Bug#912198: stretch-pu: package spamassassin/3.4.2-1~deb9u1

2018-10-31 Thread Noah Meyerhans
On Wed, Oct 31, 2018 at 10:01:13PM +, Adam D. Barratt wrote:
> Please feel free to upload, bearing in mind that the window for getting
> updates into the 9.6 point release closes during this weekend.

Uploaded. Thanks.

noah





Bug#912531: stretch-pu: package exiv2/0.25-3.1+deb9u2

2018-10-31 Thread Roberto C. Sanchez
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

I have prepared an update for exiv2 in jessie (0.24-4.1+deb8u2) related
to CVE-2018-16336 and also including a minor fix to the previous patch
for CVE-2018-10958 and CVE-2018-10999.

The patch for the jessie package applied to the stretch exiv2 package
with only one small change required.  I corresponded with the exiv2
maintainers and also Salvatore about whether I should upload this as a
security update.

Salvatore indicated that for stable he was inclined to consider that
this did not warrant a DSA and he recommended that I proceed with a
stable update for the next point release.

Please find attached the source debdiff.

Regards,

-Roberto
diff -Nru exiv2-0.25/debian/changelog exiv2-0.25/debian/changelog
--- exiv2-0.25/debian/changelog	2018-06-27 08:09:36.0 -0400
+++ exiv2-0.25/debian/changelog	2018-10-20 22:43:10.0 -0400
@@ -1,3 +1,13 @@
+exiv2 (0.25-3.1+deb9u2) stretch-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Minor adjustment to the patch for CVE-2018-10958 and CVE-2018-10999.  The
+initial patch was overly restrictive in counting PNG image chunks.
+  * CVE-2018-16336: remote denial of service (heap-based buffer over-read) via
+a crafted image file.
+
+ -- Roberto C. Sanchez   Sat, 20 Oct 2018 22:43:10 -0400
+
 exiv2 (0.25-3.1+deb9u1) stretch-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
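Review bot: the new changelog entry targets `stretch-security`, but the cover mail says Salvatore recommended a regular point-release update rather than a DSA, and for a stretch-pu upload the distribution should be `stretch` (the preferred changelog distribution, as the release team points out elsewhere on this list). The entry also repeats `Non-maintainer upload by the Security Team`, which reads oddly for a p-u upload; suggest `exiv2 (0.25-3.1+deb9u2) stretch; urgency=medium` and a plain NMU line.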
diff -Nru exiv2-0.25/debian/patches/CVE-2018-10958_10999_1_of_2.patch exiv2-0.25/debian/patches/CVE-2018-10958_10999_1_of_2.patch
--- exiv2-0.25/debian/patches/CVE-2018-10958_10999_1_of_2.patch	2018-06-27 08:09:36.0 -0400
+++ exiv2-0.25/debian/patches/CVE-2018-10958_10999_1_of_2.patch	2018-10-20 22:43:10.0 -0400
@@ -32,7 +32,7 @@
  }
  else if(type == iTXt_Chunk)
  {
-+const int nullSeparators = std::count(&data.pData_[keysize+3], &data.pData_[data.size_-1], '\0');
++const int nullSeparators = std::count(&data.pData_[keysize+3], &data.pData_[data.size_], '\0');
 +if (nullSeparators < 2) throw Error(58);
 +
  // Extract a deflate compressed or uncompressed UTF-8 text chunk
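Review bot: the end-iterator fix here is correct: `std::count(first, last, '\0')` scans the half-open range [first, last), so `&data.pData_[data.size_-1]` left the final byte of the chunk out of the count, and an iTXt chunk whose second separator is its last byte (empty translated keyword and empty text) was rejected as having too few separators. `&data.pData_[data.size_]` is the one-past-the-end pointer std::count expects, and forming it without dereferencing it is fine. What the count still assumes is `keysize + 3 <= data.size_`; on a shorter chunk the range is inverted. The CVE-2018-16336 patch further down adds a `Safe::add(keysize, 2)` guard for the zTXt branch, so confirm the iTXt branch gets the equivalent guard before this `std::count` (the part of that patch covering iTXt is cut off in this mail).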
diff -Nru exiv2-0.25/debian/patches/CVE-2018-10958_10999_2_of_2.patch exiv2-0.25/debian/patches/CVE-2018-10958_10999_2_of_2.patch
--- exiv2-0.25/debian/patches/CVE-2018-10958_10999_2_of_2.patch	2018-06-27 08:09:36.0 -0400
+++ exiv2-0.25/debian/patches/CVE-2018-10958_10999_2_of_2.patch	2018-10-20 22:43:10.0 -0400
@@ -14,7 +14,7 @@
 @@ -159,14 +159,24 @@
  else if(type == iTXt_Chunk)
  {
- const int nullSeparators = std::count(&data.pData_[keysize+3], &data.pData_[data.size_-1], '\0');
+ const int nullSeparators = std::count(&data.pData_[keysize+3], &data.pData_[data.size_], '\0');
 -if (nullSeparators < 2) throw Error(58);
 +if (nullSeparators < 2) throw Error(58, "iTXt chunk: not enough null separators");
  
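Review bot: this edits a context line inside 2_of_2 so it matches the output of the amended 1_of_2 patch (`data.size_` instead of `data.size_-1`). Because both files are patches applied in series, a context mismatch only shows up as fuzz or a reject at build time, so run `quilt push -a` on the unpacked source (or a full build) before upload to confirm both still apply cleanly.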
diff -Nru exiv2-0.25/debian/patches/CVE-2018-16336.patch exiv2-0.25/debian/patches/CVE-2018-16336.patch
--- exiv2-0.25/debian/patches/CVE-2018-16336.patch	1969-12-31 19:00:00.0 -0500
+++ exiv2-0.25/debian/patches/CVE-2018-16336.patch	2018-10-20 22:43:10.0 -0400
@@ -0,0 +1,130 @@
+From 35b3e596edacd2437c2c5d3dd2b5c9502626163d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= 
+Date: Fri, 17 Aug 2018 16:41:05 +0200
+Subject: [PATCH] Add overflow & overread checks to PngChunk::parseTXTChunk()
+
+This function was creating a lot of new pointers and strings without
+properly checking the array bounds. This commit adds several calls
+to enforce(), making sure that the pointers stay within bounds.
+Strings are now created using the helper function
+string_from_unterminated() to prevent overreads in the constructor of
+std::string.
+
+This fixes #400
+---
+ src/pngchunk_int.cpp | 63 ++--
+ 1 file changed, 37 insertions(+), 26 deletions(-)
+
+--- exiv2-stretch.git.orig/src/pngchunk.cpp
 exiv2-stretch.git/src/pngchunk.cpp
+@@ -40,6 +40,8 @@
+ #include "iptc.hpp"
+ #include "image.hpp"
+ #include "error.hpp"
++#include "helper_functions.hpp"
++#include "safe_op.hpp"
+ 
+ // + standard includes
+ #include 
+@@ -127,6 +129,8 @@
+ 
+ if(type == zTXt_Chunk)
+ {
++if (data.size_ < Safe::add(keysize, 2)) throw Error(58);
++
+ // Extract a deflate compressed Latin-1 text chunk
+ 
+ // we get the compression method after the key
+@@ -143,11 +147,13 @@
+ // compressed string after the compression technique spec
+ const byte* compressedText  = data.pData_ + keysize + 2;
+ unsigned int compressedTextSize = data.size_  - keysize - 2;
++if (compressedTextSize >= data.size_) throw Error(58);
+ 
+ zlibUnco
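Review bot: two lines of this patch file look truncated as rendered: the `+++` file header after `--- exiv2-stretch.git.orig/src/pngchunk.cpp` appears as ` exiv2-stretch.git/src/pngchunk.cpp` without its `+++` prefix, and the line after `// + standard includes` is a bare `#include` with no header name. If that is the content of the file rather than the archive stripping plus signs and angle brackets, the patch will not apply; verify the file in the source package. On the substance, `if (data.size_ < Safe::add(keysize, 2)) throw Error(58);` is the check that matters for the zTXt branch, since `data.size_ - keysize - 2` is computed unsigned two lines later; the added `if (compressedTextSize >= data.size_) throw Error(58);` can then only fire on the wraparound the first check already excludes, so it is belt and braces rather than a second distinct fix. The diffstat still names upstream's `src/pngchunk_int.cpp` while the backport patches `src/pngchunk.cpp`, which is expected for 0.25 but deserves a line in the patch header. The hunk is cut off at `zlibUnco`, so the remaining changes (including the iTXt branch and the `string_from_unterminated()` uses the commit message describes) cannot be reviewed from this mail.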

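The changelog in the debdiff above says the first CVE-2018-10958/CVE-2018-10999 patch was "overly restrictive", and the amended line shows why: its end iterator was `&data.pData_[data.size_-1]`, which leaves the last byte of the chunk outside the half-open range that `std::count` scans. The following is an added C++ example, not exiv2 code and not part of the mail: it models the rejected and the corrected end iterator side by side on a constructed iTXt payload. `Chunk` is a stand-in for the two DataBuf fields the patch touches, the keyword / compression flag / compression method / language tag / translated keyword / text layout is the standard iTXt layout, and the bounds guard before the count is an assumed equivalent of the `Safe::add` check the CVE-2018-16336 patch adds for zTXt.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Minimal stand-in for the exiv2 DataBuf fields used by the patch (assumed names).
struct Chunk {
    const uint8_t* pData_;
    size_t size_;
};

// Length of the keyword: bytes before the first '\0'. Throws if there is none.
size_t keywordLength(const Chunk& data) {
    const uint8_t* nul = std::find(data.pData_, data.pData_ + data.size_, uint8_t(0));
    if (nul == data.pData_ + data.size_)
        throw std::runtime_error("iTXt chunk: keyword is not null-terminated");
    return static_cast<size_t>(nul - data.pData_);
}

// Count the '\0' separators that follow keyword, compression flag and method.
// skipLastByte=true reproduces the original end iterator (&pData_[size_-1]);
// false uses the corrected one (&pData_[size_]), i.e. the range [keysize+3, size_).
int countNullSeparators(const Chunk& data, size_t keysize, bool skipLastByte) {
    // keysize comes from keywordLength, so keysize <= size_ and keysize + 3 cannot overflow.
    if (data.size_ < keysize + 3)
        throw std::runtime_error("iTXt chunk: truncated before language tag");
    const uint8_t* first = data.pData_ + keysize + 3;
    const uint8_t* last  = data.pData_ + data.size_ - (skipLastByte ? 1 : 0);
    if (last < first) last = first;  // only reachable with skipLastByte when size_ == keysize + 3
    return static_cast<int>(std::count(first, last, uint8_t(0)));
}

// true if the chunk passes the "at least two separators" check, false if it is rejected.
bool acceptsITXt(const std::vector<uint8_t>& bytes, bool skipLastByte) {
    Chunk data{bytes.data(), bytes.size()};
    size_t keysize = keywordLength(data);
    return countNullSeparators(data, keysize, skipLastByte) >= 2;
}

// true if the corrected parser rejects the chunk as truncated by throwing.
bool throwsOnTruncated(const std::vector<uint8_t>& bytes) {
    try { acceptsITXt(bytes, false); return false; }
    catch (const std::runtime_error&) { return true; }
}

// Constructed samples (not taken from the page): keyword "Comment", flag 0, method 0,
// empty language tag, empty translated keyword, and either empty text or "hi".
const std::vector<uint8_t> kEmptyText = {'C','o','m','m','e','n','t',0, 0,0, 0, 0};
const std::vector<uint8_t> kWithText  = {'C','o','m','m','e','n','t',0, 0,0, 0, 0, 'h','i'};
const std::vector<uint8_t> kTruncated = {'C','o','m','m','e','n','t',0, 0};

int main() {
    std::printf("empty text, corrected end iterator : %s\n", acceptsITXt(kEmptyText, false) ? "accepted" : "rejected");
    std::printf("empty text, original end iterator  : %s\n", acceptsITXt(kEmptyText, true)  ? "accepted" : "rejected");
    std::printf("with text,  original end iterator  : %s\n", acceptsITXt(kWithText, true)   ? "accepted" : "rejected");
    std::printf("truncated chunk throws             : %s\n", throwsOnTruncated(kTruncated) ? "yes" : "no");
    return 0;
}
```

The empty-text chunk is the case the changelog calls overly restrictive: its second separator is the final byte, so the original range never sees it and a well-formed chunk is thrown out, while the corrected range counts both. The truncated sample shows why a length guard has to run before the range is formed at all.
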
Bug#912198: stretch-pu: package spamassassin/3.4.2-1~deb9u1

2018-10-31 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Mon, 2018-10-29 at 20:28 -0700, Noah Meyerhans wrote:
> On Mon, Oct 29, 2018 at 07:16:18PM +, Adam D. Barratt wrote:
> > > I have prepared an upload for stretch that is a backport of the
> > > 3.4.2-1 package currently in testing. The changelog entries from
> > > 3.4.1-6 to 3.4.2-1~deb9u1 are below. Note that stretch currently
> > > contains 3.4.1-6+deb9u1. The changes in that version are included
> > > in
> > > the 3.4.1-7 entry in the backport.
> > > 
> > > The debdiff for the debian/ subdirectory is attached. I pruned
> > > the
> > > upstream changes, since they result in a large diff, but can
> > > provide
> > > them if you want.
> > 
> > Yes, please.
> 
> See attached.

Thanks.

Please feel free to upload, bearing in mind that the window for getting
updates into the 9.6 point release closes during this weekend.

Regards,

Adam



Processed: Re: Bug#912198: stretch-pu: package spamassassin/3.4.2-1~deb9u1

2018-10-31 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #912198 [release.debian.org] stretch-pu: package spamassassin/3.4.2-1~deb9u1
Added tag(s) confirmed.

-- 
912198: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912198
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#902557: transition: Perl 5.28

2018-10-31 Thread Niko Tyni
On Wed, Oct 31, 2018 at 10:04:21AM +0100, Emilio Pozuelo Monfort wrote:
> Control: tags -1 confirmed

> Yes. Let's go ahead then as things look good now.

Thanks, uploaded.
-- 
Niko



Processed: forcibly merging 908601 912447

2018-10-31 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> reassign 908601 src:xorg-server 2:1.19.2-1+deb9u2
Bug #908601 [xorg-server] glx: do not pick sRGB config for 32-bit RGBA visual
Bug reassigned from package 'xorg-server' to 'src:xorg-server'.
No longer marked as found in versions 2:1.19.2-1+deb9u2.
Ignoring request to alter fixed versions of bug #908601 to the same values 
previously set
Bug #908601 [src:xorg-server] glx: do not pick sRGB config for 32-bit RGBA 
visual
Marked as found in versions xorg-server/2:1.19.2-1+deb9u2.
> reassign 912447 src:xorg-server 2:1.19.2-1+deb9u2
Bug #912447 [src:xorg-server] xserver-xorg-core: xserver-xorg produces many 
display bugs when used with BPO Mesa
Ignoring request to reassign bug #912447 to the same package
Bug #912447 [src:xorg-server] xserver-xorg-core: xserver-xorg produces many 
display bugs when used with BPO Mesa
Marked as found in versions xorg-server/2:1.19.2-1+deb9u2; no longer marked as 
found in versions xorg-server/2:1.19.2-1+deb9u4.
> forcemerge 908601 912447
Bug #908601 [src:xorg-server] glx: do not pick sRGB config for 32-bit RGBA 
visual
Bug #912447 [src:xorg-server] xserver-xorg-core: xserver-xorg produces many 
display bugs when used with BPO Mesa
Severity set to 'normal' from 'important'
912447 was not blocked by any bugs.
912447 was not blocking any bugs.
Added blocking bug(s) of 912447: 912462
Added tag(s) patch.
Merged 908601 912447
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
908601: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908601
912447: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912447
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#912465: RM: mozvoikko/2.2-0.1

2018-10-31 Thread Adam D. Barratt
Control: tags -1 + moreinfo

On Wed, 2018-10-31 at 21:29 +0100, Moritz Muehlenhoff wrote:
> Please remove mozvoikko from stretch, it's broken with Firefox 60.
> Removal from sid was filed in #912457.

Unfortunately it has r-deps:

# Broken Depends:
debian-parl: parl-desktop-eu
 parl-desktop-world

Regards,

Adam



Processed: Re: Bug#912465: RM: mozvoikko/2.2-0.1

2018-10-31 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + moreinfo
Bug #912465 [release.debian.org] RM: mozvoikko/2.2-0.1
Added tag(s) moreinfo.

-- 
912465: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912465
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: tagging 912465

2018-10-31 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 912465 + stretch
Bug #912465 [release.debian.org] RM: mozvoikko/2.2-0.1
Added tag(s) stretch.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
912465: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912465
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#912462: stretch-pu: package xorg-server/2:1.19.2-1+deb9u5

2018-10-31 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed d-i
Bug #912462 [release.debian.org] stretch-pu: package 
xorg-server/2:1.19.2-1+deb9u5
Added tag(s) d-i and confirmed.

-- 
912462: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912462
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#912462: stretch-pu: package xorg-server/2:1.19.2-1+deb9u5

2018-10-31 Thread Adam D. Barratt
Control: tags -1 + confirmed d-i

On Wed, 2018-10-31 at 21:11 +0100, Andreas Boll wrote:
> I'd like to backport an upstream xorg-server patch to stable to fix
> issue #908601. It fixes a kwin regression caused by Mesa >= 18.0.
> This
> issue has already been fixed in xorg-server in unstable and testing.
> However with backporting Mesa to stretch-backports this issue has
> also
> been triggered with xorg-server in stretch. Since we don't backport
> xorg-server to stretch-backports and the required patch for stretch
> is
> very small I'd like to fix this issue via stretch-pu.
> 

I'd be OK with that, but as xorg-server produces a udeb, it'll need a
d-i ack first. CCing KiBi and tagging appropriately.

Regards,

Adam



Bug#893189: llvm-defaults to llvm-7 ? [was: Re: Bug#893189: transition: llvm-defaults to llvm 6.0]

2018-10-31 Thread Adrian Bunk
On Tue, Oct 23, 2018 at 09:11:53AM +0200, Sylvestre Ledru wrote:
>...
> * Remove everything but 6 & 7 from the archive to release with only two llvm 
> versions. (maybe one if we are very lucky? :)

Luck alone won't help.

The biggest block for shipping only LLVM 7 in buster might be to move 
ghc on arm* either to LLVM 7 or to not use LLVM - and this would ideally
have to be done before the last gc transition for buster starts.

> Cheers,
> Sylvestre

cu
Adrian

-- 

   "Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
   "Only a promise," Lao Er said.
   Pearl S. Buck - Dragon Seed



Bug#912465: RM: mozvoikko/2.2-0.1

2018-10-31 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

Please remove mozvoikko from stretch, it's broken with Firefox 60. Removal from
sid was filed in #912457.

Cheers,
Moritz



Processed: block 908601 with 912462

2018-10-31 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> block 908601 with 912462
Bug #908601 [xorg-server] glx: do not pick sRGB config for 32-bit RGBA visual
908601 was not blocked by any bugs.
908601 was not blocking any bugs.
Added blocking bug(s) of 908601: 912462
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
908601: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908601
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#912462: stretch-pu: package xorg-server/2:1.19.2-1+deb9u5

2018-10-31 Thread Andreas Boll
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Control: block 908601 by -1

Hi,

I'd like to backport an upstream xorg-server patch to stable to fix
issue #908601. It fixes a kwin regression caused by Mesa >= 18.0. This
issue has already been fixed in xorg-server in unstable and testing.
However with backporting Mesa to stretch-backports this issue has also
been triggered with xorg-server in stretch. Since we don't backport
xorg-server to stretch-backports and the required patch for stretch is
very small I'd like to fix this issue via stretch-pu.

Attached is the debdiff between xorg-server 2:1.19.2-1+deb9u4 and
2:1.19.2-1+deb9u5.

Thanks,
Andreas
diff -u xorg-server-1.19.2/debian/changelog xorg-server-1.19.2/debian/changelog
--- xorg-server-1.19.2/debian/changelog
+++ xorg-server-1.19.2/debian/changelog
@@ -1,3 +1,12 @@
+xorg-server (2:1.19.2-1+deb9u5) stretch; urgency=medium
+
+  * Cherry-pick c2954b16c (glx: do not pick sRGB config for 32-bit RGBA
+visual) from upstream. Fixes various blending issues with kwin and
+Mesa >= 18.0 (i.e. Mesa from stretch-backports) (Closes: #908601).
+Thanks to Nicholas D Steeves and Robert Trebula for testing!
+
+ -- Andreas Boll   Wed, 31 Oct 2018 17:58:03 +0100
+
 xorg-server (2:1.19.2-1+deb9u4) stretch-security; urgency=medium
 
   * Disable -logfile and -modulepath when running with elevated privileges.
diff -u xorg-server-1.19.2/debian/patches/series 
xorg-server-1.19.2/debian/patches/series
--- xorg-server-1.19.2/debian/patches/series
+++ xorg-server-1.19.2/debian/patches/series
@@ -12,0 +13 @@
+12_glx-do-not-pick-sRGB-config-for-32-bit-RGBA-visual.patch
only in patch2:
unchanged:
--- 
xorg-server-1.19.2.orig/debian/patches/12_glx-do-not-pick-sRGB-config-for-32-bit-RGBA-visual.patch
+++ 
xorg-server-1.19.2/debian/patches/12_glx-do-not-pick-sRGB-config-for-32-bit-RGBA-visual.patch
@@ -0,0 +1,31 @@
+commit c2954b16c8730c7ed8441fd8dba25900f3aed265
+Author: Tapani Pälli 
+Date:   Tue Nov 28 09:23:29 2017 +0200
+
+glx: do not pick sRGB config for 32-bit RGBA visual
+
+This fixes blending issues seen with kwin and gnome-shell when
+32bit visual has sRGB capability set.
+
+Reviewed-by: Adam Jackson 
+Signed-off-by: Tapani Pälli 
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=103699
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=103646
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=103655
+
+diff --git a/glx/glxscreens.c b/glx/glxscreens.c
+index 73444152a..596d972e0 100644
+--- a/glx/glxscreens.c
 b/glx/glxscreens.c
+@@ -271,6 +271,11 @@ pickFBConfig(__GLXscreen * pGlxScreen, VisualPtr visual)
+ /* If it's the 32-bit RGBA visual, demand a 32-bit fbconfig. */
+ if (visual->nplanes == 32 && config->rgbBits != 32)
+ continue;
++/* If it's the 32-bit RGBA visual, do not pick sRGB capable config.
++ * This can cause issues with compositors that are not sRGB aware.
++ */
++if (visual->nplanes == 32 && config->sRGBCapable == GL_TRUE)
++continue;
+ /* Can't use the same FBconfig for multiple X visuals.  I think. */
+ if (config->visualID != 0)
+ continue;
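Review bot: the `+++ b/glx/glxscreens.c` header in this patch file is rendered here as ` b/glx/glxscreens.c` with its prefix missing; if the file itself reads that way, quilt will refuse it, so check the copy in debian/patches. The new test `if (visual->nplanes == 32 && config->sRGBCapable == GL_TRUE) continue;` sits directly after the existing 32-bit `rgbBits` demand and follows the same skip-this-candidate pattern, so the change is contained; the one case to confirm is a screen on which every 32-bit fbconfig is sRGB-capable, which now leaves the loop without a match, and what pickFBConfig does then is outside the hunk. The commit id in the changelog (`c2954b16c`) matches the `commit c2954b16c8730c7ed8441fd8dba25900f3aed265` line here.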


Bug#912444: stretch-pu: package ola/0.10.3.nojsmin-2

2018-10-31 Thread Wouter Verhelst
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Would like to fix #876251; minor but very annoying bug in init script
means the daemon just doesn't start.

Was fixed in unstable quite a while ago, just needs a stable update.

Proposed debdiff attached. This is fairly large because the
--single-debian-patch thing is not deterministic (yuck), but if one
ignores that it's a one character fix and a changelog entry.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unreleased'), (500, 'unstable'), 
(500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, m68k, arm64

Kernel: Linux 4.18.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=nl_BE.UTF-8, LC_CTYPE=nl_BE.UTF-8 (charmap=UTF-8), 
LANGUAGE=nl_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru ola-0.10.3.nojsmin/debian/changelog 
ola-0.10.3.nojsmin/debian/changelog
--- ola-0.10.3.nojsmin/debian/changelog 2017-03-17 17:13:52.0 +0100
+++ ola-0.10.3.nojsmin/debian/changelog 2018-10-31 17:02:06.0 +0100
@@ -1,3 +1,9 @@
+ola (0.10.3.nojsmin-2+deb9u1) stretch; urgency=medium
+
+  * Fix typo in /etc/init.d/rdm_test_server; Closes: #876251.
+
+ -- Wouter Verhelst   Wed, 31 Oct 2018 17:02:06 +0100
+
 ola (0.10.3.nojsmin-2) unstable; urgency=medium
 
   * Fix symlink target to point to a .js file rather than a .sj one (whoops);
diff -Nru ola-0.10.3.nojsmin/debian/ola-rdm-tests.rdm_test_server.init 
ola-0.10.3.nojsmin/debian/ola-rdm-tests.rdm_test_server.init
--- ola-0.10.3.nojsmin/debian/ola-rdm-tests.rdm_test_server.init
2017-03-09 11:21:39.0 +0100
+++ ola-0.10.3.nojsmin/debian/ola-rdm-tests.rdm_test_server.init
2018-10-31 17:01:50.0 +0100
@@ -17,7 +17,7 @@
 PIDFILE=/var/run/$CMD.pid
 DESC="OLA RDM Test Server"
 USER=olad
-DAEMON_ARGS="--world-writable"
+DAEMON_ARGS="--world-writeable"
 
 # Reads config file (will override defaults above)
 [ -r /etc/default/ola-rdm-tests ] && . /etc/default/ola-rdm-tests
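Review bot: the fix is the single spelling change from `--world-writable` to `--world-writeable` in `DAEMON_ARGS`; the new spelling has to be the one rdm_test_server actually accepts, which #876251 and the unstable fix support, but it is cheap to re-check against the daemon's help output in the stretch build rather than trusting the changelog. Note the two context lines below it: `[ -r /etc/default/ola-rdm-tests ] && . /etc/default/ola-rdm-tests` lets the defaults file override `DAEMON_ARGS`, so any installation that has set its own `DAEMON_ARGS` there keeps the broken spelling after the update; a sentence in the changelog or NEWS.Debian pointing that out would save those users a second round of debugging.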
diff -Nru ola-0.10.3.nojsmin/debian/patches/debian-changes 
ola-0.10.3.nojsmin/debian/patches/debian-changes
--- ola-0.10.3.nojsmin/debian/patches/debian-changes2017-03-17 
17:13:52.0 +0100
+++ ola-0.10.3.nojsmin/debian/patches/debian-changes2018-10-31 
17:02:06.0 +0100
@@ -5,12 +5,11 @@
  information below has been extracted from the changelog. Adjust it or drop
  it.
  .
- ola (0.10.2-3) unstable; urgency=medium
+ ola (0.10.3.nojsmin-3) stretch; urgency=medium
  .
-   * Cherry-pick 4 commits from upstream git to fix include issues on
- mips*. Closes: #836383.
+   * Fix typo in /etc/init.d/rdm_test_server; Closes: #876251.
 Author: Wouter Verhelst 
-Bug-Debian: https://bugs.debian.org/836383
+Bug-Debian: https://bugs.debian.org/876251
 
 ---
 The information above should follow the Patch Tagging Guidelines, please
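Review bot: the regenerated header reads `ola (0.10.3.nojsmin-3) stretch; urgency=medium`, but the changelog entry in this same debdiff is `ola (0.10.3.nojsmin-2+deb9u1) stretch; urgency=medium`; dpkg-source copies that header from the top changelog entry when it regenerates the single debian patch, so the patch was regenerated from a different changelog state than the one being uploaded. Rebuild the source package once more from the final changelog so the two agree (the `Bug-Debian` update to 876251 is correct).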
@@ -23,126 +22,9 @@
 Bug-Ubuntu: https://launchpad.net/bugs/
 Forwarded: 
 Reviewed-By: 
-Last-Update: 2016-11-22
+Last-Update: 2018-10-31
 
 --- /dev/null
-+++ ola-0.10.3.nojsmin/.travis-ci.sh
-@@ -0,0 +1,114 @@
-+#!/bin/bash
-+
-+# This script is triggered from the script section of .travis.yml
-+# It runs the appropriate commands depending on the task requested.
-+
-+set -e
-+
-+CPP_LINT_URL="https://raw.githubusercontent.com/google/styleguide/gh-pages/cpplint/cpplint.py";;
-+
-+COVERITY_SCAN_BUILD_URL="https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh";
-+
-+if [[ $TASK = 'lint' ]]; then
-+  # run the lint tool only if it is the requested task
-+  autoreconf -i;
-+  ./configure --enable-rdm-tests --enable-ja-rule;
-+  # the following is a bit of a hack to build the files normally built during
-+  # the build, so they are present for linting to run against
-+  make builtfiles
-+  # first check we've not got any generic NOLINTs
-+  # count the number of generic NOLINTs
-+  nolints=$(grep -IR NOLINT * | grep -v "NOLINT(" | wc -l)
-+  if [[ $nolints -ne 0 ]]; then
-+# print the output for info
-+echo $(grep -IR NOLINT * | grep -v "NOLINT(")
-+echo "Found $nolints generic NOLINTs"
-+exit 1;
-+  else
-+echo "Found $nolints generic NOLINTs"
-+  fi;
-+  # then fetch and run the main cpplint tool
-+  wget -O cpplint.py $CPP_LINT_URL;
-+  chmod u+x cpplint.py;
-+  ./cpplint.py \
-+--filter=-legal/copyright,-readability/streams,-runtime/arrays \
-+$(find ./ \( -name "*.h" -or -name "*.cpp" \) -and ! \( \
-+-wholename "./common/protocol/Ola.pb.*" -or \
-+-wholename "./common/rpc/Rpc.pb.*" -or \
-+-wholename "./common/rpc/TestService.pb.*" -or \
-+-wholename "./common/rdm/Pids.pb.*" -or \
-+-wholename "./config.h" -or \
-+-wholename "./plugins/*/messages/*ConfigMessages.pb.*" -or \
-+-wholename "./too
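Review bot: beyond the header, this hunk (`@@ -23,126 +22,9 @@`) removes the entire `+++ ola-0.10.3.nojsmin/.travis-ci.sh` section from debian-changes, i.e. the 114 lines that previously added that script to the unpacked source. The cover mail attributes the size of the diff to `--single-debian-patch` not being deterministic, but a hunk disappearing from the single patch does change what `dpkg-source -x` produces unless the file is now present in the orig tarball. Before upload, unpack both the deb9u1 candidate and the current stretch source and diff the trees: only `debian/changelog` and the init script should differ. The hunk is cut off at `./too` in this mail, so the rest of it could not be checked.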

Bug#912194: stretch-pu: package enigmail/2.0.8-5~deb9u1

2018-10-31 Thread Daniel Kahn Gillmor
On Mon 2018-10-29 19:31:07 +, Adam D. Barratt wrote:
> Please go ahead.

this is now uploaded, and it's in stable-new.

 --dkg



Bug#910065: stretch-pu: package libmail-deliverystatus-bounceparser-perl/1.542-1

2018-10-31 Thread Xavier
On 31/10/2018 at 13:57, Adam D. Barratt wrote:
> On 2018-10-08 06:18, Xavier wrote:
>> On 06/10/2018 at 18:43, Adam D. Barratt wrote:
>>> Control: tags -1 + moreinfo
>>>
>>> On Tue, 2018-10-02 at 11:10 +0200, Xavier Guimard wrote:
>>>> libmail-deliverystatus-bounceparser-perl contains some viruses in its
>>>> tests files (#864800). This update proposes to clean sources.
>>>>
>>>> Since debdiff contains virus signatures, it can not be embedded here
>>>> (rejected by SMTP server). I put it on qa.debian.org server:
>>>> /home/yadd/libmail-deliverystatus-bounceparser-perl_1.542-1.debdiff
>>>
>>> +libmail-deliverystatus-bounceparser-perl (1.542+deb9u1-1) stable-
>>> proposed-updates; urgency=medium
>>>
>>> The version there is odd. Normally it would be 1.5242-1+deb9u1. Is this
>>> an attempt to indicate that the source tarball has changed, i.e. a  new
>>> "upstream" version? If so, I'd prefer 1.542+repacked-1~deb9u1, as a
>>> backport from unstable, with the changes that don't immediately look
>>> appropriate reverted:
>>>
>>>    * Declare compliance with policy 4.2.1
>>>    * Remove dependency to libtest-simple-perl (>= 0.94)
>>>    * Bump debhelper compatibility to 10
>>>
>>> As an additional note, the preferred changelog distribution is simply
>>> "stretch".
> [...]
>> thanks. New version uploaded to qa.debian.org:
>> /home/yadd/libmail-deliverystatus-bounceparser-perl_1.542-1.debdiff
> 
> Thanks. That still appears to include the changes mentioned above,
> however. The Standards-Version bump isn't a huge issue, and the
> dependency change may well be fine if you can explain a little more
> about why it's being removed, but in general stable updates shouldn't
> make changes like debhelper compat bumps where they're not relevant to
> fixing the issue at hand.
> 
> Regards,
> 
> Adam

Hello,

thanks. Updated and pushed at the same place (old debdiff moved to
archives/)



Bug#910065: stretch-pu: package libmail-deliverystatus-bounceparser-perl/1.542-1

2018-10-31 Thread Adam D. Barratt

On 2018-10-08 06:18, Xavier wrote:
> On 06/10/2018 at 18:43, Adam D. Barratt wrote:
>> Control: tags -1 + moreinfo
>>
>> On Tue, 2018-10-02 at 11:10 +0200, Xavier Guimard wrote:
>>> libmail-deliverystatus-bounceparser-perl contains some viruses in its
>>> tests files (#864800). This update proposes to clean sources.
>>>
>>> Since debdiff contains virus signatures, it can not be embedded here
>>> (rejected by SMTP server). I put it on qa.debian.org server:
>>> /home/yadd/libmail-deliverystatus-bounceparser-perl_1.542-1.debdiff
>>
>> +libmail-deliverystatus-bounceparser-perl (1.542+deb9u1-1) stable-
>> proposed-updates; urgency=medium
>>
>> The version there is odd. Normally it would be 1.5242-1+deb9u1. Is this
>> an attempt to indicate that the source tarball has changed, i.e. a new
>> "upstream" version? If so, I'd prefer 1.542+repacked-1~deb9u1, as a
>> backport from unstable, with the changes that don't immediately look
>> appropriate reverted:
>>
>>    * Declare compliance with policy 4.2.1
>>    * Remove dependency to libtest-simple-perl (>= 0.94)
>>    * Bump debhelper compatibility to 10
>>
>> As an additional note, the preferred changelog distribution is simply
>> "stretch".
> [...]
> thanks. New version uploaded to qa.debian.org:
> /home/yadd/libmail-deliverystatus-bounceparser-perl_1.542-1.debdiff

Thanks. That still appears to include the changes mentioned above,
however. The Standards-Version bump isn't a huge issue, and the
dependency change may well be fine if you can explain a little more
about why it's being removed, but in general stable updates shouldn't
make changes like debhelper compat bumps where they're not relevant to
fixing the issue at hand.


Regards,

Adam



Bug#912425: stretch-pu: package libxml-stream-perl/1.24-2

2018-10-31 Thread Adam D. Barratt

Control: tags -1 + confirmed

On 2018-10-31 11:49, Florian Schlichting wrote:
> libxml-stream-perl in Stretch turns on verification of SSL certificates
> by default, but fails to provide a default path to the CA root
> certificates, without which all encrypted connections fail.
>
> In Debian, the default set of certificates is located in /etc/ssl/certs,
> so instead - or in addition to - fixing every program using
> libxml-stream-perl behind the curtain (such as sendxmpp), this update
> ensures a working set of defaults.


Please go ahead.

Regards,

Adam



Processed: Re: Bug#912425: stretch-pu: package libxml-stream-perl/1.24-2

2018-10-31 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #912425 [release.debian.org] stretch-pu: package libxml-stream-perl/1.24-2
Added tag(s) confirmed.

-- 
912425: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912425
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#912367: stretch-pu: package gthumb/3:3.4.4.1-5

2018-10-31 Thread Herbert Fortes

On 31/10/2018 05:32, Salvatore Bonaccorso wrote:
> Hi Herbert,
>
> [Disclaimer: not SRM here, but only commenting on small issue below]
>
> On Tue, Oct 30, 2018 at 03:31:27PM -0300, Herbert Parentes Fortes Neto wrote:
>> Package: release.debian.org
>> Severity: normal
>> Tags: stretch
>> User: release.debian@packages.debian.org
>> Usertags: pu
>>
>> I made Gthumb Debian package version 3:3.4.4.1-6+deb9u1
>
> The version should actually be 3:3.4.4.1-*5*+deb9u1 given the last
> version in stretch is 3:3.4.4.1-5.
>
> Regards,
> Salvatore



Thanks Salvatore!

Updated and a new file is attached:

 - gthumb_3.4.4.1-5_3.4.4.1-5+deb9u1.diff.gz



Regards,
Herbert




Bug#912425: stretch-pu: package libxml-stream-perl/1.24-2

2018-10-31 Thread Florian Schlichting
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

libxml-stream-perl in Stretch turns on verification of SSL certificates
by default, but fails to provide a default path to the CA root
certificates, without which all encrypted connections fail.

In Debian, the default set of certificates is located in /etc/ssl/certs,
so instead - or in addition to - fixing every program using
libxml-stream-perl behind the curtain (such as sendxmpp), this update
ensures a working set of defaults.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru libxml-stream-perl-1.24/debian/changelog 
libxml-stream-perl-1.24/debian/changelog
--- libxml-stream-perl-1.24/debian/changelog2015-06-05 22:03:56.0 
+0200
+++ libxml-stream-perl-1.24/debian/changelog2018-10-31 12:00:40.0 
+0100
@@ -1,3 +1,9 @@
+libxml-stream-perl (1.24-2+deb9u1) stretch; urgency=medium
+
+  * Provide a default CA path (closes: #908027, LP: 1774614)
+
+ -- Florian Schlichting   Wed, 31 Oct 2018 12:00:40 +0100
+
 libxml-stream-perl (1.24-2) unstable; urgency=medium
 
   * Team upload.
diff -Nru libxml-stream-perl-1.24/debian/patches/default-ca-path.patch 
libxml-stream-perl-1.24/debian/patches/default-ca-path.patch
--- libxml-stream-perl-1.24/debian/patches/default-ca-path.patch
1970-01-01 01:00:00.0 +0100
+++ libxml-stream-perl-1.24/debian/patches/default-ca-path.patch
2018-10-31 11:59:27.0 +0100
@@ -0,0 +1,18 @@
+Description: provide a default ssl_ca_path
+ ssl_verify is on by default, but will fail unless provided with a valid
+ ssl_ca_path. On Debian, commonly trusted CA certificates are stored in
+ /etc/ssl/certs
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908027
+Forwarded: https://github.com/dap/XML-Stream/issues/19
+
+--- a/lib/XML/Stream.pm
 b/lib/XML/Stream.pm
+@@ -220,7 +220,7 @@
+ $self->{SIDS}->{default}->{ssl} = 0;
+ $self->{SIDS}->{default}->{_tls} = 0;
+ $self->{SIDS}->{default}->{ssl_verify} = 0x01; # verify peer by default
+-$self->{SIDS}->{default}->{ssl_ca_path} = '';
++$self->{SIDS}->{default}->{ssl_ca_path} = '/etc/ssl/certs';
+ $self->{SIDS}->{default}->{namespace} = "";
+ $self->{SIDS}->{default}->{myhostname} = $fullname;
+ $self->{SIDS}->{default}->{derivedhostname} = $fullname;
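Review bot: the change keeps `ssl_verify = 0x01` and only fills in `ssl_ca_path`, so certificate verification stays on rather than being switched off to make connections work, which is the right way round. Two things to confirm. First, `/etc/ssl/certs` is used as a CA path (a directory), and OpenSSL only finds certificates in a directory through hash-named links, which on Debian the ca-certificates package maintains; the package should therefore depend on or at least recommend ca-certificates, otherwise the default points at an empty or absent directory and every connection still fails, just with a different error. Second, the `+++ b/lib/XML/Stream.pm` header line renders here as ` b/lib/XML/Stream.pm` without its prefix; if the patch file really lacks it, it will not apply. The `Forwarded:` link to upstream issue 19 is good to have.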
diff -Nru libxml-stream-perl-1.24/debian/patches/series 
libxml-stream-perl-1.24/debian/patches/series
--- libxml-stream-perl-1.24/debian/patches/series   2015-06-05 
22:03:56.0 +0200
+++ libxml-stream-perl-1.24/debian/patches/series   2018-10-31 
11:59:27.0 +0100
@@ -1 +1,2 @@
 t_upstream_uninitialized_value.diff
+default-ca-path.patch


Processed: tagging 910065

2018-10-31 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 910065 - moreinfo
Bug #910065 [release.debian.org] stretch-pu: package 
libmail-deliverystatus-bounceparser-perl/1.542-1
Removed tag(s) moreinfo.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
910065: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=910065
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#902557: transition: Perl 5.28

2018-10-31 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 confirmed
Bug #902557 [release.debian.org] transition: Perl 5.28
Added tag(s) confirmed.

-- 
902557: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902557
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#902557: transition: Perl 5.28

2018-10-31 Thread Emilio Pozuelo Monfort
Control: tags -1 confirmed

On 28/10/2018 13:24, Mattia Rizzolo wrote:
> On Sun, Oct 28, 2018 at 02:14:01PM +0200, Niko Tyni wrote:
>> The only thing I found is gnumeric (#912099). Given it only links against
>> libperl5.26, I'm not sure if that's an actual blocker or if libperl5.26
>> and libperl5.28 can exist in testing at the same time ("soft updates"?)
> 
> If libperl can really be soft-updated these days, it doesn't block the
> starting of the transition, but it *does* block the ending, as of course
> we would like to remove libperl5.26 at some point...

libperl accounts for a very small part of the transition, and that shouldn't be a
problem. The larger issue is that all the perlapi-* rdeps need to migrate
simultaneously, as they are provided by perl-base and thus can't both co-exist
in testing.

> Of course, gnumeric can be removed :P

Yes. Let's go ahead then as things look good now.

Cheers,
Emilio



Bug#912367: stretch-pu: package gthumb/3:3.4.4.1-5

2018-10-31 Thread Salvatore Bonaccorso
Hi Herbert,

[Disclaimer: not SRM here, but only commenting on small issue below]

On Tue, Oct 30, 2018 at 03:31:27PM -0300, Herbert Parentes Fortes Neto wrote:
> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> I made Gthumb Debian package version 3:3.4.4.1-6+deb9u1

The version should actually be 3:3.4.4.1-*5*+deb9u1 given the last
version in stretch is 3:3.4.4.1-5.

Regards,
Salvatore



Bug#912401: stretch-pu: package network-manager/1.6.2-3+deb9u2

2018-10-31 Thread Michael Biebl
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to make a stable upload for network-manager, addressing
CVE-2018-15688 [1].
NetworkManager ships an internal copy of sd-network, which is used by
the dhcp=internal plugin. This plugin is used as a fallback if
isc-dhcp-client is not installed, or if it is configured explicitly.
Both cases are rather uncommon, which is why the security team agreed
that this is sufficient to be fixed via a regular stable upload and
doesn't require a stable-security upload.

Upstream has committed the fix to the nm-1-6 branch and included various
smaller fixes while at it [2].

Strictly speaking, only [3] should be necessary to address the CVE, but
upstream recommends pulling the whole branch, which is what I did.

The full debdiff is attached.

I didn't upload yet, in case you think only [3] should be applied and the
other changes are not appropriate.

Please let me know if I can upload as-is or if you prefer to handle this
differently.

Thanks for considering,
Michael


[1] https://security-tracker.debian.org/tracker/CVE-2018-15688
[2] https://gitlab.freedesktop.org/NetworkManager/NetworkManager/commit/885d17821895bbefd143599771b2bf7eb8308267
[3] https://gitlab.freedesktop.org/NetworkManager/NetworkManager/commit/01ca2053bbea09f35b958c8cc7631e15469acb79
-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index ebb876f17..7fca98e83 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+network-manager (1.6.2-3+deb9u2) stretch; urgency=medium
+
+  * dhcp6: Make sure we have enough space for the DHCP6 option header.
+Fixes out-of-bounds heap write in systemd-networkd dhcpv6 option handling
+which also affects the "internal" DHCP plugin of NetworkManager.
+(CVE-2018-15688, LP: #1795921)
+
+ -- Michael Biebl   Wed, 31 Oct 2018 07:54:50 +0100
+
 network-manager (1.6.2-3+deb9u1) stretch; urgency=medium
 
   * libnm: Fix accessing enabled and metered properties.
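Review bot: the new changelog entry records only the CVE-2018-15688 fix, but the cover mail says the whole upstream nm-1-6 branch with "various smaller fixes" was pulled, and the debdiff itself adds a separate dhcp6_option_parse_domainname off-by-one patch. SRMs review a stable update against its changelog, so each additional cherry-picked fix should get its own bullet (or the entry should at least state that the nm-1-6 branch fixes were pulled and point at the upstream commit), otherwise the scope of the upload is only visible in the mail, not in the package.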
diff --git 
a/debian/patches/dhcp6-fix-an-off-by-one-error-in-dhcp6_option_parse_domai.patch
 
b/debian/patches/dhcp6-fix-an-off-by-one-error-in-dhcp6_option_parse_domai.patch
new file mode 100644
index 0..718ecc72c
--- /dev/null
+++ 
b/debian/patches/dhcp6-fix-an-off-by-one-error-in-dhcp6_option_parse_domai.patch
@@ -0,0 +1,50 @@
+From: Evgeny Vereshchagin 
+Date: Sat, 29 Sep 2018 03:06:10 +
+Subject: dhcp6: fix an off-by-one error in dhcp6_option_parse_domainname
+
+==14==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200055fa9c 
at pc 0x005458f1 bp 0x7ffc78940d90 sp 0x7ffc78940d88
+READ of size 1 at 0x60200055fa9c thread T0
+#0 0x5458f0 in dhcp6_option_parse_domainname 
/work/build/../../src/systemd/src/libsystemd-network/dhcp6-option.c:555:29
+#1 0x54706e in dhcp6_lease_set_domains 
/work/build/../../src/systemd/src/libsystemd-network/sd-dhcp6-lease.c:242:13
+#2 0x53fce0 in client_parse_message 
/work/build/../../src/systemd/src/libsystemd-network/sd-dhcp6-client.c:984:29
+#3 0x53f3bc in client_receive_advertise 
/work/build/../../src/systemd/src/libsystemd-network/sd-dhcp6-client.c:1083:13
+#4 0x53d57f in client_receive_message 
/work/build/../../src/systemd/src/libsystemd-network/sd-dhcp6-client.c:1182:21
+#5 0x7f0f7159deee in source_dispatch 
/work/build/../../src/systemd/src/libsystemd/sd-event/sd-event.c:3042:21
+#6 0x7f0f7159d431 in sd_event_dispatch 
/work/build/../../src/systemd/src/libsystemd/sd-event/sd-event.c:3455:21
+#7 0x7f0f7159ea8d in sd_event_run 
/work/build/../../src/systemd/src/libsystemd/sd-event/sd-event.c:3512:21
+#8 0x531f2b in fuzz_client 
/work/build/../../src/systemd/src/fuzz/fuzz-dhcp6-client.c:44:9
+#9 0x531bc1 in LLVMFuzzerTestOneInput 
/work/build/../../src/systemd/src/fuzz/fuzz-dhcp6-client.c:53:9
+#10 0x57bec8 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, 
unsigned long) /src/libfuzzer/FuzzerLoop.cpp:570:15
+#11 0x579d67 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned 
long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:479:3
+#12 0x57dc92 in fuzzer::Fuzzer::MutateAndTestOne() 
/src/libfuzzer/FuzzerLoop.cpp:707:19
+#13 0x580ca6 in 
fuzzer::Fuzzer::Loop(std::__1::vector, std::__1::allocator >, 
fuzzer::fuzzer_allocator, std::__1::allocator > > > const&) 
/src/libfuzzer/FuzzerLoop.cpp:838:5
+#14 0x55e968 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char 
const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:764:6
+#15 0x551a1c in
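Review bot: the Subject of this patch (an off-by-one in dhcp6_option_parse_domainname, which the ASan trace shows as a heap-buffer-overflow READ reached from client_receive_advertise) does not match the changelog's description of the CVE-2018-15688 change (making sure there is space for the DHCP6 option header, an out-of-bounds heap write), so this appears to be one of the extra branch fixes rather than the CVE fix itself and should be named in the changelog. The header carries only From/Date/Subject; add a DEP-3 Origin: line with the upstream commit URL (and Bug/CVE references where they apply) so the provenance of each cherry-pick is recorded in the package rather than only in the cover mail.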
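What "enough space for the DHCP6 option header" amounts to, as an added illustration in C. This is example code written for this page, not NetworkManager's or systemd's sd-network source; the names option_append_weak, option_append_checked, run_append and RC_NOBUFS, and the 12-byte payload, are constructed for it. The weak appender compares only the payload length against the remaining buffer, so a payload that exactly fills the buffer still gets a 4-byte header (the RFC 3315 code and length fields) written past the end; the checked variant requires header plus payload to fit. The harness hands each appender a smaller declared length than the backing array, so the overrun lands in a canary region and can be counted without undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DHCPv6 option layout (RFC 3315, section 22.1): a 2-byte option code and
 * a 2-byte option length, both network byte order, followed by the data. */
typedef struct {
    uint16_t code;
    uint16_t len;
    uint8_t  data[];
} dhcp6_option;

#define DHCP6_OPTION_HDR offsetof(dhcp6_option, data)   /* 4 bytes */
#define OPTION_CLIENTID  1                               /* RFC 3315 option code */
#define RC_NOBUFS        (-105)  /* hypothetical stand-in for -ENOBUFS */

typedef int (*append_fn)(uint8_t **buf, size_t *buflen, uint16_t code,
                         size_t optlen, const void *optval);

/* Emits header and payload at the cursor and advances it. Callers are
 * responsible for the space check; this helper trusts them. */
static void put_option(uint8_t **buf, size_t *buflen, uint16_t code,
                       size_t optlen, const void *optval)
{
    uint8_t *p = *buf;
    p[0] = (uint8_t)(code >> 8);
    p[1] = (uint8_t)code;
    p[2] = (uint8_t)(optlen >> 8);
    p[3] = (uint8_t)optlen;
    memcpy(p + DHCP6_OPTION_HDR, optval, optlen);
    *buf    += DHCP6_OPTION_HDR + optlen;
    *buflen -= DHCP6_OPTION_HDR + optlen;   /* wraps if the check was too weak */
}

/* Weak check: only the payload is compared against the remaining space.
 * A payload that exactly fills the buffer passes, and the 4-byte header
 * pushes the tail of the write past the end of the allocation. */
int option_append_weak(uint8_t **buf, size_t *buflen, uint16_t code,
                       size_t optlen, const void *optval)
{
    if (optlen > 0xffff || *buflen < optlen)
        return RC_NOBUFS;
    put_option(buf, buflen, code, optlen, optval);
    return 0;
}

/* Corrected check: header and payload together must fit. */
int option_append_checked(uint8_t **buf, size_t *buflen, uint16_t code,
                          size_t optlen, const void *optval)
{
    if (optlen > 0xffff || *buflen < DHCP6_OPTION_HDR + optlen)
        return RC_NOBUFS;
    put_option(buf, buflen, code, optlen, optval);
    return 0;
}

/* Harness. A 32-byte array stands in for the heap allocation, but the
 * appender is told only `declared` bytes remain; everything beyond that is
 * a 0xAA canary. All writes stay inside the array, so the demonstration is
 * well-defined C even when the weak check lets the write spill over.
 * Returns the number of canary bytes overwritten, or -1 if the appender
 * refused the option. */
int run_append(append_fn fn, size_t declared)
{
    /* Constructed 12-byte DUID-style payload for the demonstration. */
    static const uint8_t payload[12] = { 0x00, 0x01, 0x00, 0x01, 0x5b, 0xd3,
                                         0x12, 0x34, 0xde, 0xad, 0xbe, 0xef };
    uint8_t backing[32];
    uint8_t *cursor = backing;
    size_t remaining = declared;
    int clobbered = 0;

    memset(backing, 0xAA, sizeof backing);
    if (fn(&cursor, &remaining, OPTION_CLIENTID, sizeof payload, payload) < 0)
        return -1;
    for (size_t i = declared; i < sizeof backing; i++)
        if (backing[i] != 0xAA)
            clobbered++;
    return clobbered;
}

int main(void)
{
    printf("weak check, 12 bytes left for a 12-byte payload: %d canary bytes clobbered\n",
           run_append(option_append_weak, 12));
    printf("checked,    12 bytes left for a 12-byte payload: rc %d (refused)\n",
           run_append(option_append_checked, 12));
    printf("checked,    16 bytes left for a 12-byte payload: %d canary bytes clobbered\n",
           run_append(option_append_checked, 16));
    return 0;
}
```

Build with `cc -std=c99 -Wall dhcp6_hdr.c` and run: the weak appender clobbers 4 canary bytes, the checked one refuses the same call. The point for reviewing fixes of this kind is that the length check and the write must agree on the same quantity, header included, and that the remaining-length accounting after the write should also be guarded, since a wrapped size_t would make every later option appear to fit.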