Bug#856187: (no subject)

[Fabrice Dagorn]

Dear Maintainer,

here is a patch for your 2.8-2 package fixing this bug.
Sorry for #856198, I thought it would help.

Regards,
 Fabrice Dagorn

Index: entropybroker-2.8/handle_client.cpp
===
--- entropybroker-2.8.orig/handle_client.cpp
+++ entropybroker-2.8/handle_client.cpp
@@ -698,23 +698,35 @@ void main_loop(std::vector *
 			// this way we go through each fd in the process_pipe_from_client_thread part
 			// so that we detect closed fds
 			int set = 0;
+			int failed = 0;
 			for(unsigned int i=0; i at(loop) -> to_main[0] && fds.at(i).revents & POLLIN) {
-	set = 1;
-	break;
+if(fds.at(i).fd == clients -> at(loop) -> to_main[0])
+{
+	if(fds.at(i).revents & POLLIN)
+	{
+		set = 1;
+		break;
+	}
+	if(fds.at(i).revents & (POLLERR|POLLHUP|POLLNVAL))
+	{
+		failed = 1;
+		break;
+	}
 };
 			};
 			if(rc > 0 && set == 1 ) {
 
 if (process_pipe_from_client_thread(clients -> at(loop), _clients, _servers) == -1)
-{
-	dolog(LOG_INFO, "main|connection with %s/%s lost", clients -> at(loop) -> host.c_str(), clients -> at(loop) -> type.c_str());
+	failed = 1;
+			}
+			if(rc > 0 && failed == 1 ) {
 
-	user_map -> inc_misc_errors(clients -> at(loop) -> username);
-	gs -> inc_misc_errors();
+dolog(LOG_INFO, "main|connection with %s/%s lost", clients -> at(loop) -> host.c_str(), clients -> at(loop) -> type.c_str());
 
-	delete_ids.push_back( -> at(loop) -> th);
-}
+user_map -> inc_misc_errors(clients -> at(loop) -> username);
+gs -> inc_misc_errors();
+
+delete_ids.push_back( -> at(loop) -> th);
 			}
 		}

Processed: The problem has been in sitesummary since the start

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> found 852623 0.1.7
Bug #852623 {Done: Holger Levsen } [sitesummary] 
sitesummary-client fails to submit data
Marked as found in versions sitesummary/0.1.7.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
852623: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852623
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#852623: sitesummary-client fails to submit data

[Petter Reinholdtsen]

[Holger Levsen
> I've decided to just go the simple route as shown above. The fix will
> hit us in jessie with the next apache2 security update, so??? meh.

The apache update hit a few hours ago, and block all jessie clients from
reporting to their sitesummary collector running Jessie.

This is quite bad, as it break updates to the Nagios configuration for those
of us using the configuration generated by Sitesummary.

Anyone planning a backport to Jessie?

-- 
Happy hacking
Petter Reinholdtsen

Processed: your mail

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> found 856259 2.5-2+v2.4-3
Bug #856259 [wpasupplicant] wpasupplicant: missing dependency on ifupdown
Marked as found in versions wpa/2.5-2+v2.4-3.
> found 856259 2:2.4-1
Bug #856259 [wpasupplicant] wpasupplicant: missing dependency on ifupdown
Marked as found in versions wpa/2:2.4-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
856259: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856259
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#856259: wpasupplicant: missing dependency on ifupdown

[Michael Gilbert]

package: wpasupplicant
severity: serious
justification: policy 3.5
version: 2.5-2+v2.4-3, 2:2.4-1

wpasupplicant relies on ifupdown, but there is no relationship to it
declared in the packaging.

For example, without ifupdown installed running these commands:

# ifconfig wlan0 create wlandev iwn0
# wpa_supplicant -i wlan0 -c wpa.conf

causes the wpa_supplicant process to hang using 100% CPU.

Once ifupdown is installed, the exact same set of commands and same
conf file, wpasupplicant correctly connects to my access point.

Best wishes,
Mike

Bug#856211: anna: please implement SHA256 verification of .udeb files

[Cyril Brulebois]

Steven Chamberlain  (2017-02-26):
> To date, anna still only implements MD5 verification of .udeb files,
> despite its formal deprecation as a digital signature algorithm by
> RFC6151 (2011) and recommendations of academic literature years prior.
> 
> The files are typically downloaded via insecure HTTP transport, so the
> checksum verification is critical for the security of the installed
> system.  stretch is expected to be a supported release until 2022.  So
> I'm tentatively filing this bug as RC-severity.
> 
> Further context and an overview of related bugs will be published at:
> https://wiki.debian.org/InstallerDebacle

AFAICT net-retriever does the fetching and checking work?


KiBi.


signature.asc
Description: Digital signature

Bug#855928: marked as done (golang-1.6: FTBFS: tests failed)

[Debian Bug Tracking System]

Your message dated Mon, 27 Feb 2017 16:02:21 +1300
with message-id 

Bug#855926: marked as done (golang: FTBFS: tests failed)

[Debian Bug Tracking System]

Your message dated Mon, 27 Feb 2017 16:00:33 +1300
with message-id 

Bug#855451: marked as done (inn2: FTBFS: objdump: … passwd/auth_krb5': No such file)

[Debian Bug Tracking System]

Your message dated Mon, 27 Feb 2017 01:50:17 +
with message-id 
and subject line Bug#855451: fixed in inn2 2.6.1-2
has caused the Debian Bug report #855451,
regarding inn2: FTBFS: objdump: … passwd/auth_krb5': No such file
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
855451: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855451
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: inn2
Version: 2.6.1-1
Severity: serious

In the last build on buildds [0] there is piece:

|dh_shlibdeps --exclude=/usr/lib/news/bin/auth/passwd/auth_krb5 -- \
|   -dSuggests 
/«PKGBUILDDIR»/debian/inn2/usr/lib/news/bin/auth/passwd/auth_krb5 \
|  
/«PKGBUILDDIR»/debian/inn2-lfs/usr/lib/news/bin/auth/passwd/auth_krb5 \
|   -dDepends
|objdump: 
'/«PKGBUILDDIR»/debian/inn2-lfs/usr/lib/news/bin/auth/passwd/auth_krb5': No 
such file
|dpkg-shlibdeps: warning: debian/inn2/usr/lib/news/libstorage.so.3.0.1 contains 
an unresolvable reference to symbol HISlookup: it's probably a plugin
|objdump: 
'/«PKGBUILDDIR»/debian/inn2-lfs/usr/lib/news/bin/auth/passwd/auth_krb5': No 
such file
|dh_gencontrol --no-package=inn2-lfs -- \

and it continued to build the package. Now I tried the same [1] and it
failed:

|dh_shlibdeps --exclude=/usr/lib/news/bin/auth/passwd/auth_krb5 -- \
|   -dSuggests 
/<>/debian/inn2/usr/lib/news/bin/auth/passwd/auth_krb5 \
|  
/<>/debian/inn2-lfs/usr/lib/news/bin/auth/passwd/auth_krb5 \
|   -dDepends
|dpkg-shlibdeps: error: cannot read 
/<>/debian/inn2-lfs/usr/lib/news/bin/auth/passwd/auth_krb5: No 
such file or directory
|dh_shlibdeps: dpkg-shlibdeps -Tdebian/inn2.substvars -dSuggests 
/<>/debian/inn2/usr/lib/news/bin/auth/passwd/auth_krb5 
/<>/debian/inn2-lfs/usr/lib/news/bin/auth/passwd/auth_krb5 
-dDepends debian/inn2/usr/lib/news/bin/auth/resolv/domain 
debian/inn2/usr/lib/news/bin/auth/resolv/ident 
debian/inn2/usr/lib/news/bin/auth/passwd/ckpasswd 
debian/inn2/usr/lib/news/bin/auth/passwd/radius 
debian/inn2/usr/lib/news/bin/innbind debian/inn2/usr/lib/news/bin/buffindexed_d 
debian/inn2/usr/lib/news/bin/tdx-util debian/inn2/usr/lib/news/bin/innd 
debian/inn2/usr/lib/news/bin/tinyleaf debian/inn2/usr/lib/news/bin/nnrpd 
debian/inn2/usr/lib/news/bin/innfeed debian/inn2/usr/lib/news/bin/imapfeed 
debian/inn2/usr/lib/news/bin/convdate debian/inn2/usr/lib/news/bin/fastrm 
debian/inn2/usr/lib/news/bin/grephistory debian/inn2/usr/lib/news/bin/expire 
debian/inn2/usr/lib/news/bin/expireover debian/inn2/usr/lib/news/bin/makedbz 
debian/inn2/usr/lib/news/bin/makehistory 
debian/inn2/usr/lib/news/bin/prunehistory debian/inn2/usr/lib/news/bin/ctlinnd 
debian/inn2/usr/lib/news/bin/ovdb_init 
debian/inn2/usr/lib/news/bin/ovdb_monitor 
debian/inn2/usr/lib/news/bin/ovdb_server debian/inn2/usr/lib/news/bin/ovdb_stat 
debian/inn2/usr/lib/news/bin/getlist debian/inn2/usr/lib/news/bin/innconfval 
debian/inn2/usr/lib/news/bin/sm debian/inn2/usr/lib/news/bin/overchan 
debian/inn2/usr/lib/news/bin/actsync debian/inn2/usr/lib/news/bin/archive 
debian/inn2/usr/lib/news/bin/batcher debian/inn2/usr/lib/news/bin/buffchan 
debian/inn2/usr/lib/news/bin/cvtbatch debian/inn2/usr/lib/news/bin/filechan 
debian/inn2/usr/lib/news/bin/inndf debian/inn2/usr/lib/news/bin/innxbatch 
debian/inn2/usr/lib/news/bin/innxmit debian/inn2/usr/lib/news/bin/ninpaths 
debian/inn2/usr/lib/news/bin/nntpget debian/inn2/usr/lib/news/bin/shlock 
debian/inn2/usr/lib/news/bin/shrinkfile 
debian/inn2/usr/lib/news/libstorage.so.3.0.1 
debian/inn2/usr/lib/news/libinnhist.so.3.0.1 returned exit code 2
|debian/rules:193: recipe for target 'install5' failed

What I figured out is that it builds with dpkg 1.18.18 and fails with
(current) 1.18.22. I have no idea if this is a inn2 bug or a dpkg
regression.

[0] 
https://buildd.debian.org/status/fetch.php?pkg=inn2=amd64=2.6.1-1=1483062536=0
[1] 
https://breakpoint.cc/openssl-rebuild/2017-02-16-rebuild-sid-openssl1.1.0e/attempted/inn2_2.6.1-1_amd64-2017-02-16T20%3A56%3A56Z

Sebastian
--- End Message ---
--- Begin Message ---
Source: inn2
Source-Version: 2.6.1-2

We believe that the bug you reported is fixed in the latest version of
inn2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 855...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.

Bug#851852: marked as done (netdata: postfix/postdrop Read-only filesystem)

[Debian Bug Tracking System]

Your message dated Mon, 27 Feb 2017 00:18:51 +
with message-id 
and subject line Bug#851852: fixed in netdata 1.5.0+dfsg-3
has caused the Debian Bug report #851852,
regarding netdata: postfix/postdrop Read-only filesystem
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
851852: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851852
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: netdata
Version: 1.4.0+dfsg-3
Severity: normal

Dear Maintainer,
After installing netdata system logs are flooded with following errors:
jan 19 11:40:06 server postfix/postdrop[11512]: warning: mail_queue_enter: 
create file maildrop/770542.11512: Read-only file system

It seems that netdata runs postdrop as netdata user so I've tried to add 
netdtata to postdrop group. Unfortunately it didn't help.
I'm not sure why I'm getting those Read-only filesystem errors. Issue is 
reproducible on two different servers - both have postfix
configured as MTA.

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.8.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages netdata depends on:
ii  adduser  3.115
ii  fonts-font-awesome   4.7.0~dfsg-1
ii  init-system-helpers  1.47
ii  libc62.24-9
ii  libcap2-bin  1:2.25-1
ii  libjs-bootstrap  3.3.7+dfsg-2
ii  libjs-d3 3.5.17-1
ii  libjs-jquery 3.1.1-2
ii  libjs-raphael2.1.0-1
ii  libuuid1 2.29-1
ii  lsb-base 9.20161125
ii  netdata-data 1.4.0+dfsg-3
ii  python   2.7.13-1
ii  zlib1g   1:1.2.8.dfsg-4

netdata recommends no packages.

netdata suggests no packages.

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: netdata
Source-Version: 1.5.0+dfsg-3

We believe that the bug you reported is fixed in the latest version of
netdata, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 851...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Federico Ceratto  (supplier of updated netdata package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sun, 26 Feb 2017 23:58:43 +
Source: netdata
Binary: netdata netdata-data
Architecture: source all amd64
Version: 1.5.0+dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Lennart Weller 
Changed-By: Federico Ceratto 
Description:
 netdata- real-time charts for system monitoring
 netdata-data - real-time charts for system monitoring (Data)
Closes: 851852
Changes:
 netdata (1.5.0+dfsg-3) unstable; urgency=medium
 .
   * Update service unit configuration (Closes: #851852)
Checksums-Sha1:
 bd77c1e58a246468655855e01ac4d824f18a90f7 2108 netdata_1.5.0+dfsg-3.dsc
 1c07e5fa98d9a3feeb90a2033bc793200231075b 419856 
netdata_1.5.0+dfsg-3.debian.tar.xz
 5697facbdcc79d86a75817897b1742f38690571e 736772 
netdata-data_1.5.0+dfsg-3_all.deb
 4510b66c67151f1033da90bc526d708e97419b79 901222 
netdata-dbgsym_1.5.0+dfsg-3_amd64.deb
 07fa4d5a1660f1ac7ef71f1370d96f802a3aa9f3 5119 
netdata_1.5.0+dfsg-3_amd64.buildinfo
 ccbfbd71278147a8eb4350ba57d4ef00143c8a65 430200 netdata_1.5.0+dfsg-3_amd64.deb
Checksums-Sha256:
 74ac5544662b53b74f49e8fd9688adbb311d62ed964e930b88ab66a82cf709c5 2108 
netdata_1.5.0+dfsg-3.dsc
 61882b74c0f7ef6c36cbfa8ef54469bf632575a1e5ecabe71c71b7bac3f49977 419856 
netdata_1.5.0+dfsg-3.debian.tar.xz
 a32504a7749920e6af41b650f11e3302aaa2e9539d6d6a595e5b858d2c07ae90 736772 
netdata-data_1.5.0+dfsg-3_all.deb
 c8d02b5acf5eafa65b216113fa767833b71f0c547f1a2cf5617d51c7b58c7e3f 901222 
netdata-dbgsym_1.5.0+dfsg-3_amd64.deb
 998e1edb0534f4c9d1d3cf8fcfb531157f39b08c77ff543dceabe58a9d602549 5119 
netdata_1.5.0+dfsg-3_amd64.buildinfo
 4ab59756c48f858282ca6f189f32b562cd9c10467690008b08c986954f0d8ddd 430200 
netdata_1.5.0+dfsg-3_amd64.deb
Files:
 a040b189c261ea1d3e3516f406bc878a 2108 net optional 

Bug#855930: Bug#853119: Request to take a look at #855930

[Norbert Preining]

> > So lulaatex seems to really use the HOME directory.

PS @Tomasz, that was my question concerning /var writable!
I used a cowbuilder where the building user is root, thus the
font database is built in /var/lib/texmf (TEXMFSYSVAR), while
when run as other user it is ~/.texlive2016/... (TEXMFVAR)

You can do
export TEXMFVAR=/path/to/some/writable/dir
before running the make process to get something similar working.

Best

Norbert

--
PREINING Norbert   http://www.preining.info
Accelia Inc. +JAIST +TeX Live +Debian Developer
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13

Bug#855930: Bug#853119: Request to take a look at #855930

[Norbert Preining]

> > So lulaatex seems to really use the HOME directory.

Yes, of course, because it has to update the font database.

Complain to the author of the whole setup about extra
font database in lua format (Hans Hagen of ConTeXt) for
that requirement, but that is the way it is.

Lualatex maintains a database of all the otf/ttf fonts
decomposed into lua code.

Ah and yes, that has been the case already since ages.

Best

Norbert

--
PREINING Norbert   http://www.preining.info
Accelia Inc. +JAIST +TeX Live +Debian Developer
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13

Bug#855930: Bug#853119: Request to take a look at #855930

[Tomasz Buchert]

On 26/02/17 23:49, Vincent Danjean wrote:
> [...]
>
> And, for more info:
> $ mkdir p
> $ HOME=p lualatex lualatex-example.tex
> This is LuaTeX, Version 0.95.0 (TeX Live 2016/Debian)
> [...]
> luaotfload | db : Font names database not found, generating new one.
> luaotfload | db : This can take several minutes; please be patient.(compiling 
> luc: /var/li
> b/texmf/luatex-cache/generic/fonts/otl/lmroman10-regular.luc)(compiling luc: 
> p/
> .texlive2016/texmf-var/luatex-cache/generic/fonts/otl/lmroman10-regular.luc)(sa
> ve: 
> p/.texlive2016/texmf-var/luatex-cache/generic/fonts/otl/lmroman10-regular.l
> ua)(save: 
> p/.texlive2016/texmf-var/luatex-cache/generic/fonts/otl/lmroman10-reg
> ular.luc)))
> [...]
> $ find p
> p
> p/.texlive2016
> p/.texlive2016/texmf-var
> p/.texlive2016/texmf-var/luatex-cache
> p/.texlive2016/texmf-var/luatex-cache/generic
> p/.texlive2016/texmf-var/luatex-cache/generic/names
> p/.texlive2016/texmf-var/luatex-cache/generic/names/luaotfload-lookup-cache.luc
> p/.texlive2016/texmf-var/luatex-cache/generic/names/luaotfload-names.lua.gz
> p/.texlive2016/texmf-var/luatex-cache/generic/names/luaotfload-names.luc
> p/.texlive2016/texmf-var/luatex-cache/generic/names/luaotfload-lookup-cache.lua
> p/.texlive2016/texmf-var/luatex-cache/generic/fonts
> p/.texlive2016/texmf-var/luatex-cache/generic/fonts/otl
> p/.texlive2016/texmf-var/luatex-cache/generic/fonts/otl/lmroman10-regular.luc
> p/.texlive2016/texmf-var/luatex-cache/generic/fonts/otl/lmroman10-regular.lua
> $
>
> So lulaatex seems to really use the HOME directory.
>
>   Regards,
> Vincent
>

Wow, a really nice find!

Tomasz


signature.asc
Description: PGP signature

Bug#856210: libdebian-installer: please parse SHA256 field and add it to di_* structs

[Steven Chamberlain]

Hi,

Bastian Blank wrote:
> This change breaks the existing ABI and therefor needs an ABI bump, but
> it is missing from the patch.

I agree, that should be done.  Thanks.

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org


signature.asc
Description: Digital signature

Bug#851060: libnids 1.23-2.1 NMU

[Marcos Fouces]

El 26/02/17 a las 18:05, James Cowgill escribió:


Well now that I've collected all the fixes together and tested it, I'm
going to do the NMU anyway :)


Good to read that! Now i will try to contact Vassillis. if he is MIA, 
then i incorporate libnids to pkg-security team.


Cheers,

Marcos




Control: tags -1 patch pending

Hi,

On 25/02/17 18:00, James Cowgill wrote:

On 23/02/17 22:44, Marcos Fouces wrote:

I am agree with you, when i fix these bugs i will create a separate git
branch, cherry-pick only freeze-allowed changes and try to get a package
ready for stretch.

Ok. Since I can now get dsniff working, I will happily NMU this unless
you want to do it.

Well now that I've collected all the fixes together and tested it, I'm
going to do the NMU anyway :)

Uploaded NMU attached.

Thanks,
James

Bug#855930: Bug#853119: Request to take a look at #855930

[Vincent Danjean]

Le 26/02/2017 à 23:37, Vincent Danjean a écrit :
> I eventually succeeded in reproducing the bug: lualatex needs a
> writable HOME directory. On my plain (sid) system:
> $ cat lualatex-example.tex
> \documentclass{article}
> \usepackage{luacode}
> \begin{document}
> A random number:
> \begin{luacode}
> tex.print(math.random())
> \end{luacode}
> \end{document}
> $ lualatex lualatex-example.tex
> This is LuaTeX, Version 0.95.0 (TeX Live 2016/Debian)
> [...]
> Transcript written on lualatex-example.log.
> $ HOME=/non-existatn lualatex lualatex-example.tex
> This is LuaTeX, Version 0.95.0 (TeX Live 2016/Debian)
>  restricted system commands enabled.
> (./lualatex-example.tex
> LaTeX2e <2017/01/01> patch level 1
> 
> quiting: fix your writable cache path

And, for more info:
$ mkdir p
$ HOME=p lualatex lualatex-example.tex
This is LuaTeX, Version 0.95.0 (TeX Live 2016/Debian)
[...]
luaotfload | db : Font names database not found, generating new one.
luaotfload | db : This can take several minutes; please be patient.(compiling 
luc: /var/li
b/texmf/luatex-cache/generic/fonts/otl/lmroman10-regular.luc)(compiling luc: p/
.texlive2016/texmf-var/luatex-cache/generic/fonts/otl/lmroman10-regular.luc)(sa
ve: p/.texlive2016/texmf-var/luatex-cache/generic/fonts/otl/lmroman10-regular.l
ua)(save: p/.texlive2016/texmf-var/luatex-cache/generic/fonts/otl/lmroman10-reg
ular.luc)))
[...]
$ find p
p
p/.texlive2016
p/.texlive2016/texmf-var
p/.texlive2016/texmf-var/luatex-cache
p/.texlive2016/texmf-var/luatex-cache/generic
p/.texlive2016/texmf-var/luatex-cache/generic/names
p/.texlive2016/texmf-var/luatex-cache/generic/names/luaotfload-lookup-cache.luc
p/.texlive2016/texmf-var/luatex-cache/generic/names/luaotfload-names.lua.gz
p/.texlive2016/texmf-var/luatex-cache/generic/names/luaotfload-names.luc
p/.texlive2016/texmf-var/luatex-cache/generic/names/luaotfload-lookup-cache.lua
p/.texlive2016/texmf-var/luatex-cache/generic/fonts
p/.texlive2016/texmf-var/luatex-cache/generic/fonts/otl
p/.texlive2016/texmf-var/luatex-cache/generic/fonts/otl/lmroman10-regular.luc
p/.texlive2016/texmf-var/luatex-cache/generic/fonts/otl/lmroman10-regular.lua
$

So lulaatex seems to really use the HOME directory.

  Regards,
Vincent

-- 
Vincent Danjean   GPG key ID 0xD17897FA vdanj...@debian.org
GPG key fingerprint: 621E 3509 654D D77C 43F5  CA4A F6AE F2AF D178 97FA
Unofficial pkgs: http://moais.imag.fr/membres/vincent.danjean/deb.html
APT repo:  deb http://people.debian.org/~vdanjean/debian unstable main

Bug#856212: cdebootstrap: please implement SHA256 verification of .deb files

[Steven Chamberlain]

Hi,

Bastian Blank wrote:
> I was not able to provide a real fix as I'm rather time constrained.

Don't worry, I'm prepared to write patches.  But I wonder:

  * is it okay to drop MD5 support, when implementing SHA256?
  * must we fix this before the stretch release?  or otherwise, would it
be possible to make such a big change in a stable point release?

> However please provide this information, as I only found something with
> about 2^120 for preimage attacks on MD5, which is still not fesable in
> real live.

Last time I brought up the topic, that argument was given.

But maybe it's the wrong approach to ask "are we *sure* MD5 is broken
and we must replace it?".  We need to make a prediction that lasts the
supported lifetime of stretch (until 2022?);  and some adversaries do
not reveal their capabilities.

It's actually kind of bizarre that we've published SHA256 sums in the
archive since 2007 and *still* don't use them here.  I think there is a
greater risk that we forget, or be too lazy, than we do this 'too soon'.

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org


signature.asc
Description: Digital signature

Bug#855930: Bug#853119: Request to take a look at #855930

[Vincent Danjean]

Le 26/02/2017 à 22:37, Lucas Nussbaum a écrit :
> On 26/02/17 at 21:41 +0100, Vincent Danjean wrote:
>> Can you elaborate? I cannot reproduce this failure. It works
>> in my sbuild environment.
> 
> if you have a successful build with sbuild, please provide the build
> log: it's usually useful to just diff the build logs to compare list of
> packages.

Looking at the machine, it seems it was not a sbuild, but a build
in my new testing chroot (created with debootstrap, buildd variant).
  So, I just digged more into it as my sbuild invocation fails indeed.

The installed packages are the same (but sbuild-build-depends-core-dummy
and sbuild-build-depends-latex-make-dummy of course).

I eventually succeeded in reproducing the bug: lualatex needs a
writable HOME directory. On my plain (sid) system:
$ cat lualatex-example.tex
\documentclass{article}
\usepackage{luacode}
\begin{document}
A random number:
\begin{luacode}
tex.print(math.random())
\end{luacode}
\end{document}
$ lualatex lualatex-example.tex
This is LuaTeX, Version 0.95.0 (TeX Live 2016/Debian)
[...]
Transcript written on lualatex-example.log.
$ HOME=/non-existatn lualatex lualatex-example.tex
This is LuaTeX, Version 0.95.0 (TeX Live 2016/Debian)
 restricted system commands enabled.
(./lualatex-example.tex
LaTeX2e <2017/01/01> patch level 1

quiting: fix your writable cache path


  So Norbert, should I reassign this bug to texlive-luatex (it seems
a regression), so should I provide an (temporary empty) writable HOME
directory during the lualatex invocation?

  Regards,
Vincent

-- 
Vincent Danjean   GPG key ID 0xD17897FA vdanj...@debian.org
GPG key fingerprint: 621E 3509 654D D77C 43F5  CA4A F6AE F2AF D178 97FA
Unofficial pkgs: http://moais.imag.fr/membres/vincent.danjean/deb.html
APT repo:  deb http://people.debian.org/~vdanjean/debian unstable main

Processed: fix found version for 855434

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> # testing is also affected
> found 855434 55.0.2883.75-6
Bug #855434 [chromium] chromium: builds with experimental features enabled
Marked as found in versions chromium-browser/55.0.2883.75-6.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
855434: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855434
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#856212: cdebootstrap: please implement SHA256 verification of .deb files

[Bastian Blank]

On Sun, Feb 26, 2017 at 04:32:43PM +, Steven Chamberlain wrote:
> To date, cdebootstrap still only implements MD5 verification of .deb
> files, despite its formal deprecation as a digital signature algorithm
> by RFC6151 (2011) and recommendations of academic literature years
> prior.

I was not able to provide a real fix as I'm rather time constrained.
However please provide this information, as I only found something with
about 2^120 for preimage attacks on MD5, which is still not fesable in
real live.

Bastian

-- 
Klingon phaser attack from front!
100% Damage to life support

Bug#855930: Bug#853119: Request to take a look at #855930

[Lucas Nussbaum]

On 26/02/17 at 21:41 +0100, Vincent Danjean wrote:
>   Lucas: can you tell us how more on how the build environment
> is generated ?

Hi,

I used sbuild-createchroot, then manually cleaned it with debfoster. But
there should be nothing special about it, except the removal of lsb-base
and tzdata which are no longer essential packages.

> > However, if you build w sbuild, this seems to fail.
> 
> Can you elaborate? I cannot reproduce this failure. It works
> in my sbuild environment.

if you have a successful build with sbuild, please provide the build
log: it's usually useful to just diff the build logs to compare list of
packages.

Lucas

Bug#856064: libdbd-mysql-perl: reads of floats currupted as 0

[Ivo De Decker]

Hi,

On Sun, Feb 26, 2017 at 09:49:44PM +0100, gregor herrmann wrote:
> > So from my point of view, as it is two days until the 1st of March right
> > now (at least in my timezone) we need to get a fixed version of
> > libdbd-mysql-perl in unstable by tomorrow at the latest. Is this going
> > to be possible?
> 
> Sure, I just uploaded 4.041-2 to unstable.

Unblocked libdbd-mysql-perl.

> Thanks for handling all this stuff!

Cheers,

Ivo

Bug#854740: marked as done (CVE-2017-5591)

[Debian Bug Tracking System]

Your message dated Sun, 26 Feb 2017 21:13:31 +
with message-id 
and subject line Bug#854740: fixed in slixmpp 1.2.2-1.1
has caused the Debian Bug report #854740,
regarding CVE-2017-5591
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
854740: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854740
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: slixmpp
Severity: grave
Tags: security

Please see http://seclists.org/oss-sec/2017/q1/373

Cheers,
Moritz
--- End Message ---
--- Begin Message ---
Source: slixmpp
Source-Version: 1.2.2-1.1

We believe that the bug you reported is fixed in the latest version of
slixmpp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 854...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany  (supplier of updated slixmpp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 26 Feb 2017 20:31:13 +0100
Source: slixmpp
Binary: python3-slixmpp python3-slixmpp-lib python-slixmpp-doc
Architecture: source
Version: 1.2.2-1.1
Distribution: unstable
Urgency: medium
Maintainer: Tanguy Ortolo 
Changed-By: Markus Koschany 
Description:
 python-slixmpp-doc - Threadless, event-based XMPP Python library 
(documentation)
 python3-slixmpp - Threadless, event-based XMPP Python 3 library
 python3-slixmpp-lib - Threadless, event-based XMPP Python 3 library (optional 
binary mo
Closes: 854740
Changes:
 slixmpp (1.2.2-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix CVE-2017-5591:
 An incorrect implementation of XEP-0280: Message Carbons in slixmpp allows
 a remote attacker to impersonate any user, including contacts, in the
 vulnerable application's display. This allows for various kinds of social
 engineering attacks. (Closes: #854740)
Checksums-Sha1:
 46b3e2f43e47932490b3f1a00b03a88dc540fe80 2252 slixmpp_1.2.2-1.1.dsc
 6dafb322b6815acac3e0d95b9a4988908c6d7aed 8452 slixmpp_1.2.2-1.1.debian.tar.xz
 b8e9f3a121fae2278e93bfe0df4db3157ee77ebb 6942 slixmpp_1.2.2-1.1_amd64.buildinfo
Checksums-Sha256:
 9c111c793ebac871e8591bca087aad16f3d60e372f0bfe5dc2bc0c5f1a134e16 2252 
slixmpp_1.2.2-1.1.dsc
 1c3c0bf4ed0772df23dabcba00e61fc50871ba64cf25372fc7aa59d9582c02a9 8452 
slixmpp_1.2.2-1.1.debian.tar.xz
 50d2e0ff43742f677d773e7a4d899e8db73b74b665e8ed5fbe1ab637d4844588 6942 
slixmpp_1.2.2-1.1_amd64.buildinfo
Files:
 cedb1677faf8d2cca88e79f4a2db7029 2252 python optional slixmpp_1.2.2-1.1.dsc
 a3cc21b7eab8436d0699b1c7cafca776 8452 python optional 
slixmpp_1.2.2-1.1.debian.tar.xz
 ed65e3223d6c7d36832ee779c163a668 6942 python optional 
slixmpp_1.2.2-1.1_amd64.buildinfo

-BEGIN PGP SIGNATURE-

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlizMMFfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkbqMP/3MjcdbCmht4c8/acYslXzAVyEygGbTiUpyW
QngqTVaHxWoogsGLMMeMqJVJjVEukL/9liIVBxRaGByGKwIMqbLM9jNG6+zuva7k
ergCoSvcksnsBrA9St5ovKPax2UBGxb1JDD4wUq0/JkhRHPvS6D2qT4rn0JU25Jz
m/30NsommR4VEQJW7YvBHwxFRkPBflJE4F58vwrrYQoBQgdSH1f5LQhg7/2CRMri
XwBaNEDkjqhBQObOySr69/MDKq3EonzXYxU/TI4PhxPGCHSmXIZSoIWkQ0E4zlNC
pHuM4AjksP8Glbs7YP+AX26xFV6C1ikR2nNWnXIpeb5Ic/kM0dg1HPh2qfFJMAyx
xYjBqkGP8BQGN9FugWghmx2sbuBz5kn3LxRSF/T2pZHL0IV9cRC6ekRZz9NoNKj8
ODQjFsl1Y9fPM1KObsouxXKp3NFZtuTRdLGBEm1oI0T4xMEggiQc/cBDAYu9a4OC
MC21YRGh30hiPG17cDSoHmDn4L4rvsUIYGfU5nhZk/eEYKy3RMzy51O3rcM/0s0G
OuGKqU7pDcffJ8aJCDoNr9aDpVEL9XTWlvqhb3hNUJKEb0NNJBjQp/H4+tNnA2Pz
otBAEn/I5AlCDUiZOw19xM47wcfXGBYkIDmRYhTwdtlyFyzXqxU1tLzRrZDw7rX2
yv5Sm5UI
=0OGy
-END PGP SIGNATURE End Message ---

Bug#808463: marked as done (ntfs-3g: non-free code in boot.c)

[Debian Bug Tracking System]

Your message dated Sun, 26 Feb 2017 21:12:53 +
with message-id 
and subject line Bug#808463: fixed in ntfs-3g 1:2016.2.22AR.1+dfsg-1
has caused the Debian Bug report #808463,
regarding ntfs-3g: non-free code in boot.c
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
808463: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808463
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ntfs-3g
Version: 0.0.0+20070920-1
Severity: serious

On Dec 20, Sam Morris  wrote:

> That reminds me... I wonder if anyone has looked into the legal status of
> boot_array from ntfs-3g?
> 
> https://sources.debian.net/src/ntfs-3g/1:2015.3.14AR.1-1/ntfsprogs/boot.c/
There is not much to look at: while it would be hard to argue that this 
Microsoft-originated software cannot be redistributed for this purpose, 
I think that it is quite obvious that it is missing the corresponding 
source code and that until proven otherwise it must be assumed to not 
allow derivate works.
So it is clearly not DFSG free and should eventually be removed.

Unless I am missing something about the NTFS on-disk structure, then the 
first 512 bytes (the boot record proper) can be easily replaced by the 
code from dosfstools and the rest (the first part of NTLDR) can be 
omitted since it is only useful if you need to boot a Windows OS from 
the disk, which would need to be installed from other sources anyway
(Windows PE has a program to install NTLDR, in needed).

-- 
ciao,
Marco


signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: ntfs-3g
Source-Version: 1:2016.2.22AR.1+dfsg-1

We believe that the bug you reported is fixed in the latest version of
ntfs-3g, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 808...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS)  (supplier of updated ntfs-3g package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sun, 26 Feb 2017 12:34:31 +
Source: ntfs-3g
Binary: ntfs-3g ntfs-3g-dbg ntfs-3g-dev libntfs-3g871 ntfs-3g-udeb
Architecture: source amd64
Version: 1:2016.2.22AR.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) 
Changed-By: Laszlo Boszormenyi (GCS) 
Description:
 libntfs-3g871 - read/write NTFS driver for FUSE (runtime library)
 ntfs-3g- read/write NTFS driver for FUSE
 ntfs-3g-dbg - read/write NTFS driver for FUSE (debug)
 ntfs-3g-dev - read/write NTFS driver for FUSE (development)
 ntfs-3g-udeb - read/write NTFS driver for FUSE (udeb)
Closes: 808463
Changes:
 ntfs-3g (1:2016.2.22AR.1+dfsg-1) unstable; urgency=medium
 .
   * Repack source to have a DFSG free NTFS boot sector (closes: #808463) and
 update copyright accordingly.
   * Update watch file to mangle +dfsg from source version.
Checksums-Sha1:
 ef06138e977b4d5a836f434699e7b1696560d076 2283 ntfs-3g_2016.2.22AR.1+dfsg-1.dsc
 9ce8f628cc38290c96e0ca941fe357f0367693e5 854400 
ntfs-3g_2016.2.22AR.1+dfsg.orig.tar.xz
 266b79388f4153f7091cb54cf6c560fac38fb060 23208 
ntfs-3g_2016.2.22AR.1+dfsg-1.debian.tar.xz
 061f5bc84be3c19a50984c18e1e3586e71004dab 164784 
libntfs-3g871_2016.2.22AR.1+dfsg-1_amd64.deb
 e9c505a54228a704c3ea826f98ff3a9e702bea6e 1761632 
ntfs-3g-dbg_2016.2.22AR.1+dfsg-1_amd64.deb
 ac0d86040e19db37c9b81c00a5ef82a60abe6ff1 234266 
ntfs-3g-dev_2016.2.22AR.1+dfsg-1_amd64.deb
 0ac4c6641b4d6465dd7f885548dbe08f3226a0d7 219416 
ntfs-3g-udeb_2016.2.22AR.1+dfsg-1_amd64.udeb
 d5cf582ae993c11907d053e514828066ea16289f 7395 
ntfs-3g_2016.2.22AR.1+dfsg-1_amd64.buildinfo
 6ab9f34439d93a5a04c3eb7e27cdbf0b5ce8655b 396904 
ntfs-3g_2016.2.22AR.1+dfsg-1_amd64.deb
Checksums-Sha256:
 ec3bd4301622132f1977f92375560a40cc09f1c33321631c9bdd3587fa4ffd09 2283 
ntfs-3g_2016.2.22AR.1+dfsg-1.dsc
 f8280f303af720c34c9ccea55fe4f026134ce74fb8d183800f4af40c8a5922e8 854400 
ntfs-3g_2016.2.22AR.1+dfsg.orig.tar.xz
 2d014959696e9faa029fe8310760d1a34e343b644a8411859810927fd849e9a5 23208 
ntfs-3g_2016.2.22AR.1+dfsg-1.debian.tar.xz
 

Bug#856064: marked as done (libdbd-mysql-perl: reads of floats currupted as 0)

[Debian Bug Tracking System]

Your message dated Sun, 26 Feb 2017 21:08:54 +
with message-id 
and subject line Bug#856064: fixed in libdbd-mysql-perl 4.041-2
has caused the Debian Bug report #856064,
regarding libdbd-mysql-perl: reads of floats currupted as 0
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
856064: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856064
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libdbd-mysql-perl
Version: 4.041-1
Severity: grave
Justification: causes non-serious data loss

When reading floats from mysql, they are always read as 0.

As values are currupted and as it is the cause of a grave bug in another
package, I have set this to grave.

Possibly only happens in Perl's tainted mode; I have asked for
confirmation.

Upstream bug report:
https://github.com/perl5-dbi/DBD-mysql/issues/78

Upstream patch:
https://github.com/perl5-dbi/DBD-mysql/pull/102

This is the cause of a RC bug against amavisd-new:
https://bugs.debian.org/847311

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (100, 
'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libdbd-mysql-perl depends on:
ii  libc6 2.24-9
ii  libdbi-perl [perl-dbdabi-94]  1.636-1+b1
ii  libmariadbclient1810.1.21-5
ii  perl  5.24.1-1
ii  perl-base [perlapi-5.24.1]5.24.1-1

libdbd-mysql-perl recommends no packages.

libdbd-mysql-perl suggests no packages.

