Re: [DebianGIS-dev] libterralib_3.3.1-1_i386.changes REJECTED

2009-06-22 Thread Francesco P. Lovergine
On Sun, Jun 21, 2009 at 11:52:26AM +, Frank Lichtenheld wrote:
> Hi.
>
> This includes much 3rd Party software which needs to be reflected
> in debian/copyright, even if only to say that it is unused.
> There are also several compiled binaries in there, it would be
> nice if you could either remove them or document from which sources
> they were built.
>
> Gruesse,
>   Frank

Alastair, while on that it's also better removing completely 
the included geotiff stuff, because the include csv file from EPSG are
not free and should not be distributed in a main source. I would
clean up the orig tar ball.

-- 
Francesco P. Lovergine

___
Pkg-grass-devel mailing list
Pkg-grass-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-grass-devel


Re: [DebianGIS-dev] libterralib_3.3.1-1_i386.changes REJECTED

2009-06-22 Thread Alastair McKinstry

Francesco P. Lovergine wrote:
> On Sun, Jun 21, 2009 at 11:52:26AM +, Frank Lichtenheld wrote:
>> Hi.
>>
>> This includes much 3rd Party software which needs to be reflected
>> in debian/copyright, even if only to say that it is unused.
>> There are also several compiled binaries in there, it would be
>> nice if you could either remove them or document from which sources
>> they were built.
>>
>> Gruesse,
>> Frank
>
> Alastair, while on that it's also better removing completely
> the included geotiff stuff, because the include csv file from EPSG are
> not free and should not be distributed in a main source. I would
> clean up the orig tar ball.

Agreed. Am doing so.

Regards
Alastair

[DebianGIS-dev] r2295 - packages/hdf5

2009-06-22 Thread frankie
Author: frankie
Date: 2009-06-22 10:15:55 + (Mon, 22 Jun 2009)
New Revision: 2295

Added:
   packages/hdf5/tags/
Log:
[svn-inject] Creating tags/ directory.




[DebianGIS-dev] r2296 - packages/hdf5

2009-06-22 Thread frankie
Author: frankie
Date: 2009-06-22 10:16:16 + (Mon, 22 Jun 2009)
New Revision: 2296

Added:
   packages/hdf5/trunk/
Log:
Creating trunk directory




[DebianGIS-dev] r2298 - packages/hdf5/trunk/debian

2009-06-22 Thread frankie
Author: frankie
Date: 2009-06-22 10:29:59 + (Mon, 22 Jun 2009)
New Revision: 2298

Modified:
   packages/hdf5/trunk/debian/changelog
Log:
Preparing for tagging.


Modified: packages/hdf5/trunk/debian/changelog
===
--- packages/hdf5/trunk/debian/changelog2009-06-22 10:16:29 UTC (rev 
2297)
+++ packages/hdf5/trunk/debian/changelog2009-06-22 10:29:59 UTC (rev 
2298)
@@ -1,6 +1,5 @@
 hdf5 (1.8.3-1) experimental; urgency=low
 
-  * NOT YET RELEASED.
   * New upstream release.
   * Added a patch debian/patches/autotools to update autotools and remove
 limitation in using thread-safety along with C++/Fortran bindings.




[DebianGIS-dev] Processed: severity of 523027 is grave

2009-06-22 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 523027 grave
Bug#523027: mapserver: multiple vulnerabilities
Severity set to `grave' from `important'


End of message, stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)



[DebianGIS-dev] Processed: fixed 523027 in 5.2.2-1

2009-06-22 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> fixed 523027 5.2.2-1
Bug#523027: mapserver: multiple vulnerabilities
Bug marked as fixed in version 5.2.2-1.


End of message, stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)



[DebianGIS-dev] r2299 - packages/hdf5

2009-06-22 Thread frankie
Author: frankie
Date: 2009-06-22 13:17:48 + (Mon, 22 Jun 2009)
New Revision: 2299

Added:
   packages/hdf5/tarballs/
Log:
Creating tarballs directory





[DebianGIS-dev] r2300 - packages/hdf5/tarballs

2009-06-22 Thread frankie
Author: frankie
Date: 2009-06-22 13:20:36 + (Mon, 22 Jun 2009)
New Revision: 2300

Added:
   packages/hdf5/tarballs/hdf5_1.8.3.orig.tar.gz
Log:
Adding original tarball


Added: packages/hdf5/tarballs/hdf5_1.8.3.orig.tar.gz
===
(Binary files differ)


Property changes on: packages/hdf5/tarballs/hdf5_1.8.3.orig.tar.gz
___
Added: svn:mime-type
   + application/octet-stream




[DebianGIS-dev] Bug#523027: incorrect upstream fix for CVE-2009-0840 (mapserver)

2009-06-22 Thread Nico Golde
Hi,
from the CVE description:
| Heap-based buffer underflow in the readPostBody function in cgiutil.c in
| mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows remote
| attackers to have an unknown impact via a negative value in the Content-Length
| HTTP header.

The affected code is in cgiutil.c:
41 static char *readPostBody( cgiRequestObj *request ) 
42 {
43   char *data; 
44   int data_max, data_len, chunk_size;
45 
46   msIO_needBinaryStdin();
47 
48   /*  */
49   /*  If the length is provided, read in one gulp.*/
50   /*  */
51   if( getenv("CONTENT_LENGTH") != NULL ) {
52     data_max = atoi(getenv("CONTENT_LENGTH"));
53     data = (char *) malloc(data_max+1);
54     if( data == NULL ) {
55       msIO_printf("Content-type: text/html%c%c",10,10);
56       msIO_printf("malloc() failed, Content-Length: %d unreasonably large?\n", data_max );
57       exit( 1 );
58     }
59 
60     if( (int) msIO_fread(data, 1, data_max, stdin) < data_max ) {

There is obviously a problem in case the content-length is negative.
The following is the upstream patch which was used to fix this issue:
 static char *readPostBody( cgiRequestObj *request ) 
 {
   char *data; 
-  int data_max, data_len, chunk_size;
+  unsigned int data_max, data_len; 
+  int chunk_size;
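Review bot: The type change on data_max adds no validation of the Content-Length value. With unsigned int data_max, a negative atoi() result becomes a very large value, and the data_max+1 passed to malloc() at line 53 can wrap to 0, so the msIO_fread() that follows can still write past the allocation. Parse the header with a checked conversion, reject negative or out-of-range values before the malloc() call, and compute the allocation size so that it cannot wrap.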


Unfortunately this doesn't fix the issue and I wonder why people always think
changing signed types to unsigned will fix such errors.
If I pass 0x as the content-length according to type conversion rules
in C atoi() will convert this to -1 which is again converted to 0x when
assigning it to an unsigned int. data_max+1 in line 53 will then overflow and
malloc is called with a parameter of 0. This causes malloc to allocate the smallest
possible chunk but it will _not_ return NULL (well, implementation defined). So it
is still possible to perform a heap-based buffer overflow after the upstream
fix.

I'm not sure if this should get a new CVE id but the versions in the CVE id
description should be adjusted and the upstream patch revised.

Cheers
Nico
P.S. @Alan, this is also the reason I have to reject your packages in our
security queue again.



-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.
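
The wrap described in the message above, next to a bounds-checked parse, as an added example that is not part of the original post or of the MapServer source. MAX_POST_BODY, patched_alloc_size and parse_content_length are hypothetical names introduced for illustration, and the 16 MiB limit is an assumption.

```c
#include <ctype.h>
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy limit for this example; not a MapServer setting. */
#define MAX_POST_BODY (16UL * 1024UL * 1024UL)

/* Size the patched code passes to malloc(): the atoi() result stored in an
 * unsigned int, then + 1 (lines 52-53 of the listing with the type change). */
unsigned int patched_alloc_size(const char *content_length)
{
    unsigned int data_max = (unsigned int) atoi(content_length);
    return data_max + 1u;            /* wraps to 0 when data_max == UINT_MAX */
}

/* Hypothetical hardened parser: returns 0 and stores the length on success,
 * -1 for empty, signed, non-numeric, trailing-garbage or oversized input. */
int parse_content_length(const char *s, size_t *out)
{
    char *end;
    long v;

    if (s == NULL || !isdigit((unsigned char) s[0]))
        return -1;                   /* rejects "", "-1", "+5", " 7" */
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;                   /* overflowed long, or "12abc" */
    if ((unsigned long) v > MAX_POST_BODY)
        return -1;                   /* larger than the assumed limit */
    *out = (size_t) v;
    return 0;
}

int main(void)
{
    /* Constructed header values, not taken from any real request. */
    const char *samples[] = { "10", "-1", "4294967295", "12abc" };
    size_t i, len;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = parse_content_length(samples[i], &len) == 0;
        printf("%-12s hardened: %s\n", samples[i], ok ? "accepted" : "rejected");
    }
    printf("patched malloc size for \"-1\": %u\n", patched_alloc_size("-1"));
    return 0;
}
```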



[DebianGIS-dev] Bug#523027: [oss-security] incorrect upstream fix for CVE-2009-0840 (mapserver)

2009-06-22 Thread Nico Golde
Hi,
* Nico Golde oss-security...@ngolde.de [2009-06-22 15:45]:
[...]
> Unfortunately this doesn't fix the issue and I wonder why people always think
> changing signed types to unsigned will fix such errors.
> If I pass 0x as the content-length according to type conversion rules
> in C atoi() will convert this to -1 which is again converted to 0x when
0x^^
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.



[DebianGIS-dev] Processing of libterralib_3.3.1-2_i386.changes

2009-06-22 Thread Archive Administrator
libterralib1-doc_3.3.1-2_all.deb has incorrect size; deleting it
Due to the errors above, the .changes file couldn't be processed.
Please fix the problems for the upload to happen.

Greetings,

Your Debian queue daemon



[DebianGIS-dev] Processing of libterralib_3.3.1-2_i386.changes

2009-06-22 Thread Archive Administrator
libterralib_3.3.1-2_i386.changes uploaded successfully to localhost
along with the files:
  libterralib_3.3.1-2.dsc
  libterralib_3.3.1-2.diff.gz
  libterralib1-doc_3.3.1-2_all.deb
  libterralib1-dev_3.3.1-2_i386.deb
  libterralib1c2a_3.3.1-2_i386.deb

Greetings,

Your Debian queue daemon



[DebianGIS-dev] r2301 - in packages/gosmore/trunk/debian: . patches

2009-06-22 Thread nd-guest
Author: nd-guest
Date: 2009-06-22 21:02:53 + (Mon, 22 Jun 2009)
New Revision: 2301

Removed:
   packages/gosmore/trunk/debian/patches/10-findresources.dpatch
Modified:
   packages/gosmore/trunk/debian/changelog
   packages/gosmore/trunk/debian/patches/00list
   packages/gosmore/trunk/debian/rules
Log:
new svn snapshot, api0.6 compatible


Modified: packages/gosmore/trunk/debian/changelog
===
--- packages/gosmore/trunk/debian/changelog 2009-06-22 13:20:36 UTC (rev 
2300)
+++ packages/gosmore/trunk/debian/changelog 2009-06-22 21:02:53 UTC (rev 
2301)
@@ -1,3 +1,12 @@
+gosmore (0.0.0.20090618-1) UNRELEASED; urgency=low
+
+  * NOT RELEASED YET
+  * New upstream snapshot fetched from svn, revision 15979. (Closes: #533372)
+  * Removed debian/ and map-icons/ dirs from tarball in get-orig-source target.
+  * Removed 10-findresources.dpatch, applied upstream.
+
+ -- Andreas Putzo andr...@putzo.net  Thu, 18 Jun 2009 09:50:26 +
+
 gosmore (0.0.0.20080704-1) unstable; urgency=low
 
   [ Andreas Putzo ]
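Review bot: In the new 0.0.0.20090618-1 entry, the "* NOT RELEASED YET" bullet repeats what the UNRELEASED distribution field already says and is easy to leave behind at upload time; drop the bullet and rely on UNRELEASED. The trailer date (18 Jun) also predates this commit and should be refreshed when the entry is finalized.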

Modified: packages/gosmore/trunk/debian/patches/00list
===
--- packages/gosmore/trunk/debian/patches/00list2009-06-22 13:20:36 UTC 
(rev 2300)
+++ packages/gosmore/trunk/debian/patches/00list2009-06-22 21:02:53 UTC 
(rev 2301)
@@ -1 +1 @@
-10-findresources
+#10-findresources
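Review bot: The 00list entry is commented out rather than removed, while the same commit deletes 10-findresources.dpatch, so "#10-findresources" now names a file that no longer exists. Delete the line; with no active patches left, also check whether the dpatch.mk include in debian/rules is still needed.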

Deleted: packages/gosmore/trunk/debian/patches/10-findresources.dpatch
===
--- packages/gosmore/trunk/debian/patches/10-findresources.dpatch   
2009-06-22 13:20:36 UTC (rev 2300)
+++ packages/gosmore/trunk/debian/patches/10-findresources.dpatch   
2009-06-22 21:02:53 UTC (rev 2301)
@@ -1,66 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 10-findresources.dpatch by  Andreas Putzo andr...@putzo.net
-##
-## DP: Search for files first in current directory, then in ~/.gosmre/, then
-## DP: in $(prefix)/share/gosmore/.
-## DP: Backported from upstream svn revision 8642.
-
-...@dpatch@
-diff -urNad gosmore-0.0.0.20080704~/gosmore.cpp 
gosmore-0.0.0.20080704/gosmore.cpp
 gosmore-0.0.0.20080704~/gosmore.cpp2008-07-04 16:41:19.0 
+
-+++ gosmore-0.0.0.20080704/gosmore.cpp 2008-07-04 16:42:16.0 +
-@@ -4,7 +4,9 @@
- #define WIN32_LEAN_AND_MEAN
- #include stdio.h
- #include stdlib.h
-+#include sys/stat.h
- #include string.h
-+#include string
- #include math.h
- #include ctype.h
- #include assert.h
-@@ -57,6 +59,7 @@
- #endif
- #ifdef _WIN32_WCE
- #define gtk_widget_queue_clear(x) // After Click() returns we Invalidate
-+
- struct GtkWidget { 
-   struct {
- int width, height;
-@@ -67,6 +70,16 @@
- struct GdkEventButton {
-   int x, y, button;
- };
-+#else
-+const char *FindResource (char *fname)
-+{
-+  static std::string s;
-+  struct stat dummy;
-+  if (stat (fname, dummy) == 0) return fname;
-+  s = (std::string) getenv (HOME) + /.gosmore/ + fname;
-+  if (stat (s.c_str (), dummy) != 0) s = (std::string) RES_DIR + fname;
-+  return s.c_str ();
-+}
- #endif
- 
- #define TILEBITS (18)
-@@ -857,7 +870,7 @@
-   routeColour, FALSE, TRUE);
- gdk_gc_set_fill (mygc, GDK_SOLID);
- icons = gdk_pixmap_create_from_xpm (draw-window, NULL, NULL,
--  icons.xpm);
-+  FindResource (icons.xpm));
-   }  
- 
-   GdkRectangle clip;
-@@ -1544,7 +1557,9 @@
- int defaultRestrict[2  STYLE_BITS];
- memset (defaultRestrict, 0, sizeof (defaultRestrict));
- FILE *icons_csv = fopen (icons.csv, r);
--xmlTextReaderPtr sXml = xmlNewTextReaderFilename (elemstyles.xml);
-+if (!icons_csv) icons_csv = fopen (FindResource (icons.csv), r);
-+xmlTextReaderPtr sXml = xmlNewTextReaderFilename (
-+  FindResource (elemstyles.xml));
- if (!sXml || !icons_csv) {
-   fprintf (stderr, Either icons.csv or elemstyles.xml not found\n);
-   return 3;
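Review bot: Before dropping this patch as applied upstream, confirm that the upstream FindResource handles an unset HOME. The version removed here builds the path with "s = (std::string) getenv (HOME) + /.gosmore/ + fname;" and no NULL check, and it returns a pointer into a function-static std::string that the next call overwrites.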

Modified: packages/gosmore/trunk/debian/rules
===
--- packages/gosmore/trunk/debian/rules 2009-06-22 13:20:36 UTC (rev 2300)
+++ packages/gosmore/trunk/debian/rules 2009-06-22 21:02:53 UTC (rev 2301)
@@ -1,5 +1,5 @@
 #!/usr/bin/make -f
-  
+
 include /usr/share/cdbs/1/class/makefile.mk
 include /usr/share/cdbs/1/rules/debhelper.mk
 include /usr/share/cdbs/1/rules/dpatch.mk
@@ -9,7 +9,7 @@
 CFLAGS := -DRES_DIR='\/usr/share/gosmore/\'
 
 SVNREPO := http://svn.openstreetmap.org/applications/rendering/gosmore
-SVNREV := 8034
+SVNREV := 15979
 DATE := $(shell date +%Y%m%d)
 
 get-orig-source:
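Review bot: The SVNREV bump keeps SVNREPO on plain http://, so get-orig-source exports revision 15979 over an unauthenticated transport and nothing in the target verifies what was fetched. Use an authenticated URL if the server offers one, or record a checksum of the resulting tarball so the orig source can be verified independently.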
@@ -17,6 +17,10 @@
test -d ../tarballs/. || mkdir -p ../tarballs
@echo Downloading gosmore from ${SVNREPO}
svn -r $(SVNREV) export ${SVNREPO} ../tarballs/gosmore-0.0.0.${DATE}
+   @echo Removing debian dir
+   rm -rf ../tarballs/gosmore-0.0.0.${DATE}/debian
+   @echo Removing map-icons
+   rm -rf ../tarballs/gosmore-0.0.0.${DATE}/map-icons
 
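Review bot: The two rm -rf lines operate on gosmore-0.0.0.${DATE}, and DATE comes from "date +%Y%m%d" at run time, so the directory name only matches the 0.0.0.20090618 changelog version when the target happens to run on that day. Derive the version string from debian/changelog or from the pinned SVNREV so the export is reproducible.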

[DebianGIS-dev] r2302 - packages/gosmore/trunk/debian

2009-06-22 Thread nd-guest
Author: nd-guest
Date: 2009-06-22 21:26:51 + (Mon, 22 Jun 2009)
New Revision: 2302

Modified:
   packages/gosmore/trunk/debian/changelog
   packages/gosmore/trunk/debian/copyright
Log:
add copyright of ConvertUTF.*
See http://lists.debian.org/debian-legal/2006/01/msg00543.html


Modified: packages/gosmore/trunk/debian/changelog
===
--- packages/gosmore/trunk/debian/changelog 2009-06-22 21:02:53 UTC (rev 
2301)
+++ packages/gosmore/trunk/debian/changelog 2009-06-22 21:26:51 UTC (rev 
2302)
@@ -4,8 +4,9 @@
   * New upstream snapshot fetched from svn, revision 15979. (Closes: #533372)
   * Removed debian/ and map-icons/ dirs from tarball in get-orig-source target.
   * Removed 10-findresources.dpatch, applied upstream.
+  * Mention ConvertUTF.c in debian/copyright. 
 
- -- Andreas Putzo andr...@putzo.net  Thu, 18 Jun 2009 09:50:26 +
+ -- Andreas Putzo andr...@putzo.net  Mon, 22 Jun 2009 21:25:03 +
 
 gosmore (0.0.0.20080704-1) unstable; urgency=low
 

Modified: packages/gosmore/trunk/debian/copyright
===
--- packages/gosmore/trunk/debian/copyright 2009-06-22 21:02:53 UTC (rev 
2301)
+++ packages/gosmore/trunk/debian/copyright 2009-06-22 21:26:51 UTC (rev 
2302)
@@ -9,3 +9,29 @@
 Copyright:
 
   This software is placed by in the public domain by its authors.
+
+
+The files  
+ConvertUTF.c
+ConvertUTF.h
+are Copyright (C) 2001-2004 Unicode, Inc.
+
+License:
+
+ Disclaimer
+
+ This source code is provided as is by Unicode, Inc. No claims are
+ made as to fitness for any particular purpose. No warranties of any
+ kind are expressed or implied. The recipient agrees to determine
+ applicability of information provided. If this file has been
+ purchased on magnetic or optical media from Unicode, Inc., the
+ sole remedy for any claim will be exchange of defective media
+ within 90 days of receipt.
+
+ Limitations on Rights to Redistribute This Code
+
+ Unicode, Inc. hereby grants the right to freely use the information
+ supplied in this file in the creation of products supporting the
+ Unicode Standard, and to make copies of this file in any form
+ for internal or external distribution as long as this notice
+ remains attached.
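Review bot: The added ConvertUTF license text grants use and copying "in the creation of products supporting the Unicode Standard" but says nothing about modification, which differs from the public-domain statement just above it. The commit log cites a debian-legal thread for this; put that reference into debian/copyright as well so the reasoning stays with the file.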




[DebianGIS-dev] r2304 - packages/gosmore/trunk/debian

2009-06-22 Thread nd-guest
Author: nd-guest
Date: 2009-06-22 21:49:40 + (Mon, 22 Jun 2009)
New Revision: 2304

Modified:
   packages/gosmore/trunk/debian/changelog
   packages/gosmore/trunk/debian/control
Log:
close #524042


Modified: packages/gosmore/trunk/debian/changelog
===
--- packages/gosmore/trunk/debian/changelog 2009-06-22 21:32:15 UTC (rev 
2303)
+++ packages/gosmore/trunk/debian/changelog 2009-06-22 21:49:40 UTC (rev 
2304)
@@ -7,8 +7,10 @@
   * Mentioned ConvertUTF.c in debian/copyright. 
   * Added a note to the long description that gosmore needs additional 
 data files. (Closes: #491842)
+  * Dropped dependency on libgps-dev, gosmore tries to parse NMEA sentences
+on its own. (Closes: #524042)
 
- -- Andreas Putzo andr...@putzo.net  Mon, 22 Jun 2009 21:31:07 +
+ -- Andreas Putzo andr...@putzo.net  Mon, 22 Jun 2009 21:35:00 +
 
 gosmore (0.0.0.20080704-1) unstable; urgency=low
 

Modified: packages/gosmore/trunk/debian/control
===
--- packages/gosmore/trunk/debian/control   2009-06-22 21:32:15 UTC (rev 
2303)
+++ packages/gosmore/trunk/debian/control   2009-06-22 21:49:40 UTC (rev 
2304)
@@ -3,7 +3,7 @@
 Priority: optional
 Maintainer: Debian GIS Project pkg-grass-devel@lists.alioth.debian.org
 Uploaders: Francesco Paolo Lovergine fran...@debian.org, Petter Reinholdtsen 
p...@debian.org, Andreas Putzo andr...@putzo.net
-Build-Depends: debhelper ( 5.0.0), cdbs, libgtk2.0-dev, flite-dev, 
libgps-dev (= 2.34.dfsg-5) | gpsd ( 2.34.dfsg-1), dpatch, libxml2-dev
+Build-Depends: debhelper ( 5.0.0), cdbs, libgtk2.0-dev, flite-dev, dpatch, 
libxml2-dev
 Standards-Version: 3.8.0
 Homepage: http://wiki.openstreetmap.org/index.php/Gosmore
 Vcs-Browser: http://svn.debian.org/viewsvn/pkg-grass/packages/gosmore/trunk




[DebianGIS-dev] Processed: Re: gosmore: build-dep on libgps-dev not needed anymore

2009-06-22 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package gosmore
Ignoring bugs not assigned to: gosmore

> clone 524042 -1
Bug#524042: gosmore: build-dep on libgps-dev not needed anymore
Bug 524042 cloned as bug 534254.

> retitle -1 gosmore: Please use libgpsd instead of parsing NMEA data directly
Bug#534254: gosmore: build-dep on libgps-dev not needed anymore
Changed Bug title to `gosmore: Please use libgpsd instead of parsing NMEA data 
directly' from `gosmore: build-dep on libgps-dev not needed anymore'.

> severity -1 wishlist
Bug#534254: gosmore: Please use libgpsd instead of parsing NMEA data directly
Severity set to `wishlist' from `normal'

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)



[DebianGIS-dev] libterralib_3.3.1-2_i386.changes REJECTED

2009-06-22 Thread Archive Administrator

Rejected: libterralib_3.3.1-2.dsc refers to libterralib_3.3.1.orig.tar.gz, but 
I can't find it in the queue or in the pool.


===

Please feel free to respond to this email if you don't understand why
your files were rejected, or if you upload new files which address our
concerns.

