NEW changes in stable-new

2019-04-05 Thread Debian FTP Masters
Processing changes file: systemd_232-25+deb9u10_mipsel.changes
  ACCEPT
Processing changes file: vips_8.4.5-1+deb9u1_mipsel.changes
  ACCEPT



NEW changes in stable-new

2019-04-05 Thread Debian FTP Masters
Processing changes file: vips_8.4.5-1+deb9u1_mips64el.changes
  ACCEPT



Processed: Re: unblock: notary/0.6.1~ds1-3

2019-04-05 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 - moreinfo
Bug #926337 [release.debian.org] unblock: notary/0.6.1~ds1-3
Removed tag(s) moreinfo.

-- 
926337: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926337
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#926337: unblock: notary/0.6.1~ds1-3

2019-04-05 Thread Shengjing Zhu
Control: tags -1 - moreinfo

Hi,
It has been built on mips now.

// sent from my mobile device

Ivo De Decker wrote on Fri, Apr 5, 2019 at 03:27:

> Control: tags -1 moreinfo
>
> Hi,
>
> On Thu, Apr 04, 2019 at 01:00:00AM +0800, Shengjing Zhu wrote:
> > Please unblock package notary
> >
> > * Regenerate some test certs since they are expired (Closes: #924119)
> >
> > unblock notary/0.6.1~ds1-3
>
> The build failed on mips. This will block migration, even if the package is
> unblocked.
>
> https://buildd.debian.org/status/package.php?p=notary
>
> Ivo
>
>


Bug#926438: stretch-pu: package gocode/20150303-3+deb9u1

2019-04-05 Thread Andreas Beckmann
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

the recent PU of auto-complete-el caused a regression in
gocode-auto-complete-el, which fails to install due to some emacs lisp
dependency ordering problem.
The easiest workaround is to ensure auto-complete-el is configured first
by promoting it to Pre-Depends.
I also tried to backport the supposed fix from 20150303-5, but that
didn't fix the install error.
With the move to elpa (and new upstream releases of both packages) this
bug is not relevant for testing/sid.
The package is already uploaded.

Andreas
diff -Nru gocode-20150303/debian/changelog gocode-20150303/debian/changelog
--- gocode-20150303/debian/changelog2015-07-28 09:18:12.0 +0200
+++ gocode-20150303/debian/changelog2019-04-05 10:36:56.0 +0200
@@ -1,3 +1,11 @@
+gocode (20150303-3+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * gocode-auto-complete-el: Promote auto-complete-el to Pre-Depends.
+(Closes: #911590)
+
+ -- Andreas Beckmann   Fri, 05 Apr 2019 10:36:56 +0200
+
 gocode (20150303-3) unstable; urgency=medium
 
   * Remove dh_auto_build override (Closes: #793829)
diff -Nru gocode-20150303/debian/control gocode-20150303/debian/control
--- gocode-20150303/debian/control  2015-07-28 09:18:26.0 +0200
+++ gocode-20150303/debian/control  2019-04-05 10:36:56.0 +0200
@@ -29,7 +29,8 @@
 Package: gocode-auto-complete-el
 Section: editors
 Architecture: all
-Depends: ${shlibs:Depends}, ${misc:Depends}, gocode, auto-complete-el,
+Pre-Depends: auto-complete-el,
+Depends: ${shlibs:Depends}, ${misc:Depends}, gocode,
 Enhances: gocode
 Description: gocode integration for Emacs
  This package provides gocode integration with Emacs, based on
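Review bot: The new `Pre-Depends: auto-complete-el,` line in the gocode-auto-complete-el stanza carries no comment, and the changelog entry only says the relation was promoted, so a later maintainer cannot tell from the packaging that this works around an install-time ordering failure (#911590). Pre-Depends is a stronger relation than Depends because it requires auto-complete-el to be configured before this package is unpacked; add a `#` comment above the field saying why it is needed and that it is meant for stretch only, so it is not carried forward by accident.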


Bug#926439: unblock: tryton-server/5.0.4-2

2019-04-05 Thread Mathias Behrle
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package tryton-server

This version fixes CVE-2019-10868.

debdiff attached.

unblock tryton-server/5.0.4-2

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (800, 'testing'), (700, 'unstable'), (600, 'experimental'), (500, 
'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), 
LANGUAGE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru tryton-server-5.0.4/debian/changelog 
tryton-server-5.0.4/debian/changelog
--- tryton-server-5.0.4/debian/changelog2019-01-23 16:06:18.0 
+0100
+++ tryton-server-5.0.4/debian/changelog2019-04-03 17:29:15.0 
+0200
@@ -1,3 +1,15 @@
+tryton-server (5.0.4-2) unstable; urgency=high
+
+  * Add 03_sec_issue8189_check_read_access_on_search_order.patch
+for CVE-2019-10868.
+This patch fixes security issue http://bugs.tryton.org/issue8189:
+ Check read access on field in search_order.
+ An authenticated user can order records based on a field for which
+ he has no access right. This may allow the user to guess values.
+ See also https://discuss.tryton.org/t/security-release-for-issue8189/
+
+ -- Mathias Behrle   Wed, 03 Apr 2019 17:29:15 +0200
+
 tryton-server (5.0.4-1) unstable; urgency=medium
 
   * Add more configuration parameters to trytond.conf.
diff -Nru 
tryton-server-5.0.4/debian/patches/03_sec_issue8189_check_read_access_on_search_order.patch
 
tryton-server-5.0.4/debian/patches/03_sec_issue8189_check_read_access_on_search_order.patch
--- 
tryton-server-5.0.4/debian/patches/03_sec_issue8189_check_read_access_on_search_order.patch
 1970-01-01 01:00:00.0 +0100
+++ 
tryton-server-5.0.4/debian/patches/03_sec_issue8189_check_read_access_on_search_order.patch
 2019-04-03 17:16:42.0 +0200
@@ -0,0 +1,53 @@
+Description: Check read access on field in search_order.
+ An authenticated user can order records based on a field for which
+ he has no access right. This may allow the user to guess values.
+
+Origin: upstream, http://hg.tryton.org/trytond/rev/b2fab24f9c60 
+Bug: http://bugs.tryton.org/issue8189
+Forwarded: not-needed
+Last-Update: 2019-04-03
+
+--- tryton-server-5.0.4.orig/trytond/model/modelstorage.py
 tryton-server-5.0.4/trytond/model/modelstorage.py
+@@ -395,7 +395,7 @@ class ModelStorage(Model):
+ 
+ ModelAccess.check(cls.__name__, 'read')
+ 
+-def check(domain, cls, to_check):
++def check_domain(domain, cls, to_check):
+ if is_leaf(domain):
+ local, relate = (domain[0].split('.', 1) + [None])[:2]
+ to_check[cls.__name__].add(local)
+@@ -405,16 +405,29 @@ class ModelStorage(Model):
+ else:
+ target = cls._fields[local].get_target()
+ target_domain = [(relate,) + tuple(domain[1:])]
+-check(target_domain, target, to_check)
++check_domain(target_domain, target, to_check)
+ elif not domain:
+ return
+ else:
+ i = 1 if domain[0] in ['OR', 'AND'] else 0
+ for d in domain[i:]:
+-check(d, cls, to_check)
++check_domain(d, cls, to_check)
++
++def check_order(order, cls, to_check):
++if not order:
++return
++for oexpr, otype in order:
++local, _, relate = oexpr.partition('.')
++to_check[cls.__name__].add(local)
++if relate:
++target = cls._fields[local].get_target()
++target_order = [(relate, otype)]
++check_order(target_order, target, to_check)
++
+ if transaction.user and transaction.context.get('_check_access'):
+ to_check = defaultdict(set)
+-check(domain, cls, to_check)
++check_domain(domain, cls, to_check)
++check_order(order, cls, to_check)
+ for name, fields_names in to_check.items():
+ ModelAccess.check(name, 'read')
+ ModelFieldAccess.check(name, fields_names, 'read')
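Review bot: In the added check_order, `target = cls._fields[local].get_target()` runs for every order expression that contains a dot, with no check that `local` is a known field or that the field is relational. Since the order clause comes from the caller, a malformed expression would surface as a KeyError or AttributeError from inside the access check instead of a clean access or validation error, unless the order is validated before this point (not visible in the hunk). The patch also touches only modelstorage.py; a regression test that searches with an order on a field the user cannot read, including the dotted form, would pin the fix for CVE-2019-10868.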
diff -Nru tryton-server-5.0.4/debian/patches/series 
tryton-server-5.0.4/debian/patches/series
--- tryton-server-5.0.4/debian/patches/series   2019-01-23 16:06:17.0 
+0100
+++ tryton-server-5.0.4/debian/patches/series   2019-04-03 17:11:53.0 
+0200
@@ -1,2 +1,3 @@
 01_migrate_obsolete_modules.patch
 02_avoid_call_to_pypi.patch
+03_sec_issue8189_check_read_access_on_search_order.patch


Bug#926440: unblock: oggvideotools/0.9.1-5

2019-04-05 Thread Andreas Tille
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package oggvideotools


I decided to leave all of the following non-invasive changes that
were accumulated in Git:

+  [ Ondřej Nový ]
+  * d/control: Deprecating priority extra as per policy 4.0.1
+  * d/changelog: Remove trailing whitespaces
+  * d/control: Remove trailing whitespaces
+  * d/control: Set Vcs-* to salsa.debian.org
+  * d/control: Remove XS-Testsuite field, not needed anymore
+  * d/watch: Use https protocol



unblock oggvideotools/0.9.1-5

-- System Information:
Debian Release: 9.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru oggvideotools-0.9.1/debian/changelog 
oggvideotools-0.9.1/debian/changelog
--- oggvideotools-0.9.1/debian/changelog2019-02-03 14:37:15.0 
+0100
+++ oggvideotools-0.9.1/debian/changelog2019-04-05 09:46:07.0 
+0200
@@ -1,3 +1,25 @@
+oggvideotools (0.9.1-5) unstable; urgency=medium
+
+  * Team upload.
+
+  [ Ondřej Nový ]
+  * d/control: Deprecating priority extra as per policy 4.0.1
+  * d/changelog: Remove trailing whitespaces
+  * d/control: Remove trailing whitespaces
+  * d/control: Set Vcs-* to salsa.debian.org
+  * d/control: Remove XS-Testsuite field, not needed anymore
+  * d/watch: Use https protocol
+
+  [ Peter Michael Green ]
+  * Update dependency and file path for python-mecavideo -> python3-mecavideo
+package rename.
+Closes: #924608
+
+  [ Andreas Tille ]
+  * Standards-Version: 4.3.0
+
+ -- Andreas Tille   Fri, 05 Apr 2019 09:46:07 +0200
+
 oggvideotools (0.9.1-4.1) unstable; urgency=high
 
   * Non-maintainer upload.
@@ -168,7 +190,7 @@
 
 oggvideotools (0.7b-ubuntu1) jaunty; urgency=low
 
-  * rebuilt with libtheora beta1 
+  * rebuilt with libtheora beta1
 
  -- jan gerber   Tue, 11 Aug 2009 00:27:20 +0200
 
diff -Nru oggvideotools-0.9.1/debian/control oggvideotools-0.9.1/debian/control
--- oggvideotools-0.9.1/debian/control  2019-02-03 14:37:15.0 +0100
+++ oggvideotools-0.9.1/debian/control  2019-04-05 09:46:07.0 +0200
@@ -17,11 +17,10 @@
  libboost-dev,
  debconf,
  pysycache-i18n,
- python-mecavideo,
-Standards-Version: 4.0.0
-XS-Testsuite: autopkgtest
-Vcs-Git: https://anonscm.debian.org/git/pkg-xiph/oggvideotools.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-xiph/oggvideotools.git
+ python3-mecavideo,
+Standards-Version: 4.3.0
+Vcs-Git: https://salsa.debian.org/multimedia-team/oggvideotools.git
+Vcs-Browser: https://salsa.debian.org/multimedia-team/oggvideotools
 Homepage: http://www.streamnik.de/oggvideotools.html
 
 Package: oggvideotools
@@ -34,7 +33,7 @@
* oggCat - concatenates two ogg video files
* oggCut - extracts parts of an ogg file
* oggDump
-   * oggJoin - multiplexes ogg streams 
+   * oggJoin - multiplexes ogg streams
* oggLength
* oggTranscode - resizes ogg files in multiple ways
* oggScroll
@@ -45,7 +44,6 @@
 
 Package: oggvideotools-dbg
 Section: debug
-Priority: extra
 Architecture: any
 Multi-Arch: no
 Depends: oggvideotools (= ${binary:Version}), ${misc:Depends}
@@ -55,7 +53,7 @@
* oggCat - concatenates two ogg video files
* oggCut - extracts parts of an ogg file
* oggDump
-   * oggJoin - multiplexes ogg streams 
+   * oggJoin - multiplexes ogg streams
* oggLength
* oggTranscode - resizes ogg files in multiple ways
* oggScroll
diff -Nru oggvideotools-0.9.1/debian/tests/control 
oggvideotools-0.9.1/debian/tests/control
--- oggvideotools-0.9.1/debian/tests/control2017-05-20 08:10:45.0 
+0200
+++ oggvideotools-0.9.1/debian/tests/control2019-04-05 09:46:07.0 
+0200
@@ -1,4 +1,4 @@
 Tests: test-oggjoin test-oggcut
-Depends: @, debconf, pysycache-i18n, python-mecavideo, valgrind
+Depends: @, debconf, pysycache-i18n, python3-mecavideo, valgrind
 Restrictions: allow-stderr
 
diff -Nru oggvideotools-0.9.1/debian/tests/test-oggcut 
oggvideotools-0.9.1/debian/tests/test-oggcut
--- oggvideotools-0.9.1/debian/tests/test-oggcut2016-05-24 
11:35:01.0 +0200
+++ oggvideotools-0.9.1/debian/tests/test-oggcut2019-04-05 
09:46:07.0 +0200
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Need the package mktemp and python-mecavideo
+# Need the package mktemp and python3-mecavideo
 # Based on https://bugs.launchpad.net/ubuntu/+source/oggvideotools/+bug/1462697 >
 # This test does not trigger the reported bug, but test oggCut that do
 # not crash.  To crash, a different input file is needed, as only some
@@ -24,7 +24,7 @@
 
 echo "info: Running autopkgtest script $0"
 
-input=/usr/share/python-mecavideo/video/Effet_force_magnetique.ogv
+input=/usr/share/python3-mecavideo/video/Effet_f
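Review bot: `input=` in test-oggcut is a hardcoded path into another package's data directory, which is why the python-mecavideo to python3-mecavideo rename (#924608) needed a change here. Unless the script already checks it further down, a `[ -r "$input" ]` test right after the assignment, failing with a message that names the missing file, would make the next such rename obvious in the autopkgtest log.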

Bug#926441: unblock: qemu/1:3.1+dfsg-7

2019-04-05 Thread Michael Tokarev
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package qemu

The version currently in -unstable fixes 2 security issues
(CVE-2019-9824 and CVE-2018-20815), patches taken from
upstream, and fixes a mistake in the previous version of
one of the binary packages (qemu-guest-agent) - we misplaced
a new config file, putting it in a subdir (/etc/qemu/fsfreeze-hook/
instead of /etc/qemu/fsfreeze-hook), -- this last issue required
some work fixing it and moving the file into the proper place. All
various corner cases of this, including when the user modified
that file locally _and_ fixed its location too, were tested and
all works ok. This is an Ubuntu bug (LP: #1820291) which slipped into
Debian too.

Here's the debdiff against 1:3.1+dfsg-5 currently in testing:

diff -Nru qemu-3.1+dfsg/debian/changelog qemu-3.1+dfsg/debian/changelog
--- qemu-3.1+dfsg/debian/changelog  2019-03-11 14:30:44.0 +0300
+++ qemu-3.1+dfsg/debian/changelog  2019-03-27 14:24:06.0 +0300
@@ -1,3 +1,26 @@
+qemu (1:3.1+dfsg-7) unstable; urgency=high
+
+  [ Michael Tokarev ]
+  * device_tree-don-t-use-load_image-CVE-2018-20815.patch
+fix heap buffer overflow while loading device tree blob
+(Closes: CVE-2018-20815)
+
+  [ Christian Ehrhardt ]
+  * qemu-guest-agent: fix path of fsfreeze-hook (LP: #1820291)
+   - d/qemu-guest-agent.install: use correct path for fsfreeze-hook
+   - d/qemu-guest-agent.pre{rm|inst}/.postrm: special handling for
+ mv_conffile since the new path is a directory in the old package
+ version which can not be handled by mv_conffile.
+
+ -- Michael Tokarev   Wed, 27 Mar 2019 14:24:06 +0300
+
+qemu (1:3.1+dfsg-6) unstable; urgency=high
+
+  * slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch
+fix information leakage in slirp code (Closes: CVE-2019-9824)
+
+ -- Michael Tokarev   Mon, 18 Mar 2019 14:41:51 +0300
+
 qemu (1:3.1+dfsg-5) unstable; urgency=high
 
   * i2c-ddc-fix-oob-read-CVE-2019-3812.patch fixes
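Review bot: `(Closes: CVE-2018-20815)` and `(Closes: CVE-2019-9824)` in the two new entries use the bug-closing keyword with a CVE id rather than a Debian bug number, so they close nothing in the BTS. Either reference the CVE in plain text, for example `fix heap buffer overflow while loading device tree blob (CVE-2018-20815)`, or add the numbers of the corresponding Debian bugs if any were filed.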
diff -Nru 
qemu-3.1+dfsg/debian/patches/device_tree-don-t-use-load_image-CVE-2018-20815.patch
 
qemu-3.1+dfsg/debian/patches/device_tree-don-t-use-load_image-CVE-2018-20815.patch
--- 
qemu-3.1+dfsg/debian/patches/device_tree-don-t-use-load_image-CVE-2018-20815.patch
  1970-01-01 03:00:00.0 +0300
+++ 
qemu-3.1+dfsg/debian/patches/device_tree-don-t-use-load_image-CVE-2018-20815.patch
  2019-03-27 14:16:54.0 +0300
@@ -0,0 +1,35 @@
+From: Peter Maydell 
+Date: Fri, 14 Dec 2018 13:30:52 +
+Subject: device_tree.c: Don't use load_image() (CVE-2018-20815)
+Commit-Id: da885fe1ee8b4589047484bd7fa05a4905b52b17
+
+The load_image() function is deprecated, as it does not let the
+caller specify how large the buffer to read the file into is.
+Instead use load_image_size().
+
+Signed-off-by: Peter Maydell 
+Reviewed-by: Richard Henderson 
+Reviewed-by: Stefan Hajnoczi 
+Reviewed-by: Michael S. Tsirkin 
+Reviewed-by: Eric Blake 
+Message-id: 20181130151712.2312-9-peter.mayd...@linaro.org
+---
+ device_tree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/device_tree.c b/device_tree.c
+index 6d9c9726f66..296278e12ae 100644
+--- a/device_tree.c
 b/device_tree.c
+@@ -91,7 +91,7 @@ void *load_device_tree(const char *filename_path, int *sizep)
+ /* First allocate space in qemu for device tree */
+ fdt = g_malloc0(dt_size);
+ 
+-dt_file_load_size = load_image(filename_path, fdt);
++dt_file_load_size = load_image_size(filename_path, fdt, dt_size);
+ if (dt_file_load_size < 0) {
+ error_report("Unable to open device tree file '%s'",
+  filename_path);
+-- 
+2.11.0
+
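Review bot: After the switch to `load_image_size(filename_path, fdt, dt_size)`, the only check on the result in this hunk is still `dt_file_load_size < 0`, so the read is now bounded but a file larger than `dt_size` would be cut off at the buffer size without any error. If that case is not caught later in load_device_tree (not visible here), it would be worth rejecting the load explicitly. The commit message also describes the change only as replacing a deprecated function; one sentence saying that the unbounded read is the heap overflow tracked as CVE-2018-20815 would help anyone auditing debian/patches.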
diff -Nru qemu-3.1+dfsg/debian/patches/series 
qemu-3.1+dfsg/debian/patches/series
--- qemu-3.1+dfsg/debian/patches/series 2019-03-11 14:30:08.0 +0300
+++ qemu-3.1+dfsg/debian/patches/series 2019-03-27 14:16:54.0 +0300
@@ -7,3 +7,5 @@
 scsi-generic-avoid-possible-oob-access-to-r-buf-CVE-2019-6501.patch
 slirp-check-data-length-while-emulating-ident-function-CVE-2019-6778.patch
 i2c-ddc-fix-oob-read-CVE-2019-3812.patch
+slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch
+device_tree-don-t-use-load_image-CVE-2018-20815.patch
diff -Nru 
qemu-3.1+dfsg/debian/patches/slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch
 
qemu-3.1+dfsg/debian/patches/slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch
--- 
qemu-3.1+dfsg/debian/patches/slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch
 1970-01-01 03:00:00.0 +0300
+++ 
qemu-3.1+dfsg/debian/patches/slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch
 2019-03-18 14:41:28.0 +0300
@@ -0,0 +1,49 @@
+From: Samuel Thibault 
+Date: Thu,  7 Mar 2019 12:51:34 +0100
+Message-Id: <20190307115143.780-5-samuel.thiba...@ens-lyon.org>
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Subject: slirp: check sscanf res

NEW changes in stable-new

2019-04-05 Thread Debian FTP Masters
Processing changes file: dns-root-data_2019031302~deb9u1_all.changes
  ACCEPT
Processing changes file: dnsruby_1.54-2+deb9u1_all.changes
  ACCEPT



NEW changes in stable-new

2019-04-05 Thread Debian FTP Masters
Processing changes file: edk2_0~20161202.7bbe0b3e-1+deb9u1_all.changes
  ACCEPT



Bug#926442: unblock: torsocks/2.3.0-2

2019-04-05 Thread Chris Lamb
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-CC: Debian Privacy Tools Maintainers 


Dear Release Team,

Please consider unblocking torsocks 2.3.0-2 for buster:
  
  torsocks (2.3.0-2) unstable; urgency=medium
  
[ intrigeri & Sandro Knauß ]
* Cherry-pick patch from upstream Git, to fix Totem crashing when run
  under torsocks, by adding support for the getdents and getdents64
  syscalls. (Closes: Tails#16618, which would be severity: important
  in a Debian context.)
  
[ Ulrike Uhlig ]
* Update package description: don't make safety promises that upstream
  prefers not to. (Closes: #870763)

This issue surfaced when testing under Tails; please see:

  https://redmine.tails.boum.org/code/issues/16618#change-102199

… for more information and the specific history of the issue. We
would, of course, dearly love to drop our locally-patched copy of this
package and be synced with Debian.

The full debdiff is attached.  Apologies for the non-essential changes
to the package description (#870763) but this was already pushed to
Salsa and it should be pretty harmless from an unblock point of view.


Best wishes,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-


debdiff
Description: Binary data


Bug#926427: marked as done (unblock: astroidmail/0.14-2.1)

2019-04-05 Thread Debian Bug Tracking System
Your message dated Fri, 05 Apr 2019 10:47:46 +
with message-id 
and subject line unblock astroidmail
has caused the Debian Bug report #926427,
regarding unblock: astroidmail/0.14-2.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
926427: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926427
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Dear Release Team,

Please unblock astroidmail 0.14-2.1. This upload fixes the RC bug 
https://bugs.debian.org/924818 , which is caused by the compatibility
issue between this software and the newer ronn 0.8.x introduced in the
Buster cycle. The solution is to use the alternative tool (scdoc) as
preferred by upstream to generate the man page. A patch onto
CMakeLists.txt is also applied to fix the ronn compatibility issue
itself.

--
Thanks,
Boyuan Yang


Full source diff is also provided here:

diff -Nru astroidmail-0.14/debian/changelog astroidmail-
0.14/debian/changelog
--- astroidmail-0.14/debian/changelog   2018-11-30 15:54:19.0
-0500
+++ astroidmail-0.14/debian/changelog   2019-04-04 19:03:52.0
-0400
@@ -1,3 +1,13 @@
+astroidmail (0.14-2.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * debian/patches: Add a patch to fix compatibility with
+newer ronn and solve the FTBFS. (Closes: #924818)
+  * debian/control: Add build-dependency on scdoc in order to
+generate man pages with higher quality.
+
+ -- Boyuan Yang   Thu, 04 Apr 2019 19:03:52 -0400
+
 astroidmail (0.14-2) unstable; urgency=medium
 
   * Add patch cherry-picked upstream
diff -Nru astroidmail-0.14/debian/control astroidmail-
0.14/debian/control
--- astroidmail-0.14/debian/control 2018-10-01 04:27:05.0
-0400
+++ astroidmail-0.14/debian/control 2019-04-04 19:03:50.0
-0400
@@ -28,6 +28,7 @@
  pkg-config,
  protobuf-compiler,
  python3-gi,
+ scdoc,
  ronn,
  xauth,
  xvfb,
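Review bot: `scdoc` is added to Build-Depends while `ronn` stays, yet the CMake context in patch 1002 shows ronn is only the fallback ("Falling back to 'ronn' for man page generation.") used when scdoc is not found. With scdoc installed at build time the ronn branch should not run in the Debian build, so either drop `ronn` from Build-Depends or say in the changelog why both are kept.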
diff -Nru astroidmail-0.14/debian/patches/1002-CMakeLists.txt-Update-
ronn-parameters-for-compat-wit.patch astroidmail-
0.14/debian/patches/1002-CMakeLists.txt-Update-ronn-parameters-for-
compat-wit.patch
--- astroidmail-0.14/debian/patches/1002-CMakeLists.txt-Update-ronn-
parameters-for-compat-wit.patch 1969-12-31 19:00:00.0 -0500
+++ astroidmail-0.14/debian/patches/1002-CMakeLists.txt-Update-ronn-
parameters-for-compat-wit.patch 2019-04-04 19:01:03.0 -0400
@@ -0,0 +1,25 @@
+From: Boyuan Yang 
+Date: Thu, 4 Apr 2019 18:44:22 -0400
+Subject: CMakeLists.txt: Update ronn parameters for compat with new
ronn
+
+The newer versions of ronn no longer accepts the -p option.
+Using the long option ("--pipe") instead.
+
+Forwarded: https://github.com/astroidmail/astroid/issues/627
+---
+ CMakeLists.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 99b38e4..d1de553 100644
+--- a/CMakeLists.txt
 b/CMakeLists.txt
+@@ -410,7 +410,7 @@ if (NOT DISABLE_DOCS)
+   message (WARNING "Falling back to 'ronn' for man page
generation.")
+   add_custom_command (
+ TARGET astroid
+-COMMAND ${RONN} -rp ${CMAKE_SOURCE_DIR}/doc/astroid.1.scd |
gzip > ${CMAKE_BINARY_DIR}/astroid.1.gz
++COMMAND ${RONN} -r --pipe
${CMAKE_SOURCE_DIR}/doc/astroid.1.scd | gzip >
${CMAKE_BINARY_DIR}/astroid.1.gz
+ COMMENT "Generating man page (ronn)")
+ else ()
+   message (FATAL_ERROR "Neither 'scdoc' nor 'ronn' installed. One
is required for man page generation.")
diff -Nru astroidmail-0.14/debian/patches/series astroidmail-
0.14/debian/patches/series
--- astroidmail-0.14/debian/patches/series  2018-11-30
15:50:50.0 -0500
+++ astroidmail-0.14/debian/patches/series  2019-04-04
18:50:50.0 -0400
@@ -1 +1,2 @@
 020181123~83c03f4.patch
+1002-CMakeLists.txt-Update-ronn-parameters-for-compat-wit.patch


--- End Message ---
--- Begin Message ---
Unblocked astroidmail.
--- End Message ---


Bug#926435: marked as done (unblock: camitk/4.1.2-3)

2019-04-05 Thread Debian Bug Tracking System
Your message dated Fri, 05 Apr 2019 10:48:52 +
with message-id 
and subject line unblock camitk
has caused the Debian Bug report #926435,
regarding unblock: camitk/4.1.2-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
926435: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926435
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package camitk



diff -Nru camitk-4.1.2/debian/changelog camitk-4.1.2/debian/changelog
--- camitk-4.1.2/debian/changelog   2018-10-23 10:19:39.0 +0200
+++ camitk-4.1.2/debian/changelog   2019-04-05 07:36:59.0 +0200
@@ -1,3 +1,14 @@
+camitk (4.1.2-3) unstable; urgency=medium
+
+  [ Andreas Beckmann ]
+  * libcamitk-dev: Add Breaks against several vtk6 packages to force switching
+from libvtk6-dev to libvtk7-dev.  (Closes: #926430)
+
+  [ Andreas Tille ]
+  * Standards-Version: 4.3.0
+
+ -- Andreas Tille   Fri, 05 Apr 2019 07:36:59 +0200
+
 camitk (4.1.2-2) unstable; urgency=medium
 
   * VTK7 compatibility. Closes: #909120
diff -Nru camitk-4.1.2/debian/control camitk-4.1.2/debian/control
--- camitk-4.1.2/debian/control 2018-10-23 10:19:39.0 +0200
+++ camitk-4.1.2/debian/control 2019-04-05 07:36:29.0 +0200
@@ -21,7 +21,7 @@
xauth,
doxygen,
graphviz
-Standards-Version: 4.2.1
+Standards-Version: 4.3.0
 Vcs-Browser: https://salsa.debian.org/med-team/camitk
 Vcs-Git: https://salsa.debian.org/med-team/camitk.git
 Homepage: https://camitk.imag.fr/
@@ -81,7 +81,11 @@
  ${shlibs:Depends}
 Recommends: camitk-imp
 Suggests: camitk-actionstatemachine
-Breaks: libcamitk3-dev
+Breaks: libcamitk3-dev,
+libvtk6-dev,
+libvtk6-java,
+libvtk6-jni,
+libvtk6-qt-dev,
 Replaces: libcamitk3-dev
 Description: Computer Assisted Medical Intervention Tool Kit - development
  Helps researchers and clinicians to easily and rapidly collaborate in
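Review bot: The four added `Breaks:` entries (`libvtk6-dev`, `libvtk6-java`, `libvtk6-jni`, `libvtk6-qt-dev`) are unversioned, so libcamitk-dev can never be installed alongside any version of those packages. The changelog says the intent is to force the switch from libvtk6-dev to libvtk7-dev; a `#` comment in debian/control recording that intent and the bug number (#926430) would keep the entries from looking accidental and make them easy to drop later.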


unblock camitk/4.1.2-3

-- System Information:
Debian Release: 9.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Unblocked camitk.
--- End Message ---


Bug#926440: marked as done (unblock: oggvideotools/0.9.1-5)

2019-04-05 Thread Debian Bug Tracking System
Your message dated Fri, 05 Apr 2019 10:50:10 +
with message-id 
and subject line unblock oggvideotools
has caused the Debian Bug report #926440,
regarding unblock: oggvideotools/0.9.1-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
926440: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926440
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package oggvideotools


I decided to leave all of the following non-invasive changes that
were accumulated in Git:

+  [ Ondřej Nový ]
+  * d/control: Deprecating priority extra as per policy 4.0.1
+  * d/changelog: Remove trailing whitespaces
+  * d/control: Remove trailing whitespaces
+  * d/control: Set Vcs-* to salsa.debian.org
+  * d/control: Remove XS-Testsuite field, not needed anymore
+  * d/watch: Use https protocol



unblock oggvideotools/0.9.1-5

-- System Information:
Debian Release: 9.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru oggvideotools-0.9.1/debian/changelog 
oggvideotools-0.9.1/debian/changelog
--- oggvideotools-0.9.1/debian/changelog2019-02-03 14:37:15.0 
+0100
+++ oggvideotools-0.9.1/debian/changelog2019-04-05 09:46:07.0 
+0200
@@ -1,3 +1,25 @@
+oggvideotools (0.9.1-5) unstable; urgency=medium
+
+  * Team upload.
+
+  [ Ondřej Nový ]
+  * d/control: Deprecating priority extra as per policy 4.0.1
+  * d/changelog: Remove trailing whitespaces
+  * d/control: Remove trailing whitespaces
+  * d/control: Set Vcs-* to salsa.debian.org
+  * d/control: Remove XS-Testsuite field, not needed anymore
+  * d/watch: Use https protocol
+
+  [ Peter Michael Green ]
+  * Update dependency and file path for python-mecavideo -> python3-mecavideo
+package rename.
+Closes: #924608
+
+  [ Andreas Tille ]
+  * Standards-Version: 4.3.0
+
+ -- Andreas Tille   Fri, 05 Apr 2019 09:46:07 +0200
+
 oggvideotools (0.9.1-4.1) unstable; urgency=high
 
   * Non-maintainer upload.
@@ -168,7 +190,7 @@
 
 oggvideotools (0.7b-ubuntu1) jaunty; urgency=low
 
-  * rebuilt with libtheora beta1 
+  * rebuilt with libtheora beta1
 
  -- jan gerber   Tue, 11 Aug 2009 00:27:20 +0200
 
diff -Nru oggvideotools-0.9.1/debian/control oggvideotools-0.9.1/debian/control
--- oggvideotools-0.9.1/debian/control  2019-02-03 14:37:15.0 +0100
+++ oggvideotools-0.9.1/debian/control  2019-04-05 09:46:07.0 +0200
@@ -17,11 +17,10 @@
  libboost-dev,
  debconf,
  pysycache-i18n,
- python-mecavideo,
-Standards-Version: 4.0.0
-XS-Testsuite: autopkgtest
-Vcs-Git: https://anonscm.debian.org/git/pkg-xiph/oggvideotools.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-xiph/oggvideotools.git
+ python3-mecavideo,
+Standards-Version: 4.3.0
+Vcs-Git: https://salsa.debian.org/multimedia-team/oggvideotools.git
+Vcs-Browser: https://salsa.debian.org/multimedia-team/oggvideotools
 Homepage: http://www.streamnik.de/oggvideotools.html
 
 Package: oggvideotools
@@ -34,7 +33,7 @@
* oggCat - concatenates two ogg video files
* oggCut - extracts parts of an ogg file
* oggDump
-   * oggJoin - multiplexes ogg streams 
+   * oggJoin - multiplexes ogg streams
* oggLength
* oggTranscode - resizes ogg files in multiple ways
* oggScroll
@@ -45,7 +44,6 @@
 
 Package: oggvideotools-dbg
 Section: debug
-Priority: extra
 Architecture: any
 Multi-Arch: no
 Depends: oggvideotools (= ${binary:Version}), ${misc:Depends}
@@ -55,7 +53,7 @@
* oggCat - concatenates two ogg video files
* oggCut - extracts parts of an ogg file
* oggDump
-   * oggJoin - multiplexes ogg streams 
+   * oggJoin - multiplexes ogg streams
* oggLength
* oggTranscode - resizes ogg files in multiple ways
* oggScroll
diff -Nru oggvideotools-0.9.1/debian/tests/control 
oggvideotools-0.9.1/debian/tests/control
--- oggvideotools-0.9.1/debian/tests/control2017-05-20 08:10:45.0 
+0200
+++ oggvideotools-0.9.1/debian/tests/control2019-04-05 09:46:07.0 
+0200
@@ -1,4 +1,4 @@
 Tests: test-oggjoin test-oggcut
-Depends: @, debconf, pysycache-i18n, python-mecavideo, valgrind
+Depends: @, debconf, pysycache-i18n, python3-mecavideo, valgrind
 Restrictions: allow-stderr
 
diff -Nru oggvideotools-0.9.1/debian/tests/t

Bug#926422: marked as done (unblock: java-atk-wrapper/0.33.3-22)

2019-04-05 Thread Debian Bug Tracking System
Your message dated Fri, 05 Apr 2019 14:32:15 +
with message-id 
and subject line unblock java-atk-wrapper
has caused the Debian Bug report #926422,
regarding unblock: java-atk-wrapper/0.33.3-22
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
926422: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926422
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hello,

Please unblock package java-atk-wrapper. As shown in Bug#926420, it has
a strong memory leak and performance issue, as raised upstream on
https://bugzilla.gnome.org/show_bug.cgi?id=791970 and 
https://issues.apache.org/jira/browse/NETBEANS-861
It does not make applications really crash, but the latter report says
it makes the netbeans UI really unresponsive.

unblock java-atk-wrapper/0.33.3-22

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 
'proposed-updates'), (500, 'oldoldstable'), (500, 'buildd-unstable'), (500, 
'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental-debug'), 
(1, 'buildd-experimental'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.0.0 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru java-atk-wrapper-0.33.3/debian/changelog 
java-atk-wrapper-0.33.3/debian/changelog
--- java-atk-wrapper-0.33.3/debian/changelog2018-05-02 23:06:45.0 
+0200
+++ java-atk-wrapper-0.33.3/debian/changelog2019-04-04 22:51:05.0 
+0200
@@ -1,3 +1,9 @@
+java-atk-wrapper (0.33.3-22) unstable; urgency=medium
+
+  * patches/remove_component_listener: Fix memory leak (Closes: Bug#926420)
+
+ -- Samuel Thibault   Thu, 04 Apr 2019 22:51:05 +0200
+
 java-atk-wrapper (0.33.3-21) unstable; urgency=medium
 
   * Bump Standards-Version to 4.1.4 (no changes).
diff -Nru java-atk-wrapper-0.33.3/debian/patches/remove_component_listener 
java-atk-wrapper-0.33.3/debian/patches/remove_component_listener
--- java-atk-wrapper-0.33.3/debian/patches/remove_component_listener
1970-01-01 01:00:00.0 +0100
+++ java-atk-wrapper-0.33.3/debian/patches/remove_component_listener
2019-04-04 22:50:49.0 +0200
@@ -0,0 +1,23 @@
+commit f9faf04a88685d6759c18572988876215332086a
+Author: Samuel Thibault 
+Date:   Tue Apr 2 19:55:13 2019 +0200
+
+Fix removing component listener
+
+instead of adding it again.
+
+Fixes https://bugzilla.gnome.org/show_bug.cgi?id=791970
+
+diff --git a/wrapper/org/GNOME/Accessibility/AtkWrapper.java.in 
b/wrapper/org/GNOME/Accessibility/AtkWrapper.java.in
+index 0fbb196..3463a59 100644
+--- a/wrapper/org/GNOME/Accessibility/AtkWrapper.java.in
 b/wrapper/org/GNOME/Accessibility/AtkWrapper.java.in
+@@ -306,7 +306,7 @@ public class AtkWrapper {
+   case ContainerEvent.COMPONENT_REMOVED:
+   {
+   java.awt.Component c = ((ContainerEvent)e).getChild();
+-c.addComponentListener(componentAdapter);
++c.removeComponentListener(componentAdapter);
+ break;
+   }
+ 
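Review bot: in the `COMPONENT_REMOVED` case the fix only works if `componentAdapter` is the same listener instance that the add path registered, because `removeComponentListener` detaches nothing otherwise. The hunk does not show the add path, so please confirm that. The patch header cites only the GNOME bug; a `Bug-Debian` reference for #926420, which the changelog closes, would tie the two together.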
diff -Nru java-atk-wrapper-0.33.3/debian/patches/series 
java-atk-wrapper-0.33.3/debian/patches/series
--- java-atk-wrapper-0.33.3/debian/patches/series   2018-05-02 
22:58:28.0 +0200
+++ java-atk-wrapper-0.33.3/debian/patches/series   2019-04-04 
22:51:05.0 +0200
@@ -19,4 +19,6 @@
 GC
 parameters
 coords
+remove_component_listener
+
 nojavah
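Review bot: the hunk adds an empty line after `remove_component_listener`, leaving a stray blank entry in front of `nojavah`. quilt ignores blank lines, so this is harmless, but dropping the extra `+` line keeps the debdiff down to the one entry the fix needs.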
--- End Message ---
--- Begin Message ---
Unblocked java-atk-wrapper.
--- End Message ---


Bug#926426: marked as done (unblock: python-smoke-zephyr/1.4.1-1)

2019-04-05 Thread Debian Bug Tracking System
Your message dated Fri, 05 Apr 2019 14:34:12 +
with message-id 
and subject line unblock python-smoke-zephyr
has caused the Debian Bug report #926426,
regarding unblock: python-smoke-zephyr/1.4.1-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
926426: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926426
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hello,

I'm asking for the unblock of python-smoke-zephyr
 because a critical bug was solved upstream.

This bug was detected in the past and upstream and I thought it was fixed
already[0], then after it was reported again recently[1] we found out that
the problem still persisted.

This time I first tried to fix the problem by uploading 1.4.0-2, and while
it was on Unstable I think somebody else filed an unblock request and it
was granted, but before this version hit testing I uploaded the correct fix
(1.4.1-1) to unstable, that's why you can see two changelog entries on the
debdiff.

Thanks

[0] https://github.com/zeroSteiner/smoke-zephyr/issues/4
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925208

--
Samuel Henrique 


--- End Message ---
--- Begin Message ---
Unblocked python-smoke-zephyr.
--- End Message ---


Bug#926439: marked as done (unblock: tryton-server/5.0.4-2)

2019-04-05 Thread Debian Bug Tracking System
Your message dated Fri, 05 Apr 2019 14:36:19 +
with message-id 
and subject line unblock tryton-server
has caused the Debian Bug report #926439,
regarding unblock: tryton-server/5.0.4-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
926439: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926439
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package tryton-server

This version fixes CVE-2019-10868.

debdiff attached.

unblock tryton-server/5.0.4-2

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (800, 'testing'), (700, 'unstable'), (600, 'experimental'), (500, 
'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), 
LANGUAGE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru tryton-server-5.0.4/debian/changelog 
tryton-server-5.0.4/debian/changelog
--- tryton-server-5.0.4/debian/changelog2019-01-23 16:06:18.0 
+0100
+++ tryton-server-5.0.4/debian/changelog2019-04-03 17:29:15.0 
+0200
@@ -1,3 +1,15 @@
+tryton-server (5.0.4-2) unstable; urgency=high
+
+  * Add 03_sec_issue8189_check_read_access_on_search_order.patch
+for CVE-2019-10868.
+This patch fixes security issue http://bugs.tryton.org/issue8189:
+ Check read access on field in search_order.
+ An authenticated user can order records based on a field for which
+ he has no access right. This may allow the user to guess values.
+ See also https://discuss.tryton.org/t/security-release-for-issue8189/
+
+ -- Mathias Behrle   Wed, 03 Apr 2019 17:29:15 +0200
+
 tryton-server (5.0.4-1) unstable; urgency=medium
 
   * Add more configuration parameters to trytond.conf.
diff -Nru 
tryton-server-5.0.4/debian/patches/03_sec_issue8189_check_read_access_on_search_order.patch
 
tryton-server-5.0.4/debian/patches/03_sec_issue8189_check_read_access_on_search_order.patch
--- 
tryton-server-5.0.4/debian/patches/03_sec_issue8189_check_read_access_on_search_order.patch
 1970-01-01 01:00:00.0 +0100
+++ 
tryton-server-5.0.4/debian/patches/03_sec_issue8189_check_read_access_on_search_order.patch
 2019-04-03 17:16:42.0 +0200
@@ -0,0 +1,53 @@
+Description: Check read access on field in search_order.
+ An authenticated user can order records based on a field for which
+ he has no access right. This may allow the user to guess values.
+
+Origin: upstream, http://hg.tryton.org/trytond/rev/b2fab24f9c60 
+Bug: http://bugs.tryton.org/issue8189
+Forwarded: not-needed
+Last-Update: 2019-04-03
+
+--- tryton-server-5.0.4.orig/trytond/model/modelstorage.py
 tryton-server-5.0.4/trytond/model/modelstorage.py
+@@ -395,7 +395,7 @@ class ModelStorage(Model):
+ 
+ ModelAccess.check(cls.__name__, 'read')
+ 
+-def check(domain, cls, to_check):
++def check_domain(domain, cls, to_check):
+ if is_leaf(domain):
+ local, relate = (domain[0].split('.', 1) + [None])[:2]
+ to_check[cls.__name__].add(local)
+@@ -405,16 +405,29 @@ class ModelStorage(Model):
+ else:
+ target = cls._fields[local].get_target()
+ target_domain = [(relate,) + tuple(domain[1:])]
+-check(target_domain, target, to_check)
++check_domain(target_domain, target, to_check)
+ elif not domain:
+ return
+ else:
+ i = 1 if domain[0] in ['OR', 'AND'] else 0
+ for d in domain[i:]:
+-check(d, cls, to_check)
++check_domain(d, cls, to_check)
++
++def check_order(order, cls, to_check):
++if not order:
++return
++for oexpr, otype in order:
++local, _, relate = oexpr.partition('.')
++to_check[cls.__name__].add(local)
++if relate:
++target = cls._fields[local].get_target()
++target_order = [(relate, otype)]
++check_order(target_order, target, to_check)
++
+ if transaction.user and transaction.context.get('_check_access'):
+ to_check = defaultdict(set)
+-check(domain,
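Review bot: `check_order` calls `cls._fields[local].get_target()` whenever the order expression contains a dot, whereas `check_domain` reaches the same call only through an `else:` branch, so there is a case handled on the domain side that the new function skips. Please confirm that a dotted order clause on a field without a target cannot arrive here and raise instead of being access-checked. The diff as quoted is cut off before the call site, so it is also worth verifying that `check_order` is invoked under the same `_check_access` guard as `check_domain`.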

Bug#926441: marked as done (unblock: qemu/1:3.1+dfsg-7)

2019-04-05 Thread Debian Bug Tracking System
Your message dated Fri, 05 Apr 2019 14:37:41 +
with message-id 
and subject line unblock qemu
has caused the Debian Bug report #926441,
regarding unblock: qemu/1:3.1+dfsg-7
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
926441: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926441
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package qemu

The version currently in -unstable fixes 2 security issues
(CVE-2019-9824 and CVE-2018-20815), patches taken from
upstream, and fixes a mistake in previous version of
one of the binary packages (qemu-guest-agent) - we misplaced
a new config file, putting it to a subdir (/etc/qemu/fsfreeze-hook/
instead of /etc/qemu/fsfreeze-hook), -- this last issue required
some work fixing it and moving the file into proper place. All
various corner cases of this, including when the user modified
that file locally _and_ fixed its location too, were tested and
all works ok. This is Ubuntu bug (LP: #1820291) which slipped to
Debian too.

Here's the debdiff against 1:3.1+dfsg-5 currently in testing:

diff -Nru qemu-3.1+dfsg/debian/changelog qemu-3.1+dfsg/debian/changelog
--- qemu-3.1+dfsg/debian/changelog  2019-03-11 14:30:44.0 +0300
+++ qemu-3.1+dfsg/debian/changelog  2019-03-27 14:24:06.0 +0300
@@ -1,3 +1,26 @@
+qemu (1:3.1+dfsg-7) unstable; urgency=high
+
+  [ Michael Tokarev ]
+  * device_tree-don-t-use-load_image-CVE-2018-20815.patch
+fix heap buffer overflow while loading device tree blob
+(Closes: CVE-2018-20815)
+
+  [ Christian Ehrhardt ]
+  * qemu-guest-agent: fix path of fsfreeze-hook (LP: #1820291)
+   - d/qemu-guest-agent.install: use correct path for fsfreeze-hook
+   - d/qemu-guest-agent.pre{rm|inst}/.postrm: special handling for
+ mv_conffile since the new path is a directory in the old package
+ version which can not be handled by mv_conffile.
+
+ -- Michael Tokarev   Wed, 27 Mar 2019 14:24:06 +0300
+
+qemu (1:3.1+dfsg-6) unstable; urgency=high
+
+  * slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch
+fix information leakage in slirp code (Closes: CVE-2019-9824)
+
+ -- Michael Tokarev   Mon, 18 Mar 2019 14:41:51 +0300
+
 qemu (1:3.1+dfsg-5) unstable; urgency=high
 
   * i2c-ddc-fix-oob-read-CVE-2019-3812.patch fixes
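Review bot: `(Closes: CVE-2018-20815)` and `(Closes: CVE-2019-9824)` do not close anything, because the changelog `Closes:` syntax takes Debian bug numbers, not CVE ids. Keep the CVE ids in the entry text and put the matching BTS numbers in `Closes:` if such bugs exist.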
diff -Nru 
qemu-3.1+dfsg/debian/patches/device_tree-don-t-use-load_image-CVE-2018-20815.patch
 
qemu-3.1+dfsg/debian/patches/device_tree-don-t-use-load_image-CVE-2018-20815.patch
--- 
qemu-3.1+dfsg/debian/patches/device_tree-don-t-use-load_image-CVE-2018-20815.patch
  1970-01-01 03:00:00.0 +0300
+++ 
qemu-3.1+dfsg/debian/patches/device_tree-don-t-use-load_image-CVE-2018-20815.patch
  2019-03-27 14:16:54.0 +0300
@@ -0,0 +1,35 @@
+From: Peter Maydell 
+Date: Fri, 14 Dec 2018 13:30:52 +
+Subject: device_tree.c: Don't use load_image() (CVE-2018-20815)
+Commit-Id: da885fe1ee8b4589047484bd7fa05a4905b52b17
+
+The load_image() function is deprecated, as it does not let the
+caller specify how large the buffer to read the file into is.
+Instead use load_image_size().
+
+Signed-off-by: Peter Maydell 
+Reviewed-by: Richard Henderson 
+Reviewed-by: Stefan Hajnoczi 
+Reviewed-by: Michael S. Tsirkin 
+Reviewed-by: Eric Blake 
+Message-id: 20181130151712.2312-9-peter.mayd...@linaro.org
+---
+ device_tree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/device_tree.c b/device_tree.c
+index 6d9c9726f66..296278e12ae 100644
+--- a/device_tree.c
 b/device_tree.c
+@@ -91,7 +91,7 @@ void *load_device_tree(const char *filename_path, int *sizep)
+ /* First allocate space in qemu for device tree */
+ fdt = g_malloc0(dt_size);
+ 
+-dt_file_load_size = load_image(filename_path, fdt);
++dt_file_load_size = load_image_size(filename_path, fdt, dt_size);
+ if (dt_file_load_size < 0) {
+ error_report("Unable to open device tree file '%s'",
+  filename_path);
+-- 
+2.11.0
+
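Review bot: after the switch to `load_image_size(filename_path, fdt, dt_size)` the only check on the result is still `dt_file_load_size < 0`, so a file longer than `dt_size` is now read short rather than overrunning `fdt`, and nothing in the visible lines notices the truncation. Please confirm that the code following this hunk validates the blob before it is used. The `Unable to open device tree file` message is also reported for any load failure, not only a failed open, and could say so.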
diff -Nru qemu-3.1+dfsg/debian/patches/series 
qemu-3.1+dfsg/debian/patches/series
--- qemu-3.1+dfsg/debian/patches/series 2019-03-11 14:30:08.0 +0300
+++ qemu-3.1+dfsg/debian/patches/series 2019-03-27 14:16:54.0 +0300
@@ -7,3 +7,5 @@
 scsi-generic-avoid-possible-oob-access-to-r-buf-CVE-2019-6501.patch
 slirp-check-data-length-while-emulating-ident-function-CVE-2019-6778.patch
 i2c-ddc-fix-oob-read-CVE-2019-3812.patch
+slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch
+device_tree-do

Bug#926442: marked as done (unblock: torsocks/2.3.0-2)

2019-04-05 Thread Debian Bug Tracking System
Your message dated Fri, 05 Apr 2019 14:38:49 +
with message-id 
and subject line unblock torsocks
has caused the Debian Bug report #926442,
regarding unblock: torsocks/2.3.0-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
926442: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926442
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-CC: Debian Privacy Tools Maintainers 


Dear Release Team,

Please consider unblocking torsocks 2.3.0-2 for buster:
  
  torsocks (2.3.0-2) unstable; urgency=medium
  
[ intrigeri & Sandro Knauß ]
* Cherry-pick patch from upstream Git, to fix Totem crashing when run
  under torsocks, by adding support for the getdents and getdents64
  syscalls. (Closes: Tails#16618, which would be severity: important
  in a Debian context.)
  
[ Ulrike Uhlig ]
* Update package description: don't make safety promises that upstream
  prefers not to. (Closes: #870763)

This issue surfaced when testing under Tails; please see:

  https://redmine.tails.boum.org/code/issues/16618#change-102199

… for more information and the specific history of the issue. We
would, of course, dearly love to drop our locally-patched copy of this
package and be synced with Debian.

The full debdiff is attached.  Apologies for the non-essential changes
to the package description (#870763) but this was already pushed to
Salsa and it should be pretty harmless from an unblock point of view.


Best wishes,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-


--- End Message ---
--- Begin Message ---
Unblocked torsocks.
--- End Message ---


Bug#926454: unblock: biabam/0.9.7-7.2

2019-04-05 Thread Boyuan Yang
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock biabam 0.9.7-7.2. This upload fixes the RC bug
https://bugs.debian.org/925227 , which is lintian error
debian-rules-missing-required-target binary-arch.

The full source diff is attached here.

--
Regards,
Boyuan


diff -Nru biabam-0.9.7/debian/changelog biabam-0.9.7/debian/changelog
--- biabam-0.9.7/debian/changelog   2010-04-03 10:55:20.0 -0400
+++ biabam-0.9.7/debian/changelog   2019-04-04 20:14:31.0 -0400
@@ -1,3 +1,34 @@
+biabam (0.9.7-7.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Revert changes not relevant to RC bugs for the release freeze
+period. (debhelper compat level).
+
+ -- Boyuan Yang   Thu, 04 Apr 2019 20:14:31 -0400
+
+biabam (0.9.7-7.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+
+  [ Bhavani Shankar ]
+  * Apply downstream Ubuntu 0.9.7-7ubuntu1 patches.
++ debian/compat: Bump to 9.
++ debian/control: Build-depend on debhelper (>= 9).
++ debian/rules:
+  - Add required binary-arch target. (Closes: 925227).
+  - Add recommended build-arch and build-indep targets.
+(Fix FTBFS with dpkg-buildpackage -B and -A).
+
+  [ Boyuan Yang ]
+  * debian/control:
++ Replace obsolete package priority (extra) with
+  Priority: optional.
++ Update dependency on "exim4 | mail-transport-agent" to
+  "default-mta | mail-transport-agent | exim4" in order to
+  fix lintian warning.
+
+ -- Boyuan Yang   Thu, 04 Apr 2019 18:15:23 -0400
+
 biabam (0.9.7-7) unstable; urgency=low
 
   * Accepted period in mail body (Closes: #390669)
diff -Nru biabam-0.9.7/debian/control biabam-0.9.7/debian/control
--- biabam-0.9.7/debian/control 2010-03-29 15:59:10.0 -0400
+++ biabam-0.9.7/debian/control 2019-04-04 20:14:31.0 -0400
@@ -1,6 +1,6 @@
 Source: biabam
 Section: mail
-Priority: extra
+Priority: optional
 Maintainer: Thierry Randrianiriana 
 Build-Depends: debhelper (>= 5), quilt (>= 0.40)
 Standards-Version: 3.8.4
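Review bot: the 0.9.7-7.2 changelog entry says changes not relevant to RC bugs were reverted, yet the switch from `Priority: extra` to `Priority: optional` is still in this hunk and is not needed for #925227, while the `default-mta` dependency change listed under 0.9.7-7.1 does not show up in the visible debdiff at all. Either revert the Priority change too, or make the 0.9.7-7.2 entry state exactly which non-RC changes were kept and which were dropped.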
diff -Nru biabam-0.9.7/debian/rules biabam-0.9.7/debian/rules
--- biabam-0.9.7/debian/rules   2010-04-03 11:22:43.0 -0400
+++ biabam-0.9.7/debian/rules   2019-04-04 20:12:48.0 -0400
@@ -10,6 +10,8 @@
 include /usr/share/quilt/quilt.make
 
 build: build-stamp
+build-arch: build-stamp
+build-indep: build-stamp
 build-stamp: $(QUILT_STAMPFN)
touch build-stamp
 
@@ -39,5 +41,9 @@
dh_md5sums
dh_builddeb
 
-binary: binary-indep
-.PHONY: build clean binary-indep binary install patch unpatch
+# Build architecture-dependent files here.
+binary-arch: build install
+# We have nothing to do by default.
+
+binary: binary-indep binary-arch
+.PHONY: build build-arch build-indep clean binary-indep binary-arch binary
install patch unpatch




Bug#926455: mail_autoremovals: incorrect version number in email warning

2019-04-05 Thread Jonathan Dowland
Package: release.debian.org
Severity: normal

I received the following warning mail regarding an autoremoval:

> Subject: duc is marked for autoremoval from testing
> Date: Fri, 05 Apr 2019 04:39:19 +
>
> duc 1.4.3-6 is marked for autoremoval from testing on 2019-04-20
> 
> It is affected by these RC bugs:
> 924473: duc: FTBFS (dh_installman: Cannot find "debian/build-nox/doc/duc.1")

In fact, #924473 affected duc 1.4.3-5, and 1.4.3-6 contained the bug fix.

(I got a separate, correct email for 1.4.3-5, earlier.)

In terms of time frame, the wrong mail was received on 5th Apr, the fix
was uploaded on 30 Mar and transitioned to testing on 5th Apr, it seems
6 seconds after this mail's Date header was generated:

https://tracker.debian.org/news/1037367/duc-143-6-migrated-to-testing/


-- System Information:
Debian Release: 9.7
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Bug#926456: unblock: debian-timeline/42

2019-04-05 Thread Boyuan Yang
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-CC: debian-public...@lists.debian.org

Please unblock debian-timeline 42. This is a native package handled by Debian
Publicity Team that aims to build https://timeline.debian.net/ .

--
Thanks,
Boyuan Yang




Bug#926456: marked as done (unblock: debian-timeline/42)

2019-04-05 Thread Debian Bug Tracking System
Your message dated Fri, 05 Apr 2019 16:12:23 +
with message-id 
and subject line unblock debian-timeline
has caused the Debian Bug report #926456,
regarding unblock: debian-timeline/42
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
926456: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926456
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-CC: debian-public...@lists.debian.org

Please unblock debian-timeline 42. This is a native package handled by Debian
Publicity Team that aims to build https://timeline.debian.net/ .

--
Thanks,
Boyuan Yang


--- End Message ---
--- Begin Message ---
Unblocked debian-timeline.
--- End Message ---


Bug#926480: unblock: tvtime/1.0.11-4

2019-04-05 Thread Tobias Frost
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package tvtime

The patch fixes #924076, an insecure usage of /tmp.

The important part of the debdiff is this:

--- a/src/utils.c
+++ b/src/utils.c
@@ -202,17 +202,11 @@
 }
 }

-/* If we can't use our /tmp directory, put the fifo in $HOME. */
-if( !mkdir_and_force_owner( fifodir, uid, getgid() ) ) {
-if( asprintf( &fifo, "%s/.tvtime/tvtimefifo-%s",
-  getenv( "HOME" ), hostname ) < 0 ) {
-fifo = 0;
-}
-} else {
-if( asprintf( &fifo, "%s/tvtimefifo-%s", fifodir, hostname ) < 0 ) {
-fifo = 0;
-}
-}
+/* put the fifo in $HOME */
+ if( asprintf( &fifo, "%s/.tvtime/tvtimefifo-%s",
+   getenv( "HOME" ), hostname ) < 0 ) {
+ fifo = 0;
+ }
 free( hostname );
 free( fifodir );
 return fifo;
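Review bot: the remaining `asprintf` call passes `getenv( "HOME" )` straight to `%s`, and with the /tmp branch removed this is now the only way a fifo path is produced, so an unset `HOME` hands `asprintf` a NULL string argument. Check the `getenv` result first and return 0 when it is NULL.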

(Sorry for the refreshing of the patches, I realized this just now that
this would not have been necessary)

Debdiff attached.

Cheers,
tobi


unblock tvtime/1.0.11-4

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru tvtime-1.0.11/debian/changelog tvtime-1.0.11/debian/changelog
--- tvtime-1.0.11/debian/changelog  2018-12-10 23:50:07.0 +0100
+++ tvtime-1.0.11/debian/changelog  2019-04-05 20:27:01.0 +0200
@@ -1,3 +1,14 @@
+tvtime (1.0.11-5) unstable; urgency=medium
+
+  * QA upload.
+  * Create repository on salsa.
+  * Refresh patches
+  * Fix "insecure use of /tmp" by only using the fall back to $HOME.
+This is patch 0002-disable-insecure-temp-file.patch
+(Closes: #924076)
+
+ -- Tobias Frost   Fri, 05 Apr 2019 20:27:01 +0200
+
 tvtime (1.0.11-4) unstable; urgency=medium
 
   * QA upload.
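Review bot: the new entry is versioned `1.0.11-5`, but the request asks for `unblock tvtime/1.0.11-4`, which is the version of the entry directly below it. The unblock line needs to name the version that carries the fix for #924076.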
diff -Nru tvtime-1.0.11/debian/control tvtime-1.0.11/debian/control
--- tvtime-1.0.11/debian/control2018-12-10 23:50:07.0 +0100
+++ tvtime-1.0.11/debian/control2019-04-05 19:56:54.0 +0200
@@ -22,6 +22,8 @@
  libasound2-dev
 Standards-Version: 3.9.3
 Homepage: https://linuxtv.org/wiki/index.php/Tvtime
+VCS-Browser: https://salsa.debian.org/debian/tvtime
+VCS-Git: https://salsa.debian.org/debian/tvtime.git
 
 Package: tvtime
 Architecture: any
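Review bot: the added fields are spelled `VCS-Browser` and `VCS-Git`. Control field names are matched case-insensitively, but the documented spelling is `Vcs-Browser` and `Vcs-Git`; use that for consistency with other packages.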
diff -Nru 
tvtime-1.0.11/debian/patches/0001-Fix-warning-implicit-declaration-of-function-minor-m.patch
 
tvtime-1.0.11/debian/patches/0001-Fix-warning-implicit-declaration-of-function-minor-m.patch
--- 
tvtime-1.0.11/debian/patches/0001-Fix-warning-implicit-declaration-of-function-minor-m.patch
2018-12-10 21:35:44.0 +0100
+++ 
tvtime-1.0.11/debian/patches/0001-Fix-warning-implicit-declaration-of-function-minor-m.patch
2019-04-05 19:57:51.0 +0200
@@ -14,8 +14,6 @@
  src/get_media_devices.c | 1 +
  1 file changed, 1 insertion(+)
 
-diff --git a/src/get_media_devices.c b/src/get_media_devices.c
-index 619734ea..453b0677 100644
 --- a/src/get_media_devices.c
 +++ b/src/get_media_devices.c
 @@ -23,6 +23,7 @@
@@ -26,6 +24,3 @@
  #include 
  #include 
  #include 
--- 
-2.11.0
-
diff -Nru tvtime-1.0.11/debian/patches/0002-disable-insecure-temp-file.patch 
tvtime-1.0.11/debian/patches/0002-disable-insecure-temp-file.patch
--- tvtime-1.0.11/debian/patches/0002-disable-insecure-temp-file.patch  
1970-01-01 01:00:00.0 +0100
+++ tvtime-1.0.11/debian/patches/0002-disable-insecure-temp-file.patch  
2019-04-05 20:10:15.0 +0200
@@ -0,0 +1,25 @@
+--- a/src/utils.c
 b/src/utils.c
+@@ -202,17 +202,11 @@
+ }
+ }
+ 
+-/* If we can't use our /tmp directory, put the fifo in $HOME. */
+-if( !mkdir_and_force_owner( fifodir, uid, getgid() ) ) {
+-if( asprintf( &fifo, "%s/.tvtime/tvtimefifo-%s",
+-  getenv( "HOME" ), hostname ) < 0 ) {
+-fifo = 0;
+-}
+-} else {
+-if( asprintf( &fifo, "%s/tvtimefifo-%s", fifodir, hostname ) < 0 ) {
+-fifo = 0;
+-}
+-}
++/* put the fifo in $HOME */
++if( asprintf( &fifo, "%s/.tvtime/tvtimefifo-%s",
++  getenv( "HOME" ), hostname ) < 0 ) {
++fifo = 0;
++}
+ free( hostname );
+ free( fifodir );
+ return fifo;
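Review bot: the new patch file starts directly at `--- a/src/utils.c` with no header, so it records neither a description nor the bug it fixes; add DEP-3 fields such as `Description:` and `Bug-Debian: https://bugs.debian.org/924076`. Inside the change, `free( fifodir )` is kept although `fifodir` is no longer used in the visible lines, so the code that builds it above the hunk is probably dead now and can be removed with it.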
diff -Nru tvtime-1.0.11/debian/patches/freetype.patch 
tvtime-1.0.11/debian/patches/freetype.patch
--- tvtime-1.0.11/debian/patches/freetype.patch 2018-10-26 17:32:26.0 
+0200
+++ tvtime-1.0.11/debian/patches/freetype.patch 2019-04-05 19:57:50.0 
+0200
@@ -2,9 +2,9 @@
 Author: Adrian Bunk 
 Bug-D

Bug#926481: stretch-pu: package open-vm-tools/2:10.1.5-5055683-4+deb9u2

2019-04-05 Thread Bernd Zeimetz
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi release team,

as discussed with the security team, I'd like to fix #925959
with the next stable point release. The proposed debdiff is attached.


Please let me know if it's okay to upload.

Thanks,

Bernd

-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F
diff --git a/debian/changelog b/debian/changelog
index 0be9f865..9b8f4cbb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,20 @@
+open-vm-tools (2:10.1.5-5055683-4+deb9u2) stable; urgency=medium
+
+  * [34db05f] /tmp/VMwareDnD permissions security fix.
+Fix possible security issue with the permissions of the intermediate
+staging directory and path
+/tmp/VMwareDnD is a staging directory used for DnD and CnP.  It should be
+a regular directory, but malicious code or user may create the 
/tmp/VMwareDnD
+as a symbolic link which points elsewhere on the system.  This may provide
+user access to user B's files.
+Do not set the permission of the root directory if the root directory
+already exists and has the wrong permission.  The permission of the 
directory
+must be 1777 if it is created by the VMToolsi.  If not, then the directory
+has been created or modified by malicious code or user, so just cancel the
+host to guest DnD or CnP operation. (Closes: #925959)
+
+ -- Bernd Zeimetz   Fri, 05 Apr 2019 23:10:04 +0200
+
 open-vm-tools (2:10.1.5-5055683-4+deb9u1) stretch; urgency=medium
 
   * [dec8df6] Upstream fix for CVE-2015-5191 (Closes: #869633)
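Review bot: the new entry targets `stable`, while the previous upload in the same changelog targets `stretch`. Using the codename in the `+deb9u2` entry as well keeps the file consistent and makes the intended suite unambiguous.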
diff --git 
a/debian/patches/e88f91b00a715b79255de6576506d80ecfdb064c_vmware_dnd_fix.patch 
b/debian/patches/e88f91b00a715b79255de6576506d80ecfdb064c_vmware_dnd_fix.patch
new file mode 100644
index ..43daed8a
--- /dev/null
+++ 
b/debian/patches/e88f91b00a715b79255de6576506d80ecfdb064c_vmware_dnd_fix.patch
@@ -0,0 +1,54 @@
+commit e88f91b00a715b79255de6576506d80ecfdb064c
+Author: Oliver Kurth 
+Date:   Tue Jan 29 14:03:19 2019 -0800
+
+Fix possible security issue with the permissions of the intermediate
+staging directory and path
+
+/tmp/VMwareDnD is a staging directory used for DnD and CnP.  It should be
+a regular directory, but malicious code or user may create the 
/tmp/VMwareDnD
+as a symbolic link which points elsewhere on the system.  This may provide
+user access to user B's files.
+
+Do not set the permission of the root directory if the root directory
+already exists and has the wrong permission.  The permission of the 
directory
+must be 1777 if it is created by the VMToolsi.  If not, then the directory
+has been created or modified by malicious code or user, so just cancel the
+host to guest DnD or CnP operation.
+
+--- a/open-vm-tools/services/plugins/dndcp/dnd/dndCommon.c
 b/open-vm-tools/services/plugins/dndcp/dnd/dndCommon.c
+@@ -276,12 +276,11 @@ DnDCreateRootStagingDirectory(void)
+}
+ 
+if (File_Exists(root)) {
+-  if (!DnDRootDirUsable(root) &&
+-  !DnDSetPermissionsOnRootDir(root)) {
++  if (!DnDRootDirUsable(root)) {
+  /*
+-  * The directory already exists and its permissions are wrong and
+-  * cannot be set, so there's not much we can do.
++  * The directory already exists and its permissions are wrong.
+   */
++ Log("%s: The root dir is not usable.\n", __FUNCTION__);
+  return NULL;
+   }
+} else {
+--- a/open-vm-tools/services/plugins/dndcp/dnd/dndXdg.c
 b/open-vm-tools/services/plugins/dndcp/dnd/dndXdg.c
+@@ -318,12 +318,11 @@ CreateApparentRootDirectory(void)
+}
+ 
+if (File_Exists(root)) {
+-  if (   !DnDRootDirUsable(root)
+-  && !DnDSetPermissionsOnRootDir(root)) {
++  if (!DnDRootDirUsable(root)) {
+  /*
+-  * The directory already exists and its permissions are wrong and
+-  * cannot be set, so there's not much we can do.
++  * The directory already exists and its permissions are wrong.
+   */
++ Log_Trivia("dnd: The root dir is not usable.\n");
+  return NULL;
+   }
+} else {
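
Review bot: the refusal path is logged with Log() in dndCommon.c but with Log_Trivia() in dndXdg.c, so the same security-relevant event (an existing root staging directory with the wrong permissions, which cancels the DnD or CnP operation) is recorded at two different levels. Use the same call in both files, and if Log_Trivia() is filtered at default log levels prefer Log(), so that a cancelled transfer can be traced. Separately, the commit message motivates the change with /tmp/VMwareDnD being created as a symbolic link, yet both hunks still call File_Exists(root) and then DnDRootDirUsable(root) on the path; whether DnDRootDirUsable() rejects a symlink is not visible here, so the retained comment should say so. The message itself has two slips worth fixing before it is carried as a patch header: "VMToolsi", and "This may provide user access to user B's files", where the first user is unnamed.
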
diff --git a/debian/patches/series b/debian/patches/series
index 2c8fbff7..58f5849b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,4 @@ from_arch/0001-Fix-vmxnet-module-on-kernels-3.16.patch
 debian/enable_vmhgfs-fuse_by_default
 debian/vmxnet_fix_kernel_4.7.patch
 debian/cve-2015-5191.patch
+e88f91b00a715b79255de6576506d80ecfdb064c_vmware_dnd_fix.patch
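
Review bot: the new series entry sits at the top level of debian/patches and is named only by the upstream commit hash, while the neighbouring entries live under debian/ or from_arch/ and the earlier security fix is listed as debian/cve-2015-5191.patch. Consider placing it alongside those and naming it after the issue it fixes, so the series file stays readable without looking up the commit.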


Bug#926484: unblock: gpsd/3.17-6

2019-04-05 Thread Bernd Zeimetz
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi release-team,

please unblock package gpsd.

The applied diff was discussed with the release team and we've
decided it's the best way to fix the json related fixes.
Diff between 3.17-5 and 3.17-6 is attached to this mail.


  * [0a8e4e18] Pull json fixes from upstream to fix a stack-based
buffer overflow, which may allow remote attackers to execute
arbitrary code on embedded platforms via traffic on Port
2947/TCP or crafted JSON inputs.
CVE-2018-17937 / Closes: #925327
The update also fixes several other json parser bugs.
- ECMA-404 says JSON \u must have 4 hex digits
- Allow for \u escapes with fewer than 4 digits.
- Fail on bad escape string.


unblock gpsd/3.17-6


Thanks,

Bernd

-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F
diff --git a/debian/changelog b/debian/changelog
index ebd29108b..16bb69795 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,19 @@
+gpsd (3.17-6) unstable; urgency=medium
+
+  * [0a8e4e18] Pull json fixes from upstream to fix a stack-based
+buffer overflow, which may allow remote attackers to execute
+arbitrary code on embedded platforms via traffic on Port
+2947/TCP or crafted JSON inputs.
+CVE-2018-17937 / Closes: #925327
+The update also fixes several other json parser bugs.
+- ECMA-404 says JSON \u must have 4 hex digits
+- Allow for \u escapes with fewer than 4 digits.
+- Fail on bad escape string.
+  * [71020f4f] Update git-buildpackage config to build from the
+buster branch.
+
+ -- Bernd Zeimetz   Fri, 05 Apr 2019 23:31:30 +0200
+
 gpsd (3.17-5) unstable; urgency=medium
 
   * [fd1e83f9] Add pkg-config as Build-Dependency.
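
Review bot: in the new 3.17-6 entry the sub-items "ECMA-404 says JSON \u must have 4 hex digits" and "Allow for \u escapes with fewer than 4 digits" read as contradictory. If they are titles of successive upstream commits, state which behaviour the package ends up with (strict four digits or tolerant parsing), since that is what someone triaging CVE-2018-17937 from the changelog needs to know.
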
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 1529a93db..151b02d6b 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -4,7 +4,7 @@
 # the default branch for upstream sources:
 #upstream-branch = upstream
 # the default branch for the debian patch:
-#debian-branch = master
+debian-branch = buster
 # the default tag formats used:
 #upstream-tag = upstream/%(version)s
 #debian-tag = debian/%(version)s
diff --git a/debian/patches/json-cve-fix b/debian/patches/json-cve-fix
new file mode 100644
index 0..e81237bee
--- /dev/null
+++ b/debian/patches/json-cve-fix
@@ -0,0 +1,170 @@
+--- a/json.c
 b/json.c
+@@ -30,7 +30,7 @@ will match the right spec against the ac
+ recognize the JSON "null" value.  Secondly, arrays may not have
+ character values as elements (this limitation could be easily removed
+ if required). Third, all elements of an array must be of the same
+-type.
++type.  Fourth, it can not handle NaN's in doubles (Issue 53150).
+ 
+There are separate entry points for beginning a parse of either
+ JSON object or a JSON array. JSON "float" quantities are actually
+@@ -59,7 +59,7 @@ reusable module; search for "microjson".
+ 
+ PERMISSIONS
+This file is Copyright (c) 2010 by the GPSD project
+-   BSD terms apply: see the file COPYING in the distribution root for details.
++   SPDX-License-Identifier: BSD-2-clause
+ 
+ ***/
+ #include 
+@@ -188,7 +188,7 @@ static int json_internal_read_object(con
+ char *lptr;
+ 
+ if (end != NULL)
+-  *end = NULL;/* give it a well-defined value on parse 
failure */
++  *end = NULL;/* give it a well-defined value on parse failure */
+ 
+ /* stuff fields with defaults in case they're omitted in the JSON input */
+ for (cursor = attrs; cursor->attribute != NULL; cursor++)
+@@ -294,7 +294,8 @@ static int json_internal_read_object(con
+   }
+   if (cursor->attribute == NULL) {
+   json_debug_trace((1,
+-"Unknown attribute name '%s' (attributes 
begin with '%s').\n",
++"Unknown attribute name '%s'"
++  " (attributes begin with '%s').\n",
+ attrbuf, attrs->attribute));
+   /* don't update end here, leave at attribute start */
+   return JSON_ERR_BADATTR;
+@@ -374,6 +375,12 @@ static int json_internal_read_object(con
+   if (pval == NULL)
+   /* don't update end here, leave at value start */
+   return JSON_ERR_NULLPTR;
++  else if (pval > valbuf + JSON_VAL_MAX - 1
++ || pval > valbuf + maxlen) {
++  json_debug_trace((1, "String value too long.\n"));
++  /* don't update end here, leave at value start */
++  return JSON_ERR_STRLONG;/*  */
++  }
+   switch (*cp) {
+   case 'b':
+   *pval++ = 
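
Review bot: in the "@@ -374,6 +375,12 @@" hunk the new bound is written with ">" (pval > valbuf + JSON_VAL_MAX - 1 || pval > valbuf + maxlen), so the escape handling that follows may still write through pval when it equals valbuf + JSON_VAL_MAX - 1 or valbuf + maxlen. Please confirm that valbuf and the storage sized by maxlen both leave room for that byte plus the terminating NUL, or tighten the comparison to ">=". The check is only visible on this path ahead of switch (*cp), so it is also worth confirming that the non-escape copy into valbuf is bounded the same way. Minor: the "else" after "return JSON_ERR_NULLPTR" is redundant, the "return JSON_ERR_STRLONG" line carries an empty "/*  */" comment, and the licence-header and line-reflow hunks are unrelated to the overflow and make the CVE fix harder to audit in an unblock diff.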

Bug#926495: unblock: gnome-gmail/2.6-1

2019-04-05 Thread David Steele
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package gnome-gmail

This version contains a minimal change that resolves the serious bug against
Buster - #926487.

A recent Gmail update is unable to properly process upload MIME-encoded
messages that do not include a message body. The latest gnome-gmail resolves
the issue by taking more effort for messages to be well formed - to always
include a message body, and to drop the "To:" header if otherwise blank.

Debdiff attached.


unblock gnome-gmail/2.6-1

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (700, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-4-amd64 (SMP w/6 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru gnome-gmail-2.5.6/debian/changelog gnome-gmail-2.6/debian/changelog
--- gnome-gmail-2.5.6/debian/changelog  2018-10-09 13:38:04.0 -0400
+++ gnome-gmail-2.6/debian/changelog2019-04-05 21:18:19.0 -0400
@@ -1,3 +1,9 @@
+gnome-gmail (2.6-1) unstable; urgency=medium
+
+  * Fix Gmail bug - bad message if no body (Closes: 926487).
+
+ -- David Steele   Fri, 05 Apr 2019 21:18:19 -0400
+
 gnome-gmail (2.5.6-1) unstable; urgency=medium
 
   * Fix bug in setup.py distutils.
diff -Nru gnome-gmail-2.5.6/gnome-gmail.appdata.xml.in 
gnome-gmail-2.6/gnome-gmail.appdata.xml.in
--- gnome-gmail-2.5.6/gnome-gmail.appdata.xml.in2018-10-09 
11:22:57.0 -0400
+++ gnome-gmail-2.6/gnome-gmail.appdata.xml.in  2019-04-05 21:22:56.0 
-0400
@@ -51,6 +51,7 @@
 
 
 
+
 
 
 
diff -Nru gnome-gmail-2.5.6/gnomegmail.py gnome-gmail-2.6/gnomegmail.py
--- gnome-gmail-2.5.6/gnomegmail.py 2018-10-09 11:22:57.0 -0400
+++ gnome-gmail-2.6/gnomegmail.py   2019-04-05 21:22:56.0 -0400
@@ -569,7 +569,8 @@
 
 qsdict = urllib.parse.parse_qs(query_string)
 
-qsdict['to'] = [address]
+if address:
+qsdict['to'] = [address]
 
 if 'attachment' in qsdict:
 qsdict['attach'] = qsdict['attachment']
@@ -587,6 +588,9 @@
 if 'su' in qsdict:
 outdict["subject"] = outdict["su"]
 
+if "body" not in qsdict:
+outdict["body"] = " "
+
 return(outdict)
 
 def simple_gmail_url(self):
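
Review bot: the new guard tests "body" not in qsdict but assigns outdict["body"]. Checking outdict, the dict that is actually returned, would keep the guarantee tied to what the caller receives regardless of how keys are copied between the two. A one-line comment saying why the placeholder is a single space (messages without a body are not processed properly after the Gmail update, per #926487) would also help the next reader.
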
diff -Nru gnome-gmail-2.5.6/setup.py gnome-gmail-2.6/setup.py
--- gnome-gmail-2.5.6/setup.py  2018-10-09 11:22:57.0 -0400
+++ gnome-gmail-2.6/setup.py2019-04-05 21:22:56.0 -0400
@@ -129,7 +129,7 @@
 
 setup(
 name='gnome-gmail',
-version='2.5.6',
+version='2.6',
 description='support for Gmail as the preferred GNOME email application',
 author='David Steele',
 author_email='dste...@gmail.com',
diff -Nru gnome-gmail-2.5.6/test/test_body.py gnome-gmail-2.6/test/test_body.py
--- gnome-gmail-2.5.6/test/test_body.py 2018-10-09 11:22:57.0 -0400
+++ gnome-gmail-2.6/test/test_body.py   2019-04-05 21:22:56.0 -0400
@@ -107,8 +107,8 @@
 
 
 @pytest.mark.parametrize("mailto, needs_api", (
-("mailto:joe";, False),
-("mailto:joe?subject=hi";, False),
+("mailto:joe";, True),
+("mailto:joe?subject=hi";, True),
 ("mailto:joe?body=%20";, True),
 ("mailto:joe?attach=file";, True),
 ("mailto:joe?attachment=file";, True),
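
Review bot: the expectations for "mailto:joe" and "mailto:joe?subject=hi" flip from False to True, so plain mailto links with no body and no attachment now report needs_api as True as well. That is a wider behaviour change than the changelog line "bad message if no body" suggests, so please confirm it is intended. There is also no case here for an empty recipient, which the new "if address:" branch in gnomegmail.py introduces; adding one would cover the other half of the fix.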


Bug#891010: marked as done (nmu: ruby-bcrypt-pbkdf_1.0.0-1)

2019-04-05 Thread Debian Bug Tracking System
Your message dated Sat, 6 Apr 2019 08:11:17 +0200
with message-id <20a30052-9ad4-a388-712a-8aaee93e4...@debian.org>
and subject line Re: Subject: nmu: ruby-bcrypt-pbkdf_1.0.0-1
has caused the Debian Bug report #891010,
regarding nmu: ruby-bcrypt-pbkdf_1.0.0-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
891010: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891010
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: binnmu
Severity: normal

nmu ruby-bcrypt-pbkdf_1.0.0-1 . ANY . unstable . -m "Rebuild for ruby
2.5 support"

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=ml_IN.UTF-8, LC_CTYPE=ml_IN.UTF-8 (charmap=UTF-8),
LANGUAGE=ml_IN.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



--- End Message ---
--- Begin Message ---
Hi,

On Wed, 21 Feb 2018 19:30:54 +0530 Pirate Praveen 
wrote:
> nmu ruby-bcrypt-pbkdf_1.0.0-1 . ANY . unstable . -m "Rebuild for ruby
> 2.5 support"

A new version of ruby-bcrypt-pbkdf got uploaded since, so this is moot now.

Paul



--- End Message ---


Bug#872293: nmu: loads of golang stuff

2019-04-05 Thread Paul Gevers
Control: tags -1 moreinfo

Hi

On Sat, 9 Dec 2017 12:24:40 -0500 Paul Tagliamonte wrote:
> > What's outdated here, built-using? If so, we rebuild those before or during
> > the freeze. Not sure we need to do it more often than that, as things will
> > get out of date again before the freeze.
> 
> Due to the way golang binaries get built, not rebuilding them outside
> of freeze results in binaries that become buggy during freeze and
> trigger more uploads and rebuilds.
> 
> buildd time is cheap, and ensuring we can both get rid of old sources
> and find bugs is important during development.
> 
> The other way we can do this is I can do routine empty uploads -- we
> need them rebuilt either way

There was a second bug filed (916642) which has seen action. So is there
anything missing from there with respect to this list? Also this bug is
rather old to fix "out-of-date" issues, so I think it should be closed.

Also quoting from that bug:
* We (the release team) generally try to rebuild packages with outdated
built-using before the release.

Paul





Processed: Re: Bug#872293: nmu: loads of golang stuff

2019-04-05 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 moreinfo
Bug #872293 [release.debian.org] nmu: loads of golang stuff
Added tag(s) moreinfo.

-- 
872293: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872293
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#850447: marked as done (nmu: systemd_230-7~bpo8+2)

2019-04-05 Thread Debian Bug Tracking System
Your message dated Sat, 6 Apr 2019 08:03:12 +0200
with message-id <372a58c6-ca6d-0cf9-b5f3-c655586ac...@debian.org>
and subject line Re: Bug#850447: systemd backport sections only 4K aligned, 
won't boot with arm64 64K kernel
has caused the Debian Bug report #850447,
regarding nmu: systemd_230-7~bpo8+2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
850447: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850447
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: systemd
Version: 230-7~bpo8+2
Severity: normal

Hi,

This version of systemd won't boot on arm64 when the kernel is configured for
64K pages:
> Starting init: /etc/init exists but couldn't execute it (error -13)
> Starting init: /bin/sh exists but couldn't execute it (error -14)
> Kernel panic - not syncing: No working init found.  Try passing init= option
to kernel. See Linux Documentation/admin-guide/init.rst for guidance.
> CPU: 3 PID: 1 Comm: init Not tainted 4.10.0-rc2-00036-g5a4dd5f49931 #6712
> Hardware name: ARM Juno development board (r1) (DT)
> Call trace:
> [] dump_backtrace+0x0/0x25c
> [] show_stack+0x20/0x28
> [] dump_stack+0x94/0xb4
> [] panic+0x134/0x2a4
> [] kernel_init+0xf4/0x104
> [] ret_from_fork+0x10/0x20


Booting with init=/bin/bash and interrogating the linker:
> root@(none):/lib/systemd# /lib/ld-linux-aarch64.so.1 --list /sbin/init
> /sbin/init: error while loading shared libraries: /sbin/init: ELF load command
alignment not page-aligned

Comparing systemd's LOAD sections with bash's:
> root@(none):/lib/systemd# readelf -a /sbin/init | grep -A 1 LOAD
>   LOAD   0x 0x 0x
>  0x000bc56c 0x000bc56c  R E1000
>   LOAD   0x000bc7a8 0x000bd7a8 0x000bd7a8
>  0x00020a88 0x00020b7d  RW 1000

> root@(none):/lib/systemd# readelf -a /bin/bash | grep -A 1 LOAD
>   LOAD   0x 0x0040 0x0040
>  0x000d49f4 0x000d49f4  R E1
>   LOAD   0x000d4db0 0x004e4db0 0x004e4db0
>  0x8ae8 0xe728  RW 1

(The key to these tables is:)
> Program Headers:
>   Type   Offset VirtAddr   PhysAddr
>  FileSizMemSiz  Flags  Align

The Align value for each of systemd's LOAD sections is 4K aligned, not 64K, so
the runtime linker can't load it when the kernel is built with a page-size
other than 4K.

This was reported by Basil Eljuse who was using a filesystem from Linaro.
Sanity check whether this should be reported to debian by poking around in
the original deb file:

> readlink sbin/init
> /lib/systemd/systemd

> wget
http://ftp.uk.debian.org/debian/pool/main/s/systemd/systemd_230-7~bpo8+2_arm64.deb
> ar x systemd_230-7~bpo8+2_arm64.deb
> tar xf data.tar.xz
> readelf -a lib/systemd/systemd | grep -A 1 LOAD
>   LOAD   0x 0x 0x
>  0x000bc56c 0x000bc56c  R E1000
>   LOAD   0x000bc7a8 0x000bd7a8 0x000bd7a8
>  0x00020a88 0x00020b7d  RW 1000

This is potentially a wider issue affecting anything else built with the same
linker that built this 'bpo' package.


Thanks,

James


-- Package-specific info:

-- System Information:
Debian Release: 8.6
  APT prefers vivid
  APT policy: (500, 'vivid'), (500, 'stable-updates'), (500, 'stable')
Architecture: arm64 (aarch64)

Kernel: Linux 4.10.0-rc2-00036-g5a4dd5f49931 (SMP w/6 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages systemd depends on:
ii  adduser         3.113+nmu3
ii  libacl1         2.2.52-2
ii  libapparmor1    2.10.95-4~bpo8+2
ii  libaudit1       1:2.4-1+b1
ii  libblkid1       2.27.1-1.linarojessie.1
ii  libc6           2.19-18+deb8u6
ii  libcap2         1:2.24-8
ii  libcap2-bin     1:2.24-8
ii  libcryptsetup4  2:1.6.6-5
ii  libgcrypt20     1.6.3-2+deb8u2
ii  libgpg-error0   1.17-3
ii  libidn11        1.29-1+deb8u2
ii  libkmod2        18-3
ii  liblzma5        5.1.1alpha+20120614-2+b3
ii  libmount1       2.27.1-1.linarojessie.1
ii  libpam0g        1.1.8-3.1+deb8u1+b1
ii  libseccomp2     2.2.3-3~bpo8+1
ii  libselinux1     2.3-2
ii  libsystemd0     230-7~bpo8+2
ii  mount           2.27.1-1.linarojessie.1
ii  util-linux      2.27.1-1.linarojes