Bug#1043037: "dead upstream", find a releasable fork
Package: mlmmj Version: 1.3.0-4 Severity: wishlist Tags: upstream MLMMJ upstream is dead for a long time; development stopped in May 2017. Baptiste Daroussin and others are continuing to work on MLMMJ in an external Git repository and have made a recent 1.4.0 b1 beta version release for testing. https://codeberg.org/mlmmj/mlmmj This needs to be investigated to see if this can be released to Debian. -- Chris -- Chris Knadle chris.kna...@coredump.us -- System Information: Debian Release: 10.13 APT prefers oldoldstable-updates APT policy: (500, 'oldoldstable-updates'), (500, 'oldoldstable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-24-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages mlmmj depends on: ii debconf [debconf-2.0] 1.5.71+deb10u1 ii exim4 4.92-8+deb10u7 ii exim4-daemon-heavy [mail-transport-agent] 4.92-8+deb10u7 ii libc6 2.28-10+deb10u2 mlmmj recommends no packages. Versions of packages mlmmj suggests: pn mlmmj-php-web pn mlmmj-php-web-admin -- debconf information excluded
Bug#831184: mumble: FTBFS with GCC 6
Hello again, Lucas. Thanks for reporting this bug. Sorry for the delay in response: unfortunately the hard disk in my mail server died on Thursday night and since then I've been scrambling to try to recover what data I could and get it back up again after disk replacement. I had a quick look at the bug and the build log, and I think you pointed out the correct section of the log where the compile went awry. I should be able to look more deeply at this on Monday. Meanwhile I'll try to inform upstream about the problem so that they're aware. Thanks. -- Chris
Bug#808901: wheezy-pu: package libssh/0.5.4-1+deb7u1
Package: release.debian.org Severity: normal Tags: wheezy User: release.debian@packages.debian.org Usertags: pu Greetings. I would like to update libssh in Wheezy via a sponsored NMU to fix CVE-2015-3146 and CVE-2015-8132, which are non-DSA security bugs and so would need to be fixed via stable-proposed-updates. I updated libssh in Sid via sponsored NMU for these in Nov 2015. The patches used to fix this came from upstream at: https://www.libssh.org/security/patches/ Thanks. -- Chris -- Chris Knadle chris.kna...@coredump.us diff -Nru libssh-0.5.4/debian/changelog libssh-0.5.4/debian/changelog --- libssh-0.5.4/debian/changelog 2014-03-06 04:47:48.0 -0500 +++ libssh-0.5.4/debian/changelog 2015-12-04 09:31:06.0 -0500 @@ -1,3 +1,17 @@ +libssh (0.5.4-1+deb7u2) wheezy; urgency=medium + + * Non-maintainer upload. + * debian/patches: +- Add 0005-security-fix-for-vulnerability-CVE-2014-8132.patch + Fix "Double free on dangling pointers in initial key exchange packet" + (Closes: #773577, CVE-2014-8132) +- Add 0006-security-fix-for-vulnerability-CVE-2015-3146.patch + Fix "null pointer dereference due to a logical error in the handling of + a SSH_MSG_NEWKEYS and KEXDH_REPLY packets" + (Closes: #784404, CVE-2015-3146) + + -- Christopher Knadle <chris.kna...@coredump.us> Mon, 23 Nov 2015 04:08:05 -0500 + libssh (0.5.4-1+deb7u1) wheezy-security; urgency=high * debian/patches/0004-security-fix-for-vulnerability-CVE-2014-0017.patch: diff -Nru libssh-0.5.4/debian/patches/0005-security-fix-for-vulnerability-CVE-2014-8132.patch libssh-0.5.4/debian/patches/0005-security-fix-for-vulnerability-CVE-2014-8132.patch --- libssh-0.5.4/debian/patches/0005-security-fix-for-vulnerability-CVE-2014-8132.patch 1969-12-31 19:00:00.0 -0500 +++ libssh-0.5.4/debian/patches/0005-security-fix-for-vulnerability-CVE-2014-8132.patch 2015-11-23 08:55:39.0 -0500 @@ -0,0 +1,46 @@ +From f2e14e00ff0afdb7e45a595dc4c5f9e50d413b4d Mon Sep 17 00:00:00 2001 +From: Jon Simons <j...@jonsimons.org> +Date: Sat, 18 Oct 2014 23:23:26 -0700 +Subject: [PATCH] CVE-2014-8132: Fixup error path in ssh_packet_kexinit() + +Before this change, dangling pointers can be unintentionally left in the +respective next_crypto kex methods slots. Ensure to set all slots to +NULL in the error-out path. + +Signed-off-by: Jon Simons <j...