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: libdbd-mysql-perl
Source-Version: 4.041-2

We believe that the bug you reported is fixed in the latest version of
libdbd-mysql-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 856...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann  (supplier of updated libdbd-mysql-perl 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 26 Feb 2017 21:43:27 +0100
Source: libdbd-mysql-perl
Binary: libdbd-mysql-perl
Architecture: source
Version: 4.041-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group 
Changed-By: gregor herrmann 
Closes: 856064
Description: 
 libdbd-mysql-perl - Perl5 database interface to the MariaDB/MySQL database
Changes:
 libdbd-mysql-perl (4.041-2) unstable; urgency=medium
 .
   * Add regression-fix-float_type_conversion.patch to fix a regression in
 the conversion of floats which under some circumstances simply
 returned 0.
 Thanks to Brian May for the bug report, and Pali Rohár for backporting
 his fix to 4.041.
 (Closes: #856064)
Checksums-Sha1: 
 65688760fed2fb53e4eb068c83465099e1ec8da7 2512 libdbd-mysql-perl_4.041-2.dsc
 caf4efdd1e49cf9659e0a930236047066fc403e9 11404 
libdbd-mysql-perl_4.041-2.debian.tar.xz
Checksums-Sha256: 
 55b440a4c5ff0bb04393e0c749617992db3889bb9971a9faae6ef153a9d56a7c 2512 
libdbd-mysql-perl_4.041-2.dsc
 ea8e348f5c60a7a617598432e577750a614141e43eb52ba571ffe34e6575a22c 11404 
libdbd-mysql-perl_4.041-2.debian.tar.xz
Files: 
 48a8199542e24eb074553abf2dc7bf98 2512 perl optional 
libdbd-mysql-perl_4.041-2.dsc
 fcd2f6d995596bc2a87f87981067556c 11404 perl optional 
libdbd-mysql-perl_4.041-2.debian.tar.xz

-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEE0eExbpOnYKgQTYX6uzpoAYZJqgYFAlizPw5fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEQx
RTEzMTZFOTNBNzYwQTgxMDREODVGQUJCM0E2ODAxODY0OUFBMDYACgkQuzpoAYZJ
qgb1QxAAvPiFZR9v/xUGRT3QKbHq1bDuStQF2kGjMJ+Ew2TSt5e3wgcMVoFLyqdQ
zv313284AWMOuq1+IET4T4mKcoCXUQ67s+u0UNKQG8JZSrCYWb6T8h93d4vVgZ4C
n9R/7niJPU8XvQF9n6GEr7tsbkKAnmEfm2ingFPOpQLzic3NrhjFtqXpe9r/zouM
9YVp8IbrgjqkjrdnpySlpeuQ0/4sDAU4OCOZV1RxK+WeeHFmRVJWEEk4OslV7NTD

Bug#779990: marked as done (gwave: Segmentation fault on startup)

[Debian Bug Tracking System]

Your message dated Sun, 26 Feb 2017 21:08:49 +
with message-id 
and subject line Bug#779990: fixed in gwave 20090213-6.1
has caused the Debian Bug report #779990,
regarding gwave: Segmentation fault on startup
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
779990: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779990
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: gwave
Version: 20090213-6
Severity: important

Dear Maintainer,

gwave segfaults when I attempt to run it on Debian Sid:

$ gwave
Gtk-Message: Failed to load module "canberra-gtk-module"
;;; note: auto-compilation is enabled, set GUILE_AUTO_COMPILE=0
;;;   or pass the --no-auto-compile argument to disable.
;;; compiling /usr/share/guile/app/gwave/gwave-startup.scm
;;; compiling /usr/share/guile/site/gnome-2.scm
;;; compiled 
/home/debian/.cache/guile/ccache/2.0-LE-8-2.0/usr/share/guile/site/gnome-2.scm.go

;;; compiling /usr/share/guile-gnome-2/gnome/gtk.scm
;;; compiling /usr/share/guile-gnome-2/gnome/gobject.scm
;;; compiling /usr/share/guile-gnome-2/gnome/gobject/gtype.scm
;;; compiling /usr/share/guile-gnome-2/gnome/gobject/utils.scm
;;; compiled 
/home/debian/.cache/guile/ccache/2.0-LE-8-2.0/usr/share/guile-gnome-2/gnome/gobject/utils.scm.go

;;; compiling /usr/share/guile-gnome-2/gnome/gobject/config.scm
;;; compiled 
/home/debian/.cache/guile/ccache/2.0-LE-8-2.0/usr/share/guile-gnome-2/gnome/gobject/config.scm.go
;;; gnome-2/gnome/gobject/gtype.scm:81:4: warning: possibly unbound 
variable `%gtype-class-bind'
;;; gnome-2/gnome/gobject/gtype.scm:85:4: warning: possibly unbound 
variable `%gtype-class-inherit-magic'
;;; gnome-2/gnome/gobject/gtype.scm:103:2: warning: possibly unbound 
variable `%gtype-instance-construct'
;;; compiled 
/home/debian/.cache/guile/ccache/2.0-LE-8-2.0/usr/share/guile-gnome-2/gnome/gobject/gtype.scm.go

Segmentation fault

This has also been reported in Ubuntu as
https://bugs.launchpad.net/ubuntu/+source/gwave/+bug/1311839

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gwave depends on:
ii  guile-2.0-libs 2.0.11+1-9
ii  guile-gnome2-glib  2.16.2-1.1
ii  guile-gnome2-gtk   2.16.2-1.1
ii  libc6  2.19-15
ii  libglib2.0-0   2.42.1-1
ii  libgtk2.0-02.24.25-2
ii  libreadline6   6.3-8+b3
ii  libx11-6   2:1.6.2-3

Versions of packages gwave recommends:
ii  extra-xdg-menus  1.0-4

gwave suggests no packages.

-- no debconf information

--
mvh / best regards
Hans Joachim Desserud
http://desserud.org
--- End Message ---
--- Begin Message ---
Source: gwave
Source-Version: 20090213-6.1

We believe that the bug you reported is fixed in the latest version of
gwave, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 779...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patricio Paez  (supplier of updated gwave package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Mon, 22 Aug 2016 12:30:03 -0500
Source: gwave
Binary: gwave
Architecture: source
Version: 20090213-6.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Electronics Team 

Changed-By: Patricio Paez 
Description:
 gwave  - waveform viewer eg for spice simulators
Closes: 779990
Changes:
 gwave (20090213-6.1) unstable; urgency=medium
 .
   * Non-maintainer upload
   * Added make_stack.diff patch to remove use of
 scm_the_last_stack_fluid_var that was deprecated from guile in
 commit ec16eb7847895247be3438c25d2d27ce2e137b83 dated 19 Jun 2010.
   * Added std_menus.diff patch to replace gtk-menu-append and
 gtk-menu-bar-append with gtk-menu-shell-append, preventing
 the use of the append generic that is missing in guile-gnome.
 - Closes: #779990, LP: #1311839
Checksums-Sha1:
 

Bug#856210: libdebian-installer: please parse SHA256 field and add it to di_* structs

[Bastian Blank]

Hi Steven

On Sun, Feb 26, 2017 at 06:30:31PM +, Steven Chamberlain wrote:
> I've attached only the most minimal patch to allow reverse-depends do
> implement SHA256.  They must adapt to the new names of struct members
> *and* remember that the hash length is now different.  (The hash data is
> stored in variable-length fields but the length is not recorded in the
> structs, and the has is denoted by a magic number not an enum;  that
> could be made better, but requiring a much larger diff).

This change breaks the existing ABI and therefor needs an ABI bump, but
it is missing from the patch.

Regards,
Bastian

-- 
It is necessary to have purpose.
-- Alice #1, "I, Mudd", stardate 4513.3

Bug#856064: libdbd-mysql-perl: reads of floats currupted as 0

[gregor herrmann]

On Mon, 27 Feb 2017 07:37:53 +1100, Brian May wrote:

> Brian May  writes:
> > amavisd-new has already been removed from testing. I think the chances
> > of getting it back in are remote - however I have asked the release team
> > - see #856067.
> 
> The release gods^h^h^h^h^h team has spoken. They say they will accept
> amavisd-new back in the archive:
> 
> "Not in a point release, but I'll cut you a deal: if the underlying bug in
> libdbd-mysql-perl is fixed (but *without* the additional fixes Pali
> mentions), and an unblock bug opened before 1st March, I'll unblock
> amavisd-new and amavisd-milter for stretch."
> 
> "(no precedents, subject to future developments, blah, blah, etc, etc)."

Cool.
 
> So from my point of view, as it is two days until the 1st of March right
> now (at least in my timezone) we need to get a fixed version of
> libdbd-mysql-perl in unstable by tomorrow at the latest. Is this going
> to be possible?

Sure, I just uploaded 4.041-2 to unstable.

Thanks for handling all this stuff!


Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at/ - Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Donovan: Living for the lovelight


signature.asc
Description: Digital Signature

Bug#855930: Bug#853119: Request to take a look at #855930

[Vincent Danjean]

Le 26/02/2017 à 15:29, Tomasz Buchert a écrit :
> On 26/02/17 10:25, Norbert Preining wrote:
>> On Sun, 26 Feb 2017, Norbert Preining wrote:
>>> I will try to run it in a clean cowbuilder with only the build-deps
>>> installed and see what might be the reason.
> 
> Thanks for looking into it.
> Let's also move the discussion to #855930 :).

  I forgot to add this info to this bug report:
I installed a testing schroot to try to rebuild it with testing
dependencies with sbuild. And it works...
  I've no idea of the root cause of this. I checked in the
provided log that Lucas uses recent (testing) tex packages.

  Lucas: can you tell us how more on how the build environment
is generated ?

  In any case, I will probably downgrade the severity if
nobody is able to reproduce the problem. If needed, I can ask
the release team to accept a package with this test disabled
(lualatex support is a nice feature but if it does not work
in all environment, it does not warrant a package removal)

>> Just done this, too, worked without a hinch:
>> 'lualatex' '--interaction' 'errorstopmode' '--jobname' 'lualatex-example' 
>> '\RequirePackage[extension=.pdf]{texdepends}\input{lualatex-example.tex}'
>> [...]
> 
> However, if you build w sbuild, this seems to fail.

Can you elaborate? I cannot reproduce this failure. It works
in my sbuild environment.

> Can it be some
> failure in how tex packages are installed? Sbuild may create a very
> minimal environment that exposes this problem.
> 
>> One idea: is /var writable???
> 
> I'm afraid I don't understand this. Can you elaborate?
> 
>> Norbert
> 
> Thanks,
> Tomasz

  Regards,
Vincent

-- 
Vincent Danjean   GPG key ID 0xD17897FA vdanj...@debian.org
GPG key fingerprint: 621E 3509 654D D77C 43F5  CA4A F6AE F2AF D178 97FA
Unofficial pkgs: http://moais.imag.fr/membres/vincent.danjean/deb.html
APT repo:  deb http://people.debian.org/~vdanjean/debian unstable main

Bug#856210: libdebian-installer: please parse SHA256 field and add it to di_* structs

[Steven Chamberlain]

With that patch, reverse-deps anna and cdebootstrap shall FTBFS with:

| gcc -Wdate-time -D_FORTIFY_SOURCE=2 -D_GNU_SOURCE -g -O2 
-fdebug-prefix-map=/home/steven/git/anna=. 
-specs=/usr/share/dpkg/pie-compile.specs -fstack-protector-strong -Wformat 
-Werror=format-security -Wall -W -ggdb -Wdate-time -D_FORTIFY_SOURCE=2 
-D_GNU_SOURCE  -c -o anna.o anna.c
| anna.c: In function ‘install_modules’:
| anna.c:321:25: error: ‘di_package {aka struct di_package}’ has no member 
named ‘md5sum’
|  if (! md5sum(package->md5sum, dest_file)) {
|  ^~

| gcc -DHAVE_CONFIG_H -I. -I../../src -I..  -I../../include -Wdate-time 
-D_FORTIFY_SOURCE=2  -g -O2 
-fdebug-prefix-map=/home/steven/git/cdebootstrap-0.7.6=. 
-specs=/usr/share/dpkg/pie-compile.specs -fstack-protector-strong -Wformat 
-Werror=format-security -std=gnu99 -c -o gpg.o ../../src/gpg.c
| ../../src/check.c: In function ‘check_deb’:
| ../../src/check.c:61:40: error: ‘di_package {aka struct di_package}’ has no 
member named ‘md5sum’
|return check_sum (target, "md5sum", p->md5sum, message);
| ^~
| ../../src/check.c: In function ‘check_packages’:
| ../../src/check.c:75:35: error: ‘di_release {aka struct di_release}’ has no 
member named ‘md5sum’
|item = di_hash_table_lookup (rel->md5sum, );
|^~

so it should be quite clear that they must implement a new hashing
algorithm;  and this makes absolutely sure they are not still using MD5
unintentionally (which was the case in #856215).

If my libdebian-installer patch is okay, I will submit the patches for
anna and cdebootstrap (bugs are already filed against them).  Hopefully
no other reverse-dependencies would be affected (because they do not use
the md5sums field, and the struct size is not changing);  though if they
do use, I'd prefer they FTBFS so that we find out.

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org


signature.asc
Description: Digital signature

Processed: tagging 665334

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tags 665334 - pending
Bug #665334 [fontforge] non-DFSG postscript embedded in fontforge (currently 
August 2014
Removed tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
665334: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665334
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: [Pkg-electronics-devel] Bug#779990: gwave: Segmentation fault on startup

[Debian Bug Tracking System]

Processing control commands:

> tags -1 pending
Bug #779990 [gwave] gwave: Segmentation fault on startup
Added tag(s) pending.
> severity -1 serious
Bug #779990 [gwave] gwave: Segmentation fault on startup
Severity set to 'serious' from 'important'

-- 
779990: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779990
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#856064: libdbd-mysql-perl: reads of floats currupted as 0

[Brian May]

Brian May  writes:

> amavisd-new has already been removed from testing. I think the chances
> of getting it back in are remote - however I have asked the release team
> - see #856067.

The release gods^h^h^h^h^h team has spoken. They say they will accept
amavisd-new back in the archive:

"Not in a point release, but I'll cut you a deal: if the underlying bug in
libdbd-mysql-perl is fixed (but *without* the additional fixes Pali
mentions), and an unblock bug opened before 1st March, I'll unblock
amavisd-new and amavisd-milter for stretch."

"(no precedents, subject to future developments, blah, blah, etc, etc)."

So from my point of view, as it is two days until the 1st of March right
now (at least in my timezone) we need to get a fixed version of
libdbd-mysql-perl in unstable by tomorrow at the latest. Is this going
to be possible?

Thanks.
-- 
Brian May 

Bug#856142: ghostscript: CVE-2017-6196

[Salvatore Bonaccorso]

Control: tags -1 + patch

Attached proposed debdiff (not yet uploaded, neither to a delayed
queue).

Regards,
Salvatore
diff -Nru ghostscript-9.20~dfsg/debian/changelog 
ghostscript-9.20~dfsg/debian/changelog
--- ghostscript-9.20~dfsg/debian/changelog  2017-01-25 05:26:10.0 
+0100
+++ ghostscript-9.20~dfsg/debian/changelog  2017-02-26 21:03:15.0 
+0100
@@ -1,3 +1,11 @@
+ghostscript (9.20~dfsg-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Resolve image enumerator ownership on error (CVE-2017-6196)
+(Closes: #856142)
+
+ -- Salvatore Bonaccorso   Sun, 26 Feb 2017 21:03:15 +0100
+
 ghostscript (9.20~dfsg-2) unstable; urgency=medium
 
   * Add patch cherry-picked upstream to always print full PWG Raster
diff -Nru 
ghostscript-9.20~dfsg/debian/patches/1002-Resolve-image-enumerator-ownership-on-error.patch
 
ghostscript-9.20~dfsg/debian/patches/1002-Resolve-image-enumerator-ownership-on-error.patch
--- 
ghostscript-9.20~dfsg/debian/patches/1002-Resolve-image-enumerator-ownership-on-error.patch
 1970-01-01 01:00:00.0 +0100
+++ 
ghostscript-9.20~dfsg/debian/patches/1002-Resolve-image-enumerator-ownership-on-error.patch
 2017-02-26 21:03:15.0 +0100
@@ -0,0 +1,63 @@
+From ecceafe3abba2714ef9b432035fe0739d9b1a283 Mon Sep 17 00:00:00 2001
+From: Ken Sharp 
+Date: Mon, 20 Feb 2017 09:45:18 +
+Subject: [PATCH] Resolve image enumerator ownership on error
+
+Bug #697596 "Use-After-Free in i_free_object()"
+
+There is confusion over ownership of 'penum' between gx_begin_image1(),
+gx_begin_image4() and gx_image_enum_begin() which is called from these
+two functions (and only from these two functions).
+
+The enumerator is allocated in gx_begin_image?() and freed there if
+gx_image_enum_begin() returns an error. However, gx_image_enum_begin()
+also frees the enumerator on an error; except that it doesn't always do
+so. Its a large function and there are at least 9 ways to exit it, only
+4 of which free the enumerator.
+
+This commit removes the 'free' instances from gx_image_enum_begin()
+leaving the cleanup as the responsibility of the calling code, which
+performed the allocation.
+---
+ base/gxipixel.c | 4 
+ 1 file changed, 4 deletions(-)
+
+diff --git a/base/gxipixel.c b/base/gxipixel.c
+index c41d3b885..4eb654844 100644
+--- a/base/gxipixel.c
 b/base/gxipixel.c
+@@ -290,7 +290,6 @@ gx_image_enum_begin(gx_device * dev, const gs_gstate * pgs,
+ penum->Height = height;
+ 
+ if ((code = gx_image_compute_mat(pgs, pmat, &(pim->ImageMatrix), )) < 
0) {
+-gs_free_object(mem, penum, "gx_default_begin_image");
+ return code;
+ }
+ /* Grid fit: A common construction in postscript/PDF files is for images
+@@ -587,7 +586,6 @@ gx_image_enum_begin(gx_device * dev, const gs_gstate * pgs,
+ }
+ if (masked) {   /* This is imagemask. */
+ if (bps != 1 || pcs != NULL || penum->alpha || decode[0] == 
decode[1]) {
+-gs_free_object(mem, penum, "gx_default_begin_image");
+ return_error(gs_error_rangecheck);
+ }
+ /* Initialize color entries 0 and 255. */
+@@ -607,7 +605,6 @@ gx_image_enum_begin(gx_device * dev, const gs_gstate * pgs,
+ 
+ spp = cs_num_components(pcs);
+ if (spp < 0) {  /* Pattern not allowed */
+-gs_free_object(mem, penum, "gx_default_begin_image");
+ return_error(gs_error_rangecheck);
+ }
+ if (penum->alpha)
+@@ -715,7 +712,6 @@ gx_image_enum_begin(gx_device * dev, const gs_gstate * pgs,
+ bsize = ((bps > 8 ? width * 2 : width) + 15) * spp;
+ buffer = gs_alloc_bytes(mem, bsize, "image buffer");
+ if (buffer == 0) {
+-gs_free_object(mem, penum, "gx_default_begin_image");
+ return_error(gs_error_VMerror);
+ }
+ penum->bps = bps;
+-- 
+2.11.0
+
diff -Nru ghostscript-9.20~dfsg/debian/patches/series 
ghostscript-9.20~dfsg/debian/patches/series
--- ghostscript-9.20~dfsg/debian/patches/series 2017-01-25 05:04:25.0 
+0100
+++ ghostscript-9.20~dfsg/debian/patches/series 2017-02-26 21:03:15.0 
+0100
@@ -7,6 +7,7 @@
 020161008~f5c7555.patch
 020161026~0726780.patch
 1001_fix_openjp2_dynamic_linking.patch
+1002-Resolve-image-enumerator-ownership-on-error.patch
 2001_docdir_fix_for_debian.patch
 2002_gs_man_fix_debian.patch
 2003_support_multiarch.patch

Processed: Re: Bug#856142: ghostscript: CVE-2017-6196

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + patch
Bug #856142 [ghostscript] ghostscript: CVE-2017-6196
Added tag(s) patch.

-- 
856142: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856142
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#850692: pyrit: failed with 'BitEnumField' object has no attribute 'names'

[Christian Kastner]

Hi all,

first of all, apologies for the late reply. I moved in February, and I'm
still in the process of settling in. I have still to unpack my
development machine...

On 2017-02-14 09:39, Raphael Hertzog wrote:
> On Mon, 09 Jan 2017, Sophie Brun wrote:
>> AttributeError: 'BitEnumField' object has no attribute 'names'
> [...]
>> Consider joining the pkg-security team, we could co-maintain pyrit there:
>> https://wiki.debian.org/Teams/pkg-security

I would very much be interested in moving this to pkg-security. Even
further -- if anyone is interested in taking over as primary maintainer,
I'd be happy to step down, as I am no longer an active user of pyrit.
Otherwise, I'll continue maintaining it.

> you haven't replied to this bug in more than a month. Someone upgraded it
> to RC severity because the package FTBFS actually.
> 
> So we should handle it promptly now. In the pkg-security team, we're
> willing to help you on this package... please reply and let us know how to
> proceed.

Please go ahead and upload anything you want/need. I don't think I will
be able to implement any changes myself prior to 2017-03-04.

If anyone could cake a look at #855166 (a new FTBFS), that would be
great. Otherwise I'll do that on the upcoming weekend.

> If I don't hear back from you, I'll assume that it's ok to move the
> package to pkg-security.

Full ACK on moving to pkg-security.

