Bug#594369: Fix for Bug#594369 committed to version control
tags 594369 +pending
thanks

Hi,

The following change has been committed for this bug, and so the fix will be in the next upload.

===
Changeset [429] by camrdale, 2010-08-27 06:14:14 + (Fri, 27 Aug 2010)

Update for ABI change in apt 0.8.0 (Closes: #594369, #452001) (LP: #163891)

U apt-transport-debtorrent/trunk/connect.cc
U apt-transport-debtorrent/trunk/debian/changelog
U apt-transport-debtorrent/trunk/debian/control
A apt-transport-debtorrent/trunk/debian/source/
A apt-transport-debtorrent/trunk/debian/source/format
U apt-transport-debtorrent/trunk/debtorrent.cc

http://svn.debian.org/wsvn/debtorrent?op=compcompare%5b%5d=...@428compare%5b%5d=...@429

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#594369: apt-transport-debtorrent: FTBFS with apt 0.8.0
I should be able to fix this tomorrow. If you need it sooner than that, please let me know.

Thanks,
Cameron
Bug#574198: Fix for Bug#574198 committed to version control
tags 574198 +pending
thanks

Hi,

The following change has been committed for this bug, and so the fix will be in the next upload.

===
Changeset [417] by camrdale, 2010-03-20 19:24:29 + (Sat, 20 Mar 2010)

Fix piuparts uninstallation failure (Closes: #574198)

U debtorrent/trunk/debian/changelog

http://svn.debian.org/wsvn/debtorrent?op=compcompare%5b%5d=...@416compare%5b%5d=...@417
Bug#516708: Fix for Bug#516708 committed to version control
tags 516708 +pending
thanks

Hi,

The following change has been committed for this bug, and so the fix will be in the next upload.

===
Changeset [419] by camrdale, 2010-03-20 21:53:15 + (Sat, 20 Mar 2010)

Fix endless rerequesting pieces HTTP seed doesn't have (Closes: #516708)

U debtorrent/trunk/DebTorrent/BT1/HTTPDownloader.py
U debtorrent/trunk/debian/changelog

http://svn.debian.org/wsvn/debtorrent?op=compcompare%5b%5d=...@418compare%5b%5d=...@419
Bug#516708: Fix for Bug#516708 committed to version control
tags 516708 +pending
thanks

Hi,

The following change has been committed for this bug, and so the fix will be in the next upload.

===
Changeset [420] by camrdale, 2010-03-20 22:00:22 + (Sat, 20 Mar 2010)

Fix endless rerequesting pieces HTTP seed doesn't have (Closes: #516708, #451176)

U debtorrent/trunk/debian/changelog

http://svn.debian.org/wsvn/debtorrent?op=compcompare%5b%5d=...@419compare%5b%5d=...@420
Bug#516708: removal request
On Sun, Jan 24, 2010 at 4:49 PM, Kees Cook k...@debian.org wrote:
> I've filed a removal request:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566760

I don't think this warrants a removal request.
Bug#516708: Debtorrent just won't give up after receiving 404
Sorry for the previous email, I clicked Send by mistake.

On Sun, Jan 24, 2010 at 3:53 AM, Sylvain Beucler b...@beuc.net wrote:
> Any progress on that RC issue?

I have made some progress since it was made RC in October, but the bug is more complicated than I first thought. I will continue to work on the solution, though my time has been limited of late by a busy work schedule.

On Sun, Jan 24, 2010 at 4:49 PM, Kees Cook k...@debian.org wrote:
> I've filed a removal request:

I don't think this warrants a removal from testing, for the following reasons:

1. Though the original bug has been open for less than a year, the bug was not made RC (serious) until October 2009 (3 months ago), when another user noticed a side effect of the original bug that arguably makes it serious.

2. I am working on a fix for the bug, and hope to have it committed in the next week or two, and certainly before the freeze for the squeeze release.

3. The requester did not contact me (the maintainer), nor did anyone else, before requesting the removal, as mentioned here http://wiki.debian.org/ftpmaster_Removals:

   In all cases, if there is a maintainer and it's not you, mention the maintainer's opinion or, if you don't know it, mention how and when you tried to contact him. If you didn't try to contact the maintainer, do so first.

In any case, removal of apt-transport-debtorrent is not required, as it is a separate package from debtorrent, and is unaffected by this bug. apt-transport-debtorrent doesn't depend on debtorrent, and it can be used by itself on a machine to communicate with debtorrent on a different machine.

I'd like to close this removal request for the above reasons, but I'm unsure of the etiquette related to that, and so I will leave it as is in the hopes that someone will read this message before actually performing the removal.

Cameron
Bug#514780: apticron: changes to cron.d file are disregarded or cause postinst to fail
Package: apticron
Version: 1.1.27
Severity: serious
Justification: Policy 10.7.3: local changes must be preserved during a package upgrade

The postinst script generates errors when it greps through my modified /etc/cron.d/apticron file. All I did was to comment out the cron entry like below, as I prefer to run a more complicated script from /etc/cron.daily/apticron:

# cron entry for apticron
#57 22 * * * root test -x /usr/sbin/apticron /usr/sbin/apticron --cron

I don't think this is unreasonable behavior, as the postinst script should be able to handle such changes to a config file.

I added set -x to the postinst to get this debug output to diagnose the problem:

$ sudo dpkg --configure -a
Setting up apticron (1.1.27) ...
+ case $1 in
+ . /usr/share/debconf/confmodule
++ '[' '!' '' ']'
++ PERL_DL_NONLAZY=1
++ export PERL_DL_NONLAZY
++ '[' '' ']'
++ exec /usr/share/debconf/frontend /var/lib/dpkg/info/apticron.postinst configure 1.1.25
+ case $1 in
+ . /usr/share/debconf/confmodule
++ '[' '!' 1 ']'
++ '[' -z '' ']'
++ exec
++ '[' '' ']'
++ exec
++ DEBCONF_REDIR=1
++ export DEBCONF_REDIR
+ db_get apticron/notification
+ _db_cmd 'GET apticron/notification'
+ IFS=' '
+ printf '%s\n' 'GET apticron/notification'
+ IFS=' '
+ read -r _db_internal_line
+ RET=root
+ case ${_db_internal_line%%[ ]*} in
+ return 0
+ EMAIL=root
+ '[' '!' -d /etc/apticron/ ']'
++ mktemp -t apticron.conf.XX
+ tmpfile=/tmp/apticron.conf.DzuXiomPWj
+ cat
+ ucf --debconf-ok --three-way /tmp/apticron.conf.DzuXiomPWj /etc/apticron/apticron.conf
+ rm -f /tmp/apticron.conf.DzuXiomPWj
+ '[' -f /etc/cron.d/apticron ']'
++ grep -v '^[[:space:]]*\(\#\|$\)' /etc/cron.d/apticron
++ read min hour null
+ time=
dpkg: error processing apticron (--configure):
 subprocess post-installation script returned error exit status 1
Errors were encountered while processing:
 apticron

In this case, the grep statement is returning nothing, which I think causes the read to generate the error. You probably need to do some error checking in the postinst, such as to grep -q first to make sure there is some output from it.

Thanks,
Cameron

-- System Information:
Debian Release: 5.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages apticron depends on:
ii apt 0.7.20.1 Advanced front-end for dpkg
ii bsd-mailx 8.1.2-0.20071201cvs-3 A simple mail user agent
ii debconf [debconf-2 1.5.24 Debian configuration management sy
ii ucf 3.0016 Update Configuration File: preserv

Versions of packages apticron recommends:
ii apt-listchanges 2.83 package change history notificatio
ii iproute 20080725-2 networking and traffic control too

apticron suggests no packages.

-- debconf information:
apticron/notification: root
Bug#500971: transmission: losing data and wasting bandwidth
Package: transmission
Version: 1.33-2
Severity: grave
Justification: causes non-serious data loss

I just experienced this bug, which has been reported upstream, and so I decided to report it here for other Debian users to see.

See: http://trac.transmissionbt.com/ticket/1305
Also: http://forum.transmissionbt.com/viewtopic.php?f=2t=5624

According to those links, the problem has been seen in all of the 1.3x releases, including 1.34. Downgrading to 1.22 is supposed to fix the issue.

Basically, a download says it's using a lot of bandwidth, and is using that bandwidth, but the download still proceeds at a very slow rate. A lot of the downloaded data is therefore being lost somehow. In my case, I ran several torrents adding up to about 1.5 GB of data, which should have taken a couple of hours. After MANY hours, my downloads were less than 50% done, but the client had used over 7 GB of bandwidth.

Thanks,
Cameron

-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (990, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages transmission depends on:
ii transmission-cli 1.33-2 free, lightweight BitTorrent clien
ii transmission-common 1.33-2 free, lightweight BitTorrent clien
ii transmission-gtk 1.33-2 free, lightweight BitTorrent clien

transmission recommends no packages.

transmission suggests no packages.

-- no debconf information
Bug#492389: [kcheckgmail] fails to login, Gmail's login procedure has changed
Package: kcheckgmail
Version: 0.5.7.4-1
Severity: grave

I've tried on a couple of different machines now, one that uses kcheckgmail compiled from source, the other is using the Debian package, and both fail to login saying that the login procedure has changed.

Thanks,
Cameron

--- System information. ---
Architecture: amd64
Kernel: Linux 2.6.25-2-amd64

Debian Release: lenny/sid
990 unstable steveholt.hopto.org
990 unstable localhost
990 unstable debian.camrdale.org
500 testing debian.camrdale.org
500 stable debian.camrdale.org
1 experimental ftp.us.debian.org

--- Package information. ---
Depends (Version) | Installed
==-+-===
kdebase-bin (= 3.2) | 4:3.5.9.dfsg.1-4
kdelibs4c2a (= 4:3.5.8-1) | 4:3.5.9.dfsg.1-6
libc6 (= 2.7-1) | 2.7-12
libgcc1 (= 1:4.2.1) | 1:4.3.1-6
libqt3-mt (= 3:3.3.7) | 3:3.3.8b-5
libstdc++6 (= 4.2.1) | 4.3.1-6
Bug#479378: Do not work at all
tags 479378 moreinfo
thanks

On 5/4/08, Juhapekka Tolvanen [EMAIL PROTECTED] wrote:
> I try remember to include enough scripts and config files with this bugreport. A file called firewall is a shell script, that is run during boot process.

Unfortunately the most important file is the log file from /var/log/debtorrent, which you have not included. Please send that as I can't tell what the problem is otherwise.

It looks like DebTorrent can't access the Internet, but I'm not sure why that would be.

Cameron
Bug#462845: dependency on python-apt should be at least Recommends
Package: python-debian
Version: 0.1.8
Severity: serious
Justification: violates policy 7.2 regarding Recommends

In trying to use python-debian in one of my packages, I am going to have to also depend on python-apt, since python-debian only suggests it. I think this should be upgraded to a Depends, but to satisfy policy should be at least a Recommends since a lot of the functionality in python-debian depends on python-apt.

Of the 6 modules in debian_bundle, 3 of them (changelog, debian_support, and debfile) won't import without python-apt being installed. These seem to all relate to the debian_support module always importing apt_pkg, and changelog always importing debian_support, and debfile always importing changelog. I consider half the functionality being broken to justify a dependency upgrade, and thus the severity of this bug.

Alternatively, and much more work, if the use of these global imports was reduced to only where it is needed, then most of the functionality would still work. This would be more difficult to maintain though, which is why I suggest upgrading the dependency.

Thanks,
Cameron

--- System information. ---
Architecture: amd64
Kernel: Linux 2.6.22-1-vserver-amd64

Debian Release: lenny/sid
990 unstable www.debian-multimedia.org
990 unstable localhost
990 unstable ftp.debian-unofficial.org
990 unstable debian.camrdale.org
500 testing debian.camrdale.org
500 stable debian.camrdale.org

--- Package information. ---
Depends (Version) | Installed
=-+-===
python (= 2.4) | 2.4.4-6
python-support (= 0.7.1) | 0.7.6
Bug#446730: bittornado: fails to start: ImportError: No module named BitTornado
On 10/16/07, Josselin Mouette [EMAIL PROTECTED] wrote:
> First of all, bittornado failed to upgrade. I think this was either caused by a prerm failure or an unpack failure, leading in the end to have only bittornado 0.3.18-3 installed. So there's probably a bug in bittornado. It would be nice if you could tell us how

I'm not sure what the bug could be in bittornado, as I have done the same upgrade on 2 machines and the other maintainer has as well, all without problems.

One difference I noted is that Lionel also upgraded python-support at the same time, so I downgraded bittornado to do the same upgrade. Here are the results, which generated no errors at all:

2007-10-16 23:11:17 upgrade python-support 0.6.4 0.7.4
2007-10-16 23:11:17 status half-configured python-support 0.6.4
2007-10-16 23:11:17 status unpacked python-support 0.6.4
2007-10-16 23:11:17 status half-installed python-support 0.6.4
2007-10-16 23:11:18 status half-installed python-support 0.6.4
2007-10-16 23:11:18 status unpacked python-support 0.7.4
2007-10-16 23:11:18 status unpacked python-support 0.7.4
2007-10-16 23:11:18 upgrade bittornado-gui 0.3.18-3 0.3.18-4
2007-10-16 23:11:18 status half-configured bittornado-gui 0.3.18-3
2007-10-16 23:11:18 status unpacked bittornado-gui 0.3.18-3
2007-10-16 23:11:18 status half-installed bittornado-gui 0.3.18-3
2007-10-16 23:11:18 status half-installed bittornado-gui 0.3.18-3
2007-10-16 23:11:18 status unpacked bittornado-gui 0.3.18-4
2007-10-16 23:11:18 status unpacked bittornado-gui 0.3.18-4
2007-10-16 23:11:18 upgrade bittornado 0.3.18-3 0.3.18-4
2007-10-16 23:11:18 status half-configured bittornado 0.3.18-3
2007-10-16 23:11:19 status unpacked bittornado 0.3.18-3
2007-10-16 23:11:19 status half-installed bittornado 0.3.18-3
2007-10-16 23:11:19 status half-installed bittornado 0.3.18-3
2007-10-16 23:11:19 status unpacked bittornado 0.3.18-4
2007-10-16 23:11:19 status unpacked bittornado 0.3.18-4
2007-10-16 23:11:20 status unpacked python-support 0.7.4
2007-10-16 23:11:20 status half-configured python-support 0.7.4
2007-10-16 23:11:20 status installed python-support 0.7.4
2007-10-16 23:11:20 status unpacked bittornado 0.3.18-4
2007-10-16 23:11:20 status half-configured bittornado 0.3.18-4
2007-10-16 23:11:22 status installed bittornado 0.3.18-4
2007-10-16 23:11:22 status unpacked bittornado-gui 0.3.18-4
2007-10-16 23:11:22 status half-configured bittornado-gui 0.3.18-4
2007-10-16 23:11:22 status installed bittornado-gui 0.3.18-4

One interesting thing I noticed was that the bittornado 0.3.18-4 in the archive depends on python-support = 0.7.1, whereas the one I built locally only depends on python-support = 0.2. I assume that means it was built (by my sponsor) with a newer version of python-support than mine was, which I'm not sure how it would cause this problem, but I thought I'd mention it anyway.

Thanks,
Cameron
Bug#446730: bittornado: fails to start: ImportError: No module named BitTornado
There were a few reports like this a while back that were python-support related, so I'm thinking of reassigning this to the python-support package. Just to be sure, could you let me know the output of this command:

locate -e BitTornado | sed -e 's#/[^/]*$##' | sort -u

It should show some entries in /usr/share/python-support and /var/lib/python-support/python2.4. Also, was this a new install of BitTornado, or an upgrade from a previous version?

You could probably fix this problem by reinstalling BitTornado, but if you can wait then it would be better NOT to reinstall until we (or the python-support people) can figure out what's causing these problems.

Thanks,
Cameron
Bug#446730: bittornado: fails to start: ImportError: No module named BitTornado
reassign 446730 python-support
thanks

On 10/15/07, Lionel Elie Mamane [EMAIL PROTECTED] wrote:
> On Mon, Oct 15, 2007 at 12:39:37PM -0700, Cameron Dale wrote:
>> could you let me know the output of this command:
>> locate -e BitTornado | sed -e 's#/[^/]*$##' | sort -u
>
> [EMAIL PROTECTED]:~$ locate -e /BitTornado | sed -e 's#/[^/]*$##' | sort -u
> /usr/share/python-support/bittornado
> /usr/share/python-support/bittornado/BitTornado
> /usr/share/python-support/bittornado/BitTornado/BT1

This seems to confirm that it is a python-support bug, therefore I am reassigning it there.

There were 2 previous instances of an error similar to this one in BitTornado: 383799 and 386272. I can't find any other packages that report errors similar to this related to python-support, but I can't see any errors in the BitTornado packaging that would cause this, and also the error is intermittent (a reinstall will fix it). These all lead me to believe it is python-support related and so I have assigned it there.

>> It should show some entries in /usr/share/python-support and /var/lib/python-support/python2.4. Also, was this a new install of BitTornado, or an upgrade from a previous version?
>
> /var/log/aptitude.1.gz:[UPGRADE] bittornado 0.3.18-3 - 0.3.18-4

>> You could probably fix this problem by reinstalling BitTornado, but if you can wait then it would be better NOT to reinstall until we (or the python-support people) can figure out what's causing these problems.
>
> I can wait.

That's great, hopefully the python-support maintainer will be able to help you with this.

Thanks,
Cameron
Bug#416405: torrentflux: Upon login reports Database error: Query was empty
tag 416405 unreproducible
severity 416405 normal
thanks

On 4/3/07, Mike Martin [EMAIL PROTECTED] wrote:
> I had to move this machine today. Upon reboot, torrentflux came up without a hitch and is working the way I would expect. It went straight to the update settings page when I logged in as the torrentflux user. All the settings look correct. I will add a new user and watch it over the next few days to see if it is stable.

Based on this information and no one else reporting problems, I'm going to mark this as unreproducible and lower the severity. If it recurs, let me know.

Thanks,
Cameron
Bug#416405: torrentflux: Upon login reports Database error: Query was empty
Sorry for the delay Mike, I'll try and find some time to work on this more this weekend. Until then, read below ...

On 3/27/07, Mike Martin [EMAIL PROTECTED] wrote:
>> Does this message appear in the browser? Are there any other error messages in log files, perhaps in the webserver logs or mysql logs?
>
> Message appears in the browser. The webserver log shows nothing out of the ordinary. I can't figure out how to check the mysql log ... (kind of embarrassing)

It's in /var/log, or at least it is for me. I may have set that up myself though, so if there's nothing named mysql in /var/log then don't worry about it.

>> When did this message appear? It looks like it is a fresh install of torrentflux, have you ever been able to log in?
>
> It is a fresh install of etch with practically nothing else installed except torrentflux. I was originally able to log on. I successfully used it for about a day. And then nothing. That was many purge/reinstall cycles ago while I tried to correct the problem.

>> Which version of mysql server are you using? Is it on the same machine or do you connect to it over the network? Do the torrentflux database and tables look reasonable (should be 7 tables)? How many entries are there in the tf_users table?
>
> I'm using the etch mysql-server-5.0 package installed on the local machine specifically for use by torrentflux. The database seems fine. show tables produces a list of 7 tables. Select * from tf_users results in an empty set. As does a Select * from all the other tables! -- hmmm -- that's probably NOT right.

Actually, that probably is right. On first install, when the users table is empty, torrentflux gives superadmin privileges to the first user to login and adds them to the table. It seems like the database is fine, you just can't connect to it properly.

My current thinking is this:

1. The users table is empty, and torrentflux is prompting you to login (you do get a prompt, don't you? and then the error when you fill it in and submit?)
2. Torrentflux can connect to the database and see that the users table is empty
3. Seeing that it's empty, torrentflux tries to insert you into the database
4. Insertion fails, giving the error

This leads me to believe (if all I have said is true), that the database privileges were not created properly for the torrentflux user. So, he can read the database, but not write to it.

To confirm, try logging in to the mysql server as the torrentflux user (you can find the password to use in /etc/torrentflux/config-db.php) by doing 'mysql -u torrentflux -p torrentflux' and then enter the password at the prompt. Now try to read the tf_users table 'select * from tf_users;', and then try to insert into it 'insert into tf_users (user_id) VALUES ('mike');'.

If that works, you can delete it with 'delete from tf_users;', and I'll try and come up with something else.

Cameron
Bug#416405: torrentflux: Upon login reports Database error: Query was empty
On 3/27/07, Nicolas Aupetit [EMAIL PROTECTED] wrote:
> I obtain the same message after a crash of my machine, when the tf_log table is in use. After the reboot, this MySQL table is marked as used, and is obviously unavailable.
>
> I must repair this table with :
>
> [EMAIL PROTECTED] mysql
> mysql use torrentflux;
> mysql repair table tf_log;
>
> I can after that log in again to torrentflux.

Thanks for the tip Nicolas. Mike, you might also want to try something like this, although since you purged and reinstalled the database, I'm not sure this is the problem. Try 'check table' on each of the torrentflux tables, then 'repair table' on each.

Cameron
Bug#416405: torrentflux: Upon login reports Database error: Query was empty
Hi Mike,

On 3/27/07, root [EMAIL PROTECTED] wrote:
> Package: torrentflux
> Version: 2.1-4
> Severity: grave
> Justification: renders package unusable
>
> Upon login, torrentflux reports:
>
> TorrentFlux Login
> Warning: Invalid argument supplied for foreach() in /usr/share/php/adodb/adodb-lib.inc.php on line 768
> TorrentFlux Database/SQL Error
> Debug SQL is on.
> SQL: Database error: Query was empty
> Always check your database variables in the config.php file.

Does this message appear in the browser? Are there any other error messages in log files, perhaps in the webserver logs or mysql logs?

When did this message appear? It looks like it is a fresh install of torrentflux, have you ever been able to log in?

Which version of mysql server are you using? Is it on the same machine or do you connect to it over the network? Do the torrentflux database and tables look reasonable (should be 7 tables)? How many entries are there in the tf_users table?

Sorry for all the questions, I'm just trying to figure out what's going on, as the error message is somewhat ambiguous.

A quick fix to try if this is a fresh install might be to purge the package, choosing the option to purge the database as well. Then check to make sure the database was purged. Then reinstall again, creating a fresh database. As you probably guessed, I think there was a problem with how the database was created.

> It appears to be the same problem described in this forum link:
> http://forum.linkstationwiki.net/index.php?action=vthreadforum=16topic=2402page=0

I don't think this is related, as it was due to a mysql server problem on the ARM architecture (unless your server is running remotely on an ARM machine), and the error message looks different.

Thanks for the report,
Cameron
Bug#403661: torrentflux: fails to install with error code 10
severity 403661 normal
tags 403661 unreproducible
thanks

On 12/19/06, Remi Vanicat [EMAIL PROTECTED] wrote:
> 2006/12/19, Micah Anderson [EMAIL PROTECTED]:
>> I just created a sid chroot and attempted to install torrentflux, I did not encounter this problem. I tried a few different failure scenarios (mysql-client not available, mysql-server not installed, database password incorrect, database server not running) and they all worked fine.
>
> Note that failure happen before I've been asked the database password, and mysql-server and mysql-client were installed.
>
> answer to dbconfig question was :
> no for keeping admin password
> no for using non local database
>
> I've just try to do an aptitude reinstall dbconfig-common and everything worked as expected. Now, I'm trying to reproduce the bug on my computer, but it is not there anymore. I don't understand.

It may be a one-time thing, or something may have happened to dbconfig-common that is unexpected. Had you just installed it recently? Does it work for other packages?

I asked on the dbconfig-common mail list, and it seems that I have used it properly. The dbconfig-common developer did ask if you could try debconf-show dbconfig-common, and dpkg-reconfigure dbconfig-common, as the former would be informative, the latter might fix the problem (although I gather it's been fixed already).

Since it's non-reoccurring (thanks Micah!), I have downgraded it accordingly.

Cameron
Bug#403661: torrentflux: fails to install with error code 10
On 12/18/06, Remi Vanicat [EMAIL PROTECTED] wrote:
> $ DEBCONF_DEBUG=developer dpkg --configure --pending
> Setting up torrentflux (2.1-7) ...
> debconf (developer): frontend started
> debconf (developer): frontend running, package name is torrentflux
> debconf (developer): starting /var/lib/dpkg/info/torrentflux.config configure
> debconf (developer): -- CAPB backup
> debconf (developer): -- 0 multiselect escape backup
> debconf (developer): -- REGISTER dbconfig-common/database-type torrentflux/database-type
> debconf (developer): -- 10 No such template, dbconfig-common/database-type
> dpkg: error processing torrentflux (--configure):
>  subprocess post-installation script returned error exit status 10
> Errors were encountered while processing:
>  torrentflux

This is looking like a dbconfig-common problem to me, so I'm going to forward it to their list to see what they say. I'm having trouble reproducing this though. Could you describe what steps you took to get this error? Was dbconfig-common installed before installing torrentflux, or were they both in the same install?

Thanks,
Cameron
Bug#400582: arbitrary code execution in metaInfo.php in torrentflux
FYI, I will probably try and upload this on Thursday (Dec. 14th), in the hopes of eventually getting included back into Etch. Unless of course there are any more problems that come up, or problems pointed out with the fixes I have here.

Thanks,
Cameron
Bug#400582: arbitrary code execution in metaInfo.php in torrentflux
I've prepared an updated fix for this (and other) problems. I split the previous patch into 2, and created 2 other new ones to fix other problems. All 4 are attached, and my repository contains the updated packages. Here's a description of the patches:

11_missed_security_fixes.dpatch:
This patch now contains only the security fixes in 2.2 that I missed when I was previously adding fixes.

12_metaInfo_remote_command.dpatch:
This patch combines my previously suggested fix of using SecurityClean() on $torrent, in both metaInfo.php and startpop.php, and Stefan's suggested fix of using escapeshellarg($torrent) in metaInfo.php. Only one is required, but I used both just to be safe.

13_possible_xss_vulnerability.dpatch:
This patch uses htmlentities() before printing any variables that have been urldecoded after being read in (when htmlentities is initially run). I'm still not sure this can be exploited, as I have not yet been able to do it, but it may depend on the web server in use or its configuration, so I decided to fix it anyway to be safe. It's a pretty easy fix anyway.

14_maketorrent_remote_command.dpatch:
Upstream told me about this one. In maketorrent.php there's another place where an input variable is used unescaped in an exec. This patch escapes the variable before executing it.

Let me know if I missed something, or what you think of the patches. I think I managed to take care of every problem mentioned in this bug report, but it is quite long so I could be mistaken.

Cameron

11_missed_security_fixes.dpatch Description: Binary data
12_metaInfo_remote_command.dpatch Description: Binary data
13_possible_xss_vulnerability.dpatch Description: Binary data
14_maketorrent_remote_command.dpatch Description: Binary data
Bug#400582: arbitrary code execution in metaInfo.php in torrentflux
forwarded 400582 http://www.torrentflux.com/contact.php
thanks

Thanks for the additional info Stefan, I've forwarded this information to upstream. Unfortunately I have no time right now, so it will be a couple of days before I get to this. One question though (below).

On 12/4/06, Stefan Fritsch [EMAIL PROTECTED] wrote:
> In index.php and dir.php, urldecode() is called after the htmlentities escaping is done by getRequestVar(). This allows to bypass the escaping. In dir.php this could be used for a XSS. Replace $dir by htmlentities($dir) in the error message. Or maybe it would be a good idea to put the urldecode() into getRequestVar() and remove it from all other places.

I don't think putting urldecode() in getRequestVar() before htmlentities is called will work, as the directory name is needed decoded at some points in the file (maybe decode it only when needed and safe?). I'm starting to get over my head with some of this though, so I've forwarded this upstream in the hopes of getting some feedback.

When you say the error message, do you mean this line:

echo strong.$dir./strong could not be found or is not valid.;

Is that the only place you've found so far that this is a problem? I see the $torrent and $file_name variables in index.php might also be problems, but I can't tell for sure.

Cameron
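The ordering problem discussed in the message above (escape on read, urldecode() afterwards), shown as an added example that is not TorrentFlux code and not part of the original mail. get_request_var() is a hypothetical stand-in for the getRequestVar() behaviour described, and the <strong> markup and sample values are assumptions.

```php
<?php
// Added example, not TorrentFlux code. get_request_var() is a hypothetical
// stand-in for the escape-on-read behaviour described for getRequestVar().

function get_request_var(array $request, string $name): string
{
    return htmlentities($request[$name] ?? '', ENT_QUOTES, 'UTF-8');
}

// Before: escape first, decode afterwards. The escaping pass sees only
// '%', digits and letters, so it changes nothing; the later urldecode()
// then re-creates '<' and '>' in a value that is treated as already safe.
function render_before(array $request): string
{
    $dir = urldecode(get_request_var($request, 'dir'));
    return '<strong>' . $dir . '</strong> could not be found or is not valid.';
}

// After: the decoded value stays available for file-system work, but it is
// escaped again at the point where it is written into the page.
function render_after(array $request): string
{
    $dir = urldecode(get_request_var($request, 'dir'));
    return '<strong>' . htmlentities($dir, ENT_QUOTES, 'UTF-8')
        . '</strong> could not be found or is not valid.';
}

// Constructed inputs: the values PHP hands the script after its own single
// round of URL decoding, e.g. for a query string of ?dir=%253Cb%253Ex.
$samples = [
    ['dir' => '%3Cb%3Ex'],   // still percent-encoded once when escaped
    ['dir' => 'docs & isos'], // ordinary name containing a special character
];

foreach ($samples as $request) {
    printf("input : %s\n", $request['dir']);
    printf("before: %s\n", render_before($request));
    printf("after : %s\n\n", render_after($request));
}
```

With the second sample the output-time escaping encodes the ampersand twice, because the value was already escaped on read. That is a display artefact of escaping at both ends rather than a security problem, and it disappears if values are kept raw internally and escaped only on output.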
Bug#400582: present in 2.2 as well
On 12/4/06, Stefan Fritsch [EMAIL PROTECTED] wrote:
> The metaInfo.php issue doesn't seem to be fixed in 2.2

To be clear, I would like to point out that the more serious remote command execution using metaInfo.php IS fixed in 2.2. However, the local privilege escalation is present in 2.2 by a local user creating a file with backticks in it, then pointing the torrent variable of details.php to it and executing the command as the web server user.

Cameron
Bug#400582: CVEs assigned
Hi Micah,

Thanks for doing this. Unfortunately, I think one of these reports is a duplicate, and some are inaccurate as they don't apply to version 2.2. I don't know how these work, but if you can update them you may want to make some changes. See my notes below.

On 12/6/06, Micah Anderson [EMAIL PROTECTED] wrote:
> ==
> Name: CVE-2006-6328
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6328
> Reference: MISC:http://www.milw0rm.com/exploits/2786
> Reference: SECUNIA:22880
> Reference: URL:http://secunia.com/advisories/22880
> Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582
>
> Directory traversal vulnerability in index.php for TorrentFlux 2.2 allows remote attackers to create or overwrite arbitrary files via sequences in the alias_file parameter.

This already has an advisory, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5609 It also doesn't apply to Torrentflux 2.2, only 2.1 (the original advisory from milw0rm was incorrect, but CVE-2006-5609 is correct in indicating only 2.1 is affected). Also, the Debian bug for this one was 395930.

> ==
> Name: CVE-2006-6329
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6329
> Reference: MISC:http://www.milw0rm.com/exploits/2786
> Reference: SECUNIA:22880
> Reference: URL:http://secunia.com/advisories/22880
> Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582
>
> index.php for TorrentFlux 2.2 allows remote attackers to delete files by specifying the target filename in the delfile parameter.

Again, this is only present in version 2.1, not 2.2. The Debian bug number for this one is 399169.

> ==
> Name: CVE-2006-6330
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6330
> Reference: MISC:http://www.milw0rm.com/exploits/2786
> Reference: SECUNIA:22880
> Reference: URL:http://secunia.com/advisories/22880
> Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582
>
> index.php for TorrentFlux 2.2 allows remote registered users to execute arbitrary commands via shell metacharacters in the kill parameter.

Again, not present in 2.2, only in version 2.1. The Debian bug number for this one is also 399169.

> ==
> Name: CVE-2006-6331
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6331
> Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582
> Reference: MISC:http://bugs.debian.org/cgi-bin/bugreport.cgi/11_missed_security_fixes.dpatch?bug=400582;msg=71;att=1
>
> metaInfo.php in TorrentFlux 2.2, when $cfg[enable_file_priority] is false, allows remote attackers to execute arbitrary commands via shell metacharacters (backticks) in the torrent parameter to details.php.

This problem, as described, is not present in 2.2, only in 2.1. Also, the dpatch attached is a little misleading as it contains changes that fix the 2 previous problems (6329 and 6330) as well as this one (6331).

There is, however, a similar problem to this in 2.2 that Stefan described as a local privilege escalation. It uses the torrent parameter and a local user's ability to create a file containing backticks, to then execute arbitrary commands as the webserver user (www-data). I don't think it applies to remote users though, only local. You may want to request another CVE for this one, as it is a separate problem from 6331 and does affect version 2.2.

Cameron
Bug#400582: present in 2.2 as well
On 12/6/06, Cameron Dale [EMAIL PROTECTED] wrote:
> On 12/4/06, Stefan Fritsch [EMAIL PROTECTED] wrote:
> > The metaInfo.php issue doesn't seem to be fixed in 2.2
>
> To be clear, I would like to point out that the more serious remote command execution using metaInfo.php IS fixed in 2.2.

Sorry for the confusion and multiple messages, but as I mentioned in my other email, this is exploitable in 2.2, though it is a little harder than in 2.1. My mistake.

Cameron
Bug#400582: CVEs assigned
On 12/6/06, Cameron Dale [EMAIL PROTECTED] wrote:
> > ==
> > Name: CVE-2006-6331
> > Status: Candidate
> > URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6331
> > Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582
> > Reference: MISC:http://bugs.debian.org/cgi-bin/bugreport.cgi/11_missed_security_fixes.dpatch?bug=400582;msg=71;att=1
> >
> > metaInfo.php in TorrentFlux 2.2, when $cfg[enable_file_priority] is false, allows remote attackers to execute arbitrary commands via shell metacharacters (backticks) in the torrent parameter to details.php.
>
> This problem, as described, is not present in 2.2, only in 2.1. Also, the dpatch attached is a little misleading as it contains changes that fix the 2 previous problems (6329 and 6330) as well as this one (6331).
>
> There is, however, a similar problem to this in 2.2 that Stefan described as a local privilege escalation. It uses the torrent parameter and a local user's ability to create a file containing backticks, to then execute arbitrary commands as the webserver user (www-data). I don't think it applies to remote users though, only local. You may want to request another CVE for this one, as it is a separate problem from 6331 and does affect version 2.2.

Actually, on further investigation, I was wrong about this one, as it is a remote command execution bug in 2.2 as well, and I recommend you report it as such. I had thought that TorrentFlux's cleaning of the downloaded torrent files would make this local only, but I now see that a torrent file that includes files that have backticks will work (sorry Stefan, I misread your previous email about this).
Here is how to properly take advantage of this in Torrentflux 2.2 (or 2.1): mkdir -p '`touch /tmp/' echo Test file '`touch /tmp/hello`.torrent' btmakemetafile --target test.torrent http://localhost:6969 \`touch\ / Now upload test.torrent to TorrentFlux and start it downloading (it won't download anything, but that doesn't matter as the files are created when the torrent starts). Now go to (replace username with your TorrentFlux user name): http://hostname/torrentflux/details.php?torrent=../username/`touch /tmp/hello`.torrent It should say only btshowmetainfo 20030621 - decode BitTorrent metainfo files and the /tmp/hello file should be created as the web server user (www-data). Cameron -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#400582: arbitrary code execution in metaInfo.php in torrentflux
On 12/4/06, Stefan Fritsch [EMAIL PROTECTED] wrote:
> In index.php and dir.php, urldecode() is called after the htmlentities escaping is done by getRequestVar(). This allows to bypass the escaping. In dir.php this could be used for a XSS. Replace $dir by htmlentities($dir) in the error message. Or maybe it would be a good idea to put the urldecode() into getRequestVar() and remove it from all other places.

I've looked into this further, and I'm not convinced that this will result in a vulnerability. It seems to me that htmlentities() uses a different encoding format than urlencode() does, and so urldecode(htmlentities($dir)) != $dir. I've tested this, and urldecode() definitely doesn't decode the '&lt;' and '&gt;' that htmlentities() creates.

Now, you could try and submit a URL such as http://hostname/torrentflux/dir.php?dir=%3Cscript%3Ealert('xss')%3C/script%3E in the hopes that htmlentities() will not replace the %3C with &lt; and then later urldecode() will replace it with '<', but this doesn't seem to work as all the variables are urldecoded when they are read (from my testing it seems that way, anyway). Therefore they are made safe by htmlentities(). I'm not sure why this doesn't work, so if you know, or have found a way to exploit this, please let me know.

Cameron
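The ordering question debated in this message, as an added example (not code from TorrentFlux or from either poster): it runs the two orders of htmlentities() and urldecode() over constructed values and reports whether raw markup characters survive. The function names and sample strings are assumptions made for the illustration.

```php
<?php
// Added illustration, not TorrentFlux code; all names here are assumptions.

// Order described for index.php/dir.php: escape on input, urldecode() later.
function escape_then_decode(string $value): string
{
    return urldecode(htmlentities($value, ENT_QUOTES, 'UTF-8'));
}

// Order used by the fix: decode first, escape at the point of output.
function decode_then_escape(string $value): string
{
    return htmlentities(urldecode($value), ENT_QUOTES, 'UTF-8');
}

// True if the string still contains characters that start markup or
// close an attribute value.
function has_raw_markup(string $html): bool
{
    return strpbrk($html, '<>"\'') !== false;
}

// Constructed values, standing for what the variable holds at the moment
// the script starts working with it.
$samples = [
    'plain directory name'      => 'incoming/isos',
    'literal angle brackets'    => 'incoming/<b>x</b>',
    'percent-escapes remaining' => 'incoming/%3Cb%3Ex%3C%2Fb%3E',
];

foreach ($samples as $label => $value) {
    $early = escape_then_decode($value);
    $late  = decode_then_escape($value);

    echo $label, "\n";
    echo '  value held:           ', $value, "\n";
    echo '  escape, then decode:  ', $early,
         has_raw_markup($early) ? '   [raw markup]' : '   [escaped]', "\n";
    echo '  decode, then escape:  ', $late,
         has_raw_markup($late) ? '   [raw markup]' : '   [escaped]', "\n\n";
}
```

The second sample matches the observation that urldecode() does not undo what htmlentities() produced; the third shows why escaping has to be the last step before output whenever a value can still carry percent-escapes.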
Bug#400582: arbitrary code execution in metaInfo.php in torrentflux
Unless there are any more problems found with the fix I created, I'm going to try and get this uploaded by Monday the 4th so I can start working on the soon-to-be-released new upstream version.

Cameron
Bug#400582: arbitrary code execution in metaInfo.php in torrentflux
On 11/29/06, Stefan Fritsch [EMAIL PROTECTED] wrote:
> I didn't have time yet to look at it thoroughly (or test it), but AFAICS you now check the file for existence before passing it to the shell. This should convert the remote command execution vuln into a local privilege escalation. A local user can do
>
> touch '/tmp/`touch /tmp/hello`'

I think I understand how this is supposed to work, but I can't execute this to create a file containing the ticks in it. Is this supposed to work?

hostname:~$ touch '/tmp/`touch /tmp/hello`'
touch: cannot touch `/tmp/`touch /tmp/hello`': No such file or directory
hostname:~$ ls /tmp
flashgot.lfb3lmyf.default/ .ICE-unix/ ksocket-camrdale/ .X0-lock gpg-ovJV8Y/ kde-camrdale/ ssh-PRXIyZ3903/.X11-unix/

I tried lots of variations on escaping the quotes, but nothing would cause this to create a file with ticks in it. What am I doing wrong?

Cameron
Bug#400582: arbitrary code execution in metaInfo.php in torrentflux
On 11/29/06, Stefan Fritsch [EMAIL PROTECTED] wrote: I didn't have time yet to look at it thoroughly (or test it), but AFAICS you now check the file for existance before passing it to the shell. This should convert the remote command execution vuln into a local priviledge escalation. A local user can do touch '/tmp/`touch /tmp/hello`' and pass the filename to torrentflux and so get the command executed as user www-data. This is definitely less severe than before but IMHO still a bug. It would also convert any vulnerability to create a file with arbitrary name into a code execution vulnerability. I don't think this will work, because the local user would need to be the www-data user to create the '/tmp/`touch /tmp/hello`' under the $cfg[torrent_file_path] directory for it to be found. However, it will be possible to exploit the fact that the torrent input is not checked for ..'s on input, and so the following will work (assuming the touch '/tmp/`touch /tmp/hello`' has already been done): http://localhost/torrentflux/details.php?torrent=../../../../tmp/`touch /tmp/hello` I think the solution is then to use the SecurityClean function on the torrent input variable in details.php to remove the ../ ability, and that should take care of it. -$torrent = getRequestVar('torrent'); +$torrent = SecurityClean(getRequestVar('torrent')); The new patch is attached, and I have updated the packages in my repository. Cameron 11_missed_security_fixes.dpatch Description: Binary data
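Review bot: The `+$torrent = SecurityClean(getRequestVar('torrent'));` line filters the value where details.php reads it, but nothing in this change protects the shell command that later receives $torrent. If SecurityClean() only removes the ../ ability, as described, a name that lies inside the torrent directory and contains backticks passes through unchanged. Escape at the point of use as well, with escapeshellarg($torrent) on the command line, and apply the same input cleaning in every script that reads the torrent parameter.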
Bug#400582: arbitrary code execution in metaInfo.php in torrentflux
tags 400582 + pending
thanks

On 11/27/06, Stefan Fritsch [EMAIL PROTECTED] wrote:
> I was able to exploit the problem mentioned above to execute shell commands. $cfg[enable_file_priority] must be false.

Ahh, that's why I couldn't get it to work. Looking at it now it seems obvious, but then hindsight always seems to work like that. Thanks for finding it, Stefan.

> Try http://xxx/torrentflux/details.php?torrent=`touch /tmp/hello`

This did work for me too. I've gone through the security fixes available in upstream's 2.2 beta, and found that I did not catch all of them when I was backporting to 2.1. One of them does fix this problem, so I've created a new patch with all the missing fixes in it. I've attached the new patch file for your consideration, and I think I'm going to hold off on the upload for a few days to make sure I really did get them all this time, and talk to upstream about it. Please let me know if you think this is not sufficient, or if I missed something else.

In consideration of the calls to exec() and shell_exec() mentioned previously, I went through the code to see if I could find any places where this could be exploited. I found a couple of possible problems, which are fixed in the included patch. However, there are lots of occurrences of these functions being called where the input is one of the settings stored in the database (unescaped), which I don't consider a security risk, as you have to be an admin to change them, and if you are an admin then it's much easier to just point the location of the bittornado files to whatever python script you want executed. The other thing I considered is the possibility of some kind of sql injection that could be used to alter these database entries, but that would be a security problem that would need to be fixed anyway, as the database has to be trusted. Am I incorrect in thinking like this, and these are security risks?
By the way, if you want to try out the new package to make sure it works, you can find it in my personal repository here: deb http://www.cs.sfu.ca/~camerond/personal/debian/ http://www.cs.sfu.ca/~camerond/personal/debian/pool/main/t/torrentflux/ Cameron 11_missed_security_fixes.dpatch Description: Binary data
Bug#399169: TorrentFlux Arbitrary Command Execution and Directory Traversal
retitle 399169 torrentflux: create/delete/overwrite arbitrary files
tags 399169 + pending
thanks

Thanks for the report Stefan, your vigilance is much appreciated. Unfortunately the report from secunia is poorly titled, and some of it doesn't apply to the Debian package, so I'll include some more info below for those interested.

On 11/18/06, Stefan Fritsch [EMAIL PROTECTED] wrote:
> 1) Input passed to the kill parameter in index.php is not properly sanitised before being used as the command line argument to the kill command. This can be exploited to inject arbitrary shell commands via the ; character.

This doesn't apply to the current version (2.1-5), as it has had this input sanitized in fixing a previous 2.1 bug.

> 2) Input passed to the delfile or alias_file parameters in index.php is not properly sanitised before being used to delete, create or overwrite files. The delfile parameter can be exploited to delete arbitrary files. The alias_file parameter can be exploited to create or overwrite arbitrary files, but an attacker cannot control what data will be written to them.

This does apply to the current version, and will be fixed in the next version (2.1-6).

> Successful exploitation requires valid user credentials.

None of these is very serious, as all require a registered user to exploit the hack.

Cameron
Bug#399169: TorrentFlux Arbitrary Command Execution and Directory Traversal
On 11/22/06, Stefan Fritsch [EMAIL PROTECTED] wrote: thanks for looking into this. Unfortunately I think you are only partially right. (On the other hand, I don't use torrentflux and cannot install it ATM due to libphp-adodb brokenness, so I could be wrong as well). A new libphp-adodb is in the works. Should be available soon. On Wednesday 22 November 2006 09:31, Cameron Dale wrote: On 11/18/06, Stefan Fritsch [EMAIL PROTECTED] wrote: 1) Input passed to the kill parameter in index.php is not properly sanitised before being used as the command line argument to the kill command. This can be exploited to inject arbitrary shell commands via the ; character. This doesn't apply to the current version (2.1-5), as it has had this input sanitized in fixing a previous 2.1 bug. As far as I can see, you only call htmlentities on the input. This is not enough if you use the input in a command line that is passed to a shell. For example the characters |;`$ have special meanings to the shell and are not changed by htmlentities. In fact, in the case we were discussing before (the kill parameter), the new version will also only execute the kill command if $kill is a numeric variable. So, if it wasn't fixed before then it will be now. However, in the example above, the input is only passed to exec and this does not seem to use a shell but executes the command directly. So this doesn't seem to be exploitable here. On the other hand, there are various exec()s of commands that are obviously meant to be executed by a shell (with pipes or redirects). This doesn't really make sense to me (but I am no php expert). But I have found an instance where the input is passed to shell_exec(). From metaInfo.php: $result = shell_exec(cd . $cfg[torrent_file_path].; . $cfg[pythonCmd] . -OO . $cfg[btshowmetainfo ]. \.$torrent.\); Here the input ($torrent) is wrapped in double quotes which is not enough since the shell will interpret `command` even inside double quotes. 
You should use escapeshellarg() on this. Although what you are saying makes sense to me, I cannot use it to cause a command to be executed. I have tried many combinations of inputs to the $torrent variable (including using `command`), and none of them has been successful. I can't say why it seems to catch these, but it seems to, so I will leave it at that. If you (or anyone else) can create a case where this is a security issue, please submit it as a new bug. None of these is very serious, as all require a registered user to exploit the hack. While this is true, the average admin would not expect that any registered user can execute arbitrary commands or delete files. So this definitely should be fixed before etch release. Definitely, I was just trying to calm people's fears about this being a globally accessible hack. It will of course be treated seriously, and fixed as soon as possible. Cameron -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
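The quoting point made about the shell_exec() call in metaInfo.php, as an added example (not TorrentFlux code and not either poster's patch): the first function builds the command the way the quoted line does, the second accepts only a plain file name and applies escapeshellarg() to every piece. The $cfg values, the function names and the sample names are assumptions; the probe hands each value to printf with a harmless echo substitution, so the difference shows without running btshowmetainfo.

```php
<?php
// Added illustration, not TorrentFlux code. The $cfg keys are the ones quoted
// in the thread; their values and all function names here are assumptions.
$cfg = [
    'torrent_file_path' => '/var/lib/torrentflux/.torrents/',
    'pythonCmd'         => '/usr/bin/python',
    'btshowmetainfo'    => '/usr/bin/btshowmetainfo.py',
];

// Pattern of the quoted metaInfo.php line: the value is wrapped in double
// quotes only, and the shell still expands `...` and $(...) inside them.
function cmd_double_quoted(array $cfg, string $torrent): string
{
    return 'cd ' . $cfg['torrent_file_path'] . '; ' . $cfg['pythonCmd']
         . ' -OO ' . $cfg['btshowmetainfo'] . ' "' . $torrent . '"';
}

// Hardened form: accept a single path component only, then let
// escapeshellarg() single-quote every piece that reaches the shell.
function cmd_escaped(array $cfg, string $torrent): ?string
{
    $isPlainName = $torrent !== ''
        && $torrent !== '.' && $torrent !== '..'
        && strpos($torrent, "\0") === false
        && basename($torrent) === $torrent;   // rejects any "/", so no "../"
    if (!$isPlainName) {
        return null;                          // caller reports an error instead
    }
    return 'cd ' . escapeshellarg($cfg['torrent_file_path']) . ' && '
         . escapeshellarg($cfg['pythonCmd']) . ' -OO '
         . escapeshellarg($cfg['btshowmetainfo']) . ' '
         // "./" keeps a name starting with "-" from being read as an option
         . escapeshellarg('./' . $torrent);
}

// Probe: pass the already-quoted value to /bin/sh as the argument of printf
// and return what the shell handed on. Only a harmless echo is substituted.
function shell_sees(string $quotedArg): string
{
    return (string) shell_exec('printf %s ' . $quotedArg);
}

// Constructed sample names.
$samples = [
    'debian-etch.iso.torrent',
    'a`echo SUBSTITUTED`.torrent',
    '../../tmp/other.torrent',
];

foreach ($samples as $name) {
    echo 'name:                 ', $name, "\n";
    echo 'shell, double quotes: ', shell_sees('"' . $name . '"'), "\n";
    echo 'shell, escapeshellarg: ', shell_sees(escapeshellarg($name)), "\n";
    echo 'command as quoted:    ', cmd_double_quoted($cfg, $name), "\n";
    echo 'command hardened:     ', cmd_escaped($cfg, $name) ?? '(rejected)', "\n\n";
}
```

For the second sample the double-quoted probe returns a name in which the shell has already replaced the backtick section, while the escapeshellarg() probe returns the name byte for byte.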
Bug#399174: libphp-adodb cannot be installed on unstable
tags 399174 + pending
thanks

On 11/19/06, Steve Langasek [EMAIL PROTECTED] wrote:
> That bug submitter was misguided. The phpapi virtual package is not intended for use by apps written in php; please use the packages 'php4' and/or 'php5' for this,

Thanks for the help Steve. I decided to go with php5 | php5-cli | php4 | php4-cli, which I think covers all the bases.

Cameron
Bug#399174: libphp-adodb cannot be installed on unstable
Hi Steve, I'm currently in the process of adopting this package, so I'm still a little unfamiliar with it. Please bear with me. On 11/18/06, Steve Langasek [EMAIL PROTECTED] wrote: On Sat, Nov 18, 2006 at 10:14:49AM +, Richard Burton wrote: The following packages have unmet dependencies. libphp-adodb: Depends: phpapi-20050606 but it is not installable or phpapi-20051025 but it is not installable Hrm, this package shouldn't be depending on phpapi in the first place, it's an architecture: all package and the phpapi declarations refer to the binary extension ABI... The dependency on phpapi was inserted in response to bug #335380, which suggested using phpapi as it is provided by all php clients. I take it you are saying this is not the correct way to create this dependency, but I can't see why not. Could you explain this to me, or is there some documentation you could point me to that could explain this? Also, what method would you suggest using for this dependency, something like php5-cgi | php5-cli | libapache2-mod-php5 | libapache-mod-php5 | php4-cgi | php4-cli | libapache2-mod-php4 | libapache-mod-php4, or is there a better way? Thanks, Cameron -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#398537: torrentflux: postinst fails: No mysql client to execute. (have you installed mysql-client?
severity 398537 wishlist tags 398537 wontfix thanks On 11/14/06, Lucas Nussbaum [EMAIL PROTECTED] wrote: During a piuparts run over all the packages in etch, I ran into a problem with your package: Unfortunately, torrentflux is not intended to be installed unattended in the manner that piuparts does. The mysql-client dependency is already there as a recommends, and so most people will get it when doing a normal install through apt-get or aptitude. In http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=353617#10: if you depend on dbconfig-common, then you also need to depend on the cmdline tools for the database types you support. otherwise you'd have to install postgres clients and libraries even if you were packaging a mysql app and vice versa. As I said, the dependency is there as a recommends. This is specified this way, as the minimum packages needed for torrentflux to install and run are given as depends. The reason for this is better explained by this list mail: http://lists.debian.org/debian-devel/2006/07/msg00927.html So for torrentflux, mysql-server is a suggests because a local server is not necessary as a remote mysql server could be available, and mysql-client is a recommends as most will need it but some may choose to not use the dbconfig-common method for database installation and would rather prefer to install the database themselves (dbconfig-common installation is not required, only recommended). This second dependency also allows future expansion to PostGreSQL (which is on the TODO list) by adding postgresql-client to the recommends as both dbconfig-common and torrentflux support it. I don't think this violates any debian policy that I'm aware of, or makes the package unusable to most people. Therefore I have downgraded the severity to wishlist and will leave this as wontfix for others to see until such a time as a better solution is available or required. If I've overlooked something about this, please let me know. 
Cameron
Bug#395930: torrentflux: Directory traversal vulnerability
Package: torrentflux Version: 2.1-4 Severity: grave Tags: security, confirmed, pending Justification: user security hole Thanks to Stefan Fritsch for bringing this to my attention. A fix has been prepared and will be uploaded shortly. From http://www.securityfocus.com/bid/20771 : TorrentFlux is prone to a directory-traversal vulnerability because the application fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to retrieve arbitrary files from the vulnerable system in the context of the affected application. Information obtained may aid attackers in further attacks. TorrentFlux version 2.1 is reported vulnerable; other versions may be affected as well. From bugtraq email: Dorkfire.com Security Advisory Discovered By: vooduhal (at) gmail (dot) com [email concealed] Type of problem: Directory Traversal Software: TorrentFlux 2.1 Software Description: TorrentFlux is a FREE PHP based Torrent client that runs on a web server. Manage all of your Torrent downloads through a convenient web interface from anywhere. Problem description: The dir.php script doesn't properly sanitize path passed via the dir GET variable and also doesn't confirm where it's currently creating a directory list for. 
Example: http://target/torrentfluxroot/dir.php?dir=\.\./\.\./\.\./etc/ will produce a directory list of /etc/ -- System Information: Debian Release: testing/unstable APT prefers unstable APT policy: (990, 'unstable') Architecture: amd64 (x86_64) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.17-1-amd64-k8 Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8) Versions of packages torrentflux depends on: ii bittornado0.3.17-1 bittorrent client with enhanced cu ii dbconfig-common 1.8.20 common framework for packaging dat ii debconf [debconf-2.0] 1.5.2 Debian configuration management sy ii libapache2-mod-php5 5.1.4-0.1 server-side, HTML-embedded scripti ii libphp-adodb 4.72-0.1 The 'adodb' database abstraction l ii php5-mysql5.1.4-0.1 MySQL module for php5 ii python2.4.3-11 An interactive high-level object-o Versions of packages torrentflux recommends: ii mysql-client 5.0.22-3 mysql database client (current ver ii mysql-client-5.0 [mysql-clien 5.0.22-3 mysql database client binaries -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#395099: CVE-2006-5451: several XSS vulnerabilities in torrentflux
tags 395099 + pending
thanks

Thanks again for the report. I've updated the code using patches based on the beta release from the next upstream upgrade. This should be uploaded very soon.

Cameron
Bug#391689: python-support: 0.5.3 doesn't always generate python dependencies (python-script-but-no-python-dep)
Package: python-support Version: 0.5.3 Severity: serious Justification: Policy 2.4 of the Python Policy I filed a bug about this before (#383958), and it was fixed in 0.4.2. However, some time between 0.4.3 (which worked) and 0.5.2 (which doesn't) this change was removed (I just checked, and 0.5 worked fine, but 0.5.1 didn't). Using the recommended implementation of python-support again generates no python dependencies to be included in the Depends line. Even though the changelog for 0.5.3 says: * dh_pysupport: always generate dependencies. it also doesn't generate the correct dependencies Interestingly, the control file for my package (bittornado) is for 2 binary packages, bittornado and bittornado-gui. The ${python:Depends} for the first gets replaced with python-support (= 0.2) which leads to the error, while the second gets python. This seems strange too, as I think both should be getting python, python-support (= 0.2), but maybe because the second depends on the first it doens't include the python-support depend for that one. I'll try to attach my control file to see if that helps explain it. I felt the severity was justified, as dh_python is now deprecated in debhelper, so for users of python-support this is the only way to specify the python dependencies. If I've made a mistake somewhere, please let me know, as my package's latest version being included in Etch may be at stake. You may also want to refer to these debian-python list threads: http://lists.debian.org/debian-python/2006/08/msg00097.html http://lists.debian.org/debian-python/2006/08/msg00100.html -- System Information: Debian Release: testing/unstable APT prefers unstable APT policy: (990, 'unstable') Architecture: amd64 (x86_64) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.17-1-amd64-k8 Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8) Versions of packages python-support depends on: ii python2.4.3-11 An interactive high-level object-o python-support recommends no packages. 
-- no debconf information Source: bittornado Section: net Priority: optional Maintainer: Micah Anderson [EMAIL PROTECTED] Uploaders: Cameron Dale [EMAIL PROTECTED] Build-Depends: dpatch, debhelper (= 5.0.37.2) Build-Depends-Indep: python-dev, python-support (= 0.4.2), docbook-to-man Standards-Version: 3.7.2 Package: bittornado Architecture: all Depends: ${python:Depends} Conflicts: bittorrent (= 3.4.2-2) Replaces: bittorrent Suggests: bittornado-gui, python-psyco Recommends: mime-support Provides: python-bittornado Description: bittorrent client with enhanced curses interface bittorrent is a tool for distributing files. Whenever more than one person is downloading at once they send pieces of the file(s) to each other, thus relieving the central server's bandwidth burden. Even with many simultaneous downloads, the upload burden on the central server remains quite small, since each new downloader introduces new upload capacity. . BitTornado is the next generation bittorrent client built on the original BitTorrent. This client features an enhanced console/curses mode, lots of new features under the hood, and is generally one of the most advanced clients out there. Get this if you need to limit your bandwidth, or you want more control of your torrents. It does everything the original bittorrent does, plus more... . This package only contains the curses interfaces, install the package bittornado-gui to get the GUI components . Homepage: http://bittornado.com Package: bittornado-gui Architecture: all Depends: ${python:Depends}, bittornado (= ${Source-Version}), python-wxgtk2.6, python-wxversion Conflicts: bittorrent (= 3.4.2-2), libfreetype6 (= 2.1.7-2.4) Replaces: bittorrent Suggests: python-psyco, python-wxgtk2.4 Recommends: mime-support Description: bittorrent client with enhanced GUI interface bittorrent is a tool for distributing files. It's extremely easy to use - downloads are started by clicking on hyperlinks. 
Whenever more than one person is downloading at once they send pieces of the file(s) to each other, thus relieving the central server's bandwidth burden. Even with many simultaneous downloads, the upload burden on the central server remains quite small, since each new downloader introduces new upload capacity. . BitTornado is the next generation bittorrent client built on the original BitTorrent. This client features an enhanced GUI, lots of new features under the hood, and is generally one of the most advanced clients out there. Get this if you need to limit your bandwidth, or you want more control of your torrents. It does everything the original bittorrent does, plus more...
Bug#383799: ImportError: No module named BitTornado
You beat me to it Micah. :)

On 8/19/06, Micah Anderson [EMAIL PROTECTED] wrote:
> I just updated all my packages in unstable to the latest, and I do not experience this issue.

I also upgraded my packages in unstable to the latest, which included installing python2.4 for the first time, and I had no problems with bittornado afterwards. I also tried uninstalling python2.3 (still worked fine), and then uninstalling and reinstalling bittornado with only python2.4 present (still no problem).

Artur, what install order did you use? I assume something like: first python2.3 (long ago), then bittornado (a while ago), then python2.4 (recently)? If that's the case you might try uninstalling/reinstalling bittornado to see if it solves your problem.

As Micah asked, the output of dpkg -l python* might be helpful. Also, perhaps the output of locate -e BitTornado.

Cameron Dale
Bug#361521: torrentflux: The adodb folder is missing.
severity 361521 wishlist
retitle 361521 torrentflux: does not work with adodb in stable/sarge
tags 361521 sarge
thanks

Hi ryaner,

I've downgraded your bug, as it is related to an old distribution that is not supported by this version of torrentflux. Read below for more info. I don't have a good solution right now for getting torrentflux to work with sarge, and I'm working on the upstream upgrade so I can't devote any time to it right now. Perhaps in the future I will have more time and we can work on this some more.

Ryaner said the following on 08/04/2006 1:48 PM:
> Main html bundle does not include the adodb folder required by Torrentflux. This leads to 2 warnings about being unable to open the adodb files and then the Fatal error when trying to open a DB connection.
>
> As TF has the folder values hardcoded, you will either need to update the values to point to the adodb package pulled in by dependencies or just include the adodb folder with the TF html bundle.

As Debian already includes adodb in the form of the libphp-adodb package, I could not include the adodb bundle included with torrentflux. The current version of libphp-adodb in testing/unstable (4.72) installs the adodb files into /usr/share/php/adodb. As /usr/share/php is in the include path of PHP, the hardcoded values that come with torrentflux work perfectly.

The old version of libphp-adodb in stable/sarge (4.52) installs the adodb files into /usr/share/adodb. They are not automatically included in the PHP path. There is a note in the libphp-adodb README.debian, indicating the proper method for adding the adodb files to the PHP include path.

I'm not sure what to suggest to you to get torrentflux to work with stable/sarge. You could try adding the adodb to the include path for PHP, or moving the adodb to a subfolder of an already included path, or adjusting the include values in torrentflux. None of these are great solutions.

FYI, you may also have problems with the bittornado version that is in stable. I haven't confirmed this, but I suspect torrentflux may need =0.3.13 version of bittornado. Let me know if the stable/sarge one does work for you.

-- Cameron Dale [EMAIL PROTECTED]
Bug#349985: various unfixed security bugs
Attached are the patches I have prepared that backport the fixes of these vulnerabilities to the version in sarge (4.52-1). -- Cameron Dale
Bug#358872: libphp-adodb: Multiple cross-site scripting (XSS) vulnerabilities
Attached is a patch I have prepared that backports the fix of this vulnerability to the version in sarge (4.52-1). -- Cameron Dale diff -Nur libphp-adodb-4.52/build-tree/adodb/adodb-pager.inc.php libphp-adodb-4.52.new/build-tree/adodb/adodb-pager.inc.php --- libphp-adodb-4.52/build-tree/adodb/adodb-pager.inc.php 2004-08-10 01:26:22.0 -0700 +++ libphp-adodb-4.52.new/build-tree/adodb/adodb-pager.inc.php 2006-03-24 15:52:38.0 -0800 @@ -60,7 +60,7 @@ global $HTTP_SERVER_VARS,$PHP_SELF,$HTTP_SESSION_VARS,$HTTP_GET_VARS; $curr_page = $id.'_curr_page'; - if (empty($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF']; + if (empty($PHP_SELF)) $PHP_SELF = htmlspecialchars($HTTP_SERVER_VARS['PHP_SELF']); // htmlspecialchars() to prevent XSS attacks $this-sql = $sql; $this-id = $id; @@ -70,7 +70,7 @@ $next_page = $id.'_next_page'; if (isset($HTTP_GET_VARS[$next_page])) { - $HTTP_SESSION_VARS[$curr_page] = $HTTP_GET_VARS[$next_page]; + $HTTP_SESSION_VARS[$curr_page] = (integer) $HTTP_GET_VARS[$next_page]; } if (empty($HTTP_SESSION_VARS[$curr_page])) $HTTP_SESSION_VARS[$curr_page] = 1; ## at first page @@ -284,4 +284,4 @@ } -? \ No newline at end of file +? signature.asc Description: Digital signature
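Review bot: in the first adodb-pager.inc.php hunk (line 60) the htmlspecialchars() call only runs inside the `if (empty($PHP_SELF))` fallback, so a `$PHP_SELF` that is already populated through the `global` declaration on the line above is used as-is and never escaped. Suggest assigning from `$HTTP_SERVER_VARS['PHP_SELF']` unconditionally and escaping that, or escaping at the point where the value is written into the page.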
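Review bot: in the second adodb-pager.inc.php hunk (line 70) the `(integer)` cast strips markup from `$HTTP_GET_VARS[$next_page]` but still lets a negative number into `$HTTP_SESSION_VARS[$curr_page]`, because the `empty()` test on the following context line only catches 0 and unset values. Suggest clamping at the assignment, for example `max(1, (integer) $HTTP_GET_VARS[$next_page])`.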
Bug#349985: various unfixed security bugs
Attached are the patches I have prepared that backport the fixes of these vulnerabilities to the version in sarge (4.52-1). They're really attached this time. -- Cameron Dale diff -Nur libphp-adodb-4.52/build-tree/adodb/server.php libphp-adodb-4.52.new/build-tree/adodb/server.php --- libphp-adodb-4.52/build-tree/adodb/server.php 2004-07-06 01:32:26.0 -0700 +++ libphp-adodb-4.52.new/build-tree/adodb/server.php 2006-03-24 15:32:39.0 -0800 @@ -26,7 +26,7 @@ * Define the IP address you want to accept requests from * as a security measure. If blank we accept anyone promisciously! */ -$ACCEPTIP = ''; +$ACCEPTIP = '127.0.0.1'; /* * Connection parameters @@ -34,7 +34,7 @@ $driver = 'mysql'; $host = 'localhost'; // DSN for odbc $uid = 'root'; -$pwd = ''; +$pwd = 'garbage-it-is'; $database = 'test'; /* DO NOT MODIFY BELOW HERE =*/ @@ -67,13 +67,15 @@ $remote = $HTTP_SERVER_VARS[REMOTE_ADDR]; -if (empty($HTTP_GET_VARS['sql'])) err('No SQL'); if (!empty($ACCEPTIP)) if ($remote != '127.0.0.1' $remote != $ACCEPTIP) err(Unauthorised client: '$remote'); +if (empty($HTTP_GET_VARS['sql'])) err('No SQL'); + + $conn = ADONewConnection($driver); if (!$conn-Connect($host,$uid,$pwd,$database)) err($conn-ErrorNo(). $sep . $conn-ErrorMsg()); @@ -95,4 +97,4 @@ } else err($conn-ErrorNo(). $sep .$conn-ErrorMsg()); -? \ No newline at end of file +? diff -Nur libphp-adodb-4.52/build-tree/adodb/tests/tmssql.php libphp-adodb-4.52.new/build-tree/adodb/tests/tmssql.php --- libphp-adodb-4.52/build-tree/adodb/tests/tmssql.php 2003-04-15 04:36:28.0 -0700 +++ libphp-adodb-4.52.new/build-tree/adodb/tests/tmssql.php 2006-03-24 15:41:04.0 -0800
@@ -53,6 +53,16 @@ $rs = $conn-Execute('delete from tester'); print date=.$conn-GetOne('select getdate()').br; } + + +$ACCEPTIP = '127.0.0.1'; + +$remote = $HTTP_SERVER_VARS[REMOTE_ADDR]; + +if (!empty($ACCEPTIP)) + if ($remote != '127.0.0.1' $remote != $ACCEPTIP) + die(Unauthorised client: '$remote'); + ? a href=tmssql.php?do=tmssqlmssql/a a href=tmssql.php?do=tpearpear/a @@ -60,6 +70,11 @@ ?php if (!empty($_GET['do'])) { $do = $_GET['do']; - $do(); + switch($do) { + case 'tpear': + case 'tadodb': + case 'tmssql': + $do(); + } } -? \ No newline at end of file +? diff -Nur libphp-adodb-4.52/build-tree/adodb/drivers/adodb-postgres64.inc.php libphp-adodb-4.52.new/build-tree/adodb/drivers/adodb-postgres64.inc.php --- libphp-adodb-4.52/build-tree/adodb/drivers/adodb-postgres64.inc.php 2004-08-10 01:26:27.0 -0700 +++ libphp-adodb-4.52.new/build-tree/adodb/drivers/adodb-postgres64.inc.php 2006-03-24 15:49:22.0 -0800 @@ -214,7 +214,7 @@ return $ret; } - /* + // if magic quotes disabled, use pg_escape_string() function qstr($s,$magic_quotes=false) { @@ -223,7 +223,7 @@ return '.pg_escape_string($s).'; } if ($this-replaceQuote[0] == '\\'){ - $s = adodb_str_replace(array('\\',\0),array('',\\\0),$s); + $s = adodb_str_replace(array('\\',\0),array('',000),$s); } return '.str_replace(',$this-replaceQuote,$s).'; } @@ -232,7 +232,7 @@ $s = str_replace('\\','',$s); return '$s'; } - */ + // Format date column in sql string given an input format that understands Y M D signature.asc Description: Digital signature
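Review bot: in the server.php hunk at line 34, `$pwd = 'garbage-it-is';` replaces the blank password with a literal that is public in this patch, and nothing beside it says it is a placeholder. Suggest a comment on that line stating that the value must be changed before the script is used, and that `$uid = 'root'` in the context line above is equally a default to replace.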
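Review bot: in the server.php hunk at line 67 the address check stays wrapped in `if (!empty($ACCEPTIP))`, so blanking that setting switches the check off and the script goes straight on to the `sql` parameter. Moving the 'No SQL' test below the check is the right order; suggest also calling err() when `$ACCEPTIP` is empty, so the script fails closed instead of accepting every client.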
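Review bot: the first tmssql.php hunk (line 53) copies the `$ACCEPTIP` check from server.php into the test script and places it after the function that closes in the context lines above, so the restriction now lives in two files that can drift apart, and anything executed earlier in tmssql.php is not covered by it. Suggest moving the check to the top of the file and keeping the allowed address in one shared place.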
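Review bot: in the second tmssql.php hunk (line 60) the new `switch` has no `default:` branch and the permitted cases still end in the variable call `$do()`. Suggest calling each function by name in its own `case` with a `break;`, plus a `default:` that rejects the value, so the request parameter is never used as a function name.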
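Review bot: in adodb-postgres64.inc.php the change to the NUL replacement inside qstr() (hunk at line 223) carries no comment, and the hunks at lines 214 and 232 re-enable the whole function only by editing comment markers, so the reason for either change is not recorded in the code. Suggest a short comment above `function qstr` saying why the override is active again and what the new replacement is meant to produce, and a test string containing a quote, a backslash and a NUL byte for each branch of the function.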
Bug#358872: Processed: notfound 358872 in 4.72-0.1, found 358872 in 4.52-1
Debian Bug Tracking System wrote:
> Processing commands for [EMAIL PROTECTED]:
>
> # Automatically generated email from bts, devscripts version 2.9.15
> notfound 358872 4.72-0.1
> Bug#358872: libphp-adodb: Multiple cross-site scripting (XSS) vulnerabilities
> Bug marked as not found in version 4.72-0.1.
>
> # I assume; but not in the version that is claimed to fix it...
> found 358872 4.52-1
> Bug#358872: libphp-adodb: Multiple cross-site scripting (XSS) vulnerabilities
> Bug marked as found in version 4.52-1.
>
> End of message, stopping processing here.
>
> Please contact me if you need assistance.
>
> Debian bug tracking system administrator
> (administrator, Debian Bugs database)

Oops, looks like I submitted the bug on my locally created package instead of the proper one. The current version in testing and unstable (4.64-4) does suffer from this bug as well as the version in stable (4.52-1). Sorry.

-- Cameron Dale [EMAIL PROTECTED]
Bug#358872: libphp-adodb: Multiple cross-site scripting (XSS) vulnerabilities
Package: libphp-adodb
Version: 4.72-0.1
Severity: grave
Tags: security
Justification: user security hole

Another vulnerability: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0806

See also: http://www.securityfocus.com/archive/1/archive/1/425393/100/0/threaded

Is fixed in 4.72: http://sourceforge.net/project/shownotes.php?release_id=395252group_id=42718

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-k7
Locale: LANG=en_CA, LC_CTYPE=en_CA (charmap=ISO-8859-1)

Versions of packages libphp-adodb depends on:
ii  debconf [debconf-2.0]          1.4.70     Debian configuration management sy
ii  libapache2-mod-php5 [phpapi-2  5.1.2-1    server-side, HTML-embedded scripti
ii  php4-cgi [phpapi-20050606]     4:4.4.2-1  server-side, HTML-embedded scripti
ii  php5-cli [phpapi-20051025]     5.1.2-1    command-line interpreter for the p

Versions of packages libphp-adodb recommends:
ii  php4-mysql                 4:4.4.2-1  MySQL module for php4
pn  php4-odbc | php5-odbc      none       (no description available)
ii  php4-pgsql                 4:4.4.2-1  PostgreSQL module for php4
pn  php4-sybase | php5-sybase  none       (no description available)
ii  php5-mysql                 5.1.2-1    MySQL module for php5
ii  php5-pgsql                 5.1.2-1    PostgreSQL module for php5

-- debconf information:
* libphp-adodb/pathmove: