Processed: bookworm-pu: package qemu/1:7.2+dfsg-7+deb12u4

2024-01-30 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:qemu
Bug #1062044 [release.debian.org] bookworm-pu: package qemu/1:7.2+dfsg-7+deb12u4
Added indication that 1062044 affects src:qemu

-- 
1062044: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1062044
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1062006: bullseye-pu: package glibc/2.31-13+deb11u8

2024-01-30 Thread Aurelien Jarno
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gl...@packages.debian.org
Control: affects -1 + src:glibc

[ Reason ]
A memory corruption was discovered in glibc's qsort() function, due to a
missing bounds check, when called by a program with a non-transitive
comparison function and a large number of attacker-controlled elements.
As the use of qsort() with a non-transitive comparison function is
undefined according to the POSIX and ISO C standards, this is not
considered a vulnerability in glibc itself (hence no CVE number has been
assigned).

However, as misbehaving callers seem to be relatively common, it is
still a security issue and the qsort() function needs to be hardened
against them.

[ Impact ]
Installations will be left vulnerable to the qsort() security issue.

[ Tests ]
There is no specific test added for that change, however there are a few
upstream tests checking qsort().

[ Risks ]
The code change is very simple, and has been reviewed as part of
DSA-561-11. In addition a similar change went upstream a few weeks ago:
https://sourceware.org/git/?p=glibc.git;a=commit;h=e4d8117b82065dc72e8df80097360e7c05a349b9
https://sourceware.org/git/?p=glibc.git;a=commit;h=b9390ba93676c4b1e87e218af5e7e4bb596312ac

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The change basically just adds a bounds check to a test. This is what got
uploaded in 2.36-9+deb12u4 for bookworm-security and 2.37-15 for
unstable.

[ Other info ]
Given the limited changes, I have already uploaded the package to the
archive. Thanks for considering. 
diff -Nru glibc-2.31/debian/changelog glibc-2.31/debian/changelog
--- glibc-2.31/debian/changelog 2023-10-02 22:22:57.0 +0200
+++ glibc-2.31/debian/changelog 2024-01-28 23:58:14.0 +0100
@@ -1,3 +1,10 @@
+glibc (2.31-13+deb11u8) bullseye; urgency=medium
+
+  * debian/patches/any/local-qsort-memory-corruption.patch: Fix a memory
+corruption in qsort() when using nontransitive comparison functions.
+
+ -- Aurelien Jarno   Sun, 28 Jan 2024 23:58:14 +0100
+
 glibc (2.31-13+deb11u7) bullseye-security; urgency=medium
 
   * debian/patches/any/local-CVE-2023-4911.patch: Fix a buffer overflow in the
diff -Nru glibc-2.31/debian/patches/any/local-qsort-memory-corruption.patch 
glibc-2.31/debian/patches/any/local-qsort-memory-corruption.patch
--- glibc-2.31/debian/patches/any/local-qsort-memory-corruption.patch   
1970-01-01 01:00:00.0 +0100
+++ glibc-2.31/debian/patches/any/local-qsort-memory-corruption.patch   
2024-01-28 23:58:14.0 +0100
@@ -0,0 +1,13 @@
+diff -rup a/stdlib/qsort.c b/stdlib/qsort.c
+--- a/stdlib/qsort.c   2023-07-31 10:54:16.0 -0700
 b/stdlib/qsort.c   2024-01-15 09:08:25.596167959 -0800
+@@ -224,7 +224,8 @@ _quicksort (void *const pbase, size_t to
+ while ((run_ptr += size) <= end_ptr)
+   {
+   tmp_ptr = run_ptr - size;
+-  while ((*cmp) ((void *) run_ptr, (void *) tmp_ptr, arg) < 0)
++  while (tmp_ptr != base_ptr
++ && (*cmp) ((void *) run_ptr, (void *) tmp_ptr, arg) < 0)
+ tmp_ptr -= size;
+ 
+   tmp_ptr += size;
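Review bot: the embedded qsort patch has no DEP-3 header, so the file itself records neither where the change comes from nor which upstream commits it mirrors; the two sourceware commits cited under [Risks] belong in `Origin:` lines at the top of `local-qsort-memory-corruption.patch`, with a one-line `Description:` naming the non-transitive-comparator case. The check itself is sound: `tmp_ptr != base_ptr` is evaluated before the comparator call, so the walk-left loop now stops at the first element instead of reading `size` bytes before the array when the comparator claims the running element is smaller than the sentinel, and the following `tmp_ptr += size` then inserts at index 1, which is memory-safe even if the order is not what the broken comparator asked for. As posted, the ` b/stdlib/qsort.c` file header line lacks its `+++` prefix; if that is in the file rather than a mail artefact the patch will not apply, so a `quilt push -a` check is worth doing before upload.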
diff -Nru glibc-2.31/debian/patches/series glibc-2.31/debian/patches/series
--- glibc-2.31/debian/patches/series2023-10-02 22:18:17.0 +0200
+++ glibc-2.31/debian/patches/series2024-01-28 23:58:14.0 +0100
@@ -170,3 +170,4 @@
 any/git-ld.so-cache-endianness-markup.diff
 any/local-CVE-2021-33574-mq_notify-use-after-free.diff
 any/local-CVE-2023-4911.patch
+any/local-qsort-memory-corruption.patch
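
The sentinel-based insertion-sort loop that the patch above guards, modelled in an added C example that is not part of the upload or of glibc: a constructed non-transitive comparator (rock-paper-scissors on values mod 3) makes the `tmp_ptr != base_ptr` check fire, and a pair/triple consistency check shows how a caller can catch such a comparator on sample data before handing it to qsort(). The names `sort_with_sentinel`, `comparator_is_consistent`, `cmp_rps` and the sample array are assumptions of this example, and the element shift uses a fixed 64-byte buffer instead of glibc's byte-wise rotation.

```c
#include <stddef.h>
#include <string.h>

typedef int (*cmp_fn)(const void *, const void *);

/* Constructed comparator (assumes non-negative ints): antisymmetric but not
 * transitive, "rock-paper-scissors" on value mod 3 (0 < 1, 1 < 2, 2 < 0). */
static int cmp_rps(const void *a, const void *b)
{
    int x = *(const int *)a % 3, y = *(const int *)b % 3;
    return x == y ? 0 : ((y - x + 3) % 3 == 1 ? -1 : 1);
}

static int cmp_int(const void *a, const void *b) /* well-behaved, for contrast */
{
    int x = *(const int *)a, y = *(const int *)b;
    return (x > y) - (x < y);
}

/* Sentinel-based insertion sort shaped like glibc's _quicksort tail: a
 * pre-pass moves the pairwise-smallest element to base_ptr and the walk-left
 * loop then trusts it as a lower bound.  The loop carries the patch's
 * "tmp_ptr != base_ptr" guard; each time the guard rather than the comparator
 * stops the walk, the unpatched loop would have read before the array, and we
 * count one underrun.  Returns that count, or -1 if size > 64 (example limit). */
static int sort_with_sentinel(void *base, size_t n, size_t size, cmp_fn cmp)
{
    char *base_ptr = base, *run_ptr, *tmp_ptr, *end_ptr;
    unsigned char hold[64];
    int underruns = 0;

    if (n < 2) return 0;
    if (size > sizeof hold) return -1;
    end_ptr = base_ptr + (n - 1) * size;
    /* Pre-pass: with a sane comparator this puts the true minimum first. */
    tmp_ptr = base_ptr;
    for (run_ptr = base_ptr + size; run_ptr <= end_ptr; run_ptr += size)
        if (cmp(run_ptr, tmp_ptr) < 0)
            tmp_ptr = run_ptr;
    if (tmp_ptr != base_ptr) {
        memcpy(hold, tmp_ptr, size);
        memcpy(tmp_ptr, base_ptr, size);
        memcpy(base_ptr, hold, size);
    }

    for (run_ptr = base_ptr + size; run_ptr <= end_ptr; run_ptr += size) {
        tmp_ptr = run_ptr - size;
        while (tmp_ptr != base_ptr && cmp(run_ptr, tmp_ptr) < 0) /* patched loop */
            tmp_ptr -= size;
        if (tmp_ptr == base_ptr && cmp(run_ptr, base_ptr) < 0)
            underruns++; /* unpatched glibc would step to base_ptr - size here */
        tmp_ptr += size;
        if (tmp_ptr != run_ptr) { /* open a gap at tmp_ptr and drop the element in */
            memcpy(hold, run_ptr, size);
            memmove(tmp_ptr + size, tmp_ptr, (size_t)(run_ptr - tmp_ptr));
            memcpy(tmp_ptr, hold, size);
        }
    }
    return underruns;
}

/* Caller-side check of a comparator on sample data: antisymmetry over every
 * pair and transitivity over every triple.  O(n^3); for test data only. */
static int comparator_is_consistent(const void *base, size_t n, size_t size, cmp_fn cmp)
{
    const char *b = base;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++) {
            int ij = cmp(b + i * size, b + j * size), ji = cmp(b + j * size, b + i * size);
            if ((ij < 0) != (ji > 0) || (ij == 0) != (ji == 0))
                return 0; /* not antisymmetric */
            for (size_t k = 0; k < n; k++) {
                int jk = cmp(b + j * size, b + k * size), ik = cmp(b + i * size, b + k * size);
                if ((ij < 0 && jk < 0 && ik >= 0) || (ij == 0 && jk == 0 && ik != 0))
                    return 0; /* not transitive */
            }
        }
    return 1;
}
```

On the constructed input {1, 1, 0, 2} the pre-pass picks 2 as the "minimum", so element 1 then compares smaller than the sentinel and the guard fires once; cmp_int sorts the same input cleanly with no underrun.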


Processed: bullseye-pu: package glibc/2.31-13+deb11u8

2024-01-30 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:glibc
Bug #1062006 [release.debian.org] bullseye-pu: package glibc/2.31-13+deb11u8
Added indication that 1062006 affects src:glibc

-- 
1062006: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1062006
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: bullseye-pu: package usb.ids/2024.01.20-0+deb11u1

2024-01-30 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:usb.ids
Bug #1062005 [release.debian.org] bullseye-pu: package 
usb.ids/2024.01.20-0+deb11u1
Added indication that 1062005 affects src:usb.ids

-- 
1062005: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1062005
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: bookworm-pu: package usb.ids/2024.01.20-0+deb12u1

2024-01-30 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:usb.ids
Bug #1062004 [release.debian.org] bookworm-pu: package 
usb.ids/2024.01.20-0+deb12u1
Added indication that 1062004 affects src:usb.ids

-- 
1062004: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1062004
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1062005: bullseye-pu: package usb.ids/2024.01.20-0+deb11u1

2024-01-30 Thread Aurelien Jarno
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: usb@packages.debian.org
Control: affects -1 + src:usb.ids

[ Reason ]
This new upstream version of the USB ID database adds a few USB devices.

[ Impact ]
New USB devices will not be displayed with a human readable name for
packages using this database.

[ Tests ]
There is no test associated with this database. This package only
contains data, no code.

[ Risks ]
Risks are very low, such updates are routinely done in stable.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
I would like to do an update of the usb.ids package to add/update around
~200 USB devices to the usb.ids database. Those changes are already in
testing/sid for a few days.

Note that contrary to the last (old-)stable update, there have been
incompatible changes introduced in testing/sid to support boot with
an empty /etc and /var, so this is not a rebuild of the testing/sid
package.

[ Other info ]
I have already uploaded the package to the archive. Thanks for
considering.
diff -Nru usb.ids-2023.01.16/debian/changelog 
usb.ids-2024.01.20/debian/changelog
--- usb.ids-2023.01.16/debian/changelog 2023-04-11 14:14:30.0 +0200
+++ usb.ids-2024.01.20/debian/changelog 2024-01-30 07:07:08.0 +0100
@@ -1,3 +1,9 @@
+usb.ids (2024.01.20-0+deb11u1) bullseye; urgency=medium
+
+  * New upstream version.
+
+ -- Aurelien Jarno   Tue, 30 Jan 2024 07:07:08 +0100
+
 usb.ids (2023.01.16-0+deb11u1) bullseye; urgency=medium
  
   * Upload to bullseye.
diff -Nru usb.ids-2023.01.16/usb.ids usb.ids-2024.01.20/usb.ids
--- usb.ids-2023.01.16/usb.ids  2023-01-16 21:34:10.0 +0100
+++ usb.ids-2024.01.20/usb.ids  2024-01-20 21:34:02.0 +0100
@@ -9,8 +9,8 @@
 #  The latest version can be obtained from
 #  http://www.linux-usb.org/usb.ids
 #
-# Version: 2023.01.16
-# Date:2023-01-16 20:34:10
+# Version: 2024.01.20
+# Date:2024-01-20 20:34:02
 #
 
 # Vendors, devices and interfaces. Please keep sorted.
@@ -259,7 +259,7 @@
0507  DVD+RW
050c  5219 Wireless Keyboard
0511  OfficeJet K60
-   0512  DeckJet 450
+   0512  DeskJet 450
0517  LaserJet 1000
051d  Bluetooth Interface
052a  LaserJet M1212nf MFP
@@ -271,6 +271,7 @@
0612  business inkjet 3000
0624  Bluetooth Dongle
0641  X1200 Optical Mouse
+   0653  DeskJet 3700 series
0701  ScanJet 5300c/5370c
0704  DeskJet 825c
0705  ScanJet 4400c
@@ -752,9 +753,9 @@
008c  AVC-2310 Device
0094  eHome Infrared Receiver
009b  AVC-1410 GameBridge TV NTSC
-   2000  USBXchange
+   2000  USBXchange Firmware Loader
2001  USBXchange Adapter
-   2002  USB2-Xchange
+   2002  USB2-Xchange Firmware Loader
2003  USB2-Xchange Adapter
4000  4-port hub
adcc  Composite Device Support
@@ -820,6 +821,9 @@
601f  FT601 32-bit FIFO IC
6ee0  EZO Carrier Board
6f70  HB-RF-USB
+   7150  FT2232x wired for MPSSE+UART
+   7151  FT2232x wired for MPSSE+UART
+   7152  FreeCalypso dual UART with boot control
7be8  FT232R
8028  Dev board JTAG (FT232H based)
8040  4 Port Hub
@@ -964,6 +968,7 @@
fc0b  Crystalfontz CFA-633 USB LCD
fc0c  Crystalfontz CFA-631 USB LCD
fc0d  Crystalfontz CFA-635 USB LCD
+   fc0e  Crystalfontz CFA-533
fc82  SEMC DSS-20/DSS-25 SyncStation
fd48  ShipModul MiniPlex-4xUSB NMEA Multiplexer
fd49  ShipModul MiniPlex-4xUSB-AIS NMEA Multiplexer
@@ -1714,6 +1719,7 @@
3fcc  RME MADIface
4041  Hub and media card controller
4060  Ultra Fast Media Reader
+   4063  xD/SD/MS/MMC Reader
4064  Ultra Fast Media Reader
4712  USB4712 high-speed hub
4713  USB4715 high-speed hub (2 ports disabled)
@@ -1970,6 +1976,9 @@
9800  Remote Control Receiver_iMON
9803  eHome Infrared Receiver
9804  DMB Receiver Control
+   9a10  34UC88-B
+   9a11  34UC88-B
+   9a39  27UP850 - WK.AEUDCSN - External Monitor 4K
9c01  LGE Sync
 043f  RadiSys Corp.
 0440  Eizo Nanao Corp.
@@ -2372,7 +2381,6 @@
029d  Xbox360 HD-DVD Drive
029e  Xbox360 HD-DVD Memory Unit
02a0  Xbox360 Big Button IR
-   02a1  Xbox 360 Wireless Receiver for Windows
02a8  Xbox360 Wireless N Networking Adapter [Atheros AR7010+AR9280]
02ad  Xbox NUI Audio
02ae  Xbox NUI Camera
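Review bot: this hunk drops the `02a1  Xbox 360 Wireless Receiver for Windows` entry outright rather than renaming it, so after the update that product id will show up with no name on bullseye; worth confirming it is a deliberate upstream removal (the id being reassigned, for instance) and not a lost line, since a stable update of this database normally adds names rather than removing them.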
@@ -2387,11 +2395,10 @@
02dd  Xbox One Controller (Firmware 2015)
02e0  Xbox One Wireless Controller
02e3  Xbox One Elite Controller
-   02e6  Wireless XBox Controller Dongle
-   02ea  Xbox One S Controller
+  

Bug#1062004: bookworm-pu: package usb.ids/2024.01.20-0+deb12u1

2024-01-30 Thread Aurelien Jarno
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: usb@packages.debian.org
Control: affects -1 + src:usb.ids

[ Reason ]
This new upstream version of the USB ID database adds a few USB devices.

[ Impact ]
New USB devices will not be displayed with a human readable name for
packages using this database.

[ Tests ]
There is no test associated with this database. This package only
contains data, no code.

[ Risks ]
Risks are very low, such updates are routinely done in stable.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
I would like to do an update of the usb.ids package to add/update around
~60 USB devices to the usb.ids database. Those changes are already in
testing/sid for a few days.

Note that contrary to the last (old-)stable update, there have been
incompatible changes introduced in testing/sid to support boot with
an empty /etc and /var, so this is not a rebuild of the testing/sid
package.

[ Other info ]
I have already uploaded the package to the archive. Thanks for
considering.
diff -Nru usb.ids-2023.05.17/debian/changelog 
usb.ids-2024.01.20/debian/changelog
--- usb.ids-2023.05.17/debian/changelog 2023-07-14 18:30:52.0 +0200
+++ usb.ids-2024.01.20/debian/changelog 2024-01-30 07:07:50.0 +0100
@@ -1,3 +1,9 @@
+usb.ids (2024.01.20-0+deb12u1) bookworm; urgency=medium
+
+  * New upstream version.
+
+ -- Aurelien Jarno   Tue, 30 Jan 2024 07:07:50 +0100
+
 usb.ids (2023.05.17-0+deb12u1) bookworm; urgency=medium
 
   * Upload to bookworm.
diff -Nru usb.ids-2023.05.17/usb.ids usb.ids-2024.01.20/usb.ids
--- usb.ids-2023.05.17/usb.ids  2023-05-17 21:34:13.0 +0200
+++ usb.ids-2024.01.20/usb.ids  2024-01-20 21:34:02.0 +0100
@@ -9,8 +9,8 @@
 #  The latest version can be obtained from
 #  http://www.linux-usb.org/usb.ids
 #
-# Version: 2023.05.17
-# Date:2023-05-17 20:34:13
+# Version: 2024.01.20
+# Date:2024-01-20 20:34:02
 #
 
 # Vendors, devices and interfaces. Please keep sorted.
@@ -753,9 +753,9 @@
008c  AVC-2310 Device
0094  eHome Infrared Receiver
009b  AVC-1410 GameBridge TV NTSC
-   2000  USBXchange
+   2000  USBXchange Firmware Loader
2001  USBXchange Adapter
-   2002  USB2-Xchange
+   2002  USB2-Xchange Firmware Loader
2003  USB2-Xchange Adapter
4000  4-port hub
adcc  Composite Device Support
@@ -821,6 +821,9 @@
601f  FT601 32-bit FIFO IC
6ee0  EZO Carrier Board
6f70  HB-RF-USB
+   7150  FT2232x wired for MPSSE+UART
+   7151  FT2232x wired for MPSSE+UART
+   7152  FreeCalypso dual UART with boot control
7be8  FT232R
8028  Dev board JTAG (FT232H based)
8040  4 Port Hub
@@ -1716,6 +1719,7 @@
3fcc  RME MADIface
4041  Hub and media card controller
4060  Ultra Fast Media Reader
+   4063  xD/SD/MS/MMC Reader
4064  Ultra Fast Media Reader
4712  USB4712 high-speed hub
4713  USB4715 high-speed hub (2 ports disabled)
@@ -1972,6 +1976,8 @@
9800  Remote Control Receiver_iMON
9803  eHome Infrared Receiver
9804  DMB Receiver Control
+   9a10  34UC88-B
+   9a11  34UC88-B
9a39  27UP850 - WK.AEUDCSN - External Monitor 4K
9c01  LGE Sync
 043f  RadiSys Corp.
@@ -2392,6 +2398,7 @@
02e6  Xbox Wireless Adapter for Windows
02ea  Xbox One Controller
02fd  Xbox One S Controller [Bluetooth]
+   02fe  Xbox Wireless Adapter for Windows
0400  Windows Powered Pocket PC 2002
0401  Windows Powered Pocket PC 2002
0402  Windows Powered Pocket PC 2002
@@ -2568,6 +2575,7 @@
0800  Wireless keyboard (All-in-One-Media)
0810  LifeCam HD-3000
0823  Classic IntelliMouse
+   082a  Pro Intellimouse
0900  Surface Dock Hub
0901  Surface Dock Hub
0902  Surface Dock Hub
@@ -2734,6 +2742,7 @@
0301  USB 1.0 Hub
0500  Serial & Parallel Ports
ff10  Virtual Keyboard and Mouse
+   ff20  Virtual CDROM
 046c  Toshiba Corp., Digital Media Equipment
 046d  Logitech, Inc.
0082  Acer Aspire 5672 Webcam
@@ -3131,10 +3140,10 @@
c52b  Unifying Receiver
c52d  R700 Remote Presenter receiver
c52e  MK260 Wireless Combo Receiver
-   c52f  Unifying Receiver
+   c52f  Nano Receiver
c531  C-U0007 [Unifying Receiver]
c532  Unifying Receiver
-   c534  Unifying Receiver
+   c534  Nano Receiver
c537  Cordless Mouse Receiver
c539  Lightspeed Receiver
c53a  PowerPlay Wireless Charging System
@@ -3525,6 +3534,7 @@
5720  Mass Storage Device
5721  Interrupt Demo
5722  Bulk Demo
+ 

Bug#1061983: bullseye-pu: package debian-security-support/1:11+2024.01.30

2024-01-30 Thread Holger Levsen
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: debian-security-supp...@packages.debian.org
Control: affects -1 + src:debian-security-support

[ Reason ]
  * Add chromium to security-support-ended.deb11, thanks to Andres Salomon.
Closes: #1061268
  * Add tiles and libspring-java to security-support-limited. Closes: #1057343

[ Impact ]
Users might not learn that security support for some packages has ended.

[ Risks ]
trivial change, data-only update

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable



The diff is against the version already approved for+in bullseye-p-u:

 debian/.gitlab-ci.yml|   13 -
 debian/changelog |9 +
 security-support-ended.deb11 |4 +++-
 security-support-limited |2 ++
 4 files changed, 14 insertions(+), 14 deletions(-)

The .gitlab-ci.yml is desired and harmless.

The full diff is attached.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

It was a lesson to me, getting to know you.
diff -Nru debian-security-support-11+2023.12.11/debian/changelog debian-security-support-11+2024.01.30/debian/changelog
--- debian-security-support-11+2023.12.11/debian/changelog	2023-12-22 16:48:41.0 +0100
+++ debian-security-support-11+2024.01.30/debian/changelog	2024-01-30 17:55:19.0 +0100
@@ -1,3 +1,12 @@
+debian-security-support (1:11+2024.01.30) bullseye; urgency=medium
+
+  * Add chromium to security-support-ended.deb11, thanks to Andres Salomon.
+Closes: #1061268
+  * Add tiles and libspring-java to security-support-limited. Closes: #1057343
+  * Drop debian/.gitlab-ci.yml.
+
+ -- Holger Levsen   Tue, 30 Jan 2024 17:55:19 +0100
+
 debian-security-support (1:11+2023.12.11) bullseye; urgency=medium
 
   [ Santiago Ruano Rincón ]
diff -Nru debian-security-support-11+2023.12.11/debian/.gitlab-ci.yml debian-security-support-11+2024.01.30/debian/.gitlab-ci.yml
--- debian-security-support-11+2023.12.11/debian/.gitlab-ci.yml	2023-12-22 16:46:13.0 +0100
+++ debian-security-support-11+2024.01.30/debian/.gitlab-ci.yml	1970-01-01 01:00:00.0 +0100
@@ -1,13 +0,0 @@
-image: debian:unstable
-
-build: 
-  stage: build
-  
-  before_script:
-- apt-get update && apt-get -y install devscripts git-buildpackage
-- mk-build-deps --tool "apt -y -o Debug::pkgProblemResolver=yes --no-install-recommends" --install -r debian/control
-
-  script:
-- git checkout master
-- git pull
-- gbp buildpackage -uc -us
diff -Nru debian-security-support-11+2023.12.11/security-support-ended.deb11 debian-security-support-11+2024.01.30/security-support-ended.deb11
--- debian-security-support-11+2023.12.11/security-support-ended.deb11	2023-12-22 16:47:38.0 +0100
+++ debian-security-support-11+2024.01.30/security-support-ended.deb11	2024-01-30 17:51:03.0 +0100
@@ -10,6 +10,8 @@
 # 4. Descriptive text or URL with more details (optional)
 #In the program's output, this is prefixed with "Details:"
 
-tor  0.4.5.16-1  2023-11-22  https://lists.debian.org/debian-security-announce/2023/msg00258.html
+chromium 120.0.6099.224-1~deb11u12024-01-23  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061268
 consul   1.8.7+dfsg1-2   2023-12-04  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057418
 xen  4.14.5+94-ge49571868d-1 2023-09-30  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053246
+tor  0.4.5.16-1  2023-11-22  https://lists.debian.org/debian-security-announce/2023/msg00258.html
+
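Review bot: the new chromium line shows the version `120.0.6099.224-1~deb11u1` and the end date `2024-01-23` run together with no separating whitespace, whereas every other entry (e.g. `consul   1.8.7+dfsg1-2   2023-12-04  https://...`) keeps the four columns apart; if the committed file really lacks the separator, a whitespace-splitting reader will take `...~deb11u12024-01-23` as the version and the URL as the date, so check the file itself (this may only be the mail rendering). Two smaller points: the `tor` line is deleted at the top and re-added at the bottom, which makes the diff read as a change to tor when it is only a reorder, and the final `+` adds a trailing blank line to the file.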
diff -Nru debian-security-support-11+2023.12.11/security-support-limited debian-security-support-11+2024.01.30/security-support-limited
--- debian-security-support-11+2023.12.11/security-support-limited	2023-12-22 16:47:38.0 +0100
+++ debian-security-support-11+2024.01.30/security-support-limited	2024-01-30 17:55:19.0 +0100
@@ -15,6 +15,7 @@
 gnupg1  See #982258 and https://www.debian.org/releases/stretch/amd64/release-notes/ch-whats-new.en.html#modern-gnupg
 kde4libskhtml has no security support upstream, only for use on trusted content
 khtml   khtml has no security support upstream, only for use on trusted content, see #1004293
+libspring-java  should be only used for building other Debian packages or in a secured local environment with trusted devices.
 mozjs68 Not covered by security support, only suitable for trusted content, see #959804
 mozjs78 Not covered by security support, only suitable for trusted content, see #959804
 ocsinventory-server Only 
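Review bot: the `libspring-java` entry's explanation cites no bug or URL, while the neighbouring `khtml` and `mozjs*` entries end with `see #NNNNNN`; appending `see #1057343` (the bug the changelog closes for this change) would let users reach the rationale from the program's output. Also, `tiles`, which the changelog says is added alongside libspring-java, is not in this hunk; the diffstat shows two insertions for this file, so the other line presumably lives in a hunk not shown here, but worth a glance that both made it in.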

Processed: bullseye-pu: package debian-security-support/1:11+2024.01.30

2024-01-30 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:debian-security-support
Bug #1061983 [release.debian.org] bullseye-pu: package 
debian-security-support/1:11+2024.01.30
Added indication that 1061983 affects src:debian-security-support

-- 
1061983: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061983
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1061472: bullseye-pu: package tinyxml/2.6.2-4+deb11u2

2024-01-30 Thread Guilhem Moulin
On Thu, 25 Jan 2024 at 04:44:12 +0100, Guilhem Moulin wrote:
> [ Changes ]
>
> Fix CVE-2023-34194: Reachable assertion (and application exit) via a
> crafted XML document with a '\0' located after whitespace.

Per https://bugs.debian.org/1061473#12 I guess you'd like CVE-2023-40462
to be removed from d/changelog for bullseye-pu as well.  New debdiff
attached.

-- 
Guilhem.
diffstat for tinyxml-2.6.2 tinyxml-2.6.2

 changelog|9 +
 patches/CVE-2023-34194.patch |   27 +++
 patches/series   |1 +
 3 files changed, 37 insertions(+)

diff -Nru tinyxml-2.6.2/debian/changelog tinyxml-2.6.2/debian/changelog
--- tinyxml-2.6.2/debian/changelog  2022-10-20 16:32:51.0 +0200
+++ tinyxml-2.6.2/debian/changelog  2024-01-25 04:12:05.0 +0100
@@ -1,3 +1,12 @@
+tinyxml (2.6.2-4+deb11u2) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2023-34194: Reachable assertion (and application exit) via a
+crafted XML document with a '\0' located after whitespace.
+(Closes: #1059315)
+
+ -- Guilhem Moulin   Thu, 25 Jan 2024 04:12:05 +0100
+
 tinyxml (2.6.2-4+deb11u1) bullseye; urgency=medium
 
   * Import fix for CVE-2021-42260.
diff -Nru tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch 
tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch
--- tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch   1970-01-01 
01:00:00.0 +0100
+++ tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch   2024-01-25 
04:12:05.0 +0100
@@ -0,0 +1,27 @@
+From: Guilhem Moulin 
+Date: Sat, 30 Dec 2023 14:15:54 +0100
+Subject: Avoid reachable assertion via crafted XML document with a '\0'
+ located after whitespace
+
+Bug: https://www.forescout.com/resources/sierra21-vulnerabilities
+Bug-Debian: https://bugs.debian.org/1059315
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-34194
+---
+ tinyxmlparser.cpp | 4 
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tinyxmlparser.cpp b/tinyxmlparser.cpp
+index 8aa0dfa..1601962 100644
+--- a/tinyxmlparser.cpp
 b/tinyxmlparser.cpp
+@@ -1606,6 +1606,10 @@ const char* TiXmlDeclaration::Parse( const char* p, 
TiXmlParsingData* data, TiXm
+   }
+ 
+   p = SkipWhiteSpace( p, _encoding );
++  if ( !p || !*p )
++  {
++  break;
++  }
+   if ( StringEqual( p, "version", true, _encoding ) )
+   {
+   TiXmlAttribute attrib;
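Review bot: the guard sits in the right place, directly after `SkipWhiteSpace` and before the `StringEqual` calls that would otherwise run on a null or exhausted `p`, and `break` is the right exit since the enclosing loop is what iterates over the declaration's attributes; what is missing is a regression test with the input the changelog describes (a declaration whose whitespace is followed by a `\0`) so the hardening is locked in. Two smaller points: the DEP-3 header carries `Bug-Debian:` twice, and the second, security-tracker link belongs under `Bug:` next to the Forescout advisory (leaving `Bug-Debian:` for #1059315 only), with a `Forwarded:` line to record whether upstream took the fix; and the file header line ` b/tinyxmlparser.cpp` appears without its `+++` prefix as posted, so confirm the patch still applies with quilt before upload.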
diff -Nru tinyxml-2.6.2/debian/patches/series 
tinyxml-2.6.2/debian/patches/series
--- tinyxml-2.6.2/debian/patches/series 2022-10-20 16:32:49.0 +0200
+++ tinyxml-2.6.2/debian/patches/series 2024-01-25 04:12:05.0 +0100
@@ -1,3 +1,4 @@
 enforce-use-stl.patch
 entity-encoding.patch
 CVE-2021-42260.patch
+CVE-2023-34194.patch




Bug#1058615: bookworm-pu: package node-yarnpkg/1.22.19+~cs24.27.18-2+deb12u1

2024-01-30 Thread Praveen Arimbrathodiyil
On Mon, 29 Jan 2024 22:06:33 + "Adam D. Barratt" wrote:

> Please go ahead.

Uploaded, thanks!




Bug#1060668: bookworm-pu: package calibre/6.13.0+repack-2+deb12u3

2024-01-30 Thread yokota
> +  * HTML Input: Dont add resources that exist outside the folder hierarchy
> s/Dont/Don't/
>
> Please go ahead.

Thank you.
I uploaded a new package with your fix.

--
YOKOTA Hiroshi



Bug#1061476: Updated ben script

2024-01-30 Thread julien . puydt
Hi,

someone uploaded a new mathcomp-analysis not knowing about this planned
transition, so it should be taken into account.

Cheers,

J.Puydt

PS: updated ben script

 dw coq-elpi_2.0.0-1 . ANY . -m 'elpi >= 1.18.1-1'
 dw coq-hierarchy-builder_1.7.0-1 . ANY . -m 'coq-elpi >= 2.0.0-1'
 dw ssreflect_2.2.0-1 . ANY . -m 'coq-hierarchy-builder >= 1.7.0-1'
 dw coq-relation-algebra_1.7.10-1 . ANY . -m 'ssreflect >= 2.2.0-1'
 dw mathcomp-finmap_2.1.0-1 . ANY . -m 'ssreflect >= 2.2.0-1'
 nmu coq-deriving_0.2.0-1+b1 . ANY . -m 'Rebuild because of upload of ssreflect=2.2.0-1'
 dw coq-deriving_0.2.0-1+b1 . ANY . -m 'ssreflect >= 2.2.0-1'
 nmu coq-reglang_1.2.1-1+b1 . ANY . -m 'Rebuild because of upload of ssreflect=2.2.0-1'
 dw coq-reglang_1.2.1-1+b1 . ANY . -m 'ssreflect >= 2.2.0-1'
 nmu coquelicot_3.4.1-1+b1 . ANY . -m 'Rebuild because of upload of ssreflect=2.2.0-1'
 dw coquelicot_3.4.1-1+b1 . ANY . -m 'ssreflect >= 2.2.0-1'
 nmu mathcomp-bigenough_1.0.1-12+b1 . ANY . -m 'Rebuild because of upload of ssreflect=2.2.0-1'
 dw mathcomp-bigenough_1.0.1-12+b1 . ANY . -m 'ssreflect >= 2.2.0-1'
 nmu mathcomp-zify_1.5.0+2.0+8.16-1+b1 . ANY . -m 'Rebuild because of upload of ssreflect=2.2.0-1'
 dw mathcomp-zify_1.5.0+2.0+8.16-1+b1 . ANY . -m 'ssreflect >= 2.2.0-1'
 nmu coq-quickchick_2.0.2-1+b1 . ANY . -m 'Rebuild because of upload of ssreflect=2.2.0-1'
 dw coq-quickchick_2.0.2-1+b1 . ANY . -m 'ssreflect >= 2.2.0-1'
 nmu coq-extructures_0.4.0-1+b1 . ANY . -m 'Rebuild because of upload of ssreflect=2.2.0-1 coq-deriving=0.2.0-1+b1'
 dw coq-extructures_0.4.0-1+b1 . ANY . -m 'ssreflect >= 2.2.0-1'
 dw coq-extructures_0.4.0-1+b1 . ANY . -m 'coq-deriving >= 0.2.0-1+b1'
 nmu coq-interval_4.9.0-1+b2 . ANY . -m 'Rebuild because of upload of ssreflect=2.2.0-1 coquelicot=3.4.1-1+b1'
 dw coq-interval_4.9.0-1+b2 . ANY . -m 'ssreflect >= 2.2.0-1'
 dw coq-interval_4.9.0-1+b2 . ANY . -m 'coquelicot >= 3.4.1-1+b1'
 nmu mathcomp-algebra-tactics_1.2.3-1+b1 . ANY . -m 'Rebuild because of upload of mathcomp-zify=1.5.0+2.0+8.16-1+b1 ssreflect=2.2.0-1 coq-elpi=2.0.0-1'
 dw mathcomp-algebra-tactics_1.2.3-1+b1 . ANY . -m 'mathcomp-zify >= 1.5.0+2.0+8.16-1+b1'
 dw mathcomp-algebra-tactics_1.2.3-1+b1 . ANY . -m 'ssreflect >= 2.2.0-1'
 dw mathcomp-algebra-tactics_1.2.3-1+b1 . ANY . -m 'coq-elpi >= 2.0.0-1'
 nmu mathcomp-analysis_1.0.0-1+b1 . ANY . -m 'Rebuild because of upload of coq-hierarchy-builder=1.7.0-1 coq-elpi=2.0.0-1 mathcomp-bigenough=1.0.1-12+b1 mathcomp-finmap=2.1.0-1 ssreflect=2.2.0-1'
 dw mathcomp-analysis_1.0.0-1+b1 . ANY . -m 'coq-hierarchy-builder >= 1.7.0-1'
 dw mathcomp-analysis_1.0.0-1+b1 . ANY . -m 'coq-elpi >= 2.0.0-1'
 dw mathcomp-analysis_1.0.0-1+b1 . ANY . -m 'mathcomp-bigenough >= 1.0.1-12+b1'
 dw mathcomp-analysis_1.0.0-1+b1 . ANY . -m 'mathcomp-finmap >= 2.1.0-1'
 dw mathcomp-analysis_1.0.0-1+b1 . ANY . -m 'ssreflect >= 2.2.0-1'
 nmu mathcomp-multinomials_2.2.0-1+b1 . ANY . -m 'Rebuild because of upload of mathcomp-bigenough=1.0.1-12+b1 mathcomp-finmap=2.1.0-1 ssreflect=2.2.0-1'
 dw mathcomp-multinomials_2.2.0-1+b1 . ANY . -m 'mathcomp-bigenough >= 1.0.1-12+b1'
 dw mathcomp-multinomials_2.2.0-1+b1 . ANY . -m 'mathcomp-finmap >= 2.1.0-1'
 dw mathcomp-multinomials_2.2.0-1+b1 . ANY . -m 'ssreflect >= 2.2.0-1'
 nmu mathcomp-real-closed_2.0.0-1+b1 . ANY . -m 'Rebuild because of upload of mathcomp-bigenough=1.0.1-12+b1 ssreflect=2.2.0-1'
 dw mathcomp-real-closed_2.0.0-1+b1 . ANY . -m 'mathcomp-bigenough >= 1.0.1-12+b1'
 dw mathcomp-real-closed_2.0.0-1+b1 . ANY . -m 'ssreflect >= 2.2.0-1'
 nmu coqeal_2.0.1-1+b1 . ANY . -m 'Rebuild because of upload of mathcomp-real-closed=2.0.0-1+b1 ssreflect=2.2.0-1'
 dw coqeal_2.0.1-1+b1 . ANY . -m 'mathcomp-real-closed >= 2.0.0-1+b1'
 dw coqeal_2.0.1-1+b1 . ANY . -m 'ssreflect >= 2.2.0-1'