Bug#881067: Debian mirror ftp.uni-sofia.bg: out of date

2017-11-07 Thread Alexander Velin 

On 2017-11-07 16:47, Peter Palfrader wrote:

According to
  https://mirror-master.debian.org/status/mirror-info/ftp.uni-sofia.bg.html
your mirror is out of date by about a week.

Please investigate.


Thanks for the notification. It seems, that due to the upgrade of the 
distribution on the mirror, old DSA SSH keys used by upstream trigger 
where no longer working. Issue is resolved, and the mirror is 
synchronizing at the moment.


regards,
--velin

Bug#880739: ERROR: PhantomJS executable not found in PATH, download it from http://phantomjs.org

2017-11-07 Thread Rogério Brito 
Dear Mathieu.

On Nov 04 2017, Mathieu Malaterre wrote:
> Package: youtube-dl
> Version: 2017.10.15.1-1
> Tags: patch

Your message didn't contain any patch. Anyway, it is so trivial that I
uploaded another package with the recommends in place.

> It would be super nice to add a Recommends: phantomjs on youtube-dl
> package. Otherwise it may fails sometimes with:
> 
> ERROR: PhantomJS executable not found in PATH, download it from
> http://phantomjs.org
(...)

Great. Can you please put offending URLs the next time, so that I can test
to see if the problem really went away?


Thanks,

-- 
Rogério Brito : rbrito@{ime.usp.br,gmail.com} : GPG key 4096R/BCFC
http://cynic.cc/blog/ : github.com/rbrito : profiles.google.com/rbrito
DebianQA: http://qa.debian.org/developer.php?login=rbrito%40ime.usp.br

Bug#881145: sox: null pointer dereference while running play

2017-11-07 Thread Joonun Jang 
Package: sox
Version: 14.4.1-5+b2
Severity: normal
Tags: security

null pointer dereference while running play with "poc bass +3" option

Running 'play poc bass +3' with the attached file raises null pointer 
dereference
which may allow a remote attack to cause a denial-of-service attack
I expected the program to terminate without segfault, but the program crashes 
as follow

I sent this to debian security team before, but I didn't get any response.
So I send this to public.

---

june@yuweol:~/poc/play/crash1$ play poc bass +3

poc:

 File Size: 48Bit Rate: 0.00394
  Encoding: WavPack
  Channels: 2 @ 16-bit
Samplerate: 44100Hz
Replaygain: off
  Duration: 27:03:11.55

In:0.00% 00:00:00.00 [27:03:11.55] Out:0 [  |  ]Clip:0
Segmentation fault

---

Thread 1 "play" received signal SIGSEGV, Segmentation fault.
0x7fffed796f34 in WavpackUnpackSamples () from 
/usr/lib/x86_64-linux-gnu/libwavpack.so.1
(gdb) x/i $rip
=> 0x7fffed796f34 :  mov0x1e0(%rdi),%rax
(gdb) i r rdi
rdi0x0  0

---

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sox depends on:
ii  libc6 2.24-17
ii  libgomp1  7.2.0-12
ii  libsox-fmt-alsa   14.4.1-5+b2
ii  libsox-fmt-ao 14.4.1-5+b2
ii  libsox-fmt-base   14.4.1-5+b2
ii  libsox-fmt-oss14.4.1-5+b2
ii  libsox-fmt-pulse  14.4.1-5+b2
ii  libsox2   14.4.1-5+b2

sox recommends no packages.

Versions of packages sox suggests:
ii  libsox-fmt-all  14.4.1-5+b2

-- no debconf information
wvpk

Bug#881144: fig2dev: out of bound read while running fig2dev with -L pic option

2017-11-07 Thread Joonun Jang 
Package: fig2dev
Version: 1:3.2.6a-4
Severity: important
Tags: security

out of bound read while running fig2dev with -L pic option

Running 'fig2dev -L pic poc' with the attached file raises out of bound read bug
which may allow a remote attack to cause a denial-of-service attack or 
information
disclosure with a crafted file.

I expected the program to terminate without segfault, but the program crashes 
as follow

===

june@yuweol:~/poc/fig2dev/crash2$ fig2dev -L pic ./poc
.PS
.ps 11
Segmentation fault

===

Program received signal SIGSEGV, Segmentation fault.
0x55567960 in unpsfont (t=t@entry=0x55810160) at psfonts.c:194
194   if (PSmapwarn[t->font+1])
(gdb) p t->font
$1 = 7111
(gdb) bt
#0  0x55567960 in unpsfont (t=t@entry=0x55810160) at psfonts.c:194
#1  0x5558e282 in genpic_text (t=0x55810160) at genpic.c:443
#2  0x555615d2 in gendev_objects (dev=0x557ef200 , 
objects=0x7fffe0f0)
at fig2dev.c:833
#3  main (argc=, argv=) at fig2dev.c:467
(gdb) x/i $rip
=> 0x55567960 :  mov(%rcx,%rdx,4),%ecx
(gdb) i r rcx rdx
rcx0x555c3f60 93824992690016
rdx0x43d11c8  7112

===

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fig2dev depends on:
ii  gawk 1:4.1.4+dfsg-1
ii  libc62.24-17
ii  libpng16-16  1.6.34-1
ii  libxpm4  1:3.5.12-1
ii  x11-common   1:7.7+19

Versions of packages fig2dev recommends:
ii  ghostscript  9.22~dfsg-1
ii  netpbm   2:10.0-15.3+b2

Versions of packages fig2dev suggests:
pn  xfig  

-- no debconf information


poc
Description: Binary data

Bug#880691: ruby-yajl: diff for NMU version 1.2.0-3.1

2017-11-07 Thread Salvatore Bonaccorso 
Control: tags 880691 + patch
Control: tags 880691 + pending

Dear maintainer,

I've prepared an NMU for ruby-yajl (versioned as 1.2.0-3.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
diff -Nru ruby-yajl-1.2.0/debian/changelog ruby-yajl-1.2.0/debian/changelog
--- ruby-yajl-1.2.0/debian/changelog	2015-07-08 16:51:23.0 +0200
+++ ruby-yajl-1.2.0/debian/changelog	2017-11-08 07:31:37.0 +0100
@@ -1,3 +1,11 @@
+ruby-yajl (1.2.0-3.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2017-16516: Crafted JSON file allows to crash ruby process with a
+SIGABRT in the yajl_string_decode function (Closes: #880691)
+
+ -- Salvatore Bonaccorso   Wed, 08 Nov 2017 07:31:37 +0100
+
 ruby-yajl (1.2.0-3) unstable; urgency=medium
 
   [ Balasankar C ]
diff -Nru ruby-yajl-1.2.0/debian/patches/Don-t-advance-our-end-pointer-until-we-ve-checked-we.patch ruby-yajl-1.2.0/debian/patches/Don-t-advance-our-end-pointer-until-we-ve-checked-we.patch
--- ruby-yajl-1.2.0/debian/patches/Don-t-advance-our-end-pointer-until-we-ve-checked-we.patch	1970-01-01 01:00:00.0 +0100
+++ ruby-yajl-1.2.0/debian/patches/Don-t-advance-our-end-pointer-until-we-ve-checked-we.patch	2017-11-08 07:31:37.0 +0100
@@ -0,0 +1,52 @@
+From: Brian Lopez 
+Date: Mon, 6 Nov 2017 21:46:42 -0800
+Subject: Don't advance our end pointer until we've checked we have enough
+ buffer left and have peeked ahead to see that a unicode escape is
+ approaching.
+Origin: https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce
+Bug: https://github.com/brianmario/yajl-ruby/issues/176
+Bug-Debian: https://bugs.debian.org/880691
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16516
+
+Thanks @kivikakk for helping me track down the actual bug here!
+---
+ ext/yajl/yajl_encode.c   | 4 ++--
+ spec/parsing/one_off_spec.rb | 7 +++
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/ext/yajl/yajl_encode.c b/ext/yajl/yajl_encode.c
+index 8535c1b..716ddde 100644
+--- a/ext/yajl/yajl_encode.c
 b/ext/yajl/yajl_encode.c
+@@ -162,8 +162,8 @@ void yajl_string_decode(yajl_buf buf, const unsigned char * str,
+ end+=3;
+ /* check if this is a surrogate */
+ if ((codepoint & 0xFC00) == 0xD800) {
+-end++;
+-if (str[end] == '\\' && str[end + 1] == 'u') {
++if (end + 2 < len && str[end + 1] == '\\' && str[end + 2] == 'u') {
++end++;
+ unsigned int surrogate = 0;
+ hexToDigit(, str + end + 2);
+ codepoint =
+diff --git a/spec/parsing/one_off_spec.rb b/spec/parsing/one_off_spec.rb
+index 9bc6b32..f1a8aea 100644
+--- a/spec/parsing/one_off_spec.rb
 b/spec/parsing/one_off_spec.rb
+@@ -2,6 +2,13 @@
+ require File.expand_path(File.dirname(__FILE__) + '/../spec_helper.rb')
+ 
+ describe "One-off JSON examples" do
++  it "should not blow up with a bad surrogate trailer" do
++# https://github.com/brianmario/yajl-ruby/issues/176
++bad_json = "{\"e\":{\"\\uD800DC00\":\"a\"}}"
++
++Yajl::Parser.new.parse(bad_json)
++  end
++
+   it "should parse 23456789012E666 and return Infinity" do
+ infinity = (1.0/0)
+ silence_warnings do
+-- 
+2.15.0
+
diff -Nru ruby-yajl-1.2.0/debian/patches/series ruby-yajl-1.2.0/debian/patches/series
--- ruby-yajl-1.2.0/debian/patches/series	2015-07-08 16:47:52.0 +0200
+++ ruby-yajl-1.2.0/debian/patches/series	2017-11-08 07:31:37.0 +0100
@@ -1,2 +1,3 @@
 mocks-test-fix
 RSpec3-test-fix
+Don-t-advance-our-end-pointer-until-we-ve-checked-we.patch

Bug#881143: fig2dev: out of bound read while running fig2dev with -L tikz

2017-11-07 Thread Joonun Jang 
Package: fig2dev
Version: 1:3.2.6a-4
Severity: important
Tags: security

out of bound read while running fig2dev with -L tikz option

Running 'fig2dev -L tikz poc' with the attached file raises out of bound read 
bug
which may allow a remote attack to cause a denial-of-service attack or 
information
disclosure with a crafted file.

I expected the program to terminate without segfault, but the program crashes 
as follow

I sent this to debian security team before, but I didn't get any response.
So I send this to public.

===
june@june:~/project/analyze/poc/fig2dev/crash1$ fig2dev -L tikz poc
\ifx\XFigwidth\undefined\dimen1=0pt\else\dimen1\XFigwidth\fi
\divide\dimen1 by 1
\ifx\XFigheight\undefined\dimen3=0pt\else\dimen3\XFigheight\fi
\divide\dimen3 by 5
\ifdim\dimen1=0pt\ifdim\dimen3=0pt\dimen1=-9223372036854775808sp\dimen3\dimen1
\else\dimen1\dimen3\fi\else\ifdim\dimen3=0pt\dimen3\dimen1\fi\fi
\tikzpicture[x=+\dimen1, y=+\dimen3]
{\ifx\XFigu\undefined\catcode`\@11
\def\temp{\alloc@1\dimen\dimendef\insc@unt}\temp\XFigu\catcode`\@12\fi}
\XFigu-9223372036854775808sp
% Uncomment to scale line thicknesses with the same
% factor as width of the drawing.
%\pgfextractx\XFigu{\pgfqpointxy{1}{1}}
\ifdim\XFigu<0pt\XFigu-\XFigu\fi
\clip(91,-1) rectangle (92,4);
\tikzset{inner sep=+0pt, outer sep=+0pt}
Segmentation fault

[debugging]
Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106 ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x77339d78 in _IO_vfprintf_internal (s=0x7768b600 
<_IO_2_1_stdout_>,
format=, ap=ap@entry=0x7fffde88) at vfprintf.c:1637
#2  0x77340157 in __fprintf (stream=,
format=format@entry=0x555cc7e5 "\\normalfont%s ") at fprintf.c:32
#3  0x555b4615 in put_font (t=0x55810160) at gentikz.c:1725
#4  gentikz_text (t=0x55810160) at gentikz.c:1769
#5  0x555618cd in gendev_objects (dev=0x557f8ec0 , 
objects=0x7fffdfa0)
at fig2dev.c:833
#6  main (argc=, argv=) at fig2dev.c:467
(gdb) x/i $rip
=> 0x77371646 :  movdqu (%rax),%xmm4
(gdb) i r rax
rax0x29292922 690563362
(gdb) f 3
#3  0x555b4615 in put_font (t=0x55810160) at gentikz.c:1725
1725fprintf(tfp, "\\normalfont%s ",
(gdb) p t->font
$1 = -51
(gdb) p texfonts[-51]
$3 = 0x29292922 

with attached file, t->font can be set to negative value which causes this bug
[fig2dev/dev/gentikz.c]
1724   else
1725   fprintf(tfp, "\\normalfont%s ",
1726 texfonts[t->font <= MAX_FONT ? t->font : MAX_FONT - 1]);

===

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fig2dev depends on:
ii  gawk 1:4.1.4+dfsg-1
ii  libc62.24-17
ii  libpng16-16  1.6.34-1
ii  libxpm4  1:3.5.12-1
ii  x11-common   1:7.7+19

Versions of packages fig2dev recommends:
ii  ghostscript  9.22~dfsg-1
ii  netpbm   2:10.0-15.3+b2

Versions of packages fig2dev suggests:
pn  xfig  

-- no debconf information

 1  1

1

11 4-51

11 0 5
1
91
1 
c

Bug#881142: ruby-yajl: uses embedded copy of yajl

2017-11-07 Thread Salvatore Bonaccorso 
Source: ruby-yajl
Severity: normal

Hi

ruby-yajl embedds a copy of yajl, which is packaged for Debian.
src:yajl is packaged in Debian.

It might need first investigation, but if possible please consider
switching to the system library for ruby-yajl instead of the embeeded
copy.

Regards,
Salvatore

Bug#881141: gifsicle: out of bound read while running gifsicle

2017-11-07 Thread Joonun Jang 
Package: gifsicle
Version: 1.90-1
Severity: important
Tags: security

out of bound read while running gifsicle with "gifsicle --dither --use-col=bw 
poc -o output" option

Running 'gifsicle --dither --use-col=bw poc -o output' with the attached file 
raises out of bound read
which may allow a remote attack to cause a denial-of-service attack or 
information disclosure
with a crafted file.
I expected the program to terminate without segfault, but the program crashes 
as follow

---

june@yuweol:~/poc/gifsicle/crash2$ gifsicle --dither --use-col=bw poc -o output
gifsicle:poc:#0: read error: unknown block type 114 at file offset 25
gifsicle:poc: read error: image corrupted, min_code_size too big
gifsicle:poc: read error: image corrupted, code out of range (13 times)
gifsicle:poc: read error: missing 82455 pixels of image data
Segmentation fault

---

Breakpoint 2, colormap_image_floyd_steinberg (gfi=0x55790c50, 
all_new_data=0x55792520 "",
old_cm=0x55790390, kd3=0x7fffdef0, histogram=0x7fffdae0) at 
quantize.c:1149
1149if (kc_distance(>ks[e], ) < kd3->xradius[e])
(gdb) p/x old_cm->col[*data].pixel
$83 = 0xdeadbeef
(gdb) list
1144+ (err[x+1].a[k] & ~(DITHER_ITEM2ERR-1)) / DITHER_ITEM2ERR;
1145use.a[k] = KC_CLAMPV(v);
1146}
1147
1148e = old_cm->col[*data].pixel;
1149if (kc_distance(>ks[e], ) < kd3->xradius[e])
1150*new_data = e;
1151else
1152*new_data = kd3_closest_transformed(kd3, , NULL);
1153histogram[*new_data]++;

* At 1148, e was set to 0xdeadbeef which was manipulated.
* This value used to reference the array kd3->ks as an index at 1149 which cause
* segmentation faule in this case

(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x55568b2f in kc_distance (x=0x55548d8b909a, y=0x7fffda02) at 
kcolor.h:110
110 int32_t d0 = x->a[0] - y->a[0], d1 = x->a[1] - y->a[1],

(gdb) bt
#0  0x55568b2f in kc_distance (x=0x55548d8b909a, y=0x7fffda02) at 
kcolor.h:110
#1  0x5556ca0e in colormap_image_floyd_steinberg (gfi=0x55790c50,
all_new_data=0x55792520 "", old_cm=0x55790390, kd3=0x7fffdef0,
histogram=0x7fffdae0) at quantize.c:1149
#2  0x5556e19a in dither (gfi=0x55790c50, new_data=0x55792520 
"",
old_cm=0x55790390, kd3=0x7fffdef0, histogram=0x7fffdae0,
od=0x5578dbc0 ) at quantize.c:1488
#3  0x5556e83f in colormap_stream (gfs=0x55790330, 
new_cm=0x5578e890,
od=0x5578dbc0 ) at quantize.c:1613
#4  0x5557bdd8 in do_colormap_change (gfs=0x55790330) at 
gifsicle.c:904
#5  0x5557c1db in merge_and_write_frames (outfile=0x7fffe52d 
"output", f1=0, f2=-1)
at gifsicle.c:1030
#6  0x5557c54d in output_frames () at gifsicle.c:1105
#7  0x5557f212 in main (argc=6, argv=0x7fffe1e8) at gifsicle.c:2173

---

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gifsicle depends on:
ii  libc6 2.24-17
ii  libx11-6  2:1.6.4-3

gifsicle recommends no packages.

gifsicle suggests no packages.

-- no debconf information


poc
Description: Binary data

Bug#881140: ruby-yajl: New upstream version available

2017-11-07 Thread Salvatore Bonaccorso 
Source: ruby-yajl
Severity: wishlist

Hi

There is a new upstream version (1.3.1) ruby-yajl available. Can you
package it for unstable?

Regards,
Salvatore

Bug#881139: ffmpeg2theora: heap buffer overflow while running ffmpeg2theora

2017-11-07 Thread Joonun Jang 
Package: ffmpeg2theora
Version: 0.30-1+b2
Severity: important
Tags: security

heap buffer overflow running ffmpeg2theora with "poc" option

Running 'ffmpeg2theora poc' with the attached file raises null pointer 
dereference
which may allow a remote attacker to cause unspecified impact including 
denial-of-service attack
I expected the program to terminate without segfault, but the program crashes 
as follow

---

june@yuweol:~/poc/ffmpeg2theora/crash7$ ffmpeg2theora poc
[h263 @ 0x5642844b4840] Format h263 detected only with low score of 25, 
misdetection possible!
[h263 @ 0x5642844b5d60] Independent Segment Decoding not supported
Input #0, h263, from 'poc':
  Duration: N/A, bitrate: N/A
Stream #0:0: Video: h263, yuv420p, 40x1732 [SAR 1:1 DAR 10:433], 599.40 
tbr, 1200k tbn, 599.40 tbc
  Pixel Aspect Ratio: 1.00/1   Frame Aspect Ratio: 0.02/1

WARNING: Can't get duration of media, not indexing, writing Skeleton 3 track.
[h263 @ 0x5642844b5880] Independent Segment Decoding not supported
[h263 @ 0x5642844b5880] warning: first frame is no keyframe
[h263 @ 0x5642844b5880] illegal ac vlc code at 0x0
[h263 @ 0x5642844b5880] Error at MB: 0
[h263 @ 0x5642844b5880] concealing 327 DC, 327 AC, 327 MV errors in P frame
[h263 @ 0x5642844b5880] warning: first frame is no keyframe
[h263 @ 0x5642844b5880] illegal ac vlc code at 7x0
[h263 @ 0x5642844b5880] Error at MB: 7
[h263 @ 0x5642844b5880] concealing 396 DC, 396 AC, 396 MV errors in P frame
Segmentation fault

---

[h263 @ 0x61b00080] Format h263 detected only with low score of 25, 
misdetection possible!
[h263 @ 0x61900580] Independent Segment Decoding not supported
Input #0, h263, from '/home/june/poc/ffmpeg2theora/crash7/poc':
  Duration: N/A, bitrate: N/A
Stream #0:0: Video: h263, yuv420p, 40x1732 [SAR 1:1 DAR 10:433], 599.40 
tbr, 1200k tbn, 599.40 tbc
  Pixel Aspect Ratio: 1.00/1   Frame Aspect Ratio: 0.02/1

WARNING: Can't get duration of media, not indexing, writing Skeleton 3 track.
[h263 @ 0x61900080] Independent Segment Decoding not supported
[h263 @ 0x61900080] warning: first frame is no keyframe
[h263 @ 0x61900080] illegal ac vlc code at 0x0
[h263 @ 0x61900080] Error at MB: 0
[h263 @ 0x61900080] concealing 327 DC, 327 AC, 327 MV errors in P frame
[h263 @ 0x61900080] warning: first frame is no keyframe
[h263 @ 0x61900080] illegal ac vlc code at 7x0
[h263 @ 0x61900080] Error at MB: 7
[h263 @ 0x61900080] concealing 396 DC, 396 AC, 396 MV errors in P frame
=
==11538==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x633a7980 at pc 0x7fb5ce7046c2 bp 0x7ffcb5580080 sp 0x7ffcb557f830
READ of size 40 at 0x633a7980 thread T0
#0 0x7fb5ce7046c1  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x766c1)
#1 0x7fb5ca6d9c8d in image_copy_plane libavutil/imgutils.c:317
#2 0x7fb5ca6d9c8d in image_copy libavutil/imgutils.c:379
#3 0x7fb5ca6d9c8d in av_image_copy libavutil/imgutils.c:398
#4 0x7fb5cb5879ee in av_picture_copy libavcodec/avpicture.c:78
#5 0x55d20da5cbbf in ff2theora_output src/ffmpeg2theora.c:1538
#6 0x55d20da65ad8 in main src/ffmpeg2theora.c:3095
#7 0x7fb5c9e182e0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#8 0x55d20da4ee79 in _start 
(/home/june/project/analyze/bins/ffmpeg2theora-0.30/ffmpeg2theora+0x15e79)

0x633a7980 is located 337 bytes to the right of 110639-byte region 
[0x6338c800,0x633a782f)
allocated by thread T0 here:
#0 0x7fb5ce768758 in __interceptor_posix_memalign 
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xda758)
#1 0x7fb5ca6de2b6 in av_malloc libavutil/mem.c:87

SUMMARY: AddressSanitizer: heap-buffer-overflow 
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0x766c1)
Shadow bytes around the buggy address:
  0x0c668000cee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c668000cef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c668000cf00: 00 00 00 00 00 07 fa fa fa fa fa fa fa fa fa fa
  0x0c668000cf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c668000cf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c668000cf30:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c668000cf40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c668000cf50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c668000cf60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c668000cf70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c668000cf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:   00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:   fa
  Freed heap region:   fd
  Stack left redzone:  f1
  Stack mid redzone:   f2
  Stack right redzone: f3
  Stack after return:  f5
  Stack use after scope:   f8
  Global

Bug#881138: ffmpeg2theora: use uninitialized stack value as a pointer while running ffmpeg2theora

2017-11-07 Thread Joonun Jang 
Package: ffmpeg2theora
Version: 0.30-1+b2
Severity: important
Tags: security

use uninitialized stack value as a pointer while running ffmpeg2theora with 
"poc" option

Running 'ffmpeg2theora poc' with the attached file uses uninitialized stack 
value as a pointer
which may allow a remote attacker to cause unspecified impact including 
denial-of-service attack
I expected the program to terminate without segfault, but the program crashes 
as follow

---

june@yuweol:~/poc/ffmpeg2theora/crash3$ ffmpeg2theora poc
[h263 @ 0x557eb7fb5840] Format h263 detected only with low score of 25, 
misdetection possible!
Input #0, h263, from 'poc':
  Duration: N/A, bitrate: N/A
Stream #0:0: Video: h263, yuv420p, 176x144 [SAR 12:11 DAR 4:3], 29.97 tbr, 
1200k tbn, 29.97 tbc
  Pixel Aspect Ratio: 1.09/1   Frame Aspect Ratio: 1.33/1

WARNING: Can't get duration of media, not indexing, writing Skeleton 3 track.
[h263 @ 0x557eb7fb6880] I cbpc damaged at 0 0
[h263 @ 0x557eb7fb6880] Error at MB: 0
[h263 @ 0x557eb7fb6880] concealing 99 DC, 99 AC, 99 MV errors in I frame
  0:00:00.03 audio: 0kbps video: 16kbps, time elapsed: 00:00:00   
Segmentation fault

---

Starting program: /usr/bin/ffmpeg2theora poc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[h263 @ 0x55811820] Format h263 detected only with low score of 25, 
misdetection possible!
Input #0, h263, from 'poc':
  Duration: N/A, bitrate: N/A
Stream #0:0: Video: h263, yuv420p, 176x144 [SAR 12:11 DAR 4:3], 29.97 tbr, 
1200k tbn, 29.97 tbc


Breakpoint 1, 0x55563ab8 in ?? ()
(gdb) x/2x $rbp - 0x368
0x7fffca18: 0xf493f960  0x7fff

- This is entry point of function,local variable $rbp - 0x368 is 0x7693f960.


