Bug#710784: postinst uses /usr/share/doc content (Policy 12.3): /usr/share/doc/webalizer/examples/sample.conf.gz
On Tue, Jan 07, 2014 at 10:58:26AM +0100, Daniel Stensnes wrote: > Are you sure this is done? I just got this: > Yes, I'm sure :) but it's done in sid, not in wheezy. > > $ sudo apt-get install webalizer > > Reading package lists... Done > > Building dependency tree > > Reading state information... Done > > Suggested packages: > > httpd > > The following NEW packages will be installed: > > webalizer > > 0 upgraded, 1 newly installed, 0 to remove and 21 not upgraded. > > Need to get 0 B/372 kB of archives. > > After this operation, 1,192 kB of additional disk space will be used. > > Retrieving bug reports... Done > > Parsing Found/Fixed information... Done > > serious bugs of webalizer (-> 2.23.05-1) > > #710784 - webalizer: postinst uses /usr/share/doc content (Policy 12.3): > > /usr/share/doc/webalizer/examples/sample.conf.gz (Fixed: > > webalizer/2.23.08-1) It written just above, it's fixed in version 2.23.08-1 ... > > Summary: > > webalizer(1 bug) > > Are you sure you want to install/upgrade the above packages? [Y/n/?/...] y > > Preconfiguring packages ... > > Selecting previously unselected package webalizer. > > (Reading database ... 206103 files and directories currently installed.) > > Unpacking webalizer (from .../webalizer_2.23.05-1_amd64.deb) ... > > Processing triggers for man-db ... > > Setting up webalizer (2.23.05-1) ... ... and you are installing version 2.23.05-1 ! > > /var/www/webalizer created > > $ > > I currently have Debian Wheezy 7.2 and apt is up to date with the > lastest packages in the repositories. apt-cache policy reports this > for the webalizer package: > > > $ apt-cache policy webalizer > > webalizer: > > Installed: 2.23.05-1 > > Candidate: 2.23.05-1 > > Version table: > > *** 2.23.05-1 0 > > 500 http://ftp.no.debian.org/debian/ wheezy/main amd64 Packages > > 100 /var/lib/dpkg/status > > - Daniel And by the way, it's a serious bug because it does not follow the policy but unless you are explicitly excluding /usr/share/doc/ as explained in the bug, this should not affect you. Best Regards Julien -- Julien Viard de Galbert http://silicone.homelinux.org/ -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#676126: netsed NMU
On Sun, Jul 08, 2012 at 04:46:00PM +0200, Sven Hoexter wrote: > Julien, I'm not sure if my fix is 'the Ruby way' for the issue > at hand, but it at least works for now. If you can please take a look > at the attached 05-ftbfs_ruby1.9_testsuite_require_syntax.diff patch. I'm not 100% sure it's 'the Ruby way' but it works so I integrated it in my git, thanks ! Best Regards, Julien VdG -- Julien Viard de Galbert http://silicone.homelinux.org/ GPG Key ID: D00E52B6 Published on: hkp://keys.gnupg.net Key Fingerprint: E312 A31D BEC3 74CC C49E 6D69 8B30 6538 D00E 52B6 signature.asc Description: Digital signature
Bug#675407: xserver-xorg-video-openchrome: openchrome relink against new xserver results in null pointer dereference
On Fri, Jun 01, 2012 at 02:40:04AM +0200, Cyril Brulebois wrote: > Sebastian Reichel (31/05/2012): > > Hi, > > > > It's not enough to rebuild openchrome against the new X-Server, > > since the new X-Server does not run vgaHWSetStdFuncs(hwp) anymore: > > > > http://cgit.freedesktop.org/xorg/xserver/commit/?id=4bd6579188e718654c35f95623fd4772f9e0ef06 > > > > Please update the driver to support the X-Server's ABI change. > > Hello, > > can you please test the attached patch? Seems like upstream's svn (no > comment) has no fix at the moment. This might be because upstream switched to git :) and I didn't have time to update to package to track the git version yet. I hope I can find some time soon. -- Julien Viard de Galbert http://silicone.homelinux.org/ GPG Key ID: D00E52B6 Published on: hkp://keys.gnupg.net Key Fingerprint: E312 A31D BEC3 74CC C49E 6D69 8B30 6538 D00E 52B6 signature.asc Description: Digital signature
