Bug#1033752: marked as done (sniproxy: CVE-2023-25076)

2023-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2023 19:32:29 +
with message-id 
and subject line Bug#1033752: fixed in sniproxy 0.6.0-2+deb11u1
has caused the Debian Bug report #1033752,
regarding sniproxy: CVE-2023-25076
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1033752: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033752
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: sniproxy
Version: 0.6.0-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for sniproxy.

CVE-2023-25076[0]:
| A buffer overflow vulnerability exists in the handling of wildcard
| backend hosts of SNIProxy 0.6.0-2 and the master branch (commit:
| 822bb80df9b7b345cc9eba55df74a07b498819ba). A specially crafted HTTP,
| TLS or DTLS packet can lead to arbitrary code execution. An attacker
| could send a malicious packet to trigger this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-25076
https://www.cve.org/CVERecord?id=CVE-2023-25076
[1] https://talosintelligence.com/vulnerability_reports/TALOS-2023-1731
[2] https://github.com/dlundquist/sniproxy/commit/f8d9a433fe22ab2fa15c00179048ab02ae23d583

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: sniproxy
Source-Version: 0.6.0-2+deb11u1
Done: Thorsten Alteholz 

We believe that the bug you reported is fixed in the latest version of
sniproxy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1033...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz  (supplier of updated sniproxy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 29 Apr 2023 19:03:02 +0200
Source: sniproxy
Architecture: source
Version: 0.6.0-2+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Jan Dittberner 
Changed-By: Thorsten Alteholz 
Closes: 1033752
Changes:
 sniproxy (0.6.0-2+deb11u1) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2023-25076 (Closes: #1033752)
     fix buffer overflow while handling wildcard backend hosts


Bug#1036281: marked as done (libraw: CVE-2023-1729)

2023-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2023 19:32:23 +
with message-id 
and subject line Bug#1036281: fixed in libraw 0.20.2-1+deb11u1
has caused the Debian Bug report #1036281,
regarding libraw: CVE-2023-1729
to be marked as done.



-- 
1036281: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036281
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libraw
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for libraw.

CVE-2023-1729[0]:
| A flaw was found in LibRaw. A heap-buffer-overflow in raw2image_ex()
| caused by a maliciously crafted file may lead to an application crash.

https://bugzilla.redhat.com/show_bug.cgi?id=2188240
https://github.com/LibRaw/LibRaw/issues/557
Fixed by: https://github.com/LibRaw/LibRaw/commit/9ab70f6dca19229cb5caad7cc31af4e7501bac93 (master)
Fixed by: https://github.com/LibRaw/LibRaw/commit/477e0719ffc07190c89b4f3d12d51b1292e75828 (0.21-stable)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-1729
https://www.cve.org/CVERecord?id=CVE-2023-1729

Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: libraw
Source-Version: 0.20.2-1+deb11u1
Done: Salvatore Bonaccorso 

We believe that the bug you reported is fixed in the latest version of
libraw, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1036...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso  (supplier of updated libraw package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 27 May 2023 07:51:55 +0200
Source: libraw
Architecture: source
Version: 0.20.2-1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian PhotoTools Maintainers 

Changed-By: Salvatore Bonaccorso 
Closes: 1031790 1036281
Changes:
 libraw (0.20.2-1+deb11u1) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * check for input buffer size on datastream::gets (CVE-2021-32142)
     (Closes: #1031790)
   * do not set shrink flag for 3/4 component images (CVE-2023-1729)
     (Closes: #1036281)


Processed: Re: systemd: please ship a placeholder in /usr/lib/modules-load.d/

2023-05-29 Thread Debian Bug Tracking System
Processing control commands:

> severity -1 important
Bug #1036920 [systemd] systemd: please ship a placeholder in 
/usr/lib/modules-load.d/
Severity set to 'important' from 'serious'

-- 
1036920: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036920
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1036920: systemd: please ship a placeholder in /usr/lib/modules-load.d/

2023-05-29 Thread Luca Boccassi
Control: severity -1 important

On Mon, 29 May 2023 14:42:14 +0200 Andreas Beckmann 
wrote:
> Package: systemd
> Version: 252.6-1
> Severity: serious
> User: debian...@lists.debian.org
> Usertags: piuparts

Given what was discussed:

- bookworm is in hard freeze
- there is no functional impact
- unmerged-usr paths are no longer supported
- as soon as trixie opens for business we might just canonicalize
everything (assuming all the ducks will be in a row)

if it's all right with you Andreas, I am going to go ahead and
downgrade this. If we don't manage to canonicalize early in trixie's
cycle we can revisit.

-- 
Kind regards,
Luca Boccassi




Bug#1036591: marked as done (reaver: segmentation fault)

2023-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2023 17:48:55 +
with message-id 
and subject line Bug#1036591: fixed in reaver 1.6.6-0.1
has caused the Debian Bug report #1036591,
regarding reaver: segmentation fault
to be marked as done.



-- 
1036591: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036591
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: reaver
Version: 1.6.5-1+b1
Severity: grave
Justification: package unusable
Tags: fixed

Dear Maintainer,

   * What led up to the situation? The package has a segmentation
fault on any command I tried to run, but I've used this package in the
past and it was working and I think some more up-to-date dependency is
causing this.
   * What exactly did you do (or not do) that was effective (or
ineffective)? Executing multiple commands.
   * What was the outcome of this action? Every command executed
returns segmentation fault.
   * What outcome did you expect instead? The correct thing is that
all commands were executed correctly.

I tried compiling a newer version 1.6.6 and it worked fine with no
segmentation fault. Plus several improvements upstream.
Remembering that this packaging is unusable in the face of tests carried out.

Short description of what the segmentation fault is about in your description.
In the context of segmentation fault, segment refers to the program
memory address space. Only the program's memory space is readable. Of
this space, only the stack and part of the data segment are writable.
Other parts of the data segment and text segment are not writable.
The data segment is where global or static variables reside. The text
segment, also called the code segment, is where program instructions
are stored.
Segments have size and permissions, such as write, read, and execute.
Segmentation fault occurs when a program tries to access restricted
memory, such as trying to write to the text segment or read from a
non-existent memory address. The failure is reported by the memory
protection system of the Memory Management Unit or MMU. The MMU is the
hardware responsible for translating the virtual memory address to
physical addresses.
As soon as the MMU notices a memory access violation, it informs the
Kernel of the problem. In the case of Linux, the Kernel sends a signal
to the program, the SEGV. Upon receiving the signal, the program is
usually terminated.

-- System Information:
Debian Release: 12.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'testing-security'), (500,
'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-9-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8),
LANGUAGE=pt_BR:pt:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages reaver depends on:
ii  libc6   2.36-9
ii  libpcap0.8  1.10.3-1

Versions of packages reaver recommends:
ii  pixiewps  1.4.2-5

Versions of packages reaver suggests:
ii  aircrack-ng  1:1.7-5

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: reaver
Source-Version: 1.6.6-0.1
Done: Leandro Cunha 

We believe that the bug you reported is fixed in the latest version of
reaver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1036...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Leandro Cunha  (supplier of updated reaver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 27 May 2023 14:24:29 -0300
Source: reaver
Architecture: source
Version: 1.6.6-0.1
Distribution: unstable
Urgency: high
Maintainer: Bartosz Fenski 
Changed-By: Leandro Cunha 
Closes: 901595 1036591
Changes:
 reaver (1.6.6-0.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * New upstream version.
   * debian/watch:
     - Fix watch file is broken and generating errors. (Closes: #901595)
     - Change version of 3 to 4.
   * Fix segmentation fault. (Closes: #1036591)
Checksums-Sha1:
 b045c51de7384c4fb4ddabbdc9bad870cdc37869 1736 reaver_1.6.6-0.1.dsc
 7e018618bf827b2db274c4b349c3a5ad72ddf4c3 485854 reaver_1.6

Processed: Adjust bug again

2023-05-29 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> notfound 1036163 fcitx5-zhuyin/5.0.11-1
Bug #1036163 {Done: Shengjing Zhu } [fcitx5-zhuyin] 
failed.mmap /usr/share/fcitx5/zhuyin/gb_char.bin failed
No longer marked as found in versions fcitx5-zhuyin/5.0.11-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1036163: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036163
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Adjust bug 1036163 range

2023-05-29 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> # BTS does not recognize binNMU
> # Circumvent with somehow incorrect version numbers
> # Actually fixed 1036163 fcitx5-zhuyin/5.0.11-1+b1
> notfixed 1036163 fcitx5-zhuyin/5.0.10-1
Bug #1036163 {Done: Shengjing Zhu } [fcitx5-zhuyin] 
failed.mmap /usr/share/fcitx5/zhuyin/gb_char.bin failed
Ignoring request to alter fixed versions of bug #1036163 to the same values 
previously set
> found 1036163 fcitx5-zhuyin/5.0.10-1
Bug #1036163 {Done: Shengjing Zhu } [fcitx5-zhuyin] 
failed.mmap /usr/share/fcitx5/zhuyin/gb_char.bin failed
Marked as found in versions fcitx5-zhuyin/5.0.10-1.
> fixed 1036163 fcitx5-zhuyin/5.0.11-1
Bug #1036163 {Done: Shengjing Zhu } [fcitx5-zhuyin] 
failed.mmap /usr/share/fcitx5/zhuyin/gb_char.bin failed
Marked as fixed in versions fcitx5-zhuyin/5.0.11-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1036163: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036163
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1035543: init-system-helpers: new systemd units may not get enabled on upgrades from bullseye if systemd is installed

2023-05-29 Thread James Addison
Followup-For: Bug #1035543
X-Debbugs-Cc: ty...@mit.edu, bi...@debian.org, hel...@subdivi.de, 
jspri...@debian.org, ans...@debian.org, a...@debian.org, 
debian.bugrep...@wodny.org

I've been 'approximately' testing this locally on bookworm by:

  * Editing the Install.WantedBy in /lib/systemd/system/e2scrub_reap.service

  * Reconfiguring the package using 'dpkg-reconfigure e2fsprogs'

(I know, it's not a comprehensive workflow - but I think that it calls the
relevant deb-systemd-helper and e2fsprogs postinst script sections)

Also: Marcin's patch[1] from #985787 is also intended to fix a very similar
problem (perhaps exactly the same issue).

Some puzzles:

  * Why does the 'deb-systemd-helper disable' invocation not work (as found
by Helmut and Jochen)?  It seems like it should read the symlink path to
remove from the dsh-also state file, so the Install.WantedBy change should
not affect it.

  * Is the /var/lib/systemd/deb-systemd-helper-enabled/ path relevant?  This
seems to contain a shadow copy of much of the /etc/systemd/system service
state.

   * Is the 'create links unless no links installed' logic correct?  (that
 sounds like it could be incorrect, but I'm not sure)


I did manage to get something kinda-working locally with a combination of an
'update-state' call and Marcin's patch.  However, I'd like to understand more
about the 'deb-systemd-helper disable' call failure before recommending that.


And, quoting Andreas:

> Actually the difference is between the minimal bullseye chroot upgraded 
> to bookworm and the bullseye chroot with some packages to be tested 
> installed (here: systemd) and upgraded to bookworm. Ideally, after 
> removing the packages to be tested and their dependencies, the two 
> bookworm chroots should be identical ...

I agree on the goals there.  Being unhappy about systemd and maintaining a
package that has divergent on-filesystem results depending on how users
upgraded seems distinctly worse than being unhappy about systemd while
maintaining a consistently-deployed package.

[1] - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985787#25

[2] - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035543#62



Bug#1036920: systemd: please ship a placeholder in /usr/lib/modules-load.d/

2023-05-29 Thread Luca Boccassi
On Mon, 29 May 2023 15:17:51 +0200 Andreas Beckmann 
wrote:
> On 29/05/2023 14.57, Luca Boccassi wrote:
> >> Side question first: does systemd evaluate both
> >> /usr/lib/modules-load.d/* and /lib/modules-load.d/* ?
> >> Otherwise all packages shipping something in /lib/modules-load.d/ are
> >> broken on unmerged-/usr because their config snippets are not being
> >> taken into account.
> > 
> > The correct path since bullseye was /usr/lib/modules-load.d, see:
> > 
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971282
> 
> I read this as these packages have been buggy on unmerged-/usr in 
> bullseye. Why weren't there bugs filed?

Good question, I guess nobody ever noticed because most users are on
merged-usr anyway? But as you can see from the bug, it's been years.

> > Anyway, we don't really care about what happens on unmerged
> > installations, as they are no longer supported since Bookworm.
> 
> Well, there is still limited support, e.g. for buildd usage. But 
> probably (hopefully?) for the last time.

IIRC the plan was to switch buildds as soon as bookworm ships, but I
don't think that's finalised. Also I don't think it's supported to
install and load kernel modules for a package build, at least I've
never come across that, but I might be wrong.

-- 
Kind regards,
Luca Boccassi




Bug#1036920: systemd: please ship a placeholder in /usr/lib/modules-load.d/

2023-05-29 Thread Marco d'Itri
On May 29, Luca Boccassi  wrote:

> Does it matter that much if the empty directory is removed? Next time
> a package shipping a modules-load config is installed it will be just
> re-added, no? Or are there functional issues?
I do not think that it is a big deal if /usr/lib/modules-load.d/ 
disappears from time to time. Local users are expected to install local 
files in /etc/modules-load.d/ anyway.

-- 
ciao,
Marco




Bug#1036920: systemd: please ship a placeholder in /usr/lib/modules-load.d/

2023-05-29 Thread Helmut Grohne
Hi Andreas,

On Mon, May 29, 2023 at 02:42:14PM +0200, Andreas Beckmann wrote:
> during a test with piuparts I noticed your package ships an empty
> directory (/usr/lib/modules-load.d/) which disappears after installation
> and removal of another package (e.g. multipath-tools) in a merged-/usr
> setup. This is not a bug in the other package, but an effect of our
> merged-/usr implementation.

Thank you Andreas for your attention to detail in locating and reporting
these kinds of issues. Your QA work is being very useful again as it was
when you noticed how we broke adduser users.

I caution that this is an instance of a generic problem that affects all
sorts of packages shipping empty directories in aliased locations. It is
a problem that has not previously been on my radar of things to watch
out for and now is. I have yet to do the math of figuring out how many
other packages are affected in a similar way and intend to follow up
with that on d-devel@l.d.o.

> This is happening to trigger the bug: 

In what sense is the behaviour actually buggy? Quite obviously, this is
a reproducibility issue, because depending on how you order operations,
different things happen. I somewhat question though that this is a
serious issue and would expect systemd to deal with the absence in a
sane way. Do you have any evidence of it behaving otherwise?

If you file further bugs pertaining to issues related to /usr-merge, I'd
appreciate an X-Debbugs-Cc.

Helmut



Bug#1036920: systemd: please ship a placeholder in /usr/lib/modules-load.d/

2023-05-29 Thread Andreas Beckmann

On 29/05/2023 14.57, Luca Boccassi wrote:
>> Side question first: does systemd evaluate both
>> /usr/lib/modules-load.d/* and /lib/modules-load.d/* ?
>> Otherwise all packages shipping something in /lib/modules-load.d/ are
>> broken on unmerged-/usr because their config snippets are not being
>> taken into account.
>
> The correct path since bullseye was /usr/lib/modules-load.d, see:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971282

I read this as these packages have been buggy on unmerged-/usr in 
bullseye. Why weren't there bugs filed?

> Anyway, we don't really care about what happens on unmerged
> installations, as they are no longer supported since Bookworm.

Well, there is still limited support, e.g. for buildd usage. But 
probably (hopefully?) for the last time.

Andreas



Bug#1036920: systemd: please ship a placeholder in /usr/lib/modules-load.d/

2023-05-29 Thread Luca Boccassi
On Mon, 29 May 2023 at 14:07, Andreas Beckmann  wrote:
>
> On 29/05/2023 14.57, Luca Boccassi wrote:
> > Wouldn't the correct workaround be to list /usr/lib/modules-load.d in
> > systemd.dirs so that dpkg leaves it alone? Seems way too late for
> > Bookworm though?
>
> for dpkg, /usr/lib/modules-load.d is already owned by systemd, dpkg only
> accidentally deletes it while removing /lib/modules-load.d
>
> That's the reason for adding some placeholder file there, to prevent
> accidental removal of the (no longer empty) directory.
> Could be part of the first bookworm point release.

Does it matter that much if the empty directory is removed? Next time
a package shipping a modules-load config is installed it will be just
re-added, no? Or are there functional issues?

Kind regards,
Luca Boccassi



Bug#1036920: systemd: please ship a placeholder in /usr/lib/modules-load.d/

2023-05-29 Thread Andreas Beckmann

On 29/05/2023 14.57, Luca Boccassi wrote:
> Wouldn't the correct workaround be to list /usr/lib/modules-load.d in
> systemd.dirs so that dpkg leaves it alone? Seems way too late for
> Bookworm though?

for dpkg, /usr/lib/modules-load.d is already owned by systemd, dpkg only 
accidentally deletes it while removing /lib/modules-load.d

That's the reason for adding some placeholder file there, to prevent 
accidental removal of the (no longer empty) directory.

Could be part of the first bookworm point release.

Andreas



Bug#1036920: systemd: please ship a placeholder in /usr/lib/modules-load.d/

2023-05-29 Thread Luca Boccassi
On Mon, 29 May 2023 14:42:14 +0200 Andreas Beckmann 
wrote:
> Package: systemd
> Version: 252.6-1
> Severity: serious
> User: debian...@lists.debian.org
> Usertags: piuparts
> 
> Hi,
> 
> during a test with piuparts I noticed your package ships an empty
> directory (/usr/lib/modules-load.d/) which disappears after installation
> and removal of another package (e.g. multipath-tools) in a merged-/usr
> setup. This is not a bug in the other package, but an effect of our
> merged-/usr implementation.
> 
> Side question first: does systemd evaluate both
> /usr/lib/modules-load.d/* and /lib/modules-load.d/* ?
> Otherwise all packages shipping something in /lib/modules-load.d/ are
> broken on unmerged-/usr because their config snippets are not being
> taken into account.

The correct path since bullseye was /usr/lib/modules-load.d, see:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971282

Anyway, we don't really care about what happens on unmerged
installations, as they are no longer supported since Bookworm.

> This is happening to trigger the bug: 
> 
> systemd ships /usr/lib/modules-load.d/ (empty directory)
> multipath-tools ships /lib/modules-load.d/multipath.conf
> dpkg doesn't know that /lib/modules-load.d/ and /usr/lib/modules-load.d/
> are the same, and therefore removal of multipath-tools causes removal of
> * /lib/modules-load.d/multipath.conf (OK)
> * /lib/modules-load.d/ (if it was the last owner of that directory), while
>   it effectively is /usr/lib/modules-load.d/ getting removed
> 
> When adding a placeholder file, it needs to be something that is ignored
> by the processing of the .d directory (the pattern could be *.conf, but I
> might be mistaken here).
> 
> An alternative to shipping a placeholder file could be shipping
> /lib/modules-load.d/ as additional empty directory, but I don't know
> whether this would be allowed w.r.t. merged-/usr.
> 
> 
> From the attached log (scroll to the bottom...):
> 
> 0m39.2s ERROR: FAIL: After purging files have disappeared:
>   /usr/lib/modules-load.d/   owned by: systemd
> 
> 
> This is not caught by default piuparts tests as there is no test with
> systemd explicitly installed.
> 
> I could not reproduce this issue in bullseye (and haven't tried to
> reproduce it in earlier releases).

Wouldn't the correct workaround be to list /usr/lib/modules-load.d in
systemd.dirs so that dpkg leaves it alone? Seems way too late for
Bookworm though?

-- 
Kind regards,
Luca Boccassi




Bug#1031046: Error while trying to create asterisk-20.3.0 deb file

2023-05-29 Thread Daniel Huhardeaux

Hi,

I try to create a deb file using dh_make or cowbuilder and it fails with 
the same error:


configure.ac:508: error: possibly undefined macro: AC_MSG_WARN
  If this token and others are legitimate, please use m4_pattern_allow.
  See the Autoconf documentation.
configure.ac:849: error: possibly undefined macro: AC_LANG_PROGRAM
autoreconf: error: /usr/bin/autoconf failed with exit status: 1
dh_autoreconf: error: autoreconf -f -i returned exit code 1
make: *** [debian/rules:19: binary] Error 255
dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2

I: copying local configuration
E: Failed autobuilding of package
I: unmounting dev/ptmx filesystem
I: unmounting dev/pts filesystem
I: unmounting dev/shm filesystem
I: unmounting proc filesystem
I: unmounting sys filesystem
I: Cleaning COW directory
I: forking: rm -rf /var/cache/pbuilder/build/cow.76107
root@cherry:/home/dh/packages#

Base package is asterisk-20-current.tar.gz

Any clue?

--
Daniel



Bug#1036920: systemd: please ship a placeholder in /usr/lib/modules-load.d/

2023-05-29 Thread Andreas Beckmann
Package: systemd
Version: 252.6-1
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package ships an empty
directory (/usr/lib/modules-load.d/) which disappears after installation
and removal of another package (e.g. multipath-tools) in a merged-/usr
setup. This is not a bug in the other package, but an effect of our
merged-/usr implementation.

Side question first: does systemd evaluate both
/usr/lib/modules-load.d/* and /lib/modules-load.d/* ?
Otherwise all packages shipping something in /lib/modules-load.d/ are
broken on unmerged-/usr because their config snippets are not being
taken into account.

This is happening to trigger the bug: 

systemd ships /usr/lib/modules-load.d/ (empty directory)
multipath-tools ships /lib/modules-load.d/multipath.conf
dpkg doesn't know that /lib/modules-load.d/ and /usr/lib/modules-load.d/
are the same, and therefore removal of multipath-tools causes removal of
* /lib/modules-load.d/multipath.conf (OK)
* /lib/modules-load.d/ (if it was the last owner of that directory), while
  it effectively is /usr/lib/modules-load.d/ getting removed

When adding a placeholder file, it needs to be something that is ignored 
by the processing of the .d directory (the pattern could be *.conf, but I
might be mistaken here).

An alternative to shipping a placeholder file could be shipping
/lib/modules-load.d/ as additional empty directory, but I don't know
whether this would be allowed w.r.t. merged-/usr.


From the attached log (scroll to the bottom...):

0m39.2s ERROR: FAIL: After purging files have disappeared:
  /usr/lib/modules-load.d/   owned by: systemd


This is not caught by default piuparts tests as there is no test with
systemd explicitly installed.

I could not reproduce this issue in bullseye (and haven't tried to
reproduce it in earlier releases).


cheers,

Andreas

PS: packages shipping files in modules-load.d/ (in sid):

# apt-file search /lib/modules-load.d/
aoetools: /usr/lib/modules-load.d/aoetools.conf
dlm-controld: /usr/lib/modules-load.d/configfs.conf
drbd-utils: /lib/modules-load.d/drbd.conf
ecryptfs-utils: /lib/modules-load.d/ecryptfs.conf
fwupd: /usr/lib/modules-load.d/fwupd-msr.conf
iwd: /usr/lib/modules-load.d/pkcs8.conf
libddccontrol0: /usr/lib/modules-load.d/ddccontrol-i2c-dev.conf
mbpfan: /lib/modules-load.d/mbpfan.depend.conf
multipath-tools: /lib/modules-load.d/multipath.conf
open-vm-tools-desktop: /usr/lib/modules-load.d/open-vm-tools-desktop.conf
osspd: /lib/modules-load.d/osspd.conf
zfsutils-linux: /lib/modules-load.d/zfs.conf


systemd-modules-load.d.log.gz
Description: application/gzip
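The removal sequence described in Bug#1036920, modelled as an added example (not part of the report and not dpkg's own code): it uses rm and rmdir inside a temporary root and never calls dpkg. The placeholder file name `.placeholder` is hypothetical.

```shell
#!/bin/sh
# Added model of the merged-/usr scenario from the report (constructed).
# It mimics the removal steps with rm/rmdir in a temporary root; dpkg is
# never invoked. The placeholder name ".placeholder" is hypothetical.

# Build a merged-/usr tree: $root/lib is a symlink to usr/lib, so
# /lib/modules-load.d and /usr/lib/modules-load.d are one directory.
make_root() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/lib/modules-load.d"        # shipped empty by "systemd"
    ln -s usr/lib "$root/lib"                      # merged-/usr alias
    : > "$root/lib/modules-load.d/multipath.conf"  # shipped by "multipath-tools"
    echo "$root"
}

# Mimic removal of the package that lists the /lib/... paths: delete its
# file, then try to remove the directory it also listed. rmdir only
# succeeds on an empty directory, which is the behaviour being modelled.
remove_lib_owner() {
    rm -f -- "$1/lib/modules-load.d/multipath.conf"
    rmdir -- "$1/lib/modules-load.d" 2>/dev/null || true
}

# Report the directory's state as seen through the /usr/lib path.
usr_dir_state() {
    if [ -d "$1/usr/lib/modules-load.d" ]; then echo kept; else echo gone; fi
}

# Case 1: the directory is shipped empty, as in the report.
without_placeholder() {
    r=$(make_root)
    remove_lib_owner "$r"
    usr_dir_state "$r"
    rm -rf -- "$r"
}

# Case 2: the owner of /usr/lib/modules-load.d also ships a file in it.
with_placeholder() {
    r=$(make_root)
    : > "$r/usr/lib/modules-load.d/.placeholder"
    remove_lib_owner "$r"
    usr_dir_state "$r"
    rm -rf -- "$r"
}

demo() {
    echo "empty directory  : /usr/lib/modules-load.d $(without_placeholder)"
    echo "with placeholder : /usr/lib/modules-load.d $(with_placeholder)"
}
demo
```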


Bug#1036096: marked as done (jed,xjed: unhandled symlink to directory conversion: /usr/share/doc/PACKAGE)

2023-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2023 12:34:20 +
with message-id 
and subject line Bug#1036096: fixed in jed 1:0.99.20~pre.180+dfsg-1
has caused the Debian Bug report #1036096,
regarding jed,xjed: unhandled symlink to directory conversion: /usr/share/doc/PACKAGE
to be marked as done.



-- 
1036096: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036096
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: jed,xjed
Version: 1:0.99.20~pre.178+dfsg-4
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

an upgrade test with piuparts revealed that your package installs files
over existing symlinks and possibly overwrites files owned by other
packages. This usually means an old version of the package shipped a
symlink but that was later replaced by a real (and non-empty)
directory. This kind of overwriting another package's files cannot be
detected by dpkg.

This was observed on the following upgrade paths:

  bullseye -> sid

For /usr/share/doc/PACKAGE this may not be problematic as long as both
packages are installed, ship byte-for-byte identical files and are
upgraded in lockstep. But once one of the involved packages gets
removed, the other one will lose its documentation files, too,
including the copyright file, which is a violation of Policy 12.5:
https://www.debian.org/doc/debian-policy/ch-docs.html#copyright-information

For other overwritten locations anything interesting may happen.

Note that dpkg intentionally does not replace directories with symlinks
and vice versa, you need the maintainer scripts to do this.
See in particular the end of point 4 in
https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html#details-of-unpack-phase-of-installation-or-upgrade

It is recommended to use the dpkg-maintscript-helper commands
'dir_to_symlink' and 'symlink_to_dir' (available since dpkg 1.17.14)
to perform the conversion, ideally using d/$PACKAGE.maintscript.
See dpkg-maintscript-helper(1) and dh_installdeb(1) for details.


From the attached log (scroll to the bottom...):

0m42.0s ERROR: FAIL: silently overwrites files via directory symlinks:
  /usr/share/doc/jed/NEWS.Debian.gz (jed) != /usr/share/doc/jed-common/NEWS.Debian.gz (jed-common)
/usr/share/doc/jed -> jed-common
  /usr/share/doc/jed/README.Debian (jed) != /usr/share/doc/jed-common/README.Debian (?)
/usr/share/doc/jed -> jed-common
  /usr/share/doc/jed/TODO.Debian (jed) != /usr/share/doc/jed-common/TODO.Debian (?)
/usr/share/doc/jed -> jed-common
  /usr/share/doc/jed/changelog.Debian.gz (jed) != /usr/share/doc/jed-common/changelog.Debian.gz (jed-common)
/usr/share/doc/jed -> jed-common
  /usr/share/doc/jed/changelog.gz (jed) != /usr/share/doc/jed-common/changelog.gz (jed-common)
/usr/share/doc/jed -> jed-common
  /usr/share/doc/jed/copyright (jed) != /usr/share/doc/jed-common/copyright (jed-common)
/usr/share/doc/jed -> jed-common

0m46.5s ERROR: FAIL: silently overwrites files via directory symlinks:
  /usr/share/doc/xjed/NEWS.Debian.gz (xjed) != /usr/share/doc/jed-common/NEWS.Debian.gz (jed-common)
/usr/share/doc/xjed -> jed-common
  /usr/share/doc/xjed/changelog.Debian.gz (xjed) != /usr/share/doc/jed-common/changelog.Debian.gz (jed-common)
/usr/share/doc/xjed -> jed-common
  /usr/share/doc/xjed/changelog.gz (xjed) != /usr/share/doc/jed-common/changelog.gz (jed-common)
/usr/share/doc/xjed -> jed-common
  /usr/share/doc/xjed/copyright (xjed) != /usr/share/doc/jed-common/copyright (jed-common)
/usr/share/doc/xjed -> jed-common


This is probably an older bug that never showed up in piuparts
since jed/xjed could not be tested after jed-common had failed.


cheers,

Andreas


jed_1:0.99.20~pre.178+dfsg-4.log.gz
Description: application/gzip
--- End Message ---
--- Begin Message ---
Source: jed
Source-Version: 1:0.99.20~pre.180+dfsg-1
Done: Rafael Laboissière 

We believe that the bug you reported is fixed in the latest version of
jed, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1036...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rafael Laboissière  (supplier of updated jed package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing

Bug#1035839: marked as done (jed-common: Fails to upgrade: new jed-common package pre-installation script subprocess returned error exit status 1)

2023-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2023 12:34:20 +
with message-id 
and subject line Bug#1035839: fixed in jed 1:0.99.20~pre.180+dfsg-1
has caused the Debian Bug report #1035839,
regarding jed-common: Fails to upgrade: new jed-common package pre-installation script subprocess returned error exit status 1
to be marked as done.



-- 
1035839: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035839
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: jed-common
Version: 1:0.99.20~pre.178+dfsg-3
Severity: serious

Hi,

I'm sorry to say, but it now fails elsewhere to upgrade from
1:0.99.20~pre.178+dfsg-1 to 1:0.99.20~pre.178+dfsg-3:

Preparing to unpack .../01-jed_1%3a0.99.20~pre.178+dfsg-3_amd64.deb ...
Unpacking jed (1:0.99.20~pre.178+dfsg-3) over (1:0.99.20~pre.178+dfsg-1) ...
Preparing to unpack .../02-jed-common_1%3a0.99.20~pre.178+dfsg-3_all.deb ...
dpkg: error processing archive /tmp/apt-dpkg-install-UN0WZQ/02-jed-common_1%3a0.99.20~pre.178+dfsg-3_all.deb (--unpack):
 new jed-common package pre-installation script subprocess returned error exit status 1
[…]
Errors were encountered while processing:
 /tmp/apt-dpkg-install-UN0WZQ/02-jed-common_1%3a0.99.20~pre.178+dfsg-3_all.deb
[…]
dpkg: dependency problems prevent configuration of jed:
 jed depends on jed-common (= 1:0.99.20~pre.178+dfsg-3); however:
  Version of jed-common on system is 1:0.99.20~pre.178+dfsg-1.

dpkg: error processing package jed (--configure):
 dependency problems - leaving unconfigured

I think the cause is this line in combination with "set -e":

  test -d $txtdir && rm -rf $txtdir

If the directory does not exist, it returns false because the test
failed. And due to the (totally legit) "set -e" it aborts there with
exit code not equal zero.

You likely need to replace it with a full if clause:

  if [ -d $txtdir ] ; then rm -rf $txtdir ; fi

Such code will not have this side effect.

-- System Information:
Debian Release: 12.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), 
(500, 'testing-security'), (500, 'buildd-unstable'), (110, 'experimental'), (1, 
'experimental-debug'), (1, 'buildd-experimental')
merged-usr: no
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-7-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages jed-common depends on:
pn  slsh  

jed-common recommends no packages.

Versions of packages jed-common suggests:
ii  emacs-gtk [info-browser]  1:28.2+1-14
ii  info [info-browser]   6.8-6+b1
iu  jed [info-browser]1:0.99.20~pre.178+dfsg-3
ii  konqueror [info-browser]  4:22.12.3-1
ii  pinfo [info-browser]  0.6.13-1.3

-- no debconf information

-- debsums errors found:
debsums: changed file /usr/share/doc/jed-common/changelog.Debian.gz (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/abbrev.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/color.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/compile.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/dfa.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/edt.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/emacs.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/filelock.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/fold.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/hooks.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/ide-mode.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/jed_faq.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/linux-keys.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/menus.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/mouse.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/pc-keys.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/program.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/recentx.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/
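An added demonstration (not the jed-common preinst and not part of the report) of when the quoted `test -d ... && rm -rf ...` line makes a `set -e` script exit non-zero, next to the `if` form proposed in Bug#1035839. The temporary paths are constructed, and the variable quoting and `--` are additions.

```shell
#!/bin/sh
# Added demonstration, constructed for this page; it is not the jed-common
# preinst. txtdir points into a throw-away temporary directory.

# The line quoted in the report and the proposed replacement. Variables are
# quoted here (an addition), so a path with spaces cannot split into words.
AND_LIST='test -d "$txtdir" && rm -rf -- "$txtdir"'
IF_FORM='if [ -d "$txtdir" ]; then rm -rf -- "$txtdir"; fi'

# Run $1 as the body of a separate `set -e` script with txtdir set to $2,
# and print the exit status that a caller such as dpkg would see.
script_status() {
    status=0
    txtdir="$2" sh -c "set -e
$1" >/dev/null 2>&1 || status=$?
    echo "$status"
}

# Case 1: the AND-list is the last command run and the directory is absent.
# The list's own status (1) becomes the script's exit status.
last_command_status() {
    script_status "$AND_LIST" "$1/missing"
}

# Case 2: same line, directory absent, but another command follows.
# `set -e` ignores a failure on the left of &&, so execution continues
# and the later command decides the exit status.
followed_status() {
    script_status "$AND_LIST
: next step" "$1/missing"
}

# Case 3: the if-form as the last command, directory absent.
# An `if` whose condition is false and has no else branch returns 0.
if_form_status() {
    script_status "$IF_FORM" "$1/missing"
}

# Case 4: the if-form still removes the directory when it exists.
if_form_removes() {
    mkdir -p "$1/present"
    script_status "$IF_FORM" "$1/present" >/dev/null
    if [ -d "$1/present" ]; then echo no; else echo yes; fi
}

demo() {
    tmp=$(mktemp -d)
    echo "AND-list, last command, dir missing : exit $(last_command_status "$tmp")"
    echo "AND-list, command follows, missing  : exit $(followed_status "$tmp")"
    echo "if-form, last command, dir missing  : exit $(if_form_status "$tmp")"
    echo "if-form removes existing directory  : $(if_form_removes "$tmp")"
    rm -rf -- "$tmp"
}
demo
```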

Bug#1035780: marked as done (jed-common: Fails to upgrade: unable to install new version of '/usr/share/jed/doc/txt/abbrev.txt': No such file or directory)

2023-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2023 12:34:20 +
with message-id 
and subject line Bug#1035780: fixed in jed 1:0.99.20~pre.180+dfsg-1
has caused the Debian Bug report #1035780,
regarding jed-common: Fails to upgrade: unable to install new version of '/usr/share/jed/doc/txt/abbrev.txt': No such file or directory
to be marked as done.



-- 
1035780: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035780
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: jed-common
Version: 1:0.99.20~pre.178+dfsg-2
Severity: serious

jed-common fails to upgrade from 1:0.99.20~pre.178+dfsg-1 to
1:0.99.20~pre.178+dfsg-2 for me as follows:

Preparing to unpack .../4-jed-common_1%3a0.99.20~pre.178+dfsg-2_all.deb ...
Unpacking jed-common (1:0.99.20~pre.178+dfsg-2) over (1:0.99.20~pre.178+dfsg-1) ...
dpkg: error processing archive /tmp/apt-dpkg-install-OeNOOg/4-jed-common_1%3a0.99.20~pre.178+dfsg-2_all.deb (--unpack):
 unable to install new version of '/usr/share/jed/doc/txt/abbrev.txt': No such file or directory
[…]
dpkg: dependency problems prevent configuration of jed:
 jed depends on jed-common (= 1:0.99.20~pre.178+dfsg-2); however:
  Version of jed-common on system is 1:0.99.20~pre.178+dfsg-1.

dpkg: error processing package jed (--configure):
 dependency problems - leaving unconfigured
[…]
Errors were encountered while processing:
 jed

-- System Information:
Debian Release: 12.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), 
(500, 'testing-security'), (500, 'buildd-unstable'), (110, 'experimental'), (1, 
'experimental-debug'), (1, 'buildd-experimental')
merged-usr: no
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-7-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages jed-common depends on:
ii  slsh  2.3.3-3

jed-common recommends no packages.

Versions of packages jed-common suggests:
ii  emacs-gtk [info-browser]  1:28.2+1-14
ii  info [info-browser]   6.8-6+b1
iu  jed [info-browser]1:0.99.20~pre.178+dfsg-2
ii  konqueror [info-browser]  4:22.12.3-1
ii  pinfo [info-browser]  0.6.13-1.3

-- no debconf information

-- debsums errors found:
debsums: changed file /usr/share/doc/jed-common/changelog.Debian.gz (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/abbrev.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/color.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/compile.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/dfa.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/edt.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/emacs.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/filelock.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/fold.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/hooks.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/ide-mode.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/jed_faq.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/linux-keys.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/menus.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/mouse.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/pc-keys.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/program.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/recentx.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/rgrep.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/rmail.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/script.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/sessions.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/syntax.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/txt/undo.txt (from jed-common package)
debsums: missing file /usr/share/doc/jed-common/

Bug#1035692: marked as done (jed-common: unhandled symlink to directory conversion: /usr/share/doc/jed-common/txt -> ../../jed/doc/txt)

2023-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2023 12:34:20 +
with message-id 
and subject line Bug#1035692: fixed in jed 1:0.99.20~pre.180+dfsg-1
has caused the Debian Bug report #1035692,
regarding jed-common: unhandled symlink to directory conversion: /usr/share/doc/jed-common/txt -> ../../jed/doc/txt
to be marked as done.



-- 
1035692: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035692
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: jed-common
Version: 1:0.99.20~pre.178+dfsg-1
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

an upgrade test with piuparts revealed that your package installs files
over existing symlinks and possibly overwrites files owned by other
packages. This usually means an old version of the package shipped a
symlink but that was later replaced by a real (and non-empty)
directory. This kind of overwriting another package's files cannot be
detected by dpkg.

This was observed on the following upgrade paths:

  bullseye -> bookworm

For /usr/share/doc/PACKAGE this may not be problematic as long as both
packages are installed, ship byte-for-byte identical files and are
upgraded in lockstep. But once one of the involved packages gets
removed, the other one will lose its documentation files, too,
including the copyright file, which is a violation of Policy 12.5:
https://www.debian.org/doc/debian-policy/ch-docs.html#copyright-information

For other overwritten locations anything interesting may happen.

Note that dpkg intentionally does not replace directories with symlinks
and vice versa, you need the maintainer scripts to do this.
See in particular the end of point 4 in
https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html#details-of-unpack-phase-of-installation-or-upgrade

It is recommended to use the dpkg-maintscript-helper commands
'dir_to_symlink' and 'symlink_to_dir' (available since dpkg 1.17.14)
to perform the conversion, ideally using d/$PACKAGE.maintscript.
See dpkg-maintscript-helper(1) and dh_installdeb(1) for details.


From the attached log (scroll to the bottom...):

0m39.5s ERROR: installs objects over existing directory symlinks:
  /usr/share/doc/jed-common/txt/abbrev.txt (jed-common) != /usr/share/jed/doc/txt/abbrev.txt (?)
/usr/share/doc/jed-common/txt -> ../../jed/doc/txt
  /usr/share/doc/jed-common/txt/color.txt (jed-common) != /usr/share/jed/doc/txt/color.txt (?)
/usr/share/doc/jed-common/txt -> ../../jed/doc/txt
  /usr/share/doc/jed-common/txt/compile.txt (jed-common) != /usr/share/jed/doc/txt/compile.txt (?)
/usr/share/doc/jed-common/txt -> ../../jed/doc/txt
  /usr/share/doc/jed-common/txt/dfa.txt (jed-common) != /usr/share/jed/doc/txt/dfa.txt (?)
/usr/share/doc/jed-common/txt -> ../../jed/doc/txt
  /usr/share/doc/jed-common/txt/edt.txt (jed-common) != /usr/share/jed/doc/txt/edt.txt (?)
/usr/share/doc/jed-common/txt -> ../../jed/doc/txt
  /usr/share/doc/jed-common/txt/emacs.txt (jed-common) != /usr/share/jed/doc/txt/emacs.txt (?)
/usr/share/doc/jed-common/txt -> ../../jed/doc/txt
  /usr/share/doc/jed-common/txt/filelock.txt (jed-common) != /usr/share/jed/doc/txt/filelock.txt (?)
/usr/share/doc/jed-common/txt -> ../../jed/doc/txt
  /usr/share/doc/jed-common/txt/fold.txt (jed-common) != /usr/share/jed/doc/txt/fold.txt (?)
/usr/share/doc/jed-common/txt -> ../../jed/doc/txt
  /usr/share/doc/jed-common/txt/hooks.txt (jed-common) != /usr/share/jed/doc/txt/hooks.txt (?)
/usr/share/doc/jed-common/txt -> ../../jed/doc/txt
  /usr/share/doc/jed-common/txt/ide-mode.txt (jed-common) != /usr/share/jed/doc/txt/ide-mode.txt (?)
/usr/share/doc/jed-common/txt -> ../../jed/doc/txt
  /usr/share/doc/jed-common/txt/jed_faq.txt (jed-common) != /usr/share/jed/doc/txt/jed_faq.txt (?)
/usr/share/doc/jed-common/txt -> ../../jed/doc/txt
  /usr/share/doc/jed-common/txt/linux-keys.txt (jed-common) != /usr/share/jed/doc/txt/linux-keys.txt (?)
/usr/share/doc/jed-common/txt -> ../../jed/doc/txt
  /usr/share/doc/jed-common/txt/menus.txt (jed-common) != /usr/share/jed/doc/txt/menus.txt (?)
/usr/share/doc/jed-common/txt -> ../../jed/doc/txt
  /usr/share/doc/jed-common/txt/mouse.txt (jed-common) != /usr/share/jed/doc/txt/mouse.txt (?)
/usr/share/doc/jed-common/txt -> ../../jed/doc/txt
  /usr/share/doc/jed-common/txt/pc-keys.txt (jed-common) != /usr/share/jed/doc/txt/pc-keys.txt (?)
/usr/share/doc/jed-common/txt -> ../../jed/doc/txt
  /usr/share/doc/jed-common/txt/program.txt (jed-common) != /usr/share/jed/doc/txt/program.txt (?)
/usr

Bug#1036847: marked as done (sofia-sip: CVE-2023-32307: heap-over-flow and integer-overflow in stun_parse_attr_error_code and stun_parse_attr_uint32)

2023-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2023 10:04:33 +
with message-id 
and subject line Bug#1036847: fixed in sofia-sip 1.12.11+20110422.1+1e14eea~dfsg-6
has caused the Debian Bug report #1036847,
regarding sofia-sip: CVE-2023-32307: heap-over-flow and integer-overflow in stun_parse_attr_error_code and stun_parse_attr_uint32
to be marked as done.



-- 
1036847: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036847
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: sofia-sip
Version: 1.12.11+20110422.1+1e14eea~dfsg-5
Severity: grave
Tags: security upstream
Forwarded: https://github.com/freeswitch/sofia-sip/pull/214
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for sofia-sip.

CVE-2023-32307[0]:
| Sofia-SIP is an open-source SIP User-Agent library, compliant with the
| IETF RFC3261 specification. Referring to
| [GHSA-8599-x7rq-fr54](https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54),
| several other potential
| heap-over-flow and integer-overflow in stun_parse_attr_error_code and
| stun_parse_attr_uint32 were found because the lack of attributes
| length check when Sofia-SIP handles STUN packets. The previous patch of
| [GHSA-8599-x7rq-fr54](https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54)
| fixed the vulnerability
| when attr_type did not match the enum value, but there are also
| vulnerabilities in the handling of other valid cases. The OOB read and
| integer-overflow made by attacker may lead to crash, high consumption
| of memory or even other more serious consequences. These issue have
| been addressed in version 1.13.15. Users are advised to upgrade.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-32307
https://www.cve.org/CVERecord?id=CVE-2023-32307
[1] https://github.com/freeswitch/sofia-sip/pull/214
[2] https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-rm4c-ccvf-ff9c
[3] https://github.com/freeswitch/sofia-sip/commit/c3bbc50c88d168065de34ca01b9b1d98c1b0e810

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: sofia-sip
Source-Version: 1.12.11+20110422.1+1e14eea~dfsg-6
Done: Evangelos Ribeiro Tzaras 

We believe that the bug you reported is fixed in the latest version of
sofia-sip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1036...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Evangelos Ribeiro Tzaras  (supplier of updated sofia-sip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Mon, 29 May 2023 11:36:38 +0200
Source: sofia-sip
Architecture: source
Version: 1.12.11+20110422.1+1e14eea~dfsg-6
Distribution: unstable
Urgency: medium
Maintainer: Debian VoIP Team 
Changed-By: Evangelos Ribeiro Tzaras 
Closes: 1036847
Changes:
 sofia-sip (1.12.11+20110422.1+1e14eea~dfsg-6) unstable; urgency=medium
 .
   * Add patch to fix reported CVE-2023-32307.
 For further information see:
 - CVE-2023-32307[0]
 [0] https://security-tracker.debian.org/tracker/CVE-2023-32307
https://www.cve.org/CVERecord?id=CVE-2023-32307 (closes: bug#1036847)

Bug#1034943: marked as done (liblxqt1-dev: missing Breaks+Replaces for liblxqt0-dev when upgrading from bullseye)

2023-05-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 May 2023 07:49:16 +
with message-id 
and subject line Bug#1034943: fixed in liblxqt 1.2.0-8
has caused the Debian Bug report #1034943,
regarding liblxqt1-dev: missing Breaks+Replaces for liblxqt0-dev when upgrading from bullseye
to be marked as done.



-- 
1034943: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034943
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: liblxqt1-dev
Version: 1.2.0-5
Severity: serious
Justification: dpkg unpack error

Attempting to unpack liblxqt1-dev/1.2.0-5 from Debian bookworm
on a minimal Debian bullseye with liblxqt0-dev/0.16.0-1
installed, causes an unpack error from dpkg due to
/usr/include/lxqt/LXQt/Application being contained in both packages.

| Selecting previously unselected package liblxqt1-dev.
| (Reading database ... 23632 files and directories currently installed.)
| Preparing to unpack .../liblxqt1-dev_1.2.0-5_amd64.deb ...
| Unpacking liblxqt1-dev (1.2.0-5) ...
| dpkg: error processing archive ./liblxqt1-dev_1.2.0-5_amd64.deb (--unpack):
|  trying to overwrite '/usr/include/lxqt/LXQt/Application', which is also in package liblxqt0-dev 0.16.0-1
| Errors were encountered while processing:
|  ./liblxqt1-dev_1.2.0-5_amd64.deb


Please ensure that liblxqt1-dev has sufficient Breaks and Replaces declarations.

Helmut
--- End Message ---
--- Begin Message ---
Source: liblxqt
Source-Version: 1.2.0-8
Done: ChangZhuo Chen (陳昌倬) 

We believe that the bug you reported is fixed in the latest version of
liblxqt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1034...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
ChangZhuo Chen (陳昌倬)  (supplier of updated liblxqt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Mon, 29 May 2023 03:12:02 +0800
Source: liblxqt
Architecture: source
Version: 1.2.0-8
Distribution: unstable
Urgency: medium
Maintainer: LXQt Packaging Team 
Changed-By: ChangZhuo Chen (陳昌倬) 
Closes: 1034943
Changes:
 liblxqt (1.2.0-8) unstable; urgency=medium
 .
   * Fix wrong Breaks/Replaces in liblxqt1-dev. (Closes: #1034943)