Bug#1070154: bullseye-pu: qtbase-opensource-src/5.15.2+dfsg-9+deb11u1
Hi Jonathan, On 12.05.24 13:13, Jonathan Wiltshire wrote: Please go ahead. great, thanks ... ... and done. Thorsten
Bug#1070778: [Debian-astro-maintainers] Bug#1070778: indi-armadillo-platypus: Add Appstream metainfo announcing HW support
Hi Petter, thanks a lot for this patch, the Appstream stuff is like a book of seven seals for me. On Thu, 9 May 2024, Petter Reinholdtsen wrote: + + com.github.indilib.indi-3rdparty There are lots of drivers in this repository, distributed over several packages. Shouldn't there be a unique id for each package? Thorsten
Bug#1070154: bullseye-pu: qtbase-opensource-src/5.15.2+dfsg-9+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu The attached debdiff for qtbase-opensource-src fixes several CVEs in Bullseye. All CVEs are marked as no-dsa by the security team. Thorstendiff -Nru qtbase-opensource-src-5.15.2+dfsg/debian/changelog qtbase-opensource-src-5.15.2+dfsg/debian/changelog --- qtbase-opensource-src-5.15.2+dfsg/debian/changelog 2021-07-02 17:58:04.0 +0200 +++ qtbase-opensource-src-5.15.2+dfsg/debian/changelog 2024-04-28 22:48:02.0 +0200 @@ -1,3 +1,33 @@ +qtbase-opensource-src (5.15.2+dfsg-9+deb11u1) bullseye; urgency=medium + + * Non-maintainer upload by the LTS Team. + * CVE-2024-25580 (Closes: #1064053) +fix buffer overflow due to crafted KTX image file + * CVE-2023-32763 (Closes: #1036702) +fix QTextLayout buffer overflow due to crafted SVG file + * CVE-2022-25255 +prevent QProcess from execution of a binary from the current working +directory when not found in the PATH + * CVE-2023-24607 (Closes: #1031872) +fix denial of service via a crafted string when the SQL ODBC driver +plugin is used + * fix regression caused by patch for CVE-2023-24607 + * CVE-2023-32762 +prevent incorrect parsing of the strict-transport-security (HSTS) header + * CVE-2023-51714 (Closes: #1060694) +fix incorrect HPack integer overflow check. + * CVE-2023-38197 (Closes: #1041105) +fix infinite loop in recursive entity expansion + * CVE-2023-37369 (Closes: #1059302) +fix crash of application in QXmlStreamReader due to crafted XML string + * CVE-2023-34410 (Closes: #1037210) +fix checking during TLS whether root of the chain really is a +configured CA certificate + * CVE-2023-33285 (Closes: #1036848) +fix buffer overflow in QDnsLookup + + -- Thorsten Alteholz Sun, 28 Apr 2024 22:48:02 +0200 + qtbase-opensource-src (5.15.2+dfsg-9) unstable; urgency=medium * Revert adding fix-misplacement-of-placeholder-text-in-QLineEdit.diff. diff -Nru qtbase-opensource-src-5.15.2+dfsg/debian/patches/CVE-2022-25255.diff qtbase-opensource-src-5.15.2+dfsg/debian/patches/CVE-2022-25255.diff --- qtbase-opensource-src-5.15.2+dfsg/debian/patches/CVE-2022-25255.diff 1970-01-01 01:00:00.0 +0100 +++ qtbase-opensource-src-5.15.2+dfsg/debian/patches/CVE-2022-25255.diff 2024-03-05 13:22:01.0 +0100 @@ -0,0 +1,96 @@ +Description: QProcess: ensure we don't accidentally execute something from CWD + Unless "." (or the empty string) is in $PATH, we're not supposed to find + executables in the current directory. This is how the Unix shells behave + and we match their behavior. It's also the behavior Qt had prior to 5.9 + (commit 28666d167aa8e602c0bea25ebc4d51b55005db13). On Windows, searching + the current directory is the norm, so we keep that behavior. + . + This commit does not add an explicit check for an empty return from + QStandardPaths::findExecutable(). Instead, we allow that empty string to + go all the way to execve(2), which will fail with ENOENT. We could catch + it early, before fork(2), but why add code for the error case? + . + See https://kde.org/info/security/advisory-20220131-1.txt +Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2022-25255-qprocess5-15.diff +Last-Update: 2022-02-21 + +Index: qtbase-opensource-src-5.15.2+dfsg/src/corelib/io/qprocess_unix.cpp +=== +--- qtbase-opensource-src-5.15.2+dfsg.orig/src/corelib/io/qprocess_unix.cpp 2024-03-05 13:21:06.432881985 +0100 qtbase-opensource-src-5.15.2+dfsg/src/corelib/io/qprocess_unix.cpp 2024-03-05 13:21:06.428881981 +0100 +@@ -1,7 +1,7 @@ + / + ** + ** Copyright (C) 2016 The Qt Company Ltd. +-** Copyright (C) 2016 Intel Corporation. ++** Copyright (C) 2022 Intel Corporation. + ** Contact: https://www.qt.io/licensing/ + ** + ** This file is part of the QtCore module of the Qt Toolkit. +@@ -422,14 +422,15 @@ + // Add the program name to the argument list. + argv[0] = nullptr; + if (!program.contains(QLatin1Char('/'))) { ++// findExecutable() returns its argument if it's an absolute path, ++// otherwise it searches $PATH; returns empty if not found (we handle ++// that case much later) + const QString = QStandardPaths::findExecutable(program); +-if (!exeFilePath.isEmpty()) { +-const QByteArray = QFile::encodeName(exeFilePath); +-argv[0] = ::strdup(tmp.constData()); +-} +-} +-if (!argv[0]) ++const QByteArray = QFile::encodeName(exeFilePath); ++argv[0] = ::strdup(tmp.constData()); ++} else { + argv[0] = ::strdup(encodedProgramName.constData()); ++} + + // Add every argument to the list + for (int i = 0; i < arguments.count(); ++i) +@@ -9
Bug#1070153: bookworm-pu: qtbase-opensource-src/5.15.8+dfsg-11+deb12u2
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu The attached debdiff for qtbase-opensource-src fixes several CVEs in Bookworm. All CVEs are marked as no-dsa by the security team. The debdiff is based on version 5.15.8+dfsg-11+deb12u1, which is already in s-p-u. Thorstendiff -Nru qtbase-opensource-src-5.15.8+dfsg/debian/changelog qtbase-opensource-src-5.15.8+dfsg/debian/changelog --- qtbase-opensource-src-5.15.8+dfsg/debian/changelog 2024-04-07 11:45:51.0 +0200 +++ qtbase-opensource-src-5.15.8+dfsg/debian/changelog 2024-04-28 20:48:02.0 +0200 @@ -1,3 +1,13 @@ +qtbase-opensource-src (5.15.8+dfsg-11+deb12u2) bookworm; urgency=medium + + * Non-maintainer upload by the LTS Team. + * CVE-2024-25580 (Closes: #1064053) +fix buffer overflow due to crafted KTX image file + * CVE-2023-51714 (Closes: #1060694) +fix incorrect HPack integer overflow check. + + -- Thorsten Alteholz Sun, 28 Apr 2024 20:48:02 +0200 + qtbase-opensource-src (5.15.8+dfsg-11+deb12u1) bookworm; urgency=medium [ Alexander Volkov ] diff -Nru qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2023-51714.diff qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2023-51714.diff --- qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2023-51714.diff 1970-01-01 01:00:00.0 +0100 +++ qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2023-51714.diff 2024-04-28 20:48:02.0 +0200 @@ -0,0 +1,61 @@ +From 23c3fc483e8b6e21012a61f0bea884446f727776 Mon Sep 17 00:00:00 2001 +From: Marc Mutz +Date: Tue, 12 Dec 2023 22:08:07 +0100 +Subject: [PATCH] HPack: fix incorrect integer overflow check + +This code never worked: + +For the comparison with max() - 32 to trigger, on 32-bit platforms (or +Qt 5) signed interger overflow would have had to happen in the +addition of the two sizes. The compiler can therefore remove the +overflow check as dead code. + +On Qt 6 and 64-bit platforms, the signed integer addition would be +very unlikely to overflow, but the following truncation to uint32 +would yield the correct result only in a narrow 32-value window just +below UINT_MAX, if even that. + +Fix by using the proper tool, qAddOverflow. + +Manual conflict resolutions: + - qAddOverflow doesn't exist in Qt 5, use private add_overflow + predecessor API instead + +Change-Id: I7599f2e75ff7f488077b0c60b81022591005661c +Reviewed-by: Allan Sandfeld Jensen +(cherry picked from commit ee5da1f2eaf8932aeca02ffea6e4c618585e29e3) +Reviewed-by: Qt Cherry-pick Bot +(cherry picked from commit debeb8878da2dc706ead04b6072ecbe7e5313860) +Reviewed-by: Thiago Macieira +Reviewed-by: Marc Mutz +(cherry picked from commit 811b9eef6d08d929af8708adbf2a5effb0eb62d7) +(cherry picked from commit f931facd077ce945f1e42eaa3bead208822d3e00) +(cherry picked from commit 9ef4ca5ecfed771dab890856130e93ef5ceabef5) +Reviewed-by: Mårten Nordheim +--- + +Index: qtbase-opensource-src-5.15.8+dfsg/src/network/access/http2/hpacktable.cpp +=== +--- qtbase-opensource-src-5.15.8+dfsg.orig/src/network/access/http2/hpacktable.cpp 2024-04-24 16:08:28.259865332 +0200 qtbase-opensource-src-5.15.8+dfsg/src/network/access/http2/hpacktable.cpp 2024-04-24 16:09:16.163853040 +0200 +@@ -40,6 +40,7 @@ + #include "hpacktable_p.h" + + #include ++#include + + #include + #include +@@ -62,8 +63,10 @@ + // for counting the number of references to the name and value would have + // 32 octets of overhead." + +-const unsigned sum = unsigned(name.size() + value.size()); +-if (std::numeric_limits::max() - 32 < sum) ++size_t sum; ++if (add_overflow(size_t(name.size()), size_t(value.size()), )) ++return HeaderSize(); ++if (sum > (std::numeric_limits::max() - 32)) + return HeaderSize(); + return HeaderSize(true, quint32(sum + 32)); + } diff -Nru qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2024-25580.diff qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2024-25580.diff --- qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2024-25580.diff 1970-01-01 01:00:00.0 +0100 +++ qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2024-25580.diff 2024-04-28 20:48:02.0 +0200 @@ -0,0 +1,197 @@ +diff --git a/src/gui/util/qktxhandler.cpp b/src/gui/util/qktxhandler.cpp +index 0d98e97453..6a79e55109 100644 +--- a/src/gui/util/qktxhandler.cpp b/src/gui/util/qktxhandler.cpp +@@ -73,7 +73,7 @@ struct KTXHeader { + quint32 bytesOfKeyValueData; + }; + +-static const quint32 headerSize = sizeof(KTXHeader); ++static constexpr quint32 qktxh_headerSize = sizeof(KTXHeader); + + // Currently unused, declared for future reference + struct KTXKeyValuePairItem { +@@ -103,11 +103,36 @@ struct KTXMipmapLevel { + */ + }; + +-bool QKtxHandler::canRead(const QByteArray , const QByteArray ) ++static bool
Bug#1069930: RM: gutenprint [armel armhf i386] -- ROM; software no longer works on 32bit architectures
Package: ftp.debian.org Severity: normal Control: affects -1 + src:gutenprint Unfortunately this software no longer runs on 32bit architectures. The time to fix this is better spent on other things. Thorsten
Bug#1064550: bullseye-pu: libjwt/1.10.2-1+deb11u1
Hi Jonathan, On 22.04.24 19:10, Jonathan Wiltshire wrote: Please go ahead. great, thanks ... ... and uploaded. Thorsten
Bug#1067544: bullseye-pu: libmicrohttpd/0.9.72-2+deb11u1.debdiff
Hi Jonathan, On 22.04.24 18:59, Jonathan Wiltshire wrote: Please go ahead. great, thanks ... ... and uploaded. Thorsten
Bug#1060769: foo2zjs: diff for NMU version 20200505dfsg0-2.1
Hi Chris, thanks for preparing the upload. From my point of view the change in debian/NEWS is not correct. If at all there could have been a new entry for this upload, but I don't think this change is that important to explicitly inform all users. Anyway, I just uploaded 20200505dfsg0-3 now ... Thorsten
Bug#812326: SystemV / LSB init header: cups-browsed depends on avahi and cups
Package: cups-browsed Hi Mike, unfortunately this is a feature and not a bug. As cups-browsed only Recommends: avahi-daemon, it might not be installed and you can not require to wait for its start. As far as I know systemd has some kind of timeout and the system will still boot when avahi-daemon is not installed. So, if you don't mind I will close this bug again. Thorsten
Bug#1068913: RM: libosmo-netif [armel armhf i386] -- ROM; software no longer works on 32bit architectures
Package: ftp.debian.org Severity: normal Control: affects -1 + src:libosmo-netif Unfortunately this software no longer runs on 32bit architectures. The time to fix this is better spent on other things. Thorsten
Bug#1068911: RM: osmo-mgw [armel armhf i386] -- ROM; software no longer works on 32bit architectures
Package: ftp.debian.org Severity: normal Control: affects -1 + src:osmo-mgw Unfortunately this software no longer runs on 32bit architectures. The time to fix this is better spent on other things. Thorsten
Bug#1068910: RM: osmo-bsc [armel armhf i386] -- ROM; software no longer works on 32bit architectures
Package: ftp.debian.org Severity: normal Control: affects -1 + src:osmo-bsc Unfortunately this software no longer runs on 32bit architectures. The time to fix this is better spent on other things. Thorsten
Bug#1068908: RM: osmo-iuh [armel armhf i386] -- ROM; software no longer works on 32bit architectures
Package: ftp.debian.org Severity: normal Control: affects -1 + src:osmo-iuh Unfortunately this software no longer runs on 32bit architectures. The time to fix this is better spent on other things. Thorsten
Bug#1068909: RM: osmo-msc [armel armhf i386] -- ROM; software no longer works on 32bit architectures
Package: ftp.debian.org Severity: normal Control: affects -1 + src:osmo-msc Unfortunately this software no longer runs on 32bit architectures. The time to fix this is better spent on other things. Thorsten
Bug#1068906: RM: osmo-sgsn [armel armhf i386] -- ROM; software no longer works on 32bit architectures
Package: ftp.debian.org Severity: normal Control: affects -1 + src:osmo-sgsn Unfortunately this software no longer runs on 32bit architectures. The time to fix this is better spent on other things. Thorsten
Bug#1068907: RM: osmo-hlr [armel armhf i386] -- ROM; software no longer works on 32bit architectures
Package: ftp.debian.org Severity: normal Control: affects -1 + src:osmo-hlr Unfortunately this software no longer runs on 32bit architectures. The time to fix this is better spent on other things. Thorsten
Bug#1068905: RM: libosmo-sccp [armel armhf i386] -- ROM; software no longer works on 32bit architectures
Package: ftp.debian.org Severity: normal Control: affects -1 + src:libosmo-sccp Unfortunately this software no longer runs on 32bit architectures. The time to fix this is better spent on other things. Thorsten
Bug#1068902: RM: osmo-pcu [armel armhf i386] -- ROM; software no longer works on 32bit architectures
Package: ftp.debian.org Severity: normal Control: affects -1 + src:osmo-pcu Unfortunately this software no longer runs on 32bit architectures. The time to fix this is better spent on other things. Thorsten
Bug#952735: gnupg-pkcs11-scd: when used as scdaemon, `gnupg --card-status` reports wrong informations
Control: severity -1 normal Control: forwarded -1 https://github.com/alonbl/gnupg-pkcs11-scd/issues/61 I can reproduce this bug with my card reader and I forwarded the bug upstream -> https://github.com/alonbl/gnupg-pkcs11-scd/issues/61 As this is just a cosmectic bug, I reduce severity again to normal.