Regards,
Chrsitian



signature.asc
Description: OpenPGP digital signature

Bug#856004: khtml: please build-depen on libssl1.0-dev for Stretch

[Sebastian Andrzej Siewior]

On 2017-02-26 20:31:23 [+0100], Pino Toscano wrote:
> In data domenica 26 febbraio 2017 20:15:25 CET, John Paul Adrian Glaubitz ha 
> scritto:
> > On 02/26/2017 07:48 PM, Sebastian Andrzej Siewior wrote:
> > > I don't insist on anything. I noticed that this package does not depend on
> > > libssl after building and that is why I took a look.
> 
> That is because it dlopen's libssl at runtime.
> 
> > Interesting. So, I guess the best option would actually to drop the B-D on
> > libssl-dev completely. I have checked it myself and indeed libkf5khtml5 does
> > not depend on libssl at all. Plus, the package also builds fine with the
> > build dependency on libssl-dev completely removed.
> 
> That is because it is an optional dependency.
> 
> > Lisandro, maybe just dropping the build dependency on libssl-dev would be
> > the best option if it's actually not used at all?
> 
> NACK.

Yes, correct. There are a few symbols that export key creation and signing (or
something like that) so if you build this package without ssl then those
symbols are missing which would require a transition :)

Again. If someone who knows that package can say that it works with fine 1.1
and the missing symbols don't matter and it won't clash with 1.0 in any way
then feel free to close this. We are in freeze after all.

Sebastian

Bug#856036: screen sharing is not working and vino is segfaulting when started manually

[Andreas Henriksson]

Hello Pirate Praveen,

On Fri, Feb 24, 2017 at 07:31:24PM +0530, Pirate Praveen wrote:
> package: vino
> version: 3.22.0-1
> severity: grave
> justification: makes the package unuseable
> 
> I'm not able to share desktop using vino (5900 socket is not open) and
> when I manually start vino-server I get segmentation fault
[...]

My guess is that you're trying to run vino under a GNOME *Wayland* session,
right?

As designed vino is tied to the X server. It's not targeted for porting
to Wayland. AIUI capturing the entire screen is simply not allowed
for security reasons under wayland. Remoting functionality needs to be
implemented at a different level in the stack on Wayland (and vino
is not part of the solution at all).

Regards,
Andreas Henriksson

Bug#854740: slixmpp: diff for NMU version 1.2.2-1.1

[Markus Koschany]

Control: tags 854740 + patch
Control: tags 854740 + pending

Dear maintainer,

I've prepared an NMU for slixmpp (versioned as 1.2.2-1.1) and
uploaded it to unstable. Please find attached the debdiff.

Regards,

Markus
diff -Nru slixmpp-1.2.2/debian/changelog slixmpp-1.2.2/debian/changelog
--- slixmpp-1.2.2/debian/changelog	2016-11-29 17:19:17.0 +0100
+++ slixmpp-1.2.2/debian/changelog	2017-02-26 20:31:13.0 +0100
@@ -1,3 +1,14 @@
+slixmpp (1.2.2-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2017-5591:
+An incorrect implementation of XEP-0280: Message Carbons in slixmpp allows
+a remote attacker to impersonate any user, including contacts, in the
+vulnerable application's display. This allows for various kinds of social
+engineering attacks. (Closes: #854740)
+
+ -- Markus Koschany   Sun, 26 Feb 2017 20:31:13 +0100
+
 slixmpp (1.2.2-1) unstable; urgency=medium
 
   * New upstream version:
diff -Nru slixmpp-1.2.2/debian/patches/CVE-2017-5591.patch slixmpp-1.2.2/debian/patches/CVE-2017-5591.patch
--- slixmpp-1.2.2/debian/patches/CVE-2017-5591.patch	1970-01-01 01:00:00.0 +0100
+++ slixmpp-1.2.2/debian/patches/CVE-2017-5591.patch	2017-02-26 20:31:13.0 +0100
@@ -0,0 +1,34 @@
+From: Markus Koschany 
+Date: Sun, 26 Feb 2017 20:28:43 +0100
+Subject: CVE-2017-5591
+
+An incorrect implementation of XEP-0280: Message Carbons in slixmpp allows a
+remote attacker to impersonate any user, including contacts, in the vulnerable
+application's display. This allows for various kinds of social engineering
+attacks.
+
+Bug-Debian: https://bugs.debian.org/854740
+Origin: https://github.com/poezio/slixmpp/commit/22664ee7b86c8e010f312b66d12590fb471
+---
+ slixmpp/plugins/xep_0280/carbons.py | 6 --
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/slixmpp/plugins/xep_0280/carbons.py b/slixmpp/plugins/xep_0280/carbons.py
+index 261238b..aa71f7f 100644
+--- a/slixmpp/plugins/xep_0280/carbons.py
 b/slixmpp/plugins/xep_0280/carbons.py
+@@ -61,10 +61,12 @@ class XEP_0280(BasePlugin):
+ self.xmpp.plugin['xep_0030'].add_feature('urn:xmpp:carbons:2')
+ 
+ def _handle_carbon_received(self, msg):
+-self.xmpp.event('carbon_received', msg)
++if msg['from'].bare == self.xmpp.boundjid.bare:
++self.xmpp.event('carbon_received', msg)
+ 
+ def _handle_carbon_sent(self, msg):
+-self.xmpp.event('carbon_sent', msg)
++if msg['from'].bare == self.xmpp.boundjid.bare:
++self.xmpp.event('carbon_sent', msg)
+ 
+ def enable(self, ifrom=None, timeout=None, callback=None,
+timeout_callback=None):
diff -Nru slixmpp-1.2.2/debian/patches/series slixmpp-1.2.2/debian/patches/series
--- slixmpp-1.2.2/debian/patches/series	2016-11-29 17:01:50.0 +0100
+++ slixmpp-1.2.2/debian/patches/series	2017-02-26 20:31:13.0 +0100
@@ -1 +1,2 @@
 disable-incorrect-tests.patch
+CVE-2017-5591.patch

Processed: slixmpp: diff for NMU version 1.2.2-1.1

[Debian Bug Tracking System]

Processing control commands:

> tags 854740 + patch
Bug #854740 [src:slixmpp] CVE-2017-5591
Added tag(s) patch.
> tags 854740 + pending
Bug #854740 [src:slixmpp] CVE-2017-5591
Added tag(s) pending.

-- 
854740: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854740
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#856232: routino-www: Data files in /var/lib/routino/data not created

[Sebastiaan Couwenberg]

Control: severity -1 important
Control: tags -1 moreinfo

Hi Morten,

On 02/26/2017 08:19 PM, Morten Bo Johansen wrote:
> Having installed and reinstalled both of the packages routino
> and routino-www, I notice that the data files
> 
>   nodes.mem, relations.mem, segments.mem and ways.mem
> 
> that, according to the README.Debian file in the routino
> package, are supposed to have been created by the program
> "planetsplitter", have actually not been created.

You need to run planetsplitter to create these files, have you done that?

The planetsplitter --dir option specifies the location where to store
the generated data files.

> I am not sure if that is the reason that the entire map area in
> the routino-www program is empty?

Probably.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1

Processed: Re: Bug#856232: routino-www: Data files in /var/lib/routino/data not created

[Debian Bug Tracking System]

Processing control commands:

> severity -1 important
Bug #856232 [routino-www] routino-www: Data files in /var/lib/routino/data not 
created
Severity set to 'important' from 'grave'
> tags -1 moreinfo
Bug #856232 [routino-www] routino-www: Data files in /var/lib/routino/data not 
created
Added tag(s) moreinfo.

-- 
856232: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856232
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#856218: marked as done (FTBFS during documentation build)

[Debian Bug Tracking System]

Your message dated Sun, 26 Feb 2017 19:33:55 +
with message-id 
and subject line Bug#856218: fixed in yade 2017.01a-4
has caused the Debian Bug report #856218,
regarding FTBFS during documentation build
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
856218: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856218
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: yade
Version: 2017.01a-2
Severity: serious
Tags: upstream

Yade fails to build from scratch during documentation generation [1].
Relevant lines in the build log:

==
(/usr/share/texlive/texmf-dist/tex/latex/needspace/needspace.sty)
  ** (sphinx) defining (legacy) text style macros without \sphinx prefix
  ** if clashes with packages, set latex_keep_old_macro_names=False in conf.py

  ! LaTeX Error: Command \strong already defined.
  Or name \end... illegal, see p.192 of the manual.

  See the LaTeX manual or LaTeX Companion for explanation.
  Type  H   for immediate help.
  ...  

  l.912 }

  ? 
  ! Emergency stop.
...  
  
l.912 }
  
==
--- End Message ---
--- Begin Message ---
Source: yade
Source-Version: 2017.01a-4

We believe that the bug you reported is fixed in the latest version of
yade, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 856...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anton Gladky  (supplier of updated yade package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sun, 26 Feb 2017 20:21:22 +0100
Source: yade
Binary: yade libyade python-yade yade-doc
Architecture: source
Version: 2017.01a-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Science Maintainers 

Changed-By: Anton Gladky 
Description:
 libyade- Platform for discrete element modeling. Libraries
 python-yade - Platform for discrete element modeling. Python bindings
 yade   - Platform for discrete element modeling
 yade-doc   - Platform for discrete element modeling. Documentation
Closes: 856218
Changes:
 yade (2017.01a-4) unstable; urgency=medium
 .
   * [e248862] Fix FTBFS during documentation build. (Closes: #856218)
Checksums-Sha1:
 8dee647036bdd57bc7f077da383ac40a47320985 2832 yade_2017.01a-4.dsc
 aaf86923708c09fc9ad94cde169d0f53f12efefa 31152 yade_2017.01a-4.debian.tar.xz
 ab6a6e3052911e84fcfaabf0d82deb9c61476063 25182 yade_2017.01a-4_source.buildinfo
Checksums-Sha256:
 e7cd195dfe4c8ff38e85838adabf12bf46d1661cf6c6c36994b75283cb95248f 2832 
yade_2017.01a-4.dsc
 289632506d6b94ff415a327956f1a08be0077d886c4b5518df984e90282c3174 31152 
yade_2017.01a-4.debian.tar.xz
 1dc0afac6edf434f10a509d51198f8d9a63e743a8ab59733fc41c14a38e5a60f 25182 
yade_2017.01a-4_source.buildinfo
Files:
 4ca32f2db55ccc415833ebd37e8dc503 2832 science extra yade_2017.01a-4.dsc
 00f53d37eef4dcba4a6c4d050b303bd1 31152 science extra 
yade_2017.01a-4.debian.tar.xz
 035fff6922959548c3cbbced20a42744 25182 science extra 
yade_2017.01a-4_source.buildinfo

-BEGIN PGP SIGNATURE-

iQIzBAEBCAAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAlizKtsACgkQ0+Fzg8+n
/waJcA//cznTj8NIV2PTWWcfpc4HvQmRA/80j7Acoi1KpOmx/r0GDwCuyzIFNM4w
ROdfHP1jBXTTLb4cQWpos7FCWXQlOeUJJ0ExjkkmzhEbnqTTc1s68WxZDHYuRuYA
iJHo8KsCz+7SHsCsz5hdsScmfrdLFW3G93h/TPCbRMImnsaojGro/6S78QKKXoDe
pFxTDSChmjWucfmSysAdvFyxMk32dQIzXdRGgAnSJaqupIQDUI4Y2F8VaNUBOJHH
jeLhs/y+1HDwZ9FLFPby1HTP3fLKN3kNBp5/rTSKOaj/u3UB7DGtLqZeK82EUHf7
LGrh54vF5hCVRmes8XeyuYqnxsl/SGedM0u2dBGgoeDzKEiDjlS5yoI1n+liav6/
EIfDv4QnTFoGAYcQ1qS1RU2vnWwnPjTv/DnnYo3gX34bUucmERUbvoAKMq2Pz6vc
PVeNhjL2wz5SPC0zl9tDdGpPE146dFxVec59/bjDFVO9tScbUUxW57YlgS9WWzMd
slfGVDmoUqQhiuh+XQ7x4lk8BvHNeCRiboeqkmQOBdrk4uipU/FHUFIktiVeAKz/
Pw3g0cy1QtIFR/MeWpBZ1U3xXhqQXwBxWI8tcEQ1R86ocboOx7dgXt+dQej85UjK
+q5vzUkckzeTGyqyjWYiAPvLgDTVfEukUWbzK50Wv2sLVp6o8/0=
=8beL
-END PGP SIGNATURE End Message ---

Bug#856004: khtml: please build-depen on libssl1.0-dev for Stretch

[Scott Kitterman]

On February 26, 2017 2:15:25 PM EST, John Paul Adrian Glaubitz 
 wrote:
>On 02/26/2017 07:48 PM, Sebastian Andrzej Siewior wrote:
>> I don't insist on anything. I noticed that this package does not
>depend on
>> libssl after building and that is why I took a look.
>
>Interesting. So, I guess the best option would actually to drop the B-D
>on
>libssl-dev completely. I have checked it myself and indeed libkf5khtml5
>does
>not depend on libssl at all. Plus, the package also builds fine with
>the
>build dependency on libssl-dev completely removed.
>
>Lisandro, maybe just dropping the build dependency on libssl-dev would
>be
>the best option if it's actually not used at all?

We shouldn't be changing the way a package builds during freeze.  It was last 
built with openssl 1.0, so that's what we should have for now.

Scott K

Bug#856004: khtml: please build-depen on libssl1.0-dev for Stretch

[Pino Toscano]

In data domenica 26 febbraio 2017 20:15:25 CET, John Paul Adrian Glaubitz ha 
scritto:
> On 02/26/2017 07:48 PM, Sebastian Andrzej Siewior wrote:
> > I don't insist on anything. I noticed that this package does not depend on
> > libssl after building and that is why I took a look.

That is because it dlopen's libssl at runtime.

> Interesting. So, I guess the best option would actually to drop the B-D on
> libssl-dev completely. I have checked it myself and indeed libkf5khtml5 does
> not depend on libssl at all. Plus, the package also builds fine with the
> build dependency on libssl-dev completely removed.

That is because it is an optional dependency.

> Lisandro, maybe just dropping the build dependency on libssl-dev would be
> the best option if it's actually not used at all?

NACK.

-- 
Pino Toscano

signature.asc
Description: This is a digitally signed message part.

Bug#856233: edtsurf FTBFS on architectures where char is unsigned

[Adrian Bunk]

Source: edtsurf
Version: 0.2009-3
Severity: serious
Tags: stretch sid

From an armhf build:

...
make[1]: Entering directory '/home/debian/edtsurf-0.2009'
g++ -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 
-fdebug-prefix-map=/home/debian/edtsurf-0.2009=. -fstack-protector-strong 
-Wformat -Werror=format-security -c ParsePDB.cpp -o ParsePDB.o
In file included from ParsePDB.cpp:12:0:
CommonPara.h:49:67: error: narrowing conversion of ‘-1’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
 1,1,1, 1,1,-1, 1,-1,1, -1,1,1, 1,-1,-1, -1,-1,1, -1,1,-1, -1,-1,-1};
   ^
CommonPara.h:49:67: error: narrowing conversion of ‘-1’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
CommonPara.h:49:67: error: narrowing conversion of ‘-1’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
CommonPara.h:49:67: error: narrowing conversion of ‘-1’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
CommonPara.h:49:67: error: narrowing conversion of ‘-1’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
CommonPara.h:49:67: error: narrowing conversion of ‘-1’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
CommonPara.h:49:67: error: narrowing conversion of ‘-1’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
CommonPara.h:49:67: error: narrowing conversion of ‘-1’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
CommonPara.h:49:67: error: narrowing conversion of ‘-1’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
CommonPara.h:49:67: error: narrowing conversion of ‘-1’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
CommonPara.h:49:67: error: narrowing conversion of ‘-1’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
CommonPara.h:49:67: error: narrowing conversion of ‘-1’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
CommonPara.h:49:67: error: narrowing conversion of ‘-1’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
CommonPara.h:49:67: error: narrowing conversion of ‘-1’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
CommonPara.h:49:67: error: narrowing conversion of ‘-1’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
CommonPara.h:49:67: error: narrowing conversion of ‘-1’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
CommonPara.h:49:67: error: narrowing conversion of ‘-1’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
CommonPara.h:49:67: error: narrowing conversion of ‘-1’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
CommonPara.h:49:67: error: narrowing conversion of ‘-1’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
CommonPara.h:49:67: error: narrowing conversion of ‘-1’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
CommonPara.h:49:67: error: narrowing conversion of ‘-1’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
CommonPara.h:49:67: error: narrowing conversion of ‘-1’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
CommonPara.h:49:67: error: narrowing conversion of ‘-1’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
CommonPara.h:49:67: error: narrowing conversion of ‘-1’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
CommonPara.h:49:67: error: narrowing conversion of ‘-1’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
CommonPara.h:49:67: error: narrowing conversion of ‘-1’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
CommonPara.h:49:67: error: narrowing conversion of ‘-1’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
ParsePDB.cpp: In member function ‘bool ParsePDB::loadpdb(char*)’:
ParsePDB.cpp:1462:28: warning: ignoring return value of ‘char* fgets(char*, 
int, FILE*)’, declared with attribute warn_unused_result [-Wunused-result]
   fgets(oneline,255,filein);
^
Makefile:7: recipe for target 'ParsePDB.o' failed
make[1]: *** [ParsePDB.o] Error 1
make[1]: Leaving directory '/home/debian/edtsurf-0.2009'
dh_auto_build: make -j1 returned exit code 2
debian/rules:8: recipe for target 'build' failed
make: *** [build] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2

Bug#856231: qpxtool FTBFS on architectures where char is unsigned

[Adrian Bunk]

Source: qpxtool
Version: 0.7.2-4
Severity: serious
Tags: stretch sid

From an armhf build:

...
g++ -g -O2 -fdebug-prefix-map=/home/debian/qpxtool-0.7.2=. 
-fstack-protector-strong -Wformat -Werror=format-security -Wall -O2 -fPIC 
-DOFFT_64BIT -DHAVE_FOPEN64 -DHAVE_FSEEKO -DUSE_LIBPNG   -I. -I./include 
-I../include -Wdate-time -D_FORTIFY_SOURCE=2  -c -o qpx_mmc.o qpx_mmc.cpp
qpx_mmc.cpp:1807:2: warning: #warning DVD+RW total sectors reading [-Wcpp]
 #warning DVD+RW total sectors reading
  ^~~
In file included from ./include/qpx_mmc.h:24:0,
 from qpx_mmc.cpp:22:
./include/qpx_mmc_defs.h:609:1: error: narrowing conversion of ‘-1’ from ‘int’ 
to ‘char’ inside { } [-Wnarrowing]
 };
 ^
./include/qpx_mmc_defs.h:609:1: error: narrowing conversion of ‘-1’ from ‘int’ 
to ‘char’ inside { } [-Wnarrowing]
qpx_mmc.cpp: In function ‘int set_cd_speed(drive_info*)’:
qpx_mmc.cpp:2694:3: warning: this ‘if’ clause does not guard... 
[-Wmisleading-indentation]
   if (!drive->silent) sperror ("SET_CD_SPEED",drive->err); return (drive->err);
   ^~
qpx_mmc.cpp:2694:60: note: ...this statement, but the latter is misleadingly 
indented as if it is guarded by the ‘if’
   if (!drive->silent) sperror ("SET_CD_SPEED",drive->err); return (drive->err);
^~
qpx_mmc.cpp: In function ‘int plextor_px755_get_auth_code(drive_info*, unsigned 
char*)’:
qpx_mmc.cpp:3122:3: warning: this ‘for’ clause does not guard... 
[-Wmisleading-indentation]
   for (int i=0; i<16; i++) printf("0x%02X ",dev->rd_buf[i]&0xFF); printf("\n");
   ^~~
qpx_mmc.cpp:3122:67: note: ...this statement, but the latter is misleadingly 
indented as if it is guarded by the ‘for’
   for (int i=0; i<16; i++) printf("0x%02X ",dev->rd_buf[i]&0xFF); printf("\n");
   ^~
: recipe for target 'qpx_mmc.o' failed
make[3]: *** [qpx_mmc.o] Error 1

Bug#856232: routino-www: Data files in /var/lib/routino/data not created

[Morten Bo Johansen]

Package: routino-www
Version: 3.1.1-4
Severity: grave
Justification: renders package unusable

Dear Maintainer,

Having installed and reinstalled both of the packages routino
and routino-www, I notice that the data files

  nodes.mem, relations.mem, segments.mem and ways.mem

that, according to the README.Debian file in the routino
package, are supposed to have been created by the program
"planetsplitter", have actually not been created.

