NEW changes in stable-new

2023-08-20 Thread Debian FTP Masters
Processing changes file: mariadb_10.11.4-1~deb12u1_mips64el-buildd.changes
  ACCEPT



NEW changes in stable-new

2023-08-20 Thread Debian FTP Masters
Processing changes file: mariadb_10.11.4-1~deb12u1_mipsel-buildd.changes
  ACCEPT



Bug#1043144: transition: mutter/gnome-shell 44

2023-08-20 Thread Simon McVittie
On Sun, 20 Aug 2023 at 19:52:50 +, Graham Inggs wrote:
> I added your combined ben file to the tracker with some minor changes:
> https://release.debian.org/transitions/html/gnome-shell-44.html

Thanks!

> Please go ahead.

Initial round of builds in progress.

smcv



Bug#1043144: transition: mutter/gnome-shell 44

2023-08-20 Thread Graham Inggs
Control: tags -1 confirmed

Hi Simon

I added your combined ben file to the tracker with some minor changes:
https://release.debian.org/transitions/html/gnome-shell-44.html

On Tue, 15 Aug 2023 at 17:18, Simon McVittie  wrote:
> I think this is ready to go. Repeating the list of packages needing
> sourceful uploads from experimental into unstable in approximately this
> order, for the release team's convenience:
>
> * mutter
> * gnome-shell
> * gnome-shell-extensions
> * gnome-remote-desktop
> * budgie-desktop
> * gnome-shell-extension-bluetooth-quick-connect
> * gnome-shell-extension-gsconnect
> * gnome-shell-extension-tiling-assistant
>
> And then any remaining extensions in
> https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=pkg-gnome-maintainers%40lists.alioth.debian.org=gnome-shell-44
> will need temporarily removing from testing to let the transition through.
>
> The release team has traditionally been relatively trigger-happy about
> removing broken Shell extensions, since they are clearly less important
> than GNOME itself. When the transition is otherwise ready to migrate,
> I'll provide a full list of packages needing removal.

Please go ahead.

Regards
Graham



Processed: Re: Bug#1043144: transition: mutter/gnome-shell 44

2023-08-20 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 confirmed
Bug #1043144 [release.debian.org] transition: mutter/gnome-shell 44
Added tag(s) confirmed.

-- 
1043144: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043144
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



NEW changes in stable-new

2023-08-20 Thread Debian FTP Masters
Processing changes file: mariadb_10.11.4-1~deb12u1_s390x-buildd.changes
  ACCEPT



NEW changes in stable-new

2023-08-20 Thread Debian FTP Masters
Processing changes file: mariadb_10.11.4-1~deb12u1_arm64-buildd.changes
  ACCEPT
Processing changes file: mariadb_10.11.4-1~deb12u1_armel-buildd.changes
  ACCEPT



NEW changes in stable-new

2023-08-20 Thread Debian FTP Masters
Processing changes file: mariadb_10.11.4-1~deb12u1_armhf-buildd.changes
  ACCEPT
Processing changes file: mariadb_10.11.4-1~deb12u1_i386-buildd.changes
  ACCEPT
Processing changes file: mariadb_10.11.4-1~deb12u1_ppc64el-buildd.changes
  ACCEPT



NEW changes in stable-new

2023-08-20 Thread Debian FTP Masters
Processing changes file: mariadb_10.11.4-1~deb12u1_all-buildd.changes
  ACCEPT
Processing changes file: mariadb_10.11.4-1~deb12u1_amd64-buildd.changes
  ACCEPT



NEW changes in stable-new

2023-08-20 Thread Debian FTP Masters
Processing changes file: freedombox_23.6.2+deb12u1_all-buildd.changes
  ACCEPT



NEW changes in stable-new

2023-08-20 Thread Debian FTP Masters
Processing changes file: freedombox_23.6.2+deb12u1_amd64.changes
  ACCEPT
Processing changes file: mariadb_10.11.4-1~deb12u1_source.changes
  ACCEPT



Processed: tagging 1049902

2023-08-20 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 1049902 + moreinfo
Bug #1049902 [release.debian.org] bookworm-pu: package raspi-firmware/20220830+ds-1+deb12u1
Added tag(s) moreinfo.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1049902: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049902
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#1049862: bookworm-pu: package efibootguard/0.13-2+deb12u1

2023-08-20 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #1049862 [release.debian.org] bookworm-pu: package efibootguard/0.13-2+deb12u1
Added tag(s) confirmed.

-- 
1049862: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049862
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1049862: bookworm-pu: package efibootguard/0.13-2+deb12u1

2023-08-20 Thread Jonathan Wiltshire
Control: tag -1 confirmed

On Wed, Aug 16, 2023 at 11:41:00AM +0200, Bastian Germann wrote:
> [ Reason ]
> This backports the fix for CVE-2023-39950 to bookworm.
> The Security Team told us to go the stable-pu route.

Please go ahead.

>   [x] the issue is verified as fixed in unstable

It would have been helpful to mention this issue and/or the CVE identifier
in the unstable upload if possible, so that this is easier to verify.
I realise it may not have had a CVE or been explicitly mentioned upstream
at the time it was uploaded though.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Processed: Re: Bug#1049336: bookworm-pu: package filezilla/3.63.0-1+deb12u2

2023-08-20 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #1049336 [release.debian.org] bookworm-pu: package filezilla/3.63.0-1+deb12u2
Added tag(s) confirmed.

-- 
1049336: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049336
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1049336: bookworm-pu: package filezilla/3.63.0-1+deb12u2

2023-08-20 Thread Jonathan Wiltshire
Control: tag -1 confirmed

On Mon, Aug 14, 2023 at 12:49:47PM +0100, Phil Wyett wrote:
> [ Reason ]
> Crash when removing file types from list in packages configuration.

Please go ahead.

Thanks,


-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Processed: freedombox 23.6.2+deb12u1 flagged for acceptance

2023-08-20 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 1049379 = bookworm pending
Bug #1049379 [release.debian.org] bookworm-pu: package freedombox/23.6.2+deb12u1
Added tag(s) pending; removed tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1049379: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049379
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: mariadb 10.11.4-1~deb12u1 flagged for acceptance

2023-08-20 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 1037107 = bookworm pending
Bug #1037107 [release.debian.org] bookworm-pu: mariadb/1:10.11.4-0+deb12u1
Added tag(s) pending; removed tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1037107: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037107
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1049379: freedombox 23.6.2+deb12u1 flagged for acceptance

2023-08-20 Thread Jonathan Wiltshire
package release.debian.org
tags 1049379 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: freedombox
Version: 23.6.2+deb12u1

Explanation: use n= in apt preferences for smooth upgrades



Bug#1037107: Acknowledgement (pre-unblock: bookworm-pu: mariadb/1:10.11.3-2/+deb12u1)

2023-08-20 Thread Jonathan Wiltshire
| diff -Nru mariadb-10.11.3/debian/changelog mariadb-10.11.4/debian/changelog
| --- mariadb-10.11.3/debian/changelog  2023-05-28 06:16:42.0 +
| +++ mariadb-10.11.4/debian/changelog  2023-08-03 03:08:31.0 +
| @@ -1,3 +1,18 @@
| +mariadb (1:10.11.4-1~deb12u1) bookworm; urgency=medium
| +
| +  [ Otto Kekäläinen ]
| +  * New upstream version 10.11.4. Includes fixes for several severe 
regressions,
| +see details at https://mariadb.com/kb/en/mariadb-10-11-4-release-notes/
| +  * Duplicate selected Lintian overrides in old Lintian syntax for NEW queue
| +(this might strictly not be needed for bookworm but does not hurt either)
| +  * Extend the transitional package metadata referenced below
| +  * Bump revision to 'u2' to satisfy Debian FTP queue requirements
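Review bot: the last bullet, "Bump revision to 'u2'", does not match the entry header, which gives the version as 1:10.11.4-1~deb12u1. Either the header should carry deb12u2 or the bullet should be reworded; as written the changelog records a revision bump that this upload does not have.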

That last line seems wrong but in the interests of expediency it can be
fixed in retrospect next upload.



-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Bug#1037107: mariadb 10.11.4-1~deb12u1 flagged for acceptance

2023-08-20 Thread Jonathan Wiltshire
package release.debian.org
tags 1037107 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: mariadb
Version: 10.11.4-1~deb12u1

Explanation: new upstream bugfix release



Processed: bookworm-pu: package marco/1.26.1-3+deb12u2

2023-08-20 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:marco
Bug #1050126 [release.debian.org] bookworm-pu: package marco/1.26.1-3+deb12u2
Added indication that 1050126 affects src:marco

-- 
1050126: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050126
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1050126: bookworm-pu: package marco/1.26.1-3+deb12u2

2023-08-20 Thread Mike Gabriel
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: ma...@packages.debian.org
Control: affects -1 + src:marco

In MATE's window manager marco an annoying issue was introduced with
marco's version in Debian bullseye (iirc). If compositing was
enabled in gsettings, there would be nice shadows around windows
on local displays, but black frames (instead of the shadows)
around windows when MATE was run in an X2Go session.

Mihai Moldovan now worked on a fix for this and we'd like to bring
his patches to marco in Debian bookworm (so the X2Go user experience
is without black shadows around windows).

As a side note: to hide (work-around) this flaw in Debian 12, the default
setting for compositing in MATE had been switched to off.

[ Reason ]
Make MATE well usable in X2Go without the need of disabling compositing
in its WM. So, local sessions can run with compositing enabled while
it gets switched off automatically when running in a remote session
(e.g. X2Go) that does not support compositing.

[ Impact ]
When using MATE with compositing enabled, black frames around windows
appear when using MATE over X2Go.

[ Tests ]
Manual tests (local, remote MATE session).

[ Risks ]
Minimal, regressions can be possible. The patches have also already been
accepted by MATE upstream.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

+  * debian/patches:
++ Add 0001_check-availability-of-compositing-1.patch and
+  0002_check-availability-of-compositing-2.patch. Check that compositing
+  is not only requested, but also available.
+
+  Enabling code that is supposed to be used in compositing conditions is
+  harmful if compositing is not actually available. Just checking the
+  preference is not enough to make sure that compositing is available -
+  the X server might be missing crucial extensions for compositing to
+  work, which in turn correctly disables the internal compositor.
+
+  The end result is graphical issues like black borders around windows in
+  such situations.
+
+  Make sure that compositing is both requested AND available to fix this
+  bug.
+
+  This resolves an annoying issue when running MATE desktop in X2Go
+  sessions with the x2goagent (nx-libs) Xserver backend.

-> these are the patches that fix marco in X2Go sessions...

+  * debian/:
++ Drop black-frame-in-X2Go-sessions-workaround, re-enable compositing by
+  default again. This drops the gsettings override
+  20_marco-debian.gschema.override.

This removes the work-around that we introduced in Debian 12. Dropping
this gsettings override reinstates marco's compositing settings as
present in Debian 11.


[ Other info ]
This change will be helpful to MATE in Debian Edu where we use X2Go for
thinclients that connect to remote sessions running MATE or Xfce. As a
side note, for Xfce we also have a patch fixing a similar issue in xfwm.
diff -Nru marco-1.26.1/debian/20_marco-debian.gschema.override 
marco-1.26.1/debian/20_marco-debian.gschema.override
--- marco-1.26.1/debian/20_marco-debian.gschema.override2023-04-25 
16:04:32.0 +0200
+++ marco-1.26.1/debian/20_marco-debian.gschema.override1970-01-01 
01:00:00.0 +0100
@@ -1,2 +0,0 @@
-[org.mate.Marco.general]
-compositing-manager=false
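Review bot: deleting the override that sets compositing-manager=false changes the effective default for every bookworm installation that never set the key, not only for X2Go sessions, and that belongs under [ Risks ]. The removal is only safe if the two check-availability patches really disable compositing when the X server lacks the needed extensions; their content is not visible in this part of the debdiff, so they have to be reviewed together with this hunk.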
diff -Nru marco-1.26.1/debian/changelog marco-1.26.1/debian/changelog
--- marco-1.26.1/debian/changelog   2023-07-10 06:47:02.0 +0200
+++ marco-1.26.1/debian/changelog   2023-08-19 21:31:53.0 +0200
@@ -1,3 +1,31 @@
+marco (1.26.1-3+deb12u2) bookworm; urgency=medium
+
+  * debian/patches:
++ Add 0001_check-availability-of-compositing-1.patch and
+  0002_check-availability-of-compositing-2.patch. Check that compositing
+  is not only requested, but also available.
+
+  Enabling code that is supposed to be used in compositing conditions is
+  harmful if compositing is not actually available. Just checking the
+  preference is not enough to make sure that compositing is available -
+  the X server might be missing crucial extensions for compositing to
+  work, which in turn correctly disables the internal compositor.
+
+  The end result is graphical issues like black borders around windows in
+  such situations.
+
+  Make sure that compositing is both requested AND available to fix this
+  bug.
+
+  This resolves an annoying issue when running MATE desktop in X2Go
+  sessions with the x2goagent (nx-libs) Xserver backend.
+  * debian/:
++ Drop black-frame-in-X2Go-sessions-workaround, re-enable compositing by
+  default again. This drops the gsettings override
+  20_marco-debian.gschema.override.
+
+ -- Mike Gabriel   Sat, 19 Aug 2023 
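Review bot: the new 1.26.1-3+deb12u2 entry names the two added patches but carries no bug number or upstream reference for them, although the request says they were accepted by MATE upstream. A "Closes:" or an upstream commit link in the first bullet would let the release team trace the fix; the second bullet should also say plainly that the default for compositing changes back to enabled.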

Bug#1040498: Should we consider the transition ready (Was: Bug#1040498: transition: r-bioc-biocgenerics)

2023-08-20 Thread Graham Inggs
Hi Andreas

On Wed, 16 Aug 2023 at 11:24, Andreas Tille  wrote:
> On Tue, Aug 01, 2023 at 01:06:41PM +, Graham Inggs wrote:
> > At least the following packages are failing their own autopkgtests in
> > unstable (list not complete):
> > r-bioc-cummerbund
> > r-bioc-decoupler
> > r-bioc-monocle
> > r-bioc-scran
> > r-bioc-singler
>
> Most of those packages have autopkgtests marked as
>Failed (not a regression)
> Am I correct that we do not need to take any action regarding the
> transition?

Well, it means those autopkgtests already regressed in testing, but
they do not block migration.
Now that r-bioc-biocgenerics has migrated, you can see that at least
r-bioc-cummerbund, r-bioc-scran and r-bioc-singler are still blocked
by other packages which need attention.

> > r-bioc-dupradar has regressed from passing to neutral, apparently due
> > to the use of 'skip-not-installable'.  Please don't use this
> > restriction on all the autopkgtests in a package, otherwise there are
> > no tests which are not superficial, and regressions can migrate to
> > testing.
>
> Could you please be more verbose about this hint (maybe suggesting a
> patch that implements your suggestion since I'm afraid I do not
> understand this correctly)

--- a/debian/tests/autopkgtest-pkg-r.conf
+++ b/debian/tests/autopkgtest-pkg-r.conf
@@ -2,4 +2,3 @@
   r-cran-knitr, \
   r-cran-rmarkdown, \
   r-bioc-annotationhub
-extra_restrictions=skip-not-installable

In general, skip-not-installable is no good as it does not catch when
packages are non-installable, and during that time, it can hide other
regressions and allow them to migrate.  It may have some special use
cases; e.g. a test depending on a package that is only available in
unstable (virtualbox or openjdk-8), but skip-not-installable should
not be applied to a package's only autopkgtest, or all of them, only
the one that actually requires it.

On Fri, 18 Aug 2023 at 10:40, Andreas Tille  wrote:
> I've fixed r-bioc-decoupler manually to remove this blocker quickly
> (instead of working around invalid version specifications by detecting
> these in dh-r)

Thanks!  elbrus marked r-bioc-decoupler urgent, and rather than being
blocked by the autopkgtest regression of r-bioc-metagenomeseq, I
removed 1.40.0-1 from testing (previously removed on 2023-07-16, but
somehow migrated again) to allow r-bioc-biocgenerics to migrate.

> Do you see any other blocker?

Besides those packages mentioned above, there are others still needing
attention.  These can be seen on the team's DDPO page [1], just search
for 'Excuse' there.

Regards
Graham


[1] 
https://qa.debian.org/developer.php?email=r-pkg-team%40alioth-lists.debian.net



Bug#1050113: unblock: rust-rustls-webpki/0.101.3-1.1

2023-08-20 Thread Graham Inggs
Hi

On Sat, 19 Aug 2023 at 23:57, plugwash  wrote:
> The package is blocked by autopkgtest failures on ppc64el and s390x. The reason
> for these failures is that the package (which is arch all) is not installable
> on these architectures because it depends on the ring crate which is not
> currently portable. Please can you override these failures and allow the
> package to migrate to testing.

I added a hint, but rust-rustls-webpki/0.101.3-1.1 was superseded by 0.101.3-2.
I'll look again later.

Regards
Graham



Bug#1050124: bookworm-pu: package vte2.91/0.70.6-2~deb12u1

2023-08-20 Thread Simon McVittie
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: vte2...@packages.debian.org
Control: affects -1 + src:vte2.91

I've uploaded another proposed vte2.91 update for bookworm. Please consider
this for 12.2.

[ Reason ]
#1040049

[ Impact ]
If not fixed, there is a crash with an assertion failure that occurs
frequently in some user workflows (I've never been able to reproduce it
myself, but the bug reporter Luca Boccassi saw it frequently).

[ Tests ]
Luca has been running a prerelease version of this update (identical except
for version number) for several weeks, and has not seen the bug again.
Available from: https://people.debian.org/~smcv/12.2/pool/main/v/vte2.91/

A functionally equivalent version was in testing for about 1 week before
being superseded by a newer upstream release, with no regression reports.
The version proposed here is a straightforward rebuild of that version
for bookworm.

[ Risks ]
Low risk: targeted fix from upstream which just invalidates caches more
often.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
All changes are for #1040049, no extraneous diff present.
diffstat for vte2.91-0.70.6 vte2.91-0.70.6

 debian/changelog  |   17 ++
 debian/patches/series |1 
 debian/patches/widget-Invalidate-ringview-when-the-invalidating.patch |   69 
++
 src/vte.cc|   13 +
 4 files changed, 100 insertions(+)

diff -Nru vte2.91-0.70.6/debian/changelog vte2.91-0.70.6/debian/changelog
--- vte2.91-0.70.6/debian/changelog 2023-06-14 12:17:06.0 +0100
+++ vte2.91-0.70.6/debian/changelog 2023-08-09 13:01:27.0 +0100
@@ -1,3 +1,20 @@
+vte2.91 (0.70.6-2~deb12u1) bookworm; urgency=medium
+
+  * Team upload
+  * Rebuild for bookworm (Closes: #1040049)
+
+ -- Simon McVittie   Wed, 09 Aug 2023 13:01:27 +0100
+
+vte2.91 (0.70.6-2) unstable; urgency=medium
+
+  * Team upload
+  * d/p/widget-Invalidate-ringview-when-the-invalidating.patch:
+Add patch from upstream git to invalidate ring view more often when
+necessary, fixing various assertion failures during event handling
+(Closes: #1040049)
+
+ -- Simon McVittie   Fri, 14 Jul 2023 11:31:40 +0100
+
 vte2.91 (0.70.6-1~deb12u1) bookworm; urgency=medium
 
   * Team upload
diff -Nru vte2.91-0.70.6/debian/patches/series 
vte2.91-0.70.6/debian/patches/series
--- vte2.91-0.70.6/debian/patches/series2023-06-14 12:17:06.0 
+0100
+++ vte2.91-0.70.6/debian/patches/series2023-08-09 13:01:27.0 
+0100
@@ -1 +1,2 @@
+widget-Invalidate-ringview-when-the-invalidating.patch
 Allow-background-color-and-color-on-VteTerminal-widgets-t.patch
diff -Nru 
vte2.91-0.70.6/debian/patches/widget-Invalidate-ringview-when-the-invalidating.patch
 
vte2.91-0.70.6/debian/patches/widget-Invalidate-ringview-when-the-invalidating.patch
--- 
vte2.91-0.70.6/debian/patches/widget-Invalidate-ringview-when-the-invalidating.patch
1970-01-01 01:00:00.0 +0100
+++ 
vte2.91-0.70.6/debian/patches/widget-Invalidate-ringview-when-the-invalidating.patch
2023-08-09 13:01:27.0 +0100
@@ -0,0 +1,69 @@
+From: Egmont Koblinger 
+Date: Thu, 13 Jul 2023 21:59:29 +0200
+Subject: widget: Invalidate ringview when the invalidating
+
+When the ringview is not invalidated when the ring has changed leads to
+failed assertion aborts when handling events, e.g. vte#2636, vte#2637,
+vte#2632, vte#2577.
+
+Bug: https://gitlab.gnome.org/GNOME/vte/-/issues/2636
+Bug: https://gitlab.gnome.org/GNOME/vte/-/issues/2637
+Bug-Debian: https://bugs.debian.org/1040049
+Applied-upstream: 0.73.0, commit:461bc3e43c819fa0e3b62d0cf40ef533a69cc7f7
+---
+ src/vte.cc | 13 +
+ 1 file changed, 13 insertions(+)
+
+diff --git a/src/vte.cc b/src/vte.cc
+index b8e15d7..561cc42 100644
+--- a/src/vte.cc
 b/src/vte.cc
+@@ -2050,6 +2050,7 @@ Terminal::queue_adjustment_value_changed(double v)
+ _vte_debug_print(VTE_DEBUG_ADJ,
+  "Scrolling by %f\n", dy);
+ 
++m_ringview.invalidate();
+ invalidate_all();
+ match_contents_clear();
+ emit_text_scrolled(dy);
+@@ -2899,6 +2900,9 @@ Terminal::drop_scrollback()
+ if (m_screen == _normal_screen) {
+ queue_adjustment_value_changed(m_normal_screen.insert_delta);
+ adjust_adjustments_full();
++m_ringview.invalidate();
++invalidate_all();
++match_contents_clear();
+ }
+ }
+ 
+@@ -7548,6 +7552,9 @@ Terminal::set_size(long columns,
+   gtk_widget_queue_resize(m_widget); // FIXMEgtk4?
+ #endif
+ 
++
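Review bot: in the drop_scrollback() hunk of the embedded patch, the three added calls (m_ringview.invalidate(), invalidate_all(), match_contents_clear()) repeat what queue_adjustment_value_changed(), called two lines above them, already does according to the first hunk. If they are needed because that function can return before reaching those calls, a one-line comment saying so would make the intent clear. The patch Subject, "widget: Invalidate ringview when the invalidating", is cut off mid-phrase, and the added lines of the set_size() hunk are not visible in this excerpt, so that part cannot be checked from here.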

Processed: bookworm-pu: package vte2.91/0.70.6-2~deb12u1

2023-08-20 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:vte2.91
Bug #1050124 [release.debian.org] bookworm-pu: package vte2.91/0.70.6-2~deb12u1
Added indication that 1050124 affects src:vte2.91

-- 
1050124: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050124
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: bullseye-pu: package cryptmount/5.3.3-1+deb11u1

2023-08-20 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:cryptmount
Bug #1050121 [release.debian.org] bullseye-pu: package cryptmount/5.3.3-1+deb11u1
Added indication that 1050121 affects src:cryptmount

-- 
1050121: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050121
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1050121: bullseye-pu: package cryptmount/5.3.3-1+deb11u1

2023-08-20 Thread RW Penney
Package: release.debian.org
Version: 5.3.3-1
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: rwpen...@users.sourceforge.net
Control: affects -1 + src:cryptmount

[ Reason ]
When cryptmount is passed invalid command-line arguments, it is likely
to crash with a SEGV error due to inappropriately zeroed memory passed
to getopt_long().

[ Impact ]
The absence of error-messages when invalid command-line arguments are supplied
affects usability. The use of uninitialized memory with a setuid binary is,
potentially, a security risk.

[ Tests ]
The fix involves a single-line change to replace a call to malloc()
with one to calloc(). This has been tested manually on invalid command-line
arguments, and the upstream "mudslinger" test-suite has been used for
regression tests across a wide range of usage scenarios.

[ Risks ]
The proposed change has very little risk of side-effects.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in bullseye
  [x] the issue is verified as fixed in unstable

[ Changes ]
A call to malloc() prior to using getopt_long() has been replaced by
a similar call to calloc().
diff -Nru cryptmount-5.3.3/debian/changelog cryptmount-5.3.3/debian/changelog
--- cryptmount-5.3.3/debian/changelog   2021-01-01 14:34:20.0 +
+++ cryptmount-5.3.3/debian/changelog   2023-07-20 11:30:00.0 +0100
@@ -1,3 +1,12 @@
+cryptmount (5.3.3-1+deb11u1) bullseye; urgency=low
+
+  * Fix for memory-initialization in command-line parser (bug#1038384)
+- one-line change to source-code, replacing malloc() with calloc()
+- reduces risk of SEGV crashes when handling unrecognized
+  command-line options
+
+ -- RW Penney   Sun, 20 Jul 2023 10:30:00 +
+
 cryptmount (5.3.3-1) unstable; urgency=low
 
   * New upstream release
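Review bot: the trailer of the new entry reads "Sun, 20 Jul 2023", but 20 July 2023 was a Thursday (the vte2.91 changelog on this page dates 14 Jul 2023 as a Friday), so weekday and date do not agree; regenerate the trailer rather than editing it by hand. The first bullet also cites "bug#1038384" in free text; if the bug is meant to be marked fixed in this version, write it as "Closes: #1038384".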
diff -Nru cryptmount-5.3.3/debian/patches/docfiles-pathnames.patch 
cryptmount-5.3.3/debian/patches/docfiles-pathnames.patch
--- cryptmount-5.3.3/debian/patches/docfiles-pathnames.patch2021-01-01 
15:19:51.0 +
+++ cryptmount-5.3.3/debian/patches/docfiles-pathnames.patch2023-07-20 
11:30:00.0 +0100
@@ -1,4 +1,7 @@
-Correct installation pathnames in documentation
+Description: Correct installation pathnames in documentation
+ Some documentation files not installed except in Debian packaging
+Author: RW Penney 
+Forwarded: not-needed
 --- a/README
 +++ b/README
 @@ -64,7 +64,7 @@
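Review bot: this hunk rewrites the header of docfiles-pathnames.patch (Description, Author and Forwarded fields), which is unrelated to the getopt fix and is mentioned neither in the new changelog entry nor under [ Changes ], although the checklist says all changes are documented. Either list it in d/changelog or leave it out of the stable upload.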
diff -Nru cryptmount-5.3.3/debian/patches/getopt-initialization.patch 
cryptmount-5.3.3/debian/patches/getopt-initialization.patch
--- cryptmount-5.3.3/debian/patches/getopt-initialization.patch 1970-01-01 
01:00:00.0 +0100
+++ cryptmount-5.3.3/debian/patches/getopt-initialization.patch 2023-07-01 
08:05:21.0 +0100
@@ -0,0 +1,14 @@
+Description: Fix memory initialization error in command-line parser
+Author: RW Penney 
+Forwarded: not-needed
+--- a/cryptmount.c
 b/cryptmount.c
+@@ -1372,7 +1372,7 @@
+ #ifdef _GNU_SOURCE
+ struct option *longopts;
+ 
+-longopts = (struct option*)malloc((n_options + 1) * sizeof(struct 
option));
++longopts = (struct option*)calloc(n_options + 1, sizeof(struct option));
+ for (i=0; i
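Review bot: no NULL check appears between the calloc() call and the for loop that follows it on the next visible line; in a setuid binary an allocation failure should be handled explicitly before longopts is used. "Forwarded: not-needed" on a change to cryptmount.c also deserves a word of explanation, for instance that upstream already carries the same fix.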

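Added example (not part of the original message and not cryptmount's code): the malloc() to calloc() change described in the cryptmount request above, shown on a small getopt_long() table. The option list, the struct opt_spec type and all function names are hypothetical; the point is that calloc() leaves the terminating entry and every unassigned field zeroed, so unrecognised options come back as '?' instead of sending getopt_long() through indeterminate memory.

```c
#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical option list; it stands in for the program's real one. */
struct opt_spec {
    const char *name;   /* long option name without the leading "--" */
    int has_arg;        /* no_argument or required_argument */
    int code;           /* value getopt_long() returns for this option */
};

static const struct opt_spec SPECS[] = {
    { "list",    no_argument,       'l' },
    { "mount",   required_argument, 'm' },
    { "version", no_argument,       'v' },
};
#define N_SPECS (sizeof SPECS / sizeof SPECS[0])

/* Build the table for getopt_long().  calloc() zero-fills n + 1 entries,
 * so entry [n] is the all-zero terminator getopt_long() scans for and any
 * field the loop does not assign (here: flag) is NULL/0, not garbage.
 * calloc() also checks the n * size multiplication for overflow. */
struct option *build_longopts(const struct opt_spec *specs, size_t n)
{
    struct option *lo = calloc(n + 1, sizeof *lo);
    if (lo == NULL)
        return NULL;            /* caller must handle allocation failure */
    for (size_t i = 0; i < n; i++) {
        lo[i].name = specs[i].name;
        lo[i].has_arg = specs[i].has_arg;
        lo[i].val = specs[i].code;
    }
    return lo;
}

/* 1 if entry [n] is the zeroed terminator, 0 otherwise. */
int table_is_terminated(const struct option *lo, size_t n)
{
    return lo[n].name == NULL && lo[n].has_arg == 0 &&
           lo[n].flag == NULL && lo[n].val == 0;
}

/* Parse argv and return the number of options getopt_long() rejected
 * (unknown option or missing argument), or -1 if allocation failed. */
int count_bad_options(int argc, char **argv)
{
    struct option *lo = build_longopts(SPECS, N_SPECS);
    int c, bad = 0;

    if (lo == NULL)
        return -1;
    opterr = 0;                 /* no library messages; we count instead */
    optind = 0;                 /* glibc/musl: force a full rescan */
    while ((c = getopt_long(argc, argv, "lm:v", lo, NULL)) != -1) {
        if (c == '?')
            bad++;
    }
    free(lo);
    return bad;
}

/* Constructed sample command lines. */
int demo_valid(void)
{
    char *argv[] = { "prog", "--list", "--mount", "/dev/sdz9", NULL };
    return count_bad_options(4, argv);
}

int demo_invalid(void)
{
    char *argv[] = { "prog", "--bogus", "-x", "--list", NULL };
    return count_bad_options(4, argv);
}

int demo_terminated(void)
{
    struct option *lo = build_longopts(SPECS, N_SPECS);
    int ok = lo != NULL && table_is_terminated(lo, N_SPECS);
    free(lo);
    return ok;
}

int main(void)
{
    printf("valid argv:   %d rejected\n", demo_valid());
    printf("invalid argv: %d rejected\n", demo_invalid());
    printf("terminator zeroed: %d\n", demo_terminated());
    return 0;
}
```
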
NEW changes in stable-new

2023-08-20 Thread Debian FTP Masters
Processing changes file: marco_1.26.1-3+deb12u2_source.changes
  REJECT



Bug#1050119: bullseye-pu: package unrar-nonfree/1:6.0.3-1+deb11u1

2023-08-20 Thread Markus Koschany
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org


Hi,

[ Reason ]

unrar-nonfree is affected by CVE-2022-48579 in Bullseye. non-free
packages are not supported by the security team but it still makes
sense to fix this issue via a point update.

[ Impact ]

unrar-nonfree would continue to be affected by CVE-2022-48579.

[ Tests ]

I have manually created a rar archive which includes several symlinks
pointing to each other, files with relative paths and special
characters and in all cases unrar-nonfree seems to do the right thing.
An official reproducer was not available.

[ Risks ]

If I made a mistake there should be an unpack error or something
similar, which is not the case. Command switches didn't change so an
external program like xarchiver continues to work as expected.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable


[ Other info ]

Maintainer approves point update. (#1050080)
diff -Nru unrar-nonfree-6.0.3/debian/changelog 
unrar-nonfree-6.0.3/debian/changelog
--- unrar-nonfree-6.0.3/debian/changelog2022-05-10 13:26:16.0 
+0200
+++ unrar-nonfree-6.0.3/debian/changelog2023-08-20 09:58:26.0 
+0200
@@ -1,3 +1,13 @@
+unrar-nonfree (1:6.0.3-1+deb11u2) bullseye; urgency=high
+
+  * Non maintainer upload.
+  * Fix CVE-2022-48579:
+It was discovered that UnRAR, an unarchiver for rar files, allows
+extraction of files outside of the destination folder via symlink chains.
+(Closes: #1050080)
+
+ -- Markus Koschany   Sun, 20 Aug 2023 09:58:26 +0200
+
 unrar-nonfree (1:6.0.3-1+deb11u1) bullseye; urgency=high
 
   * Fix CVE-2022-30333 (Closes: #1010837)
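Review bot: the new entry is versioned 1:6.0.3-1+deb11u2 and sits on top of the existing 1:6.0.3-1+deb11u1 entry shown as context, while the bug title asks for unrar-nonfree/1:6.0.3-1+deb11u1. Retitle the request to +deb11u2 so that the bug and the upload refer to the same version.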
diff -Nru unrar-nonfree-6.0.3/debian/patches/0013-CVE-2022-48579.patch 
unrar-nonfree-6.0.3/debian/patches/0013-CVE-2022-48579.patch
--- unrar-nonfree-6.0.3/debian/patches/0013-CVE-2022-48579.patch
1970-01-01 01:00:00.0 +0100
+++ unrar-nonfree-6.0.3/debian/patches/0013-CVE-2022-48579.patch
2023-08-20 09:58:26.0 +0200
@@ -0,0 +1,429 @@
+From: Markus Koschany 
+Date: Mon, 14 Aug 2023 15:43:54 +0200
+Subject: CVE-2022-48579
+
+Origin: 
https://github.com/pmachapman/unrar/commit/2ecab6bb5ac4f3b88f270218445496662020205f
+---
+ arcread.cpp   |  4 ++-
+ extinfo.cpp   | 89 +++
+ extinfo.hpp   |  3 +-
+ extract.cpp   | 44 +
+ extract.hpp   |  6 
+ hardlinks.cpp |  2 --
+ model.cpp |  6 ++--
+ os.hpp|  1 +
+ pathfn.cpp| 14 +++---
+ timefn.hpp| 11 
+ ulinks.cpp|  6 ++--
+ win32stm.cpp  |  9 --
+ 12 files changed, 170 insertions(+), 25 deletions(-)
+
+diff --git a/arcread.cpp b/arcread.cpp
+index d1df6c0..63858d9 100644
+--- a/arcread.cpp
 b/arcread.cpp
+@@ -1441,7 +1441,9 @@ bool Archive::ReadSubData(Array *UnpData,File 
*DestFile,bool TestMode)
+   {
+ if (SubHead.UnpSize>0x100)
+ {
+-  // So huge allocation must never happen in valid archives.
++  // Prevent the excessive allocation. When reading to memory, normally
++  // this function operates with reasonably small blocks, such as
++  // the archive comment, NTFS ACL or "Zone.Identifier" NTFS stream.
+   uiMsg(UIERROR_SUBHEADERUNKNOWN,FileName);
+   return false;
+ }
+diff --git a/extinfo.cpp b/extinfo.cpp
+index 5cb90a4..0f25f31 100644
+--- a/extinfo.cpp
 b/extinfo.cpp
+@@ -112,6 +112,68 @@ static bool LinkInPath(const wchar *Name)
+ }
+ 
+ 
++// Delete symbolic links in file path, if any, and replace them by 
directories.
++// Prevents extracting files outside of destination folder with symlink 
chains.
++bool LinksToDirs(const wchar *SrcName,const wchar *SkipPart,std::wstring 
)
++{
++  // Unlike Unix, Windows doesn't expand lnk1 in symlink targets like
++  // "lnk1/../dir", but converts the path to "dir". In Unix we need to call
++  // this function to prevent placing unpacked files outside of destination
++  // folder if previously we unpacked "dir/lnk1" -> "..",
++  // "dir/lnk2" -> "lnk1/.." and "dir/lnk2/anypath/poc.txt".
++  // We may still need this function to prevent abusing symlink chains
++  // in link source path if we remove detection of such chains
++  // in IsRelativeSymlinkSafe. This function seems to make other symlink
++  // related safety checks redundant, but for now we prefer to keep them too.
++  //
++  // 2022.12.01: the performance impact is minimized after adding the check
++  // against the previous path and enabling this verification only after
++  // extracting a symlink with ".." in target. So we enabled it for Windows
++  // as well for extra safety.
++//#ifdef _UNIX
++  wchar Path[NM];
++  if (wcslen(SrcName)>=ASIZE(Path))
++return false;  // It should not be that
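Review bot: the diffstat of the embedded patch covers 12 files (170 insertions, 25 deletions), among them model.cpp, timefn.hpp and win32stm.cpp, and the arcread.cpp hunk changes only a comment. For a stable update the request should say which of these changes are required for CVE-2022-48579 and which merely come along with the referenced commit, all the more since no official reproducer was available for testing. In LinksToDirs(), the early "return false" for an over-long SrcName is only a safe outcome if the caller treats false as a refusal to extract; that call site and the rest of the function are not visible in this excerpt. The commented-out "//#ifdef _UNIX" line is also left in place.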