Re: left mouse click
Hi,

On Thu, 2016-06-09 at 19:34 -0500, Ryan Eads Sr. wrote:
> Debian-release Team,
>
> I have had a continuing problem with Debian since Debian 7, the
> left mouse click is not being recognized. It is fine after a reboot,
> but shortly after using the mouse the left click will be recognized. It

I'm afraid that we're unable to offer end-user support; please see https://www.debian.org/support for some further suggestions.

Regards,

Adam
left mouse click
Debian-release Team,

I have had a continuing problem with Debian since Debian 7, the left mouse click is not being recognized. It is fine after a reboot, but shortly after using the mouse the left click will be recognized. It has been undetermined as to what causes the problem. This situation has occurred on 3 different motherboards: 2 AMD, and on my new ASRock Intel H97 Anniversary with a i3core 3.7mHz cpu, 3 different wireless mice, and 3 different wired mice. It seems that any flavor of Debian based on 7 (Ubuntu, Puppy, Mint) and after has this same problem, I know it is not a hardware issue all the components have worked great before when running Debian 6.

I really need my computer to function for school study, and for my job. Right now I am using Windows 7 Home Premium (for which I REALLY DISLIKE). I have listed a bug report in the past and asked on the various Debian and Linux forums, but no answers. I do not run half breed machines. I run one and only one OS on my machines. When I run Linux there is no Windows partition.

Please help!

Thank you,
Ryan K. Eads
Bug#826714: jessie-pu: package biber/1.9-3+deb8u1
On Thu, Jun 09, 2016 at 10:00:18PM +0100, Adam D. Barratt wrote:
> On Wed, 2016-06-08 at 10:34 +0100, Dominic Hargreaves wrote:
> > As per #826667 the last perl update unfortunately broke biber too
> > (at least it causes a test failure; the actual cause is a bit unclear,
> > but the fix is taken straight from the upstream perl 5.22 fixes).
>
> Do we know what the specific failure is? It wasn't very clear from the
> log (or I was misreading).

I don't think anyone really knows more than what's on the bug log. There was some suggestion that really the bug is in perl, but I don't think it's been reported as such upstream - and it does seem to only affect this particular case.

Dominic.
NEW changes in stable-new
Processing changes file: cmake_3.0.2-1+deb8u1_amd64.changes ACCEPT
Processing changes file: e2fsprogs_1.42.12-2_i386.changes ACCEPT
Processing changes file: p7zip_9.20.1~dfsg.1-4.1+deb8u2_allonly.changes ACCEPT
Processing changes file: p7zip_9.20.1~dfsg.1-4.1+deb8u2_amd64.changes ACCEPT
Processing changes file: p7zip_9.20.1~dfsg.1-4.1+deb8u2_arm64.changes ACCEPT
Processing changes file: p7zip_9.20.1~dfsg.1-4.1+deb8u2_armel.changes ACCEPT
Processing changes file: p7zip_9.20.1~dfsg.1-4.1+deb8u2_armhf.changes ACCEPT
Processing changes file: p7zip_9.20.1~dfsg.1-4.1+deb8u2_i386.changes ACCEPT
Processing changes file: p7zip_9.20.1~dfsg.1-4.1+deb8u2_mips.changes ACCEPT
Processing changes file: p7zip_9.20.1~dfsg.1-4.1+deb8u2_mipsel.changes ACCEPT
Processing changes file: p7zip_9.20.1~dfsg.1-4.1+deb8u2_powerpc.changes ACCEPT
Processing changes file: p7zip_9.20.1~dfsg.1-4.1+deb8u2_ppc64el.changes ACCEPT
Processing changes file: p7zip_9.20.1~dfsg.1-4.1+deb8u2_s390x.changes ACCEPT
Processing changes file: vorbis-tools_1.4.0-6+deb8u1_amd64.changes ACCEPT
Re: openjpeg / stretch
On 09/06/16 10:37, Mathieu Malaterre wrote: > On Thu, Jun 2, 2016 at 9:03 AM, Mathieu Malaterre wrote: >> On Wed, Jun 1, 2016 at 7:10 PM, Emilio Pozuelo Monfort >> wrote: >>> On 31/05/16 12:00, Mathieu Malaterre wrote: [adding debian-release] Hi, On Thu, May 12, 2016 at 12:48 PM, Mathieu Malaterre wrote: > Hi, > > On Thu, May 12, 2016 at 12:16 PM, Moritz Muehlenhoff > wrote: >> Hi, >> in jessie we have the unfortunate situation of having two copies of >> openjpeg in the archive src:openjpeg and src:openjpeg2. Can you get >> rid of openjpeg for stretch? We accept two source packages for transition >> purposes, but these need to be sorted out by the subsequent release. > > That does not seems doable [*]. openjpeg 1.x and openjpeg 2.x have > different API, and it requires a significant effort to move from one > API to the other. Without upstream help from each packages, this > cannot possibly be done (at least by me). > > If someone wants to volunteer, some projects have successfully moved > from openjpeg 1.x to openjpeg 2.x (from the top of my head: > mupdf/gdal/leptonlib) so some projects may have code so that they > compile against either openjpeg 1.x or openjpeg 2.x using #idef > triggered during configuration time. > > The other option is to deactivate JPEG 2000 support from those > packages. imagemagick (accidentally) removed support for JPEG 2000 > (#773530) and no one complained so far. Actually the issue is maybe a little more than just a security concern. See the bug report #825907. >>> >>> Is openjpeg not using versioned symbols? >> >> No (very very few packages are actually using this trick AFAIK). >> I'll leave it to debian-release to decide the severity of this bug. Meanwhile I'll track package(s) still using OpenJPEG 1.5.x API. 
>>> >>> You can do like it is being done for jasper: file bugs with >>> severity:important >>> against all the rdeps, telling them we want to remove openjpeg from Stretch >>> for >>> security reasons, and that the bugs will get bumped to RC in some time. >>> Then we >>> can see how things evolve and what to do next. >>> >>> See >>> >>> https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=jasper-rm;users=j...@debian.org >>> https://release.debian.org/transitions/html/jasper-rm.html >>> https://lists.debian.org/debian-release/2016/03/msg6.html >>> >>> How does that sound? >> >> Sound good! Severity: important is not too annoying for packager, but >> clear enough. I'll do that ASAP. > > Done: > > https://udd.debian.org/cgi-bin/bts-usertags.cgi?tag=stretch2000&user=malat%40debian.org Thanks. I have created https://release.debian.org/transitions/html/openjpeg-rm.html Emilio
Bug#826829: jessie-pu: package vorbis-tools/1.4.0-6+deb8u1
Control: tags -1 + pending

On Thu, 2016-06-09 at 12:22 +0200, Petter Reinholdtsen wrote:
> [Adam D. Barratt]
> > Please go ahead.
>
> Thank you. I uploaded the package a few seconds ago, and pushed the tag
> to git.

Flagged for acceptance.

Regards,

Adam
Processed: Re: Bug#826829: jessie-pu: package vorbis-tools/1.4.0-6+deb8u1
Processing control commands:

> tags -1 + pending
Bug #826829 [release.debian.org] jessie-pu: package vorbis-tools/1.4.0-6+deb8u1
Added tag(s) pending.

--
826829: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826829
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#826714: jessie-pu: package biber/1.9-3+deb8u1
On Wed, 2016-06-08 at 10:34 +0100, Dominic Hargreaves wrote:
> As per #826667 the last perl update unfortunately broke biber too
> (at least it causes a test failure; the actual cause is a bit unclear,
> but the fix is taken straight from the upstream perl 5.22 fixes).

Do we know what the specific failure is? It wasn't very clear from the log (or I was misreading).

Regards,

Adam
Bug#826335: jessie-pu: package e2fsprogs/1.42.12-2
Control: tags -1 + pending

On Tue, 2016-06-07 at 19:11 -0400, Theodore Ts'o wrote:
> On Tue, Jun 07, 2016 at 07:30:33PM +0100, Adam D. Barratt wrote:
> >
> > It's on my to-do list to review.
> >
> > fwiw there's not been any need to formally acknowledge NMUs via closing
> > bugs in the changelog since the BTS gained version-tracking some years
> > ago, so long as the changelog for the subsequent upload incorporates the
> > stanza from the NMU.
>
> OK, I'll wait for you to give me a formal review of things you'd like
> change, and then I'll re-upload at that time.

After some consideration, I've decided that I'm okay with accepting the fixes as uploaded, and as the package has already been uploaded it's not worth a reject-and-reupload cycle purely for the package version; please bear the convention in mind for any future uploads.

Regards,

Adam
Processed: Re: Bug#826335: jessie-pu: package e2fsprogs/1.42.12-2
Processing control commands:

> tags -1 + pending
Bug #826335 [release.debian.org] jessie-pu: package e2fsprogs/1.42.12-2
Added tag(s) pending.

--
826335: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826335
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#826662: jessie-pu: package cmake/3.0.2-1+deb8u1
Processing control commands:

> tags -1 + pending
Bug #826662 [release.debian.org] jessie-pu: package cmake/3.0.2-1+deb8u1
Added tag(s) pending.

--
826662: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826662
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#826662: jessie-pu: package cmake/3.0.2-1+deb8u1
Control: tags -1 + pending

On Tue, 2016-06-07 at 16:55 +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On 2016-06-07 16:22, Felix Geyer wrote:
> > The openssl 1.0.1t stable update broke the FindOpenSSL module in cmake.
>
> It really seems like there should be a better way of implementing that
> logic...
>
> Please go ahead.

Uploaded and flagged for acceptance.

Regards,

Adam
Bug#825342: mips/mipsel: make sure all packages built with fpxx enabled
On 07/06/16 19:38, YunQiang Su wrote: > After the 1st step of binNMU of mipsel (mips is still running), mips is finally catching up. > We still have these package having problem: > geoclue: give up > libhtp: give up Not sure what you mean by "give up". Did you see my question in the previous mail? > libc++: clang not enable FPXX by default Did you file a bug for this? > The attachment is the list --- more than 3000 packages. > Sorry for the previous wrong estimation. That list contains e.g. gtk+3.0, but that was rebuilt 8 days ago. Why is it on the list? I thought we had been building with FPXX enabled for months. I'm wondering if this 3k list is accurate or there are many false positives in there. Cheers, Emilio
Re: Bug#825534: jessie-pu: package backuppc/3.3.0-2
On Thu, 09 Jun 2016, Ludovic Drolez wrote: > Hi! > > I'm ready to upload a new package without the patch below. Note that defined(@array) is failing with Perl in stretch... that might be why the patch got added in the packaging. (But in any case the test is useless with "@Backups > 0" being equivalent or stricter.) > > > +++ backuppc-3.3.0/lib/BackupPC/CGI/Browse.pm > > > @@ -65,7 +65,7 @@ > > > # > > > # default to the newest backup > > > # > > > -if ( !defined($In{num}) && defined(@Backups) && @Backups > 0 ) { > > > +if ( !defined($In{num}) && @Backups && @Backups > 0 ) { -- Raphaël Hertzog ◈ Debian Developer Support Debian LTS: http://www.freexian.com/services/debian-lts.html Learn to master Debian: http://debian-handbook.info/get/
Bug#826829: jessie-pu: package vorbis-tools/1.4.0-6+deb8u1
[Adam D. Barratt]
> Please go ahead.

Thank you. I uploaded the package a few seconds ago, and pushed the tag to git.

--
Happy hacking
Petter Reinholdtsen
Bug#826829: jessie-pu: package vorbis-tools/1.4.0-6+deb8u1
Control: tags -1 + confirmed

On 2016-06-09 9:36, Petter Reinholdtsen wrote:
> On my Debian Jessie machine, three security issues in one of the
> packages I maintain are reported by debsecan:
> https://security-tracker.debian.org/tracker/CVE-2014-9638
> https://security-tracker.debian.org/tracker/CVE-2014-9639
> https://security-tracker.debian.org/tracker/CVE-2015-6749
> In addition there is a RC bug with vcut affecting stable (#818037).

Please go ahead.

Regards,

Adam
Processed: Re: Bug#826829: jessie-pu: package vorbis-tools/1.4.0-6+deb8u1
Processing control commands:

> tags -1 + confirmed
Bug #826829 [release.debian.org] jessie-pu: package vorbis-tools/1.4.0-6+deb8u1
Added tag(s) confirmed.

--
826829: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826829
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#826829: jessie-pu: package vorbis-tools/1.4.0-6+deb8u1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-CC: pkg-xiph-ma...@lists.alioth.debian.org

On my Debian Jessie machine, three security issues in one of the packages I maintain are reported by debsecan:

https://security-tracker.debian.org/tracker/CVE-2014-9638
https://security-tracker.debian.org/tracker/CVE-2014-9639
https://security-tracker.debian.org/tracker/CVE-2015-6749

In addition there is a RC bug with vcut affecting stable (#818037).

Some of the issues were fixed in Squeeze by the LTS team (DLA-317-1), but have not yet been fixed in Jessie. I would like to get it fixed in stable too, to get it out of my debsecan list.

The attached patch is based on the patches in unstable, and should solve the problems.

I asked on #debian-security if they wanted to do a DSA, but they recommended I should use the procedure from https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable.

Is it OK to upload the fix for stable?

-- System Information:
Debian Release: 8.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=no_NO (charmap=locale: Cannot set LC_MESSAGES to default locale: No such file or directory locale: Cannot set LC_ALL to default locale: No such file or directory ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff --git a/debian/changelog b/debian/changelog index 8f795aa..7d414db 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,17 @@ +vorbis-tools (1.4.0-6+deb8u1) jessie; urgency=low + + [ Petter Reinholdtsen ] + * Add gbp.conf file documenting git branch to use for updates to Jessie. + * oggenc: Fix large alloca on bad AIFF input to oggenc (CVE-2015-6749). +(Closes: 797461) + * oggenc: Validate count of channels in the header (CVE-2014-9638, CVE-2014-9639). +(Closes: 776086) + + [ Martin Steghöfer ] + * Fix segmentation fault in vcut (Closes: #818037) + + -- Petter Reinholdtsen Thu, 09 Jun 2016 10:18:53 +0200 + vorbis-tools (1.4.0-6) unstable; urgency=low [ Martin Steghöfer ] diff --git a/debian/gbp.conf b/debian/gbp.conf new file mode 100644 index 000..3926a07 --- /dev/null +++ b/debian/gbp.conf @@ -0,0 +1,3 @@ +[DEFAULT] +debian-branch = debian/jessie +pristine-tar = True diff --git a/debian/patches/0015-Fix-Large-alloca-on-bad-AIFF-input-CVE-2015-6749.patch b/debian/patches/0015-Fix-Large-alloca-on-bad-AIFF-input-CVE-2015-6749.patch new file mode 100644 index 000..bd212f9 --- /dev/null +++ b/debian/patches/0015-Fix-Large-alloca-on-bad-AIFF-input-CVE-2015-6749.patch 
@@ -0,0 +1,37 @@ +Description: oggenc: Fix large alloca on bad AIFF input + This is CVE-2015-6749. +Author: Mark Harris + +Bug-Debian: https://bugs.debian.org/797461 +Forwarded: https://trac.xiph.org/ticket/2212 +Reviewed-By: Petter Reinholdtsen +Last-Update: 2015-09-22 + +diff --git a/oggenc/audio.c b/oggenc/audio.c +index 22bbed4..05e42b3 100644 +--- a/oggenc/audio.c b/oggenc/audio.c +@@ -245,8 +245,8 @@ static int aiff_permute_matrix[6][6] = + int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen) + { + int aifc; /* AIFC or AIFF? */ +-unsigned int len; +-unsigned char *buffer; ++unsigned int len, readlen; ++unsigned char buffer[22]; + unsigned char buf2[8]; + aiff_fmt format; + aifffile *aiff = malloc(sizeof(aifffile)); +@@ -269,9 +269,9 @@ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen) + return 0; /* Weird common chunk */ + } + +-buffer = alloca(len); +- +-if(fread(buffer,1,len,in) < len) ++readlen = len < sizeof(buffer) ? len : sizeof(buffer); ++if(fread(buffer,1,readlen,in) < readlen || ++ (len > readlen && !seek_forward(in, len-readlen))) + { + fprintf(stderr, _("Warning: Unexpected EOF in reading AIFF header\n")); + return 0; diff --git a/debian/patches/0016-Validate-channel-count-in-audio-header.patch b/debian/patches/0016-Validate-channel-count-in-audio-header.patch new file mode 100644 index 000..4a40846 --- /dev/null +++ b/debian/patches/0016-Validate-channel-count-in-audio-header.patch 
@@ -0,0 +1,82 @@ +Description: oggenc: validate count of channels in the header + Fixes CVE-2014-9638 and CVE-2014-9639. +Author: Kamil Dudka kdudka at redhat.com +Bug-Debian: https://bugs.debian.org/ + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: http://lists.xiph.org/pipermail/vorbis-dev/2015-February/020423.html +Bug: https://trac.xiph.org/ticket/2136 +Bug: https://trac.xiph.org/ticket/2137 +Bug-Debian: https://bugs.debian.org/776086 +Forwarded: not-needed +Reviewed-By: Petter Reinholdtsen +Last-Update: 2015-0
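Review bot: in the debian/changelog hunk, the two oggenc entries close their bugs as `(Closes: 797461)` and `(Closes: 776086)` while the vcut entry uses `(Closes: #818037)`. Use the `#` form on all three so the entries are consistent and easy to grep for.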
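Review bot: in the aiff_open hunks of 0015-Fix-Large-alloca-on-bad-AIFF-input-CVE-2015-6749.patch, `unsigned char buffer[22]` replaces the `alloca(len)` buffer with an unexplained magic number. A short comment or named constant saying which header bytes the 22 cover would let a reader check that every later read from `buffer` stays in bounds. Since `readlen` can be smaller than 22 when `len` is small, it is also worth confirming that the length check above the hunk (only its `return 0; /* Weird common chunk */` is visible) guarantees the bytes parsed afterwards were actually read. A minor point: the "Unexpected EOF" warning is now printed when `seek_forward(in, len-readlen)` fails as well, so the wording no longer matches every path that reaches it.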
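Review bot: the header of 0016-Validate-channel-count-in-audio-header.patch still carries the template paragraph ("The information above should follow the Patch Tagging Guidelines ...") and an empty `Bug-Debian: https://bugs.debian.org/` field ahead of the real `Bug-Debian: https://bugs.debian.org/776086`. Drop the template text and the empty field so the header has a single set of DEP-3 fields, and write the `Author:` line in the same form as the one in 0015.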
Re: openjpeg / stretch
On Thu, Jun 2, 2016 at 9:03 AM, Mathieu Malaterre wrote: > On Wed, Jun 1, 2016 at 7:10 PM, Emilio Pozuelo Monfort > wrote: >> On 31/05/16 12:00, Mathieu Malaterre wrote: >>> [adding debian-release] >>> >>> Hi, >>> >>> On Thu, May 12, 2016 at 12:48 PM, Mathieu Malaterre >>> wrote: Hi, On Thu, May 12, 2016 at 12:16 PM, Moritz Muehlenhoff wrote: > Hi, > in jessie we have the unfortunate situation of having two copies of > openjpeg in the archive src:openjpeg and src:openjpeg2. Can you get > rid of openjpeg for stretch? We accept two source packages for transition > purposes, but these need to be sorted out by the subsequent release. That does not seems doable [*]. openjpeg 1.x and openjpeg 2.x have different API, and it requires a significant effort to move from one API to the other. Without upstream help from each packages, this cannot possibly be done (at least by me). If someone wants to volunteer, some projects have successfully moved from openjpeg 1.x to openjpeg 2.x (from the top of my head: mupdf/gdal/leptonlib) so some projects may have code so that they compile against either openjpeg 1.x or openjpeg 2.x using #idef triggered during configuration time. The other option is to deactivate JPEG 2000 support from those packages. imagemagick (accidentally) removed support for JPEG 2000 (#773530) and no one complained so far. >>> >>> Actually the issue is maybe a little more than just a security >>> concern. See the bug report #825907. >> >> Is openjpeg not using versioned symbols? > > No (very very few packages are actually using this trick AFAIK). > >>> I'll leave it to debian-release to decide the severity of this bug. >>> Meanwhile I'll track package(s) still using OpenJPEG 1.5.x API. >> >> You can do like it is being done for jasper: file bugs with >> severity:important >> against all the rdeps, telling them we want to remove openjpeg from Stretch >> for >> security reasons, and that the bugs will get bumped to RC in some time. 
Then >> we >> can see how things evolve and what to do next. >> >> See >> >> https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=jasper-rm;users=j...@debian.org >> https://release.debian.org/transitions/html/jasper-rm.html >> https://lists.debian.org/debian-release/2016/03/msg6.html >> >> How does that sound? > > Sound good! Severity: important is not too annoying for packager, but > clear enough. I'll do that ASAP. Done: https://udd.debian.org/cgi-bin/bts-usertags.cgi?tag=stretch2000&user=malat%40debian.org
Re: Bug#825534: jessie-pu: package backuppc/3.3.0-2
Hi! I'm ready to upload a new package without the patch below. Best regards, Ludovic > > +++ backuppc-3.3.0/lib/BackupPC/CGI/Browse.pm > > @@ -65,7 +65,7 @@ > > # > > # default to the newest backup > > # > > -if ( !defined($In{num}) && defined(@Backups) && @Backups > 0 ) { > > +if ( !defined($In{num}) && @Backups && @Backups > 0 ) { > -- Ludovic Drolez. http://www.aopensource.com - The Android Open Source Portal http://www.drolez.com - Personal site - Linux and Free Software
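Review bot: in the Browse.pm hunk, the `+` line keeps `@Backups &&` in front of `@Backups > 0`; both evaluate the array's length, so the first test adds nothing. If the patch is kept in any form, the condition can be reduced to `!defined($In{num}) && @Backups > 0`, which also avoids `defined(@Backups)`.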