Bug#1050119: bullseye-pu: package unrar-nonfree/1:6.0.3-1+deb11u1

2023-08-20 Thread Markus Koschany
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org


Hi,

[ Reason ]

unrar-nonfree is affected by CVE-2022-48579 in Bullseye. Non-free
packages are not supported by the security team, but it still makes
sense to fix this issue via a point update.

[ Impact ]

unrar-nonfree would continue to be affected by CVE-2022-48579.

[ Tests ]

I have manually created a rar archive which includes several symlinks
pointing to each other, files with relative paths and special
characters and in all cases unrar-nonfree seems to do the right thing.
An official reproducer was not available.

[ Risks ]

If I made a mistake, there should be an unpack error or something
similar, which is not the case. Command switches didn't change, so an
external program like xarchiver continues to work as expected.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable


[ Other info ]

Maintainer approves point update. (#1050080)
diff -Nru unrar-nonfree-6.0.3/debian/changelog 
unrar-nonfree-6.0.3/debian/changelog
--- unrar-nonfree-6.0.3/debian/changelog2022-05-10 13:26:16.0 
+0200
+++ unrar-nonfree-6.0.3/debian/changelog2023-08-20 09:58:26.0 
+0200
@@ -1,3 +1,13 @@
+unrar-nonfree (1:6.0.3-1+deb11u2) bullseye; urgency=high
+
+  * Non maintainer upload.
+  * Fix CVE-2022-48579:
+It was discovered that UnRAR, an unarchiver for rar files, allows
+extraction of files outside of the destination folder via symlink chains.
+(Closes: #1050080)
+
+ -- Markus Koschany   Sun, 20 Aug 2023 09:58:26 +0200
+
 unrar-nonfree (1:6.0.3-1+deb11u1) bullseye; urgency=high
 
   * Fix CVE-2022-30333 (Closes: #1010837)
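Review bot: the new 1:6.0.3-1+deb11u2 entry does not name the patch it adds (debian/patches/0013-CVE-2022-48579.patch) or where it comes from, which the rest of the debdiff shows is a third-party GitHub commit rather than a rarlab release; a line such as `  * Add 0013-CVE-2022-48579.patch, backported from pmachapman/unrar commit 2ecab6b` lets stable users and the security tracker see the provenance without opening the patch. Minor: "Non maintainer upload" is conventionally written "Non-maintainer upload".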
diff -Nru unrar-nonfree-6.0.3/debian/patches/0013-CVE-2022-48579.patch 
unrar-nonfree-6.0.3/debian/patches/0013-CVE-2022-48579.patch
--- unrar-nonfree-6.0.3/debian/patches/0013-CVE-2022-48579.patch
1970-01-01 01:00:00.0 +0100
+++ unrar-nonfree-6.0.3/debian/patches/0013-CVE-2022-48579.patch
2023-08-20 09:58:26.0 +0200
@@ -0,0 +1,429 @@
+From: Markus Koschany 
+Date: Mon, 14 Aug 2023 15:43:54 +0200
+Subject: CVE-2022-48579
+
+Origin: 
https://github.com/pmachapman/unrar/commit/2ecab6bb5ac4f3b88f270218445496662020205f
+---
+ arcread.cpp   |  4 ++-
+ extinfo.cpp   | 89 +++
+ extinfo.hpp   |  3 +-
+ extract.cpp   | 44 +
+ extract.hpp   |  6 
+ hardlinks.cpp |  2 --
+ model.cpp |  6 ++--
+ os.hpp|  1 +
+ pathfn.cpp| 14 +++---
+ timefn.hpp| 11 
+ ulinks.cpp|  6 ++--
+ win32stm.cpp  |  9 --
+ 12 files changed, 170 insertions(+), 25 deletions(-)
+
+diff --git a/arcread.cpp b/arcread.cpp
+index d1df6c0..63858d9 100644
+--- a/arcread.cpp
 b/arcread.cpp
+@@ -1441,7 +1441,9 @@ bool Archive::ReadSubData(Array *UnpData,File 
*DestFile,bool TestMode)
+   {
+ if (SubHead.UnpSize>0x100)
+ {
+-  // So huge allocation must never happen in valid archives.
++  // Prevent the excessive allocation. When reading to memory, normally
++  // this function operates with reasonably small blocks, such as
++  // the archive comment, NTFS ACL or "Zone.Identifier" NTFS stream.
+   uiMsg(UIERROR_SUBHEADERUNKNOWN,FileName);
+   return false;
+ }
+diff --git a/extinfo.cpp b/extinfo.cpp
+index 5cb90a4..0f25f31 100644
+--- a/extinfo.cpp
 b/extinfo.cpp
+@@ -112,6 +112,68 @@ static bool LinkInPath(const wchar *Name)
+ }
+ 
+ 
++// Delete symbolic links in file path, if any, and replace them by 
directories.
++// Prevents extracting files outside of destination folder with symlink 
chains.
++bool LinksToDirs(const wchar *SrcName,const wchar *SkipPart,std::wstring 
)
++{
++  // Unlike Unix, Windows doesn't expand lnk1 in symlink targets like
++  // "lnk1/../dir", but converts the path to "dir". In Unix we need to call
++  // this function to prevent placing unpacked files outside of destination
++  // folder if previously we unpacked "dir/lnk1" -> "..",
++  // "dir/lnk2" -> "lnk1/.." and "dir/lnk2/anypath/poc.txt".
++  // We may still need this function to prevent abusing symlink chains
++  // in link source path if we remove detection of such chains
++  // in IsRelativeSymlinkSafe. This function seems to make other symlink
++  // related safety checks redundant, but for now we prefer to keep them too.
++  //
++  // 2022.12.01: the performance impact is minimized after adding the check
++  // against the previous path and enabling this verification only after
++  // extracting a symlink with ".." in target. So we enabled it for Windows
++  // as well for extra safety.
++//#ifdef _UNIX
++  wchar Path[NM];
++  if (wcslen(SrcName)>=ASIZE(Path))
++return false;  // It should not be that 
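Review bot: the DEP-3 header carries only From/Date/Subject/Origin, and Origin points at a third-party mirror (github.com/pmachapman/unrar) rather than upstream's own source; add `Bug-Debian: https://bugs.debian.org/1050080` and a `Bug:` line naming CVE-2022-48579 so the reason for the backport is recorded in the patch itself. The diffstat also shows the backport touching 12 files including Windows-only ones (win32stm.cpp, os.hpp, timefn.hpp), and the arcread.cpp hunk changes nothing but a comment; for a bullseye point update either trim the patch to the LinksToDirs changes in extinfo/extract/pathfn/ulinks or say in the header why the whole upstream commit was taken, and note that the `//#ifdef _UNIX` left commented out deliberately enables the new check on every platform.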

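As an added illustration of the escape the CVE-2022-48579 entry above describes (code written for this page, not part of unrar or the Debian patch): a Python check that resolves each component of an archive member path against what already exists under the destination directory, so a member routed through a symlink chain such as dir/lnk1 -> .. and dir/lnk2 -> lnk1/.. is refused before anything is written. The directory layout built by `build_symlink_chain` is constructed here from the patch comment, and all function names are this example's own.

```python
import os
import tempfile


def is_safe_target(dest: str, member: str) -> bool:
    """Return True when archive member `member` can be written under `dest`
    without landing outside it.

    Each prefix of the member path is resolved with os.path.realpath, which
    follows symlinks that already exist on disk (for example ones extracted
    earlier from the same archive), and every intermediate result must stay
    inside the real destination directory.  A lexical check of the member
    name alone would accept "dir/lnk2/anypath/file.txt" even though dir/lnk2
    may already point out of the tree.
    """
    real_dest = os.path.realpath(dest)
    if member.startswith(("/", "\\")):
        return False                      # absolute names are never acceptable
    parts = [p for p in member.replace("\\", "/").split("/") if p not in ("", ".")]
    if ".." in parts:
        return False                      # plain parent traversal in the name
    current = real_dest
    for part in parts:
        current = os.path.realpath(os.path.join(current, part))
        # commonpath() compares whole components, so /tmp/dest2 is not
        # mistaken for something inside /tmp/dest.
        if os.path.commonpath([real_dest, current]) != real_dest:
            return False
    return True


def build_symlink_chain(dest: str) -> None:
    """Constructed layout from the patch comment (demo only):
    dir/lnk1 -> ..  and  dir/lnk2 -> lnk1/.."""
    os.makedirs(os.path.join(dest, "dir"))
    os.symlink("..", os.path.join(dest, "dir", "lnk1"))
    os.symlink("lnk1/..", os.path.join(dest, "dir", "lnk2"))


def demo() -> dict:
    """Evaluate a few member names against a destination holding the chain."""
    with tempfile.TemporaryDirectory() as dest:
        build_symlink_chain(dest)
        return {
            "plain":     is_safe_target(dest, "docs/readme.txt"),           # inside
            "via_lnk1":  is_safe_target(dest, "dir/lnk1/file.txt"),         # resolves to dest/file.txt, still inside
            "via_chain": is_safe_target(dest, "dir/lnk2/anypath/file.txt"), # resolves above dest
            "dotdot":    is_safe_target(dest, "../file.txt"),
            "absolute":  is_safe_target(dest, "/etc/file.txt"),
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:10} {'ok' if ok else 'REJECTED'}")
```

The check has to run immediately before each write, inside the same extraction loop, since a symlink created by a later member changes the answer for everything after it; it is also only a verification step, whereas the unrar fix goes further and replaces symlinks found in the path with real directories, which this example does not do.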
Bug#1043060: emacs-pgtk: wayland backend unusable with emacsclient

2023-08-20 Thread Arto Jantunen
Sean Whitton  writes:
> 2. install pgtk's emacsclient, because that seems to cover everyone.
>More testing is required.

Attached is a patch implementing this solution. The end result works for
the pgtk/Wayland side, but the other variants on the X side should get more
testing.

>From cf5d2cd81bd9e39cfd6312a85351ca40dea88f85 Mon Sep 17 00:00:00 2001
From: Arto Jantunen 
Date: Wed, 2 Aug 2023 11:37:00 +0300
Subject: [PATCH 2/2] Take emacs-bin-common contents from pgtk

---
 debian/rules | 14 +++---
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/debian/rules b/debian/rules
index b42d2634a42d..1d76f18c9ece 100755
--- a/debian/rules
+++ b/debian/rules
@@ -399,7 +399,7 @@ endef
 
 override_dh_auto_install: $(autogen_install_files)
 	rm -rf \
-	  $(install_dir_gtk) $(install_dir_nox) $(install_dir_lucid) \
+	  $(install_dir_pgtk) $(install_dir_nox) $(install_dir_lucid) \
 	  $(pkgdir_common)/* \
 	  $(pkgdir_bin_common)/* \
 	  $(pkgdir_gtk)/* \
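Review bot: swapping $(install_dir_gtk) for $(install_dir_pgtk) in the rm -rf list means the gtk staging tree is no longer cleaned before `$(call emacs_inst,build-gtk,$(install_dir_gtk))` runs later in the same target, so a rebuild in an unclean tree can carry stale files into emacs-gtk; list both directories instead of replacing one with the other.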
@@ -408,13 +408,13 @@ override_dh_auto_install: $(autogen_install_files)
 	  $(pkgdir_lucid)/* \
 	  $(pkgdir_el)/*
 
-	$(call emacs_inst,build-gtk,$(install_dir_gtk))
+	$(call emacs_inst,build-pgtk,$(install_dir_pgtk))
 
 ##
 # emacs-common
 ifneq (,$(findstring emacs-common, $(shell dh_listpackages)))
 	  install -d $(pkgdir_common)
-	  cp -a $(install_dir_gtk)/* $(pkgdir_common)
+	  cp -a $(install_dir_pgtk)/* $(pkgdir_common)
 
 	  rm -r $(pkgdir_common)/usr/bin
 	  rm \
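Review bot: emacs-common is now populated from the pgtk build with nothing in the file saying why; since the choice is driven by pgtk's emacsclient being the one that works for every variant, put a one-line make comment above `cp -a $(install_dir_pgtk)/* $(pkgdir_common)` so the dependency on that build does not get "fixed" back to gtk in a later cleanup.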
@@ -488,8 +488,8 @@ override_dh_auto_install: $(autogen_install_files)
 ifneq (,$(findstring emacs-bin-common, $(shell dh_listpackages)))
 	  # Move common binaries to emacs-bin-common.
 	  install -d $(pkgdir_bin_common)/usr
-	  cp -a $(install_dir_gtk)/usr/bin $(pkgdir_bin_common)/usr
-	  cp -a $(install_dir_gtk)/usr/libexec $(pkgdir_bin_common)/usr
+	  cp -a $(install_dir_pgtk)/usr/bin $(pkgdir_bin_common)/usr
+	  cp -a $(install_dir_pgtk)/usr/libexec $(pkgdir_bin_common)/usr
 
 	  # Make sure there's just one.
 	  test -f $(pkgdir_bin_common)/usr/bin/emacs-*
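Review bot: this is the hunk the subject line describes, yet the commit has no message body; state there why emacs-bin-common must ship pgtk's binaries (the Wayland emacsclient case from the bug) and what was checked on the X variants, because `cp -a $(install_dir_pgtk)/usr/bin $(pkgdir_bin_common)/usr` silently changes which emacsclient every variant's users get.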
@@ -517,6 +517,7 @@ override_dh_auto_install: $(autogen_install_files)
 ##
 # emacs-gtk
 ifneq (,$(findstring emacs, $(shell dh_listpackages)))
+	  $(call emacs_inst,build-gtk,$(install_dir_gtk))
 	  $(call install_common_binpkg_bits,\
 	$(install_dir_gtk),$(pkgdir_gtk),emacs-gtk,gtk)
 
@@ -530,8 +531,7 @@ override_dh_auto_install: $(autogen_install_files)
 
 ##
 # emacs-pgtk
-ifneq (,$(findstring emacs-pgtk, $(shell dh_listpackages)))
-	  $(call emacs_inst,build-pgtk,$(install_dir_pgtk))
+ifneq (,$(findstring emacs, $(shell dh_listpackages)))
 	  $(call install_common_binpkg_bits,\
 	$(install_dir_pgtk),$(pkgdir_pgtk),emacs-pgtk,pgtk)
 
-- 
2.40.1


-- 
Arto Jantunen


Bug#1050118: 7zip-standalone/experimental: undeclared file conflict with 7zip/bookworm+trixie+unstable

2023-08-20 Thread Helmut Grohne
Package: 7zip-standalone
Version: 23.01+dfsg-4~exp1
Severity: serious
User: debian...@lists.debian.org
Usertags: fileconflict
Control: affects -1 + 7zip

7zip-standalone and 7zip both ship /usr/bin/7zip, but they do not
declare any Conflicts, Replaces or diversions to alleviate that
situation. As a consequence, an unpack error may result when attempting
to install both.

Given the changelog entry saying "split", I think you meant to move
files between packages. In this case, please ensure that you set both
Breaks and Replaces.

Helmut
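
To make the check behind this report concrete, here is an added Python example (written for this page, not Debian's own tooling) that compares two `dpkg-deb -c` listings for non-directory paths shipped by both packages and then looks at the Conflicts/Breaks/Replaces fields to see whether the overlap is declared, applying the rule stated above that files moved between packages need both Breaks and Replaces. The listings and control fields are constructed samples, not the real 7zip or 7zip-standalone contents; `deb_info` is a convenience wrapper that needs dpkg-deb on the machine.

```python
import re
import subprocess
from typing import Dict, Set, Tuple

RELATION_FIELDS = ("Conflicts", "Breaks", "Replaces")

# Constructed samples of `dpkg-deb -c` output (not the real package listings).
LISTING_A = """\
drwxr-xr-x root/root         0 2023-08-20 09:58 ./
drwxr-xr-x root/root         0 2023-08-20 09:58 ./usr/
drwxr-xr-x root/root         0 2023-08-20 09:58 ./usr/bin/
-rwxr-xr-x root/root   2345678 2023-08-20 09:58 ./usr/bin/7zip
lrwxrwxrwx root/root         0 2023-08-20 09:58 ./usr/bin/7zr -> 7zip
"""
LISTING_B = """\
drwxr-xr-x root/root         0 2023-08-20 09:58 ./
drwxr-xr-x root/root         0 2023-08-20 09:58 ./usr/
drwxr-xr-x root/root         0 2023-08-20 09:58 ./usr/bin/
-rwxr-xr-x root/root   1234567 2023-08-20 09:58 ./usr/bin/7zip
-rw-r--r-- root/root      1024 2023-08-20 09:58 ./usr/share/doc/pkg-b/copyright
"""
# Constructed control fields for the two hypothetical packages.
CONTROL_A = {"Package": "pkg-a"}
CONTROL_B = {"Package": "pkg-b", "Replaces": "pkg-a (<< 1.0), something-else"}


def parse_contents(listing: str) -> Set[str]:
    """Return the set of non-directory paths from a `dpkg-deb -c` listing.

    Each line is: mode owner/group size date time name [-> target].  Shared
    directories are fine between packages; only files, symlinks and other
    non-directory entries at the same path clash at unpack time.
    """
    paths = set()
    for line in listing.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        mode, name = fields[0], fields[5]
        if mode.startswith("d"):
            continue
        if mode.startswith("l") and " -> " in name:
            name = name.split(" -> ", 1)[0]   # the link's own path, not its target
        if name.startswith("./"):
            name = name[1:]
        paths.add(name)
    return paths


def relation_targets(control: Dict[str, str], field: str) -> Set[str]:
    """Package names in one relationship field, without version clauses."""
    names = set()
    for entry in re.split(r"[,|]", control.get(field, "")):
        entry = entry.strip()
        if entry:
            names.add(entry.split("(", 1)[0].strip())
    return names


def check_pair(listing_a: str, control_a: Dict[str, str],
               listing_b: str, control_b: Dict[str, str]) -> dict:
    """Report overlapping paths and whether either package declares them.

    The overlap is acceptable when one side Conflicts with the other, or when
    one side carries both Breaks and Replaces against the other (the pair
    required when files move between packages).  Replaces alone lets dpkg
    overwrite the files but leaves the other package half-installed.
    """
    overlap = parse_contents(listing_a) & parse_contents(listing_b)
    a, b = control_a["Package"], control_b["Package"]
    a_declares = {f for f in RELATION_FIELDS if b in relation_targets(control_a, f)}
    b_declares = {f for f in RELATION_FIELDS if a in relation_targets(control_b, f)}
    moved = {"Breaks", "Replaces"}
    ok = (not overlap or "Conflicts" in (a_declares | b_declares)
          or moved <= a_declares or moved <= b_declares)
    return {"overlap": overlap, "a_declares": a_declares,
            "b_declares": b_declares, "ok": ok}


def deb_info(path: str) -> Tuple[str, Dict[str, str]]:
    """Fetch listing and single-line control fields from a .deb (needs dpkg-deb)."""
    listing = subprocess.run(["dpkg-deb", "-c", path], check=True,
                             capture_output=True, text=True).stdout
    raw = subprocess.run(["dpkg-deb", "-f", path, "Package", *RELATION_FIELDS],
                         check=True, capture_output=True, text=True).stdout
    control = {}
    for line in raw.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            control[key.strip()] = value.strip()
    return listing, control


if __name__ == "__main__":
    print(check_pair(LISTING_A, CONTROL_A, LISTING_B, CONTROL_B))
```

With the samples, both packages ship /usr/bin/7zip and pkg-b only Replaces pkg-a, so `ok` is False; adding a matching Breaks to pkg-b turns it True. Multi-line control fields are not handled by `deb_info`, which is adequate for relationship fields but not for Description.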



Bug#1050117: /usr/share/bug/linux-image-6.4.0-0.deb12.2-686-pae-unsigned/include-1cmdline: poweroff (shutdown -h) / reboot (shutdown -r) does not work properly.

2023-08-20 Thread Takashi Yano
Package: src:linux
Version: 6.4.4-3~bpo12+1
Severity: normal
File: 
/usr/share/bug/linux-image-6.4.0-0.deb12.2-686-pae-unsigned/include-1cmdline
X-Debbugs-Cc: takashi.y...@nifty.ne.jp

I installed bookworm on my OLD PC and found this problem.
Shutdown and reboot do not work properly. It stops after
displaying:
[  .xx] system-shutdown[1]: Powering off.
 or
[  .xx] system-shutdown[1]: Rebooting.

I also noticed that another PC of a similar generation works
even with linux-image-6.1.0-11-686-pae (DELL PowerEdge 1500SC).

Full screen image is like:
[ 290.821465] EXT4-fs (sda4): unmounting filesystem.
[ 291.185022] systemd-shutdown[1]: Syncing filesystems and block devices.
[ 291.358289] systemd-shutdown[1]: Sending SIGTERM to remaining processes...
[ 291.368445] systemd-journald[211]: Received SIGTERM from PID i 
(systemdeshutdow).
[ 291.406307] systemd-shutdown[1]: Sending SIGKILL to remaining processes...
[ 291.415836] systemd-shutdown[1]: Unmounting file systems.
[ 291.420449] (sd-remount)[505]: Remounting'/' read-only with options 
'errors:remount-ro'.
[ 291.431524] EXT4-fs (sda12): re-mounted. Quota mode: none.
[ 291.439996] systemd-shutdown[1]: All filesystems unmounted.
[ 291.440097] systemd-shutdown[1]: Deactivating swaps.
[ 291.440423] systemd-shutdown[1]: All swaps deactivated.
[ 291.440477] systemd-shutdown[1]: Detaching loop devices.
[ 291.444822] systemd-shutdown[1]: All loop devices detached.
[ 291.444919] systemdeshutdown[1]: Stopping MD devices.
[ 291.445354] systemd-shutdown[1]: All MD devices stopped.
[ 291.445406] systemd-shutdown[1]: Detaching DM devices.
[ 291.445753] systemd-shutdown[1]: All DM devices detached.
[ 291.445801] systemdeshutdown[1]: All filesystems, swaps, loop devices, MD 
devices and DM devices detached.
[ 291.459662] systemd-shutdown[1]: Syncing filesystems and block devices.
[ 291.461906] systemdeshutdown[1]: Powering off.


First, this happens with linux-image-6.1.0-11-686-pae.
I tried various kernel versions and the results are as follows.

linux-image-5.19.0-0.deb11.2-686-pae          5.19.11-1~bpo11+1  : OK
linux-image-6.0.0-0.deb11.2-686-pae           6.0.3-1~bpo11+1    : OK
linux-image-6.1.0-0.deb11.5-686-pae           6.1.12-1~bpo11+1   : OK
linux-image-6.1.0-0.deb11.7-686-pae           6.1.20-2~bpo11+1   : OK
linux-image-6.1.0-10-686-pae                  6.1.38-2           : NG
linux-image-6.1.0-11-686-pae                  6.1.38-4           : NG
linux-image-6.4.0-0.deb12.2-686-pae-unsigned  6.4.4-3~bpo12+1    : NG
linux-image-6.4.0-2-686-pae                   6.4.4-3            : NG
linux-image-6.5.0-0-686-pae-unsigned          6.5~rc6-1~exp1     : NG

OK: Works without the problem.
NG: Has the problem.

It seems that kernels built for bullseye do not have this issue.
Or maybe the kernel before 6.1.0-0 works.

Please let me know if further information is necessary.


-- Package-specific info:
** Version:
Linux version 6.4.0-0.deb12.2-686-pae (debian-ker...@lists.debian.org) (gcc-12 
(Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP 
PREEMPT_DYNAMIC Debian 6.4.4-3~bpo12+1 (2023-08-08)

** Command line:
BOOT_IMAGE=/vmlinuz-6.4.0-0.deb12.2-686-pae 
root=UUID=fc774740-5be6-44f6-b87c-b6d8305d3680 ro quiet

** Tainted: DE (8320)
 * kernel died recently, i.e. there was an OOPS or BUG
 * unsigned module was loaded

** Kernel log:
Unable to read kernel log; any relevant messages should be attached

** Model information
Mother board: MSI MS6163 VER:1 (440BX chipset)
CPU: Intel(R) Celeron(TM) CPU  1400MHz
Graphics: Nvidia FX 5900XT

** Loaded modules:
binfmt_misc(E)
sil164(E)
nouveau(E)
ppdev(E)
snd_ymfpci(E+)
saa7134(E)
tveeprom(E)
snd_ac97_codec(E)
videobuf2_dma_sg(E)
videobuf2_memops(E)
ac97_bus(E)
videobuf2_v4l2(E)
snd_mpu401_uart(E)
snd_opl3_lib(E)
snd_hwdep(E)
gameport(E)
snd_rawmidi(E)
snd_seq_device(E)
videodev(E)
mxm_wmi(E)
snd_pcm(E)
snd_timer(E)
videobuf2_common(E)
drm_display_helper(E)
pcspkr(E)
snd(E)
mc(E)
cec(E)
soundcore(E)
rc_core(E)
drm_ttm_helper(E)
ttm(E)
drm_kms_helper(E)
i2c_algo_bit(E)
parport_pc(E)
video(E)
parport(E)
wmi(E)
joydev(E)
button(E)
evdev(E)
serio_raw(E)
sg(E)
loop(E)
fuse(E)
drm(E)
efi_pstore(E)
dm_mod(E)
dax(E)
configfs(E)
ip_tables(E)
x_tables(E)
autofs4(E)
ext4(E)
crc16(E)
mbcache(E)
jbd2(E)
crc32c_generic(E)
hid_logitech_hidpp(E)
hid_logitech_dj(E)
sd_mod(E)
t10_pi(E)
hid_generic(E)
usbhid(E)
hid(E)
crc64_rocksoft(E)
crc64(E)
crc_t10dif(E)
crct10dif_generic(E)
sr_mod(E)
crct10dif_common(E)
cdrom(E)
ata_generic(E)
ata_piix(E)
ohci_pci(E)
uhci_hcd(E)
ehci_pci(E)
ohci_hcd(E)
ehci_hcd(E)
libata(E)
psmouse(E)
usbcore(E)
scsi_mod(E)
e1000(E)
i2c_piix4(E)
scsi_common(E)
usb_common(E)
floppy(E)
fan(E)

** PCI devices:
00:00.0 Host bridge [0600]: Intel Corporation 440BX/ZX/DX - 82443BX/ZX/DX Host 
bridge [8086:7190] (rev 03)
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- 
Stepping- SERR- FastB2B- DisINTx-
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=medium >TAbort- 

Bug#1050116: openuniverse: Please do not refer to unavailable packages in descriptions

2023-08-20 Thread Axel Stammler
Package: openuniverse
Severity: minor
X-Debbugs-Cc: a...@users.sourceforge.net

Dear Maintainer,

the description available through

apt show openuniverse

ends by saying: “users are recommended to use Celestia instead”

but there is no Debian package of that or a similar name.

-- System Information:
Debian Release: 12.1
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-11-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_IE:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openuniverse depends on:
ii  libc6   2.36-9+deb12u1
ii  libgcc-s1   12.2.0-14
ii  libgl1  1.6.0-1
ii  libglu1-mesa [libglu1]  9.0.2-1.1
ii  libglut3.12 3.4.0-1
ii  libjpeg62-turbo 1:2.1.5-2
pn  libplib1
ii  libstdc++6  12.2.0-14
pn  openuniverse-common 

openuniverse recommends no packages.

openuniverse suggests no packages.


Bug#670796: dh-autoreconf: strange interaction with mkinstalldirs

2023-08-20 Thread Sven Eckelmann
Control: unblock 924973 by 670796
Control: unblock 1049821 by 670796

On Sunday, 29 April 2012 06:08:02 CEST Russ Allbery wrote:
> I have a package (gnubg) which uses mkinstalldirs.  After the first
> build and clean cycle, mkinstalldirs has been deleted by
> dh_autoreconf_clean.  But then running autoreconf doesn't bring it
> back, which means that the build fails.
> 
> As near as I can tell, autoreconf updates mkinstalldirs if it exists,
> but if it's been deleted, it doesn't copy it into the source tree,
> which leads to build failures when the package is built twice in
> sequence.

As a workaround, I am currently using the following in g3dviewer:

diff --git a/debian/rules b/debian/rules
index 
0ef8b15b5613ea736ecaaa72bc6b4b000de38017..a99803c6f7db41b04f40585e8095213a46da4850
 100755
--- a/debian/rules
+++ b/debian/rules
@@ -7,8 +7,11 @@ export DEB_CPPFLAGS_MAINT_APPEND = -D_FILE_OFFSET_BITS=64
 binary binary-arch binary-indep build build-arch build-indep clean install 
install-arch install-indep:
dh $@
 
+override_dh_autoreconf:
+   dh_autoreconf -Xmkinstalldirs
+
 override_dh_installdocs:
dh_installdocs -A README NEWS TODO AUTHORS
 
 .PHONY: binary binary-arch binary-indep build build-arch build-indep clean 
install install-arch install-indep \
-   override_dh_installdocs
+   override_dh_installdocs override_dh_autoreconf
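Review bot: `dh_autoreconf -Xmkinstalldirs` matches that string anywhere in a path, so it would also exclude any other file whose name happens to contain it; a make comment above `override_dh_autoreconf:` saying that the exclusion keeps dh_autoreconf_clean from deleting a file autoreconf does not put back (with a pointer to #670796) would tell the next maintainer why the override exists and when it can be dropped.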
diff --git a/debian/source/options b/debian/source/options
new file mode 100644
index 
..039409ebff7151490cbd46057186153e1be682e4
--- /dev/null
+++ b/debian/source/options
@@ -0,0 +1 @@
+extend-diff-ignore = "(^|/)mkinstalldirs$"
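Review bot: `extend-diff-ignore = "(^|/)mkinstalldirs$"` hides every change to mkinstalldirs from the Debian diff, including one a future maintainer makes on purpose; dpkg-source ignores lines starting with `#` in debian/source/options, so add a comment line there explaining that the file is ignored only because autoreconf rewrites it in place (see #670796).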




Bug#1050115: RFS: mp3info/0.8.5a+dfsg-1 -- MP3 technical info viewer and ID3 1.x tag editor

2023-08-20 Thread Hugo Torres
Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "mp3info":

 * Package name : mp3info
   Version  : 0.8.5a+dfsg-1
   Upstream contact : Cedric Tefft 
 * URL  : https://www.ibiblio.org/mp3info/
 * License  : GPL-2+
 * Vcs  : https://salsa.debian.org/debian/mp3info
   Section  : sound

The source builds the following binary packages:

  mp3info - MP3 technical info viewer and ID3 1.x tag editor

To access further information about this package, please visit the following URL:

  https://mentors.debian.net/package/mp3info/

Alternatively, you can download the package with 'dget' using this command:

  dget -x https://mentors.debian.net/debian/pool/main/m/mp3info/mp3info_0.8.5a+dfsg-1.dsc

Changes since the last upload:

 mp3info (0.8.5a+dfsg-1) unstable; urgency=medium
 .
   * Removing support for gtk2. Consequently:
   - debian/control:
   - Removed libgtk2.0-dev in Build-Depends. (Closes: #967642)
   - Removed package: mp3info-gtk
   - debian/mp3info-gtk.dirs: Removed.
   - debian/mp3info-gtk.docs: Removed.
   - debian/mp3info-gtk.files: Removed.
   - debian/mp3info-gtk.menu: Removed.
   - debian/patches/04_removing_gtk2_interface.patch: Created.
   * debian/control: Bumped Standards-Version to 4.6.2.
   * debian/copyright: Updated.

Regards,
--
  Hugo Torres de Lima