Bug#1068368: Removed package(s) from unstable
On Mon, 8 Apr 2024, Andreas Beckmann wrote: The python3.10 removal accidentally caused the removal of 'and', too, most likely because of the non-standard subject line that got misparsed. (Hint: Using reportbug would have helped to get that formatted correctly.) oh, thanks for catching this ... ... and accepted. Thorsten
Bug#1067633: reverse dependency
Control: tags -1 + moreinfo Hi Sebastian, there is a reverse dependency that needs to be taken care of: Checking reverse dependencies... # Broken Depends: libauthen-krb5-admin-perl: libauthen-krb5-admin-perl In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1067903: reverse dependencies
Control: tags -1 + moreinfo Hi Helmut, there are reverse dependencies that need to be taken care of: Checking reverse dependencies... # Broken Depends: flatpak: flatpak gnome-remote-desktop: gnome-remote-desktop # Broken Build-Depends: flatpak: fuse3 libfuse3-dev (3.1.1 >=) gnome-remote-desktop: libfuse3-dev (3.9.1 >=) libvirt: libfuse3-dev vorta: fuse3 In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1067200: reverse dependencies
Control: tags -1 + moreinfo Hi , there are some reverse dependencies that need to be taken care of: Checking reverse dependencies... # Broken Build-Depends: adios: cython3-legacy astra-toolbox/contrib: cython3-legacy atropos: cython3-legacy azure-uamqp-python: cython3-legacy basemap: cython3-legacy chemps2: cython3-legacy cyvcf2: cython3-legacy grpc: cython3-legacy h5py: cython3-legacy (0.29.15 >=) indexed-gzip: cython3-legacy libimobiledevice: cython3-legacy mayavi2: cython3-legacy mdtraj: cython3-legacy meson: cython3-legacy mlpy: cython3-legacy mpi4py: cython3-legacy mpi4py-fft: cython3-legacy (0.25~ >=) obitools: cython3-legacy petsc4py: cython3-legacy (0.24~ >=) py-libzfs/contrib: cython3-legacy pybik: cython3-legacy pydantic: cython3-legacy pyfftw: cython3-legacy pygccjit: cython3-legacy pymatgen: cython3-legacy pynfft: cython3-legacy pyregion: cython3-legacy python-esmre: cython3-legacy python-feather-format: cython3-legacy python-hidapi: cython3-legacy python-libzim: cython3-legacy python-llfuse: cython3-legacy python-orderedset: cython3-legacy python-pomegranate: cython3-legacy python-pyspike: cython3-legacy python-sfml: cython3-legacy python-skbio: cython3-legacy python-thinc: cython3-legacy python-thriftpy: cython3-legacy pyyaml: cython3-legacy qutip: cython3-legacy (0.29.36~ >=) renpy: cython3-legacy scipy: cython3-legacy skimage: cython3-legacy slepc4py: cython3-legacy statsmodels: cython3-legacy (0.29.32~ >=) xmms2: cython3-legacy Not all of them are Arch: all, so in case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1065470: reverse dependencies
Control: tags -1 + moreinfo Hi Thomas, there are reverse dependencies that need to be taken care of: Checking reverse dependencies... # Broken Depends: ceph: ceph-mgr-cephadm ceph-mgr-dashboard ceph-mgr-k8sevents ceph-mgr-rook ceph-resource-agents cephfs-shell cephfs-top libcephfs-java python3-ceph ceph-iscsi: ceph-iscsi libvirt: libvirt-daemon-driver-storage-rbd manila: manila-share nfs-ganesha: nfs-ganesha-ceph nfs-ganesha-rados-grace nfs-ganesha-rgw openstack-cluster-installer: openstack-cluster-installer tcmu: tcmu-runner [armel armhf] tgt: tgt-rbd uwsgi: uwsgi-plugin-rados # Broken Build-Depends: ceph-iscsi: python3-rados python3-rbd eckit: librados-dev libradospp-dev fdb: librados-dev fio: librbd-dev libvirt: librados-dev librbd-dev nfs-ganesha: libcephfs-dev librados-dev librgw-dev tcmu: librados-dev librbd-dev tgt: librbd-dev uwsgi: librados-dev xrootd: librados-dev libradospp-dev libradosstriper-dev Dependency problem found. In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1063848: reverse dependencies
Control: tags -1 + moreinfo Hi Thomas, there are reverse dependencies that need to be taken care of: Checking reverse dependencies... # Broken Depends: sahara-plugin-spark: python3-sahara-plugin-spark sahara-plugin-vanilla: python3-sahara-plugin-vanilla # Broken Build-Depends: sahara-plugin-spark: python3-sahara sahara-plugin-vanilla: python3-sahara Dependency problem found. In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1066973: reverse dependencies
Control: tags -1 + moreinfo Hi Drew, there are reverse dependencies that need to be taken care of: Checking reverse dependencies... # Broken Depends: python-emmet-core: python3-emmet-core python-mp-api: python3-mp-api # Broken Build-Depends: custodian: python3-pymatgen python-emmet-core: python3-pymatgen (2023.5.8~ >=) python-mp-api: python3-pymatgen (2022.3.7~ >=) xraylarch: python3-pymatgen Dependency problem found. In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1065623: reverse dependencies
Control: tags -1 + moreinfo Hi, there are reverse dependencies that need to be taken care of: Checking reverse dependencies... # Broken Depends: baresip: baresip-x11 # Broken Build-Depends: baresip: libomxil-bellagio-dev kodi: libomxil-bellagio-dev vlc: libomxil-bellagio-dev In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1067544: bullseye-pu: libmicrohttpd/0.9.72-2+deb11u1.debdiff
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu The attached debdiff for libmicrohttpd fixes CVE-2023-27371 in Bullseye. It is marked as no-dsa by the security team. The fix was uploaded to Buster about a year ago and nobody complained yet. For whatever reason, the upload to Bullseye was forgotten back then, so I catch up on this now. Thorsten diff -Nru libmicrohttpd-0.9.72/debian/changelog libmicrohttpd-0.9.72/debian/changelog --- libmicrohttpd-0.9.72/debian/changelog 2021-02-27 06:47:48.0 +0100 +++ libmicrohttpd-0.9.72/debian/changelog 2024-03-23 12:03:02.0 +0100 @@ -1,3 +1,12 @@ +libmicrohttpd (0.9.72-2+deb11u1) bullseye; urgency=medium + + * Non-maintainer upload by the LTS Team. + * CVE-2023-27371 +parsing crafted POST requests result in an out of bounds read, which +might cause a DoS (Denial of Service) + + -- Thorsten Alteholz Sat, 23 Mar 2024 12:03:02 +0100 + libmicrohttpd (0.9.72-2) sid; urgency=medium * Uploading to sid. diff -Nru libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch --- libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch1970-01-01 01:00:00.0 +0100 +++ libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch2023-03-29 19:22:12.0 +0200 @@ -0,0 +1,23 @@ +From e0754d1638c602382384f1eface30854b1defeec Mon Sep 17 00:00:00 2001 +From: Christian Grothoff +Date: Sun, 26 Feb 2023 17:51:24 +0100 +Subject: fix parser bug that could be used to crash servers using the + MHD_PostProcessor + +--- + src/microhttpd/postprocessor.c | 2 +- + 1 file changed, 1 insertions(+), 1 deletions(-) + +Index: libmicrohttpd-0.9.72/src/microhttpd/postprocessor.c +=== +--- libmicrohttpd-0.9.72.orig/src/microhttpd/postprocessor.c 2023-03-29 19:22:08.888629726 +0200 libmicrohttpd-0.9.72/src/microhttpd/postprocessor.c2023-03-29 19:22:08.884629728 +0200 +@@ -321,7 +321,7 @@ + return NULL; /* failed to determine boundary */ + boundary += MHD_STATICSTR_LEN_ ("boundary="); + blen = strlen (boundary); +-if ( (blen == 0) || ++if ( (blen < 2) || + (blen * 2 + 2 > buffer_size) ) + return NULL; /* (will be) out of memory or invalid boundary */ + if ( (boundary[0] == '"') && diff -Nru libmicrohttpd-0.9.72/debian/patches/series libmicrohttpd-0.9.72/debian/patches/series --- libmicrohttpd-0.9.72/debian/patches/series 1970-01-01 01:00:00.0 +0100 +++ libmicrohttpd-0.9.72/debian/patches/series 2023-03-29 19:21:28.0 +0200 @@ -0,0 +1 @@ +CVE-2023-27371.patch
Bug#977276: marked as done (gnucobol FTCBFS: abuses AC_CHECK_FILE, uses AC_RUN_IFELSE)
Hi Helmut, is there a reason you closed that bug? Thorsten
Bug#1066951: RM: a56 -- ROM; rc buggy and dead upstream
Package: ftp.debian.org Severity: normal When trying to fix #1066195, the corresponding patch grew more and more. I no longer wonder why C got such a bad reputation when this was valid code 30 years ago. From my point of view this code needs an entire rework. As I long time ago stopped working with DSPs, I don't want to do this rework by myself. If nobody takes up the baton, I think it is better to remove this package from Debian. As the software fails to compile now, orphaning the package does not seem to be appropriate. Thorsten
Bug#1063264: reverse dependencies
Control: tags -1 + moreinfo Hi Alexandre, this seems to be a major task, so I am tagging with moreinfo again. Just for information this is the current list of reverse dependencies: Checking reverse dependencies... # Broken Depends: dioptas: dioptas [amd64] flask-autoindex: python3-flask-autoindex mdp: python3-mdp pyferret: python3-ferret tahoe-lafs: tahoe-lafs # Broken Build-Depends: dioptas: python3-future flask-autoindex: python3-future pyferret: python3-future tahoe-lafs: python3-future mdp is still listed here!? In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1062371: reverse dependencie
Control: tags -1 + moreinfo Hi Andreas et al, there are still reverse dependencies that need to be taken care of: Checking reverse dependencies... # Broken Depends: emboss: jemboss emboss-explorer: emboss-explorer # Broken Build-Depends: bioperl-run: emboss embassy-domainatrix: emboss-lib (6.6.1~ <) embassy-domalign: emboss-lib (6.6.1~ <) embassy-domsearch: emboss-lib (6.6.0-1~ >=) emboss-lib (6.6.1~ <) python-biopython: emboss In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1063376: reverse dependenc
Control: tags -1 + moreinfo Hi Andreas, please file one RM bug for each package that needs to be partially removed. This needs to be done even for dependencies of dependencies. Please remove the moreinfo tag once that is done. Thorsten
Bug#1064551: bookworm-pu: libjwt/1.10.2-1+deb11u1
On Sun, 25 Feb 2024, Jonathan Wiltshire wrote: Please go ahead. great, thanks ... ... and uploaded. Thorsten
Bug#1064376: reverse dependency
Control: tags -1 + moreinfo Hi Marcos, there is a reverse dependency that needs to be taken care of: Checking reverse dependencies... # Broken Depends: ganglia-modules-linux: ganglia-modules-linux # Broken Build-Depends: ganglia-modules-linux: libganglia1-dev In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1063855: reverse dependencies
Control: tags -1 + moreinfo Hi Georges, there are reverse dependencies that need to be taken care of: Checking reverse dependencies... # Broken Build-Depends: dygraphs: jsdoc-toolkit emperor: jsdoc-toolkit Dependency problem found. In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1064551: bookworm-pu: libjwt/1.10.2-1+deb11u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu The attached debdiff for libjwt fixes CVE-2024-25189 in Bookworm. It is marked as no-dsa by the security team. The fix is straightfoward and should not make any problems. Thorsten diff -Nru libjwt-1.10.2/debian/changelog libjwt-1.10.2/debian/changelog --- libjwt-1.10.2/debian/changelog 2019-07-14 19:03:00.0 +0200 +++ libjwt-1.10.2/debian/changelog 2024-02-19 22:03:02.0 +0100 @@ -1,3 +1,10 @@ +libjwt (1.10.2-1+deb12u1) bookworm; urgency=medium + + * CVE-2024-25189 (Closes: #1063534) +fix a timing side channel via strcmp() + + -- Thorsten Alteholz Mon, 19 Feb 2024 22:03:02 +0100 + libjwt (1.10.2-1) unstable; urgency=medium * New upstream release diff -Nru libjwt-1.10.2/debian/libjwt0.symbols libjwt-1.10.2/debian/libjwt0.symbols --- libjwt-1.10.2/debian/libjwt0.symbols2019-01-13 15:13:51.0 +0100 +++ libjwt-1.10.2/debian/libjwt0.symbols2024-02-19 22:03:02.0 +0100 @@ -38,5 +38,6 @@ jwt_sign_sha_hmac@Base 1.9.0 jwt_sign_sha_pem@Base 1.9.0 jwt_str_alg@Base 1.9.0 + jwt_strcmp@Base 1.10.2 jwt_verify_sha_hmac@Base 1.9.0 jwt_verify_sha_pem@Base 1.9.0 diff -Nru libjwt-1.10.2/debian/libjwt-gnutls0.symbols libjwt-1.10.2/debian/libjwt-gnutls0.symbols --- libjwt-1.10.2/debian/libjwt-gnutls0.symbols 2019-01-13 15:13:51.0 +0100 +++ libjwt-1.10.2/debian/libjwt-gnutls0.symbols 2024-02-19 22:03:02.0 +0100 @@ -38,5 +38,6 @@ jwt_sign_sha_hmac@Base 1.9.0 jwt_sign_sha_pem@Base 1.9.0 jwt_str_alg@Base 1.9.0 + jwt_strcmp@Base 1.10.2 jwt_verify_sha_hmac@Base 1.9.0 jwt_verify_sha_pem@Base 1.9.0 diff -Nru libjwt-1.10.2/debian/patches/CVE-2024-25189-1.patch libjwt-1.10.2/debian/patches/CVE-2024-25189-1.patch --- libjwt-1.10.2/debian/patches/CVE-2024-25189-1.patch 1970-01-01 01:00:00.0 +0100 +++ libjwt-1.10.2/debian/patches/CVE-2024-25189-1.patch 2024-02-19 22:03:02.0 +0100 @@ -0,0 +1,130 @@ +commit f73bac57c5bece16ac24f1a70022aa34355fc1bf +Author: Ben Collins +Date: Fri Feb 9 09:03:35 2024 -0500 + +Implement a safer strcmp() function + +As noted, the strcmp() function can be used for time-based side