Bug#1022311: python-stdnum: FTBFS: AssertionError: Failed doctest test for test_no_fodselsnummer.doctest
On Thu, 2024-05-23 at 13:36 +0200, Santiago Vila wrote: > Arthur: Would be ok for you if I fix this in bullseye via team > upload? Please do, thanks. I only have limited time available at the moment and have quite a big backlog of issues to pick up so any help is really welcome. Thanks, -- -- arthur - adej...@debian.org - https://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#1072355: nss-pam-ldapd: upload with maintainer-built binaries cannot migrate
On Sat, 2024-06-01 at 14:59 +0200, Chris Hofstaedtler wrote: > thanks for uploading to unstable. However the upload included > maintainer-built binaries (for Arch: all and amd64). Migration to > testing of these is forbidden by release team policy. > Please upload a new version (no further changes needed) without any > binaries to let the package migrate. Thanks. I always seem to be confused about which changes file to upload :/ Anyway, I've just uploaded 0.9.12-7 which should be source-only again. -- -- arthur - adej...@debian.org - https://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#1022311: python-stdnum: FTBFS: AssertionError: Failed doctest test for test_no_fodselsnummer.doctest
On Sun, 2022-10-23 at 14:50 +0200, Lucas Nussbaum wrote: > During a rebuild of all packages in sid, your package failed to build > on amd64. A fix has just been uploaded and is part of version 1.18-1. If this ever needs to be backported for some reason the fix is trivial: https://arthurdejong.org/git/python-stdnum/commit/?id=1003033fa0e97726d92f47231f96cf02fb35869a -- -- arthur - art...@arthurdejong.org - https://arthurdejong.org/ -- signature.asc Description: This is a digitally signed message part
Bug#989409: nss-pam-ldapd's autopkgtest fails with OpenLDAP 2.5
On Fri, 2022-02-18 at 19:11 -0800, Ryan Tandy wrote:
> I removed "pwdMustChange: TRUE" from the policy and then the tests
> passed. Not sure if this is the correct fix, but at least I don't
> currently see anything in test_pamcmds.expect that would be expecting
> a forced reset?

Applying this change makes the autopkgtest pass again (this change has just been merged in Git). That means that the expected functionality of nss-pam-ldapd is tested properly.

The tests currently don't test the forced password reset by the user functionality (presence of pwdReset on a user account) and it seems that exact behaviour differs between LDAP server implementations (the password policy controls differ and the return code of the BIND operation may also differ).

It seems that currently nslcd (default configuration) rejects the login if a password change is needed on OpenLDAP 2.5. This can be worked around by setting "pam_authc_search NONE" in nslcd.conf which should not cause issues with most OpenLDAP LDAP servers.

I plan to upload a new version of the package soon. If anyone has any concerns regarding e.g. insufficient testing of the above use case, please let me know.

Kind regards,

--
-- arthur - adej...@debian.org - https://people.debian.org/~adejong --
Bug#1002047: reportbug: nslcd silently modifies /etc/nslcd.conf on upgrade, breaking authentication
Control: tags -1 + pending

On Mon, 2021-12-20 at 22:03 +0100, Thomas Fargeix wrote:
> The postinst script of nslcd silently modifies the configuration file
> /etc/nslcd.conf on package upgrades. It rewrites or adds settings
> without notification to the administrator.

Thanks for this report.

> In my case, the script appended "base dc=olddomain,dc=example,dc=org"
> during the dist-upgrade from Buster to Bullseye. After reboot, remote
> and local login to the server was broken except for root due to this
> change.

The base option is used by nslcd for both the post-login check (pam_authc_search) as well as the authorisation check (pam_authz_check). If you don't specify one on start-up nslcd will contact the LDAP server and try to get one from the server.

It turns out that the debconf scripts were not expecting the base option to be absent from nslcd.conf causing an old cached version of the value to be used.

> It also failed to consider the more precise "bases" that were already
> configured.

The debconf configuration does not support changing these options but they should be retained on any changes that happen through debconf.

> I would have expected the script to not modify the existing
> configuration or at least to warn me it had been modified.

I've had a quick look into adding logging (which would be nice) but that would require some restructuring in the postinst script because we now use sed to change nslcd.conf unconditionally. The postinst is already overly complex and I would like to avoid making it even longer.

Kind regards,

--
-- arthur - adej...@debian.org - https://people.debian.org/~adejong --
Bug#939259: webcheck: Python2 removal in sid/bullseye
On Mon, 2020-07-27 at 00:42 -0400, Sandro Tosi wrote:
> 9 months have passed and I don't see any progress on this porting to
> python3: last commits on https://arthurdejong.org/git/webcheck are
> from 2013 (!)
>
> Are you still interested in this program (which you wrote)? should we
> just remove it from Debian entirely?

Hi Sandro,

Thanks for the reminder. I haven't really found the time to work on webcheck for a while now so if removing it from Debian makes migration easier that would be fine.

If anyone is willing to help test/port a new version that would be really welcome though.

Kind regards,

--
-- arthur - adej...@debian.org - https://people.debian.org/~adejong --
Bug#937165: nss-pam-ldapd: Python2 removal in sid/bullseye
Control: tags -1 + upstream FWIW, I am working on supporting Python 3 upstream, see https://arthurdejong.org/git/nss-pam-ldapd/commit/?id=221ce5a2680c1a91b7b87a36d73be5c0ad7e5ddb This will be part of the upcoming 0.9.11 release. -- -- arthur - adej...@debian.org - https://people.debian.org/~adejong --
Bug#872798: nslcd: can be killed by the OOM Killer, DoS
Control: severity -1 normal

On Mon, 2017-08-21 at 13:17 +0200, Vincent Lefevre wrote:
> Severity: grave
> Justification: causes non-serious data loss and DoS from an end user.

The severity is a bit questionable and, at the very least, not a flaw in or unique to nslcd. Any local user that does not have resource limits applied to them can DoS the whole system easily so I'm lowering the severity to normal.

> It appears that nslcd can be killed by the OOM Killer when some user
> process takes all the memory. In such a case, it is no longer
> possible to connect to the machine by SSH. Thus this is DoS by an end
> user, with possible data loss concerning what is running on the
> machine.

The OOM is indeed a bit of Russian roulette on your system. You can tune it a bit with vm.panic_on_oom and vm.overcommit_memory sysctls or perform the following action that is equivalent to what newer nslcd does:

  echo -1000 > /proc/`cat /var/run/nslcd/nslcd.pid`/oom_score_adj

The patch should be pretty easy to backport though. I've put it on my list but can't really guarantee a turn-around-time.

Thanks,

--
-- arthur - adej...@debian.org - https://people.debian.org/~adejong --
Bug#851134: Info received (Bug#851134: nslcd crashes when losing contact with its server)
Control: severity -1 important On Tue, 2017-02-07 at 12:42 -0500, James Valleroy wrote: > Any update on this bug? Is it possible the severity could be lowered > until the analysis is complete? > > I have some packages (plinth, freedombox-setup) that depend on nslcd, > so I'm hoping that it won't be removed from testing. Lowering severity to important because I haven't been able to reproduce this issue yet and the package works in most configurations. I have done some tests with a simple ldaps:// connection and haven't been able to trigger a crash in nslcd. -- -- arthur - adej...@debian.org - https://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#851134: Info received (Bug#851134: nslcd crashes when losing contact with its server)
On Mon, 23 Jan 2017, Elizabeth Myers wrote: I can't reproduce it with nslcd -d. It happens reliably outside of it though. I will try to get a core dump. You probably want to avoid adding the core file to the bug report since it will probably contain your client's private SSL key. If you want me to look at it you can send the file to me securely via: https://arthurdejong.org/upload/ I will remove the file after analysing it. -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong --
Bug#851134: nslcd crashes when losing contact with its server
Hi Elizabeth,

I have been trying to reproduce this (nslcd 0.9.7-1, slapd 2.4.40+dfsg-1+deb8u2). I have not been able to reproduce this when not using SSL and the following nslcd.conf also works without problems for me:

  uid nslcd
  gid nslcd
  uri ldaps://192.168.12.1/
  base dc=thuis,dc=net
  tls_reqcert never
  tls_cacertfile /etc/ssl/certs/ca-certificates.crt
  reconnect_invalidate passwd,group

This leaves the following settings (mostly client-side certificates) which I haven't tested yet:

  sasl_mech EXTERNAL
  tls_reqcert demand
  tls_cacertfile /etc/ssl/certs/cacert.pem
  tls_key /etc/ssl/private/alakazam_ldap.key
  tls_cert /etc/ssl/certs/alakazam_ldap.pem

Now setting up CA infra for my test environment to see if I can reproduce this but it is a bit of a pain to integrate this into my scripts.

Having a backtrace would be very helpful.

Thanks,

--
-- arthur - adej...@debian.org - https://people.debian.org/~adejong --
Bug#851564: nslcd fails to start: postinst sets tls_cacertdir wrong
Control: found -1 nss-pam-ldapd/0.9.4-2 Control: tags -1 + pending On Mon, 2017-01-16 at 12:55 +0100, Thomas Wallrafen wrote: > See the attached nslcd.conf file (the version before the > upgrade). Thanks for providing the info. I tracked the bug down to a problem in the parsing of the configuration file. The bug itself was present in nss-pam-ldapd at least since 0.7.13 but it could only be triggered since 0.9.4-2 if you have a tls_cacertdir option specified. This option will most likely be ignored on Debian because I understand that GnuTLS does not use it. It is also not configured by default which probably explains why this was not found earlier. You can probably safely remove or comment out the tls_cacertdir option in nslcd.conf without any ill effects. This fix is pretty simple and a patch is attached for reference. I will prepare a fix for unstable and try to get a fix into jessie soon. Thanks, -- -- arthur - adej...@debian.org - https://people.debian.org/~adejong -- Index: debian/changelog === --- debian/changelog (revision 2159) +++ debian/changelog (working copy) @@ -3,8 +3,10 @@ * recommend ca-certificate which is needed due to adding tls_cacertfile by default (see #750949) and the checking of tls_cacertfile in 0.9.7 (closes: #836720) + * fix parsing of nslcd.conf tls_cacert option in package configuration +(closes: #851564) - -- Arthur de Jong <adej...@debian.org> Wed, 07 Sep 2016 23:10:45 +0200 + -- Arthur de Jong <adej...@debian.org> Tue, 17 Jan 2017 14:42:28 +0100 nss-pam-ldapd (0.9.7-1) unstable; urgency=medium Index: debian/nslcd.config === --- debian/nslcd.config (revision 2157) +++ debian/nslcd.config (working copy) 
@@ -27,7 +27,7 @@ if [ -z "$RET" ] || [ "$force" = "force" ] then # the first part avoids getting options that have an optional MAP parameter -cfgfile_value=`sed -n '/^'"$cfg_param"'[[:space:]]\(aliases\|ethers\|group\|hosts\|netgroup\|networks\|passwd\|protocols\|rpc\|services\|shadow\)[[:space:]]/!s/^'"$cfg_param"'[[:space:]]*\([^[:space:]].*[^[:space:]]\)[[:space:]]*$/\1/ip' "$cfgfile" | head -n 1` +cfgfile_value=`sed -n '/^'"$cfg_param"'[[:space:]][[:space:]]*\(aliases\|ethers\|group\|hosts\|netgroup\|networks\|passwd\|protocols\|rpc\|services\|shadow\)[[:space:]]/!s/^'"$cfg_param"'[[:space:]][[:space:]]*\([^[:space:]].*[^[:space:]]\)[[:space:]]*$/\1/ip' "$cfgfile" | head -n 1` [ -n "$cfgfile_value" ] && db_set "$debconf_param" "$cfgfile_value" fi # we're done signature.asc Description: This is a digitally signed message part
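Review bot: in the debian/nslcd.config hunk the value is still captured with `\([^[:space:]].*[^[:space:]]\)`, which needs at least two non-blank characters, so a one-character value is never handed to db_set; allowing a single non-blank character in the capture would close that gap. The reason for the change itself (one mandatory blank after $cfg_param, so that tls_cacert no longer matches the start of tls_cacertdir) deserves a comment above the sed line, because the existing comment only explains the MAP exclusion.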
Bug#851564: nslcd fails to start: postinst sets tls_cacertdir wrong
Hi,

On Mon, 2017-01-16 at 11:52 +0100, Thomas Wallrafen wrote:
> The aforementioned setting is probably added to the file via the
> postinstall script of the nslcd package. If one removes the line
> tls_cacertfile dir /etc/ssl/certs from the file /etc/nslcd.conf and
> runs
> # dpkg --configure -a
> the line reappears and nslcd is still unable to start.

Can you post your whole nslcd.conf file? Previously there was a tls_cacert option that got renamed to tls_cacertfile. There is also a tls_cacertdir option but that should not be used on Debian.

Also can you provide your debconf settings from

  # debconf-get-selections | grep ^nslcd | grep -v password

Thanks,

--
-- arthur - adej...@debian.org - https://people.debian.org/~adejong --
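The parsing problem behind this bug, reproduced as an added example that is not part of the original messages or of the package scripts. The sample nslcd.conf is constructed, the function names are hypothetical, the case-insensitive flag and the MAP exclusion of the real expression are left out, and the step that writes the old tls_cacert value back as tls_cacertfile is an assumption based on the rename described in the thread.

```shell
#!/bin/sh
# Constructed nslcd.conf (not the reporter's file). It contains tls_cacertdir
# but no tls_cacert line.
conf='uid nslcd
gid nslcd
uri ldap://ldap.example.com/
base dc=example,dc=com
tls_cacertdir /etc/ssl/certs'

# Lookup as it behaved before the fix: the parameter name may be followed by
# ZERO or more blanks, so "tls_cacert" also matches the start of
# "tls_cacertdir" and the rest of that line is returned as the value.
get_value_old() {
  printf '%s\n' "$conf" |
    sed -n 's/^'"$1"'[[:space:]]*\([^[:space:]].*[^[:space:]]\)[[:space:]]*$/\1/p' |
    head -n 1
}

# Lookup after the fix: at least ONE blank must follow the parameter name,
# so a longer option that merely shares the prefix is no longer matched.
get_value_new() {
  printf '%s\n' "$conf" |
    sed -n 's/^'"$1"'[[:space:]][[:space:]]*\([^[:space:]].*[^[:space:]]\)[[:space:]]*$/\1/p' |
    head -n 1
}

# Assumed migration step: a value found for the old tls_cacert option is
# written out under its new name tls_cacertfile. $1 is the lookup to use.
migrated_line() {
  value=$("$1" tls_cacert)
  [ -n "$value" ] && printf 'tls_cacertfile %s\n' "$value"
  return 0
}

echo "before fix: $(migrated_line get_value_old)"
echo "after fix:  $(migrated_line get_value_new)"
echo "tls_cacertdir itself is still readable: $(get_value_new tls_cacertdir)"
```

The first line printed is the broken setting quoted in the report, which points a file option at the string "dir /etc/ssl/certs".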
Bug#851134: nslcd crashes when losing contact with its server
On Thu, 2017-01-12 at 04:16 -0600, Elizabeth Myers wrote:
> When restarting the OpenLDAP server, nslcd often crashes on multiple
> servers with the following messages logged (I know they're not
> helpful but it's what I have at the moment):
>
> nslcd[14819]: segfault at 0 ip 7fdc51502ce4 sp 7fdc4e553fe0
> error 4 in libsasl2.so.2.0.25[7fdc514fb000+1a000]
> traps: nslcd[10619] general protection ip:7f0977bd322b
> sp:7f0974465bb0
> error:0 in libc-2.24.so[7f0977b5c000+195000]

Can you install the following packages and try to reproduce the crash:

  libc6-dbg libgnutls30-dbgsym libgssapi-perl-dbgsym libkrb5-dbg
  libldap-2.4-2-dbg libsasl2-2-dbgsym libsasl2-modules-db-dbgsym
  libsasl2-modules-dbgsym

(for installing the -dbgsym packages you probably need to add another repo to APT, see https://wiki.debian.org/AutomaticDebugPackages)

If you could run nslcd under gdb and trigger the crash:

  # gdb /usr/sbin/nslcd
  ...
  (gdb) r -d
  ... try to force the crash ...
  (gdb) thread apply all bt full

Alternatively sometimes valgrind provides very useful crash information.

Judging by the backtrace the crash is in libsasl2 which is used by libldap so I expect the bug to be in one of those packages but we probably need more information.

Thanks,

--
-- arthur - adej...@debian.org - https://people.debian.org/~adejong --
Bug#820025: python-pskc-doc: missing Breaks+Replaces: python-pskc (<< 0.4)
On Mon, 2016-04-04 at 22:35 +0200, Andreas Beckmann wrote: > during a test with piuparts I noticed your package fails to upgrade > from 'testing'. > It installed fine in 'testing', then the upgrade to 'sid' fails > because it tries to overwrite other packages files without declaring > a Breaks+Replaces relation. Thanks for pointing this out and thanks for the testing. I'll upload a fix shortly. Thanks, -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#820025: marked as pending
tag 820025 pending thanks Hello, Bug #820025 reported by you has been fixed in the Git repository. You can see the changelog below, and you can check the diff of the fix at: http://git.debian.org/?p=python-modules/packages/python-pskc.git;a=commitdiff;h=9e18041 --- commit 9e1804141d131cbc3f6d4564e4e10f601ddcaa28 Author: Arthur de Jong <adej...@debian.org> Date: Tue Apr 5 22:05:59 2016 +0200 Add Breaks/Replaces to allow upgrades from older versions (closes: #820025) diff --git a/debian/changelog b/debian/changelog index d3de377..1500cc2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +python-pskc (0.4-2) UNRELEASED; urgency=medium + + * Add Breaks/Replaces to allow upgrades from older versions +(closes: #820025) + + -- Arthur de Jong <adej...@debian.org> Tue, 05 Apr 2016 22:03:24 +0200 + python-pskc (0.4-1) unstable; urgency=medium * New upstream release:
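Review bot: the new debian/changelog entry says only "Add Breaks/Replaces" without naming the binary package or the version bound; the bug title asks for python-pskc-doc to declare Breaks+Replaces: python-pskc (<< 0.4), and putting that into the entry would make it checkable against debian/control, which is not part of the diff as shown here.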
Bug#794686: nslcd start script does not report starting failure
On Thu, 2016-02-11 at 14:13 +0300, Nikolay Shaplov wrote: > This bug was not fixed for debian jessie, as I can see... > And I think it should be fixed in all supported distributives, as it > can cause problems. Thanks for reminding me. I uploaded a new version for jessie yesterday. -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#794686: nslcd start script does not report starting failure
Control: tags -1 + pending On Wed, 2015-08-05 at 20:02 +0300, Nikolay Shaplov wrote: Package: nslcd Version: 0.9.4-3 Severity: serious Justification: fails to build from source Justification is not right but the init script return code is not according to policy so I'll leave it at serious. # /etc/init.d/nslcd stop [ ok ] Stopping nslcd (via systemctl): nslcd.service. # /etc/init.d/nslcd start [ ok ] Starting nslcd (via systemctl): nslcd.service. It does not report any problem, not to the console, not to the syslog It does report a problem to stderr but systemd seems to hide it when the return code is 0 (that was incorrect). The fix is to remove the last exit 0 from /etc/init.d/nslcd. Thanks for reporting this. -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#733869: python-stdnum: FTBFS: tries to access internet
Control: tags -1 + pending On Wed, 2014-01-01 at 20:22 +0400, Dmitry Shachnev wrote: Your package fails to build from source on machines which do not have internet connection. Thanks. I think the wrong thing ended up in setup.py. Will do a new upload shortly. Thanks, -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#706185: libpam-ldap: purging one architecture of this M-A:same package removes configuration still needed by the other architectures
On Thu, 2013-10-31 at 22:16 +0100, Petter Reinholdtsen wrote: Any plan for fixing this bug? This RC bug caused libpam-ldap to be removed from testing/jessie today. Perhaps it is better to migrate users of libpam-ldap to one of the alternative packages (libpam-ldapd or libpam-sssd) and drop libpam-ldap? I've tried to get libnss-ldap somewhat into shape and I'll also look at libpam-ldap at some point. Since my available time (and interest) is not always constant I can't make promises on a timeline for this. I did upload the packaging to collab-maint so contributions are welcome: http://anonscm.debian.org/viewvc/collab-maint/deb-maint/libpam-ldap/trunk/ (this is basically the same issue as #706182 in libnss-ldap) -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong --
Bug#727177: Upgrade of libnss-ldap to 265-1 causes important binaries to segfault
On Thu, 2013-10-24 at 10:25 -0400, Klee Dienes wrote: The issue is that libnss-ldap is ending up with a dependency on __libc_lock_lock, which was removed from glibc. Thanks for the pointer to the patch. I thought I tested the release before uploading but apparently I was mistaken. Sorry about that. Preparing another upload with this fix (I'll run some tests this time). A few other thoughts: * It might be nice to build nss-ldap with -Wimplicit -Werror or something along those lines. FTBFS is much better than fail-to-boot. * 'sudo' just crashes on null pointer dereference; 'su' complains about the link error. It'd be much better if the client apps would just ignore the missing nsswitch module. Patches are always welcome, however, libnss-ldap currently doesn't have a maintainer so if someone who actually regularly uses this package would step up to become maintainer that would help. I personally use nss-pam-ldapd which is easier to maintain and contains almost all features nss_ldap has but I understand some people still prefer nss_ldap so I uploaded a new release that should fix some bugs. Kind regards, -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#706182: libnss-ldap: purging deletes shared config file /etc/libnss-ldap.conf still in use by other architectures
On Wed, 2013-10-02 at 00:18 +0200, Petter Reinholdtsen wrote: [Arthur de Jong] I've been looking into how to fix this problem. I couldn't find a common solution to this problem. What about moving the configuration to an arch: all package and depend on it from the arch: any packages? A package with a single configuration file somehow seems wasteful. There must be other packages that face the same problem. In essence it is not much different from several packages sharing the same configuration file. Anyway, I'm about to upload a new package to unstable which includes a number of fixes and cleanups. Thanks, -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong --
Bug#706182: libnss-ldap: purging deletes shared config file /etc/libnss-ldap.conf still in use by other architectures
On Fri, 2013-04-26 at 02:10 +0200, Andreas Beckmann wrote: libnss-ldap has been converted to Multi-Arch: same, but manages the configuration file /etc/libnss-ldap.conf that is now shared between all installed architectures of the libnss-ldap package. The problem arises during purge: the configuration file is deleted even if there are still other architectures installed (or in config-files-remaining state) that share the ownership on that file. From the attached log (scroll to the bottom), observed during the following sequence: apt-get install libnss-ldap:amd64 apt-get install libnss-ldap:i386 dpkg --purge libnss-ldap:i386 0m25.8s ERROR: FAIL: After purging files have disappeared: /etc/libnss-ldap.conf not owned I've been looking into how to fix this problem. I couldn't find a common solution to this problem. The idea I've come up with so far is to run dpkg -s libnss-ldap in the postrm and check the Status field of the output. Will have to run some tests to see if this actually works and sensible status combinations. Any input or pointers are more than welcome. -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong --
Bug#718699: Changelog is not in UTF8
On Sun, 2013-08-04 at 15:19 +0200, Enrico Zini wrote: the package declares Standards-Version: 3.9.2 but the changelog is encoded in latin1. I've had a look at the changelog but the version currently in the python-modules Subversion repository is UTF-8 encoded. The fix was in r23712 while the file that went into the version that was uploaded does not seem to be in Subversion. It looks somewhat similar to r23711 but the upload also contains an outdated README.source and maintainer line. The next upload, if based on the current Subversion version, should be OK. -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#710640: libapache2-mod-python: FTBFS: x86_64-linux-gnu-gcc: error: /usr/lib/python2.7/config/libpython2.7.a: No such file or directory
Control fixed -1 libapache2-mod-python/3.3.1-10 Control tags -1 + fixed-in-experimental On Fri, 2013-05-31 at 21:53 +0200, David Suárez wrote: During a rebuild of all packages in sid, your package failed to build on amd64. This has been fixed in the version currently in experimental. The fix was taken from Ubuntu which has the same bug: https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-python/+bug/1098597 Thanks, -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong --
Bug#666796: Apache 2.4 upload date scheduled for May 30
On Thu, 2013-05-23 at 13:13 +0200, Arno Töll wrote: we are ready to upload Apache2 2.4 to Debian Sid now. This means the transition is effectively starting now, and going to break your modules.

I have been working on getting mod_python into shape (somewhat). I have cleaned up the packaging (switch to dh_python2, dh sequencer, quilt 3.0 source format, etc.). I also tried to clean up a little (removing code for upgrades from ancient versions, etc.).

As a last step I've upgraded the code to build using Apache 2.4 and switched the maintainer scripts to use apache2-maintscript-helper (actually using dh_apache2 resulted in the removal of all maintainer scripts).

In the patch (20_apach24.patch) I only made the absolute minimal number of changes to allow mod_python to be buildable and loadable by Apache (breaking some functionality in the process, see the patch). This is far from a nice solution. I only did minimal testing (that the module loads).

I've uploaded the updated package to experimental. I don't know yet if I'm 100% comfortable with uploading this to unstable. If someone can do more thorough testing, that would be very welcome. I don't think I can upload the package to unstable in a specific time slot.

The package is in the DPMT repository:

  Vcs-Svn: svn://anonscm.debian.org/python-modules/packages/libapache2-mod-python/trunk/
  Vcs-Browser: http://anonscm.debian.org/viewvc/python-modules/packages/libapache2-mod-python/trunk/

In any case, if no-one steps up, removing mod_python from testing to get Apache 2.4 in is probably the best option. The number of users of mod_python should be limited (everyone should be using mod_wsgi).

--
-- arthur - adej...@debian.org - http://people.debian.org/~adejong --
Bug#690319: Fix regression for kfreebsd-{i386,amd64} builds (#690319/CVE-2013-0288)
On Tue, 2013-05-07 at 21:00 +0200, Salvatore Bonaccorso wrote: Thanks for notifying. Yes, indeed nss-pam-ldapd did not build for kfreebsd-amd64 and kfreebsd-i386. As the FTBFS is a regression for the kfreebsd builds when applying the initial fix for CVE-2013-0288 I think we should release an updated version targeting squeeze-security to include the fix for it and send an updated DSA. Thanks. Attached is a debdiff with the version I'd like to upload. As indicated before it also provides a fix for RC bug #700971 which happens on package upgrades in some environments. -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- diff -Nru nss-pam-ldapd-0.7.15+squeeze3/debian/changelog nss-pam-ldapd-0.7.15+squeeze4/debian/changelog --- nss-pam-ldapd-0.7.15+squeeze3/debian/changelog 2013-02-15 23:04:03.0 +0100 +++ nss-pam-ldapd-0.7.15+squeeze4/debian/changelog 2013-05-11 20:17:27.0 +0200 @@ -1,3 +1,11 @@ +nss-pam-ldapd (0.7.15+squeeze4) stable-security; urgency=low + + * fix FTBFS on kFreeBSD (see #690319) + * debian/nslcd.config: handle options that are specified multiple times +in nslcd.conf consistently (closes: #700971) + + -- Arthur de Jong adej...@debian.org Sat, 11 May 2013 20:00:00 +0200 + nss-pam-ldapd (0.7.15+squeeze3) stable-security; urgency=high * SECURITY FIX: Garth Mollett discovered that a file descriptor overflow diff -Nru nss-pam-ldapd-0.7.15+squeeze3/common/tio.c nss-pam-ldapd-0.7.15+squeeze4/common/tio.c --- nss-pam-ldapd-0.7.15+squeeze3/common/tio.c 2013-02-12 22:03:06.0 +0100 +++ nss-pam-ldapd-0.7.15+squeeze4/common/tio.c 2013-05-02 09:54:49.0 +0200 @@ -185,7 +185,7 @@ /* prepare our filedescriptorset */ if (fp-fd=FD_SETSIZE) { - errno=EBADFD; + errno=EBADF; return -1; } FD_ZERO(fdset); 
@@ -397,7 +397,7 @@ /* prepare our filedescriptorset */ if (fp-fd=FD_SETSIZE) { -errno=EBADFD; +errno=EBADF; return -1; } FD_ZERO(fdset); diff -Nru nss-pam-ldapd-0.7.15+squeeze3/debian/nslcd.config nss-pam-ldapd-0.7.15+squeeze4/debian/nslcd.config --- nss-pam-ldapd-0.7.15+squeeze3/debian/nslcd.config 2012-01-15 09:27:33.0 +0100 +++ nss-pam-ldapd-0.7.15+squeeze4/debian/nslcd.config 2013-02-22 21:05:14.0 +0100 @@ -78,7 +78,7 @@ if [ -z $uris ] then hosts=`sed -n 's/^host[[:space:]]*//ip' $cfgfile` - port=`sed -n 's/^port[[:space:]]*//ip' $cfgfile | tail -n 1` + port=`sed -n 's/^port[[:space:]]*//ip' $cfgfile | head -n 1` for host in $hosts do if [ -z $port ] || (echo $host | grep -q ':' ) @@ -95,21 +95,21 @@ db_get nslcd/ldap-base if [ -z $RET ] then -searchbase=`sed -n 's/^base[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/ip' $cfgfile | tail -n 1` +searchbase=`sed -n 's/^base[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/ip' $cfgfile | head -n 1` [ -n $searchbase ] db_set nslcd/ldap-base $searchbase fi # find binddn db_get nslcd/ldap-binddn if [ -z $RET ] then -binddn=`sed -n 's/^binddn[[:space:]]*//ip' $cfgfile | tail -n 1` +binddn=`sed -n 's/^binddn[[:space:]]*//ip' $cfgfile | head -n 1` db_set nslcd/ldap-binddn $binddn fi # find bindpw db_get nslcd/ldap-bindpw if [ -z $RET ] then -bindpw=`sed -n 's/^bindpw[[:space:]]*//ip' $cfgfile | tail -n 1` +bindpw=`sed -n 's/^bindpw[[:space:]]*//ip' $cfgfile | head -n 1` db_set nslcd/ldap-bindpw $bindpw fi # check ssl option 
@@ -128,7 +128,7 @@ db_get nslcd/ldap-reqcert if [ -z $RET ] then -reqcert=`sed -n 's/^tls_\(reqcert\|checkpeer\)[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\2/ip' $cfgfile | tail -n 1` +reqcert=`sed -n 's/^tls_\(reqcert\|checkpeer\)[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\2/ip' $cfgfile | head -n 1` # normalise value reqcert=`echo $reqcert | tr 'A-Z' 'a-z' | sed 's/^no$/never/;s/^yes$/demand/;s/^hard$/demand/'` [ -n $reqcert ] db_set nslcd/ldap-reqcert $reqcert signature.asc Description: This is a digitally signed message part
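Review bot: the two common/tio.c hunks (at lines 185 and 397) change the same errno assignment inside two copies of the same FD_SETSIZE guard, with nothing recording why; a short comment at each site, or one shared helper, saying that EBADF is used because EBADFD is not available on kFreeBSD would keep a later edit from reintroducing the build failure in only one of them.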
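Review bot: in debian/nslcd.config the reads of port, base, binddn, bindpw and reqcert switch from `tail -n 1` to `head -n 1`, but nothing in the script says why the first occurrence is the right one; a comment stating that the read has to pick the same occurrence that the write-back replaces would document the invariant behind #700971. In the first of these hunks `hosts` still collects every host line while `port` now takes only the first, which is worth confirming as intended.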
Bug#690319: lookup fail to contact nslcd when first 1024 filedescriptor are already used (select)
On Wed, 2013-05-01 at 23:05 +0100, Steven Chamberlain wrote: I noticed (by chance) there is a problem with the squeeze-security patch for #690319; it introduces a regression on kfreebsd and has not built. I'm not sure where to find build logs of this, or if they are public, but I think it is due to using a non-standard EBADFD errno (file descriptor in bad state). I don't think the security build logs are public (even after the advisory is released) and I hadn't noticed the build failure before. Perhaps EBADF (is not a valid file descriptor / bad file number) would be suitable instead and is more portable; please consider attached bug690319-amend-1.diff This looks like the right approach. The exact value of errno doesn't make that much of a difference in this case. I've applied this change upstream and am willing to prepare a 0.7.15+squeeze4 package. I think it's up to the security team to decide whether this should go to stable or stable-security. One thing to consider is that I'd also like to fix RC bug #700971 (the bug report contains the patch that would be applied). People run into this bug when installing a security update for nss-pam-ldapd. Thanks for pointing this out, -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong --
Bug#696445: nslcd: Discards local modifications in nslcd.conf without warning
Control: severity -1 important Control: tags -1 + unreproducible On Fri, 2013-03-01 at 16:02 -0800, Russ Allbery wrote: Should this bug be downgraded until it can be confirmed as reproducible? I also looked through the postinst script and, while it's complex, I didn't see any obvious way in which it could produce the behavior described here. I'll downgrade to important and mark it as unreproducible. Once more information is present or the bug is reproducible I'll up the severity again. The postinst is indeed a bit complex which is mainly due to the fact that I want to support setting up a basic configuration with Debconf (with a smooth upgrade path from libnss-ldap and reasonable guesses for defaults). It currently also supports preseeding and reconfiguring an already present configuration which adds to the complexity. Suggestions for another approach or ways to improve the current situation are more than welcome. Thanks, -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong --
Bug#700971: nslcd mangles config file upon update
Control: fixed -1 0.8.5 Control: tags -1 + patch On Thu, 2013-02-21 at 01:09 +, Mark Cunningham wrote: Before install, I get the defaults I configured when installed the package. I set these to non used variables and created the nslcd.conf myself. I've been able to find the problem: the package configuration scripts don't do the modifications properly when an option is specified multiple times in nslcd.conf. This is allowed for the base keyword. When reading the configuration file, the last value from the configuration file is used but when writing back the changes the first option is replaced. This was fixed in 0.8.5 to both read and write the first option only which means the configuration should no longer be mangled in those cases (debconf configuration still doesn't support configuring with multiple base options though). The change that went into 0.8.5 is here: http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1567view=revision Attached is a patch which has basically the same change for 0.7.15+squeeze3. Also, the 0.8 packaging has been updated to be more robust in parsing and writing the configuration. Btw, in nslcd.conf you currently have: base ou=users,ou=users,dc=example,dc=com base ou=groups,dc=example,dc=com while this is probably what is meant: base passwd ou=users,ou=users,dc=example,dc=com base group ou=groups,dc=example,dc=com The way is more efficient because if you have two base statements two searches are always performed. If I understand the process, are debian scripts actually parsing out options that you've configured and attempting to regenerate the config file? Yes. The package tries to guess reasonable defaults during installation (e.g. if libnss_ldap was installed before, look in DNS for a likely search base, etc.). The package also supports managing most common configurations with: dpkg-reconfigure nslcd The package also supports pre-seeding (setting site-wide defaults for automated installation). 
If a configuration file is already in place it should take the values of the configuration file instead of using pre-seeded or guessed values. Should it not be done the same as any other package with a changed config file. You're prompted to install the package maintainer's version or keep your own and have the ability of doing a diff. Not to mention there doesn't actually seem to be any changes needed in this case. Why even attempt to mess with the config file at all? It is a little more complicated than that. When managing configuration files as described you will not get prompts to install the maintainer's version (the two mechanisms are mutually exclusive). Hope this clarifies a few things. Thanks for the bug report and providing the detailed information that made it possible to track down this issue. I will try to get this into an update for squeeze if possible. -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- Property changes on: . ___ Modified: svn:mergeinfo Merged /nss-pam-ldapd:r1566 Index: debian/nslcd.config === --- debian/nslcd.config (revision 1926) +++ debian/nslcd.config (working copy) @@ -78,7 +78,7 @@ if [ -z $uris ] then hosts=`sed -n 's/^host[[:space:]]*//ip' $cfgfile` - port=`sed -n 's/^port[[:space:]]*//ip' $cfgfile | tail -n 1` + port=`sed -n 's/^port[[:space:]]*//ip' $cfgfile | head -n 1` for host in $hosts do if [ -z $port ] || (echo $host | grep -q ':' ) 
@@ -95,21 +95,21 @@ db_get nslcd/ldap-base if [ -z $RET ] then -searchbase=`sed -n 's/^base[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/ip' $cfgfile | tail -n 1` +searchbase=`sed -n 's/^base[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/ip' $cfgfile | head -n 1` [ -n $searchbase ] db_set nslcd/ldap-base $searchbase fi # find binddn db_get nslcd/ldap-binddn if [ -z $RET ] then -binddn=`sed -n 's/^binddn[[:space:]]*//ip' $cfgfile | tail -n 1` +binddn=`sed -n 's/^binddn[[:space:]]*//ip' $cfgfile | head -n 1` db_set nslcd/ldap-binddn $binddn fi # find bindpw db_get nslcd/ldap-bindpw if [ -z $RET ] then -bindpw=`sed -n 's/^bindpw[[:space:]]*//ip' $cfgfile | tail -n 1` +bindpw=`sed -n 's/^bindpw[[:space:]]*//ip' $cfgfile | head -n 1` db_set nslcd/ldap-bindpw $bindpw fi # check ssl option @@ -128,7 +128,7 @@ db_get nslcd/ldap-reqcert if [ -z $RET ] then -reqcert=`sed -n 's/^tls_\(reqcert\|checkpeer\)[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\2/ip' $cfgfile | tail -n 1` +reqcert=`sed -n 's/^tls_\(reqcert\|checkpeer\)[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\2/ip' $cfgfile | head -n 1` # normalise value reqcert=`echo $reqcert | tr 'A-Z' 'a-z' | sed 's/^no$/never/;s/^yes$/demand/;s/^hard$/demand/'` [ -n $reqcert ] db_set nslcd/ldap-reqcert $reqcert
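Review bot: the switch from tail -n 1 to head -n 1 is applied to port, binddn, bindpw and tls_reqcert as well as base, while the explanation in the message only covers base, the one keyword it says may appear more than once. Please confirm that the write side in the postinst (not part of this diff) also replaces the first occurrence of each of these options, otherwise debconf reads one line and rewrites another again; for tls_reqcert that mismatch would end up changing which certificate-checking level is written back. A one-line comment above the first head -n 1 saying why the first match is used would save the next reader the archaeology.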
Bug#700971: nslcd mangles config file upon update
On Tue, 2013-02-19 at 21:29 +, Mark Cunningham wrote: Originally: nslcd: 0.7.15+squeeze2 file: nslcd.orig After installing nslcd: 0.7.15+squeeze3 file nslcd.conf diff nslcd.* 16c16 base ou=groups,dc=example,dc=com --- base ou=users,ou=users,dc=example,dc=com Thanks, this provides some information to go on. Do you happen to have information from debconf after and perhaps before the upgrade? The configuration can be dumped with: debconf-show nslcd If you don't have a backup of /var/cache/debconf/ it could be that a config.dat-old file is present with different information. Do you remember if there were any debconf prompts during the upgrade? Thanks, -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#690319: lookup fail to contact nslcd when first 1024 filedescriptor are already used (select)
Control: tags -1 + security It has been determined that this bug has security implications and CVE-2013-0288 has been assigned to this issue. For more details see the upstream advisory: http://arthurdejong.org/nss-pam-ldapd/CVE-2013-0288 A Debian security advisory for this issue will be issued shortly and a 0.7.15+squeeze3 release will be made available. -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#696445: nslcd: Discards local modifications in nslcd.conf without warning
Hi Arno, On Sun, 2012-12-23 at 12:39 +0100, Arthur de Jong wrote: Do you by any chance have the configuration file before and after the upgrade? Also, can you confirm that this debconf information was in place after the upgrade for the broken machine: * nslcd/ldap-auth-type: none * nslcd/ldap-base: dc=loos,dc=site nslcd/ldap-binddn: * nslcd/ldap-reqcert: try nslcd/ldap-sasl-authcid: nslcd/ldap-sasl-authzid: nslcd/ldap-sasl-krb5-ccname: /var/run/nslcd/nslcd.tkt nslcd/ldap-sasl-mech: nslcd/ldap-sasl-realm: nslcd/ldap-sasl-secprops: * nslcd/ldap-starttls: true * nslcd/ldap-uris: ldap://gnome.loos.site ldap://genie.loos.site Do you recall if any debconf prompts were shown during the upgrade? Can you provide some more information on this bugreport? Without more information I won't be able to look into this. Thanks, -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#696445: nslcd: Discards local modifications in nslcd.conf without warning
On Thu, 2012-12-20 at 22:24 +0100, Arno wrote: Which was caused by the removal of the line tls_cacertfile /etc/ssl/certs/loos.site.pem from nslcd.conf on upgrade. This is really weird, nslcd package scripts shouldn't do anything with this option (neither this version or any before). Do you by any chance have the configuration file before and after the upgrade? Also, can you confirm that this debconf information was in place after the upgrade for the broken machine: * nslcd/ldap-auth-type: none * nslcd/ldap-base: dc=loos,dc=site nslcd/ldap-binddn: * nslcd/ldap-reqcert: try nslcd/ldap-sasl-authcid: nslcd/ldap-sasl-authzid: nslcd/ldap-sasl-krb5-ccname: /var/run/nslcd/nslcd.tkt nslcd/ldap-sasl-mech: nslcd/ldap-sasl-realm: nslcd/ldap-sasl-secprops: * nslcd/ldap-starttls: true * nslcd/ldap-uris: ldap://gnome.loos.site ldap://genie.loos.site Do you recall if any debconf prompts were shown during the upgrade? Thanks, -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#696445: nslcd: Discards local modifications in nslcd.conf without warning
On Fri, 2012-12-21 at 12:40 +0100, Dominik George wrote: I have looked into the config and postinst script to find some hints on why this might happen. Here are some remarks, be they relevant or not: Thanks for the feedback. Always good to have another set of eyes looking at the code. - Using backticks in shell scripts is incompatible and might break with some shells, POSIX says use $() I will consider replacing backticks with $() but this requires very careful testing because backslash handling seems to be different. I occasionally make shellscripts that also have to work on Solaris where /bin/sh doesn't have $(). - postinst, line 93: Just replacing any occurrence of nss-ldapd with nslcd in the config file is a bit over the top and might^Wwill break. Simple, and bug-related, example: user has their cacertfile stored in /etc/ssl/certs/nss-ldapd-cacert.pem or something. A fix would be to use look-around assertions on ^# to only replace matches on lines that are comments. Thanks, I'll drop the conversion code because that is only useful for upgrades from before version 0.7 (when upgrading from lenny). Neither of these things should be a problem for this particular bug and I don't think these changes should be in the release targeted towards wheezy (although the second change is simple enough). Arno, can you provide the config files of the two systems from *before* they got clobbered? When sending them to the BTS as attachments, please gzip them beforehand due to #695627 breaking plaintext attachments. I don't think you sent your message to Arno but I've asked again. Thanks for looking into this, -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#682752:
Control: tags -1 + patch On Sat, 2012-11-03 at 01:47 -0400, Michael Gilbert wrote: reopen 682752 thanks This still affects unstable. The change that was meant to fix this bug is in http://anonscm.debian.org/loggerhead/pkg-cups/cups-filters/debian-trunk/revision/62/debian/copyright however the copyright file was updated for 1.0.20 with another addition for 1.0.22 so it is not completely correct for 1.0.18. Attached is a patch to fix the 1.0.18-2 debian/copyright file. It is loosely based on the changes from experimental but should be mostly valid for 1.0.18. It is probably not perfect (I haven't done an exhaustive review) but at least it is a big improvement and should fix the reported problems. The copyright file can probably be further simplified by aggregating copyright years and first having a Files: * section that lists the global license and copyright holders and after that only list the exceptions. -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- --- debian/copyright.orig 2012-11-10 15:36:53.0 +0100 +++ debian/copyright 2012-11-10 17:18:35.0 +0100 
@@ -5,25 +5,47 @@ Files: AUTHORS.txt CHANGES.txt - acloacl.m4 - configure - install-sh - debian/* -Copyright: 2012, Till Kamppeter till.kamppe...@gmail.com + INSTALL.txt + Makedefs.in + Makefile + README.txt + config.h.in + configure.in +Copyright: 2007-2011 Apple Inc. + 1997-2007 Easy Software Products +License: GPL-2 + +Files: aclocal.m4 +Copyright: 1996-2009 Free Software Foundation, Inc. + 2004 Scott James Remnant sc...@netsplit.com +License: GPL2+ + +Files: configure +Copyright: 1999-2009 Free Software Foundation, Inc. +License: + This configure script is free software; the Free Software Foundation + gives unlimited permission to copy, distribute and modify it. + +Files: install-sh +Copyright: 2008-2009 Apple Inc. + 1991 Massachusetts Institute of Technology +License: MIT + +Files: debian/* +Copyright: 1999-2003 Jeff Licquia licq...@debian.org + 2003-2007 Kenshi Muto km...@debian.org + 2007-2012 Martiin Pitt mp...@debian.org + 2012 Till Kamppeter till.kamppe...@gmail.com + 2009 Canonical Ltd. License: GPL-2+ -Files: debian/local/textonly* debian/local/text.convs +Files: filter/textonly + ppd/textonly.ppd Copyright: 2003-2006 Red Hat, Inc. - 2003-2006 Tim Waugh twa...@redhat.com -License: GPL-2 + 2003-2006 Tim Waugh twa...@redhat.com +License: GPL-2+ -Files: config.h.in - configure.in - INSTALL.txt - LICENSE.txt - README.txt - Makedefs.in - Makefile +Files: backend/* config-scripts/* scripting/* 
@@ -41,22 +63,25 @@ filter/pcl-common.h filter/pcl.h filter/pdftops.c - filter/pdfutils.c - filter/pdfutils.h filter/rastertoescpx.c filter/rastertopclx.c filter/textcommon.c filter/textcommon.h -Copyright: 2007-2011, Apple Inc. - 1997-2007, Easy Software Products. +Copyright: 2007-2011 Apple Inc. + 1997-2007 Easy Software Products. + 2012 Till Kamppeter till.kamppe...@gmail.com License: GPL-2 Files: cupsfilters/* -Copyright: 2007-2011, Apple Inc. - 1997-2007, Easy Software Products. +Copyright: 2007-2011 Apple Inc. + 1997-2007 Easy Software Products License: LGPL-2 Files: filter/fontembed/* +Copyright: 2008, 2012 Tobias Hoffmann +License: MIT + +Files: filter/pdf.utf-8.heavy filter/pdf.utf-8.simple filter/pdfutils.c @@ -64,19 +89,23 @@ filter/test_pdf1.c filter/test_pdf2.c filter/texttopdf.c -Copyright: 2008, Tobias Hoffmann. - 2007, Apple Inc. - 1993-2007, Easy Software Products. +Copyright: 2008-2012 Tobias Hoffmann + 2007 Apple Inc. + 1993-2007 Easy Software Products License: GPL-2 -Files: filter/pstopdf.in +Files: fontembed/* +Copyright: 2008, 2012 Tobias Hoffmann +License: MIT + +Files: filter/pstopdf Copyright: 2003, Robert Sander robert.san...@epigenomics.com 2008-2012, Till Kamppeter till.kamppe...@gmail.com License: GPL-2 Files: filter/imagetopdf.c -Copyright: 1993-2006, Easy Software Products. - 2006-2007, BBR Inc. +Copyright: 1993-2006 Easy Software Products + 2006-2007 BBR Inc. License: GPL-2 Files: filter/banner.c 
@@ -93,19 +122,25 @@ filter/testprint filter/topsecret filter/unclassified -Copyright: 2012, Canonical Ltd. +Copyright: 2012 Canonical Ltd. License: GPL-3 -Files: pdftoopvp/* - pdftopdf/* - filter/pdftoraster.cxx - ppd/HP-PhotoSmart_Pro_B8300-hpijs-pdftoijs.ppd -Copyright: Copyright 2006-2011, BBR Inc. All rights reserved. +Files: filter/pdftoraster.cxx +Copyright: 2008-2011 BBR Inc. +License: Expat + +Files: filter/PDFError.h +Copyright: 2012 BBR Inc. License: Expat +Files: filter/pdftopdf/* +Copyright: 2006-2011 BBR Inc. + 2012 Tobias Hoffmann +License: MIT + Files: filter/pdftoijs.cxx -Copyright: 2008, BBR Inc. All rights reserved. - 2008, Tobias Hoffmann +Copyright: 2008 BBR Inc. + 2008 Tobias Hoffmann License: Expat License: GPL-2 @@ -189,3
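Review bot: in the first hunk (@@ -5,25 +5,47 @@) the new aclocal.m4 stanza uses the short name "GPL2+" while every other stanza uses "GPL-2" or "GPL-2+"; as written it will not match a stand-alone License paragraph, so it should read "License: GPL-2+". In the same hunk the debian/* stanza spells a holder "Martiin Pitt", which looks like a typo for "Martin Pitt".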
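Review bot: the hunks at @@ -41,22 +63,25 @@ and @@ -64,19 +89,23 @@ leave two stanzas with identical content, "Files: filter/fontembed/*" and "Files: fontembed/*", both "2008, 2012 Tobias Hoffmann" under MIT. Only one of these paths can be right for the 1.0.18 tree; please check which directory exists and drop the other stanza, since a Files pattern that matches nothing hides the fact that the real directory is undocumented.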
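Review bot: the last visible hunk (@@ -93,19 +122,25 @@) mixes "License: Expat" (filter/pdftoraster.cxx, filter/PDFError.h, filter/pdftoijs.cxx) with "License: MIT" (filter/pdftopdf/*), and earlier hunks add more "MIT" stanzas. The machine-readable copyright format uses "Expat" as the short name for this licence text, and each distinct short name needs its own stand-alone License paragraph; unless the texts really differ, use "Expat" throughout so one paragraph covers them all.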
Bug#692472: ncpfs - Fails with Cannot convert kernel release 3.6-trunk-amd64 to number
Control: tags -1 + patch On Tue, 2012-11-06 at 16:25 +0100, Bastian Blank wrote: ncpmount fails on current Debian kernels with: | Cannot convert kernel release 3.6-trunk-amd64 to number It expects three digits, but this is no longer the case. Attached is a patch, suitable for being dropped in debian/patches that short-circuits the test altogether. I haven't tested it because I haven't used IPX in a few years. -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- Description: avoid doing a kernel version check to handle 3.x kernels This patch takes out the kernel version checks that were in place in ncpfs. The checks in place have some special handling for kernels older than 2.5.31. Since no-one is expected to use these old kernels any more it is easiest to remove the checks. Author: Arthur de Jong adej...@debian.org Bug-Debian: http://bugs.debian.org/692472 --- a/sutil/ncpm_common.c +++ b/sutil/ncpm_common.c @@ -244,6 +244,8 @@ static int load_ncpfs(void) #endif /* MOUNT2 */ static int getmountver(void) { +/* + Commented out because this is only useful for kernels before 2.5.31. struct utsname name; int maj, mid, rev; int ver; @@ -261,6 +263,7 @@ static int getmountver(void) { return 3; if (ver 0x2051F) return 4; +*/ return 5; } signature.asc Description: This is a digitally signed message part
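Review bot: in getmountver() the old body is disabled with a /* ... */ pair that spans both hunks, so any comment in the lines between them (not shown in the diff) would close the block early and re-enable part of the version parsing. Since the Description says the checks are taken out, deleting the block, or wrapping it in #if 0 / #endif, would be safer than a block comment, and it would let the compiler flag any now-unused include or variable. The message also says the patch is untested, which is worth stating in the patch header.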
Bug#692471: ncpfs - Fails to build to times
Control: tags -1 + patch On Tue, 2012-11-06 at 16:24 +0100, Bastian Blank wrote: | dpkg-source: info: local changes detected, the modified files are: | ncpfs-2.2.6/include/private/libncp-atomic.h Attached is a trivial patch which fixes this issue. -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- --- debian/rules.orig 2012-11-10 22:43:30.0 +0100 +++ debian/rules 2012-11-10 22:53:13.0 +0100 @@ -38,6 +38,7 @@ dh_testroot rm -f build-stamp install-stamp po/de.gmo rm -f config.sub config.guess + rm -f include/private/libncp-atomic.h # Add here commands to clean up after the build process. [ ! -f Makefile ] || $(MAKE) distclean signature.asc Description: This is a digitally signed message part
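Review bot: the added rm -f include/private/libncp-atomic.h in the clean target carries no comment saying where the header comes from. dpkg-source reported the file as modified, which suggests it is shipped in the source and rewritten during the build; if so, deleting it in clean only works as long as every build regenerates it, and the line sits before the $(MAKE) distclean step, which may itself expect the tree as configured. Please add a one-line comment naming what generates the header, and consider moving the rm after the distclean line.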
Bug#682648: python-gnupg: FTBFS: test hangs for 60 mins
Control: tags -1 + patch On Mon, 2012-09-10 at 15:33 +0200, Elena ``of Valhalla'' wrote: Yes, I've been working to add the switch via the above feature, but it is breaking other tests, and I didn't have time to fix those further failures yet. I've had a look at this and made a patch for using the --quick-random option during the tests. The patch itself is perhaps not nice enough for upstream but it works. It modifies the doctests in the module which might also be useful as documentation for people using the API. They should obviously not always pass --quick-random. This significantly brings down the build time. BTW, where is the --quick-random switch documented? I couldn't find anything in the manpage, info nor by googling. It is only vaguely documented in the GnuPG FAQ. The insecure key thing is not documented at all (as far as I could find). I looked in the GnuPG source for that. I'm not sure if version 0.3.1 would be fit for wheezy or if too much has changed for bugs that are not RC, or if I should just backport the command-line arguments feature to 0.3.0 to fix this bug (which is quite trivial), and consider 0.3.1 and further releases for backports.d.o. I've based this patch on 0.3.1 because IMO it is better to ship 0.3.1 than a 0.3.0 version patched with 80% of the changes from 0.3.1. Using 0.3.1 allows dropping of two of the three existing patches. Also, 0.3.1 seems to be well tested by upstream and has only two other changes: one bugfix and one added feature to check the trust level of the key used when verifying signatures. Attached is a debdiff with the relevant changes (upstream changes and removal of patches stripped out). Unless anyone objects I'm going to commit this to the python-modules SVN repository. Any objections to an upload with this fix? I can also contact the release team to request an unblock. 
Thanks, -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- diff -Nru python-gnupg-0.3.0/debian/changelog python-gnupg-0.3.1/debian/changelog --- python-gnupg-0.3.0/debian/changelog 2012-05-18 12:05:01.0 +0200 +++ python-gnupg-0.3.1/debian/changelog 2012-10-20 22:14:39.0 +0200 @@ -1,3 +1,23 @@ +python-gnupg (0.3.1-1) UNRELEASED; urgency=low + + * New upstream release: +- Issue #45: Allow additional arguments to gpg executable. +- Issue #50: Use latin-1 encoding in tests when it's known to be required. +- Issue #51: Test now returns non-zero exit status on test failure. +- Issue #53: Now handles INV_SGNR and KEY_NOT_CREATED statuses. +- Issue #55: Verification and decryption now return trust level of + signer in integer and text form. + * Drop allow_test_to_run_under_c_locale.patch because upstream change for +issue #50 fixes this. + * Drop return_nonzero_on_test_failure.patch because this is fixed in +upstream issue #41. + * Refresh skip_network_needing_test.patch. + * Add use_quick_random_in_tests.patch to patch the testsuite to pass the +--quick-random option to the gpg command to make it buildable in +environments with limited entropy (Closes: #682648). + + -- Arthur de Jong adej...@debian.org Sat, 20 Oct 2012 19:09:44 +0200 + python-gnupg (0.3.0-1) unstable; urgency=low * New upstream release diff -Nru python-gnupg-0.3.0/debian/patches/series python-gnupg-0.3.1/debian/patches/series --- python-gnupg-0.3.0/debian/patches/series 2012-05-18 07:18:18.0 +0200 +++ python-gnupg-0.3.1/debian/patches/series 2012-10-20 22:02:33.0 +0200 
@@ -1,3 +1,2 @@ skip_network_needing_test.patch -return_nonzero_on_test_failure.patch -allow_test_to_run_under_c_locale.patch +use_quick_random_in_tests.patch diff -Nru python-gnupg-0.3.0/debian/patches/skip_network_needing_test.patch python-gnupg-0.3.1/debian/patches/skip_network_needing_test.patch --- python-gnupg-0.3.0/debian/patches/skip_network_needing_test.patch 2012-03-27 15:45:15.0 +0200 +++ python-gnupg-0.3.1/debian/patches/skip_network_needing_test.patch 2012-10-20 22:16:32.0 +0200 @@ -1,9 +1,10 @@ Description: Skip a doctest snippet that requires internet access Forwarded: not-needed Author: Elena Grandi elena.valha...@gmail.com + --- a/gnupg.py +++ b/gnupg.py -@@ -744,11 +744,11 @@ +@@ -791,11 +791,11 @@ class GPG(object): def recv_keys(self, keyserver, *keyids): Import a key from a keyserver diff -Nru python-gnupg-0.3.0/debian/patches/use_quick_random_in_tests.patch python-gnupg-0.3.1/debian/patches/use_quick_random_in_tests.patch --- python-gnupg-0.3.0/debian/patches/use_quick_random_in_tests.patch 1970-01-01 01:00:00.0 +0100 +++ python-gnupg-0.3.1/debian/patches/use_quick_random_in_tests.patch 2012-10-20 22:15:28.0 +0200 @@ -0,0 +1,96 @@ +Description: Pass --quick-random to all gpg commands in tests + This ensures that the test suite passes --quick-random option to the gpg + command to make it buildable in environments with limited entropy. + . + The --quick
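Review bot: the changelog hunk says return_nonzero_on_test_failure.patch is dropped "because this is fixed in upstream issue #41", but the upstream list a few lines above gives "Issue #51: Test now returns non-zero exit status on test failure"; one of the two numbers is wrong and should be corrected before upload. Separately, use_quick_random_in_tests.patch passes --quick-random "to all gpg commands in tests", and the message notes that the doctests in the module are touched too and that the option is tied to insecure keys; the doctests double as API documentation, so either keep the option out of them or state next to it, and in the patch Description, that it is for the test suite only.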
Bug#690319: lookup fail to contact nslcd when first 1024 filedescriptor are already used (select)
On Fri, 2012-10-12 at 16:04 +0200, Adrien Urban wrote: When trying to get the identity, after establishing the connection (connect /var/run/nslcd/socket), it uses select to wait on it. If the filedescriptor is over 1024, it still uses FD_SET to write outside of the fd_set, and calls select with a max at 1024. The select won't have any fd to check, and will timeout. Thanks for reporting this and providing the detailed test. I guess the proper solution is to switch to poll() instead of select(). A smaller change would be to implement a check to see if the FD would fit in the set. Example provided with binary id. First noticed it after tracing nginx having *a lot* of log files, and crashing less than a minute after starting. Attached files : bug.c - example of sources used to show the bug cli.txt - example usage, and results from previous prog trace.log - strace showing the select dpkg.txt - list of packages on a box where the trace was generated trace.log is missing but with bug.c I can reproduce the problem easily. Thanks. Btw, I first couldn't reproduce the problem because I had nscd running (which also may be a good idea in your configuration) so that is at least a workaround in some cases. The patches with minimal changes for the 0.7 and 0.8 branches are here: http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1782view=revision http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1781view=revision With this patch the id command will still fail but it will do so quickly and memory shouldn't be corrupted. I will work on switching to poll() instead. Thanks, -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
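The two fixes discussed in the message above, as an added example that is not part of the thread and is not nss-pam-ldapd code: a select() wrapper that refuses a descriptor that does not fit in an fd_set (failing with EBADF, the errno suggested elsewhere in this thread) and a poll() wrapper that has no such limit. All function names are hypothetical, and the helper that obtains a descriptor above FD_SETSIZE assumes the process may raise its open-file limit.

```c
/* Added example; function names are hypothetical, not from nss-pam-ldapd. */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* Minimal-change fix: check that fd fits in an fd_set before FD_SET().
   Returns 1 if readable, 0 on timeout, -1 on error with errno set. */
int wait_readable_select(int fd, int timeout_ms)
{
  fd_set fds;
  struct timeval tv;
  int rc;
  if (fd < 0 || fd >= FD_SETSIZE)
  {
    /* FD_SET(fd, ...) would write outside the fd_set here */
    errno = EBADF;
    return -1;
  }
  FD_ZERO(&fds);
  FD_SET(fd, &fds);
  tv.tv_sec = timeout_ms / 1000;
  tv.tv_usec = (timeout_ms % 1000) * 1000;
  rc = select(fd + 1, &fds, NULL, NULL, &tv);
  if (rc < 0)
    return -1;
  return rc > 0 ? 1 : 0;
}

/* poll() is handed the descriptor number itself, so any valid fd works. */
int wait_readable_poll(int fd, int timeout_ms)
{
  struct pollfd pfd;
  int rc;
  if (fd < 0)
  {
    errno = EBADF; /* poll() silently ignores negative descriptors */
    return -1;
  }
  pfd.fd = fd;
  pfd.events = POLLIN;
  pfd.revents = 0;
  rc = poll(&pfd, 1, timeout_ms);
  if (rc < 0)
    return -1;
  if (rc == 0)
    return 0;
  if (pfd.revents & POLLNVAL)
  {
    errno = EBADF;
    return -1;
  }
  return 1; /* POLLIN, POLLHUP or POLLERR: a read() will not block */
}

/* Test helper: duplicate fd onto a number >= FD_SETSIZE, raising the soft
   open-file limit if needed. Returns the new fd, or -1 if not possible. */
int dup_above_fd_setsize(int fd)
{
  struct rlimit rl;
  rlim_t want = FD_SETSIZE + 16;
  if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
    return -1;
  if (rl.rlim_cur < want)
  {
    if (rl.rlim_max != RLIM_INFINITY && rl.rlim_max < want)
      return -1;
    rl.rlim_cur = want;
    if (setrlimit(RLIMIT_NOFILE, &rl) != 0)
      return -1;
  }
  return fcntl(fd, F_DUPFD, FD_SETSIZE);
}

int main(void)
{
  int p[2], hi;
  /* constructed input: a pipe with one byte waiting to be read */
  if (pipe(p) != 0 || write(p[1], "x", 1) != 1)
    return 1;
  printf("fd %d: select=%d poll=%d\n", p[0],
         wait_readable_select(p[0], 100), wait_readable_poll(p[0], 100));
  hi = dup_above_fd_setsize(p[0]);
  if (hi >= 0)
    printf("fd %d: select=%d poll=%d\n", hi,
           wait_readable_select(hi, 100), wait_readable_poll(hi, 100));
  return 0;
}
```

With the check in place the select() path fails at once for a high descriptor instead of timing out or corrupting memory, which matches the behaviour the message describes for the minimal patch.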
Bug#678559: pysvn: ftbs with svn 1.7
tags 678559 + fixed-upstream patch thanks It seems that this requires a new upstream release of pysvn. The 1.7.6 version release notes: http://pysvn.tigris.org/ds/viewMessage.do?dsForumId=1333dsMessageId=2930777 The diff between 1.7.5 and 1.7.6 appears to be rather large though: 268 files changed, 35301 insertions(+), 40135 deletions(-) but excluding Win/Mac build scripts, bundled PyCXX, test logs, auto-generated files and other not relevant files it seems more manageable: 27 files changed, 367 insertions(+), 425 deletions(-) Anyway, attached is a patch to the 1.7.5-1.1 packaging to upgrade to 1.7.6. I haven't really tested the resulting packages yet but at least the build works now. Can someone test resulting packages? (btw, it would be nice if the package was in the DPMT repository) -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- diff -Naur pysvn-1.7.5/debian/changelog pysvn-1.7.6/debian/changelog --- pysvn-1.7.5/debian/changelog 2011-12-05 13:30:36.0 +0100 +++ pysvn-1.7.6/debian/changelog 2012-07-18 23:46:04.0 +0200 @@ -1,3 +1,11 @@ +pysvn (1.7.6-0.1) UNRELEASED; urgency=low + + * Non-maintainer upload. + * New upstream release. + * Drop the 01-setup_configure.patch which should be integrated upstream. + + -- Arthur de Jong adej...@debian.org Wed, 18 Jul 2012 23:03:31 +0200 + pysvn (1.7.5-1.1) unstable; urgency=low * Non maintainer upload. diff -Naur pysvn-1.7.5/debian/patches/series pysvn-1.7.6/debian/patches/series --- pysvn-1.7.5/debian/patches/series 2011-08-14 21:27:17.0 +0200 +++ pysvn-1.7.6/debian/patches/series 2012-07-18 23:03:19.0 +0200 @@ -1 +0,0 @@ -01-setup_configure.patch diff -Naur pysvn-1.7.5/debian/rules pysvn-1.7.6/debian/rules --- pysvn-1.7.5/debian/rules 2011-12-04 23:15:09.0 +0100 +++ pysvn-1.7.6/debian/rules 2012-07-18 23:38:36.0 +0200 
@@ -53,9 +53,10 @@ rm -f $(if $(filter $*, 2.4 2.5),backport/)Source/*.o $(if $(filter $*, 2.4 2.5),backport/)Source/Makefile cd $(if $(filter $*, 2.4 2.5),backport/)Source python$* setup.py configure \ --pycxx-src-dir=/usr/share/python$*/CXX \ - --pycxx-dir=/usr/share/python$*/CXX \ + --pycxx-dir=/usr/include/python$* \ --svn-lib-dir=/usr/lib/$(DEB_HOST_MULTIARCH) \ --apr-inc-dir=$(APR_INC) \ + --apu-inc-dir=$(APR_INC) \ # --norpath PYSVN_BUILD_REVISION=1 \ @@ -69,9 +70,10 @@ rm -f $(if $(filter $*, 2.4 2.5),backport/)Source/*.o $(if $(filter $*, 2.4 2.5),backport/)Source/Makefile cd $(if $(filter $*, 2.4 2.5),backport/)Source python$*-dbg setup.py configure \ --pycxx-src-dir=/usr/share/python$*/CXX \ - --pycxx-dir=/usr/share/python$*/CXX \ + --pycxx-dir=/usr/include/python$* \ --svn-lib-dir=/usr/lib/$(DEB_HOST_MULTIARCH) \ --apr-inc-dir=$(APR_INC) \ + --apu-inc-dir=$(APR_INC) \ # --norpath PYSVN_BUILD_REVISION=1 \ signature.asc Description: This is a digitally signed message part
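Review bot: both hunks change --pycxx-dir to /usr/include/python$* but leave --pycxx-src-dir at /usr/share/python$*/CXX, and the new --apu-inc-dir reuses $(APR_INC), which only works while the apr-util headers live in the same directory as the apr ones. A separate variable for the apr-util include path (or a comment saying the two are known to coincide) would make that assumption visible. The changelog entry drops 01-setup_configure.patch because it "should be integrated upstream"; please verify that against the 1.7.6 source before upload, since the message says the resulting packages have not been tested.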
Bug#670133: nslcd: /etc/nslcd.conf's binddn/bindpw removed during upgrade
tags 670133 + pending thanks On Mon, 2012-04-23 at 12:14 +0200, Luca Capello wrote: Basically, with today's upgrade, my /etc/nslcd.conf was automatically changed and the LDAP setup completely broke. Thank you for the detailed bug report and analysis. It helped me greatly in pinpointing the bug. Strangely enough, this should have already been fixed by #610117. Some debugging and the problem in my case was clear: I did not use debconf/dpkg-reconfigure to configure nslcd (which is perfectly fine, no configuration method is mandatory in Debian), thus given that debconf's nslcd/ldap-auth-type was empty /var/lib/dpkg/info/nslcd.postinst:212 thinks that there is no authentication at all. After some digging it turned out that the change for #610117 which was introduced in 0.8.2 was actually the cause of the problem. If the authtype was set in debconf (by default none which is probably why you saw the problem) the configuration is overwritten. I've changed the functionality to always determine the authtype based on the configuration file if it is present and only use the debconf guessing from #610117 if installing for the first time. The problem is present on the debconf's side as well, reproducible with: I found a nice way to trigger the underlying bug is to use debconf to configure no authentication, then change the config by hand with the binddn and bindpw options and then reinstall or upgrade. It seems the /etc/nslcd.conf handling is in some way broken :-( Although debconf is very nice, it is very difficult to provide configuration options that can both be preseeded and retain the system administrator's modifications that have been made outside of debconf. Thanks, -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#656808: gnome-settings-daemon: segmentation fault after some use
On Sun, 2012-01-22 at 00:08 +0100, Michael Biebl wrote: Could you please downgrade libglib2.0 (and related packages) to 2.30.2-4, ie. the version from testing and see if the gnome-settings-daemon crashes go away? Will try that if all else fails or things get too annoying. What would also be helpful, if you could get a backtrace resp. core dump. For that install the libglib2.0-0-dbg package and either run gnome-settings-daemon in gdb, or set ulimit [1] accordingly. I have seen a few more crashes: Jan 22 11:58:03 sorbet kernel: [ 7621.074371] gnome-settings-[2716]: segfault at 8 ip f70d4d5e sp ffe81780 error 4 in libglib-2.0.so.0.3000.2[f704c000+fa000] Jan 23 17:51:36 sorbet kernel: [ 424.210862] gnome-settings-[2594]: segfault at 8 ip f700bd5e sp ffa07270 error 4 in libglib-2.0.so.0.3000.2[f6f83000+fa000] Jan 24 19:41:28 sorbet kernel: [11173.155305] gnome-settings-[2525]: segfault at 8 ip f704ed5e sp ffd787a0 error 4 in libglib-2.0.so.0.3000.2[f6fc6000+fa000] Jan 25 22:07:47 sorbet kernel: [24255.787654] gnome-settings-[25544]: segfault at 8 ip f70a9d5e sp ffa7ed20 error 4 in libglib-2.0.so.0.3000.2[f7021000+fa000] Jan 28 07:57:29 sorbet kernel: [68784.224014] gnome-settings-[2539]: segfault at 8 ip f705dd5e sp ffbe53b0 error 4 in libglib-2.0.so.0.3000.2[f6fd5000+fa000] Jan 28 09:03:13 sorbet kernel: [72727.948421] gnome-settings-[11291]: segfault at 8 ip f70f5d5e sp ffb96b10 error 4 in libglib-2.0.so.0.3000.2[f706d000+fa000] Jan 28 09:08:27 sorbet kernel: [73042.976550] gnome-settings-[16452]: segfault at 8 ip f701bd5e sp fff12040 error 4 in libglib-2.0.so.0.3000.2[f6f93000+fa000] Jan 29 13:28:13 sorbet kernel: [15102.880243] gnome-settings-[14174]: segfault at 8 ip f7082d5e sp ff9e3990 error 4 in libglib-2.0.so.0.3000.2[f6ffa000+fa000] but have not been able to get a core dump for some reason. ulimit -c says unlimited but no core file could be found. I will now try to attach gdb to it to try to catch a crash. 
I still don't know how to trigger a crash which makes this a wait-and-see game for now. The good news is that gnome-session doesn't seem to lobotomise itself that often and gnome-settings-daemon seems to be restarted. Now the theme just goes back to basic for a few seconds and then comes back. Thanks -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#656808: gnome-settings-daemon: segmentation fault after some use
Package: gnome-settings-daemon Version: 3.2.2-2 Severity: critical Justification: breaks unrelated software Occasionally gnome-settings-daemon crashes and the friendly but oh so useless Oh no! Something has gone wrong. message in Gnome pops up and all the things I'm working on are unavailable. Crashes from my logs: Jan 20 14:37:22 sorbet kernel: [14770.849397] gnome-settings-[2656]: segfault at 8 ip f7005d5e sp fff505e0 error 4 in libglib-2.0.so.0.3000.2[f6f7d000+fa000] Jan 20 15:07:19 sorbet kernel: [16567.521009] gnome-settings-[29507]: segfault at 8 ip f7051d5e sp fffac020 error 4 in libglib-2.0.so.0.3000.2[f6fc9000+fa000] Jan 21 13:15:14 sorbet kernel: [ 2030.375351] gnome-settings-[4764]: segfault at 8 ip f7052d5e sp ff8bfe60 error 4 in libglib-2.0.so.0.3000.2[f6fca000+fa000] Jan 21 21:20:48 sorbet kernel: [31163.588260] gnome-settings-[5880]: segfault at 8 ip f707bd5e sp ffcec900 error 4 in libglib-2.0.so.0.3000.2[f6ff3000+fa000] I cannot correlate the crashes to something I am doing but last time I was typing in Geany. There does not appear to be any useful information in ~/.xsession-errors. Is there any useful way I can provide more debugging info? Do you know what package is responsible for the BSOD equivalent? I just lost quite some work over this and only offering logout without the possibility to allow me to save my work is really annoying, especially if all applications are otherwise working fine (judging by the gnome-shell activities overview mode). Thanks (sorry about the tone of this, I'm a bit angry about the BSOD issue). 
-- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental') Architecture: i386 (x86_64) Kernel: Linux 3.2.0-1-amd64 (SMP w/2 CPU cores) Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages gnome-settings-daemon depends on: ii dconf-gsettings-backend [gsettings-backend] 0.10.0-3 ii dpkg 1.16.1.2 ii gsettings-desktop-schemas3.2.0-2 ii libatk1.0-0 2.2.0-2 ii libc62.13-24 ii libcairo-gobject21.10.2-6.2 ii libcairo21.10.2-6.2 ii libcanberra-gtk3-0 0.28-3 ii libcanberra0 0.28-3 ii libcolord1 0.1.15-3 ii libcomerr2 1.42-1 ii libcups2 1.5.0-15 ii libdbus-1-3 1.4.16-1 ii libdbus-glib-1-2 0.98-1 ii libfontconfig1 2.8.0-3 ii libfreetype6 2.4.8-1 ii libgconf2-4 3.2.3-1 ii libgcrypt11 1.5.0-3 ii libgdk-pixbuf2.0-0 2.24.0-2 ii libglib2.0-0 2.30.2-5 ii libgnome-desktop-3-2 3.2.1-3 ii libgnome2-common 2.32.1-2 ii libgnomekbd7 3.2.0-1 ii libgnutls26 2.12.16-1 ii libgssapi-krb5-2 1.10+dfsg~beta1-2 ii libgtk-3-0 3.2.3-1 ii libgudev-1.0-0 175-3 ii libk5crypto3 1.10+dfsg~beta1-2 ii libkrb5-31.10+dfsg~beta1-2 ii liblcms2-2 2.2+git20110628-2 ii libnotify4 0.7.4-1 ii libpackagekit-glib2-14 0.7.2-2 ii libpango1.0-01.29.4-2 ii libpolkit-gobject-1-00.104-1 ii libpulse-mainloop-glib0 1.1-2 ii libpulse01.1-2 ii libsqlite3-0 3.7.9-2 ii libupower-glib1 0.9.15-1 ii libx11-6 2:1.4.4-4 ii libxfixes3 1:5.0-4 ii libxi6 2:1.4.5-1 ii libxklavier165.1-3 ii nautilus-data3.2.1-2 ii zlib1g 1:1.2.3.4.dfsg-3 Versions of packages gnome-settings-daemon recommends: ii hwdata 0.233-1 ii pulseaudio 1.1-2 Versions of packages gnome-settings-daemon suggests: ii gnome-screensaver3.2.0-2+b1 ii metacity [x-window-manager] 1:2.34.1-2 ii mutter [x-window-manager]3.2.1-2 ii x11-xserver-utils7.6+3 -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- signature.asc
Bug#636166: exiftran: dies with Segmentation fault when rotating an image
On Tue, 2011-09-27 at 22:22 +0200, Moritz Mühlenhoff wrote: Feel free to NMU, either with Steve's patch or by updating to 2.08. Otherwise I'll upload a fix in a few weeks myself. I've uploaded 2.07-8.1. I've introduced a patch that just uses the jpeg/08 files from 2.08. I've had a quick look at a new upstream version but the upstream tarball seems to be repacked and uses a different name so this was a quick fix. I'm not sure about the fbi package but I've tested exiftran and the reported issue is fixed. -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#636166: exiftran: dies with Segmentation fault when rotating an image
Subject: exiftran: dies with Segmentation fault when rotating an image
Package: exiftran
Version: 2.07-8
Justification: renders package unusable
Severity: grave

exiftran dies when it tries to rotate a JPEG file:

$ ./exiftran -a -i -p ../20110711163247.jpg
processing ../20110711163247.jpg
Segmentation fault

It doesn't seem to depend on the picture (it seems to happen with all portrait pictures I just got off my camera). Attached is a backtrace with a version of exiftran built while keeping the symbols.

I did notice this during the build:

/usr/bin/ld: warning: libjpeg.so.62, needed by /usr/lib/libtiff.so, may conflict with libjpeg.so.8

but don't know whether it is relevant as the stacktrace doesn't include libjpeg code directly. I haven't been able to get another combination of libjpeg*-dev and libtiff*-dev installed together to test whether it may be relevant.

From a quick look at the code it seems that exiftran uses libjpeg internals and perhaps the meaning of comp_info has changed between libjpeg62 and libjpeg8?

-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (x86_64)
Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages exiftran depends on:
ii libc6 2.13-13 Embedded GNU C Library: Shared lib
ii libexif12 0.6.20-1 library to parse EXIF files
ii libjpeg8 8c-2 Independent JPEG Group's JPEG runt

-- -- arthur - adej...@debian.org - http://people.debian.org/~adejong --

$ gdb exiftran
GNU gdb (GDB) 7.2-debian Copyright (C) 2010 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type show copying and show warranty for details. This GDB was configured as i486-linux-gnu.
For bug reporting instructions, please see: http://www.gnu.org/software/gdb/bugs/... Reading symbols from /tmp/1/fbi-2.07/exiftran...done. (gdb) r -a -i -p ../20110711163247.jpg Starting program: /tmp/1/fbi-2.07/exiftran -a -i -p ../20110711163247.jpg processing ../20110711163247.jpg Program received signal SIGSEGV, Segmentation fault. transpose_critical_parameters (dstinfo=0xc7fc) at jpeg/transupp.c:656 656 itemp = compptr-h_samp_factor; (gdb) bt #0 transpose_critical_parameters (dstinfo=0xc7fc) at jpeg/transupp.c:656 #1 0x0804b487 in jtransform_adjust_parameters (srcinfo=0xc618, dstinfo=0xc7fc, src_coef_arrays=0x805eec4, info=0xc5b4) at jpeg/transupp.c:785 #2 0x0804a668 in do_transform (src=0xc618, dst=0xc7fc, transform=JXFORM_ROT_90, comment=0x0, thumbnail=0x0, tsize=0, flags=1) at jpegtools.c:442 #3 0x0804aa3a in do_thumbnail (transform=JXFORM_ROT_90, ed=value optimized out) at jpegtools.c:297 #4 0x0804a7b4 in do_exif (src=0xcb6c, dst=0xcd50, transform=JXFORM_ROT_90, comment=0x0, thumbnail=0x0, tsize=0, flags=547) at jpegtools.c:362 #5 do_transform (src=0xcb6c, dst=0xcd50, transform=JXFORM_ROT_90, comment=0x0, thumbnail=0x0, tsize=0, flags=547) at jpegtools.c:423 #6 0x0804ab7f in jpeg_transform_fp (in=0x8052008, out=0x8052198, transform=4294967295, comment=0x0, thumbnail=0x0, tsize=0, flags=547) at jpegtools.c:491 #7 0x0804ae3d in jpeg_transform_inplace (file=0xd52c ../20110711163247.jpg, transform=4294967295, comment=0x0, thumbnail=0x0, tsize=0, flags=547) at jpegtools.c:588 #8 0x08049ac4 in main (argc=5, argv=0xd364) at exiftran.c:263 (gdb) bt full #0 transpose_critical_parameters (dstinfo=0xc7fc) at jpeg/transupp.c:656 tblno = value optimized out i = value optimized out j = value optimized out ci = value optimized out itemp = value optimized out compptr = 0x78 qtblptr = value optimized out dtemp = 120 qtemp = value optimized out #1 0x0804b487 in jtransform_adjust_parameters (srcinfo=0xc618, dstinfo=0xc7fc, src_coef_arrays=0x805eec4, info=0xc5b4) at 
jpeg/transupp.c:785 No locals. #2 0x0804a668 in do_transform (src=0xc618, dst=0xc7fc, transform=JXFORM_ROT_90, comment=0x0, thumbnail=0x0, tsize=0, flags=1) at jpegtools.c:442 src_coef_arrays = 0x805eec4 dst_coef_arrays = value optimized out transformoption = {transform = JXFORM_ROT_90, trim = 0, force_grayscale = 0, num_components = 3, workspace_coef_arrays = 0x805ec14} #3 0x0804aa3a in do_thumbnail (transform=JXFORM_ROT_90, ed=value optimized out) at jpegtools.c:297 th = {src = {err = 0xc9a8, mem = 0x805e350, progress = 0x0, client_data = 0x0, is_decompressor = 1, global_state = 210, src = 0x8051a1c, image_width = 160, image_height =
Bug#618795: nss-pam-ldapd: FTBFS on kfreebsd-*: cfg.c:184:12: error: 'HOST_NAME_MAX' undeclared
tags 618795 + pending thanks On Fri, 2011-03-18 at 15:46 +0100, Cyril Brulebois wrote: your package no longer builds on kfreebsd-*: | gcc -DHAVE_CONFIG_H -I. -I.. -I.. -pthread -g -O2 -pedantic -Wall -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Waggregate-return -Wmissing-declarations -Wunused -Wformat=2 -Wswitch-default -Wswitch-enum -Wfloat-equal -Wbad-function-cast -Wredundant-decls -Wextra -Wdeclaration-after-statement -Werror-implicit-function-declaration -c cfg.c | cfg.c: In function 'cfg_getdomainname': | cfg.c:169:7: warning: assignment discards qualifiers from pointer target type | cfg.c: In function 'add_uris_from_dns': | cfg.c:184:12: error: 'HOST_NAME_MAX' undeclared (first use in this function) | cfg.c:184:12: note: each undeclared identifier is reported only once for each function it appears in | cfg.c:184:8: warning: unused variable 'buf' | make[3]: *** [cfg.o] Error 1 Thanks for the report. This was due to some reorganisation of code. It will be fixed in the next upload. -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#606781: viewvc: package fails to upgrade properly from lenny
On Sat, 2010-12-11 at 18:50 +0100, Lucas Nussbaum wrote: While testing the installation of all packages in squeeze, I ran into the following problem: [...] CONFIGURATION FILE `/ETC/VIEWVC/VIEWVC.CONF' == MODIFIED (BY YOU OR BY A SCRIPT) SINCE INSTALLATION. == PACKAGE DISTRIBUTOR HAS SHIPPED AN UPDATED VERSION. WHAT WOULD YOU LIKE TO DO ABOUT IT ? YOUR OPTIONS ARE: Y OR I : INSTALL THE PACKAGE MAINTAINER'S VERSION N OR O : KEEP YOUR CURRENTLY-INSTALLED VERSION D : SHOW THE DIFFERENCES BETWEEN THE VERSIONS Z : BACKGROUND THIS PROCESS TO EXAMINE THE SITUATION THE DEFAULT ACTION IS TO KEEP YOUR CURRENT VERSION. *** VIEWVC.CONF (Y/I/N/O/D/Z) [DEFAULT=N] ? DPKG: ERROR PROCESSING VIEWVC (--CONFIGURE): EOF ON STDIN AT CONFFILE PROMPT SETTING UP XML-CORE (0.13) ... ERRORS WERE ENCOUNTERED WHILE PROCESSING: VIEWVC E: Sub-process /usr/bin/dpkg returned an error code (1) [..] The full build log is available from: http://people.debian.org/~lucas/logs/2010/12/11/viewvc.log It is reproducible by installing your package in a clean chroot, using the debconf Noninteractive frontend, and priority: critical. Presumably the bug is the relevant part quoted above (during upgrade dpkg asks about the modified configuration file). This is happening because the lenny version modified /etc/viewvc/viewvc.conf in postinst. Judging by the changelog this was fixed in version 1.1.5-1 so the squeeze version should be OK. Btw, do you have any idea why part of the log is in all-caps? I ran into this a couple of times but never found a cause. -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#545414: Bug#545414: sudo-ldap: sudo fails with sudo: setreuid(ROOT_UID, user_uid): Operation not permitted for ldap users
On Fri, 2010-12-10 at 11:42 +0800, David Adam wrote: libnss-ldapd should be used to replace libnss-ldap on squeeze upgrades. I am still a touch wary of libnss-ldapd, only in that adding the daemon introduces an additional point of failure, but have been running it on our Ubuntu and squeeze systems with zero problems.

I agree that adding an extra interface opens a possibility for problems but it also allows for better separation. If the daemon is not running more things could go wrong and I welcome improvements for that (e.g. possibly starting earlier during the boot sequence and poll the LDAP server until it is available or improved availability during upgrades).

On the other hand its operation is much simpler than with nss_ldap because the daemon can hold some state as to whether the LDAP server is available or not and failure when the LDAP server is unavailable is much faster (will not hang the whole system). Also, the daemon always runs as an unprivileged user and security of the LDAP authentication credentials (bind password) is much more robust.

There are some differences between nss_ldap on one end and nss-pam-ldapd on the other. nss-pam-ldapd does not currently support nested groups and has less features in the password changing operation so it's not a drop-in replacement for all configurations (yet).

I've also been using it without problems. There are some issues when using Microsoft Active Directory (memory leak when chasing referrals and a problem in the timeout handling) but I've personally had less issues with nss-ldapd than with nss_ldap.

I don't know if it's possible (or wise) to automatically upgrade from libnss-ldap to libnss-ldapd on a lenny-squeeze upgrade but for people who switch it should already be quite smooth (configuration is migrated automatically in most cases).

If no-one thinks it is a bad idea I can change the earlier text to be a recommendation to switch to nss-pam-ldapd instead of a proposed workaround.
-- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#585968: nslcd: init.d script should start after $named at boot
On Fri, 2010-07-02 at 09:13 +0200, Petter Reinholdtsen wrote:
> Hi. When do you plan to upload a fix for this issue into unstable? It
> affects Debian Edu, and it would be nice to have a fix in place soon.

I will probably make another release this weekend. This will include the fix for #585968. I'm in the process of seeing whether to include the changes from #586532.

-- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#585968: nslcd: init.d script should start after $named at boot
tags 585968 + pending
thanks

On Tue, 2010-06-15 at 11:09 +0200, Petter Reinholdtsen wrote: When the DNS server is on the local machine and the nslcd.conf file uses DNS (name or SRV records) to find the LDAP server, nslcd currently fails to start at boot because it starts before the DNS server is operational. Because of this, I believe the nslcd init.d script should be changed to have an optional dependency on the $named virtual boot facility, to ensure that it starts after local DNS servers are started.

The only problem with this dependency is that nslcd can provide $named in some environments (when hostnames are resolved through LDAP, see #544093). I don't know if such a circular dependency is problematic.

Here is a patch to implement this change.

Thanks. I've applied your patch and it will be in the next upload.

-- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#552431: Status of this libnss/libnss-ldap/sshd: no login possible after some time bug report
On Thu, 2010-05-27 at 19:20 +0200, Christian PERRIER wrote: First of all, let me add a disclaimer: I am *not* the maintainer of libnss-ldap nor do I have much clue about LDAP auth and even that package. Let me then also add my comments (I'm also not the maintainer of libnss-ldap but I'm the one for libnss-ldapd). I think you should give libnss-ldapd a try, especially if you are using SSL/TLS or Kerberos. That package does LDAP queries in a separate process space and has a much more maintainable code base. It is also available in lenny and should be very stable. Anyway, going over the bugreport (and #541188) I find this a bit odd (/etc/nsswitch.conf): passwd: files ldap [UNAVAIL=return] group: files ldap [UNAVAIL=return] I think the expressions between brackets are only really useful between different lookup methods. Another thing that could be causing it is nscd. It has been known to give problems in some cases. -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#578638: libpam-ldap: needs versioned dependency on libpam-runtime
Subject: libpam-ldap: needs versioned dependency on libpam-runtime
Package: libpam-ldap
Version: 184-8.3
Severity: serious
Justification: Policy 3.5

During an upgrade from lenny to squeeze I ran into the following:

/var/lib/dpkg/info/libpam-ldap.prerm: line 6: pam-auth-update: command not found
dpkg: error processing libpam-ldap (--purge):
 subprocess pre-removal script returned error exit status 127
/var/lib/dpkg/info/libpam-ldap.postinst: line 5: pam-auth-update: command not found
dpkg: error while cleaning up:
 subprocess post-installation script returned error exit status 127
Errors were encountered while processing:
 libpam-ldap
E: Sub-process /usr/bin/dpkg returned an error code (1)

It seems libpam-ldap was upgraded before libpam-runtime and libpam-ldap needs a versioned depends on libpam-runtime (= 1.0.1-6).

-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.30-bpo.2-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libpam-ldap depends on:
ii debconf [debconf-2.0] 1.5.30 Debian configuration management sy
ii libc6 2.10.2-6 Embedded GNU C Library: Shared lib
ii libldap-2.4-2 2.4.17-2.1 OpenLDAP libraries
ii libpam-runtime 1.0.1-5+lenny1 Runtime support for the PAM librar
ii libpam0g 1.1.1-2 Pluggable Authentication Modules l

libpam-ldap recommends no packages.

Versions of packages libpam-ldap suggests:
ii libnss-ldapd [libnss-ldap] 0.6.7.2 NSS module for using LDAP as a nam

-- -- arthur de jong - art...@west.nl - west consulting b.v. --
Bug#552433: stable update: nss-ldapd (#552433: libnss-ldapd: ignores case of uids)
On Sun, 2009-12-06 at 17:48 +0100, Arthur de Jong wrote: I have prepared a 0.6.7.2 version which can be found here: [2], [3]. The debdiff is attached (9 source files changed, 133 insertions and 151 deletions). Please go ahead. Thanks, I will upload an updated package to proposed-updates this weekend. -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong --
Bug#552433: stable update: nss-ldapd (#552433: libnss-ldapd: ignores case of uids)
I brought up bug #552433 here earlier [0] and have been in contact with the security team about this but haven't had a definite answer from them whether they want (or don't want) to issue an advisory for this.

I'm now convinced this is a security problem because it can result in wrong privileges to be assigned and in denial of service (see [1] for more information). Since I haven't heard back from the security team in a month (I've sent several pings) I guess it should go through proposed-updates.

I have prepared a 0.6.7.2 version which can be found here: [2], [3]. The debdiff is attached (9 source files changed, 133 insertions and 151 deletions).

Is it OK to upload this to proposed-updates?

[0] http://lists.debian.org/debian-release/2009/10/msg00242.html
[1] http://arthurdejong.org/nss-pam-ldapd/news.html#20091122
[2] http://arthurdejong.org/viewvc/nss-pam-ldapd/nss-ldapd-0.6.7.2/
[3] http://arthurdejong.org/svn/nss-pam-ldapd/nss-ldapd-0.6.7.2/

-- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- diff -Nru nss-ldapd-0.6.7.1/debian/changelog nss-ldapd-0.6.7.2/debian/changelog --- nss-ldapd-0.6.7.1/debian/changelog 2009-03-21 10:48:50.0 +0100 +++ nss-ldapd-0.6.7.2/debian/changelog 2009-11-07 12:04:10.0 +0100 
@@ -1,6 +1,14 @@ -nss-ldapd (0.6.7.1) stable-security; urgency=high +nss-ldapd (0.6.7.2) stable-security; urgency=low * security upload + * perform case-sensitive filtering for group, netgroup, passwd, protocols, +rpc, services and shadow lookups (closes: #552433) + + -- Arthur de Jong adej...@debian.org Thu, 07 Nov 2009 12:00:00 +0100 + +nss-ldapd (0.6.7.1) stable-security; urgency=high + + * security upload (CVE-2009-1073) * fix the permissions of /etc/nss-ldapd.conf to not be world readable (file can be used to store LDAP password) (closes: #520476) diff -Nru nss-ldapd-0.6.7.1/nslcd/alias.c nss-ldapd-0.6.7.2/nslcd/alias.c --- nss-ldapd-0.6.7.1/nslcd/alias.c 2009-03-21 09:40:45.0 +0100 +++ nss-ldapd-0.6.7.2/nslcd/alias.c 2009-11-05 21:34:55.0 +0100 
@@ -92,34 +92,27 @@ static int write_alias(TFILE *fp,MYLDAP_ENTRY *entry,const char *reqalias) { int32_t tmpint32,tmp2int32,tmp3int32; - const char *tmparr[2]; const char **names,**members; int i; /* get the name of the alias */ - if (reqalias!=NULL) + names=myldap_get_values(entry,attmap_alias_cn); + if ((names==NULL)||(names[0]==NULL)) { -names=tmparr; -names[0]=reqalias; -names[1]=NULL; - } - else - { -names=myldap_get_values(entry,attmap_alias_cn); -if ((names==NULL)||(names[0]==NULL)) -{ - log_log(LOG_WARNING,alias entry %s does not contain %s value, - myldap_get_dn(entry),attmap_alias_cn); - return 0; -} +log_log(LOG_WARNING,alias entry %s does not contain %s value, +myldap_get_dn(entry),attmap_alias_cn); +return 0; } /* get the members of the alias */ members=myldap_get_values(entry,attmap_alias_rfc822MailMember); /* for each name, write an entry */ for (i=0;names[i]!=NULL;i++) { -WRITE_INT32(fp,NSLCD_RESULT_SUCCESS); -WRITE_STRING(fp,names[i]); -WRITE_STRINGLIST(fp,members); +if ((reqalias==NULL)||(strcasecmp(reqalias,names[i])==0)) +{ + WRITE_INT32(fp,NSLCD_RESULT_SUCCESS); + WRITE_STRING(fp,names[i]); + WRITE_STRINGLIST(fp,members); +} } return 0; } diff -Nru nss-ldapd-0.6.7.1/nslcd/ether.c nss-ldapd-0.6.7.2/nslcd/ether.c --- nss-ldapd-0.6.7.1/nslcd/ether.c 2009-03-21 09:40:45.0 +0100 +++ nss-ldapd-0.6.7.2/nslcd/ether.c 2009-11-05 21:34:55.0 +0100 
@@ -122,21 +122,12 @@ const char **names,**ethers; int i,j; /* get the name of the ether entry */ - if (reqname!=NULL) + names=myldap_get_values(entry,attmap_ether_cn); + if ((names==NULL)||(names[0]==NULL)) { -names=tmparr; -names[0]=reqname; -names[1]=NULL; - } - else - { -names=myldap_get_values(entry,attmap_ether_cn); -if ((names==NULL)||(names[0]==NULL)) -{ - log_log(LOG_WARNING,ether entry %s does not contain %s value, - myldap_get_dn(entry),attmap_ether_cn); - return 0; -} +log_log(LOG_WARNING,ether entry %s does not contain %s value, +myldap_get_dn(entry),attmap_ether_cn); +return 0; } /* get the addresses */ if (reqether!=NULL) @@ -158,12 +149,13 @@ } /* write entries for all names and addresses */ for (i=0;names[i]!=NULL;i++) -for (j=0;ethers[j]!=NULL;j++) -{ - WRITE_INT32(fp,NSLCD_RESULT_SUCCESS); - WRITE_STRING(fp,names[i]); - WRITE_ETHER(fp,ethers[j]); -} +if ((reqname==NULL)||(strcasecmp(reqname,names[i])==0)) + for (j=0;ethers[j]!=NULL;j++) + { +WRITE_INT32(fp,NSLCD_RESULT_SUCCESS); +WRITE_STRING(fp,names[i]); +WRITE_ETHER(fp,ethers[j]); + } return 0; } diff -Nru nss-ldapd-0.6.7.1/nslcd/group.c nss-ldapd-0.6.7.2
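Review bot: In the debian/changelog hunk the new 0.6.7.2 trailer reads "Thu, 07 Nov 2009", but 7 November 2009 was a Saturday, so the day name and the date disagree and the trailer should be regenerated rather than hand-edited. The entry also still targets stable-security with urgency=low and a "security upload" bullet, while the accompanying mail asks to go through proposed-updates; the distribution field and that bullet should match the queue the upload is really meant for.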
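Review bot: In the alias.c hunk the new filter in write_alias() uses strcasecmp(reqalias,names[i]), while the changelog describes case-sensitive filtering and does not list aliases (or ethers) among the affected maps. If aliases are meant to stay case-insensitive, say so in a comment next to the comparison and mention the alias and ether behaviour change in the changelog. The function now also returns the cn values stored in LDAP instead of the caller's spelling, and writes nothing before "return 0" when no cn matches, so it is worth confirming that the caller handles an entry that produces no output.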
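Review bot: In the second ether.c hunk (@@ -158,12 +149,13 @@) the outer for now controls an unbraced if, which in turn controls an unbraced inner for, so the nesting is carried by indentation alone. Please add braces around the bodies of the outer for and the if so that a later edit cannot silently move the WRITE_* block out of the reqname check.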
Bug#552433: Fwd: Bug#552433: libnss-ldapd: ignores case of uids
On Thu, 2009-11-05 at 21:07 +0100, Arthur de Jong wrote: I will contact the security team and prepare an update. I am awaiting a response from the security team whether to do this via a security update or via proposed-updates. An updated 0.6.7.2 package is being prepared here: http://arthurdejong.org/viewvc/nss-pam-ldapd/nss-ldapd-0.6.7.2/ (svn co http://arthurdejong.org/svn/nss-pam-ldapd/nss-ldapd-0.6.7.2/) Some more details on this issue can be found here: http://arthurdejong.org/nss-pam-ldapd/news.html#20091122 -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#552433: Fwd: Bug#552433: libnss-ldapd: ignores case of uids
On Thu, 2009-11-05 at 17:32 +0100, Petter Reinholdtsen wrote: I really hope you find time to fix this in Lenny, as it affects Debian Edu. The issue is also a security issue, where users can by-pass netgroup based limitations by changing the case of the username they use when logging in. See URL: http://bugs.skolelinux.org/show_bug.cgi?id=1383 for more information about that facet of this problem. Thanks for pointing this out and providing the link. I will contact the security team and prepare an update. It is strange though that the group membership is lost because I would think those lookups would also be case-insensitive. I noticed the case-insensitive problem before (that's why it's fixed in 0.6.11) but not the group-membership problem. -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#552433: libnss-ldapd: ignores case of uids
On Mon, 2009-10-26 at 11:28 +0300, Alexandra N. Kossovsky wrote:
> I've got a problem with libnss-ldapd package. In my environment, any
> (non-root) local user can break normal work of any other user. The
> problem is, nss-ldapd makes strange things with case of uids. For
> example:
>
> bash$ id
> uid=NNN(sasha) gid=ZZZ(zzz) groups=...
> bash$ id SasHa
> uid=NNN(SasHa) gid=ZZZ(zzz) groups=...
> bash$ id
> uid=NNN(SasHa) gid=ZZZ(zzz) groups=...
> bash$ id sasha
> uid=NNN(SasHa) gid=ZZZ(zzz) groups=...
> bash$ id
> uid=NNN(SasHa) gid=ZZZ(zzz) groups=...
>
> So, nss now thinks that I'm SasHa, not sasha. As a result, when I run
> ssh otherhost it does not work (just because pam can't authorise
> SasHa, it knows only sasha). In the same way, all other Kerberos
> services stop working for me.

The problem is actually more in nscd in that it does not handle cases elegantly where username -> uid lookups result in the same uid for different usernames (it caches information from the forward lookup for the reverse lookup). Btw, the same issue is also in nss_ldap and in probably more naming services that are case-insensitive.

> Looking on changelog, I see this problem fixed in version 0.6.11:
> Changes: This release fixes a couple of bugs in the username to group
> mapping and a problem with too many uidNumber or uidNumber attributes
> in the LDAP server. Name lookups are now also case-sensitive for
> group, netgroup, passwd, protocols, RPC, services, and shadow maps.
>
> I've tried libnss-ldapd=0.7.1 (sources from sid, compiled on lenny)
> and it works perfectly. It will be nice to get this problem fixed in
> the next stable update.

The change can be found here: http://arthurdejong.org/viewvc/nss-pam-ldapd?view=revrevision=934 but I haven't yet checked whether it can be applied to 0.6.7 cleanly. I don't think I've seen any regressions due to that change (I'll have to check more thoroughly though).

I will ask the stable release team their opinion on whether this qualifies for an update in a point release. Thanks for using nss-ldapd.
-- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
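The cache behaviour described in the message above, as an added example that is not part of the thread and is not nss-pam-ldapd or nscd code. The directory contents, the toy cache and every function name are hypothetical; the "echo" backend is an assumption modelled on the `id SasHa` output in the report.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample directory. LDAP matches the uid attribute
   case-insensitively, so a search for "SasHa" finds the entry "sasha". */
struct ldap_entry { const char *uid; unsigned uidnumber; };
static const struct ldap_entry directory[] = { { "sasha", 1001 }, { "arthur", 1002 } };

static const struct ldap_entry *ldap_search_uid(const char *req)
{
  size_t i;
  for (i = 0; i < sizeof(directory) / sizeof(directory[0]); i++)
    if (strcasecmp(directory[i].uid, req) == 0)
      return &directory[i];
  return NULL;
}

struct pw_result { char name[32]; unsigned uid; };
typedef int (*lookup_fn)(const char *req, struct pw_result *res);

/* Reported behaviour (assumed model): the answer carries the spelling the
   caller asked for, whatever the directory stores. */
static int lookup_echo_request(const char *req, struct pw_result *res)
{
  const struct ldap_entry *e = ldap_search_uid(req);
  if (e == NULL)
    return 0;
  snprintf(res->name, sizeof(res->name), "%s", req);
  res->uid = e->uidnumber;
  return 1;
}

/* Case-sensitive filtering: answer only when the stored value matches the
   request exactly, and return the stored value. */
static int lookup_case_sensitive(const char *req, struct pw_result *res)
{
  const struct ldap_entry *e = ldap_search_uid(req);
  if (e == NULL || strcmp(e->uid, req) != 0)
    return 0;
  snprintf(res->name, sizeof(res->name), "%s", e->uid);
  res->uid = e->uidnumber;
  return 1;
}

/* Toy stand-in for a name service cache: every successful name lookup
   also overwrites the uid -> name record used for reverse lookups. */
#define CACHE_SLOTS 8
struct cache { struct pw_result by_uid[CACHE_SLOTS]; size_t used; };

static int cached_getpwnam(struct cache *c, lookup_fn backend,
                           const char *name, struct pw_result *res)
{
  size_t i;
  if (!backend(name, res))
    return 0;
  for (i = 0; i < c->used; i++)
    if (c->by_uid[i].uid == res->uid)
      break;
  if (i == c->used)
  {
    if (c->used == CACHE_SLOTS)
      return 1; /* cache full: answer without caching */
    c->used++;
  }
  c->by_uid[i] = *res;
  return 1;
}

static const char *cached_getpwuid(const struct cache *c, unsigned uid)
{
  size_t i;
  for (i = 0; i < c->used; i++)
    if (c->by_uid[i].uid == uid)
      return c->by_uid[i].name;
  return NULL;
}

/* The sequence from the report: "sasha" is looked up, then someone runs
   `id SasHa`; returns the name a later uid -> name lookup yields. */
static const char *name_after_mixed_case_lookup(struct cache *c, lookup_fn backend)
{
  struct pw_result r;
  c->used = 0;
  cached_getpwnam(c, backend, "sasha", &r);
  cached_getpwnam(c, backend, "SasHa", &r);
  return cached_getpwuid(c, 1001);
}

int main(void)
{
  struct cache c;
  printf("echo: %s\n", name_after_mixed_case_lookup(&c, lookup_echo_request));
  printf("strict: %s\n", name_after_mixed_case_lookup(&c, lookup_case_sensitive));
  return 0;
}
```

With the case-sensitive backend the mixed-case lookup fails before it reaches the cache, so the reverse mapping for the uid keeps the name that authentication and group lookups expect.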
Bug#552433: Fwd: Bug#552433: libnss-ldapd: ignores case of uids
Dear stable release team,

A user reported a bug (#552433) against libnss-ldapd which causes some problems and asked if a fix can be made available in a stable update. I can probably backport the fix to version 0.6.7.1 but I wanted to know if such a fix will be considered a candidate for proposed-updates before putting in the effort.

I'm not 100% sure I completely agree with the severity but in a multi-user system one user can pollute the nscd cache which causes problems for another user which is not good. A little more info is in the bugreport.

Btw, the commit that implements this functionality can be found here: http://arthurdejong.org/viewvc/nss-pam-ldapd?view=revrevision=934 I haven't tested yet if it applies correctly to 0.6.7.1 but it is not very small (9 files changed, 133 insertions, 151 deletions, excluding documentation and tests).

Thanks.

-- -- arthur - adej...@debian.org - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#448470: pidofproc falls back to pidof
I've tested the above patch and it seems to solve the problem. It took me a couple of times reading through /lib/lsb/init-functions to understand why though (use of $specified is confusing).

Also this problem doesn't seem to show in all circumstances. It shows up on systems with an /etc/network/interfaces like:

auto lo eth0
iface lo inet loopback
iface eth0 inet dhcp

but not with:

auto lo
iface lo inet loopback
allow-hotplug eth0
iface eth0 inet dhcp

(the second was on a machine that was more recently installed)

-- -- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong --
Bug#448470: bugs are the same
Bugs #506429 and #448470 are the same. Also, a workaround (if you can't downgrade to 6.0-7) is to add ASYNCMOUNTNFS=no to /etc/default/rcS (at least until this is fixed). -- -- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#504142: Willing to upload
Just for the bug report, this is the patch I'd use for the NMU. I'd like to upload today, along with the fix for #502760. I'll do it this evening. I have the same fix pending: http://arthurenhella.demon.nl/viewcvs/nss-ldapd/nss-ldapd/debian/libnss-ldapd.postinst?rev=789r1=747r2=789 (I have some other small updates that I want to include) If you want to make the upload yourself, please ping me on irc (codehelp) - find me on #debian-uk, #emdebian or #debian-dpkg I'm sorry I don't use irc. -- -- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong --
Bug#500778: libnss-ldapd: groups resolve to nogroup after boot
retitle 500778 nss-ldapd: problem resolving groups and users with nfs4 severity 500778 important tags 500778 + help thanks On Mon, 2008-10-06 at 11:42 +0200, Patrick Schoenfeld wrote: 2008/10/3 Arthur de Jong [EMAIL PROTECTED]: Patrick, does adding Cache-Expiration = 10 to /etc/idmapd.conf in the [General] section help at all in your setup? (the correct values should be loaded sooner) very good. This betters the situation a lot. Its a good workaround. Now if you'd find the reason why the behaviour differs from libnss-ldap and could enhance libnss-ldapd in this way, this would be great :-)) I am lowering the severity of this bug for now because the problem is limited to using nss-ldapd in combination to nfs4 and there is a workaround (adding Cache-Expiration = 10 to /etc/idmapd.conf). I will try to investigate this some more but help is appreciated with this. -- -- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#500778: libnss-ldapd: groups resolve to nogroup after boot
(Cc-ing the nfs-utils maintainers, perhaps they have some insight that could solve this)

On Sat, 2008-10-04 at 09:52 +0200, Patrick Schoenfeld wrote:
> > My guess is that name lookups are cached in idmapd. Can you check that by restarting idmapd (/etc/init.d/nfs-common restart) the problem goes away?
>
> Nope, it does not.

I have been able to reproduce this. On the server I have in /etc/exports (/export/newhome is a bind-mounted /home with half a dozen users):

    /export 192.168.1.0/24(ro,sync,insecure,root_squash,no_subtree_check,fsid=0)
    /export/newhome 192.168.1.0/24(rw,nohide,sync,insecure,root_squash,no_subtree_check)

On the client I have in /etc/fstab:

    fs:/newhome /mnt nfs4 rw 0 0

Now if I stop nslcd (all name lookup calls should now return NSS_STATUS_UNAVAIL/ENOENT) an 'ls -l /mnt' shows:

    [...]
    drwx-x 148 nobody users 12288 Oct 3 21:02 arthur
    [...]

(the user arthur from the server is mapped to the user nobody on the client because the namelookup failed). With some more verbose logging rpc.idmapd shows:

    [...]
    rpc.idmapd: nfs4_name_to_uid: calling nsswitch-name_to_uid
    rpc.idmapd: nss_getpwnam: name '[EMAIL PROTECTED]' domain 'localdomain': resulting localname 'arthur'
    rpc.idmapd: nss_getpwnam: name 'arthur' not found in domain 'localdomain'
    rpc.idmapd: nfs4_name_to_uid: nsswitch-name_to_uid returned -2
    rpc.idmapd: nfs4_name_to_uid: final return value is -2
    rpc.idmapd: Client 16: (user) name [EMAIL PROTECTED] - id 65534
    [...]

If I repeat the ls command a couple of times rpc.idmapd no longer logs the failed lookups and a strace of rpc.idmapd also shows that that process is no longer asked (by the kernel?) to look up the user.

If I then start nslcd (now name lookups should be performed as usual and getent shows that they do) the results aren't quickly fixed. After a while (I've been messing about with stuff in /proc so I don't know how long this normally takes) the kernel asks rpc.idmapd again to look up user arthur (and the other users in the filesystem).

Also note that the bugreporter had problems with groups and I've reproduced the behaviour with users.

    [...]
    drwx-x 148 arthur users 12288 Oct 3 21:02 /mnt/arthur
    [...]

Now the question is, how should this caching mechanism be tuned and how should we solve this problem. Is there a reliable way to flush the cache?

There seems to be /proc/net/rpc/nfs4.nametoid which contains some stuff that could be relevant and /proc/sys/fs/nfs/idmap_cache_timeout. However setting /proc/sys/fs/nfs/idmap_cache_timeout or Cache-Expiration does not result in the expected timeout in seconds (read from the idmapd.c). Setting it to 10 results in a retry every 30 to 60 seconds, setting it to 100 seems to result in a retry in 60-120 seconds.

Also, writing to /proc/net/rpc/nfs4.idtoname/flush and /proc/net/rpc/nfs4.nametoid/flush (like is done in flush_nfsd_idmap_cache()) doesn't seem to make a difference. I haven't had a look at the kernel code yet (this is running kernel Linux 2.6.26-1-686 (SMP w/2 CPU cores)).

Patrick, does adding Cache-Expiration = 10 to /etc/idmapd.conf in the [General] section help at all in your setup? (the correct values should be loaded sooner)

-- -- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#500778: libnss-ldapd: groups resolve to nogroup after boot
On Thu, 2008-10-02 at 10:28 +0200, Patrick Schoenfeld wrote: attached is a log, while the problem exists. [EMAIL PROTECTED] ~ % ls -l test -rw-rw-r-- 1 schoenfeld nogroup 0 12. Sep 09:49 test Interesting enough: The symptom is similar to the system behaviour, if nslcd is _not_ running. Then all files resolve to nobody:nogroup. If using nfs4 (I've been doing some reading up but still no first-hand experience) is that if the user doesn't exist it is generally mapped to nobody:nogroup. The mapping is done by idmapd but at some point in combination with something in the kernel. From what I understand from scanning the idmapd code is that there is a default cache expiry time (in the kernel) of 500 seconds (10 minutes). Current value should be available in /proc/sys/fs/nfs/idmap_cache_timeout. My guess is that name lookups are cached in idmapd. Can you check that by restarting idmapd (/etc/init.d/nfs-common restart) the problem goes away? On my system, idmapd is started way before nslcd and it probably isn't a good idea to start it before idmapd. There seems to be an undocumented Cache-Expiration option in the General section of /etc/idmapd.conf that could help to bring down the cache timeout value. Can you check the idmapd logs anything out of the ordinary? Perhaps you can increase the verbosity in /etc/idmapd.conf. Thanks. Perhaps I should set up a test environment myself with NFS4. Do you have some pointers for that (I use NFS3 myself). -- -- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#500778: libnss-ldapd: groups resolve to nogroup after boot
On Wed, 2008-10-01 at 13:11 +0200, Patrick Schoenfeld wrote: Our setup is a mixed Windows/Linux environment with a LDAP server, for central authentication. Linux clients use libnss-ldapd for resolution of usernames and groups. Could you provide some more details? Is the LDAP server on the system that also runs nss-ldapd, what options do you use, which LDAP server software etc? Your configuration file should also help. After reboot of the Linux clients they are unable to resolve groups and sometimes are also unable to resolve users. The result is that files are owned by [nobody]:nogroup, while getent passwd and getent group show the right result. I don't understand this. If you perform getent passwd and getent group you get the expected result but if you do ls -l the files are reported as nobody:nogroup? If ls can't resolve numeric user and group ids it should print the numeric form, not make up something. Can you produce logs of nslcd? It should report whether the LDAP server was reachable or not. If you can run nslcd with the -d option it should report more information that will help in tracking this down. In consequence people are unable to properly login (because desktop environment need read permissions on their setting ;) and user permissions are broken. Note that for logging in you also need pam_ldap which has its own configuration. If the problem is in that you should probably also provide information about that. After 10-30 minutes of running the problem disappears. This makes me think that some timeout occurs, but I can't tell which. I thought its probably somehow related to the udev resolution issues that are handled different in libnss-ldapd from libnss-ldap which produces a significant delay when booting because groups can't be resolved while ldap is accessible, which is handled gracefully by libnss-ldapd. Maybe you gather invalid results while booting, because LDAP is not accessible. 
But I don't see why nslcd should cache these results so I think my idea is absurd. nslcd only caches the relationship between DNs and uids for group membership lookups (when the uniqueMember attribute is used). This timeout is hardcoded at 15 minutes. Other than that I can't think of a timeout as long unless you set it that high in the config. The way nss-ldapd solves the udev problem is by not doing LDAP lookups that early during boot at all and fail quickly. Only when nslcd is started are lookups attempted. In any case I can't think of a case where getent passwd should work and ls would fail. One known issue (#475626) is related to the order at which nslcd is started during boot. If the LDAP server is unavailable when nslcd is started a timeout could occur and the LDAP server will not be found immediately when it is available. I've chosen severity serious for this issue because at the one hand the problem would fit severity 'Critical', because it makes unrelated software on the system (or the whole system) break, but then again I felt uncomfortable with it, because the problem does not persist over the uptime of the system and after 10-30 minutes the problem disappears. I am inclined to lower it to important because it seems to work in a lot of common environments. But I think it should definitely be fixed for lenny. I hope to fix this soon. Thanks for your bugreport. -- -- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#462967: SSL problems solved for me
I also saw this problem today but after upgrading to 1.12.3-1 of evolution-data-server and evolution-data-server-common (from 1.12.2-1+b1 and 1.12.2-1 respectively) everything was working as expected again -- -- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#451893: xserver-xorg-video-intel: shows no fonts
On Mon, 2007-11-19 at 20:33 +0100, Brice Goglin wrote: Does it help if you add Option AccelMethod XAA in the above section? EXA is enabled by default in 2.2.0. But there is at least one known problem with fonts and EXA. I can confirm that fixes the problem for me (82Q963/Q965). -- -- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#440661: Done in 0.80.0-13
On Tue, 2007-10-16 at 19:17 +0200, Sven Mueller wrote: Package: lirc-modules-source Version: 0.80.0-13 This should probably be 0.8.0-13. Anyway, I have 0.8.0-13 installed and the tarball /usr/src/lirc-modules.tar.gz contains the following kernel specific directories under modules/lirc/drivers/lirc_gpio: extra_2.6.16 extra_2.6.17 extra_2.6.18 The relevant part of the build log (m-a a-i lirc) is: mkdir -p /usr/src/modules/lirc/drivers/lirc_gpio/.tmp_versions rm -f /usr/src/modules/lirc/drivers/lirc_gpio/.tmp_versions/* /usr/bin/make -f scripts/Makefile.build obj=/usr/src/modules/lirc/drivers/lirc_gpio gcc-4.1 -m32 -Wp,-MD,/usr/src/modules/lirc/drivers/lirc_gpio/.lirc_gpio.o.d -nostdinc -isystem /usr/lib/gcc/i486-linux-gnu/4.1.3/include -D__KERNEL__ -Iinclude -include include/linux/autoconf.h -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs -fno-strict-aliasing -fno-common -Os -pipe -msoft-float -mregparm=3 -freg-struct-return -mpreferred-stack-boundary=2 -march=i686 -ffreestanding -maccumulate-outgoing-args -DCONFIG_AS_CFI=1 -DCONFIG_AS_CFI_SIGNAL_FRAME=1 -Iinclude/asm-i386/mach-default -fomit-frame-pointer -fno-stack-protector -Wdeclaration-after-statement -Wno-pointer-sign -DIRCTL_DEV_MAJOR=61 -DEXPORT_SYMTAB -DHAVE_CONFIG_H -I. -I. -I../.. -I/usr/src/modules/lirc/drivers/lirc_gpio/../.. 
-I/lib/modules/2.6.22-2-686/build/include/ -DMODULE -DKBUILD_STR(s)=#s -DKBUILD_BASENAME=KBUILD_STR(lirc_gpio) -DKBUILD_MODNAME=KBUILD_STR(lirc_gpio) -c -o /usr/src/modules/lirc/drivers/lirc_gpio/.tmp_lirc_gpio.o /usr/src/modules/lirc/drivers/lirc_gpio/lirc_gpio.c /usr/src/modules/lirc/drivers/lirc_gpio/lirc_gpio.c:65:47: error: ../drivers/media/video/bt8xx/bttv.h: No such file or directory /usr/src/modules/lirc/drivers/lirc_gpio/lirc_gpio.c:66:48: error: ../drivers/media/video/bt8xx/bttvp.h: No such file or directory /usr/src/modules/lirc/drivers/lirc_gpio/lirc_gpio.c:70:5: warning: BTTV_VERSION_CODE is not defined /usr/src/modules/lirc/drivers/lirc_gpio/lirc_gpio.c:71:2: error: #error *** /usr/src/modules/lirc/drivers/lirc_gpio/lirc_gpio.c:72:2: error: #error Sorry, this driver needs bttv version 0.7.45 or /usr/src/modules/lirc/drivers/lirc_gpio/lirc_gpio.c:73:2: error: #error higher. If you are using the bttv package, copy it to /usr/src/modules/lirc/drivers/lirc_gpio/lirc_gpio.c:74:2: error: #error the kernel /usr/src/modules/lirc/drivers/lirc_gpio/lirc_gpio.c:75:2: error: #error *** /usr/src/modules/lirc/drivers/lirc_gpio/lirc_gpio.c:85: error: 'BTTV_BOARD_UNKNOWN' undeclared here (not in a function) /usr/src/modules/lirc/drivers/lirc_gpio/lirc_gpio.c:112: error: 'BTTV_BOARD_PXELVWPLTVPAK' undeclared here (not in a function) The /usr/src/modules/lirc/drivers/media directory does not exist and also is not in the tarball, the /usr/src/linux-headers-2.6.22-2/drivers/media/video/bt8xx/ directory does exist but does not include the needed headers. I haven't yet tried the experimental version. Is there a particular reason it's in experimental? This duplicate of #440494 and 436166 has been resolved in Version 0.80.0-13 of lirc-modules-source #440494 is a bug report about compiz. 
#436166 does look like it's relevant but the bug report does not include any indication that it is really solved (with an upload or otherwise) I have tried to use the linux-source-2.6.22 package and create symlinks into the linux-headers directory but have not been able to get a working module that can be loaded into the kernel (but I'm no expert at this so I may have done something incredibly stupid). Does anybody have clear instructions on getting lirc working with 2.6.22-2? -- -- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#435414: using conflicts
On Tue, 2007-07-31 at 22:40 +0200, Andreas Barth wrote: * Arthur de Jong ([EMAIL PROTECTED]) [070731 22:37]: Would not using: Conflicts: nfs-common ( 1:1.1.0-13) be a nicer solution? That way, dpkg and apt would know what to do. Because that would remove nfs-common. Thanks. Shouldn't that only happen on dist-upgrade (users would notice)? And since a newer nfs-common would be available wouldn't that be installed instead of removed (maybe I should try it out sometime)? Also with this mechanism wouldn't the transition to testing cause potential problems (e.g. mount goes in before nfs-common)? (just curious) -- -- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#435414: using conflicts
Would not using: Conflicts: nfs-common ( 1:1.1.0-13) be a nicer solution? That way, dpkg and apt would know what to do. -- -- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#399070: sarge version probably also vulnerable
On Tue, 2006-11-21 at 16:56 +0100, Francesco P. Lovergine wrote: On Tue, Nov 21, 2006 at 10:06:03AM +0100, Arthur de Jong wrote: From a quick glance at the source code the version in sarge (1.2.10-15sarge1.0.1) also appears to be vulnerable. It contains the same code snippet that was modified from 1.292 to 1.294. http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?r1=1.292r2=1.294 A new security-stable version is already on-air since yesterday. Thanks for the quick response. -- -- arthur de jong - [EMAIL PROTECTED] - west consulting b.v. --
Bug#391352: still upgrade problem with missing ntp user
reopen 391352 thanks After a recent upgrade the ntp system user seems to be gone. Tracing my steps, this is probably caused by purging the ntp-simple package after the new ntp package is installed (from a glance at the postinst and postrm). Also it seems that /var/lib/ntp and /var/log/ntpstats are also gone. The system user and these directories were probably owned by an old ntp-* package and moving them to the plain ntp package causes these problems. -- -- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#375077: libnss_ldap problems during boot
I was also bitten by this. At work we were hit earlier because we fetch hosts from ldap (see #359713). We have modified /etc/init.d/udev to edit /etc/nsswitch.conf on the fly (this is obviously a dirty hack). Maybe it's a good idea to only enable libnss_ldap in the boot process after networking is available and/or slapd has been started? -- -- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#318261: nedit: looks like it is related to the composite feature
Subject: nedit: looks like it is related to the composite feature Followup-For: Bug #318261 Package: nedit Version: 1:5.5-1 After having some stability problems with the composite feature nedit suddenly started working when commenting out Option Composite Enable from the extensions section of /etc/X11/xorg.conf. So this bug has a workaround. -- System Information: Debian Release: testing/unstable APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.12.3-spiritus Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1) Versions of packages nedit depends on: ii lesstif2 1:0.93.94-11.4 OSF/Motif 2.1 implementation relea ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an ii libice6 6.8.2.dfsg.1-4 Inter-Client Exchange library ii libsm6 6.8.2.dfsg.1-4 X Window System Session Management ii libx11-6 6.8.2.dfsg.1-4 X Window System protocol client li ii libxext6 6.8.2.dfsg.1-4 X Window System miscellaneous exte ii libxp6 6.8.2.dfsg.1-4 X Window System printing extension ii libxt6 6.8.2.dfsg.1-4 X Toolkit Intrinsics ii xlibs 6.8.2.dfsg.1-4 X Window System client libraries m -- -- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#318796: /usr/bin/gq: exits with segmentation fault when adding or editing server
Subject: /usr/bin/gq: exits with segmentation fault when adding or editing server Package: gq Version: 1.0beta1-3 Severity: grave Justification: renders package unusable File: /usr/bin/gq When I started gq with a configuration file from 2005-03-21 gq exited immediately with a segmentation fault. I moved the ~/.gq config file aside and started gq. Everything appeared to work until I tried to add a server via File - Preferences - Servers - New. As soon as I click the New button gq exits with a segmentation fault. -- System Information: Debian Release: testing/unstable APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.11.6-spiritus Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1) Versions of packages gq depends on: ii libatk1.0-0 1.10.1-2 The ATK accessibility toolkit ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an ii libglib2.0-0 2.6.5-1 The GLib library of C routines ii libgtk2.0-0 2.6.8-1 The GTK+ graphical user interface ii libldap2 2.1.30-11 OpenLDAP libraries ii libpango1.0-0 1.8.1-1 Layout and rendering of internatio ii libssl0.9.7 0.9.7g-1 SSL shared libraries ii libxml2 2.6.20-1 GNOME XML library ii zlib1g 1:1.2.2-9 compression library - runtime -- -- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part