Re: Porter roll call for Debian Stretch
John Paul Adrian Glaubitz wrote...
> On 09/20/2016 11:16 PM, Niels Thykier wrote:
> > - powerpc: No porter (RM blocker)
>
> I'd be happy to pick up powerpc to keep it for Stretch. I'm already
> maintaining powerpcspe which is very similar to powerpc.

For somewhat personal reasons I'm interested in keeping powerpc in stretch as well. I certainly cannot take the entire role as a porter, especially since I don't know what amount of work this implies. But I am willing to help.

There are two powerpc boxes in my collection, used regularly. One runs on stable, the other on testing. I haven't done d-i tests but certainly could do.

Christoph
Bug#838882: Acknowledgement (jessie-pu: package darktable/1.4.2-1+b3)
Lintian points out I want a ':' after Closes.
Bug#838882: jessie-pu: package darktable/1.4.2-1+b3
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

This update would fix CVE-2015-3885 / #786792 in stable. The CVE has previously been classified as not severe enough for a DSA.

-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.6.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru darktable-1.4.2/debian/changelog darktable-1.4.2/debian/changelog --- darktable-1.4.2/debian/changelog 2014-05-04 00:43:43.0 -0300 +++ darktable-1.4.2/debian/changelog 2016-09-25 21:51:51.0 -0300 
@@ -1,3 +1,10 @@ +darktable (1.4.2-1+deb8u1) stable; urgency=medium + + * Cherry pick upstream commit 0f809ca5048. Fix for CVE-2015-3885 +(Closes #786792) + + -- David BremnerSun, 25 Sep 2016 21:49:23 -0300 + darktable (1.4.2-1) unstable; urgency=medium * New upstream release. diff -Nru darktable-1.4.2/debian/patches/0001-LibRaw-address-CVE-2015-3885-fix-integer-overflow-in.patch darktable-1.4.2/debian/patches/0001-LibRaw-address-CVE-2015-3885-fix-integer-overflow-in.patch --- darktable-1.4.2/debian/patches/0001-LibRaw-address-CVE-2015-3885-fix-integer-overflow-in.patch 1969-12-31 20:00:00.0 -0400 +++ darktable-1.4.2/debian/patches/0001-LibRaw-address-CVE-2015-3885-fix-integer-overflow-in.patch 2016-09-25 21:52:29.0 -0300 
@@ -0,0 +1,40 @@ +From b2c17dd163bea76f4817ad726a1e874206969dc1 Mon Sep 17 00:00:00 2001 +From: Roman Lebedev +Date: Fri, 22 May 2015 13:18:48 +0300 +Subject: [PATCH] LibRaw: address CVE-2015-3885: fix integer overflow in + ljpeg_start() + +The fix is not tested. +Based on ufraw. + +(cherry picked from commit 0f809ca5048c71080437da543aefbfde65ebf10a) +--- + src/external/LibRaw/internal/dcraw_common.cpp | 8 +--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/src/external/LibRaw/internal/dcraw_common.cpp b/src/external/LibRaw/internal/dcraw_common.cpp +index 948ef3f..982ecd7 100644 +--- a/src/external/LibRaw/internal/dcraw_common.cpp b/src/external/LibRaw/internal/dcraw_common.cpp +@@ -630,7 +630,8 @@ void CLASS canon_compressed_load_raw() + + int CLASS ljpeg_start (struct jhead *jh, int info_only) + { +- int c, tag, len; ++ int c, tag; ++ ushort len; + uchar data[0x1]; + const uchar *dp; + +@@ -641,8 +642,9 @@ int CLASS ljpeg_start (struct jhead *jh, int info_only) + do { + fread (data, 2, 2, ifp); + tag = data[0] << 8 | data[1]; +-len = (data[2] << 8 | data[3]) - 2; +-if (tag <= 0xff00) return 0; ++len = (data[2] << 8 | data[3]); ++if (tag <= 0xff00 || len <= 2) return 0; ++len -= 2; + fread (data, 1, len, ifp); + switch (tag) { + case 0xffc3: diff -Nru darktable-1.4.2/debian/patches/series darktable-1.4.2/debian/patches/series --- darktable-1.4.2/debian/patches/series 1969-12-31 20:00:00.0 -0400 +++ darktable-1.4.2/debian/patches/series 2016-09-25 21:52:29.0 -0300 @@ -0,0 +1,2 @@ +# exported from git by git-debcherry +0001-LibRaw-address-CVE-2015-3885-fix-integer-overflow-in.patch
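Review bot: the debian/changelog entry writes `(Closes #786792)` without the colon; the bug-closing syntax is `Closes: #786792`, and without it the upload will not close the bug automatically.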
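Review bot: in the second ljpeg_start() hunk, `if (tag <= 0xff00 || len <= 2) return 0;` also rejects a marker segment whose length field is exactly 2, that is, an empty payload, which the old code handled as a zero-byte read. Guarding the `len -= 2` subtraction only needs `len < 2`; if rejecting empty segments is intended, the patch description should say so. The return value of `fread (data, 1, len, ifp)` is still unchecked, so a truncated file leaves stale bytes in `data` for the `switch` that follows. Since the commit message states "The fix is not tested", a run against a normal lossless-JPEG raw file and a malformed sample before the stable upload would be worth recording in the bug.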
Bug#830200: transition: perl
binNMU candidates for experimental:

courier_0.76.2-1
nginx_1.11.3-1~exp2
libatteanx-store-memorytriplestore-perl_0.001~20150811-1
imagemagick_8:6.9.5.9+dfsg-1

but you probably don't want that one:

linux_4.8~rc5-1~exp1

Andreas
Bug#838869: jessie-pu: package libdatetime-timezone-perl/1:1.75-2+2016g
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

I've prepared an update for libdatetime-timezone-perl in jessie, which incorporates the 2016g version of the Olson db. As usual, as a quilt patch which only touches the data files.

Since the major change in this tzdata release is that Turkey doesn't switch back from +03 to +02 at the end of October, this might be material for stable-updates, depending on when the next point release is planned.

I'm attaching a manually stripped down debdiff.

Cheers,
gregor

diff -Nru libdatetime-timezone-perl-1.75/debian/changelog libdatetime-timezone-perl-1.75/debian/changelog --- libdatetime-timezone-perl-1.75/debian/changelog 2016-07-07 19:18:40.0 +0200 +++ libdatetime-timezone-perl-1.75/debian/changelog 2016-09-25 14:21:38.0 +0200 
@@ -1,3 +1,12 @@ +libdatetime-timezone-perl (1:1.75-2+2016g) UNRELEASED; urgency=medium + + * Update to Olson database version 2016g. +Add patch debian/patches/olson-2016g, which updates the timezone *.pm +files, using upstream's tools/parse_olson script. +This update contains contemporary changes for Europe/Istanbul. + + -- gregor herrmannSun, 25 Sep 2016 14:21:38 +0200 + libdatetime-timezone-perl (1:1.75-2+2016f) jessie; urgency=medium * Update to Olson database version 2016f. diff -Nru libdatetime-timezone-perl-1.75/debian/patches/olson-2016g libdatetime-timezone-perl-1.75/debian/patches/olson-2016g --- libdatetime-timezone-perl-1.75/debian/patches/olson-2016g 1970-01-01 01:00:00.0 +0100 +++ libdatetime-timezone-perl-1.75/debian/patches/olson-2016g 2016-09-25 14:21:38.0 +0200 
@@ -0,0 +1,23710 @@ +Description: update to olson db 2016g +Origin: vendor +Author: gregor herrmann +Last-Update: 2016-09-25 + +--- a/lib/DateTime/TimeZone/Africa/Abidjan.pm b/lib/DateTime/TimeZone/Africa/Abidjan.pm +@@ -3,7 +3,7 @@ + # DateTime::TimeZone module distribution in the tools/ directory + + # +-# Generated from debian/tzdata/africa. Olson data version 2016f ++# Generated from debian/tzdata/africa. Olson data version 2016g + # + # Do not edit this file directly. + # +@@ -39,7 +39,7 @@ + ], + ]; + +-sub olson_version { '2016f' } ++sub olson_version { '2016g' } + + sub has_dst_changes { 0 } + +--- a/lib/DateTime/TimeZone/Europe/Istanbul.pm b/lib/DateTime/TimeZone/Europe/Istanbul.pm +@@ -3,7 +3,7 @@ + # DateTime::TimeZone module distribution in the tools/ directory + + # +-# Generated from debian/tzdata/europe. Olson data version 2016f ++# Generated from debian/tzdata/europe. Olson data version 2016g + # + # Do not edit this file directly. + # +@@ -530,7 +530,7 @@ + 62427466800, #local_end 1979-04-01 03:00:00 (Sun) + 14400, + 1, +-'TRST', ++'+04', + ], + [ + 62427452400, #utc_start 1979-03-31 23:00:00 (Sat) +@@ -539,7 +539,7 @@ + 6276800, #local_end 1979-10-15 00:00:00 (Mon) + 14400, + 1, +-'TRST', ++'+04', + ], + [ + 6262400, #utc_start 1979-10-14 20:00:00 (Sun) +@@ -548,7 +548,7 @@ + 62459521200, #local_end 1980-04-06 03:00:00 (Sun) + 10800, + 0, +-'TRT', ++'+03', + ], + [ + 62459510400, #utc_start 1980-04-06 00:00:00 (Sun) +@@ -557,7 +557,7 @@ + 62475926400, #local_end 1980-10-13 00:00:00 (Mon) + 14400, + 1, +-'TRST', ++'+04', + ], + [ + 62475912000, #utc_start 1980-10-12 20:00:00 (Sun) +@@ -566,7 +566,7 @@ + 62490366000, #local_end 1981-03-29 03:00:00 (Sun) + 10800, + 0, +-'TRT', ++'+03', + ], + [ + 62490355200, #utc_start 1981-03-29 00:00:00 (Sun) +@@ -575,7 +575,7 @@ + 62507376000, #local_end 1981-10-12 00:00:00 (Mon) + 14400, + 1, +-'TRST', ++'+04', + ], + [ + 62507361600, #utc_start 1981-10-11 20:00:00 (Sun) +@@ -584,7 +584,7 @@ + 62521815600, 
#local_end 1982-03-28 03:00:00 (Sun) + 10800, + 0, +-'TRT', ++'+03', + ], + [ + 62521804800, #utc_start 1982-03-28 00:00:00 (Sun) +@@ -593,7 +593,7 @@
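Review bot: the new debian/changelog entry uses `UNRELEASED` as its distribution while the previous entry (1:1.75-2+2016f) targets `jessie`; it needs to be set to `jessie` before the upload so it is accepted for stable.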
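Review bot: the Europe/Istanbul hunks replace the abbreviations `'TRT'` and `'TRST'` with `'+03'` and `'+04'` for transitions going back to 1979, which is wider than the "contemporary changes for Europe/Istanbul" the changelog mentions. Anything that parses or matches the short zone name returned by this module will see different strings for historical timestamps as well, so a changelog line about the abbreviation change would help users of the stable update.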
Processed: libcoro-perl: FTBFS with Perl 5.24: panic: corrupt saved stack index -144185424
Processing control commands:

> block 830200 with -1
Bug #830200 [release.debian.org] transition: perl
830200 was blocked by: 825629 825524 825231 834800 838394 834795 825609 825014 825762 834798 834799 834797 836636 825012 837719 834249 834796
830200 was not blocking any bugs.
Added blocking bug(s) of 830200: 838851

--
830200: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830200
838851: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838851
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: block 830200 with 825629
Processing commands for cont...@bugs.debian.org:

> # we missed this earlier for some reason
> block 830200 with 825629
Bug #830200 [release.debian.org] transition: perl
830200 was blocked by: 837719 825231 834795 834799 825014 834798 834796 834249 825524 825012 836636 825609 834800 834797 825762 838394
830200 was not blocking any bugs.
Added blocking bug(s) of 830200: 825629
> thanks
Stopping processing here.

Please contact me if you need assistance.

--
830200: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830200
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: tagging 838514
Processing commands for cont...@bugs.debian.org:

> tags 838514 + pending
Bug #838514 [release.debian.org] britney: patch to speed up loop performance
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.

--
838514: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838514
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
ITM: Britney2 branch britney-patch-bundle-2016-09 into master
Hi,

I intend to merge the branch [britney-patch-bundle-2016-09] consisting of 22 patches into master no later than Monday the 3rd of October. It has been tested with [no regressions].

 * CC: People known to run Britney
 * BCC: contributors + the debian bug

New "features":

 * Policies can now define their own hints (Ubuntu has already merged this)

Bugs fixed/Merges:

 * #838514 (patch to speed up loop performance)
 * GH#12 (Handle missing arches in p-u gracefully)
 * GH#13 (Use better exception handling)

Other notes:

 * It cherry-picks 4 commits from Ubuntu
 * A SourcePackage class is introduced to replace the "list" objects for source package data.
 * Britney now parses InRelease files to determine whether an architecture is available for a given suite (instead of abusing "NEW_ARCHES" config for this). Though no "by-hash" support yet.

The shortlog:

Colin Watson (3):
      Clarify excuse HTML/text for the mindays == 0 case
      Rename fucked_arches to outofsync_arches
      Make removal of obsolete source packages configurable

Mathieu Trudel-Lapierre (1):
      Update whitespace; make the output easier to read

Niels Thykier (18):
      Minor hint creation refactoring
      Change argument order for HintCollection.add_hint
      hint-tester: Use hint-parser for parsing excuse hints
      HintParser: Support adding new hints to the parser
      hints: Move Hint creation out of add_hints
      Extract an AgeDayHint class from Hint
      Support policies registering their own hints
      Let the age policy register its own hints
      Add an ignore-rc-bugs hint
      britney.py: Make hinted removal excuses valid
      AgePolicy: Create the (new) date file automatically
      britney -> util: Extract a "create_provides_map"
      britney: Make read_binaries read all binaries for a suite
      britney: Skip architectures not listed in InRelease files
      britney: Remove out a tuple lookup in get_dependency_solvers
      inst-tester: Fix typo in a variable name
      Create a SourcePackage class
      Prefer s.x to s[X] for SourcePackage objects

Robert Bruce Park (1):
      Python loop performance enhancements.

Thanks,
~Niels

[britney-patch-bundle-2016-09]: https://anonscm.debian.org/cgit/users/nthykier/britney.git/log/?h=britney-patch-bundle-2016-09
Head is: 10ccd0e337fb734a9793b39da3a3b11857918962

[no regressions]: https://travis-ci.org/Debian/britney2/builds/162543509
Bug#838692: nmu: nlopt_2.4.2+dfsg-1~bpo70+1
On 25/09/16 11:30, Emilio Pozuelo Monfort wrote:
> On 23/09/16 19:14, Andreas Beckmann wrote:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian@packages.debian.org
>> Usertags: binnmu
>>
>> nmu nlopt_2.4.2+dfsg-1~bpo70+1 . amd64 . wheezy-backports . -m "Rebuild in a
>> clean wheezy environment."
>>
>> it's currently uninstallable in wheezy-backports:
>>
>>   libnlopt0 : Depends: libc6 (>= 2.14) but 2.13-38+deb7u11 is to be
>> installed
>
> @backports team: can you take a look at this?

Now cc'ing -backports@.

Emilio
Bug#815036: transition: msgpack-c
On 25/09/16 13:59, James McCoy wrote:
> On Sun, Sep 25, 2016 at 11:23:43AM +0200, Emilio Pozuelo Monfort wrote:
>> On 24/09/16 22:52, James McCoy wrote:
>>> On Sat, Sep 03, 2016 at 02:10:08PM -0400, James McCoy wrote:
>>>> On Wed, Aug 31, 2016 at 05:01:33PM +0200, Emilio Pozuelo Monfort wrote:
>>>>> Upload msgpack-c to unstable, then you bump the remaining bugs to RC.
>>>>
>>>> Done. The tmate maintainer is going to move the compatible version from
>>>> experimental to unstable today.
>>>
>>> It looks like everything's transitioned.
>>
>> Should src:msgpack be removed from the archive now? libmsgpack3 has no rdeps.
>
> Yes, it should.

Then please file an RM bug against ftp.debian.org

Thanks,
Emilio
Bug#830200: transition: perl
On 23/09/16 12:48, Emilio Pozuelo Monfort wrote:
> On 23/09/16 11:40, Dominic Hargreaves wrote:
>> On Fri, Sep 23, 2016 at 09:23:24AM +0200, Julien Cristau wrote:
>>> On Fri, Sep 23, 2016 at 00:34:15 +0200, Emilio Pozuelo Monfort wrote:
>>>
>>>> Control: tags -1 confirmed
>>>>
>>>> Hi Dom!
>>>>
>>>> On 19/09/16 17:52, Dominic Hargreaves wrote:
>>>>> On Wed, Sep 14, 2016 at 11:13:04AM +0100, Dominic Hargreaves wrote:
>>>>>> On Thu, Jul 07, 2016 at 12:55:34PM +0200, Niko Tyni wrote:
>>>>>>> We'd like to have Perl 5.24 in stretch.
>>>>>
>>>>>> I'd like to propose that we upload perl 5.24 to unstable next week.
>>>>>> There are a few things left to deal with and I've just updated the
>>>>>> blocker
>>>>>> list. I think they can all be either fixed in a week or removed,
>>>>>> with the possible exception of graphicsmagick which was a new FTBFS
>>>>>> which has popped up only on ppc64el.
>>>>>>
>>>>>> #825524: liblexical-underscore-perl - there is a patch available
>>>>>> #834249: openbabel - there is a patch available
>>>>>> #825012: libalgorithm-permute-perl - no rdeps, to remove
>>>>>> #825231: libdevel-beginlift-perl - no rdeps, to remove
>>>>>> #837719: graphicsmagick - new issue, may need to wait or push for hacky
>>>>>> fix?
>>>>>> #825762: libtext-sprintfn-perl - fixed upstream
>>>>>> #834800: libkavorka-perl - one rdep libmoops-perl, both can be removed
>>>>>
>>>>> These are nearly all sorted now - just openbabel to hit sid (in
>>>>> DELAYED at the moment) and the other three blockers to be removed
>>>>> from testing when the time comes. Thanks as ever to those who worked on
>>>>> these issues.
>>>>>
>>>>> Release team, are we in a position to upload in the next day or two
>>>>> or do we need to wait for a better time?
>>>>
>>>> I wanted to get openmpi done, and that's happened today. So, let's start this!
>>>
>>> It actually only almost happened. So maybe hold this for a bit.
>>
>> Okay. Ready to upload when you say the word!
>
> Britney crashed last night, but it just run and the openmpi issues are solved.
> Go ahead!

I have scheduled all the binNMUs.

Unfortunately I didn't notice linux is a part of this transition. Let's hope we can get all the perl side ready soon and that linux gets fixed (it's got an RC bug atm) so stuff doesn't get blocked.

Regards,
Emilio
Processed: Re: Bug#836917: transition: openmpi
Processing control commands:

> tags -1 pending
Bug #836917 [release.debian.org] transition: openmpi
Added tag(s) pending.

--
836917: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836917
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#815036: transition: msgpack-c
On Sun, Sep 25, 2016 at 11:23:43AM +0200, Emilio Pozuelo Monfort wrote:
> On 24/09/16 22:52, James McCoy wrote:
> > On Sat, Sep 03, 2016 at 02:10:08PM -0400, James McCoy wrote:
> >> On Wed, Aug 31, 2016 at 05:01:33PM +0200, Emilio Pozuelo Monfort wrote:
> >>> Upload msgpack-c to unstable, then you bump the remaining bugs to RC.
> >>
> >> Done. The tmate maintainer is going to move the compatible version from
> >> experimental to unstable today.
> >
> > It looks like everything's transitioned.
>
> Should src:msgpack be removed from the archive now? libmsgpack3 has no rdeps.

Yes, it should.

Cheers,
--
James
GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7 2D23 DFE6 91AE 331B A3DB
Bug#836917: transition: openmpi
Control: tags -1 pending

On 07/09/16 10:25, Bas Couwenberg wrote:
> The upload of openmpi (2.0.1-3) to unstable has triggered another
> transition.

This needed a big hammer to get it into testing. The fact that the different libopenmpi versions conflict with each other doesn't really help.

This is just pending the boost1.58 removal from testing.

Cheers,
Emilio
Bug#836917: transition: openmpi
On 25/09/16 12:15, Andreas Beckmann wrote:
> One binNMU is needed for experimental, too:
>
> nmu hdf5_1.10.0-patch1+docs-1~exp4 . ANY . experimental . -m "Rebuild against
> libopenmpi2."

Scheduled.

Emilio
Bug#836917: transition: openmpi
One binNMU is needed for experimental, too:

nmu hdf5_1.10.0-patch1+docs-1~exp4 . ANY . experimental . -m "Rebuild against libopenmpi2."

Andreas
Bug#838780: jessie-pu: package irssi/0.8.17-1+deb8u1
Hi,

* Adam D. Barratt [2016-09-24 21:24:18 CEST]:
> On Sat, 2016-09-24 at 21:18 +0200, Rhonda D'Vine wrote:
> > The patch that upstream provides is this:
> > https://github.com/irssi/scripts.irssi.org/commit/f1b1eb154baa684fad5d65bf4dff79c8ded8b65a
> >
> > I uploaded it to unstable already and would like to push it to stable,
> > too.
>
> That looks okay, but please could we have a source debdiff for the
> proposed upload, as built and hopefully tested on jessie.

I committed it locally to my git, the attached diff is "git diff HEAD^.." which was the commit from the security update.

Thanks,
Rhonda
--
If you feel discouraged, take courage at last, go     |
If you feel helpless, go out and help, go             | Wir sind Helden
If you feel powerless, go out and act, go             | 23.55: Alles auf Anfang
If you feel adrift, find something to hold and let go |

diff --git a/debian/changelog b/debian/changelog index 364754f..79b5c38 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +irssi (0.8.17-1+deb8u2) jessie; urgency=high + + * New patch 23fix-buf.pl to fix an information exposure issue involved with +using buf.pl and /upgrade (closes: #838762) + + -- Rhonda D'Vine Sat, 24 Sep 2016 16:10:19 +0200 + irssi (0.8.17-1+deb8u1) jessie-security; urgency=high * Non-maintainer upload by the Security Team. diff --git a/debian/patches/23fix-buf.pl b/debian/patches/23fix-buf.pl new file mode 100644 index 000..27963fd --- /dev/null +++ b/debian/patches/23fix-buf.pl 
@@ -0,0 +1,103 @@ +Author: Rhonda D'Vine vim:ft=diff: +Description: Fix information exposure during /upgrade, BTS #838762 + +--- a/scripts/buf.pl b/scripts/buf.pl +@@ -5,7 +5,7 @@ use Irssi qw(command signal_add signal_a + settings_get_str settings_get_bool channels windows + settings_add_str settings_add_bool get_irssi_dir + window_find_refnum signal_stop); +-$VERSION = '2.13'; ++$VERSION = '2.20'; + %IRSSI = ( + authors => 'Juerd', + contact => 'ju...@juerd.nl', +@@ -13,10 +13,8 @@ $VERSION = '2.13'; + description => 'Saves the buffer for /upgrade, so that no information is lost', + license => 'Public Domain', + url => 'http://juerd.nl/irssi/', +-changed => 'Mon May 13 19:41 CET 2002', +-changes => 'Severe formatting bug removed * oops, I ' . +- 'exposed Irssi to ircII foolishness * sorry ' . +- '** removed logging stuff (this is a fix)', ++changed => 'Thu Sep 22 01:37 CEST 2016', ++changes => 'Fixed file permissions (leaked everything via filesystem)', + note1 => 'This script HAS TO BE in your scripts/autorun!', + note2 => 'Perl support must be static or in startup', + ); +@@ -39,9 +37,15 @@ use Data::Dumper; + + my %suppress; + ++sub _filename { sprintf '%s/scrollbuffer', get_irssi_dir } ++ + sub upgrade { +-open BUF, q{>}, sprintf('%s/scrollbuffer', get_irssi_dir) or die $!; +-print BUF join("\0", map $_->{server}->{address} . $_->{name}, channels), "\n"; ++my $fn = _filename; ++my $old_umask = umask 0077; ++open my $fh, q{>}, $fn or die "open $fn: $!"; ++umask $old_umask; ++ ++print $fh join("\0", map $_->{server}->{address} . 
$_->{name}, channels), "\n"; + for my $window (windows) { + next unless defined $window; + next if $window->{name} eq 'status'; +@@ -57,36 +61,39 @@ sub upgrade { + redo if defined $line; + } + } +- printf BUF "%s:%s\n%s", $window->{refnum}, $lines, $buf; ++ printf $fh "%s:%s\n%s", $window->{refnum}, $lines, $buf; + } +-close BUF; ++close $fh; + unlink sprintf("%s/sessionconfig", get_irssi_dir); + command 'layout save'; + command 'save'; + } + + sub restore { +-open BUF, q{<}, sprintf('%s/scrollbuffer', get_irssi_dir) or die $!; +-my @suppress = split /\0/, ; ++my $fn = _filename; ++open my $fh, q{<}, $fn or die "open $fn: $!"; ++unlink $fn or warn "unlink $fn: $!"; ++ ++my @suppress = split /\0/, readline $fh; + if (settings_get_bool 'upgrade_suppress_join') { + chomp $suppress[-1]; + @suppress{@suppress} = (2) x @suppress; + } + active_win->command('^window scroll off'); +-while (my $bla = ){ ++while (my $bla = readline $fh){ + chomp $bla; + my ($refnum, $lines) = split /:/, $bla; + next unless $lines; + my $window = window_find_refnum $refnum; + unless (defined $window){ +- for 1..$lines; ++ readline $fh for 1..$lines; + next; + } + my $view = $window->view; + $view->remove_all_lines(); + $view->redraw(); + my $buf = ''; +- $buf .= for 1..$lines; ++ $buf .= readline $fh for 1..$lines; + my $sep = settings_get_str 'upgrade_separator'; + $sep .= "\n" if $sep ne ''; + $window->gui_printtext_after(undef, MSGLEVEL_CLIENTNOTICE, "$buf\cO$sep"); +@@ -119,3 +126,10 @@ signal_add 'event join' => 's + unless (-f sprintf('%s/scripts/autorun/buf.pl', get_irssi_dir)) { +
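Review bot: in upgrade(), `umask 0077` before `open my $fh, q{>}, $fn` only affects a file that open creates; a scrollbuffer left behind by the old script keeps its previous mode when it is truncated and rewritten. Unlinking $fn before the open, or a chmod to 0600 on the handle right after it, would cover a pre-existing file as well. In the same lines, a failing open reaches `die` before `umask $old_umask` runs, so the process is left with umask 0077; restoring the umask before checking the result of open avoids that.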
Bug#838692: nmu: nlopt_2.4.2+dfsg-1~bpo70+1
On 23/09/16 19:14, Andreas Beckmann wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: binnmu
>
> nmu nlopt_2.4.2+dfsg-1~bpo70+1 . amd64 . wheezy-backports . -m "Rebuild in a
> clean wheezy environment."
>
> it's currently uninstallable in wheezy-backports:
>
>   libnlopt0 : Depends: libc6 (>= 2.14) but 2.13-38+deb7u11 is to be installed

@backports team: can you take a look at this?

Cheers,
Emilio
Bug#838693: nmu: libteam_1.12-2~bpo70+1
On 23/09/16 19:16, Andreas Beckmann wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: binnmu
>
> nmu libteam_1.12-2~bpo70+1 . amd64 . wheezy-backports . -m "Rebuild in a
> clean wheezy environment."
>
> this was not built in wheezy ...
>
>   libteam5 : Depends: libc6 (>= 2.14) but 2.13-38+deb7u11 is to be installed

@backports team: can you take a look at this?

Cheers,
Emilio
Bug#838673: marked as done (nmu: slurm-llnl_16.05.2-1)
Your message dated Sun, 25 Sep 2016 11:23:11 +0200 with message-id <05f694d4-bd0a-1a3b-8baf-51f8f1c15...@debian.org> and subject line Re: Bug#838673: nmu: slurm-llnl_16.05.2-1 has caused the Debian Bug report #838673, regarding nmu: slurm-llnl_16.05.2-1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
838673: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838673
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

nmu slurm-llnl_16.05.2-1 . amd64 . unstable . -m "Rebuild against librrd8."

Maintainer upload was built against librrd4.

Andreas
--- End Message ---

--- Begin Message ---
On 23/09/16 16:20, Andreas Beckmann wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: binnmu
>
> nmu slurm-llnl_16.05.2-1 . amd64 . unstable . -m "Rebuild against librrd8."
>
> Maintainer upload was built against librrd4.

Scheduled.

Emilio
--- End Message ---
Bug#815036: transition: msgpack-c
On 24/09/16 22:52, James McCoy wrote:
> On Sat, Sep 03, 2016 at 02:10:08PM -0400, James McCoy wrote:
>> On Wed, Aug 31, 2016 at 05:01:33PM +0200, Emilio Pozuelo Monfort wrote:
>>> Upload msgpack-c to unstable, then you bump the remaining bugs to RC.
>>
>> Done. The tmate maintainer is going to move the compatible version from
>> experimental to unstable today.
>
> It looks like everything's transitioned.

Should src:msgpack be removed from the archive now? libmsgpack3 has no rdeps.

Emilio
Bug#836192: marked as done (transition: libdap)
Your message dated Sun, 25 Sep 2016 11:21:18 +0200 with message-id and subject line Re: Bug#836192: transition: libdap has caused the Debian Bug report #836192, regarding transition: libdap to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
836192: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836192
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
Control: block -1 by 836187

Dear Release Team,

As discussed in the protobuf transition bugreport, the upload of libdap (3.18.0-1) to unstable has triggered another uncoordinated transition, which is causing the osmium rebuilds to fail.

Before the reverse dependencies can be rebuilt, the build failures on the release architectures (#836187) need to be fixed first.

The maintainer (Alastair McKinstry) is CC'ed.

Kind Regards,
Bas

Ben file:

title = "libdap";
is_affected = .depends ~ "libdap17v5" | .depends ~ "libdap23";
is_good = .depends ~ "libdap23";
is_bad = .depends ~ "libdap17v5";
--- End Message ---

--- Begin Message ---
On 24/09/16 21:37, Sebastiaan Couwenberg wrote:
> This transition should be done, time to close this bugreport?

Yes.

Emilio
--- End Message ---
Bug#836447: marked as done (transition: proj)
Your message dated Sun, 25 Sep 2016 11:20:43 +0200 with message-id and subject line Re: Bug#836447: transition: proj has caused the Debian Bug report #836447, regarding transition: proj to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
836447: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836447
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
Control: forwarded -1 https://release.debian.org/transitions/html/auto-proj.html

PROJ.4 4.9.3 has been released and bumps the SOVERSION from 9 to 12, requiring a transition.

We've had the release candidates in experimental for a little while already, and the issues identified with those have already been fixed in unstable. Only gpx2shp needed a patch to support the renamed PI defines in projects.h from proj 4.9.3.

All reverse dependencies rebuilt successfully with the new proj packages from experimental (as summarized below), except mapnik (3.0.11+ds-1) in unstable because it lacks support for Boost 1.61 (#833756), the mapnik 3.0.12 release candidates in experimental do support Boost 1.61. Mapnik 3.0.11 is scheduled for automatic removal from testing on 2016-09-21, unfortunately I don't expect the 3.0.12 final release before that time.

Please also schedule binNMUs for the affected packages in experimental if those have not yet moved to unstable when the transition starts.

 spatialite       (4.4.0~rc1-1~exp1)
 spatialite-tools (4.4.0~rc1-1~exp1)
 grass            (7.0.5~rc1-1~exp1)
 mapnik           (3.0.12~rc6+ds-1~exp2)
 python-mapnik    (1:0.0~20160810-3a60211-1~exp1)

I will move the new pdal & qgis packages from experimental to unstable today.

Transition: proj

 libproj9 (4.9.2-3) -> libproj12 (4.9.3-1~exp1)

The status of the most recent rebuilds is as follows.

 gpx2shp                 (0.71.0-4)                             OK
 libgeo-proj4-perl       (1.05-3)                               OK
 libgeotiff-dfsg         (1.4.2-2)                              OK
 ogdi-dfsg               (3.2.0+ds-1)                           OK
 openorienteering-mapper (0.6.3-2)                              OK
 pdl                     (1:2.016-4)                            OK
 proj-rdnap              (2008-5)                               OK
 python-pyproj           (1.9.5.1-2)                            OK
 shapelib                (1.3.0-8)                              OK
 sosi2osm                (1.0.0-3)                              OK
 spatialite              (4.3.0a-5 / 4.4.0~rc1-1~exp1)          OK / OK
 survex                  (1.2.27-1)                             OK
 zygrib                  (7.0.0-4)                              OK
 gdal                    (2.1.1+dfsg-1)                         OK
 magics++                (2.29.2-1)                             OK
 pyspatialite            (3.0.1-11)                             OK
 spatialite-gui          (2.0.0~devel2-4)                       OK
 spatialite-tools        (4.3.0-2 / 4.4.0~rc1-1~exp1)           OK / OK
 cdo                     (1.7.2+dfsg.1-1)                       OK
 dans-gdal-scripts       (0.23-6)                               OK
 grass                   (7.0.4-3 / 7.0.5~rc1-1~exp1)           OK / OK
 libosmium               (2.8.0-2)                              OK
 mapcache                (1.4.1-3)                              OK
 mapnik                  (3.0.11+ds-1 / 3.0.12~rc4+ds-1~exp1)   FTBFS / OK
 mapproxy                (1.9.0-3)                              OK
 mapserver               (7.0.1-3)                              OK
 merkaartor              (0.18.3-1)                             OK
 metview                 (4.6.7-1)                              OK
 ncl                     (6.3.0-11)                             OK
 otb                     (5.6.1+dfsg-1)                         OK
 pdal                    (1.3.0-1)                              OK
 postgis                 (2.2.2+dfsg-4)                         OK
 qlandkartegt            (1.8.1+ds-6)                           OK
 qmapshack               (1.6.3-1)                              OK
 saga                    (2.3.1+dfsg-1)                         OK
 sumo                    (0.27.1+dfsg1-1)                       OK
 thuban                  (1.2.2-11)                             OK
 vtk6                    (6.3.0+dfsg1-1)                        OK
 xastir                  (2.0.8-2)                              OK
 ifrit                   (4.1.2-5)                              OK
 libgdal-grass           (2.1.1-2)                              OK
 osm2pgsql               (0.90.1+ds-1)                          OK
 python-mapnik           (1:0.0~20160531-f65767a-1 /