Bug#930024: marked as done (neovim: CVE-2019-12735: Modelines allow arbitrary code execution)

[Debian Bug Tracking System]

Your message dated Thu, 27 Jun 2019 02:59:59 +
with message-id 
and subject line Bug#930024: fixed in neovim 0.3.4-3
has caused the Debian Bug report #930024,
regarding neovim: CVE-2019-12735: Modelines allow arbitrary code execution
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
930024: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930024
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: neovim
Severity: important
Tags: upstream

Dear Maintainer,

Neovim versions < 0.3.6 are subject to an Arbitrary Code Execution exploit via
modelines, as described in this blogpost:

https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-
neovim.md

Upgrading the Neovim package to >= 0.3.6 fixes this exploit.



-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
Source: neovim
Source-Version: 0.3.4-3

We believe that the bug you reported is fixed in the latest version of
neovim, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 930...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James McCoy  (supplier of updated neovim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Wed, 26 Jun 2019 21:21:33 -0400
Source: neovim
Architecture: source
Version: 0.3.4-3
Distribution: unstable
Urgency: high
Maintainer: Debian Vim Maintainers 
Changed-By: James McCoy 
Closes: 930024
Changes:
 neovim (0.3.4-3) unstable; urgency=high
 .
   * Backport additional changes to address CVE-2019-12735 (Closes: #930024)
 + vim-patch:8.1.0177: defining function in sandbox is inconsistent
 + vim-patch:8.1.0189: function defined in sandbox not tested
 + vim-patch:8.1.0538: evaluating a modeline might invoke using a shell
   command
 + vim-patch:8.1.0539: cannot build without the sandbox
 + vim-patch:8.1.0540: may evaluate insecure value when appending to option
 + vim-patch:8.1.0544: setting 'filetype' in a modeline causes an error
 + vim-patch:8.1.0613: when executing an insecure function the secure flag
   is stuck
 + vim-patch:8.1.1046: the "secure" variable is used inconsistently
 + vim-patch:8.1.0205: invalid memory access with invalid modeline
 + vim-patch:8.1.0206: duplicate test function name
 + vim-patch:8.1.0506: modeline test fails when run by root
 + vim-patch:8.1.0546: modeline test with keymap fails
 + vim-patch:8.1.0547: modeline test with keymap still fails
 + vim-patch:8.1.1366: using expressions in a modeline is unsafe
 + vim-patch:8.1.1367: can set 'modelineexpr' in modeline
 + vim-patch:8.1.1368: modeline test fails with python but without
   pythonhome
 + vim-patch:8.1.1382: error when editing test file
 + vim-patch:8.1.1401: misspelled mkspellmem as makespellmem
   * Backport patch to prevent use of nvim's API within the sandbox
Checksums-Sha1:
 2b469eb20f9c15a791f55f880b795fae43cb1e2a 2639 neovim_0.3.4-3.dsc
 92e3dc08924e1554fe78e592433b1b598f3b0296 26884 neovim_0.3.4-3.debian.tar.xz
 be038d319b0e6cbead906a4c39ba9db1b21cf5af 8218 neovim_0.3.4-3_amd64.buildinfo
Checksums-Sha256:
 317fddb847548883de032b71c8923e79ba03568e14285cd78077cf22ead8230a 2639 
neovim_0.3.4-3.dsc
 aea5b17551716f438a0a061c027850f0ec09b0b36cc0c37b4055703e06b4f9b6 26884 
neovim_0.3.4-3.debian.tar.xz
 b000ccded8321f145249b904bd199a4b294cabf6bbbded621eb0179ba6083e6a 8218 
neovim_0.3.4-3_amd64.buildinfo
Files:
 b7df3c0ff912856357144c08e3f7b5ca 2639 editors optional neovim_0.3.4-3.dsc
 381c3d4d41720d420dec4e0d8b71996f 26884 editors optional 
neovim_0.3.4-3.debian.tar.xz
 b9e96215f900b27e988793b8467b8587 8218 editors optional 
neovim_0.3.4-3_amd64.buildinfo

-BEGIN PGP SIGNATURE-

iQKSBAEBCgB9FiEEkb+/TWlWvV33ty0j3+aRrjMbo9sFAl0UIJtfFIAALgAo

Processed: tagging 929531

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tags 929531 + buster-ignore
Bug #929531 [grub-pc] grub-pc: grub2 fat_test fails with 4.19.0-5-amd64 kernel 
if one ensure it does not gets auto-skipped
Added tag(s) buster-ignore.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
929531: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929531
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#931140: lsat: probably obsolete

[Ivo De Decker]

package: lsat
severity: serious

Hi,

lsat claims to be a 'security auditor tool':

"The Linux Security Auditing Tool (LSAT) is a post install security auditor
for Linux/Unix. It checks many system configurations and local network
settings on the system for common security/config errors and for packages that
are not needed."

