Bug#1055827: ITP: elenv -- Emacs Lisp Environment Detection Library

[Xiyue Deng]

Xiyue Deng  writes:

> Package: wnpp
> Owner: Xiyue Deng 
> Severity: wishlist
>
> * Package name: elenv
>   Version : 0.1.0+git20231106.e7619ff
>   Upstream Author : Jen-Chieh Shen 
> * URL or Web page : g...@github.com:jcs-elpa/elenv.git
> * License : GPL-3+
>   Description : Emacs Lisp Environment Detection Library
>
> Elenv is an Emacs Lisp library that provides a consistent interface to
> detect operating sytem types, graphic environments, environmental
> variables, executables, etc.
>
> I intent to maintain this within the Debian Emacsen team.

Forgot to mention that this package is a dependency of newer lsp-mode
package.  More packages will potentially use this in the future as well.

-- 
Xiyue Deng

Bug#1055828: libqxmppqt5-dev has an undeclared file conflict on /usr/lib/x86_64-linux-gnu/pkgconfig/qxmpp.pc

[Helmut Grohne]

Package: libqxmppqt5-dev
Version: 1.5.5-0.1~exp1
Severity: serious
User: debian...@lists.debian.org
Usertags: fileconflict
Control: affects -1 + libqxmpp-dev

libqxmppqt5-dev has an undeclared file conflict. This may result in an
unpack error from dpkg.

The file /usr/lib/x86_64-linux-gnu/pkgconfig/qxmpp.pc is contained in
the packages
 * libqxmpp-dev
   * 1.3.2-2 as present in bullseye
   * 1.4.0-2 as present in bookworm|trixie|unstable
   * 1.4.0-2~bpo11+1 as present in bullseye-backports
 * libqxmppqt5-dev/1.5.5-0.1~exp1 as present in experimental

These packages can be unpacked concurrently, because there is no
relevant Replaces or Conflicts relation. Attempting to unpack these
packages concurrently results in an unpack error from dpkg, because none
of the packages installs a diversion for the affected file.

Kind regards

The Debian Usr Merge Analysis Tool

This bug report has been automatically filed with no human intervention.
The source code is available at https://salsa.debian.org/helmutg/dumat.
If the filing is unclear or in error, don't hesitate to contact
hel...@subdivi.de for assistance.

Bug#1055827: ITP: elenv -- Emacs Lisp Environment Detection Library

[Xiyue Deng]

Package: wnpp
Owner: Xiyue Deng 
Severity: wishlist

* Package name: elenv
  Version : 0.1.0+git20231106.e7619ff
  Upstream Author : Jen-Chieh Shen 
* URL or Web page : g...@github.com:jcs-elpa/elenv.git
* License : GPL-3+
  Description : Emacs Lisp Environment Detection Library

Elenv is an Emacs Lisp library that provides a consistent interface to
detect operating sytem types, graphic environments, environmental
variables, executables, etc.

I intent to maintain this within the Debian Emacsen team.

Bug#1055773: esptool: CVE-2023-46894

[Faidon Liambotis]

On Sat, Nov 11, 2023 at 08:51:30AM +0100, Salvatore Bonaccorso wrote:
> The following vulnerability was published for esptool.
> 
> CVE-2023-46894[0]:
> | An issue discovered in esptool 4.6.2 allows attackers to view
> | sensitive information via weak cryptographic algorithm.
> 
> If I undestand the upstream discussion[1] correctly this is not
> something hich is going to be fixed until the oldest earliest chips
> are not supported anymore. So this bug is merely for documentation
> purpose and can be closed once this support vanishes (or feel free to
> aswer the above, we might then simply mark it as unimportant in the
> security-tracker.

I'd go one step further, and express that IMHO this is not a security
vulnerability and that it shouldn't have been assigned a CVE in the
first place.

As you mentioned, based on upstream's comment above, old revisions of
one of the supported chipsets were using AES ECB for secure boot and
flash encryption, but newer ones have switched to newer cryptographic
algorithms. esptool has kept support for the older algorithms, in order
to keep the ability to work with older revisions of the hardware.

