Bug#848587: castle-combat does not start because numpy.oldnumeric has been removed

2016-12-20 Thread John Lightsey
On Sun, 2016-12-18 at 18:15 +0100, koopa wrote:
> numpy.oldnumeric has been removed in 1.9 release so castle-combat does not
> start
> https://docs.scipy.org/doc/numpy-dev/release.html#numpy-1-9-0-release-notes
> 
> so castle-combat does not start
> 

Thanks for pointing this out.

castle-combat hasn't been developed upstream in many years, so it's unlikely it
will be updated for this transition. I'll request removal of the package.



Bug#688007: monkey: Fails to drop supplemental groups when lowering privileges

2012-09-17 Thread John Lightsey
Package: monkey
Version: 0.9.3-1
Severity: grave
Tags: security
Justification: user security hole

Monkey webserver fails to drop supplemental groups when lowering privileges.
This allows any local user on the system to read any file that root's
supplemental groups can access. Monkey does perform a filesystem access check
to make sure that its EUID/EGID can access the target file, but this check is
subject to TOCTOU flaws.



-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#688008: monkey: CGI scripts executed without dropping RUID/RGID root

2012-09-17 Thread John Lightsey
Package: monkey
Version: 0.9.3-1
Severity: grave
Tags: security
Justification: user security hole

The Monkey webserver retains RUID/RGID root so that it can regain root as
needed to perform privileged operations. Unfortunately, monkey does not drop
RUID/RGID root before executing CGI scripts. This allows any user with write
access to a cgi-bin directory to gain local root. It would also allow a remote
attacker to do the same in combination with a CGI/PHP script that has any
remote code execution bug.



-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



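As an added illustration of both monkey reports (Bug#688007 and Bug#688008), not code from monkey itself, here is a hypothetical drop_privileges() helper: it clears supplementary groups while still root, changes gid before uid, sets the real and saved ids as well so a CGI child cannot regain root, and then verifies the result instead of trusting it.

```c
#define _GNU_SOURCE          /* for setresuid/setresgid/getresuid on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Count supplementary groups other than `keep` still attached to the
 * process. A correctly de-privileged server should report 0 here.
 * Returns -1 if the list could not be read. */
int extra_groups(gid_t keep)
{
    gid_t groups[256];       /* hypothetical bound; plenty for a daemon */
    int n = getgroups(256, groups), extra = 0;
    if (n < 0)
        return -1;
    for (int i = 0; i < n; i++)
        if (groups[i] != keep)
            extra++;
    return extra;
}

/* Returns 1 if any real, effective or saved id is still root (0), i.e. a
 * child such as a CGI script could call setuid(0) and get root back. */
int can_regain_root(void)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return -1;
    return ru == 0 || eu == 0 || su == 0 || rg == 0 || eg == 0 || sg == 0;
}

/* Permanently drop to uid/gid. Order matters: setgroups() must run while
 * we are still root (the step monkey skipped), the gid must change before
 * the uid, and the real and saved ids are set along with the effective
 * ones so nothing executed afterwards can climb back to root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0)      /* EPERM unless running as root */
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    /* Verify: after dropping to a non-root uid, regaining root must fail. */
    if (uid != 0 && (setuid(0) == 0 || can_regain_root() != 0))
        return -1;
    return 0;
}

int main(void)
{
    /* Demo only: drop to the ids we already have; as root this still
     * empties the supplementary group list, which is the Bug#688007 point. */
    int rc = drop_privileges(getuid(), getgid());
    printf("drop_privileges: %s, extra groups: %d, can regain root: %d\n",
           rc == 0 ? "ok" : "failed (not root?)",
           extra_groups(getgid()), can_regain_root());
    return 0;
}
```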


Bug#672080: apt-watch: FTBFS: apt-watch-common.cc:16:34: error: 'write' was not declared in this scope

2012-05-08 Thread John Lightsey
Thanks for the bug report on apt-watch. It should be straightforward to fix.





Bug#638074: apt-watch and the ongoing GNOME 3 transition

2011-10-20 Thread John Lightsey
On 10/19/2011 07:08 PM, Michael Biebl wrote:
> Hi John,
> 
> as you might have noticed, the GNOME 3 transition is now ongoing in unstable.
> Could you please upload apt-watch 0.4.0 from experimental to unstable now as
> otherwise apt-watch will block this transition.
> 
> In case you are currently busy, I can offer to NMU, if you are ok with that.

Feel free to NMU. I tried to do the rebuild a few days ago but
libpanel-applet-4-dev and libapt-pkg-dev weren't installable. If it's
buildable now, please feel free to upload. No changes are necessary from
the previous build other than the release target.

If no NMU takes place I should be able to get this uploaded tonight
assuming its dependencies are now installable.






Bug#638002: Improper seteuid() calls in src/log.c and src/masqmail.c

2011-08-16 Thread John Lightsey
Package: masqmail
Version: 0.2.21-4
Severity: critical
Tags: security
Justification: root security hole

Reporting publicly since this has already been disclosed on the masqmail list.

In src/log.c there are two logging functions that use this logic:

uid_t saved_uid;
saved_uid = seteuid(conf.mail_uid);   /* returns 0 or -1, not the previous EUID */

/* ... write to a log file ... */

seteuid(saved_uid);                   /* on success this is seteuid(0) */


The first seteuid() call here isn't returning the previous EUID, it's
returning 0 on success and -1 on failure. The net result should be that
any time masqmail writes to the log, it's resetting the EUID to root.
This would undo the effect of other code in masqmail that drops root
privileges.

The most recent upstream version of masqmail (0.3.2) contains identical
code to the version I audited (Debian stable's version 0.2.27).

Per information provided by the upstream author, src/masqmail.c contains
additional code with the same type of flaw.

-- System Information:
Debian Release: 6.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash




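An added example, not masqmail's own code, contrasting the reported pattern with the correct one; log_write_buggy() and log_write_fixed() are hypothetical stand-ins for the two logging functions in src/log.c, with the actual file write elided.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Mirrors the flawed logic from src/log.c: seteuid() returns 0 on success
 * or -1 on failure, never the previous EUID, so "restoring" saved_uid
 * actually calls seteuid(0) and hands the process root back. The value
 * is returned so a caller can see what was really "saved". */
uid_t log_write_buggy(uid_t mail_uid)
{
    uid_t saved_uid;
    saved_uid = seteuid(mail_uid);      /* 0 or (uid_t)-1, not the old EUID */
    /* ... write to a log file as mail_uid ... */
    seteuid(saved_uid);                 /* on success: seteuid(0) */
    return saved_uid;
}

/* Correct pattern: capture the current EUID with geteuid() first, check
 * every seteuid() call, and restore the captured value afterwards.
 * On success the EUID in effect after the restore is written to *restored. */
int log_write_fixed(uid_t mail_uid, uid_t *restored)
{
    uid_t saved_uid = geteuid();        /* what the buggy code meant to keep */
    if (seteuid(mail_uid) != 0)
        return -1;
    /* ... write to a log file as mail_uid ... */
    if (seteuid(saved_uid) != 0)
        return -1;                      /* a failed restore is an error, not silence */
    *restored = geteuid();
    return 0;
}

int main(void)
{
    uid_t before = geteuid(), after;
    uid_t bogus = log_write_buggy(getuid());
    printf("buggy 'saved' euid: %ld (real previous euid was %ld)\n",
           (long)bogus, (long)before);
    if (log_write_fixed(getuid(), &after) == 0)
        printf("fixed: euid restored to %ld\n", (long)after);
    return 0;
}
```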


Bug#636270: FTBFS: test failure: Failed test 'direct split (yahoo) (rows)'

2011-08-01 Thread John Lightsey
On 08/01/2011 04:00 PM, Dominic Hargreaves wrote:
> Source: libfinance-quotehist-perl
> Version: 1.16-1
> Severity: serious
> Justification: fails to build from source (but built successfully in the past)
> 
> This package FTBFS with a clean sid chroot:

Thanks for the report. I'm going to disable all of the remote tests in
this package. That should bring it more in line with the policies the
debian-perl team is following.

http://pkg-perl.alioth.debian.org/policy.html#test_suites






Bug#612914: Fails to build from source

2011-05-27 Thread John Lightsey
fixed 612914 1.14-1+squeeze1
thanks

The fixed version of libfinance-quotehist-perl has been accepted into
stable-proposed-updates and will be included in the next stable release.

The patch applied is:

diff --git a/debian/rules b/debian/rules
index 2d33f6a..20f4b36 100755
- --- a/debian/rules
+++ b/debian/rules
@@ -2,3 +2,5 @@

 %:
dh $@
+
+override_dh_auto_test:
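Review bot: the new override_dh_auto_test: target is empty and undocumented, so it silently disables the entire test suite; add a one-line comment above it saying the tests are skipped because they fetch live quote data from Yahoo (the cause of this FTBFS), so the next maintainer does not re-enable them by accident.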







Bug#612914: Fails to build from source

2011-04-29 Thread John Lightsey
On 04/29/2011 04:05 AM, Moritz Mühlenhoff wrote:
> Hi,
> 
>> * Moritz Mühlenhoff muehlenh...@univention.de [2011-02-14 10:27:55 CET]:
>>> On Monday 14 February 2011 04:24:35 John Lightsey wrote:
>>>> Yes, I can reproduce the FTBFS with 1.14. This was corrected upstream
>>>> with 1.16 which is already in testing and unstable. The newer version
>>>> doesn't include adjusted prices in any tests since Yahoo changes these
>>>> periodically.
>>>
>>> I've cherrypicked the upstream test suite fixes from 1.16 and now the
>>> build succeeds.
>>
>> Moritz, can you name which upstream commits are needed to fix this?
>>
>> John, what are your plans to get this fixed in squeeze? I just tested,
>> the package still FTBFS in squeeze, and in the case of a potential
>> needed security or otherwise related update, this *really* needs to get
>> fixed for squeeze, too.
> 
> Hi Gerfried,
> 
> Patch is attached.

This is essentially every change in 1.16 except the changelog and the
version number bump. IMHO it would be better to simply put 1.16 into
squeeze if this is truly worth fixing.

My reading of 5.5.1 in the developers reference doesn't suggest to me
that a FTBFS by itself merits a stable update, but if I'm mistaken in
that belief I'd be happy to put 1.16 into stable.

John






Bug#612914: Fails to build from source

2011-02-13 Thread John Lightsey
On 02/11/2011 08:28 AM, Moritz Muehlenhoff wrote:
> Hi John,
> I've tried to rebuild java-imaging-utilities for Univention Corporate Server,
> a Debian derived distribution based on Debian stable (currently Lenny, our
> next release will be based on Squeeze).
> 
> libfinance-quotehist-perl fails to build from source, see the following log.
> Apparently some of the fetched stock data has changed?

Very strange. Thanks for reporting this. I'll dig into it today.






Bug#612914: Fails to build from source

2011-02-13 Thread John Lightsey
tag 612914 squeeze
thanks

Yes, I can reproduce the FTBFS with 1.14. This was corrected upstream
with 1.16 which is already in testing and unstable. The newer version
doesn't include adjusted prices in any tests since Yahoo changes these
periodically.






Bug#594353: apt-watch: FTBFS with apt 0.8.0

2010-08-26 Thread John Lightsey
tags 594353 + pending
thanks

I'll upload a new version tonight without -Werror in CXXFLAGS.  The
package builds fine aside from the deprecation warnings.

Thanks for your bug report.






Bug#548909: xen-tools: xen-create-image creates world readable disk image files

2009-09-29 Thread John Lightsey
Package: xen-tools
Version: 3.9-4
Severity: grave
Tags: security
Justification: user security hole

I'm tagging this security, though common best practices would suggest that
access to the Dom0 should be severely restricted to begin with.

When xen-create-image is used to create a file based DomU, the disk image files
will have world readable permissions on a typical system with default umask
settings. This means that all accounts on the Dom0 will have full access to
the data on the DomU. The fix is simply to alter createLoopbackImages() to
chmod 0600 the image files after they are created with dd and before the
filesystem is initialized, or to adjust the umask before running dd.

This problem exists in both the stable 3.9 version of xen-tools and the
unstable 4.1 version.

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-xen-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages xen-tools depends on:
ii  debootstrap  1.0.10lenny1Bootstrap a basic Debian system
ii  libconfig-inifiles-perl  2.39-5  Read .ini-style configuration file
ii  libtext-template-perl1.44-1.2Text::Template perl module
ii  perl-modules 5.10.0-19lenny2 Core Perl modules

Versions of packages xen-tools recommends:
ii  libexpect-perl 1.20-1Expect.pm - Perl Expect interface
ii  reiserfsprogs  1:3.6.19-6User-level tools for ReiserFS file
ii  rinse  1.3-2 RPM installation environment
ii  xen-hypervisor-3.2-1-amd64 3.2.1-2.jd1   The Xen Hypervisor on AMD64
ii  xen-shell  1.8-3 Console based Xen administration u
ii  xfsprogs   2.9.8-1lenny1 Utilities for managing the XFS fil

xen-tools suggests no packages.

-- no debconf information






Bug#478440: Should castle-combat be removed from Debian?

2009-09-27 Thread John Lightsey
On Sun, 2009-09-27 at 15:48 +0200, Luca Falavigna wrote:
> I was looking at castle-combat trying to see if it can be ported to
> python-numpy because python-numeric* packages have been removed.
> 
> This is not a trivial task because some things have changed and it
> crashes every now and then, with twisted too.
> 
> Do you think it can be scheduled for removal from Debian, or will
> upstream take care of this?

The upstream author of castle-combat is still active and responsive.
Unless there's a compelling reason to ask for immediate removal, please
give me a little more time to get this resolved.


John




Bug#524474: FollowSymlinks / SymlinksIfOwnerMatch ignored with server-side-includes

2009-05-02 Thread John Lightsey
This shouldn't be tagged as a grave security issue.  The symlink tests
in Apache are trivial to overcome with timing attacks and the Apache
documentation explicitly states that the symlink tests should not be
considered a security restriction.

http://httpd.apache.org/docs/2.2/mod/core.html#options

John




Bug#431324: FTBFS: undefined reference to `glade_xml_signal_autoconnect'

2007-07-11 Thread John Lightsey
tags 431324 + pending
thanks

I isolated the problem with apt-watch yesterday and I'll have a new
version uploaded this evening with the fix.

John




Bug#409523: FTBFS: gpe/render.h: No such file or directory

2007-02-07 Thread John Lightsey
tags 409523 + patch
thanks

According to the changelog in libgpewidget-0.114 gpe/render.h was
removed because it was considered obsolete and unused.

Simply deleting the #include directive from main.c allows gpe-edit to
compile and run properly.

Patch attached.


John
diff -Nur gpe-edit-0.25.orig/main.c gpe-edit-0.25/main.c
--- gpe-edit-0.25.orig/main.c	2004-08-13 05:56:18.0 -0500
+++ gpe-edit-0.25/main.c	2007-02-07 12:13:57.0 -0600
@@ -21,7 +21,6 @@
 
 #include gpe/init.h
 #include gpe/errorbox.h
-#include gpe/render.h
 #include gpe/pixmaps.h
 #include gpe/picturebutton.h
 #include gpe/question.h
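Review bot: dropping the include is only safe if nothing in main.c still references a declaration from gpe/render.h; the changelog says the header was unused, so a quick grep of main.c for the identifiers it declared before applying would confirm that. Note also that the include lines appear here without their angle brackets, which is an artifact of the archived message, not part of the patch.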




Bug#409688: FTBFS: gpe/render.h: No such file or directory

2007-02-07 Thread John Lightsey
According to the changelog in libgpewidget-0.114 gpe/render.h was
removed because it was considered obsolete and unused.

Simply deleting the #include directive from main.c allows gpe-julia to
compile and run properly.

Patch attached.


John
diff -Nur gpe-julia-0.0.6.orig/main.c gpe-julia-0.0.6/main.c
--- gpe-julia-0.0.6.orig/main.c	2007-02-07 12:32:45.0 -0600
+++ gpe-julia-0.0.6/main.c	2007-02-07 12:33:24.0 -0600
@@ -19,7 +19,6 @@
 #include gpe/init.h
 #include gpe/picturebutton.h
 #include gpe/pixmaps.h
-#include gpe/render.h
 #include gpe/errorbox.h
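Review bot: the my_icons[] array a few lines below this hunk uses struct gpe_icon, so please verify that type is still declared by one of the remaining headers (gpe/pixmaps.h, gpe/picturebutton.h, gpe/errorbox.h or gpe/init.h) and not only by the gpe/render.h being removed, otherwise the build fails on the very next statement.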
 
 static struct gpe_icon my_icons[] = {




Bug#369551: castle-combat: Unhandled error in Deferred when shooting

2006-06-21 Thread John Lightsey
On Tue, 2006-06-20 at 20:07 +0200, Karl Bartel wrote:
> I just uploaded a new release. The code worked out quite different
> than in the patch, because I wanted to add a Sound on/off switch
> without adding an additional conditional around each line where a
> sound is played. This bug should be fixed nevertheless.
> I didn't manage to disable my sound card (well, I didn't try very
> hard...) to verify this, so it would be great if you could let me
> know whether it works for you.

The new version will crash if you don't have a sound card and toggle the
sound on/off switch in the config menu.  You can't call
pygame.mixer.music.stop() without a working mixer.  I've updated the
16-no_sound_device.dpatch to fix the problem and it's attached here.

There are also a couple of typos still present in 0.8.1:

data/doc/rules.html

Line 21: s/seperated/separated/

src/gamephases.py

Line 242: s/enemey's/enemy's/


John


16-no_sound_device.dpatch
Description: application/shellscript


Bug#340070: yate: FTBFS: compile error: invalid conversion

2005-12-13 Thread John Lightsey
tags 340070 + patch
thanks

pri_set_error and pri_set_message in libpri.h from libpri-dev have
changed since this version of yate was released.  Updating yate to a
newer upstream would likely fix the FTBFS error.  Barring that, the
attached dpatch gets the yate package compiling again in its current
form.

I assume the changes will make no difference in the functioning of yate,
but I don't use the software and have not tested it.

John


zapchan.dpatch
Description: application/shellscript


Bug#336840: space-orbit: doesn't start

2005-12-13 Thread John Lightsey
tags 336840 + patch
thanks

Reordering the call to glutInit in orbit.c fixes this error.

John
diff -ur space-orbit-1.01.orig/src/orbit.c space-orbit-1.01/src/orbit.c
--- space-orbit-1.01.orig/src/orbit.c	2005-12-13 18:22:35.0 -0600
+++ space-orbit-1.01/src/orbit.c	2005-12-13 18:22:22.0 -0600
@@ -41,6 +41,9 @@
 	/* Set up the player viewpoint, etc */
 	InitPlayer();
 
+	/* glutInit is required for InitStuff() */
+	glutInit(argc, argv);
+	
 	/* Initialize all sorts of other stuff */
 	InitStuff();
 
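Review bot: glutInit() takes `int *argcp, char **argv`, yet as rendered the new call in main() passes `argc` rather than `&argc`; confirm the applied patch passes the address (the archived message may have dropped the ampersand), since in main() argc is a plain int and the call would not compile otherwise.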
@@ -63,8 +66,10 @@
  */
 {
 	char *p;
-
-	glutInit (argc, argv);
+	
+	/* This is being called in main() now */
+	/* glutInit (argc, argv); */
+	
 	glutInitDisplayMode (GLUT_RGBA | GLUT_DOUBLE | GLUT_DEPTH);
 
 	glutInitWindowPosition (0, 0);
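Review bot: rather than keeping the old `glutInit (argc, argv);` as a commented-out line plus a comment saying it now lives in main(), delete it outright; the commit message already records the move. The two added `+	` lines also replace an empty line with tab-only lines, which is whitespace noise worth dropping from the hunk.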


Bug#328044: FTBFS: PIC register ebx clobbered in asm

2005-10-14 Thread John Lightsey
On Mon, 2005-09-12 at 12:52 -0700, Matt Kraai wrote:
> xmms-goom fails to build because it clobbers the PIC register ebx in
> an asm statement:
> 

Sorry for taking so long to address this issue.  I was originally
thinking I'd just fix the sections of assembly code with the obvious
pushl...popl, then I became sidetracked and decided to package a newer
upstream release (where these problems and several others are fixed.)

Anyway, the new versions will be uploaded within the next week or so.
Please don't NMU this package in the interim.  I am working on a fix.

John