However, the last maintainer upload was in 2009, so I guess this package
probably cannot give any useful security information.

Ivo

Processed: Re: Bug#926539: rootskel: steal-ctty no longer works on at least sparc64

[Debian Bug Tracking System]

Processing control commands:

> reopen -1
Bug #926539 {Done: Ben Hutchings } [src:linux] rootskel: 
steal-ctty no longer works on at least sparc64
'reopen' may be inappropriate when a bug has been closed with a version;
all fixed versions will be cleared, and you may need to re-add them.
Bug reopened
No longer marked as fixed in versions linux/4.19.37-5.
> reassign -1 src:linux,rootskel
Bug #926539 [src:linux] rootskel: steal-ctty no longer works on at least sparc64
Bug reassigned from package 'src:linux' to 'src:linux,rootskel'.
Ignoring request to alter found versions of bug #926539 to the same values 
previously set
Ignoring request to alter fixed versions of bug #926539 to the same values 
previously set
> severity -1 serious
Bug #926539 [src:linux,rootskel] rootskel: steal-ctty no longer works on at 
least sparc64
Severity set to 'serious' from 'important'

-- 
926539: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926539
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#924657: console-setup | kbdnames-maker: Call `{bind,}textdomain` after switching locale (!2)

[Niko Tyni]

On Wed, Jun 26, 2019 at 11:23:28PM +0300, Niko Tyni wrote:
> clone 924657 -1
> reassign -1 perl 5.28.1-6
> severity -1 important
> retitle -1 perl: switching locales no longer invalidates gettext translation 
> cache
> thanks

Forgot that the BTS doesn't like clones of merged bugs.
I've filed #931139 instead.
-- 
Niko

Processed (with 4 errors): Re: console-setup | kbdnames-maker: Call `{bind,}textdomain` after switching locale (!2)

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> clone 924657 -1
Bug #924657 [keyboard-configuration] kbdnames are generated with incorrect 
translations
Bug #922604 [keyboard-configuration] all_kbdnames data structure corrupt
Failed to clone 924657: Bug is marked as being merged with others. Use an 
existing clone.

> reassign -1 perl 5.28.1-6
Failed to clear fixed versions and reopen on -1: The 'bug' parameter ("-1") to 
Debbugs::Control::set_package did not pass regex check
.

> severity -1 important
Failed to set severity of Bug -1 to important: The 'bug' parameter ("-1") to 
Debbugs::Control::set_severity did not pass regex check
.

> retitle -1 perl: switching locales no longer invalidates gettext translation 
> cache
Failed to set the title of -1: The 'bug' parameter ("-1") to 
Debbugs::Control::set_title did not pass regex check
.

> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#924657: console-setup | kbdnames-maker: Call `{bind,}textdomain` after switching locale (!2)

[Niko Tyni]

clone 924657 -1
reassign -1 perl 5.28.1-6
severity -1 important
retitle -1 perl: switching locales no longer invalidates gettext translation 
cache
thanks

On Wed, Jun 19, 2019 at 08:01:01PM +, Iain Lane wrote:
 
> Hi @MichaIng-guest - sorry, I've dropped the ball on this a bit. There's a 
> [corresponding Debian 
> bug](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924657) with some 
> discussion in it, but the status is that we're a bit stalled a the minute. I 
> agree that my proposal here in this MR is a workaround and maybe Perl should 
> do something about this itself (slightly less convinced that glibc can be 
> blamed since presumably this has always been the behaviour of `uselocale()`?).
> 
> For Buster should we go ahead with this workaround? I'm not very confident in 
> pushing on it myself alone but maybe between me, @intrigeri and @ntyni we 
> have enough bravery?

As I already noted on the bug, the workaround seems fine to me. I think
it should be used for Buster, but I don't have a chance to do anything
else about this right now. Sorry.