Obviously software shouldn't default or recommend broken cryptographic
ciphers, when it can be avoided. But I don't think it constitutes a
vulnerability to merely implement them, when they are used to interface
with the world as it exists outside of your software, such as for
compatibility with hardware, network protocols etc.

This is the equivalent of saying that coreutils is vulnerable because it
ships md5sum, an implementation of a broken digest, or that browsers
need a CVE for supporting older TLS ciphers, etc. Or perhaps even that
python-cryptography itself needs a CVE because it ships an
implementation of AES-ECB (or 3DES or whatever) :)

Let me know if you disagree! Keeping the bug open until I hear from you.

Thanks,
Faidon

Bug#961598: O: sqlcipher -- Command line interface for SQLCipher

[Petter Reinholdtsen]

Control: affects -1 + src:sqlcipher

Seem like a good idea to make sure this issue show up in the bug list
for sqlcipher.
-- 
Happy hacking
Petter Reinholdtsen

Bug#1055765: chromium: Error: Can't open display (armhf) while other platforms (amd64, arm64, i386) are OK

[Andres Salomon]

Probably the easiest way is to manually download the chromium and 
chromium-common deb packages, and then 'sudo apt install 
/path/to/chromium_117.x.y.z-1~deb12u1_armhf.deb 
/path/to/chromium-common_117.x.y.z-1~deb12u1_armhf.deb'.


If you go to 
https://snapshot.debian.org/package/chromium/117.0.5938.149-1~deb12u1/ 
in your browser, scroll down to the "chromium 117.0.5938.149-1~deb12u1" 
section, and then click on the link for 
"chromium_117.0.5938.149-1~deb12u1_armhf.deb" (or right click and click 
'save link as', or copy the link and supply it to wget/curl in the qemu 
environment), it should download it. Do the same thing in the 
"chromium-common 117.0.5938.149-1~deb12u1" section.


https://snapshot.debian.org/package/chromium/118.0.5993.70-1~deb12u1/ 
has more armhf deb packages, if the 117 packages aren't broken in your 
test. Unfortunately it looks like 118.0.5993.117-1 never successfully 
built for armhf on debian 12..




On Sun, Nov 12 2023 at 08:20:36 AM +01:00:00, Julien Neuhart 
 wrote:
Could you guide me on how ton install those versions? As far as I 
know, they are not available in bookworm directly. Thanks!


 Le 11 nov. 2023 à 21:51, Andres Salomon  a 
écrit :


 Okay, so not distribution-specific. Between 116 and 119 there were 
a considerable number of changes in the debian packaging, including 
switching from clang-14 to clang-16 for build (done in 
118.0.5993.117-1~deb12u1) and enabling NEON for armhf (done in 
117.0.5938.132-1~deb12u1). My immediate suspicion is the NEON 
change, so it would helpful if you could try those versions as well 
and report back. Also, if it turns out to be the NEON change, having 
the output of `uname -a` and `cat /proc/cpuinfo` (inside of qemu's 
armhf emulation) would be helpful.


 On Sat, Nov 11 2023 at 12:08:42 PM +01:00:00, Julien Neuhart 
 wrote:

 Hello Andres,
 Thanks for the quick follow up.
 So I’ve tested with Chromium 116.0.5845.180-1~deb12u1 and it 
works as expected on Debian 12.
 Note that I also had to explicitly install the chromium-common 
package:
 DEBIAN_FRONTEND=noninteractive apt-get install -y -qq 
--no-install-recommends chromium-common="116.0.5845.180-1~deb12u1" 
chromium="116.0.5845.180-1~deb12u1"

 Distributor ID:Debian
 Description:   Debian GNU/Linux 12 (bookworm)
 Release:   12
 Codename:  bookworm
 Kernel: Linux buildkitsandbox 6.2.0-1015-azure #15~22.04.1-Ubuntu 
SMP Fri Oct  6 13:20:44 UTC 2023 armv7l GNU/Linux

 Architecture: armhf
 chromium —version:
 ind: '/root/.config/chromium/Crash Reports/pending/': No such file 
or directory
 Chromium 116.0.5845.180 built on Debian 12.1, running on Debian 
12.2
 Le 10 nov. 2023 à 22:01, Andres Salomon  a 
écrit :