(gdb) c
Continuing.
  Pixel Aspect Ratio: 1.09/1   Frame Aspect Ratio: 1.33/1

WARNING: Can't get duration of media, not indexing, writing Skeleton 3 track.
[h263 @ 0x55812860] I cbpc damaged at 0 0
[h263 @ 0x55812860] Error at MB: 0
[h263 @ 0x55812860] concealing 99 DC, 99 AC, 99 MV errors in I frame
  0:00:00.03 audio: 0kbps video: 16kbps, time elapsed: 00:01:55

Program received signal SIGSEGV, Segmentation fault.
clear_context (s=0x7493f960) at libswresample/swresample.c:116
116 s->in_buffer_index= 0;


- the value 7493f960 which is same as the above uninitialized value
  was passed to clear_context function as a parameter.


(gdb) bt
#0  clear_context (s=0x7493f960) at libswresample/swresample.c:116
#1  0x555648e6 in ?? ()
#2  0xc8da in main ()
(gdb) f 1
#1  0x555648e6 in ?? ()
(gdb) x/5i $rip-16
   0x555648d6:  mov-0x368(%rbp),%edi
   0x555648dc:  test   %rdi,%rdi
   0x555648df:  je 0x555648e6
   0x555648e1:  callq  0xb650 
=> 0x555648e6:  mov-0x38(%rbp),%rax
(gdb) x/2x $rbp - 0x368
0x7fffca18: 0xf493f960  0x7fff


- argument %rdi comes from -0x368(%rbp) which is same position
  when we check at the entry point of this function

---

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ffmpeg2theora depends on:
ii  libavcodec577:3.3.4-2+b2
ii  libavdevice57   7:3.3.4-2+b2
ii  libavfilter67:3.3.4-2+b2
ii  libavformat57   7:3.3.4-2+b2
ii  libavutil55 7:3.3.4-2+b2
ii  libc6   2.24-17
ii  libkate10.4.1-7+b1
ii  libogg0 1.3.2-1+b1
ii  liboggkate1 0.4.1-7+b1
ii  libpostproc54   7:3.3.4-2+b2
ii  libswresample2  7:3.3.4-2+b2
ii  libswscale4 7:3.3.4-2+b2
ii  libtheora0  1.1.1+dfsg.1-14+b1
ii  libvorbis0a 1.3.5-4
ii  libvorbisenc2   1.3.5-4

ffmpeg2theora recommends no packages.

ffmpeg2theora suggests no packages.

-- no debconf information


poc
Description: Binary data

Bug#881066: [#QMM-573-27544]: Bug#881066: Debian mirror debian.ipserverone.com: out of date

2017-11-07 Thread IP SERVERONE - Support 
Hi Peter,

We are sorry for the incident, have just manually run the sync, could you 
please check if the mirror is up-to-date now?

Thanks

--

Mak Kuen Seng
Support Team Lead

IP SERVERONE SOLUTIONS SDN BHD
A-1-1, Block A, Glomac Damansara
Jalan Damansara, 6 Kuala Lumpur

Tel: 603 2026 1688 | Fax: 603 7728 3188

Ticket History
===

Peter Palfrader (Client) Posted On: 07 November 2017 10:48 PM

===
Package: mirrors
User: mirr...@packages.debian.org
Usertags: mirror-problem may-auto-close
Control: submitter -1 mirr...@debian.org

Hi!

According to
 https://mirror-master.debian.org/status/mirror-info/debian.ipserverone.com.html
your mirror is out of date by over a week.

Please investigate.
-- 
|  .''`.   ** Debian **
  Peter Palfrader   | : :' :  The  universal
 https://www.palfrader.org/ | `. `'  Operating System
|   `-https://www.debian.org/







Ticket Details
-
Ticket ID: QMM-573-27544
Department: Support
Type: Issue
Status: Replied
Priority: Normal

Helpdesk: https://support.ipserverone.com/index.php?

Bug#881137: xul-ext-https-everywhere: Please update xul-ext-https-everywhere to version 2017.10.30 by next pu

2017-11-07 Thread Julien Aubin 
Package: xul-ext-https-everywhere
Version: 5.2.8-1
Severity: grave
Justification: renders package unusable

Hi,

Firefox release 59 is coming quite soon to Debian, actually next March for
the
ones using mozilla.debian.net.

By this time current https-everywhere extension won't work anymore as it
does
not
have webext standard. Upstream version 2017.10.30 does follow this standard.

Could you please make it available for next p-u in order to anticipate the
transition ?

Thanks a lot



-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages xul-ext-https-everywhere depends on:
ii  firefox-esr52.4.0esr-1~deb9u1
ii  icedove1:52.4.0-1~deb9u1
ii  iceweasel  52.4.0esr-1~deb9u1
ii  thunderbird [icedove]  1:52.4.0-1~deb9u1

xul-ext-https-everywhere recommends no packages.

xul-ext-https-everywhere suggests no packages.

-- no debconf information

Bug#881135: xul-ext-ublock-origin: Update ublock-origin to version 1.14.16 by next p-u

2017-11-07 Thread Julien Aubin 
Package: xul-ext-ublock-origin
Version: 1.10.4+dfsg-1
Severity: grave
Justification: renders package unusable

Hi,

Firefox release 59 is coming quite soon to Debian, actually next March for
the
ones using mozilla.debian.net.

By this time current ublock-origin extension won't work anymore as it does
not
have webext standard. Upstream version 1.14.16 does follow this standard.

Could you please make it available for next p-u in order to anticipate the
transition ?

Thanks a lot



-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages xul-ext-ublock-origin depends on:
ii  firefox-esr52.4.0esr-1~deb9u1
ii  fonts-font-awesome 4.7.0~dfsg-1
ii  icedove1:52.4.0-1~deb9u1
ii  iceweasel  52.4.0esr-1~deb9u1
ii  thunderbird [icedove]  1:52.4.0-1~deb9u1

xul-ext-ublock-origin recommends no packages.

xul-ext-ublock-origin suggests no packages.

-- no debconf information

Bug#881136: ITP: ocaml-rope -- Ropes ("heavyweight strings") for OCaml

2017-11-07 Thread Andy Li 
Package: wnpp
Severity: wishlist
Owner: Andy Li 

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

* Package name: ocaml-rope
  Version : 0.5
  Upstream Author : Christophe Troestler 
* URL : http://rope.forge.ocamlcore.org/
* License : LGPL-2.1 with linking exception
  Programming Lang: OCaml
  Description : Ropes ("heavyweight strings") for OCaml

Ropes are a scalable string implementation: they are designed for efficient
operation that involve the string as a whole such as concatenation and
substring. This library implements ropes for OCaml. It is rich enough to
replace strings.

This is a dependency of the next version of Haxe (4.0.0).
I will co-maintain it with the Debian OCaml Maintainers team.




-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQEcBAEBAgAGBQJaAprwAAoJENYPsCrEEWxp2JIH/0QOS8Tkms+fb3SDLfnBN1uC
LPGJzd5vuMEBFUHQj4F3DcW44y77690EPEFH+QDJtwdGBxjJhbG9CfQUP7G8V52/
rstWtnetVF1VMyeq4voMG6pOHT/eXKTg9H8L8zK3ccwSUSvrRlJE+OppN1owb4Am
b3bfUMsnD7GYTKb9f/VoQ+7zVD0JPh71xphcCSjBHH0hKoqMaDWfP9uRE/2e3zcU
Iy4SvX66Pn4/9bSxOJZOZ/pX8xucZrD0wmmjuyZmNONXcIeSuWSZ7YUBJrr/EePb
wsao+8r28nSBNYcJ3FfdoXacsLvHbZb5PeiZ94E9WZX+dFORvWsO9Wl0THPdngc=
=c38q
-END PGP SIGNATURE-

Bug#881133: x264: out of bound read while running x264

2017-11-07 Thread Joonun Jang 
Package: x264
Version: 2:0.148.2795+gitaaa9aa8-1
Severity: important
Tags: security

out of bound read while running x264 with "--crf 24 -o output.264 poc" option

Running 'x264 --crf 24 -o output.264 poc' with the attached file raises out of 
bound read
which may allow a remote attack to cause a denial-of-service attack or 
information disclosure
with a crafted file.
I expected the program to terminate without segfault, but the program crashes 
as follow

---

june@yuweol:~/poc/x264/crash1$ x264 --crf 24 -o output.264 poc
Segmentation fault

---

Breakpoint 1, Vgm_Emu_Impl::run_commands (this=0x557aafd0, end_time=2205)
at 
/home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Vgm_Emu_Impl.cpp:202
warning: Source file is more recent than executable.
202   pcm_pos = pcm_data + pos [3] * 0x100L + pos [2] * 0x1L +
(gdb) l
197   pos += size;
198   break;
199 }
200
201 case cmd_pcm_seek:
202   pcm_pos = pcm_data + pos [3] * 0x100L + pos [2] * 0x1L +
203   pos [1] * 0x100L + pos [0];
204   pos += 4;
205   break;
206
(gdb) x/s [0]
0x557b2d75: "DEAD\235\235\235\235T\302\\", '\302' , 
"TTT}\374\270\337U\020"

* Here pcm_pos was calculated based on the value in pos buffer.
* the values in pos buffer can be manipulated(In this case pos buffer starts 
with DEAD)

(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x77bbcf73 in Vgm_Emu_Impl::run_commands (this=0x557aafd0, 
end_time=2205)
at 
/home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Vgm_Emu_Impl.cpp:212
212   write_pcm( vgm_time, *pcm_pos++ );
(gdb) l
207 default:
208   int cmd = pos [-1];
209   switch ( cmd & 0xF0 )
210   {
211 case cmd_pcm_delay:
212   write_pcm( vgm_time, *pcm_pos++ );
213   vgm_time += cmd & 0x0F;
214   break;
215
216 case cmd_short_delay:

* Later this manipulated pcm_pos used at 212 line which raises segmentation 
fault in this case.

(gdb) bt
#0  0x77bbcf73 in Vgm_Emu_Impl::run_commands (this=0x557aafd0, 
end_time=2205)
at 
/home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Vgm_Emu_Impl.cpp:212
#1  0x77bbc2b8 in Vgm_Emu::run_clocks (this=0x557aafd0, 
time_io=@0x7fffcc34: 178977,
msec=50) at 
/home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Vgm_Emu.cpp:403
#2  0x77b7d047 in Classic_Emu::play_ (this=0x557aafd0, count=2048, 
out=0x557b1d10)
at 
/home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Classic_Emu.cpp:113
#3  0x77bbc31f in Vgm_Emu::play_ (this=0x557aafd0, count=2048, 
out=0x557b1d10)
at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Vgm_Emu.cpp:411
#4  0x77b8692b in Music_Emu::emu_play (this=0x557aafd0, count=2048, 
out=0x557b1d10)
at 
/home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Music_Emu.cpp:305
#5  0x77b86a4d in Music_Emu::fill_buf (this=0x557aafd0)
at 
/home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Music_Emu.cpp:327
#6  0x77b86ecc in Music_Emu::play (this=0x557aafd0, out_count=256, 
out=0x557da6c0)
at 
/home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Music_Emu.cpp:400
#7  0x77b82a1f in gme_play (me=0x557aafd0, n=256, p=0x557da6c0)
at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/gme.cpp:336
#8  0x767f2e1d in ?? () from /usr/lib/x86_64-linux-gnu/libavformat.so.57
#9  0x768d870a in ?? () from /usr/lib/x86_64-linux-gnu/libavformat.so.57
#10 0x768d937c in ?? () from /usr/lib/x86_64-linux-gnu/libavformat.so.57
#11 0x768db320 in avformat_find_stream_info () from 
/usr/lib/x86_64-linux-gnu/libavformat.so.57
#12 0x76b9a0af in ?? () from /usr/lib/x86_64-linux-gnu/libffms2.so.4
#13 0x76b9620a in ?? () from /usr/lib/x86_64-linux-gnu/libffms2.so.4
#14 0x76b9399c in FFMS_CreateIndexerWithDemuxer () from 
/usr/lib/x86_64-linux-gnu/libffms2.so.4
#15 0x5556b60a in ?? ()
#16 0xc93d in ?? ()
#17 0x7426c2e1 in __libc_start_main (main=0xa030, argc=6, 
argv=0x7fffe208,
init=, fini=, rtld_fini=, 
stack_end=0x7fffe1f8)
at ../csu/libc-start.c:291
#18 0xcb3a in ?? ()

---

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.



-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Bug#881134: RFS: runescape/0.2-2 [QA] -- Multiplayer online game set in a fantasy world

2017-11-07 Thread Carlos Donizete Froes 
Package: sponsorship-requests
Severity: normal

  Dear mentors,

  I am looking for a sponsor for my package "runescape"

 * Package name: runescape
   Version : 0.2-2
   Upstream Author : Carlos Donizete Froes 
 * URL : https://github.com/coringao/runescape/wiki
 * License : BSD-2-Clause
   Section : non-free/games

  It builds those binary packages:

runescape  - Multiplayer online game set in a fantasy world

  To access further information about this package, please visit the following 
URL:

  https://mentors.debian.net/package/runescape

  Alternatively, one can download the package with dget using this command:

dget -x 
https://mentors.debian.net/debian/pool/non-free/r/runescape/runescape_0.2-2.dsc

  More information about Runescape can be obtained from 
https://github.com/coringao/runescape.

  Changes since the last upload: (d/changelog)

  * Team upload
  * Added 'XS-Autobuild: yes' in debian/control
  * Notification of the 'disclaimer' and about 'autobuilding' in d/copyright

  ---

  Disclaimer:
This package is not part of the Debian distribution. It is provided in
the non-free archive area as a convenience to Debian users.
The contents of this package can not be distributed as part of Debian
distribution because the license mentioned does not allow commercial use.
  Autobuilding:
According the license there are no problems to build this software
on several architectures automatically and distributing it.

  Regards,
   Carlos Donizete Froes

Bug#881132: bs1770gain: stack buffer overflow while running bs1770gain

2017-11-07 Thread Joonun Jang 
Package: bs1770gain
Version: 0.4.12-2
Severity: important
Tags: security

stack buffer overflow while running bs1770gain with "poc -o output" option

Running 'bs1770gain poc -o output' with the attached file raises stack buffer 
overflow
which may allow a remote attack to cause a denial-of-service attack or 
I expected the program to terminate without segfault, but the program crashes 
as follow

---

june@yuweol:~/poc/bs1770gain/crash2$ bs1770gain poc -o output
analyzing ...
  [1/1] "poc": Segmentation fault

---

june@yuweol:~/poc/bs1770gain/crash2$ 
~/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain poc -o output
analyzing ...
  [1/1] "poc": =
==5034==ERROR: AddressSanitizer: stack-buffer-overflow on address 
0x7fffded69470 at pc 0x55e89c1c8419 bp 0x7fffded693b0 sp 0x7fffded693a8
WRITE of size 8 at 0x7fffded69470 thread T0
#0 0x55e89c1c8418 in convert_fltp 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2b418)
#1 0x55e89c1c99af in ffsox_frame_convert_sox 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2c9af)
#2 0x55e89c1c1f29 in sox_reader_run 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x24f29)
#3 0x55e89c1bd686 in ffsox_machine_run 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x20686)
#4 0x55e89c1c19d3 in ffsox_sox_reader_read 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x249d3)
#5 0x55e89c1c2577 in drain 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x25577)
#6 0x7f2434b9db4d in sox_flow_effects 
(/usr/lib/x86_64-linux-gnu/libsox.so.2+0x28b4d)
#7 0x55e89c1b98f2 in ffsox_analyze 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1c8f2)
#8 0x55e89c1b19fd in bs1770gain_tree_analyze 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x149fd)
#9 0x55e89c1ae14e in main 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1114e)
#10 0x7f24347f82e0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#11 0x55e89c1aa4e9 in _start 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0xd4e9)

Address 0x7fffded69470 is located in stack of thread T0 at offset 96 in frame
#0 0x55e89c1c81df in convert_fltp 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2b1df)

  This frame has 1 object(s):
[32, 96) 'rp' <== Memory access at offset 96 overflows this variable
HINT: this may be a false positive if your program uses some custom stack 
unwind mechanism or swapcontext
  (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2b418)
 in convert_fltp
Shadow bytes around the buggy address:
  0x10007bda5230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007bda5240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007bda5250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007bda5260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007bda5270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007bda5280: 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00[f3]f3
  0x10007bda5290: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x10007bda52a0: f1 f1 00 00 00 00 00 f2 f2 f2 f3 f3 f3 f3 00 00
  0x10007bda52b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007bda52c0: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2 f3 f3
  0x10007bda52d0: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:   00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:   fa
  Freed heap region:   fd
  Stack left redzone:  f1
  Stack mid redzone:   f2
  Stack right redzone: f3
  Stack after return:  f5
  Stack use after scope:   f8
  Global redzone:  f9
  Global init order:   f6
  Poisoned by user:f7
  Container overflow:  fc
  Array cookie:ac
  Intra object redzone:bb
  ASan internal:   fe
  Left alloca redzone: ca
  Right alloca redzone:cb
==5034==ABORTING

---

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via

Bug#881131: bs1770gain: divide by zero while running bs1770gain

2017-11-07 Thread Joonun Jang 
Package: bs1770gain
Version: 0.4.12-2
Severity: normal
Tags: security

divide by zero while running bs1770gain with "poc -o output" option

Running 'bs1770gain poc -o output' with the attached file raises divide by zero 
exception
which may allow a remote attack to cause a denial-of-service attack.
I expected the program to terminate without segfault, but the program crashes 
as follow

---

june@yuweol:~/poc/bs1770gain/crash1$ bs1770gain poc output
analyzing ...
  [1/1] "poc": Floating point exception

---

Program received signal SIGFPE, Arithmetic exception.
0x75858e6d in sox_flow_effects () from 
/usr/lib/x86_64-linux-gnu/libsox.so.2
(gdb) x/i $rip
=> 0x75858e6d :  div%rcx
(gdb) i r rcx
rcx0x0  0

---

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bs1770gain depends on:
ii  libavcodec577:3.3.4-2+b2
ii  libavformat57   7:3.3.4-2+b2
ii  libavutil55 7:3.3.4-2+b2
ii  libc6   2.24-17
ii  libsox2 14.4.1-5+b2
ii  libswresample2  7:3.3.4-2+b2

bs1770gain recommends no packages.

bs1770gain suggests no packages.

-- no debconf information


poc
Description: audio/flac

Bug#881130: vorbis-tools: use uninitialized local value as a pointer running oggenc

2017-11-07 Thread Joonun Jang 
Package: vorbis-tools
Version: 1.4.0-10+b1
Severity: important
Tags: security

bad free while running oggenc with "poc -o output" option

Running 'oggenc poc -o output' with the attached file raises
bad free(use uninitalized local value as a pointer)
which may allow a remote attacker to cause unspecified impact including 
denial-of-service attack
I expected the program to terminate without segfault, but the program crashes 
as follow

---

june@yuweol:~/poc/oggenc/crash1$ oggenc poc -o output
Opening with flac module: FLAC file reader
Encoding "poc" to
 "output"
at quality 3.00
*** Error in `oggenc': free(): invalid pointer: 0x7fff9a8ae710 ***
=== Backtrace: =
/lib/x86_64-linux-gnu/libc.so.6(+0x70bfb)[0x7f77a7e69bfb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76fc6)[0x7f77a7e6ffc6]
/lib/x86_64-linux-gnu/libc.so.6(+0x7780e)[0x7f77a7e7080e]
/usr/lib/x86_64-linux-gnu/libogg.so.0(oggpack_writeclear+0x12)[0x7f77a819ba32]
/usr/lib/x86_64-linux-gnu/libvorbis.so.0(vorbis_analysis_headerout+0x467)[0x7f77a892a807]
oggenc(+0x7aa7)[0x55cc5a9afaa7]
oggenc(+0x3cf6)[0x55cc5a9abcf6]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f77a7e192e1]
oggenc(+0x485a)[0x55cc5a9ac85a]
=== Memory map: 
55cc5a9a8000-55cc5a9b9000 r-xp  08:01 2135134
/usr/bin/oggenc
55cc5abb8000-55cc5abb9000 r--p 0001 08:01 2135134
/usr/bin/oggenc
55cc5abb9000-55cc5abba000 rw-p 00011000 08:01 2135134
/usr/bin/oggenc
55cc5c25a000-55cc5c29c000 rw-p  00:00 0  [heap]
7f77a000-7f77a0021000 rw-p  00:00 0
7f77a0021000-7f77a400 ---p  00:00 0
7f77a7be2000-7f77a7bf8000 r-xp  08:01 2235139
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f77a7bf8000-7f77a7df7000 ---p 00016000 08:01 2235139
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f77a7df7000-7f77a7df8000 r--p 00015000 08:01 2235139
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f77a7df8000-7f77a7df9000 rw-p 00016000 08:01 2235139
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f77a7df9000-7f77a7f8c000 r-xp  08:01 2235485
/lib/x86_64-linux-gnu/libc-2.24.so
7f77a7f8c000-7f77a818c000 ---p 00193000 08:01 2235485
/lib/x86_64-linux-gnu/libc-2.24.so
7f77a818c000-7f77a819 r--p 00193000 08:01 2235485
/lib/x86_64-linux-gnu/libc-2.24.so
7f77a819-7f77a8192000 rw-p 00197000 08:01 2235485
/lib/x86_64-linux-gnu/libc-2.24.so
7f77a84a2000-7f77a86a1000 ---p 00103000 08:01 2235490
/lib/x86_64-linux-gnu/libm-2.24.so
7f77a86a1000-7f77a86a2000 r--p 00102000 08:01 2235490
/lib/x86_64-linux-gnu/libm-2.24.so
7f77a86a2000-7f77a86a3000 rw-p 00103000 08:01 2235490
/lib/x86_64-linux-gnu/libm-2.24.so
7f77a86a3000-7f77a8718000 r-xp  08:01 2106746
/usr/lib/x86_64-linux-gnu/libFLAC.so.8.3.0
7f77a8718000-7f77a8918000 ---p 00075000 08:01 2106746
/usr/lib/x86_64-linux-gnu/libFLAC.so.8.3.0
7f77a8918000-7f77a8919000 r--p 00075000 08:01 2106746
/usr/lib/x86_64-linux-gnu/libFLAC.so.8.3.0
7f77a8919000-7f77a891a000 rw-p 00076000 08:01 2106746
/usr/lib/x86_64-linux-gnu/libFLAC.so.8.3.0
7f77a891a000-7f77a8945000 r-xp  08:01 2106748
/usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7f77a8945000-7f77a8b44000 ---p 0002b000 08:01 2106748
/usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7f77a8b44000-7f77a8b45000 r--p 0002a000 08:01 2106748
/usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7f77a8b45000-7f77a8b46000 rw-p 0002b000 08:01 2106748
/usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7f77a8b46000-7f77a8bd3000 r-xp  08:01 2106751
/usr/lib/x86_64-linux-gnu/libvorbisenc.so.2.0.11
7f77a8bd3000-7f77a8dd2000 ---p 0008d000 08:01 2106751
/usr/lib/x86_64-linux-gnu/libvorbisenc.so.2.0.11
7f77a8dd2000-7f77a8dee000 r--p 0008c000 08:01 2106751
/usr/lib/x86_64-linux-gnu/libvorbisenc.so.2.0.11
7f77a8dee000-7f77a8def000 rw-p 000a8000 08:01 2106751
/usr/lib/x86_64-linux-gnu/libvorbisenc.so.2.0.11
7f77a8def000-7f77a8e12000 r-xp  08:01 2230784
/lib/x86_64-linux-gnu/ld-2.24.so
7f77a8e5-7f77a8feb000 r--p  08:01 2116104
/usr/lib/locale/locale-archive
7f77a8feb000-7f77a8fef000 rw-p  00:00 0
7f77a900e000-7f77a9012000 rw-p  00:00 0
7f77a9012000-7f77a9013000 r--p 00023000 08:01 2230784
/lib/x86_64-linux-gnu/ld-2.24.so
7f77a9013000-7f77a9014000 rw-p 00024000 08:01 2230784
/lib/x86_64-linux-gnu/ld-2.24.so
7f77a9014000-7f77a9015000 rw-p  00:00 0
7fff9a89-7fff9a8b1000 rw-p  00:00 0

Bug#881129: icewm-themes obsolete package left on disk

2017-11-07 Thread 積丹尼 Dan Jacobson 
Package: icewm-experimental
Version: 1.4.3.0~pre-20171017-1
Severity: minor

I found icewm-themes obsolete package.

icewm-themes:
  Installed: 1.2.26-2
  Candidate: 1.2.26-2
  Version table:
 *** 1.2.26-2 100
100 /var/lib/dpkg/status

Shouldn't it have been removed automatically?
Can I remove it safely?

Bug#881128: texlive-publishers: revtex4/docs.sty is not part of revtex

2017-11-07 Thread Jerome Benoit 
Package: texlive-publishers
Version: 2016.20170123-5
Severity: normal

Dear Maintainer,

it appears that revtex4/docs.sty is systemwidely distributed in
/usr/share/texlive/texmf-dist/tex/latex/revtex4 ,
namely as part of REVTeX4 : as claimed in its header,
docs.sty is only meant to compose the REVTeX guides.
In short revtex4/docs.sty must not be distributed in texlive-publishers .

hth,
Jerome


-- Package-specific info:
IMPORTANT INFORMATION: We will only consider bug reports concerning
the packaging of TeX Live as relevant. If you have problems with
combination of packages in a LaTeX document, please consult your
local TeX User Group, the comp.text.tex user group, the author of
the original .sty file, or any other help resource. 

In particular, bugs that are related to up-upstream, i.e., neither
Debian nor TeX Live (upstream), but the original package authors,
will be closed immediately.

   *** The Debian TeX Team is *not* a LaTeX Help Desk ***

If you report an error when running one of the TeX-related binaries 
(latex, pdftex, metafont,...), or if the bug is related to bad or wrong
output, please include a MINIMAL example input file that produces the
error in your report.

Please run your example with
(pdf)latex -recorder ...
(or any other program that supports -recorder) and send us the generated
file with the extension .fls, it lists all the files loaded during
the run and can easily explain problems induced by outdated files in
your home directory.

Don't forget to also include minimal examples of other files that are 
needed, e.g. bibtex databases. Often it also helps
to include the logfile. Please, never send included pictures!

If your example file isn't short or produces more than one page of
output (except when multiple pages are needed to show the problem),
you can probably minimize it further. Instructions on how to do that
can be found at

http://www.minimalbeispiel.de/mini-en.html (english)

or 

http://www.minimalbeispiel.de/mini.html (german)

##
minimal input file


##
other files

##
 List of ls-R files

-rw-r--r-- 1 root root 2538 Sep 12 18:46 /var/lib/texmf/ls-R
-rw-r--r-- 1 root staff 4321 Aug 18  2016 /usr/local/share/texmf/ls-R
lrwxrwxrwx 1 root root 29 Jan 17  2017 /usr/share/texmf/ls-R -> 
/var/lib/texmf/ls-R-TEXMFMAIN
lrwxrwxrwx 1 root root 31 Mar  4  2017 /usr/share/texlive/texmf-dist/ls-R -> 
/var/lib/texmf/ls-R-TEXLIVEDIST
lrwxrwxrwx 1 root root 31 Mar  4  2017 /usr/share/texlive/texmf-dist/ls-R -> 
/var/lib/texmf/ls-R-TEXLIVEDIST
##
 Config files
-rw-r--r-- 1 root root 2344 Jun 26 18:27 /etc/texmf/web2c/texmf.cnf
lrwxrwxrwx 1 root root 33 Mar  4  2017 /usr/share/texmf/web2c/fmtutil.cnf -> 
/var/lib/texmf/fmtutil.cnf-DEBIAN
lrwxrwxrwx 1 root root 32 Mar  4  2017 /usr/share/texmf/web2c/updmap.cfg -> 
/var/lib/texmf/updmap.cfg-DEBIAN
-rw-r--r-- 1 root root 4138 Jun 28 11:09 
/var/lib/texmf/tex/generic/config/language.dat
##
 Files in /etc/texmf/web2c/
total 8
-rw-r--r-- 1 root root  283 Jan 10  2013 mktex.cnf
-rw-r--r-- 1 root root 2344 Jun 26 18:27 texmf.cnf
##
 md5sums of texmf.d
3bb00b8d973d9968c7204e593c3249e3  /etc/texmf/texmf.d/000local.cnf
ca40c66f144b4bafc3e59a2dd32ecb9c  /etc/texmf/texmf.d/00debian.cnf.disabled
055e06548bac99958d8ab2dd1248f2b4  /etc/texmf/texmf.d/80tex4ht.cnf
1df66bc319cec731e202eaf39f5d85e1  /etc/texmf/texmf.d/96JadeTeX.cnf

-- System Information:
Debian Release: Stretch*
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.12.0-0.bpo.1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8), LANGUAGE=en_GB:en 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages texlive-publishers depends on:
ii  tex-common 6.06
ii  texlive-base   2016.20170123-5
ii  texlive-latex-base 2016.20170123-5
ii  texlive-latex-recommended  2016.20170123-5

Versions of packages texlive-publishers recommends:
ii  texlive-latex-extra 2016.20170123-5
ii  texlive-publishers-doc  2016.20170123-5

texlive-publishers suggests no packages.

Versions of packages tex-common depends on:
ii  dpkg  1.18.24
ii  ucf   3.0036

Versions of packages tex-common suggests:
ii  debhelper  10.2.5

Versions of packages texlive-publishers is related to:
ii  tex-common6.06
ii  texlive-binaries  2016.20160513.41080.dfsg-2

-- debconf information excluded

Bug#878270: anthy (EUCJP->UTF-8) and *-anthy packages

2017-11-07 Thread dai 
On Tue, Nov 07, 2017 at 11:44:45PM +0900, Osamu Aoki wrote:
> Are *-anthy packages uploaded to cope with this new anthy just like 
> ibus-anthy?
>  fcitx-anthy
>  hime-anthy
>  scim-anthy
>  uim-anthy

They are rebuild with new anthy (libanthy1).

https://release.debian.org/transitions/html/auto-anthy.html

- https://packages.debian.org/unstable/fcitx-anthy (0.2.3-1)
- https://packages.debian.org/unstable/gcin-anthy (2.8.5+dfsg1-4+b1)
- https://packages.debian.org/unstable/hime-anthy 
(0.9.10+git20170427+dfsg1-2+b1)
- https://packages.debian.org/unstable/ibus-anthy (1.5.9-2.1)
- https://packages.debian.org/unstable/scim-anthy (1.2.7-6+b2)
- https://packages.debian.org/unstable/uim-plugins 
(1:1.8.6+gh20161003.0.d63dadd-8)

> Otherwise, they are broken in unstable now. (I did not have time to test
> them yet)

At least, I tested uim-anthy a little, it looks well.

> Even these are updated with manual patches, all these updated package
> needs to move together from unstable to testing.  I am not very familiar
> with this ABI breaking library update.  We may need to add BREAKS: to
> anthy to ensure this.  (I am not sure)  That may reqire to upload -7 for
> anthy.

I am not familiar and not sure, too.
-- 
Regards,
dai

GPG Fingerprint = 0B29 D88E 42E6 B765 B8D8 EA50 7839 619D D439 668E


signature.asc
Description: PGP signature

Bug#711469: [Pkg-openldap-devel] Bug#711469: Can we have libslapi-dev back please:

2017-11-07 Thread Ryan Tandy 

On Tue, Nov 07, 2017 at 03:07:04PM +0100, Florian Schlichting wrote:

Control: tags 711469 + patch


Hi, thank you for pinging the bug, and for the patch. I intend to make 
an upload in the coming weeks and I will definitely evaluate this 
addition. Do you have a convenient test case that I could use for 
verifying the result?


Thanks
Ryan

Bug#861796: Make Chromium run natively on Wayland

2017-11-07 Thread Michael Gilbert 
As of chromium 62 passing enable_wayland_server=true to gn fails with
an error related to ash.

For anyone interested in getting this working, you could try debugging
that error.

Best wishes,
Mike

Bug#879886: [Debian-med-packaging] Bug#879886: libhts2: libhts2 needs to handle ABI changes

2017-11-07 Thread Charles Plessy 
Hi Diane and everybody,

Le Tue, Nov 07, 2017 at 05:09:34PM -0800, Diane Trout a écrit :
> 
> I do think we should bring back the symbols file

I think so too.

Symbols file are strange to work with because their update usually goes
through a build failure that outputs a patch, which is not very
intuitive.  And then the patched symbols file has to be edited to remove
the Debian minor version, otherwise it complicates backports etc.
Perhaps it can be simplified, better explained and streamlined.  In any
case, I think that for the htslib it is worth the effort.

> I was wondering if we should split the cram headers into a
> libhts-private-dev so we can at least track what is depending on the
> non-public api.

An ideal solution, and I understand that it may not be easy, would be to
make the upstream users of htslib talk with the htslib developers, so
that they can implement what they want to without needing to access
private functions.  I think that it would fit the aims of both sides.

> I did realize that my thought about updating the SOVERSION might be
> wrong because I was just looking in the source tree for the removed
> functions but I should have been checking the public header files.

Indeed, packages using private functions need to have a tight dependency
on the htslib (unless we are very confident that there are regression
tests that cover this area of the code).  Packages that are more
well-behaved can infer their dependency through the (to be re-added)
symbols file.

Have a nice day,

Charles

-- 
Charles Plessy
Debian Med packaging team,
http://www.debian.org/devel/debian-med
Tsurumi, Kanagawa, Japan

Bug#881127: transition: xerces-c

2017-11-07 Thread William Blough 
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
Control: block -1 by 881026 881023 881108 881016 881018 881112 881114 881115
Control: block 873669 by -1

Hi,

I would like to transition xerces-c from 3.1 to 3.2 (currently in
experimental).  Test building the rdepends produced issues with the
following packages:

cegui-mk2 - Bug #881018 (with patch)
librcsb-core-wrapper - Bug #881023 (with patch)
openms - Bug #881026 (FTBFS with current unstable, not in testing)
pktanon - Bug #881016 (with patch)
xsd - Bug #881108
camitk - Bug #881112 (Blocked by 881108)
freecontact - Bug #881114 (Blocked by 881108)
libkolabxml - Bug #881115 (Blocked by 881108)


All other reverse dependencies (listed at [1]) build successfully against 3.2
and should be able to be transitioned via binNMU.

[1] https://release.debian.org/transitions/html/auto-xerces-c.html

Please schedule a slot for this transition.

Thanks!
Bill


Ben file:

title = "xerces-c";
is_affected = .depends ~ "libxerces-c3.1" | .depends ~ "libxerces-c3.2";
is_good = .depends ~ "libxerces-c3.2";
is_bad = .depends ~ "libxerces-c3.1";


signature.asc
Description: PGP signature

Bug#881126: mirror submission for debian.vancouver.fullhost.com

2017-11-07 Thread FullHost 
Package: mirrors
Severity: wishlist
User: mirr...@packages.debian.org
Usertags: mirror-submission

Submission-Type: new
Site: debian.vancouver.fullhost.com
Type: leaf
Archive-architecture: amd64 i386
Archive-http: /debian/
Maintainer: FullHost 
Country: CA Canada
Location: Vancouver, BC
Sponsor: FullHost https://www.fullhost.com




Trace Url: http://debian.vancouver.fullhost.com/debian/project/trace/
Trace Url: 
http://debian.vancouver.fullhost.com/debian/project/trace/ftp-master.debian.org
Trace Url: 
http://debian.vancouver.fullhost.com/debian/project/trace/debian.vancouver.fullhost.com

Bug#880573: chromium: Chromium built-in PDF visor prints garbage

2017-11-07 Thread Michael Gilbert 
control: forwarded -1 http://crbug.com/777837

The latest upstream versions introduced a lot of printing problems.
They should all be fixed in chromium 63.  Please retest once that
version is released.

Best wishes,
Mike

Bug#881125: arp-scan: Segmentation fault at link-packet-socket.c:127

2017-11-07 Thread Nelson A. de Oliveira 
Package: arp-scan
Version: 1.9-2
Severity: important

Hi!

While calling a simple "arp-scan" with an unprivileged user it segfaults.

gdb output with arp-scan-dbgsym and "thread apply all bt full" is
attached.

Thank you!

Best regards,
Nelson

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (100, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8), 
LANGUAGE=pt_BR:pt:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages arp-scan depends on:
ii  ieee-data   20160613.1
ii  libc6   2.24-17
ii  libpcap0.8  1.8.1-5

Versions of packages arp-scan recommends:
ii  libwww-perl  6.27-1

arp-scan suggests no packages.

-- no debconf information
Starting program: /usr/sbin/arp-scan 

Program received signal SIGSEGV, Segmentation fault.
get_hardware_address (if_name=0x77dd8600 "wlan0", 
hw_address=0x7fffddea "") at link-packet-socket.c:127
127 link-packet-socket.c: No such file or directory.

Thread 1 (process 20764):
#0  get_hardware_address (if_name=0x77dd8600 "wlan0", 
hw_address=0x7fffddea "") at link-packet-socket.c:127
No locals.
#1  0x6890 in main (argc=1, argv=0x7fffe188) at arp-scan.c:165
now = {tv_sec = 10, tv_usec = 0}
diff = {tv_sec = 0, tv_usec = 0}
select_timeout = 
loop_timediff = 
host_timediff = 
last_packet_time = {tv_sec = 0, tv_usec = 140737351918452}
req_interval = 
cum_err = 0
start_time = {tv_sec = 1510107635, tv_usec = 114334}
end_time = {tv_sec = 140737354131208, tv_usec = 140737354113448}
elapsed_time = {tv_sec = 8, tv_usec = 140737354113688}
elapsed_seconds = 
reset_cum_err = 
pass_no = 0
first_timeout = 1
i = 
errbuf = "\000\000\000\000\000\000\000\000\b\347\377\367\377\177", 
'\000' , 
"\220\352\377\367\377\177\000\000\320\337\377\377\377\177\000\000\000\000\000\000\000\000\000\000\b\347\377\367\377\177\000\000\300\337\377\377\377\177\000\000\307\262\225\367\377\177\000\000&\260be\000\000\000\000\377\377\377\377",
 '\000' , 
"h\242\377\367\377\177\000\000\b\347\377\367\377\177", '\000' ...
filter = {bf_len = 4160725656, bf_insns = 0x77de2bb3}
filter_string = 
netmask = 32767
localnet = 8192
datalink = 
get_addr_status = 0
pcap_fd = 
interface_mac = "\000\000\000\000\000"
pcap_handle =

Bug#881124: shadow.ind.ntou.edu.tw: request name change, and add as candidate of ftp.tw

2017-11-07 Thread 魏銘廷 
Package: mirrors
Severity: wishlist

Dear Maintainer,

I would like to change the name of the server shadow.ind.ntou.edu.tw to
ftp.ntou.edu.tw, also set up as a ftp.tw.d.o candidate if possible.

Due to recent removal of linux3.cc.ntu.edu.tw mirror server, ftp.tw.d.o
is redirected to Hong Kong.  Also I got out of sync due to it.  However
we recently completed setting up push mirror of debian archive from
mirror.xtom.com.hk (current ftp.{tw,cn,hk}.d.o).

The mirror I am maintaining (shadow.ind.ntou.edu.tw/ftp.ntou.edu.tw) can
be a good candidate of ftp.tw.debian.org since the access to
mirror.xtom.com.hk is slower from public ISP in Taiwan, and I can try to
access the machine physically if needed.

The server is configured not to use TLS from ftp.tw.debian.org.  Also,
the mirror I am maintaining does not have debian-security for security
concerns.

If that requires for the mirror to become a primary mirror, we can also
accomplish that.

Thanks,
Yao Wei

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)


signature.asc
Description: PGP signature

Bug#881123: ffmpeg2theora: null pointer dereference while running ffmpeg2theora

2017-11-07 Thread Joonun Jang 
Package: ffmpeg2theora
Version: 0.30-1+b2
Severity: normal
Tags: security

null pointer dereference while running ffmpeg2theora with "poc" option

Running 'ffmpeg2theora poc' with the attached file raises null pointer 
dereference
which may allow a remote attack to cause a denial-of-service attack
I expected the program to terminate without segfault, but the program crashes 
as follow

---

june@yuweol:~/poc/ffmpeg2theora/crash4$ ffmpeg2theora poc
[aac @ 0x55a00e699840] Format aac detected only with low score of 1, 
misdetection possible!
[aac @ 0x55a00e69abc0] More than one AAC RDB per ADTS frame is not implemented. 
Update your FFmpeg version to the newest one from Git. If the problem still 
occurs, it means that your file has a feature which has not been implemented.
[aac @ 0x55a00e69abc0] Assuming an incorrectly encoded 7.1 channel layout 
instead of a spec-compliant 7.1(wide) layout, use -strict 1 to decode according 
to the specification instead.
[aac @ 0x55a00e69abc0] Multiple frames in a packet.
Input #0, aac, from 'poc':
  Duration: N/A, bitrate: N/A
Stream #0:0: Audio: aac (LC), 16000 Hz, 7.1, fltp
[aac @ 0x55a00e69a5e0] Assuming an incorrectly encoded 7.1 channel layout 
instead of a spec-compliant 7.1(wide) layout, use -strict 1 to decode according 
to the specification instead.
WARNING: Can't get duration of media, not indexing, writing Skeleton 3 track.
[aac @ 0x55a00e69a5e0] More than one AAC RDB per ADTS frame is not implemented. 
Update your FFmpeg version to the newest one from Git. If the problem still 
occurs, it means that your file has a feature which has not been implemented.
[aac @ 0x55a00e69a5e0] Assuming an incorrectly encoded 7.1 channel layout 
instead of a spec-compliant 7.1(wide) layout, use -strict 1 to decode according 
to the specification instead.
[aac @ 0x55a00e69a5e0] Multiple frames in a packet.
[aac @ 0x55a00e69a5e0] Reserved bit set.
[aac @ 0x55a00e69a5e0] Prediction is not allowed in AAC-LC.
Segmentation fault

---

Program received signal SIGSEGV, Segmentation fault.
0x55560ab1 in ?? ()
(gdb) bt
#0  0x55560ab1 in ?? ()
#1  0x55564ab4 in ?? ()
#2  0xc8da in main ()
(gdb) x/i $rip
=> 0x55560ab1:  movss  (%r10,%r8,1),%xmm0
(gdb) i r r10 r8
r100x0  0
r8 0x0  0

---

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ffmpeg2theora depends on:
ii  libavcodec577:3.3.4-2+b2
ii  libavdevice57   7:3.3.4-2+b2
ii  libavfilter67:3.3.4-2+b2
ii  libavformat57   7:3.3.4-2+b2
ii  libavutil55 7:3.3.4-2+b2
ii  libc6   2.24-17
ii  libkate10.4.1-7+b1
ii  libogg0 1.3.2-1+b1
ii  liboggkate1 0.4.1-7+b1
ii  libpostproc54   7:3.3.4-2+b2
ii  libswresample2  7:3.3.4-2+b2
ii  libswscale4 7:3.3.4-2+b2
ii  libtheora0  1.1.1+dfsg.1-14+b1
ii  libvorbis0a 1.3.5-4
ii  libvorbisenc2   1.3.5-4

ffmpeg2theora recommends no packages.

ffmpeg2theora suggests no packages.

-- no debconf information


poc
Description: audio/hx-aac-adts

Bug#881122: ffmpeg2theora: null pointer dereference while running ffmpeg2theora

2017-11-07 Thread Joonun Jang 
Package: ffmpeg2theora
Version: 0.30-1+b2
Severity: normal
Tags: security

null pointer dereference while running ffmpeg2theora with "poc" option

Running 'ffmpeg2theora poc' with the attached file raises null pointer 
dereference
which may allow a remote attack to cause a denial-of-service attack
I expected the program to terminate without segfault, but the program crashes 
as follow

---

june@yuweol:~/poc/ffmpeg2theora/crash2$ ffmpeg2theora poc
[adp @ 0x55fbce8ff840] Format adp detected only with low score of 1, 
misdetection possible!
Input #0, adp, from 'poc':
  Duration: 00:00:00.00, start: 0.00, bitrate: 658 kb/s
Stream #0:0: Audio: adpcm_dtk, 48000 Hz, stereo, s16p
Segmentation fault

---

Program received signal SIGSEGV, Segmentation fault.
0x74b98199 in av_samples_fill_arrays () from 
/usr/lib/x86_64-linux-gnu/libavutil.so.55
(gdb) bt
#0  0x74b98199 in av_samples_fill_arrays () from 
/usr/lib/x86_64-linux-gnu/libavutil.so.55
#1  0x74b984d9 in av_samples_alloc () from 
/usr/lib/x86_64-linux-gnu/libavutil.so.55
#2  0x55565e7a in ?? ()
#3  0xc8da in main ()
(gdb) x/i $rip
=> 0x74b98199 : mov%rbx,(%r12)
(gdb) i r r12
r120x0  0

---

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ffmpeg2theora depends on:
ii  libavcodec577:3.3.4-2+b2
ii  libavdevice57   7:3.3.4-2+b2
ii  libavfilter67:3.3.4-2+b2
ii  libavformat57   7:3.3.4-2+b2
ii  libavutil55 7:3.3.4-2+b2
ii  libc6   2.24-17
ii  libkate10.4.1-7+b1
ii  libogg0 1.3.2-1+b1
ii  liboggkate1 0.4.1-7+b1
ii  libpostproc54   7:3.3.4-2+b2
ii  libswresample2  7:3.3.4-2+b2
ii  libswscale4 7:3.3.4-2+b2
ii  libtheora0  1.1.1+dfsg.1-14+b1
ii  libvorbis0a 1.3.5-4
ii  libvorbisenc2   1.3.5-4

ffmpeg2theora recommends no packages.

ffmpeg2theora suggests no packages.

-- no debconf information

Bug#881121: sox: null pointer dereference while running sox

2017-11-07 Thread Joonun Jang 
Package: sox
Version: 14.4.1-5+b2
Severity: normal
Tags: security

null pointer dereference while running sox with "poc.aiff output.aiff speed 
1.027" option

Running 'sox poc.aiff output.aiff speed 1.027' with the attached file raises 
null pointer dereference
which may allow a remote attack to cause a denial-of-service attack
I expected the program to terminate without segfault, but the program crashes 
as follow

---

june@yuweol:~/poc/sox/crash1$ sox ./poc.aiff output.aiff speed 1.027
Segmentation fault

---

Program received signal SIGSEGV, Segmentation fault.
0x77ba7ff8 in ?? () from /usr/lib/x86_64-linux-gnu/libsox.so.2
(gdb) bt
#0  0x77ba7ff8 in ?? () from /usr/lib/x86_64-linux-gnu/libsox.so.2
#1  0x77b5cb17 in sox_read () from /usr/lib/x86_64-linux-gnu/libsox.so.2
#2  0xfc74 in ?? ()
#3  0x77b6cb4e in sox_flow_effects () from 
/usr/lib/x86_64-linux-gnu/libsox.so.2
#4  0x8e21 in ?? ()
#5  0x770772e1 in __libc_start_main (main=0x7980, argc=5, 
argv=0x7fffe268,
init=, fini=, rtld_fini=, 
stack_end=0x7fffe258)
at ../csu/libc-start.c:291
#6  0xa45a in ?? ()
(gdb) x/i $rip
=> 0x77ba7ff8:  movzbl (%r11,%rsi,1),%edi
(gdb) i r r11 rsi
r110x0  0
rsi0x0  0

---

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sox depends on:
ii  libc6 2.24-17
ii  libgomp1  7.2.0-12
ii  libsox-fmt-alsa   14.4.1-5+b2
ii  libsox-fmt-ao 14.4.1-5+b2
ii  libsox-fmt-base   14.4.1-5+b2
ii  libsox-fmt-oss14.4.1-5+b2
ii  libsox-fmt-pulse  14.4.1-5+b2
ii  libsox2   14.4.1-5+b2

sox recommends no packages.

Versions of packages sox suggests:
ii  libsox-fmt-all  14.4.1-5+b2

-- no debconf information


poc.aiff
Description: Binary data

Bug#880992: debian-policy should not recommend running editor using absolute path

2017-11-07 Thread Sean Whitton 
Hello Jonathan,

On Mon, Nov 06 2017, Jonathan Nieder wrote:

>   Thus, every program that launches an editor or pager must use
>   the EDITOR or PAGER environment variable to determine the editor
>   or pager the user wishes to use. If these variables are not set,
>   the programs /usr/bin/editor and /usr/bin/pager should be used,
>   respectively.
>
> If read strictly, this says that I must use "/usr/bin/editor" instead
> of invoking "editor" from the $PATH.  (I'm not sure I agree with that
> interpretation, but it came up in https://bugs.debian.org/682347.)
> Running "editor" from the $PATH instead of using that full path should
> be perfectly acceptable and IMHO is a better behavior, since it allows
> the user to put a custom editor in /usr/local/bin or $HOME/bin.

ISTM that the intention is for the user to set EDITOR and PAGER to
select an editor or pager, rather than putting things called 'editor'
and 'pager' into PATH.  This seems sensible because 'editor' and 'pager'
are fairly generic terms and a user might have things in ~/bin/editor or
~/bin/pager that don't edit or page, respectively.

-- 
Sean Whitton


signature.asc
Description: PGP signature

Bug#881120: gifsicle: use after free while running gifsicle

2017-11-07 Thread Joonun Jang 
Package: gifsicle
Version: 1.90-1
Severity: important
Tags: security

use after free while running gifsicle with "poc poc -o output" option

Running 'gifsicle poc poc -o output' with the attached file raises use after 
free
which may allow a remote attack to cause a denial-of-service attack or other 
unspecified
impact with a crafted file
I expected the program to terminate without segfault, but the program crashes 
as follow

---

june@yuweol:~/poc/gifsicle/crash3$ gifsicle poc poc -o output
gifsicle:poc:#0: read error: unknown block type 49 at file offset 13
gifsicle:poc: read error: image position and/or dimensions out of range
gifsicle:poc:#0: read error: unknown block type 49 at file offset 13
gifsicle:poc: read error: image position and/or dimensions out of range
*** Error in `gifsicle': corrupted size vs. prev_size: 0x5607ed886d40 ***
=== Backtrace: =
/lib/x86_64-linux-gnu/libc.so.6(+0x70bfb)[0x7f4338e5abfb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76fc6)[0x7f4338e60fc6]
/lib/x86_64-linux-gnu/libc.so.6(+0x7738d)[0x7f4338e6138d]
/lib/x86_64-linux-gnu/libc.so.6(+0x78dfa)[0x7f4338e62dfa]
/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7f4338e64f64]
gifsicle(+0x877e)[0x5607ecfff77e]
gifsicle(+0x21a51)[0x5607ed018a51]
gifsicle(+0x22d97)[0x5607ed019d97]
gifsicle(+0x1f674)[0x5607ed016674]
gifsicle(+0x209a3)[0x5607ed0179a3]
gifsicle(+0x4054)[0x5607ecffb054]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f4338e0a2e1]
gifsicle(+0x472a)[0x5607ecffb72a]
=== Memory map: 
5607ecff7000-5607ed024000 r-xp  08:01 2104695
/usr/bin/gifsicle
5607ed224000-5607ed225000 r--p 0002d000 08:01 2104695
/usr/bin/gifsicle
5607ed225000-5607ed226000 rw-p 0002e000 08:01 2104695
/usr/bin/gifsicle
5607ed885000-5607ed8ad000 rw-p  00:00 0  [heap]
7f433400-7f4334021000 rw-p  00:00 0
7f4334021000-7f433800 ---p  00:00 0
7f4338bd3000-7f4338be9000 r-xp  08:01 2235139
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f4338be9000-7f4338de8000 ---p 00016000 08:01 2235139
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f4338de8000-7f4338de9000 r--p 00015000 08:01 2235139
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f4338de9000-7f4338dea000 rw-p 00016000 08:01 2235139
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f4338dea000-7f4338f7d000 r-xp  08:01 2235485
/lib/x86_64-linux-gnu/libc-2.24.so
7f4338f7d000-7f433917d000 ---p 00193000 08:01 2235485
/lib/x86_64-linux-gnu/libc-2.24.so
7f433917d000-7f4339181000 r--p 00193000 08:01 2235485
/lib/x86_64-linux-gnu/libc-2.24.so
7f4339181000-7f4339183000 rw-p 00197000 08:01 2235485
/lib/x86_64-linux-gnu/libc-2.24.so
7f4339183000-7f4339187000 rw-p  00:00 0
7f4339187000-7f433928a000 r-xp  08:01 2235490
/lib/x86_64-linux-gnu/libm-2.24.so
7f433928a000-7f4339489000 ---p 00103000 08:01 2235490
/lib/x86_64-linux-gnu/libm-2.24.so
7f4339489000-7f433948a000 r--p 00102000 08:01 2235490
/lib/x86_64-linux-gnu/libm-2.24.so
7f433948a000-7f433948b000 rw-p 00103000 08:01 2235490
/lib/x86_64-linux-gnu/libm-2.24.so
7f433948b000-7f43394a3000 r-xp  08:01 2235501
/lib/x86_64-linux-gnu/libpthread-2.24.so
7f43394a3000-7f43396a2000 ---p 00018000 08:01 2235501
/lib/x86_64-linux-gnu/libpthread-2.24.so
7f43396a2000-7f43396a3000 r--p 00017000 08:01 2235501
/lib/x86_64-linux-gnu/libpthread-2.24.so
7f43396a3000-7f43396a4000 rw-p 00018000 08:01 2235501
/lib/x86_64-linux-gnu/libpthread-2.24.so
7f43396a4000-7f43396a8000 rw-p  00:00 0
7f43396a8000-7f43396cb000 r-xp  08:01 2230784
/lib/x86_64-linux-gnu/ld-2.24.so
7f43398a6000-7f43398a8000 rw-p  00:00 0
7f43398c7000-7f43398cb000 rw-p  00:00 0
7f43398cb000-7f43398cc000 r--p 00023000 08:01 2230784
/lib/x86_64-linux-gnu/ld-2.24.so
7f43398cc000-7f43398cd000 rw-p 00024000 08:01 2230784
/lib/x86_64-linux-gnu/ld-2.24.so
7f43398cd000-7f43398ce000 rw-p  00:00 0
7ffddc943000-7ffddc964000 rw-p  00:00 0  [stack]
7ffddc96f000-7ffddc971000 r--p  00:00 0  [vvar]
7ffddc971000-7ffddc973000 r-xp  00:00 0  [vdso]
ff60-ff601000 r-xp  00:00 0  
[vsyscall]
Aborted

---

june@yuweol:~/poc/gifsicle/crash3$ 
~/project/analyze/bins/gifsicle-1.90/src/gifsicle poc poc -o output
gifsicle:poc:#0: read error: unknown block type 49 at file offset 13
gifsicle:poc: read error: image position and/or dimensions out of range
gifsicle:poc:#0:

Bug#881119: gifsicle: double free while running gifsicle

2017-11-07 Thread Joonun Jang 
Package: gifsicle
Version: 1.90-1
Severity: important
Tags: security

double free while running 'gifsicle with --delay 50 poc poc -o output' option

Running 'gifsicle --delay 50 poc poc -o output' with the attached file raises 
double free
which may allow a remote attacker to cause a denial-of-service attack or other 
unspecified
impact with a crafted file
I expected the program to terminate without segfault, but the program crashes 
as follow

---

june@yuweol:~/poc/gifsicle/crash1$ gifsicle poc poc -o output
gifsicle:poc:#0: read error: unknown block type 83 at file offset 37
gifsicle:poc: file not in GIF format
Segmentation fault

---

june@yuweol:~/poc/gifsicle/crash1$ 
~/project/analyze/bins/gifsicle-1.90/src/gifsicle --delay 50 poc poc -o output
gifsicle:poc:#0: read error: unknown block type 83 at file offset 37
gifsicle:poc: file not in GIF format
=
==4607==ERROR: AddressSanitizer: attempting double-free on 0x61100400 in 
thread T0:
#0 0x7f519caaafd0 in __interceptor_realloc 
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9fd0)
#1 0x562d9a5a6de8 in Gif_Realloc 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x1fde8)
#2 0x562d9a5b19db in suck_data 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2a9db)
#3 0x562d9a5b2fe2 in read_gif 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2bfe2)
#4 0x562d9a5b38cd in Gif_FullReadFile 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2c8cd)
#5 0x562d9a60301d in input_stream 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x7c01d)
#6 0x562d9a60a2e2 in main 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x832e2)
#7 0x7f519c3502e0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#8 0x562d9a596da9 in _start 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0xfda9)

0x61100400 is located 0 bytes inside of 207-byte region 
[0x61100400,0x611004cf)
freed by thread T0 here:
#0 0x7f519caaa8c8 in __interceptor_free 
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8)
#1 0x562d9a5b33ae in read_gif 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2c3ae)
#2 0x562d9a5b38cd in Gif_FullReadFile 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2c8cd)
#3 0x562d9a60301d in input_stream 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x7c01d)
#4 0x562d9a60a2e2 in main 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x832e2)
#5 0x7f519c3502e0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

previously allocated by thread T0 here:
#0 0x7f519caaafd0 in __interceptor_realloc 
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9fd0)
#1 0x562d9a5a6de8 in Gif_Realloc 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x1fde8)
#2 0x562d9a5b19db in suck_data 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2a9db)
#3 0x562d9a5b2fe2 in read_gif 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2bfe2)
#4 0x562d9a5b38cd in Gif_FullReadFile 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2c8cd)
#5 0x562d9a60301d in input_stream 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x7c01d)
#6 0x562d9a60a2e2 in main 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x832e2)
#7 0x7f519c3502e0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: double-free 
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9fd0) in __interceptor_realloc
==4607==ABORTING

---

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gifsicle depends on:
ii  libc6 2.24-17
ii  libx11-6  2:1.6.4-3

gifsicle recommends no packages.

gifsicle suggests no packages.

-- no debconf information


poc
Description: Binary data

Bug#881118: RFS: boost-numeric-bindings/0.99-1 [ITP] -- Numeric Library Bindings for Boost

2017-11-07 Thread Stephen Sinclair 
Package: sponsorship-requests
Severity: wishlist

Dear mentors,

I am looking for a sponsor for my package "boost-numeric-bindings":

* Package name: boost-numeric-bindings
  Version : 0.99
  Upstream Author : Kresimir Fresl et. al.
* URL : https://github.com/uBLAS/numeric_bindings
* License : Boost Software License - Version 1.0
  Programming Lang: C++
  Description : boost-numeric-bindings -- Numeric Library Bindings for Boost


Boost Bindings is a bindings library (not just) for Boost.Ublas.
It offers an easy way of calling BLAS, LAPACK, UMFPACK, MUMPS and
many other mature legacy numerical codes from within C++.

The package source may be found at:

http://anonscm.debian.org/cgit/debian-science/packages/boost-numeric-bindings.git

And the package description may be found at:

https://mentors.debian.net/debian/pool/main/b/boost-numeric-bindings/boost-numeric-bindings_0.99-1.dsc

Previously an ITP bug was filed by someone else (#536270) but then
dropped.  Since then a github repo was created by an upstream author
and a "pre-release 0.99" was released with a bit more work, in 2015.
I have updated the preliminary package by Teemu Ikonen from that bug
to the latest version, as well as the latest Debian compat and policy
versions.

This version of the package installs the header files to the
/usr/include/boost directory.

Please note that this version 0.99 did not include a LICENSE file in
the main directory, however all files nonetheless still have a
reference to their license at the top and it remains the same as in
debian/copyright.  (I have filed an upstream issue to restore the
license file.)

Preliminary support for running some of the tests should hopefully
come in the near future.  I intend to improve this, add documentation
if possible, and keep it up to date with any future releases.  It
would be beneficial to Debian to have these headers more easily
available, since projects are currently often embedding them in their
source distributions.

Bug#879886: [Debian-med-packaging] libhts2: libhts2 needs to handle ABI changes

2017-11-07 Thread Diane Trout 
Hi everyone,

I talked some with upstream about the symbols issues with htslib2

https://github.com/samtools/htslib/issues/616

They think that cram/*.h are private headers, but because we have a
policy of avoiding convenience copies we made those functions public[1]
because a few applications embed htslib and directly use the private
headers.

I do think we should bring back the symbols file, but I was wondering
if we should split the cram headers into a libhts-private-dev so we can
at least track what is depending on the non-public api.

I did realize that my thought about updating the SOVERSION might be
wrong because I was just looking in the source tree for the removed
functions but I should have been checking the public header files.

Diane

[1] https://anonscm.debian.org/cgit/debian-med/htslib.git/tree/debian/p
atches/htslib-add-cram_to_bam.patch

Bug#880709: zfsutils-linux 0.7.3 has an unlisted dependency on libuutil1linux >= 0.7.3

2017-11-07 Thread Nathaniel W Filardo 
It appears that libzpool2linux is also an unlisted dependency.  Merely
having libuutil1linux installed was enough to clear the error of this bug
but left "/sbin/zfs: symbol lookup error: /lib/libzfs.so.2: undefined
symbol: SHA2Update" behind until libzpool2linux got added to the system.

Cheers,
--nwf;


signature.asc
Description: PGP signature

Bug#881051: dpkg: Fails to build packages in non-ascii directories

2017-11-07 Thread James Clarke 
Control: tags -1 patch

On Tue, Nov 07, 2017 at 01:58:23PM +0100, Samuel Thibault wrote:
> Package: dpkg
> Version: 1.19.0.4
> Severity: normal
>
> Hello,
>
> $ locale charmap
> UTF-8
> $ mkdir testé
> $ cd testé
> $ apt-get source hello
> $ cd hello-*
> $ dpkg-buildpackage -b
>
> fails with
>
> dh clean
> Can't use string ("0") as a HASH ref while "strict refs" in use at 
> /usr/share/perl5/Dpkg/Vendor/Debian.pm line 397.
>
> This is working when using "teste" instead of "testé".
> This was working with dpkg 1.18.24.
>
> Samuel

It's not just non-ASCII, it's anything other than a "safe" subset of
ASCII (i.e. anything that might need escaping). This should fix it:

> --- a/scripts/Dpkg/Vendor/Debian.pm/Debian.pm
> +++ b/scripts/Dpkg/Vendor/Debian.pm/Debian.pm
> @@ -204,7 +204,7 @@
>  # so that we do not need to worry about escaping the characters
>  # on output.
>  if ($build_path =~ m/[^-+:.0-9a-zA-Z~\/_]/) {
> -$use_feature{fixdebugpath} = 0;
> +$use_feature{reproducible}{fixdebugpath} = 0;
>  }
>  }
>  

Regards,
James

Bug#876211:

2017-11-07 Thread Yangfl 
Literally you and me can't do anything to help packages get through new
queue. The new queue is widely known as seriously backlogged [
https://ftp-master.debian.org/stat.html]. We (another team) also suffer
from this.

But, you can try emailing ftp masters about this. Maybe they'll process our
package first.

2017年11月7日 下午10:39,"Nicholas Brown" 写道:

For what it's worth, I've build this package on a local OBS instance and
found it useful for developing local software I'm building.
How does the package get from new into testing?

Bug#871542: Chromium 60 UI is huge on HiDPI displays

2017-11-07 Thread Leandro Doctors 
Hi, all,

The problem seems to be solved using the latest version from unstable
(62.0.3202.89-1).
Could someone please confirm this?

Best,
Leandro

Bug#804638: kde-plasma-desktop: "The window switcher installation is broken"

2017-11-07 Thread Marcus Hansson 
Package: kde-plasma-desktop
Version: 5:92
Followup-For: Bug #804638

Hello!

This is present for me as well.

Also:

ii  kwin-addons  4:5.8.5-2

-- System Information:
Debian Release: 9.2
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8), LANGUAGE=en 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages kde-plasma-desktop depends on:
ii  kde-baseapps  4:16.08.3-1
ii  kde-runtime   4:16.08.3-2
ii  plasma-desktop4:5.8.6-1
ii  plasma-workspace  4:5.8.6-2.1
ii  udisks2   2.1.8-1
ii  upower0.99.4-4+b1

Versions of packages kde-plasma-desktop recommends:
ii  kwin-x11  4:5.8.6-1
ii  sddm  0.14.0-4
ii  xserver-xorg  1:7.7+19

Versions of packages kde-plasma-desktop suggests:
ii  kde-l10n-engb [kde-l10n]  4:16.04.3-1
ii  kde-l10n-sv [kde-l10n]4:16.04.3-1

-- no debconf information

Bug#439121: Add a .pc file for libapt-pkt

2017-11-07 Thread Corentin Noël 
Ah, you're right, so here is finally the right one

2017-11-07 23:44 GMT+01:00 Julian Andres Klode :

> On Tue, Nov 07, 2017 at 11:20:50PM +0100, Corentin Noël wrote:
> > Here is a patch working with current master, It's now fully working. It
> > contains a test to ensure that it works, I tested it with autopkgtest.
>
> > From 44fa7251911378bb0ca16a23024b7f7ede5a8f84 Mon Sep 17 00:00:00 2001
> > From: =?UTF-8?q?Corentin=20No=C3=ABl?= 
> > Date: Tue, 7 Nov 2017 20:38:13 +0100
> > Subject: [PATCH] Enable PkgConfig on the apt-pkg and apt-inst libraries
> >
> > ---
> >  apt-inst/CMakeLists.txt   |  3 +++
> >  apt-inst/apt-inst.pc.in   | 11 +++
> >  apt-pkg/CMakeLists.txt|  3 +++
> >  apt-pkg/apt-pkg.pc.in | 10 ++
> >  debian/libapt-pkg-dev.install |  1 +
> >  debian/tests/control  |  5 +++--
> >  debian/tests/pkg-config-test  | 22 ++
> >  7 files changed, 53 insertions(+), 2 deletions(-)
> >  create mode 100644 apt-inst/apt-inst.pc.in
> >  create mode 100644 apt-pkg/apt-pkg.pc.in
> >  create mode 100644 debian/tests/pkg-config-test
> >
> > diff --git a/apt-inst/CMakeLists.txt b/apt-inst/CMakeLists.txt
> > index 31da115e4..063b40318 100644
> > --- a/apt-inst/CMakeLists.txt
> > +++ b/apt-inst/CMakeLists.txt
> > @@ -12,6 +12,8 @@ set(APT_INST_MAJOR ${MAJOR} PARENT_SCOPE)
> >  file(GLOB_RECURSE library "*.cc")
> >  file(GLOB_RECURSE headers "*.h")
> >
> > +configure_file(apt-inst.pc.in ${CMAKE_CURRENT_BINARY_DIR}/apt-inst.pc
> @ONLY)
> > +
> >  # Create a library using the C++ files
> >  add_library(apt-inst SHARED ${library})
> >
> > @@ -25,4 +27,5 @@ add_version_script(apt-inst)
> >  # Install the library and the headers
> >  install(TARGETS apt-inst LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR})
> >  install(FILES ${headers} DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/
> apt-pkg)
> > +install(FILES ${CMAKE_CURRENT_BINARY_DIR}/apt-inst.pc DESTINATION
> ${CMAKE_INSTALL_LIBDIR}/pkgconfig)
> >  flatify(${PROJECT_BINARY_DIR}/include/apt-pkg/ "${headers}")
> > diff --git a/apt-inst/apt-inst.pc.in b/apt-inst/apt-inst.pc.in
> > new file mode 100644
> > index 0..c752f4657
> > --- /dev/null
> > +++ b/apt-inst/apt-inst.pc.in
> > @@ -0,0 +1,11 @@
> > +prefix=@CMAKE_INSTALL_PREFIX@
> > +exec_prefix=${prefix}
> > +libdir=${prefix}/@CMAKE_INSTALL_LIBDIR@
> > +includedir=${prefix}/@CMAKE_INSTALL_INCLUDEDIR@
>
> That's wrong. If I define CMAKE_INSTALL_LIBDIR to /foo,
> and prefix is /usr, you just set libdir to /usr//foo instead
> of /foo.
>
> Generally, we must not use CMAKE_INSTALL_PREFIX, and only
> use CMAKE_INSTALL_FULL_LIBDIR, CMAKE_INSTALL_FULL_INCLUDEDIR,
> and thus only define libdir and includedir, not prefix or
> exec_prefix.
>
> > +
> > +Name: apt-inst
> > +Description: deb package format runtime library
> > +Version: @MAJOR@.@MINOR@
> > +Libs: -L${libdir} -lapt-inst
> > +Cflags: -I${includedir}/apt-pkg
>
> The /apt-pkg should not be there.
>
> > diff --git a/apt-pkg/apt-pkg.pc.in b/apt-pkg/apt-pkg.pc.in
> > new file mode 100644
> > index 0..97c90ce5e
> > --- /dev/null
> > +++ b/apt-pkg/apt-pkg.pc.in
> > @@ -0,0 +1,10 @@
> > +prefix=@CMAKE_INSTALL_PREFIX@
> > +exec_prefix=${prefix}
> > +libdir=${prefix}/@CMAKE_INSTALL_LIBDIR@
> > +includedir=${prefix}/@CMAKE_INSTALL_INCLUDEDIR@
>
> as above
>
> > +
> > +Name: apt-pkg
> > +Description: package management runtime library
> > +Version: @MAJOR@.@MINOR@
> > +Libs: -L${libdir} -lapt-pkg -pthread
> > +Cflags: -I${includedir}/apt-pkg
>
> as above
>
>
>
> --
> Debian Developer - deb.li/jak | jak-linux.org - free software dev
> Ubuntu Core Developer  de, en speaker
>
From 19d95cdb3b1c70419ca7d7c34bafe068a7e056f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Corentin=20No=C3=ABl?= 
Date: Tue, 7 Nov 2017 20:38:13 +0100
Subject: [PATCH] Enable PkgConfig on the apt-pkg and apt-inst libraries