I'm cloning a bug against perl and will try to take it upstream later
when I find the time.
-- 
Niko Tyni   nt...@debian.org

Bug#931097: unattended-upgrades: InvalidURL(f"URL can't contain control characters. {url!r} "

[Markus Koschany]

Hello,

Am 26.06.19 um 09:59 schrieb duncanwebb:
> Package: unattended-upgrades
> Version: 0.83.3.2+deb8u1
> Severity: serious
> Justification: normal
> 
> Dear Maintainer,
> 
> Jessie uses python 3.4 and python 3.4 does not support f"" strings
> 
> So now unattended upgrades no longer performs security upgrades.

[...]

Thank you for reporting this issue. We have corrected this problem with
the upload of python3.4 version 3.4.2-1+deb8u4 yesterday. Unfortunately
a manual upgrade is required, afterwards unattended-upgrades will
continue to work again as intended.

Regards,

Markus



signature.asc
Description: OpenPGP digital signature

Bug#929527: [pkg-netfilter-team] Bug#929527: Bug#929527: Bug#914694

[Arturo Borrero Gonzalez]

Control: severity -1 important

On 6/26/19 2:28 PM, Thomas Lamprecht wrote:
> 
> Hmm, but that's a grave issue which may just render the firewall void
> for _any_ intermediate chain and produces segmentation faults errors.
> 

The issue you found is not a general-case issue.
The segfault is only produced apparently if you:

* define a custom chain
* flush all rules of that custom chain (not required, because the chain was just
created)
* add a rule to that custom chain

all in the same batch.

I may understand that this is important for some scripts or robots making use of
the iptables interface in that particular way, but is not the general case of
how people define and add rules to custom chain/ruleset.
Because of this, I think we should lower the severity of this bug.

I understand is annoying in your use case, and I'm sorry for that.
Thankfully, we already have an iptables version fixing the issue, but
unfortunately it won't make it to Debian Buster in the first round as I already
explained in my previous email.

> How about a minimal patch which places higher update-alternative priority
> to the the -legacy parts of iptables so that the alternative currently
> working in Buster is used by default. Once the fixed nft based is rolled
> out the priorities could then be switched again (or if that cannot be done
> for a stable release, in Bullseye).
> 

No, sorry, we won't do this at this point.

Processed: Re: [pkg-netfilter-team] Bug#929527: Bug#929527: Bug#914694

[Debian Bug Tracking System]

Processing control commands:

> severity -1 important
Bug #929527 [iptables] /usr/sbin/xtables-nft-multi: restoring IP Tables with an 
self-defined chain segfaults in libnftnl.so
Severity set to 'important' from 'grave'

-- 
929527: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929527
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#929527: [pkg-netfilter-team] Bug#929527: Bug#914694

[Thomas Lamprecht]

On 6/26/19 2:14 PM, Arturo Borrero Gonzalez wrote:
> On 6/25/19 10:25 AM, Thomas Lamprecht wrote:
>> Don't want to nag to much but is there any news regarding this?
>> Buster is planned to release pretty soon (<2 weeks) and iptables
>> is quite a important package, IMO. Maybe it went under my radar
>> but I saw no unblock request on d.o release list.
>>
>> For now I just used update-alternative to use the legacy variants,
>> which work fine here, but if my understanding is correct then this
>> package (version?) could be thrown out of Buster if it still has RC
>> bug so close to the planned release, I mean iptables may be an
>> exception as it's quite relevant and still used by a lot but still.
>>
> 
> The last upstream release of iptables won't make it into Debian Buster at this
> point.
> 
> Once buster is released I will:
> 
> * provide uptodate package backports of newer upstream releases in
> buster-backports (for both iptables and nftables)
> * for important bugs, I would try backporting concrete patches to the version 
> in
> buster-stable.
> 
> 

Hmm, but that's a grave issue which may just render the firewall void
for _any_ intermediate chain and produces segmentation faults errors.

How about a minimal patch which places higher update-alternative priority
to the the -legacy parts of iptables so that the alternative currently
working in Buster is used by default. Once the fixed nft based is rolled
out the priorities could then be switched again (or if that cannot be done
for a stable release, in Bullseye).

Bug#929527: [pkg-netfilter-team] Bug#929527: Bug#914694

[Arturo Borrero Gonzalez]

On 6/25/19 10:25 AM, Thomas Lamprecht wrote:
> Don't want to nag to much but is there any news regarding this?
> Buster is planned to release pretty soon (<2 weeks) and iptables
> is quite a important package, IMO. Maybe it went under my radar
> but I saw no unblock request on d.o release list.
> 
> For now I just used update-alternative to use the legacy variants,
> which work fine here, but if my understanding is correct then this
> package (version?) could be thrown out of Buster if it still has RC
> bug so close to the planned release, I mean iptables may be an
> exception as it's quite relevant and still used by a lot but still.
> 

The last upstream release of iptables won't make it into Debian Buster at this
point.

Once buster is released I will:

* provide uptodate package backports of newer upstream releases in
buster-backports (for both iptables and nftables)
* for important bugs, I would try backporting concrete patches to the version in
buster-stable.

Bug#931066: Info

[MaXaMaR]

Baremetal linux distributions also don’t work with modeset, just hang & 
shutdown, livecds too.

Processed: found 904297 in 1.0.8-1.2, affects 884264, found 857954 in 2:1.02.155-3, found 883820 in 6.0.1-10 ...

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> found 904297 1.0.8-1.2
Bug #904297 [dms-core] dms-core: fails to install: calls /etc/init.d/procps 
incorrectly
Marked as found in versions dms/1.0.8-1.2.
> affects 884264 + fusionforge-plugin-moinmoin fusionforge-plugin-scmgit 
> fusionforge-plugin-scmsvn
Bug #884264 [fusionforge-web] fusionforge-web: fails to install: 
/usr/share/fusionforge/post-install.d/web/web.sh: line 126: 
/etc/httpd/conf.modules.d/00-macro.conf: No such file or directory
Added indication that 884264 affects fusionforge-plugin-moinmoin, 
fusionforge-plugin-scmgit, and fusionforge-plugin-scmsvn
> found 857954 2:1.02.155-3
Bug #857954 [libdevmapper-dev] libdevmapper-dev: broken symlink: 
/usr/lib//libdevmapper-event-lvm2.so -> 
/lib//libdevmapper-event-lvm2.so.2.02
Marked as found in versions lvm2/2.03.02-3.
> found 883820 6.0.1-10
Bug #883820 [scilab-cli] scilab-cli: broken symlink: 
/usr/share/man/man1/scilab-cli.1.gz -> scilab.1.gz
Marked as found in versions scilab/6.0.1-10.
> found 857215 7.5.0+dfsg-3
Bug #857215 [heimdal-multidev] heimdal-multidev: broken symlink: 
/usr/lib//heimdal/windc.so -> ../windc.so.0.0.0
Marked as found in versions heimdal/7.5.0+dfsg-3.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
857215: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857215
857954: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857954
883820: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883820
884264: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884264
904297: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904297
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: Bug#931097: unattended-upgrades: InvalidURL(f"URL can't contain control characters. {url!r} "

[Debian Bug Tracking System]

Processing control commands:

> tags -1 moreinfo unreproducible
Bug #931097 {Done: Salvatore Bonaccorso } [python3.4] 
unattended-upgrades: InvalidURL(f"URL can't contain control characters. {url!r} 
"
Bug #931044 {Done: Salvatore Bonaccorso } [python3.4] 
installing python3.4 fails
Bug #931057 {Done: Salvatore Bonaccorso } [python3.4] 
python3: Error while upgrading python3.4
Ignoring request to alter tags of bug #931097 to the same tags previously set
Ignoring request to alter tags of bug #931044 to the same tags previously set
Ignoring request to alter tags of bug #931057 to the same tags previously set

-- 
931044: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931044
931057: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931057
931097: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931097
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#931097: unattended-upgrades: InvalidURL(f"URL can't contain control characters. {url!r} "

[Bálint Réczey]

Control: tags -1 moreinfo unreproducible

Hi,

duncanwebb  ezt írta (időpont: 2019. jún.
26., Sze, 10:05):
>
> Package: unattended-upgrades
> Version: 0.83.3.2+deb8u1
> Severity: serious
> Justification: normal
>
> Dear Maintainer,
>
> Jessie uses python 3.4 and python 3.4 does not support f"" strings
>
> So now unattended upgrades no longer performs security upgrades.
>
> /etc/cron.daily/apt:
> Traceback (most recent call last):
>   File "/usr/bin/unattended-upgrade", line 55, in 
> import apt
>   File "/usr/lib/python3/dist-packages/apt/__init__.py", line 26, in 
> from apt.package import Package
>   File "/usr/lib/python3/dist-packages/apt/package.py", line 32, in 
> from http.client import BadStatusLine
>   File "/usr/lib/python3.4/http/client.py", line 1014
> raise InvalidURL(f"URL can't contain control characters. {url!r} "
>  ^
> SyntaxError: invalid syntax
>
> The problem is in the file /usr/lib/python3.4/http/client.py, changing (f"URL 
> to ("URL will
> will allow unattended-upgrades to work again but doesn't do what is intended.

Seems to be working for me:

root@j:~# unattended-upgrade --dry-run --verbose
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: ['origin=Debian,codename=jessie,label=Debian-Security']
No packages found that can be upgraded unattended
root@j:~# dpkg -l unattended-upgrades
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version
  ArchitectureDescription
+++--===-===-=
ii  unattended-upgrades
0.83.3.2+deb8u1 all
automatic installation of security upgrades

>
> -- System Information:
> Debian Release: 8.10
>   APT prefers oldstable
>   APT policy: (500, 'oldstable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.9.0-0.bpo.5-amd64 (SMP w/32 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages unattended-upgrades depends on:
> ii  apt1.0.9.8.5
> ii  apt-utils  1.0.9.8.5
> ii  debconf [debconf-2.0]  1.5.56+deb8u1
> ii  init-system-helpers1.22
> ii  lsb-base   4.1+Debian13+nmu1
> ii  lsb-release4.1+Debian13+nmu1
> ii  python33.4.2-2

root@j:~# dpkg -l python3.4
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version
  ArchitectureDescription
+++--===-===-=
ii  python3.4
3.4.2-1+deb8u4  amd64
Interactive high-level object-oriented language (version 3.4)

Your python3.4 version seem to be newer than mine. Probably it
introduced a regression.
Please seek for help at the source of this package.

Cheers,
Balint

> ii  python3-apt0.9.3.12
> ii  ucf3.0030
> ii  xz-utils   5.1.1alpha+20120614-2+b3
>
> unattended-upgrades recommends no packages.
>
> Versions of packages unattended-upgrades suggests:
> ii  bsd-mailx  8.1.2-0.20141216cvs-2
> ii  exim4-daemon-light [mail-transport-agent]  4.84.2-2+deb8u5
>
> -- debconf-show failed
>

Processed: Re: Bug#931097: unattended-upgrades: InvalidURL(f"URL can't contain control characters. {url!r} "

[Debian Bug Tracking System]

Processing control commands:

> tags -1 moreinfo unreproducible
Bug #931097 {Done: Salvatore Bonaccorso } [python3.4] 
unattended-upgrades: InvalidURL(f"URL can't contain control characters. {url!r} 
"
Bug #931044 {Done: Salvatore Bonaccorso } [python3.4] 
installing python3.4 fails
Bug #931057 {Done: Salvatore Bonaccorso } [python3.4] 
python3: Error while upgrading python3.4
Added tag(s) moreinfo and unreproducible.
Added tag(s) moreinfo and unreproducible.
Added tag(s) moreinfo and unreproducible.

-- 
931044: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931044
931057: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931057
931097: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931097
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#931106: flang-7: fails to remove: rm: cannot remove '/usr/lib/x86_64-linux-gnu/fortran/': Is a directory

[Andreas Beckmann]

Package: flang-7
Version: 20190329-1
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package fails to remove.

>From the attached log (scroll to the bottom...):

  Removing flang-7 (20190329-1) ...
  rm: cannot remove '/usr/lib/x86_64-linux-gnu/fortran/': Is a directory
  dpkg: error processing package flang-7 (--remove):
   installed flang-7 package post-removal script subprocess returned error exit 
status 1


cheers,

Andreas


flang-7_20190329-1.log.gz
Description: application/gzip

Bug#931104: openvswitch-common: Wrong dependency on python-six

[Benjamin Drung]

Package: openvswitch-common
Version: 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12
Severity: grave

Hi,

openvswitch-common correctly depends on python3, because it ships
scripts written in Python 3:

```
# file /usr/bin/ov* | grep python
/usr/bin/ovn-detrace:a /usr/bin/python3 script, ASCII text 
executable
/usr/bin/ovn-docker-overlay-driver:  a /usr/bin/python3 script, ASCII text 
executable
/usr/bin/ovn-docker-underlay-driver: a /usr/bin/python3 script, ASCII text 
executable
/usr/bin/ovs-dpctl-top:  a /usr/bin/python3 script, ASCII text 
executable
/usr/bin/ovs-l3ping: a /usr/bin/python3 script, ASCII text 
executable
/usr/bin/ovs-parse-backtrace:a /usr/bin/python3 script, ASCII text 
executable
/usr/bin/ovs-pcap:   a /usr/bin/python3 script, ASCII text 
executable
/usr/bin/ovs-tcpdump:a /usr/bin/python3 script, ASCII text 
executable
/usr/bin/ovs-tcpundump:  a /usr/bin/python3 script, ASCII text 
executable
/usr/bin/ovs-test:   a /usr/bin/python3 script, ASCII text 
executable
/usr/bin/ovs-vlan-test:  a /usr/bin/python3 script, ASCII text 
executable
```

But openvswitch-common depends on python-six (pulling in Python 2) instead of
python3-six. Following script import six and will fail if python3-six is
missing:

```
# grep "from six" $(file /usr/bin/ov* | grep python | sed 's/:.*//') 
/usr/bin/ovs-l3ping:from six.moves import xmlrpc_client as xmlrpclib
/usr/bin/ovs-test:from six.moves import xmlrpc_client as xmlrpclib
/usr/bin/ovs-vlan-test:from six.moves import BaseHTTPServer
/usr/bin/ovs-vlan-test:from six.moves import http_client as httplib
```

This can be easily reproduced in a minimal Debian chroot:

```
# ovs-l3ping
Traceback (most recent call last):
  File "/usr/bin/ovs-l3ping", line 24, in 
from six.moves import xmlrpc_client as xmlrpclib
ModuleNotFoundError: No module named 'six'
```

-- 
Benjamin Drung
System Developer
Debian & Ubuntu Developer

1&1 IONOS Cloud GmbH | Greifswalder Str. 207 | 10405 Berlin | Germany
E-mail: benjamin.dr...@cloud.ionos.com | Web: www.ionos.de

Head Office: Berlin, Germany
District Court Berlin Charlottenburg, Registration number: HRB 125506 B
Executive Management: Christoph Steffens, Matthias Steinberg, Achim Weiss

Member of United Internet

Bug#931066: Info

[MaXaMaR]

After memcpy replace (just in radeonsi_dri and some other places):

