Bug#551513: closed by Ryan Niebur (Bug#551513: fixed in midori 0.2.0-1)
On Sun, 18 Oct 2009 23:36:11 + Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the midori package:
>
> #551513: new upstream version 0.2.0
>
> It has been closed by Ryan Niebur

thanks for the insanely fast response time!

mike

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#550379: acknowledged by developer (closing 550379)
reopen 550379
severity 550379 wishlist
thanks

On Sun, 18 Oct 2009 23:50:04 +0100 Ben Hutchings wrote:
> On Sun, 2009-10-18 at 18:18 -0400, Michael S Gilbert wrote:
> [...]
> > in one sentence, my request is for the linux-2.6 and linux-kbuild-2.6
> > *source* packages to be merged (they are both in main, so there should
> > be no social reason for this to be impossible).
> >
> > consequently, i fully support the continued existence of the kbuild
> > binary packages (which would be built via the linux-2.6 source package
> > instead of the separate linux-kbuild-2.6 source package).
>
> It is not for us to justify the way we package the kernel, but for you
> to justify why we should change. We can make this a wishlist bug but we
> have a long list of more important bugs.

ok, thank you very much. that is all i was asking. when i find the time, i will see if i can implement the required changes.

mike
Bug#550379: acknowledged by developer (closing 550379)
maybe there is also some confusion due to my use of the term "kbuild binary packages". i am referring to the linux-kbuild-$(uname -r) binary packages when i say that, not the plain old kbuild binary/source package.

mike
Bug#550379: acknowledged by developer (closing 550379)
On Sun, 18 Oct 2009 21:56:57 +0200 maximilian attems wrote:
> On Sun, Oct 18, 2009 at 03:40:02PM -0400, Michael S Gilbert wrote:
> > > # explanation given by maintainer
> > > close 550379
> >
> > there is no explanation in the bug logs. the closest thing to an
> > explanation is:
> >
> > This is not possible for other reasons.
> >
> > where the 'other reasons' are never explained. if someone can state
> > these reasons, i would be content to give this up if they are justified.
>
> they are, please reread carefully
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550379#22

ok, i think we're caught in a continuing cycle of miscommunication and misinterpretation. for clarity, social contract item 4 states:

4. Our priorities are our users and free software

We will be guided by the needs of our users and the free software community. We will place their interests first in our priorities. We will support the needs of our users for operation in many different kinds of computing environments. We will not object to non-free works that are intended to be used on Debian systems, or attempt to charge a fee to people who create or use such works. We will allow others to create distributions containing both the Debian system and other works, without any fee from us. In furtherance of these goals, we will provide an integrated system of high-quality materials with no legal restrictions that would prevent such uses of the system.

i understand very well that you intend to serve the needs of your users, and i have no intention of impeding that. i have not intentionally made any statement contrary to that requirement in this thread and do not wish to do so. i, in fact, fully support the kbuild binary packages. i am part of the pkg-fglrx team, so i very much rely on kbuild's availability. that package, of course, is non-free, and i have no problems with that fact. i too volunteer my time for the benefit of debian's users even on "non-free" stuff.

the only way that i can understand the kernel team's perspective in message #22 is that you have misinterpreted my report as a request for kbuild to be done away with (maybe based on some non-free concept or something that i never stated). this was certainly not my intent, and perhaps i can clarify.

in one sentence, my request is for the linux-2.6 and linux-kbuild-2.6 *source* packages to be merged (they are both in main, so there should be no social reason for this to be impossible).

consequently, i fully support the continued existence of the kbuild binary packages (which would be built via the linux-2.6 source package instead of the separate linux-kbuild-2.6 source package).

mike
Bug#550379: acknowledged by developer (closing 550379)
> # explanation given by maintainer
> close 550379

there is no explanation in the bug logs. the closest thing to an explanation is:

This is not possible for other reasons.

where the 'other reasons' are never explained. if someone can state these reasons, i would be content to give this up if they are justified.

mike
Bug#551513: new upstream version 0.2.0
package: midori
version: 0.1.10-1
severity: wishlist

hi,

there is a new upstream version of midori. it would be great if you have the time to prepare a new debian package. thanks!

mike
Bug#502925: closed by Marco Rodrigues (Package xfce-mcs-manager has been removed from Debian)
On Sat, 17 Oct 2009 10:51:21 + Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the xfce4-mcs-manager package:
>
> #502925: xfce4-mcs-manager: new fonts are not available until all terminals
> closed
>
> It has been closed by Marco Rodrigues

this bug is still present in the latest version of xfce4-terminal in unstable. which package should it be reassigned to since xfce4-mcs-manager has been removed? thanks.

mike
Bug#550913: dopewars: CVE-2009-3591 denial-of-service
Package: dopewars
Version: 1.5.12-2
Severity: important
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for dopewars.

CVE-2009-3591[0]:
| Dopewars 1.5.12 allows remote attackers to cause a denial of service
| (segmentation fault) via a REQUESTJET message with an invalid
| location.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

This issue is not severe enough to warrant a DSA, so please coordinate updates for the next stable/oldstable point releases with the release team.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3591
    http://security-tracker.debian.net/tracker/CVE-2009-3591
Bug#550441: advi: statically links to camlimages
reopen 550441
thanks

On Sat, 10 Oct 2009 22:24:31 +0200 Mehdi Dogguy wrote:
> AFAICS, the version of advi currently in unstable/testing (1.6.0-14+b1)
> is not affected since it was built with the latest (fixed) version of
> camlimages.

the specific flaw is being tracked with bug #550440, which should remain open for now since etch/lenny are still affected. this bug should also remain open until the static link is fixed. or you can mark it wontfix if that is your plan.

mike
Bug#550441: advi: statically links to camlimages
On Sat, 10 Oct 2009 12:28:15 +0200 Stéphane Glondu wrote:
> Michael S Gilbert wrote:
> > advi statically links to camlimages, which makes security updates very
> > complicated. please update advi to dynamically link to camlimages.
> > thanks.
>
> Unfortunately, this is not possible without making significant changes
> to advi (and/or OCaml itself). Almost all programs written in OCaml
> suffer from this limitation. I had already asked to have advi be
> recompiled with the new camlimages, but the request got lost somehow
> (maybe Mehdi can give more information on this).
>
> There is no shared library support in OCaml. Upstream is hostile to this
> [1], so if some support would be added, it would be Debian-specific and
> make the whole OCaml stack of Debian diverge from everywhere else (we
> don't really want that). There is however dynamic linking (à la dlopen).
>
> [1] http://article.gmane.org/gmane.comp.lang.caml.inria/23778

thanks for the update on the situation. based on the link, upstream's response is not entirely hostile. see:

    Feature 3- (dynamic code loading) is already available in bytecode
    through the Dynlink API. I understand there's a demand for having it
    in native-code as well, and that might be possible without too much
    fuss, at least on selected operating systems.

so, perhaps if the work is done for them, they would be willing to accept the changes.

> Note that even if there was shared library support in OCaml, that wouldn't
> automatically make security updates easier because of the checks OCaml
> performs at link time, and it would be very unwise to disable these
> checks. In other words, an updated library can require recompilation of
> all reverse dependencies anyway.

i'm not aware of this as a concern for other packages. why is this a larger concern for advi? usually security updates do not change the ABI, so this (hopefully) shouldn't be a problem. and if it is, advi will FTBFS, so we will be more acutely aware of the fact that it needs to be updated as well.

mike
Bug#550423: [Pkg-samba-maint] Bug#550423: samba: CVE-2009-2906 dos and CVE-2009-2948 password access
On Sat, 10 Oct 2009 07:10:51 +0200 Christian Perrier wrote:
> Version: 3.4.2-1
>
> Quoting Michael S Gilbert (michael.s.gilb...@gmail.com):
> > package: samba
> > version: 3.0.24-6
> > severity: serious
> > tags: security , patch
> >
> > hi,
> >
> > the following CVEs were issued for samba.
>
> Fixed in 3.4.2
>
> Fixes for lenny are on their way.

good to know. thanks for the quick response.

mike
Bug#550442: ffmpeg: deluge of crashes due to missing input sanitization
package: ffmpeg
version: 0.cvs20060823-8
severity: serious
tags: security

hi,

ffmpeg has been found to be vulnerable to many crashers [0],[1]. this may enable remote compromise of a system. please coordinate with upstream and the security team to push out updates for these issues.

mike

[0] https://roundup.ffmpeg.org/roundup/ffmpeg/issue1240
[1] https://roundup.ffmpeg.org/roundup/ffmpeg/issue1245
Bug#550441: advi: statically links to camlimages
package: advi
version: 1.6.0-14+b1
severity: important
tags: security

hi,

advi statically links to camlimages, which makes security updates very complicated. please update advi to dynamically link to camlimages. thanks.

mike
Bug#550436: wget: forks libntlm
On Sat, Oct 10, 2009 at 12:17 AM, Micah Cowan wrote:
> Michael S Gilbert wrote:
>> package: wget
>> version: 1.12-1
>> severity: important
>> tags: security
>>
>> hi,
>>
>> wget implements a forked version of libntlm. in order to provide
>> timely security support (and to reduce some of the burden on the
>> security team), it would be very desirable (if possible) for wget to
>> link to the existing libntlm library, rather than implementing its own
>> version. thanks.
>
> This is untrue. Wget's ntlm support was taken from curl, not from libntlm.

it appeared to me to be a fork since essentially the same code is implemented with slightly differing function names. i imagine that this is a consequence of the fact that there is one right way to implement support for the ntlm standard.

> Taking advantage of libntlm could be a possible goal, however it
> currently lacks support for the most recent version of the protocol,
> whereas a user has recently contributed that support to Wget. It is not
> present in 1.12 because it hasn't been sufficiently tested (mainly
> against the earlier versions of the protocol).
>
> It'd probably be ideal for that support to find its way into libntlm. At
> that time, we'd probably consider using it. For the immediate future,
> though, we (upstream) are probably not going to pursue that just yet.

thanks for the info and quick response!

mike
Bug#550440: advi: CVE-2009-2295 arbitrary code execution
Package: advi
Version: 1.6.0-12
Severity: serious
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was published for camlimages. advi statically links to camlimages, so any issues in that package are also applicable to advi. There were already updates to camlimages for etch and lenny, so advi just needs to be relinked using those new versions. Please coordinate these updates with the security team.

CVE-2009-2295[0]:
| Multiple integer overflows in CamlImages 2.2 and earlier might allow
| context-dependent attackers to execute arbitrary code via a crafted
| PNG image with large width and height values that trigger a heap-based
| buffer overflow in the (1) read_png_file or (2) read_png_file_as_rgb24
| function.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2295
    http://security-tracker.debian.net/tracker/CVE-2009-2295
Bug#550438: cntlm: forks libntlm
package: cntlm
version: 0.35.1-5
severity: important
tags: security

hi,

cntlm implements a forked version of libntlm. in order to provide timely security support (and to reduce some of the burden on the security team), it would be very desirable (if possible) for cntlm to link to the existing libntlm library, rather than implementing its own version. thanks.

mike
Bug#550436: wget: forks libntlm
package: wget
version: 1.12-1
severity: important
tags: security

hi,

wget implements a forked version of libntlm. in order to provide timely security support (and to reduce some of the burden on the security team), it would be very desirable (if possible) for wget to link to the existing libntlm library, rather than implementing its own version. thanks.

mike
Bug#550437: curl: forks libntlm
package: curl
version: 7.19.5-1.1
severity: important
tags: security

hi,

curl implements a forked version of libntlm. in order to provide timely security support (and to reduce some of the burden on the security team), it would be very desirable (if possible) for curl to link to the existing libntlm library, rather than implementing its own version. thanks.

mike
Bug#550379: closed by Bastian Blank (Re: Bug#550379: linux-kbulid-2.6: embeds linux-2.6)
On Sat, 10 Oct 2009 03:03:06 +0200 Bastian Blank wrote:
> On Fri, Oct 09, 2009 at 05:49:13PM -0400, Michael Gilbert wrote:
> > > On Fri, Oct 09, 2009 at 02:04:20PM -0400, Michael Gilbert wrote:
> > >> the linux-kbuild-2.6 source package includes portions of code from the
> > >> linux-2.6 source package (i.e. everything in ./kbuild/*). this is bad
> > >> in terms of security support because it causes more work for the
> > >> security team and increases the risk of errors, omissions, and mistakes.
> > > No, it does not. It is a different source package and both are derived
> > > from the same upstream code.
> > two different source packages with portions being the same code are
> > considered a case of an embedded code copy; which is generally
> > considered bad practice from a security perspective.
>
> Well, please start with every source using autoconf then. autoconf
> embeds copies of a large amount of source code snippets in the targets.
> This has about the same practical relevance and use as the code we
> are talking about.

automatically generated code (a la autoconf) is not a concern for the security team. however, the kbuild code copy is not computer generated; it consists of human-created perl, c, and shell scripts.

> > >> less significant, but also important, is that since the kbuild package
> > >> is separated from the linux package, the kbuild packages always lag by
> > >> weeks or months after a new kernel release; making it impossible to
> > >> build modules for that new kernel.
> > >> the recommended course of action is to update the linux-2.6 source
> > >> package to also build the kbuild binaries. thanks.
> > > This is not possible for other reasons.
> > what are these reasons, and why do they seem so insurmountable?
>
> They are backed by §4 Social Contract.

i don't see the connection between the social contract and your requirement to keep the kbuild source package separate from the kernel source package. after all, both packages are in main, so from a social perspective, there is nothing preventing them from being merged.

> To be exact, it is part of the cross-compile support in the
> linux packages. And yes, this is heavily used.

ok, i already know the purpose of the kbuild package, and i already had the feeling that it was indeed used quite a bit. i had no intention of calling either of these facts into question. i don't see how these statements are relevant to the discussion.

mike
Bug#550424: openexr6: CVE-2009-1720,1721,1722 potential vectors for arbitrary code execution
Package: openexr6
Version: 1.6.1
Severity: serious
Tags: security

Hi,

the following CVE (Common Vulnerabilities & Exposures) ids were
published for openexr6.

CVE-2009-1720[0]:
| Multiple integer overflows in OpenEXR 1.2.2 and 1.6.1 allow
| context-dependent attackers to cause a denial of service (application
| crash) or possibly execute arbitrary code via unspecified vectors that
| trigger heap-based buffer overflows, related to (1) the
| Imf::PreviewImage::PreviewImage function and (2) compressor
| constructors. NOTE: some of these details are obtained from third
| party information.

CVE-2009-1721[1]:
| The decompression implementation in the Imf::hufUncompress function in
| OpenEXR 1.2.2 and 1.6.1 allows context-dependent attackers to cause a
| denial of service (application crash) or possibly execute arbitrary
| code via vectors that trigger a free of an uninitialized pointer.

CVE-2009-1722[2]:
| Heap-based buffer overflow in the compression implementation in
| OpenEXR 1.2.2 allows context-dependent attackers to cause a denial of
| service (application crash) or possibly execute arbitrary code via
| unspecified vectors.

These issues are already fixed in the stable releases.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1720
    http://security-tracker.debian.net/tracker/CVE-2009-1720
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1721
    http://security-tracker.debian.net/tracker/CVE-2009-1721
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1722
    http://security-tracker.debian.net/tracker/CVE-2009-1722
Bug#550423: samba: CVE-2009-2906 dos and CVE-2009-2948 password access
package: samba
version: 3.0.24-6
severity: serious
tags: security , patch

hi,

the following CVEs were issued for samba.

CVE-2009-2906 [0]:
| smbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, and 3.4
| before 3.4.2 allows remote authenticated users to cause a denial of service
| (infinite loop) via an unanticipated oplock break notification reply packet.

CVE-2009-2948 [1]:
| mount.cifs in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8 and
| 3.4 before 3.4.2, when mount.cifs is installed suid root, does not properly
| enforce permissions, which allows local users to read part of the credentials file
| and obtain the password by specifying the path to the credentials file and
| using the --verbose or -v option.

these are fixed in unstable. patches are available from [2].

mike

[0] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2906
[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2948
[2] http://www.samba.org/samba/security/
Bug#550422: samba: CVE-2009-2813 sharing restriction bypass
package: samba
version: 3.0.24-6
severity: important
tags: security

hi,

CVE-2009-2813 has been issued for samba and from the text [0], it appears to be mac-specific; however, there is not enough information to confirm or negate this. i have submitted a bug upstream requesting assistance [1]. you can follow the issue there.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2813
[1] https://bugzilla.samba.org/show_bug.cgi?id=6798
Bug#550150: cupsys: CVE-2009-2807 issue in usb backend
package: cupsys
version: 1.2.7-4
severity: serious
tags: security

hi,

cups may be affected by a security issue in its usb backend [0]. the advisories state that this affects mac os x, but it is unclear if other os'es are affected. i've submitted a bug upstream requesting more info [1]. you can follow the issue there.

best wishes,
mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2807
[1] http://www.cups.org/str.php?L3368
Bug#550002: xscreensaver: sonar should be moved to xscreensaver-gl
package: xscreensaver
version: 5.10-2
severity: normal

according to the xscreensaver readme, sonar has been rewritten using opengl. in order to prevent potential problems and other badness for non-gl users, it should be moved to the xscreensaver-gl package. thanks.

mike
Bug#520882: not fixed
reopen 520882
notfixed 520882 1:9-9-1
thanks

oops, i goofed up due to cross-posting by another bug submitter. this one likely still exists. submitter, if you can find the time to check on this bug, that would be very helpful.

mike
Bug#546781: [Pkg-fglrx-devel] Bug#546781: Bug#546781: fglrx-driver: With kernel module, displays blank screen
On Tue, 15 Sep 2009 22:51:57 -0400 Michael S Gilbert wrote:
> On Tue, 15 Sep 2009 19:17:43 -0700 Daniel Schepler wrote:
> > The 1:9-8-2 version of the driver worked fine on the same machine.

also, this may be related to bug #542735 [0]. can you try:

$ sudo aticonfig --acpi-services=off

[0] http://bugs.debian.org/542735
Bug#546781: [Pkg-fglrx-devel] Bug#546781: Bug#546781: fglrx-driver: With kernel module, displays blank screen
On Tue, 15 Sep 2009 19:17:43 -0700 Daniel Schepler wrote:
> The 1:9-8-2 version of the driver worked fine on the same machine.

what is the output of 'lsmod | grep fglrx' and 'sudo modprobe fglrx'?

mike
Bug#542849: [Pkg-fglrx-devel] Bug#542849: Bug#542849: Bug#542849: fglrx-source: fglrx:firegl_init_device_list *ERROR* Out of memory when allocating device heads
On Tue, 15 Sep 2009 14:23:42 +0800 Paul Harris wrote:
> 2009/9/15 Patrick Matthäi
>
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> >
> > Paul Harris wrote:
> > > as stated here:
> > >
> > > http://support.amd.com/us/gpudownload/linux/Legacy/Pages/radeon_linux.aspx?type=2.4.2&product=2.4.2.3.9&lang=English
> > >
> > > the support for older cards has been moved to a legacy driver.
> > >
> > > can we see Debian support for the legacy driver? I think this is very
> > > important due to the extended lifecycle of linux computers, its likely
> > > these old graphics cards will be around for quite some time into the
> > > future.
> > >
> > > This seems to be the only way to get hardware accelerated 3D graphics on
> > > linux with these cards... right?
> >
> > Wrong. Legacy is only for windows.
>
> Ah, which is why they state:
> The Linux ATI Catalyst™ driver will only be supported in Linux distributions
> prior to February 2009 for the legacy products listed above.
>
> So can we use the older drivers with newer kernels? Is it possible to
> create a working driver based on an old release?

amd's plan is to transition legacy users to the open source driver (xserver-xorg-video-radeon/radeonhd). when linux 2.6.31 gets packaged for debian (which should be very soon), this driver will fully support 3d for cards up through the r500 series.

mike
Bug#544915: adoption
hi,

i would be willing to adopt mathwar and amphetamine. i'm not a dd, but do have some packaging experience. i would need a mentor to do uploads for me.

mike
Bug#546198: xfs: uninstallable due to logged in debian-xfs user
package: xfs
version: 1:1.0.8-4
severity: serious

the latest xfs update is currently uninstallable on unstable. the error is:

Setting up xfs (1:1.0.8-4) ...
Installing new version of config file /etc/init.d/xfs ...
usermod: user debian-xfs is currently logged in
dpkg: error processing xfs (--configure):
 subprocess installed post-installation script returned error exit status 8

fyi, the debian-xfs entry in /etc/password is:

debian-xfs:x:109:115::/nonexistant:/bin/false

i don't think this had existed prior to this xfs update. let me know if you need any more info.

mike
Bug#545501: xfce4-clipman: uninstallable due file conflict with xfce4-clipman-plugin
package: xfce4-clipman
severity: serious
version: 2:1.1.0-2

hello,

both xfce4-clipman and xfce4-clipman-plugin install the file '/usr/share/applications/xfce4-clipman-plugin.desktop', which causes xfce4-clipman's installation to fail:

Unpacking xfce4-clipman (from .../xfce4-clipman_2%3a1.1.0-2_amd64.deb) ...
dpkg: error processing /var/cache/apt/archives/xfce4-clipman_2%3a1.1.0-2_amd64.deb (--unpack):
 trying to overwrite '/usr/share/applications/xfce4-clipman-plugin.desktop', which is also in package xfce4-clipman-plugin 2:1.0.2-1

this may only be a problem for upgrades from previous versions of xfce4-clipman-plugin.
Bug#524806: RFS: sponsor for poppler stable point release
Hi,

A new lenny release is coming soon and there are some open security issues in poppler that I have fixed. Attached is the debdiff of the changes.

The package can be found on mentors.debian.net:

- URL: http://mentors.debian.net/debian/pool/main/p/poppler
- Source repository: deb-src http://mentors.debian.net/debian unstable main contrib non-free
- dget http://mentors.debian.net/debian/pool/main/p/poppler/poppler_0.8.7-2lenny1.dsc

I would be glad if someone uploaded this package for me.

Kind regards,
Michael Gilbert
Bug#543257: xscreensaver: does not show screen unlock dialog for gl screensavers
package: xscreensaver-gl
version: 5.05-3
severity: normal

hello,

on my system there is no dialog drawn when unlocking gl screensavers; however it is still possible to enter the password and unlock the screen; there will just be no visual feedback. this works fine for the non-gl screensavers.

note that i am using the ati-proprietary fglrx driver for gl support right now, which may very well be the problem. i looked at a machine that has an intel gma 900 video card and it was not affected by this issue.

thanks for looking into this.

mike
Bug#543159: kvm: embeds qemu
package: kvm
version: 85+dfsg-4
severity: important
tags: security

hello,

since kvm embeds qemu it makes security updates/tracking more difficult, troublesome, and potentially more prone to error/omission. i understand that kvm is somewhat of a divergence from qemu, but if it is possible, please update kvm to use qemu.

best regards,
mike
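Several of the reports above (wget, curl and cntlm carrying their own NTLM code, linux-kbuild-2.6 carrying ./kbuild/* from linux-2.6, and kvm embedding qemu) turn on the same supply-chain problem: an embedded code copy means every security fix to the original has to be found and re-applied in each copy. The scanner below is an added example, not code from any of these packages or from the Debian security team; it hashes every hand-written source file in two trees after collapsing whitespace, so a re-indented copy still matches, and lists each file in the "embedding" tree that duplicates a file in the "upstream" tree. Generated autoconf outputs are skipped for the reason given in the kbuild thread. The two trees it builds are constructed in a temporary directory for the demonstration; their file names and contents are hypothetical.

```python
"""Flag embedded code copies between two source trees (added example)."""
import hashlib
import re
import tempfile
from pathlib import Path

# Hand-written source we care about; generated autoconf/automake outputs are
# regenerated from templates rather than maintained, so they are skipped.
SOURCE_SUFFIXES = {".c", ".h", ".pl", ".sh", ".py"}
GENERATED_NAMES = {"configure", "Makefile.in", "config.guess", "config.sub"}

_WS = re.compile(rb"\s+")


def normalized_digest(path: Path) -> str:
    """SHA-256 of a file with every whitespace run collapsed to one space."""
    data = _WS.sub(b" ", path.read_bytes()).strip()
    return hashlib.sha256(data).hexdigest()


def index_tree(root: Path) -> dict[str, list[str]]:
    """Map normalized digest -> relative paths of hand-written sources under root."""
    index: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.name in GENERATED_NAMES or path.suffix not in SOURCE_SUFFIXES:
            continue
        rel = str(path.relative_to(root))
        index.setdefault(normalized_digest(path), []).append(rel)
    return index


def find_embedded_copies(embedding: Path, upstream: Path) -> list[tuple[str, str]]:
    """Return (file in embedding tree, identical file in upstream tree) pairs."""
    upstream_index = index_tree(upstream)
    matches: list[tuple[str, str]] = []
    for digest, paths in index_tree(embedding).items():
        for embedded_file in paths:
            for upstream_file in upstream_index.get(digest, []):
                matches.append((embedded_file, upstream_file))
    return sorted(matches)


def demo() -> list[tuple[str, str]]:
    """Build two constructed (hypothetical) trees and run the scanner on them."""
    with tempfile.TemporaryDirectory() as tmp:
        up = Path(tmp, "upstream")
        emb = Path(tmp, "embedding")
        # constructed 'upstream' library: one C file, a helper script, a generated configure
        (up / "lib").mkdir(parents=True)
        (up / "lib" / "ntlm.c").write_text("int ntlm_init(void)\n{\n    return 0;\n}\n")
        (up / "lib" / "gen.pl").write_text("#!/usr/bin/perl\nprint \"hi\\n\";\n")
        (up / "configure").write_text("#! /bin/sh\n# generated\n")
        # constructed 'embedding' project: the same C code re-indented, plus its own code
        (emb / "src").mkdir(parents=True)
        (emb / "src" / "ntlm_copy.c").write_text("int ntlm_init(void) {\n\treturn 0;\n}\n")
        (emb / "src" / "main.c").write_text("int main(void) { return ntlm_init(); }\n")
        (emb / "configure").write_text("#! /bin/sh\n# generated\n")
        return find_embedded_copies(emb, up)


if __name__ == "__main__":
    for embedded_file, upstream_file in demo():
        print(f"{embedded_file} duplicates {upstream_file}")
```

Run against two real unpacked source packages, `find_embedded_copies(Path("pkg-a"), Path("pkg-b"))` gives the list a security team would want when deciding which packages need a rebuild or a re-applied patch; the identical `configure` in both trees is deliberately not reported.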
Bug#539410: useful?
hello,

was any of the above information useful? anything else i can provide?

mike
Bug#529318: linux-2.6: CVE-2007-6514 smbfs information disclosure vulnerability
On Thu, 13 Aug 2009 23:51:40 +0200 Moritz Muehlenhoff wrote:
> On Mon, May 18, 2009 at 12:06:58PM -0400, Michael S. Gilbert wrote:
> > Package: linux-2.6
> > Severity: important
> > Tags: security
> >
> > Hi,
> >
> > The following CVE (Common Vulnerabilities & Exposures) id was
> > published for linux-2.6.
> >
> > CVE-2007-6514[0]:
> > | Apache HTTP Server, when running on Linux with a document root on a
> > | Windows share mounted using smbfs, allows remote attackers to obtain
> > | unprocessed content such as source files for .php programs via a
> > | trailing "\" (backslash), which is not handled by the intended AddType
> > | directive.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE id in your changelog entry.
>
> Have you been able to test this against recent kernels such as 2.6.30?

here is my assessment of this issue: the attack vector for this one is so obscure: the worst that can happen is disclosure of scripts hosted on an apache server serving those scripts, and only if those scripts are mounted from a windows share via smbfs. i'd almost be inclined to say no-dsa for this one (or issue a dsa that says don't host your web scripts on a windows share when using apache if you are concerned about the confidentiality of those scripts). it's hardly worth worrying about.

i have not done any tests to determine affected versions, but it should be fairly straightforward to do so. see [0]. also, see redhat bug on this [1]. they have a patch for rhel 2.1, but i wasn't able to search it down.

mike

[0] http://www.securityfocus.com/archive/1/archive/1/485316/100/0/threaded
[1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-6514
Bug#541146: [Python-modules-team] Bug#541146: python-matplotlib: 0.99 version released upstream
On Wed, 12 Aug 2009 00:35:53 +0200, Sandro Tosi wrote:
> Hi Michael,
>
> On Wed, Aug 12, 2009 at 00:25, Michael S. Gilbert wrote:
> > package: python-matplotlib
> > severity: wishlist
> >
> > a new version of matplotlib has been released in the last few days [0].
> > this is a request for this to be packaged for debian. thanks!
>
> I'm aware of the new release, and I'm already working on updating
> Debian package.

good to hear! thanks.
Bug#541146: python-matplotlib: 0.99 version released upstream
package: python-matplotlib
severity: wishlist

a new version of matplotlib has been released in the last few days [0]. this is a request for this to be packaged for debian. thanks!

[0] http://matplotlib.sourceforge.net/_static/CHANGELOG
Bug#517639: severity
severity 532689 important
thanks

denial-of-services are not serious. this should probably be fixed with CVE-2009-0642 which is actually serious. please coordinate with the security team to prepare updates for the stable releases on these.
Bug#540862: reassign
reassign 540862 libxerces2-java
thanks

this appears to be a flaw in the xerces xml parser. see previous discussion and pdf.
Bug#540961: xulrunner: CVE-2009-2663 vulnerability
On Tue, 11 Aug 2009 11:47:50 +0200, Alexander Sack wrote:
> On Mon, Aug 10, 2009 at 07:47:29PM -0400, Michael S Gilbert wrote:
> > Package: xulrunner
> > Version: 1.9.1.1-2
> > Severity: grave
> > Tags: security
> >
> > Hi, the following CVE (Common Vulnerabilities & Exposures) id was
> > published for xulrunner.
> >
> > CVE-2009-2663[0]:
> > | libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
> > | 3.5.x before 3.5.2 and other products, allows context-dependent
> > | attackers to cause a denial of service (memory corruption and
> > | application crash) or possibly execute arbitrary code via a crafted
> > | .ogg file.
> >
> > This does not affect versions 1.9.0.12 and earlier, so no updates
> > are needed for the stable releases.
>
> The summary you pasted suggests that "before" 3.0.13 is affected, which
> would mean that xul 1.9.0.12 would be affected too; but OTOH, 1.9
> branch didn't have any libvorbis/codec support afaik. So this feels
> like a typo in the CVE. Anyway. xul should probably be updated to .13
> anyway in stable.

yes, this is a flaw in the cve text (which often you can't take at face value). i checked the source, and vorbis is not present in 1.9.0.12 or before, and i doubt it will be introduced in 1.9.0.13, but i could be wrong.

mike
Bug#540958: libvorbis: CVE-2009-2663 vulnerability
On Mon, 10 Aug 2009 23:01:36 -0500, Peter Samuelson wrote:
> > CVE-2009-2663[0]:
> > | libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
> > | 3.5.x before 3.5.2 and other products, allows context-dependent
> > | attackers to cause a denial of service (memory corruption and
> > | application crash) or possibly execute arbitrary code via a crafted
> > | .ogg file.
>
> Thanks, I'll prepare updates for etch, lenny, and sid. I assume the
> Mozillae in Debian use the system libvorbis, not a separate copy.

no, in fact they embed, and i've submitted a bug for that separately. thanks for working this!

mike
Bug#540961: xulrunner: CVE-2009-2663 vulnerability
Package: xulrunner
Version: 1.9.1.1-2
Severity: grave
Tags: security

Hi, the following CVE (Common Vulnerabilities & Exposures) id was published for xulrunner.

CVE-2009-2663[0]:
| libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
| 3.5.x before 3.5.2 and other products, allows context-dependent
| attackers to cause a denial of service (memory corruption and
| application crash) or possibly execute arbitrary code via a crafted
| .ogg file.

This does not affect versions 1.9.0.12 and earlier, so no updates are needed for the stable releases.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2663
    http://security-tracker.debian.net/tracker/CVE-2009-2663
Bug#540959: xulrunner: embeds libvorbis
package: xulrunner
severity: important
tags: security

hello, it seems that xulrunner embeds the libvorbis library in its source code. this is bad since it makes security updates much more difficult and troublesome. please modify the package to use the system libvorbis. thank you.
Bug#540958: libvorbis: CVE-2009-2663 vulnerability
Package: libvorbis
Version: 1.1.2.dfsg-1.4
Severity: grave
Tags: security

Hi, the following CVE (Common Vulnerabilities & Exposures) id was published for libvorbis.

CVE-2009-2663[0]:
| libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
| 3.5.x before 3.5.2 and other products, allows context-dependent
| attackers to cause a denial of service (memory corruption and
| application crash) or possibly execute arbitrary code via a crafted
| .ogg file.

Please coordinate with the security team to prepare updates for the stable releases.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2663
    http://security-tracker.debian.net/tracker/CVE-2009-2663
Bug#540905: apt-file: doesn't need to say 'run as root' in postinst
package: apt-file
severity: minor

since apt-file can now be run as non-root, it no longer needs to say that is a requirement in its postinst script. i.e. change the text

  "You need to run 'apt-file update' as root to update the cache"

to

  "You need to run 'apt-file update' to update the cache."
Bug#540885: websvn: blame is excruciatingly slow for large files
package: websvn
severity: normal

hello, trying to look at the blame for large files in websvn is excruciatingly slow. for example, try to see the blame for:

  http://svn.debian.org/wsvn/secure-testing/data/CVE/list

i waited over two hours and the page still had not generated the blame. thanks for looking into this.

mike
Bug#540437: [Pkg-xfce-devel] Bug#540437: Bug#540437: Bug#540437: xfdesktop4: keeps regenerating 'Desktop' folder in user's home dir
On Mon, 10 Aug 2009 07:58:33 +0200, Yves-Alexis Perez wrote:
> On Sun, 2009-08-09 at 23:22 -0400, Michael S Gilbert wrote:
> > yes, it is xfdesktop. removed 'Desktop', ran 'xfdesktop' and it was
> > back. i straced xfdesktop, but there was no reference to 'Desktop'.
> > would it be useful to attach that output?
>
> By the way, Desktop/ is required if xfdesktop is set to display
> Files/Launchers, so it creates (or maybe xfconf) it. But here it
> *doesn't* happen when the icon type is set to “None” or “Minimized
> applications”

ok, so sorry to waste your time, but this looks like a non-issue. i switched from 'None' to 'Minimized' and ran xfdesktop; no 'Desktop' was created. then i switched back to 'None' again, and still no 'Desktop' was created. i'm betting that there was some kind of difference between settings on one of the xfce upgrades (maybe when i upgraded from 4.4). maybe this is something that will need to be handled for lenny->squeeze upgrades? or maybe documenting the workaround in the release notes would be sufficient?

i have two other virtual machines that are still demonstrating this behavior if you want me to look at anything else. i did try 'strace -f' before and did not see any reference to 'Desktop'.

mike
Bug#535888: [php-maint] Bug#540611: php5: exif buffer overread
> > i guess i'll just deal with the broken system as is...
>
> I'm sure Don welcomes constructive criticism ;)

ok, i'll put together a constructive bug report when i have the chance.
Bug#540610: [DRE-maint] Bug#540610: rubygems: integrity violation
On Mon, 10 Aug 2009 08:24:06 -0500, Gunnar Wolf wrote:
> Michael S. Gilbert said [Sun, Aug 09, 2009 at 11:58:04PM -0400]:
> > > I tried testgem downloaded from
> > > http://bugs.gentoo.org/show_bug.cgi?id=278566.
> > >
> > >   % sudo gem install testgem-0.0.1.gem
> > >   Successfully installed testgem-0.0.1
> > >   1 gem installed
> > >   Installing ri documentation for testgem-0.0.1...
> > >   File not found: lib
> > >
> > > (I think that making document files causes this error.)
> > >
> > >   % ls /var/lib/gems/1.8/bin/less
> > >   /var/lib/gems/1.8/bin/less
> > >
> > > So, /usr/bin/less is not overwritten.
> > > Debian's RubyGems is patched to replace the upstream's indiscriminate
> > > default directory.
> >
> > ok, but when you run 'less', does that run /usr/bin/less
> > or /var/lib/gems/1.8/bin/less? if it is the latter, then there is
> > definitely a problem here.
>
> No, Debian's path does not include /var/lib/*/bin - The default paths,
> set by /etc/profile, read:
>
>   if [ "`id -u`" -eq 0 ]; then
>     PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
>   else
>     PATH="/usr/local/bin:/usr/bin:/bin:/usr/games"
>   fi
>
> Requiring rubygems does not change it, even from within Ruby:
>
>   $ irb
>   irb(main):001:0> require 'rubygems'
>   => true
>   irb(main):002:0> system 'echo $PATH'
>   /usr/local/bin:/usr/bin:/bin:/usr/games
>   => true
>
> So I think this bug does not bite us.

ok, sounds like a non-issue to me then.

mike
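An added check, not from the thread and not Debian's or RubyGems' code, that turns Gunnar's PATH argument into something you can run on a box: given a PATH string and a gem bin directory, it reports whether a gem-installed executable could shadow a system one. The PATH values and /var/lib/gems/1.8/bin are the ones quoted in the thread; the temporary tree built in demo() and the file names in it are constructed.

```python
import os
import tempfile

# Values quoted in the thread: Debian's /etc/profile defaults and the directory
# Debian's patched RubyGems installs gem executables into.
USER_PATH = "/usr/local/bin:/usr/bin:/bin:/usr/games"
ROOT_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
GEM_BIN = "/var/lib/gems/1.8/bin"
SYSTEM_BIN_DIRS = ("/usr/local/bin", "/usr/bin", "/bin")


def lookup_order(path_value):
    """Directories the shell searches for a bare command name, in order."""
    return [os.path.normpath(p) for p in path_value.split(os.pathsep) if p]


def gem_bin_wins(path_value, gem_bin=GEM_BIN, system_dirs=SYSTEM_BIN_DIRS):
    """True only if gem_bin is on PATH *and* is searched before every system
    dir that is on PATH; otherwise a gem named 'less' can never be picked
    over /usr/bin/less by typing a plain 'less' at the prompt."""
    order = lookup_order(path_value)
    gem = os.path.normpath(gem_bin)
    if gem not in order:
        return False
    sys_positions = [order.index(os.path.normpath(d)) for d in system_dirs
                     if os.path.normpath(d) in order]
    return order.index(gem) < min(sys_positions, default=len(order))


def colliding_names(gem_bin, system_dirs=SYSTEM_BIN_DIRS):
    """Executable names present both in gem_bin and in some system dir: the
    candidates a hostile gem would use (the testgem's 'less' in the thread)."""
    if not os.path.isdir(gem_bin):
        return []
    gem_names = set(os.listdir(gem_bin))
    hits = set()
    for d in system_dirs:
        if os.path.isdir(d):
            hits |= gem_names & set(os.listdir(d))
    return sorted(hits)


def audit(path_value, gem_bin=GEM_BIN, system_dirs=SYSTEM_BIN_DIRS):
    """A name collision is only a live shadow if the gem dir is searched first."""
    names = colliding_names(gem_bin, system_dirs)
    live = gem_bin_wins(path_value, gem_bin, system_dirs)
    return {"collisions": names, "shadowing": names if live else []}


def demo():
    """Constructed tree mirroring Daigo's test: the gem drops a 'less' next to
    the real one. Returns the audit for the Debian default layout (gem dir not
    on PATH) and for a PATH with the gem dir prepended."""
    with tempfile.TemporaryDirectory() as root:
        sys_bin = os.path.join(root, "usr", "bin")
        gem_bin = os.path.join(root, "var", "lib", "gems", "1.8", "bin")
        os.makedirs(sys_bin)
        os.makedirs(gem_bin)
        for d, name in ((sys_bin, "less"), (sys_bin, "ls"),
                        (gem_bin, "less"), (gem_bin, "rake")):
            open(os.path.join(d, name), "w").close()
        default_layout = audit(sys_bin, gem_bin, (sys_bin,))
        gem_first = audit(gem_bin + os.pathsep + sys_bin, gem_bin, (sys_bin,))
        return default_layout, gem_first


if __name__ == "__main__":
    print("user PATH lets gem dir win:", gem_bin_wins(USER_PATH))  # False
    print("root PATH lets gem dir win:", gem_bin_wins(ROOT_PATH))  # False
    print(demo())
```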
Bug#540862: apache2: xml-based firewall bypass / port scanning vulnerability
package: apache2
version: 2.2.3-4+etch6
severity: important
tags: security

it has been disclosed that apache (and potentially other web servers) can be used to port scan behind a firewall. i don't think this issue is too severe, but a firewall bypass nevertheless is probably not a good thing. see [0].

[0] http://www.sift.com.au/assets/downloads/SIFT-XML-Port-Scanning-v1-00.pdf
Bug#535888: [php-maint] Bug#540611: php5: exif buffer overread
On Mon, 10 Aug 2009 18:05:57 +0200, Nico Golde wrote:
> > maybe it's just me, but dealing with issues in multiple releases with
> > the debian bts is non-obvious and a major pain. is the "*right*" way
> > to do this documented somewhere?
>
> http://wiki.debian.org/BugsVersionTracking maybe helps you.

thanks for the link. this makes it clear how the system is supposed to work, but it also makes it clear that the system is rather broken -- at least from the standpoint that bugs get closed on the first fix, rather than when all releases are either fixed or marked as not affected. i guess i'll just deal with the broken system as is...

mike
Bug#540611: [php-maint] Bug#540611: Bug#540611: php5: exif buffer overread
On Mon, 10 Aug 2009 08:17:44 +0200, sean finney wrote:
> hi michael,
>
> On Sun, Aug 09, 2009 at 10:57:09PM -0400, Michael S. Gilbert wrote:
> > maybe it's just me, but dealing with issues in multiple releases with
> > the debian bts is non-obvious and a major pain. is the "*right*" way
> > to do this documented somewhere?
>
> i've brought this up in the past on -devel because i also find it
> annoying. i wasn't given a good solution apart from "you can probably
> do it with usertags", which is more of a cop out than anything else
> imho :(
>
> fyi i'm out on vacation now so won't have any time to put forward on
> php related stuff for at least another week if not two.

ok, thanks for the info. have a good one.

mike
Bug#540610: rubygems: integrity violation
On Sun, 09 Aug 2009 17:01:38 +0900 Daigo Moriwaki wrote:
> Hello Michael,
>
> Michael S. Gilbert wrote:
> > > In Debian, executables from gems install into a particular directory
> > > specific to RubyGems such as /var/lib/gems/{1.8|1.9.0}/bin instead of
> > > the system directory /usr/bin. There should be no risk that they
> > > talked about.
> > >
> > > If you think of any problems in Debian, please let me know; otherwise,
> > > please close this ticket.
> >
> > what about installing a rogue 'ls' to '/var/lib/gems/{1.8|1.9.0}/bin'?
> > i've never used rubygems before, so i'm not sure how paths are
> > configured. would this override the system 'ls'?
>
> I tried testgem downloaded from http://bugs.gentoo.org/show_bug.cgi?id=278566.
>
>   % sudo gem install testgem-0.0.1.gem
>   Successfully installed testgem-0.0.1
>   1 gem installed
>   Installing ri documentation for testgem-0.0.1...
>   File not found: lib
>
> (I think that making document files causes this error.)
>
>   % ls /var/lib/gems/1.8/bin/less
>   /var/lib/gems/1.8/bin/less
>
> So, /usr/bin/less is not overwritten.
> Debian's RubyGems is patched to replace the upstream's indiscriminate default
> directory.

ok, but when you run 'less', does that run /usr/bin/less or /var/lib/gems/1.8/bin/less? if it is the latter, then there is definitely a problem here.

mike
Bug#535909:
On Sun, 9 Aug 2009 11:00:50 +0200 Sylvain Le Gall wrote:
> Hello,
>
> On Sat, Aug 08, 2009 at 11:01:45PM -0400, Michael S. Gilbert wrote:
> > reopen 535909
> > fixed 535909 1:3.0.1-3
> > thanks
> >
> > > This bug has been solved with 1:3.0.1-2 before the bug was opened.
> >
> > thanks for the update. please coordinate with the security team to
> > prepare updates for the stable releases.
>
> For stable and oldstable, already done.
>
> lenny: 1:2.2.0-4+lenny1
> etch: 2.20-8+etch1

great! thanks for pushing out these updates.
Bug#540437: [Pkg-xfce-devel] Bug#540437: Bug#540437: xfdesktop4: keeps regenerating 'Desktop' folder in user's home dir
On Sun, Aug 9, 2009 at 3:10 PM, Yves-Alexis Perez wrote:
> I don't know how to find the culprit, but knowing if it's xfdesktop is
> easy. Just remove Desktop/ and restart xfdesktop. Maybe stracing it, and
> you'll be sure.

yes, it is xfdesktop. removed 'Desktop', ran 'xfdesktop' and it was back. i straced xfdesktop, but there was no reference to 'Desktop'. would it be useful to attach that output?

mike
Bug#535888: [php-maint] Bug#540611: php5: exif buffer overread
On Sun, 9 Aug 2009 21:02:36 -0500 Raphael Geissert wrote:
> On Sunday 09 August 2009 01:13:42 Michael S. Gilbert wrote:
> >
> > hello, it has been disclosed that php is vulnerable to a buffer
> > over-read in versions before 5.2.10. see:
>
> You already reported it as #535888, there's no need to report it more than
> once.
> And no, reopening the report is *not necessary*, the BTS knows what versions
> are affected. *Take a look at the graph at the top if necessary*
>
> And adding another entry to the security tracker doesn't help either.

i apologize for the mistake. when issues don't get assigned a common number, it's easy to miss the fact that different reports are actually the same issue. it was not my intent to open a duplicate bug, it looked like this was new.

maybe it's just me, but dealing with issues in multiple releases with the debian bts is non-obvious and a major pain. is the "*right*" way to do this documented somewhere?

mike
Bug#540610: rubygems: integrity violation
On Sun, 09 Aug 2009 15:34:18 +0900 Daigo Moriwaki wrote:
> Hello Michael,
>
> Michael S. Gilbert wrote:
> > package: rubygems1.9
> > version: 1.3.1
> > tags: security
> > severity: serious
> >
> > hello, it has been disclosed that a specially crafted gem archive could
> > be used to overwrite system files. confirmed for 1.3.x, but older
> > versions may also be affected. please check and help the security
> > team prepare updates for the stable releases. see:
> >
> > http://bugs.gentoo.org/show_bug.cgi?id=278566
> > http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/24472
> > http://redmine.ruby-lang.org/issues/show/1800
>
> Thank you for the references. I have just read them.
>
> In Debian, executables from gems install into a particular directory specific
> to RubyGems such as /var/lib/gems/{1.8|1.9.0}/bin instead of the system
> directory /usr/bin. There should be no risk that they talked about.
>
> If you think of any problems in Debian, please let me know; otherwise, please
> close this ticket.

what about installing a rogue 'ls' to '/var/lib/gems/{1.8|1.9.0}/bin'? i've never used rubygems before, so i'm not sure how paths are configured. would this override the system 'ls'?

mike
Bug#540611: php5: exif buffer overread
package: php5
version: 5.2.0-8+etch13
severity: important
tags: security

hello, it has been disclosed that php is vulnerable to a buffer over-read in versions before 5.2.10. see:

http://secunia.com/advisories/35441/
http://www.vupen.com/english/advisories/2009/1632
Bug#540610: rubygems: integrity violation
package: rubygems1.9
version: 1.3.1
tags: security
severity: serious

hello, it has been disclosed that a specially crafted gem archive could be used to overwrite system files. confirmed for 1.3.x, but older versions may also be affected. please check and help the security team prepare updates for the stable releases. see:

http://bugs.gentoo.org/show_bug.cgi?id=278566
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/24472
http://redmine.ruby-lang.org/issues/show/1800
Bug#540608: initscripts: wireless key stored in logs
package: initscripts
severity: important
tags: security

hello, mandriva issued the following advisory [0],[1],[2] for initscripts. supposedly part of the user's wireless key is logged. i don't use WPA, so i can't verify this on debian, but it is worth checking.

[0] http://www.mandriva.com/en/security/advisories?name=MDVSA-2009:170
[1] https://qa.mandriva.com/52149
[2] https://qa.mandriva.com/51606
Bug#536724: incomplete fix
the 2.8.1 fix is incomplete, and is now claimed fixed in 2.8.3. see:

http://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/
http://core.trac.wordpress.org/changeset/11765
http://core.trac.wordpress.org/changeset/11766
http://core.trac.wordpress.org/changeset/11768
http://core.trac.wordpress.org/changeset/11769
Bug#540606: php5: 'open_basedir' bypass
package: php5
version: 5.3.0
severity: important
tags: security, patch

it has been disclosed that php is potentially vulnerable to an 'open_basedir' bypass [0]. the advisory says that only 5.3.0 is affected, but it would be useful to check that older versions are safe.

[0] http://securityreason.com/achievement_securityalert/64
Bug#540605: php5: memory disclosure
package: php5
version: 5.2.0-8+etch13
severity: serious
tags: security, patch

it has been disclosed that php is potentially vulnerable to remote memory disclosure [0]. patches are available for 5.2.10 and 5.3.0, but older versions are likely affected (as well as php4). please check and coordinate with the security team to prepare updates for the stable releases. thank you.

[0] http://securityreason.com/achievement_securityalert/65
Bug#540437: [Pkg-xfce-devel] Bug#540437: xfdesktop4: keeps regenerating 'Desktop' folder in user's home dir
On Sat, 8 Aug 2009 06:17:01 +0200 Yves-Alexis Perez wrote:
> On Fri, 7 Aug 2009 20:43:16 -0400
> Michael S Gilbert wrote:
>
> > i reported this upstream [0], but they were unable to reproduce.
> > perhaps this is an issue specifically with the debian package?
>
> Are you sure it's created by xfdesktop?

not really. any thoughts on how to find the culprit? whatever is causing the problem always regenerates 'Desktop' on x login, so i tried:

  $ ./check > out & startx

where check is

  #!/bin/bash
  # re-run lsof until killed; exec replaces the shell instead of nesting a new one per iteration
  lsof && exec ./check

then i searched through 'out', but there were no instances of 'Desktop' being open.

mike
Bug#535909:
reopen 535909
fixed 535909 1:3.0.1-3
thanks

> This bug has been solved with 1:3.0.1-2 before the bug was opened.

thanks for the update. please coordinate with the security team to prepare updates for the stable releases.
Bug#540437: xfdesktop4: keeps regenerating 'Desktop' folder in user's home dir
package: xfdesktop4
version: 4.6.1-1
severity: normal

hello, as of the xfce 4.6 transition to unstable, there is a 'Desktop' directory created in the user's home folder by default, which always reappears shortly after deletion (this did not occur in 4.4 and earlier). i personally always set the desktop icon type to "None" because i don't like clutter; hence i really don't need the 'Desktop' directory, so i want it to be gone. i reported this upstream [0], but they were unable to reproduce. perhaps this is an issue specifically with the debian package?

mike

[0] http://bugzilla.xfce.org/show_bug.cgi?id=5659
Bug#524806: Fwd: etch patch for CVE-2009-0146/147/0166/0799/0800/1179/1180/1181/1182/1183/1187
tag 524806 patch thanks derived from ubuntu's 0.5.1 patch, here is a patch set for etch's 0.4.5. i am fairly certain all of these CVEs are addressed in this one. note vulnerable code not present in etch for CVE-2009-0755/1188. please test; i've done some basic testing with existing pdfs on my system, but have by no means done extensive or robust testing. hopefully nothings been broken. this may be useful for the etch r9 point release (if not for a DSA)? good night, mike diff -ur poppler-0.4.5/poppler/CairoOutputDev.cc poppler-0.4.5-new/poppler/CairoOutputDev.cc --- poppler-0.4.5/poppler/CairoOutputDev.cc 2005-12-12 17:24:01.0 -0500 +++ poppler-0.4.5-new/poppler/CairoOutputDev.cc 2009-08-04 01:27:24.0 -0400 @@ -509,7 +509,7 @@ cairo_matrix_t matrix; int is_identity_transform; - buffer = (unsigned char *)gmalloc (width * height * 4); + buffer = (unsigned char *)gmallocn (width, height * 4); /* TODO: Do we want to cache these? */ imgStr = new ImageStream(str, width, Only in poppler-0.4.5-new/poppler: CairoOutputDev.cc.orig diff -ur poppler-0.4.5/poppler/JBIG2Stream.cc poppler-0.4.5-new/poppler/JBIG2Stream.cc --- poppler-0.4.5/poppler/JBIG2Stream.cc 2006-01-10 13:53:54.0 -0500 +++ poppler-0.4.5-new/poppler/JBIG2Stream.cc 2009-08-04 01:26:46.0 -0400 @@ -422,12 +422,14 @@ table[i] = table[len]; // assign prefixes - i = 0; - prefix = 0; - table[i++].prefix = prefix++; - for (; table[i].rangeLen != jbig2HuffmanEOT; ++i) { -prefix <<= table[i].prefixLen - table[i-1].prefixLen; -table[i].prefix = prefix++; + if (table[0].rangeLen != jbig2HuffmanEOT) { +i = 0; +prefix = 0; +table[i++].prefix = prefix++; +for (; table[i].rangeLen != jbig2HuffmanEOT; ++i) { + prefix <<= table[i].prefixLen - table[i-1].prefixLen; + table[i].prefix = prefix++; +} } } @@ -491,7 +493,7 @@ } if (p->bits < 0) { error(str->getPos(), "Bad two dim code in JBIG2 MMR stream"); -return 0; +return EOF; } bufLen -= p->bits; return p->n; 
@@ -507,7 +509,7 @@ ++nBytesRead; } while (1) { -if (bufLen >= 7 && ((buf >> (bufLen - 7)) & 0x7f) == 0) { +if (bufLen >= 11 && ((buf >> (bufLen - 7)) & 0x7f) == 0) { if (bufLen <= 12) { code = buf << (12 - bufLen); } else { @@ -550,14 +552,15 @@ ++nBytesRead; } while (1) { -if (bufLen >= 6 && ((buf >> (bufLen - 6)) & 0x3f) == 0) { +if (bufLen >= 10 && ((buf >> (bufLen - 6)) & 0x3f) == 0) { if (bufLen <= 13) { code = buf << (13 - bufLen); } else { code = buf >> (bufLen - 13); } p = &blackTab1[code & 0x7f]; -} else if (bufLen >= 4 && ((buf >> (bufLen - 4)) & 0x0f) == 0) { +} else if (bufLen >= 7 && ((buf >> (bufLen - 4)) & 0x0f) == 0 && + ((buf >> (bufLen - 6)) & 0x03) != 0) { if (bufLen <= 12) { code = buf << (12 - bufLen); } else { @@ -667,6 +670,7 @@ void combine(JBIG2Bitmap *bitmap, int x, int y, Guint combOp); Guchar *getDataPtr() { return data; } int getDataSize() { return h * line; } + GBool isOk() { return data != NULL; } private: @@ -762,6 +766,8 @@ inline void JBIG2Bitmap::getPixelPtr(int x, int y, JBIG2BitmapPtr *ptr) { if (y < 0 || y >= h || x >= w) { ptr->p = NULL; +ptr->shift = 0; // make gcc happy +ptr->x = 0; // make gcc happy } else if (x < 0) { ptr->p = &data[y * line]; ptr->shift = 7; @@ -806,6 +812,10 @@ Guint src0, src1, src, dest, s1, s2, m1, m2, m3; GBool oneByte; + // check for the pathological case where y = -2^31 + if (y < -0x7fff) { +return; + } if (y < 0) { y0 = -y; } else { @@ -1226,6 +1236,7 @@ Guint segNum, segFlags, segType, page, segLength; Guint refFlags, nRefSegs; Guint *refSegs; + int segDataPos; int c1, c2, c3; Guint i; 
@@ -1293,6 +1304,16 @@ goto eofError2; } +// keep track of the start of the segment data +segDataPos = getPos(); + +// check for missing page information segment +if (!pageBitmap && ((segType >= 4 && segType <= 7) || + (segType >= 20 && segType <= 43))) { + error(getPos(), "First JBIG2 segment associated with a page must be a page information segment"); + return; +} + // read the segment data switch (segType) { case 0: @@ -1368,6 +1389,45 @@ break; } +// Make sure the segment handler read all of the bytes in the +// segment data, unless this segment is marked as having an +// unknown length (section 7.2.7 of the JBIG2 Final Committee Draft) + +if (segLength != 0x) { + + int segExtraBytes = segDataPos + segLength - getPos(); + if (segExtraBytes > 0) { + + // If we didn't read all of the bytes in the segment data, + // indicate an error, and throw away the rest of the data. + + // v.3.1.01.13 of the LuraTech PDF Compressor Server will + // sometimes generate an extraneous NULL byte at the end of + // arithmetic-
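Review bot: in the CairoOutputDev.cc hunk, `gmallocn (width, height * 4)` guards the final product, but `height * 4` is still computed as a plain int before the call and wraps for a large height; either reject height > INT_MAX / 4 before the allocation or use a three-operand checked allocator if this tree has one. The `Only in poppler-0.4.5-new/poppler: CairoOutputDev.cc.orig` line also shows a leftover `.orig` backup in the patched tree; delete it before regenerating the diff so it does not end up in the package.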
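Review bot: the JBIG2Stream.cc hunk at @@ -422,12 wraps the prefix assignment in `if (table[0].rangeLen != jbig2HuffmanEOT)`, which is the right guard for an empty table, but the inner loop still walks `table[i]` and `table[i-1]` with the EOT sentinel as its only bound; a comment at the call sites stating that every table passed in is terminated with jbig2HuffmanEOT would make the guard reviewable without reading the rest of the file.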
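Review bot: in the @@ -491,7 hunk, changing the "Bad two dim code" path from `return 0;` to `return EOF;` only helps if every caller treats a negative result as an error rather than as a run length; the callers are not in this patch, so confirm each one tests for EOF (or `< 0`) before using the value, otherwise the change trades a zero-length run for a negative one.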
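Review bot: the new thresholds in the @@ -507,7 and @@ -550,14 hunks (`bufLen >= 11` paired with a shift of `bufLen - 7`, `bufLen >= 10` with `bufLen - 6`, `bufLen >= 7` with `bufLen - 4`, plus the extra `((buf >> (bufLen - 6)) & 0x03) != 0` test) are bare magic numbers; add a one-line comment saying they guarantee the full 12- or 13-bit code is already in `buf` before `code` is formed, so the relation to the white/black code-table widths can be checked by the next reader.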
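Review bot: the @@ -667,6 hunk adds `GBool isOk() { return data != NULL; }` to JBIG2Bitmap, but nothing in the hunks shown calls it; the allocation-failure fixes in this CVE set depend on the code that constructs bitmaps checking `isOk()` before `getDataPtr()` or `combine()`, so those hunks need to be in the set (the mail is cut off at `arithmetic-`, so they may simply be missing from the archived copy).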
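Review bot: in the @@ -806,6 hunk the comment says "check for the pathological case where y = -2^31" but the test reads `if (y < -0x7fff)`, which rejects every y below -32767; either the comment or the constant is wrong as posted, and given the `.0` file timestamps and the bare `0x` later in the patch it looks like characters were dropped in transit, so please re-send the patch as an attachment and state the intended bound.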
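Review bot: the @@ -1368,6 hunk has `if (segLength != 0x) {`, which will not compile as posted (the constant is incomplete), and `segDataPos + segLength - getPos()` mixes an int with a Guint, so a segLength near 2^32 wraps before the result lands in `int segExtraBytes`; bound segLength against the bytes remaining in the stream before doing that arithmetic, and re-send the hunk intact.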
Bug#539449: Acknowledgement (openssl: vulnerable to null character certificate spoofing)
[0] http://www.wired.com/threatlevel/2009/07/kaminsky/
Bug#539449: openssl: vulnerable to null character certificate spoofing
package: openssl
version: 0.9.8
severity: important
tags: security

it has been disclosed that ssl applications can be tricked via inauthentic certificates containing null characters [0]. i have not personally checked whether openssl is affected by this, but since this is newly disclosed, it is very likely the case. please check and fix if need be. thanks.
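The null-character issue referenced above, as an added example that is not from the bug report or from OpenSSL: a hostname check fed a C-string view of the subject CN (truncated at the first NUL) beside a length-aware check that rejects embedded NULs, plus an inspection helper for certificate auditing. All names are constructed and use the .invalid TLD.

```python
def c_string_view(name):
    """What strlen()/strcmp()-style code sees: the bytes up to the first NUL."""
    nul = name.find(b"\x00")
    return name if nul < 0 else name[:nul]


def _labels_match(pattern, host):
    """RFC 2818-style match on lowercase labels: a leading '*' matches exactly
    one label, every other label must be equal, and empty labels never match."""
    p, h = pattern.lower().split(b"."), host.lower().split(b".")
    if len(p) != len(h) or any(label == b"" for label in h):
        return False
    if p[0] == b"*":
        return p[1:] == h[1:]
    return p == h


def matches_naive(cn, host):
    """Vulnerable shape: the CN is handed to C-string code, so it is truncated
    at the first NUL before the comparison and 'www.example.com\\0.attacker.invalid'
    is accepted for www.example.com."""
    return _labels_match(c_string_view(cn), host)


def matches_strict(cn, host):
    """Hardened: the CN is a length-delimited value; any embedded NUL is
    rejected outright and the full value must match the host."""
    if b"\x00" in cn or b"\x00" in host:
        return False
    return _labels_match(cn, host)


def audit_subject(cn):
    """Inspection helper: flag NUL bytes and show the two views of the name,
    the one C-string code sees and the suffix a CA would have validated."""
    has_nul = b"\x00" in cn
    return {
        "has_nul": has_nul,
        "c_string_view": c_string_view(cn),
        "suffix_after_nul": cn[cn.find(b"\x00") + 1:] if has_nul else b"",
    }


# Constructed subject names: a legitimate one and a NUL-prefixed one.
GOOD_CN = b"www.example.com"
EVIL_CN = b"www.example.com\x00.attacker.invalid"
```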
Bug#539410: xserver-xorg-input-evdev: lost support for mousewheel scroll under kvm with option "-usb -usbdevice tablet"
oops, the previous reportbug output was for the kvm instance without "-usb -usbdevice tablet". the following is for the kvm instance with that option enabled:

-- Package-specific info:
/var/lib/x11/X.roster does not exist.

/var/lib/x11/X.md5sum does not exist.

X server symlink status:
lrwxrwxrwx 1 root root 13 2009-04-24 14:42 /etc/X11/X -> /usr/bin/Xorg
-rwxr-xr-x 1 root root 1867808 2009-07-26 19:28 /usr/bin/Xorg

/var/lib/x11/xorg.conf.roster does not exist.

VGA-compatible devices on PCI bus:
00:02.0 VGA compatible controller: Cirrus Logic GD 5446

/var/lib/x11/xorg.conf.md5sum does not exist.

Xorg X server configuration file status:
-rw-r--r-- 1 root root 1232 2009-05-19 16:03 /etc/X11/xorg.conf

Contents of /etc/X11/xorg.conf:
# xorg.conf (X.Org X Window System server configuration file)
#
# This file was generated by dexconf, the Debian X Configuration tool, using
# values from the debconf database.
#
# Edit this file with caution, and see the xorg.conf manual page.
# (Type "man xorg.conf" at the shell prompt.)
#
# This file is automatically updated on xserver-xorg package upgrades *only*
# if it has not been modified since the last upgrade of the xserver-xorg
# package.
#
# If you have edited this file but would like it to be automatically updated
# again, run the following command:
#   sudo dpkg-reconfigure -phigh xserver-xorg

Section "InputDevice"
    Identifier  "Generic Keyboard"
    Driver      "kbd"
    Option      "XkbRules"   "xorg"
    Option      "XkbModel"   "pc104"
    Option      "XkbLayout"  "us"
    Option      "XkbVariant" "dvorak"
EndSection

Section "InputDevice"
    Identifier  "Configured Mouse"
    Driver      "mouse"
EndSection

Section "Device"
    Identifier  "Configured Video Device"
EndSection

Section "Monitor"
    Identifier  "Configured Monitor"
    HorizSync   30-140
    VertRefresh 50-160
    Option      "DPMS" "on"
EndSection

Section "Screen"
    Identifier  "Default Screen"
    Monitor     "Configured Monitor"
    SubSection "Display"
        Modes   "1024x768" "800x600"
    EndSubSection
EndSection

Xorg X server log files on system:
-rw-r--r-- 1 root root 26565 2009-07-31 13:14 /var/log/Xorg.0.log

Contents of most recent Xorg X server log file /var/log/Xorg.0.log:

This is a pre-release version of the X server from The X.Org Foundation.
It is not supported in any way.
Bugs may be filed in the bugzilla at http://bugs.freedesktop.org/.
Select the "xorg" product for bugs you find in this release.
Before reporting bugs in pre-release versions please check the
latest version in the X.Org Foundation git repository.
See http://wiki.x.org/wiki/GitPage for git access instructions.

X.Org X Server 1.6.2.901 (1.6.3 RC 1)
Release Date: 2009-7-26
X Protocol Version 11, Revision 0
Build Operating System: Linux 2.6.18-xen-3.1-1-amd64 x86_64 Debian
Current Operating System: Linux twink 2.6.30-1-amd64 #1 SMP Thu Jul 30 13:12:47 UTC 2009 x86_64
Build Date: 26 July 2009 11:28:17PM
xorg-server 2:1.6.2.901-1 (bui...@nautilus.fivetimesnine.net)
    Before reporting problems, check http://wiki.x.org
    to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
    (++) from command line, (!!) notice, (II) informational,
    (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: "/var/log/Xorg.0.log", Time: Fri Jul 31 13:14:18 2009
(==) Using config file: "/etc/X11/xorg.conf"
(==) No Layout section. Using the first Screen section.
(**) |-->Screen "Default Screen" (0)
(**) |   |-->Monitor "Configured Monitor"
(==) No device specified for screen "Default Screen".
    Using the first device section listed.
(**) |   |-->Device "Configured Video Device"
(==) Automatically adding devices
(==) Automatically enabling devices
(WW) The directory "/usr/share/fonts/X11/cyrillic" does not exist.
    Entry deleted from font path.
(==) FontPath set to:
    /usr/share/fonts/X11/misc,
    /usr/share/fonts/X11/100dpi/:unscaled,
    /usr/share/fonts/X11/75dpi/:unscaled,
    /usr/share/fonts/X11/Type1,
    /usr/share/fonts/X11/100dpi,
    /usr/share/fonts/X11/75dpi,
    /var/lib/defoma/x-ttcidfont-conf.d/dirs/TrueType,
    built-ins
(==) ModulePath set to "/usr/lib/xorg/modules"
(II) Cannot locate a core pointer device.
(II) Cannot locate a core keyboard device.
(II) The server relies on HAL to provide the list of input devices.
    If no devices become available, reconfigure HAL or disable AllowEmptyInput.
(II) Loader magic: 0x3540
(II) Module ABI versions:
    X.Org ANSI C Emulation: 0.4
    X.Org Video Driver: 5.0
    X.Org XInput driver : 4.0
    X.Org Server Extension : 2.0
(II) Loader running on linux
(++) using VT number 7

(--) PCI:*(0:0:2:0) 1013:00b8:: Cirrus Logic GD 5446 rev 0, Mem @ 0x
Bug#539410: xserver-xorg-input-evdev: lost support for mousewheel scroll under kvm with option "-usb -usbdevice tablet"
On 7/31/09, Julien Cristau wrote:
> kthxbye
>
> please file bugs with reportbug, so essential information is not missing
> from your reports.
>
> thanks,
> Julien

what do you want to know?

-- Package-specific info:
/var/lib/x11/X.roster does not exist.

/var/lib/x11/X.md5sum does not exist.

X server symlink status:
lrwxrwxrwx 1 root root 13 2009-04-24 14:42 /etc/X11/X -> /usr/bin/Xorg
-rwxr-xr-x 1 root root 1867808 2009-07-26 19:28 /usr/bin/Xorg

/var/lib/x11/xorg.conf.roster does not exist.

VGA-compatible devices on PCI bus:
00:02.0 VGA compatible controller: Cirrus Logic GD 5446

/var/lib/x11/xorg.conf.md5sum does not exist.

Xorg X server configuration file status:
-rw-r--r-- 1 root root 1232 2009-05-19 16:03 /etc/X11/xorg.conf

Contents of /etc/X11/xorg.conf:
# xorg.conf (X.Org X Window System server configuration file)
#
# This file was generated by dexconf, the Debian X Configuration tool, using
# values from the debconf database.
#
# Edit this file with caution, and see the xorg.conf manual page.
# (Type "man xorg.conf" at the shell prompt.)
#
# This file is automatically updated on xserver-xorg package upgrades *only*
# if it has not been modified since the last upgrade of the xserver-xorg
# package.
#
# If you have edited this file but would like it to be automatically updated
# again, run the following command:
#   sudo dpkg-reconfigure -phigh xserver-xorg

Section "InputDevice"
	Identifier	"Generic Keyboard"
	Driver		"kbd"
	Option		"XkbRules"	"xorg"
	Option		"XkbModel"	"pc104"
	Option		"XkbLayout"	"us"
	Option		"XkbVariant"	"dvorak"
EndSection

Section "InputDevice"
	Identifier	"Configured Mouse"
	Driver		"mouse"
EndSection

Section "Device"
	Identifier	"Configured Video Device"
EndSection

Section "Monitor"
	Identifier	"Configured Monitor"
	HorizSync	30-140
	VertRefresh	50-160
	Option		"DPMS" "on"
EndSection

Section "Screen"
	Identifier	"Default Screen"
	Monitor		"Configured Monitor"
	SubSection "Display"
		Modes		"1024x768" "800x600"
	EndSubSection
EndSection

Xorg X server log files on system:
-rw-r--r-- 1 root root 25624 2009-07-31 12:03 /var/log/Xorg.0.log

Contents of most recent Xorg X server log file /var/log/Xorg.0.log:

This is a pre-release version of the X server from The X.Org Foundation.
It is not supported in any way.
Bugs may be filed in the bugzilla at http://bugs.freedesktop.org/.
Select the "xorg" product for bugs you find in this release.
Before reporting bugs in pre-release versions please check the
latest version in the X.Org Foundation git repository.
See http://wiki.x.org/wiki/GitPage for git access instructions.

X.Org X Server 1.6.2.901 (1.6.3 RC 1)
Release Date: 2009-7-26
X Protocol Version 11, Revision 0
Build Operating System: Linux 2.6.18-xen-3.1-1-amd64 x86_64 Debian
Current Operating System: Linux twink 2.6.30-1-amd64 #1 SMP Thu Jul 30 13:12:47 UTC 2009 x86_64
Build Date: 26 July 2009  11:28:17PM
xorg-server 2:1.6.2.901-1 (bui...@nautilus.fivetimesnine.net)
	Before reporting problems, check http://wiki.x.org
	to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
	(++) from command line, (!!) notice, (II) informational,
	(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: "/var/log/Xorg.0.log", Time: Fri Jul 31 12:03:21 2009
(==) Using config file: "/etc/X11/xorg.conf"
(==) No Layout section.  Using the first Screen section.
(**) |-->Screen "Default Screen" (0)
(**) |   |-->Monitor "Configured Monitor"
(==) No device specified for screen "Default Screen".
	Using the first device section listed.
(**) |   |-->Device "Configured Video Device"
(==) Automatically adding devices
(==) Automatically enabling devices
(WW) The directory "/usr/share/fonts/X11/cyrillic" does not exist.
	Entry deleted from font path.
(==) FontPath set to:
	/usr/share/fonts/X11/misc,
	/usr/share/fonts/X11/100dpi/:unscaled,
	/usr/share/fonts/X11/75dpi/:unscaled,
	/usr/share/fonts/X11/Type1,
	/usr/share/fonts/X11/100dpi,
	/usr/share/fonts/X11/75dpi,
	/var/lib/defoma/x-ttcidfont-conf.d/dirs/TrueType,
	built-ins
(==) ModulePath set to "/usr/lib/xorg/modules"
(II) Cannot locate a core pointer device.
(II) Cannot locate a core keyboard device.
(II) The server relies on HAL to provide the list of input devices.
	If no devices become available, reconfigure HAL or disable AllowEmptyInput.
(II) Loader magic: 0x3540
(II) Module ABI versions:
	X.Org ANSI C Emulation: 0.4
	X.Org Video Driver: 5.0
	X.Org XInput driver : 4.0
	X.Org Server Extension : 2.0
(II) Loader running on linux
(++) using VT number 7

(--) PCI:*(0:0:2:0) 1013:00b8:: Cirrus
Bug#539410: xserver-xorg-input-evdev: lost support for mousewheel scroll under kvm with option "-usb -usbdevice tablet"
package: xserver-xorg-input-evdev
version: 1:2.2.3-1
severity: important

hello,

i recently upgraded unstable on one of my kvm instances and subsequently lost support for mousewheel scroll. xserver-xorg-input-evdev was among the packages upgraded, and is my best guess for the problematic package (other packages that were upgraded that could be the culprit are libdbus-glib-1-2, makedev, and linux-image-2.6.30). note that this only occurs under kvm when the "-usb -usbdevice tablet" option, which enables mouse over mode versus the standard mouse capture, is used. when testing under mouse capture mode, mousewheel scroll works just fine.

thanks for looking into this,
mike

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#537409: info
while this bug is still open, would it make sense to disable the gcc option/optimization/bug/flaw that allows this vulnerability to exist? the "-fno-delete-null-pointer-checks" flag will completely disable this option kernel-wide [1]. obviously there is a tradeoff here. the null pointer optimization does make the kernel run a bit faster (and maybe that should be quantified to determine the impact), but on the other hand it opens up a slew of vulnerabilities. i think erring on the side of caution/security is the way to go. anyway, just a thought.

mike

[1] http://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html
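As an added illustration of the optimization this message refers to (example code written here, not from the bug report or the kernel): the dereference-before-check ordering that -fdelete-null-pointer-checks lets GCC simplify away, beside the check-before-use ordering whose NULL test does not depend on compiler flags. The struct and function names are constructed stand-ins.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a kernel object; the names are hypothetical. */
struct conn {
    int flags;
    int refcnt;
};

/*
 * Dereference first, NULL test second. Once sk->flags has been read, GCC's
 * -fdelete-null-pointer-checks (on by default at -O2) entitles the compiler
 * to assume sk is non-NULL and drop the "if (!sk)" test entirely. Whether
 * the test survives then depends on the build flags, not on the source.
 * Never call this with NULL: the read above the test already faults.
 */
int flags_check_after_use(struct conn *sk)
{
    int f = sk->flags;      /* dereference comes first */
    if (!sk)                /* candidate for deletion by the optimizer */
        return -1;
    return f;
}

/* Test first, then dereference: no optimization can remove this check. */
int flags_check_before_use(const struct conn *sk)
{
    if (!sk)
        return -1;
    return sk->flags;
}

int main(void)
{
    struct conn c = { .flags = 0x5, .refcnt = 1 };

    printf("check-after-use, valid pointer:  %d\n", flags_check_after_use(&c));
    printf("check-before-use, valid pointer: %d\n", flags_check_before_use(&c));
    printf("check-before-use, NULL:          %d\n", flags_check_before_use(NULL));
    return 0;
}
```

Build it twice, `gcc -O2 -S` and `gcc -O2 -fno-delete-null-pointer-checks -S`, and compare the assembly for flags_check_after_use: the comparison against zero is expected to survive only in the second build, which is the kernel-wide cost the message weighs against the speedup.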
Bug#537637: htmldoc: buffer overflow in util.cxx's set_page_size()
package: htmldoc
version: 1.8.27-2
severity: serious
tags: security , patch

hello,

a security advisory has been issued for htmldoc [0]. patches available from gentoo [1]. please coordinate with the security team to prepare updates for the stable releases. thank you.

[0] http://secunia.com/advisories/35780/
[1] http://bugs.gentoo.org/show_bug.cgi?id=278186
Bug#537634: mediawiki: multiple vulnerabilities fixed in new upstreams
package: mediawiki
version: 1:1.15.0-1
severity: serious
tags: security

hello,

multiple vulnerabilities have been fixed in upstream mediawiki 1.15.1 (these problems did not exist before 1.14.0, so lenny/etch are not vulnerable) [0]. please update unstable to this version. thanks.

[0] http://lists.wikimedia.org/pipermail/mediawiki-announce/2009-July/87.html
Bug#537633: libio-socket-ssl-perl: incorrect validation of hostnames
package: libio-socket-ssl-perl
version: 1.01-1
severity: serious
tags: security , patch

a security issue has been fixed in the latest upstream version of libio-socket-ssl-perl [0]. see patch [1]. please coordinate with the security team to prepare updates for the stable releases. thank you.

[0] https://bugzilla.redhat.com/show_bug.cgi?id=509819
[1] http://search.cpan.org/diff?from=IO-Socket-SSL-1.25&to=IO-Socket-SSL-1.26&w=1
Bug#537396: moonlight: doesn't appear to work for microsoft's tuva site
package: moonlight-plugin-mozilla
version: 1.0.1-3
severity: important

hello,

i just tried out the moonlight plugin, but it doesn't appear to work out of the box. steps to reproduce:

1. $ sudo apt-get install moonlight-plugin-mozilla
2. $ iceweasel http://research.microsoft.com/tuva
3. observe error message about a silverlight-unsupported browser

thanks for looking into this.
Bug#537281: dbus: uninstallable due to missing directory
package: dbus
version: 1.2.16-1
severity: grave

hello,

dbus is currently uninstallable on sid; erroring with the following message:

chown: cannot access `/usr/lib/dbus-1.0/dbus-daemon-launch-help': No such file or directory

this can be fixed with a 'mkdir -p':

$ sudo mkdir -p /usr/lib/dbus-1.0/dbus-daemon-launch-help
$ sudo apt-get install -f

thanks for fixing this.
mike
Bug#537104: forwarded
forwarded 537104 https://bugzilla.mozilla.org/show_bug.cgi?id=504237
thanks
Bug#537104: iceweasel: critical 0-day remote shellcode injection
package: iceweasel
version: 3.5
severity: critical
tags: security

hello,

a remote shellcode injection has been disclosed for firefox [0], [1]. the advisory says that version 3.5 has been verified as vulnerable, but older versions are very likely susceptible as well. i have not checked. this is critical since it is being exploited in the wild.

[0] http://secunia.com/advisories/35789
[1] http://milw0rm.com/exploits/9137
Bug#536726: mysql: post-authentication format string vulnerability
package: mysql-dfsg-5.0
version: 5.0.32-7etch8
severity: important
tags: security

hello,

it has been disclosed that mysql has a post-authentication format string vulnerability [1]. according to that message, affected versions are claimed to be 5.0.45 and older, which would mean that lenny and sid are not affected; however, this needs to be checked.

[1] http://seclists.org/fulldisclosure/2009/Jul/0058.html
Bug#536724: wordpress: CORE-2009-0515 privileges unchecked and multiple information disclosures
package: wordpress
version: 2.0.10-1etch3
severity: serious
tags: security

an advisory, CORE-2009-0515, has been issued for wordpress. there are issues with unchecked privileges and many potential information disclosures. see [1]. this is fixed in upstream version 2.8.1. please coordinate with the security team to prepare updates for the stable releases.

[1] http://corelabs.coresecurity.com/index.php?module=FrontEndMod&action=view&type=advisory&name=WordPress_Privileges_Unchecked
Bug#535489: [Pkg-cups-devel] Bug#535488: cupsys: CVE-2009-0791 integer overflow vulnerabilities
reopen 535488
reopen 535489
thanks

On Sat, 11 Jul 2009 17:20:46 +0200 Martin Pitt wrote:

> Hello Michael,
>
> Michael S. Gilbert [2009-07-02 12:35 -0400]:
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for cups.
> >
> > CVE-2009-0791[0]:
> > | Multiple integer overflows in the pdftops filter in CUPS 1.1.17,
> > | 1.1.22, and 1.3.7 allow remote attackers to cause a denial of service
> > | (application crash) or possibly execute arbitrary code via a crafted
> > | PDF file that triggers a heap-based buffer overflow, possibly related
> > | to (1) Decrypt.cxx, (2) FoFiTrueType.cxx, (3) gmem.c, (4)
> > | JBIG2Stream.cxx, and (5) PSOutputDev.cxx in pdftops/. NOTE: the
> > | JBIG2Stream.cxx vector may overlap CVE-2009-1179.
>
> This vulnerability does not affect cups. Because xpdf vulnerabilities
> are so common, the Debian cups package has used the external
> xpdf-utils or poppler-utils since at least woody.

are you sure about this? i've checked the etch cupsys and lenny cups packages and found that the pdftops source is indeed present (and the patches for this are not applied). the only way i see this as not affected is if these packages do not build the pdftops code. i am not that familiar with the package, so i did not check whether this is the case. i've checked the unstable cups package and the pdftops code is in fact removed there.

mike
Bug#536718: apache2: CVE-2009-1890 denial-of-service vulnerability
Package: apache2
Version: 2.2.3-4+etch6
Severity: serious
Tags: security , patch

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for apache2.

CVE-2009-1890[0]:
| The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy
| module in the Apache HTTP Server before 2.3.3, when a reverse proxy is
| configured, does not properly handle an amount of streamed data that
| exceeds the Content-Length value, which allows remote attackers to
| cause a denial of service (CPU consumption) via crafted requests.

Patches are available [0]. Please coordinate with the security team to prepare updates for the stable releases.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1890
    http://security-tracker.debian.net/tracker/CVE-2009-1890
Bug#535888: Info received ([php-maint] Bug#535888: reopen)
i probably should have asked whether you think that this issue warrants a DSA, would be good for an SPU, or whether you think it is unimportant. if this can be considered unimportant, then yes, i agree the bug should be closed, but if there do need to be stable updates, then i think that the bug should remain open.

mike
Bug#535888: [php-maint] Bug#535888: reopen
On Fri, 10 Jul 2009 10:26:22 -0500, Raphael Geissert wrote:
> close 535888
> found 535888 5.2.6.dfsg.1-1+lenny3
> found 535888 5.2.9.dfsg.1-4
> fixed 535888 5.3.0-1
> thanks
>
> On Friday 10 July 2009 10:14:08 Michael S. Gilbert wrote:
> > reopen 535888
> > fixed 535888 5.2.10.dfsg.1-2
> > thanks
> >
> > thanks for fixing this issue! reopening to continue tracking in
> > etch/lenny, which haven't been fixed yet.
>
> That's not the right way to do it, you should mark the bug as found in the
> other versions.

doesn't it make more sense to keep the bug open until all versions are fixed? at least that way it continues to show up on the bug tracking pages; and i think more accurately represents the state of the bug. my interpretation is that closed means that the bug is gone.

mike
Bug#535888: reopen
reopen 535888
fixed 535888 5.2.10.dfsg.1-2
thanks

thanks for fixing this issue! reopening to continue tracking in etch/lenny, which haven't been fixed yet.

mike
Bug#534973: stable updates
On Mon, 6 Jul 2009 21:44:44 +0200 Thijs Kinkhorst wrote:
> > version 1:1.5.2-5 that I released to unstable is suitable for stable
> > as well. Prior to this bugfix unstable and stable both contained
> > version 1:1.5.2-4. Attached is a patch with the fix. Do you want me to
> > build it for stable as well?
>
> Thank you for getting in touch with us. Judging from the context in which
> this bug manifests itself, I think releasing a DSA for it is overkill. It
> happens when creating a new X-Face header, which is something you would do
> rarely, mostly not with any random image you didn't check out before, always
> as an unprivileged user and what can happen is a crash of the conversion
> which is hardly harmful. The security implications of this are very minor.
> Normally there's a process to fix minor security issues through a stable
> point update but I think this one is even too minor for that. It's great
> that testing and unstable are fixed for the future, but I propose that we
> just leave it at that and consider this case closed.

i would agree. the implications (a user-initiated application crash on invalid input) are so minor that this probably should not have been tagged as a security concern nor given a CVE in the first place. although, has the possibility of code injection been fully ruled out?

mike
Bug#535909: camlimages: CVE-2009-2295 several integer overflows
package: camlimages
version: 2.20-8
severity: serious
tags: security

hello,

camlimages is vulnerable to several integer overflows [1]. this has not yet been fixed upstream, but has been addressed by redhat [2].

[1] http://www.ocert.org/advisories/ocert-2009-009.html
[2] https://bugzilla.redhat.com/show_bug.cgi?id=509531
Bug#535896: rails: potential password bypass
package: rails
version: 1.1.6-3
severity: serious
tags: security

hello,

it has been found that rails is vulnerable to a password bypass [1]. this will be fixed in upstream version 2.3.3.

[1] http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest
Bug#535888: php: segfaults on corrupted jpeg files
package: php5
version: 5.2.0-8+etch13
severity: important
tags: security

hello,

php is vulnerable to segfaulting on certain corrupted jpegs [1]. this is likely fixed in 5.3.0 since the commit to svn was made on May 28, but i haven't checked the code to determine whether this is the case or not.

[1] http://bugs.php.net/bug.php?id=48378
Bug#535890: phpmyadmin: remote code injection via xss vulnerability
Package: phpmyadmin
Version: 4:2.9.1.1-10
Severity: serious
Tags: security

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for phpmyadmin.

CVE-2009-2284[0]:
| Cross-site scripting (XSS) vulnerability in phpMyAdmin before 3.2.0.1
| allows remote attackers to inject arbitrary web script or HTML via a
| crafted SQL bookmark.

This is fixed in unstable. Please coordinate with the security team to prepare updates for the stable releases.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2284
    http://security-tracker.debian.net/tracker/CVE-2009-2284
Bug#535886: apache2: htaccess override
package: apache2
severity: important
version: 2.2.3-4+etch6
tags: security

apache2 in etch is vulnerable to an override vulnerability in .htaccess [1].

[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=44262
Bug#535881: clamav: recent vulnerabilities
package: clamav
version: 0.90.1dfsg-4etch16
severity: important
tags: security

hello,

clamav is vulnerable to several scanner bypass vulnerabilities [1]. note that the upstream version also appears to address some other security-related issues as well:

* libclamav: detect and handle archives hidden inside other files (eg. images), which can be unpacked by WinZip, WinRAR and other tools (bb#1554)
  Reported by ROGER Mickael and Thierry Zoller
* libclamav/mspack.c, cab.c: don't rely on file sizes stored in CAB headers (bb#1562)
  Reported by Thierry Zoller
* libclamunrar/unrarvm.c: fix handling of some broken rar files
* libclamav/mbox.c: handle malformed emails with embedded \0s (bb #1573)
* libclamav/readdb.c: add offset checks (bb#1615)

[1] http://blog.zoller.lu/2009/05/advisory-clamav-generic-bypass.html
Bug#535870: xscreensaver: symlink attack enables local information disclosure
package: xscreensaver
version: 4.24-5
severity: important
tags: security

xscreensaver is vulnerable to a local information disclosure vulnerability [1].

[1] http://isowarez.de/xscreensaver.txt
Bug#532520: info
from some of the upstream discussion, it looks like libbsd provides an arc4random cryptographically secure PRNG, which lynx prefers when available. an appropriate fix for this issue thus would be to depend on libbsd0 and make sure lynx makes use of its arc4random.

mike
Bug#532520: forwarded
forwarded 532520 http://lists.gnu.org/archive/html/lynx-dev/2009-07/msg0.html
thanks

it looks like the lynx situation for this issue isn't so simple.
Bug#534497: tag fixed version in unstable
fixed 534497 3.6.8-1
thanks

version in unstable is fixed
Bug#535793: upstream discussion
forwarded 535793 https://bugs.webkit.org/show_bug.cgi?id=26973
thanks

i've started a discussion on these issues in the upstream bug report in the above link.