from:"Michael S Gilbert"

package: midori
version: 0.1.10-1
severity: wishlist

hi,

there is a new upstream version of midori.  it would be great if you
have the time to prepare a new debian package.  thanks!

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#550379: acknowledged by developer (closing 550379)

 # explanation given by maintainer
 close 550379 

there is no explanation in the bug logs.  the closest thing to an
explanation is:

  This is not possible for other reasons.

where the 'other reasons' are never explained.  if someone can state
these reasons, i would be content to give this up if they are justified.

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#550379: acknowledged by developer (closing 550379)

On Sun, 18 Oct 2009 21:56:57 +0200 maximilian attems wrote:

 On Sun, Oct 18, 2009 at 03:40:02PM -0400, Michael S Gilbert wrote:
   # explanation given by maintainer
   close 550379 
  
  there is no explanation in the bug logs.  the closest thing to an
  explanation is:
  
This is not possible for other reasons.
  
  where the 'other reasons' are never explained.  if someone can state
  these reasons, i would be content to give this up if they are justified.
 
 they are, please reread carefully
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550379#22

ok, i think we're caught in a continuing cycle of miscommunication and
misinterpretation.  for clarity, social contract item 4 states:

  4. Our priorities are our users and free software

  We will be guided by the needs of our users and the free software
  community. We will place their interests first in our priorities. We
  will support the needs of our users for operation in many different
  kinds of computing environments. We will not object to non-free works
  that are intended to be used on Debian systems, or attempt to charge a
  fee to people who create or use such works. We will allow others to
  create distributions containing both the Debian system and other
  works, without any fee from us. In furtherance of these goals, we will
  provide an integrated system of high-quality materials with no legal
  restrictions that would prevent such uses of the system.

i understand very well that you intend to serve the needs of your
users, and i have no intention of impeding that.  i have not
intentionally made any statement contrary to that requirement in this
thread and do not wish to do so.  

i, in fact, fully support the kbuild binary packages.  i am part of the
pkg-fglrx team, so i very much rely on kbuild's availablity. that
package, of course, is non-free, and i have no problems with that fact.
i too volunteer my time for the benefit of debian's users even on
non-free stuff.

the only way that i can understand the kernel team's perspective in
message #22 is that you have misinterpreted my report as a request for
kbuild to be done away with (maybe based on some non-free concept or
something that i never stated). this was certainly not my intent, and
perhaps i can clarify. 

in one sentence, my request is for the linux-2.6 and linux-kbuild-2.6
*source* packages to be merged (they are both in main, so there should
be no social reason for this to be impossible). 

consequently, i fully support the continued existence of the kbuild
binary packages (which would be built via the linux-2.6 source package
instead of the separate linux-kbuild-2.6 source package).

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#550379: acknowledged by developer (closing 550379)

maybe there is also some confusion due to my use of the term kbuild
binary packages.  i am referring to the linux-kbuild-$(uname -r)
binary packages when i say that, not the plain old kbuild binary/source
package.

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#550379: acknowledged by developer (closing 550379)

reopen 550379
severity 550379 wishlist
thanks

On Sun, 18 Oct 2009 23:50:04 +0100 Ben Hutchings wrote:

 On Sun, 2009-10-18 at 18:18 -0400, Michael S Gilbert wrote:
 [...]
  in one sentence, my request is for the linux-2.6 and linux-kbuild-2.6
  *source* packages to be merged (they are both in main, so there should
  be no social reason for this to be impossible). 
  
  consequently, i fully support the continued existence of the kbuild
  binary packages (which would be built via the linux-2.6 source package
  instead of the separate linux-kbuild-2.6 source package).
 
 It is not for us to justify the way we package the kernel, but for you
 to justify why we should change.  We can make this a wishlist bug but we
 have a long list of more important bugs.

ok, thank you very much.  that is all i was asking.  when i find the
time, i will see if i can implement the required changes.

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#551513: closed by Ryan Niebur r...@debian.org (Bug#551513: fixed in midori 0.2.0-1)

On Sun, 18 Oct 2009 23:36:11 + Debian Bug Tracking System wrote:

 This is an automatic notification regarding your Bug report
 which was filed against the midori package:
 
 #551513: new upstream version 0.2.0
 
 It has been closed by Ryan Niebur

thanks for the insanely fast response time!

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#502925: closed by Marco Rodrigues goth...@sapo.pt (Package xfce-mcs-manager has been removed from Debian)

2009-10-17 Thread Michael S Gilbert

On Sat, 17 Oct 2009 10:51:21 + Debian Bug Tracking System wrote:
 This is an automatic notification regarding your Bug report
 which was filed against the xfce4-mcs-manager package:
 
 #502925: xfce4-mcs-manager: new fonts are not available until all terminals 
 closed
 
 It has been closed by Marco Rodrigues

this bug is still present in the latest version of xfce4-terminal in
unstable.  which package should it be reassigned to since
xfce4-mcs-manager has been removed? thanks.

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#550913: dopewars: CVE-2009-3591 denial-of-service

2009-10-13 Thread Michael S Gilbert

Package: dopewars
Version: 1.5.12-2
Severity: important
Tags: security

Hi,

The following CVE (Common Vulnerabilities  Exposures) id was
published for dopewars.

CVE-2009-3591[0]:
| Dopewars 1.5.12 allows remote attackers to cause a denial of service
| (segmentation fault) via a REQUESTJET message with an invalid
| location.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

This issue is not severe enough to warrant a DSA, so please coordinate
updates for the next stable/oldstable point releases with the release
team.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3591
http://security-tracker.debian.net/tracker/CVE-2009-3591



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#550441: advi: statically links to camlimages

2009-10-10 Thread Michael S Gilbert

On Sat, 10 Oct 2009 12:28:15 +0200 Stéphane Glondu wrote:

 Michael S Gilbert a écrit :
  advi statically links to camlimages, which makes security updates very
  complicated.  please update advi to dynamically link to camlimages.
  thanks.
 
 Unfortunately, this is not possible without making significant changes
 to advi (and/or OCaml itself). Almost all programs written in OCaml
 suffer from this limitation. I had already asked to have advi be
 recompiled with the new camlimages, but the request got lost somehow
 (maybe Mehdi can give more information on this).
 
 There is no shared library support in OCaml. Upstream is hostile to this
 [1], so if some support would be added, it would be Debian-specific and
 make the whole OCaml stack of Debian diverge from everywhere else (we
 don't really want that). There is however dynamic linking (à la dlopen).
 
 [1] http://article.gmane.org/gmane.comp.lang.caml.inria/23778

thanks for the update on the situation.  based on the link, upstream's
response is not entirely hostile.  see:

  Feature 3- (dynamic code loading) is already available in bytecode
  through the Dynlink API.  I understand there's a demand for having it
  in native-code as well, and that might be possible without too much
  fuss, at least on selected operating systems.

so, perhaps if the work is done for them, they would be willing to
accept the changes.

 Note that even there was shared library support in OCaml, that wouldn't
 automatically make security updates easier because of the checks OCaml
 performs at link time, and it would be very unwise to disable these
 checks. In other words, an updated library can require recompilation of
 all reverse dependencies anyway.

i'm not aware of this as a concern for other packages. why is this a
larger concern for advi? usually security updates do not change the
ABI, so this (hopefully) shouldn't be a problem.  and if it is, advi
will FTBFS, so we will be more acutely aware of the fact that it needs
to be updated as well.

mike



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#550441: advi: statically links to camlimages

2009-10-10 Thread Michael S Gilbert

reopen 550441
thanks

On Sat, 10 Oct 2009 22:24:31 +0200 Mehdi Dogguy wrote:
 AFAICS, the version of advi currently in unstable/testing (1.6.0-14+b1)
 is not affected since it was built with the latest (fixed) version of
 camlimages.

the specific flaw is being tracked with bug #550440, which should remain
open for now since etch/lenny are still affected. this bug should also
remain open until the static link is fixed. or you can mark it wontfix
if that is your plan.

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#550422: samba: CVE-2009-2813 sharing restriction bypass

package: samba
version: 3.0.24-6
severity: important
tags: security

hi,

CVE-2009-2813 has been issued for samba and from the text [0], it
appears to be mac-specific; however, there is not enough information
to confirm or negate this.  i have submitting a bug upstream
requesting assistance [1].  you can follow the issue there.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2813
[1] https://bugzilla.samba.org/show_bug.cgi?id=6798



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#550423: samba: CVE-2009-2906 dos and CVE-2009-2948 password access

package: samba
version: 3.0.24-6
severity: serious
tags: security , patch

hi,

the following CVEs were issued for samba.

CVE-2009-2906 [0]:
| smbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, and 3.4
| before 3.4.2 allows remote authenticated users to cause a denial of service
| (infinite loop) via an unanticipated oplock break notification reply packet.

CVE-2009-2948 [1]:
| mount.cifs in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8 and
| 3.4 before 3.4.2, when mount.cifs is installed suid root, does not properly
| enforce permissions, which allows local users to read part of the
credentials file
| and obtain the password by specifying the path to the credentials file and
| using the --verbose or -v option.

these are fixed in unstable.  patches are available from [2].

mike

[0] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2906
[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2948
[2] http://www.samba.org/samba/security/



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#550424: openexr6: CVE-2009-1720,1721,1722 potential vectors for arbitrary code execution

Package: openexr6
Version: 1.6.1
Severity: serious
Tags: security

Hi,
the following CVE (Common Vulnerabilities  Exposures) ids were
published for openexr6.