maxamar@ubuntu:/var/log$ cat Xorg.0.log
[69.599]
X.Org X Server 1.20.4
X Protocol Version 11, Revision 0
[69.599] Build Operating System: Linux 4.4.0-143-generic x86_64 Ubuntu
[69.599] Current Operating System: Linux ubuntu 5.0.0-19-generic #20-Ubuntu 
SMP Wed Jun 19 17:04:04 UTC 2019 x86_64
[69.599] Kernel command line: BOOT_IMAGE=/vmlinuz-5.0.0-19-generic 
root=UUID=dd5bf364-43c0-4d36-908a-dc9b663ac1a4 ro amdgpu.dc=0 
amdgpu.si_support=1
[69.599] Build Date: 03 April 2019  09:03:57AM
[69.599] xorg-server 2:1.20.4-1ubuntu3 (For technical support please see 
http://www.ubuntu.com/support)
[69.599] Current version of pixman: 0.36.0
[69.599]Before reporting problems, check http://wiki.x.org
to make sure that you have the latest version.
[69.599] Markers: (--) probed, (**) from config file, (==) default setting,
(++) from command line, (!!) notice, (II) informational,
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
[69.599] (==) Log file: "/var/log/Xorg.0.log", Time: Wed Jun 26 11:15:08 
2019
[69.599] (++) Using config file: "/root/xorg.conf.new"
[69.599] (==) Using system config directory "/usr/share/X11/xorg.conf.d"
[69.600] (==) ServerLayout "X.org Configured"
[69.600] (**) |-->Screen "Screen0" (0)
[69.600] (**) |   |-->Monitor "Monitor0"
[69.600] (**) |   |-->Device "Card0"
[69.600] (**) |-->Screen "Screen1" (1)
[69.600] (**) |   |-->Monitor "Monitor1"
[69.601] (**) |   |-->Device "Card1"
[69.601] (**) |-->Screen "Screen2" (2)
[69.601] (**) |   |-->Monitor "Monitor2"
[69.601] (**) |   |-->Device "Card2"
[69.601] (**) |-->Input Device "Mouse0"
[69.601] (**) |-->Input Device "Keyboard0"
[69.601] (==) Automatically adding devices
[69.601] (==) Automatically enabling devices
[69.601] (==) Automatically adding GPU devices
[69.601] (==) Automatically binding GPU devices
[69.601] (==) Max clients allowed: 256, resource mask: 0x1f
[69.601] (WW) The directory "/usr/share/fonts/X11/cyrillic" does not exist.
[69.601]Entry deleted from font path.
[69.601] (WW) The directory "/usr/share/fonts/X11/100dpi/" does not exist.
[69.601]Entry deleted from font path.
[69.601] (WW) The directory "/usr/share/fonts/X11/75dpi/" does not exist.
[69.601]Entry deleted from font path.
[69.601] (WW) The directory "/usr/share/fonts/X11/100dpi" does not exist.
[69.601]Entry deleted from font path.
[69.601] (WW) The directory "/usr/share/fonts/X11/75dpi" does not exist.
[69.601]Entry deleted from font path.
[69.601] (WW) The directory "/usr/share/fonts/X11/cyrillic" does not exist.
[69.601]Entry deleted from font path.
[69.601] (WW) The directory "/usr/share/fonts/X11/100dpi/" does not exist.
[69.601]Entry deleted from font path.
[69.601] (WW) The directory "/usr/share/fonts/X11/75dpi/" does not exist.
[69.601]Entry deleted from font path.
[69.601] (WW) The directory "/usr/share/fonts/X11/100dpi" does not exist.
[69.601]Entry deleted from font path.
[69.601] (WW) The directory "/usr/share/fonts/X11/75dpi" does not exist.
[69.601]Entry deleted from font path.
[69.601] (**) FontPath set to:
/usr/share/fonts/X11/misc,
/usr/share/fonts/X11/Type1,
built-ins,
/usr/share/fonts/X11/misc,
/usr/share/fonts/X11/Type1,
built-ins
[69.601] (**) ModulePath set to "/usr/lib/xorg/modules"
[69.602] (WW) Hotplugging is on, devices using drivers 'kbd', 'mouse' or 
'vmmouse' will be disabled.
[69.602] (WW) Disabling Mouse0
[69.602] (WW) Disabling Keyboard0
[69.602] (II) Loader magic: 0x55b3e6614020
[69.602] (II) Module ABI versions:
[69.602]X.Org ANSI C Emulation: 0.4
[69.602]X.Org Video Driver: 24.0
[69.602]X.Org XInput driver : 24.1
[69.602]X.Org Server Extension : 10.0
[69.603] (--) using VT number 2

[69.603] (II) systemd-logind: logind integration requires -keeptty and 
-keeptty was not provided, disabling logind integration
[69.604] (II) xfree86: Adding drm device (/dev/dri/card0)
[69.604] (II) xfree86: Adding drm device (/dev/dri/card1)
[69.638] (--) PCI:*(0@0:1:0) 1234::1af4:1100 rev 2, Mem @ 
0xf000/16777216, 0xfea14000/4096, BIOS @ 0x/131072
[69.638] (--) PCI: (1@0:0:0) 1002:67df:1da2:e366 rev 225, Mem @ 
0x6/8589934592, 0x8/2097152, 0xfe80/262144, I/O @ 
0x5000/256, BIOS @ 0x/131072
[69.638] (II) "glx" will be loaded. This was enabled by default and also 
specified in the config file.
[69.638] (II) LoadModule: "glx"
[69.638] (II) Loading /usr/lib/xorg/modules/extensions/libglx.so
[69.639] (II) Module glx: vendor="X.Org Foundation"
[69.639]compiled for 1.20.4, module version = 1.0.0
[69.639]ABI 

Processed: Re: installing python3.4 fails

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> reassign 931097 python3.4
Bug #931097 [unattended-upgrades] unattended-upgrades: InvalidURL(f"URL can't 
contain control characters. {url!r} "
Bug reassigned from package 'unattended-upgrades' to 'python3.4'.
No longer marked as found in versions unattended-upgrades/0.83.3.2+deb8u1.
Ignoring request to alter fixed versions of bug #931097 to the same values 
previously set
> forcemerge 931044 931097
Bug #931044 {Done: Salvatore Bonaccorso } [python3.4] 
installing python3.4 fails
Bug #931057 {Done: Salvatore Bonaccorso } [python3.4] 
python3: Error while upgrading python3.4
Bug #931097 [python3.4] unattended-upgrades: InvalidURL(f"URL can't contain 
control characters. {url!r} "
Severity set to 'critical' from 'serious'
Marked Bug as done
There is no source info for the package 'python3.4' at version '3.4.2-1+deb8u4' 
with architecture ''
Unable to make a source version for version '3.4.2-1+deb8u4'
Marked as fixed in versions 3.4.2-1+deb8u4.
There is no source info for the package 'python3.4' at version '3.4.2-1+deb8u3' 
with architecture ''
Unable to make a source version for version '3.4.2-1+deb8u3'
Marked as found in versions 3.4.2-1+deb8u3.
Added tag(s) confirmed and pending.
Bug #931057 {Done: Salvatore Bonaccorso } [python3.4] 
python3: Error while upgrading python3.4
Merged 931044 931057 931097
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
931044: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931044
931057: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931057
931097: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931097
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#931097: installing python3.4 fails

[Chris Lamb]

reassign 931097 python3.4
forcemerge 931044 931097
thanks

Thanks for filing this. However it was already filed as #931044 and
the issue itself was fixed in python3.4 3.4.2-1+deb8u4.

Hope that helps.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-

Bug#931097: unattended-upgrades: InvalidURL(f"URL can't contain control characters. {url!r} "

[duncanwebb]

Package: unattended-upgrades
Version: 0.83.3.2+deb8u1
Severity: serious
Justification: normal

Dear Maintainer,

Jessie uses python 3.4 and python 3.4 does not support f"" strings

So now unattended upgrades no longer performs security upgrades.

/etc/cron.daily/apt:
Traceback (most recent call last):
  File "/usr/bin/unattended-upgrade", line 55, in 
import apt
  File "/usr/lib/python3/dist-packages/apt/__init__.py", line 26, in 
from apt.package import Package
  File "/usr/lib/python3/dist-packages/apt/package.py", line 32, in 
from http.client import BadStatusLine
  File "/usr/lib/python3.4/http/client.py", line 1014
raise InvalidURL(f"URL can't contain control characters. {url!r} "
 ^
SyntaxError: invalid syntax

The problem is in the file /usr/lib/python3.4/http/client.py, changing (f"URL 
to ("URL will
will allow unattended-upgrades to work again but doesn't do what is intended.

-- System Information:
Debian Release: 8.10
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-0.bpo.5-amd64 (SMP w/32 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages unattended-upgrades depends on:
ii  apt1.0.9.8.5
ii  apt-utils  1.0.9.8.5
ii  debconf [debconf-2.0]  1.5.56+deb8u1
ii  init-system-helpers1.22
ii  lsb-base   4.1+Debian13+nmu1
ii  lsb-release4.1+Debian13+nmu1
ii  python33.4.2-2
ii  python3-apt0.9.3.12
ii  ucf3.0030
ii  xz-utils   5.1.1alpha+20120614-2+b3

unattended-upgrades recommends no packages.

Versions of packages unattended-upgrades suggests:
ii  bsd-mailx  8.1.2-0.20141216cvs-2
ii  exim4-daemon-light [mail-transport-agent]  4.84.2-2+deb8u5

-- debconf-show failed

Bug#930056: Ping: could you remove synphot-data (Buster RC)?

[Ole Streicher]

Dear ftp-master,

may I ping you to remove synphot-data [all] (Bug #930863) soon? This
currently blocks the unblocking and migration of the pysynphot package
(Bug #930717), resolving the Buster RC bug #930056 "synphot-data:
creates world writable
files:/usr/share/synphot/grp/hst/cdbs/comp/acs/acs_*_syn.fits".

Thank you very much!

Best regards

Ole

Bug#931066: Info

[MaXaMaR]

Seems to be the problem with memcpy(), after changing to custom memcpy, Xorg 
progresses, screen mode seems to try to change but then entire machine crashes. 
Amdgpu logs show timeout like 3/4 jobs complete then PCI reset. Memmove also 
needs to be replaced (everywhere) to test this.
They were moving from custom memcpy/memmove in last releases.