Bug#1074259: transition: alglib
Done. Anton On Wed, 26 June 2024 at 09:10, Emilio Pozuelo Monfort wrote: > > Control: tags -1 confirmed > > On 25/06/2024 15:14, Anton Gladky wrote: > > Package: release.debian.org > > Severity: normal > > X-Debbugs-Cc: alg...@packages.debian.org > > Control: affects -1 + src:alglib > > User: release.debian@packages.debian.org > > Usertags: transition > > > > > > Dear release team, > > > > please schedule a tiny transition of the new version of > > alglib library. There are only 3 dependencies and they > > are all building fine against new alglib. > > Go ahead. > > Cheers, > Emilio
Bug#1074259: transition: alglib
Package: release.debian.org Severity: normal X-Debbugs-Cc: alg...@packages.debian.org Control: affects -1 + src:alglib User: release.debian@packages.debian.org Usertags: transition Dear release team, please schedule a tiny transition of the new version of alglib library. There are only 3 dependencies and they are all building fine against new alglib. Thanks Ben file: title = "alglib"; is_affected = .depends ~ "libalglib4.0" | .depends ~ "libalglib4.2"; is_good = .depends ~ "libalglib4.2"; is_bad = .depends ~ "libalglib4.0";
Bug#1061200: transition: vtk9
Hi, it looks like the transition can be finished soon. Please check. Thanks Anton
Bug#1061200: transition: vtk9
Hi Sebastian, thanks for the note. Yes, I started to work on it. liggghts is already fixed. Regards Anton On Sun, 9 June 2024 at 18:07, Sebastian Ramacher < sramac...@debian.org> wrote: > Hi Anton > > On 2024-06-08 09:44:05 +0200, Anton Gladky wrote: > > Uploaded and built on all relevant platforms. > > Please, schedule the rebuild. > > There are some failures. #1072822 in gdcm looks like an issue in vtk9 > though. could you please take a look? > > Cheers > > > > > Thank you. > > > > Anton > > > > > > On Sun, 2 June 2024 at 13:10, Sebastian Ramacher < > > sramac...@debian.org> wrote: > > > > > Control: tags -1 confirmed > > > > > > On 2024-01-20 18:15:32 +0100, Anton Gladky wrote: > > > > Package: release.debian.org > > > > Severity: normal > > > > User: release.debian@packages.debian.org > > > > Usertags: transition > > > > X-Debbugs-Cc: v...@packages.debian.org > > > > Control: affects -1 + src:vtk9 > > > > > > > > > > > > Dear release team, > > > > > > > > please schedule vtk9.3 transition. > > > > > > > > Ben file: > > > > > > > > title = "vtk9"; > > > > is_affected = .depends ~ "libvtk9\.1|libvtk9\.1\-qt" | .depends ~ > > > "libvtk9\.3|libvtk9\.3\-qt"; > > > > is_good = .depends ~ "libvtk9\.3|libvtk9\.3\-qt"; > > > > is_bad = .depends ~ "libvtk9\.1|libvtk9\.1\-qt"; > > > > > > > > I have done a full rebuild and some failures are detected. Bugs > (most of > > > them with patches) will > > > > be filed in the next time. > > > > > > Please go ahead. > > > > > > Cheers > > > -- > > > Sebastian Ramacher > > > > > -- > Sebastian Ramacher >
Bug#1061200: transition: vtk9
Uploaded and built on all relevant platforms. Please, schedule the rebuild. Thank you. Anton On Sun, 2 June 2024 at 13:10, Sebastian Ramacher < sramac...@debian.org> wrote: > Control: tags -1 confirmed > > On 2024-01-20 18:15:32 +0100, Anton Gladky wrote: > > Package: release.debian.org > > Severity: normal > > User: release.debian@packages.debian.org > > Usertags: transition > > X-Debbugs-Cc: v...@packages.debian.org > > Control: affects -1 + src:vtk9 > > > > > > Dear release team, > > > > please schedule vtk9.3 transition. > > > > Ben file: > > > > title = "vtk9"; > > is_affected = .depends ~ "libvtk9\.1|libvtk9\.1\-qt" | .depends ~ > "libvtk9\.3|libvtk9\.3\-qt"; > > is_good = .depends ~ "libvtk9\.3|libvtk9\.3\-qt"; > > is_bad = .depends ~ "libvtk9\.1|libvtk9\.1\-qt"; > > > > I have done a full rebuild and some failures are detected. Bugs (most of > them with patches) will > > be filed in the next time. > > Please go ahead. > > Cheers > -- > Sebastian Ramacher >
Bug#1061200: transition: vtk9
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition X-Debbugs-Cc: v...@packages.debian.org Control: affects -1 + src:vtk9 Dear release team, please schedule vtk9.3 transition. Ben file: title = "vtk9"; is_affected = .depends ~ "libvtk9\.1|libvtk9\.1\-qt" | .depends ~ "libvtk9\.3|libvtk9\.3\-qt"; is_good = .depends ~ "libvtk9\.3|libvtk9\.3\-qt"; is_bad = .depends ~ "libvtk9\.1|libvtk9\.1\-qt"; I have done a full rebuild and some failures are detected. Bugs (most of them with patches) will be filed in the next time. Thank you Anton
Bug#1059961: transition: benchmark
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition X-Debbugs-Cc: benchm...@packages.debian.org Control: affects -1 + src:benchmark Dear release team, please schedule a tiny benchmark transition. Thanks! Ben file: title = "benchmark"; is_affected = .depends ~ "libbenchmark1debian" | .depends ~ "libbenchmark1.8.3"; is_good = .depends ~ "libbenchmark1.8.3"; is_bad = .depends ~ "libbenchmark1debian";
Bug#1028489: boost1.83 as default
Hi Sebastian, uploaded. Anton On Sun, 17 Dec 2023 at 18:13, Sebastian Ramacher wrote: ... > Please go ahead. > > Cheers > -- > Sebastian Ramacher
Bug#1028489: boost1.83 as default
Hi Sebastian, bugs are filed: https://udd.debian.org/bugs/?release=na=ign=7=7=only=ftbfs-boost183-transition=gl...@debian.org=1=1=1=1#results Regards Anton
Bug#1028489: boost1.83 as default
retitle 1028489 transition: boost1.83 thanks Dear release team, please consider an updated ben-file. Thanks! Ben file: title = "boost1.83"; is_affected = .depends ~ /libboost[a-z-.]*1\.[74]/ is_good = .depends ~ /libboost[a-z-.]*1\.83/ is_bad = .depends ~ /libboost[a-z-.]*1\.74/
Bug#1053912: transition: alglib
Hi Sebastian, uploaded, thanks! Anton On Tue, 17 Oct 2023 at 17:37, Sebastian Ramacher < sramac...@debian.org> wrote: > Control: tags -1 confirmed > Control: forwarded -1 > https://release.debian.org/transitions/html/auto-alglib.html > > Hi Anton > > On 2023-10-14 09:59:15 +0200, Anton Gladky wrote: > > Please schedule the transition of alglib. All reverse dependencies are > built and fine. > > Please go ahead. > > Cheers > -- > Sebastian Ramacher >
Bug#1053912: transition: alglib
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition X-Debbugs-Cc: alg...@packages.debian.org Control: affects -1 + src:alglib Please schedule the transition of alglib. All reverse dependencies are built and fine. Thanks Ben file: title = "alglib"; is_affected = .depends ~ "libalglib3.19" | .depends ~ "libalglib4.0"; is_good = .depends ~ "libalglib4.0"; is_bad = .depends ~ "libalglib3.19";
Bug#1028489: transition: boost1.81
Hi James, thanks for the offer. At the moment I am preparing 1.83 and will ask for transition soon. Best regards David James wrote on Wed, 4 Oct 2023, 20:23: > Hi Anton, > > Is there anything I can do to help this transition along? I wish to > package software that does not build on 1.74, but does on 1.81 and 1.82. > If there's any way I can assist with bumping boost-defaults to 1.81 or 1.82 > I would be happy to help. > > Regards, > > David James > >
Bug#1028489: transition: boost1.81
Hi Sebastian, unfortunately no. I am considering though the packaging of 1.82. Let's see. Regards Anton On Tue, 20 June 2023 at 00:35, Sebastian Ramacher wrote: > > Hi Anton > > On 2023-01-30 19:28:37 +0100, Anton Gladky wrote: > > Hi Sebastian, > > > > thanks for the information. Let's do it just after release. > > > > Just for the record. The full test rebuild has been done (thanks to Lucas!). > > Results and logs are here: > > > > http://qa-logs.debian.net/2023/01/15/ > > Have bugs been filed for the failing builds? > > Cheers > -- > Sebastian Ramacher
Bug#1028489: transition: boost1.81
Hi Sebastian, thanks for the information. Let's do it just after release. Just for the record. The full test rebuild has been done (thanks to Lucas!). Results and logs are here: http://qa-logs.debian.net/2023/01/15/ Regards Anton
Bug#1028489: transition: boost1.81
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition X-Debbugs-Cc: boost1...@packages.debian.org Control: affects -1 + src:boost1.81 Dear release team, this is the placeholder for the possible upcoming boost1.81 transition. We are working hard to prepare the transition as smooth as possible. Large test rebuild of all dependent packages is planned. Thanks Ben file: title = "boost1.81"; is_affected = .depends ~ /libboost[a-z-.]*1\.[74]/ is_good = .depends ~ /libboost[a-z-.]*1\.81/ is_bad = .depends ~ /libboost[a-z-.]*1\.74/
Bug#1025056: transition: numerical library transition: hypre / petsc / slepc / sundials
Hi Sebastian, thanks for noting it! #1027402 is fixed now in unstable (that was wrong version in Breaks+Replaces). Regards Anton On Sat, 31 Dec 2022 at 14:20, Sebastian Ramacher wrote: > > Hi Anton > > On 2022-12-28 09:30:00 +0100, Anton Gladky wrote: > > Hi Sebastian, > > > > sundials is already in NEW, fixing two RC bugs. > > Dyssol will be uploaded shortly. > > It's now in unstable. Please also fix #1027402. > > Cheers > > > > > Regards > > > > Anton > > > > On Tue, 27 Dec 2022 at 12:23, Sebastian Ramacher > > wrote: > > > > > > Hi Drew, hi Anton > > > > > > On 2022-12-19 21:52:10 +0100, Sebastian Ramacher wrote: > > > > Hi Drew > > > > > > > > On 2022-12-19 18:14:53 +0100, Drew Parsons wrote: > > > > > The hypre/petsc part of this transition is complete. > > > > > > > > > > The sundials part is waiting for dyssol to be patched. Anton is > > > > > preparing > > > > > this. > > > > > > > > sundials will also need fixes for #1026330 and #1026352. > > > > > > Any news regarding sundials? > > > > > > Cheers > > > > > > > > > > > Cheers > > > > > > > > > > > > > > Drew > > > > > > > > > > > > > > > On 2022-11-29 23:34, Sebastian Ramacher wrote: > > > > > > Control: tags -1 confirmed > > > > > > > > > > > > Hi Drew > > > > > > > > > > > > On 2022-11-29 12:16:55 +0100, Drew Parsons wrote: > > > > > > > Package: release.debian.org > > > > > > > Severity: normal > > > > > > > User: release.debian@packages.debian.org > > > > > > > Usertags: transition > > > > > > > X-Debbugs-Cc: Anton Gladky > > > > > > > > > > > > > > We'd like to update the numerical library stack in time for the > > > > > > > new > > > > > > > stable release. 
> > > > > > > > > > > > > > Affected libraries are > > > > > > > > > > > > > > hypre2.25.0 -> 2.26.0 > > > > > > > petsc/slepc3.17 -> 3.18 > > > > > > > sundials 5.8.0 -> 6.4.1 > > > > > > > > > > > > > > Autotransitions are already generated: > > > > > > > https://release.debian.org/transitions/html/auto-hypre.html > > > > > > > https://release.debian.org/transitions/html/auto-petsc.html > > > > > > > https://release.debian.org/transitions/html/auto-slepc.html > > > > > > > https://release.debian.org/transitions/html/auto-sundials.html > > > > > > > > > > > > > > Most of the dependent packages are under our control > > > > > > > (Debian Science Team), octave is the main one outside our team. > > > > > > > > > > > > > > Updates have built fine in experimental and dependent > > > > > > > packages are building successfully against them. > > > > > > > > > > > > > > Anton Gladky will upload the sundials update. > > > > > > > > > > > > Please go ahead > > > > > > > > > > > > Cheers > > > > > > > > > > > > > -- > > > > Sebastian Ramacher > > > > > > > > > > -- > > > Sebastian Ramacher > > > > -- > Sebastian Ramacher
Bug#1025056: transition: numerical library transition: hypre / petsc / slepc / sundials
Hi Sebastian, sundials is already in NEW, fixing two RC bugs. Dyssol will be uploaded shortly. Regards Anton On Tue, 27 Dec 2022 at 12:23, Sebastian Ramacher wrote: > > Hi Drew, hi Anton > > On 2022-12-19 21:52:10 +0100, Sebastian Ramacher wrote: > > Hi Drew > > > > On 2022-12-19 18:14:53 +0100, Drew Parsons wrote: > > > The hypre/petsc part of this transition is complete. > > > > > > The sundials part is waiting for dyssol to be patched. Anton is preparing > > > this. > > > > sundials will also need fixes for #1026330 and #1026352. > > Any news regarding sundials? > > Cheers > > > > > Cheers > > > > > > > > Drew > > > > > > > > > On 2022-11-29 23:34, Sebastian Ramacher wrote: > > > > Control: tags -1 confirmed > > > > > > > > Hi Drew > > > > > > > > On 2022-11-29 12:16:55 +0100, Drew Parsons wrote: > > > > > Package: release.debian.org > > > > > Severity: normal > > > > > User: release.debian@packages.debian.org > > > > > Usertags: transition > > > > > X-Debbugs-Cc: Anton Gladky > > > > > > > > > > We'd like to update the numerical library stack in time for the new > > > > > stable release. > > > > > > > > > > Affected libraries are > > > > > > > > > > hypre2.25.0 -> 2.26.0 > > > > > petsc/slepc3.17 -> 3.18 > > > > > sundials 5.8.0 -> 6.4.1 > > > > > > > > > > Autotransitions are already generated: > > > > > https://release.debian.org/transitions/html/auto-hypre.html > > > > > https://release.debian.org/transitions/html/auto-petsc.html > > > > > https://release.debian.org/transitions/html/auto-slepc.html > > > > > https://release.debian.org/transitions/html/auto-sundials.html > > > > > > > > > > Most of the dependent packages are under our control > > > > > (Debian Science Team), octave is the main one outside our team. > > > > > > > > > > Updates have built fine in experimental and dependent > > > > > packages are building successfully against them. > > > > > > > > > > Anton Gladky will upload the sundials update. 
> > > > > > > > Please go ahead > > > > > > > > Cheers > > > > > > > -- > > Sebastian Ramacher > > > > -- > Sebastian Ramacher
Bug#1025056: transition: numerical library transition: hypre / petsc / slepc / sundials
Dyssol has just been (today!) released. I will upload it ASAP. Regards Anton On Mon, 19 Dec 2022 at 18:14, Drew Parsons wrote: > > The hypre/petsc part of this transition is complete. > > The sundials part is waiting for dyssol to be patched. Anton is > preparing this. > > Drew > > > On 2022-11-29 23:34, Sebastian Ramacher wrote: > > Control: tags -1 confirmed > > > > Hi Drew > > > > On 2022-11-29 12:16:55 +0100, Drew Parsons wrote: > >> Package: release.debian.org > >> Severity: normal > >> User: release.debian@packages.debian.org > >> Usertags: transition > >> X-Debbugs-Cc: Anton Gladky > >> > >> We'd like to update the numerical library stack in time for the new > >> stable release. > >> > >> Affected libraries are > >> > >> hypre2.25.0 -> 2.26.0 > >> petsc/slepc3.17 -> 3.18 > >> sundials 5.8.0 -> 6.4.1 > >> > >> Autotransitions are already generated: > >> https://release.debian.org/transitions/html/auto-hypre.html > >> https://release.debian.org/transitions/html/auto-petsc.html > >> https://release.debian.org/transitions/html/auto-slepc.html > >> https://release.debian.org/transitions/html/auto-sundials.html > >> > >> Most of the dependent packages are under our control > >> (Debian Science Team), octave is the main one outside our team. > >> > >> Updates have built fine in experimental and dependent > >> packages are building successfully against them. > >> > >> Anton Gladky will upload the sundials update. > > > > Please go ahead > > > > Cheers
Bug#1023419: transition: freeglut
Uploaded, thanks! Anton
Bug#1023419: transition: freeglut
Hi Sebastian, you are right. I have uploaded a new package into experimental, which introduces freeglut3-dev as a transitional package. I will rebuild and report about results. Regards Anton On Thu, 3 Nov 2022 at 22:51, Sebastian Ramacher wrote: > > Control: tags -1 moreinfo > Control: forwarded -1 > https://release.debian.org/transitions/html/auto-freeglut.html > > On 2022-11-03 20:12:03 +0100, Anton Gladky wrote: > > Package: release.debian.org > > Severity: normal > > User: release.debian@packages.debian.org > > Usertags: transition > > > > > > New version of freeglut library and binary renaming. > > Reverse depends were rebuilt against new lib. > > > > > > Ben file: > > > > title = "freeglut"; > > is_affected = .depends ~ "freeglut3|freeglut3-dev" | .depends ~ > > "libglut-dev|libglut3.12"; > > is_good = .depends ~ "libglut-dev|libglut3.12"; > > is_bad = .depends ~ "freeglut3|freeglut3-dev"; > > What's the deal with the renamed -dev package? Do we need sourceful > uploads for all the reverse dependencies? What's the upgrade path for > users? Or in other words: why is there no transitional freeglut3-dev > package? > > Cheers > -- > Sebastian Ramacher
Bug#1023419: transition: freeglut
Hi Sebastian, rename was done to match the real shared object name to the package name: /usr/lib/x86_64-linux-gnu/libglut.so.3.11.0 will go to libglut3.11. At the moment source uploads are not necessary as libglut-dev provides freeglut3-dev. But after the transition yes, the batch of NMUs is planned. > why is there no transitional freeglut3-dev I thought it was enough that libglut-dev "provides" the freeglut3-dev. If not - I will add it. Thanks Regards Anton On Thu, 3 Nov 2022 at 22:51, Sebastian Ramacher wrote: > > Control: tags -1 moreinfo > Control: forwarded -1 > https://release.debian.org/transitions/html/auto-freeglut.html > > On 2022-11-03 20:12:03 +0100, Anton Gladky wrote: > > Package: release.debian.org > > Severity: normal > > User: release.debian@packages.debian.org > > Usertags: transition > > > > > > New version of freeglut library and binary renaming. > > Reverse depends were rebuilt against new lib. > > > > > > Ben file: > > > > title = "freeglut"; > > is_affected = .depends ~ "freeglut3|freeglut3-dev" | .depends ~ > > "libglut-dev|libglut3.12"; > > is_good = .depends ~ "libglut-dev|libglut3.12"; > > is_bad = .depends ~ "freeglut3|freeglut3-dev"; > > What's the deal with the renamed -dev package? Do we need sourceful > uploads for all the reverse dependencies? What's the upgrade path for > users? Or in other words: why is there no transitional freeglut3-dev > package? > > Cheers > -- > Sebastian Ramacher
Bug#1023419: transition: freeglut
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition New version of freeglut library and binary renaming. Reverse depends were rebuilt against new lib. Ben file: title = "freeglut"; is_affected = .depends ~ "freeglut3|freeglut3-dev" | .depends ~ "libglut-dev|libglut3.12"; is_good = .depends ~ "libglut-dev|libglut3.12"; is_bad = .depends ~ "freeglut3|freeglut3-dev"; Thanks Anton
Re: debian-archive-keyring, update for stretch, problem
Hi Adam, thanks for your reply! I have found the reason. I generated the signature using Debian/Testing (Bookworm), but the signature should be generated in the same environment, where it will be used (in this case Stretch). I regenerated signatures under stretch and everything works fine. Best regards Anton On Sat, 12 March 2022 at 22:24, Adam D. Barratt wrote: > > Hi, > > FWIW, I haven't touched d-a-k for a few years now, nor have I seen your > package, so I'm largely guessing based on your provided text below. > > On Sat, 2022-03-12 at 21:52 +0100, Anton Gladky wrote: > > I followed the README.maintainer. Added my key into team/members. > > But then, when I just refresh the signature: > > > > make clean > > make keyrings/debian-archive-keyring.gpg > > gpg --armor --detach-sign keyrings/debian-archive-keyring.gpg > > > > The package does not build and fails with the following message: > > > > === > > gpg --no-options --no-default-keyring --no-auto-check-trustdb > > --trustdb-name ./trustdb.gpg \ > > --keyring keyrings/team-members.gpg --verify \ > > keyrings/debian-archive-removed-keys.gpg.asc \ > > keyrings/debian-archive-removed-keys.gpg > > gpg: Signature made Sat Mar 12 20:41:08 2022 UTC > > gpg:using RSA key > > BBBD45EA818AB86FF67E7285D3E17383CFA7FF06 > > gpg: BAD signature from "Anton Gladky " [unknown] > > > > === > > > > Could you please give advice, why the lately refreshed and signed > > debian-archive-removed-keys.gpg has a bad signature? > > My suspicion would be that you signed the keyring before running the > build - although you only mention signing debian-archive-keyring.gpg - > but had somehow not built it correctly so, after it got rebuilt by the > makefile, your previous signature file no longer matched. (The point of > using jetring is that the result should match.) > > How did you manipulate debian-archive-removed-keys.gpg? Do its contents > align with removed-keys/index, and the signature on that? 
> > Not that it helps you directly, but I don't remember having seen such > an error when I was building the package. > > Regards, > > Adam >
debian-archive-keyring, update for stretch, problem
Dear all, it is basically the followup of this discussion [1]. I followed the README.maintainer. Added my key into team/members. But then, when I just refresh the signature: make clean make keyrings/debian-archive-keyring.gpg gpg --armor --detach-sign keyrings/debian-archive-keyring.gpg The package does not build and fails with the following message: === gpg --no-options --no-default-keyring --no-auto-check-trustdb --trustdb-name ./trustdb.gpg \ --keyring keyrings/team-members.gpg --verify \ keyrings/debian-archive-removed-keys.gpg.asc \ keyrings/debian-archive-removed-keys.gpg gpg: Signature made Sat Mar 12 20:41:08 2022 UTC gpg:using RSA key BBBD45EA818AB86FF67E7285D3E17383CFA7FF06 gpg: BAD signature from "Anton Gladky " [unknown] === Could you please give advice, why the lately refreshed and signed debian-archive-removed-keys.gpg has a bad signature? Should I do some other steps as listed in readme? [1] https://lists.debian.org/debian-release/2021/10/msg00395.html Thanks Anton
Re: Update of debian-archive-keyring in stretch?
I have followed the steps described in README.maintainer, added my key to the team for stretch and imported keys. It looks like everything works. Testing it. Regards Anton On Fri, 11 March 2022 at 14:28, Utkarsh Gupta wrote: > > Hi Jonathan, > > On Mon, Oct 11, 2021 at 6:24 AM Utkarsh Gupta wrote: > > On Tue, Oct 5, 2021 at 1:26 PM Jonathan Wiltshire wrote: > > > You will need (but may not want) the commit removing jessie's keys as > > > well. > > > Basically all intermediate commits which touch keyrings - a removal is > > > really a move from the main keyring to the archive keyring, so it will > > > change the makeup of the keyring and fail the validation. > > > > > > If you actually need the jessie keys kept, as I suspect you do, I can > > > prepare a stretch branch with new signatures on it in a few days. > > > > That'd be really helpful, yes. Though I am still unsure what am I missing. > > When you prep a branch for stretch, please let me know and as I said, > > that'd be really helpful. Thank you so much! > > Friendly ping on this. Any status update on this, please? :) > Do you think you can take a look at this sooner? Let me/us know. > > > > I intend to simplify the whole thing significantly in bookworm; this whole > > > jetring and gpg validation thing makes for a lot of maintenance pain. > > > > Perfect, that'll indeed help a lot. :) > > > - u >
Bug#1002627: transition: alglib
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition Dear release team, please provide a slot for the transition of alglib. All reverse-dependencies are checked and no FTBFS are detected. So the transition should be short and easy. Thanks, Anton Ben file: title = "alglib"; is_affected = .depends ~ "libalglib3.17" | .depends ~ "libalglib3.18"; is_good = .depends ~ "libalglib3.18"; is_bad = .depends ~ "libalglib3.17";
Bug#1002619: bullseye-pu: package gnuplot/gnuplot_5.4.1+dfsg1-1+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu Dear release team, [ Reason ] gnuplot_5.4.1+dfsg1-1+deb11u1 is fixing security issue CVE-2021-44917. Please include it into the bullseye. [ Impact ] Security issue [ Tests ] Done on CI and locally. [ Risks ] No risks awaited [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] Patch imported from upstream. Thanks Anton diff -Nru gnuplot-5.4.1+dfsg1/debian/changelog gnuplot-5.4.1+dfsg1/debian/changelog --- gnuplot-5.4.1+dfsg1/debian/changelog2020-12-03 22:27:21.0 +0100 +++ gnuplot-5.4.1+dfsg1/debian/changelog2021-12-25 19:15:06.0 +0100 
@@ -1,3 +1,9 @@ +gnuplot (5.4.1+dfsg1-1+deb11u1) bullseye; urgency=medium + + * Fix divide by zero vulnerability. CVE-2021-44917. (Closes: #1002539) + + -- Anton Gladky Sat, 25 Dec 2021 19:15:06 +0100 + gnuplot (5.4.1+dfsg1-1) unstable; urgency=medium * [945257b] New upstream version 5.4.1+dfsg1 diff -Nru gnuplot-5.4.1+dfsg1/debian/.gitlab-ci.yml gnuplot-5.4.1+dfsg1/debian/.gitlab-ci.yml --- gnuplot-5.4.1+dfsg1/debian/.gitlab-ci.yml 2020-09-24 23:46:23.0 +0200 +++ gnuplot-5.4.1+dfsg1/debian/.gitlab-ci.yml 2021-12-25 19:15:06.0 +0100 @@ -1,3 +1,4 @@ include: - - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml +variables: + RELEASE: 'bullseye' diff -Nru gnuplot-5.4.1+dfsg1/debian/patches/CVE-2021-44917.patch gnuplot-5.4.1+dfsg1/debian/patches/CVE-2021-44917.patch --- gnuplot-5.4.1+dfsg1/debian/patches/CVE-2021-44917.patch 1970-01-01 01:00:00.0 +0100 +++ gnuplot-5.4.1+dfsg1/debian/patches/CVE-2021-44917.patch 2021-12-25 19:15:06.0 +0100 
@@ -0,0 +1,114 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + gnuplot (5.4.2+dfsg2-1) unstable; urgency=medium + . + * [4370a18] Update d/watch + * [7d7c5c0] New upstream version 5.4.2+dfsg1.orig + * [97d5d83] Refresh patches + * [9d8bbae] Update gitlab.ci + * [e168129] Use secure URI in debian/watch. + * [08324bf] Bump debhelper from old 12 to 13. + * [3a47530] Update standards version to 4.5.1, no changes needed. + * [ba4a50d] Avoid explicitly specifying -Wl,--as-needed linker flag. + * [9ce752b] Set Standards-Version: 4.6.0 + * [917e564] Use execute-syntax for some commands in d/rules +Author: Anton Gladky + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: https://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: 2021-12-25 + +Index: gnuplot-5.4.1+dfsg1/src/set.c +=== +--- gnuplot-5.4.1+dfsg1.orig/src/set.c gnuplot-5.4.1+dfsg1/src/set.c +@@ -5058,18 +5058,6 @@ set_terminal() + fprintf(stderr,"Options are '%s'\n",term_options); + if ((term->flags & TERM_MONOCHROME)) + init_monochrome(); +- +-/* Sanity check: +- * The most common failure mode found by fuzzing is a divide-by-zero +- * caused by initializing the basic unit of the current terminal character +- * size to zero. I keep patching the individual terminals, but a generic +- * sanity check may at least prevent a crash due to mistyping. +-
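Review bot: the debian/.gitlab-ci.yml hunk is not mentioned in the new changelog entry, which lists only the CVE-2021-44917 fix, although the checklist in the request states that all changes are documented in d/changelog. Either add a changelog line for the switch to recipes/debian.yml with RELEASE: 'bullseye', or leave the CI change out of the stable upload. The include also follows the master branch of the pipeline repository rather than a fixed revision, so the CI definition can change without any change in this package.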
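Review bot: the header of debian/patches/CVE-2021-44917.patch is still the unedited template. The Description is the "TODO: Put a short summary on the line above" placeholder followed by a changelog excerpt for 5.4.2+dfsg2-1 in unstable, which says nothing about this fix, and Origin, Bug, Bug-Debian and Forwarded are empty even though the request says the patch was imported from upstream. Replace the Description with a one-line summary of the divide-by-zero fix, fill in Origin with the upstream source of the patch, and set Bug-Debian to the bug the changelog closes (#1002539). The embedded hunk against src/set.c opens by deleting the generic "Sanity check" block from set_terminal(), so the description should also say where that check ends up; a reader of a divide-by-zero fix will not expect to see a sanity check removed.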
Bug#1000477: bullseye-pu: package gmp/2:6.2.1+dfsg-1+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu Dear release team, I have prepared a fix for bullseye, fixing CVE-2021-43618. The fix was also successfully fixed in unstable and testing. Gitlab-CI is employed for the package testing. Diff is attached. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable Thanks Anton diff -Nru gmp-6.2.1+dfsg/debian/changelog gmp-6.2.1+dfsg/debian/changelog --- gmp-6.2.1+dfsg/debian/changelog 2020-11-15 19:04:37.0 +0100 +++ gmp-6.2.1+dfsg/debian/changelog 2021-11-23 21:37:19.0 +0100 @@ -1,3 +1,10 @@ +gmp (2:6.2.1+dfsg-1+deb11u1) bullseye; urgency=medium + + * [ba91bc2] Add .gitlab-ci.yml + * [a848ad6] Avoid bit size overflows. CVE-2021-43618 + + -- Anton Gladky Tue, 23 Nov 2021 21:37:19 +0100 + gmp (2:6.2.1+dfsg-1) unstable; urgency=medium [ Steve Robbins ] diff -Nru gmp-6.2.1+dfsg/debian/.gitlab-ci.yml gmp-6.2.1+dfsg/debian/.gitlab-ci.yml --- gmp-6.2.1+dfsg/debian/.gitlab-ci.yml1970-01-01 01:00:00.0 +0100 +++ gmp-6.2.1+dfsg/debian/.gitlab-ci.yml2021-11-23 21:31:26.0 +0100 @@ -0,0 +1,6 @@ +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml +variables: + RELEASE: 'bullseye' + SALSA_CI_DISABLE_REPROTEST: 1 + SALSA_CI_DISABLE_BLHC: 1 diff -Nru gmp-6.2.1+dfsg/debian/patches/CVE-2021-43618.patch gmp-6.2.1+dfsg/debian/patches/CVE-2021-43618.patch --- gmp-6.2.1+dfsg/debian/patches/CVE-2021-43618.patch 1970-01-01 01:00:00.0 +0100 +++ gmp-6.2.1+dfsg/debian/patches/CVE-2021-43618.patch 2021-11-23 21:36:27.0 +0100 
@@ -0,0 +1,25 @@ +# Origin: https://gmplib.org/repo/gmp-6.2/rev/561a9c25298e +# HG changeset patch +# User Marco Bodrato +# Date 1634836009 -7200 +# Node ID 561a9c25298e17bb01896801ff353546c6923dbd +# Parent e1fd9db13b475209a864577237ea4b9105b3e96e +mpz/inp_raw.c: Avoid bit size overflows + +Index: gmp/mpz/inp_raw.c +=== +--- gmp.orig/mpz/inp_raw.c gmp/mpz/inp_raw.c +@@ -88,8 +88,11 @@ mpz_inp_raw (mpz_ptr x, FILE *fp) + + abs_csize = ABS (csize); + ++ if (UNLIKELY (abs_csize > ~(mp_bitcnt_t) 0 / 8)) ++return 0; /* Bit size overflows */ ++ + /* round up to a multiple of limbs */ +- abs_xsize = BITS_TO_LIMBS (abs_csize*8); ++ abs_xsize = BITS_TO_LIMBS ((mp_bitcnt_t) abs_csize * 8); + + if (abs_xsize != 0) + { diff -Nru gmp-6.2.1+dfsg/debian/patches/series gmp-6.2.1+dfsg/debian/patches/series --- gmp-6.2.1+dfsg/debian/patches/series1970-01-01 01:00:00.0 +0100 +++ gmp-6.2.1+dfsg/debian/patches/series2021-11-15 22:20:32.0 +0100 @@ -0,0 +1 @@ +CVE-2021-43618.patch
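Review bot: the new debian/.gitlab-ci.yml sets "SALSA_CI_DISABLE_REPROTEST: 1" and "SALSA_CI_DISABLE_BLHC: 1" with no comment, so the pipeline that the request cites as its test evidence skips both the reproducibility job and the build-log hardening check for a security upload. Drop the two variables, or add a comment next to each saying why the job cannot pass on bullseye. The CVE-2021-43618.patch header would also benefit from a Bug-Debian field if a Debian bug exists for the CVE; none is referenced in the changelog entry or the patch.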
Bug#1000473: buster-pu: package gmp/gmp_6.1.2+dfsg-4+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Dear release team, I have prepared a fix for buster, fixing CVE-2021-43618. The fix was also successfully fixed in unstable and testing. Gitlab-CI is employed for the package testing. Diff is applied. Thanks [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable Thanks Anton diff -Nru gmp-6.1.2+dfsg/debian/changelog gmp-6.1.2+dfsg/debian/changelog --- gmp-6.1.2+dfsg/debian/changelog 2018-12-02 07:39:34.0 +0100 +++ gmp-6.1.2+dfsg/debian/changelog 2021-11-23 21:09:08.0 +0100 @@ -1,3 +1,10 @@ +gmp (2:6.1.2+dfsg-4+deb10u1) buster; urgency=medium + + * [1f4ce6d] Add .gitlab-ci.yml + * [df6d314] Avoid bit size overflows. CVE-2021-43618 + + -- Anton Gladky Tue, 23 Nov 2021 21:09:08 +0100 + gmp (2:6.1.2+dfsg-4) unstable; urgency=medium * Team Upload. diff -Nru gmp-6.1.2+dfsg/debian/.gitlab-ci.yml gmp-6.1.2+dfsg/debian/.gitlab-ci.yml --- gmp-6.1.2+dfsg/debian/.gitlab-ci.yml1970-01-01 01:00:00.0 +0100 +++ gmp-6.1.2+dfsg/debian/.gitlab-ci.yml2021-11-23 21:04:00.0 +0100 @@ -0,0 +1,6 @@ +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml +variables: + RELEASE: 'buster' + SALSA_CI_DISABLE_REPROTEST: 1 + SALSA_CI_DISABLE_BLHC: 1 diff -Nru gmp-6.1.2+dfsg/debian/patches/CVE-2021-43618.patch gmp-6.1.2+dfsg/debian/patches/CVE-2021-43618.patch --- gmp-6.1.2+dfsg/debian/patches/CVE-2021-43618.patch 1970-01-01 01:00:00.0 +0100 +++ gmp-6.1.2+dfsg/debian/patches/CVE-2021-43618.patch 2021-11-23 21:06:22.0 +0100 
@@ -0,0 +1,25 @@ +# Origin: https://gmplib.org/repo/gmp-6.2/rev/561a9c25298e +# HG changeset patch +# User Marco Bodrato +# Date 1634836009 -7200 +# Node ID 561a9c25298e17bb01896801ff353546c6923dbd +# Parent e1fd9db13b475209a864577237ea4b9105b3e96e +mpz/inp_raw.c: Avoid bit size overflows + +Index: gmp/mpz/inp_raw.c +=== +--- gmp.orig/mpz/inp_raw.c gmp/mpz/inp_raw.c +@@ -89,8 +89,11 @@ mpz_inp_raw (mpz_ptr x, FILE *fp) + + abs_csize = ABS (csize); + ++ if (UNLIKELY (abs_csize > ~(mp_bitcnt_t) 0 / 8)) ++return 0; /* Bit size overflows */ ++ + /* round up to a multiple of limbs */ +- abs_xsize = BITS_TO_LIMBS (abs_csize*8); ++ abs_xsize = BITS_TO_LIMBS ((mp_bitcnt_t) abs_csize * 8); + + if (abs_xsize != 0) + { diff -Nru gmp-6.1.2+dfsg/debian/patches/series gmp-6.1.2+dfsg/debian/patches/series --- gmp-6.1.2+dfsg/debian/patches/series2018-12-02 07:39:27.0 +0100 +++ gmp-6.1.2+dfsg/debian/patches/series2021-11-23 21:06:09.0 +0100 @@ -1 +1,2 @@ gmp-exception-sigfpe.patch +CVE-2021-43618.patch
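Review bot: the header of CVE-2021-43618.patch is the raw hg export with "# Origin: https://gmplib.org/repo/gmp-6.2/rev/561a9c25298e" prepended as a comment, so the one field that says where the change comes from is not in DEP-3 form. The changeset was made in the gmp-6.2 repository and is applied here to gmp 6.1.2, so write it as an uncommented "Origin:" line with the "upstream" or "backport" keyword in front of the URL, whichever applies, and state in the Description that the guard "abs_csize > ~(mp_bitcnt_t) 0 / 8" was checked against the 6.1.2 version of mpz/inp_raw.c.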
Bug#996204: Bug#998411: Bug#996204: transition: numerical library stack: hypre SONAME (Policy 8.1)
I have fixed gmsh. It will appear in NEW soon. Regards Anton
Bug#996204: transition: numerical library stack
sundials_5.8.0 is in unstable already. Cheers Anton
Bug#996204: transition: numerical library stack
OK, I will upload it into unstable very soon. What about #997664? The package should go to NEW actually. Or leave it as it is for the moment? Anton On Mon, 25 Oct 2021 at 21:15, Drew Parsons wrote: > > The sundials 5.8.0 test build in experimental looks successful. > Probably not worth waiting for the mipsel build, it's been slow to > build, especially for experimental. > > Drew > > > > On 2021-10-22 17:40, Anton Gladky wrote: > > Great, thanks! Will do it very shortly. > > > > Anton > > > > Sebastian Ramacher wrote on Fri, 22 Oct > > 2021, 14:35: > ... > >> > >> I think we are ready for the sundials upload. > >>
Bug#996204: transition: numerical library stack
Great, thanks! Will do it very shortly. Anton Sebastian Ramacher wrote on Fri, 22 Oct 2021, 14:35: > Hi Anton > > On 2021-10-12 13:09:02, Drew Parsons wrote: > > Package: release.debian.org > > Severity: normal > > User: release.debian@packages.debian.org > > Usertags: transition > > X-Debbugs-Cc: debian-scie...@lists.debian.org, Anton Gladky < > gl...@debian.org> > > > > I'd like to proceed with a transition of the numerical library stack. > > This involves > > > > superlu 5.2.2+dfsg1 -> 5.3.0+dfsg1 (both libsuperlu5 so not > really a transition) > > superlu-dist libsuperlu-dist6 -> libsuperlu-dist7 > > hypre 2.18.2 -> 2.22.1 (internal within libhypre-dev) > > mumps libmumps-5.3 -> libmumps-5.4 > > scotch6.1.0 -> 6.1.1 (both libscotch-6.1 so not a transition) > > petsc libpetsc-.*3.14 -> libpetsc-.*3.15 > > slepc libslepc-.*3.14 -> libslepc-.*3.15 > > (together with petsc4py, slepc4py) > > > > Header packages libxtensor-dev, libxtensor-blas-dev will also be > > upgraded (xtl-dev 0.7.2 already got uploaded to unstable). > > > > fenics-dolfinx will upgrade > > libdolfinx-.*2019.2 -> libdolfinx-.*0.3 > > (along with other fenics components). There is currently some problem > > with fenics-dolfinx 1:0.3.0-4 on 32-bit arches i386, armel, armhf. > > I'll skip the demo_poisson_mpi tests for them if necessary. > > > > sundials 5.7.0 is incompatible with hypre 2.22, Anton Gladky (cc:d) will > > upgrade to sundials 5.8.0. > > I think we are ready for the sundials upload. 
> > Cheers > > > > > openmpi/mpi4py/h5py have recently migrated to testing so shouldn't give > > any particular trouble (apart from the known 32-bit dolfinx problem) > > > > auto transitions are already in place: > > > > https://release.debian.org/transitions/html/auto-superlu-dist.html > > https://release.debian.org/transitions/html/auto-mumps.html > > https://release.debian.org/transitions/html/auto-petsc.html > > https://release.debian.org/transitions/html/auto-slepc.html > > > > > > Ben file: > > > > title = "numerical library stack"; > > is_affected = .depends ~ "libpetsc-.*3.14" | .depends ~ > "libpetsc-.*3.15"; > > is_good = .depends ~ "libpetsc-.*3.15"; > > is_bad = .depends ~ "libpetsc-.*3.14"; > > > > -- > Sebastian Ramacher >
Bug#996695: buster-pu: package plib/plib_1.8.5-8+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Anton Gladky Attachments 15:17 (1 minute ago) to Debian; Bcc: gladk Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu Dear release team, the plib versioned 1.8.5-8+deb10u1 is prepared for the bullseye next stable release. [ Reason ] This upload fixes a security issue CVE-2021-38714. [ Impact ] It should not have any impact on end users. [ Tests ] Salsa-ci is employed to check main package characteristics https://salsa.debian.org/debian/plib/-/pipelines/303704 [ Risks ] No risks are known. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] See attached diff. Sanitized values check is implemented. Best regards Anton diff -Nru plib-1.8.5/debian/changelog plib-1.8.5/debian/changelog --- plib-1.8.5/debian/changelog 2017-07-24 21:24:48.0 +0200 +++ plib-1.8.5/debian/changelog 2021-10-17 14:56:13.0 +0200 @@ -1,3 +1,10 @@ +plib (1.8.5-8+deb10u1) buster; urgency=medium + + * Prevent integer overflow in ssgLoadTGA() function. CVE-2021-38714 +(Closes: #992973) + + -- Anton Gladky Sun, 17 Oct 2021 14:56:13 +0200 + plib (1.8.5-8) unstable; urgency=medium * QA upload. diff -Nru plib-1.8.5/debian/.gitlab-ci.yml plib-1.8.5/debian/.gitlab-ci.yml --- plib-1.8.5/debian/.gitlab-ci.yml1970-01-01 01:00:00.0 +0100 +++ plib-1.8.5/debian/.gitlab-ci.yml2021-10-17 14:56:13.0 +0200 
@@ -0,0 +1,7 @@ +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml + +variables: + RELEASE: 'buster' + SALSA_CI_COMPONENTS: 'main contrib non-free' + SALSA_CI_DISABLE_REPROTEST: 1 diff -Nru plib-1.8.5/debian/patches/08_CVE-2021-38714.patch plib-1.8.5/debian/patches/08_CVE-2021-38714.patch --- plib-1.8.5/debian/patches/08_CVE-2021-38714.patch 1970-01-01 01:00:00.0 +0100 +++ plib-1.8.5/debian/patches/08_CVE-2021-38714.patch 2021-10-10 15:14:22.0 +0200 
@@ -0,0 +1,64 @@ +Description: Prevent integer overflow in ssgLoadTGA() function. CVE-2021-38714 +Author: Anton Gladky +Bug-Debian: https://bugs.debian.org/992973 +Last-Update: 2021-10-02 + +Index: plib/src/ssg/ssgLoadTGA.cxx +=== +--- plib.orig/src/ssg/ssgLoadTGA.cxx plib/src/ssg/ssgLoadTGA.cxx +@@ -23,6 +23,7 @@ + + + #include "ssgLocal.h" ++#include + + #ifdef SSG_LOAD_TGA_SUPPORTED + +@@ -103,9 +104,9 @@ bool ssgLoadTGA ( const char *fname, ssg + + // image info + int type = header[2]; +-int xsize = get16u(header + 12); +-int ysize = get16u(header + 14); +-int bits = header[16]; ++unsigned int xsize = get16u(header + 12); ++unsigned int ysize = get16u(header + 14); ++unsigned int bits = header[16]; + + /* image types: + * +@@ -169,9 +170,32 @@ bool ssgLoadTGA ( const char *fname, ssg + } + + ++const auto bytes_to_allocate = (bits / 8) * xsize * ysize; ++ ++ulSetError( UL_DEBUG, "bytes_to_allocate=%ld xsize = %ld, ysize = %ld, %ld == %ld ", bytes_to_allocate, xsize, ysize, bytes_to_allocate / xsize, (ysize * (bits / 8))); ++ ++if (xsize != 0 && ((ysize * (bits / 8)) != bytes_to_allocate / xsize)) ++{ ++ ulSetError( UL_WARNING, "Integer overflow in image size: xsize = %d, ysize = %d", xsize, ysize); ++ return false; ++} ++else ++{ ++ulSetError( UL_DEBUG, "ssgLoadTGA: Allocating %ld bytes for the size %d x %d", bytes_to_allocate, xsize, ysize ); ++} ++ + // read image data + +-GLubyte *image = new GLubyte [ (bits / 8) * xsize * ysize ]; ++GLubyte *image; ++try ++{ ++image = new GLubyte [ bytes_to_allocate ]; ++} ++catch (const std::bad_alloc&) ++{ ++ulSetError( UL_WARNING, "ssgLoadTGA: Allocation of %d bytes failed!", bytes_to_allocate); ++ return false; ++} + + if ((type & 8) != 0) + { diff -Nru plib-1.8.5/debian/patches/series plib-1.8.5/debian/patches/series --- plib-1.8.5/debian/patches/series2017-07-24 20:11:17.0 +0200 +++ plib-1.8.5/debian/patches/series2021-10-02 13:24:19.0 +0200 
@@ -6,3 +6,4 @@ 06_spelling_errors.diff 05_CVE-2012-4552.diff 07_dont_break_joystick_system_calibration.diff +08_CVE-2021-38714.patch
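Review bot: in the third hunk of 08_CVE-2021-38714.patch (ssgLoadTGA.cxx, @@ -169,9 +170,32 @@) the UL_DEBUG call passes "bytes_to_allocate / xsize" as an argument before the "xsize != 0" test on the following statement, so a TGA header with a width of 0 triggers an integer division by zero while the arguments are evaluated, regardless of the debug level. Move that debug message below the check, or drop the quotient from it, so the new validation cannot itself crash the loader on a crafted file. An explicit early rejection of xsize == 0, ysize == 0 or bits < 8 would also keep a zero-length allocation from reaching the read loop.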
Bug#996694: bullseye-pu: package plib/1.8.5-8+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu Dear release team, the plib versioned 1.8.5-8+deb10u1 is prepared for the bullseye next stable release. [ Reason ] This upload fixes a security issue CVE-2021-38714. [ Impact ] It should not have any impact on end users. [ Tests ] Salsa-ci is employed to check main package characteristics https://salsa.debian.org/debian/plib/-/pipelines/303701 [ Risks ] No risks are known. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] See attached diff. Sanitized values check is implemented. Best regards Anton diff -Nru plib-1.8.5/debian/changelog plib-1.8.5/debian/changelog --- plib-1.8.5/debian/changelog 2017-07-24 21:24:48.0 +0200 +++ plib-1.8.5/debian/changelog 2021-10-17 14:56:13.0 +0200 @@ -1,3 +1,10 @@ +plib (1.8.5-8+deb11u1) bullseye; urgency=medium + + * Prevent integer overflow in ssgLoadTGA() function. CVE-2021-38714 +(Closes: #992973) + + -- Anton Gladky Sun, 17 Oct 2021 14:56:13 +0200 + plib (1.8.5-8) unstable; urgency=medium * QA upload. diff -Nru plib-1.8.5/debian/.gitlab-ci.yml plib-1.8.5/debian/.gitlab-ci.yml --- plib-1.8.5/debian/.gitlab-ci.yml1970-01-01 01:00:00.0 +0100 +++ plib-1.8.5/debian/.gitlab-ci.yml2021-10-17 14:56:13.0 +0200 @@ -0,0 +1,7 @@ +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml + +variables: + RELEASE: 'bullseye' + SALSA_CI_COMPONENTS: 'main contrib non-free' + SALSA_CI_DISABLE_REPROTEST: 1 diff -Nru plib-1.8.5/debian/patches/08_CVE-2021-38714.patch plib-1.8.5/debian/patches/08_CVE-2021-38714.patch --- plib-1.8.5/debian/patches/08_CVE-2021-38714.patch 1970-01-01 01:00:00.0 +0100 +++ plib-1.8.5/debian/patches/08_CVE-2021-38714.patch 2021-10-10 15:14:22.0 +0200 
@@ -0,0 +1,64 @@ +Description: Prevent integer overflow in ssgLoadTGA() function. CVE-2021-38714 +Author: Anton Gladky +Bug-Debian: https://bugs.debian.org/992973 +Last-Update: 2021-10-02 + +Index: plib/src/ssg/ssgLoadTGA.cxx +=== +--- plib.orig/src/ssg/ssgLoadTGA.cxx plib/src/ssg/ssgLoadTGA.cxx +@@ -23,6 +23,7 @@ + + + #include "ssgLocal.h" ++#include + + #ifdef SSG_LOAD_TGA_SUPPORTED + +@@ -103,9 +104,9 @@ bool ssgLoadTGA ( const char *fname, ssg + + // image info + int type = header[2]; +-int xsize = get16u(header + 12); +-int ysize = get16u(header + 14); +-int bits = header[16]; ++unsigned int xsize = get16u(header + 12); ++unsigned int ysize = get16u(header + 14); ++unsigned int bits = header[16]; + + /* image types: + * +@@ -169,9 +170,32 @@ bool ssgLoadTGA ( const char *fname, ssg + } + + ++const auto bytes_to_allocate = (bits / 8) * xsize * ysize; ++ ++ulSetError( UL_DEBUG, "bytes_to_allocate=%ld xsize = %ld, ysize = %ld, %ld == %ld ", bytes_to_allocate, xsize, ysize, bytes_to_allocate / xsize, (ysize * (bits / 8))); ++ ++if (xsize != 0 && ((ysize * (bits / 8)) != bytes_to_allocate / xsize)) ++{ ++ ulSetError( UL_WARNING, "Integer overflow in image size: xsize = %d, ysize = %d", xsize, ysize); ++ return false; ++} ++else ++{ ++ulSetError( UL_DEBUG, "ssgLoadTGA: Allocating %ld bytes for the size %d x %d", bytes_to_allocate, xsize, ysize ); ++} ++ + // read image data + +-GLubyte *image = new GLubyte [ (bits / 8) * xsize * ysize ]; ++GLubyte *image; ++try ++{ ++image = new GLubyte [ bytes_to_allocate ]; ++} ++catch (const std::bad_alloc&) ++{ ++ulSetError( UL_WARNING, "ssgLoadTGA: Allocation of %d bytes failed!", bytes_to_allocate); ++ return false; ++} + + if ((type & 8) != 0) + { diff -Nru plib-1.8.5/debian/patches/series plib-1.8.5/debian/patches/series --- plib-1.8.5/debian/patches/series2017-07-24 20:11:17.0 +0200 +++ plib-1.8.5/debian/patches/series2021-10-02 13:24:19.0 +0200 
@@ -6,3 +6,4 @@ 06_spelling_errors.diff 05_CVE-2012-4552.diff 07_dont_break_joystick_system_calibration.diff +08_CVE-2021-38714.patch
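Review bot: the ulSetError calls added in the third hunk of 08_CVE-2021-38714.patch print unsigned int values (bytes_to_allocate, xsize, ysize) with "%ld" and "%d". Assuming ulSetError hands its arguments to a printf-style formatter, as the format strings suggest, "%ld" reads a long where an unsigned int was passed, which is a different width on 64-bit Linux, so the logged sizes are unreliable and the call is undefined behaviour; use "%u" for all of them. Since bits / 8 is at most 31 and the two get16u() values are at most 65535, computing the product in a 64-bit type and comparing it with an upper bound would make the size check simpler to read than the divide-back test.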
Bug#990898: unblock: httraqt/1.4.9-5
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Dear release team, please unblock package httraqt. Upload 1.4.9-5 fixes release critical bug #990895, which was recently detected. Diff is attached. unblock httraqt/1.4.9-5 Thanks Anton diff --git a/debian/changelog b/debian/changelog index c7da9ab..bf983b0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +httraqt (1.4.9-5) unstable; urgency=medium + + * Install doc-files in /usr/share/httraqt. (Closes: #990895) + + -- Anton Gladky Sat, 10 Jul 2021 22:16:58 +0200 + httraqt (1.4.9-4) unstable; urgency=medium * [936829d] Fix section in manpage. (Closes: #963343) diff --git a/debian/httraqt.doc-base b/debian/httraqt.doc-base index d97da4c..4fef6b5 100644 --- a/debian/httraqt.doc-base +++ b/debian/httraqt.doc-base @@ -4,5 +4,5 @@ Author: Xavier Roche & other contributors Section: Network/Web Browsing Format: HTML -Index: /usr/share/doc/httraqt/help/index.html -Files: /usr/share/doc/httraqt/help/*.* +Index: /usr/share/httraqt/help/index.html +Files: /usr/share/httraqt/help/*.* 
diff --git a/debian/rules b/debian/rules index c132f1a..ba78c0d 100755 --- a/debian/rules +++ b/debian/rules @@ -11,8 +11,3 @@ override_dh_installchangelogs: override_dh_auto_configure: dh_auto_configure -- -DBUILD_DATE="$(BUILD_DATE)" - -override_dh_auto_install: - dh_auto_install - mkdir -p $(CURDIR)/debian/httraqt/usr/share/doc - mv $(CURDIR)/debian/httraqt/usr/share/httraqt $(CURDIR)/debian/httraqt/usr/share/doc/httraqt
Bug#988557: Diff
Diff is now attached. Anton diff -Nru sundials-4.1.0+dfsg/debian/changelog sundials-4.1.0+dfsg/debian/changelog --- sundials-4.1.0+dfsg/debian/changelog 2020-12-20 14:20:47.0 +0100 +++ sundials-4.1.0+dfsg/debian/changelog 2021-05-15 16:51:20.0 +0200 @@ -1,3 +1,9 @@ +sundials (4.1.0+dfsg-4) unstable; urgency=medium + + * [5c80d16] Install libsundials_*sunnonlinsol*.so.*. (Closes: #988551) + + -- Anton Gladky Sat, 15 May 2021 16:51:20 +0200 + sundials (4.1.0+dfsg-3) unstable; urgency=medium * Team upload. diff -Nru sundials-4.1.0+dfsg/debian/libsundials-sunlinsol2.install sundials-4.1.0+dfsg/debian/libsundials-sunlinsol2.install --- sundials-4.1.0+dfsg/debian/libsundials-sunlinsol2.install 2020-12-07 20:30:37.0 +0100 +++ sundials-4.1.0+dfsg/debian/libsundials-sunlinsol2.install 2021-05-15 16:50:44.0 +0200 @@ -1 +1,2 @@ usr/lib/*/libsundials_*sunlinsol*.so.* +usr/lib/*/libsundials_*sunnonlinsol*.so.*
Bug#988557: unblock: sundials/4.1.0+dfsg-4
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Dear release team, please unblock package sundials. Version 4.1.0+dfsg-4 fixes RC-Bug #988551. Diff is attached. unblock sundials/4.1.0+dfsg-4 Thanks Anton
Bug#988482: buster-pu: package libgetdata/0.10.0-5+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Dear release team, I have prepared an upload libgetdata_0.10.0-5+deb10u1 which fixes CVE-2021-20204. Security team has marked this CVE as no-dsa and recommended to use a point release to fix this CVE. Diff is attached. Regards Anton diff -Nru libgetdata-0.10.0/debian/changelog libgetdata-0.10.0/debian/changelog --- libgetdata-0.10.0/debian/changelog 2018-07-08 16:05:59.0 +0200 +++ libgetdata-0.10.0/debian/changelog 2021-05-13 23:20:53.0 +0200 @@ -1,3 +1,10 @@ +libgetdata (0.10.0-5+deb10u1) buster; urgency=medium + + * Team upload. + * Fix CVE-2021-20204. + + -- Anton Gladky Thu, 13 May 2021 23:20:53 +0200 + libgetdata (0.10.0-5) unstable; urgency=medium * Rebuild for python3.7 support diff -Nru libgetdata-0.10.0/debian/patches/CVE-2021-20204.patch libgetdata-0.10.0/debian/patches/CVE-2021-20204.patch --- libgetdata-0.10.0/debian/patches/CVE-2021-20204.patch 1970-01-01 01:00:00.0 +0100 +++ libgetdata-0.10.0/debian/patches/CVE-2021-20204.patch 2021-05-13 23:20:53.0 +0200 
@@ -0,0 +1,24 @@ +Description: Raise error if returned first_raw in _GD_ParseFieldSpec is NULL + Fix for CVE-2021-20204 +Author: Anton Gladky +Bug-Debian: https://bugs.debian.org/988239 +Last-Update: 2021-05-09 + +Index: libgetdata/src/parse.c +=== +--- libgetdata.orig/src/parse.c libgetdata/src/parse.c +@@ -2501,9 +2501,12 @@ char *_GD_ParseFragment(FILE *restrict f + match = _GD_ParseDirective(D, p, in_cols, n_cols, me, _name, + , tok_pos); + +-if (D->error == GD_E_OK && !match) ++if (D->error == GD_E_OK && !match) { + first_raw = _GD_ParseFieldSpec(D, p, n_cols, in_cols, strlen(in_cols[0]), + NULL, me, 0, 1, , tok_pos); ++ if (first_raw == NULL) ++_GD_SetError(D, GD_E_BAD_DIRFILE, GD_E_ENTRY_TYPE, NULL, 0, NULL); ++} + + if (D->error == GD_E_FORMAT) { + /* call the callback for this error */ diff -Nru libgetdata-0.10.0/debian/patches/series libgetdata-0.10.0/debian/patches/series --- libgetdata-0.10.0/debian/patches/series 2018-07-08 16:05:59.0 +0200 +++ libgetdata-0.10.0/debian/patches/series 2021-05-13 23:20:13.0 +0200 @@ -1 +1,2 @@ #python3.patch +CVE-2021-20204.patch
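Review bot: the new "if (first_raw == NULL)" branch in _GD_ParseFragment calls _GD_SetError without looking at D->error first, so if _GD_ParseFieldSpec returns NULL after recording its own error, that error is replaced by GD_E_BAD_DIRFILE and the "if (D->error == GD_E_FORMAT)" callback path directly below may no longer be taken for a plain format error. Test "D->error == GD_E_OK && first_raw == NULL" instead, and confirm in the patch description that NULL is never a valid return for a well-formed field specification, since the check otherwise rejects input that parsed correctly.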
Bug#988278: [pre-approval] unblock: libgetdata/0.10.0-10
Sebastian, I have double checked the code, and you are probably right. It is better to put this if-check into the internal scope of "(D->error == GD_E_OK && !match)". Pipeline is passed, so I will upload it into unstable. Thanks again. Anton On Mon, 10 May 2021 at 22:42, Sebastian Ramacher < sramac...@debian.org> wrote: > Control: tags -1 confirmed > > On 2021-05-10 22:35:28, Anton Gladky wrote: > > Control: tags -1 -moreinfo > > > > Hi Sebastian, > > > > Thanks for looking into this issue. Yes, it is intentional. We should > always > > check whether first_raw is NULL or not. > > Then please go ahead. > > Cheers > > > > > I have reproduced the issue in the CI-pipeline [1], and the proposed > patch > > fixes > > the issue [2]: no more segfault, just an error message due to exploit. > > > > [1] https://salsa.debian.org/science-team/libgetdata/-/jobs/1631525 > > [2] https://salsa.debian.org/science-team/libgetdata/-/jobs/1633848 > > > > Anton > > > > > > On Mon, 10 May 2021 at 22:27, Sebastian Ramacher < > > sramac...@debian.org> wrote: > > > > > > > > +--- libgetdata-0.10.0.orig/src/parse.c > > > > libgetdata-0.10.0/src/parse.c > > > > +@@ -2504,6 +2504,9 @@ char *_GD_ParseFragment(FILE *restrict f > > > > + if (D->error == GD_E_OK && !match) > > > > + first_raw = _GD_ParseFieldSpec(D, p, n_cols, in_cols, > > > strlen(in_cols[0]), > > > > + NULL, me, 0, 1, , tok_pos); > > > > ++ if (first_raw == NULL) { > > > > ++_GD_SetError(D, GD_E_BAD_DIRFILE, GD_E_ENTRY_TYPE, NULL, 0, > > > NULL); > > > > ++ } > > > > > > Is it intentional that newly added if is evaluated in any case or is > > > this patch missing curly brackets for the body of "if (D->error = > > > GD_E_OK && !match)"? > > > > > -- > Sebastian Ramacher >
Bug#988278: [pre-approval] unblock: libgetdata/0.10.0-10
Control: tags -1 -moreinfo Hi Sebastian, Thanks for looking into this issue. Yes, it is intentional. We should always check whether first_raw is NULL or not. I have reproduced the issue in the CI-pipeline [1], and the proposed patch fixes the issue [2]: no more segfault, just an error message due to exploit. [1] https://salsa.debian.org/science-team/libgetdata/-/jobs/1631525 [2] https://salsa.debian.org/science-team/libgetdata/-/jobs/1633848 Anton On Mon, 10 May 2021 at 22:27, Sebastian Ramacher < sramac...@debian.org> wrote: > > +--- libgetdata-0.10.0.orig/src/parse.c > > libgetdata-0.10.0/src/parse.c > > +@@ -2504,6 +2504,9 @@ char *_GD_ParseFragment(FILE *restrict f > > + if (D->error == GD_E_OK && !match) > > + first_raw = _GD_ParseFieldSpec(D, p, n_cols, in_cols, > strlen(in_cols[0]), > > + NULL, me, 0, 1, , tok_pos); > > ++ if (first_raw == NULL) { > > ++_GD_SetError(D, GD_E_BAD_DIRFILE, GD_E_ENTRY_TYPE, NULL, 0, > NULL); > > ++ } > > Is it intentional that newly added if is evaluated in any case or is > this patch missing curly brackets for the body of "if (D->error = > GD_E_OK && !match)"? >
Bug#988278: [pre-approval] unblock: libgetdata/0.10.0-10
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Dear release team, this is the pre-approval request for libgetdata/0.10.0-10 It fixes CVE-2021-20204 (#988239). It is not a release critical bug, but security issue. Diff is attached. Thanks unblock libgetdata/0.10.0-10 diff --git a/debian/changelog b/debian/changelog index 2c30a9c..514058c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +libgetdata (0.10.0-10) unstable; urgency=medium + + * Team upload. + * [4ee5ad0] Fix CVE-2021-20204. (Closes: #988239) + + -- Anton Gladky Sun, 09 May 2021 14:27:38 +0200 + libgetdata (0.10.0-9) unstable; urgency=medium * Fix FTBFFS on binary-all build (missing file). Closes: #966522 diff --git a/debian/patches/CVE-2021-20204.patch b/debian/patches/CVE-2021-20204.patch new file mode 100644 index 000..08bb876 --- /dev/null +++ b/debian/patches/CVE-2021-20204.patch 
@@ -0,0 +1,18 @@ +Description: Raise error if returned first_raw in _GD_ParseFieldSpec is NULL + Fix for CVE-2021-20204 +Author: Anton Gladky +Bug-Debian: https://bugs.debian.org/988239 +Last-Update: 2021-05-09 + +--- libgetdata-0.10.0.orig/src/parse.c libgetdata-0.10.0/src/parse.c +@@ -2504,6 +2504,9 @@ char *_GD_ParseFragment(FILE *restrict f + if (D->error == GD_E_OK && !match) + first_raw = _GD_ParseFieldSpec(D, p, n_cols, in_cols, strlen(in_cols[0]), + NULL, me, 0, 1, , tok_pos); ++ if (first_raw == NULL) { ++_GD_SetError(D, GD_E_BAD_DIRFILE, GD_E_ENTRY_TYPE, NULL, 0, NULL); ++ } + + if (D->error == GD_E_FORMAT) { + /* call the callback for this error */ diff --git a/debian/patches/series b/debian/patches/series index 24c0911..cc09615 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ #python3.patch +CVE-2021-20204.patch
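Review bot: the added "if (first_raw == NULL)" follows the unbraced "if (D->error == GD_E_OK && !match)", whose body is only the "first_raw = _GD_ParseFieldSpec(...)" assignment, so the NULL test also runs when a directive matched or an error is already set, and then inspects whatever first_raw held before this line was parsed. Put braces around the assignment and the new test so that GD_E_BAD_DIRFILE is raised only for the field specification that was just parsed.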
Bug#988112: unblock: gfsview/20121130+dfsg-7
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Dear release team, please unblock package gfsview Upload gfsview/20121130+dfsg-7 fixes RC-bug #987935. I have enabled ci-pipelines to ensure the package functionality, and now all tests are green [1]. Diff is attached. [1] https://salsa.debian.org/science-team/gfsview/-/pipelines unblock gfsview/20121130+dfsg-7 Best regards Anton diff --git a/debian/.gitlab-ci.yml b/debian/.gitlab-ci.yml new file mode 100644 index 000..26871b9 --- /dev/null +++ b/debian/.gitlab-ci.yml @@ -0,0 +1,2 @@ +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml diff --git a/debian/changelog b/debian/changelog index 74725fa..1f11cf2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +gfsview (20121130+dfsg-7) unstable; urgency=medium + + * Team upload. + * [9fb3053] Add .gitlab-ci.yml + * [634d5c0] Link against X11. (Closes: #987935) + + -- Anton Gladky Wed, 05 May 2021 22:03:32 +0200 + gfsview (20121130+dfsg-6) unstable; urgency=medium * Team upload. 
diff --git a/debian/patches/02_use_system_gl2ps.patch b/debian/patches/02_use_system_gl2ps.patch index 02c99c4..3f384f1 100644 --- a/debian/patches/02_use_system_gl2ps.patch +++ b/debian/patches/02_use_system_gl2ps.patch @@ -2,10 +2,10 @@ Description: use packaged gl2ps instead of embedded. Author: Anton Gladky Last-Update: 2014-05-08 -Index: gfsview-snapshot-121130/Makefile.am +Index: gfsview-20121130+dfsg/Makefile.am === gfsview-snapshot-121130.orig/Makefile.am -+++ gfsview-snapshot-121130/Makefile.am +--- gfsview-20121130+dfsg.orig/Makefile.am gfsview-20121130+dfsg/Makefile.am @@ -26,12 +26,10 @@ if HAVE_GTK INTERACTIVE = view endif @@ -20,10 +20,10 @@ Index: gfsview-snapshot-121130/Makefile.am m4 if DARCS_CONTROLLED -Index: gfsview-snapshot-121130/batch/Makefile.am +Index: gfsview-20121130+dfsg/batch/Makefile.am === gfsview-snapshot-121130.orig/batch/Makefile.am -+++ gfsview-snapshot-121130/batch/Makefile.am +--- gfsview-20121130+dfsg.orig/batch/Makefile.am gfsview-20121130+dfsg/batch/Makefile.am @@ -10,17 +10,15 @@ noinst_LTLIBRARIES = librender2D.la libr librender2D_la_SOURCES = render.c render.h @@ -44,10 +44,10 @@ Index: gfsview-snapshot-121130/batch/Makefile.am bin_PROGRAMS = gfsview-batch2D gfsview-batch3D -Index: gfsview-snapshot-121130/gl/gfsgl.h +Index: gfsview-20121130+dfsg/gl/gfsgl.h === gfsview-snapshot-121130.orig/gl/gfsgl.h -+++ gfsview-snapshot-121130/gl/gfsgl.h +--- gfsview-20121130+dfsg.orig/gl/gfsgl.h gfsview-20121130+dfsg/gl/gfsgl.h @@ -23,7 +23,7 @@ #include @@ -57,10 +57,10 @@ Index: gfsview-snapshot-121130/gl/gfsgl.h #ifdef __cplusplus extern "C" { -Index: gfsview-snapshot-121130/view/Makefile.am +Index: gfsview-20121130+dfsg/view/Makefile.am === gfsview-snapshot-121130.orig/view/Makefile.am -+++ gfsview-snapshot-121130/view/Makefile.am +--- gfsview-20121130+dfsg.orig/view/Makefile.am gfsview-20121130+dfsg/view/Makefile.am @@ -26,23 +26,20 @@ SRC = \ glade/mangled_interface.c glade/interface.h \ glade/callbacks.c glade/callbacks.h \ 
@@ -72,7 +72,7 @@ Index: gfsview-snapshot-121130/view/Makefile.am gfsview2D_SOURCES = $(SRC) gfkgl2D.h gfsview2D_CFLAGS = @SN_CFLAGS@ @GTK_CFLAGS@ @GERRIS2D_CFLAGS@ -gfsview2D_LDADD = -L$(top_builddir)/gl2ps -lgl2ps \ -+gfsview2D_LDADD = -lgl2ps \ ++gfsview2D_LDADD = -lgl2ps -lX11 \ -L$(top_builddir)/gl -lgfsgl2D \ @SN_LIBS@ @GTK_LIBS@ @GERRIS2D_LIBS@ -gfsview2D_DEPENDENCIES = $(top_builddir)/gl2ps/libgl2ps.la $(top_builddir)/gl/libgfsgl2D.la @@ -80,17 +80,17 @@ Index: gfsview-snapshot-121130/view/Makefile.am gfsview3D_SOURC
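Review bot: The X11 link fix is folded into debian/patches/02_use_system_gl2ps.patch (the "+gfsview2D_LDADD = -lgl2ps -lX11 \" line), while that patch's header still reads "Description: use packaged gl2ps instead of embedded." and "Last-Update: 2014-05-08". Put the -lX11 change for #987935 in its own patch, or at least update the Description and Last-Update fields, so the fix stays identifiable. Most of the remaining churn is quilt-refresh noise (the Index: paths renamed from gfsview-snapshot-121130 to gfsview-20121130+dfsg), which makes an unblock diff harder to review than it needs to be. The diff is cut off before the gfsview3D target, so check that it receives the same -lX11 addition.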
Bug#985378: unblock: boost1.74/1.74.0-9
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package boost1.74

boost1.74_1.74.0-9 fixes RC-bug #984838

Diff is attached.

unblock boost1.74/1.74.0-9

Thanks

Anton Gladky

diff --git a/debian/changelog b/debian/changelog index 0d4a3cf10..98695eea4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +boost1.74 (1.74.0-9) unstable; urgency=medium + + [ Andreas Beckmann ] + * libboost1.74-dev: Smoothen upgrades from buster by depending on +libstdc++-${gxx:major}-dev using the build-time version of g++ instead of +the virtual libstdc++-dev provided by multiple packages. +(Closes: #984838) + + -- Anton Gladky Sat, 13 Mar 2021 09:21:38 +0100 + boost1.74 (1.74.0-8) unstable; urgency=medium * [85a2610] Fix compilation warnings. (Closes: #980497) diff --git a/debian/control b/debian/control index e730db2af..a9d12e62a 100644 --- a/debian/control +++ b/debian/control 
@@ -24,7 +24,7 @@ Package: libboost1.74-dev Architecture: any Multi-Arch: same Section: libdevel -Depends: ${misc:Depends}, ${shlibs:Depends}, libstdc++-dev +Depends: ${misc:Depends}, ${shlibs:Depends}, libstdc++-${gxx:major}-dev Suggests: libboost1.74-doc, libboost-atomic1.74-dev, libboost-chrono1.74-dev, diff --git a/debian/rules b/debian/rules index 025139a8c..da506a948 100755 --- a/debian/rules +++ b/debian/rules @@ -343,6 +343,9 @@ ifeq ($(BUILD_NUMPY), yes) sed -i -r 's/^(libboost_numpy([0-9]{2}) \S+ (\S+).*)$$/\1, \3-py\2/' debian/libboost-numpy$(SOVERSION)/DEBIAN/shlibs endif +override_dh_gencontrol: + dh_gencontrol -- -V'gxx:major=$(shell dpkg-query -f '$${version}' -W g++ | sed 's/.*://;s/\..*//')' + $(b2): cd tools/build && bison -y -d -o src/engine/jamgram.cpp src/engine/jamgram.y ./bootstrap.sh --with-icu=/usr --prefix=$(CURDIR)/debian/tmp/usr \
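Review bot: In the new override_dh_gencontrol recipe in debian/rules, gxx:major is taken straight from "dpkg-query -f '$${version}' -W g++ | sed 's/.*://;s/\..*//'" with no check on the result. If the query fails or the version string has an unexpected shape, the substvar is empty or non-numeric, and the debian/control line "libstdc++-${gxx:major}-dev" expands to a package name that does not exist while the build still succeeds. Compute the value once into a make variable and abort the build when it is empty or not a plain number, so a broken dependency is caught at build time rather than at install time.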
Bug#976115: transition: boost-defaults
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Dear release team,

this is a transition request to upgrade boost-defaults from 1.71 to 1.74. Most of the issues in packages are tracked here [1], many of them are already fixed.

Ben file:

title = "boost-defaults";
is_affected = .depends ~ /libboost[a-z-.]*1\.7[14]/;
is_good = .depends ~ /libboost[a-z-.]*1\.74/;
is_bad = .depends ~ /libboost[a-z-.]*1\.71/;

[1] https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=team%2Bboost%40tracker.debian.org=boost174

Best regards

Anton
Bug#954023: stretch-pu: package amd64-microcode/3.20181128.1~deb9u1
Hi Adam,

> Anton, do you have any idea how widespread use of the existing
> stretch-backports package has been?

No, I do not have this information. If you are not sure - feel free to reject this request.

Best regards

Anton

On Thu, 2 July 2020 at 22:14, Adam D. Barratt <a...@adam-barratt.org.uk> wrote:
> Apologies for letting this sit for a while.
>
> On Mon, 2020-03-23 at 18:08 -0300, Henrique de Moraes Holschuh wrote:
> > On Sat, 21 Mar 2020, Adam D. Barratt wrote:
> > > On Sun, 2020-03-15 at 21:37 +0100, Anton Gladky wrote:
> > > > I have prepared an update for amd64-microcode for Debian Stretch,
> > > > which fixes CVE-2017-5715. Please see an attached debdiff.
> > > >
> > > > This is the newer upstream version, which fixes CVE-2017-5715.
> > > > Security team marked this CVE for Stretch as [1].
> > >
> > > Do you have any input / thoughts on this proposed update?
> >
> > The microcode might be safe enough, we don't have regressions
> > reported against the latest one (which is just a revert by AMD of an
> > update that did cause regressions when not applied through UEFI).
> >
> > But that's with recent kernels.
> >
> > I have no idea about the kernel codepaths it might activate, though,
> > if new MSRs are exposed.
>
> I'm torn as to what to do with this request, given that we're about to
> hit the EOL point release for stretch.
>
> Anton, do you have any idea how widespread use of the existing
> stretch-backports package has been?
>
> Regards,
>
> Adam
Bug#961379: buster-pu: package libntlm/1.5-1+deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

I have prepared an NMU for buster release which fixes CVE-2019-17455. Please let me know whether I can upload it.

Diff is attached.

Thanks,

Anton

diff -Nru libntlm-1.5/debian/changelog libntlm-1.5/debian/changelog --- libntlm-1.5/debian/changelog2018-08-24 22:03:11.0 +0200 +++ libntlm-1.5/debian/changelog2020-05-23 21:18:56.0 +0200 @@ -1,3 +1,17 @@ +libntlm (1.5-1+deb10u1) buster; urgency=medium + + * Non-maintainer upload + * Fix buffer overflow. CVE-2019-17455: + Libntlm through 1.5 relies on a fixed buffer size for + tSmbNtlmAuthRequest, tSmbNtlmAuthChallenge, and tSmbNtlmAuthResponse + read and write operations, as demonstrated by a stack-based buffer + over-read in buildSmbNtlmAuthRequest in smbutil.c for a crafted + NTLM request. + Closes: #942145 + * Add regression test for CVE-2019-17455 + + -- Anton Gladky Sat, 23 May 2020 21:18:56 +0200 + libntlm (1.5-1) unstable; urgency=low * New upstream version. diff -Nru libntlm-1.5/debian/patches/10_fix_buffer_overflow_CVE-CVE-2019-17455.patch libntlm-1.5/debian/patches/10_fix_buffer_overflow_CVE-CVE-2019-17455.patch --- libntlm-1.5/debian/patches/10_fix_buffer_overflow_CVE-CVE-2019-17455.patch 1970-01-01 01:00:00.0 +0100 +++ libntlm-1.5/debian/patches/10_fix_buffer_overflow_CVE-CVE-2019-17455.patch 2020-05-23 21:12:10.0 +0200 
@@ -0,0 +1,85 @@ +From b967886873fcf19f816b9c0868465f2d9e5df85e Mon Sep 17 00:00:00 2001 +From: Simon Josefsson +Date: Sun, 19 Apr 2020 09:30:05 +0200 +Subject: [PATCH] Fix buffer overflow. Patch from Cedric Buissart based on + report by Kirin. CVE-2019-17455 + +<https://gitlab.com/jas/libntlm/-/issues/2> +--- + ntlm.h| 8 +--- + smbutil.c | 13 - + 2 files changed, 13 insertions(+), 8 deletions(-) + +Index: libntlm-1.5/ntlm.h +=== +--- libntlm-1.5.orig/ntlm.h libntlm-1.5/ntlm.h +@@ -36,6 +36,8 @@ extern "C" + + #define NTLM_VERSION "1.5" + ++#define MSG_BUFSIZE 1024 ++ + /* + * These structures are byte-order dependant, and should not + * be manipulated except by the use of the routines provided +@@ -55,7 +57,7 @@ extern "C" + uint32 flags; + tSmbStrHeader user; + tSmbStrHeader domain; +-uint8 buffer[1024]; ++uint8 buffer[MSG_BUFSIZE]; + uint32 bufIndex; + } tSmbNtlmAuthRequest; + +@@ -68,7 +70,7 @@ extern "C" + uint8 challengeData[8]; + uint8 reserved[8]; + tSmbStrHeader emptyString; +-uint8 buffer[1024]; ++uint8 buffer[MSG_BUFSIZE]; + uint32 bufIndex; + } tSmbNtlmAuthChallenge; + +@@ -84,7 +86,7 @@ extern "C" + tSmbStrHeader uWks; + tSmbStrHeader sessionKey; + uint32 flags; +-uint8 buffer[1024]; ++uint8 buffer[MSG_BUFSIZE]; + uint32 bufIndex; + } tSmbNtlmAuthResponse; + +Index: libntlm-1.5/smbutil.c +=== +--- libntlm-1.5.orig/smbutil.c libntlm-1.5/smbutil.c +@@ -46,9 +46,9 @@ char versionString[] = PACKAGE_STRING; + + /* + * Must be multiple of two +- * We use a statis buffer of 1024 bytes for message ++ * We use a statis buffer of MSG_BUFSIZE [1024] bytes for message + * At maximun we but 48 bytes (ntlm responses) and 3 unicode strings so +- * NTLM_BUFSIZE * 3 + 48 <= 1024 ++ * NTLM_BUFSIZE * 3 + 48 <= MSG_BUFSIZE + */ + #define NTLM_BUFSIZE 320 + +@@ -70,10 +70,13 @@ char versionString[] = PACKAGE_STRING; + */ + #define AddBytes(ptr, header, buf, count) \ + { \ +- ptr->header.len = ptr->header.maxlen = UI16LE(count); \ ++ size_t count2 = count; \ ++ if (count2 > 
MSG_BUFSIZE - ptr->bufIndex) \ ++count2 = MSG_BUFSIZE - ptr->bufIndex; \ ++ ptr->header.len = ptr->header.maxlen = UI16LE(count2); \ + ptr->header.offset = UI32LE((ptr->buffer - ((uint8*)ptr)) + ptr->bufIndex); \ +- memcpy(ptr->buffer+ptr->bufIndex, buf, count); \ +- ptr->bufIndex += count; \ ++ memcpy(ptr->buffer+ptr->bufIndex, buf, count2); \ ++ ptr->bufIndex += count2; \ + } + + #define AddString(ptr, header, string) \ diff -Nru libntlm-1.5/debian/patches/20_test_CVE-2019-17455.patch libntlm-1.5/debian/patches/20_test_CVE-2019-17455.patch --- libntlm-1.5/debian/patches/20_test_CVE-2019-17455.patch 1970-01-01 01:00:00.0 +0100 +++ libntlm-1.5/debian/patches/20_test_CVE-2019-17455.patch 2020-05-23 21:05:29.0 +0200 @@ -0,0 +1,90 @@ +From aa975994cf9cf39c33ce33a1b2988277c456dec1 Mon Sep 17 00:00:00 2001 +From: Simon Josefsson +Date: Sun, 19 Apr 2020 09:44:17 +0200 +Subject: [PATCH] Add regression check for CVE-2019-17455 overflow. + +--- + Makefile.am | 2 +- + test_CVE-2019-17455.c | 61 +++ +
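Review bot: In the patched AddBytes macro in smbutil.c, the clamp "if (count2 > MSG_BUFSIZE - ptr->bufIndex)" subtracts a uint32 field (bufIndex, as declared in ntlm.h) from the constant, so it only bounds the memcpy while bufIndex <= MSG_BUFSIZE already holds; if bufIndex were ever larger, the subtraction would wrap to a huge value and the check would let any count through. Add an explicit guard for bufIndex > MSG_BUFSIZE before the subtraction, or document where that invariant is enforced. Over-long input is also truncated silently, with header.len and header.maxlen set to the shortened count2, so a caller cannot tell a truncated message from a complete one; the changelog entry should say that the fix truncates rather than rejects. Minor: the patch file name carries a doubled prefix, "CVE-CVE-2019-17455".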
Bug#954023: Minor debdiff update
Please see an updated debdiff in attachment (dropped one line in d/changelog).

Best regards

Anton

diff -Nru amd64-microcode-3.20160316.3/debian/changelog amd64-microcode-3.20181128.1~deb9u1/debian/changelog --- amd64-microcode-3.20160316.3/debian/changelog 2016-11-30 02:54:53.0 +0100 +++ amd64-microcode-3.20181128.1~deb9u1/debian/changelog2020-03-12 20:29:09.0 +0100 
@@ -1,3 +1,71 @@ +amd64-microcode (3.20181128.1~deb9u1) stretch; urgency=high + + * New upstream release. + * Add IBPB support for family 17h AMD processors (CVE-2017-5715) +(since version 3.20180515.1). + + -- Anton Gladky Thu, 12 Mar 2020 20:29:09 +0100 + +amd64-microcode (3.20181128.1) unstable; urgency=medium + + * New microcode update packages from AMD upstream: ++ New Microcodes: + sig 0x00800f82, patch id 0x0800820b, 2018-06-20 + * README: update for new release + + -- Henrique de Moraes Holschuh Sat, 15 Dec 2018 18:42:12 -0200 + +amd64-microcode (3.20180524.1) unstable; urgency=high + + * New microcode update packages from AMD upstream: ++ Re-added Microcodes: + sig 0x00610f01, patch id 0x06001119, 2012-07-13 + * This update avoids regressing sig 0x610f01 processors on systems with +outdated firmware by adding back exactly the same microcode patch that was +present before [for these processors]. It does not implement Spectre-v2 +mitigation for these processors. + * README: update for new release + + -- Henrique de Moraes Holschuh Fri, 25 May 2018 15:38:22 -0300 + +amd64-microcode (3.20180515.1) unstable; urgency=high + + * New microcode update packages from AMD upstream: ++ New Microcodes: + sig 0x00800f12, patch id 0x08001227, 2018-02-09 ++ Updated Microcodes: + sig 0x00600f12, patch id 0x0600063e, 2018-02-07 + sig 0x00600f20, patch id 0x06000852, 2018-02-06 ++ Removed Microcodes: + sig 0x00610f01, patch id 0x06001119, 2012-07-13 + * Adds Spectre v2 (CVE-2017-5715) microcode-based mitigation support, +plus other unspecified fixes/updates. 
+ * README, debian/copyright: update for new release + + -- Henrique de Moraes Holschuh Sat, 19 May 2018 13:51:06 -0300 + +amd64-microcode (3.20171205.2) unstable; urgency=medium + + * debian/control: update Vcs-* fields for salsa.debian.org + + -- Henrique de Moraes Holschuh Fri, 04 May 2018 07:51:40 -0300 + +amd64-microcode (3.20171205.1) unstable; urgency=high + + * New microcode updates (closes: #886382): +sig 0x00800f12, patch id 0x08001213, 2017-12-05 +Thanks to SuSE for distributing these ahead of AMD's official release! + * Add IBPB support for family 17h AMD processors (CVE-2017-5715) + * README: describe source for faml17h microcode update + * Upload to unstable to match IBPB microcode support on Intel in Debian +unstable. + * WARNING: requires at least kernel 4.15, 4.14.13, 4.9.76, 4.4.111 (or a +backport of commit f4e9b7af0cd58dd039a0fb2cd67d57cea4889abf +"x86/microcode/AMD: Add support for fam17h microcode loading") otherwise +it will not be applied to the processor. + + -- Henrique de Moraes Holschuh Mon, 08 Jan 2018 12:19:57 -0200 + amd64-microcode (3.20160316.3) unstable; urgency=medium * initramfs: Make the early initramfs reproducible (closes: #845194) diff -Nru amd64-microcode-3.20160316.3/debian/control amd64-microcode-3.20181128.1~deb9u1/debian/control --- amd64-microcode-3.20160316.3/debian/control 2016-11-30 02:53:04.0 +0100 +++ amd64-microcode-3.20181128.1~deb9u1/debian/control 2018-12-15 03:43:55.0 +0100 
@@ -5,8 +5,8 @@ Uploaders: Giacomo Catenazzi Build-Depends: debhelper (>= 9) Standards-Version: 3.9.8 -Vcs-Git: git://git.debian.org/users/hmh/amd64-microcode.git -Vcs-Browser: http://git.debian.org/?p=users/hmh/amd64-microcode.git +Vcs-Git: https://salsa.debian.org/hmh/amd64-microcode.git +Vcs-Browser: https://salsa.debian.org/hmh/amd64-microcode XS-Autobuild: yes Package: amd64-microcode diff -Nru amd64-microcode-3.20160316.3/debian/copyright amd64-microcode-3.20181128.1~deb9u1/debian/copyright --- amd64-microcode-3.20160316.3/debian/copyright 2016-11-30 02:53:04.0 +0100 +++ amd64-microcode-3.20181128.1~deb9u1/debian/copyright2018-12-15 03:43:55.0 +0100 @@ -2,8 +2,9 @@ Sun Jun 10 10:54:36 BRT 2012 It was downloaded from http://www.amd64.org/support/microcode.html up to -version 20120910 (now: http://www.amd64.org/microcode.html). It was built from -the linux-firmware git tree at for version 20131007 onwards. +version 20120910 (now: http://www.amd64.org/microcode.html). For version +20131007 onwards, it was built from the linux-firmware git repository at: +https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/ Debian only distributes the AMD64 microcode file in its unaltered form. @@ -13,7 +14,7 @@ Upstream Copyright: -Copyright (C) 2010-2014 Advanced Micro Devices, Inc., +Copyright
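Review bot: The new top entry for 3.20181128.1~deb9u1 in debian/changelog claims IBPB support for CVE-2017-5715 but omits two caveats that the imported history states. The 3.20171205.1 entry warns that the fam17h update "requires at least kernel 4.15, 4.14.13, 4.9.76, 4.4.111" (or a backport of the named kernel commit) "otherwise it will not be applied to the processor", and the 3.20180524.1 entry says the re-added sig 0x00610f01 patch "does not implement Spectre-v2 mitigation for these processors". For a stable update the entry should state which stretch kernel satisfies the requirement and that coverage is partial. The parenthetical "(since version 3.20180515.1)" also does not match the history shown, where the same IBPB line already appears under 3.20171205.1.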
Bug#954023: stretch-pu: package amd64-microcode/3.20181128.1~deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

I have prepared an update for amd64-microcode for Debian Stretch, which fixes CVE-2017-5715. Please see an attached debdiff.

This is the newer upstream version, which fixes CVE-2017-5715. Security team marked this CVE for Stretch as [1].

The package version with "~" is needed to guarantee the smooth update to the buster, where the current version is 3.20181128.1. Also I am preparing an update for Jessie [2] and it would be good to have 3.20181128.1~deb9u1 in Stretch for the smooth Jessie->Stretch upgrade.

Please review the debdiff and let me know, whether I may proceed with an update or make some changes.

[1] https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c9dda4132363fd5b169a3aad5fec48a4e4d2f72#4716ef5aa8f2742228ba3b3633215c8b808565e3_171225_171225
[2] https://lists.debian.org/

Best regards

Anton

diff -Nru amd64-microcode-3.20160316.3/debian/changelog amd64-microcode-3.20181128.1~deb9u1/debian/changelog --- 
amd64-microcode-3.20160316.3/debian/changelog 2016-11-30 02:54:53.0 +0100 +++ amd64-microcode-3.20181128.1~deb9u1/debian/changelog2020-03-12 20:29:09.0 +0100 
@@ -1,3 +1,72 @@ +amd64-microcode (3.20181128.1~deb9u1) stretch; urgency=high + + * Non-maintainer upload by the Security Team. + * New upstream release. + * Add IBPB support for family 17h AMD processors (CVE-2017-5715) +(since version 3.20180515.1). + + -- Anton Gladky Thu, 12 Mar 2020 20:29:09 +0100 + +amd64-microcode (3.20181128.1) unstable; urgency=medium + + * New microcode update packages from AMD upstream: ++ New Microcodes: + sig 0x00800f82, patch id 0x0800820b, 2018-06-20 + * README: update for new release + + -- Henrique de Moraes Holschuh Sat, 15 Dec 2018 18:42:12 -0200 + +amd64-microcode (3.20180524.1) unstable; urgency=high + + * New microcode update packages from AMD upstream: ++ Re-added Microcodes: + sig 0x00610f01, patch id 0x06001119, 2012-07-13 + * This update avoids regressing sig 0x610f01 processors on systems with +outdated firmware by adding back exactly the same microcode patch that was +present before [for these processors]. It does not implement Spectre-v2 +mitigation for these processors. + * README: update for new release + + -- Henrique de Moraes Holschuh Fri, 25 May 2018 15:38:22 -0300 + +amd64-microcode (3.20180515.1) unstable; urgency=high + + * New microcode update packages from AMD upstream: ++ New Microcodes: + sig 0x00800f12, patch id 0x08001227, 2018-02-09 ++ Updated Microcodes: + sig 0x00600f12, patch id 0x0600063e, 2018-02-07 + sig 0x00600f20, patch id 0x06000852, 2018-02-06 ++ Removed Microcodes: + sig 0x00610f01, patch id 0x06001119, 2012-07-13 + * Adds Spectre v2 (CVE-2017-5715) microcode-based mitigation support, +plus other unspecified fixes/updates. 
+ * README, debian/copyright: update for new release + + -- Henrique de Moraes Holschuh Sat, 19 May 2018 13:51:06 -0300 + +amd64-microcode (3.20171205.2) unstable; urgency=medium + + * debian/control: update Vcs-* fields for salsa.debian.org + + -- Henrique de Moraes Holschuh Fri, 04 May 2018 07:51:40 -0300 + +amd64-microcode (3.20171205.1) unstable; urgency=high + + * New microcode updates (closes: #886382): +sig 0x00800f12, patch id 0x08001213, 2017-12-05 +Thanks to SuSE for distributing these ahead of AMD's official release! + * Add IBPB support for family 17h AMD processors (CVE-2017-5715) + * README: describe source for faml17h microcode update + * Upload to unstable to match IBPB microcode support on Intel in Debian +unstable. + * WARNING: requires at least kernel 4.15, 4.14.13, 4.9.76, 4.4.111 (or a +backport of commit f4e9b7af0cd58dd039a0fb2cd67d57cea4889abf +"x86/microcode/AMD: Add support for fam17h microcode loading") otherwise +it will not be applied to the processor. + + -- Henrique de Moraes Holschuh
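Review bot: The line "* Non-maintainer upload by the Security Team." in the 3.20181128.1~deb9u1 entry does not fit the rest of that entry, which targets the "stretch" suite and is submitted as a proposed update rather than through the security archive. Drop the line or replace it with wording that matches how the upload is actually made, so the changelog does not misstate who is responsible for the update.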
Re: New proposed-updates diff: h2o 2.2.5+dfsg2-2+deb10u1
Hello Adam,

thanks, I will reupload the package.

Regards

Anton

On Wed, 21 Aug 2019 at 22:25, Adam D. Barratt wrote:
>
> On Wed, 2019-08-21 at 19:34 +, Debian Queue Viewer wrote:
> [...]
> >
> > +h2o (2.2.5+dfsg2-2+deb10u1) buster-security; urgency=high > > + > > + * [d9b7843] Fix HTTP/2 DoS attack vulnerabilities. > > + CVE-2019-9512 CVE-2019-9514 CVE-2019-9515. (Closes: > > #934886) > > + > > + -- Anton Gladky Tue, 20 Aug 2019 22:29:07 +0200
>
> This was intended to be uploaded to the security archive, not
> ftp-master.
>
> I'll get the copy that's landed in stable-new flagged for rejection,
> please re-upload to the security archive so that it can be processed
> there.
>
> Regards,
>
> Adam
Bug#932030: stretch-pu: package gnuplot/5.2.6+dfsg1-1+deb10u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

please consider the following buster-update for the gnuplot package. This upload fixes the issue #926658.

Thanks,

Anton

diff -Nru gnuplot-5.2.6+dfsg1/debian/changelog gnuplot-5.2.6+dfsg1/debian/changelog --- gnuplot-5.2.6+dfsg1/debian/changelog2019-01-05 23:07:07.0 +0100 +++ gnuplot-5.2.6+dfsg1/debian/changelog2019-07-14 09:49:07.0 +0200 
@@ -1,3 +1,10 @@ +gnuplot (5.2.6+dfsg1-1+deb10u1) buster; urgency=medium + + * [7b7626a] Fix incomplete/unsafe initialization of ARGV array. + (Closes: #926658) + + -- Anton Gladky Sun, 14 Jul 2019 09:49:07 +0200 + gnuplot (5.2.6+dfsg1-1) unstable; urgency=medium * [132187c] New upstream version 5.2.6+dfsg1 diff -Nru gnuplot-5.2.6+dfsg1/debian/patches/15_fix_incomplete_ARGV_array_init.patch gnuplot-5.2.6+dfsg1/debian/patches/15_fix_incomplete_ARGV_array_init.patch --- gnuplot-5.2.6+dfsg1/debian/patches/15_fix_incomplete_ARGV_array_init.patch 1970-01-01 01:00:00.0 +0100 +++ gnuplot-5.2.6+dfsg1/debian/patches/15_fix_incomplete_ARGV_array_init.patch 2019-07-14 09:48:48.0 +0200 
@@ -0,0 +1,61 @@ +Description: fix incomplete/unsafe initialization of ARGV array +Author: Ethan A Merritt +Origin: https://sourceforge.net/p/gnuplot/gnuplot-main/ci/732014eefd41235a143626d2bc02d3d34934e1b3/ +Bug-Debian: https://bugs.debian.org/926658 +Bug: https://sourceforge.net/p/gnuplot/bugs/2115/ + + +Index: gnuplot-5.2.6+dfsg1/src/misc.c +=== +--- gnuplot-5.2.6+dfsg1.orig/src/misc.c gnuplot-5.2.6+dfsg1/src/misc.c +@@ -239,6 +239,7 @@ prepare_call(int calltype) + udv->udv_value.type = ARRAY; + ARGV = udv->udv_value.v.value_array = gp_alloc((argv_size + 1) * sizeof(t_value), "array state"); + ARGV[0].v.int_val = argv_size; ++ARGV[0].type = NOTDEFINED; + + for (argindex = 1; argindex <= 9; argindex++) { + char *argstring = call_args[argindex-1]; +@@ -586,9 +587,14 @@ lf_push(FILE *fp, char *name, char *cmdl + } + /* Save ARGV[] */ + lf->argv[0].v.int_val = 0; ++ lf->argv[0].type = NOTDEFINED; + if ((udv = get_udv_by_name("ARGV")) && udv->udv_value.type == ARRAY) { +- for (argindex = 0; argindex <= call_argc; argindex++) ++ for (argindex = 0; argindex <= call_argc; argindex++) { + lf->argv[argindex] = udv->udv_value.v.value_array[argindex]; ++ if (lf->argv[argindex].type == STRING) ++ lf->argv[argindex].v.string_val = ++ gp_strdup(lf->argv[argindex].v.string_val); ++ } + } + } + lf->depth = lf_head ? lf_head->depth+1 : 0; /* recursion depth */ +Index: gnuplot-5.2.6+dfsg1/src/plot.c +=== +--- gnuplot-5.2.6+dfsg1.orig/src/plot.c gnuplot-5.2.6+dfsg1/src/plot.c +@@ -1,7 +1,3 @@ +-#ifndef lint +-static char *RCSid() { return RCSid("$Id: plot.c,v 1.174 2017/05/20 16:43:19 markisch Exp $"); } +-#endif +- + /* GNUPLOT - plot.c */ + + /*[ +@@ -638,10 +634,11 @@ RECOVER_FROM_ERROR_IN_DASH: + fprintf(stderr, "syntax: gnuplot -c scriptname args\n"); + gp_exit(EXIT_FAILURE); + } +- for (i=0; i
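Review bot: In the lf_push hunk of src/misc.c, every saved STRING entry is now copied with gp_strdup into lf->argv[], but none of the visible hunks shows where those copies are released when the saved state is restored or discarded. Confirm that a matching free exists on every exit path, including error recovery, so the copies neither leak nor get freed twice. The plot.c hunk that removes the "#ifndef lint ... RCSid" block is unrelated to #926658 and is better left out of a stable update. Note also that the changelog hunk targets "buster" with version 5.2.6+dfsg1-1+deb10u1, while the request is tagged stretch.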
Bug#932029: stretch-pu: package gnuplot/5.2.6+dfsg1-1+deb10u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

please consider the following buster-update for the gnuplot package. This upload fixes the issue #926658.

Thanks

Anton

diff -Nru gnuplot-5.2.6+dfsg1/debian/changelog gnuplot-5.2.6+dfsg1/debian/changelog --- gnuplot-5.2.6+dfsg1/debian/changelog2019-01-05 23:07:07.0 +0100 +++ gnuplot-5.2.6+dfsg1/debian/changelog2019-07-14 09:49:07.0 +0200 
@@ -1,3 +1,10 @@ +gnuplot (5.2.6+dfsg1-1+deb10u1) buster; urgency=medium + + * [7b7626a] Fix incomplete/unsafe initialization of ARGV array. + (Closes: #926658) + + -- Anton Gladky Sun, 14 Jul 2019 09:49:07 +0200 + gnuplot (5.2.6+dfsg1-1) unstable; urgency=medium * [132187c] New upstream version 5.2.6+dfsg1 diff -Nru gnuplot-5.2.6+dfsg1/debian/patches/15_fix_incomplete_ARGV_array_init.patch gnuplot-5.2.6+dfsg1/debian/patches/15_fix_incomplete_ARGV_array_init.patch --- gnuplot-5.2.6+dfsg1/debian/patches/15_fix_incomplete_ARGV_array_init.patch 1970-01-01 01:00:00.0 +0100 +++ gnuplot-5.2.6+dfsg1/debian/patches/15_fix_incomplete_ARGV_array_init.patch 2019-07-14 09:48:48.0 +0200 
@@ -0,0 +1,61 @@ +Description: fix incomplete/unsafe initialization of ARGV array +Author: Ethan A Merritt +Origin: https://sourceforge.net/p/gnuplot/gnuplot-main/ci/732014eefd41235a143626d2bc02d3d34934e1b3/ +Bug-Debian: https://bugs.debian.org/926658 +Bug: https://sourceforge.net/p/gnuplot/bugs/2115/ + + +Index: gnuplot-5.2.6+dfsg1/src/misc.c +=== +--- gnuplot-5.2.6+dfsg1.orig/src/misc.c gnuplot-5.2.6+dfsg1/src/misc.c +@@ -239,6 +239,7 @@ prepare_call(int calltype) + udv->udv_value.type = ARRAY; + ARGV = udv->udv_value.v.value_array = gp_alloc((argv_size + 1) * sizeof(t_value), "array state"); + ARGV[0].v.int_val = argv_size; ++ARGV[0].type = NOTDEFINED; + + for (argindex = 1; argindex <= 9; argindex++) { + char *argstring = call_args[argindex-1]; +@@ -586,9 +587,14 @@ lf_push(FILE *fp, char *name, char *cmdl + } + /* Save ARGV[] */ + lf->argv[0].v.int_val = 0; ++ lf->argv[0].type = NOTDEFINED; + if ((udv = get_udv_by_name("ARGV")) && udv->udv_value.type == ARRAY) { +- for (argindex = 0; argindex <= call_argc; argindex++) ++ for (argindex = 0; argindex <= call_argc; argindex++) { + lf->argv[argindex] = udv->udv_value.v.value_array[argindex]; ++ if (lf->argv[argindex].type == STRING) ++ lf->argv[argindex].v.string_val = ++ gp_strdup(lf->argv[argindex].v.string_val); ++ } + } + } + lf->depth = lf_head ? lf_head->depth+1 : 0; /* recursion depth */ +Index: gnuplot-5.2.6+dfsg1/src/plot.c +=== +--- gnuplot-5.2.6+dfsg1.orig/src/plot.c gnuplot-5.2.6+dfsg1/src/plot.c +@@ -1,7 +1,3 @@ +-#ifndef lint +-static char *RCSid() { return RCSid("$Id: plot.c,v 1.174 2017/05/20 16:43:19 markisch Exp $"); } +-#endif +- + /* GNUPLOT - plot.c */ + + /*[ +@@ -638,10 +634,11 @@ RECOVER_FROM_ERROR_IN_DASH: + fprintf(stderr, "syntax: gnuplot -c scriptname args\n"); + gp_exit(EXIT_FAILURE); + } +- for (i=0; i
Bug#932028: stretch-pu: package gnuplot/5.2.6+dfsg1-1+deb10u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

please consider the following buster-update for the gnuplot package. This upload fixes the issue #926658.

Thanks,

Anton

diff -Nru gnuplot-5.2.6+dfsg1/debian/changelog gnuplot-5.2.6+dfsg1/debian/changelog --- gnuplot-5.2.6+dfsg1/debian/changelog2019-01-05 23:07:07.0 +0100 +++ gnuplot-5.2.6+dfsg1/debian/changelog2019-07-14 09:49:07.0 +0200 
@@ -1,3 +1,10 @@ +gnuplot (5.2.6+dfsg1-1+deb10u1) buster; urgency=medium + + * [7b7626a] Fix incomplete/unsafe initialization of ARGV array. + (Closes: #926658) + + -- Anton Gladky Sun, 14 Jul 2019 09:49:07 +0200 + gnuplot (5.2.6+dfsg1-1) unstable; urgency=medium * [132187c] New upstream version 5.2.6+dfsg1 diff -Nru gnuplot-5.2.6+dfsg1/debian/patches/15_fix_incomplete_ARGV_array_init.patch gnuplot-5.2.6+dfsg1/debian/patches/15_fix_incomplete_ARGV_array_init.patch --- gnuplot-5.2.6+dfsg1/debian/patches/15_fix_incomplete_ARGV_array_init.patch 1970-01-01 01:00:00.0 +0100 +++ gnuplot-5.2.6+dfsg1/debian/patches/15_fix_incomplete_ARGV_array_init.patch 2019-07-14 09:48:48.0 +0200 
@@ -0,0 +1,61 @@ +Description: fix incomplete/unsafe initialization of ARGV array +Author: Ethan A Merritt +Origin: https://sourceforge.net/p/gnuplot/gnuplot-main/ci/732014eefd41235a143626d2bc02d3d34934e1b3/ +Bug-Debian: https://bugs.debian.org/926658 +Bug: https://sourceforge.net/p/gnuplot/bugs/2115/ + + +Index: gnuplot-5.2.6+dfsg1/src/misc.c +=== +--- gnuplot-5.2.6+dfsg1.orig/src/misc.c gnuplot-5.2.6+dfsg1/src/misc.c +@@ -239,6 +239,7 @@ prepare_call(int calltype) + udv->udv_value.type = ARRAY; + ARGV = udv->udv_value.v.value_array = gp_alloc((argv_size + 1) * sizeof(t_value), "array state"); + ARGV[0].v.int_val = argv_size; ++ARGV[0].type = NOTDEFINED; + + for (argindex = 1; argindex <= 9; argindex++) { + char *argstring = call_args[argindex-1]; +@@ -586,9 +587,14 @@ lf_push(FILE *fp, char *name, char *cmdl + } + /* Save ARGV[] */ + lf->argv[0].v.int_val = 0; ++ lf->argv[0].type = NOTDEFINED; + if ((udv = get_udv_by_name("ARGV")) && udv->udv_value.type == ARRAY) { +- for (argindex = 0; argindex <= call_argc; argindex++) ++ for (argindex = 0; argindex <= call_argc; argindex++) { + lf->argv[argindex] = udv->udv_value.v.value_array[argindex]; ++ if (lf->argv[argindex].type == STRING) ++ lf->argv[argindex].v.string_val = ++ gp_strdup(lf->argv[argindex].v.string_val); ++ } + } + } + lf->depth = lf_head ? lf_head->depth+1 : 0; /* recursion depth */ +Index: gnuplot-5.2.6+dfsg1/src/plot.c +=== +--- gnuplot-5.2.6+dfsg1.orig/src/plot.c gnuplot-5.2.6+dfsg1/src/plot.c +@@ -1,7 +1,3 @@ +-#ifndef lint +-static char *RCSid() { return RCSid("$Id: plot.c,v 1.174 2017/05/20 16:43:19 markisch Exp $"); } +-#endif +- + /* GNUPLOT - plot.c */ + + /*[ +@@ -638,10 +634,11 @@ RECOVER_FROM_ERROR_IN_DASH: + fprintf(stderr, "syntax: gnuplot -c scriptname args\n"); + gp_exit(EXIT_FAILURE); + } +- for (i=0; i
Bug#914563: transition: alglib
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition Dear release team, please provide a slot for the transition of the new alglib version 3.14. All build reverse-dependencies of the package are building fine with this new version. Thanks, Anton === Ben file: title = "alglib"; is_affected = .depends ~ "libalglib3.11" | .depends ~ "libalglib3.14"; is_good = .depends ~ "libalglib3.14"; is_bad = .depends ~ "libalglib3.11"; -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.18.0-2-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
Bug#904316: transition: boost-defaults
Hi. from my point of view it is also better to have new boost-defaults in the unstable and fix needed packages there. We do not have too much time for now to have an intermediate upload into experimental. If this transition will be smooth and fast, we could consider to package 1.68/1.69. But it would probably be too risky and can potentially delay the next release. Regards Anton On Mon, 24 Sep 2018 at 02:21, Dimitri John Ledkov wrote: ... > Largely rebuilds in Ubuntu have been sufficient to identify and fix > the bulk of boost transition issues > http://people.canonical.com/~ubuntu-archive/transitions/html/boost1.67.html > > After the initial rounds of NMUs I typically work off the Debian > transition tracker to complete transition / files FTBFS bugs / NMU > patches. > > I can prepare the boost-defaults upload into experimental, but I'd > rather have this transition approved and boost-defaults uploaded into > unstable.
Bug#907771: transition: qcustomplot
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition Dear release team, please schedule the transition of the qcustomplot package. It seems that the bost dependent packages are building fine against the new package version. Ben file: title = "qcustomplot"; is_affected = .depends ~ "libqcustomplot1.3" | .depends ~ "libqcustomplot2.0"; is_good = .depends ~ "libqcustomplot2.0"; is_bad = .depends ~ "libqcustomplot1.3"; Thanks Anton
Bug#841234: jessie-pu: package libiberty/20141014-1
Hi Adam, I forgot about this bug. Actually I do not have any interest and time now to make an upload. So, I think the bug can be closed. Thanks Anton 2018-06-13 22:17 GMT+02:00 Adam D. Barratt : > On Sat, 2016-12-17 at 11:42 +0100, Julien Cristau wrote: >> Control: tag -1 moreinfo >> >> On Tue, Oct 18, 2016 at 20:32:56 +0200, Anton Gladky wrote: >> >> > Package: release.debian.org >> > Severity: normal >> > Tags: jessie >> > User: release.debian@packages.debian.org >> > Usertags: pu >> > >> > Dear release team, >> > >> > libiberty needs to be updated in Jessie, because the newer version >> > fixes many security issues: >> > >> > CVE-2016-4487 CVE-2016-4488 CVE-2016-4489 CVE-2016-4490 >> > CVE-2016-4492 CVE-2016-4493 CVE-2016-2226 CVE-2016-6131 >> > >> >> What makes it impossible to backport just the fixes for the above >> issues, rather than importing a full new upstream release? A short >> description of the issues so we don't have to look them up would also >> have been helpful. >> > > Ping? The above was 18 months ago, and we're within a few days of > closing updates to jessie before it becomes LTS. > > Regards, > > Adam
Bug#876041: transition: gl2ps
The package is successfully built on all relevant platforms. Please, schedule binnmus. Thank you, Anton 2017-09-27 0:24 GMT+02:00 Emilio Pozuelo Monfort: > > Go ahead. > > Cheers, > Emilio
Bug#876041: transition: gl2ps
Control: tags -1 -moreinfo All rdeps are tested against new version (except vtk6 due to the current dependency problem in sid). Package: avogadro OK Package: drawxtl OK Package: gabedit OK Package: gfsview OK Package: giac OK Package: gmsh OK Package: oce OK Package: octave OK Package: paraview OK Package: qtiplot OK Package: sumo OK Package: vtk6 Not testable now in sid, fails to install deps Package: xcrysden OK Please consider scheduling the transition. Thanks Anton 2017-09-23 18:10 GMT+02:00 Emilio Pozuelo Monfort <po...@debian.org>: > Control: tags -1 moreinfo > > On 23/09/17 17:44, Anton Gladky wrote: >> I did not check them. Just generated the list of symbols and >> no symbols were removed since the last versions (+4 new >> symbols) > > That's not enough. E.g. symbols may have changed their signatures, or structs > may have renamed or deleted some members... > >> So, from my point of view, it is enough to be sure that everything >> is OK with the back-compatibility. If it is not the case, just let me >> know and I will try to build rdeps against new gl2ps. > > Yes please. > > Emilio
Bug#876510: transition: oce
oce is successfully built in sid on all relevant platforms. Cheers Anton 2017-09-23 15:49 GMT+02:00 Emilio Pozuelo Monfort: > > Go ahead. > > Emilio
Bug#876041: transition: gl2ps
I did not check them. Just generated the list of symbols and no symbols were removed since the last versions (+4 new symbols) So, from my point of view, it is enough to be sure that everything is OK with the back-compatibility. If it is not the case, just let me know and I will try to build rdeps against new gl2ps. Cheers Anton 2017-09-23 17:35 GMT+02:00 Emilio Pozuelo Monfort <po...@debian.org>: > On 17/09/17 22:19, Anton Gladky wrote: >> Package: release.debian.org >> Severity: normal >> User: release.debian@packages.debian.org >> Usertags: transition >> >> >> Dear release team, >> >> due to a new version of gl2ps, one needs the transition to a new binary. >> Please schedule it. > > Do the rdeps build fine against the new gl2ps? > > Emilio
Bug#876510: transition: oce
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition Dear release team, please schedule the transition slot for the new version of oce. All reverse-depends build fine except deal.ii which seems to be failing due to some other reasons (#876509). Ben file: title = "oce"; is_affected = .depends ~ "liboce-foundation10|liboce-modeling10|liboce-ocaf-lite10|liboce-ocaf10|liboce-visualization10" | .depends ~ "liboce-foundation11|liboce-modeling11|liboce-ocaf-lite11|liboce-ocaf11|liboce-visualization11"; is_good = .depends ~ "liboce-foundation11|liboce-modeling11|liboce-ocaf-lite11|liboce-ocaf11|liboce-visualization11"; is_bad = .depends ~ "liboce-foundation10|liboce-modeling10|liboce-ocaf-lite10|liboce-ocaf10|liboce-visualization10"; Thanks, Anton
Bug#876041: transition: gl2ps
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition Dear release team, due to a new version of gl2ps, one needs the transition to a new binary. Please schedule it. Ben file: title = "gl2ps"; is_affected = .depends ~ "libgl2ps1" | .depends ~ "libgl2ps1.4"; is_good = .depends ~ "libgl2ps1.4"; is_bad = .depends ~ "libgl2ps1"; Thanks, Anton
Bug#868355: nmu: ceres-solver_1.12.0+dfsg0-1+b3
Hi all, well, I would prefer to rebuild all reverse dependencies after each new eigen3 (and probably any other header-only lib) upload [1] and be ready to request it. But it looks like it is not a common case to do such BinNMUs. [1] https://bugs.debian.org/845819 Regards Anton 2017-07-19 8:35 GMT+02:00 Philipp Huebner: > Hi, > > until I find the time to package the new release of Ceres Solver, > please go ahead with the BinNMU. > > With Eigen3 being a header-only library and numeric math libraries > making use of derivatives and templating like crazy, I believe this > strict Eigen3 check to be well reasoned. > > I'll ask upstream about this, but expect them to confirm it. > > > Regards, > -- > .''`. Philipp Huebner > : :' : pgp fp: 6719 25C5 B8CD E74A 5225 3DF9 E5CA 8C49 25E4 205F > `. `'` > `- >
Bug#868146: transition: alglib
2017-07-14 9:16 GMT+02:00 Emilio Pozuelo Monfort: > Go ahead now. Uploaded. Anton
Bug#868146: transition: alglib
Hi Emilio, libalglib-dev is in build-deps of vtk6. But it looks like vtk6 does not use it. I will not file a bug against vtk6 because it is mostly EOL. Please let me know when I can make an upload into the sid. Best regards Anton 2017-07-12 19:48 GMT+02:00 Emilio Pozuelo Monfort: > I don't see vtk6 as affected? In any case this needs to wait for the gdal > transition to finish, as that one can't smooth transition to testing and this > would get entangled with it due to qmapshack (and possibly vtk6).
Bug#868146: transition: alglib
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition Dear release team, please provide a slot for the transition of alglib-library. The new version 3.11 has been uploaded to the experimental and built successfully on all relevant platforms [1]. All reverse dependencies have been successfully built against the new library version (vtk6, qtiplot and qmapshack). Ben file: title = "alglib"; is_affected = .depends ~ "libalglib3.10" | .depends ~ "libalglib3.11"; is_good = .depends ~ "libalglib3.11"; is_bad = .depends ~ "libalglib3.10"; [1] https://buildd.debian.org/status/package.php?p=alglib=experimental Thanks, Anton
Bug#867624: Debdiff
Debdiff is applied. Anton avogadro.debdiff Description: Binary data
Bug#867624: stretch-pu: package avogadro/1.2.0-1+deb9u1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Dear release team, avogadro_1.2.0-1 in stretch has a serious bug #865085 which makes the package completely unusable. The reason is the incompatibility with eigen3 >> 3.3 which was not detected during the development phase. Upstream fixed this problem [1], [2]. The proposed update fixes the bug. Basically both patches were applied against the current source package. Please consider to accept this update, though patches are big. Otherwise the package should be completely removed from the stretch not to scare users. [1] https://github.com/cryos/avogadro/commit/43af3c117b0b3220b15c2fe2895b94bbd83d3a60.patch [2] https://github.com/cryos/avogadro/commit/2d4be7ede177a8df7340fe3b209698d591ee8a04.patch Thank you, Anton
Bug#865214: stretch-pu: package gnuplot/5.0.5+dfsg1-6+deb9u1
Hi Cyril, thank you for the extended answer and useful information! Please find an attached patch with the fixed changelog number. Best regards Anton On 06/25/2017 11:09 PM, Cyril Brulebois wrote: > Hi, > > Anton Gladky <gl...@debian.org> (2017-06-19): >> Package: release.debian.org >> Severity: normal >> Tags: stretch >> User: release.debian@packages.debian.org >> Usertags: pu >> >> Dear release team, >> >> the following gnuplot version fixes the CVE-2017-9670. Please let me >> know, whether it can be uploaded to proposed-updates. > > Looking at the security tracker, it looks like this was decided this was > going to be a no-dsa fix, but feel free to mention this upfront in your > next pu requests. :) > > Anyway, looking at the diff: the version number isn't appropriate, as > stretch has 5.0.5+dfsg1-6, you should be uploading 5.0.5+dfsg1-6+deb9u1. > Alternatively, if you were going to backport 5.0.5+dfsg1-7 from testing, > you could use 5.0.5+dfsg1-7~deb9u1, but then this should be on top of > the 5.0.5+dfsg1-7 changelog entry. > > Either way, please provide an updated debdiff with a proper version (for > a simple patch like this, I think the first solution would have a slight > preference on my side → 5.0.5+dfsg1-6+deb9u1). > > Thanks already. > > > KiBi. > diff -Nru gnuplot-5.0.5+dfsg1/debian/changelog gnuplot-5.0.5+dfsg1/debian/changelog --- gnuplot-5.0.5+dfsg1/debian/changelog2017-04-03 22:58:59.0 +0200 +++ gnuplot-5.0.5+dfsg1/debian/changelog2017-06-16 22:35:29.0 +0200 
@@ -1,3 +1,10 @@ +gnuplot (5.0.5+dfsg1-6+deb9u1) stretch; urgency=high + + * [02931b6] Fix memory corruption vulnerability. CVE-2017-9670. + (Closes: #864901) + + -- Anton Gladky <gl...@debian.org> Fri, 16 Jun 2017 22:35:29 +0200 + gnuplot (5.0.5+dfsg1-6) unstable; urgency=medium * Team upload. diff -Nru gnuplot-5.0.5+dfsg1/debian/patches/20_CVE-2017-9670.patch gnuplot-5.0.5+dfsg1/debian/patches/20_CVE-2017-9670.patch --- gnuplot-5.0.5+dfsg1/debian/patches/20_CVE-2017-9670.patch 1970-01-01 01:00:00.0 +0100 +++ gnuplot-5.0.5+dfsg1/debian/patches/20_CVE-2017-9670.patch 2017-06-16 22:35:29.0 +0200 @@ -0,0 +1,18 @@ +Description: Fix memory corruption vulnerability. CVE-2017-9670 +Author: Ethan Merritt +Bug-Debian: https://bugs.debian.org/864901 +Origin: https://sourceforge.net/p/gnuplot/bugs/_discuss/thread/44ec637c/af0f/attachment/uninitialized_variables_%28Bug1933%29.patch +Bug: https://sourceforge.net/p/gnuplot/bugs/1933/ +Reviewed-By: Anton Gladky <gl...@debian.org> +Last-Update: 2017-06-16 + +--- gnuplot-5.0.5+dfsg1.orig/src/set.c gnuplot-5.0.5+dfsg1/src/set.c +@@ -5926,6 +5926,7 @@ load_tic_series(AXIS_INDEX axis) + + if (!equals(c_token, ",")) { + /* only step specified */ ++ incr_token = c_token; + incr = start; + start = -VERYLARGE; + end = VERYLARGE; diff -Nru gnuplot-5.0.5+dfsg1/debian/patches/series gnuplot-5.0.5+dfsg1/debian/patches/series --- gnuplot-5.0.5+dfsg1/debian/patches/series 2017-04-03 22:54:50.0 +0200 +++ gnuplot-5.0.5+dfsg1/debian/patches/series 2017-06-16 22:35:29.0 +0200 @@ -6,3 +6,4 @@ 11_fix_linkage_wx.patch 13_honour_SOURCE_DATE_EPOCH.patch 14_strip_username_from_output.patch +20_CVE-2017-9670.patch signature.asc Description: OpenPGP digital signature
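Review bot: in the set.c hunk of 20_CVE-2017-9670.patch, incr_token is assigned from c_token inside the `if (!equals(c_token, ","))` branch, where `incr = start` shows the step value has already been parsed, so incr_token records the token that follows the step rather than the step itself. Please confirm against the uses of incr_token further down in load_tic_series that this is the intended position.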
Bug#865214: stretch-pu: package gnuplot/5.0.5+dfsg1-7+deb9u1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Dear release team, the following gnuplot version fixes the CVE-2017-9670. Please let me know, whether it can be upoaded to proposed-updates. Diff is provided. Thanks, Anton diff -Nru gnuplot-5.0.5+dfsg1/debian/changelog gnuplot-5.0.5+dfsg1/debian/changelog --- gnuplot-5.0.5+dfsg1/debian/changelog2017-04-03 22:58:59.0 +0200 +++ gnuplot-5.0.5+dfsg1/debian/changelog2017-06-16 22:35:29.0 +0200 @@ -1,3 +1,10 @@ +gnuplot (5.0.5+dfsg1-7+deb9u1) stretch; urgency=high + + * [02931b6] Fix memory corruption vulnerability. CVE-2017-9670. + (Closes: #864901) + + -- Anton Gladky <gl...@debian.org> Fri, 16 Jun 2017 22:35:29 +0200 + gnuplot (5.0.5+dfsg1-6) unstable; urgency=medium * Team upload. diff -Nru gnuplot-5.0.5+dfsg1/debian/patches/20_CVE-2017-9670.patch gnuplot-5.0.5+dfsg1/debian/patches/20_CVE-2017-9670.patch --- gnuplot-5.0.5+dfsg1/debian/patches/20_CVE-2017-9670.patch 1970-01-01 01:00:00.0 +0100 +++ gnuplot-5.0.5+dfsg1/debian/patches/20_CVE-2017-9670.patch 2017-06-16 22:35:29.0 +0200 
@@ -0,0 +1,18 @@ +Description: Fix memory corruption vulnerability. CVE-2017-9670 +Author: Ethan Merritt +Bug-Debian: https://bugs.debian.org/864901 +Origin: https://sourceforge.net/p/gnuplot/bugs/_discuss/thread/44ec637c/af0f/attachment/uninitialized_variables_%28Bug1933%29.patch +Bug: https://sourceforge.net/p/gnuplot/bugs/1933/ +Reviewed-By: Anton Gladky <gl...@debian.org> +Last-Update: 2017-06-16 + +--- gnuplot-5.0.5+dfsg1.orig/src/set.c gnuplot-5.0.5+dfsg1/src/set.c +@@ -5926,6 +5926,7 @@ load_tic_series(AXIS_INDEX axis) + + if (!equals(c_token, ",")) { + /* only step specified */ ++ incr_token = c_token; + incr = start; + start = -VERYLARGE; + end = VERYLARGE; diff -Nru gnuplot-5.0.5+dfsg1/debian/patches/series gnuplot-5.0.5+dfsg1/debian/patches/series --- gnuplot-5.0.5+dfsg1/debian/patches/series 2017-04-03 22:54:50.0 +0200 +++ gnuplot-5.0.5+dfsg1/debian/patches/series 2017-06-16 22:35:29.0 +0200 @@ -6,3 +6,4 @@ 11_fix_linkage_wx.patch 13_honour_SOURCE_DATE_EPOCH.patch 14_strip_username_from_output.patch +20_CVE-2017-9670.patch
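Review bot: the changelog hunk puts 5.0.5+dfsg1-7+deb9u1 directly on top of the 5.0.5+dfsg1-6 entry, so the +deb9u1 suffix hangs off a -7 revision that has no entry of its own in this changelog. Base the version on what the target suite carries: either 5.0.5+dfsg1-6+deb9u1 on top of -6, or a 5.0.5+dfsg1-7~deb9u1 backport stacked on a -7 entry.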
Bug#864907: unblock: gnuplot/5.0.5+dfsg1-7, CVE-2017-9670
Package: release.debian.org Severity: normal Tags: security upstream patch User: release.debian@packages.debian.org Usertags: unblock Please unblock package gnuplot it fixes CVE-2017-9670. The fix is trivial. Patch is attached. unblock gnuplot/5.0.5+dfsg1-7 The diff is attached. Thanks Anton diff --git a/debian/changelog b/debian/changelog index 3705f0e..a27d6a4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +gnuplot (5.0.5+dfsg1-7) unstable; urgency=high + + * [02931b6] Fix memory corruption vulnerability. CVE-2017-9670. + (Closes: #864901) + + -- Anton Gladky <gl...@debian.org> Fri, 16 Jun 2017 22:35:29 +0200 + gnuplot (5.0.5+dfsg1-6) unstable; urgency=medium * Team upload. diff --git a/debian/patches/20_CVE-2017-9670.patch b/debian/patches/20_CVE-2017-9670.patch new file mode 100644 index 000..482ea7e --- /dev/null +++ b/debian/patches/20_CVE-2017-9670.patch @@ -0,0 +1,18 @@ +Description: Fix memory corruption vulnerability. CVE-2017-9670 +Author: Ethan Merritt +Bug-Debian: https://bugs.debian.org/864901 +Origin: https://sourceforge.net/p/gnuplot/bugs/_discuss/thread/44ec637c/af0f/attachment/uninitialized_variables_%28Bug1933%29.patch +Bug: https://sourceforge.net/p/gnuplot/bugs/1933/ +Reviewed-By: Anton Gladky <gl...@debian.org> +Last-Update: 2017-06-16 + +--- gnuplot-5.0.5+dfsg1.orig/src/set.c gnuplot-5.0.5+dfsg1/src/set.c +@@ -5926,6 +5926,7 @@ load_tic_series(AXIS_INDEX axis) + + if (!equals(c_token, ",")) { + /* only step specified */ ++ incr_token = c_token; + incr = start; + start = -VERYLARGE; + end = VERYLARGE; diff --git a/debian/patches/series b/debian/patches/series index 94e0bfa..3c19808 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -6,3 +6,4 @@ 11_fix_linkage_wx.patch 13_honour_SOURCE_DATE_EPOCH.patch 14_strip_username_from_output.patch +20_CVE-2017-9670.patch
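Review bot: the DEP-3 header added in debian/patches/20_CVE-2017-9670.patch describes the change only as "Fix memory corruption vulnerability", while the Origin attachment is named for uninitialized variables; say in the Description that incr_token was left unset on the step-only path, so the header explains the one-line change in set.c. Origin also points at an attachment in a discussion thread, so if upstream has since committed the fix, reference that commit to let the cherry-pick be compared with what was merged.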
Bug#864046: unblock: freemat/4.2+dfsg1-4
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package freemat this version works around #863686 by disabling LLVM-support. unblock freemat/4.2+dfsg1-4 Thanks, Anton
Bug#862214: Pre-approval request, unblock: vtk6/6.3.0+dfsg1-5
Control: tags -1 - moreinfo Uploaded and the package was built successfully on all relevant release platforms. Thanks, Anton 2017-05-12 17:09 GMT+02:00 Niels Thykier <ni...@thykier.net>: > Control: tags -1 confirmed moreinfo > > Anton Gladky: >> Package: release.debian.org >> Severity: normal >> User: release.debian@packages.debian.org >> Usertags: unblock >> >> Please unblock package vtk6 >> >> During the last upload of the version 6.3.0+dfsg1-4 some line endings >> in autopkgtests were accidentally broken and it causes test failures [1]. >> >> This upload is trivial and just replaces broken line endings. >> >> [1] https://ci.debian.net/packages/v/vtk6/unstable/amd64/ >> >> unblock vtk6/6.3.0+dfsg1-5 >> >> >> Thanks, >> >> Anton >> > > Please go ahead and remove the moreinfo tag once the upload has been > accepted into unstable and built on all relevant release architectures. > > Thanks, > ~Niels > >
Bug#862214: Pre-approval request, unblock: vtk6/6.3.0+dfsg1-5
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package vtk6 During the last upload of the version 6.3.0+dfsg1-4 some line endings in autopkgtests were accidentally broken and it causes test failures [1]. This upload is trivial and just replaces broken line endings. [1] https://ci.debian.net/packages/v/vtk6/unstable/amd64/ unblock vtk6/6.3.0+dfsg1-5 Thanks, Anton diff -Nru vtk6-6.3.0+dfsg1/debian/changelog vtk6-6.3.0+dfsg1/debian/changelog --- vtk6-6.3.0+dfsg1/debian/changelog 2017-03-14 21:34:10.0 +0100 +++ vtk6-6.3.0+dfsg1/debian/changelog 2017-05-09 22:38:56.0 +0200 @@ -1,3 +1,9 @@ +vtk6 (6.3.0+dfsg1-5) unstable; urgency=medium + + * Fix line endings in autopkgtests to let them run. + + -- Anton Gladky <gl...@debian.org> Tue, 09 May 2017 22:38:56 +0200 + vtk6 (6.3.0+dfsg1-4) unstable; urgency=medium * [9a28dbe] Fix symlink onto vtk. (Closes: #857533). diff -Nru vtk6-6.3.0+dfsg1/debian/patches/100_javac-heap.patch vtk6-6.3.0+dfsg1/debian/patches/100_javac-heap.patch --- vtk6-6.3.0+dfsg1/debian/patches/100_javac-heap.patch2016-04-14 14:36:27.0 +0200 +++ vtk6-6.3.0+dfsg1/debian/patches/100_javac-heap.patch2017-05-09 22:38:24.0 +0200 @@ -1,8 +1,8 @@ -Description: set JVM max memory to 1024m. -Author: Matthias Klose <d...@ubuntu.com> -Acked-By: Anton Gladky <gl...@debian.org> -Last-Update: 2016-02-12 - +Description: set JVM max memory to 1024m. +Author: Matthias Klose <d...@ubuntu.com> +Acked-By: Anton Gladky <gl...@debian.org> +Last-Update: 2016-02-12 + Index: VTK-6.3.0/Wrapping/Java/CMakeLists.txt === --- VTK-6.3.0.orig/Wrapping/Java/CMakeLists.txt diff -Nru vtk6-6.3.0+dfsg1/debian/patches/101_java_install_path.patch vtk6-6.3.0+dfsg1/debian/patches/101_java_install_path.patch --- vtk6-6.3.0+dfsg1/debian/patches/101_java_install_path.patch 2016-04-14 14:36:38.0 +0200 +++ vtk6-6.3.0+dfsg1/debian/patches/101_java_install_path.patch 2017-05-09 22:38:24.0 +0200 
@@ -1,11 +1,11 @@ -Description: Install Java modules in the correct path - This patch corrects the installation of the native Java modules - to go to the path given by the Debian Java Policy. This helps - to later use the simple install file to get them to the right - location in the package. -Author: Gert Wollny <gw.foss...@gmail.com -Last-Update: 2016-03-26 - +Description: Install Java modules in the correct path + This patch corrects the installation of the native Java modules + to go to the path given by the Debian Java Policy. This helps + to later use the simple install file to get them to the right + location in the package. +Author: Gert Wollny <gw.foss...@gmail.com +Last-Update: 2016-03-26 + Index: VTK-6.3.0/CMake/vtkJavaWrapping.cmake === --- VTK-6.3.0.orig/CMake/vtkJavaWrapping.cmake diff -Nru vtk6-6.3.0+dfsg1/debian/patches/102_enable_system_proj4_lib.patch vtk6-6.3.0+dfsg1/debian/patches/102_enable_system_proj4_lib.patch --- vtk6-6.3.0+dfsg1/debian/patches/102_enable_system_proj4_lib.patch 2016-04-14 14:36:45.0 +0200 +++ vtk6-6.3.0+dfsg1/debian/patches/102_enable_system_proj4_lib.patch 2017-05-09 22:38:24.0 +0200 @@ -1,8 +1,8 @@ -Description: Correct code to enable use of system proj4 -Author: Matthew Woehlke <matthew.woeh...@kitware.com> -Bug: https://bugs.debian.org/750184 -Upstream-Bug: http://www.vtk.org/Bug/view.php?id=14126 - +Description: Correct code to enable use of system proj4 +Author: Matthew Woehlke <matthew.woeh...@kitware.com> +Bug: https://bugs.debian.org/750184 +Upstream-Bug: http://www.vtk.org/Bug/view.php?id=14126 + Index: VTK-6.3.0/CMake/FindLIBPROJ4.cmake === --- VTK-6.3.0.orig/CMake/FindLIBPROJ4.cmake diff -Nru vtk6-6.3.0+dfsg1/debian/patches/104_fix_gcc_version_6.patch vtk6-6.3.0+dfsg1/debian/patches/104_fix_gcc_version_6.patch --- vtk6-6.3.0+dfsg1/debian/patches/104_fix_gcc_version_6.patch 2016-04-14 14:36:53.0 +0200 +++ vtk6-6.3.0+dfsg1/debian/patches/104_fix_gcc_version_6.patch 2017-05-09 22:38:24.0 +0200 
@@ -1,7 +1,7 @@ -Description: Fix to be able to compile with gcc-6 -Author: Gerardo Malazdrewicz <gera...@malazdrewicz.com.ar> -Bug: https://bugs.debian.org/812296 - +Description: Fix to be able to compile with gcc-6 +Author: Gerardo Malazdrewicz <gera...@malazdrewicz.com.ar> +Bug: https://bugs.debian.org/812296 + Index: VTK-6.3.0/CMake/GenerateExportHeader.cmake === --- VTK-6.3.0.orig/CMake/GenerateExportHeader.cmake diff -Nru vtk6-6.3.0+dfsg1/debian/patches/105_unforce_embedded_glew.patch vtk6-6.3.0+dfsg1/debian/patches/105_unforce_embedded_glew.patch --- vtk6-6.3.0+dfsg1/debian/p
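Review bot: the changelog hunk says only "Fix line endings in autopkgtests", but the hunks that follow rewrite the DEP-3 headers of files under debian/patches (100_javac-heap.patch, 101_java_install_path.patch, 102_enable_system_proj4_lib.patch, 104_fix_gcc_version_6.patch), with removed and added lines that read identically here. If these are line-ending conversions as well, list them in the changelog entry and state the direction of the conversion; if they are unintended, drop them so the unblock diff contains only the autopkgtest fix.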
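Review bot: in the 101_java_install_path.patch hunk the Author line is re-added with its address still unterminated (`<gw.foss...@gmail.com` has no closing `>`); since the line is being rewritten anyway, close the bracket in the same upload.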
Bug#860310: unblock pre-apptoval request for yade/2017.01a-8
tags 860310 -moreinfo thanks Hi Niels, yade_2017.01a-8 has been successfully built on all relevant release platforms [1]. [1] https://buildd.debian.org/status/package.php?p=yade Best regards Anton 2017-04-17 13:07 GMT+02:00 Niels Thykier: > Ack, please go ahead and let us know when the upload has been built on > all relevant release architectures.
Bug#860346: unblock: oce/0.17.2-2
tags 860346 -moreinfo thanks Hi Niels, oce_0.17.2-2 has been successfully built on all release platforms [1]. [1] https://buildd.debian.org/status/package.php?p=oce Anton 2017-04-17 13:02 GMT+02:00 Niels Thykier: > Ack, please go ahead and let us know once the upload has been compiled > on all relevant release architectures.
Bug#860346: unblock: oce/0.17.2-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package oce The upstream has found and fixed an annoying bug [1] in oce. Debian and Ubuntu packages are affected. OCE_LIBRARIES wrongly includes DRAWEX if -DOCE_DRAW=ON. The attached patch was cherry-picked from upstream repo. unblock oce/0.17.2-2 [1] https://github.com/tpaviot/oce/issues/660 Thanks, Anton diff -Nru oce-0.17.2/debian/changelog oce-0.17.2/debian/changelog --- oce-0.17.2/debian/changelog 2016-06-16 23:05:45.0 +0200 +++ oce-0.17.2/debian/changelog 2017-04-14 22:35:14.0 +0200 @@ -1,3 +1,10 @@ +oce (0.17.2-2) unstable; urgency=medium + + [ Janus Weil ] + * [c25582f] Prevent DRAWEXE from being added to OCE_LIBRARIES. + + -- Anton Gladky <gl...@debian.org> Fri, 14 Apr 2017 22:35:14 +0200 + oce (0.17.2-1) unstable; urgency=medium * [776089c] Imported Upstream version 0.17.2 diff -Nru oce-0.17.2/debian/patches/do_not_add_drawexe.patch oce-0.17.2/debian/patches/do_not_add_drawexe.patch --- oce-0.17.2/debian/patches/do_not_add_drawexe.patch 1970-01-01 01:00:00.0 +0100 +++ oce-0.17.2/debian/patches/do_not_add_drawexe.patch 2017-04-14 22:33:04.0 +0200 
@@ -0,0 +1,25 @@ +From 340781368c4d1902887fe6a5b7288cce5eb53456 Mon Sep 17 00:00:00 2001 +From: Janus Weil <ja...@gcc.gnu.org> +Date: Sun, 12 Mar 2017 16:47:28 +0100 +Subject: [PATCH] prevent DRAWEXE from being added to OCE_LIBRARIES * see issue + #660 + +--- + CMakeLists.txt | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 19e9705..c379b3c 100644 +--- a/CMakeLists.txt b/CMakeLists.txt +@@ -990,7 +990,9 @@ macro(process_module modulename modules_std) + list(APPEND modules ${ARGN}) + endif(NOT OCE_DISABLE_X11) + foreach(module ${modules}) +- list(APPEND OCE_LIBRARIES ${module}) ++ if(NOT module MATCHES ".*EXE") ++ list(APPEND OCE_LIBRARIES ${module}) ++ endif() + set(TOOLKIT_MODULES "") + set(TOOLKIT_DEPENDS "") + set(TOOLKIT_INCLUDE_DIRECTORIES "") diff -Nru oce-0.17.2/debian/patches/series oce-0.17.2/debian/patches/series --- oce-0.17.2/debian/patches/series2016-01-29 13:01:05.0 +0100 +++ oce-0.17.2/debian/patches/series2017-04-14 22:33:49.0 +0200 @@ -1,2 +1,3 @@ split-export.patch speedup-BRepMesh_test.patch +do_not_add_drawexe.patch
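Review bot: in the CMakeLists.txt hunk, `if(NOT module MATCHES ".*EXE")` is not anchored at the end, so it excludes every module whose name contains EXE anywhere, not only DRAWEXE as the Subject states. `MATCHES "EXE$"` or `STREQUAL "DRAWEXE"` would say what is meant, and a comment beside the condition citing issue #660 would explain why executables are kept out of OCE_LIBRARIES.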
Bug#860310: unblock pre-apptoval request for yade/2017.01a-8
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package yade Yade upstream have found a critical bug in so-called periodic boundaries contact detection [1]. It would be good to have this fix in Debian as well. I cherry-picked the upstream's patch, which is attached to this mail. unblock yade/2017.01a-8 [1] http://www.mail-archive.com/yade-dev@lists.launchpad.net/msg12355.html Thanks, Anton diff -Nru yade-2017.01a/debian/changelog yade-2017.01a/debian/changelog --- yade-2017.01a/debian/changelog 2017-02-28 22:03:24.0 +0100 +++ yade-2017.01a/debian/changelog 2017-04-14 12:43:59.0 +0200 @@ -1,3 +1,10 @@ +yade (2017.01a-8) unstable; urgency=medium + + [ Bruno Chareyre ] + * [be08409] Critical bugfix for periodic boundaries. + + -- Anton Gladky <gl...@debian.org> Fri, 14 Apr 2017 12:43:59 +0200 + yade (2017.01a-7) unstable; urgency=medium * [31387da] Add missing dependency on python-pyqt5.qtsvg in python-yade. diff -Nru yade-2017.01a/debian/patches/09_fix_periodic_boundaries.patch yade-2017.01a/debian/patches/09_fix_periodic_boundaries.patch --- yade-2017.01a/debian/patches/09_fix_periodic_boundaries.patch 1970-01-01 01:00:00.0 +0100 +++ yade-2017.01a/debian/patches/09_fix_periodic_boundaries.patch 2017-04-14 12:42:33.0 +0200 
@@ -0,0 +1,28 @@ +From c7c8e6f62d452c81a31415f05a12587a6cc8c452 Mon Sep 17 00:00:00 2001 +From: bchareyre <bruno.chare...@grenoble-inp.fr> +Date: Fri, 14 Apr 2017 12:04:32 +0200 +Subject: [PATCH] Critical bugfix for collision detection in periodic boundary + conditions. Bounds lists were left partially unordered, then some + interactions were never detected (my toughest yade debugging until now). + +--- + pkg/common/InsertionSortCollider.cpp | 6 -- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/pkg/common/InsertionSortCollider.cpp b/pkg/common/InsertionSortCollider.cpp +index dc5d7ac..163a4f4 100644 +--- a/pkg/common/InsertionSortCollider.cpp b/pkg/common/InsertionSortCollider.cpp +@@ -410,8 +410,10 @@ Real InsertionSortCollider::cellWrapRel(const Real x, const Real x0, const Real + void InsertionSortCollider::insertionSortPeri(VecBounds& v, InteractionContainer* interactions, Scene*, bool doCollide){ + assert(periodic); + long =v.loIdx; const long =v.size; +- for(long _i=0; _i<size; _i++){ +- const long i=v.norm(_i); ++ /* We have to visit each bound at least once (first condition), but this is not enough. The correct ordering in the begining of the list needs a second pass to connect begin and end consistently (the second condition). Strictly the second condition should include "+ (v.norm(j+1)==loIdx ? v.cellDim : 0)" but it is ok as is since the shift is added inside the loop. 
*/ ++ long _i=0; ++ for(; (_i<size) || (v[v.norm(_i)].coord < v[v.norm(_i-1)].coord); _i++){ ++ const long i=v.norm(_i);//FIXME: useless, and many others can probably be removed + const long i_1=v.norm(i-1); + //switch period of (i) if the coord is below the lower edge cooridnate-wise and just above the split + if(i==loIdx && v[i].coord<0){ v[i].period-=1; v[i].coord+=v.cellDim; loIdx=v.norm(loIdx+1); } diff -Nru yade-2017.01a/debian/patches/series yade-2017.01a/debian/patches/series --- yade-2017.01a/debian/patches/series 2017-02-26 20:21:22.0 +0100 +++ yade-2017.01a/debian/patches/series 2017-04-14 12:42:59.0 +0200 @@ -1,3 +1,4 @@ 01_remove_google_analytics.patch 08_fix_gui.patch +09_fix_periodic_boundaries.patch
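Review bot: the rewritten loop header in insertionSortPeri, `for(; (_i<size) || (v[v.norm(_i)].coord < v[v.norm(_i-1)].coord); _i++)`, has no upper bound once _i reaches size: it ends only when two neighbouring bounds compare as ordered. The added comment itself says the second condition strictly needs the `v.cellDim` shift at the loIdx wrap, so consider capping the extra pass (for example at 2*size) with an assert behind it, so that termination does not rest on that approximation. The new `//FIXME: useless` on `const long i=v.norm(_i)` is better resolved or dropped before this goes into an unblock.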
Bug#857079: unblock: solvespace/2.3+repack2-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package solvespace This upload fixes an RC-bug #856937 and the patch is very small, adding a dependency on libslvs1 to the -dev package. Diff is attached. unblock solvespace/2.3+repack2-2 Thanks, Anton diff -Nru solvespace-2.3+repack1/debian/changelog solvespace-2.3+repack1/debian/changelog --- solvespace-2.3+repack1/debian/changelog 2016-12-31 09:54:59.0 +0100 +++ solvespace-2.3+repack1/debian/changelog 2017-03-06 20:59:20.0 +0100 @@ -1,3 +1,9 @@ +solvespace (2.3+repack1-2) unstable; urgency=medium + + * [0d4dc2b] Add missing dependency on libslvs1. (Closes: #856937) + + -- Anton Gladky <gl...@debian.org> Mon, 06 Mar 2017 20:59:20 +0100 + solvespace (2.3+repack1-1) unstable; urgency=medium * [a7825d4] Add d/watch. diff -Nru solvespace-2.3+repack1/debian/control solvespace-2.3+repack1/debian/control --- solvespace-2.3+repack1/debian/control 2016-08-15 22:31:44.0 +0200 +++ solvespace-2.3+repack1/debian/control 2016-12-31 09:54:59.0 +0100 @@ -55,7 +55,7 @@ Section: libdevel Architecture: any Multi-Arch: same -Depends: ${misc:Depends}, ${shlibs:Depends} +Depends: ${misc:Depends}, ${shlibs:Depends}, libslvs1 (= ${binary:Version}) Description: SolveSpace geometric kernel (development files) SolveSpace is a parametric 2d/3d CAD. libslvs contains the geometric kernel of SolveSpace, built as a library.
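Review bot: the changelog hunk adds the entry as solvespace (2.3+repack1-2), while the request asks to unblock solvespace/2.3+repack2-2; the unblock line and the uploaded version have to agree, so correct whichever of the two is wrong before this is acted on.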
Bug#856837: unblock: yade/2017.01a-7
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package yade There were several uploads, which are fixing the RC-bugs #856175 (GUI was not visible completely) and #856218 (detected FTBFS during generation of PDF-file). Debdiff is attached. unblock yade/2017.01a-7 Thanks, Anton diff -Nru yade-2017.01a/debian/changelog yade-2017.01a/debian/changelog --- yade-2017.01a/debian/changelog 2017-01-23 17:36:15.0 +0100 +++ yade-2017.01a/debian/changelog 2017-02-28 22:03:24.0 +0100 @@ -1,3 +1,34 @@ +yade (2017.01a-7) unstable; urgency=medium + + * [31387da] Add missing dependency on python-pyqt5.qtsvg in python-yade. + + -- Anton Gladky <gl...@debian.org> Tue, 28 Feb 2017 22:03:24 +0100 + +yade (2017.01a-6) unstable; urgency=medium + + * [2366d84] Add missing dependency on python-pyqt5.qtsvg. + + -- Anton Gladky <gl...@debian.org> Tue, 28 Feb 2017 21:53:02 +0100 + +yade (2017.01a-5) unstable; urgency=medium + + * [eb193dd] Revert patch applied by last upload. + * [11efabc] Stop generating of PDF file. (Closes: #856218) + + -- Anton Gladky <gl...@debian.org> Mon, 27 Feb 2017 23:20:27 +0100 + +yade (2017.01a-4) unstable; urgency=medium + + * [e248862] Fix FTBFS during documentation build. (Closes: #856218) + + -- Anton Gladky <gl...@debian.org> Sun, 26 Feb 2017 20:21:22 +0100 + +yade (2017.01a-3) unstable; urgency=medium + + * [14120f5] Initialize GUI in IPython 5. (Closes: #856175) + + -- Anton Gladky <gl...@debian.org> Sun, 26 Feb 2017 00:47:26 +0100 + yade (2017.01a-2) unstable; urgency=medium * [1a804bb] Disable parallel build. diff -Nru yade-2017.01a/debian/control yade-2017.01a/debian/control --- yade-2017.01a/debian/control2017-01-19 22:48:02.0 +0100 +++ yade-2017.01a/debian/control2017-02-28 22:03:03.0 +0100 @@ -32,6 +32,7 @@ python-numpy, python-sip, python-pyqt5, + python-pyqt5.qtsvg, python-tk, python-xlib, zlib1g-dev 
@@ -108,6 +109,7 @@ python-matplotlib, python-minieigen, python-pyqt5, + python-pyqt5.qtsvg, python-tk, python-xlib, ${misc:Depends}, diff -Nru yade-2017.01a/debian/patches/08_fix_gui.patch yade-2017.01a/debian/patches/08_fix_gui.patch --- yade-2017.01a/debian/patches/08_fix_gui.patch 1970-01-01 01:00:00.0 +0100 +++ yade-2017.01a/debian/patches/08_fix_gui.patch 2017-02-26 00:46:13.0 +0100 @@ -0,0 +1,21 @@ +From: Anton Gladky <gl...@debian.org> +Date: Sat, 25 Feb 2017 22:30:24 +0100 +Subject: [PATCH] Initialize gui in IPython 5. +--- + core/main/main.py.in | 7 +-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +Index: yade/core/main/main.py.in +=== +--- yade.orig/core/main/main.py.in yade/core/main/main.py.in +@@ -244,6 +244,9 @@ def userSession(gui='none',qapp=None): + InteractiveShellEmbed.config=cfg + InteractiveShellEmbed.banner1=banner+'\n' + ipshell=InteractiveShellEmbed() ++ # If IPython > 5 one need to initialize graphic gui ++ if ((gui == "qt5" or gui == "qt4")and yade.runtime.ipython_version>=500): ++ ipshell.enable_gui(gui) + ipshell() + + ## run userSession in a way corresponding to the features we use: diff -Nru yade-2017.01a/debian/patches/series yade-2017.01a/debian/patches/series --- yade-2017.01a/debian/patches/series 2017-01-19 22:46:11.0 +0100 +++ yade-2017.01a/debian/patches/series 2017-02-26 20:21:22.0 +0100 @@ -1 +1,3 @@ 01_remove_google_analytics.patch +08_fix_gui.patch + diff -Nru yade-2017.01a/debian/rules yade-2017.01a/debian/rules --- yade-2017.01a/debian/rules 2017-01-23 17:35:59.0 +0100 +++ yade-2017.01a/debian/rules 2017-02-27 23:21:05.0 +0100 
@@ -47,7 +47,7 @@ dh_numpy ifeq ($(BUILD_DOC), yes) #Generate docs - cd $(CURDIR)/doc/sphinx; PYTHONPATH=. $(tmpInstall)/usr/bin/yade yadeSphinx.py; cd _build/latex; xelatex Yade.tex; xelatex Yade.tex; xelatex Yade.tex; + cd $(CURDIR)/doc/sphinx; PYTHONPATH=. $(tmpInstall)/usr/bin/yade yadeSphinx.py endif #Delete all pyc files find . -name '*.pyc' -print0 | xargs -0 rm -f diff -Nru yade-2017.01a/debian/yade-doc.doc-base yade-2017.01a/debian/yade-doc.doc-base --- yade-2017.01a/debian/yade-doc.doc-base 2014-06-25 20:23:46.0 +0200 +++ yade-2017.01a/debian/yade-doc.doc-base 2017-02-27 23:21:05.0 +0100 @@ -7,6 +7,3 @@ Format: html Index: /usr/share/doc/yade-doc/html/index.html Files: /usr/share/doc/yade-doc/*.* - -Format: PDF -Files: /usr/share/doc/yade-doc/Yade.pdf diff -Nru yade-2017.01a/debian/yade-doc.docs ya
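Review bot: in debian/patches/08_fix_gui.patch the added comment says "If IPython > 5" but the condition is `yade.runtime.ipython_version>=500`, which also covers 5.0 itself; the comment should say ">= 5". The patch header also states "5 insertions(+), 2 deletions(-)" while the embedded hunk (`-244,6 +244,9`) only adds three lines, so the header should be regenerated from the actual change. A space is missing before `and` in the condition.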
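Review bot: the debian/patches/series hunk (`-1 +1,3`) adds an empty line after `08_fix_gui.patch`; drop the trailing blank line so the hunk only adds the patch name.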
Bug#845819: nmu all revers build depends of eigen3
Hi Niels, 2017-02-05 17:52 GMT+01:00 Niels Thykier: > We don't plan to rebuild for the sake of rebuilding, so I am closing > this request with no action. > > Please do reopen it if there are requirements (i.e. something breaks) if > we do not recompile the reverse dependencies. But from what I can tell > so far, this is not the case here. Sure, no problem with the bug closing. It is probably a question for a longer discussion in the future, how we should proceed with header-only libraries. Usually I do not ask for rebuilding after an upload of this package. But there was a discussion last August [1] regarding this topic. And sometimes it really makes sense to rebuild all rdeps. [1] https://lists.debian.org/debian-science/2016/08/msg00032.html Best regards Anton
Bug#845819: nmu all revers build depends of eigen3
It is a header-only library. There is no ABI. But it would be good to build all deps against new eigen3. Regards Anton 2017-01-18 0:30 GMT+01:00 Emilio Pozuelo Monfort <po...@debian.org>: > On 26/11/16 23:03, Anton Gladky wrote: >> Package: release.debian.org >> Severity: normal >> User: release.debian@packages.debian.org >> Usertags: binnmu >> >> Dear release team, >> >> the new version of the header-only library eigen3 has recently >> been released and uploaded into Debian. Thus it would >> be good to rebuild all reverse dependencies of this package >> in the archive. >> >> The attached list contains all possible reverse-dependencies, >> which need to be binNMUed. > > Why is this needed? Did libeigen break the ABI? > > Cheers, > Emilio
Bug#845819: nmu all revers build depends of eigen3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: binnmu Dear release team, the new version of the header-only library eigen3 has recently been released and uploaded into Debian. Thus it would be good to rebuild all reverse dependencies of this package in the archive. The attached list contains all possible reverse-dependencies, which need to be binNMUed. If there is a better mechanism to make such a request, please let me know. Thank you Anton analitza avogadro cain calligra ceres-solver csound digikam dolfin fastqtl freecad gnudatalanguage guitarix iqtree kalzium kido kstars lammps liggghts mia minieigen movit mpqc3 mrpt nanopolish openbabel opencv openscad opensurgsim orocos-kdl palabos paraview pcl probabel purify ros-eigen-stl-containers ros-geometric-shapes ros-geometry ros-geometry-experimental ros-laser-geometry ros-pcl-conversions ros-rviz salmon sopt step tiledarray woo yade cufflinks
Bug#844526: Bug#844486: gnuplot-qt: Mismatch between the program and library build versions with GNUTERM=wxt
Hi Olly, thanks for your opinion! From my point of view, wxwidgets3.0 should be binNMUed together with all rdeps, because even a minor source upload of wxwidgets3.0 will start this process anyway, but in an uncoordinated mode. Cheers Anton 2016-11-17 2:36 GMT+01:00 Olly Betts: > However, if you want to eliminate this warning message and are going to > binNMU wxwidgets3.0 to that end, you will also need to binNMU any of its > rdeps which haven't been built with the newer compiler ABI, or else > you're just going to swap around which rdeps issue this warning. > > Cheers, > Olly
Bug#844526: nmu: wxwidgets3.0_3.0.2+dfsg-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: binnmu Dear release team, wxwidgets needs to be recompiled due to a version mismatch. See #844486 for more details. Recompiling this package fixes the problem in #844486. nmu wxwidgets3.0_3.0.2+dfsg-2 . ANY . unstable . -m "Fix ABI mismatch" Thanks, Anton
Re: jessie-pu: package libiberty/20161017-1+deb8u1
Hello Adam, 2016-10-17 21:48 GMT+02:00 Adam D. Barratt: > Please file this as an appropriately-tagged bug against > release.debian.org; mails to the list have a tendency to get lost. Thanks for the review. I used reportbug, but it did not send a mail to submit@b.d.o. Will repeat the procedure. >> Also libiberty is statically linked against "ht" which should also >> be updated in order to fix the same CVEs, because ht used >> an embedded copy of libiberty (#840358). > > I'm slightly confused here. libiberty is statically linked against > something that embeds libiberty? That seems somewhat circular. ht contained a vulnerable embedded copy of libiberty. I stripped it out and built ht against fixed libiberty, which is now statically linked against ht. So, for the proper fixing of all CVEs in Jessie and potentially in Wheezy one needs to backport the newest libiberty and then upload the stripped version of ht. > From a very quick look: > > +libiberty (20161017-1+deb8u1) jessie-proposed-updates; urgency=medium > +libiberty (20161017-1) unstable; urgency=medium > That's broken. The upload to stable needs to have a lower version than > unstable. libiberty (20161017-1~deb8u1): will that work? > diff -Nru libiberty-20141014/debian/compat libiberty-20161017/debian/compat > --- libiberty-20141014/debian/compat2013-11-16 20:38:52.0 +0100 > +++ libiberty-20161017/debian/compat2016-02-15 20:15:24.0 +0100 > @@ -1 +1 @@ > -7 > +9 > [...] > -Build-Depends: debhelper (>= 8.0.0), autotools-dev > -Standards-Version: 3.9.6 > +Build-Depends: debhelper (>= 9), autotools-dev > > That's not an acceptable change for a stable update. Ok, I will revert it. > The debdiff also doesn't appear to contain any changes outside of > debian/, which makes it impossible to review. I filtered it because the full diff is over 40k lines, which is unreadable. To fix those CVEs we need to backport the complete new version. Thanks Anton
jessie-pu: package libiberty/20161017-1+deb8u1
Dear release team, libiberty needs to be updated in Jessie, because the newer version fixes many security issues: CVE-2016-4487 CVE-2016-4488 CVE-2016-4489 CVE-2016-4490 CVE-2016-4492 CVE-2016-4493 CVE-2016-2226 CVE-2016-6131 Also libiberty is statically linked against "ht" which should also be updated in order to fix the same CVEs, because ht used an embedded copy of libiberty (#840358). Please review the attached patch (filtered). Thanks Anton diff -Nru libiberty-20141014/debian/changelog libiberty-20161017/debian/changelog --- libiberty-20141014/debian/changelog 2014-10-14 14:24:19.0 +0200 +++ libiberty-20161017/debian/changelog 2016-10-17 21:05:57.0 +0200 
@@ -1,3 +1,38 @@ +libiberty (20161017-1+deb8u1) jessie-proposed-updates; urgency=medium + + * Update to the latest version. Fix security issues. +CVE-2016-4487 CVE-2016-4488 CVE-2016-4489 CVE-2016-4490 +CVE-2016-4492 CVE-2016-4493 CVE-2016-2226 CVE-2016-6131 + + -- Anton Gladky <gl...@debian.org> Mon, 17 Oct 2016 21:05:57 +0200 + +libiberty (20161017-1) unstable; urgency=medium + + * Update to 20161017 (CVE-2016-6131). Closes: #840889. + * Don't apply "fixes" which are not yet accepted upstream. + + -- Matthias Klose <d...@debian.org> Mon, 17 Oct 2016 11:37:08 +0200 + +libiberty (20161011-1) unstable; urgency=medium + + * Update to 20161011 (security issues fixed: CVE-2016-6131, CVE-2016-4493, +CVE-2016-4492, CVE-2016-4491, CVE-2016-4490, CVE-2016-4489, CVE-2016-4488, +CVE-2016-4487, CVE-2016-2226. Closes: #840360. + + -- Matthias Klose <d...@debian.org> Tue, 11 Oct 2016 09:14:23 +0200 + +libiberty (20160807-1) unstable; urgency=medium + + * Update to 20160807. + + -- Matthias Klose <d...@debian.org> Sun, 07 Aug 2016 14:03:33 +0200 + +libiberty (20160215-1) unstable; urgency=medium + + * Update to 20160215. + + -- Matthias Klose <d...@debian.org> Mon, 15 Feb 2016 20:15:28 +0100 + libiberty (20141014-1) unstable; urgency=medium * Update to 20141014. diff -Nru libiberty-20141014/debian/compat libiberty-20161017/debian/compat --- libiberty-20141014/debian/compat 2013-11-16 20:38:52.0 +0100 +++ libiberty-20161017/debian/compat 2016-02-15 20:15:24.0 +0100 @@ -1 +1 @@ -7 +9 diff -Nru libiberty-20141014/debian/control libiberty-20161017/debian/control --- libiberty-20141014/debian/control 2014-10-14 14:23:49.0 +0200 +++ libiberty-20161017/debian/control 2016-08-07 14:04:01.0 +0200 
@@ -3,8 +3,8 @@ Priority: optional Maintainer: Debian GCC Maintainers <debian-...@lists.debian.org> Uploaders: Matthias Klose <d...@debian.org> -Build-Depends: debhelper (>= 8.0.0), autotools-dev -Standards-Version: 3.9.6 +Build-Depends: debhelper (>= 9), autotools-dev +Standards-Version: 3.9.8 Homepage: http://gcc.gnu.org/ Package: libiberty-dev diff -Nru libiberty-20141014/debian/patches/use-ldflags.diff libiberty-20161017/debian/patches/use-ldflags.diff --- libiberty-20141014/debian/patches/use-ldflags.diff 2014-10-14 14:28:49.0 +0200 +++ libiberty-20161017/debian/patches/use-ldflags.diff 2016-10-11 09:17:52.0 +0200 @@ -2,7 +2,7 @@ === --- a/libiberty/Makefile.in +++ b/libiberty/Makefile.in -@@ -415,7 +415,7 @@ TAGS: $(CFILES) +@@ -416,7 +416,7 @@ etags tags TAGS: etags-subdir demangle: $(ALL) $(srcdir)/cp-demangle.c @echo "The standalone demangler, now named c++filt, is now" @echo "a part of binutils."
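Review bot: in the debian/changelog hunk the new entry is versioned `20161017-1+deb8u1`, which sorts above the `20161017-1` entry for unstable directly below it; a jessie upload needs a version that sorts below unstable, for example with a `~deb8u1` suffix. The CVE list in the new entry also leaves out CVE-2016-4491, which the 20161011-1 entry lists as fixed; add it or state why it does not apply.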
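Review bot: the debian/compat hunk (7 to 9) and the debian/control hunk (`debhelper (>= 9)`, Standards-Version 3.9.8) are packaging changes that the security fixes named in the changelog do not need; for a jessie-proposed-updates upload keep both files as they are in 20141014-1 so the diff stays limited to what the CVE fixes require.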
Re: Unsattisfied dependency python-cffi-backend-api-min (<= 9729)
Dear all, is there any progress on this issue? How can we help with it? I have 3 pending packages, waiting to be built. Thanks Anton
Re: Unsattisfied dependency python-cffi-backend-api-min (<= 9729)
Dear all, I have just uploaded dose3_5.0-1~bpo8+1 into jessie-backports. Thanks Anton 2016-06-29 11:37 GMT+02:00 Ralf Treinen <trei...@pps.univ-paris-diderot.fr>: > Hi, > > On Wed, Jun 29, 2016 at 07:34:03AM +0200, Johannes Schauer wrote: >> Hi Anton, >> >> Quoting Anton Gladky (2016-06-29 07:30:36) >> > are you planning to upload dose3 to jessie-backports? >> >> I would like to ask Ralf to do that because I never did a backport upload and >> would first have to familiarize myself with all the policies and >> technicalities >> for which I currently do not have time right now. > > yes I can do that in the next days. I think Josch prepared already > something in our git repo. > > Cheers -Ralf. > -- > Ralf Treinen > Institut de Recherche en Informatique Fondamentale > Équipe Preuves, Programmes et Systèmes > Université Paris Diderot, Paris, France. > http://www.irif.univ-paris-diderot.fr/~treinen/
Re: Unsattisfied dependency python-cffi-backend-api-min (<= 9729)
Hi Johannes, are you planning to upload dose3 to jessie-backports? Thanks Anton 2016-06-22 13:32 GMT+02:00 Johannes Schauer: > Hi all, > > Quoting Pietro Abate (2016-06-22 11:44:59) > > Hei josh, can you check this branch ? > > > > dose3.5.0-debian-jessie > > > > I don't have a vm with debian jessie ready, but I've used an opam > > switch that should be close enough to what we have in jessie. > > thanks to Pietro we now have a patch that lets dose3 from experimental > work in > stable. I pushed it to the branch jessie-backports/master of the dose3 > packaging git. > > > https://anonscm.debian.org/cgit/pkg-ocaml-maint/packages/dose3.git/commit/?h=jessie-backports/master=e6b2a9b7321cf5639826ef73ff6f668dfc3fdf0d > > It builds fine inside a Jessie chroot with backports enabled (needed for > newer > librpm). > > Thanks! > > cheers, josch >
Unsattisfied dependency python-cffi-backend-api-min (<= 9729)
Dear release team, I am not sure whether I am asking this question at the correct address. If I am not right, please redirect me. Two of my packages (liggghts and yade) are waiting to be built on build servers due to an unsatisfied dependency with the following note: = liggghts build-depends on: - amd64:libvtk6-dev amd64:libvtk6-dev depends on: - amd64:python-vtk6 (= 6.3.0+dfsg1-1) amd64:python-vtk6 depends on: - amd64:python-twisted amd64:python-twisted depends on: - amd64:python-twisted-core (>= 16.2.0-1) amd64:python-twisted-core depends on: - amd64:python-openssl amd64:python-openssl depends on: - amd64:python-cryptography (>= 1.3) amd64:python-cryptography depends on missing: - amd64:python-cffi-backend-api-min (<= 9729) = Can it happen due to some ongoing transitions and I should just wait? Thank you Anton
Bug#824887: transition: gl2ps
Thanks, have just uploaded it to unstable. Regards Anton 2016-05-27 12:30 GMT+02:00 Emilio Pozuelo Monfort: > BTW did you test that the rdeps build against the new version? If so, then you > can go ahead and upload to unstable.
Bug#824887: transition: gl2ps
Hi Emilio, no problem. Is it possible to schedule "gmsh" to be built after "oce" during the transition? Thanks Anton 2016-05-21 11:20 GMT+02:00 Emilio Pozuelo Monfort: > > Let's wait until the gdal transition is finished.
Bug#824887: transition: gl2ps
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition New lib-version. Ben file: title = "gl2ps"; is_affected = .depends ~ "libgl2ps0" | .depends ~ "libgl2ps1"; is_good = .depends ~ "libgl2ps1"; is_bad = .depends ~ "libgl2ps0"; -- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (900, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.4.0-1-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
Bug#812314: nmu: oce_0.15-7
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: binnmu nmu oce_0.15-7 . ANY . unstable . -m "Rebuild oce against freeimage_3.17" Dear release team, oce needs to be rebuilt against freeimage_3.17, because shared objects are now shipped in multi-arch way and it causes FTBFS of 3rd party package #812269. Thanks Anton
Bug#808521: transition: mpich
Hi Emilio, 2016-01-09 12:07 GMT+01:00 Emilio Pozuelo Monfort: > > netpipe-mpich2 depends on mpich2 > Fixed (NMUed). > espresso/s390x failed to build > Fixed in package elpa, could you please schedule espresso_s390x and check, whether we can finish this transition? Thanks Regards Anton
Bug#808521: transition: mpich
2016-01-09 12:07 GMT+01:00 Emilio Pozuelo Monfort: > I won't know until the package gets to 5/5 and britney tries to migrate it, > but > some potential issues: > > netpipe-mpich2 depends on mpich2 I will NMU it. > espresso/s390x failed to build I was trying to fix it, but it looks like it fails on other archs too. Will file RC-bug. Regards Anton
Bug#808521: transition: mpich
Hi Emilio, it looks like almost all problems were resolved. Could you please check, what should be done to finish this transition? Thanks Anton > e.g. netpipe fails because mpicc.mpich2 is gone, other packages fail because > they can't find mpif77.mpich... > > Emilio