Bug#695423: unblock: cups/1.5.3-2.9

2012-12-29 Thread Didier 'OdyX' Raboud
Control: retitle -1 unblock: cups/1.5.3-2.11.1

On Friday, 28 December 2012 14.39:36, Didier 'OdyX' Raboud wrote:
> On Friday, 28 December 2012 10.27:32, Julien Cristau wrote:
> > Well, it's at least as large as the input string, but potentially with
> > no space for the terminating nul character, AIUI.
> > 
> > > Good catch! I'll upload a new cups 1.5.3-2.11 with that fix. What is
> > > the good way to Depend on libc > 2.13 across all our architectures?
> > 
> > Depends: libc-bin (>= 2.13).
> 
> Uploaded 1.5.3-2.11 with your requested changes, thanks again for your
> review!

Actually, 1.5.3-2.11 was a broken upload (shame on me); I re-uploaded
1.5.3-2.11.1 without the spurious patch file.

Cheers,

OdyX




Bug#695423: unblock: cups/1.5.3-2.9

2012-12-28 Thread Didier 'OdyX' Raboud
On Friday, 28 December 2012 10.27:32, Julien Cristau wrote:
> Well, it's at least as large as the input string, but potentially with
> no space for the terminating nul character, AIUI.
> 
> > Good catch! I'll upload a new cups 1.5.3-2.11 with that fix. What is the
> > good way to Depend on libc > 2.13 across all our architectures?
> 
> Depends: libc-bin (>= 2.13).

Uploaded 1.5.3-2.11 with your requested changes, thanks again for your review!

OdyX




Bug#695423: unblock: cups/1.5.3-2.9

2012-12-28 Thread Julien Cristau
On Fri, Dec 28, 2012 at 10:12:02 +0100, Didier 'OdyX' Raboud wrote:

> On Tuesday, 25 December 2012 21.45:41, Julien Cristau wrote:
> > On Fri, Dec  7, 2012 at 22:31:33 +0100, Didier Raboud wrote:
> > > Please unblock package cups (…)
> > 
> > Questions:
> 
> Hi Julien, thanks for this review!
> 
> > - what does "mv /etc/cups/cupsd.conf /etc/cups/cupsd.conf.conffile-bak"
> >   in preinst achieve?
> 
> In versions prior to 1.5.3-2.7, /etc/cups/cupsd.conf is a conffile,
> registered as such by dpkg. So in a normal upgrading case, the file would
> either be dropped (if never modified) or marked obsolete (if ever modified).
> As we want neither, moving it away before the dpkg unpack (making this file
> unnoticed to dpkg) and reinstating it after the unpack (in postinst for
> normal cases and postrm "abort-upgrade" in case something fails) makes
> /etc/cups/cupsd.conf a non-dpkg-conffile without having it marked as
> "obsolete" (which is irrelevant for that file).
> 
> Granted, /etc/cups/cupsd.conf should not be in /etc/ but in /var/lib/, but
> that would be the subject for another intrusive patch (and upstream
> apparently plans to do that change in a not-too-distant future).
> 
> > - in cups-dbus-utf8.patch, I'm wondering if the "if (str_len > buflen)"
> >   check isn't off-by-one?
> 
> To be honest, I don't really know. As I read the code (and the surrounding 
> comments), making it off-by-one puts the buffer size on the safe side (aka 
> always at least as large as the input string).
> 
Well, it's at least as large as the input string, but potentially with
no space for the terminating nul character, AIUI.

> > Actually, one more: the validate_utf8 thing uses en_US.UTF-8, which may
> > or may not exist.  You might want to use C.UTF-8 instead, which is in
> > our libc since 2.13.
> 
> Good catch! I'll upload a new cups 1.5.3-2.11 with that fix. What is the good
> way to Depend on libc > 2.13 across all our architectures?
> 
Depends: libc-bin (>= 2.13).

Cheers,
Julien


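The buffer-size arithmetic behind this exchange, as an added example that is not code from the cups patch or from either correspondent (the function names `copy_bounded`, `lenient_check_accepts`, `lenient_check_is_unsafe` and `try_copy8` are this example's own, and the 8-byte buffer and sample strings are constructed). It only illustrates the general off-by-one: a check written as `str_len > buflen` accepts a string of exactly `buflen` bytes, which then has no room for the terminating NUL. Whether the actual patch is affected depends on code not shown in the thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy the NUL-terminated string `src` into `dst`, which holds `buflen` bytes,
 * only when the bytes of the string AND the terminating NUL both fit.
 * Returns 0 on success and -1 when the string is rejected as too long.
 * The safe comparison is `str_len >= buflen` (the same as `str_len + 1 > buflen`):
 * a string of exactly buflen bytes would leave no room for the terminator. */
int copy_bounded(char *dst, size_t buflen, const char *src)
{
    size_t str_len = strlen(src);
    if (str_len >= buflen)
        return -1;                 /* reject rather than truncate silently */
    memcpy(dst, src, str_len + 1); /* +1 carries the NUL across as well */
    return 0;
}

/* The lenient comparison discussed in the thread, `str_len > buflen`, written
 * out as a predicate: returns 1 when that check would accept the string. */
int lenient_check_accepts(size_t str_len, size_t buflen)
{
    return !(str_len > buflen);
}

/* Returns 1 in exactly the off-by-one case: the lenient check accepts the
 * string, yet buflen bytes cannot hold str_len bytes plus the terminator. */
int lenient_check_is_unsafe(size_t str_len, size_t buflen)
{
    return lenient_check_accepts(str_len, buflen) && str_len + 1 > buflen;
}

/* Convenience wrapper around copy_bounded with a constructed 8-byte buffer. */
int try_copy8(const char *src)
{
    char buf[8];
    return copy_bounded(buf, sizeof buf, src);
}

int main(void)
{
    const char *seven = "1234567";  /* constructed: 7 bytes, fits with its NUL */
    const char *eight = "12345678"; /* constructed: 8 bytes, fills the buffer */

    printf("lenient check accepts 8 bytes into 8: %d\n", lenient_check_accepts(8, 8));
    printf("off-by-one case (8 into 8): %d\n", lenient_check_is_unsafe(8, 8));
    printf("copy_bounded 7 into 8 -> %d\n", try_copy8(seven));
    printf("copy_bounded 8 into 8 -> %d\n", try_copy8(eight));
    return 0;
}
```

Compiled stand-alone, `main` prints the four results. The thing to check when reviewing such a patch is whether the copy is expected to NUL-terminate in place: if so, the bound must be compared against `str_len + 1`, or written as `str_len >= buflen`, and the exact-length case should be rejected or handled explicitly rather than relying on a terminator that was never written.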


Bug#695423: unblock: cups/1.5.3-2.9

2012-12-28 Thread Didier 'OdyX' Raboud
On Tuesday, 25 December 2012 21.45:41, Julien Cristau wrote:
> On Fri, Dec  7, 2012 at 22:31:33 +0100, Didier Raboud wrote:
> > Please unblock package cups (…)
> 
> Questions:

Hi Julien, thanks for this review!

> - what does "mv /etc/cups/cupsd.conf /etc/cups/cupsd.conf.conffile-bak"
>   in preinst achieve?

In versions prior to 1.5.3-2.7, /etc/cups/cupsd.conf is a conffile, registered 
as such by dpkg. So in a normal upgrading case, the file would either be 
dropped (if never modified) or marked obsolete (if ever modified). As we want 
neither, moving it away before the dpkg unpack (making this file unnoticed to 
dpkg) and reinstating it after the unpack (in postinst for normal cases and 
postrm "abort-upgrade" in case something fails) makes /etc/cups/cupsd.conf a 
non-dpkg-conffile without having it marked as "obsolete" (which is irrelevant 
for that file).

Granted, /etc/cups/cupsd.conf should not be in /etc/ but in /var/lib/, but 
that would be the subject for another intrusive patch (and upstream apparently 
plans to do that change in a not-too-distant future).

> - in cups-dbus-utf8.patch, I'm wondering if the "if (str_len > buflen)"
>   check isn't off-by-one?

To be honest, I don't really know. As I read the code (and the surrounding 
comments), making it off-by-one puts the buffer size on the safe side (aka 
always at least as large as the input string).

> Actually, one more: the validate_utf8 thing uses en_US.UTF-8, which may
> or may not exist.  You might want to use C.UTF-8 instead, which is in
> our libc since 2.13.

Good catch! I'll upload a new cups 1.5.3-2.11 with that fix. What is the good
way to Depend on libc > 2.13 across all our architectures?

Cheers,

OdyX




Bug#695423: unblock: cups/1.5.3-2.9

2012-12-25 Thread Julien Cristau
On Tue, Dec 25, 2012 at 21:45:41 +0100, Julien Cristau wrote:

> I can buy the rest of this.
> 
Actually, one more: the validate_utf8 thing uses en_US.UTF-8, which may
or may not exist.  You might want to use C.UTF-8 instead, which is in
our libc since 2.13.

Cheers,
Julien




Bug#695423: unblock: cups/1.5.3-2.9

2012-12-25 Thread Julien Cristau
On Fri, Dec  7, 2012 at 22:31:33 +0100, Didier Raboud wrote:

> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package cups as 1.5.3-2.9 fixes the security bug in
> #692791 (lpadmin-to-root privilege escalation). In addition to that, it
> also fixes a series of other "nice-to-have"'s from either upstream or
> RedHat, some dependency-tightening between libraries and some
> documentation fixes (such as putting under the Debian Printing Team
> umbrella).
> 
> The debdiff is attached (but it has many diff-of-diff's) and you can
> find all that in the git repository too:
> 
> http://anonscm.debian.org/gitweb/?p=pkg-cups/cups.git;a=shortlog;h=refs/heads/master-wheezy
> 
> I'm aware the diff is quite extensive but I made sure to keep the
> changes self-contained (mostly) and in different patches. Don't hesitate
> to ask for details on specific parts of that diff, I'm open to dropping
> specific patches if it helps migrating that important security fix into
> Wheezy.
> 
Questions:
- what does "mv /etc/cups/cupsd.conf /etc/cups/cupsd.conf.conffile-bak"
  in preinst achieve?
- in cups-dbus-utf8.patch, I'm wondering if the "if (str_len > buflen)"
  check isn't off-by-one?

I can buy the rest of this.

Cheers,
Julien

