Bug#1034206: unblock: owslib/0.27.2-3

2023-04-10 Thread Bas Couwenberg
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: ows...@packages.debian.org
Control: affects -1 + src:owslib

Please unblock package owslib

It is affected by CVE-2023-27476 reported in #1034182.

[ Reason ]
Fixes security issue and missing recommended dependencies.

[ Impact ]
Unfixed security issue.

[ Tests ]
Upstream test suite.

[ Risks ]
Low, the changes are pretty straightforward.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
Testing autoremoval of rdeps would remove qgis which is one of, if not the, 
most important GIS packages for users.

The package has not been uploaded to unstable yet.

unblock owslib/0.27.2-3
diff -Nru owslib-0.27.2/debian/changelog owslib-0.27.2/debian/changelog
--- owslib-0.27.2/debian/changelog  2022-11-07 19:38:12.0 +0100
+++ owslib-0.27.2/debian/changelog  2023-04-11 06:30:11.0 +0200
@@ -1,3 +1,16 @@
+owslib (0.27.2-3) unstable; urgency=medium
+
+  * Team upload.
+  * Add Rules-Requires-Root to control file.
+  * Add py3dist overrides for dataclasses.
+  * Fix 'Recommends' typo.
+  * Bump Standards-Version to 4.6.2, no changes.
+  * Add upstream patch to fix CVE-2023-27476.
+(closes: #1034182)
+  * Add python3-lxml to build dependencies.
+
+ -- Bas Couwenberg   Tue, 11 Apr 2023 06:30:11 +0200
+
 owslib (0.27.2-2) unstable; urgency=medium
 
   * Team upload.
diff -Nru owslib-0.27.2/debian/control owslib-0.27.2/debian/control
--- owslib-0.27.2/debian/control2022-10-19 11:58:01.0 +0200
+++ owslib-0.27.2/debian/control2023-04-11 06:29:20.0 +0200
@@ -8,22 +8,23 @@
dh-python,
python3-all,
python3-dateutil,
+   python3-lxml,
python3-pytest,
python3-requests,
python3-setuptools,
python3-tz,
python3-yaml
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
 Vcs-Browser: https://salsa.debian.org/debian-gis-team/owslib
 Vcs-Git: https://salsa.debian.org/debian-gis-team/owslib.git
 Homepage: https://geopython.github.com/OWSLib/
+Rules-Requires-Root: no
 
 Package: python3-owslib
 Architecture: all
-Depends: python3-lxml,
- ${python3:Depends},
+Depends: ${python3:Depends},
  ${misc:Depends}
-Recommeds: python3-pyproj
+Recommends: python3-pyproj
 Description: Client library for Open Geospatial (OGC) web services (Python 3)
  OWSLib is a Python package for client programming with Open Geospatial
  Consortium (OGC) web service (hence OWS) interface standards, and their
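Review bot: the explicit `Depends: python3-lxml` is dropped in the same upload whose patch makes lxml the only XML parser, so the runtime dependency now rests entirely on ${python3:Depends} being populated from upstream's install_requires. Worth checking in the built binary package (`dpkg-deb -f python3-owslib_*.deb Depends`) that python3-lxml still appears; if upstream's requirements do not list lxml, the package would install without the parser it now needs. The Build-Depends addition is right, since the test suite exercises lxml unconditionally after this change.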
diff -Nru owslib-0.27.2/debian/patches/series 
owslib-0.27.2/debian/patches/series
--- owslib-0.27.2/debian/patches/series 2022-10-19 11:58:01.0 +0200
+++ owslib-0.27.2/debian/patches/series 2023-04-11 06:25:37.0 +0200
@@ -1 +1,2 @@
 yaml-safe_load.patch
+use-only-lxml-for-XML-handling.patch
diff -Nru owslib-0.27.2/debian/patches/use-only-lxml-for-XML-handling.patch 
owslib-0.27.2/debian/patches/use-only-lxml-for-XML-handling.patch
--- owslib-0.27.2/debian/patches/use-only-lxml-for-XML-handling.patch   
1970-01-01 01:00:00.0 +0100
+++ owslib-0.27.2/debian/patches/use-only-lxml-for-XML-handling.patch   
2023-04-11 06:28:15.0 +0200
@@ -0,0 +1,318 @@
+Description: use only lxml for XML handling
+ Fixes CVE-2023-27476
+Author: Tom Kralidis 
+Origin: 
https://github.com/geopython/OWSLib/commit/d91267303a695d69e73fa71efa100a035852a063
+Bug: https://github.com/geopython/OWSLib/pull/863
+Bug-Debian: https://bugs.debian.org/1034182
+
+--- a/.github/workflows/main.yml
 b/.github/workflows/main.yml
+@@ -8,9 +8,7 @@ jobs:
+ strategy:
+   matrix:
+ python-version: [3.6, 3.7, 3.8, 3.9]
+-lxml: [true, false]
+ env:
+-LXML: ${{ matrix.lxml }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ COVERALLS_SERVICE_NAME: github
+ steps:
+@@ -28,8 +26,6 @@ jobs:
+ pip3 install -e .
+ pip3 install -r requirements.txt
+ pip3 install -r requirements-dev.txt
+-echo "LXML => $LXML"
+-if [ "$LXML" == "true" ]; then pip install lxml; fi
+ - name: run tests ⚙️
+   run: python3 -m pytest
+ - name: run coveralls ⚙️
+--- a/docs/en/installation.rst
 b/docs/en/installation.rst
+@@ -4,7 +4,7 @@ Installation
+ Requirements
+ 
+ 
+-OWSLib requires a Python interpreter, as well as `ElementTree 
`_ or `lxml 
`_ for XML parsing.
++OWSLib requires a Python interpreter, as well as `lxml `_ 
for XML parsing.
+ 
+ Install
+ ---
+--- a/etc/debian/control
 b/etc/debian/control
+@@ -9,5 +9,5 @@ Homepage: http://geopython.github.com/OW
+ 
+ Package: python-owslib
+ Architecture: all
+-Depends: 
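Review bot: the DEP-3 header at the top of the patch gives only the GitHub commit URL in Origin; DEP-3 expects the origin category first ("Origin: upstream, <url>"), and an Applied-Upstream or Last-Update field would record that this is the upstream fix rather than a Debian-local change. The CI hunk that drops the `lxml: [true, false]` matrix row and the installation.rst hunk are consistent with lxml becoming mandatory. The quoted debdiff ends mid-line at `Depends:` in the etc/debian/control hunk, so the rest of the 318-line patch is not visible here.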

Bug#856649: suricata: IPv4 defrag evasion issue

2023-04-10 Thread Salvatore Bonaccorso
Source: suricata
Source-Version: 3.2.1-1~exp1

Hi Sascha,

On Mon, Apr 10, 2023 at 11:11:12PM +0200, Sascha Steinbiss wrote:
> Hi Salvatore,
> 
> > > (re: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856649)
> > > 
> > > Can we just close this bug? This has been addressed for years, and I am 
> > > not
> > > sure we need to keep these open forever.
> > 
> > Can you pin point the upstream version where this was fixed?
> 
> Sure, you did so yourself in your original bug report from 2017 [1] :)
> It's upstream version 3.2.1, which is confirmed by the tags listed in the
> commit on GitHub and the target version of the fix in upstream's Redmine.
> That version was uploaded to unstable later in March 2017 [2].

Wow that is embarrassing :-(. Yes let's close this bug. Metadata was
already tracking it correctly, but there is no point in keeping the
bug open.

Thanks for prodding again.

Regards,
Salvatore



Bug#1034205: wayout: does not do anything

2023-04-10 Thread Antoine Beaupre
Package: wayout
Version: 0.1.4-1
Severity: normal
X-Debbugs-Cc: ~mil/sxmo-de...@lists.sr.ht

I can't figure out how to use this program.

The upstream README (which is actually not shipped with the Debian
package) has a few examples:

> Static example for a calendar:
> 
> $ cal | wayout
> 
> Example to use wayout as a simple digital clock using --feed-line:
> 
> $ while; do date +%H:%M:%S; sleep 1; done | wayout --feed-line
> 
> You can use the pango markup language for text markup and colours:
> 
> $ echo "bold\nred" | wayout

Yet those don't really work so well:

 1. the first example just immediately exits and leaves no trace of
 a calendar in the output

 2. the second example *does* work, but is buried under all the other
 windows, so it's actually pretty hard to tell it actually *did* work
 unless you know where to look for it

 3. the third example fails for the same reason as the first
 (presumably?)

It looks like wayout immediately exits when the pipe shuts down, and
tears out its own widget alongside. For example, the first example, in
verbose mode, says this:

anarcat@angela:~$ cal | wayout --verbose
[main] wayout: version=0.1.4
[main] w=320 h=240 font=Monospace 26
[main] Init Wayland.
[output] Creating: global_name=44
[output] Configuring: global_name=44
[main] Starting loop.
[main] Got end of input, exiting
[main] Finish Wayland.
[output] Destroying all outputs.

Interestingly, using `--feed-line` with `cal` kind of works if you
squint a little, except not really: it only outputs the last line of
the calendar.

So, how does one use this?

My use case is to make a pop-up on a keybinding or a status bar
button, for example to show a calendar or undertime(1) in an overlay.

Thanks!

a.

-- System Information:
Debian Release: 12.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'stable-security'), (500, 
'testing'), (500, 'stable'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-7-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages wayout depends on:
ii  libc62.36-8
ii  libcairo21.16.0-7
ii  libpango-1.0-0   1.50.12+ds-1
ii  libpangocairo-1.0-0  1.50.12+ds-1
ii  libwayland-client0   1.21.0-1

wayout recommends no packages.

wayout suggests no packages.

-- no debconf information



Bug#1034204: RFP: wlclock -- A digital analog clock for Wayland desktops

2023-04-10 Thread Antoine Beaupre
Package: wnpp
Severity: wishlist

* Package name: wlclock
  Version : 1.0.1
  Upstream Contact: Leon Plickat
* URL : https://git.sr.ht/~leon_plickat/wlclock
* License : GPL3
  Programming Lang: C
  Description : A digital analog clock for Wayland desktops

wlclock is a digital analog clock for Wayland desktops.

wlclock is inspired by xclock and the default configuration has been
chosen to mimic it. However unlike xclock, wlclock is not a regular
window but a desktop-widget.

A Wayland compositor must implement the Layer-Shell and XDG-Output for
wlclock to work.



Found this after finding wayout, which is derived from wlclock and
which *is* packaged in Debian...

Seems like a good foundational tool to have in this brave new Wayland
universe... Also curious to see if it keeps time as well as xclock...



Bug#1034203: snmp: specifying -Op /at all/ segfaults all snmpcmd(1) commands

2023-04-10 Thread наб
Package: snmp
Version: 5.9+dfsg-4+deb11u1
Version: 5.9.3+dfsg-2
Severity: normal

Dear Maintainer,

Originally ran into
  $ snmptranslate -Op TAURON-G13-MIB::tauronG13
  Segmentation fault
this morning by accident.

This happens in all these configurations:
  $ snmptranslate -Op .1
  Segmentation fault
  $ snmptranslate -Op
  Segmentation fault
  $ snmpget -Op
  Segmentation fault


Best,
наб

-- System Information:
Debian Release: 11.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 
'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-20-amd64 (SMP w/24 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_FIRMWARE_WORKAROUND, 
TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages snmp depends on:
ii  libc6 2.31-13+deb11u5
ii  libsnmp-base  5.9+dfsg-4+deb11u1
ii  libsnmp40 5.9+dfsg-4+deb11u1
ii  libssl1.1 1.1.1n-0+deb11u4

Versions of packages snmp recommends:
ii  perl  5.32.1-4+deb11u2

snmp suggests no packages.

-- no debconf information




Bug#1034202: mirror listing update for linux.purple-cat.net

2023-04-10 Thread Mike Hosken
Package: mirrors
Severity: minor
User: mirr...@packages.debian.org
Usertags: mirror-list

Submission-Type: update
Site: linux.purple-cat.net
Type: leaf
Archive-architecture: ALL amd64 arm64 armel armhf hurd-i386 i386 kfreebsd-amd64 
kfreebsd-i386 mips mips64el mipsel powerpc ppc64el s390x
Archive-http: /debian/
Archive-rsync: debian/
Maintainer: Mike Hosken 
Country: NZ New Zealand
Location: Dunedin 
Sponsor: Unifone NZ https://unifone.net.nz/
Comment: Updated information as not on list anymore. IP address has changed. 
Also full Debian ports repo on debian-ports and Debian archive on debian-archive




Trace Url: http://linux.purple-cat.net/debian/project/trace/
Trace Url: 
http://linux.purple-cat.net/debian/project/trace/ftp-master.debian.org
Trace Url: http://linux.purple-cat.net/debian/project/trace/linux.purple-cat.net



Bug#1034201: support DANE for HTTPS authentication

2023-04-10 Thread John Scott
Package: apt
Version: 2.6.0
Severity: wishlist

apt-transport-https only supports the traditional certificate authority model.
However, APT uses GnuTLS, which has a convenient interface for validating 
certificates with DANE. GnuTLS should be used to provide an alternative to the 
certificate authorities.



Bug#1034195: filezilla: Filezilla not available anymore at i386

2023-04-10 Thread Philip Wyett
On Mon, 2023-04-10 at 23:23 +0200, Gert van de Kraats wrote:
> Source: filezilla
> Version: 3.63.0-1
> Severity: important
> 
> Dear Maintainer,
> 
> Recently I automatically upgraded to version 3.63.0-1.
> With this version the package and binary filezilla is no longer available at
> i386 architecture (32 bits).
> 
> This is also visible at the Debian package overview for filezilla.
> The common filezilla are delivered. Also libfilezilla34 still is 
> delivered at
> i386.
> 
> 
> -- System Information:
> Debian Release: 12.0
> APT prefers testing-security
> APT policy: (500, 'testing-security'), (500, 'testing')
> Architecture: i386 (i686)
> 
> Kernel: Linux 6.1.0-7-686-pae (SMP w/2 CPU threads; PREEMPT)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
> LANGUAGE=en_US:en
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled

Hi Gert,

As with many developers, the upstream filezilla has employed CPU features, i.e. sse2, that are not enabled on the Debian i386 build servers. This is their right and meant exclusion from i386 of filezilla. I am sorry if this is an issue, but it is unavoidable and has been the case for many packages that are no longer available on i386.

libfilezilla does not as yet employ CPU features that would cause exclusion from i386 and, being a library, could be used by other applications. This is why I felt it best to leave its i386 build intact.

Regards

Phil



Bug#1034169: libqt5core5a: upgrade to 5.15.8+dfsg-4 stops krunner shortcut from working

2023-04-10 Thread Samuel Thibault
Hello,

Thanks for the backtrace, I believe I understand what is happening.  I
came up with another solution that should be way safer.

Thanks,
Samuel



Bug#1033995: qtbase-opensource-src: Fix accessibility of qt5 applications run as root

2023-04-10 Thread Samuel Thibault
Control: reopen -1
Control: found -1 5.15.8+dfsg-5

Hello,

So the patch that was submitted upstream is indeed posing
problems: #1034160, #1034169, #1034191. AIUI, I guess that connecting
the enabledChanged signal too early is problematic because the code is
not actually ready to handle it because initialization is not finished.

I however came up with another way to fix the issue, that is way simpler
and should really not pose any problem since that's the way it's
happening in the normal case. I have submitted it upstream, and here is
the change.

Samuel
Description: fix accessibility on XCB when running as root
 Accessibility actually works when running applications as root, but we
 would never properly connect, since the enabledChanged signal would be
 emitted from the constructor in this case. So after connecting the
 signal, check the value by hand to make sure not to miss the
 notification.
 Only applications running as root would be affected, because all other
 applications would go through the asynchronous pattern of getting the
 bus address from dbus instead.
Origin: https://codereview.qt-project.org/c/qt/qtbase/+/205196
Bug: https://bugs.debian.org/1033995
Last-Update: 2023-04-09

--- a/src/platformsupport/linuxaccessibility/bridge.cpp
+++ b/src/platformsupport/linuxaccessibility/bridge.cpp
@@ -65,6 +65,10 @@ QSpiAccessibleBridge::QSpiAccessibleBrid
 {
 dbusConnection = new DBusConnection();
 connect(dbusConnection, SIGNAL(enabledChanged(bool)), this, 
SLOT(enabledChanged(bool)));
+// Now that we have connected the signal, make sure we didn't miss a 
change,
+// e.g. when running as root or when AT_SPI_BUS_ADDRESS is set by hand.
+if (dbusConnection->isEnabled())
+enabledChanged(true);
 }
 
 void QSpiAccessibleBridge::enabledChanged(bool enabled)
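Review bot: the direct enabledChanged(true) call can run a second time if DBusConnection emits enabledChanged between the connect() and the isEnabled() check, or later once the asynchronous bus-address lookup completes, so QSpiAccessibleBridge::enabledChanged(true) must be idempotent (not create the cache or adaptors twice) for this to be safe. The description's point that this is the same path the normal case takes supports the approach; a short comment at the call site saying the slot tolerates repeated `true` notifications would document that assumption.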


Bug#1034200: lomiri: reproducible builds: results.txt contains arbitrary data

2023-04-10 Thread Vagrant Cascadian
Source: lomiri
Severity: normal
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: randomness
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org

The data in the shipped results.txt file contains arbitrary data:

  
https://tests.reproducible-builds.org/debian/rb-pkg/bookworm/amd64/diffoscope-results/lomiri.html

  /usr/share/doc/lomiri/html/results.txt.gz
  
  DUPTYPE_FIRST_OCCURRENCE·516·0·32·33·982296778·3·./classlomiri_1...
  vs.
  DUPTYPE_FIRST_OCCURRENCE·516·0·32·34·1071371337·3·./classlomiri_1...

The attached patch to debian/rules fixes this by removing the
results.txt from a dh_installdocs override.

The results.txt file appears to be an artifact from generating the
documentation and does not appear to be referenced from the produced
documentation, though someone familiar with using the documentation
should verify this before applying the patch!


According to my local tests, applying this patch (and another soon to be
submitted) should make lomiri build reproducibly on
tests.reproducible-builds.org once lomiri lands in debian testing!
(tests for debian unstable/experimental also test build path variations,
which introduce additional issues)


Thanks for maintaining lomiri!


live well,
  vagrant
From 20c863bb5459c89656db9ec726d8e975fb5e761c Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian 
Date: Mon, 10 Apr 2023 14:13:05 -0700
Subject: [PATCH 1/4] debian/rules: Add dh_installdocs override to remove
 results.txt.

This file contains variable information which breaks reproducible
builds.

The results.txt file appears to be a leftover build artifact from, as
it is not obviously referenced from the documentation itself.
---
 debian/rules | 5 +
 1 file changed, 5 insertions(+)

diff --git a/debian/rules b/debian/rules
index 641f27c..0424204 100755
--- a/debian/rules
+++ b/debian/rules
@@ -64,6 +64,11 @@ override_dh_install:
 	cd debian/tmp/usr/share/doc/lomiri/html/ && symlinks -rc .
 	dh_install
 
+override_dh_installdocs:
+	dh_installdocs
+	# Remove results.txt for reproducible builds
+	rm -vf debian/lomiri-doc/usr/share/doc/lomiri/html/results.txt
+
 # use private lib directories
 override_dh_makeshlibs:
 	dh_makeshlibs -Nlomiri-tests
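Review bot: the rm runs after dh_installdocs and hard-codes the debian/lomiri-doc install path, so it silently does nothing if the documentation package is renamed or the html directory moves. `dh_installdocs -Xresults.txt` (debhelper's standard exclude option) would keep the file out of every package in one place, and since results.txt is produced by the documentation build itself, deleting it in the step that generates the docs would also keep the build tree consistent with what is shipped.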
-- 
2.39.2





Bug#1034199: lomiri: reproducible builds: temporary directories embedded in .sh files

2023-04-10 Thread Vagrant Cascadian
Source: lomiri
Severity: normal
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: randomness
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org

The files in the lomiri tarball appear to be in arbitrary order,
possibly affected by locale or filesystem differences:

  
https://tests.reproducible-builds.org/debian/rb-pkg/bookworm/amd64/diffoscope-results/lomiri.html

  /usr/libexec/lomiri/tests/scripts/gdbtestLomiriSortFilterProxyModel.sh

  export·HOME=/tmp/tmp.RvWPuq0Oob
  vs.
  export·HOME=/tmp/tmp.lLVsKmMCrB

The attached patch to an upstream CMakeLists.txt file fixes this by
specifying HOME=/nonexistent.

I have not tested that this actually functions correctly, only that it
fixes the reproducibility issue... however, relying on HOME being set to
a temporary directory at build time is a bit of a security risk (as
anyone can write to /tmp)... an alternate fix might be using mktemp -d
at runtime rather than build time?


According to my local tests, applying this patch (and another soon to be
submitted) should make lomiri build reproducibly on
tests.reproducible-builds.org once lomiri lands in debian testing!
(tests for debian unstable/experimental also test build path variations,
which introduce additional issues)


Thanks for maintaining lomiri!


live well,
  vagrant
From 72922583a433728186c3ffeabb6c407e42e63d12 Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian 
Date: Mon, 10 Apr 2023 14:16:30 -0700
Subject: [PATCH 2/4] tests/plugins/Utils/CMakeLists.txt: Avoid embedding a
 randomized HOME value.

---
 tests/plugins/Utils/CMakeLists.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/plugins/Utils/CMakeLists.txt b/tests/plugins/Utils/CMakeLists.txt
index ebf5047..93aa5a9 100644
--- a/tests/plugins/Utils/CMakeLists.txt
+++ b/tests/plugins/Utils/CMakeLists.txt
@@ -20,7 +20,7 @@ foreach(util_test
 DESTINATION "${SHELL_PRIVATE_LIBEXECDIR}/tests/plugins/Utils"
 )
 add_lomiri_unittest(${util_test} ${util_test}TestExec ADD_TEST
-ENVIRONMENT LD_LIBRARY_PATH=${CMAKE_BINARY_DIR}/plugins/Utils HOME=${TMPDIR}
+ENVIRONMENT LD_LIBRARY_PATH=${CMAKE_BINARY_DIR}/plugins/Utils HOME=/nonexistent
 )
 
 endforeach()
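Review bot: HOME=/nonexistent removes the embedded temporary path, but the cover letter says the change is untested, and any test under tests/plugins/Utils that writes to $HOME (config, cache or QStandardPaths locations) will now fail at test time rather than leak a path. Suggest confirming the test suite still passes with this value, or having the test runner create a private directory at run time (the mktemp -d at runtime idea from the report) so the value is neither fixed at build time nor a world-writable /tmp path.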
-- 
2.39.2





Bug#1034198: bullseye-pu: package golang-github-containers-common/0.33.4+ds1-1+deb11u1

2023-04-10 Thread Reinhard Tartler
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: golang-github-containers-com...@packages.debian.org, 
siret...@tauware.de
Control: affects -1 + src:golang-github-containers-common

[ Reason ]

Podman relies on DBUS for correct functioning and reads the
DBUS_SESSION_BUS_ADDRESS environment variables. As it turns out, some session
managers use multiple values, separated by comma, to add additional
information, such as a "guid". Unfortunately, an oversight in the parsing code
in podman 3 fails to take multi-value items into account and leads to podman
failing to connect to the session bus.

[ Impact ]
This is highly inconvenient to the users as they would have to either use a
session manager that sets the DBUS_SESSION_BUS_ADDRESS without commas, or the
user would have to sanitize the environment manually. Only very highly skilled
users that happened to find https://github.com/containers/podman/issues/15546 or
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018816 would be able to
figure this out.

[ Tests ]
This was manually tested.

[ Risks ]
The risk of regression is minimal, the patch was taken from upstream, and is
included in later releases.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
diff --git a/debian/changelog b/debian/changelog
index c23b4b9b..97d97794 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+golang-github-containers-common (0.33.4+ds1-1+deb11u2) bullseye; urgency=medium
+
+  * Fix parsing of DBUS_SESSION_BUS_ADDRESS, Closes: #1018816
+
+ -- Reinhard Tartler   Mon, 10 Apr 2023 18:19:51 -0400
+
 golang-github-containers-common (0.33.4+ds1-1+deb11u1) bullseye; urgency=medium
 
   * Backport seccomp patches from upstream to allow execution of newer
diff --git a/debian/patches/DBUS_SESSION_BUS_ADDRESS_parsing.patch 
b/debian/patches/DBUS_SESSION_BUS_ADDRESS_parsing.patch
new file mode 100644
index ..d1408a43
--- /dev/null
+++ b/debian/patches/DBUS_SESSION_BUS_ADDRESS_parsing.patch
@@ -0,0 +1,37 @@
+commit 47ea9a8cbcc35d1e758b01ae40f37fec8a2e310b
+Author: Giuseppe Scrivano 
+Date:   Mon Jul 26 15:00:25 2021 +0200
+
+config: split arguments in DBUS_SESSION_BUS_ADDRESS
+
+split the DBUS_SESSION_BUS_ADDRESS value so that something like:
+
+unix:path=/run/user/1000/bus,guid=817e9ffcfb383869ad17ea8360e7428a
+
+will ignore ",guid=817e9ffcfb383869ad17ea8360e7428a" when checking
+that the path exists.
+
+Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1984531
+
+Signed-off-by: Giuseppe Scrivano 
+
+--- a/pkg/config/config.go
 b/pkg/config/config.go
+@@ -538,9 +538,14 @@
+ 
+   session := os.Getenv("DBUS_SESSION_BUS_ADDRESS")
+   hasSession := session != ""
+-  if hasSession && strings.HasPrefix(session, "unix:path=") {
+-  _, err := os.Stat(strings.TrimPrefix(session, "unix:path="))
+-  hasSession = err == nil
++  if hasSession {
++  for _, part := range strings.Split(session, ",") {
++  if strings.HasPrefix(part, "unix:path=") {
++  _, err := os.Stat(strings.TrimPrefix(part, 
"unix:path="))
++  hasSession = err == nil
++  break
++  }
++  }
+   }
+ 
+   if !hasSession {
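Review bot: splitting on "," handles the ",guid=..." suffix from the bug, but a D-Bus address string may also list several addresses separated by ";" and carry %XX-escaped characters in values, so a value such as "unix:path=/run/user/1000/bus;unix:abstract=..." would still hand the whole remainder to os.Stat and fail. Splitting on ";" first (or parsing the transport:key=value,key=value form properly) covers both cases; the `break` after the first unix:path= entry is fine, as the first listed address is the one a client tries first.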
diff --git a/debian/patches/series b/debian/patches/series
index c2a2b119..201ff0d9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,4 @@ seccomp-fixup.patch
 08bbb0dfae71da36afd3be1ca104701e6cfa4406.patch
 0f242ca74bd16175bc55013ed457c88137bec0cf.patch
 689e5b074454da5228bb05604f89b7a876baa8fe.patch
+DBUS_SESSION_BUS_ADDRESS_parsing.patch
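The comma-suffixed DBUS_SESSION_BUS_ADDRESS value from the [ Reason ] section, handled by a small parser for the D-Bus address format (addresses separated by ";", each "transport:key=value,key=value" with %XX-escaped values) in an added Go example that is not podman's or containers-common's own code. It reproduces the pre-patch prefix check beside a parsed one so the failure on the ",guid=..." suffix can be seen; the function names and the injectable stat callback are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"strings"
)

// Address is one parsed entry of a D-Bus address string such as
// "unix:path=/run/user/1000/bus,guid=817e9ffcfb383869ad17ea8360e7428a".
type Address struct {
	Transport string
	Params    map[string]string
}

// ParseDBusAddress splits a D-Bus address string into its ";"-separated
// addresses and their ","-separated key=value parameters, decoding the
// %XX escapes D-Bus uses for values.
func ParseDBusAddress(s string) ([]Address, error) {
	var out []Address
	for _, entry := range strings.Split(s, ";") {
		if entry == "" {
			continue // a trailing or doubled ";" is harmless
		}
		transport, rest, ok := strings.Cut(entry, ":")
		if !ok || transport == "" {
			return nil, fmt.Errorf("address %q lacks a transport", entry)
		}
		a := Address{Transport: transport, Params: map[string]string{}}
		if rest != "" {
			for _, kv := range strings.Split(rest, ",") {
				k, v, ok := strings.Cut(kv, "=")
				if !ok || k == "" {
					return nil, fmt.Errorf("bad parameter %q in %q", kv, entry)
				}
				dv, err := url.PathUnescape(v) // same %XX scheme as D-Bus
				if err != nil {
					return nil, fmt.Errorf("bad escape in %q: %w", kv, err)
				}
				a.Params[k] = dv
			}
		}
		out = append(out, a)
	}
	return out, nil
}

// UnixSocketPath returns the socket path of the first unix:path= address
// in s, if there is one.
func UnixSocketPath(s string) (string, bool) {
	addrs, err := ParseDBusAddress(s)
	if err != nil {
		return "", false
	}
	for _, a := range addrs {
		if p, ok := a.Params["path"]; a.Transport == "unix" && ok {
			return p, true
		}
	}
	return "", false
}

// NaiveHasSession reproduces the pre-patch logic quoted in the bug: everything
// after "unix:path=" is treated as the socket path, so a ",guid=..." suffix
// becomes part of the path that is stat'ed and the check fails.
// stat is injected (assumption of this example) so the check runs offline.
func NaiveHasSession(session string, stat func(string) error) bool {
	hasSession := session != ""
	if hasSession && strings.HasPrefix(session, "unix:path=") {
		hasSession = stat(strings.TrimPrefix(session, "unix:path=")) == nil
	}
	return hasSession
}

// HasSession is the parsed equivalent: the session bus counts as usable when
// the variable is set and, if it names a unix socket path, that path exists.
func HasSession(session string, stat func(string) error) bool {
	if session == "" {
		return false
	}
	if p, ok := UnixSocketPath(session); ok {
		return stat(p) == nil
	}
	return true // non-unix transports are not checked, as in the patch
}

func main() {
	session := os.Getenv("DBUS_SESSION_BUS_ADDRESS")
	stat := func(p string) error { _, err := os.Stat(p); return err }
	fmt.Printf("naive: %v  parsed: %v\n",
		NaiveHasSession(session, stat), HasSession(session, stat))
}
```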



Bug#1031439: gcc-sh-elf FTBFS: mystery solved?

2023-04-10 Thread John Scott
Hi,

I'm doing the build right now and it got past the part where it's been failing, 
so I'm pretty sure we're good!

Adrian, would you be willing to sponsor my upload? I'll send a second mail when 
it's ready. The change is extremely small, and to be frank I'll probably skip 
running the test suite, but I believe the software will be sound.




Bug#1034197: [INTL:ro] Translation of "apt-listchanges" to Romanian

2023-04-10 Thread Remus-Gabriel Chelu
Package: apt-listchanges
Version:3.25
Severity: wishlist
Tags: l10n, patch

Dear Maintainer,

Please find attached the Romanian translation of the «apt-listchanges» file.

Thanks,
Remus-Gabriel

apt-listchanges_3.25_ro.po
Description: Binary data


Bug#1033913: partman-auto-lvm: Broken "Guided - use entire disk and set up LVM" in UEFI mode

2023-04-10 Thread Steve McIntyre
I've just pushed an update to the code here...

On Mon, Apr 10, 2023 at 05:45:15PM +0200, Pascal Hambourg wrote:
>On 10/04/2023 at 15:13, Steve McIntyre wrote:
>> 
>> Overall comment: I'm not trying to make the heuristics 100% reliable
>> here, as I don't think that's actually possible. Instead, I'm trying
>> to tread the fine line of:
>> 
>>   * minimising false negatives - let's try to pick up on the most
>> common cases where people are dual-booting with other systems and
>> might not understand the issues here. That's 99%+ going to be
>> people with Windows installed
>> 
>>   * minimising false positives - the issue that angered Cyril in
>> particular, with an incomplete LVM setup triggering the "bios
>> bootable OS" warning
>
>IMO it is more important to avoid false positives, because switching to a
>BIOS installation on systems which are not BIOS-boot capable would create a
>non bootable system. In case oft is easier to install GRUB for BIOS boot on
>a running EFI system than the other way around.

No. The reason I added this check and warning in the first place is to
avoid breaking existing (all-too-common) systems where Windows users
have a BIOS-booting installation but their BIOS is set to boot both
UEFI and BIOS. That's a stupid combination, but again all too
common. :-( New users who are just trying to install Debian dual-boot
are much less likely to be able to diagnose this kind of problem.

>> > - Other BIOS boot loaders such as syslinux/extlinux do not need or use a 
>> > BIOS
>> > boot partition.
>> 
>> Also not a use case I'm particularly caring about, I'll be
>> honest. They're also *really* not likely to work well without another
>> filesystem in use, which I expect we'll detect anyway.
>
>Indeed other partitions are needed and will be detected, but they will not
>increment $NUM_NOT_ESP if the disk is GPT and has no BIOS boot partition (so
>$DISK_BIOS_BOOT=no), so it might cause a false negative. So why not just
>treat MSDOS and GPT disk labels equally and treat BIOS boot partitions like
>any other non-ESP ?

It's a false negative that I really don't believe or care about very
much, I'll be honest. This is getting to be an edge case on an edge
case.

>> > 1b) IIUC the patch fixes #1033913 because the disk selected for installation
>> > has received a new GPT disklabel without a BIOS boot partition, so further
>> > checking is skipped. But IMO the root cause of #1033913 is that changes are
>> > not committed to disk after setting the 'boot' and 'esp' flags to the newly
>> > created ESP partition before stopping parted_server.
>
>I originally thought about fixing partman-auto-lvm but it appears that other
>transient states can also trigger the "force UEFI installation" dialog during
>partitioning, for example after setting up LVM in manual partitioning if
>there is no ESP partition yet. As discussed in #debian-boot, a more general
>fix might be to run the check only once because only existing partitions
>before partitioning are relevant. Are there any use cases for which this
>might cause a false negative ?

So I've now modded the code to add a flag file - it'll only run the
check and (maybe) raise the warning on the first entry into
partman. Thanks for the suggestion, this is clearly the correct
answer.

>> > 4) It appears that partman fails to detect the specially crafted partition
>> > table on the installation media created with a debian image. Is it intended
>> > or fortunately unintentional ? If partman could see the EFI partition on the
>> > installation media, the detection of BIOS-bootable systems would fail.
>> 
>> That's not a worry for today... :-)
>
>Sure, but the issue can also happen if another removable media is present.
>For instance the USB drive I use to provide missing firmware has an ESP
>partition (and a regular partition table) thus can cause a false negative.

Again, we're hitting edge cases. We can't know for sure what the user
wants here, so we can't just ignore removable media (for example).

-- 
Steve McIntyre, Cambridge, UK.st...@einval.com
"Since phone messaging became popular, the young generation has lost the
 ability to read or write anything that is longer than one hundred and sixty
 characters."  -- Ignatios Souvatzis
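The detection heuristic Steve and Pascal are arguing about, as an added shell illustration that is not partman's own code: it implements the rules exactly as the thread states them (ESPs never count; a BIOS boot partition marks its disk as BIOS-boot capable; other partitions increment the non-ESP count, except on a GPT disk without a BIOS boot partition, which is the false negative Pascal points out), plus the flag-file "check only on first entry into partman" fix from Steve's reply. The partition-table input format, the function names and the sample layouts are constructed for the example.

```sh
#!/bin/sh
# Added illustration of the "is a BIOS-bootable OS present?" heuristic as
# described in the thread; NOT partman-efi's code. Input is a constructed
# table, one partition per line: "<disk> <label> <flags>", where label is
# gpt or msdos and flags is a comma-separated list such as esp, bios_grub
# or none. Rules as discussed above:
#   * an ESP never counts; a BIOS boot partition (bios_grub) never counts
#     by itself but marks its disk as BIOS-boot capable ($DISK_BIOS_BOOT);
#   * every other partition increments $NUM_NOT_ESP, except on a GPT disk
#     that has no BIOS boot partition (the false negative Pascal mentions).
count_not_esp() {
    printf '%s\n' "$1" | awk '
        NF < 3 { next }
        {
            disk = $1; label[disk] = $2; flags = $3
            if (flags ~ /(^|,)esp(,|$)/) next
            if (flags ~ /(^|,)bios_grub(,|$)/) { biosboot[disk] = 1; next }
            n[disk]++
        }
        END {
            total = 0
            for (d in n)
                if (label[d] != "gpt" || (d in biosboot)) total += n[d]
            print total
        }'
}

# The run-once fix: the check (and the warning) happens on the first entry
# into partman only, recorded by a flag file, so transient states created
# while partitioning (a freshly made ESP, a half-built LVM layout) cannot
# re-trigger it. Returns 0 when the warning should be raised.
warn_bios_os_once() {
    flag=$1; table=$2
    [ -e "$flag" ] && return 1
    : > "$flag"
    [ "$(count_not_esp "$table")" -gt 0 ]
}

# Constructed sample layouts.
# Legacy Windows on an msdos label: two plain partitions, both count.
WINDOWS_BIOS='sda msdos none
sda msdos none'
# GPT with an ESP and one data partition but no BIOS boot partition: counts 0.
GPT_NO_BIOSBOOT='sdb gpt esp
sdb gpt none'
# GPT with a BIOS boot partition and one data partition: counts 1.
GPT_WITH_BIOSBOOT='sdc gpt bios_grub
sdc gpt none'

# Usage: first entry warns, a second call with the same flag file stays silent.
demo=$(mktemp -d)
if warn_bios_os_once "$demo/bios-check-done" "$WINDOWS_BIOS"; then
    echo "warn: $(count_not_esp "$WINDOWS_BIOS") non-ESP partition(s), BIOS-bootable OS likely"
fi
warn_bios_os_once "$demo/bios-check-done" "$WINDOWS_BIOS" || echo "already checked, no warning"
rm -rf "$demo"
```

Feeding GPT_NO_BIOSBOOT to count_not_esp returns 0 even though a data partition exists, which is exactly the syslinux/extlinux-on-GPT case the thread agrees to ignore; the flag file is what keeps the later transient-state triggers (#1033913 and the manual LVM case) from re-raising the dialog.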



Bug#1030930: podman: DNS resolution fails in 'podman build' but works in 'podman run'

2023-04-10 Thread Reinhard Tartler
Control: tag -1 + unreproducible moreinfo

Hi Kevin,

great to hear from you in this space!

On Thu, Feb 9, 2023 at 8:36 AM Kevin P. Fleming  wrote:

> Package: podman
> Version: 4.3.1+ds1-5+b1
> Severity: important
>
> Dear Maintainer,
>
> I am seeing DNS resolution fail when using 'podman build' but succeed when
> using 'podman run', with a Dockerfile which contains the same commands I
> run
> manually in the 'podman run'-launched shell.
>
> Dockerfile
> --
> FROM alpine:3.10
> RUN cat /etc/resolv.conf
> RUN apk add tar
>

Unfortunately, I can't reproduce. Please help me to reproduce this issue.
Also, maybe upstream has an idea, can you please report this issue at
https://github.com/containers/podman/issues/new/choose. In any case, here
is the output that I get:

siretart@x1:/tmp/dnstest$ cat >> Containerfile
FROM alpine:3.10
RUN cat /etc/resolv.conf
RUN apk add tar
siretart@x1:/tmp/dnstest$ cat Containerfile
FROM alpine:3.10
RUN cat /etc/resolv.conf
RUN apk add tar
siretart@x1:/tmp/dnstest$ podman build .
STEP 1/3: FROM alpine:3.10
Resolved "alpine" as an alias
(/etc/containers/registries.conf.d/shortnames.conf)
Trying to pull docker.io/library/alpine:3.10...
Getting image source signatures
Copying blob 396c31837116 done
Copying config e7b300aee9 done
Writing manifest to image destination
Storing signatures
STEP 2/3: RUN cat /etc/resolv.conf
search int.tauware.de
nameserver 10.0.2.3
nameserver 192.168.88.3
--> 2ce59772eaf
STEP 3/3: RUN apk add tar
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/main/x86_64/APKINDEX.tar.gz
fetch
http://dl-cdn.alpinelinux.org/alpine/v3.10/community/x86_64/APKINDEX.tar.gz
(1/1) Installing tar (1.32-r1)
Executing busybox-1.30.1-r5.trigger
OK: 6 MiB in 15 packages
COMMIT
--> 7c1bfd9e030
7c1bfd9e030f07b05cc9427a97c0bc5ff73bca5436bce389ad81da1a64f64a11



-- 
regards,
Reinhard


Bug#1034195: filezilla: Filezilla not available anymore at i386

2023-04-10 Thread Gert van de Kraats

Source: filezilla
Version: 3.63.0-1
Severity: important

Dear Maintainer,

Recently I automatically upgraded to version 3.63.0-1.
With this version the package and binary filezilla is no longer available at
i386 architecture (32 bits).

This is also visible at the Debian package overview for filezilla.
The common filezilla is delivered. Also libfilezilla34 is still delivered at
i386.


-- System Information:
Debian Release: 12.0
APT prefers testing-security
APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 6.1.0-7-686-pae (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en

Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#1034194: unblock: closure-compiler/20130227+dfsg1-13

2023-04-10 Thread Markus Koschany
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: a...@debian.org

Please unblock package closure-compiler

[ Reason ]

This is related to #1034127 and the unblock request of rhino 1.7.14.
If we ship rhino 1.7.14 in Bookworm, then closure-compiler should be
unblocked too to fix a FTBFS.


[ Impact ]

If rhino is unblocked but closure-compiler is not, then the package in
testing will FTBFS.

[ Tests ]

closure-compiler builds fine now and works as expected.

[ Risks ]

closure-compiler is used to minify/optimize Javascript files and this
still seems to work.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing


unblock closure-compiler/20130227+dfsg1-13
diff -Nru closure-compiler-20130227+dfsg1/debian/changelog 
closure-compiler-20130227+dfsg1/debian/changelog
--- closure-compiler-20130227+dfsg1/debian/changelog2022-11-19 
09:00:34.0 +0100
+++ closure-compiler-20130227+dfsg1/debian/changelog2023-02-14 
00:18:02.0 +0100
@@ -1,3 +1,12 @@
+closure-compiler (20130227+dfsg1-13) unstable; urgency=medium
+
+  * QA upload.
+  * Tighten dependency on librhino-java to >= 1.7.14.
+  * Fix FTBFS with rhino 1.7.14.
+  * Use canonical VCS URI.
+
+ -- Markus Koschany   Tue, 14 Feb 2023 00:18:02 +0100
+
 closure-compiler (20130227+dfsg1-12) unstable; urgency=medium
 
   * QA upload.
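Review bot: the entry "Fix FTBFS with rhino 1.7.14" carries no bug reference, while the unblock text ties this upload to #1034127 and the rhino transition; adding that number to the changelog line (and a Bug-Debian field to the patch header) would let the release team and later maintainers trace why the dependency was tightened without reading this thread.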
diff -Nru closure-compiler-20130227+dfsg1/debian/control 
closure-compiler-20130227+dfsg1/debian/control
--- closure-compiler-20130227+dfsg1/debian/control  2022-11-19 
09:00:34.0 +0100
+++ closure-compiler-20130227+dfsg1/debian/control  2023-02-14 
00:18:02.0 +0100
@@ -12,7 +12,7 @@
 libargs4j-java,
 libguava-java (>= 15.0),
 libjsr305-java,
-librhino-java (>= 1.7R4),
+librhino-java (>= 1.7.14),
 ant,
 libjarjar-java,
 protobuf-compiler,
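Review bot: only the Build-Depends entry is raised to >= 1.7.14 here; the runtime Depends of the closure-compiler binary package is not in this diff. Since the patched IRFactory now imports com.google.javascript.rhino.head.ast.UpdateExpression, a class the older rhino API evidently lacks (otherwise there would be no FTBFS to fix), the built jar will break at runtime against a pre-1.7.14 librhino-java unless the binary package's dependency carries the same lower bound; please confirm that, or show the relevant Depends line in the debdiff.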
@@ -20,8 +20,8 @@
 javahelper (>= 0.25)
 Build-Depends-Indep: default-jdk-doc, libmaven-javadoc-plugin-java
 Standards-Version: 4.1.0
-Vcs-Git: https://anonscm.debian.org/git/pkg-java/closure-compiler.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/closure-compiler.git
+Vcs-Git: https://salsa.debian.org/java-team/closure-compiler.git
+Vcs-Browser: https://salsa.debian.org/java-team/closure-compiler
 Homepage: https://developers.google.com/closure/compiler/
 
 Package: closure-compiler
diff -Nru 
closure-compiler-20130227+dfsg1/debian/patches/fix-librhino-java-FTBFS.patch 
closure-compiler-20130227+dfsg1/debian/patches/fix-librhino-java-FTBFS.patch
--- 
closure-compiler-20130227+dfsg1/debian/patches/fix-librhino-java-FTBFS.patch
1970-01-01 01:00:00.0 +0100
+++ 
closure-compiler-20130227+dfsg1/debian/patches/fix-librhino-java-FTBFS.patch
2023-02-14 00:18:02.0 +0100
@@ -0,0 +1,65 @@
+From: Markus Koschany 
+Date: Tue, 14 Feb 2023 00:06:12 +0100
+Subject: fix librhino-java FTBFS
+
+Fix FTBFS with rhino 1.7.14.
+
+Forwarded: not-needed
+---
+ src/com/google/javascript/jscomp/parsing/IRFactory.java  | 4 ++--
+ src/com/google/javascript/jscomp/parsing/TypeSafeDispatcher.java | 6 +++---
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/com/google/javascript/jscomp/parsing/IRFactory.java 
b/src/com/google/javascript/jscomp/parsing/IRFactory.java
+index 361f31d..0e34a4d 100644
+--- a/src/com/google/javascript/jscomp/parsing/IRFactory.java
 b/src/com/google/javascript/jscomp/parsing/IRFactory.java
+@@ -65,7 +65,7 @@ import com.google.javascript.rhino.head.ast.SwitchCase;
+ import com.google.javascript.rhino.head.ast.SwitchStatement;
+ import com.google.javascript.rhino.head.ast.ThrowStatement;
+ import com.google.javascript.rhino.head.ast.TryStatement;
+-import com.google.javascript.rhino.head.ast.UnaryExpression;
++import com.google.javascript.rhino.head.ast.UpdateExpression;
+ import com.google.javascript.rhino.head.ast.VariableDeclaration;
+ import com.google.javascript.rhino.head.ast.VariableInitializer;
+ import com.google.javascript.rhino.head.ast.WhileLoop;
+@@ -1145,7 +1145,7 @@ class IRFactory {
+ }
+ 
+ @Override
+-Node processUnaryExpression(UnaryExpression exprNode) {
++Node processUpdateExpression(UpdateExpression exprNode) {
+   int type = transformTokenType(exprNode.getType());
+   Node operand = transform(exprNode.getOperand());
+   if (type == Token.NEG && operand.isNumber()) {
+diff --git a/src/com/google/javascript/jscomp/parsing/TypeSafeDispatcher.java 
b/src/com/google/javascript/jscomp/parsing/TypeSafeDispatcher.java
+index 95aaacd..fc6ace3 100644
+--- a/src/com/google/javascript/jscomp/parsing/TypeSafeDispatcher.java
 b/src/com/google/javascript/jscomp/parsing/TypeSafeDispatcher.java
+@@ -55,7 +55,7 @@ import com.google.javascript.rhino.head.ast.SwitchCase;
+ import com.google.javascript.rhino.head.ast.SwitchStatement;
+ 
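Review bot: in IRFactory.java this hunk replaces the UnaryExpression import and renames processUnaryExpression to processUpdateExpression while keeping the body's `if (type == Token.NEG && operand.isNumber())` branch, which folds unary minus on numeric literals. Unary minus is not an update (++/--) expression, so if rhino 1.7.14 still delivers prefix operators such as `-` as UnaryExpression, that folding is no longer reached and negative literals would be parsed differently than before; the safer change is to add a processUpdateExpression next to the existing processUnaryExpression rather than replace it, unless the TypeSafeDispatcher change says otherwise. That second file's hunk is cut off in the mail after the import lines, so the dispatcher half of the patch cannot be reviewed from this page.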

Bug#856649: suricata: IPv4 defrag evasion issue

2023-04-10 Thread Sascha Steinbiss

Hi Salvatore,


(re: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856649)

>> Can we just close this bug? This has been addressed for years, and I am not
>> sure we need to keep these open forever.
>
> Can you pinpoint the upstream version where this was fixed?


Sure, you did so yourself in your original bug report from 2017 [1] :)
It's upstream version 3.2.1, which is confirmed by the tags listed in 
the commit on GitHub and the target version of the fix in upstream's 
Redmine. That version was uploaded to unstable later in March 2017 [2].


Just FYI: we're at 6.0.10 now.

Best regards
Sascha

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856649#5
[2] 
https://tracker.debian.org/news/841144/accepted-suricata-321-1-source-into-unstable/


OpenPGP_signature
Description: OpenPGP digital signature


Bug#1034127: unblock: rhino/1.7.14-2.1

2023-04-10 Thread Markus Koschany
Am Sonntag, dem 09.04.2023 um 22:28 +0200 schrieb Paul Gevers:
> 
> [ Risks ]
> This is a new upstream release. This is not a small change. And while
> typing this unblock request, I'm getting uncomfortable and wonder if
> we want this. But as it's all prepared, let's discuss and pull Markus
> in to elaborate a bit too.

I am in favor of shipping rhino 1.7.14 in Bookworm for all the reasons Paul has
mentioned. I believe at this point in the release cycle we don't want to make
arbitrary changes but we also want to deliver the best possible software
package to our users. I'm not confident to find a different fix to address
#1026639 and the broken web application in openrefine. It clearly works with
1.7.14 but not with the current version in testing. Since I only had to patch
one reverse-dependency, the orphaned package closure-compiler, and everything
else appears to work as expected, I believe the risks are very manageable.
Worst case would be to rebuild another package. We also get the latest upstream
version and don't have to ship a six year old version again. 

Markus


signature.asc
Description: This is a digitally signed message part


Bug#996367: pipewire issues with M-Audio 410

2023-04-10 Thread Alexandre Lymberopoulos
Package: pipewire-pulse

Dear all,

As mentioned in a message sent on Fri, 18 Nov 2022 19:33:34 -0300, the
bug reported under the number 996367 (version 0.3.38-2) seems to be
solved at that moment (version 0.3.60-1). I'm sorry but can't figure out
which version implemented the solution after so long.

I must express my gratitude for the guys here working hard on pipewire.

Best, Alexandre
-- 
===
Alexandre Lymberopoulos - lym...@gmail.com
===



Bug#996367: pipewire issues with M-Audio 410

2023-04-10 Thread Alexandre Lymberopoulos
Dear Alban,

Unfortunately I can't remember the exact point where the bug I reported
was solved, it was more than one year between my bugreport and the
answer of the maintainer, and almost five months from that answer to
your message.

I'll close this bug now. Thanks for writing.

Cheers, Alexandre

On Apr 08 2023, Alban Browaeys wrote:
> Alexandre, could you close this bug report as you told it to
> be solved?
> 
> See https://www.debian.org/Bugs/Developer#closing
> That is, if you know the version that fixed the issue, add the pseudo-
> header
> Version: 
> if you do not know the version, do not include this Version pseudo-
> header.
> 
> If you know what fixed the bug tell in the email body.
> 
> 
> and then send this email to 996367-d...@bugs.debian.org to close this
> bug.
>  
> 
> Cheers,
> Alban
> 
> 
> On Fri, 18 Nov 2022 19:33:34 -0300 Alexandre Lymberopoulos
>  wrote:
> > Hello, Dylan!
> > 
> > Things are going much better with the new releases: 996367 seems to be
> > solved, but 997915 persists. For the latter it seems to be something
> > like capturing sources with different sample rates (like 48kHz and
> > 44kHz). This guess is due to the resulting sound: the "default"
> > recording device (as selected with pavucontrol - have pipewire, pulse
> > and jack installed here! more on this later) have nice sound and the
> > other sounds like playing a standard 33rpm vinyl in 45rpm (revealing my
> > age here) with a lot of clips.
> > 
> > To make things tidy and clean here I would like to know if there is a
> > way to keep just pipewire running here (over ALSA, probably) and if
> > there are some mixer software to use with pipewire (ffado-mixer stopped
> > working with M-Audio 410 here).
> > 
> > Best,
> > Alexandre
> > 
> > ===
> > Alexandre Lymberopoulos - lym...@gmail.com
> > ===
> 
> > 
> > 
> > On Fri, Nov 18 2022 at 02:54:57 PM +01:00:00, Dylan Aïssi 
> >  wrote:
> > > Hello Alexandre,
> > > 
> > > My apologies for not responding earlier.
> > > 
> > > Do you still have these problems with pipewire or have they been 
> > > solved
> > > with the new versions?
> > > 
> > > Best,
> > > Dylan
> > 
> > 
> > 
> > 
> 

-- 
===
Alexandre Lymberopoulos - lym...@gmail.com
===



Bug#1034193: minidlna: Dutch localization error: contains Swedish

2023-04-10 Thread Manuel Bilderbeek
Package: minidlna
Version: 1.3.0+dfsg-2.2+b3
Severity: normal

Dear Maintainer,

Since I am using Dutch (NL) localization on my PC, I noticed that I suddenly
see a Swedish text on my TV when browsing my PC's DLNA directories.

In particular, I see the text "Nyligen tillagd" appearing in
/usr/share/locale/nl/LC_MESSAGES/minidlna.mo
That is the Swedish text I see.

Please change this to: "Recent toegevoegd", which I think would be a proper
Dutch translation for "Recently added".

I guess the Swedish localization team missed this one item :)

Thanks.

Kind regards,
Manuel

-- System Information:
Debian Release: 12.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-7-amd64 (SMP w/32 CPU threads; PREEMPT)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages minidlna depends on:
ii  adduser3.132
ii  init-system-helpers1.65.2
ii  libavformat59  7:5.1.2-3
ii  libavutil577:5.1.2-3
ii  libc6  2.36-8
ii  libexif12  0.6.24-1+b1
ii  libflac12  1.4.2+ds-2
ii  libid3tag0 0.15.1b-14
ii  libjpeg62-turbo1:2.1.5-2
ii  libogg01.3.5-3
ii  libsqlite3-0   3.40.1-2
ii  libvorbis0a1.3.7-1
ii  sysvinit-utils [lsb-base]  3.06-2

minidlna recommends no packages.

minidlna suggests no packages.

-- Configuration Files:
/etc/minidlna.conf changed:
media_dir=/var/lib/minidlna
port=8200
friendly_name=Manuel's PC
inotify=yes
album_art_names=Cover.jpg/cover.jpg/AlbumArtSmall.jpg/albumartsmall.jpg
album_art_names=AlbumArt.jpg/albumart.jpg/Album.jpg/album.jpg
album_art_names=Folder.jpg/folder.jpg/Thumb.jpg/thumb.jpg
wide_links=yes


-- no debconf information



Bug#1034192: xserver-xorg-video-nouveau: Random system freeze while watching videos (GT710/GK208B)

2023-04-10 Thread Bartosz Skrzypczak
Package: xserver-xorg-video-nouveau
Version: 1:1.0.17-2
Severity: important

So far I have only reproduced this issue while playing youtube videos in 
firefox. This did not happen with official nvidia drivers (before it got 
moved to nvidia-tesla-driver). While playing a video, the X will randomly 
freeze (sometimes after a few minutes, sometimes an hour). Audio will 
continue playing for some time. The system does not respond to any keyboard 
input (not even attempting to switch to TTY), but mouse cursor continues 
to move.

I was able to connect to that PC through SSH from my laptop. The Xorg process 
was stuck at 100% cpu utilization (one core/thread). I noticed that 
there was no extra output in dmesg, or xorg log. I have perf installed, so I 
ran perf record - this showed that most of the CPU time is spent on 
nouveau_dma_wait. File with perf archive output: 
https://www.dropbox.com/s/l8bsqp0jdyfnvom/perf.data.tar.bz2?dl=1

After killing the Xorg process, the system appears to work normally, but I had 
one incident where after restarting X, it froze again almost 
immediately and it became completely unresponsive, with no ability to connect 
through ssh, not responding to ping. Since I don't have a serial 
output, I can't see what actually happened.

-- Package-specific info:
/etc/X11/X does not exist.
/etc/X11/X is not a symlink.
/etc/X11/X is not executable.

Diversions concerning libGL are in place

diversion of /usr/lib/arm-linux-gnueabihf/libGL.so.1.2.0 to 
/usr/lib/mesa-diverted/arm-linux-gnueabihf/libGL.so.1.2.0 by glx-diversions
diversion of /usr/lib/powerpc64le-linux-gnu/libGLESv2.so.2 to 
/usr/lib/mesa-diverted/powerpc64le-linux-gnu/libGLESv2.so.2 by glx-diversions
diversion of /usr/lib/libGL.so.1 to /usr/lib/mesa-diverted/libGL.so.1 by 
glx-diversions
diversion of /usr/lib/arm-linux-gnueabihf/libGLESv2.so.2.0.0 to 
/usr/lib/mesa-diverted/arm-linux-gnueabihf/libGLESv2.so.2.0.0 by glx-diversions
diversion of /usr/lib/libGLESv2.so.2 to /usr/lib/mesa-diverted/libGLESv2.so.2 
by glx-diversions
diversion of /usr/lib/arm-linux-gnueabihf/libGL.so to 
/usr/lib/mesa-diverted/arm-linux-gnueabihf/libGL.so by glx-diversions
diversion of /usr/lib/i386-linux-gnu/libGLX_indirect.so.0 to 
/usr/lib/mesa-diverted/i386-linux-gnu/libGLX_indirect.so.0 by glx-diversions
diversion of /usr/lib/x86_64-linux-gnu/libGLESv1_CM.so.1.1.0 to 
/usr/lib/mesa-diverted/x86_64-linux-gnu/libGLESv1_CM.so.1.1.0 by glx-diversions
diversion of /usr/lib/arm-linux-gnueabihf/libGLESv1_CM.so to 
/usr/lib/mesa-diverted/arm-linux-gnueabihf/libGLESv1_CM.so by glx-diversions
diversion of /usr/lib/i386-linux-gnu/libGLESv2.so.2 to 
/usr/lib/mesa-diverted/i386-linux-gnu/libGLESv2.so.2 by glx-diversions
diversion of /usr/lib/arm-linux-gnueabihf/libGLESv2.so.2.1.0 to 
/usr/lib/mesa-diverted/arm-linux-gnueabihf/libGLESv2.so.2.1.0 by glx-diversions
diversion of /usr/lib/i386-linux-gnu/libGLESv2.so.2.1.0 to 
/usr/lib/mesa-diverted/i386-linux-gnu/libGLESv2.so.2.1.0 by glx-diversions
diversion of /usr/lib/x86_64-linux-gnu/libGLESv2.so.2 to 
/usr/lib/mesa-diverted/x86_64-linux-gnu/libGLESv2.so.2 by glx-diversions
diversion of /usr/lib/x86_64-linux-gnu/libGLX_indirect.so.0 to 
/usr/lib/mesa-diverted/x86_64-linux-gnu/libGLX_indirect.so.0 by glx-diversions
diversion of /usr/lib/arm-linux-gnueabihf/libGL.so.1.2 to 
/usr/lib/mesa-diverted/arm-linux-gnueabihf/libGL.so.1.2 by glx-diversions
diversion of /usr/lib/x86_64-linux-gnu/libGLESv2.so.2.1.0 to 
/usr/lib/mesa-diverted/x86_64-linux-gnu/libGLESv2.so.2.1.0 by glx-diversions
diversion of /usr/lib/powerpc64le-linux-gnu/libGLESv1_CM.so to 
/usr/lib/mesa-diverted/powerpc64le-linux-gnu/libGLESv1_CM.so by glx-diversions
diversion of /usr/lib/aarch64-linux-gnu/libGLESv1_CM.so.1.1.0 to 
/usr/lib/mesa-diverted/aarch64-linux-gnu/libGLESv1_CM.so.1.1.0 by glx-diversions
diversion of /usr/lib/powerpc64le-linux-gnu/libGL.so.1.2.0 to 
/usr/lib/mesa-diverted/powerpc64le-linux-gnu/libGL.so.1.2.0 by glx-diversions
diversion of /usr/lib/libGLESv1_CM.so.1.1.0 to 
/usr/lib/mesa-diverted/libGLESv1_CM.so.1.1.0 by glx-diversions
diversion of /usr/lib/powerpc64le-linux-gnu/libGLESv2.so to 
/usr/lib/mesa-diverted/powerpc64le-linux-gnu/libGLESv2.so by glx-diversions
diversion of /usr/lib/i386-linux-gnu/libGLESv1_CM.so.1 to 
/usr/lib/mesa-diverted/i386-linux-gnu/libGLESv1_CM.so.1 by glx-diversions
diversion of /usr/lib/aarch64-linux-gnu/libGL.so.1.2.0 to 
/usr/lib/mesa-diverted/aarch64-linux-gnu/libGL.so.1.2.0 by glx-diversions
diversion of /usr/lib/x86_64-linux-gnu/libGLESv1_CM.so to 
/usr/lib/mesa-diverted/x86_64-linux-gnu/libGLESv1_CM.so by glx-diversions
diversion of /usr/lib/arm-linux-gnueabihf/libGLESv1_CM.so.1.2.0 to 
/usr/lib/mesa-diverted/arm-linux-gnueabihf/libGLESv1_CM.so.1.2.0 by 
glx-diversions
diversion of /usr/lib/arm-linux-gnueabihf/libGLESv1_CM.so.1.1.0 to 
/usr/lib/mesa-diverted/arm-linux-gnueabihf/libGLESv1_CM.so.1.1.0 by 
glx-diversions
diversion of /usr/lib/libGL.so.1.2.0 

Bug#1034191: Alt-F2 fail to open krunner

2023-04-10 Thread Ivan Sergio Borgonovo

Package: libqt5gui5
Version: 5.15.8+dfsg-4

After upgrading from 5.15.8+dfsg-3 to 5.15.8+dfsg-4 opening krunner in 
lxqt doesn't work anymore.


It doesn't seem to be a shortcut problem: Alt-F1, F2 etc. work.

Launching krunner from konsole gets stuck with no debugging info.

Downgrading fixes the problem.

thanks

--
Ivan Sergio Borgonovo
https://www.webthatworks.it https://www.borgonovo.net



Bug#1033847: Please update to upstream sources

2023-04-10 Thread Richard B. Kreckel

On 4/10/23 19:55, Sergio Durigan Junior wrote:

 fix_quote_readline_by_ref.patch, thanks to JuanJo Ciarlante (Closes: 
#739835)
 
 + avoid escaping 1st '~' (LP: #1288314)

 + avoid quoting if empty, else expansion without args only shows
   dirs (LP: #1288031)
 + replace double escaping to single (eg for completing file/paths
   with spaces)


Bingo! What I observe is reported in #825317.

I can confirm that adding a backslash before ~* in 
_quote_readline_by_ref() stops bash doing the very expensive NSS lookup.


Using the upstream version of the function has the same effect, of course.

In my humble opinion, this is a prime example that Debian (and Ubuntu) 
maintainers should be careful with their patches, especially in 
well-maintained packages.


Best wishes,
  -richard.
--
Richard B. Kreckel
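What the thread describes, as an added shell illustration that is not bash-completion's own code: a quoting helper that leaves a leading `~` alone (the behaviour the Debian patch "avoid escaping 1st '~'" introduced) next to one that escapes it (upstream's behaviour), and a re-expansion step that simulates the shell reading the quoted word back. An unescaped `~user` is tilde-expanded by the shell, and that expansion is a passwd lookup through NSS, the expensive step Richard observed; the escaped form stays literal and triggers none. The function names, the pinned HOME value and the sample words are assumptions made for the example.

```sh
#!/bin/sh
# Added illustration, NOT the _quote_readline_by_ref() from bash-completion:
# shows why escaping a leading '~' matters. Completion code hands the quoted
# word back to the shell, which performs tilde expansion on an unescaped
# '~' or '~user'; for '~user' that is a passwd lookup through NSS (the very
# expensive step reported above). With a backslash in front, the word stays
# literal and no lookup happens.

# Variant mirroring the Debian patch: the first '~' is left unescaped.
quote_keep_tilde() {
    printf '%s' "$1"
}

# Variant mirroring upstream: a leading '~' gets a backslash.
quote_escape_tilde() {
    case $1 in
        '~'*) printf '\\%s' "$1" ;;
        *)    printf '%s' "$1" ;;
    esac
}

# Simulates the shell re-reading the quoted word (as happens when the
# completion is inserted). Passing user-influenced text through eval is
# exactly the step completion code has to keep safe, hence the quoting.
reexpand() {
    eval "printf '%s' $1"
}

# Deterministic, constructed environment for the demo: a bare '~' expands
# to $HOME, so pin it instead of depending on the real account database.
HOME=/home/demo
export HOME

# Usage: the unescaped form is expanded (for '~someuser' this would be an
# NSS lookup), the escaped form survives as the literal text.
reexpand "$(quote_keep_tilde '~')";   echo    # /home/demo
reexpand "$(quote_escape_tilde '~')"; echo    # ~
```

Running the same two helpers on `~root` instead of `~` shows the difference that matters here: the first expands to root's home directory through a passwd lookup on every completion, the second never touches NSS.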




Bug#1034190: More security bugs in game loading

2023-04-10 Thread Ben Hutchings
Package: sgt-puzzles
Version: 20230122.806ae71-1
Severity: serious
Tags: security upstream fixed-upstream
X-Debbugs-Cc: Debian Security Team 

Ben Harris found multiple issues in sgt-puzzles where a malformed game
description or save file can lead to a buffer overflow, buffer
overread, use of an uninitialised pointer, integer overflow, null
pointer dereference, division by zero, assertion failure, or memory
leak.  These were fixed upstream over the past few months.

The Debian package doesn't register any media type handler for save
files, so I think this can only be exploited by social-engineering a
user into loading such a file or description.

For most of these bugs, the impact is limited to a crash of the
application.  However, the various memory safety errors may be more
serious.  On some architectures, division by zero does not cause an
exception and this might also be exploitable.

Ben.

-- System Information:
Debian Release: 12.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 
'stable-security'), (500, 'oldstable-updates'), (500, 'unstable'), (500, 
'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-7-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages sgt-puzzles depends on:
ii  libc62.36-8
ii  libcairo21.16.0-7
ii  libgdk-pixbuf-2.0-0  2.42.10+dfsg-1+b1
ii  libglib2.0-0 2.74.6-1
ii  libgtk-3-0   3.24.37-2
ii  libpango-1.0-0   1.50.12+ds-1
ii  libpangocairo-1.0-0  1.50.12+ds-1

Versions of packages sgt-puzzles recommends:
ii  chromium [www-browser]  111.0.5563.64-1
ii  firefox [www-browser]   111.0-3
ii  lynx [www-browser]  2.9.0dev.12-1
ii  xdg-utils   1.1.3-4.1

sgt-puzzles suggests no packages.

-- debconf-show failed



Bug#1034189: Support for NVIDIA GeForce FX 5200 in PowerMac G5

2023-04-10 Thread Stan Johnson
Package: src:linux
Version: 6.1.0-7-powerpc64

Please add support in future Debian powerpc64 kernels for
the NVIDIA GeForce FX 5200 graphics card for PowerMac G5.

The applicable option appears to be CONFIG_FB_RIVA=y or
CONFIG_FB_RIVA=m.

Adding CONFIG_FB_RIVA will allow testing of default Debian
kernels in some PowerMac G5 systems.



Bug#1033593: spyder: does not allow running profiler and says "Please install the Python profiler modules"

2023-04-10 Thread Julian Gilbey
On Sun, Apr 09, 2023 at 11:07:10AM +0100, Julian Gilbey wrote:
> On Mon, Mar 27, 2023 at 06:34:27PM -0300, Patrick Zanon wrote:
> > Package: spyder
> > Version: 5.4.2+ds-5
> > Severity: important
> > X-Debbugs-Cc: ne...@libero.it
> > 
> > 
> > Dear Maintainer,
> > 
> > I'm trying to use spyder's profiling tools, but when I try to run code with 
> > the
> > profiler, the menu item is greyed out. Also if I enable profiler pane 
> > display, 
> > Spyder says "Please install python profiler modules".
> > 
> > In my installation I have:
> >* python3 which provides the python-profiler virtual package
> >* python3-line-profiler
> >* python3-p profile

Dear Patrick,

I just took a quick look at this, and found it works with no
problems, so I don't understand the problem you are having.

I've just uploaded python3-spyder-line-profiler 0.3.1-1 to unstable
(it won't make it to bookworm, though); please install that and see if
the line profiler then works for you.

Best wishes,

   Julian



Bug#1034069: /var/log/boot~ is never created

2023-04-10 Thread Mark Hindley
Bjarni,

Thanks for this

On Fri, Apr 07, 2023 at 09:52:17PM +, Bjarni Ingi Gislason wrote:
> Package: bootlogd
> Version: 3.06-2
> Severity: important
> 
> Dear Maintainer,
> 
>* What led up to the situation?
> 
> /var/log/boot*  was not updated after 28th September 2021.
> 
>   File is used in /etc/init.d/bootlogd.
> 
>   The conditional code
> 
>   if [ -f /var/log/boot ] && [ -f /var/log/boot~ ]
>   then
>   [ "$VERBOSE" = no ] || log_action_begin_msg "Moving boot log 
> file"
>   # bootlogd writes to boot, making backup at boot~
>   cd /var/log && {
>   chgrp adm boot || :
>   savelog -q -p -c 5 boot &&
>   mv boot.0 boot  &&
>   mv boot~ boot.0
>   }
>   ES=$?
>   [ "$VERBOSE" = no ] || log_action_end_msg $ES
>   fi
> 
> is therefore never used.

Yes, I think this code might be cruft from before the change to bootlog using
/run/bootlog.

We may still need to implement savelog rotation for /run/bootlog ->
/var/log/boot though. I will test that.

> -- System Information:
> Debian Release: 12.0
>   APT prefers testing-security
>   APT policy: (500, 'testing-security'), (500, 'testing')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 6.1.20-1 (SMP w/2 CPU threads; PREEMPT)
> Kernel taint flags: TAINT_WARN
> Locale: LANG=is_IS.iso88591, LC_CTYPE=is_IS.iso88591 (charmap=ISO-8859-1), 
> LANGUAGE not set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: sysvinit (via /sbin/init)
> 
> Versions of packages bootlogd depends on:
> ii  libc6   2.36-8
> ii  sysvinit-utils  3.06-2
> 
> bootlogd recommends no packages.
> 
> bootlogd suggests no packages.
> 
> -- Configuration Files:
> /etc/init.d/bootlogd changed [not included]
> /etc/init.d/stop-bootlogd [Errno 2] No such file or directory: 
> '/etc/init.d/stop-bootlogd'
> /etc/init.d/stop-bootlogd-single [Errno 2] No such file or directory: 
> '/etc/init.d/stop-bootlogd-single'

However, AFAICS these scripts are still required. Can you reinstate them and you
should have boot logging to /var/log/boot at least.

Mark
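The rotation step the quoted init script intends but (per the report) never reaches, as an added example that is not bootlogd's script: a portable stand-in for the savelog call that shifts numbered backups, moves the current /var/log/boot to boot.0 and copies the runtime log into place, so it can be tried in a scratch directory. The source and destination paths are parameters; the "adm" group and the depth of five mirror the quoted script, the function names and the 0640 mode are assumptions.

```sh
#!/bin/sh
# Added example, NOT /etc/init.d/bootlogd: a stand-in for the savelog
# rotation discussed above, so a log written to a runtime location (the
# thread mentions /run/bootlog) ends up as /var/log/boot with numbered
# backups. Paths are parameters so the demo runs in a scratch directory.

# rotate_bootlog SRC DST [KEEP]
#   DST.(KEEP-2) -> DST.(KEEP-1), ..., DST.0 -> DST.1, DST -> DST.0,
#   then SRC is copied to DST. KEEP backups (DST.0 .. DST.KEEP-1) survive.
rotate_bootlog() {
    src=$1; dst=$2; keep=${3:-5}
    [ -f "$src" ] || return 1
    i=$((keep - 1))
    while [ "$i" -gt 0 ]; do
        prev=$((i - 1))
        [ -f "$dst.$prev" ] && mv -f "$dst.$prev" "$dst.$i"
        i=$prev
    done
    [ -f "$dst" ] && mv -f "$dst" "$dst.0"
    cp "$src" "$dst"
    # Boot logs expose service names and failures: readable by root and the
    # adm group only (chgrp is allowed to fail outside a real system).
    chmod 0640 "$dst"
    chgrp adm "$dst" 2>/dev/null || :
    return 0
}

# Number of generations present: DST itself plus every DST.N file.
count_generations() {
    n=0
    [ -f "$1" ] && n=1
    for f in "$1".[0-9]*; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Usage in a scratch directory standing in for /run and /var/log.
demo=$(mktemp -d)
printf 'first boot\n' > "$demo/bootlog"
rotate_bootlog "$demo/bootlog" "$demo/boot"
printf 'second boot\n' > "$demo/bootlog"
rotate_bootlog "$demo/bootlog" "$demo/boot"
echo "generations kept: $(count_generations "$demo/boot")"   # 2
rm -rf "$demo"
```

The quoted script only rotates when both /var/log/boot and /var/log/boot~ exist, which is why it is dead code once bootlogd writes elsewhere; keying the rotation on the runtime file instead, as above, is the shape the "/run/bootlog -> /var/log/boot" rotation Mark mentions would take.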



Bug#1034169: libqt5core5a: upgrade to 5.15.8+dfsg-4 stops krunner shortcut from working

2023-04-10 Thread Samuel Thibault
Antonio, le lun. 10 avril 2023 21:13:59 +0200, a ecrit:
> Thread 1 "krunner" received signal SIGSEGV, Segmentation fault.
> 0x74a9814a in ?? () from /lib/x86_64-linux-gnu/libdbus-1.so.3
> (gdb) bt
> #0  0x74a9814a in ?? () from /lib/x86_64-linux-gnu/libdbus-1.so.3
> #1  0x74a982d2 in ?? () from /lib/x86_64-linux-gnu/libdbus-1.so.3
> #2  0x74a982d2 in ?? () from /lib/x86_64-linux-gnu/libdbus-1.so.3
> #3  0x74a982d2 in ?? () from /lib/x86_64-linux-gnu/libdbus-1.so.3
> #4  0x74a98608 in ?? () from /lib/x86_64-linux-gnu/libdbus-1.so.3
> #5  0x74a98743 in ?? () from /lib/x86_64-linux-gnu/libdbus-1.so.3
> #6  0x74a98a40 in _dbus_type_reader_set_basic () from /lib/
> x86_64-linux-gnu/libdbus-1.so.3
> #7  0x74a9604b in _dbus_header_set_field_basic () from /lib/
> x86_64-linux-gnu/libdbus-1.so.3
> #8  0x74a9a92d in ?? () from /lib/x86_64-linux-gnu/libdbus-1.so.3
> #9  0x74a9c793 in dbus_message_iter_append_basic () from /lib/
> x86_64-linux-gnu/libdbus-1.so.3
> #10 0x769c990b in ?? () from /lib/x86_64-linux-gnu/libQt5DBus.so.5
> #11 0x769cb8f1 in ?? () from /lib/x86_64-linux-gnu/libQt5DBus.so.5
> #12 0x7699e8b0 in ?? () from /lib/x86_64-linux-gnu/libQt5DBus.so.5
> #13 0x7699854d in ?? () from /lib/x86_64-linux-gnu/libQt5DBus.so.5
> #14 0x7699b2a8 in ?? () from /lib/x86_64-linux-gnu/libQt5DBus.so.5

Could you re-run with libdbus-1-3-dbgsym and libqt5dbus5-dbgsym
installed?

Samuel



Bug#1034169: libqt5core5a: upgrade to 5.15.8+dfsg-4 stops krunner shortcut from working

2023-04-10 Thread Antonio

Found this:

$ systemctl --user status plasma-krunner
× plasma-krunner.service - KRunner
     Loaded: loaded (/usr/lib/systemd/user/plasma-krunner.service; static)
     Active: failed (Result: signal) since Mon 2023-04-10 21:11:08 CEST; 14s ago
   Duration: 5.239s
    Process: 10623 ExecStart=/usr/bin/krunner (code=killed, signal=SEGV)
   Main PID: 10623 (code=killed, signal=SEGV)
        CPU: 4.176s

apr 10 21:11:03 SAT systemd[3611]: Starting plasma-krunner.service - 
KRunner...
apr 10 21:11:03 SAT systemd[3611]: Started plasma-krunner.service - 
KRunner.
apr 10 21:11:08 SAT systemd[3611]: plasma-krunner.service: Main process 
exited, code=killed, status=11/SEGV
apr 10 21:11:08 SAT systemd[3611]: plasma-krunner.service: Failed with 
result 'signal'.
apr 10 21:11:08 SAT systemd[3611]: plasma-krunner.service: Consumed 
4.176s CPU time.


...

$ gdb /usr/bin/krunner
GNU gdb (Debian 13.1-2) 13.1
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 


This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
.
Find the GDB manual and other documentation resources online at:
   .

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/krunner...
(No debugging symbols found in /usr/bin/krunner)
(gdb) r
Starting program: /usr/bin/krunner
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x703ff6c0 (LWP 10743)]
[New Thread 0x7fffef9e76c0 (LWP 10744)]
[New Thread 0x7fffeccbe6c0 (LWP 10745)]
[New Thread 0x7fffe67ff6c0 (LWP 10746)]
[New Thread 0x7fffe5ffe6c0 (LWP 10747)]
[New Thread 0x7fffe57fd6c0 (LWP 10748)]
[New Thread 0x7fffe4ffc6c0 (LWP 10749)]
[New Thread 0x7fffd8dff6c0 (LWP 10750)]
[New Thread 0x7fffbbfff6c0 (LWP 10751)]
[New Thread 0x7fffc3fff6c0 (LWP 10752)]
[New Thread 0x7fffc37fe6c0 (LWP 10753)]
[New Thread 0x7fffc2ffd6c0 (LWP 10754)]
[New Thread 0x7fffc27fc6c0 (LWP 10755)]
[New Thread 0x7fffc1ffb6c0 (LWP 10756)]
[New Thread 0x7fffc17fa6c0 (LWP 10757)]
[New Thread 0x7fffc0ff96c0 (LWP 10758)]
[New Thread 0x7fffbb7fe6c0 (LWP 10759)]
[New Thread 0x7fffbaffd6c0 (LWP 10760)]
[New Thread 0x7fffba7fc6c0 (LWP 10761)]
[New Thread 0x7fffb9ffb6c0 (LWP 10762)]
[New Thread 0x7fffb97fa6c0 (LWP 10763)]
[New Thread 0x7fffb8ff96c0 (LWP 10764)]
[Thread 0x7fffb8ff96c0 (LWP 10764) exited]
[New Thread 0x7fffb8ff96c0 (LWP 10765)]
[Thread 0x7fffb8ff96c0 (LWP 10765) exited]
[New Thread 0x7fffb8ff96c0 (LWP 10766)]
Thread 1 "krunner" received signal SIGSEGV, Segmentation fault.
0x74a9814a in ?? () from /lib/x86_64-linux-gnu/libdbus-1.so.3
(gdb) bt
#0  0x74a9814a in ?? () from /lib/x86_64-linux-gnu/libdbus-1.so.3
#1  0x74a982d2 in ?? () from /lib/x86_64-linux-gnu/libdbus-1.so.3
#2  0x74a982d2 in ?? () from /lib/x86_64-linux-gnu/libdbus-1.so.3
#3  0x74a982d2 in ?? () from /lib/x86_64-linux-gnu/libdbus-1.so.3
#4  0x74a98608 in ?? () from /lib/x86_64-linux-gnu/libdbus-1.so.3
#5  0x74a98743 in ?? () from /lib/x86_64-linux-gnu/libdbus-1.so.3
#6  0x74a98a40 in _dbus_type_reader_set_basic () from /lib/x86_64-linux-gnu/libdbus-1.so.3
#7  0x74a9604b in _dbus_header_set_field_basic () from /lib/x86_64-linux-gnu/libdbus-1.so.3
#8  0x74a9a92d in ?? () from /lib/x86_64-linux-gnu/libdbus-1.so.3
#9  0x74a9c793 in dbus_message_iter_append_basic () from /lib/x86_64-linux-gnu/libdbus-1.so.3
#10 0x769c990b in ?? () from /lib/x86_64-linux-gnu/libQt5DBus.so.5
#11 0x769cb8f1 in ?? () from /lib/x86_64-linux-gnu/libQt5DBus.so.5
#12 0x7699e8b0 in ?? () from /lib/x86_64-linux-gnu/libQt5DBus.so.5
#13 0x7699854d in ?? () from /lib/x86_64-linux-gnu/libQt5DBus.so.5
#14 0x7699b2a8 in ?? () from /lib/x86_64-linux-gnu/libQt5DBus.so.5
#15 0x76986f3b in QDBusConnection::call(QDBusMessage const&, QDBus::CallMode, int) const () from /lib/x86_64-linux-gnu/libQt5DBus.so.5
#16 0x769a4000 in ?? () from /lib/x86_64-linux-gnu/libQt5DBus.so.5
#17 0x769a6455 in QDBusAbstractInterfaceBase::qt_metacall(QMetaObject::Call, int, void**) () from /lib/x86_64-linux-gnu/libQt5DBus.so.5
#18 0x769a65c7 in QDBusAbstractInterface::qt_metacall(QMetaObject::Call, int, void**) () from /lib/x86_64-linux-gnu/libQt5DBus.so.5
#19 0x70b886a5 in ?? () from /lib/x86_64-linux-gnu/libQt5XcbQpa.so.5
#20 0x75ebebea in QMetaProperty::read(QObject const*) const () from /lib/x86_64-linux-gnu/libQt5Core.so.5
#21 0x75ee4bee in QObject::property(char const*) const ()
  from 

Bug#1034177: bzip2: CVE-2023-29415 CVE-2023-29416 CVE-2023-29418 CVE-2023-29419 CVE-2023-29420 CVE-2023-29421

2023-04-10 Thread Salvatore Bonaccorso
Hi Santiago,

On Mon, Apr 10, 2023 at 08:51:06PM +0200, Santiago Ruano Rincón wrote:
> Control: reassign -1 bzip3
> Control: retitle -1 bipz3 CVE-2023-29415 CVE-2023-29416
> CVE-2023-29418 CVE-2023-29419 CVE-2023-29420 CVE-2023-29421
> 
> Dear Moritz and Sec Team,
> 
> Please, correct me if I am wrong, but it seems a bzip3 bug, instead of a
> bzip2's.

there was an overlap in our messages ;-). Yes the issues are in
src:bzip3 not src:bzip2. 

Regards,
Salvatore



Bug#1034177: bzip2: CVE-2023-29415 CVE-2023-29416 CVE-2023-29418 CVE-2023-29419 CVE-2023-29420 CVE-2023-29421

2023-04-10 Thread Santiago Ruano Rincón
Control: reassign -1 bzip3
Control: retitle -1 bipz3 CVE-2023-29415 CVE-2023-29416 CVE-2023-29418 
CVE-2023-29419 CVE-2023-29420 CVE-2023-29421

Dear Moritz and Sec Team,

Please, correct me if I am wrong, but it seems a bzip3 bug, instead of a
bzip2's.

On 10/04/23 at 19:33, Moritz Mühlenhoff wrote:
> Source: bzip2
> X-Debbugs-CC: t...@security.debian.org
> Severity: grave
> Tags: security
> 
> Hi,
> 
> The following vulnerabilities were published for bzip2.
> 
> CVE-2023-29415[0]:
> | An issue was discovered in libbzip3.a in bzip3 before 1.3.0. A denial
> | of service (process hang) can occur with a crafted archive because
> | bzip3 does not follow the required procedure for interacting with
> | libsais.
> 
> https://github.com/kspalaiologos/bzip3/issues/95
> https://github.com/kspalaiologos/bzip3/commit/56c24ca1f8f25e648d42154369b6962600f76465

bzip2 -t 4.crashes.bz3
bzip2: 4.crashes.bz3: bad magic number (file not created by bzip2)

You can use the `bzip2recover' program to attempt to recover
data from undamaged sections of corrupted files.

> 
> CVE-2023-29416[1]:
> | An issue was discovered in libbzip3.a in bzip3 before 1.3.0. A
> | bz3_decode_block out-of-bounds write can occur with a crafted archive
> | because bzip3 does not follow the required procedure for interacting
> | with libsais.
> 
> https://github.com/kspalaiologos/bzip3/commit/bfa5bf82b53715dfedf048e5859a46cf248668ff
>  (1.3.0)
> https://github.com/kspalaiologos/bzip3/issues/92
> 

I got similar errors.

> CVE-2023-29418[2]:
> | An issue was discovered in libbzip3.a in bzip3 before 1.2.3. There is
> | an xwrite out-of-bounds read.
> 
> https://github.com/kspalaiologos/bzip3/commit/aae16d107f804f69000c09cd92027a140968cc9d
>  (1.2.3)
> https://github.com/kspalaiologos/bzip3/issues/92
> 
> CVE-2023-29419[3]:
> | An issue was discovered in libbzip3.a in bzip3 before 1.2.3. There is
> | a bz3_decode_block out-of-bounds read.
> 
> https://github.com/kspalaiologos/bzip3/commit/8ec8ce7d3d58bf42dabc47e4cc53aa27051bd602
>  (1.2.3)
> https://github.com/kspalaiologos/bzip3/issues/92
> 
> CVE-2023-29420[4]:
> | An issue was discovered in libbzip3.a in bzip3 before 1.2.3. There is
> | a crash caused by an invalid memmove in bz3_decode_block.
> 
> https://github.com/kspalaiologos/bzip3/commit/bb06deb85f1c249838eb938e0dab271d4194f8fa
>  (1.2.3)
> https://github.com/kspalaiologos/bzip3/issues/92
> 
> CVE-2023-29421[5]:
> | An issue was discovered in libbzip3.a in bzip3 before 1.2.3. There is
> | an out-of-bounds write in bz3_decode_block.
> 
> https://github.com/kspalaiologos/bzip3/issues/94
> https://github.com/kspalaiologos/bzip3/commit/33b1951f153c3c5dc8ed736b9110437e1a619b7d
>  (1.2.3)

I am unable to find a similar code in my local bzip2 copy.

> 
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2023-29415
> https://www.cve.org/CVERecord?id=CVE-2023-29415
> [1] https://security-tracker.debian.org/tracker/CVE-2023-29416
> https://www.cve.org/CVERecord?id=CVE-2023-29416
> [2] https://security-tracker.debian.org/tracker/CVE-2023-29418
> https://www.cve.org/CVERecord?id=CVE-2023-29418
> [3] https://security-tracker.debian.org/tracker/CVE-2023-29419
> https://www.cve.org/CVERecord?id=CVE-2023-29419
> [4] https://security-tracker.debian.org/tracker/CVE-2023-29420
> https://www.cve.org/CVERecord?id=CVE-2023-29420
> [5] https://security-tracker.debian.org/tracker/CVE-2023-29421
> https://www.cve.org/CVERecord?id=CVE-2023-29421
> 
> Please adjust the affected versions in the BTS as needed.
> 

Cheers,

 -- Santiago




Bug#1034177: bzip2: CVE-2023-29415 CVE-2023-29416 CVE-2023-29418 CVE-2023-29419 CVE-2023-29420 CVE-2023-29421

2023-04-10 Thread Salvatore Bonaccorso
Hi Moritz,

On Mon, Apr 10, 2023 at 07:33:38PM +0200, Moritz Mühlenhoff wrote:
> Source: bzip2
> X-Debbugs-CC: t...@security.debian.org
> Severity: grave
> Tags: security
> 
> Hi,
> 
> The following vulnerabilities were published for bzip2.

I think this all should be against src:bzip3 instead?

Regards,
Salvatore



Bug#1033847: Please update to upstream sources

2023-04-10 Thread Gabriel F. T. Gomes
Thanks, Sergio.

You're the best archaeologist! S2

On Mon, 10 Apr 2023 13:55:27 -0400
Sergio Durigan Junior  wrote:

> On Monday, April 10 2023, Gabriel F. T. Gomes wrote:
> 
> > When I took the maintainer role for bash-completion, I did a lot of bug
> > archaeology, but the amount of bugs and patches was too large, so I
> > don't know the reason for every packaging bit. I could do some more
> > digging, but a lot of the history was gone when we moved to salsa (I
> > even forgot the name of the old system), so I'll just focus on your
> > problem and try to determine if we can get rid of this specific patch
> > while minimizing pain for other users.  
> 
> Hey!
> 
> So, the old system was called Alioth.  When we migrated to salsa, there
> was some effort to preserve the history of old repositories, and
> fortunately bash-completion was one of them.
> 
> For reference, you can find the Alioth archive here:
> 
>   https://alioth-archive.debian.org/
> 
> Bash-completion's archive is here:
> 
>   https://alioth-archive.debian.org/git/bash-completion/
> 
> We're interested in the debian.git.tar.xz file, which contains the
> git repo for the Debian package:
> 
> $ wget https://alioth-archive.debian.org/git/bash-completion/debian.git.tar.xz
> $ tar xf debian.git.tar.xz
> $ git clone debian.git old-bash-completion
> $ cd old-bash-completion
> $ git log -- debian/patches/00-fix_quote_readline_by_ref.patch
> commit d734ca3bd73ae49b8f452802fb8fb65a440ab07a
> Author: David Paleino 
> AuthorDate: Wed Mar 19 10:20:35 2014 +0100
> Commit: David Paleino 
> CommitDate: Wed Mar 19 10:20:35 2014 +0100
> 
> fix_quote_readline_by_ref.patch, thanks to JuanJo Ciarlante (Closes: 
> #739835)
> 
> + avoid escaping 1st '~' (LP: #1288314)
> + avoid quoting if empty, else expansion without args only shows
>   dirs (LP: #1288031)
> + replace double escaping to single (eg for completing file/paths
>   with spaces)
> 
> HTH,
> 



Bug#1034169: libqt5core5a: upgrade to 5.15.8+dfsg-4 stops krunner shortcut from working

2023-04-10 Thread Antonio
I confirm this problem, it should be in one of the following packages 
installed today:


10/04/23 ^ 10:20:56 libqt5opengl5-dev:amd64 (5.15.8+dfsg-3->5.15.8+dfsg-4)
10/04/23 ^ 10:20:57 qtbase5-private-dev:amd64 (5.15.8+dfsg-3->5.15.8+dfsg-4)
10/04/23 ^ 10:21:00 qtbase5-dev:amd64 (5.15.8+dfsg-3->5.15.8+dfsg-4)
10/04/23 ^ 10:21:02 libqt5core5a:amd64 (5.15.8+dfsg-3->5.15.8+dfsg-4)
10/04/23 ^ 10:21:02 libqt5dbus5:amd64 (5.15.8+dfsg-3->5.15.8+dfsg-4)
10/04/23 ^ 10:21:02 libqt5network5:amd64 (5.15.8+dfsg-3->5.15.8+dfsg-4)
10/04/23 ^ 10:21:02 libqt5gui5:amd64 (5.15.8+dfsg-3->5.15.8+dfsg-4)
10/04/23 ^ 10:21:03 libqt5widgets5:amd64 (5.15.8+dfsg-3->5.15.8+dfsg-4)
10/04/23 ^ 10:21:03 libqt5opengl5:amd64 (5.15.8+dfsg-3->5.15.8+dfsg-4)
10/04/23 ^ 10:21:03 libqt5printsupport5:amd64 (5.15.8+dfsg-3->5.15.8+dfsg-4)
10/04/23 ^ 10:21:04 libqt5sql5:amd64 (5.15.8+dfsg-3->5.15.8+dfsg-4)
10/04/23 ^ 10:21:04 libqt5test5:amd64 (5.15.8+dfsg-3->5.15.8+dfsg-4)
10/04/23 ^ 10:21:04 libqt5xml5:amd64 (5.15.8+dfsg-3->5.15.8+dfsg-4)
10/04/23 ^ 10:21:04 qt5-qmake:amd64 (5.15.8+dfsg-3->5.15.8+dfsg-4)
10/04/23 ^ 10:21:05 qt5-qmake-bin:amd64 (5.15.8+dfsg-3->5.15.8+dfsg-4)
10/04/23 ^ 10:21:05 qtbase5-dev-tools:amd64 (5.15.8+dfsg-3->5.15.8+dfsg-4)
10/04/23 ^ 10:21:06 libqt5concurrent5:amd64 (5.15.8+dfsg-3->5.15.8+dfsg-4)
10/04/23 ^ 10:21:06 libqt5sql5-mysql:amd64 (5.15.8+dfsg-3->5.15.8+dfsg-4)
10/04/23 ^ 10:21:06 libqt5sql5-odbc:amd64 (5.15.8+dfsg-3->5.15.8+dfsg-4)
10/04/23 ^ 10:21:06 libqt5sql5-psql:amd64 (5.15.8+dfsg-3->5.15.8+dfsg-4)
10/04/23 ^ 10:21:06 libqt5sql5-sqlite:amd64 (5.15.8+dfsg-3->5.15.8+dfsg-4)
10/04/23 ^ 10:21:06 libqt5sql5-tds:amd64 (5.15.8+dfsg-3->5.15.8+dfsg-4)
10/04/23 ^ 10:21:07 libsub-handlesvia-perl:all (0.046-1->0.05-1)
10/04/23 ^ 10:21:07 libunbound8:amd64 (1.17.1-1->1.17.1-2)
10/04/23 ^ 10:21:07 qt5-flatpak-platformtheme:amd64 (5.15.8+dfsg-3->5.15.8+dfsg-4)
10/04/23 ^ 10:21:07 qt5-xdgdesktopportal-platformtheme:amd64 (5.15.8+dfsg-3->5.15.8+dfsg-4)
10/04/23 ^ 10:21:07 qt5-gtk-platformtheme:amd64 (5.15.8+dfsg-3->5.15.8+dfsg-4)
10/04/23 ^ 10:21:07 qtbase5-doc:all (5.15.8+dfsg-3->5.15.8+dfsg-4)
10/04/23 ^ 10:21:08 svn2cl:all (0.14-2->0.14-3)
10/04/23 + 10:21:09 qtbase5-doc:all (5.15.8+dfsg-4)
10/04/23 + 10:21:09 libunbound8:amd64 (1.17.1-2)
10/04/23 + 10:21:09 qt5-qmake-bin:amd64 (5.15.8+dfsg-4)
10/04/23 + 10:21:09 svn2cl:all (0.14-3)
10/04/23 + 10:21:09 libsub-handlesvia-perl:all (0.05-1)
10/04/23 + 10:21:09 libqt5core5a:amd64 (5.15.8+dfsg-4)
10/04/23 + 10:21:09 libqt5dbus5:amd64 (5.15.8+dfsg-4)
10/04/23 + 10:21:09 libqt5test5:amd64 (5.15.8+dfsg-4)
10/04/23 + 10:21:09 libqt5concurrent5:amd64 (5.15.8+dfsg-4)
10/04/23 + 10:21:09 qt5-qmake:amd64 (5.15.8+dfsg-4)
10/04/23 + 10:21:09 libqt5network5:amd64 (5.15.8+dfsg-4)
10/04/23 + 10:21:09 libqt5sql5:amd64 (5.15.8+dfsg-4)
10/04/23 + 10:21:09 qtbase5-dev-tools:amd64 (5.15.8+dfsg-4)
10/04/23 + 10:21:09 libqt5xml5:amd64 (5.15.8+dfsg-4)
10/04/23 + 10:21:09 libqt5sql5-psql:amd64 (5.15.8+dfsg-4)
10/04/23 + 10:21:09 libqt5sql5-tds:amd64 (5.15.8+dfsg-4)
10/04/23 + 10:21:09 libqt5sql5-sqlite:amd64 (5.15.8+dfsg-4)
10/04/23 + 10:21:09 libqt5sql5-mysql:amd64 (5.15.8+dfsg-4)
10/04/23 + 10:21:09 libqt5gui5:amd64 (5.15.8+dfsg-4)
10/04/23 + 10:21:09 libqt5widgets5:amd64 (5.15.8+dfsg-4)
10/04/23 + 10:21:09 libqt5sql5-odbc:amd64 (5.15.8+dfsg-4)
10/04/23 + 10:21:09 qt5-gtk-platformtheme:amd64 (5.15.8+dfsg-4)
10/04/23 + 10:21:09 libqt5printsupport5:amd64 (5.15.8+dfsg-4)
10/04/23 + 10:21:09 qtbase5-dev:amd64 (5.15.8+dfsg-4)
10/04/23 + 10:21:09 libqt5opengl5:amd64 (5.15.8+dfsg-4)
10/04/23 + 10:21:09 qtbase5-private-dev:amd64 (5.15.8+dfsg-4)
10/04/23 + 10:21:09 libqt5opengl5-dev:amd64 (5.15.8+dfsg-4)
10/04/23 + 10:21:09 qt5-xdgdesktopportal-platformtheme:amd64 (5.15.8+dfsg-4)
10/04/23 + 10:21:09 qt5-flatpak-platformtheme:amd64 (5.15.8+dfsg-4)
10/04/23 + 10:21:13 man-db:amd64 (2.11.2-2)
10/04/23 + 10:21:14 libc-bin:amd64 (2.36-8)

Krunner is currently no longer available.

Thanks,
Antonio


Bug#1034169: libqt5core5a: upgrade to 5.15.8+dfsg-4 stops krunner shortcut from working

2023-04-10 Thread Samuel Thibault
Antonio, on Mon. 10 April 2023 20:40:12 +0200, wrote:
> I confirm this problem,

Ok, but I'd need a way to reproduce it to be able to fix the change...

Samuel



Bug#1021490: bookworm: please mention users must migrate off dmraid

2023-04-10 Thread Paul Gevers

Control: tags -1 patch

On 09-10-2022 15:15, Chris Hofstaedtler wrote:

please add a note to the bookworm release notes, stating that users need
to migrate off dmraid during or before the bookworm cycle.

New systems cannot be installed with it. bookworm will still have the
dmraid package, so users should be able to copy their data off any such
setup.

I would think in trixie dmraid will be gone completely.


I just filed 1034188 to ensure that.

How's the attached proposal?

Paul
diff --git a/en/issues.dbk b/en/issues.dbk
index 908b7eef..76adbdb6 100644
--- a/en/issues.dbk
+++ b/en/issues.dbk
@@ -537,6 +537,13 @@
 The upstream developer suggests using
 libnss-myhostname instead.
   
+  
+dmraid has not
+seen upstream activity since end 2010 and has been on life
+support in . bookworm will be the last release to
+ship it, so please plan accordingly if you're using
+dmraid.
+  
 	
 
   
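Review bot: the added paragraph tells readers to "plan accordingly" without saying what the plan is; the bug report itself states that bookworm keeps the package precisely so that users can copy their data off such setups, and the note should spell that out, e.g. "migrate any data on dmraid-managed volumes to a supported setup while bookworm is still supported, as the package will not be present in the following release". Minor wording: "since end 2010" reads better as "since the end of 2010".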




Bug#1034188: dmraid's last Debian stable release is bookworm

2023-04-10 Thread Paul Gevers

Source: dmraid
Severity: serious
Tags: sid trixie bookworm bookworm-ignore

Hi,

As discussed in bug 864423 and soon to be documented in the 
release-notes, dmraid is not to be shipped in Debian stable after the 
release of bookworm. This bug should ensure that dmraid will not be in 
trixie.


Paul




Bug#1033847: Please update to upstream sources

2023-04-10 Thread Sergio Durigan Junior
On Monday, April 10 2023, Gabriel F. T. Gomes wrote:

> When I took the maintainer role for bash-completion, I did a lot of bug
> archaeology, but the amount of bugs and patches was too large, so I
> don't know the reason for every packaging bit. I could do some more
> digging, but a lot of the history was gone when we moved to salsa (I
> even forgot the name of the old system), so I'll just focus on your
> problem and try to determine if we can get rid of this specific patch
> while minimizing pain for other users.

Hey!

So, the old system was called Alioth.  When we migrated to salsa, there
was some effort to preserve the history of old repositories, and
fortunately bash-completion was one of them.

For reference, you can find the Alioth archive here:

  https://alioth-archive.debian.org/

Bash-completion's archive is here:

  https://alioth-archive.debian.org/git/bash-completion/

We're interested in the debian.git.tar.xz file, which contains the
git repo for the Debian package:

$ wget https://alioth-archive.debian.org/git/bash-completion/debian.git.tar.xz
$ tar xf debian.git.tar.xz
$ git clone debian.git old-bash-completion
$ cd old-bash-completion
$ git log -- debian/patches/00-fix_quote_readline_by_ref.patch
commit d734ca3bd73ae49b8f452802fb8fb65a440ab07a
Author: David Paleino 
AuthorDate: Wed Mar 19 10:20:35 2014 +0100
Commit: David Paleino 
CommitDate: Wed Mar 19 10:20:35 2014 +0100

fix_quote_readline_by_ref.patch, thanks to JuanJo Ciarlante (Closes: 
#739835)

+ avoid escaping 1st '~' (LP: #1288314)
+ avoid quoting if empty, else expansion without args only shows
  dirs (LP: #1288031)
+ replace double escaping to single (eg for completing file/paths
  with spaces)

HTH,

-- 
Sergio
GPG key ID: 237A 54B1 0287 28BF 00EF  31F4 D0EB 7628 65FC 5E36
Please send encrypted e-mail if possible
https://sergiodj.net/




Bug#1034187: gpac: CVE-2023-0841 CVE-2023-1448 CVE-2023-1449 CVE-2023-1452 CVE-2023-1654 CVE-2023-1655

2023-04-10 Thread Moritz Mühlenhoff
Source: gpac
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2023-1448[1]:
| A vulnerability, which was classified as problematic, was found in
| GPAC 2.3-DEV-rev35-gbbca86917-master. This affects the function
| gf_m2ts_process_sdt of the file media_tools/mpegts.c. The manipulation
| leads to heap-based buffer overflow. Attacking locally is a
| requirement. The exploit has been disclosed to the public and may be
| used. It is recommended to apply a patch to fix this issue. The
| identifier VDB-223293 was assigned to this vulnerability.

https://github.com/gpac/gpac/issues/2388
https://github.com/gpac/gpac/commit/8db20cb634a546c536c31caac94e1f74b778b463

CVE-2023-1449[2]:
| A vulnerability has been found in GPAC 2.3-DEV-rev35-gbbca86917-master
| and classified as problematic. This vulnerability affects the function
| gf_av1_reset_state of the file media_tools/av_parsers.c. The
| manipulation leads to double free. It is possible to launch the attack
| on the local host. The exploit has been disclosed to the public and
| may be used. It is recommended to apply a patch to fix this issue.
| VDB-223294 is the identifier assigned to this vulnerability.

https://github.com/gpac/gpac/issues/2387
https://github.com/gpac/gpac/commit/8ebbfd61c73d61a2913721a492e5a81fb8d9f9a9

CVE-2023-1452[3]:
| A vulnerability was found in GPAC 2.3-DEV-rev35-gbbca86917-master. It
| has been declared as critical. Affected by this vulnerability is an
| unknown functionality of the file filters/load_text.c. The
| manipulation leads to buffer overflow. Local access is required to
| approach this attack. The exploit has been disclosed to the public and
| may be used. It is recommended to apply a patch to fix this issue. The
| identifier VDB-223297 was assigned to this vulnerability.

https://github.com/gpac/gpac/issues/2386
https://github.com/gpac/gpac/commit/a5efec8187de02d1f0a412140b0bf030a6747d3f

CVE-2023-1654[4]:
| Denial of Service in GitHub repository gpac/gpac prior to 2.4.0.

https://huntr.dev/bounties/33652b56-128f-41a7-afcc-10641f69ff14
https://github.com/gpac/gpac/commit/2c055153d401b8c49422971e3a0159869652d3da

CVE-2023-1655[5]:
| Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to
| 2.4.0.

https://huntr.dev/bounties/05f1d1de-bbfd-43fe-bdf9-7f73419ce7c9
https://github.com/gpac/gpac/commit/e7f96c2d3774e4ea25f952bcdf55af1dd6e919f4

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-0841
https://www.cve.org/CVERecord?id=CVE-2023-0841
[1] https://security-tracker.debian.org/tracker/CVE-2023-1448
https://www.cve.org/CVERecord?id=CVE-2023-1448
[2] https://security-tracker.debian.org/tracker/CVE-2023-1449
https://www.cve.org/CVERecord?id=CVE-2023-1449
[3] https://security-tracker.debian.org/tracker/CVE-2023-1452
https://www.cve.org/CVERecord?id=CVE-2023-1452
[4] https://security-tracker.debian.org/tracker/CVE-2023-1654
https://www.cve.org/CVERecord?id=CVE-2023-1654
[5] https://security-tracker.debian.org/tracker/CVE-2023-1655
https://www.cve.org/CVERecord?id=CVE-2023-1655

Please adjust the affected versions in the BTS as needed.



Bug#1034185: opendoas: CVE-2023-28339

2023-04-10 Thread Moritz Mühlenhoff
Source: opendoas
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for opendoas.

CVE-2023-28339[0]:
| OpenDoas through 6.8.2, when TIOCSTI is available, allows privilege
| escalation because of sharing a terminal with the original session.
| NOTE: TIOCSTI is unavailable in OpenBSD 6.0 and later, and can be made
| unavailable in the Linux kernel 6.2 and later.

https://github.com/Duncaen/OpenDoas/issues/106
https://www.openwall.com/lists/oss-security/2023/03/14/4

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28339
https://www.cve.org/CVERecord?id=CVE-2023-28339

Please adjust the affected versions in the BTS as needed.



Bug#1034186: heat: CVE-2023-1625

2023-04-10 Thread Moritz Mühlenhoff
Source: heat
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for heat.

CVE-2023-1625[0]:
information leak in API

https://bugzilla.redhat.com/show_bug.cgi?id=2181621
https://review.opendev.org/c/openstack/heat/+/868166
https://github.com/openstack/heat/commit/1305a3152f75c6e62ec5094ea2bfc38f165204cf
 (20.0.0.0rc1)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-1625
https://www.cve.org/CVERecord?id=CVE-2023-1625

Please adjust the affected versions in the BTS as needed.



Bug#1034184: nextcloud-desktop: CVE-2023-28999

2023-04-10 Thread Moritz Mühlenhoff
Source: nextcloud-desktop
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for nextcloud-desktop.

CVE-2023-28999[0]:
| Nextcloud is an open-source productivity platform. In Nextcloud
| Desktop client 3.0.0 until 3.8.0, Nextcloud Android app 3.13.0 until
| 3.25.0, and Nextcloud iOS app 3.0.5 until 4.8.0, a malicious server
| administrator can gain full access to an end-to-end encrypted folder.
| They can decrypt files, recover the folder structure and add new
| files. This issue is fixed in Nextcloud Desktop 3.8.0,
| Nextcloud Android 3.25.0, and Nextcloud iOS 4.8.0. No known
| workarounds are available.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8875-wxww-3rr8
https://github.com/nextcloud/desktop/pull/5560

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28999
https://www.cve.org/CVERecord?id=CVE-2023-28999

Please adjust the affected versions in the BTS as needed.



Bug#1034183: stellarium: CVE-2023-28371

2023-04-10 Thread Moritz Mühlenhoff
Source: stellarium
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for stellarium.

CVE-2023-28371[0]:
| In Stellarium through 1.2, attackers can write to files that are
| typically unintended, such as ones with absolute pathnames or ..
| directory traversal.

https://github.com/Stellarium/stellarium/commit/1261f74dc4aa6bbd01ab514343424097f8cf46b7
https://github.com/Stellarium/stellarium/commit/787a894897b7872ae96e6f5804a182210edd5c78
https://github.com/Stellarium/stellarium/commit/eba61df3b38605befcb43687a4c0a159dbc0c5cb


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28371
https://www.cve.org/CVERecord?id=CVE-2023-28371

Please adjust the affected versions in the BTS as needed.
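
The CVE text above describes writes to files named by absolute paths or ".." traversal. The following is an added illustration of the check a program needs before writing to a user-chosen file name; it is not Stellarium's code or its fix, and the base directory and file names in it are constructed samples.

```python
"""Keeping user-chosen file names inside one directory.

Added illustration for the CVE-2023-28371 report above; this is not
Stellarium's code or its fix. Programs that write files named by untrusted
input need the check shown here: resolve the candidate path and verify it is
still inside the intended base directory, so neither an absolute name nor
".." segments can redirect the write elsewhere. Directory and file names
below are constructed samples.
"""
from pathlib import Path
from typing import Union


class PathEscape(ValueError):
    """Raised when a requested name would land outside the base directory."""


def safe_target(base: Union[str, Path], untrusted_name: str) -> Path:
    """Return base/untrusted_name if, after normalisation, it is inside base.

    `base` is resolved first so symlinks in the base path itself are taken
    into account. The join happens after resolution: pathlib discards the
    left operand when the right one is absolute, which is exactly what the
    containment test afterwards catches.
    """
    root = Path(base).resolve()
    candidate = (root / untrusted_name).resolve()
    # Prefix match on path components, not on strings: "/data" must not
    # accept "/data-old/x". Equality with root is rejected too, since a file
    # has to be written inside the directory, not in place of it.
    inside = candidate.parts[: len(root.parts)] == root.parts and candidate != root
    if not inside:
        raise PathEscape(f"{untrusted_name!r} resolves to {candidate}, outside {root}")
    return candidate


def is_confined(base: Union[str, Path], untrusted_name: str) -> bool:
    """Boolean form of safe_target for callers that only want a verdict."""
    try:
        safe_target(base, untrusted_name)
        return True
    except PathEscape:
        return False


# Constructed base directory; it does not need to exist for the check to work.
SAMPLE_BASE = "/tmp/stellarium-user-data"

if __name__ == "__main__":
    for name in ("landscapes/mine.ini", "a/../inside.ini",
                 "../escape.ini", "/tmp/elsewhere.ini"):
        verdict = "ok" if is_confined(SAMPLE_BASE, name) else "REFUSED"
        print(f"{name!r:24} -> {verdict}")
```

The comparison is done on path components rather than with a string prefix test, because a string prefix would accept a sibling directory whose name merely begins with the base name.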



Bug#1034182: owslib: CVE-2023-27476

2023-04-10 Thread Moritz Mühlenhoff
Source: owslib
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for owslib.

CVE-2023-27476[0]:
| OWSLib is a Python package for client programming with Open Geospatial
| Consortium (OGC) web service interface standards, and their related
| content models. OWSLib's XML parser (which supports both `lxml` and
| `xml.etree`) does not disable entity resolution, and could lead to
| arbitrary file reads from an attacker-controlled XML payload. This
| affects all XML parsing in the codebase. This issue has been addressed
| in version 0.28.1. All users are advised to upgrade. The only known
| workaround is to patch the library manually. See `GHSA-8h9c-r582-mggc`
| for details.

https://github.com/geopython/OWSLib/commit/d91267303a695d69e73fa71efa100a035852a063

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-27476
https://www.cve.org/CVERecord?id=CVE-2023-27476

Please adjust the affected versions in the BTS as needed.
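
The CVE text above points at an XML parser left with entity resolution enabled. As an added illustration, not OWSLib's code or its fix, the following shows the stdlib-only form of the precaution: a first pass with expat that aborts on any DOCTYPE or entity declaration before anything can be expanded, followed by the ordinary ElementTree parse. With lxml the same goal is reached by constructing the parser with resolve_entities=False; that path is not exercised here, and the two sample documents are constructed.

```python
"""Refusing DTD and entity constructs before XML is parsed.

Added illustration for the CVE-2023-27476 report above. This is not OWSLib's
code and not its fix; it shows the precaution the CVE text points at in the
standard-library form: a scan with expat that raises on any DOCTYPE or entity
declaration, so nothing is ever expanded, followed by the normal ElementTree
parse. The sample documents below are constructed.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when a document declares a DTD or any entity."""


def reject_dtd(data: bytes) -> None:
    """Scan `data` with expat and raise UnsafeXML on DOCTYPE/entity declarations.

    expat calls these handlers while tokenising the prologue, before any
    entity reference is expanded, so an external entity is never fetched and
    an internal one is never substituted into the document.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} is not accepted from untrusted input")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity {name!r} declaration is not accepted")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source, refusing documents that carry a DTD."""
    reject_dtd(data)
    return ET.fromstring(data)


def is_dtd_free(data: bytes) -> bool:
    """Verdict form of reject_dtd for callers that only need a boolean."""
    try:
        reject_dtd(data)
        return True
    except UnsafeXML:
        return False


# Constructed samples. The second declares an internal entity; an external
# (SYSTEM) entity, the kind the CVE text refers to, is declared in the same
# DOCTYPE subset and is refused by the same handler.
CAPABILITIES_OK = (
    b'<?xml version="1.0"?>'
    b"<Capabilities><Service><Name>WMS</Name></Service></Capabilities>"
)
CAPABILITIES_WITH_DTD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE Capabilities [<!ENTITY title "constructed">]>'
    b"<Capabilities><Service><Name>&title;</Name></Service></Capabilities>"
)

if __name__ == "__main__":
    print(parse_untrusted(CAPABILITIES_OK).find("Service/Name").text)  # WMS
    try:
        parse_untrusted(CAPABILITIES_WITH_DTD)
    except UnsafeXML as exc:
        print("refused:", exc)
```

Rejecting the DOCTYPE outright is simpler than trying to distinguish harmless entities from harmful ones, and service responses such as capabilities documents have no legitimate need for a DTD.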



Bug#1034181: nomad: CVE-2023-0821

2023-04-10 Thread Moritz Mühlenhoff
Source: nomad
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for nomad.

CVE-2023-0821[0]:
| HashiCorp Nomad and Nomad Enterprise 1.2.15 up to 1.3.8, and 1.4.3
| jobs using a maliciously compressed artifact stanza source can cause
| excessive disk usage. Fixed in 1.2.16, 1.3.9, and 1.4.4.

https://discuss.hashicorp.com/t/hcsec-2023-05-nomad-client-vulnerable-to-decompression-bombs-in-artifact-block/50292

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-0821
https://www.cve.org/CVERecord?id=CVE-2023-0821

Please adjust the affected versions in the BTS as needed.
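
The CVE text above concerns a maliciously compressed artifact causing excessive disk usage, i.e. a decompression bomb. The following is an added illustration of the general countermeasure, counting output bytes against a budget while inflating; it is not Nomad's code or its fix, and the archive it works on is constructed inline.

```python
"""Bounding decompressed output instead of trusting the compressed size.

Added illustration for the CVE-2023-0821 report above; this is not Nomad's
code or its fix. A compressed stream's size says nothing about how much it
expands to, so a consumer has to count bytes as they are produced and stop at
a budget. The archive used below is constructed inline: a few KiB of gzip
that inflate to several MiB.
"""
import gzip
import zlib


class DecompressionBudgetExceeded(ValueError):
    """Raised when inflating the input would exceed the caller's byte budget."""


def decompress_bounded(data: bytes, max_out: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate gzip `data`, never producing more than `max_out` bytes.

    zlib's decompressobj is driven with max_length so that each call yields
    at most `chunk` bytes; the running total is checked after every call, so
    peak memory is bounded by max_out + chunk regardless of the input.
    """
    d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)  # 16: expect gzip framing
    out = bytearray()
    buf = data
    while not d.eof:
        piece = d.decompress(buf, chunk)
        if not piece and not d.unconsumed_tail:
            # No output, no input left, no end-of-stream marker: truncated.
            raise ValueError("truncated gzip stream")
        out += piece
        if len(out) > max_out:
            raise DecompressionBudgetExceeded(
                f"output exceeded {max_out} bytes after {len(data)} compressed bytes"
            )
        buf = d.unconsumed_tail  # input held back because of max_length
    return bytes(out)


def exceeds_budget(data: bytes, max_out: int) -> bool:
    """Verdict form: True if inflating `data` would exceed max_out bytes."""
    try:
        decompress_bounded(data, max_out)
        return False
    except DecompressionBudgetExceeded:
        return True


# Constructed samples: 4 MiB of zero bytes gzip to roughly 4 KiB, and a
# small stream used to show the bounded path returns the exact payload.
INFLATED_SIZE = 4 * 1024 * 1024
SAMPLE_ARCHIVE = gzip.compress(b"\0" * INFLATED_SIZE)
SMALL_ARCHIVE = gzip.compress(b"hello")

if __name__ == "__main__":
    print(len(SAMPLE_ARCHIVE), "compressed bytes")
    print(exceeds_budget(SAMPLE_ARCHIVE, 1024 * 1024))  # True
    print(len(decompress_bounded(SAMPLE_ARCHIVE, 8 * 1024 * 1024)))  # 4194304
```

The same budget check applies when the output is streamed to disk rather than held in memory; the point is that the limit is enforced on bytes produced, not on the size of the download.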



Bug#1034179: qemu: CVE-2023-1544

2023-04-10 Thread Moritz Mühlenhoff
Source: qemu
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qemu.

CVE-2023-1544[0]:
| A flaw was found in the QEMU implementation of VMWare's paravirtual
| RDMA device. This flaw allows a crafted guest driver to allocate and
| initialize a huge number of page tables to be used as a ring of
| descriptors for CQ and async events, potentially leading to an out-of-
| bounds read and crash of QEMU.

https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-1544
https://www.cve.org/CVERecord?id=CVE-2023-1544

Please adjust the affected versions in the BTS as needed.



Bug#1034180: radare2: CVE-2023-1605

2023-04-10 Thread Moritz Mühlenhoff
Source: radare2
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for radare2.

CVE-2023-1605[0]:
| Denial of Service in GitHub repository radareorg/radare2 prior to
| 5.8.6.

https://huntr.dev/bounties/9dddcf5b-7dd4-46cc-abf9-172dce20bab2
https://github.com/radareorg/radare2/commit/508a6307045441defd1bef0999a1f7052097613f

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-1605
https://www.cve.org/CVERecord?id=CVE-2023-1605

Please adjust the affected versions in the BTS as needed.



Bug#1034178: opensmtpd: CVE-2023-29323

2023-04-10 Thread Moritz Mühlenhoff
Source: opensmtpd
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for opensmtpd.

CVE-2023-29323[0]:
| ascii_load_sockaddr in smtpd in OpenBSD before 7.1 errata 024 and 7.2
| before errata 020, and OpenSMTPD Portable before 7.0.0-portable commit
| f748277, can abort upon a connection from a local, scoped IPv6
| address.

https://ftp.openbsd.org/pub/OpenBSD/patches/7.1/common/024_smtpd.patch.sig

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-29323
https://www.cve.org/CVERecord?id=CVE-2023-29323

Please adjust the affected versions in the BTS as needed.



Bug#1034177: bzip2: CVE-2023-29415 CVE-2023-29416 CVE-2023-29418 CVE-2023-29419 CVE-2023-29420 CVE-2023-29421

2023-04-10 Thread Moritz Mühlenhoff
Source: bzip2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for bzip2.

CVE-2023-29415[0]:
| An issue was discovered in libbzip3.a in bzip3 before 1.3.0. A denial
| of service (process hang) can occur with a crafted archive because
| bzip3 does not follow the required procedure for interacting with
| libsais.

https://github.com/kspalaiologos/bzip3/issues/95
https://github.com/kspalaiologos/bzip3/commit/56c24ca1f8f25e648d42154369b6962600f76465

CVE-2023-29416[1]:
| An issue was discovered in libbzip3.a in bzip3 before 1.3.0. A
| bz3_decode_block out-of-bounds write can occur with a crafted archive
| because bzip3 does not follow the required procedure for interacting
| with libsais.

https://github.com/kspalaiologos/bzip3/commit/bfa5bf82b53715dfedf048e5859a46cf248668ff
 (1.3.0)
https://github.com/kspalaiologos/bzip3/issues/92

CVE-2023-29418[2]:
| An issue was discovered in libbzip3.a in bzip3 before 1.2.3. There is
| an xwrite out-of-bounds read.

https://github.com/kspalaiologos/bzip3/commit/aae16d107f804f69000c09cd92027a140968cc9d
 (1.2.3)
https://github.com/kspalaiologos/bzip3/issues/92

CVE-2023-29419[3]:
| An issue was discovered in libbzip3.a in bzip3 before 1.2.3. There is
| a bz3_decode_block out-of-bounds read.

https://github.com/kspalaiologos/bzip3/commit/8ec8ce7d3d58bf42dabc47e4cc53aa27051bd602
 (1.2.3)
https://github.com/kspalaiologos/bzip3/issues/92

CVE-2023-29420[4]:
| An issue was discovered in libbzip3.a in bzip3 before 1.2.3. There is
| a crash caused by an invalid memmove in bz3_decode_block.

https://github.com/kspalaiologos/bzip3/commit/bb06deb85f1c249838eb938e0dab271d4194f8fa
 (1.2.3)
https://github.com/kspalaiologos/bzip3/issues/92

CVE-2023-29421[5]:
| An issue was discovered in libbzip3.a in bzip3 before 1.2.3. There is
| an out-of-bounds write in bz3_decode_block.

https://github.com/kspalaiologos/bzip3/issues/94
https://github.com/kspalaiologos/bzip3/commit/33b1951f153c3c5dc8ed736b9110437e1a619b7d
 (1.2.3)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-29415
https://www.cve.org/CVERecord?id=CVE-2023-29415
[1] https://security-tracker.debian.org/tracker/CVE-2023-29416
https://www.cve.org/CVERecord?id=CVE-2023-29416
[2] https://security-tracker.debian.org/tracker/CVE-2023-29418
https://www.cve.org/CVERecord?id=CVE-2023-29418
[3] https://security-tracker.debian.org/tracker/CVE-2023-29419
https://www.cve.org/CVERecord?id=CVE-2023-29419
[4] https://security-tracker.debian.org/tracker/CVE-2023-29420
https://www.cve.org/CVERecord?id=CVE-2023-29420
[5] https://security-tracker.debian.org/tracker/CVE-2023-29421
https://www.cve.org/CVERecord?id=CVE-2023-29421

Please adjust the affected versions in the BTS as needed.



Bug#1032642: iproute2: ip tunnel change ip6gre to gre crashes with stack smash

2023-04-10 Thread Stephen Hemminger
On Mon, 3 Apr 2023 20:47:01 -0600
David Ahern  wrote:

> On 4/3/23 9:24 AM, Stephen Hemminger wrote:
> > ted  
> >>
> >> This happens because iproute2 just assumes the tunnel is ipv4, but the
> >> kernel "knows" it's actually ip6gre so when calling the SIOCGETTUNNEL
> >> ioctl it writes back a struct ip6_tnl_parm2 into the struct
> >> ip_tunnel_parm which is smaller, so the stack gets overwritten. Is
> >> there any way to tell from userspace whether a gre is v4 or v6 before
> >> doing an ioctl? The ioctls don't take/return a size parameter as far
> >> as I can see...  
> > 
> > Ip uses an IPv4 UDP socket when it thinks it is talking to GRE.
> > And an IPv6 UDP socket when it is talking to GRE6.
> > 
> > So the kernel could check and error out?
> >   
> 
> Does seem like a kernel bug and a well known design flaw in ioctl
> interface (assuming buffer of a specific size). The best iproute2 can do
> is have `old_p` be a larger size (e.g., ip6_tnl_parm2) to avoid the
> overrun, but then the result is nonsense with no way for it to know an ipv6
> struct was passed back. The crash at least indicates something is off.

I started to look into redoing the whole 'ip tunnel XXX' as just a remapping
of arguments and calling the equivalent 'ip link ... type YYY' and it is doable
for the basic stuff.

Then started looking at the Potential Router List (PRL) stuff.
Looks like this is only supported through ioctl().
Definitely a dusty dark corner of networking code with rarely used features.

Plus things like: the code to get the PRL will allow a bigger get if called
from root vs. a non-root user??
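The size mismatch the thread describes, as an added example that is not iproute2 or kernel code: the two structs below are simplified stand-ins constructed for this example (not the real struct ip_tunnel_parm and struct ip6_tnl_parm2 layouts), and fake_get_tunnel() stands in for the kernel's SIOCGETTUNNEL handler, which writes a reply whose size follows the device's real type. It shows why a caller buffer sized for the IPv4 struct is overrun when the device is actually ip6gre, and why a buffer sized for the largest reply (the mitigation mentioned above) stops the overrun but still cannot tell the caller which struct it received.

```c
/* Added example, not code from iproute2 or the kernel. The structs are
 * simplified stand-ins constructed here to model the size mismatch between
 * struct ip_tunnel_parm and the larger struct ip6_tnl_parm2. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NAMESZ 16
#define CANARY_LEN 64

struct v4_parm {               /* stand-in for struct ip_tunnel_parm */
    char name[NAMESZ];
    int link;
    uint32_t local, remote;    /* 28 bytes on common ABIs */
};

struct v6_parm {               /* stand-in for struct ip6_tnl_parm2 */
    char name[NAMESZ];
    int link;
    uint8_t laddr[16], raddr[16];
    uint32_t flags;            /* 56 bytes: larger than v4_parm */
};

union tunnel_parm {            /* sized for the largest possible reply */
    struct v4_parm v4;
    struct v6_parm v6;
};

enum tunnel_kind { TUNNEL_V4, TUNNEL_V6 };

/* Models the kernel side of SIOCGETTUNNEL: the reply size depends on what the
 * device really is, and the ioctl carries no size for the caller to check. */
static void fake_get_tunnel(enum tunnel_kind actual, void *buf)
{
    if (actual == TUNNEL_V6) {
        struct v6_parm p;
        memset(&p, 0, sizeof p);
        strcpy(p.name, "gre6-0");
        memset(p.laddr, 0xaa, sizeof p.laddr);   /* constructed address bytes */
        memcpy(buf, &p, sizeof p);
    } else {
        struct v4_parm p;
        memset(&p, 0, sizeof p);
        strcpy(p.name, "gre0");
        memcpy(buf, &p, sizeof p);
    }
}

/* Returns 1 if the bytes following the caller's buffer were left untouched. */
static int canary_intact(const unsigned char *canary)
{
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (canary[i] != 'C')
            return 0;
    return 1;
}

/* The pattern from the thread: userspace assumes IPv4 and hands the kernel a
 * buffer sized for v4_parm only. A canary after the buffer models the stack
 * data that gets smashed when the device is really ip6gre. */
int query_assuming_v4(enum tunnel_kind actual)
{
    unsigned char frame[sizeof(struct v4_parm) + CANARY_LEN];
    memset(frame + sizeof(struct v4_parm), 'C', CANARY_LEN);
    fake_get_tunnel(actual, frame);
    return canary_intact(frame + sizeof(struct v4_parm));
}

/* The mitigation: pass a buffer sized for the largest reply. This prevents
 * the overrun, but it cannot reveal which struct came back, so the contents
 * are only trustworthy together with an independent check of the device type
 * (for example the socket family used when talking to it). */
int query_with_union(enum tunnel_kind actual)
{
    unsigned char frame[sizeof(union tunnel_parm) + CANARY_LEN];
    memset(frame + sizeof(union tunnel_parm), 'C', CANARY_LEN);
    fake_get_tunnel(actual, frame);
    return canary_intact(frame + sizeof(union tunnel_parm));
}
```

query_assuming_v4(TUNNEL_V6) returns 0 because the 56-byte reply runs past the 28-byte buffer into the canary, while query_with_union() returns 1 for both device kinds; what it does not do is validate the data, which is the part of the problem the thread says the ioctl interface cannot solve.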



Bug#1034169: libqt5core5a: upgrade to 5.15.8+dfsg-4 stops krunner shortcut from working

2023-04-10 Thread Samuel Thibault
Hello,

Arthur Marsh, on Tue, 11 April 2023 00:43:16 +0930, wrote:
> krunner alt-F2 shortcut worked again

I cannot reproduce the issue.  What I did was:

- install bookworm with the KDE desktop task
- upgrade libqt5core5a to 5.15.8+dfsg-4, that upgraded all other
  libraries from qt5base.
- rebooted
- logged into the KDE session
- pressed alt-f2, and krunner showed up.

I tried both with Xorg and wayland, in both cases it worked.

Is there something specific in your desktop environment, compared to
that situation?

The change included in 5.15.8+dfsg-4 is really not related to shortcuts
at all so this issue is very surprising.

Samuel



Bug#1033847: Please update to upstream sources

2023-04-10 Thread Gabriel F. T. Gomes
On Mon, 10 Apr 2023 14:04:06 +0200
"Richard B. Kreckel"  wrote:
>
> Regarding my hangs: It is because something's broken in my NIS 
> (yellow-pages) setup (haven't fully analyzed yet). It turns out that, 
> when doing tab completion, your patch 00-fix_quote_readline_by_ref.patch 
> tries to match against ~*, which incurs a NIS look-up and that blocks.
> The upstream version doesn't do that and it seems like the patch has 
> never been applied.

Thanks for the info, I'll try to replicate.

> Are you sure it is necessary?

I'm not sure. See below.

> If no: can it be removed?

Maybe. See below.

> If yes: has it been reported upstream and what was the response?

I don't know. See below.

When I took the maintainer role for bash-completion, I did a lot of bug
archaeology, but the amount of bugs and patches was too large, so I
don't know the reason for every packaging bit. I could do some more
digging, but a lot of the history was gone when we moved to salsa (I
even forgot the name of the old system), so I'll just focus on your
problem and try to determine if we can get rid of this specific patch
while minimizing pain for other users.

Best regards,
Gabriel



Bug#1034167: unblock (pre-approval): mutter/43.4-1

2023-04-10 Thread Sebastian Ramacher
Control: tags -1 moreinfo confirmed

On 2023-04-10 15:29:08 +0100, Simon McVittie wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: mut...@packages.debian.org
> Control: affects -1 + src:mutter
> 
> I'd like to upload a new upstream bug fix release of mutter.

Please go ahead and remove the moreinfo tag once the version is
available in unstable.

Cheers

> 
> [ Reason ]
> Catch up with upstream 43.4 bug fix release, and cherry-pick patches
> that were already accepted for 43.5.
> 
> [ Impact ]
> Multiple bug fixes and one translation update. Also transfer various
> earlier bug fixes from Debian patches into part of the upstream source.
> 
> [ Tests ]
> I used a previous release-candidate on my Intel laptop for several days
> without noticing any regressions. The only change since that version is
> the Abkhazian translation update.
> 
> Upstream's automated tests (at build-time and during autopkgtest) have the
> same coverage and results as the version currently in bookworm.
> 
> [ Risks ]
> Key package with high visibility in our default desktop environment, but
> the changes are narrowly targeted.
> 
> [ Checklist ]
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing
>   (filtered to exclude patch contents and translations)
> 
> [ Other info ]
> This has only been tested together with the corresponding gnome-shell
> update.
> 
> There is a remaining X11 focus issue that I'd like to be able to fix in
> bookworm (#1032388) but upstream does not have a solution for it yet,
> and the version already in testing has the same bug.
> 
> unblock mutter/43.4-1

> debdiff *.dsc | filterdiff -p1 -x'po/*.po' -x'debian/patches/*.patch'
> 
> diffstat for mutter-43.3 mutter-43.4
> 
>  NEWS | 13
>  clutter/clutter/clutter-text.c | 1
>  cogl/cogl/cogl-framebuffer.c | 2
>  cogl/cogl/cogl-onscreen.c | 18
>  cogl/cogl/cogl-onscreen.h | 3
>  debian/changelog | 23
>  debian/patches/Revert-x11-Do-not-move-X11-input-focus-during-grabs.patch | 87
>  debian/patches/Revert-x11-events-Do-not-update-focus-XWindow-during-grab.patch | 36
>  debian/patches/Update-Abkhazian-translation.patch | 4262 ++
>  debian/patches/color-device-Don-t-close-lcms-profile-on-error-from-cd_ic.patch | 52
>  debian/patches/color-device-Make-sure-lcms_context-is-not-NULL.patch | 47
>  debian/patches/core-Avoid-focusing-windows-on-map-during-grabs.patch | 35
>  debian/patches/debian/Support-Dynamic-triple-double-buffering.patch | 8
>  debian/patches/debian/meson-Do-not-mark-CI-test-tools-as-required.patch | 2
>  debian/patches/meson-add-back-default_driver-option.patch | 2
>  debian/patches/series | 10
>  debian/patches/wayland-Don-t-overwrite-surface-offsets.patch | 57
>  debian/patches/wayland-Skip-subsurface-desync-if-parent-is-NULL.patch | 35
>  debian/patches/x11-Avoid-updating-focus-on-wayland-compositor.patch | 47
>  debian/patches/x11-Ignore-_NET_ACTIVE_WINDOW-client-messages-while-grabb.patch | 45
>  meson.build | 2
>  po/ab.po | 4159 +
>  src/backends/meta-stage-impl.c | 14
>  src/wayland/meta-wayland-subsurface.c | 6
>  24 files changed, 8509 insertions(+), 457 deletions(-)
> 
> diff -Nru mutter-43.3/clutter/clutter/clutter-text.c 
> mutter-43.4/clutter/clutter/clutter-text.c
> --- mutter-43.3/clutter/clutter/clutter-text.c2023-02-13 
> 18:12:26.0 +
> +++ mutter-43.4/clutter/clutter/clutter-text.c2023-03-19 
> 22:26:48.0 +
> @@ -1826,7 +1826,6 @@
>  
>clutter_text_free_paint_volume (self);
>  
> -  clutter_text_set_buffer (self, NULL);
>g_free (priv->font_name);
>  
>g_clear_object (>input_focus);
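Review bot: with `clutter_text_set_buffer (self, NULL);` dropped from this teardown path, nothing left in the hunk releases the text buffer; the surrounding lines (freeing the paint volume, `g_free (priv->font_name)`, clearing `input_focus`) read like a finalize or dispose routine, so the changelog or NEWS entry should state where the buffer is now released, otherwise a reviewer cannot tell this apart from a leak.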
> diff -Nru mutter-43.3/cogl/cogl/cogl-framebuffer.c 
> mutter-43.4/cogl/cogl/cogl-framebuffer.c
> --- mutter-43.3/cogl/cogl/cogl-framebuffer.c  2023-02-13 18:12:26.0 
> +
> +++ mutter-43.4/cogl/cogl/cogl-framebuffer.c  2023-03-19 22:26:48.0 
> +
> @@ -1695,8 +1695,6 @@
>

Bug#1034166: unblock (pre-approval): gnome-shell/43.4-1

2023-04-10 Thread Sebastian Ramacher
Control: tags -1 moreinfo confirmed

On 2023-04-10 15:27:52 +0100, Simon McVittie wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: gnome-sh...@packages.debian.org
> Control: affects -1 + src:gnome-shell
> 
> I'd like to upload a new upstream bug fix release of gnome-shell.

Please go ahead and remove the moreinfo tag once the version is
available in unstable.

Cheers

> 
> [ Reason ]
> Catch up with upstream 43.4 bug fix release, and cherry-pick patches
> that were already accepted for 43.5.
> 
> [ Impact ]
> One small bug fix, one translation update, and convert several earlier
> translation updates and bug fixes from being applied as patches to being
> part of the updated upstream source.
> 
> [ Tests ]
> I used a previous release-candidate on my Intel laptop for several days
> without noticing any regressions. The only change since that version is
> the Abkhazian translation update.
> 
> [ Risks ]
> Key package with high visibility in our default desktop environment, but
> the changes are narrowly targeted.
> 
> [ Checklist ]
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing
>   (filtered to exclude patch contents and translations)
> 
> [ Other info ]
> This has only been tested together with the corresponding mutter update.
> 
> unblock gnome-shell/43.4-1

> debdiff *.dsc | filterdiff -p1 -x'debian/patches/*.patch' -x'po/*.po'
> 
> diffstat for gnome-shell-43.3 gnome-shell-43.4
> 
>  NEWS | 14
>  debian/changelog | 16
>  debian/patches/Update-Abkhazian-translation.patch | 4910 ++
>  debian/patches/Update-Finnish-translation.patch | 873 -
>  debian/patches/Update-Georgian-translation.patch | 577 -
>  debian/patches/Update-German-translation.patch | 896 -
>  debian/patches/Update-Hungarian-translation.patch | 848 -
>  debian/patches/Update-Indonesian-translation.patch | 544 -
>  debian/patches/Update-Lithuanian-translation.patch | 554 -
>  debian/patches/Update-Polish-translation.patch | 806 -
>  debian/patches/Update-Portuguese-translation.patch | 574 -
>  debian/patches/Update-Serbian-translation.patch | 591 -
>  debian/patches/Update-Slovenian-translation.patch | 1990
>  debian/patches/Update-Swedish-translation.patch | 537 -
>  debian/patches/Update-Turkish-translation.patch | 869 -
>  debian/patches/Update-Ukrainian-translation.patch | 577 -
>  debian/patches/debian/Revert-build-Port-to-gcr4.patch | 2
>  debian/patches/overview-Don-t-claim-to-be-SHOWN-when-HIDDEN-during-start.patch | 38
>  debian/patches/overview-Hide-when-failing-to-take-grab-at-end-of-startup.patch | 27
>  debian/patches/series | 16
>  js/ui/dnd.js | 9
>  js/ui/status/network.js | 6
>  meson.build | 2
>  po/ab.po | 4383
>  po/fr.po | 377
>  subprojects/extensions-app/data/metainfo/org.gnome.Extensions.metainfo.xml.in | 1
>  subprojects/extensions-app/meson.build | 2
>  subprojects/extensions-app/subprojects/shew/meson.build | 2
>  subprojects/extensions-tool/meson.build | 2
>  subprojects/shew/meson.build | 2
>  30 files changed, 9414 insertions(+), 10631 deletions(-)
> 
> diff -Nru gnome-shell-43.3/debian/changelog gnome-shell-43.4/debian/changelog
> --- gnome-shell-43.3/debian/changelog 2023-03-08 11:09:54.0 +
> +++ gnome-shell-43.4/debian/changelog 2023-04-10 14:07:38.0 +0100
> @@ -1,3 +1,19 @@
> +gnome-shell (43.4-1) unstable; urgency=medium
> +
> +  * Team upload
> +  * New upstream release
> +- Fix memory leaks when the list of wireless networks is refreshed
> +  (GNOME/gnome-shell!2652)
> +- Stop tracking 

Bug#1034175: libfm-qt12: When connecting to an unknown host using ssh:// or sftp:// target, "Log In Anyway" button is ignored

2023-04-10 Thread Julien ROBIN
Package: libfm-qt12
Version: 1.2.1-1+b1
Severity: normal
X-Debbugs-Cc: julien.robi...@free.fr

Dear Maintainer,

When connecting to ssh:// or sftp:// for the first time, a question message
appears, which is normal (described below). But the "Log In Anyway" button
causes "Login dialog canceled" instead of validating.
The following message (and the following bug) only occur when the remote ssh
host isn't already in the ~/.ssh folder.

The related message:
-
Identity Verification Failed
Verifying the identity of “[...]” failed, this happens when you log in to a
computer the first time.

The identity sent by the remote computer is "[...]". If you want to be
absolutely sure it is safe to continue, contact the system administrator.
-
Two buttons are available:
  - Log In Anyway
  - Cancel Login

But both of them give the following message: "Login dialog canceled"

This message's text and buttons can be seen in other software using GVFS (see
"gvfsbackendsftp.c" in the GVFS source code, which is where these messages
are located).
However, in this other software the "Log In Anyway" button is correctly
handled and/or transmitted to GVFS.

I took a look at the lxqt source code and I believe I found where and why
this bug occurs (this is the only place a QMessageBox::Question is used to
display both the message and the buttons from somewhere else).
It's libfm-qt/src/mountoperationquestiondialog.cpp (and its associated header
mountoperationquestiondialog_p.h).

The "done()" event handler seems to be doing the right thing; however, the
closeEvent() handler (which is going to be called sooner or later, before or
after done(), I don't know) is forcibly passing G_MOUNT_OPERATION_ABORTED to
g_mount_operation_reply(), without any check to avoid it in case this is not
wanted. This may be the origin of this issue.

Hoping this report may help,

Best regards,
Julien ROBIN


-- System Information:
Debian Release: 12.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-7-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libfm-qt12 depends on:
ii  libc6 2.36-8
ii  libexif12 0.6.24-1+b1
ii  libglib2.0-0  2.74.6-1
ii  libglib2.0-bin2.74.6-1
ii  libmenu-cache31.1.0-1.1
ii  libqt5core5a [qtbase-abi-5-15-8]  5.15.8+dfsg-3
ii  libqt5gui55.15.8+dfsg-3
ii  libqt5widgets55.15.8+dfsg-3
ii  libqt5x11extras5  5.15.8-2
ii  libstdc++612.2.0-14
ii  libxcb1   1.15-1
ii  shared-mime-info  2.2-1

Versions of packages libfm-qt12 recommends:
ii  libfm-qt-l10n  1.2.1-1

libfm-qt12 suggests no packages.

-- no debconf information
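The guard the report says is missing, as an added example in C rather than the project's Qt code: struct mount_op and mount_operation_reply() are stand-ins constructed here for GMountOperation and g_mount_operation_reply(), the result codes are placeholders for the G_MOUNT_OPERATION_* values, and the dialog is reduced to its done and close handlers. It contrasts a close handler that always replies ABORTED with one that replies exactly once, so a close that follows the user's "Log In Anyway" choice cannot overwrite that choice, whichever order the two handlers run in.

```c
/* Added example, not libfm-qt or GLib code. mount_op and
 * mount_operation_reply() are constructed stand-ins for GMountOperation and
 * g_mount_operation_reply(); the result codes are placeholders. */
#include <stdbool.h>

enum mount_result {
    MOUNT_REPLY_NONE = -1,     /* no reply sent yet */
    MOUNT_REPLY_HANDLED = 0,   /* stand-in for G_MOUNT_OPERATION_HANDLED */
    MOUNT_REPLY_ABORTED = 1    /* stand-in for G_MOUNT_OPERATION_ABORTED */
};

struct mount_op {
    enum mount_result last_reply;  /* what the operation will act on */
    int reply_count;               /* how many replies it received */
};

static void mount_operation_reply(struct mount_op *op, enum mount_result r)
{
    /* As with the real call, a later reply simply replaces the earlier one. */
    op->last_reply = r;
    op->reply_count++;
}

struct question_dialog {
    struct mount_op *op;
    bool replied;   /* guarded variant only: set once any reply went out */
};

/* Button ids of the modelled dialog: 0 = "Log In Anyway", 1 = "Cancel Login". */
static enum mount_result result_for_button(int button)
{
    return button == 0 ? MOUNT_REPLY_HANDLED : MOUNT_REPLY_ABORTED;
}

/* Unguarded variant, the pattern the report describes: done() replies with
 * the user's choice, and closeEvent() replies ABORTED unconditionally. */
static void unguarded_done(struct question_dialog *d, int button)
{
    mount_operation_reply(d->op, result_for_button(button));
}
static void unguarded_close(struct question_dialog *d)
{
    mount_operation_reply(d->op, MOUNT_REPLY_ABORTED);
}

/* Guarded variant: whichever handler runs first sends the one and only
 * reply; the other becomes a no-op, regardless of the order they run in. */
static void guarded_done(struct question_dialog *d, int button)
{
    if (d->replied)
        return;
    d->replied = true;
    mount_operation_reply(d->op, result_for_button(button));
}
static void guarded_close(struct question_dialog *d)
{
    if (d->replied)
        return;
    d->replied = true;
    mount_operation_reply(d->op, MOUNT_REPLY_ABORTED);
}

/* Runs one dialog life cycle: the user presses `button` (or none, if < 0),
 * then the window closes. Returns the reply the mount operation ends up
 * with and stores the number of replies it saw in *replies. */
enum mount_result run_dialog(bool guarded, int button, int *replies)
{
    struct mount_op op = { MOUNT_REPLY_NONE, 0 };
    struct question_dialog d = { &op, false };

    if (button >= 0) {
        if (guarded)
            guarded_done(&d, button);
        else
            unguarded_done(&d, button);
    }
    if (guarded)
        guarded_close(&d);
    else
        unguarded_close(&d);

    *replies = op.reply_count;
    return op.last_reply;
}
```

With the unguarded handlers, pressing "Log In Anyway" and then closing leaves the operation with ABORTED after two replies, which matches the "Login dialog canceled" outcome in the report; the guarded handlers send exactly one reply in every scenario, including a close with no button pressed.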


Bug#1034134: [pre-approval] unblock: glibc/2.36-9

2023-04-10 Thread Sebastian Ramacher
Control: tags -1 moreinfo confirmed

On 2023-04-10 11:02:23 +0200, Aurelien Jarno wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: gl...@packages.debian.org, debian-gl...@lists.debian.org
> Control: affects -1 + src:glibc
> 
> [ Reason ]
> An RC bug reported by a user (#1033931) triggered a routine update of
> the glibc package from the upstream stable tree, which contains the fix.
> 
> The upstream stable tree also includes a fix to the daylight computation
> affecting at least the Africa/Tripoli timezone, as well as a fix to the
> testsuite on POWER when compiling with -mcpu=power10 (which is not the
> case of Debian).
> 
> This is also the occasion to update the debconf translation that has
> been received since the toolchain freeze.

Please go ahead and remove the moreinfo tag once the version is
available in unstable.

Cheers

> 
> [ Impact ]
> The FIS-GT.M database randomly crashes on x86 processors using the SSE2
> version of memcmp, due to a bug in that specific implementation.
> 
> [ Tests ]
> The changes to the SSE2 version of memcmp are covered by the existing
> testsuite. The changes to the daylight computation come with a new
> test, which unfortunately can't be run, as it requires a binary test
> file which can't be included easily in the diff, so it is disabled in
> the Debian package, but I verified manually that it passes correctly.
> 
> [ Risks ]
> The changes in the resulting binary packages are quite small if we
> except the translation updates, and have been shipped in some other
> distributions for a couple of months.
> 
> Let me anyway detail the changelog that might look scary at a first
> glance:
> 
> |  [ Aurelien Jarno ]
> |  * debian/po/it.po: Update Italian debconf translation, by Luca Monducci.
> |Closes: #1028133.
> |  * debian/po/tr.po: Update Turkish debconf translation, by Atila KOÇ.
> |Closes: #1028306.
> |  * debian/po/cs.po: Update Czech debconf translation, by Miroslav Kure.
> |Closes: #1028326.
> |  * debian/po/zh_CN.po: Update Chinese debconf translation, by Tianyu Chen.
> |  * debian/po/pt.po: Update Portuguese debconf translation, by Pedro Ribeiro.
> |Closes: #1028353.
> |  * debian/po/sk.po: Fix invalid control sequence in Slovak translation.
> |  * debian/po/pt_BR.po: Update Brazilian Portuguese debconf translation, by
> |Adriano Rafael Gomes. Closes: #1029005.
> |  * debian/po/nl.po: Update Dutch debconf translation, by Frans Spiesschaert.
> |Closes: #1029018, #1033905.
> |  * debian/po/ro.po: Update Romanian debconf translation, by Remus-Gabriel
> |Chelu. Closes: #1031163.
> 
> All of the above are just debconf translation updates received
> recently, it would be good to have them for Bookworm. They represent the
> majority of the diff.
> 
> |  * debian/patches/git-updates.diff: update from upstream stable branch:
> |- Prevent SIGSEGV in the SSE2 version of memcmp when data is concurrently
> |  modified. Closes: #1033931.
> |- Fix a corner case in daylight computation affecting the Africa/Tripoli
> |  zone since tzdata 2022g.
> |- Fix elf/tst-tlsopt-powerpc failure when compiled with -mcpu=power10.
> 
> Those are the changes pulled from the upstream stable branch. Note that
> the changes to elf/tst-tlsopt-powerpc are not relevant for Debian as the
> ppc64el toolchain does not default to -mcpu=power10 (and neither do the
> ppc64 or powerpc ones), and anyway the change is in the testsuite so it
> does not affect the resulting binary packages.
> 
> |  * patches/any/local-disable-tst-bz29951.diff: disable new test included in
> |the latest update from upstream stable branch, as git-updates.diff can't
> |include the corresponding binary test file.
> 
> As explained above we can't easily run the new test for the daylight
> computation fix, so this patch disables it until we can find a better
> solution.
> 
> |  [ Samuel Thibault ]
> |  * debian/sysdeps/hurd.mk: Add -fno-omit-frame-pointer to extra_cflags.
> |  * debian/testsuite-xfail-debian.mk: Update hurd results.
> |  * debian/patches/hurd-i386/git-intr-msg-cfa.diff: Fix stack unwinding over
> |_hurd_intr_rpc_mach_msg, for go runtime.
> |  * debian/libc0.3.symbols.hurd-i386: Update symbols with new RPCs.
> 
> Those are changes that have been accumulated in git since the toolchain
> freeze, and only affect hurd specific code, so with no impact on the
> binaries of the release architectures.
> 
> [ Checklist ]
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing

> diff --git a/debian/changelog b/debian/changelog
> index d1a16865..d67a3e5d 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,41 @@
> +glibc (2.36-9) unstable; urgency=medium
> +
> +  [ Aurelien Jarno ]
> +  * debian/po/it.po: Update Italian debconf translation, by Luca Monducci.
> +

Bug#1034149: unblock: (pre-approval): glib2.0/2.74.6-2

2023-04-10 Thread Sebastian Ramacher
Control: tags -1 confirmed moreinfo

On 2023-04-10 13:17:32 +0100, Simon McVittie wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: glib...@packages.debian.org
> Control: affects -1 + src:glib2.0
> 
> I've been using this proposed glib2.0 update for a few days and I'd like
> to upload it to unstable. There's nothing RC here, but it seems safer and
> easier to do several small bugfix updates rather than one large one.

Please go ahead and remove the moreinfo tag once the package is
available in unstable.

Cheers

> 
> [ Reason ]
> Pick up stable-branch changes from upstream, which are expected to be
> released in 2.74.7 at some point.
> 
> [ Impact ]
> If not accepted:
> - Peer-to-peer D-Bus servers implemented with GLib, such as the ones in
>   gvfs and ibus, won't interoperate properly with sd-bus clients
>   (GNOME/glib#2916)
> - Some multi-threaded uses of GDBus will have a use-after-free
>   (GNOME/glib#2924)
> - glib2.0 will FTBFS in non-minimal Docker containers (GNOME/glib#3307)
> 
> [ Tests ]
> Automated tests continue to pass, and I've been using this version on my
> laptop for several days. There is no specific test coverage for the changes.
> 
> [ Risks ]
> High-visibility key package, but the changes are narrowly targeted.
> 
> [ Checklist ]
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing
> 
> unblock glib2.0/2.74.6-2

> diffstat for glib2.0-2.74.6 glib2.0-2.74.6
> 
>  debian/changelog | 13
>  debian/patches/gdbus-Fix-an-accidental-string-freeze-break.patch | 31 ++
>  debian/patches/gdbus-Never-buffer-reads-during-server-authentication.patch | 141 ++
>  debian/patches/gdbusconnection-Make-GDBusMethodInvocation-transfer-a-bit.patch | 28 +
>  debian/patches/gdbusinterfaceskeleton-Fix-a-use-after-free-of-a-GDBusMet.patch | 58
>  debian/patches/gdbusinterfaceskeleton-Remove-an-unnecessary-helper-struc.patch | 83 +
>  debian/patches/series | 6
>  debian/patches/tests-Skip-assert-msg-test.py-if-gdb-fails.patch | 34 ++
>  gio/gdbusauth.c | 50 ++-
>  gio/gdbusconnection.c | 2
>  gio/gdbusinterfaceskeleton.c | 24 -
>  glib/tests/assert-msg-test.py | 6
>  12 files changed, 442 insertions(+), 34 deletions(-)
> 
> diff -Nru glib2.0-2.74.6/debian/changelog glib2.0-2.74.6/debian/changelog
> --- glib2.0-2.74.6/debian/changelog   2023-03-02 20:53:53.0 +
> +++ glib2.0-2.74.6/debian/changelog   2023-04-04 09:55:32.0 +0100
> @@ -1,3 +1,16 @@
> +glib2.0 (2.74.6-2) unstable; urgency=medium
> +
> +  * d/patches: Update to upstream 2.74.x branch commit
> +2.74.6-12-ga1e169129, omitting Windows-specific changes
> +- Fix GDBus server interop with sd-bus clients (GNOME/glib#2916)
> +- Fix use-after-free of a GDBusMethodInvocation in some threaded
> +  use patterns (GNOME/glib#2924)
> +- Fix a test failure resulting in FTBFS in some container environments
> +  if gdb happens to be installed, but access to ptrace and
> +  /proc/PID/mem is disallowed (GNOME/glib#3307)
> +
> + -- Simon McVittie   Tue, 04 Apr 2023 09:55:32 +0100
> +
>  glib2.0 (2.74.6-1) unstable; urgency=medium
>  
>* New upstream stable release
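Review bot: the entry summarises three issues (GNOME/glib#2916, #2924, #3307) while the diffstat above adds seven patches, among them gdbus-Fix-an-accidental-string-freeze-break.patch, gdbus-Never-buffer-reads-during-server-authentication.patch (50 lines changed in gio/gdbusauth.c) and gdbusconnection-Make-GDBusMethodInvocation-transfer-a-bit.patch; if those belong to the #2916 and #2924 series, saying so in the entry would let the release team match the changelog against the patch list without opening each DEP-3 header.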
> diff -Nru 
> glib2.0-2.74.6/debian/patches/gdbusconnection-Make-GDBusMethodInvocation-transfer-a-bit.patch
>  
> glib2.0-2.74.6/debian/patches/gdbusconnection-Make-GDBusMethodInvocation-transfer-a-bit.patch
> --- 
> glib2.0-2.74.6/debian/patches/gdbusconnection-Make-GDBusMethodInvocation-transfer-a-bit.patch
>  1970-01-01 01:00:00.0 +0100
> +++ 
> glib2.0-2.74.6/debian/patches/gdbusconnection-Make-GDBusMethodInvocation-transfer-a-bit.patch
>  2023-04-04 09:55:32.0 +0100
> @@ -0,0 +1,28 @@
> +From: Philip Withnall 
> +Date: Wed, 22 Feb 2023 12:50:10 +
> +Subject: gdbusconnection: Make GDBusMethodInvocation transfer a bit clearer
> +
> +Add a missing steal call in `schedule_method_call()`. This introduces no
> +functional changes, but documents the ownership transfer more clearly.
> +
> +Signed-off-by: Philip Withnall 
> +Bug: https://gitlab.gnome.org/GNOME/glib/-/issues/2924
> +Origin: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3298
> +Applied-upstream: 2.74.7, commit:2da9ca2727a559a5e6b517582d14ba05d963f603
> +---
> + gio/gdbusconnection.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/gio/gdbusconnection.c b/gio/gdbusconnection.c
> +index 

Bug#977945: Can't reproduce

2023-04-10 Thread ng

I can't reproduce this anymore, how should I proceed?

I am not sure if it was caused by a bad implementation of starting X on a
tty; I am currently using the following in my .profile file:


if [ -z "$DISPLAY" ] && [ "$(tty)" = "/dev/tty1" ]; then
  exec startxfce4
fi


It was either that or an update.   I believe I was using startx instead 
of xfce4, something like:


if [ -z "${DISPLAY}" ] && [ "${XDG_VTNR}" -eq 1 ]; then
  exec startx
fi

Anyhow, seems to be fixed/not a bug per se?



Bug#1034172: python-cmarkgfm: CVE-2023-26485 CVE-2023-24824

2023-04-10 Thread Moritz Mühlenhoff
Source: python-cmarkgfm
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for python-cmarkgfm.

CVE-2023-26485[0]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. A polynomial time complexity issue
| in cmark-gfm may lead to unbounded resource exhaustion and subsequent
| denial of service. This CVE covers quadratic complexity issues when
| parsing text which leads with either large numbers of `_` characters.
| This issue has been addressed in version 0.29.0.gfm.10. Users are
| advised to upgrade. Users unable to upgrade should validate that their
| input comes from trusted sources. ### Impact A polynomial time
| complexity issue in cmark-gfm may lead to unbounded resource
| exhaustion and subsequent denial of service. ### Proof of concept ```
| $ ~/cmark-gfm$ python3 -c 'pad = "_" * 10; print(pad + "." + pad,
| end="")' | time ./build/src/cmark-gfm --to plaintext ``` Increasing
| the number 1 in the above commands causes the running time to
| increase quadratically. ### Patches This vulnerability have been
| patched in 0.29.0.gfm.10. ### Note on cmark and cmark-gfm XXX: TBD
| [cmark-gfm](https://github.com/github/cmark-gfm) is a fork of
| [cmark](https://github.com/commonmark/cmark) that adds the GitHub
| Flavored Markdown extensions. The two codebases have diverged over
| time, but share a common core. These bugs affect both `cmark` and
| `cmark-gfm`. ### Credit We would like to thank @gravypod for reporting
| this vulnerability. ### References
| https://en.wikipedia.org/wiki/Time_complexity ### For more information
| If you have any questions or comments about this advisory: * Open an
| issue in [github/cmark-gfm](https://github.com/github/cmark-gfm)

https://github.com/github/cmark-gfm/security/advisories/GHSA-r8vr-c48j-fcc5
https://github.com/github/cmark-gfm/commit/07a66c9bc341f902878e37d7da8647d6ef150987

CVE-2023-24824[1]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. A polynomial time complexity issue
| in cmark-gfm may lead to unbounded resource exhaustion and subsequent
| denial of service. This CVE covers quadratic complexity issues when
| parsing text which leads with either large numbers of `` or `-`
| characters. This issue has been addressed in version 0.29.0.gfm.10.
| Users are advised to upgrade. Users unable to upgrade should validate
| that their input comes from trusted sources.

https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh
https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-26485
https://www.cve.org/CVERecord?id=CVE-2023-26485
[1] https://security-tracker.debian.org/tracker/CVE-2023-24824
https://www.cve.org/CVERecord?id=CVE-2023-24824

Please adjust the affected versions in the BTS as needed.



Bug#1034174: ruby-commonmarker: CVE-2023-26485 CVE-2023-24824

2023-04-10 Thread Moritz Mühlenhoff
Source: ruby-commonmarker
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for ruby-commonmarker.

CVE-2023-26485[0]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. A polynomial time complexity issue
| in cmark-gfm may lead to unbounded resource exhaustion and subsequent
| denial of service. This CVE covers quadratic complexity issues when
| parsing text which leads with either large numbers of `_` characters.
| This issue has been addressed in version 0.29.0.gfm.10. Users are
| advised to upgrade. Users unable to upgrade should validate that their
| input comes from trusted sources. ### Impact A polynomial time
| complexity issue in cmark-gfm may lead to unbounded resource
| exhaustion and subsequent denial of service. ### Proof of concept ```
| $ ~/cmark-gfm$ python3 -c 'pad = "_" * 10; print(pad + "." + pad,
| end="")' | time ./build/src/cmark-gfm --to plaintext ``` Increasing
| the number 1 in the above commands causes the running time to
| increase quadratically. ### Patches This vulnerability have been
| patched in 0.29.0.gfm.10. ### Note on cmark and cmark-gfm XXX: TBD
| [cmark-gfm](https://github.com/github/cmark-gfm) is a fork of
| [cmark](https://github.com/commonmark/cmark) that adds the GitHub
| Flavored Markdown extensions. The two codebases have diverged over
| time, but share a common core. These bugs affect both `cmark` and
| `cmark-gfm`. ### Credit We would like to thank @gravypod for reporting
| this vulnerability. ### References
| https://en.wikipedia.org/wiki/Time_complexity ### For more information
| If you have any questions or comments about this advisory: * Open an
| issue in [github/cmark-gfm](https://github.com/github/cmark-gfm)

https://github.com/github/cmark-gfm/security/advisories/GHSA-r8vr-c48j-fcc5
https://github.com/github/cmark-gfm/commit/07a66c9bc341f902878e37d7da8647d6ef150987

CVE-2023-24824[1]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. A polynomial time complexity issue
| in cmark-gfm may lead to unbounded resource exhaustion and subsequent
| denial of service. This CVE covers quadratic complexity issues when
| parsing text which leads with either large numbers of `` or `-`
| characters. This issue has been addressed in version 0.29.0.gfm.10.
| Users are advised to upgrade. Users unable to upgrade should validate
| that their input comes from trusted sources.

https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh
https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-26485
https://www.cve.org/CVERecord?id=CVE-2023-26485
[1] https://security-tracker.debian.org/tracker/CVE-2023-24824
https://www.cve.org/CVERecord?id=CVE-2023-24824

Please adjust the affected versions in the BTS as needed.



Bug#1034173: r-cran-commonmark: CVE-2023-26485 CVE-2023-24824

2023-04-10 Thread Moritz Mühlenhoff
Source: r-cran-commonmark
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for r-cran-commonmark.

CVE-2023-26485[0]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. A polynomial time complexity issue
| in cmark-gfm may lead to unbounded resource exhaustion and subsequent
| denial of service. This CVE covers quadratic complexity issues when
| parsing text which leads with either large numbers of `_` characters.
| This issue has been addressed in version 0.29.0.gfm.10. Users are
| advised to upgrade. Users unable to upgrade should validate that their
| input comes from trusted sources. ### Impact A polynomial time
| complexity issue in cmark-gfm may lead to unbounded resource
| exhaustion and subsequent denial of service. ### Proof of concept ```
| $ ~/cmark-gfm$ python3 -c 'pad = "_" * 10; print(pad + "." + pad,
| end="")' | time ./build/src/cmark-gfm --to plaintext ``` Increasing
| the number 1 in the above commands causes the running time to
| increase quadratically. ### Patches This vulnerability have been
| patched in 0.29.0.gfm.10. ### Note on cmark and cmark-gfm XXX: TBD
| [cmark-gfm](https://github.com/github/cmark-gfm) is a fork of
| [cmark](https://github.com/commonmark/cmark) that adds the GitHub
| Flavored Markdown extensions. The two codebases have diverged over
| time, but share a common core. These bugs affect both `cmark` and
| `cmark-gfm`. ### Credit We would like to thank @gravypod for reporting
| this vulnerability. ### References
| https://en.wikipedia.org/wiki/Time_complexity ### For more information
| If you have any questions or comments about this advisory: * Open an
| issue in [github/cmark-gfm](https://github.com/github/cmark-gfm)

https://github.com/github/cmark-gfm/security/advisories/GHSA-r8vr-c48j-fcc5
https://github.com/github/cmark-gfm/commit/07a66c9bc341f902878e37d7da8647d6ef150987

CVE-2023-24824[1]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. A polynomial time complexity issue
| in cmark-gfm may lead to unbounded resource exhaustion and subsequent
| denial of service. This CVE covers quadratic complexity issues when
| parsing text which leads with either large numbers of `` or `-`
| characters. This issue has been addressed in version 0.29.0.gfm.10.
| Users are advised to upgrade. Users unable to upgrade should validate
| that their input comes from trusted sources.

https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh
https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-26485
https://www.cve.org/CVERecord?id=CVE-2023-26485
[1] https://security-tracker.debian.org/tracker/CVE-2023-24824
https://www.cve.org/CVERecord?id=CVE-2023-24824

Please adjust the affected versions in the BTS as needed.



Bug#1034171: cmark-gfm: CVE-2023-26485 CVE-2023-24824

2023-04-10 Thread Moritz Mühlenhoff
Source: cmark-gfm
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for cmark-gfm.

CVE-2023-26485[0]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. A polynomial time complexity issue
| in cmark-gfm may lead to unbounded resource exhaustion and subsequent
| denial of service. This CVE covers quadratic complexity issues when
| parsing text which leads with either large numbers of `_` characters.
| This issue has been addressed in version 0.29.0.gfm.10. Users are
| advised to upgrade. Users unable to upgrade should validate that their
| input comes from trusted sources. ### Impact A polynomial time
| complexity issue in cmark-gfm may lead to unbounded resource
| exhaustion and subsequent denial of service. ### Proof of concept ```
| $ ~/cmark-gfm$ python3 -c 'pad = "_" * 10; print(pad + "." + pad,
| end="")' | time ./build/src/cmark-gfm --to plaintext ``` Increasing
| the number 1 in the above commands causes the running time to
| increase quadratically. ### Patches This vulnerability have been
| patched in 0.29.0.gfm.10. ### Note on cmark and cmark-gfm XXX: TBD
| [cmark-gfm](https://github.com/github/cmark-gfm) is a fork of
| [cmark](https://github.com/commonmark/cmark) that adds the GitHub
| Flavored Markdown extensions. The two codebases have diverged over
| time, but share a common core. These bugs affect both `cmark` and
| `cmark-gfm`. ### Credit We would like to thank @gravypod for reporting
| this vulnerability. ### References
| https://en.wikipedia.org/wiki/Time_complexity ### For more information
| If you have any questions or comments about this advisory: * Open an
| issue in [github/cmark-gfm](https://github.com/github/cmark-gfm)

https://github.com/github/cmark-gfm/security/advisories/GHSA-r8vr-c48j-fcc5
https://github.com/github/cmark-gfm/commit/07a66c9bc341f902878e37d7da8647d6ef150987

CVE-2023-24824[1]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. A polynomial time complexity issue
| in cmark-gfm may lead to unbounded resource exhaustion and subsequent
| denial of service. This CVE covers quadratic complexity issues when
| parsing text which leads with either large numbers of `` or `-`
| characters. This issue has been addressed in version 0.29.0.gfm.10.
| Users are advised to upgrade. Users unable to upgrade should validate
| that their input comes from trusted sources.

https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh
https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-26485
https://www.cve.org/CVERecord?id=CVE-2023-26485
[1] https://security-tracker.debian.org/tracker/CVE-2023-24824
https://www.cve.org/CVERecord?id=CVE-2023-24824

Please adjust the affected versions in the BTS as needed.



Bug#990703: Bookworm has the fix

2023-04-10 Thread ng

Hello,

pinentry-program /usr/bin/pinentry works again in Bookworm, I don't 
have to install pinentry-qt anymore.


Bug resolved.



Bug#1034170: netatalk: CVE-2022-43634

2023-04-10 Thread Moritz Mühlenhoff
Source: netatalk
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for netatalk.

CVE-2022-43634[0]:
| This vulnerability allows remote attackers to execute arbitrary code
| on affected installations of Netatalk. Authentication is not required
| to exploit this vulnerability. The specific flaw exists within the
| dsi_writeinit function. The issue results from the lack of proper
| validation of the length of user-supplied data prior to copying it to
| a fixed-length heap-based buffer. An attacker can leverage this
| vulnerability to execute code in the context of root. Was ZDI-
| CAN-17646.

https://github.com/Netatalk/Netatalk/pull/186
https://github.com/advisories/GHSA-fwj9-7qq8-jc93
https://www.zerodayinitiative.com/advisories/ZDI-23-094/
https://github.com/Netatalk/netatalk/commit/5fcb4ab02aced14484310165b3d754bb2f0820ca


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-43634
https://www.cve.org/CVERecord?id=CVE-2022-43634

Please adjust the affected versions in the BTS as needed.



Bug#1033913: partman-auto-lvm: Broken "Guided - use entire disk and set up LVM" in UEFI mode

2023-04-10 Thread Pascal Hambourg

On 10/04/2023 at 15:13, Steve McIntyre wrote:


Overall comment: I'm not trying to make the heuristics 100% reliable
here, as I don't think that's actually possible. Instead, I'm trying
to tread the fine line of:

  * minimising false negatives - let's try to pick up on the most
common cases where people are dual-booting with other systems and
might not understand the issues here. That's 99%+ going to be
people with Windows installed

  * minimising false positives - the issue that angered Cyril in
particular, with an incomplete LVM setup triggering the "bios
bootable OS" warning


IMO it is more important to avoid false positives, because switching to 
a BIOS installation on systems which are not BIOS-boot capable would 
create a non-bootable system. In case oft is easier to install GRUB for 
BIOS boot on a running EFI system than the other way around.



- Other BIOS boot loaders such as syslinux/extlinux do not need or use a BIOS
boot partition.


Also not a use case I'm particularly caring about, I'll be
honest. They're also *really* not likely to work well without another
filesystem in use, which I expect we'll detect anyway.


Indeed other partitions are needed and will be detected, but they will 
not increment $NUM_NOT_ESP if the disk is GPT and has no BIOS boot 
partition (so $DISK_BIOS_BOOT=no), so it might cause a false negative. 
So why not just treat MSDOS and GPT disk labels equally and treat BIOS 
boot partitions like any other non-ESP?



1b) IIUC the patch fixes #1033913 because the disk selected for installation
has received a new GPT disklabel without a BIOS boot partition, so further
checking is skipped. But IMO the root cause of #1033913 is that changes are
not committed to disk after setting the 'boot' and 'esp' flags to the newly
created ESP partition before stopping parted_server.


I originally thought about fixing partman-auto-lvm but it appears that 
other transient states can also trigger the "force UEFI installation" 
dialog during partitioning, for example after setting up LVM in manual 
partitioning if there is no ESP partition yet. As discussed in 
#debian-boot, a more general fix might be to run the check only once 
because only existing partitions before partitioning are relevant. Are 
there any use cases for which this might cause a false negative?



4) It appears that partman fails to detect the specially crafted partition
table on the installation media created with a debian image. Is it intended
or fortunately unintentional? If partman could see the EFI partition on the
installation media, the detection of BIOS-bootable systems would fail.


That's not a worry for today... :-)


Sure, but the issue can also happen if another removable media is 
present. For instance the USB drive I use to provide missing firmware 
has an ESP partition (and a regular partition table) thus can cause a 
false negative.




Bug#1034169: libqt5core5a: upgrade to 5.15.8+dfsg-4 stops krunner shortcut from working

2023-04-10 Thread Arthur Marsh
Package: libqt5core5a
Version: 5.15.8+dfsg-4
Severity: important

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?

Doing the following upgrade:

[UPGRADE] libqt5concurrent5:amd64 5.15.8+dfsg-3 -> 5.15.8+dfsg-4
[UPGRADE] libqt5core5a:amd64 5.15.8+dfsg-3 -> 5.15.8+dfsg-4
[UPGRADE] libqt5dbus5:amd64 5.15.8+dfsg-3 -> 5.15.8+dfsg-4
[UPGRADE] libqt5gui5:amd64 5.15.8+dfsg-3 -> 5.15.8+dfsg-4
[UPGRADE] libqt5network5:amd64 5.15.8+dfsg-3 -> 5.15.8+dfsg-4
[UPGRADE] libqt5opengl5:amd64 5.15.8+dfsg-3 -> 5.15.8+dfsg-4
[UPGRADE] libqt5opengl5-dev:amd64 5.15.8+dfsg-3 -> 5.15.8+dfsg-4
[UPGRADE] libqt5printsupport5:amd64 5.15.8+dfsg-3 -> 5.15.8+dfsg-4
[UPGRADE] libqt5sql5:amd64 5.15.8+dfsg-3 -> 5.15.8+dfsg-4
[UPGRADE] libqt5sql5-mysql:amd64 5.15.8+dfsg-3 -> 5.15.8+dfsg-4
[UPGRADE] libqt5sql5-psql:amd64 5.15.8+dfsg-3 -> 5.15.8+dfsg-4
[UPGRADE] libqt5sql5-sqlite:amd64 5.15.8+dfsg-3 -> 5.15.8+dfsg-4
[UPGRADE] libqt5test5:amd64 5.15.8+dfsg-3 -> 5.15.8+dfsg-4
[UPGRADE] libqt5widgets5:amd64 5.15.8+dfsg-3 -> 5.15.8+dfsg-4
[UPGRADE] libqt5xml5:amd64 5.15.8+dfsg-3 -> 5.15.8+dfsg-4
[UPGRADE] qt5-gtk-platformtheme:amd64 5.15.8+dfsg-3 -> 5.15.8+dfsg-4
[UPGRADE] qt5-qmake:amd64 5.15.8+dfsg-3 -> 5.15.8+dfsg-4
[UPGRADE] qt5-qmake-bin:amd64 5.15.8+dfsg-3 -> 5.15.8+dfsg-4
[UPGRADE] qtbase5-dev:amd64 5.15.8+dfsg-3 -> 5.15.8+dfsg-4
[UPGRADE] qtbase5-dev-tools:amd64 5.15.8+dfsg-3 -> 5.15.8+dfsg-4


   * What exactly did you do (or not do) that was effective (or
 ineffective)?

Downgrading all those packages to 5.15.8+dfsg-3

   * What was the outcome of this action?

krunner alt-F2 shortcut worked again

   * What outcome did you expect instead?

*** End of the template - remove these template lines ***


-- System Information:
Debian Release: 12.0
  APT prefers experimental
  APT policy: (1, 'experimental')
merged-usr: no
Architecture: amd64 (x86_64)

Kernel: Linux 6.3.0-rc6 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libqt5core5a depends on:
ii  libc6  2.36-8
ii  libdouble-conversion3  3.2.1-1
ii  libgcc-s1  13-20230320-1
ii  libglib2.0-0   2.75.2-1
ii  libicu72   72.1-3
ii  libpcre2-16-0  10.42-1
ii  libstdc++6 13-20230320-1
ii  libzstd1   1.5.4+dfsg2-5
ii  shared-mime-info   2.2-1
ii  zlib1g 1:1.2.13.dfsg-1

Versions of packages libqt5core5a recommends:
ii  qttranslations5-l10n  5.15.8-2

Versions of packages libqt5core5a suggests:
ii  libthai0  0.1.29-1

-- no debconf information



Bug#1032298: tcpdump: apparmor blocks writing to stdout/stderr in lxd container [PATCH]

2023-04-10 Thread Romain Francoise
Hi,

On Fri, Mar 3, 2023 at 9:45 AM Gianfranco Costamagna
 wrote:
> +  # allow printing to stdout/stderr when inside a container
> +  # (LP: #1667016)
> +  /dev/pts/* rw,
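Review bot: `/dev/pts/* rw,` grants read and write on every pseudo-terminal on the system, not only the one tcpdump's stdout/stderr are attached to, which is far wider than the intent stated in the comment above it; consider scoping the rule with AppArmor's `owner` qualifier (`owner /dev/pts/* rw,`) so only ptys owned by the process's user are reachable, and if no narrower path works, say why in the comment.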

Thank you for reporting this issue, and the patch. While the change is
indeed trivial, giving unfettered rw access to /dev/pts/* is a high
price to pay in terms of weakening the sandbox for an uncommon use
case. With access to /dev/pts, an attacker can access SSH sessions and
other terminals.

Is there any way this could be fixed on the LXD side, or made more restrictive?

Regards,
-- 
Romain Francoise 
https://people.debian.org/~rfrancoise/



Bug#1020479: Ready to Implement

2023-04-10 Thread Soren Stoutner
The dependencies are finally in place so this can be implemented.

To make things simpler for dictionary packagers, we are using a virtual 
package and an unversioned path for the conversion tool so that dictionary 
packagers don’t have to make modifications to their packages when the versions 
of Qt change in Debian.

All you should need to do is the following:

1.  Build-depend on `convert-bdic`.
2.  Create a temporary copy of the dictionaries and remove the IGNORE commands 
from the .aff files.
3.  Use /usr/bin/convert-bdic to do the dictionary conversion.
4.  Place the .bdic files in /usr/share/hunspell-bdic.

More detailed information can be found in the dictionary packager 
documentation at:

file:///usr/share/doc/dictionaries-common-dev/dsdt-policy.html#hunspell-bdic

Thanks,

Soren
-- 
Soren Stoutner
so...@stoutner.com
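The staging and conversion steps listed in the message above, as an added shell example that is not part of the message or of dictionaries-common. The `convert-bdic` argument order (`<input .dic> <output .bdic>`) and the sample `xx` dictionary are assumptions; the staged .aff is inspected so the IGNORE removal can be checked before the conversion tool is ever run.

```shell
#!/bin/sh
# Added example, not from the message or from dictionaries-common: stage a
# hunspell dictionary for .bdic conversion following the four steps above.
# Assumption: convert-bdic takes "<input .dic> <output .bdic>"; check the
# dsdt-policy documentation referenced above for the real interface.
set -eu

# strip_ignore SRC_AFF DST_AFF: copy an .aff file without its IGNORE
# directives (lines that start with the IGNORE keyword), keeping the rest.
strip_ignore() {
    [ -f "$1" ] || { echo "strip_ignore: missing $1" >&2; return 1; }
    # grep -v exits 1 when no line survives; an empty .aff is still a result
    grep -v '^IGNORE[[:space:]]' "$1" > "$2" || true
}

# prepare_dict SRC_DIR LANG WORK_DIR: stage LANG.dic and a cleaned LANG.aff
# in WORK_DIR (step 2) and print the path of the staged .aff.
prepare_dict() {
    src=$1; lang=$2; work=$3
    mkdir -p "$work"
    cp "$src/$lang.dic" "$work/$lang.dic"
    strip_ignore "$src/$lang.aff" "$work/$lang.aff"
    printf '%s\n' "$work/$lang.aff"
}

# convert_dict WORK_DIR LANG DEST_DIR: run the conversion (step 3) and place
# the result under DEST_DIR, which in a package build would be
# debian/<pkg>/usr/share/hunspell-bdic (step 4).
convert_dict() {
    work=$1; lang=$2; dest=$3
    mkdir -p "$dest"
    # assumed argument order, see the note at the top of this script
    /usr/bin/convert-bdic "$work/$lang.dic" "$dest/$lang.bdic"
}

# make_sample_dict DIR: write a small constructed dictionary (not a real
# language) so the staging step can be exercised without package sources.
make_sample_dict() {
    mkdir -p "$1"
    printf 'SET UTF-8\nIGNORE xyz\nTRY abcdef\nSFX A Y 1\nSFX A 0 s .\n' > "$1/xx.aff"
    printf '2\nhello/A\nworld/A\n' > "$1/xx.dic"
}

# count_ignore AFF: number of IGNORE lines in AFF (expected 0 after staging)
count_ignore() {
    grep -c '^IGNORE' "$1" || true
}
```

Call `convert_dict "$work" xx debian/<pkg>/usr/share/hunspell-bdic` after `prepare_dict` in a build where `convert-bdic` is installed.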




Bug#1034098: Acknowledgement (reportbug: gamemode needs policykit-1 as a dependency)

2023-04-10 Thread Safir Secerovic
Hi Simon,

Yes, you are correct. policykit-1 was its own package in stable.
For testing and further things have been decentralized.

Also, yes, it should depend on pkexec.
I have checked with upstream and also verified with other distros.

Hopefully, this can be implemented soon.

Regards,
sapphire

On Sat, Apr 8, 2023 at 2:21 PM Debian Bug Tracking System <
ow...@bugs.debian.org> wrote:

> Thank you for filing a new Bug report with Debian.
>
> You can follow progress on this Bug here: 1034098:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034098.
>
> This is an automatically generated reply to let you know your message
> has been received.
>
> Your message is being forwarded to the package maintainers and other
> interested parties for their attention; they will reply in due course.
>
> As you requested using X-Debbugs-CC, your message was also forwarded to
>   stephanlach...@debian.org
> (after having been given a Bug report number, if it did not have one).
>
> Your message has been sent to the package maintainer(s):
>  Debian Games Team 
>
> If you wish to submit further information on this problem, please
> send it to 1034...@bugs.debian.org.
>
> Please do not send mail to ow...@bugs.debian.org unless you wish
> to report a problem with the Bug-tracking system.
>
> --
> 1034098: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034098
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems
>


Bug#1034168: RFS: profile-cleaner/2.44-1 [ITP] -- Reduces browser profile size by cleaning their sqlite databases

2023-04-10 Thread Peter B

Package: sponsorship-requests
Severity: wishlist

Dear mentors,

I am looking for a sponsor for my package "profile-cleaner":

 * Package name : profile-cleaner
   Version  : 2.44-1
   Upstream contact : graysky 
 * URL  : https://github.com/graysky2/profile-cleaner
 * License  : Expat
 * Vcs  : N/A
   Section  : utils

I came across this package when searching for ideas to speed up Firefox.
It's by the same author as profile-sync-daemon.

The source builds the following binary packages:
  profile-cleaner - Reduces browser profile size by cleaning their sqlite databases

To access further information about this package, please visit the following 
URL:
https://mentors.debian.net/package/profile-cleaner/

Alternatively, you can download the package with 'dget' using this command:
  dget -x https://mentors.debian.net/debian/pool/main/p/profile-cleaner/profile-cleaner_2.44-1.dsc

Changes for the initial release:
 profile-cleaner (2.44-1) unstable; urgency=medium
 .
   * Initial release. (Closes: #1033413)

Regards,
  Peter Blackman



Bug#1034167: unblock (pre-approval): mutter/43.4-1

2023-04-10 Thread Simon McVittie
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: mut...@packages.debian.org
Control: affects -1 + src:mutter

I'd like to upload a new upstream bug fix release of mutter.

[ Reason ]
Catch up with upstream 43.4 bug fix release, and cherry-pick patches
that were already accepted for 43.5.

[ Impact ]
Multiple bug fixes and one translation update. Also transfer various
earlier bug fixes from Debian patches into part of the upstream source.

[ Tests ]
I used a previous release-candidate on my Intel laptop for several days
without noticing any regressions. The only change since that version is
the Abkhazian translation update.

Upstream's automated tests (at build-time and during autopkgtest) have the
same coverage and results as the version currently in bookworm.

[ Risks ]
Key package with high visibility in our default desktop environment, but
the changes are narrowly targeted.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing
  (filtered to exclude patch contents and translations)

[ Other info ]
This has only been tested together with the corresponding gnome-shell
update.

There is a remaining X11 focus issue that I'd like to be able to fix in
bookworm (#1032388) but upstream does not have a solution for it yet,
and the version already in testing has the same bug.

unblock mutter/43.4-1
debdiff *.dsc | filterdiff -p1 -x'po/*.po' -x'debian/patches/*.patch'

diffstat for mutter-43.3 mutter-43.4

 NEWS   |   13 
 clutter/clutter/clutter-text.c |1 
 cogl/cogl/cogl-framebuffer.c   |2 
 cogl/cogl/cogl-onscreen.c  |   18 
 cogl/cogl/cogl-onscreen.h  |3 
 debian/changelog   |   23 
 debian/patches/Revert-x11-Do-not-move-X11-input-focus-during-grabs.patch   |   87 
 debian/patches/Revert-x11-events-Do-not-update-focus-XWindow-during-grab.patch |   36 
 debian/patches/Update-Abkhazian-translation.patch  | 4262 ++
 debian/patches/color-device-Don-t-close-lcms-profile-on-error-from-cd_ic.patch |   52 
 debian/patches/color-device-Make-sure-lcms_context-is-not-NULL.patch   |   47 
 debian/patches/core-Avoid-focusing-windows-on-map-during-grabs.patch   |   35 
 debian/patches/debian/Support-Dynamic-triple-double-buffering.patch|8 
 debian/patches/debian/meson-Do-not-mark-CI-test-tools-as-required.patch|2 
 debian/patches/meson-add-back-default_driver-option.patch  |2 
 debian/patches/series  |   10 
 debian/patches/wayland-Don-t-overwrite-surface-offsets.patch   |   57 
 debian/patches/wayland-Skip-subsurface-desync-if-parent-is-NULL.patch  |   35 
 debian/patches/x11-Avoid-updating-focus-on-wayland-compositor.patch|   47 
 debian/patches/x11-Ignore-_NET_ACTIVE_WINDOW-client-messages-while-grabb.patch |   45 
 meson.build|2 
 po/ab.po   | 4159 +
 src/backends/meta-stage-impl.c |   14 
 src/wayland/meta-wayland-subsurface.c  |6 
 24 files changed, 8509 insertions(+), 457 deletions(-)

diff -Nru mutter-43.3/clutter/clutter/clutter-text.c mutter-43.4/clutter/clutter/clutter-text.c
--- mutter-43.3/clutter/clutter/clutter-text.c	2023-02-13 18:12:26.0 +
+++ mutter-43.4/clutter/clutter/clutter-text.c	2023-03-19 22:26:48.0 +
@@ -1826,7 +1826,6 @@
 
   clutter_text_free_paint_volume (self);
 
-  clutter_text_set_buffer (self, NULL);
   g_free (priv->font_name);
 
   g_clear_object (>input_focus);
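Review bot: dropping `clutter_text_set_buffer (self, NULL);` from this teardown path (the same function frees `priv->font_name` and clears `input_focus`) leaves the buffer's release to whatever else owns it; since the filtered debdiff carries no explanation for this hunk, a line in d/changelog or the patch description saying where the buffer is now released, or why clearing it here was wrong, would let reviewers confirm it is not a leak.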
diff -Nru mutter-43.3/cogl/cogl/cogl-framebuffer.c mutter-43.4/cogl/cogl/cogl-framebuffer.c
--- mutter-43.3/cogl/cogl/cogl-framebuffer.c	2023-02-13 18:12:26.0 +
+++ mutter-43.4/cogl/cogl/cogl-framebuffer.c	2023-03-19 22:26:48.0 +
@@ -1695,8 +1695,6 @@
   CoglFramebufferPrivate *priv =
 cogl_framebuffer_get_instance_private (framebuffer);
 
-  g_return_if_fail (buffers & COGL_BUFFER_BIT_COLOR);
-
   cogl_framebuffer_driver_discard_buffers (priv->driver, buffers);
 }
 
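Review bot: removing `g_return_if_fail (buffers & COGL_BUFFER_BIT_COLOR);` relaxes the contract so that a mask without the colour bit now reaches `cogl_framebuffer_driver_discard_buffers (priv->driver, buffers);` instead of being rejected; worth confirming that the driver backends accept depth/stencil-only masks and updating the function's documentation (its header is not in this debdiff) to match.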
diff -Nru mutter-43.3/cogl/cogl/cogl-onscreen.c mutter-43.4/cogl/cogl/cogl-onscreen.c
--- mutter-43.3/cogl/cogl/cogl-onscreen.c	2023-04-10 14:26:00.0 +0100
+++ mutter-43.4/cogl/cogl/cogl-onscreen.c	2023-04-10 14:26:01.0 +0100
@@ -334,17 +334,16 

Bug#1034166: unblock (pre-approval): gnome-shell/43.4-1

2023-04-10 Thread Simon McVittie
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: gnome-sh...@packages.debian.org
Control: affects -1 + src:gnome-shell

I'd like to upload a new upstream bug fix release of gnome-shell.

[ Reason ]
Catch up with upstream 43.4 bug fix release, and cherry-pick patches
that were already accepted for 43.5.

[ Impact ]
One small bug fix, one translation update, and convert several earlier
translation updates and bug fixes from being applied as patches to being
part of the updated upstream source.

[ Tests ]
I used a previous release-candidate on my Intel laptop for several days
without noticing any regressions. The only change since that version is
the Abkhazian translation update.

[ Risks ]
Key package with high visibility in our default desktop environment, but
the changes are narrowly targeted.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing
  (filtered to exclude patch contents and translations)

[ Other info ]
This has only been tested together with the corresponding mutter update.

unblock gnome-shell/43.4-1
debdiff *.dsc | filterdiff -p1 -x'debian/patches/*.patch' -x'po/*.po'

diffstat for gnome-shell-43.3 gnome-shell-43.4

 NEWS   |   14 
 debian/changelog   |   16 
 debian/patches/Update-Abkhazian-translation.patch  | 4910 ++
 debian/patches/Update-Finnish-translation.patch|  873 -
 debian/patches/Update-Georgian-translation.patch   |  577 -
 debian/patches/Update-German-translation.patch |  896 -
 debian/patches/Update-Hungarian-translation.patch  |  848 -
 debian/patches/Update-Indonesian-translation.patch |  544 -
 debian/patches/Update-Lithuanian-translation.patch |  554 -
 debian/patches/Update-Polish-translation.patch |  806 -
 debian/patches/Update-Portuguese-translation.patch |  574 -
 debian/patches/Update-Serbian-translation.patch|  591 -
 debian/patches/Update-Slovenian-translation.patch  | 1990 
 debian/patches/Update-Swedish-translation.patch|  537 -
 debian/patches/Update-Turkish-translation.patch|  869 -
 debian/patches/Update-Ukrainian-translation.patch  |  577 -
 debian/patches/debian/Revert-build-Port-to-gcr4.patch  |2 
 debian/patches/overview-Don-t-claim-to-be-SHOWN-when-HIDDEN-during-start.patch |   38 
 debian/patches/overview-Hide-when-failing-to-take-grab-at-end-of-startup.patch |   27 
 debian/patches/series  |   16 
 js/ui/dnd.js   |9 
 js/ui/status/network.js|6 
 meson.build|2 
 po/ab.po   | 4383 
 po/fr.po   |  377 
 subprojects/extensions-app/data/metainfo/org.gnome.Extensions.metainfo.xml.in  |1 
 subprojects/extensions-app/meson.build |2 
 subprojects/extensions-app/subprojects/shew/meson.build|2 
 subprojects/extensions-tool/meson.build|2 
 subprojects/shew/meson.build   |2 
 30 files changed, 9414 insertions(+), 10631 deletions(-)

diff -Nru gnome-shell-43.3/debian/changelog gnome-shell-43.4/debian/changelog
--- gnome-shell-43.3/debian/changelog	2023-03-08 11:09:54.0 +
+++ gnome-shell-43.4/debian/changelog	2023-04-10 14:07:38.0 +0100
@@ -1,3 +1,19 @@
+gnome-shell (43.4-1) unstable; urgency=medium
+
+  * Team upload
+  * New upstream release
+- Fix memory leaks when the list of wireless networks is refreshed
+  (GNOME/gnome-shell!2652)
+- Stop tracking drag-and-drop source object when destroyed
+  (part of GNOME/gnome-shell!2318)
+- Translation update: fr
+- All other changes were included in 43.3-2 and 43.3-3
+  * Drop patches added by 43.3-2 and 43.3-3, included in upstream 43.4
+  * d/patches: Update to gnome-43 branch commit 43.4-1-g3499d2e87
+- Translation update: ab
+
+ -- Simon McVittie   Mon, 10 Apr 2023 14:07:38 +0100
+
 gnome-shell (43.3-3) unstable; urgency=medium
 
   * Team 

Bug#1034165: unblock: waypipe/0.8.4-3

2023-04-10 Thread Gard Spreemann
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: wayp...@packages.debian.org, g...@nonempty.org
Control: affects -1 + src:waypipe

Please unblock package waypipe.


[ Reason ]
Waypipe versions prior to 0.8.6 contain a memory leak that is documented
as bug #1034163 [1]. I have cherry-picked a one-line fix from upstream
[2], and have verified that it fixes the problem. I have uploaded
0.8.4-3 to unstable with that patch as the only change. A debdiff
against 0.8.4-2 (in testing) is attached.

[ Impact ]
If the unblock isn't granted, Bookworm will ship with a version of
waypipe that leaks memory, making long-running sessions
problematic. Since waypipe's job is to provide SSH forwarding (à la "ssh
-X") to software running under Wayland, such long-running sessions are
expected.

[ Tests ]
By running waypipe in debug mode, e.g.

 waypipe -d ssh localhost weston-simple-shm  2>&1 | grep "in flight"

one can watch the "number of bytes in flight" messages report an
ever-increasing number of bytes in the version of waypipe in Bookworm
(0.8.4-2). With the fixed version from unstable (0.8.4-3), the number
of bytes in flight remains bounded.

This test was recommended to me by waypipe's upstream author.

[ Risks ]
The fix is a one-line patch, authored by upstream and already released
as part of upstream's version 0.8.6.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing


[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034163

[2] 
https://gitlab.freedesktop.org/mstoeckl/waypipe/-/commit/9070c4c527c906cb186588ca410d92d2f7f3c7ba


unblock waypipe/0.8.4-3
diff -Nru waypipe-0.8.4/debian/changelog waypipe-0.8.4/debian/changelog
--- waypipe-0.8.4/debian/changelog	2022-11-23 17:11:16.0 +0100
+++ waypipe-0.8.4/debian/changelog	2023-04-10 15:51:36.0 +0200
@@ -1,3 +1,9 @@
+waypipe (0.8.4-3) unstable; urgency=medium
+
+  * Add upstream patch to fix memory leak. (Closes: #1034163)
+
+ -- Gard Spreemann   Mon, 10 Apr 2023 15:51:36 +0200
+
 waypipe (0.8.4-2) unstable; urgency=medium
 
   * Increase timeout limit for build-time tests. (Closes: #1011322)
diff -Nru waypipe-0.8.4/debian/patches/0001-Fix-a-memory-leak.patch waypipe-0.8.4/debian/patches/0001-Fix-a-memory-leak.patch
--- waypipe-0.8.4/debian/patches/0001-Fix-a-memory-leak.patch	1970-01-01 01:00:00.0 +0100
+++ waypipe-0.8.4/debian/patches/0001-Fix-a-memory-leak.patch	2023-04-10 15:51:36.0 +0200
@@ -0,0 +1,29 @@
+From: Gard Spreemann 
+Date: Mon, 10 Apr 2023 12:21:18 +0200
+Subject: Fix a memory leak
+
+This cherry-picks upstream commit
+9070c4c527c906cb186588ca410d92d2f7f3c7ba. The original commit message
+follows.
+
+This was introduced by a0f6bfa191f55b99e4ff68dd0063aa0c0e12dcbd
+incorrectly checking when to increase the value of
+cxs->last_confirmed_msgno. As a result, one of the two Waypipe
+processes would leak all the messages sent to the other process.
+---
+ src/mainloop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mainloop.c b/src/mainloop.c
+index 181319c..38a084d 100644
+--- a/src/mainloop.c
 b/src/mainloop.c
+@@ -280,7 +280,7 @@ static int interpret_chanmsg(struct chan_msg_state *cmsg,
+ 	} else if (type == WMSG_ACK_NBLOCKS) {
+ 		struct wmsg_ack *ackm = (struct wmsg_ack *)packet;
+ 		if (msgno_gt(ackm->messages_received,
+-cxs->last_received_msgno)) {
++cxs->last_confirmed_msgno)) {
+ 			cxs->last_confirmed_msgno = ackm->messages_received;
+ 		}
+ 		return 0;
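Review bot: the patch header carries From/Date/Subject but no DEP-3 `Origin:` or `Bug-Debian:` field, even though the description names the upstream commit; adding `Origin: upstream, https://gitlab.freedesktop.org/mstoeckl/waypipe/-/commit/9070c4c527c906cb186588ca410d92d2f7f3c7ba` and `Bug-Debian: https://bugs.debian.org/1034163` would let patch-tracking tooling pick it up.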
diff -Nru waypipe-0.8.4/debian/patches/series waypipe-0.8.4/debian/patches/series
--- waypipe-0.8.4/debian/patches/series	1970-01-01 01:00:00.0 +0100
+++ waypipe-0.8.4/debian/patches/series	2023-04-10 15:51:36.0 +0200
@@ -0,0 +1 @@
+0001-Fix-a-memory-leak.patch




Bug#1034164: unblock: teeworlds/0.7.5-2

2023-04-10 Thread Salvatore Bonaccorso
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: teewor...@packages.debian.org, Moritz Muehlenhoff 
, car...@debian.org
Control: affects -1 + src:teeworlds

Dear release team,

Please unblock package teeworlds

Moritz Muehlenhoff addressed with a targeted fix CVE-2021-43518,
#1009070 for teeworlds. It has been in unstable for 24 days, but needs
an explicit unblock. The issue would be classified no-dsa for bookworm
similar to bullseye, but as the fix is quite isolated might be worth
having it fixed in bookworm.

Attached is the full debdiff for the changes. I cannot say about
specific done tests on the package.

unblock teeworlds/0.7.5-2

Regards,
Salvatore
diff -Nru teeworlds-0.7.5/debian/changelog teeworlds-0.7.5/debian/changelog
--- teeworlds-0.7.5/debian/changelog2020-08-30 15:38:14.0 +0200
+++ teeworlds-0.7.5/debian/changelog2023-03-17 11:46:31.0 +0100
@@ -1,3 +1,10 @@
+teeworlds (0.7.5-2) unstable; urgency=medium
+
+  * Backport 91e5492d4c210f82f1ca6b43a73417fef5463368 as the hotfix
+for CVE-2021-43518 (Closes: #1009070)
+
+ -- Moritz Muehlenhoff   Fri, 17 Mar 2023 11:46:31 +0100
+
 teeworlds (0.7.5-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru teeworlds-0.7.5/debian/patches/CVE-2021-43518.patch 
teeworlds-0.7.5/debian/patches/CVE-2021-43518.patch
--- teeworlds-0.7.5/debian/patches/CVE-2021-43518.patch 1970-01-01 
01:00:00.0 +0100
+++ teeworlds-0.7.5/debian/patches/CVE-2021-43518.patch 2023-03-17 
11:46:31.0 +0100
@@ -0,0 +1,34 @@
+Backport 91e5492d4c210f82f1ca6b43a73417fef5463368 as the hotfix for 
CVE-2021-43518
+
+--- teeworlds-0.7.5.orig/src/game/client/components/maplayers.cpp
 teeworlds-0.7.5/src/game/client/components/maplayers.cpp
+@@ -254,7 +254,7 @@ void CMapLayers::LoadEnvPoints(const CLa
+   p.m_Time = pEnvPoint_v1->m_Time;
+   p.m_Curvetype = pEnvPoint_v1->m_Curvetype;
+ 
+-  for(int c = 0; c < pItem->m_Channels; c++)
++  for(int c = 0; c < min(pItem->m_Channels, 4); 
c++)
+   {
+   p.m_aValues[c] = 
pEnvPoint_v1->m_aValues[c];
+   p.m_aInTangentdx[c] = 0;
+--- teeworlds-0.7.5.orig/src/game/editor/io.cpp
 teeworlds-0.7.5/src/game/editor/io.cpp
+@@ -478,7 +478,8 @@ int CEditorMap::Load(class IStorage *pSt
+   for(int e = 0; e < Num; e++)
+   {
+   CMapItemEnvelope *pItem = (CMapItemEnvelope 
*)DataFile.GetItem(Start+e, 0, 0);
+-  CEnvelope *pEnv = new 
CEnvelope(pItem->m_Channels);
++  const int Channels = min(pItem->m_Channels, 4);
++  CEnvelope *pEnv = new CEnvelope(Channels);
+   pEnv->m_lPoints.set_size(pItem->m_NumPoints);
+   for(int n = 0; n < pItem->m_NumPoints; n++)
+   {
+@@ -495,7 +496,7 @@ int CEditorMap::Load(class IStorage *pSt
+   pEnv->m_lPoints[n].m_Time = 
pEnvPoint_v1->m_Time;
+   pEnv->m_lPoints[n].m_Curvetype 
= pEnvPoint_v1->m_Curvetype;
+ 
+-  for(int c = 0; c < 
pItem->m_Channels; c++)
++  for(int c = 0; c < Channels; 
c++)
+   {
+   
pEnv->m_lPoints[n].m_aValues[c] = pEnvPoint_v1->m_aValues[c];
+   }
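Review bot: the clamp `min(pItem->m_Channels, 4)` hard-codes the capacity of `m_aValues`, which is not visible in the hunk; deriving the bound from the array itself (`sizeof(p.m_aValues)/sizeof(p.m_aValues[0])`, or whatever constant the struct uses) in both maplayers.cpp and io.cpp keeps the check from going stale silently if the array ever changes size. `m_Channels` is also compared against a signed `int c`, so a negative value read from a crafted map passes `min(..., 4)` unchanged; the loops then do nothing, which is harmless, but `CEnvelope(Channels)` in io.cpp still receives it, so clamping from below to 0 as well would be safer. Separately, the patch header is a single bare sentence; DEP-3 `Description:`, `Origin: upstream, commit 91e5492d4c210f82f1ca6b43a73417fef5463368` and `Bug-Debian: https://bugs.debian.org/1009070` would make the backport traceable.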
diff -Nru teeworlds-0.7.5/debian/patches/series 
teeworlds-0.7.5/debian/patches/series
--- teeworlds-0.7.5/debian/patches/series   2020-08-30 15:38:14.0 
+0200
+++ teeworlds-0.7.5/debian/patches/series   2023-03-17 11:46:31.0 
+0100
@@ -5,3 +5,4 @@
 no-cmake.patch
 python3.patch
 new-wavpack.patch
+CVE-2021-43518.patch


Bug#1034107: RFP: xmpppy -- XMPP implementation in Python

2023-04-10 Thread Alexey Nezhdanov
Hi.

I haven't maintained the project for at least 12 years. But there are
indeed several people who move it forward. You might have better luck
contacting them on the GitHub issue tracker.

You might also consider doing the Debian maintainer work (porting,
packaging, etc.) yourself (as I did about 15 years ago). Finding someone
who'll upload the package for you is usually not a problem.

Best regards,
Alexey Nezhdanov.

On Sun, 9 Apr 2023 at 07:15, أحمد المحمودي <aelmahmo...@users.sourceforge.net> wrote:

> Package: wnpp
> Severity: wishlist
>
> * Package name: xmpppy
>   Version : 0.7.1
>   Upstream Author : Alexey Nezhdanov 
> * URL : https://github.com/xmpppy/xmpppy
> * License : GPL-3
>   Programming Lang: Python
>   Description : XMPP implementation in Python
> Python 2/3 implementation of XMPP (RFC3920, RFC3921).
> This is a set of modules providing functionality for writing
> XMPP-compliant clients or server components in Python.
> This library was initially designed as a "rework" of the jabberpy library but
> later became a separate product.
> Unlike jabberpy it is distributed under the terms of GPL.
>
> This was previously removed from Debian (formerly python-xmpp) because
> it was no longer updated by upstream. Yet Alexey has continued
> maintaining it on GitHub, and has added Python3 support.
>
> At least the jabber weechat plugin (provided by weechat-scripts) uses
> it.
>
> --
> ‎أحمد المحمودي (Ahmed El-Mahmoudy)
>  Digital design engineer
> GPG KeyIDs: 4096R/A7EF5671 2048R/EDDDA1B7
> GPG Fingerprints:
>  6E2E E4BB 72E2 F417 D066  6ABF 7B30 B496 A7EF 5761
>  8206 A196 2084 7E6D 0DF8  B176 BC19 6A94 EDDD A1B7
>


Bug#1029210: smartmontools.service fails since bookworm

2023-04-10 Thread Christian Franke
Possible fix for the package: Add '-q nodev0' or '-q never' to ExecStart
in smartmontools.service.

Workaround for users: Add one of these to smartd_opts in
/etc/default/smartmontools.

Option '-q nodev0' is available since smartmontools 7.3. Then smartd
will exit with status 0 instead of 17 (default '-q nodev') if there are
no devices to monitor. Systemd should no longer report this as a failed
service.

With '-q never', smartd will keep running and do nothing. This was the
default for '-q' in some previous versions of (only!) the Debian
package. This Debian-specific patch was reverted later, see:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006630

Regards,

Christian
smartmontools.org



Bug#1012218: firefox 111.0.1-1 can be built on Unmatched board

2023-04-10 Thread Bo YU
Source: firefox
Version: 111.0.1-1
Followup-For: Bug #1012218

Hi,

Firefox can now be built on the Unmatched board with the patch:

```
...
Build Architecture: riscv64
Build Type: binary
Build-Space: 16289628
Build-Time: 59070
Distribution: experimental
Host Architecture: riscv64
Install-Time: 317
Job: /home/rv/build/firefox/t-111-0-1/firefox_111.0.1-1.1.dsc
Machine Architecture: riscv64
Package: firefox
Package-Time: 59916
Source-Version: 111.0.1-1.1
Space: 16289628
Status: successful
Version: 111.0.1-1.1
```

Firefox has supported SpiderMonkey on riscv64 [0][1] since 111.0,
so we can build the package with the option.

The way to solve the linker problem is just to increase `$stalled_pkg_timeout`
from 150 to 300 in sbuildrc. I believe all riscv64 buildd machines [2] support
the options too.

So could you apply the patch on the next upload? Thanks.

[0]: 
https://bugzilla.mozilla.org/show_bug.cgi?id=1800431&_gl=1*1t95bon*_ga*MjA2MzY0NDQyMy4xNjE1MjU3OTAw*_ga_MQ7767QQQW*MTY4MTEzMzIyMS4yLjEuMTY4MTEzMzQ0MC4wLjAuMA..
[1]: 
https://bugzilla.mozilla.org/show_bug.cgi?id=1812559&_gl=1*1unakpc*_ga*MjA2MzY0NDQyMy4xNjE1MjU3OTAw*_ga_MQ7767QQQW*MTY4MTEzMzIyMS4yLjEuMTY4MTEzMzU0My4wLjAuMA..
[2]: https://buildd.debian.org/status/architecture.php?a=riscv64=sid

-- 
Regards,
--
  Bo YU

diff -Nru firefox-111.0.1/debian/browser.mozconfig.in 
firefox-111.0.1/debian/browser.mozconfig.in
--- firefox-111.0.1/debian/browser.mozconfig.in 2023-03-24 20:21:01.0 
+
+++ firefox-111.0.1/debian/browser.mozconfig.in 2023-04-09 07:52:32.0 
+
@@ -30,6 +30,15 @@
 ac_add_options --with-unsigned-addon-scopes=app,system
 ac_add_options --allow-addon-sideload
 ac_add_options --enable-alsa
-%if DIST == bullseye || DIST == buster || DIST == stretch || DEB_HOST_ARCH == 
s390x
+%if DIST == bullseye || DIST == buster || DIST == stretch || DEB_HOST_ARCH == 
s390x || DEB_HOST_ARCH == riscv64
 ac_add_options --without-wasm-sandboxed-libraries
 %endif
+# riscv64
+%if DEB_HOST_ARCH == riscv64
+ac_add_options --disable-debug
+ac_add_options --disable-lto
+ac_add_options --disable-debug-symbols
+ac_add_options --disable-geckodriver
+ac_add_options --enable-linker=bfd
+ac_add_options --enable-jit
+%endif
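Review bot: the new riscv64 block is introduced only by the comment `# riscv64`, yet it changes far more than JIT: `--disable-debug-symbols` drops debug info for the whole architecture, `--disable-lto` changes code generation and `--enable-linker=bfd` selects a different linker, none of which d/changelog (`Support for riscv64(jit)`) mentions. Please state in the comment which of these options are needed to link at all (the cover mail ties the linker problem to `$stalled_pkg_timeout` in sbuildrc) and which are there only to keep build time and memory down, so the next uploader knows what can be dropped once the buildds cope.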
diff -Nru firefox-111.0.1/debian/changelog firefox-111.0.1/debian/changelog
--- firefox-111.0.1/debian/changelog2023-03-24 20:21:58.0 +
+++ firefox-111.0.1/debian/changelog2023-04-09 07:52:32.0 +
@@ -1,3 +1,9 @@
+firefox (111.0.1-1.1) experimental; urgency=low
+
+  * Support for riscv64(jit)
+
+ -- Bo YU   Sun, 09 Apr 2023 07:52:32 +
+
 firefox (111.0.1-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru firefox-111.0.1/debian/rules firefox-111.0.1/debian/rules
--- firefox-111.0.1/debian/rules2023-03-24 20:21:01.0 +
+++ firefox-111.0.1/debian/rules2023-04-09 07:52:32.0 +
@@ -35,7 +35,9 @@
 $(foreach lib,$(sort $(call uc,$(SYSTEM_LIBS))),$(eval $(call 
system_lib,$(lib
 
 OFFICIAL_BRANDING := browser/branding/official
-MOZILLA_OFFICIAL := 1
+ifneq (riscv64,$(DEB_HOST_ARCH))
+   MOZILLA_OFFICIAL := 1
+endif
 # ESR, Beta and Releases use the official branding
 ifneq (,$(filter release beta esr%,$(SHORT_SOURCE_CHANNEL)))
 BRANDING ?= $(OFFICIAL_BRANDING)
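Review bot: gating `MOZILLA_OFFICIAL := 1` on `DEB_HOST_ARCH` is unexplained in the hunk and absent from d/changelog; a riscv64 build will now be a non-official build while every other architecture stays official, which is a larger behavioural difference than the changelog's `Support for riscv64(jit)` suggests. Add a comment above the `ifneq` saying why riscv64 cannot be built with MOZILLA_OFFICIAL (and, if it is the same linker/size problem as the mozconfig changes, say so), so the condition can be removed together with the rest.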
@@ -97,7 +99,9 @@
 # Make the linker generate compressed debug sections. dh_strip would do
 # the same anyways, but it allows elfhack to work in combination with
 # unstripped binaries when they would normally be larger than 2GiB.
+ifneq (riscv64,$(DEB_HOST_ARCH))
 LDFLAGS += -Wl,--compress-debug-sections=zlib
+endif
 
 # Disable debug symbols when building on 32-bits machines, because
 # a) the rust compiler can't deal with it in the available address
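Review bot: the comment immediately above explains why `--compress-debug-sections=zlib` is passed (so elfhack keeps working with unstripped binaries over 2GiB), but the new `ifneq (riscv64,$(DEB_HOST_ARCH))` drops it for riscv64 without updating that comment. If the reason is that debug symbols are disabled for riscv64 anyway in the mozconfig hunk, say so in a comment here so the two conditions are kept in sync when either is revisited.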




Bug#1034163: waypipe: Leaks memory

2023-04-10 Thread Gard Spreemann
Package: waypipe
Version: 0.8.4-2
Severity: important
X-Debbugs-Cc: g...@nonempty.org

Upstream commit 9070c4c527c906cb186588ca410d92d2f7f3c7ba fixes and
documents a memory leak [1] present in versions prior to 0.8.6.

The leak can be reproduced by running e.g.

 waypipe -d ssh localhost weston-simple-shm  2>&1 | grep "in flight"

and watching the number of bytes in flight steadily increasing as time
goes by.

[1] 
https://gitlab.freedesktop.org/mstoeckl/waypipe/-/commit/9070c4c527c906cb186588ca410d92d2f7f3c7ba

-- System Information:
Debian Release: 12.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'testing-security'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-7-amd64 (SMP w/6 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages waypipe depends on:
ii  libavcodec59  7:5.1.2-3
ii  libavutil57   7:5.1.2-3
ii  libc6 2.36-8
ii  libgbm1   22.3.6-1+deb12u1
ii  liblz4-1  1.9.4-1
ii  libswscale6   7:5.1.2-3
ii  libva22.17.0-1
ii  libzstd1  1.5.4+dfsg2-5

Versions of packages waypipe recommends:
ii  openssh-client  1:9.2p1-2
ii  openssh-server  1:9.2p1-2

waypipe suggests no packages.

-- no debconf information
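A constructed model of the ack bookkeeping behind this leak, added here as an illustration and not taken from waypipe: the retain-until-acked buffer, the roles assigned to the counters and the wrapping `msgno_gt()` are assumptions, and the only thing borrowed from the upstream fix (the one-line debdiff earlier on this page) is which counter the incoming ack is compared against.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the ack bookkeeping behind the leak above. Not
 * waypipe's code: the retain-until-acked buffer, the roles of the counters
 * and the wrapping msgno_gt() are assumptions made to show the effect of
 * the one-line fix. */

#define MAX_INFLIGHT 64

struct sent_msg {
    uint32_t msgno;  /* sequence number assigned when sent */
    char *payload;   /* heap copy, freed once the peer has acked it */
};

struct chan_state {
    uint32_t next_msgno;           /* number given to the next outgoing message */
    uint32_t last_received_msgno;  /* how many messages the PEER has sent us */
    uint32_t last_confirmed_msgno; /* how many of OUR messages the peer acked */
    struct sent_msg inflight[MAX_INFLIGHT];
    int n_inflight;
};

/* Wrapping "a > b" on 32-bit sequence numbers (assumed semantics). */
static int msgno_gt(uint32_t a, uint32_t b)
{
    return (int32_t)(a - b) > 0;
}

/* Queue a message and keep a copy until it is acknowledged. */
static int send_msg(struct chan_state *cxs, const char *data)
{
    if (cxs->n_inflight >= MAX_INFLIGHT)
        return -1;
    size_t len = strlen(data) + 1;
    char *copy = malloc(len);
    if (!copy)
        return -1;
    memcpy(copy, data, len);
    cxs->inflight[cxs->n_inflight].msgno = cxs->next_msgno++;
    cxs->inflight[cxs->n_inflight++].payload = copy;
    return 0;
}

/* Free every retained message numbered below the confirmed watermark. */
static void release_confirmed(struct chan_state *cxs)
{
    int kept = 0;
    for (int i = 0; i < cxs->n_inflight; i++) {
        if (msgno_gt(cxs->last_confirmed_msgno, cxs->inflight[i].msgno))
            free(cxs->inflight[i].payload);
        else
            cxs->inflight[kept++] = cxs->inflight[i];
    }
    cxs->n_inflight = kept;
}

/* Handle an ack carrying messages_received. buggy != 0 compares against
 * last_received_msgno as before the fix; buggy == 0 against
 * last_confirmed_msgno as after it. */
static void handle_ack(struct chan_state *cxs, uint32_t messages_received, int buggy)
{
    uint32_t ref = buggy ? cxs->last_received_msgno : cxs->last_confirmed_msgno;
    if (msgno_gt(messages_received, ref))
        cxs->last_confirmed_msgno = messages_received;
    release_confirmed(cxs);
}

/* One process sends 10 messages but has already received 100 from its peer
 * (the asymmetry between the two waypipe processes), then the peer acks all
 * 10. Returns how many of the 10 are still held afterwards. */
static int retained_after_full_ack(int buggy)
{
    struct chan_state cxs;
    memset(&cxs, 0, sizeof cxs);
    for (int i = 0; i < 10; i++) {
        char buf[32];
        snprintf(buf, sizeof buf, "msg %d", i);
        send_msg(&cxs, buf);
    }
    cxs.last_received_msgno = 100;
    handle_ack(&cxs, 10, buggy);
    int retained = cxs.n_inflight;
    for (int i = 0; i < cxs.n_inflight; i++)  /* tidy the model's own memory */
        free(cxs.inflight[i].payload);
    return retained;
}

/* With the fix a stale (smaller) ack must not move the watermark backwards. */
static uint32_t watermark_after_stale_ack(void)
{
    struct chan_state cxs;
    memset(&cxs, 0, sizeof cxs);
    handle_ack(&cxs, 10, 0);
    handle_ack(&cxs, 5, 0);
    return cxs.last_confirmed_msgno;
}
```

With the pre-fix comparison the side that receives more than it sends never sees an ack exceed its receive counter, so `retained_after_full_ack(1)` keeps all 10 payloads; the fixed comparison releases them and still ignores stale acks.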




Bug#1023596: bookworm: document changes in default rsyslog configuration

2023-04-10 Thread Richard Lewis
This bug is now fixed in commit 7122b30d

https://salsa.debian.org/ddp-team/release-notes/-/commit/7122b30dd1a483379759558faa720db7b570010c

(I don't know if the bug should be set to closed/pending or if that happens later?)



Bug#1031259: ddcutil requires module i2c-dev

2023-04-10 Thread Sanford Rockowitz
The upstream source has been changed to install file 
/usr/lib/modules-conf.d/ddcutil, which will ensure that module i2c-dev 
is loaded.  The change will appear in Debian once the code freeze for 
bookworm is lifted.




Bug#1034158: geocode-glib: geolocation not working in Initial Setup, Weather

2023-04-10 Thread Jeremy Bícha
The patch fixes the bug for Initial Setup and the GNOME Clocks app.

I wasn't able to reproduce the bug in some other GNOME apps that
depend on geocode-glib: Maps and Weather.

Thank you,
Jeremy Bícha



Bug#1034162: unblock: cinnamon/5.6.8-1

2023-04-10 Thread Fabio Fantoni

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: cinna...@packages.debian.org, fantonifa...@tiscali.it
Control: affects -1 + src:cinnamon

Please unblock package cinnamon

5.6.8-1 includes a new bugfix release with some fixes:
- grouped-window-list: Make appGroup's flashButton sane, fix invalid source id.
- cinnamon-screenshot.c: Disable unredirection when taking a screenshot.
- remove unused import cairo
- cs_themes: load theme thumbnail from XDG_DATA_DIRS
- gwl: Fix typo.
- sound applet: Clear the source ID in Seeker._timerCallback().
- window-list: Fix signal name for tile notifications.
- overrides.js: Silently fail to install polyfills.

One fix seems a "big patch"
(https://github.com/linuxmint/cinnamon/commit/fcffd73eace934c817db394d347705f81e564f3c)
but it solves a cinnamon crash in some cases when taking a screenshot
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032912)

No regression found or reported; I think it is good to have in bookworm.

[ Risks ]
I consider the risk of regression small

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

unblock cinnamon/5.6.8-1
diff --git a/debian/changelog b/debian/changelog
index 6ca12b51a..8bd8d7d27 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+cinnamon (5.6.8-1) unstable; urgency=medium
+
+  * New upstream bugfix version 5.6.8 (Closes: #1032912)
+
+ -- Fabio Fantoni   Sun, 19 Mar 2023 22:38:37 +0100
+
 cinnamon (5.6.7-1) unstable; urgency=medium
 
   * New upstream version 5.6.7
diff --git 
a/files/usr/share/cinnamon/applets/grouped-window-l...@cinnamon.org/appGroup.js 
b/files/usr/share/cinnamon/applets/grouped-window-l...@cinnamon.org/appGroup.js
index ef0a7e5b8..9ca6b37d5 100644
--- 
a/files/usr/share/cinnamon/applets/grouped-window-l...@cinnamon.org/appGroup.js
+++ 
b/files/usr/share/cinnamon/applets/grouped-window-l...@cinnamon.org/appGroup.js
@@ -1,6 +1,7 @@
 const Cinnamon = imports.gi.Cinnamon;
 const Meta = imports.gi.Meta;
 const Clutter = imports.gi.Clutter;
+const GLib = imports.gi.GLib;
 const St = imports.gi.St;
 const Main = imports.ui.main;
 const Tweener = imports.ui.tweener;
@@ -304,35 +305,40 @@ class AppGroup {
 if (this._needsAttention) return;
 
 this._needsAttention = true;
-let counter = 0;
-this.flashButton(counter);
+this.flashButton();
 }
 
-flashButton(counter) {
-if (!this._needsAttention || !this.actor) return;
+flashButton() {
+if (!this._needsAttention || !this.actor || this.flashTimer)
+return;
 
-// If the app was closed during a flash sequence, stop looping.
-if (!this.groupState.groupReady && this.groupState.isFavoriteApp) {
-
this.actor.remove_style_class_name('grouped-window-list-item-demands-attention');
+if (!this.groupState.groupReady && this.groupState.isFavoriteApp)
 return;
-}
 
-this.actor.remove_style_pseudo_class('active');
-
this.actor.add_style_class_name('grouped-window-list-item-demands-attention');
-if (counter < FLASH_MAX_COUNT) {
-this.flashTimer = Mainloop.timeout_add(FLASH_INTERVAL, () => {
-if (this.actor && 
this.actor.has_style_class_name('grouped-window-list-item-demands-attention')) {
-
this.actor.remove_style_class_name('grouped-window-list-item-demands-attention');
-this.actor.add_style_pseudo_class('active');
-}
+let counter = 0;
+const sc = "grouped-window-list-item-demands-attention";
 
-this.flashTimer = Mainloop.timeout_add(FLASH_INTERVAL, () => {
-this.flashButton(++counter);
-});
-});
-} else {
-this.flashTimer = 0;
-}
+this.flashTimer = Mainloop.timeout_add(FLASH_INTERVAL, () => {
+if (!this._needsAttention) {
+this.flashTimer = 0;
+return GLib.SOURCE_REMOVE;
+}
+
+if (this.actor.has_style_class_name(sc)) {
+this.actor.add_style_class_name("active");
+this.actor.remove_style_class_name(sc);
+}
+else {
+this.actor.remove_style_class_name("active")
+this.actor.add_style_class_name(sc);
+}
+
+const continueFlashing = (counter++ < FLASH_MAX_COUNT);
+if (!continueFlashing) {
+this.flashTimer = 0;
+}
+return continueFlashing;
+});
 }
 
 getPreferredWidth(actor, forHeight, alloc) {
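Review bot: the new timeout callback dereferences `this.actor` on every tick without the null check the old callback had (`if (this.actor && ...)`); the `!this.actor` guard at the top of flashButton() runs only once, so if the actor is destroyed mid-sequence the callback will throw and leave `this.flashTimer` set, blocking any later flash. The highlight also moves from the pseudo-class `active` (`add_style_pseudo_class('active')` in the removed lines) to a plain style class (`add_style_class_name("active")`), which theme CSS written for `:active` will not match; please confirm that is intended. Minor: `this.actor.remove_style_class_name("active")` is missing its semicolon, and the callback returns `GLib.SOURCE_REMOVE` in one branch but a bare boolean in the other; using `GLib.SOURCE_CONTINUE`/`GLib.SOURCE_REMOVE` in both places would be consistent.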
@@ -597,9 +603,7 @@ class AppGroup {
 if (hasFocus) {
 this.listState.trigger('updateFocusState', appId);
 this.actor.add_style_pseudo_class('focus');
-

Bug#1034161: unblock: muffin/5.6.4-1

2023-04-10 Thread Fabio Fantoni

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: muf...@packages.debian.org, fantonifa...@tiscali.it
Control: affects -1 + src:muffin

Please unblock package muffin

5.6.4-1 includes a new bugfix release with some fixes:
- meta-gpu-xrandr: Account for the current user text scale factor when calculating the crtc scale based on Xft.dpi.
- window.c: Allow meta_window_get_xwindow() to be used with introspection.
- window.c: Restore property notify for the tile mode property.
- place.c: Add missing import.
- display.c: Make meta_display_get_pointer_window() available to cinnamon again.
- clutter-text.c: Remove redundant clutter_text_set_buffer call in finalize.

The symbol added is not a new function but only an export of an existing function,
making it available again to cinnamon.

I also replaced the libgdk-pixbuf2.0-dev build-dep. with libgdk-pixbuf-2.0-dev;
libgdk-pixbuf2.0-dev is a transitional metapackage from bullseye so it should
not be a risk FWIK.

No regression found or reported; I think it is good to have in bookworm.

[ Risks ]
I consider the risk of regression small

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

unblock muffin/5.6.4-1
diff --git a/clutter/clutter/clutter-text.c b/clutter/clutter/clutter-text.c
index 3da410f..e18ed4c 100644
--- a/clutter/clutter/clutter-text.c
+++ b/clutter/clutter/clutter-text.c
@@ -1807,7 +1807,6 @@ clutter_text_finalize (GObject *gobject)
 
   clutter_text_dirty_paint_volume (self);
 
-  clutter_text_set_buffer (self, NULL);
   g_free (priv->font_name);
 
   g_clear_object (>input_focus);
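Review bot: dropping `clutter_text_set_buffer (self, NULL)` from finalize is described in d/changelog as removing a redundant call, but nothing in this hunk shows where the text buffer is released instead (typically dispose); please point to that in the changelog or in a patch description so an unblock reviewer can confirm the change does not trade a double release for a leak of the buffer.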
diff --git a/debian/changelog b/debian/changelog
index 88556cf..e435e28 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+muffin (5.6.4-1) unstable; urgency=medium
+
+  * New upstream bugfix version 5.6.4
+  * Replace libgdk-pixbuf2.0-dev build-dep. with libgdk-pixbuf-2.0-dev
+  * Update symbols
+
+ -- Fabio Fantoni   Sun, 19 Mar 2023 22:33:27 +0100
+
 muffin (5.6.3-1) unstable; urgency=medium
 
   * New upstream version 5.6.3
diff --git a/debian/control b/debian/control
index 130f0e7..0626f50 100644
--- a/debian/control
+++ b/debian/control
@@ -149,7 +149,7 @@ Depends: gir1.2-meta-muffin-0.0 (= ${binary:Version}),
  libcinnamon-desktop-dev (>= 5.6),
  libdrm-dev,
  libegl1-mesa-dev,
- libgdk-pixbuf2.0-dev,
+ libgdk-pixbuf-2.0-dev,
  libgles2-mesa-dev | libgles2-dev,
  libglib2.0-dev,
  libgraphene-1.0-dev (>= 1.9.3),
diff --git a/debian/libmuffin0.symbols b/debian/libmuffin0.symbols
index 2a1f2eb..279e3ed 100644
--- a/debian/libmuffin0.symbols
+++ b/debian/libmuffin0.symbols
@@ -2136,6 +2136,7 @@ libmuffin.so.0 libmuffin0 #MINVER#
  meta_display_get_monitor_scale@Base 5.4.1
  meta_display_get_n_monitors@Base 5.4.1
  meta_display_get_pad_action_label@Base 5.4.1
+ meta_display_get_pointer_window@Base 5.6.4
  meta_display_get_primary_monitor@Base 5.4.1
  meta_display_get_selection@Base 5.4.1
  meta_display_get_size@Base 5.4.1
diff --git a/meson.build b/meson.build
index 63b5fad..d4b4590 100644
--- a/meson.build
+++ b/meson.build
@@ -1,5 +1,5 @@
 project('muffin', 'c',
-  version: '5.6.3',
+  version: '5.6.4',
   meson_version: '>= 0.50.0',
   license: 'GPLv2+'
 )
diff --git a/src/backends/meta-settings-private.h 
b/src/backends/meta-settings-private.h
index a7241ce..8965e1c 100644
--- a/src/backends/meta-settings-private.h
+++ b/src/backends/meta-settings-private.h
@@ -58,6 +58,8 @@ void meta_settings_update_ui_scaling_factor (MetaSettings 
*settings);
 gboolean meta_settings_get_global_scaling_factor (MetaSettings *settings,
   int  *scaing_factor);
 
+double meta_settings_get_font_scaling_factor (MetaSettings *settings);
+
 META_EXPORT_TEST
 gboolean meta_settings_is_experimental_feature_enabled (MetaSettings   
*settings,
 
MetaExperimentalFeature feature);
diff --git a/src/backends/meta-settings.c b/src/backends/meta-settings.c
index e544d65..f4a692f 100644
--- a/src/backends/meta-settings.c
+++ b/src/backends/meta-settings.c
@@ -223,6 +223,12 @@ meta_settings_update_font_dpi (MetaSettings *settings)
 g_signal_emit (settings, signals[FONT_DPI_CHANGED], 0);
 }
 
+double
+meta_settings_get_font_scaling_factor(MetaSettings *settings)
+{
+return g_settings_get_double (settings->interface_settings, 
"text-scaling-factor");
+}
+
 int
 meta_settings_get_font_dpi (MetaSettings *settings)
 {
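Review bot: the new definition `meta_settings_get_font_scaling_factor(MetaSettings *settings)` omits the space before the parenthesis that the surrounding GNU-style code uses (compare `meta_settings_get_font_dpi (MetaSettings *settings)` directly below); matching the file's style keeps later diffs clean. A one-line comment that this returns the `text-scaling-factor` GSetting consumed by the Xft.dpi-based crtc scale in meta-gpu-xrandr.c would also help readers of the private header, where the declaration is added with no documentation.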
diff --git a/src/backends/x11/meta-gpu-xrandr.c 
b/src/backends/x11/meta-gpu-xrandr.c
index 65a3c30..f2563e6 100644
--- a/src/backends/x11/meta-gpu-xrandr.c
+++ b/src/backends/x11/meta-gpu-xrandr.c
@@ -98,6 +98,10 @@ static int
 get_current_dpi_scale (MetaMonitorManagerXrandr 

Bug#1033913: partman-auto-lvm: Broken "Guided - use entire disk and set up LVM" in UEFI mode

2023-04-10 Thread Steve McIntyre
Hey Pascal, and thanks for the review!

Overall comment: I'm not trying to make the heuristics 100% reliable
here, as I don't think that's actually possible. Instead, I'm trying
to tread the fine line of:

 * minimising false negatives - let's try to pick up on the most
   common cases where people are dual-booting with other systems and
   might not understand the issues here. That's 99%+ going to be
   people with Windows installed

 * minimising false positives - the issue that angered Cyril in
   particular, with an incomplete LVM setup triggering the "bios
   bootable OS" warning

On Mon, Apr 10, 2023 at 01:01:01PM +0200, Pascal Hambourg wrote:
>partman-efi "Fix detection of BIOS-bootable systems" provides a significant
>improvement over previous behaviour. However I have a few comments.
>
>1a) The patch assumes that a GPT disk may be BIOS-bootable only if it has a
>BIOS boot partition. But a GPT disk can be BIOS-bootable even without a BIOS
>boot partition:
>- GRUB may be installed without a BIOS boot partition if /boot is a plain
>partition (using blocklists), even though it is less reliable so a BIOS boot
>partition is strongly recommended.

Yeah, GRUB installed using blocklists is so much *not* a thing anybody
should be doing these days.

>- Other BIOS boot loaders such as syslinux/extlinux do not need or use a BIOS
>boot partition.

Also not a use case I'm particularly caring about, I'll be
honest. They're also *really* not likely to work well without another
filesystem in use, which I expect we'll detect anyway.

>1b) IIUC the patch fixes #1033913 because the disk selected for installation
>has received a new GPT disklabel without a BIOS boot partition, so further
>checking is skipped. But IMO the root cause of #1033913 is that changes are
>not committed to disk after setting the 'boot' and 'esp' flags to the newly
>created ESP partition before stopping parted_server.
>This can be seen in /var/log/partman:
>
>/bin/autopartition-lvm
>NEW_LABEL sda gpt
>NEW_PARTITION 1 sda ext2 538MB (future ESP)
>NEW_PARTITION 2 sda ext2 512MB (future /boot)
>NEW_PARTITION 3 sda ext3 159GB (future LVM)
>SET_FLAGS sda3 lvm
>(user prompt to write changes to the disk)
>COMMIT sda
>...
>/lib/partman/update.d/21efi_sync_flag
>SET_FLAGS sda1 boot esp
>...
>/bin/perform_recipe_by_lvm
>QUIT <- esp and boot flags have not been committed yet so are lost
>...
>/lib/partman/init.d/50efi
>GET_FLAGS sda1 -> none
>
>2) The patch considers the 'esp' and 'boot' flags to be equal. But this is
>true only with GPT. With MSDOS, they have totally different meanings:
>- 'esp' means that the partition has the ESP type identifier.
>- 'boot' means that the partition has the active/boot indicator set. The UEFI
>specification says that this indicator is ignored by EFI boot.

ACK, I think you're correct here. Yay parted and its inconsistent
"flags" concept. :-(

>3) The patch considers LVM and RAID partitions not bootable. But both LVM and
>RAID superblocks can have a boot loader reserved area. Also, GRUB may boot
>them directly without a /boot partition.

Hmmm, maybe.

>4) It appears that partman fails to detect the specially crafted partition
>table on the installation media created with a Debian image. Is it intended
>or fortunately unintentional? If partman could see the EFI partition on the
>installation media, the detection of BIOS-bootable systems would fail.

That's not a worry for today... :-)

-- 
Steve McIntyre, Cambridge, UK.st...@einval.com
You lock the door
And throw away the key
There's someone in my head but it's not me 



Bug#856649: suricata: IPv4 defrag evasion issue

2023-04-10 Thread Salvatore Bonaccorso
Hi,

On Sun, Apr 09, 2023 at 01:16:34PM +0200, Sascha Steinbiss wrote:
> Hi,
> 
> (re: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856649)
> 
> Can we just close this bug? This has been addressed for years, and I am not
> sure we need to keep these open forever.

Can you pinpoint the upstream version where this was fixed?

Regards,
Salvatore



Bug#1032469: smartmontools: startup takes too long for systemd

2023-04-10 Thread Christian Franke

A note for upcoming smartmontools release 7.4:

If NOTIFY_SOCKET is set in the environment, smartd 7.4 will sd_notify
"EXTEND_TIMEOUT_USEC=2000" for each disk during device registration
and then for each disk during the first device checks. No such calls will
occur after "READY=1" has been notified.


Regards,

Christian
smartmontools.org



Bug#1034160: libkscreenlocker5: Screen locker crashes asking for loginctl command

2023-04-10 Thread Adilson dos Santos Dantas
Package: libkscreenlocker5
Version: 5.27.2-1
Severity: grave
Justification: renders package unusable

Dear Maintainer,

After some library updates, I cannot lock my Plasma session anymore.

It shows a black screen with a message asking to go to a virtual terminal and
run 'loginctl unlock-session 2' or similar to unlock the screen.

This is happening with my desktop and my notebook. Even after a reboot this
problem persists.

Debian Release: 12.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.2.10 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8), 
LANGUAGE=pt_BR:pt:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libkscreenlocker5 depends on:
ii  kio5.103.0-1
ii  kpackagetool5  5.103.0-1
ii  libc6  2.36-8
ii  libkf5configcore5  5.103.0-2
ii  libkf5configgui5   5.103.0-2
ii  libkf5configqml5   5.103.0-2
ii  libkf5coreaddons5  5.103.0-1
ii  libkf5crash5   5.103.0-1
ii  libkf5declarative5 5.103.0-1
ii  libkf5globalaccel-bin  5.103.0-1
ii  libkf5globalaccel5 5.103.0-1
ii  libkf5i18n55.103.0-1
ii  libkf5idletime55.103.0-2
ii  libkf5kiocore5 5.103.0-1
ii  libkf5notifications5   5.103.0-1
ii  libkf5package5 5.103.0-1
ii  libkf5quickaddons5 5.103.0-1
ii  libkf5screendpms8  4:5.27.2-1
ii  libkf5waylandclient5   4:5.103.0-1
ii  libkf5windowsystem55.103.0-1
ii  libkf5xmlgui5  5.103.0-1
ii  liblayershellqtinterface5  5.27.2-1
ii  libpam0g   1.5.2-6
ii  libqt5core5a   5.15.8+dfsg-4
ii  libqt5dbus55.15.8+dfsg-4
ii  libqt5gui5 5.15.8+dfsg-4
ii  libqt5network5 5.15.8+dfsg-4
ii  libqt5qml5 5.15.8+dfsg-3
ii  libqt5quick5   5.15.8+dfsg-3
ii  libqt5widgets5 5.15.8+dfsg-4
ii  libqt5x11extras5   5.15.8-2
ii  libstdc++6 12.2.0-14
ii  libwayland-client0 1.21.0-1
ii  libwayland-server0 1.21.0-1
ii  libx11-6   2:1.8.4-2
ii  libxcb-keysyms10.4.0-1+b2
ii  libxcb11.15-1
ii  libxi6 2:1.8-1+b1
ii  psmisc 23.6-1

Versions of packages libkscreenlocker5 recommends:
ii  kde-config-screenlocker  5.27.2-1

libkscreenlocker5 suggests no packages.

-- no debconf information



Bug#1033755: heimdal: CVE-2022-3116

2023-04-10 Thread Salvatore Bonaccorso
On Sat, Apr 08, 2023 at 01:44:33PM +0200, Salvatore Bonaccorso wrote:
> Hi Brian,
> 
> On Sat, Apr 08, 2023 at 07:56:55PM +1000, Brian May wrote:
> > Salvatore Bonaccorso  writes:
> > 
> > > Version: 7.8.git20221117.28daf24+dfsg-1.1
> > 
> > Are you sure this applies to the unstable version?
> > 
> > I can only find one out of two chunks in the patch. Maybe it was already
> > fixed in the stable branch which we use for unstable?
> 
> I *was* almost sure this was only fixed in the master branch of
> Heimdal and was not in 7.7.0 as well, and 7.8 does not seem to have
> the change applied as well. 
> 
> But I will double-check again.
> 
> https://www.kb.cert.org/vuls/id/730793 contains some more information
> and some distributions like Ubuntu did cherry pick the fix as well in
> their respective 7.7.0 and 7.5.0 based versions.

Here is what Ubuntu has backported for the older series, for 7.7.0
https://launchpadlibrarian.net/628258298/heimdal_7.7.0+dfsg-1ubuntu1_7.7.0+dfsg-1ubuntu1.1.diff.gz
and for 7.5.0 it is included in
https://launchpadlibrarian.net/628240960/heimdal_7.5.0+dfsg-1_7.5.0+dfsg-1ubuntu0.1.diff.gz
and the change for spnego/accept_sec_context.c still applies to the
version in unstable.

The upstream code was refactored in the master branch of the upstream project,
but the underlying issue seems to be what is touched there.

Unfortunately I have no further information available on the heimdal
issue, still it might be worth getting this fixed via unstable in
bookworm.

Let me know what you think, Brian.

Regards,
Salvatore



Bug#1034159: Kernel support for more ChromeOS devices

2023-04-10 Thread Alper Nebi Yasak
Source: linux
Version: 6.1.20-2
Severity: wishlist

Hi,

I've been going through ChromiumOS kernel configs [1] in hope that I
could reach a reasonable list of things to enable for hardware support
for more chromebooks. What I did is roughly:

- Prepend base.config, /common.config to /*.flavour.config
- Run "make olddefconfig" then "make savedefconfig" for each flavour
- Run "scripts/diffconfig" vs Debian's _none configs
- Filter to only have new non-n values, and n->[ym] changes
- Merge per-flavour changes into one file per arch
- Filter out configs that I guess aren't hardware-related
- Convert them into CONFIG=[ym] form, as many into =m as I could

I'm attaching what I got so far, but they are still huge (66/112/258
configs for arm/x86/arm64). I didn't have time to drill down into how
much of this is really useful or which devices need which configs. I'll
try to file per-chromebook MRs as I figure things out.

Not sure what I can get done in time for bookworm (fearing that it's
probably already too late). It would be nice if you could have a look
and pick whatever ones make sense to include at this stage.


[1] ChromiumOS kernel configuration sources
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/refs/heads/chromeos-6.1/chromeos/config/chromeos/

CONFIG_ARCH_TEGRA_114_SOC=y
CONFIG_ARCH_TEGRA_2x_SOC=y
CONFIG_ARCH_TEGRA_3x_SOC=y
CONFIG_ARM_ERRATA_818325_852422=y
CONFIG_ARM_ERRATA_821420=y
CONFIG_ARM_ERRATA_825619=y
CONFIG_ARM_ERRATA_857271=y
CONFIG_BATTERY_BQ27XXX_I2C=m
CONFIG_BT_AOSPEXT=y
CONFIG_BT_HCIBFUSB=m
CONFIG_BT_HCIVHCI=m
CONFIG_BT_MSFTEXT=y
CONFIG_CHARGER_BQ24735=m
CONFIG_CHARGER_CROS_PCHG=m
CONFIG_CHARGER_TPS65090=m
CONFIG_CROS_EC_CHARDEV=m
CONFIG_CROS_EC_LIGHTBAR=m
CONFIG_CROS_EC_SENSORHUB=m
CONFIG_CROS_EC_SYSFS=m
CONFIG_CROS_USBPD_NOTIFY=m
CONFIG_DAX=m
CONFIG_GPIO_TPS6586X=y
CONFIG_HW_RANDOM_TPM=y
CONFIG_I2C_HID_OF=m
CONFIG_I2C_STUB=m
CONFIG_IIO_CONFIGFS=m
CONFIG_IIO_CROS_EC_ACCEL_LEGACY=m
CONFIG_IIO_CROS_EC_SENSORS_CORE=m
CONFIG_IIO_HRTIMER_TRIGGER=m
CONFIG_IIO_SW_TRIGGER=m
CONFIG_IIO_SYSFS_TRIGGER=m
CONFIG_INPUT_JOYSTICK=y
CONFIG_JOYSTICK_IFORCE=m
CONFIG_JOYSTICK_IFORCE_USB=m
CONFIG_JOYSTICK_XPAD_FF=y
CONFIG_JOYSTICK_XPAD_LEDS=y
CONFIG_JOYSTICK_XPAD=m
CONFIG_KEYBOARD_GPIO_POLLED=m
CONFIG_KEYBOARD_NVEC=m
CONFIG_MFD_CROS_EC_DEV=m
CONFIG_MFD_NVEC=m
CONFIG_MFD_TPS65090=y
CONFIG_MFD_TPS6586X=y
CONFIG_MOUSE_CYAPA=m
CONFIG_MWIFIEX=m
CONFIG_MWIFIEX_SDIO=m
CONFIG_NET_VENDOR_ARC=y
CONFIG_NET_VENDOR_SEEQ=y
CONFIG_NVEC_PAZ00=m
CONFIG_NVEC_POWER=m
CONFIG_REGULATOR_PWM=m
CONFIG_REGULATOR_TPS51632=m
CONFIG_REGULATOR_TPS62360=m
CONFIG_REGULATOR_TPS65090=m
CONFIG_REGULATOR_TPS6586X=m
CONFIG_ROCKCHIP_INNO_HDMI=y
CONFIG_RT2800USB_UNKNOWN=y
CONFIG_SENSORS_LM90=m
CONFIG_SOC_TEGRA20_VOLTAGE_COUPLER=y
CONFIG_SOC_TEGRA30_VOLTAGE_COUPLER=y
CONFIG_TCG_TIS_I2C_INFINEON=m
CONFIG_TEGRA20_EMC=m
CONFIG_TEGRA30_EMC=m
CONFIG_TEGRA_IOMMU_GART=y
CONFIG_TOUCHSCREEN_ELAN=m
CONFIG_USB_MASS_STORAGE=m
CONFIG_ARCH_MEDIATEK=y
CONFIG_ARM_MEDIATEK_CCI_DEVFREQ=m
CONFIG_ARM_MEDIATEK_CPUFREQ=m
CONFIG_ARM_MEDIATEK_CPUFREQ_HW=m
CONFIG_ARM_SMC_WATCHDOG=m
CONFIG_ATH10K_SDIO=m
CONFIG_ATH10K_SNOC=m
CONFIG_ATH11K_AHB=m
CONFIG_BT_AOSPEXT=y
CONFIG_BT_HCIBFUSB=m
CONFIG_BT_HCIVHCI=m
CONFIG_BT_MSFTEXT=y
CONFIG_BT_MTKSDIO=m
CONFIG_COMMON_CLK_MT6765=y
CONFIG_COMMON_CLK_MT6779=m
CONFIG_COMMON_CLK_MT6795=m
CONFIG_COMMON_CLK_MT6795_MFGCFG=m
CONFIG_COMMON_CLK_MT6795_MMSYS=m
CONFIG_COMMON_CLK_MT6795_VDECSYS=m
CONFIG_COMMON_CLK_MT6795_VENCSYS=m
CONFIG_COMMON_CLK_MT7622=y
CONFIG_COMMON_CLK_MT7986=y
CONFIG_COMMON_CLK_MT7986_ETHSYS=y
CONFIG_COMMON_CLK_MT8167=y
CONFIG_COMMON_CLK_MT8167_AUDSYS=y
CONFIG_COMMON_CLK_MT8167_IMGSYS=y
CONFIG_COMMON_CLK_MT8167_MFGCFG=y
CONFIG_COMMON_CLK_MT8167_MMSYS=y
CONFIG_COMMON_CLK_MT8167_VDECSYS=y
CONFIG_COMMON_CLK_MT8173=y
CONFIG_COMMON_CLK_MT8173_MMSYS=y
CONFIG_COMMON_CLK_MT8183=y
CONFIG_COMMON_CLK_MT8183_AUDIOSYS=y
CONFIG_COMMON_CLK_MT8183_CAMSYS=y
CONFIG_COMMON_CLK_MT8183_IMGSYS=y
CONFIG_COMMON_CLK_MT8183_IPU_ADL=y
CONFIG_COMMON_CLK_MT8183_IPU_CONN=y
CONFIG_COMMON_CLK_MT8183_IPU_CORE0=y
CONFIG_COMMON_CLK_MT8183_IPU_CORE1=y
CONFIG_COMMON_CLK_MT8183_MFGCFG=y
CONFIG_COMMON_CLK_MT8183_MMSYS=y
CONFIG_COMMON_CLK_MT8183_VDECSYS=y
CONFIG_COMMON_CLK_MT8183_VENCSYS=y
CONFIG_COMMON_CLK_MT8186=y
CONFIG_COMMON_CLK_MT8192=y
CONFIG_COMMON_CLK_MT8195=y
CONFIG_COMMON_CLK_MT8365=m
CONFIG_COMMON_CLK_MT8365_APU=m
CONFIG_COMMON_CLK_MT8365_CAM=m
CONFIG_COMMON_CLK_MT8365_MFG=m
CONFIG_COMMON_CLK_MT8365_MMSYS=m
CONFIG_COMMON_CLK_MT8365_VDEC=m
CONFIG_COMMON_CLK_MT8365_VENC=m
CONFIG_COMMON_CLK_MT8516=y
CONFIG_COMMON_CLK_PALMAS=m
CONFIG_CROS_EC_MKBP_PROXIMITY=m
CONFIG_CROS_EC_RPMSG=m
CONFIG_DRM_ANALOGIX_ANX7625=m
CONFIG_DRM_ANALOGIX_ANX78XX=m
CONFIG_DRM_ITE_IT6505=m
CONFIG_DRM_MEDIATEK=m
CONFIG_DRM_MEDIATEK_HDMI=m
CONFIG_DRM_PANEL_BOE_TV101WUM_NL6=m
CONFIG_DRM_PANEL_INNOLUX_P079ZCA=m
CONFIG_DRM_PANEL_KINGDISPLAY_KD097D04=m
CONFIG_DRM_PANEL_SAMSUNG_ATNA33XC20=m
CONFIG_DRM_PANEL_VISIONOX_RM69299=m
CONFIG_DRM_PARADE_PS8640=m
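
As an added illustration of the filtering steps listed in the message (my code, not the poster's scripts and not a reimplementation of scripts/diffconfig), the following Python runs the "new non-n values and n->[ym] changes" filter, the per-arch merge and the CONFIG=[ym] conversion over two small constructed config fragments. The option names are taken from the attached list, but their values here are made up. The "aren't hardware-related" and "as many into =m as I could" steps are judgement calls and are not automated; the one rule added is that when two flavours disagree on y vs m, m wins, which is my choice.

```python
import re

# Constructed sample fragments (values made up; option names taken from the
# attached list). Stand-ins for a Debian "none" config and a ChromiumOS
# savedefconfig output for the same arch.
DEBIAN_CONFIG = """\
CONFIG_MWIFIEX=m
# CONFIG_MOUSE_CYAPA is not set
# CONFIG_TOUCHSCREEN_ELAN is not set
CONFIG_DAX=y
CONFIG_DEFAULT_HOSTNAME="(none)"
"""

CROS_CONFIG = """\
CONFIG_MWIFIEX=m
CONFIG_MWIFIEX_SDIO=m
CONFIG_MOUSE_CYAPA=m
CONFIG_TOUCHSCREEN_ELAN=y
# CONFIG_DAX is not set
CONFIG_DEFAULT_HOSTNAME="localhost"
CONFIG_CROS_EC_CHARDEV=m
"""

_SET_RE = re.compile(r'^(CONFIG_\w+)=(.*)$')
_UNSET_RE = re.compile(r'^# (CONFIG_\w+) is not set$')


def parse_config(text):
    """Map option name -> value. '# CONFIG_X is not set' is stored as 'n'."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
            continue
        m = _UNSET_RE.match(line)
        if m:
            values[m.group(1)] = 'n'
    return values


def enablement_delta(debian_text, cros_text):
    """Step 'filter to only have new non-n values, and n->[ym] changes'.

    Keeps an option when it is y/m in the ChromiumOS config and either
    absent from the Debian config or 'n' there. Unchanged options, options
    going to 'n' and non-tristate values (strings, numbers) are dropped,
    since the final output is only ever CONFIG_X=[ym].
    """
    base = parse_config(debian_text)
    new = parse_config(cros_text)
    delta = {}
    for name, value in new.items():
        if value not in ('y', 'm'):
            continue
        old = base.get(name)
        if old is None or old == 'n':
            delta[name] = value
    return delta


def merge_flavours(*deltas):
    """Step 'merge per-flavour changes into one file per arch'.

    Plain union; when two flavours disagree on y vs m, keep m (built as a
    module). That tie-break is my choice, not a rule from the message.
    """
    merged = {}
    for delta in deltas:
        for name, value in delta.items():
            if merged.get(name) != 'm':
                merged[name] = value
    return merged


def to_config_lines(options):
    """Step 'convert them into CONFIG=[ym] form': sorted, one per line."""
    return ['%s=%s' % (name, value) for name, value in sorted(options.items())]


if __name__ == '__main__':
    arm_delta = enablement_delta(DEBIAN_CONFIG, CROS_CONFIG)
    # A second, constructed flavour delta that disagrees on one option.
    other_flavour = {'CONFIG_TOUCHSCREEN_ELAN': 'm', 'CONFIG_I2C_HID_OF': 'm'}
    print('\n'.join(to_config_lines(merge_flavours(arm_delta, other_flavour))))
```

Running it prints the merged per-arch list; CONFIG_MWIFIEX (unchanged) and CONFIG_DEFAULT_HOSTNAME (a string) are dropped, CONFIG_DAX going to "not set" is ignored, and CONFIG_TOUCHSCREEN_ELAN ends up as =m because the second flavour builds it as a module.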

Bug#1034158: geocode-glib: geolocation not working in Initial Setup, Weather

2023-04-10 Thread Jeremy Bícha
Source: geocode-glib
Version: 3.26.3-5
Severity: serious
Forwarded: https://gitlab.gnome.org/GNOME/geocode-glib/-/issues/30

Automatic geolocation isn't working in the GNOME Weather or GNOME
Initial Setup Apps. This is a regression from the libsoup3 migration.

Thank you,
Jeremy Bícha



Bug#1034157: unblock: pci.ids/0.0~2023.03.17-1

2023-04-10 Thread Guillem Jover
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: pci@packages.debian.org
Control: affects -1 + src:pci.ids

Please unblock package pci.ids

[ Reason ]

This is a data-only package that provides known PCI IDs and their
descriptions, which helps with hardware enablement. (I've been meaning
to send similar requests for stable, but as I've not done that before I
was a bit hesitant, but depending on the outcome of this one, I might
start proposing those too.)

[ Impact ]

Hardware that was previously unknown would now be known to the system
and packages using this database.

[ Tests ]

The package provides an autopkgtest that verifies the format of the
database.

[ Risks ]

I'd say very minimal.

[ Checklist ]

  [√] all changes are documented in the d/changelog
  [√] I reviewed all changes and I approve them
  [√] attach debdiff against the package in testing

[ Other info ]

None.

unblock pci.ids/0.0~2023.03.17-1

Thanks,
Guillem
diff -Nru pci.ids-0.0~2023.02.23/debian/changelog 
pci.ids-0.0~2023.03.17/debian/changelog
--- pci.ids-0.0~2023.02.23/debian/changelog 2023-02-26 23:31:06.0 
+0100
+++ pci.ids-0.0~2023.03.17/debian/changelog 2023-03-22 23:56:31.0 
+0100
@@ -1,3 +1,10 @@
+pci.ids (0.0~2023.03.17-1) unstable; urgency=medium
+
+  * New upstream release.
+- Refresh patch.
+
+ -- Guillem Jover   Wed, 22 Mar 2023 23:56:31 +0100
+
 pci.ids (0.0~2023.02.23-1) unstable; urgency=medium
 
   * New upstream release.
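Review bot: the sub-item `- Refresh patch.` sits at column 1 directly after the `+`, while the `* New upstream release.` bullet above it keeps its two-space indent; if that is the file's real layout and not whitespace collapsing by the mail archive, indent it under the bullet (conventionally four spaces) so it reads as a sub-item of the upstream-release entry rather than a stray line.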
diff -Nru pci.ids-0.0~2023.02.23/debian/patches/0001-Fix-encoding-issues.patch 
pci.ids-0.0~2023.03.17/debian/patches/0001-Fix-encoding-issues.patch
--- pci.ids-0.0~2023.02.23/debian/patches/0001-Fix-encoding-issues.patch
2023-02-26 23:30:31.0 +0100
+++ pci.ids-0.0~2023.03.17/debian/patches/0001-Fix-encoding-issues.patch
2023-03-22 23:51:29.0 +0100
@@ -12,7 +12,7 @@
 
 --- a/pci.ids
 +++ b/pci.ids
-@@ -2749,7 +2749,7 @@
+@@ -2752,7 +2752,7 @@
  # FX-797A-TNBC
1682 3213  HD 7970 Black Edition
1682 3214  Double D HD 7970
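Review bot: this hunk, like the ones that follow it, changes only the line offsets in the nested `@@` headers of 0001-Fix-encoding-issues.patch (`-2749,7 +2749,7` becoming `-2752,7 +2752,7` here) while every context line stays identical, so it is a mechanical refresh against the new upstream pci.ids rather than a content change. Nothing to fix; since the encoding fixes themselves are not in the visible context, the thing to confirm is that the refreshed patch still applies without fuzz and that the affected entries were not already corrected upstream in the new release (in which case the corresponding nested hunk should be dropped instead of refreshed).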
@@ -21,7 +21,7 @@
  # Radeon HD 7970 X2
1787 2317  Radeon HD 7990
1787 3000  Tahiti XT2 [Radeon HD 7970 GHz Edition]
-@@ -2812,7 +2812,7 @@
+@@ -2815,7 +2815,7 @@
174b e282  Vapor-X R9 290X Tri-X OC
174b e285  R9 290X Tri-X OC
174b e324  Grenada XT2 [Radeon R9 390X]
@@ -30,7 +30,7 @@
1787 2357  Grenada XT [Radeon R9 390X]
67b1  Hawaii PRO [Radeon R9 290/390]
1043 04dd  STRIX R9 390
-@@ -3703,7 +3703,7 @@
+@@ -3707,7 +3707,7 @@
1002 0322  All-in-Wonder X1800XL
1002 0d02  Radeon X1800 CrossFire Edition
710a  R520 [Radeon X1800 GTO]
@@ -39,7 +39,7 @@
710b  R520 [Radeon X1800 GTO]
710e  R520 GL [FireGL V7300]
13cc 3d0c  MXRT-5150
-@@ -7495,7 +7495,7 @@
+@@ -7499,7 +7499,7 @@
1077 02f2  QLogic 1x32Gb QLE2770 FC HBA
1077 02f3  QLogic 2x32Gb QLE2772 FC HBA
1590 02d3  SN1610Q - 1P Enhanced 32GFC Single Port Fibre 
Channel Host Bus Adapter
@@ -48,7 +48,7 @@
2289  ISP2852-based 64/32G Fibre Channel to PCIe Controller with 
StorCryption
1077 02e9  QLE2882 Dual Port 64GFC PCIe Gen4 x8 Adapter with 
StorCryption
1077 02eb  QLE2782 Dual Port 32GFC PCIe Gen4 x8 Adapter with 
StorCryption
-@@ -13227,7 +13227,7 @@
+@@ -13233,7 +13233,7 @@
10ec 8739  Dell Wireless 1801
17aa b736  Z50-75
b822  RTL8822BE 802.11a/b/g/n/ac WiFi adapter
@@ -57,7 +57,7 @@
17aa 5124  ThinkPad E595
17aa b023  ThinkPad E595
c821  RTL8821CE 802.11ac PCIe Wireless Network Adapter
-@@ -21323,10 +21323,10 @@
+@@ -21338,10 +21338,10 @@
193d 1084  NIC-ETH540F-3S-2P
1016  MT27710 Family [ConnectX-4 Lx Virtual Function]
1017  MT27800 Family [ConnectX-5]
@@ -72,7 +72,7 @@
193d 1051  NIC-IB1040i-Mb-2P
1018  MT27800 Family [ConnectX-5 Virtual Function]
1019  MT28800 Family [ConnectX-5 Ex]
-@@ -21522,7 +21522,7 @@
+@@ -21540,7 +21540,7 @@
  15cd  Dreamtech Co Ltd
  15ce  Genrad Inc
  # https://www.hilscher.com/imprint/
@@ -81,7 +81,7 @@
  CIFX PCI/PCIe
  15d1  Infineon Technologies AG
  15d2  FIC (First International Computer Inc)
-@@ -21993,14 +21993,14 @@
+@@ -22013,14 +22013,14 @@
002e  AR9287 Wireless Network Adapter (PCI-Express)
105b e034  T77H167.00
0030  AR93xx Wireless Network Adapter
@@ -98,7 +98,7 @@
105b e044  Unex DHXA-225
144d 410e  AR9485WB-EG 802.11b/g/n mini-PCIe card on a series 3 
laptop
1a3b 1186  AW-NE186H
-@@ -25410,13 +25410,13 @@
+@@ -25434,13 +25434,13 @@
1203  NVMe SSD Controller UHXXXa series
1e81 a121  NVMe SSD UHXXXa 

Bug#1034156: libgpg-error: New upstream version 1.47

2023-04-10 Thread Andreas Metzler
Source: libgpg-error
Version: 1.46-1
Severity: wishlist

Hello,

libgpg-error 1.47 has been released, please find branches on salsa that
could be fast-forwarded:
debian/experimental-tmp-1.47 --> debian/experimental
pristine-tar-tmp-1.47 --> pristine-tar
upstream-tmp-1.47 --> upstream

cu Andreas



Bug#1034155: ippsample: CVE-2023-28428

2023-04-10 Thread Salvatore Bonaccorso
Source: ippsample
Version: 0.0~git20220607.72f89b3-1
Severity: normal
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for ippsample.

CVE-2023-28428[0]:
| PDFio is a C library for reading and writing PDF files. In versions
| 1.1.0 and prior, a denial of service vulnerability exists in the pdfio
| parser. Crafted pdf files can cause the program to run at 100%
| utilization and never terminate. This is different from
| CVE-2023-24808. A patch for this issue is available in version 1.1.1.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28428
https://www.cve.org/CVERecord?id=CVE-2023-28428
[1] 
https://github.com/michaelrsweet/pdfio/commit/97d4955666779dc5b0665e15dd951a5c12426a31
[2] 
https://github.com/michaelrsweet/pdfio/security/advisories/GHSA-68x8-9phf-j7jf

Regards,
Salvatore



Bug#1034154: libyang2: CVE-2023-26916

2023-04-10 Thread Salvatore Bonaccorso
Source: libyang2
Version: 2.1.30-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/CESNET/libyang/issues/1979
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for libyang2.

CVE-2023-26916[0]:
| libyang from v2.0.164 to v2.1.30 was discovered to contain a NULL
| pointer dereference via the function lys_parse_mem at lys_parse_mem.c.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-26916
https://www.cve.org/CVERecord?id=CVE-2023-26916
[1] https://github.com/CESNET/libyang/issues/1979

Regards,
Salvatore



Bug#1034153: unblock: scikit-rf/0.15.4-2.1

2023-04-10 Thread Josef Schneider

Package: release.debian.org
Severity: normal
X-Debbugs-Cc: josef81...@gmail.com, t...@debian.org, ruben.undh...@gmail.com
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package scikit-rf.

[ Reason ]
This update allows the python package to import without error by 
importing the collections.abc python package in replacement of the 
collections python package because collections.abc contains the Sequence 
and MutableMapping attributes (see #1032392).


[ Impact ]
With this fix, the package does not throw an AttributeError when being 
imported in a python console. scikit-rf has no reverse-dependencies, so 
there is no impact on other packages.


[ Tests ]
dh_auto_test runs during the build and would fail the build if tests 
failed. I installed the new .deb and ran `import skrf` and `from skrf 
import Network` in a python console. No error was thrown and running 
`skrf` produces <module 'skrf' from '/usr/lib/python3/dist-packages/skrf/__init__.py'> as expected. The 
updates were also reviewed by the DD who signed and uploaded the package.


[ Risks ]
scikit-rf has no reverse-dependencies so there are no risks.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock: scikit-rf/0.15.4-2.1

--
Josef Schneider

GPG Fingerprint 3267 0331 DB61 A817 7D25 4D05 5A44 BC12 F2A8 E58F
diff -Nru scikit-rf-0.15.4/debian/changelog scikit-rf-0.15.4/debian/changelog
--- scikit-rf-0.15.4/debian/changelog   2020-12-02 09:46:23.0 +0100
+++ scikit-rf-0.15.4/debian/changelog   2023-04-04 19:53:06.0 +0200
@@ -1,3 +1,11 @@
+scikit-rf (0.15.4-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add patch to import python package collections.abc instead of collections.
++ Fixes AttributeError when importing the package (Closes: #1032392).
+
+ -- Josef Schneider   Tue, 04 Apr 2023 19:53:06 +0200
+
 scikit-rf (0.15.4-2) unstable; urgency=medium
 
   * First source-only upload
diff -Nru scikit-rf-0.15.4/debian/patches/0002-import-collections-abc.patch 
scikit-rf-0.15.4/debian/patches/0002-import-collections-abc.patch
--- scikit-rf-0.15.4/debian/patches/0002-import-collections-abc.patch   
1970-01-01 01:00:00.0 +0100
+++ scikit-rf-0.15.4/debian/patches/0002-import-collections-abc.patch   
2023-04-04 19:53:06.0 +0200
@@ -0,0 +1,43 @@
+From eb86566f22b80cf782585dc04d872fc11b437946 Mon Sep 17 00:00:00 2001
+From: Josef Schneider 
+Date: Tue, 4 Apr 2023 20:04:21 +0200
+Subject: [PATCH] import collections abc
+
+---
+ skrf/util.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/skrf/util.py b/skrf/util.py
+index b9566f3..355ec0e 100644
+--- a/skrf/util.py
 b/skrf/util.py
+@@ -32,7 +32,7 @@ import six.moves.cPickle as pickle
+ 
+ import numpy as npy
+ from datetime import datetime
+-import collections
++import collections.abc
+ import pprint
+ import re
+ from subprocess import Popen, PIPE
+@@ -286,7 +286,7 @@ def findReplace(directory, find, replace, filePattern):
+ 
+ # general purpose objects
+ 
+-class HomoList(collections.Sequence):
++class HomoList(collections.abc.Sequence):
+ '''
+ 
+ A Homogeneous Sequence
+@@ -384,7 +384,7 @@ class HomoList(collections.Sequence):
+ return pprint.pformat(self.store)
+ 
+ 
+-class HomoDict(collections.MutableMapping):
++class HomoDict(collections.abc.MutableMapping):
+ '''
+ A Homogeneous Mutable Mapping
+ 
+-- 
+2.38.1
+
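Review bot: the replacement `import collections.abc` still binds the top-level name `collections`, so any other `collections.*` uses in skrf/util.py keep working and the only behavioural change is the two base classes becoming `collections.abc.Sequence` and `collections.abc.MutableMapping`, which is the correct fix because those aliases were removed from the `collections` namespace in Python 3.10. Two documentation points: the patch carries a git Subject (`import collections abc`) but no body and no DEP-3 fields, so add at least `Bug-Debian: https://bugs.debian.org/1032392` and a `Forwarded:` line saying whether upstream already has this change; and the `+++ b/skrf/util.py` header line appears here as ` b/skrf/util.py` with its `+++` missing, which is presumably mail mangling but is worth checking against the file in the source package, since quilt cannot apply a patch whose file header is damaged.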
diff -Nru scikit-rf-0.15.4/debian/patches/series 
scikit-rf-0.15.4/debian/patches/series
--- scikit-rf-0.15.4/debian/patches/series  2020-12-02 09:45:36.0 
+0100
+++ scikit-rf-0.15.4/debian/patches/series  2023-04-04 19:53:06.0 
+0200
@@ -1 +1,2 @@
 0001-Included-script-should-run-with-Python-3.patch
+0002-import-collections-abc.patch




Bug#1034152: configobj: CVE-2023-26112

2023-04-10 Thread Salvatore Bonaccorso
Source: configobj
Version: 5.0.8-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/DiffSK/configobj/issues/232
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for configobj.

CVE-2023-26112[0]:
| All versions of the package configobj are vulnerable to Regular
| Expression Denial of Service (ReDoS) via the validate function, using
| (.+?)\((.*)\). **Note:** This is only exploitable in the case of a
| developer, putting the offending value in a server side configuration
| file.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-26112
https://www.cve.org/CVERecord?id=CVE-2023-26112
[1] https://github.com/DiffSK/configobj/issues/232

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
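
As an added example from the defender's side (my code, not configobj's and not the upstream fix), the following takes the regex quoted in the CVE text, `(.+?)\((.*)\)`, and puts beside it a parser that returns the same `name(args)` split in a single pass with no backtracking, which is the kind of replacement that removes the ReDoS exposure from a server-side configuration value. It assumes configobj applies the pattern with `match` and compiles it with `re.DOTALL`; the function names `parse_check_regex`, `parse_check_linear` and `equivalent_on_alphabet` are mine.

```python
import itertools
import re

# The pattern quoted in the CVE text. It is compiled here with re.DOTALL so
# that '.' also spans newlines and the find/rfind rewrite below stays exact;
# whether configobj itself sets that flag is an assumption, not something
# the bug report states.
VULNERABLE_FUNC_RE = re.compile(r'(.+?)\((.*)\)', re.DOTALL)


def parse_check_regex(value):
    """Backtracking version of the 'name(args)' split.

    Returns (name, args) or None. On inputs with many '(' and no matching
    ')', the lazy '.+?' is re-expanded once per candidate '(' and the
    greedy '.*' is walked back each time, so the cost grows super-linearly
    with the length of the value.
    """
    m = VULNERABLE_FUNC_RE.match(value)
    if m is None:
        return None
    return m.group(1), m.group(2)


def parse_check_linear(value):
    """Same result as parse_check_regex, in one pass with no backtracking.

    What the regex actually selects: group 1 is everything before the first
    '(' at index >= 1 (the lazy '.+?' must consume at least one character),
    group 2 is everything between that '(' and the LAST ')' in the string
    (the greedy '.*' backtracks to it). Text after that ')' is ignored
    because match() only anchors at the start.
    """
    open_idx = value.find('(', 1)
    if open_idx < 0:
        return None
    close_idx = value.rfind(')')
    if close_idx < open_idx:
        return None
    return value[:open_idx], value[open_idx + 1:close_idx]


def equivalent_on_alphabet(alphabet='a()', max_len=6):
    """Exhaustively compare both parsers on every string over `alphabet` of
    length <= max_len (1093 strings for the defaults) and return the first
    input on which they disagree, or None if they agree everywhere."""
    for n in range(max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            s = ''.join(chars)
            if parse_check_regex(s) != parse_check_linear(s):
                return s
    return None


if __name__ == '__main__':
    # Typical configspec checks of the form configobj's validate module accepts.
    for spec in ("integer(0, 100)", "option('a', 'b')", "string", "f()"):
        print('%-18r -> %r' % (spec, parse_check_linear(spec)))
    print('first disagreement with the regex:', equivalent_on_alphabet())
```

The exhaustive comparison over the alphabet `a()` is what makes the rewrite trustworthy: it exercises every arrangement of nested, unbalanced and trailing parentheses up to length six and confirms that the linear parser accepts and rejects exactly what the regex does, so swapping it in changes cost, not behaviour.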


