Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
This update addresses three sets of bugs: - The firmware-{adi,ralink} pckages were supposed to be replaced by firmware-misc-nonfree between jessie and stretch, but I failed to include transitional packages to make this work (#907320). - Security vulnerabilities in packet processing in Broadcom wifi firmware (CVE-2016-0801, CVE-2017-0561, CVE-2017-9417, #869639, a.k.a. "Broadpwn"). - Security vulnerabilities in WPA2 key handling in Broadcom wifi firmware (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, a.k.a. "KRACK"). (The security vulnerabilities went unfixed for a long time so it doesn't make much difference if the fixes wait for the next point release.) The following source diff excludes generated files debian/control, debian/firmware-*.copyright, and debian/rules.gen. Ben. --- diff --git a/debian/bin/gencontrol.py b/debian/bin/gencontrol.py index 491bbe329c54..b087b7e602d5 100755 --- a/debian/bin/gencontrol.py +++ b/debian/bin/gencontrol.py @@ -1,9 +1,10 @@ #!/usr/bin/env python3 -import os, re, sys, codecs +import os, re, sys, locale sys.path.insert(0, "debian/lib/python") sys.path.append(sys.argv[1] + "/lib/python") +locale.setlocale(locale.LC_CTYPE, "C.UTF-8") from config import Config from debian_linux.debian import Package, PackageRelation @@ -92,7 +93,7 @@ Package._fields['Description'] = PackageDescription for dir in self.dirs: filename = "%s/%s.in" % (dir, name) if os.path.exists(filename): - f = codecs.open(filename, 'r', 'utf-8') + f = open(filename, 'r') if prefix == 'control': return read_control(f) elif prefix == 'templates': @@ -145,7 +146,7 @@ Package._fields['Description'] = PackageDescription makefile = Makefile() self.do_source(packages) - self.do_meta(packages, makefile) + self.do_extra(packages, makefile) self.do_main(packages, makefile) self.write(packages, makefile) 
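Review bot: The new `locale.setlocale(locale.LC_CTYPE, "C.UTF-8")` in the `@@ -1,9` hunk makes every later bare `open()` depend on process-global state instead of stating the encoding where the file is opened. It also raises `locale.Error` at start-up on a build host where the C.UTF-8 locale is not available. Passing the encoding explicitly keeps the UTF-8 guarantee local to each call, e.g. `f = open(filename, 'r', encoding='utf-8')` in the `@@ -92,7` hunk. The same applies to the `open()` calls on the new side of the hunks at -203, -308, -336 and -370. If the global setting is kept, a one-line comment above it such as `# all text I/O below relies on this locale for its default encoding` would help the next reader.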
@@ -154,17 +155,17 @@ Package._fields['Description'] = PackageDescription source = self.templates["control.source"] packages['source'] = self.process_package(source[0], ()) - def do_meta(self, packages, makefile): + def do_extra(self, packages, makefile): config_entry = self.config['base',] vars = {} vars.update(config_entry) - for entry in self.templates["control.binary.meta"]: + for entry in self.templates["control.extra"]: package_binary = self.process_package(entry, {}) assert package_binary['Package'].startswith('firmware-') package = package_binary['Package'].replace('firmware-', '') - f = open('debian/copyright.meta') + f = open('debian/copyright.debian') open("debian/firmware-%s.copyright" % package, 'w').write(f.read()) makeflags = MakeFlags() @@ -203,8 +204,8 @@ Package._fields['Description'] = PackageDescription f = open('%s/copyright' % package_dir) open("debian/firmware-%s.copyright" % package, 'w').write(f.read()) else: - vars['license'] = codecs.open("%s/LICENSE" % package_dir, 'r', 'utf-8').read() - codecs.open("debian/firmware-%s.copyright" % package, 'w', 'utf-8').write(self.substitute(copyright, vars)) + vars['license'] = open("%s/LICENSE" % package_dir, 'r').read() + open("debian/firmware-%s.copyright" % package, 'w').write(self.substitute(copyright, vars)) try: os.unlink('debian/firmware-%s.bug-presubj' % package) 
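Review bot: In the `@@ -203,8` hunk, `open("debian/firmware-%s.copyright" % package, 'w').write(...)` never closes the file explicitly, so the generated copyright file is flushed only when the file object is finalised. CPython usually does that promptly, but it is not guaranteed, and an exception in between can leave a truncated file in `debian/`. A `with` block makes it deterministic: `with open("debian/firmware-%s.copyright" % package, 'w') as out:` followed by `out.write(self.substitute(copyright, vars))`. The same pattern is on the new side of the hunks at -154 (`f = open('debian/copyright.debian')` is not closed in the visible lines), -308 and -336. It also appears in `write_control` at -370, although `write_makefile` directly below it does call `f.close()`. The enclosing methods start and end outside these hunks.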
@@ -308,19 +309,19 @@ Package._fields['Description'] = PackageDescription if 'initramfs-tools' in config_entry.get('support', []): postinst = self.templates['postinst.initramfs-tools'] - codecs.open("debian/firmware-%s.postinst" % package, 'w', 'utf-8').write(self.substitute(postinst, vars)) + open("debian/firmware-%s.postinst" % package, 'w').write(self.substitute(postinst, vars)) if 'license-accept' in config_entry: - license = codecs.open("%s/LICENSE.install" % package_dir, 'r', 'utf-8').read() + license = open("%s/LICENSE.install" % package_dir, 'r').read() preinst = self.templates['preinst.license'] preinst_filename = "debian/firmware-%s.preinst" % package - codecs.open(preinst_filename, 'w', 'utf-8').write(self.substitute(preinst, vars)) + open(preinst_filename, 'w').write(self.substitute(preinst, vars)) templates = self.process_templates(self.templates['templates.license'], vars) license_split = re.split(r'\n\s*\n', license) templates[0]['Description'].extend(license_split) templates_filename = "debian/firmware-%s.templates" % package - self.write_rfc822(codecs.open(templates_filename, 'w', 'utf-8'), templates) + self.write_rfc822(open(templates_filename, 'w'), templates) desc = packages_binary[0]['Description'] desc.append( @@ -336,7 +337,7 @@ You must agree to the terms of this license before it is installed.""" vars['firmware-list'] = ''.join(firmware_meta_list) package_meta_temp = self.templates["metainfo.xml"] # XXX Might need to escape some characters - codecs.open("debian/firmware-%s.metainfo.xml" % package, 'w', 'utf-8').write(self.substitute(package_meta_temp, vars)) + open("debian/firmware-%s.metainfo.xml" % package, 'w').write(self.substitute(package_meta_temp, vars)) def process_template(self, in_entry, vars): e = Template() 
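Review bot: The existing `# XXX Might need to escape some characters` in the `@@ -336,7` hunk is still open on the new side. The result of `self.substitute(package_meta_temp, vars)` is written to `debian/firmware-%s.metainfo.xml` unchanged, so a `&` or `<` in any substituted text value would produce malformed XML. The values presumably come from the package config and file lists, which are built outside this hunk. It would be safer to escape plain-text values with `xml.sax.saxutils.escape()` where they are assembled, leaving `vars['firmware-list']` alone if it is already markup. Until then, extending the comment to say which substitutions are text and which are markup would make the gap easier to close.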
@@ -370,10 +371,10 @@ You must agree to the terms of this license before it is installed.""" self.write_makefile(makefile) def write_control(self, list): - self.write_rfc822(codecs.open("debian/control", 'w', 'utf-8'), list) + self.write_rfc822(open("debian/control", 'w'), list) def write_makefile(self, makefile): - f = codecs.open("debian/rules.gen", 'w', 'utf-8') + f = open("debian/rules.gen", 'w') makefile.write(f) f.close() diff --git a/debian/changelog b/debian/changelog index 745d4613345b..af2adeb54d68 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,26 @@ +firmware-nonfree (20161130-4) stretch; urgency=medium + + * debian/bin/gencontrol.py: Set encoding to UTF-8 globally + * Add back firmware-{adi,ralink} as transitional packages (Closes: #907320) + * debian/control: Point Vcs URLs to Salsa + * Update to linux-support 4.9.0-8 + * firmware-brcm80211: Update Broadcom wifi firmware to fix security issues + (Closes: #869639): + - BCM4339 (CVE-2016-0801) + - BCM4354 (CVE-2016-0801, CVE-2017-0561, CVE-2017-9417, CVE-2017-13077, + CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081) + - BCM4356-PCIe (CVE-2016-0801, CVE-2017-0561, CVE-2017-9417, + CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, + CVE-2017-13081) + - BCM43340 (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, + CVE-2017-13081) (also fixes issues when operating in 5GHz band) + - BCM43362 (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, + CVE-2017-13081) + - BCM43430 (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, + CVE-2017-13081) + + -- Ben Hutchings <b...@decadent.org.uk> Sat, 13 Oct 2018 20:27:06 +0100 + firmware-nonfree (20161130-3) unstable; urgency=medium * misc-nonfree: Include Intel OPA Gen1 firmware (Closes: #862458) 
diff --git a/debian/config/brcm80211/brcm/brcmfmac43340-sdio.bin b/debian/config/brcm80211/brcm/brcmfmac43340-sdio.bin
new file mode 100644
index 000000000000..a945f80dbeb6
Binary files /dev/null and b/debian/config/brcm80211/brcm/brcmfmac43340-sdio.bin differ
diff --git a/debian/config/brcm80211/brcm/brcmfmac43362-sdio.bin b/debian/config/brcm80211/brcm/brcmfmac43362-sdio.bin
new file mode 100644
index 000000000000..62b3643420ed
Binary files /dev/null and b/debian/config/brcm80211/brcm/brcmfmac43362-sdio.bin differ
diff --git a/debian/config/brcm80211/brcm/brcmfmac4339-sdio.bin b/debian/config/brcm80211/brcm/brcmfmac4339-sdio.bin
new file mode 100644
index 000000000000..bc8316d80f32
Binary files /dev/null and b/debian/config/brcm80211/brcm/brcmfmac4339-sdio.bin differ
diff --git a/debian/config/brcm80211/brcm/brcmfmac43430-sdio.bin b/debian/config/brcm80211/brcm/brcmfmac43430-sdio.bin
new file mode 100644
index 000000000000..4b2945eaca56
Binary files /dev/null and b/debian/config/brcm80211/brcm/brcmfmac43430-sdio.bin differ
diff --git a/debian/config/brcm80211/brcm/brcmfmac4354-sdio.bin b/debian/config/brcm80211/brcm/brcmfmac4354-sdio.bin
new file mode 100644
index 000000000000..e2f7b1f04fbb
Binary files /dev/null and b/debian/config/brcm80211/brcm/brcmfmac4354-sdio.bin differ
diff --git a/debian/config/brcm80211/brcm/brcmfmac4356-pcie.bin b/debian/config/brcm80211/brcm/brcmfmac4356-pcie.bin
new file mode 100644
index 000000000000..3bf706e08c3b
Binary files /dev/null and b/debian/config/brcm80211/brcm/brcmfmac4356-pcie.bin differ
diff --git a/debian/config/misc-nonfree/defines b/debian/config/misc-nonfree/defines
index 907c2e98a95e..c06c0a1d150c 100644
--- a/debian/config/misc-nonfree/defines
+++ b/debian/config/misc-nonfree/defines
@@ -3,8 +3,8 @@ desc: various drivers in the Linux kernel longdesc: various drivers in the Linux kernel. This is a collection of firmware blobs which are not individually large enough to warrant a standalone package -replaces: firmware-linux (<< 0.19), firmware-ivtv (<< 0.38~), firmware-linux-nonfree (<< 20151018-1~), firmware-adi, firmware-ralink -breaks: firmware-linux (<< 0.19), firmware-ivtv (<< 0.38~), firmware-linux-nonfree (<< 20151018-1~), firmware-adi, firmware-ralink +replaces: firmware-linux (<< 0.19), firmware-ivtv (<< 0.38~), firmware-linux-nonfree (<< 20151018-1~), firmware-adi (<< 20151018-1~), firmware-ralink (<< 20151018-1~) +breaks: firmware-linux (<< 0.19), firmware-ivtv (<< 0.38~), firmware-linux-nonfree (<< 20151018-1~), firmware-adi (<< 20151018-1~), firmware-ralink (<< 20151018-1~) provides: firmware-adi, firmware-ralink files: 3com/typhoon.bin diff --git a/debian/copyright.meta b/debian/copyright.debian similarity index 100% rename from debian/copyright.meta rename to debian/copyright.debian diff --git a/debian/rules.defs b/debian/rules.defs index 021b3c43a799..68526d069c09 100644 --- a/debian/rules.defs +++ b/debian/rules.defs @@ -1 +1 @@ -KERNELVERSION := 4.9.0-1 +KERNELVERSION := 4.9.0-8 diff --git a/debian/source/include-binaries b/debian/source/include-binaries index 3d9c8c1471b8..db82e0ae2a96 100644 --- a/debian/source/include-binaries +++ b/debian/source/include-binaries @@ -1,4 +1,10 @@ debian/config/amd-graphics/radeon/si58_mc.bin +debian/config/brcm80211/brcm/brcmfmac4339-sdio.bin +debian/config/brcm80211/brcm/brcmfmac4354-sdio.bin +debian/config/brcm80211/brcm/brcmfmac4356-pcie.bin +debian/config/brcm80211/brcm/brcmfmac43340-sdio.bin +debian/config/brcm80211/brcm/brcmfmac43362-sdio.bin +debian/config/brcm80211/brcm/brcmfmac43430-sdio.bin debian/config/ipw2x00/ipw2100-1.3-i.fw debian/config/ipw2x00/ipw2100-1.3-p.fw debian/config/ipw2x00/ipw2100-1.3.fw 
diff --git a/debian/templates/control.binary.meta.in b/debian/templates/control.extra.in similarity index 59% rename from debian/templates/control.binary.meta.in rename to debian/templates/control.extra.in index 4971599202eb..be0be449cf3b 100644 --- a/debian/templates/control.binary.meta.in +++ b/debian/templates/control.extra.in @@ -18,3 +18,18 @@ Description: Binary firmware for various drivers in the Linux kernel (meta-packa This package depends on non-free firmware which may be used with drivers in the Linux kernel. +Package: firmware-adi +Section: non-free/oldlibs +Architecture: all +Depends: firmware-misc-nonfree, ${misc:Depends} +Description: Binary firmware for Analog Devices Inc. DSL modem chips (dummmy package) + This is a dummy transitional package. It can be safely removed. +Multi-Arch: foreign + +Package: firmware-ralink +Section: non-free/oldlibs +Architecture: all +Depends: firmware-misc-nonfree, ${misc:Depends} +Description: Binary firmware for Ralink wireless cards (dummmy package) + This is a dummy transitional package. It can be safely removed. +Multi-Arch: foreign diff --git a/debian/templates/control.source.in b/debian/templates/control.source.in index 6d5c4505592a..7ae4c1c45b6b 100644 --- a/debian/templates/control.source.in +++ b/debian/templates/control.source.in @@ -5,6 +5,6 @@ Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org> Uploaders: Bastian Blank <wa...@debian.org>, Steve Langasek <vor...@debian.org>, maximilian attems <m...@debian.org>, Ben Hutchings <b...@decadent.org.uk> Build-Depends: debhelper (>= 9) Standards-Version: 3.9.8 -Vcs-Git: https://anonscm.debian.org/git/kernel/firmware-nonfree.git -Vcs-Browser: https://anonscm.debian.org/cgit/kernel/firmware-nonfree.git +Vcs-Git: https://salsa.debian.org/kernel-team/firmware-nonfree.git +Vcs-Browser: https://salsa.debian.org/kernel-team/firmware-nonfree XS-Autobuild: yes
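Review bot: Both new stanzas in the `@@ -18,3 +18,18` hunk of `control.extra.in` spell the short description with three m's, `(dummmy package)`. This string ends up in the generated `debian/control` and is what users see in package listings, so it should read `(dummy package)` for both `firmware-adi` and `firmware-ralink`. The long description line below each already uses the correct spelling, `This is a dummy transitional package.`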