Bug#862593: xarchiver: Adding files to .tar.xz deletes existing content

2017-05-19 Thread Chris Lamb
Hi Markus,

> Chris, could you cancel the NMU? I do the upload today after I have done
> some more tests and credit you in the changelog. Thanks for the patch!

It was uploaded to DELAYED/5 so you have a while to override mine :)


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#862593: xarchiver: Adding files to .tar.xz deletes existing content

2017-05-19 Thread Nikolaus Rath
On May 20 2017, Markus Koschany  wrote:
> On Fri, 19 May 2017 16:26:03 -0700 Nikolaus Rath  wrote:
>> On May 20 2017, Markus Koschany  wrote:
>> > Am 19.05.2017 um 23:23 schrieb Chris Lamb:
>> >> tags 862593 + patch
>> >> thanks
>> >> 
>> >> The archive gets overwritten as the test to see whether it already exists
>> >> (to determine whether to create a new one or simply add a new file) uses
>> >> an escaped path.
>> >> 
>> >> Patch attached. 
>> >
>> > I came to a similar conclusion but I wondered whether the real issue is
>> > the wrongly escaped path.
>> [...]
>> 
>> Why is there a need for any escaping at all? I would have expected that
>> tar/xz/whatever is invoked directly, but this almost sounds as if
>> xarchiver goes through a shell..?!
>
> As in the description: Xarchiver is a GUI frontend for various separate
> tools which are invoked by Xarchiver. The program must ensure that
> characters in filenames and archive names are properly escaped when it
> passes them to the respective tools like tar or 7z.

Sorry, I still do not understand. Why is there a need to escape
filenames when calling other tools? For example,

execve("/usr/bin/tar", (char *[]){ "tar", "cf", "compl cated.tar", NULL }, environ);

should work perfectly fine without any need for escaping.


Best,
-Nikolaus

-- 
GPG Fingerprint: ED31 791B 2C5C 1613 AF38 8B8A D113 FCAC 3C4E 599F

 »Time flies like an arrow, fruit flies like a Banana.«



Bug#862593: xarchiver: Adding files to .tar.xz deletes existing content

2017-05-19 Thread Markus Koschany
On Fri, 19 May 2017 16:26:03 -0700 Nikolaus Rath  wrote:
> On May 20 2017, Markus Koschany  wrote:
> > Am 19.05.2017 um 23:23 schrieb Chris Lamb:
> >> tags 862593 + patch
> >> thanks
> >> 
> >> The archive gets overwritten as the test to see whether it already exists
> >> (to determine whether to create a new one or simply add a new file) uses
> >> an escaped path.
> >> 
> >> Patch attached. 
> >
> > I came to a similar conclusion but I wondered whether the real issue is
> > the wrongly escaped path.
> [...]
> 
> Why is there a need for any escaping at all? I would have expected that
> tar/xz/whatever is invoked directly, but this almost sounds as if
> xarchiver goes through a shell..?!
> 

As in the description: Xarchiver is a GUI frontend for various separate
tools which are invoked by Xarchiver. The program must ensure that
characters in filenames and archive names are properly escaped when it
passes them to the respective tools like tar or 7z.





Bug#862593: xarchiver: Adding files to .tar.xz deletes existing content

2017-05-19 Thread Nikolaus Rath
On May 20 2017, Markus Koschany  wrote:
> Am 19.05.2017 um 23:23 schrieb Chris Lamb:
>> tags 862593 + patch
>> thanks
>> 
>> The archive gets overwritten as the test to see whether it already exists
>> (to determine whether to create a new one or simply add a new file) uses
>> an escaped path.
>> 
>> Patch attached. 
>
> I came to a similar conclusion but I wondered whether the real issue is
> the wrongly escaped path.
[...]

Why is there a need for any escaping at all? I would have expected that
tar/xz/whatever is invoked directly, but this almost sounds as if
xarchiver goes through a shell..?!


Best,
-Nikolaus


-- 
GPG Fingerprint: ED31 791B 2C5C 1613 AF38 8B8A D113 FCAC 3C4E 599F

 »Time flies like an arrow, fruit flies like a Banana.«



Bug#862892: marked as done (linux-signed FTBFS in stretch: Build-depends on linux packages no longer in stretch)

2017-05-19 Thread Debian Bug Tracking System
Your message dated Fri, 19 May 2017 23:18:16 +
with message-id 
and subject line Bug#862902: Removed package(s) from unstable
has caused the Debian Bug report #862892,
regarding linux-signed FTBFS in stretch: Build-depends on linux packages no 
longer in stretch
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
862892: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862892
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: linux-signed
Version: 4.4
Severity: serious

linux-signed has build dependencies on the exact version 4.9.18-1
of packages from src:linux, but version 4.9.25-1 is now in stretch.
--- End Message ---
--- Begin Message ---
Version: 4.9.18-1+rm

Dear submitter,

as the package linux-signed has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/862902

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)--- End Message ---


Bug#862987: marked as done (RM: browser-history -- RoM; no longer useful with modern browsers)

2017-05-19 Thread Debian Bug Tracking System
Your message dated Fri, 19 May 2017 23:19:10 +
with message-id 
and subject line Bug#862987: Removed package(s) from unstable
has caused the Debian Bug report #862987,
regarding RM: browser-history -- RoM; no longer useful with modern browsers
to be marked as done.


-- 
862987: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862987
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: browser-history
Version: 2.8-21
Severity: serious

As observed by Salvo Tomaselli, the description says:
 It works with: Netscape Navigator, Arena, and Amaya. Support for
 `browser-history' can easily be added to other browsers, provided you can
 program and have the browser sources.

This is either the (non-RC) issue of a completely outdated description
or the package is now mostly useless.

Also looking at:
 Browser-history came from the will to overcome a Netscape bug: there is no
 global history, and if you close a window, its whole history is lost.

This might have been true in some (pre-Mozilla) versions of Netscape
in the last millennium, but not during the past 15 years.
--- End Message ---
--- Begin Message ---
We believe that the bug you reported is now fixed; the following
package(s) have been removed from unstable:

browser-history | 2.8-21 | source, amd64, arm64, armel, armhf, hurd-i386, 
i386, kfreebsd-amd64, kfreebsd-i386, mips, mips64el, mipsel, powerpc, ppc64el, 
s390x

--- Reason ---
RoM; no longer useful with modern browsers
--

Note that the package(s) have simply been removed from the tag
database and may (or may not) still be in the pool; this is not a bug.
The package(s) will be physically removed automatically when no suite
references them (and in the case of source, when no binary references
it).  Please also remember that the changes have been done on the
master archive and will not propagate to any mirrors until the next
dinstall run at the earliest.

Packages are usually not removed from testing by hand. Testing tracks
unstable and will automatically remove packages which were removed
from unstable when removing them from testing causes no dependency
problems. The release team can force a removal from testing if it is
really needed, please contact them if this should be the case.

We try to close bugs which have been reported against this package
automatically. But please check all old bugs, if they were closed
correctly or should have been re-assigned to another package.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 862...@bugs.debian.org.

The full log for this bug can be viewed at https://bugs.debian.org/862987

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)--- End Message ---


Bug#831860: python{,3}-sip shouldn't provide more than one sip api

2017-05-19 Thread Scott Kitterman
On Thu, 18 May 2017 18:56:39 +0300 Adrian Bunk  wrote:
> Control: reassign -1 src:sip4 4.18.1+dfsg-1
> Control: retitle -1 python{,3}-sip shouldn't provide more than one sip api
> Control: affects -1 python-sip python3-sip
> 
> On Thu, Feb 16, 2017 at 02:36:19PM +0100, di dit wrote:
> > Rebuilding veusz fixes this bug.
> >...
...
> 
> After a rebuild python-qt4 now uses sip-api-11.3, but veusz-helpers 
> still uses sip-api-11.1
> 
> To enforce that this problem can't happen again or during upgrades, 
> python-sip and python3-sip shouldn't provide more than one sip api.
> 
> This bug is to track that this gets fixed in python{,3}-sip for stretch.
> 
> I'll also submit a binNMU request to get veusz and the other affected 
> package in stretch rebuilt with sip-api-11.3

Providing more than one is fine.  It appears that there was an 
undetected/unintended ABI break between 11.1 and 11.2, so 11.0 and 11.1 should 
be dropped.

Scott K



Bug#862970: marked as done (dropbear: Double-free in server TCP listener cleanup (CVE-2017-9078); information disclosure with ~/.ssh/authorized_keys symlink (CVE-2017-9079))

2017-05-19 Thread Debian Bug Tracking System
Your message dated Fri, 19 May 2017 22:18:45 +
with message-id 
and subject line Bug#862970: fixed in dropbear 2016.74-5
has caused the Debian Bug report #862970,
regarding dropbear: Double-free in server TCP listener cleanup (CVE-2017-9078); 
information disclosure with ~/.ssh/authorized_keys symlink (CVE-2017-9079)
to be marked as done.


-- 
862970: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862970
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: dropbear
Version: 2014.65-1+deb8u2
Severity: grave
Tags: security
Justification: user security hole

dropbear 2017.75 was released [0] on May 18 and fixes the following two
security vulnerabilities, for which no CVE was assigned yet AFAIK [1].

- Security: Fix double-free in server TCP listener cleanup
  A double-free in the server could be triggered by an authenticated
  user if dropbear is running with -a (Allow connections to
  forwarded ports from any host) This could potentially allow
  arbitrary code execution as root by an authenticated user.
  Affects versions 2013.56 to 2016.74. Thanks to Mark Shepard for
  reporting the crash.

Patch: https://secure.ucc.asn.au/hg/dropbear/rev/c8114a48837c

- Security: Fix information disclosure with ~/.ssh/authorized_keys
  symlink.
  Dropbear parsed authorized_keys as root, even if it were a
  symlink. The fix is to switch to user permissions when opening
  authorized_keys

  A user could symlink their ~/.ssh/authorized_keys to a root-owned
  file they couldn't normally read. If they managed to get that file
  to contain valid authorized_keys with command= options it might be
  possible to read other contents of that file.
  This information disclosure is to an already authenticated user.
  Thanks to Jann Horn of Google Project Zero for reporting this.

Patch: https://secure.ucc.asn.au/hg/dropbear/rev/0d889b068123

-- 
Guilhem.

[0] http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2017q2/001985.html
https://matt.ucc.asn.au/dropbear/CHANGES (currently yields 403)
[1] http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2017q2/001987.html


--- End Message ---
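
What "switch to user permissions when opening authorized_keys" looks like in code, as an added example that is not Dropbear's code: the open runs under the account's effective uid/gid, so a symlink to a file that account cannot read is refused by the kernel. open_as_user, struct scenario and make_scenario are hypothetical names, the files are constructed, and uid/gid 65534 is assumed to be an unprivileged account when the demo runs as root.

```c
/* Added example; not Dropbear code. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Open path read-only while the effective uid/gid are those of the account
 * being authenticated, then restore the caller's identity. The kernel then
 * applies that account's permissions to every path component and to the
 * target of any symlink. Supplementary groups are left untouched here; a
 * server would have to switch those too. Returns an fd, or -1 with errno. */
int open_as_user(const char *path, uid_t uid, gid_t gid)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    int fd, saved_errno;

    if (setegid(gid) < 0)            /* group first, while still permitted */
        return -1;
    if (seteuid(uid) < 0) {
        saved_errno = errno;
        if (setegid(saved_gid) < 0)
            abort();
        errno = saved_errno;
        return -1;
    }
    fd = open(path, O_RDONLY | O_CLOEXEC);
    saved_errno = errno;
    /* Regain the original identity in reverse order; never run half-switched. */
    if (seteuid(saved_uid) < 0 || setegid(saved_gid) < 0)
        abort();
    errno = saved_errno;
    return fd;
}

struct scenario {
    char link_path[256];   /* stands in for ~/.ssh/authorized_keys */
    uid_t uid;             /* account the open must be checked against */
    gid_t gid;
};

/* Constructed scenario: a symlink named authorized_keys pointing at "secret".
 * readable != 0: the account is the current user and may read the target.
 * readable == 0: the account may not read it. As root that account is
 * 65534 and the target stays root-owned 0600; otherwise the account is the
 * current user and the target is set to mode 0000. */
int make_scenario(struct scenario *sc, int readable)
{
    char dir[] = "/tmp/ak-demo-XXXXXX";
    char target[256];
    int fd, other_account = (!readable && geteuid() == 0);

    if (mkdtemp(dir) == NULL || chmod(dir, 0755) < 0)
        return -1;
    snprintf(target, sizeof target, "%s/secret", dir);
    snprintf(sc->link_path, sizeof sc->link_path, "%s/authorized_keys", dir);
    fd = open(target, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0 || write(fd, "constructed secret\n", 19) != 19 || close(fd) < 0)
        return -1;
    if (!readable && !other_account && chmod(target, 0000) < 0)
        return -1;
    if (symlink(target, sc->link_path) < 0)
        return -1;
    sc->uid = other_account ? 65534 : geteuid();
    sc->gid = other_account ? 65534 : getegid();
    return 0;
}

int main(void)
{
    struct scenario sc;
    int fd;

    if (make_scenario(&sc, 0) != 0)
        return 1;
    /* Checked against the process itself: succeeds when the process is root. */
    fd = open(sc.link_path, O_RDONLY);
    printf("plain open        : %s\n", fd >= 0 ? "opened" : strerror(errno));
    if (fd >= 0)
        close(fd);
    /* Checked against the account: refused, symlink or not. */
    fd = open_as_user(sc.link_path, sc.uid, sc.gid);
    printf("open as uid %ld : %s\n", (long)sc.uid,
           fd >= 0 ? "opened" : strerror(errno));
    if (fd >= 0)
        close(fd);
    return 0;
}
```

Run as root, the two lines differ, which is the disclosure the advisory describes; run unprivileged, both opens are refused.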
--- Begin Message ---
Source: dropbear
Source-Version: 2016.74-5

We believe that the bug you reported is fixed in the latest version of
dropbear, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 862...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin  (supplier of updated dropbear package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Fri, 19 May 2017 23:41:21 +0200
Source: dropbear
Binary: dropbear-bin dropbear-run dropbear-initramfs dropbear
Architecture: source amd64 all
Version: 2016.74-5
Distribution: unstable
Urgency: high
Maintainer: Guilhem Moulin 
Changed-By: Guilhem Moulin 
Description:
 dropbear   - transitional dummy package for dropbear-{run,initramfs}
 dropbear-bin - lightweight SSH2 server and client - command line tools
 dropbear-initramfs - lightweight SSH2 server and client - initramfs integration
 dropbear-run - lightweight SSH2 server and client - startup scripts
Closes: 862970
Changes:
 dropbear (2016.74-5) unstable; urgency=high
 .
   * Backport security fixes from 2017.75 (closes: #862970):
 - CVE-2017-9078: Fix double-free in server TCP listener cleanup
   A double-free in the server could be triggered by an authenticated user
   if dropbear is running with -a (Allow connections to forwarded ports
   from any host) This could potentially allow arbitrary code execution as
   root by an authenticated user.
 - CVE-2017-9079: Fix information disclosure with ~/.ssh/authorized_keys
   symlink.
   Dropbear parsed authorized_keys as root, even if it were a symlink. The
   fix is to switch to user permissions when opening authorized_keys
   A user could symlink their ~/.ssh/authorized_keys to a root-owned file
   they couldn't 

Bug#862593: xarchiver: Adding files to .tar.xz deletes existing content

2017-05-19 Thread Markus Koschany
Am 19.05.2017 um 23:23 schrieb Chris Lamb:
> tags 862593 + patch
> thanks
> 
> The archive gets overwritten as the test to see whether it already exists
> (to determine whether to create a new one or simply add a new file) uses
> an escaped path.
> 
> Patch attached. 

I came to a similar conclusion but I wondered whether the real issue is
the wrongly escaped path.

I think this issue is related to #697493 where it was found that
archives with spaces could not be created. I tried to fix bug #862593 by
modifying line 372 in src/window.c in the xa_open_archive function.

    archive[current_page]->escaped_path =
        xa_escape_bad_chars (archive[current_page]->path,"$\'`\"\\!?* ()&|@#:;");

My solution was to change the line to

archive[current_page]->escaped_path = g_strdup(path);

This worked for all archives with special characters except the one
mentioned in this bug report with backslash and spaces.

I think escaping backslashes and spaces is not handled correctly
somewhere in the code but I have just briefly tested your patch and it
seems to do the trick.

Chris, could you cancel the NMU? I do the upload today after I have done
some more tests and credit you in the changelog. Thanks for the patch!

Regards,

Markus
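
The distinction this thread turns on, as an added example (not xarchiver code and not written by any poster): a backslash-escaped path is text for a shell command line, not a name on disk, so an existence test on it misses the archive, while an argv array handed to exec needs no escaping at all. escape_for_shell, choose_mode, run_argv and make_sample are hypothetical names, the file name is constructed, and test(1) is used as the external probe.

```c
/* Added example; not xarchiver code. Plain POSIX C, no GLib. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Character set taken from the xa_escape_bad_chars call quoted above. */
static const char BAD_CHARS[] = "$'`\"\\!?* ()&|@#:;";

/* Hypothetical stand-in for xa_escape_bad_chars: put a backslash in front of
 * every listed character. The caller frees the result. */
char *escape_for_shell(const char *s)
{
    char *out = malloc(2 * strlen(s) + 1), *p = out;
    if (out == NULL)
        return NULL;
    for (; *s != '\0'; s++) {
        if (strchr(BAD_CHARS, *s) != NULL)
            *p++ = '\\';
        *p++ = *s;
    }
    *p = '\0';
    return out;
}

enum add_mode { MODE_CREATE, MODE_APPEND };

/* The decision the existence test feeds: append to an archive that exists,
 * otherwise create (and so overwrite) it. */
enum add_mode choose_mode(const char *path_to_test)
{
    struct stat st;
    return stat(path_to_test, &st) == 0 ? MODE_APPEND : MODE_CREATE;
}

/* Run a program from an argv array with no shell in between: every element
 * reaches the child byte for byte. Returns the exit status, or -1. */
int run_argv(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                  /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed sample: an empty file whose name holds a space and a backslash,
 * in a fresh temporary directory. Writes the full path into buf. */
int make_sample(char *buf, size_t len)
{
    char dir[] = "/tmp/xa-demo-XXXXXX";
    int fd;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(buf, len, "%s/my \\archive.tar.xz", dir);
    fd = open(buf, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0)
        return -1;
    return close(fd);
}

int main(void)
{
    char raw[256];
    char *escaped;

    if (make_sample(raw, sizeof raw) != 0)
        return 1;
    escaped = escape_for_shell(raw);
    if (escaped == NULL)
        return 1;
    char *probe_raw[] = { "test", "-e", raw, NULL };
    char *probe_esc[] = { "test", "-e", escaped, NULL };

    printf("raw path     : %s\n", raw);
    printf("escaped path : %s\n", escaped);
    printf("mode via raw path     : %s\n",
           choose_mode(raw) == MODE_APPEND ? "append" : "create");
    printf("mode via escaped path : %s\n",
           choose_mode(escaped) == MODE_APPEND ? "append" : "create");
    printf("test -e <raw> via argv     -> exit %d\n", run_argv(probe_raw));
    printf("test -e <escaped> via argv -> exit %d\n", run_argv(probe_esc));
    free(escaped);
    return 0;
}
```

The "create" result for the escaped path is the branch that overwrote the existing archive in this bug.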







Processed: Re: xarchiver: Adding files to .tar.xz deletes existing content

2017-05-19 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 862593 + pending patch
Bug #862593 [xarchiver] xarchiver: Adding files to .tar.xz deletes existing 
content
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
862593: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862593
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#862593: xarchiver: Adding files to .tar.xz deletes existing content

2017-05-19 Thread Chris Lamb
tags 862593 + pending patch
thanks

I've uploaded xarchiver 0.5.4-6.1 to DELAYED/5:
  
  xarchiver (1:0.5.4-6.1) unstable; urgency=medium
  
    * Non-maintainer upload.
    * Fix data-loss issue where adding files to a tar-based archive removed all
      existing content when the target filename included shell metacharacters.
      The test to see whether it already existed to determine whether to create
      a new archive or simply add a new file incorrectly used an escaped path.
      (Closes: #862593)

The full debdiff is attached.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-
diffstat for xarchiver-0.5.4 xarchiver-0.5.4

 changelog |   11 +++
 patches/pass-unescaped-filenames-to-g_file_test.patch |   61 ++
 patches/series|1 
 3 files changed, 73 insertions(+)

diff -Nru xarchiver-0.5.4/debian/changelog xarchiver-0.5.4/debian/changelog
--- xarchiver-0.5.4/debian/changelog2017-01-04 16:10:53.0 +0100
+++ xarchiver-0.5.4/debian/changelog2017-05-19 23:25:18.0 +0200
@@ -1,3 +1,14 @@
+xarchiver (1:0.5.4-6.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix data-loss issue where adding files to a tar-based archive removed all
+existing content when the target filename included shell metacharacters.
+The test to see whether it already existed to determine whether to create
+a new archive or simply add a new file incorrectly used an escaped path.
+(Closes: #862593)
+
+ -- Chris Lamb   Fri, 19 May 2017 23:25:18 +0200
+
 xarchiver (1:0.5.4-6) unstable; urgency=medium
 
   * Suggest binutils because it provides the ar command which is required for
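Review bot: the new 1:0.5.4-6.1 entry does not name the patch file this upload adds. A line such as "Add pass-unescaped-filenames-to-g_file_test.patch" in the entry lets a reader go from the changelog to debian/patches/series without opening the debdiff.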
diff -Nru 
xarchiver-0.5.4/debian/patches/pass-unescaped-filenames-to-g_file_test.patch 
xarchiver-0.5.4/debian/patches/pass-unescaped-filenames-to-g_file_test.patch
--- 
xarchiver-0.5.4/debian/patches/pass-unescaped-filenames-to-g_file_test.patch
1970-01-01 01:00:00.0 +0100
+++ 
xarchiver-0.5.4/debian/patches/pass-unescaped-filenames-to-g_file_test.patch
2017-05-19 23:25:18.0 +0200
@@ -0,0 +1,61 @@
+Description: Pass unescaped filenames to g_file_test
+Author: Chris Lamb 
+Last-Update: 2017-05-19
+Debian-Bug: #862593
+
+--- xarchiver-0.5.4.orig/src/tar.c
 xarchiver-0.5.4/src/tar.c
+@@ -197,7 +197,7 @@ void xa_tar_add (XArchive *archive,GStri
+   switch (archive->type)
+   {
+   case XARCHIVETYPE_TAR:
+-  if ( g_file_test (archive->escaped_path,G_FILE_TEST_EXISTS))
++  if ( g_file_test (archive->path,G_FILE_TEST_EXISTS))
+   command = g_strconcat (tar, " ",
+   
archive->add_recurse ? "" : "--no-recursion ",
+   
archive->remove_files ? "--remove-files " : "",
+@@ -213,7 +213,7 @@ void xa_tar_add (XArchive *archive,GStri
+   break;
+ 
+   case XARCHIVETYPE_TAR_BZ2:
+-  if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) 
)
++  if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) )
+   xa_add_delete_bzip2_gzip_lzma_compressed_tar 
(files,archive,1);
+   else
+   command = g_strconcat (tar, " ",
+@@ -224,7 +224,7 @@ void xa_tar_add (XArchive *archive,GStri
+   break;
+ 
+   case XARCHIVETYPE_TAR_GZ:
+-  if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) 
)
++  if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) )
+   xa_add_delete_bzip2_gzip_lzma_compressed_tar 
(files,archive,1);
+   else
+   command = g_strconcat (tar, " ",
+@@ -235,7 +235,7 @@ void xa_tar_add (XArchive *archive,GStri
+   break;
+   
+   case XARCHIVETYPE_TAR_LZMA:
+-  if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) 
)
++  if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) )
+   xa_add_delete_bzip2_gzip_lzma_compressed_tar 
(files,archive,1);
+   else
+   command = g_strconcat (tar, " ",
+@@ -246,7 +246,7 @@ void xa_tar_add (XArchive *archive,GStri
+   break;
+   
+   case XARCHIVETYPE_TAR_XZ:
+-  if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) 
)
++  if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) )
+   xa_add_delete_bzip2_gzip_lzma_compressed_tar 
(files,archive,1);
+   else
+   command = g_strconcat (tar, " ",
+@@ -257,7 +257,7 @@ void xa_tar_add (XArchive *archive,GStri
+   break;
+   
+   
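Review bot: in the header of the new patch file, "Debian-Bug: #862593" is not a field DEP-3 defines. The bug reference belongs in "Bug-Debian: https://bugs.debian.org/862593", and a "Forwarded:" line would record whether upstream has been sent the fix.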

Bug#862593: xarchiver: Adding files to .tar.xz deletes existing content

2017-05-19 Thread Chris Lamb
tags 862593 + patch
thanks

The archive gets overwritten as the test to see whether it already exists
(to determine whether to create a new one or simply add a new file) uses
an escaped path.

Patch attached. 


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-
diff --git a/src/tar.c b/src/tar.c
index b7d23f8..bd035ca 100644
--- a/src/tar.c
+++ b/src/tar.c
@@ -197,7 +197,7 @@ void xa_tar_add (XArchive *archive,GString *files,gchar 
*compression_string)
switch (archive->type)
{
case XARCHIVETYPE_TAR:
-   if ( g_file_test (archive->escaped_path,G_FILE_TEST_EXISTS))
+   if ( g_file_test (archive->path,G_FILE_TEST_EXISTS))
command = g_strconcat (tar, " ",

archive->add_recurse ? "" : "--no-recursion ",

archive->remove_files ? "--remove-files " : "",
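Review bot: in the XARCHIVETYPE_TAR case the existence test now takes archive->path, while the command on the next line is still assembled into one string with g_strconcat, so the two fields serve different consumers and nothing in the code says so. A comment here or at the struct stating that path is for filesystem calls and escaped_path only for command strings would keep the next g_file_test call from repeating the mistake.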
@@ -213,7 +213,7 @@ void xa_tar_add (XArchive *archive,GString *files,gchar 
*compression_string)
break;
 
case XARCHIVETYPE_TAR_BZ2:
-   if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) 
)
+   if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) )
xa_add_delete_bzip2_gzip_lzma_compressed_tar 
(files,archive,1);
else
command = g_strconcat (tar, " ",
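Review bot: the condition g_file_test ( archive->path , G_FILE_TEST_EXISTS ) is repeated verbatim in every case of this switch, starting here with XARCHIVETYPE_TAR_BZ2. Evaluating it once into a gboolean before the switch leaves a single place where the argument has to be right.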
@@ -224,7 +224,7 @@ void xa_tar_add (XArchive *archive,GString *files,gchar 
*compression_string)
break;
 
case XARCHIVETYPE_TAR_GZ:
-   if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) 
)
+   if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) )
xa_add_delete_bzip2_gzip_lzma_compressed_tar 
(files,archive,1);
else
command = g_strconcat (tar, " ",
@@ -235,7 +235,7 @@ void xa_tar_add (XArchive *archive,GString *files,gchar 
*compression_string)
break;

case XARCHIVETYPE_TAR_LZMA:
-   if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) 
)
+   if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) )
xa_add_delete_bzip2_gzip_lzma_compressed_tar 
(files,archive,1);
else
command = g_strconcat (tar, " ",
@@ -246,7 +246,7 @@ void xa_tar_add (XArchive *archive,GString *files,gchar 
*compression_string)
break;

case XARCHIVETYPE_TAR_XZ:
-   if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) 
)
+   if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) )
xa_add_delete_bzip2_gzip_lzma_compressed_tar 
(files,archive,1);
else
command = g_strconcat (tar, " ",
@@ -257,7 +257,7 @@ void xa_tar_add (XArchive *archive,GString *files,gchar 
*compression_string)
break;

case XARCHIVETYPE_TAR_LZOP:
-   if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) 
)
+   if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) )
xa_add_delete_bzip2_gzip_lzma_compressed_tar 
(files,archive,1);
else
command = g_strconcat (tar, " ",
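Review bot: G_FILE_TEST_EXISTS in the XARCHIVETYPE_TAR_LZOP case, as in the cases above it, is also true for a directory or other non-regular file, which would send xa_add_delete_bzip2_gzip_lzma_compressed_tar down the branch meant for an existing archive. G_FILE_TEST_IS_REGULAR states the intent more exactly.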


Processed: Re: xarchiver: Adding files to .tar.xz deletes existing content

2017-05-19 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 862593 + patch
Bug #862593 [xarchiver] xarchiver: Adding files to .tar.xz deletes existing 
content
Added tag(s) patch.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
862593: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862593
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#861298: Location of sample ogg file

2017-05-19 Thread Petter Reinholdtsen
[Adrian Bunk]
> I am not a release manager, but the sid tag that I am setting with
> this email should do what you want.

Thank you very much.
-- 
Happy hacking
Petter Reinholdtsen



Bug#861298: Location of sample ogg file

2017-05-19 Thread Ron
On Fri, May 19, 2017 at 10:04:20PM +0200, Petter Reinholdtsen wrote:
> 
> [Georges Racinet]
> > I don't really have insight on the best place to put a sample ogg file ;
> > in the meanwhile, that one is now in python-pygame-doc, and the attached
> > patch fixes the FTBFS for me. Hoping this short-term fix can be
> > useful.
> 
> Thank you for investigating.  The patch looks good, but I believe it can
> not be applied right away, due to issues with other packages.  I'll try
> to explain.
> 
> The problem at hand seems to be that pygame in unstable (but not testing)
> changed[1], and introduced a new python-pygame-doc with the file we use
> in oggvideotools to get a random sample ogg file, causing the build of
> oggvideotools to fail.  The build failure is only in unstable, and does
> not affect testing.  The new version of pygame is unlikely to make it
> into testing because it contains too many changes.  We want to make sure
> any new uploads of oggvideotools done to unstable are suitable for
> testing, and thus can not change the build dependency to include the
> python-pygame-doc package that is missing in testing.
> 
>  [1] 
> http://metadata.ftp-master.debian.org/changelogs/main/p/pygame/unstable_changelog
> 
> I suspect the two options we have are (1) find another package with a
> sample ogg file to use during the self testing or (2) generate an ogg
> file on the fly to do the self testing.  Any suggestions for (1) or (2)?

What's wrong with just adding one to the package for the test?
It doesn't have to be generated on the fly, just make (or take)
a suitable one and include it in the debian source.



Bug#862999: totem: crash of totem about join-packages at the start of "vidéos" (french version)

2017-05-19 Thread Benoit
Package: totem
Version: 3.14.0-2
Severity: grave
Tags: newcomer
Justification: renders package unusable

Dear Maintainer,

   * What led up to the situation?
Nothing, an utilisation "standard" of Debian, watch films on HDD, or
videos on youtube, for example.
   * What exactly did you do (or not do) that was effective (or
 ineffective)?
   * What was the outcome of this action?
I can't read any downloaded video on the computer with "vidéos"
(french version), but everything is ok with VLC player. So, seemingly, codecs
are operational on my computer.
   * What outcome did you expect instead?
A standard start of totem, without error message.



-- System Information:
Debian Release: 8.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages totem depends on:
ii  gnome-icon-theme                        3.12.0-1
ii  gnome-icon-theme-symbolic               3.12.0-1
ii  grilo-plugins-0.2                       0.2.13-3
ii  gsettings-desktop-schemas               3.14.1-1
ii  gstreamer1.0-clutter                    2.0.12-1
ii  gstreamer1.0-plugins-bad                1.4.4-2.1+deb8u2
ii  gstreamer1.0-plugins-base               1.4.4-2+deb8u1
ii  gstreamer1.0-plugins-good               1.4.4-2+deb8u3
ii  gstreamer1.0-x                          1.4.4-2+deb8u1
ii  libatk1.0-0                             2.14.0-1
ii  libc6                                   2.19-18+deb8u9
ii  libcairo-gobject2                       1.14.0-2.1+deb8u2
ii  libcairo2                               1.14.0-2.1+deb8u2
ii  libclutter-1.0-0                        1.20.0-1
ii  libclutter-gst-2.0-0                    2.0.12-1
ii  libclutter-gtk-1.0-0                    1.6.0-1
ii  libcogl-pango20                         1.18.2-3
ii  libcogl-path20                          1.18.2-3
ii  libcogl20                               1.18.2-3
ii  libdrm2                                 2.4.58-2
ii  libegl1-mesa [libegl1-x11]              10.3.2-1+deb8u1
ii  libgbm1                                 10.3.2-1+deb8u1
ii  libgdk-pixbuf2.0-0                      2.31.1-2+deb8u5
ii  libgirepository-1.0-1                   1.42.0-2.2
ii  libglib2.0-0                            2.42.1-1+b1
ii  libgnome-desktop-3-10                   3.14.1-1
ii  libgrilo-0.2-1                          0.2.11-2
ii  libgstreamer-plugins-base1.0-0          1.4.4-2+deb8u1
ii  libgstreamer1.0-0                       1.4.4-2+deb8u1
ii  libgtk-3-0                              3.14.5-1+deb8u1
ii  libjson-glib-1.0-0                      1.0.2-1
ii  libnautilus-extension1a                 3.14.1-2
ii  libpango-1.0-0                          1.36.8-3
ii  libpangocairo-1.0-0                     1.36.8-3
ii  libpeas-1.0-0                           1.12.1-2
ii  libtotem-plparser18                     3.10.3-1
ii  libtotem0                               3.14.0-2
ii  libwayland-client0                      1.6.0-2
ii  libwayland-cursor0                      1.6.0-2
ii  libwayland-egl1-mesa [libwayland-egl1]  10.3.2-1+deb8u1
ii  libwayland-server0                      1.6.0-2
ii  libx11-6                                2:1.6.2-3
ii  libxcomposite1                          1:0.4.4-1
ii  libxdamage1                             1:1.1.4-2+b1
ii  libxext6                                2:1.3.3-1
ii  libxfixes3                              1:5.0.1-2+b2
ii  libxi6                                  2:1.7.4-1+b2
ii  libxkbcommon0                           0.4.3-2
ii  libxml2                                 2.9.1+dfsg1-5+deb8u4
ii  libxrandr2                              2:1.4.2-1+b1
pn  python:any
ii  totem-common                            3.14.0-2

Versions of packages totem recommends:
ii  gstreamer1.0-libav         1.4.4-2
ii  gstreamer1.0-plugins-ugly  1.4.4-2+deb8u1
ii  gstreamer1.0-pulseaudio    1.4.4-2+deb8u3
ii  totem-plugins              3.14.0-2

Versions of packages totem suggests:
pn  gnome-codec-install  

-- no debconf information



Bug#861298: Location of sample ogg file

2017-05-19 Thread Adrian Bunk
Control: tags -1 sid

On Fri, May 19, 2017 at 10:04:20PM +0200, Petter Reinholdtsen wrote:
>...
> The bug version information here is problematic, as the problem is with
> the version currently in testing and unstable, but the problem only
> exists in unstable.  And as long as the bug is flagged as valid for the
> version in unstable, it will cause oggvideotools to be removed from
> testing, even though the problem does not exist there.

No, it only gets removed if the bug is according to the BTS present
in *stretch*.

> CC to the release managers, in case any of you have a tip on how to best
> handle this?  Perhaps tag it to ignore this bug in stretch?

I am not a release manager, but the sid tag that I am setting with this 
email should do what you want.

> Happy hacking
> Petter Reinholdtsen

cu
Adrian

-- 

   "Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
   "Only a promise," Lao Er said.
   Pearl S. Buck - Dragon Seed



Processed: Re: Bug#861298: Location of sample ogg file

2017-05-19 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 sid
Bug #861298 [src:oggvideotools] oggvideotools: FTBFS: can not open file 
 for reading
Added tag(s) sid.

-- 
861298: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861298
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#848060: Pending fixes for bugs in the libx11-protocol-other-perl package

2017-05-19 Thread pkg-perl-maintainers
tag 848060 + pending
thanks

Some bugs in the libx11-protocol-other-perl package are closed in
revision 87510aa1c0b37c61f7ed2b395a0f5ebed75a6ca1 in branch 'jessie'
by gregor herrmann

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-perl/packages/libx11-protocol-other-perl.git/commit/?id=87510aa

Commit message:

Disable t/XSetRoot.t during build and autopkgtest.

This test is known to have problems with xvfb.

Thanks: Santiago Vila for the bug report.
Closes: #848060



Processed: Pending fixes for bugs in the libx11-protocol-other-perl package

2017-05-19 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tag 848060 + pending
Bug #848060 {Done: gregor herrmann } 
[src:libx11-protocol-other-perl] libx11-protocol-other-perl: FTBFS randomly 
(failing tests)
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
848060: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848060
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#861298: Location of sample ogg file

2017-05-19 Thread Petter Reinholdtsen

[Georges Racinet]
> I don't really have insight on the best place to put a sample ogg file ;
> in the meanwhile, that one is now in python-pygame-doc, and the attached
> patch fixes the FTBFS for me. Hoping this short-term fix can be
> useful.

Thank you for investigating.  The patch looks good, but I believe it can
not be applied right away, due to issues with other packages.  I'll try
to explain.

The problem at hand seems to be that pygame in unstable (but not testing)
changed[1], and introduced a new python-pygame-doc with the file we use
in oggvideotools to get a random sample ogg file, causing the build of
oggvideotools to fail.  The build failure is only in unstable, and does
not affect testing.  The new version of pygame is unlikely to make it
into testing because it contains too many changes.  We want to make sure
any new uploads of oggvideotools done to unstable are suitable for
testing, and thus can not change the build dependency to include the
python-pygame-doc package that is missing in testing.

 [1] 
http://metadata.ftp-master.debian.org/changelogs/main/p/pygame/unstable_changelog

I suspect the two options we have are (1) find another package with a
sample ogg file to use during the self testing or (2) generate an ogg
file on the fly to do the self testing.  Any suggestions for (1) or (2)?

The bug version information here is problematic, as the problem is with
the version currently in testing and unstable, but the problem only
exists in unstable.  And as long as the bug is flagged as valid for the
version in unstable, it will cause oggvideotools to be removed from
testing, even though the problem does not exist there.

CC to the release managers, in case any of you have a tip on how to best
handle this?  Perhaps tag it to ignore this bug in stretch?

-- 
Happy hacking
Petter Reinholdtsen



Processed: tagging 834961

2017-05-19 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 834961 + sid stretch
Bug #834961 {Done: Niko Tyni } [src:libvitacilina-perl] 
libvitacilina-perl: FTBFS too much often (configure fails)
Added tag(s) stretch and sid.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
834961: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=834961
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#862689: marked as done (flightgear: CVE-2017-8921)

2017-05-19 Thread Debian Bug Tracking System
Your message dated Fri, 19 May 2017 19:48:41 +
with message-id 
and subject line Bug#862689: fixed in flightgear 1:2016.4.4+dfsg-3
has caused the Debian Bug report #862689,
regarding flightgear: CVE-2017-8921
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
862689: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862689
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: flightgear
Version: 1:2016.4.4+dfsg-2
Severity: grave
Tags: upstream patch security
Control: found -1 3.0.0-5

Hi,

the following vulnerability was published for flightgear.

CVE-2017-8921[0]:
| In FlightGear before 2017.2.1, the FGCommand interface allows
| overwriting any file the user has write access to, but not with
| arbitrary data: only with the contents of a FlightGear flightplan
| (XML). A resource such as a malicious third-party aircraft could
| exploit this to damage files belonging to the user. Both this issue and
| CVE-2016-9956 are directory traversal vulnerabilities in
| Autopilot/route_mgr.cxx - this one exists because of an incomplete fix
| for CVE-2016-9956.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-8921
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8921

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: flightgear
Source-Version: 1:2016.4.4+dfsg-3

We believe that the bug you reported is fixed in the latest version of
flightgear, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 862...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dr. Tobias Quathamer  (supplier of updated flightgear package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 19 May 2017 21:10:15 +0200
Source: flightgear
Binary: flightgear
Architecture: source
Version: 1:2016.4.4+dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Debian FlightGear Crew 
Changed-By: Dr. Tobias Quathamer 
Description:
 flightgear - Flight Gear Flight Simulator
Closes: 862689
Changes:
 flightgear (1:2016.4.4+dfsg-3) unstable; urgency=medium
 .
   * Team upload.
   * Fix RouteMgr security: don't allow overwriting arbitrary files.
 This fixes CVE-2017-8921.
 Thanks to Salvatore Bonaccorso  (Closes: #862689)



Processed: Re: Bug#862987: browser-history: Is the package still working and useful?

2017-05-19 Thread Debian Bug Tracking System
Processing control commands:

> reassign -1 ftp.debian.org
Bug #862987 [browser-history] browser-history: Is the package still working and 
useful?
Bug reassigned from package 'browser-history' to 'ftp.debian.org'.
No longer marked as found in versions browser-history/2.8-21.
Ignoring request to alter fixed versions of bug #862987 to the same values 
previously set
> affects -1 browser-history
Bug #862987 [ftp.debian.org] browser-history: Is the package still working and 
useful?
Added indication that 862987 affects browser-history
> retitle -1 RM: browser-history -- RoM; no longer useful with modern browsers
Bug #862987 [ftp.debian.org] browser-history: Is the package still working and 
useful?
Changed Bug title to 'RM: browser-history -- RoM; no longer useful with modern 
browsers' from 'browser-history: Is the package still working and useful?'.

-- 
862987: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862987
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#862987: browser-history: Is the package still working and useful?

2017-05-19 Thread Colin Watson
Control: reassign -1 ftp.debian.org
Control: affects -1 browser-history
Control: retitle -1 RM: browser-history -- RoM; no longer useful with modern 
browsers

On Fri, May 19, 2017 at 07:31:35PM +0300, Adrian Bunk wrote:
> As observed by Salvo Tomaselli, the description says:
>  It works with: Netscape Navigator, Arena, and Amaya. Support for
>  `browser-history' can easily be added to other browsers, provided you can
>  program and have the browser sources.
> 
> This is either the (non-RC) issue of a completely outdated description
> or the package is now mostly useless.
> 
> Also looking at:
>  Browser-history came from the will to overcome a Netscape bug: there is no
>  global history, and if you close a window, its whole history is lost.
> 
> This might have been true in some (pre-Mozilla) versions of Netscape
> in the last millennium, but not during the past 15 years.

The facility that this package relies on no longer exists in the
post-Netscape Mozilla codebase, and won't be re-added:

  https://bugzilla.mozilla.org/show_bug.cgi?id=36925
  https://bugzilla.mozilla.org/show_bug.cgi?id=64598

(Chrome and Chromium similarly have no such facility.)

So yes, I agree that there's not much point keeping this around in the
archive out of nostalgia.  ftpmaster, please remove browser-history.

Thanks,

-- 
Colin Watson   [cjwat...@debian.org]



Bug#862987: browser-history: Is the package still working and useful?

2017-05-19 Thread Adrian Bunk
Package: browser-history
Version: 2.8-21
Severity: serious

As observed by Salvo Tomaselli, the description says:
 It works with: Netscape Navigator, Arena, and Amaya. Support for
 `browser-history' can easily be added to other browsers, provided you can
 program and have the browser sources.

This is either the (non-RC) issue of a completely outdated description
or the package is now mostly useless.

Also looking at:
 Browser-history came from the will to overcome a Netscape bug: there is no
 global history, and if you close a window, its whole history is lost.

This might have been true in some (pre-Mozilla) versions of Netscape
in the last millennium, but not during the past 15 years.



Bug#808454: Pending fixes for bugs in the libdata-faker-perl package

2017-05-19 Thread pkg-perl-maintainers
tag 808454 + pending
thanks

Some bugs in the libdata-faker-perl package are closed in revision
1a8cf729f766d595328a38a59ed15d5de6795848 in branch '  jessie' by
gregor herrmann

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-perl/packages/libdata-faker-perl.git/commit/?id=1a8cf72

Commit message:

Set C locale for tests.

Thanks: Chris Lamb for the bug report.
Closes: #808454



Processed: Pending fixes for bugs in the libdata-faker-perl package

2017-05-19 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tag 808454 + pending
Bug #808454 {Done: gregor herrmann } 
[src:libdata-faker-perl] libdata-faker-perl: FTBFS under some locales (eg. 
fr_CH.UTF-8)
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
808454: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808454
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#862970: dropbear-bin: Double-free in server TCP listener cleanup; information disclosure with ~/.ssh/authorized_keys symlink

2017-05-19 Thread Debian Bug Tracking System
Processing control commands:

> retitle -1 dropbear: Double-free in server TCP listener cleanup 
> (CVE-2017-9078); information disclosure with ~/.ssh/authorized_keys symlink 
> (CVE-2017-9079)
Bug #862970 [dropbear] dropbear-bin: Double-free in server TCP listener 
cleanup; information disclosure with ~/.ssh/authorized_keys symlink
Changed Bug title to 'dropbear: Double-free in server TCP listener cleanup 
(CVE-2017-9078); information disclosure with ~/.ssh/authorized_keys symlink 
(CVE-2017-9079)' from 'dropbear-bin: Double-free in server TCP listener 
cleanup; information disclosure with ~/.ssh/authorized_keys symlink'.

-- 
862970: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862970
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#862970: dropbear-bin: Double-free in server TCP listener cleanup; information disclosure with ~/.ssh/authorized_keys symlink

2017-05-19 Thread Salvatore Bonaccorso
Control: retitle -1 dropbear: Double-free in server TCP listener cleanup 
(CVE-2017-9078); information disclosure with ~/.ssh/authorized_keys symlink 
(CVE-2017-9079)

Two CVEs were assigned for the two issues, retitling the bug
accordingly.

Regards,
Salvatore



Bug#824936: Pending fixes for bugs in the libsys-syscall-perl package

2017-05-19 Thread pkg-perl-maintainers
tag 824843 + pending
tag 824936 + pending
tag 826136 + pending
thanks

Some bugs in the libsys-syscall-perl package are closed in revision
154cbe339a1ff967c2c825df4dbf7407c6c91030 in branch '  jessie' by
gregor herrmann

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-perl/packages/libsys-syscall-perl.git/commit/?id=154cbe3

Commit message:

Add patches (from -3, -4, and -6) to support more architectures.

aarch64.patch, hppa.patch, mips.patch, ppc64le.patch, s390x.patch.

Closes: #824843, #824936, #826136



Processed (with 1 error): Pending fixes for bugs in the libsys-syscall-perl package

2017-05-19 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tag 824843 + pending
Bug #824843 {Done: Niko Tyni } [libsys-syscall-perl] 
libsys-syscall-perl: FTBFS on arm64: test suite failures
Added tag(s) pending.
> tag 824936 + pending
Bug #824936 {Done: Niko Tyni } [libsys-syscall-perl] 
libsys-syscall-perl: FTBFS on mips*: test failures
Added tag(s) pending.
> tag 826136 + pending
Failed to alter tags of Bug 826136: Not altering archived bugs; see unarchive.

> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
824843: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824843
824936: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824936
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#858539: ca-certificates: Contains untrusted StartCom and WoSign certificates

2017-05-19 Thread Michael Shuler
On 05/19/2017 10:07 AM, Chris Lamb wrote:
> I've uploaded ca-certificates 20161130+nmu1 to DELAYED/5:
>   
>   ca-certificates (20161130+nmu1) unstable; urgency=medium
>   
> * Non-maintainer upload.
> * Add StartCom and WoSign certificates to mozilla/blacklist.txt as they 
> are
>   now untrusted by the major browser vendors. Closes: #858539

Thank you for the NMU, Chris, I'm good with that change.

-- 
Kind regards,
Michael






Processed: Re: ca-certificates: Contains untrusted StartCom and WoSign certificates

2017-05-19 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 858539 + pending patch
Bug #858539 [ca-certificates] ca-certificates: Contains untrusted StartCom and 
WoSign certificates
Added tag(s) patch and pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
858539: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858539
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#858539: ca-certificates: Contains untrusted StartCom and WoSign certificates

2017-05-19 Thread Chris Lamb
tags 858539 + pending patch
thanks

I've uploaded ca-certificates 20161130+nmu1 to DELAYED/5:
  
  ca-certificates (20161130+nmu1) unstable; urgency=medium
  
* Non-maintainer upload.
* Add StartCom and WoSign certificates to mozilla/blacklist.txt as they are
  now untrusted by the major browser vendors. Closes: #858539

The full debdiff is attached.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-
diffstat for ca-certificates-20161130 ca-certificates-20161130+nmu1

 debian/changelog  |8 
 mozilla/blacklist.txt |   16 
 2 files changed, 24 insertions(+)

diff -Nru ca-certificates-20161130/debian/changelog 
ca-certificates-20161130+nmu1/debian/changelog
--- ca-certificates-20161130/debian/changelog   2016-12-01 04:20:53.0 
+0100
+++ ca-certificates-20161130+nmu1/debian/changelog  2017-05-19 
16:53:16.0 +0200
@@ -1,3 +1,11 @@
+ca-certificates (20161130+nmu1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add StartCom and WoSign certificates to mozilla/blacklist.txt as they are
+now untrusted by the major browser vendors. Closes: #858539
+
+ -- Chris Lamb   Fri, 19 May 2017 16:53:16 +0200
+
 ca-certificates (20161130) unstable; urgency=medium
 
   [ Philipp Kern ]
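
Review bot: the new entry at the top of debian/changelog says certificates are added to mozilla/blacklist.txt but does not name the six labels or state that chains to these roots will stop validating once the package is upgraded. For a trust-store change made by NMU, listing the labels in the entry, or pointing at the comment block in blacklist.txt, lets administrators judge the impact from the changelog alone.
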
diff -Nru ca-certificates-20161130/mozilla/blacklist.txt 
ca-certificates-20161130+nmu1/mozilla/blacklist.txt
--- ca-certificates-20161130/mozilla/blacklist.txt  2016-11-03 
08:40:01.0 +0100
+++ ca-certificates-20161130+nmu1/mozilla/blacklist.txt 2017-05-19 
16:53:16.0 +0200
@@ -5,3 +5,19 @@
 
 # DigiNotar Root CA (see debbug#639744)
 "DigiNotar Root CA"
+
+# StartCom and WoSign certificates are now untrusted by the major browser
+# vendors[0]. See [1] for discussion. The list was generated by:
+#
+#   $ egrep 'WoSign|StartCom' mozilla/certdata.txt \
+# | grep UTF | sed 's/CKA_LABEL UTF8 //' | uniq
+#
+# [0] 
https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
+# [1] https://bugs.debian.org/858539
+#
+"StartCom Certification Authority"
+"StartCom Certification Authority G2"
+"WoSign"
+"WoSign China"
+"Certification Authority of WoSign G2"
+"CA WoSign ECC Root"
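
Review bot: the comment added above the six labels justifies the blacklisting with [0], whose URL is about distrusting new WoSign and StartCom certificates, while an entry in blacklist.txt drops the whole root, so certificates issued earlier stop validating as well; the comment should say that full removal is intended and why. The recorded generation command also pipes into uniq without a preceding sort, which only collapses adjacent duplicates, and selects labels by substring match on 'WoSign|StartCom', so it is worth noting in the comment that the resulting list was checked by hand against mozilla/certdata.txt.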


Processed: Pending fixes for bugs in the libhttp-proxy-perl package

2017-05-19 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tag 788350 + pending
Bug #788350 {Done: gregor herrmann } [libhttp-proxy-perl] 
libhttp-proxy-perl: FTBFS - proxy tests
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
788350: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=788350
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#788350: Pending fixes for bugs in the libhttp-proxy-perl package

2017-05-19 Thread pkg-perl-maintainers
tag 788350 + pending
thanks

Some bugs in the libhttp-proxy-perl package are closed in revision
60f02b77031754872d0823543302255350d0754b in branch '  jessie' by
gregor herrmann

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-perl/packages/libhttp-proxy-perl.git/commit/?id=60f02b7

Commit message:

Add patch to fix broken custom 'via' handling.

(Patch taken from upstream release 0.304.)

Closes: #788350



Bug#857986: npm: This pakcage is 3 years old? (consider removal)

2017-05-19 Thread Riku Voipio
On Fri, May 19, 2017 at 12:15:32PM +0200, Jérémy Lal wrote:
> 2017-05-19 12:07 GMT+02:00 Riku Voipio :
> 
> > Jérémy Lal:
> > > To others, preoccupied that npm won't be available in debian:
> > > - please help with npm maintenance
> > > - hopefully we'll make an updated version installable through debian
> > backports
> >
> > Are there any complications to building npm as part of nodejs package?
> >

> There are complications to distributing npm: it depends on a LOT of
> modules, which
> means it requires a lot of debian-maintainer time to package, and update.
> Using the upstream nodejs tarball as source for npm or the upstream npm
> tarball
> does not change anything about that.

Ok, thanks for clarifying.

Riku



Processed: tagging 862970

2017-05-19 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 862970 + upstream fixed-upstream
Bug #862970 [dropbear] dropbear-bin: Double-free in server TCP listener 
cleanup; information disclosure with ~/.ssh/authorized_keys symlink
Added tag(s) upstream and fixed-upstream.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
862970: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862970
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: retitle 788350 to libhttp-proxy-perl: FTBFS - proxy tests

2017-05-19 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 788350 libhttp-proxy-perl: FTBFS - proxy tests
Bug #788350 {Done: gregor herrmann } [libhttp-proxy-perl] 
FTBFS - proxy tests
Changed Bug title to 'libhttp-proxy-perl: FTBFS - proxy tests' from 'FTBFS - 
proxy tests'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
788350: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=788350
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Version tracking fix

2017-05-19 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> found 862970 2013.60-1
Bug #862970 [dropbear] dropbear-bin: Double-free in server TCP listener 
cleanup; information disclosure with ~/.ssh/authorized_keys symlink
Marked as found in versions dropbear/2013.60-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
862970: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862970
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: your mail

2017-05-19 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 858250 Fails to build for unstable, build-depends not strict enough
Bug #858250 [runc] Fails to build for stretch, build-depends not strict enough
Bug #861966 [runc] Fails to build for sid, build-depends not strict enough
Changed Bug title to 'Fails to build for unstable, build-depends not strict 
enough' from 'Fails to build for stretch, build-depends not strict enough'.
Changed Bug title to 'Fails to build for unstable, build-depends not strict 
enough' from 'Fails to build for sid, build-depends not strict enough'.
> affects 858250 +sid
Bug #858250 [runc] Fails to build for unstable, build-depends not strict enough
Bug #861966 [runc] Fails to build for unstable, build-depends not strict enough
Added indication that 858250 affects sid
Added indication that 861966 affects sid
> affects 858250 +unstable
Bug #858250 [runc] Fails to build for unstable, build-depends not strict enough
Bug #861966 [runc] Fails to build for unstable, build-depends not strict enough
Added indication that 858250 affects unstable
Added indication that 861966 affects unstable
> tag 858250 +sid
Bug #858250 [runc] Fails to build for unstable, build-depends not strict enough
Bug #861966 [runc] Fails to build for unstable, build-depends not strict enough
Added tag(s) sid.
Added tag(s) sid.
>
End of message, stopping processing here.

Please contact me if you need assistance.
-- 
858250: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858250
861966: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861966
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#861953: unblock: runc/0.1.1+dfsg1-3

2017-05-19 Thread Debian Bug Tracking System
Processing control commands:

> tag 858250 -pending
Bug #858250 [runc] Fails to build for stretch, build-depends not strict enough
Bug #861966 [runc] Fails to build for sid, build-depends not strict enough
Removed tag(s) pending.
Removed tag(s) pending.
> affects 858250 -stretch +sid
Bug #858250 [runc] Fails to build for stretch, build-depends not strict enough
Bug #861966 [runc] Fails to build for sid, build-depends not strict enough
Removed indication that 858250 affects stretch
Removed indication that 861966 affects stretch
> notfound 858250 0.1.1+dfsg1-2
Bug #858250 [runc] Fails to build for stretch, build-depends not strict enough
Bug #861966 [runc] Fails to build for sid, build-depends not strict enough
No longer marked as found in versions runc/0.1.1+dfsg1-2.
No longer marked as found in versions runc/0.1.1+dfsg1-2.

-- 
858250: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858250
861966: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861966
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#858250: Bug#861953: unblock: runc/0.1.1+dfsg1-3

2017-05-19 Thread Roger Shimizu
control: tag 858250 -pending
control: affects 858250 -stretch +sid
control: notfound 858250 0.1.1+dfsg1-2

On Thu, 18 May 2017 12:48:11 +0100
Jonathan Wiltshire  wrote:

> Control: tag -1 wontfix moreinfo
> 
> Hi,
> 
> On 2017-05-08 00:40, Roger Shimizu wrote:
> > Since you say it should fix unstable first, then stretch or t-p-u,
> > now I think we may just leave runc/0.1.1+dfsg1-2 (current in stretch)
> > as it is in stretch. Because it builds OK (without FTBFS) for stretch.
> > The #858250 FTBFS only occurs on unstable.
> 
> If runc currently builds in stretch, there is no need to touch it (and 
> #858250 should be tagged 'sid').
> 
> It's not clear from #858250 if that is actually the case or not though.

Thanks for your explanation!

Yes, it builds well in stretch.
I did a s/unstable/testing/ for latest changelog, and upload it to DoM:
  
http://debomatic-amd64.debian.net/distribution#testing/runc/0.1.1+dfsg1-2/buildlog

So I close the unblock request, and mark the original bug only affects unstable.
It's not a RC for stretch.

Cheers,
-- 
Roger Shimizu, GMT +9 Tokyo
PGP/GPG: 4096R/6C6ACD6417B3ACB1




Bug#862970: dropbear-bin: Double-free in server TCP listener cleanup; information disclosure with ~/.ssh/authorized_keys symlink

2017-05-19 Thread Guilhem Moulin
Package: dropbear
Version: 2014.65-1+deb8u2
Severity: grave
Tags: security
Justification: user security hole

dropbear 2017.75 was released [0] on May 18 and fixes the following two
security vulnerabilities, for which no CVE was assigned yet AFAIK [1].

- Security: Fix double-free in server TCP listener cleanup
  A double-free in the server could be triggered by an authenticated
  user if dropbear is running with -a (Allow connections to
  forwarded ports from any host) This could potentially allow
  arbitrary code execution as root by an authenticated user.
  Affects versions 2013.56 to 2016.74. Thanks to Mark Shepard for
  reporting the crash.

Patch: https://secure.ucc.asn.au/hg/dropbear/rev/c8114a48837c

- Security: Fix information disclosure with ~/.ssh/authorized_keys
  symlink.
  Dropbear parsed authorized_keys as root, even if it were a
  symlink. The fix is to switch to user permissions when opening
  authorized_keys

  A user could symlink their ~/.ssh/authorized_keys to a root-owned
  file they couldn't normally read. If they managed to get that file
  to contain valid authorized_keys with command= options it might be
  possible to read other contents of that file.
  This information disclosure is to an already authenticated user.
  Thanks to Jann Horn of Google Project Zero for reporting this.

Patch: https://secure.ucc.asn.au/hg/dropbear/rev/0d889b068123

-- 
Guilhem.

[0] http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2017q2/001985.html
https://matt.ucc.asn.au/dropbear/CHANGES (currently yields 403)
[1] http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2017q2/001987.html




Bug#861112: xsane: always crashes on start

2017-05-19 Thread Aaro Koskinen
Hi,

On Fri, May 19, 2017 at 11:44:56AM +0200, Wolfgang Schweer wrote:
> On Fri, May 19, 2017 at 09:47:51AM +0200, John Paul Adrian Glaubitz wrote:
> > On 05/17/2017 10:57 PM, Andreas Henriksson wrote:
> > >> It's disabling Avahi support (I don't have such daemon)
> 
> IMO a daemon isn't needed, that might be a misleading debug message. On 
> my system (up-to-date stretch, GNOME) the package libavahi-client3 
> (Depends: libavahi-common3) is installed via libreoffice-draw / 
> libgnomevfs2-0 Depends -- and I'm unable to reproduce the bug. 
> 
> Maybe it would be sufficient to add libavahi-client3 (instead of 
> libavahi-common3) as a Depends to sane-utils to solve this problem.

Doesn't help:

$ sudo apt-get install libavahi-client3
Reading package lists... Done
Building dependency tree   
Reading state information... Done
libavahi-client3 is already the newest version (0.6.32-2).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
$ scanimage -L
scanimage: thread-watch.c:171: avahi_threaded_poll_lock: Assertion `p' failed.
Aborted
$ 

A.



Bug#862967: imagemagick: use of uninitialized memory in RLE decoder

2017-05-19 Thread Salvatore Bonaccorso
Source: imagemagick
Version: 8:6.9.7.4+dfsg-8
Severity: grave
Tags: security upstream patch

Hi

See 

https://scarybeastsecurity.blogspot.com/2017/05/bleed-continues-18-byte-file-14k-bounty.html

for details, which has been addressed via

https://github.com/ImageMagick/ImageMagick/commit/1c358ffe0049f768dd49a8a889c1cbf99ac9849b

Regards,
Salvatore



Bug#862400: several bios updates exist since 2007

2017-05-19 Thread Arturo Borrero Gonzalez
On Mon, 15 May 2017 13:56:24 +0200 Arturo Borrero Gonzalez
 wrote:
> (please keep me in CC)
>
> On Sat, 13 May 2017 06:16:44 +0200 franckr  wrote:
> > Hi Arturo,
> >
> > I cannot help for kernel, however, and you probably already know it:
> > Several bios updates became available since 10/04/2007 version.
> > Did you consider them ? (ie checking release logs)
> > Will you try ?
> >
>
> Sure, we are in the way of updating the BIOS.
>
> But the question remains, is this some kind of kernel regression?
>

We managed to upgrade the BIOS (not the last one, though).

Still no luck, kernel 4.9 doesn't boot while 4.7 does.



Processed: Pending fixes for bugs in the libhtml-microformats-perl package

2017-05-19 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tag 783656 + pending
Bug #783656 {Done: Jonas Smedegaard } 
[libhtml-microformats-perl] libhtml-microformats-perl: missing dependency on 
libmodule-pluggable-perl
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
783656: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783656
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#783656: Pending fixes for bugs in the libhtml-microformats-perl package

2017-05-19 Thread pkg-perl-maintainers
tag 783656 + pending
thanks

Some bugs in the libhtml-microformats-perl package are closed in
revision b07796c9f117f24155da70193c0cd818ede253f3 in branch ' 
jessie' by gregor herrmann

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-perl/packages/libhtml-microformats-perl.git/commit/?id=b07796c

Commit message:

Add buildtime and runtime dependency on libmodule-pluggable-perl.

Closes: #783656



Bug#861112: xsane: always crashes on start

2017-05-19 Thread Andreas Henriksson
Hello Adrian,

Thanks for looking at this again. More comments below.

On Fri, May 19, 2017 at 09:47:51AM +0200, John Paul Adrian Glaubitz wrote:
> But wouldn't that only address the symptoms instead of the actual cause
> of the problem? If I understood Laurent correctly, the NULL value of
> avahi_thread is a result of a race condition that can be avoided by
> calling net_avahi_init() later inside sane_init().

It might be that Laurent's fix should *also* go in. It might make things
work more often, but still...

The net_avahi_init() function handles failures by setting avahi_thread
(etc.) to NULL.

The caller of net_avahi_init() does nothing to catch when net_avahi_init()
returns failure (maybe this should be caught and handled here? But I assumed
it was considered ok for it to fail.)

Thus, if for ANY reason net_avahi_init() failed and we continue running
with avahi_thread==NULL, sane must make sure to not pass it to something
which does not accept a NULL argument, eg. the avahi lock functions.
Locking avahi when we're not using avahi at all is obviously not needed
as I see it.

Thus the patch I proposed. I'm not familiar with sane code so maybe this
is not the best fix, but either way Laurents change definitely doesn't
cover all theoretical bases (ie. it doesn't handle the failure, just
possibly makes failure happen less often)

Hope this helps make my proposal more clear.

Regards,
Andreas Henriksson
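
The failure mode discussed in the message above, as an added example that is not part of the original mail and is not the proposed patch or sane-backends code. `avahi_thread` and `net_avahi_init()` are named after the thread; `struct poll_stub`, the stub lock functions, the guarded wrappers, `update_device_list()` and the `simulate_failure` knob are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the Avahi threaded poll object; like the lock functions
 * discussed in the thread, these stubs do not tolerate a NULL handle. */
struct poll_stub { int lock_depth; };
static void stub_poll_lock(struct poll_stub *p)   { p->lock_depth++; }
static void stub_poll_unlock(struct poll_stub *p) { p->lock_depth--; }

static struct poll_stub *avahi_thread = NULL;  /* NULL means Avahi is not in use */
static int device_count = 0;                   /* state shared with the poll thread */

/* Models net_avahi_init() as described: on any failure the handle is left
 * NULL and an error is returned. simulate_failure is a constructed knob. */
static int net_avahi_init(int simulate_failure)
{
    free(avahi_thread);
    avahi_thread = NULL;
    if (simulate_failure)
        return -1;
    avahi_thread = calloc(1, sizeof(*avahi_thread));
    return avahi_thread ? 0 : -1;
}

/* Hypothetical guarded wrappers: locking is skipped when Avahi is unused. */
static void net_avahi_lock(void)   { if (avahi_thread) stub_poll_lock(avahi_thread); }
static void net_avahi_unlock(void) { if (avahi_thread) stub_poll_unlock(avahi_thread); }

/* A later code path touching the shared state. Returns 1 if the lock was
 * held during the update, 0 if Avahi was off and no lock was needed. */
static int update_device_list(void)
{
    int held;
    net_avahi_lock();
    held = avahi_thread ? avahi_thread->lock_depth : 0;
    device_count++;
    net_avahi_unlock();
    return held;
}

/* The caller notes the init failure instead of ignoring it, then carries on. */
static int init_and_update(int simulate_failure)
{
    if (net_avahi_init(simulate_failure) != 0)
        fprintf(stderr, "avahi init failed, continuing without discovery\n");
    return update_device_list();
}

int main(void)
{
    printf("init ok:     lock held = %d\n", init_and_update(0));
    printf("init failed: lock held = %d\n", init_and_update(1));
    return 0;
}
```

Calling `stub_poll_lock(avahi_thread)` directly after a failed init would dereference NULL, which is the crash path the message describes; the wrappers cover every such failure regardless of its cause.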



Bug#861612: pixbros: level designs appear to be non-free

2017-05-19 Thread Markus Koschany
On 19.05.2017 at 02:24, Steve Cotton wrote:
> On Fri, May 12, 2017 at 11:03:24PM +0200, Markus Koschany wrote:
>> What we need to check is: Does the game comply with the DFSG and does it
>> infringe the copyright of another programmer/artist. In my opinion that
>> is not the case here because the license is DFSG-compatible and the game
>> looks and works differently in style and artwork. We are not aware of a
>> verdict which states that the level resemblance infringes the rights of
>> another party.
> 
> Hi Markus,
> 
> To clarify, I think it's a copyright violation.  The copyrights in
> question are the layout of the levels, the level designers' choices of
> where the platforms are.  For a simple level like level 30 it would be
> unremarkable for games in the same genre to have a similar level, but
> not the complex designs of most of the levels from 31 to 49.
> 
>> This whole bug report reminds me of Giana Sisters, ...

You are not even the copyright holder of the original game. You just
claim that the level layout in this case is a copyright violation which
is not backed up by anything. I am sorry but this is layman talk and as
I previously said the mere level resemblance alone is not what paragraph
2.3 in Debian's Policy is talking about.

>> On the other hand we have many open source games that try to clone an
>> older game but they look and behave often differently and use their own
>> graphics or they just reinvent the engine and then use the original
>> artwork (hence why those games are shipped in contrib)
> 
> But the ones in contrib using original artwork only have the DFSG
> parts in contrib, the copy of the original artwork isn't in contrib.

Exactly. But Pixbros has its own distinct DFSG-free artwork. Can't you
see that?

>> Look at Pathological which is obviously a clone of Logical or Tuxpuck
>> which very much resembles the Shuffle Puck Cafe game. Are they non-free
>> too? I don't think so because I have played the original games and I can
>> tell you that the older games had both better graphics, more levels and
>> were more feature complete. They resemble each other but they are not on
>> a par and the risk that some company sues Debian just for distributing
>> them is highly unlikely because we make no money with them either.
> 
> Just as they used new artwork, Pathological used (AFAIK) new level
> designs. The first level looks like a level of Logical, but that's
> forced by the genre, there's a limited set of level designs for a
> tutorial level that introduces the concept of the game.
> 
> With tuxpuck the level design seems to be a rectangular table, with a
> rectangular area of that table that the player can move the bat to.
> 
> Neither of these games seems to have a direct copy from the game that
> inspired them.

Well and here it shows that you apply double standards. In Pathological
the levels are "forced by the genre", in Tuxpuck it is just the
rectangular table and the bat (and you forgot that the second player
uses the same technique to move the bat as in the original game but
never mind). All major game aspects are implemented from the original
games and it is easy to see from which one they stem from. Nevertheless
the code and the artwork are completely different, DFSG-free and an
independent piece of art. But Pixbros' levels which are simply bars in
vertical and horizontal directions are somehow a copyright violation.

Sorry but this bug report really makes me sad and I'm off to do
something more useful now.



Processed: Pending fixes for bugs in the libcgi-application-plugin-anytemplate-perl package

2017-05-19 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tag 788008 + pending
Bug #788008 {Done: Niko Tyni } 
[libcgi-application-plugin-anytemplate-perl] 
libcgi-application-plugin-anytemplate-perl: missing dependency on libclone-perl
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
788008: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=788008
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#788008: Pending fixes for bugs in the libcgi-application-plugin-anytemplate-perl package

2017-05-19 Thread pkg-perl-maintainers
tag 788008 + pending
thanks

Some bugs in the libcgi-application-plugin-anytemplate-perl package
are closed in revision 902139f110bdfdf3b22083a009fa06147072b8a7 in
branch 'jessie' by gregor herrmann

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-perl/packages/libcgi-application-plugin-anytemplate-perl.git/commit/?id=902139f

Commit message:

Add missing dependency on libclone-perl | libclone-pp-perl.

Closes: #788008



Bug#857986: npm: This pakcage is 3 years old? (consider removal)

2017-05-19 Thread Jérémy Lal
2017-05-19 12:07 GMT+02:00 Riku Voipio :

> Jérémy Lal:
> > To others, preoccupied that npm won't be available in debian:
> > - please help with npm maintenance
> > - hopefully we'll make an updated version installable through debian backports
>
> Are there any complications to building npm as part of nodejs package?
>

There are complications to distributing npm: it depends on a LOT of
modules, which means it requires a lot of debian-maintainer time to
package, and update. Using the upstream nodejs tarball as source for npm
or the upstream npm tarball does not change anything about that.

Jérémy


Bug#857986: npm: This pakcage is 3 years old? (consider removal)

2017-05-19 Thread Riku Voipio
Jérémy Lal:
> To others, preoccupied that npm won't be available in debian:
> - please help with npm maintenance
> - hopefully we'll make an updated version installable through debian backports

Are there any complications to building npm as part of nodejs package?

Riku



Bug#841421: python-opcua: FTBFS (build hangs)

2017-05-19 Thread W. Martin Borgert

Hi Santiago,

could you test the new version 0.90.3-1 in unstable, please?
No hurry, because of the freeze the package will not migrate
to testing soon anyway.

TIA & Cheers!



Bug#861112: xsane: always crashes on start

2017-05-19 Thread Wolfgang Schweer
On Fri, May 19, 2017 at 09:47:51AM +0200, John Paul Adrian Glaubitz wrote:
> On 05/17/2017 10:57 PM, Andreas Henriksson wrote:
> >> It's disabling Avahi support (I don't have such daemon)

IMO a daemon isn't needed, that might be a misleading debug message. On 
my system (up-to-date stretch, GNOME) the package libavahi-client3 
(Depends: libavahi-common3) is installed via libreoffice-draw / 
libgnomevfs2-0 Depends -- and I'm unable to reproduce the bug. 

Maybe it would be sufficient to add libavahi-client3 (instead of 
libavahi-common3) as a Depends to sane-utils to solve this problem.

'apt show libavahi-client3' tells me:
This package contains the library for Avahi's C API which allows you to 
integrate mDNS/DNS-SD functionality into your application. 
 
Wolfgang




Processed: Bug#862001 in apt marked as pending

2017-05-19 Thread Debian Bug Tracking System
Processing control commands:

> tag 862001 pending
Bug #862001 {Done: Julian Andres Klode } [libapt-pkg5.0] 
libapt-pkg5.0: Failed to try-restart apt-daily-upgrade.timer: Unit 
apt-daily-upgrade.timer not found.
Added tag(s) pending.

-- 
862001: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862001
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#862001: in apt marked as pending

2017-05-19 Thread Julian Andres Klode
Control: tag 862001 pending

Hello,

Bug #862001 in apt reported by you has been fixed in the Git repository. You can
see the commit message below, and you can check the diff of the fix at:

https://anonscm.debian.org/cgit/apt/apt.git/diff/?id=8d42a4e

(this message was generated automatically based on the git commit message)
---
commit 8d42a4e4ff7190e802b1b2f91adfc7a6e5b0ac69
Author: Julian Andres Klode 
Date:   Sun May 7 12:17:05 2017 +0200

Do not try to (re)start timers outside 'apt' package

dh_systemd_start inserted postinst commands in all packages,
rather than just the package containing the timers.

This also gets rid of postinst scripts for all other
packages, yay.

Closes: #862001
(cherry picked from commit 315d6aac02b657a4742b5fe2695707904c6033dd)



Bug#855324: Info received (Bug#855324: pdfsam fails to start)

2017-05-19 Thread Philip Rinn
Hi,

One could probably just advise people to execute this in their terminal:

sed -i 's/[0-9]*<\/LAF>/0<\/LAF>/' ~/.pdfsam/config.xml

Best,
Philip





Bug#861112: xsane: always crashes on start

2017-05-19 Thread John Paul Adrian Glaubitz
On 05/17/2017 10:57 PM, Andreas Henriksson wrote:
>> It's disabling Avahi support (I don't have such daemon) but still later
>> calling avahi_threaded_poll_lock() with NULL avahi_thread.
> [...]
> 
> Yes, definitely seems so. Could you please test the attached patch
> which hopefully takes care of your issue?

But wouldn't that only address the symptoms instead of the actual cause
of the problem? If I understood Laurent correctly, the NULL value of
avahi_thread is a result of a race condition that can be avoided by
calling net_avahi_init() later inside sane_init().

Adrian

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913



Processed: severity of 861521 is grave

2017-05-19 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> # raising to RC, fixed in stable, otherwise regression, should be fixed in 
> stretch
> severity 861521 grave
Bug #861521 {Done: Emmanuel Bourg } [src:libxstream-java] 
libxstream-java: CVE-2017-7957
Severity set to 'grave' from 'important'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
861521: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861521
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems