Processed: retitle 838960 to mpg123: CVE-2016-1000247: denial of service with crafted id3v2 tags

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> retitle 838960 mpg123: CVE-2016-1000247: denial of service with crafted id3v2 
> tags
Bug #838960 {Done: Sebastian Ramacher } [mpg123] denial 
of service with crafted id3v2 tags in all mpg123 versions since 0.60
Changed Bug title to 'mpg123: CVE-2016-1000247: denial of service with crafted 
id3v2 tags' from 'denial of service with crafted id3v2 tags in all mpg123 
versions since 0.60'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
838960: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838960
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers

Bug#839686: forked-daapd: does not recreate stuff in /var/cache after deletion

[Bálint Réczey]

Hi Dominik,

2016-10-06 23:15 GMT+02:00 Dominik George :
> Hi,
>
>> IMO it is unreasonable to think that removing the whole
>> /var/cache/forked-daapd directory can be deleted and is expected to be
>> recreated because many services drop root privileges thus can't create
>> dirs in /var/cache:
>
>> In my interpretation of the FHS the _files_ can be removed and are
>> expected to be recreated, while _directory structures_ need to be kept
>> for applications to operate.
>
> I do not quite agree.
>
> The same would be true for /var/run, but there, the application or the
> init system is expected to create the relevant directories before
> dropping privileges.

/var/run is different, see very different wording in FHS.

http://www.pathname.com/fhs/2.2/fhs-5.13.html#FN37

5.13 /var/run : Run-time variable data

5.13.1 Purpose

This directory contains system information data describing the system
since it was booted. Files under this directory must be cleared
(removed or truncated as appropriate) at the beginning of the boot
process. Programs may have a subdirectory of /var/run; this is
encouraged for programs that use more than one run-time file.[footnote
37]

...

[37] /var/run should be unwritable for unprivileged users (root or
users running daemons); it is a major security problem if any user can
write in this directory. Process identifier (PID) files, which were
originally placed in /etc, must be placed in /var/run. The naming
convention for PID files is .pid. For example, the crond
PID file is named /var/run/crond.pid.

Cheers,
Balint

___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers

Bug#839686: forked-daapd: does not recreate stuff in /var/cache after deletion

[Dominik George]

Hi,

> IMO it is unreasonable to think that removing the whole
> /var/cache/forked-daapd directory can be deleted and is expected to be
> recreated because many services drop root privileges thus can't create
> dirs in /var/cache:

> In my interpretation of the FHS the _files_ can be removed and are
> expected to be recreated, while _directory structures_ need to be kept
> for applications to operate.

I do not quite agree.

The same would be true for /var/run, but there, the application or the
init system is expected to create the relevant directories before
dropping privileges.

Cheers,
Nik


signature.asc
Description: PGP signature
___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers

Processed: Re: forked-daapd: does not recreate stuff in /var/cache after deletion

[Debian Bug Tracking System]

Processing control commands:

> notfound -1 24.1-1+b1
Bug #839686 [forked-daapd] forked-daapd: does not recreate stuff in /var/cache 
after deletion
Ignoring request to alter found versions of bug #839686 to the same values 
previously set

-- 
839686: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839686
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers

Bug#839686: marked as done (forked-daapd: does not recreate stuff in /var/cache after deletion)

[Debian Bug Tracking System]

Your message dated Thu, 6 Oct 2016 23:08:46 +0200
with message-id <410609ab-b066-b29a-5faf-07ce4d247...@balintreczey.hu>
and subject line Re: forked-daapd: does not recreate stuff in /var/cache after 
deletion
has caused the Debian Bug report #839686,
regarding forked-daapd: does not recreate stuff in /var/cache after deletion
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
839686: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839686
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: forked-daapd
Version: 24.1-1+b1
Severity: serious
Justification: Policy 9.1.1

After deleting /var/cache/forked-daapd, forked-daapd cannot start up
again because it fails to open the database.

forked-daapd seems to require its data files there, while the FHS
unmistakably states:

"Unlike /var/spool, the cached files can be deleted without data loss.
The data must remain valid between invocations of the application and
rebooting the system.

Files located under /var/cache may be expired in an application specific
manner, by the system administrator, or both. The application must
always be able to recover from manual deletion of these files (generally
because of a disk space shortage). No other requirements are made on the
data format of the cache directories."

Please note that while the below information states this is Raspbian, I
can assure that forked-daapd and all its dependencies on this system are
plain Debian armhf ☺.

-- System Information:
Distributor ID: Raspbian
Description:Raspbian GNU/Linux testing (stretch)
Release:testing
Codename:   stretch
Architecture: armv7l

Kernel: Linux 4.4.21-v7+ (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages forked-daapd depends on:
ii  adduser 3.115
ii  avahi-daemon0.6.32-1
ii  libantlr3c-3.2-03.2-3
ii  libasound2  1.1.2-1
ii  libavahi-client30.6.32-1
ii  libavahi-common30.6.32-1
ii  libavcodec-extra57  7:3.1.3-1+b3
ii  libavfilter67:3.1.3-1+b3
ii  libavformat57   7:3.1.3-1+b3
ii  libavutil55 7:3.1.3-1+b3
ii  libc6   2.24-3
ii  libconfuse1 3.0+dfsg-2
ii  libcurl3-gnutls 7.50.1-1
ii  libevent-2.0-5  2.0.21-stable-2+b1
ii  libgcrypt20 1.7.3-1
ii  libgnutls30 3.5.4-2
ii  libgpg-error0   1.24-1
ii  libjson-c3  0.12.1-1
ii  libmxml12.10-1
ii  libplist3   1.12-3.1
ii  libprotobuf-c1  1.2.1-1+b1
ii  libsqlite3-03.14.2-1
ii  libswscale4 7:3.1.3-1+b3
ii  libunistring0   0.9.6+really0.9.3-0.1
ii  psmisc  22.21-2.1
ii  zlib1g  1:1.2.8.dfsg-2+b1

Versions of packages forked-daapd recommends:
ii  libavcodec-extra   7:3.1.3-1
ii  libavcodec-extra57 [libavcodec-extra]  7:3.1.3-1+b3

forked-daapd suggests no packages.

-- Configuration Files:
/etc/forked-daapd.conf changed [not included]

-- no debconf information
--- End Message ---
--- Begin Message ---
Control: notfound -1 24.1-1+b1

Hi Dominik,

On Mon, 03 Oct 2016 23:23:26 +0200 Dominik George  wrote:
> Package: forked-daapd
> Version: 24.1-1+b1
> Severity: serious
> Justification: Policy 9.1.1
> 
> After deleting /var/cache/forked-daapd, forked-daapd cannot start up
> again because it fails to open the database.
> 
> forked-daapd seems to require its data files there, while the FHS
> unmistakably states:
> 
> "Unlike /var/spool, the cached files can be deleted without data loss.
> The data must remain valid between invocations of the application and
> rebooting the system.
> 
> Files located under /var/cache may be expired in an application specific
> manner, by the system administrator, or both. The application must
> always be able to recover from manual deletion of these files (generally
> because of a disk space shortage). No other requirements are made on the
> data format of the cache directories."

I have tested unstable's forked-daapd and if I remove cache files they
get recreated but the directory structure is not.

IMO it is unreasonable to think that removing the whole
/var/cache/forked-daapd directory can be deleted and is expected to be
recreated because many services drop root privileges thus can't create
dirs in /var/cache:

total 64
drwxr-xr-x 16 root  root 4096 Oct  6 20:56 .
drwxr-xr-x 11 root  root 4096 Sep  5 23:27 ..
drwxr-xr-x  3 root  root 4096 Sep  7 14:08 app-info
drwxr-xr-x  3 root  root 4096 Oct  6 20:56 apt
drwxr-xr-x  2 

Bug#839686: forked-daapd: does not recreate stuff in /var/cache after deletion

[Balint Reczey]

