Bug#1071015: RFS: color-picker/1.0.3-3 -- Powerful screen color picker based on Qt

[Hugo Torres de Lima]

Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "color-picker":

 * Package name : color-picker
   Version  : 1.0.3-3
   Upstream contact : https://github.com/keshavbhatt/ColorPicker/issues
 * URL  : https://github.com/keshavbhatt/ColorPicker
 * License  : MIT
 * Vcs  : https://salsa.debian.org/debian/colorpicker
   Section  : graphics

The source builds the following binary packages:

  color-picker - Powerful screen color picker based on Qt

To access further information about this package, please visit the following 
URL:

  https://mentors.debian.net/package/color-picker/

Alternatively, you can download the package with 'dget' using this command:

  dget -x 
https://mentors.debian.net/debian/pool/main/c/color-picker/color-picker_1.0.3-3.dsc

Changes since the last upload:

 color-picker (1.0.3-3) unstable; urgency=medium
 .
   * debian/control: bumped Standards-Version to 4.7.0.
   * debian/copyright: Updated dates.
   * debian/patches/01-segfaults.patch:
   - Created. Thanks to Sudip Mukherjee (Closes: #1060003)

Regards,
--
  Hugo Torres de Lima

Bug#1055605: fstack-clash-protection hardening change breaks building packages with clang on arm64

[Hugo Melder]

Package: dpkg-dev
Version: 1.22.0
Severity: important

Hi,

The recent change (https://git.dpkg.org/cgit/dpkg/dpkg.git/diff/?id=11efff1bf) 
breaks building Debian packages with clang on arm64. LLVM does not have 
-fstack-clash-protection enabled on aarch64 (https://reviews.llvm.org/D96007).

Here is the original bug report for adding clash protection: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918914

The GNUstep Objective-C 2.0 toolchain depends on Clang as GCC does not have 
newer Objective-C features such as ARC, properties, and blocks.

Fedora enables stack-clash-protection based on the toolchain 
(https://src.fedoraproject.org/fork/tstellar/rpms/redhat-rpm-config/blob/c0bad810b4b47086f58e7537e258333b14c92c45/f/rpmrc#_77),
 and omits the flag when the compiler is not gcc.

I would suggest either checking for the compiler (if possible), or disabling it 
for aarch64 until Clang has support for it as well. Right now, projects like 
Grand Central Dispatch (libdispatch) or other projects with -Werror turned on, 
refuse to build.

Bug#1053280: RFS: gsimplecal/2.5.1-1 -- lightweight GUI calendar application

[Hugo Torres]

Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "gsimplecal":

 * Package name : gsimplecal
   Version  : 2.5.1-1
   Upstream contact : https://github.com/dmedvinsky/gsimplecal/issues
 * URL  : https://dmedvinsky.github.io/gsimplecal
 * License  : BSD-3-Clause
 * Vcs  : https://salsa.debian.org/debian/gsimplecal
   Section  : misc

The source builds the following binary packages:

  gsimplecal - lightweight GUI calendar application

To access further information about this package, please visit the following 
URL:

  https://mentors.debian.net/package/gsimplecal/

Alternatively, you can download the package with 'dget' using this command:

  dget -x 
https://mentors.debian.net/debian/pool/main/g/gsimplecal/gsimplecal_2.5.1-1.dsc

Changes since the last upload:

 gsimplecal (2.5.1-1) unstable; urgency=medium
 .
   * New upstream version 2.5.1

Regards,
--
  Hugo Torres de Lima

Bug#1051730: RFS: viewnior/1.8-2 [QA] -- simple, fast and elegant image viewer

[Hugo Torres]

Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "viewnior":

 * Package name : viewnior
   Version  : 1.8-2
   Upstream contact : https://github.com/hellosiyan/Viewnior/issues
 * URL  : https://siyanpanayotov.com/project/viewnior/
 * License  : GPL-3+
 * Vcs  : https://salsa.debian.org/debian/viewnior
   Section  : graphics

The source builds the following binary packages:

  viewnior - simple, fast and elegant image viewer

To access further information about this package, please visit the following 
URL:

  https://mentors.debian.net/package/viewnior/

Alternatively, you can download the package with 'dget' using this command:

  dget -x 
https://mentors.debian.net/debian/pool/main/v/viewnior/viewnior_1.8-2.dsc

Changes since the last upload:

 viewnior (1.8-2) unstable; urgency=medium
 .
   * QA upload.
   * Using new DH level format. Consequently:
   - debian/compat: Removed.
   - debian/control: Changed from 'debhelper' to 'debhelper-compat' in
 Build-Depends field and bumped level to 13.
   * debian/changelog: Removed extra blank space.
   * debian/control:
   - Added 'Rules-Requires-Root: no' to source stanza.
   - Bumped Standards-Version to 4.6.2.
   * debian/copyright:
   - Added Upstream-Contact.
   - Organized licenses.
   - Updated Source URL.
   - Updated upstream email address.
   - Using a secure URI in Format field.
   * debian/upstream/metadata: Created.
   * debian/rules:
   - Added hardening.
   - Removed --parallel argument.

Regards,
--
  Hugo Torres de Lima

Bug#1051183: RFS: gsimplecal/2.5-1 -- lightweight GUI calendar application

[Hugo Torres]

Control: tags 1051183 - moreinfo

Hi Jeroen,

Thanks for your help. I fixed the package and uploaded it to the mentors.

On 9/5/23 09:07, Jeroen Ploemen wrote:

Control: tags -1 moreinfo

On Mon, 04 Sep 2023 00:44:08 -0300
Hugo Torres  wrote:


I am looking for a sponsor for my package gsimplecal:

hi Hugo,

some minor issues came up during review:

* copyright: upstream years outdated (only the years for the packaging
   were changed, despite the changelog claiming otherwise).
* lintian: W: gsimplecal: mismatched-override hardening-no-fortify-functions 
usr/bin/gsimplecal [usr/share/lintian/overrides/gsimplecal:2]
   (probably caused by a change in lintian's output format)


Please remove the moreinfo tag (and CC me directly) once you have an
updated package ready.

Bug#1051183: RFS: gsimplecal/2.5-1 -- lightweight GUI calendar application

[Hugo Torres]

Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "gsimplecal":

 * Package name : gsimplecal
   Version  : 2.5-1
   Upstream contact : https://github.com/dmedvinsky/gsimplecal/issues
 * URL  : https://dmedvinsky.github.io/gsimplecal
 * License  : BSD-3-Clause
 * Vcs  : https://salsa.debian.org/debian/gsimplecal
   Section  : misc

The source builds the following binary packages:

  gsimplecal - lightweight GUI calendar application

To access further information about this package, please visit the following 
URL:

  https://mentors.debian.net/package/gsimplecal/

Alternatively, you can download the package with 'dget' using this command:

  dget -x 
https://mentors.debian.net/debian/pool/main/g/gsimplecal/gsimplecal_2.5-1.dsc

Changes since the last upload:

 gsimplecal (2.5-1) unstable; urgency=medium
 .
   * New upstream version 2.5
   * debian/control: bumped·Standards-Version·to 4.6.2
   * debian/copyright: Updated upstream copyright year.

Regards,
--
  Hugo Torres de Lima

Bug#1050115: RFS: mp3info/0.8.5a+dfsg-1 -- MP3 technical info viewer and ID3 1.x tag editor

[Hugo Torres]

Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "mp3info":

 * Package name : mp3info
   Version  : 0.8.5a+dfsg-1
   Upstream contact : Cedric Tefft 
 * URL  : https://www.ibiblio.org/mp3info/
 * License  : GPL-2+
 * Vcs  : https://salsa.debian.org/debian/mp3info
   Section  : sound

The source builds the following binary packages:

  mp3info - MP3 technical info viewer and ID3 1.x tag editor

To access further information about this package, please visit the following 
URL:

  https://mentors.debian.net/package/mp3info/

Alternatively, you can download the package with 'dget' using this command:

  dget -x 
https://mentors.debian.net/debian/pool/main/m/mp3info/mp3info_0.8.5a+dfsg-1.dsc

Changes since the last upload:

 mp3info (0.8.5a+dfsg-1) unstable; urgency=medium
 .
   * Removing support for gtk2. Consequently:
   - debian/control:
   - Removed libgtk2.0-dev in Build-Depends. (Closes: #967642)
   - Removed package: mp3info-gtk
   - debian/mp3info-gtk.dirs: Removed.
   - debian/mp3info-gtk.docs: Removed.
   - debian/mp3info-gtk.files: Removed.
   - debian/mp3info-gtk.menu: Removed.
   - debian/patches/04_removing_gtk2_interface.patch: Created.
   * debian/control: Bumped Standards-Version to 4.6.2.
   * debian/copyright: Updated.

Regards,
--
  Hugo Torres de Lima

Bug#1032352: RFS: cldump/0.11~dfsg-6 [QA] -- Clarion database files extractor

[Hugo Torres]

Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "cldump":

 * Package name : cldump
   Version  : 0.11~dfsg-6
   Upstream contact : Julien BLACHE 
 * URL  : [fill in URL of upstream's web site]
 * License  : GPL-2
 * Vcs  : [fill in URL of packaging vcs]
   Section  : misc

The source builds the following binary packages:

  cldump - Clarion database files extractor

To access further information about this package, please visit the following 
URL:

  https://mentors.debian.net/package/cldump/

Alternatively, you can download the package with 'dget' using this command:

  dget -x 
https://mentors.debian.net/debian/pool/main/c/cldump/cldump_0.11~dfsg-6.dsc

Changes since the last upload:

 cldump (0.11~dfsg-6) unstable; urgency=medium
 .
   * QA upload.
   * debian/control: Updated Standards-Version for 4.6.2.
   * debian/copyright: Updated.
   * debian/patches: Created 01-hardening.patch.

Regards,
--
  Hugo Torres de Lima

Bug#1006991: closed by Aurélien COUDERC (Re: Bug#1006991: libkwin4-effect-builtins1 blocks apt ugrade on Debian testing)

[Hugo Peek]

Thanks a lot for your quick response Aurélien! I'm happy to hear that. Last
time I ignored the warning, and sabotaged mariadb..

Greets,
Hugo

On Thu, Mar 10, 2022, 14:21 Debian Bug Tracking System <
ow...@bugs.debian.org> wrote:

> This is an automatic notification regarding your Bug report
> which was filed against the libkwin4-effect-builtins1 package:
>
> #1006991: libkwin4-effect-builtins1 blocks apt ugrade on Debian testing
>
> It has been closed by Aurélien COUDERC .
>
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Aurélien COUDERC <
> couc...@debian.org> by
> replying to this email.
>
>
> --
> 1006991: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006991
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems
>
>
>
> -- Forwarded message --
> From: "Aurélien COUDERC" 
> To: Debian Bug Tracking System ,
> debian-qt-...@lists.debian.org
> Cc: Hugo Peek , 1006991-d...@bugs.debian.org
> Bcc:
> Date: Thu, 10 Mar 2022 07:19:04 +0100
> Subject: Re: Bug#1006991: libkwin4-effect-builtins1 blocks apt ugrade on
> Debian testing
> Le jeudi 10 mars 2022, 06:43:46 CET Hugo Peek a écrit :
> > Package: libkwin4-effect-builtins1
> > Version: 4:5.23.5-1
> > Severity: normal
> > X-Debbugs-Cc: hugop...@gmail.com
> >
> > Dear Maintainer,
>
> Dear Hugo,
>
> thanks for your bug report.
>
> […]
> >
> > When trying to update through Discover, it says:
> >
> > The following packages will be removed by the update:
> > - libkwin4-effect-builtins1 (4:5.23.5-1)
>
> This library has been removed from Plasma in 5.24, so you can safely
> upgrade.
>
>
> Happy hacking,
> --
> Aurélien
>
>
> -- Forwarded message --
> From: Hugo Peek 
> To: Debian Bug Tracking System 
> Cc:
> Bcc:
> Date: Thu, 10 Mar 2022 13:43:46 +0800
> Subject: libkwin4-effect-builtins1 blocks apt ugrade on Debian testing
> Package: libkwin4-effect-builtins1
> Version: 4:5.23.5-1
> Severity: normal
> X-Debbugs-Cc: hugop...@gmail.com
>
> Dear Maintainer,
>
> Apt upgrade is holding all KDE updates back:
>
> The following packages have been kept back:
>   breeze breeze-cursor-theme kde-cli-tools kde-cli-tools-data
> kde-config-gtk-style kde-config-screenlocker
>   kde-plasma-desktop kde-standard kde-style-breeze kdeplasma-addons-data
> khotkeys khotkeys-data kwin-common
>   kwin-data kwin-style-breeze kwin-x11 libcolorcorrect5
> libkdecorations2-5v5 libkdecorations2private9
>   libkfontinst5 libkfontinstui5 libkscreenlocker5 libkwaylandserver5
> libkwineffects13 libkwinglutils13
>   libkwinxrenderutils13 libkworkspace5-5 libnotificationmanager1
> libplasma-geolocation-interface5
>   libpowerdevilcore2 libpowerdevilui5 libtaskmanager6abi1 libweather-ion7
> plasma-dataengines-addons
>   plasma-desktop plasma-desktop-data plasma-integration
> plasma-runners-addons plasma-wallpapers-addons
>   plasma-widgets-addons plasma-workspace plasma-workspace-data powerdevil
> powerdevil-data systemsettings
> 0 upgraded, 0 newly installed, 0 to remove and 45 not upgraded.
>
> When trying to update through Discover, it says:
>
> The following packages will be removed by the update:
> - libkwin4-effect-builtins1 (4:5.23.5-1)
>
> I didn't proceed after that, because I didn't feel like bodging my system
> today.
>
>
> -- System Information:
> Debian Release: bookworm/sid
>   APT prefers testing
>   APT policy: (500, 'testing')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 5.16.0-3-amd64 (SMP w/4 CPU threads; PREEMPT)
> Locale: LANG=en_PH.UTF-8, LC_CTYPE=en_PH.UTF-8 (charmap=UTF-8),
> LANGUAGE=en_PH:en
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages libkwin4-effect-builtins1 depends on:
> ii  libc6 2.33-7
> ii  libepoxy0 1.5.9-2
> ii  libkf5configcore5 5.90.0-1
> ii  libkf5configgui5  5.90.0-1
> ii  libkf5configwidgets5  5.90.1-4
> ii  libkf5globalaccel-bin 5.90.0-1
> ii  libkf5globalaccel55.90.0-1
> ii  libkf5i18n5   5.90.0-1
> ii  libkf5notifications5  5.90.0-1
> ii  libkf5plasma5 5.

Bug#1006991: libkwin4-effect-builtins1 blocks apt ugrade on Debian testing

[Hugo Peek]

Package: libkwin4-effect-builtins1
Version: 4:5.23.5-1
Severity: normal
X-Debbugs-Cc: hugop...@gmail.com

Dear Maintainer,

Apt upgrade is holding all KDE updates back:

The following packages have been kept back:
  breeze breeze-cursor-theme kde-cli-tools kde-cli-tools-data 
kde-config-gtk-style kde-config-screenlocker
  kde-plasma-desktop kde-standard kde-style-breeze kdeplasma-addons-data 
khotkeys khotkeys-data kwin-common
  kwin-data kwin-style-breeze kwin-x11 libcolorcorrect5 libkdecorations2-5v5 
libkdecorations2private9
  libkfontinst5 libkfontinstui5 libkscreenlocker5 libkwaylandserver5 
libkwineffects13 libkwinglutils13
  libkwinxrenderutils13 libkworkspace5-5 libnotificationmanager1 
libplasma-geolocation-interface5
  libpowerdevilcore2 libpowerdevilui5 libtaskmanager6abi1 libweather-ion7 
plasma-dataengines-addons
  plasma-desktop plasma-desktop-data plasma-integration plasma-runners-addons 
plasma-wallpapers-addons
  plasma-widgets-addons plasma-workspace plasma-workspace-data powerdevil 
powerdevil-data systemsettings
0 upgraded, 0 newly installed, 0 to remove and 45 not upgraded.

When trying to update through Discover, it says:

The following packages will be removed by the update:
- libkwin4-effect-builtins1 (4:5.23.5-1)

I didn't proceed after that, because I didn't feel like bodging my system today.


-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.16.0-3-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_PH.UTF-8, LC_CTYPE=en_PH.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_PH:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libkwin4-effect-builtins1 depends on:
ii  libc6 2.33-7
ii  libepoxy0 1.5.9-2
ii  libkf5configcore5 5.90.0-1
ii  libkf5configgui5  5.90.0-1
ii  libkf5configwidgets5  5.90.1-4
ii  libkf5globalaccel-bin 5.90.0-1
ii  libkf5globalaccel55.90.0-1
ii  libkf5i18n5   5.90.0-1
ii  libkf5notifications5  5.90.0-1
ii  libkf5plasma5 5.90.0-2
ii  libkf5service-bin 5.90.0-1
ii  libkf5service55.90.0-1
ii  libkf5windowsystem5   5.90.0-1
ii  libkwaylandserver5 [libkwaylandserver5-5.23]  5.23.5-1
ii  libkwineffects13  4:5.23.5-1
ii  libkwinglutils13  4:5.23.5-1
ii  libqt5core5a  5.15.2+dfsg-15
ii  libqt5dbus5   5.15.2+dfsg-15
ii  libqt5gui55.15.2+dfsg-15
ii  libqt5qml55.15.2+dfsg-10
ii  libqt5quick5  5.15.2+dfsg-10
ii  libqt5widgets55.15.2+dfsg-15
ii  libstdc++612-20220302-1
ii  libxcb1   1.14-3

libkwin4-effect-builtins1 recommends no packages.

libkwin4-effect-builtins1 suggests no packages.

-- no debconf information

Bug#1006688: reportbug: Debian 11 KDE (Mirror download not working on Google Chrome Version 99.0.4844.51)

[Hugo B]

Package: reportbug
Version: 7.10.3+deb11u1
Severity: minor
X-Debbugs-Cc: hugo.lalint...@gmail.com

Dear Maintainer, cant download mirrors on Google chrome  Version 99.0.4844.51 
Im using debian 11 KDE. Example: I try download it and when I click the FTP 
link nothing happens so need change to another browser to download it. On 
firefox is working fine.

* ** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
   * What exactly did you do (or not do) that was effective (or
 ineffective)?
   * What was the outcome of this action?
   * What outcome did you expect instead?

*** End of the template - remove these template lines ***


-- Package-specific info:
** Environment settings:
INTERFACE="text"

** /root/.reportbugrc:
reportbug_version "7.10.3+deb11u1"
mode novice
ui text
realname "Hugo B"
email "hugo.lalint...@gmail.com"
no-check-uid
no-cc
list-cc-me
smtphost reportbug.debian.org

-- System Information:
Debian Release: 11.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-11-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages reportbug depends on:
ii  apt2.2.4
ii  python33.9.2-3
ii  python3-reportbug  7.10.3+deb11u1
ii  sensible-utils 0.0.14

reportbug recommends no packages.

Versions of packages reportbug suggests:
pn  claws-mail
pn  debconf-utils 
pn  debsums   
pn  default-mta | postfix | exim4 | mail-transport-agent  
pn  dlocate   
pn  emacs-bin-common  
ii  file  1:5.39-3
ii  gnupg 2.2.27-2
pn  python3-urwid 
pn  reportbug-gtk 
ii  xdg-utils 1.1.3-4.1

Versions of packages python3-reportbug depends on:
ii  apt2.2.4
ii  file   1:5.39-3
ii  python33.9.2-3
ii  python3-apt2.2.1
ii  python3-debian 0.1.39
ii  python3-debianbts  3.1.0
ii  python3-requests   2.25.1+dfsg-2
ii  sensible-utils 0.0.14

python3-reportbug suggests no packages.

-- no debconf information

Bug#945281: dwm: new upstream release

[Hugo Lefeuvre]

Hi Bastian,

Thank you very much for this. I'm overwhelmed by work and couldn't find
time and energy for Debian lately. I'm really sorry for the lack of
responsivity!

Best,
Hugo

On Sun, Dec 12, 2021 at 12:02:06PM +0100, Bastian Germann wrote:
> I am sponsoring a NMU (DELAYED/3) for this. The debdiff is attached.

> diff -Nru dwm-6.1/BUGS dwm-6.2/BUGS
> --- dwm-6.1/BUGS  2015-11-08 23:11:48.0 +0100
> +++ dwm-6.2/BUGS  1970-01-01 01:00:00.0 +0100
> @@ -1,44 +0,0 @@
> 
> -
> -18:17 < Biolunar> when i change my resolution in dwm (to a smaller one) and 
> then back to the native, the top bar is not repainted. that's since 5.7.2, in 
> 5.6 it worked fine
> -18:19 < Biolunar> is it just happening to me or a (known) bug?
> -18:24 < Biolunar> and in addition, mplayers fullscreen is limited to the 
> small resolution after i changed it back to the native
> -
> -reproducible with xrandr -s but not with --output and --mode, strange
> -
> 
> -
> -yet another corner case:
> -open a terminal, focus another monitor, but without moving the mouse
> -pointer there
> -if there is no client on the other monitor to get the focus, then the
> -terminal will be unfocused but it will accept input
> -
> 
> -
> -Donald Allen reported this:
> -
> -starting emacs from dmenu in archlinux results in missing configure of 
> emacs, but mod1-space or mod1-shift-space fix this problem. this problem is 
> new and did not happen in 1.6 xorg servers
> -
> 
> -
> -voltaic reports this:
> -
> -When I use two monitors, one larger in resolution than the other, the
> -bar is drawn using the smaller x-dimension on both screens. I think
> -what's happening is that there are two bars drawn, but the short bar
> -is always on top of the long bar such that I can't see the information
> -under the short bar. If I switch to the small screen, hide the short
> -bar, and then switch to the large screen, the long bar is drawn
> -correctly.
> -
> -A similar problem occurs when I have started dwm on a small resolution
> -monitor (laptop screen) and then I switch to a large external display.
> -When I do this, the bar itself is drawn for the original smaller
> -resolution, but the information to be printed on the bar is
> -right-aligned for a longer bar. So what I see is a bar that has the
> -right hand side of it cut-off. See attached screenshot.
> -
> -I am using standard options for xrandr such as --output VGA1 --auto, etc.
> -
> 
> diff -Nru dwm-6.1/config.def.h dwm-6.2/config.def.h
> --- dwm-6.1/config.def.h  2015-11-08 23:11:48.0 +0100
> +++ dwm-6.2/config.def.h  2019-02-02 13:55:28.0 +0100
> @@ -1,20 +1,22 @@
>  /* See LICENSE file for copyright and license details. */
>  
>  /* appearance */
> -static const char *fonts[] = {
> - "monospace:size=10"
> -};
> -static const char dmenufont[]   = "monospace:size=10";
> -static const char normbordercolor[] = "#44";
> -static const char normbgcolor[] = "#22";
> -static const char normfgcolor[] = "#bb";
> -static const char selbordercolor[]  = "#005577";
> -static const char selbgcolor[]  = "#005577";
> -static const char selfgcolor[]  = "#ee";
>  static const unsigned int borderpx  = 1;/* border pixel of windows */
>  static const unsigned int snap  = 32;   /* snap pixel */
>  static const int showbar= 1;/* 0 means no bar */
>  static const int topbar = 1;/* 0 means bottom bar */
> +static const char *fonts[]  = { "monospace:size=10" };
> +static const char dmenufont[]   = "monospace:size=10";
> +static const char col_gray1[]   = "#22";
> +static const char col_gray2[]   = "#44";
> +static const char col_gray3[]   = "#bb";
> +static const char col_gray4[]   = "#ee";
> +static const char col_cyan[]= "#005577";
> +static const char *colors[][3]  = {
> + /*   fg bg border   */
> + [SchemeNorm] = { col_gray3, col_gray1, col_gray2 },
> + [SchemeSel]  = { col_gray4, col_cyan,  col_cyan  },
> +};
>  
>  /* tagging */
>  static const char *tags[] = { "1", "2", "3", "4", "5", "6", "7", "8", "9" };
> @@ -54,7 +56,7 @@
>  
>  /* commands */
>  static char dmenumon[2] = "0"; /* component of dmenucmd, manipulated in 
> spawn() */
> -static const char *dmenucmd[] = { "dmenu_run", 

Bug#995086: RFS: color-picker/1.0.2-2 -- Powerful screen color picker based on Qt

[Hugo Torres]

Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "color-picker":

 * Package name: color-picker
   Version : 1.0.2-2
   Upstream Author : https://github.com/keshavbhatt/ColorPicker/issues
 * URL : https://github.com/keshavbhatt/ColorPicker
 * License : MIT
 * Vcs : https://salsa.debian.org/debian/colorpicker
   Section : graphics

It builds those binary packages:

  color-picker - Powerful screen color picker based on Qt

To access further information about this package, please visit the following 
URL:

  https://mentors.debian.net/package/color-picker/

Alternatively, one can download the package with dget using this command:

  dget -x 
https://mentors.debian.net/debian/pool/main/c/color-picker/color-picker_1.0.2-2.dsc

Changes since the last upload:

 color-picker (1.0.2-2) unstable; urgency=medium
 .
   * debian/control: Updated Vcs-* URLs.
   * debian/upstream/io.github.keshavbhatt.color_picker.metainfo.xml:
   - Added caption tag in images.
   - Added content_rating tag.

Regards,
--
  Hugo Torres de Lima

Bug#994631: RFS: color-picker/1.0.2-1 -- Powerful screen color picker based on Qt

[Hugo Torres]

Necessary the creation of the Debian repository in Salsa.

I created the repository in my account to make the migration: 
https://salsa.debian.org/f9kill/colorpicker

--
Hugo Torres de Lima
0x365C8CEF4233E3D8

Sent with ProtonMail Secure Email.

signature.asc
Description: OpenPGP digital signature

Bug#994631: RFS: color-picker/1.0.2-1 -- Powerful screen color picker based on Qt

[Hugo Torres de Lima]

Package: sponsorship-requests
Severity: wishlist

Dear mentors,

I am looking for a sponsor for my package "color-picker":

 * Package name: color-picker
   Version : 1.0.2-1
   Upstream Author : https://github.com/keshavbhatt/ColorPicker/issues
 * URL : https://github.com/keshavbhatt/ColorPicker
 * License : MIT
 * Vcs : https://salsa.debian.org/debian/color-picker
   Section : graphics

It builds those binary packages:

  color-picker - Powerful screen color picker based on Qt

To access further information about this package, please visit the following 
URL:

  https://mentors.debian.net/package/color-picker/

Alternatively, one can download the package with dget using this command:

  dget -x 
https://mentors.debian.net/debian/pool/main/c/color-picker/color-picker_1.0.2-1.dsc

Changes since the last upload:

 color-picker (1.0.2-1) unstable; urgency=medium
 .
   * New upstream version 1.0.2
   * Upload to unstable.
   * debian/control: Bumped Standards-Version to 4.6.0.

Regards,
--
  Hugo Torres de Lima

Bug#993344: RFS: gsimplecal/2.2-3 -- lightweight GUI calendar application

[Hugo Torres de Lima]

Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "gsimplecal":

 * Package name: gsimplecal
   Version : 2.2-3
   Upstream Author : https://github.com/dmedvinsky/gsimplecal/issues
 * URL : https://dmedvinsky.github.io/gsimplecal
 * License : BSD-3-Clause
 * Vcs : https://salsa.debian.org/debian/gsimplecal
   Section : misc

It builds those binary packages:

  gsimplecal - lightweight GUI calendar application

To access further information about this package, please visit the following 
URL:

  https://mentors.debian.net/package/gsimplecal/

Alternatively, one can download the package with dget using this command:

  dget -x 
https://mentors.debian.net/debian/pool/main/g/gsimplecal/gsimplecal_2.2-3.dsc

Changes since the last upload:

 gsimplecal (2.2-3) unstable; urgency=medium
 .
   * Upload to unstable.
   * debian/copyright: Removed extra blank space.

Regards,
--
  Hugo Torres de Lima

Bug#941850: clamav: inconsistent results with "better zip bomb" reproducers

[Hugo Lefeuvre]

Hi Sebastian,

On Tue, Jun 29, 2021 at 09:57:57PM +0200, Sebastian Andrzej Siewior wrote:
> On 2019-10-07 08:41:51 [+0200], Hugo Lefeuvre wrote:
> > I have discovered this during my regression tests for the jessie update. My
> > main worry was to have broken something, I'm glad it's not the case.
> > Thanks for your time!
> 
> What do we do here?

Not sure, my Debian time is extremely reduced at the moment and I don't
think that I'll have time to try and reproduce again. When I reported the
bug it was a reproducible issue. If you have time, the right thing to do
might be to reproduce once more and bring it upstream...

Thanks!

Best,
Hugo
-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#987759: RFS: color-picker/1.0.1-1 [ITP] -- Powerful screen color picker based on Qt

[Hugo Torres]

debian/tests/control has been removed because it does not provide any
useful tests, avoiding errors with autopkgtest.


--
Hugo Torres de Lima
GPG: 4AF1 1173 DCAD 0380 CC43 A5C6 365C 8CEF 4233 E3D8

Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Sunday, May 16, 2021 3:14 AM, Adam Borowski  wrote:

> On Thu, Apr 29, 2021 at 01:02:08AM -0300, Hugo Torres de Lima wrote:
> 

> > -   Package name : color-picker
> > Version : 1.0.1-1
> > 

> 

> > color-picker (1.0.1-1) experimental; urgency=medium
> > .
> > 

> > -   Initial release (Closes: #987756)
> 

> Hi!
> The autopkgtest sometimes fails:
> autopkgtest [22:06:30]: test command1: xvfb-run -a color-picker &
> autopkgtest [22:06:30]: test command1: [---
> QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-kilobyte'
> autopkgtest [22:06:30]: test command1: ---]
> autopkgtest [22:06:30]: test command1: - - - - - - - - - - results - - - - - 
> - - - - -
> command1 FAIL stderr: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to 
> '/tmp/runtime-kilobyte'
> autopkgtest [22:06:31]: test command1: - - - - - - - - - - stderr - - - - - - 
> - - - -
> QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-kilobyte'
> autopkgtest [22:06:31]:  summary
> command1 FAIL stderr: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to 
> '/tmp/runtime-kilobyte'
> 

> But, what it is even supposed to do?
> Save from racey stderr messages from very early startup, this won't fail
> even if the package is completely broken, due to '&':
> Test-Command: false &
> succeeds. I see where you copied this from -- a bunch of GUI packages
> also have such bogus autopkgtests, but they do nothing useful. Eg.
> Test-Command: xvfb-run -a /usr/bin/gcrytsal &
> (package gnome-chemistry-utils) doesn't catch even the obvious typo.
> 

> Meow!
> 

> --
> ⢀⣴⠾⠻⢶⣦⠀ The oldest dated printed book includes the following license grant:
> ⣾⠁⢠⠒⠀⣿⡁ Reverently made for universal free distribution by Wang Jie
> ⢿⡄⠘⠷⠚⠋⠀ on behalf of his two parents on the 15th of the 4th moon of
> ⠈⠳⣄ the 9th year of Xiantong [11 May 868].



signature.asc
Description: OpenPGP digital signature

Bug#988431: RFS: open-invaders/0.3-6 [QA] -- Space Invaders clone

[Hugo Torres]

debian/tests/control has been removed because it does not provide any
useful tests, avoiding errors with autopkgtest.


--
Hugo Torres de Lima
GPG: 4AF1 1173 DCAD 0380 CC43 A5C6 365C 8CEF 4233 E3D8

Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Sunday, May 16, 2021 10:46 AM, Adam Borowski  wrote:

> On Wed, May 12, 2021 at 06:38:28PM -0300, Hugo Torres wrote:
> 

> > -   Package name : open-invaders
> > Version : 0.3-6
> > 

> 

> > Changes since the last upload:
> > open-invaders (0.3-6) experimental; urgency=medium
> > .
> > 

> > -   QA upload.
> > -   debian/control:
> > -   Added 'Rules-Requires-Root: no' to source stanza.
> > -   Added Vcs-* URLs to salsa.debian.org.
> > -   Bumped DH level format to 13.
> > -   Bumped Standards-Version to 4.5.1.
> > -   Updated homepage.
> > -   debian/copyright: Updated for format 1.0.
> > -   debian/lintian-overrides: Created for false positive.
> > -   debian/debian/open-invaders-data.docs renamed for open-invaders.docs.
> > -   debian/open-invaders.desktop: Added Keywords.
> > -   debian/patches/doc_directory_commented.patch: Created.
> > -   debian/patches/fix_ftbfs_gcc45.patch: Added header.
> > -   debian/patches/fix_pmask_amd64.patch: Added header.
> > -   debian/patches/format_security.patch: Added date in header.
> > -   debian/rules: Added the DEB_BUILD_MAINT_OPTIONS, 
> > DEB_CXXFLAGS_MAINT_APPEND,
> > DEB_CFLAGS_MAINT_APPEND and DEB_LDFLAGS_MAINT_APPEND variable
> > to improve the GCC hardening.
> > 

> > -   debian/salsa-ci.yml: Added to provide CI tests for Salsa.
> > -   debian/tests/control: Created for basic CI testing.
> > -   debian/upstream/metadata: Created.
> > -   debian/watch:
> > -   Bumped to version 4.
> > -   Updated the source address.
> 

> Alas, the autopkgtest fails -- and is bogus.
> 

> autopkgtest [15:02:01]: test command1: xvfb-run -a open-invaders &
> autopkgtest [15:02:01]: test command1: [---
> /usr/share
> ALSA lib confmisc.c:767:(parse_card) cannot find card '0'
> ALSA lib conf.c:4745:(_snd_config_evaluate) function snd_func_card_driver 
> returned error: No such file or directory
> ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
> ALSA lib conf.c:4745:(_snd_config_evaluate) function snd_func_concat returned 
> error: No such file or directory
> ALSA lib confmisc.c:1246:(snd_func_refer) error evaluating name
> ALSA lib conf.c:4745:(_snd_config_evaluate) function snd_func_refer returned 
> error: No such file or directory
> ALSA lib conf.c:5233:(snd_config_expand) Evaluate error: No such file or 
> directory
> ALSA lib pcm.c:2660:(snd_pcm_open_noupdate) Unknown PCM default
> autopkgtest [15:02:01]: test command1: ---]
> autopkgtest [15:02:01]: test command1: - - - - - - - - - - results - - - - - 
> - - - - -
> command1 FAIL stderr: ALSA lib confmisc.c:767:(parse_card) cannot find card 
> '0'
> autopkgtest [15:02:01]: test command1: - - - - - - - - - - stderr - - - - - - 
> - - - -
> ALSA lib confmisc.c:767:(parse_card) cannot find card '0'
> ALSA lib conf.c:4745:(_snd_config_evaluate) function snd_func_card_driver 
> returned error: No such file or directory
> ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
> ALSA lib conf.c:4745:(_snd_config_evaluate) function snd_func_concat returned 
> error: No such file or directory
> ALSA lib confmisc.c:1246:(snd_func_refer) error evaluating name
> ALSA lib conf.c:4745:(_snd_config_evaluate) function snd_func_refer returned 
> error: No such file or directory
> ALSA lib conf.c:5233:(snd_config_expand) Evaluate error: No such file or 
> directory
> ALSA lib pcm.c:2660:(snd_pcm_open_noupdate) Unknown PCM default
> autopkgtest [15:02:01]:  summary
> command1 FAIL stderr: ALSA lib confmisc.c:767:(parse_card) cannot find card 
> '0'
> 

> But that failure happened only due to luck. The '&' at the end stops
> most of errors from causing a failure, even "Test-Command: false &"
> succeeds.
> 

> Meow!
> 

> --
> ⢀⣴⠾⠻⢶⣦⠀ The oldest dated printed book includes the following license grant:
> ⣾⠁⢠⠒⠀⣿⡁ Reverently made for universal free distribution by Wang Jie
> ⢿⡄⠘⠷⠚⠋⠀ on behalf of his two parents on the 15th of the 4th moon of
> ⠈⠳⣄ the 9th year of Xiantong [11 May 868].



signature.asc
Description: OpenPGP digital signature

Bug#988431: Additional information

[Hugo Torres]

Necessary the creation of the Debian repository in Salsa.

I created the repository in my account to make the migration: 
https://salsa.debian.org/f9kill/open-invaders

--

Hugo Torres de Lima

GPG: 4AF1 1173 DCAD 0380 CC43 A5C6 365C 8CEF 4233 E3D8

Sent with ProtonMail Secure Email.

signature.asc
Description: OpenPGP digital signature

Bug#988431: RFS: open-invaders/0.3-6 [QA] -- Space Invaders clone

[Hugo Torres]

Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "open-invaders":

 * Package name: open-invaders
   Version : 0.3-6
   Upstream Author : Darryl LeCount 
 * URL : https://sourceforge.net/projects/open-invaders
 * License : GPL-2+
 * Vcs : https://salsa.debian.org/debian/open-invaders
   Section : games

It builds those binary packages:

  open-invaders - Space Invaders clone
  open-invaders-data - Space Invaders clone (data package)

To access further information about this package, please visit the following 
URL:

  https://mentors.debian.net/package/open-invaders/

Alternatively, one can download the package with dget using this command:

  dget -x 
https://mentors.debian.net/debian/pool/main/o/open-invaders/open-invaders_0.3-6.dsc

Changes since the last upload:

 open-invaders (0.3-6) experimental; urgency=medium
 .
   * QA upload.
   * debian/control:
   - Added 'Rules-Requires-Root: no' to source stanza.
   - Added Vcs-* URLs to salsa.debian.org.
   - Bumped DH level format to 13.
   - Bumped Standards-Version to 4.5.1.
   - Updated homepage.
   * debian/copyright: Updated for format 1.0.
   * debian/lintian-overrides: Created for false positive.
   * debian/debian/open-invaders-data.docs renamed for open-invaders.docs.
   * debian/open-invaders.desktop: Added Keywords.
   * debian/patches/doc_directory_commented.patch: Created.
   * debian/patches/fix_ftbfs_gcc45.patch: Added header.
   * debian/patches/fix_pmask_amd64.patch: Added header.
   * debian/patches/format_security.patch: Added date in header.
   * debian/rules: Added the DEB_BUILD_MAINT_OPTIONS, DEB_CXXFLAGS_MAINT_APPEND,
   DEB_CFLAGS_MAINT_APPEND and DEB_LDFLAGS_MAINT_APPEND variable
   to improve the GCC hardening.
   * debian/salsa-ci.yml: Added to provide CI tests for Salsa.
   * debian/tests/control: Created for basic CI testing.
   * debian/upstream/metadata: Created.
   * debian/watch:
   - Bumped to version 4.
   - Updated the source address.

Regards,
--
  Hugo Torres de Lima

Bug#987759: RFS: color-picker/1.0.1-1 [ITP] -- Powerful screen color picker based on Qt

[Hugo Torres]

Necessary the creation of the Debian repository in Salsa.

I created the repository in my account to make the migration: 
https://salsa.debian.org/f9kill/colorpicker

--
Hugo Torres de Lima
GPG: 4AF1 1173 DCAD 0380 CC43 A5C6 365C 8CEF 4233 E3D8

Sent with ProtonMail Secure Email.

signature.asc
Description: OpenPGP digital signature

Bug#987759: RFS: color-picker/1.0.1-1 [ITP] -- Powerful screen color picker based on Qt

[Hugo Torres de Lima]

Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "color-picker":

 * Package name: color-picker
   Version : 1.0.1-1
   Upstream Author : https://github.com/keshavbhatt/ColorPicker/issues
 * URL : https://github.com/keshavbhatt/ColorPicker
 * License : MIT
 * Vcs : https://salsa.debian.org/debian/color-picker
   Section : graphics

It builds those binary packages:

  color-picker - Powerful screen color picker based on Qt

To access further information about this package, please visit the following 
URL:

  https://mentors.debian.net/package/color-picker/

Alternatively, one can download the package with dget using this command:

  dget -x 
https://mentors.debian.net/debian/pool/main/c/color-picker/color-picker_1.0.1-1.dsc

Changes for the initial release:

 color-picker (1.0.1-1) experimental; urgency=medium
 .
   * Initial release (Closes: #987756)

Regards,
--
  Hugo Torres de Lima

Bug#987756: ITP: color-picker -- Powerful screen color picker based on Qt

[Hugo Torres de Lima]

Package: wnpp
Severity: wishlist
Owner: Hugo Torres de Lima 

* Package name: color-picker
  Version : 1.0.1
  Upstream Author : Keshav Bhatt 
* URL : https://github.com/keshavbhatt/ColorPicker
* License : MIT
  Programming Lang: C++
  Description : Powerful screen color picker based on Qt

 Colour picker and colour editor for web designers and digital
 artists, With Color Picker, identifying the colours, saving and
 editing is a quick and simple job.
 .
 Color Picker features include:
 .
 Five formats of colour codes: HTML, HexRGBA, RGB, HSB/HSV, CMYK
 and their variations. Conversion of HTML, HEX and RGB colour codes
 into the corresponding colours.
 .
 Colour picker for easy handling and greater precision.
 .
 Colour list for saving and reusing the picked colour samples for
 each picked colour.
 .
 Support Switching three themes - System theme, Flat Light theme
 and Dark theme.

Bug#986314: RFS: gsimplecal/2.1-2 [QA] -- lightweight GUI calendar application

[Hugo Torres]

Hi Giovani.

Made the recommended changes.

--
Hugo Torres de Lima
GPG key: 4AF1 1173 DCAD 0380 CC43 A5C6 365C 8CEF 4233 E3D8

Sent with ProtonMail Secure Email.

signature.asc
Description: OpenPGP digital signature

Bug#986777: RFS: ink/0.5.3-2 [QA] -- tool for checking the ink level of your local printer

[Hugo Torres de Lima]

Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "ink":

 * Package name: ink
   Version : 0.5.3-2
   Upstream Author : Markus Heinz 
 * URL : http://ink.sourceforge.net/
 * License : GPL-2
 * Vcs : https://salsa.debian.org/debian/ink
   Section : admin

It builds those binary packages:

  ink - tool for checking the ink level of your local printer

To access further information about this package, please visit the following 
URL:

  https://mentors.debian.net/package/ink/

Alternatively, one can download the package with dget using this command:

  dget -x https://mentors.debian.net/debian/pool/main/i/ink/ink_0.5.3-2.dsc

Changes since the last upload:

 ink (0.5.3-2) experimental; urgency=medium
 .
   * QA upload.
   * debian/control:
   - Bumped DH level format to 13.
   - Bumped Standards-Version to 4.5.1.
   * debian/copyright:
   - Added Upstream-Contact.
   - Updated license order.
   - Updated upstream and packaging copyright years.
   * debian/ink.lintian-overrides: Added for false positive about
   spelling-error-in-binary.
   * debian/rules:
   - Removed comments.
   - Updated DEB_LDFLAGS_MAINT_APPEND and added DEB_CFLAGS_MAINT_APPEND
 variable to improve the GCC hardening.
   * debian/salsa-ci.yml: Added to provide CI tests for Salsa.
   * debian/tests/control: Created for basic CI testing.
   * debian/upstream/metadata: Created.
   * debian/watch:
   - Bumped to version 4.
   - Updated the source address.

Regards,
-- 
  Hugo Torres de Lima

Bug#986314: RFS: gsimplecal/2.1-2 [QA] -- lightweight GUI calendar application

[Hugo Torres]

Thanks for the answer.

  - Links vcs- * Updated for salsa.
  - Version of software updated.

Necessary for the creation of the Debian repository in Salsa.

I created the repository in my account to make the migration:
https://salsa.debian.org/f9kill/gsimplecal



--
Hugo Torres de Lima
GPG key: 4AF1 1173 DCAD 0380 CC43 A5C6 365C 8CEF 4233 E3D8

Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
Em sábado, abril 3, 2021 2:04 PM, Andreas Ronnquist  
escreveu:

> On Fri, 02 Apr 2021 17:58:45 -0300,
> Hugo Torres de limahugotor...@protonmail.com wrote:
> 

> > Package: sponsorship-requests
> > Severity: normal
> > Dear mentors,
> > I am looking for a sponsor for my package "gsimplecal":
> > 

> > -   Package name : gsimplecal
> > Version : 2.1-2
> > Upstream Author : https://github.com/dmedvinsky/gsimplecal/issues
> > 

> > -   URL : https://dmedvinsky.github.io/gsimplecal
> > -   License : BSD-3-Clause
> > -   Vcs :
> > http://anonscm.debian.org/cgit/collab-maint/gsimplecal.git Section
> > : misc
> > 

> > 

> > It builds those binary packages:
> > gsimplecal - lightweight GUI calendar application
> > To access further information about this package, please visit the
> > following URL:
> > https://mentors.debian.net/package/gsimplecal/
> 

> -- 8< --
> 

> There seems to be changes in salsa, which has updated the Vcs-*-fields,
> while yours are still pointing to alioth.
> 

> https://salsa.debian.org/jmsrdebian/gsimplecal/-/blob/debian/master/debian/changelog
> 

> Also, there seems to be an upstream 2.2 available from February, which
> could be nice to package.
> 

> -- Andreas Rönnquist
> mailingli...@gusnan.se
> gus...@debian.org



signature.asc
Description: OpenPGP digital signature

Bug#986314: RFS: gsimplecal/2.1-2 [QA] -- lightweight GUI calendar application

[Hugo Torres de Lima]

Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "gsimplecal":

 * Package name: gsimplecal
   Version : 2.1-2
   Upstream Author : https://github.com/dmedvinsky/gsimplecal/issues
 * URL : https://dmedvinsky.github.io/gsimplecal
 * License : BSD-3-Clause
 * Vcs : http://anonscm.debian.org/cgit/collab-maint/gsimplecal.git
   Section : misc

It builds those binary packages:

  gsimplecal - lightweight GUI calendar application

To access further information about this package, please visit the following 
URL:

  https://mentors.debian.net/package/gsimplecal/

Alternatively, one can download the package with dget using this command:

  dget -x 
https://mentors.debian.net/debian/pool/main/g/gsimplecal/gsimplecal_2.1-2.dsc

Changes since the last upload:

 gsimplecal (2.1-2) experimental; urgency=medium
 .
   * QA upload.
   * Using new DH level format. Consequently:
   - debian/compat: Removed.
   - debian/control: Changed from 'debhelper' to 'debhelper-compat' in
 Build-Depends field and bumped level to 13.
   * debian/control:
   - Added 'Rules-Requires-Root: no' to source stanza.
   - Bumped Standards-Version to 4.5.1.
   - Changed priority to optional.
   - Removed the dh-autoreconf from Build-Depends field.
   - Updated homepage.
   * debian/copyright:
   - Added Upstream-Contact.
   - Updated upstream and packaging copyright years.
   - Using a secure URI in Format field.
   * debian/docs: Added document README.rst.
   * debian/rules: Added the DEB_CXXFLAGS_MAINT_APPEND and
   DEB_LDFLAGS_MAINT_APPEND variable to improve the GCC
   hardening.
   * debian/upstream/metadata: Created.
   * debian/watch:
   - Bumped to version 4.
   - Updated the source address.

Regards,
-- 
  Hugo Torres de Lima

Bug#945317: xcftools NMU for CVE-2019-5086 and CVE-2019-5087

[Hugo Lefeuvre]

Hi Salvatore and Markus,

On Thu, Feb 11, 2021 at 06:32:42AM +0100, Salvatore Bonaccorso wrote:
[...]
> On Thu, Feb 11, 2021 at 03:03:19AM +0100, Markus Koschany wrote:
> [...]
> > Am Mittwoch, den 10.02.2021, 22:03 +0100 schrieb Salvatore Bonaccorso:
> > [...]
> > > 
> > > I'm not fully in favor to have all the (build-)rdeps forced out of
> > > Debian, that would likely not be a benefit as seems unfair to the
> > > castle-game-engine, game-data-packager and neurodebian packages, but
> > > still think having out xcftools out of bullseye would be the right
> > > thing.
> > > 
> > 
> > I believe it makes sense to remove xcftools from Debian because there is a 
> > lack
> > of upstream support and development but I wouldn't be too aggressive about 
> > the
> > removal at the moment. My intention is to send a patch to fix the open CVE 
> > in
> > stable to you when we have addressed the remaining 32 bit issues.
> 
> Yes that sounds fine. Admittely it was for us in dsa-needed only
> because Hugo initially aimed to adress it across all suites top-down.
> It might just be an option to include a fix once it is stable enough
> via a point release. But we can look at it once you have a fix as well
> for the 32bit issues.
> 
> So thanks for working on it!

Thanks from my part too! Unfortunately I am struggling to find
time for Debian currently. I makes me feel bad, and I hope that I
will be able to come back soon.

Do you know if xcftools is only used as a build dependency, or is
it used by some end users directly? The popcon is not that low
and my fear is that, even after removing it from Debian, users
would continue to use it, installing from somewhere else,
effectively being at even higher risk than with the Debian
archive's (semi-) patched version.

Of course if we can't offer any support I guess it's still better
to get rid of it than giving a false impression of
support/security.

Best,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#982162: msmtp: cannot read custom aliases file (Permission denied)

[Hugo Villeneuve]

Source: msmtp
Version: 1.8.3
Severity: normal

Dear Maintainer,
when specifying a custom aliases file in /etc/msmtprc configuration file like 
this:

aliases   /etc/aliases.msmtp

msmtp returns the following error:

$> echo -e "foo" | msmtp -t postmaster
msmtp: /etc/aliases.msmtp: Permission denied

Here are the permissions of the file:
$> ls -al /etc/aliases.msmtp
-rw-r--r-- 1 root root  75 Feb  6 21:44 /etc/aliases.msmtp

Here is the dmesg output that I observed that seems to indicate it is a problem 
with AppArmor (which I know nothing about):

[1051574.267096] audit: type=1400 audit(1612667641.178:68): apparmor="DENIED" 
operation="open" profile="/usr/bin/msmtp" name="/etc/aliases.msmtp" pid=17563 
comm="sendmail" requested_mask="r" denied_mask="r" fsuid=0 ouid=0


-- System Information:
Debian Release: 10.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-9-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Bug#964627: fractgen: diff for NMU version 2.1.5-1.1

[Hugo Lefeuvre]

Hi Adrian,

On Fri, Feb 05, 2021 at 10:03:43AM +0200, Adrian Bunk wrote:
> Control: tags 964627 + patch
> Control: tags 964627 + pending
> 
> Dear maintainer,
> 
> I've prepared an NMU for fractgen (versioned as 2.1.5-1.1) and uploaded 
> it to DELAYED/1. Please feel free to tell me if I should cancel it.

Thank you very much for this NMU. I am completely overloaded with work
currently and could not find time to handle this. Feel free to upload to
unstable right away!

Best Regards,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#964627: fractgen: FTBFS: colorschemeinterface.cc

[Hugo Lefeuvre]

Hi Lucas,

thanks a lot for this bug report. I will do my best to sort this out during
the week-end.

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

debian-bugs-dist@lists.debian.org

[Victor Hugo Sánchez Gracida]

https://drive.google.com/file/d/10LwSnTSEk4fe6OrS8cl3kpiyLeLSzQLQ/view?usp=drivesdk

Enviado desde Outlook Mobile

Bug#958981: ITP: xreader -- A generic document reader

[Hugo Ziviani]

Package: wnpp
Severity: wishlist

Starting working on the packing for xreader.
Available on: (https://github.com/linuxmint/xreader)

hugoziviani

Bug#952769: isc-dhcp-client: Package "isc-dhcp-client" is not installable in the Debian SID PowerPC Port. Unmet dependencies: "libdns1107" and "libisc1104"

[Hugo Melder]

Package: isc-dhcp-client
Version: 4.4.1-2.1
Severity: grave
Tags: d-i a11y
Justification: renders package unusable



-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: PowerPC

Kernel: Linux 5.4.0-4-amd64 (SMP w/16 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages isc-dhcp-client depends on:
ii  debianutils4.9.1
ii  iproute2   5.5.0-1
ii  libc6  2.29-10
ii  libdns-export1107  1:9.11.14+dfsg-3
ii  libisc-export1104  1:9.11.14+dfsg-3

Versions of packages isc-dhcp-client recommends:
ii  isc-dhcp-common  4.4.1-2.1

Versions of packages isc-dhcp-client suggests:
pn  avahi-autoipd 
pn  isc-dhcp-client-ddns  
pn  resolvconf

-- no debconf information

Bug#951453: RFS: pysolfc/2.6.4-3 -- collection of more than 1000 solitaire card games

[Hugo Lefeuvre]

Hi,

thanks for your contribution, this should be in unstable by tonight.

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#907635: add .apk as file extension for jar and jarsigner #907635

[Hugo Ziviani]

Hello, I’m Hugo, and I would like to take this correction (#907635). 
I think this is not exactly a bug. 
Could anyone give-me more information if I start upstream or I can start from 
here downstream. 
Thanks, 
Hugo 

Bug#907635: add .apk as file extension for jar and jarsigner

[Hugo Ziviani]

Hello, I’m Hugo, and I would like to take this correction (#907635).
I think this is not exactly a bug.
Could anyone give-me more information if I start upstream or I can start from 
here downstream.
Thanks,
Hugo

___
ERROR Related:
Package: bash-completion
Version: 1:2.8-1

Android APK files are officially defined as JAR files with JAR
signatures.  An APK _must_ have a JAR signature to be considered a valid
APK.  JAR signatures in Android land are known as "v1 signatures", there
is now v2 and v3 signatures which are still compatible with JAR, but not
verified or created by JAR tools.

I would really love to see `jarsigner` and `jar` do proper completion
for .apk files.

Bug#942763: python-reportlab: CVE-2019-17626: remote code execution in colors.py

[Hugo Lefeuvre]

Hi,

a fix was recently published for this issue. I am concerned that it might
no be fit for a DSA/DLA:

(1) upstream imported a number of snippets from ZPL licensed projects. I
don't think it respected the ZPL terms.

(2) the changes are large and hard to review. Pretending that these changes
address the vulnerability completely would be a little bit presumptuous.

Furthermore, the code imported from Zope provides "safe" evaluation of
Python code. This kind of code is complex, and prone to security
vulnerabilities and bugs. There are definitely regressions in there.

I have asked upstream regarding the licensing issue. For the rest, I think
we should wait for followups, or possibly a better patch.

Any comments/advice?

cheers,
Hugo

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#947374: cacti: CVE-2019-17357: does not seem to affect stretch

[Hugo Lefeuvre]

> > rationale: template_id is sanitized at line 1048:
> > input_validate_input_number(get_request_var_request("template_id"));
> […]
> > Chris: you worked on cacti in jessie and triaged it not-affected. Jessie
> > has a similar version, does this match your findings?
> 
> Ah yes; well-spotted. :)

Ack, same for stretch in the end. :)

BTW, there is a confusion in the jessie update, the changelog says it fixes
CVE-2019-17357 and the patch is called CVE-2019-17357.patch, but the
actual CVE being fixed is CVE-2019-17358, not CVE-2019-17357.

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#947374: cacti: CVE-2019-17357: does not seem to affect stretch

[Hugo Lefeuvre]

Hi,

after taking a look at the source code, this vulnerability does not seem to
affect cacti 0.8.8h+ds1-10 (stretch).

rationale: template_id is sanitized at line 1048:
input_validate_input_number(get_request_var_request("template_id"));

This check was replaced over time and gradually disappeared, which explains
the security issue in recent versions.

Chris: you worked on cacti in jessie and triaged it not-affected. Jessie
has a similar version, does this match your findings?

Just to make sure, I contacted upstream to get reproduction instructions
before I triage this not-affected in stretch in the tracker.

cheers,
Hugo

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#945265: new upstream version 0.102.1 to fix CVE-2019-15961

[Hugo Lefeuvre]

Hi Sebastian,

I see that your work migrated to testing, and wondered...  are you still
intending to prepare updates for stretch and buster? Is there anything I
can do to help you?

thanks for your work!

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#942575: buster-pu: package openjpeg2/2.3.0-2+deb10u1

[Hugo Lefeuvre]

Hi,

On Fri, Nov 08, 2019 at 09:56:53PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Fri, 2019-10-18 at 13:23 +0200, Hugo Lefeuvre wrote:
> > as discussed in #939553[0], no DSA will be issued by the security
> > team for CVE-2018-21010 and this vulnerability can be fixed via -pu.
> > The attached debdiff addresses this issue, along with CVE-2018-20847.
> 
> Please go ahead; thanks.

for some reason, I completely forgot about this. done.

thanks!

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#870273: imagemagick: regression in 8:6.8.9.9-5+deb8u10

[Hugo Lefeuvre]

> Looks like I found the issue:
> 
> 0224-Ensure-token-does-not-overflow.patch corresponds to [0]. This patch
> was meant for ImageMagick 7.x, not 6.x. The correct patch is [1] (the one
> used in stretch).
> 
> This will be fixed in the next security update.

Not completely true. After spending some more time on this issue, I found
out that the following three patches are missing in jessie:

https://github.com/ImageMagick/ImageMagick6/commit/fc8ccba0f20ca330d959fcbb17a791e5b52ac53e
https://github.com/ImageMagick/ImageMagick6/commit/7573b8712697a3d34143eb3e6ea814287cc4c6a7
https://github.com/ImageMagick/ImageMagick6/commit/4cc316818e5b841ff5a9394a0730d5be6e8686ce

backporting them is sufficient to fix the issue.

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#870273: imagemagick: regression in 8:6.8.9.9-5+deb8u10

[Hugo Lefeuvre]

> I'm working on imagemagick on behalf of the Debian LTS team and just
> noticed this bug report.
> 
> I have reproduced this issue in jessie, and can confirm that this
> regression is still present in 8:6.8.9.9-5+deb8u18.  I can also confirm
> that the regression was introduced between patch 0224 and 0227.
> 
> I'll try to ship a patch for this along with the next jessie update.

Looks like I found the issue:

0224-Ensure-token-does-not-overflow.patch corresponds to [0]. This patch
was meant for ImageMagick 7.x, not 6.x. The correct patch is [1] (the one
used in stretch).

This will be fixed in the next security update.

cheers,
Hugo

[0] 
https://github.com/ImageMagick/ImageMagick/commit/4b85d29608d5bc0ab641f49e80b6cf8965928fb4
[1] 
https://github.com/ImageMagick/ImageMagick6/commit/663e70e90257797f4634ea8dd4a31e0947d1f266

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#870273: imagemagick: regression in 8:6.8.9.9-5+deb8u10

[Hugo Lefeuvre]

Hi,

I'm working on imagemagick on behalf of the Debian LTS team and just
noticed this bug report.

I have reproduced this issue in jessie, and can confirm that this
regression is still present in 8:6.8.9.9-5+deb8u18.  I can also confirm
that the regression was introduced between patch 0224 and 0227.

I'll try to ship a patch for this along with the next jessie update.

regards,
Hugo

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214

[Hugo Lefeuvre]

> thanks for your valuable work on this bug!
> Yes, I can prepare update on 30-31st of December.

that would be great, thanks! :-)

cheers,
Hugo

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214

[Hugo Lefeuvre]

> Sounds like a sensible plan, if we are going to release updates as
> well for stretch and buster, so that there is not "regression" (I mean
> timewise, in case upstream will not land a new version) for buster ->
> bullseye updates.

Agree! Anton, do you think you could handle this update in unstable?  I'd
love to help, but my Debian time is somewhat limited currently...

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214

[Hugo Lefeuvre]

Hi,

> As there will not be a fix for all CVEs in one go, let's split the bug
> for the benefit of tracking the fixes. CVE-2019-12211 and
> CVE-2019-12213  have the same upstream change, so will clone this into
> three.

thanks Salvatore!

regarding CVE-2019-12213 and CVE-2019-12211 in unstable: I have asked
upstream about his plans to release 3.18.1 but did not receive any answer
yet.  I suppose that we should cherry pick the patch if we want a quick
fix.

cheers,
Hugo

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214

[Hugo Lefeuvre]

Hi,

small update:

I have updated jessie with the cherry picked patch for CVE-2019-12213 and
CVE-2019-12211.

I have contacted upstream to know when he is planning to release 3.18.1 so
that we can get this fixed in testing without cherry picking.

I am currently testing stretch and buster updates with the cherry picked
patch.

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#945265: new upstream version 0.102.1 to fix CVE-2019-15961

[Hugo Lefeuvre]

Dear clamav maintainers,

are you planning to address this in stretch/buster via -updates?  I can
provide some help if needed (and make sure this gets backported to
jessie-security).

thanks!

regards,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#929597: [PATCH] CVE-2019-12211: heap buffer overflow via memcpy

[Hugo Lefeuvre]

Hi,

Upstream seems to have merged my patch along with some more changes
regarding CVE-2019-12213[0].

I am planning to take a look at this patch and release a DLA for jessie.

The security team is also planning to release a DSA for stretch and buster.
I am already working on a jessie upload, so I should also be able to handle
stretch and buster.  Anton, you know this package better than me, would you
be available to test the update?

thanks!

regards,
Hugo

[0] https://sourceforge.net/p/freeimage/svn/1825/

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#942514: CVE-2019-16729 fixed in 1.0.4-1.1+deb8u1

[Hugo Lefeuvre]

fixed 942514 1.0.4-1.1+deb8u1
thanks

Hi Russell,

thanks for preparing this update. I just became aware of this and noticed
that no DLA was released. In fact, neither the bug tracker nor the security
tracker are aware of this issue being fixed.

Releasing DLA-2000-1 for this, updating the bug tracker as well.

regards,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#929597: [PATCH] CVE-2019-12211: heap buffer overflow via memcpy

[Hugo Lefeuvre]

Hi Anton,

> Thanks, Hugo, for analyzing the issue in details and proposing the fix.
> 
> Do you want to add the patch into the corresponding forum-thread
> in freeimage website?

yes, I have just forwarded my message to the SF thread. Let's hope upstream
will find some time to take a look at it.

cheers,
Hugo

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#940575: RFS: fortran-language-server/1.10.2-1 [ITP] -- Fortran Language Server for the Language Server Protocol

[Hugo Lefeuvre]

Hi Denis,

I did a few minor changes and uploaded.

Upstream published 1.10.3 recently, you might want to package it.
No need to open RFSs in the future, just send me an e-mail.

Please, don't forget to update upstream and pristine-tar branches/to push
them. :)

I will close this bug once ftpmasters have accepted the package.

cheers,
Hugo

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#936214: bleachbit: Python2 removal in sid/bullseye

[Hugo Lefeuvre]

Hi Matthias,

I see that you just raised the severity of this bug to serious, and
Bleachbit is now to be removed on 16.11.

I don't think this is the way to go. Upstream is actively working on this.
We have recently managed the GTK3 migration, meaning that Py3 is now top
priority.  Loosing Bleachbit would be a significant source of annoyance for
many Debian users (popcon 2754 at the moment).

May I add the py2keep flag, until the Bleachbit Py3 migration completes?

regards,
Hugo

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#885261: bleachbit: Depends on unmaintained pygtk

[Hugo Lefeuvre]

Hi,

> It seems that, while a Python 3 version is not yet available, upstream has
> released version 3.0, which brings new features and fixes and transitions to
> GTK3, which would be a step to the right direction, since a version with
> full Python 3 is not yet ready by upstream (but they seem to be working on
> it).
> 
> It would be super nice to have this new version packaged from a user's
> perspective and, also, from an archive/distribution/removal perspective
> also.

thanks for the heads up. 3.0 will be in the archive asap, I'm working on it.

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#929597: [PATCH] CVE-2019-12211: heap buffer overflow via memcpy

[Hugo Lefeuvre]

Hi,

The overflow happens during the following call to memcpy:

// convert to strip
if(x + tileWidth > width) {
src_line = imageRowSize - rowSize;
} else {
src_line = tileRowSize;
}
BYTE *src_bits = tileBuffer;
BYTE *dst_bits = bits + rowSize;
for(int k = 0; k < nrows; k++) {
memcpy(dst_bits, src_bits, src_line);
src_bits += tileRowSize;
dst_bits -= dst_pitch;
}

This portion of code copies image data from a libTIFF-provided buffer to an
internal buffer. The overflow happens because src_line is larger than the
size of dst_bits.

This is the result of an inconsistency between libTIFF and freeimage:

In the libTIFF case, tile row size is
= samplesperpixel * bitspersample * tilewidth / 8
= bitsperpixel * tilewidth / 8
= 6 * 32 * 7 / 8 = 168

In the freeimage case, tile row size is
bitsperpixel * tilewidth / 8
= 32 * 7 / 8 = 28

As a result, the two buffers are differently sized.

freeimage has a bpp of 32 because CreateImageType calls
FreeImage_AllocateHeader with MIN(bpp, 32).

This 'MIN(bpp, 32)' looks like a terrible hack to me, but we can't change
it to 'bpp' because FIT_BITMAP images with bpp > 32 does not seem to be
supported by freeimage. Also, in this case, bpp > 32 doesn't even make
sense:

Looking closely at the reproducer, we can notice that it defines a bilevel
image with samplesperpixel and bitspersample parameters, both unexpected in
bilevel images.

Pixels in bilevel images can either be black or white. There is as such
only one sample per pixel, and a single bit per sample is sufficient.  The
spec defines bpp = 8. It is unclear whether the specification allows for
arbitrary values of bitspersample or samplesperpixel (extrasamples?) in
this case.

This file gets rejected by most libTIFF tools.

# patch

+ add check to CreateImageType() to reject FIT_BITMAP images with bpp > 32
  instead of passing MIN(bpp, 32).
+ change type of dst_pitch to unsigned
+ call memcpy with MIN(dst_pitch, src_line) instead of src_line. this will
  help overcome any further (future) discrepancy between libTIFF and
  freeimage.

# tests

I have tested for regressions with the following samples, using a modified
version of Examples/Linux/linux-gtk.c:

http://www.simplesystems.org/libtiff/images.html

During these tests, I found other issues with bilevel images, unrelated to
this patch. I will try to take a look at them in the future.

I can provide additional explanations if there is anything unclear.

I'd like to get this patch peer-reviewed/merged upstream before shipping
it in a Debian release.

regards,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
Description: fix heap buffer overflow when bpp > 32 and fit == FIT_BITMAP
 + add check to CreateImageType() to reject FIT_BITMAP images with bpp > 32
   instead of passing MIN(bpp, 32).
 + change type of dst_pitch to unsigned.
 + call memcpy with MIN(dst_pitch, src_line) instead of src_line. this will
   help overcome any further (future) discrepancy between libTIFF and
   freeimage.
Author: Hugo Lefeuvre 
Bug-Debian: https://bugs.debian.org/929597
--- a/Source/FreeImage/PluginTIFF.cpp	2019-10-26 14:21:39.329052757 +0200
+++ b/Source/FreeImage/PluginTIFF.cpp	2019-10-26 15:03:18.597957090 +0200
@@ -461,8 +461,12 @@
 			
 		}
 		else {
+			if(bpp > 32) {
+// check for malicious images
+return NULL;
+			}
 
-			dib = FreeImage_AllocateHeader(header_only, width, height, MIN(bpp, 32), FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
+			dib = FreeImage_AllocateHeader(header_only, width, height, bpp, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
 		}
 
 
@@ -2041,7 +2045,7 @@
 }
 
 // calculate src line and dst pitch
-int dst_pitch = FreeImage_GetPitch(dib);
+unsigned int dst_pitch = FreeImage_GetPitch(dib);
 uint32 tileRowSize = (uint32)TIFFTileRowSize(tif);
 uint32 imageRowSize = (uint32)TIFFScanlineSize(tif);
 
@@ -2071,7 +2075,7 @@
 		BYTE *src_bits = tileBuffer;
 		BYTE *dst_bits = bits + rowSize;
 		for(int k = 0; k < nrows; k++) {
-			memcpy(dst_bits, src_bits, src_line);
+			memcpy(dst_bits, src_bits, MIN(dst_pitch, src_line));
 			src_bits += tileRowSize;
 			dst_bits -= dst_pitch;
 		}


signature.asc
Description: PGP signature

Bug#942763: python-reportlab: CVE-2019-17626: remote code execution in colors.py

[Hugo Lefeuvre]

Source: python-reportlab
Version: 3.5.28-1
Severity: important
Tags: security upstream
Forwarded: 
https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code

Hi,

python-reportlab is affected by the following vulnerability:

CVE-2019-17626[0]: "ReportLab through 3.5.26 allows remote code execution
because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted
XML document with 'https://security-tracker.debian.org/tracker/CVE-2019-17626

regards,
Hugo

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C



signature.asc
Description: PGP signature

Bug#942578: CVE-2019-17540: heap-based buffer overflow in ReadPSInfo in coders/ps.c

[Hugo Lefeuvre]

FTR: Dirk Lemstra confirmed that those four commits correspond to the fixes
for CVE-2019-17540.

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#942578: imagemagick: CVE-2019-17540: heap-based buffer overflow in ReadPSInfo in coders/ps.c

[Hugo Lefeuvre]

Source: imagemagick
Version: 8:6.9.10.23+dfsg-2.1
Severity: important

Hi,

imagemagick is affected by CVE-2019-17540, a heap-based buffer overflow in
ReadPSInfo in coders/ps.c.

There are very few information online regarding this vulnerability. I had a
look and found the following four commits:

https://github.com/ImageMagick/ImageMagick/commit/668d6a970553a94b0a2e378afda1d37abac94b5c
https://github.com/ImageMagick/ImageMagick/commit/9667a9034a5eeedb30dfb18cfd1083ff32fd679b
https://github.com/ImageMagick/ImageMagick/commit/73dd03cfb57f8f8c0a732fa062b9966ec7bf2f91
https://github.com/ImageMagick/ImageMagick/commit/e868e227085463932c5db32e5e0f27e306a0eb95

this looks like what we are searching for; a buffer overflow WRITE of size
1 in ReadPSInfo. I will contact Dirk Lemstra and ask for more information.

regards,
Hugo

[0] https://security-tracker.debian.org/tracker/CVE-2019-17540

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C



signature.asc
Description: PGP signature

Bug#942575: buster-pu: package openjpeg2/2.3.0-2+deb10u1

[Hugo Lefeuvre]

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Dear release managers,

as discussed in #939553[0], no DSA will be issued by the security team for
CVE-2018-21010 and this vulnerability can be fixed via -pu. The attached
debdiff addresses this issue, along with CVE-2018-20847.

This is almost the same debdiff as #942024[1] (for stretch-pu).

thanks!

cheers,
Hugo

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939553
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942024

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru openjpeg2-2.3.0/debian/changelog openjpeg2-2.3.0/debian/changelog
--- openjpeg2-2.3.0/debian/changelog2019-03-10 18:34:51.0 +0100
+++ openjpeg2-2.3.0/debian/changelog2019-10-17 14:48:09.0 +0200
@@ -1,3 +1,14 @@
+openjpeg2 (2.3.0-2+deb10u1) buster; urgency=high
+
+  * Backport security fixes:
+  * CVE-2018-21010: heap buffer overflow in color_apply_icc_profile
+(Closes: #939553).
+  * CVE-2018-20847: improper computation of values in the function
+opj_get_encoding_parameters, leading to an integer overflow
+(Closes: #931294).
+
+ -- Hugo Lefeuvre   Thu, 17 Oct 2019 14:48:09 +0200
+
 openjpeg2 (2.3.0-2) unstable; urgency=high
 
   [ Hugo Lefeuvre ]
diff -Nru openjpeg2-2.3.0/debian/patches/CVE-2018-20847.patch 
openjpeg2-2.3.0/debian/patches/CVE-2018-20847.patch
--- openjpeg2-2.3.0/debian/patches/CVE-2018-20847.patch 1970-01-01 
01:00:00.0 +0100
+++ openjpeg2-2.3.0/debian/patches/CVE-2018-20847.patch 2019-10-17 
14:43:51.0 +0200
@@ -0,0 +1,40 @@
+Description: fix integer overflow in opj_get_encoding_parameters
+ This bug is known at three places in the source code:
+ opj_get_all_encoding_parameters() and opj_tcd_init_tile() in pi.c and tcd.c
+ (both fixed _before_ the release of 2.1.2), and opj_get_encoding_parameters()
+ in pi.c. This patch addresses the issue in opj_get_encoding_parameters().
+Author: Young_X 
+Origin: upstream, https://github.com/uclouvain/openjpeg/commit/c58df149900df862
+--- a/src/lib/openjp2/pi.c 2019-10-17 14:41:15.997977749 +0200
 b/src/lib/openjp2/pi.c 2019-10-17 14:43:46.276679721 +0200
+@@ -748,6 +748,9 @@
+ /* position in x and y of tile */
+ OPJ_UINT32 p, q;
+ 
++/* non-corrected (in regard to image offset) tile offset */
++OPJ_UINT32 l_tx0, l_ty0;
++
+ /* preconditions */
+ assert(p_cp != 00);
+ assert(p_image != 00);
+@@ -763,14 +766,12 @@
+ q = p_tileno / p_cp->tw;
+ 
+ /* find extent of tile */
+-*p_tx0 = opj_int_max((OPJ_INT32)(p_cp->tx0 + p * p_cp->tdx),
+- (OPJ_INT32)p_image->x0);
+-*p_tx1 = opj_int_min((OPJ_INT32)(p_cp->tx0 + (p + 1) * p_cp->tdx),
+- (OPJ_INT32)p_image->x1);
+-*p_ty0 = opj_int_max((OPJ_INT32)(p_cp->ty0 + q * p_cp->tdy),
+- (OPJ_INT32)p_image->y0);
+-*p_ty1 = opj_int_min((OPJ_INT32)(p_cp->ty0 + (q + 1) * p_cp->tdy),
+- (OPJ_INT32)p_image->y1);
++l_tx0 = p_cp->tx0 + p * p_cp->tdx; /* can't be greater than p_image->x1 
so won't overflow */
++*p_tx0 = (OPJ_INT32)opj_uint_max(l_tx0, p_image->x0);
++*p_tx1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_tx0, p_cp->tdx), 
p_image->x1);
++l_ty0 = p_cp->ty0 + q * p_cp->tdy; /* can't be greater than p_image->y1 
so won't overflow */
++*p_ty0 = (OPJ_INT32)opj_uint_max(l_ty0, p_image->y0);
++*p_ty1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_ty0, p_cp->tdy), 
p_image->y1);
+ 
+ /* max precision is 0 (can only grow) */
+ *p_max_prec = 0;
diff -Nru openjpeg2-2.3.0/debian/patches/CVE-2018-21010.patch 
openjpeg2-2.3.0/debian/patches/CVE-2018-21010.patch
--- openjpeg2-2.3.0/debian/patches/CVE-2018-21010.patch 1970-01-01 
01:00:00.0 +0100
+++ openjpeg2-2.3.0/debian/patches/CVE-2018-21010.patch 2019-10-17 
14:34:45.0 +0200
@@ -0,0 +1,26 @@
+Description: color_apply_icc_profile: avoid potential heap buffer overflow 
+ This patch addresses CVE-2018-21010. It differs slightly from upstream's
+ patch in that we avoid whitespace refactoring and complex nested ifs.
+Author: Even Rouault , Hugo Lefeuvre 

+Origin: upstream, https://github.com/uclouvain/openjpeg/commit/2e5ab1d9987831c9
+--- a/src/bin/common/color.c   2019-10-17 14:33:21.021771909 +0200
 b/src/bin/common/color.c   2019-10-17 14:34:39.397137223 +0200
+@@ -597,6 +597,18 @@
+ }
+ 
+ if (image->numcomps > 2) { /* RGB, RGBA */
++
++  if (!(image->comps[0].w == image->comps[1].w &&
++image->comps[0].w == image->comps[2].w) ||
++  !(image->comps[0].h == image->comps[1].h &&
++image->comps[0].h == i

Bug#942514: pam-python: CVE-2019-16729: local root escalation

[Hugo Lefeuvre]

Source: pam-python
Version: 1.0.6-1.1
Severity: important

Hi,

pam-python is affected by the following security issue:

CVE-2019-16729[0]: "pam-python before 1.0.7-1 has an issue in regard to the
default environment variable handling of Python, which could allow for
local root escalation in certain PAM setups."

Russell: I see that you are also upstream of pam-python. This vulnerability
was fixed in sid via 1.0.7-1 but since this is a local root exploit, we
should probably backport fixes for stable releases. However I am struggling
to find precise information about this issue and can't assess the severity
properly.

Could you provide some more information related to this vulnerability? an
isolated patch would be ideal.

thanks!

regards,
Hugo

[0] https://security-tracker.debian.org/tracker/CVE-2019-16729

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C



signature.asc
Description: PGP signature

Bug#941036: cacti: CVE-2019-16723

[Hugo Lefeuvre]

Hi Salvatore, Paul,

I had a look at this issue in jessie, stretch and buster. I concluded that
jessie and stretch are not affected. I have reproduced the issue in buster.

# Quick breakdown:

Graphs are retrieved using rrdtool_function_graph() from lib/rrd.php, this
is true for jessie onwards.

rrdtool_function_graph() has a check for permissions, which is in fact very
similar to the ones introduced in 7a6a17252 and c7cf4a26e.

Before cf73ae1a9f65b5a27d7f9d10c8e14835c3a76326[0] this check in
rrdtool_function_graph() was always executed. After this commit the check
is only executed when $user > 0.

Note: 0 is the default value for $user:

[lib/rrd.php:1179][1]

function rrdtool_function_graph($local_graph_id, $rra_id, $graph_data_array,
$rrdtool_pipe = '', &$xport_meta = array(), $user = 0) {
...

However graph_image.php, graph_json.php and rrdtool_function_xport() call
rrdtool_function_graph() without passing $user:

[graph_image.php:132][2]

$output = rrdtool_function_graph(get_request_var('local_graph_id'), 
$rra_id, $graph_data_array);

Hence, permissions are never checked after this commit. I don't think this
is the intended affect.

Now, let's try something: take 1.2.2+ds1-2+deb10u1, the version in buster
which is affected and simply revert cf73ae1a9f65b5a27d7f9d10:

--- a/lib/rrd.php   2019-10-16 13:24:08.590183640 +0200
+++ b/lib/rrd.php   2019-10-16 13:24:34.302046280 +0200
@@ -1171,11 +1171,11 @@

/* before we do anything; make sure the user has permission to view 
this graph,
if not then get out */
-   if ($user > 0) {
+   //if ($user > 0) {
if (!is_graph_allowed($local_graph_id, $user)) {
return 'GRAPH ACCESS DENIED';
}
-   }
+   //}

if (getenv('LANG') == '') {
putenv('LANG=' . str_replace('-', '_', CACTI_LOCALE) . 
'.UTF-8');

Try to reproduce: this is sufficient to "fix" the issue and appears to
confirm previous analysis.

Any comments?

cheers,
Hugo

[0] 
https://github.com/Cacti/cacti/commit/cf73ae1a9f65b5a27d7f9d10c8e14835c3a76326
[1] https://github.com/Cacti/cacti/blob/develop/lib/rrd.php#L1179
[2] https://github.com/Cacti/cacti/blob/develop/graph_image.php#L132

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#942024: stretch-pu: package openjpeg2/2.1.2-1.1+deb9u4

[Hugo Lefeuvre]

Hi,

> I think that second occurrence of 2018-21010 might be incorrect. :-)

right, same typo twice. I meant CVE-2016-9112 of course :)

> Please go ahead.

uploaded, thanks!

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#942172: clamav-daemon: After upgrade, clamd cannon create /var/run/clamav/clamd.ctl and stop.

[Hugo Lefeuvre]

Hi Filipe, Sebastian,

> I could only test from 0.100.0+dfsg-0+deb8u1 as I couldn't find
> 0.100.3+dfsg-0+deb8u1 anywhere in the archives and I'm out of servers
> running clamav-daemon 0.100.3+dfsg-0+deb8u1; but as /run/clamav/ is root
> owned in 0.100.0+dfsg-0+deb8u1 and clamav-daemon 0.101.4+dfsg-0+deb8u2 got
> started without a problem after the upgrade I'd say it's OK.

thanks for your time. I have done some more tests myself and went ahead
with the upload, I hope everything will be fine now. Sorry for the trouble.

If you see anything suspicious, don't hesitate to open a bug report, I will
take a look at it.

regards,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#942172: clamav-daemon: After upgrade, clamd cannon create /var/run/clamav/clamd.ctl and stop.

[Hugo Lefeuvre]

Hi Filipe,

> I did strike this in three boxes. Straight upgrade but opted not to touch
> config when asked. Don't know if it matters. However I did not find any
> reference to /etc/systemd/system/clamav-daemon.service.d/extend.conf in the
> package scripts as in stretch.
> 
> The chown did make the difference. And the extend.conf prior to the upgrade
> on further two boxes got the upgrade working, AFAICT.

thanks for your answer.

After further investigations, I have found a probable cause for this issue:
debian/patches/clamd_dont_depend_on_clamav_demon_socket.patch was
mistakenly backported from the stretch upload.

This should not have been backported, because the jessie package is still
providing the systemd socket, which was removed from the stretch package in
0.99.2+dfsg-3 because of #824042[0].

I did not backport this removal because I considered it too intrusive for a
security upload. Looking back, this was maybe a mistake because it
increased the complexity of the backport.

I have prepared a regression update addressing this issue. It would be a
true benefit for the quality of this upload if somebody could give it a try
before I go on with uploading. You can find (UNRELEASED) amd64 builds,
signed by myself on my Debian webpage:

https://people.debian.org/~hle/lts/clamav/

regards,
Hugo

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824042

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#942172: clamav-daemon: After upgrade, clamd cannon create /var/run/clamav/clamd.ctl and stop.

[Hugo Lefeuvre]

Hi,

I did not notice this bug during my tests. I have just tried to reproduce
it by upgrading a jessie system from 0.100.3+dfsg-0+deb8u1 to
0.101.4+dfsg-0+deb8u1 and did not experience any issue restarting
clamav-daemon.

Furthermore, /var/run/clamav/ belonging to root:root or clamav:root does
not seem to change anything on my system. My understanding is that
/var/run/clamav/clamd.ctl is created by systemd, not by the daemon itself.

Also, I don't think chown clamav /var/run/clamav should survive a restart.

Filipe: did you also experience this bug?

Thanks.

regards,
Hugo

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#942024: stretch-pu: package openjpeg2/2.1.2-1.1+deb9u4

[Hugo Lefeuvre]

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear release managers,

as discussed in #939553[0], no DSA will be issued by the security team for
CVE-2018-21010 and this vulnerability can be fixed via -pu. The attached
debdiff addresses this issue, along with CVE-2018-20847 and CVE-2018-21010.

Patches for CVE-2018-20847 and CVE-2018-21010 are straight from upstream.
Concerning CVE-2018-21010, I did a few changes to remove non-security
related refactoring and improve readability.

thanks!

cheers,
Hugo

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939553

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru openjpeg2-2.1.2/debian/changelog openjpeg2-2.1.2/debian/changelog
--- openjpeg2-2.1.2/debian/changelog2019-03-07 22:41:30.0 +0100
+++ openjpeg2-2.1.2/debian/changelog2019-10-08 15:20:27.0 +0200
@@ -1,3 +1,16 @@
+openjpeg2 (2.1.2-1.1+deb9u4) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2018-21010: heap buffer overflow in color_apply_icc_profile
+(Closes: #939553).
+  * CVE-2018-20847: improper computation of values in the function
+opj_get_encoding_parameters, leading to an integer overflow
+(Closes: #931294).
+  * CVE-2016-9112: floating point exception or divide by zero in the
+function opj_pi_next_cprl (Closes: #844551).
+
+ -- Hugo Lefeuvre   Tue, 08 Oct 2019 15:20:27 +0200
+
 openjpeg2 (2.1.2-1.1+deb9u3) stretch-security; urgency=medium
 
   * Non-maintainer upload by the Security Team.
diff -Nru openjpeg2-2.1.2/debian/patches/CVE-2016-9112.patch 
openjpeg2-2.1.2/debian/patches/CVE-2016-9112.patch
--- openjpeg2-2.1.2/debian/patches/CVE-2016-9112.patch  1970-01-01 
01:00:00.0 +0100
+++ openjpeg2-2.1.2/debian/patches/CVE-2016-9112.patch  2019-10-08 
15:20:27.0 +0200
@@ -0,0 +1,59 @@
+Subject: fix division by zero and undefined behavior on shift in pi.c
+Author: Even Rouault 
+Origin: upstream, https://github.com/uclouvain/openjpeg/commit/d27ccf01c68a31ad
+--- a/src/lib/openjp2/pi.c 2019-10-08 15:46:03.364003550 +0200
 b/src/lib/openjp2/pi.c 2019-10-09 08:59:02.183880328 +0200
+@@ -360,6 +360,17 @@
+   try1 = opj_int_ceildiv(pi->ty1, 
(OPJ_INT32)(comp->dy << levelno));
+   rpx = res->pdx + levelno;
+   rpy = res->pdy + levelno;
++
++  /* To avoid divisions by zero / 
undefined behaviour on shift */
++  /* in below tests */
++  /* Fixes reading 
id:26,sig:08,src:002419,op:int32,pos:60,val:+32 */
++  /* of 
https://github.com/uclouvain/openjpeg/issues/938 */
++  if (rpx >= 31 || ((comp->dx << rpx) >> 
rpx) != comp->dx ||
++  rpy >= 31 || ((comp->dy << rpy) 
>> rpy) != comp->dy) {
++  continue;
++  }
++
++  /* See ISO-15441. B.12.1.3 Resolution 
level-position-component-layer progression */
+   if (!((pi->y % (OPJ_INT32)(comp->dy << 
rpy) == 0) || ((pi->y == pi->ty0) && ((try0 << levelno) % (1 << rpy){
+   continue;   
+   }
+@@ -441,6 +452,17 @@
+   try1 = opj_int_ceildiv(pi->ty1, 
(OPJ_INT32)(comp->dy << levelno));
+   rpx = res->pdx + levelno;
+   rpy = res->pdy + levelno;
++
++  /* To avoid divisions by zero / 
undefined behaviour on shift */
++  /* in below tests */
++  /* Relates to 
id:19,sig:08,src:001098,op:flip1,pos:49 */
++  /* of 
https://github.com/uclouvain/openjpeg/issues/938 */
++  if (rpx >= 31 || ((comp->dx << rpx) >> 
rpx) != comp->dx ||
++  rpy >= 31 || ((comp->dy << rpy) 
>> rpy) != comp->dy) {
++  continue;
++  }
++
++  /* See ISO-15441. B.12.1.4 
Position-component-resolution level-layer progression */
+   if (!((pi->y % (OPJ_INT32)(comp->dy << 
rpy) == 0) || ((pi->y == p

Bug#939553: openjpeg2: CVE-2018-21010

[Hugo Lefeuvre]

> s/Matthieu/Mathieu/

Huh, sorry, I take note.

> > I'm going to bump unstable to 2.3.1, this should address the four
> > currently open issues.
> >
> > Matthieu, if you want to double check the debdiff before upload, let me 
> > know. :)
> 
> I was about to upload 2.3.1 this week, so this should be just fine.
> Pay attention to 2.3.0-3 in your dch that's all I care really. I'll
> import in git after the upload since it is ready.

ack, thanks!

regards,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#939553: openjpeg2: CVE-2018-21010

[Hugo Lefeuvre]

Hi Salvatore, Matthieu,

I'm going to bump unstable to 2.3.1, this should address the four
currently open issues.

Matthieu, if you want to double check the debdiff before upload, let me know. :)

I might prepare a small jessie update for CVE-2018-21010. I had a quick
look, and so far it seems that this vulnerability would allow significant
heap write overflow. Hard to exploit, but this is enough for a DLA, in my
opinion.

Regarding stretch and buster, I don't think this is worth a DSA, but we
could fix this via a point update later on.

cheers,
Hugo

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#941850: clamav: inconsistent results with "better zip bomb" reproducers

[Hugo Lefeuvre]

Hi Sebastian,

> > clamdscan returns different results when run different times. The first
> > time the file is considered sane, the second time as "infected".
> > 
> > It looks like clamdscan doesn't always hit the OverlappingFiles heuristic.
> > 
> > $ clamdscan /tmp/zbsm.zip
> > /tmp/zbsm.zip: OK
> > 
> > --- SCAN SUMMARY ---
> > Infected files: 0
> > Time: 120.771 sec (2 m 0 s)
> > $ clamdscan /tmp/zbsm.zip
> > /tmp/zbsm.zip: Heuristics.Zip.OverlappingFiles FOUND
> > 
> > --- SCAN SUMMARY ---
> > Infected files: 1
> > Time: 51.885 sec (0 m 51 s)
> 
> I don't understand the difference between the first run vs the second.
> Please note that that clamdscan uses the daemon for scanning which *may*
> cache the last result. A fresh started daemon:
> |$ clamdscan zbsm.zip
> |/home/bigeasy/zbsm.zip: Heuristics.Zip.OverlappingFiles FOUND
> |
> |--- SCAN SUMMARY ---
> |Infected files: 1
> |Time: 119.048 sec (1 m 59 s)
> |$ clamdscan zbsm.zip 
> |/home/bigeasy/zbsm.zip: Heuristics.Zip.OverlappingFiles FOUND
> |
> |--- SCAN SUMMARY ---
> |Infected files: 1
> |Time: 0.367 sec (0 m 0 s)
> 
> So the first scan was *really* performed, the second one used the
> previous result. The odd-part is "OK" vs "FOUND" for the daemon and I
> can't pin point the 51secs.

OK, so this is not reproducible on your system. I have no idea why
clamdscan behaves like this on my machine, but my knowledge of this code
base is limited.

> zbxl.zip is a different story. It says "Data scanned: 0.00 MB" which
> means it didn't do anything. My guess is that your file limit is 25MiB
> while the file is ~40MiB. That time here is just load the database.
>
> [...]
> 
> Here it scanned something and you see the time it needed is almost the
> same as in the previous example where it did just load its database.

Ack, thanks for pointing that out, I forgot about the file size limit.
 
> So far I don't see anything wrong.

I have discovered this during my regression tests for the jessie update. My
main worry was to have broken something, I'm glad it's not the case.
Thanks for your time!

regards,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#941850: clamav: inconsistent results with "better zip bomb" reproducers

[Hugo Lefeuvre]

Package: clamav
Version: clamav/0.101.4+dfsg-1
Severity: normal

Hi,

clamdscan returns surprising results for "better zip bomb" reproducers[0]:

* Inconsistent results with zbsm.zip:

clamdscan returns different results when run different times. The first
time the file is considered sane, the second time as "infected".

It looks like clamdscan doesn't always hit the OverlappingFiles heuristic.

$ clamdscan /tmp/zbsm.zip
/tmp/zbsm.zip: OK

--- SCAN SUMMARY ---
Infected files: 0
Time: 120.771 sec (2 m 0 s)
$ clamdscan /tmp/zbsm.zip
/tmp/zbsm.zip: Heuristics.Zip.OverlappingFiles FOUND

--- SCAN SUMMARY ---
Infected files: 1
Time: 51.885 sec (0 m 51 s)

* zbxl.zip

clamdscan returns OK for zbxl.zip after 0.000 sec. clamscan needs more than
one minute. This difference is surprising to me.

$ clamdscan /tmp/zbxl.zip
/tmp/zbxl.zip: OK

--- SCAN SUMMARY ---
Infected files: 0
Time: 0.000 sec (0 m 0 s)
$ clamscan /tmp/zbxl.zip
/tmp/zbxl.zip: OK

--- SCAN SUMMARY ---
Known viruses: 6354861
Engine version: 0.101.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 43.75 MB (ratio 0.00:1)
Time: 66.032 sec (1 m 6 s)

This is reproducible with 0.101.4 in unstable (not a VM), stretch and
jessie (both VMs).

cheers,
Hugo

[0] https://www.bamsoftware.com/hacks/zipbomb/

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#912224: since update 1.3.3.5-4+deb8u5 php ldap authentification failure

[Hugo Lefeuvre]

Hi,

Sorry for the very late answer. For some reason, it looks like the LTS team
was not aware of this bug...

I am the one who provided these updates. This issue must have slipped
through my LDAP tests. I will investigate this as soon as possible and
provide a fix consequently.

Mike, you did the latest 389-ds-base update. Did you notice anything wrong
during your tests?

Thanks!

regards,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#938316: qreator: Python2 removal in sid/bullseye [PATCH]

[Hugo Lefeuvre]

Hi,

I have ported qreator to Python 3, you can find a debdiff in attachment.

