Bug#862593: xarchiver: Adding files to .tar.xz deletes existing content
Hi Markus,

> Chris, could you cancel the NMU? I do the upload today after I have done
> some more tests and credit you in the changelog. Thanks for the patch!

It was uploaded to DELAYED/5 so you have a while to override mine :)

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Bug#862593: xarchiver: Adding files to .tar.xz deletes existing content
On May 20 2017, Markus Koschany wrote:
> On Fri, 19 May 2017 16:26:03 -0700 Nikolaus Rath wrote:
>> On May 20 2017, Markus Koschany wrote:
>> > On 19.05.2017 at 23:23, Chris Lamb wrote:
>> >> tags 862593 + patch
>> >> thanks
>> >>
>> >> The archive gets overwritten as the test to see whether it already exists
>> >> (to determine whether to create a new one or simply add a new file) uses
>> >> an escaped path.
>> >>
>> >> Patch attached.
>> >
>> > I came to a similar conclusion but I wondered whether the real issue is
>> > the wrongly escaped path.
>> [...]
>>
>> Why is there a need for any escaping at all? I would have expected that
>> tar/xz/whatever is invoked directly, but this almost sounds as if
>> xarchiver goes through a shell..?!
>
> As in the description: Xarchiver is a GUI frontend for various separate
> tools which are invoked by Xarchiver. The program must ensure that
> characters in filenames and archive names are properly escaped when it
> passes them to the respective tools like tar or 7z.

Sorry, I still do not understand. Why is there a need to escape filenames
when calling other tools? For example,

    execve("/usr/bin/tar", (char *[]){ "tar", "cf", "compl cated.tar", NULL }, environ);

should work perfectly fine without any need for escaping.

Best,
-Nikolaus

-- 
GPG Fingerprint: ED31 791B 2C5C 1613 AF38 8B8A D113 FCAC 3C4E 599F

             »Time flies like an arrow, fruit flies like a Banana.«
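The two approaches discussed in this thread side by side, as an added example that is not part of the thread and not xarchiver's code: a reimplementation of the backslash-escaping that Markus's message attributes to xa_escape_bad_chars() (using the character set he quotes), the existence check run once on the raw name and once on the escaped name, and the argv-based tar invocation Nikolaus proposes. The archive name, the /tmp scratch directory and the "tar -cf" argument layout are constructed for the demo; tar itself is only prepared as an argv vector here, not executed.

```c
/* Added example (not xarchiver's code): the data-loss mechanism from this
 * bug, and the execve()-style alternative that needs no escaping at all.
 * BAD_CHARS is the set quoted for xa_escape_bad_chars() in this thread;
 * the escaping routine itself is a reimplementation for the demo. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

static const char BAD_CHARS[] = "$'`\"\\!?* ()&|@#:;";

/* Backslash-escape every BAD_CHARS byte so /bin/sh would read the name as
 * one word. Returns a static buffer (demo only, not reentrant), or NULL
 * if the result would not fit. */
const char *escape_bad_chars(const char *path)
{
    static char out[1024];
    size_t n = 0;
    for (const char *p = path; *p; p++) {
        if (strchr(BAD_CHARS, *p)) {
            if (n + 2 >= sizeof out) return NULL;
            out[n++] = '\\';
        }
        if (n + 2 >= sizeof out) return NULL;
        out[n++] = *p;
    }
    out[n] = '\0';
    return out;
}

/* The existence test as the kernel sees it: no shell parses this name,
 * so only the raw, unescaped path can give the right answer. */
int archive_exists(const char *path)
{
    return access(path, F_OK) == 0;
}

/* Reproduce the bug in a fresh temp dir: an archive whose name holds a
 * space and a backslash exists, but the escaped spelling of that name
 * does not, so an exists-check on the escaped path reports "create new"
 * and tar would then truncate the real archive. Returns 1 when that
 * mismatch is observed, 0 if not, -1 on setup failure. */
int demo_exists_check(void)
{
    char dir[] = "/tmp/xa-demo-XXXXXX";          /* constructed scratch dir */
    char path[512];
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/compl icated\\x.tar.xz", dir);
    FILE *f = fopen(path, "w");
    if (!f) { rmdir(dir); return -1; }
    fputs("existing content\n", f);
    fclose(f);
    int raw_seen = archive_exists(path);                        /* 1 */
    int escaped_seen = archive_exists(escape_bad_chars(path));  /* 0 */
    unlink(path);
    rmdir(dir);
    return raw_seen && !escaped_seen;
}

/* What Nikolaus proposes: build argv for tar directly. argv[2] carries the
 * archive name byte for byte; with execvp() there is no shell to misread
 * spaces, backslashes or quotes. Returns a static, NULL-terminated argv. */
char **build_tar_argv(const char *archive, const char *file)
{
    static char *argv[5];
    argv[0] = "tar";
    argv[1] = "-cf";
    argv[2] = (char *)archive;
    argv[3] = (char *)file;
    argv[4] = NULL;
    return argv;
}

/* fork/exec without /bin/sh. Returns the child's exit status, or -1. */
int run_argv(char **argv)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char **argv = build_tar_argv("compl icated\\x.tar", "file.txt");
    printf("bug reproduced: %d\n", demo_exists_check());
    printf("escaped spelling a shell would need: %s\n", escape_bad_chars(argv[2]));
    printf("name tar receives via execvp: %s\n", argv[2]);
    /* run_argv(argv) would now create the archive with no escaping involved */
    return 0;
}
```

The point the demo makes is that escaping is a property of one consumer, the shell, and must never leak into code paths (g_file_test, access, open) that talk to the kernel; once the child is started from an argv vector, the escaped spelling has no consumer left at all.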
Bug#862593: xarchiver: Adding files to .tar.xz deletes existing content
On Fri, 19 May 2017 16:26:03 -0700 Nikolaus Rath wrote:
> On May 20 2017, Markus Koschany wrote:
> > On 19.05.2017 at 23:23, Chris Lamb wrote:
> >> tags 862593 + patch
> >> thanks
> >>
> >> The archive gets overwritten as the test to see whether it already exists
> >> (to determine whether to create a new one or simply add a new file) uses
> >> an escaped path.
> >>
> >> Patch attached.
> >
> > I came to a similar conclusion but I wondered whether the real issue is
> > the wrongly escaped path.
> [...]
>
> Why is there a need for any escaping at all? I would have expected that
> tar/xz/whatever is invoked directly, but this almost sounds as if
> xarchiver goes through a shell..?!

As in the description: Xarchiver is a GUI frontend for various separate
tools which are invoked by Xarchiver. The program must ensure that
characters in filenames and archive names are properly escaped when it
passes them to the respective tools like tar or 7z.
Bug#862593: xarchiver: Adding files to .tar.xz deletes existing content
On May 20 2017, Markus Koschany wrote:
> On 19.05.2017 at 23:23, Chris Lamb wrote:
>> tags 862593 + patch
>> thanks
>>
>> The archive gets overwritten as the test to see whether it already exists
>> (to determine whether to create a new one or simply add a new file) uses
>> an escaped path.
>>
>> Patch attached.
>
> I came to a similar conclusion but I wondered whether the real issue is
> the wrongly escaped path.
[...]

Why is there a need for any escaping at all? I would have expected that
tar/xz/whatever is invoked directly, but this almost sounds as if
xarchiver goes through a shell..?!

Best,
-Nikolaus

-- 
GPG Fingerprint: ED31 791B 2C5C 1613 AF38 8B8A D113 FCAC 3C4E 599F

             »Time flies like an arrow, fruit flies like a Banana.«
Bug#862892: marked as done (linux-signed FTBFS in stretch: Build-depends on linux packages no longer in stretch)
Your message dated Fri, 19 May 2017 23:18:16 + with message-id and subject line
Bug#862902: Removed package(s) from unstable
has caused the Debian Bug report #862892,
regarding linux-signed FTBFS in stretch: Build-depends on linux packages no longer in stretch
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
862892: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862892
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: linux-signed
Version: 4.4
Severity: serious

linux-signed has build dependencies on the exact version 4.9.18-1 of
packages from src:linux, but version 4.9.25-1 is now in stretch.
--- End Message ---

--- Begin Message ---
Version: 4.9.18-1+rm

Dear submitter,

as the package linux-signed has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry that we
couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/862902

The version of this package that was in Debian prior to this removal can
still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is a
problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)
--- End Message ---
Bug#862987: marked as done (RM: browser-history -- RoM; no longer useful with modern browsers)
Your message dated Fri, 19 May 2017 23:19:10 + with message-id and subject line
Bug#862987: Removed package(s) from unstable
has caused the Debian Bug report #862987,
regarding RM: browser-history -- RoM; no longer useful with modern browsers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
862987: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862987
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: browser-history
Version: 2.8-21
Severity: serious

As observed by Salvo Tomaselli, the description says:

  It works with: Netscape Navigator, Arena, and Amaya. Support for
  `browser-history' can easily be added to other browsers, provided you
  can program and have the browser sources.

This is either the (non-RC) issue of a completely outdated description
or the package is now mostly useless.

Also looking at:

  Browser-history came from the will to overcome a Netscape bug: there
  is no global history, and if you close a window, its whole history is
  lost.

This might have been true in some (pre-Mozilla) versions of Netscape in
the last millennium, but not during the past 15 years.
--- End Message ---

--- Begin Message ---
We believe that the bug you reported is now fixed; the following
package(s) have been removed from unstable:

browser-history | 2.8-21 | source, amd64, arm64, armel, armhf, hurd-i386, i386, kfreebsd-amd64, kfreebsd-i386, mips, mips64el, mipsel, powerpc, ppc64el, s390x

--- Reason ---
RoM; no longer useful with modern browsers
--

Note that the package(s) have simply been removed from the tag
database and may (or may not) still be in the pool; this is not a
bug. The package(s) will be physically removed automatically when no
suite references them (and in the case of source, when no binary
references it). Please also remember that the changes have been done
on the master archive and will not propagate to any mirrors until the
next dinstall run at the earliest.

Packages are usually not removed from testing by hand. Testing tracks
unstable and will automatically remove packages which were removed
from unstable when removing them from testing causes no dependency
problems. The release team can force a removal from testing if it is
really needed, please contact them if this should be the case.

We try to close bugs which have been reported against this package
automatically. But please check all old bugs, if they were closed
correctly or should have been re-assigned to another package.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 862...@bugs.debian.org.

The full log for this bug can be viewed at https://bugs.debian.org/862987

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)
--- End Message ---
Bug#831860: python{,3}-sip shouldn't provide more than one sip api
On Thu, 18 May 2017 18:56:39 +0300 Adrian Bunk wrote:
> Control: reassign -1 src:sip4 4.18.1+dfsg-1
> Control: retitle -1 python{,3}-sip shouldn't provide more than one sip api
> Control: affects -1 python-sip python3-sip
>
> On Thu, Feb 16, 2017 at 02:36:19PM +0100, di dit wrote:
> > Rebuilding veusz fixes this bug.
> >...
> ...
> After a rebuild python-qt4 now uses sip-api-11.3, but veusz-helpers
> still uses sip-api-11.1
>
> To enforce that this problem can't happen again or during upgrades,
> python-sip and python3-sip shouldn't provide more than one sip api.
>
> This bug is to track that this gets fixed in python{,3}-sip for stretch.
>
> I'll also submit a binNMU request to get veusz and the other affected
> package in stretch rebuilt with sip-api-11.3

Providing more than one is fine. It appears that there was an
undetected/unintended ABI break between 11.1 and 11.2, so 11.0 and 11.1
should be dropped.

Scott K
Bug#862970: marked as done (dropbear: Double-free in server TCP listener cleanup (CVE-2017-9078); information disclosure with ~/.ssh/authorized_keys symlink (CVE-2017-9079))
Your message dated Fri, 19 May 2017 22:18:45 + with message-id and subject line
Bug#862970: fixed in dropbear 2016.74-5
has caused the Debian Bug report #862970,
regarding dropbear: Double-free in server TCP listener cleanup (CVE-2017-9078); information disclosure with ~/.ssh/authorized_keys symlink (CVE-2017-9079)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
862970: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862970
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: dropbear
Version: 2014.65-1+deb8u2
Severity: grave
Tags: security
Justification: user security hole

dropbear 2017.75 was released [0] on May 18 and fixes the following two
security vulnerabilities, for which no CVE was assigned yet AFAIK [1].

- Security: Fix double-free in server TCP listener cleanup
  A double-free in the server could be triggered by an authenticated user
  if dropbear is running with -a (Allow connections to forwarded ports
  from any host)
  This could potentially allow arbitrary code execution as root by an
  authenticated user. Affects versions 2013.56 to 2016.74.
  Thanks to Mark Shepard for reporting the crash.
  Patch: https://secure.ucc.asn.au/hg/dropbear/rev/c8114a48837c

- Security: Fix information disclosure with ~/.ssh/authorized_keys symlink.
  Dropbear parsed authorized_keys as root, even if it were a symlink.
  The fix is to switch to user permissions when opening authorized_keys
  A user could symlink their ~/.ssh/authorized_keys to a root-owned file
  they couldn't normally read.
  If they managed to get that file to contain valid authorized_keys with
  command= options it might be possible to read other contents of that file.
  This information disclosure is to an already authenticated user.
  Thanks to Jann Horn of Google Project Zero for reporting this.
  Patch: https://secure.ucc.asn.au/hg/dropbear/rev/0d889b068123

-- 
Guilhem.

[0] http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2017q2/001985.html
    https://matt.ucc.asn.au/dropbear/CHANGES (currently yields 403)
[1] http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2017q2/001987.html
--- End Message ---

--- Begin Message ---
Source: dropbear
Source-Version: 2016.74-5

We believe that the bug you reported is fixed in the latest version of
dropbear, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 862...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin (supplier of updated dropbear package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 19 May 2017 23:41:21 +0200
Source: dropbear
Binary: dropbear-bin dropbear-run dropbear-initramfs dropbear
Architecture: source amd64 all
Version: 2016.74-5
Distribution: unstable
Urgency: high
Maintainer: Guilhem Moulin
Changed-By: Guilhem Moulin
Description:
 dropbear   - transitional dummy package for dropbear-{run,initramfs}
 dropbear-bin - lightweight SSH2 server and client - command line tools
 dropbear-initramfs - lightweight SSH2 server and client - initramfs integration
 dropbear-run - lightweight SSH2 server and client - startup scripts
Closes: 862970
Changes:
 dropbear (2016.74-5) unstable; urgency=high
 .
   * Backport security fixes from 2017.75 (closes: #862970):
     - CVE-2017-9078: Fix double-free in server TCP listener cleanup
       A double-free in the server could be triggered by an authenticated user
       if dropbear is running with -a (Allow connections to forwarded ports
       from any host)
       This could potentially allow arbitrary code execution as root by an
       authenticated user.
     - CVE-2017-9079: Fix information disclosure with ~/.ssh/authorized_keys
       symlink.
       Dropbear parsed authorized_keys as root, even if it were a symlink.
       The fix is to switch to user permissions when opening authorized_keys
       A user could symlink their ~/.ssh/authorized_keys to a root-owned file
       they couldn't
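What the CVE-2017-9079 fix described above ("switch to user permissions when opening authorized_keys") looks like in practice, as an added example that is not dropbear's code and does not claim to mirror its patch. It drops the effective identity to the target user only when the process is root, and layers two further guards the changelog does not mention: an O_NOFOLLOW open, so a symlink in the final path component is refused regardless of privilege, and an fstat() check on the opened descriptor for ownership and mode. The temp directory, the authorized_keys contents and the key line are constructed for the demo, and the uid/gid passed in are this example's assumptions.

```c
/* Added example, not dropbear's code: open ~/.ssh/authorized_keys as the
 * user rather than as root, so a symlink to a root-only file is refused by
 * ordinary permissions, and independently refuse symlinks and files the
 * user does not own. Paths, uids and file contents are demo assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Open 'path' with the effective identity uid/gid when we run as root, then
 * return to the original identity. O_NOFOLLOW makes a symlink in the final
 * component fail (ELOOP on Linux) whatever privilege we hold; as a non-root
 * process the open simply happens as ourselves. Returns fd or -1 (errno). */
int open_as_user(const char *path, uid_t uid, gid_t gid)
{
    uid_t orig_uid = geteuid();
    gid_t orig_gid = getegid();
    int dropped = 0, fd, saved_errno;

    if (orig_uid == 0) {
        /* gid first: once euid is non-root, setegid() would be refused */
        if (setegid(gid) < 0 || seteuid(uid) < 0) {
            (void)seteuid(orig_uid);
            (void)setegid(orig_gid);
            return -1;
        }
        dropped = 1;
    }
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    saved_errno = errno;
    if (dropped && (seteuid(orig_uid) < 0 || setegid(orig_gid) < 0))
        abort();  /* a daemon stuck at the wrong privilege must not continue */
    errno = saved_errno;
    return fd;
}

/* Post-open check on the descriptor, so it cannot be raced by swapping the
 * path: regular file, owned by the user, not writable by group or other.
 * Returns 1 if acceptable, 0 otherwise. */
int authorized_keys_ok(int fd, uid_t uid)
{
    struct stat st;
    if (fstat(fd, &st) < 0) return 0;
    if (!S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != uid) return 0;            /* relax to allow root-owned files if policy requires */
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Self-test in a temp dir: a constructed authorized_keys file plus a symlink
 * pointing at it. Returns 1 when the real file is accepted and the symlink
 * refused with ELOOP (EMLINK on some BSDs), 0 otherwise, -1 on setup error. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/ak-demo-XXXXXX";        /* constructed scratch dir */
    char real[256], lnk[256];
    int fd, real_ok, link_refused;
    static const char sample[] = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA demo@example\n"; /* constructed */

    if (!mkdtemp(dir)) return -1;
    snprintf(real, sizeof real, "%s/authorized_keys", dir);
    snprintf(lnk, sizeof lnk, "%s/authorized_keys.link", dir);
    fd = open(real, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) { rmdir(dir); return -1; }
    if (write(fd, sample, sizeof sample - 1) < 0) { close(fd); unlink(real); rmdir(dir); return -1; }
    close(fd);
    if (symlink(real, lnk) < 0) { unlink(real); rmdir(dir); return -1; }

    fd = open_as_user(real, getuid(), getgid());
    real_ok = fd >= 0 && authorized_keys_ok(fd, getuid());
    if (fd >= 0) close(fd);

    fd = open_as_user(lnk, getuid(), getgid());
    link_refused = fd < 0 && (errno == ELOOP || errno == EMLINK);
    if (fd >= 0) close(fd);

    unlink(lnk); unlink(real); rmdir(dir);
    return real_ok && link_refused;
}

int main(void)
{
    printf("real file accepted and symlink refused: %d\n", demo_symlink_refused());
    return 0;
}
```

Run as an unprivileged user the identity switch is a no-op and the O_NOFOLLOW and fstat() guards carry the whole check; run as root the same code opens the file with the user's permissions, which is the property the advisory's fix restores. Note that O_NOFOLLOW only covers the last path component: a symlinked ~/.ssh directory is still followed, which is why the ownership test is done on the descriptor rather than on the name.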
Bug#862593: xarchiver: Adding files to .tar.xz deletes existing content
On 19.05.2017 at 23:23, Chris Lamb wrote:
> tags 862593 + patch
> thanks
>
> The archive gets overwritten as the test to see whether it already exists
> (to determine whether to create a new one or simply add a new file) uses
> an escaped path.
>
> Patch attached.

I came to a similar conclusion but I wondered whether the real issue is
the wrongly escaped path. I think this issue is related to #697493 where
it was found that archives with spaces could not be created.

I tried to fix bug #862593 by modifying line 372 in src/window.c in the
xa_open_archive function.

    archive[current_page]->escaped_path = xa_escape_bad_chars (archive[current_page]->path,"$\'`\"\\!?* ()&|@#:;");

My solution was to change the line to

    archive[current_page]->escaped_path = g_strdup(path);

This worked for all archives with special characters except the one
mentioned in this bug report with backslash and spaces. I think escaping
backslashes and spaces is not handled correctly somewhere in the code but
I have just briefly tested your patch and it seems to do the trick.

Chris, could you cancel the NMU? I do the upload today after I have done
some more tests and credit you in the changelog. Thanks for the patch!

Regards,

Markus
Processed: Re: xarchiver: Adding files to .tar.xz deletes existing content
Processing commands for cont...@bugs.debian.org: > tags 862593 + pending patch Bug #862593 [xarchiver] xarchiver: Adding files to .tar.xz deletes existing content Added tag(s) pending. > thanks Stopping processing here. Please contact me if you need assistance. -- 862593: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862593 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#862593: xarchiver: Adding files to .tar.xz deletes existing content
tags 862593 + pending patch thanks I've uploaded xarchiver 0.5.4-6.1 to DELAYED/5: xarchiver (1:0.5.4-6.1) unstable; urgency=medium * Non-maintainer upload. * Fix data-loss issue where adding files to a tar-based archive removed all existing content when the target filename included shell metacharacters. The test to see whether it already existed to determine whether to create a new archive or simply add a new file incorrectly used an escaped path. (Closes: #862593) The full debdiff is attached. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `- diffstat for xarchiver-0.5.4 xarchiver-0.5.4 changelog | 11 +++ patches/pass-unescaped-filenames-to-g_file_test.patch | 61 ++ patches/series|1 3 files changed, 73 insertions(+) diff -Nru xarchiver-0.5.4/debian/changelog xarchiver-0.5.4/debian/changelog --- xarchiver-0.5.4/debian/changelog2017-01-04 16:10:53.0 +0100 +++ xarchiver-0.5.4/debian/changelog2017-05-19 23:25:18.0 +0200 @@ -1,3 +1,14 @@ +xarchiver (1:0.5.4-6.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix data-loss issue where adding files to a tar-based archive removed all +existing content when the target filename included shell metacharacters. +The test to see whether it already existed to determine whether to create +a new archive or simply add a new file incorrectly used an escaped path. +(Closes: #862593) + + -- Chris LambFri, 19 May 2017 23:25:18 +0200 + xarchiver (1:0.5.4-6) unstable; urgency=medium * Suggest binutils because it provides the ar command which is required for diff -Nru xarchiver-0.5.4/debian/patches/pass-unescaped-filenames-to-g_file_test.patch xarchiver-0.5.4/debian/patches/pass-unescaped-filenames-to-g_file_test.patch --- xarchiver-0.5.4/debian/patches/pass-unescaped-filenames-to-g_file_test.patch 1970-01-01 01:00:00.0 +0100 +++ xarchiver-0.5.4/debian/patches/pass-unescaped-filenames-to-g_file_test.patch 2017-05-19 23:25:18.0 +0200 
@@ -0,0 +1,61 @@ +Description: Pass unescaped filenames to g_file_test +Author: Chris Lamb +Last-Update: 2017-05-19 +Debian-Bug: #862593 + +--- xarchiver-0.5.4.orig/src/tar.c xarchiver-0.5.4/src/tar.c +@@ -197,7 +197,7 @@ void xa_tar_add (XArchive *archive,GStri + switch (archive->type) + { + case XARCHIVETYPE_TAR: +- if ( g_file_test (archive->escaped_path,G_FILE_TEST_EXISTS)) ++ if ( g_file_test (archive->path,G_FILE_TEST_EXISTS)) + command = g_strconcat (tar, " ", + archive->add_recurse ? "" : "--no-recursion ", + archive->remove_files ? "--remove-files " : "", +@@ -213,7 +213,7 @@ void xa_tar_add (XArchive *archive,GStri + break; + + case XARCHIVETYPE_TAR_BZ2: +- if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) ) ++ if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) ) + xa_add_delete_bzip2_gzip_lzma_compressed_tar (files,archive,1); + else + command = g_strconcat (tar, " ", +@@ -224,7 +224,7 @@ void xa_tar_add (XArchive *archive,GStri + break; + + case XARCHIVETYPE_TAR_GZ: +- if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) ) ++ if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) ) + xa_add_delete_bzip2_gzip_lzma_compressed_tar (files,archive,1); + else + command = g_strconcat (tar, " ", +@@ -235,7 +235,7 @@ void xa_tar_add (XArchive *archive,GStri + break; + + case XARCHIVETYPE_TAR_LZMA: +- if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) ) ++ if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) ) + xa_add_delete_bzip2_gzip_lzma_compressed_tar (files,archive,1); + else + command = g_strconcat (tar, " ", +@@ -246,7 +246,7 @@ void xa_tar_add (XArchive *archive,GStri + break; + + case XARCHIVETYPE_TAR_XZ: +- if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) ) ++ if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) ) + xa_add_delete_bzip2_gzip_lzma_compressed_tar (files,archive,1); + else + command = g_strconcat (tar, " ", +@@ -257,7 +257,7 @@ void xa_tar_add (XArchive *archive,GStri + 
break; + +
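Review bot: the DEP-3 header of pass-unescaped-filenames-to-g_file_test.patch carries Description, Author, Last-Update and Debian-Bug but no Forwarded field, so the debdiff does not record whether this change has been sent to upstream xarchiver; add a `Forwarded:` line with the upstream report URL (or `Forwarded: no` until it is sent), since every hunk here touches the same escaped_path test in xa_tar_add and the fix would silently disappear on the next upstream import if upstream still carries the old test.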
Bug#862593: xarchiver: Adding files to .tar.xz deletes existing content
tags 862593 + patch thanks The archive gets overwritten as the test to see whether it already exists (to determine whether to create a new one or simply add a new file) uses an escaped path. Patch attached. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `- diff --git a/src/tar.c b/src/tar.c index b7d23f8..bd035ca 100644 --- a/src/tar.c +++ b/src/tar.c @@ -197,7 +197,7 @@ void xa_tar_add (XArchive *archive,GString *files,gchar *compression_string) switch (archive->type) { case XARCHIVETYPE_TAR: - if ( g_file_test (archive->escaped_path,G_FILE_TEST_EXISTS)) + if ( g_file_test (archive->path,G_FILE_TEST_EXISTS)) command = g_strconcat (tar, " ", archive->add_recurse ? "" : "--no-recursion ", archive->remove_files ? "--remove-files " : "", @@ -213,7 +213,7 @@ void xa_tar_add (XArchive *archive,GString *files,gchar *compression_string) break; case XARCHIVETYPE_TAR_BZ2: - if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) ) + if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) ) xa_add_delete_bzip2_gzip_lzma_compressed_tar (files,archive,1); else command = g_strconcat (tar, " ", @@ -224,7 +224,7 @@ void xa_tar_add (XArchive *archive,GString *files,gchar *compression_string) break; case XARCHIVETYPE_TAR_GZ: - if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) ) + if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) ) xa_add_delete_bzip2_gzip_lzma_compressed_tar (files,archive,1); else command = g_strconcat (tar, " ", @@ -235,7 +235,7 @@ void xa_tar_add (XArchive *archive,GString *files,gchar *compression_string) break; case XARCHIVETYPE_TAR_LZMA: - if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) ) + if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) ) xa_add_delete_bzip2_gzip_lzma_compressed_tar (files,archive,1); else command = g_strconcat (tar, " ", 
@@ -246,7 +246,7 @@ void xa_tar_add (XArchive *archive,GString *files,gchar *compression_string) break; case XARCHIVETYPE_TAR_XZ: - if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) ) + if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) ) xa_add_delete_bzip2_gzip_lzma_compressed_tar (files,archive,1); else command = g_strconcat (tar, " ", @@ -257,7 +257,7 @@ void xa_tar_add (XArchive *archive,GString *files,gchar *compression_string) break; case XARCHIVETYPE_TAR_LZOP: - if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) ) + if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) ) xa_add_delete_bzip2_gzip_lzma_compressed_tar (files,archive,1); else command = g_strconcat (tar, " ",
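Review bot: each hunk corrects the g_file_test() argument but leaves the line right after it, `command = g_strconcat (tar, " ",` ..., assembling a command string by hand, so the tar invocation still depends on the escaped spelling of the archive name and the existence test and the tar run remain separated by a check-then-act window. The one-token change is the right minimal fix for the reported data loss; as a follow-up, since the struct already carries both archive->path and archive->escaped_path, handing archive->path to tar as an argv element (GLib's g_spawn_async()/g_spawn_sync() take an argv vector and involve no shell) would remove the need for escaped_path in this function altogether. Please also confirm that xa_add_delete_bzip2_gzip_lzma_compressed_tar(), which the compressed cases call on the "archive exists" branch, does not repeat the same escaped_path test internally, as that function is outside this diff.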
Processed: Re: xarchiver: Adding files to .tar.xz deletes existing content
Processing commands for cont...@bugs.debian.org: > tags 862593 + patch Bug #862593 [xarchiver] xarchiver: Adding files to .tar.xz deletes existing content Added tag(s) patch. > thanks Stopping processing here. Please contact me if you need assistance. -- 862593: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862593 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#861298: Location of sample ogg file
[Adrian Bunk] > I am not a release manager, but the sid tag that I am setting with > this email should do what you want. Thank you very much. -- Happy hacking Petter Reinholdtsen
Bug#861298: Location of sample ogg file
On Fri, May 19, 2017 at 10:04:20PM +0200, Petter Reinholdtsen wrote:
>
> [Georges Racinet]
> > I don't really have insight on the best place to put a sample ogg file;
> > in the meanwhile, that one is now in python-pygame-doc, and the attached
> > patch fixes the FTBFS for me. Hoping this short-term fix can be
> > useful.
>
> Thank you for investigating. The patch looks good, but I believe it can
> not be applied right away, due to issues with other packages. I'll try
> to explain.
>
> The problem at hand seems to be that pygame in unstable (but not testing)
> changed[1], and introduced a new python-pygame-doc with the file we use
> in oggvideotools to get a random sample ogg file, causing the build of
> oggvideotools to fail. The build failure is only in unstable, and does
> not affect testing. The new version of pygame is unlikely to make it
> into testing because it contains too many changes. We want to make sure
> any new uploads of oggvideotools done to unstable are suitable for
> testing, and thus can not change the build dependency to include the
> python-pygame-doc package that is missing in testing.
>
> [1] http://metadata.ftp-master.debian.org/changelogs/main/p/pygame/unstable_changelog
>
> I suspect the two options we have are (1) find another package with a
> sample ogg file to use during the self testing or (2) generate an ogg
> file on the fly to do the self testing. Any suggestions for (1) or (2)?

What's wrong with just adding one to the package for the test?

It doesn't have to be generated on the fly, just make (or take) a
suitable one and include it in the debian source.
Bug#862999: totem: crash of totem about join-packages at the start of "vidéos" (french version)
Package: totem
Version: 3.14.0-2
Severity: grave
Tags: newcomer
Justification: renders package unusable

Dear Maintainer,

* What led up to the situation?

Nothing, a "standard" use of Debian: watching films from the HDD or
videos on YouTube, for example.

* What exactly did you do (or not do) that was effective (or
  ineffective)?

* What was the outcome of this action?

I can't play any downloaded video on the computer with "vidéos" (French
version), but everything is OK with VLC player. So, seemingly, codecs are
operational on my computer.

* What outcome did you expect instead?

A standard start of totem, without error message.

-- System Information:
Debian Release: 8.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages totem depends on:
ii  gnome-icon-theme                        3.12.0-1
ii  gnome-icon-theme-symbolic               3.12.0-1
ii  grilo-plugins-0.2                       0.2.13-3
ii  gsettings-desktop-schemas               3.14.1-1
ii  gstreamer1.0-clutter                    2.0.12-1
ii  gstreamer1.0-plugins-bad                1.4.4-2.1+deb8u2
ii  gstreamer1.0-plugins-base               1.4.4-2+deb8u1
ii  gstreamer1.0-plugins-good               1.4.4-2+deb8u3
ii  gstreamer1.0-x                          1.4.4-2+deb8u1
ii  libatk1.0-0                             2.14.0-1
ii  libc6                                   2.19-18+deb8u9
ii  libcairo-gobject2                       1.14.0-2.1+deb8u2
ii  libcairo2                               1.14.0-2.1+deb8u2
ii  libclutter-1.0-0                        1.20.0-1
ii  libclutter-gst-2.0-0                    2.0.12-1
ii  libclutter-gtk-1.0-0                    1.6.0-1
ii  libcogl-pango20                         1.18.2-3
ii  libcogl-path20                          1.18.2-3
ii  libcogl20                               1.18.2-3
ii  libdrm2                                 2.4.58-2
ii  libegl1-mesa [libegl1-x11]              10.3.2-1+deb8u1
ii  libgbm1                                 10.3.2-1+deb8u1
ii  libgdk-pixbuf2.0-0                      2.31.1-2+deb8u5
ii  libgirepository-1.0-1                   1.42.0-2.2
ii  libglib2.0-0                            2.42.1-1+b1
ii  libgnome-desktop-3-10                   3.14.1-1
ii  libgrilo-0.2-1                          0.2.11-2
ii  libgstreamer-plugins-base1.0-0          1.4.4-2+deb8u1
ii  libgstreamer1.0-0                       1.4.4-2+deb8u1
ii  libgtk-3-0                              3.14.5-1+deb8u1
ii  libjson-glib-1.0-0                      1.0.2-1
ii  libnautilus-extension1a                 3.14.1-2
ii  libpango-1.0-0                          1.36.8-3
ii  libpangocairo-1.0-0                     1.36.8-3
ii  libpeas-1.0-0                           1.12.1-2
ii  libtotem-plparser18                     3.10.3-1
ii  libtotem0                               3.14.0-2
ii  libwayland-client0                      1.6.0-2
ii  libwayland-cursor0                      1.6.0-2
ii  libwayland-egl1-mesa [libwayland-egl1]  10.3.2-1+deb8u1
ii  libwayland-server0                      1.6.0-2
ii  libx11-6                                2:1.6.2-3
ii  libxcomposite1                          1:0.4.4-1
ii  libxdamage1                             1:1.1.4-2+b1
ii  libxext6                                2:1.3.3-1
ii  libxfixes3                              1:5.0.1-2+b2
ii  libxi6                                  2:1.7.4-1+b2
ii  libxkbcommon0                           0.4.3-2
ii  libxml2                                 2.9.1+dfsg1-5+deb8u4
ii  libxrandr2                              2:1.4.2-1+b1
pn  python:any
ii  totem-common                            3.14.0-2

Versions of packages totem recommends:
ii  gstreamer1.0-libav                      1.4.4-2
ii  gstreamer1.0-plugins-ugly               1.4.4-2+deb8u1
ii  gstreamer1.0-pulseaudio                 1.4.4-2+deb8u3
ii  totem-plugins                           3.14.0-2

Versions of packages totem suggests:
pn  gnome-codec-install

-- no debconf information
Bug#861298: Location of sample ogg file
Control: tags -1 sid

On Fri, May 19, 2017 at 10:04:20PM +0200, Petter Reinholdtsen wrote:
>...
> The bug version information here is problematic, as the problem is with
> the version currently in testing and unstable, but the problem only
> exists in unstable. And as long as the bug is flagged as valid for the
> version in unstable, it will cause oggvideotools to be removed from
> testing, even though the problem does not exist there.

No, it only gets removed if the bug is according to the BTS present
in *stretch*.

> CC to the release managers, in case any of you have a tip on how to best
> handle this? Perhaps tag it to ignore this bug in stretch?

I am not a release manager, but the sid tag that I am setting with
this email should do what you want.

> Happy hacking
> Petter Reinholdtsen

cu
Adrian

-- 
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
Processed: Re: Bug#861298: Location of sample ogg file
Processing control commands: > tags -1 sid Bug #861298 [src:oggvideotools] oggvideotools: FTBFS: can not open file for reading Added tag(s) sid. -- 861298: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861298 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#848060: Pending fixes for bugs in the libx11-protocol-other-perl package
tag 848060 + pending
thanks

Some bugs in the libx11-protocol-other-perl package are closed in
revision 87510aa1c0b37c61f7ed2b395a0f5ebed75a6ca1 in branch 'jessie'
by gregor herrmann

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-perl/packages/libx11-protocol-other-perl.git/commit/?id=87510aa

Commit message:

    Disable t/XSetRoot.t during build and autopkgtest.

    This test is known to have problems with xvfb.

    Thanks: Santiago Vila for the bug report.
    Closes: #848060
Processed: Pending fixes for bugs in the libx11-protocol-other-perl package
Processing commands for cont...@bugs.debian.org: > tag 848060 + pending Bug #848060 {Done: gregor herrmann} [src:libx11-protocol-other-perl] libx11-protocol-other-perl: FTBFS randomly (failing tests) Added tag(s) pending. > thanks Stopping processing here. Please contact me if you need assistance. -- 848060: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848060 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#861298: Location of sample ogg file
[Georges Racinet]
> I don't really have insight on the best place to put a sample ogg file;
> in the meanwhile, that one is now in python-pygame-doc, and the attached
> patch fixes the FTBFS for me. Hoping this short-term fix can be
> useful.

Thank you for investigating. The patch looks good, but I believe it can
not be applied right away, due to issues with other packages. I'll try
to explain.

The problem at hand seems to be that pygame in unstable (but not testing)
changed[1], and introduced a new python-pygame-doc with the file we use
in oggvideotools to get a random sample ogg file, causing the build of
oggvideotools to fail. The build failure is only in unstable, and does
not affect testing. The new version of pygame is unlikely to make it
into testing because it contains too many changes. We want to make sure
any new uploads of oggvideotools done to unstable are suitable for
testing, and thus can not change the build dependency to include the
python-pygame-doc package that is missing in testing.

[1] http://metadata.ftp-master.debian.org/changelogs/main/p/pygame/unstable_changelog

I suspect the two options we have are (1) find another package with a
sample ogg file to use during the self testing or (2) generate an ogg
file on the fly to do the self testing. Any suggestions for (1) or (2)?

The bug version information here is problematic, as the problem is with
the version currently in testing and unstable, but the problem only
exists in unstable. And as long as the bug is flagged as valid for the
version in unstable, it will cause oggvideotools to be removed from
testing, even though the problem does not exist there.

CC to the release managers, in case any of you have a tip on how to best
handle this? Perhaps tag it to ignore this bug in stretch?

-- 
Happy hacking
Petter Reinholdtsen
Processed: tagging 834961
Processing commands for cont...@bugs.debian.org: > tags 834961 + sid stretch Bug #834961 {Done: Niko Tyni} [src:libvitacilina-perl] libvitacilina-perl: FTBFS too much often (configure fails) Added tag(s) stretch and sid. > thanks Stopping processing here. Please contact me if you need assistance. -- 834961: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=834961 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#862689: marked as done (flightgear: CVE-2017-8921)
Your message dated Fri, 19 May 2017 19:48:41 + with message-id and subject line Bug#862689: fixed in flightgear 1:2016.4.4+dfsg-3 has caused the Debian Bug report #862689, regarding flightgear: CVE-2017-8921 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 862689: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862689 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: flightgear Version: 1:2016.4.4+dfsg-2 Severity: grave Tags: upstream patch security Control: found -1 3.0.0-5 Hi, the following vulnerability was published for flightgear. CVE-2017-8921[0]: | In FlightGear before 2017.2.1, the FGCommand interface allows | overwriting any file the user has write access to, but not with | arbitrary data: only with the contents of a FlightGear flightplan | (XML). A resource such as a malicious third-party aircraft could | exploit this to damage files belonging to the user. Both this issue and | CVE-2016-9956 are directory traversal vulnerabilities in | Autopilot/route_mgr.cxx - this one exists because of an incomplete fix | for CVE-2016-9956. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-8921 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8921 Regards, Salvatore --- End Message --- --- Begin Message --- Source: flightgear Source-Version: 1:2016.4.4+dfsg-3 We believe that the bug you reported is fixed in the latest version of flightgear, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 862...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Dr. Tobias Quathamer (supplier of updated flightgear package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Fri, 19 May 2017 21:10:15 +0200 Source: flightgear Binary: flightgear Architecture: source Version: 1:2016.4.4+dfsg-3 Distribution: unstable Urgency: medium Maintainer: Debian FlightGear Crew Changed-By: Dr. Tobias Quathamer Description: flightgear - Flight Gear Flight Simulator Closes: 862689 Changes: flightgear (1:2016.4.4+dfsg-3) unstable; urgency=medium . * Team upload. * Fix RouteMgr security: don't allow overwriting arbitrary files. This fixes CVE-2017-8921. 
Thanks to Salvatore Bonaccorso (Closes: #862689) Checksums-Sha1: fa203d81442dbae20768e0e1df871f23bba5f9d7 2617 flightgear_2016.4.4+dfsg-3.dsc 608554e3a7f289196838fe25633bc30ff5771fd0 24260 flightgear_2016.4.4+dfsg-3.debian.tar.xz 44fe685b8c5bba440a9cf2b10b230e4f6eaed68e 16627 flightgear_2016.4.4+dfsg-3_amd64.buildinfo Checksums-Sha256: 3e2d823a448de0555bf5d69d735820833612b1454f5c1deb03678121e8078807 2617 flightgear_2016.4.4+dfsg-3.dsc 21aca663b6536eaed2b7c5c368ba3e36468cc4362ea2ad7bdd27cdf0096feb53 24260 flightgear_2016.4.4+dfsg-3.debian.tar.xz b08e3494515546ae4649a4f7f75d2b83575022e3559be8993504c5d871780510 16627 flightgear_2016.4.4+dfsg-3_amd64.buildinfo Files: 845442557d68fcab00df7613c1850b88 2617 games extra flightgear_2016.4.4+dfsg-3.dsc ce28e30a3003b4ce433206720279d065 24260 games extra flightgear_2016.4.4+dfsg-3.debian.tar.xz b715c07029b98d418b75ce1c97311531 16627 games extra flightgear_2016.4.4+dfsg-3_amd64.buildinfo
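The CVE text in the report above describes a directory-traversal write in Autopilot/route_mgr.cxx that survived an incomplete fix: a flightplan save command accepted a caller-controlled path and wrote flightplan XML wherever it pointed. The following is an added example written for this page, not FlightGear's code, showing the kind of check that closes this class of bug: the file name is validated component by component and confined under a fixed base directory, instead of being searched for a forbidden substring. The base directory, the function names and the deliberately incomplete `naive_path_ok` check are illustrative assumptions.

```c
/* Added example, not FlightGear's code: confine a caller-supplied flightplan
 * file name to a fixed base directory before it is written. */
#include <stdio.h>
#include <string.h>

/* Hypothetical incomplete check of the kind that leaves a traversal open:
 * it rejects only a leading "../", so "save/../../../x" and "/etc/x" pass. */
int naive_path_ok(const char *rel)
{
    return strncmp(rel, "../", 3) != 0;
}

/* Component-wise confinement.  Rejects absolute paths, backslashes, empty
 * components, "." and ".." anywhere, and names not ending in ".xml".  On
 * success writes base/rel into out and returns 0, otherwise returns -1. */
int confine_flightplan_path(const char *base, const char *rel,
                            char *out, size_t outlen)
{
    if (!base || !rel || rel[0] == '\0' || rel[0] == '/' || strchr(rel, '\\'))
        return -1;

    for (const char *p = rel; ; ) {
        const char *slash = strchr(p, '/');
        size_t n = slash ? (size_t)(slash - p) : strlen(p);
        if (n == 0 || (n == 1 && p[0] == '.') ||
            (n == 2 && p[0] == '.' && p[1] == '.'))
            return -1;           /* "", ".", ".." component: refuse */
        if (!slash)
            break;
        p = slash + 1;
    }

    size_t rl = strlen(rel);
    if (rl < 5 || strcmp(rel + rl - 4, ".xml") != 0)
        return -1;               /* only flightplan XML files may be written */

    int w = snprintf(out, outlen, "%s/%s", base, rel);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

/* Convenience wrapper with an assumed base directory (not FlightGear's real
 * layout); returns 1 if the write would be allowed, 0 if refused. */
int flightplan_write_allowed(const char *rel)
{
    char out[512];
    return confine_flightplan_path("/home/user/.fgfs/Flightplans", rel,
                                   out, sizeof out) == 0;
}

int main(void)
{
    const char *tests[] = { "route.xml", "save/../../../.bashrc",
                            "/etc/passwd", "sub/plan.xml", "plan" };
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++)
        printf("%-24s naive=%d confined=%d\n", tests[i],
               naive_path_ok(tests[i]), flightplan_write_allowed(tests[i]));
    return 0;
}
```

The substring-style check lets `save/../../../.bashrc` through because the `..` is not at the start; the component walk refuses it, along with any absolute path. The remaining gap a component check cannot close is a symlink inside the base directory; if the base is user-writable, the final open should also use O_NOFOLLOW or be checked against realpath() of the base.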
Processed: Re: Bug#862987: browser-history: Is the package still working and useful?
Processing control commands: > reassign -1 ftp.debian.org Bug #862987 [browser-history] browser-history: Is the package still working and useful? Bug reassigned from package 'browser-history' to 'ftp.debian.org'. No longer marked as found in versions browser-history/2.8-21. Ignoring request to alter fixed versions of bug #862987 to the same values previously set > affects -1 browser-history Bug #862987 [ftp.debian.org] browser-history: Is the package still working and useful? Added indication that 862987 affects browser-history > retitle -1 RM: browser-history -- RoM; no longer useful with modern browsers Bug #862987 [ftp.debian.org] browser-history: Is the package still working and useful? Changed Bug title to 'RM: browser-history -- RoM; no longer useful with modern browsers' from 'browser-history: Is the package still working and useful?'. -- 862987: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862987 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#862987: browser-history: Is the package still working and useful?
Control: reassign -1 ftp.debian.org Control: affects -1 browser-history Control: retitle -1 RM: browser-history -- RoM; no longer useful with modern browsers On Fri, May 19, 2017 at 07:31:35PM +0300, Adrian Bunk wrote: > As observed by Salvo Tomaselli, the description says: > It works with: Netscape Navigator, Arena, and Amaya. Support for > `browser-history' can easily be added to other browsers, provided you can > program and have the browser sources. > > This is either the (non-RC) issue of a completely outdated description > or the package is now mostly useless. > > Also looking at: > Browser-history came from the will to overcome a Netscape bug: there is no > global history, and if you close a window, its whole history is lost. > > This might have been true in some (pre-Mozilla) versions of Netscape > in the last millennium, but not during the past 15 years. The facility that this package relies on no longer exists in the post-Netscape Mozilla codebase, and won't be re-added: https://bugzilla.mozilla.org/show_bug.cgi?id=36925 https://bugzilla.mozilla.org/show_bug.cgi?id=64598 (Chrome and Chromium similarly have no such facility.) So yes, I agree that there's not much point keeping this around in the archive out of nostalgia. ftpmaster, please remove browser-history. Thanks, -- Colin Watson [cjwat...@debian.org]
Bug#862987: browser-history: Is the package still working and useful?
Package: browser-history Version: 2.8-21 Severity: serious As observed by Salvo Tomaselli, the description says: It works with: Netscape Navigator, Arena, and Amaya. Support for `browser-history' can easily be added to other browsers, provided you can program and have the browser sources. This is either the (non-RC) issue of a completely outdated description or the package is now mostly useless. Also looking at: Browser-history came from the will to overcome a Netscape bug: there is no global history, and if you close a window, its whole history is lost. This might have been true in some (pre-Mozilla) versions of Netscape in the last millennium, but not during the past 15 years.
Bug#808454: Pending fixes for bugs in the libdata-faker-perl package
tag 808454 + pending thanks Some bugs in the libdata-faker-perl package are closed in revision 1a8cf729f766d595328a38a59ed15d5de6795848 in branch ' jessie' by gregor herrmann The full diff can be seen at https://anonscm.debian.org/cgit/pkg-perl/packages/libdata-faker-perl.git/commit/?id=1a8cf72 Commit message: Set C locale for tests. Thanks: Chris Lamb for the bug report. Closes: #808454
Processed: Pending fixes for bugs in the libdata-faker-perl package
Processing commands for cont...@bugs.debian.org: > tag 808454 + pending Bug #808454 {Done: gregor herrmann} [src:libdata-faker-perl] libdata-faker-perl: FTBFS under some locales (eg. fr_CH.UTF-8) Added tag(s) pending. > thanks Stopping processing here. Please contact me if you need assistance. -- 808454: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808454 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#862970: dropbear-bin: Double-free in server TCP listener cleanup; information disclosure with ~/.ssh/authorized_keys symlink
Processing control commands: > retitle -1 dropbear: Double-free in server TCP listener cleanup > (CVE-2017-9078); information disclosure with ~/.ssh/authorized_keys symlink > (CVE-2017-9079) Bug #862970 [dropbear] dropbear-bin: Double-free in server TCP listener cleanup; information disclosure with ~/.ssh/authorized_keys symlink Changed Bug title to 'dropbear: Double-free in server TCP listener cleanup (CVE-2017-9078); information disclosure with ~/.ssh/authorized_keys symlink (CVE-2017-9079)' from 'dropbear-bin: Double-free in server TCP listener cleanup; information disclosure with ~/.ssh/authorized_keys symlink'. -- 862970: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862970 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#862970: dropbear-bin: Double-free in server TCP listener cleanup; information disclosure with ~/.ssh/authorized_keys symlink
Control: retitle -1 dropbear: Double-free in server TCP listener cleanup (CVE-2017-9078); information disclosure with ~/.ssh/authorized_keys symlink (CVE-2017-9079) Two CVEs were assigned for the two issues, retitling the bug accordingly. Regards, Salvatore
Bug#824936: Pending fixes for bugs in the libsys-syscall-perl package
tag 824843 + pending tag 824936 + pending tag 826136 + pending thanks Some bugs in the libsys-syscall-perl package are closed in revision 154cbe339a1ff967c2c825df4dbf7407c6c91030 in branch ' jessie' by gregor herrmann The full diff can be seen at https://anonscm.debian.org/cgit/pkg-perl/packages/libsys-syscall-perl.git/commit/?id=154cbe3 Commit message: Add patches (from -3, -4, and -6) to support more architectures. aarch64.patch, hppa.patch, mips.patch, ppc64le.patch, s390x.patch. Closes: #824843, #824936, #826136
Processed (with 1 error): Pending fixes for bugs in the libsys-syscall-perl package
Processing commands for cont...@bugs.debian.org: > tag 824843 + pending Bug #824843 {Done: Niko Tyni} [libsys-syscall-perl] libsys-syscall-perl: FTBFS on arm64: test suite failures Added tag(s) pending. > tag 824936 + pending Bug #824936 {Done: Niko Tyni } [libsys-syscall-perl] libsys-syscall-perl: FTBFS on mips*: test failures Added tag(s) pending. > tag 826136 + pending Failed to alter tags of Bug 826136: Not altering archived bugs; see unarchive. > thanks Stopping processing here. Please contact me if you need assistance. -- 824843: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824843 824936: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824936 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#858539: ca-certificates: Contains untrusted StartCom and WoSign certificates
On 05/19/2017 10:07 AM, Chris Lamb wrote: > I've uploaded ca-certificates 20161130+nmu1 to DELAYED/5: > > ca-certificates (20161130+nmu1) unstable; urgency=medium > > * Non-maintainer upload. > * Add StartCom and WoSign certificates to mozilla/blacklist.txt as they > are > now untrusted by the major browser vendors. Closes: #858539 Thank you for the NMU, Chris, I'm good with that change. -- Kind regards, Michael
Processed: Re: ca-certificates: Contains untrusted StartCom and WoSign certificates
Processing commands for cont...@bugs.debian.org: > tags 858539 + pending patch Bug #858539 [ca-certificates] ca-certificates: Contains untrusted StartCom and WoSign certificates Added tag(s) patch and pending. > thanks Stopping processing here. Please contact me if you need assistance. -- 858539: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858539 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#858539: ca-certificates: Contains untrusted StartCom and WoSign certificates
tags 858539 + pending patch thanks I've uploaded ca-certificates 20161130+nmu1 to DELAYED/5: ca-certificates (20161130+nmu1) unstable; urgency=medium * Non-maintainer upload. * Add StartCom and WoSign certificates to mozilla/blacklist.txt as they are now untrusted by the major browser vendors. Closes: #858539 The full debdiff is attached. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `- diffstat for ca-certificates-20161130 ca-certificates-20161130+nmu1 debian/changelog |8 mozilla/blacklist.txt | 16 2 files changed, 24 insertions(+) diff -Nru ca-certificates-20161130/debian/changelog ca-certificates-20161130+nmu1/debian/changelog --- ca-certificates-20161130/debian/changelog 2016-12-01 04:20:53.0 +0100 +++ ca-certificates-20161130+nmu1/debian/changelog 2017-05-19 16:53:16.0 +0200 @@ -1,3 +1,11 @@ +ca-certificates (20161130+nmu1) unstable; urgency=medium + + * Non-maintainer upload. + * Add StartCom and WoSign certificates to mozilla/blacklist.txt as they are +now untrusted by the major browser vendors. Closes: #858539 + + -- Chris LambFri, 19 May 2017 16:53:16 +0200 + ca-certificates (20161130) unstable; urgency=medium [ Philipp Kern ] diff -Nru ca-certificates-20161130/mozilla/blacklist.txt ca-certificates-20161130+nmu1/mozilla/blacklist.txt --- ca-certificates-20161130/mozilla/blacklist.txt 2016-11-03 08:40:01.0 +0100 +++ ca-certificates-20161130+nmu1/mozilla/blacklist.txt 2017-05-19 16:53:16.0 +0200 
@@ -5,3 +5,19 @@ # DigiNotar Root CA (see debbug#639744) "DigiNotar Root CA" + +# StartCom and WoSign certificates are now untrusted by the major browser +# vendors[0]. See [1] for discussion. The list was generated by: +# +# $ egrep 'WoSign|StartCom' mozilla/certdata.txt \ +# | grep UTF | sed 's/CKA_LABEL UTF8 //' | uniq +# +# [0] https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/ +# [1] https://bugs.debian.org/858539 +# +"StartCom Certification Authority" +"StartCom Certification Authority G2" +"WoSign" +"WoSign China" +"Certification Authority of WoSign G2" +"CA WoSign ECC Root"
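Review bot: the mozilla/blacklist.txt hunk is stricter than the policy its comment cites, and the comment should say so. The Mozilla post at [0] (the "distrusting-new-wosign-and-startcom-certificates" article) distrusts certificates these CAs issued after a cutoff date while leaving the roots in place; blacklist.txt can only drop a root wholesale, so after this change every certificate chaining to the six listed roots is rejected, including older ones browsers still accepted at the time. That is a defensible choice for a store with no date-based distrust, but a reader of the file cannot tell it was deliberate; suggest adding a line such as `# Stricter than Mozilla's date-based distrust: this store cannot express an issuance cutoff, so the roots are removed outright.` A smaller point on the generating command: `uniq` only collapses adjacent duplicates, so `sort -u` in place of `uniq` makes the documented pipeline reproducible regardless of the order of entries in certdata.txt.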
Processed: Pending fixes for bugs in the libhttp-proxy-perl package
Processing commands for cont...@bugs.debian.org: > tag 788350 + pending Bug #788350 {Done: gregor herrmann} [libhttp-proxy-perl] libhttp-proxy-perl: FTBFS - proxy tests Added tag(s) pending. > thanks Stopping processing here. Please contact me if you need assistance. -- 788350: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=788350 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#788350: Pending fixes for bugs in the libhttp-proxy-perl package
tag 788350 + pending thanks Some bugs in the libhttp-proxy-perl package are closed in revision 60f02b77031754872d0823543302255350d0754b in branch ' jessie' by gregor herrmann The full diff can be seen at https://anonscm.debian.org/cgit/pkg-perl/packages/libhttp-proxy-perl.git/commit/?id=60f02b7 Commit message: Add patch to fix broken custom 'via' handling. (Patch taken from upstream release 0.304.) Closes: #788350
Bug#857986: npm: This pakcage is 3 years old? (consider removal)
On Fri, May 19, 2017 at 12:15:32PM +0200, Jérémy Lal wrote: > 2017-05-19 12:07 GMT+02:00 Riku Voipio: > > > Jérémy Lal: > > > To others, preoccupied that npm won't be available in debian: > > > - please help with npm maintenance > > > - hopefully we'll make an updated version installable through debian > > backports > > > > Are there any complications to building npm as part of nodejs package? > > > There are complications to distributing npm: it depends on a LOT of > modules, which > means it requires a lot of debian-maintainer time to package, and update. > Using the upstream nodejs tarball as source for npm or the upstream npm > tarball > does not change anything about that. Ok, thanks for clarifying. Riku
Processed: tagging 862970
Processing commands for cont...@bugs.debian.org: > tags 862970 + upstream fixed-upstream Bug #862970 [dropbear] dropbear-bin: Double-free in server TCP listener cleanup; information disclosure with ~/.ssh/authorized_keys symlink Added tag(s) upstream and fixed-upstream. > thanks Stopping processing here. Please contact me if you need assistance. -- 862970: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862970 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: retitle 788350 to libhttp-proxy-perl: FTBFS - proxy tests
Processing commands for cont...@bugs.debian.org: > retitle 788350 libhttp-proxy-perl: FTBFS - proxy tests Bug #788350 {Done: gregor herrmann} [libhttp-proxy-perl] FTBFS - proxy tests Changed Bug title to 'libhttp-proxy-perl: FTBFS - proxy tests' from 'FTBFS - proxy tests'. > thanks Stopping processing here. Please contact me if you need assistance. -- 788350: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=788350 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Version tracking fix
Processing commands for cont...@bugs.debian.org: > found 862970 2013.60-1 Bug #862970 [dropbear] dropbear-bin: Double-free in server TCP listener cleanup; information disclosure with ~/.ssh/authorized_keys symlink Marked as found in versions dropbear/2013.60-1. > thanks Stopping processing here. Please contact me if you need assistance. -- 862970: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862970 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: your mail
Processing commands for cont...@bugs.debian.org: > retitle 858250 Fails to build for unstable, build-depends not strict enough Bug #858250 [runc] Fails to build for stretch, build-depends not strict enough Bug #861966 [runc] Fails to build for sid, build-depends not strict enough Changed Bug title to 'Fails to build for unstable, build-depends not strict enough' from 'Fails to build for stretch, build-depends not strict enough'. Changed Bug title to 'Fails to build for unstable, build-depends not strict enough' from 'Fails to build for sid, build-depends not strict enough'. > affects 858250 +sid Bug #858250 [runc] Fails to build for unstable, build-depends not strict enough Bug #861966 [runc] Fails to build for unstable, build-depends not strict enough Added indication that 858250 affects sid Added indication that 861966 affects sid > affects 858250 +unstable Bug #858250 [runc] Fails to build for unstable, build-depends not strict enough Bug #861966 [runc] Fails to build for unstable, build-depends not strict enough Added indication that 858250 affects unstable Added indication that 861966 affects unstable > tag 858250 +sid Bug #858250 [runc] Fails to build for unstable, build-depends not strict enough Bug #861966 [runc] Fails to build for unstable, build-depends not strict enough Added tag(s) sid. Added tag(s) sid. > End of message, stopping processing here. Please contact me if you need assistance. -- 858250: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858250 861966: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861966 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#861953: unblock: runc/0.1.1+dfsg1-3
Processing control commands: > tag 858250 -pending Bug #858250 [runc] Fails to build for stretch, build-depends not strict enough Bug #861966 [runc] Fails to build for sid, build-depends not strict enough Removed tag(s) pending. Removed tag(s) pending. > affects 858250 -stretch +sid Bug #858250 [runc] Fails to build for stretch, build-depends not strict enough Bug #861966 [runc] Fails to build for sid, build-depends not strict enough Removed indication that 858250 affects stretch Removed indication that 861966 affects stretch > notfound 858250 0.1.1+dfsg1-2 Bug #858250 [runc] Fails to build for stretch, build-depends not strict enough Bug #861966 [runc] Fails to build for sid, build-depends not strict enough No longer marked as found in versions runc/0.1.1+dfsg1-2. No longer marked as found in versions runc/0.1.1+dfsg1-2. -- 858250: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858250 861966: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861966 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#858250: Bug#861953: unblock: runc/0.1.1+dfsg1-3
control: tag 858250 -pending control: affects 858250 -stretch +sid control: notfound 858250 0.1.1+dfsg1-2 On Thu, 18 May 2017 12:48:11 +0100 Jonathan Wiltshire wrote: > Control: tag -1 wontfix moreinfo > > Hi, > > On 2017-05-08 00:40, Roger Shimizu wrote: > > Since you say it should fix unstable first, then stretch or t-p-u, > > now I think we may just leave runc/0.1.1+dfsg1-2 (current in stretch) > > as it is in stretch. Because it builds OK (without FTBFS) for stretch. > > The #858250 FTBFS only occurs on unstable. > > If runc currently builds in stretch, there is no need to touch it (and > #858250 should be tagged 'sid'). > > It's not clear from #858250 if that is actually the case or not though. Thanks for your explanation! Yes, it builds well in stretch. I did a s/unstable/testing/ for the latest changelog, and uploaded it to DoM: http://debomatic-amd64.debian.net/distribution#testing/runc/0.1.1+dfsg1-2/buildlog So I close the unblock request, and mark the original bug as only affecting unstable. It's not an RC for stretch. Cheers, -- Roger Shimizu, GMT +9 Tokyo PGP/GPG: 4096R/6C6ACD6417B3ACB1
Bug#862970: dropbear-bin: Double-free in server TCP listener cleanup; information disclosure with ~/.ssh/authorized_keys symlink
Package: dropbear Version: 2014.65-1+deb8u2 Severity: grave Tags: security Justification: user security hole dropbear 2017.75 was released [0] on May 18 and fixes the following two security vulnerabilities, for which no CVE was assigned yet AFAIK [1]. - Security: Fix double-free in server TCP listener cleanup A double-free in the server could be triggered by an authenticated user if dropbear is running with -a (Allow connections to forwarded ports from any host) This could potentially allow arbitrary code execution as root by an authenticated user. Affects versions 2013.56 to 2016.74. Thanks to Mark Shepard for reporting the crash. Patch: https://secure.ucc.asn.au/hg/dropbear/rev/c8114a48837c - Security: Fix information disclosure with ~/.ssh/authorized_keys symlink. Dropbear parsed authorized_keys as root, even if it were a symlink. The fix is to switch to user permissions when opening authorized_keys A user could symlink their ~/.ssh/authorized_keys to a root-owned file they couldn't normally read. If they managed to get that file to contain valid authorized_keys with command= options it might be possible to read other contents of that file. This information disclosure is to an already authenticated user. Thanks to Jann Horn of Google Project Zero for reporting this. Patch: https://secure.ucc.asn.au/hg/dropbear/rev/0d889b068123 -- Guilhem. [0] http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2017q2/001985.html https://matt.ucc.asn.au/dropbear/CHANGES (currently yields 403) [1] http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2017q2/001987.html
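The second item in the report above says the upstream fix is to open authorized_keys with the user's own permissions, so the kernel refuses a symlink to a root-only file. As an added example, not dropbear's code, the following C function shows the complementary check a server can apply when it opens the file as root: O_NOFOLLOW refuses a symlinked authorized_keys outright, and the ownership and mode are verified on the opened descriptor (fstat, not stat on the path) so there is no window between the check and the read. The file names, the sample key line and the `demo_symlink_rejected` helper are constructed for the demonstration.

```c
/* Added example, not dropbear's code: open a user's authorized_keys without
 * following a symlink at the final path component and verify, on the opened
 * descriptor, that it is a regular file owned by the expected user. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return a descriptor for authorized_keys, or -1 if the path is a symlink,
 * not a regular file, not owned by `owner`, or writable by group/other. */
int open_authorized_keys(const char *path, uid_t owner)
{
    /* O_NOFOLLOW: a symlink as the last component fails (ELOOP on Linux). */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0)
        return -1;

    struct stat st;
    /* fstat on the descriptor we will read from, never stat on the path, so
     * the file cannot be swapped between the check and the use. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Self-contained demonstration with constructed files: a regular file owned
 * by the caller is accepted, a symlink to that same file is refused.
 * Returns 1 on the expected outcome, 0 otherwise. */
int demo_symlink_rejected(void)
{
    char dir[64] = "/tmp/akeys-XXXXXX";
    if (!mkdtemp(dir)) {
        strcpy(dir, "./akeys-XXXXXX");          /* fall back if /tmp is unusable */
        if (!mkdtemp(dir))
            return 0;
    }

    char real[128], lnk[128];
    snprintf(real, sizeof real, "%s/authorized_keys", dir);
    snprintf(lnk, sizeof lnk, "%s/authorized_keys_link", dir);

    /* Constructed sample key line; its content is irrelevant to the check. */
    FILE *f = fopen(real, "w");
    if (!f) { rmdir(dir); return 0; }
    fputs("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterial user@example\n", f);
    fclose(f);
    chmod(real, 0600);

    int ok = 1;
    int fd = open_authorized_keys(real, getuid());
    if (fd < 0) ok = 0; else close(fd);          /* regular file: accepted */

    if (symlink(real, lnk) == 0) {
        int fd2 = open_authorized_keys(lnk, getuid());
        if (fd2 >= 0) { ok = 0; close(fd2); }    /* symlink: must be refused */
        unlink(lnk);
    } else {
        ok = 0;
    }
    unlink(real);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("symlink to authorized_keys rejected: %s\n",
           demo_symlink_rejected() ? "yes" : "no");
    return 0;
}
```

O_NOFOLLOW only covers the last path component; a symlinked ~/.ssh directory is not caught by it, which is why the ownership check on the opened descriptor matters and why dropping to the user's uid before the open, as upstream did, remains the stronger fix: the kernel then applies the user's permissions to every component.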
Bug#861112: xsane: always crashes on start
Hi, On Fri, May 19, 2017 at 11:44:56AM +0200, Wolfgang Schweer wrote: > On Fri, May 19, 2017 at 09:47:51AM +0200, John Paul Adrian Glaubitz wrote: > > On 05/17/2017 10:57 PM, Andreas Henriksson wrote: > > >> It's disabling Avahi support (I don't have such daemon) > > IMO a daemon isn't needed, that might be a misleading debug message. On > my system (up-to-date stretch, GNOME) the package libavahi-client3 > (Depends: libavahi-common3) is installed via libreoffice-draw / > libgnomevfs2-0 Depends -- and I'm unable to reproduce the bug. > > Maybe it would be sufficent to add libavahi-client3 (instead of > libavahi-common3) as a Depends to sane-utils to solve this problem. Doesn't help: $ sudo apt-get install libavahi-client3 Reading package lists... Done Building dependency tree Reading state information... Done libavahi-client3 is already the newest version (0.6.32-2). 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. $ scanimage -L scanimage: thread-watch.c:171: avahi_threaded_poll_lock: Assertion `p' failed. Aborted $ A.
Bug#862967: imagemagick: use of uninitialized memory in RLE decoder
Source: imagemagick Version: 8:6.9.7.4+dfsg-8 Severity: grave Tags: security upstream patch Hi See https://scarybeastsecurity.blogspot.com/2017/05/bleed-continues-18-byte-file-14k-bounty.html for details, which has been addressed via https://github.com/ImageMagick/ImageMagick/commit/1c358ffe0049f768dd49a8a889c1cbf99ac9849b Regards, Salvatore
Bug#862400: several bios updates exist since 2007
On Mon, 15 May 2017 13:56:24 +0200 Arturo Borrero Gonzalez wrote: > (please keep me in CC) > > On Sat, 13 May 2017 06:16:44 +0200 franckr wrote: > > Hi Arturo, > > > > I cannot help for kernel, however, and you probably already know it: > > Several bios updates became available since 10/04/2007 version. > > Did you consider them ? (ie checking release logs) > > Will you try ? > > > > Sure, we are in the way of updating the BIOS. > > But the question remains, is this some kind of kernel regression? > We managed to upgrade the BIOS (not the last one, though). Still no luck, kernel 4.9 doesn't boot while 4.7 does.
Processed: Pending fixes for bugs in the libhtml-microformats-perl package
Processing commands for cont...@bugs.debian.org: > tag 783656 + pending Bug #783656 {Done: Jonas Smedegaard} [libhtml-microformats-perl] libhtml-microformats-perl: missing dependency on libmodule-pluggable-perl Added tag(s) pending. > thanks Stopping processing here. Please contact me if you need assistance. -- 783656: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783656 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#783656: Pending fixes for bugs in the libhtml-microformats-perl package
tag 783656 + pending thanks Some bugs in the libhtml-microformats-perl package are closed in revision b07796c9f117f24155da70193c0cd818ede253f3 in branch ' jessie' by gregor herrmann The full diff can be seen at https://anonscm.debian.org/cgit/pkg-perl/packages/libhtml-microformats-perl.git/commit/?id=b07796c Commit message: Add buildtime and runtime dependency on libmodule-pluggable-perl. Closes: #783656
Bug#861112: xsane: always crashes on start
Hello Adrian, Thanks for looking at this again. More comments below. On Fri, May 19, 2017 at 09:47:51AM +0200, John Paul Adrian Glaubitz wrote: > But wouldn't that only address the symptoms instead of the actual cause > of the problem? If I understood Laurent correctly, the NULL value of > avahi_thread is a result of a race condition that can be avoided by > calling net_avahi_init() later inside sane_init(). It might be that Laurent's fix should *also* go in. It might make things work more often, but still... The net_avahi_init() function handles failures by setting avahi_thread (etc.) to NULL. The caller of net_avahi_init() does nothing to catch when net_avahi_init() returns failure (maybe this should be caught and handled here? But I assumed it was considered ok for it to fail.) Thus, if for ANY reason net_avahi_init() fails, we continue running with avahi_thread==NULL. Sane must make sure to not pass it to something which does not accept a NULL argument, eg. the avahi lock functions. Locking avahi when we're not using avahi at all is obviously not needed as I see it. Thus the patch I proposed. I'm not familiar with sane code so maybe this is not the best fix, but either way Laurent's change definitely doesn't cover all theoretical bases (ie. it doesn't handle the failure, just possibly makes failure happen less often) Hope this helps make my proposal more clear. Regards, Andreas Henriksson
Bug#861612: pixbros: level designs appear to be non-free
On 19.05.2017 at 02:24, Steve Cotton wrote: > On Fri, May 12, 2017 at 11:03:24PM +0200, Markus Koschany wrote: >> What we need to check is: Does the game comply with the DFSG and does it >> infringe the copyright of another programmer/artist. In my opinion that >> is not the case here because the license is DFSG-compatible and the game >> looks and works differently in style and artwork. We are not aware of a >> verdict which states that the level resemblance infringes the rights of >> another party. > > Hi Markus, > > To clarify, I think it's a copyright violation. The copyrights in > question are the layout of the levels, the level designers' choices of > where the platforms are. For a simple level like level 30 it would be > unremarkable for games in the same genre to have a similar level, but > not the complex designs of most of the levels from 31 to 49. > >> This whole bug report reminds me of Giana Sisters, ... You are not even the copyright holder of the original game. You just claim that the level layout in this case is a copyright violation which is not backed up by anything. I am sorry but this is layman talk and as I previously said the mere level resemblance alone is not what paragraph 2.3 in Debian's Policy is talking about. >> On the other hand we have many open source games that try to clone an >> older game but they look and behave often differently and use their own >> graphics or they just reinvent the engine and then use the original >> artwork (hence why those games are shipped in contrib) > > But the ones in contrib using original artwork only have the DFSG > parts in contrib, the copy of the original artwork isn't in contrib. Exactly. But Pixbros has its own distinct DFSG-free artwork. Can't you see that? >> Look at Pathological which is obviously a clone of Logical or Tuxpuck >> which very much resembles the Shuffle Puck Cafe game. Are they non-free >> too?
I don't think so because I have played the original games and I can >> tell you that the older games had both better graphics, more levels and >> were more feature complete. They resemble each other but they are not on >> a par and the risk that some company sues Debian just for distributing >> them is highly unlikely because we make no money with them either. > > Just as they used new artwork, Pathological used (AFAIK) new level > designs. The first level looks like a level of Logical, but that's > forced by the genre, there's a limited set of level designs for a > tutorial level that introduces the concept of the game. > > With tuxpuck the level design seems to be a rectangular table, with a > rectangular area of that table that the player can move the bat to. > > Neither of these games seems to have a direct copy from the game that > inspired them. Well and here it shows that you apply double standards. In Pathological the levels are "forced by the genre", in Tuxpuck it is just the rectangular table and the bat (and you forgot that the second player uses the same technique to move the bat as in the original game but never mind). All major game aspects are implemented from the original games and it is easy to see which one they stem from. Nevertheless the code and the artwork are completely different, DFSG-free and an independent piece of art. But Pixbros' levels which are simply bars in vertical and horizontal directions are somehow a copyright violation. Sorry but this bug report really makes me sad and I'm off to do something more useful now.
Processed: Pending fixes for bugs in the libcgi-application-plugin-anytemplate-perl package
Processing commands for cont...@bugs.debian.org:

> tag 788008 + pending
Bug #788008 {Done: Niko Tyni} [libcgi-application-plugin-anytemplate-perl] libcgi-application-plugin-anytemplate-perl: missing dependency on libclone-perl
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
788008: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=788008
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#788008: Pending fixes for bugs in the libcgi-application-plugin-anytemplate-perl package
tag 788008 + pending
thanks

Some bugs in the libcgi-application-plugin-anytemplate-perl package are closed in revision 902139f110bdfdf3b22083a009fa06147072b8a7 in branch 'jessie' by gregor herrmann

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-perl/packages/libcgi-application-plugin-anytemplate-perl.git/commit/?id=902139f

Commit message:

    Add missing dependency on libclone-perl | libclone-pp-perl.

    Closes: #788008
Bug#857986: npm: This pakcage is 3 years old? (consider removal)
2017-05-19 12:07 GMT+02:00 Riku Voipio:
> Jérémy Lal:
> > To others, preoccupied that npm won't be available in debian:
> > - please help with npm maintenance
> > - hopefully we'll make an updated version installable through debian
> > backports
>
> Are there any complications to building npm as part of nodejs package?

There are complications to distributing npm: it depends on a LOT of modules, which means it requires a lot of debian-maintainer time to package and update. Using the upstream nodejs tarball as source for npm or the upstream npm tarball does not change anything about that.

Jérémy
Bug#857986: npm: This pakcage is 3 years old? (consider removal)
Jérémy Lal:
> To others, preoccupied that npm won't be available in debian:
> - please help with npm maintenance
> - hopefully we'll make an updated version installable through debian backports

Are there any complications to building npm as part of nodejs package?

Riku
Bug#841421: python-opcua: FTBFS (build hangs)
Hi Santiago, could you test the new version 0.90.3-1 in unstable, please? No hurry, because of the freeze the package will not migrate to testing soon anyway. TIA & Cheers!
Bug#861112: xsane: always crashes on start
On Fri, May 19, 2017 at 09:47:51AM +0200, John Paul Adrian Glaubitz wrote:
> On 05/17/2017 10:57 PM, Andreas Henriksson wrote:
> >> It's disabling Avahi support (I don't have such daemon)

IMO a daemon isn't needed, that might be a misleading debug message. On my system (up-to-date stretch, GNOME) the package libavahi-client3 (Depends: libavahi-common3) is installed via libreoffice-draw / libgnomevfs2-0 Depends -- and I'm unable to reproduce the bug.

Maybe it would be sufficient to add libavahi-client3 (instead of libavahi-common3) as a Depends to sane-utils to solve this problem.

'apt show libavahi-client3' tells me:

    This package contains the library for Avahi's C API which allows you to
    integrate mDNS/DNS-SD functionality into your application.

Wolfgang
Processed: Bug#862001 in apt marked as pending
Processing control commands:

> tag 862001 pending
Bug #862001 {Done: Julian Andres Klode} [libapt-pkg5.0] libapt-pkg5.0: Failed to try-restart apt-daily-upgrade.timer: Unit apt-daily-upgrade.timer not found.
Added tag(s) pending.

--
862001: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862001
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#862001: in apt marked as pending
Control: tag 862001 pending

Hello,

Bug #862001 in apt reported by you has been fixed in the Git repository. You can see the commit message below, and you can check the diff of the fix at:

    https://anonscm.debian.org/cgit/apt/apt.git/diff/?id=8d42a4e

(this message was generated automatically based on the git commit message)

---
commit 8d42a4e4ff7190e802b1b2f91adfc7a6e5b0ac69
Author: Julian Andres Klode
Date:   Sun May 7 12:17:05 2017 +0200

    Do not try to (re)start timers outside 'apt' package

    dh_systemd_start inserted postinst commands in all packages, rather
    than just the package containing the timers. This also gets rid of
    postinst scripts for all other packages, yay.

    Closes: #862001
    (cherry picked from commit 315d6aac02b657a4742b5fe2695707904c6033dd)
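An added example, not part of the apt commit above or of the bug report: a small POSIX shell check a packager can run after a build to confirm which staged binary packages got maintainer-script snippets for a given systemd unit. The commit message only says the snippets ended up in every package instead of the one shipping the timers; the check below makes that visible and fails when any package other than the expected one (assumed here to be apt, as the commit subject says) references the unit. It assumes the usual debhelper staging layout, debian/<pkg>/DEBIAN/{postinst,prerm,postrm}; the function names and the constructed test tree are mine, and this is not the diff that fixed #862001.

```shell
#!/bin/sh
# Added example (not from the apt repository): verify that only the expected
# package carries systemd start/restart snippets for the named units.
#
# Assumptions: debhelper has already staged the packages under PKGROOT
# (normally "debian") as PKGROOT/<pkg>/DEBIAN/{postinst,prerm,postrm}.

# find_unit_scripts PKGROOT UNIT...
#   Print "package:script" for every staged maintainer script that mentions
#   at least one of the given unit names.
find_unit_scripts() {
    root=$1; shift
    for script in "$root"/*/DEBIAN/postinst "$root"/*/DEBIAN/prerm "$root"/*/DEBIAN/postrm; do
        [ -f "$script" ] || continue          # unmatched glob stays literal
        pkg=${script#"$root"/}                # strip "PKGROOT/"
        pkg=${pkg%%/*}                        # keep the package directory name
        for unit in "$@"; do
            if grep -q -F -- "$unit" "$script"; then
                printf '%s:%s\n' "$pkg" "${script##*/}"
                break
            fi
        done
    done
}

# check_only_package PKGROOT EXPECTED UNIT...
#   Return 0 when every hit belongs to EXPECTED, 1 otherwise (offenders are
#   listed on stderr so the build log shows which package is wrong).
check_only_package() {
    root=$1; expected=$2; shift 2
    status=0
    for hit in $(find_unit_scripts "$root" "$@"); do
        case $hit in
            "$expected":*) ;;
            *) echo "unexpected unit handling in $hit" >&2; status=1 ;;
        esac
    done
    return $status
}

# Typical call from the top of a built source tree:
#   check_only_package debian apt apt-daily.timer apt-daily-upgrade.timer
```

If the check fails, the usual debhelper way to confine the snippets is to override dh_systemd_start in debian/rules and pass it -p with the package that ships the units; whether that is what the apt commit did is not visible on this page.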
Bug#855324: Info received (Bug#855324: pdfsam fails to start)
Hi,

One could probably just advise people to execute this in their terminal:

    sed -i 's/[0-9]*<\/LAF>/0<\/LAF>/' ~/.pdfsam/config.xml

Best,
Philip
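An added example, not from the bug report: the same edit wrapped in a guarded shell function. It keeps the sed expression from the message above but refuses to touch a missing file, writes a .bak copy before changing anything, only acts when a numeric non-zero LAF value is actually present, and reports through its exit status whether the value was reset. The default path ~/.pdfsam/config.xml is taken from the message; the function name and the constructed config used in the check are mine.

```shell
#!/bin/sh
# Added example (not from the pdfsam bug report): guarded version of
#   sed -i 's/[0-9]*<\/LAF>/0<\/LAF>/' ~/.pdfsam/config.xml
#
# Assumption: the look-and-feel index is stored as <LAF>N</LAF> in the
# pdfsam config file, as the one-liner above implies.

# reset_pdfsam_laf [CONFIG]
#   Exit status: 0 = value reset to 0, 2 = nothing to change, 1 = no such file.
reset_pdfsam_laf() {
    cfg=${1:-"$HOME/.pdfsam/config.xml"}
    [ -f "$cfg" ] || { echo "no config at $cfg" >&2; return 1; }
    # Nothing to do if there is no numeric LAF value, or it is already 0.
    if ! grep -Eq '<LAF>[0-9]+</LAF>' "$cfg" || grep -Eq '<LAF>0+</LAF>' "$cfg"; then
        return 2
    fi
    # Keep the original alongside, then rewrite from the backup so the
    # config keeps its inode and permissions (no sed -i needed).
    cp -p -- "$cfg" "$cfg.bak"
    sed 's/[0-9]*<\/LAF>/0<\/LAF>/' "$cfg.bak" > "$cfg"
    # Confirm the rewrite actually produced the expected value.
    grep -Eq '<LAF>0</LAF>' "$cfg"
}
```

Run it with pdfsam closed: a running GUI application typically writes its settings back on exit, which would undo the edit.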
Bug#861112: xsane: always crashes on start
On 05/17/2017 10:57 PM, Andreas Henriksson wrote:
>> It's disabling Avahi support (I don't have such daemon) but still later
>> calling avahi_threaded_poll_lock() with NULL avahi_thread.
> [...]
>
> Yes, definitely seems so. Could you please test the attached patch
> which hopefully takes care of your issue?

But wouldn't that only address the symptoms instead of the actual cause of the problem? If I understood Laurent correctly, the NULL value of avahi_thread is a result of a race condition that can be avoided by calling net_avahi_init() later inside sane_init().

Adrian

--
John Paul Adrian Glaubitz
Debian Developer - glaub...@debian.org
Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
Processed: severity of 861521 is grave
Processing commands for cont...@bugs.debian.org:

> # raising to RC, fixed in stable, otherwise regression, should be fixed in
> stretch
> severity 861521 grave
Bug #861521 {Done: Emmanuel Bourg} [src:libxstream-java] libxstream-java: CVE-2017-7957
Severity set to 'grave' from 'important'
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
861521: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861521
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems