Bug#599387: moodle: Security update does not configure, missing dependency on www-config
Package: moodle
Version: 1.8.13-1
Severity: serious

Hi,

An attempt to upgrade moodle in our server resulted in the following:

moodle:~# apt-get upgrade
S'està llegint la llista de paquets... Fet
S'està construint l'arbre de dependències
S'està llegint la informació de l'estat... Fet
0 actualitzats, 0 nous a instal·lar, 0 a suprimir i 0 no actualitzats.
1 no instal·lats o suprimits completament.
Després d'aquesta operació s'empraran 0B d'espai en disc addicional.
Voleu continuar [S/n]?
S'està configurant moodle (1.8.13-1) ...
*** WARNING: ucf was run from a maintainer script that uses debconf, but
the script did not pass --debconf-ok to ucf. The maintainer script should
be fixed to not stop debconf before calling ucf, and pass it this
parameter. For now, ucf will revert to using old-style, non-debconf
prompting. Ugh! Please inform the package maintainer about this problem.
- The selected web server doesn't seem to be installed
You should select a web server which is installed or configure your web server manually
-
/var/lib/dpkg/info/moodle.postinst: line 167: /usr/share/wwwconfig-common/restart.sh: El fitxer o directori no existeix
dpkg: s'ha produït un error en processar moodle (--configure):
el subprocés post-installation script retornà el codi d'eixida d'error 1
S'han trobat errors en processar:
moodle
E: Sub-process /usr/bin/dpkg returned an error code (1)

This looked very strange, it's been a long time a Debian security upgrade breaks like this on me.

changelog.Debian revealed there's been a big version jump in the version offered by stable-security and s-p-u; from 1.8.2 to 1.8.13; the dependencies of the former do list wwwconfig-common as a dependency, while the new package doesn't. Manually installing wwwconfig-common did help the update finish.

Have there been any packaging changes not documented in the changelog?
Jordi -- System Information: Debian Release: squeeze/sid APT prefers testing APT policy: (500, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores) Locale: lang=ca_es.ut...@valencia, lc_ctype=ca_es.ut...@valencia (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#593856: gnucash: Crash when working on a split transaction: assertion failure in split-register-load.c
Hi Tim,

Tim Retout wrote:
> So with this test case and the one from the upstream bug report, I think
> it's enough to backport the patch and check these have gone.

Thank you also from my side (and also to Don Armstrong) for analyzing and finally fixing the bug. I think I will upload a fixed package within the next few days.

Regards,
Micha
Processed: openclipart: diff for NMU version 0.18+dfsg-9.1
Processing commands for cont...@bugs.debian.org:

> tags 589194 + patch
Bug #589194 [src:openclipart] openclipart: FTBFS: Enters infinite loop
Added tag(s) patch.
> tags 589194 + pending
Bug #589194 [src:openclipart] openclipart: FTBFS: Enters infinite loop
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
589194: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=589194
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#589194: openclipart: diff for NMU version 0.18+dfsg-9.1
tags 589194 + patch tags 589194 + pending thanks Dear maintainer, I've prepared an NMU for openclipart (versioned as 0.18+dfsg-9.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards, Miguel -- Miguel Angel Ruiz Manzano http://mruiz.openminds.cl Computer Engineer - PUCV - Chile Linux User #323437 PGP key 1024D/0D3FD8A9 2005-06-03 diff -u openclipart-0.18+dfsg/debian/rules openclipart-0.18+dfsg/debian/rules --- openclipart-0.18+dfsg/debian/rules +++ openclipart-0.18+dfsg/debian/rules @@ -43,6 +43,7 @@ # Create svg and png files cd $(CURDIR)/clipart && for i in `find . -name "*.svg" -printf "%p " ` ; do \ + case "$$i" in ./office/telephone/mobile_phone_01.svg) continue ; esac ; \ echo "Processing $$i" ; \ dir=`dirname $$i` ; \ file=`basename $$i` ; \ @@ -52,10 +53,10 @@ $(CURDIR)/build/usr/share/openclipart/svg/$$dir/$$file ; \ mkdir -p $(CURDIR)/build/usr/share/openclipart/png/$$dir ; \ if echo $(OVERSIZED_FILES) | grep -q $$i ; then \ - inkscape -w 1500 --export-png=$(CURDIR)/build/usr/share/openclipart/png/$$dir/$$pngfile \ + inkscape -z -w 1500 --export-png=$(CURDIR)/build/usr/share/openclipart/png/$$dir/$$pngfile \ $$dir/$$file ; \ else \ - inkscape --export-png=$(CURDIR)/build/usr/share/openclipart/png/$$dir/$$pngfile \ + inkscape -z --export-png=$(CURDIR)/build/usr/share/openclipart/png/$$dir/$$pngfile \ $$dir/$$file ; \ fi ; \ done diff -u openclipart-0.18+dfsg/debian/changelog openclipart-0.18+dfsg/debian/changelog --- openclipart-0.18+dfsg/debian/changelog +++ openclipart-0.18+dfsg/debian/changelog 
@@ -1,3 +1,15 @@ +openclipart (0.18+dfsg-9.1) unstable; urgency=low + + * Non-maintainer upload. + * debian/rules: ++ Applied patch from Ubuntu. Fixes FTBFS (Closes: #589194) + - Skip office/telephone/mobile_phone_01.svg as it appears to be buggy +and causes inkscape to get caught in an infinite loop. + - Use inkscape flag -z "Do not use X server". + - Thanks to Chris Cheney. + + -- Miguel Ruiz Tue, 05 Oct 2010 00:13:15 -0400 + openclipart (0.18+dfsg-9) unstable; urgency=low * rebuild for OOo 3.2 (closes: #565970)
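Review bot: In the first debian/rules hunk the added case/continue line comes before echo "Processing $$i", so the build log keeps no trace that ./office/telephone/mobile_phone_01.svg was left out of the svg and png output. Consider printing a "Skipping $$i" line before continue, and keeping the excluded name in a make variable next to OVERSIZED_FILES so the exclusion is visible in one place and easy to drop once the file is fixed.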
Processed: Re: Segfault when successfully identified
Processing commands for cont...@bugs.debian.org:

> # > reopen 521227
> #
> # Oh, BTS...
> fixed 521227 irssi-plugin-xmpp/0.13+cvs20090406-1
Bug #521227 [irssi-plugin-xmpp] irssi-plugin-xmpp: Segfault when successfully identified
Bug Marked as fixed in versions irssi-plugin-xmpp/0.13+cvs20090406-1.
>
End of message, stopping processing here.

Please contact me if you need assistance.
--
521227: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521227
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#582998: pidgin-sipe: diff for NMU version 1.9.0-1.1
Package: pidgin-sipe Version: 1.9.0-1 Severity: normal Tags: patch pending Dear maintainer, I've prepared an NMU for pidgin-sipe (versioned as 1.9.0-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards. -- Miguel Angel Ruiz Manzano http://mruiz.openminds.cl Computer Engineer - PUCV - Chile Linux User #323437 PGP key 1024D/0D3FD8A9 2005-06-03 diff -u pidgin-sipe-1.9.0/debian/changelog pidgin-sipe-1.9.0/debian/changelog --- pidgin-sipe-1.9.0/debian/changelog +++ pidgin-sipe-1.9.0/debian/changelog @@ -1,3 +1,20 @@ +pidgin-sipe (1.9.0-1.1) unstable; urgency=low + + * Non-maintainer upload. + * debian/rules ++ Added quilt support. + * debian/control ++ Added quilt as dependency. + * debian/README.source ++ Added according to Debian Policy Manual section 4.14. + * debian/patches ++ Patches taken from Ubuntu. + - 01_fix_build.diff - Fixes FTBFS. (Closes: #582998) + - 02_fix_kerberos.diff - Fixes Kerberos error. (Closes: #597437) + - Thanks to Onkar Shinde. + + -- Miguel Ruiz Mon, 04 Oct 2010 23:34:54 -0400 + pidgin-sipe (1.9.0-1) unstable; urgency=low * New upstream version (Closes: #570735) diff -u pidgin-sipe-1.9.0/debian/rules pidgin-sipe-1.9.0/debian/rules --- pidgin-sipe-1.9.0/debian/rules +++ pidgin-sipe-1.9.0/debian/rules @@ -2,6 +2,7 @@ include /usr/share/cdbs/1/class/autotools.mk include /usr/share/cdbs/1/rules/debhelper.mk +include /usr/share/cdbs/1/rules/patchsys-quilt.mk DEB_CONFIGURE_EXTRA_FLAGS := --with-purple --without-telepathy --with-krb5=yes # Don't run unnecessary ldconfig on postinst and postrm. diff -u pidgin-sipe-1.9.0/debian/control pidgin-sipe-1.9.0/debian/control --- pidgin-sipe-1.9.0/debian/control +++ pidgin-sipe-1.9.0/debian/control 
@@ -3,7 +3,7 @@ Priority: optional Maintainer: Anibal Avelar Homepage: http://sipe.sourceforge.net/ -Build-Depends: cdbs (>= 0.4.23-1.1), autotools-dev, debhelper (>= 5), pkg-config, libglib2.0-dev, pidgin-dev, libpurple-dev (>= 2.4.0), libtool, intltool, libkrb5-dev, libzephyr-dev +Build-Depends: cdbs (>= 0.4.23-1.1), autotools-dev, debhelper (>= 5), pkg-config, libglib2.0-dev, pidgin-dev, libpurple-dev (>= 2.4.0), libtool, intltool, libkrb5-dev, libzephyr-dev, quilt Standards-Version: 3.8.4 Package: pidgin-sipe only in patch2: unchanged: --- pidgin-sipe-1.9.0.orig/debian/README.source +++ pidgin-sipe-1.9.0/debian/README.source 
@@ -0,0 +1,48 @@ +This package uses quilt to manage all modifications to the upstream +source. Changes are stored in the source package as diffs in +debian/patches and applied during the build. + +To get the fully patched source after unpacking the source package, cd to +the root level of the source package and run: + +quilt push -a + +The last patch listed in debian/patches/series will become the current +patch. + +To add a new set of changes, first run quilt push -a, and then run: + +quilt new + +where is a descriptive name for the patch, used as the filename in +debian/patches. Then, for every file that will be modified by this patch, +run: + +quilt add + +before editing those files. You must tell quilt with quilt add what files +will be part of the patch before making changes or quilt will not work +properly. After editing the files, run: + +quilt refresh + +to save the results as a patch. + +Alternately, if you already have an external patch and you just want to +add it to the build system, run quilt push -a and then: + +quilt import -P /path/to/patch +quilt push -a + +(add -p 0 to quilt import if needed). as above is the filename to +use in debian/patches. The last quilt push -a will apply the patch to +make sure it works properly. + +To remove an existing patch from the list of patches that will be applied, +run: + +quilt delete + +You may need to run quilt pop -a to unapply patches first before running +this command. + only in patch2: unchanged: --- pidgin-sipe-1.9.0.orig/debian/patches/01_fix_build.diff +++ pidgin-sipe-1.9.0/debian/patches/01_fix_build.diff 
@@ -0,0 +1,14 @@ +--- a/src/core/sipe.c b/src/core/sipe.c +@@ -10045,6 +10045,11 @@ + #if PURPLE_VERSION_CHECK(2,6,0) + NULL, /* initiate_media */ + NULL, /* get_media_caps */ ++#if PURPLE_VERSION_CHECK(2,7,0) ++ NULL, /* get_moods */ ++ NULL, /* initiate_media */ ++ NULL, /* get_media_caps */ ++#endif + #endif + #endif + }; only in patch2: unchanged: --- pidgin-sipe-1.9.0.orig/debian/patches/02_fix_kerberos.diff +++ pidgin-sipe-1.9.0/debian/patches/02_fix_kerberos.diff @@ -0,0 +1,25 @@ +--- a/src/core/sip-sec.c b/src/core/sip-sec.c +@@ -21,6 +21,10 @@ + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + ++#ifdef HAVE_CONFIG_H ++#include "config.h" ++#endif ++ + #include + #include + #include +@@ -177,7 +181,10 @@ + domain, +
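Review bot: In 01_fix_build.diff the three NULL entries added under #if PURPLE_VERSION_CHECK(2,7,0) are commented get_moods, initiate_media and get_media_caps, but initiate_media and get_media_caps are already the two entries directly above, under the 2,6,0 check. The last two comments look copied from those lines; please label each new NULL with the struct member it actually fills for 2.7.0, so the initializer can be checked against the libpurple header field by field.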
Processed: libpassword-ruby: diff for NMU version 0.5.3-1.1
Processing commands for cont...@bugs.debian.org:

> tags 598178 + patch
Bug #598178 [src:libpassword-ruby] libpassword-ruby: FTBFS: Unable to locate package cracklib2-dev
Added tag(s) patch.
> tags 598178 + pending
Bug #598178 [src:libpassword-ruby] libpassword-ruby: FTBFS: Unable to locate package cracklib2-dev
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
598178: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598178
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#598178: libpassword-ruby: diff for NMU version 0.5.3-1.1
tags 598178 + patch tags 598178 + pending thanks Dear maintainer, I've prepared an NMU for libpassword-ruby (versioned as 0.5.3-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards, Miguel diff -u libpassword-ruby-0.5.3/debian/control libpassword-ruby-0.5.3/debian/control --- libpassword-ruby-0.5.3/debian/control +++ libpassword-ruby-0.5.3/debian/control @@ -3,7 +3,7 @@ Priority: optional Maintainer: Micah Anderson Uploaders: Debian Ruby Extras Maintainers , Ryan Niebur -Build-Depends: cdbs, debhelper (>= 5), ruby-pkg-tools (>= 0.8), ruby1.8, cracklib-runtime, cracklib2-dev, wamerican | wordlist, quilt, ruby1.8-dev, graphviz +Build-Depends: cdbs, debhelper (>= 5), ruby-pkg-tools (>= 0.8), ruby1.8, cracklib-runtime, libcrack2-dev, wamerican | wordlist, quilt, ruby1.8-dev, graphviz Standards-Version: 3.8.1 Homepage: http://www.caliban.org/ruby/ruby-password.shtml diff -u libpassword-ruby-0.5.3/debian/changelog libpassword-ruby-0.5.3/debian/changelog --- libpassword-ruby-0.5.3/debian/changelog +++ libpassword-ruby-0.5.3/debian/changelog @@ -1,3 +1,11 @@ +libpassword-ruby (0.5.3-1.1) unstable; urgency=low + + * Non-maintainer upload. + * debian/control: ++ Replaced cracklib2-dev by libcrack2-dev as Builds-Depends to fix FTBFS. (Closes: #598178) + + -- Miguel Ruiz Sun, 03 Oct 2010 22:44:31 -0400 + libpassword-ruby (0.5.3-1) unstable; urgency=low [ Micah Anderson ]
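Review bot: The new debian/changelog entry names the field "Builds-Depends", while the field edited in the debian/control hunk is Build-Depends; please correct the spelling in the changelog so the entry matches the control file.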
Processed: tagging 598503
Processing commands for cont...@bugs.debian.org:

> # Automatically generated email from bts, devscripts version 2.10.35lenny7
> tags 598503 + pending
Bug #598503 [src:linux-2.6] linux-2.6: FTBFS: (powerpc) drivers/scsi/qla4xxx/ql4_nx.c:716: error: implicit declaration of function 'readq'
Added tag(s) pending.
>
End of message, stopping processing here.

Please contact me if you need assistance.
--
598503: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598503
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#598303: marked as done (tau: CVE-2010-3382: insecure library loading)
Your message dated Thu, 07 Oct 2010 01:17:11 + with message-id and subject line Bug#598303: fixed in tau 2.16.4-1.4 has caused the Debian Bug report #598303, regarding tau: CVE-2010-3382: insecure library loading to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
598303: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598303
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: tau
Version: 2.16.4-1.3
Severity: grave
Tags: security
User: t...@security.debian.org
Usertags: ldpath

Hello,

During a review of the Debian archive, I've found your package to contain a script that can be abused by an attacker to execute arbitrary code.

The vulnerability is introduced by an insecure change to LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for libraries on a directory other than the standard paths.

Vulnerable code follows:

/usr/bin/tauex line 197:
export LD_LIBRARY_PATH=$TAUROOT/$TAUARCH/lib/$theBinding:$LD_LIBRARY_PATH

When there's an empty item on the colon-separated list of LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.) If the given script is executed from a directory where a potential, local, attacker can write files to, there's a chance to exploit this bug.

This vulnerability has been assigned the CVE id CVE-2010-3382. Please make sure you mention it when forwarding this report to upstream and when fixing this bug (everywhere: upstream and here at Debian.)
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3382 [1] http://security-tracker.debian.org/tracker/CVE-2010-3382 Sincerely, Raphael Geissert --- End Message --- --- Begin Message --- Source: tau Source-Version: 2.16.4-1.4 We believe that the bug you reported is fixed in the latest version of tau, which is due to be installed in the Debian FTP archive: python-tau_2.16.4-1.4_mipsel.deb to main/t/tau/python-tau_2.16.4-1.4_mipsel.deb tau-examples_2.16.4-1.4_all.deb to main/t/tau/tau-examples_2.16.4-1.4_all.deb tau-racy_2.16.4-1.4_all.deb to main/t/tau/tau-racy_2.16.4-1.4_all.deb tau_2.16.4-1.4.diff.gz to main/t/tau/tau_2.16.4-1.4.diff.gz tau_2.16.4-1.4.dsc to main/t/tau/tau_2.16.4-1.4.dsc tau_2.16.4-1.4_mipsel.deb to main/t/tau/tau_2.16.4-1.4_mipsel.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 598...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Anibal Monsalve Salazar (supplier of updated tau package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 06 Oct 2010 20:55:41 +1100 Source: tau Binary: tau tau-racy python-tau tau-examples Architecture: source all mipsel Version: 2.16.4-1.4 Distribution: unstable Urgency: low Maintainer: Yann Dirson Changed-By: Anibal Monsalve Salazar Description: python-tau - Tuning and Analysis Utilities - support for python bindings tau- Tuning and Analysis Utilities - base profiling toolkit tau-examples - Tuning and Analysis Utilities - examples tau-racy - Tuning and Analysis Utilities - Tcl/tk profiler GUI Closes: 598303 Changes: tau (2.16.4-1.4) unstable; urgency=low . * Non-maintainer upload. 
* Fix CVE-2010-3382 insecure library loading Add debian/patches/06-598303-CVE-2010-3382-insecure-library-loading.diff Closes: 598303
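The empty-entry behaviour described in the report above, as an added shell example (not code from tau or from the Debian patch): it builds the path with the unpatched expression and with the `${VAR:+:$VAR}` form used by the fix in the follow-up message, and checks each result for an empty entry. It goes one step beyond the report by also cleaning an inherited value that already carries an empty entry; the directory and all function names are constructed for illustration.

```sh
#!/bin/sh
# Added example, not code from tau or from the Debian patch.
# Constructed directory standing in for $TAUROOT/$TAUARCH/lib/$theBinding.
TOOL_LIB_DIR=/opt/tau-example/lib/bindings

# Succeeds when the colon-separated list in $1 has an empty entry: a leading
# colon, a trailing colon, or "::". Per the report, ld.so resolves such an
# entry to the current working directory.
# Assumption of this example: a completely empty value counts as "no list".
has_empty_entry() {
    case "$1" in
        "")         return 1 ;;
        :*|*:|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Unpatched expression from the report: the colon is always emitted.
# $1 = directory to prepend, $2 = inherited LD_LIBRARY_PATH value.
build_unpatched() {
    printf '%s\n' "$1:$2"
}

# Patched expression: ${var:+:$var} emits the colon only when the inherited
# value is set and non-empty.
build_patched() {
    bp_inherited=$2
    printf '%s\n' "$1${bp_inherited:+:$bp_inherited}"
}

# Drop every empty entry from the colon-separated list in $1.
strip_empty_entries() {
    se_out=
    se_rest=$1
    while [ -n "$se_rest" ]; do
        case "$se_rest" in
            *:*) se_entry=${se_rest%%:*}; se_rest=${se_rest#*:} ;;
            *)   se_entry=$se_rest; se_rest= ;;
        esac
        if [ -n "$se_entry" ]; then
            se_out="${se_out:+$se_out:}$se_entry"
        fi
    done
    printf '%s\n' "$se_out"
}

# Prepend $1 to the inherited list $2 after removing empty entries that the
# caller's environment may already contain.
safe_prepend() {
    sp_cleaned=$(strip_empty_entries "$2")
    printf '%s\n' "$1${sp_cleaned:+:$sp_cleaned}"
}

# Print one result line with a verdict.
report() {
    if has_empty_entry "$2"; then
        rp_verdict="EMPTY ENTRY (CWD searched)"
    else
        rp_verdict="ok"
    fi
    printf '  %-10s %-60s %s\n' "$1" "$2" "$rp_verdict"
}

# Constructed inherited values: unset/empty, clean, trailing colon, mixed.
for inherited in "" "/opt/lib" "/opt/lib:" ":/opt/lib::/usr/local/lib"; do
    printf 'inherited LD_LIBRARY_PATH=[%s]\n' "$inherited"
    report unpatched "$(build_unpatched "$TOOL_LIB_DIR" "$inherited")"
    report patched   "$(build_patched "$TOOL_LIB_DIR" "$inherited")"
    report cleaned   "$(safe_prepend "$TOOL_LIB_DIR" "$inherited")"
done
```

The patched expression removes the empty entry the script itself created; an empty entry already present in the caller's value passes through it unchanged, which is what the cleaning step covers.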
Bug#598303: tau: CVE-2010-3382: insecure library loading
A new patchset is below. debdiff tau_2.16.4-1.3.dsc tau_2.16.4-1.4.dsc | diffstat debian/patches/06-598303-CVE-2010-3382-insecure-library-loading.diff | 35 ++ tau-2.16.4/debian/changelog |9 ++ tau-2.16.4/debian/patches/series |1 3 files changed, 45 insertions(+) debdiff tau_2.16.4-1.3.dsc tau_2.16.4-1.4.dsc diff -u tau-2.16.4/debian/changelog tau-2.16.4/debian/changelog --- tau-2.16.4/debian/changelog +++ tau-2.16.4/debian/changelog @@ -1,3 +1,12 @@ +tau (2.16.4-1.4) unstable; urgency=low + + * Non-maintainer upload. + * Fix CVE-2010-3382 insecure library loading +Add debian/patches/06-598303-CVE-2010-3382-insecure-library-loading.diff +Closes: 598303 + + -- Anibal Monsalve Salazar Wed, 06 Oct 2010 20:55:41 +1100 + tau (2.16.4-1.3) unstable; urgency=low * Non-maintainer upload diff -u tau-2.16.4/debian/patches/series tau-2.16.4/debian/patches/series --- tau-2.16.4/debian/patches/series +++ tau-2.16.4/debian/patches/series @@ -6,0 +7 @@ +06-598303-CVE-2010-3382-insecure-library-loading.diff only in patch2: unchanged: --- tau-2.16.4.orig/debian/patches/06-598303-CVE-2010-3382-insecure-library-loading.diff +++ tau-2.16.4/debian/patches/06-598303-CVE-2010-3382-insecure-library-loading.diff 
@@ -0,0 +1,35 @@ +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3382 +http://security-tracker.debian.org/tracker/CVE-2010-3382 +http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598303 + +Raphael Geissert have found that this package contains a script that +can be abused by an attacker to execute arbitrary code. + +The vulnerability is introduced by an insecure change to +LD_LIBRARY_PATH, and environment variable used by ld.so(8) to look for +libraries on a directory other than the standard paths. + +Vulnerable code follows: + +/usr/bin/tauex line 197: +export LD_LIBRARY_PATH=$TAUROOT/$TAUARCH/lib/$theBinding:$LD_LIBRARY_PATH + +When there's an empty item on the colon-separated list of +LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.) +If the given script is executed from a directory where a potential, +local, attacker can write files to, there's a chance to exploit this +bug. + +Patch by Julien Cristau + +--- a/tools/src/tauex.in 2007-05-19 09:04:55.0 +1000 b/tools/src/tauex.in 2010-10-06 19:03:38.0 +1100 +@@ -194,7 +194,7 @@ for c in $Counters ; do + done + + +-export LD_LIBRARY_PATH=$TAUROOT/$TAUARCH/lib/$theBinding:$LD_LIBRARY_PATH ++export LD_LIBRARY_PATH="$TAUROOT/$TAUARCH/lib/$thebinding${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" + + if [ $verbose = "true" ] ; then + echo "Matching bindings: $bindings" signature.asc Description: Digital signature
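Review bot: The added export line in the tauex.in hunk expands $thebinding, while the line it replaces uses $theBinding; shell variable names are case-sensitive, so unless a lowercase thebinding is set elsewhere the new path ends at lib/ and no longer points at the selected binding directory. Keep the original spelling inside the quoted form: export LD_LIBRARY_PATH="$TAUROOT/$TAUARCH/lib/$theBinding${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}".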
Processed: tagging 598474
Processing commands for cont...@bugs.debian.org:

> tags 598474 + pending
Bug #598474 [atftpd] unusable on GNU/kFreeBSD
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
598474: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598474
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#598070: marked as done (libdevel-cover-perl: FTBFS (powerpc): Test 37 fails)
Your message dated Thu, 7 Oct 2010 00:17:17 +0200 with message-id <20101006221717.ga2...@belanna.comodo.priv.at> and subject line Re: Bug#598070: libdevel-cover-perl: FTBFS (powerpc): Test 37 fails has caused the Debian Bug report #598070, regarding libdevel-cover-perl: FTBFS (powerpc): Test 37 fails to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 598070: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598070 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: libdevel-cover-perl Version: 0.71-1 Severity: serious > sbuild (Debian sbuild) 0.60.0 (23 Feb 2010) on poulenc.debian.org > > ╔══╗ > ║ libdevel-cover-perl 0.71-1 (powerpc) 25 Sep 2010 > 23:05 ║ > ╚══╝ [...] > t/e2e/amodule1.t ok > t/e2e/amodule2.t ok > t/e2e/amodule_ignore.t .. ok > t/e2e/amodule_import.t .. ok > t/e2e/amodule_relative.t ok > t/e2e/aoverload_bool.t .. ok > t/e2e/aoverloaded.t . ok > t/e2e/apod.t ok > # Test 37 got: "ww 1 0 tests/PodMod.pm:13\n" > (/build/buildd-libdevel-cover-perl_0.71-1-powerpc-GupINL/libdevel-cover-perl-0.71/blib/lib/Devel/Cover/Test.pm > at line 303 fail #37) > #Expected: "\n" > # > /build/buildd-libdevel-cover-perl_0.71-1-powerpc-GupINL/libdevel-cover-perl-0.71/blib/lib/Devel/Cover/Test.pm > line 303 is: $ENV{DEVEL_COVER_NO_COVERAGE} ? 
ok 1 : ok $t, $c; > # Test 38 got: "\n" > (/build/buildd-libdevel-cover-perl_0.71-1-powerpc-GupINL/libdevel-cover-perl-0.71/blib/lib/Devel/Cover/Test.pm > at line 303 fail #38) > #Expected: "Uncovered Subroutines\n" > # Test 39 got: "Uncovered Subroutines\n" > (/build/buildd-libdevel-cover-perl_0.71-1-powerpc-GupINL/libdevel-cover-perl-0.71/blib/lib/Devel/Cover/Test.pm > at line 303 fail #39) > #Expected: "-\n" > # Test 40 got: "-\n" > (/build/buildd-libdevel-cover-perl_0.71-1-powerpc-GupINL/libdevel-cover-perl-0.71/blib/lib/Devel/Cover/Test.pm > at line 303 fail #40) > #Expected: "\n" > # Test 41 got: "\n" > (/build/buildd-libdevel-cover-perl_0.71-1-powerpc-GupINL/libdevel-cover-perl-0.71/blib/lib/Devel/Cover/Test.pm > at line 303 fail #41) > #Expected: "Subroutine Count Pod Location \n" > # Test 42 got: "Subroutine Count Pod Location \n" > (/build/buildd-libdevel-cover-perl_0.71-1-powerpc-GupINL/libdevel-cover-perl-0.71/blib/lib/Devel/Cover/Test.pm > at line 303 fail #42) > #Expected: "- - --- --\n" > # Test 43 got: "- - --- --\n" > (/build/buildd-libdevel-cover-perl_0.71-1-powerpc-GupINL/libdevel-cover-perl-0.71/blib/lib/Devel/Cover/Test.pm > at line 303 fail #43) > #Expected: "vv 0 1 tests/PodMod.pm:12\n" > # Test 44 got: "vv 0 1 tests/PodMod.pm:12\n" > (/build/buildd-libdevel-cover-perl_0.71-1-powerpc-GupINL/libdevel-cover-perl-0.71/blib/lib/Devel/Cover/Test.pm > at line 303 fail #44) > #Expected: "ww 0 0 tests/PodMod.pm:13\n" > t/e2e/apod_nocp.t ... > Failed 8/65 subtests > t/e2e/arequire.t ok > t/e2e/askip.t ... ok > t/e2e/asort.t ... ok > t/e2e/aspecial_blocks.t . ok > t/e2e/astatement.t .. ok > t/e2e/asubs_only.t .. ok > t/e2e/at0.t . ok > t/e2e/at1.t . ok > t/e2e/at2.t . ok > t/e2e/atrivial.t ok > t/e2e/auncoverable.t ok > t/e2e/change.t .. ok > t/e2e/eval_sub.t ok > t/e2e/eval_use.t ok > t/e2e/md5.t . ok > t/regexp/regexp_eval.t .. 
ok > > Test Summary Report > --- > t/e2e/apod_nocp.t (Wstat: 0 Tests: 65 Failed: 8) > Failed tests: 37-44 > Failed 1/43 test programs. 8/3981 subtests failed. > Files=43, Tests=3981, 62 wallclock secs ( 0.96 usr 0.14 sys + 54.82 cusr > 3.53 csys = 59.45 CPU) > Result: FAIL > make[1]: *** [test_dynamic] Error 255 > make[1]: Leaving directory > `/build/buildd-libdevel-cover-perl_0.71-1-powerpc-GupINL/libdevel-cover-perl-0.71' > dh_auto_test: make -j1 test returned exit code 2 > make: *** [build] Error 29 > dpkg-buildpackage: error: debian/rules build gave error exit status 2 > > Build finished at 20100925-2313 > FAILED [dpkg-buildpackage died] > ──
Bug#598474: Intent to NMU
Il 04/10/2010 11:34, Giovanni Mascellani ha scritto: > The problem seems to stay in tftp_io.c, function tftp_send_data: the > sendto call fails with errno = 56 (EISCONN). Don't know why under > kFreeBSD the socket appears to be already connected, I'll investigate > more in the next days. FreeBSD doesn't like that an address is specified to sendto() data on a connected socket, while Linux allows it. Thus, we have to disable the call to connect() on FreeBSD. I'm attaching a patch for it, I intend to NMU it on DELAYED/03. Thanks, Gio. -- Giovanni Mascellani Pisa, Italy Web: http://poisson.phc.unipi.it/~mascellani Jabber: g.mascell...@jabber.org / giova...@elabor.homelinux.org diff -u atftp-0.7.dfsg/tftpd.c atftp-0.7.dfsg/tftpd.c --- atftp-0.7.dfsg/tftpd.c +++ atftp-0.7.dfsg/tftpd.c @@ -673,6 +673,9 @@ retval = ABORT; } /* connect the socket, faster for kernel operation */ + /* this is not a good idea on FreeBSD, because sendto() cannot + be used on a connected datagram socket */ +#if !defined(__FreeBSD_kernel__) if (connect(data->sockfd, (struct sockaddr *)&data->client_info->client, sizeof(data->client_info->client)) == -1) @@ -680,6 +683,7 @@ logger(LOG_ERR, "connect: %s", strerror(errno)); retval = ABORT; } +#endif logger(LOG_DEBUG, "Creating new socket: %s:%d", sockaddr_print_addr(&to, addr_str, sizeof(addr_str)), sockaddr_get_port(&to)); diff -u atftp-0.7.dfsg/debian/changelog atftp-0.7.dfsg/debian/changelog --- atftp-0.7.dfsg/debian/changelog +++ atftp-0.7.dfsg/debian/changelog @@ -1,3 +1,11 @@ +atftp (0.7.dfsg-9.2) unstable; urgency=low + + * Non-maintainer upload. + * Fixed use of sendto() over a connected datagram socket on FreeBSD +(closes: #598474). + + -- Giovanni Mascellani Mon, 04 Oct 2010 16:46:32 +0200 + atftp (0.7.dfsg-9.1) unstable; urgency=low * Non-maintainer upload. signature.asc Description: OpenPGP digital signature
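Review bot: With connect() compiled out in the tftpd.c hunk, the data socket stays unconnected on kFreeBSD, so the kernel no longer restricts incoming datagrams to data->client_info->client; please confirm that the receive path compares the source address and port of every packet against the client before accepting it. The added comment says FreeBSD while the guard tests only __FreeBSD_kernel__, so either the comment or the condition should be adjusted to state which systems are meant.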
Processed: Severity
Processing commands for cont...@bugs.debian.org:

> severity 599331 grave
Bug #599331 [src:ecs] ecs : binary missing
Severity set to 'grave' from 'normal'
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
599331: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599331
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: Re: [Pkg-kde-extras] Bug#587842: Can stop krusader neither by closing its window nor by Ctrl+q
Processing commands for cont...@bugs.debian.org:

> tags 587842 patch
Bug #587842 [krusader] Can stop krusader neither by closing its window nor by Ctrl+q
Added tag(s) patch.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
587842: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=587842
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: Bug also in inn2 2.5.2-1
Processing commands for cont...@bugs.debian.org:

> found 598135 2.5.2-1
Bug #598135 [inn2] Forwarding articles to moderators is broken
Bug Marked as found in versions inn2/2.5.2-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
598135: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598135
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#587842: [Pkg-kde-extras] Bug#587842: Can stop krusader neither by closing its window nor by Ctrl+q
tags 587842 patch
thanks

On Tue, Aug 10, 2010 at 12:06:29PM +0300, Modestas Vainius wrote:
> Hello,
>
> On Tuesday 10 August 2010 11:32:27 Frank Schoolmeesters wrote:
> > Hi,
> >
> > This bug should be fixed upstream in the SVN repository.
> > http://websvn.kde.org/trunk/extragear/utils/krusader/
> > http://websvn.kde.org/trunk/extragear/utils/krusader/ChangeLog?view=log
> > See changelog "FIXED: krusader doesn't exit normally"
> >
> > Though there is still a discussion about this fix, because the fix
> > causes another bug.
> >
> > Thanks and bye,
>
> Thanks. It would be great if you let us know when a proper fix is out.

Hi Modestas,

I've tested that attached patch (as fixed in SVN above) works fine and solves the problem.

I suppose the confusion about people reporting that the bug is not fixed arose from the fact that people didn't kill their leftover krusader instances, which led them to believe that the patch is wrong. We could add a "killall krusader" to postinst to resolve this. OTOH, Lenny->Squeeze updates are not bitten by this bug and people can expect sid to be a little bumpy from time to time.

Cheers,
Moritz
Bug#589194: openclipart: FTBFS: Enters infinite loop
On Tue, Aug 24, 2010 at 11:52:05PM +0200, Rene Engelhard wrote:
> Hi,
>
> On Thu, Jul 15, 2010 at 10:29:37AM -0700, Daniel Schepler wrote:
> > ...
> > and the last lines repeat ad infinitum (or at least until the log occupies
> > several gigabytes, which is when I noticed this happening and stopped the
> > build process).
>
> When I applied the patch from #594036 and built it I got a much smaller
> buildlog - and there was no infinite loop. Yes, that file takes, but..
>
> OK with closing this together with #594036?

Looks good to me.

Cheers,
Moritz
Bug#595171: CVE-2010-1519
On Fri, Sep 03, 2010 at 12:15:09PM +0800, Paul Wise wrote:
> On Thu, Sep 2, 2010 at 9:08 PM, Christoph Egger wrote:
>
> > Would be probably best to get rid of glpng soon then (pabs: how's
> > the status on chromium-bsu there?). Unfortunately I'm VAC for another
> > week and probably offline most of the time (as well as keyless).
>
> The SDL_Image loader released with chromium-bsu 0.9.14.1 from squeeze
> works but has a minor rendering glitch that I wasn't able to fix yet.
> Some details are available in the upstream bug report[1]. Help to fix
> it or any of the other upstream bugs would be very much appreciated.
> If the release team would accept the dependency change, I think it
> would be reasonable to switch chromium-bsu to SDL_image and remove
> glpng before squeeze releases instead of keeping it around.

We should do that. Can you take care of a chromium-bsu upload?

Cheers,
Moritz
Bug#585614: Fails to open any mp3's to split
010 13:54, Ron wrote:
> Grabbing gstreamer0.10-tools to get that, also updated me to
> libgstreamer0.10-0 0.10.30-1, which does seem to have altered how it fails.

I think it would be worth upgrading the other gstreamer packages, to confirm this playback bug still occurs.

> If the app is just "using gstreamer", and it
> seems to do what the gstreamer native tools do -- then I guess gstreamer
> just doesn't like me for some reason...

Yes, this is part of it - I think there are three issues here:
- an mp3splt-gtk dependency problem (the bug I fixed)
- mp3splt-gtk crashing when gstreamer throws an error (imho severity "important")
- a gstreamer problem with playing your files (needs confirming with latest packages)

I'd like the first one to migrate to squeeze...

--
Tim Retout
Bug#593856: gnucash: Crash when working on a split transaction: assertion failure in split-register-load.c
I'm more certain now that this crash was caused by the copy/paste problem - I triggered it a second time, but again did not quite manage to capture the test case... but I am now sure it involved transaction pasting, and transaction journal mode.

Here's a brief test case for a slightly different assertion I just managed to trigger:

#3  0xb6d4b32f in IA__g_assertion_message (domain=0xb7e9911d "gnc.register.ledger", file=0xb7e99fd5 "split-register-control.c", line=419, func=0xb7e9a8a4 "gnc_split_register_move_cursor", message=0xb6d7483a "code should not be reached") at /build/buildd-glib2.0_2.24.2-1-i386-AScyie/glib2.0-2.24.2/glib/gtestutils.c:1318
#4  0xb7e8c6c8 in gnc_split_register_move_cursor (p_new_virt_loc=0xbfffe9e0, user_data=0x83d2818) at split-register-control.c:419
#5  0xb7e563aa in gnc_table_move_cursor_internal (table=, new_virt_loc=..., do_move_gui=1) at table-allgui.c:782
#6  0xb7e56485 in gnc_table_move_cursor_gui (table=0x0, new_virt_loc=...) at table-allgui.c:900
#7  0xb7e56574 in gnc_table_verify_cursor_position (table=0x847b018, virt_loc=...) at table-allgui.c:928
#8  0xb7e5661b in gnc_table_wrap_verify_cursor_position (table=0x847b018, virt_loc=...) at table-allgui.c:991
#9  0xb7e74f8d in gnucash_sheet_cursor_move (sheet=0x84a8060, virt_loc=...) at gnucash-sheet.c:321
#10 0xb7e754ec in gnucash_button_press_event (widget=0x84a8060, event=0x84ae558) at gnucash-sheet.c:1479
#11 0xb7353e24 in _gtk_marshal_BOOLEAN__BOXED (closure=0x8098980, return_value=0xbfffed24, n_param_values=2, param_values=0x84ffe78, invocation_hint=0xbfffed10, marshal_data=0xb7e75090) at /build/buildd-gtk+2.0_2.20.1-1+b1-i386-jmql5R/gtk+2.0-2.20.1/gtk/gtkmarshalers.c:84

1. View > Transaction Journal
2. Copy a transaction
3. Edit another transaction (and copy/paste a value from one column to another)
4. Click on first row of this transaction, and select Transaction > Paste
5. Yes, you want to overwrite
6. Click on another transaction
7. Yes, Record changes

Boom.

So with this test case and the one from the upstream bug report, I think it's enough to backport the patch and check these have gone.

--
Tim Retout
Bug#591975: movabletype-opensource: does not build swf files from source
On Mon, Oct 04, 2010 at 08:14:24PM -0700, Finn Smith wrote:
> Dominic --
>
> We at Six Apart have just put up the plugin here:
>
> http://github.com/movabletype/mt-plugin-NoStats
>
> It should fix the problem. All it does is remove the date slider / stats /
> chart from the Movable Type dashboard.
>
> Including this plugin and removing the offending flash files as part of the
> Debian packaging should take care of the license and policy violations.
>
> Test it out and let us know if it works!

Seems to work fine, thanks. I've uploaded a package to Debian accordingly.

Dominic.

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
Bug#591975: marked as done (movabletype-opensource: does not build swf files from source)
Your message dated Wed, 06 Oct 2010 20:47:22 + with message-id and subject line Bug#591975: fixed in movabletype-opensource 4.3.4+dfsg-1 has caused the Debian Bug report #591975, regarding movabletype-opensource: does not build swf files from source to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
591975: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=591975
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: movabletype-opensource
Version: 4.3.4-1
Severity: serious

Hi,

movabletype-opensource ships multiple swf files but it doesn't build them from source. In fact, the source code doesn't seem to be shipped at all, which is a licence violation and a policy violation since they can't be modified.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
--- End Message ---

--- Begin Message ---
Source: movabletype-opensource
Source-Version: 4.3.4+dfsg-1

We believe that the bug you reported is fixed in the latest version of movabletype-opensource, which is due to be installed in the Debian FTP archive:

movabletype-opensource_4.3.4+dfsg-1.diff.gz
  to main/m/movabletype-opensource/movabletype-opensource_4.3.4+dfsg-1.diff.gz
movabletype-opensource_4.3.4+dfsg-1.dsc
  to main/m/movabletype-opensource/movabletype-opensource_4.3.4+dfsg-1.dsc
movabletype-opensource_4.3.4+dfsg-1_all.deb
  to main/m/movabletype-opensource/movabletype-opensource_4.3.4+dfsg-1_all.deb
movabletype-opensource_4.3.4+dfsg.orig.tar.gz
  to main/m/movabletype-opensource/movabletype-opensource_4.3.4+dfsg.orig.tar.gz
movabletype-plugin-core_4.3.4+dfsg-1_all.deb
  to main/m/movabletype-opensource/movabletype-plugin-core_4.3.4+dfsg-1_all.deb
movabletype-plugin-zemanta_4.3.4+dfsg-1_all.deb
  to main/m/movabletype-opensource/movabletype-plugin-zemanta_4.3.4+dfsg-1_all.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 591...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves (supplier of updated movabletype-opensource package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 06 Oct 2010 21:31:37 +0100
Source: movabletype-opensource
Binary: movabletype-opensource movabletype-plugin-core movabletype-plugin-zemanta
Architecture: source all
Version: 4.3.4+dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Dominic Hargreaves
Changed-By: Dominic Hargreaves
Description:
 movabletype-opensource - A well-known blogging engine
 movabletype-plugin-core - Core Movable Type plugins
 movabletype-plugin-zemanta - Zemanta Movable Type plugin
Closes: 591975
Changes:
 movabletype-opensource (4.3.4+dfsg-1) unstable; urgency=low
 .
   * Remove non-free flash components from upstream tarball and include the NoStats plugin which disables their use in the application (closes: #591975)
   * Include information about how to re-enable the flash components in README.Debian
Processed: tagging 538133
Processing commands for cont...@bugs.debian.org:

> tags 538133 + pending
Bug #538133 [mon] Init script does not return success when mon is already running.
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
538133: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538133
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#591548: closed by Ben Pfaff (Re: Processed: unarchiving and reopening 591548)
On Wed, Oct 06, 2010 at 11:42:00AM -0700, Ben Pfaff wrote:
> Adrian Bunk writes:
>...
> > AFAIK, this was considered an autoconf regression that is also fixed in
> > upstream autoconf 2.68.
>
> I doubt that squeeze will upgrade to 2.68.

The autoconf package in squeeze already contains your workaround for this issue.

> Ben Pfaff

cu
Adrian

--
"Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days. "Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
Bug#596986: FTBFS: tests fail on armhf (and sh4)
I appreciate your input Luca. My prior investigation led to the same conclusions. I'm pretty confident that it's not a bogofilter issue, because there are no invocations of "yes" and "no" in the source, and I've repeatedly failed to reproduce it on several different platforms. Now, if only there was a way to re-assign the bug to porters ... -S
Bug#591548: closed by Ben Pfaff (Re: Processed: unarchiving and reopening 591548)
Adrian Bunk writes:

> On Wed, Oct 06, 2010 at 06:27:07PM +, Debian Bug Tracking System wrote:
>>...
>> >> > Why? Current autoconf doesn't break pkg-config, there's no reason to
>> >> > reopen this afaict.
>> >>
>> >> Tim proposed adding "Breaks: pkg-config (<< 0.25-1.1)" to
>> >> autoconf, which seemed reasonable to me, so he reopened the bug.
>> >>
>> >> It would also have been reasonable to file a new bug against
>> >> autoconf making this request.
>> >>
>> >> Comments?
>> >
>> > Well, I think this should be a separate bug, with wishlist severity
>> > instead of serious, and only makes sense if the change from 2.67-2 is
>> > reverted, so preferably after squeeze.
>>
>> Upon reflection I think that you are right.
>>
>> I'm re-closing bug #591548 (with this email).
>>
>> Tim, would you mind filing a new bug, as Julien suggested?
>
> Why would that be required?

Because bug #591548 is indeed fixed. Why reopen it?

> AFAIK, this was considered an autoconf regression that is also fixed in
> upstream autoconf 2.68.

I doubt that squeeze will upgrade to 2.68.

--
Ben Pfaff
http://benpfaff.org
Bug#599336: marked as done (apt-get removes other packages than requested)
Your message dated Wed, 6 Oct 2010 20:47:19 +0200 with message-id and subject line Re: Bug#599336: apt-get removes other packages than requested has caused the Debian Bug report #599336, regarding apt-get removes other packages than requested to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 599336: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599336 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#591548: closed by Ben Pfaff (Re: Processed: unarchiving and reopening 591548)
On 6 October 2010 19:31, Adrian Bunk wrote:
> AFAIK, this was considered an autoconf regression that is also fixed in
> upstream autoconf 2.68.

Hah, right, it seems I'm reading my email at unfortunate intervals compared to everyone else.

I've already sent a bug to submit@, but I don't mind if it just gets closed politely. All I wanted to do was chase up the loose ends from the NMU of pkg-config, and it sounds like that's happened.

Cheers,

--
Tim Retout
Bug#591548: closed by Ben Pfaff (Re: Processed: unarchiving and reopening 591548)
On Wed, Oct 06, 2010 at 06:27:07PM +, Debian Bug Tracking System wrote:
>...
> >> > Why? Current autoconf doesn't break pkg-config, there's no reason to
> >> > reopen this afaict.
> >>
> >> Tim proposed adding "Breaks: pkg-config (<< 0.25-1.1)" to
> >> autoconf, which seemed reasonable to me, so he reopened the bug.
> >>
> >> It would also have been reasonable to file a new bug against
> >> autoconf making this request.
> >>
> >> Comments?
> >
> > Well, I think this should be a separate bug, with wishlist severity
> > instead of serious, and only makes sense if the change from 2.67-2 is
> > reverted, so preferably after squeeze.
>
> Upon reflection I think that you are right.
>
> I'm re-closing bug #591548 (with this email).
>
> Tim, would you mind filing a new bug, as Julien suggested?

Why would that be required?

AFAIK, this was considered an autoconf regression that is also fixed in upstream autoconf 2.68.

> Thanks,
>
> Ben.
>...

cu
Adrian

--
"Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days. "Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
Bug#591548: marked as done (autoconf breaks unfixed versions of pkg-config)
Your message dated Wed, 06 Oct 2010 11:09:57 -0700 with message-id <87hbgz19ca@benpfaff.org> and subject line Re: Processed: unarchiving and reopening 591548 has caused the Debian Bug report #591548, regarding autoconf breaks unfixed versions of pkg-config to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
591548: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=591548
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: autoconf
Version: 2.67-1
Severity: serious

It turned out the new version was not better but worse for me... :-(

autoconf needs a Breaks on all versions of pkg-config without #591547 fixed (currently all versions).
--- End Message ---

--- Begin Message ---
Julien Cristau writes:

> On Wed, Oct 6, 2010 at 09:36:26 -0700, Ben Pfaff wrote:
>
>> Julien Cristau writes:
>>
>> > On Wed, Oct 6, 2010 at 07:21:04 +, Debian Bug Tracking System wrote:
>> >
>> >> Processing commands for cont...@bugs.debian.org:
>> >>
>> >> > unarchive 591548
>> >> Bug #591548 {Done: Ben Pfaff } [autoconf] autoconf
>> >> breaks unfixed versions of pkg-config
>> >> Unarchived Bug 591548
>> >> > reopen 591548
>> >> Bug #591548 {Done: Ben Pfaff } [autoconf] autoconf
>> >> breaks unfixed versions of pkg-config
>> >> 'reopen' may be inappropriate when a bug has been closed with a version;
>> >> you may need to use 'found' to remove fixed versions.
>> >> > thanks
>> >> Stopping processing here.
>> >>
>> > Why? Current autoconf doesn't break pkg-config, there's no reason to
>> > reopen this afaict.
>>
>> Tim proposed adding "Breaks: pkg-config (<< 0.25-1.1)" to
>> autoconf, which seemed reasonable to me, so he reopened the bug.
>>
>> It would also have been reasonable to file a new bug against
>> autoconf making this request.
>>
>> Comments?
>
> Well, I think this should be a separate bug, with wishlist severity
> instead of serious, and only makes sense if the change from 2.67-2 is
> reverted, so preferably after squeeze.

Upon reflection I think that you are right.

I'm re-closing bug #591548 (with this email).

Tim, would you mind filing a new bug, as Julien suggested?

Thanks,

Ben.
--
Ben Pfaff
http://benpfaff.org
--- End Message ---
Bug#591548: Processed: unarchiving and reopening 591548
On 6 October 2010 17:36, Ben Pfaff wrote:
> Tim proposed adding "Breaks: pkg-config (<< 0.25-1.1)" to
> autoconf, which seemed reasonable to me, so he reopened the bug.
>
> It would also have been reasonable to file a new bug against
> autoconf making this request.
>
> Comments?

I could have mentioned when reopening that I had asked the maintainer first, and given more reasoning. You may both be amused to know that I am being sent on a communication skills course next month. ;)

We could let autoconf stay as-is in squeeze now, but that's between Ben and the release team, not something I want to decide either way. It's just a little bit more BTS manipulation to make that happen...

--
Tim Retout
Bug#591548: Processed: unarchiving and reopening 591548
On Wed, Oct 6, 2010 at 09:36:26 -0700, Ben Pfaff wrote:

> Julien Cristau writes:
>
> > On Wed, Oct 6, 2010 at 07:21:04 +, Debian Bug Tracking System wrote:
> >
> >> Processing commands for cont...@bugs.debian.org:
> >>
> >> > unarchive 591548
> >> Bug #591548 {Done: Ben Pfaff } [autoconf] autoconf
> >> breaks unfixed versions of pkg-config
> >> Unarchived Bug 591548
> >> > reopen 591548
> >> Bug #591548 {Done: Ben Pfaff } [autoconf] autoconf
> >> breaks unfixed versions of pkg-config
> >> 'reopen' may be inappropriate when a bug has been closed with a version;
> >> you may need to use 'found' to remove fixed versions.
> >> > thanks
> >> Stopping processing here.
> >>
> > Why? Current autoconf doesn't break pkg-config, there's no reason to
> > reopen this afaict.
>
> Tim proposed adding "Breaks: pkg-config (<< 0.25-1.1)" to
> autoconf, which seemed reasonable to me, so he reopened the bug.
>
> It would also have been reasonable to file a new bug against
> autoconf making this request.
>
> Comments?

Well, I think this should be a separate bug, with wishlist severity instead of serious, and only makes sense if the change from 2.67-2 is reverted, so preferably after squeeze.

Cheers,
Julien
Bug#599338: pianobar: "Protocol incompatible" on start
Package: pianobar
Version: 0+git20100420.3072c5a-1build1
Severity: grave
Tags: upstream squeeze sid
Justification: renders package unusable
Forwarded: http://github.com/PromyLOPh/pianobar/issues#issue/41

Due to changes in Pandora's protocol, pianobar cannot interact with the service.

$ pianobar
Welcome to pianobar! Press ? for a list of commands.
(i) Login... Error: Protocol incompatible. Please upgrade libpiano.
$

(information below notwithstanding, also affects the current version in unstable and testing)

-- System Information:
Debian Release: squeeze/sid
  APT prefers maverick-updates
  APT policy: (500, 'maverick-updates'), (500, 'maverick-security'), (500, 'maverick')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.35-22-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages pianobar depends on:
ii  libao4    1.0.0-4           Cross Platform Audio Output Librar
ii  libc6     2.12.1-0ubuntu6   Embedded GNU C Library: Shared lib
ii  libfaad2  2.7-4             freeware Advanced Audio Decoder -
ii  libmad0   0.15.1b-4ubuntu2  MPEG audio decoder library

pianobar recommends no packages.

pianobar suggests no packages.

-- no debconf information
Processed: Re: Bug#599092: libpano13: FTBFS: Creating panorama.. please wait
Processing commands for cont...@bugs.debian.org:

> forwarded 599092
> https://sourceforge.net/tracker/?func=detail&aid=3082342&group_id=96188&atid=613954
Bug #599092 [libpano13-bin] endless loop on PowerPC
Set Bug forwarded-to-address to 'https://sourceforge.net/tracker/?func=detail&aid=3082342&group_id=96188&atid=613954'.
> tags 599092 patch
Bug #599092 [libpano13-bin] endless loop on PowerPC
Added tag(s) patch.
>
End of message, stopping processing here.

Please contact me if you need assistance.
--
599092: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599092
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#599336: apt-get removes other packages than requested
Package: apt
Version: 0.8.6
Severity: serious

Okay, this was a WTF moment here.

I was playing with python-visual on my HTPC and when done wanted to remove all the cruft again. So I ran apt-get remove --purge "... the packages ..." and it removed me half of my system (and as apt ignores ^C at the moment, I was not amused :()

Here is what happens when I try to re-remove the packages from my system:

eiga:~# apt-get remove --purge libblas3gf libboost-python1.42.0 libboost-signals1.42.0 libboost-thread1.42.0 libcairomm-1.0-1 libgfortran3 libglade2-0 libglademm-2.4-1c2a libglibmm-2.4-1c2a libgtkglext1 libgtkglextmm-x11-1.2-0 libgtkmm-2.4-1c2a liblapack3gf libmpfr4 libpangomm-1.4-1 python-numpy python-visual
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package libblas3gf is not installed, so not removed
Package libboost-python1.42.0 is not installed, so not removed
Package libboost-signals1.42.0 is not installed, so not removed
Package libboost-thread1.42.0 is not installed, so not removed
Package libcairomm-1.0-1 is not installed, so not removed
Package libgfortran3 is not installed, so not removed
Package libglibmm-2.4-1c2a is not installed, so not removed
Package libgtkglext1 is not installed, so not removed
Package libgtkglextmm-x11-1.2-0 is not installed, so not removed
Package libgtkmm-2.4-1c2a is not installed, so not removed
Package liblapack3gf is not installed, so not removed
Package libglade2-0 is not installed, so not removed
Package libglademm-2.4-1c2a is not installed, so not removed
Package libpangomm-1.4-1 is not installed, so not removed
Package python-numpy is not installed, so not removed
Package python-visual is not installed, so not removed
The following packages were automatically installed and are no longer required:
  libsmbclient libts-0.0-0 libtalloc2 libswscale0 libcdio10 python-bluez python2.5-minimal libusplash0 libavutil50 liblcms1 libidn11 libsamplerate0 libx264-104 ttf-liberation libsvga1 libsdl-mixer1.2 libglew1.5 libcap2 libspeex1 libapr1 libwbclient0 libboost-iostreams1.40.0 python-central libass4 libmpfr1ldbl python2.5 libsdl1.2debian-alsa libwavpack1 libmysqlclient16 libavcodec52 libdirectfb-1.2-9 libx264-88 liblog4cxx10 libx264-98 libsdl-image1.2 python-qt3 libmp3lame0 libenca0 libsdl1.2debian python-sip libcurl3 libmikmod2 libvpx0 libssh2-1 libtheora0 liba52-0.7.4 libpostproc51 liblzo2-2 libvorbisfile3 libflac8 liborc-0.4-0 libgsm1 libvorbisenc2 linux-headers-2.6.32-3-common libasyncns0 libschroedinger-1.0-0 libavformat52 libxvidcore4 tsconf libmad0 libdb4.5 libsysfs2 libopencore-amrnb0 openssl libapt-pkg-perl libpulse0 libcurl3-gnutls libqt3-mt libdirac-encoder0 usplash-theme-debian libglu1-mesa librtmp0 libvorbis0a libopenjpeg2 libaudio2 libaprutil1 mysql-common libopencore-amrwb0 ca-certificates lsb-release dpatch libsndfile1 libmng1 libmpeg2-4 libmms0 libogg0 libfaac0 libfaad2 libsmpeg0
Use 'apt-get autoremove' to remove them.
The following packages will be REMOVED:
  build-essential* cpp* cpp-4.3* cpp-4.4* dkms* g++* g++-4.4* gcc* gcc-4.3* gcc-4.4* libmpfr4* libstdc++6-4.4-dev* linux-headers-2.6-amd64* linux-headers-2.6.32-5-amd64* nvidia-glx* nvidia-kernel-dkms* x11-utils* xbmc* xbmc-bin* xbmc-data* xbmc-skin-confluence* xbmc-standalone*
0 upgraded, 0 newly installed, 22 to remove and 0 not upgraded.
After this operation, 136 MB disk space will be freed.
Do you want to continue [Y/n]? ^C

None of the requested packages are installed and apt still tries to remove something completely different (rendering the system unusable as its only purpose is running xbmc :))

Report not written on the machine failing, thus no apt configuration files included. These are all default on "eiga".

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.34-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apt depends on:
ii  debian-archive-keyring  2010.08.28        GnuPG archive keys of the Debian a
ii  gnupg                   1.4.10-4          GNU privacy guard - a free PGP rep
ii  libc6                   2.11.2-6          Embedded GNU C Library: Shared lib
ii  libgcc1                 1:4.4.5-2         GCC support library
ii  libstdc++6              4.4.5-2           The GNU Standard C++ Library v3
ii  zlib1g                  1:1.2.3.4.dfsg-3  compression library - runtime

apt recommends no packages.

Versions of packages apt suggests:
pn  apt-doc                                   (no description available)
pn  aptitude | synaptic | wajig               (no description available)
ii  bzip2                   1.0.5-6           high-quality block-sorting file co
ii  dpkg-dev                1.15.8.5          Debian package development tools
ii  lzma                    4.43-14           Compression method of
Bug#599334: TYPO3 Security Bulletin TYPO3-SA-2010-020: Multiple vulnerabilities in TYPO3 Core
Package: typo3-src
Severity: critical
Tags: security

Affected Versions: 4.2.14 and below, 4.3.6 and below, 4.4.3 and below
Vulnerability Types: Remote File Disclosure, Cross-Site Scripting (XSS), Privilege Escalation, Denial of Service

Vulnerable subcomponent #1: Access tracking mechanism

Vulnerability Type: Remote File Disclosure
Severity: Critical
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:C/I:N/A:N/E:F/RL:OF/RC:C
Problem Description: A Remote File Disclosure vulnerability in the jumpUrl mechanism, used to track access on web pages and provided files, allows a remote attacker to read arbitrary files on a host. Because of a non-typesafe comparison between the submitted and the calculated hash, it is possible to spoof a hash value to bypass the access control. There's no authentication required to exploit this vulnerability. The vulnerability allows reading any file the web server user account has access to.

Vulnerable subcomponent #2: Backend

Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C
Problem Description: Failing to sanitize user input, the TYPO3 backend is susceptible to XSS attacks in several places. A valid backend login is required to exploit these vulnerabilities.

Vulnerability Type: Remote File Disclosure
Severity: Low
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:C/I:P/A:N/E:F/RL:OF/RC:C
Problem Description: Failing to properly validate user input, the Extension Manager is susceptible to Remote File Disclosure. By forging a special request parameter it is possible to view (and edit under special conditions) the contents of every file the webserver has access to. A valid admin user login is required to exploit this vulnerability.

Vulnerability Type: Privilege Escalation
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C
Problem Description: Failing to properly validate user input, the sys_action task "be_user_creation" is susceptible to Privilege Escalation. By forging a POST request an editor with the rights to create users in the taskcenter, can create users which are a member of arbitrary usergroups and by that probably leverage her privileges.

Vulnerable subcomponent #3: Validation/Filtering API

Vulnerability Type: Denial of Service
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
Problem Description: Because of a PHP crash in the filter_var() function when passing large strings to it, TYPO3 is susceptible to a Denial of Service attack in every place the API function t3lib_div::validEmail() is used.

Vulnerability Type: Cross-Site Scripting
Severity: Low
Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C
Problem Description: The normalisation feature of the RemoveXSS function was incomplete, allowing an attacker to inject arbitrary JavaScript code.

-- MfG, Christian Welzel GPG-Key: http://www.camlann.de/de/pgpkey.html Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
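The non-typesafe hash comparison described for subcomponent #1 of the TYPO3 bulletin, shown next to a typesafe check. This is an added example, not part of the bulletin and not TYPO3 code; the function names and every hash value in it are constructed for illustration.

```php
<?php
// Added illustration, not TYPO3 code. Function names and all hash values
// below are constructed for this example.

// Weak check: == is not typesafe. When both operands are numeric-looking
// strings, PHP compares them as numbers, so "0e..." (read as 0 * 10^n)
// equals "0". PHP versions before 8 are looser still and also convert a
// non-numeric string to 0 when it is compared with an integer.
function hashMatchesLoose($submitted, $calculated)
{
    return $submitted == $calculated;
}

// Hardened check: require a string, then compare byte for byte in
// constant time. hash_equals() exists since PHP 5.6; on older versions
// use === on two strings.
function hashMatchesStrict($submitted, $calculated)
{
    return is_string($submitted) && hash_equals($calculated, $submitted);
}

// Constructed cases: [label, calculated hash, submitted value].
$cases = array(
    array('exact match',             'a3f9c01b7e', 'a3f9c01b7e'),
    array('wrong hex hash',          'a3f9c01b7e', 'a3f9c01b7f'),
    array('"0" vs 0e-style hash',    '0e46209743', '0'),
    array('two different 0e hashes', '0e46209743', '0e83040045'),
    array('"1e2" vs "100"',          '100',        '1e2'),
);

// Print one row per case so the two checks can be compared side by side.
foreach ($cases as $case) {
    list($label, $calculated, $submitted) = $case;
    printf(
        "%-26s loose=%-5s strict=%s\n",
        $label,
        var_export(hashMatchesLoose($submitted, $calculated), true),
        var_export(hashMatchesStrict($submitted, $calculated), true)
    );
}
```

Only the first case should pass under either check; the last three are where the loose comparison accepts a value that differs from the calculated hash.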
Bug#591548: Processed: unarchiving and reopening 591548
Julien Cristau writes: > On Wed, Oct 6, 2010 at 07:21:04 +, Debian Bug Tracking System wrote: > >> Processing commands for cont...@bugs.debian.org: >> >> > unarchive 591548 >> Bug #591548 {Done: Ben Pfaff } [autoconf] autoconf >> breaks unfixed versions of pkg-config >> Unarchived Bug 591548 >> > reopen 591548 >> Bug #591548 {Done: Ben Pfaff } [autoconf] autoconf >> breaks unfixed versions of pkg-config >> 'reopen' may be inappropriate when a bug has been closed with a version; >> you may need to use 'found' to remove fixed versions. >> > thanks >> Stopping processing here. >> > Why? Current autoconf doesn't break pkg-config, there's no reason to > reopen this afaict. Tim proposed adding "Breaks: pkg-config (<< 0.25-1.1)" to autoconf, which seemed reasonable to me, so he reopened the bug. It would also have been reasonable to file a new bug against autoconf making this request. Comments? -- Ben Pfaff http://benpfaff.org
Processed: Re: Bug#599092: libpano13: FTBFS: Creating panorama.. please wait
Processing commands for cont...@bugs.debian.org: > #On 2010-10-05 Andreas Metzler wrote: > #[...] > #> It is no new breakage, 2.9.14's testsuite gets stuck at exactly the > #> same point, the debian package just did not run it then. > reassign 599092 libpano13-bin 2.9.14-2 Bug #599092 [src:libpano13] libpano13: FTBFS: Creating panorama.. please wait Bug reassigned from package 'src:libpano13' to 'libpano13-bin'. Bug No longer marked as found in versions libpano13/2.9.17+dfsg-1. Bug #599092 [libpano13-bin] libpano13: FTBFS: Creating panorama.. please wait Bug Marked as found in versions libpano13/2.9.14-2. > retitle 599092 endless loop on PowerPC Bug #599092 [libpano13-bin] libpano13: FTBFS: Creating panorama.. please wait Changed Bug title to 'endless loop on PowerPC' from 'libpano13: FTBFS: Creating panorama.. please wait' > tags 599092 confirmed Bug #599092 [libpano13-bin] endless loop on PowerPC Added tag(s) confirmed. > thanks Stopping processing here. Please contact me if you need assistance. -- 599092: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599092 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#599330: python-mapnik: broken on mips*: ImportError: invalid mode parameter
Package: python-mapnik Version: 0.7.1-1 Severity: grave Tags: patch User: debian-m...@lists.debian.org Usertags: mips Justification: renders package unusable (on mips & mipsel) mapnik is not importable on mips{,el}: $ python -c 'import mapnik' Traceback (most recent call last): File "", line 1, in File "/usr/lib/pymodules/python2.6/mapnik/__init__.py", line 53, in from _mapnik import * ImportError: invalid mode parameter I believe that the attached (untested) patch fixes this bug. BTW, such a breakage could be detected earlier if test suite were run at build time. -- Jakub Wilk diff --git a/bindings/python/mapnik/__init__.py b/bindings/python/mapnik/__init__.py --- a/bindings/python/mapnik/__init__.py +++ b/bindings/python/mapnik/__init__.py @@ -42,7 +42,7 @@ from sys import getdlopenflags, setdlopenflags try: -from ctypes import RTLD_NOW, RTLD_GLOBAL +from DLFCN import RTLD_NOW, RTLD_GLOBAL except ImportError: RTLD_NOW = 2 RTLD_GLOBAL = 256 signature.asc Description: Digital signature
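Review bot: The "except ImportError:" fallback kept as context in this hunk still hard-codes RTLD_NOW = 2 and RTLD_GLOBAL = 256, so whenever DLFCN cannot be imported the module falls back to the same fixed numbers on every architecture, and the report shows the import already failing on mips and mipsel with "invalid mode parameter". As the patch is marked untested, confirm on a mips host that "from DLFCN import RTLD_NOW, RTLD_GLOBAL" succeeds there, and make the fallback either skip the setdlopenflags call or fail with a clear message instead of guessing the constants.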
Bug#593302: marked as done (python-cjson: CVE-2009-4924 xss vulnerability)
Your message dated Wed, 06 Oct 2010 17:17:48 + with message-id and subject line Bug#593302: fixed in python-cjson 1.0.5-4 has caused the Debian Bug report #593302, regarding python-cjson: CVE-2009-4924 xss vulnerability to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 593302: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=593302 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: python-cjson Version: 1.0.5-1 Severity: important Tags: security Hi, the following CVE (Common Vulnerabilities & Exposures) id was published for python-cjson. CVE-2009-4924[0]: | Dan Pascu python-cjson 1.0.5 does not properly handle a ['/'] argument | to cjson.encode, which makes it easier for remote attackers to conduct | certain cross-site scripting (XSS) attacks involving Firefox and the | end tag of a SCRIPT element. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. 
For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4924 http://security-tracker.debian.org/tracker/CVE-2009-4924 --- End Message --- --- Begin Message --- Source: python-cjson Source-Version: 1.0.5-4 We believe that the bug you reported is fixed in the latest version of python-cjson, which is due to be installed in the Debian FTP archive: python-cjson-dbg_1.0.5-4_amd64.deb to main/p/python-cjson/python-cjson-dbg_1.0.5-4_amd64.deb python-cjson_1.0.5-4.debian.tar.gz to main/p/python-cjson/python-cjson_1.0.5-4.debian.tar.gz python-cjson_1.0.5-4.dsc to main/p/python-cjson/python-cjson_1.0.5-4.dsc python-cjson_1.0.5-4_amd64.deb to main/p/python-cjson/python-cjson_1.0.5-4_amd64.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 593...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Bernd Zeimetz (supplier of updated python-cjson package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Mon, 06 Sep 2010 22:14:36 +0200 Source: python-cjson Binary: python-cjson python-cjson-dbg Architecture: source amd64 Version: 1.0.5-4 Distribution: unstable Urgency: high Maintainer: Debian Python Modules Team Changed-By: Bernd Zeimetz Description: python-cjson - Very fast JSON encoder/decoder for Python python-cjson-dbg - Very fast JSON encoder/decoder for Python (debug extension) Closes: 593302 Changes: python-cjson (1.0.5-4) unstable; urgency=high . * debian/patches: - New patch: 0002-fix-for-CVE-2009-4924 Fixing a xss vulnerability by handling ['/'] arguments to cjson.encode properly. 
Closes: #593302, Fixes: CVE-2009-2924
Bug#473082: Should this bug closed?
> Hi, > > Since this is fixed in version 0.25.1debian1-0.1, shouldn't it be closed? > > Thanks! > > -- > Kartik Mistry Hey Kartik, I believe it should be... it has been solved for more than 2 years and I think it wasn't closed only because it was a clone and not directly referenced in the changelog. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475611#64 This is the issue it was pending on. It seems mad that this bug is still open with the RC Bug Squashing Season going on. I guess there is still a lot of low hanging fruit to pick. I wanted to close it but don't know if a non-DD, simple user/helper should close a bug or if it's going to be frowned upon :o) Let me know Cheers LeTic signature.asc Description: This is a digitally signed message part
Bug#597059: Re : unattended-upgrades: change squeeze to testing in 50unattended-upgrades
Hi Stanislav, Thanks for reporting this, but I fail to see how this is an RC bug, or even a bug at all :o) All packages are made to propagate to Stable. Maintainers are not going to re-upload a version of their package just before the release to change all configuration files that need changing. The ideal would be to have additional dynamic parameters like: ${distro_id} or ${distro_codename} to be able to have a generic configuration file that works with all versions stable/testing and unstable. On your side this is just a simple configuration file change from stable to testing that is needed. I don't know if the maintainer has a simple workaround/solution for this. This is RC squashing season so I am just trying to help :o) Closing it or even just lowering the priority seems reasonable to me. What do you think, Stanislav? Let me know Cheers ! LeTic signature.asc Description: This is a digitally signed message part
Bug#599200:
On Wed, Oct 06, 2010 at 04:55:18PM +0200, Jan Luebbe wrote: > Hi, i'm the maintainer of the qemu-kvm package and have now tried > several combinations: > > Host with 64-bit CPU and 32bit squeeze kernel/userspace and 32bit lenny > or squeeze netinst as guest: > lm in the host's /proc/cpuinfo but *not* in the guest's > > Host with 64-bit CPU and 64bit sid kernel/userspace and 32bit lenny > netinst as guest: > lm in *both* host's and guest's /proc/cpuinfo > > Host with 64-bit CPU and 64bit sid kernel/userspace and 64bit lenny > netinst as guest: > lm in *both* host's and guest's /proc/cpuinfo > > Host with 32-bit CPU and 32bit squeeze kernel/userspace and 32bit lenny > netinst as guest: > lm in *neither* host's nor guest's /proc/cpuinfo > > Each of those cases is what I'd expect. > > Petter Reinholdtsen wrote he was using Lenny's kvm: > > QEMU Virtual CPU version 0.10.0 > > That version is rather old and if it is indeed broken, i don't think we > could get the cpuid fixed soon. Certainly there is a workaround of specifying -cpu qemu32. Or upgrading to a newer version using backports. Or using a 64bit kernel instead on the host. > I'll setup a lenny machine and try it there, too. -- Len Sorensen
Bug#599200:
Hi, i'm the maintainer of the qemu-kvm package and have now tried several combinations: Host with 64-bit CPU and 32bit squeeze kernel/userspace and 32bit lenny or squeeze netinst as guest: lm in the host's /proc/cpuinfo but *not* in the guest's Host with 64-bit CPU and 64bit sid kernel/userspace and 32bit lenny netinst as guest: lm in *both* host's and guest's /proc/cpuinfo Host with 64-bit CPU and 64bit sid kernel/userspace and 64bit lenny netinst as guest: lm in *both* host's and guest's /proc/cpuinfo Host with 32-bit CPU and 32bit squeeze kernel/userspace and 32bit lenny netinst as guest: lm in *neither* host's nor guest's /proc/cpuinfo Each of those cases is what I'd expect. Petter Reinholdtsen wrote he was using Lenny's kvm: > QEMU Virtual CPU version 0.10.0 That version is rather old and if it is indeed broken, i don't think we could get the cpuid fixed soon. I'll setup a lenny machine and try it there, too. Jan
Processed: notfixed 599284 in 0.5.3-2+b3
Processing commands for cont...@bugs.debian.org: > notfixed 599284 0.5.3-2+b3 Bug #599284 {Done: Mehdi Dogguy } [cduce] cduce: inconsistent assumption wit curl Bug No longer marked as fixed in versions 0.5.3-2+b3. > thanks Stopping processing here. Please contact me if you need assistance. -- 599284: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599284 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#591548: Processed: unarchiving and reopening 591548
On Wed, Oct 6, 2010 at 07:21:04 +, Debian Bug Tracking System wrote: > Processing commands for cont...@bugs.debian.org: > > > unarchive 591548 > Bug #591548 {Done: Ben Pfaff } [autoconf] autoconf > breaks unfixed versions of pkg-config > Unarchived Bug 591548 > > reopen 591548 > Bug #591548 {Done: Ben Pfaff } [autoconf] autoconf > breaks unfixed versions of pkg-config > 'reopen' may be inappropriate when a bug has been closed with a version; > you may need to use 'found' to remove fixed versions. > > thanks > Stopping processing here. > Why? Current autoconf doesn't break pkg-config, there's no reason to reopen this afaict. Cheers, Julien signature.asc Description: Digital signature
Bug#599251: FTBFS: waits for user input at "latex path [/usr/bin/latex]"
On Wed, 06 Oct 2010 15:15:25 +0200, Salvatore Bonaccorso wrote: > > I think in this case we can either [..] > > (I can't try now but I'm sure Salvatore will be quicker than me :)) > Well I chose option 1. I saw your reply only after committing the > patch to our svn repo. I knew that you would be quicker :) (Don't worry about my mail, I was just thinking out loud after a very quick look at Makefile.PL) > If you have time please review the package. I > have already sent a unblock request [1], but we can change the request > if we want one of the other solutions. I guess that's the most simple and minimal change, so if it works I agree we should choose it. Cheers, gregor -- .''`. http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4 : :' : Debian GNU/Linux user, admin, & developer - http://www.debian.org/ `. `' Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe `-NP: Arlo Guthrie: Alice's Restaurant signature.asc Description: Digital signature
Bug#599306: manpages-de 0.6-1 should conflict/break manpages-de-dev <= 0.5-5 and vice versa
Package: manpages-de Version: 0.6-1 Severity: serious Hi, the unattended upgrade failed today with this error message: 2010-10-06 12:51:13,135 INFO Initial blacklisted packages: 2010-10-06 12:51:13,136 INFO Starting unattended upgrades script 2010-10-06 12:51:13,136 INFO Allowed origins are: ["('Debian', 'stable')", "('Debian', 'squeeze-security')", "('Debian', 'testing')", "('volatile.debian.org', 'stable')"] 2010-10-06 12:51:26,202 INFO Packages that are upgraded: libasound2 libdrm-intel1 libdrm-nouveau1 libdrm-radeon1 libdrm2 manpages-de manpages-de-dev 2010-10-06 12:51:26,202 INFO Writing dpkg log to '/var/log/unattended-upgrades/unattended-upgrades-dpkg_2010-10-06_12:51:26.202429.log' 2010-10-06 12:51:37,769 ERROR Installing the upgrades failed! 2010-10-06 12:51:37,770 ERROR error message: 'E:Sub-process /usr/bin/dpkg returned an error code (1)' 2010-10-06 12:51:37,770 ERROR dpkg returned a error! See '/var/log/unattended-upgrades/unattended-upgrades-dpkg_2010-10-06_12:51:26.202429.log' for details The detailed log file is attached. After running "apt-get dist-upgrade" manually again, everything worked perfectly and manpages-de 0.6-1 was installed without a problem, because there were no conflicting files anymore now that manpages-de-dev had been updated. I'm filing this as serious because this could break upgrades from lenny to squeeze. Don't hesitate to downgrade/close if you think it's appropriate! Best regards Alexander Kurtz (Reading database ... 186529 files and directories currently installed.) Preparing to replace libasound2 1.0.23-1 (using .../libasound2_1.0.23-2_amd64.deb) ... Unpacking replacement libasound2 ... Preparing to replace libdrm2 2.4.18-6 (using .../libdrm2_2.4.21-1~squeeze3_amd64.deb) ... Unpacking replacement libdrm2 ... Preparing to replace libdrm-intel1 2.4.18-6 (using .../libdrm-intel1_2.4.21-1~squeeze3_amd64.deb) ... Unpacking replacement libdrm-intel1 ... 
Preparing to replace libdrm-nouveau1 2.4.18-6 (using .../libdrm-nouveau1_2.4.21-1~squeeze3_amd64.deb) ... Unpacking replacement libdrm-nouveau1 ... Preparing to replace libdrm-radeon1 2.4.18-6 (using .../libdrm-radeon1_2.4.21-1~squeeze3_amd64.deb) ... Unpacking replacement libdrm-radeon1 ... Preparing to replace manpages-de 0.5-5 (using .../manpages-de_0.6-1_all.deb) ... Unpacking replacement manpages-de ... dpkg: error processing /var/cache/apt/archives/manpages-de_0.6-1_all.deb (--unpack): trying to overwrite '/usr/share/man/de/man2/intro.2.gz', which is also in package manpages-de-dev 0.5-5 configured to not write apport reports dpkg-deb: subprocess paste killed by signal (Broken pipe) Preparing to replace manpages-de-dev 0.5-5 (using .../manpages-de-dev_0.6-1_all.deb) ... Unpacking replacement manpages-de-dev ... Processing triggers for man-db ... Errors were encountered while processing: /var/cache/apt/archives/manpages-de_0.6-1_all.deb signature.asc Description: This is a digitally signed message part
Bug#599200: base-installer: Install amd64 kernel on i686 kvm guest - and fail to boot
On Wed, Oct 06, 2010 at 10:39:17AM -0400, Lennart Sorensen wrote: > On Wed, Oct 06, 2010 at 12:53:04AM +0200, Petter Reinholdtsen wrote: > > [Lennart Sorensen] > > > Well try starting the kvm with '-cpu qemu32'. That should provide > > > the feature flags of a nice 32bit x86. > > > > I tried this by adding > > > > > > qemu32 > > > > > > to the libvirtm XML file for the virtual machine, which caused '-cpu > > qemu32' to be part of the kvm command line. There is no GUI to add > > this in virt-manager, as far as I can see, so this will be out of > > reach for most users. No idea if this gives hardware virtualization or > > software virtualization. The qemu part of the model name makes me > > suspect the latter. > > > > Anyway, booting the virtual machine and looking at the CPU flags in > > cpuinfo, I can confirm that the lm flag is gone. I also tried with > > model=pentium3, and this too did not have the lm flag. This solves my > > immediate problem of testing the Debian Edu DVD, but does not address the > > problem for the unexpecting user of kvm. > > Well it is certainly a bug in kvm. Of course most people probably run > a 64bit kernel these days, although I suppose many don't. kvm should > not tell the guest that the cpu supports something if kvm isn't capable > of supporting it. It doesn't, at least not in my tests. The kvm x86 initialisation code masks lm by default in a 32-bit kernel, and kvm-qemu does so as well when setting the flags to be exposed to the guest. Presumably there are some old versions that don't, but neither stable nor testing appear to have this bug. I've asked Petter to confirm which versions he is using. Ben. -- Ben Hutchings We get into the habit of living before acquiring the habit of thinking. - Albert Camus
Bug#599200: base-installer: Install amd64 kernel on i686 kvm guest - and fail to boot
On Wed, Oct 06, 2010 at 12:53:04AM +0200, Petter Reinholdtsen wrote: > [Lennart Sorensen] > > Well try starting the kvm with '-cpu qemu32'. That should provide > > the feature flags of a nice 32bit x86. > > I tried this by adding > > > qemu32 > > > to the libvirtm XML file for the virtual machine, which caused '-cpu > qemu32' to be part of the kvm command line. There is no GUI to add > this in virt-manager, as far as I can see, so this will be out of > reach for most users. No idea if this gives hardware virtualization or > software virtualization. The qemu part of the model name makes me > suspect the latter. > > Anyway, booting the virtual machine and looking at the CPU flags in > cpuinfo, I can confirm that the lm flag is gone. I also tried with > model=pentium3, and this too did not have the lm flag. This solves my > immediate problem of testing the Debian Edu DVD, but does not address the > problem for the unexpecting user of kvm. Well it is certainly a bug in kvm. Of course most people probably run a 64bit kernel these days, although I suppose many don't. kvm should not tell the guest that the cpu supports something if kvm isn't capable of supporting it. -- Len Sorensen
Bug#599303: KToon has no -dbg package
Additionally there is no debug (ktoon-dbg) package available signature.asc Description: This is a digitally signed message part.
Bug#599303: ktoon: KToon crashes with Signal 11
Subject: ktoon: KToon crashes with Signal 11 Package: ktoon Version: 0.8.1-4.1+b1 Justification: renders package unusable Severity: grave *** Please type your report below this line *** KToon in Sid and in Squeeze (Testing) are unable to open. I get a blank window that opens in KDE but there is nothing in it; from the CLI my output is: jtho...@jthomas:09:05:~$ ktoon [Initializing DApplication] [Initializing DConfig] [Initializing DConfigDocument] *Init configuration file : "/home/jthomas/.ktoon/ktoon.cfg" ktoon(4166)/ KSycocaPrivate::openDatabase: Trying to open ksycoca from "/var/tmp/kdecache-jthomas/ksycoca4" ktoon(4166)/ KSharedDataCache::Private::mapSharedMemory: Opening cache "/var/tmp/kdecache-jthomas/icon-cache.kcache" page size is 4096 ktoon(4166)/ KSharedDataCache::Private::mapSharedMemory: Attached to cache, determining if it must be initialized ktoon(4166)/ KSharedDataCache::Private::mapSharedMemory: Cache fully initialized -- attached to memory mapping ktoon(4166)/ KSharedDataCache::Private::mapSharedMemory: 4403200 bytes available out of 10485760 ktoon is crashing with signal 11 :( ^C # #jtho...@jthomas:09:05:~$ Thanks for Debian and the great packaging of KDE! 
-- System Information: Debian Release: squeeze/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental') Architecture: i386 (i686) Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages ktoon depends on: ii libaspell15 0.60.6-4 GNU Aspell spell-checker runtime l ii libavcodec524:0.5.2-6ffmpeg codec library ii libavformat52 4:0.5.2-6ffmpeg file format library ii libavutil49 4:0.5.2-6ffmpeg utility library ii libc6 2.11.2-6 Embedded GNU C Library: Shared lib ii libgcc1 1:4.4.5-2GCC support library ii libgl1-mesa-glx [libgl1 7.7.1-4 A free implementation of the OpenG ii libqt4-opengl 4:4.6.3-2Qt 4 OpenGL module ii libqt4-xml 4:4.6.3-2Qt 4 XML module ii libqtcore4 4:4.6.3-2Qt 4 core module ii libqtgui4 4:4.6.3-2Qt 4 GUI module ii libstdc++6 4.4.5-2 The GNU Standard C++ Library v3 ii libswscale0 4:0.5.2-6ffmpeg video scaling library ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime ktoon recommends no packages. ktoon suggests no packages. -- no debconf information signature.asc Description: This is a digitally signed message part.
Bug#598284: Info received (bareftp: diff for NMU version 0.3.4-1.1)
the updated package could be found at http://mentors.debian.net/debian/pool/main/b/bareftp/bareftp_0.3.4-1.1.dsc -- 1AE0 322E B8F7 4717 BDEA BF1D 44BB 1BA7 9F6C 6333 signature.asc Description: Digital signature
Bug#596986: FTBFS: tests fail on armhf (and sh4)
Hi, after some research, I think that this bug is buildd-specific rather than package-specific. See the pattern for 1.2.2-1: * amd64 brahms - failed (three in a row) braber - built (twice) * sparc schroeder - failed (twice) spontini - built * kfreebsd-amd64 fano - failed (twice) fasch - built However, the pattern seems not to be consistent between 1.2.1-2, 1.2.1-3, 1.2.2-1 in some cases, like s390 and hppa builders (rotating successes and failures). I briefly compared the toolchains and the configure stages logged on kfreebsd and amd64 builders, but I didn't notice interesting differences. Moreover, I tried to reproduce this both locally (amd64) and on sumotsu, but it never failed (trying with both bash and dash). I'm out of clues now. I think that "yes" and "no" are currently leaked answers to something, which are incorrectly tried to be sourced somewhere (pure speculation here, I didn't find the actual origin). I also noticed a strange constant warning among build logs "./configure.lineno: 5784: ${SHELL}: not found" which I wasn't able to reproduce locally, nor to track down to the source. Cheers, Luca -- .''`. ** Debian GNU/Linux ** | Luca Bruno (kaeso) : :' : The Universal O.S.| lucab (AT) debian.org `. `'` | GPG Key ID: 3BFB9FB3 `- http://www.debian.org | Debian GNU/Linux Developer signature.asc Description: PGP signature
Bug#598284: bareftp: diff for NMU version 0.3.4-1.1
i forgot to add this (trivial) patch fix a security issue, CVE-2010-3350 i will upload the dsc, deb files to mentors soon On Wed, Oct 06, 2010 at 10:08:22AM -0300, gustavo panizzo wrote: > tags 598284 + patch > tags 598284 + pending > thanks > > Dear maintainer, > > I've prepared an NMU for bareftp (versioned as 0.3.4-1.1) > > Regards. > > -- > 1AE0 322E B8F7 4717 BDEA BF1D 44BB 1BA7 9F6C 6333 > > diff -u bareftp-0.3.4/debian/changelog bareftp-0.3.4/debian/changelog > --- bareftp-0.3.4/debian/changelog > +++ bareftp-0.3.4/debian/changelog > @@ -1,3 +1,10 @@ > +bareftp (0.3.4-1.1) unstable; urgency=low > + > + * Non-maintainer upload. > + * Fix security issue CVE-2010-3350 (Closes: #598284) > + > + -- gustavo panizzo Tue, 05 Oct 2010 23:37:54 -0300 > + > bareftp (0.3.4-1) unstable; urgency=low > >* New upstream bugfix release 0.3.4 > only in patch2: > unchanged: > --- bareftp-0.3.4.orig/bareftp.in > +++ bareftp-0.3.4/bareftp.in > @@ -1,3 +1,8 @@ > #!/bin/sh > -export ld_library_pa...@expanded_libdir@/bareftp:$LD_LIBRARY_PATH > +if [ -z ${LD_LIBRARY_PATH} ]; then > +export ld_library_pa...@expanded_libdir@/bareftp > +else > +export ld_library_pa...@expanded_libdir@/bareftp:${LD_LIBRARY_PATH} > +fi > + > exec @MONO@ @expanded_libdir@/bareftp/bareftp.exe $MONO_EXTRA_ARGS "$@" -- 1AE0 322E B8F7 4717 BDEA BF1D 44BB 1BA7 9F6C 6333 signature.asc Description: Digital signature
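Review bot: The new debian/changelog entry in the first hunk is marked urgency=low although its only change is the fix for CVE-2010-3350; raise the urgency to match a security fix, and have the entry name the change itself (the LD_LIBRARY_PATH handling in bareftp.in) rather than only the CVE number, so that the changelog alone tells a reader what was altered.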
Processed: Re: Processed (with 1 errors): raid spare segfault
Processing commands for cont...@bugs.debian.org: > found 598257 1.98+20100804-4 Bug #598257 [grub-pc] grub-probe segfaults when an md device on the system has spares Bug Marked as found in versions grub2/1.98+20100804-4. > quit Stopping processing here. Please contact me if you need assistance. -- 598257: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598257 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#599251: FTBFS: waits for user input at "latex path [/usr/bin/latex]"
Hi Timo and Gregor On Wed, Oct 06, 2010 at 12:30:08PM +0200, gregor herrmann wrote: > On Wed, 06 Oct 2010 13:11:24 +0300, Timo Juhani Lindfors wrote: > > > > Ok, this is indeed not directly the cause. It's more how the ttprompt > > > in Makefile.PL works, in sbuild/chroot environment these will work > > > without waiting for confirmation and if we build it interactively it > > > waits for confirmation. > > Thanks! Is this ttprompt common in perl packages? > > No, that's a hand-crafted function in the Makefile.PL of this > package. > > ExtUtils::MakeMaker has prompt() which honours PERL_MM_USE_DEFAULT > (which should be set in package builds via debhelper, IIRC). > Cf. http://perldoc.perl.org/ExtUtils/MakeMaker.html#Other-Handy-Functions > > I think in this case we can either > - patch Makefile.PL to set $ACCEPT to 1 > - or patch Makefile.PL to use prompt() > - and/or set PERL_MM_USE_DEFAULT or patch Makefile.PL to honour > PERL_MM_USE_DEFAULT > > (I can't try now but I'm sure Salvatore will be quicker than me :)) Well I chose option 1. I saw your reply only after committing the patch to our svn repo. If you have time please review the package. I have already sent a unblock request [1], but we can change the request if we want one of the other solutions. [1] http://bugs.debian.org/599293 Bests Salvatore signature.asc Description: Digital signature
Bug#598284: bareftp: diff for NMU version 0.3.4-1.1
tags 598284 + patch tags 598284 + pending thanks Dear maintainer, I've prepared an NMU for bareftp (versioned as 0.3.4-1.1) Regards. -- 1AE0 322E B8F7 4717 BDEA BF1D 44BB 1BA7 9F6C 6333 diff -u bareftp-0.3.4/debian/changelog bareftp-0.3.4/debian/changelog --- bareftp-0.3.4/debian/changelog +++ bareftp-0.3.4/debian/changelog @@ -1,3 +1,10 @@ +bareftp (0.3.4-1.1) unstable; urgency=low + + * Non-maintainer upload. + * Fix security issue CVE-2010-3350 (Closes: #598284) + + -- gustavo panizzo Tue, 05 Oct 2010 23:37:54 -0300 + bareftp (0.3.4-1) unstable; urgency=low * New upstream bugfix release 0.3.4 only in patch2: unchanged: --- bareftp-0.3.4.orig/bareftp.in +++ bareftp-0.3.4/bareftp.in @@ -1,3 +1,8 @@ #!/bin/sh -export ld_library_pa...@expanded_libdir@/bareftp:$LD_LIBRARY_PATH +if [ -z ${LD_LIBRARY_PATH} ]; then +export ld_library_pa...@expanded_libdir@/bareftp +else +export ld_library_pa...@expanded_libdir@/bareftp:${LD_LIBRARY_PATH} +fi + exec @MONO@ @expanded_libdir@/bareftp/bareftp.exe $MONO_EXTRA_ARGS "$@" signature.asc Description: Digital signature
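Review bot: In the bareftp.in hunk the new test `[ -z ${LD_LIBRARY_PATH} ]` expands the variable unquoted, so an inherited value containing whitespace or glob characters is word-split before `[` sees it and the test errors out rather than evaluating the string; write `[ -z "${LD_LIBRARY_PATH}" ]`. The whole if/else could also collapse into a single export ending in `${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}`, which appends the separator only when the variable is set and non-empty. The changelog entry names the CVE but not the file touched; mentioning the launcher script there would help later readers.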
Processed: bareftp: diff for NMU version 0.3.4-1.1
Processing commands for cont...@bugs.debian.org: > tags 598284 + patch Bug #598284 [bareftp] bareftp: CVE-2010-3350: insecure library loading Added tag(s) patch. > tags 598284 + pending Bug #598284 [bareftp] bareftp: CVE-2010-3350: insecure library loading Added tag(s) pending. > thanks Stopping processing here. Please contact me if you need assistance. -- 598284: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598284 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: cpu: diff for NMU version 1.4.3-11.2
Processing commands for cont...@bugs.debian.org: > tags 490235 + pending Bug #490235 [cpu] cpu: should use new cracklib2 (>= 2.8.12-1) binary packages Added tag(s) pending. > tags 598173 + pending Bug #598173 [src:cpu] cpu: FTBFS: Unable to locate package cracklib2-dev Added tag(s) pending. > thanks Stopping processing here. Please contact me if you need assistance. -- 598173: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598173 490235: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=490235 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#585614: Fails to open any mp3's to split
On Tue, Oct 05, 2010 at 10:12:06PM +0100, Tim Retout wrote: > reopen 585614 > thanks > > On Tue, 2010-10-05 at 21:17 +1030, Ron wrote: > > Hi Tim, > > > > Thanks for adding some extra perspective to this, but it still > > seems to be a bit more complicated than that :/ > > > I do have -plugins-good installed here. > > H. :( My NMU has been accepted already, but I think that's all > right - there was definitely a missing dependency on the -good plugins. Yeah, I saw that come just after my mail ;) > > For most files I toss at it, today I currently see in the bottom bar: > > gstreamer error: internal data flow error > > > > and then it hangs hard. I tried that with both .ogg (vorbis) and mp3 > > files. I did find a couple of files that it doesn't hang on - except > > it doesn't actually seem to find any content in them, it both 'plays' > > and shows silence in the display. The ones that partly work all seem > > to be 'oddball' files in one manner or another - they are all mono, > > and at sampling rates other than 44100. Every stereo 44100 file I've > > tossed at it so far seems to hang. The oddball files are also a mix > > of .ogg and .mp3 > > > > Of gstreamer, I currently have installed: > > > > $ dpkg -l | grep gstreamer > > ii gstreamer0.10-alsa 0.10.29-4 GStreamer plugin for ALSA > > ii gstreamer0.10-ffmpeg 0.10.10-1 FFmpeg plugin for GStreamer > > ii gstreamer0.10-plugins-base 0.10.29-4 GStreamer plugins from the > > "base" set > > ii gstreamer0.10-plugins-good 0.10.23-4 GStreamer plugins from the > > "good" set > > ii gstreamer0.10-x 0.10.29-4 GStreamer plugins for X11 > > and Pango > > ii libgstreamer-plugins-base0.10-0 0.10.29-4 GStreamer libraries from > > the "base" set > > ii libgstreamer0.10-0 0.10.29-1 Core GStreamer libraries > > and elements > > That seems vaguely recent. You might want to install the -ugly plugins > too, which contains libgstmpegaudioparse.so and other promising-looking > names. 
Installing -ugly and the couple of extra things it pulled in, doesn't seem to change anything here. > Can you try running: > > gst-launch-0.10 playbin uri=file:///path/to/the.mp3 Grabbing gstreamer0.10-tools to get that, also updated me to libgstreamer0.10-0 0.10.30-1, which does seem to have altered how it fails. I get the 'same' result from playbin as I see in mp3splt-gtk: the mono ogg "plays" for its full duration, but it plays silence not the content. And the stereo 44k one fails completely. It no longer completely hangs the gui solid though, I see the same 'internal data flow error', but the gui remains responsive and I can do other things and open other files now. If I hit the play button a couple of times, mp3splt-gtk barks to the console: (mp3splt-gtk:4280): GStreamer-CRITICAL **: Failed to deactivate pad oggdemux1:sink, very bad The output of playbin is: $ gst-launch-0.10 playbin uri=file:///home/ron/bad.ogg Setting pipeline to PAUSED ... Pipeline is PREROLLING ... ERROR: from element /GstPlayBin:playbin0/GstBin:abin/GstAutoAudioSink:audiosink/GstAlsaSink:audiosink-actual-sink-alsa: Could not get/set settings from/on resource. Additional debug info: gstalsasink.c(516): set_hwparams (): /GstPlayBin:playbin0/GstBin:abin/GstAutoAudioSink:audiosink/GstAlsaSink:audiosink-actual-sink-alsa: Unable to set hw params for playback: Invalid argument ERROR: pipeline doesn't want to preroll. Setting pipeline to NULL ... Freeing pipeline ... $ gst-launch-0.10 playbin uri=file:///home/ron/better.ogg Setting pipeline to PAUSED ... Pipeline is PREROLLING ... Pipeline is PREROLLED ... Setting pipeline to PLAYING ... New clock: GstAudioSinkClock Got EOS from element "playbin0". Execution ended after 8235649061 ns. Setting pipeline to PAUSED ... Setting pipeline to READY ... Setting pipeline to NULL ... Freeing pipeline ... > I think there's a bigger problem with mp3splt-gtk here - it shouldn't > crash and burn when gstreamer throws an error. 
But that actually > requires a patch... That was my bet before I saw the above too... > If installing the -ugly plugins makes it work, maybe this bug could be > downgraded to "important"? It's just a crash in an error case, by that > point. Well I'm less sure it is a bug in mp3splt-gtk now, beyond the dep that you already fixed. Upstream swears that it Works For Him, and it works for you -- and now it doesn't even really seem to do something I can blame on the app itself. If the app is just "using gstreamer", and it seems to do what the gstreamer native tools do -- then I guess gstreamer just doesn't like me for some reason... Audacity works fine on this box, and everything else I've used before these two... Am I missing something, or should we punt this to some gstreamer-* now? Thanks, Ron
Bug#590521: marked as done (gtk2-engines-qtcurve: modifies iceweasel configuration file)
Your message dated Wed, 06 Oct 2010 12:32:33 + with message-id and subject line Bug#590521: fixed in gtk2-engines-qtcurve 1.6.4-1 has caused the Debian Bug report #590521, regarding gtk2-engines-qtcurve: modifies iceweasel configuration file to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 590521: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590521 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: gtk2-engines-qtcurve Version: 1.5.1-1 Severity: serious Justification: squeeze RC policy section 3 The ~/.mozilla/firefox/*.default/chrome/userChrome.css file contains the following snippet: menubar > menu { color: #141312 !important; } menubar > menu[_moz-menuactive="true"][open="false"] { color: #141312 !important; } menubar > menu[_moz-menuactive="true"][open="true"] { color: #141312 !important; } /* MenuColors, Added by QtCurve -- do not remove */ Modifying another package's configuration file (except by an agreed upon API) is a severe violation of the Debian policy. Please stop adding the above snippet to userChrome.css. Please remove the snippets from the files they were added to or notify the affected users that they should do so manually. 
-- System Information: Debian Release: squeeze/sid APT prefers testing APT policy: (500, 'testing'), (400, 'unstable'), (300, 'experimental') Architecture: i386 (x86_64) Kernel: Linux 2.6.34-00165-gdab319b (SMP w/2 CPU cores) Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages gtk2-engines-qtcurve depends on: ii libatk1.0-0 1.30.0-1 The ATK accessibility toolkit ii libc6 2.11.2-2 Embedded GNU C Library: Shared lib ii libcairo2 1.8.10-4 The Cairo 2D vector graphics libra ii libfontconfig12.8.0-2.1 generic font configuration library ii libfreetype6 2.4.0-2FreeType 2 font engine, shared lib ii libglib2.0-0 2.24.1-1 The GLib library of C routines ii libgtk2.0-0 2.20.1-1 The GTK+ graphical user interface ii libpango1.0-0 1.28.1-1 Layout and rendering of internatio gtk2-engines-qtcurve recommends no packages. Versions of packages gtk2-engines-qtcurve suggests: pn kde-style-qtcurve (no description available) -- no debconf information --- End Message --- --- Begin Message --- Source: gtk2-engines-qtcurve Source-Version: 1.6.4-1 We believe that the bug you reported is fixed in the latest version of gtk2-engines-qtcurve, which is due to be installed in the Debian FTP archive: gtk2-engines-qtcurve_1.6.4-1.debian.tar.gz to main/g/gtk2-engines-qtcurve/gtk2-engines-qtcurve_1.6.4-1.debian.tar.gz gtk2-engines-qtcurve_1.6.4-1.dsc to main/g/gtk2-engines-qtcurve/gtk2-engines-qtcurve_1.6.4-1.dsc gtk2-engines-qtcurve_1.6.4-1_amd64.deb to main/g/gtk2-engines-qtcurve/gtk2-engines-qtcurve_1.6.4-1_amd64.deb gtk2-engines-qtcurve_1.6.4.orig.tar.bz2 to main/g/gtk2-engines-qtcurve/gtk2-engines-qtcurve_1.6.4.orig.tar.bz2 A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 590...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. 
Fathi Boudra (supplier of updated gtk2-engines-qtcurve package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Format: 1.8 Date: Wed, 06 Oct 2010 14:51:31 +0300 Source: gtk2-engines-qtcurve Binary: gtk2-engines-qtcurve Architecture: source amd64 Version: 1.6.4-1 Distribution: unstable Urgency: low Maintainer: Debian KDE Extras Team Changed-By: Fathi Boudra Description: gtk2-engines-qtcurve - This is a set of widget styles for Gtk2 based apps Closes: 590521 Changes: gtk2-engines-qtcurve (1.6.4-1) unstable; urgency=low . * New upstream release. . [ Alexander Reichle-Schmehl ] * Disable QTC_MODIFY_MOZILLA to not interfere with foreign configuration files. (Closes: #590521) Checksums-Sha1: 583ea30ea21a6e01f3108b9da8a283fbf45f7c86 1522 gtk2-engines-qtcurve_1.6.4-1.dsc 0b4b3e183183c5f7c92a4afa51541e84c1acdf8f 142767 gtk2-engines-qtcurve_1.6.4.orig.tar.bz2 cca9e82029c2c80edaccdb2d88073d29c8fff227 4096 gtk2-engines-qtcurve_1.6.4-1.debian.tar.gz 0652a8ecab
Bug#599284: marked as done (cduce: inconsistent assumption wit curl)
Your message dated Wed, 06 Oct 2010 14:27:53 +0200 with message-id <4cac6b49.3070...@dogguy.org> and subject line Re: Bug#599284: cduce: inconsistent assumption wit curl has caused the Debian Bug report #599284, regarding cduce: inconsistent assumption wit curl to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 599284: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599284 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: cduce Version: 0.5.3-2+b2 Severity: grave Justification: renders package unusable When trying to compile something with cduce, I get this: File "_none_", line 1, characters 0-1: Error: Files /usr/lib/ocaml/cduce/cduce_lib.cmxa and /usr/lib/ocaml/curl/curl.cmxa make inconsistent assumptions over interface Curl A binNMU should be scheduled to solve this bug. 
Regards Sylvain Le Gall -- System Information: Debian Release: squeeze/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 2.6.32-bpo.5-amd64 (SMP w/3 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages cduce depends on: ii libc62.11.2-6Embedded GNU C Library: Shared lib ii libcurl-ocaml-dev0.5.3-1 OCaml libcurl bindings (Developmen ii libcurl3-gnutls 7.21.1-1Multi-protocol file transfer libra ii libexpat-ocaml-dev 0.9.1+debian1-7 OCaml expat bindings ii libexpat12.0.1-7 XML parsing C library - runtime li ii libocamlnet-ocaml-dev2.2.9-8 OCaml application-level Internet l ii libpcre3 8.02-1.1Perl 5 Compatible Regular Expressi ii ocaml-nox [ocaml-nox-3.1 3.11.2-1ML implementation with a class-bas ii ocaml-ulex 1.1-2 OCaml lexer generator with Unicode cduce recommends no packages. cduce suggests no packages. -- no debconf information --- End Message --- --- Begin Message --- Version: 0.5.3-2+b3 On 10/06/2010 01:50 PM, Sylvain Le Gall wrote: When trying to compile something with cduce, I get this: File "_none_", line 1, characters 0-1: Error: Files /usr/lib/ocaml/cduce/cduce_lib.cmxa and /usr/lib/ocaml/curl/curl.cmxa make inconsistent assumptions over interface Curl A binNMU should be scheduled to solve this bug. I scheduled the binNMU. It will be (really) fixed in a few hours. Regards, -- Mehdi Dogguy مهدي الدڤي http://dogguy.org/ --- End Message ---
Bug#598896: no problems on my x201s
Hi #598896,

[ CCing kibi@ as my favourite intel-guru :) ]

FYI, ThinkPad X201s, Core i7 2GHz, Intel Corporation Core Processor Integrated Graphics Controller running 2.6.34 kernel here.

ii xserver-xorg 1:7.5+8
ii xserver-xorg-core 2:1.7.7-7
ii xserver-xorg-video-intel 2:2.12.0+shadow-2

python /usr/share/doc/python-visual/examples/doublependulum.py works just fine, no error message, performance is fine.

Can someone test this on non-Intel?

Regards
Evgeni
Bug#599224: marked as done (libqt4-dbus package does not depend on the dbus library)
Your message dated Wed, 06 Oct 2010 12:04:35 + with message-id and subject line Bug#599224: fixed in qt4-x11 4:4.6.3-3 has caused the Debian Bug report #599224, regarding libqt4-dbus package does not depend on the dbus library to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 599224: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599224 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: libqt4-dbus Version: 4:4.6.3-1 Severity: serious Hello, libqt4-dbus dlopens dbus library hence it does not get libdbus-1-3 dependency via shlibs. So either a manual dependency must be added or libQtDBus should link with libdbus-1 properly. -- System Information: Debian Release: squeeze/sid APT prefers unstable APT policy: (500, 'unstable'), (101, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 2.6.35-trunk-amd64 (SMP w/4 CPU cores) Locale: LANG=lt_LT.UTF-8, LC_CTYPE=lt_LT.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages libqt4-dbus depends on: ii libc6 2.11.2-6 Embedded GNU C Library: Shared lib ii libgcc1 1:4.4.5-1 GCC support library ii libqt4-xml4:4.6.3-2 Qt 4 XML module ii libqtcore44:4.6.3-2 Qt 4 core module ii libstdc++64.4.5-1The GNU Standard C++ Library v3 libqt4-dbus recommends no packages. libqt4-dbus suggests no packages. 
-- no debconf information --- End Message --- --- Begin Message --- Source: qt4-x11 Source-Version: 4:4.6.3-3 We believe that the bug you reported is fixed in the latest version of qt4-x11, which is due to be installed in the Debian FTP archive: libqt4-assistant_4.6.3-3_amd64.deb to main/q/qt4-x11/libqt4-assistant_4.6.3-3_amd64.deb libqt4-core_4.6.3-3_amd64.deb to main/q/qt4-x11/libqt4-core_4.6.3-3_amd64.deb libqt4-dbg_4.6.3-3_amd64.deb to main/q/qt4-x11/libqt4-dbg_4.6.3-3_amd64.deb libqt4-dbus_4.6.3-3_amd64.deb to main/q/qt4-x11/libqt4-dbus_4.6.3-3_amd64.deb libqt4-designer_4.6.3-3_amd64.deb to main/q/qt4-x11/libqt4-designer_4.6.3-3_amd64.deb libqt4-dev_4.6.3-3_amd64.deb to main/q/qt4-x11/libqt4-dev_4.6.3-3_amd64.deb libqt4-gui_4.6.3-3_amd64.deb to main/q/qt4-x11/libqt4-gui_4.6.3-3_amd64.deb libqt4-help_4.6.3-3_amd64.deb to main/q/qt4-x11/libqt4-help_4.6.3-3_amd64.deb libqt4-multimedia_4.6.3-3_amd64.deb to main/q/qt4-x11/libqt4-multimedia_4.6.3-3_amd64.deb libqt4-network_4.6.3-3_amd64.deb to main/q/qt4-x11/libqt4-network_4.6.3-3_amd64.deb libqt4-opengl-dev_4.6.3-3_amd64.deb to main/q/qt4-x11/libqt4-opengl-dev_4.6.3-3_amd64.deb libqt4-opengl_4.6.3-3_amd64.deb to main/q/qt4-x11/libqt4-opengl_4.6.3-3_amd64.deb libqt4-phonon_4.6.3-3_amd64.deb to main/q/qt4-x11/libqt4-phonon_4.6.3-3_amd64.deb libqt4-qt3support_4.6.3-3_amd64.deb to main/q/qt4-x11/libqt4-qt3support_4.6.3-3_amd64.deb libqt4-script_4.6.3-3_amd64.deb to main/q/qt4-x11/libqt4-script_4.6.3-3_amd64.deb libqt4-scripttools_4.6.3-3_amd64.deb to main/q/qt4-x11/libqt4-scripttools_4.6.3-3_amd64.deb libqt4-sql-ibase_4.6.3-3_amd64.deb to main/q/qt4-x11/libqt4-sql-ibase_4.6.3-3_amd64.deb libqt4-sql-mysql_4.6.3-3_amd64.deb to main/q/qt4-x11/libqt4-sql-mysql_4.6.3-3_amd64.deb libqt4-sql-odbc_4.6.3-3_amd64.deb to main/q/qt4-x11/libqt4-sql-odbc_4.6.3-3_amd64.deb libqt4-sql-psql_4.6.3-3_amd64.deb to main/q/qt4-x11/libqt4-sql-psql_4.6.3-3_amd64.deb libqt4-sql-sqlite2_4.6.3-3_amd64.deb to 
main/q/qt4-x11/libqt4-sql-sqlite2_4.6.3-3_amd64.deb libqt4-sql-sqlite_4.6.3-3_amd64.deb to main/q/qt4-x11/libqt4-sql-sqlite_4.6.3-3_amd64.deb libqt4-sql-tds_4.6.3-3_amd64.deb to main/q/qt4-x11/libqt4-sql-tds_4.6.3-3_amd64.deb libqt4-sql_4.6.3-3_amd64.deb to main/q/qt4-x11/libqt4-sql_4.6.3-3_amd64.deb libqt4-svg_4.6.3-3_amd64.deb to main/q/qt4-x11/libqt4-svg_4.6.3-3_amd64.deb libqt4-test_4.6.3-3_amd64.deb to main/q/qt4-x11/libqt4-test_4.6.3-3_amd64.deb libqt4-webkit-dbg_4.6.3-3_amd64.deb to main/q/qt4-x11/libqt4-webkit-dbg_4.6.3-3_amd64.deb libqt4-webkit_4.6.3-3_amd64.deb to main/q/qt4-x11/libqt4-webkit_4.6.3-3_amd64.deb libqt4-xml_4.6.3-3_amd64.deb to main/q/qt4-x11/libqt4-xml_4.6.3-3_amd64.deb libqt4-xmlpatterns-dbg_4.6.3-3_amd64.deb to main/q/qt4-x11/libqt4-xmlpatterns-dbg_4.6.3-3_amd64.deb libqt4-xmlpatterns_4.6.3-3_amd64.deb to main/q/qt4-x11/libqt4-xmlpatterns_4.6.3-3_amd64.deb libqtcore4_4.6.3-3_amd64.deb to main/q/qt4-x11/libqtcore4_4.6.3-3_amd64.deb libqtgui4_4.6.3-3_amd64.deb to main/q/qt4-x11/libqtgui4_4.6.3-3_amd64.deb qt4-demos-dbg_4.6.3-3_amd64.deb to main/q/qt4-x11/qt4-demos-dbg_4.6.3-3_
Bug#598303: tau: CVE-2010-3382: insecure library loading
On Wed, Oct 06, 2010 at 01:40:51PM +0200, Julien Cristau wrote:
>This makes absolutely no sense. "$TAUROOT/$TAUARCH/lib/$thebinding" is
>not empty.

I know that. I was talking about a general case where you have just one variable.

See the end of http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598549#35
Bug#599284: cduce: inconsistent assumption wit curl
Package: cduce Version: 0.5.3-2+b2 Severity: grave Justification: renders package unusable When trying to compile something with cduce, I get this: File "_none_", line 1, characters 0-1: Error: Files /usr/lib/ocaml/cduce/cduce_lib.cmxa and /usr/lib/ocaml/curl/curl.cmxa make inconsistent assumptions over interface Curl A binNMU should be scheduled to solve this bug. Regards Sylvain Le Gall -- System Information: Debian Release: squeeze/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 2.6.32-bpo.5-amd64 (SMP w/3 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages cduce depends on: ii libc62.11.2-6Embedded GNU C Library: Shared lib ii libcurl-ocaml-dev0.5.3-1 OCaml libcurl bindings (Developmen ii libcurl3-gnutls 7.21.1-1Multi-protocol file transfer libra ii libexpat-ocaml-dev 0.9.1+debian1-7 OCaml expat bindings ii libexpat12.0.1-7 XML parsing C library - runtime li ii libocamlnet-ocaml-dev2.2.9-8 OCaml application-level Internet l ii libpcre3 8.02-1.1Perl 5 Compatible Regular Expressi ii ocaml-nox [ocaml-nox-3.1 3.11.2-1ML implementation with a class-bas ii ocaml-ulex 1.1-2 OCaml lexer generator with Unicode cduce recommends no packages. cduce suggests no packages. -- no debconf information
Bug#598300: marked as done (qtcreator: CVE-2010-3374: insecure library loading)
Your message dated Wed, 06 Oct 2010 11:47:39 + with message-id and subject line Bug#598300: fixed in qtcreator 1.3.1-3 has caused the Debian Bug report #598300, regarding qtcreator: CVE-2010-3374: insecure library loading to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 598300: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598300 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: qtcreator Version: 1.3.1-2 Severity: grave Tags: security User: t...@security.debian.org Usertags: ldpath Hello, During a review of the Debian archive, I've found your package to contain a script that can be abused by an attacker to execute arbitrary code. The vulnerability is introduced by an insecure change to LD_LIBRARY_PATH, and environment variable used by ld.so(8) to look for libraries on a directory other than the standard paths. Vulnerable code follows: /usr/bin/qtcreator line 34: LD_LIBRARY_PATH="${libdir}/qtcreator:${LD_LIBRARY_PATH}" When there's an empty item on the colon-separated list of LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.) If the given script is executed from a directory where a potential, local, attacker can write files to, there's a chance to exploit this bug. This vulnerability has been assigned the CVE id CVE-2010-3374. Please make sure you mention it when fixing. Upstream is already aware of this issue. 
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3374 [1] http://security-tracker.debian.org/tracker/CVE-2010-3374 Sincerely, Raphael Geissert --- End Message --- --- Begin Message --- Source: qtcreator Source-Version: 1.3.1-3 We believe that the bug you reported is fixed in the latest version of qtcreator, which is due to be installed in the Debian FTP archive: qtcreator-doc_1.3.1-3_all.deb to main/q/qtcreator/qtcreator-doc_1.3.1-3_all.deb qtcreator_1.3.1-3.diff.gz to main/q/qtcreator/qtcreator_1.3.1-3.diff.gz qtcreator_1.3.1-3.dsc to main/q/qtcreator/qtcreator_1.3.1-3.dsc qtcreator_1.3.1-3_amd64.deb to main/q/qtcreator/qtcreator_1.3.1-3_amd64.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 598...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Fathi Boudra (supplier of updated qtcreator package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Format: 1.8 Date: Wed, 06 Oct 2010 14:12:22 +0300 Source: qtcreator Binary: qtcreator qtcreator-doc Architecture: source all amd64 Version: 1.3.1-3 Distribution: unstable Urgency: low Maintainer: Debian Qt/KDE Maintainers Changed-By: Fathi Boudra Description: qtcreator - lightweight integrated development environment (IDE) for Qt qtcreator-doc - documentation for Qt Creator IDE Closes: 598300 Changes: qtcreator (1.3.1-3) unstable; urgency=low . * CVE-2010-3374: fix insecure library loading. 
(Closes: #598300)
Bug#598303: tau: CVE-2010-3382: insecure library loading
On Wed, Oct 6, 2010 at 11:37:15 +, Aníbal Monsalve Salazar wrote:
> > Yay overengineering.
> >
> > What's wrong with a simple
> > export LD_LIBRARY_PATH="$TAUROOT/$TAUARCH/lib/$thebinding${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
> > ?
>
> In the general case where you have a $foo before
> ${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
> the result is not good if $foo is empty.
>
> See for example:
>
> set -x
> LD_LIBRARY_PATH="/lib";
> LD_LIBRARY_PATH="$foo${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
> + LD_LIBRARY_PATH=/lib
> + LD_LIBRARY_PATH=:/lib

This makes absolutely no sense. "$TAUROOT/$TAUARCH/lib/$thebinding" is not empty.

Cheers,
Julien
Bug#598303: tau: CVE-2010-3382: insecure library loading
> Yay overengineering.
>
> What's wrong with a simple
> export LD_LIBRARY_PATH="$TAUROOT/$TAUARCH/lib/$thebinding${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
> ?

In the general case where you have a $foo before
${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
the result is not good if $foo is empty.

See for example:

set -x
LD_LIBRARY_PATH="/lib";
LD_LIBRARY_PATH="$foo${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
+ LD_LIBRARY_PATH=/lib
+ LD_LIBRARY_PATH=:/lib
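The constructions argued over in this thread, compared on constructed inputs; this is an added example, not code from tau, bareftp or any message on this page. The function names and the sample directory /opt/app/lib are assumptions made for the illustration, and safe_prepend is the guard from the tau patch without its duplicate check.

```shell
#!/bin/sh
# Added illustration: how three ways of prepending a directory to a
# colon-separated library path behave when either side is empty.
# All function names and sample values below are constructed.

# has_empty_item LIST
# Succeeds when LIST contains an empty item (leading, trailing or doubled
# colon), which the bug reports say ld.so treats as the current directory.
# Assumption modelled here: a completely empty LIST holds no items at all.
has_empty_item() {
    case "$1" in
        "")          return 1 ;;
        :*|*:|*::*)  return 0 ;;
        *)           return 1 ;;
    esac
}

# naive_prepend DIR OLD
# The pattern flagged in the reports: the colon is always emitted.
naive_prepend() {
    printf '%s\n' "$1:$2"
}

# guarded_prepend DIR OLD
# The one-line form from the thread: the colon is emitted only when OLD
# is set and non-empty. An empty DIR still yields a leading colon.
guarded_prepend() {
    printf '%s\n' "$1${2:+:$2}"
}

# safe_prepend DIR OLD
# Also refuses to add an empty DIR, so neither side can create an
# empty item. An empty item already inside OLD is passed through.
safe_prepend() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1${2:+:$2}"
    else
        printf '%s\n' "$2"
    fi
}

# count_unsafe BUILDER
# Runs BUILDER over four constructed (DIR|OLD) pairs and prints how many
# of the resulting lists contain an empty item.
count_unsafe() {
    builder=$1
    unsafe=0
    while IFS='|' read -r dir old; do
        result=$("$builder" "$dir" "$old")
        if has_empty_item "$result"; then
            unsafe=$((unsafe + 1))
        fi
    done <<'EOF'
/opt/app/lib|
/opt/app/lib|/lib
|/lib
|
EOF
    printf '%s\n' "$unsafe"
}

# Stand-alone run: one summary line per construction.
for b in naive_prepend guarded_prepend safe_prepend; do
    printf '%-16s unsafe results: %s of 4\n' "$b" "$(count_unsafe "$b")"
done
```

The guarded form is sufficient whenever the prepended directory is a fixed, non-empty path; the extra check only matters when that directory comes from a variable that may be unset.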
Processed: Bug in liblatex-driver-perl fixed in revision 63420
Processing commands for cont...@bugs.debian.org: > tag 599251 + pending Bug #599251 [liblatex-driver-perl] FTBFS: waits for user input at "latex path [/usr/bin/latex]" Added tag(s) pending. > thanks Stopping processing here. Please contact me if you need assistance. -- 599251: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599251 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#599251: Bug in liblatex-driver-perl fixed in revision 63420
tag 599251 + pending thanks Some bugs are closed in revision 63420 by Salvatore Bonaccorso (carnil-guest) Commit message: Add accept-interactive-questions.patch patch to accept the questions asked in interactive mode (Closes: #599251).
Bug#598303: tau: CVE-2010-3382: insecure library loading
On Wed, Oct 6, 2010 at 10:43:08 +, Aníbal Monsalve Salazar wrote: > +--- a/tools/src/tauex.in 2007-05-19 09:04:55.0 +1000 > b/tools/src/tauex.in 2010-10-06 19:03:38.0 +1100 > +@@ -194,7 +194,31 @@ for c in $Counters ; do > + done > + > + > +-export LD_LIBRARY_PATH=$TAUROOT/$TAUARCH/lib/$theBinding:$LD_LIBRARY_PATH > ++add_dir() > ++{ > ++local dir > ++dir="$1"; > ++ > ++if [ -n "$dir" ] > ++then > ++case "$LD_LIBRARY_PATH" in > ++"$dir"|"$dir":*|*:"$dir"|*:"$dir":*) > ++# already already_in $LD_LIBRARY_PATH > ++;; > ++"") > ++# $LD_LIBRARY_PATH is empty, don't add a separator > ++LD_LIBRARY_PATH="$dir" > ++;; > ++*) > ++# add $dir > ++LD_LIBRARY_PATH="$dir":"$LD_LIBRARY_PATH" > ++;; > ++esac > ++fi > ++echo "$LD_LIBRARY_PATH" > ++} > ++ > ++export LD_LIBRARY_PATH="$( add_dir "$TAUROOT/$TAUARCH/lib/$theBinding" )" > + > + if [ $verbose = "true" ] ; then > + echo "Matching bindings: $bindings" > Yay overengineering. What's wrong with a simple export LD_LIBRARY_PATH="$TAUROOT/$TAUARCH/lib/$thebinding${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" ? Cheers, Julien signature.asc Description: Digital signature
Bug#598303: tau: CVE-2010-3382: insecure library loading
package tau tags 598303 + patch stop debdiff tau_2.16.4-1.3.dsc tau_2.16.4-1.4.dsc | diffstat debian/patches/06-598303-CVE-2010-3382-insecure-library-loading.diff | 59 ++ tau-2.16.4/debian/changelog |9 + tau-2.16.4/debian/patches/series |1 3 files changed, 69 insertions(+) debdiff tau_2.16.4-1.3.dsc tau_2.16.4-1.4.dsc diff -u tau-2.16.4/debian/changelog tau-2.16.4/debian/changelog --- tau-2.16.4/debian/changelog +++ tau-2.16.4/debian/changelog @@ -1,3 +1,12 @@ +tau (2.16.4-1.4) unstable; urgency=low + + * Non-maintainer upload. + * Fix CVE-2010-3382 insecure library loading +Add debian/patches/06-598303-CVE-2010-3382-insecure-library-loading.diff +Closes: 598303 + + -- Anibal Monsalve Salazar Wed, 06 Oct 2010 20:55:41 +1100 + tau (2.16.4-1.3) unstable; urgency=low * Non-maintainer upload diff -u tau-2.16.4/debian/patches/series tau-2.16.4/debian/patches/series --- tau-2.16.4/debian/patches/series +++ tau-2.16.4/debian/patches/series @@ -6,0 +7 @@ +06-598303-CVE-2010-3382-insecure-library-loading.diff only in patch2: unchanged: --- tau-2.16.4.orig/debian/patches/06-598303-CVE-2010-3382-insecure-library-loading.diff +++ tau-2.16.4/debian/patches/06-598303-CVE-2010-3382-insecure-library-loading.diff 
@@ -0,0 +1,59 @@ +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3382 +http://security-tracker.debian.org/tracker/CVE-2010-3382 +http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598303 + +Raphael Geissert have found that this package contains a script that +can be abused by an attacker to execute arbitrary code. + +The vulnerability is introduced by an insecure change to +LD_LIBRARY_PATH, and environment variable used by ld.so(8) to look for +libraries on a directory other than the standard paths. + +Vulnerable code follows: + +/usr/bin/tauex line 197: +export LD_LIBRARY_PATH=$TAUROOT/$TAUARCH/lib/$theBinding:$LD_LIBRARY_PATH + +When there's an empty item on the colon-separated list of +LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.) +If the given script is executed from a directory where a potential, +local, attacker can write files to, there's a chance to exploit this +bug. + +Patch by Anibal Monsalve Salazar + +--- a/tools/src/tauex.in 2007-05-19 09:04:55.0 +1000 b/tools/src/tauex.in 2010-10-06 19:03:38.0 +1100 +@@ -194,7 +194,31 @@ for c in $Counters ; do + done + + +-export LD_LIBRARY_PATH=$TAUROOT/$TAUARCH/lib/$theBinding:$LD_LIBRARY_PATH ++add_dir() ++{ ++local dir ++dir="$1"; ++ ++if [ -n "$dir" ] ++then ++case "$LD_LIBRARY_PATH" in ++"$dir"|"$dir":*|*:"$dir"|*:"$dir":*) ++# already already_in $LD_LIBRARY_PATH ++;; ++"") ++# $LD_LIBRARY_PATH is empty, don't add a separator ++LD_LIBRARY_PATH="$dir" ++;; ++*) ++# add $dir ++LD_LIBRARY_PATH="$dir":"$LD_LIBRARY_PATH" ++;; ++esac ++fi ++echo "$LD_LIBRARY_PATH" ++} ++ ++export LD_LIBRARY_PATH="$( add_dir "$TAUROOT/$TAUARCH/lib/$theBinding" )" + + if [ $verbose = "true" ] ; then + echo "Matching bindings: $bindings"
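Review bot: in the tauex.in hunk, the "*)" branch of add_dir() prepends "$dir" to whatever LD_LIBRARY_PATH already holds, and the first branch leaves the value untouched, so a value inherited with a leading, trailing or doubled colon still carries the empty item that the patch header says ld.so treats as the current directory; only the empty-variable case is closed. If that is the intended scope, say so in the patch header, otherwise drop empty items before prepending. Smaller points in the same hunk: the [ -n "$dir" ] guard cannot be false at the one call site, because the argument "$TAUROOT/$TAUARCH/lib/$theBinding" always contains the literal "/lib/"; the comment "# already already_in $LD_LIBRARY_PATH" has a doubled word; and the function relies on "local", which should be checked against the interpreter tauex.in declares, since the hunk does not show it.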
Processed: Re: Bug#598303: tau: CVE-2010-3382: insecure library loading
Processing commands for cont...@bugs.debian.org:
> package tau
Limiting to bugs with field 'package' containing at least one of 'tau'
Limit currently set to 'package':'tau'
> tags 598303 + patch
Bug #598303 [tau] tau: CVE-2010-3382: insecure library loading
Added tag(s) patch.
> stop
Stopping processing here.
Please contact me if you need assistance.
--
598303: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598303
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#582952: fixed in dash 0.5.5.1-6
Processing commands for cont...@bugs.debian.org:
> fixed 582952 dash/0.5.5.1-7
Bug #582952 [dash] dash / LINENO-support lets many package FTBFS
Bug #584096 [dash] dash as /bin/sh break autoconf/automake
Bug Marked as fixed in versions dash/0.5.5.1-7.
Bug Marked as fixed in versions dash/0.5.5.1-7.
> found 540685 dash/0.5.5.1-7
Bug #540685 [dash] dash: Patch to support LINENO
Bug Marked as found in versions dash/0.5.5.1-7; no longer marked as fixed in versions dash/0.5.5.1-7~exp0.
> quit
Stopping processing here.
Please contact me if you need assistance.
--
540685: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=540685
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#582952: fixed in dash 0.5.5.1-6
fixed 582952 dash/0.5.5.1-7
found 540685 dash/0.5.5.1-7
quit

Gerrit Pape wrote:
> dash (0.5.5.1-6) unstable; urgency=high
[...]
>* debian/diff/0010-SHELL-Add-preliminary-LINENO-support.diff: remove
> (re-opens: #540685, closes: #582952).

That patch is also absent from 0.5.5.1-7, so marking #582952 fixed.
Bug#599251: FTBFS: waits for user input at "latex path [/usr/bin/latex]"
On Wed, 06 Oct 2010 13:11:24 +0300, Timo Juhani Lindfors wrote:
> > Ok, this is indeed not directly the cause. It's more how the ttprompt
> > in Makefile.PL works, in sbuild/chroot environment these will work
> > without waiting for confirmation and if we build it interactively it
> > waits for confirmation.
> Thanks! Is this ttprompt common in perl packages?

No, that's a hand-crafted function in the Makefile.PL of this package. ExtUtils::MakeMaker has prompt() which honours PERL_MM_USE_DEFAULT (which should be set in package builds via debhelper, IIRC). Cf. http://perldoc.perl.org/ExtUtils/MakeMaker.html#Other-Handy-Functions

I think in this case we can either
- patch Makefile.PL to set $ACCEPT to 1
- or patch Makefile.PL to use prompt()
- and/or set PERL_MM_USE_DEFAULT or patch Makefile.PL to honour PERL_MM_USE_DEFAULT

(I can't try now but I'm sure Salvatore will be quicker than me :))

Cheers, gregor
Bug#599251: FTBFS: waits for user input at "latex path [/usr/bin/latex]"
Salvatore Bonaccorso writes:
> Ok, this is indeed not directly the cause. It's more how the ttprompt
> in Makefile.PL works, in sbuild/chroot environment these will work
> without waiting for confirmation and if we build it interactively it
> waits for confirmation.
>
> I will prepare the fix and ask for release team then for the unblock.

Thanks! Is this ttprompt common in perl packages?
Processed: Re: passenger-doc: Package is empty
Processing commands for cont...@bugs.debian.org:
> tags 599024 + patch
Bug #599024 [passenger-doc] passenger-doc: Package is empty
Added tag(s) patch.
> thanks
Stopping processing here.
Please contact me if you need assistance.
--
599024: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599024
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#599024: passenger-doc: Package is empty
tags 599024 + patch thanks Hi, attached is a simple patch to fix the issue. cdbs tried to install the docs in the wrong (non-existing) package. Regards Evgeni diff -u passenger-2.2.11debian/debian/changelog passenger-2.2.11debian/debian/changelog --- passenger-2.2.11debian/debian/changelog +++ passenger-2.2.11debian/debian/changelog @@ -1,3 +1,10 @@ +passenger (2.2.11debian-1.1) unstable; urgency=low + + * Non-maintainer upload. + * Correctly install docs in passenger-doc (Closes: #599024) + + -- Evgeni Golov Wed, 06 Oct 2010 11:49:07 +0200 + passenger (2.2.11debian-1) unstable; urgency=low [ Paul van Tilburg ] diff -u passenger-2.2.11debian/debian/rules passenger-2.2.11debian/debian/rules --- passenger-2.2.11debian/debian/rules +++ passenger-2.2.11debian/debian/rules @@ -3,7 +3,7 @@ include /usr/share/cdbs/1/rules/debhelper.mk DEB_DH_INSTALL_SOURCEDIR := $(DEB_DESTDIR) -DEB_INSTALL_DOCS_phusion_passenger-doc += DEVELOPERS.TXT $(DEB_DESTDIR)/usr/share/doc/phusion_passenger/ +DEB_INSTALL_DOCS_passenger-doc += DEVELOPERS.TXT $(DEB_DESTDIR)/usr/share/doc/phusion_passenger/ DEB_INSTALL_MANPAGES_libapache2-mod-passenger += man/* bindir = usr/bin
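Review bot: on the added DEB_INSTALL_DOCS_passenger-doc line in debian/rules, the variable suffix now reads passenger-doc while the path argument still reads phusion_passenger, and nothing in the file says that these are two different kinds of name. A one-line comment above it stating that the suffix must be the binary package name, which is what the old phusion_passenger-doc spelling got wrong, would keep a later cleanup from changing it back.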
Processed: Re: Bug#599251: FTBFS: waits for user input at "latex path [/usr/bin/latex]"
Processing commands for cont...@bugs.debian.org:
> tag 599251 + confirmed
Bug #599251 [liblatex-driver-perl] FTBFS: waits for user input at "latex path [/usr/bin/latex]"
Added tag(s) confirmed.
> thanks
Stopping processing here.
Please contact me if you need assistance.
--
599251: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599251
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#599251: FTBFS: waits for user input at "latex path [/usr/bin/latex]"
tag 599251 + confirmed thanks Hi Timo On Wed, Oct 06, 2010 at 10:57:55AM +0200, Salvatore Bonaccorso wrote: > Hi Timo > > On Wed, Oct 06, 2010 at 09:50:23AM +0300, Timo Juhani Lindfors wrote: > > Package: liblatex-driver-perl > > Version: 0.08-1 > > Severity: serious > > Justification: policy 4.9: "all _required targets_ must be non-interactive." > > > > Steps to reproduce: > > 1) sudo apt-get build-dep liblatex-driver-perl > > 2) fakeroot apt-get --build source liblatex-driver-perl > > > > Expected results: > > 2) liblatex-driver-perl builds > > > > Actual results: > > 2) build stops and waits for user input: > > > > dpkg-buildpackage: export CFLAGS from dpkg-buildflags (origin: vendor): -g > > -O2 > > dpkg-buildpackage: export CPPFLAGS from dpkg-buildflags (origin: vendor): > > dpkg-buildpackage: export CXXFLAGS from dpkg-buildflags (origin: vendor): > > -g -O2 > > dpkg-buildpackage: export FFLAGS from dpkg-buildflags (origin: vendor): -g > > -O2 > > dpkg-buildpackage: export LDFLAGS from dpkg-buildflags (origin: vendor): > > dpkg-buildpackage: source package liblatex-driver-perl > > dpkg-buildpackage: source version 0.08-1 > > dpkg-buildpackage: source changed by Salvatore Bonaccorso > > > > dpkg-buildpackage: host architecture amd64 > > dpkg-source --before-build liblatex-driver-perl-0.08 > > debian/rules clean > > dh --with quilt clean > >dh_testdir > >dh_auto_clean > >dh_quilt_unpatch > > No patch removed > >dh_clean > > debian/rules build > > dh --with quilt build > >dh_testdir > >dh_quilt_patch > > Applying patch fix-manpage-has-bad-whatis-entry.patch > > patching file lib/LaTeX/Driver/FilterProgram.pm > > patching file lib/LaTeX/Driver/Paths.pm > > > > Applying patch fix-manpage-latex2ps.patch > > patching file scripts/latex2ps > > > > Applying patch fix-manpage-latex2pdf.patch > > patching file scripts/latex2pdf > > > > Applying patch fix-manpage-latex2dvi.patch > > patching file scripts/latex2dvi > > > > Now at patch fix-manpage-latex2dvi.patch > 
>dh_auto_configure > > > > LaTeX::Driver v0.08 > > --- > > > > LaTeX::Driver runs either the 'latex' or 'pdflatex' command on a LaTeX > > document. If unresolved cross references, bibliographic references or > > index definitions are found then 'bibtex' or 'makeindex' will be run > > as appropriate and 'latex' or 'pdflatex' re-run as necessary. The > > output will be postprocessed with the 'dvips' and 'ps2pdf' programs if > > necessary to create PDF, DVI or PostScript documents. > > > > To use the module you will first need to install LaTeX on your system > > and make sure the above programs are available. Answer the following > > questions to confirm their locations, then run 'make', 'make test' and > > 'make install'. > > > > latex path [/usr/bin/latex] > > Thanks for the bugreport. I was not able to reproduce in my sbuild > setup. But I will have a further look soon. There was a rename of > package texlive-base-bin to texlive-binaries. I will look if this was > the cause here.
Ok, this is indeed not directly the cause. It's more how the ttprompt in Makefile.PL works, in sbuild/chroot environment these will work without waiting for confirmation and if we build it interactively it waits for confirmation.
I will prepare the fix and ask for release team then for the unblock.
Bests Salvatore
Bug#599251: FTBFS: waits for user input at "latex path [/usr/bin/latex]"
Hi Timo On Wed, Oct 06, 2010 at 09:50:23AM +0300, Timo Juhani Lindfors wrote: > Package: liblatex-driver-perl > Version: 0.08-1 > Severity: serious > Justification: policy 4.9: "all _required targets_ must be non-interactive." > > Steps to reproduce: > 1) sudo apt-get build-dep liblatex-driver-perl > 2) fakeroot apt-get --build source liblatex-driver-perl > > Expected results: > 2) liblatex-driver-perl builds > > Actual results: > 2) build stops and waits for user input: > > dpkg-buildpackage: export CFLAGS from dpkg-buildflags (origin: vendor): -g -O2 > dpkg-buildpackage: export CPPFLAGS from dpkg-buildflags (origin: vendor): > dpkg-buildpackage: export CXXFLAGS from dpkg-buildflags (origin: vendor): -g > -O2 > dpkg-buildpackage: export FFLAGS from dpkg-buildflags (origin: vendor): -g -O2 > dpkg-buildpackage: export LDFLAGS from dpkg-buildflags (origin: vendor): > dpkg-buildpackage: source package liblatex-driver-perl > dpkg-buildpackage: source version 0.08-1 > dpkg-buildpackage: source changed by Salvatore Bonaccorso > > dpkg-buildpackage: host architecture amd64 > dpkg-source --before-build liblatex-driver-perl-0.08 > debian/rules clean > dh --with quilt clean >dh_testdir >dh_auto_clean >dh_quilt_unpatch > No patch removed >dh_clean > debian/rules build > dh --with quilt build >dh_testdir >dh_quilt_patch > Applying patch fix-manpage-has-bad-whatis-entry.patch > patching file lib/LaTeX/Driver/FilterProgram.pm > patching file lib/LaTeX/Driver/Paths.pm > > Applying patch fix-manpage-latex2ps.patch > patching file scripts/latex2ps > > Applying patch fix-manpage-latex2pdf.patch > patching file scripts/latex2pdf > > Applying patch fix-manpage-latex2dvi.patch > patching file scripts/latex2dvi > > Now at patch fix-manpage-latex2dvi.patch >dh_auto_configure > > LaTeX::Driver v0.08 > --- > > LaTeX::Driver runs either the 'latex' or 'pdflatex' command on a LaTeX > document. 
If unresolved cross references, bibliographic references or > index definitions are found then 'bibtex' or 'makeindex' will be run > as appropriate and 'latex' or 'pdflatex' re-run as necessary. The > output will be postprocessed with the 'dvips' and 'ps2pdf' programs if > necessary to create PDF, DVI or PostScript documents. > > To use the module you will first need to install LaTeX on your system > and make sure the above programs are available. Answer the following > questions to confirm their locations, then run 'make', 'make test' and > 'make install'. > > latex path [/usr/bin/latex]
Thanks for the bugreport. I was not able to reproduce in my sbuild setup. But I will have a further look soon. There was a rename of package texlive-base-bin to texlive-binaries. I will look if this was the cause here.
Bests Salvatore
Bug#599262: usbip: After detach remote usb device the system is unusable
Package: usbip
Version: 0.1.7-3
Justification: breaks the whole system
Severity: critical

After detach of the remote usb device (physical or via "usbip -d 0") the system freezes and the only solution is a hardware reset. In the kernel log this message is located:

vhci_rx : ***ERROR*** (/tmp/buildd/linux-2.6-2.6.32/debian/build/source_amd64_none/drivers/staging/usbip/vhci_rx.c,208) vhci_rx_pdu: receiving pdu failed! size is 0, should be 48

A little googling gives a relation with bugzilla.kernel.org 13054

-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages usbip depends on:
ii libc6 2.11.2-6 Embedded GNU C Library: Shared lib
ii libglib2.0-0 2.24.2-1 The GLib library of C routines
ii libsysfs2 2.1.0-6 interface library to sysfs
ii libusbip0 0.1.7-3 USB device sharing system over IP
ii usbutils 0.87-5 Linux USB utilities

usbip recommends no packages.
usbip suggests no packages.

-- no debconf information
Bug#599258: qmk-groundstation: not ready for Debian Stable
Package: qmk-groundstation
Version: 1.0.1-2
Severity: serious
Tags: l10n upstream

qmk-groundstation is not ready for stable because its UI is in German only and has no i18n, not even for English. Apart from that its full functionality can not be used with current Mikrokopter Firmware versions. Upstream is not developing it anymore since about one year, in the meanwhile it has been superseded by qmk-tools.

-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing'), (190, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.36-rc6-s710+ (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages qmk-groundstation depends on:
ii libc6 2.11.2-6 Embedded GNU C Library: Shared lib
ii libgcc1 1:4.4.4-8 GCC support library
ii libqt4-network 4:4.6.3-1+b1 Qt 4 network module
ii libqt4-xml 4:4.6.3-1+b1 Qt 4 XML module
ii libqtcore4 4:4.6.3-1+b1 Qt 4 core module
ii libqtgui4 4:4.6.3-1+b1 Qt 4 GUI module
ii libqwt5-qt4 5.2.0-1 Qt4 widgets library for technical
ii libstdc++6 4.4.4-8 The GNU Standard C++ Library v3

Versions of packages qmk-groundstation recommends:
ii avrdude 5.10-3 software for programming Atmel AVR

qmk-groundstation suggests no packages.
Bug#599256: mandos: FTBFS on kfreebsd-*: 'ELIBBAD' undeclared
Source: mandos
Version: 1.2.1-3
Severity: serious
Justification: FTBFS
User: debian-...@lists.debian.org
Usertags: kfreebsd

Hi,

your package no longer builds on kfreebsd-*:
| plugins.d/splashy.c: In function 'main':
| plugins.d/splashy.c:317: error: 'ELIBBAD' undeclared (first use in this function)
| plugins.d/splashy.c:317: error: (Each undeclared identifier is reported only once
| plugins.d/splashy.c:317: error: for each function it appears in.)
| make[1]: *** [plugins.d/splashy] Error 1

Full build logs: https://buildd.debian.org/status/package.php?p=mandos&suite=experimental

Mraw, KiBi.
Bug#591976: Embedded chart_library/*.swf in Jifty::Plugin::Chart
On Tuesday 05 October 2010 at 21:30 -0300, David Bremner wrote:
> Hi Raphael;
>
> Thanks for finding this. As far as I can tell, the flash wrapped by this
> module is not actually available in source form. It seems to be a copy of
> the library
>
>http://www.maani.us/xml_charts/index.php
>
> Since the package has only a popcon of 5, I lean towards just removing
> it from the archive.
>
> Yves, I've copied you on this report in case you can shed any light on
> where the files under share/web/static/flash/xmlswf come from, and if
> the source for these files is available.

Thanks for your advice David

I'm not the main author of this package. I'm just the cpan packager. So, this is my small light:

On http://www.maani.us/xml_charts/index.php?menu=Download
The tgz file package contains in "resources" directory some .fla files, which look like flash source files. But they are not text files and I can't build flash files. Moreover the current embedded library (certainly a 4.x version) doesn't seem downloadable and current licence is not clear but doesn't really look free.

Maybe just lib/Jifty/Plugin/Chart/Renderer/XMLSWF.pm and share/web/static/flash/xmlswf/ can be removed from the package, other renderers are useful and free :)

Thanks to the smart debian packager for this work. (I don't have a lot of time to help currently on debian packaging :-/ )

> All the best,
>
> David Bremner
> Debian Perl Team

AGOSTINI Yves
CRI - Université Paul Verlaine - Metz
Processed: unarchiving and reopening 591548
Processing commands for cont...@bugs.debian.org:
> unarchive 591548
Bug #591548 {Done: Ben Pfaff } [autoconf] autoconf breaks unfixed versions of pkg-config
Unarchived Bug 591548
> reopen 591548
Bug #591548 {Done: Ben Pfaff } [autoconf] autoconf breaks unfixed versions of pkg-config
'reopen' may be inappropriate when a bug has been closed with a version; you may need to use 'found' to remove fixed versions.
> thanks
Stopping processing here.
Please contact me if you need assistance.
--
591548: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=591548
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#546528: [PATCH] make dash's preinst a C binary
Hi Raphael!

Some quick questions about dash.preinst:

1. The diversions for /bin/sh and /usr/share/man/sh.1.gz are handled separately. Is that intentional? What is supposed to happen if someone diverts /bin/sh but not the manpage (for example because a maintainer script was interrupted)?

2. The preinst is not idempotent: if interrupted between the dpkg-divert and cp steps, for example, the cp step will never run. Is that fixable? dpkg-divert --rename seems to have the same (timing-dependent) bug, fwiw.

3. If dash diverts /bin/sh, then bash's /bin/sh will be diverted at unpack time: no file conflict. If bash diverts /bin/sh, then dash's /bin/sh will be diverted at unpack time: still no file conflict. But what if the sysadmin diverts /bin/sh with --local? Won't this prevent dash from providing a diversion and cause file conflicts?

Looking forward to your thoughts,
Jonathan