Bug#926931: unblock: golang-github-go-debos-fakemachine/0.0~git20181105.9316584-2

2019-04-12 Thread Héctor Orón Martínez
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package golang-github-go-debos-fakemachine

Fixes release critical bug which causes package to be unusable


diff -Nru 
golang-github-go-debos-fakemachine-0.0~git20181105.9316584/debian/changelog 
golang-github-go-debos-fakemachine-0.0~git20181105.9316584/debian/changelog
--- golang-github-go-debos-fakemachine-0.0~git20181105.9316584/debian/changelog 
2018-11-09 10:15:18.0 +0100
+++ golang-github-go-debos-fakemachine-0.0~git20181105.9316584/debian/changelog 
2019-04-12 11:53:04.0 +0200
@@ -1,3 +1,10 @@
+golang-github-go-debos-fakemachine (0.0~git20181105.9316584-2) unstable; 
urgency=medium
+
+  * fakemachine: execution fails due to missing shared lib
+(Closes: #924392)
+
+ -- Héctor Orón Martínez   Fri, 12 Apr 2019 11:53:04 +0200
+
 golang-github-go-debos-fakemachine (0.0~git20181105.9316584-1) unstable; 
urgency=medium
 
   * New upstream version 0.0~git20181105.9316584
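Review bot: The new changelog bullet ("fakemachine: execution fails due to missing shared lib") states the symptom rather than the change. Name the added patch and what it does, for example that 0001-Add-libresolve.so.2-in-the-initramfs.patch copies libresolv.so.2 into the initramfs, so the release team can match the entry to the debdiff.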
diff -Nru 
golang-github-go-debos-fakemachine-0.0~git20181105.9316584/debian/patches/0001-Add-libresolve.so.2-in-the-initramfs.patch
 
golang-github-go-debos-fakemachine-0.0~git20181105.9316584/debian/patches/0001-Add-libresolve.so.2-in-the-initramfs.patch
--- 
golang-github-go-debos-fakemachine-0.0~git20181105.9316584/debian/patches/0001-Add-libresolve.so.2-in-the-initramfs.patch
   1970-01-01 01:00:00.0 +0100
+++ 
golang-github-go-debos-fakemachine-0.0~git20181105.9316584/debian/patches/0001-Add-libresolve.so.2-in-the-initramfs.patch
   2019-04-12 11:47:40.0 +0200
@@ -0,0 +1,25 @@
+From: Sjoerd Simons 
+Date: Tue, 5 Mar 2019 10:17:57 +0100
+Subject: Add libresolve.so.2 in the initramfs
+
+busybox in buster depends on libresolve.so.2 so copy it to the
+initramfs; Potentially in future fakemachine should move to
+busybox-static
+
+Signed-off-by: Sjoerd Simons 
+---
+ machine.go | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/machine.go b/machine.go
+index 4a9bd83..021ee67 100644
+--- a/machine.go
 b/machine.go
+@@ -457,6 +457,7 @@ func (m *Machine) startup(command string, extracontent 
[][2]string) (int, error)
+   if mergedUsrSystem() {
+   prefix = "/usr"
+   }
++  w.CopyFile(prefix + "/lib/x86_64-linux-gnu/libresolv.so.2")
+   w.CopyFile(prefix + "/lib/x86_64-linux-gnu/libc.so.6")
+   w.CopyFile(prefix + "/bin/busybox")
+ 
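Review bot: In the machine.go hunk the added `w.CopyFile(prefix + "/lib/x86_64-linux-gnu/libresolv.so.2")` hardcodes the amd64 multiarch directory, like the libc.so.6 line below it, so the fix only holds on x86_64; say so in the patch description or derive the directory from the host architecture. The patch subject and file name also spell the library "libresolve.so.2" while the code copies libresolv.so.2; the description should use the real soname so a search for it finds this patch.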
diff -Nru 
golang-github-go-debos-fakemachine-0.0~git20181105.9316584/debian/patches/series
 
golang-github-go-debos-fakemachine-0.0~git20181105.9316584/debian/patches/series
--- 
golang-github-go-debos-fakemachine-0.0~git20181105.9316584/debian/patches/series
1970-01-01 01:00:00.0 +0100
+++ 
golang-github-go-debos-fakemachine-0.0~git20181105.9316584/debian/patches/series
2019-04-12 11:47:40.0 +0200
@@ -0,0 +1 @@
+0001-Add-libresolve.so.2-in-the-initramfs.patch



unblock golang-github-go-debos-fakemachine/0.0~git20181105.9316584-2

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.19.0-4-amd64 (SMP w/16 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=ca_AD.UTF-8, LC_CTYPE=ca_AD.UTF-8 (charmap=UTF-8), 
LANGUAGE=ca_AD.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled


Bug#926124: unblock: weston/5.0.0-3

2019-03-31 Thread Héctor Orón Martínez
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package weston

Fixed a couple bugs related to:
  - make build reproducible
  - fix startup with systemd-login

Find debdiff attached:

diff --git a/debian/changelog b/debian/changelog
index d6a391bc..ba9cb592 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+weston (5.0.0-3) unstable; urgency=medium
+
+  * debian/control: add libdbus-1-dev to Build-Depends
+- Fixes "won't start despite having an active logind session"
+(Closes: #799325)
+Thanks Paul Menzel for analysis.
+  * debian/patches/reproducible-build-899358.patch: new patch
+- Make the build reproducible
+(Closes: #899358)
+
+ -- Héctor Orón Martínez   Thu, 28 Mar 2019 14:11:26 +0100
+
 weston (5.0.0-2) unstable; urgency=medium
 
   [ Emilio Pozuelo Monfort ]
diff --git a/debian/control b/debian/control
index c2c11c28..4eea61de 100644
--- a/debian/control
+++ b/debian/control
@@ -10,6 +10,7 @@ Build-Depends:
  debhelper (>= 10),
  quilt,
  pkg-config,
+ libdbus-1-dev,
  libpixman-1-dev (>= 0.25.2),
  libpng-dev,
  libjpeg-dev,
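Review bot: Adding `libdbus-1-dev` to Build-Depends addresses a runtime failure that, going by the changelog entry ("won't start despite having an active logind session"), came from a build that quietly went ahead without it. Consider also requesting the logind/D-Bus support explicitly in debian/rules, so that a build missing the library fails instead of producing a weston that cannot use an active logind session.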
diff --git a/debian/patches/reproducible-build-899358.patch 
b/debian/patches/reproducible-build-899358.patch
new file mode 100644
index ..642c9dfb
--- /dev/null
+++ b/debian/patches/reproducible-build-899358.patch
@@ -0,0 +1,14 @@
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899358
+Index: weston/weston.ini.in
+===
+--- weston.orig/weston.ini.in  2019-03-28 12:55:11.730324981 +0100
 weston/weston.ini.in   2019-03-28 12:58:53.029372855 +0100
+@@ -38,7 +38,7 @@
+ 
+ [launcher]
+ icon=/usr/share/icons/gnome/24x24/apps/arts.png
+-path=@abs_top_builddir@/weston-flower
++path=@libexecdir@/weston-flower
+ 
+ [input-method]
+ path=@libexecdir@/weston-keyboard
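Review bot: The new patch file starts with only the bug URL and has no description, author or forwarded status. Add a DEP-3 style header explaining why `path=@abs_top_builddir@/weston-flower` is replaced by `path=@libexecdir@/weston-flower`, and confirm weston-flower is actually installed under @libexecdir@, since otherwise the [launcher] entry points at a path that does not exist.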
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index ..4a8185bf
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+reproducible-build-899358.patch

unblock weston/5.0.0-3

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.19.0-4-amd64 (SMP w/16 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=ca_AD.UTF-8, LC_CTYPE=ca_AD.UTF-8 (charmap=UTF-8), 
LANGUAGE=ca_AD:ca (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled


Bug#922340: unblock: open-build-service/2.9.4-1

2019-03-31 Thread Héctor Orón Martínez
Hello,

Message from Jonathan Wiltshire on Sun, 17 Mar 2019 at 19:04:
>
> Control: tag -1 moreinfo
>
> Hi,
>
> On Wed, Mar 06, 2019 at 11:51:45PM +0100, Hector Oron wrote:
> > OK, I tried, and to be honest, stable isn't perfect either, since
> > distro lifecycle is longer than application support, so not allowing
> > newer upstream versions in stable is problematic security wise in the
> > long term. open-build-service is not the only one in this category,
> > there are many packages in the same situation and it'd be nice to find
> > a common solution for all those.
>
> What is upstream's approach to stable security updates like? How long is a
> stable series maintained? Is it realistic to cherry-pick fixes from new
> upstream releases for buster's lifetime?
>
> New upstreams in stable aren't a problem in themselves, but when not all
> new upstream releases are suitable (e.g. mixing bug fixes and features) the
> effect can be to block further releases, and make fixing high severity bugs
> harder.

I have been discussing the current state of the package with my
colleagues, and it needs a bit more polishing, hence we are fine with
closing this unblock as Paul did. We'll look into alternative ways to
distribute the package for the next stable distribution.

Thanks,
-- 
 Héctor Orón  -.. . -... .. .- -.   -.. . ...- . .-.. --- .--. . .-.



Bug#922339: unblock: python-cassandra-driver/3.16.0-1

2019-03-31 Thread Héctor Orón Martínez
Hello,

Message from Paul Gevers on Sat, 30 Mar 2019 at 19:12:
>
> tags 922339 wontfix
> thanks
>
> On Sun, 17 Mar 2019 17:38:21 + Jonathan Wiltshire 
> wrote:
> > On Thu, Feb 14, 2019 at 08:11:55PM +0100, Héctor Orón Martínez wrote:
> > > Please unblock package python-cassandra-driver
> > >
> > > I have been working with Emmanuel Arias on getting his package sponsored
> > > into Debian, however it did not make it into Buster on time. It is a
> > > `salt` build dependency (however `salt` package maintainer has disabled
> > > it until it makes it in Buster).
> >
> > Is the intention that salt will enable support once this package migrates?
> > Will that require an unblock too?
> >
> > #921658 seems to suggest that salt is only a test-time build dependency.
> > Does this mean that not all of salt's tests are being run at the moment?
> > What is the impact of this?
> >
> > 2018-12-05 when the upload was prepared to 2019-02-08 when it was uploaded
> > is quite a long delay. Is long-term maintenance assured? Are sufficient
> > sponsors available for the next 5-6 years?
>
> I am closing this bug as wontfix as it is getting too late in the cycle
> for new packages and the above questions were not answered.

I am fine with that if it is not blocking saltstack from being in
buster. We can get it back in for Bullseye.

Thanks,
-- 
 Héctor Orón  -.. . -... .. .- -.   -.. . ...- . .-.. --- .--. . .-.



Bug#922342: unblock: ruby-jquery-ui-rails/6.0.1+dfsg-3

2019-02-14 Thread Héctor Orón Martínez
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package ruby-jquery-ui-rails

`ruby-jquery-ui-rails` did not make it on time for the soft-freeze, however I'd 
like the release team to consider and grant an exception for it so we can get 
the `open-build-service` package in for the Buster release.

I am not attaching a debdiff since it is a major update. Gitlab is available at:
https://salsa.debian.org/ruby-team/ruby-jquery-ui-rails

Thanks for considering

unblock ruby-jquery-ui-rails/6.0.1+dfsg-3

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.19.0-2-amd64 (SMP w/16 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=ca_AD.UTF-8, LC_CTYPE=ca_AD.UTF-8 (charmap=UTF-8), 
LANGUAGE=ca_AD:ca (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#922341: unblock: ruby-clockwork/2.0.3-4

2019-02-14 Thread Héctor Orón Martínez
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package ruby-clockwork

`ruby-clockwork` did not make it on time for the soft-freeze, however I'd like 
the release team to consider and grant an exception for it so we can get 
the `open-build-service` package in for the Buster release.

I am not attaching a debdiff since it is a major update. Gitlab is available at:
https://salsa.debian.org/ruby-team/ruby-clockwork

Thanks for considering

unblock ruby-clockwork/2.0.3-4

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.19.0-2-amd64 (SMP w/16 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=ca_AD.UTF-8, LC_CTYPE=ca_AD.UTF-8 (charmap=UTF-8), 
LANGUAGE=ca_AD:ca (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#922340: unblock: open-build-service/2.9.4-1

2019-02-14 Thread Héctor Orón Martínez
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package open-build-service

A lot of effort has been put into `open-build-service`, since the ruby rails 5 
transition needed to happen and it did. Even though the package was uploaded on 
time, it was delayed due to a couple of dependencies: `ruby-clockwork` and 
`ruby-jquery-ui-rails`.

Please consider an exception and allow `open-build-service` into Buster release.

I am not attaching a debdiff since it is a major upstream version update.

You might check gitlab instead at:
  https://salsa.debian.org/ruby-team/open-build-service

And its dependencies at:
  https://salsa.debian.org/ruby-team/ruby-clockwork
  https://salsa.debian.org/ruby-team/ruby-jquery-ui-rails

unblock open-build-service/2.9.4-1

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.19.0-2-amd64 (SMP w/16 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=ca_AD.UTF-8, LC_CTYPE=ca_AD.UTF-8 (charmap=UTF-8), 
LANGUAGE=ca_AD:ca (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#922339: unblock: python-cassandra-driver/3.16.0-1

2019-02-14 Thread Héctor Orón Martínez
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package python-cassandra-driver

I have been working with Emmanuel Arias on getting his package sponsored into 
Debian, however it did not make it into Buster on time. It is a `salt` build 
dependency (however `salt` package maintainer has disabled it until it makes it 
in Buster).

I am not attaching a debdiff because it is a new upstream version and I am 
requesting an exception here. You may check gitlab instead, which I know is 
not preferred.

https://salsa.debian.org/python-team/modules/python-cassandra-driver

unblock python-cassandra-driver/3.16.0-1

Thanks for considering an exception to allow this package into Buster release.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.19.0-2-amd64 (SMP w/16 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=ca_AD.UTF-8, LC_CTYPE=ca_AD.UTF-8 (charmap=UTF-8), 
LANGUAGE=ca_AD:ca (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#912853: transition: icu

2018-11-14 Thread Héctor Orón Martínez
Hey Steve,

Message from Steve McIntyre on Wed, 14 Nov 2018 at 17:11:

> Digging further and installing some debug symbols, I get to a problem
> in libfreetype6:
>
> (sid-armhf)steve@mjolnir:~/debian/harfbuzz/harfbuzz-2.1.1/build-main$ gdb 
> util/.libs/hb-shape core
> ...
> Core was generated by 
> `/home/steve/debian/harfbuzz/harfbuzz-2.1.1/build-main/util/.libs/hb-shape 
> ../te'.
> Program terminated with signal SIGBUS, Bus error.
> #0  TT_Get_MM_Var (face=0x1c66d78, master=master@entry=0x0) at 
> ./freetype-2.8.1/src/truetype/ttgxvar.c:2122
> 2122if ( a->minimum > a->def ||

Thanks!
Did you check if version in experimental (freetype-2.9.1) fixes it?

Regards
-- 
 Héctor Orón  -.. . -... .. .- -.   -.. . ...- . .-.. --- .--. . .-.



Bug#912853: transition: icu

2018-11-13 Thread Héctor Orón Martínez
Hello,

Message from Emilio Pozuelo Monfort on Tue, 13 Nov 2018 at 18:44:
>
> On 13/11/2018 17:45, László Böszörményi (GCS) wrote:
> >  Please note that src:harfbuzz currently has a problem on armhf, it
> > failed to build three times in line. The reason is known: the
> > arm-arm-01 named buildd always failed to build it[1]. Can you schedule
> > its build on an other armhf machine or a buildd admin (in Cc) can do
> > it? There's no sense trying to build it on the mentioned box again and
> > again or even later. If possible, please set that src:harfbuzz
> > shouldn't be tried to build on the arm-arm-01 machine in the future.
>
> That will be investigated. The problem is that arm-arm-01 is an arm64 machine,
> building armhf packages. harfbuzz doesn't like that.

Indeed, Steve is working on that topic, re-building armhf/armel on
arm64 and already found some issues. I pinged him about it in IRC,
however I CC him on this one as it might be valuable for his work.

Regards
-- 
 Héctor Orón  -.. . -... .. .- -.   -.. . ...- . .-.. --- .--. . .-.



Bug#912853: transition: icu

2018-11-13 Thread Héctor Orón Martínez
Hello László,

Message from László Böszörményi (GCS) on Tue, 13 Nov 2018 at 17:46:
>
> On Mon, Nov 12, 2018 at 4:05 PM Emilio Pozuelo Monfort  
> wrote:
> > On 11/11/2018 11:24, László Böszörményi (GCS) wrote:
> > > On Sun, Nov 4, 2018 at 4:45 PM Laszlo Boszormenyi (GCS)  
> > > wrote:
> > >> I'd like to upload ICU 63.1 which was recently released for Buster.
> > >  I still miss the last three packages rebuilt, but I don't expect any
> > > problems with those.
> > > First, my methodology was to build the related packages both on i386
> > > and amd64 (32 and 64 bit) to detect all possible problems in advance.
> > > If a package failed due to ICU, I've patched it. If the reason was not
> > > clear, rebuilt the package for Sid to check that result as well.
> > > The order of rebuilds was harfbuzz -> boost1.67 -> make boost-defaults
> > > point to it, then all other packages.
> > Please go ahead with this. I will ack the boost transition once this is 
> > built.
>  Please note that src:harfbuzz currently has a problem on armhf, it
> failed to build three times in line. The reason is known: the
> arm-arm-01 named buildd always failed to build it[1]. Can you schedule
> its build on an other armhf machine or a buildd admin (in Cc) can do
> it? There's no sense trying to build it on the mentioned box again and
> again or even later. If possible, please set that src:harfbuzz
> shouldn't be tried to build on the arm-arm-01 machine in the future.

I have blacklisted it in arm-arm-01, however someone had given it back
and it is building (update built!) in arnold now.
Regards

> Thanks,
> Laszlo/GCS
> [1] https://buildd.debian.org/status/logs.php?pkg=harfbuzz=armhf



-- 
 Héctor Orón  -.. . -... .. .- -.   -.. . ...- . .-.. --- .--. . .-.



Bug#892031: stretch-pu: package wayland/1.12.0-1

2018-11-10 Thread Héctor Orón Martínez
Hello,

Message from Salvatore Bonaccorso on Fri, 9 Nov 2018 at 6:57:

> Friendly ping, can you upload the fixed package? Unfortunately this
> will not make it for 9.6 but can then for 9.7.

I have uploaded the package.

Regards
-- 
 Héctor Orón  -.. . -... .. .- -.   -.. . ...- . .-.. --- .--. . .-.



Bug#903830: RM: intel-processor-trace/stable [s390x] -- ANAIS; package only meanful on Intel architecture

2018-07-15 Thread Héctor Orón Martínez
Package: ftp.debian.org
Severity: normal

The `intel-processor-trace` package is only meaningful on Intel arches, therefore 
other binaries should be removed from the archive.
Please remove s390x binaries (libipt1, libipt-dev) for stable/testing and 
unstable distributions.

Regards



Bug#892070: stretch-pu: package obs-build/20160921-1

2018-03-04 Thread Héctor Orón Martínez
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hello,

  I would like to push a security fix into stable for `obs-build`.
  The patch fixes CVE-2017-14804 as described in #887306.
  Please consider the following patch attached.

Regards

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=ca_AD.utf8, LC_CTYPE=ca_AD.utf8 (charmap=UTF-8), LANGUAGE=ca_AD:ca 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru obs-build-20170201/debian/changelog 
obs-build-20170201/debian/changelog
--- obs-build-20170201/debian/changelog 2017-08-04 23:24:36.0 +0200
+++ obs-build-20170201/debian/changelog 2018-03-04 23:05:06.0 +0100
@@ -1,3 +1,11 @@
+obs-build (20170201-3+deb9u1) stretch; urgency=medium
+
+  * CVE-2017-14804 (Closes: #887306)
+- Improve extractbuild to avoid write to files in the host system.
+- debian/patches/Improve-sanity-checks-in-extractbuild.patch: add new
+
+ -- Héctor Orón Martínez <zu...@debian.org>  Sun, 04 Mar 2018 23:05:06 +0100
+
 obs-build (20170201-3) unstable; urgency=medium
 
   [ Sjoerd Simons ]
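Review bot: The new entry 20170201-3+deb9u1 targets stretch but is stacked directly on 20170201-3 from unstable, while this request is filed against obs-build/20160921-1 and the embedded patch is indexed against obs-build-20160921. Check that the debdiff was generated from the version actually in stretch and that the +deb9u1 version is derived from it.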
diff -Nru 
obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch 
obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch
--- 
obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch   
1970-01-01 01:00:00.0 +0100
+++ 
obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch   
2018-03-04 23:01:56.0 +0100
@@ -0,0 +1,34 @@
+From fc36b1c95afbe11e65fd1ed6f75c1824cdb26230 Mon Sep 17 00:00:00 2001
+Message-Id: 
<fc36b1c95afbe11e65fd1ed6f75c1824cdb26230.1511739165.git.suse-...@gmx.de>
+From: Marcus Huewe <suse-...@gmx.de>
+Date: Sun, 26 Nov 2017 20:25:48 +0100
+Subject: [PATCH] Improve sanity checks in extractbuild
+
+A \0 in a symlink target can be used to write to a file in the host
+system. For the same reason, we do not allow to process a file more
+than once. A \0 in a filename makes no sense, hence forbid it.
+---
+ extractbuild | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: obs-build-20160921/extractbuild
+===
+--- obs-build-20160921.orig/extractbuild
 obs-build-20160921/extractbuild
+@@ -74,6 +74,8 @@ while () {
+   my ($filetype, $file, $filesize, $blksize, @blocks) = split(/ /);
+   die("invalid input '$_'\n") unless defined($file);
+   $file =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/ge;
++  die("bad file '$file' (contains \\0)\n") if $file =~ /\0/;
++  die("already processed: $file\n") if $done{$file};
+   die("bad file '$file'\n") if "/$file/" =~ /\/\.{0,2}\//s;
+   if ($file =~ /^(.*)\//s) {
+ die("file without directory: $file\n") unless $done{$1} && $done{$1} eq 
'd';
+@@ -88,6 +90,7 @@ while () {
+ my $target = $filesize;
+ die("symlink without target\n") unless defined $target;
+ $target =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/ge;
++die("bad symlink: $target (contains \\0)\n") if $target =~ /\0/;
+ die("bad symlink: $target\n") if "/$target/" =~ /\/\.?\//s;
+ if ("/$target/" =~ /^(\/\.\.)+\/(.*?)$/s) {
+   my ($head, $tail) = ($1, $2);
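Review bot: Both added NUL checks put the decoded name back into the error text: `die("bad file '$file' (contains \\0)\n")` and `die("bad symlink: $target (contains \\0)\n")` print a string that is known at that point to contain a \0 byte taken from untrusted input. Report the undecoded input line instead, as the existing `die("invalid input '$_'\n")` does, so the log shows the %-escaped form rather than a raw control byte.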
diff -Nru obs-build-20170201/debian/patches/series 
obs-build-20170201/debian/patches/series
--- obs-build-20170201/debian/patches/series2017-08-04 23:24:36.0 
+0200
+++ obs-build-20170201/debian/patches/series2018-03-04 23:03:58.0 
+0100
@@ -15,3 +15,4 @@
 HACK-Make-glibc-build.patch
 debootstrap-generate-apt-caches.patch
 
+Improve-sanity-checks-in-extractbuild.patch


Bug#892032: jessie-pu: package wayland/1.6.0-2

2018-03-04 Thread Héctor Orón Martínez
Hello,

2018-03-04 15:44 GMT+01:00 Emilio Pozuelo Monfort <po...@debian.org>:
> On 04/03/18 12:46, Héctor Orón Martínez wrote:
>>
>> diff --git a/debian/changelog b/debian/changelog
>> index 645a4bc..b6409a8 100644
>> --- a/debian/changelog
>> +++ b/debian/changelog
>> @@ -1,3 +1,14 @@
>> +wayland (1.6.0-2+deb8u1) stretch; urgency=medium
>
> Distribution should be jessie.

Ouch! Right. Find new version attached


-- 
 Héctor Orón  -.. . -... .. .- -.   -.. . ...- . .-.. --- .--. . .-.
From c9f4eb1998a3b390c8b03df7c84f83608a3418fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?H=C3=A9ctor=20Or=C3=B3n=20Mart=C3=ADnez?= <zu...@debian.org>
Date: Sun, 4 Mar 2018 12:29:17 +0100
Subject: [PATCH] debian/patches/CVE-2017-16612.patch: fix cursor integer
 overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Héctor Orón Martínez <zu...@debian.org>
---
 debian/changelog| 11 +
 debian/patches/CVE-2017-16612.patch | 47 +
 debian/patches/series   |  1 +
 3 files changed, 59 insertions(+)
 create mode 100644 debian/patches/CVE-2017-16612.patch
 create mode 100644 debian/patches/series

diff --git a/debian/changelog b/debian/changelog
index 645a4bc..0379671 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+wayland (1.6.0-2+deb8u1) jessie; urgency=medium
+
+  * debian/patches/CVE-2017-16612.patch: (Closes: #889681)
+- libXcursor before 1.1.15 has various integer overflows that could lead
+  to heap buffer overflows when processing malicious cursors, e.g., with
+  programs like GIMP. It is also possible that an attack vector exists
+  against the related code in cursor/xcursor.c in Wayland through
+  1.14.0.
+
+ -- Héctor Orón Martínez <zu...@debian.org>  Sun, 04 Mar 2018 12:27:36 +0100
+
 wayland (1.6.0-2) unstable; urgency=medium
 
   * Switch back to use upstream tarball.
diff --git a/debian/patches/CVE-2017-16612.patch b/debian/patches/CVE-2017-16612.patch
new file mode 100644
index 000..9d91f70
--- /dev/null
+++ b/debian/patches/CVE-2017-16612.patch
@@ -0,0 +1,47 @@
+commit 5d201df72f3d4f4cb8b8f75f980169b03507da38
+Author: Tobias Stoeckmann <tob...@stoeckmann.org>
+Date:   Tue Nov 28 21:38:07 2017 +0100
+
+cursor: Fix heap overflows when parsing malicious files.
+
+It is possible to trigger heap overflows due to an integer overflow
+while parsing images.
+
+The integer overflow occurs because the chosen limit 0x1 for
+dimensions is too large for 32 bit systems, because each pixel takes
+4 bytes. Properly chosen values allow an overflow which in turn will
+lead to less allocated memory than needed for subsequent reads.
+
+See also: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8
+Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103961
+
+Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org>
+[Pekka: add link to the corresponding libXcursor commit]
+Signed-off-by: Pekka Paalanen <pekka.paala...@collabora.co.uk>
+
+diff --git a/cursor/xcursor.c b/cursor/xcursor.c
+index ca41c4a..689c702 100644
+--- a/cursor/xcursor.c
 b/cursor/xcursor.c
+@@ -202,6 +202,11 @@ XcursorImageCreate (int width, int height)
+ {
+ XcursorImage*image;
+ 
++if (width < 0 || height < 0)
++   return NULL;
++if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
++   return NULL;
++
+ image = malloc (sizeof (XcursorImage) +
+ 		width * height * sizeof (XcursorPixel));
+ if (!image)
+@@ -482,7 +487,8 @@ _XcursorReadImage (XcursorFile		*file,
+ if (!_XcursorReadUInt (file, ))
+ 	return NULL;
+ /* sanity check data */
+-if (head.width >= 0x1 || head.height > 0x1)
++if (head.width > XCURSOR_IMAGE_MAX_SIZE  ||
++	head.height > XCURSOR_IMAGE_MAX_SIZE)
+ 	return NULL;
+ if (head.width == 0 || head.height == 0)
+ 	return NULL;
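Review bot: Both hunks compare against XCURSOR_IMAGE_MAX_SIZE, but nothing in this patch defines it; the only file touched is cursor/xcursor.c and neither hunk adds the macro. Since this is an upstream commit from November 2017 carried onto 1.6.0, confirm the macro already exists in that tree, and add its definition to the patch if it does not.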
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..4c42ec7
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2017-16612.patch
-- 
2.16.2



Bug#892032: jessie-pu: package wayland/1.6.0-2

2018-03-04 Thread Héctor Orón Martínez
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hello,

  I would like to apply the fix for #889681 in oldstable.
  I am attaching the patch I plan to upload to oldstable.
  Note, I have asked the security team whether they want to handle it via
  the security queue or a stable update instead.

Regards

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=ca_AD.utf8, LC_CTYPE=ca_AD.utf8 (charmap=UTF-8), LANGUAGE=ca_AD:ca 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
From 5df34123d130816a1acf506d8e9f1a1c3e3efcc8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?H=C3=A9ctor=20Or=C3=B3n=20Mart=C3=ADnez?= <zu...@debian.org>
Date: Sun, 4 Mar 2018 12:29:17 +0100
Subject: [PATCH] debian/patches/CVE-2017-16612.patch: fix cursor integer
 overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Héctor Orón Martínez <zu...@debian.org>
---
 debian/changelog| 11 +
 debian/patches/CVE-2017-16612.patch | 47 +
 debian/patches/series   |  1 +
 3 files changed, 59 insertions(+)
 create mode 100644 debian/patches/CVE-2017-16612.patch
 create mode 100644 debian/patches/series

diff --git a/debian/changelog b/debian/changelog
index 645a4bc..b6409a8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+wayland (1.6.0-2+deb8u1) stretch; urgency=medium
+
+  * debian/patches/CVE-2017-16612.patch: (Closes: #889681)
+- libXcursor before 1.1.15 has various integer overflows that could lead
+  to heap buffer overflows when processing malicious cursors, e.g., with
+  programs like GIMP. It is also possible that an attack vector exists
+  against the related code in cursor/xcursor.c in Wayland through
+  1.14.0.
+
+ -- Héctor Orón Martínez <zu...@debian.org>  Sun, 04 Mar 2018 12:27:36 +0100
+
 wayland (1.6.0-2) unstable; urgency=medium
 
   * Switch back to use upstream tarball.
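Review bot: The first line of the new entry reads `wayland (1.6.0-2+deb8u1) stretch; urgency=medium`, but the +deb8u1 suffix and the jessie-pu request both say this upload is for jessie. Set the distribution field to jessie.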
diff --git a/debian/patches/CVE-2017-16612.patch 
b/debian/patches/CVE-2017-16612.patch
new file mode 100644
index 000..9d91f70
--- /dev/null
+++ b/debian/patches/CVE-2017-16612.patch
@@ -0,0 +1,47 @@
+commit 5d201df72f3d4f4cb8b8f75f980169b03507da38
+Author: Tobias Stoeckmann <tob...@stoeckmann.org>
+Date:   Tue Nov 28 21:38:07 2017 +0100
+
+cursor: Fix heap overflows when parsing malicious files.
+
+It is possible to trigger heap overflows due to an integer overflow
+while parsing images.
+
+The integer overflow occurs because the chosen limit 0x1 for
+dimensions is too large for 32 bit systems, because each pixel takes
+4 bytes. Properly chosen values allow an overflow which in turn will
+lead to less allocated memory than needed for subsequent reads.
+
+See also: 
https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8
+Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103961
+
+Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org>
+[Pekka: add link to the corresponding libXcursor commit]
+Signed-off-by: Pekka Paalanen <pekka.paala...@collabora.co.uk>
+
+diff --git a/cursor/xcursor.c b/cursor/xcursor.c
+index ca41c4a..689c702 100644
+--- a/cursor/xcursor.c
 b/cursor/xcursor.c
+@@ -202,6 +202,11 @@ XcursorImageCreate (int width, int height)
+ {
+ XcursorImage*image;
+ 
++if (width < 0 || height < 0)
++   return NULL;
++if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
++   return NULL;
++
+ image = malloc (sizeof (XcursorImage) +
+   width * height * sizeof (XcursorPixel));
+ if (!image)
+@@ -482,7 +487,8 @@ _XcursorReadImage (XcursorFile *file,
+ if (!_XcursorReadUInt (file, ))
+   return NULL;
+ /* sanity check data */
+-if (head.width >= 0x1 || head.height > 0x1)
++if (head.width > XCURSOR_IMAGE_MAX_SIZE  ||
++  head.height > XCURSOR_IMAGE_MAX_SIZE)
+   return NULL;
+ if (head.width == 0 || head.height == 0)
+   return NULL;
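Review bot: In the XcursorImageCreate hunk the size passed to malloc is still `width * height * sizeof (XcursorPixel)` with int operands, so the product width * height is evaluated in int before it is widened. The new bounds make that safe only as long as XCURSOR_IMAGE_MAX_SIZE squared fits in an int; casting one operand to size_t before multiplying would remove that dependency. The function also now rejects negative sizes but still accepts 0, which _XcursorReadImage rejects.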
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..4c42ec7
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2017-16612.patch
-- 
2.16.2



Bug#892031: stretch-pu: package wayland/1.12.0-1

2018-03-04 Thread Héctor Orón Martínez
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hello,

  I would like to apply fix in stable for #889681.
  I have asked security team if they want the fix via security queue or stable
  update, however I have gotten no reply yet. I am attaching the patch I intend
  to upload to stable if you acknowledge it.

Regards

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=ca_AD.utf8, LC_CTYPE=ca_AD.utf8 (charmap=UTF-8), LANGUAGE=ca_AD:ca 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
From 2471b0463e9395bd981f8b875e3280f1fc6b995f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?H=C3=A9ctor=20Or=C3=B3n=20Mart=C3=ADnez?= <zu...@debian.org>
Date: Sun, 4 Mar 2018 11:54:40 +0100
Subject: [PATCH] debian/patches/CVE-2017-16612.patch: fix cursor integer
 overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Héctor Orón Martínez <zu...@debian.org>
---
 debian/changelog| 11 +
 debian/patches/CVE-2017-16612.patch | 47 +
 debian/patches/series   |  1 +
 3 files changed, 59 insertions(+)
 create mode 100644 debian/patches/CVE-2017-16612.patch
 create mode 100644 debian/patches/series

diff --git a/debian/changelog b/debian/changelog
index 2f84b50..7495ef3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+wayland (1.12.0-1+deb9u1) stretch; urgency=medium
+
+  * debian/patches/CVE-2017-16612.patch: (Closes: #889681)
+- libXcursor before 1.1.15 has various integer overflows that could lead
+  to heap buffer overflows when processing malicious cursors, e.g., with
+  programs like GIMP. It is also possible that an attack vector exists
+  against the related code in cursor/xcursor.c in Wayland through
+  1.14.0.
+
+ -- Héctor Orón Martínez <zu...@debian.org>  Sun, 04 Mar 2018 11:43:29 +0100
+
 wayland (1.12.0-1) unstable; urgency=medium
 
   * New upstream release. Closes: #840752.
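Review bot: The text under the CVE-2017-16612.patch bullet is the advisory wording for libXcursor and ends on "It is also possible that an attack vector exists" without saying what this upload changes. Add a line stating that the patch bounds cursor image dimensions in cursor/xcursor.c, which is what the stable release managers need in order to judge the diff.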
diff --git a/debian/patches/CVE-2017-16612.patch 
b/debian/patches/CVE-2017-16612.patch
new file mode 100644
index 000..9d91f70
--- /dev/null
+++ b/debian/patches/CVE-2017-16612.patch
@@ -0,0 +1,47 @@
+commit 5d201df72f3d4f4cb8b8f75f980169b03507da38
+Author: Tobias Stoeckmann <tob...@stoeckmann.org>
+Date:   Tue Nov 28 21:38:07 2017 +0100
+
+cursor: Fix heap overflows when parsing malicious files.
+
+It is possible to trigger heap overflows due to an integer overflow
+while parsing images.
+
+The integer overflow occurs because the chosen limit 0x1 for
+dimensions is too large for 32 bit systems, because each pixel takes
+4 bytes. Properly chosen values allow an overflow which in turn will
+lead to less allocated memory than needed for subsequent reads.
+
+See also: 
https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8
+Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103961
+
+Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org>
+[Pekka: add link to the corresponding libXcursor commit]
+Signed-off-by: Pekka Paalanen <pekka.paala...@collabora.co.uk>
+
+diff --git a/cursor/xcursor.c b/cursor/xcursor.c
+index ca41c4a..689c702 100644
+--- a/cursor/xcursor.c
 b/cursor/xcursor.c
+@@ -202,6 +202,11 @@ XcursorImageCreate (int width, int height)
+ {
+ XcursorImage*image;
+ 
++if (width < 0 || height < 0)
++   return NULL;
++if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
++   return NULL;
++
+ image = malloc (sizeof (XcursorImage) +
+   width * height * sizeof (XcursorPixel));
+ if (!image)
+@@ -482,7 +487,8 @@ _XcursorReadImage (XcursorFile *file,
+ if (!_XcursorReadUInt (file, ))
+   return NULL;
+ /* sanity check data */
+-if (head.width >= 0x1 || head.height > 0x1)
++if (head.width > XCURSOR_IMAGE_MAX_SIZE  ||
++  head.height > XCURSOR_IMAGE_MAX_SIZE)
+   return NULL;
+ if (head.width == 0 || head.height == 0)
+   return NULL;
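Review bot: This is the same patch blob (index 9d91f70) that is proposed for 1.6.0 in the jessie request, with identical hunk positions @@ -202,6 and @@ -482,7. Check that it applies to cursor/xcursor.c in 1.12.0 without offset or fuzz, and refresh it against this tree if it does not.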
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..4c42ec7
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2017-16612.patch
-- 
2.16.2