Re: Bug#1037196: bullseye-pu: package dbus/1.12.28-0+deb11u1

[Cyril Brulebois]

Simon McVittie  (2023-06-07):
> Technically dbus has udebs, although as noted in the similar bookworm
> update request, they aren't directly useful for anything.

I only glanced at the discussion that happened a few hours/days ago on
IRC, but that seemed compelling. No objections from the d-i side.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant


signature.asc
Description: PGP signature

Bug#1037196: bullseye-pu: package dbus/1.12.28-0+deb11u1

[Simon McVittie]

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: d...@packages.debian.org, debian-boot@lists.debian.org
Control: affects -1 + src:dbus

[ Reason ]
Fix a local denial of service for which the security team does not intend
to do a DSA (dbus#457, #1037151; CVE assignment pending).

[ Impact ]
While a sysadmin is using `dbus-monitor --system` or similar tools,
an unprivileged local user can cause denial of service by crashing the
`dbus-daemon --system`.

The new upstream release also fixes some smaller bugs:
- fix a denial of service that wasn't relevant for the way Debian compiles
  dbus (it was only a problem when assertions are enabled)
- an autopkgtest regression on Ubuntu kernels
- wrong upstream bug reporting URLs
- a documentation typo

[ Tests ]
Build-time tests and autopkgtests pass. There is new test coverage for the
denial of service, which was able to reproduce the bug. I also smoke-tested
this on a GNOME virtual machine; I already upgraded my real-hardware
systems to bookworm, so I can't directly test this on hardware.

[ Risks ]
It's a key package, so any regressions would be highly visible.

Technically dbus has udebs, although as noted in the similar bookworm
update request, they aren't directly useful for anything.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [ ] the issue is verified as fixed in unstable
  - intentionally not done yet due to the full freeze, because dbus
has udebs

[ Changes ]
bus/connection.c: fix the denial of service, #1037151
dbus/dbus-connection{.c,-internal.h}: enablers for #1037151
dbus/dbus-string.c: fix a local denial of service if assertions are
enabled in the dbus-daemon, which in Debian they are not
doc/dbus-api-design.duck: fix a typo in some sample code, not functionally
significant
configure.ac, dbus/dbus-sysdeps-unix.c: update bug reporting URLs
AUTHORS, NEWS, configure.ac: release administrivia
test/data/dbus-installed-tests.aaprofile.in: make a test profile a little
more permissive to fix an autopkgtest regression on Ubuntu kernels
test/data/valid-config-files, test/monitor.c: reproducer for the denial
of service bug

smcv
debdiff *.dsc | filterdiff -p1 -xaminclude_static.am -xMakefile.in -x'*/Makefile.in' -xconfigure

diffstat for dbus-1.12.24 dbus-1.12.28

 AUTHORS |4 +
 Makefile.in |2 
 NEWS|   54 +++
 aminclude_static.am |2 
 build-aux/ltmain.sh |4 -
 bus/Makefile.in |2 
 bus/connection.c|   15 
 configure   |   36 +-
 configure.ac|6 -
 dbus/Makefile.in|2 
 dbus/dbus-connection-internal.h |2 
 dbus/dbus-connection.c  |   11 ++-
 dbus/dbus-string.c  |2 
 dbus/dbus-sysdeps-unix.c|2 
 debian/changelog|   13 +++
 doc/dbus-api-design.duck|4 -
 test/Makefile.in|2 
 test/data/dbus-installed-tests.aaprofile.in |4 +
 test/data/valid-config-files/forbidding.conf.in |3 
 test/monitor.c  |   84 +---
 20 files changed, 212 insertions(+), 42 deletions(-)

