Bug#1036918: debvm: manual mounting of root image

2023-05-31 Thread Helmut Grohne
Hi Wouter,

On Wed, May 31, 2023 at 12:18:00PM +0200, Wouter Verhelst wrote:
> I don't think it is. All packages that do things at early boot have
> complicated requirements; nbd isn't the only one. It's just the first one
> you hear about.

Thank you for not giving up here.

> > and that debvm may not be the right hammer for your job? While debvm
> > gives you a complete rootfs, you seem to be satisfied with a kernel and
> > an initrd.
> 
> No, that is not accurate; I do need a root filesystem too.

Now that - to me - is a compelling argument. Arguably, that should have
been obvious. Thanks for spelling it out.

> Yes, I could run debvm-create and then do the extraction of the kernel
> and initrd myself, but that shouldn't be necessary -- debvm-run would be
> a perfectly good abstraction, if only it allowed me to tell it not to
> try to mount the hard drive automatically and/or let me override the
> root= parameter.

I believe I now understand your use case and I follow your reasoning
that debvm could reasonably do better at supporting it.

Both mmdebstrap and debvm-create have a --skip mechanism. Doing
something similar to debvm-run seems sensible initially. The precise way
of doing it less so. Would you be interested in helping sort the
details?

For one thing, I think your use of -append does not work well with
debvm-run. While it sounds like it was appending, it actually is
replacing the kernel cmdline. debvm-run has its own ideas and passes the
rootfs, console and terminal emulation type there. By overriding
-append, you miss all of that. I suspect we need a more clever
management of cmdline here and am unsure what that should be exactly.

For passing the actual rootfs, I guess a --skip=rootdev would address
your need. I imagine it as skipping both the root= cmdline argument and
passing of the blockdev. Other things that users might want to skip
include the network setup (not in your case ;) and the random device
setup.

So at this point, the addition of a --skip option seems fairly likely to
me, but I'd like to consult with other users some more and won't upload
debvm before bookworm has been released anyway. Still, your (and others')
input on what kind of features should be skippable and how we could
better deal with the cmdline is welcome.

Thanks for insisting.

Helmut



Bug#1037004: msmtp-mta doesn't respect DEBIAN_FRONTEND=noninteractive

2023-05-31 Thread Emmanuel Bouthenot
Hello (again),

On Wed, May 31, 2023 at 03:26:23PM -0700, Greg wrote:
[...]

> RUN DEBIAN_FRONTEND=noninteractive apt-get -y update && \
>   apt-get install -yq --no-install-recommends msmtp-mta s-nail htop dialog less paxctl sudo

I didn't notice it in the first place, but you also have to set the
noninteractive frontend when installing/updating the package, not only
when updating the package index.

Try:
RUN DEBIAN_FRONTEND=noninteractive apt-get -y update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -yq --no-install-recommends \
    msmtp-mta s-nail htop dialog less paxctl sudo

If it works as expected it's far better than preseeding (suggested in my
previous reply).

Have a nice day.

Regards,

-- 
Emmanuel Bouthenot
  kolter@{openics,debian}.org   kolter@{libera,oftc}
  0x929D42C3/4096R



Bug#1037004: msmtp-mta doesn't respect DEBIAN_FRONTEND=noninteractive

2023-05-31 Thread Emmanuel Bouthenot
Hello Greg,

On Wed, May 31, 2023 at 03:26:23PM -0700, Greg wrote:
[...]

> Regarding your commit here: 
> https://salsa.debian.org/kolter/msmtp/-/commit/7633ea472e24bf3be003396a2e4567d101f8cf53
> 
> This has added a TUI when installing the `msmtp-mta` package that
> appears even on non-interactive terminals. This is making it very
> difficult for us to upgrade our Gitlab install which has this command
> in a Dockerfile:
> 
> RUN DEBIAN_FRONTEND=noninteractive apt-get -y update && \
>   apt-get install -yq --no-install-recommends msmtp-mta s-nail htop dialog less paxctl sudo

Before installing or upgrading msmtp-mta (or msmtp) from your Dockerfile,
try to preseed the debconf questions by executing the following
commands:

echo "msmtp msmtp/apparmor boolean false" | debconf-set-selections
echo "msmtp msmtp/security-information error seen" | debconf-set-selections

Let me know if it works.

Have a nice day.

Regards,

-- 
Emmanuel Bouthenot
  kolter@{openics,debian}.org   kolter@{libera,oftc}
  0x929D42C3/4096R
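Both replies above come down to one shell rule: in `A && B`, a variable assignment written in front of `A` is scoped to `A` alone, so `apt-get install` in the reporter's `RUN` line never saw `DEBIAN_FRONTEND=noninteractive`. The script below is an added example, not code from the bug report, the msmtp package or Docker; it stands `sh -c` in for `apt-get` so it runs anywhere, and the three functions mirror the broken line, the fix suggested in the reply, and the Dockerfile `ARG`/`ENV` alternative.

```shell
#!/bin/sh
# Added example: why a variable prefixed to the FIRST command of an `a && b`
# chain is not visible to the second command. `sh -c 'true'` stands in for
# `apt-get update` and the printf stands in for `apt-get install`, which is
# the command that actually runs debconf.

# Pattern from the original Dockerfile: prefix on the first command only.
# The second command sees no DEBIAN_FRONTEND at all.
frontend_seen_by_second_cmd() {
    unset DEBIAN_FRONTEND   # start from a clean environment
    DEBIAN_FRONTEND=noninteractive sh -c 'true' && \
        sh -c 'printf "%s" "${DEBIAN_FRONTEND:-unset}"'
}

# Fix suggested in the reply: repeat the prefix on every command that may
# ask debconf questions.
frontend_seen_with_prefix_on_each_cmd() {
    unset DEBIAN_FRONTEND
    DEBIAN_FRONTEND=noninteractive sh -c 'true' && \
        DEBIAN_FRONTEND=noninteractive sh -c 'printf "%s" "${DEBIAN_FRONTEND:-unset}"'
}

# Shell equivalent of a Dockerfile `ARG DEBIAN_FRONTEND=noninteractive`
# (or ENV) line: an exported variable reaches every command in the chain.
# The subshell keeps the export from leaking into the caller.
frontend_seen_with_export() {
    unset DEBIAN_FRONTEND
    (
        export DEBIAN_FRONTEND=noninteractive
        sh -c 'true' && sh -c 'printf "%s" "${DEBIAN_FRONTEND:-unset}"'
    )
}

# Stand-alone run: one line per variant.
printf 'prefix on first command only : %s\n' "$(frontend_seen_by_second_cmd)"
printf 'prefix on each command       : %s\n' "$(frontend_seen_with_prefix_on_each_cmd)"
printf 'exported (ARG/ENV equivalent): %s\n' "$(frontend_seen_with_export)"
```

In a Dockerfile, `ARG DEBIAN_FRONTEND=noninteractive` placed before the `RUN` lines is the usual way to get the third behaviour without baking the variable into the final image, which `ENV` would do.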



Bug#1037006: opensnitch: Upstream change enables ebpf compilation

2023-05-31 Thread Petter Reinholdtsen
[Pijgn]
> OpenSnitch in Debian is currently incompatible with (some?) kernel space 
> network tools such as wireguard and NFS. These are entirely unusable so 
> long as the opensnitchd service is running.

I use opensnitch with NFS on Debian Bookworm, and have not noticed it is
making NFS unusable.  How did you end up with this conclusion?

I had problems with UDP traffic and Minecraft earlier, as seen in
https://github.com/evilsocket/opensnitch/issues/813, but managed
to get it working by enabling 'Debug invalid connections' in the Nodes
tab of the preferences.  Perhaps it can help you with NFS too?

When that is said, I would very much like to see ebpf support in Debian.
I know upstream is working on figuring this out and that patches would be
most welcome.  Perhaps you can provide some?

-- 
Happy hacking
Petter Reinholdtsen



Bug#1036995: openldap: CVE-2023-2953

2023-05-31 Thread Salvatore Bonaccorso
Hi Ryan,

On Wed, May 31, 2023 at 04:34:31PM -0700, Ryan Tandy wrote:
> Hi, thanks for the report. If I've understood the issue correctly (DoS/crash
> if malloc fails), it does not look too urgent.

Correct, agreed.

> Although the fixes look safe enough, I think we could wait until after
> bookworm is released, and fix this in unstable first and in a point release
> later. Does that sound OK to you?

Yes I do agree. The issue can be fixed after the bookworm release for
unstable and trixie, and for bookworm fixing it in the first point
release is absolutely fine. We do not need a DSA here. The same holds
for bullseye.

Thank you for the swift reply back!

Regards,
Salvatore



Bug#1036977: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2

2023-05-31 Thread Yadd

On 5/31/23 23:30, Salvatore Bonaccorso wrote:

Hi Yadd,

On Wed, May 31, 2023 at 03:13:06PM +0400, Yadd wrote:

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jquer...@packages.debian.org
Control: affects -1 + src:jqueryui

[ Reason ]
jqueryui is potentially vulnerable to cross-site scripting
(CVE-2022-31160)

[ Impact ]
Low security issue

[ Tests ]
Sadly, tests are minimal in this package. Anyway, they passed.

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
   [X] *all* changes are documented in the d/changelog
   [X] I reviewed all changes and I approve them
   [X] attach debdiff against the package in (old)stable
   [X] the issue is verified as fixed in unstable

[ Changes ]
Don't accept label outside of the root element

Cheers,
Yadd



diff --git a/debian/changelog b/debian/changelog
index 3a6a587..9b1e9cc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+jqueryui (1.12.1+dfsg-8+deb11u2) bullseye; urgency=medium
+
+  * Team upload
+  * Checkboxradio: Don't re-evaluate text labels as HTML (Closes: 
CVE-2022-31160)
+
+ -- Yadd   Wed, 31 May 2023 15:08:55 +0400
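Review bot: "Closes: CVE-2022-31160" in the changelog line "+  * Checkboxradio: Don't re-evaluate text labels as HTML (Closes: CVE-2022-31160)" will not close anything, because the BTS only parses bug numbers after "Closes:"; keep the CVE id as a reference in the entry, but put the Debian bug number after "Closes:" so the bug is actually closed by the upload.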


Minor thing, you could as well close #1015982 with the upload.


Hi,

sure, here is the new debdiff

diff --git a/debian/changelog b/debian/changelog
index 3a6a587..dc02159 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+jqueryui (1.12.1+dfsg-8+deb11u2) bullseye; urgency=medium
+
+  * Team upload
+  * Checkboxradio: Don't re-evaluate text labels as HTML
+(Closes: #1015982, CVE-2022-31160)
+
+ -- Yadd   Thu, 01 Jun 2023 06:50:09 +0400
+
 jqueryui (1.12.1+dfsg-8+deb11u1) bullseye; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2022-31160.patch 
b/debian/patches/CVE-2022-31160.patch
new file mode 100644
index 000..8f5238d
--- /dev/null
+++ b/debian/patches/CVE-2022-31160.patch
@@ -0,0 +1,157 @@
+Description: Checkboxradio: Don't re-evaluate text labels as HTML
+Author: Michał Gołębiowski-Owczarek 
+Origin: upstream, https://github.com/jquery/jquery-ui/commit/8cc5bae1
+Bug: 
https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9
+Bug-Debian: https://bugs.debian.org/1015982
+Forwarded: not-needed
+Applied-Upstream: 1.13.2, commit:8cc5bae1
+Reviewed-By: Yadd 
+Last-Update: 2023-05-31
+
+--- a/tests/unit/checkboxradio/checkboxradio.html
 b/tests/unit/checkboxradio/checkboxradio.html
+@@ -64,6 +64,18 @@
+ 
+   
+ 
++
++  
++  Hi, I'm a label
++
++
++  
++  Hi, I'm a label
++
++
++  
++  emHi, I'm a label/em
++
+ 
+ 
+ 
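Review bot: in the tests/unit/checkboxradio/checkboxradio.html hunk the three new fixture blocks ("Hi, I'm a label") arrive with their markup stripped, so the element ids the core.js and methods.js tests look up (label-with-no-for-with-html, label-with-no-for-with-text, label-with-no-for-with-html-like-text) and the entity-escaped form of the third label cannot be verified from this mail; compare the fixture against upstream commit 8cc5bae1 named in the Origin: header before accepting. "Forwarded: not-needed" together with "Origin: upstream" is the right DEP-3 pairing for a backport.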
+--- a/tests/unit/checkboxradio/core.js
 b/tests/unit/checkboxradio/core.js
+@@ -135,4 +135,41 @@
+   );
+ } );
+ 
++QUnit.test( "Inheriting label from initial HTML", function( assert ) {
++  var tests = [
++  {
++  id: "label-with-no-for-with-html",
++  expectedLabel: "Hi, I'm a 
label"
++  },
++  {
++  id: "label-with-no-for-with-text",
++  expectedLabel: "Hi, I'm a label"
++  },
++  {
++  id: "label-with-no-for-with-html-like-text",
++  expectedLabel: "emHi, I'm a label/em"
++  }
++  ];
++
++  assert.expect( tests.length );
++
++  tests.forEach( function( testData ) {
++  var id = testData.id;
++  var expectedLabel = testData.expectedLabel;
++  var inputElem = $( "#" + id );
++  var labelElem = inputElem.parent();
++
++  inputElem.checkboxradio( { icon: false } );
++
++  var labelWithoutInput = labelElem.clone();
++  labelWithoutInput.find( "input" ).remove();
++
++  assert.strictEqual(
++  labelWithoutInput.html().trim(),
++  expectedLabel.trim(),
++  "Label correct [" + id + "]"
++  );
++  } );
++} );
++
+ } );
+--- a/tests/unit/checkboxradio/methods.js
 b/tests/unit/checkboxradio/methods.js
+@@ -94,4 +94,42 @@
+   assert.strictEqual( input.parent()[ 0 ], element[ 0 ], "Input 
preserved" );
+ } );
+ 
++QUnit.test( "Initial text label not turned to HTML on refresh", function( 
assert ) {
++  var tests = [
++  {
++  id: "label-with-no-for-with-html",
++  expectedLabel: "Hi, I'm a 
label"
++  },
++  {
++  id: "label-with-no-for-with-text",
++  expectedLabel: "Hi, I'm a label"
++  },
++  {
++  id: "label-with-no-for-with-html-like-text",
++  expectedLabel: "emHi, I'm a label/em"
++  }
++  ];
++
++  assert.expect( tests.length );
++
++  tests.forEach( function( testData ) {
++  var id = testData.id;
++  var 
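Review bot: the debdiff is cut off mid-hunk in tests/unit/checkboxradio/methods.js (it ends at "var"), and everything visible is test code; the change to the widget itself that stops label text from being re-evaluated as HTML is not in view, so the fix cannot be reviewed from this mail alone. Please re-send the complete debdiff (the "@@ -0,0 +1,157 @@" header announces 157 lines for the patch) or point at the Salsa commit.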

Bug#1036530: Regression from "ACPI: OSI: Remove Linux-Dell-Video _OSI string"? (was: Re: Bug#1036530: linux-signed-amd64: Hard lock up of system)

2023-05-31 Thread Nick Hastings
Hi,

* Nick Hastings  [230530 16:01]:
> 
> * Mario Limonciello  [230530 13:00]:

> > As you're actually loading nouveau, can you please try nouveau.runpm=0 on
> > the kernel command line?
> 
> I'm not intentionally loading it. This machine also has intel graphics
> which is what I prefer. Checking my
> /etc/modprobe.d/blacklist-nvidia-nouveau.conf
> I see:
> 
> blacklist nvidia
> blacklist nvidia-drm
> blacklist nvidia-modeset
> blacklist nvidia-uvm
> blacklist ipmi_msghandler
> blacklist ipmi_devintf
> 
> So I thought I had blacklisted it but it seems I did not. Since I do not
> want to use it maybe it is better to check if the lock up occurs with
> nouveau blacklisted. I will try that now.

I blacklisted nouveau and booted into a 6.1 kernel:
% uname -a
Linux xps 6.1.0-9-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.27-1 (2023-05-08) 
x86_64 GNU/Linux

It has been running without problems for nearly two days now:
% uptime
 08:34:48 up 1 day, 16:22,  2 users,  load average: 1.33, 1.26, 1.27

Regards,

Nick.



Bug#1036995: openldap: CVE-2023-2953

2023-05-31 Thread Ryan Tandy
Hi, thanks for the report. If I've understood the issue correctly 
(DoS/crash if malloc fails), it does not look too urgent.


Although the fixes look safe enough, I think we could wait until after 
bookworm is released, and fix this in unstable first and in a point 
release later. Does that sound OK to you?


thanks,
Ryan



Bug#1037007: libopenmpt: failing autopkgtests with 0.7.0

2023-05-31 Thread Jeremy Bícha
Source: libopenmpt
Version: 0.7.0-1
Severity: serious
Tags: experimental

libopenmpt 0.7.0-1 in experimental has failing autopkgtests because of
errors emitted because of a deprecation warning.

pattern-dump-c.c: In function ‘main’:
pattern-dump-c.c:25:13: warning: ‘openmpt_stream_get_file_callbacks’
is deprecated [-Wdeprecated-declarations]
   25 | openmpt_stream_get_file_callbacks(),

https://release.debian.org/britney/pseudo-excuses-experimental.html#libopenmpt

Thank you,
Jeremy Bícha



Bug#1037006: opensnitch: Upstream change enables ebpf compilation

2023-05-31 Thread Pijgn
Package: opensnitch
Version: 1.5.8.1-1+b2
Severity: wishlist
Tags: upstream

Dear Maintainer,

OpenSnitch in Debian is currently incompatible with (some?) kernel space 
network tools such as wireguard and NFS. These are entirely unusable so 
long as the opensnitchd service is running. An eBPF module is required 
when the user does not wish to completely block such traffic, but until 
recently the upstream build process could not be included in Debian. [0]

The following information may be helpful for determining whether this 
change is small enough to include in a bookworm point release.

I have confirmed this works with the package version mentioned above.
Any new files are from the tree at commit 11baad0. [1]

- Replace "ebpf_prog/Makefile" with the newer file and delete unknown 
targets (" opensnitch-procs.o opensnitch-dns.o") on line 30.
- Remove "ebpf_prog/file.patch" since it is no longer needed.
- Add directory "ebpf_prog/bpf_headers" containing 4 upstream files.
- Rename "ebpf_prog/bpf_headers" to "ebpf_prog/bpf" for compatibility.

With the appropriate linux-headers package installed, it should now be 
possible to run 'make' in the "ebpf_prog" directory and copy the 
resulting "opensnitch.o" file to "/etc/opensnitchd/". (The non-standard 
location is fixed upstream and will be deprecated in a future release.)

[0] https://people.skolelinux.org/pere/blog/tags/opensnitch/
[1] https://github.com/evilsocket/opensnitch/tree/
11baad083d5396f4d30af5ce5b1ae6ad80bb5478


-- System Information:
Debian Release: 12.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-9-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE 
not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages opensnitch depends on:
ii  libc62.36-9
ii  libnetfilter-queue1  1.0.5-3
ii  libnfnetlink01.0.2-2

Versions of packages opensnitch recommends:
ii  python3-opensnitch-ui  1.5.8.1-1



Bug#1037005: prometheus-smokeping-prober: package is missing an /etc/init.d script

2023-05-31 Thread Tim Wootton
Package: prometheus-smokeping-prober
Version: 0.4.1-2+b5
Severity: normal
Tags: patch
X-Debbugs-Cc: tim_woot...@yahoo.com

Dear Maintainer,

Please include an /etc/init.d script as is provided with other prometheus 
exporters

-- System Information:
Debian Release: 11.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-21-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /bin/dash
Init: OpenRC (via /run/openrc), PID 1: init

Versions of packages prometheus-smokeping-prober depends on:
ii  adduser3.118
ii  debconf [debconf-2.0]  1.5.77
ii  libc6  2.31-13+deb11u6
ii  libcap2-bin1:2.44-1

prometheus-smokeping-prober recommends no packages.

prometheus-smokeping-prober suggests no packages.

-- debconf information:
  prometheus-smokeping-prober/want_cap_net_raw: false




Patch file /etc/init.d/prometheus-smokeping-prober, based on standard template:

#!/bin/sh
# kFreeBSD do not accept scripts as interpreters, using #!/bin/sh and sourcing.
if [ true != "$INIT_D_SCRIPT_SOURCED" ] ; then
    set "$0" "$@"; INIT_D_SCRIPT_SOURCED=true . /lib/init/init-d-script
fi
### BEGIN INIT INFO
# Provides:          prometheus-smokeping-prober
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Prometheus style "smokeping" prober
# Description:       This prober sends a series of ICMP (or UDP) pings to a
#                    target and records the responses in Prometheus histogram
#                    metrics. The resulting metrics are useful for detecting
#                    changes in network latency (or round trip time), as well
#                    as packet loss over a network path.
### END INIT INFO

DESC="Prometheus style smokeping prober"
NAME=prometheus-smokeping-prober
DAEMON=/usr/bin/$NAME
USER=prometheus
PIDFILE=/var/run/prometheus/$NAME.pid
LOGFILE=/var/log/prometheus/$NAME.log

HELPER=/usr/bin/daemon
HELPER_ARGS="--name=$NAME --output=$LOGFILE --pidfile=$PIDFILE --user=$USER"

ARGS=""
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

do_start_prepare()
{
    # Make sure the pid and log directories exist and belong to the
    # unprivileged service user before the daemon drops privileges.
    mkdir -p "$(dirname "$PIDFILE")"
    chown "$USER": "$(dirname "$LOGFILE")"
    chown "$USER": "$(dirname "$PIDFILE")"
}

do_start_cmd_override()
{
    # Return
    #   0 if daemon has been started or already running
    #   2 if daemon could not be started
    $HELPER $HELPER_ARGS --running && return 0
    $HELPER $HELPER_ARGS -- "$DAEMON" $ARGS || return 2
    return 0
}

do_stop_cmd_override()
{
    # Return
    #   0 if daemon has been stopped or already stopped
    #   2 if daemon could not be stopped
    #   other if a failure occurred
    $HELPER $HELPER_ARGS --running || return 0
    $HELPER $HELPER_ARGS --stop || return 2
    # wait for the process to really terminate
    for n in 1 2 3 4 5; do
        sleep $n
        $HELPER $HELPER_ARGS --running || break
    done
    $HELPER $HELPER_ARGS --running || return 0
    return 2
}



Bug#1037004: msmtp-mta doesn't respect DEBIAN_FRONTEND=noninteractive

2023-05-31 Thread Greg
Package: msmtp-mta
Version: 1.8.6-1
Severity: important

Dear Maintainer,

Regarding your commit here: 
https://salsa.debian.org/kolter/msmtp/-/commit/7633ea472e24bf3be003396a2e4567d101f8cf53

This has added a TUI when installing the `msmtp-mta` package that appears even 
on non-interactive terminals. This is making it very difficult for us to 
upgrade our Gitlab install which has this command in a Dockerfile:

RUN DEBIAN_FRONTEND=noninteractive apt-get -y update && \
  apt-get install -yq --no-install-recommends msmtp-mta s-nail htop dialog less paxctl sudo

The command is executed by `docker-compose build --pull`

However the TUI shows up and there’s no way to dismiss it without aborting the 
install. Pressing enter/space etc does not work, it only types keys over the 
TUI.

Any help with this is greatly appreciated!

-- System Information:
Debian Release: bullseye/sid
  APT prefers focal-updates
  APT policy: (500, 'focal-updates'), (500, 'focal-security'), (500, 'focal'), 
(100, 'focal-backports')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.6-200.fc37.x86_64 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 
(charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages msmtp-mta depends on:
ii  init-system-helpers  1.57
ii  libc62.31-0ubuntu9.9
ii  msmtp1.8.6-1

msmtp-mta recommends no packages.

msmtp-mta suggests no packages.

-- no debconf information


Bug#1037001: r-cran-htmltable: Homepage link doesn't work because it is case-sensitive

2023-05-31 Thread Dirk Eddelbuettel


On 31 May 2023 at 15:18, David Fifield wrote:
| Package: r-cran-htmltable
| Severity: minor
| X-Debbugs-Cc: da...@bamsoftware.com
| 
| The package homepage https://cran.r-project.org/package=htmltable
| leads to a 404 error page. The link
| https://cran.r-project.org/package=htmlTable works (note
| capitalization).

Good catch and my bad --- a copy-and-paste error because package and reponame
are all lowercase within Debian.

Have fixed this in my sources, will get corrected on next upload.

Dirk
 
 
| -- System Information:
| Debian Release: 11.7
|   APT prefers stable-security
|   APT policy: (500, 'stable-security'), (500, 'stable')
| Architecture: amd64 (x86_64)
| 
| Kernel: Linux 5.10.0-22-amd64 (SMP w/4 CPU threads)
| Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not 
set
| Shell: /bin/sh linked to /usr/bin/dash
| Init: systemd (via /run/systemd/system)
| LSM: AppArmor: enabled
| 
| Versions of packages r-cran-htmltable depends on:
| ii  r-base-core [r-api-4.0]  4.0.4-1
| pn  r-cran-checkmate 
| ii  r-cran-dplyr 1.0.4-1
| ii  r-cran-htmltools 0.5.1.1-1
| ii  r-cran-htmlwidgets   1.5.3+dfsg-1
| ii  r-cran-knitr 1.31+dfsg-1
| ii  r-cran-magrittr  2.0.1-1
| ii  r-cran-rstudioapi0.13-1
| ii  r-cran-stringr   1.4.0-2
| ii  r-cran-tidyr 1.1.2-1
| 
| r-cran-htmltable recommends no packages.
| 
| r-cran-htmltable suggests no packages.

-- 
dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org



Bug#1037003: unblock: forensics-extra/2.45

2023-05-31 Thread Joao Eriberto Mota Filho
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: forensics-ex...@packages.debian.org
Control: affects -1 + src:forensics-extra

Please unblock package forensics-extra

[ Reason ]
forensics-extra (like forensics-all) is a metapackage to install several
tools to aid in forensics activities. Due to an issue in reaver (see #1036809),
forensics-extra is marked for autoremoval. The solution was to move reaver from
the Depends field to the Recommends field in forensics-extra. Consequently, the files
list-of-packages-extra, debian/control and debian/forensics-extra.README.Debian
were updated.

This metapackage is native and uses some scripts to generate a final
debian/control and a debian/forensics-extra.README.Debian. The
list-of-packages-extra file describes which packages will be put in
debian/control and where they will be put (Depends, Recommends, Suggests).
The debian/forensics-extra.README.Debian is a list of all packages on
forensics-extra and their short descriptions.

[ Impact ]
The impact for the user if the unblock isn't granted is that package
forensics-extra will not be available in the next stable release (Bookworm).

[ Tests ]
Considering that this is a metapackage, no great tests are needed. The package
has a CI test and the Salsa CI is activated too. The package passes in CI,
piuparts, etc.

There is a script in forensics-extra called find-deps.sh (available in a branch
in Salsa, not merged yet, but functional). This script ensures that no other
package is affected by reaver in forensics-extra.

[ Risks ]
No risks. This is a trivial change in a metapackage.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
No more info needed.

unblock forensics-extra/2.45
diff -Nru forensics-extra-2.44/debian/changelog 
forensics-extra-2.45/debian/changelog
--- forensics-extra-2.44/debian/changelog   2023-04-17 20:59:36.0 
-0300
+++ forensics-extra-2.45/debian/changelog   2023-05-31 17:01:50.0 
-0300
@@ -1,3 +1,12 @@
+forensics-extra (2.45) unstable; urgency=medium
+
+  * list-of-packages-extra: moved reaver from FED to FER. See #1036809 and
+#1036591.
+  * debian/control: updated.
+  * debian/forensics-extra.README.Debian: updated.
+
+ -- Joao Eriberto Mota Filho   Wed, 31 May 2023 17:01:50 
-0300
+
 forensics-extra (2.44) unstable; urgency=medium
 
   * list-of-packages-extra: changed bzip3 from FED to FER. See #1034177.
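Review bot: the entry "+  * list-of-packages-extra: moved reaver from FED to FER. See #1036809 and" uses the list-of-packages-extra shorthand without expanding it; since the changelog is what the release team reads for this unblock, state the effect in plain terms, e.g. "moved reaver from Depends to Recommends (FED -> FER)".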
diff -Nru forensics-extra-2.44/debian/control 
forensics-extra-2.45/debian/control
--- forensics-extra-2.44/debian/control 2023-04-17 20:59:36.0 -0300
+++ forensics-extra-2.45/debian/control 2023-05-31 17:01:50.0 -0300
@@ -31,6 +31,7 @@
 exfatprogs,
 guestfs-tools,
 pngcheck,
+reaver,
 ree,
 tcpreplay
 Depends: ancient,
@@ -125,7 +126,6 @@
  psrip,
  rarcrack,
  readstat,
- reaver,
  rzip,
  scrot,
  secure-delete,
@@ -225,7 +225,7 @@
ncompress, netcat-openbsd, netdiscover, ngrep, nomarch, nstreams,
ntfs-3g, nwipe, openpace, p7zip-full, packit, parted, pcapfix,
pcaputils, pdfcrack, pecomato, pev, plzip, png-definitive-guide,
-   poppler-utils, psrip, rarcrack, readstat, reaver, rzip, scrot,
+   poppler-utils, psrip, rarcrack, readstat, rzip, scrot,
secure-delete, sipcrack, sipgrep, sipvicious, sngrep,
squashfs-tools-ng, ssh-audit, sslscan, stepic, sxiv, tcpdump,
tcpflow, tcptrace, tcpxtract, testdisk, tshark, ugrep, unrar-free,
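Review bot: the "@@ -225,7 +225,7 @@" hunk removes reaver from the package enumeration in the long description ("-   poppler-utils, psrip, rarcrack, readstat, reaver, rzip, scrot,"), but no hunk adds it to a corresponding enumeration of recommended packages; if the generated description lists Recommends as well, reaver has now dropped out of the description entirely, so check the generator's output and not only the Depends/Recommends fields.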
diff -Nru forensics-extra-2.44/debian/forensics-extra.README.Debian 
forensics-extra-2.45/debian/forensics-extra.README.Debian
--- forensics-extra-2.44/debian/forensics-extra.README.Debian   2023-04-17 
20:59:36.0 -0300
+++ forensics-extra-2.45/debian/forensics-extra.README.Debian   2023-05-31 
17:01:50.0 -0300
@@ -99,7 +99,6 @@
 psrip - Extract images from PostScript files
 rarcrack - Password cracker for rar archives
 readstat - read/write data sets from SAS, Stata, and SPSS
-reaver - brute force attack tool against Wifi Protected Setup PIN number
 rzip - compression program for large files
 scrot - command line screen capture utility
 secure-delete - tools to wipe files, free disk space, swap and memory
@@ -173,8 +172,9 @@
 exfatprogs - exFAT file system utilities
 guestfs-tools - guest disk image management system - tools
 pngcheck - print info and check PNG, JNG and MNG files
+reaver - brute force attack tool against Wifi Protected Setup PIN number
 ree - extract ROM extensions
 tcpreplay - Tool to replay saved tcpdump files at arbitrary speeds
 
 
- -- Joao Eriberto Mota Filho   Mon, 17 Apr 2023 21:03:07 
-0300
+ -- Joao Eriberto Mota Filho   Wed, 31 May 2023 17:06:35 
-0300
diff -Nru forensics-extra-2.44/list-of-packages-extra 
forensics-extra-2.45/list-of-packages-extra
--- 

Bug#1037002: unblock: forensics-all/3.45

2023-05-31 Thread Joao Eriberto Mota Filho
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: forensics-...@packages.debian.org
Control: affects -1 + src:forensics-all

Please unblock package forensics-all.

[ Reason ]
forensics-all (like forensics-extra) is a metapackage to install several
tools to aid in forensics activities. Due to an issue in reaver (see #1036809),
forensics-all is marked for autoremoval. The solution was to move wifite, which
depends on reaver, from the Depends field to the Recommends field in forensics-all.
Consequently, the files list-of-packages, debian/control and
debian/forensics-all.README.Debian were updated.

This metapackage is native and uses some scripts to generate a final
debian/control and a debian/forensics-all.README.Debian. The list-of-packages
file describes which packages will be put in debian/control and where they
will be put (Depends, Recommends, Suggests). The
debian/forensics-all.README.Debian is a list of all packages on forensics-all
and their short descriptions.

[ Impact ]
The impact for the user if the unblock isn't granted is that package
forensics-all will not be available in the next stable release (Bookworm).

[ Tests ]
Considering that this is a metapackage, no great tests are needed. The package
has a CI test and the Salsa CI is activated too. The package passes in CI,
piuparts, etc.

There is a script in forensics-all called find-deps.sh. This script ensures
that only wifite depends on reaver in forensics-all.

[ Risks ]
No risks. This is a trivial change in a metapackage.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
No more info needed.

unblock forensics-all/3.45
diff -Nru forensics-all-3.44/debian/changelog 
forensics-all-3.45/debian/changelog
--- forensics-all-3.44/debian/changelog 2023-03-16 08:04:52.0 -0300
+++ forensics-all-3.45/debian/changelog 2023-05-31 16:38:48.0 -0300
@@ -1,3 +1,11 @@
+forensics-all (3.45) unstable; urgency=medium
+
+  * list-of-packages: moved wifite from FD to FR. See #1036809 and #1036591.
+  * debian/control: updated.
+  * debian/forensics-all.README.Debian: updated.
+
+ -- Joao Eriberto Mota Filho   Wed, 31 May 2023 16:38:48 
-0300
+
 forensics-all (3.44) unstable; urgency=medium
 
   * list-of-packages:
diff -Nru forensics-all-3.44/debian/control forensics-all-3.45/debian/control
--- forensics-all-3.44/debian/control   2023-03-16 08:04:52.0 -0300
+++ forensics-all-3.45/debian/control   2023-05-31 16:38:48.0 -0300
@@ -38,6 +38,7 @@
 plaso,
 radare2,
 wapiti,
+wifite,
 xmount,
 yara
 Depends: acct,
@@ -145,7 +146,6 @@
  unhide.rb,
  vinetto,
  wfuzz,
- wifite,
  winregfs,
  wipe,
  ${misc:Depends}
@@ -176,7 +176,7 @@
scrounge-ntfs, shed, sleuthkit, smbmap, snowdrop, ssdeep, ssldump,
statsprocessor, stegcracker, steghide, stegsnow, sucrack,
tableau-parm, tcpick, testssl.sh, time-decode, undbx, unhide,
-   unhide.rb, vinetto, wfuzz, wifite, winregfs, wipe
+   unhide.rb, vinetto, wfuzz, winregfs, wipe
  .
  This metapackage is useful for pentesters, ethical hackers and forensics
  experts.
diff -Nru forensics-all-3.44/debian/forensics-all.README.Debian 
forensics-all-3.45/debian/forensics-all.README.Debian
--- forensics-all-3.44/debian/forensics-all.README.Debian   2023-03-16 
08:04:52.0 -0300
+++ forensics-all-3.45/debian/forensics-all.README.Debian   2023-05-31 
16:38:48.0 -0300
@@ -110,7 +110,6 @@
 unhide.rb - Forensics tool to find processes hidden by rootkits
 vinetto - forensics tool to examine Thumbs.db files
 wfuzz - Web application bruteforcer
-wifite - Python script to automate wireless auditing using aircrack-ng tools
 winregfs - Windows registry FUSE filesystem
 wipe - secure file deletion
 
@@ -128,8 +127,9 @@
 plaso - super timeline all the things -- metapackage
 radare2 - free and advanced command line hexadecimal editor
 wapiti - web application vulnerability scanner
+wifite - Python script to automate wireless auditing using aircrack-ng tools
 xmount - tool for crossmounting between disk image formats
 yara - Pattern matching swiss knife for malware researchers
 
 
- -- Joao Eriberto Mota Filho   Thu, 16 Mar 2023 08:33:39 
-0300
+ -- Joao Eriberto Mota Filho   Wed, 31 May 2023 16:43:31 
-0300
diff -Nru forensics-all-3.44/list-of-packages 
forensics-all-3.45/list-of-packages
--- forensics-all-3.44/list-of-packages 2023-03-16 08:04:52.0 -0300
+++ forensics-all-3.45/list-of-packages 2023-05-31 16:38:48.0 -0300
@@ -234,7 +234,7 @@
 websploit SS
 weevely SS
 wfuzz FD
-wifite FD
+wifite FR # FIXME. Was F-D. See #1036809 and #1036591.
 wig SS
 winregfs FD
 wipe FD
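Review bot: the new line "+wifite FR # FIXME. Was F-D. See #1036809 and #1036591." spells the level "F-D" while the changelog entry says "FD"; use one spelling so the FIXME can be grepped together with the other entries, and state the revert condition (move wifite back to FD once the reaver issue in #1036809 is resolved) so the comment is actionable for whoever picks it up later.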


Bug#1037001: r-cran-htmltable: Homepage link doesn't work because it is case-sensitive

2023-05-31 Thread David Fifield
Package: r-cran-htmltable
Severity: minor
X-Debbugs-Cc: da...@bamsoftware.com

The package homepage https://cran.r-project.org/package=htmltable
leads to a 404 error page. The link
https://cran.r-project.org/package=htmlTable works (note
capitalization).


-- System Information:
Debian Release: 11.7
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-22-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages r-cran-htmltable depends on:
ii  r-base-core [r-api-4.0]  4.0.4-1
pn  r-cran-checkmate 
ii  r-cran-dplyr 1.0.4-1
ii  r-cran-htmltools 0.5.1.1-1
ii  r-cran-htmlwidgets   1.5.3+dfsg-1
ii  r-cran-knitr 1.31+dfsg-1
ii  r-cran-magrittr  2.0.1-1
ii  r-cran-rstudioapi0.13-1
ii  r-cran-stringr   1.4.0-2
ii  r-cran-tidyr 1.1.2-1

r-cran-htmltable recommends no packages.

r-cran-htmltable suggests no packages.



Bug#1036187: vfu: several notes about clipboard

2023-05-31 Thread Vladi Belperchinov-Shabanski


hi,

I fixed it with commit 2cfa35ceef551708481626732a4d98734e7a0f22.
also fixed size calculation so it will properly report progress
and estimate time when copy/move from the clipboard.

try it again?

P! Vladi.
-- 
Vladi Belperchinov-Shabanski  
   
http://cade.noxrun.com
pgp/gpg key 6F35B214 @ http://pgp.mit.edu



Bug#1031772: Fwd: Bug#1031772: Acknowledgement (nvidia-settings gtk icon app disappeared)

2023-05-31 Thread Sergio Zamora
Dear Maintainer,

after installing the 'nvidia-alternative' package, selecting
' /usr/lib/nvidia/current ' instead of the previously selected option
( /usr/lib/nvidia/tesla ) and rebooting solved the issue, recovering:


   - gtk desktop app
   - startup custom configuration with nvidia-settings on tweak tool (
   Gnome Shell / Xorg )


I'm not able to explain why this option was selected, since I never used the
nvidia-alternatives app before.


This issue arose along with the last nvidia-settings upgrade some weeks ago.


Best Regards.


-- Forwarded message -
De: Debian Bug Tracking System 
Date: mié, 22 feb 2023 a la(s) 10:39
Subject: Bug#1031772: Acknowledgement (nvidia-settings gtk icon app
disappeared)
To: zezamoral 


Thank you for filing a new Bug report with Debian.

You can follow progress on this Bug here: 1031772:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031772.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

As you requested using X-Debbugs-CC, your message was also forwarded to
  sazamor...@gmail.com
(after having been given a Bug report number, if it did not have one).

Your message has been sent to the package maintainer(s):
 Debian NVIDIA Maintainers 

If you wish to submit further information on this problem, please
send it to 1031...@bugs.debian.org.

Please do not send mail to ow...@bugs.debian.org unless you wish
to report a problem with the Bug-tracking system.

-- 
1031772: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031772
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


Bug#1036998:

2023-05-31 Thread Robert Qian
Note that this patch fixes a Debian policy violation (
https://www.debian.org/doc/debian-policy/ch-source.html) which should
qualify this as a "serious" severity bug where:

"For packages in the main archive, required targets must not attempt
network access, except, via the loopback interface, to services on the
build host that have been started by the build."


Bug#1037000: unblock: crowdsec/1.4.6-4 and bouncers

2023-05-31 Thread Cyril Brulebois
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi!

Please unblock packages crowdsec, crowdsec-custom-bouncer, and
crowdsec-firewall-bouncer.

I'm filing a single unblock request since all three packages are
entangled, and Paul suggested this would be appropriate:
 - both bouncers get the exact same changes (only the context differs);
 - crowdsec gets an extra snippet to deal with the pending registration
   requested by either one or both bouncers.

[ Reason ]
RC bugs #1035499 and #1036985 on the bouncers: they might fail to
install depending on the dpkg-level ordering as far as configuration
goes, that is: if crowdsec (which is listed in Recommends) is unpacked
but not configured, the `cscli` call fails and the postinst errors out.

Back when the bouncers were prepared, both upstream and I verified that
we could just install either bouncer package without a pre-existing
crowdsec package installed, but as seen with Andreas' piuparts-based
testing, we might get a different order over time, or across bouncers…

In any case, at the moment, a freshly-deployed Bookworm VM can't get
either bouncer installed, and I'd like to get that fixed in time for
12.0.

The proposed changes keep the existing code paths, and add detection for
the problematic case, queueing bouncer registration, letting crowdsec
catch up when it's finally configured. To prevent bouncers from starting
before crowdsec has dealt with the registration, I've added a condition
to both their systemd units, and a `deb-systemd-invoke start` call once
everything is ready.

[ Impact ]
Abysmal user experience without those fixes.

[ Tests ]
Both upstream and I have tested updated packages, stashed in a custom
repository, installing 1 to 3 packages in various order, making sure the
new code does the right thing. I've also verified this under piuparts,
seeing that policy-rc.d is respected as it should (and the start request
is ignored without triggering an error).

[ Risks ]
There might be tricky situations I haven't imagined or encountered, but
since we're basically keeping existing code, and just adding detection
and solution for a specific bad situation during the first installation,
I'm not sure what could regress.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing


unblock crowdsec/1.4.6-4
unblock crowdsec-custom-bouncer/0.0.15-3
unblock crowdsec-firewall-bouncer/0.0.25-3


Cheers,
-- 
Cyril Brulebois -- Debian Consultant @ DEBAMAX -- https://debamax.com/
diff -Nru crowdsec-1.4.6/debian/changelog crowdsec-1.4.6/debian/changelog
--- crowdsec-1.4.6/debian/changelog 2023-03-19 00:25:07.0 +0100
+++ crowdsec-1.4.6/debian/changelog 2023-05-31 18:54:17.0 +0200
@@ -1,3 +1,16 @@
+crowdsec (1.4.6-4) unstable; urgency=medium
+
+  * Implement support for pending registration: since bouncers list crowdsec
+in Recommends, we cannot guarantee the order in which bouncers and
+crowdsec are configured (See: #1035499, #1036985). Bouncers can now
+queue triplets (systemd unit name, bouncer identifier and API key) in
+/var/lib/crowdsec/pending-registration. crowdsec.postinst will register
+those bouncers, and start their systemd units after removing that file
+(satisfying their ConditionPathExists=! on it).
+  * Replace `exit 0` with `break` in the preceding code block.
+
+ -- Cyril Brulebois   Wed, 31 May 2023 18:54:17 +0200
+
 crowdsec (1.4.6-3) unstable; urgency=medium
 
   * When performing an upgrade from pre-1.4.x versions, apply a workaround
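Review bot: The second bullet, "Replace `exit 0` with `break` in the preceding code block.", gives the what but not the why; the postinst hunk that follows appends the pending-registration handling after that polling loop, so an early `exit 0` would have skipped it, and the changelog should say so, because a reader of the changelog alone cannot tell that the two bullets are linked.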
diff -Nru crowdsec-1.4.6/debian/crowdsec.postinst 
crowdsec-1.4.6/debian/crowdsec.postinst
--- crowdsec-1.4.6/debian/crowdsec.postinst 2023-03-18 14:40:31.0 
+0100
+++ crowdsec-1.4.6/debian/crowdsec.postinst 2023-05-31 17:01:15.0 
+0200
@@ -280,15 +280,35 @@
   for _ in $(seq 1 $MAX); do
 # Getting decisions means we can happily exit:
 if grep -qs 'added [0-9][0-9]* entries, deleted [0-9][0-9]* entries' $LOG; 
then
-  exit 0
+  break
 fi
 # Getting 0 new entries means we can happily trigger a restart then exit:
 if grep -qs 'received 0 new entries (expected if you just installed 
crowdsec)' $LOG; then
   echo "W: Restarting manually to force a CAPI pull (upstream #2120)" >&2
   deb-systemd-invoke restart 'crowdsec.service' >/dev/null || true
-  exit 0
+  break
 fi
 # Don't poll too aggressively:
 sleep 1
   done
 fi
+
+# Bouncer registration: they have crowdsec in Recommends only, so ordering 
isn't
+# guaranteed (#1035499, #1036985). Process pending registration if any, then
+# kick relevant systemd units once their ConditionPathExists is satisfied.
+PENDING=/var/lib/crowdsec/pending-registration
+if [ -f $PENDING ]; then
+  while read unit name key; do
+units="${units:+$units }$unit"
+bouncers="${bouncers:+$bouncers 
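Review bot: `while read unit name key; do` at the end of the hunk should be `while read -r unit name key`, so that a backslash in an API key is not interpreted by read; and since /var/lib/crowdsec/pending-registration carries bouncer API keys in clear text, the block should check the file's owner and mode (root, not group or world readable) before acting on its contents, as nothing in the visible lines does. Initialising `units` and `bouncers` to empty before the loop would also keep an inherited variable from seeding the `${units:+$units }$unit` accumulation.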

Bug#1036999: imagemagick: CVE-2023-34151

2023-05-31 Thread Salvatore Bonaccorso
Source: imagemagick
Version: 8:6.9.11.60+dfsg-1.6
Severity: important
Tags: security upstream
Forwarded: https://github.com/ImageMagick/ImageMagick/issues/6341
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for imagemagick.

CVE-2023-34151[0]:
| A vulnerability was found in ImageMagick. This security flaw occurs
| as undefined behavior of casting double to size_t in svg, mvg and
| other coders (recurring bugs of CVE-2022-32546).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-34151
https://www.cve.org/CVERecord?id=CVE-2023-34151
[1] https://github.com/ImageMagick/ImageMagick/issues/6341

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#1036992: r8168-dkms: Adding more information

2023-05-31 Thread Andreas Beckmann

On 31/05/2023 20.52, MA wrote:

* What was the outcome of this action? ==> No expected changes and the 
driver for my Ethernet still shows as r8168 in lspci -k command
* What outcome did you expect instead?==> I expected the installed driver 
to be removed and reload the kernel built-in driver (which is currently nowhere to 
be found)


which will happen upon reboot

Replacing the network driver would require stopping the network (and all 
services using the network), unloading the kernel driver, loading the 
new kernel driver, bringing up the network again. That works best if 
done by a reboot.


Andreas



Bug#1036998: emacs contains tests that will fail on builders with restricted networks

2023-05-31 Thread Robert Qian
Package: emacs
Version: 28.2+1
Tags: patch

Hi, we've noticed that some of the emacs tests currently open remote
sockets during a Debian build. Builders and build servers don't always
provide full network access and this can cause false failures during build.

I've attached a patch to disable these tests.
From: Robert Qian 

Bug#1036977: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2

2023-05-31 Thread Salvatore Bonaccorso
Hi Yadd,

On Wed, May 31, 2023 at 03:13:06PM +0400, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: jquer...@packages.debian.org
> Control: affects -1 + src:jqueryui
> 
> [ Reason ]
> jqueryui is potentially vulnerable to cross-site scripting
> (CVE-2022-31160)
> 
> [ Impact ]
> Low security issue
> 
> [ Tests ]
> Sadly tests are minimal in this package. Anyway passed
> 
> [ Risks ]
> Low risk, patch is trivial
> 
> [ Checklist ]
>   [X] *all* changes are documented in the d/changelog
>   [X] I reviewed all changes and I approve them
>   [X] attach debdiff against the package in (old)stable
>   [X] the issue is verified as fixed in unstable
> 
> [ Changes ]
> Don't accept label outside of the root element
> 
> Cheers,
> Yadd

> diff --git a/debian/changelog b/debian/changelog
> index 3a6a587..9b1e9cc 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,10 @@
> +jqueryui (1.12.1+dfsg-8+deb11u2) bullseye; urgency=medium
> +
> +  * Team upload
> +  * Checkboxradio: Don't re-evaluate text labels as HTML (Closes: 
> CVE-2022-31160)
> +
> + -- Yadd   Wed, 31 May 2023 15:08:55 +0400
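Review bot: `(Closes: CVE-2022-31160)` in the changelog entry will not close anything, because the Closes field is parsed for Debian bug numbers, not CVE ids; keep the CVE id in the bullet text and add the bug that tracks it (#1015982, as the reply notes) as `Closes: #1015982`.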

Minor thing, you could as well close #1015982 with the upload.

Regards,
Salvatore



Bug#1036187: vfu: several notes about clipboard

2023-05-31 Thread Anonymous 648

Hi Vladi.

Seems to me new features work fine. But looks like I have found another issue.
When I add files to the clipboard - indicator shows that there are 0
files in the clipboard. Please check screenshot attached


On Tue, May 30, 2023 at 12:53:11AM +0300, Vladi Belperchinov-Shabanski wrote:


hi,

I have fixed the clipboard to add the file under cursor and more menu items
for adding and removing files to/from clipboard. this will enter the new 
release.

meanwhile you can test the latest dev version:

 mkdir vfu-tmp
 cd vfu-tmp
 wget https://cade.noxrun.com/projects/vfu/pull-and-build-vfu.sh
 chmod +x pull-and-build-vfu.sh
 ./pull-and-build-vfu.sh

in 'vfu' dir there should be curses and yascreen versions of vfu: vfu and 
vfu.yas

tell me if there are problems?

thanks,
Vladi.
--
Vladi Belperchinov-Shabanski
  
http://cade.noxrun.com
pgp/gpg key 6F35B214 @ http://pgp.mit.edu


Bug#1036995: openldap: CVE-2023-2953

2023-05-31 Thread Salvatore Bonaccorso
Source: openldap
Version: 2.5.13+dfsg-5
Severity: important
Tags: security upstream
Forwarded: https://bugs.openldap.org/show_bug.cgi?id=9904
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: fixed -1 2.6.4+dfsg-1~exp1

Hi,

The following vulnerability was published for openldap.

CVE-2023-2953[0]:
| A vulnerability was found in openldap. This security flaw causes a
| null pointer dereference in ber_memalloc_x() function.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-2953
https://www.cve.org/CVERecord?id=CVE-2023-2953
[1] https://bugs.openldap.org/show_bug.cgi?id=9904

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#1036994: ITP: gir-rust-code-generator -- Generate rust code from .gir introspection files

2023-05-31 Thread Matthias Geiger
Package: wnpp
Severity: wishlist
Owner: Matthias Geiger 
X-Debbugs-Cc: debian-de...@lists.debian.org, debian-r...@lists.debian.org, 
debian-gtk-gn...@lists.debian.org, matthias.geiger1...@tutanota.de


* Package name: gir-rust-code-generator
  Version : 16.1
  Upstream Contact: Sebastian Dröge 
* URL : https://github.com/gtk-rs/gir
* License : MIT
  Programming Lang: Rust
  Description : Generate rust code from .gir introspection files

I intend to package gir-rust-code-generator (upstream name gir). It is used to 
generate the gtk-rs rust source code from the respective .gir files.
According to ftpmasters this program needs to be shipped so the generated code 
could be re-generated (see bug #1017905 for context). The packaging is already 
done. This package will be maintained with the Debian GNOME team. 

thanks,

werdahias



Bug#1031791: Accepted jquery-minicolors 2.3.5+dfsg-4 (source) into unstable

2023-05-31 Thread Salvatore Bonaccorso
Source: jquery-minicolors
Source-Version: 2.3.5+dfsg-4

- Forwarded message from Debian FTP Masters 
 -


Format: 1.8
Date: Wed, 31 May 2023 16:44:37 +0400
Source: jquery-minicolors
Architecture: source
Version: 2.3.5+dfsg-4
Distribution: unstable
Urgency: medium
Maintainer: Debian JavaScript Maintainers 

Changed-By: Yadd 
Changes:
 jquery-minicolors (2.3.5+dfsg-4) unstable; urgency=medium
 .
   * Team upload
   * Declare compliance with policy 4.6.2
   * Fix cross-site scripting issue (Closes: CVE-2021-32850)
Checksums-Sha1: 
 67cedb34a3218a1f1088d1edbe30caef7f18f643 2064 
jquery-minicolors_2.3.5+dfsg-4.dsc
 155bc5ab18516e9c1813b084ebe19c13efca5818 4840 
jquery-minicolors_2.3.5+dfsg-4.debian.tar.xz
Checksums-Sha256: 
 cf9934693d1f54670a68fb89ac59dde8c203734cf3e2a4a00f175933741caf62 2064 
jquery-minicolors_2.3.5+dfsg-4.dsc
 d0a8a02438629da14daeecdbba9c476a1316fb277c73cc93677313c697356dc7 4840 
jquery-minicolors_2.3.5+dfsg-4.debian.tar.xz
Files: 
 ac8a8e1f33d14098d25158e13530bd09 2064 javascript optional 
jquery-minicolors_2.3.5+dfsg-4.dsc
 74d71eede5d66409326b7473c5b165f6 4840 javascript optional 
jquery-minicolors_2.3.5+dfsg-4.debian.tar.xz



- End forwarded message -



Bug#1036992: r8168-dkms: Adding more information

2023-05-31 Thread MA
Package: r8168-dkms
Followup-For: Bug #1036992

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?===> I installed r8168-dkms by accident. To 
revert it I purged the same package to reload my original driver package (r8169)
   * What exactly did you do (or not do) that was effective (or
 ineffective)? ===> I tried to purge the r8168-dkms. 
   * What was the outcome of this action? ==> No expected changes and the 
driver for my Ethernet still shows as r8168 in lspci -k command
   * What outcome did you expect instead?==> I expected the installed driver to 
be removed and reload the kernel built-in driver (which is currently nowhere to 
be found)

*** End of the template - remove these template lines ***


-- System Information:
Debian Release: 11.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-23-amd64 (SMP w/8 CPU threads)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages r8168-dkms depends on:
ii  dkms  2.8.4-3

r8168-dkms recommends no packages.

r8168-dkms suggests no packages.



Bug#1036993: /lib/x86_64-linux-gnu/security/pam_sss.so: pam_sss passes KRB5CCNAME with sudo -i (see redhat bug/fix 1324486)

2023-05-31 Thread J. Pfennig
Package: libpam-sss
Version: 2.8.2-4
Severity: normal
File: /lib/x86_64-linux-gnu/security/pam_sss.so

Dear Maintainer,

   * What led up to the situation?

using kerberos, AD/DC, sssd and its pam module

   * What exactly did you do (or not do) that was effective (or
 ineffective)?

kinit ...           # to get a kerberos ticket
echo $KRB5CCNAME    # path to credential cache

sudo -i user2
echo $KRB5CCNAME    # ORIGINAL path to credential cache

   * What was the outcome of this action?

kinit, klist et al fail, wrong credential cache
echo $KRB5CCNAME    # path from original user

   * What outcome did you expect instead?

KRB5CCNAME must not be passed

the case is described better than I can do at:

https://bugzilla.redhat.com/show_bug.cgi?id=1324486

Bug fixed there in 2017. Could Debian fix it too?

Thanks, Jürgen


-- System Information:
Debian Release: 12.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-9-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libpam-sss:amd64 depends on:
ii  libc6 2.36-9
ii  libgssapi-krb5-2  1.20.1-2
ii  libpam-pwquality  1.4.5-1+b1
ii  libpam-runtime1.5.2-6
ii  libpam0g  1.5.2-6

Versions of packages libpam-sss:amd64 recommends:
ii  sssd  2.8.2-4

libpam-sss:amd64 suggests no packages.

-- no debconf information
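To make the symptom in this report checkable from a shell, here is an added example (it is not from the report, from sssd or from pam_sss): it extracts the uid embedded in the common KRB5CCNAME forms and compares it with the uid the session runs as, so a login whose cache name was inherited from another user is flagged. The cache name formats it recognises (FILE:/tmp/krb5cc_<uid>..., KEYRING:persistent:<uid>..., DIR::/run/user/<uid>/...) are the usual defaults and are assumptions; anything else is reported as unparseable rather than wrong.

```sh
#!/bin/sh
# Added example, not part of the bug report or of sssd/pam_sss.
# Flags a KRB5CCNAME that names another uid's credential cache, which is
# the symptom described above after `sudo -i`.

# Print the uid embedded in a ccache name, or nothing if the format is
# not one of the assumed defaults.
krb5cc_uid() {
  case "$1" in
    FILE:/tmp/krb5cc_*|/tmp/krb5cc_*)
      printf '%s\n' "${1#*/tmp/krb5cc_}" | sed 's/[^0-9].*//' ;;
    KEYRING:persistent:*)
      printf '%s\n' "${1#KEYRING:persistent:}" | sed 's/[^0-9].*//' ;;
    DIR::/run/user/*|DIR:/run/user/*)
      printf '%s\n' "${1#*/run/user/}" | sed 's/[^0-9].*//' ;;
    *) ;;
  esac
}

# $1 = KRB5CCNAME value, $2 = uid the session runs as.
# Returns 0 if the cache belongs to $2, 1 if it names another uid,
# 2 if the cache name could not be parsed.
check_krb5ccname() {
  owner=$(krb5cc_uid "$1")
  [ -n "$owner" ] || return 2
  [ "$owner" = "$2" ] && return 0
  return 1
}

# Report on the current environment; always returns 0 so it can be
# sourced from a profile script without aborting the login.
report_krb5ccname() {
  name=${KRB5CCNAME:-}
  me=$(id -u)
  if [ -z "$name" ]; then
    echo "KRB5CCNAME is unset; libkrb5 will use the default cache for uid $me"
    return 0
  fi
  if check_krb5ccname "$name" "$me"; then
    echo "OK: $name belongs to uid $me"
  elif [ $? -eq 2 ]; then
    echo "NOTE: cannot tell which uid owns $name"
  else
    echo "WARNING: $name does not look like a cache for uid $me (inherited?)"
  fi
  return 0
}

report_krb5ccname
```

Run it as the target user right after `sudo -i`: a WARNING line is exactly the situation the report describes, the original user's cache path surviving into the new session.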


Bug#1036992: r8168-dkms: When Purging this driver, it does not restore the original driver.

2023-05-31 Thread MA
Package: r8168-dkms
Severity: minor

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
   * What exactly did you do (or not do) that was effective (or
 ineffective)?
   * What was the outcome of this action?
   * What outcome did you expect instead?

*** End of the template - remove these template lines ***


-- System Information:
Debian Release: 11.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-23-amd64 (SMP w/8 CPU threads)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages r8168-dkms depends on:
ii  dkms  2.8.4-3

r8168-dkms recommends no packages.

r8168-dkms suggests no packages.



Bug#1036437: please provide a simple example to reproduce the bug

2023-05-31 Thread Alexis Murzeau

On 31/05/2023 16:43, georgesk wrote:

Dear Alexis,

I packaged furo for debian in order to be able to keep maintaining the
package sympy, which depends on it.

However sympy's documentation is rather big. Creating a minimal sphinx
tree with sphinx-quickstart is not enough to trigger the bug which you
are reporting.

Please can you share a minimal example which would trigger this bug, so
I can include it in furo package's test scripts, and prevent future
regressions after this bug's fix?

Thank you in advance.   Georges.




Hi,

You can reproduce it by:
- Installing python3-sympy-doc package
- Open firefox and browse to 
file:///usr/share/doc/python-sympy-doc/html/index.html
- Check the Firefox' console, it will show "Uncaught SyntaxError: import 
declarations may only appear at top level of a module"
  for furo.js
- furo.js contains "import Gumshoe from "./gumshoe-patched.js";" line which 
means it was not minified (which is what upstream does).

The impact is just that dark/light theme and search bar won't work.

I've checked if this would be possible to do the minification, but that seems 
to require many node packages and not all of them
are available or up to date in Debian.

So maybe that's too much work to just get dark/light theme and search bar... 
(most of the theme, mostly css, is still working fine anyway)

--
Alexis Murzeau
PGP: B7E6 0EBB 9293 7B06 BDBC  2787 E7BD 1904 F480 937F|





Bug#1036957: unblock: openssl/3.0.8-1

2023-05-31 Thread Paul Gevers

Control: tags -1 d-i

Hi kibi,

Can you have a look at this unblock request? It's blocked on your 
block-udeb.


Paul

On 30-05-2023 22:52, Sebastian Andrzej Siewior wrote:

control: retitle -1 unblock: openssl/3.0.9-1

On 2023-05-30 22:16:53 [+0200], To sub...@bugs.debian.org wrote:


Please unblock package openssl.

The 3.0.9 release contains security and non-security related fixes for
the package. There are five new CVEs in total that have been addressed,
one with "moderate" severity. From the package's changelog:

 - CVE-2023-0464 (Excessive Resource Usage Verifying X.509 Policy
   Constraints) (Closes: #1034720).
 - CVE-2023-0465 (Invalid certificate policies in leaf certificates are
   silently ignored).
 - CVE-2023-0466 (Certificate policy check not enabled).
 - Alternative fix for CVE-2022-4304 (Timing Oracle in RSA Decryption).
 - CVE-2023-2650 (Possible DoS translating ASN.1 object identifiers).
 - CVE-2023-1255 (Input buffer over-read in AES-XTS implementation on 64 
bit ARM).

The package built on all release architectures (it is still building on
mipsel at the time of writing but I expect it to pass).
The openssl testsuite ran on all architectures during the build process.
Please find attached the debdiff vs the version in testing.

unblock openssl/3.0.9-1


Sebastian





Bug#1036885: unblock: hipsparse/5.3.3+dfsg-2

2023-05-31 Thread Christian Kastner
On 2023-05-31 19:28, Adam D. Barratt wrote:
> In the versions in testing, both packages only built for amd64. In
> unstable, they have also built for arm64. Migrating the arm64 hipsparse
> binaries from unstable therefore requires migrating a version of
> rocsparse with arm64 binaries.

Oh, that's a good catch, never thought of that, mainly because in
practice, we only look at amd64. This is a rather new ecosystem and
we're still ironing out the kinks.

A successful build on arm64 is a bit annoying, as we don't expect many
users there -- I'd be surprised if one manages to even get the required
mainboard.

I'm willing to do what it takes to get this fixed in testing, but I'm
not sure which solution, if any, is agreeable to the RT:
  (1) Request an unblock for the rocsparse/5.3.0+dfsg-3 as-is
  (2) Re-upload hipsparse with a reduced arch: amd64
  (3) Prepare new (minimal debdiff) upload for rocsparse, file unblock
  request
  (4) Remove the arm64 binaries (is that even possible?)
  (5) Fix this in the first point release
  (6) Alternatives?

Please let me know what, if any, option you'd prefer.

I'm aware that we are shortly before the release and that this might
limit the available options.

Best,
Christian



Bug#1036914: [Debian-on-mobile-maintainers] Bug#1036914: unblock: librem5-flash-image/0.0.3-1

2023-05-31 Thread Evangelos Ribeiro Tzaras


On Mon, 2023-05-29 at 13:15 +0200, Guido Günther wrote:
> [ Other info ]
> I apologize for being late here, I simply missed that the version
> is outdated. I could have backported the patch but just using the
> upstream version (which didn't bring any other features) seemed more
> reasonable here.
> 
> unblock librem5-flash-image/0.0.3-1

I just wanted to add that the wiki on flashing Debian on to a L5 [0]
refers to this package (and suggests using a newer version),
so it would be very nice if the unblock request be granted :)

Thanks!

[0] https://wiki.debian.org/InstallingDebianOn/Purism/Librem5Phone



Bug#651280: don't allocate all available disk space in standard LVM partitioning scheme

2023-05-31 Thread James Addison
On Wed, 31 May 2023 at 16:38, Cyril Brulebois  wrote:
>
> Control: severity -1 wishlist
>
> James Addison  (2023-05-31):
> > After the changes made to address bug #924301 (mountpoints for ext[n]
> > filesystems that have insufficient free blocks are not automatically
> > checked for faults), I think that this bug could be considered more
> > serious.
>
> How do you figure?

Previously, after installation without enough free blocks, system
administrators would be notified (perhaps repeatedly) about lack of
space encountered by each e2scrub run.

For installations after #924301 the administrator is less likely to be
aware of the problem (the alarm was silenced, but the cause had not
been addressed).

In either case, recoverable filesystem errors could occur on the
installed system -- the difference is that in the former case, the
administrators are more likely to have been aware (and at an earlier
point in time) about the risk.

> > The disk space required for e2scrub[1] snapshots is 256MiB and the
> > default allocation for LVM (encrypted or unecrypted) in the bookworm
> > RC4 installer is 100% (same as originally reported here in Y2011).
>
> That's the default setting. Users who want to use e2scrub can tweak it.

The volume group allocation size can be adjusted during an interactive
install session, yep - the operator is prompted to input a size, and
the default value is the full extent of the block device (my
terminology may be a bit wonky).

(the 256MiB requirement appears to be static, though - it's a fixed size
for exactly one snapshot, I suppose)



Bug#1036885: unblock: hipsparse/5.3.3+dfsg-2

2023-05-31 Thread Adam D. Barratt
On Wed, 2023-05-31 at 19:09 +0200, Christian Kastner wrote:
> I can't see why rocsparse 5.3.0+dfsg-3 would
> block
> hipsparse? The Depends and Build-Depends aren't versioned.

In the versions in testing, both packages only built for amd64. In
unstable, they have also built for arm64. Migrating the arm64 hipsparse
binaries from unstable therefore requires migrating a version of
rocsparse with arm64 binaries.

Regards,

Adam



Bug#1036885: unblock: hipsparse/5.3.3+dfsg-2

2023-05-31 Thread Christian Kastner
Hi Graham,

On 2023-05-31 08:58, Graham Inggs wrote:
> Hi Christian
> 
> On Sun, 28 May 2023 at 18:48, Christian Kastner  wrote:
>> unblock hipsparse/5.3.3+dfsg-2
> 
> The debdiff looks good to me, however the migration of
> hipsparse/5.3.3+dfsg-2 appears to be blocked by rocsparse/5.3.0+dfsg-3
> [1].
>
> Migrates after: rocsparse

I didn't notice this because I didn't expect this, and to be honest I'm
still a bit confused: I can't see why rocsparse 5.3.0+dfsg-3 would block
hipsparse? The Depends and Build-Depends aren't versioned.

> Migration status for hipsparse (5.3.3+dfsg-1 to 5.3.3+dfsg-2):
> BLOCKED: Needs an approval (either due to a freeze, the source suite
> or a manual hint)
> Issues preventing migration:
> ∙ ∙ Not touching package due to block request by freeze (Follow the
> freeze policy when applying for an unblock)
> ∙ ∙ Too young, only 2 of 5 days old
> ∙ ∙ Build-Depends(-Arch): hipsparse rocsparse
> ∙ ∙ Depends: hipsparse rocsparse
> 
> I don't see an unblock request for rocsparse/5.3.0+dfsg-3, would you
> file one please?

I'd be happy to, but the debdiff for rocsparse/5.3.0+dfsg-3 to -2 would
be a bit larger than for hipsparse; this is the changelog:

> * Update patch DEP-3 metadata fields.
> * d/rules: use DWARF 4 debug symbols
> * d/rules: enable hardening flags
> * d/rules: enable gfx1010 and gfx1011
> * Add d/p/0003-fix-oob-access-in-rocsparse-test.patch
>   to fix out-of-bound accesses in test suite.
> * Reduce arch to amd64, arm64, ppc64el

There's nothing dramatic in there, and the changes have been in unstable
for almost 3 months now, so we would be fine with letting that migrate
if that's the call.

I'd also be happy to prepare an upload with some of the changes reduced,
but I'm not sure how that would work on your end, schedule-wise.

Anyway, perhaps there is a simpler resolution to this, namely the
rocsparse block just being a false positive.

Best,
Christian



Bug#1036991: grub-common: LUKS2/argon2 rootfs w/ desktop-base annoyingly prompts unlock and silently fails

2023-05-31 Thread Nathan Schulte
Source: grub-common
Severity: normal
X-Debbugs-Cc: nmschu...@gmail.com

On a UEFI system with a LUKS2/argon2 encrypted root (/) and a LUKS1/PBKDF
encrypted boot (/boot) (and/via GRUB early crypto), if desktop-base is
installed (providing the GRUB [emerald] theme), mkconfig/05_debian_theme will
cause GRUB to prompt to unlock the LUKS2 device to load the theme background,
which silently fails (cryptomount: error: Invalid passphrase).

This causes GRUB to unnecessarily/annoyingly prompt twice for crypto
passphrases, though it seems a quick work-around at the LUKS2/root partition
prompt is to simply enter an empty phrase to jump to the menu.

I understand LUKS2 GRUB support is a WIP; I do not know if this includes
argon2 support.  It would be great to avoid this annoying prompt situation
(e.g. by detecting LUKS2/argon2 on the partition, or supporting the situation
somehow; preferably still with a single prompt in a manner similar to
cryptsetup-initramfs/KEYFILE_PATTERN and crypttab/keyfile spec).

Thanks!


-- Package-specific info:

*** BEGIN /proc/mounts
/dev/mapper/root_crypt / ext4 rw,relatime,errors=remount-ro 0 0
/dev/mapper/boot_crypt /boot ext4 rw,relatime 0 0
/dev/nvme0n1p1 /boot/efi vfat 
rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro
 0 0
*** END /proc/mounts

*** BEGIN /boot/grub/grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
if [ -s $prefix/grubenv ]; then
  set have_grubenv=true
  load_env
fi
if [ "${next_entry}" ] ; then
   set default="${next_entry}"
   set next_entry=
   save_env next_entry
   set boot_once=true
else
   set default="0"
fi

if [ x"${feature_menuentry_id}" = xy ]; then
  menuentry_id_option="--id"
else
  menuentry_id_option=""
fi

export menuentry_id_option

if [ "${prev_saved_entry}" ]; then
  set saved_entry="${prev_saved_entry}"
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

function savedefault {
  if [ -z "${boot_once}" ]; then
saved_entry="${chosen}"
save_env saved_entry
  fi
}
function load_video {
  if [ x$feature_all_video_module = xy ]; then
insmod all_video
  else
insmod efi_gop
insmod efi_uga
insmod ieee1275_fb
insmod vbe
insmod vga
insmod video_bochs
insmod video_cirrus
  fi
}

if [ x$feature_default_font_path = xy ] ; then
   font=unicode
else
insmod part_gpt
insmod cryptodisk
insmod luks2
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod ext2
cryptomount -u deadc0dedeadc0dedeadc0dedeadc0de
set root='cryptouuid/deadc0dedeadc0dedeadc0dedeadc0de'
if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/deadc0dedeadc0dedeadc0dedeadc0de'  d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3
else
  search --no-floppy --fs-uuid --set=root d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3
fi
font="/usr/share/grub/unicode.pf2"
fi

if loadfont $font ; then
  set gfxmode=auto
  load_video
  insmod gfxterm
  set locale_dir=$prefix/locale
  set lang=en_US
  insmod gettext
fi
terminal_output gfxterm
if [ "${recordfail}" = 1 ] ; then
  set timeout=30
else
  if [ x$feature_timeout_style = xy ] ; then
set timeout_style=menu
set timeout=5
  # Fallback normal timeout code in case the timeout_style feature is
  # unavailable.
  else
set timeout=5
  fi
fi
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/05_debian_theme ###
insmod part_gpt
insmod cryptodisk
insmod luks2
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod ext2
cryptomount -u deadc0dedeadc0dedeadc0dedeadc0de
set root='cryptouuid/deadc0dedeadc0dedeadc0dedeadc0de'
if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/deadc0dedeadc0dedeadc0dedeadc0de'  d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3
else
  search --no-floppy --fs-uuid --set=root d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3
fi
insmod png
if background_image /usr/share/desktop-base/emerald-theme/grub/grub-16x9.png; then
  set color_normal=white/black
  set color_highlight=black/white
else
  set menu_color_normal=cyan/blue
  set menu_color_highlight=white/blue
fi
### END /etc/grub.d/05_debian_theme ###

### BEGIN /etc/grub.d/10_linux ###
function gfxmode {
set gfxpayload="${1}"
}
set linux_gfx_mode=
export linux_gfx_mode
menuentry 'Debian GNU/Linux' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha512
insmod ext2

Bug#1036988: crashes with TypeError: _ScrolledWindowBase.SetScrollbars(): argument 3 has unexpected type 'float'

2023-05-31 Thread Konstantin L. Metlov

Done. New release is up on GitHub.

https://github.com/metlov/cycle

With the best regards,
  Konstantin.

Quoting Andreas Tille :


On Wed, May 31, 2023 at 05:35:46PM +0300, Konstantin L. Metlov wrote:

Thank you for reporting this bug !

It is already fixed by the commit

https://github.com/metlov/cycle/commit/e86d72ec1a2a05c46ccde2f607f142cef7dbabb2

I should, probably, make a new bugfix release.


A bugfix release would be welcome.

Kind regards
 Andreas.


Or, alternatively, the
package can be patched with the last few cherry picked git commits. All of
the latest commits are bugfixes, only one of them (merging LMB and RMB
handling) changes the functionality a little bit, making the program more
convenient to use on touch screen devices.

With the best regards,
  Konstantin.

Quoting cacat...@tuxfamily.org:

> Package: cycle
> Version: 0.3.2-2
>
> Hello,
>
> steps to reproduce:
> - run the program
> - fill infos (name and password)
> - validate
>
> The program crashes with this output on a terminal:
>
> ~
> $ cycle
> /usr/bin/cycle:35: DeprecationWarning: Use setlocale(), getencoding()
> and getlocale() instead
>   dl = locale.getdefaultlocale()
>
> (cycle:108832): dbind-WARNING **: 08:53:27.113: AT-SPI: Error retrieving
> accessibility bus address: org.freedesktop.DBus.Error.ServiceUnknown:
> The name org.a11y.Bus was not provided by any .service files
> Traceback (most recent call last):
>   File "/usr/bin/cycle", line 212, in OnInit
> self.frame_init()
>   File "/usr/bin/cycle", line 216, in frame_init
> frame = MyFrame(None, -1, "")
> ^
>   File "/usr/bin/cycle", line 81, in __init__
> self.cal = Cal_Year(self)
>^^
>   File "/usr/share/cycle/cal_year.py", line 168, in __init__
> self.Init_Year()
>   File "/usr/share/cycle/cal_year.py", line 209, in Init_Year
> self.SetScrollbars(20, 20, w/20, h/20)
> TypeError: _ScrolledWindowBase.SetScrollbars(): argument 3 has
> unexpected type 'float'
> OnInit returned false, exiting...
> ~
>
> Have a good day,
>
>
> -- System Information:
> Debian Release: 12.0
>   APT prefers testing
>   APT policy: (900, 'testing'), (800, 'unstable'), (500,
> 'testing-security'), (500, 'testing-debug')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 6.1.0-9-amd64 (SMP w/4 CPU threads; PREEMPT)
> Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE
> not set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages cycle depends on:
> ii  python3   3.11.2-1+b1
> ii  python3-wxgtk4.0  4.2.0+dfsg-3
>
> cycle recommends no packages.
>
> cycle suggests no packages.
>
> -- no debconf information

___
Debian-med-packaging mailing list
debian-med-packag...@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-med-packaging



--
http://fam-tille.de




Bug#1036990: ITP: 7zip-rar -- non-free RAR module for 7zip

2023-05-31 Thread YOKOTA Hiroshi
Package: wnpp
Severity: wishlist
Owner: YOKOTA Hiroshi 
X-Debbugs-Cc: debian-de...@lists.debian.org, yokota.h...@gmail.com

* Package name: 7zip-rar
  Version : 22.01
  Upstream Contact: Igor Pavlov
* URL : https://www.7-zip.org/
* License : unRAR License
  Programming Lang: C, C++
  Description : non-free RAR module for 7zip

This package provides a module for 7zip to make 7z able to
extract RAR files.

I already maintain the 7zip package, so I can also maintain
this package.

Current status of 7zip-rar packaging project is here:
https://salsa.debian.org/yokota/7zip-rar



Bug#1036952: rootskel: text installs on aarch64 lack glyphs for many languages

2023-05-31 Thread Samuel Thibault
Emanuele Rocca, on Wed. 31 May 2023 17:29:31 +0200, wrote:
> >   1. Why is aarch64 special here?
> >   2. Where does that difference come from?
> 
> According to Jessica Clarke this is due to busybox using vt102:
> https://society.oftrolls.com/@jrtc27@mastodon.social/110459684352427882

Is it not possible to fix TERM after busybox dumbly set it?

> >   3. Which other architectures might be impacted if we were to change
> >  that?
> 
> I'm not sure, and I haven't tested the S40term-linux patch yet. However I can
> report that booting the installer by passing console=tty0 to the kernel fixes
> the problem (thanks alpernebbi!).
> 
> Which of the two changes (console=tty0 vs S40term-linux patch) is less risky?

The problem is that both are frown-prone. I guess there is a reason why
on arm the default console is set to the serial port, e.g. for simpler
debugging or something like that. And considering vt102 as "ok it's a
Linux console" is meaningless.

I'd rather see a patch like

if [ "$TERM" = vt102 ] && [ "$(tty)" = /dev/tty1 ] ; then
    # Busybox's init uses a global TERM across all consoles.
    # If the serial console is the default such as on arm64, that
    # will force vt102 on the Linux VT. Fix this back so we get
    # colors, utf-8, etc.
    TERM=linux
fi

(to be tested etc.)

Samuel



Bug#651280: don't allocate all available disk space in standard LVM partioning scheme

2023-05-31 Thread Cyril Brulebois
Control: severity -1 wishlist

James Addison  (2023-05-31):
> After the changes made to address bug #924301 (mountpoints for ext[n]
> filesystems that have insufficient free blocks are not automatically
> checked for faults), I think that this bug could be considered more
> serious.

How do you figure?

> The disk space required for e2scrub[1] snapshots is 256MiB and the
> default allocation for LVM (encrypted or unecrypted) in the bookworm
> RC4 installer is 100% (same as originally reported here in Y2011).

That's the default setting. Users who want to use e2scrub can tweak it.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




Bug#1036952: rootskel: text installs on aarch64 lack glyphs for many languages

2023-05-31 Thread Emanuele Rocca
Hi,

On Tue, May 30, 2023 at 09:08:45PM +0200, Cyril Brulebois wrote:
> Philip Hands  (2023-05-30):
> > Apparently, this MR fixes the problem:
> > 
> >   https://salsa.debian.org/installer-team/rootskel/-/merge_requests/8
> > 
> > Although this does prompt the question of why aarch64 has TERM set to
> > 'vt102' at this point, rather than 'linux'.
> 
> Glancing at the merge request earlier, my first (intertwined) questions
> were:
> 
>   1. Why is aarch64 special here?
>   2. Where does that difference come from?

According to Jessica Clarke this is due to busybox using vt102:
https://society.oftrolls.com/@jrtc27@mastodon.social/110459684352427882

>   3. Which other architectures might be impacted if we were to change
>  that?

I'm not sure, and I haven't tested the S40term-linux patch yet. However I can
report that booting the installer by passing console=tty0 to the kernel fixes
the problem (thanks alpernebbi!).

Which of the two changes (console=tty0 vs S40term-linux patch) is less risky?



Bug#1004301: please add more information

2023-05-31 Thread georgesk

Hi,

thank you for your bug report.

You are telling that when you "Decode from webcam", two webcams with the
same name and identification are listed in a select widget.

Have you more than one physical webcam? 

Please can you install another application using webcams, for example
"cheese" and test whether it reports also such a duplicate webcam?

So far, I could not reproduce the bug.

Thank you in advance.   Georges.





Bug#1036988: crashes with TypeError: _ScrolledWindowBase.SetScrollbars(): argument 3 has unexpected type 'float'

2023-05-31 Thread Andreas Tille
On Wed, May 31, 2023 at 05:35:46PM +0300, Konstantin L. Metlov wrote:
> Thank you for reporting this bug !
> 
> It is already fixed by the commit
> 
> https://github.com/metlov/cycle/commit/e86d72ec1a2a05c46ccde2f607f142cef7dbabb2
> 
> I should, probably, make a new bugfix release.

A bugfix release would be welcome.

Kind regards
 Andreas.

> Or, alternatively, the
> package can be patched with the last few cherry picked git commits. All of
> the latest commits are bugfixes, only one of them (merging LMB and RMB
> handling) changes the functionality a little bit, making the program more
> convenient to use on touch screen devices.
> 
> With the best regards,
>   Konstantin.
> 
> Quoting cacat...@tuxfamily.org:
> 
> > Package: cycle
> > Version: 0.3.2-2
> > 
> > Hello,
> > 
> > steps to reproduce:
> > - run the program
> > - fill infos (name and password)
> > - validate
> > 
> > The program crashes with this output on a terminal:
> > 
> > ~
> > $ cycle
> > /usr/bin/cycle:35: DeprecationWarning: Use setlocale(), getencoding()
> > and getlocale() instead
> >   dl = locale.getdefaultlocale()
> > 
> > (cycle:108832): dbind-WARNING **: 08:53:27.113: AT-SPI: Error retrieving
> > accessibility bus address: org.freedesktop.DBus.Error.ServiceUnknown:
> > The name org.a11y.Bus was not provided by any .service files
> > Traceback (most recent call last):
> >   File "/usr/bin/cycle", line 212, in OnInit
> > self.frame_init()
> >   File "/usr/bin/cycle", line 216, in frame_init
> > frame = MyFrame(None, -1, "")
> > ^
> >   File "/usr/bin/cycle", line 81, in __init__
> > self.cal = Cal_Year(self)
> >^^
> >   File "/usr/share/cycle/cal_year.py", line 168, in __init__
> > self.Init_Year()
> >   File "/usr/share/cycle/cal_year.py", line 209, in Init_Year
> > self.SetScrollbars(20, 20, w/20, h/20)
> > TypeError: _ScrolledWindowBase.SetScrollbars(): argument 3 has
> > unexpected type 'float'
> > OnInit returned false, exiting...
> > ~
> > 
> > Have a good day,
> > 
> > 
> > -- System Information:
> > Debian Release: 12.0
> >   APT prefers testing
> >   APT policy: (900, 'testing'), (800, 'unstable'), (500,
> > 'testing-security'), (500, 'testing-debug')
> > Architecture: amd64 (x86_64)
> > 
> > Kernel: Linux 6.1.0-9-amd64 (SMP w/4 CPU threads; PREEMPT)
> > Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE
> > not set
> > Shell: /bin/sh linked to /usr/bin/dash
> > Init: systemd (via /run/systemd/system)
> > LSM: AppArmor: enabled
> > 
> > Versions of packages cycle depends on:
> > ii  python3   3.11.2-1+b1
> > ii  python3-wxgtk4.0  4.2.0+dfsg-3
> > 
> > cycle recommends no packages.
> > 
> > cycle suggests no packages.
> > 
> > -- no debconf information
> 
> ___
> Debian-med-packaging mailing list
> debian-med-packag...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-med-packaging
> 

-- 
http://fam-tille.de



Bug#1036946: webkit2gtk: Tries to build Bubblewrap support even if its disabled

2023-05-31 Thread Jeremy Bícha
On Wed, May 31, 2023 at 10:42 AM Gianfranco Costamagna
 wrote:
> On Wed, 31 May 2023 08:46:05 + Alberto Garcia  wrote:
> > Control: forwarded -1 https://bugs.webkit.org/show_bug.cgi?id=256917
> > Control: tags -1 patch fixed-upstream pending
> >
> > On Tue, May 30, 2023 at 02:23:31PM +0200, John Paul Adrian Glaubitz wrote:
> > > webkit2gtk currently FTBFS on multiple architectures since it tries
> > > to build Bubblewrap support code despite being configured with
> > > -DENABLE_BUBBLEWRAP_SANDBOX=OFF.
> >
> > This has been fixed upstream already, I'll include the fix in the next
> > upload:
> >
> > https://github.com/WebKit/WebKit/commit/4977290ab4ab35258a6da9b13795c9b0f7894bf4
>
> Hello Alberto, what about enabling bubblewrap support on riscv64?
> Looks like dependencies are already there

Good idea.

Untested, but I think this would work:
https://salsa.debian.org/webkit-team/webkit/-/merge_requests/17

Thank you,
Jeremy Bícha



Bug#1036989: unblock: needrestart/3.6-4

2023-05-31 Thread Patrick Matthäi
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: tho...@fiasko-nw.net

Please unblock package needrestart

[ Reason ]
In the past I have used the wrong version number, to remove a leftover config
file.
Also this update should close two noisy bugs (ignore serial-getty) and 
especially
make the VM & microcode detection work again (just produced by a small typo).

[ Impact ]
Some smaller but noisy bugs.

[ Tests ]
Automated: debian/tests/sanity-test.sh
I also manual tested the update

[ Risks ]
Small diffs, I do not see a risk here.

[ Checklist ]
  [x ] all changes are documented in the d/changelog
  [x ] I reviewed all changes and I approve them
  [x ] attach debdiff against the package in testing


unblock needrestart/3.6-4
diff -Nru needrestart-3.6/debian/changelog needrestart-3.6/debian/changelog
--- needrestart-3.6/debian/changelog2023-01-12 11:08:33.0 +0100
+++ needrestart-3.6/debian/changelog2023-05-31 16:47:03.0 +0200
@@ -1,3 +1,15 @@
+needrestart (3.6-4) unstable; urgency=medium
+
+  * Remove leftover conffile 30-pacman with 3.6-4.
+Closes: #1036526
+  * Add patch 03-ignore-serial-getty from Helmut Grohne to ignore serial-getty.
+Closes: #1035721
+  * Add upstream patch 04-vm-detection to fix a typo, which prevents the VM and
+microcode detection.
+Closes: #1026026
+
+ -- Patrick Matthäi   Wed, 31 May 2023 16:47:03 +0200
+
 needrestart (3.6-3) unstable; urgency=medium
 
   * Adjust debian/watch to work again with GitHub.
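Review bot: the first bullet records the new helper version but not why 3.5-4 was wrong, which is the actual fix for #1036526; from the changelog alone a reader cannot tell whether the earlier value was too old or too new (the postinst/preinst/postrm hunks show it was 3.5-4). Consider wording it as `* Fix version passed to rm_conffile for 30-pacman (was 3.5-4). Closes: #1036526`. The third bullet's description of 04-vm-detection matches the patch below.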
diff -Nru needrestart-3.6/debian/needrestart.postinst 
needrestart-3.6/debian/needrestart.postinst
--- needrestart-3.6/debian/needrestart.postinst 2023-01-12 11:08:33.0 
+0100
+++ needrestart-3.6/debian/needrestart.postinst 2023-05-31 16:47:03.0 
+0200
@@ -2,6 +2,6 @@
 
 set -e
 
-dpkg-maintscript-helper rm_conffile /etc/needrestart/hook.d/30-pacman 3.5-4 -- 
"$@"
+dpkg-maintscript-helper rm_conffile /etc/needrestart/hook.d/30-pacman 3.6-4 -- 
"$@"
 
 #DEBHELPER#
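Review bot: the prior-version argument `3.6-4` is functionally fine here, since every earlier version, including a local rebuild of 3.6-3, compares lower; but dpkg-maintscript-helper(1) documents the convention `X~` for a conffile dropped in version X, which also stops the removal from being re-run when 3.6-4 is reinstalled over itself. Suggest `dpkg-maintscript-helper rm_conffile /etc/needrestart/hook.d/30-pacman 3.6-4~ -- "$@"`, and the same in the preinst and postrm hunks.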
diff -Nru needrestart-3.6/debian/needrestart.postrm 
needrestart-3.6/debian/needrestart.postrm
--- needrestart-3.6/debian/needrestart.postrm   2023-01-12 11:08:33.0 
+0100
+++ needrestart-3.6/debian/needrestart.postrm   2023-05-31 16:47:03.0 
+0200
@@ -2,6 +2,6 @@
 
 set -e
 
-dpkg-maintscript-helper rm_conffile /etc/needrestart/hook.d/30-pacman 3.5-4 -- 
"$@"
+dpkg-maintscript-helper rm_conffile /etc/needrestart/hook.d/30-pacman 3.6-4 -- 
"$@"
 
 #DEBHELPER#
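Review bot: this is the third hand-edited copy of the same rm_conffile line (preinst, postinst, postrm), and the version it carries had to be corrected in all three places. A single `debian/needrestart.maintscript` file containing `rm_conffile /etc/needrestart/hook.d/30-pacman 3.6-4~` lets dh_installdeb generate all three calls at the `#DEBHELPER#` markers that are already present, so the scripts cannot drift apart again.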
diff -Nru needrestart-3.6/debian/needrestart.preinst 
needrestart-3.6/debian/needrestart.preinst
--- needrestart-3.6/debian/needrestart.preinst  2023-01-12 11:08:33.0 
+0100
+++ needrestart-3.6/debian/needrestart.preinst  2023-05-31 16:47:03.0 
+0200
@@ -2,6 +2,6 @@
 
 set -e
 
-dpkg-maintscript-helper rm_conffile /etc/needrestart/hook.d/30-pacman 3.5-4 -- 
"$@"
+dpkg-maintscript-helper rm_conffile /etc/needrestart/hook.d/30-pacman 3.6-4 -- 
"$@"
 
 #DEBHELPER#
diff -Nru needrestart-3.6/debian/patches/03-ignore-serial-getty.diff 
needrestart-3.6/debian/patches/03-ignore-serial-getty.diff
--- needrestart-3.6/debian/patches/03-ignore-serial-getty.diff  1970-01-01 
01:00:00.0 +0100
+++ needrestart-3.6/debian/patches/03-ignore-serial-getty.diff  2023-05-31 
16:47:03.0 +0200
@@ -0,0 +1,13 @@
+Subject: do not restart serial-getty@*.service
+Author: Helmut Grohne 
+
+--- a/ex/needrestart.conf
 b/ex/needrestart.conf
+@@ -98,6 +98,7 @@ $nrconf{override_rc} = {
+ 
+ # gettys
+ qr(^getty@.+\.service) => 0,
++qr(^serial-getty@.+\.service) => 0,
+ 
+ # systemd --user
+ qr(^user@\d+\.service) => 0,
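Review bot: the patch header has only Subject and Author; as this is a Debian-local change to the upstream example config, add DEP-3 `Bug-Debian: https://bugs.debian.org/1035721` and a `Forwarded:` line saying whether it was sent upstream, so the next upstream import knows what to do with it. The rule itself mirrors the existing `getty@` entry, so `qr(^serial-getty@.+\.service) => 0` is consistent. Also, the `+++ b/ex/needrestart.conf` header shows up here as a bare ` b/ex/needrestart.conf` line, presumably mangled in transit; worth confirming the patch in the upload still applies cleanly.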
diff -Nru needrestart-3.6/debian/patches/04-vm-detection.diff 
needrestart-3.6/debian/patches/04-vm-detection.diff
--- needrestart-3.6/debian/patches/04-vm-detection.diff 1970-01-01 
01:00:00.0 +0100
+++ needrestart-3.6/debian/patches/04-vm-detection.diff 2023-05-31 
16:47:03.0 +0200
@@ -0,0 +1,22 @@
+From 27bf4678bb92f68dfadd04ab04e96cba6ea2c376 Mon Sep 17 00:00:00 2001
+From: zxyrepf <53189615+zxyr...@users.noreply.github.com>
+Date: Sun, 24 Jul 2022 08:30:19 +
+Subject: [PATCH] Fix VM detection regression introduced in f54d85c
+
+---
+ needrestart | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/needrestart b/needrestart
+index 64509ba..bcec62b 100755
+--- a/needrestart
 b/needrestart
+@@ -51,7 +51,7 @@ my $is_tty = (-t *STDERR || -t *STDOUT || -t *STDIN);
+ my $is_vm;
+ my $is_container;
+ 
+-if($is_systemd && -x q(/usr/bin/systemds-detect-virt)) {
++if($is_systemd && -x q(/usr/bin/systemd-detect-virt)) {
+   # check if we are inside of a vm
+   my $ret = system(qw(/usr/bin/systemd-detect-virt --vm --quiet));
+   unless($? == -1 || $? & 127) {
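Review bot: the one-character fix (`systemds-detect-virt` to `systemd-detect-virt`) is clearly right and the git header identifies the upstream commit; add `Bug-Debian: https://bugs.debian.org/1026026` and `Applied-Upstream:` so the patch can be dropped automatically at the next upstream release. Since a typo in an `-x` path test silently disables the whole detection branch, a check in debian/tests/sanity-test.sh that needrestart actually reports the VM/non-VM state of the test host would catch this class of regression, which the existing tests evidently did not.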
diff -Nru needrestart-3.6/debian/patches/series 
needrestart-3.6/debian/patches/series
--- needrestart-3.6/debian/patches/series   2023-01-12 11:08:33.0 
+0100
+++ 

Bug#1036437: please provide a simple example to reproduce the bug

2023-05-31 Thread georgesk
Dear Alexis,

I packaged furo for debian in order to be able to keep maintaining the
package sympy, which depends on it.

However sympy's documentation is rather big. Creating a minimal sphinx
tree with sphinx-quickstart is not enough to trigger the bug which you
are reporting.

Please can you share a minimal example which would trigger this bug, so
I can include it in furo package's test scripts, and prevent future
regressions after this bug's fix?

Thank you in advance.   Georges.





Bug#1036988: crashes with TypeError: _ScrolledWindowBase.SetScrollbars(): argument 3 has unexpected type 'float'

2023-05-31 Thread Konstantin L. Metlov

Thank you for reporting this bug !

It is already fixed by the commit

https://github.com/metlov/cycle/commit/e86d72ec1a2a05c46ccde2f607f142cef7dbabb2

I should, probably, make a new bugfix release. Or, alternatively, the  
package can be patched with the last few cherry picked git commits.  
All of the latest commits are bugfixes, only one of them (merging LMB  
and RMB handling) changes the functionality a little bit, making the  
program more convenient to use on touch screen devices.


With the best regards,
  Konstantin.

Quoting cacat...@tuxfamily.org:


Package: cycle
Version: 0.3.2-2

Hello,

steps to reproduce:
- run the program
- fill infos (name and password)
- validate

The program crashes with this output on a terminal:

~
$ cycle
/usr/bin/cycle:35: DeprecationWarning: Use setlocale(),  
getencoding() and getlocale() instead

  dl = locale.getdefaultlocale()

(cycle:108832): dbind-WARNING **: 08:53:27.113: AT-SPI: Error  
retrieving accessibility bus address:  
org.freedesktop.DBus.Error.ServiceUnknown: The name org.a11y.Bus was  
not provided by any .service files

Traceback (most recent call last):
  File "/usr/bin/cycle", line 212, in OnInit
self.frame_init()
  File "/usr/bin/cycle", line 216, in frame_init
frame = MyFrame(None, -1, "")
^
  File "/usr/bin/cycle", line 81, in __init__
self.cal = Cal_Year(self)
   ^^
  File "/usr/share/cycle/cal_year.py", line 168, in __init__
self.Init_Year()
  File "/usr/share/cycle/cal_year.py", line 209, in Init_Year
self.SetScrollbars(20, 20, w/20, h/20)
TypeError: _ScrolledWindowBase.SetScrollbars(): argument 3 has  
unexpected type 'float'

OnInit returned false, exiting...
~

Have a good day,


-- System Information:
Debian Release: 12.0
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'unstable'), (500,  
'testing-security'), (500, 'testing-debug')

Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-9-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8),  
LANGUAGE not set

Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cycle depends on:
ii  python3   3.11.2-1+b1
ii  python3-wxgtk4.0  4.2.0+dfsg-3

cycle recommends no packages.

cycle suggests no packages.

-- no debconf information




Bug#651280: don't allocate all available disk space in standard LVM partioning scheme

2023-05-31 Thread James Addison
Package: debian-installer
Followup-For: Bug #651280
X-Debbugs-Cc: debian-b...@lists.debian.org, skirpic...@gmail.com
Control: severity -1 serious

After the changes made to address bug #924301 (mountpoints for ext[n]
filesystems that have insufficient free blocks are not automatically checked
for faults), I think that this bug could be considered more serious.

The disk space required for e2scrub[1] snapshots is 256MiB and the default
allocation for LVM (encrypted or unencrypted) in the bookworm RC4 installer
is 100% (same as originally reported here in Y2011).

One-of-two potentially-relevant looking source code areas is 
https://sources.debian.org/src/partman-auto-lvm/91/lib/auto-lvm.sh/
And the second-of-the-two is 
https://sources.debian.org/src/partman-partitioning/147/lib/resize.sh/?hl=144#L135

[1] - https://manpages.debian.org/bullseye/e2fsprogs/e2scrub.8.en.html



Bug#1036946: webkit2gtk: Tries to build Bubblewrap support even if its disabled

2023-05-31 Thread Gianfranco Costamagna

On Wed, 31 May 2023 08:46:05 + Alberto Garcia  wrote:

Control: forwarded -1 https://bugs.webkit.org/show_bug.cgi?id=256917
Control: tags -1 patch fixed-upstream pending

On Tue, May 30, 2023 at 02:23:31PM +0200, John Paul Adrian Glaubitz wrote:
> webkit2gtk currently FTBFS on multiple architectures since it tries
> to build Bubblewrap support code despite being configured with
> -DENABLE_BUBBLEWRAP_SANDBOX=OFF.

This has been fixed upstream already, I'll include the fix in the next
upload:

https://github.com/WebKit/WebKit/commit/4977290ab4ab35258a6da9b13795c9b0f7894bf4

Berto





Hello Alberto, what about enabling bubblewrap support on riscv64?
Looks like dependencies are already there

thanks

G.




Bug#1031132: godot FTBFS on arm64, armel, ppc64el and s390x

2023-05-31 Thread Petter Reinholdtsen
Control: tags -1 + patch

I discovered a few issues with the first edition of the patch.  A
working patch is now commited to the git repository on salsa.

This was the working patch:

diff --git a/debian/rules b/debian/rules
index 0354bcb8..c8681dc5 100755
--- a/debian/rules
+++ b/debian/rules
@@ -13,6 +13,15 @@ ifeq ($(DEB_HOST_ARCH),$(filter $(DEB_HOST_ARCH),armel 
riscv64))
export DEB_LDFLAGS_MAINT_APPEND += -Wl,--no-as-needed -latomic 
-Wl,--as-needed
 endif
 
+# The denoise module depends on OIDN which is x86_64 only (in the
+# vendored version).
+# Godot's own logic to disable it on other arches is a bit brittle
+# when it comes to cross-compiling currently.
+# See https://github.com/godotengine/godot/issues/47344
+ifneq ($(DEB_HOST_ARCH),$(filter $(DEB_HOST_ARCH),amd64 i386 armel armhf))
+   DISABLE_MODULES = module_denoise_enabled=no
+endif
+
 override_dh_clean:
dh_clean
scons -c
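Review bot: the comment says OIDN is x86_64-only in the vendored copy, but the filter `amd64 i386 armel armhf` keeps the denoise module enabled on i386, armel and armhf, and armel is one of the failing architectures in the bug title. Either reduce the list to `amd64` or extend the comment to say why 32-bit x86 and arm are expected to build (for example because godot's own disable logic copes there). Minor: the assignment inside `ifneq` is indented with spaces, which is fine for a make variable but easy to mistake for a tab-indented recipe line when reading the file.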
@@ -69,9 +78,9 @@ SCONS_OPTIONS = bits=$(DEB_HOST_ARCH_BITS) \
 
 override_dh_auto_build:
dh_auto_build
-   scons platform=server tools=yes target=release_debug $(SCONS_OPTIONS) 
-j $(NUMJOBS) CCFLAGS="$(CXXFLAGS)" LINKFLAGS="$(LDFLAGS)" CFLAGS="$(CFLAGS)"
-   scons platform=x11tools=no  target=release   $(SCONS_OPTIONS) 
-j $(NUMJOBS) CCFLAGS="$(CXXFLAGS)" LINKFLAGS="$(LDFLAGS)" CFLAGS="$(CFLAGS)"
-   scons platform=x11tools=yes target=release_debug $(SCONS_OPTIONS) 
-j $(NUMJOBS) CCFLAGS="$(CXXFLAGS)" LINKFLAGS="$(LDFLAGS)" CFLAGS="$(CFLAGS)"
+   scons platform=server tools=yes target=release_debug $(SCONS_OPTIONS) 
-j $(NUMJOBS) CCFLAGS="$(CXXFLAGS)" LINKFLAGS="$(LDFLAGS)" CFLAGS="$(CFLAGS)" 
$(DISABLE_MODULES)
+   scons platform=x11tools=no  target=release   $(SCONS_OPTIONS) 
-j $(NUMJOBS) CCFLAGS="$(CXXFLAGS)" LINKFLAGS="$(LDFLAGS)" CFLAGS="$(CFLAGS)" 
$(DISABLE_MODULES)
+   scons platform=x11tools=yes target=release_debug $(SCONS_OPTIONS) 
-j $(NUMJOBS) CCFLAGS="$(CXXFLAGS)" LINKFLAGS="$(LDFLAGS)" CFLAGS="$(CFLAGS)" 
$(DISABLE_MODULES)
 
 override_dh_auto_install:
echo "Installing binaries for $(BITS) bits architecture"
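Review bot: appending `$(DISABLE_MODULES)` to all three scons invocations is the right shape, but as quoted the second and third lines read `platform=x11tools=no` and `platform=x11tools=yes`, with no whitespace between `platform=x11` and `tools=`; that is most likely tab expansion lost in the mail, but if the committed file really looks like this scons receives a single `platform=x11tools=no` assignment. Check with `git show` that the whitespace survived, and consider folding `$(DISABLE_MODULES)` into `SCONS_OPTIONS` so any future scons call picks it up automatically.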

-- 
Happy hacking
Petter Reinholdtsen



Bug#1036971: pwsafe: empty window after internal timeout or screen blank

2023-05-31 Thread Giuseppe Sacco
Hello Bill,
thank you for your quick reply.

On Wed, 31/05/2023 at 09:13 -0400, Bill Blough wrote:
> If I understand your report correctly, this sounds like expected
> behavior - the program will lock itself in order to protect your
> passwords.
[...]

I am sorry I did not explain it correctly. The database is locked, and this
is the behaviour I want, so I am happy with that. The problem is that when
I get back to pwsafe window while the database is locked, I am not prompted
for the password until I select Unlock from the menu.

Prior to switching gnome from X11 to Wayland, and with the same version on
a different machine, the prompt is automatic: when I put the focus to
pwsafe window while the database is locked, a new window appear asking for
the database password.

Bye,
Giuseppe



Bug#1009290: mariadb-server-10.6: Fails to start on live system

2023-05-31 Thread Antoni Villalonga
Hi,

I've faced the same problem on a fresh Bookworm live system (mariadb-server
1:10.11.2-1).

As a workaround I've mounted /var/lib/mysql as a ext4 filesystem.

FYI: It works fine on Bullseye.

Kind regards,

-- 
Antoni Villalonga
https://friki.cat/



Bug#1036988: crashes with TypeError: _ScrolledWindowBase.SetScrollbars(): argument 3 has unexpected type 'float'

2023-05-31 Thread cacatoes

Package: cycle
Version: 0.3.2-2

Hello,

steps to reproduce:
- run the program
- fill infos (name and password)
- validate

The program crashes with this output on a terminal:

~
$ cycle
/usr/bin/cycle:35: DeprecationWarning: Use setlocale(), getencoding() 
and getlocale() instead

  dl = locale.getdefaultlocale()

(cycle:108832): dbind-WARNING **: 08:53:27.113: AT-SPI: Error retrieving 
accessibility bus address: org.freedesktop.DBus.Error.ServiceUnknown: 
The name org.a11y.Bus was not provided by any .service files

Traceback (most recent call last):
  File "/usr/bin/cycle", line 212, in OnInit
self.frame_init()
  File "/usr/bin/cycle", line 216, in frame_init
frame = MyFrame(None, -1, "")
^
  File "/usr/bin/cycle", line 81, in __init__
self.cal = Cal_Year(self)
   ^^
  File "/usr/share/cycle/cal_year.py", line 168, in __init__
self.Init_Year()
  File "/usr/share/cycle/cal_year.py", line 209, in Init_Year
self.SetScrollbars(20, 20, w/20, h/20)
TypeError: _ScrolledWindowBase.SetScrollbars(): argument 3 has 
unexpected type 'float'

OnInit returned false, exiting...
~

Have a good day,


-- System Information:
Debian Release: 12.0
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'unstable'), (500, 
'testing-security'), (500, 'testing-debug')

Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-9-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE 
not set

Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cycle depends on:
ii  python3   3.11.2-1+b1
ii  python3-wxgtk4.0  4.2.0+dfsg-3

cycle recommends no packages.

cycle suggests no packages.

-- no debconf information



Bug#1034880: Please update to nautilus 43.4 for Debian 12

2023-05-31 Thread Jeremy Bícha
Control: severity -1 important
Control: reassign -1 src:nautilus 43.2-1
Control: tags -1 bookworm

I am bumping the severity because of the multiple crash fixes and
other important bugfixes.

Thank you,
Jeremy Bícha



Bug#1035538: nautilus: Missing dependency on "eject" package

2023-05-31 Thread Jeremy Bícha
On Fri, May 5, 2023 at 12:33 AM Andrew Ruthven  wrote:
> If the eject package isn't installed, when you try to eject a USB device
> (I didn't test anything else), then Nautilus is unable to eject the device
> and throws up an error like:
>
> Error ejecting /dev/sda: Error spawning command-line `eject '/dev/sda'': 
> Failed to execute child process "eject" (No such file or directory) 
> (g-exec-error-quark, 8).
>
> I reckon that the nautilus package should depend on the eject package.

eject is an indirect Recommends. The Debian GNOME team strongly urges
people to not disable installing Recommends unless you're very sure
you know what packages are missing.

nautilus depends on gvfs which depends on gvfs-daemons which depends
on udisks2 which recommends eject.

Nevertheless, I am making this a Depends now since the error popup
user experience is not good and we want things to work well for
everyone.

Thank you,
Jeremy Bícha



Bug#1036987: libeccodes-data: fails to upgrade from sid: unable to install new version of '/usr/share/eccodes/definitions/bufr/tables/0/local/8/78/1/codetables/11199.table': No such file or directory

2023-05-31 Thread Andreas Beckmann
Package: libeccodes-data
Version: 2.30.0-1
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package fails to upgrade from
'sid' to 'experimental'.
It installed fine in 'sid', then the upgrade to 'experimental' fails.

From the attached log (scroll to the bottom...):

  Preparing to unpack .../libeccodes-data_2.30.0-1_all.deb ...
  Unpacking libeccodes-data (2.30.0-1) over (2.28.0-1) ...
  dpkg: error processing archive 
/var/cache/apt/archives/libeccodes-data_2.30.0-1_all.deb (--unpack):
   unable to install new version of 
'/usr/share/eccodes/definitions/bufr/tables/0/local/8/78/1/codetables/11199.table':
 No such file or directory
  Errors were encountered while processing:
   /var/cache/apt/archives/libeccodes-data_2.30.0-1_all.deb
  E: Sub-process /usr/bin/dpkg returned an error code (1)

This looks like there are some missing dpkg-maintscript-helper
symlink_to_dir calls, since e.g. in sid there is
/usr/share/eccodes/definitions/bufr/tables/0/local/8/78/1 -> 0 a symlink
while in experimental it is directory containing files.
While unpacking, dpkg seems to write a file over a dangling directory
symlink, causing the above error.

Quoting from the unhandled_symlink_to_directory_conversion template:
"""
an upgrade test with piuparts revealed that your package installs files
over existing symlinks and possibly overwrites files owned by other
packages. This usually means an old version of the package shipped a
symlink but that was later replaced by a real (and non-empty)
directory. This kind of overwriting another package's files cannot be
detected by dpkg.

This was observed on the following upgrade paths:


For /usr/share/doc/PACKAGE this may not be problematic as long as both
packages are installed, ship byte-for-byte identical files and are
upgraded in lockstep. But once one of the involved packages gets
removed, the other one will lose its documentation files, too,
including the copyright file, which is a violation of Policy 12.5:
https://www.debian.org/doc/debian-policy/ch-docs.html#copyright-information

For other overwritten locations anything interesting may happen.

Note that dpkg intentionally does not replace directories with symlinks
and vice versa, you need the maintainer scripts to do this.
See in particular the end of point 4 in
https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html#details-of-unpack-phase-of-installation-or-upgrade

It is recommended to use the dpkg-maintscript-helper commands
'dir_to_symlink' and 'symlink_to_dir' (available since dpkg 1.17.14)
to perform the conversion, ideally using d/$PACKAGE.maintscript.
See dpkg-maintscript-helper(1) and dh_installdeb(1) for details.
"""

You seem to fall into the "anything interesting may happen" category;
it's the first time that I've seen such an error while caring for
piuparts.


cheers,

Andreas


libeccodes-data_2.30.0-1.log.gz
Description: application/gzip
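An added check, not part of the bug report or of the libeccodes packaging, that finds the symlink-to-directory conversions Andreas describes by comparing the `dpkg -c` listings of two package versions and prints the matching `symlink_to_dir` / `dir_to_symlink` maintscript lines. The two listings are constructed to mirror the report; the version and package name are passed in as arguments.

```shell
#!/bin/sh
# Added example, not from the bug report: detect paths that a package shipped
# as a symlink in the old version and as a real directory in the new one (or
# the reverse), which dpkg will not convert on its own, and print the
# dpkg-maintscript-helper lines that handle them.
# Input is the `dpkg -c <deb>` listing of each version. The listings below are
# constructed to mirror the report (real builds would be piped in). Paths with
# spaces are not handled, since the listing is split on whitespace.

OLD_LISTING='drwxr-xr-x root/root         0 2023-01-01 00:00 ./usr/share/eccodes/definitions/bufr/tables/0/local/8/78/
drwxr-xr-x root/root         0 2023-01-01 00:00 ./usr/share/eccodes/definitions/bufr/tables/0/local/8/78/0/
-rw-r--r-- root/root        12 2023-01-01 00:00 ./usr/share/eccodes/definitions/bufr/tables/0/local/8/78/0/codetables/11199.table
lrwxrwxrwx root/root         0 2023-01-01 00:00 ./usr/share/eccodes/definitions/bufr/tables/0/local/8/78/1 -> 0
drwxr-xr-x root/root         0 2023-01-01 00:00 ./usr/share/doc/libeccodes-data/
-rw-r--r-- root/root      1234 2023-01-01 00:00 ./usr/share/doc/libeccodes-data/copyright'

NEW_LISTING='drwxr-xr-x root/root         0 2023-05-31 00:00 ./usr/share/eccodes/definitions/bufr/tables/0/local/8/78/
drwxr-xr-x root/root         0 2023-05-31 00:00 ./usr/share/eccodes/definitions/bufr/tables/0/local/8/78/0/
-rw-r--r-- root/root        12 2023-05-31 00:00 ./usr/share/eccodes/definitions/bufr/tables/0/local/8/78/0/codetables/11199.table
drwxr-xr-x root/root         0 2023-05-31 00:00 ./usr/share/eccodes/definitions/bufr/tables/0/local/8/78/1/
-rw-r--r-- root/root        14 2023-05-31 00:00 ./usr/share/eccodes/definitions/bufr/tables/0/local/8/78/1/codetables/11199.table
lrwxrwxrwx root/root         0 2023-05-31 00:00 ./usr/share/doc/libeccodes-data -> libeccodes0'

# Symlinks in a listing, as "/path target" lines (type 'l', "./" made absolute).
listing_symlinks() {
    printf '%s\n' "$1" | awk 'substr($1, 1, 1) == "l" {
        path = $6; sub(/^\.\//, "/", path); print path, $8 }'
}

# Directories in a listing, as "/path" lines with the trailing "/" removed.
listing_dirs() {
    printf '%s\n' "$1" | awk 'substr($1, 1, 1) == "d" {
        path = $6; sub(/^\.\//, "/", path); sub(/\/$/, "", path); print path }'
}

# Keep the "path target" records of $1 whose path occurs as a whole line in $2.
keep_if_in() {
    printf '%s\n' "$1" | while read -r path rest; do
        [ -n "$path" ] || continue
        if printf '%s\n' "$2" | grep -qxF -- "$path"; then
            printf '%s %s\n' "$path" "$rest"
        fi
    done
}

# "path old-target" for every symlink in OLD that is a directory in NEW.
symlink_to_dir_changes() {
    keep_if_in "$(listing_symlinks "$1")" "$(listing_dirs "$2")"
}

# "path new-target" for every directory in OLD that is a symlink in NEW.
dir_to_symlink_changes() {
    keep_if_in "$(listing_symlinks "$2")" "$(listing_dirs "$1")"
}

# d/<package>.maintscript lines. $3 is the first version shipping the new
# layout; the "~" suffix makes dpkg-maintscript-helper act on every upgrade
# from anything older than that version (the convention from its manpage).
maintscript_lines() {
    old=$1 new=$2 version=$3 package=$4
    symlink_to_dir_changes "$old" "$new" | while read -r path target; do
        printf 'symlink_to_dir %s %s %s~ %s\n' "$path" "$target" "$version" "$package"
    done
    dir_to_symlink_changes "$old" "$new" | while read -r path target; do
        printf 'dir_to_symlink %s %s %s~ %s\n' "$path" "$target" "$version" "$package"
    done
}

maintscript_lines "$OLD_LISTING" "$NEW_LISTING" 2.30.0-1 libeccodes-data
```

Running it on the constructed listings reports the `.../8/78/1` symlink that became a directory and the doc directory that became a symlink; a path that has the same type in both versions is not reported.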


Bug#1036891: texlive-binaries: Error "attempt to call method 'read' (a nil value)" makes lualatex unusable

2023-05-31 Thread Preuße

On 31.05.2023 15:33, Markus Koschany wrote:

Hi Markus,


> Thanks for your help and explanations Max. I am going to release an updated
> version for Buster soon. Apparently I somehow missed the
> io_kpse_check_permissions function despite following the "Patching older
> versions" paragraph.

The buster branch of texlive-bin repo contains the fix for
CVE-2019-18604 too. Please consider having it in the upload.


Hilmar
--
sigfault





Bug#1036986: libboost-json1.81-dev: missing Depends: libboost-json1.81.0 (= ${binary:Version})

2023-05-31 Thread Andreas Beckmann
Package: libboost-json1.81-dev
Version: 1.81.0-5
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package ships (or creates)
a broken symlink:

0m41.1s ERROR: FAIL: Broken symlinks:
  /usr/lib/x86_64-linux-gnu/libboost_json.so -> libboost_json.so.1.81.0 (libboost-json1.81-dev:amd64)

Please also check the other -dev packages from src:boost1.81, even if I
don't see more failures in piuparts.


cheers,

Andreas



Bug#1036971: pwsafe: empty window after internal timeout or screen blank

2023-05-31 Thread Bill Blough
Hi,

If I understand your report correctly, this sounds like expected
behavior - the program will lock itself in order to protect your
passwords.

You can change this behavior by going to Manage->Options->Security and
then toggling the settings that relate to "Lock password database".

Please let me know if this doesn't address your issue.  Thanks.


On Wed, May 31, 2023 at 09:48:45AM +0200, Giuseppe Sacco wrote:
> Package: passwordsafe
> Version: 1.16.0+dfsg-4
> Severity: normal
> 
> Dear Maintainer,
> after running pwsafe, it selects the default keystore, prompts for the
> password and displays the keystore content in the GUI. After some time the
> window automatically disappears but I may get it back using the Alt-Tab key.
> Once the window is shown again, it is empty: it does not list the keystore
> content and it does not prompt for the keystore password either. Here, if I
> open the File menu and select the 'Unlock Safe' menu item, I see the
> keystore content correctly.
> 
> I did not find any configuration option that could prevent the password
> prompt when getting back the pwsafe window. Is this an error?
> 
> Thank you,
> Giuseppe
> 
> -- System Information:
> Debian Release: 12.0
>   APT prefers testing-security
>   APT policy: (500, 'testing-security'), (500, 'testing')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 6.1.0-9-amd64 (SMP w/4 CPU threads; PREEMPT)
> Locale: LANG=it_IT.utf8, LC_CTYPE=it_IT.utf8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
> 
> Versions of packages passwordsafe depends on:
> ii  libc6    2.36-9
> ii  libgcc-s1    12.2.0-14
> ii  libmagic1    1:5.44-3
> ii  libqrencode4 4.1.1-1
> ii  libstdc++6   12.2.0-14
> ii  libuuid1 2.38.1-5+b1
> ii  libwxbase3.2-1   3.2.2+dfsg-2
> ii  libwxgtk3.2-1    3.2.2+dfsg-2
> ii  libx11-6 2:1.8.4-2
> ii  libxerces-c3.2   3.2.4+debian-1
> ii  libxtst6 2:1.2.3-1.1
> ii  libykpers-1-1    1.20.0-3
> ii  passwordsafe-common  1.16.0+dfsg-4
> 
> Versions of packages passwordsafe recommends:
> pn  xvkbd  
> 
> passwordsafe suggests no packages.
> 
> -- no debconf information
> 

-- 
GPG: 5CDD 0C9C F446 BC1B 2509  8791 1762 E022 7034 CF84



Bug#1036891: texlive-binaries: Error "attempt to call method 'read' (a nil value)" makes lualatex unusable

2023-05-31 Thread Markus Koschany


Thanks for your help and explanations Max. I am going to release an updated
version for Buster soon. Apparently I somehow missed the
io_kpse_check_permissions function despite following the "Patching older
versions" paragraph.

Best,

Markus




Bug#1035499: crowdsec-custom-bouncer: fails to install with --install-recommends: open /etc/crowdsec/config.yaml: no such file or directory

2023-05-31 Thread Cyril Brulebois
Control: clone -1 -2
Control: reassign -2 crowdsec-firewall-bouncer 0.0.25-2
Control: retitle -2 crowdsec-firewall-bouncer: fails to install with --install-recommends: open /etc/crowdsec/config.yaml: no such file or directory

Andreas Beckmann  (2023-05-31):
> You just got lucky in the configuration order:
> first crowdsec, thereafter crowdsec-firewall-bouncer
> 
> This heavily depends on apt's serialization of the dependency
> dag ... installation of some unrelated packaged might
> influence the outcome.

Alright, thanks!

Since this shouldn't be about luck, and since I'm seeing this on a
freshly-deployed VM, cloning accordingly.

I've just discussed plans with upstream, implementation and tests to
follow.


Cheers,
-- 
Cyril Brulebois -- Debian Consultant @ DEBAMAX -- https://debamax.com/




Bug#1036891: texlive-binaries: Error "attempt to call method 'read' (a nil value)" makes lualatex unusable

2023-05-31 Thread Preuße

On 31.05.2023 09:23, Max Chernoff wrote:

Hello Max,


> To fix this, there are 3 options (pick 1):
> 
> 1. Cherry-pick *both* 5650c067 and b8b71a25
> 
> 2. Follow the instructions in [5]
> 
> 3. Apply the appropriate patch from [6]
> 
> Option (3) will be the easiest, but it will only work if your LuaTeX source
> very closely corresponds to the source in an upstream TL release.
> Otherwise, you'll need to do option (2). Option (1) is the same as
> option (2), except I've already gone to the trouble of reducing the
> patch to the bare minimum.

Many thanks for your help! I'll try to check out which option to use.


Hilmar
--
sigfault



Bug#1036983: bookworm-pu: package workflow/0.10.5-2

2023-05-31 Thread Lin Qigang

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

I would like to upload a new version of workflow (0.10.5-2) which fixes 
two bugs in the package that are currently marking it for autoremoval. I 
have just uploaded version 0.10.6-2 to unstable which fixes these two bugs.


I was told to upload the version 0.10.6-2 to unstable and then file this 
proposed update to bookworm for 0.10.5-2 to keep the package in bookworm.


The attached debdiff will also apply the fix to 0.10.5-1.

Lance

GPG Fingerprint: 4A31 DB5A 1EE4 096C 8739 9880 9036 4929 4C33 F9B7
diff -Nru workflow-0.10.5/debian/changelog workflow-0.10.5/debian/changelog
--- workflow-0.10.5/debian/changelog2023-01-09 20:25:54.0 +0700
+++ workflow-0.10.5/debian/changelog2023-05-31 18:43:27.0 +0700
@@ -1,3 +1,11 @@
+workflow (0.10.5-2) bookworm; urgency=medium
+
+  [Bastian Germann]
+  * d/control: Add missing Depends (Closes: #1035444)
+  * d/libworkflow0.links: Fixed symlink direction (Closes: #1036653)
+
+ -- Lance Lin   Wed, 31 May 2023 18:43:27 +0700
+
 workflow (0.10.5-1) unstable; urgency=medium
 
   * Update to version 0.10.5
diff -Nru workflow-0.10.5/debian/control workflow-0.10.5/debian/control
--- workflow-0.10.5/debian/control  2023-01-09 20:25:54.0 +0700
+++ workflow-0.10.5/debian/control  2023-05-31 18:22:31.0 +0700
@@ -31,7 +31,7 @@
 Multi-Arch: same
 Breaks: libworkflow1 (<< 0.10.1-1)
 Replaces: libworkflow1 (<< 0.10.1-1)
-Depends: ${misc:Depends}, ${shlibs:Depends}
+Depends: ${misc:Depends}, ${shlibs:Depends}, libworkflow0 (= ${binary:Version})
 Description: Parallel computing and asynchronous web server engine
  Workflow can be used as a scalable web server to handle a variety
  of server workflows. It can be used to orchestrate complex
diff -Nru workflow-0.10.5/debian/libworkflow0.links 
workflow-0.10.5/debian/libworkflow0.links
--- workflow-0.10.5/debian/libworkflow0.links   2023-01-05 20:36:34.0 
+0700
+++ workflow-0.10.5/debian/libworkflow0.links   2023-05-31 18:23:20.0 
+0700
@@ -1 +1 @@
-usr/lib/${DEB_HOST_MULTIARCH}/libworkflow.so.0 
usr/lib/${DEB_HOST_MULTIARCH}/libworkflow.so.0.10.5
+usr/lib/${DEB_HOST_MULTIARCH}/libworkflow.so.0.10.5 
usr/lib/${DEB_HOST_MULTIARCH}/libworkflow.so.0
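Review bot: the link direction in the new line now matches dh_link's "source link-name" order, with the real file `usr/lib/${DEB_HOST_MULTIARCH}/libworkflow.so.0.10.5` first and the SONAME link `libworkflow.so.0` second; the old line would have turned the real `.so.0.10.5` into a symlink pointing at the SONAME link, which is the class of symlink mistake dpkg does not detect by itself. Before upload, confirm with `dpkg -c` on the built libworkflow0 package that `libworkflow.so.0` is the symlink and `libworkflow.so.0.10.5` the regular file, and that the upgrade from the broken 0.10.5-1 layout does not leave a dangling link behind.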




Bug#1036984: unblock: packagekit/1.2.6-5

2023-05-31 Thread Matthias Klumpp
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package packagekit.

[ Reason ]
Three things fixed:
* A tiny memory leak has been addressed
* The daemon package now recommends the tools package again, this was
changed late in release and apparently caused issues to some people
(see the referenced bug)
* Many parts of the documentation reference the old packagekit.org
domain, which is now taken over by a 3rd-party who is playing ads on
it - so far it's harmless, but we do not know what will happen with
this domain in future, so we should avoid referencing it and rather
point at the right location @ freedesktop.org

[ Impact ]
People could click through to a defunct website with tracking ads when
trying to reach the PackageKit documentation or information about e.g.
missing codecs.

[ Tests ]
The memleak fix has been upstreamed for a while and is harmless, the
changed recommendation restores previous behavior, and the
documentation changes do not have any behavioral change.

[ Risks ]
Very low, as the only functional change is adding a missing free() for
a memory leak fix, every other change is either purely in the
documentation or restores previously tested behavior.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

Thank you!

unblock packagekit/1.2.6-5


packagekit_1.2.6-4_to_1.2.6-5.debdiff
Description: Binary data


Bug#1036982: unblock: debspawn/0.6.2-1

2023-05-31 Thread Matthias Klumpp
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package debspawn.

[ Reason ]
Packaging of the 0.6.2 bugfix release which contains three changes only:
 * Fixes issue where users could not build packages against
NotAutomatic suites like Debian experimental when the
"experimental"-like suite did not contain enough of the required
dependencies (APT's solver was too limited)
 * Python 3.11 support (minimal changes)
 * Fixes a crash when regenerating an image with `update --recreate`
in case the image had a custom name

[ Impact ]
People would not be able to build packages for experimental, using
`update --recreate` for images with custom names would crash.

[ Tests ]
Tested by upstream, used in production at Purism already for a few
weeks, so far no issues have been found.

[ Risks ]
The worst that could happen is that building experimental packages
stays broken, so no regression would happen. Apart from that, this
change is very small and should be fairly safe.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

Thank you!

unblock debspawn/0.6.2-1


debspawn_0.6.1-1_to_0.6.2-1.debdiff
Description: Binary data


Bug#1036981: prosody-modules: please add mod_net_proxy

2023-05-31 Thread Daniel Scharon
Package: prosody-modules
Version: 0.0~hg20230223.556bf57d6417+dfsg-1~bpo11+1
Severity: wishlist

Hello,

I would like to propose the inclusion of mod_net_proxy.
In case prosody cannot be deployed on a host directly facing the internet, 
mod_net_proxy comes in very handy and it works very well.

Thank you and kind regards,
Dan


-- System Information:
Debian Release: 11.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-23-amd64 (SMP w/2 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages prosody-modules depends on:
ii  prosody  0.12.3-1~bpo11+1

Versions of packages prosody-modules recommends:
ii  lua-ldap  1.2.5-1+b1

prosody-modules suggests no packages.

-- no debconf information



Bug#1036980: unblock: jquery-minicolors/2.3.5+dfsg-4

2023-05-31 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: jquery-minicol...@packages.debian.org
Control: affects -1 + src:jquery-minicolors

Please unblock package jquery-minicolors

[ Reason ]
jquery-minicolors is vulnerable to cross-site scripting
(CVE-2021-32850)

[ Impact ]
Low security issue

[ Tests ]
No test here

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock jquery-minicolors/2.3.5+dfsg-4
diff --git a/debian/changelog b/debian/changelog
index 1e959f0..dcf5b2f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+jquery-minicolors (2.3.5+dfsg-4) unstable; urgency=medium
+
+  * Team upload
+  * Declare compliance with policy 4.6.2
+  * Fix cross-site scripting issue (Closes: CVE-2021-32850)
+
+ -- Yadd   Wed, 31 May 2023 16:44:37 +0400
+
 jquery-minicolors (2.3.5+dfsg-3) unstable; urgency=medium
 
   [ Debian Janitor ]
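Review bot: `(Closes: CVE-2021-32850)` in the new changelog entry is not parsed as a bug closure, since the Closes: keyword only recognises Debian bug numbers, so no BTS bug will be closed by this upload. Either reference the BTS bug for this CVE as `Closes: #NNNNNN` (placeholder, the number is not on this page) or drop the keyword and just name the CVE, e.g. `* Fix cross-site scripting issue (CVE-2021-32850)`.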
diff --git a/debian/control b/debian/control
index 3dcf29b..66693e1 100644
--- a/debian/control
+++ b/debian/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: Debian JavaScript Maintainers 

 Uploaders: Yadd 
 Build-Depends: debhelper-compat (= 13), uglifyjs
-Standards-Version: 4.6.0
+Standards-Version: 4.6.2
 Homepage: https://github.com/jquery-minicolors
 Vcs-Git: https://salsa.debian.org/js-team/jquery-minicolors.git
 Vcs-Browser: https://salsa.debian.org/js-team/jquery-minicolors
diff --git a/debian/patches/CVE-2021-32850.patch 
b/debian/patches/CVE-2021-32850.patch
new file mode 100644
index 000..5e54e6d
--- /dev/null
+++ b/debian/patches/CVE-2021-32850.patch
@@ -0,0 +1,21 @@
+Description: fix XSS vuln
+Author: Cory LaViska 
+Origin: upstream, https://github.com/claviska/jquery-minicolors/commit/ef134824
+Bug: 
https://securitylab.github.com/advisories/GHSL-2021-1045_jQuery_MiniColors_Plugin/
+Forwarded: not-needed
+Applied-Upstream: 2.3.6, commit:ef134824
+Reviewed-By: Yadd 
+Last-Update: 2023-05-31
+
+--- a/jquery.minicolors.js
 b/jquery.minicolors.js
+@@ -226,7 +226,8 @@
+ }
+ swatchString = swatch;
+ swatch = isRgb(swatch) ? parseRgb(swatch, true) : 
hex2rgb(parseHex(swatch, true));
+-$('')
++$('')
++  .attr("title", name)
+   .appendTo(swatches)
+   .data('swatch-color', swatchString)
+   .find('.minicolors-swatch-color')
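Review bot: the HTML string inside `$('')` has been stripped in this archived copy, and the `++++ b/jquery.minicolors.js` file header appears as a bare ` b/jquery.minicolors.js`, so the `-`/`+` lines as shown do not display what actually changed in the markup. The visible part of the fix is the added `.attr("title", name)`, which sets the swatch title through the DOM API instead of interpolating `name` into the HTML string, which is the right shape for an XSS fix of this kind. Anyone reviewing from this copy should compare against the upstream commit ef134824 named in the patch header rather than the mangled lines.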
diff --git a/debian/patches/series b/debian/patches/series
index 7ba3ddc..b5c3525 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001-Use-local-CSS-and-JavaScript-in-examples.patch
+CVE-2021-32850.patch


Bug#1036967: fig2dev: insufficient Breaks+Replaces against transfig/jessie-elts

2023-05-31 Thread Markus Koschany
On Wednesday, 31.05.2023 at 14:41 +0200, Andreas Beckmann wrote:
> On 31/05/2023 14.26, Markus Koschany wrote:
> > Hello Andreas,
> > 
> > Neither fig2dev nor transfig are supported in jessie-elts anymore. I
> > appreciate
> > the report though. Since Stretch is no longer supported by Debian I believe
> > this issue is no longer actionable by the maintainer.
> 
> Is fig2dev supported in stretch-elts? stretch-elts would be the natural 
> dist-upgrade target for jessie-elts.

fig2dev is supported in stretch-elts but I don't think this issue warrants a
separate ELA. Most customers install a certain release and keep it until it
goes EOL and then they upgrade to the latest stable version anyway. 




Bug#1036979: unblock: appstream/0.16.1-2

2023-05-31 Thread Matthias Klumpp
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package appstream.

[ Reason ]
Backports a few fixes from the 0.16.2 release:
 * Fixes two crashes that can happen when the tool is fed invalid or
unexpected input
 * Correctly validates some valid license expressions (LibreOffice was
affected by this)
 * Fixes an issue where component-IDs weren't reproducibly
synthesized, leading to ratings/reviews not showing up for these apps
 * Adds a fix for a noisy warning with newer GLib versions that is
inert on older releases

[ Impact ]
More crashes and invalid evaluation of valid license terms, if not updated.

[ Tests ]
Tested by upstream and other distros for months already, does not
break API/ABI, we already use these changes on Debian's appstream.d.o
service to avoid crashes with Qt apps.

[ Risks ]
None that I can think of.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

Thank you for your work on getting the release out!

unblock: appstream/0.16.1-2


appstream_0.16.1-1_to_0.16.1-2.debdiff
Description: Binary data


Bug#1036967: fig2dev: insufficient Breaks+Replaces against transfig/jessie-elts

2023-05-31 Thread Andreas Beckmann

On 31/05/2023 14.26, Markus Koschany wrote:

> Hello Andreas,
> 
> Neither fig2dev nor transfig are supported in jessie-elts anymore. I appreciate
> the report though. Since Stretch is no longer supported by Debian I believe
> this issue is no longer actionable by the maintainer.

Is fig2dev supported in stretch-elts? stretch-elts would be the natural
dist-upgrade target for jessie-elts.


Andreas



Bug#1036967: fig2dev: insufficient Breaks+Replaces against transfig/jessie-elts

2023-05-31 Thread Markus Koschany
Hello Andreas,

Neither fig2dev nor transfig are supported in jessie-elts anymore. I appreciate
the report though. Since Stretch is no longer supported by Debian I believe
this issue is no longer actionable by the maintainer.

Regards,

Markus





Bug#1036978: bookworm-pu: package node-undici/5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1

2023-05-31 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-und...@packages.debian.org
Control: affects -1 + src:node-undici

[ Reason ]
node-undici is vulnerable to:
 * CVE-2023-23936: "Host" HTTP header isn't protected against CRLF injection
 * CVE-2023-24807: Regex Denial of Service on headers set/append

[ Impact ]
Medium security issues

[ Tests ]
Test updated, passed

[ Risks ]
Low risk, patches are trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Just new little checks

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 3a69b63..92c0de8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+node-undici (5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1) bookworm; urgency=medium
+
+  * Fix security issues (Closes: #1031418):
+- Protect "Host" HTTP header from CLRF injection (Closes: CVE-2023-23936)
+- Fix potential ReDoS on Headers.set and Headers.append
+  (Closes: CVE-2023-24807)
+  * Increase httpbin.org test timeout
+
+ -- Yadd   Wed, 31 May 2023 15:52:45 +0400
+
 node-undici (5.15.0+dfsg1+~cs20.10.9.3-1) unstable; urgency=medium
 
   * Update standards version to 4.6.2, no changes needed.
diff --git a/debian/patches/CVE-2023-23936.patch 
b/debian/patches/CVE-2023-23936.patch
new file mode 100644
index 000..e6fbb0f
--- /dev/null
+++ b/debian/patches/CVE-2023-23936.patch
@@ -0,0 +1,62 @@
+Description: Protect "Host" HTTP header from CLRF injection
+Author: Yadd 
+Origin: upstream, https://github.com/nodejs/undici/commit/a2eff054
+Bug: https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff
+Bug-Debian: https://bugs.debian.org/1031418
+Forwarded: not-needed
+Applied-Upstream: 5.19.1, commit:a2eff054
+Reviewed-By: Yadd 
+Last-Update: 2023-05-31
+
+--- a/lib/core/request.js
 b/lib/core/request.js
+@@ -299,6 +299,9 @@
+ key.length === 4 &&
+ key.toLowerCase() === 'host'
+   ) {
++if (headerCharRegex.exec(val) !== null) {
++  throw new InvalidArgumentError(`invalid ${key} header`)
++}
+ // Consumed by Client
+ request.host = val
+   } else if (
+--- /dev/null
 b/test/headers-crlf.js
+@@ -0,0 +1,37 @@
++'use strict'
++
++const { test } = require('tap')
++const { Client } = require('..')
++const { createServer } = require('http')
++const EE = require('events')
++
++test('CRLF Injection in Nodejs ‘undici’ via host', (t) => {
++  t.plan(1)
++
++  const server = createServer(async (req, res) => {
++res.end()
++  })
++  t.teardown(server.close.bind(server))
++
++  server.listen(0, async () => {
++const client = new Client(`http://localhost:${server.address().port}`)
++t.teardown(client.close.bind(client))
++
++const unsanitizedContentTypeInput =  '12 \r\n\r\naaa:aaa'
++
++try {
++  const { body } = await client.request({
++path: '/',
++method: 'POST',
++headers: {
++  'content-type': 'application/json',
++  'host': unsanitizedContentTypeInput
++},
++body: 'asd'
++  })
++  await body.dump()
++} catch (err) {
++  t.same(err.code, 'UND_ERR_INVALID_ARG')
++}
++  })
++})
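Review bot: the new check in `lib/core/request.js` uses `headerCharRegex` without defining it in this hunk, so the backport relies on that regex already being present in the 5.15.0 sources in bookworm; confirm it exists there before upload, otherwise any request with a `host` header will fail with a ReferenceError instead of the intended `InvalidArgumentError`. In the added `test/headers-crlf.js`, the only assertion sits in the `catch` branch, so a request that is wrongly accepted only fails through the unmet `t.plan(1)`; a `t.fail(...)` after `await body.dump()` would make that outcome explicit.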
diff --git a/debian/patches/CVE-2023-24807.patch 
b/debian/patches/CVE-2023-24807.patch
new file mode 100644
index 000..986fb16
--- /dev/null
+++ b/debian/patches/CVE-2023-24807.patch
@@ -0,0 +1,46 @@
+Description: fix potential ReDoS on Headers.set and Headers.append
+Author: Rich Trott 
+Origin: upstream, https://github.com/nodejs/undici/commit/f2324e54
+Bug: https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w
+Bug-Debian: https://bugs.debian.org/1031418
+Forwarded: not-needed
+Applied-Upstream: 5.19.1, commit:f2324e54
+Reviewed-By: Yadd 
+Last-Update: 2023-05-31
+
+--- a/lib/fetch/headers.js
 b/lib/fetch/headers.js
+@@ -23,10 +23,12 @@
+   //  To normalize a byte sequence potentialValue, remove
+   //  any leading and trailing HTTP whitespace bytes from
+   //  potentialValue.
+-  return potentialValue.replace(
+-/^[\r\n\t ]+|[\r\n\t ]+$/g,
+-''
+-  )
++
++  // Trimming the end with `.replace()` and a RegExp is typically subject to
++  // ReDoS. This is safer and faster.
++  let i = potentialValue.length
++  while (/[\r\n\t ]/.test(potentialValue.charAt(--i)));
++  return potentialValue.slice(0, i + 1).replace(/^[\r\n\t ]+/, '')
+ }
+ 
+ function fill (headers, object) {
+--- a/test/fetch/headers.js
 b/test/fetch/headers.js
+@@ -665,3 +665,14 @@
+ 
+   t.end()
+ })
++
++tap.test('headers that might cause a ReDoS', (t) => {
++  t.doesNotThrow(() => {
++// This test will time out if the ReDoS attack is successful.
++const headers = new Headers()
++const attack = 'a' + '\t'.repeat(500_000) + '\ta'
++headers.append('fhqwhgads', attack)
++  
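Review bot: the replacement trim loop in `lib/fetch/headers.js` is linear and terminates correctly for an all-whitespace value (`charAt(-1)` returns an empty string, the test fails, and `slice(0, 0)` yields an empty string), and the remaining `.replace(/^[\r\n\t ]+/, '')` for leading whitespace is anchored with a single character class, so it does not reintroduce the backtracking the original `|[\r\n\t ]+$/g` alternation had. The added test in `test/fetch/headers.js` is cut off in this copy after `headers.append('fhqwhgads', attack)`; check that the patch file in the upload carries the closing lines (`t.end()` and the closing braces), since an unterminated test file would break the whole test run.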

Bug#1036213: apache2: frequent SIGSEGV in mod_http2.so (purge_consumed_buckets)

2023-05-31 Thread Bastien Durel

On 31/05/2023 at 13:15, Stefan Eissing wrote:

> Hi Bastien,
> 
> I was finally able to reproduce here what looks like the crashes you see with
> mod_proxy_http2 (notice the careful wording). And I fixed it in
> https://github.com/icing/mod_h2/releases/tag/v2.0.18
> 
> Looking forward to hear how it fares on your system.


Hello,

Thanks for your work. I've put it on my system, I'll report any new 
crash (last week I got approximately one every 2 days)


Regards,

--
Bastien Durel



Bug#1036256: golang-github-pin-tftp: FTBFS in testing

2023-05-31 Thread Thiago Andrade

Hey folks.
This bug is affecting the gobuster package that I maintain.
I've tested golang-github-pin-tftp locally and everything looks perfect. 
It looks like a false positive on the Build.
If anyone can see this by July 1st, it will be important that these 
packages are not automatically removed from testing.


Thank you all!

--
...
⢀⣴⠾⠻⢶⣦⠀ Thiago Andrade Marques
⣾⠁⢰⠒⠀⣿⡁ GPG: 4096R/F8CDB08B
⢿⡄⠘⠷⠚⠋⠀ GPG Fingerprint: 1D38 EE3C 624F 955C E1FA  3C85 5A30 3591 F8CD B08B
⠈⠳⣄



Bug#1036213: apache2: frequent SIGSEGV in mod_http2.so (purge_consumed_buckets)

2023-05-31 Thread Stefan Eissing
Hi Bastien,

I was finally able to reproduce here what looks like the crashes you see with 
mod_proxy_http2 (notice the careful wording). And I fixed it in 
https://github.com/icing/mod_h2/releases/tag/v2.0.18

Looking forward to hear how it fares on your system.

Kind Regards,
Stefan

> On 24.05.2023 at 19:44, Stefan Eissing wrote:
> 
> 
> 
>> On 24.05.2023 at 16:10, Bastien Durel wrote:
>> 
>> On Wednesday, 24 May 2023 at 14:50 +0200, Stefan Eissing wrote:
>>> I continue to improve mod_proxy_http2:
>>> https://github.com/icing/mod_h2/releases/tag/v2.0.17
>>> 
>>> Added more edge case tests for the module, fixed observed bugs. But
>>> have not replicated your crashes which look weird. Sorry.
>> 
>> Hello,
>> 
>> I've put it in use on my server.
>> 
>> Do you need the configuration I use to serve these requests ?
> 
> I could use it to try to reproduce, yes.
> 
>> 
>> Thanks,
>> 
>> -- 
>> Bastien
>> 
> 



Bug#1036977: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2

2023-05-31 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jquer...@packages.debian.org
Control: affects -1 + src:jqueryui

[ Reason ]
jqueryui is potentially vulnerable to cross-site scripting
(CVE-2022-31160)

[ Impact ]
Low security issue

[ Tests ]
Sadly tests are minimal in this package. Anyway passed

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Don't accept label outside of the root element

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 3a6a587..9b1e9cc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+jqueryui (1.12.1+dfsg-8+deb11u2) bullseye; urgency=medium
+
+  * Team upload
+  * Checkboxradio: Don't re-evaluate text labels as HTML (Closes: 
CVE-2022-31160)
+
+ -- Yadd   Wed, 31 May 2023 15:08:55 +0400
+
 jqueryui (1.12.1+dfsg-8+deb11u1) bullseye; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2022-31160.patch 
b/debian/patches/CVE-2022-31160.patch
new file mode 100644
index 000..11d7baa
--- /dev/null
+++ b/debian/patches/CVE-2022-31160.patch
@@ -0,0 +1,156 @@
+Description: Checkboxradio: Don't re-evaluate text labels as HTML
+Author: Michał Gołębiowski-Owczarek 
+Origin: upstream, https://github.com/jquery/jquery-ui/commit/8cc5bae1
+Bug: 
https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9
+Forwarded: not-needed
+Applied-Upstream: 1.13.2, commit:8cc5bae1
+Reviewed-By: Yadd 
+Last-Update: 2023-05-31
+
+--- a/tests/unit/checkboxradio/checkboxradio.html
 b/tests/unit/checkboxradio/checkboxradio.html
+@@ -64,6 +64,18 @@
+ 
+   
+ 
++
++  
++  Hi, I'm a label
++
++
++  
++  Hi, I'm a label
++
++
++  
++  emHi, I'm a label/em
++
+ 
+ 
+ 
+--- a/tests/unit/checkboxradio/core.js
 b/tests/unit/checkboxradio/core.js
+@@ -135,4 +135,41 @@
+   );
+ } );
+ 
++QUnit.test( "Inheriting label from initial HTML", function( assert ) {
++  var tests = [
++  {
++  id: "label-with-no-for-with-html",
++  expectedLabel: "Hi, I'm a 
label"
++  },
++  {
++  id: "label-with-no-for-with-text",
++  expectedLabel: "Hi, I'm a label"
++  },
++  {
++  id: "label-with-no-for-with-html-like-text",
++  expectedLabel: "emHi, I'm a label/em"
++  }
++  ];
++
++  assert.expect( tests.length );
++
++  tests.forEach( function( testData ) {
++  var id = testData.id;
++  var expectedLabel = testData.expectedLabel;
++  var inputElem = $( "#" + id );
++  var labelElem = inputElem.parent();
++
++  inputElem.checkboxradio( { icon: false } );
++
++  var labelWithoutInput = labelElem.clone();
++  labelWithoutInput.find( "input" ).remove();
++
++  assert.strictEqual(
++  labelWithoutInput.html().trim(),
++  expectedLabel.trim(),
++  "Label correct [" + id + "]"
++  );
++  } );
++} );
++
+ } );
+--- a/tests/unit/checkboxradio/methods.js
 b/tests/unit/checkboxradio/methods.js
+@@ -94,4 +94,42 @@
+   assert.strictEqual( input.parent()[ 0 ], element[ 0 ], "Input 
preserved" );
+ } );
+ 
++QUnit.test( "Initial text label not turned to HTML on refresh", function( 
assert ) {
++  var tests = [
++  {
++  id: "label-with-no-for-with-html",
++  expectedLabel: "Hi, I'm a 
label"
++  },
++  {
++  id: "label-with-no-for-with-text",
++  expectedLabel: "Hi, I'm a label"
++  },
++  {
++  id: "label-with-no-for-with-html-like-text",
++  expectedLabel: "emHi, I'm a label/em"
++  }
++  ];
++
++  assert.expect( tests.length );
++
++  tests.forEach( function( testData ) {
++  var id = testData.id;
++  var expectedLabel = testData.expectedLabel;
++  var inputElem = $( "#" + id );
++  var labelElem = inputElem.parent();
++
++  inputElem.checkboxradio( { icon: false } );
++  inputElem.checkboxradio( "refresh" );
++
++  var labelWithoutInput = labelElem.clone();
++  labelWithoutInput.find( "input" ).remove();
++
++  assert.strictEqual(
++  labelWithoutInput.html().trim(),
++  expectedLabel.trim(),
++  "Label correct [" + id + "]"
++  );
++  } );
++} );
++
+ } );
+--- 
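Review bot: the patch as archived is truncated at `+--- ` and the fixtures added to `tests/unit/checkboxradio/checkboxradio.html` have had their tags stripped, so the change to the widget source that stops re-evaluating a text label as HTML is not visible here; only the two new QUnit tests are. Those tests do pin down the right property: the `label-with-no-for-with-html-like-text` fixture expects `emHi, I'm a label/em` to survive both `checkboxradio()` and `refresh` unchanged, i.e. text stays text. Before accepting, verify that the 156-line patch file in the upload also contains the hunk against the widget source, since tests alone would not fix the CVE.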

Bug#1036976: bullseye-pu: package grunt/1.3.0-1+deb11u2

2023-05-31 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gr...@packages.debian.org
Control: affects -1 + src:grunt

[ Reason ]
file.copy operations in GruntJS are vulnerable to a TOCTOU race condition
leading to arbitrary file write in GitHub repository gruntjs/grunt prior to
1.5.3. This vulnerability is capable of arbitrary file writes which can lead
to local privilege escalation to the GruntJS user if a lower-privileged user
has write access to both source and destination directories as the
lower-privileged user can create a symlink to the GruntJS user's .bashrc
file or replace /etc/shadow file if the GruntJS user is root.

[ Impact ]
Medium security issue

[ Tests ]
Test updated, passed

[ Risks ]
Low risk: patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Refuse to copy a file if destination is a symlink

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 23c3145..dcebea4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+grunt (1.3.0-1+deb11u2) bullseye; urgency=medium
+
+  * Team upload
+  * Patch up race condition in symlink copying (Closes: CVE-2022-1537)
+
+ -- Yadd   Wed, 31 May 2023 14:59:30 +0400
+
 grunt (1.3.0-1+deb11u1) bullseye; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2022-1537.patch 
b/debian/patches/CVE-2022-1537.patch
new file mode 100644
index 000..19c750b
--- /dev/null
+++ b/debian/patches/CVE-2022-1537.patch
@@ -0,0 +1,39 @@
+Description: Patch up race condition in symlink copying
+Author: Vlad Filippov 
+Origin: upstream, https://github.com/gruntjs/grunt/commit/58016ffa
+Bug: https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d/
+Forwarded: not-needed
+Applied-Upstream: 1.5.3, commit:58016ffa
+Reviewed-By: Yadd 
+Last-Update: 2023-05-31
+
+--- a/lib/grunt/file.js
 b/lib/grunt/file.js
+@@ -333,8 +333,8 @@
+ }
+   }
+   // Abort copy if the process function returns false.
+-  if (contents === false) {
+-grunt.verbose.writeln('Write aborted.');
++  if (contents === false || file.isLink(destpath)) {
++grunt.verbose.writeln('Write aborted. Either the process function 
returned false or the destination is a symlink');
+   } else {
+ file.write(destpath, contents, readWriteOptions);
+   }
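Review bot: `file.isLink(destpath)` followed by `file.write(destpath, ...)` is still a check-then-use sequence, so the symlink race named in the header is narrowed rather than closed; a destination swapped for a symlink between the two calls is still followed. Opening the destination with `O_NOFOLLOW`, or writing to a temporary file in the same directory and renaming it over the destination, removes the window. Also, the aborted-write message now folds two distinct causes into one string; logging which one fired would make the abort diagnosable.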
+--- a/test/grunt/file_test.js
 b/test/grunt/file_test.js
+@@ -916,5 +916,13 @@
+   test.ok(fs.lstatSync(path.join(destdir.path, 
path.basename(fixtures))).isSymbolicLink());
+   test.done();
+ },
+-  }
++  },
++  'symbolicLinkDestError': function(test) {
++test.expect(1);
++var tmpfile = new Tempdir();
++fs.symlinkSync(path.resolve('test/fixtures/octocat.png'), 
path.join(tmpfile.path, 'octocat.png'), 'file');
++grunt.file.copy(path.resolve('test/fixtures/octocat.png'), 
path.join(tmpfile.path, 'octocat.png'));
++test.ok(fs.lstatSync(path.join(tmpfile.path, 
'octocat.png')).isSymbolicLink());
++test.done();
++  },
+ };
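Review bot: the `test.ok(fs.lstatSync(...).isSymbolicLink())` assertion in `symbolicLinkDestError` passes even if the copy writes through the link, because writing to a symlink path follows it and leaves the link itself in place; the link also points at the very source being copied, so a write-through would rewrite the fixture with identical bytes. Point the link at a scratch file and assert that its content (or mtime) is unchanged after `grunt.file.copy` so the test actually detects the regression.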
diff --git a/debian/patches/series b/debian/patches/series
index 24fd9f9..6231471 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ add-root-variable.patch
 fix-for-coffescript.diff
 adapt-gruntfile.patch
 CVE-2022-0436.patch
+CVE-2022-1537.patch


Bug#1036920: another problem class from /usr-merge [Re: Bug#1036920: systemd: please ship a placeholder in /usr/lib/modules-load.d/]

2023-05-31 Thread Luca Boccassi
On Wed, 31 May 2023 at 11:18, Helmut Grohne  wrote:
>
> Hi,
>
> On Tue, May 30, 2023 at 11:53:00AM +0200, Helmut Grohne wrote:
> > In effect, this bug report is an instance of a bug class. I am in the
> > process of quantifying its effects, but I do not have useful numbers at
> > this time. As an initial gauge, I think it is about 2000 binary packages
> > that ship empty directories (which does not imply them to be affected,
> > rather this is to be seen as a grossly imprecise upper bound).
>
> I did some more analysis work here and have to admit that I know my data
> model has a weakness that may result in false negatives. I'd have to do
> a complete reimport of packages and eventually will, so for now I'm
> dealing with incomplete data here. I note that content indices do not
> cover empty directories, so you really have to download loads of .debs
> to find these.
>
> Anyway, to gauge the problem, we're effectively looking for a
> combination of packages A and B such that:
>
>  * A ships an empty directory.
>  * That empty directory is a path affected by aliasing (either in /usr
>or /).
>  * B also ships that directory (e.g. non-empty) in the "other"
>representation of that path.
>
> While we have lots of empty directories in Debian, that third condition
> trims down the numbers rapidly. A lot of empty directories (on amd64)
> are one of the following:
>  * /lib
>  * /usr/bin
>  * /usr/lib
>  * /usr/lib/x86_64-linux-gnu
>  * /usr/sbin
>
> I've ignored these, because all of these are shipped in some essential
> package and thus are not at risk of removal. /lib is kinda special in
> this list as the idea of fixing this up actually is removing /lib (the
> directory according to the dpkg database) and replacing it with a link,
> but we'll have to treat that special anyway, so not relevant here.
>
> What remains is:
>  * /usr/lib/modules-load.d is empty in systemd and aliased by 6
>packages. This is the original instance that Andreas filed. If we
>were not having this moratorium, the obvious fix were to move all
>those 6 files.
>
>  * /usr/lib/pkgconfig is empty in gretl libjte-dev libmpeg3-dev
>libswe-dev pcp pkg-config pkgconf pkgconf-bin and aliased in
>multipath-tools. Again, if it were not for the moratorium, we'd want
>to fix multipath-tools. However, in this instance, we can "bypass"
>the moratorium by moving /lib/pkgconfig/libdmmp.pc to
>/usr/lib//pkgconfig/libdmmp.pc. It also seems to bundle a
>shared library improperly. Chris Hofstaedtler confirmed this on IRC
>and reminded us to never link any of those. The only package in the
>archive that tries to do that (qemu) has its multipath integration
>disabled, so this is not presently a problem. Probably, a better
>solution is not to ship any header nor .pc file in multipath-tools
>at all as that avoids accidental linking.
>
>  * /usr/lib/systemd/system is empty in amazon-ec2-net-utils and aliased
>in lots of other packages. This probably is a regression caused by
>#1034212 and that directory simply needs to be deleted.
>
>  * /lib/udev/rules.d is empty in python3-expeyes and aliased in lots. I
>think this practically is a non-problem, because python3-expeyes
>Depends: udev and udev ships that directory in that representation.
>It will become a problem once udev canonicalizes paths. Jochen
>Sprickerhof pointed out that python3-expeyes really needs this empty
>directory in its postinst script.

I presume it's for this script that's being called from postinst/postrm:

https://sources.debian.org/src/expeyes/5.3.0%2Brepack-3/debian/eyes_udev.sh/

Could this be refactored instead? The rule seems static, ie, it
doesn't need to change its content depending on the invocation as far
as I can see from a cursory look. Is there any reason why it can't
simply be shipped as a normal rule file in the package, instead of
being written down to /lib via maintscripts? It doesn't seem like good
practice to me to do that kind of modification of the vendor tree from
a maintainer script.

>  * /usr/lib32 is empty in lib32lsan0 and aliased in 5 packages. I think it
>can be dropped there. This also bears another problem. Since removing
>lib32lsan0 deletes /usr/lib32, we are left with a dangling /lib32
>link.
>
>  * /usr/libx32 is empty in libx32lsan0 and aliased in libc6-x32. I think
>it can be dropped there. Likewise, /libx32 can become dangling
>otherwise.
>
> So yeah, this bug class is clearly not one to panic about. As we move
> files from / to /usr, I expect this bug class to gain more occurrences. I
> am not aware of a generic solution and it seems diversions won't cut it.
> If you can propose any generic workaround or recipe for this situation,
> I'm all ears. The placeholder file sounds ugly, but might work.

I agree, doesn't seem very worrying, and as far as I understand the
observed impact so far is on testing infrastructure, but user
functionality is not 

Bug#1036975: bullseye-pu: package node-url-parse/1.5.3-1+deb11u2

2023-05-31 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-url-pa...@packages.debian.org
Control: affects -1 + src:node-url-parse

[ Reason ]
node-url-parse is vulnerable to authorization bypass through
user-controlled key prior to version 1.5.6

[ Impact ]
Medium security issue

[ Tests ]
Test updated, passed

[ Risks ]
Low risk, the non-test part of the patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Update URL split to fix user and password values if any

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 842b4ff..c261d0e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-url-parse (1.5.3-1+deb11u2) bullseye; urgency=medium
+
+  * Team upload
+  * Correctly handle userinfo containing the at sign (Closes: CVE-2022-0512)
+
+ -- Yadd   Wed, 31 May 2023 14:43:23 +0400
+
 node-url-parse (1.5.3-1+deb11u1) bullseye; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2022-0512.patch 
b/debian/patches/CVE-2022-0512.patch
new file mode 100644
index 000..9b3caed
--- /dev/null
+++ b/debian/patches/CVE-2022-0512.patch
@@ -0,0 +1,135 @@
+Description: Correctly handle userinfo containing the at sign
+Author: Luigi Pinca 
+Origin: upstream, https://github.com/unshiftio/url-parse/commit/9be7ee88
+Bug: https://huntr.dev/bounties/6d1bc51f-1876-4f5b-a2c2-734e09e8e05b
+Forwarded: not-needed
+Applied-Upstream: 1.5.6, commit:9be7ee88
+Reviewed-By: Yadd 
+Last-Update: 2023-05-31
+
+--- a/index.js
 b/index.js
+@@ -306,7 +306,11 @@
+ if (parse !== parse) {
+   url[key] = address;
+ } else if ('string' === typeof parse) {
+-  if (~(index = address.indexOf(parse))) {
++  index = parse === '@'
++? address.lastIndexOf(parse)
++: address.indexOf(parse);
++
++  if (~index) {
+ if ('number' === typeof instruction[2]) {
+   url[key] = address.slice(0, index);
+   address = address.slice(index + instruction[2]);
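Review bot: switching to `address.lastIndexOf(parse)` for '@' only yields the right userinfo boundary if path, query and fragment have already been sliced off `address` by earlier entries of the `instruction` table, which this hunk does not show; confirm that ordering, since an '@' left in the path or query would otherwise be taken as the userinfo terminator and move the host. A one-line comment on the `parse === '@'` branch stating why the last '@' is the authority boundary would help future readers.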
+@@ -373,9 +377,19 @@
+   //
+   url.username = url.password = '';
+   if (url.auth) {
+-instruction = url.auth.split(':');
+-url.username = instruction[0] || '';
+-url.password = instruction[1] || '';
++index = url.auth.indexOf(':');
++
++if (~index) {
++  url.username = url.auth.slice(0, index);
++  url.username = encodeURIComponent(decodeURIComponent(url.username));
++
++  url.password = url.auth.slice(index + 1);
++  url.password = encodeURIComponent(decodeURIComponent(url.password))
++} else {
++  url.username = encodeURIComponent(decodeURIComponent(url.auth));
++}
++
++url.auth = url.password ? url.username +':'+ url.password : url.username;
+   }
+ 
+   url.origin = url.protocol !== 'file:' && isSpecial(url.protocol) && url.host
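Review bot: the `url.password = encodeURIComponent(decodeURIComponent(url.password))` line is missing its trailing semicolon, unlike the neighbouring statements. More importantly, `decodeURIComponent` throws `URIError` on malformed percent-encoding (for example a userinfo ending in a lone '%'), so after this hunk a URL taken from untrusted input can make `parse()` throw where it previously returned a result; either catch and fall back to the raw value, or document that callers must handle the exception.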
+--- a/test/test.js
 b/test/test.js
+@@ -712,6 +712,54 @@
+ });
+   });
+ 
++  it('handles @ in username', function () {
++  var url = 'http://user@@www.example.com/'
++, parsed = parse(url);
++
++  assume(parsed.protocol).equals('http:');
++  assume(parsed.auth).equals('user%40');
++  assume(parsed.username).equals('user%40');
++  assume(parsed.password).equals('');
++  assume(parsed.hostname).equals('www.example.com');
++  assume(parsed.pathname).equals('/');
++  assume(parsed.href).equals('http://user...@www.example.com/');
++
++  url = 'http://user...@www.example.com/';
++  parsed = parse(url);
++
++  assume(parsed.protocol).equals('http:');
++  assume(parsed.auth).equals('user%40');
++  assume(parsed.username).equals('user%40');
++  assume(parsed.password).equals('');
++  assume(parsed.hostname).equals('www.example.com');
++  assume(parsed.pathname).equals('/');
++  assume(parsed.href).equals('http://user...@www.example.com/');
++});
++
++it('handles @ in password', function () {
++  var url = 'http://user@:pas:s@@www.example.com/'
++, parsed = parse(url);
++
++  assume(parsed.protocol).equals('http:');
++  assume(parsed.auth).equals('user%40:pas%3As%40');
++  assume(parsed.username).equals('user%40');
++  assume(parsed.password).equals('pas%3As%40');
++  assume(parsed.hostname).equals('www.example.com');
++  assume(parsed.pathname).equals('/');
++  
assume(parsed.href).equals('http://user%40:pas%3as...@www.example.com/');
++
++  url = 'http://user%40:pas%3as...@www.example.com/'
++  parsed = parse(url);
++
++  assume(parsed.protocol).equals('http:');
++  assume(parsed.auth).equals('user%40:pas%3As%40');
++  assume(parsed.username).equals('user%40');
++  assume(parsed.password).equals('pas%3As%40');
++  assume(parsed.hostname).equals('www.example.com');
++  
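Review bot: the expected `href` values in this hunk read `http://user...@www.example.com/` and `http://user%40:pas%3as...@www.example.com/`, which looks like list-archive address obfuscation of the upstream strings rather than what the test should assert; check them against the upstream commit before applying. The second `it('handles @ in password'` block is also indented two columns less than the first.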

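As an added example (not url-parse's code and not part of this debdiff), a minimal authority parser that shows why the userinfo boundary must be the last '@' and that keeps the decode/encode normalisation from throwing on malformed percent-encoding; it handles only `scheme://authority/path` URLs, and the sample strings are the ones from the test hunk plus a constructed malformed one.

```javascript
// Added example, not url-parse's code: splitting the authority at the first
// vs. the last '@' (the CVE-2022-0512 change), plus the username/password
// split and re-encoding in a form that cannot throw on bad percent-encoding.
// Only scheme://authority/path URLs are handled; sample URLs are constructed.

// RFC 3986 ends userinfo at the last '@' of the authority: a literal '@' may
// appear inside userinfo, but a host can never contain one.
function splitAuthority(authority, useLastAt) {
  const i = useLastAt ? authority.lastIndexOf('@') : authority.indexOf('@');
  if (i === -1) return { auth: '', host: authority };
  return { auth: authority.slice(0, i), host: authority.slice(i + 1) };
}

// decode-then-encode turns a literal '@' or ':' into %40 / %3A and leaves
// already-encoded input unchanged. decodeURIComponent throws URIError on a
// malformed sequence such as "user%", so fall back to the raw value instead
// of letting untrusted input turn a parse into an exception.
function normalizeComponent(value) {
  try {
    return encodeURIComponent(decodeURIComponent(value));
  } catch (e) {
    if (e instanceof URIError) return value;
    throw e;
  }
}

// Username and password separate at the first ':'; the password may itself
// contain further ':' characters.
function splitUserinfo(auth) {
  const i = auth.indexOf(':');
  const username = normalizeComponent(i === -1 ? auth : auth.slice(0, i));
  const password = i === -1 ? '' : normalizeComponent(auth.slice(i + 1));
  return { username, password, auth: password ? username + ':' + password : username };
}

// Parse scheme://authority[/path] and report the fields a host-based
// authorization check would look at, under either split strategy.
function parseOrigin(url, useLastAt) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/]*)(\/.*)?$/i.exec(url);
  if (!m) throw new Error('unsupported URL shape: ' + url);
  const { auth, host } = splitAuthority(m[2], useLastAt);
  const cred = splitUserinfo(auth);
  return {
    protocol: m[1].toLowerCase() + ':',
    hostname: host,
    username: cred.username,
    password: cred.password,
    auth: cred.auth,
    pathname: m[3] || '/',
  };
}

// Side by side: the same string yields different hosts, so an allow-list check
// on `hostname` and the connection a WHATWG-conformant client actually makes
// can disagree. That disagreement is the "authorization bypass" named above.
function compare(url) {
  return { firstAt: parseOrigin(url, false), lastAt: parseOrigin(url, true) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(compare('http://user@@www.example.com/'));
  console.log(compare('http://user@:pas:s@@www.example.com/'));
  console.log(parseOrigin('http://user%@www.example.com/', true));
}
```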
Bug#1036919: debvm: singleshot mode

2023-05-31 Thread Wouter Verhelst
On Mon, May 29, 2023 at 08:12:54PM +0200, Helmut Grohne wrote:
> Control: clone -1 -2
> Control: retitle -2 debvm's autopkgtests should be marked as flaky
> Control: submitter -2 !
> Control: severity -2 important
> 
> Hi Wouter,
> 
> On Mon, May 29, 2023 at 02:28:08PM +0200, Wouter Verhelst wrote:
> > I would like to use debvm to run autopkgtests for nbd-client. In order
> > to do that, I would need to run the vm noninteractively, do some in-vm
> > tests, and then shut it down again, with the result of the test
> > affecting the exit state.
> 
> Thanks for caring about debvm! Before we delve into your problem, let me
> point out that I had a rather longer talk with Paul Gevers about my
> autopkgtests. In effect, these tests - when executed in testing - still
> test unstable packages. As such, a problem in unstable may make the test
> in stable or testing fail. This is bad. I am at fault here. Please avoid
> repeating my mistake.

I will try :-)

> That being said, would you spend a moment on my autopkgtests anyway? The
> usual interaction happens on stdin/stdout via serial by default, but you
> can also background it and interact with it via ssh, which is what my
> tests do. I think this is the easiest way to script it. Does that suit
> your needs? If not, can you add more detail to how you see this
> happening?

Yeah, that could definitely work. I'll have a look at your autopkgtest

> I also note that autopkgtest has a qemu backend. While this backend is
> not available in the Debian infrastructure, it is being asked for
> repeatedly. Maybe Paul knows more here, but it seems to me that a test
> restriction asking for a VM is more useful for your use case in
> principle.

No, my test needs to communicate with a service outside the VM, so using
the qemu backend for autopkgtest won't help.

-- 
 w@uter.{be,co.za}
wouter@{grep.be,fosdem.org,debian.org}

I will have a Tin-Actinium-Potassium mixture, thanks.



Bug#1030519: hw-detect: firmware file path handling is fragile

2023-05-31 Thread James Addison
Source: hw-detect
Followup-For: Bug #1030519
X-Debbugs-Cc: a.dalm2...@googlemail.com

Hi Alexander,

I've been reviewing your patch and would like to suggest extracting the
following changes from it to consider and apply individually:

  1. Supporting firmware filenames that contain spaces.

  2. Removing (or at least reducing) the 5s wait[1] for USB devices to settle.

  3. Refactoring the fwfile 'for' loop[2] to use less-complicated parameter
     expansion (your changes didn't modify this but did highlight that it is
     potentially more complicated than necessary).

Each of these changes would require some description and a small patch -
writing those may require more time, I admit; the reward is that it makes it
easier for the maintainer to accept the changes.


During review, I considered these as possible other changes:

  * Loading the 'vfat' kernel module before mountpoint search.

  * Consulting the 'maybe-usb-floppy' mountmedia device as an origin.

However, it seems that mountmedia already handles these?

  https://sources.debian.org/src/mountmedia/0.26/mountmedia/?hl=20#L69
  https://sources.debian.org/src/mountmedia/0.26/mountmedia/?hl=20#L20

Thank you!
James

[1] - https://sources.debian.org/src/mountmedia/0.26/mountmedia/?hl=20#L82

[2] - 
https://sources.debian.org/src/hw-detect/1.159/check-missing-firmware.sh/#L210



Bug#1036918: debvm: manual mounting of root image

2023-05-31 Thread Wouter Verhelst
On Mon, May 29, 2023 at 08:22:06PM +0200, Helmut Grohne wrote:
> Hi Wouter,
> 
> On Mon, May 29, 2023 at 02:20:09PM +0200, Wouter Verhelst wrote:
> > I am exploring the possibility to write an autopkgtest for the initramfs
> > stuff that I wrote for nbd-client.
> 
> Please see my other mail regarding the use of debvm in autopkgtests.
> Let's not duplicate that topic here. I note that this fully applies in
> the exact way to the projected use of mmdebstrap below.

Sure, but as there were two feature requests, I opened two wishlist bugs ;-)

> > In order to do so, I want to run a client VM that has no root hard disk
> > configured, but is configured to attempt to mount the VM image over the
> > network, using NBD. This is accomplished by way of a few kernel command
> > line parameters.
> > 
> > I tried running
> > 
> > debvm-run -- -append 'nbdroot=192.168.88.103,root_export,nbd0'
> 
> May I suggest that this is a quite unusual use case

Sigh.

Everyone who I talk to about nbd autopkgtest tells me it's an "unusual"
use case.

I don't think it is. All packages that do things at early boot have
complicated requirements; nbd isn't the only one. It's just the first one
you hear about.

> and that debvm may not be the right hammer for your job? While debvm
> gives you a complete rootfs, you seem to be satisfied with a kernel and
> an initrd.

No, that is not accurate; I do need a root filesystem too.

For reference, nbd is not nfs; it is a network BLOCK device, which means
you need to layer a filesystem on top. So in order to be able to boot
from nbd, you need to create an image that you export. While I could do
this myself, it's what debvm-create does, and I don't think it makes
much sense to replicate that.

In short, the plan is to do something along these lines:

1. Create a filesystem image
2. Configure nbd-server to export that image over NBD, and restart nbd-server
3. boot a VM with the root filesystem on NBD, pointed to the nbd-server that we
   just configured
4. Verify that we reach a shell in the VM
5. shut down the VM again
6. Verify that the shutdown worked correctly
7. Boot the VM again, make configuration changes, update the initramfs
8. Reboot the VM, repeat steps 4 through 6.

(I might also want to try some of the other nbdroot= argument formats
that are documented in nbd-client's README.Debian, which all would
require their own reboot, but these are details)

I was looking at guestfish and other similar things, but really, debvm
already does all of this, so there's no point. The only thing is that it
insists on passing root and hard disk arguments to qemu, which break for
my use case.

Yes, I could run debvm-create and then do the extraction of the kernel
and initrd myself, but that shouldn't be necessary -- debvm-run would be
a perfectly good abstraction, if only it allowed me to tell it not to
try to mount the hard drive automatically and/or let me override the
root= parameter.

Thanks for considering,

-- 
 w@uter.{be,co.za}
wouter@{grep.be,fosdem.org,debian.org}

I will have a Tin-Actinium-Potassium mixture, thanks.



Bug#1036310: bookworm installer hangs in efi mode on virtualbox 7.0.8

2023-05-31 Thread Erwin Van de Velde
Hi,

Encountering the same issue, I can confirm it still persists in RC4.
However, digging a bit deeper with the error I found on dmesg: "x86/PAT:
bterm:260: map pfn expected mapping type uncached-minus for ..., got
write-combining", I found this workaround:
Disabling paravirtualization in virtualbox acceleration or switching it to
legacy results in a properly booting installer.

Kind regards,
Erwin


Bug#1036920: another problem class from /usr-merge [Re: Bug#1036920: systemd: please ship a placeholder in /usr/lib/modules-load.d/]

2023-05-31 Thread Helmut Grohne
Hi,

On Tue, May 30, 2023 at 11:53:00AM +0200, Helmut Grohne wrote:
> In effect, this bug report is an instance of a bug class. I am in the
> process of quantifying its effects, but I do not have useful numbers at
> this time. As an initial gauge, I think it is about 2000 binary packages
> that ship empty directories (which does not imply them to be affected,
> rather this is to be seen as a grossly imprecise upper bound).

I did some more analysis work here and have to admit that I know my data
model has a weakness that may result in false negatives. I'd have to do
a complete reimport of packages and eventually will, so for now I'm
dealing with incomplete data here. I note that content indices do not
cover empty directories, so you really have to download loads of .debs
to find these.

Anyway, to gauge the problem, we're effectively looking for a
combination of packages A and B such that:

 * A ships an empty directory.
 * That empty directory is a path affected by aliasing (either in /usr
   or /).
 * B also ships that directory (e.g. non-empty) in the "other"
   representation of that path.

While we have lots of empty directories in Debian, that third condition
trims down the numbers rapidly. A lot of empty directories (on amd64)
are one of the following:
 * /lib
 * /usr/bin
 * /usr/lib
 * /usr/lib/x86_64-linux-gnu
 * /usr/sbin

I've ignored these, because all of these are shipped in some essential
package and thus are not at risk of removal. /lib is kinda special in
this list as the idea of fixing this up actually is removing /lib (the
directory according to the dpkg database) and replacing it with a link,
but we'll have to treat that special anyway, so not relevant here.

What remains is:
 * /usr/lib/modules-load.d is empty in systemd and aliased by 6
   packages. This is the original instance that Andreas filed. If we
   were not having this moratorium, the obvious fix were to move all
   those 6 files.

 * /usr/lib/pkgconfig is empty in gretl libjte-dev libmpeg3-dev
   libswe-dev pcp pkg-config pkgconf pkgconf-bin and aliased in
   multipath-tools. Again, if it were not for the moratorium, we'd want
   to fix multipath-tools. However, in this instance, we can "bypass"
   the moratorium by moving /lib/pkgconfig/libdmmp.pc to
   /usr/lib//pkgconfig/libdmmp.pc. It also seems to bundle a
   shared library improperly. Chris Hofstaedtler confirmed this on IRC
   and reminded us to never link any of those. The only package in the
   archive that tries to do that (qemu) has its multipath integration
   disabled, so this is not presently a problem. Probably, a better
   solution is not to ship any header nor .pc file in multipath-tools
   at all as that avoids accidental linking.

 * /usr/lib/systemd/system is empty in amazon-ec2-net-utils and aliased
   in lots of other packages. This probably is a regression caused by
   #1034212 and that directory simply needs to be deleted.

 * /lib/udev/rules.d is empty in python3-expeyes and aliased in lots. I
   think this practically is a non-problem, because python3-expeyes
   Depends: udev and udev ships that directory in that representation.
   It will become a problem once udev canonicalizes paths. Jochen
   Sprickerhof pointed out that python3-expeyes really needs this empty
   directory in its postinst script.

 * /usr/lib32 is empty in lib32lsan0 and aliased in 5 packages. I think it
   can be dropped there. This also bears another problem. Since removing
   lib32lsan0 deletes /usr/lib32, we are left with a dangling /lib32
   link.

 * /usr/libx32 is empty in libx32lsan0 and aliased in libc6-x32. I think
   it can be dropped there. Likewise, /libx32 can become dangling
   otherwise.

So yeah, this bug class is clearly not one to panic about. As we move
files from / to /usr, I expect this bug class to gain more occurrences. I
am not aware of a generic solution and it seems diversions won't cut it.
If you can propose any generic workaround or recipe for this situation,
I'm all ears. The placeholder file sounds ugly, but might work.

I still don't have any data on the multiarch variant of this problem. My
local representation of the archive is unsuitable for analysing this and
I have to perform a complete reimport first. Also placeholder files
won't cut it here.

Helmut
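As an added example (not Debian's own analysis tooling), the search for package pairs A and B set out above, run over a constructed package index; it assumes the /usr-merge aliased roots are /bin, /sbin, /lib, /lib32, /lib64 and /libx32, uses package names from the mail, and invents their file lists for the demonstration.

```javascript
// Added example, not Debian's own tooling: the search for package pairs A and B
// set out above, run over a constructed package index. Paths ending in '/' are
// directory entries, as in a .deb's tar listing. Assumption: the aliased roots
// are the /usr-merge set (/bin, /sbin, /lib, /lib32, /lib64, /libx32 -> /usr).
// Package names come from the mail; their file lists are made up for the demo.
const ALIASED_ROOTS = ['/bin', '/sbin', '/lib', '/lib32', '/lib64', '/libx32'];

// Strip repeated and trailing slashes (cf. the stray "/usr/lib//pkgconfig").
function clean(p) {
  return p.replace(/\/+/g, '/').replace(/(.)\/$/, '$1');
}

// Map both spellings of an aliased path onto the /usr one.
function canonical(p) {
  const c = clean(p);
  for (const root of ALIASED_ROOTS) {
    if (c === root || c.startsWith(root + '/')) return '/usr' + c;
  }
  return c;
}

// "Affected by aliasing (either in /usr or /)": under an aliased root in
// either spelling.
function isAliased(p) {
  const c = clean(p);
  return ALIASED_ROOTS.some(r =>
    [r, '/usr' + r].some(x => c === x || c.startsWith(x + '/')));
}

// Every directory a package ships: explicit entries plus implied parents.
function shippedDirs(paths) {
  const dirs = new Set();
  for (const p of paths) {
    const parts = clean(p).split('/').filter(Boolean);
    const n = p.endsWith('/') ? parts.length : parts.length - 1;
    for (let i = 1; i <= n; i++) dirs.add('/' + parts.slice(0, i).join('/'));
  }
  return dirs;
}

// A directory is empty in a package when none of that package's own paths
// lies strictly beneath it.
function emptyDirs(paths) {
  const own = paths.map(clean);
  return [...shippedDirs(paths)].filter(d => !own.some(p => p.startsWith(d + '/')));
}

// index: { package: [paths] }; essential: Set of package names whose
// directories are never at risk of removal (why /lib, /usr/bin, /usr/lib, ...
// are ignored in the mail). Returns one record per conflicting directory.
function findAliasConflicts(index, essential) {
  const safe = new Set();
  for (const name of essential) {
    for (const d of shippedDirs(index[name] || [])) safe.add(d);
  }
  const found = new Map();
  for (const [a, aPaths] of Object.entries(index)) {
    for (const d of emptyDirs(aPaths)) {
      if (!isAliased(d) || safe.has(d)) continue;
      const c = canonical(d);
      for (const [b, bPaths] of Object.entries(index)) {
        if (b === a) continue;
        // B ships c (or something below it) spelled differently from A's d.
        const other = bPaths.some(p => {
          const cp = canonical(p), raw = clean(p);
          const sameSpelling = raw === d || raw.startsWith(d + '/');
          return !sameSpelling && (cp === c || cp.startsWith(c + '/'));
        });
        if (!other) continue;
        if (!found.has(c)) found.set(c, { dir: c, emptyIn: new Set(), aliasedIn: new Set() });
        found.get(c).emptyIn.add(a);
        found.get(c).aliasedIn.add(b);
      }
    }
  }
  return [...found.values()]
    .map(r => ({ dir: r.dir, emptyIn: [...r.emptyIn].sort(), aliasedIn: [...r.aliasedIn].sort() }))
    .sort((x, y) => (x.dir < y.dir ? -1 : 1));
}

// Constructed index (package names from the mail, contents invented).
const SAMPLE_INDEX = {
  'base-files':      ['/usr/bin/', '/usr/lib/', '/usr/share/base-files/motd'],
  'coreutils':       ['/usr/bin/'],                    // empty, but an essential package owns it
  'dash':            ['/bin/sh'],
  'systemd':         ['/usr/lib/modules-load.d/', '/usr/lib/systemd/systemd'],
  'foo-modules':     ['/lib/modules-load.d/foo.conf'], // stands in for the 6 aliasing packages
  'pkgconf':         ['/usr/lib/pkgconfig/', '/usr/bin/pkgconf'],
  'multipath-tools': ['/lib/pkgconfig/libdmmp.pc', '/sbin/multipath'],
  'lib32lsan0':      ['/usr/lib32/', '/usr/share/doc/lib32lsan0/copyright'],
  'libc6-i386':      ['/lib32/ld-linux.so.2'],
};
const ESSENTIAL = new Set(['base-files']);

function demo() {
  return findAliasConflicts(SAMPLE_INDEX, ESSENTIAL);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```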



Bug#1036974: O: bashdb

2023-05-31 Thread James Addison
Package: wnpp
Severity: normal

The bashdb utility looks useful for interactively debugging bash scripts, but
currently lacks a maintainer.  It was previously included in Debian and was
removed[1] in Y2017.

[1] - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870992



Bug#1035543: init-system-helpers: new systemd units may not get enabled on upgrades from bullseye if systemd is installed

2023-05-31 Thread James Addison
Followup-For: Bug #1035543

On Wed, 31 May 2023 09:55:13 +0100, James wrote:
> On Fri, 05 May 2023 11:04:29 +0200, Andreas wrote:
> > If I install systemd into the bullseye chroot and upgrade that to
> > bookworm, both systemd and e2fsprogs are still installed, but 
> >   /etc/systemd/system/multi-user.target.wants/e2scrub_reap.service
> > does *NOT* get created.
>
> Is there a way to pause and step through the postinst script for a package 
> when
> it runs? (similar to an interactive debugging session)

There is/was-and-may-be-again bashdb[1]; it was removed[2] from Debian in Y2017.

[1] - https://bashdb.sourceforge.net

[2] - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870992



Bug#1036674: lintian: No line ending checks for CR or CRLF for type script, files or artifacts located under /debian

2023-05-31 Thread Filus Janek LCPF-CH
Dear Maintainer,

I have prepared a first MR which passes the salsa pipeline: 
https://salsa.debian.org/jfmt/lintian/-/pipelines/531335
and implements a possible solution for the reported Bug #1036674

Feedback is very welcome
 
Kind regards
Janek Filus



Bug#1036967: fig2dev: insufficient Breaks+Replaces against transfig/jessie-elts

2023-05-31 Thread Roland Rosenfeld
notfound 1036967 1:3.2.7a-5
notfound 1036967 1:3.2.8-3
notfound 1036967 1:3.2.8b-3
thanks

On Wed, 31 May 2023, Andreas Beckmann wrote:

> during a test with piuparts I noticed your package fails to upgrade from
> 'jessie-elts'.
> It installed fine in 'jessie-elts', then the upgrade to 'stretch-elts' fails
> because it tries to overwrite other packages files without declaring a
> Breaks+Replaces relation.
> 
> See policy 7.6 at
> https://www.debian.org/doc/debian-policy/ch-relationships.html#overwriting-files-and-replacing-packages-replaces
> 
> From the attached log (scroll to the bottom...):
> 
> ...
>   Selecting previously unselected package fig2dev.
>   Preparing to unpack .../fig2dev_1%3a3.2.6a-2+deb9u4_amd64.deb ...
>   Unpacking fig2dev (1:3.2.6a-2+deb9u4) ...
>   dpkg: error processing archive 
> /var/cache/apt/archives/fig2dev_1%3a3.2.6a-2+deb9u4_amd64.deb (--unpack):
>trying to overwrite '/usr/bin/fig2dev', which is also in package transfig 
> 1:3.2.6a-2~deb8u1
>   dpkg-deb: error: subprocess paste was killed by signal (Broken pipe)
>   ..


> The upload of a new upstream release (1:3.2.6a-2~deb8u1) of transfig to
> jessie-elts (ELA-493-1) invalidated the versions in the existing
>   Breaks+Replaces: transfig (<< 1:3.2.6~beta-1~)
> in fig2dev (1:3.2.6a-2+deb9u4) in stretch, causing the above file overwrite 
> errors on
> several jessie-elts -> stretch-elts upgrade tests.

I switched over from transfig to fig2dev with version 1:3.2.6~beta-1,
it was never intended that someone builds a transfig
1:3.2.6a-2~deb8u1.  If someone needs a 3.2.6a backport in jessie, the
package should have been renamed as I did (transfig becoming a
transitional package after 1:3.2.6~beta-1).

Anyway this went wrong in jessie-elts and has to be solved in
stretch-elts now, I suppose.

> Ideally the Breaks+Replaces against transfig in fig2dev
> should be bumped to (<< 1:3.2.6a-2+deb9) in stretch-elts.

Since it isn't an issue in buster/bullseye/bookworm I mark these
versions fixed to avoid confusion in the release team.

Greetings
Roland



Bug#1036972: abiword: can't find type1 fonts from package xfonts-scalable

2023-05-31 Thread Taylor Alexander Brown
Package: abiword
Version: 3.0.4~dfsg-3
Severity: normal
X-Debbugs-Cc: py4...@teom.net

Dear Maintainer,

   * What led up to the situation?

 Because of the arbitrary removal of Type 1 font support in LibreOffice 5.3+
 I have been looking for an alternative word processor which retains support.

 Examples of Type 1 fonts I would like to continue using include Bitstream
 Charter and Courier 10 Pitch from package xfonts-scalable.

 AbiWord 3.0.2 on Debian 9 (stretch) supported these fonts, but they are
 missing in AbiWord 3.0.4 on Debian 11 (bullseye).

   * What exactly did you do (or not do) that was effective (or
 ineffective)?

 I installed the package abiword expecting to find the above-mentioned fonts,
 however they are missing from the font selection menu.

 Steps I tried which were not effective include:
 - Reinstalling the package xfonts-scalable,
 - Manually refreshing the font cache both as user and as root,
 - Creating symbolic links to the relevant .pfb files in ~/.local/share/fonts

 I was able to verify that the aforementioned fonts show up in fc-list and
 xfontsel and continue to appear in other applications such as GIMP which
 support Type 1 fonts.

   * What was the outcome of this action?

 None of these actions made the fonts available in AbiWord.

   * What outcome did you expect instead?

 I had hoped that one of these actions would make the fonts available in
 AbiWord.


Much Appreciated,

Taylor Alexander Brown


-- System Information:
Debian Release: 11.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-23-amd64 (SMP w/1 CPU thread)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages abiword depends on:
ii  abiword-common  3.0.4~dfsg-3
ii  gsfonts 1:8.11+urwcyr1.0.7~pre44-4.5
ii  libabiword-3.0  3.0.4~dfsg-3
ii  libc6   2.31-13+deb11u6
ii  libdbus-1-3 1.12.24-0+deb11u1
ii  libdbus-glib-1-20.110-6
ii  libgcc-s1   10.2.1-6
ii  libgcrypt20 1.8.7-6
ii  libglib2.0-02.66.8-1
ii  libgnutls30 3.7.1-5+deb11u3
ii  libgoffice-0.10-10  0.10.48-1
ii  libgsf-1-1141.14.47-1
ii  libgtk-3-0  3.24.24-4+deb11u3
ii  libjpeg62-turbo 1:2.0.6-4
ii  libloudmouth1-0 1.5.3-6
ii  libots0 0.5.0-6
ii  libpng16-16 1.6.37-3
ii  librdf0 1.0.17-1.1+b1
ii  libreadline88.1-1
ii  librevenge-0.0-00.0.4-6+b1
ii  libsoup2.4-12.72.0-2
ii  libstdc++6  10.2.1-6
ii  libtelepathy-glib0  0.24.1-3
ii  libtidy5deb12:5.6.0-11
ii  libwmf0.2-7 0.2.8.4-17
ii  libwpd-0.10-10  0.10.3-1
ii  libwpg-0.3-30.3.3-1
ii  libxml2 2.9.10+dfsg-6.7+deb11u4
ii  zlib1g  1:1.2.11.dfsg-2+deb11u2

Versions of packages abiword recommends:
ii  abiword-plugin-grammar 3.0.4~dfsg-3
ii  aspell-en [aspell-dictionary]  2018.04.16-0-1
ii  fonts-liberation   1:1.07.4-11
ii  poppler-utils  20.09.0-3.1+deb11u1

abiword suggests no packages.

-- no debconf information



Bug#1030534: gbp pq import fails with series file containing form feed

2023-05-31 Thread Guido Günther
Hi Ian,
On Sat, Feb 04, 2023 at 05:31:11PM +, Ian Jackson wrote:
> Package: git-buildpackage
> Version: 0.9.30
> Severity: normal
> File: /usr/lib/python3/dist-packages/gbp/scripts/supercommand.py
> 
> Steps to reproduce:
> 
>dget 
> https://deb.debian.org/debian/pool/main/p/python-coverage/python-coverage_6.5.0+dfsg1-2.dsc
>dpkg-source --skip-patches -x python-coverage_6.5.0+dfsg1-2.dsc
>cd python-coverage-6.5.0+dfsg1/
>git init
>git add -Af .
>git commit -m import
># Now we are on a patches-unapplied packaging branch (without .pc
># directory, at least in the version of dpkg-source I have here)
>gbp pq import
> 
> Expected behaviour:
> 
>Imports the patch queue, leaving me on patch-queue/master,
>with two patches applied.
> 
> Actual behaviour:
> 
>Python stack backtrace.  (Transcript below.)
> 
>It leaves me on a broken patch-queue/master branch - one without
>the patches applied.  Even to go back to where I was before,

I've fixed that to go to an unbroken state on all exceptions (not only
the ones raised by gbp itself).

>I must
>   git checkout master; git-branch -D patch-queue/master

Or to recover with gbp itself: "gbp pq switch && gbp pq drop"

> The root cause is that the debian/patches/series file contains a line
> containing only a form feed (ctrl-L).  I think this is deranged.
> Perhaps you don't want to support it.  Maybe you want to at least
> detect and reject it
> 
> Empirically, deleting the form feed works around the problem.

gbp does the same now. Thanks for investigating!
Cheers,
 -- Guido
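Added example, not gbp's own code: a small parser for a quilt-style debian/patches/series file that treats a line containing only a form feed (the case from this report) like any other blank line instead of failing. The sample series content is constructed here, and the option handling (tokens starting with "-") is an assumption, not gbp's implementation.

```python
from typing import List, Tuple

# Constructed sample series file (not taken from the bug report). The third
# line contains only a form feed (ctrl-L), the input that broke gbp pq import.
SAMPLE_SERIES = (
    "# patches for the package\n"
    "0001-fix-build.patch\n"
    "\x0c\n"
    "0002-skip-network-tests.patch -p1\n"
    "   \n"
    "0003-doc-tweak.patch # trailing comment\n"
)


def parse_series(text: str) -> List[Tuple[str, List[str]]]:
    """Return (patch_name, options) pairs from a series file.

    Lines that are empty or contain only whitespace are skipped; Python's
    notion of whitespace includes form feed (\\x0c), so a ctrl-L-only line
    is treated like a blank line. Anything after '#' is a comment.
    Option tokens are assumed to start with '-' (e.g. -p1); any other extra
    token on a patch line is reported as an error with its line number.
    """
    patches: List[Tuple[str, List[str]]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue  # blank, whitespace-only (incl. form feed) or comment
        name, *extra = line.split()
        options = [tok for tok in extra if tok.startswith("-")]
        if len(options) != len(extra):
            bad = [tok for tok in extra if not tok.startswith("-")]
            raise ValueError(f"series line {lineno}: unexpected token(s) {bad}")
        patches.append((name, options))
    return patches


if __name__ == "__main__":
    for name, opts in parse_series(SAMPLE_SERIES):
        print(name, opts)
```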



Bug#1035543: init-system-helpers: new systemd units may not get enabled on upgrades from bullseye if systemd is installed

2023-05-31 Thread James Addison
Followup-For: Bug #1035543

On Fri, 05 May 2023 11:04:29 +0200, Andreas wrote:
> If I install systemd into the bullseye chroot and upgrade that to
> bookworm, both systemd and e2fsprogs are still installed, but 
>   /etc/systemd/system/multi-user.target.wants/e2scrub_reap.service
> does *NOT* get created.

Is there a way to pause and step through the postinst script for a package when
it runs? (similar to an interactive debugging session)



Bug#1036946: webkit2gtk: Tries to build Bubblewrap support even if its disabled

2023-05-31 Thread Alberto Garcia
Control: forwarded -1 https://bugs.webkit.org/show_bug.cgi?id=256917
Control: tags -1 patch fixed-upstream pending

On Tue, May 30, 2023 at 02:23:31PM +0200, John Paul Adrian Glaubitz wrote:
> webkit2gtk currently FTBFS on multiple architectures since it tries
> to build Bubblewrap support code despite being configured with
> -DENABLE_BUBBLEWRAP_SANDBOX=OFF.

This has been fixed upstream already, I'll include the fix in the next
upload:

https://github.com/WebKit/WebKit/commit/4977290ab4ab35258a6da9b13795c9b0f7894bf4

Berto



Bug#1036971: pwsafe: empty window after internal timeout or screen blank

2023-05-31 Thread Giuseppe Sacco
Package: passwordsafe
Version: 1.16.0+dfsg-4
Severity: normal

Dear Maintainer,
after running pwsafe, it selects the default keystore, prompts for the
password and displays the keystore content in the GUI. After some time the
window automatically disappears, but I can get it back using the Alt-Tab key.
Once the window is shown again, it is empty: it does not list the keystore
content and it does not prompt for the keystore password either. Here, if I
open the File menu and select the 'Unlock Safe' menu item, I see the
keystore content correctly.

I did not find any configuration option that could prevent the password
prompt when getting back the pwsafe window. Is this an error?

Thank you,
Giuseppe

-- System Information:
Debian Release: 12.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-9-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=it_IT.utf8, LC_CTYPE=it_IT.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages passwordsafe depends on:
ii  libc6    2.36-9
ii  libgcc-s1    12.2.0-14
ii  libmagic1    1:5.44-3
ii  libqrencode4 4.1.1-1
ii  libstdc++6   12.2.0-14
ii  libuuid1 2.38.1-5+b1
ii  libwxbase3.2-1   3.2.2+dfsg-2
ii  libwxgtk3.2-1    3.2.2+dfsg-2
ii  libx11-6 2:1.8.4-2
ii  libxerces-c3.2   3.2.4+debian-1
ii  libxtst6 2:1.2.3-1.1
ii  libykpers-1-1    1.20.0-3
ii  passwordsafe-common  1.16.0+dfsg-4

Versions of packages passwordsafe recommends:
pn  xvkbd  

passwordsafe suggests no packages.

-- no debconf information



Bug#1032995: spyder: Spyder on startup says there is a missing dependency (pylsp_black) but it is correctly installed

2023-05-31 Thread Julian Gilbey
On Tue, May 30, 2023 at 03:31:36PM -0700, Brian Vaughan wrote:
> That rgrep didn't find anything.
> 
> Executing 'spyder' from the command line while in an empty directory still
> got the same 'pylsp_black' warning.

Oh, this is so bizarre!  Let's try a sledge-hammer approach

Assuming that you have the strace package installed, could you try
this and send the resulting log file (/tmp/spyder-trace.txt.gz); you
will need to wait at least until the warning message about pylsp_black
appears:

strace -f -o /tmp/spyder-trace.txt -s 256 -e openat,read spyder

gzip /tmp/spyder-trace.txt

Hopefully this will give a clue to where this strange behaviour is
coming from!

(BTW, this log file will include the first 256 characters of any files
you open, so I recommend you do this with a clean spyder profile.)

Best wishes,

   Julian



Bug#1036970: 0ad: third party library (mbedtls) needs to be updated

2023-05-31 Thread Mariam Arutunian
Package: 0ad
Version: 0.0.26-3
Severity: normal
X-Debbugs-Cc: mariamarutun...@gmail.com

Dear Maintainer,

The mbedtls project, which is used in the 0ad project (path 
0ad/build/premake/premake5/contrib/mbedtls), contains vulnerabilities 
(CVE-2019-16910, CVE-2017-14032).
These vulnerabilities are fixed in newer versions of mbedtls, but the 0ad project 
uses the old (0.0.23) version.
 


-- System Information:
Debian Release: bookworm/sid
  APT prefers jammy-updates
  APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'), 
(100, 'jammy-backports')
Architecture: amd64 (x86_64)

Kernel: Linux 5.15.0-72-generic (SMP w/16 CPU threads)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect



Bug#1036969: unblock: syncthing-gtk/0.9.4.4+ds+git20221205+12a9702d29ab-2

2023-05-31 Thread Andrej Shadura
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: syncthing-...@packages.debian.org
Control: affects -1 + src:syncthing-gtk

Please unblock package syncthing-gtk

Syncthing-GTK has been hardcoding a non-PEP-440-compliant version for
quite some time. Since it’s not used by other packages normally, it
didn’t impact anything directly, but OTOH any package that enumerated
installed Python packages would crash if it (rightfully) didn’t handle
the possibility of an incorrect version.

Since the mere fact of Syncthing-GTK being installed breaks other
packages, we need to have it fixed for Bookworm.

Other than fixing that, this change should have no other impact on the
release.

See more details in: https://bugs.debian.org/1036947

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock syncthing-gtk/0.9.4.4+ds+git20221205+12a9702d29ab-2


Bug#1036968: linux: Enable CONFIG_SND_SOC_CS35L41_I2C for Intel Alder Lake sound

2023-05-31 Thread Hans-Christoph Steiner
Package: src:linux
Version: 6.3.2-1~exp1
Severity: important

Dear Maintainer,

I installed Debian on a Dell XPS 17 9720:
https://wiki.debian.org/InstallingDebianOn/Dell/XPS%2017%209720

The audio output works, but there are a number of problems:

* Headphone plug detection does not work at all.
* No audio input is detected.
* The audio crashes after a couple of days.

This bug goes through some of the development efforts to fix this:
https://bugzilla.kernel.org/show_bug.cgi?id=216194

One thing they said there is that all CS35L41 modules need to be
enabled.  This is the recommended set:

CONFIG_SND_HDA_SCODEC_CS35L41=m
CONFIG_SND_HDA_SCODEC_CS35L41_I2C=m
CONFIG_SND_HDA_SCODEC_CS35L41_SPI=m
CONFIG_SND_SOC_CS35L41_LIB=m
CONFIG_SND_SOC_CS35L41=m
CONFIG_SND_SOC_CS35L41_SPI=m
CONFIG_SND_SOC_CS35L41_I2C=m

There is one module still not enabled in the Debian kernels (6.1.0-8,
6.3.2-1~exp1, and 6.3.4-1~exp1):

$ grep CS35L41 /boot/config-6.3.0-0-amd64
CONFIG_SND_HDA_SCODEC_CS35L41=m
CONFIG_SND_HDA_SCODEC_CS35L41_I2C=m
CONFIG_SND_HDA_SCODEC_CS35L41_SPI=m
CONFIG_SND_SOC_CS35L41_LIB=m
CONFIG_SND_SOC_CS35L41=m
CONFIG_SND_SOC_CS35L41_SPI=m
# CONFIG_SND_SOC_CS35L41_I2C is not set

Could this module be enabled?


-- Package-specific info:
** Version:
Linux version 6.3.0-0-amd64 (debian-ker...@lists.debian.org) (gcc-12 (Debian 
12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC 
Debian 6.3.2-1~exp1 (2023-05-15)


** Command line:
BOOT_IMAGE=/vmlinuz-6.3.0-0-amd64 root=/dev/mapper/monolith--vg-root ro quiet

** Tainted: W (512)
 * kernel issued warning

** Kernel log:
Unable to read kernel log; any relevant messages should be attached

** Model information
sys_vendor: Dell Inc.
product_name: XPS 17 9720
product_version:
chassis_vendor: Dell Inc.
chassis_version:
bios_vendor: Dell Inc.
bios_version: 1.14.0
board_vendor: Dell Inc.
board_name: 0TW02W
board_version: A00

** Loaded modules:

** PCI devices:
00:00.0 Host bridge [0600]: Intel Corporation Device [8086:4621] (rev 02)