Bug#571005: Way to reproduce

2010-04-13 Thread Hendrik Weimer
Hi,

I've also been hit by this bug. I can perfectly reproduce it by bringing
down the network connection. Killing the sshfs process helps, however,
while the process touching the mount point does not react on a SIGKILL.

Hendrik



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#639916: spread: license wackiness

2011-08-31 Thread Hendrik Weimer
Ken Arromdee  writes:

> Unlike the original BSD 4 clause license this adds "or software that uses
> this software".
>
> If I interpret this broadly (all software that uses this software must
> display the sentence) it's non-free, since it imposes conditions on
> non-derived software that happens to use it.  Even if I interpret it
> narrowly (all advertising materials mentioning software that uses this
> software, must display the sentence) it imposes conditions on advertising
> for non-derived software.

But this does not break unrelated software as the code that uses it has
to be inserted deliberately, making it no longer unrelated. In a way,
this is a stronger restriction than the usual linking arguments pushed
by the FSF, but it's not totally crazy. In some jurisdictions even
copying a program into memory by an exec(3) call is an action for which
you need the permission by the rights holder.

Hendrik






Bug#651662: vlc: missing mailcap entry for Ogg video

2011-12-10 Thread Hendrik Weimer
Package: vlc
Version: 1.1.12-3
Severity: normal
Tags: patch

Hello,

VLC does not add a mailcap entry for video/ogg, making it very
inconvenient to share patent-unencumbered video files. Please see the
attached patch for a fix.

Hendrik

--- debian/vlc.mime.orig	2011-12-10 20:17:14.0 -0500
+++ debian/vlc.mime	2011-12-10 20:24:59.0 -0500
@@ -31,6 +31,9 @@
 video/quicktime; vlc %s; description="Apple Quicktime Video"; test=test -n "$DISPLAY"; priority=4
 video/quicktime; vlc -I rc -V caca %s; needsterminal; description="Apple Quicktime Video"; priority=3
 
+video/ogg; vlc %s; description="Ogg Video"; test=test -n "$DISPLAY"; priority=4
+video/quicktime; vlc -I rc -V caca %s; needsterminal; description="Ogg Video"; priority=3
+
 application/ogg; vlc %s; nametemplate=%s.ogg; description="Ogg stream"; test=test -n "$DISPLAY"; priority=4
 application/ogg; vlc -I rc -V caca %s; nametemplate=%s.ogg; needsterminal; description="Ogg stream"; priority=3
 application/x-ogg; vlc %s; nametemplate=%s.ogg; description="Ogg stream"; test=test -n "$DISPLAY"; priority=4
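Review bot: the second added line still names `video/quicktime` as its MIME type while its description says "Ogg Video", so it registers a third Quicktime handler instead of the terminal (caca) fallback for Ogg video; it should begin with `video/ogg;`, i.e. `video/ogg; vlc -I rc -V caca %s; needsterminal; description="Ogg Video"; priority=3`. The application/ogg entries directly below also carry `nametemplate=%s.ogg`; if VLC needs an extension hint for the new entries as well, `%s.ogv` is the registered extension for video/ogg.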


Bug#503128: Improve LAPACK support

2008-10-22 Thread Hendrik Weimer
Package: maxima-share
Version: 5.16.3-1
Severity: wishlist

Currently, the LAPACK integration in Maxima is far from optimal. First
of all, one has to run load(lapack) once as root as the first call
starts a compilation of the libs and requires write access to files in
/usr/share. Second, this requires gcl to be installed, which is not
mentioned anywhere. And third, the process creates
architecture-dependent files under /usr/share, a clear violation of
FHS [1]. See [2] for a discussion of these issues on the Maxima
mailing list.

I guess the proper way would be to create the LAPACK libs at
build-time and include them in the maxima-share package for
installation under /usr/lib. If you can point me in the right
direction, I probably could come up with a patch myself.

[1] http://www.pathname.com/fhs/pub/fhs-2.3.html#PURPOSE26
[2] http://www.math.utexas.edu/pipermail/maxima/2007/006494.html






Bug#514271: New upstream version available

2009-02-05 Thread Hendrik Weimer
Package: libquantum
Version: 0.2.4-2
Severity: wishlist

Hi,

first of all thanks a lot for your efforts in packaging libquantum. I
just received a request from a user for updated Debian packages, which
I would hereby like to pass onto you. The latest version of libquantum
(1.1.0) can be found at
http://www.libquantum.de/files/libquantum-1.1.0.tar.gz.

Best regards,

Hendrik (your most friendly upstream developer)






Bug#500589: Present in 2.6.28 as well

2009-03-08 Thread Hendrik Weimer
Hi,

I have the same issue here on a Dell Inspiron 1525, using 2.6.28-1
from sid. Output of alsa-info.sh is at
http://www.alsa-project.org/db/?f=0c23c8209d5d4ebccbccd6b4a8048ba3f38a1903

HTH,
Hendrik






Bug#423503: Liberation Font License revisited

2008-04-26 Thread Hendrik Weimer
Hello,

I've spent some time on the Liberation font license mess [1], here are
my results. Red Hat's Tom Callaway (who is responsible for dealing
with such licensing issues) stated that according to the FSF the
license was "free but GPL-incompatible" [2]. I contacted the FSF to
further clarify on the alleged contradiction in the terms. The reply I
got says that the FSF considers this to be a valid license:

'We believe it would have been far clearer if Red Hat had created,
say, the "Liberation Font License" with their extra conditions.
However, since they are the copyright holders, they are within their
rights to do it the way they did.'

This should make this license acceptable for Debian, right?

Best regards,

Hendrik Weimer

[1] http://www.mail-archive.com/[EMAIL PROTECTED]/msg36584.html
[2] https://bugzilla.redhat.com/show_bug.cgi?id=253774#c7

-- 
*** OS Reviews: Free and Open Source Software for GNU/Linux and more ***
*** http://www.osreviews.net/        ***
*** OS Reviews * Hendrik Weimer  Phone: +49-711-81041666 ***
*** Tiroler Str. 70 * 70329 Stuttgart * GERMANY  [EMAIL PROTECTED]  ***






Bug#478789: Possible fix

2008-11-24 Thread Hendrik Weimer
Hi,

I just grabbed the 0.5.0 tarball, removed the bin/ and music/
directories, and compressed it again with lzma. Result: a 255 MB
archive. For comparison, nexuiz-data is 323 MB, so this shouldn't be a
problem.

HTH,
Hendrik






Bug#778896: [amd64] Please enable CONFIG_ACPI_I2C_OPREGION

2015-02-21 Thread Hendrik Weimer
Package: src:linux
Version: 3.19-1~exp1

The config flag CONFIG_ACPI_I2C_OPREGION is needed for battery status on
various Bay Trail notebooks [1]. It depends on CONFIG_I2C=y, while the
Debian package has it set to "m".

Hendrik

[1] .





Bug#795908: Missing hashes for firmware-8.1.0-amd64-i386-netinst.iso

2015-08-17 Thread Hendrik Weimer
Package: cdimage.debian.org
Tags: security

Dear Maintainers,

the directory
http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/8.1.0/multi-arch/iso-cd/
contains a multiarch installation image including non-free firmware
(firmware-8.1.0-amd64-i386-netinst.iso), but no accompanying
hashes. This makes it impossible to verify the image.

Hendrik



Bug#772578: Missing keyboard modules i2c_designware_*

2015-08-22 Thread Hendrik Weimer
Steve McIntyre  writes:

> We'll need to make sure that the same set of modules are included in
> the initramfs generated on the installed system, of course...

This doesn't seem to be the case. I just did a fresh install of Debian
8.1 on an Asus X205TA, and the resulting initramfs didn't contain the
required modules. The installer was working fine.

Hendrik



Bug#860375: wmaker: Cannot start multiple terminal instances

2017-04-15 Thread Hendrik Weimer
Package: wmaker
Version: 0.95.7-8

After updating the wmaker package from 0.95.2-1, I can no longer start
multiple xterms from the same appicon on the dock. I'm using the
configuration described in the Window Maker FAQ at
. Other terminal emulators have the
same issue. As a workaround, I can select "Launch" from the title bar of
the xterm window to start another terminal instance.

Hendrik



Bug#773835: Please enable modules for RT5640 sound devices

2014-12-23 Thread Hendrik Weimer
Package: linux-image-3.16.0-4-amd64
Version: 3.16.7-2

I have an Asus X205TA (Intel Atom Z3735F) Bay Trail notebook and its
on-board sound device is not detected. Apparently, it uses a Realtek
RT5640 chip, but the relevant kernel modules (snd-soc-sst-baytrail-pcm,
snd-soc-sst-byt-rt5640-mach, etc.) are not being built.

Hendrik





Bug#359138: firefox: Firefox crashes on http://en.wikipedia.org/wiki/Dash

2006-03-26 Thread Hendrik Weimer
Package: firefox
Version: 1.5.dfsg+1.5.0.1-4
Severity: important


Trying to access http://en.wikipedia.org/wiki/Dash always brings up a
segfault. 

gdb output, however the address is different each time:
[Thread -1252717648 (LWP 6282) exited]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1221876032 (LWP 6267)]
0xb7a1cdbb in FcFreeTypeCharIndex () from /usr/lib/libfontconfig.so.1

Backtrace is useless since return addresses get overwritten.

Strace says:
6707  <... read resumed> 
"GIF89a\16\0\20\0\263\0\0\0\0\0\200\0\0\0\200\0\200\200"..., 4096) = 165
6681  <... gettimeofday resumed> {1143399437, 548154}, NULL) = 0
6707  read(48,  
6681  write(6, "\372", 1 
6707  <... read resumed> "", 3931)  = 0
6681  <... write resumed> ) = 1
6707  futex(0x8baea24, FUTEX_WAIT, 2, NULL 
6681  futex(0x8baea24, FUTEX_WAKE, 1 
6707  <... futex resumed> ) = -1 EAGAIN (Resource temporarily 
unavailable)
6681  <... futex resumed> ) = 0
6681  write(3, "\1\30\r\0\326\5\240\1\267\4\240\1\0\0\0\0\1\0\1\0\0\0\1"..., 
240) = 240
6681  ioctl(3, FIONREAD, [128]) = 0
6681  read(3, "\26\0\3661\327\5\240\1\327\5\240\1\0\0\0\0\0\0\0\0008\3"..., 
128) = 128
6681  poll([{fd=3, events=POLLIN}, {fd=9, events=POLLIN}, {fd=13, 
events=POLLIN|POLLPRI}, {fd=15, events=POLLIN|POLLPRI}, {fd=16, event
s=POLLIN|POLLPRI}, {fd=17, events=POLLIN|POLLPRI}], 6, 0) = 0
6681  poll([{fd=3, events=POLLIN}, {fd=9, events=POLLIN}, {fd=13, 
events=POLLIN|POLLPRI}, {fd=15, events=POLLIN|POLLPRI}, {fd=16, event
s=POLLIN|POLLPRI}, {fd=17, events=POLLIN|POLLPRI}], 6, 0) = 0
6681  ioctl(3, FIONREAD, [0])   = 0
6681  poll([{fd=3, events=POLLIN}, {fd=9, events=POLLIN}, {fd=13, 
events=POLLIN|POLLPRI}, {fd=15, events=POLLIN|POLLPRI}, {fd=16, event
s=POLLIN|POLLPRI}, {fd=17, events=POLLIN|POLLPRI}], 6, 0) = 0
6681  ioctl(3, FIONREAD, [0])   = 0
6681  poll([{fd=3, events=POLLIN}, {fd=9, events=POLLIN}, {fd=13, 
events=POLLIN|POLLPRI}, {fd=15, events=POLLIN|POLLPRI}, {fd=16, event
s=POLLIN|POLLPRI}, {fd=17, events=POLLIN|POLLPRI}, {fd=5, events=POLLIN, 
revents=POLLIN}], 7, -1) = 1
6681  gettimeofday({1143399437, 549719}, NULL) = 0
6681  open("/var/lib/defoma/fontconfig.d/B/Bitstream-Vera-Sans-Oblique.ttf", 
O_RDONLY 
6707  futex(0x8baea24, FUTEX_WAKE, 1 
6681  <... open resumed> )  = 47
6707  <... futex resumed> ) = 0
6681  fcntl64(47, F_SETFD, FD_CLOEXEC 
6707  close(48 
6681  <... fcntl64 resumed> )   = 0
6707  <... close resumed> ) = 0
6681  fstat64(47,  
6707  gettimeofday( 
6681  <... fstat64 resumed> {st_mode=S_IFREG|0644, st_size=63684, ...}) = 0
6707  <... gettimeofday resumed> {1143399437, 558851}, NULL) = 0
6681  mmap2(NULL, 63684, PROT_READ, MAP_PRIVATE, 47, 0 
6707  gettimeofday( 
6681  <... mmap2 resumed> ) = 0xb552d000
6707  <... gettimeofday resumed> {1143399437, 558925}, NULL) = 0
6681  close(47 
6707  clock_gettime(CLOCK_REALTIME,  
6681  <... close resumed> ) = 0
6707  <... clock_gettime resumed> {1143399437, 558968000}) = 0
6707  futex(0x8c69718, FUTEX_WAIT, 47, {59, 57000} 
6681  
open("/var/lib/defoma/fontconfig.d/B/Bitstream-Vera-Sans-Bold-Oblique.ttf", 
O_RDONLY) = 47
6681  fcntl64(47, F_SETFD, FD_CLOEXEC)  = 0
6681  fstat64(47, {st_mode=S_IFREG|0644, st_size=63208, ...}) = 0
6681  mmap2(NULL, 63208, PROT_READ, MAP_PRIVATE, 47, 0) = 0xb551d000
6681  close(47) = 0
6681  brk(0x948f000)= 0x948f000
6681  brk(0x948d000)= 0x948d000
6681  open("/var/lib/defoma/fontconfig.d/B/Bitstream-Vera-Sans-Bold.ttf", 
O_RDONLY) = 47
6681  fcntl64(47, F_SETFD, FD_CLOEXEC)  = 0
6681  fstat64(47, {st_mode=S_IFREG|0644, st_size=58716, ...}) = 0
6681  mmap2(NULL, 58716, PROT_READ, MAP_PRIVATE, 47, 0) = 0xb550e000
6681  close(47) = 0
6681  brk(0x94ae000)= 0x94ae000
6681  open("/var/lib/defoma/fontconfig.d/F/FreeSans-Medium.ttf", O_RDONLY) = 47
6681  fcntl64(47, F_SETFD, FD_CLOEXEC)  = 0
6681  fstat64(47, {st_mode=S_IFREG|0644, st_size=477820, ...}) = 0
6681  mmap2(NULL, 477820, PROT_READ, MAP_PRIVATE, 47, 0) = 0xb438b000
6681  close(47) = 0
6681  brk(0x94cf000)= 0x94cf000
6681  brk(0x94f3000)= 0x94f3000
6681  open("/var/lib/defoma/fontconfig.d/D/DejaVu-Sans-Bold.ttf", O_RDONLY) = 47
6681  fcntl64(47, F_SETFD, FD_CLOEXEC)  = 0
6681  fstat64(47, {st_mode=S_IFREG|0644, st_size=125188, ...}) = 0
6681  mmap2(NULL, 125188, PROT_READ, MAP_PRIVATE, 47, 0) = 0xb436c000
6681  close(47) = 0
6681  brk(0x9514000)= 0x9514000
6681  brk(0x9535000)= 0x9535000
6681  brk(0x9565000)= 0x9565000
6681  open("/usr/share/fonts/truetype/ttf-dejavu/DejaVuSansMono.ttf", O_RDONLY) 
= 47
6681  fcntl64(47, F_SETFD, FD_CLOEXEC)  = 0
6681  fstat64(47, {st_mode=S_IFREG|0644, st_size=94156, ...}

Bug#360559: Remote root exploit against connected clients

2006-04-03 Thread Hendrik Weimer
Package: openvpn
Version: 2.0.5-1
Severity: important
Tags: security

As described in http://www.osreviews.net/reviews/security/openvpn
OpenVPN contains a security hole that allows a malicious VPN server to
take over connected clients.

OpenVPN allows pushing environment variables to a client via 'push
setenv ...'. Using LD_PRELOAD it is possible to run arbitrary code as
root. The only prerequisite is that the attacker needs to control a
file on the victim's computer, e.g. by returning a specially crafted
document upon web access.

A possible solution would be to prefix all pushed environment
variables with something like 'OPENVPN_'.


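The client-side filter below is an added example, not OpenVPN's code, and models the fix proposed in the report: every server-pushed `setenv` name is validated and namespaced under `OPENVPN_`, so a pushed `LD_PRELOAD` becomes `OPENVPN_LD_PRELOAD`, which the dynamic loader ignores. (Later OpenVPN releases added `--setenv-safe`, which applies exactly this prefix to pushable variables.) The pushed option lines are constructed for the demonstration; `unsafe_apply` shows the reported behaviour next to the hardened `safe_apply`.

```python
"""Client-side filter for server-pushed 'setenv' options, modelling the
fix proposed in the report (namespace every pushed name). Added example,
not OpenVPN's code. The pushed option lines are constructed."""
import re

# Constructed sample of what a malicious server could push to a client.
PUSHED_OPTIONS = [
    "setenv LD_PRELOAD /tmp/evil.so",       # loader hook: runs as the client's uid (root)
    "setenv PATH /tmp/bin",                 # hijacks helpers run by up/down scripts
    "setenv CLIENT_REGION eu central",      # benign value containing a space
    "setenv BAD=NAME 1",                    # malformed name
    "route 10.8.0.0 255.255.255.0",         # not a setenv option; untouched here
]

SAFE_PREFIX = "OPENVPN_"
NAME_RE = re.compile(r"\A[A-Za-z_][A-Za-z0-9_]*\Z")

def parse_setenv(line):
    """Return (name, value) for a 'setenv NAME VALUE' line, else None.
    The value is everything after the name, spaces included."""
    parts = line.strip().split(None, 2)
    if len(parts) != 3 or parts[0] != "setenv":
        return None
    return parts[1], parts[2]

def unsafe_apply(lines, env=None):
    """The reported behaviour: pushed names land in the environment
    verbatim, so LD_PRELOAD reaches the dynamic loader of every helper
    the client executes."""
    env = dict(env or {})
    for line in lines:
        parsed = parse_setenv(line)
        if parsed is not None:
            env[parsed[0]] = parsed[1]
    return env

def safe_apply(lines, env=None, prefix=SAFE_PREFIX):
    """Accept only well-formed names and namespace them under `prefix`,
    so a pushed name can never collide with a loader- or shell-
    significant variable. Control characters in values are rejected as
    an extra precaution (assumption: scripts never need them).
    Returns (env, rejected_lines)."""
    env = dict(env or {})
    rejected = []
    for line in lines:
        parsed = parse_setenv(line)
        if parsed is None:
            continue                      # some other option; not our concern here
        name, value = parsed
        if not NAME_RE.match(name) or any(ord(ch) < 0x20 for ch in value):
            rejected.append(line)
            continue
        env[prefix + name] = value
    return env, rejected

if __name__ == "__main__":
    print("unsafe:", unsafe_apply(PUSHED_OPTIONS))
    print("safe:  ", safe_apply(PUSHED_OPTIONS))
```

The prefix is the whole defence: no denylist of "dangerous" names is needed, because nothing the server can push can ever produce an unprefixed variable, and scripts that want a pushed value read it under its `OPENVPN_` name.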



Bug#360560: Timing attacks using OProfile

2006-04-03 Thread Hendrik Weimer
Package: oprofile
Version: 0.9.1-9
Tags: security

As described in http://www.osreviews.net/reviews/devel/oprofile
OProfile allows unprivileged users to profile all code on a
system. This makes cryptographic services vulnerable to timing attacks
(e.g. compromise of secret keys).





Bug#360560: Timing attacks using OProfile

2006-04-03 Thread Hendrik Weimer
Al Stone <[EMAIL PROTECTED]> writes:

> I could be completely wrong.  Would it be possible for you to
> send me a demonstration of this scenario?

Suppose a server performs password checking by

strncmp(user_supplied_password, password_stored_in_database, size).

Now strncmp does its comparison by subsequently comparing parts of the
two strings. Since OProfile allows profiling other users' processes a
local attacker can see after how many parts the two strings differ. He
knows which parts of his entered string are correct and therefore can
greatly reduce the key space.

Even though this example is a bit far-fetched, I think you'll get the
idea. Real world attacks would probably be directed at cryptographic
keys, e.g. in the spirit of [1].

Probably the best solution would be to restrict reading
/var/lib/oprofile/samples/current/{$USER}/ to $USER.

Hendrik

[1] http://www.cs.cmu.edu/~dbrumley/pubs/openssltiming.pdf


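The following is an added example, not OProfile code or anything from the bug thread, that carries the strncmp scenario above through to a working attack. A `Profile` counter stands in for the per-process sample counts a system-wide profiler would expose; `early_exit_equal` is the strncmp-style comparison, `recover` is the local attacker's loop that keeps, for each position, the one candidate byte whose comparison ran one step further, and `constant_time_equal` shows that the same loop learns nothing once the comparison touches every byte. The secret and alphabet are constructed.

```python
"""Early-exit string comparison as a profiling oracle, modelled on the
strncmp example in the bug thread. Added example; not OProfile code.
The secret and the profile counter are constructed stand-ins."""
import hmac

SECRET = b"s3cr3t!"                   # constructed stand-in for the stored password
ALPHABET = bytes(range(0x20, 0x7f))   # printable ASCII candidates per position
PAD = b"\x00"                         # filler that never matches a printable byte

class Profile:
    """Stand-in for what a system-wide profiler exposes about another
    user's process: how many iterations of the comparison loop ran."""
    def __init__(self):
        self.steps = 0

def early_exit_equal(guess, secret, prof):
    """strncmp-style: returns at the first differing byte, so the loop
    count equals the length of the matching prefix plus one."""
    for i in range(min(len(guess), len(secret))):
        prof.steps += 1
        if guess[i] != secret[i]:
            return False
    return len(guess) == len(secret)

def constant_time_equal(guess, secret, prof):
    """Touches every byte regardless of where they differ; the loop
    count carries no information about the secret."""
    if len(guess) != len(secret):
        return False
    diff = 0
    for a, b in zip(guess, secret):
        prof.steps += 1
        diff |= a ^ b
    return diff == 0

def production_equal(guess, secret):
    """What real code should call instead of strncmp for secrets."""
    return hmac.compare_digest(guess, secret)

def recover(oracle, length):
    """Local attacker's loop: for each position try every candidate byte
    and keep the one whose comparison ran one step further (or, for the
    last byte, simply succeeded). Returns (secret_or_None, queries)."""
    known = b""
    queries = 0
    for pos in range(length):
        survivors = []
        for c in ALPHABET:
            guess = known + bytes([c]) + PAD * (length - pos - 1)
            prof = Profile()
            ok = oracle(guess, prof)
            queries += 1
            if ok or (pos < length - 1 and prof.steps > pos + 1):
                survivors.append(c)
        if len(survivors) != 1:
            return None, queries       # the counter did not single out a byte
        known += bytes(survivors)
    return known, queries

if __name__ == "__main__":
    leaky = lambda g, p: early_exit_equal(g, SECRET, p)
    safe = lambda g, p: constant_time_equal(g, SECRET, p)
    print("early-exit compare:", recover(leaky, len(SECRET)))
    print("constant-time compare:", recover(safe, len(SECRET)))
```

Against the early-exit comparison the search is linear in the length (at most 95 queries per byte here) instead of exponential; against the constant-time version every candidate looks identical and `recover` gives up at the first position.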



Bug#692728: Possible GPL violation: Geogebra

2014-01-28 Thread Hendrik Weimer
Sylvestre Ledru  writes:

> From its last few releases, geogebra is released under GPL with a non
> commercial clause.
>
> Besides the fact that it seems invalid, it also ships Jlatexmath (which I
> co-maintain) which is published under the GPL v2.

If the program is a derived work of both the GPLed source code and the
CC-BY-SAed language files, the resulting work has already been
non-distributable before because the two licenses are incompatible. The
new NC clause and the vague statements on the website only add insult to
injury.

You should contact Jlatexmath upstream to check whether they gave an
exemption to geogebra. If not, they might want to apply some pressure.

Hendrik





Bug#692728: Possible GPL violation: Geogebra

2014-01-29 Thread Hendrik Weimer
Bruce Perens  writes:

> Internationalization files are derivative works if they
> internationalize strings that were created by someone else. And if
> those strings were part of an original GPL work there is potentially a
> license violation. But if they were created by the same author as the
> GPL program they are not derivative of anything. It's also going to be
> difficult to argue convincingly to a court that they must be under a
> license that is compatible with the rest of the program, they are
> arguably input to the program.

I'm not so sure about the last part as it heavily depends on the
particular implementation. For gettext-style translations you are
probably right, as you can remove the translation files and still have a
working program. If *all* languages are equally stored in a separate
file, then removing this file will stop the program from working. So the
question is: How is this one in Geogebra?

Anyway, the potentially infringing copy has been created by an Austrian
organization and is hosted in Germany; U.S. case law is probably not
too relevant here.

Hendrik





Bug#692728: Possible GPL violation: Geogebra

2014-01-29 Thread Hendrik Weimer
Bruce Perens  writes:

> On 01/29/2014 09:57 AM, Hendrik Weimer wrote:
>> If *all* languages are equally stored in a separate file, then
>> removing this file will stop the program from working.
> Another file could be substituted for it, one created using a
> clean-room process so that we are certain it's not derivative, and the
> program would again operate and emit proper messages. So, we can't
> really use the fact that removing the file breaks the program to prove
> that all such files must be derivative of the program.

Oh, I think we're both talking about two different issues here. I'm not
saying that language files are always a derivative of the source code of
the program. Rather, I'm saying that the final product that is being
distributed is a derivative of both the source code *and* the actual
language file that is included in the distribution.

So, assuming the source code is GPLed, it's fine to distribute a product
based on the source code and a GPL-compatible language file (say, BSD-3)
because the product as a whole can be distributed under the
GPL. However, if the language file carries a GPL-incompatible license
(such as CC-BY-SA), the resulting product cannot be distributed in a
legal way.

Hendrik





Bug#748321: ITP: raceintospace -- free software version of the Liftoff! board game

2014-09-13 Thread Hendrik Weimer
 it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include "physfscompat.h"
+#include "utils.h"
+#include "logging.h"
+
+#ifdef _PHYSFS_COMPAT
+
+LOG_DEFAULT_CATEGORY(filesys)
+
+PHYSFS_DECL int PHYSFS_stat(const char *fname, PHYSFS_Stat *stat)
+{
+PHYSFS_File * handle;
+
+if (PHYSFS_exists(fname))
+{
+handle = PHYSFS_openRead(fname);
+if (handle)
+{
+stat->filesize = PHYSFS_fileLength(handle);
+PHYSFS_close(handle);
+handle = 0;
+}
+else
+stat->filesize = -1;
+
+stat->modtime = PHYSFS_getLastModTime(fname);
+stat->createtime = -1;
+stat->accesstime = -1;
+
+if (PHYSFS_isSymbolicLink(fname))
+stat->filetype = PHYSFS_FILETYPE_SYMLINK;
+else if (PHYSFS_isDirectory(fname))
+stat->filetype = PHYSFS_FILETYPE_DIRECTORY;
+else stat->filetype = PHYSFS_FILETYPE_REGULAR;
+
+stat->readonly = 0; /* not supported */
+
+/* success */
+return 1;
+}
+
+/* does not exist, can't stat */
+return 0;
+}
+
+PHYSFS_DECL PHYSFS_sint64 PHYSFS_readBytes(PHYSFS_File *handle, void *buffer,
+   PHYSFS_uint64 len)
+{
+return PHYSFS_read(handle, buffer, 1, len);
+}
+
+
+PHYSFS_DECL PHYSFS_sint64 PHYSFS_writeBytes(PHYSFS_File *handle,
+const void *buffer,
+PHYSFS_uint64 len)
+{
+return PHYSFS_write(handle, buffer, 1, len);
+}
+
+/* Compatibility wrapper around PHYSFS_getPrefDir, essentially a backport
+   from PhysFS upstream, with minor modifications by Hendrik Weimer
+   . The PhysFS license text is reproduced below.
+
+   Copyright (c) 2001-2011 Ryan C. Gordon and others.
+
+   This software is provided 'as-is', without any express or implied warranty.
+   In no event will the authors be held liable for any damages arising from
+   the use of this software.
+
+   Permission is granted to anyone to use this software for any purpose,
+   including commercial applications, and to alter it and redistribute it
+   freely, subject to the following restrictions:
+
+   1. The origin of this software must not be misrepresented; you must not
+   claim that you wrote the original software. If you use this software in a
+   product, an acknowledgment in the product documentation would be
+   appreciated but is not required.
+
+   2. Altered source versions must be plainly marked as such, and must not be
+   misrepresented as being the original software.
+
+   3. This notice may not be removed or altered from any source distribution.
+
+   Ryan C. Gordon 
+*/
+   
+PHYSFS_DECL const char *PHYSFS_getPrefDir(const char *org, const char *app)
+{
+const char *envr = getenv("XDG_DATA_HOME");
+const char *append = "/";
+char *retval = NULL;
+size_t len = 0;
+struct stat st;
+
+if (!envr)
+{
+/* You end up with "$HOME/.local/share/Game Name 2" */
+envr = getenv("HOME"); 
+append = "/.local/share/";
+} /* if */
+
+if(!envr)
+{
+CRITICAL1("could not find preferences directory");
+exit(EXIT_FAILURE);
+}
+
+len = strlen(envr) + strlen(append) + strlen(app) + 2;
+retval = (char *) xmalloc(len);
+snprintf(retval, len, "%s%s%s/", envr, append, app);
+
+if(stat(retval, &st) && (errno == ENOENT))
+mkdir(retval, 0755);
+
+return retval;
+
+}
+
+#endif /* _PHYSFS_COMPAT */
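Review bot: in PHYSFS_getPrefDir the result of `mkdir(retval, 0755)` is ignored and only the leaf directory is created, so on a fresh account where `$HOME/.local/share` does not exist yet the call fails with ENOENT and the function still returns a path that does not exist; check the return value and create the intermediate component, or fail the way the CRITICAL1 branch above does. Errors from `stat` other than ENOENT are likewise swallowed, the `org` parameter is never used, and every call allocates a new buffer that callers will not free because upstream's PHYSFS_getPrefDir returns memory owned by PhysFS; caching the result in a static would match that contract. Separately, PHYSFS_readBytes and PHYSFS_writeBytes pass the 64-bit `len` as the `objCount` argument of PHYSFS_read/PHYSFS_write, which is PHYSFS_uint32 in PhysFS 2.0, so lengths above 4 GiB are silently truncated; clamp or loop over 32-bit chunks.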
diff -ruN -x .git -x .pc raceintospace.orig/src/game/physfscompat.h raceintospace/src/game/physfscompat.h
--- raceintospace.orig/src/game/physfscompat.h	1970-01-01 01:00:00.0 +0100
+++ raceintospace/src/game/physfscompat.h	2014-09-13 13:51:04.280079729 +0200
@@ -0,0 +1,73 @@
+/*
+ * PhysFS compatibility layer from Hedgewars, a free turn based strategy game
+ * Copyright (c) 2004-2014 Andrey Korotaev 
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License
+ *
+ * This program 

Bug#761636: RFS: raceintospace/1.1+dfsg1-1 [ITP]

2014-09-19 Thread Hendrik Weimer
Dariusz Dwornikowski  writes:

> I also filled d/copyright completely and now it works with physfs 2.0,
> which is in Debian.

The copyright file does not contain the correct information on the
physfscompat patch. Modulo the license texts, it should read:

Files: debian/patches/physfscompat.patch
Copyright: 2004-2014 Andrey Korotaev 
   2001-2011 Ryan C. Gordon and others
   2014 Hendrik Weimer 
License: GPL-2 and Zlib

Yes, that's GPL-2 and not GPL-2+ here.

Hendrik





Bug#696436: Upstream patch

2013-05-09 Thread Hendrik Weimer
Tags: patch

This appears to be upstream bug #944077, reported at
. A patch for 0.48 can
be found at
.

Hendrik





Bug#767273: context-gnuplot: missing metapost file

2014-10-29 Thread Hendrik Weimer
Package: context-modules
Version: 20140528-1

The file metapost/context/third/gnuplot/mp-gnuplot.mp is present in the
source package but does not get installed to /usr/share/texmf, making
the gnuplot module unusable. It looks like this file used to be provided
by the context package, but this seems no longer to be the case.

Hendrik





Bug#772578: Missing keyboard modules i2c_designware_*

2014-12-08 Thread Hendrik Weimer
Package: initramfs-tools
Version: 0.116

I just got an ASUS X205TA notebook, which requires the
i2c_designware_core and i2c_designware_platform modules to be loaded for
the keyboard to work. The module gets correctly loaded when booting up,
but it's not present in the initramfs. As a result, I had to attach an
USB keyboard when being asked for the passphrase to unlock my root
partition. Adding the two modules to /etc/initramfs-tools/modules solves
the problem.

This also affects the jessie netinst image, requiring a spare USB
keyboard during installation. Shall I file a separate bug for this?





Bug#772581: grub-install: Does not work on mixed mode EFI systems

2014-12-08 Thread Hendrik Weimer
Package: grub-efi-ia32
Version: 2.02-beta2-15

I just got an ASUS X205TA notebook, which has a Bay Trail 64-bit CPU and
requires a 32-bit UEFI (no BIOS legacy mode). After installation, I
tried to get a bootable system via "grub-install --target i386-efi":

| Installing for i386-efi platform.
| 
| EFI variables are not supported on this system.
| 
| 
| EFI variables are not supported on this system.
| 
| Installation finished. No error reported.

This creates two files in the "EFI/debian" directory of the EFI system
partition, but booting any of them manually from an EFI shell only
results in a blank screen.

Output of "dmesg | grep -i EFI":

| [0.00] efi: EFI v2.31 by American Megatrends
| [0.00] efi:  ACPI=0x7bf77000  ACPI 2.0=0x7bf77014  SMBIOS=0x7c928190 
| [0.00] efi: No EFI runtime due to 32/64-bit mismatch with kernel
| [0.00] efi: mem00: type=7, attr=0xf, 
range=[0x-0x0008f000) (0MB)
| [0.00] efi: mem01: type=10, attr=0xf, 
range=[0x0008f000-0x0009) (0MB)
| [0.00] efi: mem02: type=7, attr=0xf, 
range=[0x0009-0x0009e000) (0MB)
| [0.00] efi: mem03: type=0, attr=0xf, 
range=[0x0009e000-0x000a) (0MB)
| [0.00] efi: mem04: type=2, attr=0xf, 
range=[0x0010-0x01015000) (15MB)
| [0.00] efi: mem05: type=7, attr=0xf, 
range=[0x01015000-0x0120) (1MB)
| [0.00] efi: mem06: type=2, attr=0xf, 
range=[0x0120-0x02115000) (15MB)
| [0.00] efi: mem07: type=7, attr=0xf, 
range=[0x02115000-0x2000) (478MB)
| [0.00] efi: mem08: type=0, attr=0xf, 
range=[0x2000-0x2020) (2MB)
| [0.00] efi: mem09: type=7, attr=0xf, 
range=[0x2020-0x36256000) (352MB)
| [0.00] efi: mem10: type=2, attr=0xf, 
range=[0x36256000-0x37123000) (14MB)
| [0.00] efi: mem11: type=7, attr=0xf, 
range=[0x37123000-0x5a6b6000) (565MB)
| [0.00] efi: mem12: type=2, attr=0xf, 
range=[0x5a6b6000-0x78c0) (485MB)
| [0.00] efi: mem13: type=4, attr=0xf, 
range=[0x78c0-0x78c2) (0MB)
| [0.00] efi: mem14: type=7, attr=0xf, 
range=[0x78c2-0x79449000) (8MB)
| [0.00] efi: mem15: type=1, attr=0xf, 
range=[0x79449000-0x794eb000) (0MB)
| [0.00] efi: mem16: type=4, attr=0xf, 
range=[0x794eb000-0x7b914000) (36MB)
| [0.00] efi: mem17: type=7, attr=0xf, 
range=[0x7b914000-0x7bd11000) (3MB)
| [0.00] efi: mem18: type=2, attr=0xf, 
range=[0x7bd11000-0x7bd1b000) (0MB)
| [0.00] efi: mem19: type=3, attr=0xf, 
range=[0x7bd1b000-0x7bf14000) (1MB)
| [0.00] efi: mem20: type=0, attr=0xf, 
range=[0x7bf14000-0x7bf44000) (0MB)
| [0.00] efi: mem21: type=9, attr=0xf, 
range=[0x7bf44000-0x7bf78000) (0MB)
| [0.00] efi: mem22: type=10, attr=0xf, 
range=[0x7bf78000-0x7c041000) (0MB)
| [0.00] efi: mem23: type=6, attr=0x800f, 
range=[0x7c041000-0x7c929000) (8MB)
| [0.00] efi: mem24: type=5, attr=0x800f, 
range=[0x7c929000-0x7c985000) (0MB)
| [0.00] efi: mem25: type=4, attr=0xf, 
range=[0x7c985000-0x7cbf6000) (2MB)
| [0.00] efi: mem26: type=2, attr=0xf, 
range=[0x7cbf6000-0x7cbf7000) (0MB)
| [0.00] efi: mem27: type=4, attr=0xf, 
range=[0x7cbf7000-0x7cc0) (0MB)
| [0.00] efi: mem28: type=11, attr=0x8001, 
range=[0xe00f8000-0xe00f9000) (0MB)
| [0.00] efi: mem29: type=11, attr=0x8001, 
range=[0xfed01000-0xfed02000) (0MB)
| [0.00] efi: mem30: type=11, attr=0x8001, 
range=[0xfed08000-0xfed09000) (0MB)
| [0.00] efi: mem31: type=11, attr=0x8001, 
range=[0xffb0-0x0001) (5MB)
| [0.00] ACPI: UEFI 0x7BFF4000 42 (v01 _ASUS_ Notebook 
  )
| [0.00] efi: efi: Setup done, disabling due to 32/64-bit mismatch
| [0.442486] Switched to clocksource refined-jiffies

I've managed to get a bootable system by creating an EFI image by hand,
using the instructions provided in [1] (but using grub-mkimage from sid)
and copying grub.cfg, the kernel image and the initrd to the EFI
partition.

[1] 






Bug#374609: usermin-chfn: Root Shell Denial of Service

2006-06-20 Thread Hendrik Weimer
Package: usermin-chfn
Version: 1.110-3
Tags: security

As pointed out in http://www.osreviews.net/reviews/admin/usermin it is
possible to disable the login shell of the root account by calling
save.cgi with an empty value for the shell. The problem is that the
command is expanded to `chsh -s foo`, which changes the shell of the
root account to foo instead of changing foo's shell.

When combined with some well-known social engineering tactics (cf.
"Stealing Superuser" in Practical UNIX & Internet Security) it might
even be possible to obtain root access to the system.


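An added example, not Usermin code, modelling the argument-shift bug described above: when a command is built by string interpolation and then word-split, an empty shell value vanishes and the user name slides into the `-s` slot, so `chsh` changes the shell of the account it runs as. `unsafe_chsh_command` reproduces that collapse (using `shlex.split` as a stand-in for the shell's word splitting; the real front-end is Perl, so the exact mechanism is an assumption), and `safe_chsh_argv` shows the check a practitioner wants: validate each field and pass argv as a list so positions are fixed. The allowed shell set is a constructed stand-in for /etc/shells.

```python
"""Argument-shift bug of the kind in the usermin-chfn report. Added
example; not Usermin code. ALLOWED_SHELLS is a constructed stand-in
for the target system's /etc/shells."""
import re
import shlex

ALLOWED_SHELLS = frozenset({"/bin/sh", "/bin/bash", "/usr/bin/zsh"})
USERNAME_RE = re.compile(r"\A[a-z_][a-z0-9_-]*\Z")

def unsafe_chsh_command(user, shell):
    """String interpolation followed by word splitting. With an empty
    shell value the argv collapses to ['chsh', '-s', user]: the user
    name becomes the shell and, with no user argument left, chsh acts
    on the invoking account (root under a web front-end)."""
    return shlex.split("chsh -s %s %s" % (shell, user))

def safe_chsh_argv(user, shell, allowed_shells=ALLOWED_SHELLS):
    """Validate both fields, then build argv as a list so an empty or
    hostile value can never change the meaning of the other positions.
    Raises ValueError on bad input; the caller passes the list to
    subprocess without a shell."""
    if not USERNAME_RE.match(user):
        raise ValueError("bad user name: %r" % user)
    if shell not in allowed_shells:
        raise ValueError("shell not in allowed set: %r" % shell)
    return ["chsh", "-s", shell, user]

def chsh_argv_or_none(user, shell):
    """Convenience wrapper returning None instead of raising."""
    try:
        return safe_chsh_argv(user, shell)
    except ValueError:
        return None

if __name__ == "__main__":
    print("interpolated, empty shell:", unsafe_chsh_command("foo", ""))
    print("validated, empty shell:  ", chsh_argv_or_none("foo", ""))
    print("validated, good input:   ", chsh_argv_or_none("foo", "/bin/bash"))
```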



Bug#365910: AWStats: Malicious config file shell code injection

2006-05-03 Thread Hendrik Weimer
Package: awstats
Version: 6.5-1
Severity: important
Tags: security

Source: http://www.osreviews.net/reviews/comm/awstats

| Arbitrary code can be executed by uploading a specially crafted
| configuration file if an attacker can put a file on the server with
| chosen file name and content (e.g. by using an FTP account on a
| shared hosting server). In this configuration file, the LogFile
| directive can be used to execute shell code following a pipe
| character. As above, an open call on unsanitized input is the source
| of this vulnerability.





Bug#365909: AWStats: Shell code injection via 'migrate'

2006-05-03 Thread Hendrik Weimer
Package: awstats
Version: 6.5-1
Severity: important
Tags: security

Source: http://www.osreviews.net/reviews/comm/awstats

| If the update of the stats via web front-end is allowed, a remote
| attacker can execute arbitrary code on the server using a specially
| crafted request involving the migrate parameter. Input starting with
| a pipe character ("|") leads to an insecure call to Perl's open
| function and the rest of the input being executed in a shell. The
| code is run in the context of the process running the AWStats CGI.

Note that AllowToUpdateStatsFromBrowser, which is required for
successful exploitation, is disabled by default.





Bug#364443: Vulnerability exists also with the 'diricons' parameter

2006-05-03 Thread Hendrik Weimer
Hello,

as mentioned in http://www.osreviews.net/reviews/comm/awstats, the
same type of XSS vulnerability also exists with the 'diricons'
parameter. In this case, Debian is affected, too.

Hendrik





Bug#364443: [Pkg-awstats-devel] Bug#364443: Vulnerability exists also with the 'diricons' parameter

2006-05-05 Thread Hendrik Weimer
Charles Fry <[EMAIL PROTECTED]> writes:

>> as mentioned in http://www.osreviews.net/reviews/comm/awstats, the
>> same type of XSS vulnerability also exists with the 'diricons'
>> parameter. In this case, Debian is affected, too.
>
> As Eldy already explained (earlier in this bug report), the entire query
> string is sanitised against XSS by a call to CleanFromCSSA. The
> osreviews guys noticed that the word "Sanitize" does not surround
> diricons ("and possibly others as well"), but they failed to notice the
> cleaning call to CleanFromCSSA.

Exploit #1: 
http://www.example.com/cgi-bin/awstats.pl?diricons=%22%3E0wned!%3Cspan%20%22

Hendrik





Bug#365910: [Pkg-awstats-devel] Bug#365910: AWStats: Malicious config file shell code injection

2006-05-05 Thread Hendrik Weimer
Charles Fry <[EMAIL PROTECTED]> writes:

> In this case, this report doesn't appear to be an actual security
> vulnerability. The configuration file needs to be placed in
> /etc/awstats, /usr/local/etc/awstats, /etc, or /etc/opt/awstats. This
> can not be done without having root access (nor can the current
> configuration files be modified without root access). Someone with root
> permissions can already execute shell code with broader permissions than
> the webserver, so this "attack" seems like a non-issue to me.

Exploit #2: http://www.example.com/cgi-bin/awstats.pl?configdir=/tmp
with the attached file being placed in /tmp.

Hendrik



awstats.conf
Description: Binary data


Bug#364443: [Pkg-awstats-devel] Bug#364443: Vulnerability exists also with the 'diricons' parameter

2006-05-05 Thread Hendrik Weimer
Charles Fry <[EMAIL PROTECTED]> writes:

> Any final comments on anything I'm missing before moving forward with
> this patch?

Seems fine to me.

Hendrik





Bug#364443: [Pkg-awstats-devel] Bug#364443: Vulnerability exists also with the 'diricons' parameter

2006-05-12 Thread Hendrik Weimer
Martin Schulze <[EMAIL PROTECTED]> writes:

> How can the diricons and config parameters be exploited?  From a quick
> glance I can't find an open associated with $DirIcons.

The diricons issue is a XSS vulnerability. It has nothing to do with
the two other holes (which lead to arbitrary code execution) other
than they all are a case of missing input sanitizing.

Hendrik





Bug#365909: Bug#364443: [Pkg-awstats-devel] Bug#364443: Vulnerability exists also with the 'diricons' parameter

2006-05-12 Thread Hendrik Weimer
Martin Schulze <[EMAIL PROTECTED]> writes:

> Umh... but since the query_string is already sanitised globally
> how can XSS still happen?  Was the sanitising not successful?

AFAICS the query_string is not being decoded first. Therefore, a '>'
encoded as %3E will slip through. Version 6.5-2 contains the proper
fix.

Hendrik


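An added example (written for this archive, not AWStats code) of the ordering problem explained in the 'diricons' messages above: a filter that runs on the still-encoded query string never sees the '>' hidden in %3E, and the decode that happens later produces it. The toy sanitizer `strip_dangerous` is a constructed stand-in, not AWStats's CleanFromCSSA; `render_icon_dir` is a hypothetical sink that shows output escaping as a defence independent of input filtering.

```python
import html
import re
from urllib.parse import unquote_plus

# Constructed toy sanitizer: removes the characters that matter for tag and
# attribute injection. It is NOT AWStats's CleanFromCSSA, only a stand-in that
# makes the ordering problem visible.
_DANGEROUS = re.compile(r"""[<>"']""")


def strip_dangerous(value: str) -> str:
    return _DANGEROUS.sub("", value)


def sanitize_then_decode(raw_query_value: str) -> str:
    """Order from the report: the filter runs on the still-encoded query
    string, so %3E is not a '>' yet and passes; the later decode makes one."""
    return unquote_plus(strip_dangerous(raw_query_value))


def decode_then_sanitize(raw_query_value: str) -> str:
    """Corrected order: decode exactly once, then sanitize the decoded value.
    Decoding only once also means a double-encoded %253E stays the harmless
    literal text '%3E' unless some later stage decodes it again."""
    return strip_dangerous(unquote_plus(raw_query_value))


def render_icon_dir(value: str) -> str:
    """Sink-side defence that does not depend on the input filter: escape the
    value as an HTML attribute at the point it is written into the page."""
    return '<img src="%s/x.png">' % html.escape(value, quote=True)


if __name__ == "__main__":
    print(repr(sanitize_then_decode("%3Ex")))
    print(repr(decode_then_sanitize("%3Ex")))
    print(render_icon_dir(">x"))
```

Running the module prints '>x' for the original order and 'x' for the corrected one; the rendered tag escapes the '>' regardless of which filter ran.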



Bug#359138: firefox: Firefox crashes on http://en.wikipedia.org/wiki/Dash

2006-04-10 Thread Hendrik Weimer
Eric Dorland <[EMAIL PROTECTED]> writes:

> That bugzilla bug goes on about SIL graphite pango modules, which I'm
> not familiar with. Do you have those installed? 

I have now found the source of the problem. I had a previous version
of libcairo installed under /usr/local/lib, which I had totally
forgotten. Now Firefox uses the correct library and everything works
fine. :-) Sorry for the inconvenience.

Hendrik





Bug#360559: openvpn: CVE-2006-1629?

2006-04-12 Thread Hendrik Weimer
Geoff Crompton <[EMAIL PROTECTED]> writes:

> Package: openvpn
> Version: 2.0-1sarge2
> Followup-For: Bug #360559
>
> Is this the same as CVE-2006-1629?

Yes, it is.

Hendrik





Bug#260362: prj2make-sharp requires libmono-dev

2005-12-13 Thread Hendrik Weimer
Hi,

I just stumbled over this bug, which is also present in 0.95-1.2. The
problem is that pkg-config searches for a file named mono.cs, which is
included in the libmono-dev package. After installing the package the
"Error running pkg-config" message goes away and a Makefile is
created.

HTH,
Hendrik





Bug#325472: libaqhbci-qt-tools: uninstallable

2005-08-28 Thread Hendrik Weimer
Package: libaqhbci-qt-tools
Severity: grave
Justification: renders package unusable


The following packages have unmet dependencies:
  libaqhbci-qt-tools: Depends: libaqbanking0 but it is not installable
  Depends: libaqhbci2 but it is not going to be installed
  Depends: libgwenhywfar17 (>= 1.11.0) but it is not 
installable
  Depends: libktoblzcheck1 but it is not installable
  Depends: libofx1 but it is not installable
  Depends: libosp4 (>= 1.5.1.0-1) but it is not installable
E: Broken packages


-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)





Bug#403034: Deep MIME Nesting Content Filter Bypass

2006-12-27 Thread Hendrik Weimer
Stephen Gran <[EMAIL PROTECTED]> writes:

> We could return OverNesteded.MIME as the virus name, I suppose, but I
> have had plenty of complaints over the years about the various block max
> settings, so I'm not sure this is always the right thing to do either.
> We could change clamscan's exit code, but that of course doesn't do
> anything for the people who don't use clamscan - exiscan uses a direct
> socket to clamd, dansguardian uses a public library API, etc.

Changing the return code is definitely a thing you should do if a file
cannot be scanned properly. In addition, clamd should not report "OK",
but something like "ERROR". This gives more information to the service
that calls ClamAV, which can then decide what to do with the mail.

Hendrik





Bug#401873: Unusual MIME Encoding Content Filter Bypass

2006-12-06 Thread Hendrik Weimer
Package: clamav
Version: 0.88.6-1
Tags: security
Severity: grave

As reported in http://www.quantenblog.net/security/virus-scanner-bypass,
ClamAV passes an EICAR test file if the following conditions are met:

1. the EICAR file is encoded in Base64 including characters not in the
   standard alphabet (e.g. whitespace) and
2. the part containing the EICAR file is nested within one or several
   levels of multipart/mixed content.





Bug#401874: Multipart Nesting Denial of Service

2006-12-06 Thread Hendrik Weimer
Package: clamav
Version: 0.88.6-1
Tags: security
Severity: important

As reported in http://www.quantenblog.net/security/virus-scanner-bypass,
ClamAV contains a denial of service vulnerability when fed with a mail
containing a large number of multipart layers. This is due to a
recursion-based stack overflow in the function parseEmailBody
(mbox.c). Arbitrary code execution is probably not possible.





Bug#401873: closed by Stephen Gran <[EMAIL PROTECTED]> (Bug#401873: fixed in clamav 0.90~rc2-1)

2006-12-13 Thread Hendrik Weimer
The bug is still present in 0.88.7. Files nested deeper than
--max-mail-recursion are not scanned and there is no error returned
(exit code is 0). When using clamscan I get a warning from libclamav,
but the EICAR string still passes.





Bug#403034: Deep MIME Nesting Content Filter Bypass

2006-12-14 Thread Hendrik Weimer
Package: clamav
Version: 0.88.7-1
Severity: grave
Tags: security

While the new 0.88.7 version fixes CVE-2006-6406 and CVE-2006-6481 the
update introduces another flaw that lets viruses pass undetected. If a
virus is nested deeper than the --max-mail-recursion limit, the file
will pass and ClamAV's exit code indicates that the file was scanned
properly.

Again, details, PoC, and discussion can be found at
http://www.quantenblog.net/security/virus-scanner-bypass.


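An added example (written for this archive; it is not ClamAV's code and not part of any message in these threads) tying together the three ClamAV reports above: the bypass conditions in Bug#401873 (Base64 with non-alphabet characters, nested multipart/mixed), the fail-closed point made in Bug#403034 (an unscanned part must not come back as "OK"), and the recursion limit of Bug#403034/401874. The toy scanner decodes Base64 as a mail client does, walks the MIME tree with a depth limit, and returns ERROR rather than OK whenever a part was not actually scanned. `SIGNATURE`, `Verdict`, `scan_message` and `build_sample` are assumed names; the marker string and the sample messages are constructed, not real malware.

```python
import base64
import binascii
import email
from email import policy
from enum import Enum

# Constructed marker standing in for a detection signature (not real malware).
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-0001"


class Verdict(Enum):
    OK = "OK"        # every part was decoded and scanned, nothing matched
    FOUND = "FOUND"  # the signature matched in some part
    ERROR = "ERROR"  # some part could not be scanned: never to be read as clean


_RANK = {Verdict.OK: 0, Verdict.ERROR: 1, Verdict.FOUND: 2}


def _worse(a: Verdict, b: Verdict) -> Verdict:
    return a if _RANK[a] >= _RANK[b] else b


def lenient_b64decode(text: str) -> bytes:
    # Mail clients drop whitespace and other characters outside the Base64
    # alphabet before decoding; validate=False makes the stdlib do the same,
    # so the filter sees the bytes the recipient will see.
    return base64.b64decode(text, validate=False)


def strict_decode_rejects(text: str) -> bool:
    # True when a strict decoder refuses the payload. A filter that decodes
    # strictly and then reports OK on failure passes the content unscanned.
    try:
        base64.b64decode(text, validate=True)
        return False
    except binascii.Error:
        return True


def _scan_leaf(part) -> Verdict:
    raw = part.get_payload(decode=False) or ""
    cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
    if cte == "base64":
        try:
            data = lenient_b64decode(raw)
        except binascii.Error:
            return Verdict.ERROR  # undecodable: do not report clean
    else:
        data = raw.encode("utf-8", "surrogateescape")
    return Verdict.FOUND if SIGNATURE in data else Verdict.OK


def _scan_part(part, depth: int, max_depth: int) -> Verdict:
    if not part.is_multipart():
        return _scan_leaf(part)
    if depth >= max_depth:
        # Nesting limit reached: this subtree is NOT scanned, so say so
        # instead of silently returning OK for it.
        return Verdict.ERROR
    verdict = Verdict.OK
    for sub in part.get_payload():
        verdict = _worse(verdict, _scan_part(sub, depth + 1, max_depth))
    return verdict


def scan_message(raw_message: str, max_depth: int = 2) -> Verdict:
    msg = email.message_from_string(raw_message, policy=policy.default)
    return _scan_part(msg, depth=0, max_depth=max_depth)


def build_sample(nesting: int, payload: bytes = SIGNATURE) -> str:
    # Constructed message: the payload is Base64-encoded with a space inserted
    # every four characters (not in the alphabet) and wrapped in `nesting`
    # layers of multipart/mixed, mirroring the two conditions in Bug#401873.
    encoded = base64.b64encode(payload).decode("ascii")
    spaced = " ".join(encoded[i:i + 4] for i in range(0, len(encoded), 4))
    body = ("Content-Type: application/octet-stream\r\n"
            "Content-Transfer-Encoding: base64\r\n\r\n" + spaced + "\r\n")
    for level in range(nesting):
        b = f"boundary{level}"
        body = (f'Content-Type: multipart/mixed; boundary="{b}"\r\n\r\n'
                f"--{b}\r\n" + body + f"--{b}--\r\n")
    return "From: sender@example.invalid\r\nSubject: constructed sample\r\n" + body


if __name__ == "__main__":
    for n in range(4):
        print(n, scan_message(build_sample(n), max_depth=2))
```

With max_depth=2 the samples nested zero, one and two levels deep come back FOUND, while the three-level sample comes back ERROR: the caller learns that the message was not fully scanned and can quarantine or defer it, which is the behaviour the reports ask for.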



Bug#423379: OpenSSL license violation

2007-05-11 Thread Hendrik Weimer
Package: kmymoney2
Version: 0.8.6-1
Severity: serious

According to the copyright file kmymoney2 is being distributed under
GPLv2. However, it depends on libgwenhywfar, which in turn is linked
against OpenSSL. While libgwenhywfar contains an OpenSSL exception,
kmymoney2 does not.

So, please obtain an OpenSSL exception from upstream, fix bug #340573,
or upload a version not linking against libgwenhywfar.

Hendrik