I did not test everything, so there might still be some issues around. I did
not forward it to upstream, feel free to do it if you want.

regards,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru qreator-16.06.1/debian/changelog qreator-16.06.1/debian/changelog
--- qreator-16.06.1/debian/changelog	2019-03-30 15:35:12.0 -0400
+++ qreator-16.06.1/debian/changelog	2019-08-30 10:37:56.0 -0400
@@ -1,3 +1,10 @@
+qreator (16.06.1-3.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Port to Python 3 (Closes: #938316).
+
+ -- Hugo Lefeuvre   Fri, 30 Aug 2019 10:37:56 -0400
+
 qreator (16.06.1-3.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru qreator-16.06.1/debian/control qreator-16.06.1/debian/control
--- qreator-16.06.1/debian/control	2018-04-14 08:48:31.0 -0400
+++ qreator-16.06.1/debian/control	2019-08-30 10:37:56.0 -0400
@@ -3,8 +3,27 @@
 Priority: optional
 Maintainer: Chow Loong Jin 
 Build-Depends: debhelper (>= 8.0.0),
-   python-all (>= 2.6.6-3~),
-   python-distutils-extra
+   geoclue-2.0,
+   gir1.2-champlain-0.12,
+   gir1.2-clutter-1.0,
+   gir1.2-gdkpixbuf-2.0,
+   gir1.2-geoclue-2.0,
+   gir1.2-glib-2.0,
+   gir1.2-gtk-3.0,
+   gir1.2-gtkchamplain-0.12,
+   gir1.2-gtkclutter-1.0,
+   gir1.2-nm-1.0,
+   python3-all (>= 2.6.6-3~),
+   python3-cairo,
+   python3-dbus,
+   python3-distutils-extra,
+   python3-gi,
+   python3-gi-cairo,
+   python3-pil (>= 2.0.0),
+   python3-qrencode,
+   python3-requests,
+   python3-vobject,
+   python3-xdg
 Standards-Version: 4.1.3
 Homepage: https://launchpad.net/qreator
 Vcs-Git: https://anonscm.debian.org/git/collab-maint/qreator.git
@@ -12,26 +31,27 @@
 
 Package: qreator
 Architecture: all
-Depends: ${python:Depends}, ${misc:Depends},
- python-pil (>= 2.0.0),
- python-cairo,
- python-dbus,
- python-gi,
- python-gi-cairo,
+Depends: geoclue-2.0,
  gir1.2-champlain-0.12,
  gir1.2-clutter-1.0,
+ gir1.2-gdkpixbuf-2.0,
  gir1.2-geoclue-2.0,
  gir1.2-glib-2.0,
- gir1.2-gdkpixbuf-2.0,
  gir1.2-gtk-3.0,
  gir1.2-gtkchamplain-0.12,
  gir1.2-gtkclutter-1.0,
  gir1.2-nm-1.0,
- python-qrencode,
- python-requests,
- python-vobject,
- python-xdg,
- geoclue-2.0
+ python3-cairo,
+ python3-dbus,
+ python3-gi,
+ python3-gi-cairo,
+ python3-pil (>= 2.0.0),
+ python3-qrencode,
+ python3-requests,
+ python3-vobject,
+ python3-xdg,
+ ${misc:Depends},
+ ${python3:Depends}
 Description: graphical utility for creating QR codes
  Qreator enables you to easily create your own QR codes to encode different
  types of information in an efficient, compact and cool way.
diff -Nru qreator-16.06.1/debian/patches/python3-port.patch qreator-16.06.1/debian/patches/python3-port.patch
--- qreator-16.06.1/debian/patches/python3-port.patch	1969-12-31 19:00:00.0 -0500
+++ qreator-16.06.1/debian/patches/python3-port.patch	2019-08-30 10:37:56.0 -0400
@@ -0,0 +1,426 @@
+Subject: Port to python 3
+Author: Hugo Lefeuvre 
+Last-Update: 2019-08-30
+--- a/qreator/QRCode.py	2019-08-30 10:53:58.823320698 -0400
 b/qreator/QRCode.py	2019-08-30 16:12:48.309437828 -0400
+@@ -18,7 +18,7 @@
+ try:
+ import qrencode
+ except ImportError:
+-print "You need to install the python-qrencode package"
++print("You need to install the python-qrencode package")
+ sys.exit(1)
+ from PIL import Image
+ from PIL import ImageOps
+@@ -143,11 +143,11 @@
+ def _add_border(self, current_color_bg=None):
+ '''Adds a border to the QR code'''
+ if current_color_bg:
+-fill = (current_color_bg[0], current_color_bg[1],
+-current_color_bg[2], 255)
++fill = (int(current_color_bg[0]), int(current_color_bg[1]),
++int(current_color_bg[2]), 255)
+ else:
+ fill = 'white'
+ # Add a border
+-border_size = (self.output_size - self.image.size[0]) / 2
++border_size = int((self.output_size - self.image.size[0]) / 2)
+ self.image = ImageOps.expand(self.image, border=border_size,
+  fill=fill)
+--- a/qreator/qrcodes/QRCodeLocation.py	2019-08-30 10:53:58.823320698 -0400
 b/q

Bug#936214: bleachbit: Python2 removal in sid/bullseye

[Hugo Lefeuvre]

Control: forward -1 https://github.com/bleachbit/bleachbit/issues/163

Hi Matthias,

Thanks for your bug report.

On Fri, Aug 30, 2019 at 07:11:46AM +, Matthias Klose wrote:
> Python2 becomes end-of-live upstream, and Debian aims to remove
> Python2 from the distribution, as discussed in
> https://lists.debian.org/debian-python/2019/07/msg00080.html
> 
> Your package either build-depends, depends on Python2, or uses Python2
> in the autopkg tests.  Please stop using Python2, and fix this issue
> by one of the following actions.
> 
> - Convert your Package to Python3. This is the preferred option.  In
>   case you are providing a Python module foo, please consider dropping
>   the python-foo package, and only build a python3-foo package.  Please
>   don't drop Python2 modules, which still have reverse dependencies,
>   just document them.
>   
>   This is the preferred option.

Upstream is currently working on the migration. As far as I am aware, we should
not be too far from a final Python 3 release. I have just pinged them.

Bleachbit has a fairly high popcon and is active upstream. Bleachbit's removal
would be a real loss for many users.

regards,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#936051: stretch-pu: package sdl-image1.2/1.2.12-5+deb9u2

[Hugo Lefeuvre]

Small update: I forgot to close the bug report (#932755) and did not mention
CVE-2019-5058 in debian/changelog. You can find an updated debdiff in
attachment.

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru sdl-image1.2-1.2.12/debian/changelog sdl-image1.2-1.2.12/debian/changelog
--- sdl-image1.2-1.2.12/debian/changelog	2018-04-15 11:54:38.0 -0400
+++ sdl-image1.2-1.2.12/debian/changelog	2019-08-29 08:28:17.0 -0400
@@ -1,3 +1,17 @@
+sdl-image1.2 (1.2.12-5+deb9u2) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2018-3977, CVE-2019-5058: buffer overflow in do_layer_surface
+(IMG_xcf.c) (Closes: #932755).
+  * CVE-2019-5052: integer overflow and subsequent buffer overflow in IMG_pcx.c.
+  * CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
+  * CVE-2019-12216, CVE-2019-12217,
+CVE-2019-12218, CVE-2019-12219,
+CVE-2019-12220, CVE-2019-12221,
+CVE-2019-1, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
+
+ -- Hugo Lefeuvre   Thu, 29 Aug 2019 08:28:17 -0400
+
 sdl-image1.2 (1.2.12-5+deb9u1) stretch-security; urgency=high
 
   * Backport various security fixes:
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch	1969-12-31 19:00:00.0 -0500
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch	2019-08-29 08:26:26.0 -0400
@@ -0,0 +1,19 @@
+Description: Fix potential buffer overflow on corrupt or maliciously-crafted XCF file.
+ This patch bundles two fixes, the original one for CVE-2018-3977
+ (TALOS-2018-0645) which is actually broken, and the followup patch
+ (TALOS-2019-0842).
+Author: Ryan C. Gordon 
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/170d7d32e4a8
+  https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10
+--- a/IMG_xcf.c	2019-07-23 11:56:35.733259428 -0300
 b/IMG_xcf.c	2019-07-23 11:57:55.036947079 -0300
+@@ -634,6 +634,9 @@
+   p16 = (Uint16 *) p8;
+   p   = (Uint32 *) p8;
+   for (y=ty; y < ty+oy; y++) {
++	if ((y >= surface->h) || ((tx+ox) > surface->w)) {
++		break;
++	}
+ 	row = (Uint32 *)((Uint8 *)surface->pixels + y*surface->pitch + tx*4);
+ 	switch (hierarchy->bpp) {
+ 	case 4:
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch	1969-12-31 19:00:00.0 -0500
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch	2019-08-29 08:26:26.0 -0400
@@ -0,0 +1,83 @@
+Description: fix heap buffer overflow issue in IMG_pcx.c
+ Issue known as TALOS-2019-0841, CVE-2019-12218.
+Author: Sam Lantinga 
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
+--- a/IMG_pcx.c	2019-07-23 11:28:25.847897628 -0300
 b/IMG_pcx.c	2019-07-23 11:43:07.748441381 -0300
+@@ -100,6 +100,8 @@
+ 	Uint8 *row, *buf = NULL;
+ 	char *error = NULL;
+ 	int bits, src_bits;
++	int count = 0;
++	Uint8 ch;
+ 
+ 	if ( !src ) {
+ 		/* The error message has been set in SDL_RWFromFile */
+@@ -148,14 +150,14 @@
+ 	bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+ 	if (bpl > surface->pitch) {
+ 		error = "bytes per line is too large (corrupt?)";
++		goto done;
+ 	}
+-	buf = calloc(SDL_max(bpl, surface->pitch), 1);
++	buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ 	row = surface->pixels;
+ 	for ( y=0; yh; ++y ) {
+ 		/* decode a scan line to a temporary buffer first */
+-		int i, count = 0;
+-		Uint8 ch;
+-		Uint8 *dst = (src_bits == 8) ? row : buf;
++		int i;
++		Uint8 *dst = buf;
+ 		if ( pcxh.Encoding == 0 ) {
+ 			if(!SDL_RWread(src, dst, bpl, 1)) {
+ error = "file truncated";
+@@ -168,14 +170,15 @@
+ 		error = "file truncated";
+ 		goto done;
+ 	}
+-	if( (ch & 0xc0) == 0xc0) {
+-		count = ch & 0x3f;
++	if( ch < 0xc0) {
++		count = 1;
++	} else {
++		count = ch - 0xc0;
+ 		if(!SDL_RWread(src, &ch, 1, 1)) {
+ 			error = "file truncated";
+ 			goto done;
+ 		}
+-	} else
+-		count = 1;
++	}
+ }
+ dst[i] = ch;
+ count--;
+@@ -207,10 +210,16 @@
+ int x;
+ dst = row + plane;
+ for(x = 0; x < width; x++) {
++	if ( dst >= row+surface->pitch ) {
++		error = "decoding out of bounds (corrupt?)";
++		goto done;
++	}
+ 	*dst = *src++;
+ 	dst += pcxh.NPlanes;
+ }
+ 			}
++		} else {
++			SDL_memcpy(row, buf, bpl);
+ 		}
+ 
+ 		row += surface->pitch;
+@@ -227,8 +236,9 @@
+ 			/* look for a 256-colour palette */
+ 			do {
+ if ( !SDL_RWread(src, &ch, 1, 1)) {
+-	error = "file truncated";
+-	goto done;
++	/* Couldn't find the palet

Bug#930363: faad2: fix build with gcc-9 [patch]

[Hugo Lefeuvre]

Hi Fabian,

> Am Donnerstag, den 29.08.2019, 08:04 -0400 schrieb Hugo Lefeuvre:
> > Fabian (faad2 maintainer and upstream), do you want to handle this?
> > Otherwise I can NMU a second time with this patch.
> 
> please go ahead with a second NMU. I am a bit short on time currently
> (home alone with the 10mo baby...).

Ack, I'll NMU then. Good luck with the baby :)

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#936056: buster-pu: package sdl-image1.2/1.2.12-10+deb10u1

[Hugo Lefeuvre]

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-CC: t...@security.debian.org

Hi,

sdl-image1.2 is affected by a number of security issues in buster. Impact is
quite minor, but it would still be nice to get them fixed.

Attached is a debdiff addressing most of them for buster.

libsdl2-image 2.0.4+dfsg1+deb10u1 and 2.0.1+dfsg-2+deb9u2 have already been
accepted in stretch-pu and buster-pu, those are the same issues and the same
patches.

(I initially intended to submit -pu requests for both sdl-image1.2 and libsdl2
at the same time, but for a number of reasons sdl-image1.2 was delayed)

This is essentially the same update as 1.2.12-5+deb9u2, see #936051.

thanks!

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru sdl-image1.2-1.2.12/debian/changelog sdl-image1.2-1.2.12/debian/changelog
--- sdl-image1.2-1.2.12/debian/changelog	2018-11-04 18:58:30.0 -0500
+++ sdl-image1.2-1.2.12/debian/changelog	2019-08-29 08:51:05.0 -0400
@@ -1,3 +1,17 @@
+sdl-image1.2 (1.2.12-10+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2019-5058: Fix CVE-2018-3977.patch from previous upload: check should
+be done for y, not ty (Closes: #932755).
+  * CVE-2019-5052: integer overflow and subsequent buffer overflow in IMG_pcx.c.
+  * CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
+  * CVE-2019-12216, CVE-2019-12217,
+CVE-2019-12218, CVE-2019-12219,
+CVE-2019-12220, CVE-2019-12221,
+CVE-2019-1, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
+
+ -- Hugo Lefeuvre   Thu, 29 Aug 2019 08:51:05 -0400
+
 sdl-image1.2 (1.2.12-10) unstable; urgency=medium
 
   * Non-maintainer upload with permission of maintainers.
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch	2018-11-04 18:58:30.0 -0500
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch	2019-08-29 08:51:05.0 -0400
@@ -9,15 +9,13 @@
  IMG_xcf.c | 3 +++
  1 file changed, 3 insertions(+)
 
-diff --git a/IMG_xcf.c b/IMG_xcf.c
-index 064e641..93b6929 100644
 a/IMG_xcf.c
-+++ b/IMG_xcf.c
-@@ -634,6 +634,9 @@ static int do_layer_surface (SDL_Surface * surface, SDL_RWops * src, xcf_header
+--- a/IMG_xcf.c	2019-08-29 09:34:10.888355386 -0400
 b/IMG_xcf.c	2019-08-29 09:34:37.702747635 -0400
+@@ -634,6 +634,9 @@
p16 = (Uint16 *) p8;
p   = (Uint32 *) p8;
for (y=ty; y < ty+oy; y++) {
-+	if ((ty >= surface->h) || ((tx+ox) > surface->w)) {
++	if ((y >= surface->h) || ((tx+ox) > surface->w)) {
 +		break;
 +	}
  	row = (Uint32 *)((Uint8 *)surface->pixels + y*surface->pitch + tx*4);
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch	1969-12-31 19:00:00.0 -0500
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch	2019-08-29 08:49:56.0 -0400
@@ -0,0 +1,83 @@
+Description: fix heap buffer overflow issue in IMG_pcx.c
+ Issue known as TALOS-2019-0841, CVE-2019-12218.
+Author: Sam Lantinga 
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
+--- a/IMG_pcx.c	2019-07-23 11:28:25.847897628 -0300
 b/IMG_pcx.c	2019-07-23 11:43:07.748441381 -0300
+@@ -100,6 +100,8 @@
+ 	Uint8 *row, *buf = NULL;
+ 	char *error = NULL;
+ 	int bits, src_bits;
++	int count = 0;
++	Uint8 ch;
+ 
+ 	if ( !src ) {
+ 		/* The error message has been set in SDL_RWFromFile */
+@@ -148,14 +150,14 @@
+ 	bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+ 	if (bpl > surface->pitch) {
+ 		error = "bytes per line is too large (corrupt?)";
++		goto done;
+ 	}
+-	buf = calloc(SDL_max(bpl, surface->pitch), 1);
++	buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ 	row = surface->pixels;
+ 	for ( y=0; yh; ++y ) {
+ 		/* decode a scan line to a temporary buffer first */
+-		int i, count = 0;
+-		Uint8 ch;
+-		Uint8 *dst = (src_bits == 8) ? row : buf;
++		int i;
++		Uint8 *dst = buf;
+ 		if ( pcxh.Encoding == 0 ) {
+ 			if(!SDL_RWread(src, dst, bpl, 1)) {
+ error = "file truncated";
+@@ -168,14 +170,15 @@
+ 		error = "file truncated";
+ 		goto done;
+ 	}
+-	if( (ch & 0xc0) == 0xc0) {
+-		count = ch & 0x3f;
++	if( ch < 0xc0) {
++		count = 1;
++	} else {
++		count = ch - 0xc0;
+ 		if(!SDL_RWread(src, &ch, 1, 1)) {
+ 			error = "file truncated";
+ 			goto done;
+ 		}
+-	} else
+-		count = 1;
++	}
+ }
+ dst[i] = ch;
+ count--;
+@@ -207,10 +210,16 @@
+ int x;
+ dst = row + plane;
+ for(x = 0; x < width; x++) {
++

Bug#936051: stretch-pu: package sdl-image1.2/1.2.12-5+deb9u2

[Hugo Lefeuvre]

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

sdl-image1.2 is affected by a number of security issues in stretch. Impact is
quite minor, but it would still be nice to get them fixed.

Attached is a debdiff addressing most of them for stretch.

libsdl2-image 2.0.4+dfsg1+deb10u1 and 2.0.1+dfsg-2+deb9u2 have already been
accepted in stretch-pu and buster-pu, those are the same issues and the same
patches.

(I initially intended to submit -pu requests for both sdl-image1.2 and libsdl2
at the same time, but for a number of reasons sdl-image1.2 was delayed)

thanks!

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru sdl-image1.2-1.2.12/debian/changelog sdl-image1.2-1.2.12/debian/changelog
--- sdl-image1.2-1.2.12/debian/changelog	2018-04-15 11:54:38.0 -0400
+++ sdl-image1.2-1.2.12/debian/changelog	2019-08-29 08:28:17.0 -0400
@@ -1,3 +1,16 @@
+sdl-image1.2 (1.2.12-5+deb9u2) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2018-3977: buffer overflow in do_layer_surface (IMG_xcf.c).
+  * CVE-2019-5052: integer overflow and subsequent buffer overflow in IMG_pcx.c.
+  * CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
+  * CVE-2019-12216, CVE-2019-12217,
+CVE-2019-12218, CVE-2019-12219,
+CVE-2019-12220, CVE-2019-12221,
+CVE-2019-1, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
+
+ -- Hugo Lefeuvre   Thu, 29 Aug 2019 08:28:17 -0400
+
 sdl-image1.2 (1.2.12-5+deb9u1) stretch-security; urgency=high
 
   * Backport various security fixes:
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch	1969-12-31 19:00:00.0 -0500
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch	2019-08-29 08:26:26.0 -0400
@@ -0,0 +1,19 @@
+Description: Fix potential buffer overflow on corrupt or maliciously-crafted XCF file.
+ This patch bundles two fixes, the original one for CVE-2018-3977
+ (TALOS-2018-0645) which is actually broken, and the followup patch
+ (TALOS-2019-0842).
+Author: Ryan C. Gordon 
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/170d7d32e4a8
+  https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10
+--- a/IMG_xcf.c	2019-07-23 11:56:35.733259428 -0300
 b/IMG_xcf.c	2019-07-23 11:57:55.036947079 -0300
+@@ -634,6 +634,9 @@
+   p16 = (Uint16 *) p8;
+   p   = (Uint32 *) p8;
+   for (y=ty; y < ty+oy; y++) {
++	if ((y >= surface->h) || ((tx+ox) > surface->w)) {
++		break;
++	}
+ 	row = (Uint32 *)((Uint8 *)surface->pixels + y*surface->pitch + tx*4);
+ 	switch (hierarchy->bpp) {
+ 	case 4:
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch	1969-12-31 19:00:00.0 -0500
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch	2019-08-29 08:26:26.0 -0400
@@ -0,0 +1,83 @@
+Description: fix heap buffer overflow issue in IMG_pcx.c
+ Issue known as TALOS-2019-0841, CVE-2019-12218.
+Author: Sam Lantinga 
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
+--- a/IMG_pcx.c	2019-07-23 11:28:25.847897628 -0300
 b/IMG_pcx.c	2019-07-23 11:43:07.748441381 -0300
+@@ -100,6 +100,8 @@
+ 	Uint8 *row, *buf = NULL;
+ 	char *error = NULL;
+ 	int bits, src_bits;
++	int count = 0;
++	Uint8 ch;
+ 
+ 	if ( !src ) {
+ 		/* The error message has been set in SDL_RWFromFile */
+@@ -148,14 +150,14 @@
+ 	bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+ 	if (bpl > surface->pitch) {
+ 		error = "bytes per line is too large (corrupt?)";
++		goto done;
+ 	}
+-	buf = calloc(SDL_max(bpl, surface->pitch), 1);
++	buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ 	row = surface->pixels;
+ 	for ( y=0; yh; ++y ) {
+ 		/* decode a scan line to a temporary buffer first */
+-		int i, count = 0;
+-		Uint8 ch;
+-		Uint8 *dst = (src_bits == 8) ? row : buf;
++		int i;
++		Uint8 *dst = buf;
+ 		if ( pcxh.Encoding == 0 ) {
+ 			if(!SDL_RWread(src, dst, bpl, 1)) {
+ error = "file truncated";
+@@ -168,14 +170,15 @@
+ 		error = "file truncated";
+ 		goto done;
+ 	}
+-	if( (ch & 0xc0) == 0xc0) {
+-		count = ch & 0x3f;
++	if( ch < 0xc0) {
++		count = 1;
++	} else {
++		count = ch - 0xc0;
+ 		if(!SDL_RWread(src, &ch, 1, 1)) {
+ 			error = "file truncated";
+ 			goto done;
+ 		}
+-	} else
+-		count = 1;
++	}
+ }
+ dst[i] = ch;
+ count--;
+@@ -207,10 +210,16 @@
+ int x;
+ dst = row + plane;
+ for(x = 0; x < width; x++) {
++	if ( dst >= row+surface->pitch ) {
++		er

Bug#930363: faad2: fix build with gcc-9 [patch]

[Hugo Lefeuvre]

Hi Gianfranco,

On Thu, Aug 29, 2019 at 07:43:15AM +0200, Gianfranco Costamagna wrote:
> control: severity -1 serious
> On Tue, 11 Jun 2019 15:06:01 +0200 Gianfranco Costamagna 
>  wrote:
> > Source: faad2
> > Version: 2.8.8-3
> > Severity: normal
> > tags: patch
> > 
> > Hello, looks like gcc-9 is adding wl,asneeded flag in compilation, so libs
> > passed as CFLAGS are not correctly used by gcc anymore, because only LIBS
> > is added at the end of the compilation line.
> > 
> > The following patch fixes the issue, and starts then using again the glib
> > implementation of the library.  (without the patch, the bundled version is
> > used everywhere, and the build fails only on i386 because of an
> > implementation mismatch of a long/int data type)
> > 
> > I reported the patch already upstream
> > https://sourceforge.net/p/faac/bugs/242/
> > patch: 
> > http://launchpadlibrarian.net/427773869/faad2_2.8.8-3_2.8.8-3ubuntu1.diff.gz
> 
> Now this bug is RC, and preventing CVE fixes from Migration.
> Hugo, can you please reupload with the Ubuntu patch?
> https://launchpad.net/ubuntu/+source/faad2/2.8.8-3.1ubuntu1
> I rebased it with the upstream version

Fabian (faad2 maintainer and upstream), do you want to handle this?

Otherwise I can NMU a second time with this patch.

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#914641: faad2: CVE-2018-19502 CVE-2018-19503 CVE-2018-19504 CVE-2019-6956

[Hugo Lefeuvre]

Hi Fabian,

> > Please let me know if you want me to change anything, otherwise I am
> > waiting for your ack to upload.
> 
> Please go ahead!

OK, uploaded.

> Is the list of closed CVEs complete?

Yes, everything fixed in sid!

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#914641: faad2: CVE-2018-19502 CVE-2018-19503 CVE-2018-19504 CVE-2019-6956

[Hugo Lefeuvre]

Hi,

Following a discussion with Fabian on GitHub[0], here is a NMU for faad2 in
unstable. This NMU addresses the last few open security issues via targeted
patches, until they are integrated in the next upstream release.

Please let me know if you want me to change anything, otherwise I am waiting
for your ack to upload.

regards,
Hugo

[0] https://github.com/knik0/faad2/pull/38

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru faad2-2.8.8/debian/changelog faad2-2.8.8/debian/changelog
--- faad2-2.8.8/debian/changelog	2019-06-07 14:07:34.0 -0400
+++ faad2-2.8.8/debian/changelog	2019-08-27 13:29:39.0 -0400
@@ -1,3 +1,15 @@
+faad2 (2.8.8-3.1) unstable; urgency=medium
+
+  * Non-maintainer upload with maintainer's permission.
+  * CVE-2019-6956: Buffer over read in the function ps_mix_phase()
+(libfaad/ps_dec.c) (Closes: #914641).
+  * CVE-2018-20196: Stack buffer overflow in the function calculate_gain
+(libfaad/sbr_hfadj.c).
+  * CVE-2018-20199, CVE-2018-20360: NULL pointer dereference in the function
+ifilter_bank (libfaad/filtbank.c).
+
+ -- Hugo Lefeuvre   Tue, 27 Aug 2019 13:29:39 -0400
+
 faad2 (2.8.8-3) unstable; urgency=high
 
   * Team upload.
diff -Nru faad2-2.8.8/debian/patches/CVE-2018-20196.patch faad2-2.8.8/debian/patches/CVE-2018-20196.patch
--- faad2-2.8.8/debian/patches/CVE-2018-20196.patch	1969-12-31 19:00:00.0 -0500
+++ faad2-2.8.8/debian/patches/CVE-2018-20196.patch	2019-08-27 13:29:39.0 -0400
@@ -0,0 +1,48 @@
+Description: fix stack based buffer overflow in calculate_gain (libfaad/sbr_hfadj.c)
+ sbr_fbt: sbr->M should not exceed MAX_M
+ .
+ sbr->M is set by derived_frequency_table() from user-passed input
+ without checking for > MAX_M.
+ .
+ This leads to out-of-bounds accesses later, crashes and potential
+ security relevant issues. It should be considered a fatal error for
+ the SBR block.
+ .
+ return error code if sbr->M > MAX_M.
+ .
+ also, in some cases sbr_extension_data() ignores the return value of
+ calc_sbr_tables, probably assuming that sbr is always valid. It should
+ almost certainly not do that.
+Author: Hugo Lefeuvre 
+Origin: upstream, https://github.com/knik0/faad2/commit/6aeeaa1af0caf986daf22
+--- a/libfaad/sbr_fbt.c	2009-05-31 03:02:54.0 -0400
 b/libfaad/sbr_fbt.c	2019-08-26 09:14:35.368320494 -0400
+@@ -526,6 +526,8 @@
+ }
+ 
+ sbr->M = sbr->f_table_res[HI_RES][sbr->N_high] - sbr->f_table_res[HI_RES][0];
++if (sbr->M > MAX_M)
++return 1;
+ sbr->kx = sbr->f_table_res[HI_RES][0];
+ if (sbr->kx > 32)
+ return 1;
+--- a/libfaad/sbr_syntax.c	2009-05-31 03:02:54.0 -0400
 b/libfaad/sbr_syntax.c	2019-08-26 09:15:14.108163215 -0400
+@@ -196,7 +196,7 @@
+ /* if an error occured with the new header values revert to the old ones */
+ if (rt > 0)
+ {
+-calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
++result += calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
+ saved_samplerate_mode, saved_freq_scale,
+ saved_alter_scale, saved_xover_band);
+ }
+@@ -215,7 +215,7 @@
+ if ((result > 0) &&
+ (sbr->Reset || (sbr->bs_header_flag && sbr->just_seeked)))
+ {
+-calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
++result += calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
+ saved_samplerate_mode, saved_freq_scale,
+ saved_alter_scale, saved_xover_band);  
+ }
diff -Nru faad2-2.8.8/debian/patches/CVE-2018-20360-20199.patch faad2-2.8.8/debian/patches/CVE-2018-20360-20199.patch
--- faad2-2.8.8/debian/patches/CVE-2018-20360-20199.patch	1969-12-31 19:00:00.0 -0500
+++ faad2-2.8.8/debian/patches/CVE-2018-20360-20199.patch	2019-08-27 13:29:39.0 -0400
@@ -0,0 +1,49 @@
+Description: fix NULL pointer dereference in ifilter_bank (libfaad/filtbank.c)
+ specrec: better handle unexpected PS
+ .
+ Parametric Stereo (PS) can arrive at any moment in input files. PS
+ changes the number of output channels and therefore requires more
+ allocated memory in various structures from hDecoder.
+ .
+ The current faad2 code attempts to perform allocation surgery in
+ hDecoder to recover from this. This works well when there is only one
+ frame channel, else it creates large number of memory corruption
+ issues.
+ .
+ If there is more than one input channel, return cleanly with error
+ code. It would be nice to handle this, but this is likely to be a lot
+ of work and is beyond the scope of a security fix.
+ .
+ This patch addresses CVE-2018-20360 and CVE-2018-20199.
+Author: Hugo Lefeuvre 
+Origi

Bug#934359: clamav: ZIP bomb causes extreme CPU spikes

[Hugo Lefeuvre]

Hi,

> >  The zip bomb vulnerability mitigated in 0.101.3 has been assigned the
> >  CVE identifier CVE-2019-12625. Unfortunately, a workaround for the zip-
> >  bomb mitigation was immediately identified. To remediate the zip-bomb
> >  scan time issue, a scan time limit has been introduced in 0.101.4. This
> >  limit now resolves ClamAV's vulnerability to CVE-2019-12625.
> > 
> > The default scan time limit is 2 minutes (12 milliseconds).
> > 
> > To customize the time limit:
> > - use the clamscan  --max-scantime option
> > - use the clamd  MaxScanTime config option
> > 
> > Libclamav users may customize the time limit using the cl_engine_set_num
> > function. For example:
> > 
> > C
> > cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, 
> > time_limit_milliseconds)
> > 
> > Thanks to David Fifield for reviewing the zip-bomb mitigation in
> > 0.101.3 and reporting the issue.
> 
> https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html

Great! Is anybody working on 0.101.4 updates for stretch/buster? I plan to
backport the update to jessie after that.

regards,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#934359: clamav: ZIP bomb causes extreme CPU spikes

[Hugo Lefeuvre]

Hi Sebastian,

> > Even though this issue is marked as fixed in unstable, the current patch is
> > incomplete (see upstream bug report). Upstream is actively working on a
> > more advanced patch.
> 
> I am aware of the situation. I uploaded to unstable what upstream
> released as 0.101.3 (the latest one) and prepared an update for stable.
> _After_ that, the bugtracker got updated claiming that the fix is not
> perfect and other zip bomb was added to the backtracker.

I'm sorry if this sounded insistent, it was not intended like that.

thanks for your work!

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#934359: clamav: ZIP bomb causes extreme CPU spikes

[Hugo Lefeuvre]

Source: clamav
Version: 0.101.2+dfsg-3
Severity: important
Tags: security upstream
Forwarded: https://bugzilla.clamav.net/show_bug.cgi?id=12356

Hi,

clamav is affected by a DoS vulnerability caused by crafted, extremely
compressed ZIP files.

Even though this issue is marked as fixed in unstable, the current patch is
incomplete (see upstream bug report). Upstream is actively working on a
more advanced patch.

regards,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#931449: imagemagick: CVE-2019-13305/CVE-2019-13306

[Hugo Lefeuvre]

Hi,

These issues are similar, both fixed by [0]. Upstream claims to have fixed
CVE-2019-13306 via [1] but this is wrong, [1] is reverted by [0].

I took some time to investigate this vulnerability. Unless I am mistaken,
this allows for arbitrary stack buffer overflow up to 10 bytes via pixel
luma values. My exploitation skills are limited, but this could be an
exploitable vulnerability.

I think this should be fixed, at least via point release?

regards,
Hugo

[0] 
https://github.com/ImageMagick/ImageMagick6/commit/5c7fbf9a14fb83c9685ad69d48899f490a37609d
[1] 
https://github.com/ImageMagick/ImageMagick6/commit/cb5ec7d98195aa74d5ed299b38eff2a68122f3fa

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1

[Hugo Lefeuvre]

Hi Salvatore,

> > Done! You can find an updated debdiff for buster in attachement. The new
> > debdiff ships CVE-2019-5058.patch which addresses the remaining issue in
> > IMG_xcf.c.
> 
> Is the attachment missing?

Right, attachment is missing! Better now :)

regards,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru libsdl2-image-2.0.4+dfsg1/debian/changelog libsdl2-image-2.0.4+dfsg1/debian/changelog
--- libsdl2-image-2.0.4+dfsg1/debian/changelog	2019-02-03 11:59:26.0 +0100
+++ libsdl2-image-2.0.4+dfsg1/debian/changelog	2019-07-26 22:01:14.0 +0200
@@ -1,3 +1,18 @@
+libsdl2-image (2.0.4+dfsg1-1+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * Multiple security issues (Closes: #932754):
+- CVE-2019-5058: buffer overflow in do_layer_surface (IMG_xcf.c).
+- CVE-2019-5052: integer overflow and subsequent buffer overflow in
+  IMG_pcx.c.
+- CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
+- CVE-2019-12216, CVE-2019-12217,
+  CVE-2019-12218, CVE-2019-12219,
+  CVE-2019-12220, CVE-2019-12221,
+  CVE-2019-1, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
+
+ -- Hugo Lefeuvre   Fri, 26 Jul 2019 17:01:14 -0300
+
 libsdl2-image (2.0.4+dfsg1-1) unstable; urgency=medium
 
   * New upstream version.
diff -Nru libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch
--- libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch	1970-01-01 01:00:00.0 +0100
+++ libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch	2019-07-26 22:01:14.0 +0200
@@ -0,0 +1,84 @@
+Description: fix heap buffer overflow issue in IMG_pcx.c
+ Issue known as TALOS-2019-0841, CVE-2019-12218.
+Author: Sam Lantinga 
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
+--- a/IMG_pcx.c	2019-07-26 17:35:40.331470589 -0300
 b/IMG_pcx.c	2019-07-26 17:48:45.760965290 -0300
+@@ -98,6 +98,8 @@
+ Uint8 *row, *buf = NULL;
+ char *error = NULL;
+ int bits, src_bits;
++int count = 0;
++Uint8 ch;
+ 
+ if ( !src ) {
+ /* The error message has been set in SDL_RWFromFile */
+@@ -146,14 +148,14 @@
+ bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+ if (bpl > surface->pitch) {
+ error = "bytes per line is too large (corrupt?)";
++goto done;
+ }
+-buf = (Uint8 *)SDL_calloc(SDL_max(bpl, surface->pitch), 1);
++buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ row = (Uint8 *)surface->pixels;
+ for ( y=0; yh; ++y ) {
+ /* decode a scan line to a temporary buffer first */
+-int i, count = 0;
+-Uint8 ch;
+-Uint8 *dst = (src_bits == 8) ? row : buf;
++int i;
++Uint8 *dst = buf;
+ if ( pcxh.Encoding == 0 ) {
+ if(!SDL_RWread(src, dst, bpl, 1)) {
+ error = "file truncated";
+@@ -166,14 +168,15 @@
+ error = "file truncated";
+ goto done;
+ }
+-if( (ch & 0xc0) == 0xc0) {
+-count = ch & 0x3f;
+-if(!SDL_RWread(src, &ch, 1, 1)) {
++if ( ch < 0xc0 ) {
++count = 1;
++} else {
++count = ch - 0xc0;
++if( !SDL_RWread(src, &ch, 1, 1)) {
+ error = "file truncated";
+ goto done;
+ }
+-} else
+-count = 1;
++}
+ }
+ dst[i] = ch;
+ count--;
+@@ -205,10 +208,16 @@
+ int x;
+ dst = row + plane;
+ for(x = 0; x < width; x++) {
++if ( dst >= row+surface->pitch ) {
++error = "decoding out of bounds (corrupt?)";
++goto done;
++}
+ *dst = *innerSrc++;
+ dst += pcxh.NPlanes;
+ }
+ }
++} else {
++SDL_memcpy(row, buf, bpl);
+ }
+ 
+ row += surface->pitch;
+@@ -225,8 +234,9 @@
+ /* look for a 256-colour palette */
+ do {
+ if ( !SDL_RWread(src, &ch, 1, 1)) {
+-error = "file truncated";
+-goto done;
++/* Couldn't find the palette, try the end of the file */
++SDL_RWseek(src, -768, RW_SEEK_END);
++break;
+ }
+ } while ( ch != 12 );
+ 
diff -Nru 

Bug#931740: CVE-2019-12977 analysis

[Hugo Lefeuvre]

Hi,

I had a look at CVE-2019-12977:

This allows attackers to manipulate the JP2 compression arguments passed by
imagemagick to openjpeg. As long as openjpeg sanitizes its arguments, this
issue does not have any security impact. Any useful exploit of this issue
requires to chain it with another vulnerability in openjpeg.