attacks. + +I tried to test this and could not find a reasonable way to implement +this attack for several reasons: + +1) strcmp() is optimized to compare 4 and 8 bytes at a time when possible + on almost every modern system, making the attack almost impossible. +2) Running 128 million iterations of strcmp() for a single byte attack + gave sub-nanosecond average differences (locally on same excution stack) + and almost as often as the comparison was correct, it was also wrong in + the reverse sense (i.e. two byte strcmp() took less time than single + byte). +3) Adding noise from network, application stack, web server, etc. would + only add to the failure rate of guessing the differences above. + +Erwan noted that there are proofs out there showing that signal noise +reduction can make this guessing more "accurate", but this proof also +noted it would take up to 4 billion guesses to completely cover this +attack surface. The claim was that 50k attempts per second would break +a 256-bit hmac in 22 hours. While this isn't impossible, it's very +implausible. + +However, for the sake of cryptographic correctness, I implemented +jwt_strcmp() which always compares all bytes, and does so up to the +longest string in the 2-string set, without passing string boundaries. + +This makes it time-consistent for len(max(a,b)) comparisons. I proofed +this using a 128 million interation average for various scenarious. + +Reported-by: Erwan Legrand +Signed-off-by: Ben Collins + +Index: libjwt-1.10.2/libjwt/jwt-gnutls.c +=== +--- libjwt-1.10.2.orig/libjwt/jwt-gnutls.c 2024-02-19 22:38:58.575655983 +0100 libjwt-1.10.2/libjwt/jwt-gnutls.c 2024-02-19 22:38:58.571655984 +0100 +@@ -90,7 +90,7 @@ + jwt_Base64encode(buf, sig_check, len); + jwt_base64uri_encode(buf); + +- if (!strcmp(sig, buf)) ++ if (!jwt_strcmp(sig, buf)) + ret = 0; + + free(sig_check); +Index: libjwt-1.10.2/libjwt/jwt-openssl.c +=== +--- libjwt-1.10.2.orig/libjwt/jwt-openssl.c2024-02-19 22:38:58.575655983 +0100 libjwt-1.10.2/libjwt/jwt-openssl.c 2024-02-19 22:38:58.571655984 +0100 +@@ -140,7 +140,7 @@ + jwt_base64uri_encode(buf); + + /* And now... */ +- ret = strcmp(buf, sig) ? EINVAL : 0; ++ ret = jwt_strcmp(buf, sig) ? EINVAL : 0; + + jwt_verify_hmac_done: + BIO_free_all(b64); +Index: libjwt-1.10.2/libjwt/jwt
Bug#1064550: bullseye-pu: libjwt/1.10.2-1+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu The attached debdiff for libjwt fixes CVE-2024-25189 in Bullseye. It is marked as no-dsa by the security team. The fix is straightfoward and should not make any problems. Thorsten diff -Nru libjwt-1.10.2/debian/changelog libjwt-1.10.2/debian/changelog --- libjwt-1.10.2/debian/changelog 2019-07-14 19:03:00.0 +0200 +++ libjwt-1.10.2/debian/changelog 2024-02-20 23:03:02.0 +0100 @@ -1,3 +1,10 @@ +libjwt (1.10.2-1+deb11u1) bullseye; urgency=medium + + * CVE-2024-25189 (Closes: #1063534) +fix a timing side channel via strcmp() + + -- Thorsten Alteholz Tue, 20 Feb 2024 23:03:02 +0100 + libjwt (1.10.2-1) unstable; urgency=medium * New upstream release diff -Nru libjwt-1.10.2/debian/libjwt0.symbols libjwt-1.10.2/debian/libjwt0.symbols --- libjwt-1.10.2/debian/libjwt0.symbols2019-01-13 15:13:51.0 +0100 +++ libjwt-1.10.2/debian/libjwt0.symbols2024-02-20 23:03:02.0 +0100 @@ -38,5 +38,6 @@ jwt_sign_sha_hmac@Base 1.9.0 jwt_sign_sha_pem@Base 1.9.0 jwt_str_alg@Base 1.9.0 + jwt_strcmp@Base 1.10.2 jwt_verify_sha_hmac@Base 1.9.0 jwt_verify_sha_pem@Base 1.9.0 diff -Nru libjwt-1.10.2/debian/libjwt-gnutls0.symbols libjwt-1.10.2/debian/libjwt-gnutls0.symbols --- libjwt-1.10.2/debian/libjwt-gnutls0.symbols 2019-01-13 15:13:51.0 +0100 +++ libjwt-1.10.2/debian/libjwt-gnutls0.symbols 2024-02-20 23:03:02.0 +0100 @@ -38,5 +38,6 @@ jwt_sign_sha_hmac@Base 1.9.0 jwt_sign_sha_pem@Base 1.9.0 jwt_str_alg@Base 1.9.0 + jwt_strcmp@Base 1.10.2 jwt_verify_sha_hmac@Base 1.9.0 jwt_verify_sha_pem@Base 1.9.0 diff -Nru libjwt-1.10.2/debian/patches/CVE-2024-25189-1.patch libjwt-1.10.2/debian/patches/CVE-2024-25189-1.patch --- libjwt-1.10.2/debian/patches/CVE-2024-25189-1.patch 1970-01-01 01:00:00.0 +0100 +++ libjwt-1.10.2/debian/patches/CVE-2024-25189-1.patch 2024-02-20 23:03:02.0 +0100 @@ -0,0 +1,130 @@ +commit f73bac57c5bece16ac24f1a70022aa34355fc1bf +Author: Ben Collins +Date: Fri Feb 9 09:03:35 2024 -0500 + +Implement a safer strcmp() function + +As noted, the strcmp() function can be used for time-based side attacks. + +I tried to test this and could not find a reasonable way to implement +this attack for several reasons: + +1) strcmp() is optimized to compare 4 and 8 bytes at a time when possible + on almost every modern system, making the attack almost impossible. +2) Running 128 million iterations of strcmp() for a single byte attack + gave sub-nanosecond average differences (locally on same excution stack) + and almost as often as the comparison was correct, it was also wrong in + the reverse sense (i.e. two byte strcmp() took less time than single + byte). +3) Adding noise from network, application stack, web server, etc. would + only add to the failure rate of guessing the differences above. + +Erwan noted that there are proofs out there showing that signal noise +reduction can make this guessing more "accurate", but this proof also +noted it would take up to 4 billion guesses to completely cover this +attack surface. The claim was that 50k attempts per second would break +a 256-bit hmac in 22 hours. While this isn't impossible, it's very +implausible. + +However, for the sake of cryptographic correctness, I implemented +jwt_strcmp() which always compares all bytes, and does so up to the +longest string in the 2-string set, without passing string boundaries. + +This makes it time-consistent for len(max(a,b)) comparisons. I proofed +this using a 128 million interation average for various scenarious. + +Reported-by: Erwan Legrand +Signed-off-by: Ben Collins + +Index: libjwt-1.10.2/libjwt/jwt-gnutls.c +=== +--- libjwt-1.10.2.orig/libjwt/jwt-gnutls.c 2024-02-19 22:38:58.575655983 +0100 libjwt-1.10.2/libjwt/jwt-gnutls.c 2024-02-19 22:38:58.571655984 +0100 +@@ -90,7 +90,7 @@ + jwt_Base64encode(buf, sig_check, len); + jwt_base64uri_encode(buf); + +- if (!strcmp(sig, buf)) ++ if (!jwt_strcmp(sig, buf)) + ret = 0; + + free(sig_check); +Index: libjwt-1.10.2/libjwt/jwt-openssl.c +=== +--- libjwt-1.10.2.orig/libjwt/jwt-openssl.c2024-02-19 22:38:58.575655983 +0100 libjwt-1.10.2/libjwt/jwt-openssl.c 2024-02-19 22:38:58.571655984 +0100 +@@ -140,7 +140,7 @@ + jwt_base64uri_encode(buf); + + /* And now... */ +- ret = strcmp(buf, sig) ? EINVAL : 0; ++ ret = jwt_strcmp(buf, sig) ? EINVAL : 0; + + jwt_verify_hmac_done: + BIO_free_all(b64); +Index: libjwt-1.10.2/libjwt/jwt
Bug#1063534: [Debian-iot-maintainers] Bug#1063534: libjwt: CVE-2024-25189
Hi Moritz, thanks for the bug. Upstream knows about the issue and already fixed it [1] + [2]. Thorsten [1] https://github.com/benmcollins/libjwt/commit/f73bac57c5bece16ac24f1a70022aa34355fc1bf [2] https://github.com/benmcollins/libjwt/commit/a5d61ef4f1b383876e0a78534383f38159471fd6
Bug#1062371: reverse dependencies
Control: tags -1 + moreinfo Hi Andreas, please remove the moreinfo tag again after all reverse dependencies have been handled. Thorsten
Bug#1060186: bookworm-pu: libde265/1.0.11-1+deb12u2
On 29.01.24 23:02, Adam D. Barratt wrote: Please go ahead. great, thanks ... ... and done. Thorsten
Bug#1060185: bullseye-pu: libde265/1.0.11-0+deb11u3
On 01.02.24 07:37, Adam D. Barratt wrote: Please go ahead. great, thanks ... ... and done. Thorsten
Bug#1060326: reverse dependencies
On 17.01.24 23:52, IOhannes m zmölnig (Debian/GNU) wrote: what is required from my side? do i need to contact the maintainers of these packages to coordinate? someone needs to file the RM-bugs (please one bug for each package). It would be best if the maintainer is involved in this or at least knows about it. Thorsten
Bug#1061114: reverse dependency
Control: tags -1 + moreinfo Hi Andreas, there is a reverse dependency that needs to be taken care of: Checking reverse dependencies... # Broken Depends: qcumber: qcumber In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1061113: reverse dependency
Control: tags -1 + moreinfo Hi Alexandre, there is a reverse dependency that needs to be taken care of: Checking reverse dependencies... # Broken Build-Depends: commando: python3-fswrap In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1060453: reverse dependencie
Control: tags -1 + moreinfo Hi Anton, there are reverse dependencies that need to be taken care of: Checking reverse dependencies... # Broken Depends: ceph: ceph-common ceph-mgr ceph-mon ceph-osd librados-dev librados2 librgw2 radosgw dogecoin: dogecoin graph-tool: python3-graph-tool [ppc64el] i2pd: i2pd [armel] lomiri-thumbnailer: lomiri-thumbnailer-service [riscv64] openems: libnf2ff0 [amd64 arm64 i386 mips64el ppc64el riscv64 s390x] libopenems0 [amd64 arm64 i386 mips64el ppc64el riscv64 s390x] slic3r: slic3r [i386] slic3r-prusa: prusa-slicer [s390x] srslte: srsenb [amd64 arm64 armel armhf i386 mips64el ppc64el s390x] srsepc [amd64 arm64 armel armhf i386 mips64el ppc64el s390x] srsue [amd64 arm64 armel armhf i386 mips64el ppc64el s390x] swift-im: libswiften-dev libswiften0 vg: vg [amd64 mips64el] vowpal-wabbit: libvw0 [amd64 i386] xrt: libxrt-utils [amd64] libxrt1 [amd64 arm64] # Broken Build-Depends: brewtarget: libboost1.74-dev dmrgpp: libboost1.74-dev In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1060326: reverse dependencies
Control: tags -1 + moreinfo Hi IOhannes, there are reverse dependencies that need to be taken care of: Checking reverse dependencies... # Broken Depends: obs-3d-effect: obs-3d-effect obs-advanced-scene-switcher: obs-advanced-scene-switcher obs-ashmanix-blur-filter: obs-ashmanix-blur-filter obs-ashmanix-countdown: obs-ashmanix-countdown obs-color-monitor: obs-color-monitor obs-command-source: obs-command-source obs-downstream-keyer: obs-downstream-keyer obs-gradient-source: obs-gradient-source obs-move-transition: obs-move-transition obs-ptz: obs-ptz obs-scene-as-transition: obs-scene-as-transition obs-scene-collection-manager: obs-scene-collection-manager obs-scene-notes-dock: obs-scene-notes-dock obs-scene-tree-view: obs-scene-tree-view obs-source-clone: obs-source-clone obs-source-copy: obs-source-copy obs-time-source: obs-time-source obs-transition-table: obs-transition-table obs-vintage-filter: obs-vintage-filter obs-websocket: obs-websocket # Broken Build-Depends: looking-glass: libobs-dev obs-3d-effect: libobs-dev (29 >=) obs-advanced-scene-switcher: libobs-dev (26.1.2 >=) obs-ashmanix-blur-filter: libobs-dev obs-ashmanix-countdown: libobs-dev (29 >=) obs-color-monitor: libobs-dev (29 >=) obs-command-source: libobs-dev (29 >=) obs-downstream-keyer: libobs-dev (29 >=) obs-gradient-source: libobs-dev (29 >=) obs-move-transition: libobs-dev (28.0.1 >=) obs-ptz: libobs-dev obs-scene-as-transition: libobs-dev (29 >=) obs-scene-collection-manager: libobs-dev (28.0.1 >=) obs-scene-notes-dock: libobs-dev (29 >=) obs-scene-tree-view: libobs-dev (29 >=) obs-source-clone: libobs-dev (29 >=) obs-source-copy: libobs-dev (29 >=) obs-time-source: libobs-dev obs-transition-table: libobs-dev (29 >=) obs-vintage-filter: libobs-dev (29 >=) obs-websocket: libobs-dev (26.1 >=) In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1060454: reverse dependency
Control: tags -1 + moreinfo Hi Anton, there are reverse dependencies that needs to be taken care of: Checking reverse dependencies... # Broken Build-Depends: pbcopper: libboost1.81-dev r-cran-openmx: libboost-system1.81-dev In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1060186: bookworm-pu: libde265/1.0.11-1+deb12u2
