Bug#948242: stable->unstable autopkgtests should be run for testing migration
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: britney

In #947852 or #945840 there were testing->unstable autopkgtest regressions in reverse dependencies that blocked testing migration. Fixing them by fixing the broken reverse dependencies in unstable, or even (auto)removal from testing, does not solve the same problem during upgrades or potentially in backports. The reverse dependency might even have been fixed in testing before the breaking change happened in unstable, which is currently completely missed.

It would catch more potential problems in stable->nextstable upgrades and backports usage if stable->unstable autopkgtests were run and required to pass for testing migration, similar to the testing->unstable autopkgtests that are already run.

If autopkgtest machine speed is an issue, testing this on amd64 should already catch most problems. It is rare that such incompatibilities are specific to other architectures.
Bug#947170: marked as done (transition: botan)
Your message dated Sun, 5 Jan 2020 22:03:09 +0100 with message-id <31fdf5e2-b2d8-02da-5923-de2b1bbd4...@debian.org> and subject line Re: Bug#947170: transition: botan has caused the Debian Bug report #947170, regarding transition: botan to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
947170: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947170
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hi RMs,

Small transition of botan, which is already in experimental. Two packages are affected, namely biboumi and libqtshadowsocks. The biboumi source builds fine with the new botan release. But libqtshadowsocks doesn't and has a dead upstream for more than a year. I added its maintainer as Cc if s/he can fix it. Otherwise I don't know what the RM point of view is on keeping dead upstream packages in the archive.

Regards,
Laszlo/GCS
--- End Message ---

--- Begin Message ---
Hi László,

On 26-12-2019 21:43, Paul Gevers wrote:
> On 22-12-2019 13:42, László Böszörményi (GCS) wrote:
>> Small transition of botan, which is already in experimental. Two
>> packages are affected, namely biboumi and libqtshadowsocks.
>> The biboumi source builds fine with the new botan release.
>
> Please go ahead in unstable.

Everything seems to have migrated. Closing the bug.

Paul
--- End Message ---
Bug#945896: buster-pu: package ros-ros-comm/1.14.3+ds1-5
Two more CVEs where published, please find a new patch attached. Cheers Jochen diff --git a/debian/changelog b/debian/changelog index 3f3bc57..2f80bb1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +ros-ros-comm (1.14.3+ds1-5+deb10u1) stable; urgency=high + + * Add https://github.com/ros/ros_comm/pull/1771 (Fix CVE-2019-13566, CVE-2019-13465) + * Add https://github.com/ros/ros_comm/pull/1741 (Fix CVE-2019-13445) + + -- Jochen Sprickerhof Sun, 05 Jan 2020 15:33:55 +0100 + ros-ros-comm (1.14.3+ds1-5) unstable; urgency=medium * install ros/transport headers (LP: #1815896) diff --git a/debian/patches/0008-fixing-string-check.patch b/debian/patches/0008-fixing-string-check.patch new file mode 100644 index 000..513acfe --- /dev/null +++ b/debian/patches/0008-fixing-string-check.patch 
@@ -0,0 +1,65 @@ +From: Daniel Wang +Date: Mon, 22 Jul 2019 15:47:21 -0700 +Subject: fixing string check + +Signed-off-by: Daniel Wang +--- + clients/roscpp/src/libros/transport/transport_tcp.cpp | 8 + clients/roscpp/src/libros/transport/transport_udp.cpp | 4 ++-- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/clients/roscpp/src/libros/transport/transport_tcp.cpp b/clients/roscpp/src/libros/transport/transport_tcp.cpp +index f33a355..ddc47f5 100644 +--- a/clients/roscpp/src/libros/transport/transport_tcp.cpp b/clients/roscpp/src/libros/transport/transport_tcp.cpp +@@ -276,7 +276,7 @@ bool TransportTCP::connect(const std::string& host, int port) + + bool found = false; + struct addrinfo* it = addr; +-char namebuf[128]; ++char namebuf[128] = {}; + for (; it; it = it->ai_next) + { + if (!s_use_ipv6_ && it->ai_family == AF_INET) +@@ -288,7 +288,7 @@ bool TransportTCP::connect(const std::string& host, int port) + address->sin_family = it->ai_family; + address->sin_port = htons(port); + +-strcpy(namebuf, inet_ntoa(address->sin_addr)); ++strncpy(namebuf, inet_ntoa(address->sin_addr), sizeof(namebuf)-1); + found = true; + break; + } +@@ -734,14 +734,14 @@ std::string TransportTCP::getClientURI() + sockaddr_in *sin = (sockaddr_in *)&sas; + sockaddr_in6 *sin6 = (sockaddr_in6 *)&sas; + +- char namebuf[128]; ++ char namebuf[128] = {}; + int port; + + switch (sas.ss_family) + { + case AF_INET: + port = ntohs(sin->sin_port); +- strcpy(namebuf, inet_ntoa(sin->sin_addr)); ++ strncpy(namebuf, inet_ntoa(sin->sin_addr), sizeof(namebuf)-1); + break; + case AF_INET6: + port = ntohs(sin6->sin6_port); +diff --git a/clients/roscpp/src/libros/transport/transport_udp.cpp b/clients/roscpp/src/libros/transport/transport_udp.cpp +index 47d969e..45f817e 100644 +--- a/clients/roscpp/src/libros/transport/transport_udp.cpp b/clients/roscpp/src/libros/transport/transport_udp.cpp +@@ -710,9 +710,9 @@ std::string TransportUDP::getClientURI() + + sockaddr_in *sin = (sockaddr_in 
*)&sas; + +- char namebuf[128]; ++ char namebuf[128] = {}; + int port = ntohs(sin->sin_port); +- strcpy(namebuf, inet_ntoa(sin->sin_addr)); ++ strncpy(namebuf, inet_ntoa(sin->sin_addr), sizeof(namebuf)-1); + + std::string ip = namebuf; + std::stringstream uri; diff --git a/debian/patches/1741.patch b/debian/patches/1741.patch new file mode 100644 index 000..a107510 --- /dev/null +++ b/debian/patches/1741.patch @@ -0,0 +1,21 @@ +From: Christopher Wecht +Date: Thu, 4 Jul 2019 21:19:14 +0200 +Subject: [PATCH] rosbag/record: fix signed int overflow + +--- + tools/rosbag/src/record.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/rosbag/src/record.cpp b/tools/rosbag/src/record.cpp +index f6cbb20..d8739bc 100644 +--- a/tools/rosbag/src/record.cpp b/tools/rosbag/src/record.cpp +@@ -123,7 +123,7 @@ rosbag::RecorderOptions parseOptions(int argc, char** argv) { + ROS_WARN("Use of \"--split \" has been deprecated. Please use --split --size or --split --duration "); + if (S < 0) + throw ros::Exception("Split size must be 0 or positive"); +-opts.max_size = 1048576 * S; ++opts.max_size = 1048576 * static_cast(S); + } + } + if(vm.count("max-splits")) diff --git a/debian/patches/series b/debian/patches/series index 6e4e210..daf961c 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -5,3 +5,5 @@ 0005-Add-defaults-to-roswtf.patch 0006-Use-system-libb64.patch 0007-Build-Python-3-version-of-roslz4.patch +0008-fixing-string-check.patch +1741.patch signature.asc Description: PGP signature
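Review bot: in the three hunks of 0008-fixing-string-check.patch, the `strcpy` to `strncpy(namebuf, inet_ntoa(...), sizeof(namebuf)-1)` replacements are only guaranteed NUL-terminated because each buffer is now also zero-initialised (`char namebuf[128] = {}`); the two changes must travel together in any further backport of this patch. A simpler form at all three sites is `inet_ntop(AF_INET, &sin->sin_addr, namebuf, sizeof(namebuf))`, which bounds the copy by itself and does not depend on the static buffer returned by `inet_ntoa`.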
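Review bot: in the 1741.patch hunk, the changed line `opts.max_size = 1048576 * static_cast(S);` carries no template argument, so as shown it is not valid C++; confirm that the patch file actually applied (and that the package builds) with the intended type. For the change to fix the overflow, the cast has to widen `S` to at least 64 bits (for example `static_cast<uint64_t>(S)`) before the multiply, since `1048576 * S` already overflows a 32-bit `int` once `S` exceeds 2047; the preceding `if (S < 0)` check only rules out negative input, not large input.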
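Review bot: in the debian/patches/series hunk, `1741.patch` breaks the `NNNN-description.patch` naming used by every other entry (the new sibling is `0008-fixing-string-check.patch`); consider `0009-rosbag-record-fix-signed-int-overflow.patch` and add DEP-3 `Origin:` and `Bug:` headers with the pull request URL already cited in debian/changelog, so the provenance of the fix is visible in the patch itself.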
Bug#948219: stretch-pu: package ros-ros-comm/1.12.6-2
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi release team, The ros-ros-comm version in stretch is affected by two new CVEs: CVE-2019-13465 and CVE-2019-13445. The first one was already fixed by 1.12.6-2+deb9u1, cf. #945944, but the second one is new. The attached patch is against 1.12.6-2+deb9u1 and also adopts the changelog to mention the second CVE. Cheers Jochen -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.4.0-1-amd64 (SMP w/8 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled diff --git a/debian/changelog b/debian/changelog index b4bfdc6..7630a9a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,12 @@ +ros-ros-comm (1.12.6-2+deb9u2) stretch; urgency=medium + + * Add https://github.com/ros/ros_comm/pull/1741 (Fix CVE-2019-13445) + + -- Jochen Sprickerhof Sun, 05 Jan 2020 15:45:11 +0100 + ros-ros-comm (1.12.6-2+deb9u1) stretch; urgency=high - * Add https://github.com/ros/ros_comm/pull/1771 (Fix CVE-2019-13566) + * Add https://github.com/ros/ros_comm/pull/1771 (Fix CVE-2019-13566, CVE-2019-13465) -- Jochen Sprickerhof Sun, 24 Nov 2019 17:03:50 +0100 diff --git a/debian/patches/1741.patch b/debian/patches/1741.patch new file mode 100644 index 000..86b4b35 --- /dev/null +++ b/debian/patches/1741.patch 
@@ -0,0 +1,21 @@ +From: Christopher Wecht +Date: Thu, 4 Jul 2019 21:19:14 +0200 +Subject: [PATCH] rosbag/record: fix signed int overflow + +--- + tools/rosbag/src/record.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/rosbag/src/record.cpp b/tools/rosbag/src/record.cpp +index dda378f..95e3413 100644 +--- a/tools/rosbag/src/record.cpp b/tools/rosbag/src/record.cpp +@@ -121,7 +121,7 @@ rosbag::RecorderOptions parseOptions(int argc, char** argv) { + ROS_WARN("Use of \"--split \" has been deprecated. Please use --split --size or --split --duration "); + if (S < 0) + throw ros::Exception("Split size must be 0 or positive"); +-opts.max_size = 1048576 * S; ++opts.max_size = 1048576 * static_cast(S); + } + } + if(vm.count("max-splits")) diff --git a/debian/patches/series b/debian/patches/series index 6695bde..bbadad6 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -5,3 +5,4 @@ 0005-Add-defaults-to-roswtf.patch 0007-move-heaers-to-include-xmlrpcpp.patch 0007-fixing-string-check.patch +1741.patch
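Review bot: the debian/changelog hunk rewrites the entry of 1.12.6-2+deb9u1, a version that is already in the archive (`- * Add ... (Fix CVE-2019-13566)` becomes `+ * Add ... (Fix CVE-2019-13566, CVE-2019-13465)`). A shipped changelog entry should stay as shipped; record the additional id in the new deb9u2 entry instead, e.g. `* The fix for CVE-2019-13566 in 1.12.6-2+deb9u1 (PR 1771) also addresses CVE-2019-13465`, so the security tracker and the archive history agree on what each upload changed.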
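Review bot: in the 1741.patch hunk, `opts.max_size = 1048576 * static_cast(S);` has no template argument and is not valid C++ as shown; verify that the patch applies and builds with the intended widening cast (at least 64 bits, e.g. `static_cast<uint64_t>(S)`), because `1048576 * S` overflows a 32-bit `int` for any `S` above 2047 and the visible `if (S < 0)` guard does not cover that case. Separately, the series hunk shows two existing `0007-` patches and adds an unnumbered `1741.patch`; a numbered, descriptive name would keep the series ordering readable.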
Re: rust ecosystem worries of a release team member
Paul Gevers:
> [..]
>
> [1] Now thunderbird is blocked by rust-cbindgen (last version migrated
> in September with uploads since October), which is blocked by rust-syn
> (last version migrated in July, with new uploads since August). Involved
> is rust-proc-macro2 (last version migrated in July, with new uploads
> since August (and currently triggers an autopkgtest regression)),
> rust-unicode-xid (which has been trying to migrate to testing since
> August), rust-quote (trying to migrate since August). And I may be
> missing others. rustc was involved at some moment, cargo was involved
> (and FTBFS for some time) etc...
>

As discussed in #debian-release, this huge migration involving unicode-xid, proc-macro2, etc, is blocked on some packages in NEW as well as other things including the autopkgtests. Please be aware that rust autopkgtests are a new experimental thing and as such will take a while to iron out. After that though, future stuff should be much easier.

To help this process, is there a way we can mass-download all the logs of all the failures? I basically want to grep all the rust-* failure logs for ^error, and group them per source package. That way it'll be easier to see which things we have to automate solutions for, and which things we can get away with a manual override.

Best,
Ximin

--
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git
Uploading linux (5.4.8-1)
Hi

I'm intending to upload linux version 5.4.8-1 to unstable today (Sunday) unless some surprises arise. As I preferred to move to the new stable version 5.4.8 while there were ABI changes, I decided to do an ABI bump.

The upload consists of imports of the new 5.4.7 and 5.4.8 stable versions, and additionally the following packaging changes were done:

  * Enable EROFS filesystem support as module.
    Enable EROFS_FS as module, enable EROFS_FS_XATTR, EROFS_FS_POSIX_ACL,
    EROFS_FS_SECURITY, EROFS_FS_ZIP and EROFS_FS_CLUSTER_PAGE_LIMIT.
    Thanks to Gao Xiang (Closes: #946569)
  * Enable additional netfilter modules.
    Enable NFT_BRIDGE_META, NF_CONNTRACK_BRIDGE, IP6_NF_MATCH_SRH, NFT_XFRM
    and NFT_SYNPROXY as modules.
    Thanks to Arturo Borrero Gonzalez (Closes: #948031)

and fixes for FTBFS on mips* (Thanks to YunQiang Su):

  [ YunQiang Su ]
  * [mips*/octeon] Fix ftbfs on mips* due to octeon image-file: move
    "image-file: linux" to octeon_build from octeon_image.

Regards,
Salvatore
Bug#948203: buster-pu: package compactheader/2.1.6-1
On 05.01.20 at 10:50, Carsten Schoenert wrote:
> Hello RT,
>
> I'd like to update the package compactheader in buster as the existing
> version in buster isn't compatible with the new Thunderbird ESR series
> 68.x any more.
>
> The current thunderbird package in stable-security has already a Breaks
> on xul-ext-compactheader << 3.0.0~ to force a removal of the old
> incompatible version.
>
> Unfortunately the version of thunderbird in testing is stuck at
> 60.9.1 due to blocked migration from unstable.

I've forgotten to add that this new package version also introduces a new binary package webext-compactheader, and the existing package xul-ext-compactheader is moved over into a transitional package which depends on webext-compactheader. The package for buster would be a rebuild of the current package in unstable. Currently there is no version of compactheader in testing due to the missing thunderbird package >= 68.0.

--
Regards
Carsten Schoenert
Bug#948205: buster-pu: package sogo-connector/60.0.2-1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Dear RT,

I'd like to update the package sogo-connector in buster as the existing version in buster isn't compatible with the new Thunderbird ESR series 68.x any more.

The current thunderbird package in stable-security has already a Breaks on xul-ext-sogo-connector << 68.0.0-1~ to force a removal of the old incompatible version.

The version for buster would be a rebuild of the version 68.0.1-1 in testing, which also introduces a new binary package webext-sogo-connector because the old xul-ext-sogo-connector is now a transitional package which depends on the webext-* package. The same technical transition was done e.g. for the dispmua package too.

Regards
Carsten

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.3.0-3-amd64 (SMP w/6 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Bug#948203: buster-pu: package compactheader/2.1.6-1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hello RT,

I'd like to update the package compactheader in buster as the existing version in buster isn't compatible with the new Thunderbird ESR series 68.x any more.

The current thunderbird package in stable-security has already a Breaks on xul-ext-compactheader << 3.0.0~ to force a removal of the old incompatible version.

Unfortunately the version of thunderbird in testing is stuck at 60.9.1 due to blocked migration from unstable.

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.3.0-3-amd64 (SMP w/6 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Bug#948199: non-transition: libqt5quick5-gles
Package: release.debian.org

Dear Release team,

Continuing the work on the OpenGL ES variant of Qt, recently I have prepared an OpenGL ES build of the Qt Quick library, packaged as libqt5quick5-gles.

Similar to the previous non-transition (#919218), I would like to request a rebuild of all packages that currently depend on libqt5quick5, so that they get an alternative dependency on libqt5quick5-gles. This will fix bugs like #948112.

Please create a tracker based on this ben file:

  title = "libqt5quick5-gles";
  is_affected = .depends ~ "libqt5quick5";
  is_good = .depends ~ "libqt5quick5-gles";
  is_bad = .depends ~ "libqt5quick5" & ! .depends ~ "libqt5quick5-gles";

And binNMU all packages marked as bad. The rebuild is *not* needed on armel and armhf, please exclude those architectures from the tracker.

As last time, the packages can be rebuilt at any time and in any order.

--
Dmitry Shachnev