Processed: bullseye-pu: package distro-info-data/0.51+deb11u6

2024-04-30 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:distro-info-data
Bug #1070158 [release.debian.org] bullseye-pu: package 
distro-info-data/0.51+deb11u6
Added indication that 1070158 affects src:distro-info-data

-- 
1070158: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070158
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1070158: bullseye-pu: package distro-info-data/0.51+deb11u6

2024-04-30 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: distro-info-d...@packages.debian.org
Control: affects -1 + src:distro-info-data
User: release.debian@packages.debian.org
Usertags: pu

This is a regular distro-info-data update.

[ Reason ]
This update adds:
1. bullseye and bookworm LTS & ELTS.
2. Ubuntu 24.10 Oracular Oriole

[ Impact ]
$ ubuntu-distro-info -d
ubuntu-distro-info: Distribution data outdated.
$ debian-distro-info --lts -f --date=2024-09-01
$

[ Tests ]
We have automated tests that check the basic CSV data structure.
Manually verified the affected Debian & Ubuntu releases.

[ Risks ]
Minimal, this is a data-only package, and there are no schema changes.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
  * Update data to 0.61:
    - Declare LTS and ELTS intentions for bullseye and bookworm
    - debian: Fix LTS EOL date for bullseye
    - debian.csv: Fix EOL date for 2.2
    - Add Ubuntu 24.10 "Oracular Oriole" (LP: #2064136)
diff -Nru distro-info-data-0.51+deb11u5/debian/changelog 
distro-info-data-0.51+deb11u6/debian/changelog
--- distro-info-data-0.51+deb11u5/debian/changelog  2023-10-29 
08:57:15.0 -0400
+++ distro-info-data-0.51+deb11u6/debian/changelog  2024-04-30 
20:54:51.0 -0400
@@ -1,3 +1,13 @@
+distro-info-data (0.51+deb11u6) bullseye; urgency=medium
+
+  * Update data to 0.61:
+- Declare LTS and ELTS intentions for bullseye and bookworm
+- debian: Fix LTS EOL date for bullseye
+- debian.csv: Fix EOL date for 2.2
+- Add Ubuntu 24.10 "Oracular Oriole" (LP: #2064136)
+
+ -- Stefano Rivera   Tue, 30 Apr 2024 20:54:51 -0400
+
 distro-info-data (0.51+deb11u5) bullseye; urgency=medium
 
   * Update data to 0.59:
diff -Nru distro-info-data-0.51+deb11u5/debian.csv 
distro-info-data-0.51+deb11u6/debian.csv
--- distro-info-data-0.51+deb11u5/debian.csv2023-10-29 08:57:15.0 
-0400
+++ distro-info-data-0.51+deb11u6/debian.csv2024-04-30 20:54:51.0 
-0400
@@ -4,7 +4,7 @@
 1.3,Bo,bo,1996-12-12,1997-06-05,1999-03-09
 2.0,Hamm,hamm,1997-06-05,1998-07-24,2000-03-09
 2.1,Slink,slink,1998-07-24,1999-03-09,2000-10-30
-2.2,Potato,potato,1999-03-09,2000-08-15,2003-07-30
+2.2,Potato,potato,1999-03-09,2000-08-15,2003-06-30
 3.0,Woody,woody,2000-08-15,2002-07-19,2006-06-30
 3.1,Sarge,sarge,2002-07-19,2005-06-06,2008-03-31
 4.0,Etch,etch,2005-06-06,2007-04-08,2010-02-15
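Review bot: the only change in this hunk is the 2.2 (Potato) EOL moving from 2003-07-30 to 2003-06-30, and the changelog line "debian.csv: Fix EOL date for 2.2" does not say where the corrected date comes from. Since nothing in the data distinguishes a correction from a typo, a pointer to the source of the new date (in the changelog item or the upstream commit) would help anyone auditing the file later.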
@@ -14,8 +14,8 @@
 8,Jessie,jessie,2013-05-04,2015-04-26,2018-06-17,2020-06-30,2025-06-30
 9,Stretch,stretch,2015-04-26,2017-06-17,2020-07-18,2022-06-30,2027-06-30
 10,Buster,buster,2017-06-17,2019-07-06,2022-09-10,2024-06-30,2029-06-30
-11,Bullseye,bullseye,2019-07-06,2021-08-14,2024-08-14
-12,Bookworm,bookworm,2021-08-14,2023-06-10,2026-06-10
+11,Bullseye,bullseye,2019-07-06,2021-08-14,2024-08-14,2026-08-31,2031-06-30
+12,Bookworm,bookworm,2021-08-14,2023-06-10,2026-06-10,2028-06-30,2033-06-30
 13,Trixie,trixie,2023-06-10
 14,Forky,forky,2025-08-01
 ,Sid,sid,1993-08-16
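Review bot: the bullseye and bookworm rows grow from six to eight fields (eol-lts, eol-elts), the same layout the jessie, stretch and buster context rows already use, so the "no schema changes" statement in [ Risks ] holds. The changelog item "debian: Fix LTS EOL date for bullseye" has no visible counterpart in this hunk: the deb11u5 base had no LTS column for bullseye at all, so for this upload the change is the initial declaration rather than a fix; the sub-items describe the upstream 0.61 changes, but the Debian changelog for this package would be clearer if it said so.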
diff -Nru distro-info-data-0.51+deb11u5/ubuntu.csv 
distro-info-data-0.51+deb11u6/ubuntu.csv
--- distro-info-data-0.51+deb11u5/ubuntu.csv2023-10-29 08:57:15.0 
-0400
+++ distro-info-data-0.51+deb11u6/ubuntu.csv2024-04-30 20:54:51.0 
-0400
@@ -39,3 +39,4 @@
 23.04,Lunar Lobster,lunar,2022-10-20,2023-04-20,2024-01-25
 23.10,Mantic Minotaur,mantic,2023-04-20,2023-10-12,2024-07-11
 24.04 LTS,Noble 
Numbat,noble,2023-10-12,2024-04-25,2029-05-31,2029-05-31,2034-04-25
+24.10,Oracular Oriole,oracular,2024-04-25,2024-10-10,2025-07-10
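Review bot: the new 24.10 row has the six-field layout of the other non-LTS releases in the context (23.04, 23.10), and its EOL of 2025-07-10 is nine months after the 2024-10-10 release, matching the 23.10 pattern (2023-10-12 to 2024-07-11); nothing to change. The hunk header +39,4 accounts for the added line. The 24.04 LTS context line is shown wrapped onto two lines here; that is display only, the CSV record is a single line.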

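The [ Impact ] transcript above shows `debian-distro-info --lts --date=2024-09-01` printing nothing with the old data. As an added example (not part of the bug report or of the distro-info package), this C program parses the buster, bullseye and bookworm rows from the debdiff, once as shipped in 0.51+deb11u5 and once as in 0.51+deb11u6, and applies the assumed rule that a series is "in LTS" on a date when its regular EOL has passed but its LTS EOL has not; the header line and that rule are assumptions of mine, not copied from the tool.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data: the three relevant rows of the debian.csv hunk.
 * The header line is assumed to match the real file's column names. */
static const char OLD_CSV[] =   /* as in 0.51+deb11u5: bullseye/bookworm lack LTS columns */
    "version,codename,series,created,release,eol,eol-lts,eol-elts\n"
    "10,Buster,buster,2017-06-17,2019-07-06,2022-09-10,2024-06-30,2029-06-30\n"
    "11,Bullseye,bullseye,2019-07-06,2021-08-14,2024-08-14\n"
    "12,Bookworm,bookworm,2021-08-14,2023-06-10,2026-06-10\n";

static const char NEW_CSV[] =   /* as in 0.51+deb11u6 */
    "version,codename,series,created,release,eol,eol-lts,eol-elts\n"
    "10,Buster,buster,2017-06-17,2019-07-06,2022-09-10,2024-06-30,2029-06-30\n"
    "11,Bullseye,bullseye,2019-07-06,2021-08-14,2024-08-14,2026-08-31,2031-06-30\n"
    "12,Bookworm,bookworm,2021-08-14,2023-06-10,2026-06-10,2028-06-30,2033-06-30\n";

/* One record; an absent optional column is left as an empty string. */
typedef struct {
    char series[32];
    char release[11], eol[11], eol_lts[11], eol_elts[11];   /* YYYY-MM-DD */
} Row;

/* Copy the next comma-separated field of [*p, end) into dst and step past the comma. */
static void take_field(const char **p, const char *end, char *dst, size_t n)
{
    size_t i = 0;
    while (*p < end && **p != ',') {
        if (i + 1 < n)
            dst[i++] = **p;
        (*p)++;
    }
    dst[i] = '\0';
    if (*p < end)
        (*p)++;
}

/* Parse one line; returns false for the header row. */
static bool parse_row(const char *line, const char *end, Row *r)
{
    char skip[32];
    const char *p = line;
    memset(r, 0, sizeof *r);
    take_field(&p, end, skip, sizeof skip);                 /* version  */
    take_field(&p, end, skip, sizeof skip);                 /* codename */
    take_field(&p, end, r->series, sizeof r->series);
    take_field(&p, end, skip, sizeof skip);                 /* created  */
    take_field(&p, end, r->release, sizeof r->release);
    take_field(&p, end, r->eol, sizeof r->eol);
    take_field(&p, end, r->eol_lts, sizeof r->eol_lts);
    take_field(&p, end, r->eol_elts, sizeof r->eol_elts);
    return strcmp(r->series, "series") != 0;
}

/* Series in LTS on `date` (assumed rule: eol < date <= eol-lts). ISO dates compare
 * correctly as plain strings. Writes the newest match to out; returns the match count. */
int lts_on(const char *csv, const char *date, char *out, size_t outlen)
{
    int found = 0;
    const char *line = csv;
    if (outlen)
        out[0] = '\0';
    while (*line) {
        const char *end = strchr(line, '\n');
        Row r;
        if (!end)
            end = line + strlen(line);
        if (parse_row(line, end, &r) && r.eol_lts[0] != '\0'
            && strcmp(r.eol, date) < 0 && strcmp(date, r.eol_lts) <= 0) {
            snprintf(out, outlen, "%s", r.series);
            found++;
        }
        line = (*end == '\n') ? end + 1 : end;
    }
    return found;
}

/* Convenience wrappers: the newest LTS series on `date` ("" if none), and the count. */
const char *lts_series(const char *csv, const char *date)
{
    static char buf[32];
    lts_on(csv, date, buf, sizeof buf);
    return buf;
}

int lts_count(const char *csv, const char *date)
{
    char tmp[32];
    return lts_on(csv, date, tmp, sizeof tmp);
}

int main(void)
{
    const char *date = "2024-09-01";
    printf("deb11u5 data: LTS on %s = '%s'\n", date, lts_series(OLD_CSV, date));
    printf("deb11u6 data: LTS on %s = '%s'\n", date, lts_series(NEW_CSV, date));
    return 0;
}
```

With the old rows the query yields no series, which is the empty output shown in [ Impact ]; with the new rows it yields bullseye.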

Bug#1070157: bookworm-pu: package distro-info-data/0.58+deb12u2

2024-04-30 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: distro-info-d...@packages.debian.org
Control: affects -1 + src:distro-info-data
User: release.debian@packages.debian.org
Usertags: pu

This is a regular distro-info-data update.

[ Reason ]
This update adds:
1. bullseye and bookworm LTS & ELTS.
2. Ubuntu 24.10 Oracular Oriole

[ Impact ]
$ ubuntu-distro-info -d
ubuntu-distro-info: Distribution data outdated.
$ debian-distro-info --lts -f --date=2024-09-01
$

[ Tests ]
We have automated tests that check the basic CSV data structure.
Manually verified the affected Debian & Ubuntu releases.

[ Risks ]
Minimal, this is a data-only package, and there are no schema changes.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

  * Update data to 0.61:
    - Declare LTS and ELTS intentions for bullseye and bookworm
    - debian: Fix LTS EOL date for bullseye
    - debian.csv: Fix EOL date for 2.2
    - Add Ubuntu 24.10 "Oracular Oriole" (LP: #2064136)
diff -Nru distro-info-data-0.58+deb12u1/debian/changelog 
distro-info-data-0.58+deb12u2/debian/changelog
--- distro-info-data-0.58+deb12u1/debian/changelog  2023-10-29 
06:12:45.0 -0400
+++ distro-info-data-0.58+deb12u2/debian/changelog  2024-04-30 
20:41:56.0 -0400
@@ -1,3 +1,13 @@
+distro-info-data (0.58+deb12u2) bookworm; urgency=medium
+
+  * Update data to 0.61:
+- Declare LTS and ELTS intentions for bullseye and bookworm
+- debian: Fix LTS EOL date for bullseye
+- debian.csv: Fix EOL date for 2.2
+- Add Ubuntu 24.10 "Oracular Oriole" (LP: #2064136)
+
+ -- Stefano Rivera   Tue, 30 Apr 2024 20:41:56 -0400
+
 distro-info-data (0.58+deb12u1) bookworm; urgency=medium
 
   * Update data to 0.59:
diff -Nru distro-info-data-0.58+deb12u1/debian.csv 
distro-info-data-0.58+deb12u2/debian.csv
--- distro-info-data-0.58+deb12u1/debian.csv2023-10-29 06:12:45.0 
-0400
+++ distro-info-data-0.58+deb12u2/debian.csv2024-04-30 20:41:56.0 
-0400
@@ -4,7 +4,7 @@
 1.3,Bo,bo,1996-12-12,1997-06-05,1999-03-09
 2.0,Hamm,hamm,1997-06-05,1998-07-24,2000-03-09
 2.1,Slink,slink,1998-07-24,1999-03-09,2000-10-30
-2.2,Potato,potato,1999-03-09,2000-08-15,2003-07-30
+2.2,Potato,potato,1999-03-09,2000-08-15,2003-06-30
 3.0,Woody,woody,2000-08-15,2002-07-19,2006-06-30
 3.1,Sarge,sarge,2002-07-19,2005-06-06,2008-03-31
 4.0,Etch,etch,2005-06-06,2007-04-08,2010-02-15
@@ -14,8 +14,8 @@
 8,Jessie,jessie,2013-05-04,2015-04-26,2018-06-17,2020-06-30,2025-06-30
 9,Stretch,stretch,2015-04-26,2017-06-17,2020-07-18,2022-06-30,2027-06-30
 10,Buster,buster,2017-06-17,2019-07-06,2022-09-10,2024-06-30,2029-06-30
-11,Bullseye,bullseye,2019-07-06,2021-08-14,2024-08-14
-12,Bookworm,bookworm,2021-08-14,2023-06-10,2026-06-10
+11,Bullseye,bullseye,2019-07-06,2021-08-14,2024-08-14,2026-08-31,2031-06-30
+12,Bookworm,bookworm,2021-08-14,2023-06-10,2026-06-10,2028-06-30,2033-06-30
 13,Trixie,trixie,2023-06-10
 14,Forky,forky,2025-08-01
 ,Sid,sid,1993-08-16
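Review bot: this hunk is byte-for-byte the same as the one in the bullseye debdiff for 0.51+deb11u6 (bug #1070158): the same LTS dates (2026-08-31 for bullseye, 2028-06-30 for bookworm) and ELTS dates (2031-06-30, 2033-06-30). That consistency is what matters for tooling that compares support windows across suites, so this checks out.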
diff -Nru distro-info-data-0.58+deb12u1/ubuntu.csv 
distro-info-data-0.58+deb12u2/ubuntu.csv
--- distro-info-data-0.58+deb12u1/ubuntu.csv2023-10-29 06:12:45.0 
-0400
+++ distro-info-data-0.58+deb12u2/ubuntu.csv2024-04-30 20:41:56.0 
-0400
@@ -39,3 +39,4 @@
 23.04,Lunar Lobster,lunar,2022-10-20,2023-04-20,2024-01-25
 23.10,Mantic Minotaur,mantic,2023-04-20,2023-10-12,2024-07-11
 24.04 LTS,Noble 
Numbat,noble,2023-10-12,2024-04-25,2029-05-31,2029-05-31,2034-04-25
+24.10,Oracular Oriole,oracular,2024-04-25,2024-10-10,2025-07-10


Processed: bookworm-pu: package distro-info-data/0.58+deb12u2

2024-04-30 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:distro-info-data
Bug #1070157 [release.debian.org] bookworm-pu: package 
distro-info-data/0.58+deb12u2
Added indication that 1070157 affects src:distro-info-data

-- 
1070157: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070157
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1070154: bullseye-pu: qtbase-opensource-src/5.15.2+dfsg-9+deb11u1

2024-04-30 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for qtbase-opensource-src fixes several CVEs in 
Bullseye. All CVEs are marked as no-dsa by the security team.


  Thorsten
diff -Nru qtbase-opensource-src-5.15.2+dfsg/debian/changelog qtbase-opensource-src-5.15.2+dfsg/debian/changelog
--- qtbase-opensource-src-5.15.2+dfsg/debian/changelog  2021-07-02 
17:58:04.0 +0200
+++ qtbase-opensource-src-5.15.2+dfsg/debian/changelog  2024-04-28 
22:48:02.0 +0200
@@ -1,3 +1,33 @@
+qtbase-opensource-src (5.15.2+dfsg-9+deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2024-25580 (Closes: #1064053)
+fix buffer overflow due to crafted KTX image file
+  * CVE-2023-32763 (Closes: #1036702)
+fix QTextLayout buffer overflow due to crafted SVG file
+  * CVE-2022-25255
+prevent QProcess from execution of a binary from the current working
+directory when not found in the PATH
+  * CVE-2023-24607 (Closes: #1031872)
+fix denial of service via a crafted string when the SQL ODBC driver
+plugin is used
+  * fix regression caused by patch for CVE-2023-24607
+  * CVE-2023-32762
+prevent incorrect parsing of the strict-transport-security (HSTS) header
+  * CVE-2023-51714 (Closes: #1060694)
+fix incorrect HPack integer overflow check.
+  * CVE-2023-38197 (Closes: #1041105)
+fix infinite loop in recursive entity expansion
+  * CVE-2023-37369 (Closes: #1059302)
+fix crash of application in QXmlStreamReader due to crafted XML string
+  * CVE-2023-34410 (Closes: #1037210)
+fix checking during TLS whether root of the chain really is a
+configured CA certificate
+  * CVE-2023-33285 (Closes: #1036848)
+fix buffer overflow in QDnsLookup
+
+ -- Thorsten Alteholz   Sun, 28 Apr 2024 22:48:02 +0200
+
 qtbase-opensource-src (5.15.2+dfsg-9) unstable; urgency=medium
 
   * Revert adding fix-misplacement-of-placeholder-text-in-QLineEdit.diff.
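Review bot: two entries in this hunk, CVE-2022-25255 and CVE-2023-32762, carry no (Closes: #...) reference while the other eight do; if Debian bugs exist for them they should be closed here, and if not, that is worth stating so the reader knows they are tracked only in the security tracker. The item "fix regression caused by patch for CVE-2023-24607" should name the regression (or the report it came from) so that someone reading the package changelog can tell which behaviour was restored.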
diff -Nru qtbase-opensource-src-5.15.2+dfsg/debian/patches/CVE-2022-25255.diff 
qtbase-opensource-src-5.15.2+dfsg/debian/patches/CVE-2022-25255.diff
--- qtbase-opensource-src-5.15.2+dfsg/debian/patches/CVE-2022-25255.diff
1970-01-01 01:00:00.0 +0100
+++ qtbase-opensource-src-5.15.2+dfsg/debian/patches/CVE-2022-25255.diff
2024-03-05 13:22:01.0 +0100
@@ -0,0 +1,96 @@
+Description: QProcess: ensure we don't accidentally execute something from CWD
+ Unless "." (or the empty string) is in $PATH, we're not supposed to find
+ executables in the current directory. This is how the Unix shells behave
+ and we match their behavior. It's also the behavior Qt had prior to 5.9
+ (commit 28666d167aa8e602c0bea25ebc4d51b55005db13). On Windows, searching
+ the current directory is the norm, so we keep that behavior.
+ .
+ This commit does not add an explicit check for an empty return from
+ QStandardPaths::findExecutable(). Instead, we allow that empty string to
+ go all the way to execve(2), which will fail with ENOENT. We could catch
+ it early, before fork(2), but why add code for the error case?
+ .
+ See https://kde.org/info/security/advisory-20220131-1.txt
+Origin: upstream, 
https://download.qt.io/official_releases/qt/5.15/CVE-2022-25255-qprocess5-15.diff
+Last-Update: 2022-02-21
+
+Index: qtbase-opensource-src-5.15.2+dfsg/src/corelib/io/qprocess_unix.cpp
+===
+--- qtbase-opensource-src-5.15.2+dfsg.orig/src/corelib/io/qprocess_unix.cpp
2024-03-05 13:21:06.432881985 +0100
 qtbase-opensource-src-5.15.2+dfsg/src/corelib/io/qprocess_unix.cpp 
2024-03-05 13:21:06.428881981 +0100
+@@ -1,7 +1,7 @@
+ /
+ **
+ ** Copyright (C) 2016 The Qt Company Ltd.
+-** Copyright (C) 2016 Intel Corporation.
++** Copyright (C) 2022 Intel Corporation.
+ ** Contact: https://www.qt.io/licensing/
+ **
+ ** This file is part of the QtCore module of the Qt Toolkit.
+@@ -422,14 +422,15 @@
+ // Add the program name to the argument list.
+ argv[0] = nullptr;
+ if (!program.contains(QLatin1Char('/'))) {
++// findExecutable() returns its argument if it's an absolute path,
++// otherwise it searches $PATH; returns empty if not found (we handle
++// that case much later)
+ const QString  = QStandardPaths::findExecutable(program);
+-if (!exeFilePath.isEmpty()) {
+-const QByteArray  = QFile::encodeName(exeFilePath);
+-argv[0] = ::strdup(tmp.constData());
+-}
+-}
+-if (!argv[0])
++const QByteArray  = QFile::encodeName(exeFilePath);
++argv[0] = ::strdup(tmp.constData());
++} else {
+ argv[0] = ::strdup(encodedProgramName.constData());
++}
+ 
+ // Add every argument to the list
+ for (int i = 0; i < arguments.count(); ++i)
+@@ -983,15 +984,16 @@
+ 
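Review bot: the logic of the qprocess_unix.cpp hunk is sound: for a program name without a '/', argv[0] now always comes from QStandardPaths::findExecutable(), so a name that exists only in the current directory is no longer run, and the else branch (program containing a '/') is unchanged; the Description explains that an empty result is deliberately left to fail at execve(2) with ENOENT. Two things to be aware of when reviewing from this page rather than the attachment: the reference declarations have lost their `&name` part in this rendering (`const QString  = QStandardPaths::findExecutable(program);` and `const QByteArray  = QFile::encodeName(exeFilePath);`; the names `exeFilePath` and `tmp` are visible on the following lines), and the second inner hunk, `@@ -983,15 +984,16 @@`, is cut off, so the later handling of the empty path that the comment "we handle that case much later" refers to cannot be checked here.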

Bug#1070155: bullseye-pu: package wpa/2.9.0-21+deb11u1

2024-04-30 Thread Bastien Roucariès
Package: release.debian.org
Severity: important
Tags: bullseye
X-Debbugs-Cc: w...@packages.debian.org
Control: affects -1 + src:wpa
User: release.debian@packages.debian.org
Usertags: pu
tags: security


[ Reason ]
CVE-2023-52160 security bug

[ Impact ]
security bug is present

[ Tests ]
Test suite runs fine

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
The previous PEAP client behavior allowed the server to skip Phase 2
authentication with the expectation that the server was authenticated
during Phase 1 through TLS server certificate validation. Various PEAP
specifications are not exactly clear on what the behavior on this front
is supposed to be and as such, this ended up being more flexible than
the TTLS/FAST/TEAP cases. However, this is not really ideal when
unfortunately common misconfiguration of PEAP is used in deployed
devices where the server trust root (ca_cert) is not configured or the
user has an easy option for allowing this validation step to be skipped.

Change the default PEAP client behavior to be to require Phase 2
authentication to be successfully completed for cases where TLS session
resumption is not used and the client certificate has not been
configured. Those two exceptions are the main cases where a deployed
authentication server might skip Phase 2 and as such, where a more
strict default behavior could result in undesired interoperability
issues. Requiring Phase 2 authentication will end up disabling TLS
session resumption automatically to avoid interoperability issues.

[ Other info ]
Buster is fixed, so an upgrade reintroduces the CVE

Bastien
diff -Nru wpa-2.9.0/debian/changelog wpa-2.9.0/debian/changelog
--- wpa-2.9.0/debian/changelog	2021-02-25 21:19:14.0 +
+++ wpa-2.9.0/debian/changelog	2024-04-30 22:45:18.0 +
@@ -1,3 +1,19 @@
+wpa (2:2.9.0-21+deb11u1) bullseye; urgency=high
+
+  * Non-maintainer upload on behalf of the Security Team.
+  * Fix CVE-2023-52160 (Closes: #1064061):
+The implementation of PEAP in wpa_supplicant allows
+authentication bypass. For a successful attack,
+wpa_supplicant must be configured to not verify
+the network's TLS certificate during Phase 1
+authentication, and an eap_peap_decrypt vulnerability
+can then be abused to skip Phase 2 authentication.
+The attack vector is sending an EAP-TLV Success packet
+instead of starting Phase 2. This allows an adversary
+to impersonate Enterprise Wi-Fi networks.
+
+ -- Bastien Roucari??s   Tue, 30 Apr 2024 22:45:18 +
+
 wpa (2:2.9.0-21) unstable; urgency=high
 
   * Fix typos in the package descriptions.
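Review bot: the changelog describes the vulnerability but not the behaviour change that fixes it. The patch below adds a phase1 option `phase2_auth`, and, as the [ Changes ] text says, requiring Phase 2 disables TLS session resumption; networks whose authentication server relied on skipping Phase 2 will stop authenticating after this update, which from the user's side looks like a stable-update regression even though it is intended. A NEWS entry (or a sentence here) saying that `phase2_auth=0` in phase1 restores the old behaviour would let administrators diagnose that quickly. Also, the maintainer name renders as "Bastien Roucari??s" here; worth confirming the changelog file itself is valid UTF-8.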
diff -Nru wpa-2.9.0/debian/patches/0033-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch wpa-2.9.0/debian/patches/0033-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch
--- wpa-2.9.0/debian/patches/0033-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch	1970-01-01 00:00:00.0 +
+++ wpa-2.9.0/debian/patches/0033-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch	2024-04-30 22:45:18.0 +
@@ -0,0 +1,211 @@
+From: Jouni Malinen 
+Date: Sat, 8 Jul 2023 19:55:32 +0300
+Subject: CVE-2023-52160 PEAP client: Update Phase 2 authentication
+ requirements
+
+The previous PEAP client behavior allowed the server to skip Phase 2
+authentication with the expectation that the server was authenticated
+during Phase 1 through TLS server certificate validation. Various PEAP
+specifications are not exactly clear on what the behavior on this front
+is supposed to be and as such, this ended up being more flexible than
+the TTLS/FAST/TEAP cases. However, this is not really ideal when
+unfortunately common misconfiguration of PEAP is used in deployed
+devices where the server trust root (ca_cert) is not configured or the
+user has an easy option for allowing this validation step to be skipped.
+
+Change the default PEAP client behavior to be to require Phase 2
+authentication to be successfully completed for cases where TLS session
+resumption is not used and the client certificate has not been
+configured. Those two exceptions are the main cases where a deployed
+authentication server might skip Phase 2 and as such, where a more
+strict default behavior could result in undesired interoperability
+issues. Requiring Phase 2 authentication will end up disabling TLS
+session resumption automatically to avoid interoperability issues.
+
+Allow Phase 2 authentication behavior to be configured with a new phase1
+configuration parameter option:
+'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
+tunnel) behavior for PEAP:
+ * 0 = do not require Phase 2 authentication
+ * 1 = require Phase 2 authentication when client certificate
+   (private_key/client_cert) is no used and TLS session resumption was
+   not used 
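Review bot: the patch header has From/Date/Subject but no Origin: or Bug-Debian: field; adding `Origin: upstream,` followed by the upstream commit URL, and `Bug-Debian: https://bugs.debian.org/1064061` (the bug the changelog closes), would make the file self-describing per DEP-3. The option description is cut off on this page after "1 = require Phase 2 authentication when client certificate ... is no used" (upstream's typo for "not used"), so the complete list of `phase2_auth` values should be checked against what the changelog promises.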

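The [ Changes ] text above describes the new client-side rule. As an added example that is not wpa_supplicant code, this C snippet encodes that rule as a decision function: whether a PEAP client may treat the server's success indication as the end of authentication, given the `phase2_auth` setting (only the values 0 and 1 visible in the cut-off patch description are modelled), whether a client certificate is configured and whether the TLS session was resumed, together with the corollary that requiring Phase 2 turns session resumption off. Function and type names are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* phase1 option values visible in the patch description (the full upstream patch,
 * truncated on this page, may define further values). */
enum { PHASE2_AUTH_NOT_REQUIRED = 0, PHASE2_AUTH_DEFAULT = 1 };

/* Is a completed Phase 2 (inner method inside the TLS tunnel) mandatory? */
bool peap_phase2_required(int phase2_auth, bool client_cert, bool tls_resumed)
{
    if (phase2_auth == PHASE2_AUTH_NOT_REQUIRED)
        return false;                       /* pre-fix behaviour */
    /* phase2_auth == 1: required unless the exchange is already bound to a
     * client certificate or to a previously authenticated (resumed) session. */
    return !(client_cert || tls_resumed);
}

/* May the server's success indication (EAP-TLV Success) be accepted, given
 * whether Phase 2 has completed? */
bool peap_accept_success(int phase2_auth, bool client_cert, bool tls_resumed,
                         bool phase2_ok)
{
    if (phase2_ok)
        return true;
    return !peap_phase2_required(phase2_auth, client_cert, tls_resumed);
}

/* Corollary from the text: a client that requires Phase 2 does not offer TLS
 * session resumption, so the resumption exemption cannot be used to skip it. */
bool peap_allow_resumption(int phase2_auth, bool client_cert)
{
    return !peap_phase2_required(phase2_auth, client_cert, false);
}

/* Outcome when the server ends the exchange right after Phase 1 (the scenario the
 * changelog describes): true means the client would consider itself authenticated. */
bool peap_skip_phase2_accepted(int phase2_auth, bool client_cert)
{
    bool resumed = false;   /* a fresh session: nothing was resumed */
    return peap_accept_success(phase2_auth, client_cert, resumed, false);
}

int main(void)
{
    struct { const char *name; int phase2_auth; bool client_cert; } cfg[] = {
        { "pre-fix default (phase2_auth=0)", PHASE2_AUTH_NOT_REQUIRED, false },
        { "new default, password auth",      PHASE2_AUTH_DEFAULT,      false },
        { "new default, client certificate", PHASE2_AUTH_DEFAULT,      true  },
    };
    for (size_t i = 0; i < sizeof cfg / sizeof cfg[0]; i++)
        printf("%-34s success before Phase 2 accepted: %-3s resumption offered: %s\n",
               cfg[i].name,
               peap_skip_phase2_accepted(cfg[i].phase2_auth, cfg[i].client_cert) ? "yes" : "no",
               peap_allow_resumption(cfg[i].phase2_auth, cfg[i].client_cert) ? "yes" : "no");
    return 0;
}
```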
Processed: bullseye-pu: package wpa/2.9.0-21+deb11u1

2024-04-30 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:wpa
Bug #1070155 [release.debian.org] bullseye-pu: package wpa/2.9.0-21+deb11u1
Added indication that 1070155 affects src:wpa

-- 
1070155: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070155
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1070153: bookworm-pu: qtbase-opensource-src/5.15.8+dfsg-11+deb12u2

2024-04-30 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for qtbase-opensource-src fixes several CVEs in 
Bookworm. All CVEs are marked as no-dsa by the security team.


The debdiff is based on version 5.15.8+dfsg-11+deb12u1, which is already 
in s-p-u.


  Thorsten
diff -Nru qtbase-opensource-src-5.15.8+dfsg/debian/changelog qtbase-opensource-src-5.15.8+dfsg/debian/changelog
--- qtbase-opensource-src-5.15.8+dfsg/debian/changelog  2024-04-07 
11:45:51.0 +0200
+++ qtbase-opensource-src-5.15.8+dfsg/debian/changelog  2024-04-28 
20:48:02.0 +0200
@@ -1,3 +1,13 @@
+qtbase-opensource-src (5.15.8+dfsg-11+deb12u2) bookworm; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2024-25580 (Closes: #1064053)
+fix buffer overflow due to crafted KTX image file
+  * CVE-2023-51714 (Closes: #1060694)
+fix incorrect HPack integer overflow check.
+
+ -- Thorsten Alteholz   Sun, 28 Apr 2024 20:48:02 +0200
+
 qtbase-opensource-src (5.15.8+dfsg-11+deb12u1) bookworm; urgency=medium
 
   [ Alexander Volkov ]
diff -Nru qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2023-51714.diff 
qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2023-51714.diff
--- qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2023-51714.diff
1970-01-01 01:00:00.0 +0100
+++ qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2023-51714.diff
2024-04-28 20:48:02.0 +0200
@@ -0,0 +1,61 @@
+From 23c3fc483e8b6e21012a61f0bea884446f727776 Mon Sep 17 00:00:00 2001
+From: Marc Mutz 
+Date: Tue, 12 Dec 2023 22:08:07 +0100
+Subject: [PATCH] HPack: fix incorrect integer overflow check
+
+This code never worked:
+
+For the comparison with max() - 32 to trigger, on 32-bit platforms (or
+Qt 5) signed interger overflow would have had to happen in the
+addition of the two sizes. The compiler can therefore remove the
+overflow check as dead code.
+
+On Qt 6 and 64-bit platforms, the signed integer addition would be
+very unlikely to overflow, but the following truncation to uint32
+would yield the correct result only in a narrow 32-value window just
+below UINT_MAX, if even that.
+
+Fix by using the proper tool, qAddOverflow.
+
+Manual conflict resolutions:
+ - qAddOverflow doesn't exist in Qt 5, use private add_overflow
+   predecessor API instead
+
+Change-Id: I7599f2e75ff7f488077b0c60b81022591005661c
+Reviewed-by: Allan Sandfeld Jensen 
+(cherry picked from commit ee5da1f2eaf8932aeca02ffea6e4c618585e29e3)
+Reviewed-by: Qt Cherry-pick Bot 
+(cherry picked from commit debeb8878da2dc706ead04b6072ecbe7e5313860)
+Reviewed-by: Thiago Macieira 
+Reviewed-by: Marc Mutz 
+(cherry picked from commit 811b9eef6d08d929af8708adbf2a5effb0eb62d7)
+(cherry picked from commit f931facd077ce945f1e42eaa3bead208822d3e00)
+(cherry picked from commit 9ef4ca5ecfed771dab890856130e93ef5ceabef5)
+Reviewed-by: Mårten Nordheim 
+---
+
+Index: 
qtbase-opensource-src-5.15.8+dfsg/src/network/access/http2/hpacktable.cpp
+===
+--- 
qtbase-opensource-src-5.15.8+dfsg.orig/src/network/access/http2/hpacktable.cpp  
   2024-04-24 16:08:28.259865332 +0200
 qtbase-opensource-src-5.15.8+dfsg/src/network/access/http2/hpacktable.cpp  
2024-04-24 16:09:16.163853040 +0200
+@@ -40,6 +40,7 @@
+ #include "hpacktable_p.h"
+ 
+ #include 
++#include 
+ 
+ #include 
+ #include 
+@@ -62,8 +63,10 @@
+ // for counting the number of references to the name and value would have
+ // 32 octets of overhead."
+ 
+-const unsigned sum = unsigned(name.size() + value.size());
+-if (std::numeric_limits::max() - 32 < sum)
++size_t sum;
++if (add_overflow(size_t(name.size()), size_t(value.size()), ))
++return HeaderSize();
++if (sum > (std::numeric_limits::max() - 32))
+ return HeaderSize();
+ return HeaderSize(true, quint32(sum + 32));
+ }
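Review bot: the replacement logic is right: the addition is now done through add_overflow() on size_t, so a sum that wrapped can no longer pass the check, and the separate `sum > max() - 32` comparison keeps the 32-octet overhead from overflowing in the final `quint32(sum + 32)`. Two caveats for anyone reviewing from this page: the template argument of `std::numeric_limits::max()` and the third argument of `add_overflow(...)` are missing in this rendering (angle-bracketed text was dropped, as were the `#include` targets), so confirm in the attachment that the limit is quint32's maximum, because the narrowing on the last line assumes exactly that.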
diff -Nru qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2024-25580.diff 
qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2024-25580.diff
--- qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2024-25580.diff
1970-01-01 01:00:00.0 +0100
+++ qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2024-25580.diff
2024-04-28 20:48:02.0 +0200
@@ -0,0 +1,197 @@
+diff --git a/src/gui/util/qktxhandler.cpp b/src/gui/util/qktxhandler.cpp
+index 0d98e97453..6a79e55109 100644
+--- a/src/gui/util/qktxhandler.cpp
 b/src/gui/util/qktxhandler.cpp
+@@ -73,7 +73,7 @@ struct KTXHeader {
+ quint32 bytesOfKeyValueData;
+ };
+ 
+-static const quint32 headerSize = sizeof(KTXHeader);
++static constexpr quint32 qktxh_headerSize = sizeof(KTXHeader);
+ 
+ // Currently unused, declared for future reference
+ struct KTXKeyValuePairItem {
+@@ -103,11 +103,36 @@ struct KTXMipmapLevel {
+ */
+ };
+ 
+-bool QKtxHandler::canRead(const QByteArray , const QByteArray )
++static bool qAddOverflow(quint32 
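Review bot: unlike CVE-2023-51714.diff, this patch file starts directly at `diff --git` with no DEP-3 header (Description/Origin/Bug-Debian), so the link to the upstream fix for CVE-2024-25580 and to #1064053 is lost once the file sits in debian/patches; please add one. The visible part only makes `headerSize` a `constexpr` named `qktxh_headerSize` and begins a `qAddOverflow` helper ahead of the canRead() change; the rest of the hunk is cut off on this page, so the bounds checks themselves cannot be reviewed here.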

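The commit message in the CVE-2023-51714.diff hunk above explains why the old `max() - 32 < sum` test could never fire. As an added example that is not Qt code, this C program models the old check with 32-bit wrapping arithmetic and the fixed two-step check (overflow-safe addition, then headroom for the 32-octet per-entry overhead of RFC 7541) using a hand-written equivalent of add_overflow(); `HeaderSize` and the function names are my stand-ins for the Qt types.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for Qt's HeaderSize pair: valid flag plus the entry size in octets. */
typedef struct {
    bool valid;
    uint32_t size;
} HeaderSize;

static const HeaderSize INVALID = { false, 0 };
static const uint32_t HPACK_ENTRY_OVERHEAD = 32;   /* per-entry overhead the check accounts for */

/* The pre-fix logic. The sum is formed in 32-bit arithmetic and only afterwards
 * compared with max() - 32, so a sum that wrapped past 2^32 looks small and is
 * accepted. (The real Qt 5 code added two signed ints, which is undefined
 * behaviour on overflow and lets the compiler drop the check altogether; the
 * explicit unsigned wrap here shows the same outcome without relying on UB.) */
HeaderSize entry_size_old(uint32_t name_len, uint32_t value_len)
{
    uint32_t sum = name_len + value_len;                 /* wraps modulo 2^32 */
    if (UINT32_MAX - HPACK_ENTRY_OVERHEAD < sum)
        return INVALID;
    return (HeaderSize){ true, sum + HPACK_ENTRY_OVERHEAD };
}

/* Portable equivalent of the add_overflow() helper used in the patch. */
static bool add_overflow(size_t a, size_t b, size_t *out)
{
    if (SIZE_MAX - a < b)
        return true;
    *out = a + b;
    return false;
}

/* The fixed logic: first make sure the addition itself did not overflow, then
 * make sure there is room for the overhead before narrowing to 32 bits. */
HeaderSize entry_size_fixed(size_t name_len, size_t value_len)
{
    size_t sum;
    if (add_overflow(name_len, value_len, &sum))
        return INVALID;
    if (sum > (size_t)UINT32_MAX - HPACK_ENTRY_OVERHEAD)
        return INVALID;
    return (HeaderSize){ true, (uint32_t)(sum + HPACK_ENTRY_OVERHEAD) };
}

int main(void)
{
    /* Constructed sizes that together wrap past 2^32: the old check accepts a
     * 32-octet "entry", the fixed one rejects it. */
    HeaderSize o = entry_size_old(0x80000000u, 0x80000000u);
    HeaderSize f = entry_size_fixed(0x80000000u, 0x80000000u);
    printf("old:   valid=%d size=%u\n", o.valid, o.size);
    printf("fixed: valid=%d size=%u\n", f.valid, f.size);
    return 0;
}
```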
Bug#1070151: bookworm-pu: package wpa/2:2.10-12

2024-04-30 Thread Bastien Roucariès
Package: release.debian.org
Severity: important
Tags: bookworm
X-Debbugs-Cc: w...@packages.debian.org
Control: affects -1 + src:wpa
User: release.debian@packages.debian.org
Usertags: pu
tags: security


[ Reason ]
CVE-2023-52160 security bug

[ Impact ]
security bug is present

[ Tests ]
Test suite runs fine

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
The previous PEAP client behavior allowed the server to skip Phase 2
authentication with the expectation that the server was authenticated
during Phase 1 through TLS server certificate validation. Various PEAP
specifications are not exactly clear on what the behavior on this front
is supposed to be and as such, this ended up being more flexible than
the TTLS/FAST/TEAP cases. However, this is not really ideal when
unfortunately common misconfiguration of PEAP is used in deployed
devices where the server trust root (ca_cert) is not configured or the
user has an easy option for allowing this validation step to be skipped.

Change the default PEAP client behavior to be to require Phase 2
authentication to be successfully completed for cases where TLS session
resumption is not used and the client certificate has not been
configured. Those two exceptions are the main cases where a deployed
authentication server might skip Phase 2 and as such, where a more
strict default behavior could result in undesired interoperability
issues. Requiring Phase 2 authentication will end up disabling TLS
session resumption automatically to avoid interoperability issues.

[ Other info ]
Buster is fixed, so an upgrade reintroduces the CVE

Bastien
diff -Nru wpa-2.10/debian/changelog wpa-2.10/debian/changelog
--- wpa-2.10/debian/changelog	2023-02-24 13:01:35.0 +
+++ wpa-2.10/debian/changelog	2024-04-30 22:45:18.0 +
@@ -1,3 +1,19 @@
+wpa (2:2.10-12+deb12u1) bookworm; urgency=high
+
+  * Non-maintainer upload on behalf of the Security Team.
+  * Fix CVE-2023-52160 (Closes: #1064061):
+The implementation of PEAP in wpa_supplicant allows
+authentication bypass. For a successful attack,
+wpa_supplicant must be configured to not verify
+the network's TLS certificate during Phase 1
+authentication, and an eap_peap_decrypt vulnerability
+can then be abused to skip Phase 2 authentication.
+The attack vector is sending an EAP-TLV Success packet
+instead of starting Phase 2. This allows an adversary
+to impersonate Enterprise Wi-Fi networks.
+
+ -- Bastien Roucari??s   Tue, 30 Apr 2024 22:45:18 +
+
 wpa (2:2.10-12) unstable; urgency=medium
 
   * Prevent hostapd units from being started if there???s
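Review bot: the bug title says `package wpa/2:2.10-12`, which is the version already in bookworm, while this hunk introduces 2:2.10-12+deb12u1; please retitle the bug to the proposed version so the release team's tracking matches the upload. The entry text is otherwise the same as the bullseye one and shares its gaps: no mention of the new `phase2_auth` phase1 option or of TLS session resumption being disabled when Phase 2 is required, both of which users of affected networks will notice.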
diff -Nru wpa-2.10/debian/patches/0013-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch wpa-2.10/debian/patches/0013-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch
--- wpa-2.10/debian/patches/0013-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch	1970-01-01 00:00:00.0 +
+++ wpa-2.10/debian/patches/0013-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch	2024-04-30 22:42:02.0 +
@@ -0,0 +1,211 @@
+From: Jouni Malinen 
+Date: Sat, 8 Jul 2023 19:55:32 +0300
+Subject: CVE-2023-52160 PEAP client: Update Phase 2 authentication
+ requirements
+
+The previous PEAP client behavior allowed the server to skip Phase 2
+authentication with the expectation that the server was authenticated
+during Phase 1 through TLS server certificate validation. Various PEAP
+specifications are not exactly clear on what the behavior on this front
+is supposed to be and as such, this ended up being more flexible than
+the TTLS/FAST/TEAP cases. However, this is not really ideal when
+unfortunately common misconfiguration of PEAP is used in deployed
+devices where the server trust root (ca_cert) is not configured or the
+user has an easy option for allowing this validation step to be skipped.
+
+Change the default PEAP client behavior to be to require Phase 2
+authentication to be successfully completed for cases where TLS session
+resumption is not used and the client certificate has not been
+configured. Those two exceptions are the main cases where a deployed
+authentication server might skip Phase 2 and as such, where a more
+strict default behavior could result in undesired interoperability
+issues. Requiring Phase 2 authentication will end up disabling TLS
+session resumption automatically to avoid interoperability issues.
+
+Allow Phase 2 authentication behavior to be configured with a new phase1
+configuration parameter option:
+'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
+tunnel) behavior for PEAP:
+ * 0 = do not require Phase 2 authentication
+ * 1 = require Phase 2 authentication when client certificate
+   (private_key/client_cert) is no used and TLS session resumption was
+   not 

Processed: bookworm-pu: package wpa/2:2.10-12

2024-04-30 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:wpa
Bug #1070151 [release.debian.org] bookworm-pu: package wpa/2:2.10-12
Added indication that 1070151 affects src:wpa

-- 
1070151: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070151
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: bullseye-pu: package cloud-init/22.4.2-1

2024-04-30 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:cloud-init
Bug #1070137 [release.debian.org] bullseye-pu: package cloud-init/22.4.2-1
Added indication that 1070137 affects src:cloud-init

-- 
1070137: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070137
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1070137: bullseye-pu: package cloud-init/22.4.2-1

2024-04-30 Thread Noah Meyerhans
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: cloud-i...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:cloud-init

Hi folks.  This isn't a straightforward stable proposed-updates
request, but I think starting with such a request is probably the
right approach...

The cloud team builds official Debian images for multiple cloud
environments, including OpenStack, Microsoft Azure, and Amazon EC2.
We support all supported stable releases, including those supported by
the LTS team.  We build images including the backports kernels in
addition to the standard kernels.

To make a long story short, we build our Azure images with the
cloud-init package from bullseye-backports.  Images targeting other
cloud environments use cloud-init from the main repo.

As bullseye-backports nears its EOL date, we're faced with the
possibility that our Azure images contain unsupportable packages, and
that eventually (when bullseye-backports is archived) we'll be unable
to build new images at all.  These are scenarios we'd very much like
to avoid.

We've got at least a few options:

1. With an upcoming bullseye point release (how many more are there?)
   we update cloud-init to the version that's in bookworm.  This is
   the 22.4.2 package, which is close to the 22.4.1 package we're
   currently shipping on Azure.  22.4.2 is well tested in bookworm
   across all major cloud services, though we have not performed any
   major testing in a bullseye environment yet.  For non-Azure users,
   this would be an update from version 20.4.2, which is a pretty
   large change.

2. We introduce a new versioned cloud-init source and binary package
   in the bullseye security archive, e.g. something like
   cloud-init-22.4.1.  This would look similar to what the kernel team
   did with the linux-5.10 source package added to buster-security,
   and which I assume they plan on doing with linux-6.1 in
   bullseye-security.  The cloud team would transition to this new
   versioned package for the Azure images, but would continue using
   the existing bullseye package everywhere else.

3. We do nothing, and leave the bullseye Azure users without a
   supportable cloud-init package.

4. Something else?

There are pros and cons to each option.  Given bullseye's age and
cloud-init's blast radius (a regression could potentially disrupt the
provisioning process of cloud VMs, which is particularly disruptive in
such environments) I lean toward option (2) above, as it minimizes the
changes.  The obvious drawback is that we now have two versions of
cloud-init in the bullseye repositories, which was not the case
previously.  The cloud team is committed to supporting this situation
for the duration of the bullseye LTS lifetime.

I realize that the security and release teams won't specifically care
what choice we make once bullseye's final point release is issued, but
I suspect you'll both have useful insights into how best to approach
this situation, and we may need your signoff ahead of that event
depending on which path we choose.

Thanks.
noah



Bug#1070040: bookworm-pu: package dm-writeboost/???

2024-04-30 Thread Paul Gevers

Hi,

On 30-04-2024 8:54 a.m., Andreas Beckmann wrote:
> Can you point me to the code that evaluates dpkg's Testsuite-Triggers to
> schedule these tests? Maybe it's possible to convert dpkg's Testsuite
> field to a (hardcoded) list of additional triggers ...

I think you mean this:
https://salsa.debian.org/release-team/britney2/-/blob/master/britney2/utils.py?ref_type=heads#L609

Or probably more something like this one:
https://salsa.debian.org/release-team/britney2/-/blob/master/britney2/policies/autopkgtest.py?ref_type=heads#L615
and where it's used.

Having said that, I'm not a great fan of teaching britney2 about
autodep8 internal details.


Paul




Bug#1069672: bookworm-pu: package flatpak/1.14.8-1~deb12u1

2024-04-30 Thread Simon McVittie
Control: retitle -1 bookworm-pu: package flatpak/1.14.8-1~deb12u1

flatpak 1.14.7 has now been released, closely followed by 1.14.8 to
revert unintended changes to the libglnx and bubblewrap submodules.
I would like to get this into a Debian 12 point release if possible.

I'm sorry about the size of this update, but we've built up quite a large
backlog of bug-fix changes upstream, and until very recently I have been
the only person making releases, so their frequency is limited by my
available time. If time permits, I will try to do more, smaller stable
updates in future.

[ Impact ]
If not accepted, several known bugs remain present in stable.
The highest-visibility is that the developer name of an app appears
in the CLI where the app name should be, for example "The Chromium Authors"
instead of the correct "Chromium Web Browser".

Also, if we keep up with upstream stable releases, then next time there
is a CVE, we have the option of taking upstream's stable release directly
instead of having to backport individual patches.

[ Tests ]
This is a relatively straightforward backport of the version I uploaded
to unstable today.

There is a fairly comprehensive test suite. It cannot be run under schroot
or lxc due to limitations of nested containers, but I run it in
autopkgtest-virt-qemu before each upload, and ci.debian.net has now been
configured to run flatpak's tests under autopkgtest-virt-qemu as well.

Also successfully manually tested on some bookworm systems:
- Can still set up a fresh installation as per
  https://flathub.org/en-GB/setup/Debian and install/run an app
  (tested with org.gnome.Recipes)
- Can still upgrade apps on an existing installation
- `flatpak update`, with an updated version of Chromium available, fixes
  the developer-name bug mentioned above
- It is now possible to run e.g.
  `flatpak run --command=bash org.gnome.Recipes` inside a
  `podman run --privileged` container with no D-Bus system bus, which
  wasn't possible before
  (tested without Recommends, other than ca-certificates which is required
  for installing from Flathub)
- CVE-2024-32462 is still fixed

[ Risks ]
Somewhat low risk, all changes are targeted bug fixes. I would say that
the highest-risk are the alterations to how AppStream metadata is parsed
and displayed, but several distributions are already using those changes
via the 1.15.x branch and we have not had regression reports.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

* Makefile.am,
  configure.ac,
  data/Makefile.am.inc,
  data/tmpfiles.d/flatpak.conf,
  debian/flatpak.install,
  sideload-repos-systemd/Makefile.am.inc:
  - Add systemd-tmpfiles snippet run during boot to delete any obsolete
/var/tmp/flatpak-cache-* from the previous boot

* app/flatpak-builtins-build.c,
  common/flatpak-dir.c,
  common/flatpak-run.c,
  debian/patches/*,
  tests/test-run.sh:
  - Fix CVE-2024-32462 in upstream source instead of via a patch

* app/flatpak-builtins-ps.c:
  - Use xdg-desktop-portal-gnome in addition to -gtk and -kde to determine
whether an app is running in the background

* app/flatpak-builtins-remote-info.c:
  - Fix display of app info in `flatpak remote-info`
  - Fix some uses of deprecated libappstream API
  - Forward-compatibility with libappstream 0.17.x and 1.0

* app/flatpak-builtins-remote-ls.c,
  app/flatpak-builtins-search.c,
  app/flatpak-builtins-utils.c,
  app/flatpak-builtins-utils.h,
  config.h.in,
  configure.ac:
  - Fix some uses of deprecated libappstream API
  - Forward-compatibility with libappstream 0.17.x and 1.0

* app/flatpak-builtins-run.c,
  tests/testlibrary.c:
  - Silence compiler warning false-positives

* common/flatpak-appdata.c,
  tests/make-test-app.sh,
  tests/test-info.sh:
  - Don't parse the app developer name as though it was the app name
(for newly-installed apps the fix takes effect immediately, for
affected apps that were installed with an older Flatpak the fix will
take effect the next time that app is upgraded)

* common/flatpak-dir.c:
  - Automatically reload D-Bus session bus configuration on new
installations and upgrades, so that new .service files are reliably
picked up
  - Forward compatibility with newer GLib
  - Silence a compiler warning false-positive
  - Fix a minor memory leak

* common/flatpak-prune.c:
  - Fix some signed integer arithmetic that is strictly speaking
undefined behaviour

* common/flatpak-run.c,
  doc/flatpak-run.xml:
  - Don't let the sandboxed app inherit a wrong value for various
environment variables from the host system related to ld.so, EGL
and Vulkan

* common/flatpak-run.c,
  tests/test-repo.sh:
  - Don't try to repeat data migration for apps whose data was already
migrated to a new name and then deleted

* common/flatpak-run.c:
  - Ensure that 

Processed: Re: Bug#1069672: bookworm-pu: package flatpak/1.14.8-1~deb12u1

2024-04-30 Thread Debian Bug Tracking System
Processing control commands:

> retitle -1 bookworm-pu: package flatpak/1.14.8-1~deb12u1
Bug #1069672 [release.debian.org] bookworm-pu: package flatpak/1.14.6-1~deb12u1 
or 1.14.7-1~deb12u1
Changed Bug title to 'bookworm-pu: package flatpak/1.14.8-1~deb12u1' from 
'bookworm-pu: package flatpak/1.14.6-1~deb12u1 or 1.14.7-1~deb12u1'.

-- 
1069672: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069672
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1070121: nmu: coreutils_9.4-3 (trixie), pam_1.5.2-9.1 (trixie)

2024-04-30 Thread Sebastian Ramacher
On 2024-04-30 15:44:51 +0100, Simon McVittie wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: binnmu
> X-Debbugs-Cc: coreut...@packages.debian.org, p...@packages.debian.org, 
> debian-b...@lists.debian.org
> Control: affects -1 + src:coreutils src:pam
> 
> coreutils_9.4-3.1 and pam_1.5.3-7 aren't currently migrating to trixie
> for whatever reason. Because debootstrap doesn't currently know about
> versioned Provides, I think it would be useful to get versions of these
> packages in trixie that have been rebuilt against the 64-bit time_t ABIs
> and package names.
> 
> If the versions in trixie don't migrate imminently, please consider:
> 
> nmu coreutils_9.4-3 . ANY . trixie . -m "rebuild against libssl3t64"
> nmu pam_1.5.2-9.1 . ANY . trixie . -m "rebuild against libdb5.3t64"
> 
> In a trixie derivative (a non-public future branch of the Steam Runtime)
> I found that local rebuilds of those two source packages were enough to
> bring a minbase debootstrap back from repeatably failing to reasonably
> reliable. I hope they would have a similar effect in real trixie.
> 
> Based on kibi's thread "Making trixie debootstrap-able again?" on -release
> and -boot, binNMUing util-linux and iproute2 might also help for d-i's
> use-case, which is larger than minbase and wants fdisk and iproute2:
> 
> nmu util-linux_2.39.3-6 . ANY . trixie . -m "rebuild against libreadline8t64"
> nmu iproute2_6.7.0-2 . ANY . trixie . -m "rebuild against libtirpc3t64"
> 
> but I have not independently verified that those two are necessary
> or sufficient.

The packages would be ready to migrate to trixie, but migrating them
makes britney crash. I don't expect that to change when we rebuild the
packages in trixie.

Cheers
-- 
Sebastian Ramacher



Bug#1065309: transition: gnat (12 -> 13 + time_t64)

2024-04-30 Thread Graham Inggs
Hi Nicholas

On Tue, 30 Apr 2024 at 12:33, Nicolas Boulenguez  wrote:
> The time_t64 transition has triggered #1067453 in the Ada compiler,
> which is now fixed by gcc-13/13.2.0-24.
>
> The patch modifies the sources of the Ada standard library, so most
> Ada packages need a rebuild in order to update their dependencies
> (gnat-13  Provides: gnat-13-HASH
>  each Ada library Provides: libFOO-dev-HASH
>  and each consumer Depends: gnat-13-HASH, libFOO-HASH).
>
> Please schedule the following rebuilds.
>
> nmu adacgi_1.6-34 . ANY . -m 'Rebuild with #1067453 fixed in 
> gnat.  Closes: #1067070.'
> dw  adacgi_1.6-34 . ANY . -m 'gnat-13 (>= 13.2.0-24)'
> nmu adasockets_1.14-1 . ANY . -m 'Rebuild with #1067453 fixed in 
> gnat.'
> dw  adasockets_1.14-1 . ANY . -m 'gnat-13 (>= 13.2.0-24)'
> nmu ahven_2.8.9   . ANY . -m 'Rebuild with #1067453 fixed in 
> gnat.  Closes: #1067224, #1069469.'
> dw  ahven_2.8.9   . ANY . -m 'gnat-13 (>= 13.2.0-24)'
> nmu libaunit_24.0.0-2 . ANY . -m 'Rebuild with #1067453 fixed in 
> gnat.  Closes: #1067071.'
> dw  libaunit_24.0.0-2 . ANY . -m 'gnat-13 (>= 13.2.0-24)'
> nmu libgmpada_1.6-2   . ANY . -m 'Rebuild with #1067453 fixed in 
> gnat.'
> dw  libgmpada_1.6-2   . ANY . -m 'gnat-13 (>= 13.2.0-24)'
> nmu libncursesada_6.3.20211021-11 . ANY . -m 'Rebuild with #1067453 fixed in 
> gnat.  Closes: #1067073.'
> dw  libncursesada_6.3.20211021-11 . ANY . -m 'gnat-13 (>= 13.2.0-24)'
> nmu libtexttools_2.1.0-28 . ANY . -m 'Rebuild with #1067453 fixed in 
> gnat.  Closes: #1069476.'
> dw  libtexttools_2.1.0-28 . ANY . -m 'gnat-13 (>= 13.2.0-24)'
> nmu libxmlada_24.0.0-2. ANY . -m 'Rebuild with #1067453 fixed in 
> gnat'
> dw  libxmlada_24.0.0-2. ANY . -m 'gnat-13 (>= 13.2.0-24)'
> nmu libxmlezout_1.06.2-14 . ANY . -m 'Rebuild with #1067453 fixed in 
> gnat.  Closes: #1067220.'
> dw  libxmlezout_1.06.2-14 . ANY . -m 'gnat-13 (>= 13.2.0-24)'
>
> nmu liblog4ada_1.3.1.b6dafb49-13  . ANY . -m 'Rebuild with #1067453 fixed in 
> gnat.  Closes: #1067074.'
> dw  liblog4ada_1.3.1.b6dafb49-13  . ANY . -m 'libxmezout-dev (>= 
> 1.06.2-14+b1)'
>
> nmu anet_0.5.0-3  . ANY . -m 'Rebuild with #1067453 fixed in 
> gnat.  Closes: #1067353.'
> dw  anet_0.5.0-3  . ANY . -m 'libahven-dev (>= 2.8.9+b1)'
> nmu dbusada_0.6.2-6   . ANY . -m 'Rebuild with #1067453 fixed in 
> gnat.  Closes: #1069421.'
> dw  dbusada_0.6-2-6   . ANY . -m 'libahven-dev (>= 2.8.9+b1)'
> nmu libalog_0.6.2-5   . ANY . -m 'Rebuild with #1067453 fixed in 
> gnat.  Closes: #1069454.'
> dw  libalog_0.6.2-5   . ANY . -m 'libahven-dev (>= 2.8.9+b1)'
> nmu pcscada_0.7.7-6   . ANY . -m 'Rebuild with #1067453 fixed in 
> gnat.  Closes: #1069468.'
> dw  pcscada_0.7.7-6   . ANY . -m 'libahven-dev (>= 2.8.9+b1)'
>
> nmu libtemplates-parser_24.0.0-2  . ANY . -m 'Rebuild with #1067453 fixed in 
> gnat.'
> dw  libtemplates-parser_24.0.0-2  . ANY . -m 'libxmlada-unicode-dev (>= 
> 24.0.0-2+b1)'
> nmu gprbuild_2024.1.20231009-4. ANY . -m 'Rebuild with #1067453 fixed in 
> gnat.  Closes: #1069467.'
> dw  gprbuild_2024.1.20231009-4. ANY . -m 'libxmlada-unicode-dev (>= 
> 24.0.0-2+b1)'
>
> nmu libgnatcoll_24.1.20230921-4   . ANY . -m 'Rebuild with #1067453 fixed in 
> gnat.'
> dw  libgnatcoll_24.1.20230921-4   . ANY . -m 'libgnatprj-dev (>= 
> 2024.1.20231009-4+b1)'
>
> nmu libgnatcoll-bindings_24.0.0-2 . ANY . -m 'Rebuild with #1067453 fixed in 
> gnat.'
> dw  libgnatcoll-bindings_24.0.0-2 . ANY . -m 'libgnatcoll-dev (>= 
> 24.1.20230921-4+b1)'
>
> nmu libgnatcoll-db_23.0.0-6   . ANY . -m 'Rebuild with #1067453 fixed in 
> gnat.'
> dw  libgnatcoll-db_23.0.0-6   . ANY . -m 'libgnatcoll-iconv-dev (>= 
> 24.0.0-2+b1)'

Scheduled, thanks, with a couple of fixed typos in versions;
ahven_2.8.9 -> 2.8-9 and dbusada_0.6-2-6 -> 0.6.2-6.

I'll check on the buildds later to see if any additional binNMUs are
required to get the +b versions aligned.

Regards
Graham



Bug#1055656: A one-liner fix needed before telegram-desktop backporting

2024-04-30 Thread Boyuan Yang
Hi all,

On Fri, 2024-04-19 at 11:39 -0400, Boyuan Yang wrote:
> Hi Nicolas,
> 
> On Tue, 2024-04-09 at 10:51 +0300, Egor Duda wrote:
> > Hello!
> > 
> > Any news on this one?
> > 
> > It seems that Debian maintainers gave their go-ahead on
> > https://bugs.debian.org/1055656
> > 
> > And, in any case, big thanks for all your work on maintaining
> > telegram-desktop in Debian!
> 
> While this change may now not be enough to get telegram-desktop
> backport done, I think we can upload this specific fix already to
> close this bug report.
> 
> If you are not having time on it, I can upload this version with the
> approved changes to bookworm. Just let me know whether you think it's OK.

Since this bookworm-pu has been approved by the Release Team, I am
uploading it as-is into DELAYED/7.

If anyone has any concerns, please let me know ASAP if you want to stop
the upload.

Thanks,
Boyuan Yang




Processed: nmu: coreutils_9.4-3 (trixie), pam_1.5.2-9.1 (trixie)

2024-04-30 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:coreutils src:pam
Bug #1070121 [release.debian.org] nmu: coreutils_9.4-3 (trixie), pam_1.5.2-9.1 
(trixie)
Added indication that 1070121 affects src:coreutils and src:pam

-- 
1070121: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070121
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1070121: nmu: coreutils_9.4-3 (trixie), pam_1.5.2-9.1 (trixie)

2024-04-30 Thread Simon McVittie
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu
X-Debbugs-Cc: coreut...@packages.debian.org, p...@packages.debian.org, 
debian-b...@lists.debian.org
Control: affects -1 + src:coreutils src:pam

coreutils_9.4-3.1 and pam_1.5.3-7 aren't currently migrating to trixie
for whatever reason. Because debootstrap doesn't currently know about
versioned Provides, I think it would be useful to get versions of these
packages in trixie that have been rebuilt against the 64-bit time_t ABIs
and package names.

If the versions in trixie don't migrate imminently, please consider:

nmu coreutils_9.4-3 . ANY . trixie . -m "rebuild against libssl3t64"
nmu pam_1.5.2-9.1 . ANY . trixie . -m "rebuild against libdb5.3t64"

In a trixie derivative (a non-public future branch of the Steam Runtime)
I found that local rebuilds of those two source packages were enough to
bring a minbase debootstrap back from repeatably failing to reasonably
reliable. I hope they would have a similar effect in real trixie.

Based on kibi's thread "Making trixie debootstrap-able again?" on -release
and -boot, binNMUing util-linux and iproute2 might also help for d-i's
use-case, which is larger than minbase and wants fdisk and iproute2:

nmu util-linux_2.39.3-6 . ANY . trixie . -m "rebuild against libreadline8t64"
nmu iproute2_6.7.0-2 . ANY . trixie . -m "rebuild against libtirpc3t64"

but I have not independently verified that those two are necessary
or sufficient.

smcv



Bug#1065309: transition: gnat (12 -> 13 + time_t64)

2024-04-30 Thread Nicolas Boulenguez
Package: release.debian.org
Followup-For: Bug #1065309

Hello.

The time_t64 transition has triggered #1067453 in the Ada compiler,
which is now fixed by gcc-13/13.2.0-24.

The patch modifies the sources of the Ada standard library, so most
Ada packages need a rebuild in order to update their dependencies
(gnat-13  Provides: gnat-13-HASH
 each Ada library Provides: libFOO-dev-HASH
 and each consumer Depends: gnat-13-HASH, libFOO-HASH).

Please schedule the following rebuilds.

nmu adacgi_1.6-34 . ANY . -m 'Rebuild with #1067453 fixed in 
gnat.  Closes: #1067070.'
dw  adacgi_1.6-34 . ANY . -m 'gnat-13 (>= 13.2.0-24)'
nmu adasockets_1.14-1 . ANY . -m 'Rebuild with #1067453 fixed in 
gnat.'
dw  adasockets_1.14-1 . ANY . -m 'gnat-13 (>= 13.2.0-24)'
nmu ahven_2.8.9   . ANY . -m 'Rebuild with #1067453 fixed in 
gnat.  Closes: #1067224, #1069469.'
dw  ahven_2.8.9   . ANY . -m 'gnat-13 (>= 13.2.0-24)'
nmu libaunit_24.0.0-2 . ANY . -m 'Rebuild with #1067453 fixed in 
gnat.  Closes: #1067071.'
dw  libaunit_24.0.0-2 . ANY . -m 'gnat-13 (>= 13.2.0-24)'
nmu libgmpada_1.6-2   . ANY . -m 'Rebuild with #1067453 fixed in 
gnat.'
dw  libgmpada_1.6-2   . ANY . -m 'gnat-13 (>= 13.2.0-24)'
nmu libncursesada_6.3.20211021-11 . ANY . -m 'Rebuild with #1067453 fixed in 
gnat.  Closes: #1067073.'
dw  libncursesada_6.3.20211021-11 . ANY . -m 'gnat-13 (>= 13.2.0-24)'
nmu libtexttools_2.1.0-28 . ANY . -m 'Rebuild with #1067453 fixed in 
gnat.  Closes: #1069476.'
dw  libtexttools_2.1.0-28 . ANY . -m 'gnat-13 (>= 13.2.0-24)'
nmu libxmlada_24.0.0-2. ANY . -m 'Rebuild with #1067453 fixed in 
gnat'
dw  libxmlada_24.0.0-2. ANY . -m 'gnat-13 (>= 13.2.0-24)'
nmu libxmlezout_1.06.2-14 . ANY . -m 'Rebuild with #1067453 fixed in 
gnat.  Closes: #1067220.'
dw  libxmlezout_1.06.2-14 . ANY . -m 'gnat-13 (>= 13.2.0-24)'

nmu liblog4ada_1.3.1.b6dafb49-13  . ANY . -m 'Rebuild with #1067453 fixed in 
gnat.  Closes: #1067074.'
dw  liblog4ada_1.3.1.b6dafb49-13  . ANY . -m 'libxmezout-dev (>= 1.06.2-14+b1)'

nmu anet_0.5.0-3  . ANY . -m 'Rebuild with #1067453 fixed in 
gnat.  Closes: #1067353.'
dw  anet_0.5.0-3  . ANY . -m 'libahven-dev (>= 2.8.9+b1)'
nmu dbusada_0.6.2-6   . ANY . -m 'Rebuild with #1067453 fixed in 
gnat.  Closes: #1069421.'
dw  dbusada_0.6-2-6   . ANY . -m 'libahven-dev (>= 2.8.9+b1)'
nmu libalog_0.6.2-5   . ANY . -m 'Rebuild with #1067453 fixed in 
gnat.  Closes: #1069454.'
dw  libalog_0.6.2-5   . ANY . -m 'libahven-dev (>= 2.8.9+b1)'
nmu pcscada_0.7.7-6   . ANY . -m 'Rebuild with #1067453 fixed in 
gnat.  Closes: #1069468.'
dw  pcscada_0.7.7-6   . ANY . -m 'libahven-dev (>= 2.8.9+b1)'

nmu libtemplates-parser_24.0.0-2  . ANY . -m 'Rebuild with #1067453 fixed in 
gnat.'
dw  libtemplates-parser_24.0.0-2  . ANY . -m 'libxmlada-unicode-dev (>= 
24.0.0-2+b1)'
nmu gprbuild_2024.1.20231009-4. ANY . -m 'Rebuild with #1067453 fixed in 
gnat.  Closes: #1069467.'
dw  gprbuild_2024.1.20231009-4. ANY . -m 'libxmlada-unicode-dev (>= 
24.0.0-2+b1)'

nmu libgnatcoll_24.1.20230921-4   . ANY . -m 'Rebuild with #1067453 fixed in 
gnat.'
dw  libgnatcoll_24.1.20230921-4   . ANY . -m 'libgnatprj-dev (>= 
2024.1.20231009-4+b1)'

nmu libgnatcoll-bindings_24.0.0-2 . ANY . -m 'Rebuild with #1067453 fixed in 
gnat.'
dw  libgnatcoll-bindings_24.0.0-2 . ANY . -m 'libgnatcoll-dev (>= 
24.1.20230921-4+b1)'

nmu libgnatcoll-db_23.0.0-6   . ANY . -m 'Rebuild with #1067453 fixed in 
gnat.'
dw  libgnatcoll-db_23.0.0-6   . ANY . -m 'libgnatcoll-iconv-dev (>= 
24.0.0-2+b1)'

The alire, libflorist, libgtkada and plplot packages are also affected
but require a normal upload for other reasons anyway.

Thanks.
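The nmu/dw batch above (and the trixie rebuild requests elsewhere in this digest) uses the wanna-build command syntax, and Graham's reply shows how easily a version gets mistyped between an nmu line and its dw line. The following is an added example, not code from this thread or from wanna-build itself: it re-joins mail-wrapped commands, parses them, and checks that every dep-wait names the same source version as the nmu before it and that any `+bN` dep-wait points at a version actually being binNMUed in the batch. The syntax it assumes is `nmu <src>_<ver> . <arch> . [<suite> .] -m '<msg>'` / `dw <src>_<ver> . <arch> . -m '<pkg> (>= <ver>)'`, and the sample lines are constructed from this thread, including the dbusada typo.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Assumed wanna-build syntax (an illustration, not wanna-build's own parser):
#   nmu <source>_<version> . <arch> . [<suite> .] -m '<reason>'
#   dw  <source>_<version> . <arch> . -m '<package> (>= <version>)'
_CMD_RE = re.compile(
    r"^(?P<cmd>nmu|dw)\s+(?P<src>[a-z0-9][a-z0-9+.-]*)_(?P<ver>\S+)"
    r"\s+\.\s+(?P<arch>\S+)\s+\.\s+(?:(?P<suite>[a-z][a-z-]*)\s+\.\s+)?"
    r"-m\s+(?P<q>['\"])(?P<msg>.*)(?P=q)\s*$"
)
_DEP_RE = re.compile(r"^(?P<pkg>[a-z0-9][a-z0-9+.-]*)\s+\(>=\s*(?P<ver>[^)]+?)\s*\)$")


@dataclass
class Command:
    cmd: str
    source: str
    version: str
    arch: str
    suite: Optional[str]
    message: str


def unwrap(text: str) -> list[str]:
    """Re-join commands that a mail client wrapped onto continuation lines."""
    joined: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"(nmu|dw)\s", line) or not joined:
            joined.append(line)
        else:
            joined[-1] += " " + line
    return joined


def parse(text: str) -> list[Command]:
    cmds: list[Command] = []
    for line in unwrap(text):
        m = _CMD_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised wanna-build command: {line!r}")
        cmds.append(Command(m["cmd"], m["src"], m["ver"], m["arch"], m["suite"], m["msg"]))
    return cmds


def problems_in(text: str) -> list[str]:
    """Return human-readable consistency problems found in a batch of commands."""
    cmds = parse(text)
    batch_versions = {c.version for c in cmds if c.cmd == "nmu"}
    problems: list[str] = []
    prev: Optional[Command] = None
    for c in cmds:
        if c.cmd == "dw":
            # A dep-wait applies to the build it follows: same source, same version.
            if (prev is None or prev.cmd != "nmu"
                    or (prev.source, prev.version) != (c.source, c.version)):
                problems.append(f"dw {c.source}_{c.version} does not match the nmu line before it")
            dep = _DEP_RE.match(c.message)
            if dep is None:
                problems.append(f"dw {c.source}_{c.version}: cannot parse dep-wait {c.message!r}")
            else:
                base, sep, num = dep["ver"].rpartition("+b")
                # A '+bN' dep-wait must wait for a binNMU scheduled in this same batch.
                if sep and num.isdigit() and base not in batch_versions:
                    problems.append(f"dw {c.source}_{c.version} waits for {dep['pkg']} "
                                    f"{dep['ver']}, but no nmu of version {base} is in the batch")
        prev = c
    return problems


# Constructed sample, copied from requests in this thread (including the dbusada
# version typo that Graham corrected) plus one suite-qualified request.
SAMPLE = """\
nmu ahven_2.8.9   . ANY . -m 'Rebuild with #1067453 fixed in
gnat.  Closes: #1067224, #1069469.'
dw  ahven_2.8.9   . ANY . -m 'gnat-13 (>= 13.2.0-24)'
nmu dbusada_0.6.2-6   . ANY . -m 'Rebuild with #1067453 fixed in
gnat.  Closes: #1069421.'
dw  dbusada_0.6-2-6   . ANY . -m 'libahven-dev (>= 2.8.9+b1)'
nmu coreutils_9.4-3 . ANY . trixie . -m "rebuild against libssl3t64"
"""

if __name__ == "__main__":
    for command in parse(SAMPLE):
        print(command)
    for problem in problems_in(SAMPLE):
        print("PROBLEM:", problem)
```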



Bug#1070108: bullseye-pu: package org-mode/9.4.0+dfsg-1+deb11u2

2024-04-30 Thread Sean Whitton
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: org-m...@packages.debian.org
Control: affects -1 + src:org-mode
Control: block -1 by 1069943

This is a security update for CVEs marked no-dsa by the secteam.
It backports a series of upstream commits for CVE-2024-30203, CVE-2024-30204
and CVE-2024-30205.

I had to backport a feature that the fixes use to pop up a dialog asking the
user about the potentially unsafe remote resources.
This involves only localised code changes, and is already two years old, so
has received an adequate amount of testing upstream.

The fix depends on some corresponding changes to Emacs, in #1069943.

I manually tested the fixes using reproducers provided in the BTS and from
upstream.  The fixes are already in unstable.  I have uploaded to oldstable-pu.

-- 
Sean Whitton
diff -Nru org-mode-9.4.0+dfsg/debian/changelog 
org-mode-9.4.0+dfsg/debian/changelog
--- org-mode-9.4.0+dfsg/debian/changelog2023-08-03 14:28:47.0 
+0100
+++ org-mode-9.4.0+dfsg/debian/changelog2024-04-30 09:08:33.0 
+0100
@@ -1,3 +1,11 @@
+org-mode (9.4.0+dfsg-1+deb11u2) bullseye; urgency=high
+
+  * Team upload.
+  * Fix CVE-2024-30203, CVE-2024-30204 & CVE-2024-30205 (Closes: #1067663).
+- Require Emacs 1:27.1+1-3.1+deb11u3 to ensure we get the whole fix.
+
+ -- Sean Whitton   Tue, 30 Apr 2024 09:08:33 +0100
+
 org-mode (9.4.0+dfsg-1+deb11u1) bullseye; urgency=medium
 
   * Team upload.
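Review bot: the changelog entry names the three CVEs but not the user-visible side effect described in the cover message, namely the backported feature that pops up a dialog asking about potentially unsafe remote resources; a line such as "Backport the remote-resource confirmation prompt the fixes rely on" would let bullseye users recognise the new prompt as intended behaviour rather than a regression.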
diff -Nru org-mode-9.4.0+dfsg/debian/control org-mode-9.4.0+dfsg/debian/control
--- org-mode-9.4.0+dfsg/debian/control  2023-08-03 14:28:47.0 +0100
+++ org-mode-9.4.0+dfsg/debian/control  2024-04-30 09:08:33.0 +0100
@@ -11,7 +11,8 @@
 
 Package: elpa-org
 Architecture: all
-Depends: ${elpa:Depends}, ${misc:Depends}, elpa-htmlize
+Depends: ${elpa:Depends}, ${misc:Depends}, elpa-htmlize,
+ emacs-gtk (>= 1:27.1+1-3.1+deb11u3) | emacs-lucid (>= 1:27.1+1-3.1+deb11u3) | 
emacs-nox (>= 1:27.1+1-3.1+deb11u3)
 Recommends: emacs (>= 46.0)
 Suggests: org-mode-doc, ditaa, texlive-latex-extra, texlive-fonts-recommended, 
texinfo
 Enhances: emacs,
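Review bot: the added Depends alternatives are shown here across two physical lines, with the break after `emacs-lucid (>= 1:27.1+1-3.1+deb11u3) |` and `emacs-nox (>= 1:27.1+1-3.1+deb11u3)` starting at column 0; in debian/control a continuation line must begin with whitespace, so confirm this is only mail wrapping and the file carries the whole group on one continuation line, otherwise `emacs-nox (...)` is parsed as a malformed field. It would also help to record, in a d/control comment or the changelog, that these explicit versioned flavour dependencies exist alongside `${elpa:Depends}` so that the two are kept in step on future updates.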
diff -Nru 
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_01.patch 
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_01.patch
--- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_01.patch   
1970-01-01 01:00:00.0 +0100
+++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_01.patch   
2024-04-30 09:08:33.0 +0100
@@ -0,0 +1,56 @@
+From: Ihor Radchenko 
+Date: Tue, 20 Feb 2024 12:47:24 +0300
+Subject: org-latex-preview: Add protection when `untrusted-content' is
+ non-nil
+
+* lisp/org/org.el (org--latex-preview-when-risky): New variable
+controlling how to handle LaTeX previews in Org files from untrusted
+origin.
+(org-latex-preview): Consult `org--latex-preview-when-risky' before
+generating previews.
+
+This patch adds a layer of protection when LaTeX preview is requested
+for an email attachment, where `untrusted-content' is set to non-nil.
+
+(cherry picked from Emacs commit 6f9ea396f49cbe38c2173e0a72ba6af3e03b271c)
+---
+ lisp/org.el | 19 +++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/lisp/org.el b/lisp/org.el
+index 4964e01..eea46cb 100644
+--- a/lisp/org.el
 b/lisp/org.el
+@@ -1074,6 +1074,24 @@ the following lines anywhere in the buffer:
+   :package-version '(Org . "8.0")
+   :type 'boolean)
+ 
++(defvar untrusted-content) ; defined in files.el
++(defvar org--latex-preview-when-risky nil
++  "If non-nil, enable LaTeX preview in Org buffers from unsafe source.
++
++Some specially designed LaTeX code may generate huge pdf or log files
++that may exhaust disk space.
++
++This variable controls how to handle LaTeX preview when rendering LaTeX
++fragments that originate from incoming email messages.  It has no effect
++when Org mode is unable to determine the origin of the Org buffer.
++
++An Org buffer is considered to be from unsafe source when the
++variable `untrusted-content' has a non-nil value in the buffer.
++
++If this variable is non-nil, LaTeX previews are rendered unconditionally.
++
++This variable may be renamed or changed in the future.")
++
+ (defcustom org-insert-mode-line-in-empty-file nil
+   "Non-nil means insert the first line setting Org mode in empty files.
+ When the function `org-mode' is called interactively in an empty file, this
+@@ -15820,6 +15838,7 @@ fragments in the buffer."
+   (interactive "P")
+   (cond
+((not (display-graphic-p)) nil)
++   ((and untrusted-content (not org--latex-preview-when-risky)) nil)
+;; Clear whole buffer.
+((equal arg '(64))
+ (org-clear-latex-preview (point-min) (point-max))
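Review bot: the `+++ b/lisp/org.el` file header of the embedded patch appears here as a bare ` b/lisp/org.el` with its prefix lost, so check that the .patch file in the upload is intact before quilt sees it. On the logic, the new clause `((and untrusted-content (not org--latex-preview-when-risky)) nil)` silently skips preview generation in untrusted buffers; since the cover message says the other fixes prompt the user, consider a `message` here too so that someone previewing an attachment learns why `org-latex-preview` did nothing rather than suspecting a broken LaTeX setup. The `(defvar untrusted-content)` forward declaration is the right way to keep the byte-compiler quiet about the variable from files.el.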
diff -Nru 
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_02.patch 
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_02.patch
--- 

Processed: bullseye-pu: package org-mode/9.4.0+dfsg-1+deb11u2

2024-04-30 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:org-mode
Bug #1070108 [release.debian.org] bullseye-pu: package 
org-mode/9.4.0+dfsg-1+deb11u2
Added indication that 1070108 affects src:org-mode
> block -1 by 1069943
Bug #1070108 [release.debian.org] bullseye-pu: package 
org-mode/9.4.0+dfsg-1+deb11u2
1070108 was not blocked by any bugs.
1070108 was not blocking any bugs.
Added blocking bug(s) of 1070108: 1069943

-- 
1070108: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070108
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1070040: bookworm-pu: package dm-writeboost/???

2024-04-30 Thread Andreas Beckmann

On 30/04/2024 07.40, Paul Gevers wrote:
> On 30-04-2024 12:43 a.m., Andreas Beckmann wrote:
>> Testsuite: autopkgtest-pkg-dkms
>
> Right. I was talking about Testsuite-Triggers in the sources file
> generated by dpkg.
>
>> Perhaps you can spot what's wrong with this setup s.t. it does not
>> trigger as intended.
>
> I hope it's clear now.

Thanks. That really explains why it's not working as I expected. At
least for most packages. nvidia-graphics-drivers got lucky because there
is also a (manual) test for building the module from the -source package
with m-a which also has the linux-doc dependency.

> Related, for future reference, we also have the
> hint-testsuite-triggers [1] restriction in autopkgtest.

I know, but using that for every package would be against the spirit of
Testsuite: autopkgtest-foo ;-)

Can you point me to the code that evaluates dpkg's Testsuite-Triggers to
schedule these tests? Maybe it's possible to convert dpkg's Testsuite
field to a (hardcoded) list of additional triggers ...


Andreas