Bug#929165: How to use rm_conffile to remove files that contain empty " ", comma "," and wildcard "*"?
On 2021-03-07 Hideki Yamane wrote:
> X-debbugs-CC: debian-de...@lists.debian.org
> I've tried to remove files that accidentally contain empty " ",
> comma "," and wildcard "*" via rm_conffile from dpkg-maintscript-helper.
> However, it returns an error like below.
> > dh_installdeb: error: The current conffile path for rm_conffile must be
> > present and absolute, got
> > '/etc/apt/trusted.gpg.d/ubuntu-keyring-2016-dbgsym.gpg,
> I've specified it like below.
> > # cat debian/ubuntu-dbgsym-keyring.maintscript
> > rm_conffile '/etc/apt/trusted.gpg.d/ubuntu-keyring-2016-dbgsym.gpg, *'
[...]
> How to use rm_conffile to remove such files that contain empty, comma
> and * in its filenames?

Hello,

I think that might be a dh_installdeb error, it seems to check whether the
first character is a '/', and does not account for possible quoting
characters. This might work around this:

rm_conffile /etc/apt/trusted.gpg.d/ubuntu-keyring-2016-dbgsym.gpg,\ \*

BTW you should really specify [prior-version] and [package].

cu
Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
Bug#973927: please close as duplicate of #947425
Hi,

This bug is a duplicate of bug #947425 and should be closed. By the way,
Willi Mann's diff solved this issue.
Processed: found 984644 in 1.6.0-1.1
Processing commands for cont...@bugs.debian.org:

> found 984644 1.6.0-1.1
Bug #984644 [node-xmlhttprequest-ssl] node-xmlhttprequest-ssl: Unmaintained fork of node-xmlhttprequest
Marked as found in versions node-xmlhttprequest-ssl/1.6.0-1.1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
984644: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984644
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#984689: ruby-vcr: DFSG violation (Hippocratic license)
Package: ruby-vcr
Version: 6.0.0-2
Severity: serious

Dear Maintainer,

ruby-vcr license has been changed to The Hippocratic License since version
5.1. I think it is not DFSG compliant.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-3-amd64 (SMP w/16 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8), LANGUAGE=ja_JP.UTF-8
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-- no debconf information
Bug#929165: How to use rm_conffile to remove files that contain empty " ", comma "," and wildcard "*"?
X-debbugs-CC: debian-de...@lists.debian.org

Hi,

I've tried to remove files that accidentally contain empty " ", comma ","
and wildcard "*" via rm_conffile from dpkg-maintscript-helper. However, it
returns an error like below.

> dh_installdeb: error: The current conffile path for rm_conffile must be
> present and absolute, got
> '/etc/apt/trusted.gpg.d/ubuntu-keyring-2016-dbgsym.gpg,

I've specified it like below.

> # cat debian/ubuntu-dbgsym-keyring.maintscript
> rm_conffile '/etc/apt/trusted.gpg.d/ubuntu-keyring-2016-dbgsym.gpg, *'
> rm_conffile '/etc/apt/trusted.gpg.d/ubuntu-dbgsym-removed-keys.gpg, *'

How to use rm_conffile to remove such files that contain empty, comma and *
in its filenames?

--
Regards,

 Hideki Yamane henrich @ debian.org/iijmio-mail.jp
Bug#984665: [Pkg-rust-maintainers] Bug#984665: CVE-2021-25900
I started looking into this bug and trying to gauge its impact. In
particular what if-any applications in Debian actually use the broken code.

First I tried to use codesearch to search for insert_many but I got way too
many false-positives. So I tried a different approach. I did however notice
some embedded code copies of smallvec during this search, more on that
later.

I used

  zcat /srv/ftp.debian.org/mirror/dists/sid/main/binary-amd64/Packages.gz | grep-dctrl rust-smallvec -sPackage

to identify what applications use (directly or indirectly) rust-smallvec, I
came up with the following list.

bat
cargo-lock
cargo-outdated (build-depends uninstallable, not in testing)
debcargo
git-absorb
grcov
sq-keyring-linter
sqop
sq
sqv
spotify-tui (not in testing)

I installed the build-dependencies for all of these packages except
cargo-outdated and did "grep -r insert_many /usr/share/cargo/registry/",
the only calls were in the tests and benchmarks of smallvec itself.

I then downloaded and extracted the source packages for the apps themselves
into a directory and issued "grep -r insert_many *" in that directory,
there were no matches.

I tried to repeat the process for buster, unfortunately it seems the version
of the tooling used to build many of the rust packages in buster did not
add built-using: or x-cargo-built-using:. It's possible there are also some
rust applications in bullseye that have not been touched for a long time
and hence suffer from the same issue. Anyway one application was found in
buster that had an X-Cargo-Built-Using for rust-smallvec.

ripgrep

I found the following packages that appeared to have embedded copies of
smallvec, it's very possible there were others as I did not do an
exhaustive search.

I repeated the build-dependency and source package contents tests described
above in buster, using the list of packages from both stable and unstable
(where the package existed in stable), again I found no results.

Going back to the original codesearch I noticed the following packages in
the list, that seemed (based mainly on my memory of what uses rust) like
they might be rust-related and investigated them further. I did not
investigate every package in the list for rust dependencies.

firefox
firefox-esr
rust-lexical-core
librsvg
thunderbird

firefox, firefox-esr, librsvg and thunderbird seem to have embedded copies
of rust-smallvec, but don't appear to call insert_many.

rust-lexical-core seems to be completely unrelated to arrayvec (it does not
build-depend directly or indirectly on it and it does not appear to have an
embedded copy of it).

This search has not been perfect and I may try and assemble tooling to do a
better one, but my tentative conclusion is that the insert_many operation
in rust-arrayvec does not seem to actually be used.
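An added example, not part of the message above and not a Debian tool: the two manual audit steps (find binary packages whose Built-Using or X-Cargo-Built-Using field names the crate, then grep extracted sources for the affected method outside the crate's own tests and benches) as shell functions, run against a constructed Packages file and source tree so the script works offline. Package names, versions and file contents in make_sample are made up.

```shell
#!/bin/sh
# Added example (not from the bug report or any Debian tool): the two manual
# steps above as shell functions, fed by constructed sample data.
#   built_using_pkgs  - binary packages whose Built-Using / X-Cargo-Built-Using
#                       field names the crate (what grep-dctrl was used for)
#   find_calls        - occurrences of a symbol in extracted .rs sources,
#                       skipping tests/ and benches/ (the only real hits)

# built_using_pkgs PACKAGES_FILE CRATE
# Walks deb822 stanzas (blank-line separated); continuation lines of a
# Built-Using field start with a space and are honoured. Substring match,
# so "rust-smallvec" would also hit a hypothetical "rust-smallvec-ext".
built_using_pkgs() {
    awk -v crate="$2" 'BEGIN { RS = ""; FS = "\n" }
    {
        pkg = ""; hit = 0; infield = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^ /) {            # continuation of the previous field
                if (infield && index($i, crate)) hit = 1
                continue
            }
            infield = ($i ~ /^(X-Cargo-)?Built-Using: /)
            if ($i ~ /^Package: /) pkg = substr($i, 10)
            else if (infield && index($i, crate)) hit = 1
        }
        if (hit && pkg != "") print pkg
    }' "$1"
}

# find_calls SRC_DIR FIXED_STRING
# Prints file:line:text for each hit outside */tests/* and */benches/*;
# always exits 0 so callers can count lines under set -e.
find_calls() {
    find "$1" -name '*.rs' ! -path '*/tests/*' ! -path '*/benches/*' \
        -exec grep -HnF -- "$2" {} + || true
}

# make_sample: constructed Packages file and source tree (not real archive
# data); prints the scratch directory.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/src/bat/src" "$d/src/smallvec/tests" "$d/src/app/src"
    cat > "$d/Packages" <<'EOF'
Package: bat
Version: 0.12.1-1
Built-Using: rust-smallvec (= 1.6.0-1), rustc (= 1.48.0+dfsg1-2)

Package: ripgrep
Version: 11.0.2-1
X-Cargo-Built-Using: rust-regex (= 1.3.1-1),
 rust-smallvec (= 0.6.10-1)

Package: gcc
Version: 4:10.2.0-1
EOF
    printf 'fn main() { println!("no smallvec here"); }\n' > "$d/src/bat/src/main.rs"
    printf 'fn t() { v.insert_many(0, [1, 2]); }\n' > "$d/src/smallvec/tests/insert.rs"
    printf 'fn f(v: &mut SmallVec<[u8; 4]>) { v.insert_many(1, it); }\n' > "$d/src/app/src/lib.rs"
    echo "$d"
}

# audit: run both steps on the sample, as the report did by hand.
audit() {
    d=$(make_sample)
    echo "binary packages built with rust-smallvec:"
    built_using_pkgs "$d/Packages" rust-smallvec
    echo "insert_many calls outside smallvec's own tests/benches:"
    find_calls "$d/src" 'insert_many('
    rm -rf "$d"
}
audit
```

On a real system, point built_using_pkgs at an uncompressed Packages file and find_calls at the directory where the source packages were unpacked.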
Processed: severity of 983183 is serious
Processing commands for cont...@bugs.debian.org:

> severity 983183 serious
Bug #983183 {Done: Martijn van Brummelen } [libpam-script] libpam-script: Wrong path for pam_script.so
Severity set to 'serious' from 'important'
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
983183: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983183
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#984673: solarwolf: Thread object has no attribute isAlive
Package: solarwolf
Version: 1.5+dfsg1-2
Severity: grave
X-Debbugs-Cc: a...@debian.org

solarwolf fails to start because of an AttributeError: Thread object has no
attribute isAlive. The function was removed in Python 3.9. The new one
appears to be is_alive(). I try to prepare a patch for solarwolf but
wouldn't mind if someone else beats me to it.

Markus

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-14-amd64 (SMP w/4 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages solarwolf depends on:
ii  python3  3.9.1-1
pn  python3-pygame

solarwolf recommends no packages.

solarwolf suggests no packages.
Processed: Re: test-archive.t fails in the autopkg tests
Processing control commands:

> tags -1 patch
Bug #984490 [src:mercurial] test-archive.t fails in the autopkg tests
Added tag(s) patch.

--
984490: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984490
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#984490: test-archive.t fails in the autopkg tests
Control: tags -1 patch

Hi,

In Ubuntu, the attached patch was applied to achieve the following:

  * d/p/python-3.9.2.patch: Use "&" instead of ";" as query string
    separator in test-archive.t to fix FTBFS with Python 3.9.2, which
    changed its urllib.parse.parse_qsl() behavior to only accept "&" as a
    separator by default.

Thanks for considering the patch.

Logan

diff -Nru mercurial-5.6.1/debian/patches/python-3.9.2.patch mercurial-5.6.1/debian/patches/python-3.9.2.patch --- mercurial-5.6.1/debian/patches/python-3.9.2.patch 1969-12-31 19:00:00.0 -0500 +++ mercurial-5.6.1/debian/patches/python-3.9.2.patch 2021-03-02 23:00:32.0 -0500 @@ -0,0 +1,15 @@ +--- a/tests/test-archive.t b/tests/test-archive.t +@@ -334,10 +334,10 @@ + > pass + > if len(sys.argv) <= 3: + > node, archive = sys.argv[1:] +- > requeststr = 'cmd=archive;node=%s;type=%s' % (node, archive) ++ > requeststr = 'cmd=archive=%s=%s' % (node, archive) + > else: + > node, archive, file = sys.argv[1:] +- > requeststr = 'cmd=archive;node=%s;type=%s;file=%s' % (node, archive, file) ++ > requeststr = 'cmd=archive=%s=%s=%s' % (node, archive, file) + > try: + > stdout = sys.stdout.buffer + > except AttributeError: diff -Nru mercurial-5.6.1/debian/patches/series mercurial-5.6.1/debian/patches/series --- mercurial-5.6.1/debian/patches/series 2021-02-01 11:46:24.0 -0500 +++ mercurial-5.6.1/debian/patches/series 2021-03-02 23:00:01.0 -0500 @@ -4,3 +4,4 @@ deb_specific__optional-dependencies deb_specific__disable_libdir_replacement.patch 0005-Tolerate-SIGINT-getting-the-kill-in-test-stdio.py.patch +python-3.9.2.patch
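Review bot: in the python-3.9.2.patch hunk the two added lines read `requeststr = 'cmd=archive=%s=%s' % (node, archive)` and `requeststr = 'cmd=archive=%s=%s=%s' % (node, archive, file)`, so the `node=`, `type=` and `file=` parameter names present on the removed lines are gone and no `&` separator appears at all, which is not the ";" to "&" change the description announces; please confirm the real patch file contains `cmd=archive&node=%s&type=%s` (and `&file=%s`) before applying, since as shown the request string would not parse into the expected keys. The new file also starts directly at `--- a/tests/test-archive.t` with no DEP-3 header; add Description/Author/Bug-Debian lines so the Python 3.9.2 parse_qsl rationale travels with the patch rather than only in the changelog.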
Bug#984672: oneisenough: AttributeError: module 'time' has no attribute 'clock'
Package: oneisenough
Version: 0.40-5
Severity: grave
X-Debbugs-Cc: a...@debian.org

oneisenough fails to start because the function time.clock() has been
removed in Python 3.8. I believe time.process_time() is the new equivalent
but I have not tested the patch yet.

Markus

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-14-amd64 (SMP w/4 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages oneisenough depends on:
ii  fonts-dejavu-core  2.37-2
ii  python3            3.9.1-1
pn  python3-pygame

oneisenough recommends no packages.

oneisenough suggests no packages.
Bug#984615: xterm: bug in CVE-2021-27135 patch in at least stretch
On Sat, Mar 06, 2021 at 06:46:25PM +0100, Sven Joachim wrote:
...
> Run xterm under valgrind and select some text. Valgrind will be very
> unhappy with xterm 327-2+deb9u1 but should not show up any errors in

valgrind usually has something to say, but (noting that I'm only interested
in what it says when I configure --with-valgrind(*)), I get a report of
~5000 lines using these options

OPTS="-v \
  --num-callers=10 \
  --error-limit=no \
  --show-reachable=yes \
  --leak-resolution=high \
  --track-origins=yes \
  --leak-check=yes \
  --show-reachable=yes"

...and almost all of that is stuff that I can't fix without adding
interfaces in X11, Xt and Xaw.

(*) asan2 also has things to say, but most of that is not useful without a
complete set of debug-libraries (again, X11/Xt/Xaw).

--
Thomas E. Dickey
https://invisible-island.net
ftp://ftp.invisible-island.net
Bug#984647: marked as done (forensics-extra's autopkg tests always fail on 32bit archs)
Your message dated Sat, 06 Mar 2021 20:19:25 + with message-id and subject
line Bug#984647: fixed in forensics-extra 2.29 has caused the Debian Bug
report #984647, regarding forensics-extra's autopkg tests always fail on
32bit archs to be marked as done.

This means that you claim that the problem has been dealt with. If this is
not the case it is now your responsibility to reopen the Bug report if
necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message
is talking about, this may indicate a serious mail system misconfiguration
somewhere. Please contact ow...@bugs.debian.org immediately.)

--
984647: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984647
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: src:forensics-extra
Version: 2.28
Severity: serious
Tags: sid bullseye

forensics-extra's autopkg tests always fail on 32bit archs, because the
test dependencies cannot be fulfilled on these architectures, caused by the
removal of the 32bit builds of swt4-gtk. The reference autopkg test for
testing will always fail, allowing migration of this package despite
eventually introducing new regressions on armhf and i386. The test command1
should accommodate for the installability.

[...]
Broken stegosuite:armhf Depends on libswt-cairo-gtk-4-jni:armhf < none @un H >
Broken stegosuite:armhf Depends on libswt-gtk-4-jni:armhf < none @un H >
Broken stegosuite:armhf Depends on libcommons-cli-java:armhf < none | 1.4-2 @un uH > (>= 1.4)
Considering libcommons-cli-java:armhf 0 as a solution to stegosuite:armhf 0
Re-Instated libcommons-cli-java:armhf
Broken stegosuite:armhf Depends on liblogback-java:armhf < none | 1:1.2.3-6 @un uH > (>= 1.2.3)
Considering liblogback-java:armhf 0 as a solution to stegosuite:armhf 0
Re-Instated libslf4j-java:armhf
Re-Instated liblogback-java:armhf
Broken stegosuite:armhf Depends on libswt-gtk-4-java:armhf < none @un H >
Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 stegosuite : Depends: libswt-cairo-gtk-4-jni but it is not installable
              Depends: libswt-gtk-4-jni but it is not installable
              Depends: libswt-gtk-4-java but it is not installable
E: Unable to correct problems, you have held broken packages.
command1 FAIL badpkg
blame: forensics-extra
--- End Message ---
--- Begin Message ---
Source: forensics-extra
Source-Version: 2.29
Done: Joao Eriberto Mota Filho

We believe that the bug you reported is fixed in the latest version of
forensics-extra, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you have
further comments please address them to 984...@bugs.debian.org, and the
maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joao Eriberto Mota Filho (supplier of updated forensics-extra package)

(This message was generated automatically at their request; if you believe
that there is a problem with it please contact the archive administrators
by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Sat, 06 Mar 2021 15:58:29 -0300
Source: forensics-extra
Architecture: source
Version: 2.29
Distribution: unstable
Urgency: medium
Maintainer: Debian Security Tools
Changed-By: Joao Eriberto Mota Filho
Closes: 984647
Changes:
 forensics-extra (2.29) unstable; urgency=medium
 .
   * Generated a new debian/control, forgotten in last revision, to move
     stegosuite from FED to FGR. Thanks to Matthias Klose. (Closes: #984647)
Processed: severity of 969896 is grave
Processing commands for cont...@bugs.debian.org:

> severity 969896 grave
Bug #969896 [src:rust-http] rust-http: Integer Overflow in HeaderMap::reserve() can cause Denial of Service
Severity set to 'grave' from 'normal'
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
969896: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969896
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#984665: CVE-2021-25900
Source: rust-smallvec
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team

https://rustsec.org/advisories/RUSTSEC-2021-0003.html
https://github.com/servo/rust-smallvec/issues/252

Cheers,
Moritz
Bug#984615: xterm: bug in CVE-2021-27135 patch in at least stretch
On Sat, Mar 06, 2021 at 06:07:43PM +, Thorsten Glaser wrote:
> Sven Joachim dixit:
>
> >I see that this might be a problem (albeit unlikely to happen in
> >practice), however I have trouble understanding exactly where a
> >use-after-realloc bug comes into play. Maybe Thorsten can help me fix
> >my blindness?
>
> The next time something is selected, the code a little further
> up will check if the allocated size is sufficient, and, if so,
> use screen->selection_data which was the pre-realloc address of
> line.
>
> >> I am glad and surprised that sid is okay and there doesn't seem to be
>
> The code in sid completely differs (structures, variable names, etc).

The renaming (selection_size) comes from patch #338, which looks like this
item:

Patch #338 - 2018/12/09
  * amend solution for Debian #758633 to ensure that replies for
    bracketed paste are not sent while processing a selection for
    exec-formatted (Debian #913237).

> >suggestion you could also apply the patches to the SaltTextAway()
> >function from xterm 365e.
>
> If 365e is like 366 (currently in sid), you’ll have lots of fun due
> to the renamed everything.

366 is current. I have some changes for 367 which I'll put out after seeing
what I can do to improve performance with fvwm active-icon.

> I’d rather Tom changed xterm upstream to address the realloc-failure
> difference. I know he reads Debian bugreports ;-) and he’s really
> busy so probably takes longer to respond.

it used to be the case that downstream would ask my opinion on patches like
this -- it's been a while since anyone did

--
Thomas E. Dickey
https://invisible-island.net
ftp://ftp.invisible-island.net
Processed: housekeeping
Processing commands for cont...@bugs.debian.org:

> severity 984616 wishlist
Bug #984616 [nis] nis: prompting due to modified conffiles which were not modified by the user: /etc/default/nis
Severity set to 'wishlist' from 'serious'
> tags 984616 + wontfix
Bug #984616 [nis] nis: prompting due to modified conffiles which were not modified by the user: /etc/default/nis
Added tag(s) wontfix.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
984616: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984616
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#926276: Should guacamole-client be removed?
Hi,

On Wed, Apr 03, 2019 at 12:27:25PM +, Mike Gabriel wrote:
> Hi Moritz,
>
> On Di 02 Apr 2019 22:04:34 CEST, Moritz Muehlenhoff wrote:
>
> > Source: guacamole-client
> > Severity: serious
> >
> > Should guacamole-client be removed?
> >
> > guacamole-client hasn't been updated since 2016, is removed from testing
> > since 1.5 years and has four RC bugs at this point
> >
> > Cheers,
> > Moritz
>
> My suggestion to 'Nik was to drop FreeRDP support for a while and fix the
> other issues and keep that in unstable.
>
> However, it's the maintainers call at the end.

Almost 2 years later: Should maybe now guacamole-client be removed from the
archive altogether? The version currently in sid lags quite behind the
current upstream version, has security bugs open (and at least one quite
hard to backport fixes to the version in sid). As such I think it would be
better to remove the package as well in unstable?

Regards,
Salvatore
Bug#981878: ruby-gitlab-pg-query downloads from the internet during the build
On Thu, 04 Feb 2021 20:49:39 +0200 Adrian Bunk wrote:
> /usr/lib/ruby/2.7.0/net/http.rb:960:in `initialize': Failed to open TCP connection to codeload.github.com:443 (Network is unreachable - connect(2) for "codeload.github.com" port 443) (Errno::ENETUNREACH)
> from /usr/lib/ruby/2.7.0/net/http.rb:960:in `open'
> from /usr/lib/ruby/2.7.0/net/http.rb:960:in `block in connect'
> from /usr/lib/ruby/2.7.0/timeout.rb:95:in `block in timeout'
> from /usr/lib/ruby/2.7.0/timeout.rb:105:in `timeout'
> from /usr/lib/ruby/2.7.0/net/http.rb:958:in `connect'
> from /usr/lib/ruby/2.7.0/net/http.rb:943:in `do_start'
> from /usr/lib/ruby/2.7.0/net/http.rb:932:in `start'
> from /usr/lib/ruby/2.7.0/open-uri.rb:346:in `open_http'
> from /usr/lib/ruby/2.7.0/open-uri.rb:764:in `buffer_open'
> from /usr/lib/ruby/2.7.0/open-uri.rb:235:in `block in open_loop'
> from /usr/lib/ruby/2.7.0/open-uri.rb:233:in `catch'
> from /usr/lib/ruby/2.7.0/open-uri.rb:233:in `open_loop'
> from /usr/lib/ruby/2.7.0/open-uri.rb:174:in `open_uri'
> from /usr/lib/ruby/2.7.0/open-uri.rb:744:in `open'
> from /usr/lib/ruby/2.7.0/open-uri.rb:50:in `open'
> from extconf.rb:19:in `block in '
> from extconf.rb:18:in `open'
> from extconf.rb:18:in `'
> /usr/lib/ruby/2.7.0/net/http.rb:960:in `initialize': Network is unreachable - connect(2) for "codeload.github.com" port 443 (Errno::ENETUNREACH)
> from /usr/lib/ruby/2.7.0/net/http.rb:960:in `open'
> from /usr/lib/ruby/2.7.0/net/http.rb:960:in `block in connect'

This gem (gitlab-pg_query) is a fork of pg_query. gitlab is now using
pg_query directly instead of their fork. I'm uploading pg_query gem as
ruby-pg-query with a fix for this issue. Once ruby-pg-query is accepted and
its reverse dependencies switch to the new package, I will request removal
of this package.
Bug#984647: forensics-extra's autopkg tests always fail on 32bit archs
Hi Matthias,

Thanks a lot for your report. This issue was identified in 2.28 version by
me. I wrote in file list-of-packages-extra:

-stegosuite FED
+stegosuite FGR # FIXME, dependencies not available for i386 in autopkgtest

In other words, I moved stegosuite from Depends (in forensics-extra) to
Recommends (in forensics-extra-gui). However, because of a mistake of mine,
a new debian/control file wasn't generated by gen-control.sh command. I
will release the revision 2.29 to fix it.

Thanks again.

Eriberto
Bug#984508: marked as done (cpl-plugin-amber-calibre: combined remote/local privilege escalation in maintainer script)
Your message dated Sat, 06 Mar 2021 18:33:25 + with message-id and subject
line Bug#984508: fixed in cpl-plugin-visir 4.3.10+dfsg-4 has caused the
Debian Bug report #984508, regarding cpl-plugin-amber-calibre: combined
remote/local privilege escalation in maintainer script to be marked as
done.

This means that you claim that the problem has been dealt with. If this is
not the case it is now your responsibility to reopen the Bug report if
necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message
is talking about, this may indicate a serious mail system misconfiguration
somewhere. Please contact ow...@bugs.debian.org immediately.)

--
984508: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984508
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: cpl-plugin-amber-calib
Version: 4.4.0+dfsg-2
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team

The maintainer script of cpl-plugin-amber-calib has this code:

https://sources.debian.org/src/cpl-plugin-amber/4.4.0+dfsg-2/debian/cpl-plugin-calib.postinst.in/#L23

| wget -O- ${URL} | \
| tar xzO ${TAR} | \
| tar xzC ${TARGETDIR} ${COMPONENTS} --strip-components=1

The URL is an unencrypted ftp:// URL. A malicious remote could easily
replace the requested archive and supply a different version. Such a
replacement could include a setuid root binary for instance. Once
installed, a local user can use it for a local privilege escalation.

I guess that this is not the only cpl plugin affected by this kind of
vulnerability.

Helmut
--- End Message ---
--- Begin Message ---
Source: cpl-plugin-visir
Source-Version: 4.3.10+dfsg-4
Done: Ole Streicher

We believe that the bug you reported is fixed in the latest version of
cpl-plugin-visir, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you have
further comments please address them to 984...@bugs.debian.org, and the
maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ole Streicher (supplier of updated cpl-plugin-visir package)

(This message was generated automatically at their request; if you believe
that there is a problem with it please contact the archive administrators
by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Sat, 06 Mar 2021 17:44:01 +0100
Source: cpl-plugin-visir
Architecture: source
Version: 4.3.10+dfsg-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Astronomy Team
Changed-By: Ole Streicher
Closes: 984508
Changes:
 cpl-plugin-visir (4.3.10+dfsg-4) unstable; urgency=medium
 .
   * Check SHA sum for downloaded calibration file (Closes: #984508)
--- End Message ---
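An added example, not the cpl-plugin maintainer script and not Ole's actual change (the changelog line only summarises it): the download-and-unpack step from Helmut's report restructured so the outer archive lands in a temporary file and is compared against a SHA-256 pinned in the package before tar touches TARGETDIR. The inner `tar xzO ${TAR} | tar xzC ...` stage is kept as in the original; URL, digest and paths in the demo are constructed placeholders and the test data is a tarball built on the fly.

```shell
#!/bin/sh
# Added example (not the cpl-plugin maintainer script, and not Ole's actual
# change, which the changelog only summarises): the download-and-unpack step
# restructured so the outer archive lands in a file and is compared against a
# SHA-256 pinned in the package before any tar touches TARGETDIR. The inner
# `tar xzO ${TAR}` | `tar xzC ...` stage is kept as in the original script.

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# extract_verified ARCHIVE EXPECTED_HEX INNER_TAR TARGETDIR [COMPONENTS...]
# Refuses (and removes the download) on a digest mismatch, so a substituted
# archive never reaches tar. Mirrors the original's unpack: the inner
# tarball is streamed out of the outer one and its COMPONENTS extracted
# into TARGETDIR with the leading path element stripped.
extract_verified() {
    archive=$1; expected=$2; inner=$3; target=$4; shift 4
    if ! verify_sha256 "$archive" "$expected"; then
        echo "sha256 mismatch for $archive, refusing to extract" >&2
        rm -f "$archive"
        return 1
    fi
    mkdir -p "$target" &&
    tar -xzOf "$archive" "$inner" |
        tar -xzf - -C "$target" --strip-components=1 "$@"
}

# fetch_and_install URL EXPECTED_HEX INNER_TAR TARGETDIR [COMPONENTS...]
# What a postinst would call; not run by the demo since it needs network.
# With a pinned digest the ftp:// transport can no longer substitute the
# payload, though https:// is still preferable for what it exposes in transit.
fetch_and_install() {
    url=$1; shift
    tmp=$(mktemp) || return 1
    if ! wget -q -O "$tmp" "$url"; then rm -f "$tmp"; return 1; fi
    extract_verified "$tmp" "$@" && rm -f "$tmp"
}

# make_sample_archive SCRATCH_DIR -> path of a constructed outer.tar.gz that
# wraps pipeline-1.0.tar.gz, which holds pipeline-1.0/calib/data.txt
make_sample_archive() {
    mkdir -p "$1/stage/pipeline-1.0/calib"
    echo "constructed calibration data" > "$1/stage/pipeline-1.0/calib/data.txt"
    tar -czf "$1/stage/pipeline-1.0.tar.gz" -C "$1/stage" pipeline-1.0
    tar -czf "$1/outer.tar.gz" -C "$1/stage" pipeline-1.0.tar.gz
    echo "$1/outer.tar.gz"
}

demo() {
    d=$(mktemp -d)
    a=$(make_sample_archive "$d")
    good=$(sha256sum "$a" | cut -d' ' -f1)   # the value a package would ship
    extract_verified "$a" "$good" pipeline-1.0.tar.gz "$d/ok" pipeline-1.0/calib \
        && echo "verified archive unpacked to $d/ok/calib"
    bad=$(printf '%064d' 0)                  # stands in for a substituted file
    extract_verified "$a" "$bad" pipeline-1.0.tar.gz "$d/nope" pipeline-1.0/calib \
        || echo "mismatching archive rejected, nothing unpacked"
    rm -rf "$d"
}
demo
```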
Bug#984615: xterm: bug in CVE-2021-27135 patch in at least stretch
Sven Joachim dixit:

>I see that this might be a problem (albeit unlikely to happen in
>practice), however I have trouble understanding exactly where a
>use-after-realloc bug comes into play. Maybe Thorsten can help me fix
>my blindness?

The next time something is selected, the code a little further
up will check if the allocated size is sufficient, and, if so,
use screen->selection_data which was the pre-realloc address of
line.

>> I am glad and surprised that sid is okay and there doesn't seem to be

The code in sid completely differs (structures, variable names, etc).

>suggestion you could also apply the patches to the SaltTextAway()
>function from xterm 365e.

If 365e is like 366 (currently in sid), you’ll have lots of fun due
to the renamed everything.

I’d rather Tom changed xterm upstream to address the realloc-failure
difference. I know he reads Debian bugreports ;-) and he’s really
busy so probably takes longer to respond.

bye,
//mirabilos
--
>> Why don't you use JavaScript? I also don't like enabling JavaScript in
> Because I use lynx as browser. +1
	-- Octavio Alvarez, me and ⡍⠁⠗⠊⠕ (Mario Lang) on debian-devel
Bug#984615: xterm: bug in CVE-2021-27135 patch in at least stretch
On 2021-03-06 02:49 +0530, Utkarsh Gupta wrote:

> Hi Thorsten
>
> On Sat, Mar 6, 2021 at 2:25 AM Thorsten Glaser wrote:
>> debian/patches/CVE-2021-27135.patch changes button.c line (after
>> patching) 3747 to:
>>
>>    line = realloc(line, screen->selection_size);
>>
>> But “line” is a local variable, the address of the buffer must
>> be stored in the one handed out, too, so please change this to:
>>
>>    if ((have * 2) < (size_t) j) {
>>        Char *next = realloc(line, have + 1);
>>        if (next) {
>>            screen->selection_data = line = next;
>>            screen->selection_size = have + 1;
>>        }
>>    }
>>
>> This also deals properly with realloc failures (since we’re
>> shrinking, ignore them and just keep the older, larger area).

I see that this might be a problem (albeit unlikely to happen in
practice), however I have trouble understanding exactly where a
use-after-realloc bug comes into play. Maybe Thorsten can help me fix
my blindness?

> Thanks for the very comprehensive bug report and for the patch as well!
>
>> I’ve not looked at jessie-ELTS or buster-security whether they
>> are affected as well; sid is clean (and where I got the realloc
>> failure check necessity from, although sid’s free()s the buffer
>> if realloc fails; this isn’t needed @Tom).
>
> If this seems to be happening in stretch, I assume there's a problem
> with jessie-ELTS as well. That said, buster is good because a DSA
> wasn't issued and this will be fixed via a point release.

I had already prepared an update for buster, but fortunately it did not
happen yet, because that one also has the same bug as yours.

> I am glad and surprised that sid is okay and there doesn't seem to be
> a problem. Just to cross-check and ensure I get it right (for stretch
> and jessie), can you send me the reproducer as well? I'd like to be
> able to reproduce this before and after your patch (just to be on the
> safer side) and do the same for jessie as well!

Run xterm under valgrind and select some text. Valgrind will be very
unhappy with xterm 327-2+deb9u1 but should not show up any errors in
that regard with a correctly patched version. Instead of Thorsten's
suggestion you could also apply the patches to the SaltTextAway()
function from xterm 365e.

Cheers,
       Sven
Bug#984469: guitarix: debian/copyright is inaccurate
Hi,

guitarix upstream maintainer here. Please downgrade the severity of this
bug. The files in question are not part of the distributed package, so
there is no serious reason to mark guitarix "unfit for release". Even if
the [debian/copyright] file may be wrong for those files, they have no
relation to the distributed package, as they are only part of the source,
and have no relation to the distributed binary. If it helps, I could mark
the files in question as CC-BY-1.0 so that the copyright file is correct.
However, this is by far not a serious bug, so please, handle it.
Bug#980809: rmatrix: breaks autopkgtest of r-cran-glmmtmb on s390x
Hi Graham and Martin,

Thanks for coming back to this, I had also meant to write to Martin this
weekend.

On 6 March 2021 at 19:16, Graham Inggs wrote:
| Is there a bug opened for this issue with Matrix upstream?

Per field Bug-Reports in DESCRIPTION, the repo (and bug tracker) are
(still) at R-Forge:
  https://r-forge.r-project.org/tracker/?atid=294_id=61=browse

| I may have some useful feedback from TMB upstream to add.

You may need an account there :-/

To Martin: As I can run some simple tests on s390x, is this something you
could possibly schedule to make some time for?

Best, Dirk

--
https://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org
Bug#980809: rmatrix: breaks autopkgtest of r-cran-glmmtmb on s390x
Hi Dirk Is there a bug opened for this issue with Matrix upstream? I may have some useful feedback from TMB upstream to add. Regards Graham
Bug#984508: marked as done (cpl-plugin-amber-calibre: combined remote/local privilege escalation in maintainer script)
Your message dated Sat, 06 Mar 2021 17:03:25 + with message-id and subject line Bug#984508: fixed in cpl-plugin-vimos 4.1.1+dfsg-3 has caused the Debian Bug report #984508, regarding cpl-plugin-amber-calibre: combined remote/local privilege escalation in maintainer script to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 984508: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984508 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: cpl-plugin-amber-calib Version: 4.4.0+dfsg-2 Severity: grave Tags: security X-Debbugs-Cc: Debian Security Team The maintainer script of cpl-plugin-amber-calib has this code: https://sources.debian.org/src/cpl-plugin-amber/4.4.0+dfsg-2/debian/cpl-plugin-calib.postinst.in/#L23 | wget -O- ${URL} | \ | tar xzO ${TAR} | \ | tar xzC ${TARGETDIR} ${COMPONENTS} --strip-components=1 The URL is an unencrypted ftp:// URL. A malicious remote could easily replace the requested archive and supply a different version. Such a replacement could include a setuid root binary for instance. Once installed, a local user can use it for a local privilege escalation. I guess that this is not the only cpl plugin affected by this kind of vulnerability. Helmut --- End Message --- --- Begin Message --- Source: cpl-plugin-vimos Source-Version: 4.1.1+dfsg-3 Done: Ole Streicher We believe that the bug you reported is fixed in the latest version of cpl-plugin-vimos, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. 
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 984...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Ole Streicher (supplier of updated cpl-plugin-vimos package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Sat, 06 Mar 2021 17:37:41 +0100 Source: cpl-plugin-vimos Architecture: source Version: 4.1.1+dfsg-3 Distribution: unstable Urgency: medium Maintainer: Debian Astronomy Maintainers Changed-By: Ole Streicher Closes: 984508 Changes: cpl-plugin-vimos (4.1.1+dfsg-3) unstable; urgency=medium . * Check SHA sum for downloaded calibration file (Closes: #984508) Checksums-Sha1: f46f6a0bf8f814018d8887d2274cd3a5099acf4c 2447 cpl-plugin-vimos_4.1.1+dfsg-3.dsc 649c3f1cb39c2f0e73fc3aa85ee28515929d1815 11584 cpl-plugin-vimos_4.1.1+dfsg-3.debian.tar.xz Checksums-Sha256: 4a0d09a34c15ca7b770390d9d8989358e8f9d39c162aecc1ea0aa018088e7a36 2447 cpl-plugin-vimos_4.1.1+dfsg-3.dsc ce5c84f7adb1663f89dfb6d4d5722d17c50606fb9d1a9eca8433ce44dfcf 11584 cpl-plugin-vimos_4.1.1+dfsg-3.debian.tar.xz Files: 215a36194620fcc90196dbfae6b153e2 2447 science optional cpl-plugin-vimos_4.1.1+dfsg-3.dsc ef51c6c5b4ccb07b4d1bc97a9282d1cf 11584 science optional cpl-plugin-vimos_4.1.1+dfsg-3.debian.tar.xz -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEuvxshffLFD/utvsVcRWv0HcQ3PcFAmBDsKYACgkQcRWv0HcQ 3PdGphAA0Tc/XpGYz2PFIgZwTpd+CwhQBoralAS2kJmNbkk4sAfjmXKpLqyc/7dp YyXYaqmS3cyej0SuvkrVW9XysxMtxObweM262oQ6kcRmhT1GoJUxaE51SL9ei9Ty k89KH6d+aiqhVFJ2FIZEa1CFVbXGmrtawp6gvPmaqIxNgjhkO+UQONO/aV61enzA 2IpaAdbUGEkfGDhPxRr5ii0W8I7GbTLxtpvmMGpOFqbAVM8REz3D8g19H0QWKqLp CEYBt2No/WMWGWGJptevM3xLccC3IIyt9QxJ9hB1FHRoxKRPRuSrD5Ht+/HTaZdl 
fzlito8jPgjXgZqH5a53dxCPbz5LvDaKU4wbDKQgngQk5tngZVMf7fkVg88WzxxS 3cgs774PSojR/aQPz9veiru1WuUVEqiO4YMDpvuK0KHNOuXCQ0+ADwyecHFDuFvo ubXxKroAmTiv2a/b51p5NKQQfd8/0Y8+2/ZES7wHIzt/3vxL9GKvHnexTmuNCIax F9N5nKcEb3WLPBLg6a3Sd9eg/0DPc/hD4QHNJKaVqBfV0v8jTphL6jNDoTIO2o1N 9FQTvwodhPq8unehaT1NDqgsNYxUaR0OphYMt9/W7eZp4XBpzkeLeUNy+SyMH/DC vLndXaVHu7u9OCsrBCvEGmDyZ/qyZb6tJCgzs+zlhBv7dAUEKKY= =wv25 -END PGP SIGNATURE End Message ---
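The pattern Helmut's report describes (an unauthenticated ftp:// fetch piped straight into tar from a postinst that runs as root) and the fix the changelog names (check a SHA sum of the downloaded calibration file before using it), as an added, runnable shell example. This is not the cpl-plugin maintainer script and not the Debian Astronomy team's code: a constructed local tarball stands in for the ftp download, `cp` stands in for `wget -O`, the pinned digest is computed from the trusted copy at demo time only because tar output is not byte-stable across systems (a real package ships the digest as a constant inside the signed .deb), and `sha256sum` is assumed to be available, with `shasum -a 256` as a fallback.

```shell
#!/bin/sh
# Added example (not the cpl-plugin maintainer script): fetch, verify against a
# pinned digest, and only then extract. The original postinst did
#   wget -O- ${URL} | tar xzO ${TAR} | tar xzC ${TARGETDIR} ...
# so whatever the ftp server returned was unpacked as root, unverified.

# SHA-256 of a file; sha256sum (GNU coreutils) assumed, shasum as fallback.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# fetch_and_extract URL EXPECTED_SHA256 TARGETDIR
# Returns 0 on success, 1 on fetch/extract error, 2 on digest mismatch.
# URL is a local path here (assumption); a real script would use
#   wget -O "$tmp" "$url"
# in place of cp. EXPECTED_SHA256 must come from the package, never from the server.
fetch_and_extract() {
    url=$1; expected=$2; targetdir=$3
    tmp=$(mktemp) || return 1
    if ! cp "$url" "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    actual=$(digest "$tmp")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $url: expected $expected, got $actual" >&2
        rm -f "$tmp"; return 2
    fi
    # Only a verified archive reaches tar; TARGETDIR is not even created before that.
    mkdir -p "$targetdir" && tar -xz -C "$targetdir" -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed stand-in for the calibration archive: prints the tarball path.
make_tarball() {
    mkdir -p "$1/src/calib"
    echo "calibration data" > "$1/src/calib/table.fits"
    tar -czf "$1/calib.tar.gz" -C "$1/src" calib
    printf '%s\n' "$1/calib.tar.gz"
}

# Scenario 1: the genuine archive matches the pinned digest and is extracted.
check_genuine() {
    work=$(mktemp -d) || return 1
    tb=$(make_tarball "$work")
    pinned=$(digest "$tb")          # in a real package: a constant shipped in the .deb
    if fetch_and_extract "$tb" "$pinned" "$work/target" \
       && [ -f "$work/target/calib/table.fits" ]; then
        rm -rf "$work"; return 0
    fi
    rm -rf "$work"; return 1
}

# Scenario 2: the server substitutes the archive (an extra "helper" file standing
# in for the setuid root binary from the report). The digest check rejects it
# before tar runs, so nothing lands in TARGETDIR.
check_tampered() {
    work=$(mktemp -d) || return 1
    tb=$(make_tarball "$work")
    pinned=$(digest "$tb")
    mkdir -p "$work/evil/calib"
    echo "attacker-supplied payload" > "$work/evil/calib/helper"
    tar -czf "$tb" -C "$work/evil" calib     # overwrite: what a malicious ftp server serves
    if fetch_and_extract "$tb" "$pinned" "$work/target" 2>/dev/null; then
        rc=0
    else
        rc=$?
    fi
    if [ "$rc" -eq 2 ] && [ ! -e "$work/target" ]; then
        rm -rf "$work"; return 0
    fi
    rm -rf "$work"; return 1
}

# Stand-alone run (RUN_DEMO=1 sh example.sh): report both scenarios.
if [ "${RUN_DEMO:-0}" = 1 ]; then
    check_genuine  && echo "genuine archive: verified and extracted"
    check_tampered && echo "substituted archive: rejected before extraction"
fi
```

The property that matters is ordering: the archive is written to a private temporary file, hashed, and compared before `tar` ever sees it, so a substituted download never touches the target directory. The `--strip-components=1` from the original script is GNU-specific and omitted here. Pinning a digest shipped in the .deb is what closes the substitution hole even over plain ftp://; moving the URL to https:// or verifying a detached signature would add defence in depth but is not required for the check itself.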
Bug#984508: marked as done (cpl-plugin-amber-calibre: combined remote/local privilege escalation in maintainer script)
Your message dated Sat, 06 Mar 2021 17:03:30 + with message-id and subject line Bug#984508: fixed in cpl-plugin-xshoo 3.5.0+dfsg-3 has caused the Debian Bug report #984508, regarding cpl-plugin-amber-calibre: combined remote/local privilege escalation in maintainer script to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 984508: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984508 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: cpl-plugin-amber-calib Version: 4.4.0+dfsg-2 Severity: grave Tags: security X-Debbugs-Cc: Debian Security Team The maintainer script of cpl-plugin-amber-calib has this code: https://sources.debian.org/src/cpl-plugin-amber/4.4.0+dfsg-2/debian/cpl-plugin-calib.postinst.in/#L23 | wget -O- ${URL} | \ | tar xzO ${TAR} | \ | tar xzC ${TARGETDIR} ${COMPONENTS} --strip-components=1 The URL is an unencrypted ftp:// URL. A malicious remote could easily replace the requested archive and supply a different version. Such a replacement could include a setuid root binary for instance. Once installed, a local user can use it for a local privilege escalation. I guess that this is not the only cpl plugin affected by this kind of vulnerability. Helmut --- End Message --- --- Begin Message --- Source: cpl-plugin-xshoo Source-Version: 3.5.0+dfsg-3 Done: Ole Streicher We believe that the bug you reported is fixed in the latest version of cpl-plugin-xshoo, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. 
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 984...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Ole Streicher (supplier of updated cpl-plugin-xshoo package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Sat, 06 Mar 2021 17:49:45 +0100 Source: cpl-plugin-xshoo Architecture: source Version: 3.5.0+dfsg-3 Distribution: unstable Urgency: medium Maintainer: Debian Astronomy Maintainers Changed-By: Ole Streicher Closes: 984508 Changes: cpl-plugin-xshoo (3.5.0+dfsg-3) unstable; urgency=medium . * Check SHA sum for downloaded calibration file (Closes: #984508) Checksums-Sha1: 8ca070fc0b0117f6dba73b16e5779f169bec4d7c 2439 cpl-plugin-xshoo_3.5.0+dfsg-3.dsc b9c7eed80e6b4a5a2fc85460e9f359216854819f 11544 cpl-plugin-xshoo_3.5.0+dfsg-3.debian.tar.xz Checksums-Sha256: ef9a64d41826e2721008d380796a44fb6d17b13d81bccb66eee48c577989459e 2439 cpl-plugin-xshoo_3.5.0+dfsg-3.dsc 0ef139b847f7cb998047479c7690f0f387ba5e45bfa01ae988702d9660fd259e 11544 cpl-plugin-xshoo_3.5.0+dfsg-3.debian.tar.xz Files: fba482836a203bb7aa5d9d2fe233de20 2439 science optional cpl-plugin-xshoo_3.5.0+dfsg-3.dsc 1b4a59b6723de4498af97b17be8dfbe2 11544 science optional cpl-plugin-xshoo_3.5.0+dfsg-3.debian.tar.xz -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEuvxshffLFD/utvsVcRWv0HcQ3PcFAmBDs44ACgkQcRWv0HcQ 3PeHYBAArjuttZJZ6gNhDKFStsvAdSJeHBlY1LmfwdExHJNuySSw3DSqy2zZoaxi L/xKLRWdODvVZ1aSqOsxKJqnPibQRbk3B47iX2zigTHyo1eMtau9Lgy7j4EP7FEh mFi4Ou3hjHxyJl2Lb3AnF/FOoen3wlxpurhwW9ZzfQ+/ZFau1suhflw9BQfTZAou GGxUHHya7ZB8G2AKR6/mb3T7EU2ym6OIp4HqR+VV5/U3v74buNvb0j/qWph5mtfj DyjtQhG8JIaNAMs3gdwMV9Bi/ophX9sDojXL3Jn4fYB/OwEZe5kLA46BBEHgzsiM 
Iqnq8GefLVpW0fMWOjb52xS1JZYooPp7nztP4RVxygiGz/bbFwT5nr/48/Hu36H3 4vmBDpf4d+kQsUDeL/5lVdGhbwmp1vLC2nMuP2NPL2EFYZ8fDv/TjoaR4YbSFMJV KQzZyyYqj+qFW6ZaAWVgFco0M/fhPVQeecvyariKjXcGQrm/ks616VwMmrgs2S5K 07PyM86xGeNSCWYOR6QSwW1STh631h/oWHK5snMzuQQ3L2pKFvlvTPc2jmVvwKLe mY/QJfd8sShMolkOLBA2xzigfW4kcWSctgA50ZnqugdB+3bI1PmYL8lu+k0LjEoa rjuVLbsPaSXhuj7zvn9c96fGaXfV68D+Mct9t4hEoJgSnNuddUI= =2Mr5 -END PGP SIGNATURE End Message ---
Bug#984508: marked as done (cpl-plugin-amber-calibre: combined remote/local privilege escalation in maintainer script)
Your message dated Sat, 06 Mar 2021 16:48:55 + with message-id and subject line Bug#984508: fixed in cpl-plugin-uves 6.1.3+dfsg-4 has caused the Debian Bug report #984508, regarding cpl-plugin-amber-calibre: combined remote/local privilege escalation in maintainer script to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 984508: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984508 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: cpl-plugin-amber-calib Version: 4.4.0+dfsg-2 Severity: grave Tags: security X-Debbugs-Cc: Debian Security Team The maintainer script of cpl-plugin-amber-calib has this code: https://sources.debian.org/src/cpl-plugin-amber/4.4.0+dfsg-2/debian/cpl-plugin-calib.postinst.in/#L23 | wget -O- ${URL} | \ | tar xzO ${TAR} | \ | tar xzC ${TARGETDIR} ${COMPONENTS} --strip-components=1 The URL is an unencrypted ftp:// URL. A malicious remote could easily replace the requested archive and supply a different version. Such a replacement could include a setuid root binary for instance. Once installed, a local user can use it for a local privilege escalation. I guess that this is not the only cpl plugin affected by this kind of vulnerability. Helmut --- End Message --- --- Begin Message --- Source: cpl-plugin-uves Source-Version: 6.1.3+dfsg-4 Done: Ole Streicher We believe that the bug you reported is fixed in the latest version of cpl-plugin-uves, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. 
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 984...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Ole Streicher (supplier of updated cpl-plugin-uves package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Sat, 06 Mar 2021 17:30:58 +0100 Source: cpl-plugin-uves Architecture: source Version: 6.1.3+dfsg-4 Distribution: unstable Urgency: medium Maintainer: Debian Astronomy Maintainers Changed-By: Ole Streicher Closes: 984508 Changes: cpl-plugin-uves (6.1.3+dfsg-4) unstable; urgency=medium . * Check SHA sum for downloaded calibration file (Closes: #984508) Checksums-Sha1: 3dba13f0b3c22a2c8b66279a498f024f574a0bf5 2449 cpl-plugin-uves_6.1.3+dfsg-4.dsc ecf221c0ea408fab91e1282ac311940ad60f63e7 11552 cpl-plugin-uves_6.1.3+dfsg-4.debian.tar.xz Checksums-Sha256: 363850e1a4dc73bc06c4143e1cde2d6e6a2a28a0d5d6810118f645c4477c88cb 2449 cpl-plugin-uves_6.1.3+dfsg-4.dsc b27cc5d1fb40d1667da1a7ee9656fa31dd899ec3a7919939d11036e93409 11552 cpl-plugin-uves_6.1.3+dfsg-4.debian.tar.xz Files: 45479452915899fef8ea463f578ce1ec 2449 science optional cpl-plugin-uves_6.1.3+dfsg-4.dsc f04f170580346286e8be7f070cdadc6d 11552 science optional cpl-plugin-uves_6.1.3+dfsg-4.debian.tar.xz -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEuvxshffLFD/utvsVcRWv0HcQ3PcFAmBDrxIACgkQcRWv0HcQ 3Pf7RRAApPUF2CE7ax1B3vdLIs699gq3415rpP2+XBVUUEIlpbtqkcBBeJ0hra+O hy4VvWKNFzNIi4ndnCYNU5oV5m9qGtafYmknPltXMO+b3//jiy/Aaltzi/+0Lul9 z/u5drCvSF5qi6liwMqogd0Pe8E6JdHCvRSnXhW50rfTt0bDHtoNg+qpzfjmBRmA 3w2sq5a81Cn4D7FRWZEvKvSMHCbnp/8Wu+tJoAVcFrb7Gl+SK47pUc1hs+Hw7hzH SfNKRu2Wlq9Wt20oQzTGi5+Iv3e2zRaJxfGRO0krSTc85XNNh25NO3rXdK8l4W+W a36ER+cvH7/aJmADeXgXLo+UP9C+oClmOQLN1L922Fg3I+y+D9sDH474yM5Io+VC 
dVwVFqikHK+u4GVvr424PSTF3Dvd7P2PxXYvqA7h69T5I77y/Fi+UhMxXBG32sYT 7pTIyAQpGCwmnf5CBjPGQ91923JmVN9iv6UoITLA3CXui0jBmFBs5KXytetBVr2r /qWRn42hpbeXApIy7DssmlpU9xTjIDokK8Zo0xpBj7c7eF2AfoXdVdJPoyBTV+Ey Z3sw/iLziNchKK1uhdzsdr6W9CTPY1otdiOztKa9r6meWfYbA0i2DhXCgwm7J+3J KTxFvHeusPHyJktLD19CMLuB0Lt3dqFJH+poDZ5NMEu7r75soks= =J6Kd -END PGP SIGNATURE End Message ---
Bug#984508: marked as done (cpl-plugin-amber-calibre: combined remote/local privilege escalation in maintainer script)
Your message dated Sat, 06 Mar 2021 16:48:50 + with message-id and subject line Bug#984508: fixed in cpl-plugin-naco 4.4.9+dfsg-3 has caused the Debian Bug report #984508, regarding cpl-plugin-amber-calibre: combined remote/local privilege escalation in maintainer script to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 984508: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984508 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: cpl-plugin-amber-calib Version: 4.4.0+dfsg-2 Severity: grave Tags: security X-Debbugs-Cc: Debian Security Team The maintainer script of cpl-plugin-amber-calib has this code: https://sources.debian.org/src/cpl-plugin-amber/4.4.0+dfsg-2/debian/cpl-plugin-calib.postinst.in/#L23 | wget -O- ${URL} | \ | tar xzO ${TAR} | \ | tar xzC ${TARGETDIR} ${COMPONENTS} --strip-components=1 The URL is an unencrypted ftp:// URL. A malicious remote could easily replace the requested archive and supply a different version. Such a replacement could include a setuid root binary for instance. Once installed, a local user can use it for a local privilege escalation. I guess that this is not the only cpl plugin affected by this kind of vulnerability. Helmut --- End Message --- --- Begin Message --- Source: cpl-plugin-naco Source-Version: 4.4.9+dfsg-3 Done: Ole Streicher We believe that the bug you reported is fixed in the latest version of cpl-plugin-naco, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. 
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 984...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Ole Streicher (supplier of updated cpl-plugin-naco package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Sat, 06 Mar 2021 17:23:55 +0100 Source: cpl-plugin-naco Architecture: source Version: 4.4.9+dfsg-3 Distribution: unstable Urgency: medium Maintainer: Debian Astronomy Maintainers Changed-By: Ole Streicher Closes: 984508 Changes: cpl-plugin-naco (4.4.9+dfsg-3) unstable; urgency=medium . * Check SHA sum for downloaded calibration file (Closes: #984508) Checksums-Sha1: 43eb21e9a5446ab345780fb97b9779680a3086ad 2416 cpl-plugin-naco_4.4.9+dfsg-3.dsc d04bd0e0e7d94d30a2b52ce5082370382cf686d6 11424 cpl-plugin-naco_4.4.9+dfsg-3.debian.tar.xz Checksums-Sha256: dfec4e3b3167e545e1423705b6bd9164e79c15dd6b015f4d1effc1665106694d 2416 cpl-plugin-naco_4.4.9+dfsg-3.dsc c4612651afd83303c1f91b1ced6565c4f9e6e140827330f87c4b8639765af089 11424 cpl-plugin-naco_4.4.9+dfsg-3.debian.tar.xz Files: 9f741fb89ae7b6b764b7879d2a3c39ba 2416 science optional cpl-plugin-naco_4.4.9+dfsg-3.dsc cd3cb9528a6108fad39239cb54a68936 11424 science optional cpl-plugin-naco_4.4.9+dfsg-3.debian.tar.xz -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEuvxshffLFD/utvsVcRWv0HcQ3PcFAmBDrVIACgkQcRWv0HcQ 3Pdpuw//dkv7vAdukUtsu70ux/LzD77yFD6DFzbq31MJo5xhv+6j97Ca7v6hRCd7 r0hs1v5ecVMCuke9wnr2KH93m/7BEDy7YBR+shEqyC11RFX7G5jfzJVk79Rra1VZ CjsvEtUJLGovN/ZNKOFaP5uX4hxG53TtrYGaOb+TSas0ndyo9Gs7qysURobGD9qf Asp/Ww9sAy2UsqtT6yWBCHDxAdSyLvCVoG4+hRG5wYUcIajIoNWa8YNEm0yjP+hv j+XeBJBwHKzflYRdENx9iqUbl749LKoIJaqC9Un+JEYW1eO9W7BE1MzD0s6HAT0V EA3XPuKIsw23U1rkGjp8ueGW34S86yND0Ik620+9yBu+tKmu+qtidHE1FZ+RUa8+ 
egHf93HmVKU1cVzycnB9Fh18KxTH/W/gQZKk0nlo2uVlN2ZKXkpAoxCIxTPJ0/F0 PhLxqEvxsj5Z+juO4Lt8zDZgHaFmAR7vZo9n1YowQ0aEyhkRctn1l/KJAKWsSEgf qCcVfAq/B21lEc+2cdm+xwDie3DznUuzc7YFDBXnzfzyvYWM5AxWvYQFQlts6r7d 4v/0JXuHNc0ZreIat0i11UDQvept40m4TYNltRFa5Xrz5ZXWhVWPsZI5xpA4niXD qdVft++7J9WZM3670lS3vN1+qEXm33K7oqU0VMa4ZIlow5HDsGA= =MqLl -END PGP SIGNATURE End Message ---
Bug#984508: marked as done (cpl-plugin-amber-calibre: combined remote/local privilege escalation in maintainer script)
Your message dated Sat, 06 Mar 2021 16:18:39 + with message-id and subject line Bug#984508: fixed in cpl-plugin-muse 2.8.3+dfsg-3 has caused the Debian Bug report #984508, regarding cpl-plugin-amber-calibre: combined remote/local privilege escalation in maintainer script to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 984508: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984508 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: cpl-plugin-amber-calib Version: 4.4.0+dfsg-2 Severity: grave Tags: security X-Debbugs-Cc: Debian Security Team The maintainer script of cpl-plugin-amber-calib has this code: https://sources.debian.org/src/cpl-plugin-amber/4.4.0+dfsg-2/debian/cpl-plugin-calib.postinst.in/#L23 | wget -O- ${URL} | \ | tar xzO ${TAR} | \ | tar xzC ${TARGETDIR} ${COMPONENTS} --strip-components=1 The URL is an unencrypted ftp:// URL. A malicious remote could easily replace the requested archive and supply a different version. Such a replacement could include a setuid root binary for instance. Once installed, a local user can use it for a local privilege escalation. I guess that this is not the only cpl plugin affected by this kind of vulnerability. Helmut --- End Message --- --- Begin Message --- Source: cpl-plugin-muse Source-Version: 2.8.3+dfsg-3 Done: Ole Streicher We believe that the bug you reported is fixed in the latest version of cpl-plugin-muse, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. 
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 984...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Ole Streicher (supplier of updated cpl-plugin-muse package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Sat, 06 Mar 2021 16:36:30 +0100 Source: cpl-plugin-muse Architecture: source Version: 2.8.3+dfsg-3 Distribution: unstable Urgency: medium Maintainer: Debian Astro Team Changed-By: Ole Streicher Closes: 984508 Changes: cpl-plugin-muse (2.8.3+dfsg-3) unstable; urgency=medium . * Check SHA sum for downloaded calibration file (Closes: #984508) Checksums-Sha1: b0d93c78b57a0c84468bc844414816e116030ba1 2396 cpl-plugin-muse_2.8.3+dfsg-3.dsc 008388663f8b74ca5e9ddaad3c89272c7486e231 14040 cpl-plugin-muse_2.8.3+dfsg-3.debian.tar.xz Checksums-Sha256: dcc326c16c1845aae35072930f07d04a66769bf9631fbbc69703f33c80199f01 2396 cpl-plugin-muse_2.8.3+dfsg-3.dsc ea55d2572389935289fe78dc816151c27c6c869ec5f22c2b984e92fb5f05dc41 14040 cpl-plugin-muse_2.8.3+dfsg-3.debian.tar.xz Files: 52c8d783655b0d3f7a9efd50f6be8208 2396 science optional cpl-plugin-muse_2.8.3+dfsg-3.dsc d0a8f43b3c52e031b4c6f6744d9b302a 14040 science optional cpl-plugin-muse_2.8.3+dfsg-3.debian.tar.xz -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEuvxshffLFD/utvsVcRWv0HcQ3PcFAmBDqMMACgkQcRWv0HcQ 3PdQHhAA09YUZfsLMb9mc/taMs4/mGu194bDLaKSpDktu+d/e5uWbtrTQYTRISap v8qRXfV8zKFXOsMTjzw7osWeTHt+63GHBFb+4M7noyjsaUSRkcnh+X2sDvwha9nm IE56z7Vkeib6qd6H8Lk2jHKp1kXrbuPvoOXGqQ9b1IxUi6/54mVUqvgzPRL/VD3l PABQ6rNh44b6ZcVJDmnhEzS7U7QB13uh+Ez4lJs7ArkmvxHHfFShF6eaTLn/3/JD 1teu7Pjf6BmCemWfYT1LnXjooSc9YJys0sFbE/2dZD21B/GAD2vHX0v4BSYD15le y+TgoQ+baQZlwmRG1JhkYpnrLIyiLxrh2IdsBLRkrEY8WJILmHk5WSfGady3xZQn 
K9U7MVRzA5kXsrF+a+pGcKqHEhflbKTmuNP3lbpvZ13TXCQwlwqOWcV2njSfAJSW n6QUORJX2NdGLf2HfbMfLZgNvqKpCzDmEwFQeP10ApLippDJ6UOvQ/YhUOnQq8Kl 6I2YioJJnY90oUIepnWSIJQwVKzKCNRd4YaCayB9mjGz38GVAjXmEtnbr1Fz1YrX 8yJamU5clrVvXFVLiO7VMiFB+P17PpoM5VmuL/kgxyK5XZUJmPZxQ0A0yzJXDdrV +yzxFWDkhiZBSalMhGUuj+DdZ2Dm1hPUNQH1XgvI73Ul6cEFIvg= =EZry -END PGP SIGNATURE End Message ---
Bug#984508: marked as done (cpl-plugin-amber-calibre: combined remote/local privilege escalation in maintainer script)
Your message dated Sat, 06 Mar 2021 15:18:48 + with message-id and subject line Bug#984508: fixed in cpl-plugin-giraf 2.16.7+dfsg-3 has caused the Debian Bug report #984508, regarding cpl-plugin-amber-calibre: combined remote/local privilege escalation in maintainer script to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 984508: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984508 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: cpl-plugin-amber-calib Version: 4.4.0+dfsg-2 Severity: grave Tags: security X-Debbugs-Cc: Debian Security Team The maintainer script of cpl-plugin-amber-calib has this code: https://sources.debian.org/src/cpl-plugin-amber/4.4.0+dfsg-2/debian/cpl-plugin-calib.postinst.in/#L23 | wget -O- ${URL} | \ | tar xzO ${TAR} | \ | tar xzC ${TARGETDIR} ${COMPONENTS} --strip-components=1 The URL is an unencrypted ftp:// URL. A malicious remote could easily replace the requested archive and supply a different version. Such a replacement could include a setuid root binary for instance. Once installed, a local user can use it for a local privilege escalation. I guess that this is not the only cpl plugin affected by this kind of vulnerability. Helmut --- End Message --- --- Begin Message --- Source: cpl-plugin-giraf Source-Version: 2.16.7+dfsg-3 Done: Ole Streicher We believe that the bug you reported is fixed in the latest version of cpl-plugin-giraf, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. 
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 984...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Ole Streicher (supplier of updated cpl-plugin-giraf package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Sat, 06 Mar 2021 15:52:22 +0100 Source: cpl-plugin-giraf Architecture: source Version: 2.16.7+dfsg-3 Distribution: unstable Urgency: medium Maintainer: Debian Astronomy Maintainers Changed-By: Ole Streicher Closes: 984508 Changes: cpl-plugin-giraf (2.16.7+dfsg-3) unstable; urgency=medium . * Check SHA sum for downloaded calibration file (Closes: #984508) Checksums-Sha1: c171cad390cd7a3c28d5f036a49e1eec338caafa 2452 cpl-plugin-giraf_2.16.7+dfsg-3.dsc 30e68a33cd1819f64d53364080638d2977745d3f 9900 cpl-plugin-giraf_2.16.7+dfsg-3.debian.tar.xz Checksums-Sha256: f76eab6e5985ed2d622586632ffac19657ca25894161f1beecee18f93919ec9c 2452 cpl-plugin-giraf_2.16.7+dfsg-3.dsc 3d4c9cf22d503445012b2cb60f239f06102e3dfcc6fd66ada4285cdb980f26b0 9900 cpl-plugin-giraf_2.16.7+dfsg-3.debian.tar.xz Files: 99ed9cec1c25c01a779d597c0fc533d0 2452 science optional cpl-plugin-giraf_2.16.7+dfsg-3.dsc 8490b3d04a20aba5d129d78624074cda 9900 science optional cpl-plugin-giraf_2.16.7+dfsg-3.debian.tar.xz -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEuvxshffLFD/utvsVcRWv0HcQ3PcFAmBDmQYACgkQcRWv0HcQ 3Pextg/+O0WMhdqVghSaled6Gd7NqN45E2mBKQoeOX4YSO0wiytmp4cw8GVKu2yT hrW1OA1uwOJADQZMbgLe4yeoItSOx6LVC6zQB17nSc+ifjkAqFWM4iSdIOmBGgdW PywMXXBXDb+3KYGcWpNRBi++c0pimUTR72JOlrDU1wERYD4mayZhHy9SYW6iKjaK 2xNJcRQIk5Fo8LjHkVjnjtbVcUHW5plJo5IbJDY9PMPBSRN6O2d18PYB5H/slgXi d6IMHB94lRQtpSpDCNRWYfEZfCbB77VsFAfYKxOtkkS0Wt6BtQLhXbDWFwNDCmyx 
4GeLvNlksfFcVA3MuEC9HsoJZWy2ECWpK8xuilOLuILFbPHdQ138GdPm7ug49RmW O5Fv3AQmrXo/SkiEdVvkG7SgQ49ZED0msKKOwieLeAc14cituv2QX+p4k4L3396/ mx7P1JJcNO6kOJzr2VSGSxbwXl9f/0r5ZGJ9dGahLfh+AGYfgTwgIM4OwjYB3tJe qCIFWApUNVjRA4U8dXU1VOx9wbhF0xIyaVgNlC8mCdqO9WzyKPRgJNO+1bPoF/Go q1xl9aJ7DaaiZVXNLeNC13vh9v7uh8P/p5cT/gzXI8dFlvejWXeNrwsfOVJDMNbm b31mFiOyXGXMBptgSEjD0f6zhshg4sCxQ2EctSfxyz2vFZJw5+w= =1PMk -END PGP SIGNATURE End Message ---
Bug#984508: marked as done (cpl-plugin-amber-calibre: combined remote/local privilege escalation in maintainer script)
Your message dated Sat, 06 Mar 2021 15:18:43 + with message-id and subject line Bug#984508: fixed in cpl-plugin-fors 5.5.6+dfsg-3 has caused the Debian Bug report #984508, regarding cpl-plugin-amber-calibre: combined remote/local privilege escalation in maintainer script to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 984508: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984508 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: cpl-plugin-amber-calib Version: 4.4.0+dfsg-2 Severity: grave Tags: security X-Debbugs-Cc: Debian Security Team The maintainer script of cpl-plugin-amber-calib has this code: https://sources.debian.org/src/cpl-plugin-amber/4.4.0+dfsg-2/debian/cpl-plugin-calib.postinst.in/#L23 | wget -O- ${URL} | \ | tar xzO ${TAR} | \ | tar xzC ${TARGETDIR} ${COMPONENTS} --strip-components=1 The URL is an unencrypted ftp:// URL. A malicious remote could easily replace the requested archive and supply a different version. Such a replacement could include a setuid root binary for instance. Once installed, a local user can use it for a local privilege escalation. I guess that this is not the only cpl plugin affected by this kind of vulnerability. Helmut --- End Message --- --- Begin Message --- Source: cpl-plugin-fors Source-Version: 5.5.6+dfsg-3 Done: Ole Streicher We believe that the bug you reported is fixed in the latest version of cpl-plugin-fors, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. 
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 984...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Ole Streicher (supplier of updated cpl-plugin-fors package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Sat, 06 Mar 2021 15:33:07 +0100 Source: cpl-plugin-fors Architecture: source Version: 5.5.6+dfsg-3 Distribution: unstable Urgency: medium Maintainer: Debian Astronomy Maintainers Changed-By: Ole Streicher Closes: 984508 Changes: cpl-plugin-fors (5.5.6+dfsg-3) unstable; urgency=medium . * Check SHA sum for downloaded calibration file (Closes: #984508) Checksums-Sha1: 1e096abd0736b8fec2141e44ac8d94ce9c192393 2431 cpl-plugin-fors_5.5.6+dfsg-3.dsc 4d6619465354de5af56cb9bbffe4a6bf3773953b 13112 cpl-plugin-fors_5.5.6+dfsg-3.debian.tar.xz Checksums-Sha256: 4d42fe53fb08a2967787fc92d5e84435c50c6fa560abe8196b7a53dbac5a4ff6 2431 cpl-plugin-fors_5.5.6+dfsg-3.dsc d41a05ebf19d897fdd081381e3c08e6caebf473ee58be269ffb93e11f68e8c85 13112 cpl-plugin-fors_5.5.6+dfsg-3.debian.tar.xz Files: 7be11fe20ac3e9b7e6a9a32bd71b4f66 2431 science optional cpl-plugin-fors_5.5.6+dfsg-3.dsc f884a82f9b3aead35d9c76eac9597e2f 13112 science optional cpl-plugin-fors_5.5.6+dfsg-3.debian.tar.xz -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEuvxshffLFD/utvsVcRWv0HcQ3PcFAmBDk3cACgkQcRWv0HcQ 3PcgrxAAso68wQtOzsWEdsZLsxUmyuxBxqKh9Cl/fwedoxXn4pV97ZcDcoz/FiCF JDEP5NflVIzps5M+jhg/NQgk4+ff0bVdwytWlHaDEu/juabKluRsKdgehlrqsl0w MeMBHk8boX7AfkfqhN9m/j6w+2NC9Wd6NkWBISTh5MOTixXJb724VUwP2uTQOV0c Foilv7wO4+BwCBUR7iBS3t3bbsyh4xJaxCIICT0E9BBAmgN1jXUGk8oaK17vZ1RS g1is8ziSegwb2ZkdvHjxSTg3W2J9UncMr9q0bMWFGZDBgAWXNrc7IU1vJxpolFHT ikhOJ1ZfGLYKvVz0keQ9kzYLKiTH/rUkMJGBawaEix/OgXIARXPDj9HTAoVa2AIw 
cSQAI1BX/uw4R7RLnbrn62anN2wVm3jumS/eS+No01xNQBh3R3OORVQwZ6/SaqGI 19kgqqJi+b/fEU3HVbBpb264mk80FKjUdpJxleJvRyWwg19f1GNk569eA4UvCGun jGVUATK8dwL+WB+bLESlms5FyT/b2/tbeWs9TQr5sJLIKHpoUKSe6dWJGbTpbRsT 5tWDjXHAlPQb2NYZ9DzpfST1bTIf3/9WYMwF+edzTLNvC1IvP6uqbfO+Dridh2tR Y7cA8/g5mdd5dAhDcwix9SWGI6olWI0qj8smjKwQc7gyMuBJ+ys= =Dnkp -END PGP SIGNATURE End Message ---
Bug#984646: omniorb-nameserver: omniNames does not start any longer
Package: omniorb-nameserver Version: 4.2.2-0.9+b1 Severity: grave Tags: d-i Justification: renders package unusable Dear Maintainer, * What led up to the situation? starting omniorb4-nameserver a second time. * What exactly did you do (or not do) that was effective (or ineffective)? rm -f /var/lib/omniorb/omninames* starting/stopping omniorb4-nameserver 2 times: systemctl start omniorb-nameserver => service runs systemctl stop omniorb-nameserver => in /var/lib/omniorb/: omninames-*.bak omninames-*.dat exists systemctl start omniorb-nameserver * What was the outcome of this action? => omniorb4-nameserver service does not run (systemctl status omniorb4-nameserver) => in /var/lib/omniorb/: omninames-*.bak omninames-*.dat omninames-*.log exists * What outcome did you expect instead? - omniNames nameserver service runs. - omninames-*.log does not exist in /var/lib/omniorb/ * I think the problem is in /etc/init.d/omniorb4-nameserver which copies omninames-*.bak file to .log According to http://omniorb.sourceforge.net/omni42/omniNames.html ".log" is replaced by ".dat". I think this is just a matter of filename extensions. -- System Information: Debian Release: 10.8 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.19.0-14-amd64 (SMP w/8 CPU cores) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages omniorb-nameserver depends on: ii libc6 2.28-10 ii libgcc1 1:8.3.0-6 ii libomniorb4-2 4.2.2-0.9+b1 ii libomnithread4 4.2.2-0.9+b1 ii libstdc++6 8.3.0-6 ii lsb-base10.2019051400 omniorb-nameserver recommends no packages. omniorb-nameserver suggests no packages.
Bug#984508: marked as done (cpl-plugin-amber-calibre: combined remote/local privilege escalation in maintainer script)
Your message dated Sat, 06 Mar 2021 14:48:26 + with message-id and subject line Bug#984508: fixed in cpl-plugin-amber 4.4.0+dfsg-3 has caused the Debian Bug report #984508, regarding cpl-plugin-amber-calibre: combined remote/local privilege escalation in maintainer script to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
984508: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984508
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: cpl-plugin-amber-calib
Version: 4.4.0+dfsg-2
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team

The maintainer script of cpl-plugin-amber-calib has this code:
https://sources.debian.org/src/cpl-plugin-amber/4.4.0+dfsg-2/debian/cpl-plugin-calib.postinst.in/#L23

| wget -O- ${URL} | \
|     tar xzO ${TAR} | \
|     tar xzC ${TARGETDIR} ${COMPONENTS} --strip-components=1

The URL is an unencrypted ftp:// URL. A malicious remote could easily replace the requested archive and supply a different version. Such a replacement could include a setuid root binary for instance. Once installed, a local user can use it for a local privilege escalation.

I guess that this is not the only cpl plugin affected by this kind of vulnerability.

Helmut
--- End Message ---

--- Begin Message ---
Source: cpl-plugin-amber
Source-Version: 4.4.0+dfsg-3
Done: Ole Streicher

We believe that the bug you reported is fixed in the latest version of cpl-plugin-amber, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 984...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ole Streicher (supplier of updated cpl-plugin-amber package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 05 Mar 2021 18:09:00 +0100
Source: cpl-plugin-amber
Architecture: source
Version: 4.4.0+dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Astronomy Maintainers
Changed-By: Ole Streicher
Closes: 984508
Changes:
 cpl-plugin-amber (4.4.0+dfsg-3) unstable; urgency=medium
 .
   * Check SHA sum for downloaded calibration file (Closes: #984508)
Checksums-Sha1:
 6d2653ab391ec14b8f053d8f3633637784f73f72 2443 cpl-plugin-amber_4.4.0+dfsg-3.dsc
 5c9bfb4b4c7d4713e7fee7490648f26e5220c283 9704 cpl-plugin-amber_4.4.0+dfsg-3.debian.tar.xz
Checksums-Sha256:
 602c0fc8298cc7e4b6c4a86adf696a4dc562eead4d34fef76eeb8741e210a4b2 2443 cpl-plugin-amber_4.4.0+dfsg-3.dsc
 29855133907fdf4b799e6974f392d592c3f622085d18ef37dbad02132617b03f 9704 cpl-plugin-amber_4.4.0+dfsg-3.debian.tar.xz
Files:
 fa5d7b8a00a284f3415964db09a81f37 2443 science optional cpl-plugin-amber_4.4.0+dfsg-3.dsc
 f3b4b723c6fd6218b943da5b8bb61fb6 9704 science optional cpl-plugin-amber_4.4.0+dfsg-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEuvxshffLFD/utvsVcRWv0HcQ3PcFAmBDkTkACgkQcRWv0HcQ
3PdighAAxle5sDSEnEgwWhbWtxbeVYWgeX9CThHE8aMcSQ0m903NgF1NTG3gI1cH
4HxNAmnTO8YW9bX/eAo6XA8ZB2BkaMvVM2Js3yqSZNs+jRCPdql7jm/0BdINUqoW
ne8KJgXUjESphFejppgAHJBZPeWCHSJxo83OrlXbeTOfJ0sHVib8juDQlFfWxEpT
9iq1EpNFmrai8xOW5vLZtX7C+c4Rzz4gYoCzW/0r25lF6poioYt9N05N6VlC4Idj
PzyCPdbBL0xt+GcExpvAG9A+z5283V7ZOoWZUN80Y5doUJFl4sj2GZDyecgb91sA
LP7mzyriVKmx21WXzEqvZOAwMz4aC11V47469yE9wFaKS+AE+7DhY37vJwywHdLR
2rL7LpQqRejXltCrjk4cFHFZGgI0LTgBoo5H6DS+wjarlVBGmEDBCp7wp9HH6aa1
g+bvMUfttxnh+jBFVdCmjfBljMTfj3iv1wTNk8E2eVKR6IIlIPWiD6Oo5/4gpno4
2DuLRp0bDdMJBfjDe2crS5Xt0GiLX7a9uayXzkrqKlBVsZEn4rpoQPB5iYAKGMLk
i03l3Wburatw7XiDh50LNO/gqqVBsj+uOD24eAQzgoTWOFDZe/TyUUSD+vjP0TZa
c8G7EvLiMcaKDa1KuBkzzrIH5Az5CqqKbO6D4ZmIW/gdfU4pGG0=
=uj4E
-----END PGP SIGNATURE-----
--- End Message ---
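The pattern Helmut describes, written out as an added example in maintainer-script style. This is not the cpl-plugin-amber postinst and not the 4.4.0+dfsg-3 fix (which the changelog only summarises as "Check SHA sum for downloaded calibration file"): the download lands in a private temporary file, its SHA-256 is compared with a digest that ships inside the .deb, and only a matching archive is unpacked, with the archive's owner and mode bits ignored so a crafted tarball cannot plant a setuid root binary. The function and variable names, and the digest used in the self-check, are the example's own. The pinned digest has to come from the package itself; fetching it from the same ftp:// host would only let the attacker supply a matching pair.

```shell
#!/bin/sh
# Added example, not the cpl-plugin-amber maintainer script: fetch a
# calibration tarball as root without piping the network stream into tar.
# URL, EXPECTED_SHA256 and TARGETDIR are placeholders supplied by the caller.
set -eu

# Hex SHA-256 of a file, using coreutils sha256sum or, failing that, shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED: succeed only if the full hex digest matches.
verify_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# fetch_verify_extract URL EXPECTED_SHA256 TARGETDIR
# 1. download to a temporary file, 2. check the digest pinned in the package,
# 3. only then unpack, dropping the archive's owner/mode bits (we run as root).
fetch_verify_extract() {
    url=$1 expected=$2 target=$3
    tmp=$(mktemp)
    if ! wget -q -O "$tmp" "$url"; then
        rm -f "$tmp"; echo "download of $url failed" >&2; return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        rm -f "$tmp"; echo "SHA-256 mismatch for $url, refusing to extract" >&2; return 1
    fi
    mkdir -p "$target"
    tar -xzf "$tmp" -C "$target" --strip-components=1 \
        --no-same-owner --no-same-permissions
    rm -f "$tmp"
}

# Self-check on a constructed file, no network needed: the SHA-256 of the
# five bytes "hello" is a well-known value; the all-zero digest is a stand-in
# for a tampered archive.
selfcheck() {
    f=$(mktemp)
    printf 'hello' > "$f"
    good=2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
    bad=0000000000000000000000000000000000000000000000000000000000000000
    verify_sha256 "$f" "$good" && echo "pinned digest accepted"
    verify_sha256 "$f" "$bad" || echo "tampered digest rejected"
    rm -f "$f"
}
selfcheck
```

Two caveats remain even with the check in place: the postinst still executes a network fetch as root at install time, so the pinned digest must be bumped with every upstream release, and a digest only protects against substitution, not against a calibration file that was already unwanted when it was pinned. Shipping the data as its own package, or at least using an https:// URL, removes the dependency on the remote host altogether.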
Processed: user debian...@lists.debian.org, usertagging 958029, affects 958029, usertagging 888060
Processing commands for cont...@bugs.debian.org:

> user debian...@lists.debian.org
Setting user to debian...@lists.debian.org (was a...@debian.org).
> usertags 958029 piuparts
There were no usertags set.
Usertags are now: piuparts.
> affects 958029 + python-imiptools python-imipweb
Bug #958029 [src:imip-agent] imip-agent: build-depends on removed packages: python-babel python-psycopg2
Added indication that 958029 affects python-imiptools and python-imipweb
> usertags 888060 piuparts
There were no usertags set.
Usertags are now: piuparts.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
888060: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888060
958029: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958029
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#984647: forensics-extra's autopkg tests always fail on 32bit archs
Package: src:forensics-extra
Version: 2.28
Severity: serious
Tags: sid bullseye

forensics-extra's autopkg tests always fail on 32bit archs, because the test dependencies cannot be fulfilled on these architectures, caused by the removal of the 32bit builds of swt4-gtk. The reference autopkg test for testing will always fail, allowing migration of this package despite eventually introducing new regressions on armhf and i386. The test command1 should accommodate the installability.

[...]
Broken stegosuite:armhf Depends on libswt-cairo-gtk-4-jni:armhf < none @un H >
Broken stegosuite:armhf Depends on libswt-gtk-4-jni:armhf < none @un H >
Broken stegosuite:armhf Depends on libcommons-cli-java:armhf < none | 1.4-2 @un uH > (>= 1.4)
  Considering libcommons-cli-java:armhf 0 as a solution to stegosuite:armhf 0
  Re-Instated libcommons-cli-java:armhf
Broken stegosuite:armhf Depends on liblogback-java:armhf < none | 1:1.2.3-6 @un uH > (>= 1.2.3)
  Considering liblogback-java:armhf 0 as a solution to stegosuite:armhf 0
  Re-Instated libslf4j-java:armhf
  Re-Instated liblogback-java:armhf
Broken stegosuite:armhf Depends on libswt-gtk-4-java:armhf < none @un H >
Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 stegosuite : Depends: libswt-cairo-gtk-4-jni but it is not installable
              Depends: libswt-gtk-4-jni but it is not installable
              Depends: libswt-gtk-4-java but it is not installable
E: Unable to correct problems, you have held broken packages.
command1 FAIL badpkg
blame: forensics-extra
Bug#983379: [PATCH] um: mark all kernel symbols as local
On Fri, 2021-03-05 at 20:54 +, Anton Ivanov wrote:
> On 05/03/2021 20:43, Johannes Berg wrote:
> > From: Johannes Berg
> >
> > Ritesh reported a bug [1] against UML, noting that it crashed on
> > startup. The backtrace shows the following (heavily redacted):
> >
> > (gdb) bt
> > ...
> > #26 0x60015b5d in sem_init () at ipc/sem.c:268
> > #27 0x7f89906d92f7 in ?? () from /lib/x86_64-linux-gnu/libcom_err.so.2
> > #28 0x7f8990ab8fb2 in call_init (...) at dl-init.c:72
> > ...
> > #40 0x7f89909bf3a6 in nss_load_library (...) at nsswitch.c:359
> > ...
> > #44 0x7f8990895e35 in _nss_compat_getgrnam_r (...) at nss_compat/compat-grp.c:486
> > #45 0x7f8990968b85 in __getgrnam_r [...]
> > #46 0x7f89909d6b77 in grantpt [...]
> > #47 0x7f8990a9394e in __GI_openpty [...]
> > #48 0x604a1f65 in openpty_cb (...) at arch/um/os-Linux/sigio.c:407
> > #49 0x604a58d0 in start_idle_thread (...) at arch/um/os-Linux/skas/process.c:598
> > #50 0x60004a3d in start_uml () at arch/um/kernel/skas/process.c:45
> > #51 0x600047b2 in linux_main (...) at arch/um/kernel/um_arch.c:334
> > #52 0x6000574f in main (...) at arch/um/os-Linux/main.c:144
> >
> > indicating that the UML function openpty_cb() calls openpty(),
> > which internally calls __getgrnam_r(), which causes the nsswitch
> > machinery to get started.
> >
> > This loads, through lots of indirection that I snipped, the
> > libcom_err.so.2 library, which (in an unknown function, "??")
> > calls sem_init().
> >
> > Now, of course it wants to get libpthread's sem_init(), since
> > it's linked against libpthread. However, the dynamic linker
> > looks up that symbol against the binary first, and gets the
> > kernel's sem_init().
> >
> > Hajime Tazaki noted that "objcopy -L" can localize a symbol,
> > so the dynamic linker wouldn't do the lookup this way. I tried,
> > but for some reason that didn't seem to work.
> > > > Doing the same thing in the linker script instead does seem to > > work, though I cannot entirely explain - it *also* works if I > > just add "VERSION { { global: *; }; }" instead, indicating that > > something else is happening that I don't really understand. It > > may be that explicitly doing that marks them with some kind of > > empty version, and that's different from the default. > > > > Explicitly marking them with a version breaks kallsyms, so that > > doesn't seem to be possible. > > > > Marking all the symbols as local seems correct, and does seem > > to address the issue, so do that. Also do it for static link, > > nsswitch libraries could still be loaded there. > > > > [1] https://bugs.debian.org/983379 > > > > Reported-by: Ritesh Raj Sarraf > > Signed-off-by: Johannes Berg > > --- > > arch/um/kernel/dyn.lds.S | 6 ++ > > arch/um/kernel/uml.lds.S | 6 ++ > > 2 files changed, 12 insertions(+) > > > > diff --git a/arch/um/kernel/dyn.lds.S b/arch/um/kernel/dyn.lds.S > > index dacbfabf66d8..2f2a8ce92f1e 100644 > > --- a/arch/um/kernel/dyn.lds.S > > +++ b/arch/um/kernel/dyn.lds.S > > @@ -6,6 +6,12 @@ OUTPUT_ARCH(ELF_ARCH) > > ENTRY(_start) > > jiffies = jiffies_64; > > > > +VERSION { > > + { > > + local: *; > > + }; > > +} > > + > > SECTIONS > > { > > PROVIDE (__executable_start = START); > > diff --git a/arch/um/kernel/uml.lds.S b/arch/um/kernel/uml.lds.S > > index 45d957d7004c..7a8e2b123e29 100644 > > --- a/arch/um/kernel/uml.lds.S > > +++ b/arch/um/kernel/uml.lds.S 
> > @@ -7,6 +7,12 @@ OUTPUT_ARCH(ELF_ARCH) > > ENTRY(_start) > > jiffies = jiffies_64; > > > > +VERSION { > > + { > > + local: *; > > + }; > > +} > > + > > SECTIONS > > { > > /* This must contain the right address - not quite the default > > ELF one.*/ > > Tested on all 3 machines where the issue was seen before. > > Acked-By: Anton Ivanov Tested-By: Ritesh Raj Sarraf -- Ritesh Raj Sarraf | http://people.debian.org/~rrs Debian - The Universal Operating System signature.asc Description: This is a digitally signed message part
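Review bot: neither the dyn.lds.S hunk nor the uml.lds.S hunk carries a comment saying why the anonymous `VERSION { { local: *; }; }` node is there, and the commit message itself admits the mechanism is not fully understood and that naming the version node breaks kallsyms, so the next person to touch these scripts has nothing stopping them from "tidying" it into a named node or dropping it. Suggest a short comment above the block in both files along the lines of: hide every kernel symbol from the dynamic symbol table so that host libraries loaded at run time (nsswitch pulling in libcom_err.so.2, which calls sem_init(), see [1]) resolve libc/libpthread rather than the kernel's definitions; the node must stay unnamed because a version tag breaks kallsyms. Since the two blocks are byte-for-byte identical and must stay that way, the comment is also the right place to say so.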
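The lookup order the commit message describes, reproduced as an added example that is not part of the patch or of this thread: a small executable exports a helper() and dlopen()s a library that defines and calls its own helper(), standing in for UML's sem_init() and for libcom_err.so.2 expecting libpthread's. The library gets the executable's copy first, exactly as the commit message says happens to UML; linking the executable again with a version script whose contents are the patch's `{ local: *; };` hides its symbols and the library gets its own. `-rdynamic` is assumed here as the thing that puts the executable's symbols into its dynamic symbol table; the file and function names are invented for the demo, and it needs a GNU-compatible C toolchain on Linux.

```shell
#!/bin/sh
# Added example, not part of the kernel patch: demonstrate dynamic symbol
# interposition by an executable and the `local: *` version-script fix.
set -eu

# Writes lib.c and main.c into DIR (constructed sources for the demo).
write_sources() {
    cat > "$1/lib.c" <<'EOF'
int helper(void) { return 1; }        /* the library's own helper() */
int probe(void) { return helper(); }  /* call goes through the PLT: which helper()? */
EOF
    cat > "$1/main.c" <<'EOF'
#include <dlfcn.h>
#include <stdio.h>
int helper(void) { return 2; }        /* the executable's helper(), like UML's sem_init() */
int main(int argc, char **argv)
{
    if (argc < 2)
        return 2;
    void *h = dlopen(argv[1], RTLD_NOW);
    if (!h) { fprintf(stderr, "dlopen: %s\n", dlerror()); return 2; }
    int (*probe)(void) = (int (*)(void))dlsym(h, "probe");
    printf("%d\n", probe());          /* 2 = executable's helper() won, 1 = library's */
    return 0;
}
EOF
}

# Prints "<plain> <fixed>": probe()'s result when the executable exports all
# of its symbols (-rdynamic) and again when `{ local: *; };` hides them.
# Prints "skipped" when there is no C compiler or this is not Linux.
run_demo() {
    if [ "$(uname -s)" != Linux ] || ! command -v cc >/dev/null 2>&1; then
        echo skipped; return 0
    fi
    dir=$(mktemp -d)
    write_sources "$dir"
    cc -shared -fPIC -O0 -o "$dir/libprobe.so" "$dir/lib.c"
    # Interposed: the executable's helper() is in .dynsym and is found first.
    cc -O0 -rdynamic -o "$dir/plain" "$dir/main.c" -ldl
    # Fixed: same contents as the patch's VERSION block, as a version script.
    printf '{ local: *; };\n' > "$dir/local.map"
    cc -O0 -rdynamic -Wl,--version-script="$dir/local.map" \
        -o "$dir/fixed" "$dir/main.c" -ldl
    plain=$("$dir/plain" "$dir/libprobe.so")
    fixed=$("$dir/fixed" "$dir/libprobe.so")
    rm -rf "$dir"
    echo "$plain $fixed"
}
run_demo
```

On a Linux box with gcc or clang this prints `2 1`: the unmodified link hands the library the executable's helper(), the version-scripted link does not. The same effect is why an LD_PRELOAD or a stray exported symbol in any setuid or long-running binary can silently redirect calls made by libraries it loads later.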
Bug#984644: node-xmlhttprequest-ssl: Unmaintained fork of node-xmlhttprequest
Package: node-xmlhttprequest-ssl Severity: serious node-xmlhttprequest-ssl is an unmaintained fork of node-xmlhttprequest. It should be removed from Bullseye
Bug#984616: nis: prompting due to modified conffiles which were not modified by the user: /etc/default/nis
On Fri, Mar 05, 2021 at 09:57:27PM +0100, Andreas Beckmann wrote:
> during a test with piuparts I noticed your package failed the piuparts
> upgrade test because dpkg detected a conffile as being modified and then
> prompted the user for an action. As there is no user input, this fails.
> But this is not the real problem, the real problem is that this prompt
> shows up in the first place, as there was nobody modifying this conffile
> at all, the package has just been installed and upgraded...
>
> This is a violation of policy 10.7.3, see
> https://www.debian.org/doc/debian-policy/ch-files.html#behavior, which says
> "[These scripts handling conffiles] must not ask unnecessary questions
> (particularly during upgrades), and must otherwise be good citizens."

This is nonsense: the 4 series is proposing a relevant change to the system, that is having all services off in that stupid file (the previous insane default was having the system in client+broadcast mode). The simple mechanism of conffiles can only understand if the new default is different from the current file, not if the user maintained that on purpose or not. So the question IS relevant. The whole wide changes are explained in the NEWS file and a sane admin will prefer to have all services stopped and act for the better.

-- 
Francesco P. Lovergine