diff -Nru dbus-1.12.24/AUTHORS dbus-1.12.28/AUTHORS
--- dbus-1.12.24/AUTHORS	2022-10-05 11:04:10.0 +0100
+++ dbus-1.12.28/AUTHORS	2023-06-06 14:00:50.0 +0100
@@ -40,6 +40,7 @@
 Daniel P. Berrange 
 Daniel Reed 
 Dan Williams 
+Dave Jones 
 Dave Reisner 
 David King 
 David Zeuthen 
@@ -65,6 +66,7 @@
 Havoc Pennington 
 Havoc Pennington 
 Hendrik Buschmeier 
+hongjinghao 
 hyeric 
 ilovezfs 
 Ioan-Adrian Ratiu 
@@ -113,6 +115,7 @@
 Marc Brockschmidt 
 Marc Mutz 
 Marc Mutz 
+Marco Trevisan (Treviño) 
 Marcus Brinkmann 
 Mark Brand 
 Mark McLoughlin 
@@ -215,6 +218,7 @@
 Wulf C. Krueger 
 Xan Lopez 
 Yaakov Selkowitz 
+Yen-Chin, Lee 
 Yiyang Fei 
 Zack Rusin 
 Илья А. Ткаченко 
diff -Nru dbus-1.12.24/build-aux/ltmain.sh dbus-1.12.28/build-aux/ltmain.sh
--- dbus-1.12.24/build-aux/ltmain.sh	2022-10-05 11:04:51.0 +0100
+++ dbus-1.12.28/build-aux/ltmain.sh	2023-06-06 12:05:06.0 +0100
@@ -31,7 +31,7 @@
 
 PROGRAM=libtool
 PACKAGE=libtool
-VERSION="2.4.7 Debian-2.4.7-4"
+VERSION="2.4.7 Debian-2.4.7-5"
 package_revision=2.4.7
 
 
@@ -2308,7 +2308,7 @@
compiler:   $LTCC
compiler flags: $LTCFLAGS
linker: $LD (gnu? $with_gnu_ld)
-   version:$progname $scriptversi

Re: Bug#1037194: bookworm-pu: package dbus/1.14.8-1~deb12u1

[Cyril Brulebois]

Simon McVittie  (2023-06-07):
> Technically dbus has udebs, although as noted above they are not
> directly useful for anything.

I only glanced at the discussion that happened a few hours/days ago on
IRC, but that seemed compelling. No objections from the d-i side.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant


signature.asc
Description: PGP signature

Bug#1037194: bookworm-pu: package dbus/1.14.8-1~deb12u1

[Simon McVittie]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: d...@packages.debian.org, debian-boot@lists.debian.org
Control: affects -1 + src:dbus

[ Reason ]
Fix a local denial of service for which the security team does not intend
to do a DSA (dbus#457, #1037151; CVE assignment pending).

[ Impact ]
While a sysadmin is using `dbus-monitor --system` or similar tools,
an unprivileged local user can cause denial of service by crashing the
`dbus-daemon --system`.

The new upstream release also fixes some smaller bugs:
- minor memory leaks if malloc() returns NULL
- interop with non-Debian compilers
- a documentation typo

The packaging also makes dbus-daemon and dbus-bin correctly Multi-Arch:
foreign, like the larger dbus package already was, which is useful in
some cross-compiling scenarios (#1033056). I can revert this if you want,
but it seems like a low-risk and useful change to sneak into 12.1.

[ Tests ]
Build-time tests and autopkgtests pass. There is new test coverage for the
denial of service, which was able to reproduce the bug. I also smoke-tested
this on a GNOME virtual machine, and I'll be uploading to unstable to get
wider user testing as soon as the trixie cycle opens.

I avoided uploading to unstable right now because one of dbus' udebs
is included in the installer - although as far as I can see, it's only
an enabler for a feature that never happened (a11y in the graphical
installer), and isn't actually practically useful.

[ Risks ]
It's a key package, so any regressions would be highly visible.

Technically dbus has udebs, although as noted above they are not directly
useful for anything.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  - the debdiff is for what I'll upload to unstable, for bookworm
it'll get a new 1.14.8-1~deb12u1 changelog entry at the top
  [ ] the issue is verified as fixed in unstable
  - intentionally not done yet due to the full freeze

[ Changes ]
d/control: let dbus-bin:amd64 satisfy Depends: dbus-bin from a non-amd64
package, and the same for dbus-daemon, to help with cross-compiling
bus/connection.c: fix the denial of service, #1037151
dbus/dbus-connection{.c,-internal.h}: enablers for #1037151
dbus/dbus-internals.h: interop with non-gcc compilers
dbus/dbus-*-win.c: interop with non-gcc compilers, not compiled on Debian
dbus/dbus-message.c: fix minor memory leaks if out-of-memory
doc/dbus-api-design.duck: fix a typo in some sample code, not functionally
significant
AUTHORS, NEWS, configure.ac: release administrivia
test/data, test/monitor.c: reproducer for the denial of service bug

[ Other info ]
I'm the de facto upstream release manager for dbus, and I intend to keep
1.14.x suitable for Debian security updates and stable point releases
throughout the non-LTS lifetime of Debian 12, the same as I did for
older branches for the last few years.