Control: notfound -1 24.1-1+b1

Hi Dominik,

On Mon, 03 Oct 2016 23:23:26 +0200 Dominik George  wrote:
> Package: forked-daapd
> Version: 24.1-1+b1
> Severity: serious
> Justification: Policy 9.1.1
> 
> After deleting /var/cache/forked-daapd, forked-daapd cannot start up
> again because it fails to open the database.
> 
> forked-daapd seems to require its data files there, while the FHS
> unmistakably states:
> 
> "Unlike /var/spool, the cached files can be deleted without data loss.
> The data must remain valid between invocations of the application and
> rebooting the system.
> 
> Files located under /var/cache may be expired in an application specific
> manner, by the system administrator, or both. The application must
> always be able to recover from manual deletion of these files (generally
> because of a disk space shortage). No other requirements are made on the
> data format of the cache directories."

I have tested unstable's forked-daapd and if I remove cache files they
get recreated but the directory structure is not.

IMO it is unreasonable to think that removing the whole
/var/cache/forked-daapd directory can be deleted and is expected to be
recreated because many services drop root privileges thus can't create
dirs in /var/cache:

total 64
drwxr-xr-x 16 root  root 4096 Oct  6 20:56 .
drwxr-xr-x 11 root  root 4096 Sep  5 23:27 ..
drwxr-xr-x  3 root  root 4096 Sep  7 14:08 app-info
drwxr-xr-x  3 root  root 4096 Oct  6 20:56 apt
drwxr-xr-x  2 root  root 4096 Sep  7 14:08 cracklib
drwxr-xr-x  2 root  root 4096 Oct  5 09:25 debconf
drwxr-xr-x  2 root  root 4096 Sep  5 23:28 dictionaries-common
drwxr-xr-x  2 root  root 4096 Sep  8 20:40 fontconfig
drwxr-xr-x  2 root  root 4096 Feb 22  2016 fonts
drwxr-xr-x  2 daapd root 4096 Oct  6 21:01 forked-daapd
drwxr-xr-x  2 root  root 4096 Aug 31 08:28 gdm
drwx--  2 root  root 4096 Oct  6 20:56 ldconfig
drwx--x--x  3 root  root 4096 Sep  7 15:39 lightdm
drwxr-sr-x 37 man   root 4096 Oct  6 21:00 man
drwxr-xr-x  3 root  root 4096 Sep  7 14:08 PackageKit
drwxr-xr-x  2 root  root 4096 Aug 15 11:17 realmd

In my interpretation of the FHS the _files_ can be removed and are
expected to be recreated, while _directory structures_ need to be kept
for applications to operate.

Cheers,
Balint

___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers

Bug#839941: whishlist ffmpeg

[Sebastian Ramacher]

On 2016-10-06 19:19:49, Bálint Réczey wrote:
> Hi Marc,
> 
> 2016-10-06 17:28 GMT+02:00 Struminski, Marc :
> > Package: ffmpeg
> > Severity: wishlist
> >
> > Hi maintainers,
> >
> > Is it possible to add libfreetype, nvenc, decklink and libmfx to ffmpeg in
> > Debian.
> 
> Libfreetype seems to be possible.

It's already used.

Cheers
-- 
Sebastian Ramacher


signature.asc
Description: PGP signature
___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers

Bug#839952: libambix: FTBFS on *i386: basic2extended_identity4x4_float32__{f64, i32} fail

[Aaron M. Ucko]

Source: libambix
Version: 0.1-1
Severity: important
Justification: fails to build from source

Builds of libambix for i386 and the non-release architectures
hurd-i386 and kfreebsd-i386 all failed because the
basic2extended_identity4x4_float32__{f64,i32} tests both did (along
with the matrix test, reported separately just now as #839950).  Could
you please take a look?

Thanks!