I am not sure if that is the reason that the entire map area in
the routino-www program is empty?

Thanks,
Morten

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=da_DK.utf-8, LC_CTYPE=da_DK.utf-8 (charmap=UTF-8) (ignored: LC_ALL 
set to da_DK.utf-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages routino-www depends on:
ii  apache2 [httpd]2.4.25-3
ii  javascript-common  11
ii  libjs-leaflet  0.7.7+20160312-1
pn  perl:any   
ii  routino3.1.1-4

routino-www recommends no packages.

routino-www suggests no packages.

-- no debconf information

Processed (with 3 errors): Fixed in delayed NMU

[Debian Bug Tracking System]

Processing control commands:

> tag -1 pending
Bug #851196 [src:libplist] libplist: CVE-2017-5209
Added tag(s) pending.
> user debian-rele...@lists.debian.org
Unknown command or malformed arguments to command.

> usertag -1 bsp-2017-02-de-Berlin
Unknown command or malformed arguments to command.

> usertag 856226 bsp-2017-02-de-Berlin
Unknown command or malformed arguments to command.


-- 
851196: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851196
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed (with 3 errors): Fixed in delayed NMU

[Debian Bug Tracking System]

Processing control commands:

> tag -1 pending
Bug #852385 [src:libplist] libplist: CVE-2017-5545
Added tag(s) pending.
> user debian-rele...@lists.debian.org
Unknown command or malformed arguments to command.

> usertag -1 bsp-2017-02-de-Berlin
Unknown command or malformed arguments to command.

> usertag 856226 bsp-2017-02-de-Berlin
Unknown command or malformed arguments to command.


-- 
852385: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852385
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed (with 3 errors): Fixed in delayed NMU

[Debian Bug Tracking System]

Processing control commands:

> tag -1 pending
Bug #854000 [src:libplist] CVE-2017-5834 CVE-2017-5835 CVE-2017-5836
Added tag(s) pending.
> user debian-rele...@lists.debian.org
Unknown command or malformed arguments to command.

> usertag -1 bsp-2017-02-de-Berlin
Unknown command or malformed arguments to command.

> usertag 856226 bsp-2017-02-de-Berlin
Unknown command or malformed arguments to command.


-- 
854000: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854000
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#851196: Fixed in delayed NMU

[Hilko Bengen]

control: tag -1 pending
control: user debian-rele...@lists.debian.org
control: usertag -1 bsp-2017-02-de-Berlin
control: usertag 856226 bsp-2017-02-de-Berlin

I have (hopefully) fixed these bugs by uploading a new upstream snapshot
to DELAYED/15, see #856226.

Cheers,
-Hilko

Bug#856004: khtml: please build-depen on libssl1.0-dev for Stretch

[John Paul Adrian Glaubitz]

On 02/26/2017 07:48 PM, Sebastian Andrzej Siewior wrote:
> I don't insist on anything. I noticed that this package does not depend on
> libssl after building and that is why I took a look.

Interesting. So, I guess the best option would actually to drop the B-D on
libssl-dev completely. I have checked it myself and indeed libkf5khtml5 does
not depend on libssl at all. Plus, the package also builds fine with the
build dependency on libssl-dev completely removed.

Lisandro, maybe just dropping the build dependency on libssl-dev would be
the best option if it's actually not used at all?

Adrian

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913

Bug#855142: security bug closed without fix

[Salvatore Bonaccorso]

Hello!

On Thu, Feb 16, 2017 at 07:43:29AM +0100, Sébastien Delafond wrote:
> On Feb/16, Henri Salo wrote:
> > Shouldn't this be closed AFTER the fix is available? Especially since this 
> > is a
> > security issue.
> 
> Yes. Bastien, can you please reopen this ?

AFAICS, pdfsandwich uses OCaml's temp_file, so all should be fine
actually.

Regards,
Salvatore

Bug#852929: scalable-cyrfonts: FTBFS: LaTeX requires e-TeX.

[Sascha Steinbiss]

tags 852929 patch
user debian-rele...@lists.debian.org
usertags 852929 + bsp-2017-02-de-Berlin
thanks


Hi all,

[…]
> touch latex_mtx
> tex --ini '\input hugelatex.ini \dump'
> This is TeX, Version 3.14159265 (TeX Live 2016/Debian) (INITEX)
> (./hugelatex.ini
> (/usr/share/texlive/texmf-dist/tex/latex/base/latex.ltx
> ! LaTeX requires e-TeX.
> l.98 {LaTeX requires e-TeX}
>
> ))

Switching to ‘luatex' instead of ‘tex’ fixed the issue for me. Please see 
attached patch.
However, I would be happy if someone could take a second look. I don’t usually 
write Cyrillic ;)

Cheers
Sascha



use-luatex.patch
Description: Binary data


signature.asc
Description: Message signed with OpenPGP

Processed: your mail

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tags 852929 patch
Bug #852929 [src:scalable-cyrfonts] scalable-cyrfonts: FTBFS: LaTeX requires 
e-TeX.
Added tag(s) patch.
> user debian-rele...@lists.debian.org
Setting user to debian-rele...@lists.debian.org (was sa...@debian.org).
> usertags 852929 + bsp-2017-02-de-Berlin
There were no usertags set.
Usertags are now: bsp-2017-02-de-Berlin.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
852929: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852929
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#856227: ufraw FTBFS on architectures where char is unsigned

[Adrian Bunk]

Source: ufraw
Version: 0.22-1
Severity: serious

From an armhf build:

...

make[4]: Entering directory '/home/debian/ufraw-0.22'
g++ -DHAVE_CONFIG_H -I.  -pthread -I/usr/include/gtk-2.0 
-I/usr/lib/arm-linux-gnueabihf/gtk-2.0/include -I/usr/include/gio-unix-2.0/ 
-I/usr/include/cairo -I/usr/include/pango-1.0 -I/usr/include/atk-1.0 
-I/usr/include/cairo -I/usr/include/pixman-1 -I/usr/include/libpng16 
-I/usr/include/gdk-pixbuf-2.0 -I/usr/include/libpng16 -I/usr/include/pango-1.0 
-I/usr/include/harfbuzz -I/usr/include/pango-1.0 -I/usr/include/glib-2.0 
-I/usr/lib/arm-linux-gnueabihf/glib-2.0/include -I/usr/include/freetype2 
-pthread -I/usr/include/glib-2.0 
-I/usr/lib/arm-linux-gnueabihf/glib-2.0/include  -I/usr/include/lensfun 
-I/usr/include/glib-2.0 -I/usr/lib/arm-linux-gnueabihf/glib-2.0/include 
-I/usr/include/arm-linux-gnueabihf -I/usr/include/libpng16  -DDCRAW_NOMAIN 
-DUFRAW_LOCALEDIR=\"/usr/share/locale\" -Wdate-time -D_FORTIFY_SOURCE=2  -g -O2 
-fdebug-prefix-map=/home/debian/ufraw-0.22=. -fstack-protector-strong -Wformat 
-Werror=format-security -fopenmp -c -o dcraw.o dcraw.cc
dcraw.cc:10079:21: warning: invalid suffix on literal; C++11 requires a space 
between literal and string macro [-Wliteral-suffix]
   strcpy (th->soft, "dcraw v"DCRAW_VERSION);
 ^
dcraw.cc: In member function ‘void DCRaw::kodak_radc_load_raw()’:
dcraw.cc:2307:3: error: narrowing conversion of ‘-2’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
   };
   ^
dcraw.cc:2307:3: error: narrowing conversion of ‘-3’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
dcraw.cc:2307:3: error: narrowing conversion of ‘-17’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
dcraw.cc:2307:3: error: narrowing conversion of ‘-5’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
dcraw.cc:2307:3: error: narrowing conversion of ‘-7’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
dcraw.cc:2307:3: error: narrowing conversion of ‘-18’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
dcraw.cc:2307:3: error: narrowing conversion of ‘-9’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
dcraw.cc:2307:3: error: narrowing conversion of ‘-2’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
dcraw.cc:2307:3: error: narrowing conversion of ‘-28’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
dcraw.cc:2307:3: error: narrowing conversion of ‘-49’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
dcraw.cc:2307:3: error: narrowing conversion of ‘-9’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
dcraw.cc:2307:3: error: narrowing conversion of ‘-79’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
dcraw.cc:2307:3: error: narrowing conversion of ‘-1’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
dcraw.cc:2307:3: error: narrowing conversion of ‘-16’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
dcraw.cc:2307:3: error: narrowing conversion of ‘-37’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
dcraw.cc:2307:3: error: narrowing conversion of ‘-26’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
dcraw.cc:2307:3: error: narrowing conversion of ‘-13’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
dcraw.cc:2307:3: error: narrowing conversion of ‘-39’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
dcraw.cc:2307:3: error: narrowing conversion of ‘-55’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
dcraw.cc:2307:3: error: narrowing conversion of ‘-76’ from ‘int’ to ‘char’ 
inside { } [-Wnarrowing]
Makefile:901: recipe for target 'dcraw.o' failed
make[4]: *** [dcraw.o] Error 1

Bug#856182: marked as done (Package does not include node.d directory required by nodejs plugins)

[Debian Bug Tracking System]

Your message dated Sun, 26 Feb 2017 18:51:49 +
with message-id 
and subject line Bug#856182: fixed in netdata 1.5.0+dfsg-2
has caused the Debian Bug report #856182,
regarding Package does not include node.d directory required by nodejs plugins
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
856182: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856182
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: netdata
Version: 1.5.0+dfsg-1
Severity: serious

The package misses to include the node.d directory and its files, especially 
the node_modules directory required by nodejs plugins.

Missing files:

$ l /usr/lib/x86_64-linux-gnu/netdata/node.d/
total 68
-rw-r--r-- 1 root root 32377 Feb 25 11:56 named.node.js
drwxr-xr-x 3 root root  4096 Feb 25 11:56 node_modules
-rw-r--r-- 1 root root 0 Feb 25 11:56 README.md
-rw-r--r-- 1 root root 10555 Feb 25 11:56 sma_webbox.node.js
-rw-r--r-- 1 root root 18060 Feb 25 11:56 snmp.node.js

The actual files seem to be processed upon build, but don't make it to the 
package:

$ l ./debian/tmp/usr/lib/x86_64-linux-gnu/netdata/node.d
total 68
-rw-r--r-- 1 root root 0 Feb 26 06:25 README.md
-rw-r--r-- 1 root root 32377 Feb 26 06:25 named.node.js
drwxr-xr-x 3 root root  4096 Feb 26 06:25 node_modules
-rw-r--r-- 1 root root 10555 Feb 26 06:25 sma_webbox.node.js
-rw-r--r-- 1 root root 18060 Feb 26 06:25 snmp.node.js

Without the files included it is impossible to run nodejs plugins.

Regards
Thomas


signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
Source: netdata
Source-Version: 1.5.0+dfsg-2

We believe that the bug you reported is fixed in the latest version of
netdata, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 856...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Federico Ceratto  (supplier of updated netdata package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sun, 26 Feb 2017 18:27:33 +
Source: netdata
Binary: netdata netdata-data
Architecture: source all amd64
Version: 1.5.0+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Lennart Weller 
Changed-By: Federico Ceratto 
Description:
 netdata- real-time charts for system monitoring
 netdata-data - real-time charts for system monitoring (Data)
Closes: 856182
Changes:
 netdata (1.5.0+dfsg-2) unstable; urgency=medium
 .
   [ Lennart Weller ]
   * Include node.d modules now as we recommend nodejs (Closes: #856182)
   * Move data dependencies to data package
Checksums-Sha1:
 88b6a9d4f4de523f4918c0f5035620d1a5069623 2108 netdata_1.5.0+dfsg-2.dsc
 efe710b46825ca58ce547b394634a3546fd26964 419756 
netdata_1.5.0+dfsg-2.debian.tar.xz
 499d97e5587d4818ce5751377eac8fc4691e5a46 736794 
netdata-data_1.5.0+dfsg-2_all.deb
 ed3e541a391c53a9ce3e418d0f1ed8bda875a03c 901482 
netdata-dbgsym_1.5.0+dfsg-2_amd64.deb
 a8468a8907bef3f076257bc37b46d532030a5143 5119 
netdata_1.5.0+dfsg-2_amd64.buildinfo
 3f572b29161367daa3b1662cb62b98e531495486 430118 netdata_1.5.0+dfsg-2_amd64.deb
Checksums-Sha256:
 d365118f56efdd65705d0e3dc653befd3066ac5ac81318def0f636047a564ed0 2108 
netdata_1.5.0+dfsg-2.dsc
 0800162eb7fc9b09d8b2fa0534545f6183f4b314757620684f28a4712e14aa0c 419756 
netdata_1.5.0+dfsg-2.debian.tar.xz
 a0834312ca2f992f998461ceed0942b74591198a96b695405c9c77460c969719 736794 
netdata-data_1.5.0+dfsg-2_all.deb
 b4c2d5bcbb0ee3c4b3fc99cf34fe2fce4cc55b4cebb349cea58a5833472dc5bd 901482 
netdata-dbgsym_1.5.0+dfsg-2_amd64.deb
 9ff4c3a57a8dd81e87e7bd20888388dd5b1c5eef1975a0071a402cc2c78bb903 5119 
netdata_1.5.0+dfsg-2_amd64.buildinfo
 7f89e0b409a4974a61aeedb7ac411ffe2b025c04f62bf8c24adb175fb13f833b 430118 
netdata_1.5.0+dfsg-2_amd64.deb
Files:
 1176a8716b30523abb1a3db66eb347c5 2108 net optional netdata_1.5.0+dfsg-2.dsc
 fd85cf7514efca56e14165a0897d291d 419756 net optional 
netdata_1.5.0+dfsg-2.debian.tar.xz
 913eee46f6cdfcab4eab33dbcba4e9c7 736794 net optional 
netdata-data_1.5.0+dfsg-2_all.deb
 87ffb25105383514d62cb0400cd20438 901482 debug extra 
netdata-dbgsym_1.5.0+dfsg-2_amd64.deb
 

Bug#856004: khtml: please build-depen on libssl1.0-dev for Stretch

[Sebastian Andrzej Siewior]

On 2017-02-26 01:03:23 [+0100], John Paul Adrian Glaubitz wrote:
> But the question is whether SSL support is actually relevant in khtml at all.

If it is not exported or mixed with QT's SSL then it is not relevant.

> As you can see from the list of reverse dependencies, there's actually not
> much that is using khtml and the very few packages that use it are offline
> only like SystemSettings or Kiten. So, I don't think any SSL code is actually
> ever used.
> 
> I mean, if you really insist to rebuild khtml with libssl1.0-dev, then please
> just let's go ahead in order to get the number of RC bugs for Stretch down.

I don't insist on anything. I noticed that this package does not depend on
libssl after building and that is why I took a look. Then I noticed it is QT
based and loads symbols which don't exist. If none of that matters then simply
close the bug and keep everything as-is.

> Adrian

Sebastian

Processed: closing 851852

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> # The bug has been fixed in release 1.5
> close 851852
Bug #851852 [netdata] netdata: postfix/postdrop Read-only filesystem
Marked Bug as done
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
851852: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851852
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#856210: libdebian-installer: please parse SHA256 field and add it to di_* structs

[Steven Chamberlain]

Control: tags -1 + patch

Hi,

The regression in Bug#856215 in cdebootstrap:
"since SHA1 removal from Release file, only MD5sums are used"
could only be fixed by adding support for the SHA256 fields.

An open question is whether to preserve any support for MD5.
Keeping it would:

  + reduce potential for breakage (in case MD5 is "good enough" for some
use-case or SHA256 is still impractical)
  + allow verifiers to check both MD5 *and* SHA256, for even stronger
authentication in case one or both algorithms are broken
  - add complexity

Otherwise, dropping MD5 entirely would:

  * break reverse-dependencies (hopefully just anna, cdebootstrap) thus
*forcing* us to stop using MD5 there, and implement SHA256

I've attached only the most minimal patch to allow reverse-depends do
implement SHA256.  They must adapt to the new names of struct members
*and* remember that the hash length is now different.  (The hash data is
stored in variable-length fields but the length is not recorded in the
structs, and the has is denoted by a magic number not an enum;  that
could be made better, but requiring a much larger diff).

A follow-up commit should extend the testsuite to check parsing of the
SHA256 fields;  that also would result in a larger diff however.

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org
diff --git a/debian/changelog b/debian/changelog
index 3dd29e1..1b7fcd8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,7 +1,16 @@
 libdebian-installer (0.109) UNRELEASED; urgency=medium
 
+  [ Samuel Thibault ]
   * Fix build with gcc-7. Closes: #853489
 
+  [ Steven Chamberlain ]
+  * Parse SHA256 fields instead of MD5Sum fields in Packages files.
+  * Parse SHA256 fields instead of (no longer existing) SHA1 fields in
+Release files.
+  * In structs di_release and di_package, add new sha256 member and
+remove the md5sum member (a backward-incompatible change, this will
+force reverse-dependencies to stop using MD5 for verification).
+
  -- Samuel Thibault   Tue, 31 Jan 2017 11:09:16 +0100
 
 libdebian-installer (0.108) unstable; urgency=medium
diff --git a/include/debian-installer/package.h b/include/debian-installer/package.h
index 72d7444..e1f699d 100644
--- a/include/debian-installer/package.h
+++ b/include/debian-installer/package.h
@@ -112,7 +112,7 @@ struct di_package
   di_slist depends; /**< Any different dependency types */
   char *filename;   /**< Filename field */
   size_t size;  /**< Size field */
-  char *md5sum; /**< MD5Sum field */
+  char *sha256; /**< SHA256 field */
   char *short_description;  /**< Description field, first part*/
   char *description;/**< Description field, second part */
   unsigned int resolver;/**< @internal */
diff --git a/include/debian-installer/package_internal.h b/include/debian-installer/package_internal.h
index f6357d1..d410ce2 100644
--- a/include/debian-installer/package_internal.h
+++ b/include/debian-installer/package_internal.h
@@ -52,7 +52,7 @@ const di_parser_fieldinfo
   internal_di_package_parser_field_enhances,
   internal_di_package_parser_field_filename,
   internal_di_package_parser_field_size,
-  internal_di_package_parser_field_md5sum,
+  internal_di_package_parser_field_sha256,
   internal_di_package_parser_field_description;
 
 /**
diff --git a/include/debian-installer/release.h b/include/debian-installer/release.h
index 223a4f8..8e3c572 100644
--- a/include/debian-installer/release.h
+++ b/include/debian-installer/release.h
@@ -40,7 +40,7 @@ struct di_release
   char *origin; /**< Origin field */
   char *suite;  /**< Suite field */
   char *codename;   /**< Codename field */
-  di_hash_table *md5sum;/**< checksum fields, includes di_release_file */
+  di_hash_table *sha256;/**< checksum fields, includes di_release_file */
   di_mem_chunk *release_file_mem_chunk; /**< @internal */
 };
 
@@ -55,7 +55,7 @@ struct di_release_file
 di_rstring key; /**< @internal */
   };
   unsigned int size;/**< size */
-  char *sum[2]; /**< checksums, currently md5 and sha1 */
+  char *sum[2]; /**< checksums, currently md5 and sha256 */
 };
 
 di_release *di_release_alloc (void);
diff --git a/src/package.c b/src/package.c
index 653b5dd..82c7653 100644
--- a/src/package.c
+++ b/src/package.c
@@ -38,7 +38,7 @@ void di_package_destroy (di_package *package)
   di_free (package->architecture);
   di_free (package->version);
   di_free (package->filename);
-  di_free 

Processed: Re: Bug#856210: libdebian-installer: please parse SHA256 field and add it to di_* structs

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + patch
Bug #856210 [src:libdebian-installer] libdebian-installer: please parse SHA256 
field and add it to di_* structs
Added tag(s) patch.

-- 
856210: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856210
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Not in (old)stable

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tags 856199 stretch sid
Bug #856199 {Done: Adrian Bunk } [src:vbrfix] vbrfix FTBFS on 
armhf
Added tag(s) sid and stretch.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
856199: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856199
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#838303: marked as done (kde-plasma-desktop: KDE does not start after log in)

[Debian Bug Tracking System]

Your message dated Sun, 26 Feb 2017 19:16:14 +0100
with message-id <6bfa4d7e-334a-10ac-0d19-8764c2c0b...@physik.fu-berlin.de>
and subject line Re: Bug#838303: kde-plasma-desktop: KDE does not start after 
log in
has caused the Debian Bug report #838303,
regarding kde-plasma-desktop: KDE does not start after log in
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
838303: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838303
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: kde-plasma-desktop
Version: 5:91
Severity: grave
Justification: renders package unusable

Dear Maintainer,

   * What led up to the situation?

