Re: fluidsynth 2.0
Hello Felipe,

thanks for the explanation.

Currently I'm a bit too busy to take care of this.

Version 2.0 introduced a seek function (among other changes). This seek function was originally implemented by Willem Vree and is available on his website in the form of modified files for an older fluidsynth version. There is also a Python binding which needs this seek function.

Someone else suggested to integrate the seek function into fluidsynth, but the upstream maintainer requested changes to the code. Willem Vree found some problems with the modified implementation compared to his original one, at least on his system.

Unfortunately I was not yet able to reproduce the problems. My system is different, maybe the problem occurs only in a certain environment. I plan to prepare newer hardware for re-testing and solving the problems in the seek function.

Felipe Sateler wrote:

> On Fri, Oct 26, 2018 at 5:05 AM Bodo Meißner wrote:
>
> > Is there a way to handle incompatible and conflicting libfluidsynth-dev versions?
> > For example source package A build-depends on libfluidsynth-dev <2.0.0, source package B and build-depends on libfluidsynth-dev >= 2.0.0?
> > Until now I didn't find information about this topic. Links to related documentation are welcome.
>
> But does it make any sense to keep both versions? Does fluidsynth upstream plan to continue supporting both?

fluidsynth.org shows only releases for version 2.0 after 1.1.11 (May 2018) and the 1.1.x releases are mainly bugfixes, so there doesn't seem to be any current development for 1.x. I agree that at some time all applications should switch to fluidsynth 2.0.

> I think the first step would be to prepare a package targeting experimental, see how much stuff fails to build and how hard it is to fix. With that info, it can be decided if it's best to keep both or port all apps to version 2.0.

I think I will dig into the problems with the seek function first because that's what is needed to use fluidsynth for EasyABC which I'm interested in.

Best regards,
Bodo
Re: fluidsynth 2.0
(Sorry, this seems to have gotten stuck in the drafts folder)

On Fri, Oct 26, 2018 at 5:05 AM Bodo Meißner wrote:

> Hello Felipe,
>
> thanks for the hint.
>
> Quoting Felipe Sateler:
>
> > I think the more relevant question is whether version 2.0.0 introduced any
> > backwards-incompatible change.
>
> According to the documentation, version 2.0.0 introduced incompatible
> API changes, not only adding new functions.

Bummer. Hopefully the API changes don't impact everyone.

> > If so, then it probably needs fixing in all
> > reverse dependencies before it can be updated.
>
> For the binary library this can probably be handled by installing both
> libfluidsynth1 and libfluidsynth2 packages.

Right.

> Is there a way to handle incompatible and conflicting
> libfluidsynth-dev versions?
> For example source package A build-depends on libfluidsynth-dev
> <2.0.0, source package B and build-depends on libfluidsynth-dev >=
> 2.0.0?
> Until now I didn't find information about this topic. Links to related
> documentation are welcome.

But does it make any sense to keep both versions? Does fluidsynth upstream plan to continue supporting both?

> Or does this mean that all packages that build-depend on
> libfluidsynth-dev would have to be changed to use version >= 2.0.0?

I think this is the more viable option. The number of packages is not large (I see 24), and many are maintained here in this team.

I think the first step would be to prepare a package targeting experimental, see how much stuff fails to build and how hard it is to fix. With that info, it can be decided if it's best to keep both or port all apps to version 2.0.

--
Saludos,
Felipe Sateler
Bug#915763: faac: CVE-2018-19886 CVE-2018-19887 CVE-2018-19889 CVE-2018-19890 CVE-2018-19891
Source: faac
Version: 1.29.9.2-2
Severity: important
Tags: security upstream

Hi,

The following vulnerabilities were published for faac.

CVE-2018-19886[0]:
| An invalid memory address dereference was discovered in the huffcode
| function (libfaac/huff2.c) in Freeware Advanced Audio Coder (FAAC)
| 1.29.9.2. The vulnerability causes a segmentation fault and application
| crash, which leads to denial of service in the book 8 case.

CVE-2018-19887[1]:
| An invalid memory address dereference was discovered in the huffcode
| function (libfaac/huff2.c) in Freeware Advanced Audio Coder (FAAC)
| 1.29.9.2. The vulnerability causes a segmentation fault and application
| crash, which leads to denial of service in the book 4 case.

CVE-2018-19889[2]:
| An invalid memory address dereference was discovered in the huffcode
| function (libfaac/huff2.c) in Freeware Advanced Audio Coder (FAAC)
| 1.29.9.2. The vulnerability causes a segmentation fault and application
| crash, which leads to denial of service in the book 6 case.

CVE-2018-19890[3]:
| An invalid memory address dereference was discovered in the huffcode
| function (libfaac/huff2.c) in Freeware Advanced Audio Coder (FAAC)
| 1.29.9.2. The vulnerability causes a segmentation fault and application
| crash, which leads to denial of service in the book 2 case.

CVE-2018-19891[4]:
| An invalid memory address dereference was discovered in the huffcode
| function (libfaac/huff2.c) in Freeware Advanced Audio Coder (FAAC)
| 1.29.9.2. The vulnerability causes a segmentation fault and application
| crash, which leads to denial of service in the book 10 case.

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19886
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19886
[1] https://security-tracker.debian.org/tracker/CVE-2018-19887
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19887
[2] https://security-tracker.debian.org/tracker/CVE-2018-19889
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19889
[3] https://security-tracker.debian.org/tracker/CVE-2018-19890
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19890
[4] https://security-tracker.debian.org/tracker/CVE-2018-19891
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19891

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
Bug#915760: vlc: CVE-2018-19857
Source: vlc
Version: 3.0.4-3
Severity: important
Tags: patch security upstream

Hi,

The following vulnerability was published for vlc.

CVE-2018-19857[0]:
| The CAF demuxer in modules/demux/caf.c in VideoLAN VLC media player
| 3.0.4 may read memory from an uninitialized pointer when processing
| magic cookies in CAF files, because a ReadKukiChunk() cast converts a
| return value to an unsigned int even if that value is negative. This
| could result in a denial of service and/or a potential infoleak.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19857
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19857
[1] https://dyntopia.com/advisories/013-vlc
[2] https://git.videolan.org/?p=vlc.git;a=commit;h=0cc5ea748ee5ff7705dde61ab15dff8f58be39d0

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
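
An added illustration of the defect class named in the CVE-2018-19857 description above (a negative return value converted to unsigned int before it is checked), with the flawed check beside a hardened one. This is constructed example code, not the VLC source or its patch; `stream_t`, `stream_peek`, `accepts_flawed` and `accepts_checked` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a stream "peek" call (hypothetical, not VLC's API):
 * on success it points *out at the data and returns the bytes available,
 * on failure it returns -1 and leaves *out untouched. */
typedef struct { const uint8_t *data; size_t len; int fail; } stream_t;

static int stream_peek(const stream_t *s, const uint8_t **out, size_t want)
{
    if (s->fail)
        return -1;
    *out = s->data;
    return (int)(s->len < want ? s->len : want);
}

/* Flawed: -1 converts to UINT_MAX, so the short-read test never fires on
 * error and the caller goes on to use a pointer that was never set.
 * Returns 1 if the read is accepted, 0 if it is rejected. */
static int accepts_flawed(const stream_t *s, const uint8_t **out, unsigned want)
{
    return (unsigned)stream_peek(s, out, want) >= want;
}

/* Hardened: check the sign first, convert only a known non-negative count. */
static int accepts_checked(const stream_t *s, const uint8_t **out, unsigned want)
{
    int got = stream_peek(s, out, want);
    return got >= 0 && (unsigned)got >= want;
}

int main(void)
{
    static const uint8_t cookie[4] = { 1, 2, 3, 4 };   /* constructed sample */
    stream_t ok = { cookie, sizeof cookie, 0 };
    stream_t failing = { NULL, 0, 1 };                 /* peek reports an error */
    const uint8_t *p = NULL;

    printf("failing stream: flawed=%d checked=%d\n",
           accepts_flawed(&failing, &p, 4), accepts_checked(&failing, &p, 4));
    printf("good stream:    flawed=%d checked=%d\n",
           accepts_flawed(&ok, &p, 4), accepts_checked(&ok, &p, 4));
    return 0;
}
```

Compilers flag this pattern with `-Wsign-compare` or `-Wsign-conversion` only when the conversion is implicit; an explicit cast like the one in `accepts_flawed` silences them, so it has to be caught in review.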
Bug#915349: marked as done (giada FTBFS with juce 5.4.1)
Your message dated Thu, 6 Dec 2018 15:37:38 +0100 with message-id and subject line Re: giada FTBFS with juce 5.4.1 has caused the Debian Bug report #915349, regarding giada FTBFS with juce 5.4.1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
915349: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915349
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: giada
Version: 0.15.2+ds1-1
Severity: serious
Tags: ftbfs

https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/giada.html

...
In file included from src/deps/juce/modules/juce_audio_processors/juce_audio_processors.cpp:164:
src/deps/juce/modules/juce_audio_processors/format_types/juce_VSTPluginFormat.cpp:49:10: fatal error: pluginterfaces/vst2.x/aeffect.h: No such file or directory
 #include
 ^
compilation terminated.
make[2]: *** [Makefile:5250: src/deps/juce/modules/juce_audio_processors/giada-juce_audio_processors.o] Error 1
--- End Message ---

--- Begin Message ---
On Sun, 02 Dec 2018 23:47:33 +0200 Adrian Bunk wrote:
> Source: giada
> Version: 0.15.2+ds1-1
> Severity: serious
> Tags: ftbfs
>
> https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/giada.html
>
> ...
> In file included from
> src/deps/juce/modules/juce_audio_processors/juce_audio_processors.cpp:164:
> src/deps/juce/modules/juce_audio_processors/format_types/juce_VSTPluginFormat.cpp:49:10:
> fatal error: pluginterfaces/vst2.x/aeffect.h: No such file or directory
> #include
> ^
> compilation terminated.
> make[2]: *** [Makefile:5250:
> src/deps/juce/modules/juce_audio_processors/giada-juce_audio_processors.o]
> Error 1
>

this was caused by #913915 in the juce package.
i've reverted the upload of juce to the last-known-good version that supports VST2, which fixes the FTBFS for giada for now.
(in the meantime, i'm doing some research on how to fix the underlying issue).

fgasdmr
IOhannes
--- End Message ---
o2_1.0~repack-1_amd64.changes ACCEPTED into unstable, unstable
Accepted:

Format: 1.8
Date: Tue, 04 Dec 2018 14:48:05 +0100
Source: o2
Binary: libo2-dev libo2
Architecture: source amd64
Version: 1.0~repack-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers
Changed-By: IOhannes m zmölnig (Debian/GNU)
Description:
 libo2 - next generation communication protocol for music systems
 libo2-dev - next generation communication protocol for music systems - develo
Closes: 915265
Changes:
 o2 (1.0~repack-1) unstable; urgency=medium
 .
 * Initial release. (Closes: #915265)

Thank you for your contribution to Debian.
pd-csound_1.01.0-1_amd64.changes ACCEPTED into unstable, unstable
Accepted:

Format: 1.8
Date: Wed, 05 Dec 2018 09:32:13 +0100
Source: pd-csound
Binary: pd-csound
Architecture: source amd64
Version: 2:1.01.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers
Changed-By: IOhannes m zmölnig (Debian/GNU)
Description:
 pd-csound - Csound external for Pure Data
Closes: 915553
Changes:
 pd-csound (2:1.01.0-1) unstable; urgency=medium
 .
 * Initial release. (Closes: #915553)
 * Use epoch (2) in version number, since 'pd-csound' used to be part of the 'csound' package, until csound_1:6.10.0~dfsg-2

Thank you for your contribution to Debian.