Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1
Control: tags -1 + pending

On Tue, 2017-01-03 at 12:47 +, Adam D. Barratt wrote:
> On 2017-01-03 12:23, Didier 'OdyX' Raboud wrote:
>> On Tuesday, 3 January 2017, 12:21:36 CET Adam D. Barratt wrote:
>>> You can't immediately re-use the version. Either we can reject the current package and you can then upload a fixed +deb8u1, or you can upload +deb8u2 which just adds the fix above.
>>
>> It does make sense to re-use the same version, doesn't it? If so, please reject, I'll upload after that.
>
> There are advantages to both approaches.
>
> In any case, I've asked dak to reject the current upload. Hopefully it will action that soonish.

Re-uploaded and flagged for acceptance.

Regards,

Adam
Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1
On 2017-01-03 12:23, Didier 'OdyX' Raboud wrote:
> On Tuesday, 3 January 2017, 12:21:36 CET Adam D. Barratt wrote:
>> You can't immediately re-use the version. Either we can reject the current package and you can then upload a fixed +deb8u1, or you can upload +deb8u2 which just adds the fix above.
>
> It does make sense to re-use the same version, doesn't it? If so, please reject, I'll upload after that.

There are advantages to both approaches.

In any case, I've asked dak to reject the current upload. Hopefully it will action that soonish.

Regards,

Adam
Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1
On Tuesday, 3 January 2017, 12:21:36 CET Adam D. Barratt wrote:
> You can't immediately re-use the version. Either we can reject the current package and you can then upload a fixed +deb8u1, or you can upload +deb8u2 which just adds the fix above.

It does make sense to re-use the same version, doesn't it? If so, please reject, I'll upload after that.

-- 
Cheers,
OdyX
Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1
On 2017-01-03 11:03, Didier 'OdyX' Raboud wrote:
> On Monday, 2 January 2017, 18:10:15 CET Adam D. Barratt wrote:
>> Automated post-upload lintian checks caught a new issue:
>>
>> +E: empty-manual-page usr/share/man/man1/hp-toolbox.1.gz
> [...]
> Ah yes. I had fixed this in b1b3f529471d15fb97d1c651f3c60901cc67131b, see attached patch. This is due to new (entirely rightful) restrictions in the buildds (or in my sbuild setup) apparently.

Ah, thanks for the explanation.

> So I should cherry-pick that and re-upload

Yes, please.

> (re-using the 3.14.6-1+deb8u1 version number ?) ?

You can't immediately re-use the version. Either we can reject the current package and you can then upload a fixed +deb8u1, or you can upload +deb8u2 which just adds the fix above.

Regards,

Adam
Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1
On Monday, 2 January 2017, 18:10:15 CET Adam D. Barratt wrote:
> On Sun, 2017-01-01 at 11:38 +0100, Didier 'OdyX' Raboud wrote:
>> On Saturday, 31 December 2016, 17:10:09 CET Adam D. Barratt wrote:
>>> Control: tags -1 + confirmed
>>>
>>> On Tue, 2016-12-27 at 14:18 +0100, Didier 'OdyX' Raboud wrote:
>>>> I'd like to get CVE-2015-0839 fixed in jessie, it's a no-DSA issue, and security team members suggested to get it fixed through stable updates.
>>>>
>>>> This bug is a simple 'fetching gpg key from keyservers with a short keyid' problem, and upstream's fix is to use the full fingerprint.
>>>
>>> Please go ahead.
>>
>> Uploaded, thanks for the confirmation.
>
> Automated post-upload lintian checks caught a new issue:
>
> +E: empty-manual-page usr/share/man/man1/hp-toolbox.1.gz
>
> and indeed:
>
> adsb@coccia:/srv/mirrors/debian/pool/main/h/hplip$ dpkg-deb -c hplip-gui_3.14.6-1_all.deb | grep toolbox.1
> -rw-r--r-- root/root 818 2014-06-15 07:31 ./usr/share/man/man1/hp-toolbox.1.gz
> adsb@coccia:/srv/mirrors/debian/pool/main/h/hplip$ dpkg-deb -c /srv/ftp-master.debian.org/policy/pool/main/h/hplip/hplip-gui_3.14.6-1+deb8u1_all.deb | grep toolbox.1
> -rw-r--r-- root/root 20 2016-12-27 13:48 ./usr/share/man/man1/hp-toolbox.1.gz
>
> Any idea what's going on there?

Ah yes. I had fixed this in b1b3f529471d15fb97d1c651f3c60901cc67131b, see attached patch. This is due to new (entirely rightful) restrictions in the buildds (or in my sbuild setup) apparently.

So I should cherry-pick that and re-upload (re-using the 3.14.6-1+deb8u1 version number ?) ?

-- 
Cheers,
OdyX

From b1b3f529471d15fb97d1c651f3c60901cc67131b Mon Sep 17 00:00:00 2001
From: Didier Raboud
Date: Mon, 3 Oct 2016 11:37:37 +0200
Subject: [PATCH] Export HOME when building the manpages to permit hp-toolbox's manpage generation

---
 debian/rules | 1 +
 1 file changed, 1 insertion(+)
diff --git a/debian/rules b/debian/rules index d44f11cbf..1aa626d6f 100755 --- a/debian/rules +++ b/debian/rules @@ -167,6 +167,7 @@ override_dh_install: for file in *; do \ if readlink $$file | grep ".py"; then \ PYTHONPATH=../lib/python$(PYTHON_DEFAULT_VERSION)/$(PYTHON_SITENAME)/ \ +HOME=./ \ LD_LIBRARY_PATH=../lib/$(DEB_HOST_MULTIARCH) python3 ./$$file --help-man > $(CURDIR)/$$file.1 ; \ fi; \ done \ -- 2.11.0
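Review bot: `HOME=./` points the tool's home at the directory the `for file in *` loop runs in (an installed bin directory, judging by the `../lib/...` paths beside it), so anything `hp-toolbox --help-man` writes under $HOME lands next to the installed files and can end up in the package; point HOME at a scratch directory under $(CURDIR)/debian and clean it up instead. The failure that started this thread is also still masked: `python3 ./$$file --help-man > $(CURDIR)/$$file.1` succeeds with a near-empty output when generation fails, so add a check such as `test -s $(CURDIR)/$$file.1` after the redirect so the build fails instead of lintian catching it after upload.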
Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1
On Sun, 2017-01-01 at 11:38 +0100, Didier 'OdyX' Raboud wrote:
> On Saturday, 31 December 2016, 17:10:09 CET Adam D. Barratt wrote:
>> Control: tags -1 + confirmed
>>
>> On Tue, 2016-12-27 at 14:18 +0100, Didier 'OdyX' Raboud wrote:
>>> I'd like to get CVE-2015-0839 fixed in jessie, it's a no-DSA issue, and security team members suggested to get it fixed through stable updates.
>>>
>>> This bug is a simple 'fetching gpg key from keyservers with a short keyid' problem, and upstream's fix is to use the full fingerprint.
>>
>> Please go ahead.
>
> Uploaded, thanks for the confirmation.

Automated post-upload lintian checks caught a new issue:

+E: empty-manual-page usr/share/man/man1/hp-toolbox.1.gz

and indeed:

adsb@coccia:/srv/mirrors/debian/pool/main/h/hplip$ dpkg-deb -c hplip-gui_3.14.6-1_all.deb | grep toolbox.1
-rw-r--r-- root/root 818 2014-06-15 07:31 ./usr/share/man/man1/hp-toolbox.1.gz
adsb@coccia:/srv/mirrors/debian/pool/main/h/hplip$ dpkg-deb -c /srv/ftp-master.debian.org/policy/pool/main/h/hplip/hplip-gui_3.14.6-1+deb8u1_all.deb | grep toolbox.1
-rw-r--r-- root/root 20 2016-12-27 13:48 ./usr/share/man/man1/hp-toolbox.1.gz

Any idea what's going on there?

Regards,

Adam
Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1
On Saturday, 31 December 2016, 17:10:09 CET Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Tue, 2016-12-27 at 14:18 +0100, Didier 'OdyX' Raboud wrote:
>> I'd like to get CVE-2015-0839 fixed in jessie, it's a no-DSA issue, and security team members suggested to get it fixed through stable updates.
>>
>> This bug is a simple 'fetching gpg key from keyservers with a short keyid' problem, and upstream's fix is to use the full fingerprint.
>
> Please go ahead.

Uploaded, thanks for the confirmation.

-- 
Cheers,
OdyX
Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1
Control: tags -1 + confirmed

On Tue, 2016-12-27 at 14:18 +0100, Didier 'OdyX' Raboud wrote:
> I'd like to get CVE-2015-0839 fixed in jessie, it's a no-DSA issue, and security team members suggested to get it fixed through stable updates.
>
> This bug is a simple 'fetching gpg key from keyservers with a short keyid' problem, and upstream's fix is to use the full fingerprint.

Please go ahead.

Regards,

Adam
Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear RT,

I'd like to get CVE-2015-0839 fixed in jessie, it's a no-DSA issue, and security team members suggested to get it fixed through stable updates.

This bug is a simple 'fetching gpg key from keyservers with a short keyid' problem, and upstream's fix is to use the full fingerprint.

The debdiff is attached.

Cheers,
OdyX

diff -Nru hplip-3.14.6/debian/changelog hplip-3.14.6/debian/changelog --- hplip-3.14.6/debian/changelog 2014-06-15 09:24:19.0 +0200 +++ hplip-3.14.6/debian/changelog 2016-12-27 09:13:54.0 +0100 @@ -1,3 +1,11 @@ +hplip (3.14.6-1+deb8u1) stable; urgency=medium + + * Backport CVE-2015-0839 fix from upstream's 3.15.7: use full gpg key +fingerprint when fetching key from keyservers +(Closes: #787353, LP: #1432516) + + -- Didier Raboud Tue, 27 Dec 2016 09:13:54 +0100 + hplip (3.14.6-1) unstable; urgency=low * New upstream release diff -Nru hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch --- hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch 1970-01-01 01:00:00.0 +0100 +++ hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch 2016-12-27 09:10:11.0 +0100 
@@ -0,0 +1,19 @@ +Description: Use the full key fingerprint, to fix insecure binary driver verification +Bug-CVE: CVE-2015-0839 +Bug-Upstream: https://bugs.launchpad.net/hplip/+bug/1432516 +Bug-Debian: https://bugs.debian.org/787353 +Origin: vendor +Last-Update: 2015-07-15 + +--- a/base/validation.py b/base/validation.py +@@ -40,8 +40,7 @@ + + + class GPG_Verification(DigiSign_Verification): +- +-def __init__(self, pgp_site = 'pgp.mit.edu', key = 0xA59047B9): ++def __init__(self, pgp_site = 'pgp.mit.edu', key = 0x4ABA2F66DBD5A95894910E0673D770CDA59047B9): + self.__pgp_site = pgp_site + self.__key = key + self.__gpg = utils.which('gpg',True) diff -Nru hplip-3.14.6/debian/patches/series hplip-3.14.6/debian/patches/series --- hplip-3.14.6/debian/patches/series 2014-04-04 17:05:13.0 +0200 +++ hplip-3.14.6/debian/patches/series 2016-12-27 09:04:13.0 +0100 @@ -18,3 +18,4 @@ #hp-mkuri-libnotify-so-4-support.dpatch hpaio-option-duplex.diff musb-c-do-not-crash-on-usb-failure.patch +cve-2015-0839-insecure-binary-driver-verification.patch
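Review bot: the base/validation.py hunk only changes the default value of the `key` argument of `GPG_Verification.__init__`; any caller that passes an explicit short key ID keeps the old 32-bit match, so it is worth confirming that no call site in base/ does (none is visible in this debdiff). The DEP-3 header says `Origin: vendor` while the changelog entry describes the change as a backport from upstream's 3.15.7; `Origin: backport` (or `upstream`) with the upstream commit URL would make the patch's provenance agree with the changelog. The new fingerprint 4ABA2F66DBD5A95894910E0673D770CDA59047B9 does end in the old short ID A59047B9, so the same key is being pinned, just unambiguously.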
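As an added example (not the thread's or hplip's own code) of the weakness the report describes: a short key ID is only the low 32 bits of a fingerprint, so a second key can share it, and only a full-fingerprint comparison rejects it. The keyring listing and the second key's fingerprint are constructed; `fingerprints`, `key_matches` and `accepted_keys` are names chosen here, not functions from base/validation.py.

```python
# Added example (not hplip's code): short key ID vs. full fingerprint matching,
# the weakness behind CVE-2015-0839 and the comparison the backported fix changes.
from typing import List

# The two values from the debdiff: old short key ID and the full fingerprint
# (whose last 8 hex digits are that short ID).
SHORT_KEY_ID = 0xA59047B9
FULL_FINGERPRINT = 0x4ABA2F66DBD5A95894910E0673D770CDA59047B9

# Constructed keyring listing in `gpg --with-colons` format: a 'pub' record
# followed by its 'fpr' record (field 10 holds the fingerprint). The second
# key is made up: its fingerprint ends in the same 8 hex digits, i.e. it
# collides with the short key ID but not with the full fingerprint.
SAMPLE_LISTING = """\
pub:-:4096:1:73D770CDA59047B9:1265119200:::-:::scESC::::::
fpr:::::::::4ABA2F66DBD5A95894910E0673D770CDA59047B9:
pub:-:2048:1:DEADBEEFA59047B9:1420070400:::-:::scESC::::::
fpr:::::::::0123456789ABCDEF01234567DEADBEEFA59047B9:
"""

def fingerprints(listing: str) -> List[int]:
    """Return the fingerprints (as ints) from the 'fpr' records of a listing."""
    result = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9 and fields[9]:
            result.append(int(fields[9], 16))
    return result

def key_matches(fpr: int, key: int) -> bool:
    """Compare a key against the configured identifier.

    A value that fits in 32 bits can only be a short key ID, so only the
    low 32 bits of the fingerprint are compared (the pre-fix situation);
    anything wider is treated as a full fingerprint and must match exactly.
    """
    if key.bit_length() <= 32:
        return (fpr & 0xFFFFFFFF) == key
    return fpr == key

def accepted_keys(listing: str, key: int) -> List[int]:
    """Fingerprints in the listing that `key` would accept as the signing key."""
    return [fpr for fpr in fingerprints(listing) if key_matches(fpr, key)]

if __name__ == "__main__":
    # Short ID accepts both keys (collision); full fingerprint accepts only the real one.
    print(len(accepted_keys(SAMPLE_LISTING, SHORT_KEY_ID)),
          len(accepted_keys(SAMPLE_LISTING, FULL_FINGERPRINT)))
```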