---
 apt-inst/CMakeLists.txt   |  3 +++
 apt-inst/apt-inst.pc.in   |  9 +
 apt-pkg/CMakeLists.txt|  3 +++
 apt-pkg/apt-pkg.pc.in |  8 
 debian/libapt-pkg-dev.install |  1 +
 debian/tests/control  |  5 +++--
 debian/tests/pkg-config-test  | 22 ++
 7 files changed, 49 insertions(+), 2 deletions(-)
 create mode 100644 apt-inst/apt-inst.pc.in
 create mode 100644 apt-pkg/apt-pkg.pc.in
 create mode 100644 debian/tests/pkg-config-test

diff --git a/apt-inst/CMakeLists.txt b/apt-inst/CMakeLists.txt
index 31da115e4..063b40318 100644
--- a/apt-inst/CMakeLists.txt
+++ b/apt-inst/CMakeLists.txt
@@ -12,6 +12,8 @@ set(APT_INST_MAJOR ${MAJOR} PARENT_SCOPE)
 file(GLOB_RECURSE library "*.cc")
 file(GLOB_RECURSE headers "*.h")
 
+configure_file(apt-inst.pc.in ${CMAKE_CURRENT_BINARY_DIR}/apt-inst.pc @ONLY)
+
 # Create a library using the C++ files
 add_library(apt-inst SHARED ${library})
 
@@ -25,4 +27,5 @@ add_version_script(apt-inst)
 # Install the library and the headers

Bug#877670: [Debian-med-packaging] Bug#877670: Bug#877670: bcftools FTBFS on armel armhf and ppc64el

2017-11-07 Thread Graham Inggs 
Control: reassign -1 htslib 1.4-1
Control: tags -1 + patch
Control: affects -1 bcftools

It seems this code appeared in htslib 1.4, but was only tested in bcftools 1.5.
Description: Fix calculation of PLs on ARM and POWER
Bug: https://github.com/samtools/bcftools/issues/702
Bug-Debian: https://bugs.debian.org/877670
Forwarded: https://github.com/samtools/htslib/pull/617
Author: Graham Inggs 
Last-Update: 2017-11-08
--- a/errmod.c
+++ b/errmod.c
@@ -82,10 +82,11 @@
 double le1 = log(1.0 - e);
 for (n = 1; n <= 255; ++n) {
 double *beta = em->beta + (q<<16|n<<8);
-sum1 = sum = 0.0;
-for (k = n; k >= 0; --k, sum1 = sum) {
-sum = sum1 + expl(lC[n<<8|k] + k*le + (n-k)*le1);
-beta[k] = -10. / M_LN10 * logl(sum1 / sum);
+sum1 = lC[n<<8|n] + n*le;
+beta[n] = INFINITY;
+for (k = n - 1; k >= 0; --k, sum1 = sum) {
+sum = sum1 + log1pl(expl(lC[n<<8|k] + k*le + (n-k)*le1 - sum1));
+beta[k] = -10. / M_LN10 * (sum1 - sum);
 }
 }
 }

Bug#439121: Add a .pc file for libapt-pkt

2017-11-07 Thread Julian Andres Klode 
On Tue, Nov 07, 2017 at 11:20:50PM +0100, Corentin Noël wrote:
> Here is a patch working with current master, It's now fully working. It
> contains a test to ensure that it works, I tested it with autopkgtest.

> From 44fa7251911378bb0ca16a23024b7f7ede5a8f84 Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Corentin=20No=C3=ABl?= 
> Date: Tue, 7 Nov 2017 20:38:13 +0100
> Subject: [PATCH] Enable PkgConfig on the apt-pkg and apt-inst libraries
> 
> ---
>  apt-inst/CMakeLists.txt   |  3 +++
>  apt-inst/apt-inst.pc.in   | 11 +++
>  apt-pkg/CMakeLists.txt|  3 +++
>  apt-pkg/apt-pkg.pc.in | 10 ++
>  debian/libapt-pkg-dev.install |  1 +
>  debian/tests/control  |  5 +++--
>  debian/tests/pkg-config-test  | 22 ++
>  7 files changed, 53 insertions(+), 2 deletions(-)
>  create mode 100644 apt-inst/apt-inst.pc.in
>  create mode 100644 apt-pkg/apt-pkg.pc.in
>  create mode 100644 debian/tests/pkg-config-test
> 
> diff --git a/apt-inst/CMakeLists.txt b/apt-inst/CMakeLists.txt
> index 31da115e4..063b40318 100644
> --- a/apt-inst/CMakeLists.txt
> +++ b/apt-inst/CMakeLists.txt
> @@ -12,6 +12,8 @@ set(APT_INST_MAJOR ${MAJOR} PARENT_SCOPE)
>  file(GLOB_RECURSE library "*.cc")
>  file(GLOB_RECURSE headers "*.h")
>  
> +configure_file(apt-inst.pc.in ${CMAKE_CURRENT_BINARY_DIR}/apt-inst.pc @ONLY)
> +
>  # Create a library using the C++ files
>  add_library(apt-inst SHARED ${library})
>  
> @@ -25,4 +27,5 @@ add_version_script(apt-inst)
>  # Install the library and the headers
>  install(TARGETS apt-inst LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR})
>  install(FILES ${headers} DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/apt-pkg)
> +install(FILES ${CMAKE_CURRENT_BINARY_DIR}/apt-inst.pc DESTINATION 
> ${CMAKE_INSTALL_LIBDIR}/pkgconfig)
>  flatify(${PROJECT_BINARY_DIR}/include/apt-pkg/ "${headers}")
> diff --git a/apt-inst/apt-inst.pc.in b/apt-inst/apt-inst.pc.in
> new file mode 100644
> index 0..c752f4657
> --- /dev/null
> +++ b/apt-inst/apt-inst.pc.in
> @@ -0,0 +1,11 @@
> +prefix=@CMAKE_INSTALL_PREFIX@
> +exec_prefix=${prefix}
> +libdir=${prefix}/@CMAKE_INSTALL_LIBDIR@
> +includedir=${prefix}/@CMAKE_INSTALL_INCLUDEDIR@

That's wrong. If I define CMAKE_INSTALL_LIBDIR to /foo,
and prefix is /usr, you just set libdir to /usr//foo instead
of /foo.

Generally, we must not use CMAKE_INSTALL_PREFIX, and only
use CMAKE_INSTALL_FULL_LIBDIR, CMAKE_INSTALL_FULL_INCLUDEDIR,
and thus only define libdir and includedir, not prefix or
exec_prefix.

> +
> +Name: apt-inst
> +Description: deb package format runtime library
> +Version: @MAJOR@.@MINOR@
> +Libs: -L${libdir} -lapt-inst
> +Cflags: -I${includedir}/apt-pkg

The /apt-pkg should not be there.

> diff --git a/apt-pkg/apt-pkg.pc.in b/apt-pkg/apt-pkg.pc.in
> new file mode 100644
> index 0..97c90ce5e
> --- /dev/null
> +++ b/apt-pkg/apt-pkg.pc.in
> @@ -0,0 +1,10 @@
> +prefix=@CMAKE_INSTALL_PREFIX@
> +exec_prefix=${prefix}
> +libdir=${prefix}/@CMAKE_INSTALL_LIBDIR@
> +includedir=${prefix}/@CMAKE_INSTALL_INCLUDEDIR@

as above

> +
> +Name: apt-pkg
> +Description: package management runtime library
> +Version: @MAJOR@.@MINOR@
> +Libs: -L${libdir} -lapt-pkg -pthread
> +Cflags: -I${includedir}/apt-pkg

as above



-- 
Debian Developer - deb.li/jak | jak-linux.org - free software dev
Ubuntu Core Developer  de, en speaker

Bug#881117: Printing a pdf with non-ascii title with evince fails

2017-11-07 Thread Brian Oney 
Package: hplip
Version: 3.16.11+repack0-3

Package: evince
Version: 3.22.1-3+deb9u1

Dear Debian Developers,
I can't print a pdf with a title that has a non-ascii character (possibly) with 
evince. It looks like evince's handling of the pdf (ps conversion?) seems to 
cause it. qpdfviewer works just find. lp also works fine. The cups error log is 
appended but the important bit is: 
D [07/Nov/2017:23:17:25 +0100] [Job 114] os.write(output_fd, 
to_bytes_utf8(\'@PJL SET JOBNAME=\"%s\"\\x0a\' % title))D [07/Nov/2017:23:17:25 
+0100] [Job 114] File \"/usr/share/hplip/base/sixext.py\", line 109, in 
to_bytes_utf8D [07/Nov/2017:23:17:25 +0100] [Job 114] return 
s.encode(\"utf-8\")D [07/Nov/2017:23:17:25 +0100] [Job 114] UnicodeEncodeError: 
\'utf-8\' codec can\'t encode character \'\\udcc3\' in position 21: surrogates 
not allowed
It looks the pdf 'Title:' may not contain an ä (or the like).
I guess it has to be evince, but it also appears that hplip could better handle 
pdf metadata.
Thanks!Brian
Tex filecat > test.tex << end_tex% Intended LaTeX compiler: 
pdflatex\documentclass[DIV=14,
fontsize=11pt,
parskip=half,
backaddress=false,
fromemail=true,
fromphone=true,
  fromalign=left]{scrlttr2}
 \usepackage[ngerman, germanb]{babel}
\usepackage[utf8]{inputenc}
\usepackage[T1]{fontenc}
\usepackage{graphicx}
\usepackage{grffile}
\usepackage{longtable}
\usepackage{wrapfig}
\usepackage{rotating}
\usepackage[normalem]{ulem}
\usepackage{amsmath}
\usepackage{textcomp}
\usepackage{amssymb}
\usepackage{capt-of}
\usepackage{hyperref}
\KOMAoption{fromurl}{false}
\LoadLetterOption{SN}
\setkomavar{fromname}{Brian O}
\setkomavar{fromemail}{}
\KOMAoption{fromemail}{false}
\KOMAoption{fromphone}{true}
\setkomavar{signature}{Brian  O}
\KOMAoption{backaddress}{false}
\setkomavar{place}{Earth}
\KOMAoptions{foldmarks=true}
\date{den 08.11.2017}
\hypersetup{
 pdfauthor={Brian O},
 pdftitle={Banänas!},
 pdflang={Germanb}}
\begin{document}
\setkomavar{title}{Banänas!}
\begin{letter}{%
Universe}
\opening{We the people\ldots{}}
\ldots{}like bananas!
And apples!
\url{https://youtu.be/wopHYlQEv7s}
\closing{Feed me}
\end{letter}
\end{document}
end_tex
pdflatex test.tex

CUPS error log:

[Job 114] Job stopped due to filter errors; please consult the error_log file 
for details.
[Job 114] The following messages were recorded from 23:17:11 to 23:17:25
[Job 114] Adding start banner page "none".
[Job 114] Queued on "HP_LaserJet_600_M602" by "".
[Job 114] Auto-typing file...
[Job 114] Request file type is application/pdf.
[Job 114] File of type application/pdf queued by "".
[Job 114] Adding end banner page "none".
[Job 114] time-at-processing=1510093031
[Job 114] 3 filters for job:
[Job 114] pdftopdf (application/pdf to application/vnd.cups-pdf, cost 66)
[Job 114] pdftops (application/vnd.cups-pdf to application/vnd.cups-postscript, 
cost 100)
[Job 114] hpps (application/vnd.cups-postscript to 
printer/HP_LaserJet_600_M602, cost 0)
[Job 114] job-sheets=none,none
[Job 114] argv[0]="HP_LaserJet_600_M602"
[Job 114] argv[1]="114"
[Job 114] argv[2]=""
[Job 114] argv[3]="Banänas!"
[Job 114] argv[4]="1"
[Job 114] argv[5]="noCollate cups-browsed cups-browsed-dest-printer=\\\"38\\ 
barry.local:631\\\" Duplex=None HPEconoMode HPEdgeToEdge HPFIDigit=0 
HPFTDigit=0 HPPaperSource=AutomaticallySelect noHPPinPrnt HPPrintQuality=600dpi 
HPSEDigit=0 HPTHDigit=0 job-uuid=urn:uuid:5e668a8e-b163-390d-47e5-d5d9159b4e18 
MediaType=Unspecified number-up=1 OutputBin=None PageSize=A4 
job-originating-host-name=192.168.0.29 date-time-at-creation= 
date-time-at-processing= time-at-creation=1510093031 
time-at-processing=1510093031"
[Job 114] argv[6]="/var/spool/cups/d00114-001"
[Job 114] envp[0]="CUPS_CACHEDIR=/var/cache/cups"
[Job 114] envp[1]="CUPS_DATADIR=/usr/share/cups"
[Job 114] envp[2]="CUPS_DOCROOT=/usr/share/cups/doc-root"
[Job 114] envp[3]="CUPS_FONTPATH=/usr/share/cups/fonts"
[Job 114] envp[4]="CUPS_REQUESTROOT=/var/spool/cups"
[Job 114] envp[5]="CUPS_SERVERBIN=/usr/lib/cups"
[Job 114] envp[6]="CUPS_SERVERROOT=/etc/cups"
[Job 114] envp[7]="CUPS_STATEDIR=/var/run/cups"
[Job 114] envp[8]="HOME=/var/spool/cups/tmp"
[Job 114] envp[9]="PATH=/usr/lib/cups/filter:/usr/bin:/usr/sbin:/bin:/usr/bin"
[Job 114] envp[10]="SERVER_ADMIN=root@barry"
[Job 114] envp[11]="SOFTWARE=CUPS/2.2.1"
[Job 114] envp[12]="TMPDIR=/var/spool/cups/tmp"
[Job 114] envp[13]="USER=root"
[Job 114] envp[14]="CUPS_MAX_MESSAGE=2047"
[Job 114] envp[15]="CUPS_SERVER=/var/run/cups/cups.sock"
[Job 114] envp[16]="CUPS_ENCRYPTION=IfRequested"
[Job 114] envp[17]="IPP_PORT=631"
[Job 114] envp[18]="CHARSET=utf-8"
[Job 114] envp[19]="LANG=en_US.UTF-8"
[Job 114] envp[20]="PPD=/etc/cups/ppd/HP_LaserJet_600_M602.ppd"
[Job 114] envp[21]="RIP_MAX_CACHE=128m"
[Job 114]

Bug#880604: mirror listing update for debian.utalca.cl

2017-11-07 Thread Fabio Duran Verdugo 
As recommendation I update the upstream mirror from debian.netlinux.cl
to mirrors.sfo.kernel.org. 

Now the repository is synchronized and you can check in this link https
://mirror-master.debian.org/status/mirror-info/debian.utalca.cl.html



-- 
Fabio Durán Verdugo
Escuela de Ingeniería Civil en Bioinformática 
Facultad de Ingeniería, Universidad de Talca
Fono: (56) -(71) - 2418857

On Tue, 2017-11-07 at 08:51 +, Peter Palfrader wrote:
> On Fri, 03 Nov 2017, Fabio Duran Verdugo wrote:
> 
> > It's done!
> 
> We recommend mirrors update four times a day.  Unfortunately, your
> upstream mirror doesn't do that.  Are there other places you could
> consider to mirror from?
> 
> Cheers,

signature.asc
Description: This is a digitally signed message part

Bug#881061: python-lz4 FTBFS on big endian: FAIL: test_get_frame_info (test_frame.TestLZ4Frame)

2017-11-07 Thread Thomas Goirand 
Hi James,

I tried to build on zelenka.debian.org, which is a s390 porter box (big
endian), and it failed even more.

Cheers,

Thomas Goirand (zigo)

Bug#881116: Call trace at debian stretch

2017-11-07 Thread paulo bruck 
Package: linux-image-4.9.0-4-amd64
Version: 4.9.51-1
Severity: critical
Justification: breaks the whole system

Dear Mainteners

Actually I am using kernel from jessie because if I try to use kernel
from strech it hangs at boot  with this message bellow.

Let me know if I could help witn more details.

nov 07 18:10:12 zeus kernel: CPU: 0 PID: 5729 Comm: munin-update
Tainted: G  DO4.9.0-4-amd64 #1
 Debian 4.9.51-1
nov 07 18:10:12 zeus kernel: Hardware name: Gigabyte Technology Co.,
Ltd. P67A-D3-B3/P67A-D3-B3, BIOS F1 03
/03/2011
nov 07 18:10:12 zeus kernel: task: 98ebd40e0040 task.stack: bd4cc8274000
nov 07 18:10:12 zeus kernel: RIP: 0010:[]
[] in_group_p+0x40/0x60
nov 07 18:10:12 zeus kernel: RSP: 0018:bd4cc8277c98  EFLAGS: 00010a07
nov 07 18:10:12 zeus kernel: RAX: 7ced RBX:
41ed RCX: 
nov 07 18:10:13 zeus kernel: RDX: f9db RSI:
7ced RDI: 
nov 07 18:10:13 zeus kernel: RBP: 98ec6f651168 R08:
98eba96d99c0 R09: 2f2f2f2f2f2f2f2f
nov 07 18:10:13 zeus kernel: R10:  R11:
98ebd40e0040 R12: 0081
nov 07 18:10:13 zeus kernel: R13: 0001 R14:
bd4cc8277e90 R15: 
nov 07 18:10:13 zeus kernel: FS:  7f576d6642c0()
GS:98ec7f40() knlGS:
nov 07 18:10:13 zeus kernel: CS:  0010 DS:  ES:  CR0: 80050033
nov 07 18:10:13 zeus kernel: CR2: 98eda96d8d7c CR3:
000232656000 CR4: 000426f0
nov 07 18:10:13 zeus kernel: Stack:
nov 07 18:10:13 zeus kernel:  9320d625 cbf036f6ecc9a92c
98ec6f651168 0081
nov 07 18:10:13 zeus kernel:  bd4cc8277d80 0001
9320d6c4 98ec73ec101d
nov 07 18:10:13 zeus kernel:  fefefefefefefeff bd4cc8277d80
9320fea6 2f2f2f2f2f2f2f2f
nov 07 18:10:13 zeus kernel: Call Trace:
nov 07 18:10:13 zeus kernel:  [] ?
generic_permission+0x105/0x180
nov 07 18:10:13 zeus kernel:  [] ?
__inode_permission+0x24/0xc0
nov 07 18:10:13 zeus kernel:  [] ? link_path_walk+0x86/0x650
nov 07 18:10:13 zeus kernel:  [] ? path_lookupat+0x86/0x120
nov 07 18:10:13 zeus kernel:  [] ? filename_lookup+0xb1/0x180
nov 07 18:10:13 zeus kernel:  [] ?
__check_object_size+0xfa/0x1d8
nov 07 18:10:13 zeus kernel:  [] ?
strncpy_from_user+0x48/0x160
nov 07 18:10:13 zeus kernel:  [] ? getname_flags+0x6a/0x1e0
nov 07 18:10:13 zeus kernel:  [] ? vfs_fstatat+0x59/0xb0
nov 07 18:10:13 zeus kernel:  [] ? SYSC_newstat+0x2a/0x60
nov 07 18:10:13 zeus kernel:  [] ? __do_page_fault+0x2d1/0x510
nov 07 18:10:13 zeus kernel:  [] ?
system_call_fast_compare_end+0xc/0x9b
nov 07 18:10:13 zeus kernel: Code: 3b 78 20 74 38 4c 8b 80 90 00 00 00
4d 85 c0 74 29 41 8b 50 04 85 d2 74 21 31 c9 eb 07 8d 48 01 39 ca 76
16 8d 04 0a d1 e8 89 c6 <41> 3b 7c b0 08 77 eb 73 09 89 c2 39 ca 77 ea
31 c0 c3 b8 01 00
nov 07 18:10:13 zeus kernel: RIP  [] in_group_p+0x40/0x60
nov 07 18:10:13 zeus kernel:  RSP 
nov 07 18:10:13 zeus kernel: CR2: 98eda96d8d7c
nov 07 18:10:13 zeus kernel: ---[ end trace 84c3ad992cd5b40b ]---

-- 
Paulo Ricardo Bruck consultor
tel 011 3596-4881/4882  011 98140-9184 (TIM)
http://www.contatogs.com.br
http://www.protejasuarede.com.br
gpg AAA59989 at wwwkeys.us.pgp.net

Bug#439121: Add a .pc file for libapt-pkt

2017-11-07 Thread Corentin Noël 
Here is a patch working with current master, It's now fully working. It
contains a test to ensure that it works, I tested it with autopkgtest.
From 44fa7251911378bb0ca16a23024b7f7ede5a8f84 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Corentin=20No=C3=ABl?= 
Date: Tue, 7 Nov 2017 20:38:13 +0100
Subject: [PATCH] Enable PkgConfig on the apt-pkg and apt-inst libraries

---
 apt-inst/CMakeLists.txt   |  3 +++
 apt-inst/apt-inst.pc.in   | 11 +++
 apt-pkg/CMakeLists.txt|  3 +++
 apt-pkg/apt-pkg.pc.in | 10 ++
 debian/libapt-pkg-dev.install |  1 +
 debian/tests/control  |  5 +++--
 debian/tests/pkg-config-test  | 22 ++
 7 files changed, 53 insertions(+), 2 deletions(-)
 create mode 100644 apt-inst/apt-inst.pc.in
 create mode 100644 apt-pkg/apt-pkg.pc.in
 create mode 100644 debian/tests/pkg-config-test

diff --git a/apt-inst/CMakeLists.txt b/apt-inst/CMakeLists.txt
index 31da115e4..063b40318 100644
--- a/apt-inst/CMakeLists.txt
+++ b/apt-inst/CMakeLists.txt
@@ -12,6 +12,8 @@ set(APT_INST_MAJOR ${MAJOR} PARENT_SCOPE)
 file(GLOB_RECURSE library "*.cc")
 file(GLOB_RECURSE headers "*.h")
 
+configure_file(apt-inst.pc.in ${CMAKE_CURRENT_BINARY_DIR}/apt-inst.pc @ONLY)
+
 # Create a library using the C++ files
 add_library(apt-inst SHARED ${library})
 
