Bug#861431: restic: Rebuild needed for CVE-2017-3204; #859655

2017-05-02 Thread Michael Lustfield
> It's built happily on ppc64el for the archive, so please either close this
> bug or leave the fixed version in place (by all means keep it open if you
> want to explore possible resource exhaustion on other machines).

I haven't had a chance to re-test this build. If it's building fine
for the archive, that's good enough for me. I might do some rebuild
testing down the road, but I think it makes more sense to close now
and re-open only if issues are found.



Bug#861431: restic: Rebuild needed for CVE-2017-3204; #859655

2017-05-02 Thread Jonathan Wiltshire
Control: found -1 0.3.3-1+b1
Control: fixed -1 0.3.3-1+b2

Hi,

On Sun, Apr 30, 2017 at 12:51:03PM +0200, Félix Sipma wrote:
> ppc64el rebuilding seems to give the same error as yours, though.
> 
> Do you think we can close this bug, or associate it with ppc64el only?
> 
> It may be an issue with insufficient resources but I'm not sure, and I'm a bit
> out of ideas on how to fix this...

It's built happily on ppc64el for the archive, so please either close this
bug or leave the fixed version in place (by all means keep it open if you
want to explore possible resource exhaustion on other machines).

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



Processed: Re: Bug#861431: restic: Rebuild needed for CVE-2017-3204; #859655

2017-05-02 Thread Debian Bug Tracking System
Processing control commands:

> found -1 0.3.3-1+b1
Bug #861431 [restic] restic: Rebuild needed for CVE-2017-3204; #859655
Marked as found in versions restic/0.3.3-1.
> fixed -1 0.3.3-1+b2
Bug #861431 [restic] restic: Rebuild needed for CVE-2017-3204; #859655
Marked as fixed in versions restic/0.3.3-1.

-- 
861431: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861431
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#861431: restic: Rebuild needed for CVE-2017-3204; #859655

2017-04-30 Thread Félix Sipma
Control: tag -1 unreproducible

I can't reproduce this on amd64.

And https://buildd.debian.org/status/package.php?p=restic says amd64, arm64,
armel, armhf, i386 were rebuilt without any problem.

ppc64el rebuilding seems to give the same error as yours, though.

Do you think we can close this bug, or associate it with ppc64el only?

It may be an issue with insufficient resources but I'm not sure, and I'm a bit
out of ideas on how to fix this...

Bug#861431: restic: Rebuild needed for CVE-2017-3204; #859655

2017-04-28 Thread Michael Lustfield
Package: restic
Justification: renders package unusable
Tags: security
Severity: grave

A CVE was issued for golang-go.crypto which is a build dependency of this
package. While attempting a rebuild of restic against this updated crypto
library, I ran into a build failure. This failure did not seem to come from the
changes made in the crypto library.

I have attached the build log from that failure, as generated by sbuild. The
error indicated it may be a simple solution, but I'm lacking the time to dig
into it. I saw no build failure when testing the change in unstable.

Thanks,
-- 
Michael Lustfield

