Bug#848613: nmu: dovecot-antispam_2.0+20150222-1~bpo8+1

2016-12-18 Thread Alexander Gerasiov
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

nmu dovecot-antispam_2.0+20150222-1~bpo8+1 . ALL . -m "Rebuild against dovecot-abi-2.2.abiv26"

-- System Information:
Debian Release: 7.11
  APT prefers oldstable-updates
  APT policy: (640, 'oldstable-updates'), (640, 'oldstable-proposed-updates'), (640, 'oldstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-45-pve (SMP w/4 CPU cores)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash



Bug#848610: jessie-pu: package pgpdump/0.28-1+deb8u1

2016-12-18 Thread Christoph Biedl
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hello release team,

CVE-2016-4021[1] hasn't been handled in jessie yet. The security team
suggested using an upcoming point release for this, which was ACKed
by the stable security team. The pgpdump maintainer Jose Luis Rivas
(CC'd) has agreed to this procedure.

Find attached a debdiff based on the data in the tracker and upstream
git; I can confirm the fix mitigates the issue.

You might notice it's not the original patch; instead it includes a
follow-up commit from upstream.[2] And while preparing the diff I
realized it's probably a good idea to include commit 6e15953: "fixing
a buffer overrun" that was found using American Fuzzy Lop as well.

Regards,

Christoph

[1] https://security-tracker.debian.org/tracker/CVE-2016-4021
[2] See https://github.com/kazu-yamamoto/pgpdump/commits/master/buffer.c
for the commit history.
diff -u pgpdump-0.28/debian/changelog pgpdump-0.28/debian/changelog
--- pgpdump-0.28/debian/changelog
+++ pgpdump-0.28/debian/changelog
@@ -1,3 +1,11 @@
+pgpdump (0.28-1+deb8u1) jessie; urgency=high
+
+  * Fix endless loop parsing specially crafted input in read_binary.
+Upstream commits ece39dd and 0c306f4. Closes: #773747 [CVE-2016-4021]
+  * Fix a buffer overrun in read_radix64. Upstream commit 6e15953
+
+ -- Christoph Biedl   Thu, 15 Dec 2016 
23:30:21 +0100
+
 pgpdump (0.28-1) unstable; urgency=low
 
   * New upstream version.
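Review bot: the second changelog entry ("* Fix a buffer overrun in read_radix64. Upstream commit 6e15953") has no closing period and, unlike the first entry, no bug or CVE reference; since the covering mail says this one was found by fuzzing rather than reported as an issue, a short note that it is a preventive hardening fix would help the stable release managers assess it.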
only in patch2:
unchanged:
--- pgpdump-0.28.orig/buffer.c
+++ pgpdump-0.28/buffer.c
@@ -80,8 +80,17 @@
 private int
 read_binary(byte *p, unsigned int max)
 {
-   /* errno */
-   return fread(p, sizeof(byte), max, stdin);
+   if (feof(stdin)) {
+   exit(EXIT_SUCCESS);
+   }
+
+   size_t ret = fread(p, sizeof(byte), max, stdin);
+
+   if (ferror(stdin)) {
+   warn_exit("error in read_binary");
+   }
+
+   return ret;
 }
 
 private int
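Review bot: in read_binary a short read is passed through silently: fread may return ret < max at end of input, and the feof(stdin) check at the top of the function only fires on the next call, so the caller receives a partially filled buffer p with nothing but the return count to tell it so. If callers do not compare the count against max, consider treating `ret < max` as an error (warn_exit) as well, since the new early exit only stops the endless loop rather than flagging truncated input. Also, ret is a size_t returned through an int return type; an explicit cast or changing the signature to size_t would avoid the implicit narrowing.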
@@ -117,6 +126,9 @@
done = YES;
return out;
}
+   if (c >= 128) {
+ continue;
+   }
d = base256[c];
switch (d) {
case OOB:
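Review bot: the new `if (c >= 128) continue;` guard protects the base256[c] lookup only against values above the table and relies on c being non-negative, which holds if c carries the int result of getchar but not if it were a signed char, where negative values would still index before the table; the declaration of c is outside this hunk, so that is worth confirming. Silently skipping such bytes also hides corrupted armor; emitting a warning (or warn_exit, as read_binary now does) would make damaged input visible instead of decoding it as if those bytes were absent.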




Bug#848607: nmu: dune-grid-glue_2.5.0~20161206g666200e-2, dune-pdelab_2.5.0~20161204gdb53a76-3

2016-12-18 Thread Ansgar Burchardt
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Please schedule binNMUs for dune-grid-glue and dune-pdelab to have
them rebuilt against dune-grid 2.5.0-1.

  nmu dune-grid-glue_2.5.0~20161206g666200e-2 . ANY . unstable . -m "Rebuild against dune-grid 2.5.0."
  nmu dune-pdelab_2.5.0~20161204gdb53a76-3 . ANY . unstable . -m "Rebuild against dune-grid 2.5.0."

As issues with openmpi on mips64el (#848574) currently prevent
building of dune-common and dune-grid 2.5.0, a dep-wait would be nice
so the packages might get rebuilt later.

  dw dune-grid-glue_2.5.0~20161206g666200e-2 . ANY . unstable . -m "libdune-grid-dev (>= 2.5.0)"
  dw dune-pdelab_2.5.0~20161204gdb53a76-3 . ANY . unstable . -m "libdune-grid-dev (>= 2.5.0)"

Ansgar



Bug#845263: jessie-pu: package w3m/0.5.3-19+deb8u1

2016-12-18 Thread Tatsuya Kinoshita
On December 17, 2016 at 12:30PM +0100, jcristau (at debian.org) wrote:
>> w3m (0.5.3-19+deb8u1) jessie; urgency=medium
> Please go ahead.

Uploaded.

Thanks,
--
Tatsuya Kinoshita




Processed: Re: [Pkg-tigervnc-devel] Bug#843543: tigervnc: FTBFS with xserver 1.19

2016-12-18 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> forcemerge 843543 846733
Bug #843543 [src:tigervnc] tigervnc: FTBFS with xserver 1.19
Bug #843543 [src:tigervnc] tigervnc: FTBFS with xserver 1.19
Added tag(s) sid and stretch.
Bug #846733 [src:tigervnc] tigervnc: FTBFS: debian/rules:126: recipe for target 
'unix/xserver/.apply-patches-vnc-patch-xorg.stamp' failed
843265 was blocked by: 846502 845644 845637 845640 845639 845331 843543 845638 
846784 848051 845000 845635
843265 was not blocking any bugs.
Added blocking bug(s) of 843265: 846733
Merged 843543 846733
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
843265: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=843265
843543: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=843543
846733: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=846733
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#844264: release.debian.org: Please clarify "Packages must autobuild without failure"

2016-12-18 Thread Santiago Vila
On Sun, Dec 18, 2016 at 04:36:57PM +0500, Andrey Rahmatullin wrote:
> On Sun, Dec 18, 2016 at 12:21:19PM +0100, Santiago Vila wrote:
> > The alternative is what is currently happening: "Why bother to ask
> > for permission to use the stretch-ignore tag when you can always downgrade
> > an RC bug to wishlist?" (Based on what they do, this is what some
> > maintainers seem to think).
>
> Some packages also run tests but ignore the results.

Yes, but that's a lot better, IMO, than having a package which FTBFS
half of the time and ignoring the FTBFS.

Thanks.



Bug#844264: release.debian.org: Please clarify "Packages must autobuild without failure"

2016-12-18 Thread Andrey Rahmatullin
On Sun, Dec 18, 2016 at 12:21:19PM +0100, Santiago Vila wrote:
> The alternative is what is currently happening: "Why bother to ask
> for permission to use the stretch-ignore tag when you can always downgrade
> an RC bug to wishlist?" (Based on what they do, this is what some
> maintainers seem to think).
Some packages also run tests but ignore the results.

-- 
WBR, wRAR




Bug#844264: release.debian.org: Please clarify "Packages must autobuild without failure"

2016-12-18 Thread Santiago Vila
On Sat, Dec 17, 2016 at 10:48:00AM +0100, Julien Cristau wrote:
> On Thu, Dec 15, 2016 at 21:19:23 +0100, Santiago Vila wrote:
> 
> > Any progress on this?
> > 
> > In case it helps, I made a list of bugs in this FTBFS-randomly category:
> > 
> > https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=ftbfs-randomly;users=sanv...@debian.org
> > 
> > In almost all cases, the failure happens because there is a test which
> > fails.
> > 
> > So: Why do we allow tests to make the package fail if we then do
> > not consider the failure to be RC?
> > 
> > IMO, either the program is ok when the test fails, or it's not.
>
> I'm afraid it's more nuanced than this, and trying to make it all white
> or all black is not helpful.

Thanks a lot for replying.

Unfortunately, I'm not sure how to interpret that.

Do you mean it's better not to have a common rule for these bugs and
instead decide on a case by case basis?

Could we please agree, at least, that this is RC in general and that
maintainers should ask for the stretch-ignore tag? I don't think
this is asking too much.

The alternative is what is currently happening: "Why bother to ask
for permission to use the stretch-ignore tag when you can always downgrade
an RC bug to wishlist?" (Based on what they do, this is what some
maintainers seem to think).

Thanks.