Re: Bug#508111: devscripts: Insecure tempfile creation (redux).
Hi,

Nico Golde wrote, Monday, December 08, 2008 8:36 AM:
> * Adam D. Barratt [EMAIL PROTECTED] [2008-12-08 09:09]:
> > On Mon, 2008-12-08 at 01:31 +0100, Cyril Brulebois wrote:
> > > [...]
> > > Since the filename is predictable, I guess debsign is vulnerable to
> > > symlink attacks and the like (although I'm no security crack, etc.,
> > > sorry if I'm overthinking the consequences of this bug).
> > I'm not 100% sure myself, to be honest. Security team?
> No this is correct, devscripts is vulnerable to a symlink attack before
> the fix (for example signfile()).

Thanks. The code in question is present in lenny, but not etch. I'm assuming that the changes to devscripts since freeze are far too big for the release team to consider pushing the fixed version in directly so this would require a t-p-u upload or DTSA; I've CCed debian-release for their opinion.

(#507482 relates to a similar issue where a few scripts use $$ when creating temporary directories. That issue is fixed in unstable and affects both etch and lenny, but I'm not sure if it warrants an update to either distribution).

Regards,

Adam

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Freeze exception for wbxml2
Hi,

wbxml2_0.9.2-7 fixes two RC bugs, #506740 and #507689. However, wbxml2_0.9.2-6 is not in lenny yet; -6 contains an additional fix for #497709 which is a one-liner. Unfortunately, -6 also contains a renaming of the patches to let them all have consistent names, which blows up the interdiff.

I believe the fix for #497709 should be included in lenny as well. If the release team does not want to let the patch-renaming in, I could either upload a -8 reverting that (making the interdiff since -5 more manageable), or upload to t-p-u.

Thoughts?

Michael
Re: Bug#508111: devscripts: Insecure tempfile creation (redux).
Hi,

* Adam D. Barratt [EMAIL PROTECTED] [2008-12-08 11:03]:
> Nico Golde wrote, Monday, December 08, 2008 8:36 AM:
> > * Adam D. Barratt [EMAIL PROTECTED] [2008-12-08 09:09]:
> > > On Mon, 2008-12-08 at 01:31 +0100, Cyril Brulebois wrote:
> > > > [...]
> > > > Since the filename is predictable, I guess debsign is vulnerable to
> > > > symlink attacks and the like (although I'm no security crack, etc.,
> > > > sorry if I'm overthinking the consequences of this bug).
> > > I'm not 100% sure myself, to be honest. Security team?
> > No this is correct, devscripts is vulnerable to a symlink attack before
> > the fix (for example signfile()).
>
> Thanks. The code in question is present in lenny, but not etch. I'm
> assuming that the changes to devscripts since freeze are far too big for
> the release team to consider pushing the fixed version in directly so
> this would require a t-p-u upload or DTSA; I've CCed debian-release for
> their opinion.
>
> (#507482 relates to a similar issue where a few scripts use $$ when
> creating temporary directories. That issue is fixed in unstable and
> affects both etch and lenny, but I'm not sure if it warrants an update
> to either distribution).

Just had a look again at this issue. It should be no real problem as mktemp creates the file with safe permissions, so this can't be used to overwrite an arbitrary file. Though mktemp is stuck in an endless loop if there is already a symlink present with the template name.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
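The two tempfile patterns this thread contrasts (a name built from `$$`, as in #507482, beside a mktemp-created one), as an added example that is not devscripts code. The function names and the `debsign.` prefix are assumptions; the check functions show what a caller should verify before trusting the path.

```shell
#!/bin/sh
# Added example, not devscripts code: predictable $$-based temp name
# beside a mktemp-based replacement, plus the checks a caller should run.

# Weak: the name depends only on the PID, so it is guessable, and a plain
# ">" redirection would follow whatever already sits at that path.
# Returned only for comparison; never written to here.
weak_tmpfile_name() {
    echo "${TMPDIR:-/tmp}/debsign.$$"
}

# Success only for an existing regular file that is not a symlink.
check_tmpfile() {
    [ ! -L "$1" ] && [ -f "$1" ]
}

# The private directory must be mode 0700 (owner only). ls -ld output is
# used because it is portable across GNU and BSD ls; trailing "+" or "."
# (ACL/SELinux markers) are tolerated by the glob.
private_dir_mode_ok() {
    case $(ls -ld "$1") in
        drwx------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Hardened: mktemp -d creates a fresh 0700 directory with a random name,
# so nobody else can pre-create an entry inside it. The file is then
# created under umask 077 with noclobber (set -C), which fails instead of
# reusing an existing path, and the result is re-checked before use.
safe_tmpfile() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/debsign.XXXXXX") || return 1
    private_dir_mode_ok "$dir" || { rm -rf "$dir"; return 1; }
    file="$dir/sig"
    ( umask 077; set -C; : > "$file" ) || { rm -rf "$dir"; return 1; }
    check_tmpfile "$file" || { rm -rf "$dir"; return 1; }
    echo "$file"
}
```

The caller is responsible for `rm -rf` of the directory returned by `dirname` of the path (a `trap ... EXIT` in the calling script is the usual place).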
RC#506892 (mpg321): BTS false positive ?
Dear Release team,

I had a look at bts.turmzimmer.net and inspected the following case:

[FREEZE] Package: mpg321 (optional; orphaned) [mpg321/0.2.10.6 ; =] [add/edit comment]
506892 [ t] mpg321: Fails to remove/purge
Reported by: Kurt Roeckx
Date: Tue, 25 Nov 2008 18:06:09 UTC
Severity: serious
Found in version mpg321/0.2.10.5
Fixed in version mpg321/0.2.10.6
Done: Barry deFreese

It seems to be a false positive as the bug is fixed in 0.2.10.6, that migrated to testing according to p.d.o, the PTS and rmadison. Nevertheless, the BTS seems to think that 0.2.10.5 is still in Lenny, if I understand correctly the meaning of the version graph:

digraph G {
mpg321/0.2.10.6 [fillcolor=chartreuse,style=filled,shape=rect,label=mpg321/0.2.10.6\n(unstable)]
mpg321/0.2.10.5 [fillcolor=salmon,style=filled,shape=ellipse,label=mpg321/0.2.10.5\n(testing)]
mpg321/0.2.10.6-mpg321/0.2.10.5 [dir=back]
}

Have a nice day,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan
Unblock request: backupninja 0.9.6-4
Hello!

Please consider unblocking backupninja 0.9.6-4, it has some trivial fixes that would be nice if they were included in Lenny:

* Fix df error message from cron (Closes: #497535)
* Removed Lenny unsupported desturl example (Closes: #507679)
* Fixed Lintian warning: maintainer-script-ignores-errors preinst

As you can see, from the below diff, the changes are quite small:

Index: debian/changelog === --- debian/changelog(revision 622) +++ debian/changelog(revision 626) @@ -1,3 +1,11 @@ +backupninja (0.9.6-4) unstable; urgency=low + + * Fix df error message from cron (Closes: #497535) + * Removed Lenny unsupported desturl example (Closes: #507679) + * Fixed Lintain warning: maintainer-script-ignores-errors preinst + + -- Micah Anderson [EMAIL PROTECTED] Mon, 08 Dec 2008 09:41:22 -0500 + backupninja (0.9.6-3) unstable; urgency=low * Removed configure.ac and regenerate the autoconf junk so Index: debian/backupninja.preinst === --- debian/backupninja.preinst (revision 622) +++ debian/backupninja.preinst (revision 626) @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/sh -e # Remove the erroneous /etc/logrotate.d/backupninja directory if it exists Index: src/backupninja.in === --- src/backupninja.in (revision 622) +++ src/backupninja.in (revision 626) @@ -561,7 +561,7 @@ previous= for i in $(ls $configdirectory); do backuploc=$(grep ^directory $configdirectory/$i | @AWK@ '{print $3}') - if [ $backuploc != $previous ]; then +if [ $backuploc != $previous -a -n $backuploc ]; then df -h $backuploc previous=$backuploc fi Index: examples/example.dup === --- examples/example.dup(revision 622) +++ examples/example.dup(revision 626) 
@@ -120,12 +120,6 @@ #keep = 60 #keep = yes -# full destination URL, in duplicity format; if set, desturl overrides -# sshoptions, destdir, desthost and destuser; it also disables -# testconnect and -# bandwithlimit. For details, see duplicity manpage, section URL -# FORMAT. -#desturl = file:///usr/local/backup -#desturl = rsync://[EMAIL PROTECTED]//var/backup/bla - # bandwith limit, in kbit/s ; default is 0, i.e. no limit #bandwidthlimit = 128
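Review bot: the debian/changelog hunk spells Lintian as "Lintain" in the third bullet of the 0.9.6-4 entry; changelog text is permanent once uploaded, so worth correcting before the upload.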
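Review bot: in the debian/backupninja.preinst hunk, `#!/bin/sh -e` only takes effect when the script is executed through its shebang; if it is ever run as `sh debian/backupninja.preinst` (or sourced), the `-e` is silently dropped. A `set -e` line directly after `#!/bin/sh` gives the same error-exit behaviour in every invocation and is the more robust choice.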
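Review bot: in the src/backupninja.in hunk, the new `-n $backuploc` test does not cover the empty case it is meant to guard, because none of the variables are quoted: with an empty $backuploc the line expands to `[ != $previous -a -n ]`, which is a syntax error in test, so the script still misbehaves on exactly the input #497535 is about. Quote the variables and test for emptiness first, e.g. `if [ -n "$backuploc" ] && [ "$backuploc" != "$previous" ]; then`, and quote `df -h "$backuploc"` and `previous="$backuploc"` in the context lines for the same reason; the `for i in $(ls $configdirectory)` loop above has the same word-splitting problem for names with spaces. The `+if` line also appears to have lost the indentation of the `-if` line it replaces.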
Re: Bug#508111: devscripts: Insecure tempfile creation (redux).
Nico Golde wrote, Mon, 8 Dec 2008 11:25:36 +0100:
> [...]
> Nico Golde wrote, Monday, December 08, 2008 8:36 AM:
> > [...]
> > No this is correct, devscripts is vulnerable to a symlink attack before
> > the fix (for example signfile()).
> [...]
> Just had a look again at this issue. It should be no real problem as
> mktemp creates the file with safe permissions, so this can't be used to
> overwrite an arbitrary file. Though mktemp is stuck in an endless loop if
> there is already a symlink present with the template name.

Thanks. In that case, I don't think this needs any RM action; apologies for the noise.

Adam
Re: Suggestion for removal: acl2.
* Charles Plessy [Wed, 03 Dec 2008 22:57:54 +0900]:
> Dear release team,
> I would like to suggest to remove RC-bugged acl2 package from testing.

Hello, Charles, a removal hint was added by Luk yesterday.

Cheers,

-- 
Adeodato Simó                                     dato at net.com.org.es
Debian Developer                                  adeodato at debian.org

Listening to: Marina Rossell - Rumba dels 60
Re: Please unblock nvidia-cg-toolkit 2.0.0015.deb3
* Andres Mejia [Sat, 06 Dec 2008 09:29:49 -0500]:
> I'm not sure what happened to my last email. Please unblock
> nvidia-cg-toolkit 2.0.0015.deb3.

Done by Luk in the other thread AFAICS.

-- 
Adeodato Simó                                     dato at net.com.org.es
Debian Developer                                  adeodato at debian.org

Listening to: Marina Rossell - Rumba de Barcelona
Re: collectd-4.4.2-3 for Lenny?
On Sun, Dec 07, 2008 at 04:55:01PM +0100, Sebastian Harl wrote:
> So, this only touches translations and documentation. It would be nice
> if you would unblock collectd-4.4.2-3.

Done.

Kind regards,
Philipp Kern

-- 
 .''`.  Philipp Kern                        Debian Developer
: :' :  http://philkern.de                  Release Assistant
`. `'   xmpp:[EMAIL PROTECTED]              Stable Release Manager
  `-    finger pkern/[EMAIL PROTECTED]
Re: Request for binNMU of clamfs 0.9.1-3
* Krzysztof Burghardt [Sun, 07 Dec 2008 20:47:08 +0100]:
> Hello RMs,
> I kindly request rebuild of clamfs on all architectures. This is needed
> to fix dependency problems after libpoco's components soname change [1].
>
> clamfs_0.9.1-3, Rebuild against newer libpoco fixes #507711, 1, alpha
> amd64 arm armel hppa i386 ia64 mips mipsel powerpc s390 sparc

Scheduled. binNMUs can't close bugs, doing that with this message.

-- 
Adeodato Simó                                     dato at net.com.org.es
Debian Developer                                  adeodato at debian.org

Listening to: Marina Rossell - La guerra de Cuba
Re: RC#506892 (mpg321): BTS false positive ?
Charles Plessy wrote:
> Dear Release team,
> I had a look at bts.turmzimmer.net and inspected the following case:

There are multiple instances of these and indeed it's not the sync script on bts.turmzimmer.net, but the BTS that is out of date.

Cheers

Luk

> [FREEZE] Package: mpg321 (optional; orphaned) [mpg321/0.2.10.6 ; =] [add/edit comment]
> 506892 [ t] mpg321: Fails to remove/purge
> Reported by: Kurt Roeckx
> Date: Tue, 25 Nov 2008 18:06:09 UTC
> Severity: serious
> Found in version mpg321/0.2.10.5
> Fixed in version mpg321/0.2.10.6
> Done: Barry deFreese
>
> It seems to be a false positive as the bug is fixed in 0.2.10.6, that
> migrated to testing according to p.d.o, the PTS and rmadison.
> Nevertheless, the BTS seems to think that 0.2.10.5 is still in Lenny, if
> I understand correctly the meaning of the version graph:
>
> digraph G {
> mpg321/0.2.10.6 [fillcolor=chartreuse,style=filled,shape=rect,label=mpg321/0.2.10.6\n(unstable)]
> mpg321/0.2.10.5 [fillcolor=salmon,style=filled,shape=ellipse,label=mpg321/0.2.10.5\n(testing)]
> mpg321/0.2.10.6-mpg321/0.2.10.5 [dir=back]
> }
>
> Have a nice day,
Re: [SRM] graphviz stable update for CVE-2008-4555
On Mon, Dec 08, 2008 at 06:46:04AM +0100, Cyril Brulebois wrote:
> according to the Security Team, this issue (CVE-2008-4555 [1]) doesn't
> warrant a DSA, so I'm proposing the following source debdiff. I'm
> excluding config.{guess,sub} update from it.

And sorry for the delay. Please go ahead.

Kind regards,
Philipp Kern

-- 
 .''`.  Philipp Kern                        Debian Developer
: :' :  http://philkern.de                  Release Assistant
`. `'   xmpp:[EMAIL PROTECTED]              Stable Release Manager
  `-    finger pkern/[EMAIL PROTECTED]
libgoocanvas-dev
Hello,

would it be possible to upgrade this package - libgoocanvas-dev - to the latest version 0.13?

http://bjorn.haxx.se/debian/testing.pl?package=libgoocanvas-dev

thank you in advance

Zeev Pekar
Re: Accepted suitesparse 3.2.0-1 (source all i386)
Hi,

Christophe Prud'homme wrote:
> suitesparse (3.2.0-1) unstable; urgency=low

WTF?

> Accepted:
> libsuitesparse-3.2.0_3.2.0-1_i386.deb to pool/main/s/suitesparse/libsuitesparse-3.2.0_3.2.0-1_i386.deb
> libsuitesparse-dbg_3.2.0-1_i386.deb to pool/main/s/suitesparse/libsuitesparse-dbg_3.2.0-1_i386.deb
> libsuitesparse-dev_3.2.0-1_i386.deb to pool/main/s/suitesparse/libsuitesparse-dev_3.2.0-1_i386.deb
> libsuitesparse-doc_3.2.0-1_all.deb to pool/main/s/suitesparse/libsuitesparse-doc_3.2.0-1_all.deb
> suitesparse_3.2.0-1.diff.gz to pool/main/s/suitesparse/suitesparse_3.2.0-1.diff.gz
> suitesparse_3.2.0-1.dsc to pool/main/s/suitesparse/suitesparse_3.2.0-1.dsc
> suitesparse_3.2.0.orig.tar.gz to pool/main/s/suitesparse/suitesparse_3.2.0.orig.tar.gz

Nice. Uploading a NEW PACKAGE NAME version of suitesparse, breaking all of the following reverse-deps:

[EMAIL PROTECTED]:~$ grep-available -FDepends libsuitesparse-3.1.0 -sPackage
Package: libsuitesparse-dev
Package: illuminator-demo
Package: libluminate7
Package: python-scipy
Package: libpetsc2.3.3
Package: openoffice.org-calc
Package: lp-solve
Package: octave3.0
Package: octave3.1
Package: python-sparse
Package: freemat
Package: libsuitesparse-dbg

(and openoffice.org-core in turn depends on lp-solve).

When those now get rebuilt in sid against the new suitesparse (and they need to because they will become uninstallable when libsuitesparse-3.1.0 semi-automatically get removed) they can't be fixed via sid anymore.

Did you EVER hear of the freeze? Upload such stuff to experimental.

Anyway, we discussed that quickly on #debian-release. Reverted. Will NMU with epoch uploading 3.1.0 again.

Grüße/Regards,

René

-- 
 .''`.  René Engelhard -- Debian GNU/Linux Developer
: :' :  http://www.debian.org | http://people.debian.org/~rene/
`. `'   [EMAIL PROTECTED] | GnuPG-Key ID: 248AEB73
  `-    Fingerprint: 41FA F208 28D4 7CA5 19BB 7AD9 F859 90B0 248A EB73
Re: bts.turmzimmer.net not updating
On Tue, Dec 9, 2008 at 1:05 PM, Ben Hutchings [EMAIL PROTECTED] wrote:
> I noticed that bts.turmzimmer.net is showing stale information for some
> bugs. Firstly it's missing tags that I added yesterday, but I also found
> several fixed and reassigned bugs that had old information. So I think it
> is not being updated at all. Did a cron job break?

See [EMAIL PROTECTED]:

http://lists.debian.org/debian-release/2008/12/msg00190.html

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
Apt built but not installed on alpha, prevents fixing RC bug in Lenny.
Dear Alpha buildd admins,

apt is built on alpha but not installed:

http://buildd.debian.org/pkg.cgi?pkg=apt

It prevents the propagation of version 0.7.19 to Lenny, which fixes the RC bug http://bugs.debian.org/463030

Can you do something?

Have a nice day,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan