Bug#1050119: bullseye-pu: package unrar-nonfree/1:6.0.3-1+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: a...@debian.org Hi, [ Reason ] unrar-nonfree is affected by CVE-2022-48579 in Bullseye. non-free packages are not supported by the security team but it makes still sense to fix this issue via a point update. [ Impact ] unrar-nonfree would continue to be affected by CVE-2022-48579. [ Tests ] I have manually created a rar archive which includes several symlinks pointing to each other, files with relative paths and special characters and in all cases unrar-nonfree seems to do the right thing. An official reproducer was not available. [ Risks ] If I made a mistake there should be an unpack error or something similar, which is not the case. Command switches didn't change so an external program like xarchiver continues to work as expected. [ Checklist ] [*] *all* changes are documented in the d/changelog [*] I reviewed all changes and I approve them [*] attach debdiff against the package in (old)stable [*] the issue is verified as fixed in unstable [ Other info ] Maintainer approves point update. (#1050080) diff -Nru unrar-nonfree-6.0.3/debian/changelog unrar-nonfree-6.0.3/debian/changelog --- unrar-nonfree-6.0.3/debian/changelog2022-05-10 13:26:16.0 +0200 +++ unrar-nonfree-6.0.3/debian/changelog2023-08-20 09:58:26.0 +0200 
@@ -1,3 +1,13 @@ +unrar-nonfree (1:6.0.3-1+deb11u2) bullseye; urgency=high + + * Non maintainer upload. + * Fix CVE-2022-48579: +It was discovered that UnRAR, an unarchiver for rar files, allows +extraction of files outside of the destination folder via symlink chains. +(Closes: #1050080) + + -- Markus Koschany Sun, 20 Aug 2023 09:58:26 +0200 + unrar-nonfree (1:6.0.3-1+deb11u1) bullseye; urgency=high * Fix CVE-2022-30333 (Closes: #1010837) diff -Nru unrar-nonfree-6.0.3/debian/patches/0013-CVE-2022-48579.patch unrar-nonfree-6.0.3/debian/patches/0013-CVE-2022-48579.patch --- unrar-nonfree-6.0.3/debian/patches/0013-CVE-2022-48579.patch 1970-01-01 01:00:00.0 +0100 +++ unrar-nonfree-6.0.3/debian/patches/0013-CVE-2022-48579.patch 2023-08-20 09:58:26.0 +0200 
@@ -0,0 +1,429 @@ +From: Markus Koschany +Date: Mon, 14 Aug 2023 15:43:54 +0200 +Subject: CVE-2022-48579 + +Origin: https://github.com/pmachapman/unrar/commit/2ecab6bb5ac4f3b88f270218445496662020205f +--- + arcread.cpp | 4 ++- + extinfo.cpp | 89 +++ + extinfo.hpp | 3 +- + extract.cpp | 44 + + extract.hpp | 6 + hardlinks.cpp | 2 -- + model.cpp | 6 ++-- + os.hpp| 1 + + pathfn.cpp| 14 +++--- + timefn.hpp| 11 + ulinks.cpp| 6 ++-- + win32stm.cpp | 9 -- + 12 files changed, 170 insertions(+), 25 deletions(-) + +diff --git a/arcread.cpp b/arcread.cpp +index d1df6c0..63858d9 100644 +--- a/arcread.cpp b/arcread.cpp +@@ -1441,7 +1441,9 @@ bool Archive::ReadSubData(Array *UnpData,File *DestFile,bool TestMode) + { + if (SubHead.UnpSize>0x100) + { +- // So huge allocation must never happen in valid archives. ++ // Prevent the excessive allocation. When reading to memory, normally ++ // this function operates with reasonably small blocks, such as ++ // the archive comment, NTFS ACL or "Zone.Identifier" NTFS stream. + uiMsg(UIERROR_SUBHEADERUNKNOWN,FileName); + return false; + } +diff --git a/extinfo.cpp b/extinfo.cpp +index 5cb90a4..0f25f31 100644 +--- a/extinfo.cpp b/extinfo.cpp +@@ -112,6 +112,68 @@ static bool LinkInPath(const wchar *Name) + } + + ++// Delete symbolic links in file path, if any, and replace them by directories. ++// Prevents extracting files outside of destination folder with symlink chains. ++bool LinksToDirs(const wchar *SrcName,const wchar *SkipPart,std::wstring ) ++{ ++ // Unlike Unix, Windows doesn't expand lnk1 in symlink targets like ++ // "lnk1/../dir", but converts the path to "dir". In Unix we need to call ++ // this function to prevent placing unpacked files outside of destination ++ // folder if previously we unpacked "dir/lnk1" -> "..", ++ // "dir/lnk2" -> "lnk1/.." and "dir/lnk2/anypath/poc.txt". 
++ // We may still need this function to prevent abusing symlink chains ++ // in link source path if we remove detection of such chains ++ // in IsRelativeSymlinkSafe. This function seems to make other symlink ++ // related safety checks redundant, but for now we prefer to keep them too. ++ // ++ // 2022.12.01: the performance impact is minimized after adding the check ++ // against the previous path and enabling this verification only after ++ // extracting a symlink with ".." in target. So we enabled it for Windows ++ // as well for extra safety. ++//#ifdef _UNIX ++ wchar Path[NM]; ++ if (wcslen(SrcName)>=ASIZE(Path)) ++return false; // It should not be that
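Review bot: the changelog hunk introduces version 1:6.0.3-1+deb11u2 while the bug subject still reads 1:6.0.3-1+deb11u1; please retitle the bug so the point-update request names the version actually in the debdiff. Minor style point in the same hunk: Debian changelogs conventionally spell it "Non-maintainer upload."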
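Review bot: in the extinfo.cpp hunk, `//#ifdef _UNIX` is left as a commented-out preprocessor line; if the matching `#endif` further down is disabled the same way, drop both lines rather than carrying dead directives and keep the 2022.12.01 comment, which already records why the check now runs on every platform. The early `return false` when `wcslen(SrcName)>=ASIZE(Path)` only closes the hole if every caller treats a false result as "do not write this file"; worth confirming in extract.cpp, which the diffstat shows is modified as well.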
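As an added example (not part of the bug report or of unrar's own code), the check below applies the same idea as the LinksToDirs function in the patch in a simpler form: before an extracted member is written it refuses any path whose parent components already on disk are symlinks; demo() rebuilds the lnk1/lnk2 chain from the patch comment in a scratch directory (a constructed scenario; assumes a Unix host where unprivileged users can create symlinks).

```python
import os
import tempfile


def safe_extract_target(dest, member_name):
    """Return the absolute path under dest where archive member member_name
    may be written, or None if writing there could leave dest.

    Rejects absolute names and '..' components and, like LinksToDirs in the
    unrar fix, refuses when any parent component that already exists on disk
    is a symlink: a chain such as lnk1 -> '..' and lnk2 -> 'lnk1/..' would
    otherwise redirect 'dir/lnk2/anypath/poc.txt' outside the destination.
    Simplified policy: refuse instead of replacing the link by a directory."""
    dest = os.path.realpath(dest)
    if os.path.isabs(member_name):
        return None
    parts = [p for p in member_name.replace("\\", "/").split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return None
    cur = dest
    for part in parts[:-1]:
        cur = os.path.join(cur, part)
        if os.path.islink(cur):  # a planted link would redirect the write
            return None
    target = os.path.join(dest, *parts)
    # Belt and braces: the resolved parent directory must still lie inside dest.
    parent = os.path.realpath(os.path.dirname(target))
    if os.path.commonpath([dest, parent]) != dest:
        return None
    return target


def demo():
    """Rebuild the symlink chain from the patch comment in a scratch directory
    (constructed scenario) and report (escaped, blocked, allowed)."""
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.realpath(os.path.join(root, "out"))
        os.makedirs(os.path.join(dest, "dir"))
        # Symlink entries an archive could have planted earlier in the extraction.
        os.symlink("..", os.path.join(dest, "dir", "lnk1"))
        os.symlink("lnk1/..", os.path.join(dest, "dir", "lnk2"))
        member = "dir/lnk2/anypath/poc.txt"
        # Where a naive extractor that just joins dest and member would write.
        naive = os.path.realpath(os.path.join(dest, member))
        escaped = os.path.commonpath([dest, naive]) != dest
        blocked = safe_extract_target(dest, member) is None
        allowed = safe_extract_target(dest, "dir/plain/readme.txt") is not None
        return escaped, blocked, allowed


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```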
Bug#1043060: emacs-pgtk: wayland backend unusable with emacsclient
Sean Whitton writes: > 2. install pgtk's emacsclient, because that seems to cover everyone. >More testing is required. Attached is a patch implementing this solution. The end result works for the pgtk/Wayland side, but the other variants on X side should get more testing. >From cf5d2cd81bd9e39cfd6312a85351ca40dea88f85 Mon Sep 17 00:00:00 2001 From: Arto Jantunen Date: Wed, 2 Aug 2023 11:37:00 +0300 Subject: [PATCH 2/2] Take emacs-bin-common contents from pgtk --- debian/rules | 14 +++--- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/debian/rules b/debian/rules index b42d2634a42d..1d76f18c9ece 100755 --- a/debian/rules +++ b/debian/rules @@ -399,7 +399,7 @@ endef override_dh_auto_install: $(autogen_install_files) rm -rf \ - $(install_dir_gtk) $(install_dir_nox) $(install_dir_lucid) \ + $(install_dir_pgtk) $(install_dir_nox) $(install_dir_lucid) \ $(pkgdir_common)/* \ $(pkgdir_bin_common)/* \ $(pkgdir_gtk)/* \ @@ -408,13 +408,13 @@ override_dh_auto_install: $(autogen_install_files) $(pkgdir_lucid)/* \ $(pkgdir_el)/* - $(call emacs_inst,build-gtk,$(install_dir_gtk)) + $(call emacs_inst,build-pgtk,$(install_dir_pgtk)) ## # emacs-common ifneq (,$(findstring emacs-common, $(shell dh_listpackages))) install -d $(pkgdir_common) - cp -a $(install_dir_gtk)/* $(pkgdir_common) + cp -a $(install_dir_pgtk)/* $(pkgdir_common) rm -r $(pkgdir_common)/usr/bin rm \ @@ -488,8 +488,8 @@ override_dh_auto_install: $(autogen_install_files) ifneq (,$(findstring emacs-bin-common, $(shell dh_listpackages))) # Move common binaries to emacs-bin-common. install -d $(pkgdir_bin_common)/usr - cp -a $(install_dir_gtk)/usr/bin $(pkgdir_bin_common)/usr - cp -a $(install_dir_gtk)/usr/libexec $(pkgdir_bin_common)/usr + cp -a $(install_dir_pgtk)/usr/bin $(pkgdir_bin_common)/usr + cp -a $(install_dir_pgtk)/usr/libexec $(pkgdir_bin_common)/usr # Make sure there's just one. test -f $(pkgdir_bin_common)/usr/bin/emacs-* 
@@ -517,6 +517,7 @@ override_dh_auto_install: $(autogen_install_files) ## # emacs-gtk ifneq (,$(findstring emacs, $(shell dh_listpackages))) + $(call emacs_inst,build-gtk,$(install_dir_gtk)) $(call install_common_binpkg_bits,\ $(install_dir_gtk),$(pkgdir_gtk),emacs-gtk,gtk) @@ -530,8 +531,7 @@ override_dh_auto_install: $(autogen_install_files) ## # emacs-pgtk -ifneq (,$(findstring emacs-pgtk, $(shell dh_listpackages))) - $(call emacs_inst,build-pgtk,$(install_dir_pgtk)) +ifneq (,$(findstring emacs, $(shell dh_listpackages))) $(call install_common_binpkg_bits,\ $(install_dir_pgtk),$(pkgdir_pgtk),emacs-pgtk,pgtk) -- 2.40.1 -- Arto Jantunen
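Review bot: the first hunk replaces $(install_dir_gtk) with $(install_dir_pgtk) in the `rm -rf` list, but a later hunk still installs into $(install_dir_gtk) via `$(call emacs_inst,build-gtk,$(install_dir_gtk))`, so the gtk install directory is no longer cleaned before it is reused; keep both directories in the `rm -rf` list.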
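Review bot: the last hunk changes the emacs-pgtk guard from `$(findstring emacs-pgtk, ...)` to `$(findstring emacs, ...)`, which matches every package name containing "emacs" (the same loose pattern the `# emacs-gtk` block already uses), so the pgtk install_common_binpkg_bits call now runs even in a build that leaves emacs-pgtk out of dh_listpackages; if the intent is that pgtk must always be built because emacs-bin-common is now copied from it, say so in a comment, otherwise keep the `emacs-pgtk` match.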
Bug#1050118: 7zip-standalone/experimental: undeclared file conflict with 7zip/bookworm+trixie+unstable
Package: 7zip-standalone Version: 23.01+dfsg-4~exp1 Severity: serious User: debian...@lists.debian.org Usertags: fileconflict Control: affects -1 + 7zip 7zip-standalone and 7zip both ship /usr/bin/7zip, but they do not declare any Conflicts, Replaces or diversions to alleviate that situation. As a consequence, an unpack error may result when attempting to install both. Given the changelog entry saying "split", I think you meant to move files between packages. In this case, please ensure that you set both Breaks and Replaces. Helmut
Bug#1050117: /usr/share/bug/linux-image-6.4.0-0.deb12.2-686-pae-unsigned/include-1cmdline: poweroff (shutdown -h) / reboot (shutdown -r) does not work properly.
Package: src:linux Version: 6.4.4-3~bpo12+1 Severity: normal File: /usr/share/bug/linux-image-6.4.0-0.deb12.2-686-pae-unsigned/include-1cmdline X-Debbugs-Cc: takashi.y...@nifty.ne.jp I installed bookworm on my OLD PC and found this problem. Shutdown and reboot do not work properly. It stops after displaying: [ .xx] system-shutdown[1]: Powering off. or [ .xx] system-shutdown[1]: Rebooting. I also noticed that another PC of a similar generation works even with linux-image-6.1.0-11-686-pae (DELL PowerEdge 1500SC). The full screen image is like: [ 290.821465] EXT4-fs (sda4): unmounting filesystem. [ 291.185022] systemd-shutdown[1]: Syncing filesystems and block devices. [ 291.358289] systemd-shutdown[1]: Sending SIGTERM to remaining processes... [ 291.368445] systemd-journald[211]: Received SIGTERM from PID i (systemdeshutdow). [ 291.406307] systemd-shutdown[1]: Sending SIGKILL to remaining processes... [ 291.415836] systemd-shutdown[1]: Unmounting file systems. [ 291.420449] (sd-remount)[505]: Remounting'/' read-only with options 'errors:remount-ro'. [ 291.431524] EXT4-fs (sda12): re-mounted. Quota mode: none. [ 291.439996] systemd-shutdown[1]: All filesystems unmounted. [ 291.440097] systemd-shutdown[1]: Deactivating swaps. [ 291.440423] systemd-shutdown[1]: All swaps deactivated. [ 291.440477] systemd-shutdown[1]: Detaching loop devices. [ 291.444822] systemd-shutdown[1]: All loop devices detached. [ 291.444919] systemdeshutdown[1]: Stopping MD devices. [ 291.445354] systemd-shutdown[1]: All MD devices stopped. [ 291.445406] systemd-shutdown[1]: Detaching DM devices. [ 291.445753] systemd-shutdown[1]: All DM devices detached. [ 291.445801] systemdeshutdown[1]: All filesystems, swaps, loop devices, MD devices and DM devices detached. [ 291.459662] systemd-shutdown[1]: Syncing filesystems and block devices. [ 291.461906] systemdeshutdown[1]: Powering off. First, this happens with linux-image-6.1.0-11-686-pae. 
I tried various kernel versions and the results are as follows.
linux-image-5.19.0-0.deb11.2-686-pae 5.19.11-1~bpo11+1 : OK
linux-image-6.0.0-0.deb11.2-686-pae 6.0.3-1~bpo11+1 : OK
linux-image-6.1.0-0.deb11.5-686-pae 6.1.12-1~bpo11+1 : OK
linux-image-6.1.0-0.deb11.7-686-pae 6.1.20-2~bpo11+1 : OK
linux-image-6.1.0-10-686-pae 6.1.38-2 : NG
linux-image-6.1.0-11-686-pae 6.1.38-4 : NG
linux-image-6.4.0-0.deb12.2-686-pae-unsigned 6.4.4-3~bpo12+1 : NG
linux-image-6.4.0-2-686-pae 6.4.4-3 : NG
linux-image-6.5.0-0-686-pae-unsigned 6.5~rc6-1~exp1 : NG
OK: Works without the problem. NG: Has the problem. It seems that kernels built for bullseye do not have this issue. Or maybe kernels before 6.1.0-0 work. Please let me know if further information is necessary. -- Package-specific info: ** Version: Linux version 6.4.0-0.deb12.2-686-pae (debian-ker...@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.4.4-3~bpo12+1 (2023-08-08) ** Command line: BOOT_IMAGE=/vmlinuz-6.4.0-0.deb12.2-686-pae root=UUID=fc774740-5be6-44f6-b87c-b6d8305d3680 ro quiet ** Tainted: DE (8320) * kernel died recently, i.e. 
there was an OOPS or BUG * unsigned module was loaded ** Kernel log: Unable to read kernel log; any relevant messages should be attached ** Model information Mother board: MSI MS6163 VER:1 (440BX chipset) CPU: Intel(R) Celeron(TM) CPU 1400MHz Graphics: Nvidia FX 5900XT ** Loaded modules: binfmt_misc(E) sil164(E) nouveau(E) ppdev(E) snd_ymfpci(E+) saa7134(E) tveeprom(E) snd_ac97_codec(E) videobuf2_dma_sg(E) videobuf2_memops(E) ac97_bus(E) videobuf2_v4l2(E) snd_mpu401_uart(E) snd_opl3_lib(E) snd_hwdep(E) gameport(E) snd_rawmidi(E) snd_seq_device(E) videodev(E) mxm_wmi(E) snd_pcm(E) snd_timer(E) videobuf2_common(E) drm_display_helper(E) pcspkr(E) snd(E) mc(E) cec(E) soundcore(E) rc_core(E) drm_ttm_helper(E) ttm(E) drm_kms_helper(E) i2c_algo_bit(E) parport_pc(E) video(E) parport(E) wmi(E) joydev(E) button(E) evdev(E) serio_raw(E) sg(E) loop(E) fuse(E) drm(E) efi_pstore(E) dm_mod(E) dax(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) hid_logitech_hidpp(E) hid_logitech_dj(E) sd_mod(E) t10_pi(E) hid_generic(E) usbhid(E) hid(E) crc64_rocksoft(E) crc64(E) crc_t10dif(E) crct10dif_generic(E) sr_mod(E) crct10dif_common(E) cdrom(E) ata_generic(E) ata_piix(E) ohci_pci(E) uhci_hcd(E) ehci_pci(E) ohci_hcd(E) ehci_hcd(E) libata(E) psmouse(E) usbcore(E) scsi_mod(E) e1000(E) i2c_piix4(E) scsi_common(E) usb_common(E) floppy(E) fan(E) ** PCI devices: 00:00.0 Host bridge [0600]: Intel Corporation 440BX/ZX/DX - 82443BX/ZX/DX Host bridge [8086:7190] (rev 03) Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=medium >TAbort-
Bug#1050116: openuniverse: Please do not refer to unavailable packages in descriptions
Package: openuniverse Severity: minor X-Debbugs-Cc: a...@users.sourceforge.net Dear Maintainer, the description available through apt show openuniverse ends by saying: “users are recommended to use Celestia instead” but there is no Debian package of that or a similar name. -- System Information: Debian Release: 12.1 APT prefers stable-security APT policy: (500, 'stable-security'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 6.1.0-11-amd64 (SMP w/4 CPU threads; PREEMPT) Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages openuniverse depends on: ii libc6 2.36-9+deb12u1 ii libgcc-s1 12.2.0-14 ii libgl1 1.6.0-1 ii libglu1-mesa [libglu1] 9.0.2-1.1 ii libglut3.12 3.4.0-1 ii libjpeg62-turbo 1:2.1.5-2 pn libplib1 ii libstdc++6 12.2.0-14 pn openuniverse-common openuniverse recommends no packages. openuniverse suggests no packages.
Bug#670796: dh-autoreconf: strange interaction with mkinstalldirs
Control: unblock 924973 by 670796 Control: unblock 1049821 by 670796 On Sunday, 29 April 2012 06:08:02 CEST Russ Allbery wrote: > I have a package (gnubg) which uses mkinstalldirs. After the first > build and clean cycle, mkinstalldirs has been deleted by > dh_autoreconf_clean. But then running autoreconf doesn't bring it > back, which means that the build fails. > > As near as I can tell, autoreconf updates mkinstalldirs if it exists, > but if it's been deleted, it doesn't copy it into the source tree, > which leads to build failures when the package is built twice in > sequence. As workaround, I am currently using following in g3dviewer: diff --git a/debian/rules b/debian/rules index 0ef8b15b5613ea736ecaaa72bc6b4b000de38017..a99803c6f7db41b04f40585e8095213a46da4850 100755 --- a/debian/rules +++ b/debian/rules @@ -7,8 +7,11 @@ export DEB_CPPFLAGS_MAINT_APPEND = -D_FILE_OFFSET_BITS=64 binary binary-arch binary-indep build build-arch build-indep clean install install-arch install-indep: dh $@ +override_dh_autoreconf: + dh_autoreconf -Xmkinstalldirs + override_dh_installdocs: dh_installdocs -A README NEWS TODO AUTHORS .PHONY: binary binary-arch binary-indep build build-arch build-indep clean install install-arch install-indep \ - override_dh_installdocs + override_dh_installdocs override_dh_autoreconf diff --git a/debian/source/options b/debian/source/options new file mode 100644 index ..039409ebff7151490cbd46057186153e1be682e4 --- /dev/null +++ b/debian/source/options @@ -0,0 +1 @@ +extend-diff-ignore = "(^|/)mkinstalldirs$" signature.asc Description: This is a digitally signed message part.
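Review bot: the two hunks are coupled and deserve a comment in debian/rules: `dh_autoreconf -Xmkinstalldirs` keeps dh_autoreconf_clean from deleting mkinstalldirs, but also stops it from tracking and restoring the copy that autoreconf rewrites, which is why debian/source/options then needs `extend-diff-ignore = "(^|/)mkinstalldirs$"` to keep the modified file out of the Debian diff; a one-line comment next to the override will stop the next maintainer from removing one half of the workaround.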
Bug#1050115: RFS: mp3info/0.8.5a+dfsg-1 -- MP3 technical info viewer and ID3 1.x tag editor
Package: sponsorship-requests Severity: normal Dear mentors, I am looking for a sponsor for my package "mp3info": * Package name : mp3info Version : 0.8.5a+dfsg-1 Upstream contact : Cedric Tefft * URL : https://www.ibiblio.org/mp3info/ * License : GPL-2+ * Vcs : https://salsa.debian.org/debian/mp3info Section : sound The source builds the following binary packages: mp3info - MP3 technical info viewer and ID3 1.x tag editor To access further information about this package, please visit the following URL: https://mentors.debian.net/package/mp3info/ Alternatively, you can download the package with 'dget' using this command: dget -x https://mentors.debian.net/debian/pool/main/m/mp3info/mp3info_0.8.5a+dfsg-1.dsc Changes since the last upload: mp3info (0.8.5a+dfsg-1) unstable; urgency=medium . * Removing support for gtk2. Consequently: - debian/control: - Removed libgtk2.0-dev in Build-Depends. (Closes: #967642) - Removed package: mp3info-gtk - debian/mp3info-gtk.dirs: Removed. - debian/mp3info-gtk.docs: Removed. - debian/mp3info-gtk.files: Removed. - debian/mp3info-gtk.menu: Removed. - debian/patches/04_removing_gtk2_interface.patch: Created. * debian/control: Bumped Standards-Version to 4.6.2. * debian/copyright: Updated. Regards, -- Hugo Torres de Lima