NEW changes in stable-new

2020-09-20 Thread Debian FTP Masters
Processing changes file: rust-cbindgen_0.14.4-1~deb10u1_mips64el-buildd.changes
  ACCEPT



NEW changes in stable-new

2020-09-20 Thread Debian FTP Masters
Processing changes file: librsvg_2.44.10-2.1+deb10u3_mips-buildd.changes
  ACCEPT
Processing changes file: librsvg_2.44.10-2.1+deb10u3_mips64el-buildd.changes
  ACCEPT
Processing changes file: librsvg_2.44.10-2.1+deb10u3_mipsel-buildd.changes
  ACCEPT



NEW changes in stable-new

2020-09-20 Thread Debian FTP Masters
Processing changes file: chocolate-doom_3.0.0-4+deb10u1_mips-buildd.changes
  ACCEPT
Processing changes file: inetutils_1.9.4-7+deb10u1_mips-buildd.changes
  ACCEPT
Processing changes file: librsvg_2.44.10-2.1+deb10u3_armel-buildd.changes
  ACCEPT



NEW changes in stable-new

2020-09-20 Thread Debian FTP Masters
Processing changes file: base-files_10.3+deb10u6_mips-buildd.changes
  ACCEPT



NEW changes in stable-new

2020-09-20 Thread Debian FTP Masters
Processing changes file: chocolate-doom_3.0.0-4+deb10u1_armel-buildd.changes
  ACCEPT
Processing changes file: chocolate-doom_3.0.0-4+deb10u1_armhf-buildd.changes
  ACCEPT
Processing changes file: chocolate-doom_3.0.0-4+deb10u1_i386-buildd.changes
  ACCEPT
Processing changes file: chocolate-doom_3.0.0-4+deb10u1_mipsel-buildd.changes
  ACCEPT
Processing changes file: inetutils_1.9.4-7+deb10u1_arm64-buildd.changes
  ACCEPT
Processing changes file: inetutils_1.9.4-7+deb10u1_armhf-buildd.changes
  ACCEPT
Processing changes file: inetutils_1.9.4-7+deb10u1_i386-buildd.changes
  ACCEPT
Processing changes file: inetutils_1.9.4-7+deb10u1_mips64el-buildd.changes
  ACCEPT
Processing changes file: inetutils_1.9.4-7+deb10u1_mipsel-buildd.changes
  ACCEPT
Processing changes file: inetutils_1.9.4-7+deb10u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: inetutils_1.9.4-7+deb10u1_s390x-buildd.changes
  ACCEPT
Processing changes file: librsvg_2.44.10-2.1+deb10u3_amd64-buildd.changes
  ACCEPT
Processing changes file: librsvg_2.44.10-2.1+deb10u3_arm64-buildd.changes
  ACCEPT
Processing changes file: librsvg_2.44.10-2.1+deb10u3_armhf-buildd.changes
  ACCEPT
Processing changes file: librsvg_2.44.10-2.1+deb10u3_i386.changes
  ACCEPT
Processing changes file: librsvg_2.44.10-2.1+deb10u3_s390x-buildd.changes
  ACCEPT



NEW changes in stable-new

2020-09-20 Thread Debian FTP Masters
Processing changes file: base-files_10.3+deb10u6_amd64-buildd.changes
  ACCEPT
Processing changes file: base-files_10.3+deb10u6_arm64-buildd.changes
  ACCEPT
Processing changes file: base-files_10.3+deb10u6_armel-buildd.changes
  ACCEPT
Processing changes file: base-files_10.3+deb10u6_armhf-buildd.changes
  ACCEPT
Processing changes file: base-files_10.3+deb10u6_i386-buildd.changes
  ACCEPT
Processing changes file: base-files_10.3+deb10u6_mips64el-buildd.changes
  ACCEPT
Processing changes file: base-files_10.3+deb10u6_mipsel-buildd.changes
  ACCEPT
Processing changes file: base-files_10.3+deb10u6_ppc64el-buildd.changes
  ACCEPT
Processing changes file: base-files_10.3+deb10u6_s390x-buildd.changes
  ACCEPT
Processing changes file: chocolate-doom_3.0.0-4+deb10u1_arm64-buildd.changes
  ACCEPT
Processing changes file: chocolate-doom_3.0.0-4+deb10u1_mips64el-buildd.changes
  ACCEPT
Processing changes file: chocolate-doom_3.0.0-4+deb10u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: chocolate-doom_3.0.0-4+deb10u1_s390x-buildd.changes
  ACCEPT
Processing changes file: inetutils_1.9.4-7+deb10u1_armel-buildd.changes
  ACCEPT
Processing changes file: librsvg_2.44.10-2.1+deb10u3_all.changes
  ACCEPT



NEW changes in stable-new

2020-09-20 Thread Debian FTP Masters
Processing changes file: cargo_0.43.1-3~deb10u1_mips64el-buildd.changes
  ACCEPT
Processing changes file: rust-cbindgen_0.14.4-1~deb10u1_mips-buildd.changes
  ACCEPT



NEW changes in stable-new

2020-09-20 Thread Debian FTP Masters
Processing changes file: linux-latest_105+deb10u6_mips-buildd.changes
  ACCEPT



NEW changes in stable-new

2020-09-20 Thread Debian FTP Masters
Processing changes file: base-files_10.3+deb10u6_source.changes
  ACCEPT
Processing changes file: chocolate-doom_3.0.0-4+deb10u1_amd64.changes
  ACCEPT
Processing changes file: inetutils_1.9.4-7+deb10u1_amd64.changes
  ACCEPT
Processing changes file: rust-cbindgen_0.14.4-1~deb10u1_mipsel-buildd.changes
  ACCEPT



NEW changes in stable-new

2020-09-20 Thread Debian FTP Masters
Processing changes file: librsvg_2.44.10-2.1+deb10u3_source.changes
  ACCEPT
Processing changes file: cargo_0.43.1-3~deb10u1_mips-buildd.changes
  ACCEPT
Processing changes file: linux_4.19.146-1_mips-buildd.changes
  ACCEPT
Processing changes file: rustc_1.41.1+dfsg1-1~deb10u1_mips64el-buildd.changes
  ACCEPT



Processed: chocolate-doom 3.0.0-4+deb10u1 flagged for acceptance

2020-09-20 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 970583 = buster pending
Bug #970583 [release.debian.org] buster-pu: package 
chocolate-doom/3.0.0-4+deb10u1
Added tag(s) pending; removed tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
970583: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970583
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#970583: chocolate-doom 3.0.0-4+deb10u1 flagged for acceptance

2020-09-20 Thread Adam D Barratt
package release.debian.org
tags 970583 = buster pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==============

Package: chocolate-doom
Version: 3.0.0-4+deb10u1

Explanation: fix missing validation [CVE-2020-14983]



Bug#970584: inetutils 1.9.4-7+deb10u1 flagged for acceptance

2020-09-20 Thread Adam D Barratt
package release.debian.org
tags 970584 = buster pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==============

Package: inetutils
Version: 1.9.4-7+deb10u1

Explanation: fix remote code execution issue [CVE-2020-10188]



Processed: inetutils 1.9.4-7+deb10u1 flagged for acceptance

2020-09-20 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 970584 = buster pending
Bug #970584 [release.debian.org] buster-pu: package inetutils/2:1.9.4-7+deb10u1
Added tag(s) pending; removed tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
970584: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970584
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#970584: buster-pu: package inetutils/2:1.9.4-7+deb10u1

2020-09-20 Thread Moritz Mühlenhoff
On Sat, Sep 19, 2020 at 06:17:20PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sat, 2020-09-19 at 13:33 +0200, Moritz Muehlenhoff wrote:
> > > Fix for CVE-2020-10188, which doesn't really warrant a DSA.
> > 
> 
> Please go ahead.

Thanks, uploaded.

Cheers,
Moritz



Bug#970583: buster-pu: package chocolate-doom/3.0.0-4+deb10u1

2020-09-20 Thread Moritz Mühlenhoff
On Sat, Sep 19, 2020 at 06:15:22PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sat, 2020-09-19 at 13:31 +0200, Moritz Muehlenhoff wrote:
> > Fix for CVE-2020-14983, which doesn't really warrant a DSA.
> 
> Please go ahead.

Thanks, uploaded.

Cheers,
Moritz



Bug#970655: buster-pu: package sleuthkit/4.6.5-1+deb10u1

2020-09-20 Thread Francisco Vilmar Cardoso Ruviaro
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Dear Release Team,

I would like to update sleuthkit in buster to prevent a stack buffer
overflow in yaffsfs_istat, because during a review of the Debian Security
Tracker, I found CVE-2020-10232.

There is no DSA assigned to the bug and it was marked "no-dsa" and so I'm doing
a normal upload.


"This is potentially exploitable by an attacker creating a file in a yaffs
image with abnormally large time values", as reported in:
https://github.com/sleuthkit/sleuthkit/pull/1836

Vulnerable code follows:

tsk/fs/yaffs.cpp line 2442:
char timeBuf[32];

This vulnerability has been assigned the CVE id CVE-2020-10232.

Upstream fixed the bug at:
https://github.com/sleuthkit/sleuthkit/pull/1836/commits/459ae818fc8dae717549810150de4d191ce158f1

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10232
[1] https://security-tracker.debian.org/tracker/CVE-2020-10232
[2] https://bugs.debian.org/953976

Sincerely,
Francisco


diff -Nru sleuthkit-4.6.5/debian/changelog sleuthkit-4.6.5/debian/changelog
--- sleuthkit-4.6.5/debian/changelog2019-01-22 11:53:42.0 +
+++ sleuthkit-4.6.5/debian/changelog2020-09-16 23:47:07.0 +
@@ -1,3 +1,11 @@
+sleuthkit (4.6.5-1+deb10u1) buster; urgency=high
+
+  * Team upload.
+  * Add patch to fix stack buffer overflow in yaffsfs_istat.
+(Closes: #953976, CVE-2020-10232)
+
+ -- Francisco Vilmar Cardoso Ruviaro   Wed, 16
Sep 2020 23:47:07 +
+
 sleuthkit (4.6.5-1) unstable; urgency=medium

   * Team upload
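Review bot: In the new changelog entry, `(Closes: #953976, CVE-2020-10232)` puts the CVE id inside the Closes: list, which is meant for bug numbers only. Suggest `(Closes: #953976)` and naming CVE-2020-10232 in the item text itself, so the bug-closing field stays unambiguous and the CVE is still easy to find in the changelog.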
diff -Nru sleuthkit-4.6.5/debian/patches/CVE-2020-10232.patch
sleuthkit-4.6.5/debian/patches/CVE-2020-10232.patch
--- sleuthkit-4.6.5/debian/patches/CVE-2020-10232.patch 1970-01-01
00:00:00.0 +
+++ sleuthkit-4.6.5/debian/patches/CVE-2020-10232.patch 2020-09-16
23:47:07.0 +
@@ -0,0 +1,21 @@
+Description: Fix stack buffer overflow in yaffsfs_istat.
+ Prevent a stack buffer overflow in yaffsfs_istat by increasing
+ the buffer size to the size required by tsk_fs_time_to_str.
+Author: micrictor 
+Origin:
https://github.com/sleuthkit/sleuthkit/commit/459ae818fc8dae717549810150de4d191ce158f1
+Bug: https://github.com/sleuthkit/sleuthkit/pull/1836
+Forwarded: not-needed
+Reviewed-By: Francisco Vilmar Cardoso Ruviaro 
+Last-Update: 2020-08-28
+
+--- sleuthkit-4.6.5.orig/tsk/fs/yaffs.cpp
 sleuthkit-4.6.5/tsk/fs/yaffs.cpp
+@@ -2439,7 +2439,7 @@ static uint8_t
+ YAFFSFS_INFO *yfs = (YAFFSFS_INFO *)fs;
+ char ls[12];
+ YAFFSFS_PRINT_ADDR print;
+-char timeBuf[32];
++char timeBuf[128];
+ YaffsCacheObject * obj = NULL;
+ YaffsCacheVersion * version = NULL;
+ YaffsHeader * header = NULL;
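Review bot: `char timeBuf[128];` hard-codes the size that the patch description says tsk_fs_time_to_str requires, so caller and callee can drift apart again the next time either side changes. Suggest a shared named constant for that size (or passing the buffer length to the formatter), and checking whether any other caller of tsk_fs_time_to_str still declares a buffer smaller than 128.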
diff -Nru sleuthkit-4.6.5/debian/patches/series
sleuthkit-4.6.5/debian/patches/series
--- sleuthkit-4.6.5/debian/patches/series   2019-01-22 11:52:14.0 
+
+++ sleuthkit-4.6.5/debian/patches/series   2020-09-16 23:47:07.0 
+
@@ -3,4 +3,4 @@
 50_disable-ant-clean.patch
 60_fix-FTBFS-HURD.patch
 0005-Disable-test_libraries.sh.patch
-
+CVE-2020-10232.patch


-- 
Francisco Vilmar Cardoso Ruviaro 
4096R: 1B8C F656 EF3B 8447 2F48 F0E7 82FB F706 0B2F 7D00
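
The sizing problem described in the request above, as an added example that is not part of the original message and is not sleuthkit code: a timestamp formatter that takes the destination size, plus a check of how many bytes a given time value needs. The `YYYY-MM-DD HH:MM:SS (TZ)` layout, the function names and the sample values are assumptions made for illustration; a 64-bit `time_t` is assumed.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define OLD_BUF 32    /* size of timeBuf before the patch */
#define NEW_BUF 128   /* size of timeBuf after the patch */

/* Constructed sample values (not taken from any real image). */
static const long long SAMPLE_NORMAL = 1600300027LL;        /* 2020-09-16 23:47:07 UTC */
static const long long SAMPLE_HUGE = 31556953600300027LL;   /* same date, year 1000002020 */

/* Format t (as UTC) with a caller-supplied zone label, writing at most
 * buflen bytes. Returns the length the complete string needs, excluding
 * the terminating NUL, or -1 if the time cannot be broken down. */
static int format_time(long long t, const char *tz, char *buf, size_t buflen)
{
    time_t tt = (time_t)t;
    const struct tm *tmv;

    if (buflen > 0)
        buf[0] = '\0';
    if (t <= 0)
        return snprintf(buf, buflen, "0000-00-00 00:00:00 (%s)", tz);
    tmv = gmtime(&tt);
    if (tmv == NULL)
        return -1;
    /* The year is widened to long so that tm_year + 1900 cannot overflow. */
    return snprintf(buf, buflen, "%.4ld-%.2d-%.2d %.2d:%.2d:%.2d (%s)",
                    (long)tmv->tm_year + 1900, tmv->tm_mon + 1, tmv->tm_mday,
                    tmv->tm_hour, tmv->tm_min, tmv->tm_sec, tz);
}

/* Number of characters the formatted string needs (without the NUL). */
static int time_str_len(long long t, const char *tz)
{
    return format_time(t, tz, NULL, 0);
}

/* 1 if the formatted string plus NUL fits in buflen bytes, else 0. */
static int time_fits(long long t, const char *tz, size_t buflen)
{
    int need = time_str_len(t, tz);
    return need >= 0 && (size_t)need < buflen;
}

/* Bounded formatting that reports truncation instead of overrunning:
 * 0 = complete, 1 = truncated to buflen - 1 characters, -1 = bad time. */
static int time_to_str_checked(long long t, const char *tz,
                               char *buf, size_t buflen)
{
    int need = format_time(t, tz, buf, buflen);
    if (need < 0)
        return -1;
    return (size_t)need >= buflen ? 1 : 0;
}

int main(void)
{
    const long long samples[] = { SAMPLE_NORMAL, SAMPLE_HUGE };
    char out[NEW_BUF];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = time_to_str_checked(samples[i], "CEST", out, sizeof out);
        printf("%-34s needs %2d bytes: fits %d-byte buffer=%d, %d-byte buffer=%d (rc=%d)\n",
               out, time_str_len(samples[i], "CEST") + 1,
               OLD_BUF, time_fits(samples[i], "CEST", OLD_BUF),
               NEW_BUF, time_fits(samples[i], "CEST", NEW_BUF), rc);
    }
    return 0;
}
```

A caller that passes `sizeof buf` and checks the return value gets a truncated string on oversized input; a callee that assumes a fixed size writes past a smaller caller buffer instead.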



NEW changes in stable-new

2020-09-20 Thread Debian FTP Masters
Processing changes file: cargo_0.43.1-3~deb10u1_mipsel-buildd.changes
  ACCEPT



Bug#966028: buster-pu: package librsvg/2.44.10-2.1+deb10u1

2020-09-20 Thread Emilio Pozuelo Monfort
On 20/09/2020 10:55, Emilio Pozuelo Monfort wrote:
> On 25/07/2020 12:04, Adam D. Barratt wrote:
>> Hi,
>>
>> On Wed, 2020-07-22 at 13:26 +0200, Emilio Pozuelo Monfort wrote:
>>> On 22/07/2020 13:19, Emilio Pozuelo Monfort wrote:
>>>> So I have gone with the minimal backport to 2.44.10 instead (which
>>>> I've also tested) and it's already uploaded. debdiff attached.
>>>
>>> Attached for real now.
>>
>> Unfortunately it appears that this FTBFS on ppc64el and s390x, with a
>> segmentation fault in the tests.
> 
> I have uploaded a new revision, fixing this FTBFS and the one caused by the new
> rustc 1.41.

Shame on me, the ppc64el/s390x was good but the other, general FTBFS with rustc
1.41 wasn't sufficiently tested due to a mistake on my side.

I have done a new brown paper bag release to stable-new, hopefully this will be
the final one.

Thanks,
Emilio
diff -Nru librsvg-2.44.10/debian/changelog librsvg-2.44.10/debian/changelog
--- librsvg-2.44.10/debian/changelog2020-09-20 10:48:42.0 +0200
+++ librsvg-2.44.10/debian/changelog2020-09-20 21:21:54.0 +0200
@@ -1,3 +1,12 @@
+librsvg (2.44.10-2.1+deb10u3) buster; urgency=medium
+
+  * nalgebra-borrow-mutable-immutable.patch:
+- Update checksum for cg.rs.
+  * cssparser-dont-assign-to-borrowed-variable.patch:
+- Fix another build failure with rustc 1.41.
+
+ -- Emilio Pozuelo Monfort   Sun, 20 Sep 2020 21:21:54 +0200
+
 librsvg (2.44.10-2.1+deb10u2) buster; urgency=medium
 
   * nalgebra-borrow-mutable-immutable.patch: fix build with rustc 1.41.
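Review bot: The `Update checksum for cg.rs` item under nalgebra-borrow-mutable-immutable.patch does not say which checksum record is meant or what failed without the update. Suggest one more clause naming the file that holds the checksum and the build failure it resolves, so a later reader can tell this revision apart from deb10u2, which already lists the same patch as the rustc 1.41 build fix.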
diff -Nru 
librsvg-2.44.10/debian/patches/cssparser-dont-assign-to-borrowed-variable.patch 
librsvg-2.44.10/debian/patches/cssparser-dont-assign-to-borrowed-variable.patch
--- 
librsvg-2.44.10/debian/patches/cssparser-dont-assign-to-borrowed-variable.patch 
1970-01-01 01:00:00.0 +0100
+++ 
librsvg-2.44.10/debian/patches/cssparser-dont-assign-to-borrowed-variable.patch 
2020-09-20 18:59:43.0 +0200
@@ -0,0 +1,92 @@
+From 3c98d22c5de3b696bf1fde2b6c90069812312aa6 Mon Sep 17 00:00:00 2001
+From: Simon Sapin 
+Date: Tue, 23 Apr 2019 13:47:25 +0200
+Subject: [PATCH] Fix a future-compat warning
+
+```
+warning[E0506]: cannot assign to `self.input.cached_token` because it is 
borrowed
+   --> src/parser.rs:591:17
+|
+566 | pub fn next_including_whitespace_and_comments( self) -> 
Result<<'i>, BasicParseError<'i>> {
+|   - let's call the 
lifetime of this reference `'1`
+...
+579 | Some(ref cached_token)
+|   borrow of `self.input.cached_token` 
occurs here
+...
+591 | self.input.cached_token = Some(CachedToken {
+| ^^^ assignment to borrowed 
`self.input.cached_token` occurs here
+...
+603 | Ok(token)
+| - returning this value requires that 
`self.input.cached_token.0` is borrowed for `'1`
+|
+= warning: this error has been downgraded to a warning for backwards 
compatibility with previous releases
+= warning: this represents potential undefined behavior in your code and 
this warning will become a hard error in the future
+```
+---
+ src/parser.rs | 50 +++---
+ 1 file changed, 27 insertions(+), 23 deletions(-)
+
+--- a/vendor/cssparser/src/parser.rs
 b/vendor/cssparser/src/parser.rs
+@@ -555,28 +555,34 @@ impl<'i: 't, 't> Parser<'i, 't> {
+ }
+ 
+ let token_start_position = self.input.tokenizer.position();
+-let token;
+-match self.input.cached_token {
+-Some(ref cached_token)
+-if cached_token.start_position == token_start_position => {
+-self.input.tokenizer.reset(_token.end_state);
+-match cached_token.token {
+-Token::Function(ref name) => 
self.input.tokenizer.see_function(name),
+-_ => {}
+-}
+-token = _token.token
++let using_cached_token = self
++.input
++.cached_token
++.as_ref()
++.map_or(false, |cached_token| {
++cached_token.start_position == token_start_position
++});
++let token = if using_cached_token {
++let cached_token = self.input.cached_token.as_ref().unwrap();
++self.input.tokenizer.reset(_token.end_state);
++match cached_token.token {
++Token::Function(ref name) => 
self.input.tokenizer.see_function(name),
++_ => {}
+ }
+-_ => {
+-let new_token = self.input.tokenizer.next()
+-.map_err(|()| 
self.new_basic_error(BasicParseErrorKind::EndOfInput))?;
+-self.input.cached_token = Some(CachedToken {
+-token: new_token,
+-start_position: token_start_position,
+-
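Review bot: In the `if using_cached_token` branch, `self.input.cached_token.as_ref().unwrap()` relies on the `map_or` check a few lines above having seen `Some`. Nothing between the two touches `cached_token`, so it holds today, but a short comment stating that invariant, or `expect` with a message, would keep a later edit from turning it into an unexplained panic. The hunk is cut off on this page after the removed `start_position` line, so the remainder of the change cannot be reviewed here.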

NEW changes in stable-new

2020-09-20 Thread Debian FTP Masters
Processing changes file: rustc_1.41.1+dfsg1-1~deb10u1_mips-buildd.changes
  ACCEPT



NEW changes in stable-new

2020-09-20 Thread Debian FTP Masters
Processing changes file: rustc_1.41.1+dfsg1-1~deb10u1_mipsel-buildd.changes
  ACCEPT



Bug#969633: transition: json-simple

2020-09-20 Thread Gilles Filippini
Hi Emilio,

Emilio Pozuelo Monfort wrote on 20/09/2020 at 18:50:
> On 06/09/2020 13:38, Gilles Filippini wrote:
>> Emilio Pozuelo Monfort wrote on 06/09/2020 at 12:19:
>>> On 06/09/2020 11:53, Gilles Filippini wrote:
>>>> Package: release.debian.org
>>>> Severity: normal
>>>> User: release.debian@packages.debian.org
>>>> Usertags: transition
>>>>
>>>> Hi,
>>>>
>>>> I'd like to transition json-simple 3.1.1 currently sitting in
>>>> experimental.
>>>> The name of the library doesn't change, but reverse dependencies need a
>>>> binnmu.
>>>
>>> Why is that?
>>
>> Upstream removed an API that was deprecated long ago and introduced a
>> few backward incompatible changes.
> 
> Then it needs a SONAME bump.

There is no such thing in java. I asked the question on the debian-java
list whether to change the binary package's name and it was answered
that it should be avoidable [1]. I eventually chose not to change it
because there are few reverse dependencies.

[1] https://lists.debian.org/debian-java/2020/05/msg00025.html

What do you think?

_g.





Bug#969633: transition: json-simple

2020-09-20 Thread Emilio Pozuelo Monfort
On 06/09/2020 13:38, Gilles Filippini wrote:
> Emilio Pozuelo Monfort wrote on 06/09/2020 at 12:19:
>> On 06/09/2020 11:53, Gilles Filippini wrote:
>>> Package: release.debian.org
>>> Severity: normal
>>> User: release.debian@packages.debian.org
>>> Usertags: transition
>>>
>>> Hi,
>>>
>>> I'd like to transition json-simple 3.1.1 currently sitting in
>>> experimental.
>>> The name of the library doesn't change, but reverse dependencies need a
>>> binnmu.
>>
>> Why is that?
> 
> Upstream removed an API that was deprecated long ago and introduced a
> few backward incompatible changes.

Then it needs a SONAME bump.

Emilio



NEW changes in stable-new

2020-09-20 Thread Debian FTP Masters
Processing changes file: node-bl_1.1.2-1+deb10u1_all.changes
  ACCEPT
Processing changes file: node-elliptic_6.4.1~dfsg-1+deb10u1_all-buildd.changes
  ACCEPT
Processing changes file: node-url-parse_1.2.0-2+deb10u1_all.changes
  ACCEPT



NEW changes in stable-new

2020-09-20 Thread Debian FTP Masters
Processing changes file: 
llvm-toolchain-7_7.0.1-8+deb10u2_mips64el-buildd.changes
  ACCEPT



Bug#970632: nmu: util-linux_2.36-3

2020-09-20 Thread Felix Geyer
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

util-linux doesn't know about the new capabilities from Linux 5.8 yet, e.g.:

% setpriv --bounding-set -all echo test
setpriv: libcap-ng is too old for "all" caps

The problem is not actually libcap-ng but util-linux having picked up an old 
CAP_LAST_CAP when it was built.
Rebuilding against linux-libc-dev 5.8 fixes this:

nmu util-linux_2.36-3 . linux-any . unstable . -m "Rebuild against 
linux-libc-dev >= 5.8 to pick up new capabilities" --extra-depends 
'linux-libc-dev (>= 5.8)'
(not sure if linux-any is supported here)



NEW changes in stable-new

2020-09-20 Thread Debian FTP Masters
Processing changes file: node-bl_1.1.2-1+deb10u1_sourceonly.changes
  ACCEPT
Processing changes file: node-elliptic_6.4.1~dfsg-1+deb10u1_sourceonly.changes
  ACCEPT
Processing changes file: node-url-parse_1.2.0-2+deb10u1_sourceonly.changes
  ACCEPT



Bug#969369: node-elliptic 6.4.1~dfsg-1+deb10u1 flagged for acceptance

2020-09-20 Thread Adam D Barratt
package release.debian.org
tags 969369 = buster pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==============

Package: node-elliptic
Version: 6.4.1~dfsg-1+deb10u1

Explanation: prevent malleability and overflows [CVE-2020-13822]



Bug#969366: node-url-parse 1.2.0-2+deb10u1 flagged for acceptance

2020-09-20 Thread Adam D Barratt
package release.debian.org
tags 969366 = buster pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==============

Package: node-url-parse
Version: 1.2.0-2+deb10u1

Explanation: fix insufficient validation and sanitization of user input 
[CVE-2020-8124]



Processed: node-url-parse 1.2.0-2+deb10u1 flagged for acceptance

2020-09-20 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 969366 = buster pending
Bug #969366 [release.debian.org] buster-pu: package 
node-url-parse/1.2.0-2+deb10u1
Added tag(s) pending; removed tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
969366: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969366
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: node-elliptic 6.4.1~dfsg-1+deb10u1 flagged for acceptance

2020-09-20 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 969369 = buster pending
Bug #969369 [release.debian.org] buster-pu: package 
node-elliptic/6.4.1_dfsg-1+deb10u1
Added tag(s) pending; removed tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
969369: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969369
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: node-bl 1.1.2-1+deb10u1 flagged for acceptance

2020-09-20 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 969348 = buster pending
Bug #969348 [release.debian.org] buster-pu: package node-bl/1.1.2-1+deb10u1
Added tag(s) pending; removed tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
969348: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969348
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#969348: node-bl 1.1.2-1+deb10u1 flagged for acceptance

2020-09-20 Thread Adam D Barratt
package release.debian.org
tags 969348 = buster pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==============

Package: node-bl
Version: 1.1.2-1+deb10u1

Explanation: fix over-read vulnerability [CVE-2020-8244]



NEW changes in stable-new

2020-09-20 Thread Debian FTP Masters
Processing changes file: librsvg_2.44.10-2.1+deb10u2_source.changes
  ACCEPT



Bug#966028: librsvg 2.44.10-2.1+deb10u2 flagged for acceptance

2020-09-20 Thread Adam D Barratt
package release.debian.org
tags 966028 = buster pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==============

Package: librsvg
Version: 2.44.10-2.1+deb10u2

Explanation: fix build failures on mips with newer rustc, and ppc64el and s390x 
with the fix for CVE-2019-20446



Processed: librsvg 2.44.10-2.1+deb10u2 flagged for acceptance

2020-09-20 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 966028 = buster pending
Bug #966028 [release.debian.org] buster-pu: package librsvg/2.44.10-2.1+deb10u1
Ignoring request to alter tags of bug #966028 to the same tags previously set
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
966028: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966028
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



NEW changes in stable-new

2020-09-20 Thread Debian FTP Masters
Processing changes file: llvm-toolchain-7_7.0.1-8+deb10u2_mipsel-buildd.changes
  ACCEPT



Bug#966028: buster-pu: package librsvg/2.44.10-2.1+deb10u1

2020-09-20 Thread Emilio Pozuelo Monfort
On 25/07/2020 12:04, Adam D. Barratt wrote:
> Hi,
> 
> On Wed, 2020-07-22 at 13:26 +0200, Emilio Pozuelo Monfort wrote:
>> On 22/07/2020 13:19, Emilio Pozuelo Monfort wrote:
>>> So I have gone with the minimal backport to 2.44.10 instead (which
>>> I've also tested) and it's already uploaded. debdiff attached.
>>
>> Attached for real now.
> 
> Unfortunately it appears that this FTBFS on ppc64el and s390x, with a
> segmentation fault in the tests.

I have uploaded a new revision, fixing this FTBFS and the one caused by the new
rustc 1.41.

debdiff attached.

Cheers,
Emilio
diff -Nru librsvg-2.44.10/debian/changelog librsvg-2.44.10/debian/changelog
--- librsvg-2.44.10/debian/changelog2020-07-22 13:11:57.0 +0200
+++ librsvg-2.44.10/debian/changelog2020-09-20 10:48:42.0 +0200
@@ -1,3 +1,12 @@
+librsvg (2.44.10-2.1+deb10u2) buster; urgency=medium
+
+  * nalgebra-borrow-mutable-immutable.patch: fix build with rustc 1.41.
+  * Don-t-drop-nodes-recursively-to-avoid-stack-over.patch: fix stack
+exhaustion due to recursion when freeing nodes, which caused FTBFS
+on ppc64el and s390x with the newly introduced tests for CVE-2019-20446.
+
+ -- Emilio Pozuelo Monfort   Sun, 20 Sep 2020 10:48:42 +0200
+
 librsvg (2.44.10-2.1+deb10u1) buster; urgency=medium
 
   * CVE-2019-20446: DoS via billion laughs attack.
diff -Nru 
librsvg-2.44.10/debian/patches/Don-t-drop-nodes-recursively-to-avoid-stack-over.patch
 
librsvg-2.44.10/debian/patches/Don-t-drop-nodes-recursively-to-avoid-stack-over.patch
--- 
librsvg-2.44.10/debian/patches/Don-t-drop-nodes-recursively-to-avoid-stack-over.patch
   1970-01-01 01:00:00.0 +0100
+++ 
librsvg-2.44.10/debian/patches/Don-t-drop-nodes-recursively-to-avoid-stack-over.patch
   2020-09-20 10:46:33.0 +0200
@@ -0,0 +1,96 @@
+From 1235c2de5bbeb16deb48013505c6b2a767915c03 Mon Sep 17 00:00:00 2001
+From: Federico Mena Quintero 
+Date: Fri, 14 Dec 2018 17:00:08 -0600
+Subject: [PATCH] (#393): Don't drop nodes recursively to avoid stack overflow
+
+We borrow a dropping technique from Kuchiki, to avoid deep recursion
+when there are thousands of sibling nodes.
+
+https://gitlab.gnome.org/GNOME/librsvg/issues/393
+---
+ rsvg_internals/src/node.rs | 69 ++
+ 1 file changed, 69 insertions(+)
+
+diff --git a/rsvg_internals/src/node.rs b/rsvg_internals/src/node.rs
+index 36e3df03..493ae844 100644
+--- a/rsvg_internals/src/node.rs
 b/rsvg_internals/src/node.rs
+@@ -655,6 +655,75 @@ impl Node {
+ }
+ }
+ 
++/// Prevent stack overflow when recursively dropping nodes
++///
++/// Dropping nodes is recursive, since a node owns strong references
++/// to its next sibling and its first child.  When there is an SVG
++/// with a flat hierarchy of a few hundred thousand elements,
++/// recursively dropping these siblings can cause stack overflow.
++///
++/// Here, we convert recursion to an explicit heap-allocated stack of
++/// nodes that need to be dropped.  This technique is borrowed from
++/// [kuchiki]'s tree implementation.
++///
++/// [kuchiki]: https://github.com/kuchiki-rs/kuchiki/blob/master/src/tree.rs
++impl Drop for Node {
++fn drop( self) {
++let mut stack = Vec::new();
++
++if let Some(rc) = take_if_unique_strong(_child) {
++non_recursive_drop_unique_rc(rc,  stack);
++}
++
++if let Some(rc) = take_if_unique_strong(_sib) {
++non_recursive_drop_unique_rc(rc,  stack);
++}
++
++fn non_recursive_drop_unique_rc(mut rc: Rc, stack:  
Vec>) {
++loop {
++if let Some(child) = take_if_unique_strong(_child) {
++stack.push(rc);
++rc = child;
++continue;
++}
++
++if let Some(sibling) = take_if_unique_strong(_sib) {
++rc = sibling;
++continue;
++}
++
++if let Some(parent) = stack.pop() {
++rc = parent;
++continue;
++}
++
++return;
++}
++}
++}
++}
++
++/// Return `Some` if the `NodeRef` is the only strong reference count
++///
++/// Note that this leaves the tree in a partially inconsistent state, since
++/// the weak references to the node referenced by `r` will now point to
++/// an unlinked node.
++fn take_if_unique_strong(r: >>) -> Option> {
++let mut r = r.borrow_mut();
++
++let has_single_ref = match *r {
++None => false,
++Some(ref rc) if Rc::strong_count(rc) > 1 => false,
++Some(_) => true,
++};
++
++if has_single_ref {
++r.take()
++} else {
++None
++}
++}
++
+ pub fn node_ptr_to_weak(raw_parent: *const RsvgNode) -> Option> {
+ if raw_parent.is_null() {
+ None
+-- 
+2.20.1
+
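Review bot: `take_if_unique_strong` is documented as leaving weak references pointing at an unlinked node, but nothing in its signature or comment restricts it to teardown. Suggest stating in the doc comment that it may only be called from `Drop for Node` (or nesting it inside `drop` next to `non_recursive_drop_unique_rc`), so it is not reused on a live tree. The diffstat shows only node.rs changing, so the flat-hierarchy case is covered only by tests that live outside this patch; a note naming them would help.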
diff -Nru 
librsvg-2.44.10/debian/patches/nalgebra-borrow-mutable-immutable.patch 

NEW changes in stable-new

2020-09-20 Thread Debian FTP Masters
Processing changes file: pyzmq_17.1.2-2+deb10u1_mipsel-buildd.changes
  ACCEPT



NEW changes in stable-new

2020-09-20 Thread Debian FTP Masters
Processing changes file: libx11_1.6.7-1+deb10u1_mipsel-buildd.changes
  ACCEPT
Processing changes file: pyzmq_17.1.2-2+deb10u1_mips64el-buildd.changes
  ACCEPT