@@ -25,4 +27,5 @@ add_version_script(apt-inst)
 # Install the library and the headers
 install(TARGETS apt-inst LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR})
 install(FILES ${headers} DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/apt-pkg)
+install(FILES ${CMAKE_CURRENT_BINARY_DIR}/apt-inst.pc DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig)
 flatify(${PROJECT_BINARY_DIR}/include/apt-pkg/ "${headers}")
diff --git a/apt-inst/apt-inst.pc.in b/apt-inst/apt-inst.pc.in
new file mode 100644
index 0..c752f4657
--- /dev/null
+++ b/apt-inst/apt-inst.pc.in
@@ -0,0 +1,11 @@
+prefix=@CMAKE_INSTALL_PREFIX@
+exec_prefix=${prefix}
+libdir=${prefix}/@CMAKE_INSTALL_LIBDIR@
+includedir=${prefix}/@CMAKE_INSTALL_INCLUDEDIR@
+
+Name: apt-inst
+Description: deb package format runtime library
+Version: @MAJOR@.@MINOR@
+Libs: -L${libdir} -lapt-inst
+Cflags: -I${includedir}/apt-pkg
+Requires: apt-pkg
diff --git a/apt-pkg/CMakeLists.txt b/apt-pkg/CMakeLists.txt
index 2f5ad3200..44e5fd9c7 100644
--- a/apt-pkg/CMakeLists.txt
+++ b/apt-pkg/CMakeLists.txt
@@ -29,6 +29,8 @@ execute_process(COMMAND grep "^#define APT_PKG_RELEASE"
 message(STATUS "Building libapt-pkg ${MAJOR} (release ${MINOR})")
 set(APT_PKG_MAJOR ${MAJOR} PARENT_SCOPE) # exporting for methods/CMakeLists.txt
 
+configure_file(apt-pkg.pc.in ${CMAKE_CURRENT_BINARY_DIR}/apt-pkg.pc @ONLY)
+
 # Definition of the C++ files used to build the library - note that this
 # is expanded at CMake time, so you have to rerun cmake if you add or remove
 # a file (you can just run cmake . in the build directory)
@@ -65,6 +67,7 @@ add_version_script(apt-pkg)
 # Install the library and the header files
 install(TARGETS apt-pkg LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR})
 install(FILES ${headers} DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/apt-pkg)
+install(FILES ${CMAKE_CURRENT_BINARY_DIR}/apt-pkg.pc DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig)
 flatify(${PROJECT_BINARY_DIR}/include/apt-pkg/ "${headers}")
 
 if(CMAKE_BUILD_TYPE STREQUAL "Coverage")
diff --git a/apt-pkg/apt-pkg.pc.in b/apt-pkg/apt-pkg.pc.in
new file mode 100644
index 0..97c90ce5e
--- /dev/null
+++ b/apt-pkg/apt-pkg.pc.in
@@ -0,0 +1,10 @@
+prefix=@CMAKE_INSTALL_PREFIX@
+exec_prefix=${prefix}
+libdir=${prefix}/@CMAKE_INSTALL_LIBDIR@
+includedir=${prefix}/@CMAKE_INSTALL_INCLUDEDIR@
+
+Name: apt-pkg
+Description: package management runtime library
+Version: @MAJOR@.@MINOR@
+Libs: -L${libdir} -lapt-pkg -pthread
+Cflags: -I${includedir}/apt-pkg
diff --git a/debian/libapt-pkg-dev.install b/debian/libapt-pkg-dev.install
index 42e7c34d5..563e99909 100644
--- a/debian/libapt-pkg-dev.install
+++ b/debian/libapt-pkg-dev.install
@@ -1,3 +1,4 @@
 usr/include/apt-pkg/
 usr/lib/*/libapt-inst*.so
 usr/lib/*/libapt-pkg*.so
+usr/lib/*/pkgconfig/apt-*.pc
diff --git a/debian/tests/control b/debian/tests/control
index 85b16e062..a0234b50b 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -1,8 +1,9 @@
-Tests: run-tests
+Tests: run-tests, pkg-config-test
 Restrictions: allow-stderr
 Depends: @, @builddeps@, dpkg, fakeroot, wget, stunnel4, lsof, db-util,
  gnupg (>= 2) | gnupg2,
  gnupg1 | gnupg (<< 2),
  gpgv (>= 2) | gpgv2,
  gpgv1 | gpgv (<< 2),
- libfile-fcntllock-perl, python3-apt
+ libfile-fcntllock-perl, python3-apt,
+ pkg-config
diff --git a/debian/tests/pkg-config-test b/debian/tests/pkg-config-test
new file mode 100644
index 0..cb8d1ffb0
--- /dev/null
+++ b/debian/tests/pkg-config-test
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+set -e
+
+WORKDIR=$(mktemp -d)
+trap "rm -rf $WORKDIR" 0 INT QUIT ABRT PIPE TERM
+cd $WORKDIR
+cat < pkgconfigtest.c

Bug#857730: Need to support DPKG_ROOT

2017-11-07 Thread Bastien ROUCARIES 
On Thu, Nov 2, 2017 at 6:27 PM, Thomas Liske  wrote:
>
> tags 857730 upstream
> severity 857730 wishlist
> thanks
>
>
> Hi Bastien,
>
>
> Bastien ROUCARIES  writes:
>
 severity: important
>>>
>>> Using severity important for anything DPKG_ROOT related sounds dubious
>>> to me, because the feature is not finalized in dpkg, but a technology
>>> preview.
>
> Please do not abuse the bug severity - I do not think that this issue has any
> major effect on the usability of a package.
>
> [1] https://www.debian.org/Bugs/Developer#severities
>
>
 Testing dpkg testsuite without beeing root needrestart crash.
>>>
>>> Maybe you can give more details here as to what crashes and how it
>>> fails?
>>>
 I believe need restart need to take in account $DPKG_ROOT
>>>
>>> You mentioned on irc that the file you want to touch is
>>> /etc/dpkg/dpkg.cfg.d/needrestart. That's not a maintainer script.
>>> DPKG_ROOT is only defined during maintainer script execution. Thus
>>> DPKG_ROOT will be undefined here.
>>>
 at least it should not execute if dpkg-root is set (so patch)
>>>
>>> Why should execution of needrestart depend on the way maintainer scripts
>>> are executed? That doesn't make any sense to me. Shouldn't the real
>>> condition be something like skipping needrestart when it is not
>>> installed in the system /?
>>
>> No rootless dpkg fail if needrestart is installed. This is the bug.
>>
>> To test install dpkg testsuite and run
>>
>>  DPKG_TESTSUITE_OPTIONS="not-root" eatmydata make test
>>
>> it will fail with a permission problem
>
> Please provide a consistent error description (Does needrestart crash or
> is there a permission problem?) including some screen logs and howto
> reproduce the problem.
>
> If the testsuite stuff is WIP we maybe should wait until it is finalized
> and there is a recommendation available howto handle the testsuite in
> (pre-invoke|post-invoke|status-logger) commands.

Seems reasonable but it still fail with permission problem. It is
reproductible do not remember the exact error but it fail apt
>
>
> HTH,
> Thomas
>
> --
>
> ::  WWW:https://fiasko-nw.net/~thomas/  ::
>:::  Jabber:   xmpp:tho...@jabber.fiasko-nw.net  :::
> ::  flickr: https://www.flickr.com/photos/laugufe/  ::

Bug#880982: ifup does not trigger scripts any more after booting

2017-11-07 Thread Guus Sliepen 
On Tue, Nov 07, 2017 at 09:55:17PM +0100, Narcis Garcia wrote:

> Thanks Guus for the suggestion about netplug as alternative.
> Network interface's configurtaion (IP) is already done when hotplugging
> the cable.
> 
> What is not working on same event is the run-parts of scripts in
> /etc/network/if-up.d [...]

Aha. If you are using DHCP, then the DHCP client will probably detect
that the cable is plugged in again at some point, and will assign it an
address. However, ifupdown is never called when that happens, so
ifupdown will not cause any of the scripts to run. Also, ifupdown will
consider the interface to be up all the time, whether the cable is
plugged in or not.

Note that dhclient itself can also run scripts when it gets or loses a
lease, see man dhclient-script.

> (as non-Systemd Debian versions did)

This has nothing to do with systemd vs. sysvinit. Maybe it is caused by
changes in udev. But on my computers, I don't see udev generating any
events when I plug or unplug a network cable...

-- 
Met vriendelijke groet / with kind regards,
  Guus Sliepen 


signature.asc
Description: PGP signature

Bug#881115: libkolabxml: Transition to xerces-c 3.2

2017-11-07 Thread William Blough 
Source: libkolabxml
Severity: important
User: de...@blough.us
Usertags: xerces-c3.2-transition
Control: block -1 by 881108


This bug is for transition tracking purposes.

xerces-c will be transitioning from 3.1 to 3.2 soon.  However,
libkolabxml depends on src:xsd which does not currently work with
libxerces-c3.2 (bug 881108).  Once the issue with xsd has been resolved, it
will be necessary to test libkolabxml with xerces 3.2

Bug#881114: freecontact: Transition to xerces-c 3.2

2017-11-07 Thread William Blough 
Source: freecontact
Severity: important
User: de...@blough.us
Usertags: xerces-c3.2-transition
Control: block -1 by 881108


This bug is for transition tracking purposes.

xerces-c will be transitioning from 3.1 to 3.2 soon.  However,
freecontact depends on src:xsd which does not currently work with
libxerces-c3.2 (bug 881108).  Once the issue with xsd has been resolved,
it will be necessary to test freecontact with xerces 3.2

Bug#881112: camitk: Transition to xerces-c 3.2

2017-11-07 Thread William Blough 
Source: camitk
Severity: important
User: de...@blough.us
Usertags: xerces-c3.2-transition
Control: block -1 by 881108

This bug is for transition tracking purposes.

xerces-c will be transitioning from 3.1 to 3.2 soon.  However, camitk
depends on src:xsd which does not currently work with libxerces-c3.2
(bug 881108).  Once the issue with xsd has been resolved, it will be
necessary to test camitk with xerces 3.2

Bug#881113: mailman3-core: Package should suggest lynx

2017-11-07 Thread Philip Frei 
Package: mailman3-core
Version: 3.1.0-1
Severity: minor

Dear Maintainer,

Mailman uses lynx to convert html to plain text messages. Maybe it's a
good idea to add lynx to the package suggestions.



-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-0.bpo.1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), 
LANGUAGE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Bug#880234: Re%3A nibabel%3A FTBFS%3A Test failures

2017-11-07 Thread Yaroslav Halchenko 
Thanks for checking it out!  I will issue an updated package shortly

Cheers and thnks again

On Tue, 07 Nov 2017, Thiago Franco de Moraes wrote:

> Hi

> I cloned the git repo from nibabel and did some tests. I saw the HEAD of 
> upstream doesn't have this problem. The difference from the HEAD to the 2.1.0 
> version in the file with the error is diff I've attached in this email. 
> Applying this diff fix this problem. I think you can send this patch to the 
> guy which packages nibabel.

> Kind regards.



-- 
Yaroslav O. Halchenko
Center for Open Neuroscience http://centerforopenneuroscience.org
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834   Fax: +1 (603) 646-1419
WWW:   http://www.linkedin.com/in/yarik

Bug#881111: python3-netaddr: unicode vs bytes issue between Python 2.x and 3.x when reading and writing IEEE data files

2017-11-07 Thread MoaMoaK 
Package: python3-netaddr
Version: 0.7.18-2
Severity: normal

Dear Maintainer,

When requesting OUI information on some MAC address with Python 3.x
( EUI("70:5A:B6:B8:64:8C").oui ), the package seems to fail on unicode vs bytes 
decoding
if the MAC has been used before with Python 2.x

The issue has been solved in the latest version of python3-netaddr (0.7.19)
( the commit 
https://github.com/drkjam/netaddr/commit/af145601df4329a4dc55ef0ce9ce5f8645f09d4f
 )

The package needs to be updated to latest version to solve this.

-- MoaMoaK

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python3-netaddr depends on:
ii  ieee-data  20160613.1
ii  python33.5.3-1

python3-netaddr recommends no packages.

Versions of packages python3-netaddr suggests:
ii  ipython3 5.1.0-3
pn  python-netaddr-docs  

-- no debconf information

Bug#877562: libqb FTCBFS: uses uncached AC_RUN_IFELSE

2017-11-07 Thread Ferenc Wágner 
Control: forwarded -1 https://github.com/ClusterLabs/libqb/pull/269

"Manuel A. Fernandez Montecelo"  writes:

> If upstream Hurd people were so sure about it I'd strongly consider to
> follow their advice.

That's the plan.  Unfortunately, the POSIX interface defers the check to
runtime on amd64 for example, so we'll have to code that up.

> From what you talk about in this bug report, if the extra check is
> mostly to satisfy a bug in Hurd and they fix it, you could as well
> remove it.

When we have the runtime check, the configure check will degrade to a
mere optimization specific to exotic platforms guaranteeing a monotonic
clock.  Probably not worth keeping.

> But on the other hand, as Helmut says, if many other projects do it and
> since Hurd is not very popular, perhaps it's a wider problem than Hurd.

Yes, in the above sense it is, see also the discussion in the linked
upstream pull request.
-- 
Regards,
Feri

Bug#881110: cacti: CVE-2017-16641: arbitrary execution of os commands via path_rrdtool parameter in an action=save request

2017-11-07 Thread Salvatore Bonaccorso 
Source: cacti
Version: 1.1.27+ds1-2
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/Cacti/cacti/issues/1057

Hi,

the following vulnerability was published for cacti.

CVE-2017-16641[0]:
| lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators
| to execute arbitrary OS commands via the path_rrdtool parameter in an
| action=save request to settings.php.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-16641
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16641
[1] https://github.com/Cacti/cacti/issues/1057

Please adjust the affected versions in the BTS as needed, only did
check unstable's version for now source-wise.

Regards,
Salvatore

Bug#881109: ITP: boost-numeric-bindings -- boost-numeric-bindings -- Numeric Library Bindings for Boost

2017-11-07 Thread Stephen Sinclair 
Package: wnpp
Severity: wishlist
Owner: Stephen Sinclair 

* Package name: boost-numeric-bindings
  Version : 0.99
  Upstream Author : Kresimir Fresl et. al.
* URL : https://github.com/uBLAS/numeric_bindings
* License : Boost Software License - Version 1.0
  Programming Lang: C++
  Description : boost-numeric-bindings -- Numeric Library Bindings for Boost


Boost Bindings is a bindings library (not just) for Boost.Ublas.
It offers an easy way of calling BLAS, LAPACK, UMFPACK, MUMPS and
many other mature legacy numerical codes from within C++.

Previously an ITP bug was filed (#536270) but then dropped.  Since
then a github repo was created and a "pre-release 0.99" was released
with a bit more work, in 2015.  I have updated the preliminary package
by Teemu Ikonen from that bug to the latest version, as well as the
latest Debian compat and policy versions, based on his package repo:
git://git.debian.org/debian-science/packages/boost-numeric-bindings.git

The package already installs the header files successfully to within
the /usr/include/boost directory and I have preliminary support for
running some of the tests.  I intend to improve this, add
documentation if possible, and keep it up to date with any future
releases.  It would be beneficial to Debian to have these headers more
easily available, since projects are currently often embedding them
headers in their source distributions.

Bug#812721: gbp could filter out Files-Excluded: entries when committing to the pristine-tar branch

2017-11-07 Thread Michael Stapelberg 
Thanks for your reply. Answers inline:

On Mon, Nov 6, 2017 at 8:59 AM, Guido Günther  wrote:
> Hi,
> On Tue, Oct 31, 2017 at 05:24:05PM +0100, Michael Stapelberg wrote:
>> Hi Guido,
>>
>> The pkg-go team is currently discussing changes to its workflow, and
>> we’d be interested in resolving this feature request.
>
> Can you provide a pointer to the discussion?

Have a look at 
https://lists.alioth.debian.org/pipermail/pkg-go-maintainers/Week-of-Mon-20171016/015809.html

>
>>
>> Guido Günther  writes:
>> > I would rather do this with a dfsg-clean branch. You delete once and
>> > then use git tools from there on.
>>
>> Searching for how dfsg-clean branches should be named, I found
>> https://honk.sigxcpu.org/projects/git-buildpackage/manual-html/gbp.branch.naming.html,
>> which recommends “dfsg/latest”.
>>
>> However, my reading of section “About repacked upstream sources” of
>> http://dep.debian.net/deps/dep14/ directly contradicts the above advice:
>> DEP14 says upstream/* should contain the repackaged files.
>>
>> How do we reconcile this apparent contradiction?
>
> Since gbp makes no assumptions on this I'm happy to update the docs. How
> would we call the non-filtered branch then "nondfsg/latest"?  When we
> base our packaging on upstream git we'll likely use upstream's branch
> name but in case of tarballs we should provide a good recommendation.

Just to make sure we’re talking about the same thing: the branch
you’re asking for naming recommendations is currently called
“upstream”, yes?

If yes, then I don’t particularly like the name “nondfsg/latest”, as
it is a double-negative, but describes a very common case. Why not
keep calling it “upstream”, or “upstream/latest” if symmetry is
desired?

>
>> >> It would be great if gbp could produce the 1.2.3+dfsg tag itself by
>> >> reading debian/copyright and excluding the Files-Excluded: files.
>> >
>> > If somebody comes up with a clean patch I'm happy to merge that.
>>
>> Which part of gbp specifically should be patched here? AFAICT, there is
>> no command which pulls a new version from upstream yet. Should one be
>> added? What should it be called?
>
> My first reaction was to teach gbp import-orig to have a
>
> gbp import-orig "git-ref"
>
> mode that would do the right thing but I now think having
>
> gbp update "git-ref"
>
> that
>
> - does the excluding and tagging if necessary
> - merges to the debian branch
>
> is better. We need to make sure that gbp import-orig's filtering (using
> the --filter command line or filter= gbp.conf option) stays in sync with
> what we do so we don't have on tool using --filter= and the other one
> parsing debian/changelog.

You’re saying gbp import-orig and gbp update should both support the
same filter option, in additon to d/copyright, yes?

>
> If somebody comes up with a better name than "update" that's all fine.

“update” is a rather generic term. Given that the underlying git
operation is “git pull”, how about “gbp pull-upstream”?


-- 
Best regards,
Michael

Bug#866343: extlinux: Files in /etc/kernel/ not removed during upgrade

2017-11-07 Thread Lukas Schwaighofer 
Hi again,

I just checked the contents of the
 /etc/kernel/post{inst,rm}.d/zz-extlinux
files which are identical:

#!/bin/sh

set -e

# Exit if extlinux was removed (!= purged)
if [ -x /usr/sbin/extlinux-update ]
then
# Update extlinux configuration
extlinux-update
fi

Since the file is harmless enough when /usr/sbin/extlinux-update does
not exist, I think removing the file in sid/testing will be good enough.

Sorry for the noise, should have checked that file earlier.

Regards
Lukas

Bug#880982: ifup does not trigger scripts any more after booting

2017-11-07 Thread Narcis Garcia 
Thanks Guus for the suggestion about netplug as alternative.
Network interface's configurtaion (IP) is already done when hotplugging
the cable.
What is not working on same event is the run-parts of scripts in
/etc/network/if-up.d (as non-Systemd Debian versions did) and maybe
other directories as:

/etc/network/if-down.d
/etc/network/if-pre-up.d
/etc/network/if-post-down.d

This bad behavior happens when no Desktop/NetworkManager is in effect,
and since Debian 9 is beyond 5 minutes after boot.

I've tried to set TimeoutStartSec=infinity with no success at
/lib/systemd/system/ifup@.service


__
I'm using this express-made address because personal addresses aren't
masked enough at this mail public archive. Public archive administrator
should fix this against automated addresses collectors.

Bug#881097: libnet-ping-external-perl: long-standing command injection via crafted arguments

2017-11-07 Thread Salvatore Bonaccorso 
Control: retitle -1 libnet-ping-external-perl: CVE-2008-7319: command injection 
via crafted arguments

This issue got assigned CVE-2008-7319.

I have filled #881102 for requesting the removal from unstable.

For stretch and jessie I think the best course would be to have it
removed as well in the next point releases, given no package depends
on it.

Regards,
Salvatore

Bug#878722: bts reassign 878722 partman-auto

2017-11-07 Thread Michael Kesper 
Dear Cyril,


On 07.11.2017 08:12, Cyril Brulebois wrote:
> Michael Kesper  (2017-11-06):
>> I think this bug is specific to partman-auto.
>> Partman should allow rescanning devices and recognize NVMe devices when
>> preconfigured with /dev/sda.
>> Alternatively, there should be an installation target "largest disk" or
>> something similar.
> 
> I'm not sure hardcoding /dev/sda as the target device is right when all you
> have is NVMe… Don't feed wrong info through preseed in the first place?

Yes sure but why can't I correct it after the fact?
Even "rescanning disks" does not let you chose any other disks.

> Also, “largest disk” doesn't seem too good an idea, as evidenced here:
>   https://lists.debian.org/debian-boot/2017/11/msg00028.html

Is there a way of chosing "first internal disk" then?
Imagine I want to create one installation medium for laptops which only
differ whether they are set up with a NVM or a sata SSD.
I did not find any documentation helping me with this.

Best wishes
Michael



signature.asc
Description: OpenPGP digital signature

Bug#880996: ring: FTBFS on mips64el

2017-11-07 Thread James Cowgill 
Hi,

On 06/11/17 19:48, Sebastian Ramacher wrote:
> Source: ring
> Version: 20170912.1.912f772~dfsg1-2
> Severity: serious
> Tags: sid buster
> Control: block 880355 by -1
> 
> ring FTBFS on mips64el during the libva transition:
[...]
> | ../src/.libs/libring.a(libringacc_la-ringaccount.o): In function 
> `ring::RingAccount::useIdentity(std::pair  std::shared_ptr > const&)':
> | ./daemon/src/ringdht/ringaccount.cpp:845: undefined reference to 
> `dht::Value::msgpack_unpack(msgpack::v1::object)'
> | ./daemon/src/ringdht/ringaccount.cpp:845: undefined reference to 
> `dht::Value::msgpack_unpack(msgpack::v1::object)'
> | ../src/.libs/libring.a(libringacc_la-ringaccount.o): In function 
> `msgpack::v1::type::detail::convert_integer_sign false>::convert(msgpack::v1::object const&)':
> | /usr/include/msgpack/v1/adaptor/int.hpp:46: undefined reference to 
> `dht::unpackBlob(msgpack::v1::object&)'
> | ../src/.libs/libring.a(libringacc_la-ringaccount.o): In function 
> `dht::IceCandidates::msgpack_unpack(msgpack::v1::object)':
> | /usr/include/opendht/default_types.h:190: undefined reference to 
> `dht::unpackBlob(msgpack::v1::object&)'
> | ../src/.libs/libring.a(libringacc_la-ringaccount.o): In function 
> `msgpack::v1::type::detail::convert_integer_sign false>::convert(msgpack::v1::object const&)':
> | /usr/include/msgpack/v1/adaptor/int.hpp:46: undefined reference to 
> `dht::unpackBlob(msgpack::v1::object&)'
> | ../src/.libs/libring.a(libringacc_la-ringaccount.o): In function 
> `dht::IceCandidates::msgpack_unpack(msgpack::v1::object)':
> | /usr/include/opendht/default_types.h:190: undefined reference to 
> `dht::unpackBlob(msgpack::v1::object&)'
> | ../src/.libs/libring.a(libringacc_la-ringaccount.o): In function 
> `msgpack::v1::type::detail::convert_integer_sign false>::convert(msgpack::v1::object const&)':
> | /usr/include/msgpack/v1/adaptor/int.hpp:46: undefined reference to 
> `dht::unpackBlob(msgpack::v1::object&)'
> | 
> ../src/.libs/libring.a(libringacc_la-ringaccount.o):/usr/include/opendht/default_types.h:190:
>  more undefined references to `dht::unpackBlob(msgpack::v1::object&)' follow
> | ../src/.libs/libring.a(libringacc_la-ringaccount.o): In function 
> `msgpack::v1::adaptor::convert void>::operator()(msgpack::v1::object const&, dht::crypto::RevocationList&) 
> const':
> | /usr/include/msgpack/v1/object.hpp:209: undefined reference to 
> `dht::crypto::RevocationList::msgpack_unpack(msgpack::v1::object)'
> | /usr/include/msgpack/v1/object.hpp:209: undefined reference to 
> `dht::crypto::RevocationList::msgpack_unpack(msgpack::v1::object)'
> | collect2: error: ld returned 1 exit status
> | Makefile:628: recipe for target 'dring' failed

The problem is that ring forces the use of the msgpack v1 API, but
opendht uses whatever the default msgpack API was when it was built.
When opendht was originally uploaded this was v1 and everything was
good. Around 1 month ago, opendht was binNMUed on just mips64el and this
caused the mips64el version of opendht to use v2 of the API. Ring then
FTBFS on mips64el because it tried to use the v1 functions which don't
exist anymore.

