Bug#1071197: ninja-build: 1.12 breaks chromium build

2024-05-16 Thread Felix Geyer

On 15.05.24 23:49, Andres Salomon wrote:

Package: ninja-build
Version: 1.12.1-1
Severity: serious
Tags: affects -1 chromium
X-Debbugs-Cc: Andres Salomon 

Chromium in unstable breaks with ninja-build 1.12. See here for example, where the same chromium 
version (124.0.6367.201-1) built fine on architectures where older ninja-build was available, but 
failed on newer ninja-build:


   https://buildd.debian.org/status/logs.php?pkg=chromium=amd64
   https://buildd.debian.org/status/logs.php?pkg=chromium=armhf

I've also verified in a sid chroot that 1.12.1-1 fails to build chromium
124.0.6367.207, but if I downgrade ninja-build to 1.11.1-2 then that same version of chromium 
successfully builds.


I'll be investigating further to see if I can figure out whether the problem is a bug in chromium, 
gn, or ninja (and reassign accordingly if necessary). But in the meantime, I don't think it's a 
good idea for ninja-build to migrate to trixie just yet (hence the severity).


This looks like https://issues.chromium.org/issues/336911498

Felix



Bug#1057428: libseccomp ftbfs on i386

2023-12-04 Thread Felix Geyer

On 04.12.23 22:03, Matthias Klose wrote:

Package: src:libseccomp
Version: 2.5.4-2
Severity: serious
Tags: sid trixie
User: debian-pyt...@lists.debian.org
Usertags: python3.12

libseccomp ftbfs on i386. probably not related to Python 3.12, but blocks the 
addition of Python 3.12


Seems like glibc 2.37-13 broke valgrind on i386:
https://ci.debian.net/packages/v/valgrind/testing/i386/40527816/



Bug#1052785: marked as pending in golang-github-jinzhu-now

2023-10-05 Thread Felix Geyer
Control: tag -1 pending

Hello,

Bug #1052785 in golang-github-jinzhu-now reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/go-team/packages/golang-github-jinzhu-now/-/commit/fa9084aa580db10460f67684db88818ccbc0


Build-depend on tzdata-legacy (or older tzdata version)

Closes: #1052785


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1052785



Bug#1052787: marked as pending in golang-github-mattn-go-sqlite3

2023-10-04 Thread Felix Geyer
Control: tag -1 pending

Hello,

Bug #1052787 in golang-github-mattn-go-sqlite3 reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/go-team/packages/golang-github-mattn-go-sqlite3/-/commit/448a02fa5fd798dc833f99524a7bc2055f72890e


Build-depend on tzdata-legacy (or older tzdata version)

Closes: #1052787


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1052787



Bug#1052819: marked as pending in golang-github-mattn-go-runewidth

2023-10-04 Thread Felix Geyer
Control: tag -1 pending

Hello,

Bug #1052819 in golang-github-mattn-go-runewidth reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/go-team/packages/golang-github-mattn-go-runewidth/-/commit/3839ff3b053316621d85b16a488357ec693ea2b0


Fix building with unicode data 15.1.0

Closes: #1052819


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1052819



Bug#1003044: marked as pending in python-dateutil

2023-03-17 Thread Felix Geyer
Control: tag -1 pending

Hello,

Bug #1003044 in python-dateutil reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/python-team/packages/python-dateutil/-/commit/963b19f968769247a62604bd0582131dc11d3329


Don't fall back on bundled zoneinfo database

Closes: #1003044


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1003044



Bug#1003044: internal 'getzoneinfofile_stream' method emits a warning message

2023-03-05 Thread Felix Geyer

On Sun, 05 Mar 2023 18:50:06 +0100 Arnout Vandecappelle wrote:

This still fails to address the original issue: an irrelevant warning is 
printed when performing a fairly mundane thing (requesting a nonexistent 
timezone).


That part could be easily fixed. We can just remove the fallback from dateutil.tz.gettz() to 
get_zonefile_instance() since we know that the system database is available.



I repeat: I don't think anyone really wants to use the bundled database.


That's probably true but there are direct users of the dateutil.zoneinfo API which intrinsically 
uses the bundled database.


For example within Debian packages:
https://sources.debian.org/src/python-hypothesis/6.67.1-1/hypothesis-python/src/hypothesis/extra/dateutil.py/?hl=56#L56
https://sources.debian.org/src/python-sqlalchemy-utils/0.38.2-2/sqlalchemy_utils/types/timezone.py/?hl=44#L44

These are currently broken. Just silencing the warning will leave them broken.

We could patch the implementation to use the system database but that means deviating from the 
upstream behavior and carrying that patch forever.

The API even includes the metadata dictionary that would have to be faked as 
well:
https://sources.debian.org/src/python-dateutil/2.8.2-1/dateutil/zoneinfo/__init__.py/#L46

Therefore shipping the bundled zoneinfo tarball seems like the better solution 
to me.
The timezone database is clearly DFSG-free. We would have to repackage the upstream tarball to 
include the timezone database source though.

Thankfully upstream ships the script to (re-)generate the zoneinfo tarball.

Felix



Bug#1003044: python3-dateutil: python_dateutil get_zonefile_instance functionality is broken (no zoneinfo found)

2023-02-21 Thread Felix Geyer

On 21.02.23 20:46, Sandro Tosi wrote:

it produces output on stderr, which many tools consider it an error
and fails build.


When raising the severity of a bug to grave I would expect some concrete details
on what exactly is broken instead of a hand-wavy "breaks some stuff".
But anyway let's focus on the issue.


dateutil.zoneinfo really shouldn't be used directly and I don't see any


can you back this quote please? zoneinfo is part of the public API,
and just breaking it (via the removal of the zonefile) and say not to
use it is going in the wrong direction.


https://dateutil.readthedocs.io/en/stable/zoneinfo.html#dateutil.zoneinfo.gettz
has a warning that you shouldn't use it.
For get_zonefile_instance() it only says "using the data provided by the
dateutil package". This implies that the data is outdated most of the time
since it's rarely updated. Unfortunately that's not clearly stated.

Of course it's part of the public API. Unfortunately its design leaves us only
with bad options.


I guess we have two options if we want to change the current behavior:
1) Ship the outdated tzdata tarball even though nothing should really use it.
2) Add a patch to remove the dateutil.zoneinfo fallback.


i think you're missing

3) fix dateutil.zoneinfo to use a system-available zone info file


It wouldn't be fixing it since the sole purpose of this API is to use the
bundled timezone database instead of the potentially absent (from a general POV,
of course the Debian package depends on tzdata) system timezone database.

I'm inclined to just ship the bundled timezone database with the package:

- We wouldn't have to permanently patch the code.
- dateutil consumers that just want accurate timezone information are supposed
  to use dateutil.tz.gettz() which already prefers the system database.
- Direct dateutil.zoneinfo users kind of opted into receiving outdated timezone
  information.

Felix



Bug#1003044: python3-dateutil: python_dateutil get_zonefile_instance functionality is broken (no zoneinfo found)

2023-01-29 Thread Felix Geyer

On Sat, 7 Jan 2023 03:34:19 -0500 Sandro Tosi  wrote:

> python-dateutil expects to have 'dateutil-zoneinfo.tar.gz' in its directory
> tree, but this file is removed in the packaging.
>
> Error:
> "/usr/lib/python3/dist-packages/dateutil/zoneinfo/__init__.py:26: UserWarning:
> I/O error(2): Datei oder Verzeichnis nicht gefunden
>   warnings.warn("I/O error({0}): {1}".format(e.errno, e.strerror))"
>
> Using: "matplotlib.dates import DateFormatter"

indeed this is breaking matplotlib, thus the grave severity. it needs
to be addressed for bookworm


How exactly does this break matplotlib?
dateutil.zoneinfo really shouldn't be used directly and I don't see any
reference to it in the matplotlib code.

dateutil.tz prefers the system timezone database so you should see this
warning only when trying to use a non-existent timezone.
Even then it is just a warning, not an exception that is thrown.

>>> import dateutil.tz
>>> dateutil.tz.gettz('UTC')
tzfile('/usr/share/zoneinfo/UTC')
>>> dateutil.tz.gettz('foo')
/usr/lib/python3/dist-packages/dateutil/zoneinfo/__init__.py:26: UserWarning: I/O error(2): No such file or directory
  warnings.warn("I/O error({0}): {1}".format(e.errno, e.strerror))


I guess we have two options if we want to change the current behavior:
1) Ship the outdated tzdata tarball even though nothing should really use it.
2) Add a patch to remove the dateutil.zoneinfo fallback.



Bug#1024037: marked as pending in pytaglib

2022-11-14 Thread Felix Geyer
Control: tag -1 pending

Hello,

Bug #1024037 in pytaglib reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/python-team/packages/pytaglib/-/commit/f93efe9d20556aa37c1485ff029343f77959d84e


Regenerate cython files.

* Regenerate cython files.
  - Fixes FTBFS with Python 3.11 (Closes: #1024037)


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1024037



Bug#1023959: python-crc32c ftbfs on arm64

2022-11-13 Thread Felix Geyer

On Sun, 13 Nov 2022 09:10:37 +0100 Matthias Klose  wrote:

Package: src:python-crc32c
Version: 2.3-1
Severity: serious
Tags: sid bookworm ftbfs
User: debian-pyt...@lists.debian.org
Usertag: python3.11

[...]
In file included from crc32c_arm64.c:22:
/usr/lib/gcc/aarch64-linux-gnu/12/include/arm_acle.h: In function 
‘_crc32c_hw_arm64’:
/usr/lib/gcc/aarch64-linux-gnu/12/include/arm_acle.h:197:1: error: inlining 
failed in call to ‘always_inline’ ‘__crc32cd’: target specific option mismatch

   197 | __crc32cd (uint32_t __a, uint64_t __b)
   | ^
crc32c_arm64.c:91:12: note: called from here
91 | crc ^= __crc32cd(0, t0);
   |^~~~




The upstream build system adds -march=armv8-a+crc+crypto to the compiler flags
if it's built on arm.
It detects this by checking if sysconfig.get_platform() contains one of
'aarch64_be', 'aarch64', 'armv8b', 'armv8l', 'universal2'.

However pybuild passes $DEB_HOST_ARCH (the Debian architecture name) in _PYTHON_HOST_PLATFORM:
https://salsa.debian.org/python-team/tools/dh-python/-/blob/42fc6aba/pybuild#L84

Because of this sysconfig.get_platform() returns linux-arm64 instead of the expected
linux-aarch64 on arm64 and -march isn't passed to the compiler.

This seems like questionable behavior of pybuild. No software would expect to find
the Debian architecture name in get_platform() instead of the kernel architecture name.
There is already special casing for amd64 -> x86_64 but it really needs to do this
for all architectures where both don't match.

Felix



Bug#1023912: marked as pending in python-uinput

2022-11-13 Thread Felix Geyer
Control: tag -1 pending

Hello,

Bug #1023912 in python-uinput reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/python-team/packages/python-uinput/-/commit/c58022a9a69325ec219408057c568f1674034c56


Support Python 3.11

Closes: #1023912


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1023912



Bug#997366: speedcrunch: FTBFS: TypeError: 'SpeedCrunchSessionLexer' object is not callable

2022-10-29 Thread Felix Geyer

Control: tags -1 patch
Control: tags -1 pending

On Sat, 23 Oct 2021 21:41:50 +0200 Lucas Nussbaum  wrote:

Source: speedcrunch
Version: 0.12.0-5
Severity: serious
Justification: FTBFS
Tags: bookworm sid ftbfs

Hi,

During a rebuild of all packages in sid, your package failed to build
on amd64.


I've prepared a fix for building against Sphinx >= 4 and uploaded it to 
DELAYED/5.
Please feel free to tell me if I should cancel it. The debdiff is attached.

Felix

diff -Nru speedcrunch-0.12.0/debian/changelog 
speedcrunch-0.12.0/debian/changelog
--- speedcrunch-0.12.0/debian/changelog 2020-04-19 14:13:08.0 +0200
+++ speedcrunch-0.12.0/debian/changelog 2022-10-29 09:59:26.0 +0200
@@ -1,3 +1,11 @@
+speedcrunch (0.12.0-5.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix docs build with Sphinx >= 4. (Closes: #997366)
+- Add 0007-fix-docs-build-with-Sphinx-4.patch
+
+ -- Felix Geyer   Sat, 29 Oct 2022 09:59:26 +0200
+
 speedcrunch (0.12.0-5) unstable; urgency=medium
 
   * d/patches, d/control: fix docs build with Sphinx >= 2.0
diff -Nru 
speedcrunch-0.12.0/debian/patches/0007-fix-docs-build-with-Sphinx-4.patch 
speedcrunch-0.12.0/debian/patches/0007-fix-docs-build-with-Sphinx-4.patch
--- speedcrunch-0.12.0/debian/patches/0007-fix-docs-build-with-Sphinx-4.patch   
1970-01-01 01:00:00.0 +0100
+++ speedcrunch-0.12.0/debian/patches/0007-fix-docs-build-with-Sphinx-4.patch   
2022-10-29 09:59:26.0 +0200
@@ -0,0 +1,33 @@
+Description: Fix FTBFS with Sphinx >= 4
+
+Pass the type instead of an instance to add_lexer().
+
+> Sphinx.add_lexer():
+> Take a lexer class as an argument.
+> An instance of lexers are still supported until Sphinx-3.x.
+
+--- speedcrunch-0.12.0.orig/doc/src/extensions/sc_lexer.py
 speedcrunch-0.12.0/doc/src/extensions/sc_lexer.py
+@@ -108,16 +108,18 @@ class SpeedCrunchSessionLexer(SpeedCrunc
+ ]
+ }
+ 
++def __init__(self):
++super().__init__(stripnl=False)
++self.add_filter('raiseonerror')
++
+ 
+ __all__ = ['SpeedCrunchLexer', 'SpeedCrunchSessionLexer']
+ 
+ 
+ # Sphinx extension interface
+ def setup(app):
+-sc_lexer = SpeedCrunchSessionLexer(stripnl=False)
+-sc_lexer.add_filter('raiseonerror')
+-app.add_lexer('sc', sc_lexer)
+-app.add_lexer('speedcrunch', sc_lexer)
++app.add_lexer('sc', SpeedCrunchSessionLexer)
++app.add_lexer('speedcrunch', SpeedCrunchSessionLexer)
+ return {
+ 'version': '0.1',
+ 'parallel_read_safe': True,
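Review bot: the new `__init__(self)` on `SpeedCrunchSessionLexer` accepts no arguments, so now that the class rather than an instance is passed to `app.add_lexer()`, whoever instantiates it cannot hand over any lexer options without a TypeError, and `stripnl=False` can no longer be overridden. Suggest `def __init__(self, **options):` with `options.setdefault('stripnl', False)` before `super().__init__(**options)`, keeping the `add_filter('raiseonerror')` call. The patch header also carries only a Description; an Author line and a Bug-Debian reference to #997366 would help whoever has to carry or forward this patch later.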
diff -Nru speedcrunch-0.12.0/debian/patches/series 
speedcrunch-0.12.0/debian/patches/series
--- speedcrunch-0.12.0/debian/patches/series2020-04-19 11:13:12.0 
+0200
+++ speedcrunch-0.12.0/debian/patches/series2022-10-29 09:59:14.0 
+0200
@@ -4,3 +4,4 @@
 0004-Replace-the-REBUILD_MANUAL-option-with-a-path.patch
 0005-docs-fix-docs-build-with-Sphinx-2.0.patch
 0006-Use-CMake-s-CXX_STANDARD-property.patch
+0007-fix-docs-build-with-Sphinx-4.patch


Bug#994285: libseccomp: FTBFS on arm64, armhf, mips64el and mipsel

2021-09-30 Thread Felix Geyer

Hi,

On 30.09.21 08:40, Johannes Schauer Marin Rodrigues wrote:

Hi Felix,

On Fri, 17 Sep 2021 07:15:16 +0200 Johannes Schauer Marin Rodrigues wrote:

you set the upstream bug to https://github.com/seccomp/libseccomp/issues/336
but I don't think that is correct. The failures is not the same for the
different architectures. mipsel fails different than arm64. I bisected
upstream git on both architectures and found out that the arm64 failure was
introduced in aa0f858 and the mipsel failure comes from e976080.

I contacted upstream about that here:
https://github.com/seccomp/libseccomp/issues/338


the problem has now been present in unstable for three weeks. This is blocking
my work. Could we revert the offending commits or at least set a deadline up to
how long we want to wait for upstream to fix this issue?

I'm willing to put work into an NMU in case you don't have the time right now.


I've prepared a revert of the problematic commits in the git repo.

So far I've tested amd64 build+autopkgtest and mipsel build, no issues yet.

Cheers,
Felix



Bug#950688: boost1.71: python autopkgtest fails

2020-02-04 Thread Felix Geyer

Source: boost1.71
Version: 1.71.0-5
Severity: serious

The boost1.71 python autopkgtest fails with cmake >= 3.16 because the python
include path isn't added correctly.

In debian/tests/srcs/python/CMakeLists.txt the variable Python_INCLUDE_DIR
is used but the correct variable is Python_INCLUDE_DIRS (S at the end).

I'm not quite sure why this worked before but Python_INCLUDE_DIR isn't part
of the documented FindPython interface. See:
https://cmake.org/cmake/help/v3.15/module/FindPython.html

Filing as serious since it blocks cmake migrating to testing.

Cheers,
Felix



Bug#945489: llvm-toolchain-9: autopkgtest needs update for new version of cmake: fails on warning

2019-12-07 Thread Felix Geyer
Hi LLVM maintainers,

On Mon, 25 Nov 2019 21:59:48 +0100 Paul Gevers  wrote:
> Source: llvm-toolchain-9
> Version: 1:9.0.0-3
> Severity: serious
> X-Debbugs-CC: debian...@lists.debian.org, cm...@packages.debian.org
> Tags: sid bullseye
> User: debian...@lists.debian.org
> Usertags: needs-update
> Control: affects -1 src:cmake
> 
> Dear maintainers,
> 
> With a recent upload of cmake the autopkgtest of llvm-toolchain-9 fails
> in testing when that autopkgtest is run with the binary packages of
> cmake from unstable. It passes when run with only packages from testing.
> In tabular form:

I'd really appreciate an upload to unstable to fix this since it blocks
testing migration of cmake.

Cheers,
Felix



Bug#944892: oce: autopkgtest fails due to broken CMakeLists.txt

2019-11-17 Thread Felix Geyer
Source: oce
Version: 0.18.2-3
Severity: serious

The oce autopkgtest fails since cmake 3.15 entered unstable:

> CMake Warning (dev) in CMakeLists.txt:
>   No project() command is present.  The top-level CMakeLists.txt file must
>   contain a literal, direct call to the project() command.  Add a line of
>   code such as
>
> project(ProjectName)
>
>   near the top of the file, but after cmake_minimum_required().
>
>   CMake is pretending there is a "project(Project)" command on the first
>   line.

https://ci.debian.net/data/autopkgtest/testing/amd64/o/oce/3434170/log.gz

Corresponding cmake documentation:
https://cmake.org/cmake/help/v3.16/command/project.html#usage

Note that this isn't a new requirement but cmake just started to print a
warning.

Filing as serious since this blocks cmake migration to testing.



Bug#944893: wslay: autopkgtest fails due to broken CMakeLists.txt

2019-11-17 Thread Felix Geyer
Source: wslay
Version: 1.1.0-1
Severity: serious

The wslay autopkgtest fails since cmake 3.15 entered unstable:

> CMake Warning (dev) in CMakeLists.txt:
>   No project() command is present.  The top-level CMakeLists.txt file must
>   contain a literal, direct call to the project() command.  Add a line of
>   code such as
>
> project(ProjectName)
>
>   near the top of the file, but after cmake_minimum_required().
>
>   CMake is pretending there is a "project(Project)" command on the first
>   line.
> This warning is for project developers.  Use -Wno-dev to suppress it.

https://ci.debian.net/data/autopkgtest/testing/amd64/w/wslay/3434172/log.gz

Corresponding cmake documentation:
https://cmake.org/cmake/help/v3.16/command/project.html#usage

Note that this isn't a new requirement but cmake just started to print a
warning.

Filing as serious since this blocks cmake migration to testing.



Bug#942179: marked as pending in pyudev

2019-10-14 Thread Felix Geyer
Control: tag -1 pending

Hello,

Bug #942179 in pyudev reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/python-team/modules/pyudev/commit/23dfb71eb035b9ed2000217f485cbfd60f9eb0ea


Backport upstream patches to fix compatibility with pytest 4.6.

Closes: #942179


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/942179



Bug#941674: gnome-shell-extension-dashtodock: Not working

2019-10-07 Thread Felix Geyer

Control: tags -1 + fixed-upstream

On Thu, 03 Oct 2019 19:10:50 +0200 Domenico Cufalo  wrote:

Package: gnome-shell-extension-dashtodock
Version: 66-1
Severity: grave
Justification: renders package unusable

Dear Maintainer,

   * What led up to the situation?

Latest upgrade to Gnome 3.34


Upstream has released version 67 that is compatible with Gnome 3.34.



Bug#941892: gnome-shell-extension-suspend-button: broken with gnome 3.34

2019-10-07 Thread Felix Geyer

Package: gnome-shell-extension-suspend-button
Version: 0~git20180827-2
Severity: serious
Tags: fixed-upstream

The suspend button extension fails to load on Gnome 3.34, making it 
completely unusable:


JS WARNING: [/usr/share/gnome-shell/extensions/suspend-button@laserb/extension.js 165]: reference to undefined property "_actionsItem"
Extension "suspend-button@laserb" had error: TypeError: this.systemMenu._actionsItem is undefined


This has already been fixed in the upstream git repo:

https://github.com/laserb/gnome-shell-extension-suspend-button/commit/1c111de98b6caf87681e60e96ce22d32036ae002



Bug#934905: libaqbanking35: libaqbanking not ready for PSD2, will not work after 14 September 2019

2019-09-01 Thread Felix Geyer

On 25.08.19 13:33, Felix Geyer wrote:

Hi Micha,

On Mon, 19 Aug 2019 20:19:28 +0200 Micha Lenk  wrote:

Hi Christian,

I understand your bug report and confirm it to be an issue.

Unfortunately I don't have much capacity at the moment to work on an updated package in a timely 
manner. But I do appreciate and support any volunteer's help.


I've tested libaqbanking 5.8.1 in combination with gnucash 3.6 + patch for the registration key.
It seems to work fine, at least the unregistered software warning from the log is gone.

The only packaging changes are some new entries in the symbols file (diff attached).
Do you mind if I NMU 5.8.1 to unstable?


I've uploaded version 5.8.2 to DELAYED/2 now.

Cheers,
Felix



Bug#875133: marked as pending in qca2

2019-08-26 Thread Felix Geyer
Control: tag -1 pending

Hello,

Bug #875133 in qca2 reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/qt-kde-team/extras/qca2/commit/c9f84f89eaf8fef0b55d8bfb788378460fca87df


Stop building packages for Qt 4.

Closes: #875133


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/875133



Bug#934905: libaqbanking35: libaqbanking not ready for PSD2, will not work after 14 September 2019

2019-08-25 Thread Felix Geyer

Hi Micha,

On Mon, 19 Aug 2019 20:19:28 +0200 Micha Lenk  wrote:

Hi Christian,

I understand your bug report and confirm it to be an issue.

Unfortunately I don't have much capacity at the moment to work on an 
updated package in a timely manner. But I do appreciate and support any 
volunteer's help.


I've tested libaqbanking 5.8.1 in combination with gnucash 3.6 + patch for the registration key.
It seems to work fine, at least the unregistered software warning from the log is gone.

The only packaging changes are some new entries in the symbols file (diff attached).
Do you mind if I NMU 5.8.1 to unstable?

Cheers,
Felix
diff --color -Nur libaqbanking-5.7.8/debian/libaqbanking35.symbols aqbanking-5.8.1/debian/libaqbanking35.symbols
--- libaqbanking-5.7.8/debian/libaqbanking35.symbols	2019-01-01 16:17:58.0 +0100
+++ aqbanking-5.8.1/debian/libaqbanking35.symbols	2019-08-25 11:35:28.119248252 +0200
@@ -80,6 +80,8 @@
  AB_AccountStatus_fromDb@Base 4.0.0
  AB_AccountStatus_new@Base 4.0.0
  AB_AccountStatus_toDb@Base 4.0.0
+ AB_AccountType_fromChar@Base 5.8.1
+ AB_AccountType_toChar@Base 5.8.1
  AB_Account_GetAccountName@Base 4.0.0
  AB_Account_GetAccountNumber@Base 4.0.0
  AB_Account_GetAccountType@Base 4.0.0
@@ -480,6 +482,10 @@
  AB_Banking_MakeGermanIban@Base 5.2.0beta
  AB_Banking_OnlineFini@Base 4.0.0
  AB_Banking_OnlineInit@Base 4.0.0
+ AB_Banking_RuntimeConfig_GetCharValue@Base 5.8.1
+ AB_Banking_RuntimeConfig_GetIntValue@Base 5.8.1
+ AB_Banking_RuntimeConfig_SetCharValue@Base 5.8.1
+ AB_Banking_RuntimeConfig_SetIntValue@Base 5.8.1
  AB_Banking_SaveAccountConfig@Base 4.2.0
  AB_Banking_SaveAppConfig@Base 4.0.0
  AB_Banking_SaveLocalImExporterProfile@Base 4.2.6
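Review bot: the `AB_Banking_RuntimeConfig_*` additions here, like the `AB_AccountType_*` ones in the previous hunk, are pure additions at `5.8.1`, and nothing in the diff shows the result of checking the existing entries against the new library. Since the file keeps the `libaqbanking35` name, please state in the mail whether the 5.8.1 build's dpkg-gensymbols output was free of missing-symbol reports.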


Bug#932882: python3-pyroute2: /usr/bin/ss2 shipped in both packages

2019-07-24 Thread Felix Geyer
Package: python3-pyroute2
Version: 0.5.4-1
Severity: serious

/usr/bin/ss2 is shipped in python-pyroute2 and python3-pyroute2 without any
kind of Conflicts/Replaces resulting in an error when trying to install
both packages:

> Preparing to unpack .../10-python-pyroute2_0.5.4-1_all.deb ...
> Unpacking python-pyroute2 (0.5.4-1) over (0.5.2-1) ...
> Preparing to unpack .../11-python3-pyroute2_0.5.4-1_all.deb ...
> Unpacking python3-pyroute2 (0.5.4-1) over (0.5.2-1) ...
> dpkg: error processing archive 
> /tmp/apt-dpkg-install-0jYnUK/11-python3-pyroute2_0.5.4-1_all.deb (--unpack):
>  trying to overwrite '/usr/bin/ss2', which is also in package python-pyroute2 
> 0.5.4-1
> dpkg-deb: error: paste subprocess was killed by signal (Broken pipe)

Cheers,
Felix



Bug#924609: Bug#924610: Bug#924609: Ports of CVE patches from Debian LTS for libsdl1.2

2019-04-29 Thread Felix Geyer

Hi,

On 24.04.19 21:33, Salvatore Bonaccorso wrote:

Hi Kari,

On Wed, Apr 24, 2019 at 07:15:44PM +0300, Kari Pahula wrote:

Hi.

I've ported the CVE patches from Debian LTS for libsdl1.2 in unstable.

First thanks for working on the issues!

I have not reviewed your patches, but just a remark. Never just
forward-port a patchset from an older suite to newer (although the
version is identical here).

Furthermore as Moritz pointed out, at time of writing the bugreport,
only some of the bugs got patches, but not all were merged upstream,
several of the CVEs got later on upstream patches rather than
previously linked ones from the bugzilla.  We should base the upload
based on the current upstream patches which by now should be complete
(but double check the updated references in the security-tracker).



Unfortunately there are still some bug reports without merged fixes.
I've kept the Debian security tracker up-to-date in this regard
(the CVEs with committed patches have a link to them).

Felix



Bug#923420: coreutils: mv broken when file system doesn't support RENAME_NOREPLACE

2019-02-27 Thread Felix Geyer
Package: coreutils
Version: 8.30-2
Severity: serious

Hi,

With those distro patches from version 8.30-2 mv fails on filesystems that don't
support the renameat2 RENAME_NOREPLACE flag.
I noticed this because coreutils 8.30-2 breaks autopkgtest with the qemu runner
which calls mv on a 9p filesystem.

renameatu.patch is the offender as it only changes renameat2() calls to renameatu()
in lib/ but not in src/.
As a result some tools call the glibc renameat2() instead of the gnulib one which
has appropriate fallbacks.
I haven't checked what other tools are exactly affected (calls are in mv.c, shred.c
and copy.c).

After an extended debugging session,
Felix
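
The failure mode described in the report above, as an added example that is not code from coreutils, gnulib or the bug report: a wrapper that tries renameat2() with RENAME_NOREPLACE and emulates the flag when the filesystem rejects it, next to a stand-in for a filesystem without support. The names rename_noreplace, unsupported_rename2 and demo are hypothetical, and treating EINVAL, ENOSYS and ENOTSUP as "flag unsupported" is an assumption of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef RENAME_NOREPLACE
#define RENAME_NOREPLACE (1 << 0)
#endif

/* A rename primitive that takes renameat2()-style flags. */
typedef int (*rename2_fn)(const char *src, const char *dst, unsigned int flags);

/* The real system call, so the demo does not depend on a libc wrapper. */
static int sys_rename2(const char *src, const char *dst, unsigned int flags)
{
#ifdef SYS_renameat2
    return (int)syscall(SYS_renameat2, AT_FDCWD, src, AT_FDCWD, dst, flags);
#else
    (void)src; (void)dst; (void)flags;
    errno = ENOSYS;
    return -1;
#endif
}

/* Constructed stand-in for a filesystem that rejects the flag.
 * EINVAL is an assumption of this example, not taken from the report. */
static int unsupported_rename2(const char *src, const char *dst, unsigned int flags)
{
    (void)src; (void)dst; (void)flags;
    errno = EINVAL;
    return -1;
}

/* Rename src to dst without replacing an existing dst.
 * Returns 0 on success, -1 with errno set (EEXIST if dst is present).
 * *fell_back is set to 1 when the emulation path was used. */
int rename_noreplace(rename2_fn primitive, const char *src, const char *dst,
                     int *fell_back)
{
    struct stat st;

    *fell_back = 0;
    if (primitive(src, dst, RENAME_NOREPLACE) == 0)
        return 0;
    if (errno != EINVAL && errno != ENOSYS && errno != ENOTSUP)
        return -1;               /* genuine failure such as EEXIST or ENOENT */

    /* Emulation: check, then plain rename(). This is not atomic; another
     * process can create dst between the lstat() and the rename(). */
    *fell_back = 1;
    if (lstat(dst, &st) == 0) {
        errno = EEXIST;
        return -1;
    }
    if (errno != ENOENT)
        return -1;
    return rename(src, dst);
}

static int write_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    fputs(text, f);
    return fclose(f);
}

static int first_byte(const char *path)
{
    FILE *f = fopen(path, "r");
    int c;
    if (!f)
        return -1;
    c = fgetc(f);
    fclose(f);
    return c;
}

/* One scenario in a fresh temporary directory (constructed sample files).
 * Returns 0 if the rename succeeded, the errno value if it failed,
 * -1 on setup problems, -2 if an existing destination was clobbered. */
int demo(rename2_fn primitive, int dst_exists, int *fell_back)
{
    char dir[] = "/tmp/noreplace-XXXXXX";
    char src[64], dst[64];
    int rc, err = 0;

    if (!mkdtemp(dir))
        return -1;
    snprintf(src, sizeof src, "%s/src", dir);
    snprintf(dst, sizeof dst, "%s/dst", dir);
    if (write_file(src, "new\n") != 0)
        return -1;
    if (dst_exists && write_file(dst, "old\n") != 0)
        return -1;

    rc = rename_noreplace(primitive, src, dst, fell_back);
    if (rc != 0)
        err = errno;
    if (dst_exists && (first_byte(dst) != 'o' || access(src, F_OK) != 0))
        err = -2;
    unlink(src);
    unlink(dst);
    rmdir(dir);
    return err;
}

int main(void)
{
    int fb;
    printf("kernel, free dst:        %d\n", demo(sys_rename2, 0, &fb));
    printf("kernel, existing dst:    %d\n", demo(sys_rename2, 1, &fb));
    printf("no flag support, free:   %d (fell back: %d)\n",
           demo(unsupported_rename2, 0, &fb), fb);
    return 0;
}
```

A caller that invokes the primitive directly, without such a wrapper, sees the EINVAL from unsupported_rename2 as a hard failure, which is the behaviour the report attributes to the tools in src/.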



Bug#915148: [Pkg-cmake-team] Bug#915148: cmake: regression in ros-ros-comm build

2018-12-01 Thread Felix Geyer

Hi,

On 01.12.18 06:31, Gianfranco Costamagna wrote:

Package: cmake
Version: 3.13.1-1
Severity: serious
Affects: ros-ros-comm

A simple ros-ros-comm rebuild now fails with the new cmake in unstable,
due to lpthread not being found as target.
I don't know if catkin is to blame, or something else, but clearly the
old cmake in testing is not having issues.

I'm opening this bug to prevent testing migration, until the problem is
sorted out (in one way or the other)
snip of the failure:

-- Using CATKIN_TEST_RESULTS_DIR: 
/<>/ros-ros-comm-1.14.3+ds1/obj-x86_64-linux-gnu/test_results
-- Found gtest: gtests will be built
-- nosetests not found, Python tests can not be run (try installing package 
'python-nose')
-- catkin 0.7.14
-- Boost version: 1.67.0
-- Found the following Boost libraries:
--   system
--   thread
--   chrono
--   date_time
--   atomic
CMake Error at 
obj-x86_64-linux-gnu/devel/share/rostest/cmake/rostestConfig.cmake:146 
(message):
   Project 'rostest' tried to find library '-lpthread'.  The library is
   neither a target nor built/installed properly.  Did you compile project
   'rostest'? Did you find_package() it before the subdirectory containing its
   code is included?
Call Stack (most recent call first):
   /usr/share/catkin/cmake/catkinConfig.cmake:87 (find_package)
   tools/rostest/CMakeLists.txt:23 (find_package)


-- Configuring incomplete, errors occurred!
See also 
"/<>/ros-ros-comm-1.14.3+ds1/obj-x86_64-linux-gnu/CMakeFiles/CMakeOutput.log".
See also 
"/<>/ros-ros-comm-1.14.3+ds1/obj-x86_64-linux-gnu/CMakeFiles/CMakeError.log".
cd obj-x86_64-linux-gnu && tail -v -n \+0 CMakeCache.txt
==> CMakeCache.txt <==


This problem occurs since my commit adds ${CMAKE_THREAD_LIBS_INIT} ("-lpthread") to
Boost_LIBRARIES when needed:
https://gitlab.kitware.com/cmake/cmake/commit/bd831ed0948a1e99f573f0056f2bee5d3b21009e

ros-catkin iterates over dependency libraries (Boost_LIBRARIES among other things) and does this:
https://sources.debian.org/src/ros-catkin/0.7.14-7/cmake/templates/pkgConfig.cmake.in/#L118

Until my commit Boost_LIBRARIES only contained absolute paths to boost libraries so that code
just passes them on. For the "-lpthread" case it calls find_library(... "-lpthread") which fails.

Adding something like this would probably fix it:
>   elseif(${library} MATCHES "^-l")
>     list(APPEND @PROJECT_NAME@_LIBRARIES ${library})

CCing Brad, maybe you could comment if ros-catkin should expect -l... entries there or FindBoost
needs to be changed?

Cheers,
Felix



Bug#915039: CVE-2018-19516: HTML email can open browser window automatically

2018-11-29 Thread Felix Geyer
Source: kf5-messagelib
Version: 4:18.08.1-1
Severity: grave
Tags: upstream security

Hi,

KDE published the following security advisory (CVE-2018-19516):

> messagelib by default displays emails as plain text, but gives the user
> an option to "Prefer HTML to plain text" in the settings and if that option
> is not enabled there is way to enable HTML display when an email contains 
> HTML.
>
> Some HTML emails can trick messagelib into opening a new browser window when
> displaying said email as HTML.
>
> This happens even if the option to allow the HTML emails to access
> remote servers is disabled in KMail settings.
>
> This means that the owners of the servers referred in the email can see
> in their access logs your IP address.

https://www.kde.org/info/security/advisory-20181128-1.txt

Cheers,
Felix



Bug#905140: [Pkg-cmake-team] Bug#905140: Bug #905140 in cmake marked as pending

2018-08-09 Thread Felix Geyer

Hi,

On 09.08.2018 22:38, Svante Signell wrote:

Hello,

What about the bugs with patches, e.g. for Hurd and kFreeBSD. Still
somebody needs to NMU this package... You don't seem interested in
fixing bugs to your package, except RC ones.

Not the ideal way Debian maintainers should work with their packages...


Instead of making wild accusations I suggest that instead you respond
to questions on bugs you opened.
I'm not interested in maintaining patches for things that clearly belong 
upstream.
Once upstream has reviewed the changes I'm happy to cherry-pick them.

#905138 on 2018-08-01:

Have you forwarded your non-packaging changes upstream to cmake / libuv
(#905140 is already fixed in 3.12)?
I really don't want to carry those as patches.


The same applies to #900240

Cheers,
Felix



Bug#905140: Bug #905140 in cmake marked as pending

2018-08-09 Thread Felix Geyer
Control: tag -1 pending

Hello,

Bug #905140 in cmake reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/cmake-team/cmake/commit/12de5624a18704f1a9d7368a3267b7dddea0b3ec


New upstream release.

Fixes FTBFS with recent version of libuv1. (Closes: #905140)



(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/905140



Bug#896914: quassel: Implement custom deserializer to add our own sanity checks

2018-04-25 Thread Felix Geyer
Hi,

On Wed, 25 Apr 2018 20:58:52 +0200 Salvatore Bonaccorso  
wrote:
> Source: quassel
> Version: 1:0.12.4-1
> Severity: normal
> Tags: patch security upstream
> Control: fixed -1 1:0.12.5-1
> 
> Hi Felix,
> 
> Filing this as bug to have an identifier, since no CVE has been
> assigned.
> 
> https://www.quassel-irc.org/node/130
> 
> Commit "Implement custom deserializer to add our own sanity checks":
> 
> https://github.com/quassel/quassel/commit/18389a713a6810f57ab237b945e8ee03df857b8b

I'm working on updates for jessie and stretch.

Backporting to stretch is easy.
jessie requires a bit more work as the patch uses quite some C++11 features which
aren't enabled in 0.10.

Felix



Bug#891026: zfs-dkms: Incompatible with kernel 4.15

2018-02-21 Thread Felix Geyer
Package: zfs-dkms
Version: 0.7.5-1
Severity: serious

Hi,

Kernel 4.15 has just landed in unstable.
The zfs-linux 0.7.5 module fails to build against 4.15 and thus needs
to be updated to 0.7.6.

Please let me know if you need help updating the package.

Cheers,
Felix



Bug#878264: marked as done (libsdl2: CVE-2017-2888: Integer overflow while creating a new RGB surface)

2017-10-12 Thread Felix Geyer
Control: reopen -1

On 12.10.2017 19:36, Debian Bug Tracking System wrote:
> Upstream patch seem to be [1], but please note that this might not be
> enough, cf. https://bugzilla.redhat.com/show_bug.cgi?id=1500623#c2 .

Sorry I missed this, reopening the bug.

Felix



Bug#876654: prosody: incompatible lua-sec version as dependency of prosody in stable

2017-10-06 Thread Felix Geyer
Hi,

On Sun, 24 Sep 2017 16:16:59 +0200 Leah Oswald wrote:
> It seems that this bug occurs because the package lua5.1-sec that is a 
> dependency of prosody resolves to the lua-sec package with version 0.6-3
> in debian stretch. But lua-sec with version 0.6 isn't supported by 
> prosody 0.9.x. See: https://prosody.im/doc/depends
> 
> It seems this issue makes prosody mostly unusable for encrypted
> connections.

I don't think this analysis is correct. I've tested connecting prosody with jabber.ccc-mannheim.de
on stretch and captured the packets.
The two sides just can't agree on a TLS cipher/curve.

jabber.ccc-mannheim.de supports only ECDHE ciphers and the secp256r1 (aka prime256v1) curve.
Prosody by default allows only the secp384r1 curve.

You can verify this with:
openssl s_client -cipher ECDHE-RSA-AES128-GCM-SHA256 -curves prime256v1 -starttls xmpp-server -connect falster.c3ma.de:xmpp-server
works

openssl s_client -cipher ECDHE-RSA-AES128-GCM-SHA256 -curves secp384r1 -starttls xmpp-server -connect falster.c3ma.de:xmpp-server
fails

You can of course argue whether allowing only secp384r1 is a good default.

Felix



Bug#868639: [Pkg-cmake-team] Bug#868639: cmake: error while loading shared libraries: libcrypto.so.1.0.0

2017-07-17 Thread Felix Geyer
Hi,

On 17.07.2017 04:20, Augusto Fraga Giachero wrote:
> I've recently migrated my server from Debian 8 to Debian 9 and installed the 
> last version of cmake available to Debian Stretch.
> 
> Every time I invoke cmake a get as result:
> cmake: error while loading shared libraries: libcrypto.so.1.0.0: cannot open 
> shared object file: No such file or directory 
> 
> And it imediately closes.
> 
> It seems that this package has been compiled with an older version of libssl 
> than what is available in the Debian Stretch repository (libssl1.0.2 and 
> libssl1.1).

cmake doesn't link against libcrypto but transitively through libcurl.

Either the upgrade on your system has been interrupted in the middle or your 
system is modified in
some way.

In a clean stretch chroot cmake links against the following:

# ldd /usr/bin/cmake
linux-vdso.so.1 (0x7ffc8c1de000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x7f72615ef000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x7f72613d5000)
libarchive.so.13 => /usr/lib/x86_64-linux-gnu/libarchive.so.13 
(0x7f7261121000)
libcurl.so.4 => /usr/lib/x86_64-linux-gnu/libcurl.so.4 
(0x7f7260ea1000)
libjsoncpp.so.1 => /usr/lib/x86_64-linux-gnu/libjsoncpp.so.1 
(0x7f7260c6d000)
libuv.so.1 => /usr/lib/x86_64-linux-gnu/libuv.so.1 (0x7f7260a47000)
libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 
(0x7f72606c5000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 
(0x7f72604ae000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x7f726010f000)
/lib64/ld-linux-x86-64.so.2 (0x55b4020f3000)
libnettle.so.6 => /usr/lib/x86_64-linux-gnu/libnettle.so.6 
(0x7f725fed8000)
libacl.so.1 => /lib/x86_64-linux-gnu/libacl.so.1 (0x7f725fccf000)
liblzo2.so.2 => /lib/x86_64-linux-gnu/liblzo2.so.2 (0x7f725faab000)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x7f725f885000)
liblz4.so.1 => /usr/lib/x86_64-linux-gnu/liblz4.so.1 
(0x7f725f673000)
libbz2.so.1.0 => /lib/x86_64-linux-gnu/libbz2.so.1.0 
(0x7f725f463000)
libxml2.so.2 => /usr/lib/x86_64-linux-gnu/libxml2.so.2 
(0x7f725f0a8000)
libnghttp2.so.14 => /usr/lib/x86_64-linux-gnu/libnghttp2.so.14 
(0x7f725ee82000)
libidn2.so.0 => /usr/lib/x86_64-linux-gnu/libidn2.so.0 
(0x7f725ec5e000)
librtmp.so.1 => /usr/lib/x86_64-linux-gnu/librtmp.so.1 
(0x7f725ea41000)
libssh2.so.1 => /usr/lib/x86_64-linux-gnu/libssh2.so.1 
(0x7f725e815000)
libpsl.so.5 => /usr/lib/x86_64-linux-gnu/libpsl.so.5 
(0x7f725e607000)
libssl.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 
(0x7f725e39e000)
libcrypto.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.2 
(0x7f725df3a000)
libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 
(0x7f725dced000)
libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3 
(0x7f725da13000)
libk5crypto.so.3 => /usr/lib/x86_64-linux-gnu/libk5crypto.so.3 
(0x7f725d7e)
libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 
(0x7f725d5dc000)
liblber-2.4.so.2 => /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2 
(0x7f725d3cd000)
libldap_r-2.4.so.2 => /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2 
(0x7f725d17c000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 
(0x7f725cf5d000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x7f725cc59000)
librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x7f725ca51000)
libnsl.so.1 => /lib/x86_64-linux-gnu/libnsl.so.1 (0x7f725c839000)
libattr.so.1 => /lib/x86_64-linux-gnu/libattr.so.1 (0x7f725c634000)
libicui18n.so.57 => /usr/lib/x86_64-linux-gnu/libicui18n.so.57 
(0x7f725c1b8000)
libicuuc.so.57 => /usr/lib/x86_64-linux-gnu/libicuuc.so.57 
(0x7f725be1)
libicudata.so.57 => /usr/lib/x86_64-linux-gnu/libicudata.so.57 
(0x7f725a393000)
libunistring.so.0 => /usr/lib/x86_64-linux-gnu/libunistring.so.0 
(0x7f725a07c000)
libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30 
(0x7f7259ce3000)
libhogweed.so.4 => /usr/lib/x86_64-linux-gnu/libhogweed.so.4 
(0x7f7259aae000)
libgmp.so.10 => /usr/lib/x86_64-linux-gnu/libgmp.so.10 
(0x7f7259829000)
libgcrypt.so.20 => /lib/x86_64-linux-gnu/libgcrypt.so.20 
(0x7f725951a000)
libkrb5support.so.0 => /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 
(0x7f725930e000)
libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 
(0x7f725910a000)
libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 
(0x7f7258ef3000)
libsasl2.so.2 => /usr/lib/x86_64-linux-gnu/libsasl2.so.2 
(0x7f7258cd6000)
libp11-kit.so.0 => /usr/lib/x86_64-linux-gnu/libp11-kit.so.0 

Bug#868327: [Pkg-cmake-team] Bug#868327: Could NOT find Java: Found unsuitable version "..", but required is at

2017-07-17 Thread Felix Geyer
Control: severity -1 important

On 14.07.2017 16:26, Mathieu Malaterre wrote:
> Control: severity -1 serious
> 
> Since it fails on release archs, change severity (FTBFS):
> 
> https://buildd.debian.org/status/fetch.php?pkg=gdcm=ppc64el=2.8.0-1%7Eexp1=1500041681=log

Fortunately we don't make releases from experimental.

Felix



Bug#867514: [Pkg-cmake-team] Bug#867514: python2.7/cmake: find_package called with invalid argument "2.7.13+"

2017-07-17 Thread Felix Geyer
Control: reassign -1 libsolv 0.6.28-1
Control: notforwarded -1

On Tue, 11 Jul 2017 22:57:08 +0200 Felix Geyer <fge...@debian.org> wrote:
> Hi Adrian,
> 
> On 07.07.2017 01:11, Adrian Bunk wrote:
> > -- Found PythonLibs: /usr/lib/mips-linux-gnu/libpython2.7.so (found 
> > suitable version "2.7.13+", minimum required is "2") 
> > CMake Error at bindings/python/CMakeLists.txt:9 (FIND_PACKAGE):
> >   find_package called with invalid argument "2.7.13+"
> 
> I've submitted a patch upstream.
> 
> Please note however that libsolv doesn't follow the recommended way to find 
> the Python interpreter
> + libs:
> 
> > If calling both ``find_package(PythonInterp)`` and
> > ``find_package(PythonLibs)``, call ``find_package(PythonInterp)`` first to
> > get the currently active Python version by default with a consistent version
> > of PYTHON_LIBRARIES.

I'm reassigning the bug since it's the caller's responsibility to pass a valid 
version to
find_package().
PYTHONLIBS_VERSION_STRING contains the full version string by design.
libsolv would have to parse the x.y.z version from the variable.

Full upstream response:
https://gitlab.kitware.com/cmake/cmake/merge_requests/1047#note_288680


Felix
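
One way to do the parsing described in the message above, as an added example that is not libsolv's or CMake's own code. The helper name numeric_version_prefix and every sample string except "2.7.13+" are made up for illustration.

```cmake
# Added example; run stand-alone with: cmake -P numeric_version.cmake
cmake_minimum_required(VERSION 3.5)

# Hypothetical helper (not part of CMake or libsolv): return the leading
# dotted-numeric part of a version string, or "" if there is none.
# find_package() accepts at most four components (major.minor.patch.tweak),
# so a longer numeric prefix is rejected as well.
function(numeric_version_prefix out_var version_string)
  set(result "")
  if("${version_string}" MATCHES "^([0-9]+(\\.[0-9]+)*)")
    set(candidate "${CMAKE_MATCH_1}")
    string(REPLACE "." ";" parts "${candidate}")
    list(LENGTH parts count)
    if(count LESS 5)
      set(result "${candidate}")
    endif()
  endif()
  set(${out_var} "${result}" PARENT_SCOPE)
endfunction()

# Constructed sample values; "2.7.13+" is the string from the error message.
foreach(sample "2.7.13+" "3.6.2rc1" "3.5.3" "unknown")
  numeric_version_prefix(clean "${sample}")
  if("${clean}" STREQUAL "")
    message(STATUS "${sample}: no usable version, call find_package() without one")
  else()
    message(STATUS "${sample} -> ${clean}")
  endif()
endforeach()

# In a project's CMakeLists.txt the cleaned value is what gets passed on
# (assumed call order, following the quoted recommendation to keep
# PythonInterp and PythonLibs consistent):
#   find_package(PythonLibs REQUIRED)
#   numeric_version_prefix(py_version "${PYTHONLIBS_VERSION_STRING}")
#   find_package(PythonInterp ${py_version} REQUIRED)
```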



Bug#867514: [Pkg-cmake-team] Bug#867514: python2.7/cmake: find_package called with invalid argument "2.7.13+"

2017-07-11 Thread Felix Geyer
Hi Adrian,

On 07.07.2017 01:11, Adrian Bunk wrote:
> -- Found PythonLibs: /usr/lib/mips-linux-gnu/libpython2.7.so (found suitable 
> version "2.7.13+", minimum required is "2") 
> CMake Error at bindings/python/CMakeLists.txt:9 (FIND_PACKAGE):
>   find_package called with invalid argument "2.7.13+"

I've submitted a patch upstream.

Please note however that libsolv doesn't follow the recommended way to find the 
Python interpreter
+ libs:

> If calling both ``find_package(PythonInterp)`` and
> ``find_package(PythonLibs)``, call ``find_package(PythonInterp)`` first to
> get the currently active Python version by default with a consistent version
> of PYTHON_LIBRARIES.
Felix



Bug#867223: libclamunrar: CVE-2012-6706: arbitrary memory write

2017-07-04 Thread Felix Geyer
Source: libclamunrar
Version: 0.99-0+deb7u1
Severity: grave
Tags: security
Justification: user security hole

CVE-2012-6706 also affects libclamunrar. See #865461 for the original bug 
report against
unrar-nonfree.

Upstream fix:
https://github.com/vrtadmin/clamav-devel/commit/d4699442bce76574573dc564e7f2177d679b88bd

Felix



Bug#865461: unrar: VMSF_DELTA filter in unrar allows arbitrary memory write

2017-06-23 Thread Felix Geyer
On 23.06.2017 10:26, Raphael Hertzog wrote:
> Hello Felix,
>
> On Thu, 22 Jun 2017, Felix Geyer wrote:
>> I've prepared a backported patch of the relevant changes from 5.5.5 for 
>> jessie and stretch.
> How did you identify the relevant changes from 5.5.5 given that we
> don't have any git repository and that we don't have access to the
> previous release (5.5.4?) either AFAIK?

You can still download version 5.5.4:
http://www.rarlab.com/rar/unrarsrc-5.5.4.tar.gz

The 5.5.4 -> 5.5.5 diff contains some changes regarding input validation.
Those aren't directly related to this issue and are more difficult to backport 
so I've skipped them.

Felix



Bug#865461: unrar: VMSF_DELTA filter in unrar allows arbitrary memory write

2017-06-22 Thread Felix Geyer
Hi,

On Thu, 22 Jun 2017 18:49:16 +0200 Salvatore Bonaccorso <car...@debian.org> 
wrote:
> Control: retitle -1 unrar-nonfree: CVE-2012-6706: VMSF_DELTA filter in unrar 
> allows arbitrary memory write
> 
> CVE-2012-6706 was assigned by MITRE for this issue.

I've prepared a backported patch of the relevant changes from 5.5.5 for jessie 
and stretch.
Review and testing is welcome of course :)


I haven't checked if the patch applies to wheezy as well but it should be at 
least a starting point.

Cheers,
Felix
diff -Nru unrar-nonfree-5.2.7/debian/changelog 
unrar-nonfree-5.2.7/debian/changelog
--- unrar-nonfree-5.2.7/debian/changelog2015-03-27 22:54:31.0 
+0100
+++ unrar-nonfree-5.2.7/debian/changelog2017-06-22 20:47:18.0 
+0200
@@ -1,3 +1,11 @@
+unrar-nonfree (1:5.2.7-0.1+deb8u1) jessie; urgency=medium
+
+  * Add bound checks for VMSF_DELTA, VMSF_RGB and VMSF_AUDIO paramters.
+- Backported from 5.5.5
+- Fixes CVE-2012-6706
+
+ -- Felix Geyer <fge...@debian.org>  Thu, 22 Jun 2017 20:47:18 +0200
+
 unrar-nonfree (1:5.2.7-0.1) unstable; urgency=high
 
   * Non-maintainer upload.
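Review bot: the first bullet of the new 1:5.2.7-0.1+deb8u1 entry misspells "paramters"; it should read "parameters", and the stretch entry later in this debdiff carries the same spelling. Changelog text is published as written, so this is worth fixing before upload.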
diff -Nru unrar-nonfree-5.2.7/debian/patches/CVE-2012-6706 
unrar-nonfree-5.2.7/debian/patches/CVE-2012-6706
--- unrar-nonfree-5.2.7/debian/patches/CVE-2012-67061970-01-01 
01:00:00.0 +0100
+++ unrar-nonfree-5.2.7/debian/patches/CVE-2012-67062017-06-22 
20:46:24.0 +0200
@@ -0,0 +1,44 @@
+--- unrar-nonfree-5.3.2.org/rarvm.cpp
 unrar-nonfree-5.3.2/rarvm.cpp
+@@ -965,7 +965,7 @@
+   {
+ int DataSize=R[4],Channels=R[0],SrcPos=0,Border=DataSize*2;
+ SET_VALUE(false,[VM_GLOBALMEMADDR+0x20],DataSize);
+-if ((uint)DataSize>=VM_GLOBALMEMADDR/2)
++if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || 
(uint)Channels>MAX3_UNPACK_CHANNELS || Channels==0)
+   break;
+ 
+ // Bytes from same channels are grouped to continual data blocks,
+@@ -984,7 +984,7 @@
+ byte *SrcData=Mem,*DestData=SrcData+DataSize;
+ const int Channels=3;
+ SET_VALUE(false,[VM_GLOBALMEMADDR+0x20],DataSize);
+-if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || Width<0 || PosR<0)
++if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || Width<0 || PosR<0 || 
DataSize<3 || Width>DataSize || PosR>2)
+   break;
+ for (int CurChannel=0;CurChannel<Channels;CurChannel++)
+ {
+@@ -1029,7 +1029,7 @@
+ int DataSize=R[4],Channels=R[0];
+ byte *SrcData=Mem,*DestData=SrcData+DataSize;
+ SET_VALUE(false,[VM_GLOBALMEMADDR+0x20],DataSize);
+-if ((uint)DataSize>=VM_GLOBALMEMADDR/2)
++if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || (uint)Channels>128 || 
Channels==0)
+   break;
+ for (int CurChannel=0;CurChannel<Channels;CurChannel++)
+ {
+--- unrar-nonfree-5.3.2.orig/unpack.hpp
 unrar-nonfree-5.3.2/unpack.hpp
+@@ -7,6 +7,12 @@
+ // Maximum number of filters per entire data block.
+ #define MAX_UNPACK_FILTERS   8192
+ 
++// Limit maximum number of channels in RAR3 delta filter to some reasonable
++// value to prevent too slow processing of corrupt archives with invalid
++// channels number. Must be equal or larger than v3_MAX_FILTER_CHANNELS.
++// No need to provide it for RAR5, which uses only 5 bits to store channels.
++#define MAX3_UNPACK_CHANNELS  1024
++
+ // Maximum number of filters per entire data block for RAR3 unpack.
+ #define MAX3_FILTERS 1024
+ 
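Review bot: in the VMSF_AUDIO check (the @@ -1029 hunk of rarvm.cpp) the channel limit is the bare literal 128, while the VMSF_DELTA check uses the new MAX3_UNPACK_CHANNELS define; a named constant with a comment on where 128 comes from would make that limit reviewable. The patch file also starts directly at the rarvm.cpp header with no description, so nothing in it records that it is a backport from 5.5.5 for CVE-2012-6706, and its path labels say unrar-nonfree-5.3.2 (once with .org, once with .orig) although this copy is added to the 5.2.7 package. A short header naming the origin and the bug would help whoever has to refresh it.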
diff -Nru unrar-nonfree-5.2.7/debian/patches/series 
unrar-nonfree-5.2.7/debian/patches/series
--- unrar-nonfree-5.2.7/debian/patches/series   2013-08-15 16:56:10.0 
+0200
+++ unrar-nonfree-5.2.7/debian/patches/series   2017-06-22 20:46:33.0 
+0200
@@ -1 +1,2 @@
 fix-buildflags
+CVE-2012-6706
diff -Nru unrar-nonfree-5.3.2/debian/changelog 
unrar-nonfree-5.3.2/debian/changelog
--- unrar-nonfree-5.3.2/debian/changelog2015-08-10 14:58:20.0 
+0200
+++ unrar-nonfree-5.3.2/debian/changelog2017-06-22 20:20:40.0 
+0200
@@ -1,3 +1,11 @@
+unrar-nonfree (1:5.3.2-1+deb9u1) stretch; urgency=medium
+
+  * Add bound checks for VMSF_DELTA, VMSF_RGB and VMSF_AUDIO paramters.
+- Backported from 5.5.5
+- Fixes CVE-2012-6706
+
+ -- Felix Geyer <fge...@debian.org>  Thu, 22 Jun 2017 20:20:40 +0200
+
 unrar-nonfree (1:5.3.2-1) unstable; urgency=medium
 
   * New upstream release (Closes: #759586)
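Review bot: the new 1:5.3.2-1+deb9u1 entry names the CVE but no bug number, unlike the entry below it, which uses "(Closes: #759586)". Adding "(Closes: #865461)" to the CVE line would let the BTS record the fixed version for this report; the jessie entry in this debdiff has the same gap.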
diff -Nru unrar-nonfree-5.3.2/debian/patches/CVE-2012-6706 
unrar-nonfree-5.3.2/debian/patches/CVE-2012-6706
--- unrar-nonfree-5.3.2/debian/patches/CVE-2012-67061970-01-01 
01:00:00.0 +0100
+++ unrar-nonfree-5.3.2/debian/patches/CVE-2012-67062017-06-22 
20:20:40.0 +0200
@@ -0,0 +1,44 @@
+--- unrar-nonfree-5.3.2.org/rarvm.cpp
 unrar-nonfree-5.3.2/rarvm.cpp
+@@ -965,7 +965,7 @@
+   {
+ int DataSize=R[4],Channels=R[0],SrcPos=0,Border=DataSize*2;
+ SET_VALUE(false,[V

Bug#865461: unrar: VMSF_DELTA filter in unrar allows arbitrary memory write

2017-06-21 Thread Felix Geyer
Package: unrar
Version: 1:4.1.4-1+deb7u1
Severity: grave
Tags: security
Justification: user security hole

The VMSF_DELTA filter in unrar allows arbitrary memory write.

See the Google Project Zero report:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1286=6

This affects all Debian releases (verified with the provided test case on i386).

Felix



Bug#857261: chromium-widevine: widevine extension no longer works

2017-04-11 Thread Felix Geyer
Control: severity -1 normal

Hi,

On Thu, 09 Mar 2017 11:09:36 +0100 Enrico Rossi  wrote:
> Package: chromium-widevine
> Version: 56.0.2924.76-5
> Severity: grave
> Justification: renders package unusable
> 
> Dear Maintainer,
> 
> With the upgrade to v.56.0 this extension no longer works.
> Trying to force the load of the extensions to chromium doesn't work
> either.
> 
> No matter how I try to enable the extension, I got "Failed to load
> extension from: . Manifest file is missing or unreadable."

Are you sure your bug report is about widevine?
widevine isn't an extension but a plugin.
You can check if it's loaded by typing "navigator.plugins" into the inspector 
console.

FWIW widevine with chromium 57.0.2987.133-1 is working fine for me.

Note: This package only provides the adapter.
You still need to put the widevine drm module from chrome into 
/usr/lib/chromium/libwidevinecdm.so

Felix



Bug#851584: bareos-database-common: fails to upgrade from 'jessie': mysql said: ERROR 1067 (42000) at line 2: Invalid default value for 'CreateTime'

2017-01-21 Thread Felix Geyer
Control: tags -1 sid
Control: severity -1 normal

On Mon, 16 Jan 2017 17:19:06 +0100 Andreas Beckmann  wrote:
> Package: bareos-database-common
> Version: 16.2.4-3
> Severity: serious
> User: debian...@lists.debian.org
> Usertags: piuparts
> Control: affects -1 + bareos-database-mysql
> 
> Hi,
> 
> during a test with piuparts I noticed your package fails to upgrade from
> 'jessie'.
> It installed fine in 'jessie', then the upgrade to 'sid' fails.
> 
> From the attached log (scroll to the bottom...):
> 
>   [...]
> 
> This was a jessie -> sid test and it picked to upgrade mysql-5.5 -> mysql-5.7
> Feel free to downgrade if this issue is specific to this weird combination.

Bareos doesn't support MySQL 5.7 (yet), see 
https://bugs.bareos.org/view.php?id=660

Felix



Bug#844546: teeworlds: possible remote code execution on the client

2016-11-16 Thread Felix Geyer
Package: teeworlds
Version: 0.6.1+dfsg-1
Severity: grave
Tags: security
Justification: user security hole

teeworlds upstream has released version 0.6.4.

https://www.teeworlds.com/?page=news=12086 says

> the security vulnerability is worse, attacker controlled memory-writes and
> possibly arbitrary code execution on the client, abusable by any server the
> client joins

The upstream fix:
https://github.com/teeworlds/teeworlds/commit/ff254722a2683867fcb3e67569ffd36226c4bc62

There doesn't seem to be a CVE assigned to this vulnerability.

Felix



Bug#828519: qca2: FTBFS with openssl 1.1.0

2016-11-15 Thread Felix Geyer
Control: severity -1 important

On Sun, 26 Jun 2016 12:23:51 +0200 Kurt Roeckx  wrote:
> Source: qca2
> Version: 2.1.1-2
> Severity: important
> Control: block 827061 by -1
> 
> Hi,
> 
> OpenSSL 1.1.0 is about to be released.  During a rebuild of all packages using
> OpenSSL this package fails to build.  A log of that build can be found at:
> https://breakpoint.cc/openssl-1.1-rebuild-2016-05-29/Attempted/qca2_2.1.1-2_amd64-20160529-1516
> 
> On https://wiki.openssl.org/index.php/1.1_API_Changes you can see various of the
> reasons why it might fail.  There are also updated man pages at
> https://www.openssl.org/docs/manmaster/ that should contain useful information.
> 
> There is a libssl-dev package available in experimental that contains a recent
> snapshot, I suggest you try building against that to see if everything works.

I've changed qca2 to build against openssl 1.0 for now.

Felix



Bug#822320: closed by Felix Geyer <fge...@debian.org> (Re: cmake depends on cmake-data which is uninstallable (FTBFS arch:all))

2016-04-24 Thread Felix Geyer
On 24.04.2016 13:57, Laurent Bigonville wrote:
> The fact that the build is failing in the "CMake.FileDownload" is expected I 
> guess?

No, I've never seen that test fail.

> The build system should never download files outside of the tarball, most of 
> the buildd disable
> the network. Shouldn't this test be disabled or the result be ignored if 
> failing?

The test just downloads file://@CMAKE_CURRENT_SOURCE_DIR@/FileDownloadInput.png

Felix



Bug#796611: ferm causes a unit ordering cycle that breaks booting

2016-04-21 Thread Felix Geyer
On Tue, 29 Mar 2016 13:34:33 +0200 Alexander Wirt  wrote:
> > OK. I sent a github PR with both commits to ease your work. You could
> > have just asked for them...
> I already integrated them, but thanks. And sorry for being grumpy, but I
> really dislike those 0-day nmus.

FWIW ferm 2.2-4 doesn't contain the fixes from 2.2-3.2

Felix



Bug#796611: ferm causes a unit ordering cycle that breaks booting

2016-03-29 Thread Felix Geyer
Hi Felipe,

On Mon, 28 Mar 2016 20:56:48 -0300 Felipe Sateler  wrote:
> I have uploaded an nmu. I have made the unit call out to the init
> script, because it does more work than simply invoking ferm.
> 
> Please find attached the debdiff

I see two problems with your systemd service:

1) By default (CACHE=yes) the init script writes to /var/cache/ferm/ and
   the systemd service is ordered Before=network-pre.target.
   If /var is on a remote filesystem you have created a dependency cycle.

2) The systemd service declares Conflicts=shutdown.target. What's the rationale
   for unloading iptables rules on shutdown?
   It seems unnecessary and dangerous to me since you probably can't guarantee that
   this is done after network daemons are shut down.

Felix



Bug#809810: libapache2-mod-passenger: Can't locate arybase.pm at /usr/sbin/vlogger line 430, line 1.

2016-01-12 Thread Felix Geyer
Control: severity -1 normal
Control: tags -1 unreproducible

On 04.01.2016 11:35, Géraud Guibert wrote:
> Package: libapache2-mod-passenger
> Version: 4.0.53-1
> Severity: grave
> Justification: renders package unusable

No it doesn't, most configurations work fine.

> Hello,
> 
> Before the libapache2-mod-passenger is installed, the vlogger
> perl script linked to Apache is correctly working on the
> Debian Jessie 8 server (amd64).
> 
> When redmine and the passenger + ruby dependencies are
> installed, the Apache crashes with the following error message:
> 
> Can't locate arybase.pm in @INC (you may need to install the arybase module)
> (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.20.2
> /usr/local/share/perl/5.20.2
> /usr/lib/x86_64-linux-gnu/perl5/5.20 /usr/share/perl5 /usr/lib/x86_64-linux-
> gnu/perl/5.20 /usr/share/perl/5.20 /usr/local/lib/site_perl)
> at /usr/sbin/vlogger line 430,  line 1.

I can't reproduce this.

This is what I tried:
- Based on a minimal testcase from
https://anonscm.debian.org/cgit/pkg-ruby-extras/passenger.git/tree/debian/tests/rack
- Installed vlogger
- Added: CustomLog "| /usr/sbin/vlogger -s access.log /var/log/apache2" combined

Access to /testrack works fine and is logged to /var/log/apache2//access.log

So this is either related to other system modifications or only a combination 
of Apache modules
triggers it.

Felix



Bug#801474: kscreen: No longer supports 2 monitors

2015-10-20 Thread Felix Geyer
Control: severity -1 important
Control: tags -1 moreinfo

On Mon, 19 Oct 2015 17:26:30 +0200 Salvo Tomaselli  wrote:
> Debian does not automatically subscribe reporters to bugs, so unless you 
> include them in the email, they don't receive anything (like in this case, 
> where I by chance just came online to check if there was activity).
> 
> At the moment I don't have a 2nd screen around that I can use to do further 
> tests, so I don't know.

Downgrading the severity as it works for others. So kscreen is not unusable in 
a general sense.

Felix



Bug#802339: kdenlive: build-depends on obsolete kde-workspace-dev

2015-10-19 Thread Felix Geyer
Source: kdenlive
Version: 15.08.2-1
Severity: serious
User: debian-qt-...@lists.debian.org
Usertags: plasma5-transition

Hi,

kdenlive build-depends on the obsolete kde-workspace-dev.
To finish the transition to KDE Plasma 5 src:kde-workspace will
be removed from the archive shortly.

Please update your package accordingly.

Thanks,
Felix



Bug#797946: closed by Mateusz Łukasik <mat...@linuxmint.pl> (Bug#797946: fixed in openbox 3.6.1-2)

2015-10-15 Thread Felix Geyer
On 15.10.2015 12:03, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the openbox-kde-session package:
> 
> #797946: openbox-kde-session: depends on obsolete kde-workspace-bin
> 
> It has been closed by Mateusz Łukasik .

> 
>* debian/control:
>  + Drop obsolete kde-workspace-bin from openbox-kde-session depends.
>  (Closes: #797946)

This is not a fix.
openbox-kde-session execs startkde so you really need to depend on 
plasma-desktop or
kde-plasma-desktop.

Felix



Bug#799449: [pkg-apparmor] Processed: severity of 799449 is serious

2015-10-06 Thread Felix Geyer
Control: tags -1 - help

This issue is most likely caused by g++ bug #799811.

Felix



Bug#799449: [pkg-apparmor] Processed: severity of 799449 is serious

2015-10-05 Thread Felix Geyer
On Mon, 05 Oct 2015 21:27:58 +0200 intrigeri  wrote:
> Control: tag -1 + help
> 
> sarnold wants a stacktrace and says: "if you can get it to fail by
> hand, running it with gdb ought to do the trick, gdb ./tst_regex ;
> "run" "bt" iiirc.."
> 
> => anyone with access to mips* a porter box can do that and report
> back here. Help is welcome :)

Doesn't look very promising:

minkus% gdb tst_lib
GNU gdb (Debian 7.10-1) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "mips-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
.
Find the GDB manual and other documentation resources online at:
.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from tst_lib...done.
(gdb) run
Starting program: /home/fgeyer/apparmor-2.10/parser/tst_lib
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/mips-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x in ?? ()
(gdb) bt full
#0  0x in ?? ()
No symbol table info available.
#1  0x005537a0 in _PROCEDURE_LINKAGE_TABLE_ ()
No symbol table info available.
Backtrace stopped: frame did not save the PC


fwiw all parser/tst_* segfault the same way.

Felix



Bug#800468: crashes in liblmdb on start-up

2015-10-03 Thread Felix Geyer
Hi,

On Sat, 03 Oct 2015 15:58:34 +0200 Mario Blättermann 
 wrote:
> Same behavior on a freshly installed Stretch. The gdb output:
> 
> (gdb) run
> Starting program: /usr/bin/dolphin
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> [New Thread 0x7fffe235a700 (LWP 14801)]
> [New Thread 0x7fffdafbd700 (LWP 14802)]
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x7fffead34960 in mdb_txn_begin ()
> from /usr/lib/x86_64-linux-gnu/liblmdb.so.0
> 
> It happened after I tried to config Dolphin to let the preview sidebar 
> appear.

Could you please test if upgrading libkf5baloo5 and libkf5balooengine5 to 
5.14.0-2 (unstable)
fixes the crash?

Felix



Bug#799491: FTBFS: Missing Build-Depends on libsoprano-dev

2015-09-29 Thread Felix Geyer
Hi,

The "Missing Build-Depends on libsoprano-dev" bug reports are incorrect.
It's actually a missing dependency of kdelibs5-dev. I've fixed that in 
4.14.12-2.

You may want to drop the libsoprano-dev B-D again in choqok and kmldonkey.

Cheers,
Felix



Bug#792137: [einstein] No Longer Runs with Latest Qt/KDE5 Upgrades

2015-09-06 Thread Felix Geyer
Hi,

On Sun, 12 Jul 2015 00:38:28 +0300 David Baron  wrote:
> Package: einstein
> Version: 2.0.dfsg.2-9
> Severity: grave
> 
> --- Please enter the report below this line. ---
> Get the following when run from a terminal: 
> ~$ einstein
> terminate called after throwing an instance of 'std::logic_error'
>   what():  basic_string::_S_construct null not valid
> Aborted
> 
> Worked fine yesterday.
> Many KDE-desktop packages have been upgraded

Was this maybe an issue related to the GCC 5 transition?
Does it still crash with an up-to-date unstable?
It works fine for me.

Cheers,
Felix



Bug#794937: Applications crash with phonon-backend-vlc

2015-08-30 Thread Felix Geyer
On Mon, 10 Aug 2015 23:35:38 -0300 Lisandro Damián Nicanor Pérez Meyer
perezme...@gmail.com wrote:
> retitle 794937 phonon-qt5 packages should not depend/recommend phonon-backend
> thanks
>
> I think the problem is that the virtual package phonon-backend is provided by
> phonon-backend-gstreamer, phonon-backend-null, phonon-backend-vlc,
> phonon4qt5-backend-gstreamer

That is a problem but not this one. I've fixed the virtual package stuff now.

This problem seems to be that vlc loads its GUI plugin.
The vlc GUI is Qt5 so this creates the conflict crashing the application.

Bug #755154 in vlc was supposed to fix this.

Michael, I suppose you have *vlc* = 2.2.1-1 installed?
If so does reinstalling them help? Maybe the plugin cache is in some way 
corrupt.

Cheers,
Felix



Bug#797120: redshift-plasmoid: Not usable anymore in Plasma5

2015-08-27 Thread Felix Geyer
Package: redshift-plasmoid
Version: 1.0-1
Severity: serious
Tags: stretch sid
Justification: Not usable anymore

Hi! Plasma 5 has arrived to testing a few weeks ago and so all Plasma 4
widgets have become unusable.

Please consider either porting this widget to Plasma5 or asking for its
removal from the archive.

Thanks,
Felix



Bug#797123: plasma-widget-veromix: Not usable anymore in Plasma5

2015-08-27 Thread Felix Geyer
Package: plasma-widget-veromix
Version: 0.18.3-1.1
Severity: serious
Tags: stretch sid
Justification: Not usable anymore

Hi! Plasma 5 has arrived to testing a few weeks ago and so all Plasma 4
widgets have become unusable.

Please consider either porting this widget to Plasma5 or dropping this binary
package.

Thanks,
Felix



Bug#797121: plasma-widget-yawp: Not usable anymore in Plasma5

2015-08-27 Thread Felix Geyer
Package: plasma-widget-yawp
Version: 0.4.2-1
Severity: serious
Tags: stretch sid
Justification: Not usable anymore

Hi! Plasma 5 has arrived to testing a few weeks ago and so all Plasma 4
widgets have become unusable.

Please consider either porting this widget to Plasma5 or asking for its
removal from the archive.

Thanks,
Felix



Bug#794061: breeze: Breeze theme completely stopped working after the last upgrade

2015-08-03 Thread Felix Geyer
On 01.08.2015 09:22, Salvo Tomaselli wrote:
> Hello,
>
>> Could you check with ldd /usr/bin/qweborf.
>> That'll show which Qt library is used.
> It's python. It uses pyqt4.
> I am attaching the ldd output for subsurface, which is a C++ thing that uses
> Qt4.
>
>> The Debian qt4-x11 build looks for plugins in /usr/lib/arch/qt4/plugins.
>> That's why it loads the breeze style even when the path is not explicitly
>> listed in QT_PLUGIN_PATH.
> I don't think it does load it without the env-var :)

Well it seems to work for everyone else so something has to be configured on
your system to break it.

Anyway I don't have time to debug this further but I'll just add back the symlink.

Felix


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#794061: breeze: Breeze theme completely stopped working after the last upgrade

2015-07-31 Thread Felix Geyer
Hi,

On 31.07.2015 00:05, Salvo Tomaselli wrote:
 Hello,
 
 You don't happen to have a custom Qt build installed?
 
 I have installed some official binaries from Qt, but they go in /opt so I 
 wouldn't think that has anything to do with it.

Could you check with ldd /usr/bin/qweborf.
That'll show which Qt library is used.

 /usr/lib/x86_64-linux-gnu/qt4/plugins is the plugin path that is hardcoded
 in the Debian qt4-x11 package.
 I don't understand what you mean.

The Debian qt4-x11 build looks for plugins in /usr/lib/arch/qt4/plugins.
That's why it loads the breeze style even when the path is not explicitly listed
in QT_PLUGIN_PATH.

Cheers,
Felix





Bug#794061: breeze: Breeze theme completely stopped working after the last upgrade

2015-07-30 Thread Felix Geyer
Hi,

On 30.07.2015 21:45, Salvo Tomaselli wrote:
 Hello,
 
 thanks for the quick reply.
 
 Does this only affect KDE4 applications or also Qt4-only ones (like
 speedcrunch)?
 Yes, for example qweborf (attached) looks like that.
 
 Could you please post the output of:
 - echo $QT_PLUGIN_PATH
 /usr/lib/x86_64-linux-gnu/qt4/plugins/:/usr/lib/kde4/plugins/
 
 Which I previously set in my session as a workaround, however, before filing 
 the bugreport I have tried unsetting the variable but the result was the same.

You don't happen to have a custom Qt build installed?
/usr/lib/x86_64-linux-gnu/qt4/plugins is the plugin path that is hardcoded in the
Debian qt4-x11 package.

Cheers,
Felix





Bug#794061: breeze: Breeze theme completely stopped working after the last upgrade

2015-07-30 Thread Felix Geyer
Hi,

On Thu, 30 Jul 2015 10:16:38 +0200 Salvo Tomaselli tipos...@tiscali.it wrote:
 Package: breeze
 Version: 4:5.3.2-3
 Severity: grave
 Justification: renders package unusable
 
 Dear Maintainer,
 
 after the recent upgrade of the breeze theme, Qt4 applications look
 really bad.

Does this only affect KDE4 applications or also Qt4-only ones (like speedcrunch)?

Could you please post the output of:
- echo $QT_PLUGIN_PATH
- grep style ~/.config/Trolltech.conf

Try launching an application with the parameter -style breeze.
Does it still not use the breeze style?

Does qtconfig-qt4 (package qt4-qtconfig) list breeze in the style list?

Cheers,
Felix





Bug#788543: bareos-sd will silently corrupt backups when using multi-volume disk-based jobs

2015-07-21 Thread Felix Geyer
On 20.07.2015 21:17, Evgeni Golov wrote:
 On Mon, Jul 20, 2015 at 07:42:25PM +0200, Felix Geyer wrote:
 Hi,

 On 20.07.2015 19:03, Evgeni Golov wrote:
 Hi

 I actually have an almost ready 14.2.5 in git that would just fix everything.
 I'll try to get that done until the weekend. Does that sound ok for you?

 Sounds great :)
 Are you also going to take care of fixing bareos in jessie?
 
 After the fix has migrated to Stretch: yes.
 If you want to have it earlier (and discuss details with SRM): feel
 free to do a team upload of your backported patch :)

Team upload? Are you trying to lure me in? :P

I don't think there is a deadline for 8.2 yet so I'm not in a rush.

Cheers,
Felix





Bug#788543: bareos-sd will silently corrupt backups when using multi-volume disk-based jobs

2015-07-20 Thread Felix Geyer
Hi,

On 20.07.2015 19:03, Evgeni Golov wrote:
 Hi
 
 I actually have an almost ready 14.2.5 in git that would just fix everything. 
 I'll try to get that done until the weekend. Does that sound ok for you?

Sounds great :)
Are you also going to take care of fixing bareos in jessie?

Cheers,
Felix





Bug#788543: bareos-sd will silently corrupt backups when using multi-volume disk-based jobs

2015-07-20 Thread Felix Geyer
Hi,

On 13.06.2015 01:32, Felix Geyer wrote:
 Hi,
 
 On Fri, 12 Jun 2015 17:30:51 +0200 Michael Renner r...@amd.co.at wrote:
 Package: bareos
 Version: 14.2.1+20141017gitc6c5b56-4
 Severity: critical
 Justification: causes serious data loss

 In March 2015 bareos fixed a bug which caused silent corruption of
 backups when the following conditions are met:

  * backups are written to disk (tape backups are not affected)
  * autolabelling is enabled
  * a backup spans over multiple volumes
  * the additional volumes are newly created and labeled during the backup.

 Bug: https://bugs.bareos.org/view.php?id=437
 Announcement: 
 http://www.bareos.com/en/company_news/items/Bareos-14.2.4-published.html
 Fix for 14.2: 
 https://github.com/bareos/bareos/commit/263240eaa911563a8468ecdaf7d4957201b41426

 Given that the above conditions are met in most bareos installations
 I've tagged this as critical.


 While I'm at it I'd like to point out that Joerg Steffens, an upstream maintainer,
 employee and/or partner of bareos.com and co-maintainer of this
 package in Debian, hasn't found the time to inform the Debian community of this issue, lest
 providing a patched package.
 
 Attached is a debdiff that contains a backport of the upstream fix.

How about reverting the fix for #769536 (circular dependency hell) until there is a proper
solution for it?
That way we can get this bug fixed and bareos back into testing.
I've prepared those changes in the attached debdiff.

What do you think?

Cheers,
Felix
diff -Nru bareos-14.2.1+20141017gitc6c5b56/debian/changelog 
bareos-14.2.1+20141017gitc6c5b56/debian/changelog
--- bareos-14.2.1+20141017gitc6c5b56/debian/changelog   2014-12-02 
10:25:20.0 +0100
+++ bareos-14.2.1+20141017gitc6c5b56/debian/changelog   2015-07-20 
18:24:24.0 +0200
@@ -1,3 +1,12 @@
+bareos (14.2.1+20141017gitc6c5b56-4.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Revert fix for #769536 until there is a proper solution. (Closes: #771870)
+  * Fix data corruption bug affecting file based backups. (Closes: #788543)
+- Backport upstream fix as fix_multi_volume_data_corruption.diff
+
+ -- Felix Geyer fge...@debian.org  Mon, 20 Jul 2015 18:18:13 +0200
+
 bareos (14.2.1+20141017gitc6c5b56-4) unstable; urgency=medium
 
   [ Joerg Steffens ]
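Review bot: The entry "Revert fix for #769536 until there is a proper solution. (Closes: #771870)" records which bug the revert closes but not that #769536 is open again as a result. Say so in the entry, or reopen #769536 with a pointer to this upload, so the trade-off is visible to anyone reading the changelog later.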
diff -Nru bareos-14.2.1+20141017gitc6c5b56/debian/control 
bareos-14.2.1+20141017gitc6c5b56/debian/control
--- bareos-14.2.1+20141017gitc6c5b56/debian/control 2014-12-01 
19:28:21.0 +0100
+++ bareos-14.2.1+20141017gitc6c5b56/debian/control 2015-07-20 
18:17:26.0 +0200
@@ -96,7 +96,7 @@
 Package:bareos-database-common
 Architecture:   any
 Pre-Depends:debconf (= 1.4.30) | debconf-2.0
-Depends:bareos-common (= ${binary:Version}), dbconfig-common, lsb-base 
(= 3.2-13), ${shlibs:Depends}, ${misc:Depends}
+Depends:bareos-database-postgresql  (= ${binary:Version}) | 
bareos-database-mysql (= ${binary:Version}) | bareos-database-sqlite3 (= 
${binary:Version}), bareos-common (= ${binary:Version}), dbconfig-common, 
lsb-base (= 3.2-13), ${shlibs:Depends}, ${misc:Depends}
 Description: Backup Archiving Recovery Open Sourced - common catalog files
  Bareos is a set of programs to manage backup, recovery and verification of
  data across a network of computers of different kinds.
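Review bot: The restored Depends line for bareos-database-common lists a database backend and bareos-common but not bareos-database-tools, and the failure reported in #771870 was this package's config script calling /usr/sbin/bareos-dbcheck, which is shipped in bareos-database-tools. Check that the reverted config script no longer calls bareos-dbcheck; if it still does, "Closes: #771870" does not hold when this package is installed on its own.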
@@ -146,7 +146,7 @@
 Package:bareos-database-tools
 Architecture:   any
 Pre-Depends:debconf (= 1.4.30) | debconf-2.0
-Depends:bareos-common (= ${binary:Version}), 
bareos-database-postgresql (= ${binary:Version}) | bareos-database-mysql (= 
${binary:Version}) | bareos-database-sqlite3 (= ${binary:Version}), lsb-base 
(= 3.2-13), ${shlibs:Depends}, ${misc:Depends}
+Depends:bareos-common (= ${binary:Version}), bareos-database-common (= 
${binary:Version}), lsb-base (= 3.2-13), ${shlibs:Depends}, ${misc:Depends}
 Conflicts: bacula-sd-mysql, bacula-sd-pgsql, bacula-sd-sqlite3
 Description: Backup Archiving Recovery Open Sourced - database tools
  Bareos is a set of programs to manage backup, recovery and verification of
@@ -184,7 +184,7 @@
 Package:bareos-director
 Architecture:   any
 Pre-Depends:debconf (= 1.4.30) | debconf-2.0, adduser
-Depends:bareos-common (= ${binary:Version}), 
bareos-database-postgresql (= ${binary:Version}) | bareos-database-mysql (= 
${binary:Version}) | bareos-database-sqlite3 (= ${binary:Version}), 
bareos-database-tools, lsb-base (= 3.2-13), bsd-mailx | mailx, 
${shlibs:Depends}, ${misc:Depends}
+Depends:bareos-common (= ${binary:Version}), bareos-database-common (= 
${binary:Version}), bareos-database-tools, lsb-base (= 3.2-13), bsd-mailx | 
mailx, ${shlibs:Depends}, ${misc:Depends}
 Recommends: logrotate
 Conflicts:  bacula-director
 Replaces:   bacula-director
diff -Nru bareos-14.2.1+20141017gitc6c5b56/debian/control.in 
bareos-14.2.1+20141017gitc6c5b56/debian/control.in
--- bareos-14.2.1+20141017gitc6c5b56/debian

Bug#791467: plowshare: javascript usage puts user at risk of remote code execution

2015-07-12 Thread Felix Geyer
Hi,

On Mon, 06 Jul 2015 11:42:55 +1000 Carl Suster c...@contraflo.ws wrote:
 I am in the process of packaging the new upstream version of plowshare.
 There has been a significant change so that the core framework (of shell
 scripts) is kept entirely separate to the scripts which use this API to
 implement support for specific external sites. Once this new version is
 available in the archives (it will have to go through the NEW queue
 because of the split into separate packages), I will be able to audit
 the code more carefully and isolate any javascript snippets. Hence I'll
 defer addressing this bug until the new package is ready.

plowshare4 is part of a stable Debian release so the new upstream version
won't help there.

There doesn't seem to be a difference between version 1 and 2 on how
Javascript is handled anyway.
The modules parse Javascript code from a website and call javascript()
which is located in core.sh.

That leaves two options:
1) Figure out how to make rhino run the javascript code in a sandbox.
2) Add a patch to disable Javascript code evaluation (probably breaking some
   modules).

Felix





Bug#778143: teeworlds: ftbfs with GCC-5

2015-06-25 Thread Felix Geyer
Control: tags -1 unreproducible

On Thu, 12 Feb 2015 10:37:23 + Matthias Klose d...@debian.org wrote:
 The package fails to build in a test rebuild on at least amd64 with
 gcc-5/g++-5, but succeeds to build with gcc-4.9/g++-4.9. The
 severity of this report may be raised before the stretch release.

I can't reproduce this.
The package builds fine with gcc 5.1.1-12 (unstable).

Felix





Bug#771870: [Pkg-bareos-devel] Bug#771870: Bug#771870: bareos-database-common: fails to install: bareos-database-common.config: /usr/sbin/bareos-dbcheck: not found

2015-06-15 Thread Felix Geyer
On 15.06.2015 12:59, Jörg Steffens wrote:
 On 13.06.2015 at 11:41, Felix Geyer wrote:
 [...]
 Shouldn't the whole setting up a database part be done in the director package?
 It's the one that cares about having a database setup and it can depend on -tools
 and a database backend.
 So by the time the director is configured you have all the things you need to
 create the database.
 
 For upstream I can say, this bug has been fixed a while ago, see
 https://github.com/bareos/bareos/commit/53fa745060609b5f6123c03258fc1f809435ab01

bareos-database-common doesn't pull in the bareos-dbcheck binary from bareos-database-tools
with that commit.

 The reason why the logic is not in bareos-director is that the catalog
 (database) should be installable on a different system than the director.

I'm not quite sure I follow.
You want bareos-database-common to be installable on the database server?
That seems not very desirable as you have to worry about version mismatches and you can't
automatically write the database configuration to the director config.

Afaik dbconfig-common can work with remote databases if you configure it that way.
Of course the custom package tooling around it needs to support it too.

Cheers,
Felix





Bug#771870: [Pkg-bareos-devel] Bug#771870: bareos-database-common: fails to install: bareos-database-common.config: /usr/sbin/bareos-dbcheck: not found

2015-06-13 Thread Felix Geyer
Hi,

On Wed, 03 Dec 2014 10:58:03 +0100 Evgeni Golov evg...@debian.org wrote:
 Hi,
 
 On 12/03/2014 04:10 AM, Andreas Beckmann wrote:
 
  during a test with piuparts I noticed your package failed to install. As
  per definition of the release team this makes the package too buggy for
  a release, thus the severity.
 
 Thanks. This is what you get when you try to solve dependency loops :/
 
 From the attached log (scroll to the bottom...):
  
   Selecting previously unselected package bareos-database-common.
   (Reading database ... 9220 files and directories currently installed.)
   Preparing to unpack .../bareos-database-common_14.2.1+20141017gitc6c5b56-4_amd64.deb ...
   Unpacking bareos-database-common (14.2.1+20141017gitc6c5b56-4) ...
   Setting up bareos-database-common (14.2.1+20141017gitc6c5b56-4) ...
   /var/lib/dpkg/info/bareos-database-common.config: 1: /var/lib/dpkg/info/bareos-database-common.config: /usr/sbin/bareos-dbcheck: not found
   Warning: failed to get dbname from config, using default value bareos, see /tmp/bareos-config.11958.log
   /var/lib/dpkg/info/bareos-database-common.config: 1: /var/lib/dpkg/info/bareos-database-common.config: /usr/sbin/bareos-dbcheck: not found
   Warning: failed to get dbuser from config, using default value bareos, see /tmp/bareos-config.11958.log
   (config) dbc_go() bareos-database-common configure.
 
 bareos-database-common is not designed to be installed alone, yet it
 triggers the above bug in that situation.
 
 We could add a layer of [ -x /usr/sbin/bareos-dbcheck ] around the
 calls to it (it's in bareos-database-tools).
 Or we re-add bareos-database-tools to bareos-database-common depends,
 but remove bareos-database-{postgresql,mysql,sqlite} from -tools depends
 (which is also wrong, as dbcheck won't work then in all cases).

Shouldn't the whole setting up a database part be done in the director package?
It's the one that cares about having a database setup and it can depend on -tools
and a database backend.
So by the time the director is configured you have all the things you need to
create the database.

Cheers,
Felix





Bug#788543: bareos-sd will silently corrupt backups when using multi-volume disk-based jobs

2015-06-12 Thread Felix Geyer
Hi,

On Fri, 12 Jun 2015 17:30:51 +0200 Michael Renner r...@amd.co.at wrote:
 Package: bareos
 Version: 14.2.1+20141017gitc6c5b56-4
 Severity: critical
 Justification: causes serious data loss
 
 In March 2015 bareos fixed a bug which caused silent corruption of
 backups when the following conditions are met:
 
  * backups are written to disk (tape backups are not affected)
  * autolabelling is enabled
  * a backup spans over multiple volumes
  * the additional volumes are newly created and labeled during the backup.
 
 Bug: https://bugs.bareos.org/view.php?id=437
 Announcement: 
 http://www.bareos.com/en/company_news/items/Bareos-14.2.4-published.html
 Fix for 14.2: 
 https://github.com/bareos/bareos/commit/263240eaa911563a8468ecdaf7d4957201b41426
 
 Given that the above conditions are met in most bareos installations
 I've tagged this as critical.
 
 
 While I'm at it I'd like to point out that Joerg Steffens, an upstream maintainer,
 employee and/or partner of bareos.com and co-maintainer of this
 package in Debian, hasn't found the time to inform the Debian community of this issue, lest
 providing a patched package.

Attached is a debdiff that contains a backport of the upstream fix.

Cheers,
Felix
diff -Nru 
bareos-14.2.1+20141017gitc6c5b56/debian/patches/fix_multi_volume_data_corruption.diff
 
bareos-14.2.1+20141017gitc6c5b56/debian/patches/fix_multi_volume_data_corruption.diff
--- 
bareos-14.2.1+20141017gitc6c5b56/debian/patches/fix_multi_volume_data_corruption.diff
   1970-01-01 01:00:00.0 +0100
+++ 
bareos-14.2.1+20141017gitc6c5b56/debian/patches/fix_multi_volume_data_corruption.diff
   2015-06-13 01:07:56.0 +0200
@@ -0,0 +1,39 @@
+Description: Backport of upstream fix Don't trash dcr-rec while doing 
autolabeling.
+Origin: backport, 
https://github.com/bareos/bareos/commit/263240eaa911563a8468ecdaf7d4957201b41426
+Bug: https://bugs.bareos.org/view.php?id=437
+Bug-Debian: https://bugs.debian.org/788543
+
+--- bareos-14.2.1+20141017gitc6c5b56.orig/src/stored/label.c
 bareos-14.2.1+20141017gitc6c5b56/src/stored/label.c
+@@ -341,6 +341,7 @@ static bool write_volume_label_to_block(
+ bool write_new_volume_label_to_dev(DCR *dcr, const char *VolName,
+const char *PoolName, bool relabel)
+ {
++   DEV_RECORD *rec;
+JCR *jcr = dcr-jcr;
+DEVICE *dev = dcr-dev;
+DEV_BLOCK *block = dcr-block;
+@@ -420,15 +421,18 @@ bool write_new_volume_label_to_dev(DCR *
+  goto bail_out;
+   }
+ 
+-  create_volume_label_record(dcr, dev, dcr-rec);
+-  dcr-rec-Stream = 0;
+-  dcr-rec-maskedStream = 0;
++  rec = new_record();
++  create_volume_label_record(dcr, dev, rec);
++  rec-Stream = 0;
++  rec-maskedStream = 0;
+ 
+-  if (!write_record_to_block(dcr, dcr-rec)) {
++  if (!write_record_to_block(dcr, rec)) {
+  Dmsg2(130, Bad Label write on %s: ERR=%s\n, dev-print_name(), 
dev-print_errmsg());
++ free_record(rec);
+  goto bail_out;
+   } else {
+- Dmsg2(130, Wrote label of %d bytes to %s\n, dcr-rec-data_len, 
dev-print_name());
++ Dmsg2(130, Wrote label of %d bytes to %s\n, rec-data_len, 
dev-print_name());
++ free_record(rec);
+   }
+ 
+   Dmsg0(130, Call write_block_to_dev()\n);
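Review bot: In the label.c change, rec is declared as "DEV_RECORD *rec;" with no initialiser and is released by a separate free_record(rec) in each branch after write_record_to_block(). Declare it as "DEV_RECORD *rec = NULL;" so that an exit added later between the declaration and new_record() cannot free an unset pointer, and note in the patch header whether the backport differs from the upstream commit.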
diff -Nru bareos-14.2.1+20141017gitc6c5b56/debian/patches/series 
bareos-14.2.1+20141017gitc6c5b56/debian/patches/series
--- bareos-14.2.1+20141017gitc6c5b56/debian/patches/series  2014-12-01 
19:25:28.0 +0100
+++ bareos-14.2.1+20141017gitc6c5b56/debian/patches/series  2015-06-13 
01:02:49.0 +0200
@@ -1 +1,2 @@
 size_t_cn_length.patch
+fix_multi_volume_data_corruption.diff
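Review bot: The debdiff as posted adds the patch file and this series entry but carries no debian/changelog hunk, so the upload has no new version number and no "Closes: #788543" line. Add the changelog entry before uploading.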


Bug#787574: cmake: segfaults on mipsel

2015-06-03 Thread Felix Geyer
Hi,

On Wed, 3 Jun 2015 00:51:33 +0200 Jakub Wilk jw...@debian.org wrote:
 Package: cmake
 Version: 3.2.2-2
 Severity: grave
 User: debian-m...@lists.debian.org
 Usertags: mipsel
 
 cmake segfaults all the time in mipsel sid chroot on eder.d.o:
 
 $ cmake --help
 Segmentation fault
 
 
 Backtrace:
 
 #0  nettle_yarrow256_update (ctx=0x7582a68c rnd_ctx, source_index=optimized out, entropy=128, length=32, data=0x7fff35bc \243|\302\221\224\v)\f\376\354\253\363\237Z\361J\257.\v\377\224)\265\257\035\016\215\207B\266\216\006) at yarrow256.c:264
 #1  0x75800050 in do_device_source (init=1, event=0x7fff3618, ctx=0x7582a68c rnd_ctx) at rnd.c:147
 #2  0x7580027c in wrap_nettle_rnd_init (ctx=optimized out) at rnd.c:241
 #3  0x7574f8a0 in _gnutls_rnd_init () at random.c:49
 #4  0x7573ff2c in gnutls_global_init () at gnutls_global.c:272
 #5  0x75719bd4 in lib_init () at gnutls_global.c:434
 warning: GDB can't find the start of the function at 0x77fd527a.
 #6  0x77fd527c in ?? () from /lib/ld.so.1

Is cmake (indirectly) linked against multiple versions of libnettle?
Given the timing it sounds a lot like bug #784009

Felix
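
One way to answer the question in the message above, as an added example that is not part of the original message or of any Debian tool: a parser for `ldd` output that reports libraries present under more than one SONAME in a binary's dependency closure. The sample output and every library name in it are constructed for illustration.

```python
import os
import re
from collections import defaultdict

# Constructed `ldd` output (not taken from the bug report): one binary that
# ends up with two different libnettle SONAMEs in its dependency closure.
SAMPLE_LDD = """\
    linux-vdso.so.1 (0x7ffd0000)
    libarchive.so.13 => /usr/lib/mipsel-linux-gnu/libarchive.so.13 (0x77e30000)
    libcurl-gnutls.so.4 => /usr/lib/mipsel-linux-gnu/libcurl-gnutls.so.4 (0x77d90000)
    libnettle.so.6 => /usr/lib/mipsel-linux-gnu/libnettle.so.6 (0x77d40000)
    libgnutls-deb0.so.28 => /usr/lib/mipsel-linux-gnu/libgnutls-deb0.so.28 (0x77c20000)
    libnettle.so.4 => /usr/lib/mipsel-linux-gnu/libnettle.so.4 (0x77bd0000)
    libstdc++.so.6 => /usr/lib/mipsel-linux-gnu/libstdc++.so.6 (0x77a80000)
    libc.so.6 => /lib/mipsel-linux-gnu/libc.so.6 (0x778f0000)
    /lib/ld.so.1 (0x77fc0000)
"""

# "<name> => <path> (<addr>)", "<name> => not found", or "<path> (<addr>)".
LDD_LINE = re.compile(
    r"^\s*(?P<name>\S+)"
    r"(?:\s+=>\s+(?P<target>not found|\S+))?"
    r"(?:\s+\(0x[0-9a-fA-F]+\))?\s*$"
)
# Split "libnettle.so.6" into stem "libnettle" and ABI version "6".
SONAME = re.compile(r"^(?P<stem>.+?)\.so(?:\.(?P<version>[0-9][\w.]*))?$")


def parse_ldd(text):
    """Return (soname, resolved_path, missing) for each library line."""
    entries = []
    for line in text.splitlines():
        m = LDD_LINE.match(line)
        if not m:
            continue  # blank lines, "statically linked", and similar
        name, target = m.group("name"), m.group("target")
        missing = target == "not found"
        path = None if missing else (target or name)
        entries.append((os.path.basename(name), path, missing))
    return entries


def soname_conflicts(text):
    """Map library stem -> sorted SONAMEs when more than one is loaded."""
    by_stem = defaultdict(set)
    for soname, _path, _missing in parse_ldd(text):
        m = SONAME.match(soname)
        if m and m.group("version"):
            by_stem[m.group("stem")].add(soname)
    return {s: sorted(n) for s, n in by_stem.items() if len(n) > 1}


def unresolved(text):
    """SONAMEs the dynamic loader could not find at all."""
    return sorted(s for s, _p, missing in parse_ldd(text) if missing)


if __name__ == "__main__":
    for stem, names in soname_conflicts(SAMPLE_LDD).items():
        print(f"{stem}: loaded as {', '.join(names)}")
```

Two SONAMEs of one library in the same process usually mean that one dependency was rebuilt against the new ABI and another was not, which is the situation the message asks about.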





Bug#774171: unrar: symlink directory traversal

2015-04-28 Thread Felix Geyer
I have filed a wheezy-pu request as bug #783659.

Felix





Bug#756819: no support for xorg-xserver 1.16

2014-08-03 Thread Felix Geyer
Control: severity -1 important

On 03.08.2014 20:16, Caitlin Matos wrote:
 I can confirm that
 https://www.virtualbox.org/download/testcase/VBoxGuestAdditions_4.3.15-95180.iso
 is working with the latest xorg packages from testing.
 
 I suggest to upload a fixed virtualbox-guest-additions-iso package with the break and to remove
 it from testing.
 It is useless at this point.
 the alternative can be to package this fixed version (taken from the bug report)
 https://www.virtualbox.org/download/testcase/VBoxGuestAdditions_4.3.15-95180.iso
 and upload again.
 
 I think is better a development iso instead of a completely broken one, specially for testing.
 
 Just my .02$
 
 Gianfranco
 
 Agreed.

virtualbox-guest-additions-iso provides an iso image with guest additions installers for all kinds
of operating systems.
How is it completely broken when it doesn't work on the development version of one of them?
As I said for Debian guests there exists the virtualbox-guest-x11 package as Debian-native way to
install guest additions.

 I have bumped this back up to grave. It is absolutely a release critical bug and, as Gianfranco
 said, the current package is completely useless.

Can we please not play the severity game? kthx

Besides, since you are using Windows as the host you are not even using this package.
The iso is something you have on the host and pass through to the guest.

Felix





Bug#756819: no support for xorg-xserver 1.16

2014-08-02 Thread Felix Geyer
Control: reassign -1 virtualbox-guest-additions-iso 4.3.14-1

Hi,

On 02.08.2014 09:34, Ritesh Raj Sarraf wrote:
 On 08/02/2014 07:28 AM, Caitlin Matos wrote:
 I apologize, I'm not sure exactly which package this should be filed
 against, but I'm pretty sure this is the correct one.

 I am on a Windows 8.1 host running Debian jessie. I updated xorg-xserver
 etc. to the current version in testing, 1.16.0-1. However, I am no
 longer able to use the X11-related guest utilities.

 The relevant output from VBoxLinuxAdditions.run in the guest additions
 ISO:

  Installing the Window System drivers
  Warning: unknown version of the X Window System installed.  Not
 installing X Window System drivers.

 Looking at the code, the issue is obvious. It is searching for
 /opt/VBoxGuestAdditions-4.3.14/lib/VBoxGuestAdditions/vboxvideo_drv_116.so,
 which does not exist.

You are using the non-free guest additions. We have no way of changing them beyond what upstream
provides.

Please uninstall them and instead install the virtualbox-guest-x11 Debian package.
It is built from source against the current Xorg server.

Cheers,
Felix





Bug#755814: kde4libs: CVE-2014-5033

2014-07-31 Thread Felix Geyer
Hi Moritz,

On Wed, 23 Jul 2014 16:05:25 +0200 Moritz Muehlenhoff j...@inutil.org wrote:
 Package: kde4libs
 Severity: grave
 Tags: security
 Justification: user security hole
 
 Hi,
 please see https://bugzilla.novell.com/show_bug.cgi?id=864716 for the original
 bug report. The upstream fix is available here:
 http://quickgit.kde.org/?p=kdelibs.gita=commith=e4e7b53b71e2659adaf52691d4accc3594203b23
 
 We should also fix this in Wheezy.

Attached is a debdiff that adds the upstream patch to kde4libs/wheezy.
I've tested that kauth still works (e.g. changing the display manager setting in system settings).
Please let me know if I can go ahead and upload it to the security archive.

Cheers,
Felix
diff -Nru kde4libs-4.8.4/debian/changelog kde4libs-4.8.4/debian/changelog
--- kde4libs-4.8.4/debian/changelog 2012-10-26 00:02:15.0 +0200
+++ kde4libs-4.8.4/debian/changelog 2014-07-31 20:39:56.0 +0200
@@ -1,3 +1,11 @@
+kde4libs (4:4.8.4-4+deb7u1) wheezy-security; urgency=medium
+
+  * Fix kauth authentication bypass. (Closes: #755814)
+- Add CVE-2014-5033.patch, cherry-picked from upstream.
+- CVE-2014-5033
+
+ -- Felix Geyer fge...@debian.org  Thu, 31 Jul 2014 20:20:00 +0200
+
 kde4libs (4:4.8.4-4) unstable; urgency=low
 
   * Backport an upstream patch to fix copying of files with extended ACLs.
diff -Nru kde4libs-4.8.4/debian/patches/CVE-2014-5033.patch 
kde4libs-4.8.4/debian/patches/CVE-2014-5033.patch
--- kde4libs-4.8.4/debian/patches/CVE-2014-5033.patch   1970-01-01 
01:00:00.0 +0100
+++ kde4libs-4.8.4/debian/patches/CVE-2014-5033.patch   2014-07-30 
21:36:06.0 +0200
@@ -0,0 +1,50 @@
+From: Martin T. H. Sandsmark martin.sandsm...@kde.org
+Date: Mon, 21 Jul 2014 20:52:40 +
+Subject: Use dbus system bus name instead of PID for authentication.
+X-Git-Url: 
http://quickgit.kde.org/?p=kdelibs.gita=commitdiffh=e4e7b53b71e2659adaf52691d4accc3594203b23
+---
+Use dbus system bus name instead of PID for authentication.
+
+Using the PID for authentication is prone to a PID reuse
+race condition, and a security issue.
+
+REVIEW: 119323
+---
+
+
+--- a/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
 b/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
+@@ -144,7 +144,7 @@
+ 
+ Action::AuthStatus Polkit1Backend::actionStatus(const QString action)
+ {
+-PolkitQt1::UnixProcessSubject subject(QCoreApplication::applicationPid());
++PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID()));
+ PolkitQt1::Authority::Result r = 
PolkitQt1::Authority::instance()-checkAuthorizationSync(action, subject,
+   
PolkitQt1::Authority::None);
+ switch (r) {
+@@ -160,21 +160,12 @@
+ 
+ QByteArray Polkit1Backend::callerID() const
+ {
+-QByteArray a;
+-QDataStream s(a, QIODevice::WriteOnly);
+-s  QCoreApplication::applicationPid();
+-
+-return a;
++return QDBusConnection::systemBus().baseService().toUtf8();
+ }
+ 
+ bool Polkit1Backend::isCallerAuthorized(const QString action, QByteArray 
callerID)
+ {
+-QDataStream s(callerID, QIODevice::ReadOnly);
+-qint64 pid;
+-
+-s  pid;
+-
+-PolkitQt1::UnixProcessSubject subject(pid);
++PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID));
+ PolkitQt1::Authority *authority = PolkitQt1::Authority::instance();
+ 
+ PolkitResultEventLoop e;
+
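Review bot: isCallerAuthorized() now builds the polkit subject straight from the callerID bytes it is handed ("PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID));"), and nothing in this hunk checks that value against the D-Bus sender of the request being authorised. Confirm that the code calling isCallerAuthorized() takes the name from the message itself or compares the two; otherwise the subject is still a caller-supplied string. A Bug-Debian field pointing at #755814 in the patch header would also help.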
diff -Nru kde4libs-4.8.4/debian/patches/series 
kde4libs-4.8.4/debian/patches/series
--- kde4libs-4.8.4/debian/patches/series2012-10-25 23:06:36.0 
+0200
+++ kde4libs-4.8.4/debian/patches/series2014-07-31 20:19:56.0 
+0200
@@ -26,3 +26,4 @@
 glibc_filesystem.diff
 python3-support-bytecode.patch
 fix-copying-of-files-with-extended-ACLs.patch
+CVE-2014-5033.patch


Bug#751853: polkit-kde-1: polkit-kde broken: bad exec path

2014-06-17 Thread Felix Geyer
Hi,

 When launching polkit auth in KDE, it fails in logs with:
 /usr/lib/polkit-1/polkit-agent-helper-1 no such file or directory

 ln -s /usr/lib/policykit-1 /usr/lib/polkit-1 fix the issue.

 polkit-kde-1 should use policykit-1 as agent path.

Are you maybe using some libpolkit* package from experimental?
In experimental the path changed from /usr/lib/policykit-1 to /usr/lib/polkit-1.
So your problem sounds a lot like a half-upgraded policykit.

Otherwise please provide instructions on how to reproduce this.

Cheers,
Felix





Bug#717364: ninja-build: diff for NMU version 1.3.4-1.2

2014-05-31 Thread Felix Geyer
tags 717364 + pending
thanks

Dear maintainer,

Upstream has accepted Steven's patch.

I've prepared an NMU for ninja-build (versioned as 1.3.4-1.2) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Felix
diff -Nru ninja-build-1.3.4/debian/changelog ninja-build-1.3.4/debian/changelog
--- ninja-build-1.3.4/debian/changelog	2013-07-18 10:09:58.0 +0200
+++ ninja-build-1.3.4/debian/changelog	2014-05-31 10:02:40.0 +0200
@@ -1,3 +1,11 @@
+ninja-build (1.3.4-1.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add gnukfreebsd.patch to fix platform detection on gnukfreebsd 9 and later.
+Thanks to Steven Chamberlain for the patch. (Closes: #717364)
+
+ -- Felix Geyer fge...@debian.org  Sat, 31 May 2014 10:01:37 +0200
+
 ninja-build (1.3.4-1.1) unstable; urgency=low
 
   * Non-maintainer upload.
diff -Nru ninja-build-1.3.4/debian/patches/gnukfreebsd.patch ninja-build-1.3.4/debian/patches/gnukfreebsd.patch
--- ninja-build-1.3.4/debian/patches/gnukfreebsd.patch	1970-01-01 01:00:00.0 +0100
+++ ninja-build-1.3.4/debian/patches/gnukfreebsd.patch	2014-05-31 10:02:48.0 +0200
@@ -0,0 +1,24 @@
+Description: Fix platform detection on Debian gnukfreebsd = 9.
+Author: Steven Chamberlain ste...@pyro.eu.org
+Forwarded: https://github.com/martine/ninja/pull/770
+
+--- a/platform_helper.py
 b/platform_helper.py
+@@ -19,7 +19,7 @@
+ 
+ def platforms():
+ return ['linux', 'darwin', 'freebsd', 'openbsd', 'solaris', 'sunos5',
+-'mingw', 'msvc', 'gnukfreebsd8']
++'mingw', 'msvc', 'gnukfreebsd']
+ 
+ class Platform( object ):
+ def __init__( self, platform):
+@@ -31,7 +31,7 @@
+ self._platform = 'linux'
+ elif self._platform.startswith('freebsd'):
+ self._platform = 'freebsd'
+-elif self._platform.startswith('gnukfreebsd8'):
++elif self._platform.startswith('gnukfreebsd'):
+ self._platform = 'freebsd'
+ elif self._platform.startswith('openbsd'):
+ self._platform = 'openbsd'
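Review bot: platforms() drops the 'gnukfreebsd8' entry in favour of 'gnukfreebsd', so a build that names the platform explicitly as gnukfreebsd8 no longer matches an entry in that list, even though Platform.__init__ would still map it to 'freebsd' through startswith('gnukfreebsd'). If the list is used to validate a user-supplied platform, keep accepting the old spelling or confirm that nothing in debian/rules passes it.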
diff -Nru ninja-build-1.3.4/debian/patches/series ninja-build-1.3.4/debian/patches/series
--- ninja-build-1.3.4/debian/patches/series	2013-07-01 01:25:05.0 +0200
+++ ninja-build-1.3.4/debian/patches/series	2014-05-31 10:02:59.0 +0200
@@ -1,3 +1,4 @@
 00bootstrap.patch
 01configure.patch
 asciidoc.patch
+gnukfreebsd.patch


Bug#748910: CVE-2014-0240: Possibility of local privilege escalation when using daemon, mode

2014-05-22 Thread Felix Geyer

On 2014-05-22 09:57, Eric Sesterhenn wrote:

 Package: libapache2-mod-wsgi
 Version: 3.3-4
 Severity: critical
 Tags: security
 Justification: root security hole

 Dear Maintainer,

 as far as I can tell, CVE-2014-0240 affects the stable package of mod-wsgi. The
 patch provided by the mod-wsgi team applies with fuzzing to the source shipped
 by debian. If a kernel = 2.6.0 and  3.1.0 is installed, this issue might
 allow local privilege escalation

I'll upload fixed packages for squeeze and wheezy later today.

Cheers,
Felix





Bug#741602: virtualbox: CVE-2014-0981 CVE-2014-0982 CVE-2014-0983

2014-04-14 Thread Felix Geyer
Hi Moritz,

On 14.03.2014 13:11, Moritz Muehlenhoff wrote:
 Package: virtualbox
 Severity: grave
 Tags: security
 Justification: user security hole
 
 Hi,
 please see 
 http://www.coresecurity.com/advisories/oracle-virtualbox-3d-acceleration-multiple-memory-corruption-vulnerabilities

Attached are tested debdiffs for squeeze- and wheezy-security.
Please let me know if I can upload them to security-master.

Cheers,
Felix
diff -u virtualbox-ose-3.2.10-dfsg/debian/changelog 
virtualbox-ose-3.2.10-dfsg/debian/changelog
--- virtualbox-ose-3.2.10-dfsg/debian/changelog
+++ virtualbox-ose-3.2.10-dfsg/debian/changelog
@@ -1,3 +1,12 @@
+virtualbox-ose (3.2.10-dfsg-1+squeeze3) squeeze-security; urgency=high
+
+  * Fix memory corruption vulnerabilities in 3D acceleration. (Closes: #741602)
+- CVE-2014-0981, CVE-2014-0983
+- Backport fixes from version 3.2.22 in debian/patches/CVE-2014-0981.patch
+  and debian/patches/CVE-2014-0983.patch
+
+ -- Felix Geyer fge...@debian.org  Mon, 14 Apr 2014 11:33:29 +0200
+
 virtualbox-ose (3.2.10-dfsg-1+squeeze2) squeeze-security; urgency=high
 
   * Apply fixes from the January 2014 security advisory. (Closes: #735410)
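
Review bot: the new changelog entry lists CVE-2014-0981 and CVE-2014-0983 but not CVE-2014-0982, which is in the title of #741602 that the entry closes. Either add CVE-2014-0982 to the list if one of the two backported patches also covers it, or say in the entry why it is left out for 3.2.10, so the bug is not closed with one of its CVEs unaccounted for.
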
diff -u virtualbox-ose-3.2.10-dfsg/debian/patches/series 
virtualbox-ose-3.2.10-dfsg/debian/patches/series
--- virtualbox-ose-3.2.10-dfsg/debian/patches/series
+++ virtualbox-ose-3.2.10-dfsg/debian/patches/series
@@ -14,0 +15,2 @@
+CVE-2014-0981.patch
+CVE-2014-0983.patch
only in patch2:
unchanged:
--- virtualbox-ose-3.2.10-dfsg.orig/debian/patches/CVE-2014-0981.patch
+++ virtualbox-ose-3.2.10-dfsg/debian/patches/CVE-2014-0981.patch
@@ -0,0 +1,52 @@
+--- a/src/VBox/GuestHost/OpenGL/util/net.c
 b/src/VBox/GuestHost/OpenGL/util/net.c
+@@ -956,7 +956,7 @@
+ conn-InstantReclaim( conn, (CRMessage *) msg );
+ }
+ 
+-
++#ifdef IN_GUEST
+ /**
+  * Called by the main receive function when we get a CR_MESSAGE_WRITEBACK
+  * message.  Writeback is used to implement glGet*() functions.
+@@ -989,7 +989,7 @@
+ (*writeback)--;
+ crMemcpy( dest_ptr, ((char *)rb) + sizeof(*rb), payload_len );
+ }
+-
++#endif
+ 
+ /**
+  * This is used by the SPUs that do packing (such as Pack, Tilesort and
+@@ -1067,13 +1067,21 @@
+ }
+ break;
+ case CR_MESSAGE_READ_PIXELS:
+-crError( Can't handle read pixels );
++crWarning( Can't handle read pixels );
+ return;
+ case CR_MESSAGE_WRITEBACK:
++#ifdef IN_GUEST
+ crNetRecvWriteback( (pRealMsg-writeback) );
++#else
++crWarning(CR_MESSAGE_WRITEBACK not expected\n);
++#endif
+ return;
+ case CR_MESSAGE_READBACK:
++#ifdef IN_GUEST
+ crNetRecvReadback( (pRealMsg-readback), len );
++#else
++crWarning(CR_MESSAGE_READBACK not expected\n);
++#endif
+ return;
+ case CR_MESSAGE_CRUT:
+ /* nothing */
+@@ -1091,7 +1099,7 @@
+ {
+ char string[128];
+ crBytesToString( string, sizeof(string), msg, len );
+-crError(crNetDefaultRecv: received a bad message: type=%d 
buf=[%s]\n
++crWarning(crNetDefaultRecv: received a bad message: type=%d 
buf=[%s]\n
+ Did you add a new message type and forget to 
tell 
+ crNetDefaultRecv() about it?\n,
+ msg-header.type, string );
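
Review bot: in the last part of this patch (the `crNetDefaultRecv: received a bad message` case) `crError` becomes `crWarning`, and the visible lines show no `return` after the call, unlike the `CR_MESSAGE_READ_PIXELS` case where the downgraded warning is followed by `return;`. If `crError` used to stop execution at that point, please confirm that nothing after the warning still touches `msg`. The patch file also starts straight at the `--- a/...` line with no header; a short description and the upstream origin (the changelog says the fix is backported from 3.2.22) would help the next person who has to refresh it.
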
only in patch2:
unchanged:
--- virtualbox-ose-3.2.10-dfsg.orig/debian/patches/CVE-2014-0983.patch
+++ virtualbox-ose-3.2.10-dfsg/debian/patches/CVE-2014-0983.patch
@@ -0,0 +1,69 @@
+--- a/src/VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py
 b/src/VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py
+@@ -46,6 +46,7 @@
+ for func_name in keys:
+ current = 0
+ array = 
++condition = 
+ m = re.search( r^(Color|Normal)([1234])(ub|b|us|s|ui|i|f|d)$, func_name 
)
+ if m :
+ current = 1
+@@ -68,6 +69,7 @@
+ name = texCoord
+ type = m.group(3) + m.group(2)
+ array = [texture-GL_TEXTURE0_ARB]
++condition = if (texture = GL_TEXTURE0_ARB  texture  
GL_TEXTURE0_ARB + CR_MAX_TEXTURE_UNITS)
+ m = re.match( r^(Index)(ub|b|us|s|ui|i|f|d)$, func_name )
+ if m :
+ current = 1
+@@ -91,18 +93,23 @@
+ name = string.lower( m.group(1)[:1] ) + m.group(1)[1:]
+ type = m.group(3) + m.group(2)
+ array = [index]
++condition = if (index  CR_MAX_VERTEX_ATTRIBS)
+ if func_name == VertexAttrib4NubARB:
+ current = 1
+ name = vertexAttrib
+ type = ub4
+ array = [index]
++condition = if (index  CR_MAX_VERTEX_ATTRIBS)
+ 
+ if current:
+ params = apiutil.Parameters(func_name)
+ print 'void SERVER_DISPATCH_APIENTRY crServerDispatch%s( %s )' % ( 
func_name, apiutil.MakeDeclarationString(params) )
+ print '{'
+-print '\tcr_server.head_spu-dispatch_table.%s( %s
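
Review bot: the two `condition` strings added for the vertex attribute cases compare `index` only against `CR_MAX_VERTEX_ATTRIBS`, while the texture case tests both ends of the range. That is sufficient only if `index` is an unsigned type in every dispatch function this script generates, so it is worth confirming against the generated C before upload.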

Bug#742994: Non-free images in warmux data package (superman logo)

2014-04-13 Thread Felix Geyer
On 29.03.2014 21:39, Grant H. wrote:
 Package: warmux-data
 Version: 1:11.04.1+repack-5
 Severity: serious
 
 See:
 * https://bugzilla.redhat.com/show_bug.cgi?id=1071866
 * https://trisquel.info/en/issues/11228
 * http://www.dccomics.com/copyright
 * http://www.dccomics.com/terms-of-use
 
 The superman logo is copyrighted and not available for redistribution.
 These files are located in
 
 warmux-11.04/data/weapon/supertux/superman.png
 warmux-11.04/data/weapon/supertux/supertux_ico.png
 warmux-11.04/data/weapon/supertux/supertux.png

If no one else has a better idea I'll just remove the S from those images
and repackage the orig tarball.

Cheers,
Felix





Bug#735410: Information on recent VBox CVEs

2014-03-09 Thread Felix Geyer
Hi,

On 09.02.2014 02:04, Moritz Mühlenhoff wrote:
 On Sun, Feb 09, 2014 at 01:14:08AM +1300, Matthew Daley wrote:
 Hi,

 I've recently released some more detailed information on these CVEs
 that can hopefully help out; see
 http://seclists.org/fulldisclosure/2014/Feb/48.
 
 Saw that, thanks for following up in the bug log.
 
 Felix, given that the scope is actually broader than local DoS
 we should handle this via -security.

I finally got around to testing the fixed packages for squeeze and wheezy.
Sorry it took so long ...

The debdiffs I posted to this bug work fine.
From my perspective they can be pushed to the security archive.
Please let me know if you want me to upload them.

Cheers,
Felix





Bug#735410: virtualbox: CVE-2013-5892 CVE-2014-0407 CVE-2014-0406 CVE-2014-0404

2014-01-28 Thread Felix Geyer
On 15.01.2014 09:19, Moritz Muehlenhoff wrote:
 Package: virtualbox
 Severity: grave
 Tags: security
 
 http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
 
 Several vulnerabilities have been reported in VirtualBox. Details are scarce, so
 please get in touch with upstream for more information on eventual backports
 to oldstable/stable. Judging from the CVSS scores this is likely only local
 denial of service, in that case we likely don't need a DSA.
 
 CVE-2013-5892   
 CVE-2014-0407
 CVE-2014-0406
 CVE-2014-0404

Upstream kindly provided a patch that fixes the 4 CVEs. Attached are yet untested
debdiffs for wheezy and squeeze.
Do you want to handle this through a security update?
According to upstream the vulnerabilities are mostly about users on the VM being able
to crash their VM. No ways to execute code on the host are known.

 In addition CVE-2014-0405 seems to affect virtualbox-guest-additions-iso from non-free

I guess we can't really fix that. The only option would be to upgrade the package
to 4.1.30 / 3.2.12.

Regards,
Felix
diff -Nru virtualbox-4.1.18-dfsg/debian/changelog 
virtualbox-4.1.18-dfsg/debian/changelog
--- virtualbox-4.1.18-dfsg/debian/changelog 2013-03-31 20:45:33.0 
+0200
+++ virtualbox-4.1.18-dfsg/debian/changelog 2014-01-28 21:18:42.0 
+0100
@@ -1,3 +1,11 @@
+virtualbox (4.1.18-dfsg-2+deb7u2) wheezy; urgency=high
+
+  * Apply fixes from the January 2014 security advisory. (Closes: #735410)
+- Add debian/patches/38-security-fixes-2014-01.patch
+- CVE-2013-5892, CVE-2014-0407, CVE-2014-0406, CVE-2014-0404
+
+ -- Felix Geyer fge...@debian.org  Tue, 28 Jan 2014 21:12:21 +0100
+
 virtualbox (4.1.18-dfsg-2+deb7u1) unstable; urgency=high
 
   * Fix build failure with the Debian wheezy kernel which backports the drm
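
Review bot: the new changelog entry targets `wheezy`, while the question in this mail is whether the update should go out as a security update. If it goes through the security archive the distribution field needs to be `wheezy-security`, as the squeeze uploads in this bug log use `squeeze-security`; decide the route first and set the field to match before building the final package.
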
diff -Nru virtualbox-4.1.18-dfsg/debian/patches/38-security-fixes-2014-01.patch 
virtualbox-4.1.18-dfsg/debian/patches/38-security-fixes-2014-01.patch
--- virtualbox-4.1.18-dfsg/debian/patches/38-security-fixes-2014-01.patch   
1970-01-01 01:00:00.0 +0100
+++ virtualbox-4.1.18-dfsg/debian/patches/38-security-fixes-2014-01.patch   
2014-01-28 21:20:29.0 +0100
@@ -0,0 +1,471 @@
+--- a/include/VBox/VMMDev.h
 b/include/VBox/VMMDev.h
+@@ -114,6 +114,10 @@
+ 
+ /** Maximum request packet size. */
+ #define VMMDEV_MAX_VMMDEVREQ_SIZE   _1M
++/** Maximum number of HGCM parameters. */
++#define VMMDEV_MAX_HGCM_PARMS   1024
++/** Maximum total size of hgcm buffers in one call. */
++#define VMMDEV_MAX_HGCM_DATA_SIZE   UINT32_C(0x7FFF)
+ 
+ /**
+  * VMMDev request types.
+--- a/src/VBox/Devices/Graphics/DevVGA_VBVA.cpp
 b/src/VBox/Devices/Graphics/DevVGA_VBVA.cpp
+@@ -613,6 +613,13 @@
+ 
+ if (fShape)
+ {
++ if (pShape-u32Width  8192 || pShape-u32Height  8192)
++ {
++ Log((vbvaMousePointerShape: unsupported size %ux%u\n,
++   pShape-u32Width, pShape-u32Height));
++ return VERR_INVALID_PARAMETER;
++ }
++
+  cbPointerData = pShape-u32Width + 7) / 8) * pShape-u32Height + 
3)  ~3)
+  + pShape-u32Width * 4 * pShape-u32Height;
+ }
+--- a/src/VBox/Devices/VMMDev/VMMDev.cpp
 b/src/VBox/Devices/VMMDev/VMMDev.cpp
+@@ -795,6 +795,20 @@
+ 
+ #endif /* VBOX_WITH_PAGE_SHARING */
+ 
++static int vmmdevVerifyPointerShape(VMMDevReqMousePointer *pReq)
++{
++/* Should be enough for most mouse pointers. */
++if (pReq-width  8192 || pReq-height  8192)
++return VERR_INVALID_PARAMETER;
++
++uint32_t cbShape = (pReq-width + 7) / 8 * pReq-height; /* size of the 
AND mask */
++cbShape = ((cbShape + 3)  ~3) + pReq-width * 4 * pReq-height; /* + gap 
+ size of the XOR mask */
++if (RT_UOFFSETOF(VMMDevReqMousePointer, pointerData) + cbShape  
pReq-header.size)
++return VERR_INVALID_PARAMETER;
++
++return VINF_SUCCESS;
++}
++
+ /**
+  * Port I/O Handler for the generic request interface
+  * @see FNIOMIOPORTOUT for details.
+@@ -1163,6 +1177,10 @@
+ /* forward call to driver */
+ if (fShape)
+ {
++pRequestHeader-rc = 
vmmdevVerifyPointerShape(pointerShape);
++if (RT_FAILURE(pRequestHeader-rc))
++break;
++
+ pThis-pDrv-pfnUpdatePointerShape(pThis-pDrv,
+fVisible,
+fAlpha,
+--- a/src/VBox/Devices/VMMDev/VMMDevHGCM.cpp
 b/src/VBox/Devices/VMMDev/VMMDevHGCM.cpp
+@@ -97,6 +97,9 @@
+  */
+ VBOXHGCMSVCPARM *paHostParms;
+ 
++/* Number of elements in paHostParms */
++uint32_t cHostParms;
++
+ /* Linear pointer parameters information. */
+ int cLinPtrs;
+ 
+@@ -250,8 +253,6 @@
+ {
+ int rc = VINF_SUCCESS;
+ 
+-AssertRelease (u32Size  0);
+-
+ VBOXHGCMLINPTR *pLinPtr
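
Review bot: in the `DevVGA_VBVA.cpp` part the added check only caps `u32Width` and `u32Height` at 8192; the visible lines do not compare the resulting `cbPointerData` with the size of the buffer the guest actually supplied, which is what the new `vmmdevVerifyPointerShape()` does against `header.size` in `VMMDev.cpp`. The cap bounds the arithmetic but not the copy, so please confirm that the VBVA path has an equivalent length check outside the lines shown here, or add one. Since the debdiffs are described as untested, a test with an oversized pointer shape from a guest would be the one to run first.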

Bug#729740: debian/copyright appears to list the wrong license

2013-11-23 Thread Felix Geyer
Control: tags -1 patch

Attached is a patch with copyright file updates.

Cheers,
Felix

diff -Nru ipe-7.1.4/debian/copyright ipe-7.1.4/debian/copyright
--- ipe-7.1.4/debian/copyright	2008-11-07 11:14:17.0 +0100
+++ ipe-7.1.4/debian/copyright	2013-11-23 15:28:03.0 +0100
@@ -4,33 +4,39 @@
 It was downloaded from: http://ipe.compgeom.org/ 
 Current site: http://tclab.kaist.ac.kr/ipe/
 
-Copyright (C) 1993-2007 Otfried Cheong
+Copyright (C) 1993-2013 Otfried Cheong
+Copyright (C) 2003 Kepler Project
 
-This program is free software; you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation; either version 2 of the License, or (at
-your option) any later version.
-
-As a special exception, you have permission to link Ipe with the CGAL
-library and distribute executables, as long as you follow the
-requirements of the Gnu General Public License in regard to all of the
-software in the executable aside from CGAL.
-
-This program is distributed in the hope that it will be useful, but
-WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-General Public License for more details.
+Ipe is free software; you can redistribute it and/or modify it
+under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 3 of the License, or
+(at your option) any later version.
+
+As a special exception, you have permission to link Ipe with the
+CGAL library and distribute executables, as long as you follow the
+requirements of the Gnu General Public License in regard to all of
+the software in the executable aside from CGAL.
+
+Ipe is distributed in the hope that it will be useful, but WITHOUT
+ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public
+License for more details.
 
-Version 2 of the GPL may be found in /usr/share/common-licenses/GPL-2
+Version 3 of the GPL may be found in /usr/share/common-licenses/GPL-3
 
 
 
 Ipe uses the Zlib library by Jean-loup Gailly and Mark Adler
 (www.gzip.org/zlib), the Freetype~2 library by David Turner, Robert
 Wilhelm, and Werner Lemberg (www.freetype.org), as well as some code
-from Xpdf by Derek B. Noonburg (www.foolabs.com/xpdf).
+from Xpdf by Derek B. Noonburg (www.foolabs.com/xpdf) and pdfTeX by
+Han The Thanh th...@pdftex.org.
 
 
 
-Xpdf is icensed under the GNU General Public License (GPL), version 2.
+Xpdf is icensed under the GNU General Public License (GPL), version 2 and 3.
 
+
+
+pdfTeX is licensed under the GNU General Public License (GPL) either version 2
+of the License, or (at your option) any later version.
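
Review bot: the added line `Xpdf is icensed under the GNU General Public License (GPL), version 2 and 3.` carries over the "icensed" typo from the line it replaces, and "version 2 and 3" reads as if both apply at once; if Xpdf is offered under either version, say "version 2 or version 3". The file now points only to `/usr/share/common-licenses/GPL-3`, but the Xpdf line and the new pdfTeX paragraph both mention version 2, so a pointer to `GPL-2` should stay as well.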


Bug#725511: yorick-gl: FTBFS: No rule to make target `check.i', needed by `check-dll'

2013-11-23 Thread Felix Geyer
Control: tags -1 patch

yorick-gl doesn't seem to ship unit tests so making dh_auto_test
seems to be a sensible thing to do:

diff -Nru yorick-gl-1.1+cvs20070922+dfsg/debian/rules 
yorick-gl-1.1+cvs20070922+dfsg/debian/rules
--- yorick-gl-1.1+cvs20070922+dfsg/debian/rules2012-06-28 
15:40:38.0 +0200
+++ yorick-gl-1.1+cvs20070922+dfsg/debian/rules2013-11-23 
16:06:36.0 +0100
@@ -20,6 +20,8 @@
 #CFLAGS=$(CFLAGS) ./configure
 # also make sure yorz.doc is not built (or installed)
 
+override_dh_auto_test:
+# make check fails and upstream doesn't actually ship unit tests
 
 override_dh_auto_clean:
 touch Makegl





Bug#718139: zeroc-icee-translators: FTBFS: Trying patch debian/patches/10-add-common-flags.patch at level 1 ... 0 ... 2 ... failure.

2013-11-23 Thread Felix Geyer
Control: tags -1 patch

Make.rules.GNU and Make.rules.GNU_kFreeBSD are just symlinks to
Make.rules.Linux so the patch should only be applied to Make.rules.Linux.
A patch for the patch is attached.

Cheers,
Felix

diff -u zeroc-icee-translators-1.2.0/debian/patches/10-add-common-flags.patch zeroc-icee-translators-1.2.0/debian/patches/10-add-common-flags.patch
--- zeroc-icee-translators-1.2.0/debian/patches/10-add-common-flags.patch
+++ zeroc-icee-translators-1.2.0/debian/patches/10-add-common-flags.patch
@@ -1,27 +1,3 @@
-diff -Nur zeroc-icee-translators-1.2.0/config/Make.rules.GNU zeroc-icee-translators-1.2.0.new/config/Make.rules.GNU
 zeroc-icee-translators-1.2.0/config/Make.rules.GNU	2007-01-15 16:49:09.0 +0100
-+++ zeroc-icee-translators-1.2.0.new/config/Make.rules.GNU	2007-05-16 11:07:44.0 +0200
-@@ -83,7 +83,7 @@
-   lp64suffix	= 64
-endif
- 
--   CXXFLAGS		= $(CXXARCHFLAGS) -ftemplate-depth-128 -Wall -D_REENTRANT
-+   CXXFLAGS		= $(CXXARCHFLAGS) -ftemplate-depth-128 -Wall -D_REENTRANT -DHAVE_ENDIAN_H -DHAVE_LIMITS_H
- 
-ifeq ($(STATICLIBS),)
-   CXXFLAGS		+= -fPIC
-diff -Nur zeroc-icee-translators-1.2.0/config/Make.rules.GNU_kFreeBSD zeroc-icee-translators-1.2.0.new/config/Make.rules.GNU_kFreeBSD
 zeroc-icee-translators-1.2.0/config/Make.rules.GNU_kFreeBSD	2007-01-15 16:49:09.0 +0100
-+++ zeroc-icee-translators-1.2.0.new/config/Make.rules.GNU_kFreeBSD	2007-05-16 11:07:44.0 +0200
-@@ -83,7 +83,7 @@
-   lp64suffix	= 64
-endif
- 
--   CXXFLAGS		= $(CXXARCHFLAGS) -ftemplate-depth-128 -Wall -D_REENTRANT
-+   CXXFLAGS		= $(CXXARCHFLAGS) -ftemplate-depth-128 -Wall -D_REENTRANT -DHAVE_ENDIAN_H -DHAVE_LIMITS_H
- 
-ifeq ($(STATICLIBS),)
-   CXXFLAGS		+= -fPIC
 diff -Nur zeroc-icee-translators-1.2.0/config/Make.rules.Linux zeroc-icee-translators-1.2.0.new/config/Make.rules.Linux
 --- zeroc-icee-translators-1.2.0/config/Make.rules.Linux	2007-01-15 16:49:09.0 +0100
 +++ zeroc-icee-translators-1.2.0.new/config/Make.rules.Linux	2007-05-16 11:07:44.0 +0200


Bug#718004: paramiko-doc: fails to upgrade from 'wheezy' - trying to overwrite /usr/share/doc-base/python-paramiko

2013-11-22 Thread Felix Geyer
Control: tags -1 patch

Proper Breaks/Replaces is missing for paramiko-doc:

diff -Nru paramiko-1.10.1/debian/control paramiko-1.10.1/debian/control
--- paramiko-1.10.1/debian/control2013-05-27 07:07:38.0 +0200
+++ paramiko-1.10.1/debian/control2013-11-22 23:40:37.0 +0100
@@ -17,6 +17,8 @@
 Section: doc
 Architecture: all
 Depends: ${misc:Depends}
+Breaks: python-paramiko ( 1.10.1-1~)
+Replaces: python-paramiko ( 1.10.1-1~)
 Description: Make ssh v2 connections with Python (Documentation)
  This is a library for making SSH2 connections (client or server).
  Emphasis is on using SSH2 as an alternative to SSL for making secure
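
Review bot: the version in the new `Breaks`/`Replaces` lines has to be the first python-paramiko version that no longer ships `/usr/share/doc-base/python-paramiko`; please say in the changelog that `1.10.1-1~` is that boundary, because a bound that is too low leaves the wheezy upgrade failing exactly as reported. As rendered here the restriction `( 1.10.1-1~)` shows no relation operator, so also check that the applied patch really contains `<<`.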





Bug#728869: gammaray FTBFS: build failed on post-compile-test on mips/mipsel

2013-11-09 Thread Felix Geyer
Control: forwarded -1 https://github.com/KDAB/GammaRay/issues/63
Control: severity -1 important

I see you've already forwarded it upstream, so hopefully
it will be fixed soon.
I'm downgrading the severity as gammaray never built on mips*.

Cheers,
Felix





Bug#728585: FTBFS: cp: not writing through dangling symlink

2013-11-03 Thread Felix Geyer
Source: jenkins-job-builder
Version: 0.5.0-1
Severity: serious
Tags: patch
Justification: fails to build from source

jenkins-job-builder 0.5.0-1 fails to build from source, see the build log below.
The problem seems to be that dh_link is called too early. dh_installdocs/cp then
refuses to overwrite the dangling symlinks.
Note that dh_link X Y also processes the links config files.

This patch should fix the problem:

diff -Nru jenkins-job-builder-0.5.0/debian/links 
jenkins-job-builder-0.5.0/debian/links
--- jenkins-job-builder-0.5.0/debian/links  2013-07-28 16:32:22.0 
+0200
+++ jenkins-job-builder-0.5.0/debian/links  2013-11-03 12:50:11.0 
+0100
@@ -5,3 +5,5 @@
 # Overwrite underscore.js from upstream tarball with a link to 
underscore.min.js
 # provided by Underscore Debian package
 /usr/share/javascript/underscore/underscore.min.js 
usr/share/doc/jenkins-job-builder/html/_static/underscore.js
+
+/usr/share/jenkins-job-builder/jenkins-jobs usr/bin/jenkins-jobs
diff -Nru jenkins-job-builder-0.5.0/debian/rules 
jenkins-job-builder-0.5.0/debian/rules
--- jenkins-job-builder-0.5.0/debian/rules  2013-07-28 16:32:22.0 
+0200
+++ jenkins-job-builder-0.5.0/debian/rules  2013-11-03 12:50:05.0 
+0100
@@ -21,7 +21,6 @@
dh_install
mv debian/jenkins-job-builder/usr/bin/jenkins-jobs \
debian/jenkins-job-builder/usr/share/jenkins-job-builder
-   dh_link /usr/share/jenkins-job-builder/jenkins-jobs 
/usr/bin/jenkins-jobs
 
 override_dh_installchangelogs:
dh_installchangelogs ChangeLog


Build log:
   debian/rules override_dh_install
make[1]: Entering directory `/tmp/buildd/jenkins-job-builder-0.5.0'
dh_install
mv debian/jenkins-job-builder/usr/bin/jenkins-jobs \
debian/jenkins-job-builder/usr/share/jenkins-job-builder
dh_link /usr/share/jenkins-job-builder/jenkins-jobs /usr/bin/jenkins-jobs
make[1]: Leaving directory `/tmp/buildd/jenkins-job-builder-0.5.0'
   dh_installdocs
cp: not writing through dangling symlink 
'/tmp/buildd/jenkins-job-builder-0.5.0/debian/jenkins-job-builder/usr/share/doc/jenkins-job-builder/html/_static/jquery.js'
cp: not writing through dangling symlink 
'/tmp/buildd/jenkins-job-builder-0.5.0/debian/jenkins-job-builder/usr/share/doc/jenkins-job-builder/html/_static/underscore.js'
dh_installdocs: cd 'build/docs/html/..'  find 'html' \( -type f -or -type l 
\) -and ! -empty -print0 | xargs -0 -I {} cp --parents -dp {} 
/tmp/buildd/jenkins-job-builder-0.5.0/debian/jenkins-job-builder/usr/share/doc/jenkins-job-builder
 returned exit code 123
make: *** [binary] Error 123
dpkg-buildpackage: error: fakeroot debian/rules binary gave error exit status 2


Regards,
Felix





Bug#728586: FTBFS: missing build-dependency on dh-autoreconf

2013-11-03 Thread Felix Geyer
Package: gramadoir
Version: 0.7-1
Severity: serious
Tags: patch
Justification: fails to build from source

gramadoir lacks a build-dependency on dh-autoreconf.

Trivial patch (dh-autoreconf pulls in all the auto* packages it needs):

diff -Nru gramadoir-0.7/debian/control gramadoir-0.7/debian/control
--- gramadoir-0.7/debian/control2013-10-15 11:07:41.0 +0200
+++ gramadoir-0.7/debian/control2013-11-03 13:05:41.0 +0100
@@ -2,7 +2,7 @@
 Section: misc
 Priority: optional
 Maintainer: Alastair McKinstry mckins...@debian.org
-Build-Depends: debhelper (= 9), autotools-dev
+Build-Depends: debhelper (= 9), dh-autoreconf
 Build-Depends-Indep: libstring-approx-perl, liblocale-po-perl
 Homepage: http://borel.slu.edu/gramadoir/index.html
 Standards-Version: 3.9.4


Build log:

dpkg-buildpackage: host architecture amd64
 fakeroot debian/rules clean
dh clean --with autoreconf
dh: unable to load addon autoreconf: Can't locate 
Debian/Debhelper/Sequence/autoreconf.pm in @INC (you may need to install the 
Debian::Debhelper::Sequence::autoreconf module) (@INC contains: /etc/perl 
/usr/local/lib/perl/5.18.1 /usr/local/share/perl/5.18.1 /usr/lib/perl5 
/usr/share/perl5 /usr/lib/perl/5.18 /usr/share/perl/5.18 
/usr/local/lib/site_perl .) at (eval 10) line 2.
BEGIN failed--compilation aborted at (eval 10) line 2.

make: *** [clean] Error 2
dpkg-buildpackage: error: fakeroot debian/rules clean gave error exit status 2


Regards,
Felix





Bug#728588: FTBFS: test requires internet connectivity

2013-11-03 Thread Felix Geyer
Package: libnet-https-nb-perl
Version: 0.20-1
Severity: serious
Justification: fails to build from source

This package requires internet connectivity for its test suite
to pass. Package builds must not rely on external network
connectivity, but should be self-contained.

t/proxy-with-https.t tries to fetch 
https://www.google.co.uk/images/srpr/logo4w.png

Build log:

   dh_auto_test
make[1]: Entering directory `/tmp/buildd/libhttp-async-perl-0.20'
PERL_DL_NONLAZY=1 /usr/bin/perl -MExtUtils::Command::MM -e test_harness(0, 
'blib/lib', 'blib/arch') t/*.t
t/bad-connections.t ... ok
t/bad-headers.t ... ok
t/bad-hosts.t . ok
t/dead-connection.t ... ok
t/headers.t ... ok
t/local-addr.t  skipped: test requires Sys::HostIP to be installed
t/make-url-absolute.t . ok
t/not-modified.t .. ok
t/pod-coverage.t .. ok
t/pod.t ... ok
t/polite.t  ok
t/poll-interval.t . ok

#   Failed test 'check for proxy header 'yes''
#   at t/proxy-with-https.t line 47.
#  got: ''
# expected: 'yes'
# Looks like you failed 1 test of 5.
t/proxy-with-https.t .. 
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/5 subtests 
t/proxy.t . ok
t/real-servers.t .. skipped: enable these tests by setting REAL_SERVERS
t/redirects.t . ok
t/release-cpan-changes.t .. skipped: install Test::CPAN::Changes to run this 
test
t/setup.t . ok
t/strip-host-from-uri.t ... ok
t/template.t .. skipped: just a template to base other tests on
t/timeout.t ... ok

Test Summary Report
---
t/proxy-with-https.t(Wstat: 256 Tests: 5 Failed: 1)
  Failed test:  5
  Non-zero exit status: 1
Files=21, Tests=163, 37 wallclock secs ( 0.09 usr  0.03 sys +  2.56 cusr  0.44 
csys =  3.12 CPU)
Result: FAIL
Failed 1/21 test programs. 1/163 subtests failed.
make[1]: *** [test_dynamic] Error 255
make[1]: Leaving directory `/tmp/buildd/libhttp-async-perl-0.20'
dh_auto_test: make -j1 test returned exit code 2
make: *** [build] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2





Bug#725942: libapache2-mod-fcgid: CVE-2013-4365

2013-10-10 Thread Felix Geyer
On 10.10.2013 09:06, Moritz Muehlenhoff wrote:
 Package: libapache2-mod-fcgid
 Severity: grave
 Tags: security
 Justification: user security hole
 
 This was assigned CVE-2013-4365:
 http://www.mail-archive.com/dev@httpd.apache.org/msg58077.html
 
 Isolated patch:
 https://mail-archives.apache.org/mod_mbox/httpd-cvs/201309.mbox/%3c20130929174048.13b962388...@eris.apache.org%3E
 
 Can you prepare updated packages for oldstable/stable and contact 
 t...@security.debian.org ?
 http://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security

I've prepared updates for wheezy and squeeze, see the attached debdiffs.
Please let me know if I should upload these.

Cheers,
Felix
diff -u libapache2-mod-fcgid-2.3.6/debian/changelog 
libapache2-mod-fcgid-2.3.6/debian/changelog
--- libapache2-mod-fcgid-2.3.6/debian/changelog
+++ libapache2-mod-fcgid-2.3.6/debian/changelog
@@ -1,3 +1,10 @@
+libapache2-mod-fcgid (1:2.3.6-1+squeeze2) squeeze-security; urgency=high
+
+  * Fix CVE-2013-4365: heap buffer overwrite. (Closes: #725942)
+- Add debian/patches/30_CVE-2013-4365.dpatch
+
+ -- Felix Geyer fge...@debian.org  Thu, 10 Oct 2013 21:21:29 +0200
+
 libapache2-mod-fcgid (1:2.3.6-1+squeeze1) stable-security; urgency=high
 
   * Non-maintainer upload.
diff -u libapache2-mod-fcgid-2.3.6/debian/patches/00list 
libapache2-mod-fcgid-2.3.6/debian/patches/00list
--- libapache2-mod-fcgid-2.3.6/debian/patches/00list
+++ libapache2-mod-fcgid-2.3.6/debian/patches/00list
@@ -2,0 +3 @@
+30_CVE-2013-4365.dpatch
only in patch2:
unchanged:
--- libapache2-mod-fcgid-2.3.6.orig/debian/patches/30_CVE-2013-4365.dpatch
+++ libapache2-mod-fcgid-2.3.6/debian/patches/30_CVE-2013-4365.dpatch
@@ -0,0 +1,35 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## DP: Fix CVE-2013-4365: heap buffer overwrite
+## DP: Origin: https://svn.apache.org/viewvc?view=revisionrevision=r1527362
+
+@DPATCH@
+
+--- a/modules/fcgid/fcgid_bucket.c
 b/modules/fcgid/fcgid_bucket.c
+@@ -112,10 +112,12 @@
+ if (header.type == FCGI_STDERR) {
+ char *logbuf = apr_bucket_alloc(APR_BUCKET_BUFF_SIZE, b-list);
+ char *line;
++apr_size_t hasput;
+ 
+ memset(logbuf, 0, APR_BUCKET_BUFF_SIZE);
+ 
+ hasread = 0;
++hasput = 0;
+ while (hasread  bodysize) {
+ char *buffer;
+ apr_size_t bufferlen, canput, willput;
+@@ -130,9 +132,10 @@
+ 
+ canput = fcgid_min(bufferlen, bodysize - hasread);
+ willput =
+-fcgid_min(canput, APR_BUCKET_BUFF_SIZE - hasread - 1);
+-memcpy(logbuf + hasread, buffer, willput);
++fcgid_min(canput, APR_BUCKET_BUFF_SIZE - hasput - 1);
++memcpy(logbuf + hasput, buffer, willput);
+ hasread += canput;
++hasput += willput;
+ 
+ /* Ignore the canput bytes */
+ fcgid_ignore_bytes(ctx, canput);
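
Review bot: the new bound `APR_BUCKET_BUFF_SIZE - hasput - 1` is computed in `apr_size_t`, so it is safe only because `hasput` can never exceed `APR_BUCKET_BUFF_SIZE - 1`: every `willput` is clamped to that remainder before `hasput += willput`. That invariant deserves a one-line comment next to `willput`, since the old code went wrong once the counter used for the bound (`hasread`, which advances by `canput`) passed the buffer size. Note also that once the buffer is full `willput` is 0 and the rest of the `FCGI_STDERR` body is dropped silently; a single truncation notice in the log would make that visible to the admin.
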
diff -u libapache2-mod-fcgid-2.3.6/debian/changelog 
libapache2-mod-fcgid-2.3.6/debian/changelog
--- libapache2-mod-fcgid-2.3.6/debian/changelog
+++ libapache2-mod-fcgid-2.3.6/debian/changelog
@@ -1,3 +1,10 @@
+libapache2-mod-fcgid (1:2.3.6-1.2+deb7u1) wheezy-security; urgency=high
+
+  * Fix CVE-2013-4365: heap buffer overwrite. (Closes: #725942)
+- Add debian/patches/40_CVE-2013-4365.dpatch
+
+ -- Felix Geyer fge...@debian.org  Thu, 10 Oct 2013 20:02:54 +0200
+
 libapache2-mod-fcgid (1:2.3.6-1.2) unstable; urgency=low
 
   * Non-maintainer upload.
diff -u libapache2-mod-fcgid-2.3.6/debian/patches/00list 
libapache2-mod-fcgid-2.3.6/debian/patches/00list
--- libapache2-mod-fcgid-2.3.6/debian/patches/00list
+++ libapache2-mod-fcgid-2.3.6/debian/patches/00list
@@ -3,0 +4 @@
+40_CVE-2013-4365.dpatch
only in patch2:
unchanged:
--- libapache2-mod-fcgid-2.3.6.orig/debian/patches/40_CVE-2013-4365.dpatch
+++ libapache2-mod-fcgid-2.3.6/debian/patches/40_CVE-2013-4365.dpatch
@@ -0,0 +1,35 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## DP: Fix CVE-2013-4365: heap buffer overwrite
+## DP: Origin: https://svn.apache.org/viewvc?view=revisionrevision=r1527362
+
+@DPATCH@
+
+--- a/modules/fcgid/fcgid_bucket.c
 b/modules/fcgid/fcgid_bucket.c
+@@ -112,10 +112,12 @@
+ if (header.type == FCGI_STDERR) {
+ char *logbuf = apr_bucket_alloc(APR_BUCKET_BUFF_SIZE, b-list);
+ char *line;
++apr_size_t hasput;
+ 
+ memset(logbuf, 0, APR_BUCKET_BUFF_SIZE);
+ 
+ hasread = 0;
++hasput = 0;
+ while (hasread  bodysize) {
+ char *buffer;
+ apr_size_t bufferlen, canput, willput;
+@@ -130,9 +132,10 @@
+ 
+ canput = fcgid_min(bufferlen, bodysize - hasread);
+ willput =
+-fcgid_min(canput, APR_BUCKET_BUFF_SIZE - hasread - 1);
+-memcpy(logbuf + hasread, buffer, willput);
++fcgid_min(canput, APR_BUCKET_BUFF_SIZE - hasput - 1);
++memcpy(logbuf + hasput, buffer, willput);
+ hasread += canput;
++hasput

Bug#722570: pyudev: diff for NMU version 0.16.1-1.1

2013-09-16 Thread Felix Geyer
Hi,

On 13.09.2013 18:48, Luk Claes wrote:
 Dear maintainer,
 
 I've prepared an NMU for pyudev (versioned as 0.16.1-1.1) and
 uploaded it to DELAYED/07. Please feel free to tell me if I
 should delay it longer.

Thanks for the NMU, it looks good except it doesn't include the changes
staged in the SVN repo.
I've canceled the NMU and re-uploaded the package with those changes.

Cheers,
Felix





Bug#696011: fix is missing

2013-08-12 Thread Felix Geyer
On 12.08.2013 17:55, Daniel Pocock wrote:
 
 This bug was supposedly serious and marked RC and then marked done
 
 The fixed version was apparently uploaded but is not available in stable

The bug affected experimental and later unstable and is fixed in both.
wheezy was never affected by this because the wheezy kernel is based on
v3.2.

 Can somebody please comment on this?  How can somebody running wheezy
 use this fix?  Or should the bug be re-opened?

Apparently you already reopened the bug for whatever reason.
It shouldn't be surprising that external kernel modules don't work with
the latest kernel version since the API is constantly changing.

The latest version of virtualbox is in wheezy-backports which is compatible
with the kernel from wheezy-backports.

Felix





Bug#696011: fix is missing

2013-08-12 Thread Felix Geyer
On 12.08.2013 18:45, Daniel Pocock wrote:
 On 12/08/13 18:40, Felix Geyer wrote:
 On 12.08.2013 17:55, Daniel Pocock wrote:
 This bug was supposedly serious and marked RC and then marked done

 The fixed version was apparently uploaded but is not available in stable
 The bug affected experimental and later unstable and is fixed in both.
 wheezy was never affected by this because the wheezy kernel is based on
 v3.2.
 
 The comments suggest that it also impacts guests, although it doesn't
 appear that patching the host's kernel module has any impact on the
 guest in this case.

Both the host and guest kernel modules from wheezy are not compatible with
kernel 3.7.
Why are you concerned about the guest modules? Do you need to run wheezy
with a sid kernel as a guest as well?

 Can somebody please comment on this?  How can somebody running wheezy
 use this fix?  Or should the bug be re-opened?
 Apparently you already reopened the bug for whatever reason.
 It shouldn't be surprising that external kernel modules don't work with
 the latest kernel version since the API is constantly changing.

 The latest version of virtualbox is in wheezy-backports which is compatible
 with the kernel from wheezy-backports.
 
 An unrelated kernel issue on Thinkpads prevents me running the wheezy
 kernel (I put up with it crashing every day for 2 weeks and then had to
 take a kernel from sid).
 
 It was relatively easy for me to copy the patch into /usr/src on my
 wheezy box and the dkms builds the module successfully - I suspect I
 will not be the only person to come across this type of scenario during
 the life of wheezy

That's why the latest virtualbox version is in wheezy-backports.
I don't think adding patches for unsupported kernels is suitable for
stable updates.

Felix





Bug#712301: more info needed on node-oauth FTBFS

2013-07-27 Thread Felix Geyer
Hi Laszlo,

On 27.07.2013 10:38, Laszlo Boszormenyi (GCS) wrote:
 tags 712301 moreinfo unreproducible
 thanks
 
 Hi Felix,
 
  I build my packages in a clear pbuilder chroot before uploading. As I
 know, it doesn't have any internet connection. Now I've tried to rebuild
 node-oauth with an unplugged ethernet cable. It still builds.
  On the other hand, your bugreport states the exception occurs in
 events.js which was called from dns.js . Neither one is present in my
 pbuilder chroot and package builds fine.

Maybe you still had the relevant entries in a local DNS cache?
test/internet/test-dns.js definitely checks all sorts of internet
hostnames like www.google.com, gmail.com, rackspace.com 
dns.js and events.js are built into nodejs (see lib/dns.js in the nodejs
source package).

 I suspect your build tree was polluted and I may build-conflict on some
 other package. Please re-try the build process and put online the full
 build log somewhere if it fails there. If not, please close your
 bugreport.

It's a minimal pbuilder chroot, see the attached full build log.

Cheers,
Felix

I: Using pkgname logfile
I: Current time: Sat Jul 27 10:53:01 CEST 2013
I: pbuilder-time-stamp: 1374915181
I: Installing the build-deps
 - Attempting to satisfy build-dependencies
 - Creating pbuilder-satisfydepends-dummy package
Package: pbuilder-satisfydepends-dummy
Version: 0.invalid.0
Architecture: amd64
Maintainer: Debian Pbuilder Team pbuilder-ma...@lists.alioth.debian.org
Description: Dummy package to satisfy dependencies with apt - created by 
pbuilder
 This package was created automatically by pbuilder to satisfy the
 build-dependencies of the package being currently built.
Depends: debhelper (= 9), node-vows (= 0.5)
dpkg-deb: building package `pbuilder-satisfydepends-dummy' in 
`/tmp/satisfydepends-apt/pbuilder-satisfydepends-dummy.deb'.
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
The following extra packages will be installed:
  bsdmainutils debhelper file gettext gettext-base groff-base intltool-debian
  libasprintf0c2 libc-ares2 libcroco3 libev4 libffi6 libglib2.0-0 libmagic1
  libpipeline1 libssl1.0.0 libunistring0 libv8-3.8.9.20 libxml2 man-db
  node-diff node-eyes node-vows nodejs po-debconf
Suggested packages:
  wamerican wordlist whois vacation dh-make gettext-doc groff less www-browser
  libmail-box-perl
Recommended packages:
  curl wget lynx-cur autopoint libasprintf-dev libgettextpo-dev
  libglib2.0-data shared-mime-info xml-core coffeescript libmail-sendmail-perl
The following NEW packages will be installed:
  bsdmainutils debhelper file gettext gettext-base groff-base intltool-debian
  libasprintf0c2 libc-ares2 libcroco3 libev4 libffi6 libglib2.0-0 libmagic1
  libpipeline1 libssl1.0.0 libunistring0 libv8-3.8.9.20 libxml2 man-db
  node-diff node-eyes node-vows nodejs pbuilder-satisfydepends-dummy
  po-debconf
0 upgraded, 26 newly installed, 0 to remove and 0 not upgraded.
Need to get 12.5 MB/12.5 MB of archives.
After this operation, 34.8 MB of additional disk space will be used.
Get:1 http://[fd2a:4006:773a::1]:3142/ftp.debian.org/debian/ sid/main 
libpipeline1 amd64 1.2.4-1 [41.0 kB]
Get:2 http://[fd2a:4006:773a::1]:3142/ftp.debian.org/debian/ sid/main 
libssl1.0.0 amd64 1.0.1e-3 [1242 kB]
Get:3 http://[fd2a:4006:773a::1]:3142/ftp.debian.org/debian/ sid/main 
groff-base amd64 1.22.2-3 [747 kB]
Get:4 http://[fd2a:4006:773a::1]:3142/ftp.debian.org/debian/ sid/main 
bsdmainutils amd64 9.0.5 [211 kB]
Get:5 http://[fd2a:4006:773a::1]:3142/ftp.debian.org/debian/ sid/main man-db 
amd64 2.6.5-2 [976 kB]
Get:6 http://[fd2a:4006:773a::1]:3142/ftp.debian.org/debian/ sid/main 
libasprintf0c2 amd64 0.18.3-1 [29.6 kB]
Get:7 http://[fd2a:4006:773a::1]:3142/ftp.debian.org/debian/ sid/main libmagic1 
amd64 1:5.14-2 [216 kB]
Get:8 http://[fd2a:4006:773a::1]:3142/ftp.debian.org/debian/ sid/main libxml2 
amd64 2.9.1+dfsg1-2 [911 kB]
Get:9 http://[fd2a:4006:773a::1]:3142/ftp.debian.org/debian/ sid/main libffi6 
amd64 3.0.13-4 [21.6 kB]
Get:10 http://[fd2a:4006:773a::1]:3142/ftp.debian.org/debian/ sid/main 
libglib2.0-0 amd64 2.36.3-3 [2048 kB]
Get:11 http://[fd2a:4006:773a::1]:3142/ftp.debian.org/debian/ sid/main 
libcroco3 amd64 0.6.8-2 [133 kB]
Get:12 http://[fd2a:4006:773a::1]:3142/ftp.debian.org/debian/ sid/main 
libunistring0 amd64 0.9.3-5 [434 kB]
Get:13 http://[fd2a:4006:773a::1]:3142/ftp.debian.org/debian/ sid/main 
libc-ares2 amd64 1.10.0-2 [76.7 kB]
Get:14 http://[fd2a:4006:773a::1]:3142/ftp.debian.org/debian/ sid/main file 
amd64 1:5.14-2 [54.0 kB]
Get:15 http://[fd2a:4006:773a::1]:3142/ftp.debian.org/debian/ sid/main 
gettext-base amd64 0.18.3-1 [161 kB]
Get:16 http://[fd2a:4006:773a::1]:3142/ftp.debian.org/debian/ sid/main gettext 
amd64 0.18.3-1 [1898 kB]
Get:17 http://[fd2a:4006:773a::1]:3142/ftp.debian.org/debian/ sid/main 
intltool-debian all 0.35.0+20060710.1 [30.8 kB]
Get:18 http://[fd2a:4006:773a::1]:3142/ftp.debian.org/debian/ sid/main 