 Hi,
 Can you please try other versions if possible?  
119.0.6045.123-1~deb12u1 is currently in bookworm-security. 
116.0.5845.180-1~deb12u1 is still in bookworm. It would be helpful 
to know if this is a bookworm-specific regression, since it worked 
on bullseye's 116, or something broken in general with chromium 
119.
 It looks like a version of 117 and 118 also successfully built 
for armhf, as other option to try:
 
https://snapshot.debian.org/package/chromium/118.0.5993.70-1~deb12u1/
 
https://snapshot.debian.org/package/chromium/117.0.5938.149-1~deb12u1/
 On Fri, Nov 10 2023 at 09:49:00 PM +01:00:00, Julien Neuhart 
 wrote:

 Package: chromium
 Version: 119.0.6045.105-1~deb12u1
 Dear maintainers,
 While building with QEMU a Docker image based on Debian bookworm 
using the chromium package, I found out that the « armhf » 
variant seems broken, which is not the case for others platforms.

 Indeed, after having installed chromium with:
 DEBIAN_FRONTEND=noninteractive apt-get install -y -qq 
--no-install-recommends chromium
 Running « chromium —version » failed on armhf (Error: Can't 
open display) while working as expected in others platform 
(amd64, arm64, i386).
 Please note it is working fine in Debian 11 & package version 
116.0.5845.180.
 Full installation logs may be found here: 
https://github.com/gulien/chromium/actions/runs/6829257786

 armhf:
 Distributor ID: Debian
 Description: Debian GNU/Linux 12 (bookworm)
 Release:   12
 Codename: bookworm
 Kernel: Linux buildkitsandbox 6.2.0-1015-azure 
#15~22.04.1-Ubuntu SMP Fri Oct  6 13:20:44 UTC 2023 armv7l 
GNU/Linux

 Architecture: armhf
 chromium —version:
 Error: Can't open display:
 i386:
 Distributor ID: Debian
 Description: Debian GNU/Linux 12 (bookworm)
 Release:   12
 Codename: bookworm
 Kernel: Linux buildkitsandbox 6.2.0-1015-azure 
#15~22.04.1-Ubuntu SMP Fri Oct  6 13:20:44 UTC 2023 x86_64 
GNU/Linux

 Architecture: i386
 chromium —version:
 find: '/root/.config/chromium/Crash Reports/pending/': No such 
file or directory
 Chromium 119.0.6045.123 built on Debian 12.2, running on Debian 
12.2

 arm64:
 Distributor ID: Debian
 Description: Debian GNU/Linux 12 (bookworm)
 Release:   12
 Codename: bookworm
 Kernel: Linux buildkitsandbox 6.2.0-1015-azure 
#15~22.04.1-Ubuntu SMP Fri 

Bug#1055826: bullseye-pu: package crun/0.17+dfsg-1+deb11u2 (bullseye regression)

[Faidon Liambotis]

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: c...@packages.debian.org, car...@debian.org
Control: affects -1 + src:crun

A change merged into Linux v6.6 broke crun. The change was backported in
the stable branch with v6.1.55, the version in bookworm. We fixed crun
last week crun 1.8.1-1+deb12u1 (unblock request: #1055241).

Salvatore Bonaccorso pointed out that the change was backported into all
the stable branches, including v5.10.197, the version now in bullseye.
bullseye's crun, v0.17, is also affected, therefore bullseye crun +
bullseye Linux (or bullseye crun+bullseye-backports Linux etc.) are now
broken as well.

This upload just backports the same two patches that we backported to
bookworm and that are needed to address this issue. The patches apply
with minimal changes. There are no other changes included in this
upload.

See the bookworm-pu unblock request, #1055241, and SUA 243-1, for more
context.

