Bug#850007: libvncserver: CVE-2016-9941

2017-01-03 Thread Peter Spiess-Knafl
Hi Salvatore!

I prepared the package containing the fixes for both CVEs on git:

https://anonscm.debian.org/cgit/collab-maint/libvncserver.git/tag/?h=debian/0.9.9%2bdfsg2-6.1%2bdeb8u2

Can you upload them?

Greetings,
Peter

On 01/03/2017 07:12 AM, Salvatore Bonaccorso wrote:
> Source: libvncserver
> Version: 0.9.10+dfsg-3
> Severity: grave
> Tags: upstream security patch
> Justification: user security hole
> 
> Hi,
> 
> the following vulnerability was published for libvncserver.
> 
> CVE-2016-9941[0]:
> | Heap-based buffer overflow in rfbproto.c in LibVNCClient in
> | LibVNCServer before 0.9.11 allows remote servers to cause a denial of
> | service (application crash) or possibly execute arbitrary code via a
> | crafted FramebufferUpdate message containing a subrectangle outside of
> | the client drawing area.
> 
> Fixing commit for the rfbproto.c part of the pull request in [1].
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-9941
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9941
> [1] https://github.com/LibVNC/libvncserver/pull/137/commits/5418e8007c248bf9668d22a8c1fa9528149b69f2
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore
> 
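
The kind of bounds check the CVE description above calls for, as an added example that is not part of the original thread and is neither LibVNCServer's code nor the upstream fix. The type and function names are hypothetical, the header layout is the standard RFB rectangle header, and the sample bytes and the 640x480 drawing area are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFB rectangle header: four big-endian U16 fields, then an S32 encoding type. */
typedef struct { uint16_t x, y, w, h; int32_t encoding; } rfb_rect;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the 12-byte wire header; returns false if the buffer is too short. */
bool parse_rect_header(const uint8_t *buf, size_t len, rfb_rect *out)
{
    if (len < 12) return false;
    out->x = be16(buf);
    out->y = be16(buf + 2);
    out->w = be16(buf + 4);
    out->h = be16(buf + 6);
    out->encoding = (int32_t)(((uint32_t)buf[8] << 24) | ((uint32_t)buf[9] << 16) |
                              ((uint32_t)buf[10] << 8) | (uint32_t)buf[11]);
    return true;
}

/* True only if the rectangle lies entirely inside a fb_w x fb_h area.
 * The sums are done in 32 bits so x + w cannot wrap around in 16 bits. */
bool rect_in_bounds(uint32_t fb_w, uint32_t fb_h, const rfb_rect *r)
{
    return (uint32_t)r->x + r->w <= fb_w && (uint32_t)r->y + r->h <= fb_h;
}

/* Subrectangles (e.g. in RRE) are relative to their parent rectangle, so they
 * are checked against the parent's size before any pixel is written. */
bool subrect_in_parent(const rfb_rect *parent, const rfb_rect *sub)
{
    return rect_in_bounds(parent->w, parent->h, sub);
}

/* Constructed sample: rectangle at (600,400) sized 100x100, Raw encoding (0). */
const uint8_t SAMPLE_HDR[12] = {
    0x02, 0x58, 0x01, 0x90, 0x00, 0x64, 0x00, 0x64, 0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    rfb_rect r;
    if (!parse_rect_header(SAMPLE_HDR, sizeof SAMPLE_HDR, &r)) return 1;
    printf("inside 640x480: %d\n", rect_in_bounds(640, 480, &r));
    return 0;
}
```

A client that rejects the update when either check fails never writes outside its framebuffer allocation, whatever the server sends.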



Bug#820785: (no subject)

2016-04-25 Thread Peter Spiess-Knafl
Gentoo claims to have fixed it like this:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c13b5e88c6e9c7bd2698d844cb5ed127ed809f7e

Greetings
Peter



Bug#818155: (no subject)

2016-04-25 Thread Peter Spiess-Knafl
Since there is no activity on this bug, and I cannot fix it on my own, I
raised an issue upstream about that:

https://github.com/jm/toml/issues/43

Greetings
Peter



Bug#822500: Patch for FTBFS

2016-04-25 Thread Peter Spiess-Knafl
tags 822500 + patch

Hi!

A quick "#include " did the trick.

You can of course ignore the changelog entry if you like, it is just
to make debdiff work.

I also forwarded it upstream: https://github.com/pdewacht/brlaser/pull/9


Greetings
Peter
diff -Nru brlaser-3/debian/changelog brlaser-3/debian/changelog
--- brlaser-3/debian/changelog	2016-02-25 19:39:28.0 +0100
+++ brlaser-3/debian/changelog	2016-04-25 15:06:20.0 +0200
@@ -1,3 +1,10 @@
+brlaser (3-5) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add patch to fix FTBFS (Closes: #822500)
+
+ -- Peter Spiess-Knafl <d...@spiessknafl.at>  Mon, 25 Apr 2016 15:04:45 +0200
+
 brlaser (3-4) unstable; urgency=medium
 
   * Import upstream patch to add support for Brother DCP-7055
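
Review bot: the new stanza is versioned 3-5 although its first bullet says "Non-maintainer upload."; Debian's convention for an NMU of a non-native package is to append .1 to the current revision, which here would be 3-4.1 and would leave 3-5 for the maintainer's next upload. The second bullet could also name the patch file, fix-ftbfs-missing-include.patch, so the changelog says what was added.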
diff -Nru brlaser-3/debian/patches/fix-ftbfs-missing-include.patch brlaser-3/debian/patches/fix-ftbfs-missing-include.patch
--- brlaser-3/debian/patches/fix-ftbfs-missing-include.patch	2016-04-25 14:55:35.0 +0200
+++ brlaser-3/debian/patches/fix-ftbfs-missing-include.patch	2016-04-25 15:04:41.0 +0200
@@ -1,3 +1,9 @@
+Description: Fix FTBFS due to missing include
+Author: Peter Spiess-Knafl <d...@spiessknafl.at>
+Bug: 822500
+Forwarded: https://github.com/pdewacht/brlaser/pull/9
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
 --- a/src/brdecode.cc
 +++ b/src/brdecode.cc
 @@ -21,6 +21,7 @@
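
Review bot: in the added DEP-3 header, "Bug: 822500" uses the field DEP-3 reserves for the upstream bug URL and gives only a bare number; a Debian bug belongs in a "Bug-Debian:" field with the full URL, for example "Bug-Debian: https://bugs.debian.org/822500". The visible hunk stops at the inner "@@ -21,6 +21,7 @@" header, so the include line added to src/brdecode.cc cannot be checked from what is shown here.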


Bug#821417: marked as pending

2016-04-18 Thread Peter Spiess-Knafl
tag 821417 pending
thanks

Hello,

Bug #821417 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

http://git.debian.org/?p=pkg-multimedia/nordlicht.git;a=commitdiff;h=93e09bd

---
commit 93e09bd30c3cd6f0f1907bfa37d29d787cf884dc
Author: Peter Spiess-Knafl <d...@spiessknafl.at>
Date:   Mon Apr 18 18:05:59 2016 +0200

Add patch for ffmpeg 3.0

diff --git a/debian/changelog b/debian/changelog
index 8e72de2..ee579eb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+nordlicht (0.4.4-3) UNRELEASED; urgency=medium
+
+  * d/patches: Add patch for ffmpeg-3.0 (Closes: #821417)
+
+ -- Peter Spiess-Knafl <d...@spiessknafl.at>  Mon, 18 Apr 2016 18:02:00 +0200
+
 nordlicht (0.4.4-2) unstable; urgency=medium
 
   * d/patches: Add 2 upstream patches to fix build on arm* (Closes: #813101)
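
Review bot: the new 0.4.4-3 bullet "d/patches: Add patch for ffmpeg-3.0" does not name the patch file, so a changelog reader cannot tell which file under debian/patches it refers to; naming the file in the bullet would fix that. Only debian/changelog is visible in this diff, so the patch itself and its debian/patches/series entry cannot be checked here.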



Bug#821273: gqrx-sdr: gqrx crashes at start

2016-04-17 Thread Peter Spiess-Knafl
Package: gqrx-sdr
Version: 2.5.1-1
Severity: grave
Justification: renders package unusable

Dear Maintainer,

I installed the latest version in testing of gqrx-sdr.

When I tried to start it, the console threw the following error message:

$> gqrx
linux; GNU C++ version 5.3.1 20160323; Boost_105800; UHD_003.009.003-0-unknown

Controlport disabled
No user supplied config file. Using "default.conf"
gr-osmosdr 0.1.4 (0.1.4) gnuradio 3.7.9
built-in source types: file osmosdr fcd rtl rtl_tcp uhd miri hackrf bladerf
rfspace airspy redpitaya
Using Volk machine: sse4_2_64_orc
FM demod gain: 1.52789
IQ DCR alpha: 1.04166e-05
terminate called after throwing an instance of
'boost::exception_detail::clone_impl'
  what():  send_to: Operation not permitted
[1]31789 abort  gqrx


I hope this is sufficient to fix the problem.

Greetings
Peter



-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (900, 'testing'), (200, 'unstable'), (100, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gqrx-sdr depends on:
ii  libboost-program-options1.58.0  1.58.0+dfsg-5+b1
ii  libboost-system1.58.0           1.58.0+dfsg-5+b1
ii  libc6                           2.22-5
ii  libgcc1                         1:6-20160205-1
ii  libgnuradio-analog3.7.9         3.7.9.1-2+b1
ii  libgnuradio-audio3.7.9          3.7.9.1-2+b1
ii  libgnuradio-blocks3.7.9         3.7.9.1-2+b1
ii  libgnuradio-digital3.7.9        3.7.9.1-2+b1
ii  libgnuradio-fft3.7.9            3.7.9.1-2+b1
ii  libgnuradio-filter3.7.9         3.7.9.1-2+b1
ii  libgnuradio-osmosdr0.1.4        0.1.4-8
ii  libgnuradio-pmt3.7.9            3.7.9.1-2+b1
ii  libgnuradio-runtime3.7.9        3.7.9.1-2+b1
ii  libpulse0                       8.0-2
ii  libqt5core5a                    5.5.1+dfsg-16
ii  libqt5gui5                      5.5.1+dfsg-16
ii  libqt5network5                  5.5.1+dfsg-16
ii  libqt5svg5                      5.5.1-2
ii  libqt5widgets5                  5.5.1+dfsg-16
ii  libstdc++6                      6-20160205-1
ii  libvolk1.1                      1.2.1-2
ii  pulseaudio                      8.0-2

gqrx-sdr recommends no packages.

gqrx-sdr suggests no packages.

-- no debconf information



Bug#788945: libjsoncpp.so.0: cannot open shared object file: No such file or directory

2015-06-17 Thread Peter Spiess-Knafl
Hi!

I just did an upload including a fix for this bug.

> Please remember that all packages built against the broken version need
> a binNMU to get the new dependency right.


However I cannot do binNMUs because I am only a DM with limited upload
privileges.

Can a DD take care of this?

Thank you and Greetings
Peter


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#788945: libjsoncpp.so.0: cannot open shared object file: No such file or directory

2015-06-17 Thread Peter Spiess-Knafl
Hi!

Sorry for the mess I've caused with this upload. Somehow the last part
of the shlibs file got lost. I will remove it completely and use the
auto generated version.

Thanks for reporting this.





Bug#786907: libvncserver: Source package contains ISC licensed files

2015-05-26 Thread Peter Spiess-Knafl
Source: libvncserver
Version: 0.9.9+dfsg-6.1
Severity: serious
Justification: Policy 4.5

The libvncserver source package contains non-free (ISC licensed) files for the
sha1 implementation under common/sha1.* .

This is already fixed in unstable and needs to be handled also in stable.



-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'stable-updates'), (500, 'stable'), (200, 'unstable'), (100, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)





Bug#785305: keepass2: option to lock workspace on suspend does not work

2015-05-25 Thread Peter Spiess-Knafl
Hi!

Is there any progress on this bug? I really loose Keepass2 a lot and I
saw that it is marked for removal because of this bug.

Can I help you somehow? Has it been forwarded to upstream yet?

Greetings
Peter





Bug#785305: [pkg-cli-apps-team] Bug#785305: keepass2: option to lock workspace on suspend does not work

2015-05-25 Thread Peter Spiess-Knafl
On 05/25/2015 12:02 PM, Chow Loong Jin wrote:
> On Mon, May 25, 2015 at 11:13:02AM +0200, Peter Spiess-Knafl wrote:
>> Hi!
>>
>> Is there any progress on this bug? I really loose Keepass2 a lot and I
>> saw that it is marked for removal because of this bug.
>>
>> Can I help you somehow? Has it been forwarded to upstream yet?
>
> Odd, isn't this the role of GNOME, rather than Keepass2? I'm on Ubuntu and my
> screen is locked when going into sleep mode under normal circumstances. This
> is without using Keepass2.
>

I think there is a misunderstanding of the word workspace. An opened
keepass file is also called workspace.





Bug#779689: RFS libjson-rpc-cpp

2015-03-07 Thread Peter Spiess-Knafl
Hi Aaron!

I spent a lot of time analyzing the build logs from the failing
architectures and I think I have fixed the bugs you have reported. But
my usual sponsor is currently not responsive. Could you sponsor my
updated package on mentors?

http://mentors.debian.net/package/libjson-rpc-cpp

Basically I added a patch for the manpage creation, and removed the
parallel building, as it makes sense that the test suite fails because
of this.

Thank you in advance.
Greetings
Peter





Bug#779689: libjson-rpc-cpp: FTBFS: test suite errors

2015-03-04 Thread Peter Spiess-Knafl
Hi Aaron!

As I learned from mentors, it is possible for non-DDs to get a
guest-account on various porter machines.

Would you sponsor/sign my request for this?

https://dsa.debian.org/doc/guest-account/

I will prepare a request with the required infos. I think this would be
the most straightforward way to fix these issues. It would be great if
you could agree to that.

Greetings
Peter


On 03/04/2015 05:08 PM, Aaron M. Ucko wrote:
> Peter Spiess-Knafl p...@autistici.org writes:
>
>> Honestly I am kind of lost how I could fix this without access to a
>> porterbox. Are there any specific ports which are not allowed to be
>> used? I am using port 8383 on localhost to test the networking part of
>> this framework.
>
> Good question; I know the autobuilders have historically had limited
> networking.  However, if that were the problem, wouldn't the failures
> have been more consistent?  On most affected architectures, only two of
> the three tests in question failed, and not the same two everywhere.
> At any rate, one affected architecture was i386, so you can try to
> reproduce the problem in a 32-bit chroot.
>
> Thanks for looking into this bug (and the other two I reported)!
>





Bug#779688: libjson-rpc-cpp: FTBFS: gen/abstractsubserver.h: No such file or directory

2015-03-04 Thread Peter Spiess-Knafl
Hi!

You are probably right. Usually I build this with make -j8 on my
machine, but maybe there is a dependency missing.

Greetings
Peter

On 03/04/2015 04:39 AM, Aaron M. Ucko wrote:
> Source: libjson-rpc-cpp
> Version: 0.4.2-3
> Severity: serious
> Justification: fails to build from source
>
> Builds of libjson-rpc-cpp failed for several architectures with the error
>
>   /«PKGBUILDDIR»/src/test/test_integration.cpp:17:35: fatal error: gen/abstractsubserver.h: No such file or directory
>
> It looks like this error may stem from an undeclared dependency that's
> only a problem in parallel builds; if so, you might consider simply
> dropping --parallel from your dh invocations for now.
>
> Could you please take a look?
>
> Thanks!
>





Bug#779689: libjson-rpc-cpp: FTBFS: test suite errors

2015-03-04 Thread Peter Spiess-Knafl
Hi!

Honestly I am kind of lost how I could fix this without access to a
porterbox. Are there any specific ports which are not allowed to be
used? I am using port 8383 on localhost to test the networking part of
this framework.

Is there a specific port which I am allowed to use for testing?

Do you have any suggestion how I could try to fix these issues (from an
infrastructure perspective)? Because always going through the sponsoring
process without knowing for sure that the new fix will work, will
probably annoy my sponsor.

Greetings,
Peter

On 03/04/2015 04:43 AM, Aaron M. Ucko wrote:
> Source: libjson-rpc-cpp
> Version: 0.4.2-3
> Severity: serious
> Justification: fails to build from source
>
> Builds of libjson-rpc-cpp failed on several platforms with test suite
> errors.  On armel,
>
>   The following tests FAILED:
>     4 - connector_http (Failed)
>     6 - integration (Failed)
>     7 - all (Failed)
>
> and each of those tests also failed on some other platforms, though
> never the whole set elsewhere.  Could you please take a look?
>
> Thanks!
>