-- 
Aaron M. Ucko, KB1CJC (amu at alum.mit.edu, ucko at debian.org)
http://www.mit.edu/~amu/ | http://stuff.mit.edu/cgi/finger/?a...@monk.mit.edu

___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers

Bug#839950: libambix: FTBFS: matrix test fails

[Aaron M. Ucko]

Source: libambix
Version: 0.1-1
Severity: important
Justification: fails to build from source

Builds of libambix for several architectures failed due to an error in
the matrix test.  These builds didn't log further details, but I
presume you should be able to reproduce the error on a porterbox.
FWIW, the architectures that failed so far in this fashion are arm64,
i386, powerpc, ppc64, and s390x, plus the non-release architectures
hurd-i386, kfreebsd-i386, and ppc64.  However, builds for several more
architectures are still pending, so the problem may turn out to be
somewhat wider.

The *i386 builds also encountered two other test suite errors, which
I'll report separately since they have not (so far) occurred elsewhere.

-- 
Aaron M. Ucko, KB1CJC (amu at alum.mit.edu, ucko at debian.org)
http://www.mit.edu/~amu/ | http://stuff.mit.edu/cgi/finger/?a...@monk.mit.edu

___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers

Bug#839941: whishlist ffmpeg

[Bálint Réczey]

Hi Marc,

2016-10-06 17:28 GMT+02:00 Struminski, Marc :
> Package: ffmpeg
> Severity: wishlist
>
> Hi maintainers,
>
> Is it possible to add libfreetype, nvenc, decklink and libmfx to ffmpeg in
> Debian.

Libfreetype seems to be possible.
nvenc is problematic because due to its license, but may be OK:
http://ffmpeg.org/pipermail/ffmpeg-devel/2016-April/193467.html

libmfx is not packaged.
decklink is not packaged either and seems to be non-free.

> When it is also possible libebur128.

libebur128 is already used.

Cheers,
Balint

___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers

gmusicbrowser 1.1.15~ds0-1 MIGRATED to testing

[Debian testing watch]

FYI: The status of the gmusicbrowser source package
in Debian's testing distribution has changed.

  Previous version: 1.1.14~ds0-1
  Current version:  1.1.15~ds0-1

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.

___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers

Bug#839941: whishlist ffmpeg

[Struminski, Marc]

Package: ffmpeg
Severity: wishlist

Hi maintainers,

Is it possible to add libfreetype, nvenc, decklink and libmfx to ffmpeg in
Debian.
When it is also possible libebur128.

Decklink = Blackmagic Capture-Cards
Nvenc = NVIDIA hw-encoding
Libmfx = Intel hw-encoding

Kind regards
Marc Struminski

___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers

Bug#798043: lives: creates (and uses) world-writeable directory

[James Cowgill]

Hi,

On 01/10/16 07:23, salsaman wrote:
> James, I was wondering what action should be taken regarding
> directory/subdirectory permissions for existing users. The options I can
> think of (from simplest to most complex): a) do nothing, only new users
> get the benefit. b) add a note in Release Notes informing users how to
> update the directory permissions manually, or c) Show a one time pop-up
> when LiVES is upgraded asking the user if they want the program to
> update permissions for the working directory for them, and if they click
> Yes, do the update for them.
> 
> Which of the options do you recommend ?

Sorry for not replying sooner - I've been quite busy recently!

I think c is the nicest solution for users so if you're prepared to
implement it, that would be the best solution. Adding something to the
release notes and possibly the debian/NEWS file is probably OK if not.

I think we need to tell users somehow, so not option a :)

Thanks,
James



signature.asc
Description: OpenPGP digital signature
___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers

Processing of libambix_0.1-1_amd64.changes

[Debian FTP Masters]

libambix_0.1-1_amd64.changes uploaded successfully to localhost
along with the files:
  libambix_0.1-1.dsc
  libambix_0.1.orig.tar.gz
  libambix_0.1-1.debian.tar.xz

Greetings,

Your Debian queue daemon (running on host franck.debian.org)

___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers

libambix_0.1-1_amd64.changes ACCEPTED into unstable

[Debian FTP Masters]

Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 06 Oct 2016 14:55:13 +0200
Source: libambix
Binary: libambix0 libambix-dev libambix-doc libambix-utils pd-ambix
Architecture: source
Version: 0.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers 

Changed-By: IOhannes m zmölnig (Debian/GNU) 
Description:
 libambix-dev - AMBIsonics eXchange library (development files)
 libambix-doc - AMBIsonics eXchange library (documentation)
 libambix-utils - AMBIsonics eXchange library (utilities)
 libambix0  - AMBIsonics eXchange library
 pd-ambix   - AMBIsonics eXchange objects for Pure Data
Changes:
 libambix (0.1-1) unstable; urgency=medium
 .
   * New upstream version 0.1
 .
   * Refreshed patches
   * Versioned B-D on libsndfile1-dev
   * Enabled 'make check' target
   * Updated d/libambix0.symbols
   * Updated d/copyright_hints
   * Updated d/copyright
   * Updated debian/README.source
   * Dropped d/control.in
   * Bumped standards-version to 3.9.8
Checksums-Sha1:
 c222bc635fc3c2cee850630e4014bce6ae82ef75 2376 libambix_0.1-1.dsc
 78228fd564cd02f239fa400169d3008967e299c8 178768 libambix_0.1.orig.tar.gz
 9809f4f7380afeefd1b3ee5e256bd5c27315a7b0 6904 libambix_0.1-1.debian.tar.xz
Checksums-Sha256:
 2f71425de9d9d0426b83b2ef1548ed9f56842f95ae926f8b70bb9f2a43b51543 2376 
libambix_0.1-1.dsc
 88c0d94d4af42569df25c19eb1a594e68477e6cc1020db0a4f37ff0bc1986bc4 178768 
libambix_0.1.orig.tar.gz
 9c7afe54f8ec5dc598921684866d0bdd7190cfd557d5f3ea64e24e49cbe4ac63 6904 
libambix_0.1-1.debian.tar.xz
Files:
 5a71ce79506846fc9c91be95aa4c0edc 2376 devel optional libambix_0.1-1.dsc
 72f27272a4999a1c3efded44f4895896 178768 devel optional libambix_0.1.orig.tar.gz
 2c0e9db023aadd5bdfea8bcbeea8cb75 6904 devel optional 
libambix_0.1-1.debian.tar.xz

-BEGIN PGP SIGNATURE-

iQIcBAEBCAAGBQJX9k1hAAoJELZQGcR/ejb42ZsP/jPGLtHSDZyqxk/zd8KGjRWh
JG9P/RJU25kQATNVn+v7My6g1hy3q4vWpew4l4omc/NQ9mYqI0wDkV28JYHcr0CZ
C+YlSBY+kpLa75ENaqbuZgYxKMDJnV1Z/pYofzfs88g5WZRGsNq58DiPmbAsl4Pn
SN6w3RwYCVimRISGhCsnfPmbDU7wvbg1B9pnRDzHiS7mjOAMQ5+J2uWowER3/at9
IieqHFwucFRknaEsayxyVH6I8ekvxZReUIlMHmbRqxX0+U4Bcw6DnmDW+Gfu0YyS
9qAVXKIgMSDccRCeiWA5fC5kxVYrvyInvc3IPSQlC3QxrByws8BrXdPzAUXsMUGn
GH8rwhFxR/UkfFxyuLj2NHCJEHIk+zfmozGDaxYzu3F3TAedJMej08ZLLuVt9g8q
XgywXg0pMtneDlsviJ4MODfQekuuPVPwkYT2LoWSd944xD+6Uvsbh7nIKrPak/Jj
3s57yqv6WKn5rzXCR/MDNkPVjLLFUTIYeh51+F+dpqcgmiTtJqlmvxBvznU3HWGk
YzOqmMeb2JAxdxptssoDSUuhtVr+eqmnvecv4t6GVNhsR593MOpbYXW/JC5AuDgj
jIdW9X1mGSP6Sc1z2WE9PVX2V4q6z5oBMHoyhRPZsY+fHCOTh8HF3orNgwA9iNbo
mPnTgXzEIBehMPnqWyUd
=oZwl
-END PGP SIGNATURE-


Thank you for your contribution to Debian.

___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers