Bug#906258: stretch-pu: package yubico-piv-tool/1.4.2-2
On Thu, Aug 22, 2019 at 09:28:18PM +0100, Adam D. Barratt wrote:
> Ping on a new upload? There's just over a week if you want to get this
> in to 9.10.

Thanks for the reminder; uploaded.
Bug#906258: stretch-pu: package yubico-piv-tool/1.4.2-2
On Sat, 2019-02-23 at 22:41 +0100, Julien Cristau wrote:
> On 2/23/19 7:56 PM, Nicolas Braud-Santoni wrote:
> > On Sat, Feb 23, 2019 at 02:27:04PM +0100, Nicolas Braud-Santoni wrote:
> > > On Fri, Feb 15, 2019 at 04:55:58PM +0100, Nicolas Braud-Santoni wrote:
> > > > On Wed, Feb 13, 2019 at 03:34:50PM +0100, Nicolas Braud-Santoni wrote:
> > > > > I assume I can't just dput this, as it already exists in stable-new.
> > > > > Could you reject the existing package first, and I will reupload?
> > > >
> > > > Uploaded a new revision at the request of jcristau.
> > >
> > > Ping?
> >
> > Nevermind, ftpmaster rejected the upload:
> >
> They did not; I did, as I told you in
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906258#69

The mail claims to be from "Debian FTP Masters" as it is sent by dak at the point of rejection. However, in the case of rejections from {,old}stable-new, dak is simply carrying out requests from the Release Team.

> > On Sat, Feb 23, 2019 at 05:47:07PM +0000, Debian FTP Masters wrote:
> > > yubico-piv-tool - inappropriate changelog entry
> >
> > Dear ftpmasters, could you clarify in which way the changelog entry
> > is inappropriate, and what would be an appropriate changelog entry?
> >
> An appropriate changelog entry is one that describes the changes made
> to the package. For example, "Remove cruft that was included in the
> source package by mistake" would be one way to describe the changes
> in your upload.

Ping on a new upload? There's just over a week if you want to get this in to 9.10.

Regards,

Adam
Bug#906258: stretch-pu: package yubico-piv-tool/1.4.2-2
On 2/23/19 7:56 PM, Nicolas Braud-Santoni wrote:
> On Sat, Feb 23, 2019 at 02:27:04PM +0100, Nicolas Braud-Santoni wrote:
>> On Fri, Feb 15, 2019 at 04:55:58PM +0100, Nicolas Braud-Santoni wrote:
>>> On Wed, Feb 13, 2019 at 03:34:50PM +0100, Nicolas Braud-Santoni wrote:
>>>> I assume I can't just dput this, as it already exists in stable-new.
>>>> Could you reject the existing package first, and I will reupload?
>>>
>>> Uploaded a new revision at the request of jcristau.
>>
>> Ping?
>
> Nevermind, ftpmaster rejected the upload:
>
They did not; I did, as I told you in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906258#69

> On Sat, Feb 23, 2019 at 05:47:07PM +0000, Debian FTP Masters wrote:
>> yubico-piv-tool - inappropriate changelog entry
>
> Dear ftpmasters, could you clarify in which way the changelog entry is
> inappropriate, and what would be an appropriate changelog entry?
>
An appropriate changelog entry is one that describes the changes made to the package. For example, "Remove cruft that was included in the source package by mistake" would be one way to describe the changes in your upload.

Cheers,
Julien
Bug#906258: stretch-pu: package yubico-piv-tool/1.4.2-2
On Sat, Feb 23, 2019 at 02:27:04PM +0100, Nicolas Braud-Santoni wrote:
> On Fri, Feb 15, 2019 at 04:55:58PM +0100, Nicolas Braud-Santoni wrote:
> > On Wed, Feb 13, 2019 at 03:34:50PM +0100, Nicolas Braud-Santoni wrote:
> > > I assume I can't just dput this, as it already exists in stable-new.
> > > Could you reject the existing package first, and I will reupload?
> >
> > Uploaded a new revision at the request of jcristau.
>
> Ping?

Nevermind, ftpmaster rejected the upload:

On Sat, Feb 23, 2019 at 05:47:07PM +0000, Debian FTP Masters wrote:
> yubico-piv-tool - inappropriate changelog entry

Dear ftpmasters, could you clarify in which way the changelog entry is inappropriate, and what would be an appropriate changelog entry?

Best,
nicoo
Bug#906258: stretch-pu: package yubico-piv-tool/1.4.2-2
On 2/15/19 4:55 PM, Nicolas Braud-Santoni wrote:
> On Wed, Feb 13, 2019 at 03:34:50PM +0100, Nicolas Braud-Santoni wrote:
>> I assume I can't just dput this, as it already exists in stable-new.
>> Could you reject the existing package first, and I will reupload?
>
> Uploaded a new revision at the request of jcristau.
>
I've marked that revision for reject as its changelog entry is entirely inappropriate and doesn't describe the changes to the package.

Cheers,
Julien
Bug#906258: stretch-pu: package yubico-piv-tool/1.4.2-2
On Fri, Feb 15, 2019 at 04:55:58PM +0100, Nicolas Braud-Santoni wrote:
> On Wed, Feb 13, 2019 at 03:34:50PM +0100, Nicolas Braud-Santoni wrote:
> > I assume I can't just dput this, as it already exists in stable-new.
> > Could you reject the existing package first, and I will reupload?
>
> Uploaded a new revision at the request of jcristau.

Ping?
Bug#906258: stretch-pu: package yubico-piv-tool/1.4.2-2
On Wed, Feb 13, 2019 at 03:34:50PM +0100, Nicolas Braud-Santoni wrote:
> I assume I can't just dput this, as it already exists in stable-new.
> Could you reject the existing package first, and I will reupload?

Uploaded a new revision at the request of jcristau.
Bug#906258: stretch-pu: package yubico-piv-tool/1.4.2-2
On Wed, Feb 13, 2019 at 03:21:44PM +0100, Nicolas Braud-Santoni wrote:
> > Didn't you do that? (Or your sponsor, I guess, but I still assumed you'd be
> > aware.)
> > [...]
> > I didn't remove anything, no. I have nothing to do with the package, just
> > looking at what's been proposed / uploaded in order to decide whether to
> > accept it.
>
> OK, I will go, do the necessary fixes and upload to stretch-pu again :)

Looks like the change was introduced in my sponsor's build, here is the result from me rebuilding the same thing which was in Git:

$ debdiff ../yubico-piv-tool_1.4.2-2.dsc /opt/deb/buildarea/yubico-piv-tool_1.4.2-2+deb9u1.dsc
dpkg-source: warning: extracting unsigned source package (/opt/deb/buildarea/yubico-piv-tool_1.4.2-2+deb9u1.dsc)
diff -Nru yubico-piv-tool-1.4.2/debian/changelog yubico-piv-tool-1.4.2/debian/changelog --- yubico-piv-tool-1.4.2/debian/changelog 2017-01-08 12:41:03.0 +0100 +++ yubico-piv-tool-1.4.2/debian/changelog 2018-08-14 21:12:50.0 +0200 @@ -1,3 +1,11 @@ +yubico-piv-tool (1.4.2-2+deb9u1) stretch-proposed-updates; urgency=high + + * Team upload. + * Backport the fix for CVE-2018-14779 & CVE-2018-14780 +Closes: #906128 + + -- Nicolas Braud-Santoni Tue, 14 Aug 2018 21:12:50 +0200 + yubico-piv-tool (1.4.2-2) unstable; urgency=medium * Fix openssl 1.1 ftbfs. Closes: #828616. diff -Nru yubico-piv-tool-1.4.2/debian/patches/0001-lib-in-ykpiv_transfer_data-handle-overflow-by-exitin.patch yubico-piv-tool-1.4.2/debian/patches/0001-lib-in-ykpiv_transfer_data-handle-overflow-by-exitin.patch --- yubico-piv-tool-1.4.2/debian/patches/0001-lib-in-ykpiv_transfer_data-handle-overflow-by-exitin.patch 1970-01-01 01:00:00.0 +0100 +++ yubico-piv-tool-1.4.2/debian/patches/0001-lib-in-ykpiv_transfer_data-handle-overflow-by-exitin.patch 2018-08-14 21:12:50.0 +0200 
@@ -0,0 +1,32 @@ +Subject: lib: in ykpiv_transfer_data() handle overflow by exiting + +this is detected and printed, but we never exit the function + +Thanks to Eric Sesterhenn of x41 D-Sec for reporting this issue to us. +--- + lib/ykpiv.c | 5 - + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/lib/ykpiv.c b/lib/ykpiv.c +index 96a5a90..b5fdcbb 100644 +Origin: vendor +Bug: 906128 +From: Klas Lindfors +Reviewed-by: Nicolas Braud-Santoni +Last-Update: 2018-08-14 +Applied-Upstream: 01a127a44a2229ea14195208e444ec526eaf45f4 + +--- a/lib/ykpiv.c b/lib/ykpiv.c +@@ -317,7 +317,10 @@ ykpiv_rc ykpiv_transfer_data(ykpiv_state *state, const unsigned char *templ, + return YKPIV_OK; + } + if(*out_len + recv_len - 2 > max_out) { +- fprintf(stderr, "Output buffer to small, wanted to write %lu, max was %lu.", *out_len + recv_len - 2, max_out); ++ if(state->verbose) { ++fprintf(stderr, "Output buffer to small, wanted to write %lu, max was %lu.", *out_len + recv_len - 2, max_out); ++ } ++ return YKPIV_SIZE_ERROR; + } + if(out_data) { + memcpy(out_data, data, recv_len - 2); diff -Nru yubico-piv-tool-1.4.2/debian/patches/0002-lib-in-_ykpiv_fetch_object-handle-bogus-length-by-re.patch yubico-piv-tool-1.4.2/debian/patches/0002-lib-in-_ykpiv_fetch_object-handle-bogus-length-by-re.patch --- yubico-piv-tool-1.4.2/debian/patches/0002-lib-in-_ykpiv_fetch_object-handle-bogus-length-by-re.patch 1970-01-01 01:00:00.0 +0100 +++ yubico-piv-tool-1.4.2/debian/patches/0002-lib-in-_ykpiv_fetch_object-handle-bogus-length-by-re.patch 2018-08-14 21:12:50.0 +0200 
@@ -0,0 +1,33 @@ +Subject: lib: in _ykpiv_fetch_object() handle bogus length by returning + +otherwise we might memmove() to much data + +Thanks to Eric Sesterhenn of x41 D-Sec for reporting this issue to us. +--- + lib/ykpiv.c | 6 ++ + 1 file changed, 6 insertions(+) + +diff --git a/lib/ykpiv.c b/lib/ykpiv.c +index b5fdcbb..d4aab29 100644 +Origin: vendor +Bug: 906128 +From: Klas Lindfors +Reviewed-by: Nicolas Braud-Santoni +Last-Update: 2018-08-14 +Applied-Upstream: 80d47c82f019d6676e8cc5392a31d7478af8015e + +--- a/lib/ykpiv.c b/lib/ykpiv.c +@@ -806,6 +806,12 @@ ykpiv_rc ykpiv_fetch_object(ykpiv_state *state, int object_id, + if(offs == 0) { + return YKPIV_SIZE_ERROR; + } ++if(outlen > offs + 1 + *len) { ++ if(state->verbose) { ++fprintf(stderr, "Invalid length indicated in object, total objlen is %lu, indicated length is %lu.", *len, outlen); ++ } ++ return YKPIV_SIZE_ERROR; ++} + memmove(data, data + 1 + offs, outlen); + *len = outlen; + return YKPIV_OK; diff -Nru yubico-piv-tool-1.4.2/debian/patches/series yubico-piv-tool-1.4.2/debian/patches/series --- yubico-piv-tool-1.4.2/debian/patches/series 1970-01-01 01:00:00.0 +0100 +++ yubico-piv-tool-1.4.2/debian/patches/series 201
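Review bot: in the debian/changelog hunk, the `Closes: #906128` continuation is at column 0 (`+Closes: #906128`, as rendered here) instead of being indented under the `* Backport the fix for CVE-2018-14779 & CVE-2018-14780` bullet; changelog body lines must start with at least two spaces, so this should read `+    Closes: #906128` (or be folded onto the bullet line) for dpkg-parsechangelog to accept the stanza and pick up the bug closure.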
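Review bot: the early `return YKPIV_SIZE_ERROR;` added in the `ykpiv_transfer_data()` hunk is the right fix, but the guarding comparison `*out_len + recv_len - 2 > max_out` only holds if `recv_len >= 2` is guaranteed before this point; `recv_len` is printed with `%lu`, so it is unsigned, and a response shorter than two bytes would wrap the subtraction and make the check pass. Either confirm that the earlier status-word handling already rejects such responses or add `recv_len < 2` to the condition. Since the `fprintf` line is being rewritten anyway, also fix the message: "Output buffer to small" should read "too small" and the format string has no trailing newline. The DEP-3 headers (`Origin:`, `Bug:`, `From:`, `Reviewed-by:`, `Last-Update:`, `Applied-Upstream:`) sit between the `index` line and the `--- a/lib/ykpiv.c` header; quilt tolerates that, but they belong at the top of the file next to `Subject:`.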
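Review bot: the new check in the `ykpiv_fetch_object()` hunk, `if(outlen > offs + 1 + *len)`, has the header size on the wrong side of the comparison. `*len` is the number of bytes actually received and the value starts at `data + 1 + offs` (one tag byte plus `offs` length bytes), so the following `memmove(data, data + 1 + offs, outlen)` stays within the received data only if `1 + offs + outlen <= *len`; the condition should therefore be `if(outlen + offs + 1 > *len)`. As written, an indicated length up to `2 * (offs + 1)` bytes larger than the received payload still passes and `memmove()` reads past the end of what was received. The error message also lacks a trailing newline, as in the 0001 patch.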
Bug#906258: stretch-pu: package yubico-piv-tool/1.4.2-2
On Fri, Feb 08, 2019 at 12:53:14PM +0000, Adam D. Barratt wrote:
> > On Wed, Aug 29, 2018 at 08:21:18AM +0100, Adam D. Barratt wrote:
> >
> > It seems the tags in the packaging repo do not actually match the uploads
> > to the archive, and I do not know why: this is a team-maintained package,
> > and the Yubico folks who did the original packaging (and are part of the
> > team) seem to have lost interest in maintaining their packages, so I have
> > no idea which process they were using.
>
> Sure, but when you upload the package it needs to contain the changes you
> expect. So either the change should be reverted, or it should be documented
> in the changelog (ideally with rationale).

Yes, definitely; I was just explaining why that slipped in (but I now know better and use debdiff).

> > It looks like something was uploaded, though:
>
> Didn't you do that? (Or your sponsor, I guess, but I still assumed you'd be
> aware.)
> [...]
> I didn't remove anything, no. I have nothing to do with the package, just
> looking at what's been proposed / uploaded in order to decide whether to
> accept it.

OK, I will go, do the necessary fixes and upload to stretch-pu again :)

Best,
nicoo
Bug#906258: stretch-pu: package yubico-piv-tool/1.4.2-2
On 2018-09-08 01:00, Nicolas Braud-Santoni wrote:
> Control: tag -1 - moreinfo
>
> Hi Adam,
>
> Sorry for getting back to you this late.

Likewise apologies for overlooking the response for so long.

> On Wed, Aug 29, 2018 at 08:21:18AM +0100, Adam D. Barratt wrote:
> > Control: tags -1 + moreinfo
> >
> > Why does the diff contain (and not mention):
> >
> > upstream-signing-key.pgp        | 1451 ---
> > upstream-signing-key.pgp.backup | 1451 +++
> > upstream/signing-key.asc        | 1966 ++
> >
> > ?
>
> It seems the tags in the packaging repo do not actually match the uploads
> to the archive, and I do not know why: this is a team-maintained package,
> and the Yubico folks who did the original packaging (and are part of the
> team) seem to have lost interest in maintaining their packages, so I have
> no idea which process they were using.

Sure, but when you upload the package it needs to contain the changes you expect. So either the change should be reverted, or it should be documented in the changelog (ideally with rationale).

> It looks like something was uploaded, though:

Didn't you do that? (Or your sponsor, I guess, but I still assumed you'd be aware.)

> > $ rmadison -s stable,stable-new yubico-piv-tool
> > yubico-piv-tool | 1.4.2-2        | stable     | source, amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x
> > yubico-piv-tool | 1.4.2-2+deb9u1 | stable-new | source, amd64
>
> I assume you removed the bogus upstream-signing-key.pgp change?

I didn't remove anything, no. I have nothing to do with the package, just looking at what's been proposed / uploaded in order to decide whether to accept it.

Regards,

Adam
Bug#906258: stretch-pu: package yubico-piv-tool/1.4.2-2
Control: tag -1 - moreinfo

Hi Adam,

Sorry for getting back to you this late.

On Wed, Aug 29, 2018 at 08:21:18AM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> Why does the diff contain (and not mention):
>
> upstream-signing-key.pgp        | 1451 ---
> upstream-signing-key.pgp.backup | 1451 +++
> upstream/signing-key.asc        | 1966 ++
>
> ?

It seems the tags in the packaging repo do not actually match the uploads to the archive, and I do not know why: this is a team-maintained package, and the Yubico folks who did the original packaging (and are part of the team) seem to have lost interest in maintaining their packages, so I have no idea which process they were using.

It looks like something was uploaded, though:

> $ rmadison -s stable,stable-new yubico-piv-tool
> yubico-piv-tool | 1.4.2-2        | stable     | source, amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x
> yubico-piv-tool | 1.4.2-2+deb9u1 | stable-new | source, amd64

I assume you removed the bogus upstream-signing-key.pgp change?

Best,
nicoo
Bug#906258: stretch-pu: package yubico-piv-tool/1.4.2-2
Control: tags -1 + moreinfo

On 2018-08-19 11:50, Nicolas Braud-Santoni wrote:
> Control: tag -1 - moreinfo
>
> On Thu, Aug 16, 2018 at 10:06:03AM +0200, Julien Cristau wrote:
> > This isn't fixed in sid.
>
> Yes, gwolf sponsored the upload, but it was rejected as his new signing
> subkey isn't yet in debian-keyring; I requested jcc@d.o to sponsor the
> upload instead.

Why does the diff contain (and not mention):

upstream-signing-key.pgp        | 1451 ---
upstream-signing-key.pgp.backup | 1451 +++
upstream/signing-key.asc        | 1966 ++

?

FWIW, this is precisely why the periodic mails to dda about stable uploads explicitly say that the bug you file against release.d.o must contain the full source debdiff, *not* simply a pointer to some off-BTS resource.

Regards,

Adam
Bug#906258: stretch-pu: package yubico-piv-tool/1.4.2-2
Control: tag -1 - moreinfo

On Thu, Aug 16, 2018 at 10:06:03AM +0200, Julien Cristau wrote:
> This isn't fixed in sid.

Yes, gwolf sponsored the upload, but it was rejected as his new signing subkey isn't yet in debian-keyring; I requested jcc@d.o to sponsor the upload instead.

Best,
nicoo
Bug#906258: stretch-pu: package yubico-piv-tool/1.4.2-2
Control: tag -1 + moreinfo
Control: tag -1 - security

On 08/16/2018 10:01 AM, Nicolas Braud-Santoni wrote:
> Package: release.debian.org
> Severity: normal
> Tags: stretch security
> User: release.debian@packages.debian.org
> Usertags: pu
> Control: block 906128 by -1
>
> Hi,
>
> I would like to upload a fix for #906128 (CVE-2018-14779 and CVE-2018-14780)
> to stretch-pu; I already backported the fix from upstream to v1.4.2, and my
> work is in the branch debian/stretch of the packaging repository:
>
> https://salsa.debian.org/auth-team/yubico-piv-tool.git
>
> #906128 was marked by the security team as a minor issue not requiring a DSA
> and an upload to stretch-security.

This isn't fixed in sid.

Cheers,
Julien
Bug#906258: stretch-pu: package yubico-piv-tool/1.4.2-2
Package: release.debian.org
Severity: normal
Tags: stretch security
User: release.debian@packages.debian.org
Usertags: pu
Control: block 906128 by -1

Hi,

I would like to upload a fix for #906128 (CVE-2018-14779 and CVE-2018-14780) to stretch-pu; I already backported the fix from upstream to v1.4.2, and my work is in the branch debian/stretch of the packaging repository:

https://salsa.debian.org/auth-team/yubico-piv-tool.git

#906128 was marked by the security team as a minor issue not requiring a DSA and an upload to stretch-security.

Best,
nicoo

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.17.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled