Bug#951935: ufw: FTBFS: ERROR: test_get_iptables_version (tests.unit.test_util.UtilTestCase)
On Wed, 26 Feb 2020, Jamie Strandboge wrote:

> Thanks for the report! Yes, this is known and the fix queued. I was
> recently approved for Debian Maintainer and will do this as soon as I'm
> given upload permissions (key added, in process of getting someone to
> run dcut for me).

I uploaded 0.36-3 but forgot to add Closes: 951935. This should be resolved in 0.36-3; please report back if this is not the case.

--
Email: ja...@strandboge.com
IRC: jdstrand
Bug#951935: ufw: FTBFS: ERROR: test_get_iptables_version (tests.unit.test_util.UtilTestCase)
On Sun, 23 Feb 2020, Lucas Nussbaum wrote:

> Source: ufw
> Version: 0.36-1
> Severity: serious
> Justification: FTBFS on amd64
> Tags: buster sid
> Usertags: ftbfs-20200222 ftbfs-buster
>
> Hi,
>
> During a rebuild of all packages in sid, your package failed to build
> on amd64.

Thanks for the report! Yes, this is known and the fix queued. I was recently approved for Debian Maintainer and will do this as soon as I'm given upload permissions (key added, in process of getting someone to run dcut for me).

--
Jamie Strandboge | http://www.canonical.com
Bug#938746: ufw: Python2 removal in sid/bullseye
On Tue, 03 Sep 2019, Jamie Strandboge wrote:

> On Fri, 30 Aug 2019, Matthias Klose wrote:
>
> > Package: src:ufw
> > Version: 0.36-1
> > Severity: normal
> > Tags: sid bullseye
> > User: debian-pyt...@lists.debian.org
> > Usertags: py2removal
>
> ufw's use of python2 is limited to providing the python-ufw package for
> people and running various tests with python2 for that package.
> python-ufw has no reverse dependencies and so I've queued removal of the
> binary for the next upload (the changes are already in debian/master).

FYI, ufw 0.36-2 is ready to be uploaded to address this bug but blocked on https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949518 being fixed (since the iptables regression renders ufw completely broken and the upload will continue to fail autopkgtests). Once the iptables regression is fixed, I'll upload ufw.

--
Email: ja...@strandboge.com
IRC: jdstrand
Bug#949518: ufw: does not work with iptables-restore 1.8.4-2 (blank line in file)
On Wed, 22 Jan 2020, Jamie Strandboge wrote:

> There are two cases (outlined in the upstream bug) that are causing ufw
> trouble when using iptables-nft-restore with stdin:

I forgot to mention, pkg-netfilter-team, ufw 0.36-2 adds (among other things) autopkgtest tests that will hopefully uncover future regressions in iptables as they pertain to ufw usage. I'll be uploading that after this bug is fixed.

--
Email: ja...@strandboge.com
IRC: jdstrand
Bug#949518: ufw: does not work with iptables-restore 1.8.4-2 (blank line in file)
On Tue, 21 Jan 2020, Paul Aurich wrote:

> Package: ufw
> Version: 0.36-1
> Severity: grave
> Justification: renders package unusable
>
> ufw fails to start with iptables 1.8.4-2, even after #946289 is fixed.
> Downgrading to iptables 1.8.3-2 fixes this. iptables-restore
> (iptables-nft-restore) can no longer handle blank lines in the restored file.

Thank you for the report. I can confirm this regression in iptables 1.8.4 and have filed https://bugzilla.netfilter.org/show_bug.cgi?id=1400 upstream.

There are two cases (outlined in the upstream bug) that are causing ufw trouble when using iptables-nft-restore with stdin:

Policy of the form:

$ cat /tmp/blank-with-policy
*filter
# comment
-A INPUT -j ACCEPT
COMMIT
$

and of the form:

$ cat /tmp/blank-outside-of-policy
# this next blank line causes the file to not load

*filter
# comment
-A INPUT -j ACCEPT
COMMIT
$

The former results in iptables-nft-restore erroring out and the latter results in iptables-nft-restore exiting with a 0 return code but not adding the policy.

Tested with 1.8.4-2. Downgrading to 1.8.3 resolves the issue[1]. As an alternative to downgrading, until this bug is resolved, users may also use iptables-legacy via:

$ sudo update-alternatives --config iptables
$ sudo update-alternatives --config ip6tables

[1] obtain iptables, libip4tc2, libip6tc2, libiptc0 and libxtables12 from http://snapshot.debian.org/package/iptables/1.8.3-2/

--
Email: ja...@strandboge.com
IRC: jdstrand
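The second case in the message above (exit status 0, but no policy added) means the return code of iptables-nft-restore cannot be the only check. The following is an added example, not part of the original message and not ufw or iptables code: it compares the `-A` rules in a restore input with an `iptables-save` style dump, per table. The function names and sample files are constructed for illustration, and it assumes simple rules whose text is unchanged in the dump.

```shell
#!/bin/sh
# Added example (not ufw or iptables code): confirm that the rules fed to
# iptables-restore are really present afterwards, instead of trusting exit 0.
# Assumption: each "-A" rule appears in the iptables-save dump with the same
# text it had in the restore input (true for simple rules like the ones here).

# rules_by_table FILE: print "<table> <rule>" for every -A line in FILE.
rules_by_table() {
    awk '
        /^\*/     { table = substr($0, 2); next }  # "*filter" opens a table
        /^COMMIT/ { table = ""; next }             # COMMIT closes it
        /^-A /    { if (table != "") print table " " $0 }
    ' "$1" | LC_ALL=C sort -u
}

# missing_rules WANTED DUMP: print the rules of WANTED that DUMP lacks.
# Returns 0 when nothing is missing, 1 when rules are missing, 2 on error.
missing_rules() {
    _want=$(mktemp) || return 2
    _have=$(mktemp) || { rm -f "$_want"; return 2; }
    rules_by_table "$1" > "$_want"
    rules_by_table "$2" > "$_have"
    _missing=$(LC_ALL=C comm -23 "$_want" "$_have")
    rm -f "$_want" "$_have"
    if [ -n "$_missing" ]; then
        printf '%s\n' "$_missing"
        return 1
    fi
    return 0
}

# write_samples DIR: constructed sample files for the demonstration.
write_samples() {
    # Restore input modelled on the second case (blank line before the table).
    printf '%s\n' '# this next blank line causes the file to not load' '' \
        '*filter' '# comment' '-A INPUT -j ACCEPT' 'COMMIT' > "$1/wanted.rules"
    # Constructed dump for the case where the rule was loaded.
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A INPUT -j ACCEPT' 'COMMIT' > "$1/loaded.dump"
    # Constructed dump after the silent failure: exit 0, but no rule present.
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' 'COMMIT' > "$1/silent.dump"
}

# Stand-alone use: ./script wanted.rules saved.dump
if [ "$#" -eq 2 ]; then
    missing_rules "$1" "$2"
fi
```

On a live system the dump would come from `iptables-save` run after the restore; a non-zero result from `missing_rules` then flags the silent failure.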
Bug#946289: ufw: fails to start with iptables 1.8.4
On Fri, 13 Dec 2019, Jamie Strandboge wrote:

> I can confirm this. It looks like iptables-restore and iptables6-restore
> in 1.8.4 have broken -n behavior with the nft varieties.

This is https://bugzilla.netfilter.org/show_bug.cgi?id=1394

--
Email: ja...@strandboge.com
IRC: jdstrand
Bug#946289: ufw: fails to start with iptables 1.8.4
On Fri, 06 Dec 2019, Antonio Terceiro wrote:

> Package: ufw
> Version: 0.36-1
> Severity: grave
> Justification: renders package unusable
>
> This started since the latest upgrade of iptables (1.8.4). Reverting to
> 1.8.3 (testing) makes it work again.
>
> This is the contents of the journal for ufw.service:
>
> -- Logs begin at Thu 2019-12-05 14:15:18 -03, end at Fri 2019-12-06 13:45:35
> -03. --
> dez 05 14:15:18 lemur ufw-init[455]: Bad argument `DROP'
> dez 05 14:15:18 lemur ufw-init[455]: Error occurred at line: 4
> dez 05 14:15:18 lemur ufw-init[455]: Try `iptables-restore -h' or
> 'iptables-restore --help' for more information.

I can confirm this. It looks like iptables-restore and iptables6-restore in 1.8.4 have broken -n behavior with the nft varieties.

Create some simple policy:

$ cat /tmp/pol
*filter
# builtin chains
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

With 1.8.2-4 on buster:

$ cat /tmp/pol | sudo /usr/sbin/iptables-legacy-restore -n
$ cat /tmp/pol | sudo /usr/sbin/iptables-nft-restore -n
$

With 1.8.4-1 on sid:

$ cat /tmp/pol | sudo /usr/sbin/iptables-legacy-restore -n
$ cat /tmp/pol | sudo /usr/sbin/iptables-nft-restore -n
Bad argument `ACCEPT'
Error occurred at line: 4
Try `iptables-nft-restore -h' or 'iptables-nft-restore --help' for more information.

--
Email: ja...@strandboge.com
IRC: jdstrand
Bug#921680: ufw cannot determine iptables version, fails
On Thu, 07 Feb 2019, PanaColina wrote:

> Package: ufw
> Version: 0.36-1
> Severity: grave
> Justification: renders package unusable
>
> Dear Maintainer,
>
> On clean new install of ufw, any ufw command
> (eg: "ufw status") results in:
> "ERROR: Couldn't determine iptables version"
>
> Additional packages automatically installed at the same time:
> iptables 1.8.2-3
> libnftables0 0.9.0-2
> libnftnl11 1.1.2-2
> nftables 0.9.0-2
>
> Assuming some conflict, I removed nftables and libnftables0, but error
> persists.
>
> ufw is set as dependent on libnftnl11, and of course iptables
>

I cannot reproduce this with the current 4.19 kernel or on an older 4.17 kernel (like you have-- you may want to consider upgrading).

$ dpkg -l|grep -E '(ufw|iptables|nft)'|awk '{print $1, $2, $3}'
ii iptables 1.8.2-3
ii libnftables0:amd64 0.9.0-2
ii libnftnl11:amd64 1.1.2-2
ii libnftnl7:amd64 1.1.1-1
ii nftables 0.9.0-2
ii ufw 0.36-1

$ /sbin/iptables --version
iptables v1.8.2 (nf_tables)

$ sudo ufw status
Status: inactive

$ sudo ufw enable
Firewall is active and enabled on system startup

$ sudo ufw status
Status: active
To                         Action      From
--                         --
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)

It continues to work with iptables-legacy (using update-alternatives; I updated the alternative, ran ufw disable and rebooted):

$ /sbin/iptables --version
iptables v1.8.2 (legacy)

$ sudo ufw status
Status: inactive

$ sudo ufw enable
Firewall is active and enabled on system startup

$ sudo ufw status
Status: active
To                         Action      From
--                         --
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)

What is the output of 'sudo /usr/share/ufw/check-requirements'?
What is the output of '/sbin/iptables --version'?

> -- System Information:
> Debian Release: buster/sid
> APT prefers unstable
> APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.17.17 (SMP w/8 CPU cores)
> Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
> LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages ufw depends on:
> ii debconf [debconf-2.0] 1.5.70
> ii iptables 1.8.2-3
> ii lsb-base 10.2018112800
> ii python3 3.7.2-1
> ii ucf 3.0038+nmu1
>
> ufw recommends no packages.
>
> Versions of packages ufw suggests:
> ii rsyslog 8.40.0-1+b1
>
> -- debconf information:
> ufw/existing_configuration:
> ufw/allow_known_ports:
> ufw/enable: false
> ufw/allow_custom_ports:

--
Jamie Strandboge | http://www.canonical.com
Bug#918548: [pkg-apparmor] Bug#918548: About possibility to translate AppArmor tunables
On Mon, 07 Jan 2019, Ian Jackson wrote:

> Package: apparmor
> Version: 2.13.2-3
> Severity: serious
>
> Vincas, thanks for reporting this bug on the debian-i18n list.
> I think it needs a much higher profile.
>
> Vincas Dargis writes ("About possibility to translate AppArmor tunables"):
> > Let's look at one tunable file example. Currently, Debian and
> > upstream version of `/etc/apparmor.d/tunables/xdg-user-dirs` (from
> > apparmor package) have these contents:
> >
> > ```
> > @{XDG_DESKTOP_DIR}="Desktop"
> ...
> > The problem is that on my machine, "Desktop" is actually "Darbastalis",
>
> I think you mean "in your account" ? I mean, if you had several users
> who used different languages, wouldn't their "Desktop" directory be
> called different things ?

Indeed...

> > ```
> > @{XDG_DESKTOP_DIR}+="Darbastalis" #lt
> > @{XDG_DESKTOP_DIR}+="Darbvirsma" #lv
> > @{XDG_DOWNLOAD_DIR}+="Atsisiuntimai" #lt
> > @{XDG_DOWNLOAD_DIR}+="Lejupielādes" #lv
> > ...
> > ```

> To the AppArmor maintainers:
>
> I have filed this as `serious' not to try to force you to fix this,
> but because this bug seems like it will cause AppArmor to work badly
> for many people and I felt you would want me to be sure you noticed.
> So please adjust the severity as you like.

I don't have all the context since the bug only has part of the thread, but I can say two things:

1. importantly, profiles are (currently) system wide so the @{XDG_*_DIR} apparmor variables should be adjusted for all languages the system's users use, otherwise policy using this variable will fail to work for any missing languages
2. the apparmor project supports distros and sysadmins by providing the /etc/apparmor.d/tunables/xdg-user-dirs file (conffile in Debian) and /etc/apparmor.d/tunables/xdg-user-dirs.d directory for managing the @{XDG_*_DIR} variables in the manner it appears the thread is describing. This is also discussed in the apparmor.d man page.

AppArmor the project currently does not provide any more support beyond this in part because different distros handle language support differently and no one has driven anything better.

With my distro-maintainer hat on, there is more than enough here to have a nice story. I can imagine perhaps a dpkg trigger that would update file(s) in /etc/apparmor.d/tunables/xdg-user-dirs.d based on language changes. Not having a lot of experience with language support in Debian and its downstreams, I can't offer anything more concrete, but there is definitely an opportunity to do something nice here.

As for the seriousness of the bug, I'll let the Debian apparmor devs decide but will say that this issue has been known for many years in Ubuntu where apparmor is on by default and the current upstream mechanisms have proved 'ok enough'. I'll speculate and say this probably has something to do with the fact that the @{XDG_*_DIR} variables aren't widely used in system-shipped policy and what is left is sysadmin created policy and if the sysadmin is writing the policy, the man page is likely consulted.

--
Jamie Strandboge | http://www.canonical.com
Bug#912595: ufw fails to start with option IPV6=yes in /etc/default/ufw ERROR: unknown option "--icmpv6-type"
On Thu, 01 Nov 2018, Karlheinz Geyer wrote:

> Hi Jamie,
> thx vm for ur reply...
>
> Jamie Strandboge [01.11.2018 13.34.36 -0500]:
>
> > What is the output of:
> >
> > $ sudo /usr/share/ufw/check-requirements
>
> # /usr/share/ufw/check-requirements
> Has python: pass (binary: python2.7, version: 2.7.15+, py2)
> Has iptables: pass
> Has ip6tables: pass
>
> Has /proc/net/dev: pass
> Has /proc/net/if_inet6: pass
>
> This script will now attempt to create various rules using the iptables
> and ip6tables commands. This may result in module autoloading (eg, for
> IPv6).
> Proceed with checks (Y/n)?
...
> == IPv6 ==
> Creating 'ufw-check-requirements6'... done
> Inserting RETURN at top of 'ufw-check-requirements6'... done
...
> icmpv6 (destination-unreachable): FAIL
> error was: ip6tables v1.8.1 (nf_tables): unknown option "--icmpv6-type"
> Try `ip6tables -h' or 'ip6tables --help' for more information.
> icmpv6 (packet-too-big): FAIL
> error was: ip6tables v1.8.1 (nf_tables): unknown option "--icmpv6-type"
> Try `ip6tables -h' or 'ip6tables --help' for more information.
> icmpv6 (time-exceeded): FAIL
> error was: ip6tables v1.8.1 (nf_tables): unknown option "--icmpv6-type"
> Try `ip6tables -h' or 'ip6tables --help' for more information.
> icmpv6 (parameter-problem): FAIL
> error was: ip6tables v1.8.1 (nf_tables): unknown option "--icmpv6-type"
> Try `ip6tables -h' or 'ip6tables --help' for more information.
> icmpv6 (echo-request): FAIL
> error was: ip6tables v1.8.1 (nf_tables): unknown option "--icmpv6-type"
> Try `ip6tables -h' or 'ip6tables --help' for more information.
> icmpv6 with hl (neighbor-solicitation): FAIL
> error was: ip6tables v1.8.1 (nf_tables): unknown option "--icmpv6-type"
> Try `ip6tables -h' or 'ip6tables --help' for more information.
> icmpv6 with hl (neighbor-advertisement): FAIL
> error was: ip6tables v1.8.1 (nf_tables): unknown option "--icmpv6-type"
> Try `ip6tables -h' or 'ip6tables --help' for more information.
> icmpv6 with hl (router-solicitation): FAIL
> error was: ip6tables v1.8.1 (nf_tables): unknown option "--icmpv6-type"
> Try `ip6tables -h' or 'ip6tables --help' for more information.
> icmpv6 with hl (router-advertisement): FAIL
> error was: ip6tables v1.8.1 (nf_tables): unknown option "--icmpv6-type"
> Try `ip6tables -h' or 'ip6tables --help' for more information.
> ipv6 rt: pass
>

It looks like your kernel doesn't support these options and you may want to upgrade your kernel and/or update its config.

Please note that the recent upgrade to iptables 1.8.1 in sid caused a regression in ufw:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911986#35
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912610

--
Jamie Strandboge | http://www.canonical.com
Bug#912595: ufw fails to start with option IPV6=yes in /etc/default/ufw ERROR: unknown option "--icmpv6-type"
What is the output of:

$ sudo /usr/share/ufw/check-requirements

--
Jamie Strandboge | http://www.canonical.com
Bug#896787: ufw: missing build dependency on python3-distutils
On Tue, 2018-04-24 at 12:57 +0300, Adrian Bunk wrote:

> Source: ufw
> Version: 0.35-5
> Severity: serious
>
> https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/uf
> w.html
>
> ...
> Performing tests 'installation/check_help'
> - installing
> Traceback (most recent call last):
> File "./setup.py", line 29, in
> from distutils.command.install import install as _install
> ModuleNotFoundError: No module named 'distutils.command'
> make: *** [debian/rules:39: install] Error 1
>
>
> Due to
>
> python3.6 (3.6.5~rc1-2) unstable; urgency=medium
>
> * python3.6: Drop dependency on python3-distutils.
> ...
> -- Matthias Klose Tue, 20 Mar 2018 14:29:58 +0800

Thanks for reporting this issue. I've prepared 0.35-6 to address this issue and it should be available in unstable soon.

--
Jamie Strandboge | http://www.canonical.com
Bug#849628: ufw: FTBFS: Command '--dry-run route allow ssh/udp' exited with '1', but expected '0'
On Sun, 2017-01-08 at 07:39 -0600, Jamie Strandboge wrote:

> On Thu, 2016-12-29 at 09:10 +, Chris Lamb wrote:
> > Command '--dry-run allow ssh/udp' exited with '1', but expected '0'
> > ** FAIL **

FYI, this is now fixed in trunk and this will be fixed in 0.35-3 which will be uploaded soon. Thanks for the report! :)

--
Jamie Strandboge | http://www.canonical.com
Bug#849628: ufw: FTBFS: Command '--dry-run route allow ssh/udp' exited with '1', but expected '0'
On Thu, 2016-12-29 at 09:10 +, Chris Lamb wrote:

>
> Performing tests 'ipv6/rules6'
> - installing
> - result:
> Command '--dry-run allow to 2001:db8:3:4:5:6:7:8 port tftp from
> 2001:db8::/32 port ssh' exited with '1', but expected '0'
> ** FAIL **
>
> Performing tests 'ipv6/rules64'
> - installing
> - result:
> Command '--dry-run allow ssh/udp' exited with '1', but expected '0'
> ** FAIL **

It looks like netbase removed the entry from /etc/services for ssh/udp.

Before:

$ grep ssh /etc/services
ssh 22/tcp # SSH Remote Login Protocol
ssh 22/udp

Now:

$ grep ssh /etc/services.dpkg-new
ssh 22/tcp # SSH Remote Login Protocol

--
Jamie Strandboge | http://www.canonical.com
Bug#833234: openvpn-blacklist: diff for NMU version 0.5+nmu1
On Thu, 2016-11-10 at 10:25 +, Jonathan Wiltshire wrote:

> Control: tags 833234 + patch
> Control: tags 833234 + pending
>
> Dear maintainer,
>
> I've prepared an NMU for openvpn-blacklist (versioned as 0.5+nmu1) and
> uploaded it to DELAYED/2. Please feel free to tell me if I
> should delay it longer.
>
> Regards.

Thanks! This looks good to me.

--
Jamie Strandboge | http://www.canonical.com
Bug#818000: Configuration files stored in /lib/ufw; FHS violation
On Sat, 2016-03-12 at 15:30 +, Ben Hutchings wrote:

> Package: ufw
> Version: 0.34-2
> Severity: serious
>
> Configuration files written by the ufw command (user.rules,
> user6.rules) must be stored in either /etc (if they are also intended
> to be directly editable) or /var.
>
> I spent quite some time trying to understand how to transfer my ufw
> configuration to a new installation; following the FHS would have
> saved me that.
>

Sorry about that. Actually this has been discussed at great length in the upstream bug. Here has been my historical take:

https://bugs.launchpad.net/ufw/+bug/728128/comments/1

That said with 0.35 I finally yielded:

ufw (0.35) RELEASED; urgency=medium
...
* move user[6].rules to /etc/ufw (LP: #728128)

In other words, this will be fixed in 0.35-1.

> Ben.
>
> -- System Information:
> Debian Release: stretch/sid
> APT prefers unstable
> APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.4.0-1-amd64 (SMP w/4 CPU cores)
> Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages ufw depends on:
> ii debconf [debconf-2.0] 1.5.59
> ii init-system-helpers 1.29
> ii iptables 1.6.0-2
> ii python3 3.5.1-2
> pn python3:any
> ii ucf 3.0035
>
> ufw recommends no packages.
>
> Versions of packages ufw suggests:
> ii rsyslog 8.16.0-1
>
> -- debconf information excluded

--
Jamie Strandboge | http://www.canonical.com
Bug#797020: ufw: FTBFS: False is not true
On 08/26/2015 06:16 PM, Chris Lamb wrote:

>
> ufw fails to build from source in unstable/amd64. Even with net-tools
> installed (for `netstat`) it fails in a similar way if that helps.
...
> The full build log is attached or can be viewed here:
>
>
> https://reproducible.debian.net/logs/unstable/amd64/ufw_0.34-1.build1.log.gz
>
>

Huh, this worked in a sid schroot and in the Ubuntu sync to wily. I'll take a look and get this fixed up. Thanks for the report!

--
Jamie Strandboge http://www.ubuntu.com/
Bug#740289: openjdk-6: [PATCH] fixes for backport releases
Package: openjdk-6
Version: 6b30-1.13.1-1
Severity: serious
Tags: patch
Justification: fails to build from source (but built successfully in the past)
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu trusty ubuntu-patch

Dear Maintainer,

In preparing security updates for older releases of Ubuntu, I found a number of issues with the current openjdk-6 package:

* configure and acinclude.m4 were patched directly rather than using a patch system resulting in aclocal being run on every build. IcedTea 1.13.1 now requires autotools 1.14, but this is not available on Ubuntu 13.10 and earlier.
* debian/patches/java-access-bridge-security.patch was malformed and would not apply on Ubuntu 10.04 LTS
* the previous security update introduced LP: #1283828 (upstream 8017173)

The attached patch was applied to Ubuntu to achieve the following:

* pull out changes to configure and acinclude.m4 from diff.gz and conditionally apply to Debian and Ubuntu releases that have arm64 and/or automake-1.14. IcedTea 1.13 requires automake 1.14 now and the change to diff.gz caused a FTBFS on backport builds
  - add debian/patches/autotools-aarch64.diff
  - debian/rules:
    + add PRECONFIGURE_DEBIAN_PATCHES which is empty on releases where we don't have automake-1.14, otherwise add autotools-aarch64.diff
    + add preconfigure-distribution-patches.stamp target and have stamps/icedtea-configure depend on it
    + adjust debian-clean to unapply PRECONFIGURE_DEBIAN_PATCHES
* debian/patches/8017173.diff: XMLCipher with RSA_OAEP Key Transport algorithm can't be instantiated (LP: #1283828)
* debian/patches/java-access-bridge-security.patch: fix malformed patch

Ubuntu also did the following as part of the security update:

* debian/rules: disable system lcms2 for releases that don't have lcms2 2.5 or higher

but after further investigation, it seems this was not actually required, so I removed this from the patch I am submitting to you now.
debian/patches/8017173.diff adds a test case, but it is not run in the build. I didn't investigate why, but it can be run manually with: $ javac -XDignore.symbol.file GetInstance.java $ java GetInstance A patched openjdk will exit with '0' while unpatched will throw the exception in the bug. This regression was introduced due to a partial backport from openjdk8 to openjdk7 which IcedTea picked up. They then pulled back this partial backport for the 1.x releases. Incidentally, this issue affects openjdk-7 7u51-2.4.5-1ubuntu1, so it should be applied to the openjdk-7 package in sid as well. I filed this bug with upstream for the regression: http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1688 Thanks for considering the patch. -- System Information: Debian Release: jessie/sid APT prefers trusty-updates APT policy: (500, 'trusty-updates'), (500, 'trusty-security'), (500, 'trusty') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.13.0-8-generic (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash reverted: --- openjdk-6-6b30-1.13.1/acinclude.m4 +++ openjdk-6-6b30-1.13.1.orig/acinclude.m4 @@ -22,12 +22,6 @@ JRE_ARCH_DIR=alpha CROSS_TARGET_ARCH=alpha ;; -arm64|aarch64) - BUILD_ARCH_DIR=aarch64 - INSTALL_ARCH_DIR=aarch64 - JRE_ARCH_DIR=aarch64 - ARCHFLAG="-D_LITTLE_ENDIAN" - ;; arm*) BUILD_ARCH_DIR=arm INSTALL_ARCH_DIR=arm @@ -1559,7 +1553,7 @@ AC_MSG_RESULT(${ENABLE_SYSTEM_LCMS}) if test x"${ENABLE_SYSTEM_LCMS}" = "xyes"; then dnl Check for LCMS2 headers and libraries. +PKG_CHECK_MODULES(LCMS2, lcms2 >= 2.5,[LCMS2_FOUND=yes],[LCMS2_FOUND=no]) -PKG_CHECK_MODULES(LCMS2, lcms2,[LCMS2_FOUND=yes],[LCMS2_FOUND=no]) if test "x${LCMS2_FOUND}" = xno then AC_MSG_ERROR([Could not find LCMS >= 2.5; install it or build with --disable-system-lcms to use the in-tree copy.]) reverted: --- openjdk-6-6b30-1.13.1/configure +++ openjdk-6-6b30-1.13.1.orig/configure 
@@ -7216,12 +7216,6 @@ JRE_ARCH_DIR=alpha CROSS_TARGET_ARCH=alpha ;; -arm64|aarch64) - BUILD_ARCH_DIR=aarch64 - INSTALL_ARCH_DIR=aarch64 - JRE_ARCH_DIR=aarch64 - ARCHFLAG="-D_LITTLE_ENDIAN" - ;; arm*) BUILD_ARCH_DIR=arm INSTALL_ARCH_DIR=arm @@ -9484,7 +9478,7 @@ mkdir tmp.$$ cd tmp.$$ cat << \EOF > $CLASS +/* [#]line 9481 "configure" */ -/* [#]line 9487 "configure" */ public class Test { @@ -9526,7 +9520,7 @@ mkdir tmp.$$ cd tmp.$$ cat << \EOF > $CLASS +/* [#]line 9523 "configure" */ -/* [#]line 9529 "configure" */ import java.lang.reflect.Method; public class Test @@ -9593,7 +9587,7 @@ mkdir tmp.$$ cd tmp.$$ cat << \EOF > $CLASS +/* [#]line 9590 "configure" */ -/* [#]line 9596 "configure" */ public class Test { public static void main(String[] args) @@ -9641,7 +9635,7 @@ mkdir tmp.$$ cd tmp
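Review bot: the reverted acinclude.m4 hunk at -1559 changes more than the arm64/aarch64 case the description covers: it also swaps the unversioned `PKG_CHECK_MODULES(LCMS2, lcms2, ...)` check back to `lcms2 >= 2.5`. The report says the debian/rules change that disabled system lcms2 on older releases was dropped from this submission, so please confirm that backport targets without lcms2 2.5 do not now stop at the AC_MSG_ERROR, or carry the relaxed check in a conditionally applied patch the same way autotools-aarch64.diff is handled. The configure hunks that only move the `[#]line` markers are regeneration noise and would be easier to review if the generated configure were left out of the interdiff.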
Bug#731863: python-ufw: fails to upgrade from 'testing' - trying to overwrite /usr/share/pyshared/ufw/backend_iptables.py
Thanks for the bug and I'll get this fixed in the next upload. Note that in the normal upgrade case, python-ufw will not be pulled in as part of the upgrade because ufw itself does not depend on it so it doesn't get pulled in as part of the upgrade (which is why I've not seen this bug before now). Obviously, if anything starts to use it, users will see it.
Bug#714529: lcms2 needs security updates found in the last openjdk-7 security updates (CVE-2013-4160)
FYI, Ubuntu fixed this here: http://www.ubuntu.com/usn/usn-1911-1/ Attached is the debdiff used for Ubuntu 12.04 LTS, which is based on Debian's 2.2+git20110628-2. -- Jamie Strandboge http://www.ubuntu.com/ diff -Nru lcms2-2.2+git20110628/debian/changelog lcms2-2.2+git20110628/debian/changelog --- lcms2-2.2+git20110628/debian/changelog 2011-10-18 11:22:46.0 -0500 +++ lcms2-2.2+git20110628/debian/changelog 2013-07-01 11:51:05.0 -0500 @@ -1,3 +1,15 @@ +lcms2 (2.2+git20110628-2ubuntu3.1) precise-security; urgency=low + + * SECURITY UPDATE: incorporate IcedTea fixes for lcms (LP: #1196517) +- debian/patches/ojdk-8007925+8007926.patch: Improve + cmsStageAllocLabV2ToV4curves. Improve cmsPipelineDup. +- debian/patches/ojdk-8007927.patch: Improve + cmsAllocProfileSequenceDescription. +- debian/patches/ojdk-8007929.patch: Improve CurvesAlloc. +- debian/patches/ojdk-8009654.patch: Improve stability of cmsnamed. + + -- Jamie Strandboge Mon, 01 Jul 2013 11:50:56 -0500 + lcms2 (2.2+git20110628-2ubuntu3) precise; urgency=low * Rebuild for libjpeg8. diff -Nru lcms2-2.2+git20110628/debian/control lcms2-2.2+git20110628/debian/control --- lcms2-2.2+git20110628/debian/control2011-08-28 06:42:58.0 -0500 +++ lcms2-2.2+git20110628/debian/control2013-07-01 11:51:12.0 -0500 @@ -1,7 +1,8 @@ Source: lcms2 Section: libs Priority: optional -Maintainer: Oleksandr Moskalenko +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Oleksandr Moskalenko Build-Depends: debhelper (>= 7.0.50~), autotools-dev, libjpeg-dev, libtiff4-dev, zlib1g-dev, quilt Standards-Version: 3.9.2 Homepage: http://www.littlecms.com/ diff -Nru lcms2-2.2+git20110628/debian/patches/ojdk-8007925+8007926.patch lcms2-2.2+git20110628/debian/patches/ojdk-8007925+8007926.patch --- lcms2-2.2+git20110628/debian/patches/ojdk-8007925+8007926.patch 1969-12-31 18:00:00.0 -0600 +++ lcms2-2.2+git20110628/debian/patches/ojdk-8007925+8007926.patch 2013-07-01 12:08:48.0 -0500 
@@ -0,0 +1,28 @@ +# HG changeset patch +# Date 1364497268 -14400 +# Node ID 56f01b89d8b8f7e2cbc651dccbd904b45698be24 +# Parent 09c14ca57ff092cd304a4e29f9398176255a72ab +8007925: Improve cmsStageAllocLabV2ToV4curves +8007926: Improve cmsPipelineDup + +Index: lcms2-2.2+git20110628/src/cmslut.c +=== +--- lcms2-2.2+git20110628.orig/src/cmslut.c2011-06-27 23:20:02.0 -0500 lcms2-2.2+git20110628/src/cmslut.c 2013-07-01 10:51:20.0 -0500 +@@ -980,6 +980,7 @@ + mpe = cmsStageAllocToneCurves(ContextID, 3, LabTable); + cmsFreeToneCurveTriple(LabTable); + ++if (mpe == NULL) return mpe; + mpe ->Implements = cmsSigLabV2toV4; + return mpe; + } +@@ -1291,6 +1292,8 @@ + if (lut == NULL) return NULL; + + NewLUT = cmsPipelineAlloc(lut ->ContextID, lut ->InputChannels, lut ->OutputChannels); ++if (NewLUT == NULL) return NULL; ++ + for (mpe = lut ->Elements; + mpe != NULL; + mpe = mpe ->Next) { diff -Nru lcms2-2.2+git20110628/debian/patches/ojdk-8007927.patch lcms2-2.2+git20110628/debian/patches/ojdk-8007927.patch --- lcms2-2.2+git20110628/debian/patches/ojdk-8007927.patch 1969-12-31 18:00:00.0 -0600 +++ lcms2-2.2+git20110628/debian/patches/ojdk-8007927.patch 2013-07-01 12:08:48.0 -0500 
@@ -0,0 +1,22 @@ +# HG changeset patch +# User bae +# Date 1363852330 -14400 +# Node ID 4047e9efcbd0966d8cc15d51f9b25ae5b141e239 +# Parent a7299af2af32c38eef541180e26f4aac7d79bff8 +8007927: Improve cmsAllocProfileSequenceDescription + +Index: lcms2-2.2+git20110628/src/cmsnamed.c +=== +--- lcms2-2.2+git20110628.orig/src/cmsnamed.c 2013-07-01 11:02:26.0 -0500 lcms2-2.2+git20110628/src/cmsnamed.c 2013-07-01 11:03:56.0 -0500 +@@ -698,6 +702,10 @@ + Seq -> seq = (cmsPSEQDESC*) _cmsCalloc(ContextID, n, sizeof(cmsPSEQDESC)); + Seq -> n= n; + ++if (Seq -> seq == NULL) { ++_cmsFree(ContextID, Seq); ++ return NULL; ++} + + for (i=0; i < n; i++) { + Seq -> seq[i].Manufacturer = NULL; diff -Nru lcms2-2.2+git20110628/debian/patches/ojdk-8007929.patch lcms2-2.2+git20110628/debian/patches/ojdk-8007929.patch --- lcms2-2.2+git20110628/debian/patches/ojdk-8007929.patch 1969-12-31 18:00:00.0 -0600 +++ lcms2-2.2+git20110628/debian/patches/ojdk-8007929.patch 2013-07-01 12:08:48.0 -0500 @@ -0,0 +1,27 @@ +# HG changeset patch +# User bae +# Date 1363852924 -14400 +# Node ID 2c71b4f2104b4951376604d50d5ecd176cd5acc7 +# Parent 4047e9efcbd0966d8cc15d51f9b25ae5b141e239 +8007929: Improve CurvesAlloc + +Index: lcms2-2.2+git20110628/src/cmsopt.c +=== +--- lcms2-
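Review bot: in ojdk-8007927.patch the cmsnamed.c hunk header reads `@@ -698,6 +702,10 @@`, so the new-side start is four lines past the old-side start although no earlier cmsnamed.c hunk in this patch accounts for the difference, and the .orig timestamp on that file is 2013-07-01 rather than the 2011 date seen on cmslut.c. The changelog lists ojdk-8009654.patch ("Improve stability of cmsnamed") after this one; please check that the series applies the two in the order they were generated, and refresh this patch so the header matches the file it applies to. The added `return NULL;` line is also indented differently from the `if` and `_cmsFree` lines around it.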
Bug#697865: libnss3-1d: fix for DSA-2599 is incomplete
Package: libnss3-1d
Version: 3.12.8-1+squeeze6
Severity: grave
Tags: security
Justification: user security hole

-- System Information:
Debian Release: 6.0.6
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Versions of packages libnss3-1d depends on:
ii libc6 2.11.3-4 Embedded GNU C Library: Shared lib
ii libnspr4-0d 4.8.6-1 NetScape Portable Runtime Library
ii libsqlite3-0 3.7.3-1 SQLite 3 shared library
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime

libnss3-1d recommends no packages.

libnss3-1d suggests no packages.

http://www.debian.org/security/2013/dsa-2599 updated squeeze by updating ckbi (certdata.txt and certdata.c) to distrust the mis-issued TURKTRUST intermediate CAs. In preparing updates for Ubuntu, I saw that while 'strings /usr/lib/nss/libnssckbi.so' shows that the certificates were added to libnssckbi.so (certutil will only show root certificates, so you can't verify the inclusion of the intermediates with this tool-- if there is another tool to do this, please let me know :), nss does not actually blacklist them. If I follow the instructions from the upstream bug[1] to verify the certs are blacklisted, the certs chain is shown as good:

# Compile nss since we need access to vfychain and it isn't shipped in packages
$ sudo apt-get build-dep nss
$ sudo apt-get install libnss3-1d # needed at runtime for vfychain (make sure
                                  # it is 3.12.8-1+squeeze6)
$ apt-get source nss=3.12.8-1+squeeze6
$ cd nss-*/
$ fakeroot debian/rules build
$ mozilla/dist/bin/vfychain -u 1 /tmp/turktrust-google-1.der \
      /tmp/turktrust-google-2.der \
      /tmp/turktrust-google-3.der
Chain is good!
$ mozilla/dist/bin/vfychain -u 3 /tmp/turktrust-intermediate-2.der \
      /tmp/turktrust-google-3.der
Chain is good!

Both of these should show 'Chain is bad!'. I can confirm that simply updating ckbi is not enough for nss 3.13.1 and earlier. I did not check wheezy.

I was able to confirm that if I recompile nspr 2:4.9.4-2 and nss 2:3.14.1.with.ckbi.1.93-1 on an Ubuntu 12.10 system, vfychain would correctly blacklist them. As a result, I am considering upgrading nss and nspr on all of Ubuntu's stable releases to the latest upstream versions (with ckbi 1.93) to address this issue rather than trying to identify and cherrypick the commits to make blacklisting an intermediate work.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=825022#c8
Bug#686872: python-urllib3 should default to verifying certificates
Package: python-urllib3 Version: 1.3-2 Severity: grave Tags: patch security Justification: user security hole User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu quantal ubuntu-patch Dear Maintainer, In Ubuntu, the attached patch was applied to achieve the following: * debian/patches/02_require-cert-verification.patch: verify SSL certificates by default (LP: #1047054) urllib3 does not set cert_req or ca_certs by default, so certificates are not checked and MITM is trivial. Ie, it has in connectionpool.py: def __init__(self, host, port=None, strict=False, timeout=None, maxsize=1, block=False, headers=None, key_file=None, cert_file=None, cert_reqs='CERT_NONE', ca_certs=None): This should be changed to: def __init__(self, host, port=None, strict=False, timeout=None, maxsize=1, block=False, headers=None, key_file=None, cert_file=None, cert_reqs='CERT_REQUIRED', ca_certs='/etc/ssl/certs/ca-certificates.crt') Attached is a patch to do the above. It has been verified to check certificates by default, allows for disabling certificate verification, and the testsuite passes without modification. Thanks for considering the patch. -- System Information: Debian Release: wheezy/sid APT prefers quantal-updates APT policy: (500, 'quantal-updates'), (500, 'quantal-security'), (500, 'quantal') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.5.0-13-generic (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash diff -Nru python-urllib3-1.3/debian/changelog python-urllib3-1.3/debian/changelog diff -Nru python-urllib3-1.3/debian/patches/02_require-cert-verification.patch python-urllib3-1.3/debian/patches/02_require-cert-verification.patch --- python-urllib3-1.3/debian/patches/02_require-cert-verification.patch 1969-12-31 18:00:00.0 -0600 +++ python-urllib3-1.3/debian/patches/02_require-cert-verification.patch 2012-09-06 16:15:25.0 -0500 
@@ -0,0 +1,18 @@ +Author: Jamie Strandboge +Description: require SSL certificate validation by default by using + CERT_REQUIRED and using the system /etc/ssl/certs/ca-certificates.crt +Bug-Ubuntu: https://launchpad.net/bugs/1047054 + +Index: python-urllib3-1.3/urllib3/connectionpool.py +=== +--- python-urllib3-1.3.orig/urllib3/connectionpool.py 2012-09-06 16:03:50.0 -0500 python-urllib3-1.3/urllib3/connectionpool.py 2012-09-06 16:08:59.0 -0500 +@@ -463,7 +463,7 @@ + strict=False, timeout=None, maxsize=1, + block=False, headers=None, + key_file=None, cert_file=None, +- cert_reqs='CERT_NONE', ca_certs=None): ++ cert_reqs='CERT_REQUIRED', ca_certs='/etc/ssl/certs/ca-certificates.crt'): + + super(HTTPSConnectionPool, self).__init__(host, port, + strict, timeout, maxsize, diff -Nru python-urllib3-1.3/debian/patches/series python-urllib3-1.3/debian/patches/series --- python-urllib3-1.3/debian/patches/series 2012-02-10 16:46:21.0 -0600 +++ python-urllib3-1.3/debian/patches/series 2012-09-06 16:03:57.0 -0500 @@ -1 +1,2 @@ 01_do-not-use-embedded-python-six.patch +02_require-cert-verification.patch
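Review bot: In the connectionpool.py hunk of 02_require-cert-verification.patch, the new default ca_certs='/etc/ssl/certs/ca-certificates.crt' names a file that is only present when the ca-certificates package is installed, and the debdiff as shown touches debian/changelog, debian/patches/series and the new patch but not debian/control. With cert_reqs='CERT_REQUIRED' as the default, a missing bundle makes every HTTPS connection fail, so python-urllib3 should declare a dependency on ca-certificates if it does not already have one. A line in the patch header stating that callers can still pass cert_reqs='CERT_NONE' explicitly would document the opt-out the report mentions.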
Bug#677427: raptor: Fix for CVE-2012-0037 no applied during build
Package: raptor Version: 1.4.21-7 Severity: grave Tags: patch security Justification: user security hole User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu quantal ubuntu-patch Dear Maintainer, While 1.4.21-7 claims to fix CVE-2012-0037, it does not because debian/patches/series was not updated. Attached is a patch to: * update the series file * update raptor-1.4.21-cve.patch to apply cleanly with 02-fix-639065 applied first * adjust raptor-1.4.21-cve.patch to initialize entity_input to NULL to fix a compiler warning when compiling with -Wuninitialized. Thanks for considering the patch. -- System Information: Debian Release: wheezy/sid APT prefers precise-updates APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500, 'precise') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-24-generic (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash diff -Nru raptor-1.4.21/debian/changelog raptor-1.4.21/debian/changelog diff -Nru raptor-1.4.21/debian/control raptor-1.4.21/debian/control --- raptor-1.4.21/debian/control 2012-03-23 00:24:07.0 -0500 +++ raptor-1.4.21/debian/control 2012-06-13 15:31:13.0 -0500 @@ -1,7 +1,8 @@ Source: raptor Section: devel Priority: optional -Maintainer: Dave Beckett +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Dave Beckett Build-Depends: debhelper (>> 5), autotools-dev, cdbs, libtool (>= 1.5), libxml2-dev (>= 2.5.10), libcurl4-gnutls-dev, libxslt1-dev (>= 1.0.18) Standards-Version: 3.9.3 Homepage: http://librdf.org/raptor/ diff -Nru raptor-1.4.21/debian/patches/raptor-1.4.21-cve.patch raptor-1.4.21/debian/patches/raptor-1.4.21-cve.patch --- raptor-1.4.21/debian/patches/raptor-1.4.21-cve.patch 2012-02-22 15:53:42.0 -0600 +++ raptor-1.4.21/debian/patches/raptor-1.4.21-cve.patch 2012-06-13 15:36:42.0 -0500 
@@ -1,6 +1,7 @@ -diff -urN -X /home/dajobe/dev/dontdiff -x raptor.rdf -x file1.txt -x xmlent1.rdf -x rapper -x rdfdiff raptor-1.4.21.orig/src/raptor.h raptor-1.4.21/src/raptor.h raptor-1.4.21.orig/src/raptor.h 2010-01-29 15:54:42.0 -0800 -+++ raptor-1.4.21/src/raptor.h 2012-02-04 15:29:56.0 -0800 +Index: raptor-1.4.21/src/raptor.h +=== +--- raptor-1.4.21.orig/src/raptor.h 2010-01-29 17:54:42.0 -0600 raptor-1.4.21/src/raptor.h 2012-06-13 15:24:20.0 -0500 @@ -407,6 +407,7 @@ * @RAPTOR_FEATURE_RSS_TRIPLES: Atom/RSS serializer writes extra RDF triples it finds (none, rdf-xml, atom-triples) * @RAPTOR_FEATURE_ATOM_ENTRY_URI: Atom entry URI. If given, generate an Atom Entry Document with the item having the given URI, otherwise generate an Atom Feed Document with any items found. @@ -19,9 +20,10 @@ } raptor_feature; -diff -urN -X /home/dajobe/dev/dontdiff -x raptor.rdf -x file1.txt -x xmlent1.rdf -x rapper -x rdfdiff raptor-1.4.21.orig/src/raptor_feature.c raptor-1.4.21/src/raptor_feature.c raptor-1.4.21.orig/src/raptor_feature.c 2010-01-29 15:54:42.0 -0800 -+++ raptor-1.4.21/src/raptor_feature.c 2012-02-04 15:29:56.0 -0800 +Index: raptor-1.4.21/src/raptor_feature.c +=== +--- raptor-1.4.21.orig/src/raptor_feature.c 2010-01-29 17:54:42.0 -0600 raptor-1.4.21/src/raptor_feature.c 2012-06-13 15:24:20.0 -0500 @@ -93,7 +93,8 @@ { RAPTOR_FEATURE_JSON_EXTRA_DATA , 6, "jsonExtraData", "JSON serializer extra data" }, { RAPTOR_FEATURE_RSS_TRIPLES , 6, "rssTriples", "Atom/RSS serializer writes extra RDF triples" }, 
@@ -32,18 +34,11 @@ }; -diff -urN -X /home/dajobe/dev/dontdiff -x raptor.rdf -x file1.txt -x xmlent1.rdf -x rapper -x rdfdiff raptor-1.4.21.orig/src/raptor_internal.h raptor-1.4.21/src/raptor_internal.h raptor-1.4.21.orig/src/raptor_internal.h 2010-01-29 15:54:42.0 -0800 -+++ raptor-1.4.21/src/raptor_internal.h 2012-02-04 15:30:55.0 -0800 -@@ -852,7 +852,6 @@ - - #ifdef RAPTOR_WWW_LIBCURL - #include --#include - #include - #endif - -@@ -1060,6 +1059,14 @@ +Index: raptor-1.4.21/src/raptor_internal.h +=== +--- raptor-1.4.21.orig/src/raptor_internal.h 2012-06-13 15:24:20.0 -0500 raptor-1.4.21/src/raptor_internal.h 2012-06-13 15:25:58.0 -0500 +@@ -1058,6 +1058,14 @@ /* sax2 init failed - do not try to do anything with it */ int failed; @@ -58,9 +53,10 @@ }; int raptor_sax2_init(raptor_world* world); -diff -urN -X /home/dajobe/dev/dontdiff -x raptor.rdf -x file1.txt -x xmlent1.rdf -x rapper -x rdfdiff raptor-1.4.21.orig/src/raptor_libxml.c raptor-1.4.21/src/raptor_libxml.c raptor-1.4.21.orig/src/raptor_libxml.c 2010-01-29 15:54:42.0 -0800 -+++ raptor-1.4.21/src/raptor_libxml.c 2012-02-22 12:29:38.0 -0800 +Index: raptor-1.4.21/src/raptor_libxml
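Review bot: The debian/control hunk replaces the Maintainer field with Ubuntu Developers and adds XSBC-Original-Maintainer, which is an Ubuntu packaging change unrelated to the CVE-2012-0037 fix and should be dropped before this debdiff is applied in Debian. In the refreshed raptor-1.4.21-cve.patch, the raptor_internal.h part drops the old include hunk at line 852 and moves the remaining hunk from line 1060 to 1058, which is consistent with applying after 02-fix-639065. The debdiff is cut off here before the debian/patches/series change the report describes, so that part cannot be checked from this text.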
Bug#673331: backuppc: fix for CVE-2011-5081
Package: backuppc Version: 3.2.1-2 Severity: grave Tags: patch security Justification: user security hole User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu quantal ubuntu-patch Dear Maintainer, In Ubuntu, the attached patch was applied to achieve the following: * SECURITY UPDATE: XSS in CGI/RestoreFile.pm - lib/BackupPC/CGI/RestoreFile.pm: update to escape share and backup number - CVE-2011-5081 I developed the attached patch and forwarded it upstream. I have not heard back yet, but the patch is obvious and works here. Thanks for considering the patch. -- System Information: Debian Release: wheezy/sid APT prefers precise-updates APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500, 'precise') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-24-generic (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash diff -u backuppc-3.2.1/debian/changelog backuppc-3.2.1/debian/changelog only in patch2: unchanged: --- backuppc-3.2.1.orig/lib/BackupPC/CGI/RestoreFile.pm +++ backuppc-3.2.1/lib/BackupPC/CGI/RestoreFile.pm @@ -154,12 +154,12 @@ my $a = $view->fileAttrib($num, $share, $dir); if ( $dir =~ m{(^|/)\.\.(/|$)} || !defined($a) ) { $dir = decode_utf8($dir); -ErrorExit("Can't restore bad file ${EscHTML($dir)} ($num, $share)"); +ErrorExit("Can't restore bad file ${EscHTML($dir)} (${EscHTML($num)}, ${EscHTML($share)})"); } my $f = BackupPC::FileZIO->open($a->{fullPath}, 0, $a->{compress}); if ( !defined($f) ) { my $fullPath = decode_utf8($a->{fullPath}); -ErrorExit("Unable to open file ${EscHTML($fullPath)} ($num, $share)"); +ErrorExit("Unable to open file ${EscHTML($fullPath)} (${EscHTML($num)}, ${EscHTML($share)})"); } my $data; if ( !$skipHardLink && $a->{type} == BPC_FTYPE_HARDLINK ) {
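Review bot: Both ErrorExit() calls in RestoreFile.pm now pass $num and $share through EscHTML, but only at the point of output; $num has already been handed to $view->fileAttrib($num, $share, $dir) unchecked in the first context line. Since $num is a backup number, rejecting any value that is not all digits before that call would be a tighter guard, with the escaping in the error messages kept as a second layer.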
Bug#663677: ufw: FTBFS: Test suite failure
> Your package fails to build from source. Full build log attached.
>
>
> Performing tests 'bad/apps'
> - installing
> - result:
> Command '--dry-run allow to 192.168.0.0/16 app Samba from 192.168.0.0/16 port
> http' exited with '0', but expected '1'
> ** FAIL **

Yes, this is https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/947224 and fixed in 0.31. I will be preparing an upload for Debian soon.

--
Jamie Strandboge | http://www.canonical.com
Bug#656377: libxml2: [PATCH] fix for CVE-2011-3919
Package: libxml2 Version: 2.7.8.dfsg-5.1 Severity: grave Tags: patch security Justification: user security hole User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu precise ubuntu-patch Dear Maintainer, In Ubuntu, the attached patch was applied to achieve the following: * SECURITY UPDATE: denial of service via buffer overflow - parser.c: fix an allocation error when copying entities - 5bd3c061823a8499b27422aee04ea20aae24f03e - CVE-2011-3919 Thanks for considering the patch. References: http://git.gnome.org/browse/libxml2/commit/?id=5bd3c061823a8499b27422aee04ea20aae24f03e http://src.chromium.org/svn/trunk/src/third_party/libxml/README.chromium https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3919 http://googlechromereleases.blogspot.com/2012/01/stable-channel-update.html -- System Information: Debian Release: wheezy/sid APT prefers precise-updates APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500, 'precise') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-8-generic (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash diff -u libxml2-2.7.8.dfsg/parser.c libxml2-2.7.8.dfsg/parser.c --- libxml2-2.7.8.dfsg/parser.c +++ libxml2-2.7.8.dfsg/parser.c @@ -2709,7 +2709,7 @@ buffer[nbchars++] = '&'; if (nbchars > buffer_size - i - XML_PARSER_BUFFER_SIZE) { - growBuffer(buffer, XML_PARSER_BUFFER_SIZE); + growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE); } for (;i > 0;i--) buffer[nbchars++] = *cur++; diff -u libxml2-2.7.8.dfsg/debian/changelog libxml2-2.7.8.dfsg/debian/changelog
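Review bot: The parser.c change grows the buffer by i + XML_PARSER_BUFFER_SIZE just before the loop that copies i bytes, but the debdiff adds no regression test for it. A test input in which the copied length i exceeds XML_PARSER_BUFFER_SIZE would exercise the corrected branch and show that the growth now covers the whole copy.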
Bug#656278: t1lib: [PATCH] fixes for remaining CVEs
Package: t1lib Version: 5.1.2-3.4 Severity: grave Tags: patch security Justification: user security hole User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu precise ubuntu-patch Dear Maintainer, In Ubuntu, the attached patch was applied to achieve the following: * SECURITY UPDATE: fix denial of service via oversized fonts - debian/patches/CVE-2011-1552_1553_1554.patch: add additional tests to address remaining crashes - CVE-2011-1552 - CVE-2011-1553 - CVE-2011-1554 * SECURITY UPDATE: fix heap-based buffer overflow via AFM font parser - update debian/patches/series to apply CVE-2010-2642.patch which was mistakenly not updated in 5.1.2-3.4 - CVE-2010-2642 - CVE-2011-0433 Debian took the Ubuntu patch for CVE-2011-0764 (which is great). RedHat later fixed the remaining open CVEs with a patch landing in Fedora's http://koji.fedoraproject.org/koji/buildinfo?buildID=282529. I then verified all the patches in Debian against Fedora's patchset and came up with this patch against 5.1.2-3.4. While Debian included an equivalent patch for CVE-2010-2642 (which also fixes CVE-2011-0433), it was not added to the debian/patches/series file, so it wasn't applied during the build. The attached debdiff should bring unstable up to date on these issues. Thanks for considering the patch. -- System Information: Debian Release: wheezy/sid APT prefers precise-updates APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500, 'precise') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-8-generic (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash diff -u t1lib-5.1.2/debian/changelog t1lib-5.1.2/debian/changelog diff -u t1lib-5.1.2/debian/control t1lib-5.1.2/debian/control --- t1lib-5.1.2/debian/control +++ t1lib-5.1.2/debian/control 
@@ -1,7 +1,8 @@ Source: t1lib Section: libs Priority: optional -Maintainer: Ruben Molina +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Ruben Molina Build-Depends: cdbs, debhelper (>= 7), autotools-dev, libice-dev, libsm-dev, libx11-dev, libxext-dev, libxaw7-dev, quilt Standards-Version: 3.8.0 Homepage: ftp://sunsite.unc.edu/pub/Linux/libs/graphics/ diff -u t1lib-5.1.2/debian/patches/series t1lib-5.1.2/debian/patches/series --- t1lib-5.1.2/debian/patches/series +++ t1lib-5.1.2/debian/patches/series @@ -6,0 +7,2 @@ +CVE-2011-1552_1553_1554.patch +CVE-2010-2642.patch only in patch2: unchanged: --- t1lib-5.1.2.orig/debian/patches/CVE-2011-1552_1553_1554.patch +++ t1lib-5.1.2/debian/patches/CVE-2011-1552_1553_1554.patch 
@@ -0,0 +1,133 @@ +Author: Jaroslav Škarvada +Description: Fix more crashes on oversized fonts +Bug-Redhat: http://bugzilla.redhat.com/show_bug.cgi?id=692909 +Index: t1lib-5.1.2/lib/type1/lines.c +=== +--- t1lib-5.1.2.orig/lib/type1/lines.c 2007-12-23 09:49:42.0 -0600 t1lib-5.1.2/lib/type1/lines.c 2012-01-17 14:15:08.0 -0600 +@@ -67,6 +67,10 @@ + None. + */ + ++#define BITS (sizeof(LONG)*8) ++#define HIGHTEST(p) (((p)>>(BITS-2)) != 0) /* includes sign bit */ ++#define TOOBIG(xy) ((xy < 0) ? HIGHTEST(-xy) : HIGHTEST(xy)) ++ + /* + :h2.StepLine() - Produces Run Ends for a Line After Checks + +@@ -84,6 +88,9 @@ +IfTrace4((LineDebug > 0), ".StepLine: (%d,%d) to (%d,%d)\n", + x1, y1, x2, y2); + ++ if ( TOOBIG(x1) || TOOBIG(x2) || TOOBIG(y1) || TOOBIG(y2)) ++ abort("Lines this big not supported", 49); ++ +dy = y2 - y1; + + /* +Index: t1lib-5.1.2/lib/type1/objects.c +=== +--- t1lib-5.1.2.orig/lib/type1/objects.c 2007-12-23 09:49:42.0 -0600 t1lib-5.1.2/lib/type1/objects.c 2012-01-17 14:15:08.0 -0600 +@@ -1137,12 +1137,13 @@ + "Context: out of them", /* 46 */ + "MatrixInvert: can't", /* 47 */ + "xiStub called", /* 48 */ +-"Illegal access type1 abort() message" /* 49 */ ++"Lines this big not supported", /* 49 */ ++"Illegal access type1 abort() message" /* 50 */ + }; + +- /* no is valid from 1 to 48 */ +- if ( (number<1)||(number>48)) +-number=49; ++ /* no is valid from 1 to 49 */ ++ if ( (number<1)||(number>49)) ++number=50; + return( err_msgs[number-1]); + + } +Index: t1lib-5.1.2/lib/type1/type1.c +=== +--- t1lib-5.1.2.orig/lib/type1/type1.c 2012-01-17 14:13:28.0 -0600 t1lib-5.1.2/lib/type1/type1.c 2012-01-17 14:19:54.0 -0600 +@@ -1012,6 +1012,7 @@ + double nextdtana = 0.0; /* tangent of post-delta against horizontal line */ + double nextdtanb = 0.0; /* tangent of post-delta against vertical line */ + ++ if (ppoints == NULL || numppoints < 1) Error0v("FindStems: No previous point!\n"); + + /* setup default hinted position *
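Review bot: In the lines.c part of CVE-2011-1552_1553_1554.patch, TOOBIG(xy) uses its argument unparenthesised and negates it with -xy, which is undefined for the most negative LONG value. Parenthesising the argument, as in ((xy) < 0) ? HIGHTEST(-(xy)) : HIGHTEST(xy), and doing the negation on an unsigned copy would keep the range check itself free of overflow. Separately, the debian/control hunk that switches Maintainer to Ubuntu Developers is Ubuntu-specific and should be left out when this is applied in Debian.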
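The raptor and t1lib reports above both describe a security patch that was shipped in debian/patches but never applied because debian/patches/series did not list it. A check for that condition, as an added example (not code from either package or from Debian tooling); it assumes a quilt-style series file and patch files ending in .patch or .diff, and the name 01-constructed-example.patch is made up for the demo:

```python
import os
import tempfile


def parse_series(text):
    """Return the patch names a quilt-style series file lists, in order."""
    names = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        # First word is the patch path; anything after it (e.g. -p1) is options.
        names.append(line.split()[0])
    return names


def audit_patch_dir(patch_dir):
    """Compare the patch files on disk with what series lists.

    Returns (unlisted, missing):
      unlisted - patch files present on disk but absent from series, so the
                 build never applies them
      missing  - names listed in series that have no file on disk
    """
    series_path = os.path.join(patch_dir, "series")
    listed = []
    if os.path.isfile(series_path):
        with open(series_path, encoding="utf-8") as fh:
            listed = parse_series(fh.read())

    on_disk = set()
    for root, _dirs, files in os.walk(patch_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), patch_dir)
            # Assumption: patches are recognised by suffix.
            if rel != "series" and rel.endswith((".patch", ".diff")):
                on_disk.add(rel)

    unlisted = sorted(on_disk - set(listed))
    missing = sorted(set(listed) - on_disk)
    return unlisted, missing


def demo():
    """Constructed tree mirroring the raptor report: the CVE patch file exists
    in debian/patches, but series does not name it."""
    with tempfile.TemporaryDirectory() as top:
        patch_dir = os.path.join(top, "debian", "patches")
        os.makedirs(patch_dir)
        for name in ("01-constructed-example.patch", "raptor-1.4.21-cve.patch"):
            with open(os.path.join(patch_dir, name), "w", encoding="utf-8") as fh:
                fh.write("--- a\n+++ b\n")  # placeholder patch body
        with open(os.path.join(patch_dir, "series"), "w", encoding="utf-8") as fh:
            fh.write("# constructed series file\n01-constructed-example.patch -p1\n")
        return audit_patch_dir(patch_dir)


if __name__ == "__main__":
    unlisted, missing = demo()
    for name in unlisted:
        print("NOT APPLIED (not in series):", name)
    for name in missing:
        print("LISTED BUT MISSING:", name)
```

Run against a real source tree with audit_patch_dir("debian/patches"); a non-empty first list is the situation both reports describe.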
Bug#647315: Security issue (no CVE yet)
FYI, this now has a CVE (CVE-2011-4103) and looks to be fixed in 0.2.2-2:

python-django-piston (0.2.2-2) unstable; urgency=low

  [ Michael Ziegler ]
  * Bump Standards Version to 3.9.2.
  * Remove reference to /usr/share/common-licenses/BSD and strip trailing
    whitespace in copyright.
  * Fix a copy-paste error in copyright.
  * Fix a security issue in the YAML emitter.
  * Disable the pickle loader due to security concerns (Closes: #646517).

  [ Luca Falavigna ]
  * Enable DM-Upload-Allowed field
Bug#646865: backuppc: [PATCH] fix related issue to CVE-2011-3361 in CGI/View.pm
Package: backuppc Version: 3.2.1-1 Severity: grave Tags: patch security Justification: user security hole User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu precise ubuntu-patch In Ubuntu, the attached patch was applied to achieve the following: * SECURITY UPDATE: XSS in CGI/View.pm - lib/BackupPC/CGI/View.pm: update to verify backup number is numeric - CVE-2011- A CVE was requested on oss-security: http://www.openwall.com/lists/oss-security/2011/10/27/8 Thanks for considering the patch. -- System Information: Debian Release: wheezy/sid APT prefers oneiric-updates APT policy: (500, 'oneiric-updates'), (500, 'oneiric-security'), (500, 'oneiric') Architecture: amd64 (x86_64) Kernel: Linux 3.0.0-12-generic (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash diff -u backuppc-3.2.1/debian/changelog backuppc-3.2.1/debian/changelog diff -u backuppc-3.2.1/lib/BackupPC/CGI/View.pm backuppc-3.2.1/lib/BackupPC/CGI/View.pm --- backuppc-3.2.1/lib/BackupPC/CGI/View.pm +++ backuppc-3.2.1/lib/BackupPC/CGI/View.pm @@ -46,7 +46,7 @@ my $compress = 0; my $fh; my $host = $In{host}; -my $num = $In{num}; +my $num = ${EscHTML($In{num})}; my $type = $In{type}; my $linkHosts = 0; my($file, $comment);
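Review bot: The changelog entry says View.pm is updated "to verify backup number is numeric", but the hunk assigns my $num = ${EscHTML($In{num})}, which HTML-escapes the value rather than checking it. Escaping at assignment also means every later non-HTML use of $num receives the escaped string. A check such as $num =~ /^\d+$/ with an ErrorExit on failure would match the description and leave $num clean for those uses.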
Bug#632484: [PATCH] honeyd FTBFS (configure: error: Couldn't figure out how to access libc)
Package: honeyd Version: 1.5c-8 Followup-For: Bug #632484 User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu oneiric ubuntu-patch *** /tmp/tmpNjoEKf In Ubuntu, the attached patch was applied to achieve the following: [ Steve Langasek ] * configure.in: Fix wrong attempt to use dlsym() without linking against -ldl, which resulted in a build-time failure to detect support for RTLD_NEXT and ultimately leads to a build failure with multiarch due to wrong probing of libc.so. Closes: #632484, LP: #749247. This is Ubuntu bug: https://bugs.launchpad.net/ubuntu/oneiric/+source/honeyd/+bug/749247 After applying the patch, you will want to install autoconf and libtool, then run 'autoreconf -fi'. In the Ubuntu package I just did this and had it be part of the diff.gz, but I thought you may want to handle it differently. The patch also includes declaring the package as source format 1.0. Thanks for considering the patch. -- System Information: Debian Release: wheezy/sid APT prefers oneiric-updates APT policy: (500, 'oneiric-updates'), (500, 'oneiric-security'), (500, 'oneiric') Architecture: amd64 (x86_64) Kernel: Linux 3.0.0-11-generic (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash diff -u honeyd-1.5c/configure.in honeyd-1.5c/configure.in --- honeyd-1.5c/configure.in +++ honeyd-1.5c/configure.in @@ -680,6 +680,9 @@ HAVEMETHOD=no +dnl Better look at libdl if trying to use dlsym()... +LIBS="$LIBDL" + AC_MSG_CHECKING(if we can access libc without dlopen) AC_TRY_RUN( #include @@ -702,9 +705,6 @@ if test "$HAVEMETHOD" = "no"; then -dnl Make sure we use libld if necessary -- CPK -LIBS="$LIBDL $LIBS" - dnl ugly, ugly hack LIBCGUESS=`echo /lib/libc.so.*` USRLIBCGUESS=`echo /usr/lib/libc.so*` --- honeyd-1.5c.orig/debian/source/format +++ honeyd-1.5c/debian/source/format @@ -0,0 +1 @@ +1.0
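Review bot: The added line LIBS="$LIBDL" in the first configure.in hunk overwrites LIBS, whereas the line removed in the second hunk was LIBS="$LIBDL $LIBS" and preserved whatever earlier checks had accumulated. Unless LIBS is known to be empty at that point in configure.in, use LIBS="$LIBDL $LIBS" here as well so that later link tests and the final link keep the libraries already detected.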
Bug#632984: oprofile: CVE-2011-2472 is not fixed due to 0003-Avoid-blindly-source-SETUP_FILE-with.patch
Package: oprofile Version: 0.9.6-1.3 Severity: grave Tags: patch security Justification: user security hole User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu oneiric ubuntu-patch In Ubuntu, the attached patch was applied to achieve the following: * SECURITY UPDATE: arbitrary file overwrite - 0005-add-back-error_if_not_basename.patch: readd error_if_not_basename() which was removed in 0003-Avoid-blindly-source-SETUP_FILE-with.patch See http://www.openwall.com/lists/oss-security/2011/07/07/6 for details. Thanks for considering the patch. -- System Information: Debian Release: squeeze/sid APT prefers natty-updates APT policy: (500, 'natty-updates'), (500, 'natty-security'), (500, 'natty') Architecture: amd64 (x86_64) Kernel: Linux 2.6.38-8-generic (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash --- oprofile-0.9.6.orig/debian/patches/0005-add-back-error_if_not_basename.patch +++ oprofile-0.9.6/debian/patches/0005-add-back-error_if_not_basename.patch @@ -0,0 +1,19 @@ +Author: Jamie Strandboge +Description: add back error_if_not_basename() which was removed in + 0003-Avoid-blindly-source-SETUP_FILE-with.patch +Forwarded: yes + +Index: oprofile-0.9.6/utils/opcontrol +=== +--- oprofile-0.9.6.orig/utils/opcontrol2011-07-07 10:58:26.0 -0500 oprofile-0.9.6/utils/opcontrol 2011-07-07 10:58:35.0 -0500 +@@ -785,7 +785,8 @@ + ;; + + --save) +-error_if_invalid_arg $arg $val ++ error_if_invalid_arg $arg $val ++ error_if_not_basename $arg $val + DUMP=yes + SAVE_SESSION=yes + SAVE_NAME=$val
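Review bot: In the --save case of utils/opcontrol, $val is passed unquoted to error_if_not_basename (and to error_if_invalid_arg), so a value containing whitespace is split into several arguments before the check sees it, while SAVE_NAME=$val below stores the whole string. Quoting both as "$arg" "$val" makes the check run on the same value that is saved. The re-indented error_if_invalid_arg line is a whitespace-only change and can be dropped from the hunk.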
Bug#607732: opensc: buffer overflow with rogue cards
Package: opensc Version: 0.11.13-1 Severity: grave Tags: patch security Justification: user security hole User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu natty ubuntu-patch In Ubuntu, the attached patch was applied to achieve the following: * SECURITY UPDATE: specially crafted cards may be able to execute code. - debian/patches/min-max.patch: Add MIN and MAX macros for last patch - debian/patches/buffer-overflow.patch: Fix potential buffer overflow by rogue cards. (LP: #692483) This is upstream changesets: https://www.opensc-project.org/opensc/changeset/4912 https://www.opensc-project.org/opensc/changeset/4913 This was originally submitted as an Ubuntu bug in: https://bugs.launchpad.net/ubuntu/+source/opensc/+bug/692483 This does not currently have a CVE assigned. Thanks for considering the patch. -- System Information: Debian Release: squeeze/sid APT prefers natty-updates APT policy: (500, 'natty-updates'), (500, 'natty-security'), (500, 'natty') Architecture: amd64 (x86_64) Kernel: Linux 2.6.37-10-generic (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash diff -Nru opensc-0.11.13/debian/changelog opensc-0.11.13/debian/changelog diff -Nru opensc-0.11.13/debian/patches/buffer-overflow.patch opensc-0.11.13/debian/patches/buffer-overflow.patch --- opensc-0.11.13/debian/patches/buffer-overflow.patch 1969-12-31 18:00:00.0 -0600 +++ opensc-0.11.13/debian/patches/buffer-overflow.patch 2010-12-21 08:02:31.0 -0600 
@@ -0,0 +1,48 @@ +## Description: Fix buffer overflow +## Origin: upstream, https://www.opensc-project.org/opensc/changeset/4913 +## Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/opensc/+bug/692483 +Index: opensc-0.11.13/src/libopensc/card-acos5.c +=== +--- opensc-0.11.13.orig/src/libopensc/card-acos5.c 2010-12-21 09:50:31.963758002 +0100 opensc-0.11.13/src/libopensc/card-acos5.c 2010-12-21 09:50:28.265608001 +0100 +@@ -140,8 +140,8 @@ + /* + * Cache serial number. + */ +- memcpy(card->serialnr.value, apdu.resp, apdu.resplen); +- card->serialnr.len = apdu.resplen; ++ memcpy(card->serialnr.value, apdu.resp, MIN(apdu.resplen, SC_MAX_SERIALNR)); ++ card->serialnr.len = MIN(apdu.resplen, SC_MAX_SERIALNR); + + /* + * Copy and return serial number. +Index: opensc-0.11.13/src/libopensc/card-atrust-acos.c +=== +--- opensc-0.11.13.orig/src/libopensc/card-atrust-acos.c 2010-12-21 09:50:31.903788002 +0100 opensc-0.11.13/src/libopensc/card-atrust-acos.c 2010-12-21 09:50:28.265608001 +0100 +@@ -853,8 +853,8 @@ + if (apdu.sw1 != 0x90 || apdu.sw2 != 0x00) + return SC_ERROR_INTERNAL; + /* cache serial number */ +- memcpy(card->serialnr.value, apdu.resp, apdu.resplen); +- card->serialnr.len = apdu.resplen; ++ memcpy(card->serialnr.value, apdu.resp, MIN(apdu.resplen, SC_MAX_SERIALNR)); ++ card->serialnr.len = MIN(apdu.resplen, SC_MAX_SERIALNR); + /* copy and return serial number */ + memcpy(serial, &card->serialnr, sizeof(*serial)); + return SC_SUCCESS; +Index: opensc-0.11.13/src/libopensc/card-starcos.c +=== +--- opensc-0.11.13.orig/src/libopensc/card-starcos.c 2010-12-21 09:50:32.043718002 +0100 opensc-0.11.13/src/libopensc/card-starcos.c 2010-12-21 09:50:28.265608001 +0100 +@@ -1289,8 +1289,8 @@ + if (apdu.sw1 != 0x90 || apdu.sw2 != 0x00) + return SC_ERROR_INTERNAL; + /* cache serial number */ +- memcpy(card->serialnr.value, apdu.resp, apdu.resplen); +- card->serialnr.len = apdu.resplen; ++ memcpy(card->serialnr.value, apdu.resp, MIN(apdu.resplen, SC_MAX_SERIALNR)); ++ 
card->serialnr.len = MIN(apdu.resplen, SC_MAX_SERIALNR); + /* copy and return serial number */ + memcpy(serial, &card->serialnr, sizeof(*serial)); + return SC_SUCCESS; diff -Nru opensc-0.11.13/debian/patches/min-max.patch opensc-0.11.13/debian/patches/min-max.patch --- opensc-0.11.13/debian/patches/min-max.patch 1969-12-31 18:00:00.0 -0600 +++ opensc-0.11.13/debian/patches/min-max.patch 2010-12-21 08:02:31.0 -0600 @@ -0,0 +1,39 @@ +## Description: Add MIN and MAX macros for buffer overflow patch +## Origin: upstream, https://www.opensc-project.org/opensc/changeset/4912 +## Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/opensc/+bug/692483 +Index: opensc-0.11.13/src/libopensc/internal.h +=== +--- opensc-0.11.13.orig/src/libopensc/internal.h 2010-12-21 09:51:32.763343000 +0100 opensc-0.11.13/src/libopensc/internal.h 2010-12-21 09:51:29.894778002 +0100 +@@ -48,6 +48,13 @@ + #else + #define msleep(t) Sleep(t) + #define sleep(t) Sleep((t) * 1000) ++#endif ++ ++#ifndef MAX ++#define MAX(x, y) (((x) > (y)) ? (x) : (y)) ++#endif ++#ifndef MIN ++#define MIN(x, y) (((x) < (y)) ? (x) : (y)) + #endif
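Review bot: All three serial-number hunks (card-acos5.c, card-atrust-acos.c, card-starcos.c) clamp the copy with MIN(apdu.resplen, SC_MAX_SERIALNR) and carry on, so a response longer than the serial-number field is silently truncated and cached. The card-atrust-acos.c and card-starcos.c hunks already return SC_ERROR_INTERNAL on a bad status word just above; returning an error for an oversized response too would surface a malformed card instead of storing a partial serial. If truncation is kept, computing the clamped length once into a local and using it for both memcpy and serialnr.len would avoid evaluating the macro twice.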
Bug#580120: mediatomb allows anyone to browse and export the whole filesystem
Package: mediatomb
Version: 0.12.0~svn2018-6
Severity: grave
Tags: security
Justification: user security hole

This bug was reported to Ubuntu via Launchpad: https://launchpad.net/bugs/569763

From the upstream documentation at http://mediatomb.cc/pages/documentation#id2856362:

"The server has an integrated filesystem browser, that means that anyone who has access to the UI can browse your filesystem (with user permissions under which the server is running) and also download your data! If you want maximum security - disable the UI completely! Account authentication offers simple protection that might hold back your kids, but it is not secure enough for use in an untrusted environment! Note: since the server is meant to be used in a home LAN environment the UI is enabled by default and accounts are deactivated, thus allowing anyone on your network to connect to the user interface."

Unfortunately, the Debian/Ubuntu packaging preserves these installation defaults, which IMHO is incorrect behavior for a distribution. A few ways to solve this are:

* the web UI should be disabled on new installs
* a debconf question should prompt the user to enable the web UI, but default to 'no'
* enable the web UI, but create an account for connecting to it

Upstream doesn't seem confident in mediatomb's handling of authentication, so it would probably make sense to not rely on it and simply disable the feature, documenting how to enable it and the pitfalls of enabling it in README.Debian.

-- System Information:
Debian Release: squeeze/sid
  APT prefers lucid-updates
  APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 'lucid')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-21-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Bug#564340: jabberd2: [PATCH] FTBFS: libtool: link: cannot find the library `/usr/lib/libgcrypt.la' or unhandled argument `/usr/lib/libgcrypt.la'
Package: jabberd2 Version: 2.2.8-2 Severity: normal Tags: patch User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu lucid ubuntu-patch In Ubuntu, we've applied the attached patch to achieve the following: * debian.control: Build-Depends on libgcrypt11-dev to fix FTBFS (LP: #538126) We thought you might be interested in doing the same. -- System Information: Debian Release: squeeze/sid APT prefers lucid-updates APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 'lucid-proposed'), (500, 'lucid') Architecture: amd64 (x86_64) Kernel: Linux 2.6.32-15-generic (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash diff -u jabberd2-2.2.8/debian/control jabberd2-2.2.8/debian/control --- jabberd2-2.2.8/debian/control +++ jabberd2-2.2.8/debian/control @@ -4,7 +4,7 @@ Maintainer: Ubuntu MOTU Developers XSBC-Original-Maintainer: Debian XMPP Maintainers Uploaders: Jorge Salamero Sanz , Thadeu Lima de Souza Cascardo -Build-Depends: debhelper (>= 7), dpatch, autotools-dev, automake, libtool, libssl-dev, libgsasl7-dev (>= 0.2.27), libdb-dev, libpam0g-dev, libmysqlclient15-dev, libpq-dev, libldap2-dev, libsqlite3-dev, libidn11-dev, libexpat1-dev, libudns-dev +Build-Depends: debhelper (>= 7), dpatch, autotools-dev, automake, libtool, libssl-dev, libgsasl7-dev (>= 0.2.27), libdb-dev, libpam0g-dev, libmysqlclient15-dev, libpq-dev, libldap2-dev, libsqlite3-dev, libidn11-dev, libexpat1-dev, libudns-dev, libgcrypt11-dev Standards-Version: 3.8.1 Homepage: http://jabberd2.xiaoka.com/ diff -u jabberd2-2.2.8/debian/changelog jabberd2-2.2.8/debian/changelog
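Review bot: The context lines of this debian/control hunk carry Ubuntu's Maintainer: Ubuntu MOTU Developers and XSBC-Original-Maintainer fields, so the hunk will not apply to Debian's control file as it stands. Only the Build-Depends line with libgcrypt11-dev appended is relevant there and should be carried over by hand.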
Bug#570737: [PATCH] sudoedit permission in sudoers grants permission to any sudoedit executables
Package: sudo Version: 1.7.2p1-1 Severity: normal Tags: patch User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu lucid ubuntu-patch In Ubuntu, we've applied the attached patch to achieve the following: * SECURITY UPDATE: properly verify path for the 'sudoedit' pseudo-command in match.c - http://sudo.ws/repos/sudo/rev/88f3181692fe - CVE-2010-0426 We thought you might be interested in doing the same. -- System Information: Debian Release: squeeze/sid APT prefers lucid-updates APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 'lucid-proposed'), (500, 'lucid') Architecture: amd64 (x86_64) Kernel: Linux 2.6.32-14-generic (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash diff -u sudo-1.7.2p1/debian/changelog sudo-1.7.2p1/debian/changelog only in patch2: unchanged: --- sudo-1.7.2p1.orig/match.c +++ sudo-1.7.2p1/match.c @@ -381,7 +381,7 @@ char *sudoers_args; { /* Check for pseudo-commands */ -if (strchr(user_cmnd, '/') == NULL) { +if (sudoers_cmnd[0] != '/') { /* * Return true if both sudoers_cmnd and user_cmnd are "sudoedit" AND * a) there are no args in sudoers OR
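Review bot: The match.c hunk changes the pseudo-command test from strchr(user_cmnd, '/') == NULL to sudoers_cmnd[0] != '/', but the one-line comment above it still says only "Check for pseudo-commands". A sentence stating that a pseudo-command is recognised from the sudoers entry and not from the command the user supplied would record why the test moved, and a regression test covering a sudoers sudoedit entry would guard against the condition being reverted.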
Bug#560942: CVE-2009-3560 and CVE-2009-3720 denial-of-services
On Thu, 2010-01-28 at 10:00 +0100, sean finney wrote:
> 560942
> i've imported the patches into git but one of them does not apply:
>
> Applying patch CVE-2009-3560.patch
> patching file lib/expat/xmlparse/xmlparse.c
> Hunk #1 FAILED at 2330.
> 1 out of 1 hunk FAILED -- rejects in file ib/expat/xmlparse/xmlparse.c
> Patch CVE-2009-3560.patch does not apply (enforce with -f)

That's weird cause it works fine here:

$ md5sum /tmp/xmlrpc-c.diff
11b2a93bf29420838e7e560304aba980 /tmp/xmlrpc-c.diff
$ apt-get source xmlrpc-c=1.06.27-1
Reading package lists... Done
Building dependency tree
Reading state information... Done
Need to get 707kB of source archives.
Get:1 http://ftp.debian.org unstable/main xmlrpc-c 1.06.27-1 (dsc) [1,070B]
Get:2 http://ftp.debian.org unstable/main xmlrpc-c 1.06.27-1 (tar) [700kB]
Get:3 http://ftp.debian.org unstable/main xmlrpc-c 1.06.27-1 (diff) [6,767B]
Fetched 707kB in 1s (458kB/s)
dpkg-source: info: extracting xmlrpc-c in xmlrpc-c-1.06.27
dpkg-source: info: unpacking xmlrpc-c_1.06.27.orig.tar.gz
dpkg-source: info: applying xmlrpc-c_1.06.27-1.diff.gz
$ cd ./xmlrpc-c-1.06.27/
$ cat /tmp/xmlrpc-c.diff | patch -p1
patching file debian/patches/series
patching file debian/patches/CVE-2009-3560.patch
patching file debian/patches/CVE-2009-3720.patch
$ fakeroot debian/rules patch
QUILT_PATCHES=debian/patches quilt --quiltrc /dev/null push -a || test $? = 2
Applying patch old-libtool.patch
patching file ltconfig
Applying patch curl_easy_setopt.patch
patching file lib/curl_transport/xmlrpc_curl_transport.c
Applying patch CVE-2009-3720.patch
patching file lib/expat/xmltok/xmltok_impl.c
Applying patch CVE-2009-3560.patch
patching file lib/expat/xmlparse/xmlparse.c
Now at patch CVE-2009-3560.patch
touch debian/stamp-patched

Are you looking at 1.16.07-1 from experimental and not 1.06.27-1 from unstable?

Jamie

--
Jamie Strandboge | http://www.canonical.com
Bug#560942: CVE-2009-3560 and CVE-2009-3720 denial-of-services
Package: xmlrpc-c Version: 1.06.27-1 Severity: normal Tags: patch User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu karmic ubuntu-patch In Ubuntu, we've applied the attached patch to achieve the following: * SECURITY UPDATE: fix DoS via malformed XML - debian/patches/CVE-2009-3720.patch: update expat/xmltok/xmltok_impl.c to not access beyond end of input string - CVE-2009-3720 * SECURITY UPDATE: fix DoS via malformed UTF-8 sequences - debian/patches/CVE-2009-3560.patch: update expat/xmlparse/xmlparse.c to properly recognize the end of a token - CVE-2009-3560 We thought you might be interested in doing the same. Please note that the patches do include the regressions fixes. Jamie -- System Information: Debian Release: squeeze/sid APT prefers karmic-updates APT policy: (500, 'karmic-updates'), (500, 'karmic-security'), (500, 'karmic') Architecture: amd64 (x86_64) Kernel: Linux 2.6.31-17-generic (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash diff -u xmlrpc-c-1.06.27/debian/changelog xmlrpc-c-1.06.27/debian/changelog diff -u xmlrpc-c-1.06.27/debian/patches/series xmlrpc-c-1.06.27/debian/patches/series --- xmlrpc-c-1.06.27/debian/patches/series +++ xmlrpc-c-1.06.27/debian/patches/series @@ -3,0 +4,2 @@ +CVE-2009-3720.patch +CVE-2009-3560.patch only in patch2: unchanged: --- xmlrpc-c-1.06.27.orig/debian/patches/CVE-2009-3560.patch +++ xmlrpc-c-1.06.27/debian/patches/CVE-2009-3560.patch 
@@ -0,0 +1,19 @@ +Description: DoS via XML document with malformed UTF-8 sequences + (CVE_2009_3560) +Origin: http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.166 + http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?view=log#rev1.166 + http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?view=log#rev1.165 + +diff -Nur xmlrpc-c-1.06.27/lib/expat/xmlparse/xmlparse.c xmlrpc-c-1.06.27.new/lib/expat/xmlparse/xmlparse.c +--- xmlrpc-c-1.06.27/lib/expat/xmlparse/xmlparse.c 2007-01-10 19:08:53.0 -0600 xmlrpc-c-1.06.27.new/lib/expat/xmlparse/xmlparse.c 2010-01-26 12:56:33.885170530 -0600 +@@ -2330,6 +2330,9 @@ + return XML_ERROR_UNCLOSED_TOKEN; + case XML_TOK_PARTIAL_CHAR: + return XML_ERROR_PARTIAL_CHAR; ++ case -XML_TOK_PROLOG_S: ++tok = -tok; ++break; + case XML_TOK_NONE: + #ifdef XML_DTD + if (enc != encoding) only in patch2: unchanged: --- xmlrpc-c-1.06.27.orig/debian/patches/CVE-2009-3720.patch +++ xmlrpc-c-1.06.27/debian/patches/CVE-2009-3720.patch @@ -0,0 +1,15 @@ +Description: DoS via malformed XML (CVE-2009-3720) +Origin: http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.15&r2=1.13 + +diff -Nur xmlrpc-c-1.06.27/lib/expat/xmltok/xmltok_impl.c xmlrpc-c-1.06.27.new/lib/expat/xmltok/xmltok_impl.c +--- xmlrpc-c-1.06.27/lib/expat/xmltok/xmltok_impl.c 2006-07-11 21:00:38.0 -0500 xmlrpc-c-1.06.27.new/lib/expat/xmltok/xmltok_impl.c 2010-01-26 12:55:26.395172892 -0600 +@@ -1737,7 +1737,7 @@ + const char *end, + POSITION *pos) + { +- while (ptr != end) { ++ while (ptr < end) { + switch (BYTE_TYPE(enc, ptr)) { + #define LEAD_CASE(n) \ + case BT_LEAD ## n: \
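Review bot: the new `case -XML_TOK_PROLOG_S:` arm in the xmlparse.c hunk at 2330 carries no comment, and negating `tok` and breaking out of the switch is not self-explanatory next to neighbouring arms that return an error. A one-line comment stating that the negative token is turned back into its positive form so that processing continues would help whoever next rebases this against upstream expat. The Description header also writes the identifier as CVE_2009_3560 with underscores while the file name and changelog use CVE-2009-3560; use the hyphenated form so a search for the CVE finds the patch.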
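Review bot: in the xmltok_impl.c hunk at 1737 the loop guard changes from `ptr != end` to `ptr < end` with no comment on why equality is no longer enough. If the reason is that `ptr` can advance by more than one byte per iteration and step over `end`, say so next to the loop, and confirm whether the multi-byte `LEAD_CASE(n)` arms need their own remaining-length test, since the new guard only stops the following iteration. The Origin line lists the revisions as r1=1.15&r2=1.13, the reverse of the order used in CVE-2009-3560.patch.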
Bug#560074: ntp: CVE-2009-3563 DoS through mode 7 packets
Package: ntp Version: 1:4.2.4p6+dfsg-2 Severity: normal Tags: patch User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu karmic ubuntu-patch In Ubuntu, we've applied the attached patch to achieve the following: * SECURITY UPDATE: fix DoS with mode 7 (MODE_PRIVATE) packets - debian/patches/CVE-2009-3563.patch: update ntpd/ntp_request.c to not send a response packet for and rate limit logging of invalid mode 7 requests and responses - CVE-2009-3563 We thought you might be interested in doing the same. Here are a couple more references: https://support.ntp.org/bugs/show_bug.cgi?id=1331 http://support.ntp.org/bin/view/Main/SecurityNotice#DoS_attack_from_certain_NTP_mode The attached patch should work fine going back to etch as well (with a little fuzz), as we used it as far back as ntp-4.2.0a+stable. Jamie -- System Information: Debian Release: squeeze/sid APT prefers karmic-updates APT policy: (500, 'karmic-updates'), (500, 'karmic-security'), (500, 'karmic') Architecture: amd64 (x86_64) Kernel: Linux 2.6.31-15-generic (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash diff -u ntp-4.2.4p6+dfsg/debian/changelog ntp-4.2.4p6+dfsg/debian/changelog diff -u ntp-4.2.4p6+dfsg/debian/patches/series ntp-4.2.4p6+dfsg/debian/patches/series --- ntp-4.2.4p6+dfsg/debian/patches/series +++ ntp-4.2.4p6+dfsg/debian/patches/series @@ -15,0 +16 @@ +CVE-2009-3563.patch only in patch2: unchanged: --- ntp-4.2.4p6+dfsg.orig/debian/patches/CVE-2009-3563.patch +++ ntp-4.2.4p6+dfsg/debian/patches/CVE-2009-3563.patch 
@@ -0,0 +1,31 @@ +Description: DoS with mode 7 packets - CVE-2009-3563 +Origin: CERT VU#568372 + +diff -Nur ntp-4.2.4p6+dfsg/ntpd/ntp_request.c ntp-4.2.4p6+dfsg.new/ntpd/ntp_request.c +--- ntp-4.2.4p6+dfsg/ntpd/ntp_request.c 2008-08-10 06:02:41.0 -0500 ntp-4.2.4p6+dfsg.new/ntpd/ntp_request.c 2009-12-03 14:15:58.943054585 -0600 +@@ -409,6 +409,7 @@ + int mod_okay + ) + { ++ static u_long quiet_until; + struct req_pkt *inpkt; + struct req_pkt_tail *tailinpkt; + struct sockaddr_storage *srcadr; +@@ -444,8 +445,14 @@ + || (++ec, INFO_MBZ(inpkt->mbz_itemsize) != 0) + || (++ec, rbufp->recv_length < REQ_LEN_HDR) + ) { +- msyslog(LOG_ERR, "process_private: INFO_ERR_FMT: test %d failed, pkt from %s", ec, stoa(srcadr)); +- req_ack(srcadr, inter, inpkt, INFO_ERR_FMT); ++ NLOG(NLOG_SYSEVENT) ++ if (current_time >= quiet_until) { ++msyslog(LOG_ERR, ++ "process_private: drop test %d" ++ " failed, pkt from %s", ++ ec, stoa(srcadr)); ++quiet_until = current_time + 60; ++ } + return; + } +
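Review bot: `quiet_until` is a single function-level static, so the 60-second quiet period in the hunk at 444 applies to all senders at once: after one malformed mode 7 packet has been logged, malformed packets from any other address in the next 60 seconds leave no log entry. If that is intended, state it in the patch description, and consider counting the suppressed packets and logging the count when the window reopens so the volume stays visible to whoever reads the logs. `NLOG(NLOG_SYSEVENT)` followed directly by an unbraced `if` is easy to misread; braces around the guarded block would make the nesting explicit, and the literal 60 deserves a named constant.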
Bug#528434: cron: Incomplete fix for CVE-2006-2607 (setgid() and initgroups() not checked)
Package: cron Version: 3.0pl1-105 Severity: grave Tags: patch security Justification: user security hole User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu jaunty ubuntu-patch Hi, I was reviewing a list of old bugs in the Ubuntu bug tracker, and came across: https://bugs.edge.launchpad.net/ubuntu/+source/cron/+bug/46649 I then reviewed the Ubuntu and Debian packages and found that while the most serious issue of not checking setuid() was addressed in 3.0pl1-64, checks for setgid() and initgroups() were not added. Other distributions (eg Gentoo and RedHat) fixed these calls as well. I was then curious to see when these two calls could fail and found that sys_setgid can fail via LSM and CAP_SETGID and sys_setgroups() can fail via LSM, CAP_SETGID, NGROUPS_MAX, and ENOMEM. As such, Ubuntu plans to release a fix for this in our stable releases with the following changelog: * SECURITY UPDATE: cron does not check the return code of setgid() and initgroups(), which under certain circumstances could cause applications to run with elevated group privileges. Note that the more serious issue of not checking the return code of setuid() was fixed in 3.0pl1-64. (LP: #46649) - do_command.c: check return code of setgid() and initgroups() - CVE-2006-2607 We thought you might be interested in doing the same. -- System Information: Debian Release: 5.0 APT prefers jaunty-updates APT policy: (500, 'jaunty-updates'), (500, 'jaunty-security'), (500, 'jaunty') Architecture: amd64 (x86_64) Kernel: Linux 2.6.28-11-generic (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash diff -u cron-3.0pl1/do_command.c cron-3.0pl1/do_command.c --- cron-3.0pl1/do_command.c +++ cron-3.0pl1/do_command.c 
@@ -296,9 +296,21 @@ /* set our directory, uid and gid. Set gid first, since once * we set uid, we've lost root privledges. */ - setgid(e->gid); + if (setgid(e->gid) !=0) { + char msg[256]; + snprintf(msg, 256, "do_command:setgid(%lu) failed: %s", + (unsigned long) e->gid, strerror(errno)); + log_it("CRON",getpid(),"error",msg); + exit(ERROR_EXIT); + } # if defined(BSD) || defined(POSIX) - initgroups(env_get("LOGNAME", e->envp), e->gid); + if (initgroups(env_get("LOGNAME", e->envp), e->gid) !=0) { + char msg[256]; + snprintf(msg, 256, "do_command:initgroups(%lu) failed: %s", + (unsigned long) e->gid, strerror(errno)); + log_it("CRON",getpid(),"error",msg); + exit(ERROR_EXIT); + } # endif if (setuid(e->uid) !=0) { /* we aren't root after this... */ char msg[256]; diff -u cron-3.0pl1/debian/changelog cron-3.0pl1/debian/changelog
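Review bot: the `initgroups()` failure message in the hunk at 296 logs only `e->gid`, although the call also takes the value of `env_get("LOGNAME", e->envp)`; include that user name so the log entry identifies which crontab owner failed. The two new blocks and the existing `setuid()` block repeat the same `char msg[256]`, `snprintf`, `log_it`, `exit(ERROR_EXIT)` sequence, so a small helper would keep the three from drifting apart, and `snprintf(msg, sizeof(msg), ...)` avoids repeating the literal 256.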
Bug#523213: /etc/cron.daily/apt does not check return code of date
Package: apt
Version: 0.7.20.2
Severity: grave
Tags: security patch
Justification: user security hole

The following is also being sent to oss-secur...@lists.openwall.com for a CVE request.

Summary
-------
Systems in certain timezones with automatic updates enabled won't be upgraded on the first day of DST and some systems in affected timezones could end up with automatic updates being disabled permanently. Normal usage of apt is not affected.

Discovery credited to: Alexandre Martani
Public bug: https://launchpad.net/bugs/354793

The Problem
-----------
The problem arises because the date command errors out on dates/times that are invalid. Eg, DST starts at 03:00 in the Central time zone of the US:

    $ date --date="2009-03-08 02:00:00"
    date: invalid date `2009-03-08 02:00:00'

This is fine and in and of itself not a problem. However, /etc/cron.daily/apt has:

    stamp=$(date --date=$(date -r $stamp --iso-8601) +%s)
    now=$(date --date=$(date --iso-8601) +%s)

'--iso-8601' creates dates of the form YYYY-MM-DD. Since this is then fed into the date command, the hour, minute and second all default to 0. Some timezones start their DST at midnight, with America/Sao_Paulo as one example. Eg, on a system configured to use the America/Sao_Paulo timezone:

    $ date --date=2009-10-18
    date: invalid date `2009-10-18'

This condition causes 'delta=$(($now-$stamp))' in check_stamp() to fail when $stamp is empty (returning non-zero) or for when $now is empty, '$delta -ge $interval' evaluates to false because delta is negative (return non-zero). Either condition results in all or part of the automatic update process to not be performed.

Affected Users
--------------
For users in timezones with DST starting at midnight with automatic updates enabled, this can lead to the following error conditions:

1. /etc/cron.daily/apt is run on the first day of the DST, resulting in '$delta -ge $interval' being negative because 'now' is empty and the automatic update is not run. The timestamps are not updated, so the automatic update will occur normally the following day.

2. /etc/cron.daily/apt is run late in the day on the day prior to DST (eg 23:59 on 2009-10-17) and finishes on the day of DST (eg one minute later, at 01:00 on 2009-10-18). This will update the stamp files to have the date of the DST. At this point, apt cannot recover and automatic updates are disabled until manually updating/removing the stamp files.

3. A user using a non-affected timezone and has /etc/cron.daily/apt run normally on the day of the DST. Sometime after that, but before /etc/cron.daily/apt runs again, the user changes her timezone to an affected timezone. At this point, apt cannot recover and automatic updates are disabled until manually updating/removing the stamp files.

While all users in scenario '1' are affected, they will eventually get their updates. Though the number of users in '2' and especially '3' are presumed low, the impact for these users is very high, since the expected, automatic security updates will never be applied.

The Fix
-------
The fix is simply to check the return codes of date, and return '0' if the date for 'now' fails, and remove the bad stamp file and return '0' if the date for 'stamp' fails. A patch is attached to the Ubuntu bug, though I have contacted the Debian and Ubuntu maintainer directly and he is working on an update for the development releases of Debian and Ubuntu.
Thanks, Jamie -- Package-specific info: -- (no /etc/apt/preferences present) -- -- (/etc/apt/sources.list present, but not submitted) -- -- System Information: Debian Release: squeeze/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 2.6.28-11-generic (SMP w/2 CPU cores) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Shell: /bin/sh linked to /bin/bash Versions of packages apt depends on: ii debian-archive-keyring2009.01.31 GnuPG archive keys of the Debian a ii libc6 2.9-7 GNU C Library: Shared libraries ii libgcc1 1:4.3.3-5 GCC support library ii libstdc++64.3.3-5The GNU Standard C++ Library v3 apt recommends no packages. Versions of packages apt suggests: pn apt-doc(no description available) pn aptitude | synaptic | gnome-a (no description available) ii bzip2 1.0.5-1high-quality block-sorting file co ii dpkg-dev 1.14.25Debian package development tools ii lzma 4.43-14Compression method of 7z format in pn python-apt (no description available) -- no debconf information diff -Nru apt-0.7.20.2ubuntu5/debian/apt.cron.daily apt-0.7.20.2ubuntu6/debian/apt.cron.daily --- apt-0.7.20.2ubuntu5/debian/apt.cron.daily 2009-03-30 08:21:21.0 -0500 +++ apt-0.7.20.2ubuntu6/debian/apt.cron.daily 2009-04-08 14:43:48.0 -0500 @@ -50,8 +50,25 @@ fi
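The return-code checks described under "The Fix" in the report above, as an added shell example; it is not the patch attached to the Ubuntu bug and not apt's own script. The helper names today, stamp_day and day_epoch are assumptions of this example, and check_stamp here only mirrors the behaviour the report describes (0 means run the update, non-zero means skip).

```shell
#!/bin/sh
# Added example: a check_stamp that fails open when date(1) rejects a day.
# Helper names are hypothetical; only check_stamp, delta and interval
# come from the report.

# ISO date (YYYY-MM-DD) of the current day.
today() {
    date +%Y-%m-%d
}

# ISO date of the day the stamp file was last modified.
stamp_day() {
    date -r "$1" +%Y-%m-%d
}

# Epoch seconds for local midnight of an ISO date. Returns non-zero and
# prints nothing when that midnight does not exist in the local timezone
# (the report's case: 2009-10-18 in America/Sao_Paulo).
day_epoch() {
    date --date="$1" +%s 2>/dev/null
}

# check_stamp STAMPFILE INTERVAL_DAYS
# Returns 0 when the update should run, 1 when it should be skipped.
check_stamp() {
    stamp_file=$1
    interval=$2

    # No stamp yet: the update has never run.
    [ -f "$stamp_file" ] || return 0

    # If "now" cannot be converted, run the update rather than skip it.
    if ! now=$(day_epoch "$(today)") || [ -z "$now" ]; then
        return 0
    fi

    # A stamp whose day cannot be converted would block every later run:
    # remove the bad stamp file and run the update.
    if ! stamp=$(day_epoch "$(stamp_day "$stamp_file")") || [ -z "$stamp" ]; then
        rm -f "$stamp_file"
        return 0
    fi

    delta=$((now - stamp))
    [ "$delta" -ge $((interval * 86400)) ] && return 0
    return 1
}
```

Both failure paths return 0 so that a conversion error leads to an update attempt instead of a silent skip, which is the property that prevents scenarios 2 and 3 from disabling updates permanently.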
Bug#486502: multiple vulnerabilities found in vim
These should all be fixed now according to:
http://groups.google.com/group/vim_dev/tree/browse_frm/month/2008-06/6d7899eac89aa333?rnum=131&_done=%2Fgroup%2Fvim_dev%2Fbrowse_frm%2Fmonth%2F2008-06%3F#doc_9bb6550f4f955f04

Also, 7.1.314 is supposedly mostly not affected, but I did find these commits:
http://vim.svn.sourceforge.net/viewvc/vim?view=rev&revision=1012
http://vim.svn.sourceforge.net/viewvc/vim?view=rev&revision=1013
http://vim.svn.sourceforge.net/viewvc/vim?view=rev&revision=1021

--
Ubuntu Security Engineer | http://www.ubuntu.com/
Canonical Ltd. | http://www.canonical.com/
Bug#486502: multiple vulnerabilities found in vim
Package: vim
Version: 1:7.1.314-2
Severity: grave
Tags: security
Justification: user security hole

Forwarding the following, which was just pointed out to me:
http://www.rdancer.org/vulnerablevim.html
http://www.reddit.com/r/programming/info/6ng40/comments/
Bug#483020: [PATCH] openssl-vulnkey hangs on connecting
Usertags: origin-ubuntu intrepid ubuntu-patch Attached is a patch that Ubuntu plans to use to address this bug. Please note that you will need to adjust the depends on openssl-blacklist to (>> 0.4). This version was just uploaded today. This is also: https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/230197 Jamie Strandboge diff -u openvpn-2.1~rc7/init.c openvpn-2.1~rc7/init.c --- openvpn-2.1~rc7/init.c +++ openvpn-2.1~rc7/init.c @@ -1430,6 +1430,7 @@ do_init_crypto_tls_c1 (struct context *c) { const struct options *options = &c->options; + SSL *ssl; if (!c->c1.ks.ssl_ctx) { 
@@ -1466,6 +1467,59 @@ options->ciphername_defined, options->authname, options->authname_defined, options->keysize, true, true); + /* CVE-2008-0166 (Debian weak key checks) + * Obtain the modulus and bits from the certificate that was initialized, + * and send that to openssl-vulnkey. + */ + ssl = SSL_new(c->c1.ks.ssl_ctx); + if (ssl != NULL) +{ + X509* cert = NULL; + char *bn; + int bits; + + cert = SSL_get_certificate(ssl); + if (cert != NULL) +{ + EVP_PKEY *pkey = X509_get_pubkey (cert); + if (pkey != NULL) +{ + if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL + && pkey->pkey.rsa->n != NULL) +{ + bits = BN_num_bits(pkey->pkey.rsa->n); + bn = BN_bn2hex(pkey->pkey.rsa->n); +} + else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL + && pkey->pkey.dsa->p != NULL) +{ + bits = BN_num_bits(pkey->pkey.dsa->p); + bn = BN_bn2hex(pkey->pkey.dsa->p); +} + if (bn != NULL) +{ + int size = strlen(bn) + 256; + char *command_line = NULL; + + command_line = malloc(size); + check_malloc_return(command_line); + + openvpn_snprintf(command_line, size, "/usr/bin/openssl-vulnkey -q -b %d -m %s", bits, bn); + msg (M_INFO, "/usr/bin/openssl-vulnkey -q -b %d -m ", bits); + if (openvpn_system (command_line, NULL, S_FATAL) != 0) +{ + msg (M_FATAL, "ERROR: '%s' is a known vulnerable key. See 'man openssl-vulnkey' for details.", options->priv_key_file); +} + + OPENSSL_free(bn); + free(command_line); +} + EVP_PKEY_free (pkey); + } +} +SSL_free(ssl); + } + /* TLS handshake authentication (--tls-auth) */ if (options->tls_auth_file) { 
@@ -1506,25 +1560,10 @@ const struct options *options = &c->options; struct tls_options to; bool packet_id_long_form; - char command_line[256]; ASSERT (options->tls_server || options->tls_client); ASSERT (!options->test_crypto); - /* CVE-2008-0166 (Debian weak key checks) */ - /* Only check if we can actually read the key file. This will fail if we - * already chroot()ed/set[ug]id()'ed. An ENOENT at program start is already - * handled further down, so we can ignore it here. */ - if (options->priv_key_file && access (options->priv_key_file, R_OK) == 0) -{ - openvpn_snprintf(command_line, sizeof (command_line), "/usr/sbin/openssl-vulnkey -q %s", options->priv_key_file); - msg (M_INFO, "%s", command_line); - if (openvpn_system (command_line, NULL, S_FATAL) != 0) -{ - msg (M_FATAL, "ERROR: '%s' is a known vulnerable key. See 'man openssl-vulnkey' for details.", options->priv_key_file); -} -} - init_crypto_pre (c, flags); /* Make sure we are either a TLS client or server but not both */ signature.asc Description: Digital signature
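Review bot: `bn` and `bits` are declared without initializers in the init.c hunk at 1466, so when the key is neither RSA nor DSA, or the modulus pointer is NULL, the `if (bn != NULL)` test reads an uninitialized pointer and can hand garbage to `strlen()` and `OPENSSL_free()`. Declare `char *bn = NULL;` and `int bits = 0;`. Every NULL return on the way (`SSL_new()`, `SSL_get_certificate()`, `X509_get_pubkey()`) also skips the weak-key check without a log line, so a `msg()` call on those paths would show when the check did not run. The fatal error text still names `options->priv_key_file` although the check now works from the certificate's modulus, and the helper path changes from /usr/sbin/openssl-vulnkey in the removed block to /usr/bin/openssl-vulnkey here; confirm that matches the openssl-blacklist version the dependency is bumped to.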
Bug#480059: vorbis-tools vulnerable to CVE-2008-1686
Package: vorbis-tools Version: 1.2.0-1.1 Severity: grave Tags: patch security Justification: user security hole User: [EMAIL PROTECTED] Usertags: origin-ubuntu hardy ubuntu-patch vorbis-tools contains embedded speex code, and although vorbis-tools is linked to libspeex, it compiles the vulnerable code. Attached is a debdiff that Ubuntu is using in its 1.1.1 versions of vorbis-tools (fuzz removed). Here is a suggested changelog entry: * SECURITY UPDATE: array index vulnerability * debian/patches/CVE-2008-1686.diff: fix for ogg123/speex_format.c to properly validate its input * References CVE-2008-1686 diff -u vorbis-tools-1.2.0/debian/changelog vorbis-tools-1.2.0/debian/changelog diff -u vorbis-tools-1.2.0/debian/patches/series vorbis-tools-1.2.0/debian/patches/series --- vorbis-tools-1.2.0/debian/patches/series +++ vorbis-tools-1.2.0/debian/patches/series @@ -5,0 +6 @@ +CVE-2008-1686.patch only in patch2: unchanged: --- vorbis-tools-1.2.0.orig/debian/patches/CVE-2008-1686.patch +++ vorbis-tools-1.2.0/debian/patches/CVE-2008-1686.patch @@ -0,0 +1,12 @@ +diff -Nur vorbis-tools-1.2.0/ogg123/speex_format.c vorbis-tools-1.2.0.new/ogg123/speex_format.c +--- vorbis-tools-1.2.0/ogg123/speex_format.c 2008-03-03 00:37:26.0 -0500 vorbis-tools-1.2.0.new/ogg123/speex_format.c 2008-05-07 17:34:31.0 -0400 +@@ -475,7 +475,7 @@ +cb->printf_error(callback_arg, ERROR, _("Cannot read header")); + return NULL; +} +- if ((*header)->mode >= SPEEX_NB_MODES) { ++ if ((*header)->mode >= SPEEX_NB_MODES || (*header)->mode < 0) { + cb->printf_error(callback_arg, ERROR, + _("Mode number %d does not (any longer) exist in this version"), + (*header)->mode);
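Review bot: the series hunk adds CVE-2008-1686.patch, while the suggested changelog entry refers to debian/patches/CVE-2008-1686.diff; make the changelog name the file that is actually added. In the speex_format.c hunk at 475 the lower-bound test is appended after the upper-bound one; writing it as `mode < 0 || mode >= SPEEX_NB_MODES` reads as a range check at a glance. The new patch file has no header stating the CVE and the upstream origin of the change, which makes it harder to audit later.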
Bug#480011: kvm contains several qemu vulnerabilities
Package: kvm Version: 66+dfsg-1.1 Severity: critical Tags: patch security Justification: root security hole User: [EMAIL PROTECTED] Usertags: origin-ubuntu hardy ubuntu-patch Attached is a patch to address several open CVEs in the embedded qemu software in kvm. These issues were addressed in [1] and [2] in qemu, but not kvm. This patch has been extensively tested in Ubuntu's kvm62, which has the same embedded version of qemu (0.9.1) as kvm66 in sid. The Ubuntu patch is the same as 90_security.patch from qemu 0.9.1-1 (excepting some fuzz). The attached patch for sid's kvm is the same as the patch for Ubuntu, except it had to be changed slightly because CVE-2008-0928.patch is applied first in sid. Please note that this does not include the fix for CVE-2008-2004, which was recently included in qemu (0.9.1-5). A suggested changelog entry might be: * debian/patches/CVE-2007-1320+1321+1322+1366+2893.patch based on 90_security.patch from qemu 0.9.1-1. Please note that CVE-2007-2893 is also known as CVE-2007-1323, and CVE-2007-5729 and CVE-2007-5730 are known as CVE-2007-1321 in Debian. This patch addresses the following: - Cirrus LGD-54XX "bitblt" heap overflow. - NE2000 "mtu" heap overflow. - QEMU "net socket" heap overflow. - QEMU NE2000 "receive" integer signedness error. - Infinite loop in the emulated SB16 device. - Unprivileged "aam" instruction does not correctly handle the undocumented divisor operand. - Unprivileged "icebp" instruction will halt emulation. [1] http://www.debian.org/security/2007/dsa-1284 [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=424070 Jamie Strandboge diff -u kvm-66+dfsg/debian/changelog kvm-66+dfsg/debian/changelog diff -u kvm-66+dfsg/debian/patches/series kvm-66+dfsg/debian/patches/series --- kvm-66+dfsg/debian/patches/series +++ kvm-66+dfsg/debian/patches/series 
@@ -10,0 +11 @@ +CVE-2007-1320+1321+1322+1366+2893.patch only in patch2: unchanged: --- kvm-66+dfsg.orig/debian/patches/CVE-2007-1320+1321+1322+1366+2893.patch +++ kvm-66+dfsg/debian/patches/CVE-2007-1320+1321+1322+1366+2893.patch 
@@ -0,0 +1,323 @@ +diff -Nur kvm-66+dfsg/qemu/block.c kvm-66+dfsg.new/qemu/block.c +--- kvm-66+dfsg/qemu/block.c 2008-05-07 09:59:51.0 -0400 kvm-66+dfsg.new/qemu/block.c 2008-05-07 10:03:24.0 -0400 +@@ -612,6 +612,8 @@ + return -ENOMEDIUM; + if (bs->read_only) + return -EACCES; ++if (sector_num < 0) ++return -EINVAL; + if (bdrv_wr_badreq_sectors(bs, sector_num, nb_sectors)) + return -EDOM; + if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) { +@@ -619,8 +621,14 @@ + } + if (drv->bdrv_pwrite) { + int ret, len; ++int64_t ns; ++ + len = nb_sectors * 512; +-ret = drv->bdrv_pwrite(bs, sector_num * 512, buf, len); ++ns = sector_num * 512; ++if (ns < 0) ++return -EINVAL; ++ ++ret = drv->bdrv_pwrite(bs, ns, buf, len); + if (ret < 0) + return ret; + else if (ret != len) +diff -Nur kvm-66+dfsg/qemu/hw/cirrus_vga.c kvm-66+dfsg.new/qemu/hw/cirrus_vga.c +--- kvm-66+dfsg/qemu/hw/cirrus_vga.c 2008-04-15 09:35:58.0 -0400 kvm-66+dfsg.new/qemu/hw/cirrus_vga.c 2008-05-07 10:00:01.0 -0400 +@@ -224,6 +224,20 @@ + #define CIRRUS_HOOK_NOT_HANDLED 0 + #define CIRRUS_HOOK_HANDLED 1 + ++#define BLTUNSAFE(s) \ ++( \ ++( /* check dst is within bounds */ \ ++(s)->cirrus_blt_height * (s)->cirrus_blt_dstpitch \ +++ ((s)->cirrus_blt_dstaddr & (s)->cirrus_addr_mask) > \ ++(s)->vram_size \ ++) || \ ++( /* check src is within bounds */ \ ++(s)->cirrus_blt_height * (s)->cirrus_blt_srcpitch \ +++ ((s)->cirrus_blt_srcaddr & (s)->cirrus_addr_mask) > \ ++(s)->vram_size \ ++) \ ++) ++ + struct CirrusVGAState; + typedef void (*cirrus_bitblt_rop_t) (struct CirrusVGAState *s, + uint8_t * dst, const uint8_t * src, +@@ -645,7 +659,7 @@ + + for (y = 0; y < lines; y++) { + off_cur = off_begin; +- off_cur_end = off_cur + bytesperline; ++ off_cur_end = (off_cur + bytesperline) & s->cirrus_addr_mask; + off_cur &= TARGET_PAGE_MASK; + while (off_cur < off_cur_end) { + cpu_physical_memory_set_dirty(s->vram_offset + off_cur); +@@ -660,7 +674,11 @@ + { + uint8_t *dst; + +-dst = s->vram_ptr + 
s->cirrus_blt_dstaddr; ++dst = s->vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask); ++ ++if (BLTUNSAFE(s)) ++return 0; ++ + (*s->cirrus_rop) (s, dst, src, + s->cirrus_blt_dstpitch, 0, + s->cirrus_blt_width, s->cirrus_blt_height
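Review bot: in the block.c hunk at 619 the test `if (ns < 0)` runs after `ns = sector_num * 512` has already been computed; if that product overflows a signed type the result is undefined, so compare `sector_num` against the largest value that can safely be multiplied by 512 before multiplying. `len = nb_sectors * 512` in the same hunk remains an unchecked `int` product; if `bdrv_wr_badreq_sectors()` is what bounds `nb_sectors`, a comment saying so would help. In the cirrus_vga.c hunk at 660, `BLTUNSAFE(s)` returns 0 with no trace, so an out-of-bounds blit request from a guest is dropped silently; a debug-level log there would help when triaging guest behaviour.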
Bug#461236: boost vulnerabilities
Package: boost Version: 1.34.1-2.2 Severity: critical Tags: patch, security User: [EMAIL PROTECTED] Usertags: origin-ubuntu hardy ubuntu-patch boost as included in Debian is vulnerable to CVE-2008-0171 and CVE-2008-0172. Attached is a debdiff which addresses this issue (changelog entry in debdiff shows upstream patch sources as well). Jamie -- Email: [EMAIL PROTECTED] IRC: jdstrand diff -u boost-1.34.1/debian/changelog boost-1.34.1/debian/changelog --- boost-1.34.1/debian/changelog +++ boost-1.34.1/debian/changelog @@ -1,3 +1,16 @@ +boost (1.34.1-2.3) unstable; urgency=low + + * debian/patches/05_regex_fixes.patch: fix for +basic_regex_parser() in boost/regex/v4/basic_regex_parser.hpp to return +error on invalid repetition of next state + * References +CVE-2008-0171 +CVE-2008-0172 +http://svn.boost.org/trac/boost/changeset/42674 +http://svn.boost.org/trac/boost/changeset/42745 + + -- Jamie Strandboge <[EMAIL PROTECTED]> Tue, 15 Jan 2008 18:22:26 + + boost (1.34.1-2.2) unstable; urgency=low * Non-maintainer upload. only in patch2: unchanged: --- boost-1.34.1.orig/boost/regex/v4/basic_regex_parser.hpp +++ boost-1.34.1/boost/regex/v4/basic_regex_parser.hpp @@ -777,6 +777,7 @@ case syntax_element_restart_continue: case syntax_element_jump: case syntax_element_startmark: + case syntax_element_backstep: // can't legally repeat any of the above: fail(regex_constants::error_badrepeat, m_position - m_base); return false; @@ -1862,6 +1863,7 @@ if(markid == -4) { re_syntax_base* b = this->getaddress(expected_alt_point); + // Make sure we have exactly one alternative following this state: if(b->type != syntax_element_alt) { re_alt* alt = static_cast(this->insert_state(expected_alt_point, syntax_element_alt, sizeof(re_alt))); 
@@ -1872,6 +1874,15 @@ fail(regex_constants::error_bad_pattern, m_position - m_base); return false; } + // check for invalid repetition of next state: + b = this->getaddress(expected_alt_point); + b = this->getaddress(static_cast(b)->next.i, b); + if((b->type != syntax_element_assert_backref) + && (b->type != syntax_element_startmark)) + { + fail(regex_constants::error_badrepeat, m_position - m_base); + return false; + } } // // append closing parenthesis state: only in patch2: unchanged: --- boost-1.34.1.orig/libs/regex/test/regress/test_perl_ex.cpp +++ boost-1.34.1/libs/regex/test/regress/test_perl_ex.cpp @@ -121,6 +121,17 @@ TEST_INVALID_REGEX("(?:(a)|b)(?(?:", perl); TEST_INVALID_REGEX("(?:(a)|b)(?(?<", perl); TEST_INVALID_REGEX("(?:(a)|b)(?(?getaddress(expected_alt_point); ++ // Make sure we have exactly one alternative following this state: + if(b->type != syntax_element_alt) + { + re_alt* alt = static_cast(this->insert_state(expected_alt_point, syntax_element_alt, sizeof(re_alt))); +@@ -1872,6 +1874,15 @@ + fail(regex_constants::error_bad_pattern, m_position - m_base); + return false; + } ++ // check for invalid repetition of next state: ++ b = this->getaddress(expected_alt_point); ++ b = this->getaddress(static_cast(b)->next.i, b); ++ if((b->type != syntax_element_assert_backref) ++ && (b->type != syntax_element_startmark)) ++ { ++ fail(regex_constants::error_badrepeat, m_position - m_base); ++ return false; ++ } +} +// +// append closing parenthesis state: +diff -Naur ../unpatched/boost-1.34.1/libs/regex/test/regress/test_perl_ex.cpp boost-1.34.1/libs/regex/test/regress/test_perl_ex.cpp +--- ../unpatched/boost-1.34.1/libs/regex/test/regress/test_perl_ex.cpp 2005-09-14 12:20:08.0 + boost-1.34.1/libs/regex/test/regress/test_perl_ex.cpp 2008-01-15 18:20:54.0 + +@@ -121,6 +121,17 @@ +TEST_INVALID_REGEX("(?:(a)|b)(?(?:", perl); +TEST_INVALID_REGEX("(?:(a)|b)(?(?<", perl); +TEST_INVALID_REGEX("(?:(a)|b)(?(? signature.asc Description: Digital signature
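Review bot: the changelog hunk sets `urgency=low` for an upload that fixes CVE-2008-0171 and CVE-2008-0172 in a bug filed with Severity: critical; raise the urgency so the fix is not held back, and mark the entry as a security update. The References block lists both CVEs and both upstream changesets (42674 and 42745) without saying which changeset addresses which CVE; pairing them would let a reviewer map the `syntax_element_backstep` case and the new repetition check in basic_regex_parser.hpp to the issue each one closes.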