Bug#991335: unblock: supertuxkart (pre-approval)
Control: tags -1 - moreinfo

Hi Sebastian,

On Sun, Jul 25, 2021 at 04:50:17PM +0200, Sebastian Ramacher wrote:
> Thanks, please go ahead. Once the new version is available in unstable,
> please remove the moreinfo tag.

the new version is now available in unstable.
Thanks for the unblock approval!

Kind regards,
Reiner
Bug#991335: unblock: supertuxkart (pre-approval)
uxkart-1.2+ds/debian/asset-replacements/karts/sara_the_wizard/icon-sara.png and /tmp/JTPOFCV03m/supertuxkart-1.2+ds2/debian/asset-replacements/karts/sara_the_wizard/icon-sara.png differ Binary files /tmp/Bjy0baotd8/supertuxkart-1.2+ds/debian/asset-replacements/sfx/jump.ogg and /tmp/JTPOFCV03m/supertuxkart-1.2+ds2/debian/asset-replacements/sfx/jump.ogg differ Binary files /tmp/Bjy0baotd8/supertuxkart-1.2+ds/debian/asset-replacements/sfx/plopp.ogg and /tmp/JTPOFCV03m/supertuxkart-1.2+ds2/debian/asset-replacements/sfx/plopp.ogg differ Binary files /tmp/Bjy0baotd8/supertuxkart-1.2+ds/debian/asset-replacements/tracks/stk_enterprise/img_0572.png and /tmp/JTPOFCV03m/supertuxkart-1.2+ds2/debian/asset-replacements/tracks/stk_enterprise/img_0572.png differ diff -Nru supertuxkart-1.2+ds/debian/changelog supertuxkart-1.2+ds2/debian/changelog --- supertuxkart-1.2+ds/debian/changelog2021-01-30 16:44:06.0 +0100 +++ supertuxkart-1.2+ds2/debian/changelog 2021-07-25 12:48:11.0 +0200 
@@ -1,3 +1,21 @@ +supertuxkart (1.2+ds2-1) unstable; urgency=medium + + * Team upload. + * Repack upstream tarball to drop non-free assets: (Closes: #990368) +- the karts beastie and hexley have been removed +- remove unused files with unknown license status: + roof_test.png, stone-gloss.jpg, window.png +- replace assets with unknown license status: + img_0572.png, icon-sara.png, jump.ogg, plopp.ogg + * d/copyright: Sync license and copyright information with upstream +stk-assets repo. Thanks to deve and benau for license investigations and +asset replacements. + * d/rules: Copy replaced assets into data directory. + * Cherry-pick upstream patches to keep network compatibility when official +karts are missing. + + -- Reiner Herrmann Sun, 25 Jul 2021 12:48:11 +0200 + supertuxkart (1.2+ds-2) unstable; urgency=medium * Team upload. diff -Nru supertuxkart-1.2+ds/debian/copyright supertuxkart-1.2+ds2/debian/copyright --- supertuxkart-1.2+ds/debian/copyright2021-01-30 16:44:06.0 +0100 +++ supertuxkart-1.2+ds2/debian/copyright 2021-07-25 12:48:11.0 +0200 @@ -15,6 +15,16 @@ lib/glew lib/libsquish lib/mcpp + data/karts/beastie + data/karts/hexley + data/tracks/stk_enterprise/img_0572.png + data/tracks/stk_enterprise/stone-gloss.jpg + data/tracks/stk_enterprise/window.png + data/library/stklib_aztecHouse_a/roof_test.png + data/sfx/jump.ogg + data/sfx/plopp.ogg + data/karts/sara_the_wizard/icon-sara.png + data/karts/sara_the_racer/icon-sara.png Files: * Copyright: 2006-2019 SuperTuxKart-Team @@ -180,8 +190,8 @@ 2015 Dawid Gan 2016 GaryShearer 2015 Thomas Glamsch -License: -Comment: Appears to be (partially) generated by a program, according to SVN log. +License: public-domain +Comment: generated images from Blender scene Files: data/supertuxkart.appdata.xml Copyright: SuperTuxKart Team 
@@ -225,16 +235,21 @@ Files: data/models/gift-loop-gloss.png Copyright: 2014 Marianne "Auria" Gagnon -License: +License: CC-BY-SA-3.0 Files: data/models/bubblegum-nolok.spm data/models/bubblegum-nolok-low.spm - data/models/bubblegum_nolok.jpg data/models/bubblegum_shield_nolok.spm data/models/bubblegum_shield_nolok.png Copyright: 2013 Marianne Gagnon -License: +License: CC-BY-SA-3.0 + +Files: data/models/bubblegum_nolok.jpg +Copyright: + 2013 MiniBjorn + 2013 Marianne Gagnon +License: CC-BY-SA-3.0 Files: data/models/bubblegum_shield.spm @@ -242,26 +257,22 @@ Copyright: 2013 johannesr1 2013 Marianne Gagnon -License: -Comment: Possibly ineligible for copyright protection since it's just a sphere and a single solid-color texture. +License: CC-BY-SA-3.0 Files: data/models/balldimpleddark.jpg Copyright: 2012 Hero License: CC-BY-SA-3.0 -Files: data/models/banana.spm +Files: + data/models/banana.spm + data/models/banana.png Copyright: 2008 Thomas Oppl (Horace) License: CC-BY-SA-3.0 - -Files: data/models/banana.png -Copyright: -License: -Comment: See r2366. Maybe by Thomas Oppl? Who knows? +Comment: See r2366. Files: data/models/bowling.spm Copyright: 2008, 2013 Marianne Gagnon -License: -Comment: Does this even qualify for copyright? It's just a textured icosphere. +License: CC-BY-SA-3.0 Files: data/models/christmas_hat.spm @@ -312,7 +323,7 @@ 2008 donconso 2009 MiniBjorn 2013 Jean-Manuel Clémençon -License: CC-BY-SA +License: CC-BY-SA-3.0 Comment: I don't know what MiniBjorn changed to put this under his choice of license... Jean-Manuel Clémençon redid the textures. @@ -362,10 +373,10 @@ Files: data/models/warning.png Copyright: 2008 Constantin Pelikan (donconso) -License: +License: CC-BY-SA-3.0 Files: data/models/zipper.png -Copyright: 2000 Steve Baker (?) +Copyright: 2000 Steve Baker License: GPL-2 Files: @@ -386,9 +397,9 @@ Comment: Excerpt (and, I think, amplification) of the original,
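Review bot: In the `@@ -312,7 +323,7 @@` hunk of debian/copyright the license is pinned from `CC-BY-SA` to `CC-BY-SA-3.0`, but the retained comment still reads "I don't know what MiniBjorn changed to put this under his choice of license...", so the stanza now states a definite license next to a note that doubts it. Either update the comment with the outcome of the license investigation that the changelog credits to deve and benau, or drop it. The same applies to the merged banana stanza, where `Comment: See r2366.` is kept without saying what r2366 establishes.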
Bug#991335: unblock: supertuxkart (pre-approval)
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Dear release team,

this is a request for pre-approval of a supertuxkart upload.

The upstream tarball of supertuxkart 1.2+ds-2 currently includes data files that are not free (#990368). Additionally the d/copyright file is lacking license information for a few additional resources (only data files).

To fix this bug, the two non-free karts will get removed from the upstream tarball. But as removal of these files would cause a regression in online multiplayer games, upstream provided two patches (+1 patch that fixes a memory leak in one of these patches) that keep network compatibility with other players intact.

Additionally I'm currently in contact with an upstream contributor who is investigating the remaining copyright/license issues. To fix them, the plan is to amend d/copyright where possible (investigations are currently ongoing), or to replace unknown/non-free files with free alternatives.

I noticed that supertuxkart is marked for autoremoval on August 3rd currently, which is probably after the bullseye release. Does this mean supertuxkart 1.2+ds-2 will be part of bullseye and can then still be fixed by a stable-proposed-update? Or does the upload and migration to bullseye have to happen before July 31st?
Below is the full list of files that would get removed from the upstream tarball: data/karts/beastie/beastie-icon.png data/karts/beastie/beastie.spm data/karts/beastie/beastie_kart_colorizationMask.png data/karts/beastie/beastie_kart_diffuse.png data/karts/beastie/beastie_kart_gloss.png data/karts/beastie/beastie_kart_leftDoor.png data/karts/beastie/beastie_kart_leftDoor_colorizationMask.png data/karts/beastie/beastie_kart_leftDoor_gloss.png data/karts/beastie/beastie_n_kart_wheel_colorizationMask.png data/karts/beastie/beastie_n_kart_wheel_diffuse.png data/karts/beastie/beastie_n_kart_wheel_gloss.png data/karts/beastie/beastie_shadow.png data/karts/beastie/beastie_texture.png data/karts/hexley/hexley.spm data/karts/hexley/hexley_dashboard_diffuse.png data/karts/hexley/hexley_dashboard_gloss.png data/karts/hexley/hexley_diffuse.png data/karts/hexley/hexley_gloss.png data/karts/hexley/hexley_kart_Normal.png data/karts/hexley/hexley_kart_colorizationMask.png data/karts/hexley/hexley_kart_diffuse.png data/karts/hexley/hexley_kart_frontGlass.png data/karts/hexley/hexley_kart_gloss.png data/karts/hexley/hexley_shadow.png data/karts/hexley/hexley_wheel_Normal.png data/karts/hexley/hexley_wheel_colorizationMask.png data/karts/hexley/hexley_wheel_diffuse.png data/karts/hexley/hexley_wheel_gloss.png data/karts/hexley/hexley_window.png data/karts/hexley/hexleyicon.png data/karts/hexley/hexleyicon32.png Attached are the mentioned upstream patches. Kind regards, Reiner From 851290d4c866130abb22ee61114016378af4cb45 Mon Sep 17 00:00:00 2001 
From: Benau Date: Sun, 18 Jul 2021 00:49:49 +0800 Subject: [PATCH] Add code to generate official karts list --- data/official_karts.xml | 21 ++ sources.cmake| 2 +- src/karts/official_karts.cpp | 128 +++ src/karts/official_karts.hpp | 20 ++ src/main.cpp | 9 +++ 5 files changed, 179 insertions(+), 1 deletion(-) create mode 100644 data/official_karts.xml create mode 100644 src/karts/official_karts.cpp create mode 100644 src/karts/official_karts.hpp diff --git a/data/official_karts.xml b/data/official_karts.xml new file mode 100644 index 000..671aadf369e --- /dev/null +++ b/data/official_karts.xml @@ -0,0 +1,21 @@ + + + + + + + + + + + + + + + + + + + + + diff --git a/sources.cmake b/sources.cmake index d4f28ae4de4..ba4868d717e 100644 --- a/sources.cmake +++ b/sources.cmake @@ -1,5 +1,5 @@ # Modify this file to change the last-modified date when you add/remove a file. -# This will then trigger a new cmake run automatically. +# This will then trigger a new cmake run automatically. file(GLOB_RECURSE STK_HEADERS RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "src/*.hpp") file(GLOB_RECURSE STK_SOURCES RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "src/*.cpp") file(GLOB_RECURSE STK_SHADERS RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "data/shaders/*") diff --git a/src/karts/official_karts.cpp b/src/karts/official_karts.cpp new file mode 100644 index 000..c8d7b9f38b7 --- /dev/null +++ b/src/karts/official_karts.cpp @@ -0,0 +1,128 @@ +#include "karts/official_karts.hpp" + +#include "karts/kart_properties_manager.hpp" +#include "io/file_manager.hpp" +#include "io/xml_node.hpp" +#include "karts/kart_model.hpp" +#include "karts/kart_properties.hpp" +#include "utils/file_utils.hpp" +#include "utils/log.hpp" +#include "utils/vec3.hpp" + +#include +#include +#include +#include + +namespace OfficialKarts +{ +// +struct OfficialKart +{
Bug#987471: unblock: fluidsynth/2.1.7-1.1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: utka...@debian.org, debian-multime...@lists.debian.org

Please unblock package fluidsynth

I intend to NMU version 2.1.7-1.1 to DELAYED/3, which imports an upstream security fix.

[ Reason ]
The package has a use-after-free vulnerability.

[ Impact ]
Arbitrary code execution or denial of service.

[ Tests ]
I tested that it compiles, installs and tested running it against the vulnerable example file from the upstream bug tracker. With the patch applied, it no longer crashes.

unblock fluidsynth/2.1.7-1.1

diff -Nru fluidsynth-2.1.7/debian/changelog fluidsynth-2.1.7/debian/changelog --- fluidsynth-2.1.7/debian/changelog 2021-02-09 21:43:23.0 +0100 +++ fluidsynth-2.1.7/debian/changelog 2021-04-24 13:37:51.0 +0200 @@ -1,3 +1,11 @@ +fluidsynth (2.1.7-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Import patch that fixes use-after-free vulnerability. (CVE-2021-28421) +(Closes: #987168) + + -- Reiner Herrmann Sat, 24 Apr 2021 13:37:51 +0200 + fluidsynth (2.1.7-1) unstable; urgency=medium * New upstream version 2.1.7 diff -Nru fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch --- fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch 1970-01-01 01:00:00.0 +0100 +++ fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch 2021-04-24 13:35:20.0 +0200 
@@ -0,0 +1,84 @@ +From 005719628aef0bd48dc7b2f860c7e4ca16b81044 Mon Sep 17 00:00:00 2001 +From: Tom M +Date: Mon, 15 Mar 2021 20:12:51 +0100 +Subject: [PATCH] Invalid generators were not removed from zone list (#810) +Bug: https://github.com/FluidSynth/fluidsynth/issues/808 +Bug-Debian: https://bugs.debian.org/987168 + +fluid_list_remove() should receive the beginning of a list, so it can adjust the predecessor of the element to be removed. Otherwise the element would remain in the list, which in this case led to a use-after-free afterwards. +--- + src/sfloader/fluid_sffile.c | 20 + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/src/sfloader/fluid_sffile.c b/src/sfloader/fluid_sffile.c +index 001a0a0a4..47ab98d97 100644 +--- a/src/sfloader/fluid_sffile.c b/src/sfloader/fluid_sffile.c +@@ -1355,7 +1355,7 @@ static int load_pmod(SFData *sf, int size) + * --- */ + static int load_pgen(SFData *sf, int size) + { +-fluid_list_t *p, *p2, *p3, *dup, **hz = NULL; ++fluid_list_t *p, *p2, *p3, *dup, **hz = NULL, *start_of_zone_list; + SFZone *z; + SFGen *g; + SFGenAmount genval; +@@ -1369,7 +1369,7 @@ static int load_pgen(SFData *sf, int size) + /* traverse through all presets */ + gzone = FALSE; + discarded = FALSE; +-p2 = ((SFPreset *)(p->data))->zone; ++start_of_zone_list = p2 = ((SFPreset *)(p->data))->zone; + + if(p2) + { +@@ -1516,11 +1516,13 @@ static int load_pgen(SFData *sf, int size) + } + else + { ++p2 = fluid_list_next(p2); /* advance to next zone before deleting the current list element */ + /* previous global zone exists, discard */ + FLUID_LOG(FLUID_WARN, "Preset '%s': Discarding invalid global zone", + ((SFPreset *)(p->data))->name); +-*hz = fluid_list_remove(*hz, p2->data); +-delete_zone((SFZone *)fluid_list_get(p2)); ++fluid_list_remove(start_of_zone_list, z); ++delete_zone(z); ++continue; + } + } + +@@ -1864,7 +1866,7 @@ static int load_imod(SFData *sf, int size) + /* load instrument generators (see load_pgen for loading rules) */ + static 
int load_igen(SFData *sf, int size) + { +-fluid_list_t *p, *p2, *p3, *dup, **hz = NULL; ++fluid_list_t *p, *p2, *p3, *dup, **hz = NULL, *start_of_zone_list; + SFZone *z; + SFGen *g; + SFGenAmount genval; +@@ -1878,7 +1880,7 @@ static int load_igen(SFData *sf, int size) + /* traverse through all instruments */ + gzone = FALSE; + discarded = FALSE; +-p2 = ((SFInst *)(p->data))->zone; ++start_of_zone_list = p2 = ((SFInst *)(p->data))->zone; + + if(p2) + { +@@ -2024,11 +2026,13 @@ static int load_igen(SFData *sf, int size) + } + else + { ++p2 = fluid_list_next(p2); /* advance to next zone before deleting the current list element */ + /* previous global zone exists, discard */ + FLUID_LOG(FLUID_WARN, "Instrument '%s': Discarding invalid global zone", + ((SFInst *)(p->data))->name);
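Review bot: In the `@@ -1516,11 +1516,13 @@` hunk of load_pgen() the return value of `fluid_list_remove(start_of_zone_list, z)` is discarded, which is only correct while the zone being removed is never the first element of the list; if it were, `((SFPreset *)(p->data))->zone` would keep pointing at the removed node. The branch is reached when a previous global zone already exists, so the discarded zone should not be the head, but a short comment stating that invariant (or assigning the result back to the preset's zone pointer) would make it checkable. The hunk also relies on `z` referring to the zone at `p2`, which is set outside the visible lines, and the matching load_igen() hunk is cut off on this page before the corresponding lines.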
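The failure mode named in the upstream commit message above (a removal routine that starts its walk at the element instead of at the head of the list), as an added example that is not FluidSynth code and not part of the original message. `node_t`, `list_remove` and `drop_invalid` are hypothetical names, and the `released` flag stands in for `free()` so the stale link can be inspected safely.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical minimal list; `released` stands in for free() so the demo can
 * look at a node after "freeing" it without undefined behaviour. */
typedef struct node {
    void *data;
    struct node *next;
    int released;
} node_t;

/* Link n[0..count-1] into one list carrying pointers to payload[i]
 * (constructed sample data). */
static void build(node_t *n, int *payload, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        n[i].data = &payload[i];
        n[i].next = (i + 1 < count) ? &n[i + 1] : NULL;
        n[i].released = 0;
    }
}

/* Remove the first node carrying `data`, walking from `list`, and return the
 * new start. The predecessor can only be patched if the walk passed over it. */
static node_t *list_remove(node_t *list, void *data)
{
    node_t *prev = NULL;
    for (node_t *cur = list; cur; prev = cur, cur = cur->next) {
        if (cur->data != data)
            continue;
        if (prev)
            prev->next = cur->next;  /* unlink from the predecessor */
        else
            list = cur->next;        /* node was first in the walked range */
        cur->released = 1;           /* real code would free the node here */
        break;
    }
    return list;
}

/* Nodes still reachable from head although they were already released. */
static int count_released(const node_t *head)
{
    int n = 0;
    for (; head; head = head->next)
        n += head->released;
    return n;
}

static int length(const node_t *head)
{
    int n = 0;
    for (; head; head = head->next)
        n++;
    return n;
}

/* Pattern of the fix: advance the cursor first, then remove from the head. */
static node_t *drop_invalid(node_t *head)
{
    node_t *cur = head;
    while (cur) {
        node_t *victim = cur;
        cur = cur->next;                      /* move on before the node goes away */
        if (*(int *)victim->data < 0)         /* negative payload = invalid entry */
            head = list_remove(head, victim->data);
    }
    return head;
}

/* Walk starts at the victim: n[0].next is never touched and keeps the stale link. */
int dangling_when_started_at_element(void)
{
    int payload[3] = {1, -2, 3};
    node_t n[3];
    build(n, payload, 3);
    (void)list_remove(&n[1], n[1].data);
    return count_released(&n[0]);
}

/* Walk starts at the head: the predecessor is seen and re-linked. */
int dangling_when_started_at_head(void)
{
    int payload[3] = {1, -2, 3};
    node_t n[3];
    build(n, payload, 3);
    node_t *head = list_remove(&n[0], n[1].data);
    return count_released(head);
}

/* Returns the list length after cleaning, or -1 if a released node is reachable. */
int length_after_drop_invalid(void)
{
    int payload[4] = {-1, 2, -3, 4};
    node_t n[4];
    build(n, payload, 4);
    node_t *head = drop_invalid(&n[0]);
    return count_released(head) ? -1 : length(head);
}

int main(void)
{
    printf("stale links, walk from element: %d\n", dangling_when_started_at_element());
    printf("stale links, walk from head:    %d\n", dangling_when_started_at_head());
    printf("length after drop_invalid:      %d\n", length_after_drop_invalid());
    return 0;
}
```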
Bug#986747: unblock: bouncy/0.6.20071104-8
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package bouncy [ Reason ] A missing dependency on a python3 module prevented the program from starting. [ Impact ] Without python3-future installed, bouncy does not start and the user would need to install the missing dependency manually. [ Tests ] I tested running the program with and without the new dependency and can confirm that it does not start without it, and starts/runs successfully with it. [ Risks ] Low risk, no code changes, only new runtime dependency. unblock bouncy/0.6.20071104-8 diff -Nru bouncy-0.6.20071104/debian/changelog bouncy-0.6.20071104/debian/changelog --- bouncy-0.6.20071104/debian/changelog2019-09-15 18:17:45.0 +0200 +++ bouncy-0.6.20071104/debian/changelog2021-04-10 15:55:51.0 +0200 @@ -1,3 +1,12 @@ +bouncy (0.6.20071104-8) unstable; urgency=medium + + * Team upload. + * Add dependency on python3-future. +Thanks to Jérôme Bouat for the report, Hans Joachim Desserud for the fix. +(Closes: #986577) (LP: #1922504) + + -- Reiner Herrmann Sat, 10 Apr 2021 15:55:51 +0200 + bouncy (0.6.20071104-7) unstable; urgency=medium * Team upload. diff -Nru bouncy-0.6.20071104/debian/control bouncy-0.6.20071104/debian/control --- bouncy-0.6.20071104/debian/control 2019-09-15 18:17:45.0 +0200 +++ bouncy-0.6.20071104/debian/control 2021-04-10 15:55:51.0 +0200 @@ -21,6 +21,7 @@ Architecture: all Depends: fonts-dejavu-core, + python3-future, python3-opengl, python3-pygame, ${misc:Depends},
Bug#929736: unblock: firejail/0.9.58.2-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package firejail The version in unstable fixes two security issues: #929732 (debian/patches/seccomp-join.patch): This issue allowed someone to run a program inside a jail that is protected by seccomp filters without any seccomp filtering. The location of the filters inside the jail was writable, so it could be overwritten/deleted, so programs that were afterwards joined into the jail had no filter applied. #929733 (debian/patches/truncation.patch): A race was possible that allowed someone inside the jail to truncate the firejail binary outside the jail under certain conditions. (The jailed program needs to be run as root, and it needs to be terminated from the outside as root.) Thanks in advance. Kind regards, Reiner unblock firejail/0.9.58.2-2 diff -Nru firejail-0.9.58.2/debian/changelog firejail-0.9.58.2/debian/changelog --- firejail-0.9.58.2/debian/changelog 2019-02-08 20:06:02.0 +0100 +++ firejail-0.9.58.2/debian/changelog 2019-05-29 21:06:42.0 +0200 
@@ -1,3 +1,16 @@ +firejail (0.9.58.2-2) unstable; urgency=high + + * Cherry-pick security fix for seccomp bypass issue. (Closes: #929732) +Seccomp filters were writable inside the jail, so they could be +overwritten/truncated. Another jail that was then joined with the first +one, had no seccomp filters applied. + * Cherry-pick security fix for binary truncation issue. (Closes: #929733) +When the jailed program was running as root, and firejail was killed +from the outside (as root), the jailed program had the possibility to +truncate the firejail binary outside the jail. + + -- Reiner Herrmann Wed, 29 May 2019 21:06:42 +0200 + firejail (0.9.58.2-1) unstable; urgency=medium * New upstream release. diff -Nru firejail-0.9.58.2/debian/patches/seccomp-join.patch firejail-0.9.58.2/debian/patches/seccomp-join.patch --- firejail-0.9.58.2/debian/patches/seccomp-join.patch 1970-01-01 01:00:00.0 +0100 +++ firejail-0.9.58.2/debian/patches/seccomp-join.patch 2019-05-29 18:57:28.0 +0200 
@@ -0,0 +1,91 @@ +From: smitsohu +Subject: [PATCH] mount runtime seccomp files read-only (#2602) +Bug: https://github.com/netblue30/firejail/issues/2718 +Bug-Debian: https://bugs.debian.org/929732 +Origin: upstream, https://github.com/netblue30/firejail/commit/eecf35c + +avoid creating locations in the file system that are both writable and +executable (in this case for processes with euid of the user). + +for the same reason also remove user owned libfiles +when it is not needed any more + +--- a/src/firejail/firejail.h b/src/firejail/firejail.h +@@ -57,13 +57,14 @@ + #define RUN_LIB_FILE "/run/firejail/mnt/libfiles" + #define RUN_DNS_ETC "/run/firejail/mnt/dns-etc" + +-#define RUN_SECCOMP_LIST "/run/firejail/mnt/seccomp.list"// list of seccomp files installed +-#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol"// protocol filter +-#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter +-#define RUN_SECCOMP_32"/run/firejail/mnt/seccomp.32" // 32bit arch filter installed on 64bit architectures +-#define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute +-#define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter +-#define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library ++#define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp" ++#define RUN_SECCOMP_LIST "/run/firejail/mnt/seccomp/seccomp.list" // list of seccomp files installed ++#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp/seccomp.protocol" // protocol filter ++#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp/seccomp" // configured filter ++#define RUN_SECCOMP_32"/run/firejail/mnt/seccomp/seccomp.32" // 32bit arch filter installed on 64bit architectures ++#define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp/seccomp.mdwx" // filter for memory-deny-write-execute ++#define RUN_SECCOMP_BLOCK_SECONDARY 
"/run/firejail/mnt/seccomp/seccomp.block_secondary" // secondary arch blocking filter ++#define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp/seccomp.postexec" // filter for post-exec library + #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make + #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make + #define PATH_SECCO
Bug#862937: unblock: firejail/0.9.44.8-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package firejail Version 0.9.44.8-2 includes a cherry-picked patch that fixes a memory corruption which leads to a crash when firejail is called with certain options (#862083). Kind regards, Reiner unblock firejail/0.9.44.8-2 diff -Nru firejail-0.9.44.8/debian/changelog firejail-0.9.44.8/debian/changelog --- firejail-0.9.44.8/debian/changelog 2017-01-19 23:14:35.0 +0100 +++ firejail-0.9.44.8/debian/changelog 2017-05-09 21:15:19.0 +0200 @@ -1,3 +1,10 @@ +firejail (0.9.44.8-2) unstable; urgency=medium + + * Cherry-pick upstream patch for memory corruption in noblacklist +processing (Closes: #862083). + + -- Reiner Herrmann <rei...@reiner-h.de> Tue, 09 May 2017 21:15:19 +0200 + firejail (0.9.44.8-1) unstable; urgency=medium * New upstream release. diff -Nru firejail-0.9.44.8/debian/patches/0001-bugfix-ugly-memory-corruption-in-noblacklist-process.patch firejail-0.9.44.8/debian/patches/0001-bugfix-ugly-memory-corruption-in-noblacklist-process.patch --- firejail-0.9.44.8/debian/patches/0001-bugfix-ugly-memory-corruption-in-noblacklist-process.patch 1970-01-01 01:00:00.0 +0100 +++ firejail-0.9.44.8/debian/patches/0001-bugfix-ugly-memory-corruption-in-noblacklist-process.patch 2017-05-09 21:10:12.0 +0200 
@@ -0,0 +1,241 @@ +From: netblue30 <netblu...@yahoo.com> +Subject: [PATCH] bugfix: ugly memory corruption in noblacklist processing +Origin: upstream, https://github.com/netblue30/firejail/commit/ad51fb7489a148ed87abe367a82e0d25203b2d28 +Debian-Bug: https://bugs.debian.org/862083 + +diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h +index 13be6b11..d1445ea3 100644 +--- a/src/firejail/firejail.h b/src/firejail/firejail.h +@@ -631,6 +631,7 @@ void run_symlink(int argc, char **argv); + + // paths.c + char **build_paths(void); ++unsigned int count_paths(void); + + // fs_mkdir.c + void fs_mkdir(const char *name); +diff --git a/src/firejail/fs.c b/src/firejail/fs.c +index 3ea4725b..3efaae93 100644 +--- a/src/firejail/fs.c b/src/firejail/fs.c +@@ -436,26 +436,35 @@ void fs_blacklist(void) { + + // Process noblacklist command + if (strncmp(entry->data, "noblacklist ", 12) == 0) { +- char **paths = build_paths(); +- +- char *enames[sizeof(paths)+1] = {0}; +- int i = 0; ++ char **enames; ++ int i; + + if (strncmp(entry->data + 12, "${PATH}", 7) == 0) { + // expand ${PATH} macro +- while (paths[i] != NULL) { +- if (asprintf([i], "%s%s", paths[i], entry->data + 19) == -1) ++ char **paths = build_paths(); ++ unsigned int npaths = count_paths(); ++ enames = calloc(npaths, sizeof(char *)); ++ if (!enames) ++ errExit("calloc"); ++ ++ for (i = 0; paths[i]; i++) { ++ if (asprintf([i], "%s%s", paths[i], ++ entry->data + 19) == -1) + errExit("asprintf"); +- i++; + } +- } else { ++ assert(enames[npaths-1] == 0); ++ ++ } ++ else { + // expand ${HOME} macro if found or pass as is ++ enames = calloc(2, sizeof(char *)); ++ if (!enames) ++ errExit("calloc"); + enames[0] = expand_home(entry->data + 12, homedir); +- enames[1] = NULL; ++ assert(enames[1] == 0); + } + +- i = 0; +- while (enames[i] != NULL) { ++ for (i = 0; enames[i]; i++) { + if (noblacklist_c >= noblacklist_m) { + noblacklist_m *= 2; + noblacklist = realloc(noblacklist, sizeof(*noblacklist) * noblacklist_m); +@@ 
-463,12 +472,9 @@ void fs_blacklist(void) { + errExit("failed increasing memory for noblacklist entries"); + } + noblacklist[noblacklist_c++] = enames[i]; +- i++; +
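Review bot: In the fs_blacklist() hunk of fs.c the termination of the new `enames` array rests on `calloc(npaths, sizeof(char *))` leaving one zeroed slot after the last path, which holds only if `count_paths()` returns the number of entries plus one for the terminator; the hunk checks this with `assert(enames[npaths-1] == 0)`, which disappears in builds with NDEBUG and runs only after the loop has already written the entries. State the contract in a comment next to the `count_paths()` prototype added to firejail.h, or allocate `npaths + 1` entries so the loop `for (i = 0; enames[i]; i++)` is always bounded. The removed declaration `char *enames[sizeof(paths)+1]` sized the array from the size of a pointer rather than the number of paths, so the move to a counted allocation is the right shape. The visible part of the patch does not show where `enames` is freed.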
Bug#857307: unblock: musl/1.1.16-3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package musl 1.1.16-3 includes a fix for applications crashing on startup on ppc64(el) (#857078). Attached is the debdiff. Thanks in advance! Kind regards, Reiner unblock musl/1.1.16-3 diff -Nru musl-1.1.16/debian/changelog musl-1.1.16/debian/changelog --- musl-1.1.16/debian/changelog2017-01-22 18:18:26.0 +0100 +++ musl-1.1.16/debian/changelog2017-03-09 19:19:31.0 +0100 @@ -1,3 +1,10 @@ +musl (1.1.16-3) unstable; urgency=medium + + * Import upstream fix for PPC64 crash. +Thanks to Breno Leitao for investigating. (Closes: #857078) + + -- Reiner Herrmann <rei...@reiner-h.de> Thu, 09 Mar 2017 19:19:31 +0100 + musl (1.1.16-2) unstable; urgency=medium [ Breno Leitao ] diff -Nru musl-1.1.16/debian/patches/ppc64-crash.patch musl-1.1.16/debian/patches/ppc64-crash.patch --- musl-1.1.16/debian/patches/ppc64-crash.patch1970-01-01 01:00:00.0 +0100 +++ musl-1.1.16/debian/patches/ppc64-crash.patch2017-03-09 19:10:03.0 +0100 
@@ -0,0 +1,29 @@ +From: Rich Felker <dal...@aerifal.cx> +Subject: fix ld-behavior-dependent crash in ppc64 ldso startup +Origin: upstream, http://git.musl-libc.org/cgit/musl/commit/?id=fc85fb38605a8bf341c367b8ab0d36edab2bdbfc +Bug: http://www.openwall.com/lists/musl/2017/03/07/2 +Bug-Debian: https://bugs.debian.org/857078 + +the 32-bit pc-relative address for stage 2 of dynamic linker entry was +wrongly loaded with a zero-extending load instead of sign-extending +load, resulting in an invalid jump if the offset happened to be +negative, which depends on the linker's ordering of text sections. +--- + arch/powerpc64/reloc.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc64/reloc.h b/arch/powerpc64/reloc.h +index e1bad00..faf70ac 100644 +--- a/arch/powerpc64/reloc.h b/arch/powerpc64/reloc.h +@@ -27,6 +27,6 @@ + " bl 1f \n" \ + " .long " #sym "-. \n" \ + "1: mflr %1 \n" \ +- " lwz %0, 0(%1) \n" \ ++ " lwa %0, 0(%1) \n" \ + " add %0, %0, %1 \n" \ + : "=r"(*(fp)), "=r"((long){0}) : : "memory", "lr" ) +-- +cgit v0.11.2 + diff -Nru musl-1.1.16/debian/patches/series musl-1.1.16/debian/patches/series --- musl-1.1.16/debian/patches/series 2017-01-22 17:54:16.0 +0100 +++ musl-1.1.16/debian/patches/series 2017-03-09 19:08:03.0 +0100 @@ -1,2 +1,3 @@ arm-object_arch.patch dpkg-gcc-specs.diff +ppc64-crash.patch
Bug#854945: unblock: lprng/3.8.B-2.1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package lprng. The NMU 3.8.B-2.1 fixes a bug where SSL support in the package was silently dropped since OpenSSL 1.1 (#854468), because the configure checks were looking for a deprecated library symbol, which is now a preprocessor macro. The change restores SSL support by looking for a different symbol. Regards, Reiner unblock lprng/3.8.B-2.1 diff -Nru lprng-3.8.B/debian/changelog lprng-3.8.B/debian/changelog --- lprng-3.8.B/debian/changelog2012-06-11 10:07:15.0 +0200 +++ lprng-3.8.B/debian/changelog2017-02-08 21:20:30.0 +0100 @@ -1,3 +1,11 @@ +lprng (3.8.B-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * Don't lose authentication support when compiled with OpenSSL 1.1, patch by +Reiner Herrmann <rei...@reiner-h.de> (Closes: #854468). + + -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc> Wed, 08 Feb 2017 21:20:30 +0100 + lprng (3.8.B-2) unstable; urgency=low * Compilies on hurd-i386 Closes: #671848 diff -Nru lprng-3.8.B/debian/patches/openssl_1.1.patch lprng-3.8.B/debian/patches/openssl_1.1.patch --- lprng-3.8.B/debian/patches/openssl_1.1.patch1970-01-01 01:00:00.0 +0100 +++ lprng-3.8.B/debian/patches/openssl_1.1.patch2017-02-08 21:19:17.0 +0100 
@@ -0,0 +1,27 @@ +--- a/configure.ac b/configure.ac +@@ -1008,7 +1008,7 @@ + SSL_LDADD="-L$dir $SSL_LDADD" + fi + LDFLAGS="$LDFLAGS $SSL_LDADD" +- AC_TRY_LINK_FUNC(SSL_load_error_strings,ac_linked_libssl="true", ++ AC_TRY_LINK_FUNC(OPENSSL_init_ssl,ac_linked_libssl="true", + ac_linked_libssl="false"); + AC_TRY_LINK_FUNC(RC4_set_key,ac_linked_libcrypto="true", + ac_linked_libcrypto="false"); +--- a/configure b/configure +@@ -10408,11 +10408,11 @@ + #ifdef __cplusplus + extern "C" + #endif +-char SSL_load_error_strings (); ++char OPENSSL_init_ssl (); + int + main () + { +-return SSL_load_error_strings (); ++return OPENSSL_init_ssl (); + ; + return 0; + } diff -Nru lprng-3.8.B/debian/patches/series lprng-3.8.B/debian/patches/series --- lprng-3.8.B/debian/patches/series 2012-06-11 08:49:05.0 +0200 +++ lprng-3.8.B/debian/patches/series 2017-02-08 21:19:17.0 +0100 @@ -1,3 +1,4 @@ lpd_conf_manwarnings portable_maxpathlen string_literals +openssl_1.1.patch
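Review bot: In the configure.ac hunk, replacing `SSL_load_error_strings` with `OPENSSL_init_ssl` in `AC_TRY_LINK_FUNC` makes the probe succeed on OpenSSL 1.1 but fail on older releases, where `OPENSSL_init_ssl` does not exist, so a build against an older libssl would now lose SSL support in the same silent way the request describes. If only OpenSSL 1.1 has to be supported this is acceptable, but probing both symbols and accepting either is more robust, and turning a failed probe into a configure error when SSL was requested would prevent the silent loss altogether. The second hunk edits the generated `configure` by hand; regenerating it from configure.ac at build time would avoid keeping the two in sync.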
Bug#854944: unblock: ftpcopy/0.6.7-3.1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package ftpcopy. The 0.6.7-3.1 NMU contains a fix for an FTBFS bug (#854512), because dpkg-shlibdeps was called on a shell script, which is fatal in recent dpkg versions. Regards, Reiner unblock ftpcopy/0.6.7-3.1 diff -u ftpcopy-0.6.7/debian/changelog ftpcopy-0.6.7/debian/changelog --- ftpcopy-0.6.7/debian/changelog +++ ftpcopy-0.6.7/debian/changelog @@ -1,3 +1,11 @@ +ftpcopy (0.6.7-3.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix FTBFS by calling dpkg-shlibdeps only for binaries and not +the ftpcp shell script (Closes: #854512). + + -- Reiner Herrmann <rei...@reiner-h.de> Wed, 08 Feb 2017 18:57:50 +0100 + ftpcopy (0.6.7-3) unstable; urgency=medium * debian/diff/disable--html-option.diff: the --html option is no diff -u ftpcopy-0.6.7/debian/rules ftpcopy-0.6.7/debian/rules --- ftpcopy-0.6.7/debian/rules +++ ftpcopy-0.6.7/debian/rules @@ -69,7 +69,7 @@ install-indep: deb-checkdir deb-checkuid build-indep-stamp binary-arch: deb-checkdir deb-checkuid install-arch ftpcopy.deb - test '$(DIET)' -ne 0 || dpkg-shlibdeps '$(DIR)'/usr/bin/* + test '$(DIET)' -ne 0 || dpkg-shlibdeps '$(DIR)'/usr/bin/ftpcopy '$(DIR)'/usr/bin/ftpls dpkg-gencontrol -isp -pftpcopy -P'$(DIR)' dpkg -b '$(DIR)' ..
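Review bot: In the binary-arch rule of debian/rules, the glob `'$(DIR)'/usr/bin/*` is replaced by the two hard-coded paths for `ftpcopy` and `ftpls`, so any binary added to /usr/bin later would be left out of the dpkg-shlibdeps run without an error. A comment above the line naming `ftpcp` as the shell script that has to be excluded would tell the next person why the list is explicit.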
Bug#850750: unblock: firejail/0.9.44.4-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package firejail firejail 0.9.44.4-1 contains fixes for 3 CVEs compared to the version in stretch (CVE-2017-5180, CVE-2017-5206, CVE-2017-5207). Please lower the migration time for it. Kind regards, Reiner unblock firejail/0.9.44.4-1 diff -Nru firejail-0.9.44.2/configure firejail-0.9.44.4/configure --- firejail-0.9.44.2/configure 2016-12-02 14:18:09.0 +0100 +++ firejail-0.9.44.4/configure 2017-01-07 13:58:37.0 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for firejail 0.9.44.2. +# Generated by GNU Autoconf 2.69 for firejail 0.9.44.4. # # Report bugs to <netblu...@yahoo.com>. # @@ -580,8 +580,8 @@ # Identity of this package. PACKAGE_NAME='firejail' PACKAGE_TARNAME='firejail' -PACKAGE_VERSION='0.9.44.2' -PACKAGE_STRING='firejail 0.9.44.2' +PACKAGE_VERSION='0.9.44.4' +PACKAGE_STRING='firejail 0.9.44.4' PACKAGE_BUGREPORT='netblu...@yahoo.com' PACKAGE_URL='http://firejail.wordpress.com' @@ -1259,7 +1259,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures firejail 0.9.44.2 to adapt to many kinds of systems. +\`configure' configures firejail 0.9.44.4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1320,7 +1320,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of firejail 0.9.44.2:";; + short | recursive ) echo "Configuration of firejail 0.9.44.4:";; esac cat <<\_ACEOF @@ -1424,7 +1424,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -firejail configure 0.9.44.2 +firejail configure 0.9.44.4 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -1726,7 +1726,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by firejail $as_me 0.9.44.2, which was +It was created by firejail $as_me 0.9.44.4, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4303,7 +4303,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by firejail $as_me 0.9.44.2, which was +This file was extended by firejail $as_me 0.9.44.4, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES= $CONFIG_FILES @@ -4357,7 +4357,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/&/g'`" ac_cs_version="\\ -firejail config.status 0.9.44.2 +firejail config.status 0.9.44.4 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -Nru firejail-0.9.44.2/configure.ac firejail-0.9.44.4/configure.ac --- firejail-0.9.44.2/configure.ac 2016-12-02 14:17:36.0 +0100 +++ firejail-0.9.44.4/configure.ac 2017-01-07 13:57:38.0 +0100 @@ -1,5 +1,5 @@ AC_PREREQ([2.68]) -AC_INIT(firejail, 0.9.44.2, netblu...@yahoo.com, , http://firejail.wordpress.com) +AC_INIT(firejail, 0.9.44.4, netblu...@yahoo.com, , http://firejail.wordpress.com) AC_CONFIG_SRCDIR([src/firejail/main.c]) #AC_CONFIG_HEADERS([config.h]) diff -Nru firejail-0.9.44.2/debian/changelog firejail-0.9.44.4/debian/changelog --- firejail-0.9.44.2/debian/changelog 2016-12-04 21:44:08.0 +0100 +++ firejail-0.9.44.4/debian/changelog 2017-01-07 20:24:40.0 +0100 
@@ -1,3 +1,24 @@ +firejail (0.9.44.4-1) unstable; urgency=high + + * New upstream release. +- Security fixes for: CVE-2017-5180, CVE-2017-5206, CVE-2017-5207 + (Closes: #850528, #850558) + * Drop patches applied upstream. + + -- Reiner Herrmann <rei...@reiner-h.de> Sat, 07 Jan 2017 20:24:40 +0100 + +firejail (0.9.44.2-3) unstable; urgency=high + + * Add followup fix for CVE-2017-5180 (Closes: #850160). + + -- Reiner Herrmann <rei...@reiner-h.de> Fri, 06 Jan 2017 13:44:25 +0100 + +firejail (0.9.44.2-2) unstable; urgency=high + + * Add upstream fix for CVE-2017-5180 (Closes: #850160). + + -- Reiner Herrmann <rei...@reiner-h.de> Wed, 04 Jan 2017 23:56:30 +0100 + firejail (0.9.44.2-1) unstable; urgency=medium * New upstream release. diff -Nru firejail-0.9.44.2/platform/rpm/old-mkrpm.sh firejail-0.9.44.4/platform/rpm/old-mkrpm.sh --- firejail-0.9.44.2/platform/rpm/old-mkrpm.sh 2016-12-03 20:14:29.0 +0100 +++ firejail-0.9.44.4/platform/rpm/old-mkrpm.sh 2017-01-07 17:43:11.0 +0100 @@ -1,5 +1,5 @@ #!/
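Review bot: In the debian/changelog hunk, the 0.9.44.4-1 entry lists three CVEs against two closed bugs (#850528, #850558) without saying which bug tracks which CVE, and "Drop patches applied upstream" does not name the patches being dropped. Since 0.9.44.2-2 and 0.9.44.2-3 each carried a separate CVE-2017-5180 fix, listing the dropped patch file names and the CVE-to-bug mapping in the entry would let the release team confirm that both the original fix and the follow-up are covered by the new upstream release. The configure and configure.ac hunks are regenerated version strings only.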
Bug#843411: jessie-pu: package musl/1.1.5-2
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi, musl in jessie is affected by CVE-2016-8859. The attached patch cherry-picks the upstream commit, which fixes this issue. The security team marked it as no-dsa, so I'm requesting it to be included in the next jessie update. Kind regards, Reiner diff -Nru musl-1.1.5/debian/changelog musl-1.1.5/debian/changelog --- musl-1.1.5/debian/changelog 2015-03-31 23:12:02.0 +0200 +++ musl-1.1.5/debian/changelog 2016-10-26 19:39:31.0 +0200 @@ -1,3 +1,10 @@ +musl (1.1.5-2+deb8u1) jessie-security; urgency=high + + * Cherry-pick upstream fix for regex integer overflow in buffer size +computations; CVE-2016-8859 (Closes: #842171) + + -- Reiner Herrmann <rei...@reiner-h.de> Wed, 26 Oct 2016 19:39:31 +0200 + musl (1.1.5-2) unstable; urgency=low * Fixes possible stack-based buffer overflow CVE-2015-1817 (Closes: #781497) diff -Nru musl-1.1.5/debian/patches/cve-2016-8859.diff musl-1.1.5/debian/patches/cve-2016-8859.diff --- musl-1.1.5/debian/patches/cve-2016-8859.diff 1970-01-01 01:00:00.0 +0100 +++ musl-1.1.5/debian/patches/cve-2016-8859.diff 2016-10-26 19:39:31.0 +0200 
@@ -0,0 +1,71 @@ +From: Rich Felker <dal...@aerifal.cx> +Subject: fix missing integer overflow checks in regexec buffer size + computations + +most of the possible overflows were already ruled out in practice by +regcomp having already succeeded performing larger allocations. +however at least the num_states*num_tags multiplication can clearly +overflow in practice. for safety, check them all, and use the proper +type, size_t, rather than int. + +also improve comments, use calloc in place of malloc+memset, and +remove bogus casts. + +Origin: upstream, http://git.musl-libc.org/cgit/musl/commit/?id=c3edc06d1e1360f3570db9155d6b318ae0d0f0f7 +Bug-Debian: https://bugs.debian.org/842171 +--- + src/regex/regexec.c | 23 ++- + 1 file changed, 18 insertions(+), 5 deletions(-) + +diff --git a/src/regex/regexec.c b/src/regex/regexec.c +index 16c5d0a..dd52319 100644 +--- a/src/regex/regexec.c b/src/regex/regexec.c +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + + #include + +@@ -206,11 +207,24 @@ tre_tnfa_run_parallel(const tre_tnfa_t *tnfa, const void *string, + + /* Allocate memory for temporary data required for matching. This needs to + be done for every matching operation to be thread safe. This allocates +- everything in a single large block from the stack frame using alloca() +- or with malloc() if alloca is unavailable. */ ++ everything in a single large block with calloc(). */ + { +-int tbytes, rbytes, pbytes, xbytes, total_bytes; ++size_t tbytes, rbytes, pbytes, xbytes, total_bytes; + char *tmp_buf; ++ ++/* Ensure that tbytes and xbytes*num_states cannot overflow, and that ++ * they don't contribute more than 1/8 of SIZE_MAX to total_bytes. */ ++if (num_tags > SIZE_MAX/(8 * sizeof(int) * tnfa->num_states)) ++ goto error_exit; ++ ++/* Likewise check rbytes. */ ++if (tnfa->num_states+1 > SIZE_MAX/(8 * sizeof(*reach_next))) ++ goto error_exit; ++ ++/* Likewise check pbytes. 
*/ ++if (tnfa->num_states > SIZE_MAX/(8 * sizeof(*reach_pos))) ++ goto error_exit; ++ + /* Compute the length of the block we need. */ + tbytes = sizeof(*tmp_tags) * num_tags; + rbytes = sizeof(*reach_next) * (tnfa->num_states + 1); +@@ -221,10 +235,9 @@ tre_tnfa_run_parallel(const tre_tnfa_t *tnfa, const void *string, + + (rbytes + xbytes * tnfa->num_states) * 2 + tbytes + pbytes; + + /* Allocate the memory. */ +-buf = xmalloc((unsigned)total_bytes); ++buf = calloc(total_bytes, 1); + if (buf == NULL) + return REG_ESPACE; +-memset(buf, 0, (size_t)total_bytes); + + /* Get the various pointers within tmp_buf (properly aligned). */ + tmp_tags = (void *)buf; diff -Nru musl-1.1.5/debian/patches/series musl-1.1.5/debian/patches/series --- musl-1.1.5/debian/patches/series 2015-03-31 23:11:32.0 +0200 +++ musl-1.1.5/debian/patches/series 2016-10-26 19:39:31.0 +0200 @@ -1 +1,2 @@ cve-2015-1817.diff +cve-2016-8859.diff
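Review bot: In the debian/changelog hunk the target distribution is `jessie-security`, but the request is a jessie-pu for an issue the security team marked no-dsa, so the upload goes through proposed-updates rather than the security archive. Suggest changing the first line to `musl (1.1.5-2+deb8u1) jessie; urgency=high`.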
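Review bot: In the `@@ -206,11 +207,24 @@` hunk of regexec.c, the first new check divides by `8 * sizeof(int) * tnfa->num_states`, which is a division by zero if `num_states` is 0 and can itself wrap in `size_t` for a large `num_states`, so the guard relies on bounds the hunk does not show. A short comment stating why `num_states` is non-zero and bounded at this point (the commit message points to regcomp's earlier allocations) would make that checkable. The new checks also `goto error_exit` before `buf` is assigned, while the allocation failure path returns `REG_ESPACE` directly; worth confirming that `error_exit` neither frees an unset `buf` nor returns an unset result.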