NEW changes in stable-new
Processing changes file: rust-cbindgen_0.14.4-1~deb10u1_mips64el-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: librsvg_2.44.10-2.1+deb10u3_mips-buildd.changes ACCEPT Processing changes file: librsvg_2.44.10-2.1+deb10u3_mips64el-buildd.changes ACCEPT Processing changes file: librsvg_2.44.10-2.1+deb10u3_mipsel-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: chocolate-doom_3.0.0-4+deb10u1_mips-buildd.changes ACCEPT Processing changes file: inetutils_1.9.4-7+deb10u1_mips-buildd.changes ACCEPT Processing changes file: librsvg_2.44.10-2.1+deb10u3_armel-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: base-files_10.3+deb10u6_mips-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: chocolate-doom_3.0.0-4+deb10u1_armel-buildd.changes ACCEPT Processing changes file: chocolate-doom_3.0.0-4+deb10u1_armhf-buildd.changes ACCEPT Processing changes file: chocolate-doom_3.0.0-4+deb10u1_i386-buildd.changes ACCEPT Processing changes file: chocolate-doom_3.0.0-4+deb10u1_mipsel-buildd.changes ACCEPT Processing changes file: inetutils_1.9.4-7+deb10u1_arm64-buildd.changes ACCEPT Processing changes file: inetutils_1.9.4-7+deb10u1_armhf-buildd.changes ACCEPT Processing changes file: inetutils_1.9.4-7+deb10u1_i386-buildd.changes ACCEPT Processing changes file: inetutils_1.9.4-7+deb10u1_mips64el-buildd.changes ACCEPT Processing changes file: inetutils_1.9.4-7+deb10u1_mipsel-buildd.changes ACCEPT Processing changes file: inetutils_1.9.4-7+deb10u1_ppc64el-buildd.changes ACCEPT Processing changes file: inetutils_1.9.4-7+deb10u1_s390x-buildd.changes ACCEPT Processing changes file: librsvg_2.44.10-2.1+deb10u3_amd64-buildd.changes ACCEPT Processing changes file: librsvg_2.44.10-2.1+deb10u3_arm64-buildd.changes ACCEPT Processing changes file: librsvg_2.44.10-2.1+deb10u3_armhf-buildd.changes ACCEPT Processing changes file: librsvg_2.44.10-2.1+deb10u3_i386.changes ACCEPT Processing changes file: librsvg_2.44.10-2.1+deb10u3_s390x-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: base-files_10.3+deb10u6_amd64-buildd.changes ACCEPT Processing changes file: base-files_10.3+deb10u6_arm64-buildd.changes ACCEPT Processing changes file: base-files_10.3+deb10u6_armel-buildd.changes ACCEPT Processing changes file: base-files_10.3+deb10u6_armhf-buildd.changes ACCEPT Processing changes file: base-files_10.3+deb10u6_i386-buildd.changes ACCEPT Processing changes file: base-files_10.3+deb10u6_mips64el-buildd.changes ACCEPT Processing changes file: base-files_10.3+deb10u6_mipsel-buildd.changes ACCEPT Processing changes file: base-files_10.3+deb10u6_ppc64el-buildd.changes ACCEPT Processing changes file: base-files_10.3+deb10u6_s390x-buildd.changes ACCEPT Processing changes file: chocolate-doom_3.0.0-4+deb10u1_arm64-buildd.changes ACCEPT Processing changes file: chocolate-doom_3.0.0-4+deb10u1_mips64el-buildd.changes ACCEPT Processing changes file: chocolate-doom_3.0.0-4+deb10u1_ppc64el-buildd.changes ACCEPT Processing changes file: chocolate-doom_3.0.0-4+deb10u1_s390x-buildd.changes ACCEPT Processing changes file: inetutils_1.9.4-7+deb10u1_armel-buildd.changes ACCEPT Processing changes file: librsvg_2.44.10-2.1+deb10u3_all.changes ACCEPT
NEW changes in stable-new
Processing changes file: cargo_0.43.1-3~deb10u1_mips64el-buildd.changes ACCEPT Processing changes file: rust-cbindgen_0.14.4-1~deb10u1_mips-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: linux-latest_105+deb10u6_mips-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: base-files_10.3+deb10u6_source.changes ACCEPT Processing changes file: chocolate-doom_3.0.0-4+deb10u1_amd64.changes ACCEPT Processing changes file: inetutils_1.9.4-7+deb10u1_amd64.changes ACCEPT Processing changes file: rust-cbindgen_0.14.4-1~deb10u1_mipsel-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: librsvg_2.44.10-2.1+deb10u3_source.changes ACCEPT Processing changes file: cargo_0.43.1-3~deb10u1_mips-buildd.changes ACCEPT Processing changes file: linux_4.19.146-1_mips-buildd.changes ACCEPT Processing changes file: rustc_1.41.1+dfsg1-1~deb10u1_mips64el-buildd.changes ACCEPT
Processed: chocolate-doom 3.0.0-4+deb10u1 flagged for acceptance
Processing commands for cont...@bugs.debian.org: > package release.debian.org Limiting to bugs with field 'package' containing at least one of 'release.debian.org' Limit currently set to 'package':'release.debian.org' > tags 970583 = buster pending Bug #970583 [release.debian.org] buster-pu: package chocolate-doom/3.0.0-4+deb10u1 Added tag(s) pending; removed tag(s) confirmed. > thanks Stopping processing here. Please contact me if you need assistance. -- 970583: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970583 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#970583: chocolate-doom 3.0.0-4+deb10u1 flagged for acceptance
package release.debian.org tags 970583 = buster pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian buster. Thanks for your contribution! Upload details == Package: chocolate-doom Version: 3.0.0-4+deb10u1 Explanation: fix missing validation [CVE-2020-14983]
Bug#970584: inetutils 1.9.4-7+deb10u1 flagged for acceptance
package release.debian.org tags 970584 = buster pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian buster. Thanks for your contribution! Upload details == Package: inetutils Version: 1.9.4-7+deb10u1 Explanation: fix remote code execution issue [CVE-2020-10188]
Processed: inetutils 1.9.4-7+deb10u1 flagged for acceptance
Processing commands for cont...@bugs.debian.org: > package release.debian.org Limiting to bugs with field 'package' containing at least one of 'release.debian.org' Limit currently set to 'package':'release.debian.org' > tags 970584 = buster pending Bug #970584 [release.debian.org] buster-pu: package inetutils/2:1.9.4-7+deb10u1 Added tag(s) pending; removed tag(s) confirmed. > thanks Stopping processing here. Please contact me if you need assistance. -- 970584: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970584 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#970584: buster-pu: package inetutils/2:1.9.4-7+deb10u1
On Sat, Sep 19, 2020 at 06:17:20PM +0100, Adam D. Barratt wrote: > Control: tags -1 + confirmed > > On Sat, 2020-09-19 at 13:33 +0200, Moritz Muehlenhoff wrote: > > Fix for CVE-2020-10188, which doesn' really warrant a DSA. > > > > Please go ahead. Thanks, uploaded. Cheers, Moritz
Bug#970583: buster-pu: package chocolate-doom/3.0.0-4+deb10u1
On Sat, Sep 19, 2020 at 06:15:22PM +0100, Adam D. Barratt wrote: > Control: tags -1 + confirmed > > On Sat, 2020-09-19 at 13:31 +0200, Moritz Muehlenhoff wrote: > > Fix for CVE-2020-14983, which doesn't really warrant a DSA. > > Please go ahead. Thanks, uploaded. Cheers, Moritz
Bug#970655: buster-pu: package sleuthkit/4.6.5-1+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Dear Release Team, I would like to update the sleuthkit on the buster to prevent a stack buffer overflow in yaffsfs_istat, because during a review of the Debian Security Tracker, I found CVE-2020-10232. There is no DSA assigned to the bug and it was marked "no-dsa" and so I'm doing a normal upload. "This is potentially exploitable by an attacker creating a file in a yaffs image with abnormally large time values", as reported in: https://github.com/sleuthkit/sleuthkit/pull/1836 Vulnerable code follows: tsk/fs/yaffs.cpp line 2442: char timeBuf[32]; This vulnerability has been assigned the CVE id CVE-2020-10232. Upstream fixed the bug at: https://github.com/sleuthkit/sleuthkit/pull/1836/commits/459ae818fc8dae717549810150de4d191ce158f1 [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10232 [1] https://security-tracker.debian.org/tracker/CVE-2020-10232 [2] https://bugs.debian.org/953976 Sincerely, Francisco diff -Nru sleuthkit-4.6.5/debian/changelog sleuthkit-4.6.5/debian/changelog --- sleuthkit-4.6.5/debian/changelog2019-01-22 11:53:42.0 + +++ sleuthkit-4.6.5/debian/changelog2020-09-16 23:47:07.0 + @@ -1,3 +1,11 @@ +sleuthkit (4.6.5-1+deb10u1) buster; urgency=high + + * Team upload. + * Add patch to fix stack buffer overflow in yaffsfs_istat. +(Closes: #953976, CVE-2020-10232) + + -- Francisco Vilmar Cardoso Ruviaro Wed, 16 Sep 2020 23:47:07 + + sleuthkit (4.6.5-1) unstable; urgency=medium * Team upload diff -Nru sleuthkit-4.6.5/debian/patches/CVE-2020-10232.patch sleuthkit-4.6.5/debian/patches/CVE-2020-10232.patch --- sleuthkit-4.6.5/debian/patches/CVE-2020-10232.patch 1970-01-01 00:00:00.0 + +++ sleuthkit-4.6.5/debian/patches/CVE-2020-10232.patch 2020-09-16 23:47:07.0 + @@ -0,0 +1,21 @@ +Description: Fix stack buffer overflow in yaffsfs_istat. + Prevent a stack buffer overflow in yaffsfs_istat by increasing + the buffer size to the size required by tsk_fs_time_to_str. +Author: micrictor +Origin: https://github.com/sleuthkit/sleuthkit/commit/459ae818fc8dae717549810150de4d191ce158f1 +Bug: https://github.com/sleuthkit/sleuthkit/pull/1836 +Forwarded: not-needed +Reviewed-By: Francisco Vilmar Cardoso Ruviaro +Last-Update: 2020-08-28 + +--- sleuthkit-4.6.5.orig/tsk/fs/yaffs.cpp sleuthkit-4.6.5/tsk/fs/yaffs.cpp +@@ -2439,7 +2439,7 @@ static uint8_t + YAFFSFS_INFO *yfs = (YAFFSFS_INFO *)fs; + char ls[12]; + YAFFSFS_PRINT_ADDR print; +-char timeBuf[32]; ++char timeBuf[128]; + YaffsCacheObject * obj = NULL; + YaffsCacheVersion * version = NULL; + YaffsHeader * header = NULL; diff -Nru sleuthkit-4.6.5/debian/patches/series sleuthkit-4.6.5/debian/patches/series --- sleuthkit-4.6.5/debian/patches/series 2019-01-22 11:52:14.0 + +++ sleuthkit-4.6.5/debian/patches/series 2020-09-16 23:47:07.0 + @@ -3,4 +3,4 @@ 50_disable-ant-clean.patch 60_fix-FTBFS-HURD.patch 0005-Disable-test_libraries.sh.patch - +CVE-2020-10232.patch -- Francisco Vilmar Cardoso Ruviaro 4096R: 1B8C F656 EF3B 8447 2F48 F0E7 82FB F706 0B2F 7D00
NEW changes in stable-new
Processing changes file: cargo_0.43.1-3~deb10u1_mipsel-buildd.changes ACCEPT
Bug#966028: buster-pu: package librsvg/2.44.10-2.1+deb10u1
On 20/09/2020 10:55, Emilio Pozuelo Monfort wrote: > On 25/07/2020 12:04, Adam D. Barratt wrote: >> Hi, >> >> On Wed, 2020-07-22 at 13:26 +0200, Emilio Pozuelo Monfort wrote: >>> On 22/07/2020 13:19, Emilio Pozuelo Monfort wrote: So I have gone with the minimal backport to 2.44.10 instead (which I've also tested) and it's already uploaded. debdiff attached. >>> >>> Attached for real now. >> >> Unfortunately it appears that this FTBFS on ppc64el and s390x, with a >> segmentation fault in the tests. > > I have uploaded a new revision, fixing this FTBFS and the one caused by the > new > rustc 1.41. Shame on me, the ppc64el/s390x was good but the other, general FTBFS with rustc 1.41 wasn't sufficiently tested due to a mistake on my side. I have done a new brown paper bug release to stable-new, hopefully this will be the final one. Thanks, Emilio diff -Nru librsvg-2.44.10/debian/changelog librsvg-2.44.10/debian/changelog --- librsvg-2.44.10/debian/changelog2020-09-20 10:48:42.0 +0200 +++ librsvg-2.44.10/debian/changelog2020-09-20 21:21:54.0 +0200 @@ -1,3 +1,12 @@ +librsvg (2.44.10-2.1+deb10u3) buster; urgency=medium + + * nalgebra-borrow-mutable-immutable.patch: +- Update checksum for cg.rs. + * cssparser-dont-assign-to-borrowed-variable.patch: +- Fix another build failure with rustc 