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu The attached debdiff for libde265 fixes CVE-2023-49468, CVE-2023-49467 and CVE-2023-49465 in Bookworm. All CVEs are marked as no-dsa by the security team. The fix was already uploaded to Stretch and nobody complained up to now. Thorsten diff -Nru libde265-1.0.11/debian/changelog libde265-1.0.11/debian/changelog --- libde265-1.0.11/debian/changelog2023-11-26 13:03:02.0 +0100 +++ libde265-1.0.11/debian/changelog2023-12-29 23:03:02.0 +0100 @@ -1,3 +1,16 @@ +libde265 (1.0.11-1+deb12u2) bookworm; urgency=medium + + * Non-maintainer upload by the LTS Team. +(Closes: #1059275) + * CVE-2023-49465 +heap-buffer-overflow in derive_spatial_luma_vector_prediction() + * CVE-2023-49467 +heap-buffer-overflow in derive_combined_bipredictive_merging_candidates() + * CVE-2023-49468 +global buffer overflow in read_coding_unit() + + -- Thorsten Alteholz Fri, 29 Dec 2023 23:03:02 +0100 + libde265 (1.0.11-1+deb12u1) bookworm; urgency=medium * Non-maintainer upload by the LTS Team. diff -Nru libde265-1.0.11/debian/patches/CVE-2023-49465.patch libde265-1.0.11/debian/patches/CVE-2023-49465.patch --- libde265-1.0.11/debian/patches/CVE-2023-49465.patch 1970-01-01 01:00:00.0 +0100 +++ libde265-1.0.11/debian/patches/CVE-2023-49465.patch 2023-12-26 00:54:10.0 +0100 @@ -0,0 +1,26 @@ +commit 1475c7d2f0a6dc35c27e18abc4db9679bfd32568 +Author: Dirk Farin +Date: Thu Nov 23 19:43:55 2023 +0100 + +possible fix for #435 + +Index: libde265-1.0.11/libde265/motion.cc +=== +--- libde265-1.0.11.orig/libde265/motion.cc2023-12-26 00:54:05.172996659 +0100 libde265-1.0.11/libde265/motion.cc 2023-12-26 00:54:05.168996661 +0100 +@@ -1859,7 +1859,14 @@ + logmvcand(vi); + + const de265_image* imgX = NULL; +- if (vi.predFlag[X]) imgX = ctx->get_image(shdr->RefPicList[X][ vi.refIdx[X] ]); ++ if (vi.predFlag[X]) { ++if (vi.refIdx[X] < 0 || vi.refIdx[X] >= MAX_NUM_REF_PICS) { ++ return; ++} ++ ++imgX = ctx->get_image(shdr->RefPicList[X][ vi.refIdx[X] ]); ++ } ++ + const de265_image* imgY = NULL; + if (vi.predFlag[Y]) imgY = ctx->get_image(shdr->RefPicList[Y][ vi.refIdx[Y] ]); + diff -Nru libde265-1.0.11/debian/patches/CVE-2023-49467.patch libde265-1.0.11/debian/patches/CVE-2023-49467.patch --- libde265-1.0.11/debian/patches/CVE-2023-49467.patch 1970-01-01 01:00:00.0 +0100 +++ libde265-1.0.11/debian/patches/CVE-2023-49467.patch 2023-12-26 00:53:43.0 +0100 @@ -0,0 +1,22 @@ +commit 7e4faf254bbd2e52b0f216cb987573a2cce97b54 +Author: Dirk Farin +Date: Thu Nov 23 19:38:34 2023 +0100 + +prevent endless loop for #434 input + +diff --git a/libde265/slice.cc b/libde265/slice.cc +index 435123dc..3a8a8de1 100644 +--- a/libde265/slice.cc b/libde265/slice.cc +@@ -2582,6 +2582,11 @@ static int decode_rqt_root_cbf(thread_context* tctx) + + static int decode_ref_idx_lX(thread_context* tctx, int numRefIdxLXActive) + { ++ // prevent endless loop when 'numRefIdxLXActive' is invalid ++ if (numRefIdxLXActive <= 1) { ++return 0; ++ } ++ + logtrace(LogSlice,"# ref_idx_lX\n"); + + int cMax = numRefIdxLXActive-1; diff -Nru libde265-1.0.11/debian/patches/CVE-2023-49468.patch libde265-1.0.11/debian/patches/CVE-2023-49468.patch --- libde265-1.0.11/debian/patches/CVE-2023-49468.patch 1970-01-01 01:00:00.0 +0100 +++ libde265-1.0.11/debian/patches/CVE-2023-49468.patch 2023-12-26 00:53:43.0 +0100 @@ -0,0 +1,26 @@ +commit 3e822a3ccf88df1380b165d6ce5a00494a27ceeb +Author: Dirk Farin +Date: Thu Nov 23 19:11:34 2023 +0100 + +fix #432 (undefined IPM) + +diff --git a/libde265/image.h b/libde265/image.h +index 0b536054..0a0c0e32 100644 +--- a/libde265/image.h b/libde265/image.h +@@ -624,7 +624,14 @@ public: + + enum IntraPredMode get_IntraPredMode(int x,int y) const + { +-return (enum IntraPredMode)intraPredMode.get(x,y); ++uint8_t ipm = intraPredMode.get(x,y); ++ ++// sanitize values if IPM is uninitialized (because of earlier read error) ++if (ipm > 34) { ++ ipm = 0; ++} ++ ++return static_cast(ipm); + } + + enum IntraPredMode get_IntraPredMode_atIndex(int idx) const diff -Nru libde265-1.0.11/debian/patches/series libde265-1.0.11/debian/patches/series --- libde265-1.0.11/debian/patches/series 2023-11-21 19:08:07.0 +0100 +++ libde265-1.0.11/debian/patches/series 2023-12-26 00:54:03.0 +0100 @@ -9,3 +9,6 @@ CVE-2023-43887.patch CVE-2023-47471.patch +CVE-2023-49465.patch +CVE-2023-49467.patch +CVE-2023-49468.patch
Bug#1060185: bullseye-pu: libde265/1.0.11-0+deb11u3
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu The attached debdiff for libde265 fixes CVE-2023-49468, CVE-2023-49467 and CVE-2023-49465 in Bullseye. All CVEs are marked as no-dsa by the security team. The fix was already uploaded to Stretch and nobody complained up to now. Thorsten diff -Nru libde265-1.0.11/debian/changelog libde265-1.0.11/debian/changelog --- libde265-1.0.11/debian/changelog2023-11-26 13:03:02.0 +0100 +++ libde265-1.0.11/debian/changelog2023-12-29 23:03:02.0 +0100 @@ -1,3 +1,16 @@ +libde265 (1.0.11-0+deb11u3) bullseye; urgency=high + + * Non-maintainer upload by the LTS Team. +(Closes: #1059275) + * CVE-2023-49465 +heap-buffer-overflow in derive_spatial_luma_vector_prediction() + * CVE-2023-49467 +heap-buffer-overflow in derive_combined_bipredictive_merging_candidates() + * CVE-2023-49468 +global buffer overflow in read_coding_unit() + + -- Thorsten Alteholz Fri, 29 Dec 2023 23:03:02 +0100 + libde265 (1.0.11-0+deb11u2) bullseye; urgency=high * Non-maintainer upload by the LTS Team. diff -Nru libde265-1.0.11/debian/patches/CVE-2023-49465.patch libde265-1.0.11/debian/patches/CVE-2023-49465.patch --- libde265-1.0.11/debian/patches/CVE-2023-49465.patch 1970-01-01 01:00:00.0 +0100 +++ libde265-1.0.11/debian/patches/CVE-2023-49465.patch 2023-12-29 23:03:02.0 +0100 @@ -0,0 +1,26 @@ +commit 1475c7d2f0a6dc35c27e18abc4db9679bfd32568 +Author: Dirk Farin +Date: Thu Nov 23 19:43:55 2023 +0100 + +possible fix for #435 + +Index: libde265-1.0.11/libde265/motion.cc +=== +--- libde265-1.0.11.orig/libde265/motion.cc2023-12-26 00:54:05.172996659 +0100 libde265-1.0.11/libde265/motion.cc 2023-12-26 00:54:05.168996661 +0100 +@@ -1859,7 +1859,14 @@ + logmvcand(vi); + + const de265_image* imgX = NULL; +- if (vi.predFlag[X]) imgX = ctx->get_image(shdr->RefPicList[X][ vi.refIdx[X] ]); ++ if (vi.predFlag[X]) { ++if (vi.refIdx[X] < 0 || vi.refIdx[X] >= MAX_NUM_REF_PICS) { ++ return; ++} ++ ++imgX = ctx->get_image(shdr->RefPicList[X][ vi.refIdx[X] ]); ++ } ++ + const de265_image* imgY = NULL; + if (vi.predFlag[Y]) imgY = ctx->get_image(shdr->RefPicList[Y][ vi.refIdx[Y] ]); + diff -Nru libde265-1.0.11/debian/patches/CVE-2023-49467.patch libde265-1.0.11/debian/patches/CVE-2023-49467.patch --- libde265-1.0.11/debian/patches/CVE-2023-49467.patch 1970-01-01 01:00:00.0 +0100 +++ libde265-1.0.11/debian/patches/CVE-2023-49467.patch 2023-12-29 23:03:02.0 +0100 @@ -0,0 +1,22 @@ +commit 7e4faf254bbd2e52b0f216cb987573a2cce97b54 +Author: Dirk Farin +Date: Thu Nov 23 19:38:34 2023 +0100 + +prevent endless loop for #434 input + +diff --git a/libde265/slice.cc b/libde265/slice.cc +index 435123dc..3a8a8de1 100644 +--- a/libde265/slice.cc b/libde265/slice.cc +@@ -2582,6 +2582,11 @@ static int decode_rqt_root_cbf(thread_context* tctx) + + static int decode_ref_idx_lX(thread_context* tctx, int numRefIdxLXActive) + { ++ // prevent endless loop when 'numRefIdxLXActive' is invalid ++ if (numRefIdxLXActive <= 1) { ++return 0; ++ } ++ + logtrace(LogSlice,"# ref_idx_lX\n"); + + int cMax = numRefIdxLXActive-1; diff -Nru libde265-1.0.11/debian/patches/CVE-2023-49468.patch libde265-1.0.11/debian/patches/CVE-2023-49468.patch --- libde265-1.0.11/debian/patches/CVE-2023-49468.patch 1970-01-01 01:00:00.0 +0100 +++ libde265-1.0.11/debian/patches/CVE-2023-49468.patch 2023-12-29 23:03:02.0 +0100 @@ -0,0 +1,26 @@ +commit 3e822a3ccf88df1380b165d6ce5a00494a27ceeb +Author: Dirk Farin +Date: Thu Nov 23 19:11:34 2023 +0100 + +fix #432 (undefined IPM) + +diff --git a/libde265/image.h b/libde265/image.h +index 0b536054..0a0c0e32 100644 +--- a/libde265/image.h b/libde265/image.h +@@ -624,7 +624,14 @@ public: + + enum IntraPredMode get_IntraPredMode(int x,int y) const + { +-return (enum IntraPredMode)intraPredMode.get(x,y); ++uint8_t ipm = intraPredMode.get(x,y); ++ ++// sanitize values if IPM is uninitialized (because of earlier read error) ++if (ipm > 34) { ++ ipm = 0; ++} ++ ++return static_cast(ipm); + } + + enum IntraPredMode get_IntraPredMode_atIndex(int idx) const diff -Nru libde265-1.0.11/debian/patches/series libde265-1.0.11/debian/patches/series --- libde265-1.0.11/debian/patches/series 2023-11-21 19:01:52.0 +0100 +++ libde265-1.0.11/debian/patches/series 2023-12-29 23:03:02.0 +0100 @@ -8,3 +8,7 @@ CVE-2023-27103.patch CVE-2023-43887.patch CVE-2023-47471.patch + +CVE-2023-49465.patch +CVE-2023-49467.patch +CVE-2023-49468.patch
Bug#1055439: reverse dependency
Control: tags -1 + moreinfo Hi Andreas, there is a reverse dependency that needs to be taken care of: Checking reverse dependencies... # Broken Build-Depends: libpod: golang-github-docker-go-plugins-helpers-dev In case it matters, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1056738: bullseye-pu: minizip/1.1-8+deb11u1
On Tue, 19 Dec 2023, Jonathan Wiltshire wrote: Please go ahead. great, thanks ... ... and uploaded. Thorsten
Bug#1056935: bullseye-pu: libde265/1.0.11-0+deb11u2
On Tue, 19 Dec 2023, Jonathan Wiltshire wrote: Please go ahead. great, thanks ... ... and uploaded. Thorsten
Bug#1056785: reverse dependency
Control: tags -1 + moreinfo Hi Matthias, there is a reverse dependency that needs to be taken care of: Checking reverse dependencies... # Broken Depends: python3.10: libpython3.10-dbg libpython3.10-stdlib # Broken Build-Depends: python3.10: libmpdec-dev (2.5.1~ >=) In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1050069: reverse dependencies
Control: tags -1 + moreinfo Hi Sylvestre, there are reverse dependencies that need to be taken care of: Checking reverse dependencies... # Broken Depends: aflplusplus: afl++ bpftrace: bpftrace [amd64 arm64 armhf ppc64el s390x] castxml: castxml [mips64el] clazy: clazy [amd64 arm64 armel armhf mips64el ppc64el riscv64 s390x] clazy-tests [amd64 arm64 armel armhf mips64el ppc64el riscv64 s390x] crystal: crystal [amd64] emscripten: emscripten ghdl: ghdl-llvm [arm64] google-android-installers/non-free: google-android-extras-google-auto-installer [amd64] halide: libhalide14-0 [i386] libhalide14-0-dev [i386] intel-graphics-compiler: libigc-tools [amd64] libigc1 [amd64 i386] libigdfcl1 [amd64 i386] iwyu: iwyu llvmlite: python3-llvmlite [amd64 arm64 armel armhf i386 mips64el ppc64el s390x] oclgrind: liboclgrind-21.10 [amd64 arm64 armel armhf i386 mips64el ppc64el riscv64] opencl-clang-14: libopencl-clang14 openvdb: libopenvdb-ax-tools libopenvdb-ax10.0 spirv-llvm-translator-14: libllvmspirvlib14 llvm-spirv-14 starpu-contrib/contrib: starpu-contrib-examples [amd64] # Broken Build-Depends: aflplusplus: clang-14 lld-14 llvm-14-dev aspectc++: libclang-14-dev libpolly-14-dev llvm-14-dev bpftrace: clang-14 libclang-14-dev llvm-14-dev crystal: lld-14 llvm-14-dev emscripten: clang-14 lld-14 llvm-14 firefox: clang-14 libc++-14-dev-wasm32 libclang-14-dev libclang-rt-14-dev-wasm32 lld-14 llvm-14-dev firefox-esr: clang-14 libc++-14-dev-wasm32 libclang-14-dev libclang-rt-14-dev-wasm32 lld-14 llvm-14-dev intel-graphics-compiler: clang-14 liblld-14-dev llvm-14-dev intel-vc-intrinsics: llvm-14-dev iwyu: clang-14 libclang-14-dev llvm-14-dev llvmlite: llvm-14-dev oclgrind: clang-14 libclang-14-dev libpolly-14-dev llvm-14-dev opencl-clang-14: clang-14 libclang-14-dev libclang-cpp14-dev llvm-14-dev openvdb: llvm-14-dev spirv-llvm-translator-14: clang-14 libclang-14-dev llvm-14-dev triton: libmlir-14-dev mlir-14-tools vboot-utils: clang-14 libfuzzer-14-dev wasi-libc: clang-14 llvm-14 In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1052199: reverse dependencies
Control: tags -1 + moreinfo Hi David, there are reverse dependencies that need to be taken care of: Checking reverse dependencies... # Broken Depends: forensics-extra: forensics-extra # Broken Build-Depends: libz-mingw-w64: pev In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1058701: pm-utils: unauthorised and uncommunicated removal
Hi Ian, On Thu, 21 Dec 2023, Ian Jackson wrote: I have just become aware of #1058701 via the automated email that resulted from the removal of pm-utils. this is sad. The RM bug appeared on the tracker page of the package, in your packages overview, on the ftpmaster removals page (or on the bug page). It was also sent to debian-bugs-dist@lists.debian.org. Where would have been a better place to draw your attention to it? I am still using this package. I'm sure others are. The package *is* maintained in Debian. Hmm, the standards version is 3.9.7, the VCS URLs point to a no longer existing repository, the last upload was in 2019. This looks rather like an abandoned package. But of course, your mileage may vary I intend to re-upload the last version shortly (and reopen all the bug reports). Yes, please do so. Thorsten
Bug#1058935: reverse dependencies
Control: tags -1 + moreinfo Hi Luca, there are reverse dependencies that need to be taken care of: Checking reverse dependencies... # Broken Build-Depends: collectd: libdpdk-dev openvswitch: libdpdk-dev (22.11.3-2~ >=) uhd: libdpdk-dev (20 >=) In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1058652: reverse dependencies
Control: tags -1 + moreinfo Hi Noah, there are reverse dependencies that need to be taken care of: Checking reverse dependencies... # Broken Depends: debian-cloud-images: debian-cloud-images-packages [amd64 arm64] heat-cfntools: heat-cfntools toil: toil # Broken Build-Depends: heat-cfntools: python3-boto python-bioblend: python3-boto python-glance-store: python3-boto salt: python3-boto swift: python3-boto toil: python3-boto In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1057857: reverse dependencies
Control: tags -1 + moreinfo Hi Ilias, there are reverse dependencies that need to be taken care of. Please file for each package a different RM bug. Please remove the moreinfo tag once that is done. Thorsten
Bug#1049459: reverse dependencies
Hi Charles, On 07.12.23 12:17, Charles Plessy wrote: I just submitted bugs against courier and jool. Can I ask you to fix node-mime-types? You are Uploader of it… oh, my last upload was years ago. But I will try to fix it this weekend ... Looking at the source code, it seems that node-mime-types does not need mime-support at all. But if it does please build depend on media-types instead. Ok, thanks, this info helps. Thorsten
Bug#1056724: hplip: diff for NMU version 3.22.10+dfsg0-3.1
Hi Chris, thanks a lot for the debdiff. On 03.12.23 15:37, Chris Hofstaedtler wrote: Please feel free to tell me if I should delay it longer. yes, please let me do the upload by myself. I would like to do it this weekend. Thorsten
Bug#1057239: bookworm-pu: cups/2.4.2-3+deb12u5
On Sat, 2 Dec 2023, Adam D. Barratt wrote: Please go ahead. Great, thanks ... ... and uploaded Thorsten
Bug#1056934: bookworm-pu: libde265/1.0.11-1+deb12u1
On Sat, 2 Dec 2023, Adam D. Barratt wrote: Please go ahead. Great, thanks ... ... and uploaded Thorsten
Bug#1056737: bookworm-pu: minizip/1.1-8+deb12u1
On Sat, 2 Dec 2023, Adam D. Barratt wrote: Please go ahead. Great, thanks ... ... and uploaded Thorsten
Bug#1056614: reverse dependencies
Control: tags -1 + moreinfo Hi MigueL, there are reverse dependencies that need to be taken care of: Checking reverse dependencies... # Broken Depends: db2twitter: db2twitter retweet: retweet twitterwatch: twitterwatch # Broken Build-Depends: retweet: python3-tweepy In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Please file an RM bug for each package that should be removed. Thorsten
Bug#1057161: reverse dependencies
To: 1057...@bugs.debian.org Subject: reverse dependencies Control: tags -1 + moreinfo Hi Sebastian, there are reverse dependencies that need to be taken care of: Checking reverse dependencies... # Broken Depends: debian-design: design-desktop-animation ogre-1.9: blender-ogrexml-1.9 # Broken Build-Depends: gfpoken: blender In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1057046: reverse dependencies
Control: tags -1 + moreinfo Hi Matthias, there are reverse dependencies that need to be taken care of: Checking reverse dependencies... # Broken Build-Depends: gcc-9-cross: autoconf2.64 gcc-9-cross-mipsen: autoconf2.64 gcc-9-cross-ports: autoconf2.64 In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1057204: reverse dependencies
Control: tags -1 + moreinfo Hi Andreas, there are reverse dependencies that need to be taken care of: Checking reverse dependencies... # Broken Depends: r-bioc-hdf5array: r-bioc-hdf5array r-bioc-rhdf5: r-bioc-rhdf5 # Broken Build-Depends: r-bioc-hdf5array: r-bioc-rhdf5filters r-bioc-rhdf5: r-bioc-rhdf5filters In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1055957: reverse dependencies
Control: tags -1 + moreinfo Hi Chris, there are reverse dependencies that need to be taken care of: Checking reverse dependencies... # Broken Depends: netpipe: netpipe-pvm slpvm: slang-pvm tablix2: tablix2 # Broken Build-Depends: netpipe: pvm-dev slpvm: pvm-dev tablix2: pvm-dev In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1055867: reverse dependencies
Control: tags -1 + moreinfo Hi Stéphane, there are reverse dependencies that need to be taken care of: Checking reverse dependencies... # Broken Build-Depends: ocaml-cstruct: libmigrate-parsetree-ocaml-dev ocaml-odoc: libmigrate-parsetree-ocaml-dev ppx-import: libmigrate-parsetree-ocaml-dev In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1055839: reverse dependency
Control: tags -1 + moreinfo Hi Chris, there is a reverse dependency that needs to be taken care of: Checking reverse dependencies... # Broken Depends: dhis-mx-sendmail-engine: dhis-mx-sendmail-engine In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1053623: reverse dependencies
Control: tags -1 + moreinfo Hi Jeremy, there are reverse dependencies that need to be taken care of: Checking reverse dependencies... # Broken Depends: rust-ansi-parser: librust-ansi-parser-dev # Broken Build-Depends: rust-ansi-parser: librust-nom-4+std-dev librust-nom-4-dev In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1053166: reverse dependencies
Control: tags -1 + moreinfo Hi Bastian, there are reverse dependencies that need to be taken care of: Checking reverse dependencies... # Broken Depends: newtonsoft-json: nupkg-newtonsoft.json.6.0.8 nunit: nupkg-nunit.2.6.4 nupkg-nunit.mocks.2.6.4 nupkg-nunit.runners.2.6.4 In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1053153: reverse dependencies
Control: tags -1 + moreinfo Hi Bastian, there are reverse dependencies that need to be taken care of: Checking reverse dependencies... # Broken Depends: mono-tools: mono-profiler mono-tools-gui In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1049459: reverse dependencies
Control: tags -1 + moreinfo Hi Charles, there are reverse dependencies that need to be taken care of: Checking reverse dependencies... # Broken Build-Depends: courier: mime-support jool: mime-support node-mime-types: mime-support In case they matter, this needs to be addressed first. Please remove the moreinfo tag once that is done. Thorsten
Bug#1057239: bookworm-pu: cups/2.4.2-3+deb12u5
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu The attached debdiff for cups fixes a nasty bug in Bookworm. If the PPD file for a printer has a ColorModel option and the only choice for printing in color is not named RGB but CMYK instead, the printer cannot be made printing in color with intuitive methods, usually by selecting the color choice in the print dialog. The fix was already applied in Unstable/Testing and also uploaded to Ubuntu-Lunar and seems to work as expected. Thorsten diff -Nru cups-2.4.2/debian/changelog cups-2.4.2/debian/changelog --- cups-2.4.2/debian/changelog 2023-10-05 16:35:27.0 +0200 +++ cups-2.4.2/debian/changelog 2023-12-01 20:35:27.0 +0100 @@ -1,3 +1,15 @@ +cups (2.4.2-3+deb12u5) bookworm; urgency=medium + + * 0017-check-colormodel-also-for-CMYK.patch +Take into account that on some printers the ColorModel option's +choice for color printing is CMYK and not RGB. + * 0018-dont-override-color-settings-from-print-dialoag.patch +Prioritize the ColorModel PPD file option over the print-color-mode +IPP attribute. (Closes: #1056581) +(Thanks a lot to Till Kamppeter for the patches) + + -- Thorsten Alteholz Fri, 01 Dec 2023 20:35:27 +0100 + cups (2.4.2-3+deb12u4) bookworm; urgency=medium * remove debian/NEWS again to avoid too much information when only diff -Nru cups-2.4.2/debian/patches/0017-check-colormodel-also-for-CMYK.patch cups-2.4.2/debian/patches/0017-check-colormodel-also-for-CMYK.patch --- cups-2.4.2/debian/patches/0017-check-colormodel-also-for-CMYK.patch 1970-01-01 01:00:00.0 +0100 +++ cups-2.4.2/debian/patches/0017-check-colormodel-also-for-CMYK.patch 2023-12-01 20:35:27.0 +0100 @@ -0,0 +1,21 @@ +From: Thorsten Alteholz +Date: Sat, 2 Dec 2023 00:00:38 +0100 +Subject: check colormodel also for CMYK + +--- + scheduler/printers.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scheduler/printers.c b/scheduler/printers.c +index 4efa613..2fbdaad 100644 +--- a/scheduler/printers.c b/scheduler/printers.c +@@ -4509,7 +4509,7 @@ load_ppd(cupsd_printer_t *p) /* I - Printer */ + ppd_option_t *color_model = ppdFindOption(ppd, "ColorModel"); + // ColorModel PPD option + +-if (color_model && strcmp(color_model->defchoice, "RGB")) ++if (color_model && strcmp(color_model->defchoice, "RGB") && strcmp(color_model->defchoice, "CMYK")) + p->num_options = cupsAddOption("print-color-mode", "monochrome", p->num_options, >options); + } + } diff -Nru cups-2.4.2/debian/patches/0018-dont-override-color-settings-from-print-dialoag.patch cups-2.4.2/debian/patches/0018-dont-override-color-settings-from-print-dialoag.patch --- cups-2.4.2/debian/patches/0018-dont-override-color-settings-from-print-dialoag.patch 1970-01-01 01:00:00.0 +0100 +++ cups-2.4.2/debian/patches/0018-dont-override-color-settings-from-print-dialoag.patch 2023-12-01 20:35:27.0 +0100 @@ -0,0 +1,78 @@ +From: Thorsten Alteholz +Date: Sat, 2 Dec 2023 00:01:23 +0100 +Subject: dont override color settings from print dialoag + +--- + cups/ppd-cache.c | 39 +++ + scheduler/ipp.c | 3 +++ + 2 files changed, 38 insertions(+), 4 deletions(-) + +diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c +index 8861813..f72d834 100644 +--- a/cups/ppd-cache.c b/cups/ppd-cache.c +@@ -259,15 +259,46 @@ _cupsConvertOptions( + + color_attr_name = print_color_mode_sup ? "print-color-mode" : "output-mode"; + +- if ((keyword = cupsGetOption("print-color-mode", num_options, options)) == NULL) ++ /* ++ * If we use PPD with standardized PPD option for color support - ColorModel, ++ * prefer it to don't break color/grayscale support for PPDs, either classic ++ * or the ones generated from IPP Get-Printer-Attributes response. ++ */ ++ ++ if ((keyword = cupsGetOption("ColorModel", num_options, options)) == NULL) + { ++ /* ++* No ColorModel in options... ++*/ ++ + if ((choice = ppdFindMarkedChoice(ppd, "ColorModel")) != NULL) + { +- if (!_cups_strcasecmp(choice->choice, "Gray")) +- keyword = "monochrome"; ++ /* ++ * ColorModel is taken from PPD as its default option. ++ */ ++ ++ if (!strcmp(choice->choice, "Gray") || !strcmp(choice->choice, "FastGray") || !strcmp(choice->choice, "DeviceGray")) ++keyword = "monochrome"; + else +- keyword = "color"; ++keyword = "color"; + } ++else ++ /* ++ * print-color-mode is a default option since 2.4.1, use it as a fallback if there is
Bug#1056934: bookworm-pu: libde265/1.0.11-1+deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu The attached debdiff for libde265 fixes CVE-2023-27102, CVE-2023-27103, CVE-2023-43887 and CVE-2023-47471 in Bookworm. Except CVE-2023-43887 all others are marked as no-dsa by the security team (CVE-2023-43887 appeared recently and was not evaluated yet). The fix was already uploaded to Stretch and nobody complained up to now. Thorsten diff -Nru libde265-1.0.11/debian/changelog libde265-1.0.11/debian/changelog --- libde265-1.0.11/debian/changelog2023-02-02 16:06:20.0 +0100 +++ libde265-1.0.11/debian/changelog2023-11-26 13:03:02.0 +0100 @@ -1,3 +1,19 @@ +libde265 (1.0.11-1+deb12u1) bookworm; urgency=medium + + * Non-maintainer upload by the LTS Team. + * CVE-2023-27102 (Closes: #1033257) +fix segmentation violation in the +function decoder_context::process_slice_segment_header + * CVE-2023-27103 +fix heap buffer overflow in the +function derive_collocated_motion_vectors + * CVE-2023-43887 +fix buffer over-read in pic_parameter_set::dump + * CVE-2023-47471 (Closes: #1056187) +fix buffer overflow in the slice_segment_header function + + -- Thorsten Alteholz Sun, 26 Nov 2023 13:03:02 +0100 + libde265 (1.0.11-1) unstable; urgency=medium [ Tobias Frost ] diff -Nru libde265-1.0.11/debian/patches/CVE-2023-27102.patch libde265-1.0.11/debian/patches/CVE-2023-27102.patch --- libde265-1.0.11/debian/patches/CVE-2023-27102.patch 1970-01-01 01:00:00.0 +0100 +++ libde265-1.0.11/debian/patches/CVE-2023-27102.patch 2023-11-21 14:10:17.0 +0100 @@ -0,0 +1,23 @@ +commit 0b1752abff97cb542941d317a0d18aa50cb199b1 +Author: Dirk Farin +Date: Sat Mar 4 10:32:43 2023 +0100 + +check whether referenced PPS exists (fixes #393) + +Index: libde265-1.0.11/libde265/decctx.cc +=== +--- libde265-1.0.11.orig/libde265/decctx.cc2023-11-19 19:08:18.703219858 +0100 libde265-1.0.11/libde265/decctx.cc 2023-11-19 19:08:18.703219858 +0100 +@@ -2276,9 +2276,10 @@ + // get PPS and SPS for this slice + + int pps_id = hdr->slice_pic_parameter_set_id; +- if (pps[pps_id]->pps_read==false) { ++ if (pps[pps_id]==nullptr || pps[pps_id]->pps_read==false) { + logerror(LogHeaders, "PPS %d has not been read\n", pps_id); +-assert(false); // TODO ++img->decctx->add_warning(DE265_WARNING_NONEXISTING_PPS_REFERENCED, false); ++return false; + } + + current_pps = pps[pps_id]; diff -Nru libde265-1.0.11/debian/patches/CVE-2023-27103.patch libde265-1.0.11/debian/patches/CVE-2023-27103.patch --- libde265-1.0.11/debian/patches/CVE-2023-27103.patch 1970-01-01 01:00:00.0 +0100 +++ libde265-1.0.11/debian/patches/CVE-2023-27103.patch 2023-11-21 14:10:17.0 +0100 @@ -0,0 +1,54 @@ +commit d6bf73e765b7a23627bfd7a8645c143fd9097995 +Author: Dirk Farin +Date: Sat Mar 4 10:27:59 2023 +0100 + +check for valid slice header index access (fixes #394) + +Index: libde265-1.0.11/libde265/de265.cc +=== +--- libde265-1.0.11.orig/libde265/de265.cc 2023-11-19 19:08:22.851224558 +0100 libde265-1.0.11/libde265/de265.cc 2023-11-19 19:08:22.847224554 +0100 +@@ -174,6 +174,8 @@ + return "Bit-depth of current image does not match SPS"; + case DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH: + return "Chroma format of reference image does not match current image"; ++ case DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS: ++return "Access with invalid slice header index"; + + default: return "unknown error"; + } +Index: libde265-1.0.11/libde265/de265.h +=== +--- libde265-1.0.11.orig/libde265/de265.h 2023-11-19 19:08:22.851224558 +0100 libde265-1.0.11/libde265/de265.h 2023-11-19 19:08:22.847224554 +0100 +@@ -145,7 +145,8 @@ + DE265_WARNING_REFERENCE_IMAGE_SIZE_DOES_NOT_MATCH_SPS=1029, + DE265_WARNING_CHROMA_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1030, + DE265_WARNING_BIT_DEPTH_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1031, +- DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH=1032 ++ DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH=1032, ++ DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS=1033 + } de265_error; + + LIBDE265_API const char* de265_get_error_text(de265_error err); +Index: libde265-1.0.11/libde265/motion.cc +=== +--- libde265-1.0.11.orig/libde265/motion.cc2023-11-19 19:08:22.851224558 +0100 libde265-1.0.11/libde265/motion.cc 2023-11-19 19:08:22.847224554 +0100 +@@ -1266,6 +1266,16 @@ + + + ++ int slice_hdr_idx = colImg->get_SliceHeaderIndex(xColPb,yColPb); ++ if (slice_hdr_idx >= colImg->slices.size()) { ++
Bug#1056935: bullseye-pu: libde265/1.0.11-0+deb11u2
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu The attached debdiff for libde265 fixes CVE-2023-27102, CVE-2023-27103, CVE-2023-43887 and CVE-2023-47471 in Bullseye. Except CVE-2023-43887 all others are marked as no-dsa by the security team (CVE-2023-43887 appeared recently and was not evaluated yet). The fix was already uploaded to Stretch and nobody complained up to now. Thorsten diff -Nru libde265-1.0.11/debian/changelog libde265-1.0.11/debian/changelog --- libde265-1.0.11/debian/changelog2023-02-04 17:18:48.0 +0100 +++ libde265-1.0.11/debian/changelog2023-11-26 13:03:02.0 +0100 @@ -1,3 +1,19 @@ +libde265 (1.0.11-0+deb11u2) bullseye; urgency=high + + * Non-maintainer upload by the LTS Team. + * CVE-2023-27102 (Closes: #1033257) +fix segmentation violation in the +function decoder_context::process_slice_segment_header + * CVE-2023-27103 +fix heap buffer overflow in the +function derive_collocated_motion_vectors + * CVE-2023-43887 +fix buffer over-read in pic_parameter_set::dump + * CVE-2023-47471 (Closes: #1056187) +fix buffer overflow in the slice_segment_header function + + -- Thorsten Alteholz Sun, 26 Nov 2023 13:03:02 +0100 + libde265 (1.0.11-0+deb11u1) bullseye-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru libde265-1.0.11/debian/patches/CVE-2023-27102.patch libde265-1.0.11/debian/patches/CVE-2023-27102.patch --- libde265-1.0.11/debian/patches/CVE-2023-27102.patch 1970-01-01 01:00:00.0 +0100 +++ libde265-1.0.11/debian/patches/CVE-2023-27102.patch 2023-11-21 14:07:48.0 +0100 @@ -0,0 +1,23 @@ +commit 0b1752abff97cb542941d317a0d18aa50cb199b1 +Author: Dirk Farin +Date: Sat Mar 4 10:32:43 2023 +0100 + +check whether referenced PPS exists (fixes #393) + +Index: libde265-1.0.11/libde265/decctx.cc +=== +--- libde265-1.0.11.orig/libde265/decctx.cc2023-11-19 19:08:18.703219858 +0100 libde265-1.0.11/libde265/decctx.cc 2023-11-19 19:08:18.703219858 +0100 +@@ -2276,9 +2276,10 @@ + // get PPS and SPS for this slice + + int pps_id = hdr->slice_pic_parameter_set_id; +- if (pps[pps_id]->pps_read==false) { ++ if (pps[pps_id]==nullptr || pps[pps_id]->pps_read==false) { + logerror(LogHeaders, "PPS %d has not been read\n", pps_id); +-assert(false); // TODO ++img->decctx->add_warning(DE265_WARNING_NONEXISTING_PPS_REFERENCED, false); ++return false; + } + + current_pps = pps[pps_id]; diff -Nru libde265-1.0.11/debian/patches/CVE-2023-27103.patch libde265-1.0.11/debian/patches/CVE-2023-27103.patch --- libde265-1.0.11/debian/patches/CVE-2023-27103.patch 1970-01-01 01:00:00.0 +0100 +++ libde265-1.0.11/debian/patches/CVE-2023-27103.patch 2023-11-21 14:07:48.0 +0100 @@ -0,0 +1,54 @@ +commit d6bf73e765b7a23627bfd7a8645c143fd9097995 +Author: Dirk Farin +Date: Sat Mar 4 10:27:59 2023 +0100 + +check for valid slice header index access (fixes #394) + +Index: libde265-1.0.11/libde265/de265.cc +=== +--- libde265-1.0.11.orig/libde265/de265.cc 2023-11-19 19:08:22.851224558 +0100 libde265-1.0.11/libde265/de265.cc 2023-11-19 19:08:22.847224554 +0100 +@@ -174,6 +174,8 @@ + return "Bit-depth of current image does not match SPS"; + case DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH: + return "Chroma format of reference image does not match current image"; ++ case DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS: ++return "Access with invalid slice header index"; + + default: return "unknown error"; + } +Index: libde265-1.0.11/libde265/de265.h +=== +--- libde265-1.0.11.orig/libde265/de265.h 2023-11-19 19:08:22.851224558 +0100 libde265-1.0.11/libde265/de265.h 2023-11-19 19:08:22.847224554 +0100 +@@ -145,7 +145,8 @@ + DE265_WARNING_REFERENCE_IMAGE_SIZE_DOES_NOT_MATCH_SPS=1029, + DE265_WARNING_CHROMA_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1030, + DE265_WARNING_BIT_DEPTH_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1031, +- DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH=1032 ++ DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH=1032, ++ DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS=1033 + } de265_error; + + LIBDE265_API const char* de265_get_error_text(de265_error err); +Index: libde265-1.0.11/libde265/motion.cc +=== +--- libde265-1.0.11.orig/libde265/motion.cc2023-11-19 19:08:22.851224558 +0100 libde265-1.0.11/libde265/motion.cc 2023-11-19 19:08:22.847224554 +0100 +@@ -1266,6 +1266,16 @@ + + + ++ int slice_hdr_idx = colImg->get_SliceHeaderIndex(xColPb,yColPb); ++
Bug#1056737: bookworm-pu: minizip/1.1-8+deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu The attached debdiff for minizip fixes CVE-2023-45853 in Bookworm. This CVE has been marked as no-dsa by the security team. Chrome upstream added a test for their internal copy of minizip. Running this test against libminizip1 of this package worked as well, so I don't expect any problems. Thorsten diff -Nru minizip-1.1/debian/changelog minizip-1.1/debian/changelog --- minizip-1.1/debian/changelog2016-01-03 04:24:26.0 +0100 +++ minizip-1.1/debian/changelog2023-11-25 13:03:02.0 +0100 @@ -1,3 +1,11 @@ +minizip (1.1-8+deb12u1) bookworm; urgency=high + + * Non-maintainer upload by the LTS Team. + * CVE-2023-45853 (Closes: #1056719) +Reject overflows of zip header fields in minizip. + + -- Thorsten Alteholz Sat, 25 Nov 2023 13:03:02 +0100 + minizip (1.1-8) unstable; urgency=medium * Fix implicit function declaration. diff -Nru minizip-1.1/debian/patches/CVE-2023-45853.patch minizip-1.1/debian/patches/CVE-2023-45853.patch --- minizip-1.1/debian/patches/CVE-2023-45853.patch 1970-01-01 01:00:00.0 +0100 +++ minizip-1.1/debian/patches/CVE-2023-45853.patch 2023-11-18 17:51:11.0 +0100 @@ -0,0 +1,34 @@ +commit 73331a6a0481067628f065ffe87bb1d8f787d10c +Author: Hans Wennborg +Date: Fri Aug 18 11:05:33 2023 +0200 + +Reject overflows of zip header fields in minizip. + +This checks the lengths of the file name, extra field, and comment +that would be put in the zip headers, and rejects them if they are +too long. They are each limited to 65535 bytes in length by the zip +format. This also avoids possible buffer overflows if the provided +fields are too long. + +Index: minizip-1.1/zip.c +=== +--- minizip-1.1.orig/zip.c 2023-11-18 17:51:05.539763813 +0100 minizip-1.1/zip.c 2023-11-18 17:51:05.539763813 +0100 +@@ -1082,6 +1082,17 @@ + return ZIP_PARAMERROR; + #endif + ++// The filename and comment length must fit in 16 bits. ++if ((filename!=NULL) && (strlen(filename)>0x)) ++return ZIP_PARAMERROR; ++if ((comment!=NULL) && (strlen(comment)>0x)) ++return ZIP_PARAMERROR; ++// The extra field length must fit in 16 bits. If the member also requires ++// a Zip64 extra block, that will also need to fit within that 16-bit ++// length, but that will be checked for later. ++if ((size_extrafield_local>0x) || (size_extrafield_global>0x)) ++return ZIP_PARAMERROR; ++ + zi = (zip64_internal*)file; + + if (zi->in_opened_file_inzip == 1) diff -Nru minizip-1.1/debian/patches/series minizip-1.1/debian/patches/series --- minizip-1.1/debian/patches/series 2016-01-03 04:14:08.0 +0100 +++ minizip-1.1/debian/patches/series 2023-11-18 17:50:30.0 +0100 @@ -1,3 +1,5 @@ include.patch automake.patch traversal.patch + +CVE-2023-45853.patch
Bug#1056738: bullseye-pu: minizip/1.1-8+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu The attached debdiff for minizip fixes CVE-2023-45853 in Bullseye. This CVE has been marked as no-dsa by the security team. As this is the same version as in Bookworm, I don't expect any problems in Bullseye as well. Thorsten diff -Nru minizip-1.1/debian/changelog minizip-1.1/debian/changelog --- minizip-1.1/debian/changelog2016-01-03 04:24:26.0 +0100 +++ minizip-1.1/debian/changelog2023-11-25 13:03:02.0 +0100 @@ -1,3 +1,11 @@ +minizip (1.1-8+deb11u1) bullseye; urgency=high + + * Non-maintainer upload by the LTS Team. + * CVE-2023-45853 (Closes: #1056719) +Reject overflows of zip header fields in minizip. + + -- Thorsten Alteholz Sat, 25 Nov 2023 13:03:02 +0100 + minizip (1.1-8) unstable; urgency=medium * Fix implicit function declaration. diff -Nru minizip-1.1/debian/patches/CVE-2023-45853.patch minizip-1.1/debian/patches/CVE-2023-45853.patch --- minizip-1.1/debian/patches/CVE-2023-45853.patch 1970-01-01 01:00:00.0 +0100 +++ minizip-1.1/debian/patches/CVE-2023-45853.patch 2023-11-18 17:54:41.0 +0100 @@ -0,0 +1,34 @@ +commit 73331a6a0481067628f065ffe87bb1d8f787d10c +Author: Hans Wennborg +Date: Fri Aug 18 11:05:33 2023 +0200 + +Reject overflows of zip header fields in minizip. + +This checks the lengths of the file name, extra field, and comment +that would be put in the zip headers, and rejects them if they are +too long. They are each limited to 65535 bytes in length by the zip +format. This also avoids possible buffer overflows if the provided +fields are too long. + +Index: minizip-1.1/zip.c +=== +--- minizip-1.1.orig/zip.c 2023-11-18 17:51:05.539763813 +0100 minizip-1.1/zip.c 2023-11-18 17:51:05.539763813 +0100 +@@ -1082,6 +1082,17 @@ + return ZIP_PARAMERROR; + #endif + ++// The filename and comment length must fit in 16 bits. ++if ((filename!=NULL) && (strlen(filename)>0x)) ++return ZIP_PARAMERROR; ++if ((comment!=NULL) && (strlen(comment)>0x)) ++return ZIP_PARAMERROR; ++// The extra field length must fit in 16 bits. If the member also requires ++// a Zip64 extra block, that will also need to fit within that 16-bit ++// length, but that will be checked for later. ++if ((size_extrafield_local>0x) || (size_extrafield_global>0x)) ++return ZIP_PARAMERROR; ++ + zi = (zip64_internal*)file; + + if (zi->in_opened_file_inzip == 1) diff -Nru minizip-1.1/debian/patches/series minizip-1.1/debian/patches/series --- minizip-1.1/debian/patches/series 2016-01-03 04:14:08.0 +0100 +++ minizip-1.1/debian/patches/series 2023-11-18 17:54:50.0 +0100 @@ -1,3 +1,5 @@ include.patch automake.patch traversal.patch + +CVE-2023-45853.patch
Bug#1053511: Problem found
On 08.11.23 15:27, Debian wrote: Nov 08 14:24:04 PC audit[9568]: AVC apparmor="DENIED" operation="chown" profile="/usr/sbin/cupsd" name="/srv/ssd1/var/spool/cups/" pid=95> Nov 08 14:24:04 PC audit[9568]: AVC apparmor="DENIED" operation="mkdir" profile="/usr/sbin/cupsd" name="/srv/ssd1/var/log/cups/" pid=9568> But this looks rather like a local problem. If your /var/*/cups is not at the default location, you should adapt your apparmor files on your own, shouldn't you? Thorsten
Bug#1053511: Opened an issue at cups
On 07.11.23 17:55, Debian wrote: Is it possible to get somewhere the packages before the upgrade? https://snapshot.debian.org/ might help you.