[ Tests ]
Lightly tested on a bullseye VM.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Thanks,
Faidon
diff -Nru crun-0.17+dfsg/debian/changelog crun-0.17+dfsg/debian/changelog
--- crun-0.17+dfsg/debian/changelog 2023-02-11 23:44:44.0 +0200
+++ crun-0.17+dfsg/debian/changelog 2023-11-02 18:52:46.0 +0200
@@ -1,3 +1,12 @@
+crun (0.17+dfsg-1+deb11u2) bullseye; urgency=medium
+
+  * Backport two commits from upstream ("ignore ENOTSUP when chmod a
+symlink"), that restore containers with systemd as their init system, when
+running under Linux >= v6.6, >= v6.1.55 and >= 5.10.197, i.e. bullseye's
+and bookworm's current stable kernels. (Closes: #1053821)
+
+ -- Faidon Liambotis   Thu, 02 Nov 2023 18:52:46 +0200
+
 crun (0.17+dfsg-1+deb11u1) bullseye; urgency=medium
 
   * Backport upstream commits b847d14 ("spec: do not set inheritable
diff -Nru crun-0.17+dfsg/debian/patches/series 
crun-0.17+dfsg/debian/patches/series
--- crun-0.17+dfsg/debian/patches/series2023-02-11 23:44:44.0 
+0200
+++ crun-0.17+dfsg/debian/patches/series2023-11-02 18:52:46.0 
+0200
@@ -1,2 +1,4 @@
 CVE-2022-27650-b847d14.patch
 CVE-2022-27650-1aeeed2.patch
+utils-ignore-ENOTSUP-when-chmod-a-symlink.patch
+utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch
diff -Nru 
crun-0.17+dfsg/debian/patches/utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch
 
crun-0.17+dfsg/debian/patches/utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch
--- 
crun-0.17+dfsg/debian/patches/utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch
   1970-01-01 02:00:00.0 +0200
+++ 
crun-0.17+dfsg/debian/patches/utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch
   2023-11-02 18:52:46.0 +0200
@@ -0,0 +1,36 @@
+From 60296f112fddc74f4926f8ca6f6e1ef7a61ef5b9 Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano 
+Date: Tue, 26 Sep 2023 11:51:19 +0200
+Subject: [PATCH] utils: fix ignore ENOTSUP when chmod a symlink
+
+when ENOTSUP is encountered we must continue copying the other files,
+not doing an early return.
+
+commit 57262a2710c83fa08767f0ce3ba7a80993515bb2 introduced the
+regression with the Podman CI.
+
+Signed-off-by: Giuseppe Scrivano 
+
+Origin: upstream, 
https://github.com/containers/crun/commit/14afa8a46e2e83608a3a219402bce8ea8d071192
+Bug: https://github.com/containers/crun/issues/1308
+Bug-Debian: https://bugs.debian.org/1053821
+---
+ src/libcrun/utils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libcrun/utils.c b/src/libcrun/utils.c
+index 5c7f315..5306c5b 100644
+--- a/src/libcrun/utils.c
 b/src/libcrun/utils.c
+@@ -1858,7 +1858,7 @@ copy_recursive_fd_to_fd (int srcdirfd, int dfd, const 
char *srcname, const char
+ {
+   /* If the operation fails with ENOTSUP we are dealing with a 
symlink, so ignore it.  */
+   if (errno == ENOTSUP)
+-return 0;
++continue;
+ 
+   if (UNLIKELY (ret < 0))
+ return crun_make_error (err, errno, "chmod `%s/%s`", destname, 
de->d_name);
+-- 
+2.39.2
+
diff -Nru 
crun-0.17+dfsg/debian/patches/utils-ignore-ENOTSUP-when-chmod-a-symlink.patch 
crun-0.17+dfsg/debian/patches/utils-ignore-ENOTSUP-when-chmod-a-symlink.patch
--- 
crun-0.17+dfsg/debian/patches/utils-ignore-ENOTSUP-when-chmod-a-symlink.patch   
1970-01-01 02:00:00.0 +0200
+++ 
crun-0.17+dfsg/debian/patches/utils-ignore-ENOTSUP-when-chmod-a-symlink.patch   
2023-11-02 18:52:46.0 +0200
@@ -0,0 +1,48 @@
+From 3bc67556e2f077337e574e4c3aaf18488410b2f5 Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano 
+Date: Fri, 22 Sep 2023 11:34:19 +0200
+Subject: [PATCH] utils: ignore ENOTSUP when chmod a symlink
+
+commit 5d1f903f75a80daa4dfb3d84e114ec8ecbf29956 in the kernel, present
+in a release since Linux 6.6