Bug#622897: Re: webalizer: remote exploit
Hello Jim, As stated in bug #491200 I'm packaging the latest version of webalizer but I didn't get it uploaded yet. On Mon, Apr 18, 2011 at 02:05:27PM -0400, Jim Salter wrote: > Package: webalizer > Followup-For: Bug #622897 > > > Moritz, I believe that the initial attack was through webalizer because > the path /var/www/.webalizer contained php injections which gave the ^-- with a dot > attackers their initial shell, which was first used to host a phishing > form which was also under /var/www/webalizer - whereas the production ^-- or no dot ? > site on the host was under /[redacted]/[redacted], under which no files > were added, removed, or modified. > The /var/www/webalizer directory is filled by webalizer, however, webalizer is not a webapp written in php so I don't see how php could compromise webalizer. > I'm not sure what you mean by "recent years"; but my own research showed > a widely-exploited security bug in Webalizer in 2009 which I sincerely > hope was either fixed by the upstream maintainers, or at least patched > in Debian's repos. If it's that bug... well, dear lord, please let's > get that patched, it's been two years already? =) > > Ref: > http://news.softpedia.com/news/Webalizer-Bug-Possibly-Leading-to-Mass-Web-Compromise-119983.shtml Your reference does not really explain the exploit, following the link on "warns" [1] I ended up on [2] witch dates back to 2002 (not 2009). 1: http://threatcenter.blogspot.com/2009/08/mass-compromise-of-sites-with-webalizer.html 2: http://linuxdevcenter.com/pub/a/linux/2002/04/16/insecurities.html Looking in webalizer changelog: | 2.01-xx changes from 1.30-04 | [...] | o Fix posible obscure buffer overflow bug in DNS resolver code That could be the fix for the 2002 bug, however lenny's webalizer version is 2.01.10-32.4 so it uses webalizer 2.01-10 which already include this fix. See also: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=143019 To get it patched, I guess we need a little more information on how exactly you got attacked. Unless you had a pretty old version, it's not the same bug. Also did you have the reverse dns feature enabled (in the webalizer configuration that outputs to /var/www/webalizer) ? As it's off by default. > > ... or at LEAST let's fix the installation process so that it doesn't > silently expose itself on the default site. Well once I'll got the version uploaded with the latest upstream code, I plan to look at the configuration parts, so I'll look at that too. > > I still use webalizer on some very high-traffic sites because I don't > know of any other packages which can scale linearly to handle VERY high > levels of traffic - one client of mine generates about 40G of Apache > logs per day on app servers alone; webalizer's the only thing I know of > that can handle that volume. So help us identify that bug ! :) Best Regards, Julien VdG -- Julien Viard de Galbert http://silicone.homelinux.org/ GPG Key ID: D00E52B6 Published on: hkp://keys.gnupg.net Key Fingerprint: E312 A31D BEC3 74CC C49E 6D69 8B30 6538 D00E 52B6 signature.asc Description: Digital signature
Bug#614022: xserver-xorg-video-openchrome: gdm fails to start X
severity 614022 normal forwarded 614022 http://www.openchrome.org/trac/ticket/395 thanks It does not fail for me, so I guess it depends on the card model... So I reduced the severity to normal as it wont affect all users. I've send the patch upstream, they are generally quick to respond, so if it gets integrated I'll push the new upstream version, else I'll push a -2 with the patch within a few days. Best Regards, -- Julien Viard de Galbert http://silicone.homelinux.org/ GPG Key ID: D00E52B6 Published on: hkp://keys.gnupg.net Key Fingerprint: E312 A31D BEC3 74CC C49E 6D69 8B30 6538 D00E 52B6 signature.asc Description: Digital signature
Bug#614022: xserver-xorg-video-openchrome: gdm fails to start X