@jonsimons.org> +Reviewed-by: Andreas Schneider <a...@cryptomilk.org> + +(cherry picked from commit 2ced24ddd67a261dc364ad4d8958c068c1671ae7) +Signed-off-by: Andreas Schneider <a...@cryptomilk.org> +--- + src/kex.c | 7 ++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/kex.c b/src/kex.c +index dedf286..db35183 100644 +--- a/src/kex.c b/src/kex.c +@@ -286,7 +286,7 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){ + for (i = 0; i < 10; i++) { + str = buffer_get_ssh_string(packet); + if (str == NULL) { +- break; ++ goto error; + } + + if (buffer_add_ssh_string(session->in_hashbuf, str) < 0) { +@@ -333,6 +333,11 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){ + error: + ssh_string_free(str); + for (i = 0; i < 10; i++) { ++if (server_kex) { ++ session->server_kex.methods[i] = NULL; ++} else { ++ session->client_kex.methods[i] = NULL; ++} + SAFE_FREE(strings[i]); + } + +-- +2.2.0 + diff -Nru libssh-0.5.4/debian/patches/0006-security-fix-for-vulnerability-CVE-2015-3146.patch libssh-0.5.4/debian/patches/0006-security-fix-for-vulnerability-CVE-2015-3146.patch --- libssh-0.5.4/debian/patches/0006-security-fix-for-vulnerability-CVE-2015-3146.patch 1969-12-31 19:00:00.0 -0500 +++ libssh-0.5.4/debian/patches/0006-security-fix-for-vulnerability-CVE-2015-3146.patch 2015-11-23 08:55:39.0 -0500 @@ -0,0 +1,98 @@ +From cadc76a8b450f4e2181009c8faa2c4dace9bcc2c Mon Sep 17 00:00:00 2001 +From: Aris Adamantiadis <a...@0xbadc0de.be> +Date: Wed, 15 Apr 2015 16:08:37 +0200 +Subject: [PATCH 1/2] CVE-2015-3146: Fix state validation in packet handlers + +The state validation in the packet handlers for SSH_MSG_NEWKEYS and +SSH_MSG_KEXDH_REPLY had a bug which did not raise an error. + +The issue has been found and reported by Mariusz Ziule. + +Signed-off-by: Aris Adamantiadis <a...@0xbadc0de.be> +Reviewed-by: Andreas Schneider <a...@cryptomilk.org> +--- + src/client.c | 4 ++-- + src/server.c | 1 + + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/client.c b/src/client.c +index 0e50497..6919e7a 100644 +--- a/src/client.c b/src/client.c +@@ -186,7 +186,7 @@ SSH_PACKET_CALLBACK(ssh_packet_dh_reply){ + (void)type; + (void)user; + ssh_log(session,SSH_LOG_PROTOCOL,"Received SSH_KEXDH_REPLY"); +- if(session->session_state!= SSH_SESSION_STATE_DH && ++ if(session->session_state!= SSH_SESSION_STATE_DH || + session->dh_handshake_state
Bug#801597: PIE and stack protection appear missing since update to GCC-5
Source: hardening-wrapper Version: 2.7 Severity: important It appears that the behavior of hardening-wrapper has changed recently, and now PIE and stack protection are missing. mumble got a binNMU for the GCC-5 upgrade relating to library transitions for protobuf and zeroc-ice after which these protections were missing where they had them before the binNMU. Looking at the snapshot: http://snapshot.debian.org/archive/debian/20141110T040546Z/pool/main/m/mumble/mumble_1.2.8-2_amd64.deb mumble_1.2.8-2_amd64 hardening check: Position Independent Executable: yes Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: yes Looking at Sid: http://ftp.us.debian.org/debian/pool/main/m/mumble/mumble_1.2.8-2+b1_amd64.deb mumble_1.2.8-2+b1_amd64 hardening check: Position Independent Executable: no, normal executable! Stack protected: no, not found! Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: yes Reporting this as these are unexpected differences. Also: is hardening-wrapper being deprecated? I ask because lintian is reporting it as such. (See #711193) Thanks. -- Chris Chris Knadle chris.kna...@coredump.us -- System Information: Debian Release: stretch/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'stable'), (500, 'oldstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
Bug#317098: KMail broken, confusing bug
Hello all. After an upgrade a month ago KMail reliably segfalts. [Kaffeine also segfaults upon quitting, or fails to quit and takes up 100% cpu until manually killed.] I found this bug report already open, so I didn't write one at the time. What is confusing me is that all of the KDE-based libraries (with the exception of kdelibs4) and the version of KMail itself are common with the Debian Stable branch -- and yet it is reported that rebuilding the kdepim package seems to fix the problem in the Unstable branch. Is there something wrong with the current binary of the kdepim package in Unstable? Rebuilding the kdepim package requires kdelibs4-dev which cannot be installed due to dependency conflicts with libfam0 and libfam0c102. Also as previously reported, Kontact seems to run just fine and seems to contain all of the functionality that KMail had. I thank the users that mentioned it, as I now have a workaround while I am unable to run KMail. - Chris -- Chris Knadle [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#296503: vegastrike: Vegastrike 0.4.3-1 segfaults on startup
Hey, Mike. On Thursday 03 March 2005 06:48 pm, you wrote: Christopher Knadle wrote: |Let me know what you would like me to test next. |Thanks. Sorry for the delay in getting back to you. No worries. I know these things take time -- don't sweat it. Thank you for your assistance and for letting me help with the issue. I built a version of the main binary with all the debugging symbols which I uploaded here: http://people.debian.org/~mfurr/vs/vegastrike.dbg.bz2 I bzip'd it since it weighs in at a hefty 161Megs! Ahh, okay -- I understand the need to recompile. Thanks for doing that. Please run it in gdb to get a backtrace: $ bzip2 -d vegastrike.dgb.bz2 $ gdb ./vegastrike.gdb (gdb) run The only thing I added other than the above was a 'chmod u+x' on vegastrike.gdb. (gdb) run Starting program: /home/sipper/Desktop/vegastrike.dbg [Thread debugging using libthread_db enabled] [New Thread -1226120512 (LWP 12374)] Vega Strike See http://www.gnu.org/copyleft/gpl.html for license details. GOT SUBDIR ARG = Found data in /usr/share/games/vegastrike Using /usr/share/games/vegastrike as data directory Using .vegastrike.4.x as the home directory Found MODDIR = /usr/share/games/vegastrike/mods USING HOMEDIR : /home/sipper/.vegastrike.4.x As the home directory CONFIGFILE - No config found in home : /home/sipper/.vegastrike.4.x/vegastrike.config CONFIGFILE - No home config file found, using datadir config file : /usr/share/games/vegastrike/vegastrike.config DATADIR - No datadir specified in config file, using ; /usr/share/games/vegastrike SIMULATION_ATOM: 0.06 MISSION_NAME is empty using : explore_universe.mission running import sys print sys.path sys.path = [r/usr/share/games/vegastrike/modules/builtin/,r/usr/share/games/vegastrike/modules/,r/usr/share/games/vegastrike/bases/] ['/usr/lib/python23.zip', '/usr/lib/python2.3', '/usr/lib/python2.3/plat-linux2', '/usr/lib/python2.3/lib-tk', '/usr/lib/python2.3/lib-dynload', '/usr/local/lib/python2.3/site-packages', '/usr/lib/python2.3/site-packages', '/usr/lib/python2.3/site-packages/Numeric', '/usr/lib/python2.3/site-packages/PIL', '/usr/lib/python2.3/site-packages/gtk-2.0', '/usr/lib/python2.3/site-packages/wx-2.5.3-gtk2-unicode', '/usr/lib/site-python'] testing VS randomrunning import sys print sys.path ['/usr/share/games/vegastrike/modules/builtin/', '/usr/share/games/vegastrike/modules/', '/usr/share/games/vegastrike/bases/'] [New Thread -1229141072 (LWP 12377)] vegastrike.dbg: arch/linux/lin_dsp.c:567: native_blitbuffer: Assertion `0' failed. Program received signal SIGABRT, Aborted. [Switching to Thread -1229141072 (LWP 12377)] 0xb79987ab in raise () from /lib/tls/libc.so.6 ... SEGV (gdb) bt (gdb) bt #0 0xb79987ab in raise () from /lib/tls/libc.so.6 #1 0xb7999f12 in abort () from /lib/tls/libc.so.6 #2 0xb799226f in __assert_fail () from /lib/tls/libc.so.6 #3 0xb7cd1695 in native_blitbuffer () from /usr/lib/libopenal.so.0 #4 0xb7cd5d42 in _alcDeviceWrite () from /usr/lib/libopenal.so.0 #5 0xb7cbe146 in async_mixer_iterate () from /usr/lib/libopenal.so.0 #6 0xb7cd44ce in _alFloatMul () from /usr/lib/libopenal.so.0 #7 0xb7ed6b63 in start_thread () from /lib/tls/libpthread.so.0 #8 0xb7a47c4a in clone () from /lib/tls/libc.so.6 One additional note: Although I'm fairly sure it doesn't matter I'm just letting you know that the output above is from the same machine now running a 2.6.11 kernel. [Slightly modified from the 2.6.10 I had been using, mostly to allow setting DMA mode for the DVD drive.] As before the OpenGL programs still work. Thanks again, and I hope this helps. This is interesting, I'm learning some things. :-) - Chris -- Chris Knadle [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#296503: vegastrike: Vegastrike 0.4.3-1 segfaults on startup
Hey, Mike. On Wednesday 23 February 2005 04:18 pm, you wrote: Chris Knadle wrote: NOTE: I was remiss in not submitting a bug report for the _previous_ version of Vegastrike, which also segfaulted on startup on this system. Hmm...that's unfortunate. :-( Let's just say I'm kicking myself for not sending a bug report earlier. 0.3.9 was (I think) working for me and the next upgrade broke. [The confusion I have abot this has to do with whether I switched from 2.4 to 2.6 kernels at that time, so I'm not sure if this issue is actually older than even I think it is. :-/] I vaguely remember having a 2.4 kernel that would work with Vega Strike, but the 2.6 kernel I was using wouldn't. I have to double-check that. I tried loading a stock kernel from the Debian tree this morning to try it, but the nvidia-kernel version for 2.4 doesn't currently have a corresponding 2.4 kernel version to go with it, so I'm going to have to build a 2.4 kernel this evening to see if that works. What kind of graphics card do you have? Which drivers are you using with it? Actually, it's now happened with two different Nvidia graphics cards, since I recently switched it and still have the same issue. [A GeForce 4 MX 440 64MB, and now a GeForce FX 5200 256MB.] I changed the video card only because the GeForce4 MX does not have a vertex shader and I wanted to try a game which needed it (in Windoze). The drivers I'm using are the Nvidia drivers [GLX] from the Debian tree, and building the nvidia-kernel-source drivers for my custom kernel the Debian way. [The main reason for this is that I've been running 2.6 kernels and there aren't kernels built with Nvidia drivers in the Debian tree. A secondary reason is because I like building in ext3 and hardware resources into the kernel to avoid having to use an initrd image for bootup.] Are you able to use other 3D applications? Lots of them. Armagetron, DoomLegacy (OpenGL), Povray, Tuxracer, VariCAD, Blender, all of the OpenGL screensavers, etc. You name it. If there's something specific you'd like me to try to test, just ask. Anyway -- I'm here to help. If you'd like an 'strace', want to see my X11 config, an 'lsmod'... etc. One way or another there should be a way of figuring out what it is specifically that's giving me a reliable segfault. Right now this has the appearance of being an issue with Vega Strike, but you can never tell for sure until the actual root cause is found. I'm going to try building a 2.4 kernel with Nvidia drivers this evening for starters and see how that goes. If there's another direction for testing that you suggest, please let me know. - Chris -- Chris Knadle [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#296503: vegastrike: Vegastrike 0.4.3-1 segfaults on startup
Hey, Mike. Last night I made a 2.4.29 kernel and got it running with OpenGL, and I had exactly the same problem -- Vega Strike segfaulted in exactly the same place. So unfortunately I'm incorrect -- at least on my system this doesn't seem to be a 2.4 vs 2.6 issue. I'll send along the kernel configs should you want them. Let me know what you would like me to test next. Thanks. - Chris -- Chris Knadle [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]