1.41. + + -- Emilio Pozuelo Monfort Sun, 20 Sep 2020 21:21:54 +0200 + librsvg (2.44.10-2.1+deb10u2) buster; urgency=medium * nalgebra-borrow-mutable-immutable.patch: fix build with rustc 1.41. diff -Nru librsvg-2.44.10/debian/patches/cssparser-dont-assign-to-borrowed-variable.patch librsvg-2.44.10/debian/patches/cssparser-dont-assign-to-borrowed-variable.patch --- librsvg-2.44.10/debian/patches/cssparser-dont-assign-to-borrowed-variable.patch 1970-01-01 01:00:00.0 +0100 +++ librsvg-2.44.10/debian/patches/cssparser-dont-assign-to-borrowed-variable.patch 2020-09-20 18:59:43.0 +0200 @@ -0,0 +1,92 @@ +From 3c98d22c5de3b696bf1fde2b6c90069812312aa6 Mon Sep 17 00:00:00 2001 +From: Simon Sapin +Date: Tue, 23 Apr 2019 13:47:25 +0200 +Subject: [PATCH] Fix a future-compat warning + +``` +warning[E0506]: cannot assign to `self.input.cached_token` because it is borrowed + --> src/parser.rs:591:17 +| +566 | pub fn next_including_whitespace_and_comments( self) -> Result<<'i>, BasicParseError<'i>> { +| - let's call the lifetime of this reference `'1` +... +579 | Some(ref cached_token) +| borrow of `self.input.cached_token` occurs here +... +591 | self.input.cached_token = Some(CachedToken { +| ^^^ assignment to borrowed `self.input.cached_token` occurs here +... +603 | Ok(token) +| - returning this value requires that `self.input.cached_token.0` is borrowed for `'1` +| += warning: this error has been downgraded to a warning for backwards compatibility with previous releases += warning: this represents potential undefined behavior in your code and this warning will become a hard error in the future +``` +--- + src/parser.rs | 50 +++--- + 1 file changed, 27 insertions(+), 23 deletions(-) + +--- a/vendor/cssparser/src/parser.rs b/vendor/cssparser/src/parser.rs +@@ -555,28 +555,34 @@ impl<'i: 't, 't> Parser<'i, 't> { + } + + let token_start_position = self.input.tokenizer.position(); +-let token; +-match self.input.cached_token { +-Some(ref cached_token) +-if cached_token.start_position == token_start_position => { +-self.input.tokenizer.reset(_token.end_state); +-match cached_token.token { +-Token::Function(ref name) => self.input.tokenizer.see_function(name), +-_ => {} +-} +-token = _token.token ++let using_cached_token = self ++.input ++.cached_token ++.as_ref() ++.map_or(false, |cached_token| { ++cached_token.start_position == token_start_position ++}); ++let token = if using_cached_token { ++let cached_token = self.input.cached_token.as_ref().unwrap(); ++self.input.tokenizer.reset(_token.end_state); ++match cached_token.token { ++Token::Function(ref name) => self.input.tokenizer.see_function(name), ++_ => {} + } +-_ => { +-let new_token = self.input.tokenizer.next() +-.map_err(|()| self.new_basic_error(BasicParseErrorKind::EndOfInput))?; +-self.input.cached_token = Some(CachedToken { +-token: new_token, +-start_position: token_start_position, +-
NEW changes in stable-new
Processing changes file: rustc_1.41.1+dfsg1-1~deb10u1_mips-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: rustc_1.41.1+dfsg1-1~deb10u1_mipsel-buildd.changes ACCEPT
Bug#969633: transition: json-simple
Hi Emilio, Emilio Pozuelo Monfort a écrit le 20/09/2020 à 18:50 : > On 06/09/2020 13:38, Gilles Filippini wrote: >> Emilio Pozuelo Monfort a écrit le 06/09/2020 à 12:19 : >>> On 06/09/2020 11:53, Gilles Filippini wrote: Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition Hi, I'd like to transition json-simple 3.1.1 surrently sitting into experimental. The name of the library doens't change, but reverse dependencies need a binnmu. >>> >>> Why is that? >> >> Upstream removed an API that was deprecated long ago and introduced a >> few backward incompatible changes. > > Then it needs a SONAME bump. There is no such thing in java. I asked the question on the debian-java list whether to change the binary package's name and it was answered that it should be avoidable [1]. I eventually chose not to change it because there are few reverse dependencies. [1] https://lists.debian.org/debian-java/2020/05/msg00025.html What do you think? _g. signature.asc Description: OpenPGP digital signature
