Bug#942440: transition: libevent

2019-11-12 Thread Balint Reczey
On Mon, Nov 11, 2019 at 11:07 PM Paul Gevers  wrote:
>
> Control: tags -1 confirmed
>
> Hi Balint,
>
> On 16-10-2019 13:44, Balint Reczey wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: transition
> >
> > Dear Release Team,
> >
> > I would like to update libevent in unstable.
> >
> > I have performed test rebuilds [1] in Ubuntu 19.10 which found no
> > libevent-specific FTBFS issue.
>
> Please go ahead.

Uploaded, thanks.

Cheers,
Balint

-- 
Balint Reczey
Ubuntu & Debian Developer



Bug#942440: transition: libevent

2019-10-16 Thread Balint Reczey
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Dear Release Team,

I would like to update libevent in unstable.

I have performed test rebuilds [1] in Ubuntu 19.10 which found no
libevent-specific FTBFS issue.

In terms of 'ben' lingo, the transition has the following parameters:

Affected: .depends ~ /\b(libevent\-2\.1\-7|libevent\-core\-2\.1\-7|libevent\-extra\-2\.1\-7|libevent\-openssl\-2\.1\-7|libevent\-pthreads\-2\.1\-7|libevent\-2\.1\-6|libevent\-core\-2\.1\-6|libevent\-extra\-2\.1\-6|libevent\-openssl\-2\.1\-6|libevent\-pthreads\-2\.1\-6)\b/
Good: .depends ~ /\b(libevent\-2\.1\-7|libevent\-core\-2\.1\-7|libevent\-extra\-2\.1\-7|libevent\-openssl\-2\.1\-7|libevent\-pthreads\-2\.1\-7)\b/
Bad: .depends ~ /\b(libevent\-2\.1\-6|libevent\-core\-2\.1\-6|libevent\-extra\-2\.1\-6|libevent\-openssl\-2\.1\-6|libevent\-pthreads\-2\.1\-6)\b/

Cheers,
Balint

[1]: https://launchpad.net/~rbalint/+archive/ubuntu/scratch4/+packages
--
Balint Reczey
Ubuntu & Debian Developer



Bug#918706: nmu: multiple imagemagick reverse dependencies

2019-01-08 Thread Balint Reczey
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: binnmu
Severity: normal

Dear Release Team,

Imagemagick upstream temporarily broke ABI (#916839) and the following
packages may need a binNMU as the current packages were built and
linked with the broken imagemagick libraries while they were present
in the archive:

  nmu aiscm_0.18.1-1 . ANY . -m 'Rebuild against imagemagick that fixed ABI breakage.'
  nmu chafa_1.0.1-2 . ANY . -m 'Rebuild against imagemagick that fixed ABI breakage.'
  nmu emacs_1:25.2+1-11 . ANY . -m 'Rebuild against imagemagick that fixed ABI breakage.'
  nmu gem_1:0.94~pre1-1 . ANY . -m 'Rebuild against imagemagick that fixed ABI breakage.'
  nmu graphicsmagick_1.4~hg15873-1 . ANY . -m 'Rebuild against imagemagick that fixed ABI breakage.'
  nmu inkscape_0.92.3-7 . ANY . -m 'Rebuild against imagemagick that fixed ABI breakage.'
  nmu pqiv_2.11-1 . ANY . -m 'Rebuild against imagemagick that fixed ABI breakage.'
  nmu vips_8.7.2-1 . ANY . -m 'Rebuild against imagemagick that fixed ABI breakage.'

Imagemagick is already built for the release architectures but on some
ports a dependency-wait could be applied for imagemagick
(8:6.9.10.23+dfsg-1).

Thanks,
Balint

-- 
Balint Reczey
Ubuntu & Debian Developer



Bug#877374: stretch-pu: shadow 1:4.4-4.1+deb9u1

2018-01-13 Thread Balint Reczey
On Sat, Jan 13, 2018 at 5:14 PM, Julien Cristau <jcris...@debian.org> wrote:
> Control: tag -1 moreinfo
>
> On Sun, Oct  1, 2017 at 08:04:48 +0200, Balint Reczey wrote:
>
>>  shadow (1:4.4-4.1+deb9u1) stretch; urgency=medium
>>  .
>>* Revert adding pts/0 and pts/1 to securetty.
>>  Adding pts/* defeats the purpose of securetty. Let containers add it if
>>  needed as described in #830255.
>
> I'm not sure I'm comfortable with the regression risk for users from
> this one.  How long have those been listed in securetty?

It was added in 1:4.4-2 since 2017-01-19 to 2017-09-27 when 1:4.5-1 reverted it.

Cheers,
Balint



Bug#877374: stretch-pu: shadow 1:4.4-4.1+deb9u1

2017-10-01 Thread Balint Reczey
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear Release Team,

I have prepared an update for the shadow package which may be released
as a stable update:

Changes:
 shadow (1:4.4-4.1+deb9u1) stretch; urgency=medium
 .
   * Revert adding pts/0 and pts/1 to securetty.
     Adding pts/* defeats the purpose of securetty. Let containers add it if
     needed as described in #830255.
   * Fix buffer overflow if NULL line is present in db (CVE-2017-12424)
     (Closes: #756630)

The Security Team suggested fixing those minor security-related issues via
proposed-updates rather than via stretch-security.

Thanks,
Balint

diff -Nru shadow-4.4/debian/changelog shadow-4.4/debian/changelog
--- shadow-4.4/debian/changelog	2017-05-17 13:59:59.0 +0200
+++ shadow-4.4/debian/changelog	2017-09-30 03:30:30.0 +0200
@@ -1,3 +1,13 @@
+shadow (1:4.4-4.1+deb9u1) stretch; urgency=medium
+
+  * Revert adding pts/0 and pts/1 to securetty.
+Adding pts/* defeats the purpose of securetty. Let containers add it if
+needed as described in #830255.
+  * Fix buffer overflow if NULL line is present in db (CVE-2017-12424)
+(Closes: #756630)
+
+ -- Balint Reczey <bal...@balintreczey.hu>  Fri, 29 Sep 2017 21:30:30 -0400
+
 shadow (1:4.4-4.1) unstable; urgency=high
 
   * Non-maintainer upload.
diff -Nru shadow-4.4/debian/patches/0009-Fix-buffer-overflow-if-NULL-line-is-present-in-db.patch shadow-4.4/debian/patches/0009-Fix-buffer-overflow-if-NULL-line-is-present-in-db.patch
--- shadow-4.4/debian/patches/0009-Fix-buffer-overflow-if-NULL-line-is-present-in-db.patch	1970-01-01 01:00:00.0 +0100
+++ shadow-4.4/debian/patches/0009-Fix-buffer-overflow-if-NULL-line-is-present-in-db.patch	2017-09-30 03:30:30.0 +0200
@@ -0,0 +1,42 @@
+From 954e3d2e7113e9ac06632aee3c69b8d818cc8952 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tm...@fedoraproject.org>
+Date: Fri, 31 Mar 2017 16:25:06 +0200
+Subject: [PATCH] Fix buffer overflow if NULL line is present in db.
+
+If ptr->line == NULL for an entry, the first cycle will exit,
+but the second one will happily write past entries buffer.
+We actually do not want to exit the first cycle prematurely
+on ptr->line == NULL.
+Signed-off-by: Tomas Mraz <tm...@fedoraproject.org>
+---
+ lib/commonio.c | 8 
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/lib/commonio.c b/lib/commonio.c
+index b10da06a..31edbaaf 100644
+--- a/lib/commonio.c
 b/lib/commonio.c
+@@ -751,16 +751,16 @@ commonio_sort (struct commonio_db *db, int (*cmp) (const void *, const void *))
+ 	for (ptr = db->head;
+ 	(NULL != ptr)
+ #if KEEP_NIS_AT_END
+-	 && (NULL != ptr->line)
+-	 && (   ('+' != ptr->line[0])
+-	 && ('-' != ptr->line[0]))
++	 && ((NULL == ptr->line)
++	 || (('+' != ptr->line[0])
++	 && ('-' != ptr->line[0])))
+ #endif
+ 	 ;
+ 	 ptr = ptr->next) {
+ 		n++;
+ 	}
+ #if KEEP_NIS_AT_END
+-	if ((NULL != ptr) && (NULL != ptr->line)) {
++	if (NULL != ptr) {
+ 		nis = ptr;
+ 	}
+ #endif
+-- 
+2.11.0
+
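Review bot: In the first loop of commonio_sort, entries with ptr->line == NULL are now counted in n and so fall inside the range that gets sorted, which means every cmp callback passed to this function has to tolerate such an entry. The hunk shows neither the callbacks nor the second loop that fills the entries buffer, so please confirm both against the full lib/commonio.c. Dropping the NULL != ptr->line test before nis = ptr is sound, because the loop can now only stop on a non-NULL ptr whose line starts with '+' or '-'. The Debian patch would also benefit from DEP-3 header fields (Origin, Bug-Debian: #756630) and a blank line before Signed-off-by.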
diff -Nru shadow-4.4/debian/patches/series shadow-4.4/debian/patches/series
--- shadow-4.4/debian/patches/series	2017-05-17 13:59:59.0 +0200
+++ shadow-4.4/debian/patches/series	2017-09-30 03:30:30.0 +0200
@@ -6,6 +6,7 @@
 0006-French-manpage-translation.patch
 0007-Fix-some-spelling-issues-in-the-Norwegian-translatio.patch
 0008-su-properly-clear-child-PID.patch
+0009-Fix-buffer-overflow-if-NULL-line-is-present-in-db.patch
 301-Reset-pid_child-only-if-waitpid-was-successful.patch
 
 # These patches are only for the testsuite:
diff -Nru shadow-4.4/debian/securetty.linux shadow-4.4/debian/securetty.linux
--- shadow-4.4/debian/securetty.linux	2017-05-17 13:59:59.0 +0200
+++ shadow-4.4/debian/securetty.linux	2017-09-30 03:30:30.0 +0200
@@ -164,11 +164,6 @@
 ttyM1
 #...
 
-# Unix98 PTY slaves
-pts/0
-pts/1
-#...
-
 # Technology Concepts serial card
 ttyT0
 ttyT1
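Review bot: Removing the pts/0 and pts/1 entries changes root login behaviour on existing stretch installations, so this stable update should carry a debian/NEWS entry telling administrators who rely on root logins over a pty (the container case from #830255) to add the entries to their local securetty file. Nothing in the visible diff adds one.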


Bug#869956: transition: libevent 2.1.8-stable-2

2017-07-27 Thread Balint Reczey
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
Block: -1 by 869900  869902 869951

Dear Release Team,

I would like to upload libevent 2.1.8-stable to unstable.

Test rebuild in Debian revealed 3 reverse build dependencies which FTBFS
and I filed bugs against them linking to the build logs [1].

Test rebuild in Ubuntu showed similar results with a few unrelated build
failures [2].

Thanks,
Balint

[1] https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=libevent-20170726=rbalint%40ubuntu.com;dist=unstable
[2] https://launchpad.net/~rbalint/+archive/ubuntu/libevent-2.1/+packages

-- 
Balint Reczey
Debian & Ubuntu Developer



Bug#863476: unblock: kodi/2:17.1+dfsg1-3

2017-05-27 Thread Balint Reczey
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Dear Release Team,

Please unblock the kodi update which fixes a security issue:

Changes:
 kodi (2:17.1+dfsg1-3) unstable; urgency=medium
 .
   * Fix zip file directory traversal vulnerability (CVE-2017-8314)
 (Closes: #863230)

Please find the debdiff attached.

Cheers,
Balint

-- 
Balint Reczey
Debian & Ubuntu Developer
diff -Nru kodi-17.1+dfsg1/debian/changelog kodi-17.1+dfsg1/debian/changelog
--- kodi-17.1+dfsg1/debian/changelog	2017-04-14 00:07:38.0 +0200
+++ kodi-17.1+dfsg1/debian/changelog	2017-05-27 02:49:58.0 +0200
@@ -1,3 +1,10 @@
+kodi (2:17.1+dfsg1-3) unstable; urgency=medium
+
+  * Fix zip file directory traversal vulnerability (CVE-2017-8314)
+(Closes: #863230)
+
+ -- Balint Reczey <rbal...@ubuntu.com>  Sat, 27 May 2017 00:50:34 +0200
+
 kodi (2:17.1+dfsg1-2) unstable; urgency=medium
 
   * Upload to unstable
diff -Nru kodi-17.1+dfsg1/debian/patches/0005-filesystem-ZipManager-skip-path-traversal.patch kodi-17.1+dfsg1/debian/patches/0005-filesystem-ZipManager-skip-path-traversal.patch
--- kodi-17.1+dfsg1/debian/patches/0005-filesystem-ZipManager-skip-path-traversal.patch	1970-01-01 01:00:00.0 +0100
+++ kodi-17.1+dfsg1/debian/patches/0005-filesystem-ZipManager-skip-path-traversal.patch	2017-05-27 02:49:58.0 +0200
@@ -0,0 +1,107 @@
+From 35cfe35608b15335ef21d798947fceab3f47c8d7 Mon Sep 17 00:00:00 2001
+From: Rechi <re...@users.noreply.github.com>
+Date: Wed, 10 May 2017 10:21:42 +0200
+Subject: [PATCH] [filesystem] ZipManager: skip path traversal
+
+---
+ xbmc/filesystem/ZipManager.cpp  |  3 ++-
+ xbmc/filesystem/ZipManager.h|  3 +++
+ xbmc/filesystem/test/CMakeLists.txt |  3 ++-
+ xbmc/filesystem/test/TestZipManager.cpp | 38 +
+ 4 files changed, 45 insertions(+), 2 deletions(-)
+ create mode 100644 xbmc/filesystem/test/TestZipManager.cpp
+
+diff --git a/xbmc/filesystem/ZipManager.cpp b/xbmc/filesystem/ZipManager.cpp
+index df6220b..f2c6973 100644
+--- a/xbmc/filesystem/ZipManager.cpp
 b/xbmc/filesystem/ZipManager.cpp
+@@ -199,7 +199,8 @@ bool CZipManager::GetZipList(const CURL& url, std::vector& items)
+ // Jump after central file header extra field and file comment
+ mFile.Seek(ze.eclength + ze.clength,SEEK_CUR);
+ 
+-items.push_back(ze);
++if (!std::regex_search(strName, PATH_TRAVERSAL))
++  items.push_back(ze);
+   }
+ 
+   /* go through list and figure out file header lengths */
+diff --git a/xbmc/filesystem/ZipManager.h b/xbmc/filesystem/ZipManager.h
+index 551fe5d..93243b9 100644
+--- a/xbmc/filesystem/ZipManager.h
 b/xbmc/filesystem/ZipManager.h
+@@ -32,12 +32,15 @@
+ #define ECDREC_SIZE 22
+ 
+ #include 
++#include 
+ #include 
+ #include 
+ #include 
+ 
+ class CURL;
+ 
++static const std::regex PATH_TRAVERSAL(R"_((^|\/|\\)\.{2}($|\/|\\))_");
++
+ struct SZipEntry {
+   unsigned int header;
+   unsigned short version;
+diff --git a/xbmc/filesystem/test/CMakeLists.txt b/xbmc/filesystem/test/CMakeLists.txt
+index 5d77633..5be4e3d 100644
+--- a/xbmc/filesystem/test/CMakeLists.txt
 b/xbmc/filesystem/test/CMakeLists.txt
+@@ -2,6 +2,7 @@ set(SOURCES TestDirectory.cpp
+ TestFile.cpp
+ TestFileFactory.cpp
+ TestRarFile.cpp
+-TestZipFile.cpp)
++TestZipFile.cpp
++TestZipManager.cpp)
+ 
+ core_add_test_library(filesystem_test)
+diff --git a/xbmc/filesystem/test/TestZipManager.cpp b/xbmc/filesystem/test/TestZipManager.cpp
+new file mode 100644
+index 000..b72dbb6
+--- /dev/null
 b/xbmc/filesystem/test/TestZipManager.cpp
+@@ -0,0 +1,38 @@
++/*
++ *  Copyright (C) 2017 Team XBMC
++ *  http://xbmc.org
++ *
++ *  This Program is free software; you can redistribute it and/or modify
++ *  it under the terms of the GNU General Public License as published by
++ *  the Free Software Foundation; either version 2, or (at your option)
++ *  any later version.
++ *
++ *  This Program is distributed in the hope that it will be useful,
++ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
++ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ *  GNU General Public License for more details.
++ *
++ *  You should have received a copy of the GNU General Public License
++ *  along with XBMC; see the file COPYING.  If not, see
++ *  <http://www.gnu.org/licenses/>.
++ *
++ */
++
++#include "filesystem/ZipManager.h"
++
++#include "gtest/gtest.h"
++
++TEST(TestZipManager, PathTraversal)
++{
++  ASSERT_TRUE(std::regex_search("..", PATH_TRAVERSAL));
++  ASSERT_TRUE(std::regex_search("../test.txt", PATH_TRAVERSAL));
++  ASSERT_TRUE(std::regex_search("..\\test.txt", PATH_TRAVERSAL));
++  ASSERT_TRUE(std::regex_search("test/../test.txt", PATH_TRAVERSAL));
++  ASSERT_T
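Review bot: The PATH_TRAVERSAL check in GetZipList only rejects names that contain a '..' path segment, so an absolute entry name passes through unchanged; if the code that later joins strName to a destination directory does not normalise it, that case needs its own check and a matching assertion in TestZipManager.cpp. Two smaller points: defining static const std::regex PATH_TRAVERSAL in ZipManager.h constructs a separate regex object in every translation unit that includes the header, so declaring it there and defining it once in ZipManager.cpp would be cleaner, and a skipped entry is dropped silently where a log line naming the archive would help anyone investigating a hostile zip file. The patch is cut off inside the test, so the remaining assertions could not be reviewed.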

Bug#859708: unblock: kodi/2:17.1+dfsg1-2

2017-04-06 Thread Balint Reczey
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Dear Release Team,

Current kodi version in Stretch is 2:17.0+dfsg1-3 but upstream
already released Kodi 17.1 which is available from experimental
as 2:17.1+dfsg1-1.

Among many other bugfixes it fixes #847701 which made kodi unusable on
many slower i386 machines.

I believe 17.1 would be a better fit for Stretch, while the diff
between 17.0 and 17.1 contains quite a lot of bug fixes:

https://github.com/xbmc/xbmc/compare/a10c5048f2487bd9b2dc1f35d2fee48a2594...fc1619b118f6d503f920a49cf4ac4afcd0dd6b41

At the moment 2:17.1+dfsg1-1 is uploaded to experimental only and I
would like to upload 2:17.0+dfsg1-2 with no new changes to
unstable if it would be allowed to migrate to testing.

Otherwise I will just triage and add the fix for #847701 to
2:17.0+dfsg1-3 and upload that minimal change to unstable as
2:17.0+dfsg1-4, but would prefer going the 17.1 way.

Please share your opinion about the options.

The attached patch contains the packaging changes only because the full
debdiff is ~400k.

Cheers,
Balint

unblock kodi/2:17.1+dfsg1-2

diff --git a/debian/changelog b/debian/changelog
index cd613f2..5bda691 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,22 @@
+kodi (2:17.1+dfsg1-1) experimental; urgency=medium
+
+  * Depend on fonts-noto-mono package which contains NotoMono-Regular.ttf
+(Closes: #856668)
+  * Fix FTBFS on alpha by not using Intel assempler code (Closes: #856815)
+  * Imported Upstream version 17.1+dfsg1
+See: https://kodi.tv/kodi-v17-1-krypton
+  * Update my Uploader email address to my Ubuntu one
+  * Fix extract-components target in d/rules
+
+ -- Balint Reczey <rbal...@ubuntu.com>  Sun, 02 Apr 2017 11:01:21 +0200
+
+kodi (2:17.1~rc1+dfsg1-1) experimental; urgency=medium
+
+  * Imported Upstream version 17.1~rc1+dfsg1
+  * Refresh patches
+
+ -- Balint Reczey <bal...@balintreczey.hu>  Tue, 28 Feb 2017 02:21:54 +0100
+
 kodi (2:17.0+dfsg1-3) unstable; urgency=medium
 
   * Ship disabled systemd service file (Closes: #854985, #801886)
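Review bot: The newest changelog stanza in this hunk is 2:17.1+dfsg1-1 for experimental, while the unblock request is for 2:17.1+dfsg1-2. The stanza for the -2 upload to unstable is missing from the diff and should be included so that the reviewed changes match the version being unblocked.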
diff --git a/debian/control b/debian/control
index f15679b..bb44790 100644
--- a/debian/control
+++ b/debian/control
@@ -2,7 +2,7 @@ Source: kodi
 Section: video
 Priority: optional
 Maintainer: Debian Multimedia Maintainers 
<pkg-multimedia-maintain...@lists.alioth.debian.org>
-Uploaders: Balint Reczey <bal...@balintreczey.hu>
+Uploaders: Balint Reczey <rbal...@ubuntu.com>
 Build-Depends: autoconf,
  automake,
  autopoint,
@@ -140,6 +140,7 @@ Multi-Arch: foreign
 Depends: mesa-utils,
  x11-utils,
  fonts-noto-hinted,
+ fonts-noto-mono,
  fonts-roboto-hinted,
  libjs-jquery,
  libjs-iscroll,
diff --git a/debian/patches/06-use-external-libraries.patch 
b/debian/patches/06-use-external-libraries.patch
index 2f2952e..01953b0 100644
--- a/debian/patches/06-use-external-libraries.patch
+++ b/debian/patches/06-use-external-libraries.patch
@@ -15,7 +15,7 @@ Forwarded: not-needed
  all: $(BOOTSTRAP_TARGETS)
 --- a/configure.ac
 +++ b/configure.ac
-@@ -2391,18 +2391,11 @@
+@@ -2392,18 +2392,11 @@
  ], [0])
  
  XB_CONFIG_MODULE([lib/gtest], [
diff --git a/debian/patches/10-dont-use-omitted-files.patch 
b/debian/patches/10-dont-use-omitted-files.patch
index 4b018ac..ca1d57d 100644
--- a/debian/patches/10-dont-use-omitted-files.patch
+++ b/debian/patches/10-dont-use-omitted-files.patch
@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -2203,7 +2203,6 @@
+@@ -2204,7 +2204,6 @@
  tools/Linux/kodi-standalone.sh \
  tools/Linux/kodi-xsession.desktop \
  tools/EventClients/Makefile \
diff --git a/debian/patches/12-build-cpluff-pic-only.patch 
b/debian/patches/12-build-cpluff-pic-only.patch
index 2668b4f..5b483f1 100644
--- a/debian/patches/12-build-cpluff-pic-only.patch
+++ b/debian/patches/12-build-cpluff-pic-only.patch
@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -2385,7 +2385,7 @@
+@@ -2386,7 +2386,7 @@
  --prefix="${prefix}" --includedir="${includedir}" --libdir="${libdir}" 
--datadir="${datadir}" \
  --host=$host_alias \
  --build=$build_alias \
diff --git a/debian/patches/14-ignore-test-results.patch 
b/debian/patches/14-ignore-test-results.patch
index d180146..5dbbc20 100644
--- a/debian/patches/14-ignore-test-results.patch
+++ b/debian/patches/14-ignore-test-results.patch
@@ -1,6 +1,6 @@
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -611,7 +611,7 @@
+@@ -615,7 +615,7 @@
  
  ifeq (1,@GTEST_CONFIGURED@)
  check: testsuite
diff --git a/debian/patches/16-fix-alpha-build.patch 
b/debian/patches/16-fix-alpha-build.patch
new file mode 100644
index 000..0acfb99
--- /dev/null
+++ b/debian/patches/16-fix-alpha-build.patch
@@ -0,0 +1,84 @@
+Description: Fix alpha build
+Forwarded: not-needed
+Author:  Michael Cree <mc...@orcon.net.nz>
+Bug: https://bugs.

Bug#859332: unblock: forked-daapd/24.2-2

2017-04-02 Thread Balint Reczey
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Dear Release Team,

Please unblock latest forked-daapd in unstable.

Changes:
 forked-daapd (24.2-2) unstable; urgency=medium
 .
   * Update my Uploader email address to my Ubuntu one
   * Install systemd service enabled by default (Closes: #858696)

Cheers,
Balint

unblock: forked-daapd/24.2-2

--
Balint Reczey
Debian & Ubuntu Developer
diff -Nru forked-daapd-24.2/debian/changelog forked-daapd-24.2/debian/changelog
--- forked-daapd-24.2/debian/changelog	2016-11-10 21:15:49.0 +0100
+++ forked-daapd-24.2/debian/changelog	2017-04-02 13:11:25.0 +0200
@@ -1,3 +1,10 @@
+forked-daapd (24.2-2) unstable; urgency=medium
+
+  * Update my Uploader email address to my Ubuntu one
+  * Install systemd service enabled by default (Closes: #858696)
+
+ -- Balint Reczey <rbal...@ubuntu.com>  Sun, 02 Apr 2017 12:06:56 +0200
+
 forked-daapd (24.2-1) unstable; urgency=medium
 
   [ Espen Jürgensen ]
diff -Nru forked-daapd-24.2/debian/control forked-daapd-24.2/debian/control
--- forked-daapd-24.2/debian/control	2016-11-10 21:15:49.0 +0100
+++ forked-daapd-24.2/debian/control	2017-04-02 13:11:25.0 +0200
@@ -1,6 +1,6 @@
 Source: forked-daapd
 Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintain...@lists.alioth.debian.org>
-Uploaders: Balint Reczey <bal...@balintreczey.hu>
+Uploaders: Balint Reczey <rbal...@ubuntu.com>
 Section: sound
 Priority: optional
 Build-Depends: debhelper (>= 9~),
@@ -31,6 +31,7 @@
gperf,
autotools-dev,
dh-autoreconf,
+   dh-systemd,
libcurl4-gnutls-dev
 Standards-Version: 3.9.8
 Vcs-Browser: https://anonscm.debian.org/cgit/pkg-multimedia/forked-daapd.git
diff -Nru forked-daapd-24.2/debian/rules forked-daapd-24.2/debian/rules
--- forked-daapd-24.2/debian/rules	2016-11-10 21:15:49.0 +0100
+++ forked-daapd-24.2/debian/rules	2017-04-02 13:11:25.0 +0200
@@ -13,7 +13,7 @@
 export DEB_BUILD_MAINT_OPTIONS = hardening=+all
 
 %:
-	dh $@ --with autoreconf
+	dh $@ --with autoreconf --with systemd
 
 override_dh_auto_configure:
 	dh_auto_configure -- --enable-lastfm --enable-mpd --enable-itunes --enable-chromecast --with-pulseaudio
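Review bot: Adding --with systemd to the dh call makes the package enable its unit at install time, which the changelog describes as "enabled by default", but the diff does not say what happens on upgrade for systems where the service had been left disabled. The changelog or a NEWS entry should state whether an upgrade from 24.2-1 turns the daemon on.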


Bug#857119: unblock: wireshark/2.2.5+g440fd4d-2

2017-03-08 Thread Balint Reczey
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Tags: patch

Dear Release Team,

I have prepared wireshark 2.2.5+g440fd4d-1 in experimental which fixes
9 vulnerabilities and other bugs which are not listed here, just on
the release notes link.

Changes:
 wireshark (2.2.5+g440fd4d-1) experimental; urgency=medium
 .
   * New upstream release
 - release notes:
   https://www.wireshark.org/docs/relnotes/wireshark-2.2.5.html
 - security fixes:
   - The STANAG 4607 file parser could go into an infinite loop
 (CVE-2017-6014)
   - The NetScaler file parser could go into an infinite loop
 (CVE-2017-6467)
   - The NetScaler file parser could crash (CVE-2017-6468)
   - The LDSS dissector could crash (CVE-2017-6469)
   - The IAX2 dissector could go into an infinite loop
 (CVE-2017-6470)
   - The WSP dissector could go into an infinite loop (CVE-2017-6471)
   - The RTMTP dissector could go into an infinite loop
 (CVE-2017-6472)
   - The K12 file parser could crash (CVE-2017-6473)
   - The NetScaler file parser could go into an infinite loop
 (CVE-2017-6474)
   * Update symbols file for libwireshark8

I believe wireshark point releases very rarely cause regressions due
to the heavy testing performed upstream and I think it would be safe
to upload this point release to unstable and let it migrate to
testing.

If you wouldn't like to accept the full point release to Stretch I
will happily backport the security fixes to 2.2.4 and upload that to
unstable.

Please find the patch in the following link because it was too big for
inclusion in the email:

https://people.debian.org/~rbalint/wireshark_2.2.5+g440fd4d-1.patch

Please share your preference regarding the next upload.

Cheers,
Balint

unblock wireshark/2.2.5+g440fd4d-2



Bug#855112: unblock: libevent/2.0.21-stable-3

2017-02-14 Thread Balint Reczey
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Dear Release Team,

Please unblock latest libevent in unstable.

Changes:
 libevent (2.0.21-stable-3) unstable; urgency=medium
 .
   * Fix three vulnerabilites (Closes: #854092):
 - DNS remote stack overread vulnerability (CVE-2016-10195)
 - (Stack) buffer overflow in evutil_parse_sockaddr_port()
   (CVE-2016-10196)
 - Out-of-bounds read in search_make_new() (CVE-2016-10197)
   * Add myself as an uploader
   * ACK NMU

Cheers,
Balint

unblock libevent/2.0.21-stable-3

diff -Nru libevent-2.0.21-stable/debian/changelog libevent-2.0.21-stable/debian/changelog
--- libevent-2.0.21-stable/debian/changelog	2016-11-03 08:43:46.0 +0100
+++ libevent-2.0.21-stable/debian/changelog	2017-02-12 21:45:49.0 +0100
@@ -1,3 +1,15 @@
+libevent (2.0.21-stable-3) unstable; urgency=medium
+
+  * Fix three vulnerabilites (Closes: #854092):
+- DNS remote stack overread vulnerability (CVE-2016-10195)
+- (Stack) buffer overflow in evutil_parse_sockaddr_port()
+  (CVE-2016-10196)
+- Out-of-bounds read in search_make_new() (CVE-2016-10197)
+  * Add myself as an uploader
+  * ACK NMU
+
+ -- Balint Reczey <bal...@balintreczey.hu>  Sun, 12 Feb 2017 21:43:18 +0100
+
 libevent (2.0.21-stable-2.1) unstable; urgency=medium
 
   [ Helmut Grohne ]
diff -Nru libevent-2.0.21-stable/debian/control libevent-2.0.21-stable/debian/control
--- libevent-2.0.21-stable/debian/control	2014-08-25 18:02:38.0 +0200
+++ libevent-2.0.21-stable/debian/control	2017-02-12 21:45:49.0 +0100
@@ -2,7 +2,8 @@
 Section: libs
 Priority: optional
 Maintainer: Anibal Monsalve Salazar <ani...@debian.org>
-Uploaders: Leo Costela <cost...@debian.org>
+Uploaders: Leo Costela <cost...@debian.org>,
+   Balint Reczey <bal...@balintreczey.hu>
 Build-Depends: dpkg-dev (>= 1.16.1~), debhelper (>= 9), libssl-dev, dh-autoreconf
 Standards-Version: 3.9.3
 Homepage: http://libevent.org/
diff -Nru libevent-2.0.21-stable/debian/patches/0001-evdns-fix-searching-empty-hostnames.patch libevent-2.0.21-stable/debian/patches/0001-evdns-fix-searching-empty-hostnames.patch
--- libevent-2.0.21-stable/debian/patches/0001-evdns-fix-searching-empty-hostnames.patch	1970-01-01 01:00:00.0 +0100
+++ libevent-2.0.21-stable/debian/patches/0001-evdns-fix-searching-empty-hostnames.patch	2017-02-12 21:45:49.0 +0100
@@ -0,0 +1,65 @@
+From ec65c42052d95d2c23d1d837136d1cf1d9ecef9e Mon Sep 17 00:00:00 2001
+From: Azat Khuzhin <a3at.m...@gmail.com>
+Date: Fri, 25 Mar 2016 00:33:47 +0300
+Subject: [PATCH] evdns: fix searching empty hostnames
+
+From #332:
+  Here follows a bug report by **Guido Vranken** via the _Tor bug bounty program_. Please credit Guido accordingly.
+
+  ## Bug report
+
+  The DNS code of Libevent contains this rather obvious OOB read:
+
+  ```c
+  static char *
+  search_make_new(const struct search_state *const state, int n, const char *const base_name) {
+  const size_t base_len = strlen(base_name);
+  const char need_to_append_dot = base_name[base_len - 1] == '.' ? 0 : 1;
+  ```
+
+  If the length of ```base_name``` is 0, then line 3125 reads 1 byte before the buffer. This will trigger a crash on ASAN-protected builds.
+
+  To reproduce:
+
+  Build libevent with ASAN:
+  ```
+  $ CFLAGS='-fomit-frame-pointer -fsanitize=address' ./configure && make -j4
+  ```
+  Put the attached ```resolv.conf``` and ```poc.c``` in the source directory and then do:
+
+  ```
+  $ gcc -fsanitize=address -fomit-frame-pointer poc.c .libs/libevent.a
+  $ ./a.out
+  =
+  ==22201== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6006efdf at pc 0x4429da bp 0x7ffe1ed47300 sp 0x7ffe1ed472f8
+  READ of size 1 at 0x6006efdf thread T0
+  ```
+
+P.S. we can add a check earlier, but since this is very uncommon, I didn't add it.
+
+Fixes: #332
+---
+ evdns.c | 5 -
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/evdns.c b/evdns.c
+index 905ff6b..e9dbc35 100644
+--- a/evdns.c
 b/evdns.c
+@@ -3175,9 +3175,12 @@ search_set_from_hostname(struct evdns_base *base) {
+ static char *
+ search_make_new(const struct search_state *const state, int n, const char *const base_name) {
+ 	const size_t base_len = strlen(base_name);
+-	const char need_to_append_dot = base_name[base_len - 1] == '.' ? 0 : 1;
++	char need_to_append_dot;
+ 	struct search_domain *dom;
+ 
++	if (!base_len) return NULL;
++	need_to_append_dot = base_name[base_len - 1] == '.' ? 0 : 1;
++
+ 	for (dom = state->head; dom; dom = dom->next) {
+ 		if (!n--) {
+ 			/* this is the postfix we want */
+-- 
+2.1.4
+
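Review bot: The new early return in search_make_new hands NULL back for an empty base_name, so each caller has to treat NULL as a failed search rather than dereference it. The hunk shows no caller, so please confirm that against evdns.c (the commit message itself notes the check could sit earlier). The patch header carries only the upstream issue number; adding the CVE id that the changelog gives for search_make_new (CVE-2016-10197) and Bug-Debian: #854092 in DEP-3 form would make the Debian patch traceable.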
diff -Nru libevent-2.0.21-stable/debian/patches/0002-test-dns-regression-for-empty-hostname.patch libevent-2.0.21-stable/debian/patches/0002-test-dns-regression-for-empty-hostname.patch
--- libeve

Bug#854910: unblock: ffmpeg/7:3.2.4-1

2017-02-11 Thread Balint Reczey
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Dear Release Team,

The new FFmpeg upstream release contains bug fixes including fixes for
security issues. I believe most non-security related issues would
deserve important severity, too.

I would like to upload the new upstream release to unstable and ship it
in Stretch, but I can also cherry-pick most fixes to the current package
if this would be acceptable.

Please share your opinion about the options.

Cheers,
Balint

unblock ffmpeg/7:3.2.4-1

diff -Nru ffmpeg-3.2.2/Changelog ffmpeg-3.2.4/Changelog
--- ffmpeg-3.2.2/Changelog	2016-12-06 00:28:58.0 +0100
+++ ffmpeg-3.2.4/Changelog	2017-02-10 14:25:37.0 +0100
@@ -1,6 +1,51 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.
 
+version 3.2.4:
+- avcodec/h264_slice: Clear ref_counts on redundant slices
+- lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid
+- lavf/mov.c: Avoid heap allocation wrap in mov_read_hdlr
+- avcodec/pictordec: Fix logic error
+- ffserver_config: Setup codecpar in add_codec()
+- Changelog: fix typos
+
+version 3.2.3:
+- avcodec/movtextdec: Fix decode_styl() cleanup
+- lavf/matroskadec: fix is_keyframe for early Blocks
+- configure: bump year
+- avcodec/pngdec: Check trns more completely
+- avcodec/interplayvideo: Move parameter change check up
+- avcodec/dca_lbr: Fix off by 1 error in freq check
+- avcodec/mjpegdec: Check for for the bitstream end in mjpeg_decode_scan_progressive_ac()
+- pgssubdec: reset rle_data_len/rle_remaining_len on allocation error
+- swscale: save ebx register when it is not available
+- avformat/flacdec: Check avio_read result when reading flac block header.
+- avcodec/utils: correct align value for interplay
+- avcodec/vp56: Check for the bitstream end, pass error codes on
+- avcodec/mjpegdec: Check remaining bitstream in ljpeg_decode_yuv_scan()
+- avcodec/pngdec: Fix off by 1 size in decode_zbuf()
+- libopenmpt: add missing avio_read return value check
+- avcodec/bsf: Fix av_bsf_list_free()
+- avcodec/omx: Do not pass negative value into av_malloc()
+- avformat/avidec: skip odml master index chunks in avi_sync
+- avcodec/mjpegdec: Check for rgb before flipping
+- lavf/utils.c Protect against accessing entries[nb_entries]
+- avutil/random_seed: Reduce the time needed on systems with very low precision clock()
+- swscale/swscale: Fix dereference of stride array before null check
+- avutil/random_seed: Improve get_generic_seed() with higher precision clock()
+- avformat/mp3dec: fix msan warning when verifying mpa header
+- avformat/utils: Print verbose error message if stream count exceeds max_streams
+- avformat/options_table: Set the default maximum number of streams to 1000
+- lavf/chromaprint: Update for version 1.4
+- avutil: Add av_image_check_size2()
+- avformat: Add max_streams option
+- avcodec/ffv1enc: Allocate smaller packet if the worst case size cannot be allocated
+- avcodec/mpeg4videodec: Fix undefined shifts in mpeg4_decode_sprite_trajectory()
+- avformat/oggdec: Skip streams in duration correction that did not had their duration set.
+- avcodec/ffv1enc: Fix size of first slice
+- ffplay: fix sws_scale possible out of bounds array access
+- avfilter/vf_hwupload_cuda: Add min/max limits for the 'device' option
+
 version 3.2.2:
 - ffserver: Check chunk size
 - Avoid using the term "file" and prefer "url" in some docs and comments
diff -Nru ffmpeg-3.2.2/configure ffmpeg-3.2.4/configure
--- ffmpeg-3.2.2/configure	2016-12-06 00:28:58.0 +0100
+++ ffmpeg-3.2.4/configure	2017-02-10 14:25:25.0 +0100
@@ -6703,7 +6703,7 @@
 #define FFMPEG_CONFIG_H
 #define FFMPEG_CONFIGURATION "$(c_escape $FFMPEG_CONFIGURATION)"
 #define FFMPEG_LICENSE "$(c_escape $license)"
-#define CONFIG_THIS_YEAR 2016
+#define CONFIG_THIS_YEAR 2017
 #define FFMPEG_DATADIR "$(eval c_escape $datadir)"
 #define AVCONV_DATADIR "$(eval c_escape $datadir)"
 #define CC_IDENT "$(c_escape ${cc_ident:-Unknown compiler})"
diff -Nru ffmpeg-3.2.2/debian/changelog ffmpeg-3.2.4/debian/changelog
--- ffmpeg-3.2.2/debian/changelog	2017-01-22 00:01:34.0 +0100
+++ ffmpeg-3.2.4/debian/changelog	2017-02-10 22:26:43.0 +0100
@@ -1,3 +1,14 @@
+ffmpeg (7:3.2.4-1) unstable; urgency=medium
+
+  * Import new upstream bugfix release 3.2.4.
+ - Fixes CVE-2016-9561, CVE-2017-5024 and CVE-2017-5025.
+  * Drop patches, included upstream:
+ - lavf-chromaprint-Update-for-version-1.4.patch
+ - libopenmpt-add-missing-avio_read-return-value-check.patch
+ - swscale-save-ebx-register-when-it-is-not-available.patch
+
+ -- Andreas Cadhalpun   Fri, 10 Feb 2017 22:24:45 +0100
+
 ffmpeg (7:3.2.2-2) unstable; urgency=medium
 
   * Cherry-pick patches from upstream:
diff -Nru ffmpeg-3.2.2/debian/patches/lavf-chromaprint-Update-for-version-1.4.patch 

Bug#847490: unblock: ffmpeg/7:3.2.2-1

2016-12-08 Thread Balint Reczey
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-CC: pkg-multimedia-maintain...@lists.alioth.debian.org

Please unblock package ffmpeg and please decrease the migration delay
to 2 days.

According to Andreas Cadhalpun, ffmpeg maintainer, it fixes the following
security issues:

1: https://trac.ffmpeg.org/ticket/5992
2: https://trac.ffmpeg.org/ticket/5994

Please see the debdiff attached.

Thanks,
Balint

unblock ffmpeg/7:3.2.2-1
diff -Nru ffmpeg-3.2.1/Changelog ffmpeg-3.2.2/Changelog
--- ffmpeg-3.2.1/Changelog	2016-11-26 03:12:05.0 +0100
+++ ffmpeg-3.2.2/Changelog	2016-12-06 00:28:58.0 +0100
@@ -1,6 +1,26 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.
 
+version 3.2.2:
+- ffserver: Check chunk size
+- Avoid using the term "file" and prefer "url" in some docs and comments
+- avformat/rtmppkt: Check for packet size mismatches
+- zmqsend: Initialize ret to 0
+- avcodec/flacdec: Fix undefined shift in decode_subframe()
+- avcodec/get_bits: Fix get_sbits_long(0)
+- avformat/ffmdec: Check media type for chunks
+- avcodec/flacdec: Fix signed integer overflow in decode_subframe_fixed()
+- avcodec/flacdsp_template: Fix undefined shift in flac_decorrelate_indep_c
+- avformat/oggparsespeex: Check frames_per_packet and packet_size
+- avformat/utils: Check start/end before computing duration in update_stream_timings()
+- avcodec/flac_parser: Update nb_headers_buffered
+- avformat/idroqdec: Check chunk_size for being too large
+- avcodec/me_cmp: Fix median_sad size
+- avformat/utils: Fix type mismatch
+- configure: check for strtoull on msvc
+- http: move chunk handling from http_read_stream() to http_buf_read().
+- http: make length/offset-related variables unsigned
+
 version 3.2.1:
 - avcodec/aac_adtstoasc_bsf: validate and forward extradata if the stream is already ASC
 - mss2: only use error correction for matching block counts
diff -Nru ffmpeg-3.2.1/configure ffmpeg-3.2.2/configure
--- ffmpeg-3.2.1/configure	2016-11-26 03:12:05.0 +0100
+++ ffmpeg-3.2.2/configure	2016-12-06 00:28:58.0 +0100
@@ -6271,6 +6271,7 @@
 EOF
 fi
 check_func strtoll || add_cflags -Dstrtoll=_strtoi64
+check_func strtoull || add_cflags -Dstrtoull=_strtoui64
 # the new SSA optimzer in VS2015 U3 is mis-optimizing some parts of the code
 # this flag should be re-checked on newer compiler releases and put under a
 # version check once its fixed
diff -Nru ffmpeg-3.2.1/debian/changelog ffmpeg-3.2.2/debian/changelog
--- ffmpeg-3.2.1/debian/changelog	2016-11-27 02:27:33.0 +0100
+++ ffmpeg-3.2.2/debian/changelog	2016-12-06 23:59:13.0 +0100
@@ -1,3 +1,12 @@
+ffmpeg (7:3.2.2-1) unstable; urgency=medium
+
+  * Import new upstream bugfix release 3.2.2.
+  * Fix log messages in autopkgtest.
+  * Enable frei0r on powerpcspe.
+  * Drop --disable-tesseract.
+
+ -- Andreas Cadhalpun <andreas.cadhal...@googlemail.com>  Tue, 06 Dec 2016 23:58:20 +0100
+
 ffmpeg (7:3.2.1-1) unstable; urgency=medium
 
   [ Balint Reczey ]
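Review bot: the 7:3.2.2-1 entry describes the upload only as "Import new upstream bugfix release 3.2.2", while the unblock request is justified by two security issues (trac tickets 5992 and 5994). Mentioning those tickets, or the upstream Changelog entries that fix them, in the entry would keep the security rationale with the package history. The entry also carries two changes that are not fixes ("Enable frei0r on powerpcspe" and "Drop --disable-tesseract"); a short reason for each would help when the upload is judged against a reduced migration delay.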
diff -Nru ffmpeg-3.2.1/debian/control ffmpeg-3.2.2/debian/control
--- ffmpeg-3.2.1/debian/control	2016-11-27 02:27:33.0 +0100
+++ ffmpeg-3.2.2/debian/control	2016-12-06 23:59:13.0 +0100
@@ -25,7 +25,7 @@
 # --enable-libflite
  flite1-dev,
 # --enable-frei0r
- frei0r-plugins-dev [!powerpcspe] ,
+ frei0r-plugins-dev ,
 # --enable-ladspa
  ladspa-sdk,
 # --enable-libass
diff -Nru ffmpeg-3.2.1/debian/rules ffmpeg-3.2.2/debian/rules
--- ffmpeg-3.2.1/debian/rules	2016-11-27 02:27:33.0 +0100
+++ ffmpeg-3.2.2/debian/rules	2016-12-06 23:59:13.0 +0100
@@ -47,7 +47,6 @@
 	--libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
 	--incdir=/usr/include/$(DEB_HOST_MULTIARCH) \
 	--enable-gpl \
-	--disable-libtesseract \
 	--disable-stripping \
 	--enable-avresample \
 	--enable-avisynth \
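Review bot: the flag removed here is --disable-libtesseract, but the changelog entry says "Drop --disable-tesseract"; the entry should use the real flag name. With the explicit disable gone and no --enable-libtesseract or new build dependency visible in this debdiff, the result now depends on what configure does by default, so please state whether libtesseract support is meant to stay off or to be picked up when the library is present in the build environment.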
@@ -142,10 +141,10 @@
 		--disable-libopencv \
 		--disable-libx264
 else
-	CONFIG += --enable-libopencv
+	CONFIG += --enable-libopencv \
+		--enable-frei0r
 ifeq (,$(filter $(DEB_HOST_ARCH),powerpcspe))
-	CONFIG += --enable-frei0r \
-		--enable-libx264
+	CONFIG += --enable-libx264
 endif
 ifeq (,$(filter $(DEB_HOST_ARCH),sh4))
 	CONFIG += --enable-chromaprint
diff -Nru ffmpeg-3.2.1/debian/tests/encdec ffmpeg-3.2.2/debian/tests/encdec
--- ffmpeg-3.2.1/debian/tests/encdec	2016-11-27 02:27:33.0 +0100
+++ ffmpeg-3.2.2/debian/tests/encdec	2016-12-06 23:59:13.0 +0100
@@ -313,7 +313,7 @@
 else
 failures="${failures}${errmsg}\n"
 fi
-echo -e "FAILED: $errmsg\n\n"
+echo -e "\nFAILED: $errmsg\n\n"
 continue
 fi
 ret=0
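Review bot: the changed line keeps "echo -e" with $errmsg inside the format string. The -e option is not specified by POSIX, and where it is supported it also expands backslash sequences that happen to be inside $errmsg, so the failure text in the autopkgtest log can differ from the real message. Unless the script is guaranteed to run under bash, printf '\nFAILED: %s\n\n' "$errmsg" gives the same layout and prints the message literally.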
@@ -326,7 +326,7 @@
 else
 failures="${failures}${errmsg}\n"
 fi
-echo -e "FAILED: $errmsg\n\n"
+echo -e "\nFAILED: $er

Re: Porter roll call for Debian Stretch

2016-08-22 Thread Balint Reczey
On 08/22/2016 07:12 PM, Bálint Réczey wrote:
> Hi Guillem,
> 
> 2016-08-21 14:02 GMT+02:00 Guillem Jover :
>> Hi!
>>
>> On Sun, 2016-08-21 at 10:24:42 +0200, Bálint Réczey wrote:
>>> I'm testing a set of patches [2] for gcc and dpkg which enable bindnow for all
>>> arches and PIE for amd64, ppc64el and s390x in sync with Ubuntu.
>>>
>>> My assumption was that this set of architectures need the least amount of
>>> additional work since they are tested already in Ubuntu, but I would be happy
>>> if more ports would opt in for PIE.
>>>
>>> I plan filing wishlist bugs against dpkg and gcc with the patches after I
>>> rebuilt a few packages with the defaults.
>>
>> TBH I think PIE should in fact be safer to enable globally than
>> bindnow, because the latter changes the run-time behavior and things
>> might break (perhaps even silently) when failing to load plugins
>> or similar.
> 
> Yes, in that sense enabling PIE is safer indeed. Regarding bindnow
> I don't expect too many surprises either, since other distributions
> already tested enabling bindnow and probably they found
> most issues.
> 
>>
>> From dpkg PoV enabling both, would at least require a full-archive
>> rebuild, for bindnow ideally also a full autopkgtest run (as the
>> updated dpkg FAQ states now, after Lucas Nussbaum approached me some
>> weeks ago mentioning he was willing to do such archive-wide rebuild).
> 
> The patches at [2] seem to work well and since you expressed that you would
> prefer changing both toolchain and dpkg, too, I would like to suggest running
> the rebuild with those patches.
> 
> I think Matthias would be OK with the patch since it is very small and brings
> Debian's gcc closer to Ubuntu's.
> 
> Lucas, could you please run the rebuild with the three patches?
> 
> I'll attach the patches to the bug reports.

For the record I have opened #835146, #835148 and #835149 against dpkg
and gcc-6 with the patches.

> 
> [2] https://people.debian.org/~rbalint/ppa/pie-bindnow/
> 



Bug#833145: RM: libcec-platform -- ROM;obsolete; FTBFS, RC-buggy

2016-08-01 Thread Balint Reczey
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

Hi,

Please remove libcec-platform from unstable.

The source package has been replaced by p8-platform.

All reverse dependencies have migrated to p8-platform's binary packages.

Thanks,
Balint



Bug#829650: jessie-pu: package ruby-eventmachine/1.0.3-6+deb8u1

2016-07-04 Thread Balint Reczey
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear Release Team,

The Security Team suggested fixing the TEMP-0678512-2E167C [1] security
issue through a point release.

The issue is a remotely triggerable crash due to stack overflow.

Please see the debdiff attached.

The fix for Wheezy which is very similar was discussed [2] on the Wheezy
LTS list.

Cheers,
Balint

[1] https://security-tracker.debian.org/tracker/TEMP-0678512-2E167C
[2] https://lists.debian.org/debian-lts/2016/06/msg00141.html
diff -Nru ruby-eventmachine-1.0.3/debian/changelog ruby-eventmachine-1.0.3/debian/changelog
--- ruby-eventmachine-1.0.3/debian/changelog	2014-04-07 00:34:46.0 +0200
+++ ruby-eventmachine-1.0.3/debian/changelog	2016-07-04 22:00:03.0 +0200
@@ -1,3 +1,12 @@
+ruby-eventmachine (1.0.3-6+deb8u1) stable; urgency=medium
+
+  * Team upload
+  * Fix remotely triggerable crash due to FD handling
+(Closes: #678512, #696015)
+  * Fix memory leak caused when fixing crash
+
+ -- Balint Reczey <bal...@balintreczey.hu>  Mon, 04 Jul 2016 21:48:06 +0200
+
 ruby-eventmachine (1.0.3-6) unstable; urgency=low
 
   * Bump gem2deb build dependency to 0.7.5~
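Review bot: neither fix bullet names the patch that implements it, and the entry omits the tracker id the request refers to (TEMP-0678512-2E167C). Since the first patch in this debdiff is marked "PATCH 1/3", listing the patch file names under each bullet, in particular which one is the "Fix memory leak caused when fixing crash" follow-up, would make the stable update easier to audit.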
diff -Nru ruby-eventmachine-1.0.3/debian/patches/0001-use-ruby-select-api-with-expandable-fd-sets.patch ruby-eventmachine-1.0.3/debian/patches/0001-use-ruby-select-api-with-expandable-fd-sets.patch
--- ruby-eventmachine-1.0.3/debian/patches/0001-use-ruby-select-api-with-expandable-fd-sets.patch	1970-01-01 01:00:00.0 +0100
+++ ruby-eventmachine-1.0.3/debian/patches/0001-use-ruby-select-api-with-expandable-fd-sets.patch	2016-07-04 22:00:03.0 +0200
@@ -0,0 +1,217 @@
+From eab3baaba75c8c9e549aea54d3b356ab287a57b0 Mon Sep 17 00:00:00 2001
+From: Patrick Reynolds <patrick.reyno...@github.com>
+Date: Tue, 11 Mar 2014 16:01:25 -0500
+Subject: [PATCH 1/3] use ruby select api with expandable fd sets
+
+Conflicts:
+	ext/em.h
+---
+ ext/em.cpp | 54 +-
+ ext/em.h   | 10 +-
+ tests/test_many_fds.rb | 22 
+ 3 files changed, 54 insertions(+), 32 deletions(-)
+ create mode 100644 tests/test_many_fds.rb
+
+diff --git a/ext/em.cpp b/ext/em.cpp
+index 670da31..6a3a2ef 100644
+--- a/ext/em.cpp
 b/ext/em.cpp
+@@ -524,12 +524,12 @@ void EventMachine_t::_RunEpollOnce()
+ 	#ifdef HAVE_RB_WAIT_FOR_SINGLE_FD
+ 	if ((ret = rb_wait_for_single_fd(epfd, RB_WAITFD_IN|RB_WAITFD_PRI, )) < 1) {
+ 	#else
+-	fd_set fdreads;
++	rb_fdset_t fdreads;
+ 
+-	FD_ZERO();
+-	FD_SET(epfd, );
++	rb_fd_init();
++	rb_fd_set(epfd, );
+ 
+-	if ((ret = rb_thread_select(epfd + 1, , NULL, NULL, )) < 1) {
++	if ((ret = rb_thread_fd_select(epfd + 1, , NULL, NULL, )) < 1) {
+ 	#endif
+ 		if (ret == -1) {
+ 			assert(errno != EINVAL);
+@@ -601,12 +601,12 @@ void EventMachine_t::_RunKqueueOnce()
+ 	#ifdef HAVE_RB_WAIT_FOR_SINGLE_FD
+ 	if ((ret = rb_wait_for_single_fd(kqfd, RB_WAITFD_IN|RB_WAITFD_PRI, )) < 1) {
+ 	#else
+-	fd_set fdreads;
++	rb_fdset_t fdreads;
+ 
+-	FD_ZERO();
+-	FD_SET(kqfd, );
++	rb_fd_init();
++	rb_fd_set(kqfd, );
+ 
+-	if ((ret = rb_thread_select(kqfd + 1, , NULL, NULL, )) < 1) {
++	if ((ret = rb_thread_fd_select(kqfd + 1, , NULL, NULL, )) < 1) {
+ 	#endif
+ 		if (ret == -1) {
+ 			assert(errno != EINVAL);
+@@ -792,9 +792,9 @@ SelectData_t::SelectData_t
+ SelectData_t::SelectData_t()
+ {
+ 	maxsocket = 0;
+-	FD_ZERO ();
+-	FD_ZERO ();
+-	FD_ZERO ();
++	rb_fd_init ();
++	rb_fd_init ();
++	rb_fd_init ();
+ }
+ 
+ 
+@@ -807,7 +807,7 @@ _SelectDataSelect
+ static VALUE _SelectDataSelect (void *v)
+ {
+ 	SelectData_t *sd = (SelectData_t*)v;
+-	sd->nSockets = select (sd->maxsocket+1, &(sd->fdreads), &(sd->fdwrites), &(sd->fderrors), &(sd->tv));
++	sd->nSockets = rb_fd_select (sd->maxsocket+1, &(sd->fdreads), &(sd->fdwrites), &(sd->fderrors), &(sd->tv));
+ 	return Qnil;
+ }
+ #endif
+@@ -848,9 +848,9 @@ void EventMachine_t::_RunSelectOnce()
+ 
+ 	SelectData_t SelectData;
+ 	/*
+-	fd_set fdreads, fdwrites;
+-	FD_ZERO ();
+-	FD_ZERO ();
++	rb_fdset_t fdreads, fdwrites;
++	rb_fd_init ();
++	rb_fd_init ();
+ 
+ 	int maxsocket = 0;
+ 	*/
+@@ -860,7 +860,7 @@ void EventMachine_t::_RunSelectOnce()
+ 	// running on localhost with a randomly-chosen port. (*Puke*)
+ 	// Windows has a version of the Unix pipe() library function, but it doesn't
+ 	// give you back descriptors that are selectable.
+-	FD_SET (LoopBreakerReader, &(SelectData.fdreads));
++	rb_fd_set (LoopBreakerReader, &(SelectData.fdreads));
+ 	if (SelectData.maxsocket < LoopBreakerReader)
+ 		SelectData.maxsocket = LoopBreakerReader;
+ 
+@@ -875,15 +875,15 @@ void EventMachine_t::_RunSelectOnce()
+ 		assert (sd != INVALID_SOCKET);
+ 
+ 		if (ed->SelectForRead())
+-			FD_SET (sd, &(SelectData.fdreads));
++			rb_fd_set (sd, &(SelectData.fdre
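Review bot: every converted site now calls rb_fd_init() where it used to call FD_ZERO(), but rb_fd_init() allocates storage that has to be released with rb_fd_term(), and no rb_fd_term() call appears in the visible part of this patch. That affects the local fdreads in _RunEpollOnce() and _RunKqueueOnce() and the three sets initialised in SelectData_t::SelectData_t(), which is constructed on the stack for each _RunSelectOnce() call, so the leak would repeat on every loop iteration. The changelog's "Fix memory leak caused when fixing crash" suggests a later patch in the series handles this; please confirm it covers all of these sites, including the early-return paths after the select call.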

Bug#795002: nmu: motion

2015-08-09 Thread Balint Reczey
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Dear Release Team,

Motion seems to be built in an outdated chroot for the upload.
Please rebuild it to use the latest version of libav.*-dev packages
which are now built from ffmpeg.

nmu motion_3.2.12+git20140228-6 . amd64 . unstable . -m Rebuild against
ffmpeg

Cheers,
Balint





Bug#771804: unblock: xbmc/2:13.2+dfsg1-4

2014-12-02 Thread Balint Reczey
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal


Dear Release Team,

Please unblock xbmc to let it migrate to Jessie.

The update contains only two fixes for important bugs and one minor
source cleaning change which does not affect the built binaries:

Changes:
 xbmc (2:13.2+dfsg1-4) unstable; urgency=medium
 .
   * Version check is now removed from source, no need to remove it
during the build
   * Fix suspend/hibernate with upower = 0.99.1 (Closes: #767161)
   * Fix random failure in playing video using VDPAU (Closes: #742896)

Thanks:
Balint


diff -Nru xbmc-13.2+dfsg1/debian/changelog xbmc-13.2+dfsg1/debian/changelog
--- xbmc-13.2+dfsg1/debian/changelog2014-10-25 00:40:28.0 +0200
+++ xbmc-13.2+dfsg1/debian/changelog2014-11-08 00:05:40.0 +0100
@@ -1,3 +1,11 @@
+xbmc (2:13.2+dfsg1-4) unstable; urgency=medium
+
+  * Version check is now removed from source, no need to remove it during the 
build
+  * Fix suspend/hibernate with upower = 0.99.1 (Closes: #767161)
+  * Fix random failure in playing video using VDPAU (Closes: #742896)
+
+ -- Balint Reczey bal...@balintreczey.hu  Fri, 07 Nov 2014 23:52:10 +0100
+
 xbmc (2:13.2+dfsg1-3) unstable; urgency=medium
 
   [ Balint Reczey ]
diff -Nru 
xbmc-13.2+dfsg1/debian/patches/0017-libav-Fix-uninitialized-read.patch 
xbmc-13.2+dfsg1/debian/patches/0017-libav-Fix-uninitialized-read.patch
--- xbmc-13.2+dfsg1/debian/patches/0017-libav-Fix-uninitialized-read.patch  
1970-01-01 01:00:00.0 +0100
+++ xbmc-13.2+dfsg1/debian/patches/0017-libav-Fix-uninitialized-read.patch  
2014-11-08 00:05:40.0 +0100
@@ -0,0 +1,26 @@
+From 414522d5049a230e71a2c2fef45a6b525d6a9803 Mon Sep 17 00:00:00 2001
+From: Anton Khirnov an...@khirnov.net
+Date: Sun, 26 Oct 2014 18:29:48 +0100
+Subject: [PATCH] Fix uninitialized read.
+
+---
+ xbmc/cores/dvdplayer/DVDCodecs/Video/VDPAU.cpp | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/xbmc/cores/dvdplayer/DVDCodecs/Video/VDPAU.cpp 
b/xbmc/cores/dvdplayer/DVDCodecs/Video/VDPAU.cpp
+index 932985a..9d90a9c 100644
+--- a/xbmc/cores/dvdplayer/DVDCodecs/Video/VDPAU.cpp
 b/xbmc/cores/dvdplayer/DVDCodecs/Video/VDPAU.cpp
+@@ -1095,9 +1095,6 @@ int CDecoder::Decode(AVCodecContext *avctx, AVFrame 
*pFrame)
+ 
+   CSingleLock lock(m_DecoderSection);
+ 
+-  if (m_DecoderError  pFrame)
+-return VC_ERROR;
+-
+   if (!m_vdpauConfigured)
+ return VC_ERROR;
+ 
+-- 
+2.0.0.rc2
+
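Review bot: the commit message is only "Fix uninitialized read" with an empty body, while the hunk deletes the early "return VC_ERROR" in CDecoder::Decode() that was taken on the m_DecoderError and pFrame check. Please say in the patch header which value was read uninitialized, and confirm that a set m_DecoderError is still acted on later in Decode(), since after this change the function continues past the point where it used to bail out. A pointer to the upstream commit or to #742896 in the header would also help.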
diff -Nru 
xbmc-13.2+dfsg1/debian/patches/0018-linux-Check-for-Logind-first-then-Kit-s-with-UPower-.patch
 
xbmc-13.2+dfsg1/debian/patches/0018-linux-Check-for-Logind-first-then-Kit-s-with-UPower-.patch
--- 
xbmc-13.2+dfsg1/debian/patches/0018-linux-Check-for-Logind-first-then-Kit-s-with-UPower-.patch
  1970-01-01 01:00:00.0 +0100
+++ 
xbmc-13.2+dfsg1/debian/patches/0018-linux-Check-for-Logind-first-then-Kit-s-with-UPower-.patch
  2014-11-08 00:05:40.0 +0100
@@ -0,0 +1,30 @@
+From c6ae8568b99785465d1461c8878cdee08ff44eae Mon Sep 17 00:00:00 2001
+From: Balint Reczey bal...@balintreczey.hu
+Date: Tue, 4 Nov 2014 00:13:21 +0100
+Subject: [PATCH] linux: Check for Logind first, then *Kit-s with UPower when
+ detecting PM framework
+
+Logind is the most likely candidate to work nowadays and latest UPower does
+not provide suspend/hibernate API.
+---
+ xbmc/powermanagement/PowerManager.cpp | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/xbmc/powermanagement/PowerManager.cpp
 b/xbmc/powermanagement/PowerManager.cpp
+@@ -78,12 +78,12 @@
+   m_instance = new CAndroidPowerSyscall();
+ #elif defined(TARGET_POSIX)
+ #if defined(HAS_DBUS)
+-  if (CConsoleUPowerSyscall::HasConsoleKitAndUPower())
++  if (CLogindUPowerSyscall::HasLogind())
++m_instance = new CLogindUPowerSyscall();
++  else if (CConsoleUPowerSyscall::HasConsoleKitAndUPower())
+ m_instance = new CConsoleUPowerSyscall();
+   else if (CConsoleDeviceKitPowerSyscall::HasDeviceConsoleKit())
+ m_instance = new CConsoleDeviceKitPowerSyscall();
+-  else if (CLogindUPowerSyscall::HasLogind())
+-m_instance = new CLogindUPowerSyscall();
+   else if (CUPowerSyscall::HasUPower())
+ m_instance = new CUPowerSyscall();
+ #if defined(HAS_HAL)
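Review bot: moving the CLogindUPowerSyscall::HasLogind() test to the front changes which backend is selected on every system where logind is available, including systems where ConsoleKit with an older UPower was picked before, whereas the changelog scopes the fix to "upower = 0.99.1". For an unblock request it would help to state that suspend and hibernate were tested on a system offering both logind and ConsoleKit/UPower, and that the logind backend covers what the ConsoleKit one provided there.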
diff -Nru xbmc-13.2+dfsg1/debian/patches/series 
xbmc-13.2+dfsg1/debian/patches/series
--- xbmc-13.2+dfsg1/debian/patches/series   2014-10-25 00:40:28.0 
+0200
+++ xbmc-13.2+dfsg1/debian/patches/series   2014-11-08 00:05:40.0 
+0100
@@ -11,6 +11,8 @@
 0013-mips-Add-configure-option-for-mips-and-mipsel.patch
 0014-mips-Don-t-use-ASM-round-and-truncate-on-MIPS.patch
 0016-mips-Fix-build-with-using-OpenGL-rendering.patch
+0017-libav-Fix-uninitialized-read.patch
+0018-linux-Check-for-Logind-first-then-Kit-s-with-UPower-.patch
 03-privacy.patch
 04-differentiate-from-vanilla-XBMC.patch
 05-Fix-GLES-with-X11.patch
@@ -19,3 +21,4 @@
 08-armel.patch
 09-use-correct-ftgl.h
 11-fix-vdpau-include.patch

Bug#770879: unblock: meld/3.12.1-2

2014-11-24 Thread Balint Reczey
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal


Dear Release Team,

Please unblock meld to let it migrate to Jessie.
The update contains only a single fix for a regression compared to
Wheezy's version.

Changes:
 meld (3.12.1-2) unstable; urgency=medium
 .
   * Fix SIGINT handling by cherry-picking patch from upstream
 (Closes: #768180)


Thanks:
Balint

diff -Nru meld-3.12.1/debian/changelog meld-3.12.1/debian/changelog
--- meld-3.12.1/debian/changelog	2014-10-28 00:46:24.0 +0100
+++ meld-3.12.1/debian/changelog	2014-11-14 22:26:00.0 +0100
@@ -1,3 +1,10 @@
+meld (3.12.1-2) unstable; urgency=medium
+
+  * Fix SIGINT handling by cherry-picking patch from upstream
+(Closes: #768180)
+
+ -- Balint Reczey bal...@balintreczey.hu  Tue, 28 Oct 2014 00:52:16 +0100
+
 meld (3.12.1-1) unstable; urgency=medium
 
   * New upstream release
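Review bot: the trailer timestamp of the 3.12.1-2 entry (Tue, 28 Oct 2014 00:52:16 +0100) is earlier than the upstream commit this upload cherry-picks (Sat, 22 Nov 2014 in the patch header below). The trailer should carry the date the entry was finalised, so that the package history orders correctly against the fix it contains.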
diff -Nru meld-3.12.1/debian/patches/0002-bin-meld-Hook-SIGINT-using-GLib-instead-of-Python-fo.patch meld-3.12.1/debian/patches/0002-bin-meld-Hook-SIGINT-using-GLib-instead-of-Python-fo.patch
--- meld-3.12.1/debian/patches/0002-bin-meld-Hook-SIGINT-using-GLib-instead-of-Python-fo.patch	1970-01-01 01:00:00.0 +0100
+++ meld-3.12.1/debian/patches/0002-bin-meld-Hook-SIGINT-using-GLib-instead-of-Python-fo.patch	2014-11-24 22:17:28.0 +0100
@@ -0,0 +1,42 @@
+From 74e15dda8536b1b381e91496527ead06c3182c35 Mon Sep 17 00:00:00 2001
+From: Kai Willadsen kai.willad...@gmail.com
+Date: Sat, 22 Nov 2014 08:07:16 +1000
+Subject: [PATCH] bin/meld: Hook SIGINT using GLib instead of Python for
+ instant quitting
+
+The previous solution worked, but waited until the window got focus,
+repainted or we otherwise ran the event loop, which was weird. This
+just works straight away.
+---
+ bin/meld | 7 +--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/bin/meld
 b/bin/meld
+@@ -21,6 +21,7 @@
+ import locale
+ import logging
+ import os
++import signal
+ import subprocess
+ import sys
+ 
+@@ -130,7 +131,7 @@
+ 
+ pyver = (2, 7)
+ gtk_requirement = (3, 6)
+-glib_requirement = (2, 34, 0)
++glib_requirement = (2, 36, 0)
+ gtksourceview_requirement = (3, 6, 0)
+ 
+ def missing_reqs(mod, ver, exception=None):
+@@ -243,5 +244,9 @@
+ setup_resources()
+ 
+ import meld.meldapp
++if sys.platform != 'win32':
++from gi.repository import GLib
++GLib.unix_signal_add(GLib.PRIORITY_DEFAULT, signal.SIGINT,
++ lambda *args: meld.meldapp.app.quit(), None)
+ status = meld.meldapp.app.run(sys.argv)
+ sys.exit(status)
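Review bot: the second hunk raises glib_requirement from (2, 34, 0) to (2, 36, 0), which the changelog entry does not mention and which is not matched by any debian/control change in this debdiff. Please confirm that the package's existing GLib dependency already guarantees 2.36 in jessie, otherwise meld stops at its own requirement check at startup instead of running. It is also worth a line in the patch header noting that the new SIGINT hook is skipped on win32, since the changelog describes the fix without that condition.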
diff -Nru meld-3.12.1/debian/patches/series meld-3.12.1/debian/patches/series
--- meld-3.12.1/debian/patches/series	2014-10-27 10:13:21.0 +0100
+++ meld-3.12.1/debian/patches/series	2014-11-24 22:13:33.0 +0100
@@ -1,2 +1,3 @@
 01_skip_compile_schema_and_icon_cache_update.patch
 0001-meld.vc.svn-Make-repository-validity-check-relative-.patch
+0002-bin-meld-Hook-SIGINT-using-GLib-instead-of-Python-fo.patch


Re: Bug#607969: sqlite: Still useful?

2014-10-29 Thread Balint Reczey
Hi,

On Mon, 4 Aug 2014 20:08:21 +0100 Manuel A. Fernandez Montecelo
manuel.montez...@gmail.com wrote:
> Control: severity -1 serious
>
> Hi,
>
> I stumbled upon this bug by chance when looking at why it did not
> compile in some new ports.
>
> Raising severity so at the very least it gets auto-removed from
> testing and thus it does not get included in the next stable release
> (it already was included in the last, despite opinions in this bug
> about the contrary).
>
> I guess that it's better to just ask FTP masters to remove the
> package, but I'll leave that to other people, since they were
> interested in doing that in the past (all in copy now).
Filing bugs against reverse dependencies to migrate to sqlite 3 would be
a better start IMO.
Probably it is too late to convert everything for Jessie:

$ apt-cache rdepends sqlite
sqlite
Reverse Depends:
  phpbb3
 |movabletype-opensource
  sqlite:i386
  sqlite-doc
  qsf
  phpbb3
  lire
  imms-common
  csync2
  beancounter

Dear Release Team, should this package be released with Jessie?

Cheers,
Balint


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/5450b46c.9050...@balintreczey.hu



Re: Bug#607969: sqlite: Still useful?

2014-10-29 Thread Balint Reczey
Hi Laszlo,

On Wed, 29 Oct 2014 10:52:02 +0100
=?UTF-8?B?TMOhc3psw7MgQsO2c3rDtnJtw6lueWkgKEdDUyk=?= g...@debian.org wrote:
 On Wed, Oct 29, 2014 at 10:33 AM, Balint Reczey bal...@balintreczey.hu 
 wrote:
  On Mon, 4 Aug 2014 20:08:21 +0100 Manuel A. Fernandez Montecelo
  manuel.montez...@gmail.com wrote:
  I stumbled upon this bug by chance when looking at why it did not
  compile in some new ports.
  It should compile on all of them by now. The buildd archive shows
 that arm64 and ppc64el are fine, even mips and sparc.
 
  I guess that it's better to just ask FTP masters to remove the
  package, but I'll leave that to other people, since they were
  interested in doing that in the past (all in copy now).
  Yes, I was about to ask its removal as upstream no longer supports
 it. But it works correctly and I got personal mails that they would
 still use it on low-end (embedded?) machines where sqlite3 would
 require more CPU and/or memory.
In this case I think this bug could be simply closed by answering the
question (Yes.).  :-)

Having reverse dependencies is actually useful to keep the code tested.

Cheers,
Balint





Re: Bug#763148: Prevent migration to jessie

2014-10-18 Thread Balint Reczey
Dear Security and Release Teams,

On Sun, 05 Oct 2014 23:23:07 +0200 Andreas Cadhalpun
andreas.cadhal...@googlemail.com wrote:
 Hi Andreas,
 
 On 05.10.2014 22:54, Andreas Barth wrote:
  * Andreas Cadhalpun (andreas.cadhal...@googlemail.com) [141005 22:36]:
  That's because the last message from a release team member in this bug
  said [1]:
  'However (and please note that I'm not a member of the security team
  and just speak for myself here as always when not otherwise marked) if
 
  As I said, I was just speaking for myself. That I might be at other
  times speaking as a member of the release team doesn't make it an
  opinion of the release team. For the release team opinion on this
  topic see Cyril's mails.
 
  Also, the re-evaluation happened. It however didn't have the outcome
  you wanted (basically because the web browser needs so many security
  updates which only could be done by backporting all of it that the
  embedded copy doesn't make any difference - this is an exceptional
  thing which does happen but not very often. I can understand it, and
  of course it's the call of the security team how to ensure that Debian
  has security updates. I hadn't known that at the time I thought about
  the possibility, otherwise I would have already achieved at that moment
  at the conclusion).
 
 
  Conclusion: Though I'm usually an optimistic person how to get things
  achieved, I don't see any way left how at this late time it's possible
  to ship with ffmpeg in jessie. I'm sorry but we have to face the
  facts. Independent if we like them or not (and I can fully understand
  that you don't like them, but it's no good pretending facts are
  different than they are). Sorry.
 
 Thanks for explaining.
 
 It's sad that it isn't possible to have FFmpeg in jessie, but hopefully 
 it'll be in jessie+1.
Could you please confirm that the bug will be closed and FFmpeg will be
allowed to migrate to testing after Jessie's release, no matter if Libav
is still present there?
The current packaging of FFmpeg lets it co-exist with Libav and the
next release cycle could be used to test it more extensively.

Cheers,
Balint





Please bump urgency for xbmc and xbmc-pvr-addons

2014-05-12 Thread Balint Reczey
Dear Release Team,

Could you please bump urgency of xbmc and xbmc-pvr-addons to medium to
let them migrate to testing faster before I upload the next major version?

Thanks,
Balint



Bug#703125: tpu: wireshark/1.8.2-5wheezy1

2013-03-15 Thread Balint Reczey
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: tpu

Hi,

I would like to upload wireshark/1.8.2-5wheezy1 to
testing-proposed-updates to fix open security issues in wheezy.
It would have the same content as wireshark/1.8.2-5 just bumping the
changelog.

Currently 1.8.2-2 is in testing and 1.8.6-1 is in unstable.

Originally I wanted to let 1.8.2-5 migrate to wheezy, but I have
uploaded 1.8.6-1 to unstable (instead of experimental) accidentally
which prevents the migration.

Thanks,
Balint