CVE-2009-1720[0]:
| Multiple integer overflows in OpenEXR 1.2.2 and 1.6.1 allow
| context-dependent attackers to cause a denial of service (application
| crash) or possibly execute arbitrary code via unspecified vectors that
| trigger heap-based buffer overflows, related to (1) the
| Imf::PreviewImage::PreviewImage function and (2) compressor
| constructors.  NOTE: some of these details are obtained from third
| party information.

CVE-2009-1721[1]:
| The decompression implementation in the Imf::hufUncompress function in
| OpenEXR 1.2.2 and 1.6.1 allows context-dependent attackers to cause a
| denial of service (application crash) or possibly execute arbitrary
| code via vectors that trigger a free of an uninitialized pointer.

CVE-2009-1722[2]:
| Heap-based buffer overflow in the compression implementation in
| OpenEXR 1.2.2 allows context-dependent attackers to cause a denial of
| service (application crash) or possibly execute arbitrary code via
| unspecified vectors.

These issues are already fixed in the stable releases.  If you fix the
vulnerabilities please also make sure to include the CVE ids in your
changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1720
http://security-tracker.debian.net/tracker/CVE-2009-1720
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1721
http://security-tracker.debian.net/tracker/CVE-2009-1721
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1722
http://security-tracker.debian.net/tracker/CVE-2009-1722



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#550379: closed by Bastian Blank wa...@debian.org (Re: Bug#550379: linux-kbulid-2.6: embeds linux-2.6)

On Sat, 10 Oct 2009 03:03:06 +0200 Bastian Blank wrote:

 On Fri, Oct 09, 2009 at 05:49:13PM -0400, Michael Gilbert wrote:
   On Fri, Oct 09, 2009 at 02:04:20PM -0400, Michael Gilbert wrote:
   the linux-kbuild-2.6 source package includes portions of code from the
   linux-2.6 source package (i.e. everything in ./kbuild/*).  this is bad
   in terms of security support because it causes more work for the
   security team and increases the risk of errors, omissions, and mistakes.
   No, it does not. It is a different source package and both are derived
   from the same upstream code. 
  two different source packages with portions being the same code are
  considered a case of an embedded code copy; which is generally
  considered bad practice from a security perspective.
 
 Well, please start with every source using autoconf then. autoconf
 embeds copies of a large amount of source code snippets in the targets.
 This have about the same practical relevance and use then the code we
 are talking about.

automatically generated code (a la autoconf) is not a concern for the
security team.  however, the kbuild code copy is not computer generated;
it consists of human-created perl, c, and shell scripts.

   less significant, but also important, is that since the kbuild package
   is separated from the linux package, the kbuild packages always lag by
   weeks or months after a new kernel release; making it impossible to
   build modules for that new kernel.
   the recommended course of action is to update the linux-2.6 source
   package to also build the kbuild binaries.  thanks.
   This is not possible for other reasons.
  what are these reasons, and why do they seem so insurmountable?
 
 They are backed by §4 Social Contract. 

i don't see the connection between the social contract and your
requirement to keep the kbuild source package separate from the
kernel source package.  after all, both packages are in main, so from a
social perspective, there is nothing preventing them from being merged.

 To be exact, it is part of the cross-compile support in the
 linux packages. And yes, this is heavily used.

ok, i already know the purpose of the kbuild package, and i already had
the feeling that it was indeed used quite a bit.  i had no intention of
calling either of these facts into question.  i don't see how these
statements relevant to the discussion.

mike



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#550437: curl: forks libntlm

package: curl
version: 7.19.5-1.1
severity: important
tags: security

hi,

curl implements a forked version of libntlm.  in order to provide
timely security support (and to reduce some of the burden on the
security team), it would be very desirable (if possible) for curl to
link to the existing libntlm library, rather than implementing its own
version. thanks.

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#550436: wget: forks libntlm

package: wget
version: 1.12-1
severity: important
tags: security

hi,

wget implements a forked version of libntlm.  in order to provide
timely security support (and to reduce some of the burden on the
security team), it would be very desirable (if possible) for wget to
link to the existing libntlm library, rather than implementing its own
version. thanks.

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#550438: cntlm: forks libntlm

package: cntlm
version: 0.35.1-5
severity: important
tags: security

hi,

cntlm implements a forked version of libntlm.  in order to provide
timely security support (and to reduce some of the burden on the
security team), it would be very desirable (if possible) for cntlm to
link to the existing libntlm library, rather than implementing its own
version. thanks.

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#550440: advi: CVE-2009-2295 arbitrary code execution

Package: advi
Version: 1.6.0-12
Severity: serious
Tags: security

Hi,

The following CVE (Common Vulnerabilities  Exposures) id was
published for camlimages.  advi statically links to camlimages, so any
issues in that package are also applicable to advi.  There were already
updates to camlimages for etch an lenny, so advi just needs to be
relinked using those new versions.  Please coordinate these updates with
the security team.

CVE-2009-2295[0]:
| Multiple integer overflows in CamlImages 2.2 and earlier might allow
| context-dependent attackers to execute arbitrary code via a crafted
| PNG image with large width and height values that trigger a heap-based
| buffer overflow in the (1) read_png_file or (2) read_png_file_as_rgb24
| function.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2295
http://security-tracker.debian.net/tracker/CVE-2009-2295



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#550436: wget: forks libntlm

On Sat, Oct 10, 2009 at 12:17 AM, Micah Cowan wrote:
 Michael S Gilbert wrote:
 package: wget
 version: 1.12-1
 severity: important
 tags: security

 hi,

 wget implements a forked version of libntlm.  in order to provide
 timely security support (and to reduce some of the burden on the
 security team), it would be very desirable (if possible) for wget to
 link to the existing libntlm library, rather than implementing its own
 version. thanks.

 This is untrue. Wget's ntlm support was taken from curl, not from libntlm.

it appeared to me to be a fork since essentially the same code is
implemented with slightly differing function names.  i imagine that
this is a consequence of the fact that there is one right way to
implement support for the ntlm standard.

 Taking advantage of libntlm could be a possible goal, however it
 currently lacks support for the most recent version of the protocol,
 whereas a user has recently contributed that support to Wget. It is not
 present in 1.12 because it hasn't been sufficiently tested (mainly
 against the earlier versions of the protocol).

 It'd probably be ideal for that support to find its way into libntlm. At
 that time, we'd probably consider using it. For the immediate future,
 though, we (upstream) are probably not going to pursue that just yet.

thanks for the info and quick response!

mike



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#550441: advi: statically links to camlimages

package: advi
version: 1.6.0-14+b1
severity: important
tags: security

hi,

advi statically links to camlimages, which makes security updates very
complicated.  please update advi to dynamically link to camlimages.
thanks.

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#550442: ffmpeg: deluge of crashes due to missing input sanitization

package: ffmpeg
version: 0.cvs20060823-8
severity: serious
tags: security

hi,

ffmpeg has been found to be vulnerable to many crashers [0],[1].  this
may enable remote compromise of a system.

please coordinate with upstream and the security team to push out
updates for these issues.

mike

[0] https://roundup.ffmpeg.org/roundup/ffmpeg/issue1240
[1] https://roundup.ffmpeg.org/roundup/ffmpeg/issue1245



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#550423: [Pkg-samba-maint] Bug#550423: samba: CVE-2009-2906 dos and CVE-2009-2948 password access

On Sat, 10 Oct 2009 07:10:51 +0200 Christian Perrier wrote:

 Version: 3.4.2-1
 
 Quoting Michael S Gilbert (michael.s.gilb...@gmail.com):
  package: samba
  version: 3.0.24-6
  severity: serious
  tags: security , patch
  
  hi,
  
  the following CVEs were issued for samba.
 
 
 Fixed in 3.4.2
 
 Fixes for lenny are on their way.

good to know.  thanks for the quick response.

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#550150: cupsys: CVE-2009-2807 issue in usb backend

2009-10-07 Thread Michael S Gilbert

package: cupsys
version: 1.2.7-4
severity: serious
tags: security

hi,

cups may be affected by a security issue in its usb backend [0].  the
advisories state that this affects mac os x, but it is unclear if
other os'es are affected.  i've submitted a bug upstream requesting
more info [1].  you can follow the issue there.

best wishes,
mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2807
[1] http://www.cups.org/str.php?L3368



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#550002: xscreensaver: sonar should be moved to xscreensaver-gl

2009-10-06 Thread Michael S Gilbert

package: xscreensaver
version: 5.10-2
severity: normal

according to the xscreensaver readme, sonar has been rewritten using
opengl.  in order to prevent potential problems and other badness for
non-gl users, it should be moved to the xscreensaver-gl package. thanks.

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#542849: [Pkg-fglrx-devel] Bug#542849: Bug#542849: Bug#542849: fglrx-source: fglrx:firegl_init_device_list ERROR Out of memory when allocating device heads

On Tue, 15 Sep 2009 14:23:42 +0800 Paul Harris wrote:

2009/9/15 Patrick Matthäi pmatth...@debian.org

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Paul Harris schrieb:
as stated here:

http://support.amd.com/us/gpudownload/linux/Legacy/Pages/radeon_linux.aspx?type=2.4.2product=2.4.2.3.9lang=English

the support for older cards has been moved to a legacy driver.

can we see Debian support for the legacy driver? I think this is very
important due to the extended lifecycle of linux computers, its likely
these old graphics cards will be around for quite some time into the
future.

This seems to be the only way to get hardware accelerated 3D graphics on
linux with these cards... right?

Wrong. Legacy is only for windows.

Ah, which is why they state:
The Linux ATI Catalyst™ driver will only be supported in Linux distributions
prior to February 2009 for the legacy products listed above.

So can we use the older drivers with newer kernels? Is it possible to
create a working driver based on an old release?

amd's plan is to transition legacy users to the open source driver
(xserver-xorg-video-radeon/radeonhd). when linux 2.6.31 gets packaged
for debian (which should be very soon), this driver will fully support
3d for cards up through the r500 series.

mike

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#546781: [Pkg-fglrx-devel] Bug#546781: Bug#546781: fglrx-driver: With kernel module, displays blank screen

On Tue, 15 Sep 2009 19:17:43 -0700 Daniel Schepler wrote:
 The 1:9-8-2 version of the driver worked fine on the same machine.

what is the output of 'lsmod | grep fglrx' and 'sudo modprobe fglrx'?

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#546781: [Pkg-fglrx-devel] Bug#546781: Bug#546781: fglrx-driver: With kernel module, displays blank screen

On Tue, 15 Sep 2009 22:51:57 -0400 Michael S Gilbert wrote:

 On Tue, 15 Sep 2009 19:17:43 -0700 Daniel Schepler wrote:
  The 1:9-8-2 version of the driver worked fine on the same machine.

also, this may be related to bug #542735 [0].  can you try:

  $ sudo aticonfig --acpi-services=off

[0] http://bugs.debian.org/542735



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#520882: not fixed

reopen 520882
notfixed 520882 1:9-9-1
thanks

oops, i goofed up due to cross-posting by another bug submitter.  this
one likely still exists.

submitter, if you can find the time to check on this bug, that would be
very helpful.

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#544915: adoption

2009-09-14 Thread Michael S Gilbert

hi,

i would be willing to adopt mathwar and amphetamine.  i'm not a dd, but
do have some packaging experience.  i would need a mentor to do uploads
for me.

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#546198: xfs: uninstallable due to logged in debian-xfs user

2009-09-11 Thread Michael S Gilbert

package: xfs
version: 1:1.0.8-4
severity: serious

the latest xfs update is currently uninstallable on unstable.  the error is:

  Setting up xfs (1:1.0.8-4) ...
  Installing new version of config file /etc/init.d/xfs ...
  usermod: user debian-xfs is currently logged in
  dpkg: error processing xfs (--configure):
subprocess installed post-installation script returned error exit status 8

fyi, the debian-xfs entry in /etc/password is:

  debian-xfs:x:109:115::/nonexistant:/bin/false

i don't think this had existed prior to this xfs update.  let me know
if you need any more info.

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#545501: xfce4-clipman: uninstallable due file conflict with xfce4-clipman-plugin

2009-09-07 Thread Michael S Gilbert

package: xfce4-clipman
severity: serious
version: 2:1.1.0-2

hello,

both xfce4-clipman and xfce4-clipman-plugin install the file
'/usr/share/applications/xfce4-clipman-plugin.desktop', which causes
xfce4-clipman's installation to fail:

  Unpacking xfce4-clipman (from .../xfce4-clipman_2%3a1.1.0-2_amd64.deb) ... 
dpkg: error
  processing /var/cache/apt/archives/xfce4-clipman_2%3a1.1.0-2_amd64.deb 
(--unpack): trying to overwrite
  '/usr/share/applications/xfce4-clipman-plugin.desktop', which is also
  in package xfce4-clipman-plugin 2:1.0.2-1

this may only be a problem for upgrades from previous versions of 
xfce4-clipman-plugin.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#524806: RFS: sponsor for poppler stable point release

2009-08-26 Thread Michael S Gilbert

Hi,

A new lenny release is coming soon and there are some open security
issues in poppler that I have fixed.  Attached is the debdiff of the
changes.

The package can be found on mentors.debian.net:
- URL: http://mentors.debian.net/debian/pool/main/p/poppler
- Source repository: deb-src http://mentors.debian.net/debian unstable
main contrib non-free
- dget
http://mentors.debian.net/debian/pool/main/p/poppler/poppler_0.8.7-2lenny1.dsc

I would be glad if someone uploaded this package for me.

Kind regards,
Michael Gilbert


poppler.debdiff
Description: Binary data

Bug#543257: xscreensaver: does not show screen unlock dialog for gl screensavers

2009-08-23 Thread Michael S Gilbert

package: xscreensaver-gl
version: 5.05-3
severity: normal

hello, on my system there is no dialog drawn when unlocking gl screensavers; 
however it is still possible to enter the password and unlock the screen; there 
will just be no visual feedback.  this works fine for the non-gl screensavers.  

note that i am using the ati-proprietary fglrx driver for gl support right now, 
which may very well be the problem.  i looked at a machine that has an intel 
gma 900 video card and it was not affected by this issue.

thanks for looking into this.

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#543159: kvm: embeds qemu

2009-08-22 Thread Michael S Gilbert

package: kvm
version: 85+dfsg-4
severity: important
tags: security

hello,

since kvm embeds qemu it makes security updates/tracking more difficult, 
troublesome, and potentially more prone to error/omission.  i understand that 
kvm is somewhat of a divergence from qemu, but if it is possible, please update 
kvm to use qemu.

best regards,
mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#539410: useful?

2009-08-14 Thread Michael S. Gilbert

hello,

was any of the above information useful?  anything else i can provide?

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#529318: linux-2.6: CVE-2007-6514 smbfs information disclosure vulnerability

2009-08-13 Thread Michael S. Gilbert

On Thu, 13 Aug 2009 23:51:40 +0200 Moritz Muehlenhoff wrote:

 On Mon, May 18, 2009 at 12:06:58PM -0400, Michael S. Gilbert wrote:
  Package: linux-2.6
  Severity: important
  Tags: security
  
  Hi,
  
  The following CVE (Common Vulnerabilities  Exposures) id was
  published for linux-2.6.
  
  CVE-2007-6514[0]:
  | Apache HTTP Server, when running on Linux with a document root on a
  | Windows share mounted using smbfs, allows remote attackers to obtain
  | unprocessed content such as source files for .php programs via a
  | trailing \ (backslash), which is not handled by the intended AddType
  | directive.
  
  If you fix the vulnerability please also make sure to include the
  CVE id in your changelog entry.
 
 Have you been able to test this against recent kernels such as 2.6.30?

here is my assessment of this issue:

 the attack vector for this one is so obscure: the worst that can 
 happen is disclosure of scripts hosted on an apache server serving
 those scripts, and only if those scripts are mounted from a windows
 share via smbfs. i'd almost be inclined to say no-dsa for this one (or
 issue a dsa that says don't host your web scripts on a windows share
 when using apache if you are concerned about the confidentiality of
 those scripts). it's hardly worth worrying about.

i have not done any tests to determine affected versions, but it
should be fairly straightforward to do so.  see [0].

also, see redhat bug on this [1].  they have a patch for rhel 2.1, but
i wasn't able to search it down.

mike

[0]
http://www.securityfocus.com/archive/1/archive/1/485316/100/0/threaded
[1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-6514



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#540958: libvorbis: CVE-2009-2663 vulnerability

On Mon, 10 Aug 2009 23:01:36 -0500, Peter Samuelson wrote:
 
  CVE-2009-2663[0]:
  | libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
  | 3.5.x before 3.5.2 and other products, allows context-dependent
  | attackers to cause a denial of service (memory corruption and
  | application crash) or possibly execute arbitrary code via a crafted
  | .ogg file.
 
 Thanks, I'll prepare updates for etch, lenny, and sid.  I assume the
 Mozillae in Debian use the system libvorbis, not a separate copy.

no, in fact they embed, and i've submitted a bug for that separately.
thanks for working this!

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#540961: xulrunner: CVE-2009-2663 vulnerability

On Tue, 11 Aug 2009 11:47:50 +0200, Alexander Sack wrote:
 On Mon, Aug 10, 2009 at 07:47:29PM -0400, Michael S Gilbert wrote:
  Package: xulrunner
  Version: 1.9.1.1-2
  Severity: grave
  Tags: security
  
  Hi,
  the following CVE (Common Vulnerabilities  Exposures) id was
  published for xulrunner.
  
  CVE-2009-2663[0]:
  | libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
  | 3.5.x before 3.5.2 and other products, allows context-dependent
  | attackers to cause a denial of service (memory corruption and
  | application crash) or possibly execute arbitrary code via a crafted
  | .ogg file.
  
  This does not affect versions 1.9.0.12 and earlier, so no updates
  are needed for the stable releases.
 
 The summary you pasted suggest that before 3.0.13 is affected, which
 would mean that xul 1.9.0.12 would be affected too; but OTOH, 1.9
 branch didnt have any libvorbis/codec support afaik. So this feels
 like a typo in the CVE. Anyway. xul should probably be updated to .13
 anyway in stable.

yes, this is a flaw in the cve text (which often you can't take at
face value). i checked the source, and vorbis is not present in 1.9.0.12
or before, and i doubt it will be introduced in 1.9.0.13, but i could
be wrong.

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#540862: reassign

reassign 540862 libxerces2-java
thanks

this appears to be a flaw in the xerces xml parser.  see previous
discussion and pdf.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#517639: severity

severity 532689 important
thanks

denial-of-services are not serious.  this should probably be fixed
with CVE-2009-0642 which is actually serious.  please coordinate with
the security team to prepare updates for the stable releases on these.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#541146: python-matplotlib: 0.99 version released upstream

package: python-matplotlib
severity: wishlist

a new version of matplotlib has been released in the last few days [0].
this is a request for this to be packaged for debian.  thanks!

[0] http://matplotlib.sourceforge.net/_static/CHANGELOG



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#541146: [Python-modules-team] Bug#541146: python-matplotlib: 0.99 version released upstream

On Wed, 12 Aug 2009 00:35:53 +0200, Sandro Tosi wrote:
 Hi Michael,
 
 On Wed, Aug 12, 2009 at 00:25, Michael S.
 Gilbertmichael.s.gilb...@gmail.com wrote:
  package: python-matplotlib
  severity: wishlist
 
  a new version of matplotlib has been released in the last few days [0].
  this is a request for this to be packaged for debian.  thanks!
 
