Bug#988968: unblock: e17/0.24.2-6

2021-05-21 Thread Ross Vandegrift
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: rvandegr...@debian.org

Please unblock package e17

[ Reason ]

0.24.2-6 recommends libddcutil2, which has been replaced by libddcutil3.  

[ Impact ]

A non-existent package will be recommended.  Backlight controls for external
monitors won't work unless the user tries libddcutil3.

[ Tests ]

There are no automated tests.  I have used libddcutil3 without regression
since uploading the change.

[ Risks ]

Low risk - e17 only builds leaf packages and the change is trivial.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

unblock e17/0.24.2-7
diff -Nru e17-0.24.2/debian/changelog e17-0.24.2/debian/changelog
--- e17-0.24.2/debian/changelog 2021-01-01 14:29:49.0 -0800
+++ e17-0.24.2/debian/changelog 2021-05-02 22:02:56.0 -0700
@@ -1,3 +1,10 @@
+e17 (0.24.2-7) unstable; urgency=medium
+
+  * d/control: Recommend libddcutil3 instead of libddcutil2 which isn't in
+bullseye
+
+ -- Ross Vandegrift   Sun, 02 May 2021 22:02:56 -0700
+
 e17 (0.24.2-6) unstable; urgency=medium
 
   * Recommend libddcutil2 and update NEWS with backlight control info
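Review bot: the continuation line `+bullseye` sits at column 0 and the trailer `+ -- Ross Vandegrift   Sun, 02 May 2021 22:02:56 -0700` has no e-mail address between the name and the date; a changelog continuation line needs the four-space indent under its bullet and the trailer needs `Name <address>`, so unless this is only the bug archive stripping whitespace and addresses, dpkg-parsechangelog will not accept the entry. Worth confirming against the uploaded source before the unblock.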
diff -Nru e17-0.24.2/debian/control e17-0.24.2/debian/control
--- e17-0.24.2/debian/control   2021-01-01 14:07:17.0 -0800
+++ e17-0.24.2/debian/control   2021-05-02 21:57:47.0 -0700
@@ -51,7 +51,7 @@
  acpid,
  bc,
  bluez,
- libddcutil2,
+ libddcutil3,
  libevas-loaders,
  packagekit,
  terminology | x-terminal-emulator,
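Review bot: the Recommends swap from `libddcutil2` to `libddcutil3` matches the stated reason, but the 0.24.2-6 changelog entry above says NEWS was updated with backlight control info; if that d/NEWS text names libddcutil2, it should be corrected in the same upload, since users following it would otherwise be told to install a package that no longer exists in bullseye.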


Bug#988763: rxvt-unicode: Remote(?) code execution via ESC G Q

2021-05-21 Thread Paul Szabo
Dear Ryan,

I see 9.22-11 in sid (unstable), but in bullseye (testing) it is 9.22-10
still (and buster is unchanged at 9.22-6). Will 9.22-11 make it into
bullseye, will this (non?!-)security bug be fixed soon?

Thanks, Paul
-- 
Paul Szabo   p...@maths.usyd.edu.au   www.maths.usyd.edu.au/u/psz
School of Mathematics and Statistics   University of SydneyAustralia



Bug#988540: im-config: breaks the keyboard configuration

2021-05-21 Thread Osamu Aoki
Gunnar,

Thank you for the very accurate assessment of the situation.

On Tue, 2021-05-18 at 00:22 +0200, Gunnar Hjalmarsson wrote:
> On 2021-05-17 22:19, Vincent Lefevre wrote:
> > On 2021-05-17 21:11:16 +0200, Gunnar Hjalmarsson wrote:
> > > I think it's too much to ask from a simple Xsession plugin such as
> > > im-config that it should be responsible for preventing any kind of
> > > possible conflicts.
> > 
> > Then it should not be started by default. If it is so important,
> > desktop environments could depend on it and enable it on their side.
> 
> If you run "apt rdepends ibus" on a Debian system you see that basically 
> only input method packages depend on ibus. (gnome-shell recommends it, 
> which is a special case.) But the output is free of random applications 
> which depend on ibus.
> 
> Well, not in your case, since you installed zoom. I can't tell why they 
> made zoom depend on ibus, but I'm pretty sure it's a rare exception.

I can confirm this situation here too.  It didn't bother me since I was
using ibus.

At least, zoom should have used RECOMMENDS, and users should have avoided
installing ibus.

> So whatever you think about it, your case is special. ibus was installed 
> for you even if you didn't really ask for it, and since it pulled 
> im-config, ibus is configured and launched automatically by default. On 
> top of that you have an advanced keyboard configuration using an xkbcomp 
> call in ~/.xsession, and somehow those things don't play well together.

Yah

> The im-config behavior is based on the assumption that if you install an 
> input method framework such as ibus or fcitx, you want to use it. It's a 
> reasonable assumption and it makes it easier for input method users.
> 
> Actually im-config checks the XDG_CURRENT_DESKTOP environment variable, 
> and theoretically it wouldn't be very difficult to disable it by default 
> if that variable is unset/empty. But personally I would not like to see 
> such a change. The interest of input method users carries greater weight 
> IMO.
> 
> Maybe somebody comes up with a clever solution which makes everybody 
> happy. Short of such a solution and for now, please just disable or 
> remove im-config and move on.

Wayland-based applications can't use the XKB thing.  That's why
ibus now includes such XKB functionality, to support European languages
on Wayland. At the same time you need to configure ibus for such
special features.  Gnome Tweaks can do it.  So theoretically, using
dconf, you should be able to get the same effect even with ibus.  But
the best approach is not to install ibus if you want a pure classic X
based desktop.  If zoom depends on ibus and you can live without
ibus, create a fake ibus package with equivs.  This may be the cleanest
solution for a non-free package creating problems.



Bug#988832: unblock: libx11/2:1.7.1-1

2021-05-21 Thread Cyril Brulebois
Hi,

Paul Gevers  (2021-05-21):
> On 20-05-2021 10:26, Emilio Pozuelo Monfort wrote:
> > Please unblock package libx11
> 
> This needs also an ack from d-i, boot CC-ed.

Tests are looking good, feel free to go ahead.

> > The debdiff is a little large due to the autotools version the
> > tarball was generated with. I'm attaching a debdiff filtered with
> > 
> >   filterdiff -x '*/Makefile.in' -x '*.man' -x '*/aclocal.m4' -x 
> > '*/configure'
> > 
> > (the *.man changes are actual manpage syntax fixes, but make it
> > harder to review the actually important code fixes in this update,
> > so I filtered them).

Thanks for that.

> Funny how some copyrights go backward in time in this release.

Exactly my first reaction when I d'd your package. :)


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




Bug#975911: mariadb-client: appears to ignore ~/.editrc keybind settings

2021-05-21 Thread Trevor Cordes
I confirmed I was correct by making a small patch to libedit and
recompiling libedit and installing the custom rpm.  It indeed fixes
this bug, without any changes to mysql.  The bug is for sure in
libedit.  The bug is for sure the issetugid-related code.

My patch to libedit-20210419-3.1.tar.gz is attached.

Note: this patch is almost certainly a security hole as I don't address
the reason that setuid stuff is in there in the first place.  Consider
it a PoC and not something you should use unless you know what you are
doing.  I would expect the upstream to come up with a real fix shortly.


tecpatchlibedit
Description: Binary data


Bug#975911: mariadb-client: appears to ignore ~/.editrc keybind settings

2021-05-21 Thread Trevor Cordes
On Thu, 26 Nov 2020 12:50:26 -0500 The Wanderer 
wrote:
> On 2020-11-26 at 09:43, The Wanderer wrote:
> 
> > Package: mariadb-client
> > Version: 1:10.5.8-3
> > Severity: normal
> > 
> > Prior to the upgrade, in an interactive session within the 'mysql'
> > terminal-based client, Ctrl+W would kill everything to the left of
> > the cursor up to the first word boundary (which in practice
> > appeared to mean "whitespace"), but nothing to the left of that
> > point.
> > 
> > This is apparently not the default, but I have it configured in
> > ~/.editrc. The contents of that file are as follows:
>
> Either way, the fact that ~/.editrc does not seem to be being
> respected is still an issue, which may or may not reside in
> mariadb-client. This additional discovery may simply mean that it was
> being ignored previously as well, I just hadn't noticed.

Hi, this is also bugging me on Fedora 32.  Digging deep into the
library chain and source code, it almost certainly is a libedit issue.
Linux doesn't have issetugid(), and in src/el.c in libedit
(2019-something thru 20210419 versions) it clearly only reads editrc if
issetugid is available.

The upstream here is http://thrysoee.dk/editline/, and it has this
changelog:


2013-07-10 Jess Thrysoee

   * version-info: 0:46:0

   * configure.ac, src/el.c: ~/.editrc was never sourced on Linux.
     On Linux issetugid is not available. When unable to determine if
     the current process is tainted, we did not trust the HOME
     environment variable and therefore could not load ~/.editrc.
     Now instead use secure_getenv or a issetugid based
     implementation of secure_getenv. Patch by Paolo Tosco.


Which means at one time this was fixed.  That's why this used to work
for us.  But something must have regressed in the source, and the fix
code, which I think is the stuff dealing with the HAVE_SECURE_GETENV defines
near the top of el.c, doesn't actually help at all anymore.

A quick fix would be to fudge the source having to do with issetugid to
just not check the ifdef nor call the function.  Of course, that could
be a security hole if somehow it gets run in a setuid/gid context.

I have contacted the thrysoee.dk maintainer about getting this fixed in
his version, which will automatically trickle down to fix this for us
in deb & fedora.
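The trust decision Trevor describes, written out as an added example for this page (it is not code from libedit or from the thrysoee.dk patch): glibc's secure_getenv(3) returns NULL for every variable when the process was started set-user-ID, set-group-ID or with raised capabilities, a fact the kernel hands to the process as the AT_SECURE auxiliary-vector entry; the BSDs expose the same thing through issetugid(). Reading ~/.editrc only when HOME can be trusted is then a one-line policy on top of that. The helper names (`process_is_tainted`, `getenv_unless_tainted`, `safe_getenv`, `editrc_path`), the fixed `.editrc` suffix and the sample HOME value are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#if defined(__linux__)
#include <sys/auxv.h>   /* getauxval(AT_SECURE) */
#endif

/* Is this process running with privileges its invoker did not have?
 * On Linux the kernel sets AT_SECURE for set-uid/set-gid or
 * capability-raising executions; the BSDs answer the same question
 * with issetugid(). When tainted, the caller-controlled environment
 * (HOME included) must not steer which files we read. */
static bool process_is_tainted(void)
{
#if defined(__linux__)
    return getauxval(AT_SECURE) != 0;
#else
    return issetugid() != 0;
#endif
}

/* The policy, separated from the detection so both outcomes can be
 * exercised without actually running set-uid. */
static const char *getenv_unless_tainted(const char *name, bool tainted)
{
    return tainted ? NULL : getenv(name);
}

/* Portable stand-in for secure_getenv(3). */
static const char *safe_getenv(const char *name)
{
    return getenv_unless_tainted(name, process_is_tainted());
}

/* Build "$HOME/.editrc". Returns 0 on success and -1 when HOME must not
 * be trusted, is unset/empty, or does not fit the buffer; in all of those
 * cases the caller simply skips the rc file, which is the safe failure
 * mode the libedit changelog quoted above describes. */
static int editrc_path_for(bool tainted, char *out, size_t outsz)
{
    const char *home = getenv_unless_tainted("HOME", tainted);
    if (home == NULL || *home == '\0')
        return -1;
    int n = snprintf(out, outsz, "%s/.editrc", home);
    if (n < 0 || (size_t)n >= outsz)
        return -1;   /* truncated path: refuse rather than open the wrong file */
    return 0;
}

static int editrc_path(char *out, size_t outsz)
{
    return editrc_path_for(process_is_tainted(), out, outsz);
}

int main(void)
{
    char path[4096];
    const char *shell = safe_getenv("SHELL");   /* same rule for any variable */
    if (editrc_path(path, sizeof path) == 0)
        printf("would read %s (SHELL=%s)\n", path, shell ? shell : "untrusted");
    else
        printf("process tainted or HOME unusable: not reading ~/.editrc\n");
    return 0;
}
```

Run it normally and it prints the rc path; the same binary installed set-uid would take the other branch without any change to how HOME is looked up, which is exactly the behaviour the original Linux builds of libedit were missing.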



Bug#988174: (/usr/bin/qemu-aarch64-static: Segfaults sometimes on python3-minimal on arm64)

2021-05-21 Thread Bernhard Übelacker

Hello Diederik,
I am not involved in packaging, just trying to collect some information.



Architecture: amd64 (x86_64)


The subject of the email mentions "on arm64".
From the Architecture line I assume this should read "on amd64"?




[44932.698657] python3.9[313800]: segfault at 2524310 ip 005637c0 sp 7ffdeefd1098 error 4 in qemu-aarch64-static[401000+3e3000]
[44932.698664] Code: 00 e9 94 78 1c 00 0f 1f 40 00 64 83 2c 25 50 ff ff ff 01 74 05 c3 0f 1f 40 00 48 8d 3d e9 d0 7f 00 e9 e4 85 1c 00 0f 1f 40 00 <64> 8b 04 25 50 ff ff ff 85 c0 0f 9f c0 c3 66 90 48 83 ec 08 64 8b


The breaking instruction seems to be here:

0x5637c0: file ../../linux-user/mmap.c, line 43.

   0x005637c0 :   64 8b 04 25 50 ff ff ff    mov    %fs:0xff50,%eax


https://sources.debian.org/src/qemu/1:5.2+dfsg-10/linux-user/mmap.c/#L43

25 static __thread int mmap_lock_count;
...
41 bool have_mmap_lock(void)
42 {
43 return mmap_lock_count > 0 ? true : false;
44 }


I had hoped it would be clearer, but this is probably
related to the thread-local storage of mmap_lock_count.
Maybe systemd-coredump would collect a core of such a crash?


Kind regards,
Bernhard

From Diederik's second mail:
[44932.698657] python3.9[313800]: segfault at 2524310 ip 005637c0 sp 7ffdeefd1098 error 4 in qemu-aarch64-static[401000+3e3000]
[44932.698664] Code: 00 e9 94 78 1c 00 0f 1f 40 00 64 83 2c 25 50 ff ff ff 01 74 05 c3 0f 1f 40 00 48 8d 3d e9 d0 7f 00 e9 e4 85 1c 00 0f 1f 40 00 <64> 8b 04 25 50 ff ff ff 85 c0 0f 9f c0 c3 66 90 48 83 ec 08 64 8b

https://wiki.debian.org/InterpretingKernelOutputAtProcessCrash

error 4 == 0b0100:
bit 0 ==0: no page found
bit 1 ==0: read access
bit 2 ==1: user-mode access

echo -n "find /b ..., ..., 0x" && \
echo "00 e9 94 78 1c 00 0f 1f 40 00 64 83 2c 25 50 ff ff ff 01 74 05 c3 0f 1f 40 00 48 8d 3d e9 d0 7f 00 e9 e4 85 1c 00 0f 1f 40 00 <64> 8b 04 25 50 ff ff ff 85 c0 0f 9f c0 c3 66 90 48 83 ec 08 64 8b" \
 | sed 's/[<>]//g' | sed 's/ /, 0x/g'

find /b ..., ..., 0x00, 0xe9, 0x94, 0x78, 0x1c, 0x00, 0x0f, 0x1f, 0x40, 0x00, 
0x64, 0x83, 0x2c, 0x25, 0x50, 0xff, 0xff, 0xff, 0x01, 0x74, 0x05, 0xc3, 0x0f, 
0x1f, 0x40, 0x00, 0x48, 0x8d, 0x3d, 0xe9, 0xd0, 0x7f, 0x00, 0xe9, 0xe4, 0x85, 
0x1c, 0x00, 0x0f, 0x1f, 0x40, 0x00, 0x64, 0x8b, 0x04, 0x25, 0x50, 0xff, 0xff, 
0xff, 0x85, 0xc0, 0x0f, 0x9f, 0xc0, 0xc3, 0x66, 0x90, 0x48, 0x83, 0xec, 0x08, 
0x64, 0x8b


##


# Bullseye/testing amd64 qemu VM 2021-05-21

dpkg --add-architecture arm64
apt update
apt dist-upgrade

apt install gdb qemu-user-static-dbgsym

echo "set enable-bracketed-paste off" >> /etc/inputrc; bash


gdb -q
set width 0
set pagination off
file /usr/bin/qemu-aarch64-static
tb main
run

(gdb) info target
Symbols from "/usr/bin/qemu-aarch64-static".
Native process:
Using the running image of child Thread 0xd873c0 (LWP 975).
While running this, GDB does not access memory from...
Local exec file:
`/usr/bin/qemu-aarch64-static', file type elf64-x86-64.
Entry point: 0x403670
...
0x00401140 - 0x007e2872 is .text
...
(gdb) find /b 0x00401140, 0x007e2872, 0x00, 0xe9, 0x94, 0x78, 
0x1c, 0x00, 0x0f, 0x1f, 0x40, 0x00, 0x64, 0x83, 0x2c, 0x25, 0x50, 0xff, 0xff, 
0xff, 0x01, 0x74, 0x05, 0xc3, 0x0f, 0x1f, 0x40, 0x00, 0x48, 0x8d, 0x3d, 0xe9, 
0xd0, 0x7f, 0x00, 0xe9, 0xe4, 0x85, 0x1c, 0x00, 0x0f, 0x1f, 0x40, 0x00, 0x64, 
0x8b, 0x04, 0x25, 0x50, 0xff, 0xff, 0xff, 0x85, 0xc0, 0x0f, 0x9f, 0xc0, 0xc3, 
0x66, 0x90, 0x48, 0x83, 0xec, 0x08, 0x64, 0x8b
0x563796 
1 pattern found.

(gdb) b * (0x563796 + 42)
Breakpoint 2 at 0x5637c0: file ../../linux-user/mmap.c, line 43.

(gdb) info b
Num Type   Disp Enb AddressWhat
2   breakpoint keep y   0x005637c0 in have_mmap_lock at 
../../linux-user/mmap.c:43

(gdb) disassemble /r 0x563796, 0x563796 + 62
Dump of assembler code from 0x563796 to 0x5637d4:
   0x00563796 :   00 e9                   add    %ch,%cl
   0x00563798 :   94                      xchg   %eax,%esp
   0x00563799 :   78 1c                   js     0x5637b7
   0x0056379b :   00 0f                   add    %cl,(%rdi)
   0x0056379d:    1f                      (bad)
   0x0056379e:    40 00 64 83 2c          add    %spl,0x2c(%rbx,%rax,4)
   0x005637a3 :   25 50 ff ff ff          and    $0xff50,%eax
   0x005637a8 :   01 74 05 c3             add    %esi,-0x3d(%rbp,%rax,1)
   0x005637ac :   0f 1f 40 00             nopl   0x0(%rax)
   0x005637b0 :   48 8d 3d e9 d0 7f 00    lea    0x7fd0e9(%rip),%rdi        # 0xd608a0
   0x005637b7 :   e9 e4 85 1c 00          jmp    0x72bda0 <__pthread_mutex_unlock>
   0x005637bc:    0f 1f 40 00
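The decoding that the notes above do by hand (the meaning of `error 4`, and turning the kernel's `Code:` dump into a gdb `find /b` pattern whose `<..>` marker gives the offset of the faulting instruction inside the match), as an added example for this page; it is not code from the report or from qemu. The sample dump is the one quoted in the report; the function names and the `fault_flags_t`/`code_dump_t` types are this example's own.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The "Code:" bytes from the kernel segfault line quoted in the report. */
static const char KERNEL_CODE_DUMP[] =
    "00 e9 94 78 1c 00 0f 1f 40 00 64 83 2c 25 50 ff ff ff 01 74 05 c3 0f 1f "
    "40 00 48 8d 3d e9 d0 7f 00 e9 e4 85 1c 00 0f 1f 40 00 <64> 8b 04 25 50 ff ff ff "
    "85 c0 0f 9f c0 c3 66 90 48 83 ec 08 64 8b";

/* Meaning of the x86 page-fault error code printed as "error N". */
typedef struct {
    bool present;     /* bit 0: 1 = protection violation, 0 = page not present */
    bool write;       /* bit 1: 1 = write access, 0 = read access */
    bool user;        /* bit 2: 1 = user-mode access, 0 = kernel-mode */
    bool reserved;    /* bit 3: reserved bit set in a page-table entry */
    bool instr_fetch; /* bit 4: instruction fetch (NX) */
} fault_flags_t;

static fault_flags_t decode_fault_flags(unsigned long err)
{
    fault_flags_t f;
    f.present     = (err & 1) != 0;
    f.write       = (err & 2) != 0;
    f.user        = (err & 4) != 0;
    f.reserved    = (err & 8) != 0;
    f.instr_fetch = (err & 16) != 0;
    return f;
}

typedef struct {
    unsigned char bytes[128];
    size_t count;
    long fault_index;  /* index of the byte marked <..>, -1 if none */
} code_dump_t;

/* Parse "xx xx <xx> xx ..." into bytes, remembering which one carried the
 * <..> marker. Returns 0 on success, -1 on malformed input. */
static int parse_code_dump(const char *dump, code_dump_t *out)
{
    out->count = 0;
    out->fault_index = -1;
    for (const char *p = dump; *p != '\0'; ) {
        while (*p == ' ' || *p == '\n')
            p++;
        if (*p == '\0')
            break;
        bool marked = (*p == '<');
        if (marked)
            p++;
        if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1]))
            return -1;
        if (out->count >= sizeof out->bytes)
            return -1;
        char hex[3] = { p[0], p[1], '\0' };
        out->bytes[out->count] = (unsigned char)strtoul(hex, NULL, 16);
        p += 2;
        if (marked) {
            if (*p != '>')
                return -1;
            p++;
            out->fault_index = (long)out->count;
        }
        out->count++;
    }
    return 0;
}

/* Render the bytes as the gdb command "find /b START, END, 0x.., 0x.., ...".
 * Returns the length written, or -1 if buf is too small. */
static int format_gdb_find(const code_dump_t *d, const char *start, const char *end,
                           char *buf, size_t bufsz)
{
    int used = snprintf(buf, bufsz, "find /b %s, %s", start, end);
    if (used < 0 || (size_t)used >= bufsz)
        return -1;
    for (size_t i = 0; i < d->count; i++) {
        int w = snprintf(buf + used, bufsz - (size_t)used, ", 0x%02x", d->bytes[i]);
        if (w < 0 || (size_t)w >= bufsz - (size_t)used)
            return -1;
        used += w;
    }
    return used;
}

int main(void)
{
    fault_flags_t f = decode_fault_flags(4);   /* "error 4" from the report */
    printf("page %s, %s access, %s mode\n",
           f.present ? "protection violation" : "not present",
           f.write ? "write" : "read", f.user ? "user" : "kernel");

    code_dump_t d;
    char cmd[1024];
    if (parse_code_dump(KERNEL_CODE_DUMP, &d) != 0 ||
        format_gdb_find(&d, "0x00401140", "0x007e2872", cmd, sizeof cmd) < 0)
        return 1;
    printf("%s\n", cmd);
    /* gdb prints where the pattern starts; the faulting instruction is that
     * address plus the marker offset (42 here, hence "b * (0x563796 + 42)"). */
    printf("faulting instruction = match + %ld\n", d.fault_index);
    return 0;
}
```

The `.text` bounds passed to `format_gdb_find` are the ones `info target` printed in the session above; the marker offset is what lets the `b * (match + 42)` step be computed instead of counted by hand.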

Bug#988652: logrotate: kern.log,syslog and other files in /var/log not rotating

2021-05-21 Thread UN-pi

With the delaycompress option removed it is working a little bit better:

-rw-r-----  1 root     adm           0 Mai 22 00:00 kern.log
-rw-r-----  1 root     adm       17152 Mai 21 18:02 kern.log.1.gz
-rw-rw-r--  1 root     utmp     298368 Mai 22 02:29 lastlog
drwx------  2 root     root       4096 Mai 22 00:55 letsencrypt
drwxr-x---  2 www-data www-data   4096 Mai 21 05:31 lighttpd
-rw-r-----  1 root     adm           0 Okt 18  2020 mail.err
-rw-r-----  1 root     adm         867 Mai 22 01:00 mail.info
-rw-r-----  1 root     adm         462 Mai 21 17:54 mail.info.1.gz
-rw-r-----  1 root     adm         867 Mai 22 01:00 mail.log
-rw-r-----  1 root     adm         462 Mai 21 17:54 mail.log.1.gz
-rw-r-----  1 root     adm           0 Mai 22 00:00 mail.warn
-rw-r-----  1 root     adm         142 Mai 21 17:54 mail.warn.1.gz
-rw-r-----  1 root     adm         154 Mai 22 00:00 messages
-rw-r-----  1 root     adm       17462 Mai 21 21:09 messages.1.gz
drwxr-s---  2 mysql    adm        4096 Mai 22 00:00 mysql
-rw-r-----  1 root     www-data   1042 Mai 22 02:00 ncp.log
drwxr-xr-x  2 root     root       4096 Feb 20  2019 openvpn
-rw-r-----  1 root     adm       54483 Mai 22 02:28 openvpn.log
-rw-------  1 root     root        669 Mai 22 02:38 openvpn-status.log
-rw-r--r--  1 root     root       2516 Feb 15 07:22 pcas.txt
-rw-------  1 root     root        186 Mai 21 21:21 php7.3-fpm.log
drwxr-xr-x  2 pihole   pihole     4096 Jun 15  2020 pihole
-rw-r--r--  1 pihole   pihole        0 Mai 22 00:00 pihole-FTL.log
-rw-r--r--  1 pihole   pihole    11945 Mai 22 00:00 pihole-FTL.log.1
-rw-r--r--  1 pihole   pihole        0 Mai 22 00:00 pihole.log
-rw-r--r--  1 pihole   pihole     2156 Mai 22 00:00 pihole.log.1
-rw-r--r--  1 root     root       9908 Mai 16 03:11 pihole_updateGravity.log
-rw-r--r--  1 root     root      48265 Mai 15 18:34 popularity-contest
-rw-r--r--  1 root     root      16226 Mai 15 18:34 popularity-contest.new.gpg
drwx------  2 root     root       4096 Mai 27  2020 private
drwxr-s---  2 redis    adm        4096 Mai 21 05:31 redis
-rw-r-----  1 root     adm       23506 Mai 22 01:54 rng.log
drwxr-x---  3 root     adm        4096 Mai 18 05:47 samba
-rw-r-----  1 root     adm       16815 Mai 22 02:36 syslog
-rw-r-----  1 root     adm       51224 Mai 22 00:00 syslog.1.gz


syslog is starting with:

May 22 00:00:02 debian64 rsyslogd:  [origin software="rsyslogd" swVersion="8.1901.0" x-pid="6765" x-info="https://www.rsyslog.com"] rsyslogd was HUPed

May 22 00:00:02 debian64 systemd[1]: logrotate.service: Succeeded.
May 22 00:00:02 debian64 systemd[1]: Started Rotate log files.
May 22 00:00:02 debian64 systemd[1]: man-db.service: Succeeded.
May 22 00:00:02 debian64 systemd[1]: Started Daily man-db regeneration.
May 22 00:01:01 debian64 CRON[10633]: (root) CMD (/root/checkipv6.sh > /dev/null 2>&1)
May 22 00:02:01 debian64 CRON[10647]: (root) CMD (/root/checkwebmin.sh > /dev/null 2>&1)
May 22 00:05:01 debian64 CRON[10671]: (www-data) CMD (php -f /var/www/nextcloud/cron.php)


Notice: the man-db regeneration succeeded BEFORE starting.

I noticed that there are NEW log entries in the OLD syslog.1.gz file
which belong to the new day.


May 21 23:59:01 debian64 CRON[10390]: (daemon) CMD (test -x /usr/bin/debsecan && /usr/bin/debsecan --cron)

May 22 00:00:01 debian64 systemd[1]: Starting Daily man-db regeneration...
May 22 00:00:01 debian64 systemd[1]: Starting Rotate log files...
May 22 00:00:01 debian64 systemd[1]: Reloading The Apache HTTP Server.
May 22 00:00:01 debian64 systemd[1]: Reloaded The Apache HTTP Server.
May 22 00:00:01 debian64 CRON[10559]: (root) CMD ( PATH="$PATH:/usr/sbin:/usr/local/bin/" pihole flush once quiet)
May 22 00:00:01 debian64 CRON[10564]: (root) CMD ( PATH="$PATH:/usr/sbin:/usr/local/bin/" pihole updatechecker local)
May 22 00:00:01 debian64 CRON[10565]: (www-data) CMD (php -f /var/www/nextcloud/cron.php)
May 22 00:00:01 debian64 CRON[10567]: (root) CMD (/root/checkfritzreboot.sh > /dev/null 2>&1)
May 22 00:00:01 debian64 CRON[10568]: (root) CMD (/root/check6tunnel.sh > /dev/null 2>&1)






Bug#988763: rxvt-unicode: Remote(?) code execution via ESC G Q

2021-05-21 Thread Ryan Kavanagh
On Sat, May 22, 2021 at 10:54:40AM +1000, Paul Szabo wrote:
> I see 9.22-11 in sid (unstable), but in bullseye (testing) it is 9.22-10
> still (and buster is unchanged at 9.22-6). Will 9.22-11 make it into
> bullseye, will this (non?!-)security bug be fixed soon?

They need to be manually unblocked by the release team:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988925 (testing)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988962 (buster)

This should happen soon.

Best,
Ryan




Bug#988964: please demote diffoscope to Recommends

2021-05-21 Thread Vagrant Cascadian
On 2021-05-21, Vagrant Cascadian wrote:
> On 2021-05-21, John Scott wrote:
>> On my system, reprotest has the following Depends/Recommends:
>> Depends: diffoscope (>= 112~), python3-distro, python3-rstr, python3:any, 
>> python3-debian, apt-utils, libdpkg-perl, procps, python3-pkg-resources
>> Recommends: disorderfs, faketime, locales-all, sudo
>>
>> Reprotest should really recommend Diffoscope so that users who only want
>> to check if packages are reproducible don't need to install it;
>> this is what the --no-diffoscope argument is for.
>>
>> I would send a Merge Request, but I frankly can't figure out where this
>> comes from. The applicable section in debian/control says
>> Depends: ${python3:Depends},
>>  python3-debian,
>>  apt-utils,
>>  libdpkg-perl,
>>  procps,
>>  python3-pkg-resources,
>>  python3-rstr,
>>  ${misc:Depends}
>> Recommends:
>>  diffoscope (>= 112~),
>>  disorderfs,
>>  faketime,
>>  locales-all,
>>  sudo,
>>
>> so my only guess is that Diffoscope gets pulled into
>> ${python3:Depends}?
>
> Yes, just confirmed that it gets added through python3:Depends.
>
> So, I presume it will require mangling python3:Depends, or adjusting the
> code to convince the pybuild/dh_python/etc that it doesn't belong there.

diffoscope is in install_requires, removing it gets it out of
python3:Depends, but may have other unintended consequences:

diff --git a/setup.py b/setup.py
index 72c2c00..d04d554 100644
--- a/setup.py
+++ b/setup.py
@@ -20,7 +20,6 @@ setup(name='reprotest',
   ],
   },
   install_requires=[
-  'diffoscope',
   'rstr',
   'distro',
   ],
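Review bot: dropping `'diffoscope'` from `install_requires` also removes it from the wheel/sdist metadata, so a plain `pip install reprotest` stops pulling diffoscope in, which goes beyond the Debian Recommends demotion asked for in this bug. If the intent is only to make it optional, keep it declared as an extra, e.g. `extras_require={'diffoscope': ['diffoscope']}`, so `pip install reprotest[diffoscope]` still works, and then check what dh_python3 derives from that extra in the generated ${python3:Depends}.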


live well,
  vagrant




Bug#988964: please demote diffoscope to Recommends

2021-05-21 Thread Vagrant Cascadian
On 2021-05-21, John Scott wrote:
> On my system, reprotest has the following Depends/Recommends:
> Depends: diffoscope (>= 112~), python3-distro, python3-rstr, python3:any, 
> python3-debian, apt-utils, libdpkg-perl, procps, python3-pkg-resources
> Recommends: disorderfs, faketime, locales-all, sudo
>
> Reprotest should really recommend Diffoscope so that users who only want
> to check if packages are reproducible don't need to install it;
> this is what the --no-diffoscope argument is for.
>
> I would send a Merge Request, but I frankly can't figure out where this
> comes from. The applicable section in debian/control says
> Depends: ${python3:Depends},
>  python3-debian,
>  apt-utils,
>  libdpkg-perl,
>  procps,
>  python3-pkg-resources,
>  python3-rstr,
>  ${misc:Depends}
> Recommends:
>  diffoscope (>= 112~),
>  disorderfs,
>  faketime,
>  locales-all,
>  sudo,
>
> so my only guess is that Diffoscope gets pulled into
> ${python3:Depends}?

Yes, just confirmed that it gets added through python3:Depends.

So, I presume it will require mangling python3:Depends, or adjusting the
code to convince the pybuild/dh_python/etc that it doesn't belong there.

live well,
  vagrant




Bug#943425: [klibc] #943425 [s390x] setjmp/longjmp do not save/restore all registers in use

2021-05-21 Thread Thorsten Glaser
Hello Ben,

any chance to upload at least the patch for s390x?
This affects a release architecture, so I'd NMU this if
necessary, so we have it fixed in bullseye.

Thanks,
//mirabilos
-- 
  “Having a smoking section in a restaurant is like having
  a peeing section in a swimming pool.”
-- Edward Burr



Bug#988967: unblock: mercurial/5.6.1-3

2021-05-21 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: Tristan Seligmann , Julien Cristau 


Please unblock package mercurial

mercurial (5.6.1-3) unstable; urgency=medium

  * Team upload.

  [ Helmut Grohne ]
  * Annotate test dependencies  (closes: #980337).

  [ Stefano Rivera ]
  * python-3.9.2.patch: Use "&" instead of ";" as query string separator
in test-archive.t to fix FTBFS with Python 3.9.2, which changed its
urllib.parse.parse_qsl() behavior to only accept "&" as a separator by
default. (closes: #986514)

 -- Stefano Rivera   Fri, 21 May 2021 12:06:47 -0400

[ Reason ]
Fixes FTBFS with Python 3.9.2+. See #986514

[ Impact ]
FTBFS + autopkgtest failure.

[ Tests ]
It's a test change (and marking dependencies)

[ Risks ]
Patch is from upstream, and Ubuntu has carried it for a month, without
issue.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock mercurial/5.6.1-3
diff -Nru mercurial-5.6.1/debian/changelog mercurial-5.6.1/debian/changelog
--- mercurial-5.6.1/debian/changelog2021-02-01 12:47:09.0 -0400
+++ mercurial-5.6.1/debian/changelog2021-05-21 12:06:47.0 -0400
@@ -1,3 +1,18 @@
+mercurial (5.6.1-3) unstable; urgency=medium
+
+  * Team upload.
+
+  [ Helmut Grohne ]
+  * Annotate test dependencies  (closes: #980337).
+
+  [ Stefano Rivera ]
+  * python-3.9.2.patch: Use "&" instead of ";" as query string separator
+in test-archive.t to fix FTBFS with Python 3.9.2, which changed its
+urllib.parse.parse_qsl() behavior to only accept "&" as a separator by
+default. (closes: #986514)
+
+ -- Stefano Rivera   Fri, 21 May 2021 12:06:47 -0400
+
 mercurial (5.6.1-2) unstable; urgency=medium
 
   * tests: make test-subrepo-git.t compatible with git's master->main
diff -Nru mercurial-5.6.1/debian/control mercurial-5.6.1/debian/control
--- mercurial-5.6.1/debian/control  2021-02-01 12:39:12.0 -0400
+++ mercurial-5.6.1/debian/control  2021-05-21 12:06:47.0 -0400
@@ -10,14 +10,14 @@
  debhelper-compat (= 13),
  dh-python,
  gettext,
- netbase,
- patchutils (>= 0.2.25),
+ netbase ,
+ patchutils (>= 0.2.25) ,
  python3-all-dev,
  python3-docutils,
  python3-roman,
- rename,
- unzip,
- zip,
+ rename ,
+ unzip ,
+ zip ,
  less ,
 Standards-Version: 4.5.0
 Homepage: https://www.mercurial-scm.org/
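Review bot: the added lines read `+ netbase ,`, `+ patchutils (>= 0.2.25) ,`, `+ rename ,` and so on with nothing between the package name and the comma, so the build-profile restriction that the "Annotate test dependencies" changelog entry refers to (presumably the same one as on the existing ` less ,` context line) is not visible here. That is consistent with the bug archive eating angle brackets rather than with an empty annotation, but it should be verified in the actual d/control, since `netbase ,` without a restriction would make this hunk a no-op.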
diff -Nru mercurial-5.6.1/debian/patches/python-3.9.2.patch 
mercurial-5.6.1/debian/patches/python-3.9.2.patch
--- mercurial-5.6.1/debian/patches/python-3.9.2.patch   1969-12-31 
20:00:00.0 -0400
+++ mercurial-5.6.1/debian/patches/python-3.9.2.patch   2021-05-21 
12:06:47.0 -0400
@@ -0,0 +1,34 @@
+From: Martin von Zweigbergk 
+Date: Fri, 21 May 2021 12:03:33 -0400
+Subject: tests: make test-archive.t pass on py3.9 (issue6504)
+
+Something got stricter at parsing URL query parameters and now the
+parameters need to be separated by "&"; ";" is no longer allowed. See
+issue6504 for details.
+
+Differential Revision: https://phab.mercurial-scm.org/D10472
+
+Origin: upstream, https://www.mercurial-scm.org/repo/hg/rev/dc8976cc3a6e
+Bug-Debian: https://bugs.debian.org/986514
+Bug-upstream: https://bz.mercurial-scm.org/show_bug.cgi?id=6504
+---
+ tests/test-archive.t | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/test-archive.t b/tests/test-archive.t
+index 606c9e2..384a04a 100644
+--- a/tests/test-archive.t
 b/tests/test-archive.t
+@@ -334,10 +334,10 @@ invalid arch type should give 404
+   > pass
+   > if len(sys.argv) <= 3:
+   > node, archive = sys.argv[1:]
+-  > requeststr = 'cmd=archive;node=%s;type=%s' % (node, archive)
++  > requeststr = 'cmd=archive=%s=%s' % (node, archive)
+   > else:
+   > node, archive, file = sys.argv[1:]
+-  > requeststr = 'cmd=archive;node=%s;type=%s;file=%s' % (node, archive, 
file)
++  > requeststr = 'cmd=archive=%s=%s=%s' % (node, archive, 
file)
+   > try:
+   > stdout = sys.stdout.buffer
+   > except AttributeError:
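Review bot: as rendered, the replacement line reads `requeststr = 'cmd=archive=%s=%s' % (node, archive)`, which has lost the `node=` and `type=` keys entirely; the patch description says only the separator changed from `;` to `&`, so the expected text is `cmd=archive&node=%s&type=%s` (and `...&file=%s` in the three-argument line). The nested file header likewise shows as ` b/tests/test-archive.t` without its `+++`. Both are consistent with the archive mangling `&` and `+`, but the patch in the upload should be checked against upstream rev dc8976cc3a6e before accepting, since the text as shown would make test-archive.t send requests with no parameter names at all.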
diff -Nru mercurial-5.6.1/debian/patches/series 
mercurial-5.6.1/debian/patches/series
--- mercurial-5.6.1/debian/patches/series   2021-02-01 12:46:24.0 
-0400
+++ mercurial-5.6.1/debian/patches/series   2021-05-21 12:06:47.0 
-0400
@@ -4,3 +4,4 @@
 deb_specific__optional-dependencies
 deb_specific__disable_libdir_replacement.patch
 0005-Tolerate-SIGINT-getting-the-kill-in-test-stdio.py.patch
+python-3.9.2.patch


Bug#988966: /boot/vmlinuz-5.10.0-6-armmp-lpae: lamobo-r1 ethernet/bridge failure

2021-05-21 Thread Vagrant Cascadian
Package: src:linux
Version: 5.10.28-1
Severity: normal
File: /boot/vmlinuz-5.10.0-6-armmp-lpae
X-Debbugs-Cc: vagr...@debian.org
Control: block 986767 by -1

The ethernet bridge fails to work on 5.10.x (also tried 5.10.38-1),
but works fine on 4.19.x from buster. (This was also reported in
https://bugs.debian.org/986767)

I noticed these messages when booting up:

[6.254047] bcm53xx stmmac-0:1e: failed to register switch: -517
[6.339663] bcm53xx stmmac-0:1e: failed to register switch: -517



-- Package-specific info:
** Kernel log: boot messages should be attached

** Model information
Hardware: Allwinner sun7i (A20) Family
Revision: 
Device Tree model: Lamobo R1

** Network interface configuration:
*** /etc/network/interfaces:

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

allow-hotplug eth0
iface eth0 inet dhcp

** PCI devices:

** USB devices:
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub


-- System Information:
Debian Release: 11.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'stable-updates'), (500, 
'testing'), (500, 'stable'), (1, 'experimental'), (1, 'unstable')
Architecture: armhf (armv7l)

Kernel: Linux 5.10.0-7-armmp-lpae (SMP w/2 CPU threads)
Kernel taint flags: TAINT_CRAP, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages linux-image-5.10.0-6-armmp-lpae depends on:
ii  initramfs-tools [linux-initramfs-tool]  0.140
ii  kmod28-1
ii  linux-base  4.6

Versions of packages linux-image-5.10.0-6-armmp-lpae recommends:
ii  apparmor 2.13.6-10
ii  firmware-linux-free  20200122-1

Versions of packages linux-image-5.10.0-6-armmp-lpae suggests:
pn  debian-kernel-handbook  
pn  linux-doc-5.10  

Versions of packages linux-image-5.10.0-6-armmp-lpae is related to:
pn  firmware-amd-graphics 
pn  firmware-atheros  
pn  firmware-bnx2 
pn  firmware-bnx2x
pn  firmware-brcm80211
pn  firmware-cavium   
pn  firmware-intel-sound  
pn  firmware-intelwimax   
pn  firmware-ipw2x00  
pn  firmware-ivtv 
pn  firmware-iwlwifi  
pn  firmware-libertas 
pn  firmware-linux-nonfree
pn  firmware-misc-nonfree 
pn  firmware-myricom  
pn  firmware-netxen   
pn  firmware-qlogic   
pn  firmware-realtek  
pn  firmware-samsung  
pn  firmware-siano
pn  firmware-ti-connectivity  
pn  xen-hypervisor

-- no debconf information



Bug#988965: llvm-toolchain-12: llvm 12 generates bad human-readable IR output on mipsel

2021-05-21 Thread Ximin Luo
Source: llvm-toolchain-12
Version: 1:12.0.0-3
Severity: important
X-Debbugs-Cc: debian-m...@lists.debian.org, debian-r...@lists.debian.org

Dear Maintainer,

LLVM 12's ability to emit IR in human-readable form is corrupted on mipsel 
32-bit:

$ cat main.c 
#include <string.h>

int main() {
  char *a = NULL;
  char *b = NULL;
  memcpy(a, b, 0);
}
$ clang-12 -S -emit-llvm main.c
$ grep 00G8 main.ll
  call void @llvm.memcpy.00G8.00G8.G32(i8* align 1 %3, i8* align 1 %4, i32 0, i1 false)
declare void @llvm.memcpy.00G8.00G8.G32(i8* noalias nocapture writeonly, i8* noalias nocapture readonly, i32, i1 immarg) #1

00G8 is not correct, it should be p0i8 and suggests miscompilation somewhere as
the source code of the function does not contain these characters:

https://github.com/llvm/llvm-project/blob/5b6cae5524905bc43cfc21a515f828528d1f2e68/llvm/lib/IR/Function.cpp#L777

This additionally makes some rustc tests fail.

LLVM 11 is fine.

I filed a Debian bug for now because I could not find any other LLVM 12 mipsel
binaries to test with online; neither upstream nor Fedora distribute these.
Please do forward upstream if you are confident this is not a Debian-specific
issue.

X

-- System Information:
Debian Release: 11.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-security'), (500, 'testing-debug'), (500, 'stable'), (300, 
'unstable'), (100, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.9.0-4-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#988964: please demote diffoscope to Recommends

2021-05-21 Thread John Scott
Package: reprotest
Version: 0.7.16
Severity: minor

On my system, reprotest has the following Depends/Recommends:
Depends: diffoscope (>= 112~), python3-distro, python3-rstr, python3:any, 
python3-debian, apt-utils, libdpkg-perl, procps, python3-pkg-resources
Recommends: disorderfs, faketime, locales-all, sudo

Reprotest should really recommend Diffoscope so that users who only want
to check if packages are reproducible don't need to install it;
this is what the --no-diffoscope argument is for.

I would send a Merge Request, but I frankly can't figure out where this
comes from. The applicable section in debian/control says
Depends: ${python3:Depends},
 python3-debian,
 apt-utils,
 libdpkg-perl,
 procps,
 python3-pkg-resources,
 python3-rstr,
 ${misc:Depends}
Recommends:
 diffoscope (>= 112~),
 disorderfs,
 faketime,
 locales-all,
 sudo,

so my only guess is that Diffoscope gets pulled into
${python3:Depends}?

-- System Information:
Debian Release: 11.0
  APT prefers testing
  APT policy: (500, 'testing'), (2, 'unstable'), (1, 'testing-debug'),
(1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-6-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_USER, TAINT_WARN, TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages reprotest depends on:
ii  apt-utils  2.2.3
ii  diffoscope 172
ii  libdpkg-perl   1.20.9
ii  procps 2:3.3.17-5
ii  python3    3.9.2-3
ii  python3-debian 0.1.39
ii  python3-distro 1.5.0-1
ii  python3-pkg-resources  52.0.0-3
ii  python3-rstr   2.2.6-2

Versions of packages reprotest recommends:
ii  disorderfs   0.5.11-1
ii  faketime 0.9.8-9
ii  locales-all  2.31-12
ii  sudo 1.9.5p2-3

Versions of packages reprotest suggests:
ii  autodep8 0.24
pn  qemu-system  
ii  qemu-utils   1:5.2+dfsg-10
pn  schroot  

-- no debconf information





Bug#892842: OpenJDK 8 archive re-entry

2021-05-21 Thread Thorsten Glaser
On Mon, 26 Apr 2021, Thorsten Glaser wrote:

>I assume the normal
> process of looking at it and eventually getting back to us will run
> now.

So far, nothing happened, and repeated inquiries got no response at all.

Just keeping the list informed.

bye,
//mirabilos
-- 
Infrastructure expert • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
Telephone +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Managing directors: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg



Bug#987816: dask.distributed: FTBFS due to a build-time test failure

2021-05-21 Thread Stefano Rivera
Control: tag -1 + unreproducible
Control: forwarded -1 https://github.com/dask/distributed/issues/4839

Hi Andrej (2021.04.30_05:27:41_-0400)
> While rebuilding your package for Apertis, I found that it fails to
> build because a few of the build-time tests fail. I rebuilt the package
> in Debian and received the same result.

> ________________ test_process_time ________________
> ________________ test_thread_time _________________

I tried to reproduce this, twice, and these tests passed, no FTBFS.

The particular numbers in those tests look like they were pulled out of
thin air.

I do however see test failures in the autopkgtest, which are somewhat
flaky.

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272



Bug#968390: Hope you're keeping safe

2021-05-21 Thread Abdulkader Abdi

Salaam,

Almana Financial Broker, is the home of discerning investors. We offer
independent financial advice and assist our clients to make sound investment
decisions from the array of investment opportunities available. We are
structured to render personalized services to our clients thereby ensuring
safety of capital, adequate returns on investments.

Our investors are ready to provide funding for your business expansion as
Debt/Equity finance. If you require funding, we would be able to partner
with you.

We look forward to your response, thanks and stay safe,

Abdulkader Abdi, CFA
Almana Financial Broker
Dubai, United Arab Emirates



Bug#988963: upgrade-reports: upgrade process requires a second "apt full-upgrade"

2021-05-21 Thread Vagrant Cascadian
Package: upgrade-reports
Severity: normal
X-Debbugs-Cc: vagr...@debian.org

On numerous systems I have upgraded recently, the process of:

  apt upgrade --without-new-pkgs
  apt full-upgrade

Results in at least one package (guile-2.2-libs, zile, sometimes others)
in an un-upgraded state.

Running a second "apt full-upgrade" seems to take care of the issue.

Maybe upgrading apt in-between "apt upgrade --without-new-pkgs" and "apt
full-upgrade" would resolve the issue?


live well,
  vagrant




Bug#988962: buster-pu: package rxvt-unicode/9.22-6+deb10u1

2021-05-21 Thread Ryan Kavanagh
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: r...@debian.org

[ Reason ]

Disables the ESC G Q escape sequence, which could cause the command '0'
to be executed. This addresses:

https://security-tracker.debian.org/tracker/CVE-2021-33477

[ Tests ]

None. Manually confirmed (against unstable) that the patch works.

[ Risks ]

Trivial fix cherry-picked from upstream VCS. Original commit from 2019.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

* Add patch to disable ESC G Q
* Set the git branch to debian/buster

[ Other info ]

Cf. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988925

-- 
|)|/  Ryan Kavanagh  | GPG: 4E46 9519 ED67 7734 268F
|\|\  https://rak.ac |  BD95 8F7B F8FC 4A11 C97A
diff --git c/debian/changelog w/debian/changelog
index 4604560..fd7fd58 100644
--- c/debian/changelog
+++ w/debian/changelog
@@ -1,3 +1,11 @@
+rxvt-unicode (9.22-6+deb10u1) buster; urgency=medium
+
+  * Disable ESC G Q escape sequence, 20_disable_escape_sequence.diff
+(Closes: #988763, CVE-2021-33477)
+  * Set git branch to debian/buster
+
+ -- Ryan Kavanagh   Fri, 21 May 2021 17:18:00 -0400
+
 rxvt-unicode (9.22-6) unstable; urgency=medium
 
   * Revert the 24bit colour patch. Though no issues seem to arise when using
diff --git c/debian/control w/debian/control
index 4690df26..c2e9549 100644
--- c/debian/control
+++ w/debian/control
@@ -19,7 +19,7 @@ Build-Depends: debhelper (>= 11),
 Rules-Requires-Root: binary-targets
 Standards-Version: 4.3.0
 Homepage: http://software.schmorp.de/pkg/rxvt-unicode.html
-Vcs-Git: https://salsa.debian.org/debian/rxvt-unicode.git -b debian/sid
+Vcs-Git: https://salsa.debian.org/debian/rxvt-unicode.git -b debian/buster
 Vcs-Browser: https://salsa.debian.org/debian/rxvt-unicode
 
 Package: rxvt-unicode
diff --git c/debian/gbp.conf w/debian/gbp.conf
index ae1dc36..6717c9a 100644
--- c/debian/gbp.conf
+++ w/debian/gbp.conf
@@ -1,6 +1,6 @@
 [DEFAULT]
 upstream-branch = upstream
-debian-branch = master
+debian-branch = debian/buster
 upstream-tag = upstream/%(version)s
 debian-tag = debian/%(version)s
 pristine-tar = True
diff --git c/debian/patches/20_disable_escape_sequence.diff 
w/debian/patches/20_disable_escape_sequence.diff
new file mode 100644
index 000..12245f2
--- /dev/null
+++ w/debian/patches/20_disable_escape_sequence.diff
@@ -0,0 +1,25 @@
+Description: disable ESC G Q escape sequence
+Origin: http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.584=1.585
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988763
+Last-Update: 2021-05-21
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: rxvt-unicode/src/command.C
+===
+--- rxvt-unicode.orig/src/command.C2019-02-07 15:12:08.0 -0500
 rxvt-unicode/src/command.C 2021-05-21 10:45:22.522127101 -0400
+@@ -2722,12 +2722,14 @@
+ }
+ break;
+ 
++#if 0 // disabled because embedded newlines can make exploits easier
+ /* kidnapped escape sequence: Should be 8.3.48 */
+   case C1_ESA:/* ESC G */
+ // used by original rxvt for rob nations own graphics mode
+ if (cmd_getc () == 'Q')
+   tt_printf ("\033G0\012");   /* query graphics - no graphics */
+ break;
++#endif
+ 
+ /* 8.3.63: CHARACTER TABULATION SET */
+   case C1_HTS:/* ESC H */
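Review bot: the DEP-3 Origin URL in the new patch header reads `?r1=1.584=1.585`, which looks like a ViewVC diff link that lost its `&r2` in transit; since it is the only pointer to the 2019 upstream commit, fix it to a form that actually resolves (presumably `command.C?r1=1.584&r2=1.585`, but verify). The embedded patch's `+++` file-header line also arrived here as ` rxvt-unicode/src/command.C 2021-05-21 ...` with its leading pluses stripped, so the debdiff as pasted does not apply; reviewers should fetch the upload rather than this copy. On the fix itself: the disabled branch answered ESC G Q with `"\033G0\012"`, and it is the trailing newline in a terminal-generated reply that turns a query response into a complete input line for whatever is reading the tty; removing the response entirely, as upstream did, is the conservative choice and leaves no reply text that would need sanitising.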
diff --git c/debian/patches/series w/debian/patches/series
index 03471d7..8a2f59f 100644
--- c/debian/patches/series
+++ w/debian/patches/series
@@ -9,3 +9,4 @@
 16_no_terminfo.diff
 17_unsafe_man.diff
 18_expand_urxvt-tabbed.1.diff
+20_disable_escape_sequence.diff



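An added example, not code from rxvt-unicode or from this request: a sanitizer for untrusted text that is about to be written to a terminal (log viewers, displaying downloaded files), which drops rxvt's private ESC G Q query along with the standard ECMA-48 sequence classes, plus a detection helper for spotting that query in captured output. The regexes are my own conservative approximation of ECMA-48 structure, not the terminal's parser.

```python
"""Strip control sequences from untrusted text before it reaches a terminal.

The CVE-2021-33477 request above fixes the terminal side (no reply to ESC G Q).
The complementary defence on the producing side is to never pass raw control
sequences from untrusted sources through to the terminal at all.
"""
import re

# rxvt-unicode's private two-byte query from the patch: ESC G followed by 'Q'.
# Handled first, because ECMA-48 alone treats ESC G as complete and would leave the Q.
_RXVT_GQ = re.compile(r"\x1bGQ")
# Control strings OSC ] DCS P SOS X PM ^ APC _ (7-bit ESC form or 8-bit C1 byte),
# terminated by ST (ESC \ or 0x9c) or, as OSC commonly is, by BEL.
_STRING = re.compile(r"(?:\x1b[\]PX^_]|[\x9d\x90\x98\x9e\x9f]).*?(?:\x1b\\|\x9c|\x07)", re.DOTALL)
# CSI: ESC [ or 0x9b, parameter bytes, intermediate bytes, one final byte.
_CSI = re.compile(r"(?:\x1b\[|\x9b)[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]")
# nF sequences (ESC, one or more 0x20-0x2f, final 0x30-0x7e), e.g. charset selection.
_NF = re.compile(r"\x1b[\x20-\x2f]+[\x30-\x7e]")
# Remaining single-byte ESC Fe/Fs/Fp sequences, which include ESC G (C1_ESA).
_SINGLE = re.compile(r"\x1b[\x30-\x7e]")
# Whatever control characters are left: C0 except TAB and LF, DEL, and the C1 range.
_CTRL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]")


def strip_terminal_controls(text: str) -> str:
    """Return text with every escape sequence and control character removed, keeping TAB and LF."""
    for pattern in (_RXVT_GQ, _STRING, _CSI, _NF, _SINGLE):
        text = pattern.sub("", text)
    text = text.replace("\x1b", "")  # truncated or unrecognised sequences: drop the lone ESC
    return _CTRL.sub("", text)


def find_query_sequences(text: str) -> list:
    """Detection side: offsets at which the ESC G Q query occurs in a captured stream."""
    return [m.start() for m in _RXVT_GQ.finditer(text)]


if __name__ == "__main__":
    # Constructed sample: a log line carrying the query the patch disables plus colour codes.
    sample = "2021-05-21 fetch ok\x1bGQ\n\x1b[31mERROR\x1b[0m disk full\n"
    print("ESC G Q at offsets:", find_query_sequences(sample))
    print(strip_terminal_controls(sample), end="")
```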

Bug#988961: unblock: python-libnacl/1.7.2-3

2021-05-21 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: Colin Watson 

Please unblock package python-libnacl

python-libnacl (1.7.2-3) unstable; urgency=medium

  * Team upload.
  * Patch: Fix crypto_kdf_derive_from_key() on 32-bit platforms.
(Closes: #988102)

 -- Stefano Rivera   Fri, 21 May 2021 16:35:48 -0400

[ Reason ]
Fixes a crash on 32bit platforms.

[ Impact ]
libnacl's KDF is broken on 32bit platforms.

[ Tests ]
The test suite covers the affected code. Test-built (running the test
suite) on i386 and armhf.

[ Risks ]
Trivial change.

Patch is carried by Gentoo, too.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock python-libnacl/1.7.2-3
diff -Nru python-libnacl-1.7.2/debian/changelog 
python-libnacl-1.7.2/debian/changelog
--- python-libnacl-1.7.2/debian/changelog   2020-11-14 08:40:57.0 
-0400
+++ python-libnacl-1.7.2/debian/changelog   2021-05-21 16:35:48.0 
-0400
@@ -1,3 +1,11 @@
+python-libnacl (1.7.2-3) unstable; urgency=medium
+
+  * Team upload.
+  * Patch: Fix crypto_kdf_derive_from_key() on 32-bit platforms.
+(Closes: #988102)
+
+ -- Stefano Rivera   Fri, 21 May 2021 16:35:48 -0400
+
 python-libnacl (1.7.2-2) unstable; urgency=medium
 
   * Add Breaks: python3-duniterpy (<< 0.60.1) (see #974655).
diff -Nru python-libnacl-1.7.2/debian/.gitignore 
python-libnacl-1.7.2/debian/.gitignore
--- python-libnacl-1.7.2/debian/.gitignore  2020-11-14 08:40:57.0 
-0400
+++ python-libnacl-1.7.2/debian/.gitignore  1969-12-31 20:00:00.0 
-0400
@@ -1,6 +0,0 @@
-*.debhelper*
-*.substvars
-debhelper-build-stamp
-files
-python-libnacl
-python3-libnacl
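Review bot: the deletion of debian/.gitignore is not mentioned in the 1.7.2-3 changelog entry or in the unblock text, which only describe the KDF patch; freeze reviewers compare the debdiff against the stated changes, so add a changelog line (or a sentence in the request) noting that the stale packaging .gitignore was dropped.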
diff -Nru python-libnacl-1.7.2/debian/patches/32bit-kdf.patch 
python-libnacl-1.7.2/debian/patches/32bit-kdf.patch
--- python-libnacl-1.7.2/debian/patches/32bit-kdf.patch 1969-12-31 
20:00:00.0 -0400
+++ python-libnacl-1.7.2/debian/patches/32bit-kdf.patch 2021-05-21 
16:35:48.0 -0400
@@ -0,0 +1,24 @@
+From: =?utf-8?b?TWljaGHFgiBHw7Nybnk=?= 
+Date: Fri, 21 May 2021 16:25:27 -0400
+Subject: Fix crypto_kdf_derive_from_key() on 32-bit platforms
+
+Bug-Upstream: https://github.com/saltstack/libnacl/issues/126
+Bug-Debian: https://bugs.debian.org/988102
+Forwarded: https://github.com/saltstack/libnacl/pull/130
+---
+ libnacl/__init__.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libnacl/__init__.py b/libnacl/__init__.py
+index 98a53d9..f799b23 100644
+--- a/libnacl/__init__.py
 b/libnacl/__init__.py
+@@ -1195,7 +1195,7 @@ def crypto_kdf_derive_from_key(subkey_size, subkey_id, 
context, master_key):
+ """
+ size = int(subkey_size)
+ buf = ctypes.create_string_buffer(size)
+-nacl.crypto_kdf_derive_from_key(buf, subkey_size, subkey_id, context, 
master_key)
++nacl.crypto_kdf_derive_from_key(buf, subkey_size, 
ctypes.c_ulonglong(subkey_id), context, master_key)
+ return buf.raw
+ 
+ 
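Review bot: the one-line change is the right fix for the crash, but consider making it through `argtypes` rather than at the call site. Without `argtypes`, ctypes passes a bare Python int as the platform's C `int`, so the 64-bit `subkey_id` is masked to 32 bits and, on the 32-bit ABIs this bug is about, the following arguments (`context`, `master_key`) are read from the wrong positions; wrapping in `ctypes.c_ulonglong` corrects that. Declaring `nacl.crypto_kdf_derive_from_key.argtypes` once would also cover `subkey_size`, which is still passed as a bare int for a parameter libsodium declares as `size_t`. Separately, the `+++ b/libnacl/__init__.py` header line arrived in this mail as ` b/libnacl/__init__.py` (pluses stripped), so verify against the uploaded debdiff rather than this copy.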
diff -Nru python-libnacl-1.7.2/debian/patches/series 
python-libnacl-1.7.2/debian/patches/series
--- python-libnacl-1.7.2/debian/patches/series  1969-12-31 20:00:00.0 
-0400
+++ python-libnacl-1.7.2/debian/patches/series  2021-05-21 16:35:48.0 
-0400
@@ -0,0 +1 @@
+32bit-kdf.patch


Bug#988960: unblock: eclipse-titan/7.2.0-1.1

2021-05-21 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: Gergely Pilisi 

Please unblock package eclipse-titan

eclipse-titan (7.2.0-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Re-instate the --no-parallel option, fixing FTBFS on multi-core machines.
(Closes: #987646)

 -- Stefano Rivera   Fri, 21 May 2021 14:58:09 -0400

[ Reason ]
Fixes FTBFS.

[ Impact ]
Expecting auto-removal, if not granted.

[ Tests ]
FTBFS without this change, for me. Doesn't with it.

[ Risks ]
Nothing significant.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock eclipse-titan/7.2.0-1.1
diff -Nru eclipse-titan-7.2.0/debian/changelog 
eclipse-titan-7.2.0/debian/changelog
--- eclipse-titan-7.2.0/debian/changelog2021-02-16 05:25:17.0 
-0400
+++ eclipse-titan-7.2.0/debian/changelog2021-05-21 14:58:09.0 
-0400
@@ -1,3 +1,11 @@
+eclipse-titan (7.2.0-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Re-instate the --no-parallel option, fixing FTBFS on multi-core machines.
+(Closes: #987646)
+
+ -- Stefano Rivera   Fri, 21 May 2021 14:58:09 -0400
+
 eclipse-titan (7.2.0-1) unstable; urgency=medium
 
   * New release.
diff -Nru eclipse-titan-7.2.0/debian/rules eclipse-titan-7.2.0/debian/rules
--- eclipse-titan-7.2.0/debian/rules2021-02-16 05:20:17.0 -0400
+++ eclipse-titan-7.2.0/debian/rules2021-05-21 14:48:25.0 -0400
@@ -3,7 +3,7 @@
 export DEB_BUILD_MAINT_OPTIONS=hardening=+all
 
 %:
-   dh $@ --verbose
+   dh $@ --verbose --no-parallel
 
 override_dh_shlibdeps:
dh_shlibdeps -l$(CURDIR)/Install/lib
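Review bot: since the changelog says the option is being re-instated, the `--no-parallel` in `dh $@ --verbose --no-parallel` deserves a comment in d/rules stating why it is there (the build is not parallel-safe, #987646); otherwise the next cleanup is likely to drop it again exactly as happened here.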


Bug#988871: fpart: broken symlink: /usr/share/doc/fpart/README -> README.md

2021-05-21 Thread Ganael Laplanche

Hello Andreas,


> during a test with piuparts I noticed your package ships (or creates)
> a broken symlink.
>
> From the attached log (scroll to the bottom...):
>
> 0m39.1s ERROR: FAIL: Broken symlinks:
>   /usr/share/doc/fpart/README -> README.md (fpart)


Thanks a lot for your report!

Debian is currently frozen so I'll include a fix with the next package
update (see also #988346).


Best regards,

--
Ganael Laplanche



Bug#988959: unblock: python-schedutils/0.6-2.1

2021-05-21 Thread Andreas Beckmann
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package python-schedutils

Clean up obsolete alternatives on upgrades from buster.

unblock python-schedutils/0.6-2.1
diff -Nru python-schedutils-0.6/debian/changelog 
python-schedutils-0.6/debian/changelog
--- python-schedutils-0.6/debian/changelog  2019-07-29 19:30:20.0 
+0200
+++ python-schedutils-0.6/debian/changelog  2021-05-04 11:13:44.0 
+0200
@@ -1,3 +1,10 @@
+python-schedutils (0.6-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Clean up obsolete alternatives on upgrades.  (Closes: #986813)
+
+ -- Andreas Beckmann   Tue, 04 May 2021 11:13:44 +0200
+
 python-schedutils (0.6-2) unstable; urgency=medium
 
   [ Ondřej Nový ]
diff -Nru python-schedutils-0.6/debian/python3-schedutils.preinst 
python-schedutils-0.6/debian/python3-schedutils.preinst
--- python-schedutils-0.6/debian/python3-schedutils.preinst 1970-01-01 
01:00:00.0 +0100
+++ python-schedutils-0.6/debian/python3-schedutils.preinst 2021-05-04 
11:13:22.0 +0200
@@ -0,0 +1,9 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = "upgrade" ] && dpkg --compare-versions "$2" lt-nl "0.6-2.0" ; then
+   update-alternatives --remove pchrt /usr/bin/pchrt3
+   update-alternatives --remove ptaskset /usr/bin/ptaskset3
+fi
+
+#DEBHELPER#
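Review bot: the preinst only runs the cleanup for `$1 = upgrade`. `$2` is also set for `install` when the package was removed but not purged, and the ukui-session-manager preinst in this same batch handles both cases; unless the buster prerm already removes these alternatives on remove, handle `install` here too. The guard compares against `0.6-2.0` while the fixed version is 0.6-2.1, which works (any buster or earlier version triggers the removal) but is worth a one-line comment so it is not "corrected" later.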


Bug#988958: unblock: python-linux-procfs/0.6.3-1.1

2021-05-21 Thread Andreas Beckmann
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package python-linux-procfs

Remove obsolete alternatives on upgrades from buster.

unblock python-linux-procfs/0.6.3-1.1
diff -Nru python-linux-procfs-0.6.3/debian/changelog 
python-linux-procfs-0.6.3/debian/changelog
--- python-linux-procfs-0.6.3/debian/changelog  2021-01-20 14:38:46.0 
+0100
+++ python-linux-procfs-0.6.3/debian/changelog  2021-05-04 11:26:36.0 
+0200
@@ -1,3 +1,10 @@
+python-linux-procfs (0.6.3-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Remove obsolete alternatives on upgrades.  (Closes: #986812)
+
+ -- Andreas Beckmann   Tue, 04 May 2021 11:26:36 +0200
+
 python-linux-procfs (0.6.3-1) unstable; urgency=medium
 
   [ Ondřej Nový ]
@@ -36,7 +43,7 @@
 
   [ Stewart Ferguson ]
   * Removing python2 binary package
-  * Replacing pflags3 with pflags and removing upodate-alternatives
+  * Replacing pflags3 with pflags and removing update-alternatives
 + Breaks python-linux-procfs
   * Removing unused .gitignore ignore rule
   * Removing superfluous copyright block for COPYING file
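Review bot: this second hunk rewrites the already-released 0.6.3-1 changelog entry (fixing `upodate-alternatives`) rather than the new one. It is harmless, but it is an unrelated change in a freeze debdiff and is not listed in the 0.6.3-1.1 entry; either drop it or mention it in the request.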
diff -Nru python-linux-procfs-0.6.3/debian/python3-linux-procfs.preinst 
python-linux-procfs-0.6.3/debian/python3-linux-procfs.preinst
--- python-linux-procfs-0.6.3/debian/python3-linux-procfs.preinst   
1970-01-01 01:00:00.0 +0100
+++ python-linux-procfs-0.6.3/debian/python3-linux-procfs.preinst   
2021-05-04 11:25:08.0 +0200
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = "upgrade" ] && dpkg --compare-versions "$2" lt-nl "0.6.3-1.0" ; 
then
+  update-alternatives --remove pflags /usr/bin/pflags3
+fi
+
+#DEBHELPER#


Bug#988957: unblock: pydantic/1.7.4-1

2021-05-21 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: Michael Banck 

Please unblock package pydantic

pydantic (1.7.4-1) unstable; urgency=medium

  * Team upload.
  * New upstream point release.
- Fixes CVE-2021-29510: Date and datetime parsing could cause an infinite
  loop by passing either 'infinity' or float('inf') (Closes: #988480)
  * Update watch file to version 4 with current uscan(1) recommended regex.

 -- Stefano Rivera   Fri, 21 May 2021 16:05:17 -0400

[ Reason ]
New upstream point release, with (only) a security fix (DoS).

[ Impact ]
Without this patch, pydantic can be DoSed with "infinity" as a
timestamp.

[ Tests ]
Upstream unit test suite runs during the package build.
There are unit tests for the changes in this release.

[ Risks ]
Upstream maintains support branches, and provided this point release. So
we're not relying on any untested patches.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock pydantic/1.7.4-1
diff -Nru pydantic-1.7.3/debian/changelog pydantic-1.7.4/debian/changelog
--- pydantic-1.7.3/debian/changelog 2021-01-08 03:31:43.0 -0400
+++ pydantic-1.7.4/debian/changelog 2021-05-21 16:05:17.0 -0400
@@ -1,3 +1,13 @@
+pydantic (1.7.4-1) unstable; urgency=medium
+
+  * Team upload.
+  * New upstream point release.
+- Fixes CVE-2021-29510: Date and datetime parsing could cause an infinite
+  loop by passing either 'infinity' or float('inf') (Closes: #988480)
+  * Update watch file to version 4 with current uscan(1) recommended regex.
+
+ -- Stefano Rivera   Fri, 21 May 2021 16:05:17 -0400
+
 pydantic (1.7.3-1) unstable; urgency=medium
 
   [ Sandro Tosi ]
diff -Nru pydantic-1.7.3/debian/watch pydantic-1.7.4/debian/watch
--- pydantic-1.7.3/debian/watch 2021-01-08 03:31:43.0 -0400
+++ pydantic-1.7.4/debian/watch 2021-05-21 16:05:17.0 -0400
@@ -1,2 +1,4 @@
-version=3
-https://github.com/samuelcolvin/pydantic/releases .*/archive/v([\d.]+)\.tar\.gz
+version=4
+opts="filenamemangle=s%(?:.*?)?v?(\d[\d.]*)\.tar\.gz%@PACKAGE@-$1.tar.gz%" \
+https://github.com/samuelcolvin/pydantic/releases \
+(?:.*?/)?v?(\d[\d.]*)\.tar\.gz
diff -Nru pydantic-1.7.3/.github/workflows/ci.yml 
pydantic-1.7.4/.github/workflows/ci.yml
--- pydantic-1.7.3/.github/workflows/ci.yml 2020-11-30 19:33:24.0 
-0400
+++ pydantic-1.7.4/.github/workflows/ci.yml 2021-05-11 15:04:58.0 
-0400
@@ -80,20 +80,20 @@
 COMPILED: yes
 DEPS: yes
 
-- name: uninstall deps
-  run: pip uninstall -y cython email-validator typing-extensions devtools 
python-dotenv
-
-- name: test compiled without deps
-  run: make test
-
-- run: coverage xml
-- uses: codecov/codecov-action@v1.0.14
-  with:
-file: ./coverage.xml
-env_vars: COMPILED,DEPS,PYTHON,OS
-  env:
-COMPILED: yes
-DEPS: no
+#- name: uninstall deps
+#  run: pip uninstall -y cython email-validator typing-extensions devtools 
python-dotenv
+#
+#- name: test compiled without deps
+#  run: make test
+#
+#- run: coverage xml
+#- uses: codecov/codecov-action@v1.0.14
+#  with:
+#file: ./coverage.xml
+#env_vars: COMPILED,DEPS,PYTHON,OS
+#  env:
+#COMPILED: yes
+#DEPS: no
 
 - name: remove compiled binaries
   run: |
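Review bot: this hunk, like the HISTORY.md and datetime_parse.py hunks after it, is upstream's 1.7.3 to 1.7.4 delta rather than Debian packaging; commenting out the "test compiled without deps" job is CI-only and changes nothing that is shipped. The request text mentions only the security fix, so it would help reviewers to state that the debdiff includes the full upstream tarball diff and that the only functional source change is in pydantic/datetime_parse.py.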
@@ -159,11 +159,12 @@
   with:
 python-version: '3.7'
 
-- name: install
-  run: make install-testing
-
-- name: test
-  run: make test-fastapi
+- run: echo "skip fastapi for now"
+#- name: install
+#  run: make install-testing
+#
+#- name: test
+#  run: make test-fastapi
 
   benchmark:
 name: run benchmarks
diff -Nru pydantic-1.7.3/HISTORY.md pydantic-1.7.4/HISTORY.md
--- pydantic-1.7.3/HISTORY.md   2020-11-30 19:33:24.0 -0400
+++ pydantic-1.7.4/HISTORY.md   2021-05-11 15:04:58.0 -0400
@@ -1,3 +1,9 @@
+## v1.7.4 (2021-05-11)
+
+* **Security fix:** Fix `date` and `datetime` parsing so passing either 
`'infinity'` or `float('inf')` 
+  (or their negative values) does not cause an infinite loop,
+  See security advisory 
[CVE-2021-29510](https://github.com/samuelcolvin/pydantic/security/advisories/GHSA-5jqp-qgf6-3pvh)
+
 ## v1.7.3 (2020-11-30)
 
 Thank you to pydantic's sponsors:
diff -Nru pydantic-1.7.3/pydantic/datetime_parse.py 
pydantic-1.7.4/pydantic/datetime_parse.py
--- pydantic-1.7.3/pydantic/datetime_parse.py   2020-11-30 19:33:24.0 
-0400
+++ pydantic-1.7.4/pydantic/datetime_parse.py   2021-05-11 15:04:58.0 
-0400
@@ -58,6 +58,8 @@
 # if greater than this, the number is in ms, if less than or equal it's in 
seconds
 # (in seconds this is 11th October 2603, in ms it's 20th August 1970)
 MS_WATERSHED = int(2e10)
+# slightly more than datetime.max in ns - 
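
An added example, my own code rather than pydantic's or the package's: a Unix-timestamp parser of the kind the advisory concerns, keeping the MS_WATERSHED seconds-versus-milliseconds heuristic visible in the hunk above (the constant is taken from there) but rejecting non-finite input before any normalising loop, so `'infinity'` and `float('inf')` fail fast instead of hanging the process.

```python
import math
from datetime import datetime, timedelta, timezone
from typing import Union

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Same watershed as the hunk above: a magnitude above this is implausible as
# seconds (it would be past the year 2603), so it is read as milliseconds and,
# after further divisions, as microseconds or nanoseconds.
MS_WATERSHED = int(2e10)
MAX_DIVISIONS = 3  # s -> ms -> us -> ns; the loop is bounded by this, not by the value


def parse_unix_timestamp(value: Union[int, float, str]) -> datetime:
    """Convert a Unix timestamp in s, ms, us or ns to an aware UTC datetime.

    Non-finite and out-of-range inputs raise ValueError immediately.  Note that
    float('infinity') and float('1e400') both return inf without raising, so a
    plain string field is enough to reach this path.
    """
    if isinstance(value, bool):  # bool is an int subclass; never a timestamp
        raise TypeError("bool is not a timestamp")
    if isinstance(value, str):
        try:
            number: Union[int, float] = float(value.strip())
        except ValueError as exc:
            raise ValueError(f"not a numeric timestamp: {value!r}") from exc
    elif isinstance(value, (int, float)):
        number = value
    else:
        raise TypeError(f"unsupported timestamp type {type(value).__name__}")

    # inf, -inf and nan survive every division unchanged, so any loop of the form
    # "divide by 1000 until small enough" never terminates on them.  Reject first.
    if isinstance(number, float) and not math.isfinite(number):
        raise ValueError("timestamp must be finite")

    divisions = 0
    while abs(number) > MS_WATERSHED and divisions < MAX_DIVISIONS:
        number /= 1000
        divisions += 1
    if abs(number) > MS_WATERSHED:
        raise ValueError("timestamp out of range even when read as nanoseconds")

    # |number| <= 2e10 seconds here (roughly 1336 AD to 2603 AD), well inside
    # what timedelta and datetime represent, so the addition cannot overflow.
    return EPOCH + timedelta(seconds=number)


def is_rejected(value) -> bool:
    """True if parse_unix_timestamp refuses value with ValueError or TypeError."""
    try:
        parse_unix_timestamp(value)
    except (ValueError, TypeError):
        return True
    return False
```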

Bug#988956: unblock: ukui-session-manager/3.0.2-1.1

2021-05-21 Thread Andreas Beckmann
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package ukui-session-manager

Clean up obsolete alternatives on upgrades from buster.

unblock ukui-session-manager/3.0.2-1.1
diff -Nru ukui-session-manager-3.0.2/debian/changelog 
ukui-session-manager-3.0.2/debian/changelog
--- ukui-session-manager-3.0.2/debian/changelog 2020-09-27 09:17:37.0 
+0200
+++ ukui-session-manager-3.0.2/debian/changelog 2021-05-04 10:14:20.0 
+0200
@@ -1,3 +1,11 @@
+ukui-session-manager (3.0.2-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Clean up obsolete x-session-manager alternative on upgrades from buster.
+(Closes: #986819)
+
+ -- Andreas Beckmann   Tue, 04 May 2021 10:14:20 +0200
+
 ukui-session-manager (3.0.2-1) unstable; urgency=medium
 
   * New upstream bugfix release.
diff -Nru ukui-session-manager-3.0.2/debian/ukui-session-manager.preinst 
ukui-session-manager-3.0.2/debian/ukui-session-manager.preinst
--- ukui-session-manager-3.0.2/debian/ukui-session-manager.preinst  
1970-01-01 01:00:00.0 +0100
+++ ukui-session-manager-3.0.2/debian/ukui-session-manager.preinst  
2021-05-04 10:14:20.0 +0200
@@ -0,0 +1,10 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = "install" ] || [ "$1" = "upgrade" ] ; then
+   if dpkg --compare-versions "$2" lt-nl "3.0.2-1.0" ; then
+   update-alternatives --remove x-session-manager 
/usr/bin/ukui-session
+   fi
+fi
+
+#DEBHELPER#
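
Review bot: the threshold `lt-nl "3.0.2-1.0"` is chosen so that every earlier revision, 3.0.2-1 included, compares as older while this NMU does not, but nothing in the script says so; a one-line comment above the `if` would stop the next maintainer from "correcting" it to `3.0.2-1` (which would skip the clean-up for that revision). The `lt-nl` operator also makes the `install` branch a no-op on a fresh install, where `$2` is empty, which is the intended behaviour; it still fires on a re-install after remove-without-purge, where `$2` is the old version.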


Bug#988955: unblock: waitress/1.4.4-1.1

2021-05-21 Thread Andreas Beckmann
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package waitress

Fix removal of obsolete alternatives on upgrades from buster.

unblock waitress/1.4.4-1.1
diff -Nru waitress-1.4.4/debian/changelog waitress-1.4.4/debian/changelog
--- waitress-1.4.4/debian/changelog 2021-01-09 10:16:20.0 +0100
+++ waitress-1.4.4/debian/changelog 2021-04-20 20:58:53.0 +0200
@@ -1,3 +1,10 @@
+waitress (1.4.4-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix cleanup of the waitress-serve alternative.  (Closes: #984630)
+
+ -- Andreas Beckmann   Tue, 20 Apr 2021 20:58:53 +0200
+
 waitress (1.4.4-1) unstable; urgency=medium
 
   [ Andrej Shadura ]
diff -Nru waitress-1.4.4/debian/python3-waitress.preinst 
waitress-1.4.4/debian/python3-waitress.preinst
--- waitress-1.4.4/debian/python3-waitress.preinst  2021-01-09 
10:16:20.0 +0100
+++ waitress-1.4.4/debian/python3-waitress.preinst  2021-04-20 
20:58:53.0 +0200
@@ -2,7 +2,7 @@
 
 set -e
 
-if [ "$1" = "configure" ]
+if [ "$1" = "upgrade" ]
 then
 if update-alternatives --list waitress-serve >/dev/null 2>&1
 then
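
Review bot: `preinst` is never invoked with `configure` (that is a `postinst` argument), so the old condition was dead code and the clean-up never ran; the switch to `upgrade` is what makes it execute at all. Consider also matching `install` when `$2` is non-empty (re-install after remove-without-purge), as the ukui-session-manager preinst in this same digest does with `"$1" = "install" || "$1" = "upgrade"`, and adding a `dpkg --compare-versions` guard so the `--list` probe does not run on every future upgrade.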


Bug#988954: unblock: adios/1.13.1-28.2

2021-05-21 Thread Andreas Beckmann
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package adios

Remove obsolete alternatives on upgrades from buster.

unblock adios/1.13.1-28.2
diff -Nru adios-1.13.1/debian/changelog adios-1.13.1/debian/changelog
--- adios-1.13.1/debian/changelog   2021-03-06 17:35:45.0 +0100
+++ adios-1.13.1/debian/changelog   2021-05-10 10:49:08.0 +0200
@@ -1,3 +1,17 @@
+adios (1.13.1-28.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Ignore 'update-alternatives --remove-all' failures.
+
+ -- Andreas Beckmann   Mon, 10 May 2021 10:49:08 +0200
+
+adios (1.13.1-28.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Clean up obsolete alternatives on upgrade.  (Closes: #986811)
+
+ -- Andreas Beckmann   Tue, 04 May 2021 11:01:17 +0200
+
 adios (1.13.1-28) unstable; urgency=medium
 
   * postinst/prerm: Ensure generated tags correct.
diff -Nru adios-1.13.1/debian/python3-adios.preinst.in 
adios-1.13.1/debian/python3-adios.preinst.in
--- adios-1.13.1/debian/python3-adios.preinst.in1970-01-01 
01:00:00.0 +0100
+++ adios-1.13.1/debian/python3-adios.preinst.in2021-05-10 
10:37:25.0 +0200
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = "upgrade" ] && dpkg --compare-versions "$2" lt-nl "1.13.1-28.0" ; 
then
+   update-alternatives --remove-all python-py37-adios-@DEB_HOST_MULTIARCH@ 
|| true
+fi
+
+#DEBHELPER#
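
Review bot: `|| true` after `update-alternatives --remove-all` swallows every failure, not only the "alternative not registered" case the changelog entry targets; probing first with `update-alternatives --list python-py37-adios-@DEB_HOST_MULTIARCH@ >/dev/null 2>&1` (the pattern used in the waitress preinst in this digest) keeps genuine errors fatal under `set -e`. The `@DEB_HOST_MULTIARCH@` placeholder only works because the file is listed in `AUTOGENERATED` in debian/rules, which the next hunk takes care of.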
diff -Nru adios-1.13.1/debian/rules adios-1.13.1/debian/rules
--- adios-1.13.1/debian/rules   2021-03-06 17:35:45.0 +0100
+++ adios-1.13.1/debian/rules   2021-04-23 15:37:41.0 +0200
@@ -9,7 +9,7 @@
 AUTOGENERATED:=   adios_config control libadios-bin.postinst  \
  libadios-mpich-dev.postinst libadios-openmpi-dev.postinst \
  libadios-mpich-dev.prerm libadios-openmpi-dev.prerm \
- python3-adios.postinst python3-adios.prerm
+ python3-adios.preinst python3-adios.postinst 
python3-adios.prerm
 
 MPI_LIBS_OPENMPI:= $(pkg-config ompi-fort --libs)
 MPI_LIBS_MPICH:= $(pkg-config mpich-fort --libs)
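
Review bot: in the unchanged context lines of this hunk, `MPI_LIBS_OPENMPI:= $(pkg-config ompi-fort --libs)` and the mpich line below it are make variable references, not command substitutions, so they appear to expand to the empty string; `$(shell pkg-config ompi-fort --libs)` is presumably what was meant. That is pre-existing and outside this NMU's scope, but worth a follow-up bug. Adding `python3-adios.preinst` to `AUTOGENERATED` is what makes the `@DEB_HOST_MULTIARCH@` substitution in the new `preinst.in` take effect, so this hunk and the previous one must go in together.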


Bug#988942: CVE-2021-20291

2021-05-21 Thread Reinhard Tartler
On Fri, May 21, 2021 at 3:30 PM Moritz Muehlenhoff  wrote:

> Package: golang-github-containers-image
> Severity: important
> Tags: security
> X-Debbugs-Cc: Debian Security Team 
>
> This was assigned CVE-2021-20291:
>
> https://github.com/containers/storage/commit/306fcabc964470e4b3b87a43a8f6b7d698209ee1
>
>
>
Moritz,

here is some more context on severity impact of this issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1939485#c23

> For applications like podman the effect is minimal - podman pull and it
> seemingly waits to download the image forever, cancel and the effect is
> negated. For something like crio the effect is more severe, with the
> malicious image locking the service up, BUT it is still somewhat
> responsive. The service then must be killed before returning back to
> normal.

The referenced commit changes the containers/storage code to no longer
fork()/exec() out to the xz executable, but instead use the golang-native
implementation of golang-github-ulikunitz-xz-dev, which addresses the
deadlock situation by avoiding awkward unix process coordination.

Upstream switched to version 0.5.10, whereas we only have 0.5.6 in Debian.
That version is at least susceptible to:

- https://github.com/ulikunitz/xz/issues/35 - CVE-2020-16845
- https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b
  (similar to/same as CVE-2020-16845)
- https://github.com/ulikunitz/xz/issues/40 -- no CVE, but could also lead
  to a DoS situation, I guess

Given the limited impact of this issue (it could leave podman hanging,
leading to a DoS situation in some scenarios), the absence of any unit
tests, and the fact that we'd need to rebuild podman and friends anyways,
I'm pondering whether making this change is worth the risk. Moritz, what do
you think?

If we decided to proceed, the debdiff would look like this:
diff --git a/debian/changelog b/debian/changelog
index 837efeeb1..ad17e4867 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+golang-github-containers-storage (1.24.8+dfsg1-2) unstable; urgency=high
+
+  * Build against system copy of golang-github-ulikunitz-xz-dev,
+Adresses: CVE-2021-20291, Closes: #988942
+
+ -- Reinhard Tartler   Fri, 21 May 2021 16:04:46 -0400
+
 golang-github-containers-storage (1.24.8+dfsg1-1) unstable; urgency=medium

   * New upstream release, focused on targetted bugfixes for podman 3.0
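
Review bot: "Adresses" in the new changelog entry should read "Addresses"; since the entry will be parsed by tools looking for `Closes:`, keep that token as is, but the CVE reference reads more naturally as "Addresses CVE-2021-20291" without the colon.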
diff --git a/debian/control b/debian/control
index 086dbcb3d..c5c362961 100644
--- a/debian/control
+++ b/debian/control
@@ -24,6 +24,7 @@ Build-Depends: debhelper-compat (= 11),
golang-github-pquerna-ffjson-dev,
golang-github-sirupsen-logrus-dev,
golang-github-stretchr-testify-dev,
+   golang-github-ulikunitz-xz-dev,
golang-github-vbatts-tar-split-dev,
golang-go (>> 2:1.14~~),
golang-go-patricia-dev,
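
Review bot: the new build-dependency is unversioned, and the mail above states that the archive's golang-github-ulikunitz-xz-dev is 0.5.6 while upstream moved to 0.5.10 and that 0.5.6 is affected by CVE-2020-16845; a versioned `Build-Depends` (on whatever revision carries the xz fixes, once uploaded) would prevent a rebuild against the vulnerable copy and document the requirement, and the changelog should say which xz version the package was actually built against.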
diff --git a/debian/patches/CVE-2021-20291.patch
b/debian/patches/CVE-2021-20291.patch
new file mode 100644
index 0..f87427443
--- /dev/null
+++ b/debian/patches/CVE-2021-20291.patch
@@ -0,0 +1,212 @@
+From 306fcabc964470e4b3b87a43a8f6b7d698209ee1 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai 
+Date: Wed, 17 Mar 2021 17:24:14 -0400
+Subject: [PATCH] Use an xz library instead of shelling out to xz for
+ decompression
+
+When decompressing layers compressed with xz, use a library rather than
+shelling out to the xz CLI.
+
+Signed-off-by: Nalin Dahyabhai 
+
+--- a/go.mod
 b/go.mod
+@@ -23,6 +23,7 @@
+ github.com/stretchr/testify v1.6.1
+ github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2
+ github.com/tchap/go-patricia v2.3.0+incompatible
++ github.com/ulikunitz/xz v0.5.10
+ github.com/vbatts/tar-split v0.11.1
+ golang.org/x/net v0.0.0-20191004110552-13f9640d40b9
+ golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3
+--- a/pkg/archive/archive.go
 b/pkg/archive/archive.go
+@@ -9,7 +9,6 @@
+ "io"
+ "io/ioutil"
+ "os"
+- "os/exec"
+ "path/filepath"
+ "runtime"
+ "strings"
+@@ -18,7 +17,6 @@
+
+ "github.com/containers/storage/pkg/fileutils"
+ "github.com/containers/storage/pkg/idtools"
+- "github.com/containers/storage/pkg/ioutils"
+ "github.com/containers/storage/pkg/pools"
+ "github.com/containers/storage/pkg/promise"
+ "github.com/containers/storage/pkg/system"
+@@ -26,6 +24,7 @@
+ rsystem "github.com/opencontainers/runc/libcontainer/system"
+ "github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
++ "github.com/ulikunitz/xz"
+ )
+
+ type (
+@@ -167,12 +166,6 @@
+ return Uncompressed
+ }
+
+-func xzDecompress(archive io.Reader) (io.ReadCloser, <-chan struct{},
error) {
+- args := []string{"xz", "-d", "-c", "-q"}
+-
+- return cmdStream(exec.Command(args[0], args[1:]...), archive)
+-}
+-
+ // DecompressStream decompresses the archive and returns a ReaderCloser
with the decompressed archive.
+ func DecompressStream(archive io.Reader) (io.ReadCloser, error) {
+ p := pools.BufioReader32KPool
+@@ -205,15 +198,12 @@
+ readBufWrapper := 
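
Reinhard's point above is that the hang comes from coordinating a child `xz` process over pipes, and that an in-process decompressor removes that failure mode; what it does not remove is the cost of a layer that expands without bound or whose bytes stop arriving. The following is an added example, not containers/storage code and not part of this debdiff: a Go decompressor that runs in-process and bounds both output size and wall-clock time. It uses the standard library's `compress/gzip` as a stand-in for the ulikunitz xz library (assumed unavailable offline), and `DecompressBounded`, `gzipCompress` and `stallingReader` are names chosen here, not the project's.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"context"
	"errors"
	"fmt"
	"io"
	"time"
)

// ErrOutputLimit reports a stream that would expand past the caller's cap.
var ErrOutputLimit = errors.New("decompressed output exceeds limit")

// DecompressBounded decompresses src in-process: no child process, no pipes
// whose reader and writer can end up waiting on each other. It refuses to
// produce more than limit bytes and returns ctx.Err() if the stream stalls
// past ctx's deadline. gzip stands in for the xz library (assumption).
func DecompressBounded(ctx context.Context, src io.Reader, limit int64) ([]byte, error) {
	zr, err := gzip.NewReader(src) // reads only the 10-byte header synchronously
	if err != nil {
		return nil, err
	}
	type result struct {
		data []byte
		err  error
	}
	done := make(chan result, 1) // buffered: a late result never blocks the goroutine
	go func() {
		// Read at most limit+1 bytes: one byte past the cap is enough to tell
		// "exactly limit" from "more than limit" without trusting any header.
		data, err := io.ReadAll(io.LimitReader(zr, limit+1))
		if err == nil && int64(len(data)) > limit {
			err = ErrOutputLimit
		}
		done <- result{data, err}
	}()
	select {
	case r := <-done:
		return r.data, r.err
	case <-ctx.Done():
		// Caveat: a goroutine blocked in Read cannot be killed the way a child
		// process can; it leaks until src unblocks. See the note below.
		return nil, ctx.Err()
	}
}

// gzipCompress builds a compressed sample in memory (constructed test input).
func gzipCompress(p []byte) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(p)
	zw.Close()
	return buf.Bytes()
}

// stallingReader serves a valid gzip header once, then blocks forever: a
// stand-in for a layer whose bytes stop arriving (constructed for the demo).
type stallingReader struct {
	header []byte
	served bool
}

func (s *stallingReader) Read(p []byte) (int, error) {
	if !s.served {
		s.served = true
		return copy(p, s.header), nil
	}
	select {} // never returns
}

func main() {
	payload := bytes.Repeat([]byte("layer"), 1000) // 5000 bytes
	comp := gzipCompress(payload)

	out, err := DecompressBounded(context.Background(), bytes.NewReader(comp), 10000)
	fmt.Println(len(out), err) // 5000 <nil>

	_, err = DecompressBounded(context.Background(), bytes.NewReader(comp), 4096)
	fmt.Println(err) // decompressed output exceeds limit

	ctx, cancel := context.WithTimeout(context.Background(), 200*time.Millisecond)
	defer cancel()
	_, err = DecompressBounded(ctx, &stallingReader{header: comp[:10]}, 10000)
	fmt.Println(err) // context deadline exceeded
}
```

The `ctx.Done()` branch is the caveat worth keeping when `exec` is swapped for a library: a child process can be killed, a goroutine blocked in `Read` cannot, so the timeout hands control back to the caller while the reader stays parked until its input unblocks. In a long-lived service like crio that argues for also putting a deadline on the underlying network read, so the leaked reader eventually terminates on its own.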

Bug#606767: bind9: man pages and doc files wrongly use /etc/ instead of /etc/bind/

2021-05-21 Thread Athos Ribeiro

Hello,

This bug is still valid in unstable. However, the patch provided
previously no longer applies for the issue.

I filed a MR in salsa [1] and forwarded the patch upstream [2].

[1] https://salsa.debian.org/dns-team/bind9/-/merge_requests/16
[2] https://gitlab.isc.org/isc-projects/bind9/-/issues/2717

--
Athos Ribeiro



Bug#988927: dino-im: Add dependency for gstreamer1.0-gtk3

2021-05-21 Thread bert
Package: dino-im
Version: 0.2.0+git20210515.686035c-1
Severity: normal
X-Debbugs-Cc: b...@dismail.de

Dear Maintainer,
in order to enable video calls in dino-im (experimental), I noticed that 
gstreamer1.0-gtk3 seems
to be a dependency. Only after installing that package, the video call button 
is shown in the Dino gui,
and I was able to make video calls.
Thanks!
-- System Information:
Debian Release: 11.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing'), (90, 'unstable'), 
(10, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-6-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_WARN, TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dino-im depends on:
ii  dino-im-common  0.2.0+git20210515.686035c-1
ii  libc6   2.31-12
ii  libcairo2   1.16.0-5
ii  libgcc-s1   10.2.1-6
ii  libgcrypt20 1.8.7-3
ii  libgdk-pixbuf-2.0-0 2.42.2+dfsg-1
ii  libgee-0.8-20.20.3-1
ii  libglib2.0-02.66.8-1
ii  libgnutls30 3.7.1-3
ii  libgpg-error0   1.38-2
ii  libgpgme11  1.14.0-1+b2
ii  libgspell-1-2   1.8.4-1
ii  libgstreamer-plugins-base1.0-0  1.18.4-2
ii  libgstreamer1.0-0   1.18.4-2
ii  libgtk-3-0  3.24.24-4
ii  libicu6767.1-6
ii  libnice10   0.1.16-1
ii  libpango-1.0-0  1.46.2-3
ii  libqrencode44.1.1-1
ii  libsignal-protocol-c2.3.2   2.3.3-1
ii  libsoup2.4-12.72.0-2
ii  libsqlite3-03.34.1-3
ii  libsrtp2-1  2.3.0-5
ii  libstdc++6  10.2.1-6
ii  libwebrtc-audio-processing1 0.3-1+b1

Versions of packages dino-im recommends:
ii  ca-certificates 20210119
ii  dbus1.12.20-2
ii  fonts-noto-color-emoji  0~20200916-1
ii  network-manager 1.30.0-2

dino-im suggests no packages.

-- no debconf information



Bug#988953: unblock: cool-retro-term/1.1.1+git20200723-2.1

2021-05-21 Thread Andreas Beckmann
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package cool-retro-term

Unregister the alternative on package removal.

unblock cool-retro-term/1.1.1+git20200723-2.1
diff -Nru cool-retro-term-1.1.1+git20200723/debian/changelog 
cool-retro-term-1.1.1+git20200723/debian/changelog
--- cool-retro-term-1.1.1+git20200723/debian/changelog  2020-11-12 
13:35:29.0 +0100
+++ cool-retro-term-1.1.1+git20200723/debian/changelog  2021-05-18 
18:50:41.0 +0200
@@ -1,3 +1,10 @@
+cool-retro-term (1.1.1+git20200723-2.1) unstable; urgency=medium
+
+  * Remove x-terminal-emulator alternative on package removal.
+(Closes: #983889)
+
+ -- Andreas Beckmann   Tue, 18 May 2021 18:50:41 +0200
+
 cool-retro-term (1.1.1+git20200723-2) unstable; urgency=medium
 
   * d/rules: disable parallel building. (Closes: #973080)
diff -Nru cool-retro-term-1.1.1+git20200723/debian/prerm 
cool-retro-term-1.1.1+git20200723/debian/prerm
--- cool-retro-term-1.1.1+git20200723/debian/prerm  1970-01-01 
01:00:00.0 +0100
+++ cool-retro-term-1.1.1+git20200723/debian/prerm  2021-05-12 
18:09:59.0 +0200
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = "remove" ]; then
+   update-alternatives --remove x-terminal-emulator 
/usr/bin/cool-retro-term
+fi
+
+#DEBHELPER#


Bug#988952: unblock: lz4/1.9.3-2

2021-05-21 Thread Salvatore Bonaccorso
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: car...@debian.org,iwama...@debian.org

Hi Release team,

Please unblock package lz4

The maintainer of lz4 (X-Debbugs-CC'ed) fixed in unstable the
CVE-2021-3520 issue, tracked as well as #987856, which got in
meanwhile as well addressed in buster via DSA 4919-1. So we should make
sure the fix goes as well to bullseye to not cause a (security)
regression from buster to bullseye.

Attaching the full debdiff. Note I'm not the uploader for unstable, so
serving here with the security team perspective to get CVE-2021-3520
fixed in bullseye and avoid a regression.

Regards,
Salvatore
diff -Nru lz4-1.9.3/debian/changelog lz4-1.9.3/debian/changelog
--- lz4-1.9.3/debian/changelog  2020-11-30 22:07:12.0 +0100
+++ lz4-1.9.3/debian/changelog  2021-05-05 09:29:57.0 +0200
@@ -1,3 +1,11 @@
+lz4 (1.9.3-2) unstable; urgency=medium
+
+  * Fix CVE-2021-3520. (Closes: #987856)
+- This fixed potential memory corruption with negative memmove() size.
+- Add d/patches/0005-CVE-2021-3520.patch
+
+ -- Nobuhiro Iwamatsu   Wed, 05 May 2021 16:29:57 +0900
+
 lz4 (1.9.3-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru lz4-1.9.3/debian/patches/0005-CVE-2021-3520.patch 
lz4-1.9.3/debian/patches/0005-CVE-2021-3520.patch
--- lz4-1.9.3/debian/patches/0005-CVE-2021-3520.patch   1970-01-01 
01:00:00.0 +0100
+++ lz4-1.9.3/debian/patches/0005-CVE-2021-3520.patch   2021-05-05 
09:29:57.0 +0200
@@ -0,0 +1,25 @@
+From 8301a21773ef61656225e264f4f06ae14462bca7 Mon Sep 17 00:00:00 2001
+From: Jasper Lievisse Adriaanse 
+Date: Fri, 26 Feb 2021 15:21:20 +0100
+Subject: [PATCH] Fix potential memory corruption with negative memmove() size
+
+---
+ lib/lz4.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/lz4.c b/lib/lz4.c
+index 5f524d0..c2f504e 100644
+--- a/lib/lz4.c
 b/lib/lz4.c
+@@ -1749,7 +1749,7 @@ LZ4_decompress_generic(
+  const size_t dictSize /* note : = 0 if noDict */
+  )
+ {
+-if (src == NULL) { return -1; }
++if ((src == NULL) || (outputSize < 0)) { return -1; }
+ 
+ {   const BYTE* ip = (const BYTE*) src;
+ const BYTE* const iend = ip + srcSize;
+-- 
+2.30.0
+
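Review bot: the added `(outputSize < 0)` test closes the negative-size path at the function entry, which is the right place, but the companion `srcSize` argument (an `int` in the same `LZ4_decompress_generic` signature, used right below as `iend = ip + srcSize`) gets no such check, so a reviewer should confirm that every caller, the `LZ4_decompress_safe*` entry points in particular, guarantees `srcSize >= 0`. Note also that the patch's `+++ b/lib/lz4.c` header has lost its leading `+` signs in the archive rendering (it shows as ` b/lib/lz4.c`), so this debdiff will not apply if copied from here rather than from the attachment.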
diff -Nru lz4-1.9.3/debian/patches/series lz4-1.9.3/debian/patches/series
--- lz4-1.9.3/debian/patches/series 2020-11-30 22:07:12.0 +0100
+++ lz4-1.9.3/debian/patches/series 2021-05-05 09:29:57.0 +0200
@@ -2,3 +2,4 @@
 0002-Fix-static-link.patch
 0003-Ignore-test.patch
 0004-change-optimize.patch
+0005-CVE-2021-3520.patch


Bug#987686: webkit2gtk breaks balsa autopkgtest: xwd: error: No window with name Balsa exists!

2021-05-21 Thread Paul Gevers
Control: tags -1 important
Control: retitle -1 balsa autopkgtest fails with xdg-desktop-portal-gtk

Hi

On 21-05-2021 21:43, Alberto Garcia wrote:
> In any case I would definitely reduce the severity of the bug, I just
> didn't want to do it on behalf of the original reporter :)

Oh, with the current downgraded dependency the issue is gone. So,
lowering the severity to prevent removal of balsa for something that
isn't an RC issue in bullseye.

Paul





Bug#988951: regression: focus_path on last items no longer works properly

2021-05-21 Thread Cyril Brulebois
Package: cdebconf-gtk-udeb
Version: 0.258
Severity: important
X-Debbugs-Cc: Simon McVittie 

Hi,

The 0.258 update is *very* important for us since it makes extra sure
(together with libgtk2.0-0-udeb 2.24.33-2) we don't run into relayout
loops meaning hangs from a user point of view.

Yes, it comes at a price: focussing on the last items of a GtkTreeView
no longer works correctly.

There might be simpler (shorter) ways to trigger this but the following
is robust:

 - Initially detected while testing an encrypted LVM install in Swedish
   (confirming all hangs go away), when reaching the partition layout
   confirmation dialog, the selected entry is the last one in the list,
   but the selection isn't seen. One might wonder where the focus is,
   why no entry was selected, etc. Since that can happen in various
   places, I think users might get confused. That should not be specific
   to Swedish, it just happens to be the first occurrence I noticed.

 - Slightly shorter (`kvm -m 1G -cdrom mini.iso`, no disk layout or even
   disk required), pick a language like French and all default choices,
   until the mirror country selection, pick the very last one
   (États-Unis), and on the mirror host selection, pick the very last
   one again (the actual hostname doesn't matter). Now, on the next
   dialog, hit “Revenir en arrière” (Back), and see the selected
   hostname isn't focussed. Another step back shows the selected country
   isn't focussed either. That should happen with other languages as
   well, using French has the main advantage for me to get the
   appropriate keyboard layout automatically plus get two “back” steps
   that exhibit the problem (other countries might not have a mirror
   list as big as the US one).

With both gtk+2.0 and cdebconf being uploaded recently, I've made sure
to determine what triggers this:
 - bullseye: OK
 - unstable: KO
 - bullseye + gtk2.0: OK
 - bullseye + cdebconf: KO

My first hunch was that the focus_path callback (one-shot call, it
disables itself once it has triggered gtk_tree_view_scroll_to_cell on
the first expose event) happens before the set_text_in_idle one, and
that's indeed correct. I suppose we have a slightly taller widget at
first, we scroll down to the bottom; then when set_text_in_idle happens,
the widget is resized slightly smaller, the position is not correct
anymore (it's no longer “full-bottom” but a little higher as seen in the
scrollbar), and the selected line gets out of sight.

I've tried various things like having the focus_path happen in a
“_later” indirection using the same kind of logic as Simon introduced
for setting the text (with a different priority), but that would happen
waaay before set_text_in_idle anyway.

I've also tried to implement a “double-tap” approach, letting the
callback be called twice, so that we would focus first, let the text be
set and get a new expose event, and re-focus. But it seems the amount of
events we need to reach this point is not constant (I didn't conduct a
real study but it seems one might need up to 4-5 such events).

Next on my list of things to try was adding a pointer to the frontend
object (and its `data` member) so that we could keep the callback alive
until set_text_in_idle has done its job. I thought it might need some
mutex or locking around a counter of pending set_text calls and I
haven't touched that yet. And today, the following rang a bell… :)
  https://salsa.debian.org/installer-team/cdebconf/-/merge_requests/7


I'm happy to be told whether the vague idea above looks like a
workaround that could or even should work before diving a little more
into it, and/or to be suggested better ideas!


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant


Bug#988950: CVE-2020-26892 CVE-2020-26521

2021-05-21 Thread Moritz Muehlenhoff
Source: golang-github-nats-io-jwt
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team 

https://advisories.nats.io/CVE/CVE-2020-26892.txt
https://advisories.nats.io/CVE/CVE-2020-26521.txt

Cheers,
 Moritz





Bug#988949: CVE-2020-13949

2021-05-21 Thread Moritz Muehlenhoff
Source: thrift
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team 

CVE-2020-13949:
https://seclists.org/oss-sec/2021/q1/140

There's no real information on what fixed this and it seems invasive, so
probably safest to only pull this after the end of the freeze?

Cheers,
Moritz



Bug#988948: CVE-2019-11939

2021-05-21 Thread Moritz Muehlenhoff
Source: thrift
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team 

CVE-2019-11939:
https://github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757

Cheers,
 Moritz



Bug#987686: webkit2gtk breaks balsa autopkgtest: xwd: error: No window with name Balsa exists!

2021-05-21 Thread Alberto Garcia
On Fri, May 21, 2021 at 09:28:02PM +0200, Paul Gevers wrote:
> > In webkit2gtk 2.32.1-1 the dependency on xdg-desktop-portal-gtk was
> > downgraded to a recommendation so the test no longer fails.
> 
> balsa is close to autoremoval from bullseye because of this issue.
> Should xdg-desktop-portal-gtk really be a Depends? (Having the
> possibility to downgrade the dependency suggests it *is* not a
> dependency).
> 
> > The underlying cause is still there so I don't know if you want to
> > keep this bug report open to look for a proper solution.
> 
> If you're OK with keeping the downgraded dependency then I think
> this bug can be downgraded too.

Arguably this bug could be closed since the test no longer fails,
although I think it's useful to keep it open in order to track the
issue. But that's up to the Balsa maintainers in my opinion.

In any case I would definitely reduce the severity of the bug, I just
didn't want to do it on behalf of the original reporter :)

Berto



Bug#966524: lvm2: "lvconvert --merge" does not remove the snapshot after completing (found workaround)

2021-05-21 Thread Antonio

The problem, which I had reported in January, still exists.
It would be useful to apply the patch indicated above or similar (so as 
not to have to apply it to each update of the LVM2 package).


Thanks
Antonio




Bug#988947: redis configuration does not load fragments by default

2021-05-21 Thread sbortman
Package: redis
Version: 5:5.0.7-2
Severity: normal

Dear Maintainer,

* What led up to the situation?
Upgrades between versions of the package, with local configuration changes

* What exactly did you do (or not do) that was effective
Nothing particular other than modifying the default config (even if 
modification is trivial)

* What was the outcome of this action?
Upgrade caused a configuration conflict which necessitated manual intervention 
and patching/merging of config options.  We frequently upgrade/downgrade this 
package for dev purposes and this has been a thorn in our back.

* What outcome did you expect instead?
Currently the redis.conf configuration file supports the "include" keyword. 
However, by default, nothing is included. Problems can pop up when local 
configuration needs to be maintained between upgrades/downgrades. The upgrade 
mechanism will prompt for manual intervention with the configuration file, if 
any changes were made to it. Depending on the amount of customization done 
therein, this could cause a time-consuming and error-prone situation of having 
to merge/patch things up.

Other packages, such as Apache and MySQL (for instance, amongst many others), 
have addressed this by providing a "conf.d"-style directory and having "include 
conf.d/*" type of statement in the default configuration file that's maintained 
by the package maintainer. This is effectively the standard approach seen 
nowadays in Linux.

The benefit is obvious: one can simply drop their local configuration file into 
the provided conf.d directory and upgrade away with far fewer worries.

In summary, please consider effecting the following two (or three) changes to 
the redis package:
1) add an empty /etc/redis/conf.d directory to the package

2) add the statement "include /etc/redis/conf.d/*" to the bottom of the official 
/etc/redis.conf file to serve as an override of all default settings

3) it's not clear to me whether wildcards can actually currently be specified in 
the include statement. If they currently cannot be specified, please patch the 
code to glob using the pattern specified in the include, instead of targeting 
an individual file.
Ideally, redis' default configuration should include an additional statement at 
the bottom of the config file like this:
  include "/etc/redis/conf.d/*"
plus the package should contain a default empty /etc/redis/conf.d directory.



-- System Information:
Debian Release: bullseye/sid
  APT prefers focal-updates
  APT policy: (500, 'focal-updates'), (500, 'focal-security'), (500, 'focal'), 
(100, 'focal-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.11.13-051113-generic (SMP w/12 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_CA:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages redis depends on:
ii  redis-server  5:5.0.7-2

redis recommends no packages.

redis suggests no packages.

-- no debconf information



Bug#988946: CVE-2020-10693

2021-05-21 Thread Moritz Muehlenhoff
Package: libhibernate-validator-java
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team 

CVE-2020-10693:
https://bugzilla.redhat.com/show_bug.cgi?id=1805501

Cheers,
 Moritz



Bug#988945: CVE-2019-25009

2021-05-21 Thread Moritz Muehlenhoff
Source: rust-http
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team 

CVE-2019-25009:
https://rustsec.org/advisories/RUSTSEC-2019-0034.html
https://github.com/hyperium/http/commit/82d53dbdfdb1ffbeb0323200a0bbd30b5f895fa7
https://github.com/hyperium/http/commit/8ffe094df1431321d450860cc56a22dd53175f5e

Cheers,
 Moritz



Bug#988944: CVE-2020-7692

2021-05-21 Thread Moritz Muehlenhoff
Source: google-oauth-client-java
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team 

CVE-2020-7692:
https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEOAUTHCLIENT-575276
https://github.com/googleapis/google-oauth-java-client/issues/469
https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824

Cheers,
 Moritz



Bug#987547: debspawn: diff for NMU version 0.4.1-1.1

2021-05-21 Thread Stefano Rivera
Control: tags 987547 + pending

Dear maintainer,

I've prepared an NMU for debspawn (versioned as 0.4.1-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards.

SR
diff -Nru debspawn-0.4.1/debian/changelog debspawn-0.4.1/debian/changelog
--- debspawn-0.4.1/debian/changelog	2020-12-21 21:16:47.0 -0400
+++ debspawn-0.4.1/debian/changelog	2021-05-21 15:23:54.0 -0400
@@ -1,3 +1,10 @@
+debspawn (0.4.1-1.1) unstable; urgency=medium
+
+  * Depend on dpkg-dev, which was Recommended through build-essential, but not
+required, causing a crash. (Closes: #987547)
+
+ -- Stefano Rivera   Fri, 21 May 2021 15:23:54 -0400
+
 debspawn (0.4.1-1) unstable; urgency=medium
 
   * New upstream version: 0.4.1
diff -Nru debspawn-0.4.1/debian/control debspawn-0.4.1/debian/control
--- debspawn-0.4.1/debian/control	2020-12-21 21:15:47.0 -0400
+++ debspawn-0.4.1/debian/control	2021-05-21 15:23:38.0 -0400
@@ -19,6 +19,7 @@
 Package: debspawn
 Architecture: all
 Depends: debootstrap,
+ dpkg-dev,
  python3-toml,
  systemd-container,
  zstd,


Bug#988943: CVE-2020-28483

2021-05-21 Thread Moritz Muehlenhoff
Source: golang-github-gin-gonic-gin
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team 

CVE-2020-28483:
https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGINGONICGIN-1041736
https://github.com/gin-gonic/gin/pull/2474

Cheers,
 Moritz



Bug#987686: webkit2gtk breaks balsa autopkgtest: xwd: error: No window with name Balsa exists!

2021-05-21 Thread Paul Gevers
Hi Alberto,

On 11-05-2021 21:03, Alberto Garcia wrote:
> On Tue, Apr 27, 2021 at 11:27:32PM +0200, Alberto Garcia wrote:
> 
>> Nothing to do with webkit actually. The test launches Balsa, waits
>> for two seconds and then takes a screenshot of the window. The bug
>> happens because when xdg-desktop-portal-gtk is installed Balsa takes
>> a very long time to start so those two seconds are not enough.
> 
> In webkit2gtk 2.32.1-1 the dependency on xdg-desktop-portal-gtk was
> downgraded to a recommendation so the test no longer fails.

balsa is close to autoremoval from bullseye because of this issue.
Should xdg-desktop-portal-gtk really be a Depends? (Having the
possibility to downgrade the dependency suggests it *is* not a dependency).

> The underlying cause is still there so I don't know if you want to
> keep this bug report open to look for a proper solution.

If you're OK with keeping the downgraded dependency then I think this
bug can be downgraded too.

Paul





Bug#988942: CVE-2021-20291

2021-05-21 Thread Moritz Muehlenhoff
Package: golang-github-containers-image
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team 

This was assigned CVE-2021-20291:
https://github.com/containers/storage/commit/306fcabc964470e4b3b87a43a8f6b7d698209ee1

Cheers,
 Moritz



Bug#988941: ITP: node-rollup-plugin-sass -- Rollup plugin for .sass files

2021-05-21 Thread Pirate Praveen

Package: wnpp
Severity: wishlist
Owner: Pirate Praveen 
X-Debbugs-CC: debian-de...@lists.debian.org

* Package name : node-rollup-plugin-sass
 Version : 1.2.2
 Upstream Author : BinRui.Guan 
* URL : https://github.com/differui/rollup-plugin-sass#readme
* License : Expat
 Programming Lang: JavaScript
 Description : Rollup plugin for .sass files

This plugin can help handle sass stylesheets with rollup.
.
Node.js is an event-based server-side JavaScript engine.

This is a build dependency of tributejs. Since sass module is not 
packaged (it is written in dart lang which is also not packaged yet), 
node-sass module (node-node-sass package) will be used instead.




Bug#988940: gnome-shell-extension-redshift: Is this package obsolete?

2021-05-21 Thread Adrian Bunk
Package: gnome-shell-extension-redshift
Version: 3.20.1-2.1
Severity: serious

https://extensions.gnome.org/extension/685/redshift/

Deprecation notice: As of GNOME 3.24, there is native support for night light 
mode in your display settings. This extension is not required or recommended 
anymore.



Bug#987646: eclipse-titan: diff for NMU version 7.2.0-1.1

2021-05-21 Thread Stefano Rivera
Control: tags 987646 + patch

Dear maintainer,

I've prepared an NMU for eclipse-titan (versioned as 7.2.0-1.1). The diff
is attached to this message.

Regards.

SR
diff -Nru eclipse-titan-7.2.0/debian/changelog eclipse-titan-7.2.0/debian/changelog
--- eclipse-titan-7.2.0/debian/changelog	2021-02-16 05:25:17.0 -0400
+++ eclipse-titan-7.2.0/debian/changelog	2021-05-21 14:58:09.0 -0400
@@ -1,3 +1,11 @@
+eclipse-titan (7.2.0-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Re-instate the --no-parallel option, fixing FTBFS on multi-core machines.
+(Closes: #987646)
+
+ -- Stefano Rivera   Fri, 21 May 2021 14:58:09 -0400
+
 eclipse-titan (7.2.0-1) unstable; urgency=medium
 
   * New release.
diff -Nru eclipse-titan-7.2.0/debian/rules eclipse-titan-7.2.0/debian/rules
--- eclipse-titan-7.2.0/debian/rules	2021-02-16 05:20:17.0 -0400
+++ eclipse-titan-7.2.0/debian/rules	2021-05-21 14:48:25.0 -0400
@@ -3,7 +3,7 @@
 export DEB_BUILD_MAINT_OPTIONS=hardening=+all
 
 %:
-	dh $@ --verbose
+	dh $@ --verbose --no-parallel
 
 override_dh_shlibdeps:
 	dh_shlibdeps -l$(CURDIR)/Install/lib
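Review bot: add a short comment above the `%:` target saying why `--no-parallel` is needed; the changelog entry says the option is being re-instated, so it has already been dropped once, and a bare flag on the `dh $@ --verbose --no-parallel` line invites that again. One line such as `# upstream build is not parallel-safe (see #987646)` immediately before `%:` would carry the reason along with the workaround.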


Bug#988832: unblock: libx11/2:1.7.1-1

2021-05-21 Thread Paul Gevers
Control: tags -1 d-i confirmed

Hi,

On 20-05-2021 10:26, Emilio Pozuelo Monfort wrote:
> Please unblock package libx11

This needs also an ack from d-i, boot CC-ed.

> This fixes CVE-2021-31535, a bug in libX11 which could lead to the
> execution of additional X requests due to insufficient buffer checks.
> 
> I have done some manual tests (run an X server with various applications)
> 
> The risks are minor as the changes are pretty much limited to the security
> fix, with minor changes aside of that.
> 
> [ Checklist ]
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing
> 
> The debdiff is a little large due to the autotools version the tarball
> was generated with. I'm attaching a debdiff filtered with
> 
>   filterdiff -x '*/Makefile.in' -x '*.man' -x '*/aclocal.m4' -x '*/configure'
> 
> (the *.man changes are actual manpage syntax fixes, but make it harder to 
> review
> the actually important code fixes in this update, so I filtered them).

Funny how some copyrights go backward in time in this release.

Paul





Bug#988939: unblock: whipper/0.9.0-7

2021-05-21 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: Krzysztof Krzyżaniak (eloy) 

Please unblock package whipper

Adds a couple of missing dependencies, and fixes up a stale description
talking about Python 2.7.

[ Reason ]
Fixes RC bugs for missing dependencies.

[ Impact ]
Without this, I'd expect auto-removal :)

[ Tests ]
Checked that the package installs and runs --help, which it didn't
before.

[ Risks ]
Changes are trivial.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
Changelog is kinda weird, but I was mostly just sponsoring an upload for
a DD, so shrug.

unblock whipper/0.9.0-7
diff -Nru whipper-0.9.0/debian/changelog whipper-0.9.0/debian/changelog
--- whipper-0.9.0/debian/changelog  2020-05-29 02:17:36.0 -0400
+++ whipper-0.9.0/debian/changelog  2021-04-27 08:22:21.0 -0400
@@ -1,3 +1,26 @@
+whipper (0.9.0-7) unstable; urgency=medium
+
+  [ Krzysztof Krzyżaniak (eloy) ]
+  * control: Update dependencies, added flac package (Closes: #978166)
+
+  [ Stefano Rivera ]
+  * Depend on python3-distutils, it's used at runtime (Closes: #971628)
+
+ -- Krzysztof Krzyżaniak (eloy)   Tue, 27 Apr 2021 14:22:21 
+0200
+
+whipper (0.9.0-6) unstable; urgency=medium
+
+  * Non maintainer upload by the Reproducible Builds team.
+  * No source change upload to rebuild on buildd with .buildinfo files.
+
+ -- Krzysztof Krzyżaniak (eloy)   Fri, 01 Jan 2021 22:04:03 
+0100
+
+whipper (0.9.0-5) unstable; urgency=medium
+
+  * control: Update description (closes: #968880)
+
+ -- Krzysztof Krzyżaniak (eloy)   Sun, 23 Aug 2020 13:39:11 
+0200
+
 whipper (0.9.0-4) unstable; urgency=medium
 
   * control: Add cdrdao to depends. (Closes: #961758)
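Review bot: the `whipper (0.9.0-6)` entry calls itself "Non maintainer upload by the Reproducible Builds team" yet its trailer names the maintainer, and the request text above says these intermediate versions never reached the archive; since this upload is the first to ship them, consider folding the -5 and -6 bullets into the 0.9.0-7 entry, or at least letting the -6 trailer name who actually built it, so the archived changelog does not record uploads that did not happen. Minor: "Non maintainer" should be hyphenated as "Non-maintainer".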
diff -Nru whipper-0.9.0/debian/control whipper-0.9.0/debian/control
--- whipper-0.9.0/debian/control2020-05-29 02:05:48.0 -0400
+++ whipper-0.9.0/debian/control2021-04-27 08:22:21.0 -0400
@@ -22,6 +22,7 @@
 Depends: ${python3:Depends},
   ${shlibs:Depends},
   ${misc:Depends},
+  python3-distutils,
   python3-musicbrainzngs,
   python3-cdio,
   python3-requests,
@@ -31,8 +32,9 @@
   sox,
   cd-paranoia,
   cdrdao,
-Description: CD-DA ripper based
- Whipper is a Python 2.7 CD-DA ripper based on the morituri project
+  flac
+Description: CD ripping utility focusing on accuracy over speed
+ Whipper is a Python CD-DA ripper based on the morituri project
  (CDDA ripper for *nix systems aiming for accuracy over speed). It enhances
  morituri which development seems to have halted merging old ignored pull
  requests, improving it with bugfixes and new features.
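Review bot: `+  flac` is appended as the last Depends element without a trailing comma while every other element in the field ends in one (`cdrdao,` just above it); writing `+  flac,` keeps the list style consistent and means the next addition does not have to touch this line. Since the Description is being rewritten in this hunk anyway, the unchanged continuation `morituri which development seems to have halted merging old ignored pull requests` could be straightened at the same time, for example `morituri, whose development seems to have halted, by merging old ignored pull requests`.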


Bug#988938: RM: 4store -- ROM; dead upstream

2021-05-21 Thread Jonas Smedegaard
Package: ftp.debian.org
Severity: normal


Hi ftpmasters,

Please drop source package 4store from Debian unstable.

Upstream is dead: Last release was in 2015, source tracker saw no
changes since 2017, and issue tracker was last active in 2018.

The package should have no reverse dependencies.


 - Jonas




Bug#988770: python3-hawkey-doc: broken symlinks: /usr/share/doc/python3-hawkey-doc/html/_static/{jquery,underscore}.js

2021-05-21 Thread Mihai Moldovan
* On 5/21/21 7:32 PM, Frédéric Pierret wrote:
> I'll try to fix that quickly, thank you.

Yep, just a matter of adding libjs-jquery and libjs-underscore to Depends on
python3-hawkey-doc. I've done that on my weird, stretch-based setup with the
initial dnf 4.0.9 version.


> BTW, Mihai, may I change anything for you to not be pinged on every issue?

I don't mind being pinged per se. I just can't really take action.

When I see issues, I typically apply fixes to my local package, but naturally
that won't help other Debian users. :)



Mihai





Bug#954824: chromium: Enable PipeWire support in WebRTC

2021-05-21 Thread Sebastian Reichel
Package: chromium
Version: 90.0.4430.212-1
Followup-For: Bug #954824
Control: tags -1 patch

Hi,

The patch from Riccardo Magliocchetti works, the 'rtc_pipewire_version=0.3'
is no longer needed. Building chromium with this does not add any extra
build depends, since the library is loaded via dlopen. Also it is
runtime disabled by default using chromium's flag system. Last but not
least, Debian's Firefox has this enabled.

Screen sharing functionality is especially interesting while many people
are working from home due to Covid-19, so IMHO this should be enabled ASAP.

Thanks,

-- Sebastian



Bug#988923: RFS: distorm3/3.5.2b-1 -- powerful disassembler library for x86/AMD64 binary streams (Python3 bindings)

2021-05-21 Thread Lin Qigang
Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for the orphaned package "distorm3":

 * Package name: distorm3
   Version : 3.5.2b-1
   Upstream Author : Gil Dabah 
 * URL : https://github.com/gdabah/distorm
 * License : BSD-3-Clause, GPL-3+
 * Vcs : https://salsa.debian.org/debian/distorm3
   Section : libs

It builds those binary packages:

  libdistorm3-3 - powerful disassembler library for x86/AMD64 binary streams
  libdistorm3-dev - powerful disassembler library for x86/AMD64 binary streams (development files)
  python3-distorm3 - powerful disassembler library for x86/AMD64 binary streams (Python3 bindings)

To access further information about this package, please visit the following URL:

  https://mentors.debian.net/package/distorm3/

Alternatively, one can download the package with dget using this command:

  dget -x https://mentors.debian.net/debian/pool/main/d/distorm3/distorm3_3.5.2b-1.dsc

Changes since the last upload:

 distorm3 (3.5.2b-1) unstable; urgency=medium
 .
   * New upstream release.
   * Removed fix_init_python patch
   * debian/patches: Added patch to update the library version number
   * debian/*.links: Updated symbolic links to new upstream version
   * debian/not-installed: Account for varying python3 directory naming scheme
   * debian/patches: Added makefile library version fix patch
   * debian/libdistorm3-3.symbols: Updated symbols to 3.5.2b
   * debian/python3-distorm: Account for varying python3 directory naming scheme
   * debian/rules: Account for upstream build changes
   * debian/copyright: Updated packaging copyright years
   * debian/control: Updated maintainer
   * Release to unstable

Regards,
-- 

  Lin Qigang

Lin Qigang 
GPG Fingerprint:  8CAD 1250 8EE0 3A41 7223  03EC 7096 F91E D75D 028F



Bug#988764: cups-browsed: apparmor blocks access to /usr/share/{cups/,}/locale

2021-05-21 Thread Mike Gabriel

Hi OdyX,

On Fri 21 May 2021 16:45:46 CEST, Didier 'OdyX' Raboud wrote:

> On Friday, 21 May 2021, 16.26:12 h CEST Mike Gabriel wrote:
>
> > Basically, why not? It clutters syslog. It probably won't have
> > functional consequences, but still...
>
> Well. At this point of the freeze, I'd rather not burden the release
> team with such a non-"critical, grave, or serious" bug.
>
> https://lists.debian.org/debian-devel-announce/2021/05/msg0.html was 19
> days ago, and has
>
> > As the release draws nearer, fixes for non-RC bugs which do not affect a
> > package's general usability will increasingly be deferred or rejected.
>
> Feel free to ask if you feel strongly enough about this, I'll upload if it's
> accepted!
>
> Cheers,
> --
> OdyX

Alright then. Minor issue.

Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de





Bug#978166: Updated package

2021-05-21 Thread Stefano Rivera
Hi eloy (2021.05.08_05:58:59_-0400)
> There's updated package released in salsa.debian.org
> https://salsa.debian.org/debian/whipper/-/tree/debian/0.9.0-7 but I
> have problems with uploading it into ftp debian.org. Until I resolve
> problems with uploading someone can take build from there and upload it.

I added a fix for #971628 and sponsored the upload.

The changelog is kind of weird, it has many uploads in it that never hit
the Debian archive... Without knowing the back-story, I didn't fold them
into a -5, but kept it as -7.

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272



Bug#988937: micro-evtd: beeps and runs the fan randomly

2021-05-21 Thread Ryan Tandy
Package: micro-evtd
Version: 3.4-4
Severity: normal

While testing the recent micro-evtd changes I noticed that this problem 
still happens in buster and bullseye. After some hours or days of 
uptime, the box sometimes beeps and runs the fan, for no apparent 
reason. Sometimes it beeps once, other times continuously.

I think these are the same root cause:

https://lists.debian.org/debian-arm/2017/02/msg00038.html
https://lists.debian.org/debian-arm/2019/04/msg5.html

The symptoms might vary by hardware.

I set DEBUG=2 in micro-evtd.conf and confirmed that micro-evtd is 
causing the beeping, e.g. /var/log/micro-evtd:

Wed May 19 19:21:46 PDT 2021 B 200 0 micon
Wed May 19 19:21:50 PDT 2021 B 201 0 micon
Wed May 19 19:21:52 PDT 2021 B 200 0 micon
Wed May 19 19:21:54 PDT 2021 B 201 0 micon

I am not running with iomem=relaxed, so micro-evtd uses the fallback 
button detection method instead of /dev/mem. I think there is something 
wrong with the button detection in this path.

I can't remember if we ever discussed whether there is some modern way 
of accessing the GPIO. Would it require more kernel changes?



Bug#988936: buster-pu: package mqtt-client/1.14-1

2021-05-21 Thread Abhijith PA
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org

Hello Stable release team,

I would like to update mqtt-client in buster for fixing CVE-2019-0222. 
It is fixed in stretch, bullseye and sid. Right now stretch-security 
has a newer version (1.14-1+9u1) than buster, breaking clean upgrades 
to buster. CVE-2019-0222 is no-dsa, thus using pu. The Vcs field URL is 
also updated.

Debdiff is attached. Please allow me to upload this fix to buster.


--abhijith

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.9.0-4-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru mqtt-client-1.14/debian/changelog mqtt-client-1.14/debian/changelog
--- mqtt-client-1.14/debian/changelog   2016-07-19 13:30:10.0 +0530
+++ mqtt-client-1.14/debian/changelog   2021-05-21 21:59:49.0 +0530
@@ -1,3 +1,13 @@
+mqtt-client (1.14-1+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2019-0222: unmarshalling corrupt MQTT frame can lead to
+broker Out of Memory exception making it unresponsive.
+(Closes: #988109)
+  * Update Vcs-* URL in d/control.
+
+ -- Abhijith PA   Fri, 21 May 2021 21:59:49 +0530
+
 mqtt-client (1.14-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru mqtt-client-1.14/debian/control mqtt-client-1.14/debian/control
--- mqtt-client-1.14/debian/control 2016-07-19 13:28:53.0 +0530
+++ mqtt-client-1.14/debian/control 2021-05-21 21:59:49.0 +0530
@@ -10,8 +10,8 @@
libmaven-bundle-plugin-java,
maven-debian-helper (>= 1.5)
 Standards-Version: 3.9.8
-Vcs-Git: https://anonscm.debian.org/git/pkg-java/mqtt-client.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/mqtt-client.git
+Vcs-Git: https://salsa.debian.org/java-team/mqtt-client.git
+Vcs-Browser: https://salsa.debian.org/java-team/mqtt-client
 Homepage: http://mqtt-client.fusesource.org
 
 Package: libmqtt-client-java
diff -Nru mqtt-client-1.14/debian/patches/CVE-2019-0222.patch 
mqtt-client-1.14/debian/patches/CVE-2019-0222.patch
--- mqtt-client-1.14/debian/patches/CVE-2019-0222.patch 1970-01-01 
05:30:00.0 +0530
+++ mqtt-client-1.14/debian/patches/CVE-2019-0222.patch 2021-05-21 
21:59:02.0 +0530
@@ -0,0 +1,21 @@
+Description: CVE-2019-0222
+
+ unmarshalling corrupt MQTT frame can lead
+ to broker Out of Memory exception making it unresponsive.
+
+Author: Abhijith PA 
+
+diff --git 
a/mqtt-client/src/main/java/org/fusesource/mqtt/codec/MessageSupport.java 
b/mqtt-client/src/main/java/org/fusesource/mqtt/codec/MessageSupport.java
+index 
08fb8391abbbdb365310cda08373b3a7e4befc3e..a0a5e8ee4cec70d37b9c451e9f2bd02010107dfa
 100644
+--- a/mqtt-client/src/main/java/org/fusesource/mqtt/codec/MessageSupport.java
 b/mqtt-client/src/main/java/org/fusesource/mqtt/codec/MessageSupport.java
+@@ -62,6 +62,9 @@ public final class MessageSupport {
+ 
+ static protected UTF8Buffer readUTF(DataByteArrayInputStream is) throws 
ProtocolException {
+ int size = is.readUnsignedShort();
++if (size < 0) {
++throw new ProtocolException("Invalid message encoding");
++}
+ Buffer buffer = is.readBuffer(size);
+ if (buffer == null || buffer.length != size) {
+ throw new ProtocolException("Invalid message encoding");
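Review bot: the `if (size < 0)` guard added right after `int size = is.readUnsignedShort();` does not look reachable, because an unsigned-short read yields a value in 0..65535 by contract, so as written the patch would not change behaviour on a corrupt frame; if the goal is to stop an oversized length field from driving the allocation in `is.readBuffer(size)`, compare `size` against the bytes still available in the stream before that call instead (the existing `buffer.length != size` test only detects the short read after the allocation has happened). Please also add `Origin:` and `Bug:`/`Bug-Debian:` lines to the DEP-3 header, so the change can be matched against the upstream fix for CVE-2019-0222 rather than read as a local rewrite.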
diff -Nru mqtt-client-1.14/debian/patches/series 
mqtt-client-1.14/debian/patches/series
--- mqtt-client-1.14/debian/patches/series  1970-01-01 05:30:00.0 
+0530
+++ mqtt-client-1.14/debian/patches/series  2021-05-21 21:59:02.0 
+0530
@@ -0,0 +1 @@
+CVE-2019-0222.patch




Bug#988764: cups-browsed: apparmor blocks access to /usr/share/{cups/,}/locale

2021-05-21 Thread Mike Gabriel

Hi OdyX,

On Fri 21 May 2021 15:59:04 CEST, Didier 'OdyX' Raboud wrote:

> Control: tags -1 +pending
>
> Hello Mike, and thanks for your patch-provided bug report.
>
> On Wednesday, 19 May 2021, 12.33:10 h CEST Mike Gabriel wrote:
>
> > With CUPS on buster and bullseye I see these messages in /var/log/syslog:
> >
> > May 19 12:26:12 server03 kernel: [4563725.605605] audit: type=1400
> > audit(1621419972.056:193): apparmor="DENIED" operation="open"
> > profile="/usr/sbin/cups-browsed" name="/usr/share/cups/locale/"
> > pid=17771 comm="cups-browsed" requested_mask="r" denied_mask="r"
> > fsuid=0 ouid=0
> > May 19 12:26:12 server03 kernel: [4563725.606138] audit: type=1400
> > audit(1621419972.056:194): apparmor="DENIED" operation="open"
> > profile="/usr/sbin/cups-browsed" name="/usr/share/locale/" pid=17771
> > comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> > May 19 12:27:08 server03 systemd[1]: cups-browsed.service: Succeeded.
> >
> > These error messages / folder access blocks can be amended by this
> > change in /etc/apparmor.d/usr.sbin.cups-browsed: (…)
>
> I'll upload to experimental in a moment. I assume it doesn't warrant raising
> severity and aiming at Bullseye, right?

Basically, why not? It clutters syslog. It probably won't have
functional consequences, but still...


Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de



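The two AppArmor denials quoted in Mike Gabriel's report above are the kind of audit lines a maintainer turns into profile rules by hand. As an added example (it is not Mike's patch, which is elided above, and not part of the cups-browsed packaging), the following Python parses such syslog lines into structured denials and suggests the file rule that would allow exactly the denied access, merging permission masks when the same path is denied more than once under the same profile. The sample input embeds the two lines from the report, re-joined onto single lines; the rule format and the decision to emit only the denied object rather than a `**` glob are the example's own choices.

```python
import re
from dataclasses import dataclass

# The two apparmor="DENIED" lines quoted in the bug report (unwrapped onto one
# line each) plus the unrelated systemd line that follows them in syslog.
SAMPLE_SYSLOG = """\
May 19 12:26:12 server03 kernel: [4563725.605605] audit: type=1400 audit(1621419972.056:193): apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/usr/share/cups/locale/" pid=17771 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 19 12:26:12 server03 kernel: [4563725.606138] audit: type=1400 audit(1621419972.056:194): apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/usr/share/locale/" pid=17771 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 19 12:27:08 server03 systemd[1]: cups-browsed.service: Succeeded.
"""

# key=value pairs as audit writes them: the value is either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Letter order used when rendering a merged mask (AppArmor accepts any order;
# a fixed order just keeps the output stable and diffable).
MASK_ORDER = "rwaklmixpcu"


@dataclass(frozen=True)
class Denial:
    profile: str
    path: str
    mask: str
    operation: str
    comm: str


def parse_denials(text):
    """Return one Denial per apparmor="DENIED" line; every other line is skipped."""
    denials = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {}
        for key, quoted, bare in KV_RE.findall(line):
            fields[key] = bare or quoted
        if "profile" not in fields or "name" not in fields:
            continue  # denial of a non-file object (capability, network, ...): not handled here
        denials.append(Denial(
            profile=fields["profile"],
            path=fields["name"],
            mask=fields.get("denied_mask") or fields.get("requested_mask", ""),
            operation=fields.get("operation", ""),
            comm=fields.get("comm", ""),
        ))
    return denials


def merge_masks(a, b):
    """Union of two permission masks, rendered in canonical order."""
    letters = set(a) | set(b)
    return "".join(sorted(letters, key=lambda c: (MASK_ORDER.find(c), c)))


def format_rule(path, mask):
    """Render one file rule; a path containing whitespace must be quoted in a profile."""
    quoted = f'"{path}"' if re.search(r"\s", path) else path
    return f"{quoted} {mask},"


def suggest_rules(denials):
    """Map profile -> sorted list of file rules allowing exactly the denied accesses.

    Denials of the same path under the same profile collapse into a single rule
    whose mask is the union of the individual masks. The rule names the denied
    object itself (here a directory read); widening it to a `**` glob is a
    judgement for the profile author, so it is deliberately not done here.
    """
    wanted = {}  # (profile, path) -> merged mask
    for d in denials:
        key = (d.profile, d.path)
        wanted[key] = merge_masks(wanted.get(key, ""), d.mask)
    rules = {}
    for (profile, path), mask in sorted(wanted.items()):
        rules.setdefault(profile, []).append(format_rule(path, mask))
    return rules


if __name__ == "__main__":
    for profile, rules in suggest_rules(parse_denials(SAMPLE_SYSLOG)).items():
        print(f"# rules to review for profile {profile}")
        for rule in rules:
            print("  " + rule)
```

Run against the report's two lines it proposes `/usr/share/cups/locale/ r,` and `/usr/share/locale/ r,` for the `/usr/sbin/cups-browsed` profile; whether the files below those directories also need a rule is something the next denial, not this script, will tell you, which is the same trade-off `aa-logprof` asks about interactively.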


Bug#988935: gftp-{gtk,text}: broken symlinks: /usr/share/doc/gftp-gtk/* -> ../gftp-common/*

2021-05-21 Thread Andreas Beckmann
Package: gftp-gtk,gftp-text
Version: 2.7.0b-1
Severity: normal
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package ships (or creates)
a broken symlink.

From the attached log (scroll to the bottom...):

5m17.8s ERROR: FAIL: Broken symlinks:
  /usr/share/doc/gftp-gtk/README.gz -> ../gftp-common/README.gz (gftp-gtk)
  /usr/share/doc/gftp-gtk/THANKS -> ../gftp-common/THANKS (gftp-gtk)
  /usr/share/doc/gftp-gtk/TODO -> ../gftp-common/TODO (gftp-gtk)
  /usr/share/doc/gftp-gtk/examples/parse-netrc.pl -> 
../../gftp-common/examples/parse-netrc.pl (gftp-gtk)

4m34.1s ERROR: FAIL: Broken symlinks:
  /usr/share/doc/gftp-text/README.gz -> ../gftp-common/README.gz (gftp-text)
  /usr/share/doc/gftp-text/THANKS -> ../gftp-common/THANKS (gftp-text)
  /usr/share/doc/gftp-text/TODO -> ../gftp-common/TODO (gftp-text)
  /usr/share/doc/gftp-text/examples/parse-netrc.pl -> 
../../gftp-common/examples/parse-netrc.pl (gftp-text)

The targeted files are not (any more?) shipped by gftp-common.


cheers,

Andreas


gftp-gtk_2.7.0b-1.log.gz
Description: application/gzip


Bug#988934: U+629B U+62CB show the same character

2021-05-21 Thread 積丹尼 Dan Jacobson
Package: xfonts-wqy
Version: 1.0.0~rc1-7

Why do I see the same character for both
U+629B, U+62CB ?

$ unicode -v U+629B U+62CB |grep -i strokes
kTotalStrokes: 7
kTotalStrokes: 8

For both I only see the latter (8).



Bug#988933: deb-scrub-obsolete: when drop versioned dependencies for essential packages, drop entire dependency

2021-05-21 Thread Jelmer Vernooij
Package: lintian-brush
Version: 0.104
Severity: normal

See 
https://salsa.debian.org/pkg-netfilter-team/pkg-nftables/-/merge_requests/5#note_239505

When dropping versioned dependencies on packages that are essential (and were
already essential in the upgrade-release), drop the entire dependency.


-- System Information:
Debian Release: 11.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-4-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lintian-brush depends on:
ii  devscripts   2.21.2
ii  python3  3.9.2-3
ii  python3-breezy   3.2.0-1
ii  python3-debian   0.1.39
ii  python3-debmutate0.34
ii  python3-distro-info  1.0
ii  python3-dulwich  0.20.15-1
ii  python3-iniparse 0.4-3
ii  python3-ruamel.yaml  0.16.12-2
ii  python3-upstream-ontologist  0.1.18-1

Versions of packages lintian-brush recommends:
ii  decopy   0.2.4.4-0.1
ii  dos2unix 7.4.1-1
ii  gpg  2.2.27-2
ii  libdebhelper-perl13.3.4
ii  lintian  2.104.0
ii  ognibuild0.0.5-1
ii  python3-asyncpg  0.21.0-1+b2
ii  python3-bs4  4.9.3-1
ii  python3-docutils 0.16+dfsg-4
ii  python3-levenshtein  0.12.2-1
ii  python3-lxml 4.6.3-1
ii  python3-markdown 3.3.4-1
ii  python3-pyinotify0.9.6-1.3

Versions of packages lintian-brush suggests:
pn  breezy-debian  
pn  gnome-pkg-tools
ii  po-debconf 1.0.21+nmu1
ii  postgresql-common  225

-- no debconf information



Bug#988932: deb-scrub-obsolete: should not strip trailing commas in dependencies

2021-05-21 Thread Jelmer Vernooij
Package: lintian-brush
Version: 0.104
Severity: normal

See https://salsa.debian.org/postgresql/psqlodbc/-/merge_requests/1:

deb-scrub-obsolete should not strip commas.

This happens because at the moment it drops dependencies first and then
removes any empty elements in the list. It should just drop dependencies and
remove an element from the list *only* if the drop has caused that element to
become empty.


-- System Information:
Debian Release: 11.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-4-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lintian-brush depends on:
ii  devscripts   2.21.2
ii  python3  3.9.2-3
ii  python3-breezy   3.2.0-1
ii  python3-debian   0.1.39
ii  python3-debmutate0.34
ii  python3-distro-info  1.0
ii  python3-dulwich  0.20.15-1
ii  python3-iniparse 0.4-3
ii  python3-ruamel.yaml  0.16.12-2
ii  python3-upstream-ontologist  0.1.18-1

Versions of packages lintian-brush recommends:
ii  decopy   0.2.4.4-0.1
ii  dos2unix 7.4.1-1
ii  gpg  2.2.27-2
ii  libdebhelper-perl13.3.4
ii  lintian  2.104.0
ii  ognibuild0.0.5-1
ii  python3-asyncpg  0.21.0-1+b2
ii  python3-bs4  4.9.3-1
ii  python3-docutils 0.16+dfsg-4
ii  python3-levenshtein  0.12.2-1
ii  python3-lxml 4.6.3-1
ii  python3-markdown 3.3.4-1
ii  python3-pyinotify0.9.6-1.3

Versions of packages lintian-brush suggests:
pn  breezy-debian  
pn  gnome-pkg-tools
ii  po-debconf 1.0.21+nmu1
ii  postgresql-common  225

-- no debconf information
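Both lintian-brush reports above (#988933 on Essential packages and #988932 on trailing commas) describe how deb-scrub-obsolete should edit a Depends-style field. As an added example, not lintian-brush's own code, here is a small field scrubber that implements both rules. The release versions and the Essential set are constructed for the example, and the version comparison is a deliberate simplification of dpkg's ordering (no epochs, no `~`, no letter/digit subtleties), stated in the code.

```python
import re

# Constructed for this example (not from the page): the versions shipped by
# the release being scrubbed against, i.e. the oldest release an upgrade can
# start from, and the packages that are Essential: yes there.
RELEASE_VERSIONS = {
    "debhelper": "13.3.4",
    "python3": "3.9.2-3",
    "coreutils": "8.32-4",
    "dpkg": "1.20.9",
}
ESSENTIAL = {"coreutils", "dpkg"}

# name[:arch] [(op version)] [rest]   where rest is e.g. "[amd64]" or "<!nocheck>"
DEP_RE = re.compile(
    r"^(?P<pkg>[a-z0-9][a-z0-9+.-]*)(?P<arch>:[a-z0-9-]+)?\s*"
    r"(?:\((?P<op>[<>=]+)\s*(?P<ver>[^)]+)\))?(?P<rest>.*)$"
)


def version_key(version):
    """Simplified comparison key: digit runs compare as integers, letter runs as text.

    Assumption of this example: the real tool defers to dpkg's version
    comparison (epochs, '~', revisions), which this key does not model.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def satisfied_by_release(pkg, op, ver):
    """True when the release already meets a '>=' / '>>' constraint, making it obsolete."""
    have = RELEASE_VERSIONS.get(pkg)
    if have is None or op not in (">=", ">>"):
        return False
    if op == ">>":
        return version_key(have) > version_key(ver)
    return version_key(have) >= version_key(ver)


def parse_dep(alt):
    m = DEP_RE.match(alt.strip())
    if not m:
        raise ValueError(f"cannot parse dependency {alt!r}")
    pkg = m.group("pkg") + (m.group("arch") or "")
    return pkg, m.group("op"), (m.group("ver") or "").strip(), m.group("rest").strip()


def format_dep(pkg, op, ver, rest):
    parts = [pkg]
    if op:
        parts.append(f"({op} {ver})")
    if rest:
        parts.append(rest)
    return " ".join(parts)


def split_depends(value):
    """Split a field into its comma-separated elements and remember whether it
    ended with a comma (#988932: that comma must survive the scrub)."""
    text = value.strip()
    trailing = text.endswith(",")
    if trailing:
        text = text[:-1]
    return [e.strip() for e in text.split(",") if e.strip()], trailing


def scrub_field(value):
    """Drop obsolete version constraints from a Depends-style field.

    * a '>=' / '>>' constraint the release already satisfies is dropped;
    * if that leaves an unversioned Essential package among the alternatives,
      the whole element is dropped, not just the constraint (#988933);
    * elements disappear only when scrubbing made them pointless, and the
      field's trailing comma is kept (#988932).
    """
    elements, trailing = split_depends(value)
    kept = []
    for element in elements:
        new_alts = []
        trivially_met = False
        for alt in element.split("|"):
            pkg, op, ver, rest = parse_dep(alt)
            name = pkg.split(":")[0]
            if op and satisfied_by_release(name, op, ver):
                op, ver = None, ""          # constraint is obsolete: drop it
            if op is None and name in ESSENTIAL:
                trivially_met = True        # Essential packages are always present
            new_alts.append(format_dep(pkg, op, ver, rest))
        if trivially_met:
            continue
        kept.append(" | ".join(new_alts))
    if not kept:
        return ""                           # caller should remove the field entirely
    return ", ".join(kept) + ("," if trailing else "")


if __name__ == "__main__":
    field = "debhelper (>= 12), python3-foo, coreutils (>= 8.30),"
    print("before:", field)
    print("after: ", scrub_field(field))
```

Note that the trailing comma is decided once, from the original text, and re-applied after the edit; doing it that way sidesteps the "remove empty elements afterwards" step that the second report identifies as the source of the lost comma.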



Bug#988770: python3-hawkey-doc: broken symlinks: /usr/share/doc/python3-hawkey-doc/html/_static/{jquery,underscore}.js

2021-05-21 Thread Frédéric Pierret

Hi,

On 5/20/21 at 6:44 AM, Mihai Moldovan wrote:

> * On 5/19/21 1:46 PM, Andreas Beckmann wrote:
>
> > Package: python3-hawkey-doc
> > Version: 0.55.2-6
> > [...]
> > during a test with piuparts I noticed your package ships (or creates)
> > a broken symlink.
> > [...]
> > Is python3-hawkey-doc missing a Depends/Recommends/Suggests: libjs-jquery,
> > libjs-underscore ?
>
> Yes, it is. Thanks for catching that.
>
> Disclaimer: while I'm listed as the maintainer since I did the initial
> packaging, I explicitly mentioned in the ITP that I'm not a DD and can't
> actually maintain that package (not just because of the lack of access, but most
> importantly time on my part).
>
> Mihai

I'll try to fix that quickly, thank you.

BTW, Mihai, may I change anything for you to not be pinged on every issue?

Best regards,
Frédéric





Bug#988750: YAML dependencies should be optional/suggested

2021-05-21 Thread gregor herrmann
Control: forwarded -1 https://rt.cpan.org/Ticket/Display.html?id=136486

On Wed, 19 May 2021 10:09:54 +1000, dc...@prosentient.com.au wrote:

> The Debian package requires that libyaml-perl or libyaml-syck-perl be
> installed, but it is possible to use this package without either of those
> YAML modules. You can specify your own YAML parser (like YAML::XS). 

Thanks for bringing this up.
 
> There is some discussion about this on CPAN:
> https://rt.cpan.org/Ticket/Display.html?id=136485
> https://rt.cpan.org/Ticket/Display.html?id=136486

It's a bit tricky from a packaging point of view; I've replied in
https://rt.cpan.org/Ticket/Display.html?id=136486
and I'm looking forward to working with Tina on this issue.
 

Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   NP: Diana Krall: Come Dance With Me




Bug#988885: CVE-2021-31323 CVE-2021-31322 CVE-2021-31321 CVE-2021-31320 CVE-2021-31319 CVE-2021-31318 CVE-2021-31317 CVE-2021-31315

2021-05-21 Thread Nicholas Guriev
Hello! Thank you for pointing out these CVEs.

I investigated deeper into the issues and reviewed the code as of
0.1+dfsg-1 version of the package. Luckily, most of these issues are not
related to rlottie as currently packaged in Debian.

Below are some of my notes. They do not imply 100% guarantee, and real
tests are needed.

CVE-2021-31323:
Code was refactored. mData is now an std::vector that is extended before
the parseProperty() call.
  
https://sources.debian.org/src/rlottie/0.1+dfsg-1/src/lottie/lottieparser.cpp/#L1741

CVE-2021-31322, CVE-2021-31319:
Seems unaffected due to checking added by Fix-crash-on-invalid-
data.patch
  
https://sources.debian.org/src/rlottie/0.1+dfsg-1/src/lottie/lottiemodel.cpp/#L248

CVE-2021-31320:
The mentioned while loop has been enhanced by Fix-crash-on-invalid-
data.patch
  
https://sources.debian.org/src/rlottie/0.1+dfsg-1/src/vector/vdrawhelper.cpp/#L168

CVE-2021-31318:
Seems unaffected, because Fix-crash-on-invalid-data.patch inserts type
checking before static_cast<> operator.
  
https://sources.debian.org/src/rlottie/0.1+dfsg-1/src/lottie/lottieitem.cpp/#L454

CVE-2021-31315:
Seems to be already fixed by Check-buffer-length.patch
  https://sources.debian.org/src/rlottie/0.1+dfsg-1/src/vector/vrle.cpp/#L559

CVE-2021-31321:
Code differs, but bez_stack is an array of constant size in the
gray_TWorker structure. It is twice the size mentioned in the
advisory. However, the vulnerability may still be present.
  
https://sources.debian.org/src/rlottie/0.1+dfsg-1/src/vector/freetype/v_ft_raster.cpp/#L308

CVE-2021-31317:
Not fixed. Need tests.


As for the penultimate bug, I think it would be better to dispose of
bundled freetype code and rely solely on libfreetype already packaged in
Debian. But this may require a lot of changes that are unacceptable
during freeze.

Also note, these issues are all described in the context of the Telegram
Android client. Nowadays, telegram-desktop is the only package in the Debian
main archive that depends on rlottie. Telegram Desktop does not support end-
to-end encrypted secret chats, and so incoming animated stickers are
subject to filtering by Telegram servers. Because of this, a remote
attack is a little more difficult.

There is another thing. For Debian, rlottie is built without a redefined
RAPIDJSON_ASSERT macro, in contrast to upstream Telegram Desktop. By
default the macro expands to abort() function call. This fact may result
in additional SIGABRT crashes on invalid input data. But it will protect
against more dangerous failures.

  
https://github.com/desktop-app/cmake_helpers/blob/ac193a597d6b953f9869a240e21e275ce6e388cb/external/rlottie/CMakeLists.txt#L116





Bug#988930: freezer-api-doc: broken symlinks: /usr/share/doc/freezer-api-doc/html/_static/* -> ../../../../python-os-api-ref/*

2021-05-21 Thread Andreas Beckmann
Package: freezer-api-doc
Version: 
Severity: normal
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package ships (or creates)
a broken symlink.

From the attached log (scroll to the bottom...):

0m39.3s ERROR: FAIL: Broken symlinks:
  /usr/share/doc/freezer-api-doc/html/_static/api-site.css -> 
../../../../python-os-api-ref/api-site.css (freezer-api-doc)
  /usr/share/doc/freezer-api-doc/html/_static/api-site.js -> 
../../../../python-os-api-ref/api-site.js (freezer-api-doc)
  /usr/share/doc/freezer-api-doc/html/_static/combobox.js -> 
../../../../python-os-api-ref/combobox.js (freezer-api-doc)

Is freezer-api-doc missing a dependency on python-os-api-ref-common ?


cheers,

Andreas


freezer-api-doc_9.0.0-2.log.gz
Description: application/gzip


Bug#988928: grass-doc: broken symlink: /usr/share/doc/grass-doc/html/jquery -> ../../../javascript/jquery

2021-05-21 Thread Sebastiaan Couwenberg
Control: tags -1 pending

On 5/21/21 6:27 PM, Andreas Beckmann wrote:
> Is grass-doc missing a dependency on libjs-jquery ?

Yes, and it's fixed in git.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1



Bug#988929: jverein: broken symlinks: /usr/share/jameica/plugins/jverein/lib/*-*.jar -> ../../../../java/*.jar

2021-05-21 Thread Andreas Beckmann
Package: jverein
Version: 2.8.18+git20200921.6212a59+dfsg-3
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package ships (or creates)
a broken symlink.

From the attached log (scroll to the bottom...):

1m38.1s ERROR: FAIL: Broken symlinks:
  /usr/share/jameica/plugins/jverein/lib/bsh-core-2.0b4.jar -> 
../../../../java/bsh.jar (jverein)
  /usr/share/jameica/plugins/jverein/lib/core-3.1.0.jar -> 
../../../../java/core.jar (jverein)
  /usr/share/jameica/plugins/jverein/lib/csvjdbc.jar -> 
../../../../java/csvjdbc.jar (jverein)
  /usr/share/jameica/plugins/jverein/lib/ez-vcard-0.9.5.jar -> 
../../../../java/ez-vcard.jar (jverein)
  /usr/share/jameica/plugins/jverein/lib/freemarker-2.3.23.jar -> 
../../../../java/freemarker.jar (jverein)
  /usr/share/jameica/plugins/jverein/lib/jackson-core-2.6.1.jar -> 
../../../../java/jackson-core.jar (jverein)
  /usr/share/jameica/plugins/jverein/lib/javase-3.1.0.jar -> 
../../../../java/javase.jar (jverein)
  /usr/share/jameica/plugins/jverein/lib/javax.mail-1.6.2.jar -> 
../../../../java/javax.mail.jar (jverein)
  /usr/share/jameica/plugins/jverein/lib/joda-time-2.3.jar -> 
../../../../java/joda-time.jar (jverein)
  /usr/share/jameica/plugins/jverein/lib/jollyday-0.4.7.jar -> 
../../../../java/jollydday.jar (jverein)
  /usr/share/jameica/plugins/jverein/lib/junit-4.8.1.jar -> 
../../../../java/junit4.jar (jverein)
  /usr/share/jameica/plugins/jverein/lib/nc.jar -> ../../../../java/nc.jar 
(jverein)
  /usr/share/jameica/plugins/jverein/lib/snakeyaml-1.13.jar -> 
../../../../java/snakeyaml.jar (jverein)
  /usr/share/jameica/plugins/jverein/lib/vinnie-2.0.1.jar -> 
../../../../java/vinnie.jar (jverein)

There seem to be a bunch of dependencies on *-java packages missing.
If all these are purely optional, feel free to downgrade the severity
and add Recommends/Suggests on the missing packages.

cheers,

Andreas


jverein_2.8.18+git20200921.6212a59+dfsg-3.log.gz
Description: application/gzip


Bug#988083: unblock: micro-evtd/3.4-6

2021-05-21 Thread Roger Shimizu
control: tags -1 -moreinfo

On Thu, May 20, 2021 at 4:57 AM Paul Gevers  wrote:
>
> Control: tags -1 moreinfo
>
> Hi Ryan,
>
> On 06-05-2021 07:33, Ryan Tandy wrote:
> > #988119: the daemon creates its pid and status files with mode 666,
> > start-stop-daemon doesn't like that and refuses to stop the daemon.
> >
> > I don't know what the appropriate severity is for that one. If it's RC I
> > can make another upload to fix it.
>
> I suggest a new upload to fix that issue. But if it's no regression,
> maybe we can have the current version migrate first.

Yes, #988119 is not a regression issue.
I think it's better to let current version migrate first.
Current version doesn't have any feature change, so it's quite safe.

For #988119 I need some time to fix, and test to confirm it's safe to
deliver to bullseye.
Thanks for your understanding!

Cheers,
-- 
Roger Shimizu, GMT +9 Tokyo
PGP/GPG: 4096R/6C6ACD6417B3ACB1



Bug#988928: grass-doc: broken symlink: /usr/share/doc/grass-doc/html/jquery -> ../../../javascript/jquery

2021-05-21 Thread Andreas Beckmann
Package: grass-doc
Version: 7.8.5-1
Severity: normal
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package ships (or creates)
a broken symlink.

From the attached log (scroll to the bottom...):

7m47.0s ERROR: FAIL: Broken symlinks:
  /usr/share/doc/grass-doc/html/jquery -> ../../../javascript/jquery (grass-doc)

Is grass-doc missing a dependency on libjs-jquery?


cheers,

Andreas


grass-doc_7.8.5-1.log.gz
Description: application/gzip


Bug#988763: rxvt-unicode: Remote(?) code execution via ESC G Q

2021-05-21 Thread Ryan Kavanagh
Dear Paul,

I just uploaded rxvt-unicode 9.22-11, which includes a backported patch
from 9.26 disabling this escape sequence.

Best wishes,
Ryan



Bug#988926: unblock: pyyaml/5.3.1-4

2021-05-21 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: Scott Kitterman , Michael Hudson-Doyle 


Please unblock package pyyaml

pyyaml (5.3.1-4) unstable; urgency=medium

  * Team upload.

  [ Debian Janitor ]
  * Apply multi-arch hints.
+ python3-yaml-dbg: Add Multi-Arch: same.

  [ Stefano Rivera ]
  * Resolve CVE-2020-14343, more trivial RCEs in .load() and FullLoader.
(Closes: #966233)

 -- Stefano Rivera   Fri, 21 May 2021 11:11:00 -0400

[ Reason ]
Fixes a security issue (#966233, CVE-2020-14343).

Not expecting it to be 100% secure, that requires more significant API
changes, but at least it's a bit better.
https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation

[ Impact ]
Known RCE risk in a parsing library.

[ Tests ]
Manually tested that the example exploits are mitigated.

[ Risks ]
Haven't checked reverse-dependencies (there are a lot of them) for
breakage.

Ubuntu has carried this patch for a month, with no known issues.

I saw one issue mentioned on github, but that doesn't trigger an FTBFS
for us (no build-dep on pyyaml): 
https://github.com/networkx/networkx/issues/4569

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock pyyaml/5.3.1-4
diff -Nru pyyaml-5.3.1/debian/changelog pyyaml-5.3.1/debian/changelog
--- pyyaml-5.3.1/debian/changelog   2020-10-22 19:33:33.0 -0400
+++ pyyaml-5.3.1/debian/changelog   2021-05-21 11:11:00.0 -0400
@@ -1,3 +1,17 @@
+pyyaml (5.3.1-4) unstable; urgency=medium
+
+  * Team upload.
+
+  [ Debian Janitor ]
+  * Apply multi-arch hints.
++ python3-yaml-dbg: Add Multi-Arch: same.
+
+  [ Stefano Rivera ]
+  * Resolve CVE-2020-14343, more trivial RCEs in .load() and FullLoader.
+(Closes: #966233)
+
+ -- Stefano Rivera   Fri, 21 May 2021 11:11:00 -0400
+
 pyyaml (5.3.1-3) unstable; urgency=medium
 
   [ Ondřej Nový ]
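Review bot: the new changelog entry gives no hint that FullLoader remains only partially hardened after this change, which the unblock text itself concedes ("Not expecting it to be 100% secure"); suggest a NEWS entry or a sentence in the changelog pointing users of yaml.load()/FullLoader at safe_load for untrusted input, with a reference to the PyYAML-yaml.load(input)-Deprecation wiki page already cited in the request.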
diff -Nru pyyaml-5.3.1/debian/control pyyaml-5.3.1/debian/control
--- pyyaml-5.3.1/debian/control 2020-10-22 19:33:33.0 -0400
+++ pyyaml-5.3.1/debian/control 2021-05-21 11:11:00.0 -0400
@@ -25,6 +25,7 @@
 Section: debug
 Architecture: any
 Depends: python3-yaml (= ${binary:Version}), python3-dbg, ${shlibs:Depends}, 
${misc:Depends}
+Multi-Arch: same
 Description: YAML parser and emitter for Python3 (debug build)
  Python3-yaml is a complete YAML 1.1 parser and emitter for Python3.  It can
  parse all examples from the specification. The parsing algorithm is simple
diff -Nru pyyaml-5.3.1/debian/patches/cve-2020-14343.patch 
pyyaml-5.3.1/debian/patches/cve-2020-14343.patch
--- pyyaml-5.3.1/debian/patches/cve-2020-14343.patch1969-12-31 
20:00:00.0 -0400
+++ pyyaml-5.3.1/debian/patches/cve-2020-14343.patch2021-05-21 
11:11:00.0 -0400
@@ -0,0 +1,127 @@
+From: =?utf-8?q?Ingy_d=C3=B6t_Net?= 
+Date: Sat, 9 Jan 2021 10:53:23 -0500
+Subject: Fix for CVE-2020-14343
+
+Per suggestion https://github.com/yaml/pyyaml/issues/420#issuecomment-663888344
+move a few constructors from full_load to unsafe_load.
+
+Bug-Debian: https://bugs.debian.org/966233
+Bug-Upstream: https://github.com/yaml/pyyaml/issues/420
+Origin: upstream, 
https://github.com/yaml/pyyaml/commit/a001f2782501ad2d24986959f0239a354675f9dc
+---
+ lib/yaml/constructor.py  | 24 
+ lib3/yaml/constructor.py | 24 
+ tests/lib/test_recursive.py  |  2 +-
+ tests/lib3/test_recursive.py |  2 +-
+ 4 files changed, 26 insertions(+), 26 deletions(-)
+
+diff --git a/lib/yaml/constructor.py b/lib/yaml/constructor.py
+index 794681c..c42ee34 100644
+--- a/lib/yaml/constructor.py
 b/lib/yaml/constructor.py
+@@ -722,18 +722,6 @@ FullConstructor.add_multi_constructor(
+ u'tag:yaml.org,2002:python/name:',
+ FullConstructor.construct_python_name)
+ 
+-FullConstructor.add_multi_constructor(
+-u'tag:yaml.org,2002:python/module:',
+-FullConstructor.construct_python_module)
+-
+-FullConstructor.add_multi_constructor(
+-u'tag:yaml.org,2002:python/object:',
+-FullConstructor.construct_python_object)
+-
+-FullConstructor.add_multi_constructor(
+-u'tag:yaml.org,2002:python/object/new:',
+-FullConstructor.construct_python_object_new)
+-
+ class UnsafeConstructor(FullConstructor):
+ 
+ def find_python_module(self, name, mark):
+@@ -750,6 +738,18 @@ class UnsafeConstructor(FullConstructor):
+ return super(UnsafeConstructor, self).set_python_instance_state(
+ instance, state, unsafe=True)
+ 
++UnsafeConstructor.add_multi_constructor(
++u'tag:yaml.org,2002:python/module:',
++UnsafeConstructor.construct_python_module)
++
++UnsafeConstructor.add_multi_constructor(
++u'tag:yaml.org,2002:python/object:',
++UnsafeConstructor.construct_python_object)
++
++UnsafeConstructor.add_multi_constructor(
++
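Review bot: `python/name:` stays registered on FullConstructor in the unchanged context at the top of this hunk (`FullConstructor.add_multi_constructor(u'tag:yaml.org,2002:python/name:', FullConstructor.construct_python_name)`), so after the patch FullLoader can still resolve arbitrary dotted Python names and only `python/module:`, `python/object:` and `python/object/new:` move to UnsafeConstructor; that residual exposure should be stated explicitly in the patch description or NEWS so reverse-dependencies know to prefer safe_load. Separately, the hunk header announces 127 lines covering lib3/yaml/constructor.py and both test_recursive.py files, but the attached debdiff stops after the first UnsafeConstructor registration, so the lib3 side and the test changes cannot be reviewed from what is here; please re-attach the complete debdiff.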

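A practical follow-up to the loader change discussed in this request is to find out which YAML documents under your control actually rely on `python/*` tags before switching callers to safe_load or upgrading. The scanner below is an added example written for this page, not PyYAML code and not part of the Debian upload; it classifies tags using only what the lib/yaml/constructor.py hunk shows (module, object and object/new move to UnsafeConstructor, python/name stays on FullConstructor) and treats every other python/* tag generically. It needs only the standard library, so it runs without PyYAML installed; the sample document is constructed for illustration.

```python
"""Pre-parse scan of YAML text for PyYAML python/* tags (added example).

Not PyYAML code. The loader classification is taken only from the
lib/yaml/constructor.py hunk in the debdiff above: module, object and
object/new are moved to UnsafeConstructor, python/name remains on
FullConstructor. Other python/* tags are reported but not classified.
"""
import re
from collections import Counter

# Both spellings PyYAML resolves to tag:yaml.org,2002:python/<kind>[:<target>]:
#   !!python/object:pkg.Cls                    (the '!!' shorthand)
#   !<tag:yaml.org,2002:python/object:pkg.Cls> (verbatim tag)
TAG_RE = re.compile(
    r"(?:!!python/|!<tag:yaml\.org,2002:python/)"
    r"(?P<kind>[A-Za-z_/]+)"       # e.g. name, object, object/new, tuple
    r"(?::(?P<target>[^\s>]*))?"   # optional dotted Python path
    r">?"
)

# Tags the patch moves from FullConstructor to UnsafeConstructor.
UNSAFE_ONLY = {"module", "object", "object/new"}
# Tag still registered on FullConstructor in the hunk's context lines.
FULL_STILL_ACCEPTS = {"name"}


def classify(kind):
    """Map a python/* tag kind to the loader that will still construct it."""
    if kind in UNSAFE_ONLY:
        return "unsafe_loader_only"
    if kind in FULL_STILL_ACCEPTS:
        return "full_loader_accepts"
    return "python_tag"  # other python/* tags: not named in the visible hunk


def scan_python_tags(text):
    """Return one finding per python/* tag, in document order.

    Each finding is a dict with the 1-based line number, the tag kind,
    the optional target (dotted Python path) and the classification.
    This is a textual scan, not a YAML parse: a tag inside a quoted
    string is reported too, which is the conservative choice for triage.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in TAG_RE.finditer(line):
            findings.append({
                "line": lineno,
                "kind": m.group("kind"),
                "target": m.group("target"),
                "level": classify(m.group("kind")),
            })
    return findings


def summarize(text):
    """Count findings per classification (plain dict, empty if none)."""
    return dict(Counter(f["level"] for f in scan_python_tags(text)))


# Constructed sample document (not from the bug report or the test suite).
SAMPLE = """\
# constructed sample
name: demo
hook: !!python/name:myapp.hooks.on_load
settings: !!python/object:myapp.Config {debug: false}
factory: !!python/object/new:myapp.Builder [1]
mod: !<tag:yaml.org,2002:python/module:myapp.plugins>
pair: !!python/tuple [1, 2]
plain: just a string
"""

if __name__ == "__main__":
    for f in scan_python_tags(SAMPLE):
        target = ":" + f["target"] if f["target"] else ""
        print(f"line {f['line']:>2}: python/{f['kind']}{target} -> {f['level']}")
    print(summarize(SAMPLE))
```

Run over a configuration tree, any document with an `unsafe_loader_only` finding will stop loading under FullLoader after this upload, and any document with a `full_loader_accepts` finding is one that safe_load would reject but FullLoader still honours, which is the residual exposure the request alludes to.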
Bug#988876: grub-efi-amd64: outb command no longer works

2021-05-21 Thread Marco Kühnel
UEFI Secure Boot is disabled. The machine is a Macbook8,3 converted to a pure 
Linux box, however. So, the EFI firmware might be damaged. Thank you for the 
clarification.

In order to disable the (not properly supported) discrete graphics card, I 
need to execute the mentioned outb commands. Indeed, I edited /etc/grub.d/
10_linux in order to do this. 


signature.asc
Description: This is a digitally signed message part.


Bug#988925: unblock: rxvt-unicode/9.22-11

2021-05-21 Thread Ryan Kavanagh
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: r...@debian.org

Please unblock package rxvt-unicode

Disables the ESC G Q escape sequence, which could cause the command '0'
to be executed. This addresses:

https://security-tracker.debian.org/tracker/CVE-2021-33477

[ Tests ]

None

[ Risks ]

Trivial fix cherry-picked from upstream VCS. Original commit from 2019.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock rxvt-unicode/9.22-11

-- 
|)|/  Ryan Kavanagh  | GPG: 4E46 9519 ED67 7734 268F
|\|\  https://rak.ac |  BD95 8F7B F8FC 4A11 C97A
diff -Nru rxvt-unicode-9.22/debian/changelog rxvt-unicode-9.22/debian/changelog
--- rxvt-unicode-9.22/debian/changelog  2021-03-20 12:48:03.0 -0400
+++ rxvt-unicode-9.22/debian/changelog  2021-05-21 10:48:43.0 -0400
@@ -1,3 +1,10 @@
+rxvt-unicode (9.22-11) unstable; urgency=medium
+
+  * Disable ESC G Q escape sequence, 20_disable_escape_sequence.diff
+(Closes: #988763, CVE-2021-33477)
+
+ -- Ryan Kavanagh   Fri, 21 May 2021 10:48:43 -0400
+
 rxvt-unicode (9.22-10) unstable; urgency=medium
 
   * Correct a mistake in 19_sigsegv_perl_environ.diff
diff -Nru rxvt-unicode-9.22/debian/patches/20_disable_escape_sequence.diff 
rxvt-unicode-9.22/debian/patches/20_disable_escape_sequence.diff
--- rxvt-unicode-9.22/debian/patches/20_disable_escape_sequence.diff
1969-12-31 19:00:00.0 -0500
+++ rxvt-unicode-9.22/debian/patches/20_disable_escape_sequence.diff
2021-05-21 10:47:48.0 -0400
@@ -0,0 +1,25 @@
+Description: disable ESC G Q escape sequence
+Origin: http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.584=1.585
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988763
+Last-Update: 2021-05-21
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: rxvt-unicode/src/command.C
+===
+--- rxvt-unicode.orig/src/command.C2019-02-07 15:12:08.0 -0500
 rxvt-unicode/src/command.C 2021-05-21 10:45:22.522127101 -0400
+@@ -2722,12 +2722,14 @@
+ }
+ break;
+ 
++#if 0 // disabled because embedded newlines can make exploits easier
+ /* kidnapped escape sequence: Should be 8.3.48 */
+   case C1_ESA:/* ESC G */
+ // used by original rxvt for rob nations own graphics mode
+ if (cmd_getc () == 'Q')
+   tt_printf ("\033G0\012");   /* query graphics - no graphics */
+ break;
++#endif
+ 
+ /* 8.3.63: CHARACTER TABULATION SET */
+   case C1_HTS:/* ESC H */
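Review bot: the Origin URL in the DEP-3 header (`?r1=1.584=1.585`) has lost a parameter name and as written does not identify the upstream revision pair; it should presumably read `r1=1.584&r2=1.585`, and a `Bug:` line for the CVE tracker entry named in the unblock request would complete the header. On the behavioural side, wrapping the whole `case C1_ESA` in `#if 0` also removes the `cmd_getc ()` call, so the byte following ESC G is no longer consumed by this case and will be handled as ordinary input instead; that is the intended outcome (no `\033G0\012` reply is written to the tty any more), but the Description line should say so, since it is a visible change for anything that still emits the old query.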
diff -Nru rxvt-unicode-9.22/debian/patches/series 
rxvt-unicode-9.22/debian/patches/series
--- rxvt-unicode-9.22/debian/patches/series 2021-03-20 12:48:03.0 
-0400
+++ rxvt-unicode-9.22/debian/patches/series 2021-05-21 10:44:44.0 
-0400
@@ -9,3 +9,4 @@
 17_unsafe_man.diff
 18_expand_urxvt-tabbed.1.diff
 19_sigsegv_perl_environ.diff
+20_disable_escape_sequence.diff


signature.asc
Description: PGP signature
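Programs that write untrusted text to a terminal (log viewers, file listers, chat clients) cannot rely on every user's terminal carrying this fix. The helper below is an added example written for this page, not rxvt-unicode code and not part of the Debian upload; it removes the exact sequence the 20_disable_escape_sequence.diff hunk disables (ESC, 'G', then the one byte that `cmd_getc ()` consumed, 'Q' being the query form) and reports each occurrence, and it goes one step beyond the hunk by optionally rendering any remaining ESC byte as a visible `^[`. The sample inputs are constructed.

```python
"""Scrub the rxvt-unicode ESC G query from terminal-bound text (added example).

Not rxvt-unicode code. The byte sequence comes from the
20_disable_escape_sequence.diff hunk: ESC 'G' followed by one byte read
with cmd_getc(); unpatched 9.22 answers the 'Q' form with "\033G0\012".
"""
import re

ESC = "\x1b"
# ESC G <one byte>: the whole kidnapped ESA sequence. The terminal consumed
# the following byte whether or not it was 'Q', so drop all three characters.
ESC_G_RE = re.compile(r"\x1bG(.)", re.DOTALL)


def scrub(text, neutralize_all_escapes=True):
    """Return (clean_text, findings) for text destined for a terminal.

    findings: one dict per ESC G sequence with its offset in the original
    string, the consumed byte, and whether it was the 'Q' query form.
    With neutralize_all_escapes, every remaining ESC is shown as '^[' so
    no other control sequence reaches the terminal either.
    """
    findings = []

    def _drop(m):
        arg = m.group(1)
        findings.append({"offset": m.start(), "arg": arg, "query": arg == "Q"})
        return ""

    clean = ESC_G_RE.sub(_drop, text)
    if neutralize_all_escapes:
        clean = clean.replace(ESC, "^[")
    return clean, findings


# Constructed sample lines (not from the bug report).
SAMPLES = [
    "user login from host\x1bGQ ok",   # the query form, mid-line
    "colour\x1b[31mred\x1bGx",          # other escape plus a non-query ESC G
    "plain line, nothing to do",
]

if __name__ == "__main__":
    for line in SAMPLES:
        clean, found = scrub(line)
        print(repr(clean), found)
```

Use it at the boundary where untrusted bytes meet the terminal; the findings list doubles as a detection signal worth logging, since the query form has no legitimate reason to appear in data from a remote party.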


Bug#988608: RFS: scrollz/2.2.3-2 - advanced ircII-based IRC client

2021-05-21 Thread Mike Markley
On Sun, May 16, 2021 at 02:55:32PM -0600, Mike Markley  wrote:
> Package: sponsorship-requests
> Severity: normal
> 
> I'm seeking assistance uploading a new version of the ScrollZ IRC client
> to unstable that addresses an outstanding CVE:
> https://security-tracker.debian.org/tracker/CVE-2021-29376.
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986215
> 
> Changes:
>  scrollz (2.2.3-2) unstable; urgency=high
>  .
>* Applied patch to ctcp.c to fix CVE-2021-29376 from
>  https://github.com/ScrollZ/ScrollZ/pull/26 (Closes: #986215)
>* Applied minor patch from upstream to the above fix
> 
> I'm listed as the maintainer in this package's control file, but I haven't
> had a key in the keyring for several years.
> 
> This should be the minimum change required to fix this issue. I anticipate
> there will also be stable and possibly oldstable uploads, as well.
> 
> Post-freeze, I do plan to update the source package to a newer upstream
> version.

I received numerous DMARC reports indicating that this original message
wasn't delivered, so I'm quoting this entire message to highlight it, now
that I've relaxed that policy.

The package is up on https://mentors.debian.net/package/scrollz/ now.

-- 
Mike Markley 



Bug#871958: dnsmasq: Service start hangs with postfix+resolvconf+systemd

2021-05-21 Thread Utkarsh Gupta
Hello Simon,

Just slightly pinging this to get your attention.

There's a bug on Launchpad as well, which got an interesting comment
from one of the users who debugged this further:
https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1778073.

Hoping that'd help. Thanks!


- u



Bug#988508: gnutls28 3.6.7-4+deb10u7 flagged for acceptance

2021-05-21 Thread Adam D Barratt
package release.debian.org
tags 988508 = buster pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==

Package: gnutls28
Version: 3.6.7-4+deb10u7

Explanation: fix null-pointer dereference issue [CVE-2020-24659]; add several 
improvements to memory reallocation



Bug#987731: openvpn 2.4.7-1+deb10u1 flagged for acceptance

2021-05-21 Thread Adam D Barratt
package release.debian.org
tags 987731 = buster pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==

Package: openvpn
Version: 2.4.7-1+deb10u1

Explanation: fix "illegal client float" issue [CVE-2020-11810]; ensure key 
state is authenticated before sending push reply [CVE-2020-15078]; increase 
listen() backlog queue to 32



Bug#988912: ca-certificates-local example is not Lintian clean

2021-05-21 Thread Raul Tambre
Package: ca-certificates
Version: 20210119
Severity: minor

While creating a custom deb package for an internal CA I noticed that the 
included ca-certificates-local is not Lintian clean.

In particular:
* It uses the deprecated Priority: extra 
(priority-extra-is-replaced-by-priority-optional)
* It doesn't explicitly qualify the trigger as await 
(uses-implicit-await-trigger)

Lintian overrides for installing into /usr/local/share might also be 
appropriate.


-- System Information:
Debian Release: 11.0
  APT prefers experimental
  APT policy: (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: arm64

Kernel: Linux 5.10.0-6-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_IE:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ca-certificates depends on:
ii  debconf [debconf-2.0]  1.5.76
ii  openssl3.0.0~~alpha7~+git20200920.28a5f5b3-2

ca-certificates recommends no packages.

ca-certificates suggests no packages.

-- debconf information excluded



Bug#988764: cups-browsed: apparmor blocks access to /usr/share/{cups/,}/locale

2021-05-21 Thread Didier 'OdyX' Raboud
On Friday, 21 May 2021, 16:26:12 CEST, Mike Gabriel wrote:
> Basically, why not? It clutters syslog. It probably won't have
> functional consequences, but still...

Well. At this point of the freeze, I'd rather not burden the release team with 
such a non-"critical, grave, or serious" bug.

https://lists.debian.org/debian-devel-announce/2021/05/msg0.html was 19 
days ago, and has
> As the release draws nearer, fixes for non-RC bugs which do not affect a
> package's general usability will increasingly be deferred or rejected.

Feel free to ask if you feel strongly enough about this, I'll upload if it's 
accepted!

Cheers,
-- 
OdyX

signature.asc
Description: This is a digitally signed message part.