There needs to be some agreement between ring and opendht as to what
msgpack API to use (both use v1 or v2). I'm not sure what the best
option is, but I would guess that forcing opendht to v1 would fix this.

Thanks,
James



signature.asc
Description: OpenPGP digital signature

Bug#866343: extlinux: Files in /etc/kernel/ not removed during upgrade

2017-11-07 Thread Lukas Schwaighofer 
On Tue, 7 Nov 2017 21:48:04 +0100
Lukas Schwaighofer  wrote:

> 0. The syslinux installer is part of the syslinux binary package

That should have been:
0. The syslinux installer is part of the *extlinux* binary package

Bug#879856: okular(25652)/kdecore (KConfigSkeleton) KCoreConfigSkeleton::writeConfig:

2017-11-07 Thread Sandro Knauß 
Contro: tags -1 +moreinfo

Hey,

it is a upstream bug. So please report this bug upstream (htps://bugs.kde.org) 
and send the bug number to this bugreport. If you have any further questions, 
feel free to ask them here.

Best Regards,

sandro

--
On Donnerstag, 26. Oktober 2017 16:46:15 CEST Nomen Nescio wrote:
> Package: okular
> Version: 4:16.08.2-1+b1
> Severity: minor
> 
> Dear Maintainer,
> 
> When okular is invoked on the commandline, the terminal from which it
> launches is junked up with this:
> 
> okular(25652)/kdecore (KConfigSkeleton) KCoreConfigSkeleton::writeConfig:
> okular(25652)/kdecore (KConfigSkeleton) KCoreConfigSkeleton::writeConfig:
> okular(25652)/kdecore (KConfigSkeleton) KCoreConfigSkeleton::writeConfig:
> okular(25652)/kdecore (KConfigSkeleton) KCoreConfigSkeleton::writeConfig:
> 
> If that noise is necessary, it should be re-worded so users know what
> the message is trying to convey.  Otherwise it should be silenced.
> 
> -- System Information:
> Debian Release: 9.2
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 4.9.0-4-amd64 (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=1509013311 WARNING
> torsocks[10749]: [syscall] Unsupported syscall number 217. Denying the call
> (in tsocks_syscall() at syscall.c:488) UTF-8), LANGUAGE=en_US.UTF-8
> (charmap=1509013311 WARNING torsocks[10751]: [syscall] Unsupported syscall
> number 217. Denying the call (in tsocks_syscall() at syscall.c:488) UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> 
> Versions of packages okular depends on:
> ii  kde-runtime 4:16.08.3-2
> ii  libc6   2.24-11+deb9u1
> ii  libfreetype62.6.3-3.2
> ii  libjpeg62-turbo 1:1.5.1-2
> ii  libkdecore5 4:4.14.26-2
> ii  libkdeui5   4:4.14.26-2
> ii  libkexiv2-114:15.04.3-1
> ii  libkio5 4:4.14.26-2
> ii  libkparts4  4:4.14.26-2
> ii  libkprintutils4 4:4.14.26-2
> ii  libkpty44:4.14.26-2
> ii  libokularcore7  4:16.08.2-1+b1
> ii  libphonon4  4:4.9.0-4
> ii  libpoppler-qt4-40.48.0-2
> ii  libqca2 2.1.1-4+b2
> ii  libqimageblitz4 1:0.0.6-4+b2
> ii  libqmobipocket1 4:16.08.0-1
> ii  libqt4-dbus 4:4.8.7+dfsg-11
> ii  libqt4-declarative  4:4.8.7+dfsg-11
> ii  libqt4-svg  4:4.8.7+dfsg-11
> ii  libqt4-xml  4:4.8.7+dfsg-11
> ii  libqtcore4  4:4.8.7+dfsg-11
> ii  libqtgui4   4:4.8.7+dfsg-11
> ii  libsolid4   4:4.14.26-2
> ii  libspectre1 0.2.8-1
> ii  libstdc++6  6.3.0-18
> ii  phonon  4:4.9.0-4
> ii  zlib1g  1:1.2.8.dfsg-5
> 
> Versions of packages okular recommends:
> ii  cups-bsd  2.2.1-8
> 
> Versions of packages okular suggests:
> ii  ghostscript9.20~dfsg-3.2+deb9u1
> pn  jovie  
> pn  okular-extra-backends  
> ii  poppler-data   0.4.7-8
> ii  texlive-binaries   2016.20160513.41080.dfsg-2
> ii  unrar  1:5.3.2-1+deb9u1



signature.asc
Description: This is a digitally signed message part.

Bug#866343: extlinux: Files in /etc/kernel/ not removed during upgrade

2017-11-07 Thread Lukas Schwaighofer 
Hi Laurent,

thanks for reporting this problem.  Leftover files in /etc/kernel/*.d
are bad…  I made a bit of research and found out the following, all of
which happened during the jessie release cycle:

0. The syslinux installer is part of the syslinux binary package
1. Version 3:6.03~pre1+dfsg-2: The installer was moved from the
   extlinux binary package to a newly introduced syslinux-stuff binary
   package
2. Version 3:6.03~pre19+dfsg-1: The syslinux-stuff binary package was
   dropped (completely removing the extlinux installer from Debian)

So, as far as I can tell, every system that has syslinux since
pre-jessie (and was never reinstalled since) will have those leftover
files.

Fixing this now in unstable feels somewhat in vain… I will ask for
advise on how to best deal with this issue.  For now I wanted to
document my findings.

Regards
Lukas

Bug#878203: apparmor logs /proc//cmdline denials on vm shutdown

2017-11-07 Thread Gabriel Filion 
Hello,

I can still see this in the apparmor file included in
libvirt-daemon-system 3.9.0-1

FWIW according to this ubuntu bug they've added a line to the profile to
permit access:

https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1693115



signature.asc
Description: OpenPGP digital signature

Bug#867671: libratbag-tools: removal of libratbag-tools/sid makes files disappear from liblur3/testing

2017-11-07 Thread Andreas Beckmann 
On 07/08/2017 03:35 PM, Stephen Kitt wrote:
> As I understand Policy in this case, I’m not convinced this is a violation.
> lur-command.1.gz should never have been in liblur3; it should always have
> been in libratbag-tools. I moved the file from liblur3 to libratbag-tools, and
> added the appropriate Replaces relationship; but as I understand it, Breaks
> isn’t needed because the upgrade doesn’t actually break liblur3.

It breaks anything assuming that a certain file exists if a certain
(buggy) package version is installed.

> Considering
> the behaviour described in footnote 54 (53 doesn’t apply here AFAICT), I don’t
> think there’s a problem: the old liblur3 does end up missing a file, but it’s
> a file it doesn’t need and should never have had, so its disappearance
> doesn’t cause any problems.

"its disappearance doesn’t cause any problems"
That's something very hard to teach some automated tools. These tools
look for things that could be problematic (or become problematic at some
point).

What's the actual problem with adding the matching Breaks?
That's just going to invalidate some version mixtures and downgrade
paths that you don't want to support anyway.


Andreas

Bug#881106: flam3: Update to flam3 v3.1.1

2017-11-07 Thread linus . luessing 
Package: flam3
Severity: wishlist

Hi,

Qosmic[0] seems to require flam3 v3.1.1. Would it be possible to update
the flam3 package?

Regards, Linus

[0]: https://github.com/bitsed/qosmic


-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: armhf (armv7l)

Kernel: Linux 4.13.2 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages flam3 depends on:
ii  libc62.24-17
ii  libjpeg62-turbo  1:1.5.2-2
ii  libpng16-16  1.6.34-1
ii  libxml2  2.9.4+dfsg1-5+b1
ii  zlib1g   1:1.2.8.dfsg-5

flam3 recommends no packages.

flam3 suggests no packages.

Bug#881105: golang-github-nebulouslabs-fastrand build depends on the obsolete golang-1.8-go

2017-11-07 Thread Adrian Bunk 
Source: golang-github-nebulouslabs-fastrand
Version: 0.0~git20170420.0.5a1a312-1
Severity: serious

golang-github-nebulouslabs-fastrand build depends on the
obsolete golang-1.8-go.

Bug#881107: gb (build) depends on the obsolete golang-1.8-go

2017-11-07 Thread Adrian Bunk 
Source: gb
Version: 0.4.4-1
Severity: serious

gb depends and build depends on the obsolete golang-1.8-go.

Bug#881104: RM: libhdcd -- ROM; unused library

2017-11-07 Thread Sebastian Ramacher 
Package: ftp.debian.org
Severity: normal

Please remove libhdcd from the archive. Initially ffmpeg was supposed to use it,
but integrated the code in a different way. So libhdcd is not used and can be
removed from the archive.

Cheers
-- 
Sebastian Ramacher


signature.asc
Description: PGP signature

Bug#881103: openresolv: bump version to 3.9.0 so it works with systemd

2017-11-07 Thread Roy Marples 
Package: openresolv
Version: 3.8.0-1
Severity: important

Dear Maintainer,

Please consider bumping openresolv to 3.9.0 so it works with systemd,
which is the Debian default init now.
The current version fails to restart services, rendering it pretty
useless.

Thanks

Roy


-- System Information:
Distributor ID: Sparky
Description:SparkyLinux
Release:5
Codename:   Nibiru
Architecture: x86_64

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE= 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- no debconf information

Bug#880889: zfs-linux: zvol not in /dev after upgrade to 0.7.3-1

2017-11-07 Thread Moritz "LittleFox" Grosch 
Hi again,

sorry for the false bug report. This problem came from some packages at
0.6.5 and some at 0.7.3.

Since there are already other bugs asking for fixed versions (#881013,
#880709), this bug can be closed.

Best regards,
Moritz "LittleFox" Grosch

Bug#880587: [Pkg-tigervnc-devel] Bug#880587: xrandr -o left/right crashes the X server if libvnc.so loaded

2017-11-07 Thread Ola Lundqvist 
Hi

Thank you for the report.

// Ola

On 2 November 2017 at 16:13, Pierre Dinh-van  wrote:
> Package: tigervnc-xorg-extension
> Version: 1.7.0+dfsg-7
> Severity: normal
> Tags: upstream
>
> Dear Maintainer,
>
> I set up libvnc.so from tigervnc-xorg-extension for my stretch
> workstations by adding a config file
> /usr/share/X11/xorg.conf.d/99-vnc.conf with in it :
>
>
> Section "Module"
>   Load  "vnc"
> EndSection
> Section "Screen"
>   Identifier "Screen0"
>   Device "Card0"
>   Monitor"Monitor0"
>   Option "SecurityTypes" "VncAuth"
>   Option "QueryConnect"
>   Option "QueryConnectTimeout" "30"
>   Option "IdleTimeout" "60"
>   Option "UserPasswdVerifier" "VncAuth"
>   Option "PasswordFile" "/etc/vncpasswd"
> EndSection
>
>
> I try to rotate locally my screen with 'xrandr -o left' or 'xrandr -o right'
>
> it crashes the X session and goes back to lightdm.
>
> If the resolution is not changed, for example with '-o inverted' then, the
> session runs further.
>
> I tried with the upstream release 1.8.0 and it's affected by the same
> problem
> I tried on computers with intel graphics, and in a VirtualBox VM. The result
> is the same on both.
>
> removing the /usr/share/X11/xorg.conf.d/99-vnc.conf and restarting ligthdm
> removes the issue.
>
>
> It's a problem for my users who might have the orientation of the display
> set up in the preferences of there XFCE4.
>
> I cannot upgrade such users, or they will be first unable to login until
> they fix there xfce4 profile and they are then unable to use a vertical
> layout for their screen.
>
>
>
> -- System Information:
> Debian Release: 9.2
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.9.0-4-amd64 (SMP w/4 CPU cores)
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),
> LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages tigervnc-xorg-extension depends on:
> ii  libaudit1  1:2.6.7-2
> ii  libbsd00.8.3-1
> ii  libc6  2.24-11+deb9u1
> ii  libgcc11:6.3.0-18
> ii  libgnutls303.5.8-5+deb9u3
> ii  libjpeg62-turbo1:1.5.1-2
> ii  libpam0g   1.1.8-3.6
> ii  libstdc++6 6.3.0-18
> ii  xserver-xorg-core  2:1.19.2-1+deb9u2
> ii  zlib1g 1:1.2.8.dfsg-5
>
> Versions of packages tigervnc-xorg-extension recommends:
> ii  tigervnc-common  1.7.0+dfsg-7
>
> tigervnc-xorg-extension suggests no packages.
>
> -- no debconf information
>
>
> ___
> Pkg-tigervnc-devel mailing list
> pkg-tigervnc-de...@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-tigervnc-devel



-- 
 - Ola Lundqvist ---
/  o...@debian.org Folkebogatan 26  \
|  o...@inguza.com  654 68 KARLSTAD  |
|  http://inguza.com/  +46 (0)70-332 1551   |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---

Bug#881102: RM: libnet-ping-external-perl -- RoQA; unmaintained upstream, contains security issue for several years unadressed

2017-11-07 Thread Salvatore Bonaccorso 
Package: ftp.debian.org
Severity: normal

Hi

As prompted by http://www.openwall.com/lists/oss-security/2017/11/07/4
and has been reported to the BTS as #881097:

libnet-ping-external-perl is basically unmaintained upstream and has a
command injection vulnerability reported upstream without having had a
reply. Thus thinking this is basically unmaintained upstream. The same
version is back in wheezy.

There are no packages depending on it in Debian, so it looks the
safest course of action is to remove it from unstable (possibly as
well from other suites later on via point release) and not having it
included in buster.

Regards
Salvatore

Bug#881101: eyed3 FTBFS with LC_ALL=C

2017-11-07 Thread Adrian Bunk 
Source: eyed3
Version: 0.8.3-1
Severity: serious

https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/eyed3.html

...
dh clean --with python2,python3 --buildsystem=pybuild
   dh_auto_clean -O--buildsystem=pybuild
I: pybuild base:184: python2.7 setup.py clean 
running clean
removing '/build/1st/eyed3-0.8.3/.pybuild/pythonX.Y_2.7/build' (and everything 
under it)
'build/bdist.linux-amd64' does not exist -- can't clean it
'build/scripts-2.7' does not exist -- can't clean it
I: pybuild base:184: python3.6 setup.py clean 
Traceback (most recent call last):
  File "setup.py", line 108, in 
PKG_INFO, REQUIREMENTS = getPackageInfo()
  File "setup.py", line 72, in getPackageInfo
history = history_file.read().replace(".. :changelog:", "")
  File "/usr/lib/python3.6/encodings/ascii.py", line 26, in decode
return codecs.ascii_decode(input, self.errors)[0]
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position 11969: 
ordinal not in range(128)
E: pybuild pybuild:283: clean: plugin distutils failed with: exit code=1: 
python3.6 setup.py clean 
dh_auto_clean: pybuild --clean -i python{version} -p 3.6 returned exit code 13
debian/rules:10: recipe for target 'clean' failed
make: *** [clean] Error 25

Bug#881100: libnss-winbind is not multiarch safe

2017-11-07 Thread Matthew Gabeler-Lee 
Package: libnss-winbind
Version: 2:4.5.12+dfsg-2
Severity: normal

Background: I use libnss-winbind, and a mulitiarch amd64/i386 system because
I need to run some third party i386 binaries.  At least one of those
binaries needs to be able to do nss lookups for some basic account information.

Trying to install libnss-winbind:i386 fails because:

1) It depends on the i386 version of the main winbind package.  This seems
   wrong-ish?  It just needs _some_ version of winbind installed so it can
   talk to it over the socket.

2) It depends on samba-libs, which fails multiarch because of at least
   #862338, though it's not immediately obvious to me _why_ it depends on
   samba-libs if the nss lib is just a thin shim to talk to other daemons? 
   If it's dlopening stuff from that, though, it'd make sense.

-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'unstable-debug'), (500, 'stable-debug'), 
(500, 'testing'), (490, 'unstable'), (1, 'experimental-debug'), (1, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libnss-winbind depends on:
ii  dpkg  1.18.24
ii  libbsd0   0.8.3-1
ii  libc6 2.24-11+deb9u1
ii  libwbclient0  2:4.5.12+dfsg-2
ii  samba-common  2:4.5.12+dfsg-2
ii  samba-libs2:4.5.12+dfsg-2
ii  winbind   2:4.5.12+dfsg-2

libnss-winbind recommends no packages.

Versions of packages libnss-winbind suggests:
ii  libpam-winbind  2:4.5.12+dfsg-2

-- no debconf information

Bug#881099: libatk-adaptor: breaks LibreOffice TexMaths extension

2017-11-07 Thread Paul Gevers 
Package: libatk-adaptor
Version: 2.22.0-2
Severity: normal

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

This bug is a forward of Ubuntu bug 1641284¹, that was reported to also exist
in Debian Strech. I have not verified myself, but the report seemed carefully
written.

=

If the package libatk-adaptor is installed on Ubuntu (as a depency of
gnome-orca for example), it breaks down the LibreOffice TexMaths
extension. TexMaths is a popular extension used to enter / edit LaTeX equations
on LibreOffice (see http://roland65.free.fr/texmaths).

Step to reproduce the bug:

1. It is assumed that LibreOffice 5.1.4 (with at least the Writer and Draw
components) is installed on Ubuntu. It is also assumed that libatk-adaptor is
installed.

2. Install texlive:
sudo apt-get install texlive

3. Download and install the TexMaths extension (version 0.42) from there:
https://sourceforge.net/projects/texmaths/files/0.42/

4. Create a new empty Writer document, then click on the Pi icon (this is the
TexMaths icon) and in the window that opens, type: 'x(t)+y(t)' (without the
quotes), then click on the LaTeX button. This generates an SVG image of the
'x(t)+y(t)' equation.

5. Select the SVG image of the equation by left clicking on it. Then click on
the Pi icon. Now, instead of editing the equation, an error message is
displayed: "The selected object is not a TexMaths equation... Please unselect
it and call the macro again...".

6. Now, right click on the SVG image and select the 'Description' menu
voice. In the window that opens, the description is empty and does not contain
the equation text, as it should.

7. Now purge (and not just remove) the libatk-adaptor package:
sudo apt-get purge libatk-adaptor
then logout and login and repeat the steps 4, 5, and 6: everything is OK and
the equation can be edited as usual.

Another way to remove the bug instead of purging libatk-adaptor is to rename
the file: /etc/X11/Xsession.d/90atk-adaptor to
/etc/X11/Xsession.d/90atk-adaptor.orig . Then logout and login.

- ---

I forgot to mention that I am the author of the TexMaths extension. Of course,
during my testing there was no other extension installed. The bug occurs in
5.1.x and 5.2.x versions of LibreOffice. I used a fresh Ubuntu 16.04.1 install
for the test, but the bug appears in various Ubuntu flavours too, as many
TexMaths users reported.

You should also consider the other bug I reported
(https://bugs.launchpad.net/ubuntu/+source/at-spi2-atk/+bug/1584795), which
relates LibreOffice and liabatk-adaptor.

These two bugs are 100% reproducibles.

- ---

Bug confirmed on Debian 9 (stretch), too.

Here, libatk-adaptor is installed by default as a dependency of orca und
task-xfce-desktop.  So i cannot purge it without breaking my system.

After disabling atk-adaptor
  mv /etc/X11/Xsession.d/90atk-adaptor /etc/X11/Xsession.d/90atk-adaptor.bak
as suggested by Roland65 here
  https://sourceforge.net/p/texmaths/bugs/69/#822d
my TexMaths-Plugin works fine.

¹ https://bugs.launchpad.net/ubuntu/+bug/1641284

- -- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 'testing'), (50, 
'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libatk-adaptor depends on:
ii  libatk-bridge2.0-0  2.26.0-1
ii  libatk1.0-0 2.26.0-2
ii  libatspi2.0-0   2.26.0-2
ii  libc6   2.24-17
ii  libdbus-1-3 1.11.22-1
ii  libglib2.0-02.54.1-1

libatk-adaptor recommends no packages.

libatk-adaptor suggests no packages.

- -- no debconf information

-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEWLZtSHNr6TsFLeZynFyZ6wW9dQoFAloCCVsACgkQnFyZ6wW9
dQp8IAf/UmJKirNG5kgCjioyQanwr3eKVy4d8a7NUlOeIPCO1iRJTFgsjkoDY1po
FOefdf4zj1rmxFwbxWEfaVbbxwykgLUsjNlwNvekh2nAwNwzJKp1DJNLKiRGK7wM
ZKgFxDmDj7dYkdUwpCmDQG16lYrLESnckO+57cstsaZCEGyMvEMOGmkRQNUWTYUu
fkDCct66tT+CiWS3XNnzUuwSRMoJMGM2vlM3QtVExLgX8fRi2YkczwGpTG6+4mw0
JwyHrO6A7xE496Nc3k4kGouLKGDC+M9Px7kbhBlAG29uqtWruWYIQtIh8vpQU0C9
tTqm9VLYTRIT111tJXGn4RU8ZG6gCQ==
=gexh
-END PGP SIGNATURE-

Bug#877168: transition: ldc

2017-11-07 Thread Gianfranco Costamagna 
On Tue, 7 Nov 2017 02:02:30 +0100 Matthias Klumpp  wrote:
> Hi!
> 
> 2017-10-04 13:36 GMT+02:00 Matthias Klumpp :
> > 2017-10-04 9:39 GMT+02:00 Emilio Pozuelo Monfort :
> >> [...]
> > Thank you!
> > Both issues are reported upstream:
> > ppc64el: https://github.com/ldc-developers/ldc/issues/2356
> > sambamba assert: https://github.com/ldc-developers/ldc/issues/2357
> 
> Just a quick heads up: There is a new version of LDC soon in unstable
> that will fix at least the Sambamba issue, and maybe (hopefully?) also
> the ppc64el issue.
> This will restart this transition though - unstable ABIs are a lot of fun...
> 

please update the tracker 74 -> 75

thanks

G.



signature.asc
Description: OpenPGP digital signature

Bug#843926: jemalloc hard codes page size during build

2017-11-07 Thread Faidon Liambotis 
On Tue, Nov 07, 2017 at 05:07:42PM +, James Cowgill wrote:
> Ah nevermind - I see it FTBFS in experimental on lots of arches.