Hello, Thanks for your report and your patch. I'm getting the changes to the driver done by Cyril and I'll test your patch. It really looks like a regression at upstream r888, I'll report it upstream. Thanks again ! Julien VdG -- Julien Viard de Galbert http://silicone.homelinux.org/ GPG Key ID: D00E52B6 Published on: hkp://keys.gnupg.net Key Fingerprint: E312 A31D BEC3 74CC C49E 6D69 8B30 6538 D00E 52B6 signature.asc Description: Digital signature
Bug#553502: autolog: a segfault patch
Package: autolog Severity: normal Hi, I could get a segfault by simply running './autolog -d -o', even by running './autolog -d -o -n' which does not even try to kill processes... So I don't know if this is the same case as the original submitter as I didn't have to wait for any warning before getting the segfault. Anyway, you will find a patch that fixes the one I found. About the bug: Basically it parses (using strtok by the way) the output of a ps command line by line. The line buffer has a size of 256 bytes so if the output line of ps is longer than that, it get parsed as the next line and it will of course not parse correctly. For some reasons, when ran from gdb, the ps command limits its output to 80 chars as if ps was run in a terminal, so it does not segfault ;) The patch simply read the line until it finds the ending \n so that the parser will not segfault. (by the way as the config file allows the change the ps command, the parser should probably be written in a safer way...) Regards, Julien Vdg -- System Information: Debian Release: squeeze/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores) Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash diff -au autolog-0.40.orig/autolog.c autolog-0.40/autolog.c --- autolog-0.40.orig/autolog.c 2010-10-29 16:15:11.0 +0200 +++ autolog-0.40/autolog.c 2010-10-29 16:14:27.0 +0200 @@ -1082,6 +1082,18 @@ } } } + /* Read to the end of line to avoid parsing the rest of the command + * line in next round and getting a segfault as ps_pid will be null!! + */ + i=strlen(iline); + while(iline[i-1] != '\n'){ + if(!fgets(iline, LINELEN, ps)) { + /* end of file, exit*/ + fclose(ps); + return; + } + i=strlen(iline); + } } fclose(ps); } Les sous-répertoires autolog-0.40.orig/debian et autolog-0.40/debian sont identiques. Les sous-répertoires autolog-0.40.orig/.pc et autolog-0.40/.pc sont identiques.
Bug#597379: openchrome: Update makes X freeze
On Tue, Sep 28, 2010 at 04:28:37PM +0200, Cyril Brulebois wrote: > Nethanel Elzas (28/09/2010): > > Well it went fast, after installing commit 830, X freezes upon > > startup, 829 was fine. I tried to look at the diff between 830 and > > 829 but don't understand it :-( First thanks for taking the time to identify the faulty commit. I also want to thank Julien and Cyril for pushing in the right direction while I was too busy to read those mails. > > Neither do I. For reference, the diff is: > http://svn.openchrome.org/trac/changeset?new=830%40trunk&old=829%40trunk > > > Is there something else I can try? > > Maybe try to revert the change concerning src/via_dri.c, that is, > remove the following lines: > | /* For AMD64 */ > | #ifdef __x86_64__ > | return FALSE; > | #endif > > (Suggesting that because you're on amd64, like Ibaidul.) > > AFAICT that triggers a premature end in VIADRIAgpInit and maybe that's > causing troubles. Trying that shouldn't hurt. I think it worth trying that as upstream also reverted it later see: http://svn.openchrome.org/trac/changeset/854/trunk/src/via_dri.c If it works, I think we have our fix ;) I'll then prepare a new package (unless Cyril or Julien want to do this simple change directly as I'll need a sponsor anyway). Best Regards -- Julien Viard de Galbert http://silicone.homelinux.org/ GPG Key ID: D00E52B6 Published on: hkp://keys.gnupg.net Key Fingerprint: E312 A31D BEC3 74CC C49E 6D69 8B30 6538 D00E 52B6 signature.asc Description: Digital signature
Bug#586037: executes a tight non-blocking loop.