 I'm aware of the new release, and I'm already working on updating
 Debian package.

good to hear!  thanks.



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#540611: [php-maint] Bug#540611: Bug#540611: php5: exif buffer overread

On Mon, 10 Aug 2009 08:17:44 +0200, sean finney wrote:
 hi michael,
 
 On Sun, Aug 09, 2009 at 10:57:09PM -0400, Michael S. Gilbert wrote:
  maybe it's just me, but dealing with issues in multiple releases with
  the debian bts is non-obvious and a major pain.  is the *right* way
  to do this documented somewhere?
 
 i've brought this up in the past on -devel because i also find it
 annoying.  i wasn't given a good solution apart from you can probably
 do it with usertags, which is more of a cop out than anything else
 imho :(
 
 fyi i'm out on vacation now so won't have any time to put forward on
 php related stuff for at least another week if not two.

ok, thanks for the info.  have a good one.

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#535888: [php-maint] Bug#540611: php5: exif buffer overread

On Mon, 10 Aug 2009 18:05:57 +0200, Nico Golde wrote:
  maybe it's just me, but dealing with issues in multiple releases with
  the debian bts is non-obvious and a major pain.  is the *right* way
  to do this documented somewhere?
 
 http://wiki.debian.org/BugsVersionTracking maybe helps you.

thanks for the link.  this makes it clear how the system is supposed
to work, but it also makes it clear that the system is rather broken --
at least from the standpoint that bugs get closed on the first fix,
rather than when all releases are either fixed or marked as not
affected.

i guess i'll just deal with the broken system as is...

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#540862: apache2: xml-based firewall bypass / port scanning vulnerability

package: apache2
version: 2.2.3-4+etch6
severity: important
tags: security

it has been dislosed that apache (and potentially other web servers)
can be used to port scan behind a firewall.  i don't think this issue
issue too severe, but a firewall bypass nevertheless is probably not a
good thing.  see [0].

[0] http://www.sift.com.au/assets/downloads/SIFT-XML-Port-Scanning-v1-00.pdf



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#540610: [DRE-maint] Bug#540610: rubygems: integrity violation

On Mon, 10 Aug 2009 08:24:06 -0500, Gunnar Wolf wrote:
 Michael S. Gilbert dijo [Sun, Aug 09, 2009 at 11:58:04PM -0400]:
   I tried testgem downloaded from 
   http://bugs.gentoo.org/show_bug.cgi?id=278566.
   
   % sudo gem install testgem-0.0.1.gem
   Successfully installed testgem-0.0.1
   1 gem installed
   Installing ri documentation for testgem-0.0.1...
   File not found: lib
   
   (I think that making document files causes this error.)
   
   % ls /var/lib/gems/1.8/bin/less
   /var/lib/gems/1.8/bin/less
   
   
   So, /usr/bin/less is not overwritten.
   Debian's RubyGems is patched to replace the upstream's indiscriminate 
   default
   directory.
  
  ok, but when you run 'less', does that run /usr/bin/less
  or /var/lib/gems/1.8/bin/less?  if it is the latter, then there is
  definately a problem here.
 
 No, Debian's path does not include /var/lib/*/bin - The default paths,
 set by /etc/profile, read:
 
 
 if [ `id -u` -eq 0 ]; then
   PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 else
   PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
 fi
 
 Requiring rubygems does not change it, even from within Ruby:
 
 $ irb
 irb(main):001:0 require 'rubygems'
 = true
 irb(main):002:0 system 'echo $PATH'
 /usr/local/bin:/usr/bin:/bin:/usr/games
 = true
 
 So I think this bug does not bite us.

ok, sounds like a non-issue to me then.

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#535888: [php-maint] Bug#540611: php5: exif buffer overread

 i guess i'll just deal with the broken system as is...

 I'm sure Don welcomes constructive criticism ;)

ok, i'll put together a constructive bug report when i have the chance.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#540437: [Pkg-xfce-devel] Bug#540437: Bug#540437: Bug#540437: xfdesktop4: keeps regenerating 'Desktop' folder in user's home dir

On Mon, 10 Aug 2009 07:58:33 +0200, Yves-Alexis Perez wrote:
 On dim, 2009-08-09 at 23:22 -0400, Michael S Gilbert wrote:
  yes, it is xfdesktop.  removed 'Desktop', ran 'xfdesktop' and it was
  back.  i straced xfdesktop, but there was no reference to 'Desktop'.
  would it be useful to attach that output?
 
 By the way, Desktop/ is required if xfdesktop is set to display
 Files/Launchers, so it creates (or maybe xfconf) it. But here it
 *doesn't* happens when the icon type is set to “None” or “Minimized
 applications”

ok, so sorry to waste your time, but this looks like a non-issue.  i
switched from 'None' to 'Minimized' and ran xfdesktop; no 'Desktop' was
created.  then i switched back to 'None' again, and still no 'Desktop'
was created.  i'm betting that there was some kind of difference
between settings on one of the xfce upgrades (maybe when i upgraded from
4.4).

maybe this is something that will need to be handled for lenny-squeeze
upgrades?  or maybe documenting the workaround in the release notes
would be sufficient?

i have two other virtual machines that are still demonstrating this
behavior if you want me to look at anything else.  i did try 'strace
-f' before and did not see any reference to 'Desktop'.

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#540885: websvn: blame is excruciatingly slow for large files

package: websvn
severity: normal

hello, trying to look at the blame for large files in websvn is
excruciatingly slow.  for example, try to see the blame for:

http://svn.debian.org/wsvn/secure-testing/data/CVE/list

i waited over two hours and the page still had not generated the blame.
thanks for looking into this.

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#540905: apt-file: doesn't need to say 'run as root' in postinst

package: apt-file
severity: minor

since apt-file can now be run as non-root, it no longer needs to say
that is a requirement in its postinst script.

i.e. change the text You need to run 'apt-file update' as root to
update the cache to You need to run 'apt-file update' to update the
cache.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#540958: libvorbis: CVE-2009-2663 vulnerability

Package: libvorbis
Version: 1.1.2.dfsg-1.4
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities  Exposures) id was
published for libvorbis.

CVE-2009-2663[0]:
| libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
| 3.5.x before 3.5.2 and other products, allows context-dependent
| attackers to cause a denial of service (memory corruption and
| application crash) or possibly execute arbitrary code via a crafted
| .ogg file.

Please coordinate with the security team to prepare updates for the
stable releases.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2663
http://security-tracker.debian.net/tracker/CVE-2009-2663



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#540959: xulrunner: embeds libvorbis

package: xulrunner
severity: important
tags: security

hello, it seems that xulrunner embeds the libvorbis library in its
source code.  this is bad since it makes security updates much more
difficult and troublesome.  please modify the package to use the
system libvorbis.  thank you.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#540961: xulrunner: CVE-2009-2663 vulnerability

Package: xulrunner
Version: 1.9.1.1-2
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities  Exposures) id was
published for xulrunner.

CVE-2009-2663[0]:
| libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
| 3.5.x before 3.5.2 and other products, allows context-dependent
| attackers to cause a denial of service (memory corruption and
| application crash) or possibly execute arbitrary code via a crafted
| .ogg file.

This does not affect versions 1.9.0.12 and earlier, so no updates
are needed for the stable releases.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2663
   http://security-tracker.debian.net/tracker/CVE-2009-2663



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#540610: rubygems: integrity violation

package: rubygems1.9
version: 1.3.1
tags: security
severity: serious

hello, it has been disclosed thet a specially crafted gem archive could
be used to overwrite system files.  confirmed for 1.3.x, but older
versions may also be affected.  please check and help the security
team prepare updates for the stable releases. see:

http://bugs.gentoo.org/show_bug.cgi?id=278566
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/24472
http://redmine.ruby-lang.org/issues/show/1800



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#540611: php5: exif buffer overread

package: php5
version: 5.2.0-8+etch13
severity: important
tags: security

hello, it has been disclosed that php is vulnerable to a buffer
over-read in versions befor 5.2.10.  see:

http://secunia.com/advisories/35441/
http://www.vupen.com/english/advisories/2009/1632



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#540610: rubygems: integrity violation

On Sun, 09 Aug 2009 15:34:18 +0900 Daigo Moriwaki wrote:

 Hello Michael,
 
 Michael S. Gilbert wrote:
  package: rubygems1.9
  version: 1.3.1
  tags: security
  severity: serious
  
  hello, it has been disclosed thet a specially crafted gem archive could
  be used to overwrite system files.  confirmed for 1.3.x, but older
  versions may also be affected.  please check and help the security
  team prepare updates for the stable releases. see:
  
  http://bugs.gentoo.org/show_bug.cgi?id=278566
  http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/24472
  http://redmine.ruby-lang.org/issues/show/1800
 
 Thank you for the references. I have just read them.
 
 In Debian, executables from gems install into a particular directory specific 
 to
 RubyGems such as /var/lib/gems/{1.8|1.9.0}/bin instead of the system directory
 /usr/bin. There should be no risk that they talked about.
 
 If you think of any problems in Debian, please let me know; otherwise, please
 close this ticket.

what about installing a rogue 'ls' to '/var/lib/gems/{1.8|1.9.0}/bin'?
i've never used rubygems before, so i'm not sure how paths are
configured. would this override the system 'ls'?

