Bug#869966: stretch-pu: package gosa-plugin-mailaddress/0.99.5-2+deb9u1
Hi Adam,

On Sun 30 Jul 2017 23:49:13 CEST, Adam D. Barratt wrote:

> Control: tags -1 + confirmed
>
> On Fri, 2017-07-28 at 10:59 +0200, Mike Gabriel wrote:
> > Vincent Danjean spotted a flaw in gosa-plugin-mailaddress, recently, that
> > relates to the renaming of class constructor names as required with PHP 7.
> > The attached .debdiff fixes this issue for Debian stretch. Please accept
> > the .debdiff as a stretch-pu upload candidate.
> > +gosa-plugin-mailaddress (0.99.5-2+deb9u1) stretch-proposed-updates; urgency=medium
>
> Ack.

Package adapted to this.

> The preferred changelog distribution is simply "stretch". Please go ahead.

Uploaded just now.

Mike

--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Bug#870402: nmu: libvoikko_4.1-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

nmu libvoikko_4.1-1 . ANY . unstable . -m "Rebuild against libhfstospell9."

The transition tracker does not seem to pick up this transition (only libvoikko is affected).

Andreas
Processed: reopening 868455, block 868455 with 869762
Processing commands for cont...@bugs.debian.org:

> reopen 868455
Bug #868455 {Done: Gianfranco Costamagna} [src:libbiod] libbiod: FTBFS with new ldc?
Bug reopened
Ignoring request to alter fixed versions of bug #868455 to the same values previously set
> block 868455 with 869762
Bug #868455 [src:libbiod] libbiod: FTBFS with new ldc?
868455 was not blocked by any bugs.
868455 was not blocking any bugs.
Added blocking bug(s) of 868455: 869762
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
868455: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868455
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#870376: jessie-pu: package sudo/1.8.10p3-1+deb8u5
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi

sudo in jessie is still affected by CVE-2017-1000368. The issue IMHO does not need a DSA, since with the previous fixes due to the /dev traversal changes the issue was no longer exploitable. Still it would make sense IMHO to address it. Attached is the proposed debdiff.

Bug in the Debian BTS: #863897

Regards,
Salvatore

diff -Nru sudo-1.8.10p3/debian/changelog sudo-1.8.10p3/debian/changelog --- sudo-1.8.10p3/debian/changelog 2017-05-28 13:25:43.0 +0200 +++ sudo-1.8.10p3/debian/changelog 2017-08-01 15:00:25.0 +0200 @@ -1,3 +1,10 @@ +sudo (1.8.10p3-1+deb8u5) jessie; urgency=medium + + * Non-maintainer upload. + * CVE-2017-1000368: Arbitrary terminal access (Closes: #863897) + + -- Salvatore BonaccorsoTue, 01 Aug 2017 15:00:25 +0200 + sudo (1.8.10p3-1+deb8u4) jessie-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru sudo-1.8.10p3/debian/patches/CVE-2017-1000368.patch sudo-1.8.10p3/debian/patches/CVE-2017-1000368.patch --- sudo-1.8.10p3/debian/patches/CVE-2017-1000368.patch 1970-01-01 01:00:00.0 +0100 +++ sudo-1.8.10p3/debian/patches/CVE-2017-1000368.patch 2017-08-01 15:00:25.0 +0200 
@@ -0,0 +1,76 @@ + +# HG changeset patch +# User Todd C. Miller +# Date 1496243671 21600 +# Node ID 15a46f4007dde8e819dd2c70e670a529bbb9d312 +# Parent 6f3d9816541ba84055ae5aec6ff9d9523c2a96f3 +A command name may also contain newline characters so read +/proc/self/stat until EOF. It is not legal for /proc/self/stat to +contain embedded NUL bytes so treat the file as corrupt if we see +any. With help from Qualys. + +This is not exploitable due to the /dev traversal changes in sudo +1.8.20p1 (thanks Solar!). + +--- a/src/ttyname.c b/src/ttyname.c +@@ -412,24 +412,36 @@ get_process_ttyname(void) + char * + get_process_ttyname(void) + { +-char path[PATH_MAX], *line = NULL, *tty = NULL; +-size_t linesize = 0; +-ssize_t len; +-FILE *fp; ++char path[PATH_MAX], *tty = NULL; ++char *cp, buf[1024]; ++ssize_t nread; ++int fd; + debug_decl(get_process_ttyname, SUDO_DEBUG_UTIL) + +-/* Try to determine the tty from tty_nr in /proc/pid/stat. */ +-snprintf(path, sizeof(path), "/proc/%u/stat", (unsigned int)getpid()); +-if ((fp = fopen(path, "r")) != NULL) { +- len = getline(, , fp); +- fclose(fp); +- if (len != -1) { ++/* ++ * Try to determine the tty from tty_nr in /proc/pid/stat. ++ * Ignore /proc/self/stat if it contains embedded NUL bytes. ++ */ ++if ((fd = open(path, O_RDONLY | O_NOFOLLOW)) != -1) { ++cp = buf; ++while ((nread = read(fd, cp, buf + sizeof(buf) - cp)) != 0) { ++if (nread == -1) { ++if (errno == EAGAIN || errno == EINTR) ++continue; ++break; ++} ++cp += nread; ++if (cp >= buf + sizeof(buf)) ++break; ++} ++if (nread == 0 && memchr(buf, '\0', cp - buf) == NULL) { + /* + * Field 7 is the tty dev (0 if no tty). +- * Since the process name at field 2 "(comm)" may include spaces, +- * start at the last ')' found. ++ * Since the process name at field 2 "(comm)" may include ++ * whitespace (including newlines), start at the last ')' found. 
+ */ +-char *cp = strrchr(line, ')'); ++*cp = '\0'; ++cp = strrchr(buf, ')'); + if (cp != NULL) { + char *ep = cp; + const char *errstr; +@@ -453,7 +465,8 @@ get_process_ttyname(void) + } + } + } +- efree(line); ++if (fd != -1) ++close(fd); + } + + debug_return_str(tty); diff -Nru sudo-1.8.10p3/debian/patches/series sudo-1.8.10p3/debian/patches/series --- sudo-1.8.10p3/debian/patches/series 2017-05-28 13:25:43.0 +0200 +++ sudo-1.8.10p3/debian/patches/series 2017-08-01 15:00:25.0 +0200 @@ -16,3 +16,4 @@ CVE-2015-5602-6.patch CVE-2015-5602-7.patch CVE-2017-1000367.patch +CVE-2017-1000368.patch
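Review bot: the new changelog trailer `-- Salvatore BonaccorsoTue, 01 Aug 2017 15:00:25 +0200` has no space and no email address between the maintainer name and the date; dpkg-parsechangelog expects the form ` -- Name <email>  date` and will not parse the entry cleanly as shown. If the address was only stripped by the mail rendering this is fine; otherwise please fix the trailer before upload.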
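Review bot: in the get_process_ttyname() hunk, `path` stays declared (`+char path[PATH_MAX], *tty = NULL;`) and is passed to `open(path, O_RDONLY | O_NOFOLLOW)`, but the only line that filled it, `-snprintf(path, sizeof(path), "/proc/%u/stat", (unsigned int)getpid());`, is removed with no `+` replacement, so as shown the backport opens an uninitialized buffer. Either keep the snprintf line or open "/proc/self/stat" directly and drop `path`. Please also confirm that ttyname.c in 1.8.10p3 already includes <fcntl.h> and <errno.h>, since the hunk introduces O_NOFOLLOW and errno without touching the includes. The read loop itself is sound: filling the 1024-byte buffer breaks out with nread still non-zero, so an oversized /proc/self/stat is rejected by the `nread == 0` check together with the memchr test for embedded NUL bytes.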
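Review bot: series ordering looks right: CVE-2017-1000367.patch is applied before the new CVE-2017-1000368.patch, which matters because the patch header's statement that the issue is not exploitable relies on the /dev traversal changes from that earlier fix being present.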
Bug#870336: Helping migration of camlp5, lablgtk2, etc.
Package: release.debian.org
Severity: normal

Dear RT,

camlp5, lablgtk2 and other packages have been waiting for migration to testing for a while. Their migration is essentially blocked by hol-light and botch which FTBFS at the moment. Here are hints to make things evolve (courtesy of comigrate):