Bug#930024: neovim: Arbitrary Code Execution exploit on all neovim versions < 0.3.6 via modelines

2019-06-05 Thread Matthew Crews
Source: neovim
Severity: important
Tags: upstream

Dear Maintainer,

Neovim versions < 0.3.6 are subject to an Arbitrary Code Execution exploit via
modelines, as described in this blogpost:

https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md

Upgrading the Neovim package to >= 0.3.6 fixes this exploit.



-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#930022: vim: Arbitrary Code Execution exploit on all VIM versions < 8.1.1365 via modelines

2019-06-05 Thread Matthew Crews
Source: vim
Severity: important
Tags: upstream

Dear Maintainer,

Vim versions < 8.1.1365 are subject to an Arbitrary Code Execution exploit via
modelines, as described in this blogpost:

https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md

Upgrading the Vim package to >= 8.1.1365 fixes this exploit.



-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#805711: Info received (light-locker: no login possible after suspend)

2019-06-03 Thread Matthew Crews
This issue is still present in Buster. The workaround (switch to VT8
then back to VT7) also still works in Buster.





Bug#924955: discover: Sort dropdown menu options disappear when moused over

2019-03-18 Thread Matthew Crews
Apologies, this was meant for plasma-discover. Please close this bug.





Bug#923653: RE: plasma-discover: mousehover over sort options makes them disappear

2019-03-18 Thread Matthew Crews
On Sat, 16 Mar 2019 19:02:42 + Larus Contract wrote:
> Some additional information: deactivating compositor doesn't help.
> The options start disappearing on the second item, meaning the first is 
> selectable and works.
> I've added images showing the problem. In the images, there is an update 
> ongoing, but they do not affect the package nor the bug, it persisted after 
> the update.
Confirmed on my end as well. It is not the first item in the list that
triggers this bug, but rather "any" item on the list that is highlighted.

This bug is also present on Fedora as well (running Plasma 5.14.5 and
KDE Frameworks 5.55). This may be an upstream bug, unsure if it was
fixed in Plasma 5.15 or not.





Bug#924220: sddm-theme-debian-maui: background-nologo.svg from theme.conf does not exist

2019-03-12 Thread Matthew Crews
On Sun, 10 Mar 2019 12:22:07 +0100 Robert wrote:
> Package: sddm-theme-debian-maui
> Version: 0.18.0-1
> Severity: important
> 
> Dear Maintainer,
> 
> "/usr/share/sddm/themes/debian-maui/theme.conf" contains
> "background=/usr/share/desktop-base/active-theme/login/background-nologo.svg",
> but the "background-nologo.svg" does not exist on a fresh installed debian
> testing.
> 
> There is only a "background.svg" and a "background-withlogo.svg" under
> "/usr/share/desktop-base/active-theme/login/"

This is a problem when upgrading from Stretch to Buster as well.
background-nologo.svg is deleted from the system as a result of the
change in default theme to FuturePrototype from softWaves.

This should be classified as a critical bug IMO, as it directly impacts
KDE Plasma users upgrading from Stretch to Buster.





Bug#917812: gnome-software: update broke gnome software

2019-02-18 Thread Matthew Crews
I too am affected by this bug. Gnome-software routinely stalls at
"Software catalog is being loaded". Only a full system restart seems to
restore functionality, and only temporarily.




Bug#922179: shim-signed depends on packages not repos

2019-02-12 Thread Matthew Crews
Package: shim-signed
Version: 1.28+nmu1+0.9+1474479173.6c180c6-1
Severity: important

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?

Attempted to install shim-signed, it depends on:

* shim 0.9+1474479173.6c180c6-1, however version 15+1533136590.3beb971-2 is the 
one in the repos
* secureboot-db, however that package is not in the sid repos at all.

   * What exactly did you do (or not do) that was effective (or
 ineffective)?

N/A

   * What was the outcome of this action?

Failed to install

   * What outcome did you expect instead?

I expected shim-signed to be installable.


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), 
LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages shim-signed depends on:
ii  debconf [debconf-2.0]  1.5.70
ii  grub-efi-amd64-bin     2.02+dfsg1-11
ii  grub2-common           2.02+dfsg1-11
pn  mokutil
ii  shim                   15+1533136590.3beb971-2

Versions of packages shim-signed recommends:
pn  secureboot-db  

shim-signed suggests no packages.



Bug#921118: RFP: qml-box2d -- The goal of the qml-box2d plugin is to expose the functionality of Box2D (C++) as a QML plugin in order to make it easier to write physics based software in QML.

2019-02-01 Thread Matthew Crews
Package: wnpp
Severity: wishlist

* Package name: qml-box2d
  Version : 2.0.0
  Upstream Author : Thorbjørn Lindeijer 
* URL : https://github.com/qml-box2d/qml-box2dh
* License : Zlib
  Programming Lang: QML
  Description : The goal of the qml-box2d plugin is to expose the
functionality of Box2D (C++) as a QML plugin in order to make it easier to
write physics based software in QML.





This package is a missing optional dependency for Gcompris, Bug #920752.
Currently Gcompris is built without this library, and is missing a few
activities. Adding this package to Debian and rebuilding Gcompris with the
proper build option will allow us to close Bug #920752.


Bug#920752: gcompris-qt-data: Gcompris Debian version is missing activities found in flatpak version

2019-02-01 Thread Matthew Crews
On Fri, 1 Feb 2019 13:46:42 +0100 Johnny Jazeix wrote:
> Sorry, I didn't see the reply, I thought I would have a notification.
> 
> These activities use box2d and according to the logs (
> https://buildd.debian.org/status/fetch.php?pkg=gcompris-qt&arch=alpha&ver=0.95-1&stamp=1547387638&raw=0)
> it is disabled and we don't add them in the package in this case
> ("Disabling qml-box2d module and depending activities:
> balancebox,land_safe,submarine").
> 
> This means that, even if box2d is installed afterwards, these activities
> won't be present.
> 
> I created a new task on GCompris bug server to check if it is possible to
> have the box2d check at runtime instead of compilation time:
> https://phabricator.kde.org/T10432
> 
> On Debian side, it seems the qml-box2d library is not packaged (
> https://github.com/qml-box2d/qml-box2d).
> In GCompris, when it's not available we compile it ourselves (via
> -DQML_BOX2D_MODULE=submodule) but I'm not sure if it would be acceptable to do
> it in Debian?
> Best way would probably be for qml-box2d to be packaged, set it as a
> mandatory dependency and use -DQML_BOX2D_MODULE=system.
> 
> Note: I'm one of the GCompris developers, I don't know much about the
> packaging.
> 
> Johnny

Thank you Johnny for the insight!

Looking at the license for qml-box2d, I don't see any reason that it
shouldn't be included in Debian, but considering how late we are into
the Buster release cycle, I don't think we can get it in the repos in
time for Buster?

In any case, I think this bug should be reclassified as a missing
dependency.





Bug#920752: gcompris-qt-data: Gcompris Debian version is missing activities found in flatpak version

2019-01-30 Thread Matthew Crews
On Wed, 30 Jan 2019 13:49:35 +0100 Johnny Jazeix wrote:
> Hi,
> 
> can you be more precise on which activities are missing?
> 
> Regards,
> 
> Johnny

I can.

Under the Pig (science?) section, the Debian version is missing "Land
Safe" and "Pilot a Submarine"

Under Konqi (Games?) section, the Debian version is missing "Balance Box"

Fortunately, those three seem to be the only ones missing.

Cheers.

-Matt





Bug#920752: gcompris-qt-data: Gcompris Debian version is missing activities found in flatpak version

2019-01-28 Thread Matthew Crews
Package: gcompris-qt-data
Version: 0.95-1
Severity: normal

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?

I was comparing the Flatpak version of Gcompris and the Debian version of
Gcompris, and I noticed that the Debian version in Testing is missing a few
activities found in the Flatpak version. I verified that the software version
of both is the same (0.95) so I believe the issue is in the gcompris-qt-data
package.

   * What exactly did you do (or not do) that was effective (or
 ineffective)?

N/A

   * What was the outcome of this action?

N/A

   * What outcome did you expect instead?

I expected the Debian version of Gcompris to have the same activities as the
Flatpak version.



-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

gcompris-qt-data depends on no packages.

Versions of packages gcompris-qt-data recommends:
ii  gcompris-qt  0.95-1

gcompris-qt-data suggests no packages.

-- no debconf information



Bug#905867: firmware-realtek: Wi-Fi does not work on rtl8822be but Bluetooth does

2018-09-17 Thread Matthew Crews
I can confirm this bug on my end too on my Lenovo E580 laptop.

What I find odd is that Ubuntu has no problems recognizing this chipset and 
having the wifi work, but Debian doesn't even recognize that the WiFi device is 
there.

Bug#906158: intel-microcode: Update intel-microcode to 20180807

2018-08-22 Thread Matthew Crews
I can't speak for the maintainer, or the ability to redistribute, but clause 3 
(v) of the license is pretty troublesome.

To quote:

3. LICENSE RESTRICTIONS. All right, title and interest in and to the Software 
and associated documentation are and will remain the exclusive property of 
Intel and its licensors or suppliers. Unless expressly permitted under the 
Agreement, You will not, and will not allow any third party to

**Snip**

(v) publish or provide any Software benchmark or comparison test results.

**Snip**

This is basically telling end users that they can't use the software in any way 
they see fit, nor publish the results as they see fit. This package might 
already be in non-free, but this seems a bit much.

Bug#846278: Bug 846278

2018-06-21 Thread Matthew Crews
I want to confirm that this is still a problem in Stretch. I experience the 
same problem as message #25 using Nvidia drivers, only I have no way of 
actually switching TTYs to force a log out!

This is on a brand new install of 9.4.

Bug#884198: ecryptfs-utils missing dependency "rsync"

2017-12-12 Thread Matthew Crews
Package: ecryptfs-utils
Version: 111-4
Severity: normal

Dear Maintainer,

In order to use the command "ecryptfs-migrate-home" which is provided by
ecryptfs-utils, the utility rsync is required. Without rsync installed, the
"ecryptfs-migrate-home" command will error out stating that rsync needs to be
installed.

Please consider making rsync a dependency for the "ecryptfs-utils" package. If
that is not desired, please make it either a suggested or recommended
dependency.

Thank you.


-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), 
LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ecryptfs-utils depends on:
ii  gettext-base    0.19.8.1-2
ii  keyutils        1.5.9-9
ii  libassuan0      2.4.3-2
ii  libc6           2.24-11+deb9u1
ii  libecryptfs1    111-4
ii  libgpg-error0   1.26-2
ii  libgpgme11      1.8.0-3+b2
ii  libkeyutils1    1.5.9-9
ii  libpam-runtime  1.1.8-3.6
ii  libpam0g        1.1.8-3.6
ii  libtspi1        0.3.14+fixed1-1

ecryptfs-utils recommends no packages.

Versions of packages ecryptfs-utils suggests:
ii  cryptsetup  2:1.7.3-4

-- no debconf information



Bug#879484: Network-Manager should Default to Non-Random MAC Address on WiFi

2017-10-22 Thread Matthew Crews
Package: network-manager
Version: 1.6.2-3
Severity: wishlist

Dear Maintainer,

I think that Network-Manager default settings should be changed to default to
non-random MAC addresses on WiFi. Even though there are security reasons for
enabling this by default, this results in less "out of the box" support for
WiFi cards on fresh Debian installs and on Live CDs. Other GNU/Linux
distributions have this setting disabled by default.

   * What led up to the situation?

I was using a live CD of Debian 9.2 with Gnome (written to a USB thumb drive),
and my wireless card was not connecting to my network, even though
Network-Manager was detecting both the card and the network. I tried a live CD for
Ubuntu 17.10 Gnome version, and it connected without issue. I investigated, and
saw that Ubuntu's live CD has a setting in
"/etc/NetworkManager/NetworkManager.conf" that is not present on Debian's
version:

[device]
wifi.scan-rand-mac-address=no

   * What exactly did you do (or not do) that was effective (or
 ineffective)?

I added this setting to "/etc/NetworkManager/NetworkManager.conf" on my Debian
live CD, and after restarting Network Manager my wireless card connected to my
WiFi network without issue.

[device]
wifi.scan-rand-mac-address=no



-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages network-manager depends on:
ii  adduser                3.115
ii  dbus                   1.10.22-0+deb9u1
ii  init-system-helpers    1.48
ii  libaudit1              1:2.6.7-2
ii  libbluetooth3          5.43-2+deb9u1
ii  libc6                  2.24-11+deb9u1
ii  libglib2.0-0           2.50.3-2
ii  libgnutls30            3.5.8-5+deb9u3
ii  libgudev-1.0-0         230-3
ii  libjansson4            2.9-1
ii  libmm-glib0            1.6.4-1
ii  libndp0                1.6-1+b1
ii  libnewt0.52            0.52.19-1+b1
ii  libnl-3-200            3.2.27-2
ii  libnm0                 1.6.2-3
ii  libpam-systemd         232-25+deb9u1
ii  libpolkit-agent-1-0    0.105-18
ii  libpolkit-gobject-1-0  0.105-18
ii  libreadline7           7.0-3
ii  libselinux1            2.6-3+b3
ii  libsoup2.4-1           2.56.0-2+deb9u1
ii  libsystemd0            232-25+deb9u1
ii  libteamdctl0           1.26-1+b1
ii  libuuid1               2.29.2-1
ii  lsb-base               9.20161125
ii  policykit-1            0.105-18
ii  udev                   232-25+deb9u1
ii  wpasupplicant          2:2.4-1+deb9u1

Versions of packages network-manager recommends:
ii  crda 3.18-1
ii  dnsmasq-base 2.76-5+deb9u1
ii  iptables 1.6.0+snapshot20161117-6
ii  iputils-arping   3:20161105-1
ii  isc-dhcp-client  4.3.5-3
ii  modemmanager 1.6.4-1
ii  ppp  2.4.7-1+4

Versions of packages network-manager suggests:
pn  libteam-utils  

-- no debconf information