Also: I suspect that these compression arguments can actually be
arbitrarily set by the user, without exploiting any kind of vulnerability.
In other words, this issue might be completely irrelevant from a security
standpoint because it does not allow the user to do more than what he can
already do.

regards,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#932755: sdl-image1.2: multiple security issues

[Hugo Lefeuvre]

Hi Felix,

> > Concerning testing: can I upload the NMU?
> 
> Sure, please go ahead!

thanks! I have uploaded the NMU, with some very small changes: I have added
a patch for CVE-2019-5058, which addresses issues in a previously uploaded
patch for CVE-2018-3977 (via 1.2.12-10).

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1

[Hugo Lefeuvre]

Hi,

> > Buster received [0] per 2.0.4+dfsg1-1, but not [1]. Even if I was aware
> > that the initial patch was broken (see stretch patch descriptions), I
> > failed to handle this properly in the buster version.
> > 
> > As far as I remember, I did not upload this diff yet. I'll just provide an
> > updated version asap. I will also update the testing NMU[2], which I
> > fortunately did not upload yet.
> 
> Perfect, thank you for that!

Done! You can find an updated debdiff for buster in attachement. The new
debdiff ships CVE-2019-5058.patch which addresses the remaining issue in
IMG_xcf.c.

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#932755: sdl-image1.2: multiple security issues

[Hugo Lefeuvre]

Hi Salvatore,

> FTR, there are new CVEs which appeared for TALOS-2019-0841
> TALOS-2019-0842, TALOS-2019-0843 and TALOS-2019-0844.
> 
> It is unfortunate that Cisco Talos project is a bit intransparent on
> referencing the respecitve upstream fixes after disclosure :(

Thanks for the information. I will update the testing NMU to address these
issues as well and perform some triage in the tracker (CVE-2019-5058 is the
same as CVE-2018-3977 and CVE-2019-5057 looks familiar as well).

regards,
Hugo

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1

[Hugo Lefeuvre]

Hi Salvatore,

> Maybe I'm missing something but but please double check. Can it be
> that the stretch-pu upload contains the fix
> https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10 for TALOS-2019-0842
> but the buster-pu one missed it? (Note this has a new CVE assigned
> CVE-2019-5058, the change afaics is included in your stretch-pu
> debdiff, is this right? but not in the buster-pu one?)

Thanks for catching this. The situation is quite messy, so I will try to
summarize it in a few words.

CVE-2018-3977 is the actual buffer overflow in IMG_pcx.c. This
vulnerabilitity was "fixed" via [0], however the fix is broken (the check
should be done for y, not ty). Talos decided to report the remaining issue
as a separate vulnerability, TALOS-2019-0842, which was recently assigned
CVE-2019-5058. It was fixed via [1].

CVE-2019-5058/TALOS-2019-0842 is not a new vulnerability, it's just
CVE-2018-3977 which wasn't fixed properly.

Buster received [0] per 2.0.4+dfsg1-1, but not [1]. Even if I was aware
that the initial patch was broken (see stretch patch descriptions), I
failed to handle this properly in the buster version.

As far as I remember, I did not upload this diff yet. I'll just provide an
updated version asap. I will also update the testing NMU[2], which I
fortunately did not upload yet.

Thanks again!

regards,
Hugo

[0] https://hg.libsdl.org/SDL_image/rev/170d7d32e4a8
[1] https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932755

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#885681: gummi: Depends on unmaintained gtksourceview2

[Hugo Lefeuvre]

Hi Jeremy,

I have ping-ed upstream about this. I have somehow overlooked this until
now, and would really like to avoid Gummi's removal. There's a good user
base on Debian, popcon is fairly high.

I hope that we will be able to manage a proper transition in the next
months.

Thanks for your work.

regards,
Hugo

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#933242: python-slugify: text-unicode still required dependency

[Hugo Lefeuvre]

Source: python-slugify
Version: 3.0.2-2
Severity: grave

Hi,

3.0.2-2 fixed the missing unidecode binary dependency. However
text-unidecode is still registered as a required dependency. This breaks
reverse dependencies if text-unidecode is not installed on the system.

I'm working on it.

regards,
Hugo

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#932755: sdl-image1.2: multiple security issues

[Hugo Lefeuvre]

Dear SDL packages maintainers,

I have uploaded the jessie LTS update.

I will coordinate with the security team for stretch and buster fixes via
point release.

Concerning testing: can I upload the NMU?

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#933218: stretch-pu: package libsdl2-image/2.0.1+dfsg-2+deb9u2

[Hugo Lefeuvre]

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

libsdl2-image is currently affected by the following security issues in
stretch:

* CVE-2018-3977: Heap buffer overflow.

* CVE-2019-5052: integer overflow and subsequent buffer overflow in
  IMG_pcx.c.

* CVE-2019-5051: heap-based buffer overflow in IMG_pcx.c.

* CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).

* CVE-2019-12216, CVE-2019-12217,
  CVE-2019-12218, CVE-2019-12219,
  CVE-2019-12220, CVE-2019-12221,
  CVE-2019-1: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).

(for more information, see #932754)

Attached is a debdiff addressing all of them for stretch.

All of these patches are from upstream, I have removed whitespace changes
and non security related refactoring.

This is the same patch as #933147.

thanks!

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru libsdl2-image-2.0.1+dfsg/debian/changelog libsdl2-image-2.0.1+dfsg/debian/changelog
--- libsdl2-image-2.0.1+dfsg/debian/changelog	2018-04-15 12:26:34.0 -0300
+++ libsdl2-image-2.0.1+dfsg/debian/changelog	2019-07-27 13:19:47.0 -0300
@@ -1,3 +1,18 @@
+libsdl2-image (2.0.1+dfsg-2+deb9u2) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Multiple security issues (Closes: #932754):
+- CVE-2018-3977: buffer overflow in do_layer_surface (IMG_xcf.c).
+- CVE-2019-5052: integer overflow and subsequent buffer overflow in
+  IMG_pcx.c.
+- CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
+- CVE-2019-12216, CVE-2019-12217,
+  CVE-2019-12218, CVE-2019-12219,
+  CVE-2019-12220, CVE-2019-12221,
+  CVE-2019-1, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
+
+ -- Hugo Lefeuvre   Sat, 27 Jul 2019 13:19:47 -0300
+
 libsdl2-image (2.0.1+dfsg-2+deb9u1) stretch-security; urgency=high
 
   * Backport various security fixes:
diff -Nru libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2018-3977.patch libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2018-3977.patch
--- libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2018-3977.patch	1969-12-31 21:00:00.0 -0300
+++ libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2018-3977.patch	2019-07-27 13:19:47.0 -0300
@@ -0,0 +1,19 @@
+Description: Fix potential buffer overflow on corrupt or maliciously-crafted XCF file.
+ This patch bundles two fixes, the original one for CVE-2018-3977
+ (TALOS-2018-0645) which is actually broken, and the followup patch
+ (TALOS-2019-0842).
+Author: Ryan C. Gordon 
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/170d7d32e4a8
+  https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10
+--- a/IMG_xcf.c	2019-07-27 13:21:45.402211011 -0300
 b/IMG_xcf.c	2019-07-27 13:21:45.398211049 -0300
+@@ -637,6 +637,9 @@
+   p16 = (Uint16 *) p8;
+   p   = (Uint32 *) p8;
+   for (y=ty; y < ty+oy; y++) {
++if ((y >= surface->h) || ((tx+ox) > surface->w)) {
++break;
++}
+ row = (Uint32 *)((Uint8 *)surface->pixels + y*surface->pitch + tx*4);
+ switch (hierarchy->bpp) {
+ case 4:
diff -Nru libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2019-12218.patch libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2019-12218.patch
--- libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2019-12218.patch	1969-12-31 21:00:00.0 -0300
+++ libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2019-12218.patch	2019-07-27 13:19:47.0 -0300
@@ -0,0 +1,84 @@
+Description: fix heap buffer overflow issue in IMG_pcx.c
+ Issue known as TALOS-2019-0841, CVE-2019-12218.
+Author: Sam Lantinga 
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
+--- a/IMG_pcx.c	2019-07-27 13:21:30.158367768 -0300
 b/IMG_pcx.c	2019-07-27 13:21:30.154367811 -0300
+@@ -100,6 +100,8 @@
+ Uint8 *row, *buf = NULL;
+ char *error = NULL;
+ int bits, src_bits;
++int count = 0;
++Uint8 ch;
+ 
+ if ( !src ) {
+ /* The error message has been set in SDL_RWFromFile */
+@@ -148,14 +150,14 @@
+ bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+ if (bpl > surface->pitch) {
+ error = "bytes per line is too large (corrupt?)";
++goto done;
+ }
+-buf = (Uint8 *)SDL_calloc(SDL_max(bpl, surface->pitch), 1);
++buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ row = (Uint8 *)surface->pixels;
+ for ( y=0; yh; ++y ) {
+ /* decode a scan line to a temporary buffer first */
+-int i, count = 0;
+-Uint8 ch;
+-Uint8 *dst = (src_bits == 8) ? row : buf;
++int i;
++Uint8 *dst = buf;
+ if ( pcxh.Encoding == 0 ) {
+ if(!SDL_RWread(src, dst, bpl, 1)) {
+ error = "file truncated";
+@@ -168,14 +170,15 @@
+ er

Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1

[Hugo Lefeuvre]

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

libsdl2-image is currently affected by the following security issues:

* CVE-2019-5052: integer overflow and subsequent buffer overflow in
  IMG_pcx.c.

* CVE-2019-5051: heap-based buffer overflow in IMG_pcx.c.

* CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).

* CVE-2019-12216, CVE-2019-12217,
  CVE-2019-12218, CVE-2019-12219,
  CVE-2019-12220, CVE-2019-12221,
  CVE-2019-1: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).

(for more information, see #932754)

Attached is a debdiff addressing all of them for buster.

All of these patches are from upstream, I have removed whitespace changes
and non security related refactoring.

thanks!

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru libsdl2-image-2.0.4+dfsg1/debian/changelog libsdl2-image-2.0.4+dfsg1/debian/changelog
--- libsdl2-image-2.0.4+dfsg1/debian/changelog	2019-02-03 08:59:26.0 -0200
+++ libsdl2-image-2.0.4+dfsg1/debian/changelog	2019-07-26 17:01:14.0 -0300
@@ -1,3 +1,17 @@
+libsdl2-image (2.0.4+dfsg1-1+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * Multiple security issues (Closes: #932754):
+- CVE-2019-5052: integer overflow and subsequent buffer overflow in
+  IMG_pcx.c.
+- CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
+- CVE-2019-12216, CVE-2019-12217,
+  CVE-2019-12218, CVE-2019-12219,
+  CVE-2019-12220, CVE-2019-12221,
+  CVE-2019-1, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
+
+ -- Hugo Lefeuvre   Fri, 26 Jul 2019 17:01:14 -0300
+
 libsdl2-image (2.0.4+dfsg1-1) unstable; urgency=medium
 
   * New upstream version.
diff -Nru libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch
--- libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch	1969-12-31 21:00:00.0 -0300
+++ libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch	2019-07-26 17:01:14.0 -0300
@@ -0,0 +1,84 @@
+Description: fix heap buffer overflow issue in IMG_pcx.c
+ Issue known as TALOS-2019-0841, CVE-2019-12218.
+Author: Sam Lantinga 
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
+--- a/IMG_pcx.c	2019-07-26 17:35:40.331470589 -0300
 b/IMG_pcx.c	2019-07-26 17:48:45.760965290 -0300
+@@ -98,6 +98,8 @@
+ Uint8 *row, *buf = NULL;
+ char *error = NULL;
+ int bits, src_bits;
++int count = 0;
++Uint8 ch;
+ 
+ if ( !src ) {
+ /* The error message has been set in SDL_RWFromFile */
+@@ -146,14 +148,14 @@
+ bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+ if (bpl > surface->pitch) {
+ error = "bytes per line is too large (corrupt?)";
++goto done;
+ }
+-buf = (Uint8 *)SDL_calloc(SDL_max(bpl, surface->pitch), 1);
++buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ row = (Uint8 *)surface->pixels;
+ for ( y=0; yh; ++y ) {
+ /* decode a scan line to a temporary buffer first */
+-int i, count = 0;
+-Uint8 ch;
+-Uint8 *dst = (src_bits == 8) ? row : buf;
++int i;
++Uint8 *dst = buf;
+ if ( pcxh.Encoding == 0 ) {
+ if(!SDL_RWread(src, dst, bpl, 1)) {
+ error = "file truncated";
+@@ -166,14 +168,15 @@
+ error = "file truncated";
+ goto done;
+ }
+-if( (ch & 0xc0) == 0xc0) {
+-count = ch & 0x3f;
+-if(!SDL_RWread(src, &ch, 1, 1)) {
++if ( ch < 0xc0 ) {
++count = 1;
++} else {
++count = ch - 0xc0;
++if( !SDL_RWread(src, &ch, 1, 1)) {
+ error = "file truncated";
+ goto done;
+ }
+-} else
+-count = 1;
++}
+ }
+ dst[i] = ch;
+ count--;
+@@ -205,10 +208,16 @@
+ int x;
+ dst = row + plane;
+ for(x = 0; x < width; x++) {
++if ( dst >= row+surface->pitch ) {
++error = "decoding out of bounds (corrupt?)";
++goto done;
++}
+ *dst = *innerSrc++;
+ dst += pcxh.NPlanes;
+ }
+ }
++} else {
++SDL_memcpy(row, buf, bpl);
+ }
+ 
+ row += surface->pitch;
+@@ -225,8 +234,9 @@
+ /* look 

Bug#922466: whitelist not working on python3 (buster version)

[Hugo Lefeuvre]

Hi,

Sorry for overlooking this issue. This should be fixed in the next pyzor
upload, in the next few days.

Thanks for reporting this.

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

Bug#932755: libsdl2-image security issues in testing

[Hugo Lefeuvre]

> However in the sdl-image1.2 case upstream did not provide a new release
> addressing these issues, so I guess we'll have to go for targeted fixes. I
> will provide a debdiff shortly. Would you be available to review it? I can
> handle the upload if necessary, or NMU.

as promised, the debdiff for unstable (in attachment).

I did very quick smoke tests. However it would be surprising that this
patch would break anything since it was tested extensively in jessie and
upstream versions are identical.

(just in case, I smoke test using [0] with valgrind)

cheers,
Hugo

[0] /usr/share/doc/libsdl-image1.2-dev/examples/showimage.c

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru sdl-image1.2-1.2.12/debian/changelog sdl-image1.2-1.2.12/debian/changelog
--- sdl-image1.2-1.2.12/debian/changelog	2018-11-04 21:58:30.0 -0200
+++ sdl-image1.2-1.2.12/debian/changelog	2019-07-24 20:30:03.0 -0300
@@ -1,3 +1,16 @@
+sdl-image1.2 (1.2.12-11) unstable; urgency=medium
+
+  * Non-maintainer upload with permission of maintainers.
+  * Multiple security fixes (Closes: #932755):
+- CVE-2019-5052: integer overflow and subsequent buffer overflow in IMG_pcx.c.
+- CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
+- CVE-2019-12216, CVE-2019-12217,
+  CVE-2019-12218, CVE-2019-12219,
+  CVE-2019-12220, CVE-2019-12221,
+  CVE-2019-1, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
+
+ -- Hugo Lefeuvre   Wed, 24 Jul 2019 20:30:03 -0300
+
 sdl-image1.2 (1.2.12-10) unstable; urgency=medium
 
   * Non-maintainer upload with permission of maintainers.
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch	1969-12-31 21:00:00.0 -0300
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch	2019-07-24 20:27:21.0 -0300
@@ -0,0 +1,83 @@
+Description: fix heap buffer overflow issue in IMG_pcx.c
+ Issue known as TALOS-2019-0841, CVE-2019-12218.
+Author: Sam Lantinga 
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
+--- a/IMG_pcx.c	2019-07-23 11:28:25.847897628 -0300
 b/IMG_pcx.c	2019-07-23 11:43:07.748441381 -0300
+@@ -100,6 +100,8 @@
+ 	Uint8 *row, *buf = NULL;
+ 	char *error = NULL;
+ 	int bits, src_bits;
++	int count = 0;
++	Uint8 ch;
+ 
+ 	if ( !src ) {
+ 		/* The error message has been set in SDL_RWFromFile */
+@@ -148,14 +150,14 @@
+ 	bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+ 	if (bpl > surface->pitch) {
+ 		error = "bytes per line is too large (corrupt?)";
++		goto done;
+ 	}
+-	buf = calloc(SDL_max(bpl, surface->pitch), 1);
++	buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ 	row = surface->pixels;
+ 	for ( y=0; yh; ++y ) {
+ 		/* decode a scan line to a temporary buffer first */
+-		int i, count = 0;
+-		Uint8 ch;
+-		Uint8 *dst = (src_bits == 8) ? row : buf;
++		int i;
++		Uint8 *dst = buf;
+ 		if ( pcxh.Encoding == 0 ) {
+ 			if(!SDL_RWread(src, dst, bpl, 1)) {
+ error = "file truncated";
+@@ -168,14 +170,15 @@
+ 		error = "file truncated";
+ 		goto done;
+ 	}
+-	if( (ch & 0xc0) == 0xc0) {
+-		count = ch & 0x3f;
++	if( ch < 0xc0) {
++		count = 1;
++	} else {
++		count = ch - 0xc0;
+ 		if(!SDL_RWread(src, &ch, 1, 1)) {
+ 			error = "file truncated";
+ 			goto done;
+ 		}
+-	} else
+-		count = 1;
++	}
+ }
+ dst[i] = ch;
+ count--;
+@@ -207,10 +210,16 @@
+ int x;
+ dst = row + plane;
+ for(x = 0; x < width; x++) {
++	if ( dst >= row+surface->pitch ) {
++		error = "decoding out of bounds (corrupt?)";
++		goto done;
++	}
+ 	*dst = *src++;
+ 	dst += pcxh.NPlanes;
+ }
+ 			}
++		} else {
++			SDL_memcpy(row, buf, bpl);
+ 		}
+ 
+ 		row += surface->pitch;
+@@ -227,8 +236,9 @@
+ 			/* look for a 256-colour palette */
+ 			do {
+ if ( !SDL_RWread(src, &ch, 1, 1)) {
+-	error = "file truncated";
+-	goto done;
++	/* Couldn't find the palette, try the end of the file */
++	SDL_RWseek(src, -768, RW_SEEK_END);
++	break;
+ }
+ 			} while ( ch != 12 );
+ 
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch	1969-12-31 21:00:00.0 -0300
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch	2019-07-24 20:27:21.0 -0300
@@ -0,0 +1,15 @@
+Description: fix invalid data read on bpl == -1
+ Issue known as TALOS-2019-0821, or CVE-2019-5052.
+Author: Sam Lantinga 
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/b920be2b3fc6
+--- a/IMG_pcx.c	2019-07-23 11:55:37.9