Bug#928893: Workaround

2019-07-05 Thread Narcis Garcia
Simple:
A) Package gnome-disk-utility with this feature disabled, until bug is
solved.
B) Not including buggy gnome-disk-utility in repositories

It is really dangerous for people to have this possibility to lose their
data, because of a small piece of bad code or bad release decision.

-- 


__
I'm using this express-made address because personal addresses aren't
masked enough at this mail public archive. Public archive administrator
should fix this against automated addresses collectors.



Bug#931483: konsole: Konsole will not launch from mate-panel or from KDE Application Launcher.

2019-07-05 Thread David J. Ring
Package: konsole
Version: 4:18.04.0-1
Severity: grave
Justification: renders package unusable

Dear Maintainer,

konsole will not launch from mate-panel shortcut or from KDE Application menu.

konsole WILL launch from mate-terminal and will subsequently open both new 
windows and new tabs.

konsole is unusable because of the problem, but I do not know if the problem is 
konsole or the KDE launcher or mate-panel.

Regards,

David

-- System Information:
Debian Release: 10.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_CRAP
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= 
(charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages konsole depends on:
ii  kio                   5.54.1-1
ii  konsole-kpart         4:18.04.0-1
ii  libc6                 2.28-10
ii  libkf5completion5     5.54.0-1
ii  libkf5configcore5     5.54.0-1
ii  libkf5configgui5      5.54.0-1
ii  libkf5configwidgets5  5.54.0-1
ii  libkf5coreaddons5     5.54.0-1
ii  libkf5crash5          5.54.0-1
ii  libkf5dbusaddons5     5.54.0-1
ii  libkf5globalaccel5    5.54.0-1
ii  libkf5i18n5           5.54.0-1
ii  libkf5iconthemes5     5.54.0-1
ii  libkf5kiowidgets5     5.54.1-1
ii  libkf5notifyconfig5   5.54.0-1
ii  libkf5widgetsaddons5  5.54.0-1
ii  libkf5windowsystem5   5.54.0-1
ii  libkf5xmlgui5         5.54.0-1
ii  libqt5core5a          5.11.3+dfsg1-2
ii  libqt5gui5            5.11.3+dfsg1-2
ii  libqt5widgets5        5.11.3+dfsg1-2
ii  libstdc++6            8.3.0-7

konsole recommends no packages.

konsole suggests no packages.

-- no debconf information



Bug#866472: Uniconvertor 2.0 upstream depends on python-pil and has some .debs

2019-07-05 Thread Xavi Drudis Ferran
Well, for what it's worth, here are the files for a package that builds
and installs on buster for uniconvertor-2.0rc4. But I haven't
tested. Only did a sg to pdf conversion once. I may have done
lots of things wrong, of course.

So far it does not seem to require sk1libs.



python-uniconvertor_2.0rc4-1.dfsg.1.debian.tar.xz
Description: application/xz
Format: 3.0 (quilt)
Source: python-uniconvertor
Binary: python-uniconvertor, python-uniconvertor-dbg
Architecture: any
Version: 2.0rc4-1.dfsg.1
Maintainer: Debian QA Group 
Homepage: https://sk1project.net/modules.php?name=Products&product=uniconvertor
Standards-Version: 4.0
Build-Depends: debhelper (>= 9), dh-python, perl, python-all-dbg (>= 2.4), 
python-all-dev (>= 2.4), libcairo2-dev, liblcms2-dev, libmagickwand-dev, 
libpango1.0-dev, python-cairo-dev, libgs9-common, icc-profiles-free
Package-List:
 python-uniconvertor deb python optional arch=any
 python-uniconvertor-dbg deb debug extra arch=any


Bug#931002: rust-coresimd: FTBFS (unrecognized platform-specific intrinsic function: `x86_rdrand16_step`unrecognized platform-specific intrinsic function: `x86_rdrand16_step`)

2019-07-05 Thread Henri Sivonen
> For future release, a better way of handling this will be needed. The fact
> that these updates break random other packages isn't really acceptable.

The fix in sid involved patching encoding_rs 0.8.15, which addressed
the simd crate problem. The reason why simd compiled previously and
got packaged is explained by the build.rs hack in the simd crate.
Upstream encoding_rs 0.8.16 no longer depends on the simd crate and
instead depends on packed_simd, which doesn't have such a hack.
Indeed, the hack was recognized as problematic upstream, and
the harmlessness of the hack in encoding_rs's own build.rs now
depends on the build failing in packed_simd when using the stable
compiler.

As reported, the failures were not only in the simd crate but also in
coresimd, which was pulled in by packed_simd, which was pulled in as
an optional dependency of the bytecount crate. None of these three
crates have the build.rs hack, so the build for packed_simd and
coresimd should have failed even before the recent rustc update in sid
and buster.

Indeed, if I try to build the corresponding upstream versions of
bytecount and packed_simd by invoking

    cargo build --features generic-simd

from the bytecount directory locally with Rust 1.32 from rustup, the
build fails in packed_simd due to use of unstable features.

In the interest of avoiding future breakage, it would be particularly
worthwhile to investigate how it was possible that packed_simd and
coresimd made it through the import as optional dependencies of
bytecount and compiled with the previous compiler when they shouldn't
have compiled. (Also: Why does the newly-uploaded version of
packed_simd in sid compile now?)

-- 
Henri Sivonen



Bug#930676: goplay: Should this package be removed?

2019-07-05 Thread Miriam Ruiz
> goplay has not received any updates since 2015, it uses libept,
> which we'd like to get rid of eventually I think, as it's also
> unmaintained, so I think it would be best to remove it.

I agree. I think it should be removed.

Miry



Bug#930321: marked as done (php-horde-form: CVE-2019-9858)

2019-07-05 Thread Debian Bug Tracking System
Your message dated Fri, 05 Jul 2019 11:47:23 +
with message-id 
and subject line Bug#930321: fixed in php-horde-form 2.0.15-1+deb9u1
has caused the Debian Bug report #930321,
regarding php-horde-form: CVE-2019-9858
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
930321: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930321
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: php-horde-form
Version: 2.0.18-3
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerability was published for php-horde-form.

CVE-2019-9858[0]:
| Remote code execution was discovered in Horde Groupware Webmail 5.2.22
| and 5.2.17. Horde/Form/Type.php contains a vulnerable class that
| handles image upload in forms. When the Horde_Form_Type_image method
| onSubmit() is called on uploads, it invokes the functions getImage()
| and _getUpload(), which uses unsanitized user input as a path to save
| the image. The unsanitized POST parameter object[photo][img][file] is
| saved in the $upload[img][file] PHP variable, allowing an attacker to
| manipulate the $tmp_file passed to move_uploaded_file() to save the
| uploaded file. By setting the parameter to (for example)
| ../usr/share/horde/static/bd.php, one can write a PHP backdoor inside
| the web root. The static/ destination folder is a good candidate to
| drop the backdoor because it is always writable in Horde
| installations. (The unsanitized POST parameter went probably unnoticed
| because it's never submitted by the forms, which default to securely
| using a random path.)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-9858
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9858
[1] https://github.com/horde/Form/commit/c916ba979ad1613d76a9407dd0b67968a9594c0e

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
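
The advisory above describes a client-supplied value being used as the temporary path handed to move_uploaded_file(). The following is an added example, not part of the original messages and not the upstream Horde patch: one way to confine such a value to the upload temp directory before it is used as a path. The function name resolveUploadTmp() and its parameters are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added illustration; not Horde's code and not the upstream patch.
// resolveUploadTmp() and its parameters are hypothetical names.

/**
 * Turn a client-supplied temp-file reference into a path inside $tmpDir.
 * Returns null when the value could name anything outside that directory.
 */
function resolveUploadTmp(string $tmpDir, $clientValue): ?string
{
    // Request parameters can arrive as arrays; accept only non-empty strings.
    if (!is_string($clientValue) || $clientValue === '') {
        return null;
    }
    // Allowlist a plain file name: no separators, no NUL, no whitespace.
    // The D modifier stops "$" from matching before a trailing newline.
    if (!preg_match('/^[A-Za-z0-9._-]+$/D', $clientValue)
        || $clientValue === '.' || $clientValue === '..') {
        return null;
    }
    $base = realpath($tmpDir);
    if ($base === false) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $clientValue;
    // An existing entry may be a symlink: resolve it and re-check containment.
    if (file_exists($candidate) || is_link($candidate)) {
        $real = realpath($candidate);
        $prefix = $base . DIRECTORY_SEPARATOR;
        if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
            return null;
        }
        return $real;
    }
    return $candidate;
}

// Constructed inputs; the second is the traversal value quoted in the advisory.
$samples = ['a3f9c1d2.img', '../usr/share/horde/static/bd.php', 'sub/dir.png', '..', ['x']];
foreach ($samples as $s) {
    $r = resolveUploadTmp(sys_get_temp_dir(), $s);
    printf("%-38s => %s\n", json_encode($s, JSON_UNESCAPED_SLASHES), $r ?? 'REJECTED');
}
```

Only the first sample resolves to a path; every value containing a separator, a dot entry, or a non-string type is rejected before any filesystem call uses it.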
--- Begin Message ---
Source: php-horde-form
Source-Version: 2.0.15-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
php-horde-form, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 930...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso  (supplier of updated php-horde-form 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 16 Jun 2019 13:47:48 +0200
Source: php-horde-form
Architecture: source
Version: 2.0.15-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Horde Maintainers 
Changed-By: Salvatore Bonaccorso 
Closes: 930321
Changes:
 php-horde-form (2.0.15-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Prevent directory traversal vulnerability (CVE-2019-9858)
 (Closes: #930321)