Bug#969633: transition: json-simple
On 06/09/2020 13:38, Gilles Filippini wrote: > Emilio Pozuelo Monfort a écrit le 06/09/2020 à 12:19 : >> On 06/09/2020 11:53, Gilles Filippini wrote: >>> Package: release.debian.org >>> Severity: normal >>> User: release.debian@packages.debian.org >>> Usertags: transition >>> >>> Hi, >>> >>> I'd like to transition json-simple 3.1.1 surrently sitting into >>> experimental. >>> The name of the library doens't change, but reverse dependencies need a >>> binnmu. >> >> Why is that? > > Upstream removed an API that was deprecated long ago and introduced a > few backward incompatible changes. Then it needs a SONAME bump. Emilio
NEW changes in stable-new
Processing changes file: node-bl_1.1.2-1+deb10u1_all.changes ACCEPT Processing changes file: node-elliptic_6.4.1~dfsg-1+deb10u1_all-buildd.changes ACCEPT Processing changes file: node-url-parse_1.2.0-2+deb10u1_all.changes ACCEPT
NEW changes in stable-new
Processing changes file: llvm-toolchain-7_7.0.1-8+deb10u2_mips64el-buildd.changes ACCEPT
Bug#970632: nmu: util-linux_2.36-3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: binnmu util-linux doesn't know about the new capabilities from Linux 5.8 yet, e.g.: % setpriv --bounding-set -all echo test setpriv: libcap-ng is too old for "all" caps The problem is not actually libcap-ng but util-linux having picked up an old CAP_LAST_CAP when it was built. Rebuilding against linux-libc-dev 5.8 fixes this: nmu util-linux_2.36-3 . linux-any . unstable . -m "Rebuild against linux-libc-dev >= 5.8 to pick up new capabilities" --extra-depends 'linux-libc-dev (>= 5.8)' (not sure if linux-any is supported here)
NEW changes in stable-new
Processing changes file: node-bl_1.1.2-1+deb10u1_sourceonly.changes ACCEPT Processing changes file: node-elliptic_6.4.1~dfsg-1+deb10u1_sourceonly.changes ACCEPT Processing changes file: node-url-parse_1.2.0-2+deb10u1_sourceonly.changes ACCEPT
Bug#969369: node-elliptic 6.4.1~dfsg-1+deb10u1 flagged for acceptance
package release.debian.org tags 969369 = buster pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian buster. Thanks for your contribution! Upload details == Package: node-elliptic Version: 6.4.1~dfsg-1+deb10u1 Explanation: prevent malleability and overflows [CVE-2020-13822]
Bug#969366: node-url-parse 1.2.0-2+deb10u1 flagged for acceptance
package release.debian.org tags 969366 = buster pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian buster. Thanks for your contribution! Upload details == Package: node-url-parse Version: 1.2.0-2+deb10u1 Explanation: fix insufficient validation and sanitization of user input [CVE-2020-8124]
Processed: node-url-parse 1.2.0-2+deb10u1 flagged for acceptance
Processing commands for cont...@bugs.debian.org: > package release.debian.org Limiting to bugs with field 'package' containing at least one of 'release.debian.org' Limit currently set to 'package':'release.debian.org' > tags 969366 = buster pending Bug #969366 [release.debian.org] buster-pu: package node-url-parse/1.2.0-2+deb10u1 Added tag(s) pending; removed tag(s) confirmed. > thanks Stopping processing here. Please contact me if you need assistance. -- 969366: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969366 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: node-elliptic 6.4.1~dfsg-1+deb10u1 flagged for acceptance