Bug#1051939: ubpm_1.9.0+20230923-1_amd64.changes REJECTED
Hi Steve, On 26.10.23 05:23, Steven Robbins wrote: On Monday, October 23, 2023 1:00:09 P.M. CDT Thorsten Alteholz wrote: Hi, please ask upstream to add all licenses of embedded stuff like ./sources/plugins/shared/hidapi Could you expand on this request? Each file notes "At the discretion of the user of this library, this software may be licensed under the terms of the GNU General Public License v3, a BSD-Style license, ..." yes, but the sentence goes on: "..., or the original HIDAPI license as outlined in the LICENSE.txt, LICENSE-gpl3.txt, LICENSE-bsd.txt, and LICENSE-orig.txt" The GPL is ok, but the BSD-Style license is not at all unambiguous and what is the contents of LICENSE.txt and LICENSE-orig.txt? They should be "located at the root of the source distribution.", but they are not, hence my request. The debian/copyright specifies GPL-3: Files: sources/plugins/shared/hidapi/* Copyright: 2022, 2023 libusb/hidapi Team License: GPL-3 Yes but this is just a part of the license, at least the "... or BSD-3" is missing. According to Debian policy 12.5 a "verbatim copy of its distribution license(s)" need to appear in your debian/copyright. Sorry, that is a clear miss on my part. I will clarify the license or remove these before re-uploading. Ok, great, thanks a lot. Thorsten
Bug#1053542: package contains license CC-BY-2.5
Package: josm Version: 0.0.svn18646dfsg-1 Severity: serious User: alteh...@debian.org Usertags: license thanks Hi, unfortunately your package contains files with license: CC-BY-2.5 src/javax/annotation/* As you can see on [1] this license is not compatible with DFSG, so please remove the files or move the package to non-free. Thanks! Thorsten [1] https://wiki.debian.org/DFSGLicenses
Bug#1053541: package contains license CC-BY-2.5
Package: anki Version: 2.1.8dfsg-1 Severity: serious User: alteh...@debian.org Usertags: license thanks Hi, unfortunately your package contains a file with license: CC-BY-2.5 debian/browsersel.py As you can see on [1] this license is not compatible with DFSG, so please remove the file or move the package to non-free. Thanks! Thorsten [1] https://wiki.debian.org/DFSGLicenses
Bug#1053540: package contains license CC-BY-SA-2.0-uk
Package: libhtmlcleaner-java Version: 2.21-5 Severity: serious User: alteh...@debian.org Usertags: license thanks Hi, unfortunately your package contains a file with license: CC-BY-SA-2.0-uk src/test/resources/test23.html As you can see on [1] this license is not compatible with DFSG, so please remove the file or move the package to non-free. Thanks! Thorsten [1] https://wiki.debian.org/DFSGLicenses
Bug#1053539: package contains license CC-BY-2.0
Package: retroarch-assets Version: 1.7.6git20221024dfsg-3 Severity: serious User: alteh...@debian.org Usertags: license thanks Hi, unfortunately your package contains files with license: CC-BY-2.0 rgui/wallpaper/mystery_blocks* As you can see on [1] this license is not compatible with DFSG, so please remove the files or move the package to non-free. Thanks! Thorsten [1] https://wiki.debian.org/DFSGLicenses
Bug#1053523: bookworm-pu: cups/2.4.2-3+deb12u4
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu After uploading the fix for CVE-2023-4504 and CVE-2023-32360 to Buster I got some complaints: - the mentioned filename of the cupsd configuration contained a typo and several users were unsure what to do now ... - ... especially as the contents of debian/NEWS was also shown on computers where only cups client was installed. So this upload fixes the typo and removes debian/NEWS again, so that the text is only shown when cups-daemon will be updated. I know it is rather late for this, but maybe this makes things easier for our users. Thorsten diff -Nru cups-2.4.2/debian/changelog cups-2.4.2/debian/changelog --- cups-2.4.2/debian/changelog 2023-09-29 21:20:27.0 +0200 +++ cups-2.4.2/debian/changelog 2023-10-05 16:35:27.0 +0200 @@ -1,3 +1,11 @@ +cups (2.4.2-3+deb12u4) bookworm; urgency=medium + + * remove debian/NEWS again to avoid too much information when only +the client part is installed + * fix typo in config filename + + -- Thorsten Alteholz Thu, 05 Oct 2023 16:35:27 +0200 + cups (2.4.2-3+deb12u3) bookworm; urgency=medium * move debian/NEWS.Debian to debian/NEWS diff -Nru cups-2.4.2/debian/cups-daemon.NEWS cups-2.4.2/debian/cups-daemon.NEWS --- cups-2.4.2/debian/cups-daemon.NEWS 2023-09-29 21:20:27.0 +0200 +++ cups-2.4.2/debian/cups-daemon.NEWS 2023-10-05 16:35:27.0 +0200 @@ -4,7 +4,7 @@ unauthorized users to fetch documents over local or remote networks. Since this is a configuration fix, it might be that it does not reach you if you are updating 'cups-daemon' (rather than doing a fresh installation). - Please double check your /etc/cups/cupds.conf file, whether it limits the access + Please double check your /etc/cups/cupsd.conf file, whether it limits the access to CUPS-Get-Document with something like the following > >AuthType Default diff -Nru cups-2.4.2/debian/NEWS cups-2.4.2/debian/NEWS --- cups-2.4.2/debian/NEWS 2023-09-29 21:20:27.0 +0200 +++ cups-2.4.2/debian/NEWS 1970-01-01 01:00:00.0 +0100 @@ -1,16 +0,0 @@ -cups (2.4.2-3+deb12u3) bookworm; urgency=medium - - This release addresses a security issue (CVE-2023-32360) which allows - unauthorized users to fetch documents over local or remote networks. - Since this is a configuration fix, it might be that it does not reach you if you - are updating 'cups-daemon' (rather than doing a fresh installation). - Please double check your /etc/cups/cupds.conf file, whether it limits the access - to CUPS-Get-Document with something like the following - > - >AuthType Default - >Require user @OWNER @SYSTEM - >Order deny,allow - > - (The important line is the 'AuthType Default' in this section) - - -- Thorsten Alteholz Tue, 19 Sep 2023 21:20:27 +0200
Bug#1053522: bullseye-pu: cups/2.3.3op2-3+deb11u6
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu After uploading the fix for CVE-2023-4504 and CVE-2023-32360 to Buster I got some complaints: - the mentioned filename of the cupsd configuration contained a typo and several users were unsure what to do now ... - ... especially as the contents of debian/NEWS was also shown on computers where only cups client was installed. So this upload fixes the typo and removes debian/NEWS again, so that the text is only shown when cups-daemon will be updated. I know it is rather late for this, but maybe this makes things easier for our users. Thorsten diff -Nru cups-2.3.3op2/debian/changelog cups-2.3.3op2/debian/changelog --- cups-2.3.3op2/debian/changelog 2023-09-29 21:20:27.0 +0200 +++ cups-2.3.3op2/debian/changelog 2023-10-05 16:35:27.0 +0200 @@ -1,3 +1,11 @@ +cups (2.3.3op2-3+deb11u6) bullseye; urgency=medium + + * remove debian/NEWS again to avoid too much information when only +the client part is installed + * fix typo in config filename + + -- Thorsten Alteholz Thu, 05 Oct 2023 16:35:27 +0200 + cups (2.3.3op2-3+deb11u5) bullseye; urgency=medium * move debian/NEWS.Debian to debian/NEWS diff -Nru cups-2.3.3op2/debian/cups-daemon.NEWS cups-2.3.3op2/debian/cups-daemon.NEWS --- cups-2.3.3op2/debian/cups-daemon.NEWS 2023-09-29 21:20:27.0 +0200 +++ cups-2.3.3op2/debian/cups-daemon.NEWS 2023-10-05 16:35:27.0 +0200 @@ -4,7 +4,7 @@ unauthorized users to fetch documents over local or remote networks. Since this is a configuration fix, it might be that it does not reach you if you are updating 'cups-daemon' (rather than doing a fresh installation). - Please double check your /etc/cups/cupds.conf file, whether it limits the access + Please double check your /etc/cups/cupsd.conf file, whether it limits the access to CUPS-Get-Document with something like the following > >AuthType Default diff -Nru cups-2.3.3op2/debian/NEWS cups-2.3.3op2/debian/NEWS --- cups-2.3.3op2/debian/NEWS 2023-09-29 21:20:27.0 +0200 +++ cups-2.3.3op2/debian/NEWS 1970-01-01 01:00:00.0 +0100 @@ -1,16 +0,0 @@ -cups (2.3.3op2-3+deb11u5) bullseye; urgency=medium - - This release addresses a security issue (CVE-2023-32360) which allows - unauthorized users to fetch documents over local or remote networks. - Since this is a configuration fix, it might be that it does not reach you if you - are updating 'cups-daemon' (rather than doing a fresh installation). - Please double check your /etc/cups/cupds.conf file, whether it limits the access - to CUPS-Get-Document with something like the following - > - >AuthType Default - >Require user @OWNER @SYSTEM - >Order deny,allow - > - (The important line is the 'AuthType Default' in this section) - - -- Thorsten Alteholz Tue, 19 Sep 2023 21:20:27 +0200
Bug#1053277: libcups2: typo in NEWS
Hi Christian, On 30.09.23 19:02, Christian T. Steigies wrote: I did not find this file (because I don't have a full install), but I think the filename should be cupsd.conf instead of cupds.conf. oops, thanks for telling. You are right, the correct name would have been cupsd.conf Thorsten
Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2
On Fri, 29 Sep 2023, Adam D. Barratt wrote: I should have spotted this before (particularly as we recently had the same issue with another package) but debian/NEWS.Debian should simply be debian/NEWS. dh_installchangelogs then renames it to NEWS.Debian in the binary package. ok, uploaded, I keep my fingers crossed. Thorsten
Bug#1052363: bullseye-pu: cups/2.3.3op2-3+deb11u4
On Fri, 29 Sep 2023, Adam D. Barratt wrote: I should have spotted this before (particularly as we recently had the same issue with another package) but debian/NEWS.Debian should simply be debian/NEWS. dh_installchangelogs then renames it to NEWS.Debian in the binary package. ok, uploaded, I keep my fingers crossed. Thorsten
Bug#1052363: bullseye-pu: cups/2.3.3op2-3+deb11u4
On 27.09.23 20:33, Adam D. Barratt wrote: Thanks; please go ahead. great, thanks, ... ... and uploaded. Thorsten
Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2
On 27.09.23 20:32, Adam D. Barratt wrote: Please go ahead. great, thanks, ... ... and uploaded. Thorsten
Bug#1052363: bullseye-pu: cups/2.3.3op2-3+deb11u4
Control: tags 1052363 - moreinfo On Sat, 23 Sep 2023, Adam D. Barratt wrote: The same query as for bookworm applies here - do we expect users to know how to find the patch? ... and the same new text for Bullseye. Thorstendiff -Nru cups-2.3.3op2/debian/changelog cups-2.3.3op2/debian/changelog --- cups-2.3.3op2/debian/changelog 2023-06-24 10:54:05.0 +0200 +++ cups-2.3.3op2/debian/changelog 2023-09-19 21:20:27.0 +0200 @@ -1,3 +1,12 @@ +cups (2.3.3op2-3+deb11u4) bullseye; urgency=medium + + * CVE-2023-4504 +Postscript parsing heap-based buffer overflow + * CVE-2023-32360 (Closes: #1051953) +authentication issue + + -- Thorsten Alteholz Tue, 19 Sep 2023 21:20:27 +0200 + cups (2.3.3op2-3+deb11u3) bullseye; urgency=medium * CVE-2023-34241 (Closes: #1038885) diff -Nru cups-2.3.3op2/debian/cups-daemon.NEWS cups-2.3.3op2/debian/cups-daemon.NEWS --- cups-2.3.3op2/debian/cups-daemon.NEWS 2023-06-22 23:22:40.0 +0200 +++ cups-2.3.3op2/debian/cups-daemon.NEWS 2023-09-19 21:20:27.0 +0200 @@ -1,3 +1,20 @@ +cups (2.3.3op2-3+deb11u4) bullseye; urgency=medium + + This release addresses a security issue (CVE-2023-32360) which allows + unauthorized users to fetch documents over local or remote networks. + Since this is a configuration fix, it might be that it does not reach you if you + are updating 'cups-daemon' (rather than doing a fresh installation). + Please double check your /etc/cups/cupds.conf file, whether it limits the access + to CUPS-Get-Document with something like the following + > + >AuthType Default + >Require user @OWNER @SYSTEM + >Order deny,allow + > + (The important line is the 'AuthType Default' in this section) + + -- Thorsten Alteholz Tue, 19 Sep 2023 21:20:27 +0200 + cups (2.1.4-3) unstable; urgency=low The default ErrorPolicy is changed from 'stop-printer' to 'retry-job', diff -Nru cups-2.3.3op2/debian/NEWS.Debian cups-2.3.3op2/debian/NEWS.Debian --- cups-2.3.3op2/debian/NEWS.Debian1970-01-01 01:00:00.0 +0100 +++ cups-2.3.3op2/debian/NEWS.Debian2023-09-19 21:20:27.0 +0200 @@ -0,0 +1,16 @@ +cups (2.3.3op2-3+deb11u4) bullseye; urgency=medium + + This release addresses a security issue (CVE-2023-32360) which allows + unauthorized users to fetch documents over local or remote networks. + Since this is a configuration fix, it might be that it does not reach you if you + are updating 'cups-daemon' (rather than doing a fresh installation). + Please double check your /etc/cups/cupds.conf file, whether it limits the access + to CUPS-Get-Document with something like the following + > + >AuthType Default + >Require user @OWNER @SYSTEM + >Order deny,allow + > + (The important line is the 'AuthType Default' in this section) + + -- Thorsten Alteholz Tue, 19 Sep 2023 21:20:27 +0200 diff -Nru cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch --- cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch 1970-01-01 01:00:00.0 +0100 +++ cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch 2023-09-19 21:20:27.0 +0200 @@ -0,0 +1,27 @@ +From: Thorsten Alteholz +Date: Wed, 20 Sep 2023 23:21:42 +0200 +Subject: CVE-2023-32360 + +--- + conf/cupsd.conf.in | 8 +++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in +index 09059dc..67d1c8b 100644 +--- a/conf/cupsd.conf.in b/conf/cupsd.conf.in +@@ -65,7 +65,13 @@ WebInterface @CUPS_WEBIF@ + Order deny,allow + + +- ++ ++Require user @OWNER @SYSTEM ++Order deny,allow ++ ++ ++ ++AuthType Default + Require user @OWNER @SYSTEM + Order deny,allow + diff -Nru cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch --- cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch 1970-01-01 01:00:00.0 +0100 +++ cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch 2023-09-19 21:20:27.0 +0200 @@ -0,0 +1,33 @@ +From: Thorsten Alteholz +Date: Wed, 20 Sep 2023 23:22:44 +0200 +Subject: CVE-2023-4504 + +--- + cups/raster-interpret.c | 14 +- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c +index fbe52f3..89ef158 100644 +--- a/cups/raster-interpret.c b/cups/raster-interpret.c +@@ -1113,7 +1113,19 @@ scan_ps(_cups_ps_stack_t *st, /* I - Stack */ + + cur ++; + +-if (*cur == 'b') ++ /* ++ * Return NULL if we reached NULL terminator, a lone backslash ++* is not a valid character in PostScript. ++ */ ++ ++ if (!*cur) ++ { ++*ptr = NULL; ++ ++return (NULL); ++ } ++ ++ if (*cur == 'b') + *valptr++ = '\b'; +
Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2
Control: tags 1052361 - moreinfo Hi Adam, On Sat, 23 Sep 2023, Adam D. Barratt wrote: Hmm. Is there a better way we can point users to the required change here that doesn't require them knowing how to find patches applied to the source package? yes, *sigh* the wording was bad and I also mangled the version numbers, sorry. What do you think of this version, which was thankfully provided by IOhannes? Thorstendiff -Nru cups-2.4.2/debian/changelog cups-2.4.2/debian/changelog --- cups-2.4.2/debian/changelog 2023-06-24 10:54:05.0 +0200 +++ cups-2.4.2/debian/changelog 2023-09-19 21:20:27.0 +0200 @@ -1,3 +1,12 @@ +cups (2.4.2-3+deb12u2) bookworm; urgency=medium + + * CVE-2023-4504 +Postscript parsing heap-based buffer overflow + * CVE-2023-32360 (Closes: #1051953) +authentication issue + + -- Thorsten Alteholz Tue, 19 Sep 2023 21:20:27 +0200 + cups (2.4.2-3+deb12u1) bookworm; urgency=medium * CVE-2023-34241 (Closes: #1038885) diff -Nru cups-2.4.2/debian/cups-daemon.NEWS cups-2.4.2/debian/cups-daemon.NEWS --- cups-2.4.2/debian/cups-daemon.NEWS 2023-06-22 23:22:40.0 +0200 +++ cups-2.4.2/debian/cups-daemon.NEWS 2023-09-19 21:20:27.0 +0200 @@ -1,3 +1,20 @@ +cups (2.4.2-3+deb12u2) bookworm; urgency=medium + + This release addresses a security issue (CVE-2023-32360) which allows + unauthorized users to fetch documents over local or remote networks. + Since this is a configuration fix, it might be that it does not reach you if you + are updating 'cups-daemon' (rather than doing a fresh installation). + Please double check your /etc/cups/cupds.conf file, whether it limits the access + to CUPS-Get-Document with something like the following + > + >AuthType Default + >Require user @OWNER @SYSTEM + >Order deny,allow + > + (The important line is the 'AuthType Default' in this section) + + -- Thorsten Alteholz Tue, 19 Sep 2023 21:20:27 +0200 + cups (2.1.4-3) unstable; urgency=low The default ErrorPolicy is changed from 'stop-printer' to 'retry-job', diff -Nru cups-2.4.2/debian/NEWS.Debian cups-2.4.2/debian/NEWS.Debian --- cups-2.4.2/debian/NEWS.Debian 1970-01-01 01:00:00.0 +0100 +++ cups-2.4.2/debian/NEWS.Debian 2023-09-19 21:20:27.0 +0200 @@ -0,0 +1,16 @@ +cups (2.4.2-3+deb12u2) bookworm; urgency=medium + + This release addresses a security issue (CVE-2023-32360) which allows + unauthorized users to fetch documents over local or remote networks. + Since this is a configuration fix, it might be that it does not reach you if you + are updating 'cups-daemon' (rather than doing a fresh installation). + Please double check your /etc/cups/cupds.conf file, whether it limits the access + to CUPS-Get-Document with something like the following + > + >AuthType Default + >Require user @OWNER @SYSTEM + >Order deny,allow + > + (The important line is the 'AuthType Default' in this section) + + -- Thorsten Alteholz Tue, 19 Sep 2023 21:20:27 +0200 diff -Nru cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch --- cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch 1970-01-01 01:00:00.0 +0100 +++ cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch 2023-09-19 21:20:27.0 +0200 @@ -0,0 +1,33 @@ +From: Thorsten Alteholz +Date: Wed, 20 Sep 2023 04:55:44 +0200 +Subject: CVE-2023-4504 + +--- + cups/raster-interpret.c | 14 +- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c +index fbe52f3..89ef158 100644 +--- a/cups/raster-interpret.c b/cups/raster-interpret.c +@@ -1113,7 +1113,19 @@ scan_ps(_cups_ps_stack_t *st, /* I - Stack */ + + cur ++; + +-if (*cur == 'b') ++ /* ++ * Return NULL if we reached NULL terminator, a lone backslash ++* is not a valid character in PostScript. ++ */ ++ ++ if (!*cur) ++ { ++*ptr = NULL; ++ ++return (NULL); ++ } ++ ++ if (*cur == 'b') + *valptr++ = '\b'; + else if (*cur == 'f') + *valptr++ = '\f'; diff -Nru cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch --- cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch 1970-01-01 01:00:00.0 +0100 +++ cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch 2023-09-19 21:20:27.0 +0200 @@ -0,0 +1,27 @@ +From: Thorsten Alteholz +Date: Wed, 20 Sep 2023 04:56:47 +0200 +Subject: CVE-2023-32360 + +--- + conf/cupsd.conf.in | 8 +++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in +index b258849..a07536f 100644 +--- a/conf/cupsd.conf.in b/conf/cupsd.conf.in +@@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@ + Order deny,allow + + +- ++ ++
Bug#1052363: bullseye-pu: cups/2.3.3op2-3+deb11u4
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu The attached debdiff for cups fixes CVE-2023-4504 and CVE-2023-32360 in Bullseye. These CVEs have been marked as no-dsa by the security team, but at least CVE-2023-32360 got anRC bug (#1051953). Thorsten PS: There already is 2.3.3op2-3+deb11u3 in P-Udiff -Nru cups-2.3.3op2/debian/changelog cups-2.3.3op2/debian/changelog --- cups-2.3.3op2/debian/changelog 2023-06-24 10:54:05.0 +0200 +++ cups-2.3.3op2/debian/changelog 2023-09-19 21:20:27.0 +0200 @@ -1,3 +1,12 @@ +cups (2.3.3op2-3+deb11u4) bullseye; urgency=medium + + * CVE-2023-4504 +Postscript parsing heap-based buffer overflow + * CVE-2023-32360 (Closes: #1051953) +authentication issue + + -- Thorsten Alteholz Tue, 19 Sep 2023 21:20:27 +0200 + cups (2.3.3op2-3+deb11u3) bullseye; urgency=medium * CVE-2023-34241 (Closes: #1038885) diff -Nru cups-2.3.3op2/debian/cups-daemon.NEWS cups-2.3.3op2/debian/cups-daemon.NEWS --- cups-2.3.3op2/debian/cups-daemon.NEWS 2023-06-22 23:22:40.0 +0200 +++ cups-2.3.3op2/debian/cups-daemon.NEWS 2023-09-19 21:20:27.0 +0200 @@ -1,3 +1,11 @@ +cups (2.4.2-6) unstable; urgency=low + + In case this is not a fresh installation of cups, please double check + whether your cupsd.conf really does contain the limitiation for + "CUPS-Get-Document" (see patch 0019-CVE-2023-32360.patch) + + -- Thorsten Alteholz Tue, 19 Sep 2023 21:20:27 +0200 + cups (2.1.4-3) unstable; urgency=low The default ErrorPolicy is changed from 'stop-printer' to 'retry-job', diff -Nru cups-2.3.3op2/debian/NEWS.Debian cups-2.3.3op2/debian/NEWS.Debian --- cups-2.3.3op2/debian/NEWS.Debian1970-01-01 01:00:00.0 +0100 +++ cups-2.3.3op2/debian/NEWS.Debian2023-09-19 21:20:27.0 +0200 @@ -0,0 +1,7 @@ +cups (2.4.2-6) unstable; urgency=low + + In case this is not a fresh installation of cups, please double check + whether your cupsd.conf really does contain the limitiation for + "CUPS-Get-Document" (see patch 0019-CVE-2023-32360.patch) + + -- Thorsten Alteholz Tue, 19 Sep 2023 21:20:27 +0200 diff -Nru cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch --- cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch 1970-01-01 01:00:00.0 +0100 +++ cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch 2023-09-19 21:20:27.0 +0200 @@ -0,0 +1,27 @@ +From: Thorsten Alteholz +Date: Wed, 20 Sep 2023 23:21:42 +0200 +Subject: CVE-2023-32360 + +--- + conf/cupsd.conf.in | 8 +++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in +index 09059dc..67d1c8b 100644 +--- a/conf/cupsd.conf.in b/conf/cupsd.conf.in +@@ -65,7 +65,13 @@ WebInterface @CUPS_WEBIF@ + Order deny,allow + + +- ++ ++Require user @OWNER @SYSTEM ++Order deny,allow ++ ++ ++ ++AuthType Default + Require user @OWNER @SYSTEM + Order deny,allow + diff -Nru cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch --- cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch 1970-01-01 01:00:00.0 +0100 +++ cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch 2023-09-19 21:20:27.0 +0200 @@ -0,0 +1,33 @@ +From: Thorsten Alteholz +Date: Wed, 20 Sep 2023 23:22:44 +0200 +Subject: CVE-2023-4504 + +--- + cups/raster-interpret.c | 14 +- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c +index fbe52f3..89ef158 100644 +--- a/cups/raster-interpret.c b/cups/raster-interpret.c +@@ -1113,7 +1113,19 @@ scan_ps(_cups_ps_stack_t *st, /* I - Stack */ + + cur ++; + +-if (*cur == 'b') ++ /* ++ * Return NULL if we reached NULL terminator, a lone backslash ++* is not a valid character in PostScript. ++ */ ++ ++ if (!*cur) ++ { ++*ptr = NULL; ++ ++return (NULL); ++ } ++ ++ if (*cur == 'b') + *valptr++ = '\b'; + else if (*cur == 'f') + *valptr++ = '\f'; diff -Nru cups-2.3.3op2/debian/patches/series cups-2.3.3op2/debian/patches/series --- cups-2.3.3op2/debian/patches/series 2023-06-24 10:54:05.0 +0200 +++ cups-2.3.3op2/debian/patches/series 2023-09-19 21:20:27.0 +0200 @@ -16,3 +16,5 @@ 0016-Fix-certificate-comparison-CVE-2022-26691.patch 0017-CVE-2023-32324.patch 0018-CVE-2023-34241.patch +0019-CVE-2023-32360.patch +0020-CVE-2023-4504.patch
Bug#1052361: bookworm-pu: cups/2.4.2-3+deb12u2
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu The attached debdiff for cups fixes CVE-2023-4504 and CVE-2023-32360 in Bookworm. These CVEs have been marked as no-dsa by the security team, but at least CVE-2023-32360 got an RC bug (#1051953). Thorstendiff -Nru cups-2.4.2/debian/changelog cups-2.4.2/debian/changelog --- cups-2.4.2/debian/changelog 2023-06-24 10:54:05.0 +0200 +++ cups-2.4.2/debian/changelog 2023-09-19 21:20:27.0 +0200 @@ -1,3 +1,12 @@ +cups (2.4.2-3+deb12u2) bookworm; urgency=medium + + * CVE-2023-4504 +Postscript parsing heap-based buffer overflow + * CVE-2023-32360 (Closes: #1051953) +authentication issue + + -- Thorsten Alteholz Tue, 19 Sep 2023 21:20:27 +0200 + cups (2.4.2-3+deb12u1) bookworm; urgency=medium * CVE-2023-34241 (Closes: #1038885) diff -Nru cups-2.4.2/debian/cups-daemon.NEWS cups-2.4.2/debian/cups-daemon.NEWS --- cups-2.4.2/debian/cups-daemon.NEWS 2023-06-22 23:22:40.0 +0200 +++ cups-2.4.2/debian/cups-daemon.NEWS 2023-09-19 21:20:27.0 +0200 @@ -1,3 +1,11 @@ +cups (2.4.2-6) unstable; urgency=low + + In case this is not a fresh installation of cups, please double check + whether your cupsd.conf really does contain the limitiation for + "CUPS-Get-Document" (see patch 0015-CVE-2023-32360.patch) + + -- Thorsten Alteholz Tue, 19 Sep 2023 21:20:27 +0200 + cups (2.1.4-3) unstable; urgency=low The default ErrorPolicy is changed from 'stop-printer' to 'retry-job', diff -Nru cups-2.4.2/debian/NEWS.Debian cups-2.4.2/debian/NEWS.Debian --- cups-2.4.2/debian/NEWS.Debian 1970-01-01 01:00:00.0 +0100 +++ cups-2.4.2/debian/NEWS.Debian 2023-09-19 21:20:27.0 +0200 @@ -0,0 +1,7 @@ +cups (2.4.2-6) unstable; urgency=low + + In case this is not a fresh installation of cups, please double check + whether your cupsd.conf really does contain the limitiation for + "CUPS-Get-Document" (see patch 0015-CVE-2023-32360.patch) + + -- Thorsten Alteholz Tue, 19 Sep 2023 21:20:27 +0200 diff -Nru cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch --- cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch 1970-01-01 01:00:00.0 +0100 +++ cups-2.4.2/debian/patches/0015-CVE-2023-4504.patch 2023-09-19 21:20:27.0 +0200 @@ -0,0 +1,33 @@ +From: Thorsten Alteholz +Date: Wed, 20 Sep 2023 04:55:44 +0200 +Subject: CVE-2023-4504 + +--- + cups/raster-interpret.c | 14 +- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c +index fbe52f3..89ef158 100644 +--- a/cups/raster-interpret.c b/cups/raster-interpret.c +@@ -1113,7 +1113,19 @@ scan_ps(_cups_ps_stack_t *st, /* I - Stack */ + + cur ++; + +-if (*cur == 'b') ++ /* ++ * Return NULL if we reached NULL terminator, a lone backslash ++* is not a valid character in PostScript. ++ */ ++ ++ if (!*cur) ++ { ++*ptr = NULL; ++ ++return (NULL); ++ } ++ ++ if (*cur == 'b') + *valptr++ = '\b'; + else if (*cur == 'f') + *valptr++ = '\f'; diff -Nru cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch --- cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch 1970-01-01 01:00:00.0 +0100 +++ cups-2.4.2/debian/patches/0016-CVE-2023-32360.patch 2023-09-19 21:20:27.0 +0200 @@ -0,0 +1,27 @@ +From: Thorsten Alteholz +Date: Wed, 20 Sep 2023 04:56:47 +0200 +Subject: CVE-2023-32360 + +--- + conf/cupsd.conf.in | 8 +++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in +index b258849..a07536f 100644 +--- a/conf/cupsd.conf.in b/conf/cupsd.conf.in +@@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@ + Order deny,allow + + +- ++ ++Require user @OWNER @SYSTEM ++Order deny,allow ++ ++ ++ ++AuthType Default + Require user @OWNER @SYSTEM + Order deny,allow + diff -Nru cups-2.4.2/debian/patches/series cups-2.4.2/debian/patches/series --- cups-2.4.2/debian/patches/series2023-06-24 10:54:05.0 +0200 +++ cups-2.4.2/debian/patches/series2023-09-19 21:20:27.0 +0200 @@ -12,3 +12,5 @@ 0012-add-pt.patch 0013-CVE-2023-32324.patch 0014-CVE-2023-34241.patch +0015-CVE-2023-4504.patch +0016-CVE-2023-32360.patch
Bug#1052072: package ontospy contains license CC-BY-1.0
Package: ontospy Version: 0~20190225~dfsg1-1 Severity: serious User: alteh...@debian.org Usertags: license thanks Hi Jonas, unfortunately your package contains a file with license: CC-BY-1.0 ontospy/gendocs/misc/html-tests/_FOAFspecification.html This license is not compatible with DFSG[1], so please remove the file or move the package to non-free. Thanks! Thorsten [1] https://lists.debian.org/debian-legal/2004/04/msg00031.html