Your message dated Wed, 27 Mar 2019 06:47:00 +0000
with message-id <[email protected]>
and subject line Re: Bug#925583: unblock:
node-opencv/6.0.0+git20180416.cfc96ba0-3
has caused the Debian Bug report #925583,
regarding unblock: node-opencv/6.0.0+git20180416.cfc96ba0-3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
925583: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925583
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package node-opencv
Hi all,
This release fixes 2 bugs:
- #925571: CVE-2019-10061
- #924462: "please make the build reproducible"
Even if this vulnerability isn't tagged as "serious" but only
"important", I think it is a good thing to upgrade the Debian version.
node-opencv has no reverse dependencies, so it seems not risky to
unblock this change.
Cheers,
Xavier
unblock node-opencv/6.0.0+git20180416.cfc96ba0-3
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (900, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-2-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=
(charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index ebfd618..fde7213 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+node-opencv (6.0.0+git20180416.cfc96ba0-3) unstable; urgency=medium
+
+ * Team upload
+
+ [ Xavier Guimard ]
+ * Add dh_installexamples -Xtmp/ to make build reproductible. Thanks to
+ Chris Lamb (Closes: #924462)
+
+ [ Utkarsh Gupta ]
+ * Add patch to fix CVE-2019-10061 (Closes: #925571)
+
+ -- Utkarsh Gupta <[email protected]> Wed, 27 Mar 2019 04:27:41 +0530
+
node-opencv (6.0.0+git20180416.cfc96ba0-2) unstable; urgency=medium
* Team upload
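Review bot: The first bullet of the new -3 entry spells "reproductible"; it should read "reproducible", as in the title of #924462. The CVE bullet says only "Add patch to fix CVE-2019-10061"; naming the file the patch touches (utils/find-opencv.js, per the patch further down) would let someone reading the changelog alone see what the fix covers.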
@@ -6,10 +19,6 @@ node-opencv (6.0.0+git20180416.cfc96ba0-2) unstable;
urgency=medium
* Add upstream/metadata
* Update description
* Set hardening flags
- * Remove unneeded dependency versions
- * Add upstream/metadata
- * Update description
- * Set hardening flags
* Fix autopkgtest failures on an unbuild tree and test installed files
* Install examples in the right place
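Review bot: The four lines dropped from the previous -2 stanza are not accounted for by anything in the new -3 entry, which lists only #924462 and #925571. Three of them repeat the context lines directly above, so this reads as de-duplication, but for an unblock diff it would be cleaner either to leave the older stanza untouched or to mention the cleanup in the -3 entry.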
diff --git a/debian/patches/CVE-2019-10061.patch
b/debian/patches/CVE-2019-10061.patch
new file mode 100644
index 0000000..40ede57
--- /dev/null
+++ b/debian/patches/CVE-2019-10061.patch
@@ -0,0 +1,51 @@
+Description: This patch is in reference with CVE-2019-10061.
+Author: Utkarsh Gupta
+Origin:
https://github.com/peterbraden/node-opencv/commit/81a4b8620188e89f7e4fc985f3c89b58d4bcc86b
+
https://github.com/peterbraden/node-opencv/commit/aaece6921d7368577511f06c94c99dd4e9653563
+Bug-Debian: https://bugs.debian.org/925571
+Last-Update: 2019-03-26
+
+--- node-opencv-6.0.0+git20180416.cfc96ba0.orig/src/FaceRecognizer.h
++++ node-opencv-6.0.0+git20180416.cfc96ba0/src/FaceRecognizer.h
+@@ -8,6 +8,7 @@ namespace cv {
+ using cv::face::FaceRecognizer;
+ }
+ #else
++#warning using opencv2 contrib
+ #include "opencv2/contrib/contrib.hpp"
+ #endif
+
+--- node-opencv-6.0.0+git20180416.cfc96ba0.orig/utils/find-opencv.js
++++ node-opencv-6.0.0+git20180416.cfc96ba0/utils/find-opencv.js
+@@ -2,13 +2,20 @@
+
+ var exec = require("child_process").exec;
+ var fs = require("fs");
+-var flag = process.argv[2] || "--exists";
++
++var flags = {
++ '--cflags' : '--cflags',
++ '--libs' : '--libs'
++}
++var flag = flags[process.argv[2]] || '--exists'
++
++
+
+ // Normally |pkg-config opencv ...| could report either OpenCV 2.x or OpenCV
3.y
+ // depending on what is installed. To enable both 2.x and 3.y to co-exist on
+ // the same machine, the opencv.pc for 3.y can be installed as opencv3.pc and
+ // then selected by |export PKG_CONFIG_OPENCV3=1| before building node-opencv.
+-var opencv = process.env.PKG_CONFIG_OPENCV3 === "1" ? "opencv3" : '"opencv >=
2.3.1"';
++var opencv = process.env.PKG_CONFIG_OPENCV3 === "1" ? "opencv3" : ' "opencv
>= 2.3.1"';
+
+ function main(){
+ //Try using pkg-config, but if it fails and it is on Windows, try the
fallback
+@@ -18,7 +25,7 @@ function main(){
+ fallback();
+ }
+ else{
+- throw new Error("ERROR: failed to run: pkg-config", opencv,
flag);
++ throw new Error("ERROR: failed to run: pkg-config" + opencv + "
" + flag + " - Is OpenCV installed?");
+ }
+ }
+ else{
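Review bot: The allowlist lookup `flags[process.argv[2]]` in utils/find-opencv.js runs against a plain object literal, so inherited keys such as `constructor` or `toString` also resolve to a truthy value and skip the `|| '--exists'` default, leaving `flag` as a function rather than one of the two permitted strings. The result is not caller-chosen text, but the check is looser than the strict allowlist it appears to be; testing with `Object.prototype.hasOwnProperty.call(flags, process.argv[2])` or creating `flags` with `Object.create(null)` would close the gap. Separately, the new error message joins "pkg-config" directly to `opencv`, so with PKG_CONFIG_OPENCV3 set to 1 it reads "pkg-configopencv3"; put the space in the message literal instead of relying on the leading space added to the default `opencv` string. The `#warning` added to src/FaceRecognizer.h is unrelated to the input check and should be mentioned in the patch's Description header.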
diff --git a/debian/patches/series b/debian/patches/series
index bf036a7..4d1e52d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
0001_fix_makefile.patch
0002_patch_unittest.patch
+CVE-2019-10061.patch
diff --git a/debian/rules b/debian/rules
index 1cd5e96..299c7ba 100755
--- a/debian/rules
+++ b/debian/rules
@@ -35,6 +35,9 @@ override_dh_auto_clean:
rm -rf node_modules
rm -rf build
+override_dh_installexamples:
+ dh_installexamples -Xtmp/
+
DEB_UPSTREAM_VERSION := $(shell echo $(DEB_VERSION) | sed -e 's/-[^-]*$$//')
GIT_URL = https://github.com/peterbraden/node-opencv.git
get-orig-source:
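Review bot: `-Xtmp/` in the new override_dh_installexamples target is a substring match on the file path, so it excludes every example whose path contains "tmp/", not only the directory behind #924462. A comment above the target naming the excluded directory and the bug number, or a more specific pattern, would keep a later change to the examples from silently dropping files.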
--- End Message ---
--- Begin Message ---
Xavier Guimard:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
>
> Please unblock package node-opencv
>
> Hi all,
>
> This release fixes 2 bugs:
> - #925571: CVE-2019-10061
> - #924462: "please make the build reproducible"
>
> Even if this vulnerability isn't tagged as "serious" but only
> "important", I think it is a good thing to upgrade the Debian version.
>
> node-opencv has no reverse dependencies, so it seems not risky to
> unblock this change.
>
> Cheers,
> Xavier
>
> unblock node-opencv/6.0.0+git20180416.cfc96ba0-3
>
> [...]
Unblocked, thanks.
~Niels
--- End Message ---