Processing commands for cont...@bugs.debian.org: > package release.debian.org Limiting to bugs with field 'package' containing at least one of 'release.debian.org' Limit currently set to 'package':'release.debian.org' > tags 969369 = buster pending Bug #969369 [release.debian.org] buster-pu: package node-elliptic/6.4.1_dfsg-1+deb10u1 Added tag(s) pending; removed tag(s) confirmed. > thanks Stopping processing here. Please contact me if you need assistance. -- 969369: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969369 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: node-bl 1.1.2-1+deb10u1 flagged for acceptance
Processing commands for cont...@bugs.debian.org: > package release.debian.org Limiting to bugs with field 'package' containing at least one of 'release.debian.org' Limit currently set to 'package':'release.debian.org' > tags 969348 = buster pending Bug #969348 [release.debian.org] buster-pu: package node-bl/1.1.2-1+deb10u1 Added tag(s) pending; removed tag(s) confirmed. > thanks Stopping processing here. Please contact me if you need assistance. -- 969348: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969348 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#969348: node-bl 1.1.2-1+deb10u1 flagged for acceptance
package release.debian.org tags 969348 = buster pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian buster. Thanks for your contribution! Upload details == Package: node-bl Version: 1.1.2-1+deb10u1 Explanation: fix over-read vulnerability [CVE-2020-8244]
NEW changes in stable-new
Processing changes file: librsvg_2.44.10-2.1+deb10u2_source.changes ACCEPT
Bug#966028: librsvg 2.44.10-2.1+deb10u2 flagged for acceptance
package release.debian.org tags 966028 = buster pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian buster. Thanks for your contribution! Upload details == Package: librsvg Version: 2.44.10-2.1+deb10u2 Explanation: fix build failures on mips with newer rustc, and ppc64el and s390x with the fix for CVE-2019-20446
Processed: librsvg 2.44.10-2.1+deb10u2 flagged for acceptance
Processing commands for cont...@bugs.debian.org: > package release.debian.org Limiting to bugs with field 'package' containing at least one of 'release.debian.org' Limit currently set to 'package':'release.debian.org' > tags 966028 = buster pending Bug #966028 [release.debian.org] buster-pu: package librsvg/2.44.10-2.1+deb10u1 Ignoring request to alter tags of bug #966028 to the same tags previously set > thanks Stopping processing here. Please contact me if you need assistance. -- 966028: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966028 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
NEW changes in stable-new
Processing changes file: llvm-toolchain-7_7.0.1-8+deb10u2_mipsel-buildd.changes ACCEPT
Bug#966028: buster-pu: package librsvg/2.44.10-2.1+deb10u1
On 25/07/2020 12:04, Adam D. Barratt wrote: > Hi, > > On Wed, 2020-07-22 at 13:26 +0200, Emilio Pozuelo Monfort wrote: >> On 22/07/2020 13:19, Emilio Pozuelo Monfort wrote: >>> So I have gone with the minimal backport to 2.44.10 instead (which >>> I've also tested) and it's already uploaded. debdiff attached. >> >> Attached for real now. > > Unfortunately it appears that this FTBFS on ppc64el and s390x, with a > segmentation fault in the tests. I have uploaded a new revision, fixing this FTBFS and the one caused by the new rustc 1.41. debdiff attached. Cheers, Emilio diff -Nru librsvg-2.44.10/debian/changelog librsvg-2.44.10/debian/changelog --- librsvg-2.44.10/debian/changelog2020-07-22 13:11:57.0 +0200 +++ librsvg-2.44.10/debian/changelog2020-09-20 10:48:42.0 +0200 @@ -1,3 +1,12 @@ +librsvg (2.44.10-2.1+deb10u2) buster; urgency=medium + + * nalgebra-borrow-mutable-immutable.patch: fix build with rustc 1.41. + * Don-t-drop-nodes-recursively-to-avoid-stack-over.patch: fix stack +exhaustion due to recursion when freeing nodes, which caused FTBFS +on ppc64el and s390x with the newly introduced tests for CVE-2019-20446. + + -- Emilio Pozuelo Monfort Sun, 20 Sep 2020 10:48:42 +0200 + librsvg (2.44.10-2.1+deb10u1) buster; urgency=medium * CVE-2019-20446: DoS via billion laughs attack. diff -Nru librsvg-2.44.10/debian/patches/Don-t-drop-nodes-recursively-to-avoid-stack-over.patch librsvg-2.44.10/debian/patches/Don-t-drop-nodes-recursively-to-avoid-stack-over.patch --- librsvg-2.44.10/debian/patches/Don-t-drop-nodes-recursively-to-avoid-stack-over.patch 1970-01-01 01:00:00.0 +0100 +++ librsvg-2.44.10/debian/patches/Don-t-drop-nodes-recursively-to-avoid-stack-over.patch 2020-09-20 10:46:33.0 +0200 @@ -0,0 +1,96 @@ +From 1235c2de5bbeb16deb48013505c6b2a767915c03 Mon Sep 17 00:00:00 2001 +From: Federico Mena Quintero +Date: Fri, 14 Dec 2018 17:00:08 -0600 +Subject: [PATCH] (#393): Don't drop nodes recursively to avoid stack overflow + +We borrow a dropping technique from Kuchiki, to avoid deep recursion +when there are thousands of sibling nodes. + +https://gitlab.gnome.org/GNOME/librsvg/issues/393 +--- + rsvg_internals/src/node.rs | 69 ++ + 1 file changed, 69 insertions(+) + +diff --git a/rsvg_internals/src/node.rs b/rsvg_internals/src/node.rs +index 36e3df03..493ae844 100644 +--- a/rsvg_internals/src/node.rs b/rsvg_internals/src/node.rs +@@ -655,6 +655,75 @@ impl Node { + } + } + ++/// Prevent stack overflow when recursively dropping nodes ++/// ++/// Dropping nodes is recursive, since a node owns strong references ++/// to its next sibling and its first child. When there is an SVG ++/// with a flat hierarchy of a few hundred thousand elements, ++/// recursively dropping these siblings can cause stack overflow. ++/// ++/// Here, we convert recursion to an explicit heap-allocated stack of ++/// nodes that need to be dropped. This technique is borrowed from ++/// [kuchiki]'s tree implementation. ++/// ++/// [kuchiki]: https://github.com/kuchiki-rs/kuchiki/blob/master/src/tree.rs ++impl Drop for Node { ++fn drop( self) { ++let mut stack = Vec::new(); ++ ++if let Some(rc) = take_if_unique_strong(_child) { ++non_recursive_drop_unique_rc(rc, stack); ++} ++ ++if let Some(rc) = take_if_unique_strong(_sib) { ++non_recursive_drop_unique_rc(rc, stack); ++} ++ ++fn non_recursive_drop_unique_rc(mut rc: Rc, stack: Vec>) { ++loop { ++if let Some(child) = take_if_unique_strong(_child) { ++stack.push(rc); ++rc = child; ++continue; ++} ++ ++if let Some(sibling) = take_if_unique_strong(_sib) { ++rc = sibling; ++continue; ++} ++ ++if let Some(parent) = stack.pop() { ++rc = parent; ++continue; ++} ++ ++return; ++} ++} ++} ++} ++ ++/// Return `Some` if the `NodeRef` is the only strong reference count ++/// ++/// Note that this leaves the tree in a partially inconsistent state, since ++/// the weak references to the node referenced by `r` will now point to ++/// an unlinked node. ++fn take_if_unique_strong(r: >>) -> Option> { ++let mut r = r.borrow_mut(); ++ ++let has_single_ref = match *r { ++None => false, ++Some(ref rc) if Rc::strong_count(rc) > 1 => false, ++Some(_) => true, ++}; ++ ++if has_single_ref { ++r.take() ++} else { ++None ++} ++} ++ + pub fn node_ptr_to_weak(raw_parent: *const RsvgNode) -> Option> { + if raw_parent.is_null() { + None +-- +2.20.1 + diff -Nru librsvg-2.44.10/debian/patches/nalgebra-borrow-mutable-immutable.patch
NEW changes in stable-new
Processing changes file: pyzmq_17.1.2-2+deb10u1_mipsel-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: libx11_1.6.7-1+deb10u1_mipsel-buildd.changes ACCEPT Processing changes file: pyzmq_17.1.2-2+deb10u1_mips64el-buildd.changes ACCEPT