After the packaging in unstable diverges from what's appropriate for
stable, I'll do the stable updates as 1.14.x-0+deb12u1, similar to how
we handled 1.12.x in buster and bullseye.

Please let me know if any of the changes are considered inappropriate.

smcv
debdiff *.dsc | filterdiff -p1 -xaminclude_static.am -xMakefile.in -x'*/Makefile.in' -xconfigure

diffstat for dbus-1.14.6 dbus-1.14.8

 AUTHORS |9 ++
 Makefile.in |2 
 NEWS|   29 
 aminclude_static.am |2 
 bus/Makefile.in |2 
 bus/connection.c|   15 
 cmake/DBus1ConfigVersion.cmake  |2 
 configure   |   26 +++
 configure.ac|4 -
 dbus/Makefile.in|2 
 dbus/dbus-connection-internal.h |2 
 dbus/dbus-connection.c  |   11 ++-
 dbus/dbus-internals.h   |2 
 dbus/dbus-message.c |   12 ++-
 dbus/dbus-spawn-win.c   |8 +-
 dbus/dbus-sysdeps-win.c |4 -
 debian/changelog|   14 
 debian/control  |2 
 doc/dbus-api-design.duck|4 -
 test/Makefile.in|2 
 test/data/valid-config-files/forbidding.conf.in |3 
 test/monitor.c  |   84 +---
 22 files changed, 197 insertions(+), 44 deletions(-)

diff -Nru dbus-1.14.6/AUTHORS dbus-1.14.8/AUTHORS
--- dbus-1.14.6/AUTHORS	2022-10-05 11:03:53.0 +0100
+++ dbus-1.14.8/AUTHORS	2023-06-06 14:00:36.0 +0100
@

debian-installer_20230607_source.changes ACCEPTED into unstable

[Debian FTP Masters]

Thank you for your contribution to Debian.



Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Wed, 07 Jun 2023 03:01:56 +0200
Source: debian-installer
Architecture: source
Version: 20230607
Distribution: unstable
Urgency: medium
Maintainer: Debian Install System Team 
Changed-By: Cyril Brulebois 
Changes:
 debian-installer (20230607) unstable; urgency=medium
 .
   * Release early, release often!
Checksums-Sha1:
 1e5aca38cb5c186bf887f391b962479ab45c4e1b 4015 debian-installer_20230607.dsc
 d49c17a120ba82e2bd6210e27ec6f375ab533059 1194268 
debian-installer_20230607.tar.xz
 87d9bc0af088d8fa82e88c9d8a43d3c79849e4a0 12695 
debian-installer_20230607_source.buildinfo
Checksums-Sha256:
 d2cfeee60e5179f85b7691f1b297b2bf78fdfa4d946cdb401e8324e63c295e06 4015 
debian-installer_20230607.dsc
 5d7a906971573ae37b6c69a3b24a4bc8855f3717581185439c0293a81e20f80f 1194268 
debian-installer_20230607.tar.xz
 8cfd7e5c322a902ef2a3bef974cebf4e9a1eeb9dbbd34724a11ac08511d76909 12695 
debian-installer_20230607_source.buildinfo
Files:
 24fbfcce15a5d16f8ec7083e508ce145 4015 devel optional 
debian-installer_20230607.dsc
 fbb4002043eaeb74945664a096ebabf5 1194268 devel optional 
debian-installer_20230607.tar.xz
 b3f7b8818ce31ec54cbe163d9fd83aeb 12695 devel optional 
debian-installer_20230607_source.buildinfo