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#535888: [php-maint] Bug#540611: php5: exif buffer overread

On Sun, 9 Aug 2009 21:02:36 -0500 Raphael Geissert wrote:

 On Sunday 09 August 2009 01:13:42 Michael S. Gilbert wrote:
 
  hello, it has been disclosed that php is vulnerable to a buffer
  over-read in versions befor 5.2.10.  see:
 
 You already reported it as #535888, there's no need to report it more than 
 once.
 And no, reopening the report is *not necessary*, the BTS knows what versions 
 are affected. *Take a look at the graph at the top if necessary*
 
 And adding another entry to  the security tracker doesn't help either.

i appologize for the mistake.  when issues don't get assigned a common
number, it's easy to miss the fact that different reports are actually
the same issue.  it was not my intent to open a duplicate bug, it looked
like this was new.

maybe it's just me, but dealing with issues in multiple releases with
the debian bts is non-obvious and a major pain.  is the *right* way
to do this documented somewhere?

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#540437: [Pkg-xfce-devel] Bug#540437: Bug#540437: xfdesktop4: keeps regenerating 'Desktop' folder in user's home dir

2009-08-09 Thread Michael S Gilbert

On Sun, Aug 9, 2009 at 3:10 PM, Yves-Alexis Perez wrote:
 I don't know how to find the culprit, but knowing if it's xfdesktop is
 easy. Just remove Desktop/ and restart xfdesktop. Maybe stracing it, and
 you'll be sure.

yes, it is xfdesktop.  removed 'Desktop', ran 'xfdesktop' and it was
back.  i straced xfdesktop, but there was no reference to 'Desktop'.
would it be useful to attach that output?

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#535909:

On Sun, 9 Aug 2009 11:00:50 +0200 Sylvain Le Gall wrote:

 Hello,
 
 On Sat, Aug 08, 2009 at 11:01:45PM -0400, Michael S. Gilbert wrote:
  reopen 535909
  fixed 535909 1:3.0.1-3
  thanks
  
   This bug has been solved with 1:3.0.1-2 before the bug was opened.
  
  thanks for the update.  please coordinate with the security team to
  prepare updates for the stable releases.
  
  
 
 For stable and oldstable, already done.
 
 lenny: 1:2.2.0-4+lenny1 
 etch: 2.20-8+etch1

great!  thanks for pushing out these updates.



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#540610: rubygems: integrity violation

On Sun, 09 Aug 2009 17:01:38 +0900 Daigo Moriwaki wrote:

 Hello Michael,
 
 Michael S. Gilbert wrote:
  In Debian, executables from gems install into a particular directory 
  specific to
  RubyGems such as /var/lib/gems/{1.8|1.9.0}/bin instead of the system 
  directory
  /usr/bin. There should be no risk that they talked about.
 
  If you think of any problems in Debian, please let me know; otherwise, 
  please
  close this ticket.
  
  what about installing a rogue 'ls' to '/var/lib/gems/{1.8|1.9.0}/bin'?
  i've never used rubygems before, so i'm not sure how paths are
  configured. would this override the system 'ls'?
 
 I tried testgem downloaded from http://bugs.gentoo.org/show_bug.cgi?id=278566.
 
 % sudo gem install testgem-0.0.1.gem
 Successfully installed testgem-0.0.1
 1 gem installed
 Installing ri documentation for testgem-0.0.1...
 File not found: lib
 
 (I think that making document files causes this error.)
 
 % ls /var/lib/gems/1.8/bin/less
 /var/lib/gems/1.8/bin/less
 
 
 So, /usr/bin/less is not overwritten.
 Debian's RubyGems is patched to replace the upstream's indiscriminate default
 directory.

ok, but when you run 'less', does that run /usr/bin/less
or /var/lib/gems/1.8/bin/less?  if it is the latter, then there is
definately a problem here.

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#535909:

reopen 535909
fixed 535909 1:3.0.1-3
thanks

 This bug has been solved with 1:3.0.1-2 before the bug was opened.

thanks for the update.  please coordinate with the security team to
prepare updates for the stable releases.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#540437: [Pkg-xfce-devel] Bug#540437: xfdesktop4: keeps regenerating 'Desktop' folder in user's home dir

On Sat, 8 Aug 2009 06:17:01 +0200 Yves-Alexis Perez wrote:
 On Fri, 7 Aug 2009 20:43:16 -0400
 Michael S Gilbert michael.s.gilb...@gmail.com wrote:
 
  i reported this upstream [0], but they were unable to reproduce.
  perhaps this is an issue specifically with the debian package?
 
 Are you sure it's created by xfdesktop?

not really.  any thoughts on how to find the culprit?  whatever is
causing the problem always regenerates 'Desktop' on x login, so i tried:

  $ ./check  out  startx

where check is

  #!/bin/bash
  lsof  ./check

then i searched through 'out', but there were no instances of 'Desktop'
being open.

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#540605: php5: memory disclosure

package: php5
version: 5.2.0-8+etch13
severity: serious
tags: security , patch

it has been disclosed that php is potentially vulnerable to remote
memory dislosure [0].  patches are available for 5.2.10 and 5.3.0, but
older versions are likely affected (as well as php4).  please check and
coordinate with the security team to prepare updates for the stable
releases. thank you.

[0] http://securityreason.com/achievement_securityalert/65



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#540606: php5: 'open_basedir' bypass

package: php5
version: 5.3.0
severity: important
tags: security , patch

it has been disclosed that php is potentially vulnerable to an
'open_basedir' bypass [0]. the advisory says that only 5.3.0 is
affected, but it would be useful to check that older versions
are safe.

[0]
http://securityreason.com/achievement_securityalert/64



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#536724: incomplete fix

the 2.8.1 fix is incomplete, and is now claimed fixed in 2.8.3.  see:

http://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/
http://core.trac.wordpress.org/changeset/11765
http://core.trac.wordpress.org/changeset/11766
http://core.trac.wordpress.org/changeset/11768
http://core.trac.wordpress.org/changeset/11769



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#540608: initscripts: wireless key stored in logs

package: initscripts
severity: important
tags: security

hello, mandriva issued the following advisory [0],[1],[2] for
initscripts. supposedly part of the user's wireless key is logged.  i
don't use WPA, so i can't verify this on debian, but it is worth checking.

[0] http://www.mandriva.com/en/security/advisories?name=MDVSA-2009:170
[1] https://qa.mandriva.com/52149
[2] https://qa.mandriva.com/51606



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#540437: xfdesktop4: keeps regenerating 'Desktop' folder in user's home dir

2009-08-07 Thread Michael S Gilbert

package: xfdesktop4
version: 4.6.1-1
severity: normal

hello,

as of the xfce 4.6 transition to untsable, there is a 'Desktop'
directory created
in the user's home folder by default, which always reappears shortly after
deletion (this did not occur in 4.4 and earlier).  i personally always set the
desktop icon type to None because i don't like clutter; hence i really don't
need the 'Desktop' directory, so i want it to be gone.

i reported this upstream [0], but they were unable to reproduce. perhaps
this is an issue specifically with the debian package?

mike

[0] http://bugzilla.xfce.org/show_bug.cgi?id=5659



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#524806: Fwd: etch patch for CVE-2009-0146/147/0166/0799/0800/1179/1180/1181/1182/1183/1187

2009-08-04 Thread Michael S Gilbert

tag 524806 patch
thanks

derived from ubuntu's 0.5.1 patch, here is a patch set for etch's
0.4.5.  i am fairly certain all of these CVEs are addressed in this one.

note vulnerable code not present in etch for CVE-2009-0755/1188.

please test; i've done some basic testing with existing pdfs on my
system, but have by no means done extensive or robust testing.
hopefully nothings been broken.

this may be useful for the etch r9 point release (if not for a DSA)?

good night,
mike
diff -ur poppler-0.4.5/poppler/CairoOutputDev.cc poppler-0.4.5-new/poppler/CairoOutputDev.cc
--- poppler-0.4.5/poppler/CairoOutputDev.cc	2005-12-12 17:24:01.0 -0500
+++ poppler-0.4.5-new/poppler/CairoOutputDev.cc	2009-08-04 01:27:24.0 -0400
@@ -509,7 +509,7 @@
   cairo_matrix_t matrix;
   int is_identity_transform;
   
-  buffer = (unsigned char *)gmalloc (width * height * 4);
+  buffer = (unsigned char *)gmallocn (width, height * 4);
 
   /* TODO: Do we want to cache these? */
   imgStr = new ImageStream(str, width,
Only in poppler-0.4.5-new/poppler: CairoOutputDev.cc.orig
diff -ur poppler-0.4.5/poppler/JBIG2Stream.cc poppler-0.4.5-new/poppler/JBIG2Stream.cc
--- poppler-0.4.5/poppler/JBIG2Stream.cc	2006-01-10 13:53:54.0 -0500
+++ poppler-0.4.5-new/poppler/JBIG2Stream.cc	2009-08-04 01:26:46.0 -0400
@@ -422,12 +422,14 @@
   table[i] = table[len];
 
   // assign prefixes
-  i = 0;
-  prefix = 0;
-  table[i++].prefix = prefix++;
-  for (; table[i].rangeLen != jbig2HuffmanEOT; ++i) {
-prefix = table[i].prefixLen - table[i-1].prefixLen;
-table[i].prefix = prefix++;
+  if (table[0].rangeLen != jbig2HuffmanEOT) {
+i = 0;
+prefix = 0;
+table[i++].prefix = prefix++;
+for (; table[i].rangeLen != jbig2HuffmanEOT; ++i) {
+  prefix = table[i].prefixLen - table[i-1].prefixLen;
+  table[i].prefix = prefix++;
+}
   }
 }
 