Yeah, I've fixed some in git already and been working with upstream on a
lot of those (upstream #761, #979, #985, #999). They've been extremely
collaborative (and even trying to make sure breakages on non-x86 won't
happen again, #1044).

I'm currently waiting for either a backport of one of the fixes or a
release, the latter being blocked on them figuring out their release
strategy (#1049).

Regards,
Faidon

Bug#814459: pxelinux: doesn't use gPXE/iPXE anymore to load files

2017-11-07 Thread Lukas Schwaighofer 
Hi Christian,

thanks for reporting this problem.  I've only recently taken over
maintenance of syslinux/pxelinux in the Debian CD Group.  Sorry you had
to wait more than a year for a response…

We recently uploaded a pre-release of syslinux 6.04 to Debian
experimental. Amongst other things the changelog mentions:

core: Re-add gPXE/iPXE support for HTTP on pxelinux.0 (Gene Cumm).

So I hope the problem has been resolved, but I didn't verify that yet.
In case you still have a suitable setup, would you mind testing the
version in experimental?

Thanks
Lukas

Bug#877562: libqb FTCBFS: uses uncached AC_RUN_IFELSE

2017-11-07 Thread Manuel A. Fernandez Montecelo 

Hi,

2017-10-12 10:07 Ferenc Wágner:

Helmut Grohne  writes:


On Wed, Oct 11, 2017 at 03:24:50PM +0200, Ferenc Wágner wrote:


#hurd confirmed that this is a Hurd bug in glibc, and promised a fix it
in the next upload.  So I guess an unconditional check for
_POSIX_MONOTONIC_CLOCK being positive would be a good general solution.
Do you agree?


I do agree that hurd should fix this. Yet, it may not be the thing to
rely on here.


It was the explicit recommendation I got on #hurd: "just use the POSIX
interface."  If that breaks on Hurd right now, that's fine.  The bug
will be fixed shortly.


Testing for a working CLOCK_MONOTONIC is something that many projects
do.


Aren't these all manifestations of the same misguided attempt to work
around the above bug in Hurd?  In what other cases is this check
necessary?


If upstream Hurd people were so sure about it I'd strongly consider to
follow their advice.


From what you talk about in this bug report, if the extra check is

mostly to satisfy a bug in Hurd and they fix it, you could as well
remove it.

But on the other hand, as Helmut says, if many other projects do it and
since Hurd is not very popular, perhaps it's a wider problem than Hurd.

If the way that Helmut proposes fixes cross-compilation and still works
fine for "native" builds, maybe it will help to detect the same problem
as Hurd in new architectures in the future.


Cheers.
--
Manuel A. Fernandez Montecelo

Bug#881015: Massive memory leak in ksmserver

2017-11-07 Thread Julien Aubin 
Hi,

No I don't.

However I saw today a Skype update which could be related to the issue.
Cannot recall exactly whether the issue came with Skype update or with 9.2
release.

I'll keep you updated with this issue.

2017-11-07 19:22 GMT+01:00 Lisandro Damián Nicanor Pérez Meyer <
perezme...@gmail.com>:

> Hi! Do you have the wallpaper images changing from time to time?
> Because there is an upstream bug for that and it could not be solved
> so far (to the best of my knowledge).
>

Bug#881015: Massive memory leak in ksmserver

2017-11-07 Thread Lisandro Damián Nicanor Pérez Meyer 
Hi! Do you have the wallpaper images changing from time to time?
Because there is an upstream bug for that and it could not be solved
so far (to the best of my knowledge).

Bug#828522: qt4-x11: FTBFS with openssl 1.1.0

2017-11-07 Thread Lisandro Damián Nicanor Pérez Meyer 
Hi Dmitry!

On 13 October 2017 at 21:43, Dmitry Eremin-Solenikov
 wrote:
> Source: qt4-x11
> Version: 4:4.8.7+dfsg-11
> Followup-For: Bug #828522
>
> Hello,
>
> Please try adding the attached patch, which should fix the rest of
> incompatibilities between qt4-x11 and OpenSSL 1.1.0. With this patch I'm
> able to successfully use Psi jabber client together with Qt4 built
> against OpenSSL 1.1.0.

I will try it.

> Also please note, that I had to apply two more fixes to build Qt4
> properly (see second attachment):
>
> - In debian/rules define DEB_HOST_ARCH
>
> - In qt4-x11-4.8.7+dfsg/config.tests/unix/alsa/alsatest.cpp support
>   libasound2 >= 1.1.0

I haven't seen the need for this (maybe because the last time I've
built qt4 this was not a problem). Did you try your builds on a clen
chroot?

Bug#880234: Re%3A nibabel%3A FTBFS%3A Test failures

2017-11-07 Thread Thiago Franco de Moraes 
Hi

I cloned the git repo from nibabel and did some tests. I saw the HEAD of 
upstream doesn't have this problem. The difference from the HEAD to the 2.1.0 
version in the file with the error is diff I've attached in this email. 
Applying this diff fix this problem. I think you can send this patch to the guy 
which packages nibabel.

Kind regards.diff --git a/nibabel/orientations.py b/nibabel/orientations.py
index 2567b41..bc85173 100644
--- a/nibabel/orientations.py
+++ b/nibabel/orientations.py
@@ -63,7 +63,7 @@ def io_orientation(affine, tol=None):
 RS = RZS / zooms
 # Transform below is polar decomposition, returning the closest
 # shearless matrix R to RS
-P, S, Qs = npl.svd(RS)
+P, S, Qs = npl.svd(RS, full_matrices=False)
 # Threshold the singular values to determine the rank.
 if tol is None:
 tol = S.max() * max(RS.shape) * np.finfo(S.dtype).eps

Bug#862522: cuda 9.0 RC available

2017-11-07 Thread Andreas Beckmann 
On 09/26/2017 11:31 AM, Lumin wrote:
> CUDA 9.0.176 is available.
> https://developer.nvidia.com/cuda-downloads
> I didn't download it.

The nvidia-cuda-toolkit packaging has now been moved to GIT :-)
We may have to see how to develop an efficient workflow there.

There is also a 9.0 branch. It builds packages for amd64 and ppc64el,
but I haven't tested it beyond that :-)

Probably the README needs updating for the instructions regarding the
CUDA Code Samples.

Have fun playing around with it :-)

And tell me once I should upload it to experimental.


Andreas

Bug#881098: moreutils: pee should have an unbuffered or line-buffered mode

2017-11-07 Thread Matthew Gabeler-Lee 
Package: moreutils
Version: 0.60-1
Severity: wishlist

Using pee to work with something generating output but also going through
more processing before heading to a logfile gets icky, because pee always
has the pipes it uses to talk to the child processes buffered.

e.g.  output-generating-thing | pee "cat" "ts >logfile" results in the
terminal output being batched due to the output buffer in pee for the pipe
to cat, no matter how many places one adds stdbuf invocations.

-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'unstable-debug'), (500, 'stable-debug'), 
(500, 'testing'), (490, 'unstable'), (1, 'experimental-debug'), (1, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages moreutils depends on:
ii  libc62.24-11+deb9u1
ii  libipc-run-perl  0.94-1
ii  perl 5.24.1-3+deb9u2

moreutils recommends no packages.

Versions of packages moreutils suggests:
pn  libtime-duration-perl  
ii  libtimedate-perl   2.3000-2

-- no debconf information

Bug#879637: Ping?

2017-11-07 Thread Lisandro Damián Nicanor Pérez Meyer 
Hi! Would it be possible at least to ignore the tests on mips64el for the time 
being? This has been stopping the Qt transition for too long already.

Thanks!

-- 
 1: Una computadora sirve:
* Para tratar de dominar el mundo, un caso conocido de esto fue el de
  Skinet
Damian Nadales
http://mx.grulic.org.ar/lurker/message/20080307.141449.a70fb2fc.es.html

Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/


signature.asc
Description: This is a digitally signed message part.

Bug#881097: libnet-ping-external-perl: long-standing command injection via crafted arguments

2017-11-07 Thread Simon McVittie 
Package: libnet-ping-external-perl
Version: 0.13-1
Severity: grave
Tags: security patch upstream
Justification: user security hole
Forwarded: https://rt.cpan.org/Public/Bug/Display.html?id=33230

See forwarded message below. The reporter's proposed patch is also
attached.

The proposed patch seems to pretend to be a new upstream release, which
seems weird to me, but it isn't my patch.

For what it's worth, dak says nothing in unstable depends on this
package; so perhaps it's time to remove it from Debian.

smcv

- Forwarded message from Matthias Weckbecker  
-

Date: Tue, 7 Nov 2017 17:51:27 +0100
From: Matthias Weckbecker 
To: oss-secur...@lists.openwall.com
Subject: [oss-security] Net::Ping::External command injections
Message-ID: <20171107165127.ga1...@weckbecker.name>

Hi,

Net::Ping::External [0] is prone to command injection vulnerabilities.

The issues are roughly 10 (!) years old [1], but the code is still being
shipped these days (e.g. in ubuntu artful and debian stretch [2]).

I had contacted the author of the code a few days ago, but obviously did
not get any reaction.

A patch is available here:

  http://matthias.sdfeu.org/devel/net-ping-external-cmd-injection.patch

Maybe time to just patch it downstream? Or drop this pkg. altogether?

Thanks,
Matthias

--
[0] https://metacpan.org/pod/Net::Ping::External
[1] https://rt.cpan.org/Public/Dist/Display.html?Name=Net-Ping-External
(id #33230)
[2] https://packages.debian.org/stable/perl/libnet-ping-external-perl \
https://launchpad.net/ubuntu/+source/libnet-ping-external-perl

- End forwarded message -
>From b3dd4de6417f5f9d06710fc185ae6b4ee3661c45 Mon Sep 17 00:00:00 2001
From: Matthias Weckbecker 
Date: Fri, 27 Oct 2017 15:01:10 +0200
Subject: [PATCH 1/1] Fix 10 year old command injection vulnerability

---
 Changes |  3 +++
 External.pm | 24 
 test.pl | 53 +++--
 3 files changed, 74 insertions(+), 6 deletions(-)

diff --git a/Changes b/Changes
index 283ad4d..f36f0d0 100644
--- a/Changes
+++ b/Changes
@@ -8,6 +8,9 @@ newer versions of Net::Ping::External.
 - Support Debian GNU/kFreeBSD
 - ping location on Darwin
 
+0.16 2017-10-27
+- Fix 10 year old command injection vulnerability
+
 0.15 2014-04-12
 - Better detect Windows ping under Cygwin
 - Add ping output for test 2 if it fails
diff --git a/External.pm b/External.pm
index eb472bd..82bc0b8 100644
--- a/External.pm
+++ b/External.pm
@@ -15,11 +15,26 @@ use Carp;
 use Socket qw(inet_ntoa);
 require Exporter;
 
-$VERSION = "0.15";
+$VERSION = "0.16";
 @ISA = qw(Exporter);
 @EXPORT = qw();
 @EXPORT_OK = qw(ping);
 
+sub _clean_args {
+  my %args = @_;
+  for my $arg (qw(size count timeout)) {
+  if ($args{$arg} !~ /([0-9]+)/) {
+croak("$arg must be numeric");
+  }
+  $args{$arg} = $1;
+  }
+  if ($args{host} !~ /([A-Z0-9\.\-]+)/i) {
+croak("invalid host");
+  }
+  $args{host} = $1;
+  return %args;
+}
+
 sub ping {
   # Set up defaults & override defaults with parameters sent.
   my %args = (count => 1, size => 56, @_);
@@ -34,7 +49,7 @@ sub ping {
   croak("You must provide a hostname") unless defined $args{host};
   $args{timeout} = 5 unless defined $args{timeout} && $args{timeout} > 0;
 
-  my %dispatch = 
+  my %dispatch =
 (linux=> \&_ping_linux,
  gnukfreebsd => \&_ping_linux, #Debian GNU/kFreeBSD
  mswin32  => \&_ping_win32,
@@ -61,6 +76,7 @@ sub ping {
 
   croak("External ping not supported on your system") unless $subref;
 
+  %args = _clean_args(%args);
   return $subref->(%args);
 }
 
@@ -83,7 +99,7 @@ sub _ping_win32 {
 }
 
 # Mac OS X 10.2 ping does not handle -w timeout now does it return a
-# status code if it fails to ping (unless it cannot resolve the domain 
+# status code if it fails to ping (unless it cannot resolve the domain
 # name)
 # Thanks to Peter N. Lewis for this one.
 sub _ping_darwin {
@@ -201,7 +217,7 @@ sub _ping_netbsd {
 # -s size option supported -- superuser only... fixme
 sub _ping_bsd {
   my %args = @_;
-  my $command = "ping -c $args{count} -q $args{hostname}";
+  my $command = "ping -c $args{count} -q $args{host}";
   return _ping_system($command, 0);
 }
 
diff --git a/test.pl b/test.pl
index 591f6d4..29c5bc8 100644
--- a/test.pl
+++ b/test.pl
@@ -6,7 +6,7 @@
 # Change 1..1 below to 1..last_test_to_print .
 # (It may become useful if the test is moved to ./t subdirectory.)
 
-BEGIN { $| = 1; $num_tests = 6; print "1..$num_tests\n"; }
+BEGIN { $| = 1; $num_tests = 8; print "1..$num_tests\n"; }
 END {print "not ok 1\n" unless $loaded;}
 use Net::Ping::External qw(ping);
 $loaded = 1;
@@ -24,7 +24,12 @@ $Net::Ping::External::DEBUG_OUTPUT = 1;
 	   3 => "ping(host => '127.0.0.1', timeout => 5)",
 	   4 => "ping(host => 'some.non.existent.host.')",
 	   5 => "ping(host => '127.0.0.1', count => 10)",
-	   6 => "ping(host => '127.0.0.1', size => 32)"
+	   6 => "ping(host

Bug#767414: RFP: 2048 -- Simple number game for the text console

2017-11-07 Thread Nicolas Boulenguez 
Hello.
Here are some comments about the current packaging.
Hope this helps…

As upstream contributor, you should merge your changes into the
original project at https://github.com/mevdschee.
Your fork misses README.md, latest bug fixes,
and the original project would probably welcome a manpage and
improvements in the Makefile.

The attachment fixes cosmetic issues in the manpage
(https://liw.fi/manpages/),
and contains many suggestions for the Makefile:
* allow prefix /= /usr
* avoid as many repetitions as possible, so that any renaming or version
  change is easyer
  (I suggest a name starting with a letter for the package and executable)
* reduce the subshell runs, declare .PHONY targets, use := variables
  (for performance)

Once an upstream tarball is released
* without any debian/ subdirectory (there may be other distributors)
* without .gitignore (the tarball is unrelated with the VCS)
* with explicit authors and license
* maybe with a short ./changelog file, either referencing the version
  control system or manually listing changes.
* visible somewhere on the web (for automatic detection of new versions)
* maybe signed by your electronic signature

you can start the Debian packaging.

debian/2048.debhelper.log
debian/2048.substvars
debian/files
show that you have committed without cleaning your working directory.

debian/changelog should only contain the history of the official
Debian packages (currently, only one). In other words, it only sees
the debian/subdirectory.
In normal circumstances, changes to the upstream sources should be
mentioned in ./changelog (or the VCS it refers to).

Text files should end with an empty line (it helps diff tools).

Your package is ready for debhelper 10 and Standards-Version 4.1.0.

control/Vcs-* and copyright/Source changes should be self-explaining.

I hate trailing whitespaces, but YMMV.

Once upstream releases visible tarballs, adding a watch file scanning
new upstream releases and checking signatures would be a good thing.
See uscan(1).

Bug#879673: ffmpeg 3.4 API compat layer not 100% backwards compatible

2017-11-07 Thread James Cowgill 
Control: affects -1 src:kodi src:gst-libav1.0


Control: tags -1 patch

Hi,

On 24/10/17 09:52, Sebastian Dröge wrote:
> Package: ffmpeg
> Version: 7:3.4-1
> Severity: serious
> 
> Hi,
> 
> ffmpeg 3.4 comes with a new decoding API (among other things), and
> provides a compatibility layer around that for the old API.
> Unfortunately this compatibility layer is apparently not 100% backwards
> compatible or buggy. It breaks at least h264 decoding with gst-
> libav1.0, but then probably also breaks other packages.
> 
> gst-libav upstream bug can be found here:
> https://bugzilla.gnome.org/show_bug.cgi?id=789193
> 
> We'll try to port over to the new API but it looks like some effort,
> and even independent of that the compatibility layer should either be
> fixed or the soname of the libraries has to be updated.

Unfortunately there doesn't seem to have been a lot of activity on the
upstream bug report from FFmpeg themselves. Based on what I can infer
from the source code, I think there is no API breakage here. The
documentation on draining packets in the old API is pretty poor and it
"worked" with ffmpeg < 3.4 so people started using it that way. However,
I think that even under the old API, drain packets can only be sent at
the end of a stream. This seems to make the most sense and aligns with
new the API (where the documentation does say that this is required).

I think the best solution is to apply the attached workaround for the
time being to the Debian package. The workaround will call
avcodec_flush_buffers automatically when it detects that a data packet
has been sent to avcodec_decode_* after the codec has been completely
drained. This allows gst-libav1.0 and kodi (which I also discovered does
this) to play video again.

I am wondering why gst-libav1.0 needs to drain the code at every
discontinuity in the stream? I would have thought there are two separate
cases here: seeking where you want to reset the codec, and dropped
packets where you allow the codec itself to fix the stream (as best it can).

Thanks,
James
diff --git a/debian/patches/0003-reset-codec-after-eof.patch b/debian/patches/0003-reset-codec-after-eof.patch
new file mode 100644
index ..a8bb7692
--- /dev/null
+++ b/debian/patches/0003-reset-codec-after-eof.patch
@@ -0,0 +1,34 @@
+Description: lavc: reset codec on receiving packet after EOF
+ In ffmpeg 3.4, the deprecated avcodec_decode_* APIs were reworked so that they
+ called into the new avcodec_send_packet / avcodec_receive_frame API. This had
+ the side effect of prohibiting sending new packets containing data after a
+ NULL packet. In the new API, it is documented that a NULL packet means EOF.
+ .
+ While the documentation is sparse in this area. It seems that a NULL packet
+ also meant EOF in the old API, but since it was unclear and worked, a few
+ applications assumed that it was ok to to continue sending data after an EOF,
+ and subsequently broke with ffmpeg 3.4.
+ .
+ This patch adds a workaround to the old API which will reset the codec
+ (allowing new data) if a packet is received after an EOF. Hopefully this
+ allow these applications to continue to work with newer ffmpeg.
+Author: James Cowgill 
+Bug: https://trac.ffmpeg.org/ticket/6775
+Bug-Debian: https://bugs.debian.org/879673
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/libavcodec/decode.c
 b/libavcodec/decode.c
+@@ -753,6 +753,12 @@ static int compat_decode(AVCodecContext
+ 
+ av_assert0(avci->compat_decode_consumed == 0);
+ 
++if (avci->draining_done && pkt && pkt->size != 0) {
++av_log(avctx, AV_LOG_WARNING,
++"Got unexpected packet after EOF. Resetting codec and continuing...\n");
++avcodec_flush_buffers(avctx);
++}
++
+ *got_frame = 0;
+ avci->compat_decode = 1;
+ 
diff --git a/debian/patches/series b/debian/patches/series
index bb700bb6..4fe4a0d2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 0001-arm-thumb2-blx.patch
 0002-arm-Check-for-have_vfp_vm-instead-of-have_vfpv3.patch
+0003-reset-codec-after-eof.patch


signature.asc
Description: OpenPGP digital signature

Bug#878674: [Pkg-javascript-devel] Bug#878674: Bug#878674: Bug#878674: Bug#878674: Bug#878674: Bug#878674: nodejs segfaults when building d3-* with webpack

2017-11-07 Thread Jérémy Lal 
2017-10-25 16:04 GMT+02:00 Pirate Praveen :

> On ബുധന്‍ 25 ഒക്ടോബര്‍ 2017 07:08 വൈകു, Pirate Praveen wrote:
> > I can reach the segfaulting point faster by setting break point at
> > thread creation
> >
> > b pthread_create.c:333
> >
> > after 8 c, I reach the segfault point.
> >
> >
> >
>
> hopefully more useful bt
>
> (gdb) bt
> #0  node::fs_req_wrap::~fs_req_wrap (this=,
> __in_chrg=) at ../src/node_file.cc:334
> #1  node::Open (args=...) at ../src/node_file.cc:1063
> #2  0x3b905decccb8 in ?? ()
> #3  0x7fff8fc7a418 in ?? ()
> #4  0x7fff8fc7a468 in ?? ()
> #5  0x0003 in ?? ()
> #6  0x in ?? ()
> (gdb) s
> node::Open (args=...) at ../src/node_file.cc:1064
> 1064in ../src/node_file.cc
> (gdb) bt
> #0  node::Open (args=...) at ../src/node_file.cc:1064
> #1  0x3b905decccb8 in ?? ()
> #2  0x7fff8fc7a418 in ?? ()
> #3  0x7fff8fc7a468 in ?? ()
> #4  0x0003 in ?? ()
> #5  0x in ?? ()
> (gdb) s
> v8::ReturnValue::Set (i=, this=)
> at ../src/node_file.cc:1064
> 1064in ../src/node_file.cc
> (gdb) s
> v8::internal::Internals::IntToSmi (value=)
> at ../src/node_file.cc:1064
> 1064in ../src/node_file.cc
> (gdb) s
> v8::internal::SmiTagging<8ul>::IntToSmi (value=)
> at ../src/node_file.cc:1064
> 1064in ../src/node_file.cc
> (gdb) s
> v8::internal::IntToSmi<31> (value=)
> at ../deps/v8/include/v8.h:7274
> 7274../deps/v8/include/v8.h: No such file or directory.
> (gdb) s
> node::Open (args=...) at ../src/node_file.cc:1063
> 1063../src/node_file.cc: No such file or directory.
> (gdb) s
> node::fs_req_wrap::~fs_req_wrap (this=0x7fff8fc79db0,
> __in_chrg=) at ../src/node_file.cc:334
> 334 in ../src/node_file.cc
> (gdb) s
> uv_fs_req_cleanup (req=req@entry=0x7fff8fc79db0) at src/unix/fs.c:1351
> 1351src/unix/fs.c: No such file or directory.
> (gdb) s
> 1357in src/unix/fs.c
> (gdb) s
> 1363in src/unix/fs.c
> (gdb) s
> 1360in src/unix/fs.c
> (gdb) s
> 1361in src/unix/fs.c
> (gdb) s
> 1363in src/unix/fs.c
> (gdb) s
> 1366in src/unix/fs.c
> (gdb) s
> 1367in src/unix/fs.c
> (gdb)
> uv__free (ptr=0x0) at src/uv-common.c:78
> 78  src/uv-common.c: No such file or directory.
> (gdb)
> 84  in src/uv-common.c
> (gdb)
> __errno_location () at ../csu/errno-loc.c:26
> 26  ../csu/errno-loc.c: No such file or directory.
> (gdb)
> 27  in ../csu/errno-loc.c
> (gdb)
> uv__free (ptr=0x0) at src/uv-common.c:85
> 85  src/uv-common.c: No such file or directory.
> (gdb)
> __GI___libc_free (mem=0x0) at malloc.c:2954
>

This points a lot to a libuv bug.

Now that ilbuv 1.11 is in unstable, can you update and post results here ?

Jérémy

  1   2   3   >