On the 15th of September I have upgraded some packages

   * What was the outcome of this action?

Next time when I started this computer, after the sddm login screen when I
successfully log in, I can see a KDE loading splash screen as expected, but
after the spalsh screen I see only a blank black screen, with the mouse pointer
on the left edge. I can move the pointer up and down, but it doesn't move
horizontally.

   * What outcome did you expect instead?

A working system

   * What exactly did you do (or not do) that was effective (or
 ineffective)?

I can switch to the console with ctrl-alt-Fn and log in there. I could only
restart the computer, could not find a way to fix KDE.  I have removed every
KDE and X packages, then I installed LXDE desktop. With LXDE the system works.

I reinstalled task-desktop-kde.  Now in sddm I have the option to select plasma
or lxde (among some other things). If I select LXDE it works. If I select
Plasma, I have the same issue as before.

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages kde-plasma-desktop depends on:
ii  kde-baseapps  4:16.08.0-1
ii  kde-runtime   4:16.08.0-1
ii  plasma-desktop4:5.6.5-1
ii  plasma-workspace  4:5.6.5.1-1
ii  udisks2   2.1.7-2
ii  upower0.99.4-3

Versions of packages kde-plasma-desktop recommends:
ii  kwin-x11  4:5.7.0-1
ii  sddm  0.13.0-1
ii  xserver-xorg  1:7.7+16

Versions of packages kde-plasma-desktop suggests:
ii  kde-l10n-engb [kde-l10n]  4:16.04.3-1

-- no debconf information
--- End Message ---
--- Begin Message ---
On 02/26/2017 07:07 PM, Gábor Nagy wrote:
> I no longer have the issue.
> Feel free to close the bug.

Great, thanks for the feedback. Closing.

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913--- End Message ---

Bug#855925: sugar-irc-activity: diff for NMU version 8-1.3

[Tomasz Buchert]

My mistake again! I included a wrong e-mail in the last upload
changelog.  Here is the right debdiff. Will upload to DELAYED/3
as soon as dcut does its job.diff -Nru sugar-irc-activity-8/debian/changelog sugar-irc-activity-8/debian/changelog
--- sugar-irc-activity-8/debian/changelog	2013-07-09 20:07:25.0 +0200
+++ sugar-irc-activity-8/debian/changelog	2017-02-26 18:09:56.0 +0100
@@ -1,3 +1,10 @@
+sugar-irc-activity (8-1.3) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Remove broken deps (Closes: #855925)
+
+ -- Tomasz Buchert   Sun, 26 Feb 2017 18:09:56 +0100
+
 sugar-irc-activity (8-1.2) unstable; urgency=low
 
   * Non-maintainer upload.
diff -Nru sugar-irc-activity-8/debian/control sugar-irc-activity-8/debian/control
--- sugar-irc-activity-8/debian/control	2013-07-09 20:07:25.0 +0200
+++ sugar-irc-activity-8/debian/control	2017-02-26 18:09:56.0 +0100
@@ -11,8 +11,8 @@
  debhelper (>= 6),
  cdbs (>= 0.4.67~),
  python (>= 2.6.6-3~),
- python-sugar-0.88 | python-sugar,
- python-sugar-toolkit-0.88 | python-sugar-toolkit,
+ python-sugar,
+ python-sugar-toolkit,
  unzip
 Standards-Version: 3.9.1.0
 Vcs-Git: git://git.debian.org/collab-maint/sugar-irc-activity.git
@@ -31,9 +31,9 @@
  Sugar has since grown into a more widely usable low-resource desktop
  environment for kids.
  .
- This Activity allows you to contact other Sugar users and enthusiasts 
- on the internet and chat with them. It uses a system called Internet 
+ This Activity allows you to contact other Sugar users and enthusiasts
+ on the internet and chat with them. It uses a system called Internet
  Relay Chat, or IRC for short. There are several IRC channels for Sugar
- users and developers. It defaults to a "room" called #sugar, but you 
- can also enter other rooms by typing /join #room where room is the  
+ users and developers. It defaults to a "room" called #sugar, but you
+ can also enter other rooms by typing /join #room where room is the
  name of the room you wish to join.

Processed: mcabber: diff for NMU version 1.0.4-1.1

[Debian Bug Tracking System]

Processing control commands:

> tags 854738 + patch
Bug #854738 {Done: Markus Koschany } [mcabber] CVE-2017-5604
Added tag(s) patch.
> tags 854738 + pending
Bug #854738 {Done: Markus Koschany } [mcabber] CVE-2017-5604
Added tag(s) pending.

-- 
854738: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854738
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#854738: mcabber: diff for NMU version 1.0.4-1.1

[Markus Koschany]

Control: tags 854738 + patch
Control: tags 854738 + pending

Dear maintainer,

I've prepared an NMU for mcabber (versioned as 1.0.4-1.1) and
uploaded it to unstable. Please find attached the debdiff.

Regards,

Markus
diff -Nru mcabber-1.0.4/debian/changelog mcabber-1.0.4/debian/changelog
--- mcabber-1.0.4/debian/changelog	2016-12-20 13:50:12.0 +0100
+++ mcabber-1.0.4/debian/changelog	2017-02-26 18:42:08.0 +0100
@@ -1,3 +1,14 @@
+mcabber (1.0.4-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2017-5604:
+An incorrect implementation of XEP-0280: Message Carbons in mcabber allows
+a remote attacker to impersonate any user, including contacts, in the
+vulnerable application's display. This allows for various kinds of social
+engineering attacks. (Closes: #854738)
+
+ -- Markus Koschany   Sun, 26 Feb 2017 18:42:08 +0100
+
 mcabber (1.0.4-1) unstable; urgency=medium
 
   * New upstream version which fixes roster push attacks (CVE-2016-9928,
diff -Nru mcabber-1.0.4/debian/patches/CVE-2017-5604.patch mcabber-1.0.4/debian/patches/CVE-2017-5604.patch
--- mcabber-1.0.4/debian/patches/CVE-2017-5604.patch	1970-01-01 01:00:00.0 +0100
+++ mcabber-1.0.4/debian/patches/CVE-2017-5604.patch	2017-02-26 18:42:08.0 +0100
@@ -0,0 +1,35 @@
+From: Markus Koschany 
+Date: Sun, 26 Feb 2017 18:39:28 +0100
+Subject: CVE-2017-5604
+
+An incorrect implementation of XEP-0280: Message Carbons in mcabber allows a
+remote attacker to impersonate any user, including contacts, in the vulnerable
+application's display. This allows for various kinds of social engineering
+attacks.
+
+Bug-Debian: https://bugs.debian.org/854738
+Origin: https://mcabber.com/hg/rev/2a9569fd7644
+---
+ mcabber/xmpp.c | 9 +
+ 1 file changed, 9 insertions(+)
+
+diff --git a/mcabber/xmpp.c b/mcabber/xmpp.c
+index 7524ee8..e297aa7 100644
+--- a/mcabber/xmpp.c
 b/mcabber/xmpp.c
+@@ -1159,6 +1159,15 @@ static LmHandlerResult handle_messages(LmMessageHandler *handler,
+ 
+ // Parse a message that is send to one of our other resources
+ if (!g_strcmp0(carbon_name, "received")) {
++  // Check envelope JID for carbon messages
++  gchar *self_bjid = jidtodisp(lm_connection_get_jid(lconnection));
++  if (g_strcmp0(self_bjid, bjid)) {
++scr_LogPrint(LPRINT_LOGNORM, "Received invalid carbon copy!");
++g_free(self_bjid);
++goto handle_messages_return;
++  }
++  g_free(self_bjid);
++
+   from = lm_message_node_get_attribute(x, "from");
+   if (!from) {
+ scr_LogPrint(LPRINT_LOGNORM, "Malformed carbon copy!");
diff -Nru mcabber-1.0.4/debian/patches/series mcabber-1.0.4/debian/patches/series
--- mcabber-1.0.4/debian/patches/series	2016-12-20 13:50:12.0 +0100
+++ mcabber-1.0.4/debian/patches/series	2017-02-26 18:42:08.0 +0100
@@ -1 +1,2 @@
 spelling_manpage
+CVE-2017-5604.patch

Bug#838303: kde-plasma-desktop: KDE does not start after log in

[Gábor Nagy]

I no longer have the issue.
Feel free to close the bug.

Cheers, Gabor

On 26 Feb 2017 16:50, "John Paul Adrian Glaubitz" <
glaub...@physik.fu-berlin.de> wrote:

Hi Gabor!

Is there any update on this bug report from your side? Does this
problem still persist? If not, we should close this bug report
as keeping it open will delay the release of Debian Stretch.

I am running KDE 5 here on Debian unstable as well and I cannot
reproduce this particular issue.

Thanks,
Adrian

--
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913

Bug#854738: marked as done (CVE-2017-5604)

[Debian Bug Tracking System]

Your message dated Sun, 26 Feb 2017 18:04:05 +
with message-id 
and subject line Bug#854738: fixed in mcabber 1.0.4-1.1
has caused the Debian Bug report #854738,
regarding CVE-2017-5604
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
854738: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854738
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mcabber
Severity: grave
Tags: security

Please see http://seclists.org/oss-sec/2017/q1/373

Cheers,
Moritz
--- End Message ---
--- Begin Message ---
Source: mcabber
Source-Version: 1.0.4-1.1

We believe that the bug you reported is fixed in the latest version of
mcabber, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 854...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany  (supplier of updated mcabber package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 26 Feb 2017 18:42:08 +0100
Source: mcabber
Binary: mcabber
Architecture: source
Version: 1.0.4-1.1
Distribution: unstable
Urgency: medium
Maintainer: Franziska Lichtblau 
Changed-By: Markus Koschany 
Description:
 mcabber- small Jabber (XMPP) console client
Closes: 854738
Changes:
 mcabber (1.0.4-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix CVE-2017-5604:
 An incorrect implementation of XEP-0280: Message Carbons in mcabber allows
 a remote attacker to impersonate any user, including contacts, in the
 vulnerable application's display. This allows for various kinds of social
 engineering attacks. (Closes: #854738)
Checksums-Sha1:
 893b0335f5d8ff51992218ba3861a0b864fb9961 2131 mcabber_1.0.4-1.1.dsc
 3ebe66f2ec5855644a8a6a502a5d3e8497dd7fa0 5400 mcabber_1.0.4-1.1.debian.tar.xz
 0f9019e0a8187bc321d3c691b2184e9fea0a11ec 6543 mcabber_1.0.4-1.1_amd64.buildinfo
Checksums-Sha256:
 a6581da14a2f622c4b43f98755208d7aab5fa9bf7276bc174af265dd21528749 2131 
mcabber_1.0.4-1.1.dsc
 6957ab85cd56014434366510e036bb4649164627c6912fdb5dc8db02f425f7a5 5400 
mcabber_1.0.4-1.1.debian.tar.xz
 0a8953726ebfb069f71d067e870323ccd4dc7208ae27c31af22a911316bc5324 6543 
mcabber_1.0.4-1.1_amd64.buildinfo
Files:
 58c764c11c16f334f797e6c88180d7bb 2131 net optional mcabber_1.0.4-1.1.dsc
 c15c6c744156e4973b79ccf368136d77 5400 net optional 
mcabber_1.0.4-1.1.debian.tar.xz
 e813d2c91818cf300f07a611c536a255 6543 net optional 
mcabber_1.0.4-1.1_amd64.buildinfo

-BEGIN PGP SIGNATURE-

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlizFYlfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkA98P/iNcd8R4Nk6CyNOyq37tb1/gb3Zvd/yjYThG
Dk2rfsksf57LR1uMJ1ixuu5zl3xk9Kfcc5oBM2dUUuY5oZzgiq33x4rfRMpuNUqb
3SzP0P63fRcLptvXb0T0VaE/R7vbw58t4kFCr6bALXgOPLYG5JHQPPdQ1tzv9C3Y
ynLQ1vphkM5gHHTDzMxYhpRH3yFWpY5oqoOsA3pCa8NYL9U4216HWctyfubtjtMe
qoJkZlBdDwIk2wrGXpm7mEwWUrFNVRLt5qmQ+Jp2Q7QR1GuTuOIF7EpgpTAlZjQk
b/P2M4wzLrYNdFYM2aAYKpMe/vcnUkZSVN5vtoyBBHO4HCkDVQnxMwZwLjAdwm1f
HwQjBn4qIZzUOMmRWL8i1U4YxRT3W//UNoV+W6+2h7eLDjpVZ5UW2nP5ng4nt6uM
Yj4lJdeM8btFUib/PSjjnL1BJoeO1M2Rc+1iLHetuRcanuIUCUFBaL2FkMs524/9
QXNo8j/bSODMbY93Pb/j6gMwyUywbzvRcQyN6zM65CseTAW8N8okDyPHQLWo8xab
agEQTTb9Wx9YTAhGANrxo2IislXen2voJpsbhrn8bX/RBhiMOQSNZQeLy+6S06jk
lqErJDJNogcJgzoGVsevL2e90Ery9iwmK6O6tEONiJvLaBhmAzB1/BhKZo/PqV/c
l5Vb7nnc
=C5Gb
-END PGP SIGNATURE End Message ---

Processed: your mail

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tags 750895 patch
Bug #750895 [python3-tempita] python3-tempita: doesn't work
Added tag(s) patch.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
750895: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=750895
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#856162: ctpp2 FTBFS on !i386/amd64: missing symbols

[John Paul Adrian Glaubitz]

Control: reopen -1

On 02/26/2017 05:37 PM, Vasudev Kamath wrote:
> Thanks for the offer, I had already prepared the fix. I uploaded it and
> have raised the unblock request.

That didn't work, unfortunately. Several architectures are still failing [1].

Adrian

> [1] https://buildd.debian.org/status/package.php?p=ctpp2=sid

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913

Processed: Re: Bug#856162: ctpp2 FTBFS on !i386/amd64: missing symbols

[Debian Bug Tracking System]

Processing control commands:

> reopen -1
Bug #856162 {Done: Vasudev Kamath } [src:ctpp2] ctpp2 
FTBFS on !i386/amd64: missing symbols
'reopen' may be inappropriate when a bug has been closed with a version;
all fixed versions will be cleared, and you may need to re-add them.
Bug reopened
No longer marked as fixed in versions ctpp2/2.8.3-20.

-- 
856162: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856162
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#750895: python3-tempita: doesn't work with python 3.3

[Sascha Steinbiss]

Hi all,

> 2. This issue is already fixed in the upstream in this commit:
>  
> https://github.com/gjhiggins/tempita/commit/ce87d4c0f057880c5b0dc77e83e3eecad7f355a7
>  (The previous commit of this, 75064399e7e72fd67e2a0c21c675d6289e7d1ec9, 
> suffers from the same error.)

Here’s a small patch that backports their fix to this version. I also added a 
tiny autopkgtest to check the issue is fixed.

Cheers
Sascha


0001-address-encoding-issues-to-fix-750895.patch
Description: Binary data


signature.asc
Description: Message signed with OpenPGP

Processed: sugar-irc-activity: diff for NMU version 8-1.3

[Debian Bug Tracking System]

Processing control commands:

> tags 855925 + patch
Bug #855925 [src:sugar-irc-activity] sugar-irc-activity: FTBFS: unsatisfiable 
build-dependencies: python-sugar-0.88, python-sugar-toolkit-0.88
Added tag(s) patch.
> tags 855925 + pending
Bug #855925 [src:sugar-irc-activity] sugar-irc-activity: FTBFS: unsatisfiable 
build-dependencies: python-sugar-0.88, python-sugar-toolkit-0.88
Added tag(s) pending.

-- 
855925: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855925
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#855925: sugar-irc-activity: diff for NMU version 8-1.3

[Tomasz Buchert]

Control: tags 855925 + patch
Control: tags 855925 + pending

Dear maintainer,

I've prepared an NMU for sugar-irc-activity (versioned as 8-1.3) and
uploaded it to DELAYED/3. Please feel free to tell me if I
should delay it longer.

For the context of the fix, please see https://bugs.debian.org/855932.

Regards,
Tomasz
diff -Nru sugar-irc-activity-8/debian/changelog sugar-irc-activity-8/debian/changelog
--- sugar-irc-activity-8/debian/changelog	2013-07-09 20:07:25.0 +0200
+++ sugar-irc-activity-8/debian/changelog	2017-02-26 18:09:56.0 +0100
@@ -1,3 +1,10 @@
+sugar-irc-activity (8-1.3) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Remove broken deps (Closes: #855925)
+
+ -- Tomasz Buchert   Sun, 26 Feb 2017 18:09:56 +0100
+
 sugar-irc-activity (8-1.2) unstable; urgency=low
 
   * Non-maintainer upload.
diff -Nru sugar-irc-activity-8/debian/control sugar-irc-activity-8/debian/control
--- sugar-irc-activity-8/debian/control	2013-07-09 20:07:25.0 +0200
+++ sugar-irc-activity-8/debian/control	2017-02-26 18:09:56.0 +0100
@@ -11,8 +11,8 @@
  debhelper (>= 6),
  cdbs (>= 0.4.67~),
  python (>= 2.6.6-3~),
- python-sugar-0.88 | python-sugar,
- python-sugar-toolkit-0.88 | python-sugar-toolkit,
+ python-sugar,
+ python-sugar-toolkit,
  unzip
 Standards-Version: 3.9.1.0
 Vcs-Git: git://git.debian.org/collab-maint/sugar-irc-activity.git
@@ -31,9 +31,9 @@
  Sugar has since grown into a more widely usable low-resource desktop
  environment for kids.
  .
- This Activity allows you to contact other Sugar users and enthusiasts 
- on the internet and chat with them. It uses a system called Internet 
+ This Activity allows you to contact other Sugar users and enthusiasts
+ on the internet and chat with them. It uses a system called Internet
  Relay Chat, or IRC for short. There are several IRC channels for Sugar
- users and developers. It defaults to a "room" called #sugar, but you 
- can also enter other rooms by typing /join #room where room is the  
+ users and developers. It defaults to a "room" called #sugar, but you
+ can also enter other rooms by typing /join #room where room is the
  name of the room you wish to join.

Bug#856218: FTBFS during documentation build

[Anton Gladky]

Package: yade
Version: 2017.01a-2
Severity: serious
Tags: upstream

Yade fails to build from scratch during documentation generation [1].
Relevant lines in the build log:

==
(/usr/share/texlive/texmf-dist/tex/latex/needspace/needspace.sty)
  ** (sphinx) defining (legacy) text style macros without \sphinx prefix
  ** if clashes with packages, set latex_keep_old_macro_names=False in conf.py

  ! LaTeX Error: Command \strong already defined.
  Or name \end... illegal, see p.192 of the manual.

  See the LaTeX manual or LaTeX Companion for explanation.
  Type  H   for immediate help.
  ...  

  l.912 }

  ? 
  ! Emergency stop.
...  
  
l.912 }
  
==

Bug#855602: marked as done (libnids: undefined reference to `before' after being rebuilt / on mips64el)

[Debian Bug Tracking System]

Your message dated Sun, 26 Feb 2017 17:18:52 +
with message-id 
and subject line Bug#855602: fixed in libnids 1.23-2.1
has caused the Debian Bug report #855602,
regarding libnids: undefined reference to `before' after being rebuilt / on 
mips64el
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
855602: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855602
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libnids
Version: 1.23-2
Severity: serious
Tags: patch

Hi,

After being rebuilt with a recent toolchain, attempting to link against
libnids gives the error:
> /usr/lib/libnids.so: undefined reference to `before'
> /usr/lib/libnids.so: undefined reference to `after'

Notably mips64el already contains a broken binary in the archive as can
be seen from this build log of dsniff:
https://buildd.debian.org/status/fetch.php?pkg=dsniff=mips64el=2.4b1%2Bdebian-23=1487505250=0

powerpcspe and ppc64 also seem to be broken.

A patch to fix this was already applied to the package in Ubuntu and
I've attached it for convenience.

Thanks,
James
diff -Nru libnids-1.23/debian/changelog libnids-1.23/debian/changelog
--- libnids-1.23/debian/changelog	2010-07-21 19:23:34.0 +
+++ libnids-1.23/debian/changelog	2015-12-06 06:16:57.0 +
@@ -1,3 +1,11 @@
+libnids (1.23-2ubuntu1) xenial; urgency=medium
+
+  * debian/patches/before-after.patch: Fix declarations of before and after
+functions so that they are defined in util.h, fixing undefined references
+in libnibs.so.
+
+ -- Logan Rosen   Sun, 06 Dec 2015 01:16:24 -0500
+
 libnids (1.23-2) unstable; urgency=high
 
   * Update my email address (closes: #574042).
diff -Nru libnids-1.23/debian/control libnids-1.23/debian/control
--- libnids-1.23/debian/control	2010-07-21 00:14:44.0 +
+++ libnids-1.23/debian/control	2015-12-06 06:16:58.0 +
@@ -1,7 +1,8 @@
 Source: libnids
 Section: libdevel
 Priority: optional
-Maintainer: Vasilis Pappas 
+Maintainer: Ubuntu Developers 
+XSBC-Original-Maintainer: Vasilis Pappas 
 Build-Depends: libpcap0.8-dev, libnet1-dev (>= 1.1.2.1), debhelper (>= 5), autotools-dev, pkg-config, libglib2.0-dev
 Standards-Version: 3.9.0
 
diff -Nru libnids-1.23/debian/patches/before-after.patch libnids-1.23/debian/patches/before-after.patch
--- libnids-1.23/debian/patches/before-after.patch	1970-01-01 00:00:00.0 +
+++ libnids-1.23/debian/patches/before-after.patch	2015-12-06 06:16:16.0 +
@@ -0,0 +1,52 @@
+Description: fix before and after declarations
+ Fix declarations of before and after functions so that they just happen in the header file to fix undefined references in libnids.so.
+Origin: upstream, http://downloads.sourceforge.net/project/libnids/libnids/1.24/libnids-1.24.tar.gz
+Forwarded: no
+Applied-Upstream: 1.24
+Last-Update: 2015-12-06
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/util.c
 b/src/util.c
+@@ -29,18 +29,6 @@
+   return ret;
+ }
+ 
+-inline int
+-before(u_int seq1, u_int seq2)
+-{
+-  return ((int)(seq1 - seq2) < 0);
+-}
+-
+-inline int
+-after(u_int seq1, u_int seq2)
+-{
+-  return ((int)(seq2 - seq1) < 0);
+-}
+-
+ void
+ register_callback(struct proc_node **procs, void (*x))
+ {
+--- a/src/util.h
 b/src/util.h
+@@ -23,8 +23,18 @@
+ 
+ void nids_no_mem(char *);
+ char *test_malloc(int);
+-inline int before(u_int seq1, u_int seq2);
+-inline int after(u_int seq1, u_int seq2);
++
++static inline int
++before(u_int seq1, u_int seq2)
++{
++  return ((int)(seq1 - seq2) < 0);
++}
++
++static inline int
++after(u_int seq1, u_int seq2)
++{
++  return ((int)(seq2 - seq1) < 0);
++}
+ void register_callback(struct proc_node **procs, void (*x));
+ void unregister_callback(struct proc_node **procs, void (*x));
+ 
diff -Nru libnids-1.23/debian/patches/series libnids-1.23/debian/patches/series
--- libnids-1.23/debian/patches/series	2010-07-21 00:13:10.0 +
+++ libnids-1.23/debian/patches/series	2015-12-06 06:11:40.0 +
@@ -1 +1,2 @@
 debian-changes-1.23-2
+before-after.patch


signature.asc
Description: OpenPGP digital signature
--- End Message ---
--- Begin Message ---
Source: libnids
Source-Version: 1.23-2.1

We believe that the bug you reported is fixed in the latest version of
libnids, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the 

Bug#851060: marked as done (libnids1.21: can't assemble TCP streams on armhf)

[Debian Bug Tracking System]

Your message dated Sun, 26 Feb 2017 17:18:52 +
with message-id 
and subject line Bug#851060: fixed in libnids 1.23-2.1
has caused the Debian Bug report #851060,
regarding libnids1.21: can't assemble TCP streams on armhf
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
851060: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851060
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libnids1.21
Version: 1.23-2
Control: affects -1 + dsniff

At least on armhf (on both Debian Unstable as well as on Raspbian
Jessie), libnids1.21 can't assemble TCP streams correctly. This
affects software relying on libnids, such as dsniff.

Compiling the library myself, I could reproduce that gcc's strict
aliasing assumptions don't hold for this code.  Turning off
optimizations relying on strict aliasing fixed the issue for me.  The
compiler flag is -fno-strict-aliasing.

My proposal would be to add this flag, as the library itself is mostly
unmaintained.

Steps to reproduce:
- Run dsniff (which is based on libnids; package maintainers Cc'ed)
- curl -v --basic --user foo:bar http://neverssl.com/

Expected results:
- dsniff should report the observed credentials

Observed results:
- dsniff returns nothing


signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: libnids
Source-Version: 1.23-2.1

We believe that the bug you reported is fixed in the latest version of
libnids, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 851...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill  (supplier of updated libnids package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 26 Feb 2017 16:25:37 +
Source: libnids
Binary: libnids-dev libnids1.21
Architecture: source
Version: 1.23-2.1
Distribution: unstable
Urgency: medium
Maintainer: Vasilis Pappas 
Changed-By: James Cowgill 
Description:
 libnids-dev - IP defragmentation TCP segment reassembly library (development)
 libnids1.21 - IP defragmentation TCP segment reassembly library
Closes: 851060 855602
Changes:
 libnids (1.23-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix assembly of TCP streams on armhf by adding -fno-strict-aliasing.
 (Closes: #851060)
   * Fix use of "inline" with GCC >= 5 which causes undefined references in
 applications linked against libnids. (Closes: #855602)
Checksums-Sha1:
 1ee590b460fe60caa72cdf928ac22dd85584c00a 1833 libnids_1.23-2.1.dsc
 862362c7b124bc19c117cd9d760414d57eacb08a 7220 libnids_1.23-2.1.debian.tar.xz
 e116285857730057208c3d071088afe854c80085 6209 libnids_1.23-2.1_source.buildinfo
Checksums-Sha256:
 05cb544ff47cf26c082ad3e6d10b89ac45d9705166ba9d3cc93c5e877f0d2ee4 1833 
libnids_1.23-2.1.dsc
 abc77c0ceb57f8ba8747799b230d7097d16379cd3f1ffed3ff0f2c537a5686da 7220 
libnids_1.23-2.1.debian.tar.xz
 cfd28989b0a1b555ceec5898b04e8cb6fc85a54b6e689008cfaf3dae8eced22c 6209 
libnids_1.23-2.1_source.buildinfo
Files:
 7369d208b908c3519299f65804887c0d 1833 libdevel optional libnids_1.23-2.1.dsc
 1e18e167a2b6b58e89cc5d6d7505e28e 7220 libdevel optional 
libnids_1.23-2.1.debian.tar.xz
 466c57648fcb3be93667283244497a30 6209 libdevel optional 
libnids_1.23-2.1_source.buildinfo

-BEGIN PGP SIGNATURE-

iQJIBAEBCgAyFiEE+Ixt5DaZ6POztUwQx/FnbeotAe8FAlizCXcUHGpjb3dnaWxs
QGRlYmlhbi5vcmcACgkQx/FnbeotAe/lAhAApe4ohjbXOsiBuXscHqo6H095X7WO
ZGDw8IK9rwl6Jxp3dSVqO8Zqd3YUZun6HUWfr/uNEjRsNlibHePP732A4eiU9iDh
QEoc6rX3/hU2fVIMHK0bPwOqocqv46KBXBe9AHcb8Vx8j2TDhhiKpIXtzTlAVntv
SVale6vkTbvXiMmklfJwvda5vDoWCTraL9NGArKrp5ZK1bM/cWUVBP33pqeGXlq4
+2wAu3kyQ1eIBe8+F93N1RAo6+2TylzrQed6vjp+8ndVgH7QUoe1WKpsf3A4dUpq
khneqb0VCdmAIig8oMY3vGhMA7GeRG33AarBszS3GKWpKC3KB2LAA4PqHOGkPabX
EyyiOU2R12n1oth5S/pX6Xu2E5k3UWOzRn9JSMYGM4LKvtqfgZDVVvbKABRZTQNZ
RjCBYQeeHOPEAWIcT3eX20gx7AX+MmrI6hk1V7BgS0UQlShyoW4Ob5D0xWbwVyEj
a7C1naHBRmdvO85E/i7jWM2NBj9bPS6KeSikvEqVeCQ2hTVmSBh/HnrfltclHRT2
F1cx9Tr7NAmjie8S0ODZYRx5ja1s0aY06ztdgpapaiLUNIrux3kiWOQYaX+FKtIo
stWmd4un1GyStJ3j+Ng8f86q6pcZfAGsRFgV46CT/hgjIDhS1u1N2O8JWPcmcLsH

Bug#855932: sugar-physics-activity: FTBFS: unsatisfiable build-dependencies: python-sugar-0.88, python-sugar-toolkit-0.88

[Lucas Nussbaum]

On 26/02/17 at 17:02 +0100, Sascha Steinbiss wrote:
> Hi,
> 
> > During a rebuild of all packages in stretch (in a stretch chroot, not a
> > sid chroot), your package failed to build on amd64.
> […]
> > > The following packages have unmet dependencies:
> > >  sbuild-build-depends-sugar-physics-activity-dummy : Depends: 
> > > python-sugar-0.88 but it is not installable
> > >  Depends: 
> > > python-sugar-toolkit-0.88 but it is not installable
> > > E: Unable to correct problems, you have held broken packages.
> > > apt-get failed.
> 
> I just tried to reproduce this in a current stretch cowbuilder chroot, and 
> for me the questionable build-deps are satisfied through their alternatives 
> in d/control, which are python-sugar_0.98.0-5 and 
> python-sugar-toolkit_0.110.0-1. The build succeeds for me, see attached log.
> 
> I’m not sure here why your build insists on python-sugar-0.88 (if you are, I 
> would be glad to be enlightened!). BTW I encountered the same issue when 
> trying to reproduce #855925.

Hi,

For reproducibility reasons, sbuild only uses the first alternative when
considering alternative build-deps. If you really need the alternative,
you course revert it (a|b => b|a) to make sbuild happy.

Lucas

Processed: tagging 854587

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tags 854587 + pending
Bug #854587 [icedove] icedove: incorrect start-version in 
{icedove,thunderbird}.maintscript
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
854587: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854587
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: libnids 1.23-2.1 NMU

[Debian Bug Tracking System]

Processing control commands:

> tags -1 patch pending
Bug #855602 [src:libnids] libnids: undefined reference to `before' after being 
rebuilt / on mips64el
Added tag(s) pending and patch.

-- 
855602: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855602
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: libnids 1.23-2.1 NMU

[Debian Bug Tracking System]

Processing control commands:

> tags -1 patch pending
Bug #851060 [libnids1.21] libnids1.21: can't assemble TCP streams on armhf
Added tag(s) pending.

-- 
851060: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851060
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#851060: libnids 1.23-2.1 NMU

[James Cowgill]

Control: tags -1 patch pending

Hi,

On 25/02/17 18:00, James Cowgill wrote:
> On 23/02/17 22:44, Marcos Fouces wrote:
>> I am agree with you, when i fix these bugs i will create a separate git
>> branch, cherry-pick only freeze-allowed changes and try to get a package
>> ready for stretch.
> 
> Ok. Since I can now get dsniff working, I will happily NMU this unless
> you want to do it.

Well now that I've collected all the fixes together and tested it, I'm
going to do the NMU anyway :)

Uploaded NMU attached.

Thanks,
James
diff -Nru libnids-1.23/debian/changelog libnids-1.23/debian/changelog
--- libnids-1.23/debian/changelog   2010-07-21 20:23:34.0 +0100
+++ libnids-1.23/debian/changelog   2017-02-26 16:25:37.0 +
@@ -1,3 +1,13 @@
+libnids (1.23-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix assembly of TCP streams on armhf by adding -fno-strict-aliasing.
+(Closes: #851060)
+  * Fix use of "inline" with GCC >= 5 which causes undefined references in
+applications linked against libnids. (Closes: #855602)
+
+ -- James Cowgill   Sun, 26 Feb 2017 16:25:37 +
+
 libnids (1.23-2) unstable; urgency=high
 
   * Update my email address (closes: #574042).
diff -Nru libnids-1.23/debian/patches/01_before-after.patch 
libnids-1.23/debian/patches/01_before-after.patch
--- libnids-1.23/debian/patches/01_before-after.patch   1970-01-01 
01:00:00.0 +0100
+++ libnids-1.23/debian/patches/01_before-after.patch   2017-02-26 
16:25:37.0 +
@@ -0,0 +1,52 @@
+Description: fix before and after declarations
+ Fix declarations of before and after functions so that they just happen in 
the header file to fix undefined references in libnids.so.
+Origin: upstream, 
http://downloads.sourceforge.net/project/libnids/libnids/1.24/libnids-1.24.tar.gz
+Bug-Debian: https://bugs.debian.org/855602
+Applied-Upstream: 1.24
+Last-Update: 2015-12-06
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/util.c
 b/src/util.c
+@@ -29,18 +29,6 @@ test_malloc(int x)
+   return ret;
+ }
+ 
+-inline int
+-before(u_int seq1, u_int seq2)
+-{
+-  return ((int)(seq1 - seq2) < 0);
+-}
+-
+-inline int
+-after(u_int seq1, u_int seq2)
+-{
+-  return ((int)(seq2 - seq1) < 0);
+-}
+-
+ void
+ register_callback(struct proc_node **procs, void (*x))
+ {
+--- a/src/util.h
 b/src/util.h
+@@ -23,8 +23,18 @@ struct lurker_node {
+ 
+ void nids_no_mem(char *);
+ char *test_malloc(int);
+-inline int before(u_int seq1, u_int seq2);
+-inline int after(u_int seq1, u_int seq2);
++
++static inline int
++before(u_int seq1, u_int seq2)
++{
++  return ((int)(seq1 - seq2) < 0);
++}
++
++static inline int
++after(u_int seq1, u_int seq2)
++{
++  return ((int)(seq2 - seq1) < 0);
++}
+ void register_callback(struct proc_node **procs, void (*x));
+ void unregister_callback(struct proc_node **procs, void (*x));
+ 
diff -Nru libnids-1.23/debian/patches/02_inline.patch 
libnids-1.23/debian/patches/02_inline.patch
--- libnids-1.23/debian/patches/02_inline.patch 1970-01-01 01:00:00.0 
+0100
+++ libnids-1.23/debian/patches/02_inline.patch 2017-02-25 17:50:03.0 
+
@@ -0,0 +1,45 @@
+Description: Fix more undefined references when using GCC-5.
+ Avoids making the functions ip_fast_csum, ip_compute_csum, my_tcp_check and
+ my_udp_check inline. See https://github.com/aol/moloch/issues/440 as well.
+Author: Robert Scheck 
+Origin: vendor, 
http://pkgs.fedoraproject.org/cgit/rpms/libnids.git/commit/?id=ecafb692f20e0acad555f66c3cc1646997a82dae
+Bug-Debian: https://bugs.debian.org/855602
+---
+This patch header follows DEP-3: https://dep.debian.net/deps/dep3/
+
+--- a/src/checksum.c
 b/src/checksum.c
+@@ -120,7 +120,7 @@ csum_partial(const u_char * buff, int le
+   By Jorge Cwik , adapted for linux by Arnt
+   Gulbrandsen.
+ */
+-inline u_short ip_fast_csum(u_char * iph, u_int ihl)
++u_short ip_fast_csum(u_char * iph, u_int ihl)
+ {
+   u_int sum;
+   if (dontchksum(((struct ip*)iph)->ip_src.s_addr))
+@@ -191,13 +191,13 @@ csum_tcpudp_magic(u_int saddr, u_int dad
+   this routine is used for miscellaneous IP-like checksums, mainly in
+   icmp.c
+ */
+-inline u_short
++u_short
+ ip_compute_csum(u_char * buff, int len)
+ {
+   return (csum_fold(csum_partial(buff, len, 0)));
+ }
+ 
+-inline u_short
++u_short
+ my_tcp_check(struct tcphdr *th, int len, u_int saddr, u_int daddr)
+ {
+   if (dontchksum(saddr))
+@@ -205,7 +205,7 @@ my_tcp_check(struct tcphdr *th, int len,
+   return csum_tcpudp_magic(saddr, daddr, len, IPPROTO_TCP,
+  csum_partial((char *)th, len, 0));
+ }
+-inline u_short
++u_short
+ my_udp_check(void *u, int len, u_int saddr, u_int daddr)
+ {
+   if (dontchksum(saddr))
diff -Nru libnids-1.23/debian/patches/series libnids-1.23/debian/patches/series
--- libnids-1.23/debian/patches/series  2010-07-21 01:13:10.0 +0100
+++ 

Bug#855932: sugar-physics-activity: diff for NMU version 7+dfsg-1.3

[Tomasz Buchert]

Oh my, actually due to me building the package in stretch sbuild, it
got rejected during the upload. So now I've uploaded it to the
unstable, DELAYED/3. \o/

Tomasz


signature.asc
Description: PGP signature

Bug#856162: marked as done (ctpp2 FTBFS on !i386/amd64: missing symbols)

[Debian Bug Tracking System]

Your message dated Sun, 26 Feb 2017 16:48:45 +
with message-id 
and subject line Bug#856162: fixed in ctpp2 2.8.3-20
has caused the Debian Bug report #856162,
regarding ctpp2 FTBFS on !i386/amd64: missing symbols
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
856162: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856162
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ctpp2
Version: 2.8.3-19
Severity: serious

https://buildd.debian.org/status/package.php?p=ctpp2=unstable

...
dpkg-gensymbols: warning: some symbols or patterns disappeared in the symbols 
file: see diff output below
dpkg-gensymbols: warning: debian/libctpp2-2v5/DEBIAN/symbols doesn't match 
completely debian/libctpp2-2v5.symbols
--- debian/libctpp2-2v5.symbols (libctpp2-2v5_2.8.3-19+b1_arm64)
+++ dpkg-gensymbolsNQ_FbH   2017-02-25 04:31:35.654638803 +
@@ -192,8 +192,8 @@
  _ZN4CTPP12CTPP2GetText10ReadMODataEPKhi@Base 2.8.3
  
_ZN4CTPP12CTPP2GetText11FindMessageERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES8_S8_@Base
 2.8.3
  
_ZN4CTPP12CTPP2GetText11SetLanguageERNS_14SyscallFactoryERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE@Base
 2.8.3
- (arch=!amd64 !i386 !ia64 !powerpcspe 
!s390)_ZN4CTPP12CTPP2GetText12CTPP2CatalogD1Ev@Base 2.8.3
- (arch=!amd64 !i386 !ia64 !powerpcspe 
!s390)_ZN4CTPP12CTPP2GetText12CTPP2CatalogD2Ev@Base 2.8.3
+#MISSING: 2.8.3-19+b1# (arch=!amd64 !i386 !ia64 !powerpcspe 
!s390)_ZN4CTPP12CTPP2GetText12CTPP2CatalogD1Ev@Base 2.8.3
+#MISSING: 2.8.3-19+b1# (arch=!amd64 !i386 !ia64 !powerpcspe 
!s390)_ZN4CTPP12CTPP2GetText12CTPP2CatalogD2Ev@Base 2.8.3
  (arch=armel armhf hppa hurd-i386 i386 kfreebsd-i386 mips mipsel powerpc 
x32)_ZN4CTPP12CTPP2GetText12IsLtOrGtExprERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEEj@Base
 2.8.3
  (arch=!armel !armhf !hppa !hurd-i386 !i386 !kfreebsd-i386 !mips !mipsel 
!powerpc 
!x32)_ZN4CTPP12CTPP2GetText12IsLtOrGtExprERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEEm@Base
 2.8.3
  (arch=armel armhf hppa hurd-i386 i386 kfreebsd-i386 mips mipsel powerpc 
x32)_ZN4CTPP12CTPP2GetText13IsTernaryExprERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEEj@Base
 2.8.3
@@ -1273,51 +1273,51 @@
  _ZNK4CTPP9FnVersion7GetNameEv@Base 2.8.3
  _ZNK4CTPP9HashTable3GetEPKcj@Base 2.8.3
  _ZNK4CTPP9HashTable4SizeEv@Base 2.8.3
- (arch=!amd64 
!i386)_ZNSt3mapINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEEN4CTPP12CTPP2GetText12CTPP2CatalogESt4lessIS5_ESaISt4pairIKS5_S8_EEEixERSC_@Base
 2.8.3
- (arch=!amd64 
!i386)_ZNSt3mapINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES_IS5_N4CTPP12CTPP2GetText12CTPP2CatalogESt4lessIS5_ESaISt4pairIKS5_S8_EEESA_SaISB_ISC_SF_EEEixERSC_@Base
 2.8.3
+#MISSING: 2.8.3-19+b1# (arch=!amd64 
!i386)_ZNSt3mapINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEEN4CTPP12CTPP2GetText12CTPP2CatalogESt4lessIS5_ESaISt4pairIKS5_S8_EEEixERSC_@Base
 2.8.3
+#MISSING: 2.8.3-19+b1# (arch=!amd64 
!i386)_ZNSt3mapINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES_IS5_N4CTPP12CTPP2GetText12CTPP2CatalogESt4lessIS5_ESaISt4pairIKS5_S8_EEESA_SaISB_ISC_SF_EEEixERSC_@Base
 2.8.3
  (optional=templinst|arch=!amd64 !arm64 !armel !armhf !hppa !hurd-i386 !i386 
!kfreebsd-amd64 !kfreebsd-i386 !mips !mipsel !powerpc !ppc64 !ppc64el !s390x 
!x32)_ZNSt3mapISsS_ISsN4CTPP12CTPP2GetText12CTPP2CatalogESt4lessISsESaISt4pairIKSsS2_EEES4_SaIS5_IS6_S9_EEEixERS6_@Base
 2.8.3
  (optional=templinst|arch=ia64 powerpcspe 
s390)_ZNSt3mapISsSsSt4lessISsESaISt4pairIKSsSsEEEixERS3_@Base 2.8.3
  (optional=templinst|arch=ia64 powerpcspe 
s390)_ZNSt3mapISsjSt4lessISsESaISt4pairIKSsjEEEixERS3_@Base 2.8.3
- (arch=!amd64 
!i386)_ZNSt4pairIKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEEN4CTPP12CTPP2GetText12CTPP2CatalogEED1Ev@Base
 2.8.3
- (arch=!amd64 
!i386)_ZNSt4pairIKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEEN4CTPP12CTPP2GetText12CTPP2CatalogEED2Ev@Base
 2.8.3
- (arch=!amd64 
!i386)_ZNSt4pairIKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEEN4CTPP3CDTEED1Ev@Base
 2.8.3
- (arch=!amd64 
!i386)_ZNSt4pairIKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEEN4CTPP3CDTEED2Ev@Base
 2.8.3
- (arch=!amd64 
!i386)_ZNSt4pairIKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES5_ED1Ev@Base
 2.8.3
- (arch=!amd64 
!i386)_ZNSt4pairIKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES5_ED2Ev@Base
 2.8.3
- (arch=!amd64 
!i386)_ZNSt4pairIKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEESt3mapIS5_N4CTPP12CTPP2GetText12CTPP2CatalogESt4lessIS5_ESaIS_IS6_SA_D1Ev@Base
 2.8.3
- (arch=!amd64 

Bug#856162: ctpp2 FTBFS on !i386/amd64: missing symbols

[Vasudev Kamath]

Hi Adrian,

John Paul Adrian Glaubitz  writes:

> control: tags -1 patch
>
> Hi!
>
> Attaching a debdiff for an NMU with the updated symbols for all architectures.
>
> I used the helper scripts from the pkg-kde-tools package to update the symbols
> file from the build logs from the buildds.
>
> I can upload the package to DELAY/5 if that's ok.

Thanks for the offer, I had already prepared the fix. I uploaded it and
have raised the unblock request.

Cheers,
Vasudev

Bug#856215: cdebootstrap: since SHA1 removal from Release file, only MD5sums are used

[Steven Chamberlain]

Source: cdebootstrap
Version: 0.5.8
Severity: grave
Tags: security stretch sid
X-Debbugs-Cc: secur...@debian.org
User: debian-rele...@lists.debian.org
Usertags: bsp-2017-02-de-Berlin

Hi,

The current Debian 'testing' release - the upcoming 'stretch' release
candidate - removed the SHA1 sums from the Release file.  That was
intended to deprecate it in favour of SHA256.  An unintended consequence
is that cdebootstrap, when SHA1 sums are unavailable, falls back to
using only the MD5Sum field instead:

http://sources.debian.net/src/cdebootstrap/0.7.6/src/check.c/#L79

  if (item->sum[1])
return check_sum (target, "sha1sum", item->sum[1], buf_name);
  if (item->sum[0])
return check_sum (target, "md5sum", item->sum[0], buf_name);

Further context and an overview of related bugs will be published at:
https://wiki.debian.org/InstallerDebacle

Thanks,
Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org


signature.asc
Description: Digital signature

Bug#856213: cdebootstrap: SHA1 verification truncates hash from 160 to 128 bits

[Steven Chamberlain]

Source: cdebootstrap
Version: 0.5.8
Severity: grave
Tags: security
X-Debbugs-Cc: secur...@debian.org
User: debian-rele...@lists.debian.org
Usertags: bsp-2017-02-de-Berlin
Control: block 856212 by -1

Hi,

cdebootstrap implemented in version 0.5.8 (2011) verification of the
Packages files using the SHA1 field of the Release file. That first
featured in the installer of the 'wheezy' release (2013).

But whereas md5sum yields a 32-byte hex string, sha1sum yields a 40-byte
hex string. cdebootstrap did not consider this, and so it would only
compare the first 32 bytes of the hex string against the expected value
(effectively truncating the SHA1 hash from 160 to only 128 bits): 

http://sources.debian.net/src/cdebootstrap/0.7.6/src/check.c/#L54

if (item->sum[1])
  return check_sum (target, "sha256sum", item->sum[1], buf_name);
...
if (!strncmp (buf, sum, 32))

Further context and an overview of related bugs will be published at:
https://wiki.debian.org/InstallerDebacle

Thanks,
Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org


signature.asc
Description: Digital signature

Processed: cdebootstrap: SHA1 verification truncates hash from 160 to 128 bits

[Debian Bug Tracking System]

Processing control commands:

> block 856212 by -1
Bug #856212 [src:cdebootstrap] cdebootstrap: please implement SHA256 
verification of .deb files
856212 was blocked by: 856210
856212 was not blocking any bugs.
Added blocking bug(s) of 856212: 856213

-- 
856212: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856212
856213: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856213
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#855932: sugar-physics-activity: diff for NMU version 7+dfsg-1.3

[Tomasz Buchert]

Control: tags 855932 + patch
Control: tags 855932 + pending

Dear maintainer,

I've prepared an NMU for sugar-physics-activity (versioned as 7+dfsg-1.3) and
*wanted* to upload it to DELAYED/3, but since I've put it after the .changes 
file,
it got uploaded immediately. Sorry for that...

I'll ask the release team to unblock this.

Regards,
Tomasz
diff -Nru sugar-physics-activity-7+dfsg/debian/changelog sugar-physics-activity-7+dfsg/debian/changelog
--- sugar-physics-activity-7+dfsg/debian/changelog	2013-07-09 20:21:10.0 +0200
+++ sugar-physics-activity-7+dfsg/debian/changelog	2017-02-26 17:27:37.0 +0100
@@ -1,3 +1,10 @@
+sugar-physics-activity (7+dfsg-1.3) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * d/control: remove non-existing alternatives (Closes: #855932)
+
+ -- Tomasz Buchert   Sun, 26 Feb 2017 17:27:37 +0100
+
 sugar-physics-activity (7+dfsg-1.2) unstable; urgency=low
 
   * Non-maintainer upload.
diff -Nru sugar-physics-activity-7+dfsg/debian/control sugar-physics-activity-7+dfsg/debian/control
--- sugar-physics-activity-7+dfsg/debian/control	2013-07-09 20:21:10.0 +0200
+++ sugar-physics-activity-7+dfsg/debian/control	2017-02-26 17:26:45.0 +0100
@@ -8,8 +8,8 @@
  debhelper (>= 7.0.1),
  cdbs (>= 0.4.90~),
  python (>= 2.6.6-3~),
- python-sugar-0.88 | python-sugar,
- python-sugar-toolkit-0.88 | python-sugar-toolkit,
+ python-sugar,
+ python-sugar-toolkit,
  unzip
 Standards-Version: 3.9.1
 Homepage: http://wiki.sugarlabs.org/go/Activities/Physics

Processed: sugar-physics-activity: diff for NMU version 7+dfsg-1.3

[Debian Bug Tracking System]

Processing control commands:

> tags 855932 + patch
Bug #855932 [src:sugar-physics-activity] sugar-physics-activity: FTBFS: 
unsatisfiable build-dependencies: python-sugar-0.88, python-sugar-toolkit-0.88
Added tag(s) patch.
> tags 855932 + pending
Bug #855932 [src:sugar-physics-activity] sugar-physics-activity: FTBFS: 
unsatisfiable build-dependencies: python-sugar-0.88, python-sugar-toolkit-0.88
Added tag(s) pending.

-- 
855932: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855932
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#856212: cdebootstrap: please implement SHA256 verification of .deb files

[Steven Chamberlain]

Source: cdebootstrap
Version: 0.7.6
Severity: grave
Tags: security
X-Debbugs-Cc: secur...@debian.org
User: debian-rele...@lists.debian.org
Usertags: bsp-2017-02-de-Berlin
Control: block -1 by 856210

Hi,

To date, cdebootstrap still only implements MD5 verification of .deb
files, despite its formal deprecation as a digital signature algorithm
by RFC6151 (2011) and recommendations of academic literature years
prior.

The files are typically downloaded via insecure HTTP transport, so the
checksum verification is critical for the security of the installed
system.  stretch is expected to be a supported release until 2022.  So
I'm tentatively filing this bug as RC-severity.

Further context and an overview of related bugs will be published at:
https://wiki.debian.org/InstallerDebacle

Thanks,
Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org


signature.asc
Description: Digital signature

Processed: anna: please implement SHA256 verification of .udeb files

[Debian Bug Tracking System]

Processing control commands:

> block -1 by 856210
Bug #856211 [src:anna] anna: please implement SHA256 verification of .udeb files
856211 was not blocked by any bugs.
856211 was not blocking any bugs.
Added blocking bug(s) of 856211: 856210

-- 
856211: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856211
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#856211: anna: please implement SHA256 verification of .udeb files

[Steven Chamberlain]

Source: anna
Version: 1.57
Severity: grave
Tags: security
X-Debbugs-Cc: secur...@debian.org
User: debian-rele...@lists.debian.org
Usertags: bsp-2017-02-de-Berlin
Control: block -1 by 856210

Hi,

To date, anna still only implements MD5 verification of .udeb files,
despite its formal deprecation as a digital signature algorithm by
RFC6151 (2011) and recommendations of academic literature years prior.

The files are typically downloaded via insecure HTTP transport, so the
checksum verification is critical for the security of the installed
system.  stretch is expected to be a supported release until 2022.  So
I'm tentatively filing this bug as RC-severity.

Further context and an overview of related bugs will be published at:
https://wiki.debian.org/InstallerDebacle

Thanks,
Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org


signature.asc
Description: Digital signature

Processed: cdebootstrap: please implement SHA256 verification of .deb files

[Debian Bug Tracking System]

Processing control commands:

> block -1 by 856210
Bug #856212 [src:cdebootstrap] cdebootstrap: please implement SHA256 
verification of .deb files
856212 was not blocked by any bugs.
856212 was not blocking any bugs.
Added blocking bug(s) of 856212: 856210

-- 
856212: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856212
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#855932: sugar-physics-activity: FTBFS: unsatisfiable build-dependencies: python-sugar-0.88, python-sugar-toolkit-0.88

[Tomasz Buchert]

On 26/02/17 17:02, Sascha Steinbiss wrote:
> [...]

I can reproduce this with my sbuild config. Note that according to
"man sbuild" the default dep-resolver is "apt" which always takes the
first alternative. I can build successfully with
"--build-dep-resolver=aptitude", just like Sascha did.

The best solution is to simply remove the first alternative that is
causing troubles and we are good to go. Let me prepare an NMU.

Tomasz


signature.asc
Description: PGP signature

Bug#856210: libdebian-installer: please parse SHA256 field and add it to di_* structs

[Steven Chamberlain]

Source: libdebian-installer
Version: 0.108
Severity: serious
Tags: security
X-Debbugs-Cc: secur...@debian.org
User: debian-rele...@lists.debian.org
Usertags: bsp-2017-02-de-Berlin

Hi,

The 'etch' release (2007) added to the Release file, a field for SHA256
sums to authenticate Packages files.  But to date, libdebian-installer
does not parse it, so anna (which fetches .udeb installer component) and
cdebootstrap (which fetches .deb base system packages) can not yet
verify the SHA256 sums.

http://sources.debian.net/src/libdebian-installer/0.108/include/debian-installer/release.h/#L43
http://sources.debian.net/src/libdebian-installer/0.108/include/debian-installer/release.h/#L58
http://sources.debian.net/src/libdebian-installer/0.108/include/debian-installer/package.h/#L115

Further context and an overview of related bugs will be published at:
https://wiki.debian.org/InstallerDebacle

This bug is not itself RC, but it will be a blocking issue for RC bugs
I'm about to file.

I intend to submit a patch for this shortly.

Thanks,
Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org


signature.asc
Description: Digital signature

Bug#856146: marked as done (broken: missing dependencies)

[Debian Bug Tracking System]

Your message dated Sun, 26 Feb 2017 16:20:26 +
with message-id 
and subject line Bug#856146: fixed in webcamoid 7.2.1+dfsg1-5
has caused the Debian Bug report #856146,
regarding broken: missing dependencies
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
856146: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856146
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: webcamoid
Version: 7.2.1+dfsg1-4
Severity: grave
Justification: renders package unusable

When I try to start webcamoid, nothing happens. Running it from a
terminal, I get this:

$ webcamoid
QQmlApplicationEngine failed to load component
qrc:/Webcamoid/share/qml/main.qml:252 Type MediaBar unavailable
qrc:/Webcamoid/share/qml/MediaBar.qml:138 Type AddMedia unavailable
qrc:/Webcamoid/share/qml/AddMedia.qml:148 Type FileDialog unavailable
qrc:/QtQuick/Dialogs/DefaultFileDialog.qml:48 module "Qt.labs.settings" is not 
installed
qrc:/QtQuick/Dialogs/DefaultFileDialog.qml:47 module "Qt.labs.folderlistmodel" 
is not installed
qrc:/QtQuick/Dialogs/DefaultFileDialog.qml:48 module "Qt.labs.settings" is not 
installed
qrc:/QtQuick/Dialogs/DefaultFileDialog.qml:47 module "Qt.labs.folderlistmodel" 
is not installed

Installing qml-module-qt-labs-folderlistmodel and qml-module-qt-labs-settings
makes it work.


-- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages webcamoid depends on:
ii  akqml7.2.1+dfsg1-4
ii  libavkys77.2.1+dfsg1-4
ii  libc62.24-9
ii  libgcc1  1:6.3.0-8
ii  libqt5core5a 5.7.1+dfsg-3+b1
ii  libqt5gui5   5.7.1+dfsg-3+b1
ii  libqt5opengl55.7.1+dfsg-3+b1
ii  libqt5qml5   5.7.1-2
ii  libqt5quick5 5.7.1-2
ii  libqt5widgets5   5.7.1+dfsg-3+b1
ii  libstdc++6   6.3.0-8
ii  qml-module-qtquick-controls  5.7.1~20161021-2
ii  qml-module-qtquick-dialogs   5.7.1~20161021-2
ii  qml-module-qtquick-layouts   5.7.1-2
ii  qml-module-qtquick-window2   5.7.1-2
ii  webcamoid-data   7.2.1+dfsg1-4
ii  webcamoid-plugins7.2.1+dfsg1-4

webcamoid recommends no packages.

webcamoid suggests no packages.

-- no debconf information


signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: webcamoid
Source-Version: 7.2.1+dfsg1-5

We believe that the bug you reported is fixed in the latest version of
webcamoid, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 856...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Herbert Parentes Fortes Neto  (supplier of updated webcamoid 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sun, 26 Feb 2017 12:28:31 -0300
Source: webcamoid
Binary: webcamoid libavkys7 libavkys-dev webcamoid-plugins akqml webcamoid-data
Architecture: source amd64 all
Version: 7.2.1+dfsg1-5
Distribution: unstable
Urgency: medium
Maintainer: Herbert Parentes Fortes Neto 
Changed-By: Herbert Parentes Fortes Neto 
Description:
 akqml  - full featured webcam capture application - qml module
 libavkys-dev - full featured webcam capture application - dev
 libavkys7  - full featured webcam capture application - library
 webcamoid  - full featured webcam capture application
 webcamoid-data - icons and locale files for webcamoid
 webcamoid-plugins - full featured webcam capture application - plugins
Closes: 856146
Changes:
 webcamoid (7.2.1+dfsg1-5) unstable; urgency=medium
 .
   * debian/control:
   - Add to webcamoid 'Depends':
   - qml-module-qt-labs-folderlistmodel
   - 

Bug#788769: marked as done (entangle: FTBFS without networking: relax-ng: failed to load external entity [..] mallard-1.0.rng)

[Florian Schlichting]

Control: tags -1 +patch

Hi Michael, Berlin BSP here.

Given that it's too late now to get a mallard-rng package into Stretch,
I suggest to ship the mallard-1.0.rng file as part of the yelp-tools
package for now (e.g. as /usr/share/yelp-tools/mallard/mallard-1.0.rng)
and simply use that as relaxng schema in yelp-check:

--- a/tools/yelp-check.in
+++ b/tools/yelp-check.in
@@ -931,46 +931,9 @@
 }
.
 yelp_validate_page () {
-# Using temp files because pipes create subshells, making it really
-# hard to return the right exit status in a portable way.
-if [ "x$check_rng_dir" = "x" ]; then
-check_rng_dir=`mktemp -d "${TMPDIR:-/tmp}"/yelp-`
-fi
 check_out_file=`mktemp "${TMPDIR:-/tmp}"/yelp-`
-check_rng_file=`(
-echo ''
-echo ''
-echo ''
-echo ''
-echo ''
-echo ''
-echo ''
-echo ''
-echo 'cache/1.0 1.0'
-echo ''
-echo ''
-echo '1.0'
-echo ''
-echo ''
-echo ''
-echo ''
-) | xsltproc - "$1"`
-check_rng_file=`urlencode "$check_rng_file" /`.rng
-if [ ! -f "$check_rng_dir/$check_rng_file" ]; then
-# If we've already made an RNG file for this version string, don't
-# do it again. We've urlencoded the file name + slashes, because
-# version strings often contain slashes. But xsltproc treats the
-# -o option as a URL and urldecodes, so doubly urlencode, because
-# we want the urlencoded string to be the on-disk name.
-xsltproc -o "$check_rng_dir/"`urlencode "$check_rng_file"` \
---param rng.strict "$check_strict" \
---stringparam rng.strict.allow "$check_strict_allow" \
-"$xsl_mal_rng" "$1"
-fi
-xmllint --noout --xinclude --noent --relaxng 
"$check_rng_dir/$check_rng_file" "$1" > "$check_out_file" 2>&1
+check_rng_file="/usr/share/yelp-tools/mallard/mallard-1.0.rng"
+xmllint --noout --xinclude --noent --relaxng "$check_rng_file" "$1" > 
"$check_out_file" 2>&1
 ret="$?"
 cat "$check_out_file" | grep -v 'validates$'
 rm "$check_out_file"


Do you want me to prepare an NMU or would you prefer to validate or
improve upon the fix in some way?

Florian

Processed: Re: Bug#788769: marked as done (entangle: FTBFS without networking: relax-ng: failed to load external entity [..] mallard-1.0.rng)

[Debian Bug Tracking System]

Processing control commands:

> tags -1 +patch
Bug #788769 [yelp-tools] yelp-check validate fails without networking: 
relax-ng: failed to load external entity [..] mallard-1.0.rng
Added tag(s) patch.

-- 
788769: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=788769
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems