
>     I just wanted to make the observation that Debian has had the same
> version of Eclipse for the last six years. When can we expect to see a
> new version to the Debian repository?

Maybe when a solar and lunar eclipse happen at the same time.

On a more serious note, we do not intend to ship the current version
with Debian 10 "Buster" again because, as you have rightly observed, it
is obsolete and also broken. I recommend Debian bug #681726 for further
reading. [1]

I still intend to save parts of Eclipse (eclipse-platform) but will also
look into other alternatives to save aspectj and its
reverse-dependencies, whatever is easier to achieve. Though I have made
up my mind and I don't intend to maintain Eclipse and all plugin
packages alone for Buster. I will focus on Netbeans 9 as an alternative
IDE instead which hopefully requires less maintenance but this also
depends on whether it will be released in time before the next freeze.

So in short, we are aware of the situation but we could need more help
from people who really want to _maintain_ Eclipse.

I also thought about something that was discussed at DebConf17 in
Montreal, just packaging the upstream tarball as is. Obviously we can't
ship that in Debian main but we could provide a eclipse-downloader
package in contrib instead. I'm not sure if this is really needed or
desired because it shouldn't be too difficult to run the Eclipse
installer manually. Just a thought, not a promise.

Hope that helps clarify the situation a little.

Regards,

Markus

[1] https://bugs.debian.org/681726





Bug#899332: CVE-2018-8012: Apache ZooKeeper Quorum Peer mutual authentication

2018-05-22 Thread Markus Koschany
Package: zookeeper
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Fixed: 3.4.10-1

Hi,

The following vulnerability was published for zookeeper.

CVE-2018-8012[0]:
| No authentication/authorization is enforced when a server attempts to
| join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha
| through 3.5.3-beta. As a result an arbitrary end point could join the
| cluster and begin propagating counterfeit changes to the leader.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-8012
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8012

Please adjust the affected versions in the BTS as needed.

Regards,

Markus





Bug#898483: PHYSFS_setWriteDir creates an empty file

2018-05-17 Thread Markus Koschany
Control: reassign 898483 libphysfs
Control: retitle 898484 physfs: setWriteDir creates an empty file
Control: found 898484 3.0.1-1

Hi,

Am 17.05.2018 um 06:43 schrieb Ryan C. Gordon:
> 
> Upstream patch is here:
> 
> https://hg.icculus.org/icculus/physfs/rev/a29fef4a20fd
> 
> I have one other pending bug to fix, hopefully tomorrow, then I'll put
> out an official 3.0.2 release.

Since Ryan confirmed the bug in physfs, I'm going to reassign this bug
to libphysfs.

Regards,

Markus





Bug#897542: raincat: FTBFS: Could not find module `Item.Items'

2018-05-16 Thread Markus Koschany
Control: tags -1 pending

I still can't upgrade to the new SDL2 version of raincat because
haskell-mixer-sdl2 and haskell-image-sdl2 or similar packages are
currently not available in Debian.

However the fix seems to be trivial. The import statement is wrong and
should be Items.Items instead of Item.Items. No idea how this could work
in the past.

Markus





Bug#891956: Your mail

2018-05-14 Thread Markus Koschany
Am 14.05.2018 um 22:21 schrieb Rafi Rubin:
> The dependencies for 3.8.1-11 end up requiring libequinox-osgi-java >=
> 3.9.1 (through eclipse-rcp), which doesn't have
> /usr/lib/eclipse/plugins/org.eclipse.osgi_3.8.1.dist.jar
> 
> 
> Going back to stable, 3.8.1-10 for the eclipse packages at least catches
> that jar, but fails after an illegal reflection error.  Maybe it will
> work with an older jdk that's less picky, I haven't tried.
> 
> 
> 
> Is there any intent to package the newer versions of eclipse?  It looks
> like 3.8 is eol at this point.

We won't ship Eclipse 3.8 in Buster. The libequinox-osgi-java issue is
only one of the most obvious bugs in Eclipse and could be easily fixed
but the illegal reflection errors are all caused by Java 10. This
version is simply not ready for everything that is newer than OpenJDK 8.
The plan is to salvage the eclipse-platform package somehow which is a
build-dependency for some important packages but maintaining Eclipse and
its plugins requires more regular help from people who are interested in
keeping it in a good shape. At the moment those volunteers don't exist.

See also https://bugs.debian.org/681726

Markus





Bug#898483: PHYSFS_setWriteDir creates an empty file

2018-05-12 Thread Markus Koschany
Hello Patrick,

Am 12.05.2018 um 16:19 schrieb James Cowgill:
[...]
> I think this is a bug in libphysfs 3.0.1. It seems that in this version
> (unlike 2.0.3), PHYSFS_setWriteDir has the side effect of creating an
> empty file if the path it is given does not exist. This will later cause
> PHYSFS_mkdir to fail even if it's given the right path.
> 
> This would also explain why this bug is not present in stretch.

A bug was reported against lincity-ng but it looks more like this is a
regression/bug in libphysfs 3.0.1. The setWriteDir function creates an
empty file which makes the mkdir function fail later on. Shall I
reassign this bug report to libphysfs?

Regards,

Markus





Bug#898483: failed creating configuration directroy: unsupported

2018-05-12 Thread Markus Koschany
Control: tags -1 confirmed

Am 12.05.2018 um 15:06 schrieb Lumin:
> Package: lincity-ng
> Version: 2.9~git20150314-3
> Severity: serious
> 
> Dear lincity-ng maintainer,
> 
> When there is no ~/.lincity-ng directory under user's home, lincity-ng
> will fail on start.
> 
> ~ ❯❯❯ lincity-ng
> Starting lincity-ng (version 2.9.beta)...
> Unexpected exception: Failed creating configuration directory 
> '/home/lumin/.lincity-ng': unsupported

[...]

Hello,

thanks for the report! I can reproduce the issue and try to fix it soon.
The version in stable works as expected and the directory is created.
Since the code didn't change, it is a bit surprising.

Regards,

Markus





Bug#897542: raincat: FTBFS: Could not find module `Item.Items'

2018-05-07 Thread Markus Koschany
I have pushed an update of raincat to

https://salsa.debian.org/games-team/raincat

I believe the new upstream release will address this issue but even if
not it should be doable to fix this.

I'm currently waiting for haskell-sdl2 which is in the NEW queue.

Markus





Bug#898086: libequinox-osgi-java: Does not install symlinks into /usr/lib/eclipse/plugins

2018-05-07 Thread Markus Koschany
Control: reassign -1 src:eclipse
Control: retitle: Missing symlink of org.eclipse.osgi jar

Hello,

thank you for the bug report. The symlink must be created in the eclipse
package though.

Regards,

Markus





Bug#895778: jruby: Several security vulnerabilities

2018-04-29 Thread Markus Koschany
Hi Miguel,

I have prepared security updates for Jessie and Stretch. Unfortunately I
discovered that jruby in Jessie FTBFS at the moment. This is unrelated
to the patches.

Do you know how to resolve that?

generate-method-classes:

_gmc_internal_:
 [echo] Generating invokers...
 [java] Exception in thread "main" java.lang.ClassFormatError:
Duplicate method name in class file
org/jruby/RubyFixnum$i_method_multi$RUBYINVOKER$to_s
 [java] >---at java.lang.ClassLoader.defineClass1(Native Method)
 [java] >---at java.lang.ClassLoader.defineClass(ClassLoader.java:803)
 [java] >---at
org.jruby.util.JRubyClassLoader.defineClass(JRubyClassLoader.java:39)
 [java] >---at
org.jruby.internal.runtime.methods.DumpingInvocationMethodFactory.endClass(DumpingInvocationMethodFactory.java:64)
 [java] >---at
org.jruby.internal.runtime.methods.InvocationMethodFactory.getAnnotatedMethodClass(InvocationMethodFactory.java:721)
 [java] >---at
org.jruby.anno.InvokerGenerator.main(InvokerGenerator.java:45)

I'm attaching the stretch debdiff to this bug report and push the
patches for Jessie.

Cheers,

Markus
diff -Nru jruby-1.7.26/debian/changelog jruby-1.7.26/debian/changelog
--- jruby-1.7.26/debian/changelog   2016-11-12 21:33:13.0 +0100
+++ jruby-1.7.26/debian/changelog   2018-04-29 22:24:33.0 +0200
@@ -1,3 +1,25 @@
+jruby (1.7.26-1+deb9u1) stretch-security; urgency=high
+
+  * Team upload.
+  * Fix CVE-2018-173: Directory Traversal vulnerability in install_location
+function of package.rb that can result in path traversal when writing to a
+symlinked basedir outside of the root.
+  * Fix CVE-2018-174: possible Unsafe Object Deserialization Vulnerability
+in gem owner.
+  * Fix CVE-2018-175: Strictly interpret octal fields in tar headers to
+avoid infinite loop
+  * Fix CVE-2018-176: Raise a security error when there are duplicate
+files in a package
+  * Fix CVE-2018-177: Enforce URL validation on spec homepage attribute.
+  * Fix CVE-2018-178: Mitigate XSS vulnerability in homepage attribute
+when displayed via gem server.
+  * Fix CVE-2018-179: Directory Traversal vulnerability in gem installation
+that can result in writing to arbitrary filesystem locations during
+installation of malicious gems.
+    (Closes: #895778)
+
+ -- Markus Koschany <a...@debian.org>  Sun, 29 Apr 2018 22:24:33 +0200
+
 jruby (1.7.26-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru jruby-1.7.26/debian/patches/CVE-2018-173.patch 
jruby-1.7.26/debian/patches/CVE-2018-173.patch
--- jruby-1.7.26/debian/patches/CVE-2018-173.patch  1970-01-01 
01:00:00.0 +0100
+++ jruby-1.7.26/debian/patches/CVE-2018-173.patch  2018-04-29 
22:24:33.00000 +0200
@@ -0,0 +1,23 @@
+From: Markus Koschany <a...@debian.org>
+Date: Sun, 29 Apr 2018 21:29:28 +0200
+Subject: CVE-2018-173
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778
+Origin: 
https://github.com/rubygems/rubygems/commit/1b931fc03b819b9a0214be3eaca844ef534175e2
+---
+ lib/ruby/shared/rubygems/package.rb | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/ruby/shared/rubygems/package.rb 
b/lib/ruby/shared/rubygems/package.rb
+index e8b8b38..25ac814 100644
+--- a/lib/ruby/shared/rubygems/package.rb
 b/lib/ruby/shared/rubygems/package.rb
+@@ -405,6 +405,8 @@ EOM
+ destination_dir = File.expand_path destination_dir
+ 
+ destination = File.join destination_dir, filename
++destination = File.realpath destination if
++  File.respond_to? :realpath
+ destination = File.expand_path destination
+ 
+ raise Gem::Package::PathError.new(destination, destination_dir) unless
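Review bot: File.realpath raises Errno::ENOENT when the path does not exist, and at this point in install_location the destination is normally a file that has not been written yet, so the new `destination = File.realpath destination if File.respond_to? :realpath` lines will abort ordinary installs unless something earlier in the code path creates the file first; resolving the nearest existing ancestor (or the parent directory) and re-appending the remaining components avoids that. The hunk also canonicalises only `destination` and not `destination_dir`, so when the install root itself is reached through a symlink the two sides of the `unless` comparison that follows (cut off in this excerpt) are normalised differently and legitimate files get rejected; applying realpath to `destination_dir` as well keeps the prefix check meaningful.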
diff -Nru jruby-1.7.26/debian/patches/CVE-2018-174.patch 
jruby-1.7.26/debian/patches/CVE-2018-174.patch
--- jruby-1.7.26/debian/patches/CVE-2018-174.patch  1970-01-01 
01:00:00.0 +0100
+++ jruby-1.7.26/debian/patches/CVE-2018-174.patch  2018-04-29 
22:24:33.00000 +0200
@@ -0,0 +1,23 @@
+From: Markus Koschany <a...@debian.org>
+Date: Sun, 29 Apr 2018 21:11:01 +0200
+Subject: CVE-2018-174
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778
+Origin: 
https://github.com/rubygems/rubygems/commit/254e3d0ee873c008c0b74e8b8abcbdab4caa0a6d
+---
+ lib/ruby/shared/rubygems/commands/owner_command.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/ruby/shared/rubygems/commands/owner_command.rb 
b/lib/ruby/shared/rubygems/commands/owner_command.rb
+index 322bf65..c5416f8 100644
+--- a/lib/ruby/shared/rubygems/commands/owner_command.rb
 b/lib/ruby/shared/rubygems/commands/owner_command.rb
+@@ -61,7 +61,7 @@ permission to.
+ end
+ 
+ with_response response do |resp|
+-  owners = YAML.load resp.body
++  owners = Gem::SafeYAML.load resp.body
+ 
+   say "Owners for gem: #{name}"
+   owners.each do |owner
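Review bot: the hunk swaps YAML.load for Gem::SafeYAML.load but adds no `require`, and the patch touches no other file, so confirm that lib/ruby/shared/rubygems/safe_yaml.rb (or an equivalent definition of Gem::SafeYAML) actually exists in the RubyGems copy bundled with jruby 1.7.26. If it does not, `gem owner` fails with a NameError at runtime instead of parsing the response safely, and the safe loader has to be backported together with this one-line change.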

Bug#893302: lwjgl FTBFS with openjdk-9

2018-04-25 Thread Markus Koschany

Am 25.04.2018 um 03:09 schrieb Michael Gilbert:
> On Mon, Apr 23, 2018 at 4:57 PM, Markus Koschany wrote:
>> lwjgl 2.9.3 is a legacy release from 2015. It is the last version of the
>> 2.x series and no longer supported. Upstream moved to lwjgl 3. If nobody
>> can fix this we should consider removing lwjgl because the new version
>> 3 would require new Kotlin build dependencies and more.
> 
> Does anyone know what the plan is for openjdk-8 in buster?  If it
> isn't going to go away, the easiest thing may be to depend on it
> instead of default-jdk.
> 
> It look like after many years now, no one has tried to put together a
> kotlin compiler package, so supporting lwjgl3 seems very unlikely.
> 
> Best wishes,
> Mike

The current plan is to only ship OpenJDK 11 in Buster but I can imagine
that we keep OpenJDK 8 just for building packages but depend on OpenJDK
11 at runtime. OpenJDK 8 will be supported until 2020 but even without
support it should be safe to use for development purposes. Ok, let's
keep that in mind and see what happens.

Regards,

Markus



signature.asc
Description: OpenPGP digital signature


Bug#885264: childsplay: Depends on unmaintained pygtk

2018-04-23 Thread Markus Koschany
Control: forwarded -1 https://savannah.nongnu.org/bugs/index.php?53734



signature.asc
Description: OpenPGP digital signature


Bug#893302: lwjgl FTBFS with openjdk-9

2018-04-23 Thread Markus Koschany
I had a go at this today. This package has multiple issues. I tried to
work around the RuntimeExceptions by returning true instead of throwing
an exception. Very bad I know.

It turned out that not only one but four classes are not properly
generated at build time. Those will cause missing symbol errors later.
Then there are several removed or deprecated sun.* classes that either
cause a build failure or warnings.

I'm attaching a simple patch that makes more of those errors visible.

lwjgl 2.9.3 is a legacy release from 2015. It is the last version of the
2.x series and no longer supported. Upstream moved to lwjgl 3. If nobody
can fix this we should consider removing lwjgl because the new version
3 would require new Kotlin build dependencies and more.

Markus
From: Markus Koschany <a...@debian.org>
Date: Mon, 23 Apr 2018 22:30:13 +0200
Subject: java9

---
 src/java/org/lwjgl/util/generator/GeneratorProcessor.java | 7 ++-
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/src/java/org/lwjgl/util/generator/GeneratorProcessor.java b/src/java/org/lwjgl/util/generator/GeneratorProcessor.java
index dc03404..754b262 100644
--- a/src/java/org/lwjgl/util/generator/GeneratorProcessor.java
+++ b/src/java/org/lwjgl/util/generator/GeneratorProcessor.java
@@ -87,11 +87,8 @@ public class GeneratorProcessor extends AbstractProcessor {
 			first_round = false;
 			return true;
 		} catch (Exception e) {
-			if ( lastFile == null ) {
-throw new RuntimeException(e);
-			} else {
-throw new RuntimeException("\n-- Failed to process template: " + lastFile.asType().toString() + " --", e);
-			}
+			System.out.println("\n-- Failed to process template: " + lastFile.asType().toString() + " --");
+			return true;
 		}
 	}
 
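Review bot: the removed branch guarded `lastFile == null`, but the replacement calls `lastFile.asType()` unconditionally, so a failure before any template has been recorded now surfaces as a NullPointerException instead of the intended message. The caught exception `e` is also discarded, which hides the real cause of the generator failure; at minimum print it (`e.printStackTrace()`) next to the message. Returning true after a failed template lets javac continue with classes that were never generated, which is exactly the "missing symbol errors later" described in the mail, so this is a diagnostic aid and should not be shipped as a fix.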


signature.asc
Description: OpenPGP digital signature


Bug#896604: lucene-solr: CVE-2018-1308 XXE in DataImportHandler

2018-04-22 Thread Markus Koschany
Package: lucene-solr
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for lucene-solr.

CVE-2018-1308[0]:
| This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1
| relates to an XML external entity expansion (XXE) in the
| `dataConfig=inlinexml` parameter of Solr's DataImportHandler. It
| can be used as XXE using file/ftp/http protocols in order to read
| arbitrary local files from the Solr server or the internal network.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1308
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1308

Please adjust the affected versions in the BTS as needed.

Regards,

Markus



signature.asc
Description: OpenPGP digital signature


Bug#896128: glusterfs: CVE-2018-1088 privilege escalation flaw

2018-04-19 Thread Markus Koschany
Package: glusterfs
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for glusterfs.

CVE-2018-1088[0]:
| A privilege escalation flaw was found in gluster 3.x snapshot
| scheduler. Any gluster client allowed to mount gluster volumes could
| also mount shared gluster storage volume and escalate privileges by
| scheduling malicious cronjob via symlink.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1088
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1088

Please adjust the affected versions in the BTS as needed.

Regards,

Markus



signature.asc
Description: OpenPGP digital signature


Bug#889530: acm FTBFS with gdbm 1.14.1-2

2018-04-17 Thread Markus Koschany
Control: tags -1 pending

Dear maintainer,

I've uploaded a new revision of acm versioned as 5.0-29.2 to fix Debian
bug #889530.

In addition I switched to compat level 11 because compat level 6 is
deprecated and will lead to another RC bug in the near future.
Furthermore I ensured that the -dbgsym package is built correctly and
format-not-a-string-literal errors were fixed as well. The rest were
some cosmetic changes like removing trailing whitespace and ordering
some lines.

The game builds fine again but I noticed the black screen and even a
segmentation fault which seems related to #765815.

Please find attached the debdiff.

Regards,

Markus
diff -u acm-5.0/debian/acm.dirs acm-5.0/debian/acm.dirs
--- acm-5.0/debian/acm.dirs
+++ acm-5.0/debian/acm.dirs
@@ -9 +8,0 @@
-
diff -u acm-5.0/debian/changelog acm-5.0/debian/changelog
--- acm-5.0/debian/changelog
+++ acm-5.0/debian/changelog
@@ -1,3 +1,17 @@
+acm (5.0-29.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Build-depend on libgdbm-compat-dev and fix the FTBFS with newer gdbm
+versions. (Closes: #889530)
+  * wrap-and-sort -sa.
+  * Switch to compat level 11 (was 6).
+  * d/rules: Use the correct dpkg buildflag variable CFLAGS instead of
+DEBCFLAGS. This will also ensure that the -dbgsym package is created
+correctly.
+  * Fix error "format-not-a-string-literal".
+
+ -- Markus Koschany <a...@debian.org>  Wed, 18 Apr 2018 03:18:08 +0200
+
 acm (5.0-29.1) unstable; urgency=medium
 
   * Non-maintainer upload.
@@ -63,7 +77,7 @@
   * Update to standards-version 3.8.2.
   * Replaced build-dependency on x-dev with x11proto-core-dev
 (closes: #515356).
-  * Bump debian/compat to 6 and build-depends on debhelper.
+  * Bump debian/compat to 6 and build-depends on debhelper.
   * Now refer to GPL-2 common licence, not the GPL.
   * Adjust copyright notice in debian/copyright to add dates.
 
@@ -100,7 +114,7 @@
   * Applied patch from Mohammed Adnène Trojette:
   * Correct copyright file to show original source (closes: #372495).
   * Bump standards-version to 3.7.2 (no changes needed).
-  * Added PostScript version of acmdoc.rtf (HTML conversion lost images) 
+  * Added PostScript version of acmdoc.rtf (HTML conversion lost images)
 (closes: #372496).
 
  -- Phil Brooke <p...@debian.org>  Sat, 10 Jun 2006 14:01:11 +0100
@@ -124,7 +138,7 @@
 
 acm (5.0-19) unstable; urgency=low
 
-  * Applied patch from Andreas Jochens to fix dis/sdbm/util.c so that 
+  * Applied patch from Andreas Jochens to fix dis/sdbm/util.c so that
 acm builds with amd64/gcc-3.4 (Closes: #280272).
 
  -- Phil Brooke <p...@debian.org>  Thu, 11 Nov 2004 18:50:05 +
@@ -146,7 +160,7 @@
 
 acm (5.0-16) unstable; urgency=low
 
-  * Adding missing includes to prevent `assignment makes pointer from 
+  * Adding missing includes to prevent `assignment makes pointer from
 integer without a cast' warnings that are fatal on ia64
 (Closes: #226558).
   * Cleaned up similar warnings from audio.c.
@@ -237,7 +251,7 @@
 acm (5.0-6) unstable; urgency=low
 
   * Folding in suggested changes to audio code from Giuseppe Borzi'.
-  * Added -dis-silent switch.  
+  * Added -dis-silent switch.
   * More comments added to README.Debian.
 
  -- Phil Brooke <p...@debian.org>  Tue, 16 Jul 2002 13:20:25 +0100
diff -u acm-5.0/debian/compat acm-5.0/debian/compat
--- acm-5.0/debian/compat
+++ acm-5.0/debian/compat
@@ -1 +1 @@
-6
+11
diff -u acm-5.0/debian/control acm-5.0/debian/control
--- acm-5.0/debian/control
+++ acm-5.0/debian/control
@@ -2,12 +2,23 @@
 Section: games
 Priority: optional
 Maintainer: Phil Brooke <p...@debian.org>
-Build-Depends: debhelper (>> 6.0.0), libx11-dev, libxext-dev, 
x11proto-core-dev, libgdbm-dev, libaudio-dev, libelfg0-dev [hurd-i386], 
sharutils
+Build-Depends:
+ debhelper (>= 11),
+ libaudio-dev,
+ libelfg0-dev [hurd-i386],
+ libgdbm-compat-dev,
+ libgdbm-dev,
+ libx11-dev,
+ libxext-dev,
+ sharutils,
+ x11proto-core-dev
 Standards-Version: 3.9.6
 
 Package: acm
 Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends}
 Description: Multi-player classic aerial combat simulation
  A multiplayer aerial combat simulation. Players engage in air to air
  combat against one another using heat seeking missiles and cannons.
@@ -25,2 +35,0 @@
-
-
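Review bot: libgdbm-compat-dev already depends on libgdbm-dev, so the explicit libgdbm-dev entry in Build-Depends is redundant; harmless, but dropping it makes the point of the gdbm switch clearer. Standards-Version stays at 3.9.6 while compat jumps from 6 to 11, which is acceptable for an NMU, but a lintian run is worthwhile to confirm nothing else in debian/rules relied on compat-6 behaviour.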
diff -u acm-5.0/debian/copyright acm-5.0/debian/copyright
--- acm-5.0/debian/copyright
+++ acm-5.0/debian/copyright
@@ -9,14 +9,14 @@
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; version 2 dated June, 1991.
-  
+
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.
- 

Bug#893312: lombok FTBFS with openjdk-9

2018-04-17 Thread Markus Koschany
I've fixed the original errors in Javac.java but there are more later on
due to our friend OpenPain 9. I had no choice but to upgrade to a newer
lombok version. Now I'm stuck because ecj can't be found.

Markus



signature.asc
Description: OpenPGP digital signature


Bug#895920: ecj: only a virtual package and not installable

2018-04-17 Thread Markus Koschany
Source: ecj
Version: 3.13.2-2
Severity: serious

While I was having some fun with lombok, I discovered that ecj is just
a virtual package and not installable. I don't think that's intended.

Markus



Bug#875547: animals: can't be played as non root user

2018-04-16 Thread Markus Koschany
Control: tags -1 pending

Dear maintainer,

I've uploaded a new revision of animals versioned as 201207131226-2.1
that addresses the issue. Please find attached the debdiff.

Regards,

Markus
diff -Nru animals-201207131226/debian/changelog 
animals-201207131226/debian/changelog
--- animals-201207131226/debian/changelog   2016-09-11 20:20:18.0 
+0200
+++ animals-201207131226/debian/changelog   2018-04-16 19:21:27.0 
+0200
@@ -1,3 +1,12 @@
+animals (201207131226-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix typo overwrite -> override in debian/rules that prevented the use of
+correct file permissions and thus made the game unusable.
+Thanks to Aaron Howell for the report. (Closes: #875547)
+
+ -- Markus Koschany <a...@debian.org>  Mon, 16 Apr 2018 19:21:27 +0200
+
 animals (201207131226-2) unstable; urgency=medium
 
   * Switch to dh
diff -Nru animals-201207131226/debian/rules animals-201207131226/debian/rules
--- animals-201207131226/debian/rules   2016-09-11 20:20:18.0 +0200
+++ animals-201207131226/debian/rules   2018-04-16 19:21:27.0 +0200
@@ -8,7 +8,7 @@
 override_dh_strip:
dh_strip --dbgsym-migration='animals-dbg (<<201207131226-1)'
 
-overwrite_dh_fixperms:
+override_dh_fixperms:
dh_fixperms
chown games:games $(CURDIR)/debian/animals/var/games/animals
chmod 06775 $(CURDIR)/debian/animals/var/games/animals
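Review bot: with the typo fixed the override now actually runs, so the resulting mode 06775 on /var/games/animals deserves a second look. The setuid bit has no effect on directories on Linux, so 02775 (setgid, group-writable) expresses the intent without leaving an odd-looking suid directory behind. Since write access to this directory is granted through group `games`, also check that the game binary itself is installed setgid games; otherwise ordinary users still cannot write the database and the original bug persists.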


signature.asc
Description: OpenPGP digital signature


Bug#895778: jruby: Several security vulnerabilities

2018-04-15 Thread Markus Koschany
I intend to work on the patches for Jessie and Stretch. Unstable could
be a bit more complicated due to the FTBFS with OpenJDK 9.

Markus



signature.asc
Description: OpenPGP digital signature
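
The CVE-2018-173 patch in the stretch debdiff above adds a File.realpath call to RubyGems' install_location check. The following is an added example, not code from jruby or RubyGems: a minimal re-creation of that check, in a naive form (expand_path only) and a hardened form (realpath on both the install root and the nearest existing ancestor of the target), run against a constructed temporary tree in which a symlink inside the install root points outside it. Function and class names (naive_install_location, safe_install_location, PathError) are hypothetical.

```ruby
require 'tmpdir'
require 'fileutils'

class PathError < StandardError; end

# Naive check in the spirit of the pre-patch install_location:
# expand_path normalises "../" but never resolves symlinks.
def naive_install_location(filename, destination_dir)
  raise PathError, filename if filename.start_with?('/')
  destination_dir = File.expand_path(destination_dir)
  destination = File.expand_path(File.join(destination_dir, filename))
  raise PathError, destination unless destination.start_with?(destination_dir + '/')
  destination
end

# Canonicalise a path that may not exist yet: realpath the nearest existing
# ancestor, then re-append the components that are still missing.
# (File.realpath on the full path would raise Errno::ENOENT for a file that
# has not been written yet, which is the normal case during installation.)
def resolve_existing_prefix(path)
  missing = []
  current = path
  until File.exist?(current)
    missing.unshift(File.basename(current))
    current = File.dirname(current)
  end
  File.join(File.realpath(current), *missing)
end

# Hardened check: both the install root and the target are resolved through
# realpath before the prefix comparison, so a symlink inside the root that
# points elsewhere is caught.
def safe_install_location(filename, destination_dir)
  raise PathError, filename if filename.start_with?('/')
  destination_dir = File.realpath(File.expand_path(destination_dir))
  destination = File.expand_path(File.join(destination_dir, filename))
  destination = resolve_existing_prefix(destination)
  raise PathError, destination unless destination.start_with?(destination_dir + '/')
  destination
end

def verdict
  yield
  :allowed
rescue PathError
  :rejected
end

# Constructed scenario: <root>/install is the gem's install root and
# <root>/install/evil is a symlink to <root>/outside, i.e. outside the root.
# Returns { filename => [naive verdict, hardened verdict] }.
def demo
  Dir.mktmpdir do |root|
    install = File.join(root, 'install')
    outside = File.join(root, 'outside')
    FileUtils.mkdir_p(install)
    FileUtils.mkdir_p(outside)
    File.symlink(outside, File.join(install, 'evil'))

    %w[lib/ok.rb ../escape.rb evil/payload.rb].each_with_object({}) do |name, results|
      results[name] = [verdict { naive_install_location(name, install) },
                       verdict { safe_install_location(name, install) }]
    end
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The plain "../escape.rb" case is rejected by both variants; only the symlink case separates them, which is why the expand_path-only check was insufficient.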


Bug#895778: jruby: Several security vulnerabilities

2018-04-15 Thread Markus Koschany
Package: jruby
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for jruby. Apparently
rubygems is embedded into jruby, which makes it vulnerable too.

CVE-2018-179[0]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Directory Traversal vulnerability in gem installation that can result
| in the gem could write to arbitrary filesystem locations during
| installation. This attack appear to be exploitable via the victim must
| install a malicious gem. This vulnerability appears to have been fixed
| in 2.7.6.

CVE-2018-178[1]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Cross Site Scripting (XSS) vulnerability in gem server display of
| homepage attribute that can result in XSS. This attack appear to be
| exploitable via the victim must browse to a malicious gem on a
| vulnerable gem server. This vulnerability appears to have been fixed
| in 2.7.6.

CVE-2018-177[2]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Improper Input Validation vulnerability in ruby gems specification
| homepage attribute that can result in a malicious gem could set an
| invalid homepage URL. This vulnerability appears to have been fixed in
| 2.7.6.

CVE-2018-176[3]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Improper Verification of Cryptographic Signature vulnerability in
| package.rb that can result in a mis-signed gem could be installed, as
| the tarball would contain multiple gem signatures.. This vulnerability
| appears to have been fixed in 2.7.6.

CVE-2018-175[4]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| infinite loop caused by negative size vulnerability in ruby gem
| package tar header that can result in a negative size could cause an
| infinite loop.. This vulnerability appears to have been fixed in
| 2.7.6.

CVE-2018-174[5]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Deserialization of Untrusted Data vulnerability in owner command that
| can result in code execution. This attack appear to be exploitable via
| victim must run the `gem owner` command on a gem with a specially
| crafted YAML file. This vulnerability appears to have been fixed in
| 2.7.6.

CVE-2018-173[6]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Directory Traversal vulnerability in install_location function of
| package.rb that can result in path traversal when writing to a
| symlinked basedir outside of the root. This vulnerability appears to
| have been fixed in 2.7.6.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-179
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-179
[1] https://security-tracker.debian.org/tracker/CVE-2018-178
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-178
[2] https://security-tracker.debian.org/tracker/CVE-2018-177
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-177
[3] https://security-tracker.debian.org/tracker/CVE-2018-176
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-176
[4] https://security-tracker.debian.org/tracker/CVE-2018-175
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-175
[5] https://security-tracker.debian.org/tracker/CVE-2018-174
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-174
[6] https://security-tracker.debian.org/tracker/CVE-2018-173
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-173

Please adjust the affected versions in the BTS as needed.

Regards,

Markus



signature.asc
Description: OpenPGP digital signature
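
CVE-2018-174 above concerns `gem owner` feeding a server response to an unrestricted YAML loader. The following is an added example, not code from jruby or RubyGems, showing why the fix replaces YAML.load with a safe loader: a constructed, hypothetical server response carries a `!ruby/object` tag, an unrestricted load instantiates the named class on the client, and YAML.safe_load refuses it. The AuditHook class and both documents are invented for the demonstration.

```ruby
require 'yaml'

# Hypothetical class an attacker could name in a crafted response; any
# class loaded in the client process would do.
class AuditHook
  attr_reader :command
  def initialize(command = nil)
    @command = command
  end
end

# Constructed: what a well-behaved server returns for the owners list.
BENIGN_OWNERS = "---\n- email: alice@example.org\n  id: 1\n".freeze

# Constructed: what a hostile server (or a MITM on a non-TLS connection)
# could return instead. The tag asks the loader to build an AuditHook.
HOSTILE_OWNERS = "--- !ruby/object:AuditHook\ncommand: echo owned\n".freeze

# Unrestricted load. Psych >= 4 made YAML.load safe by default and moved the
# old behaviour to YAML.unsafe_load, so use whichever this Ruby provides.
def unsafe_yaml_load(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Safe load: only plain data (strings, numbers, arrays, hashes). Any tagged
# Ruby object raises Psych::DisallowedClass instead of being instantiated.
def safe_yaml_load(doc)
  YAML.safe_load(doc)
end

# Parse an owners list and report what happened.
def parse_owners(doc, safe:)
  result = safe ? safe_yaml_load(doc) : unsafe_yaml_load(doc)
  result.is_a?(AuditHook) ? :object_instantiated : :data
rescue Psych::DisallowedClass
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  [BENIGN_OWNERS, HOSTILE_OWNERS].each do |doc|
    puts "unsafe: #{parse_owners(doc, safe: false)}  safe: #{parse_owners(doc, safe: true)}"
  end
end
```

Instantiation via the object tag bypasses `initialize` and sets instance variables directly; with gadget classes that run code from a finalizer, `method_missing` or an `==` override, that is enough for code execution, which is the behaviour the CVE text describes.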


Bug#893129: dita-ot FTBFS with openjdk-9

2018-04-13 Thread Markus Koschany
Dear maintainer,

I've uploaded a new revision of dita-ot versioned as 1.5.3-2.1 which
addresses the build failure with Java 9. Please find attached the debdiff.

Regards,

Markus
diff -Nru dita-ot-1.5.3/debian/changelog dita-ot-1.5.3/debian/changelog
--- dita-ot-1.5.3/debian/changelog  2016-08-29 08:18:47.0 +0200
+++ dita-ot-1.5.3/debian/changelog  2018-04-14 00:56:09.0 +0200
@@ -1,3 +1,10 @@
+dita-ot (1.5.3-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add encoding.patch and fix FTBFS with Java 9. (Closes: #893129)
+
+ -- Markus Koschany <a...@debian.org>  Sat, 14 Apr 2018 00:56:09 +0200
+
 dita-ot (1.5.3-2) unstable; urgency=medium
 
   * Team upload.
diff -Nru dita-ot-1.5.3/debian/patches/encoding.patch 
dita-ot-1.5.3/debian/patches/encoding.patch
--- dita-ot-1.5.3/debian/patches/encoding.patch 1970-01-01 01:00:00.0 
+0100
+++ dita-ot-1.5.3/debian/patches/encoding.patch 2018-04-14 00:56:09.0 
+0200
@@ -0,0 +1,54 @@
+From: Markus Koschany <a...@debian.org>
+Date: Sat, 14 Apr 2018 00:55:08 +0200
+Subject: encoding
+
+Fix FTBFS with Java 9 by specifying the encoding.
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893129
+---
+ buildPackage.xml | 4 ++--
+ demo/fo/buildPackage.xml | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/buildPackage.xml b/buildPackage.xml
+index 697ac21..969f94f 100644
+--- a/buildPackage.xml
 b/buildPackage.xml
+@@ -72,7 +72,7 @@
+   value="${version}"/>
+ 
++  source="1.5" target="1.5" encoding="iso-8859-1">
+   
+ 
+ 
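Review bot: declaring encoding="iso-8859-1" makes the build independent of the locale javac 9 now derives its default from, but ISO-8859-1 can decode any byte sequence, so javac will never complain if the sources are really UTF-8; it would silently mangle non-ASCII characters in string literals and comments. Check (for example with `iconv -f utf-8 -t utf-8 <file>` on the sources) that Latin-1 is the actual encoding before hard-coding it, or declare UTF-8 if the sources are valid UTF-8.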
+@@ -547,4 +547,4 @@
+ 
+   
+ 
+-
+\ No newline at end of file
++
+diff --git a/demo/fo/buildPackage.xml b/demo/fo/buildPackage.xml
+index d55da00..3102218 100644
+--- a/demo/fo/buildPackage.xml
 b/demo/fo/buildPackage.xml
+@@ -48,7 +48,7 @@
+   
+ 
++  source="1.5" target="1.5" encoding="iso-8859-1">
+   
+ 
+   
+@@ -57,7 +57,7 @@
+ 
++  debug="on" encoding="iso-8859-1">
+   
+ 
+   
diff -Nru dita-ot-1.5.3/debian/patches/series 
dita-ot-1.5.3/debian/patches/series
--- dita-ot-1.5.3/debian/patches/series 2012-05-03 10:58:33.0 +0200
+++ dita-ot-1.5.3/debian/patches/series 2018-04-14 00:56:09.0 +0200
@@ -1,3 +1,4 @@
 debian-custom-build.patch
 same-loader-for-tasks.patch
 distribution-saxon-compat.patch
+encoding.patch


signature.asc
Description: OpenPGP digital signature


Bug#893411: sat4j FTBFS with openjdk-9

2018-04-13 Thread Markus Koschany
Control: tags -1 pending

Dear maintainer,

I've uploaded a new revision of sat4j versioned as 2.3.5-0.3 to fix
Debian bug #893411. Please find attached the debdiff.

Regards,

Markus
diff -Nru sat4j-2.3.5/debian/changelog sat4j-2.3.5/debian/changelog
--- sat4j-2.3.5/debian/changelog2016-11-04 23:10:51.0 +0100
+++ sat4j-2.3.5/debian/changelog2018-04-13 18:54:47.0 +0200
@@ -1,3 +1,10 @@
+sat4j (2.3.5-0.3) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add encoding.patch and fix FTBFS with Java 9. (Closes: #893411)
+
+ -- Markus Koschany <a...@debian.org>  Fri, 13 Apr 2018 18:54:47 +0200
+
 sat4j (2.3.5-0.2) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru sat4j-2.3.5/debian/patches/encoding.patch 
sat4j-2.3.5/debian/patches/encoding.patch
--- sat4j-2.3.5/debian/patches/encoding.patch   1970-01-01 01:00:00.0 
+0100
+++ sat4j-2.3.5/debian/patches/encoding.patch   2018-04-13 18:54:47.0 
+0200
@@ -0,0 +1,32 @@
+From: Markus Koschany <a...@debian.org>
+Date: Fri, 13 Apr 2018 18:53:35 +0200
+Subject: encoding
+
+Fix FTBFS with Java 9 by specifying the encoding everywhere.
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893411
+---
+ build.xml | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/build.xml b/build.xml
+index 88f9620..e6016a5 100644
+--- a/build.xml
 b/build.xml
+@@ -326,6 +326,7 @@
+   destdir="${build}"
+   source="1.5"
+   target="${target}"
++  encoding="iso-8859-1"
+   debug="true"
+   includeantruntime="true">
+   
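Review bot: encoding="iso-8859-1" is added to this javac call, but source="1.5" is kept alongside it; javac 9 no longer accepts -source 1.5 (support for 1.5 was dropped with the JDK 9 one-plus-three-back policy), so if the package builds with this patch something in the toolchain must be raising the level behind the scenes. Setting source to a level javac 9 accepts (1.6 or, simpler, the same value as ${target}) makes build.xml honest about what is compiled and avoids a surprise when that workaround goes away.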
+@@ -430,7 +431,8 @@
+ 
+   Compiling test files
+-  
++  
+   
+   
+   Running JUNIT tests
diff -Nru sat4j-2.3.5/debian/patches/series sat4j-2.3.5/debian/patches/series
--- sat4j-2.3.5/debian/patches/series   2016-11-04 22:57:45.0 +0100
+++ sat4j-2.3.5/debian/patches/series   2018-04-13 18:54:47.0 +0200
@@ -1,2 +1,3 @@
 commmons-cli
 debian-build
+encoding.patch


signature.asc
Description: OpenPGP digital signature


Bug#893252: libjdbm-java FTBFS with openjdk-9

2018-04-13 Thread Markus Koschany
This package has no reverse-dependencies. It has been in "maintenance
mode" upstream since 2012.

https://sourceforge.net/projects/jdbm/
https://github.com/jankotek/JDBM3

The author then worked on JDBM4

https://github.com/jankotek/JDBM4

which became mapdb

https://github.com/jankotek/mapdb

This is probably very different from what we have now in Debian.

Should this package be removed?

Markus



signature.asc
Description: OpenPGP digital signature


Bug#893240: libhibernate3-java FTBFS with openjdk-9

2018-04-13 Thread Markus Koschany
Control: tags -1 confirmed

I had a look at this package. Despite the fact that we use the magic
--ignore-source-errors option we get a ClassCastException from OpenJDK
9. I wonder if this is rather a bug in OpenJDK 9 than in libhibernate3-java.

Markus



signature.asc
Description: OpenPGP digital signature


Bug#894330: apktool FTBFS with openjdk-9

2018-03-30 Thread Markus Koschany
Control: reassign -1 src:proguard

Hi,

this is a proguard bug. Version 5.3.3-1 works for me but 6.0.1-1 fails.
The reason is that the gradle.ProguardTask class is not included in
proguard-base.jar. The gradle/build.sh script requires the existence of
Gradle, fails to detect it because proguard doesn't build-depend on
gradle and thus the gradle plugin is not built at all.

I'm going to reassign the RC bugs for apktool and libsmali-java and
upload a new revision of proguard that build-depends on gradle again.

Regards,

Markus



signature.asc
Description: OpenPGP digital signature


Bug#893561: libtablelayout-java: license does not seem to meet the DFSG

2018-03-28 Thread Markus Koschany
Am 28.03.2018 um 23:34 schrieb Francesco Poli:
> On Sat, 24 Mar 2018 15:22:12 +0100 Markus Koschany wrote:
> 
>> Am 24.03.2018 um 00:17 schrieb Francesco Poli:
> [...]
>>> Was the debian-legal discussion pointed out to the FTP Masters?
>>> Did they explain the rationale behind their decision? 
>>
>> FYI, debian-legal is a mailing list and not a Debian body that can exert
>> any power over the FTP masters.
> 
> I am well aware of this, as I have participated in debian-legal
> discussions for more than 13 years.

I intend to make this my last reply to Debian bug #893561. However if my
following answer does not satisfy you, there is the last resort of
asking Debian's technical committee (CTTE) for a definite ruling.


> debian-legal is more like a sort of advisory board, where licensing
> issues are discussed and analyzed. The FTP Masters are not bound to
> follow the advice, of course.
> But, whenever an issue was actually discussed on debian-legal, it is
> useful for the FTP Masters to be informed about the discussion, so that
> they can see what was said and pointed out, before making their
> decision.
> Otherwise, what's the point in having a discussion on debian-legal, if
> the FTP Masters are left unaware of it and must analyze the license
> from scratch?

I know your involvement in debian-legal from previous discussions. Like
I said before debian-legal is a mailing list and not an authoritative
body of Debian. Of course everyone is entitled to his/her own opinion
but nevertheless in the end only the FTP masters decide whether a
license is compatible to Debian's Free Software Guidelines. It is at
least questionable why you act now, _nine_ years later.

>> They may or may not have been aware of
>> the discussion but by accepting libtablelayout-java into Debian they
>> clearly made a decision in favor of the license.
> The FTP Masters are humans and may make mistakes, like all of us.
> They could have overlooked some troublesome clause in the license, if
> not informed about the potential issue...

Please note that this package was introduced to Debian by Torsten Werner
who was once a FTP master himself. I know that Torsten was highly
critical of some game licenses that were accepted into Debian and I'm
pretty sure he didn't introduce libtablelayout-java purely on a whim.

> [...]
>>> The issue is not the requirement to modify the package through patch
>>> files. Patch-only clauses are explicitly allowed by DFSG#4, as you
>>> correctly point out.
>>> As I have previously said, the issue is that the license forbids to
>>> create a derived work that uses the info.clearthought namespace/package.
>>>
>>> This goes beyond what is allowed by DFSG#4, which only talks about
>>> patch files and requirements to change the *name* or the *version
>>> number*.
>>
>> No, this is precisely why DFSG 4 mentions patch files explicitly and why
>> DFSG 4 is named "Integrity of The Author's Source Code".
> 
> Once again, patch files are not the freeness issue I am talking about.
> The troublesome clause is the namespace-change restriction.

As I pointed out before the namespace-change is not an issue for Debian.
We are acting according to the license and there is certainly no need to
revert to the original namespace once you have created a derived work?

>> We respect the
>> authors source code and his wish to preserve the info.clearthough
>> namespace. Nevertheless we are allowed to change it for derived works
>> and can rename it to any name we want. This is sufficiently DFSG-free.
>> The name is "info.clearthought" which is the official upstream URL. It
>> is common practice in Java to use a namespace that corresponds to some
>> URL. It is completely fair to reserve info.clearthought because Debian
>> also reserves the rights for debian.org or the name Debian in general.
> 
> Please let me understand, as I am not too familiar with Java.
> Isn't the namespace concept in Java similar to the corresponding
> concept in C++?
> 
> Suppose someone has several Java programs that link with
> libtablelayout-java and use classes from the info.clearthought
> namespace.
> Suppose he/she wants to use a modified version of libtablelayout-java
> (maybe with some bugs fixed, or something like that) where the
> namespace has been changed to a different one.
> Can he/she use the programs with the modified libtablelayout-java,
> without having to modify each one of them?
> 
> In other words, can someone develop a fork of libtablelayout-java (with
> the namespace changed to a different one) which works as a drop-in
> replacement for the original libtablelayout-java?

We have already created a derived w

Bug#893359: marked as done (jboss-xnio FTBFS with openjdk-9)

2018-03-28 Thread Markus Koschany
Am 28.03.2018 um 22:35 schrieb Emmanuel Bourg:
> Le 28/03/2018 à 22:29, Markus Koschany a écrit :
> 
>> I'm just wondering, we never had 3.0.0-3 of maven-bundle-plugin in
>> Debian. How did it get fixed and what does maven-bundle-plugin do now to
>> make those Java modules accessible? I thought this was an issue of the
>> application build system and not a general tool chain problem. Just
>> asking because that could probably speed some things up. :)
> 
> Err I meant maven-javadoc-plugin/3.0.0-3. Sorry, I need some sleep ;)
> 
> Emmanuel
> 

Ah, I see. Forgive my ignorance but wasn't --ignore-source-errors some
kind of internal developer hack which can be removed at anytime? I
faintly remember that we reverted this change for Ant already because it
broke some reverse-dependencies. Oh well, you can tell me later.



signature.asc
Description: OpenPGP digital signature


Bug#893359: marked as done (jboss-xnio FTBFS with openjdk-9)

2018-03-28 Thread Markus Koschany
Hi,

I'm just wondering, we never had 3.0.0-3 of maven-bundle-plugin in
Debian. How did it get fixed and what does maven-bundle-plugin do now to
make those Java modules accessible? I thought this was an issue of the
application build system and not a general tool chain problem. Just
asking because that could probably speed some things up. :)



Bug#893382: closed by Markus Koschany <a...@debian.org> (Re: osgi-foundation-ee FTBFS with openjdk-9)

2018-03-28 Thread Markus Koschany
Am 28.03.2018 um 15:13 schrieb Adrian Bunk:
> Control: reopen -1
> 
>> Date: Wed, 28 Mar 2018 14:19:30 +0200
>> From: Markus Koschany <a...@debian.org>
>> To: 893382-d...@bugs.debian.org
>> Subject: Re: osgi-foundation-ee FTBFS with openjdk-9
>>
>> Building the package works for me. I'm going to upload a new revision
>> but I think this bug is already resolved.
> 
> Still happens for me, and also on the buildd:
> https://buildd.debian.org/status/fetch.php?pkg=osgi-foundation-ee=all=4.2.0-3=1522242580=0

Right. Apparently one of my chroots was not properly updated. This issue
is related to openjdk-9 bug

https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8186841

However they only consider the error handling of javadoc a bug (not
exiting gracefully), the "bad class file" is another story.

AFAICS osgi-foundation-ee uses identical class names and the same
namespace as several classes in the java.base module (src/java/util) and
OpenJDK 9 does not like that. Maybe --add-modules java.base might work
in this case?

We could also do the following. The only reverse-dependency of this
package is osgi-compendium. It appears it requires only some specific
class files to build correctly (namely javax.microedition.io.*). If this
is true we could move those classes into osgi-compendium and remove
osgi-foundation-ee from Debian. One package less to support.



Bug#893247: Intend to take over libjbzip2-java and libnanoxml2-java into Debian Med team

2018-03-26 Thread Markus Koschany


Am 26.03.2018 um 07:55 schrieb Andreas Tille:
> On Sun, Mar 25, 2018 at 11:56:18PM +0200, Emmanuel Bourg wrote:
>> Le 25/03/2018 à 19:55, tony mancill a écrit :
[...]

>>> (b) relaxing the default pkg-java permissions to be like those of the
>>> Debian Perl Team and allow all DDs by default
>>
>> +1, but note that this is basically how it already works today since any
>> request to join the pkg-java group (or now java-team on Salsa) is always
>> granted.
> 
> Same for Debian Med.  It's a bit sad that it can not easily be granted to
> any DD any more to enable commits of team uploads / NMUs instantly but
> requires an extra step.
> 

Apparently one can share single packages with the Debian group which
contains all Debian developers. [1]


[1]
https://wiki.debian.org/Salsa/AliothMigration#Share_a_group_with_all_Debian_developers



Bug#893359: jboss-xnio FTBFS with openjdk-9

2018-03-25 Thread Markus Koschany

I could solve one part of the build issues with Java 9 but I am stuck with

"/build/jboss-xnio-3.6.2/api/src/main/java/java/nio/channels/FileChannel.java:[19,1]
package exists in another module: java.base
"

I have read about the new --patch-modules option but I am not sure if
this is the right way. Renaming the package is probably the way forward.
However upstream is still working on Java 9 support and I don't want to
act prematurely. Let's see what they will come up with. Hopefully
it happens before Buster freezes.



Bug#873227: Please upgrade to 4.1: Java 9 support

2018-03-25 Thread Markus Koschany
Hi tony,

Am 25.03.2018 um 06:26 schrieb tony mancill:
[...]

> I'm going to upload to experimental momentarily and ask others on the
> Java Team if there any concern about uploading Gradle 3.4 to unstable.

Let's do it. I remember there were two failing packages with Gradle 3.4
but BND might be fixed already thanks to Kai-Chung Yan. I guess we will
solve the remaining issues as well eventually.

Cheers,

Markus



Bug#893561: libtablelayout-java: license does not seem to meet the DFSG

2018-03-24 Thread Markus Koschany
Am 24.03.2018 um 00:17 schrieb Francesco Poli:
> On Thu, 22 Mar 2018 18:30:53 +0100 Markus Koschany wrote:
> 
>> Am 19.03.2018 um 22:28 schrieb Francesco Poli (wintermute):
> [...]
>>> I noticed that the license was
>>> [discussed](https://lists.debian.org/debian-legal/2009/06/msg00050.html)
>>> on debian-legal a long time ago.
>>> My
>>> [opinion](https://lists.debian.org/debian-legal/2009/06/msg00053.html)
>>> was that at least two clauses fail to meet the DFSG.
>>
>> In the end the ftp-team accepted the package into Debian and that is the
>> only thing that counts.
> 
> Was the debian-legal discussion pointed out to the FTP Masters?
> Did they explain the rationale behind their decision? 

FYI, debian-legal is a mailing list and not a Debian body that can exert
any power over the FTP masters. They may or may not have been aware of
the discussion but by accepting libtablelayout-java into Debian they
clearly made a decision in favor of the license.

>>> The debian/copyright file states, in part:
>>>
>>> | The source code has been modified to make the package suitable for main 
>>> (see
>>> | license III. 4.). The package namespace has been changed from
>>> | info.clearthought.layout to org.debian.tablelayout.
>>>
>>> Personally, I don't think that applying a patch that changes the namespace
>>> is enough to make the package suitable for Debian main.
>>
>> This is certainly enough. We change the namespace all the time in Debian
>> Java packages by using maven.rules for example. Also using patch files
>> is explicitly allowed by DFSG 4.
> 
> The issue is not the requirement to modify the package through patch
> files. Patch-only clauses are explicitly allowed by DFSG#4, as you
> correctly point out.
> As I have previously said, the issue is that the license forbids to
> create a derived work that uses the info.clearthought namespace/package.
> 
> This goes beyond what is allowed by DFSG#4, which only talks about
> patch files and requirements to change the *name* or the *version
> number*.

No, this is precisely why DFSG 4 mentions patch files explicitly and why
DFSG 4 is named "Integrity of The Author's Source Code". We respect the
author's source code and his wish to preserve the info.clearthought
namespace. Nevertheless we are allowed to change it for derived works
and can rename it to any name we want. This is sufficiently DFSG-free.
The name is "info.clearthought" which is the official upstream URL. It
is common practice in Java to use a namespace that corresponds to some
URL. It is completely fair to reserve info.clearthought because Debian
also reserves the rights for debian.org or the name Debian in general.

> 
>>
>>> I mean: it's true that it is now possible to create drop-in replacements
>>> for the Debian package (without further changing the namespace), but it is
>>> still forbidden to create a modified version that changes the namespace
>>> back to "info.clearthought".
>>>
>>> I think that this restriction goes beyond what is allowed by DFSG#4.
>>
>> This is your personal opinion. It was already discussed on debian-legal
>> back in 2009 that the license is still acceptable and in the spirit of
>> the DFSG.
> 
> Wait, it was indeed discussed on debian-legal back in 2009.
> 
> The thread is the very
> [one](https://lists.debian.org/debian-legal/2009/06/msg00050.html)
> I cited in my bug report.
> 
> There were two replies, one by Joe Smith and one by me.
> Joe said that the license is acceptable and within the spirit of the
> DFSG.
> On the other hand, I said that two clauses fail to meet the DFSG.
> 
> Now, I respect Joe's opinion, but it's not clear to me why you claim
> that *his* reply represents the outcome of the debian-legal discussion,
> while *my* reply is just my personal opinion...

I have never said that and it is also not relevant.

>>> Additionally, the license is clearly GPL-incompatible, which may
>>> be an issue for other packages that link with this library.
>>>
>>> Is it possible to persuade the upstream copyright holder to
>>> drop clauses III.3 and III.4?
>>> Or, even better, to re-license the library under well-vetted and
>>> clearly DFSG-free terms, such as the
>>> [Expat/MIT license](http://www.jclark.com/xml/copying.txt)
>>> or the
>>> [zlib license](http://www.zlib.net/zlib_license.html)
>>> ?
>>
>> No. We do not need to persuade the upstream copyright holder to change
>> the license as long as the package was accepted by the ftp-team. If you
>> think a package is 

Bug#893098: axis FTBFS with openjdk-9

2018-03-20 Thread Markus Koschany


Am 20.03.2018 um 23:13 schrieb Emmanuel Bourg:
> I got a quick look, the source encoding is easily fixed and the
> org.apache.axis.enum was long deprecated and can be removed. But there
> is more than that. Axis implements interfaces from javax.xml.soap that
> were upgraded in Java 9, so Axis now fails to build due to missing
> method implementations. I wonder if it's really worth upgrading Axis, or
> if we should try to remove it.

I've pushed some changes a few minutes ago. If my IDE was working with
OpenJDK 9 it would be relatively painless to generate the missing
methods but it doesn't yet. There are quite a few reverse-dependencies
though.



Bug#893236: activemq FTBFS with openjdk-9

2018-03-19 Thread Markus Koschany
clone 893236 -1
reassign -1 src:openjdk-9
retitle -1 openjdk9: NullPointerException when building MethodSubHeader
forwarded -1 https://bugs.openjdk.java.net/browse/JDK-8199307
thanks

The NullPointerException looks like an OpenJDK bug to me. This was
already reported upstream. The doclint feature is already set to "none"
in activemq, so I would expect that any javadoc warning is not treated
as an error. Currently the only way to work around this for activemq is
to disable the documentation completely.

Markus



Bug#893454: libjloda-java: FTBFS with java 9

2018-03-19 Thread Markus Koschany


Am 19.03.2018 um 09:30 schrieb Andreas Tille:
> package com.sun.istack.internal is not visible

With OpenJDK 9 com.sun.* API is no longer accessible unless you
explicitly tell the compiler to export the module which provides said
functionality.

I presume passing

--add-exports java.xml.bind/com.sun.istack.internal=ALL-UNNAMED

should work in this case but I haven't tested it yet.

You can take a look at my patch for jboss-threads how you can achieve
this with a Maven project.

https://sources.debian.org/src/jboss-threads/2.3.1-2/debian/patches/java9.patch/

Regards,

Markus



Bug#893298: libsbml FTBFS with openjdk-9

2018-03-18 Thread Markus Koschany
Hello Andreas,

Am 18.03.2018 um 09:30 schrieb Andreas Tille:
> Control: tags -1 help
> 
> On Sat, Mar 17, 2018 at 10:07:50PM +0200, Adrian Bunk wrote:
>> ...
>> CMake Error at docs/CMakeLists.txt:212 (message):
>>   Cannot generate java documentation, please specify the Java_JAVADOC_JAR.
> 
> I need to admit I have no idea how to fix this.  Any help from the
> debian-java team?
> 
> Kind regards
> 
>   Andreas.


This issue is caused by the removal of tools.jar in OpenJDK 9. In
debian/rules you can remove this line:

CMAKE_OPTS += -DJava_JAVADOC_JAR=$(JDK_PATH)/lib/tools.jar
-DJAVA_INCLUDE_PATH=$(JAVA_INCLUDE_PATH)

and then you should patch docs/CMakeLists.txt and remove this line:

if (NOT EXISTS "${Java_JAVADOC_JAR}")
  message(FATAL_ERROR "Cannot generate java documentation, please
specify the Java_JAVADOC_JAR.")
endif()

This will work around the FTBFS because tools.jar is "only" needed on
the classpath when building the documentation. The build succeeds
afterwards but there might be some documentation for classes missing
which were provided by tools.jar. I would report this as an upstream bug.

Regards,

Markus



Bug#893248: libjchart2d-java FTBFS with openjdk-9

2018-03-17 Thread Markus Koschany
On Sat, 17 Mar 2018 16:23:26 +0200 Adrian Bunk  wrote:
> Source: libjchart2d-java
> Version: 3.2.2+dfsg2-1
> Severity: serious
> 
> https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/libjchart2d-java.html
> 
> ...
> BUILD FAILED
> /build/1st/libjchart2d-java-3.2.2+dfsg2/jchart2d/build.xml:140: Can't read 
> [/usr/lib/jvm/java-9-openjdk-amd64/lib/rt.jar] (No such file or directory: 
> /usr/lib/jvm/java-9-openjdk-amd64/lib/rt.jar)
> 
> Total time: 3 minutes 43 seconds
> dh_auto_build: cd jchart2d && ant -Duser.name debian returned exit code 1
> make[1]: *** [debian/rules:12: override_dh_auto_build] Error 2

I removed the line to include rt.jar in build.xml but proguard isn't
happy at all and I get a NullPointerException. I also tried to include
the new jmods directory which should contain the relevant code with


   


but the result is the same. Theoretically proguard should be able to
parse jmod files with version 6.0. No idea why it fails at the moment.


BUILD FAILED
/build/libjchart2d-java-3.2.2+dfsg2/jchart2d/build.xml:140: java.lang.NullPointerException
at proguard.util.ListParser.parse(ListParser.java:71)
at proguard.util.ListParser.parse(ListParser.java:55)
at proguard.ClassSpecificationVisitorFactory.createClassVisitor(ClassSpecificationVisitorFactory.java:549)
at proguard.ClassSpecificationVisitorFactory.addMemberVisitors(ClassSpecificationVisitorFactory.java:395)
at proguard.ClassSpecificationVisitorFactory.createClassVisitor(ClassSpecificationVisitorFactory.java:367)
at proguard.ClassSpecificationVisitorFactory.createCombinedClassVisitor(ClassSpecificationVisitorFactory.java:321)



Bug#887785: javacc-maven-plugin, javacc, and the jtb update

2018-03-04 Thread Markus Koschany
Dear maintainer,

I've uploaded an NMU versioned as 1.4.12-1.1 to address this issue.
Please find attached the debdiff.

Regards,

Markus
diff -Nru jtb-1.4.12/debian/changelog jtb-1.4.12/debian/changelog
--- jtb-1.4.12/debian/changelog 2018-01-08 04:18:07.0 +0100
+++ jtb-1.4.12/debian/changelog 2018-03-04 16:22:40.0 +0100
@@ -1,3 +1,13 @@
+jtb (1.4.12-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+
+  [ Tiago Stürmer Daitx ]
+  * Relocate edu.ucla.cs.compilers:jtb:debian:
+- fix a few packages FTBFS due to groupId change. (Closes: #887785).
+
+ -- Markus Koschany <a...@debian.org>  Sun, 04 Mar 2018 16:22:40 +0100
+
 jtb (1.4.12-1) unstable; urgency=medium
 
   [ Markus Koschany ]
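Review bot: "fix a few packages FTBFS" leaves the reader to guess which packages, while the thread above names them (surefire, javacc-maven-plugin, hawtbuf, avro-java, activemq-protobuf); list them in the entry, and state the mechanism, that requests for the old groupId edu.ucla.cs.compilers are now answered through a relocation so the consumers themselves need no change, because that is what the next person reading this changelog after one of those packages breaks again needs to know.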
diff -Nru jtb-1.4.12/debian/jtb.poms jtb-1.4.12/debian/jtb.poms
--- jtb-1.4.12/debian/jtb.poms  2018-01-07 19:46:40.0 +0100
+++ jtb-1.4.12/debian/jtb.poms  2018-03-04 16:22:40.0 +0100
@@ -1 +1 @@
-debian/pom.xml
+debian/pom.xml --relocate=edu.ucla.cs.compilers:jtb:debian
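Review bot: the relocation option on this line is the entire fix, but nothing records why it exists, so the next refresh of debian/pom.xml against a newer upstream release can drop it unnoticed; note #887785 and the old groupId edu.ucla.cs.compilers in debian/README.source, and rebuild the reverse-dependencies named earlier in this thread (surefire, javacc-maven-plugin, hawtbuf, avro-java, activemq-protobuf) against the resulting package before upload, since that rebuild is the only check that the relocated coordinates resolve the way those builds expect.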


Bug#887785: javacc-maven-plugin, javacc, and the jtb update

2018-03-04 Thread Markus Koschany
reassign -1 src:jtb

On Fri, 2 Mar 2018 12:54:36 +0100 Markus Koschany <a...@debian.org> wrote:
> Hi,
> 
> Am 02.03.2018 um 06:33 schrieb Tiago Daitx:
> > Hi,
> > 
> > A simple relocation in jtb fixed the FTBFS - tested for surefire,
> > javacc-maven-plugin, hawtbuf, avro-java, and activemq-protobuf.
> 
> Thank you very much for the investigation. I can NMU the package if
> Ludovico is currently too busy.

As discussed on debian-java this issue was caused by the update of jtb
to version 1.4.12 and the switch to use upstream's pom.xml. Since the
groupId has changed, reverse-dependencies FTBFS. An artifact relocation
will fix this. I am going to NMU jtb today.

Regards,

Markus



Bug#891928: CVE-2018-1048: ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser

2018-03-03 Thread Markus Koschany
Link to patch:

https://github.com/undertow-io/undertow/commit/1bc0c275aadf5835abfbd3835d5d78095c2f1cf5



Bug#891957: netbeans no starting "loading module" modules.netbinox NullPointerException

2018-03-03 Thread Markus Koschany
Control: severity -1 grave
Control: block -1 by 882525

Am 03.03.2018 um 05:30 schrieb Gustavo Castro:
> Package: netbeans
> Version: 8.1+dfsg3-4
> Severity: critical
> Justification: breaks unrelated software
> Tags: a11y

It does not really break unrelated software but thanks for reporting.

I suspect this is because of the recent update of libequinox-osgi-java.
I am aware that we need to update one OSGi related patch but I can't fix
this issue because of #882525 in jaxb.

Regards,

Markus



Bug#880886: maven-bundle-plugin FTBFS with libmaven-dependency-tree-java

2018-03-03 Thread Markus Koschany


Am 03.03.2018 um 11:32 schrieb 殷啟聰 | Kai-Chung Yan:
> I propose to bring back Maven Dependency Tree 2.x as a new package that 
> coexists with its latest version.
> 
> Even in the latest (3.5.0) version, Maven Bundle Plugin still uses those 
> deprecated APIs in Maven Dependency Tree 2.x. These deprecated APIs have been 
> removed from Maven Dependency Tree 3.x. A fix to adapt to the new APIs would 
> be non-trivial (and potentially wasting energy of the maintainers), as I have 
> tried...
> 
> I have reported this issue upstream [1].
> 
> P.S.: Rebuilding Maven Bundle Plugin is needed for the "bnd" upgrade, that's 
> way I stumbled upon this...
> 
> [1]: https://issues.apache.org/jira/browse/FELIX-5795


If it helps with upgrading bnd to a more recent version I'm in favor of it.



Bug#891929: CVE-2018-1047: information disclosure of arbitrary local files

2018-03-02 Thread Markus Koschany
Control: severity -1 important

I am no longer sure undertow is affected. The issue is marked resolved
upstream and one of the fixing commits

https://github.com/wildfly/wildfly/pull/10748/files

indicates the bug was in WildFly's undertow extension but not in
Undertow itself. I keep this bug report open for a little while longer
until UNDERTOW-1295 is resolved and we get more information about the
vulnerabilities.



Bug#891929: CVE-2018-1047: information disclosure of arbitrary local files

2018-03-02 Thread Markus Koschany
Source: undertow
Version: 1.4.8-1+deb9u1
Severity: grave
Tags: security
Forwarded: https://issues.jboss.org/browse/WFLY-9620

A flaw was found in Wildfly 9.x. A path traversal vulnerability
through the
org.wildfly.extension.undertow.deployment.ServletResourceManager.getResource
method could lead to information disclosure of arbitrary local files.

Upstream bug:

https://issues.jboss.org/browse/WFLY-9620



Bug#891928: CVE-2018-1048: ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser

2018-03-02 Thread Markus Koschany
Source: undertow
Version: 1.4.8-1+deb9u1
Severity: grave
Tags: security
Forwarded: https://issues.jboss.org/browse/UNDERTOW-1245

It was found that the AJP connector in undertow, as shipped in Jboss
EAP 7.1.0.GA, does not use the ALLOW_ENCODED_SLASH option and thus
allows the slash / anti-slash characters encoded in the URL which
may lead to path traversal and result in the information disclosure of
arbitrary local files.

Upstream bug:

https://issues.jboss.org/browse/UNDERTOW-1245

This was apparently fixed in 1.4.22.

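The check that CVE-2018-1048 is about, as an added example that is not Undertow's AjpRequestParser or any other code from the bug report: a request parser that percent-decodes the path has to refuse %2F and %5C unless the deployment explicitly allows encoded slashes, otherwise a path such as /static/..%2F..%2Fetc/passwd turns into a traversal sequence only after the server believed it had already normalised it. The `allowEncodedSlash` parameter stands in for the ALLOW_ENCODED_SLASH option named in the report; the class name, the `BadRequest` exception and the sample requests in `main` are assumptions made for this illustration.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;

/**
 * Illustrative request-path decoder (not Undertow's code). It decodes
 * percent escapes and rejects an encoded path separator unless the caller
 * has opted in, which is the behaviour the ALLOW_ENCODED_SLASH option is
 * supposed to control on the AJP connector.
 */
public final class EncodedSlashCheck {

    /** Thrown for any request whose path cannot be accepted as sent. */
    public static final class BadRequest extends RuntimeException {
        BadRequest(String message) { super(message); }
    }

    /**
     * Decode a percent-encoded request path.
     *
     * @param raw               the path exactly as it arrived on the wire
     * @param allowEncodedSlash stands in for the ALLOW_ENCODED_SLASH option;
     *                          the safe default is false
     */
    public static String decodePath(String raw, boolean allowEncodedSlash) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        int i = 0;
        while (i < raw.length()) {
            char c = raw.charAt(i);
            if (c != '%') {
                // A request line is ASCII; anything else must have been escaped.
                if (c > 0x7F) {
                    throw new BadRequest("non-ASCII byte in request path");
                }
                out.write(c);
                i++;
                continue;
            }
            if (i + 2 >= raw.length()) {
                throw new BadRequest("truncated percent escape");
            }
            int hi = Character.digit(raw.charAt(i + 1), 16);
            int lo = Character.digit(raw.charAt(i + 2), 16);
            if (hi < 0 || lo < 0) {
                throw new BadRequest("malformed percent escape");
            }
            int b = (hi << 4) | lo;
            // The point of the check: an encoded separator must not silently
            // become a real one once the bytes are decoded.
            if ((b == '/' || b == '\\') && !allowEncodedSlash) {
                throw new BadRequest("encoded slash in request path");
            }
            out.write(b);
            i += 3;
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample requests, not captured traffic.
        String benign = "/static/css/site%20v2.css";
        String attack = "/static/..%2F..%2Fetc/passwd";

        System.out.println("decoded:  " + decodePath(benign, false));
        try {
            decodePath(attack, false);
        } catch (BadRequest e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // With encoded slashes allowed the decoded path contains "../", so the
        // caller has to normalise it before resolving it against the docroot.
        System.out.println("decoded:  " + decodePath(attack, true));
    }
}
```

The decision is made on the decoded byte, not on the raw text, which is what keeps mixed-case escapes (%2f, %5C) from slipping past a string comparison; when the option is switched on, whatever path normalisation the server does must run after this decoding step, not before it.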


Bug#887785: javacc-maven-plugin, javacc, and the jtb update

2018-03-02 Thread Markus Koschany
Hi,

Am 02.03.2018 um 06:33 schrieb Tiago Daitx:
> Hi,
> 
> A simple relocation in jtb fixed the FTBFS - tested for surefire,
> javacc-maven-plugin, hawtbuf, avro-java, and activemq-protobuf.

Thank you very much for the investigation. I can NMU the package if
Ludovico is currently too busy.

Regards,

Markus



Bug#856086: Bug#885037: monster-masher: Please don't (Build-)Depend on gconfmm2.6

2018-02-28 Thread Markus Koschany


Am 28.02.2018 um 04:52 schrieb Jeremy Bicha:
> monster-masher is one of the last two packages in Debian unstable
> depending on esound. (And even if that were fixed, monster-masher
> depends on several other GNOME2 libraries that are being removed.)
> 
> monster-masher has been unmaintained usptream for 9 years.
> 
> https://git.gnome.org/browse/monster-masher/log/
> 
> Maybe it's time for monster-masher to be removed from Debian?

monster-masher is a complete game, so there was probably no interest to
continue working on it. We are aware of the removal of obsolete
libraries and intend to request their removal from Debian sometime
between now and the next Debian freeze. Personally I wanted to give
people more time to fix those bugs because they tend to notice such bugs
rather late and porting software to new libraries is a non-trivial task.
We could fix one game so far thanks to Juhanni (pegsolitaire).

I don't have any objections if you want to remove them right now but I
think you can achieve the removal of esound/Gnome2 libs anyway and you
don't have to wait for us. Just point the ftp team to this bug report.
This is true for all affected games maintained by the games team. They
will be broken in unstable but I think this might even raise more
awareness. Testing users won't be affected.

Regards,

Markus



Bug#885735: gamazons: Raising severity for libgnome dependencies

2018-02-15 Thread Markus Koschany
FTR: I don't intend to port this game to Gnome 3 and there is no
upstream activity at the moment. If nobody steps up to fix this issue I
will request the removal of gamazons before Buster freezes.

Markus



Bug#888316: jackson-databind: CVE-2018-5968

2018-02-11 Thread Markus Koschany


Am 11.02.2018 um 08:42 schrieb Sébastien Delafond:
[...]
> Hi Markus,
> 
> thanks a lot for patches. I've reviewed them, and your approach is
> sound: please upload.
> 
> Cheers,
> 
> --Seb

Hi Seb,

thanks for the review. I've just uploaded both packages.

Cheers,

Markus



Bug#890001: libspring-java: CVE-2018-1199 Security bypass with static resources

2018-02-09 Thread Markus Koschany
Package: libspring-java
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

the following vulnerability was published for libspring-java.

I intend to fix this in sid/buster by uploading 4.3.14.

CVE-2018-1199[0]:
Security bypass with static resources

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1199
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1199

Please adjust the affected versions in the BTS as needed.



Bug#880888: maven-enforcer FTBFS with libmaven-dependency-tree-java 3.0.1-1

2018-02-05 Thread Markus Koschany
So apparently in libmaven-dependency-tree-java 3.0.1-1 the devs decided
to rename the word tree to graph... There were some other issues though
to rename the word tree to graph...There were some other issues though
and I was not sure how to proceed. I had a look at the Fedora package
and they patched maven-enforcer to work with Maven 3 but they also added
a dependency on maven-transfer-artifact. Maybe it might help to resolve
this bug.

https://src.fedoraproject.org/cgit/rpms/maven-enforcer.git/tree/0001-Port-to-Maven-3-API.patch



Bug#681726: Time to remove eclipse from Testing?

2018-02-04 Thread Markus Koschany
On Wed, 15 Nov 2017 18:01:07 +0200 Adrian Bunk  wrote:
[...]
> I tried to sort out what I could find as required for getting the
> ancient eclipse out of testing in [1]:
> 
> 1. src:bnd
> You fixed that already.
> 
> 2. batik -> maven -> guice -> libspring-java -> aspectj -> eclipse-platform
> Is there some good way to break this dependency chain?
> 
> 3. split libequinox-osgi-java out of src:eclise
> Or as a short-term hack, build only libequinox-osgi-java from src:eclipse.

I have spent some time this weekend on Eclipse again. I have created a
standalone src:libequinox-osgi-java package and successfully rebuilt all
reverse-dependencies. We only have to make a small adjustment in
src:netbeans and src:libnb-platform18-java and update the osgi patch.

If there are no objections I could go ahead and upload
libequinox-osgi-java to NEW.

eclipse-rcp:

* svnkit:

There are two Eclipse specific classes that fail to build. As a
workaround we could remove one of them and patch SVNWCUtil.

* android-sdktools and android-platform-tools-swt

According to [1] both packages should be removed anyway.

After that there would be only three packages left (not counting the
eclipse plugins) that build-depend on either eclipse-platform (aspectj)
or eclipse-jdt (lombok, biogenesis)

Next I'm going to try if a separate eclipse-jdt package from [2] could
be a drop-in-replacement for our current package. The latest stable
release appears to be S4_8_0_M5.

Regards,

Markus

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879175#10
[2] https://github.com/eclipse/eclipse.jdt.core



Bug#871142: eclipse: FTBFS: /<>/build.xml:413: Could not find suitable system JAR for org.apache.commons.httpclient_3.1.0.v201012070820.jar. Tried: /usr/share/java/commons-httpclient.jar

2018-02-01 Thread Markus Koschany


Am 01.02.2018 um 23:29 schrieb Emmanuel Bourg:
> Le 01/02/2018 à 23:02, Markus Koschany a écrit :
> 
>> This issue was caused by commons-httpclient due to the switch from Ant
>> to Maven in version 3.1-13. The OSGi metadata is currently missing in
>> the Manifest file. The data that is added by the 05_osgi_metadata patch
>> is overridden by Maven later. I fixed this bug by using javahelper's
>> jh_manifest tool. Eclipse builds fine from source again.
> 
> Good catch! Thank you for fixing this.
> 
> Emmanuel

No problem. But now starts the real challenge... Let's see if it is
possible to split the package in smaller parts so that we can

a) remove swt-gtk from Debian
b) keep all reverse-dependencies that depend on eclipse-rcp,
eclipse-platform and eclipse-jdt in Debian

Hahaha, and after that squaring the circle should be a piece of cake.



Bug#871142: eclipse: FTBFS: /<>/build.xml:413: Could not find suitable system JAR for org.apache.commons.httpclient_3.1.0.v201012070820.jar. Tried: /usr/share/java/commons-httpclient.jar

2018-02-01 Thread Markus Koschany
Control: reassign -1 commons-httpclient
Control: retitle -1 Missing OSGi metadata breaks Eclipse
Control: tags -1 pending
Control: affects -1 src:eclipse

On Sun, 6 Aug 2017 17:55:36 -0400 Lucas Nussbaum  wrote:
> Source: eclipse
> Version: 3.8.1-10
> Severity: serious
> Tags: buster sid
> User: debian...@lists.debian.org
> Usertags: qa-ftbfs-20170805 qa-ftbfs
> Justification: FTBFS on amd64
> 
> Hi,
> 
> During a rebuild of all packages in sid, your package failed to build on
> amd64.

[...]

This issue was caused by commons-httpclient due to the switch from Ant
to Maven in version 3.1-13. The OSGi metadata is currently missing in
the Manifest file. The data that is added by the 05_osgi_metadata patch
is overridden by Maven later. I fixed this bug by using javahelper's
jh_manifest tool. Eclipse builds fine from source again.

Markus



Bug#888316: jackson-databind: CVE-2018-5968

2018-01-27 Thread Markus Koschany
Hi folks,

Am 25.01.2018 um 15:23 schrieb Salvatore Bonaccorso:
> Hi Markus,
> 
> On Thu, Jan 25, 2018 at 02:40:10PM +0100, Markus Koschany wrote:
>> Hi,
>>
>> On Wed, 24 Jan 2018 23:02:44 +0100 Salvatore Bonaccorso
>> <car...@debian.org> wrote:
>>> Source: jackson-databind
>>> Version: 2.9.1-1
>>> Severity: grave
>>> Tags: patch security upstream
>>> Forwarded: https://github.com/FasterXML/jackson-databind/issues/1899
>>> Control: found -1 2.8.6-1+deb9u2
>>> Control: found -1 2.4.2-2+deb8u2
>>>
>>> Hi,
>>>
>>> the following vulnerability was published for jackson-databind.
>>
>> [...]
>>
>> Thanks for reporting. I had a look at jackson-databind in Stretch. We
>> just need to apply the patch to BeanDeserializerFactory.java again. As
>> for Sid upgrading to the latest upstream release 2.9.4 should also
>> resolve this. I'm working on it now.
> 
> Perfect, thank you! We (Moritz) have added it to the dsa-needed list
> for jessie and stretch, so once you have the update can you contact
> the security team alias, one of us will then ack the upload.

I have prepared security updates of jackson-databind for Stretch and
Jessie and would appreciate another look at the patches.

The fix for CVE-2018-5968 is straightforward. The blacklist is simply
extended.

However upstream decided to refactor the code for CVE-2017-17485 and I
decided to apply the changes to BeanDeserializerFactory.java again
instead of using the new helper class SubTypeValidator. Here is my
thought process how to create the patch based on the solution in
upstream bug 1855 [1]

1. Extend the blacklist. [2]
2. Instead of creating a new method validateSubType, I copied the fix
into checkIllegalTypes in BeanDeserializerFactory again.[3] The behavior
remains the same. This code catches some specific cases for the spring
framework.
3. I also applied the regression fix in [4] (also mentioned in bug 1855)
4. I believe that [5] only applies to the refactored code and since we
don't use that it is irrelevant for us.

Regards,

Markus

[1] https://github.com/FasterXML/jackson-databind/issues/1855
[2]
https://github.com/FasterXML/jackson-databind/commit/f031f27a31625d07922bdd090664c69544200a5d
[3]
https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf
[4]
https://github.com/FasterXML/jackson-databind/commit/bb45fb16709018842f858f1a6e1118676aaa34bd
[5]
https://github.com/FasterXML/jackson-databind/commit/978798382ceb72229e5036aa1442943933d6d171
diff -Nru jackson-databind-2.4.2/debian/changelog 
jackson-databind-2.4.2/debian/changelog
--- jackson-databind-2.4.2/debian/changelog 2017-11-16 09:13:27.0 
+0100
+++ jackson-databind-2.4.2/debian/changelog 2018-01-27 19:37:47.0 
+0100
@@ -1,3 +1,13 @@
+jackson-databind (2.4.2-2+deb8u3) jessie-security; urgency=high
+
+  * Team upload.
+  * Fix CVE-2017-17485 and CVE-2018-5968:
+    Bybass of deserialization blackist to disallow unauthenticated remote code
+execution. These CVE exist due to an incomplete fix for CVE-2017-7525.
+(Closes: #888316, #888318)
+
+ -- Markus Koschany <a...@debian.org>  Sat, 27 Jan 2018 19:37:47 +0100
+
 jackson-databind (2.4.2-2+deb8u2) jessie-security; urgency=high
 
   * Team upload
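Review bot: "Bybass" and "blackist" in the changelog entry should read "Bypass" and "blacklist", and "These CVE exist" should be "These CVEs exist"; beyond the typos, the entry should say that the fix re-applies the checks in BeanDeserializerFactory instead of importing upstream's SubTypeValidator refactoring, as the mail above explains, so that whoever backports the next jackson-databind CVE to jessie knows the file layout here differs from upstream.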
diff -Nru jackson-databind-2.4.2/debian/patches/CVE-2017-17485.patch 
jackson-databind-2.4.2/debian/patches/CVE-2017-17485.patch
--- jackson-databind-2.4.2/debian/patches/CVE-2017-17485.patch  1970-01-01 
01:00:00.0 +0100
+++ jackson-databind-2.4.2/debian/patches/CVE-2017-17485.patch  2018-01-27 
19:37:47.0 +0100
@@ -0,0 +1,75 @@
+From: Markus Koschany <a...@debian.org>
+Date: Sat, 27 Jan 2018 20:16:02 +0100
+Subject: CVE-2017-17485
+
+Bug-Debian: https://bugs.debian.org/888318
+Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/1855
+Origin: 
https://github.com/FasterXML/jackson-databind/commit/f031f27a31625d07922bdd090664c69544200a5d
+Origin: 
https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf
+Origin: 
https://github.com/FasterXML/jackson-databind/commit/bb45fb16709018842f858f1a6e1118676aaa34bd
+---
+ .../databind/deser/BeanDeserializerFactory.java| 37 +++---
+ 1 file changed, 32 insertions(+), 5 deletions(-)
+
+diff --git 
a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
 
b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index c536b46..9b56b08 100644
+--- 
a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
 
b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -38,6 +38,8 @@ public class BeanDeserializerFactory
+ {
+ private static final long serialVersionUID = 1;
+ 
++protected f
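Review bot: the patch description carries only the CVE id in `Subject:` plus three `Origin:` commits, while the diffstat shows 32 insertions in `BeanDeserializerFactory.java` cherry-picked from those three upstream commits; a sentence stating which blacklisted class names each commit contributes would make the backport reviewable without re-reading upstream. The hunk body is also cut off in this copy of the message after `++protected f`, so the blacklist additions themselves cannot be checked here.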

Bug#888316: jackson-databind: CVE-2018-5968

2018-01-25 Thread Markus Koschany
Hi,

On Wed, 24 Jan 2018 23:02:44 +0100 Salvatore Bonaccorso
 wrote:
> Source: jackson-databind
> Version: 2.9.1-1
> Severity: grave
> Tags: patch security upstream
> Forwarded: https://github.com/FasterXML/jackson-databind/issues/1899
> Control: found -1 2.8.6-1+deb9u2
> Control: found -1 2.4.2-2+deb8u2
> 
> Hi,
> 
> the following vulnerability was published for jackson-databind.

[...]

Thanks for reporting. I had a look at jackson-databind in Stretch. We
just need to apply the patch to BeanDeserializerFactory.java again. As
for Sid upgrading to the latest upstream release 2.9.4 should also
resolve this. I'm working on it now.

Regards,

Markus






signature.asc
Description: OpenPGP digital signature


Bug#885749: I plan to ask for removal of gnomekiss from the archive

2018-01-11 Thread Markus Koschany
Am 10.01.2018 um 22:30 schrieb Juhani Numminen:
> Hi,
> 
> Markus Koschany kirjoitti 10.01.2018 klo 18:46:
> 
>> there are even more candidates. I don't intend to port them to Gnome 3
>> and will eventually request their removal from Debian. There is still
>> time until the next freeze if someone wants to maintain them though.
>>
>> Packages at risk from being removed:
>> ...
>> pegsolitaire
> 
> I intend to maintain pegsolitaire.

That's much appreciated. Thank you very much!





Bug#886394: java.lang.ClassNotFoundException: javafx.scene.layout.HBox

2018-01-05 Thread Markus Koschany
Control: severity -1 important


Am 05.01.2018 um 11:55 schrieb Ludovic CHEVALIER:
> Package: pdfsam
> Version: 3.3.5-1
> Severity: grave
> Justification: renders package unusable
> 
> Dear Maintainer,
> 
> I can't launch pdfsam. Here is the traceback:
> 
> Exception in thread "main" java.lang.NoClassDefFoundError: 
> javafx/scene/layout/HBox
>   at java.base/java.lang.ClassLoader.defineClass1(Native Method)
>   at java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:1007)
>   at 
> java.base/java.security.SecureClassLoader.defineClass(SecureClassLoader.java:174)
>   at 
> java.base/jdk.internal.loader.BuiltinClassLoader.defineClass(BuiltinClassLoader.java:801)
>   at 
> java.base/jdk.internal.loader.BuiltinClassLoader.findClassOnClassPathOrNull(BuiltinClassLoader.java:699)
>   at 
> java.base/jdk.internal.loader.BuiltinClassLoader.loadClassOrNull(BuiltinClassLoader.java:622)
>   at 
> java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:580)
>   at 
> java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:185)
>   at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:496)
>   at org.pdfsam.community.App.main(App.java:34)
> Caused by: java.lang.ClassNotFoundException: javafx.scene.layout.HBox
>   at 
> java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:582)
>   at 
> java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:185)
>   at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:496)
>   ... 10 more

Hello,

thanks for reporting. PDFsam works for me with OpenJDK 8 but I can
reproduce this issue with OpenJDK 9. The class javafx.scene.layout.HBox
should be present in libopenjfx-java but I presume we need to adjust the
openjfx package for Java 9 to make it work.

Regards,

Markus







Bug#885401: openmw uninstallable

2017-12-30 Thread Markus Koschany
Hi,

I suggest continuing the conversation in private. You can contact me
for future uploads directly. Should I be unresponsive, please ask for
sponsorship on the debian-games mailing list and someone will hopefully
help you. Have you considered becoming a Debian maintainer?

Am 28.12.2017 um 19:30 schrieb bret curtis:
> Hello Markus, that would be awfully friendly of you. :)
> 
> Order of operations:
> 1) MyGUI needs to be bumped:
> https://qa.debian.org/cgi-bin/vcswatch?package=mygui  I've cleaned up
> the package a bit in the process to handle GCC7, debug symbols and
> other bits.

Uploaded. Thank you. Packaging could be slightly improved, e.g. compat
level 11 is now recommended but so far so good.

> 2) OpenAL-Soft https://qa.debian.org/cgi-bin/vcswatch?package=openal-soft
> needs love as well, but this isn't required for OpenMW release.

Great. I'll review that next year. ;)

> 3) OpenMW, once the libraries above are available we can upload/build
> OpenMW packages: https://qa.debian.org/cgi-bin/vcswatch?package=openmw

OpenMW fails to build for me. I've pushed some small changes to Git.
Could you take a look please?

> 
> bonus points:
> 4) WildMIDI should be updated as well:
> https://qa.debian.org/cgi-bin/vcswatch?package=wildmidi  <-- this has
> nothing to with OpenMW but is a new upstream release that I maintain.
> :)

Sure. I suggest updating the same things here: compat level,
Standards-Version, etc. I guess I can review that in a few days as well.

Cheers,

Markus





Bug#885401: openmw uninstallable

2017-12-28 Thread Markus Koschany
On Thu, 28 Dec 2017 12:47:01 +0100 bret curtis  wrote:
> Hello Bret,
> 
> There are two things going on here. One is that libopenscenegraph
> needs to be rebuilt since that specific (version) gdal package (so
> many dependencies down) is no longer available. Look at the apt
> output, OSG depends on gdal-abi.
> 
> The second problem is that openmw on Debian is two releases behind. I
> have them all ready for upload, they just need someone who has the upload
> permissions to upload the package. I, as package (unsigned) maintainer
> do not have that ability. In addition to uploading, the MyGUI
> library needs to be rebuilt with GCC7 before OpenMW can be uploaded.
> Again, this is out of my hands and we're waiting patiently for someone
> who has the ability to upload, to upload. Everything is more or less
> ready to go.

Hello Bret,

I can review and sponsor your packages. You just have to tell me in
which order I shall upload them and where I can find them.

Regards,

Markus





Bug#885037: monster-masher: Please don't (Build-)Depend on gconfmm2.6

2017-12-23 Thread Markus Koschany
Am 23.12.2017 um 04:32 schrieb Jeremy Bicha:
> Source: monster-masher
> Version: 1.8.1-7
> Severity: serious
> User: pkg-gnome-maintain...@lists.alioth.debian.org
> Usertags: oldlibs gconf gconfmm
> Tags: sid buster
> X-Debbugs-CC: vch...@debian.org
> 
> monster-masher Build-Depends and Depends on gconfmm2.6. gconfmm2.6
> will be removed from Debian soon.
> 
> gconf's last release was about 5 years ago. It has been replaced by
> dconf / gsettings.
> 
> On behalf of the Debian GNOME team,
> Jeremy Bicha

Is there a porting guide somewhere?

P.S.: A heads-up with a lower severity would have been nice. Sometimes
it gives people more time to find a solution...

Cheerio

Markus





Bug#884241: bouncycastle: CVE-2017-13098

2017-12-17 Thread Markus Koschany
Control: owner -1 !

I'm working on a fix right now.

Markus





Bug#877941: igv: FTBFS: SVGTest.java:111: error: cannot access Localizable

2017-12-16 Thread Markus Koschany
Am 05.12.2017 um 19:13 schrieb Andreas Tille:
> On Tue, Dec 05, 2017 at 07:05:23PM +0100, Emmanuel Bourg wrote:
>> Le 05/12/2017 à 18:48, Andreas Tille a écrit :
>>
>>> So either I'm doing this CLASSPATH definition wrong or it does not help.
>>
>> I think you have to use "export CLASSPATH" in debian/rules
> 
> No change. :-(

Hi,

the missing class is in /usr/share/java/batik.jar. So you just need to
include it like that in your build.xml file, respectively update
01-build.xml patch. Just tested it, works for me.



Regards,

Markus





Bug#883387: libjaxb-java 2.3.0-3 causes FTBFS in eclipselink

2017-12-15 Thread Markus Koschany
Control: reassign -1 src:eclipselink

I am going to fix this bug in eclipselink. It is still not clear to me
why absolute classpaths don't work for eclipselink but there is a
solution, so no need to keep the package in this FTBFS state.

Markus





Bug#831094: attal: FTBFS with GCC 6: cmath:568:33: error: 'FP_NAN' was not declared in this scope

2017-12-04 Thread Markus Koschany
Am 01.12.2017 um 13:49 schrieb Juhani Numminen:
> Control: tags -1 patch
> 
> Hello!
> 
> I made attal build again by removing "#undef __USE_ISOC99", so I'm
> adding the patch tag.
> 
> However, as I don't know why those undefs were added in the first place,
> this change might be breaking something. All I know is the build was
> completed and I could install the package and start the executable.
> 
> Cheers,
> Juhani

Hello,

thanks for your patch! Unfortunately there is another big issue with
this package and that is the upcoming removal of QT4 from Debian. [1]
I believe there is not much point in fixing/working around this bug and
then, a few months later, the package will be in the same state again.
So unless someone is able to port this game to QT5, we should keep attal
out of testing IMHO.

Regards,

Markus


[1] https://bugs.debian.org/874827





Bug#882181: mockito: FTBFS - java.lang.UnsupportedOperationException: Cannot nest operations in the same thread

2017-12-03 Thread Markus Koschany
Control: reassign -1 src:gradle
Control: found -1 3.2.1-5
Control: fixed -1 3.4.1-2

Hi,

I'm going to reassign this bug to gradle because the issue is really in
gradle 3.2.1. It is fixed in 3.4.1-2 in experimental. Mockito will build
from source again as soon as gradle 3.4.1 is uploaded to unstable and
another revision of Mockito is uploaded as well that addresses another
issue with testng. The changes were already pushed to the Git repository.

Currently the failing bnd package is the only blocking bug for uploading
gradle 3.4.1 to unstable. It would be nice if we could fix this without
having to package the latest upstream release of bnd because this will
most likely create other issues for us and needlessly delay the fix for
this bug.

Regards,

Markus





Bug#883387: libjaxb-java 2.3.0-3 causes FTBFS in eclipselink

2017-12-03 Thread Markus Koschany
Am 03.12.2017 um 13:29 schrieb Adrian Bunk:
> Package: libjaxb-java
> Version: 2.3.0-3
> Severity: serious
> Control: affects -1 src:eclipselink

Hi,

Thanks for reporting. I had a look at this but I can't find the mistake
in libjaxb-java. The difference between 2.3.0-2 and 2.3.0-3 is that we
use absolute classpaths now and this works for Netbeans for example. [1]
I can't see that I made a typo somewhere. So my guess is something
curious is going on with eclipselink's build system. When I add the
necessary dependencies to debian/classpath-debian it works again but it
really should not make any difference in this case whether the classpath
for usr/share/java/jaxb-xjc.jar uses relative or absolute paths.

It would be nice if someone else had a look at this because I might have
overlooked something but it doesn't look like a bug in libjaxb-java.

Markus

[1]
https://anonscm.debian.org/cgit/pkg-java/jaxb.git/commit/?id=0c76b6c3fd1430f4fdc07d13af1a42a593a2319d





Bug#882525: netbeans FTBFS with jaxb 2.3.0

2017-11-28 Thread Markus Koschany
Control: reassign -1 src:jaxb
Control: found -1 2.3.0-1
Control: forwarded -1 https://github.com/javaee/jaxb-v2/issues/1144
Control: affects -1 src:netbeans

I'm going to reassign this bug to jaxb because there are currently two
issues with this package. The jar files on the classpath used relative
paths instead of absolute ones. This is problematic when jar files are
(temporarily) copied to different locations as it is the case with
Netbeans' build system. In general absolute classpaths are unambiguous
and should be preferred to avoid such issues. I have just released
version 2.3.0-3 which should address this.

Unfortunately there is another bug that prevents a successful
compilation of Netbeans now. Although all classes are generated the
build fails with the following error message (gathered with ant in debug
mode):

This appears to be upstream bug 1144.


xjc-init:

model-gen:
 [echo] java.version=1.8.0_151, ant.version=Apache Ant(TM) version
1.9.9 compiled on June 29 2017
Property "saas-service.xsd" has not been set
  [xjc]
/mnt/data/Debian-Git/netbeans/websvc.saas.api/src/org/netbeans/modules/websvc/saas/model/jaxb
is not found and thus excluded from the dependency check
  [xjc] build id of XJC is 2.3.0
  [xjc] Checking timestamp of
/mnt/data/Debian-Git/netbeans/websvc.saas.api/src/org/netbeans/modules/websvc/saas/model/SaasServices.xsd
  [xjc] the last modified time of the inputs is  1482680526000
  [xjc] the last modified time of the outputs is -9223372036854775808
  [xjc] Compiling
file:/mnt/data/Debian-Git/netbeans/websvc.saas.api/src/org/netbeans/modules/websvc/saas/model/SaasServices.xsd
  [xjc] Writing output to
/mnt/data/Debian-Git/netbeans/websvc.saas.api/src
  [xjc] Command invoked:
xjc/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
  [xjc] failure in the XJC task. Use the Ant -verbose switch for
more details
  [ant] Exiting /mnt/data/Debian-Git/netbeans/websvc.saas.api/build.xml.
  [nbmerge] Failed to build target: all-websvc.saas.api
  [antcall] Exiting /mnt/data/Debian-Git/netbeans/nbbuild/build.xml.
  [antcall] Exiting /mnt/data/Debian-Git/netbeans/nbbuild/build.xml.
  [antcall] Exiting /mnt/data/Debian-Git/netbeans/nbbuild/build.xml.

BUILD FAILED
/mnt/data/Debian-Git/netbeans/nbbuild/build.xml:433: The following error
occurred while executing this line:
/mnt/data/Debian-Git/netbeans/nbbuild/build.xml:428: The following error
occurred while executing this line:
/mnt/data/Debian-Git/netbeans/nbbuild/build.xml:463: The following error
occurred while executing this line:
/mnt/data/Debian-Git/netbeans/nbbuild/build.xml:446: The following error
occurred while executing this line:
/mnt/data/Debian-Git/netbeans/nbbuild/build.xml:428: The following error
occurred while executing this line:
/mnt/data/Debian-Git/netbeans/nbbuild/build.xml:475: The following error
occurred while executing this line:
/mnt/data/Debian-Git/netbeans/websvc.saas.api/build.xml:73: xjc failed
at com.sun.tools.xjc.XJCBase.execute(XJCBase.java:731)
at com.sun.tools.xjc.XJC2Task.execute(XJC2Task.java:55)
at com.sun.istack.tools.ProtectedTask.execute(ProtectedTask.java:103)
at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:293)
at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:106)
at org.apache.tools.ant.Task.perform(Task.java:348)
at org.apache.tools.ant.Target.execute(Target.java:435)
at org.apache.tools.ant.Target.performTasks(Target.java:456)
at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1405)
at
org.apache.tools.ant.helper.SingleCheckExecutor.executeTargets(SingleCheckExecutor.java:38)
at org.apache.tools.ant.Project.executeTargets(Project.java:1260)
at org.apache.tools.ant.taskdefs.Ant.execute(Ant.java:441)
at sun.reflect.GeneratedMethodAccessor112.invoke(Unknown Source)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:106)
at org.apache.tools.ant.Task.perform(Task.java:348)
at org.apache.tools.ant.Target.execute(Target.java:435)
at org.netbeans.nbbuild.NbMerge.fixedModulesBuild(Unknown Source)
at org.netbeans.nbbuild.NbMerge.execute(Unknown Source)
at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:293)
at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at

Bug#882181: mockito: FTBFS - java.lang.UnsupportedOperationException: Cannot nest operations in the same thread

2017-11-20 Thread Markus Koschany
Control: tags -1 confirmed

Am 20.11.2017 um 00:27 schrieb Gilles Filippini:
> Source: mockito
> Version: 1.10.19-2
> Severity: serious
> Justification: FTBFS
> 
> Hi,
> 
> While testing a build of mockito against a new json-simple release I've
> experienced a FTBFS which is reproducible when building into a clean sid
> chroot:
> 
> Task :test class loader hash: 83f3637f6805a7b149525a93c5faad58
> Task :test actions class loader hash: d883a18cf154fc57e90f4d3fa9e5588f
> Executing task ':test' (up-to-date check took 0.041 secs) due to:
>   No history is available.
> Cannot nest operations in the same thread. Each nested operation must run in 
> its own thread.

[...]

Hi,

thanks for reporting. This appears to be the same issue Olivier Sallou
has mentioned on debian-java a few weeks ago. [1] This is a Gradle bug.
I'm not exactly sure why it is surfacing now. I am in the process of
updating Gradle to a newer version but it will take more time to finish
the work.

Regards,

Markus

[1] https://lists.debian.org/debian-java/2017/10/msg00078.html





Bug#881589: d2x-rebirth: FTBFS: include/physfsrwops.h:47:1: error: unknown type name '__EXPORT__'

2017-11-17 Thread Markus Koschany
Control: tags -1 patch

Hi,

I had to fix the same issue in asc.

https://anonscm.debian.org/git/pkg-games/asc.git/tree/debian/patches/libphysfs-3.0.1.patch

Regards,

Markus





Bug#681726: Time to remove eclipse from Testing?

2017-11-14 Thread Markus Koschany
Am 09.11.2017 um 21:34 schrieb Jeremy Bicha:
[...]
> Have you considered dropping the libswt-webkit-gtk-3-jni dependency
> from eclipse-rcp? Then the swt-gtk source package could stop building
> libswt-webkit-gtk-3-jni and we could complete the webkitgtk removal
> from Debian Testing.
> 
> Thanks,
> Jeremy Bicha

Hi,

sorry for the delay.

I haven't tested that yet but I believe this will simply make the
package unusable for everyone. I'm not sure what we can do to assist you
in your effort to remove webkitgtk from Debian. Ok, most obviously we
could "just" package the latest Eclipse version but that won't happen
anytime soon.

We should definitely try to avoid this sort of dependency mess in the
future by packaging important libraries like eclipse-rcp in a separate
source package. That would be similar to what we are doing with
Netbeans and libnb-platform18-java at the moment. It simply ensures that
we can resolve such issues more easily by dropping the hard to maintain
IDE but keeping other important dependencies which don't require that
much effort in theory.

Regards,

Markus





Bug#881162: tomcat7: Server reports 404 on any request, even /

2017-11-09 Thread Markus Koschany
Hello,

updated packages for testing are available at:

https://people.debian.org/~roberto/

Any feedback is appreciated. Roberto's analysis of the problem can be
found at:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881162#41
Thanks

Markus





Bug#881162: tomcat7: Server reports 404 on any request, even /

2017-11-08 Thread Markus Koschany
Thank you for the report. There was a recent security update of Tomcat 7
which is the likely cause for this issue.

Roberto can you take a look please?

Regards,

Markus





Bug#879001: Bug#879002: Patch for CVE-2017-12197

2017-11-07 Thread Markus Koschany
On Fri, 3 Nov 2017 21:48:21 +0100 Salvatore Bonaccorso
 wrote:
[...]

> It's likely that Red Hat just used the approach as
> https://github.com/letonez/libpam4j/commit/84f32f4001fc6bdcc125ccc959081de022d18b6d
> and referenced from https://github.com/kohsuke/libpam4j/issues/18 .
> 
> The issue arises because "PAM.authentication() does not call
> pam_acct_mgmt(). As a consequence, the PAM account is not properly
> verified. Any user with a valid password but with deactivated or
> disabled account is able to log in.".
> 
> The above commit should address that.

Hi,

I haven't got a response from Red Hat or upstream yet. I will apply this
patch. It's the only hint so far that makes sense.

Regards,

Markus





Bug#879001: Bug#879002: Patch for CVE-2017-12197

2017-11-03 Thread Markus Koschany
Am 03.11.2017 um 21:48 schrieb Salvatore Bonaccorso:
[...]
> It's likely that Red Hat just used the approach as
> https://github.com/letonez/libpam4j/commit/84f32f4001fc6bdcc125ccc959081de022d18b6d
> and referenced from https://github.com/kohsuke/libpam4j/issues/18 .
> 
> The issue arises because "PAM.authentication() does not call
> pam_acct_mgmt(). As a consequence, the PAM account is not properly
> verified. Any user with a valid password but with deactivated or
> disabled account is able to log in.".
> 
> The above commit should address that.

Hi Salvatore,

Thanks for pointing this out. I asked Red Hat for a clarification
though. It would be interesting to know why this line was commented out
in the first place.

Regards,

Markus



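The point quoted in the two replies above (3 and 7 November) is that a successful pam_authenticate() is not a login decision: pam_acct_mgmt() has to run as well, or a user with a valid password but an expired, locked or otherwise disabled account gets in. The following is an added example, not code from libpam4j, from the Red Hat patch or from this bug report. It binds libpam through ctypes much as libpam4j binds it through JNA; the service name "login", the user name used in the usage below, the PamOutcome record and the two login_allowed* helpers are the example's own constructions. The check_account=False switch exists only so the flawed decision can be placed next to the correct one.

```python
"""PAM login check that runs pam_authenticate and pam_acct_mgmt (added example)."""
import ctypes
from ctypes import (CFUNCTYPE, POINTER, Structure, c_char_p, c_int,
                    c_size_t, c_void_p)
from dataclasses import dataclass
from typing import Optional

# Linux-PAM return codes and prompt styles (values from <security/_pam_types.h>).
PAM_SUCCESS = 0
PAM_SYSTEM_ERR = 4
PAM_BUF_ERR = 5
PAM_NEW_AUTHTOK_REQD = 12
PAM_ACCT_EXPIRED = 13
PAM_PROMPT_ECHO_OFF = 1
PAM_PROMPT_ECHO_ON = 2
PAM_SILENT = 0x8000


class PamMessage(Structure):
    _fields_ = [("msg_style", c_int), ("msg", c_char_p)]


class PamResponse(Structure):
    # libpam free()s resp, so it must come from the C allocator, not Python.
    _fields_ = [("resp", c_void_p), ("resp_retcode", c_int)]


CONV_FUNC = CFUNCTYPE(c_int, c_int, POINTER(POINTER(PamMessage)),
                      POINTER(POINTER(PamResponse)), c_void_p)


class PamConv(Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", c_void_p)]


def _bind():
    """Resolve libpam and libc; returns (None, None) when libpam is not installed."""
    try:
        pam = ctypes.CDLL("libpam.so.0")
        libc = ctypes.CDLL(None)
    except OSError:
        return None, None
    pam.pam_start.argtypes = [c_char_p, c_char_p, POINTER(PamConv), POINTER(c_void_p)]
    pam.pam_start.restype = c_int
    for name in ("pam_authenticate", "pam_acct_mgmt", "pam_end"):
        fn = getattr(pam, name)
        fn.argtypes, fn.restype = [c_void_p, c_int], c_int
    libc.calloc.argtypes, libc.calloc.restype = [c_size_t, c_size_t], c_void_p
    libc.strdup.argtypes, libc.strdup.restype = [c_char_p], c_void_p
    return pam, libc


_PAM, _LIBC = _bind()


def _conversation(password: bytes):
    """Build a pam_conv callback that answers every password prompt with `password`."""
    def conv(n, msgs, resp_out, _appdata):
        block = _LIBC.calloc(n, ctypes.sizeof(PamResponse))
        if not block:
            return PAM_BUF_ERR
        responses = ctypes.cast(block, POINTER(PamResponse))
        for i in range(n):
            if msgs[i].contents.msg_style in (PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON):
                responses[i].resp = _LIBC.strdup(password)
        # *resp_out = block: hand the C-allocated response array back to libpam.
        ctypes.cast(resp_out, POINTER(c_void_p))[0] = block
        return PAM_SUCCESS
    return CONV_FUNC(conv)


@dataclass(frozen=True)
class PamOutcome:
    """Return code of each stage; acct_rc is None when pam_acct_mgmt never ran."""
    start_rc: int
    auth_rc: int
    acct_rc: Optional[int]


def pam_login(service: str, user: str, password: str,
              check_account: bool = True) -> PamOutcome:
    """Authenticate `user` and, with check_account, also validate the account.

    check_account=False reproduces the pre-fix sequence described in the bug
    report and exists only so the two decisions below can be compared.
    """
    if _PAM is None:
        return PamOutcome(PAM_SYSTEM_ERR, PAM_SYSTEM_ERR, None)
    callback = _conversation(password.encode())  # must outlive the PAM calls
    conv = PamConv(callback, None)
    handle = c_void_p()
    start_rc = _PAM.pam_start(service.encode(), user.encode(),
                              ctypes.byref(conv), ctypes.byref(handle))
    if start_rc != PAM_SUCCESS:
        return PamOutcome(start_rc, PAM_SYSTEM_ERR, None)
    auth_rc = _PAM.pam_authenticate(handle, PAM_SILENT)
    acct_rc = None
    if auth_rc == PAM_SUCCESS and check_account:
        acct_rc = _PAM.pam_acct_mgmt(handle, PAM_SILENT)
    _PAM.pam_end(handle, auth_rc)
    return PamOutcome(start_rc, auth_rc, acct_rc)


def login_allowed_authenticate_only(outcome: PamOutcome) -> bool:
    """The flawed rule behind CVE-2017-12197: a valid password alone lets the user in."""
    return outcome.start_rc == PAM_SUCCESS and outcome.auth_rc == PAM_SUCCESS


def login_allowed(outcome: PamOutcome) -> bool:
    """The correct rule: the account stage must have run and returned PAM_SUCCESS."""
    return (outcome.start_rc == PAM_SUCCESS and outcome.auth_rc == PAM_SUCCESS
            and outcome.acct_rc == PAM_SUCCESS)
```

Exercising a genuinely disabled account needs a real PAM stack and a test user, so the difference is easiest to see on the decision functions: for an outcome whose acct_rc is None (stage skipped) or PAM_ACCT_EXPIRED, login_allowed_authenticate_only() still says yes while login_allowed() says no. A call such as login_allowed(pam_login("login", "nosuchuser-example", "not-a-password")) is always False, whichever stage rejects it.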


Bug#879001: Bug#879002: Should the package be removed?

2017-11-03 Thread Markus Koschany
On Wed, 18 Oct 2017 13:29:19 +0200 Emmanuel Bourg  wrote:
> Upstream has moved to GitHub [1] and the last update was released in
> 2014 but the security issue is still not fixed [2].
> 
> This was a dependency of Jenkins which is now gone. There is a slim
> chance that this package could be useful again in the future since it's
> a dependency of some Apache projects (Zeppelin, Atlas, Ranger and Knox).
> 
> Emmanuel Bourg
> 
> [1] https://github.com/kohsuke
> [2] https://github.com/kohsuke/libpam4j/issues/18

Apparently Red Hat patched their libpam4j package but they didn't
forward the patch upstream.

https://bugzilla.redhat.com/show_bug.cgi?id=1503103

Actually I agree with Raphael. The software is unmaintained upstream and
unused in Debian. It's rather scary that other projects depend on it,
especially when it comes to security sensitive matters like PAM. In the
end it can always be reintroduced if someone really intends to maintain it.








Bug#880116: CVE-2017-15953 / CVE-2017-15954 / CVE-2017-15955

2017-11-02 Thread Markus Koschany
Control: tags -1 patch

Hi,

upstream has released two patches to address the issue. I have verified
that they work by testing against the provided poc files. They are
attached to the upstream bug reports, for example here:

https://github.com/extramaster/bchunk/issues/3

Please find attached the debdiff against the version in Sid. I have
already released a security update for Wheezy and could also get in
contact with the security team to do the same for Jessie and Stretch.

Please note that CVE-2017-15954 was also fixed with these two patches.

Regards,

Markus
diff -Nru bchunk-1.2.0/debian/changelog bchunk-1.2.0/debian/changelog
--- bchunk-1.2.0/debian/changelog   2012-03-27 08:44:45.0 +0200
+++ bchunk-1.2.0/debian/changelog   2017-11-02 15:59:38.0 +0100
@@ -1,3 +1,13 @@
+bchunk (1.2.0-12.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2017-15953, CVE-2017-15954 and CVE-2017-15955.
+bchunk was vulnerable to a heap-based buffer overflow with an resultant
+invalid free when processing a malformed CUE (.cue) file that may lead to
+the execution of arbitrary code or a application crash.
+
+ -- Markus Koschany <a...@debian.org>  Thu, 02 Nov 2017 15:59:38 +0100
+
 bchunk (1.2.0-12) unstable; urgency=low
 
   * New maintainer. (Closes: #540585)
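Review bot: the entry claims three CVEs are fixed, but the debdiff adds only `CVE-2017-15953.patch` and `CVE-2017-15955.patch`; the cover mail explains that CVE-2017-15954 is addressed by the same two patches, and the changelog should say so (for example `CVE-2017-15954 is fixed by the same two patches`) so the security tracker can be matched against the patch files. Minor wording in the same entry: `with an resultant invalid free` should be `with a resultant invalid free`, and `a application crash` should be `an application crash`.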
diff -Nru bchunk-1.2.0/debian/patches/CVE-2017-15953.patch 
bchunk-1.2.0/debian/patches/CVE-2017-15953.patch
--- bchunk-1.2.0/debian/patches/CVE-2017-15953.patch1970-01-01 
01:00:00.0 +0100
+++ bchunk-1.2.0/debian/patches/CVE-2017-15953.patch2017-11-02 
15:59:38.0 +0100
@@ -0,0 +1,36 @@
+From: Markus Koschany <a...@debian.org>
+Date: Thu, 2 Nov 2017 15:52:01 +0100
+Subject: CVE-2017-15953
+
+Bug-Debian: https://bugs.debian.org/880116
+Origin: 
https://github.com/rydnr/nixpkgs/blob/5643fd19cf46ae516c69b625cd09f5a6a8774b6f/pkgs/tools/cd-dvd/bchunk/CVE-2017-15953.patch
+---
+ bchunk.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/bchunk.c b/bchunk.c
+index 48c694b..733cfd1 100644
+--- a/bchunk.c
 b/bchunk.c
+@@ -18,6 +18,7 @@
+   *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+   */
+ 
++#define _GNU_SOURCE
+ #include 
+ #include 
+ #include 
+@@ -271,11 +272,10 @@ int writetrack(FILE *bf, struct track_t *track, char 
*bname)
+   int16_t i;
+   float fl;
+   
+-  if (!(fname = malloc(strlen(bname) + 8))) {
+-  fprintf(stderr, "main(): malloc() failed, out of memory\n");
++  if (asprintf(, "%s%2.2d.%s", bname, track->num, track->extension) 
== -1) {
++  fprintf(stderr, "writetrack(): asprintf() failed, out of 
memory\n");
+   exit(4);
+   }
+-  sprintf(fname, "%s%2.2d.%s", bname, track->num, track->extension);
+   
+   printf("%2d: %s ", track->num, fname);
+   
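Review bot: the fix is sound: `malloc(strlen(bname) + 8)` budgeted eight bytes for the `%2.2d` track number, the dot, the extension and the NUL, so any `track->extension` longer than four characters (or a track number of more than two digits) made the following `sprintf` write past the heap block, and `asprintf` sizes the buffer from the formatted length instead. Two things to check before applying from this copy: the archive has stripped the address argument, so `asprintf(, "%s%2.2d.%s", ...)` must read `asprintf(&fname, ...)`, and the `#include` lines have lost their angle-bracketed header names; take the patch from the `Origin:` URL rather than from this message. `_GNU_SOURCE` is correctly defined before the first include, which glibc requires to expose `asprintf`.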
diff -Nru bchunk-1.2.0/debian/patches/CVE-2017-15955.patch 
bchunk-1.2.0/debian/patches/CVE-2017-15955.patch
--- bchunk-1.2.0/debian/patches/CVE-2017-15955.patch1970-01-01 
01:00:00.0 +0100
+++ bchunk-1.2.0/debian/patches/CVE-2017-15955.patch    2017-11-02 
15:59:38.0 +0100
@@ -0,0 +1,44 @@
+From: Markus Koschany <a...@debian.org>
+Date: Thu, 2 Nov 2017 15:54:51 +0100
+Subject: CVE-2017-15955
+
+Bug-Debian: https://bugs.debian.org/880116
+Origin: 
https://github.com/rydnr/nixpkgs/blob/5643fd19cf46ae516c69b625cd09f5a6a8774b6f/pkgs/tools/cd-dvd/bchunk/CVE-2017-15955.patch
+---
+ bchunk.c | 8 
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/bchunk.c b/bchunk.c
+index 733cfd1..60d3000 100644
+--- a/bchunk.c
 b/bchunk.c
+@@ -426,12 +426,12 @@ int main(int argc, char **argv)
+   printf("\nTrack ");
+   if (!(p = strchr(p, ' '))) {
+   fprintf(stderr, "... ouch, no space after 
TRACK.\n");
+-  continue;
++  exit(3);
+   }
+   p++;
+   if (!(t = strchr(p, ' '))) {
+   fprintf(stderr, "... ouch, no space after track 
number.\n");
+-  continue;
++  exit(3);
+   }
+   *t = '\0';
+   
+@@ -460,12 +460,12 @@ int main(int argc, char **argv)
+   } else if ((p = strstr(s, "INDEX"))) {
+   if (!(p = strchr(p, ' '))) {
+   printf("... ouch, no space after INDEX.\n");
+-  continue;
++  exit(3);
+   }
+   p++;
+   if (!(t = strchr(p, ' '))) {
+   printf("... ouch, no space after index 
number.\n")
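Review bot: turning `continue` into `exit(3)` on a TRACK or INDEX line without the expected space is the right call for a security fix: with `continue` the loop carried on after a malformed line, leaving whatever the earlier part of the iteration had set up for later code to use, and aborting on a malformed CUE file is safer than trying to recover. Two remarks: the INDEX branch reports its parse error with `printf` (stdout) while the TRACK branch uses `fprintf(stderr, ...)`, so the diagnostics land in different streams; and the patch header carries only the CVE id, so a sentence stating that malformed CUE lines are now fatal instead of skipped belongs in the description, since it is a user-visible behaviour change. The hunk is cut off in this copy after `number.\n")`.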

Bug#681726: Time to remove eclipse from Testing?

2017-11-01 Thread Markus Koschany
Am 01.11.2017 um 22:04 schrieb Adrian Bunk:
> On Wed, Nov 01, 2017 at 09:23:32PM +0100, Markus Koschany wrote:
>> Am 01.11.2017 um 20:47 schrieb Jeremy Bicha:
>>> On Fri, Oct 20, 2017 at 6:24 PM, Emmanuel Bourg <ebo...@apache.org> wrote:
>>>> Le 20/10/2017 à 23:52, Jeremy Bicha a écrit :
>>>>
>>>>> Never mind. I tried doing the dak queries and I eventually got more
>>>>> than 500 reverse-depends before I gave up. (Attached)
>>>>
>>>> Funny, I never realized that src:eclipse was basically holding most of
>>>> the Java packages. Maybe this package deserves some of my attention
>>>> after all ;)
>>>
>>> Adrian Bunk suggests removing bnd's Build-Depends on eclipse-jdt and
>>> eclipse-rcp. He thinks that might significantly decrease the number of
>>> affected packages.
>>
>> It appears the package can be built without eclipse-jdt and eclipse-rcp.
>> Works with cowbuilder at least. We probably exclude the eclipse classes
>> in debian/bootstrap.xml anyway. I'm not exactly sure how the BND Eclipse
>> plugin is supposed to work because I see we also symlink various jars
>> into Eclipse specific directories in debian/rules.
>>
>> I believe it would be possible to drop the build-dependencies on
>> eclipse-jdt and eclipse-rcp. We would lose the BND Eclipse plugin but
>> the rest should still continue to work.
> 
> Which Eclipse plugin would we lose?
> 
> Before suggesting to drop the build dependency I did of course try it 
> with debdiff between the built packages (no difference), and read the 
> comment in README.md about the previous Eclipse-specific plugin no 
> longer available upstream (which is why I started thinking the build 
> dependency might just be a leftover).

I did a grep -r "eclipse-jdt" but now it seems those are just settings
files. I have never used the BND Eclipse plugin but I saw that we still
mention it in the package description. Apparently bndtools is the
successor and is maintained in a separate repository now. All in all
that means it should be safe to remove the build-dependencies and
obsolete symlinks in debian/rules.






Bug#681726: Time to remove eclipse from Testing?

2017-11-01 Thread Markus Koschany
Am 01.11.2017 um 20:47 schrieb Jeremy Bicha:
> On Fri, Oct 20, 2017 at 6:24 PM, Emmanuel Bourg  wrote:
>> Le 20/10/2017 à 23:52, Jeremy Bicha a écrit :
>>
>>> Never mind. I tried doing the dak queries and I eventually got more
>>> than 500 reverse-depends before I gave up. (Attached)
>>
>> Funny, I never realized that src:eclipse was basically holding most of
>> the Java packages. Maybe this package deserves some of my attention
>> after all ;)
> 
> Adrian Bunk suggests removing bnd's Build-Depends on eclipse-jdt and
> eclipse-rcp. He thinks that might significantly decrease the number of
> affected packages.

It appears the package can be built without eclipse-jdt and eclipse-rcp.
Works with cowbuilder at least. We probably exclude the eclipse classes
in debian/bootstrap.xml anyway. I'm not exactly sure how the BND Eclipse
plugin is supposed to work because I see we also symlink various jars
into Eclipse specific directories in debian/rules.

I believe it would be possible to drop the build-dependencies on
eclipse-jdt and eclipse-rcp. We would lose the BND Eclipse plugin but
the rest should still continue to work.

Markus





Bug#877225: jblas FTBFS with multiarch libatlas-base-dev

2017-10-22 Thread Markus Koschany
Control: owner -1 !

I am working on this bug and jblas and I intend to package the latest
upstream release.





Bug#681726: Time to remove eclipse from Testing?

2017-10-20 Thread Markus Koschany
Am 21.10.2017 um 00:24 schrieb Emmanuel Bourg:
> Le 20/10/2017 à 23:52, Jeremy Bicha a écrit :
> 
>> Never mind. I tried doing the dak queries and I eventually got more
>> than 500 reverse-depends before I gave up. (Attached)
> 
> Funny, I never realized that src:eclipse was basically holding most of
> the Java packages. Maybe this package deserves some of my attention
> after all ;)

Please claim this bug or tell me when you start to work on something
related to Eclipse or Tycho, so that we avoid double work.

Thanks

Markus





Bug#879123: glee: source for configure is missing

2017-10-20 Thread Markus Koschany
Am 20.10.2017 um 15:26 schrieb Simon McVittie:
> On Fri, 20 Oct 2017 at 14:36:06 +0200, Markus Koschany wrote:
>> If you insist on severity
>> serious for such a problem, then bug reports with the same severity
>> should be filed against packages
>>
>>  a) that do not recreate their build system at build time
>>  b) all packages that contain a prebuilt object without corresponding
>> source, even when they are not used to build the package, or used at
>> runtime (like .dll and .exe files)
> 
> I don't think those are the same thing at all, and I think trying to
> equate them clouds the issue.

Thanks for your reply. I think we are on the same page. My two points
were exaggerated on purpose meaning I also believe that this topic
deserves a more differentiated point of view which you delivered.

So you are basically saying that the situation for configure scripts is
less clear-cut and you tend to acknowledge that this is a bug but
usually not a release critical one and it also depends on how the
copyright holder is treating the generated file.

What do you make of this specific case now, a modifiable but unused
configure file in a source package? Would you remove this file from one
of your packages given the same circumstances? Is this release-critical
for you?

[...]
>>  b) all packages that contain a prebuilt object without corresponding
>> source, even when they are not used to build the package, or used at
>> runtime (like .dll and .exe files)
> 
> That's my (3.) above, and I think there is consensus that it is a
> release-critical bug. We remove these objects when we find them.
> 
> (If I am wrong about that, then I can stop repacking the Quake series of
> game engines to exclude prebuilt Windows DLLs... but I would not want
> to do that without approval from the ftp team, and the ftp team seem
> highly unlikely to give that approval.)

[...]

Just for clarification: I completely agree that we should remove those
files whenever we can. I have done the same in all of my packages and I
am even more picky when it comes to prebuilt jar files in my Java
packages because there is a real possibility that they are used by
accident during the build process. However, I do not think the same
severity is appropriate for Windows files because they are platform
specific and usually are only there for the convenience of upstream's
Windows users. They waste disk space but do not impair my freedom.

Looking at
https://lintian.debian.org/tags/source-contains-prebuilt-windows-binary.html

I can still see that we have more than 1000 source packages in the
archive that ship those files. So I think you are not correct if you
claim that we treat them as release-critical bugs at the moment,
otherwise I would expect this Lintian tag to be an error, not a pedantic
issue.

And this is why it is frustrating for me to read bug reports like this
one, where we have just a modifiable text file but there are arguably
more severe issues right before our eyes. Therefore my plea to use
appropriate severity levels.

Markus


Bug#879123: glee: source for configure is missing

2017-10-20 Thread Markus Koschany
Am 20.10.2017 um 06:42 schrieb Helmut Grohne:
> On Thu, Oct 19, 2017 at 10:52:41PM +0200, Markus Koschany wrote:
>> I am quoting:
>>
>> https://sources.debian.net/src/glee/5.4.0-2/configure/
>>
>> The license is very liberal. You can argue that it should be mentioned
>> in debian/copyright but that does not make the file non-free or
>> unsuitable for Debian main.
> 
> The license is a lie. It is clear that there is some source file that
> was used to generate configure. Thus configure is a derivative work of
> that file. As Adrian pointed out, very likely the FSF isn't the
> copyright holder for that source file and very likely this permissive
> "you can do anything" license does not apply to the source file.

How do you determine that this license is a "lie" without contacting the
copyright holder or upstream? Even without this information we can
faithfully assume that the FSF, as the copyright holder of GNU Autoconf,
is aware of any potential licensing issues with their software. They
have even created the "Autoconf Configure Script Exception". [1] Simply
put, the upstream developer of glee is allowed to integrate this
configure script in any way he sees fit.

This is not a license issue.

> Saying that a generated configure script is free software is kinda
> stupid. The essence of free software is to provide users with the
> ability to modify it and this freedom is lost when all they have is the
> generated file.

It is stupid to say that you are unable to make modifications to the
package when you were the one who discovered that you don't even need
this file to build the package. How does the mere existence of a text
file impair your freedom in this case?

> 
>> This is not true. The configure file is human readable and the preferred
>> source of modification in this case. Please also note that the author of
>> glee licensed his work under the more liberal BSD-2-clause license. You
>> cannot compare two very distinct issues like minified JS files and
>> automake files and claim consensus has been reached already.
> 
> I have worked with *lots* of configure scripts and I can say that I
> never preferred modifying the generated script. Since configure scripts
> don't have reasonable indentation, the program structure is completely
> lost. Looking at them feels a lot like reading a binary disassembly. I
> contend that "human readable" is not a reasonable assessment either.
> 
>> Again quoted out of context and not relevant in this case. The source is
>> the configure script. Period. Please feel free to discuss this on
>> debian-devel or move it to the CTTE. I am willing to oppose this
>> nonsense and harmful misinterpretation of Debian's Policy whenever and
>> wherever I can.
> 
> If you insist on discussing this in a larger scope, chances are a ftp
> master will notice and remove glee from stable (given Ximin's findings)
> as it is not clear whether glee is distributable at all.
> 
> Do you realize that my original motivation in reporting this bug was
> that I found a build issue with glee and wanted to write a patch? The
> absence of source makes that difficult and makes DFSG#3 rather
> theoretical. Why does DFSG#3 assure a "right to modify" when
> modification is often impractical? I start to wonder whether we should
> start a GR to clarify DFSG#3 that modification should be practical.
> 
> Helmut

I don't understand your technical problems at the moment. But I
understand that you have filed a serious bug against glee with the
justification that the configure script is not source. I have worked
with even more configure scripts and I also prefer modifying something
else. That does not mean it is not possible. I had to patch countless
configure files directly because dh-autoreconf or other means did not
work for me. Does that mean those packages have release critical bugs
now? I am not only disagreeing with you, I can prove you wrong. When I
can modify a configure file, you should be able to do it too.

Looking forward: I appreciate if you work on glee. If you remove the
file in this process and create your own build system, so be it. However
I cannot accept the severity and justification of this bug without
seeing the bigger picture because glee is not the only package which
contains such a file. There are packages which cannot recreate this file
out-of-the-box right now. If this is an RC bug, then all other affected
packages which are not auto-reconfigured at build time are RC too. That
would definitely need a clarification on debian-devel. I dispute your
assessment that shipping this file is a violation of DFSG 3 because

 a) the license grants you all the required freedoms. It is free
software.
 b) the file is sufficiently modifiable but not needed

Bug#879123: glee: source for configure is missing

2017-10-19 Thread Markus Koschany
Am 19.10.2017 um 22:34 schrieb Adrian Bunk:
> On Thu, Oct 19, 2017 at 08:23:24PM +0200, Markus Koschany wrote:
>> ...
>> In my opinion the configure script of glee is DFSG-compliant and
>> suitable for main. The license states:
>>
>> # Copyright (C) 2003 Free Software Foundation, Inc.
>> # This configure script is free software; the Free Software Foundation
>> # gives unlimited permission to copy, distribute and modify it.
> 
> According to debian/copyright the FSF is not a copyright holder of glee,
> and the licence is likely not what you quote.
> 
> Whoever wrote the configure.{ac,in} would actually be relevant here.

I am quoting:

https://sources.debian.net/src/glee/5.4.0-2/configure/

The license is very liberal. You can argue that it should be mentioned
in debian/copyright but that does not make the file non-free or
unsuitable for Debian main.

> 
>> It is correct that configure scripts are usually auto-generated but we
>> have never treated the absence of those files as RC issues. In
>> consequence this means that all automake packages which cannot use
>> dh-autoreconf are unsuitable for main.
> 
> You are mixing two related but separate issues.
> 
> Problems when using dh-autoreconf are a grey area, but these are being
> sorted out with autoreconf usually being used now (in earlier times
> autoreconf was nearly never done in Debian).
> 
> No configure.{ac,in} at all is a pretty clear situation,
> and also very rare.

Nope, you are mixing two unrelated issues. dh-autoreconf is the default
with compat level 10 now. That does not mean at all that it would render
packages without dh-autoreconf or with earlier compat levels
non-DFSG-compliant.

> 
>> Thus I believe the resolution of
>> this bug report would be of general importance to the Debian project and
>> should be discussed on debian-devel at least.
> 
> The topic has already been discussed there countless times,
> most recently for things like minified JavaScript.

This is not true. The configure file is human readable and the preferred
source of modification in this case. Please also note that the author of
glee licensed his work under the more liberal BSD-2-clause license. You
cannot compare two very distinct issues like minified JS files and
automake files and claim consensus has been reached already.

> 
>> However I am in favor of closing this bug report as "not-a-bug".
> 
> In NEW this bug alone would be sufficient for a direct reject[1]:
> 
> Source missing
> Your package contains files that need source but do not have it. These
> include PDF and PS files in the documentation, or auto-generated files.
> 
> Source package missing source
> Source packages are part of the distribution. As such source must be
> present for all files in the source package itself, ...

Again quoted out of context and not relevant in this case. The source is
the configure script. Period. Please feel free to discuss this on
debian-devel or move it to the CTTE. I am willing to oppose this
nonsense and harmful misinterpretation of Debian's Policy whenever and
wherever I can.

Regards,

Markus