On Mon, Jun 21, 2010 at 01:05:36AM +0100, Tim Retout wrote: > > We need a stable location where new release tarballs will appear (are > you always going to use /repository/unpackaged/ ?), and then we can > use a debian/watch file to get updated automatically with new > releases. Ok, I created a new release directory at: http://silicone.homelinux.org/release/netsed/ You can expect this page to exist and list the release... currently it's just a generated Index, but it might become a nicer page someday... so please use the two part format on debian watch. something like: http://silicone.homelinux.org/release/netsed netsed-(.+)\.tar\.gz Hope this fully suits your needs. Julien VdG -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#586037: executes a tight non-blocking loop.
I'd like to do more testing (like writing automated tests), but in the meantime here is a new release: http://silicone.homelinux.org/repository/unpackaged/netsed-0.02b.tar.gz It integrates the patches from Mats Erik Andersson to provide IPv6 capability. What would be the best for next releases ? 1. Do you want me to continue sending mails to this bug ? 2. Should I publish it on my blog ? (I will write an article soon anyway) http://silicone.homelinux.org/ 3. Any other suggestions ? Thanks. On Sat, Jun 19, 2010 at 08:55:45AM +0200, LENART Janos wrote: > If your version is 100% compatible with the current netsed (but less > buggy :-) ), than we can move swiftly and replace it. Well my only concern about 100%, would be people relying on a bug in the rule matching than was not actually doing what the doc described... For details, see http://silicone.homelinux.org/git/netsed.git/?a=commitdiff;h=387a9d46387e2488efac08931b0aab57c7594aa4 -- Julien VdG -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#586037: [netsed] Replacing gethostbyname() to get IPv6
On Sat, Jun 19, 2010 at 02:42:47PM +0200, Mats Erik Andersson wrote: > A week ago I did develop a patch against netsed-0.01c > to get rid of gethostbyname(3) by using getaddrinfo(3). > Thus implementing full IPv6 support and more for the TCP > layer of netsed. Would Julien Viard accept this, being the > de facto new upstream author? Sure, I already spent 3 hours last night to prepare the code. Please send your patch either directly to me, or to the bug #397420 where it probably belong, I'll get it from here. > > The looping bug I addressed in the original text of this > message has no bearing on IPv6, nor does any reimplementation > to using selsect(2) instead of a misconceived polling. > About IPv6 I'll probably need help, I currently have no IPv6 knowledge... > > MEA > Best Regards -- Julien Viard de Galbert -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#586037: executes a tight non-blocking loop.
On Fri, Jun 18, 2010 at 11:14:26PM +0100, Tim Retout wrote: > On 18 June 2010 23:10, Julien Viard de Galbert > wrote: > > Hi again, > > > > Just tried your testcase with netsed and my modified version. > > > > And while I could reproduice the heavy cpu load with original netsed, my > > version is not impacted. > > This is good. Could you provide a link to your version, so we can > consider using it as the new upstream? > Sure I can: http://silicone.homelinux.org/repository/unpackaged/netsed-0.02a.tar.gz I just took the time to recover my old history and to rebuild a clean git base. you should be able to clone from here http://silicone.homelinux.org/git/netsed.git/ I'm not happy with the hostname resolving code, I think I've read somewhere that gethostbyname is kind of bad. And I have to fix UDP too... I've thought about adopting the debian package, but fixing the bug will take some more time, and I have no previous experience in official packaging, so I'll leave it to QA for now. Best Regards Julien VdG -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#586037: executes a tight non-blocking loop.
Hi again, Just tried your testcase with netsed and my modified version. And while I could reproduice the heavy cpu load with original netsed, my version is not impacted. Best regards Julien VdG -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#586037: executes a tight non-blocking loop.
Package: netsed Severity: normal Hi there, I have a forked version of netsed on my blog, that I wrote 4 years ago... I did rewrite most waiting to use 'select' so even if I don't remember seeing that particular point it might be fixed (or fixable), I will check it. As for #230406 regarding UDP support, I didn't write it (no need for me at the time) but I don't think it's that difficult. I'm currently reading most debian documentation and wanted to adopt netsed, however if the plan is to remove netsed that discourages me :( Also note that upstream no longer maintain it either... 4 years ago I did mail about my changes and never got any replies. best regards Julien Viard de Galbert -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org