Processed: bookworm-pu: package glewlwyd/2.7.5-3

2023-11-26 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:glewlwyd
Bug #1056936 [release.debian.org] bookworm-pu: package glewlwyd/2.7.5-3
Added indication that 1056936 affects src:glewlwyd

-- 
1056936: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056936
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1056936: bookworm-pu: package glewlwyd/2.7.5-3

2023-11-26 Thread Nicolas Mora

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: glewl...@packages.debian.org
Control: affects -1 + src:glewlwyd

(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)

[ Reason ]
Fix possible buffer overflow in webauthn attestation (CVE-2023-49208)

[ Risks ]
If a crafted webauthn assertion is executed, it could
result in denial of service or the execution of arbitrary code

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The change checks the length of a parameter before copying it into a
fixed size array.

diff -Nru glewlwyd-2.7.5/debian/changelog glewlwyd-2.7.5/debian/changelog
--- glewlwyd-2.7.5/debian/changelog	2023-05-04 07:21:27.0 -0400
+++ glewlwyd-2.7.5/debian/changelog	2023-11-23 17:12:13.0 -0500
@@ -1,3 +1,9 @@
+glewlwyd (2.7.5-3+deb12u1) bookworm; urgency=medium
+
+  * d/patches: Fix CVE-2023-49208
+
+ -- Nicolas Mora   Thu, 23 Nov 2023 17:12:13 -0500
+
 glewlwyd (2.7.5-3) unstable; urgency=medium
 
   * Install config.json as config-2.7.json (Closes: #1035503)
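Review bot: The new changelog entry says only "d/patches: Fix CVE-2023-49208" and does not name the flaw or the code touched, so anyone reading the changelog alone has to look the CVE up. Suggest wording such as "Fix possible buffer overflow in webauthn attestation (CVE-2023-49208)", which is how the request's Reason section already describes it.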
diff -Nru glewlwyd-2.7.5/debian/patches/CVE-2023-49208.patch glewlwyd-2.7.5/debian/patches/CVE-2023-49208.patch
--- glewlwyd-2.7.5/debian/patches/CVE-2023-49208.patch	1969-12-31 19:00:00.0 -0500
+++ glewlwyd-2.7.5/debian/patches/CVE-2023-49208.patch	2023-11-23 17:12:13.0 -0500
@@ -0,0 +1,21 @@
+Description: Fix CVE-2023-49208 for bookworm
+Author: Nicolas Mora 
+Forwarded: not-needed
+--- a/src/scheme/webauthn.c
 b/src/scheme/webauthn.c
+@@ -2260,13 +2260,13 @@
+ for (i=0; i
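Review bot: The DEP-3 header of debian/patches/CVE-2023-49208.patch has Description, Author and "Forwarded: not-needed" but no Origin field, so the patch cannot be matched to the upstream change it backports. Add an Origin line naming the upstream commit, and extend the Description to say that the fix is a length check before the copy into the fixed size array in src/scheme/webauthn.c.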

Bug#1056935: bullseye-pu: libde265/1.0.11-0+deb11u2

2023-11-26 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for libde265 fixes CVE-2023-27102, CVE-2023-27103, 
CVE-2023-43887 and CVE-2023-47471 in Bullseye.
Except CVE-2023-43887 all others are marked as no-dsa by the security 
team (CVE-2023-43887 appeared recently and was not evaluated yet).


The fix was already uploaded to Stretch and nobody complained up to now.

  Thorsten
diff -Nru libde265-1.0.11/debian/changelog libde265-1.0.11/debian/changelog
--- libde265-1.0.11/debian/changelog2023-02-04 17:18:48.0 +0100
+++ libde265-1.0.11/debian/changelog2023-11-26 13:03:02.0 +0100
@@ -1,3 +1,19 @@
+libde265 (1.0.11-0+deb11u2) bullseye; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2023-27102 (Closes: #1033257)
+fix segmentation violation in the
+function decoder_context::process_slice_segment_header
+  * CVE-2023-27103
+fix heap buffer overflow in the
+function derive_collocated_motion_vectors
+  * CVE-2023-43887
+fix buffer over-read in pic_parameter_set::dump
+  * CVE-2023-47471 (Closes: #1056187)
+fix buffer overflow in the slice_segment_header function
+
+ -- Thorsten Alteholz   Sun, 26 Nov 2023 13:03:02 +0100
+
 libde265 (1.0.11-0+deb11u1) bullseye-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-27102.patch 
libde265-1.0.11/debian/patches/CVE-2023-27102.patch
--- libde265-1.0.11/debian/patches/CVE-2023-27102.patch 1970-01-01 
01:00:00.0 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-27102.patch 2023-11-21 
14:07:48.0 +0100
@@ -0,0 +1,23 @@
+commit 0b1752abff97cb542941d317a0d18aa50cb199b1
+Author: Dirk Farin 
+Date:   Sat Mar 4 10:32:43 2023 +0100
+
+check whether referenced PPS exists (fixes #393)
+
+Index: libde265-1.0.11/libde265/decctx.cc
+===
+--- libde265-1.0.11.orig/libde265/decctx.cc2023-11-19 19:08:18.703219858 
+0100
 libde265-1.0.11/libde265/decctx.cc 2023-11-19 19:08:18.703219858 +0100
+@@ -2276,9 +2276,10 @@
+   // get PPS and SPS for this slice
+ 
+   int pps_id = hdr->slice_pic_parameter_set_id;
+-  if (pps[pps_id]->pps_read==false) {
++  if (pps[pps_id]==nullptr || pps[pps_id]->pps_read==false) {
+ logerror(LogHeaders, "PPS %d has not been read\n", pps_id);
+-assert(false); // TODO
++img->decctx->add_warning(DE265_WARNING_NONEXISTING_PPS_REFERENCED, false);
++return false;
+   }
+ 
+   current_pps = pps[pps_id];
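Review bot: In the decctx.cc hunk the new test "pps[pps_id]==nullptr" still indexes pps[] with pps_id taken directly from hdr->slice_pic_parameter_set_id, and no range check on pps_id is visible in the context lines. Confirm that the slice header parser already rejects out-of-range IDs before this point, or add a bounds check ahead of the null test so the early "return false" covers that case as well.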
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-27103.patch 
libde265-1.0.11/debian/patches/CVE-2023-27103.patch
--- libde265-1.0.11/debian/patches/CVE-2023-27103.patch 1970-01-01 
01:00:00.0 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-27103.patch 2023-11-21 
14:07:48.0 +0100
@@ -0,0 +1,54 @@
+commit d6bf73e765b7a23627bfd7a8645c143fd9097995
+Author: Dirk Farin 
+Date:   Sat Mar 4 10:27:59 2023 +0100
+
+check for valid slice header index access (fixes #394)
+
+Index: libde265-1.0.11/libde265/de265.cc
+===
+--- libde265-1.0.11.orig/libde265/de265.cc 2023-11-19 19:08:22.851224558 
+0100
 libde265-1.0.11/libde265/de265.cc  2023-11-19 19:08:22.847224554 +0100
+@@ -174,6 +174,8 @@
+ return "Bit-depth of current image does not match SPS";
+   case DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH:
+ return "Chroma format of reference image does not match current image";
++  case DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS:
++return "Access with invalid slice header index";
+ 
+   default: return "unknown error";
+   }
+Index: libde265-1.0.11/libde265/de265.h
+===
+--- libde265-1.0.11.orig/libde265/de265.h  2023-11-19 19:08:22.851224558 
+0100
 libde265-1.0.11/libde265/de265.h   2023-11-19 19:08:22.847224554 +0100
+@@ -145,7 +145,8 @@
+   DE265_WARNING_REFERENCE_IMAGE_SIZE_DOES_NOT_MATCH_SPS=1029,
+   DE265_WARNING_CHROMA_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1030,
+   DE265_WARNING_BIT_DEPTH_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1031,
+-  DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH=1032
++  DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH=1032,
++  DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS=1033
+ } de265_error;
+ 
+ LIBDE265_API const char* de265_get_error_text(de265_error err);
+Index: libde265-1.0.11/libde265/motion.cc
+===
+--- libde265-1.0.11.orig/libde265/motion.cc2023-11-19 19:08:22.851224558 
+0100
 libde265-1.0.11/libde265/motion.cc 2023-11-19 19:08:22.847224554 +0100
+@@ -1266,6 +1266,16 @@
+ 
+ 
+ 
++  int slice_hdr_idx = colImg->get_SliceHeaderIndex(xColPb,yColPb);
++  if (slice_hdr_idx >= colImg->slices.size()) {
++
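Review bot: In the motion.cc hunk, slice_hdr_idx is declared int and compared with colImg->slices.size(), which for a standard container is unsigned, so rejecting a negative index depends on the implicit conversion and will draw a sign-compare warning. State the intent explicitly, for example "if (slice_hdr_idx < 0 || (size_t)slice_hdr_idx >= colImg->slices.size())".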

Bug#1056934: bookworm-pu: libde265/1.0.11-1+deb12u1

2023-11-26 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for libde265 fixes CVE-2023-27102, CVE-2023-27103, 
CVE-2023-43887 and CVE-2023-47471 in Bookworm.
Except CVE-2023-43887 all others are marked as no-dsa by the security team 
(CVE-2023-43887 appeared recently and was not evaluated yet).


The fix was already uploaded to Stretch and nobody complained up to now.

  Thorsten
diff -Nru libde265-1.0.11/debian/changelog libde265-1.0.11/debian/changelog
--- libde265-1.0.11/debian/changelog2023-02-02 16:06:20.0 +0100
+++ libde265-1.0.11/debian/changelog2023-11-26 13:03:02.0 +0100
@@ -1,3 +1,19 @@
+libde265 (1.0.11-1+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2023-27102 (Closes: #1033257)
+fix segmentation violation in the
+function decoder_context::process_slice_segment_header
+  * CVE-2023-27103
+fix heap buffer overflow in the
+function derive_collocated_motion_vectors
+  * CVE-2023-43887
+fix buffer over-read in pic_parameter_set::dump
+  * CVE-2023-47471 (Closes: #1056187)
+fix buffer overflow in the slice_segment_header function
+
+ -- Thorsten Alteholz   Sun, 26 Nov 2023 13:03:02 +0100
+
 libde265 (1.0.11-1) unstable; urgency=medium
 
   [ Tobias Frost ]
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-27102.patch 
libde265-1.0.11/debian/patches/CVE-2023-27102.patch
--- libde265-1.0.11/debian/patches/CVE-2023-27102.patch 1970-01-01 
01:00:00.0 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-27102.patch 2023-11-21 
14:10:17.0 +0100
@@ -0,0 +1,23 @@
+commit 0b1752abff97cb542941d317a0d18aa50cb199b1
+Author: Dirk Farin 
+Date:   Sat Mar 4 10:32:43 2023 +0100
+
+check whether referenced PPS exists (fixes #393)
+
+Index: libde265-1.0.11/libde265/decctx.cc
+===
+--- libde265-1.0.11.orig/libde265/decctx.cc2023-11-19 19:08:18.703219858 
+0100
 libde265-1.0.11/libde265/decctx.cc 2023-11-19 19:08:18.703219858 +0100
+@@ -2276,9 +2276,10 @@
+   // get PPS and SPS for this slice
+ 
+   int pps_id = hdr->slice_pic_parameter_set_id;
+-  if (pps[pps_id]->pps_read==false) {
++  if (pps[pps_id]==nullptr || pps[pps_id]->pps_read==false) {
+ logerror(LogHeaders, "PPS %d has not been read\n", pps_id);
+-assert(false); // TODO
++img->decctx->add_warning(DE265_WARNING_NONEXISTING_PPS_REFERENCED, false);
++return false;
+   }
+ 
+   current_pps = pps[pps_id];
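Review bot: debian/patches/CVE-2023-27102.patch opens with the raw git "commit / Author / Date" lines and has no DEP-3 Origin or Bug-Debian field, although the changelog ties this fix to Closes: #1033257. Add an Origin field naming upstream commit 0b1752abff97cb542941d317a0d18aa50cb199b1 and a Bug-Debian field for #1033257 so the patch can be traced without the changelog.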
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-27103.patch 
libde265-1.0.11/debian/patches/CVE-2023-27103.patch
--- libde265-1.0.11/debian/patches/CVE-2023-27103.patch 1970-01-01 
01:00:00.0 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-27103.patch 2023-11-21 
14:10:17.0 +0100
@@ -0,0 +1,54 @@
+commit d6bf73e765b7a23627bfd7a8645c143fd9097995
+Author: Dirk Farin 
+Date:   Sat Mar 4 10:27:59 2023 +0100
+
+check for valid slice header index access (fixes #394)
+
+Index: libde265-1.0.11/libde265/de265.cc
+===
+--- libde265-1.0.11.orig/libde265/de265.cc 2023-11-19 19:08:22.851224558 
+0100
 libde265-1.0.11/libde265/de265.cc  2023-11-19 19:08:22.847224554 +0100
+@@ -174,6 +174,8 @@
+ return "Bit-depth of current image does not match SPS";
+   case DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH:
+ return "Chroma format of reference image does not match current image";
++  case DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS:
++return "Access with invalid slice header index";
+ 
+   default: return "unknown error";
+   }
+Index: libde265-1.0.11/libde265/de265.h
+===
+--- libde265-1.0.11.orig/libde265/de265.h  2023-11-19 19:08:22.851224558 
+0100
 libde265-1.0.11/libde265/de265.h   2023-11-19 19:08:22.847224554 +0100
+@@ -145,7 +145,8 @@
+   DE265_WARNING_REFERENCE_IMAGE_SIZE_DOES_NOT_MATCH_SPS=1029,
+   DE265_WARNING_CHROMA_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1030,
+   DE265_WARNING_BIT_DEPTH_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1031,
+-  DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH=1032
++  DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH=1032,
++  DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS=1033
+ } de265_error;
+ 
+ LIBDE265_API const char* de265_get_error_text(de265_error err);
+Index: libde265-1.0.11/libde265/motion.cc
+===
+--- libde265-1.0.11.orig/libde265/motion.cc2023-11-19 19:08:22.851224558 
+0100
 libde265-1.0.11/libde265/motion.cc 2023-11-19 19:08:22.847224554 +0100
+@@ -1266,6 +1266,16 @@
+ 
+ 
+ 
++  int slice_hdr_idx = colImg->get_SliceHeaderIndex(xColPb,yColPb);
++  if (slice_hdr_idx >= colImg->slices.size()) {
++ctx->add_warning(DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS, false);

Bug#1056918: bullseye-pu: package perl/5.32.1-4+deb11u3

2023-11-26 Thread Niko Tyni
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: p...@packages.debian.org, Salvatore Bonaccorso 
Control: affects -1 + src:perl

[ Reason ]
I'd like to fix #1056746 / CVE-2023-47038 in perl for bullseye.  It's a
non-DSA security issue that was made public yesterday and fixed upstream
in 5.34.2.

[ Impact ]
CVE-2023-47038 has security impact for applications that use untrusted
regular expressions to match input.

[ Tests ]
The fix augments the test suite to check for this issue. I have also
checked manually that the crash is gone with the patch. I reviewed amd64
binary debdiffs too and did some installation tests.

[ Risks ]
The fix is minimal and was trivially backported from the upstream fix in
5.34.1. It only differs from the one in sid / 5.36.0-10 by some fuzz. I
don't expect any fallout, but obviously I'll report here if any problems
are found in the 5.36.0-10 testing migration checks.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
The only change is a patch to the regexp engine in regcomp.c
and the associated new tests. The patch description has
a long explanation of the issue.

[ Other info ]
I'm uploading right away as I don't expect any of this to be
controversial. Hope that's fine by you.

Thanks for your work on Debian.
diff -Nru perl-5.32.1/debian/changelog perl-5.32.1/debian/changelog
--- perl-5.32.1/debian/changelog2021-09-24 19:10:58.0 +0300
+++ perl-5.32.1/debian/changelog2023-11-25 23:03:14.0 +0200
@@ -1,3 +1,10 @@
+perl (5.32.1-4+deb11u3) bullseye; urgency=medium
+
+  * [SECURITY] CVE-2023-47038: Write past buffer end via illegal
+user-defined Unicode property. (Closes: #1056746)
+
+ -- Niko Tyni   Sat, 25 Nov 2023 23:03:14 +0200
+
 perl (5.32.1-4+deb11u2) bullseye; urgency=medium
 
   * Apply upstream patch fixing a regexp memory leak. (Closes: #994834)
diff -Nru perl-5.32.1/debian/patches/fixes/CVE-2023-47038.diff 
perl-5.32.1/debian/patches/fixes/CVE-2023-47038.diff
--- perl-5.32.1/debian/patches/fixes/CVE-2023-47038.diff1970-01-01 
02:00:00.0 +0200
+++ perl-5.32.1/debian/patches/fixes/CVE-2023-47038.diff2023-11-25 
23:03:14.0 +0200
@@ -0,0 +1,119 @@
+From: Karl Williamson 
+Date: Sat, 9 Sep 2023 11:59:09 -0600
+Subject: Fix read/write past buffer end: perl-security#140
+
+A package name may be specified in a \p{...} regular expression
+construct.  If unspecified, "utf8::" is assumed, which is the package
+all official Unicode properties are in.  By specifying a different
+package, one can create a user-defined property with the same
+unqualified name as a Unicode one.  Such a property is defined by a sub
+whose name begins with "Is" or "In", and if the sub wishes to refer to
+an official Unicode property, it must explicitly specify the "utf8::".
+S_parse_uniprop_string() is used to parse the interior of both \p{} and
+the user-defined sub lines.
+
+In S_parse_uniprop_string(), it parses the input "name" parameter,
+creating a modified copy, "lookup_name", malloc'ed with the same size as
+"name".  The modifications are essentially to create a canonicalized
+version of the input, with such things as extraneous white-space
+stripped off.  I found it convenient to strip off the package specifier
+"utf8::".  To to so, the code simply pretends "lookup_name" begins just
+after the "utf8::", and adjusts various other values to compensate.
+However, it missed the adjustment of one required one.
+
+This is only a problem when the property name begins with "perl" and
+isn't "perlspace" nor "perlword".  All such ones are undocumented
+internal properties.
+
+What happens in this case is that the input is reparsed with slightly
+different rules in effect as to what is legal versus illegal.  The
+problem is that "lookup_name" no longer is pointing to its initial
+value, but "name" is.  Thus the space allocated for filling "lookup_name"
+is now shorter than "name", and as this shortened "lookup_name" is
+filled by copying suitable portions of "name", the write can be to
+unallocated space.
+
+The solution is to skip the "utf8::" when reparsing "name".  Then both
+"lookup_name" and "name" are effectively shortened by the same amount,
+and there is no going off the end.
+
+This commit also does white-space adjustment so that things align
+vertically for readability.
+
+This can be easily backported to earlier Perl releases.
+
+Bug-Debian: https://bugs.debian.org/1056746
+Origin: backport, 
https://github.com/Perl/perl5/commit/12c313ce49b36160a7ca2e9b07ad5bd92ee4a010
+---
+ regcomp.c   | 17 +++--
+ t/re/pat_advanced.t |  8 
+ 2 files changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/regcomp.c b/regcomp.c
+index 5c72ff7..d282ebc 100644
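Review bot: The embedded commit message states "This commit also does white-space adjustment so that things align vertically", and the diffstat shows 17 changed lines in regcomp.c for what the description calls one missed adjustment. For a stable update, consider dropping the realignment so the regcomp.c hunk shows only the change that skips "utf8::" when reparsing "name"; that keeps the security-relevant lines easy to audit.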

Processed: bullseye-pu: package perl/5.32.1-4+deb11u3

2023-11-26 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:perl
Bug #1056918 [release.debian.org] bullseye-pu: package perl/5.32.1-4+deb11u3
Added indication that 1056918 affects src:perl

-- 
1056918: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056918
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1055600: transition: suitesparse-7.3

2023-11-26 Thread Sébastien Villemot
On Friday 17 November 2023 at 07:43 +0100, Sebastian Ramacher wrote:
> On 2023-11-08 18:00:20 +0100, Sébastien Villemot wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: transition
> > Control: forwarded -1 https://release.debian.org/transitions/html/auto-suitesparse.html
> >
> > Please schedule a transition for suitesparse 7.3, which currently sits in
> > experimental.
> > 
> > One of the shared libraries got a SOVERSION bump (libcholmod4 → libcholmod5). The
> > ABI change is minor and I’m therefore fairly confident that there won’t be any
> > issue.
> 
> Please go ahead.

The transition is mostly complete.

The only remaining issue is an autopkgtest failure of octave in
testing, reported as #1056392.

I’ve argued there that this issue only affects partial upgrades, and
that I’m not sure how to fix it (if fixing is needed at all). Please
advise.

-- 
⢀⣴⠾⠻⢶⣦⠀  Sébastien Villemot
⣾⠁⢠⠒⠀⣿⡁  Debian Developer
⢿⡄⠘⠷⠚⠋⠀  https://sebastien.villemot.name
⠈⠳⣄  https://www.debian.org





Processed: bookworm-pu: package perl/5.36.0-7+deb12u1

2023-11-26 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:perl
Bug #1056917 [release.debian.org] bookworm-pu: package perl/5.36.0-7+deb12u1
Added indication that 1056917 affects src:perl

-- 
1056917: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056917
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1056917: bookworm-pu: package perl/5.36.0-7+deb12u1

2023-11-26 Thread Niko Tyni
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: p...@packages.debian.org, Salvatore Bonaccorso 
Control: affects -1 + src:perl

[ Reason ]
I'd like to fix #1056746 / CVE-2023-47038 in perl for bookworm.  It's a
non-DSA security issue that was made public yesterday and fixed upstream
in 5.36.2.

[ Impact ]
CVE-2023-47038 has security impact for applications that use untrusted
regular expressions to match input.

[ Tests ]
The fix augments the test suite to check for this issue. I have also
checked manually that the crash is gone with the patch. I reviewed amd64
binary debdiffs too and did some installation tests.

[ Risks ]
The fix is minimal and identical to the one in sid / 5.36.0-10.  I don't
expect any fallout, but obviously I'll report here if any problems are
found in the testing migration checks.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
The only change is a patch to the regexp engine in regcomp.c
and the associated new tests. The patch description has
a long explanation of the issue.

[ Other info ]
I'm uploading right away as I don't expect any of this to be
controversial. Hope that's fine by you.

Thanks for your work on Debian.
diff -Nru perl-5.36.0/debian/changelog perl-5.36.0/debian/changelog
--- perl-5.36.0/debian/changelog2023-01-08 23:28:47.0 +0200
+++ perl-5.36.0/debian/changelog2023-11-25 22:59:54.0 +0200
@@ -1,3 +1,10 @@
+perl (5.36.0-7+deb12u1) bookworm; urgency=medium
+
+  * [SECURITY] CVE-2023-47038: Write past buffer end via illegal
+user-defined Unicode property. (Closes: #1056746)
+
+ -- Niko Tyni   Sat, 25 Nov 2023 22:59:54 +0200
+
 perl (5.36.0-7) unstable; urgency=medium
 
   * Break backuppc (<< 4.4.0-7~) due to Data::Dumper changes in 5.36
diff -Nru perl-5.36.0/debian/patches/fixes/CVE-2023-47038.diff 
perl-5.36.0/debian/patches/fixes/CVE-2023-47038.diff
--- perl-5.36.0/debian/patches/fixes/CVE-2023-47038.diff1970-01-01 
02:00:00.0 +0200
+++ perl-5.36.0/debian/patches/fixes/CVE-2023-47038.diff2023-11-25 
22:59:54.0 +0200
@@ -0,0 +1,119 @@
+From: Karl Williamson 
+Date: Sat, 9 Sep 2023 11:59:09 -0600
+Subject: Fix read/write past buffer end: perl-security#140
+
+A package name may be specified in a \p{...} regular expression
+construct.  If unspecified, "utf8::" is assumed, which is the package
+all official Unicode properties are in.  By specifying a different
+package, one can create a user-defined property with the same
+unqualified name as a Unicode one.  Such a property is defined by a sub
+whose name begins with "Is" or "In", and if the sub wishes to refer to
+an official Unicode property, it must explicitly specify the "utf8::".
+S_parse_uniprop_string() is used to parse the interior of both \p{} and
+the user-defined sub lines.
+
+In S_parse_uniprop_string(), it parses the input "name" parameter,
+creating a modified copy, "lookup_name", malloc'ed with the same size as
+"name".  The modifications are essentially to create a canonicalized
+version of the input, with such things as extraneous white-space
+stripped off.  I found it convenient to strip off the package specifier
+"utf8::".  To to so, the code simply pretends "lookup_name" begins just
+after the "utf8::", and adjusts various other values to compensate.
+However, it missed the adjustment of one required one.
+
+This is only a problem when the property name begins with "perl" and
+isn't "perlspace" nor "perlword".  All such ones are undocumented
+internal properties.
+
+What happens in this case is that the input is reparsed with slightly
+different rules in effect as to what is legal versus illegal.  The
+problem is that "lookup_name" no longer is pointing to its initial
+value, but "name" is.  Thus the space allocated for filling "lookup_name"
+is now shorter than "name", and as this shortened "lookup_name" is
+filled by copying suitable portions of "name", the write can be to
+unallocated space.
+
+The solution is to skip the "utf8::" when reparsing "name".  Then both
+"lookup_name" and "name" are effectively shortened by the same amount,
+and there is no going off the end.
+
+This commit also does white-space adjustment so that things align
+vertically for readability.
+
+This can be easily backported to earlier Perl releases.
+
+Bug-Debian: https://bugs.debian.org/1056746
+Origin: backport, 
https://github.com/Perl/perl5/commit/7047915eef37fccd93e7cd985c29fe6be54650b6
+---
+ regcomp.c   | 17 +++--
+ t/re/pat_advanced.t |  8 
+ 2 files changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/regcomp.c b/regcomp.c
+index 4051333..9c0338c 100644
+--- a/regcomp.c
 b/regcomp.c
+@@ -24178,7 +24178,7 @@ S_parse_uniprop_string(pTHX_
+  * 

Bug#1054657: Transition issue for r-cran-rstanarm (Was: Bug#1055922: rmatrix: ABI change in Matrix 1.6-2)

2023-11-26 Thread Andreas Tille
Hi Graham,

On Fri, Nov 24, 2023 at 10:20:38PM +0100, Andreas Tille wrote:
> > Closing now because there's nothing to be done in rmatrix.
> > 
> > The remaining regressions seen are caused by unrelated uploads of
> > r-cran-seurat/r-cran-seuratobject on 2023-11-01 and

r-cran-seuratobject 5.0.1-1 has migrated to testing today.
r-cran-seurat had not passed waiting time.

> > r-cran-rstan/r-cran-rstanarm on 2023-10-27 which have not yet
> > migrated.

I've asked ftpmaster for removal (see bug #1056913) of some architecture
builds for r-cran-rstan which is preventing the migration of this
package.

There is another issue for r-cran-rstan which affects a regression
for r-cran-projpred for ppc64el architecture[1] which boils down to:

 53s Unpacking pandoc (2.17.1.1-3) ...
 54s dpkg-deb: error:  subprocess was killed by signal (Killed)
 54s dpkg: error processing archive /tmp/apt-dpkg-install-geka0F/120-pandoc_2.17.1.1-3_ppc64el.deb (--unpack):
 54s  cannot copy extracted data for './usr/bin/pandoc' to '/usr/bin/pandoc.dpkg-new': unexpected end of file or stream
 ...
 71s Errors were encountered while processing:
 71s  /tmp/apt-dpkg-install-geka0F/120-pandoc_2.17.1.1-3_ppc64el.deb
 72s E: Sub-process /usr/bin/dpkg returned an error code (1)

It seems something on this architecture is broken I can't do anything
about.  Could you provide help here?

Kind regards
 Andreas.

[1] https://ci.debian.net/data/autopkgtest/testing/ppc64el/r/r-cran-projpred/40151666/log.gz

-- 
http://fam-tille.de



Bug#1056574: transition: ppp

2023-11-26 Thread Patrice Duroux
Hi,
And maybe then reversing this in openfortivpn package:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056235#27


Thanks!



Bug#1055857: transition: opm-common

2023-11-26 Thread Markus Blatt

Hi,

On Thu, Nov 23, 2023 at 09:32:31AM +0100, Sebastian Ramacher wrote:
> On 2023-11-12 21:42:20 +0100, Markus Blatt wrote:
> > Dear Debian release team,
> >
> > A new upstream release of OPM is available. To ease migration to testing I am
> > requesting a mini-transition. Uploading to unstable would probably work even
> > without a transition, but I would like to play it safe.
> >
> > This should only affect the OPM source packages opm-common, opm-grid,
> > opm-models, opm-simulators and opm-upscaling.
> >
> > I have already uploaded new versions to experimental that seemed to have built
> > without any issues, see [1].
> > (please explain about the transition: impacted packages, reason, ...
> >  for more info see: https://wiki.debian.org/Teams/ReleaseTeam/Transitions)
> >
> > Ben file:
> >
> > title = "libopm-common-2023";
> > is_affected = .depends ~ "libopm-common-2023.04" | .depends ~ "libopm-common-2023.10";
> > is_good = .depends ~ "libopm-common-2023.10";
> > is_bad = .depends ~ "libopm-common-2023.04";
>
> libopm-common has a Provides: libopm-common-X, but the shared library
> included in libopm-common also has a SONAME of libopm-common.X. Why is
> the packaging not following the common practice of matching the package
> name with the SONAME?



Thanks a lot for noticing.

Indeed the library has an SONAME, but as upstream does not care about API
changes, one cannot rely on them. Basically the SONAME is changed
with every release. Releases happen twice a year in April/October. Hence
we have 2022.04, 2022.10, 2023.04, 2023.10, etc. The problem probably is
that there is no compatibility between 2023.04 and 2023.10. If we would do
intermediate snapshot releases, then those might have slightly incompatible APIs,
too.

The reason for the current situation probably is a combination of lack of
knowledge on my side and inspiration taken from libdune-common-dev. I now
realise that the situation is different here, though.

Solving the SONAME issue might require quite some additional work. We would need
to start with 2024.0 now and increase the major number with every release. If
we do this only in Debian then those numbers would also differ from upstream,
which might be a problem.

What would your suggestion be?

Cheers,

Markus



Bug#1056574: transition: ppp

2023-11-26 Thread Chris Boot

On 26/11/2023 10:56, Chris Boot wrote:
> > Any way to reduce possible breakage, or to detect and fix it before
> > the transition starts? Like rebuilding rdeps, or checking rdep
> > autopkgtests?
>
> I'll go and do some rebuilds now and see how they go. If any breakage
> occurs it will be obvious at build time.


The status of the rdeps (list taken from the tracker):

connman: OK
network-manager: OK
pptpd: https://bugs.debian.org/1056898
sstp-client: https://bugs.debian.org/1056900

network-manager-fortisslvpn: https://bugs.debian.org/1056901
network-manager-l2tp: OK
network-manager-pptp: OK
network-manager-sstp: https://bugs.debian.org/1056903

Cheers,
Chris

--
Chris Boot
bo...@debian.org



Bug#1056574: transition: ppp

2023-11-26 Thread Chris Boot

[re-sending to include the bug, oops]

On 24/11/2023 15:52, Emilio Pozuelo Monfort wrote:
> On 23/11/2023 11:54, Chris Boot wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: transition
> > X-Debbugs-Cc: p...@packages.debian.org
> > Control: affects -1 + src:ppp
> >
> > Hello Release Team friends,
> >
> > I uploaded ppp-2.5.0-1+1 to experimental back in September, and I think
> > it's time to unleash it on unstable, ideally in the next few days. This
> > is an ABI break both due to the new upstream version but there are also
> > significant changes in this release that may break dependent packages.
>
> Any way to reduce possible breakage, or to detect and fix it before the
> transition starts? Like rebuilding rdeps, or checking rdep autopkgtests?

I'll go and do some rebuilds now and see how they go. If any breakage
occurs it will be obvious at build time.

> > The upload I'm planning, 2.5.0-1+2, only has a minor fix for loong64 and
> > a changelog fix.
> >
> > As usual this isn't a traditional library package upload so the Ben file
> > looks a bit foreign. See #890204 for a previous time we did this.
>
> I have added a tracker, should appear in an hour or two.

Many thanks.

Cheers,
Chris

--
Chris Boot
bo...@debian.org