Bug#926931: unblock: golang-github-go-debos-fakemachine/0.0~git20181105.9316584-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package golang-github-go-debos-fakemachine Fixes release critical bug which causes package to be unusable diff -Nru golang-github-go-debos-fakemachine-0.0~git20181105.9316584/debian/changelog golang-github-go-debos-fakemachine-0.0~git20181105.9316584/debian/changelog --- golang-github-go-debos-fakemachine-0.0~git20181105.9316584/debian/changelog 2018-11-09 10:15:18.0 +0100 +++ golang-github-go-debos-fakemachine-0.0~git20181105.9316584/debian/changelog 2019-04-12 11:53:04.0 +0200 @@ -1,3 +1,10 @@ +golang-github-go-debos-fakemachine (0.0~git20181105.9316584-2) unstable; urgency=medium + + * fakemachine: execution fails due to missing shared lib +(Closes: #924392) + + -- Héctor Orón Martínez Fri, 12 Apr 2019 11:53:04 +0200 + golang-github-go-debos-fakemachine (0.0~git20181105.9316584-1) unstable; urgency=medium * New upstream version 0.0~git20181105.9316584 diff -Nru golang-github-go-debos-fakemachine-0.0~git20181105.9316584/debian/patches/0001-Add-libresolve.so.2-in-the-initramfs.patch golang-github-go-debos-fakemachine-0.0~git20181105.9316584/debian/patches/0001-Add-libresolve.so.2-in-the-initramfs.patch --- golang-github-go-debos-fakemachine-0.0~git20181105.9316584/debian/patches/0001-Add-libresolve.so.2-in-the-initramfs.patch 1970-01-01 01:00:00.0 +0100 +++ golang-github-go-debos-fakemachine-0.0~git20181105.9316584/debian/patches/0001-Add-libresolve.so.2-in-the-initramfs.patch 2019-04-12 11:47:40.0 +0200 
@@ -0,0 +1,25 @@ +From: Sjoerd Simons +Date: Tue, 5 Mar 2019 10:17:57 +0100 +Subject: Add libresolve.so.2 in the initramfs + +busybox in buster depends on libresolve.so.2 so copy it to the +initramfs; Potentially in future fakemachine should move to +busybox-static + +Signed-off-by: Sjoerd Simons +--- + machine.go | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/machine.go b/machine.go +index 4a9bd83..021ee67 100644 +--- a/machine.go b/machine.go +@@ -457,6 +457,7 @@ func (m *Machine) startup(command string, extracontent [][2]string) (int, error) + if mergedUsrSystem() { + prefix = "/usr" + } ++ w.CopyFile(prefix + "/lib/x86_64-linux-gnu/libresolv.so.2") + w.CopyFile(prefix + "/lib/x86_64-linux-gnu/libc.so.6") + w.CopyFile(prefix + "/bin/busybox") + diff -Nru golang-github-go-debos-fakemachine-0.0~git20181105.9316584/debian/patches/series golang-github-go-debos-fakemachine-0.0~git20181105.9316584/debian/patches/series --- golang-github-go-debos-fakemachine-0.0~git20181105.9316584/debian/patches/series 1970-01-01 01:00:00.0 +0100 +++ golang-github-go-debos-fakemachine-0.0~git20181105.9316584/debian/patches/series 2019-04-12 11:47:40.0 +0200 @@ -0,0 +1 @@ +0001-Add-libresolve.so.2-in-the-initramfs.patch unblock golang-github-go-debos-fakemachine/0.0~git20181105.9316584-2 -- System Information: Debian Release: buster/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: armhf Kernel: Linux 4.19.0-4-amd64 (SMP w/16 CPU cores) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=ca_AD.UTF-8, LC_CTYPE=ca_AD.UTF-8 (charmap=UTF-8), LANGUAGE=ca_AD.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
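Review bot: the new w.CopyFile line in the machine.go hunk hardcodes the /lib/x86_64-linux-gnu/ multiarch path, so the libresolv.so.2 fix only takes effect on amd64 hosts; the neighbouring libc.so.6 and busybox lines share that limitation, but since this is the line being added it is the place to derive the triplet from the host architecture rather than repeating the literal path. As on the surrounding lines, nothing checks whether CopyFile succeeded, so a host without the library is silently skipped and the problem only reappears as a failure inside the VM; checking its result here would turn that into an immediate error. Separately, the patch file name, Subject and series entry say libresolve.so.2 while the library actually copied is libresolv.so.2; renaming them to match the real soname avoids confusion when someone later searches the series file for the fix.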
Bug#926124: unblock: weston/5.0.0-3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package weston Fixed a couple bugs related to: - make build reproducible - fix startup with systemd-login Find debdiff attached: diff --git a/debian/changelog b/debian/changelog index d6a391bc..ba9cb592 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +weston (5.0.0-3) unstable; urgency=medium + + * debian/control: add libdbus-1-dev to Build-Depends +- Fixes "won't start despite having an active logind session" +(Closes: #799325) +Thanks Paul Menzel for analysis. + * debian/patches/reproducible-build-899358.patch: new patch +- Make the build reproducible +(Closes: #899358) + + -- Héctor Orón Martínez Thu, 28 Mar 2019 14:11:26 +0100 + weston (5.0.0-2) unstable; urgency=medium [ Emilio Pozuelo Monfort ] diff --git a/debian/control b/debian/control index c2c11c28..4eea61de 100644 --- a/debian/control +++ b/debian/control @@ -10,6 +10,7 @@ Build-Depends: debhelper (>= 10), quilt, pkg-config, + libdbus-1-dev, libpixman-1-dev (>= 0.25.2), libpng-dev, libjpeg-dev, diff --git a/debian/patches/reproducible-build-899358.patch b/debian/patches/reproducible-build-899358.patch new file mode 100644 index ..642c9dfb --- /dev/null +++ b/debian/patches/reproducible-build-899358.patch @@ -0,0 +1,14 @@ +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899358 +Index: weston/weston.ini.in +=== +--- weston.orig/weston.ini.in 2019-03-28 12:55:11.730324981 +0100 weston/weston.ini.in 2019-03-28 12:58:53.029372855 +0100 +@@ -38,7 +38,7 @@ + + [launcher] + icon=/usr/share/icons/gnome/24x24/apps/arts.png +-path=@abs_top_builddir@/weston-flower ++path=@libexecdir@/weston-flower + + [input-method] + path=@libexecdir@/weston-keyboard diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index ..4a8185bf --- /dev/null +++ b/debian/patches/series 
@@ -0,0 +1 @@ +reproducible-build-899358.patch unblock weston/5.0.0-3 -- System Information: Debian Release: buster/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: armhf Kernel: Linux 4.19.0-4-amd64 (SMP w/16 CPU cores) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=ca_AD.UTF-8, LC_CTYPE=ca_AD.UTF-8 (charmap=UTF-8), LANGUAGE=ca_AD:ca (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
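Review bot: the debian/control hunk only adds libdbus-1-dev to Build-Depends, with no accompanying change in debian/rules, so the logind startup fix (#799325) relies on weston's configure detecting dbus and enabling its logind support automatically at build time; the request would be stronger if it said so explicitly (or if the feature were enabled explicitly in the build) and pointed at a build log showing logind support detected, so the fix cannot silently regress if the dependency is ever dropped again. On the reproducible-build patch, swapping @abs_top_builddir@ for @libexecdir@ in weston.ini.in removes the absolute build directory from the installed weston.ini, which is what made the package unreproducible (#899358); the one check to do before accepting it is that weston-flower is really shipped under libexecdir in the binary package, since a wrong path there only breaks the launcher entry quietly at run time.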
Bug#922340: unblock: open-build-service/2.9.4-1
Hello,

Message from Jonathan Wiltshire on Sun, 17 Mar 2019 at 19:04:
>
> Control: tag -1 moreinfo
>
> Hi,
>
> On Wed, Mar 06, 2019 at 11:51:45PM +0100, Hector Oron wrote:
> > OK, I tried, and to be honest, stable isn't perfect either, since
> > distro lifecycle is longer than application support, so not allowing
> > newer upstream versions in stable is problematic security wise in the
> > long term. open-build-service is not the only one in this category,
> > there are many packages in the same situation and it'd be nice to find
> > a common solution for all those.
>
> What is upstream's approach to stable security updates like? How long is a
> stable series maintained? Is it realistic to cherry-pick fixes from new
> upstream releases for buster's lifetime?
>
> New upstreams in stable aren't a problem in themselves, but when not all
> new upstream releases are suitable (e.g. mixing bug fixes and features) the
> effect can be to block further releases, and make fixing high severity bugs
> harder.

I have been discussing the current state of the package with my colleagues and it needs a bit more polishing, hence we are fine with closing this unblock as Paul did. We'll look into alternative ways to distribute the package for the next stable distribution.

Thanks,
--
Héctor Orón
-.. . -... .. .- -. -.. . ...- . .-.. --- .--. . .-.
Bug#922339: unblock: python-cassandra-driver/3.16.0-1
Hello,

Message from Paul Gevers on Sat, 30 Mar 2019 at 19:12:
>
> tags 922339 wontfix
> thanks
>
> On Sun, 17 Mar 2019 17:38:21 + Jonathan Wiltshire wrote:
> > On Thu, Feb 14, 2019 at 08:11:55PM +0100, Héctor Orón Martínez wrote:
> > > Please unblock package python-cassandra-driver
> > >
> > > I have been working with Emmanuel Arias on getting his package sponsored
> > > into Debian, however it did not make it into Buster on time. It is a
> > > `salt` build dependency (however `salt` package maintainer has disabled
> > > it until it makes it in Buster).
> >
> > Is the intention that salt will enable support once this package migrates?
> > Will that require an unblock too?
> >
> > #921658 seems to suggest that salt is only a test-time build dependency.
> > Does this mean that not all of salt's tests are being run at the moment?
> > What is the impact of this?
> >
> > 2018-12-05 when the upload was prepared to 2019-02-08 when it was uploaded
> > is quite a long delay. Is long-term maintenance assured? Are sufficient
> > sponsors available for the next 5-6 years?
>
> I am closing this bug as wontfix as it is getting too late in the cycle
> for new packages and the above questions were not answered.

I am fine with that if it is not blocking saltstack from being in buster. We can get it back in for Bullseye.

Thanks,
--
Héctor Orón
-.. . -... .. .- -. -.. . ...- . .-.. --- .--. . .-.
Bug#922342: unblock: ruby-jquery-ui-rails/6.0.1+dfsg-3
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package ruby-jquery-ui-rails

`ruby-jquery-ui-rails` did not make it in time for the soft freeze; however, I'd like the release team to consider and grant an exception for it so we can get the `open-build-service` package into the Buster release.

I am not attaching a debdiff since it is a major update. Gitlab is available at:
https://salsa.debian.org/ruby-team/ruby-jquery-ui-rails

Thanks for considering

unblock ruby-jquery-ui-rails/6.0.1+dfsg-3

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.19.0-2-amd64 (SMP w/16 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=ca_AD.UTF-8, LC_CTYPE=ca_AD.UTF-8 (charmap=UTF-8), LANGUAGE=ca_AD:ca (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Bug#922341: unblock: ruby-clockwork/2.0.3-4
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package ruby-clockwork

`ruby-clockwork` did not make it in time for the soft freeze; however, I'd like the release team to consider and grant an exception for it so we can get the `open-build-service` package into the Buster release.

I am not attaching a debdiff since it is a major update. Gitlab is available at:
https://salsa.debian.org/ruby-team/ruby-clockwork

Thanks for considering

unblock ruby-clockwork/2.0.3-4

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.19.0-2-amd64 (SMP w/16 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=ca_AD.UTF-8, LC_CTYPE=ca_AD.UTF-8 (charmap=UTF-8), LANGUAGE=ca_AD:ca (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Bug#922340: unblock: open-build-service/2.9.4-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package open-build-service

A lot of effort has been put into `open-build-service`, since the ruby rails 5 transition needed to happen, and it did. Even though the package was uploaded on time, it was delayed by a couple of dependencies: `ruby-clockwork` and `ruby-jquery-ui-rails`. Please consider an exception and allow `open-build-service` into the Buster release.

I am not attaching a debdiff since it is a major upstream version update. You might check gitlab instead at:
https://salsa.debian.org/ruby-team/open-build-service

And its dependencies at:
https://salsa.debian.org/ruby-team/ruby-clockwork
https://salsa.debian.org/ruby-team/ruby-jquery-ui-rails

unblock open-build-service/2.9.4-1

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.19.0-2-amd64 (SMP w/16 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=ca_AD.UTF-8, LC_CTYPE=ca_AD.UTF-8 (charmap=UTF-8), LANGUAGE=ca_AD:ca (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Bug#922339: unblock: python-cassandra-driver/3.16.0-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package python-cassandra-driver

I have been working with Emmanuel Arias on getting his package sponsored into Debian; however, it did not make it into Buster on time. It is a `salt` build dependency (however, the `salt` package maintainer has disabled it until it makes it into Buster).

I am not attaching a debdiff because it is a new upstream version and I am requesting an exception here. You may check gitlab instead, which I know is not preferred.
https://salsa.debian.org/python-team/modules/python-cassandra-driver

unblock python-cassandra-driver/3.16.0-1

Thanks for considering an exception to allow this package into the Buster release.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.19.0-2-amd64 (SMP w/16 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=ca_AD.UTF-8, LC_CTYPE=ca_AD.UTF-8 (charmap=UTF-8), LANGUAGE=ca_AD:ca (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Bug#912853: transition: icu
Hey Steve,

Message from Steve McIntyre on Wed, 14 Nov 2018 at 17:11:
> Digging further and installing some debug symbols, I get to a problem
> in libfreetype6:
>
> (sid-armhf)steve@mjolnir:~/debian/harfbuzz/harfbuzz-2.1.1/build-main$ gdb util/.libs/hb-shape core
> ...
> Core was generated by `/home/steve/debian/harfbuzz/harfbuzz-2.1.1/build-main/util/.libs/hb-shape ../te'.
> Program terminated with signal SIGBUS, Bus error.
> #0  TT_Get_MM_Var (face=0x1c66d78, master=master@entry=0x0) at ./freetype-2.8.1/src/truetype/ttgxvar.c:2122
> 2122        if ( a->minimum > a->def ||

Thanks! Did you check whether the version in experimental (freetype-2.9.1) fixes it?

Regards
--
Héctor Orón
-.. . -... .. .- -. -.. . ...- . .-.. --- .--. . .-.
Bug#912853: transition: icu
Hello,

Message from Emilio Pozuelo Monfort on Tue, 13 Nov 2018 at 18:44:
>
> On 13/11/2018 17:45, László Böszörményi (GCS) wrote:
> > Please note that src:harfbuzz currently has a problem on armhf, it
> > failed to build three times in a row. The reason is known: the
> > arm-arm-01 named buildd always failed to build it[1]. Can you schedule
> > its build on another armhf machine or a buildd admin (in Cc) can do
> > it? There's no sense trying to build it on the mentioned box again and
> > again or even later. If possible, please set that src:harfbuzz
> > shouldn't be tried to build on the arm-arm-01 machine in the future.
>
> That will be investigated. The problem is that arm-arm-01 is an arm64 machine,
> building armhf packages. harfbuzz doesn't like that.

Indeed, Steve is working on that topic, re-building armhf/armel on arm64, and has already found some issues. I pinged him about it on IRC; however, I am CCing him on this one as it might be valuable for his work.

Regards
--
Héctor Orón
-.. . -... .. .- -. -.. . ...- . .-.. --- .--. . .-.
Bug#912853: transition: icu
Hello László,

Message from László Böszörményi (GCS) on Tue, 13 Nov 2018 at 17:46:
>
> On Mon, Nov 12, 2018 at 4:05 PM Emilio Pozuelo Monfort wrote:
> > On 11/11/2018 11:24, László Böszörményi (GCS) wrote:
> > > On Sun, Nov 4, 2018 at 4:45 PM Laszlo Boszormenyi (GCS) wrote:
> > >> I'd like to upload ICU 63.1 which was recently released for Buster.
> > > I still miss the last three packages rebuilt, but I don't expect any
> > > problems with those.
> > > First, my methodology was to build the related packages both on i386
> > > and amd64 (32 and 64 bit) to detect all possible problems in advance.
> > > If a package failed due to ICU, I've patched it. If the reason was not
> > > clear, I rebuilt the package for Sid to check that result as well.
> > > The order of rebuilds was harfbuzz -> boost1.67 -> make boost-defaults
> > > point to it, then all other packages.
> > Please go ahead with this. I will ack the boost transition once this is
> > built.
> Please note that src:harfbuzz currently has a problem on armhf, it
> failed to build three times in a row. The reason is known: the
> arm-arm-01 named buildd always failed to build it[1]. Can you schedule
> its build on another armhf machine or a buildd admin (in Cc) can do
> it? There's no sense trying to build it on the mentioned box again and
> again or even later. If possible, please set that src:harfbuzz
> shouldn't be tried to build on the arm-arm-01 machine in the future.

I have blacklisted it on arm-arm-01; however, someone gave it back and it is building (update: built!) on arnold now.

Regards

> Thanks,
> Laszlo/GCS
> [1] https://buildd.debian.org/status/logs.php?pkg=harfbuzz=armhf

--
Héctor Orón
-.. . -... .. .- -. -.. . ...- . .-.. --- .--. . .-.
Bug#892031: stretch-pu: package wayland/1.12.0-1
Hello,

Message from Salvatore Bonaccorso on Fri, 9 Nov 2018 at 6:57:
> Friendly ping, can you upload the fixed package? Unfortunately this
> will not make it for 9.6 but can then for 9.7.

I have uploaded the package.

Regards
--
Héctor Orón
-.. . -... .. .- -. -.. . ...- . .-.. --- .--. . .-.
Bug#903830: RM: intel-processor-trace/stable [s390x] -- ANAIS; package only meaningful on Intel architecture
Package: ftp.debian.org
Severity: normal

The `intel-processor-trace` package is only meaningful on Intel architectures, therefore the other binaries should be removed from the archive. Please remove the s390x binaries (libipt1, libipt-dev) for the stable, testing and unstable distributions.

Regards
Bug#892070: stretch-pu: package obs-build/20160921-1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hello, I would like to push security fix into stable for `obs-build`. The patch fixes CVE-2017-14804 as described in #887306. Please consider the following patch attached. Regards -- System Information: Debian Release: buster/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: armhf Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=ca_AD.utf8, LC_CTYPE=ca_AD.utf8 (charmap=UTF-8), LANGUAGE=ca_AD:ca (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled diff -Nru obs-build-20170201/debian/changelog obs-build-20170201/debian/changelog --- obs-build-20170201/debian/changelog 2017-08-04 23:24:36.0 +0200 +++ obs-build-20170201/debian/changelog 2018-03-04 23:05:06.0 +0100 @@ -1,3 +1,11 @@ +obs-build (20170201-3+deb9u1) stretch; urgency=medium + + * CVE-2017-14804 (Closes: #887306) +- Improve extractbuild to avoid write to files in the host system. +- debian/patches/Improve-sanity-checks-in-extractbuild.patch: add new + + -- Héctor Orón Martínez <zu...@debian.org> Sun, 04 Mar 2018 23:05:06 +0100 + obs-build (20170201-3) unstable; urgency=medium [ Sjoerd Simons ] diff -Nru obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch --- obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch 1970-01-01 01:00:00.0 +0100 +++ obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch 2018-03-04 23:01:56.0 +0100 
@@ -0,0 +1,34 @@ +From fc36b1c95afbe11e65fd1ed6f75c1824cdb26230 Mon Sep 17 00:00:00 2001 +Message-Id: <fc36b1c95afbe11e65fd1ed6f75c1824cdb26230.1511739165.git.suse-...@gmx.de> +From: Marcus Huewe <suse-...@gmx.de> +Date: Sun, 26 Nov 2017 20:25:48 +0100 +Subject: [PATCH] Improve sanity checks in extractbuild + +A \0 in a symlink target can be used to write to a file in the host +system. For the same reason, we do not allow to process a file more +than once. A \0 in a filename makes no sense, hence forbid it. +--- + extractbuild | 3 +++ + 1 file changed, 3 insertions(+) + +Index: obs-build-20160921/extractbuild +=== +--- obs-build-20160921.orig/extractbuild obs-build-20160921/extractbuild +@@ -74,6 +74,8 @@ while () { + my ($filetype, $file, $filesize, $blksize, @blocks) = split(/ /); + die("invalid input '$_'\n") unless defined($file); + $file =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/ge; ++ die("bad file '$file' (contains \\0)\n") if $file =~ /\0/; ++ die("already processed: $file\n") if $done{$file}; + die("bad file '$file'\n") if "/$file/" =~ /\/\.{0,2}\//s; + if ($file =~ /^(.*)\//s) { + die("file without directory: $file\n") unless $done{$1} && $done{$1} eq 'd'; +@@ -88,6 +90,7 @@ while () { + my $target = $filesize; + die("symlink without target\n") unless defined $target; + $target =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/ge; ++die("bad symlink: $target (contains \\0)\n") if $target =~ /\0/; + die("bad symlink: $target\n") if "/$target/" =~ /\/\.?\//s; + if ("/$target/" =~ /^(\/\.\.)+\/(.*?)$/s) { + my ($head, $tail) = ($1, $2); diff -Nru obs-build-20170201/debian/patches/series obs-build-20170201/debian/patches/series --- obs-build-20170201/debian/patches/series2017-08-04 23:24:36.0 +0200 +++ obs-build-20170201/debian/patches/series2018-03-04 23:03:58.0 +0100 @@ -15,3 +15,4 @@ HACK-Make-glibc-build.patch debootstrap-generate-apt-caches.patch +Improve-sanity-checks-in-extractbuild.patch
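Review bot: the changelog hunk versions the update as obs-build (20170201-3+deb9u1) on top of the 20170201-3 unstable entry, while the request title names stretch's package as obs-build/20160921-1; the two cannot both be right, and a stable update has to be built from the source version actually in stretch, so please confirm which version stretch ships and regenerate the debdiff against that tree with a matching +deb9u1 version (the embedded patch's Index: obs-build-20160921/extractbuild header suggests the fix was prepared against the 20160921 sources, which may be the intended base). The extractbuild hunks themselves look right: both \0 checks run after the %XX decoding of $file and $target, so an encoded %00 cannot slip past them, and the $done{$file} check refuses to process the same path twice, which the commit message ties to the same host-write problem.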
Bug#892032: jessie-pu: package wayland/1.6.0-2
Hello, 2018-03-04 15:44 GMT+01:00 Emilio Pozuelo Monfort <po...@debian.org>: > On 04/03/18 12:46, Héctor Orón Martínez wrote: >> >> diff --git a/debian/changelog b/debian/changelog >> index 645a4bc..b6409a8 100644 >> --- a/debian/changelog >> +++ b/debian/changelog >> @@ -1,3 +1,14 @@ >> +wayland (1.6.0-2+deb8u1) stretch; urgency=medium > > Distribution should be jessie. Ouch! Right. Find new version attached -- Héctor Orón -.. . -... .. .- -. -.. . ...- . .-.. --- .--. . .-. From c9f4eb1998a3b390c8b03df7c84f83608a3418fb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?H=C3=A9ctor=20Or=C3=B3n=20Mart=C3=ADnez?= <zu...@debian.org> Date: Sun, 4 Mar 2018 12:29:17 +0100 Subject: [PATCH] debian/patches/CVE-2017-16612.patch: fix cursor integer overflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Héctor Orón Martínez <zu...@debian.org> --- debian/changelog| 11 + debian/patches/CVE-2017-16612.patch | 47 + debian/patches/series | 1 + 3 files changed, 59 insertions(+) create mode 100644 debian/patches/CVE-2017-16612.patch create mode 100644 debian/patches/series diff --git a/debian/changelog b/debian/changelog index 645a4bc..0379671 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +wayland (1.6.0-2+deb8u1) jessie; urgency=medium + + * debian/patches/CVE-2017-16612.patch: (Closes: #889681) +- libXcursor before 1.1.15 has various integer overflows that could lead + to heap buffer overflows when processing malicious cursors, e.g., with + programs like GIMP. It is also possible that an attack vector exists + against the related code in cursor/xcursor.c in Wayland through + 1.14.0. + + -- Héctor Orón Martínez <zu...@debian.org> Sun, 04 Mar 2018 12:27:36 +0100 + wayland (1.6.0-2) unstable; urgency=medium * Switch back to use upstream tarball. diff --git a/debian/patches/CVE-2017-16612.patch b/debian/patches/CVE-2017-16612.patch new file mode 100644 index 000..9d91f70 --- /dev/null 
+++ b/debian/patches/CVE-2017-16612.patch @@ -0,0 +1,47 @@ +commit 5d201df72f3d4f4cb8b8f75f980169b03507da38 +Author: Tobias Stoeckmann <tob...@stoeckmann.org> +Date: Tue Nov 28 21:38:07 2017 +0100 + +cursor: Fix heap overflows when parsing malicious files. + +It is possible to trigger heap overflows due to an integer overflow +while parsing images. + +The integer overflow occurs because the chosen limit 0x1 for +dimensions is too large for 32 bit systems, because each pixel takes +4 bytes. Properly chosen values allow an overflow which in turn will +lead to less allocated memory than needed for subsequent reads. + +See also: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8 +Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103961 + +Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org> +[Pekka: add link to the corresponding libXcursor commit] +Signed-off-by: Pekka Paalanen <pekka.paala...@collabora.co.uk> + +diff --git a/cursor/xcursor.c b/cursor/xcursor.c +index ca41c4a..689c702 100644 +--- a/cursor/xcursor.c b/cursor/xcursor.c +@@ -202,6 +202,11 @@ XcursorImageCreate (int width, int height) + { + XcursorImage*image; + ++if (width < 0 || height < 0) ++ return NULL; ++if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE) ++ return NULL; ++ + image = malloc (sizeof (XcursorImage) + + width * height * sizeof (XcursorPixel)); + if (!image) +@@ -482,7 +487,8 @@ _XcursorReadImage (XcursorFile *file, + if (!_XcursorReadUInt (file, )) + return NULL; + /* sanity check data */ +-if (head.width >= 0x1 || head.height > 0x1) ++if (head.width > XCURSOR_IMAGE_MAX_SIZE || ++ head.height > XCURSOR_IMAGE_MAX_SIZE) + return NULL; + if (head.width == 0 || head.height == 0) + return NULL; diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..4c42ec7 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2017-16612.patch -- 2.16.2
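Review bot: both cursor/xcursor.c hunks compare against XCURSOR_IMAGE_MAX_SIZE without defining it, so before uploading confirm that the jessie 1.6.0 copy of xcursor.c already carries that constant and that quilt applies the patch without fuzz at the @@ -202 and @@ -482 offsets. In the first hunk the negative-value check is the part that closes the overflow path, because width * height is evaluated as an int product before the multiplication by sizeof (XcursorPixel), and in the second hunk the width test moves from >= to > so that the limit is inclusive on both sides, consistent with XcursorImageCreate. The changelog now says jessie for 1.6.0-2+deb8u1, matching Emilio's comment.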
Bug#892032: jessie-pu: package wayland/1.6.0-2
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hello, I would like to apply oldstable fix for #889681 in oldstable. I am attaching the patch I plan to upload to oldstable. Note, I have requested security team if they want to handle it via security queue or stable update instead. Regards -- System Information: Debian Release: buster/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: armhf Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=ca_AD.utf8, LC_CTYPE=ca_AD.utf8 (charmap=UTF-8), LANGUAGE=ca_AD:ca (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled From 5df34123d130816a1acf506d8e9f1a1c3e3efcc8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?H=C3=A9ctor=20Or=C3=B3n=20Mart=C3=ADnez?= <zu...@debian.org> Date: Sun, 4 Mar 2018 12:29:17 +0100 Subject: [PATCH] debian/patches/CVE-2017-16612.patch: fix cursor integer overflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Héctor Orón Martínez <zu...@debian.org> --- debian/changelog| 11 + debian/patches/CVE-2017-16612.patch | 47 + debian/patches/series | 1 + 3 files changed, 59 insertions(+) create mode 100644 debian/patches/CVE-2017-16612.patch create mode 100644 debian/patches/series diff --git a/debian/changelog b/debian/changelog index 645a4bc..b6409a8 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,14 @@ +wayland (1.6.0-2+deb8u1) stretch; urgency=medium + + * debian/patches/CVE-2017-16612.patch: (Closes: #889681) +- libXcursor before 1.1.15 has various integer overflows that could lead + to heap buffer overflows when processing malicious cursors, e.g., with + programs like GIMP. It is also possible that an attack vector exists + against the related code in cursor/xcursor.c in Wayland through + 1.14.0. + + -- Héctor Orón Martínez <zu...@debian.org> Sun, 04 Mar 2018 12:27:36 +0100 + wayland (1.6.0-2) unstable; urgency=medium * Switch back to use upstream tarball. diff --git a/debian/patches/CVE-2017-16612.patch b/debian/patches/CVE-2017-16612.patch new file mode 100644 index 000..9d91f70 --- /dev/null +++ b/debian/patches/CVE-2017-16612.patch 
@@ -0,0 +1,47 @@ +commit 5d201df72f3d4f4cb8b8f75f980169b03507da38 +Author: Tobias Stoeckmann <tob...@stoeckmann.org> +Date: Tue Nov 28 21:38:07 2017 +0100 + +cursor: Fix heap overflows when parsing malicious files. + +It is possible to trigger heap overflows due to an integer overflow +while parsing images. + +The integer overflow occurs because the chosen limit 0x1 for +dimensions is too large for 32 bit systems, because each pixel takes +4 bytes. Properly chosen values allow an overflow which in turn will +lead to less allocated memory than needed for subsequent reads. + +See also: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8 +Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103961 + +Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org> +[Pekka: add link to the corresponding libXcursor commit] +Signed-off-by: Pekka Paalanen <pekka.paala...@collabora.co.uk> + +diff --git a/cursor/xcursor.c b/cursor/xcursor.c +index ca41c4a..689c702 100644 +--- a/cursor/xcursor.c b/cursor/xcursor.c +@@ -202,6 +202,11 @@ XcursorImageCreate (int width, int height) + { + XcursorImage*image; + ++if (width < 0 || height < 0) ++ return NULL; ++if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE) ++ return NULL; ++ + image = malloc (sizeof (XcursorImage) + + width * height * sizeof (XcursorPixel)); + if (!image) +@@ -482,7 +487,8 @@ _XcursorReadImage (XcursorFile *file, + if (!_XcursorReadUInt (file, )) + return NULL; + /* sanity check data */ +-if (head.width >= 0x1 || head.height > 0x1) ++if (head.width > XCURSOR_IMAGE_MAX_SIZE || ++ head.height > XCURSOR_IMAGE_MAX_SIZE) + return NULL; + if (head.width == 0 || head.height == 0) + return NULL; diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..4c42ec7 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2017-16612.patch -- 2.16.2
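Review bot: the changelog hunk declares the distribution as stretch for wayland (1.6.0-2+deb8u1); a +deb8u1 revision targets jessie, so the first changelog line should read jessie, otherwise the upload will be rejected or routed to the wrong suite. The rest of the patch (the cursor/xcursor.c hunks and the series file) is the same upstream commit 5d201df72f3d4f4cb8b8f75f980169b03507da38 and does not need to change for that fix.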
Bug#892031: stretch-pu: package wayland/1.12.0-1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hello, I would like to apply fix in stable for #889681. I have asked security team if they want the fix via security queue or stable update, however I have gotten no reply yet. I am attaching the patch I intend to upload to stable if you acknowledge it. Regards -- System Information: Debian Release: buster/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: armhf Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=ca_AD.utf8, LC_CTYPE=ca_AD.utf8 (charmap=UTF-8), LANGUAGE=ca_AD:ca (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled From 2471b0463e9395bd981f8b875e3280f1fc6b995f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?H=C3=A9ctor=20Or=C3=B3n=20Mart=C3=ADnez?= <zu...@debian.org> Date: Sun, 4 Mar 2018 11:54:40 +0100 Subject: [PATCH] debian/patches/CVE-2017-16612.patch: fix cursor integer overflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Héctor Orón Martínez <zu...@debian.org> --- debian/changelog| 11 + debian/patches/CVE-2017-16612.patch | 47 + debian/patches/series | 1 + 3 files changed, 59 insertions(+) create mode 100644 debian/patches/CVE-2017-16612.patch create mode 100644 debian/patches/series diff --git a/debian/changelog b/debian/changelog index 2f84b50..7495ef3 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,14 @@ +wayland (1.12.0-1+deb9u1) stretch; urgency=medium + + * debian/patches/CVE-2017-16612.patch: (Closes: #889681) +- libXcursor before 1.1.15 has various integer overflows that could lead + to heap buffer overflows when processing malicious cursors, e.g., with + programs like GIMP. It is also possible that an attack vector exists + against the related code in cursor/xcursor.c in Wayland through + 1.14.0. + + -- Héctor Orón Martínez <zu...@debian.org> Sun, 04 Mar 2018 11:43:29 +0100 + wayland (1.12.0-1) unstable; urgency=medium * New upstream release. Closes: #840752. diff --git a/debian/patches/CVE-2017-16612.patch b/debian/patches/CVE-2017-16612.patch new file mode 100644 index 000..9d91f70 --- /dev/null +++ b/debian/patches/CVE-2017-16612.patch 
@@ -0,0 +1,47 @@ +commit 5d201df72f3d4f4cb8b8f75f980169b03507da38 +Author: Tobias Stoeckmann <tob...@stoeckmann.org> +Date: Tue Nov 28 21:38:07 2017 +0100 + +cursor: Fix heap overflows when parsing malicious files. + +It is possible to trigger heap overflows due to an integer overflow +while parsing images. + +The integer overflow occurs because the chosen limit 0x1 for +dimensions is too large for 32 bit systems, because each pixel takes +4 bytes. Properly chosen values allow an overflow which in turn will +lead to less allocated memory than needed for subsequent reads. + +See also: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8 +Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103961 + +Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org> +[Pekka: add link to the corresponding libXcursor commit] +Signed-off-by: Pekka Paalanen <pekka.paala...@collabora.co.uk> + +diff --git a/cursor/xcursor.c b/cursor/xcursor.c +index ca41c4a..689c702 100644 +--- a/cursor/xcursor.c b/cursor/xcursor.c +@@ -202,6 +202,11 @@ XcursorImageCreate (int width, int height) + { + XcursorImage*image; + ++if (width < 0 || height < 0) ++ return NULL; ++if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE) ++ return NULL; ++ + image = malloc (sizeof (XcursorImage) + + width * height * sizeof (XcursorPixel)); + if (!image) +@@ -482,7 +487,8 @@ _XcursorReadImage (XcursorFile *file, + if (!_XcursorReadUInt (file, )) + return NULL; + /* sanity check data */ +-if (head.width >= 0x1 || head.height > 0x1) ++if (head.width > XCURSOR_IMAGE_MAX_SIZE || ++ head.height > XCURSOR_IMAGE_MAX_SIZE) + return NULL; + if (head.width == 0 || head.height == 0) + return NULL; diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..4c42ec7 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2017-16612.patch -- 2.16.2
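Review bot: the changelog hunk describes the fix with the CVE text for libXcursor ("libXcursor before 1.1.15 has various integer overflows ... It is also possible that an attack vector exists against the related code in cursor/xcursor.c in Wayland through 1.14.0"), which reads as a description of a different package; a stretch changelog entry should state what this upload fixes, namely the heap overflow in wayland's own cursor/xcursor.c image parser, with the CVE-2017-16612 id and the upstream commit reference already present in the patch header. Also, since the identical 47-line patch file is reused for both the jessie 1.6.0 and stretch 1.12.0 trees, check the build log for quilt fuzz or offset messages on the @@ -202 and @@ -482 hunks against 1.12.0 before the upload.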