-BEGIN PGP SIGNATURE-

iQJEBAEBCgAuFiEEtg6/KYRFPHDXTPR4/5FK8MKzVSAFAmSAapkQHGtpYmlAZGVi
aWFuLm9yZwAKCRD/kUrwwrNVIEZYD/9G1Ow41cEvSvTIhZji0TXbSGnt/qdywjrw
7s23ApGKT1SeglB2rFdJSTha8nFRxowLUZuj8ZBaHOfbFLgZyezDeDil7a9nfqxb
T3cHzPpulWIIhU8o1b+GQrGFXFRqg60illEBspg10yKKL8Gy6x8bwDD3IX1qPnlE
TdFFE+8POF7doyCAKsTiZFsRBx6dxzZlyKrxxDPdUEOu9JWVlFiNBwgsFVUV5biK
OKdyTYACee/P0TpL8M6hfdykHSMSrBXaKoX7/GKYvdtHrvxH77SEYpLZpOehrnGk
LTWuwhg213yzhTWO20CaaHXUhR+NTsMXibLH7DZ07OujQVKKP0RTKaCFd3nGm2df
Cdupohj89AWwQD40tBzL0Q6WSUqn+pQEfTQzafH6w1OQOQgJM8wh/Wo2RDf7rd34
Qyaw4CHKHuqQH8jYd7yxeJ4OpM8Poe4CNS3VtXm3Nl5SOgOSjlDrruT9nTQaOkIw
ZrV+qeQQdYOY6jiaJWG/C/KL/nlGXZoqWoKarSsIiyepCTpc/1w2BfvT4S+6RNom
sb93E9gruKlNxDUn4GxAeIQ5BKrPac3az0SN94owHn1EPp/Lxe1gbIZqiSKiGAUx
3G715wX3jYcJlymLXjsOXi+a46vJzapc0Fl1VLlgj2vVn4pTMX4+SIXDyr2ztc3L
KbY3/lPJQg==
=7DMe
-END PGP SIGNATURE-

Processing of debian-installer_20230607_source.changes

[Debian FTP Masters]

debian-installer_20230607_source.changes uploaded successfully to localhost
along with the files:
  debian-installer_20230607.dsc
  debian-installer_20230607.tar.xz
  debian-installer_20230607_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)

Bug#1037186: debian-installer: bookworm d-i graphics are not shown on Raptor system

[Cyril Brulebois]

Hi,

Hector Oron  (2023-06-07):
> El mié, 7 jun 2023, 13:03, Cyril Brulebois  escribió:
> 
> > Hector Oron  (2023-06-07):
> > > and Timonthy was able to test that. I could expand the change to ppc64
> > > (be) and cdrom targets and test that.
> > >
> > > Note, the ppc64el installer images are unusable with that change, at
> > > least on the Raptor systems
> >
> > I don't think you answered my question about fbdev.
> >
> 
> I defer to Timothy since I do not have a machine myself, but since Raptorcs
> is Debian partner I had assumed we - Debian - would like to ship a working
> product that works for them.

I'm happy to help. That just needs to happen *before* final preparations
have happened!


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant


signature.asc
Description: PGP signature

Bug#1037186: debian-installer: bookworm d-i graphics are not shown on Raptor system

[Hector Oron]

Hello

El mié, 7 jun 2023, 13:03, Cyril Brulebois  escribió:

> Hector Oron  (2023-06-07):
> > and Timonthy was able to test that. I could expand the change to ppc64
> > (be) and cdrom targets and test that.
> >
> > Note, the ppc64el installer images are unusable with that change, at
> > least on the Raptor systems
>
> I don't think you answered my question about fbdev.
>

I defer to Timothy since I do not have a machine myself, but since Raptorcs
is Debian partner I had assumed we - Debian - would like to ship a working
product that works for them.

Thanks for your support

>

Bug#1037186: debian-installer: bookworm d-i graphics are not shown on Raptor system

[Cyril Brulebois]

Hector Oron  (2023-06-07):
> and Timonthy was able to test that. I could expand the change to ppc64
> (be) and cdrom targets and test that.
> 
> Note, the ppc64el installer images are unusable with that change, at
> least on the Raptor systems

I don't think you answered my question about fbdev.

> and since the change only affects power package lists, I'd consider it
> as low impact/risk. I know we are close to a release, and it is very
> bad timing however if it can be merged, it'd be great, otherwise we'll
> have to wait until the first point release.

If you look at the work that's been going on during the last few
months on the -boot or -cd side, I think it's fair to say I have been
very accommodating, trying hard to satisfy as many reasonable requests
as possible, balancing those against possible risks. We've got some
extensive and appreciated leeway/flexibility, but at some point, I
have to draw a line.

That line was drawn a few hours ago.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant


signature.asc
Description: PGP signature

Bug#1037186: debian-installer: bookworm d-i graphics are not shown on Raptor system

[Hector Oron]

Hello,

  To be honest, I only updated ppc64el netboot image with the following patch:

--- a/build/pkg-lists/netboot/ppc64el.cfg
+++ b/build/pkg-lists/netboot/ppc64el.cfg
@@ -1,5 +1,6 @@
 input-modules-${kernel:Version}
 nic-modules-${kernel:Version}
+fb-modules-${kernel:Version} ?
 usb-modules-${kernel:Version}
 virtio-modules-${kernel:Version} ?

