Bug#986351: hplip: Printing Places All Jobs On Hold
Package: hplip
Version: 3.18.12+dfsg0-2
Severity: grave
Tags: upstream
Justification: renders package unusable

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

* What led up to the situation?
  Unknown
* What exactly did you do (or not do) that was effective (or ineffective)?
  Reboot, reinstall printer, reinstall hplip, reinstall cups
* What was the outcome of this action?
  Nothing
* What outcome did you expect instead?

*** End of the template - remove these template lines ***

-- Package-specific info:
Saving output in log file: /home/jolly/hp-check.log

HP Linux Imaging and Printing System (ver. 3.18.12)
Dependency/Version Check Utility ver. 15.1

Copyright (c) 2001-15 HP Development Company, LP
This software comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to distribute it
under certain conditions. See COPYING file for more details.

Note: hp-check can be run in three modes:
1. Compile-time check mode (-c or --compile): Use this mode before compiling the HPLIP supplied tarball (.tar.gz or .run) to determine if the proper dependencies are installed to successfully compile HPLIP.
2. Run-time check mode (-r or --run): Use this mode to determine if a distro supplied package (.deb, .rpm, etc) or an already built HPLIP supplied tarball has the proper dependencies installed to successfully run.
3. Both compile- and run-time check mode (-b or --both) (Default): This mode will check both of the above cases (both compile- and run-time dependencies).

Check types:
a. EXTERNALDEP - External Dependencies
b. GENERALDEP - General Dependencies (required both at compile and run time)
c. COMPILEDEP - Compile time Dependencies
d. [All are run-time checks]
   PYEXT
   SCANCONF
   QUEUES
   PERMISSION

Status Types:
   OK
   MISSING - Missing Dependency or Permission or Plug-in
   INCOMPAT - Incompatible dependency-version or Plugin-version

Gtk-Message: 21:15:47.063: Failed to load module "atk-bridge"
Traceback (most recent call last):
  File "/usr/share/hplip/base/utils.py", line 265, in walkFiles
    names = os.listdir(root)
FileNotFoundError: [Errno 2] No such file or directory: '/etc/PolicyKit'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/share/hplip/base/utils.py", line 267, in walkFiles
    raise StopIteration
StopIteration

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/bin/hp-check", line 861, in
    dep.core.init()
  File "/usr/share/hplip/installer/core_install.py", line 527, in init
    self.check_dependencies(callback)
  File "/usr/share/hplip/installer/core_install.py", line 620, in check_dependencies
    self.have_dependencies[d] = self.dependencies[d][3]()
  File "/usr/share/hplip/installer/core_install.py", line 1241, in check_policykit
    if check_file('PolicyKit.conf', "/etc/PolicyKit") and check_file('org.gnome.PolicyKit.AuthorizationManager.service', "/usr/share/dbus-1/services"):
  File "/usr/share/hplip/installer/dcheck.py", line 107, in check_file
    for w in utils.walkFiles(dir, recurse=True, abs_paths=True, return_folders=False, pattern=f):
RuntimeError: generator raised StopIteration

-- System Information:
Debian Release: 10.9
  APT prefers stable
  APT policy: (700, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-16-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages hplip depends on:
ii  adduser                3.118
ii  cups                   2.2.10-6+deb10u4
ii  hplip-data             3.18.12+dfsg0-2
ii  libc6                  2.28-10
ii  libcups2               2.2.10-6+deb10u4
ii  libdbus-1-3            1.12.20-0+deb10u1
ii  libhpmud0              3.18.12+dfsg0-2
ii  libpython3.7           3.7.3-2+deb10u3
ii  libsane                1.0.27-3.2
ii  libsane-hpaio          3.18.12+dfsg0-2
ii  libsnmp30              5.7.3+dfsg-5+deb10u2
ii  libusb-1.0-0           2:1.0.22-2
ii  lsb-base               10.2019051400
ii  printer-driver-hpcups  3.18.12+dfsg0-2
ii  python3                3.7.3-1
ii  python3-dbus           1.2.8-3
ii  python3-gi             3.30.4-1
ii  python3-pexpect        4.6.0-1
ii  python3-pil            5.4.1-2+deb10u2
ii  python3-reportlab      3.5.13-1+deb10u1
ii  wget                   1.20.1-1.1
ii  xz-utils
Processed: Re: mlucas: ftbfs with GCC-10
Processing control commands: > tags -1 patch Bug #957547 [src:mlucas] mlucas: ftbfs with GCC-10 Added tag(s) patch. -- 957547: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=957547 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#957547: mlucas: ftbfs with GCC-10
Control: tags -1 patch Hi, In Ubuntu, the attached patch was applied to achieve the following: * d/p/gcc-10.diff: Remove duplicate variable declaration to fix FTBFS with GCC 10. Thanks for considering the patch. Logan diff -Nru mlucas-17.1/debian/patches/gcc-10.diff mlucas-17.1/debian/patches/gcc-10.diff --- mlucas-17.1/debian/patches/gcc-10.diff 1969-12-31 19:00:00.0 -0500 +++ mlucas-17.1/debian/patches/gcc-10.diff 2021-04-03 17:44:31.0 -0400 @@ -0,0 +1,10 @@ +--- a/src/gcd_lehmer.c b/src/gcd_lehmer.c +@@ -49,7 +49,6 @@ + WARNING: level-2 diagnostics not recommended for large vectors! + */ + int fft_gcd_debug = 0; +- FILE *fp; + static char *file_access_mode[2] = {"a","w"}; + char string0[STR_MAX_LEN]; + #if GCD_DEBUG >= 1 diff -Nru mlucas-17.1/debian/patches/series mlucas-17.1/debian/patches/series --- mlucas-17.1/debian/patches/series 2020-01-10 12:32:35.0 -0500 +++ mlucas-17.1/debian/patches/series 2021-04-03 17:44:31.0 -0400 @@ -3,3 +3,4 @@ fix-c-identifier-typo.diff display-verbose-test-log.diff python2.diff +gcc-10.diff
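Review bot: the new `debian/patches/gcc-10.diff` starts directly at `+--- a/src/gcd_lehmer.c` with no DEP-3 header; add `Description:`, `Author:`, `Bug-Debian: https://bugs.debian.org/957547` and a `Forwarded:` line so the reason for dropping `FILE *fp;` is recorded in the patch itself and the maintainer knows whether upstream already carries it. The one-line removal is consistent with the changelog entry (a second file-scope `FILE *fp;` becomes a multiple-definition error under GCC 10's -fno-common default), provided the remaining `fp` definition is the one the rest of the code expects; the `series` hunk appends the patch last, which is the right place for it.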
Bug#964796: marked as done (bsdiff: CVE-2020-14315)
Your message dated Sat, 03 Apr 2021 21:18:21 + with message-id and subject line Bug#964796: fixed in bsdiff 4.3-22 has caused the Debian Bug report #964796, regarding bsdiff: CVE-2020-14315 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 964796: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964796
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: bsdiff
Version: 4.3-21
Severity: important
Tags: patch security
X-Debbugs-Cc: Debian Security Team

Hi,

The following vulnerability was published for bsdiff.

CVE-2020-14315[0]:
| Memory Corruption Vulnerability in bspatch

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-14315
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14315
[1] https://bugzilla.suse.com/show_bug.cgi?id=1173974
[2] https://www.openwall.com/lists/oss-security/2020/07/09/2
[3] https://www.freebsd.org/security/advisories/FreeBSD-SA-16:29.bspatch.asc

Regards,
Salvatore
--- End Message ---

--- Begin Message ---
Source: bsdiff
Source-Version: 4.3-22
Done: tony mancill

We believe that the bug you reported is fixed in the latest version of bsdiff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed.
If you have further comments please address them to 964...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp. tony mancill (supplier of updated bsdiff package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 03 Apr 2021 13:41:41 -0700
Source: bsdiff
Architecture: source
Version: 4.3-22
Distribution: unstable
Urgency: high
Maintainer: tony mancill
Changed-By: tony mancill
Closes: 920105 964796
Changes:
 bsdiff (4.3-22) unstable; urgency=high
 .
   [ Ondřej Nový ]
   * d/copyright: Change Format URL to correct one
 .
   [ tony mancill ]
   * Update Maintainer (Closes: #920105)
   * Apply patch for CVE-2020-14315 (Closes: #964796)
   * Freshen debian/copyright.
--- End Message ---
Bug#986339: universal-ctags: prerm fails on upgrades
Package: universal-ctags
Version: 0+git20200824-1.1.g15ce0a8
Severity: serious
Tags: patch
Justification: Policy 6.4

This is a clean buster container where I tested upgrading universal-ctags:

root@1066c7b1da18:/# apt install -qy universal-ctags
Reading package lists...
Building dependency tree...
Reading state information...
The following packages will be upgraded:
  universal-ctags
1 upgraded, 0 newly installed, 0 to remove and 92 not upgraded.
Need to get 442 kB of archives.
After this operation, 311 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bullseye/main amd64 universal-ctags amd64 0+git20200824-1 [442 kB]
Fetched 442 kB in 5s (87.9 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 8631 files and directories currently installed.)
Preparing to unpack .../universal-ctags_0+git20200824-1_amd64.deb ...
prerm called with unknown argument `upgrade'
dpkg: warning: old universal-ctags package pre-removal script subprocess returned error exit status 1
dpkg: trying script from the new package instead ...
dpkg: ... it looks like that went OK
Unpacking universal-ctags (0+git20200824-1) over (0+git20181215-2) ...
Setting up universal-ctags (0+git20200824-1) ...
update-alternatives: using /usr/bin/ctags-universal to provide /usr/bin/etags (etags) in auto mode

It seems that dpkg works around the issue somehow, but still prerm should not exit non-zero. The script will also fail similarly when prerm is called with "deconfigure". The attached patch fixes both cases.
-- System Information: Debian Release: bullseye/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: arm64 Kernel: Linux 5.10.0-5-amd64 (SMP w/4 CPU threads) Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8), LANGUAGE=pt_BR:pt:en Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages universal-ctags depends on: ii libc62.31-10 ii libjansson4 2.13.1-1.1 ii libseccomp2 2.5.1-1 ii libxml2 2.9.10+dfsg-6.3+b1 ii libyaml-0-2 0.2.2-1 universal-ctags recommends no packages. Versions of packages universal-ctags suggests: ii vim 2:8.2.2434-3 ii vim-gtk3 [vim] 2:8.2.2434-3 -- no debconf information From 490f13d5b473059dd873deab5f1f1b64e12f4f40 Mon Sep 17 00:00:00 2001 From: Antonio Terceiro Date: Sat, 3 Apr 2021 17:05:57 -0300 Subject: [PATCH 2/2] debian/prerm: handle upgrade/removal scenarios correctly --- debian/prerm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/prerm b/debian/prerm index 6ebf9a2..4b4d130 100644 --- a/debian/prerm +++ b/debian/prerm @@ -3,12 +3,12 @@ set -e case "$1" in -remove) +remove|deconfigure) update-alternatives --remove ctags /usr/bin/ctags-universal update-alternatives --remove etags /usr/bin/ctags-universal ;; -failed-upgrade) +upgrade|failed-upgrade) ;; *) -- 2.31.0 signature.asc Description: PGP signature
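Review bot: the subject line reads `[PATCH 2/2]` but only this patch is attached, so patch 1/2 should be included or its contents summarised so the maintainer can apply the series in order. Within the hunk, `remove|deconfigure)` and `upgrade|failed-upgrade)` cover exactly the two failing arguments the report names, and the fix depends on the `*)` branch below the shown context still being the one that prints `prerm called with unknown argument` and exits 1 for anything else; keeping `failed-upgrade` as a no-op alongside `upgrade` is the usual convention for a prerm that only manages alternatives.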
Bug#985292: materia-gtk-theme: unhandled symlink to directory conversion: /usr/share/themes/Materia-compact/gtk-3.0/assets -> ../gtk-assets
On 03/04/2021 07.43, Leandro Cunha wrote:
> Can you test the version I pushed for Salsa and confirm that the problem has been fixed?
> [1] https://salsa.debian.org/leandrocunha/materia-gtk-theme

There is no related change in git, only a changelog entry (I would have expected a .maintscript file to be added). But there is a revert of debian/rules to an older version (and from short debhelper 13 to something much older), which is probably unwanted and inappropriate at this point of the release cycle.

Andreas
Processed: retitle 966301
Processing commands for cont...@bugs.debian.org: > retitle 966301 guile oom test fails (but currently not on buildds) Bug #966301 [src:guile-2.2] guile oom test fails on ppc64el Changed Bug title to 'guile oom test fails (but currently not on buildds)' from 'guile oom test fails on ppc64el'. > thanks Stopping processing here. Please contact me if you need assistance. -- 966301: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966301 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: give 980202 a better title
Processing commands for cont...@bugs.debian.org: > retitle 980202 "convert --label" regressed and doesn't show text anymore Bug #980202 [imagemagick] FTBFS: gscan2pdf tests fail Bug #981798 [imagemagick] imagemagick breaks gscan2pdf autopkgtest: expected format changed Changed Bug title to '"convert --label" regressed and doesn't show text anymore' from 'FTBFS: gscan2pdf tests fail'. Changed Bug title to '"convert --label" regressed and doesn't show text anymore' from 'imagemagick breaks gscan2pdf autopkgtest: expected format changed'. > thanks Stopping processing here. Please contact me if you need assistance. -- 980202: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980202 981798: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981798 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Bug 985843 is RC
Processing commands for cont...@bugs.debian.org: > severity 985843 serious Bug #985843 {Done: Markus Koschany } [src:libxstream-java] libxstream-java: CVE-2021-21341 CVE-2021-21342 CVE-2021-21343 CVE-2021-21344 CVE-2021-21345 CVE-2021-21346 CVE-2021-21347 CVE-2021-21348 CVE-2021-21349 CVE-2021-21350 CVE-2021-21351 Severity set to 'serious' from 'important' > thanks Stopping processing here. Please contact me if you need assistance. -- 985843: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: owner 964796
Processing commands for cont...@bugs.debian.org: > owner 964796 tmanc...@debian.org Bug #964796 [src:bsdiff] bsdiff: CVE-2020-14315 Owner recorded as tmanc...@debian.org. > thanks Stopping processing here. Please contact me if you need assistance. -- 964796: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964796 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#985518: node-d3-dsv: broken symlinks: /usr/bin/*2* -> ../lib/nodejs/d3-dsv/bin/*2*
Hi,

On Fri, 19 Mar 2021 12:35:42 +0100 Andreas Beckmann wrote:
> during a test with piuparts I noticed your package ships (or creates)
> a broken symlink.
>
> From the attached log (scroll to the bottom...):
>
> 0m28.5s ERROR: FAIL: Broken symlinks:
> /usr/bin/tsv2json -> ../lib/nodejs/d3-dsv/bin/dsv2json (node-d3-dsv)
> /usr/bin/tsv2csv -> ../lib/nodejs/d3-dsv/bin/dsv2dsv (node-d3-dsv)
> /usr/bin/json2tsv -> ../lib/nodejs/d3-dsv/bin/json2dsv (node-d3-dsv)
> /usr/bin/json2dsv -> ../lib/nodejs/d3-dsv/bin/json2dsv (node-d3-dsv)
> /usr/bin/json2csv -> ../lib/nodejs/d3-dsv/bin/json2dsv (node-d3-dsv)
> /usr/bin/dsv2json -> ../lib/nodejs/d3-dsv/bin/dsv2json (node-d3-dsv)
> /usr/bin/dsv2dsv -> ../lib/nodejs/d3-dsv/bin/dsv2dsv (node-d3-dsv)
> /usr/bin/csv2tsv -> ../lib/nodejs/d3-dsv/bin/dsv2dsv (node-d3-dsv)
> /usr/bin/csv2json -> ../lib/nodejs/d3-dsv/bin/dsv2json (node-d3-dsv)

Can we please get a fix for this bug in unstable without the other changes that don't comply with the release policy? In the current state I can't unblock the fix.

Paul

OpenPGP_signature
Description: OpenPGP digital signature
Bug#985569: marked as done (ruby-kramdown: CVE-2021-28834)
Your message dated Sat, 03 Apr 2021 16:18:30 + with message-id and subject line Bug#985569: fixed in ruby-kramdown 2.3.0-5 has caused the Debian Bug report #985569, regarding ruby-kramdown: CVE-2021-28834 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 985569: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985569
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: ruby-kramdown
Version: 2.3.0-4
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/gettalong/kramdown/pull/708
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for ruby-kramdown.

CVE-2021-28834[0]:
| Kramdown before 2.3.1 does not restrict Rouge formatters to the
| Rouge::Formatters namespace, and thus arbitrary classes can be
| instantiated.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-28834
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28834
[1] https://github.com/gettalong/kramdown/pull/708
[2] https://github.com/gettalong/kramdown/commit/d6a1cbcb2caa2f8a70927f176070d126b2422760
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1941044
[4] https://gitlab.com/gitlab-org/gitlab/-/commit/179329b5c3c118924fb242dc449d06b4ed6ccb66

Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---

--- Begin Message ---
Source: ruby-kramdown
Source-Version: 2.3.0-5
Done: Antonio Terceiro

We believe that the bug you reported is fixed in the latest version of ruby-kramdown, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed.

If you have further comments please address them to 985...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp. Antonio Terceiro (supplier of updated ruby-kramdown package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 03 Apr 2021 10:39:28 -0300
Source: ruby-kramdown
Architecture: source
Version: 2.3.0-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers
Changed-By: Antonio Terceiro
Closes: 985569
Changes:
 ruby-kramdown (2.3.0-5) unstable; urgency=medium
 .
   * Team upload.
   * Add upstream patch to fix arbitrary code execution vulnerability
     [CVE-2021-28834] (Closes: #985569)
--- End Message ---
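The CVE-2021-28834 description above comes down to one Ruby detail: `Module#const_get` with the default `inherit=true` also searches `Object`, so a formatter name like "CSV" resolves to the top-level `CSV` class even though it is looked up on `Rouge::Formatters`. The following is an added illustration, not code from kramdown, Rouge or this bug report: `Sandbox::Formatters` is a constructed stand-in for `Rouge::Formatters`, and the two lookup functions contrast the original call with the `inherit=false` call that the fix uses.

```ruby
# Added illustration of the const_get lookup behind CVE-2021-28834.
# Sandbox::Formatters is a constructed stand-in for Rouge::Formatters;
# nothing here is taken from the Rouge or kramdown gems.
require "csv" # a real top-level class unrelated to syntax highlighting

module Sandbox
  module Formatters
    class HTML
      def render(tokens)
        tokens.map { |t| "<span>#{t}</span>" }.join
      end
    end
  end
end

# Same shape as the kramdown check: only bare constant names reach const_get.
NAME_RE = /\A[[:upper:]][[:alnum:]_]*\z/

# Lookup as it was before the fix. inherit=true (the default) also searches
# Object, so Sandbox::Formatters.const_get("CSV") quietly returns ::CSV.
def lookup_unrestricted(name)
  raise ArgumentError, "bad formatter name: #{name.inspect}" unless name.match?(NAME_RE)
  Sandbox::Formatters.const_get(name)
end

# Lookup as patched (const_get(name, false)): resolution stays inside the
# namespace, so anything defined elsewhere raises NameError.
def lookup_restricted(name)
  raise ArgumentError, "bad formatter name: #{name.inspect}" unless name.match?(NAME_RE)
  Sandbox::Formatters.const_get(name, false)
end

# Classify where a name resolves under each lookup:
#   :inside   - a class that really lives in Sandbox::Formatters
#   :escaped  - a class from outside the namespace (the CVE condition)
#   :rejected - the lookup raised NameError
def classify(name, restricted:)
  klass = restricted ? lookup_restricted(name) : lookup_unrestricted(name)
  klass.name.start_with?("Sandbox::Formatters::") ? :inside : :escaped
rescue NameError
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  %w[HTML CSV Nope].each do |n|
    puts format("%-5s unrestricted=%-9s restricted=%s", n,
                classify(n, restricted: false), classify(n, restricted: true))
  end
end
```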
Bug#985569: [DRE-maint] Bug#985569: ruby-kramdown: CVE-2021-28834
Hi, On Sat, Mar 20, 2021 at 08:50:21AM +0100, Salvatore Bonaccorso wrote: > Source: ruby-kramdown > Version: 2.3.0-4 > Severity: grave > Tags: security upstream > Justification: user security hole > Forwarded: https://github.com/gettalong/kramdown/pull/708 > X-Debbugs-Cc: car...@debian.org, Debian Security Team > > > Hi, > > The following vulnerability was published for ruby-kramdown. > > CVE-2021-28834[0]: > | Kramdown before 2.3.1 does not restrict Rouge formatters to the > | Rouge::Formatters namespace, and thus arbitrary classes can be > | instantiated. > > > If you fix the vulnerability please also make sure to include the > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. I just uploaded a fix for bullseye, and prepared the attached update for buster. It passes its own autopkgtest, and I don't see the possibility of any regressions in non-malicious code. Let me know if I can go ahead and upload. diff --git a/debian/changelog b/debian/changelog index 7830bf5..0541988 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +ruby-kramdown (1.17.0-1+deb10u2) buster-security; urgency=high + + * Team upload. + * Add upstream patch to fix arbitrary code execution vulnerability +[CVE-2021-28834] (Closes: #985569) + + -- Antonio Terceiro Sat, 03 Apr 2021 13:05:12 -0300 + ruby-kramdown (1.17.0-1+deb10u1) buster-security; urgency=high * Non-maintainer upload by the Security Team. diff --git a/debian/patches/0004-Restrict-Rouge-formatters-to-Rouge-Formatters-namesp.patch b/debian/patches/0004-Restrict-Rouge-formatters-to-Rouge-Formatters-namesp.patch new file mode 100644 index 000..5d9780e --- /dev/null +++ b/debian/patches/0004-Restrict-Rouge-formatters-to-Rouge-Formatters-namesp.patch 
@@ -0,0 +1,56 @@ +From: Stan Hu +Date: Sat, 3 Apr 2021 13:00:47 -0300 +Subject: Restrict Rouge formatters to Rouge::Formatters namespace + +ff0218a added support for specifying custom Rouge formatters with the +constraint that the formatter be in theRouge::Formatters namespace, but +it did not actually enforce this constraint. For example, this is valid: + +```ruby +Rouge::Formatters.const_get('CSV') +=> CSV +``` + +Adding the `false` parameter to `const_get` prevents this: + +```ruby +Rouge::Formatters.const_get('CSV', false) +NameError: uninitialized constant Rouge::Formatters::CSV +``` + +This is a backport of the original patch at +https://github.com/gettalong/kramdown/pull/708, backported by Antonio +Terceiro to version 1.17.0. + +Signed-off-by: Antonio Terceiro +--- + lib/kramdown/converter/syntax_highlighter/rouge.rb | 2 +- + test/test_files.rb | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/kramdown/converter/syntax_highlighter/rouge.rb b/lib/kramdown/converter/syntax_highlighter/rouge.rb +index e1e5a0d..a6894d6 100644 +--- a/lib/kramdown/converter/syntax_highlighter/rouge.rb b/lib/kramdown/converter/syntax_highlighter/rouge.rb +@@ -59,7 +59,7 @@ module Kramdown::Converter::SyntaxHighlighter + when Class + formatter + when /\A[[:upper:]][[:alnum:]_]*\z/ +-::Rouge::Formatters.const_get(formatter) ++::Rouge::Formatters.const_get(formatter, false) + else + # Available in Rouge 2.0 or later + ::Rouge::Formatters::HTMLLegacy +diff --git a/test/test_files.rb b/test/test_files.rb +index 30b9888..c985833 100644 +--- a/test/test_files.rb b/test/test_files.rb +@@ -20,7 +20,7 @@ begin + end + + # custom formatter for tests +- class RougeHTMLFormatters < Kramdown::Converter::SyntaxHighlighter::Rouge.formatter_class ++ class Rouge::Formatters::RougeHTMLFormatters < Kramdown::Converter::SyntaxHighlighter::Rouge.formatter_class + tag 'rouge_html_formatters' + + def stream(tokens, ) 
diff --git a/debian/patches/series b/debian/patches/series index 2de2e62..2a2bfc1 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ skip_missing_math_engines.patch fix_manpage_warnings.patch Add-option-forbidden_inline_options.patch +0004-Restrict-Rouge-formatters-to-Rouge-Formatters-namesp.patch signature.asc Description: PGP signature
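Review bot: in the `lib/kramdown/converter/syntax_highlighter/rouge.rb` hunk, `::Rouge::Formatters.const_get(formatter, false)` turns a name that previously resolved through `Object` (the `CSV` case in the patch description) into a `NameError`, and the hunk's context shows no `rescue` around it; check that an unknown or out-of-namespace formatter name now surfaces as a clean configuration error to the caller rather than an unhandled exception from the converter. The backport should keep the `test/test_files.rb` hunk as well, since moving the custom formatter under `Rouge::Formatters::` is the only place the `false` argument is exercised against a formatter that genuinely lives in the namespace.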
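Review bot: the header of the new `0004-Restrict-Rouge-formatters-to-Rouge-Formatters-namesp.patch` keeps upstream's `From: Stan Hu` but pairs it with the backport date (`Date: Sat, 3 Apr 2021 13:00:47 -0300`), and the upstream reference appears only as free text in the body; add DEP-3 fields `Origin: backport, https://github.com/gettalong/kramdown/pull/708` and `Bug-Debian: https://bugs.debian.org/985569` so the patch tracker links the file to CVE-2021-28834 without having to read the description.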
Bug#985569: marked as pending in ruby-kramdown
Control: tag -1 pending Hello, Bug #985569 in ruby-kramdown reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at: https://salsa.debian.org/ruby-team/ruby-kramdown/-/commit/b80244870c477d90090305f569eea39f7bd2b3f5 Add upstream patch to fix arbitrary code execution vulnerability This is CVE-2021-28834 Closes: #985569 (this message was generated automatically) -- Greetings https://bugs.debian.org/985569
Processed: Bug#985569 marked as pending in ruby-kramdown
Processing control commands: > tag -1 pending Bug #985569 [src:ruby-kramdown] ruby-kramdown: CVE-2021-28834 Added tag(s) pending. -- 985569: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985569 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#980609: Big bug
reopen 980609
severity 980609 grave

This is a huge bug, breaking compilation of many packages and newer kernels. It definitely needs to go into the next stable version!
Processed: python-bleach: diff for NMU version 3.2.1-2.1
Processing control commands: > tags 986251 + patch Bug #986251 [src:python-bleach] python-bleach: CVE-2021-23980 Added tag(s) patch. > tags 986251 + pending Bug #986251 [src:python-bleach] python-bleach: CVE-2021-23980 Added tag(s) pending. -- 986251: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986251 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#986251: python-bleach: diff for NMU version 3.2.1-2.1
Control: tags 986251 + patch
Control: tags 986251 + pending

Dear maintainer,

I've prepared an NMU for python-bleach (versioned as 3.2.1-2.1) and uploaded it to DELAYED/5. Please feel free to tell me if I should delay it longer. Actually if you want to take care of it that would be the preferable option, or if you think this is fine and in line with how you would like to have it, we can have it rescheduled as well, so that the unblock can be asked earlier. The fix should in any case ideally go to bullseye.

Regards,
Salvatore

diff -Nru python-bleach-3.2.1/debian/changelog python-bleach-3.2.1/debian/changelog --- python-bleach-3.2.1/debian/changelog 2021-01-18 07:30:51.0 +0100 +++ python-bleach-3.2.1/debian/changelog 2021-04-03 17:17:55.0 +0200 @@ -1,3 +1,11 @@ +python-bleach (3.2.1-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * sanitizer: escape HTML comments (CVE-2021-23980) (Closes: #986251) + * tests: add tests for more eject tags for GHSA-vv2x-vrpj-qqpq + + -- Salvatore Bonaccorso Sat, 03 Apr 2021 17:17:55 +0200 + python-bleach (3.2.1-2) unstable; urgency=medium * Team upload. diff -Nru python-bleach-3.2.1/debian/patches/0004-sanitizer-escape-HTML-comments.patch python-bleach-3.2.1/debian/patches/0004-sanitizer-escape-HTML-comments.patch --- python-bleach-3.2.1/debian/patches/0004-sanitizer-escape-HTML-comments.patch 1970-01-01 01:00:00.0 +0100 +++ python-bleach-3.2.1/debian/patches/0004-sanitizer-escape-HTML-comments.patch 2021-04-03 17:17:22.0 +0200 
@@ -0,0 +1,95 @@ +From: Greg Guthe +Date: Thu, 28 Jan 2021 14:56:24 -0500 +Subject: sanitizer: escape HTML comments +Origin: https://github.com/mozilla/bleach/commit/1334134d34397966a7f7cfebd38639e9ba2c680e +Bug-Debian: https://bugs.debian.org/986251 +Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1689399 +Bug: https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-23980 + +fixes: bug 1689399 / GHSA vv2x-vrpj-qqpq +--- + bleach/html5lib_shim.py | 1 + + bleach/sanitizer.py | 4 + tests/test_clean.py | 47 + + 3 files changed, 52 insertions(+) + +--- a/bleach/html5lib_shim.py b/bleach/html5lib_shim.py +@@ -48,6 +48,7 @@ from html5lib._inputstream import ( + HTMLInputStream, + ) # noqa: E402 module level import not at top of file + from html5lib.serializer import ( ++escape, + HTMLSerializer, + ) # noqa: E402 module level import not at top of file + from html5lib._tokenizer import ( +--- a/bleach/sanitizer.py b/bleach/sanitizer.py +@@ -376,6 +376,10 @@ class BleachSanitizerFilter(html5lib_shi + + elif token_type == "Comment": + if not self.strip_html_comments: ++# call lxml.sax.saxutils to escape &, <, and > in addition to " and ' ++token["data"] = html5lib_shim.escape( ++token["data"], entities={'"': "", "'": ""} ++) + return token + else: + return None +--- a/tests/test_clean.py b/tests/test_clean.py +@@ -766,6 +766,53 @@ def test_namespace_rc_data_element_strip + ) + + ++@pytest.mark.parametrize( ++"namespace_tag, end_tag, data, expected", ++[ ++( ++"math", ++"p", ++"", ++), ++( ++"math", ++"br", ++"", ++), ++( ++"svg", ++"p", ++"", ++), ++( ++"svg", ++"br", ++"", ++), ++], ++) ++def test_html_comments_escaped(namespace_tag, end_tag, data, expected): ++# refs: bug 1689399 / GHSA-vv2x-vrpj-qqpq ++# ++# p and br can be just an end tag (e.g. == ) ++# ++# In browsers: ++# ++# * img and other tags break out of the svg or math namespace (e.g. == ) ++# * style does not (e.g. ==
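Review bot: in the `bleach/sanitizer.py` hunk the `entities=` mapping is shown as `{'"': "", "'": ""}`, i.e. empty replacement strings for both quote characters, which as printed would strip quotes out of comment text rather than encode them; confirm that the patch file as applied carries the upstream replacement entities for `"` and `'` and that only the mail rendering has lost them. The new comment also names `lxml.sax.saxutils`, but the `escape` added to the import list in the `bleach/html5lib_shim.py` hunk comes from `html5lib.serializer`, which re-exports `xml.sax.saxutils.escape`; bleach has no lxml dependency, so the comment should say `xml.sax.saxutils`.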
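Review bot: in the `tests/test_clean.py` hunk all four `test_html_comments_escaped` parameter sets show `data` and `expected` as empty strings, so as printed the cases would assert nothing about comment escaping inside `math` or `svg`; make sure the patch file as applied keeps the comment payloads and their escaped output. The explanatory comment block also ends mid-sentence here at `style does not (e.g. ==`, and since reviewers rely on it to understand why `p`/`br` end tags and namespace break-outs are the cases under test, check that it is complete in the applied file.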