Bug#702260: marked as done (libxml2: CVE-2013-0338 CVE-2013-0339)
Your message dated Wed, 27 Mar 2013 06:32:05 + with message-id e1ukju1-0006m9...@franck.debian.org and subject line Bug#702260: fixed in libxml2 2.7.8.dfsg-2+squeeze7 has caused the Debian Bug report #702260, regarding libxml2: CVE-2013-0338 CVE-2013-0339 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
702260: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702260
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: libxml2
Severity: grave
Tags: security
Justification: user security hole

Please see the Red Hat Bugzilla entries for more details:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0338
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0339

Patch: http://git.gnome.org/browse/libxml2/commit/?id=23f05e0c33987d6605387b300c4be5da2120a7ab

Cheers,
Moritz
---End Message---

---BeginMessage---
Source: libxml2
Source-Version: 2.7.8.dfsg-2+squeeze7

We believe that the bug you reported is fixed in the latest version of libxml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 702...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert mgilb...@debian.org (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org)

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Mon, 25 Mar 2013 23:52:58 +
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-dev libxml2-dbg libxml2-doc python-libxml2 python-libxml2-dbg
Architecture: source amd64 all
Version: 2.7.8.dfsg-2+squeeze7
Distribution: stable-security
Urgency: high
Maintainer: Debian XML/SGML Group debian-xml-sgml-p...@lists.alioth.debian.org
Changed-By: Michael Gilbert mgilb...@debian.org
Description:
 libxml2 - GNOME XML library
 libxml2-dbg - Debugging symbols for the GNOME XML library
 libxml2-dev - Development files for the GNOME XML library
 libxml2-doc - Documentation for the GNOME XML library
 libxml2-utils - XML utilities
 python-libxml2 - Python bindings for the GNOME XML library
 python-libxml2-dbg - Python bindings for the GNOME XML library (debug extension)
Closes: 702260
Changes:
 libxml2 (2.7.8.dfsg-2+squeeze7) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix cve-2013-0338 and cve-2013-0339: large memory consumption issues when performing string substitution during entity expansion (closes: #702260).
Bug#704042: CVE-2013-1892 -- mongodb: Remote shell access via run method's use of native_helper
Package: mongodb
Severity: grave
Tags: security

Dear Maintainer,

Please see here for details [1] and a link to the upstream commit [2]:

[1] https://security-tracker.debian.org/tracker/CVE-2013-1892
[2] https://jira.mongodb.org/browse/SERVER-9124

Regards
-- 
Prach Pongpanich

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#703146: Better debootstrap InRelease handling fix
On Wed, Mar 27, 2013 at 12:53:44AM +0100, Bernhard R. Link wrote:
Sorry, but this is not enough to properly extract the contents of an inline signed message. You still need to do possible unescaping between those lines.

Is the unescaping part necessary for InRelease files? What are the rules for this?

Bastian

-- 
Another Armenia, Belgium ... the weak innocents who always seem to be located on a natural invasion route.
-- Kirk, Errand of Mercy, stardate 3198.4
Processed: Re: TLS timing attack in yaSSL (Lucky 13)
Processing control commands:

tags -1 +patch
Bug #699886 [mysql-5.5] TLS timing attack in yaSSL (Lucky 13)
Added tag(s) patch.

-- 
699886: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699886
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#699886: TLS timing attack in yaSSL (Lucky 13)
Control: tags -1 +patch

Hi Thijs,

Thijs Kinkhorst th...@debian.org writes:
Nadhem Alfardan and Kenny Paterson have discovered a weakness in the handling of CBC ciphersuites in SSL, TLS and DTLS. Their attack exploits timing differences arising during MAC processing. Details of this attack can be found at: http://www.isg.rhul.ac.uk/tls/

The issue has been fixed in upstream yaSSL 2.5.0: http://www.yassl.com/yaSSL/Docs-cyassl-changelog.html

Currently, MySQL uses yaSSL 2.2.2.

yaSSL has released version 2.2.2d which addresses this problem.

I downloaded yassl-2.2.2.zip from http://fossies.org/unix/privat/yassl-2.2.2.zip and yassl-2.2.2d.zip from http://yassl.com/yaSSL/download

I then created a git repo in 2.2.2 and copied over the files from 2.2.2d. The following files differ:

$ git status | grep 'modified' | grep -v '\.in$' | grep -v '\(INSTALL\|README\|aclocal.m4\|config.guess\|config.sub\|configure\|depcomp\|install-sh\|ltmain.sh\|missing\|mkinstalldirs\)'
# modified: include/openssl/ssl.h
# modified: include/yassl_error.hpp
# modified: include/yassl_types.hpp
# modified: src/handshake.cpp
# modified: src/yassl_error.cpp
# modified: src/yassl_imp.cpp
# modified: taocrypt/include/asn.hpp
# modified: taocrypt/include/sha.hpp
# modified: taocrypt/src/asn.cpp

I then created a patch and modified it so that it (somewhat) applies to the MySQL source (the redirect into yassl.patch was lost in the archived copy and is restored here):

git diff include/openssl/ssl.h include/yassl_error.hpp include/yassl_types.hpp src/handshake.cpp src/yassl_error.cpp src/yassl_imp.cpp taocrypt/include/asn.hpp taocrypt/include/sha.hpp taocrypt/src/asn.cpp > yassl.patch
sed -i 's,\([iw]\)/,\1/extra/yassl/,g' yassl.patch
dos2unix yassl.patch

Then, I used quilt to get the patch in shape:

cd /tmp/mysql-5.5-5.5.30+dfsg
export QUILT_PATCHES=debian/patches
quilt import ../yassl-2.2.2/yassl.patch
quilt push -f
# apply 4 hunks of the patch manually
quilt refresh

I attached the result to this email, hopefully that helps. Note that I didn’t compile and test MySQL.
-- Best regards, Michael Index: mysql-5.5-5.5.30+dfsg/extra/yassl/include/openssl/ssl.h === --- mysql-5.5-5.5.30+dfsg.orig/extra/yassl/include/openssl/ssl.h 2013-03-27 10:56:31.0 +0100 +++ mysql-5.5-5.5.30+dfsg/extra/yassl/include/openssl/ssl.h 2013-03-27 10:58:30.861636193 +0100 @@ -35,7 +35,7 @@ #include rsa.h -#define YASSL_VERSION 2.2.2 +#define YASSL_VERSION 2.2.2d #if defined(__cplusplus) Index: mysql-5.5-5.5.30+dfsg/extra/yassl/include/yassl_error.hpp === --- mysql-5.5-5.5.30+dfsg.orig/extra/yassl/include/yassl_error.hpp 2013-03-27 10:56:31.0 +0100 +++ mysql-5.5-5.5.30+dfsg/extra/yassl/include/yassl_error.hpp 2013-03-27 10:58:30.861636193 +0100 @@ -53,7 +53,8 @@ badVersion_error= 117, compress_error = 118, decompress_error= 119, -pms_version_error = 120 +pms_version_error = 120, +sanityCipher_error = 121 // add error message to .cpp Index: mysql-5.5-5.5.30+dfsg/extra/yassl/include/yassl_types.hpp === --- mysql-5.5-5.5.30+dfsg.orig/extra/yassl/include/yassl_types.hpp 2013-03-27 10:56:31.0 +0100 +++ mysql-5.5-5.5.30+dfsg/extra/yassl/include/yassl_types.hpp 2013-03-27 10:58:30.861636193 +0100 @@ -220,7 +220,11 @@ const int MAX_RECORD_SIZE = 16384; // 2^14, max size by standard const int COMPRESS_EXTRA= 1024; // extra compression possible addition const int SESSION_FLUSH_COUNT = 256; // when to flush session cache - +const int MAX_PAD_SIZE= 256; // max TLS padding size +const int COMPRESS_CONSTANT = 13; // compression calculation constant +const int COMPRESS_UPPER = 55; // compression calculation numerator +const int COMPRESS_LOWER = 64; // compression calculation denominator +const int COMPRESS_DUMMY_SIZE = 64; // compression dummy round size typedef uint8 Cipher; // first byte is always 0x00 for SSLv3 TLS Index: mysql-5.5-5.5.30+dfsg/extra/yassl/src/handshake.cpp === --- mysql-5.5-5.5.30+dfsg.orig/extra/yassl/src/handshake.cpp 2013-03-27 10:56:31.0 +0100 +++ mysql-5.5-5.5.30+dfsg/extra/yassl/src/handshake.cpp 2013-03-27 11:00:12.856176496 +0100 
@@ -221,12 +221,45 @@ } +// sanity checks on encrypted message size +static int sanity_check_message(SSL ssl, uint msgSz) +{ +uint minSz = 0; + +if (ssl.getSecurity().get_parms().cipher_type_ == block) { +uint blockSz = ssl.getCrypto().get_cipher().get_blockSize(); +if (msgSz % blockSz) +return -1; + +minSz = ssl.getSecurity().get_parms().hash_size_ + 1; // pad byte too +if (blockSz minSz) +minSz = blockSz; + +if (ssl.isTLSv1_1()) +
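Review bot: the new `sanityCipher_error = 121 // add error message to .cpp` entry in the yassl_error.hpp hunk points at a matching message in yassl_error.cpp, but that file's hunk is not in this excerpt; confirm the message table gains the entry so the new code cannot be reported through a lookup past the end of the table. In the handshake.cpp hunk, `sanity_check_message` rejects a block-cipher record whose `msgSz` is not a multiple of the block size and derives `minSz` from `hash_size_ + 1` (MAC plus one padding byte), which is the right shape for a Lucky 13 length check; since the submitter states the result was not compiled or tested, the patch should at least be built against mysql-5.5 and exercised with a CBC ciphersuite before upload, and the four manually applied hunks deserve a second look for misplaced context.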
Bug#703468: linux-image-3.2.0-4-amd64 fails to boot on apple iMac
Hi Geoff,

Geoff Crompton geo...@trinity.unimelb.edu.au writes:
I upgraded to the 3.2.39-2 package last night, and this morning my system wouldn't boot. I used Marco's advice in #551798 to set init=/bin/bash, and found the boot stopped after running /etc/rcS.d/S02udev.

Can you still reproduce this with linux-image-3.2.0-4-amd64 3.2.41-2 which recently entered the archive?

-- 
Best regards,
Michael
Bug#703919: marked as done (kvpm: When moving a disk partition, if another partition is mounted the data being moved may become corrupted.)
Your message dated Wed, 27 Mar 2013 10:32:39 + with message-id e1uknep-00055a...@franck.debian.org and subject line Bug#703919: fixed in kvpm 0.8.6-3 has caused the Debian Bug report #703919, regarding kvpm: When moving a disk partition, if another partition is mounted the data being moved may become corrupted. to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
703919: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703919
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: kvpm
Version: 0.8.6-3
Severity: critical
Tags: upstream patch
Justification: causes serious data loss

Dear Maintainer,

If a partition with data on it is moved by kvpm and that same disk has another partition which is mounted then sometimes the data on the moved partition is scrambled. Even the filesystem is gone. Unmounting the other partition is the only fix for the problem.
-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages kvpm depends on:
ii  kde-runtime         4:4.9.5-0r1
ii  libblkid1           2.20.1-5.3
ii  libc6               2.13-38
ii  libkdecore5         4:4.9.5-0r1
ii  libkdeui5           4:4.9.5-0r1
ii  libkio5             4:4.9.5-0r1
ii  liblvm2app2.2       2.02.98-1
ii  libparted0debian1   2.3-12
ii  libqtcore4          4:4.8.2+dfsg-11
ii  libqtgui4           4:4.8.2+dfsg-11
ii  libstdc++6          4.7.2-5

Versions of packages kvpm recommends:
ii  dosfstools          3.0.16-2
ii  jfsutils            1.1.15-2
ii  ntfs-3g             1:2013.1.13AR.1-2
ii  reiserfsprogs       1:3.6.21-1
ii  xfsprogs            3.1.9

Versions of packages kvpm suggests:
pn  btrfs-tools         none
pn  reiser4progs        none

-- no debconf information

This patch corrects a bug in which data is sometimes corrupted when moving a disk partition while the disk has other partitions mounted.

--- a/kvpm/partchange.cpp +++ b/kvpm/partchange.cpp
@@ -649,13 +649,8 @@ return false; } else { -if( !movefs(old_start, current_start, old_size) ){ -return false; -} -else{ -pedCommitAndWait(m_ped_disk); -return true; -} +pedCommitAndWait(m_ped_disk); + return movefs(old_start, current_start, old_size); } }
---End Message---

---BeginMessage---
Source: kvpm
Source-Version: 0.8.6-3

We believe that the bug you reported is fixed in the latest version of kvpm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 703...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Benjamin J. Scott bensc...@nwlink.com (supplier of updated kvpm package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org)

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sun, 24 Feb 2013 17:25:21 -0700
Source: kvpm
Binary: kvpm kvpm-dbg
Architecture: source amd64
Version: 0.8.6-3
Distribution: unstable
Urgency: critical
Maintainer: Benjamin J. Scott bensc...@nwlink.com
Changed-By: Benjamin J. Scott bensc...@nwlink.com
Description:
 kvpm - Logical volume manager and disk partitioner GUI based on KDE
 kvpm-dbg - kvpm's debugging symbols
Closes: 703919
Changes:
 kvpm (0.8.6-3) unstable; urgency=critical
 .
   [ Benjamin J. Scott ]
   * Changed file kvpm/partchange.cpp to fix potential data corruption bug when moving a partition on a disk with mounted partitions (Closes: #703919).
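Review bot: the reordered hunk in kvpm/partchange.cpp now calls `pedCommitAndWait(m_ped_disk)` before `movefs` copies the data, so the new partition boundaries are committed before the filesystem is relocated, but the commit's outcome is still not examined; if the commit fails, `movefs(old_start, current_start, old_size)` would proceed anyway and the function would report only the move's result. Suggest checking whether the commit succeeded before moving data, and dropping the stray leading space in `+ return movefs(old_start, current_start, old_size);` so the indentation matches the enclosing block.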
Bug#700169: non-free license: requires to obey US export regulation even, when not in the US
Hi Ansgar, Mattia,

Ansgar Burchardt ans...@debian.org writes:
I also checked the initial Debian package on snapshot.debian.org (version 20050930-1). It also has only the non-free license in the individual files, but states Dual GPLv2/ACPICA Licence in d/copyright. It also has the BSD-3-clause-or-GPL-2 bit in d/copyright. It's likely that it was already dual-licensed, but that this wasn't documented in the tarball itself. I'm not sure why they now have two tarballs instead of one with both licenses...

The GNU General Public License or via a separate license that may be more favorable to commercial OSVs (from the FAQ) seems also wrong given there are *three* licenses: the non-free one, a 3-clause BSD and the GPL-2

Well, according to https://github.com/acpica/acpica/commit/84b8d0fd, the dual-license tarballs are only available starting from version 20110211. That version can indeed be downloaded as unix2 tarball.

Mattia: is it reasonable to update this package to a newer version, based on one of the unix2 tarballs?

-- 
Best regards,
Michael
Bug#699852: Proposed debdiff
Hi Tino,

I am somewhat confused by what the status is for this bug report. Could you shed some light on this? Are you preparing the upload, do you need a sponsor, is there an unblock request to be filed?

-- 
Best regards,
Michael
Bug#703553: marked as done (src:furiusisomount: missing source for compiled gettext (.mo) files)
Your message dated Wed, 27 Mar 2013 11:32:29 + with message-id e1ukoaj-00065i...@franck.debian.org and subject line Bug#703553: fixed in furiusisomount 0.11.3.1~repack1-0.1 has caused the Debian Bug report #703553, regarding src:furiusisomount: missing source for compiled gettext (.mo) files to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
703553: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703553
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: src:furiusisomount
Version: 0.11.3.1~repack0-1
Severity: serious
Justification: missing source

The source package ships compiled translations (.mo) in a locale directory. But there are no .po files. Those files are not in preferred form for modification, so this is a violation of the GPL-3 they are shipped under and a violation of the DFSG.

Helmut
---End Message---

---BeginMessage---
Source: furiusisomount
Source-Version: 0.11.3.1~repack1-0.1

We believe that the bug you reported is fixed in the latest version of furiusisomount, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 703...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Serafeim Zanikolas s...@debian.org (supplier of updated furiusisomount package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org)

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 21 Mar 2013 23:29:40 +0100
Source: furiusisomount
Binary: furiusisomount
Architecture: source all
Version: 0.11.3.1~repack1-0.1
Distribution: unstable
Urgency: high
Maintainer: Alessio Treglia ales...@debian.org
Changed-By: Serafeim Zanikolas s...@debian.org
Description:
 furiusisomount - ISO, IMG, BIN, MDF and NRG image management utility
Closes: 703553
Changes:
 furiusisomount (0.11.3.1~repack1-0.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Repack upstream source to add missing .po files. Thanks to Prach Pongpanich prach...@gmail.com for the patch. Closes: #703553.
   * Set high urgency due to RC bug.
---End Message---
Bug#703146: Better debootstrap InRelease handling fix
Hi,

On Wednesday, 27 March 2013 at 00:53 +0100, Bernhard R. Link wrote:
* Benjamin Cama benjamin.c...@telecom-bretagne.eu [130326 18:33]:
index 1dc0f87..f44 100644 --- a/functions +++ b/functions @@ -530,8 +530,13 @@ download_release_sig () { warning KEYRING Cannot check Release signature; keyring file not available %s $KEYRING_WANTED fi if [ $release_file_variant = IN ]; then - rm -f $reldest -gpg --output $reldest --decrypt --keyring $KEYRING --ignore-time-conflict $relsigdest + sed -n '/^-BEGIN PGP SIGNED MESSAGE-$/ { \ + n \ + : check_hash /^Hash:/ { n b check_hash } \ + n # blank line \ + } \ + /^-BEGIN PGP SIGNATURE-$/ q \ + p' $relsigdest $reldest fi }
Sorry, but this is not enough to properly extract the contents of an inline signed message. You still need to do possible unescaping between those lines.

You are right. Furthermore, my version didn't work with GNU sed; the attached version fixes both problems (and is based on latest master, after Julien disabled InRelease support). Please note that it will still print what's _before_ the BEGIN header, if present (there shouldn't be anything, but if you really want to be picky…)

Regards,
-- 
Benjamin Cama benjamin.c...@telecom-bretagne.eu

From 38cc6948ad7caff1df5df17cf3a21eb4228e2eda Mon Sep 17 00:00:00 2001 From: Benjamin Cama benjamin.c...@telecom-bretagne.eu Date: Wed, 27 Mar 2013 12:51:56 +0100 Subject: [PATCH] Get back InRelease support We can extract the cleartext with sed. Should be compatible with RFC 4880 format. Signed-off-by: Benjamin Cama benjamin.c...@telecom-bretagne.eu --- functions | 50 ++ 1 files changed, 38 insertions(+), 12 deletions(-) diff --git a/functions b/functions index 2dc777d..7c7f84a 100644 --- a/functions +++ b/functions
@@ -503,38 +503,64 @@ download_release_sig () { local m1=$1 local reldest=$2 local relsigdest=$3 + local release_file_variant=$4 if [ -n $KEYRING ] [ -z $DISABLE_KEYRING ]; then - progress 0 100 DOWNRELSIG Downloading Release file signature - progress_next 50 - get $m1/dists/$SUITE/Release.gpg $relsigdest nocache || - error 1 NOGETRELSIG Failed getting release signature file %s \ - $m1/dists/$SUITE/Release.gpg - progress 50 100 DOWNRELSIG Downloading Release file signature + if [ $release_file_variant != IN ]; then + progress 0 100 DOWNRELSIG Downloading Release file signature + progress_next 50 + get $m1/dists/$SUITE/Release.gpg $relsigdest nocache || +error 1 NOGETRELSIG Failed getting release signature file %s \ +$m1/dists/$SUITE/Release.gpg + progress 50 100 DOWNRELSIG Downloading Release file signature + fi info RELEASESIG Checking Release signature # Don't worry about the exit status from gpgv; parsing the output will # take care of that. - (gpgv --status-fd 1 --keyring $KEYRING --ignore-time-conflict \ - $relsigdest $reldest || true) | read_gpg_status + if [ $release_file_variant = IN ]; then + (gpgv --status-fd 1 --keyring $KEYRING --ignore-time-conflict \ + $relsigdest || true) | read_gpg_status + else + (gpgv --status-fd 1 --keyring $KEYRING --ignore-time-conflict \ + $relsigdest $reldest || true) | read_gpg_status + fi progress 100 100 DOWNRELSIG Downloading Release file signature elif [ -z $DISABLE_KEYRING ] [ -n $KEYRING_WANTED ]; then warning KEYRING Cannot check Release signature; keyring file not available %s $KEYRING_WANTED fi + if [ $release_file_variant = IN ]; then + sed -n '/^-BEGIN PGP SIGNED MESSAGE-$/ { +n +: check_hash /^Hash:/ { n ; b check_hash } +n # blank line + } + s/^- // + /^-BEGIN PGP SIGNATURE-$/ q + p' $relsigdest $reldest + fi } download_release_indices () { local m1=${MIRRORS%% *} local reldest=$TARGET/$($DLDEST rel $SUITE $m1 dists/$SUITE/Release) + local inreldest=$TARGET/$($DLDEST rel $SUITE $m1 dists/$SUITE/InRelease) local 
relsigdest + local release_file_variant=IN progress 0 100 DOWNREL Downloading Release file progress_next 100 - get $m1/dists/$SUITE/Release $reldest nocache || - error 1 NOGETREL Failed getting release file %s $m1/dists/$SUITE/Release - relsigdest=$TARGET/$($DLDEST rel $SUITE $m1 dists/$SUITE/Release.gpg) + if get $m1/dists/$SUITE/InRelease $inreldest nocache; then + relsigdest=$inreldest + else + info RETRIEVING Failed to retrieve InRelease + get $m1/dists/$SUITE/Release $reldest nocache || + error 1 NOGETREL Failed getting release file %s $m1/dists/$SUITE/Release + release_file_variant=GPG + relsigdest=$TARGET/$($DLDEST rel $SUITE $m1 dists/$SUITE/Release.gpg) + fi progress 100 100 DOWNREL Downloading Release file - download_release_sig $m1 $reldest $relsigdest + download_release_sig $m1 $reldest
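Review bot: in the sed script of the download_release_sig hunk, `s/^- //` runs before the `/^-BEGIN PGP SIGNATURE-$/ q` test, so a signed line that is itself a dash-escaped signature header (stored as `- -BEGIN PGP SIGNATURE-` in the file) is un-escaped first and then stops extraction early, truncating the cleartext written to $reldest; put the `q` test ahead of the substitution. As the submitter notes, every line before the BEGIN PGP SIGNED MESSAGE header is also passed through by the final `p`; those bytes lie outside the signed region, so deleting them (a range delete from line 1 up to the header) keeps unsigned text out of $reldest at no extra cost. In the download_release_indices hunk, falling back to Release plus Release.gpg when InRelease cannot be fetched is the right direction, and logging that fallback at info level (`info RETRIEVING Failed to retrieve InRelease`) rather than as a warning matches it being a normal condition for older archives.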
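The cleartext extraction that the patch above performs with sed, written out as an added example (not debootstrap code and not part of Benjamin's patch): a POSIX sh function around awk that ignores anything before the BEGIN PGP SIGNED MESSAGE header, consumes the Hash: armor headers, tests for the signature block before undoing RFC 4880 dash-escaping, and is run on a constructed sample file whose signature block is a placeholder; the armor lines use the standard five-dash form.

```shell
#!/bin/sh
# Added example (not debootstrap code): recover the signed cleartext from an
# RFC 4880 cleartext-signed file such as InRelease. This recovers text only;
# signature verification (gpgv) must still be done separately.

extract_cleartext() {
    # $1: path to the cleartext-signed file; the cleartext goes to stdout.
    awk '
        # state 0: before the header, 1: armor headers, 2: signed text
        BEGIN { state = 0 }
        state == 0 {
            if ($0 == "-----BEGIN PGP SIGNED MESSAGE-----") state = 1
            next                       # anything before the header is not signed
        }
        state == 1 {
            if ($0 == "") state = 2    # RFC 4880 7: Hash headers, then one empty line
            next
        }
        # Test for the signature block BEFORE un-escaping: a signed line that
        # itself reads -----BEGIN PGP SIGNATURE----- arrives dash-escaped as
        # "- -----BEGIN PGP SIGNATURE-----" and must not end the cleartext.
        $0 == "-----BEGIN PGP SIGNATURE-----" { exit }
        {
            sub(/^- /, "")             # undo dash-escaping (RFC 4880 7.1)
            print
        }
    ' "$1"
}

write_sample_inrelease() {
    # Constructed sample for the demonstration; not a real Debian InRelease.
    # The signature block is a placeholder, so this file will not verify.
    cat > "$1" <<'EOF'
unsigned text before the header must be ignored
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Origin: Debian
Suite: stable
- -----BEGIN PGP SIGNATURE-----
- -- a dash-escaped line
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

PLACEHOLDER-SIGNATURE-DATA
-----END PGP SIGNATURE-----
EOF
}

# Stand-alone demonstration: write the sample, extract, clean up.
sample=$(mktemp)
write_sample_inrelease "$sample"
extract_cleartext "$sample"
rm -f "$sample"
```

The extracted text is only as trustworthy as the gpgv result on the same file; as in the patch, run the verification first and discard the cleartext when it fails.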
Processed: your mail
Processing commands for cont...@bugs.debian.org:

severity 703332 serious
Bug #703332 [libactiviz.net-cil] If they are API compatible you MUST generate and install a GAC policy file!
Severity set to 'serious' from 'normal'
thanks
Stopping processing here.

Please contact me if you need assistance.

-- 
703332: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703332
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#704042: CVE-2013-1892 -- mongodb: Remote shell access via run method's use of native_helper
tags 704042 patch tags 704042 upstream thanks I have extracted the two patches which have been committed by upstream to address the issue, attaching them. Will create a package ready for NMU later to help speed things up if desired. Cheers, Adrian -- .''`. John Paul Adrian Glaubitz : :' : Debian Developer - glaub...@debian.org `. `' Freie Universitaet Berlin - glaub...@physik.fu-berlin.de `-GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913 From 3c5c12f7d57ba1e44250d3e1734885a5cafaf8e2 Mon Sep 17 00:00:00 2001 From: Dan Pasette d...@10gen.com Date: Tue, 26 Mar 2013 16:52:39 -0400 Subject: [PATCH] SERVER-9124: Avoid raw pointers for SM's nativeHelper --- scripting/engine_spidermonkey.cpp | 116 + 1 file changed, 78 insertions(+), 38 deletions(-) diff --git a/scripting/engine_spidermonkey.cpp b/scripting/engine_spidermonkey.cpp index 64fe21c..e857b90 100644 --- a/scripting/engine_spidermonkey.cpp +++ b/scripting/engine_spidermonkey.cpp @@ -47,6 +47,9 @@ namespace mongo { } }; +typedef std::maplong long, NativeFunction FunctionMap; +typedef std::maplong long, void* ArgumentMap; + string trim( string s ) { while ( s.size() isspace( s[0] ) ) s = s.substr( 1 ); 
@@ -997,43 +1000,8 @@ namespace mongo { return JS_TRUE; } -JSBool native_helper( JSContext *cx , JSObject *obj , uintN argc, jsval *argv , jsval *rval ) { -Convertor c(cx); - -NativeFunction func = (NativeFunction)((long long)c.getNumber( obj , x ) ); -void* data = (void*)((long long)c.getNumber( obj , y ) ); -assert( func ); - -BSONObj a; -if ( argc 0 ) { -BSONObjBuilder args; -for ( uintN i=0; iargc; i++ ) { -c.append( args , args.numStr( i ) , argv[i] ); -} - -a = args.obj(); -} - -BSONObj out; -try { -out = func( a, data ); -} -catch ( std::exception e ) { -JS_ReportError( cx , e.what() ); -return JS_FALSE; -} - -if ( out.isEmpty() ) { -*rval = JSVAL_VOID; -} -else { -*rval = c.toval( out.firstElement() ); -} - -return JS_TRUE; -} - JSBool native_load( JSContext *cx , JSObject *obj , uintN argc, jsval *argv , jsval *rval ); +JSBool native_helper( JSContext *cx , JSObject *obj , uintN argc, jsval *argv , jsval *rval ); JSBool native_gc( JSContext *cx , JSObject *obj , uintN argc, jsval *argv , jsval *rval ) { JS_GC( cx ); @@ -1611,11 +1579,17 @@ namespace mongo { void injectNative( const char *field, NativeFunction func, void* data ) { smlock; string name = field; -_convertor-setProperty( _global , (name + _).c_str() , _convertor-toval( (double)(long long)func ) ); +long long funcId = static_castlong long(_functionMap.size()); +_functionMap.insert(make_pair(funcId, func)); +jsval v = _convertor-toval(funcId); +_convertor-setProperty(_global, (name + _).c_str(), v); stringstream code; if (data) { -_convertor-setProperty( _global , (name + _data_).c_str() , _convertor-toval( (double)(long long)data ) ); +long long argsId = static_castlong long(_argumentMap.size()); +_argumentMap.insert(make_pair(argsId, data)); +v = _convertor-toval(argsId); +_convertor-setProperty(_global, (name + _data_).c_str(), v); code field _ = { x : field _ , y: field _data_ }; ; } else { code field _ = { x : field _ }; ; 
@@ -1631,6 +1605,10 @@ namespace mongo { JSContext *SavedContext() const { return _context; } +// map from internal function id to function pointer +FunctionMap _functionMap; +// map from internal function argument id to function pointer +ArgumentMap _argumentMap; private: void _postCreateHacks() { @@ -1696,7 +1674,69 @@ namespace mongo { return JS_TRUE; } +JSBool native_helper( JSContext *cx , JSObject *obj , uintN argc, jsval *argv , jsval *rval ) { +try { +Convertor c(cx); + +// get function pointer from JS caller's argument property 'x' +massert(16735, nativeHelper argument requires object with 'x' property, +c.hasProperty(obj, x)); +FunctionMap::iterator funcIter = +currentScope-_functionMap.find(static_castlong long(c.getNumber(obj, x))); +massert(16734, JavaScript function not in map, +funcIter != currentScope-_functionMap.end()); +NativeFunction func = funcIter-second; +assert(func); + +// get data pointer from JS caller's argument
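Review bot: the comment added above `ArgumentMap _argumentMap` reads "map from internal function argument id to function pointer", but that map stores the `void*` data argument (see `_argumentMap.insert(make_pair(argsId, data))` in injectNative); change it to say data pointer so the two maps are not confused. The ids in injectNative come from `_functionMap.size()` and `_argumentMap.size()`, which stays collision-free only while entries are never erased; a comment stating that invariant, or a monotonically increasing counter, would make it explicit. The substance of the change, replacing the script-visible raw pointers in the `x` and `y` properties with indices that the new native_helper validates against the map via `massert(16734, ...)` before dereferencing, is the right fix for the reported issue.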
Processed: Re: CVE-2013-1892 -- mongodb: Remote shell access via run method's use of native_helper
Processing commands for cont...@bugs.debian.org: tags 704042 patch Bug #704042 [mongodb] CVE-2013-1892 -- mongodb: Remote shell access via run method's use of native_helper Added tag(s) patch. tags 704042 upstream Bug #704042 [mongodb] CVE-2013-1892 -- mongodb: Remote shell access via run method's use of native_helper Added tag(s) upstream. thanks Stopping processing here. Please contact me if you need assistance. -- 704042: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704042 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#704030: python-bcrypt: Upstream has released a security update.
tags 704030 patch thanks Hi, I created a patch from the upstream, see attached. Cheers, Adrian -- .''`. John Paul Adrian Glaubitz : :' : Debian Developer - glaub...@debian.org `. `' Freie Universitaet Berlin - glaub...@physik.fu-berlin.de `-GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913 changeset: 12:3bc365ff4373 user:Damien Miller d...@mindrot.org date:Tue Mar 19 07:17:53 2013 +1100 summary: Fix concurrency bug reported by Alan Fairless of spideroak.com: diff -r 79e29a6fdcd5 -r 3bc365ff4373 bcrypt/bcrypt.c --- a/bcrypt/bcrypt.c Tue Mar 19 07:13:52 2013 +1100 +++ b/bcrypt/bcrypt.c Tue Mar 19 07:17:53 2013 +1100 @@ -66,15 +66,12 @@ #define BCRYPT_BLOCKS 6 /* Ciphertext blocks */ #define BCRYPT_MINROUNDS 16 /* we have log2(rounds) in salt */ -char *pybc_bcrypt(const char *, const char *); +int pybc_bcrypt(const char *, const char *, char *, size_t); void encode_salt(char *, u_int8_t *, u_int16_t, u_int8_t); static void encode_base64(u_int8_t *, u_int8_t *, u_int16_t); static void decode_base64(u_int8_t *, u_int16_t, u_int8_t *); -static charencrypted[128]; -static charerror[] = :; - const static u_int8_t Base64Code[] = ./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789; @@ -146,8 +143,8 @@ /* We handle $Vers$log2(NumRounds)$salt+passwd$ i.e. $2$04$iwouldntknowwhattosayetKdJ6iFtacBqJdKe6aW7ou */ -char * -pybc_bcrypt(const char *key, const char *salt) +int +pybc_bcrypt(const char *key, const char *salt, char *result, size_t result_len) { pybc_blf_ctx state; u_int32_t rounds, i, k; @@ -157,14 +154,18 @@ u_int8_t csalt[BCRYPT_MAXSALT]; u_int32_t cdata[BCRYPT_BLOCKS]; int n; + char encrypted[128]; + size_t elen; + + /* Return the error marker unless otherwise specified */ + bzero(result, result_len); + *result = ':'; /* Discard $ identifier */ salt++; - if (*salt BCRYPT_VERSION) { - /* How do I handle errors ? Return ':' */ - return error; - } + if (*salt BCRYPT_VERSION) + return -1; /* Check for minor versions */ if (salt[1] != '$') { 
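Review bot: in the @@ -66,15 hunk, removing `static char encrypted[128]` and `static char error[] = ":"` is the substance of the fix: both were process-wide, and bcrypt_python.c releases the GIL around the call (Py_BEGIN_ALLOW_THREADS in the @@ -79 hunk), so two threads hashing concurrently could hand each other's result back to Python. That mechanism is worth spelling out in the summary line, which only says "Fix concurrency bug".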
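Review bot: in the @@ -157,14 hunk, `bzero(result, result_len); *result = ':';` writes the error marker before result_len is checked, so a caller passing result_len == 0 gets a one-byte write past its buffer; add `if (result_len == 0) return -1;` before the bzero. The only length check is in the @@ -249 hunk, after the hash has already been computed.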
@@ -175,7 +176,7 @@ salt++; break; default: - return error; + return -1; } } else minor = 0; @@ -185,21 +186,21 @@ if (salt[2] != '$') /* Out of sync with passwd entry */ - return error; + return -1; /* Computer power doesn't increase linear, 2^x should be fine */ n = atoi(salt); if (n 31 || n 0) - return error; + return -1; logr = (u_int8_t)n; if ((rounds = (u_int32_t) 1 logr) BCRYPT_MINROUNDS) - return error; + return -1; /* Discard num rounds + $ identifier */ salt += 3; if (strlen(salt) * 3 / 4 BCRYPT_MAXSALT) - return error; + return -1; /* We dont want the base64 salt but the raw data */ decode_base64(csalt, BCRYPT_MAXSALT, (u_int8_t *) salt); @@ -249,7 +250,14 @@ encode_base64((u_int8_t *) encrypted + i + 3, csalt, BCRYPT_MAXSALT); encode_base64((u_int8_t *) encrypted + strlen(encrypted), ciphertext, 4 * BCRYPT_BLOCKS - 1); - return encrypted; + elen = strlen(encrypted); + if (result_len = elen) { + bzero(encrypted, sizeof(encrypted)); + return -1; + } + memcpy(result, encrypted, elen + 1); + bzero(encrypted, sizeof(encrypted)); + return 0; } static void diff -r 79e29a6fdcd5 -r 3bc365ff4373 bcrypt/bcrypt_python.c --- a/bcrypt/bcrypt_python.c Tue Mar 19 07:13:52 2013 +1100 +++ b/bcrypt/bcrypt_python.c Tue Mar 19 07:17:53 2013 +1100 @@ -25,7 +25,7 @@ /* $Id$ */ /* Import */ -char *pybc_bcrypt(const char *, const char *); +int pybc_bcrypt(const char *, const char *, char *, size_t); void encode_salt(char *, u_int8_t *, u_int16_t, u_int8_t); PyDoc_STRVAR(bcrypt_encode_salt_doc, @@ -67,7 +67,8 @@ { static char *keywords[] = { password, salt, NULL }; char *password = NULL, *salt = NULL; - char *ret; + char hashed[128]; + int ret; char *password_copy; char *salt_copy; 
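Review bot: in the @@ -249,7 hunk, the `result_len <= elen` check (rendered here with the operator lost) correctly leaves room for the terminating NUL, and `encrypted` is wiped on both paths. Two points: the 128-byte size of `encrypted` is now repeated as `char hashed[128]` in the @@ -67 hunk of bcrypt_python.c, so give it one shared define and size the check against it; and with an int return value the ':' marker in the result is a second failure channel that callers will keep testing, so settle on one.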
@@ -79,21 +80,19 @@ salt_copy = strdup(salt); Py_BEGIN_ALLOW_THREADS; - ret = pybc_bcrypt(password_copy, salt_copy); + ret = pybc_bcrypt(password_copy, salt_copy, hashed, sizeof(hashed)); Py_END_ALLOW_THREADS; bzero(password_copy, strlen(password_copy)); free(password_copy); bzero(salt_copy, strlen(salt_copy)); free(salt_copy); - - if ((ret == NULL) || - strcmp(ret, :) == 0) { + if (ret != 0 || strcmp(hashed, :) == 0) { PyErr_SetString(PyExc_ValueError, Invalid salt); return NULL; } - return PyString_FromString(ret); + return PyString_FromString(hashed); } static PyMethodDef bcrypt_methods[] = {
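Review bot: in the @@ -79,21 hunk, `if (ret != 0 || strcmp(hashed, ":") == 0)` tests both the return code and the old sentinel; every error path in pybc_bcrypt now returns -1, so `ret != 0` alone is sufficient and makes the contract clearer. The message "Invalid salt" is also what a caller sees when the result buffer is too small, which is a bug in the caller rather than bad input; distinguishing the two would help debugging. Finally, `hashed` keeps the hash on the stack after PyString_FromString; harmless for a hash, but a bzero would match the treatment of password_copy and salt_copy.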
Processed: Re: python-bcrypt: Upstream has released a security update.
Processing commands for cont...@bugs.debian.org: tags 704030 patch Bug #704030 [python-bcrypt] python-bcrypt: CVE-2013-1895: concurrency issue leading to auth bypass Added tag(s) patch. thanks Stopping processing here. Please contact me if you need assistance. -- 704030: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704030 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
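What the static buffers in the patch above mean in practice, as an added example in C++ that is not py-bcrypt's code: a hash function that returns a pointer into one process-wide buffer hands every caller the same memory, so the next call overwrites the previous result; with the GIL released around the call, the next call can belong to another thread's login attempt. The example shows the clobbering serially, which is deterministic, where the real bug needed two threads to interleave. toy_digest is a constructed stand-in for the bcrypt core (it is not a password hash), hash_shared and hash_into are hypothetical names, and hash_into follows the patched pybc_bcrypt contract (caller-owned buffer, 0/-1 return, ':' marker) with a result_len == 0 guard added.

```cpp
// Added example (not py-bcrypt's code): a process-wide result buffer versus
// a caller-supplied one with the patched pybc_bcrypt error contract.
#include <cstddef>
#include <cstdio>
#include <cstring>

static const size_t HASH_LEN = 16;

// Constructed stand-in for the bcrypt core: a 16-character printable digest
// of key and salt. It is not a password hash; it only makes two different
// inputs produce two visibly different results so the buffer handling can
// be exercised deterministically.
static void toy_digest(const char* key, const char* salt, char out[HASH_LEN + 1]) {
    static const char alphabet[] =
        "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    unsigned h = 2166136261u;
    const char* parts[2] = { key, salt };
    for (int p = 0; p < 2; ++p)
        for (const char* c = parts[p]; *c; ++c) {
            h ^= static_cast<unsigned char>(*c);
            h *= 16777619u;
        }
    for (size_t i = 0; i < HASH_LEN; ++i) {
        out[i] = alphabet[h % 64];
        h = h * 1103515245u + 12345u;
    }
    out[HASH_LEN] = '\0';
}

// Pre-patch shape: one static buffer, returned by pointer. Every caller
// shares it, so each call overwrites the previous caller's result; with the
// GIL released around the call, the previous caller may be another thread
// checking a different user's password.
static char g_encrypted[128];
const char* hash_shared(const char* key, const char* salt) {
    if (salt[0] != '$') return ":";  // the old error marker
    toy_digest(key, salt, g_encrypted);
    return g_encrypted;
}

// Patched shape: the caller owns the buffer. Returns 0 on success and -1
// otherwise; result holds ":" unless a complete hash was written. The
// result_len == 0 guard is added here; the upstream change writes the
// marker before checking the length.
int hash_into(const char* key, const char* salt, char* result, size_t result_len) {
    char encrypted[HASH_LEN + 1];
    if (result_len == 0) return -1;
    memset(result, 0, result_len);
    *result = ':';
    if (salt[0] != '$') return -1;
    toy_digest(key, salt, encrypted);
    size_t elen = strlen(encrypted);
    if (result_len <= elen) {  // no room for the hash plus its NUL
        memset(encrypted, 0, sizeof encrypted);
        return -1;
    }
    memcpy(result, encrypted, elen + 1);
    memset(encrypted, 0, sizeof encrypted);
    return 0;
}

// Two logins back to back through the shared buffer: the pointer handed to
// the first caller now holds the second caller's hash. True means clobbered.
bool demo_shared_buffer_clobbered() {
    const char* a = hash_shared("alice-pw", "$2a$05$saltA");
    char a_copy[HASH_LEN + 1];
    memcpy(a_copy, a, HASH_LEN + 1);
    const char* b = hash_shared("bob-pw", "$2a$05$saltB");
    return a == b && strcmp(a, a_copy) != 0;
}

// The same two logins with caller-owned buffers: both results survive.
bool demo_caller_buffers_independent() {
    char a[64], b[64];
    int ra = hash_into("alice-pw", "$2a$05$saltA", a, sizeof a);
    int rb = hash_into("bob-pw", "$2a$05$saltB", b, sizeof b);
    return ra == 0 && rb == 0 && strcmp(a, b) != 0 && strcmp(a, ":") != 0;
}

// A buffer one byte too short for the NUL is refused and left as ":".
bool demo_too_small_buffer_refused() {
    char small[HASH_LEN];
    return hash_into("x", "$2a$05$salt", small, sizeof small) == -1 && strcmp(small, ":") == 0;
}

// A malformed salt also yields -1 and the ":" marker.
bool demo_bad_salt_marker() {
    char r[64];
    return hash_into("x", "nosalt", r, sizeof r) == -1 && strcmp(r, ":") == 0;
}

int main() {
    std::printf("shared buffer clobbered: %d, caller buffers independent: %d, "
                "too small refused: %d, bad salt marker: %d\n",
                demo_shared_buffer_clobbered() ? 1 : 0,
                demo_caller_buffers_independent() ? 1 : 0,
                demo_too_small_buffer_refused() ? 1 : 0,
                demo_bad_salt_marker() ? 1 : 0);
    return 0;
}
```

The first demo is the bug in miniature: whoever reads the shared pointer last wins, and in the Python binding the reader and the writer can be different threads because the call runs with the GIL released.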
Bug#703146: Better debootstrap InRelease handling fix
On Wednesday, 27 March 2013 12:59:15, Benjamin Cama wrote: attached version fixes both problems (and is based on latest master, after Julien disabled InRelease support). Please note that it will still print what's _before_ the BEGIN header, if present (there shouldn't be anything, but if you really want to be picky…) Well, yes, we want to be picky: the whole point of checking the signature is to avoid letting unsigned content be considered valid by debootstrap / apt / etc. See CVE-2013-1051. That said, I think I would prefer a gpgv patch to only output verified content than such sed hackery (although nice). Cheers, OdyX
Bug#704042: CVE-2013-1892 -- mongodb: Remote shell access via run method's use of native_helper
Hi all, thank you very much for the effort. Can you please do an NMU for me? I am in a quite distant location for the next 2 days and the Internet connection is not good enough to upload anything bigger than an email. Thank you, Antonin * John Paul Adrian Glaubitz glaub...@physik.fu-berlin.de [2013-03-27 13:15] wrote: tags 704042 patch tags 704042 upstream thanks I have extracted the two patches which have been committed by upstream to address the issue, attaching them. Will create a package ready for NMU later to help speed things up if desired. Cheers, Adrian -- .''`. John Paul Adrian Glaubitz : :' : Debian Developer - glaub...@debian.org `. `' Freie Universitaet Berlin - glaub...@physik.fu-berlin.de `-GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
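The class of bug behind CVE-2013-1892, as an added example in C++ rather than MongoDB's own code: the removed native_helper read two numbers from a script-visible object and cast them to a function pointer and a data pointer, so a script that could influence those numbers chose the call target. The hardened shape below hands the script only an opaque id and resolves it through a host-owned table. NativeFn, NativeRegistry and the add/mul natives are hypothetical names for this demonstration and the sample data is constructed; the unchecked path is exercised only with a number derived from a real address, since feeding it anything else is exactly the crash or code execution the fix prevents.

```cpp
// Added example (not MongoDB's code): a number cast to a function pointer
// versus a handle table that the host controls.
#include <cstdint>
#include <cstdio>
#include <map>
#include <utility>

// Hypothetical native-call ABI: a registered function receives the opaque
// data pointer it was registered with and one integer from the script.
typedef int (*NativeFn)(void* data, int arg);

static int g_five = 5;  // constructed sample data the natives operate on
static int add_native(void* data, int arg) { return *static_cast<int*>(data) + arg; }
static int mul_native(void* data, int arg) { return *static_cast<int*>(data) * arg; }

// Vulnerable pattern (the shape of the removed native_helper): the script
// hands back two numbers, we cast them to a code pointer and a data pointer
// and call. Whatever value the script can put in x becomes the call target.
int call_unchecked(double x, double y, int arg) {
    NativeFn fn = reinterpret_cast<NativeFn>(
        static_cast<uintptr_t>(static_cast<long long>(x)));
    void* data = reinterpret_cast<void*>(
        static_cast<uintptr_t>(static_cast<long long>(y)));
    return fn(data, arg);
}

// Hardened pattern: the script only ever sees a small integer id and the
// host resolves it through a table it owns. Function and data pointer live
// in one entry, so a script cannot pair one function's id with another
// function's data, and an id that was never handed out is refused.
class NativeRegistry {
public:
    NativeRegistry() : next_id_(0) {}

    long long registerFn(NativeFn fn, void* data) {
        Entry e;
        e.fn = fn;
        e.data = data;
        long long id = next_id_++;  // counter: ids stay unique even if entries are erased
        table_.insert(std::make_pair(id, e));
        return id;
    }

    // Called with whatever number the script supplied.
    bool call(long long id, int arg, int* out) const {
        std::map<long long, Entry>::const_iterator it = table_.find(id);
        if (it == table_.end()) return false;  // fail closed
        *out = it->second.fn(it->second.data, arg);
        return true;
    }

private:
    struct Entry { NativeFn fn; void* data; };
    long long next_id_;
    std::map<long long, Entry> table_;
};

// Round trip through the unchecked path with the number the old code would
// have published for a real function: (double)(long long)func.
int demo_unchecked_roundtrip() {
    double x = static_cast<double>(reinterpret_cast<uintptr_t>(&mul_native));
    double y = static_cast<double>(reinterpret_cast<uintptr_t>(&g_five));
    return call_unchecked(x, y, 2);  // mul_native(&g_five, 2) == 10
}

int demo_registry_ok() {
    NativeRegistry reg;
    long long id = reg.registerFn(&add_native, &g_five);
    int out = 0;
    reg.call(id, 2, &out);  // add_native(&g_five, 2) == 7
    return out;
}

bool demo_registry_rejects_forged_id() {
    NativeRegistry reg;
    reg.registerFn(&add_native, &g_five);
    int out = 0;
    // Ids the script was never given, whether guessed or computed, do nothing.
    return !reg.call(0x4141414141LL, 2, &out) && !reg.call(-1, 2, &out);
}

int main() {
    std::printf("unchecked: %d, registry: %d, forged id rejected: %d\n",
                demo_unchecked_roundtrip(), demo_registry_ok(),
                demo_registry_rejects_forged_id() ? 1 : 0);
    return 0;
}
```

The id the script sees in the hardened version is still predictable (0, 1, 2, ...), and that is fine: an unknown id fails closed, and a known id can only reach a function the host registered, with the data the host registered it with.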
Bug#700169: non-free license: requires to obey US export regulation even, when not in the US
On Wed, Mar 27, 2013 at 11:47:33AM +0100, Michael Stapelberg wrote: Hi Ansgar, Mattia, Ansgar Burchardt ans...@debian.org writes: I also checked the initial Debian package on snapshot.debian.org (version 20050930-1). It also has only the non-free license in the individual files, but states Dual GPLv2/ACPICA Licence in d/copyright. It also has the BSD-3-clause-or-GPL-2 bit in d/copyright. It's likely that it was already dual-licensed, but that this wasn't documented in the tarball itself. I'm not sure why they now have two tarballs instead of one with both licenses... The GNU General Public License or via a separate license that may be more favorable to commercial OSVs (from the FAQ) seems also wrong given there are *three* licenses: the non-free one, a 3-clause BSD and the GPL-2 Well, according to https://github.com/acpica/acpica/commit/84b8d0fd, the dual-license tarballs are only available starting from version 20110211. That version can indeed be downloaded as unix2 tarball. Mattia: is it reasonable to update this package to a newer version, based on one of the unix2 tarballs? yes it is, that's what Al did already: http://ftp-master.debian.org/new/acpica-unix_20130214-0.3.html In any case, most of the code of the old packages has been included in the linux kernel for years and the original download page states: The Linux package includes the same functionality as the previous two, but has been modified to integrate smoothly with the Linux kernel source. This includes conversion of the ACPI CA source code to the Linux kernel coding standard, and licensing under the GNU General Public License. ... Linux The latest IASL compiler for Linux can be built from the Unix source package: download acpica-unix-VERSION.tar.gz $ tar xzf acpica-unix-VERSION.tar.gz $ cd acpica-unix-VERSION/compiler $ make Starting with Linux kernel 2.4, ACPI CA is in the Linux kernel.
(taken from a randomly old snapshot: http://web.archive.org/web/20050911035003/http://developer.intel.com/technology/iapc/acpi/downloads.htm) from the commit log you referenced the explicit licence on source files was requested by FreeBSD but ACPICA has always been dual licensed. -- mattia :wq!
Bug#704042: marked as done (CVE-2013-1892 -- mongodb: Remote shell access via run method's use of native_helper)
Your message dated Wed, 27 Mar 2013 12:48:01 + with message-id e1ukplp-h8...@franck.debian.org and subject line Bug#704042: fixed in mongodb 1:2.0.6-1.1 has caused the Debian Bug report #704042, regarding CVE-2013-1892 -- mongodb: Remote shell access via run method's use of native_helper to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 704042: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704042 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: mongodb Severity: grave Tags: security Dear Maintainer, Please see here for details [1] and a link to the upstream commit [2]: [1] https://security-tracker.debian.org/tracker/CVE-2013-1892 [2] https://jira.mongodb.org/browse/SERVER-9124 Regards -- Prach Pongpanich ---End Message--- ---BeginMessage--- Source: mongodb Source-Version: 1:2.0.6-1.1 We believe that the bug you reported is fixed in the latest version of mongodb, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 704...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp.
John Paul Adrian Glaubitz glaub...@physik.fu-berlin.de (supplier of updated mongodb package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 27 Mar 2013 13:08:10 +0100 Source: mongodb Binary: mongodb mongodb-server mongodb-clients mongodb-dev Architecture: source amd64 Version: 1:2.0.6-1.1 Distribution: testing-proposed-updates Urgency: high Maintainer: Antonin Kral a.k...@sh.cvut.cz Changed-By: John Paul Adrian Glaubitz glaub...@physik.fu-berlin.de Description: mongodb- object/document-oriented database (metapackage) mongodb-clients - object/document-oriented database (client apps) mongodb-dev - object/document-oriented database (development) mongodb-server - object/document-oriented database (server package) Closes: 704042 Changes: mongodb (1:2.0.6-1.1) testing-proposed-updates; urgency=high . * Non-maintainer upload. * Include patch to address remote vulnerability CVE-2013-1895 (Closes: #704042). 
Checksums-Sha1: b02a71c4fded6618f1fb1f1ca053c30f28572046 2251 mongodb_2.0.6-1.1.dsc 0e276274e32c589117635f3d6df0ff0d64a62ae0 2836857 mongodb_2.0.6.orig.tar.gz 89cf9e1753394eb8b79752ab8b8e344aea004b41 24331 mongodb_2.0.6-1.1.debian.tar.gz 7abfa70e320ccbb5d67a170f7d1be9b5a9064965 10456 mongodb_2.0.6-1.1_amd64.deb d7a62719a1a5d8d00858c4a5cebab6ca8bf72fad 4307718 mongodb-server_2.0.6-1.1_amd64.deb b0d0440484fc8550c028fe764c3a5e45a4ac6cd7 16793134 mongodb-clients_2.0.6-1.1_amd64.deb cfbfe473cc54c6a26b645f00f858330a5c918424 1907698 mongodb-dev_2.0.6-1.1_amd64.deb Checksums-Sha256: 2a66b9455d9a406ae047a7b7fa0e56c17f0794ff2f03a9bc1454dbe2bd53d12f 2251 mongodb_2.0.6-1.1.dsc 201133a810c908140ea00f84c8257a96cdd6bb84fa0c0a33e42e478628666c3f 2836857 mongodb_2.0.6.orig.tar.gz 00299de114246e1b3f24d556a17a985b58a2a032e63163d3c308ef1eec02298d 24331 mongodb_2.0.6-1.1.debian.tar.gz 2631c62a0d28228a47aed1782fd51b6623ee93d139b19cc3e498667c446bdd96 10456 mongodb_2.0.6-1.1_amd64.deb 0c225302fabe322d5cc1bfd96097117a94e2ed1b7b0498acc7720cc24d6af710 4307718 mongodb-server_2.0.6-1.1_amd64.deb aaad56ea212a7082694d1f9304a6eb3963a368b68c53df5921cc78a3b4c1f3b2 16793134 mongodb-clients_2.0.6-1.1_amd64.deb d1a7c974050ad413c11afbe5af4da26f7e006172582b7cf141718df16e5c192f 1907698 mongodb-dev_2.0.6-1.1_amd64.deb Files: 2463a70340dc8ab401137a9a834c9842 2251 database optional mongodb_2.0.6-1.1.dsc 111521f1b6b3379b4dd5fbc1e8f038cf 2836857 database optional mongodb_2.0.6.orig.tar.gz 9ceb596dd2608b2164993b4867c2251b 24331 database optional mongodb_2.0.6-1.1.debian.tar.gz ad764fdfbf1f98160d46054d925887ac 10456 database optional mongodb_2.0.6-1.1_amd64.deb 15e14000f1bd2c77afca93f6a9c8eb07 4307718 database optional mongodb-server_2.0.6-1.1_amd64.deb e44aabe6b1cd76b8a366151ed7dd5bb3 16793134 database optional mongodb-clients_2.0.6-1.1_amd64.deb 12b8952deefb0bfc5ddd506507c8fb1d 1907698 libdevel optional mongodb-dev_2.0.6-1.1_amd64.deb -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) 
iQIcBAEBCAAGBQJRUuejAAoJEHQmOzf1tfkTL7YQAIR80wKIvoBkmBLbWKZE8UKM
Processed: bug 703916 is forwarded to http://icl.cs.utk.edu/lapack-forum/archives/lapack/msg01380.html
Processing commands for cont...@bugs.debian.org: forwarded 703916 http://icl.cs.utk.edu/lapack-forum/archives/lapack/msg01380.html Bug #703916 {Done: Sébastien Villemot sebast...@debian.org} [lapack] LAPACK package contains non-free files. Set Bug forwarded-to-address to 'http://icl.cs.utk.edu/lapack-forum/archives/lapack/msg01380.html'. thanks Stopping processing here. Please contact me if you need assistance. -- 703916: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703916 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#704055: libawl-php: Session.php calls private attribute 'EMail::To' in line 695, missing accessor in EMail.php
Package: libawl-php Version: 0.53-1 Severity: serious Tags: upstream Justification: unknown -- System Information: Debian Release: 7.0 APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Shell: /bin/sh linked to /bin/dash Versions of packages libawl-php depends on: ii debconf 1.5.49 ii perl 5.14.2-20 Versions of packages libawl-php recommends: ii php5 5.4.4-14 libawl-php suggests no packages. -- no debconf information The package does not currently include the changes made after the release of 0.53, thus breaking the 'Session::EmailTemporaryPassword' functionality of the awl tools. E.g. the davical package depends on this to work and will produce error output like this in the /var/log/apache2/error.log: PHP Fatal error: Cannot access private property EMail::$To in /usr/share/awl/inc/Session.php on line 695, referer: someuri Solution, switch to awl 0.54, it is already there...
Bug#704030: python-bcrypt: Upstream has released a security update.
I have prepared an NMU with the attached debdiff. I'd be happy to upload if the maintainer agrees. Adrian -- .''`. John Paul Adrian Glaubitz : :' : Debian Developer - glaub...@debian.org `. `' Freie Universitaet Berlin - glaub...@physik.fu-berlin.de `-GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913 diff -u python-bcrypt-0.1/debian/changelog python-bcrypt-0.1/debian/changelog --- python-bcrypt-0.1/debian/changelog +++ python-bcrypt-0.1/debian/changelog @@ -1,3 +1,11 @@ +python-bcrypt (0.1-1.1) unstable; urgency=high + + * Non-maintainer upload. + * Include upstream patch to fix authentication bypass +vulnerability CVE-2013-1895 (Closes: #704030). + + -- John Paul Adrian Glaubitz glaub...@physik.fu-berlin.de Wed, 27 Mar 2013 14:08:47 +0100 + python-bcrypt (0.1-1) unstable; urgency=low * Initial release (Closes: #454627) only in patch2: unchanged: --- python-bcrypt-0.1.orig/debian/patches/series +++ python-bcrypt-0.1/debian/patches/series @@ -0,0 +1 @@ +0001-CVE-2013-1895.patch only in patch2: unchanged: --- python-bcrypt-0.1.orig/debian/patches/0001-CVE-2013-1895.patch +++ python-bcrypt-0.1/debian/patches/0001-CVE-2013-1895.patch 
@@ -0,0 +1,158 @@ +changeset: 12:3bc365ff4373 +user:Damien Miller d...@mindrot.org +date:Tue Mar 19 07:17:53 2013 +1100 +summary: Fix concurrency bug reported by Alan Fairless of spideroak.com: + +diff -r 79e29a6fdcd5 -r 3bc365ff4373 bcrypt/bcrypt.c +--- a/bcrypt/bcrypt.c Tue Mar 19 07:13:52 2013 +1100 b/bcrypt/bcrypt.c Tue Mar 19 07:17:53 2013 +1100 +@@ -66,15 +66,12 @@ + #define BCRYPT_BLOCKS 6 /* Ciphertext blocks */ + #define BCRYPT_MINROUNDS 16 /* we have log2(rounds) in salt */ + +-char *pybc_bcrypt(const char *, const char *); ++int pybc_bcrypt(const char *, const char *, char *, size_t); + void encode_salt(char *, u_int8_t *, u_int16_t, u_int8_t); + + static void encode_base64(u_int8_t *, u_int8_t *, u_int16_t); + static void decode_base64(u_int8_t *, u_int16_t, u_int8_t *); + +-static charencrypted[128]; +-static charerror[] = :; +- + const static u_int8_t Base64Code[] = + ./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789; + +@@ -146,8 +143,8 @@ + /* We handle $Vers$log2(NumRounds)$salt+passwd$ +i.e. $2$04$iwouldntknowwhattosayetKdJ6iFtacBqJdKe6aW7ou */ + +-char * +-pybc_bcrypt(const char *key, const char *salt) ++int ++pybc_bcrypt(const char *key, const char *salt, char *result, size_t result_len) + { + pybc_blf_ctx state; + u_int32_t rounds, i, k; +@@ -157,14 +154,18 @@ + u_int8_t csalt[BCRYPT_MAXSALT]; + u_int32_t cdata[BCRYPT_BLOCKS]; + int n; ++ char encrypted[128]; ++ size_t elen; ++ ++ /* Return the error marker unless otherwise specified */ ++ bzero(result, result_len); ++ *result = ':'; + + /* Discard $ identifier */ + salt++; + +- if (*salt BCRYPT_VERSION) { +- /* How do I handle errors ? 
Return ':' */ +- return error; +- } ++ if (*salt BCRYPT_VERSION) ++ return -1; + + /* Check for minor versions */ + if (salt[1] != '$') { +@@ -175,7 +176,7 @@ + salt++; + break; + default: +- return error; ++ return -1; + } + } else + minor = 0; +@@ -185,21 +186,21 @@ + + if (salt[2] != '$') + /* Out of sync with passwd entry */ +- return error; ++ return -1; + + /* Computer power doesn't increase linear, 2^x should be fine */ + n = atoi(salt); + if (n 31 || n 0) +- return error; ++ return -1; + logr = (u_int8_t)n; + if ((rounds = (u_int32_t) 1 logr) BCRYPT_MINROUNDS) +- return error; ++ return -1; + + /* Discard num rounds + $ identifier */ + salt += 3; + + if (strlen(salt) * 3 / 4 BCRYPT_MAXSALT) +- return error; ++ return -1; + + /* We dont want the base64 salt but the raw data */ + decode_base64(csalt, BCRYPT_MAXSALT, (u_int8_t *) salt); +@@ -249,7 +250,14 @@ + encode_base64((u_int8_t *) encrypted + i + 3, csalt, BCRYPT_MAXSALT); + encode_base64((u_int8_t *) encrypted + strlen(encrypted), ciphertext, + 4 * BCRYPT_BLOCKS - 1); +- return encrypted; ++ elen = strlen(encrypted); ++ if (result_len = elen) { ++ bzero(encrypted, sizeof(encrypted)); ++ return -1; ++ } ++ memcpy(result, encrypted, elen + 1); ++ bzero(encrypted, sizeof(encrypted)); ++ return 0; + } + + static void +diff -r 79e29a6fdcd5 -r 3bc365ff4373 bcrypt/bcrypt_python.c +--- a/bcrypt/bcrypt_python.c Tue Mar 19 07:13:52 2013 +1100 b/bcrypt/bcrypt_python.c Tue Mar 19 07:17:53 2013 +1100 +@@ -25,7 +25,7 @@ + /* $Id$ */ + + /* Import */ +-char *pybc_bcrypt(const char *, const char *); ++int pybc_bcrypt(const char *, const char *, char *, size_t); + void encode_salt(char *, u_int8_t *, u_int16_t, u_int8_t); + + PyDoc_STRVAR(bcrypt_encode_salt_doc, +@@ -67,7 +67,8 @@ + { + static char *keywords[] = { password, salt, NULL }; + char *password = NULL, *salt = NULL; +- char *ret; ++ char hashed[128]; ++ int ret; + char *password_copy; + char *salt_copy; + +@@ -79,21 +80,19 @@ + salt_copy = strdup(salt); + + 
Py_BEGIN_ALLOW_THREADS;
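Review bot: for the debian/patches/series hunk, make sure the source package actually applies it (debian/source/format of 3.0 (quilt), or a quilt hook in debian/rules), since the series file is new in this upload and on its own does nothing; the debian/changelog hunk is fine. For the 0001-CVE-2013-1895.patch hunk, the file carries only the hg changeset/user/date/summary header; adding DEP-3 fields such as `Origin: upstream, changeset 3bc365ff4373` and `Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704030` keeps the provenance with the package instead of in this mail thread.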
Bug#699886: [debian-mysql] Bug#699886: TLS timing attack in yaSSL (Lucky 13)
Thanks Michael! I suspect that we will see 2.2.2d in one of the upcoming releases from Oracle. While I would prefer to ship wheezy with no known security bugs, I don't have much time to build and test a new package. If someone else wants to do that I will gladly sponsor it. -Original Message- From: Michael Stapelberg stapelb...@debian.org To: Thijs Kinkhorst th...@debian.org, 699...@bugs.debian.org, cont...@bugs.debian.org Sent: Wed, 27 Mar 2013 3:09 Subject: [debian-mysql] Bug#699886: TLS timing attack in yaSSL (Lucky 13) Control: tags -1 +patch Hi Thijs, Thijs Kinkhorst th...@debian.org writes: Nadhem Alfardan and Kenny Paterson have discovered a weakness in the handling of CBC ciphersuites in SSL, TLS and DTLS. Their attack exploits timing differences arising during MAC processing. Details of this attack can be found at: http://www.isg.rhul.ac.uk/tls/ The issue has been fixed in upstream yaSSL 2.5.0: http://www.yassl.com/yaSSL/Docs-cyassl-changelog.html Currently, MySQL uses yaSSL 2.2.2. yaSSL has released version 2.2.2d which addresses this problem. I downloaded yassl-2.2.2.zip from http://fossies.org/unix/privat/yassl-2.2.2.zip and yassl-2.2.2d.zip from http://yassl.com/yaSSL/download I then created a git repo in 2.2.2 and copied over the files from 2.2.2d. 
The following files differ: $ git status | grep 'modified' | grep -v '\.in$' | grep -v '\(INSTALL\|README\|aclocal.m4\|config.guess\|config.sub\|configure\|depcomp\|install-sh\|ltmain.sh\|missing\|mkinstalldirs\)' # modified: include/openssl/ssl.h # modified: include/yassl_error.hpp # modified: include/yassl_types.hpp # modified: src/handshake.cpp # modified: src/yassl_error.cpp # modified: src/yassl_imp.cpp # modified: taocrypt/include/asn.hpp # modified: taocrypt/include/sha.hpp # modified: taocrypt/src/asn.cpp I then created a patch and modified it so that it (somewhat) applies to the MySQL source: git diff include/openssl/ssl.h include/yassl_error.hpp include/yassl_types.hpp src/handshake.cpp src/yassl_error.cpp src/yassl_imp.cpp taocrypt/include/asn.hpp taocrypt/include/sha.hpp taocrypt/src/asn.cpp > yassl.patch sed -i 's,\([iw]\)/,\1/extra/yassl/,g' yassl.patch dos2unix yassl.patch Then, I used quilt to get the patch in shape: cd /tmp/mysql-5.5-5.5.30+dfsg export QUILT_PATCHES=debian/patches quilt import ../yassl-2.2.2/yassl.patch quilt push -f # apply 4 hunks of the patch manually quilt refresh I attached the result to this email, hopefully that helps. Note that I didn’t compile and test MySQL. -- Best regards, Michael
Bug#703916: marked as done (LAPACK package contains non-free files.)
Your message dated Wed, 27 Mar 2013 13:33:28 + with message-id e1ukqto-0003wj...@franck.debian.org and subject line Bug#703916: fixed in lapack 3.4.2+dfsg-1~exp1 has caused the Debian Bug report #703916, regarding LAPACK package contains non-free files. to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 703916: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703916 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: lapack Version: 3.4.1-6 The LAPACK package contains two non-free files in the lapacke/examples directory, example_DGESV_rowmajor.c and example_ZGESV_rowmajor.c. Both of these files have the following proprietary license header, which clearly prohibits any and all copying or distribution: /*** * Copyright (C) 2009-2011 Intel Corporation. All Rights Reserved. * The information and material (Material) provided below is owned by Intel * Corporation or its suppliers or licensors, and title to such Material remains * with Intel Corporation or its suppliers or licensors. The Material contains * proprietary information of Intel or its suppliers and licensors. The Material * is protected by worldwide copyright laws and treaty provisions. No part of * the Material may be copied, reproduced, published, uploaded, posted, * transmitted, or distributed in any way without Intel's prior express written * permission. No license under any patent, copyright or other intellectual * property rights in the Material is granted to or conferred upon you, either * expressly, by implication, inducement, estoppel or otherwise. 
Any license * under such intellectual property rights must be express and approved by Intel * in writing. * */ ---End Message--- ---BeginMessage--- Source: lapack Source-Version: 3.4.2+dfsg-1~exp1 We believe that the bug you reported is fixed in the latest version of lapack, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 703...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Sébastien Villemot sebast...@debian.org (supplier of updated lapack package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 27 Mar 2013 13:11:24 +0100 Source: lapack Binary: liblapack3 liblapack3gf liblapacke liblapacke-dev liblapack-dev liblapack-pic liblapack-test liblapack-doc liblapack-doc-man Architecture: source all amd64 Version: 3.4.2+dfsg-1~exp1 Distribution: experimental Urgency: low Maintainer: Debian Science Team debian-science-maintain...@lists.alioth.debian.org Changed-By: Sébastien Villemot sebast...@debian.org Description: liblapack-dev - Library of linear algebra routines 3 - static version liblapack-doc - Library of linear algebra routines 3 - documentation liblapack-doc-man - Library of linear algebra routines 3 - documentation (manual page liblapack-pic - Library of linear algebra routines 3 - static PIC version liblapack-test - Library of linear algebra routines 3 - testing programs liblapack3 - Library of linear algebra routines 3 - shared version liblapack3gf - Transitional package for liblapack3 liblapacke - Library of linear algebra routines 3 - C lib shared version liblapacke-dev - Library of linear 
algebra routines 3 - Headers Closes: 703916 Changes: lapack (3.4.2+dfsg-1~exp1) experimental; urgency=low . * Repackage upstream tarball. Delete non-DFSG-free files: lapacke/examples/example_{D,Z}GESV_rowmajor.c. (Closes: #703916) * Use my @debian.org email address * Remove obsolete DM-Upload-Allowed control flag * Fixes and improvements in package build logic + fix build-arch and build-indep rules + use Build-Depends-Indep field + enable parallel build (in particular, new patch parallel_build.patch) + move test failure notice from obsolete liblapack3gf to liblapack3 * Bump Standards-Version to 3.9.4 * Add lintian overrides in liblapack-doc-man about bad whatis entries in manpages (upstream does not provide the required short descriptions)
Bug#700169: non-free license: requires to obey US export regulation even, when not in the US
Hi Mattia, Mattia Dongili malat...@debian.org writes: yes it is, that's what Al did already: http://ftp-master.debian.org/new/acpica-unix_20130214-0.3.html I see. release-team: What’s your take on this? Can we get the new version into Debian in time for wheezy or how should we handle this? -- Best regards, Michael
Bug#703146: Better debootstrap InRelease handling fix
On Wednesday, 27 March 2013 at 13:32 +0100, Didier 'OdyX' Raboud wrote: On Wednesday, 27 March 2013 12:59:15, Benjamin Cama wrote: attached version fixes both problems (and is based on latest master, after Julien disabled InRelease support). Please note that it will still print what's _before_ the BEGIN header, if present (there shouldn't be anything, but if you really want to be picky…) Well, yes, we want to be picky: the whole point of checking the signature is to avoid letting unsigned content be considered valid by debootstrap / apt / etc. See CVE-2013-1051. OK, I understand. With my patch, someone could sneak in an unsigned Release before the signed one, right? I don't know if apt would parse it, but it's a problem. That said, I think I would prefer a gpgv patch to only output verified content than such sed hackery (although nice). Yes, this would be a far better solution. But a quick look at gnupg doesn't make that look easy. I'll give up on this solution for now, and leave InRelease files unhandled. Thanks for the comments, -- Benjamin Cama benjamin.c...@telecom-bretagne.eu
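The concern raised in this exchange (and in OdyX's earlier reply), as an added example in C++ that is not debootstrap's or apt's code: which lines of a clearsigned InRelease lie inside the signed region. naive_strip_armor mirrors the sed-style approach (drop the armor lines, keep the rest) and therefore lets an unsigned stanza placed before the BEGIN header through; signed_payload keeps only the text between the armor header block and the signature block, undoing RFC 4880 dash-escaping. Neither function verifies the signature; the thread's own conclusion, letting gpgv emit only verified content, still applies, and this only shows why the framing matters. The sample InRelease, including its placeholder signature, is constructed, and the function names are hypothetical.

```cpp
// Added example (not debootstrap's or apt's code): which lines of a
// clearsigned InRelease are inside the signed region. No signature is
// verified here; gpgv still has to be run on the whole file.
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

static const char* const BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----";
static const char* const BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----";
static const char* const END_SIG   = "-----END PGP SIGNATURE-----";

static std::vector<std::string> split_lines(const std::string& text) {
    std::vector<std::string> lines;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) lines.push_back(line);
    return lines;
}

// Sed-style extraction: drop the armor lines and the Hash: header, keep
// everything else. Text placed before the BEGIN header survives even
// though no signature covers it.
std::string naive_strip_armor(const std::string& text) {
    std::vector<std::string> lines = split_lines(text);
    std::string out;
    bool in_sig = false;
    for (size_t i = 0; i < lines.size(); ++i) {
        const std::string& l = lines[i];
        if (l == BEGIN_SIG) { in_sig = true; continue; }
        if (l == END_SIG) { in_sig = false; continue; }
        if (in_sig || l == BEGIN_MSG || l.compare(0, 5, "Hash:") == 0) continue;
        out += l + "\n";
    }
    return out;
}

// Strict extraction: only the text between the armor header block (the
// BEGIN line, its Hash: headers and the blank line) and the signature
// block is the signed payload (RFC 4880, section 7). Dash-escaped lines
// ("- " prefix) are unescaped; anything outside the region is discarded.
// Returns false if the input is not a complete clearsigned message.
bool signed_payload(const std::string& text, std::string* payload) {
    std::vector<std::string> lines = split_lines(text);
    size_t i = 0;
    while (i < lines.size() && lines[i] != BEGIN_MSG) ++i;
    if (i == lines.size()) return false;  // no clearsign header at all
    for (++i; i < lines.size() && !lines[i].empty(); ++i) {}  // armor headers
    if (i == lines.size()) return false;
    std::string out;
    for (++i; i < lines.size() && lines[i] != BEGIN_SIG; ++i) {
        const std::string& l = lines[i];
        out += (l.compare(0, 2, "- ") == 0 ? l.substr(2) : l) + "\n";
    }
    if (i == lines.size()) return false;  // payload without a signature block
    *payload = out;
    return true;
}

// Constructed sample: an unsigned stanza prepended to a signed body. The
// signature value is a placeholder, not real armor.
static const char* const SAMPLE =
    "Origin: evil\n"
    "Suite: stable\n"
    "MD5Sum:\n"
    " 0123456789abcdef0123456789abcdef 100 main/binary-amd64/Packages\n"
    "\n"
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA256\n"
    "\n"
    "Origin: Debian\n"
    "Suite: stable\n"
    "- -- a line that began with a dash\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "Version: GnuPG v1\n"
    "\n"
    "placeholder-signature-data\n"
    "-----END PGP SIGNATURE-----\n";

bool demo_naive_keeps_unsigned() {
    return naive_strip_armor(SAMPLE).find("Origin: evil") != std::string::npos;
}

bool demo_strict_drops_unsigned() {
    std::string p;
    return signed_payload(SAMPLE, &p)
        && p.find("Origin: evil") == std::string::npos
        && p.find("Origin: Debian\n") != std::string::npos
        && p.find("-- a line that began with a dash\n") != std::string::npos
        && p.find("- --") == std::string::npos;
}

// A plain Release file (no clearsign framing) is not a signed payload.
bool demo_plain_release_rejected() {
    std::string p;
    return !signed_payload("Origin: Debian\nSuite: stable\n", &p);
}

int main() {
    std::printf("naive keeps unsigned stanza: %d, strict drops it: %d, plain rejected: %d\n",
                demo_naive_keeps_unsigned() ? 1 : 0,
                demo_strict_drops_unsigned() ? 1 : 0,
                demo_plain_release_rejected() ? 1 : 0);
    return 0;
}
```

Even signed_payload is only half of the answer: it tells you which bytes a valid signature would cover, not whether the signature is valid, so it belongs after gpgv has accepted the file, never instead of it.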
Processed: tagging 704025
Processing commands for cont...@bugs.debian.org: # not required when appropriate versioning will do the job tags 704025 - wheezy Bug #704025 [olsrd] olsrd does not connect with others on amd64 Removed tag(s) wheezy. thanks Stopping processing here. Please contact me if you need assistance. -- 704025: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704025 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: fixed 704042 in 1:2.4.1-1
Processing commands for cont...@bugs.debian.org: # fixed in 2.4 series fixed 704042 1:2.4.1-1 Bug #704042 {Done: John Paul Adrian Glaubitz glaub...@physik.fu-berlin.de} [mongodb] CVE-2013-1892 -- mongodb: Remote shell access via run method's use of native_helper Marked as fixed in versions mongodb/1:2.4.1-1. thanks Stopping processing here. Please contact me if you need assistance. -- 704042: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704042 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#697571: marked as done (openbox hangs when removing display from dual-head configuration with xrandr)
Your message dated Wed, 27 Mar 2013 16:17:45 + with message-id e1ukt2n-0006ls...@franck.debian.org and subject line Bug#697571: fixed in openbox 3.5.0-7 has caused the Debian Bug report #697571, regarding openbox hangs when removing display from dual-head configuration with xrandr, to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
697571: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697571
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: openbox
Version: 3.5.0-6
Severity: important

Hi,

openbox hangs with 100% CPU usage when removing a display from a dual head configuration. This only happens when removing the second display while some windows are still displayed on it. If all windows are positioned on the first display openbox does not hang after removing the second display.
The bug can be reproduced using the following steps:

$ xrandr --output HDMI2 --right-of LVDS1 --auto
# start some X program and move its window to the new display
$ xrandr --output HDMI2 --off

-- 
Sebastian

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing'), (100, 'unstable'), (50, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386 armhf

Kernel: Linux 3.7-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openbox depends on:
ii  dpkg                      1.16.9
ii  libc6                     2.13-37
ii  libglib2.0-0              2.33.12+really2.32.4-3
ii  libice6                   2:1.0.8-2
ii  libobrender27             3.5.0-6
ii  libobt0                   3.5.0-6
ii  libsm6                    2:1.2.1-2
ii  libstartup-notification0  0.12-1
ii  libx11-6                  2:1.5.0-1
ii  libxau6                   1:1.0.7-1
ii  libxext6                  2:1.3.1-2
ii  libxinerama1              2:1.1.2-1
ii  libxml2                   2.8.0+dfsg1-7
ii  libxrandr2                2:1.3.2-2
ii  libxrender1               1:0.9.7-1

Versions of packages openbox recommends:
ii  obconf                    1:2.0.3+20110805+debian-1
ii  openbox-themes            1.0.2

Versions of packages openbox suggests:
ii  libxml2-dev               2.8.0+dfsg1-7
ii  menu                      2.1.46
ii  python                    2.7.3~rc2-1
ii  ttf-dejavu                2.33-3

-- no debconf information
---End Message---
---BeginMessage---
Source: openbox
Source-Version: 3.5.0-7

We believe that the bug you reported is fixed in the latest version of openbox, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 697...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Stapelberg stapelb...@debian.org (supplier of updated openbox package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 27 Mar 2013 14:16:10 +0100
Source: openbox
Binary: openbox gnome-panel-control libobt0 libobrender27 openbox-dev
Architecture: source amd64
Version: 3.5.0-7
Distribution: unstable
Urgency: low
Maintainer: Debian QA Group packa...@qa.debian.org
Changed-By: Michael Stapelberg stapelb...@debian.org
Description:
 gnome-panel-control - command line utility to invoke GNOME panel run dialog/menu
 libobrender27 - rendering library for openbox themes
 libobt0    - parsing library for openbox
 openbox    - standards compliant, fast, light-weight, extensible window manage
 openbox-dev - development files for the openbox window manager
Closes: 697571
Changes:
 openbox (3.5.0-7) unstable; urgency=low
 .
   * QA upload.
   * Apply upstream fix for an infinite loop when disabling RandR outputs
     (Closes: #697571)
Bug#703957:
Hello!

On Tue, Mar 26, 2013 at 05:02:49PM +0700, Prach Pongpanich wrote:
> tags 703957 + patch
> thanks
>
> Dear maintainer,
>
> I have prepared a patch (DEP-3 format) from upstream, which solves this bug (libarchive-3.0.4).

Thanks for preparing a prettified patch. It deviates from https://github.com/libarchive/libarchive/commit/22531545514043e04633e1c015c7540b9de9dbe4 and doesn't build though. Where did you get the patch from, or why did you modify it? Should I be worried?

-- 
Andreas Henriksson
Bug#703957: marked as done (libarchive: CVE-2013-0211)
Your message dated Wed, 27 Mar 2013 16:47:35 + with message-id e1uktvf-0005ql...@franck.debian.org and subject line Bug#703957: fixed in libarchive 3.0.4-3 has caused the Debian Bug report #703957, regarding libarchive: CVE-2013-0211, to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
703957: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703957
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: libarchive
Severity: grave
Tags: security

Please see here for details and a link to the upstream commit:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0211

Cheers,
Moritz
---End Message---
---BeginMessage---
Source: libarchive
Source-Version: 3.0.4-3

We believe that the bug you reported is fixed in the latest version of libarchive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 703...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Henriksson andr...@fatal.se (supplier of updated libarchive package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 27 Mar 2013 16:20:36 +0100
Source: libarchive
Binary: libarchive-dev libarchive12 bsdtar bsdcpio
Architecture: source amd64
Version: 3.0.4-3
Distribution: unstable
Urgency: low
Maintainer: Debian Libarchive Maintainers ah-libarch...@debian.org
Changed-By: Andreas Henriksson andr...@fatal.se
Description:
 bsdcpio    - Implementation of the 'cpio' program from FreeBSD
 bsdtar     - Implementation of the 'tar' program from FreeBSD
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive12 - Multi-format archive and compression library (shared library)
Closes: 703957
Changes:
 libarchive (3.0.4-3) unstable; urgency=low
 .
   * Add patch that fixes CVE-2013-0211.
     (Closes: #703957)
---End Message---
Bug#704077: CVE-2013-0336
Package: 389-ds
Severity: grave
Tags: security

Please see the following bug for details:
https://bugzilla.redhat.com/show_bug.cgi?id=913751

Cheers,
Moritz
Bug#703957:
Hi Andreas,

On Wed, Mar 27, 2013 at 11:30 PM, Andreas Henriksson andr...@fatal.se wrote:
> It deviates from https://github.com/libarchive/libarchive/commit/22531545514043e04633e1c015c7540b9de9dbe4 and doesn't build though. Where did you get the patch from or why did you modify it?

I got it from https://github.com/libarchive/libarchive/commit/22531545514043e04633e1c015c7540b9de9dbe4

I fail to build from source: libarchive_3.0.4-2

dget http://http.debian.net/debian/pool/main/liba/libarchive/libarchive_3.0.4-2.dsc
pbuilder build libarchive_3.0.4-2.dsc

---
configure: exit 77
dh_auto_configure: ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --libdir=${prefix}/lib/x86_64-linux-gnu --libexecdir=${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --without-openssl --with-nettle --enable-bsdtar=shared --enable-bsdcpio=shared returned exit code 77
make[1]: *** [override_dh_auto_configure] Error 255
make[1]: Leaving directory `/tmp/buildd/libarchive-3.0.4'
make: *** [build] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2

Regards,
-- 
Prach Pongpanich
Bug#700169: non-free license: requires to obey US export regulation even, when not in the US
On 27.03.2013 13:44, Michael Stapelberg wrote:
> Mattia Dongili malat...@debian.org writes:
>> yes it is, that's what Al did already:
>> http://ftp-master.debian.org/new/acpica-unix_20130214-0.3.html
> I see.
>
> release-team: What’s your take on this? Can we get the new version into Debian in time for wheezy or how should we handle this?

It's somewhat difficult to tell without seeing what's involved. (We can't exactly debdiff against NEW...)

Regards,

Adam
Bug#702087: 'guest' role has been created
previously, upstream and local firewalls had been opened

now, a 'guest' role in the pg cluster has been created by alioth admins

please test the pet importer and let us know the result

-- 
Luca Filipozzi
http://www.crowdrise.com/SupportDebian
Processed: Re: Bug#696727: cheese does not start with Gtk-Warning
Processing commands for cont...@bugs.debian.org:

severity 696727 grave
Bug #696727 [cheese] cheese does not start with Gtk-Warning
Severity set to 'grave' from 'important'
thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
696727: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696727
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#696727: cheese does not start with Gtk-Warning
On 03/27/2013 06:22 PM, Jon Dowland wrote:
> severity 696727 grave
> thanks
>
> On Wed, Dec 26, 2012 at 03:36:44PM +0100, Giovanni74 wrote:
>> cheese does not start at all. Here is the terminal output:
>
> Wow. I've just reproduced this. I'm mildly incredulous. Are we just unlucky? This makes the package entirely unusable for me. Can anyone use it?
>
> I'm going to take a chance and assume that my experience is the typical one, and thus the package is unusable or mostly so as it stands. I might try poking around at the source tonight but I know nothing about vala so I don't know if I'll get anywhere.

Please get a backtrace with G_DEBUG=fatal-warnings set and libgtk-3-0-dbg libglib2.0-0-dbg installed. You may also need to rebuild cheese with DEB_BUILD_OPTIONS=nostrip if the backtrace isn't very useful.

Thanks,
Emilio
Bug#703146: Better debootstrap InRelease handling fix
* Bastian Blank wa...@debian.org [130327 10:29]:
> On Wed, Mar 27, 2013 at 12:53:44AM +0100, Bernhard R. Link wrote:
>> Sorry, but this is not enough to properly extract the contents of an inline signed message. You still need to do possible unescaping between those lines.
>
> Is the unescaping part necessary for InRelease files? What are the rules for this?

That depends. If you only process InRelease files created by Debian (or for that matter likely most other legitimate producers of InRelease files), then you don't need any unescaping.

If you do process an InRelease file that you only verified to be from Debian by checking that it is properly signed and you want to have the content that was actually signed, then you need to unescape the whole mail and not only strip some parts from the start and the end of the file.

I do not know if the possible transformations you can do to an inline signed message without invalidating the signature can have any dangerous effects on the later use of this data here, but I'd suggest to rather get it properly extracted instead of hoping one did not overlook any attack vector.

Bernhard R. Link
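The extraction Bernhard describes, as an added example that is not part of the thread and not debootstrap's, apt's or gnupg's code: it assumes gpgv has already verified the signature, and returns exactly the text that signature covers by applying the RFC 4880 clearsign rules (armor framing, "- " dash-unescaping, trailing whitespace) instead of cutting between the BEGIN and END lines, refusing the unsigned preamble discussed earlier in the bug. The sample InRelease, its digest and its signature block are constructed placeholders.

```python
"""Recover the signed text of an OpenPGP clearsigned file such as InRelease.

Added example, not debootstrap's, apt's or gnupg's code. It assumes gpgv has
already verified the signature; the job here is to return exactly the text the
signature covers (RFC 4880 section 7) and to refuse anything outside that span.
"""
import re

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
ARMOR_HEADER = re.compile(r"^[A-Za-z][A-Za-z-]*: ")  # e.g. "Hash: SHA256"


class ClearsignError(ValueError):
    """Raised when the input is not a single, well-framed clearsigned message."""


def extract_signed_body(text: str) -> str:
    lines = text.split("\n")

    # 1. Locate the clearsign header. Nothing before it is covered by the
    #    signature, so an unsigned Release stanza placed there is refused
    #    instead of being passed on to the caller.
    try:
        start = lines.index(BEGIN_SIGNED)
    except ValueError:
        raise ClearsignError("no clearsign header found") from None
    if any(line.strip() for line in lines[:start]):
        raise ClearsignError("unsigned content precedes the clearsign header")

    # 2. Skip the armor headers ("Hash: ...") up to the mandatory blank line.
    i = start + 1
    while i < len(lines) and lines[i] != "":
        if not ARMOR_HEADER.match(lines[i]):
            raise ClearsignError("malformed armor header: %r" % lines[i])
        i += 1
    if i >= len(lines):
        raise ClearsignError("clearsign header is not followed by a blank line")
    i += 1

    # 3. Collect the cleartext up to the signature armor. A line that began
    #    with '-' in the original was written as "- ..." by the signer, so that
    #    prefix is removed; trailing whitespace is not signed, so it is dropped.
    body = []
    while i < len(lines) and lines[i] != BEGIN_SIG:
        line = lines[i]
        if line.startswith("- "):
            line = line[2:]
        body.append(line.rstrip(" \t\r"))
        i += 1
    if i >= len(lines):
        raise ClearsignError("no signature block found")

    # 4. The signature armor must close, and nothing may follow it: content
    #    appended after END is just as unsigned as content before BEGIN.
    try:
        end = lines.index(END_SIG, i)
    except ValueError:
        raise ClearsignError("signature block is not terminated") from None
    if any(line.strip() for line in lines[end + 1:]):
        raise ClearsignError("unsigned content follows the signature")

    # The line ending right before the signature armor belongs to the framing,
    # not to the signed text; re-adding one newline reproduces the Release file.
    return "\n".join(body) + "\n" if body else ""


def is_rejected(text: str) -> bool:
    """True if extract_signed_body refuses the input."""
    try:
        extract_signed_body(text)
    except ClearsignError:
        return True
    return False


# Constructed sample in the shape of an InRelease file; the digest, size and
# signature data are placeholders, not values from any real archive.
PLACEHOLDER_SHA256 = "0" * 64
SAMPLE_INRELEASE = "\n".join([
    BEGIN_SIGNED,
    "Hash: SHA256",
    "",
    "Origin: Debian",
    "Suite: stable",
    "Codename: wheezy",
    "Components: main   ",  # trailing blanks are not part of the signed text
    "- -- a line that began with a dash, dash-escaped by the signer",
    "SHA256:",
    " %s 1234 main/binary-amd64/Packages" % PLACEHOLDER_SHA256,
    BEGIN_SIG,
    "Version: GnuPG v1",
    "",
    "placeholderSignatureData",
    "=abcd",
    END_SIG,
    "",
])

if __name__ == "__main__":
    print(extract_signed_body(SAMPLE_INRELEASE), end="")
    # An unsigned stanza in front of the signed one must not be accepted.
    print("preamble rejected:", is_rejected("Suite: evil\n\n" + SAMPLE_INRELEASE))
```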
Bug#696727: cheese does not start with Gtk-Warning
On 27.03.2013 18:22, Jon Dowland wrote:
> severity 696727 grave
> thanks
>
> On Wed, Dec 26, 2012 at 03:36:44PM +0100, Giovanni74 wrote:
>> cheese does not start at all. Here is the terminal output:
>
> Wow. I've just reproduced this. I'm mildly incredulous. Are we just unlucky? This makes the package entirely unusable for me. Can anyone use it?
>
> I'm going to take a chance and assume that my experience is the typical one, and thus the package is unusable or mostly so as it stands.

Nope, cheese works fine here. I do get those warnings, but afaics they are a red herring.

Michael

-- 
Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
Bug#696727: cheese does not start with Gtk-Warning
On 03/27/2013 07:38 PM, Michael Biebl wrote:
> On 27.03.2013 18:22, Jon Dowland wrote:
>> severity 696727 grave
>> thanks
>>
>> On Wed, Dec 26, 2012 at 03:36:44PM +0100, Giovanni74 wrote:
>>> cheese does not start at all. Here is the terminal output:
>>
>> Wow. I've just reproduced this. I'm mildly incredulous. Are we just unlucky? This makes the package entirely unusable for me. Can anyone use it?
>>
>> I'm going to take a chance and assume that my experience is the typical one, and thus the package is unusable or mostly so as it stands.
>
> Nope, cheese works fine here. I do get those warnings, but afaics they are a red herring.

Then the backtrace I requested should be without G_DEBUG.

Regards,
Emilio
Bug#696727: cheese does not start with Gtk-Warning
On 27.03.2013 19:58, Emilio Pozuelo Monfort wrote:
> On 03/27/2013 07:38 PM, Michael Biebl wrote:
>> On 27.03.2013 18:22, Jon Dowland wrote:
>>> severity 696727 grave
>>> thanks
>>>
>>> On Wed, Dec 26, 2012 at 03:36:44PM +0100, Giovanni74 wrote:
>>>> cheese does not start at all. Here is the terminal output:
>>>
>>> Wow. I've just reproduced this. I'm mildly incredulous. Are we just unlucky? This makes the package entirely unusable for me. Can anyone use it?
>>>
>>> I'm going to take a chance and assume that my experience is the typical one, and thus the package is unusable or mostly so as it stands.
>>
>> Nope, cheese works fine here. I do get those warnings, but afaics they are a red herring.
>
> Then the backtrace I requested should be without G_DEBUG.

My guess would be that it is cogl/clutter/gl related. Jon, does gnome-shell (or other clutter using applications) work for you?

Michael

-- 
Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
Bug#682353: Crashes my X11 (KDE) session on upgrade
On Fri 2013-03-15 01:08:00 -0400, Daniel Kahn Gillmor wrote:
> Ugh, this is a bad result, but i don't think the bug is in 0.8.1 -- the crashing bug is in the earlier version (0.8-2), and one of the changes in 0.8.1 is to improve the behavior when such an upgrade is happening (as well as to make it impossible for a bug in the msva or the libraries it depends upon to kill your X session).
>
> I'd be happy to hear suggestions for how to resolve this, but i'm not sure what to do.

Here's a proposal: include a NEWS file in 0.8.1 that suggests that the user probably doesn't want to accept the old agent's prompt to be reloaded due to incompatibilities between the perl modules that have changed across the system upgrade. Newer implementations don't prompt for this restart by default, and also are more safe in their consequences when crashing: an agent crash disables agent functionality, but doesn't terminate the running X11 session.

Would this be sufficient to reduce the severity of 682353 to important?

--dkg
Processed: 694933 doesn't affect testing
Processing commands for cont...@bugs.debian.org:

# the problem from 694933 is only present in sid
notfound 694933 1.2.1.1-1
Bug #694933 [src:haskell-warp] haskell-warp: FTBFS: unsatisfiable build-dependency: libghc-blaze-builder-conduit-dev ( 0.5)
No longer marked as found in versions haskell-warp/1.2.1.1-1.
found 694933 1.2.1.1-2
Bug #694933 [src:haskell-warp] haskell-warp: FTBFS: unsatisfiable build-dependency: libghc-blaze-builder-conduit-dev ( 0.5)
Marked as found in versions haskell-warp/1.2.1.1-2.
thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
694933: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694933
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: found 704042 in 1:2.0.6-1
Processing commands for cont...@bugs.debian.org:

found 704042 1:2.0.6-1
Bug #704042 {Done: John Paul Adrian Glaubitz glaub...@physik.fu-berlin.de} [mongodb] CVE-2013-1892 -- mongodb: Remote shell access via run method's use of native_helper
Marked as found in versions mongodb/1:2.0.6-1.
thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
704042: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704042
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#700169: non-free license: requires to obey US export regulation even, when not in the US
On Wed, Mar 27, 2013 at 05:06:35PM +, Adam D. Barratt wrote:
> On 27.03.2013 13:44, Michael Stapelberg wrote:
>> Mattia Dongili malat...@debian.org writes:
>>> yes it is, that's what Al did already:
>>> http://ftp-master.debian.org/new/acpica-unix_20130214-0.3.html
>> I see.
>>
>> release-team: What’s your take on this? Can we get the new version into Debian in time for wheezy or how should we handle this?
>
> It's somewhat difficult to tell without seeing what's involved. (We can't exactly debdiff against NEW...)

Michael, I don't see a valid reason to get a newer version in wheezy at this stage of the freeze.

Regards,
-- 
mattia
:wq!
Bug#696727: cheese does not start with Gtk-Warning
Hi Michael and Emilio,

On Wed, Mar 27, 2013 at 08:00:06PM +0100, Michael Biebl wrote:
> My guess would be that it is cogl/clutter/gl related. Jon, does gnome-shell (or other clutter using applications) work for you?

Yep I run GNOME 3 including gnome-shell without problems.

I should probably expand on the report a bit: the process does not terminate after printing those errors, it sits there. Therefore, I don't have a core to backtrace by default. You are perhaps correct that those errors are a red herring. Nevertheless I have a bt with G_DEBUG=fatal-warnings, attached in case it's useful.

-- 
Jonathan Dowland
Bug#702087: UDD: vcs importer broken since PET moved to alioth
Hi,

I've got confirmation that a guest account at pet.d.n was created. I was able to connect using

    psql -h pet.debian.net -p 5432 pet guest

and

    udd@ullmann:/srv/udd.debian.org/udd$ ./update-and-run.sh vcs

seemed to work fine - at least there were no error messages. So I reenabled the cron job and hope all works fine.

Please check if all is fine and close the bug after checking.

Kind regards

Andreas.

-- 
http://fam-tille.de
Bug#696727: cheese does not start with Gtk-Warning
On Wed, Mar 27, 2013 at 07:38:45PM +0100, Michael Biebl wrote:
> I do get those warnings, but afaics they are a red herring.

Indeed, I've fixed the warnings using the tip at https://bugzilla.gnome.org/show_bug.cgi?id=671912 and I still have the same behaviour: process runs, remains running, but nothing is ever drawn to my screen.
Bug#696727: Info received (Bug#696727: cheese does not start with Gtk-Warning)
Just FWIW I've installed camorama which works fine - just to confirm that my webcam is OK.
Bug#696727: cheese does not start with Gtk-Warning
On Wed, Mar 27, 2013 at 09:16:17PM +, Jonathan Dowland wrote:
> You are perhaps correct that those errors are a red herring. Nevertheless I have a bt with G_DEBUG=fatal-warnings, attached in case it's useful.

Actually attached.

$ gdb ./.libs/cheese
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type show copying and show warranty for details.
This GDB was configured as x86_64-linux-gnu.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/...
Reading symbols from /home/jon/wd/cheese-3.4.2/.libs/cheese...done.
(gdb) run
Starting program: /home/jon/wd/cheese-3.4.2/.libs/cheese
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need set solib-search-path or set sysroot?
[Thread debugging using libthread_db enabled]
Using host libthread_db library /lib/x86_64-linux-gnu/libthread_db.so.1.
[New Thread 0x7fffe9385700 (LWP 13264)]
[New Thread 0x7fffe88ea700 (LWP 13265)]

(cheese:13261): Gtk-WARNING **: Attempting to add a widget with type GtkImage to a GtkToggleButton, but as a GtkBin subclass a GtkToggleButton can only contain one widget at a time; it already contains a widget of type GtkLabel

Program received signal SIGTRAP, Trace/breakpoint trap.
g_logv (log_domain=0x76592ff7 Gtk, log_level=G_LOG_LEVEL_WARNING, format=0x7659eb18 Attempting to add a widget with type %s to a %s, but as a GtkBin subclass a %s can only contain one widget at a time; it already contains a widget of type %s, args1=args1@entry=0x7fffda98) at /tmp/buildd/glib2.0-2.33.12+really2.32.4/./glib/gmessages.h:101
101	/tmp/buildd/glib2.0-2.33.12+really2.32.4/./glib/gmessages.h: No such file or directory.
(gdb) bt
#0  g_logv (log_domain=0x76592ff7 Gtk, log_level=G_LOG_LEVEL_WARNING, format=0x7659eb18 Attempting to add a widget with type %s to a %s, but as a GtkBin subclass a %s can only contain one widget at a time; it already contains a widget of type %s, args1=args1@entry=0x7fffda98) at /tmp/buildd/glib2.0-2.33.12+really2.32.4/./glib/gmessages.h:101
#1  0x755a2622 in g_log (log_domain=log_domain@entry=0x76592ff7 Gtk, log_level=log_level@entry=G_LOG_LEVEL_WARNING, format=format@entry=0x7659eb18 Attempting to add a widget with type %s to a %s, but as a GtkBin subclass a %s can only contain one widget at a time; it already contains a widget of type %s) at /tmp/buildd/glib2.0-2.33.12+really2.32.4/./glib/gmessages.c:792
#2  0x7633fc98 in gtk_bin_add (container=optimized out, child=0x17c8410) at /tmp/buildd/gtk+3.0-3.4.2/./gtk/gtkbin.c:124
#3  0x7585db54 in g_cclosure_marshal_VOID__OBJECTv (closure=0x64a460, return_value=optimized out, instance=0x17c02a0, args=optimized out, marshal_data=optimized out, n_params=optimized out, param_types=0x64a4d0) at /tmp/buildd/glib2.0-2.33.12+really2.32.4/./gobject/gmarshal.c:1312
#4  0x7585a9a7 in _g_closure_invoke_va (closure=0x64a460, return_value=0x0, instance=0x17c02a0, args=0x7fffdec8, n_params=1, param_types=0x64a4d0) at /tmp/buildd/glib2.0-2.33.12+really2.32.4/./gobject/gclosure.c:840
#5  0x75873006 in g_signal_emit_valist (instance=0x17c02a0, signal_id=optimized out, detail=0, var_args=var_args@entry=0x7fffdec8) at /tmp/buildd/glib2.0-2.33.12+really2.32.4/./gobject/gsignal.c:3211
#6  0x75873852 in g_signal_emit (instance=optimized out, signal_id=optimized out, detail=optimized out) at /tmp/buildd/glib2.0-2.33.12+really2.32.4/./gobject/gsignal.c:3356
#7  0x76346b42 in _gtk_builder_add (builder=0x16350f0, child_info=child_info@entry=0x1775500) at /tmp/buildd/gtk+3.0-3.4.2/./gtk/gtkbuilder.c:765
#8  0x7634b248 in end_element (error=0x7fffe058, user_data=0x174b4a0, element_name=0x17d94e0 child, context=optimized out) at /tmp/buildd/gtk+3.0-3.4.2/./gtk/gtkbuilderparser.c:1042
#9  end_element (context=optimized out, element_name=optimized out, user_data=0x174b4a0, error=0x7fffe058) at /tmp/buildd/gtk+3.0-3.4.2/./gtk/gtkbuilderparser.c:927
#10 0x7559f498 in g_markup_parse_context_parse (context=0x17bdd40, text=text@entry=0x17c3f90 ?xml version=\1.0\?\ninterface\n requires lib=\gtk+\ version=\2.16\/\n object class=\GtkGrid\ id=\mainbox_normal\\nproperty name=\orientation\vertical/property\nproperty name=\events..., text_len=optimized out, text_len@entry=13557, error=error@entry=0x7fffe118) at /tmp/buildd/glib2.0-2.33.12+really2.32.4/./glib/gmarkup.c:1559
#11 0x7634b677 in _gtk_builder_parser_parse_buffer (builder=builder@entry=0x16350f0, filename=filename@entry=0x1647060 /usr/share/cheese/cheese-main-window.ui, buffer=0x17c3f90 ?xml
Bug#694933: marked as done (haskell-warp: FTBFS: unsatisfiable build-dependency: libghc-blaze-builder-conduit-dev ( 0.5))
Your message dated Wed, 27 Mar 2013 23:07:58 +0100 with message-id 1364422078.7217.1.camel@kirk and subject line This has been fixed has caused the Debian Bug report #694933, regarding haskell-warp: FTBFS: unsatisfiable build-dependency: libghc-blaze-builder-conduit-dev ( 0.5), to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
694933: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694933
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Source: haskell-warp
Version: 1.2.1.1-1
Severity: serious
Justification: FTBFS by unsatisfiable build-dependency

libghc-blaze-builder-conduit-dev package is ver. 0.5.0.1.is.really.0.4.0.2-1 on sid now.

Regards,
-- 
Hiroyuki Yamamoto
A75D B285 7050 4BF9 AEDA 91AC 3A10 59C6 5203 04DC
---End Message---
---BeginMessage---
Version: 1.2.1.1-2

Despite http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=26;bug=694933, the bug is fixed in 1.2.1.1-2.

-- 
Dipl.-Math. Dipl.-Inform. Joachim Breitner
Wissenschaftlicher Mitarbeiter
http://pp.ipd.kit.edu/~breitner
---End Message---
Bug#696727: cheese does not start with Gtk-Warning
Hi,

could anyone who is seeing the issue with Cheese freezing try to disconnect their webcam? This might be an issue with the webcam failing to initialize which probably depends on the model of webcam being used.

I cannot reproduce the problem either, but I also currently have no webcam attached to this computer.

Cheers,
Adrian

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
Bug#704025: stack corruption affects non-32bit platforms
In case the bug report was non-obvious, the stack corruption mentioned in the description of the upstream patch affects 64-bit platforms, and platforms with more aggressive compiler optimization.
Processed: Re: [request-tracker-maintainers] Bug#704107: request-tracker4: GPG data stored in /var/cache
Processing commands for cont...@bugs.debian.org:

severity 704107 serious
Bug #704107 [request-tracker4] request-tracker4: GPG data stored in /var/cache
Severity set to 'serious' from 'important'
thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
704107: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704107
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: clone
Processing commands for cont...@bugs.debian.org:

> clone 704107 -1
Bug #704107 [request-tracker4] request-tracker4: GPG data stored in /var/cache
Bug 704107 cloned as bug 704109
> reassign -1 request-tracker3.8
Bug #704109 [request-tracker4] request-tracker4: GPG data stored in /var/cache
Bug reassigned from package 'request-tracker4' to 'request-tracker3.8'.
No longer marked as found in versions request-tracker4/4.0.7-4.
Ignoring request to alter fixed versions of bug #704109 to the same values previously set
> retitle -1 request-tracker3.8: GPG data stored in /var/cache
Bug #704109 [request-tracker3.8] request-tracker4: GPG data stored in /var/cache
Changed Bug title to 'request-tracker3.8: GPG data stored in /var/cache' from 'request-tracker4: GPG data stored in /var/cache'
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
704107: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704107
704109: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704109
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#704111: clang fails to correctly implement hard float ABI during default compiles due to ridiculously low default CPU setting.
Package: clang
Version: 1:3.0-6.1
Severity: grave
X-Debbugs-CC: debian-...@lists.debian.org; cfe-...@cs.uiuc.edu

(Note for non-Debian people reading this: the version of clang in Debian wheezy is a 3.0 based version which already has patches to make it invoke the linker with appropriate arguments. The llvm version also appears to be 3.0, again somewhat patched by Debian.)

I recently discovered that the version of clang in Debian wheezy and Raspbian wheezy does not work correctly on either Debian armhf or Raspbian. It seems the problem is that clang can't work out what CPU type it should be using and defaults to something very low (specifically arm7tdmi). With this CPU selected clang silently fails to properly use the hard float ABI and as such any armhf code it generates is broken and won't call floating point routines correctly. It also causes an assertion failure in the bfd linker (but links successfully with the gold linker).

Setting the CPU type to something sensible makes it implement the hard float ABI correctly and also stops the assertion failure in the bfd linker.

I have managed to figure out how to patch clang to change the default CPU for armhf (patch attached). However I'm not sure what it is best to set it to for Debian armhf*. In particular this block of code from just below where my patch is applied seems to map all armv7 variants to a CPU type of cortex-a8.

    return llvm::StringSwitch<const char *>(MArch)
      .Cases("armv2", "armv2a", "arm2")
      .Case("armv3", "arm6")
      .Case("armv3m", "arm7m")
      .Cases("armv4", "armv4t", "arm7tdmi")
      .Cases("armv5", "armv5t", "arm10tdmi")
      .Cases("armv5e", "armv5te", "arm1026ejs")
      .Case("armv5tej", "arm926ej-s")
      .Cases("armv6", "armv6k", "arm1136jf-s")
      .Case("armv6j", "arm1136j-s")
      .Cases("armv6z", "armv6zk", "arm1176jzf-s")
      .Case("armv6t2", "arm1156t2-s")
      .Cases("armv7", "armv7a", "armv7-a", "cortex-a8")
      .Cases("armv7r", "armv7-r", "cortex-r4")
      .Cases("armv7m", "armv7-m", "cortex-m3")
      .Case("ep9312", "ep9312")
      .Case("iwmmxt", "iwmmxt")
      .Case("xscale", "xscale")
      .Cases("armv6m", "armv6-m", "cortex-m0")
      // If all else failed, return the most base CPU LLVM supports.
      .Default("arm7tdmi");

Now it is my understanding that traditional cortex-a8 includes CPU features not required by Debian armhf, specifically neon and the extra vfp registers. The questions I have are:

1: What does the cortex-a8 CPU setting imply for clang/llvm? In particular, does it imply neon and the extra vfp registers?

2: If no one can provide an answer to the above question then, taking into account how late we are in the freeze, should we play it safe and specify a lower (armv6) CPU version to make sure that neon and the extra vfp registers don't get accidentally used? I personally think that the answer is yes but I'm open to arguments.

If I get no response to this within about a week I intend to attach an NMU diff containing a version of the patch that sets the default to armv6, then file a pre-approval request with
Bug#702102: fails to upgrade (cowbuilder) chroot
I've read the full thread now, sorry for the quick response, I was working down the list.

At Tue, 26 Mar 2013 13:46:08 +0100, Michael Biebl wrote:
> On 26.03.2013 09:48, Junichi Uekawa wrote:
>> not enough information in the bug, 702811 seems to be a better bug.
>
> Say what? Have you read the full bug report, including the analysis that it is because of /run/shm vs /dev/shm? It's trivial to reproduce the bug this way. So I don't understand which information you are missing
>
> Michael
> --
> Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
Processed: your mail
Processing commands for cont...@bugs.debian.org:

> severity 704055 normal
Bug #704055 [libawl-php] libawl-php: Session.php calls private attribute 'EMail::To' in line 695, missing accessor in EMail.php
Severity set to 'normal' from 'serious'
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
704055: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704055
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: your mail
Processing commands for cont...@bugs.debian.org:

> tag 704111 patch
Bug #704111 [clang] clang fails to correctly implement hard float ABI during default compiles due to ridiculously low default CPU setting.
Added tag(s) patch.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
704111: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704111
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#704025: olsrd does not connect with others on amd64
Attaching debdiff for suggested NMU. Cheers, Adrian -- .''`. John Paul Adrian Glaubitz : :' : Debian Developer - glaub...@debian.org `. `' Freie Universitaet Berlin - glaub...@physik.fu-berlin.de `-GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913 diff -Nru olsrd-0.6.2/debian/changelog olsrd-0.6.2/debian/changelog --- olsrd-0.6.2/debian/changelog 2012-02-19 16:18:18.0 +0100 +++ olsrd-0.6.2/debian/changelog 2013-03-28 04:31:12.0 +0100 @@ -1,3 +1,11 @@ +olsrd (0.6.2-2.1) testing-proposed-updates; urgency=low + + * Non-maintainer upload. + * Include upstream patch to fix stack corruption in +net output (Closes: #704025). + + -- John Paul Adrian Glaubitz glaub...@physik.fu-berlin.de Thu, 28 Mar 2013 04:29:10 +0100 + olsrd (0.6.2-2) unstable; urgency=low * debian/control: Build-Depends: debhelper (= 9) (Closes: #658330) diff -Nru olsrd-0.6.2/debian/patches/300-fix-stack-corruption-in-net-output.patch olsrd-0.6.2/debian/patches/300-fix-stack-corruption-in-net-output.patch --- olsrd-0.6.2/debian/patches/300-fix-stack-corruption-in-net-output.patch 1970-01-01 01:00:00.0 +0100 +++ olsrd-0.6.2/debian/patches/300-fix-stack-corruption-in-net-output.patch 2013-03-28 04:27:03.0 +0100 
@@ -0,0 +1,57 @@ +From f4d250ad4fad5fcfe5b5feaac3f3e121adef3fba Mon Sep 17 00:00:00 2001 +From: Jo-Philipp Wich j...@openwrt.org +Date: Fri, 22 Jun 2012 03:17:59 +0200 +Subject: [PATCH] olsrd: fix stack corruption in net_output() + +The net_output() function indirectly uses the stack variables dst and dst6 +outside of the scope they're declared in, this might leads to olsr_sendto() +being called with a corrupted destination sockaddr_in. + +This failure condition can be observed in the log, olsrd will continuosly +print sendto(v4): Invalid Argument or a similar message. On ARM it has been +reported to result in Unsupported Address Family. + +This bug became apparant on a custon OpenWrt x86_64 uClibc target using the +Linaro GCC 4.7-2012.04 compiler, it has been reported for an unspecified ARM +target as well. + +The offending code seems to be unchanged since 2008 and it does not cause +issues on 32bit systems and/or with older (Linaro) GCC versions, but the +compiler used in our tests seems to perform more aggressive optimizations +leading to a stack corruption. 
+--- + src/net_olsr.c |4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/net_olsr.c b/src/net_olsr.c +index 7d85f4f..66e103d 100644 +--- a/src/net_olsr.c b/src/net_olsr.c +@@ -336,6 +336,8 @@ net_output(struct interface *ifp) + { + struct sockaddr_in *sin = NULL; + struct sockaddr_in6 *sin6 = NULL; ++ struct sockaddr_in dst; ++ struct sockaddr_in6 dst6; + struct ptf *tmp_ptf_list; + union olsr_packet *outmsg; + int retval; +@@ -354,7 +356,6 @@ net_output(struct interface *ifp) + outmsg-v4.olsr_packlen = htons(ifp-netbuf.pending); + + if (olsr_cnf-ip_version == AF_INET) { +-struct sockaddr_in dst; + /* IP version 4 */ + sin = (struct sockaddr_in *)ifp-int_broadaddr; + +@@ -365,7 +366,6 @@ net_output(struct interface *ifp) + if (sin-sin_port == 0) + sin-sin_port = htons(olsr_cnf-olsrport); + } else { +-struct sockaddr_in6 dst6; + /* IP version 6 */ + sin6 = (struct sockaddr_in6 *)ifp-int6_multaddr; + /* Copy sin */ +-- +1.7.9.5 + diff -Nru olsrd-0.6.2/debian/patches/series olsrd-0.6.2/debian/patches/series --- olsrd-0.6.2/debian/patches/series 2012-02-19 16:07:42.0 +0100 +++ olsrd-0.6.2/debian/patches/series 2013-03-28 04:27:57.0 +0100 @@ -6,3 +6,4 @@ 270-gui-linux-gtk-align-olsr_ip_addr-to-olsr-definition-of-it.patch 280-fix-linux-gtk-build.patch 290-hardcode-etc-olsrd-olsrd-conf.patch +300-fix-stack-corruption-in-net-output.patch
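Review bot: in the nested hunk at @@ -336,6 +336,8 @@ the hoisted `dst` and `dst6` are declared at function scope but left uninitialised; since the commit message says they reach olsr_sendto() as the destination sockaddr, an explicit `memset(&dst, 0, sizeof(dst));` / `memset(&dst6, 0, sizeof(dst6));` after the declarations would make any field the branch does not set deterministic and keep uninitialised-use warnings quiet, while the two hunks at -354 and -365 that only drop the block-local declarations need no further change. The new debian/patches file carries the upstream git From/Subject header but no DEP-3 fields; adding `Bug-Debian: http://bugs.debian.org/704025` and an `Origin: upstream` line records where the patch came from for whoever next refreshes it.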
Bug#704114: asterisk: asterisk security advisories: AST-2013-001 / AST-2013-002 / AST-2013-003
Package: asterisk
Severity: grave
Tags: security patch upstream

Hi,

the following vulnerabilities were published for asterisk.

CVE-2013-2685[0]: Buffer Overflow Exploit Through SIP SDP Header
CVE-2013-2686[1]: Denial of Service in HTTP server
CVE-2013-2264[2]: Username disclosure in SIP channel driver

For CVE-2013-2685 the tracker[3] mentions only 1.11.x. Could you double-check that squeeze, testing and wheezy are not affected?

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2013-2685
    http://downloads.asterisk.org/pub/security/AST-2013-001.html
[1] http://security-tracker.debian.org/tracker/CVE-2013-2686
    http://downloads.asterisk.org/pub/security/AST-2013-002.html
[2] http://security-tracker.debian.org/tracker/CVE-2013-2264
    http://downloads.asterisk.org/pub/security/AST-2013-003.html
[3] https://issues.asterisk.org/jira/browse/ASTERISK-20901

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
Bug#704111: clang fails to correctly implement hard float ABI during default compiles due to ridiculously low default CPU setting.
Ok, I just had a discussion with Adam Conrad about this on IRC. According to him clang currently does assume that armv7 means cortex-a8 and that cortex-a8 means full vfpv3 and neon. There is a patch in Ubuntu precise/quantal to fix this (26-armv7-not-neon.patch) but it's a pretty big patch and is self-described as a hideous hack. I doubt the release team would accept such a patch at this stage. Therefore it seems the only reasonable thing to do is to select armv6 for clang on armhf in wheezy.

He also alerted me to a patch that disables altivec by default on powerpc since not all powerpc hardware Debian supports has altivec. I intend to include this in the proposed NMU; a copy of it is attached.

Since I now have confirmation on what clang does I'll prepare the NMU diff in a day or two.

Description: Make sure PowerPC doesn't default to altivec on Author: Adam Conrad adcon...@ubuntu.com Forwarded: no Reviewed-By: Colin Watson cjwat...@ubuntu.com Last-Update: 2012-04-24 Index: b/tools/clang/lib/Lex/Makefile === --- a/tools/clang/lib/Lex/Makefile +++ b/tools/clang/lib/Lex/Makefile @@ -16,9 +16,5 @@ LIBRARYNAME := clangLex -ifeq ($(ARCH),PowerPC) -CXX.Flags += -maltivec -endif - include $(CLANG_LEVEL)/Makefile
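Review bot: the hunk at @@ -16,9 +16,5 @@ removes `CXX.Flags += -maltivec` from tools/clang/lib/Lex/Makefile, and CXX.Flags there controls how the clangLex library itself is compiled on a PowerPC build host, not what code clang emits for its targets; the DEP-3 Description line ("Make sure PowerPC doesn't default to altivec on") is cut short and reads as if it changed a codegen default, so it should state that it stops clangLex from being built with AltiVec instructions that not all PowerPC hardware Debian supports can execute, as the message above explains. A `Bug-Debian: http://bugs.debian.org/704111` field would also tie the patch to this report.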