Bug#848587: castle-combat does not start because numpy.oldnumeric has been removed
On Sun, 2016-12-18 at 18:15 +0100, koopa wrote:
> numpy.oldnumeric has been removed in 1.9 release so castle-combat does not
> start
> https://docs.scipy.org/doc/numpy-dev/release.html#numpy-1-9-0-release-notes
>
> so castle-combat does not start

Thanks for pointing this out. castle-combat hasn't been developed upstream in many years, so it's unlikely it will be updated for this transition. I'll request removal of the package.
Bug#688007: monkey: Fails to drop supplemental groups when lowering privileges
Package: monkey
Version: 0.9.3-1
Severity: grave
Tags: security
Justification: user security hole

Monkey webserver fails to drop supplemental groups when lowering privileges. This allows any local user on the system to read any file that root's supplemental groups can access.

Monkey does perform a filesystem access check to make sure that its EUID/EGID can access the target file, but this check is subject to TOCTOU flaws.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#688008: monkey: CGI scripts executed without dropping RUID/RGID root
Package: monkey
Version: 0.9.3-1
Severity: grave
Tags: security
Justification: user security hole

The Monkey webserver retains RUID/RGID root so that it can regain root as needed to perform privileged operations. Unfortunately, monkey does not drop RUID/RGID root before executing CGI scripts. This allows any user with write access to a cgi-bin directory to gain local root. It would also allow a remote attacker to do the same in combination with a CGI/PHP script that has any remote code execution bug.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
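An added example, not part of the reports above and not Monkey's code: one way a server that keeps RUID root can shed every trace of it before running a CGI script, covering both the supplemental groups from Bug#688007 and the real/saved IDs from Bug#688008. The function names are hypothetical; the target uid/gid are whatever unprivileged account the server is configured to use.

```c
#define _GNU_SOURCE            /* setgroups() prototype on glibc */
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 only if the process holds nothing but uid/gid: real and
 * effective IDs match, no other supplemental group remains, and the saved
 * IDs (not readable through POSIX getters) cannot be used to become root. */
int fully_dropped(uid_t uid, gid_t gid)
{
    gid_t groups[64];
    int i, n;

    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    n = getgroups(64, groups);
    if (n < 0) return 0;
    for (i = 0; i < n; i++)
        if (groups[i] != gid) return 0;      /* leftover supplemental group */
    if (uid != 0 && (seteuid(0) == 0 || setuid(0) == 0)) return 0;
    if (gid != 0 && setegid(0) == 0) return 0;
    return 1;
}

/* Permanent drop. Order matters: groups and GIDs need root, so the UID
 * goes last. Returns 0 on success, -1 if any step fails or does not stick. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    /* A server running with a non-root EUID but RUID root has to regain
     * root first; called unprivileged, setuid() would change only the EUID. */
    if (geteuid() != 0 && seteuid(0) != 0) return -1;
    if (setgroups(1, &gid) != 0) return -1;  /* root's supplemental groups */
    if (setgid(gid) != 0) return -1;         /* real, effective, saved GID */
    if (setuid(uid) != 0) return -1;         /* real, effective, saved UID */
    return fully_dropped(uid, gid) ? 0 : -1;
}

/* Child side of fork(): never exec the script with leftover privileges. */
void exec_cgi(const char *script, char *const argv[], char *const envp[],
              uid_t uid, gid_t gid)
{
    if (drop_privileges_permanently(uid, gid) != 0)
        _exit(126);
    execve(script, argv, envp);
    _exit(127);                              /* execve() returned: failed */
}
```

Checking access with the lowered EUID/EGID and then opening the file later does not replace this; the open itself has to happen with the groups already gone.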
Bug#672080: apt-watch: FTBFS: apt-watch-common.cc:16:34: error: 'write' was not declared in this scope
Thanks for the bug report on apt-watch. It should be straightforward to fix.
Bug#638074: apt-watch and the ongoing GNOME 3 transition
On 10/19/2011 07:08 PM, Michael Biebl wrote:
> Hi John,
>
> as you might have noticed, the GNOME 3 transition is now ongoing in unstable. Could you please upload apt-watch 0.4.0 from experimental to unstable now as otherwise apt-watch will block this transition.
>
> In case you are currently busy, I can offer to NMU, if you are ok with that.

Feel free to NMU. I tried to do the rebuild a few days ago but libpanel-applet-4-dev and libapt-pkg-dev weren't installable. If it's buildable now, please feel free to upload. No changes are necessary from the previous build other than the release target.

If no NMU takes place I should be able to get this uploaded tonight assuming its dependencies are now installable.
Bug#638002: Improper seteuid() calls in src/log.c and src/masqmail.c
Package: masqmail
Version: 0.2.21-4
Severity: critical
Tags: security
Justification: root security hole

Reporting publicly since this has already been disclosed on the masqmail list.

In src/log.c there are two logging functions that use this logic:

    uid_t saved_uid;
    saved_uid = seteuid(conf.mail_uid);
    write to a log file...
    seteuid(saved_uid);

The first seteuid() call here isn't returning the previous EUID, it's returning 0 on success and -1 on failure. The net result should be that any time masqmail writes to the log, it's resetting the EUID to root. This would undo the effect of other code in masqmail that drops root privileges.

The most recent upstream version of masqmail (0.3.2) contains identical code to the version I audited (Debian stable's version 0.2.27).

Per information provided by the upstream author, src/masqmail.c contains additional code with the same type of flaw.

-- System Information:
Debian Release: 6.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
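An added example, not masqmail's code and not part of the report: the flawed save/restore pattern quoted above next to a form that records the EUID with geteuid() and treats a failed restore as fatal. The names flawed_saved_uid, with_euid, log_req and append_log are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* What the quoted pattern ends up holding in saved_uid: seteuid()'s status
 * (0 on success, -1 on failure), never the previous EUID. On success the
 * later "restore" is therefore seteuid(0). */
uid_t flawed_saved_uid(uid_t target)
{
    uid_t saved_uid = seteuid(target);
    return saved_uid;
}

/* Run fn(arg) with the effective UID set to target, then put the original
 * EUID back. Returns fn's result, or -1 if the switch itself failed. */
int with_euid(uid_t target, int (*fn)(void *), void *arg)
{
    uid_t saved = geteuid();          /* the real previous EUID */
    int rc;

    if (seteuid(target) != 0)
        return -1;                    /* do not touch the file as the wrong user */
    rc = fn(arg);
    if (seteuid(saved) != 0 || geteuid() != saved)
        abort();                      /* continuing with an unknown EUID is worse */
    return rc;
}

/* Sample callback: append one line to a log file. */
struct log_req { const char *path; const char *msg; };

int append_log(void *arg)
{
    const struct log_req *r = arg;
    FILE *f = fopen(r->path, "a");

    if (f == NULL)
        return -1;
    fprintf(f, "%s\n", r->msg);
    return fclose(f) == 0 ? 0 : -1;
}
```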
Bug#636270: FTBFS: test failure: Failed test 'direct split (yahoo) (rows)'
On 08/01/2011 04:00 PM, Dominic Hargreaves wrote:
> Source: libfinance-quotehist-perl
> Version: 1.16-1
> Severity: serious
> Justification: fails to build from source (but built successfully in the past)
>
> This package FTBFS with a clean sid chroot:

Thanks for the report. I'm going to disable all of the remote tests in this package. That should bring it more in line with the policies the debian-perl team is following.

http://pkg-perl.alioth.debian.org/policy.html#test_suites
Bug#612914: Fails to build from source
fixed 612914 1.14-1+squeeze1
thanks

The fixed version of libfinance-quotehist-perl has been accepted into stable-proposed-updates and will be included in the next stable release.

The patch applied is:

diff --git a/debian/rules b/debian/rules index 2d33f6a..20f4b36 100755 - --- a/debian/rules +++ b/debian/rules @@ -2,3 +2,5 @@ %: dh $@ + +override_dh_auto_test:
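Review bot: the added override_dh_auto_test: target has no recipe, so the build now skips the whole test suite rather than only the tests that fetch remote data. Add a comment above the target in debian/rules saying why the tests are disabled, or limit the override to the network-dependent tests so the offline ones still run at build time.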
Bug#612914: Fails to build from source
On 04/29/2011 04:05 AM, Moritz Mühlenhoff wrote:
> Hi,
>
> * Moritz Mühlenhoff muehlenh...@univention.de [2011-02-14 10:27:55 CET]:
>> On Monday 14 February 2011 04:24:35 John Lightsey wrote:
>>> Yes, I can reproduce the FTBFS with 1.14. This was corrected upstream with 1.16 which is already in testing and unstable. The newer version doesn't include adjusted prices in any tests since Yahoo changes these periodically.
>>
>> I've cherrypicked the upstream test suite fixes from 1.16 and now the build succeeds.
>
> Moritz, can you name which upstream commits are needed to fix this?
>
> John, what are your plans to get this fixed in squeeze? I just tested, the package still FTBFS in squeeze, and in the case of a potential needed security or otherwise related update, this *really* needs to get fixed for squeeze, too.

Hi Gerfried,

Patch is attached. This is essentially every change in 1.16 except the changelog and the version number bump. IMHO it would be better to simply put 1.16 into squeeze if this is truly worth fixing.

My reading of 5.5.1 in the developers reference doesn't suggest to me that a FTBFS by itself merits a stable update, but if I'm mistaken in that belief I'd be happy to put 1.16 into stable.

John
Bug#612914: Fails to build from source
On 02/11/2011 08:28 AM, Moritz Muehlenhoff wrote:
> Hi John,
>
> I've tried to rebuild java-imaging-utilities for Univention Corporate Server, a Debian derived distribution based on Debian stable (currently Lenny, our next release will be based on Squeeze).
>
> libfinance-quotehist-perl fails to build from source, see the following log. Apparently some of the fetched stock data has changed?

Very strange. Thanks for reporting this. I'll dig into it today.
Bug#612914: Fails to build from source
tag 612914 squeeze
thanks

Yes, I can reproduce the FTBFS with 1.14. This was corrected upstream with 1.16 which is already in testing and unstable. The newer version doesn't include adjusted prices in any tests since Yahoo changes these periodically.
Bug#594353: apt-watch: FTBFS with apt 0.8.0
tags 594353 + pending
thanks

I'll upload a new version tonight without -Werror in CXXFLAGS. The package builds fine aside from the deprecation warnings.

Thanks for your bug report.
Bug#548909: xen-tools: xen-create-image creates world readable disk image files
Package: xen-tools
Version: 3.9-4
Severity: grave
Tags: security
Justification: user security hole

I'm tagging this security, though common best practices would suggest that access to the Dom0 should be severely restricted to begin with.

When xen-create-image is used to create a file based DomU, the disk image files will have world readable permissions on a typical system with default umask settings. This means that all accounts on the Dom0 will have full access to the data on the DomU.

The fix is simply to alter createLoopbackImages() to chmod 0600 the image files after they are created with DD and before the filesystem is initialized or simply to adjust the umask before running dd.

This problem exists in both the stable 3.9 version of xen-tools and the unstable 4.1 version.

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-xen-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages xen-tools depends on:
ii  debootstrap              1.0.10lenny1     Bootstrap a basic Debian system
ii  libconfig-inifiles-perl  2.39-5           Read .ini-style configuration file
ii  libtext-template-perl    1.44-1.2         Text::Template perl module
ii  perl-modules             5.10.0-19lenny2  Core Perl modules

Versions of packages xen-tools recommends:
ii  libexpect-perl              1.20-1         Expect.pm - Perl Expect interface
ii  reiserfsprogs               1:3.6.19-6     User-level tools for ReiserFS file
ii  rinse                       1.3-2          RPM installation environment
ii  xen-hypervisor-3.2-1-amd64  3.2.1-2.jd1    The Xen Hypervisor on AMD64
ii  xen-shell                   1.8-3          Console based Xen administration u
ii  xfsprogs                    2.9.8-1lenny1  Utilities for managing the XFS fil

xen-tools suggests no packages.

-- no debconf information
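An added example, not xen-tools code and not part of the report: the effect of the default umask on a freshly created image file, next to creation with owner-only permissions from the first instant, which also avoids the short window a chmod after creation would leave. The function names, the /tmp location and the 1 MiB size are assumptions made for the demonstration.

```c
#define _GNU_SOURCE            /* mkdtemp() prototype on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a sparse image of `size` bytes. hardened == 0 mimics a tool that
 * relies on the umask (requested mode 0666); hardened != 0 asks for 0600 and
 * pins it with fchmod() so the result does not depend on the umask at all.
 * Returns the resulting permission bits, or -1 on error. */
int create_image(const char *path, off_t size, int hardened)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW,
                  hardened ? 0600 : 0666);

    if (fd < 0)
        return -1;
    if ((hardened && fchmod(fd, 0600) != 0) ||
        ftruncate(fd, size) != 0 || fstat(fd, &st) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    return (int)(st.st_mode & 07777);
}

/* Create one image in a private temporary directory under a typical
 * default umask of 022 and report the mode it ended up with. */
int demo_mode(int hardened)
{
    char dir[] = "/tmp/imgdemoXXXXXX";
    char path[64];
    mode_t old;
    int mode;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/disk.img", dir);
    old = umask(022);
    mode = create_image(path, (off_t)1 << 20, hardened);
    umask(old);
    unlink(path);
    rmdir(dir);
    return mode;
}
```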
Bug#478440: Should castle-combat be removed from Debian?
On Sun, 2009-09-27 at 15:48 +0200, Luca Falavigna wrote:
> I was looking at castle-combat trying to see if it can be ported to python-numpy because python-numeric* packages have been removed. This is not a trivial task because some things have changed and it crashes every now and then, with twisted too.
>
> Do you think it can be scheduled for removal from Debian, or will upstream take care of this?

The upstream author of castle-combat is still active and responsive. Unless there's a compelling reason to ask for immediate removal, please give me a little more time to get this resolved.

John
Bug#524474: FollowSymlinks / SymlinksIfOwnerMatch ignored with server-side-includes
This shouldn't be tagged as a grave security issue. The symlink tests in Apache are trivial to overcome with timing attacks and the Apache documentation explicitly states that the symlink tests should not be considered a security restriction.

http://httpd.apache.org/docs/2.2/mod/core.html#options

John
Bug#431324: FTBFS: undefined reference to `glade_xml_signal_autoconnect'
tags 431324 + pending
thanks

I isolated the problem with apt-watch yesterday and I'll have a new version uploaded this evening with the fix.

John
Bug#409523: FTBFS: gpe/render.h: No such file or directory
tags 409523 + patch
thanks

According to the changelog in libgpewidget-0.114 gpe/render.h was removed because it was considered obsolete and unused. Simply deleting the #include directive from main.c allows gpe-edit to compile and run properly. Patch attached.

John

diff -Nur gpe-edit-0.25.orig/main.c gpe-edit-0.25/main.c --- gpe-edit-0.25.orig/main.c 2004-08-13 05:56:18.0 -0500 +++ gpe-edit-0.25/main.c 2007-02-07 12:13:57.0 -0600 @@ -21,7 +21,6 @@ #include gpe/init.h #include gpe/errorbox.h -#include gpe/render.h #include gpe/pixmaps.h #include gpe/picturebutton.h #include gpe/question.h
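Review bot: dropping the gpe/render.h include at main.c line 24 is only safe if nothing left in main.c relies on a declaration from that header, and the hunk shows just the include list. Confirm with a build that treats implicit function declarations as errors (gcc's -Werror=implicit-function-declaration) so a leftover call cannot slip through as a warning.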
Bug#409688: FTBFS: gpe/render.h: No such file or directory
According to the changelog in libgpewidget-0.114 gpe/render.h was removed because it was considered obsolete and unused. Simply deleting the #include directive from main.c allows gpe-julia to compile and run properly. Patch attached.

John

diff -Nur gpe-julia-0.0.6.orig/main.c gpe-julia-0.0.6/main.c --- gpe-julia-0.0.6.orig/main.c 2007-02-07 12:32:45.0 -0600 +++ gpe-julia-0.0.6/main.c 2007-02-07 12:33:24.0 -0600 @@ -19,7 +19,6 @@ #include gpe/init.h #include gpe/picturebutton.h #include gpe/pixmaps.h -#include gpe/render.h #include gpe/errorbox.h static struct gpe_icon my_icons[] = {
Bug#369551: castle-combat: Unhandled error in Deferred when shooting
On Tue, 2006-06-20 at 20:07 +0200, Karl Bartel wrote:
> I just uploaded a new release. The code worked out quite different than in the patch, because I wanted to add a Sound on/off switch without adding an additional conditional around each line where a sound is played. This bug should be fixed nevertheless. I didn't manage to disable my sound card (well, I didn't try very hard...) to verify this, so it would be great if you could let me know whether it works for you.

The new version will crash if you don't have a sound card and toggle the sound on/off switch in the config menu. You can't call pygame.mixer.music.stop() without a working mixer. I've updated the 16-no_sound_device.dpatch to fix the problem and it's attached here.

There are also a couple of typos still present in 0.8.1:

data/doc/rules.html
Line 21: s/seperated/separated/

src/gamephases.py
Line 242: s/enemey's/enemy's/

John

16-no_sound_device.dpatch Description: application/shellscript
Bug#340070: yate: FTBFS: compile error: invalid conversion
tags 340070 + patch
thanks

pri_set_error and pri_set_message in libpri.h from libpri-dev have changed since this version of yate was released. Updating yate to a newer upstream would likely fix the FTBFS error. Barring that, the attached dpatch gets the yate package compiling again in its current form. I assume the changes will make no difference in the functioning of yate, but I don't use the software and have not tested it.

John

zapchan.dpatch Description: application/shellscript
Bug#336840: space-orbit: doesn't start
tags 336840 + patch
thanks

Reordering the call to glutInit in orbit.c fixes this error.

John

diff -ur space-orbit-1.01.orig/src/orbit.c space-orbit-1.01/src/orbit.c --- space-orbit-1.01.orig/src/orbit.c 2005-12-13 18:22:35.0 -0600 +++ space-orbit-1.01/src/orbit.c 2005-12-13 18:22:22.0 -0600 @@ -41,6 +41,9 @@ /* Set up the player viewpoint, etc */ InitPlayer(); + /* glutInit is required for InitStuff() */ + glutInit(argc, argv); + /* Initialize all sorts of other stuff */ InitStuff(); @@ -63,8 +66,10 @@ */ { char *p; - - glutInit (argc, argv); + + /* This is being called in main() now */ + /* glutInit (argc, argv); */ + glutInitDisplayMode (GLUT_RGBA | GLUT_DOUBLE | GLUT_DEPTH); glutInitWindowPosition (0, 0);
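Review bot: in the first hunk (@@ -41,6 +41,9 @@) the added glutInit(argc, argv) passes argc by value, but glutInit() takes a pointer to the argument count (int *argcp). If argc at that point is main()'s int, the call should be glutInit(&argc, argv); the old call site may have received a pointer, so the expression cannot simply be copied across.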
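Review bot: the second hunk (@@ -63,8 +66,10 @@) leaves the old call behind as a comment and rewrites the blank lines around it. Delete the glutInit line outright and keep the surrounding whitespace unchanged, so the hunk is a single removal and no dead code stays in the function; if its argc and argv parameters are now unused, that is worth a follow-up.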
Bug#328044: FTBFS: PIC register ebx clobbered in asm
On Mon, 2005-09-12 at 12:52 -0700, Matt Kraai wrote:
> xmms-goom fails to build because it clobbers the PIC register ebx in an asm statement:

Sorry for taking so long to address this issue. I was originally thinking I'd just fix the sections of assembly code with the obvious pushl...popl, then I became sidetracked and decided to package a newer upstream release (where these problems and several others are fixed.)

Anyway, the new versions will be uploaded within the next week or so. Please don't NMU this package in the interim. I am working on a fix.

John