Override component to main
libmspub 0.0.4-1ubuntu2 in raring: universe/misc -> main
libmspub-0.0-0 0.0.4-1ubuntu2 in raring amd64: universe/libs/optional -> main
libmspub-0.0-0 0.0.4-1ubuntu2 in raring armhf: universe/libs/optional -> main
libmspub-0.0-0 0.0.4-1ubuntu2 in raring i386: universe/libs
@mterry: Current upload by bdrung is using dh9 and thus has fortify. See
also:
https://bugs.launchpad.net/ubuntu/+source/libmspub/+bug/1124082/comments/5
** Branch unlinked: lp:~bjoern-michaelsen/+junk/libmspub-hardening-no-fortify
** Changed in: libmspub (Ubuntu)
Status: Incomplete => New
$ hardening-check --verbose /usr/bin/pub2*
/usr/bin/pub2raw:
Position Independent Executable: no, normal executable!
Stack protected: no, not found!
Fortify Source functions: yes
protected: printf
Read-only relocations: yes
Immediate binding: no, not found!
/usr/bin/pub2xhtml:
Positio
$ hardening-check --verbose /usr/lib/libmspub-0.0.so.0.0.4
/usr/lib/libmspub-0.0.so.0.0.4:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: no, only unprotected functions found!
unprotected: memset
unprotected:
Remaining lintian hardening warning is a false positive. Approved.
** Changed in: libmspub (Ubuntu)
Status: New => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1124082
Title:
** Branch linked: lp:~bjoern-michaelsen/+junk/libmspub-hardening-no-fortify
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1124082
Title:
[MIR] libmspub
To manage notifications about this bug go to
** Changed in: libmspub (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
@Seth, just a quick follow up on tests and MIRs. It's a little odd. If
there are tests, we usually block on enabling them and making them fail
the build. But if there aren't tests, we don't generally require the
often large effort of adding them, especially when we aren't upstream
and that would
@mterry: thanks for letting me know about a test suite not being
customary.
@Björn: thanks for filing the bug report upstream and talking with
them on IRC about a test suite. Full unit tests would be a superb bonus
and probably a development assistance upstream as well. :)
- No CVE history
- No
Seth, while I also am super sad about the lack of tests, we don't
generally block a MIR on the absence of upstream tests (especially when
Canonical is not upstream). I've filed bug 1128952 about the lack
(which links to the upstream bug Björn mentioned).
So I wouldn't worry about that from an appr
@Seth:
Discussed this with upstream on IRC, they are open and welcoming it, thus filed
a bug at:
https://bugs.freedesktop.org/show_bug.cgi?id=61050
Note that mspub is really young and new, just doing their first releases
thus there was no immediate need for tests as there was nothing they
could
I've asked the security team to provide me feedback on my report, before
pasting it in here.
The version I audited had inconsistent stack protection and fortify, and
missed PIE and BIND_NOW completely. I understand those are fixed in a
newer upload.
The version I audited also did not have any kin
The lintian warning remains? Neither my pbuilder builds of
0.0.4-1ubuntu1, nor the downloaded 0.0.4-1ubuntu2 .deb files emit
hardening-no-fortify-functions.
> Also, it does have the lintian warning hardening-no-fortify-functions, like
> the other
> MIRs above. Björn, can you just check if that warning is a false or true
> positive?
The lintian warning remains, now enabled verbose build logs to see that
the package is built this way. The lintian chec
I have uploaded libmspub 0.0.4-1ubuntu1 which fixes the
hardening-no-fortify-functions lintian warning.
@Björn: It's not my decision. It's the decision of the MIR team.
@MIR team: Is it okay to wait for the next Debian upload to get
hardening-no-fortify-functions fixed or should I fix
hardening-no-fortify-functions in Ubuntu and get back in sync with Debian
with their next upload?
Judging from the email exchange with Rene, hardening-no-fortify-functions
isn't a concern for this.
@bdrung: Can we unblock this as your other changes are helpful, but no
blockers?
Identical comments as for libcdr and libvisio MIR bugs: The
hardening-no-fortify-functions is a valid lintian warning. I sent a mail to the
Debian maintainer containing a bunch of patches adding multi-arch
support and fixing hardening-no-fortify-functions and other lintian
complaints.
Ugh. Again, identical packaging and concerns from MIR bug 1124074 and
bug 1124092. I feel like I'm stuck. :)
-Simple, modern packaging
-No delta
-No test suite
-No symbols file, but it's C++, so that's understandable
-debian/copyright file is a little malformed (missing license stanza), but
th