@@ -491,7 +493,7 @@
   }
   if (p-bits  0) {
 error(str-getPos(), Bad two dim code in JBIG2 MMR stream);
-return 0;
+return EOF;
   }
   bufLen -= p-bits;
   return p-n;
@@ -507,7 +509,7 @@
 ++nBytesRead;
   }
   while (1) {
-if (bufLen = 7  ((buf  (bufLen - 7))  0x7f) == 0) {
+if (bufLen = 11  ((buf  (bufLen - 7))  0x7f) == 0) {
   if (bufLen = 12) {
 	code = buf  (12 - bufLen);
   } else {
@@ -550,14 +552,15 @@
 ++nBytesRead;
   }
   while (1) {
-if (bufLen = 6  ((buf  (bufLen - 6))  0x3f) == 0) {
+if (bufLen = 10  ((buf  (bufLen - 6))  0x3f) == 0) {
   if (bufLen = 13) {
 	code = buf  (13 - bufLen);
   } else {
 	code = buf  (bufLen - 13);
   }
   p = blackTab1[code  0x7f];
-} else if (bufLen = 4  ((buf  (bufLen - 4))  0x0f) == 0) {
+} else if (bufLen = 7  ((buf  (bufLen - 4))  0x0f) == 0 
+	   ((buf  (bufLen - 6))  0x03) != 0) {
   if (bufLen = 12) {
 	code = buf  (12 - bufLen);
   } else {
@@ -667,6 +670,7 @@
   void combine(JBIG2Bitmap *bitmap, int x, int y, Guint combOp);
   Guchar *getDataPtr() { return data; }
   int getDataSize() { return h * line; }
+  GBool isOk() { return data != NULL; }
 
 private:
 
@@ -762,6 +766,8 @@
 inline void JBIG2Bitmap::getPixelPtr(int x, int y, JBIG2BitmapPtr *ptr) {
   if (y  0 || y = h || x = w) {
 ptr-p = NULL;
+ptr-shift = 0; // make gcc happy
+ptr-x = 0; // make gcc happy
   } else if (x  0) {
 ptr-p = data[y * line];
 ptr-shift = 7;
@@ -806,6 +812,10 @@
   Guint src0, src1, src, dest, s1, s2, m1, m2, m3;
   GBool oneByte;
 
+  // check for the pathological case where y = -2^31
+  if (y  -0x7fff) {
+return;
+  }
   if (y  0) {
 y0 = -y;
   } else {
@@ -1226,6 +1236,7 @@
   Guint segNum, segFlags, segType, page, segLength;
   Guint refFlags, nRefSegs;
   Guint *refSegs;
+  int segDataPos;
   int c1, c2, c3;
   Guint i;
 
@@ -1293,6 +1304,16 @@
   goto eofError2;
 }
 
+// keep track of the start of the segment data 
+segDataPos = getPos();
+
+// check for missing page information segment
+if (!pageBitmap  ((segType = 4  segType = 7) ||
+			(segType = 20  segType = 43))) {
+  error(getPos(), First JBIG2 segment associated with a page must be a page information segment);
+  return;
+}
+
 // read the segment data
 switch (segType) {
 case 0:
@@ -1368,6 +1389,45 @@
   break;
 }
 
+// Make sure the segment handler read all of the bytes in the 
+// segment data, unless this segment is marked as having an
+// unknown length (section 7.2.7 of the JBIG2 Final Committee Draft)
+
+if (segLength != 0x) {
+
+  int segExtraBytes = segDataPos + segLength - getPos();
+  if (segExtraBytes  0) {
+
+	// If we didn't read all of the bytes in the segment data,
+	// indicate an error, and throw away the rest of the data.
+	
+	// v.3.1.01.13 of the LuraTech PDF Compressor Server will
+	// sometimes generate an extraneous NULL byte at the end of
+	// arithmetic-coded symbol dictionary segments when numNewSyms
+	// == 0.  Segments like this often

Bug#539410: xserver-xorg-input-evdev: lost support for mousewheel scroll under kvm with option -usb -usbdevice tablet

2009-07-31 Thread Michael S. Gilbert

package: xserver-xorg-input-evdev
version: 1:2.2.3-1
severity: important

hello, i recently upgraded unstable on one of my kvm instances and
subsequently lost support for mousewheel scroll.
xserver-xorg-input-evdev was among the packages upgraded, and is my
best guess for the problematic package (other packages that were
upgraded that could be the culprit are libdbus-glib-1-2, makedev, and
linux-image-2.6.30).

note that this only occurs under kvm when the -usb -usbdevice tablet
option, which enables mouse over mode versus the standard mouse capture,
is used. when testing under mouse capture mode, mousewheel scroll works
just fine.

thanks for looking into this,
mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#539410: xserver-xorg-input-evdev: lost support for mousewheel scroll under kvm with option -usb -usbdevice tablet

2009-07-31 Thread Michael S Gilbert

On 7/31/09, Julien Cristau wrote:
 kthxbye

 please file bugs with reportbug, so essential information is not missing
 from your reports.

 thanks,
 Julien

what do you want to know?

-- Package-specific info:
/var/lib/x11/X.roster does not exist.

/var/lib/x11/X.md5sum does not exist.

X server symlink status:
lrwxrwxrwx 1 root root 13 2009-04-24 14:42 /etc/X11/X - /usr/bin/Xorg
-rwxr-xr-x 1 root root 1867808 2009-07-26 19:28 /usr/bin/Xorg

/var/lib/x11/xorg.conf.roster does not exist.

VGA-compatible devices on PCI bus:
00:02.0 VGA compatible controller: Cirrus Logic GD 5446

/var/lib/x11/xorg.conf.md5sum does not exist.

Xorg X server configuration file status:
-rw-r--r-- 1 root root 1232 2009-05-19 16:03 /etc/X11/xorg.conf

Contents of /etc/X11/xorg.conf:
# xorg.conf (X.Org X Window System server configuration file)
#
# This file was generated by dexconf, the Debian X Configuration tool, using
# values from the debconf database.
#
# Edit this file with caution, and see the xorg.conf manual page.
# (Type man xorg.conf at the shell prompt.)
#
# This file is automatically updated on xserver-xorg package upgrades *only*
# if it has not been modified since the last upgrade of the xserver-xorg
# package.
#
# If you have edited this file but would like it to be automatically updated
# again, run the following command:
#   sudo dpkg-reconfigure -phigh xserver-xorg

Section InputDevice
Identifier  Generic Keyboard
Driver  kbd
Option  XkbRules  xorg
Option  XkbModel  pc104
Option  XkbLayout us
Option  XkbVariantdvorak
EndSection

Section InputDevice
Identifier  Configured Mouse
Driver  mouse
EndSection

Section Device
Identifier  Configured Video Device
EndSection

Section Monitor
Identifier  Configured Monitor
HorizSync   30-140
VertRefresh 50-160
Option DPMS   on
EndSection

Section Screen
Identifier  Default Screen
Monitor Configured Monitor
SubSection Display
Modes   1024x768 800x600
EndSubSection
EndSection


Xorg X server log files on system:
-rw-r--r-- 1 root root 25624 2009-07-31 12:03 /var/log/Xorg.0.log

Contents of most recent Xorg X server log file
/var/log/Xorg.0.log:

This is a pre-release version of the X server from The X.Org Foundation.
It is not supported in any way.
Bugs may be filed in the bugzilla at http://bugs.freedesktop.org/.
Select the xorg product for bugs you find in this release.
Before reporting bugs in pre-release versions please check the
latest version in the X.Org Foundation git repository.
See http://wiki.x.org/wiki/GitPage for git access instructions.

X.Org X Server 1.6.2.901 (1.6.3 RC 1)
Release Date: 2009-7-26
X Protocol Version 11, Revision 0
Build Operating System: Linux 2.6.18-xen-3.1-1-amd64 x86_64 Debian
Current Operating System: Linux twink 2.6.30-1-amd64 #1 SMP Thu Jul 30
13:12:47 UTC 2009 x86_64
Build Date: 26 July 2009  11:28:17PM
xorg-server 2:1.6.2.901-1 (bui...@nautilus.fivetimesnine.net)
Before reporting problems, check http://wiki.x.org
to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
(++) from command line, (!!) notice, (II) informational,
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: /var/log/Xorg.0.log, Time: Fri Jul 31 12:03:21 2009
(==) Using config file: /etc/X11/xorg.conf
(==) No Layout section.  Using the first Screen section.
(**) |--Screen Default Screen (0)
(**) |   |--Monitor Configured Monitor
(==) No device specified for screen Default Screen.
Using the first device section listed.
(**) |   |--Device Configured Video Device
(==) Automatically adding devices
(==) Automatically enabling devices
(WW) The directory /usr/share/fonts/X11/cyrillic does not exist.
Entry deleted from font path.
(==) FontPath set to:
/usr/share/fonts/X11/misc,
/usr/share/fonts/X11/100dpi/:unscaled,
/usr/share/fonts/X11/75dpi/:unscaled,
/usr/share/fonts/X11/Type1,
/usr/share/fonts/X11/100dpi,
/usr/share/fonts/X11/75dpi,
/var/lib/defoma/x-ttcidfont-conf.d/dirs/TrueType,
built-ins
(==) ModulePath set to /usr/lib/xorg/modules
(II) Cannot locate a core pointer device.
(II) Cannot locate a core keyboard device.
(II) The server relies on HAL to provide the list of input devices.
If no devices become available, reconfigure HAL or disable 
AllowEmptyInput.
(II) Loader magic: 0x3540
(II) Module ABI versions:
X.Org ANSI C Emulation: 0.4
X.Org Video Driver: 5.0
X.Org XInput driver : 4.0
X.Org Server Extension : 2.0
(II) Loader running on linux
(++) using VT number 7

(--) PCI:*(0:0:2:0) 1013:00b8:: Cirrus Logic GD 5446 rev 0,
Mem @ 0xf000/33554432, 0xf200/4096
(II) Open ACPI

Bug#539410: xserver-xorg-input-evdev: lost support for mousewheel scroll under kvm with option -usb -usbdevice tablet

2009-07-31 Thread Michael S Gilbert

oops, the previous reportbug output was for the kvm instance without
-usb -usbdevice tablet.  the following is for the kvm instance with
that option enabled:

-- Package-specific info:
/var/lib/x11/X.roster does not exist.

/var/lib/x11/X.md5sum does not exist.

X server symlink status:
lrwxrwxrwx 1 root root 13 2009-04-24 14:42 /etc/X11/X - /usr/bin/Xorg
-rwxr-xr-x 1 root root 1867808 2009-07-26 19:28 /usr/bin/Xorg

/var/lib/x11/xorg.conf.roster does not exist.

VGA-compatible devices on PCI bus:
00:02.0 VGA compatible controller: Cirrus Logic GD 5446

/var/lib/x11/xorg.conf.md5sum does not exist.

Xorg X server configuration file status:
-rw-r--r-- 1 root root 1232 2009-05-19 16:03 /etc/X11/xorg.conf

Contents of /etc/X11/xorg.conf:
# xorg.conf (X.Org X Window System server configuration file)
#
# This file was generated by dexconf, the Debian X Configuration tool, using
# values from the debconf database.
#
# Edit this file with caution, and see the xorg.conf manual page.
# (Type man xorg.conf at the shell prompt.)
#
# This file is automatically updated on xserver-xorg package upgrades *only*
# if it has not been modified since the last upgrade of the xserver-xorg
# package.
#
# If you have edited this file but would like it to be automatically updated
# again, run the following command:
#   sudo dpkg-reconfigure -phigh xserver-xorg

Section InputDevice
Identifier  Generic Keyboard
Driver  kbd
Option  XkbRules  xorg
Option  XkbModel  pc104
Option  XkbLayout us
Option  XkbVariantdvorak
EndSection

Section InputDevice
Identifier  Configured Mouse
Driver  mouse
EndSection

Section Device
Identifier  Configured Video Device
EndSection

Section Monitor
Identifier  Configured Monitor
HorizSync   30-140
VertRefresh 50-160
Option DPMS   on
EndSection

Section Screen
Identifier  Default Screen
Monitor Configured Monitor
SubSection Display
Modes   1024x768 800x600
EndSubSection
EndSection


Xorg X server log files on system:
-rw-r--r-- 1 root root 26565 2009-07-31 13:14 /var/log/Xorg.0.log

Contents of most recent Xorg X server log file
/var/log/Xorg.0.log:

This is a pre-release version of the X server from The X.Org Foundation.
It is not supported in any way.
Bugs may be filed in the bugzilla at http://bugs.freedesktop.org/.
Select the xorg product for bugs you find in this release.
Before reporting bugs in pre-release versions please check the
latest version in the X.Org Foundation git repository.
See http://wiki.x.org/wiki/GitPage for git access instructions.

X.Org X Server 1.6.2.901 (1.6.3 RC 1)
Release Date: 2009-7-26
X Protocol Version 11, Revision 0
Build Operating System: Linux 2.6.18-xen-3.1-1-amd64 x86_64 Debian
Current Operating System: Linux twink 2.6.30-1-amd64 #1 SMP Thu Jul 30
13:12:47 UTC 2009 x86_64
Build Date: 26 July 2009  11:28:17PM
xorg-server 2:1.6.2.901-1 (bui...@nautilus.fivetimesnine.net)
Before reporting problems, check http://wiki.x.org
to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
(++) from command line, (!!) notice, (II) informational,
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: /var/log/Xorg.0.log, Time: Fri Jul 31 13:14:18 2009
(==) Using config file: /etc/X11/xorg.conf
(==) No Layout section.  Using the first Screen section.
(**) |--Screen Default Screen (0)
(**) |   |--Monitor Configured Monitor
(==) No device specified for screen Default Screen.
Using the first device section listed.
(**) |   |--Device Configured Video Device
(==) Automatically adding devices
(==) Automatically enabling devices
(WW) The directory /usr/share/fonts/X11/cyrillic does not exist.
Entry deleted from font path.
(==) FontPath set to:
/usr/share/fonts/X11/misc,
/usr/share/fonts/X11/100dpi/:unscaled,
/usr/share/fonts/X11/75dpi/:unscaled,
/usr/share/fonts/X11/Type1,
/usr/share/fonts/X11/100dpi,
/usr/share/fonts/X11/75dpi,
/var/lib/defoma/x-ttcidfont-conf.d/dirs/TrueType,
built-ins
(==) ModulePath set to /usr/lib/xorg/modules
(II) Cannot locate a core pointer device.
(II) Cannot locate a core keyboard device.
(II) The server relies on HAL to provide the list of input devices.
If no devices become available, reconfigure HAL or disable 
AllowEmptyInput.
(II) Loader magic: 0x3540
(II) Module ABI versions:
X.Org ANSI C Emulation: 0.4
X.Org Video Driver: 5.0
X.Org XInput driver : 4.0
X.Org Server Extension : 2.0
(II) Loader running on linux
(++) using VT number 7

(--) PCI:*(0:0:2:0) 1013:00b8:: Cirrus Logic GD 5446 rev 0,
Mem @ 0xf000/33554432, 0xf200/4096
(II) Open ACPI successful

Bug#539449: openssl: vulnerable to null character certificate spoofing

2009-07-31 Thread Michael S. Gilbert

package: openssl
version: 0.9.8
severity: important
tags: security

it has been disclosed that ssl applications can be tricked via
inauthentic certificates containing null characters [0]. i have not
personally checked whether openssl is affected by this, but since this
is newly disclosed, it is very likely the case.  please check and fix
if need be.  thanks.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#539449: Acknowledgement (openssl: vulnerable to null character certificate spoofing)

2009-07-31 Thread Michael S Gilbert

[0] http://www.wired.com/threatlevel/2009/07/kaminsky/



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#537633: libio-socket-ssl-perl: incorrect validation of hostnames

2009-07-19 Thread Michael S. Gilbert

package: libio-socket-ssl-perl
version: 1.01-1
severity: serious
tags: security , patch

a security issue has been fixed in the latest upstream version of
libio-socket-ssl-perl [0].  see patch [1].  please coordinate with the
security team to prepare updates for the stable releases.  thank you.

[0] https://bugzilla.redhat.com/show_bug.cgi?id=509819
[1]
http://search.cpan.org/diff?from=IO-Socket-SSL-1.25to=IO-Socket-SSL-1.26w=1



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#537634: mediawiki: multiple vulnerabilities fixed in new upstreams

2009-07-19 Thread Michael S. Gilbert

package: mediawiki
version: 1:1.15.0-1
severity: serious
tags: security

hello, multiple vulnerabilies have been fixed in upstream mediawiki
1.15.1 (these problems did not exist before 1.14.0, so lenny/etch are
not vulnerable) [0]. please update unstable to this version. thanks.

[0]
http://lists.wikimedia.org/pipermail/mediawiki-announce/2009-July/87.html



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#537637: htmldoc: buffer overflow in util.cxx's set_page_size()

2009-07-19 Thread Michael S. Gilbert

package: htmldoc
version: 1.8.27-2
severity: serious
tags: security , patch

hello, a security advisory has been issued for htmldoc [0].  patches
available from gentoo [1].  please coordinate with the security team to
prepare updates for the stable releases.  thank you.

[0] http://secunia.com/advisories/35780/
[1] http://bugs.gentoo.org/show_bug.cgi?id=278186



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#537409: info

2009-07-19 Thread Michael S Gilbert

while this bug is still open, would it make sense to disable the gcc
option/optimization/bug/flaw that allows this vulnerability to exist?
the -fno-delete-null-pointer-checks flag will completely disable
this option kernel-wide [1].

obviously there is a tradeoff here.  the null pointer optimization
does make the kernel run a bit faster (and maybe that should be
quantified to determine the impact), but on the other hand it opens up
a slew of vulnerabilities.  i think erring on the side of
caution/security is the way to go.

anyway, just a thought.

mike

[1] http://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#537396: moonlight: doesn't appear to work for microsoft's tuva site

2009-07-17 Thread Michael S. Gilbert

package: moonlight-plugin-mozilla
version: 1.0.1-3
severity: important

hello, i just tried out the moonlight plugin, but it doesn't appear to
work out of the box.  steps to reproduce:

1. $ sudo apt-get install moonlight-plugin-mozilla
2. $ iceweasel http://research.microsoft.com/tuva
3. observe error message about a silverlight-unsupported browser

thanks for looking into this.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#537281: dbus: uninstallable due to missing directory

2009-07-16 Thread Michael S. Gilbert

package: dbus
version: 1.2.16-1
severity: grave

hello, dbus is currently uninstallable on sid; erroring with the
following message:

  chown: cannot access `/usr/lib/dbus-1.0/dbus-daemon-launch-help': No
  such file or directory

this can be fixed with a 'mkdir -p':

  $ sudo mkdir -p /usr/lib/dbus-1.0/dbus-daemon-launch-help
  $ sudo apt-get install -f

thanks for fixing this.

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#537104: iceweasel: critical 0-day remote shellcode injection

2009-07-14 Thread Michael S. Gilbert

package: iceweasel
version: 3.5
severity: critical
tags: security

hello, a remote shellcode injection has been disclosed for firefox [0],
[1].  the advisory says that version 3.5 has been verified as
vulnerable, but older versions are very likely susseptable as well. i
have not checked.

this is critical since it is being exploited in the wild.

[0] http://secunia.com/advisories/35789
[1] http://milw0rm.com/exploits/9137



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#537104: forwarded

2009-07-14 Thread Michael S Gilbert

forwarded 537104 https://bugzilla.mozilla.org/show_bug.cgi?id=504237
thanks



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#536718: apache2: CVE-2009-1890 denial-of-service vulnerability

Package: apache2
Version: 2.2.3-4+etch6
Severity: serious
Tags: security , patch

Hi,
the following CVE (Common Vulnerabilities  Exposures) id was
published for apache2.

CVE-2009-1890[0]:
| The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy
| module in the Apache HTTP Server before 2.3.3, when a reverse proxy is
| configured, does not properly handle an amount of streamed data that
| exceeds the Content-Length value, which allows remote attackers to
| cause a denial of service (CPU consumption) via crafted requests.

Patches are available [0].  Please coordinate with the security team to
prepare updates for the stable releases.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1890
http://security-tracker.debian.net/tracker/CVE-2009-1890



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#535489: [Pkg-cups-devel] Bug#535488: cupsys: CVE-2009-0791 integer overflow vulnerabilities

reopen 535488
reopen 535489
thanks

On Sat, 11 Jul 2009 17:20:46 +0200 Martin Pitt wrote:

 Hello Michael,
 
 Michael S. Gilbert [2009-07-02 12:35 -0400]:
  Hi,
  the following CVE (Common Vulnerabilities  Exposures) id was
  published for cups.
  
  CVE-2009-0791[0]:
  | Multiple integer overflows in the pdftops filter in CUPS 1.1.17,
  | 1.1.22, and 1.3.7 allow remote attackers to cause a denial of service
  | (application crash) or possibly execute arbitrary code via a crafted
  | PDF file that triggers a heap-based buffer overflow, possibly related
  | to (1) Decrypt.cxx, (2) FoFiTrueType.cxx, (3) gmem.c, (4)
  | JBIG2Stream.cxx, and (5) PSOutputDev.cxx in pdftops/.  NOTE: the
  | JBIG2Stream.cxx vector may overlap CVE-2009-1179.
 
 This vulnerability does not affect cups. Because xpdf vulnerabilities
 are so common, the Debian cups package has used the external
 xpdf-utils or poppler-utils since at least woody.

are you sure about this?  i've checked the etch cupsys and lenny cups
packages and found that the pdftops source is indeed present (and the
patches for this are not applied).  the only way i see this as not
affected is if these packages do not build the pdftops code.  i am not
that familiar with the package, so i did not check whether this is the
case.  i've checked the unstable cups package and the pdftops code is
in fact removed there.

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#536724: wordpress: CORE-2009-0515 priviledges unchecked and multiple information disclosures

package: wordpress
version: 2.0.10-1etch3
severity: serious
tags: security

an advisory, CORE-2009-0515, has been issued for wordpress.  there are issues
with unchecked privilidges and many potential information disclosures.  see [1].

this is fixed in upstream version 2.8.1.  please coordinate with the security
team to prepare updates for the stable releases.

[1] 
http://corelabs.coresecurity.com/index.php?module=FrontEndModaction=viewtype=advisoryname=WordPress_Privileges_Unchecked



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#536726: mysql: post-authentication format string vulnerability

package: mysql-dfsg-5.0
version: 5.0.32-7etch8
severity: important
tags: security

hello, it has been disclosed that mysql has a post-authentication
format string vulnerability [1].  according to that message, affected
versions are claimed to be 5.0.45 and older, which would mean that lenny
and sid are not affected; however, this needs to be checked.

[1] http://seclists.org/fulldisclosure/2009/Jul/0058.html



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#535888: reopen

2009-07-10 Thread Michael S. Gilbert

reopen 535888
fixed 535888 5.2.10.dfsg.1-2
thanks

thanks for fixing this issue!  reopening to continue tracking in
etch/lenny, which haven't been fixed yet.

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#535888: [php-maint] Bug#535888: reopen

2009-07-10 Thread Michael S. Gilbert

On Fri, 10 Jul 2009 10:26:22 -0500, Raphael Geissert wrote:
 close 535888
 found 535888 5.2.6.dfsg.1-1+lenny3
 found 535888 5.2.9.dfsg.1-4
 fixed 535888 5.3.0-1
 thanks
 
 On Friday 10 July 2009 10:14:08 Michael S. Gilbert wrote:
  reopen 535888
  fixed 535888 5.2.10.dfsg.1-2
  thanks
 
  thanks for fixing this issue!  reopening to continue tracking in
  etch/lenny, which haven't been fixed yet.
 
 That's not the right way to do it, you should mark the bug as found in the 
 other versions.

doesn't it make more sense to keep the bug open until all versions are
fixed?  at least that way it continues to show up on the bug tracking
pages; and i think more accurately represents the state of the bug. my
interpretation is that closed means that the bug is gone.

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#535888: Info received ([php-maint] Bug#535888: reopen)

2009-07-10 Thread Michael S. Gilbert

i probably should have asked whether you think that this issue warrants
a DSA, would be good for an SPU, or whether you think it is
unimportant.  if this can be considered unimportant, then yes, i agree
the bug should be closed, but if there do need to be stable updates,
then i think that the bug should remain open.

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#534973: stable updates

2009-07-06 Thread Michael S. Gilbert

On Mon, 6 Jul 2009 21:44:44 +0200 Thijs Kinkhorst wrote:
  version 1:1.5.2-5 that I released to unstable is suitable for stable
  aswell. Prior to this bugfix unstable and stable both contained
  version 1:1.5.2-4. Attached is a patch with the fix. Do you want me to
  build it for stable aswell?
 
 Thank you for getting in touch with us. Judging from the context in which 
 this 
 bug manifests itself, I think releasing a DSA for it is overkill. It happens 
 when creating a new X-Face header, which is something you would do rarely,
 mostly not with any random image you didn't check out before, always as an 
 unprivileged user and what can happen is a crash of the conversion which is 
 harly harmful. The security implications of this are very minor. Normally 
 there's a process to fix minor security issues through a stable point update 
 but I think this one is even too minor for that. It's great that testing and 
 unstable are fixed for the future, but I propose that we just leave it at 
 that and consider this case closed.

i would agree.  the implications (a user-initiated application crash on
invalid input) are so minor that this probably should not have been
tagged as a security concern nor given a CVE in the first place.
although, has the possibility of code injection been fully ruled out?

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#534497: tag fixed version in unstable

fixed 534497 3.6.8-1
thanks

version in unstable is fixed



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#532520: forwarded

forwarded 532520 
http://lists.gnu.org/archive/html/lynx-dev/2009-07/msg0.html
thanks

it looks like the lynx situation for this issue isn't so simple.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#532520: info

from some of the upstream discussion, it looks like libbsd provides an
arc4random cryptographically secure PRNG, which lynx prefers when
available. an appropriate fix for this issue thus would be to depend on
libbsd0 and make sure lynx makes use of its arc4random.

mike



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#535870: xscreensaver: symlink attack enables local information disclosure

package: xscreensaver
version: 4.24-5
severity: important
tags: security

xscreensaver is vulnerable to a local information disclosure 
vulnerability [1].

[1] http://isowarez.de/xscreensaver.txt



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#535881: clamav: recent vulnerabilities

package: clamav
version: 0.90.1dfsg-4etch16
severity: important
tags: security

hello,

clamav is vulnerable to several scanner bypass vulnerabilities [1].
note that the upstream version also appears to address some other
security-related issues as well:

 * libclamav: detect and handle archives hidden inside other files (eg.
images), which can be unpacked by WinZip, WinRAR and other tools
(bb#1554) Reported by ROGER Mickael and Thierry Zoller

 * libclamav/mspack.c, cab.c: don't rely on file sizes stored in CAB
headers (bb#1562) Reported by Thierry*Zoller Thierry*Zoller.lu

 * libclamunrar/unrarvm.c: fix handling of some broken rar files

 * libclamav/mbox.c: handle malformed emails with embedded \0s (bb
#1573)

 * libclamav/readdb.c: add offset checks (bb#1615)

[1] http://blog.zoller.lu/2009/05/advisory-clamav-generic-bypass.html



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#535886: apache2: htaccess override

package: apache2
severity: important
version: 2.2.3-4+etch6
tags: security

apache2 in etch is vulnerable to an override vulnerability in .htaccess
[1].

[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=44262



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#535890: phpmyadmin: remote code injection via xss vulnerability

Package: phpmyadmin
Version: 4:2.9.1.1-10
Severity: serious
Tags: security

Hi,
the following CVE (Common Vulnerabilities  Exposures) id was
published for phpmyadmin.

CVE-2009-2284[0]:
| Cross-site scripting (XSS) vulnerability in phpMyAdmin before 3.2.0.1
| allows remote attackers to inject arbitrary web script or HTML via a
| crafted SQL bookmark.

This is fixed in unstable.  Please coordinate with the security team to
prepare updates for the stable releases.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2284
http://security-tracker.debian.net/tracker/CVE-2009-2284



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#535888: php: segfaults on corrupted jpeg files

package: php5
version: 5.2.0-8+etch13
severity: important
tags: security

hello,

php has is vulnerable to segfaulting on certain corrupted jpegs [1].
this is likely fixed in 5.3.0 since the commit to svn was made on May
28, but i haven't check the code to determine whether this is the case
or not.

[1] http://bugs.php.net/bug.php?id=48378



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#535896: rails: potential password bypass

package: rails
version: 1.1.6-3
severity: serious
tags: security

hello,

it has been found that rails is vulnerable to a password bypass [1].  this will 
be 
fixed in upstream version 2.3.3.

[1] 
http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#535909: camlimages: CVE-2009-2295 several integer overflows