I built the installer posted at:
https://people.debian.org/~zumbi/netboot_ppc64el/

and Timonthy was able to test that. I could expand the change to ppc64
(be) and cdrom targets and test that.

Note, the ppc64el installer images are unusable with that change, at
least on the Raptor systems, and since the change only affects power
package lists, I'd consider it as low impact/risk. I know we are close
to a release, and it is very bad timing, however if it can be merged,
it'd be great, otherwise we'll have to wait until the first point
release.

Thanks for your support.

On Wed, 7 Jun 2023 at 12:29, Cyril Brulebois  wrote:
>
> Hi,
>
> Hector Oron Martinez  (2023-06-07):
> > We found latest installer for bookworm is missing ast DRM kernel
> > module, causing graphical failure on ppc64el Raptor machines. Could
> > you please consider the following change or similar for the
> > debian-installer bookworm release.
> >
> >   
> > https://salsa.debian.org/installer-team/debian-installer/-/merge_requests/34
>
> Thanks for the patch, but this is too late. We can consider that for
> unstable, and later on via a point release.
>
> I know for a fact we have fbdev in ppc64el builds, as we've suffered a
> regression there (#1033058, for which someone still needs to find a real
> fix on the kernel side, hint hint wink wink); isn't that generic driver
> sufficient to get some basic output?
>
> Also, I don't understand what's going on with the build/Makefile part:
>  1. This is a temporary workaround for 3 architectures that run into
> issues under UEFI/SB, which isn't quite relevant for ppc64el. (The
> idea was to avoid having to re-upload linux and linux-signed-* for
> just a few additions to the fb-modules udeb.)
>  2. If you look at the following commit, I suppose you'll get the very
> same impression as I have: this merge request is very likely to
> trigger a direct FTBFS on ppc64el.
>   
> https://salsa.debian.org/installer-team/debian-installer/-/commit/32e4d58c263fc5454067a7217ee7103cfb12bc1b
>
>
> Cheers,
> --
> Cyril Brulebois (k...@debian.org)
> D-I release manager -- Release team member -- Freelance Consultant



-- 
 Héctor Orón  -.. . -... .. .- -.   -.. . ...- . .-.. --- .--. . .-.

Bug#1037186: debian-installer: bookworm d-i graphics are not shown on Raptor system

[Cyril Brulebois]

Hi,

Hector Oron Martinez  (2023-06-07):
> We found latest installer for bookworm is missing ast DRM kernel
> module, causing graphical failure on ppc64el Raptor machines. Could
> you please consider the following change or similar for the
> debian-installer bookworm release.
> 
>   https://salsa.debian.org/installer-team/debian-installer/-/merge_requests/34

Thanks for the patch, but this is too late. We can consider that for
unstable, and later on via a point release.

I know for a fact we have fbdev in ppc64el builds, as we've suffered a
regression there (#1033058, for which someone still needs to find a real
fix on the kernel side, hint hint wink wink); isn't that generic driver
sufficient to get some basic output?

Also, I don't understand what's going on with the build/Makefile part:
 1. This is a temporary workaround for 3 architectures that run into
issues under UEFI/SB, which isn't quite relevant for ppc64el. (The
idea was to avoid having to re-upload linux and linux-signed-* for
just a few additions to the fb-modules udeb.)
 2. If you look at the following commit, I suppose you'll get the very
same impression as I have: this merge request is very likely to
trigger a direct FTBFS on ppc64el.
  
https://salsa.debian.org/installer-team/debian-installer/-/commit/32e4d58c263fc5454067a7217ee7103cfb12bc1b


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant


signature.asc
Description: PGP signature

Bug#1037186: debian-installer: bookworm d-i graphics are not shown on Raptor system

[Hector Oron Martinez]

Source: debian-installer
Version: 20230526
Severity: important
X-Debbugs-Cc: tpear...@raptorcs.com, zu...@debian.org

Hello,

We found latest installer for bookworm is missing ast DRM kernel module, 
causing graphical failure on ppc64el Raptor machines. Could you please consider 
the following change or similar for the debian-installer bookworm release.

  https://salsa.debian.org/installer-team/debian-installer/-/merge_requests/34

Regards

-- System Information:
Debian Release: 12.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-9-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_USER, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=ca_ES.UTF-8, LC_CTYPE=ca_ES.UTF-8 (charmap=UTF-8), 
LANGUAGE=ca_ES:ca
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled