Bug#1071568: closing 1071568

2024-05-21 Thread Salvatore Bonaccorso
close 1071568 535.161.08-2~deb12u1~bpo11+1
thanks

Fixed with the version accepted in bullseye-backports.



Bug#1071568: nvidia-kernel-dkms: module (from backports) fails to build with 5.10.216-1 (ABI 29 kernel) in Debian bullseye

2024-05-21 Thread Salvatore Bonaccorso
Package: nvidia-kernel-dkms
Version: 525.147.05-7~deb12u1~bpo11+2
Severity: serious
Justification: FTBFS
X-Debbugs-Cc: car...@debian.org

Hi Andreas,

This is only for the bullseye-backports version of
525.147.05-7~deb12u1~bpo11+2 when building for 5.10.216-1 (ABI 29
kernel).

The build fails with:

make -f /usr/src/linux-headers-5.10.0-29-common/scripts/Makefile.modpost
  sed 's/ko$/o/' /var/lib/dkms/nvidia-current/525.147.05/build/modules.order | scripts/mod/modpost -m-o /var/lib/dkms/nvidia-current/525.147.05/build/Module.symvers -e -i Module.symvers   -T -
FATAL: modpost: GPL-incompatible module nvidia.ko uses GPL-only symbol 'rcu_read_unlock_strict'
make[3]: *** [/usr/src/linux-headers-5.10.0-29-common/scripts/Makefile.modpost:123: /var/lib/dkms/nvidia-current/525.147.05/build/Module.symvers] Error 1
make[2]: *** [/usr/src/linux-headers-5.10.0-29-common/Makefile:1783: modules] Error 2
make[2]: Leaving directory '/usr/src/linux-headers-5.10.0-29-amd64'
make[1]: *** [Makefile:192: __sub-make] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-5.10.0-29-common'
make: *** [Makefile:82: modules] Error 2

Regards,
Salvatore


make.log.gz
Description: application/gzip


Bug#1058890: closing 1058890

2024-05-20 Thread Salvatore Bonaccorso
close 1058890 6.1.85-1
thanks

According to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1058890#79



Bug#1071160: git: CVE-2024-32002 CVE-2024-32004 CVE-2024-32020 CVE-2024-32021 CVE-2024-32465

2024-05-15 Thread Salvatore Bonaccorso
Source: git
Version: 1:2.43.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerabilities were published for git.

CVE-2024-32002[0]:
| Git is a revision control system. Prior to versions 2.45.1, 2.44.1,
| 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with
| submodules can be crafted in a way that exploits a bug in Git
| whereby it can be fooled into writing files not into the submodule's
| worktree but into a `.git/` directory. This allows writing a hook
| that will be executed while the clone operation is still running,
| giving the user no opportunity to inspect the code that is being
| executed. The problem has been patched in versions 2.45.1, 2.44.1,
| 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support
| is disabled in Git (e.g. via `git config --global core.symlinks
| false`), the described attack won't work. As always, it is best to
| avoid cloning repositories from untrusted sources.


CVE-2024-32004[1]:
| Git is a revision control system. Prior to versions 2.45.1, 2.44.1,
| 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare
| a local repository in such a way that, when cloned, will execute
| arbitrary code during the operation. The problem has been patched in
| versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.
| As a workaround, avoid cloning repositories from untrusted sources.


CVE-2024-32020[2]:
| Git is a revision control system. Prior to versions 2.45.1, 2.44.1,
| 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, local clones may end up
| hardlinking files into the target repository's object database when
| source and target repository reside on the same disk. If the source
| repository is owned by a different user, then those hardlinked files
| may be rewritten at any point in time by the untrusted user. Cloning
| local repositories will cause Git to either copy or hardlink files
| of the source repository into the target repository. This
| significantly speeds up such local clones compared to doing a
| "proper" clone and saves both disk space and compute time. When
| cloning a repository located on the same disk that is owned by a
| different user than the current user we also end up creating such
| hardlinks. These files will continue to be owned and controlled by
| the potentially-untrusted user and can be rewritten by them at will
| in the future. The problem has been patched in versions 2.45.1,
| 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.


CVE-2024-32021[3]:
| Git is a revision control system. Prior to versions 2.45.1, 2.44.1,
| 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local
| source repository that contains symlinks via the filesystem, Git may
| create hardlinks to arbitrary user-readable files on the same
| filesystem as the target repository in the `objects/` directory.
| Cloning a local repository over the filesystem may create
| hardlinks to arbitrary user-owned files on the same filesystem in
| the target Git repository's `objects/` directory. When cloning a
| repository over the filesystem (without explicitly specifying the
| `file://` protocol or `--no-local`), the optimizations for local
| cloning will be used, which include attempting to hard link the
| object files instead of copying them. While the code includes checks
| against symbolic links in the source repository, which were added
| during the fix for CVE-2022-39253, these checks can still be raced
| because the hard link operation ultimately follows symlinks. If the
| object on the filesystem appears as a file during the check, and
| then a symlink during the operation, this will allow the adversary
| to bypass the check and create hardlinks in the destination objects
| directory to arbitrary, user-readable files. The problem has been
| patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2,
| and 2.39.4.


CVE-2024-32465[4]:
| Git is a revision control system. The Git project recommends to
| avoid working in untrusted repositories, and instead to clone it
| first with `git clone --no-local` to obtain a clean copy. Git has
| specific protections to make that a safe operation even with an
| untrusted source repository, but vulnerabilities allow those
| protections to be bypassed. In the context of cloning local
| repositories owned by other users, this vulnerability has been
| covered in CVE-2024-32004. But there are circumstances where the
| fixes for CVE-2024-32004 are not enough: For example, when obtaining
| a `.zip` file containing a full copy of a Git repository, it should
| not be trusted by default to be safe, as e.g. hooks could be
| configured to run within the context of that repository. The problem
| has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1,
| 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories
| that have been obtained via archives from untrusted sources.
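
Added example, not part of the original bug report or of Git: a read-only audit for the condition CVE-2024-32020 describes, object files in a clone that are hardlinked or owned by another user. The function names, the `expected_uid` parameter and the demo layout are assumptions made for illustration; the sample repository is constructed.

```python
import os
import stat


def audit_object_store(repo_path, expected_uid=None):
    """Return sorted (relative_path, reason) findings for <repo>/.git/objects.

    Reasons:
      foreign-owner  file is owned by a uid other than expected_uid, so that
                     user can still rewrite it after the clone
      hardlinked     link count > 1; the inode is shared with another path
                     (also produced by a benign same-user local clone)
      symlink        a symlink sits where an object file or directory belongs
    """
    if expected_uid is None:
        expected_uid = os.getuid()
    objects = os.path.join(repo_path, ".git", "objects")
    if not os.path.isdir(objects):
        objects = os.path.join(repo_path, "objects")  # bare repository layout
    findings = []
    for root, dirs, files in os.walk(objects):  # does not follow dir symlinks
        for name in dirs:
            path = os.path.join(root, name)
            if os.path.islink(path):
                findings.append((os.path.relpath(path, objects), "symlink"))
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, objects)
            st = os.lstat(path)  # lstat: inspect the entry, not its target
            if stat.S_ISLNK(st.st_mode):
                findings.append((rel, "symlink"))
                continue
            if st.st_uid != expected_uid:
                findings.append((rel, "foreign-owner"))
            if st.st_nlink > 1:
                findings.append((rel, "hardlinked"))
    return sorted(findings)


def build_demo(tmp):
    """Constructed layout: two loose objects, one hardlinked from outside."""
    obj_dir = os.path.join(tmp, "repo", ".git", "objects", "ab")
    os.makedirs(obj_dir)
    for name in ("cdef01", "cdef02"):
        with open(os.path.join(obj_dir, name), "wb") as fh:
            fh.write(b"constructed sample object\n")
    # Simulates what a local clone's hardlink optimization leaves behind.
    os.link(os.path.join(obj_dir, "cdef02"), os.path.join(tmp, "outside-link"))
    return os.path.join(tmp, "repo")


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        for rel, reason in audit_object_store(build_demo(tmp)):
            print(f"{reason:14} {rel}")
```

A `foreign-owner` finding is the case the advisory warns about; re-cloning with `--no-local` or a `file://` URL, both named in the CVE-2024-32021 text above, copies objects instead of linking them.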



Bug#1070395: closing 1070395, found 1070395 in 1.11.1-2.1

2024-05-09 Thread Salvatore Bonaccorso
close 1070395 1.11.1-4
found 1070395 1.11.1-2.1
thanks



Bug#1070395: tinyproxy: CVE-2023-40533 CVE-2023-49606

2024-05-09 Thread Salvatore Bonaccorso
Control: retitle -1 tinyproxy: CVE-2023-49606

Hi,

CVE-2023-40533 as a duplicate of CVE-2022-40468.

Regards,
Salvatore



Bug#1070711: python-werkzeug: CVE-2024-34069

2024-05-07 Thread Salvatore Bonaccorso
Source: python-werkzeug
Version: 3.0.2-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for python-werkzeug.

CVE-2024-34069[0]:
| Werkzeug is a comprehensive WSGI web application library. The
| debugger in affected versions of Werkzeug can allow an attacker to
| execute code on a developer's machine under some circumstances. This
| requires the attacker to get the developer to interact with a domain
| and subdomain they control, and enter the debugger PIN, but if they
| are successful it allows access to the debugger even if it is only
| running on localhost. This also requires the attacker to guess a URL
| in the developer's application that will trigger the debugger. This
| vulnerability is fixed in 3.0.3.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-34069
https://www.cve.org/CVERecord?id=CVE-2024-34069
[1] https://github.com/pallets/werkzeug/security/advisories/GHSA-2g68-c3qc-8985
[2] https://github.com/pallets/werkzeug/commit/71b69dfb7df3d912e66bab87fbb1f21f83504967
[3] https://github.com/pallets/werkzeug/commit/890b6b62634fa61224222aee31081c61b054ff01

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#1070710: python-html-sanitizer: CVE-2024-34078: Arbitrary HTML present after sanitization because of unicode normalization

2024-05-07 Thread Salvatore Bonaccorso
Source: python-html-sanitizer
Version: 2.2-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for python-html-sanitizer.

CVE-2024-34078[0]:
| html-sanitizer is an allowlist-based HTML cleaner. If using
| `keep_typographic_whitespace=False` (which is the default), the
| sanitizer normalizes unicode to the NFKC form at the end. Some
| unicode characters normalize to chevrons; this allows specially
| crafted HTML to escape sanitization. The problem has been fixed in
| 2.4.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-34078
https://www.cve.org/CVERecord?id=CVE-2024-34078
[1] https://github.com/matthiask/html-sanitizer/security/advisories/GHSA-wvhx-q427-fgh3
[2] https://github.com/matthiask/html-sanitizer/commit/48db42fc5143d0140c32d929c46b802f96913550

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
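
Added example, not part of the original bug report or of html-sanitizer's code: why running NFKC normalization after cleaning, as the CVE-2024-34078 description states, lets compatibility characters turn into chevrons, and how to detect such characters. `html.escape` stands in for the allowlist cleaner as an assumption, the function names are hypothetical, and the sample string is constructed and contains only a harmless bold tag.

```python
import html
import unicodedata

# ASCII characters that change how an HTML parser reads text.
HTML_SIGNIFICANT = frozenset("<>&\"'")


def risky_after_nfkc(text):
    """List characters that are inert as written but whose NFKC form
    contains HTML-significant ASCII. Returns (index, name, nfkc_form)."""
    hits = []
    for index, ch in enumerate(text):
        if ch in HTML_SIGNIFICANT:
            continue  # already visible to any cleaner that runs now
        form = unicodedata.normalize("NFKC", ch)
        if HTML_SIGNIFICANT.intersection(form):
            name = unicodedata.name(ch, "U+%04X" % ord(ch))
            hits.append((index, name, form))
    return hits


def clean_then_normalize(text, cleaner=html.escape):
    """Order described in the advisory: clean first, NFKC as the last step.
    The cleaner never sees the chevrons that normalization produces."""
    return unicodedata.normalize("NFKC", cleaner(text))


def normalize_then_clean(text, cleaner=html.escape):
    """Normalize first so the cleaner sees the final characters."""
    return cleaner(unicodedata.normalize("NFKC", text))


def output_is_stable(cleaned):
    """Post-condition for cleaned output: a later NFKC pass must be a no-op."""
    return unicodedata.normalize("NFKC", cleaned) == cleaned


# Constructed sample: U+FE64/U+FE65 (small less-than / greater-than signs)
# spelling out a bold tag.
SAMPLE = "\uFE64b\uFE65hello\uFE64/b\uFE65"

if __name__ == "__main__":
    for index, name, form in risky_after_nfkc(SAMPLE):
        print(f"offset {index}: {name} -> {form!r}")
    print("clean, then NFKC:", clean_then_normalize(SAMPLE))
    print("NFKC, then clean:", normalize_then_clean(SAMPLE))
```

`output_is_stable` can serve as a regression assertion on any sanitizer whose output may be normalized later in the pipeline.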



Bug#1070369: sssd: CVE-2023-3758

2024-05-04 Thread Salvatore Bonaccorso
Source: sssd
Version: 2.9.4-2
Severity: grave
Tags: security upstream
Forwarded: https://github.com/SSSD/sssd/pull/7302
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for sssd.

CVE-2023-3758[0]:
| A race condition flaw was found in sssd where the GPO policy is not
| consistently applied for authenticated users. This may lead to
| improper authorization issues, granting or denying access to
| resources inappropriately.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-3758
https://www.cve.org/CVERecord?id=CVE-2023-3758
[1] https://github.com/SSSD/sssd/pull/7302
[2] https://bugzilla.redhat.com/show_bug.cgi?id=2223762
[3] https://github.com/SSSD/sssd/commit/e1bfbc2493c4194988acc3b2413df3dde0735ae3

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#1070004: ruby-sidekiq: CVE-2024-32887

2024-04-28 Thread Salvatore Bonaccorso
Package: ruby-sidekiq
Version: 7.2.1+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

The following vulnerability was published for ruby-sidekiq.

It only affects the experimental version, as the issue was introduced
in 7.2.0 and fixed upstream in 7.2.4. Should not land into unstable, so
filing with RC severity.

CVE-2024-32887[0]:
| Sidekiq is simple, efficient background processing for Ruby. Sidekiq
| is reflected XSS vulnerability. The value of substr parameter is
| reflected in the response without any encoding, allowing an attacker
| to inject Javascript code into the response of the application.  An
| attacker could exploit it to target users of the Sidekiq Web UI.
| Moreover, if other applications are deployed on the same domain or
| website as Sidekiq, users of those applications could also be
| affected, leading to a broader scope of compromise. Potentially
| compromising their accounts, forcing the users to perform sensitive
| actions, stealing sensitive data, performing CORS attacks,
| defacement of the web application, etc. This issue has been patched
| in version 7.2.4.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-32887
https://www.cve.org/CVERecord?id=CVE-2024-32887
[1] https://github.com/sidekiq/sidekiq/security/advisories/GHSA-q655-3pj8-9fxq

Regards,
Salvatore



Bug#1069968: ruby3.2: CVE-2024-27282

2024-04-27 Thread Salvatore Bonaccorso
Source: ruby3.2
Version: 3.2.3-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: clone -1 -2
Control: reassign -2 src;ruby3.1 3.1.2-8
Control: retitle -2 ruby3.1: CVE-2024-27282
Control: found -2 3.1.2-7

Hi,

The following vulnerability was published for ruby.

CVE-2024-27282[0]:
| Arbitrary memory address read vulnerability with Regex search


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27282
https://www.cve.org/CVERecord?id=CVE-2024-27282
[1] https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/
[2] https://github.com/ruby/ruby/commit/989a2355808a63fc45367785c82ffd46d18c900a

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#1069966: ruby3.1: CVE-2024-27280: Buffer overread vulnerability in StringIO

2024-04-27 Thread Salvatore Bonaccorso
Source: ruby3.1
Version: 3.1.2-8
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 3.1.2-7

Hi,

The following vulnerability was published for ruby3.1.

CVE-2024-27280[0]:
| Buffer overread vulnerability in StringIO


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27280
https://www.cve.org/CVERecord?id=CVE-2024-27280
[1] https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280/

Regards,
Salvatore



Bug#1069747: reassign 1069747 to src:linux, closing 1069747

2024-04-24 Thread Salvatore Bonaccorso
reassign 1069747 src:linux 
close 1069747 
thanks

The missing pre-requisite backport was specific to the 6.1.y series.



Bug#1069728: freerdp2: CVE-2024-32039 CVE-2024-32040 CVE-2024-32041 CVE-2024-32458 CVE-2024-32459 CVE-2024-32460

2024-04-23 Thread Salvatore Bonaccorso
Source: freerdp2
Version: 2.11.5+dfsg1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerabilities were published for freerdp2.

CVE-2024-32039[0]:
| FreeRDP is a free implementation of the Remote Desktop Protocol.
| FreeRDP based clients using a version of FreeRDP prior to 3.5.0 or
| 2.11.6 are vulnerable to integer overflow and out-of-bounds write.
| Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, do not
| use `/gfx` options (e.g. deactivate with `/bpp:32` or `/rfx` as it
| is on by default).


CVE-2024-32040[1]:
| FreeRDP is a free implementation of the Remote Desktop Protocol.
| FreeRDP based clients that use a version of FreeRDP prior to 3.5.0
| or 2.11.6 and have connections to servers using the `NSC` codec are
| vulnerable to integer underflow. Versions 3.5.0 and 2.11.6 patch the
| issue. As a workaround, do not use the NSC codec (e.g. use `-nsc`).


CVE-2024-32041[2]:
| FreeRDP is a free implementation of the Remote Desktop Protocol.
| FreeRDP based clients that use a version of FreeRDP prior to 3.5.0
| or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and
| 2.11.6 patch the issue. As a workaround, deactivate `/gfx` (on by
| default, set `/bpp` or `/rfx` options instead.


CVE-2024-32458[3]:
| FreeRDP is a free implementation of the Remote Desktop Protocol.
| FreeRDP based clients that use a version of FreeRDP prior to 3.5.0
| or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and
| 2.11.6 patch the issue. As a workaround, use `/gfx` or `/rfx` modes
| (on by default, require server side support).


CVE-2024-32459[4]:
| FreeRDP is a free implementation of the Remote Desktop Protocol.
| FreeRDP based clients and servers that use a version of FreeRDP
| prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read.
| Versions 3.5.0 and 2.11.6 patch the issue. No known workarounds are
| available.


CVE-2024-32460[5]:
| FreeRDP is a free implementation of the Remote Desktop Protocol.
| FreeRDP based clients using `/bpp:32` legacy `GDI` drawing
| path with a version of FreeRDP prior to 3.5.0 or 2.11.6 are
| vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch
| the issue. As a workaround, use modern drawing paths (e.g. `/rfx` or
| `/gfx` options). The workaround requires server side support.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-32039
https://www.cve.org/CVERecord?id=CVE-2024-32039
[1] https://security-tracker.debian.org/tracker/CVE-2024-32040
https://www.cve.org/CVERecord?id=CVE-2024-32040
[2] https://security-tracker.debian.org/tracker/CVE-2024-32041
https://www.cve.org/CVERecord?id=CVE-2024-32041
[3] https://security-tracker.debian.org/tracker/CVE-2024-32458
https://www.cve.org/CVERecord?id=CVE-2024-32458
[4] https://security-tracker.debian.org/tracker/CVE-2024-32459
https://www.cve.org/CVERecord?id=CVE-2024-32459
[5] https://security-tracker.debian.org/tracker/CVE-2024-32460
https://www.cve.org/CVERecord?id=CVE-2024-32460
[6] https://www.freerdp.com/2024/04/17/2_11_6-release

Regards,
Salvatore



Bug#1064293: less: CVE-2022-48624

2024-04-22 Thread Salvatore Bonaccorso
Hi,

On Sat, Apr 20, 2024 at 07:54:13AM -0400, P. J. McDermott wrote:
> On 2024-04-19 at 15:55, Salvatore Bonaccorso wrote:
> > Hi,
> > 
> > FWIW, I'm actually preparing a security update for the two CVEs and
> > for bookworm I was first planning to do a 590-2.1 reaching unstable,
> > and so then 590-2.1~deb12u1 for bookworm.
> > 
> > But if you want to override it with a NMU and proposing to salvage the
> > package this is equally fine.
> 
> Your DELAYED/2 NMU is probably the fastest and best way to get these
> CVEs fixed in unstable and bookworm, so that's fine, thanks.  Any plans
> for 551-2 in bullseye?  The two patches in your NMU apply cleanly there.

Yes, both bookworm-security and bullseye-security updates are already
prepared and uploaded to security-master. I will wait for some
exposure of less in unstable with the two fixes before releasing the
DSA.

I have not pushed the changes yet to the repository (will be done
after the DSA release).

I cannot comment on the salvaging of the package directly, as Milan has
responded to the bug and even acked the NMU. So I assume he is active
and you need to discuss with him on co-maintainership for less. But as
I read the discussion is already happening. So stopping here to
comment.

Regards,
Salvatore



Bug#1067018: lnav: FTBFS on arm{el,hf}: test failures

2024-04-19 Thread Salvatore Bonaccorso
FWIW, I will try to work on the new available upstream version in the
next days and see if the two RC bugs on lnav can be addressed along.

It does not make sense to investigate the testsuite failure right now
without rebasing to the new version.



Bug#1068938: marked as pending in less

2024-04-19 Thread Salvatore Bonaccorso
Control: tag -1 pending

Hello,

Bug #1068938 in less reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/less/-/commit/e353d9a5cf7f29570e0ae4e0431b5254feaebbda


Fix bug when viewing a file whose name contains a newline (CVE-2024-32487)

Closes: #1068938


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1068938



Bug#1064293: marked as pending in less

2024-04-19 Thread Salvatore Bonaccorso
Control: tag -1 pending

Hello,

Bug #1064293 in less reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/less/-/commit/e61c8283fbf69a8262d3cec653090fab6e83042d


Shell-quote filenames when invoking LESSCLOSE (CVE-2022-48624)

Closes: #1064293


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1064293



Bug#1064293: less: diff for NMU version 590-2.1

2024-04-19 Thread Salvatore Bonaccorso
Control: tags 1064293 + patch
Control: tags 1064293 + pending
Control: tags 1068938 + patch
Control: tags 1068938 + pending


Dear maintainer,

I've prepared an NMU for less (versioned as 590-2.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

As well pushed in a separate branch on salsa, which can be merged if
accepted to unstable:

https://salsa.debian.org/debian/less/-/tree/sid-2024-security-fixes?ref_type=heads

Regards.
Salvatore
diff -Nru less-590/debian/changelog less-590/debian/changelog
--- less-590/debian/changelog	2023-03-12 17:18:18.0 +0100
+++ less-590/debian/changelog	2024-04-19 15:09:49.0 +0200
@@ -1,3 +1,13 @@
+less (590-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Shell-quote filenames when invoking LESSCLOSE (CVE-2022-48624)
+(Closes: #1064293)
+  * Fix bug when viewing a file whose name contains a newline (CVE-2024-32487)
+(Closes: #1068938)
+
+ -- Salvatore Bonaccorso   Fri, 19 Apr 2024 15:09:49 +0200
+
 less (590-2) sid; urgency=medium
 
   * d/control: set standards version to 4.6.2
diff -Nru less-590/debian/patches/Fix-bug-when-viewing-a-file-whose-name-contains-a-ne.patch less-590/debian/patches/Fix-bug-when-viewing-a-file-whose-name-contains-a-ne.patch
--- less-590/debian/patches/Fix-bug-when-viewing-a-file-whose-name-contains-a-ne.patch	1970-01-01 01:00:00.0 +0100
+++ less-590/debian/patches/Fix-bug-when-viewing-a-file-whose-name-contains-a-ne.patch	2024-04-19 15:09:49.0 +0200
@@ -0,0 +1,67 @@
+From: Mark Nudelman 
+Date: Thu, 11 Apr 2024 17:49:48 -0700
+Subject: Fix bug when viewing a file whose name contains a newline.
+Origin: https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33
+Bug-Debian: https://bugs.debian.org/1068938
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-32487
+
+---
+ filename.c | 31 +--
+ 1 file changed, 25 insertions(+), 6 deletions(-)
+
+--- a/filename.c
 b/filename.c
+@@ -136,6 +136,15 @@ metachar(c)
+ }
+ 
+ /*
++ * Must use quotes rather than escape char for this metachar?
++ */
++static int must_quote(char c)
++{
++	/* {{ Maybe the set of must_quote chars should be configurable? }} */
++	return (c == '\n'); 
++}
++
++/*
+  * Insert a backslash before each metacharacter in a string.
+  */
+ 	public char *
+@@ -168,6 +177,9 @@ shell_quote(s)
+  * doesn't support escape chars.  Use quotes.
+  */
+ use_quotes = 1;
++			} else if (must_quote(*p))
++			{
++len += 3; /* open quote + char + close quote */
+ 			} else
+ 			{
+ /*
+@@ -197,15 +209,22 @@ shell_quote(s)
+ 	{
+ 		while (*s != '\0')
+ 		{
+-			if (metachar(*s))
++			if (!metachar(*s))
+ 			{
+-/*
+- * Add the escape char.
+- */
++*p++ = *s++;
++			} else if (must_quote(*s))
++			{
++/* Surround the char with quotes. */
++*p++ = openquote;
++*p++ = *s++;
++*p++ = closequote;
++			} else
++			{
++/* Insert an escape char before the char. */
+ strcpy(p, esc);
+ p += esclen;
++*p++ = *s++;
+ 			}
+-			*p++ = *s++;
+ 		}
+ 		*p = '\0';
+ 	}
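Review bot: in the copy loop of shell_quote() (the last filename.c hunk), `must_quote(*s)` is only reached once `metachar(*s)` has returned true, so a newline gets wrapped in quotes only while '\n' is part of the metacharacter set; if it is not, the first branch copies it raw with `*p++ = *s++`. Testing `must_quote()` ahead of `metachar()` here, and in the same order in the length computation, would remove that dependency and keep the two passes in step. The `len += 3` added earlier matches the three bytes written here only because openquote and closequote are single chars, which is worth a one-line comment. Style: `must_quote(char c)` is a prototype-style definition while the `metachar(c)` and `shell_quote(s)` shown in the hunk headers are old-style.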
diff -Nru less-590/debian/patches/Shell-quote-filenames-when-invoking-LESSCLOSE.patch less-590/debian/patches/Shell-quote-filenames-when-invoking-LESSCLOSE.patch
--- less-590/debian/patches/Shell-quote-filenames-when-invoking-LESSCLOSE.patch	1970-01-01 01:00:00.0 +0100
+++ less-590/debian/patches/Shell-quote-filenames-when-invoking-LESSCLOSE.patch	2024-04-19 15:09:49.0 +0200
@@ -0,0 +1,43 @@
+From: Mark Nudelman 
+Date: Sat, 25 Jun 2022 11:54:43 -0700
+Subject: Shell-quote filenames when invoking LESSCLOSE.
+Origin: https://github.com/gwsw/less/commit/c6ac6de49698be84d264a0c4c0c40bb870b10144
+Bug-Debian: https://bugs.debian.org/1064293
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-48624
+
+---
+ filename.c | 10 --
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/filename.c b/filename.c
+index 5824e385dce4..dff20c08d81c 100644
+--- a/filename.c
 b/filename.c
+@@ -972,6 +972,8 @@ close_altfile(altfilename, filename)
+ {
+ #if HAVE_POPEN
+ 	char *lessclose;
++	char *qfilename;
++	char *qaltfilename;
+ 	FILE *fd;
+ 	char *cmd;
+ 	int len;
+@@ -986,9 +988,13 @@ close_altfile(altfilename, filename)
+ 		error("LESSCLOSE ignored; must contain no more than 2 %%s", NULL_PARG);
+ 		return;
+ 	}
+-	len = (int) (strlen(lessclose) + strlen(filename) + strlen(altfilename) + 2);
++	qfilename = shell_quote(filename);
++	qaltfilename = shell_quote(altfilename);
++	len = (int) (strlen(lessclose) + strlen(qfilename) + strlen(qaltfilename) + 2);
+ 	cmd = (char *) ecalloc(len, sizeof(char));
+-	SNPRINTF2(cmd, len, lessclose, filename, altfilename);
++	SNPRINTF2(cmd, len, lessclose, qfilename, qaltfilename);
++	free(qaltfilename);
++	free(qfilename);
+ 	fd = shellcmd(cmd);
+ 	free(cmd);
+ 	if (fd != NULL)
+-- 
+2.43.0
+
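Review bot: in close_altfile(), the results of `shell_quote(filename)` and `shell_quote(altfilename)` are passed straight to `strlen()` and `SNPRINTF2()` without a NULL check. The failure behaviour of shell_quote() is not visible in this diff; if it can return NULL for a name it cannot quote, this is a NULL dereference on attacker-influenced file names. Suggest checking both pointers right after the two calls, freeing whichever one was allocated, and returning without running LESSCLOSE when either is NULL.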
diff -Nru less-590/debian/patches/serie

Bug#1064293: less: CVE-2022-48624

2024-04-19 Thread Salvatore Bonaccorso
Hi,

FWIW, I'm actually preparing a security update for the two CVEs and
for bookworm I was first planning to do a 590-2.1 reaching unstable,
and so then 590-2.1~deb12u1 for bookworm.

But if you want to override it with a NMU and proposing to salvage the
package this is equally fine.

Regards,
Salvatore



Bug#1069059: cockpit update from DSA-5655-1 without binary builds (build failures)

2024-04-16 Thread Salvatore Bonaccorso
Hi Martin,

On Tue, Apr 16, 2024 at 09:26:02AM +0200, Martin Pitt wrote:
> Control: tag -1 upstream fixed-upstream patch
> Control: forwarded -1 https://github.com/cockpit-project/cockpit/pull/19790
> 
> Hello Salvatore and Santiago,
> 
> Salvatore Bonaccorso [2024-04-15 19:28 +0200]:
> > The update for cockpit in DSA 5655-1 had problems with the
> > test-sshbridge test, causing FTBFS:
> >
> > From the tail of the test failure:
> >
> > # cockpit-protocol-DEBUG: test-ssh: output queue empty
> >
> > (cockpit-ssh:3731): cockpit-ssh-WARNING **: 20:51:17.702: (src/ssh/cockpitsshrelay.c:1423):cockpit_ssh_connect: runtime check failed: (ssh_options_set (data->session, SSH_OPTIONS_HOST, host) == 0)
> >
> > (cockpit-ssh:3731): cockpit-ssh-WARNING **: 20:51:17.702: (src/ssh/cockpitsshrelay.c:1424):cockpit_ssh_connect: runtime check failed: (ssh_options_parse_config (data->session, NULL) == 0)
> > # cockpit-protocol-DEBUG: test-ssh: reading input 1
> > # cockpit-protocol-DEBUG: test-ssh: received a 82 byte payload
> > # cockpit-protocol-DEBUG: test-ssh: want more data
> > **
> > cockpit-ssh:ERROR:src/ssh/test-sshbridge.c:560:wait_until_transport_init: assertion failed (json_object_get_string_member (init, "command") == "init"): ("authorize" == "init")
> > Bail out! cockpit-ssh:ERROR:src/ssh/test-sshbridge.c:560:wait_until_transport_init: assertion failed (json_object_get_string_member (init, "command") == "init"): ("authorize" == "init")
> > cockpit-ssh-Message: 20:51:17.704: cockpit-ssh some_host: -1 couldn't connect: Hostname required 'some_host' '22'
> > cockpit-ssh-Message: 20:51:17.704: couldn't write control message: Broken pipe
> > cockpit-ssh-Message: 20:51:17.704: couldn't write authorize message: Inappropriate ioctl for device
> > FAIL test-sshbridge (exit status: 134)
> 
> Argh, I can reproduce. The test passes with the previous
> http://snapshot.debian.org/package/libssh/0.10.5-3/ but fails with current
> 0.10.6-0+deb12u1.
> 
> The reason is annoyingly mundane, and already got fixed upstream half a year
> ago:
> https://github.com/cockpit-project/cockpit/commit/518d36c3492020525
> 
> I prepared a package update with that fix cherry-picked. See attached debdiff.
> It builds fine in a clean bookworm container now.
> But I don't know how exactly to target and upload this: to bookworm-security
> or -updates? It's a follow-up for a previous security update to make that
> actually work, but not a security update in itself.

Technically speaking, as the issue is present already before the DSA
release, you are right and the proposed update way would have been the
way to go. *But* we have a released security-update which de-facto does
not reach the users right now, so I propose to release the regression
fix through a security and make it a DSA regression announce.

Can you please upload to security-master?

Regards,
Salvatore



Bug#1069059: cockpit update from DSA-5655-1 without binary builds (build failures)

2024-04-15 Thread Salvatore Bonaccorso
Source: cockpit
Version: 287.1-0+deb12u1
Severity: serious
Justification: missing binary builds, FTBFS
X-Debbugs-Cc: t...@security.debian.org, a...@debian.org, car...@debian.org

Hi

The update for cockpit in DSA 5655-1 had problems with the
test-sshbridge test, causing FTBFS:

From the tail of the test failure:

# cockpit-protocol-DEBUG: test-ssh: output queue empty

(cockpit-ssh:3731): cockpit-ssh-WARNING **: 20:51:17.702: (src/ssh/cockpitsshrelay.c:1423):cockpit_ssh_connect: runtime check failed: (ssh_options_set (data->session, SSH_OPTIONS_HOST, host) == 0)

(cockpit-ssh:3731): cockpit-ssh-WARNING **: 20:51:17.702: (src/ssh/cockpitsshrelay.c:1424):cockpit_ssh_connect: runtime check failed: (ssh_options_parse_config (data->session, NULL) == 0)
# cockpit-protocol-DEBUG: test-ssh: reading input 1
# cockpit-protocol-DEBUG: test-ssh: received a 82 byte payload
# cockpit-protocol-DEBUG: test-ssh: want more data
**
cockpit-ssh:ERROR:src/ssh/test-sshbridge.c:560:wait_until_transport_init: assertion failed (json_object_get_string_member (init, "command") == "init"): ("authorize" == "init")
Bail out! cockpit-ssh:ERROR:src/ssh/test-sshbridge.c:560:wait_until_transport_init: assertion failed (json_object_get_string_member (init, "command") == "init"): ("authorize" == "init")
cockpit-ssh-Message: 20:51:17.704: cockpit-ssh some_host: -1 couldn't connect: Hostname required 'some_host' '22'
cockpit-ssh-Message: 20:51:17.704: couldn't write control message: Broken pipe
cockpit-ssh-Message: 20:51:17.704: couldn't write authorize message: Inappropriate ioctl for device
FAIL test-sshbridge (exit status: 134)

Regards,
Salvatore



Bug#1068770: linux-image-6.1.0-18-amd64: Local privilege escalation vulnerability in kernel n_gsm driver

2024-04-10 Thread Salvatore Bonaccorso
Control: tags -1 + confirmed pending
Control: found -1 6.1.82-1

Hi,

On Wed, Apr 10, 2024 at 12:16:21PM -0700, LW wrote:
> Package: src:linux
> Version: 6.1.76-1
> Severity: critical
> Tags: upstream security
> Justification: root security hole
> X-Debbugs-Cc: lw-deb-...@greyskydesigns.com, Debian Security Team 
> 
> 
> Dear Maintainer,
> 
> A Reddit thread[1] linked to a Github page[2] with a local root
> escalation exploit.  This exploit works on the current "bookworm"
> stable kernel, 6.1.0-18-amd64.
> 
> It can be worked around by blocking the n_gsm driver:
> 
> echo 'blacklist n_gsm' | sudo tee -a /etc/modprobe.d/blacklist-gsm.conf
> sudo rmmod n_gsm
> 
> 
> [1] 
> https://old.reddit.com/r/linux/comments/1c0i7tx/someone_found_a_kernel_0day/
> [2] https://github.com/YuriiCrimson/ExploitGSM/

Thanks, we are already aware of the issue.

Upstream is going to apply a mitigation for the issue:
https://lore.kernel.org/stable/2024041054-asleep-replace-96e8@gregkh/T/#m3a8ce43359ad57e447faa4db6ecf4f4c1b60c498

Regards,
Salvatore



Bug#1064724: marked as pending in yapet

2024-04-08 Thread Salvatore Bonaccorso
Control: tag -1 pending

Hello,

Bug #1064724 in yapet reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/carnil/yapet/-/commit/06ca998023176a9c6234861b1281ee2172b301c9


crypt/blowfish: Remove EVP_CIPHER_CTX_set_key_length()

Closes: #1064724


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1064724



Bug#1068045: [Pkg-openssl-devel] Bug#1068045: libssl3: breaks YAPET

2024-04-08 Thread Salvatore Bonaccorso
Hi Sebastian,

On Mon, Apr 08, 2024 at 06:43:01PM +0200, Sebastian Andrzej Siewior wrote:
> control: tags -1 patch
> control: reassign -1 yapet 2.6-1
> 
> On 2024-04-08 08:32:58 [+0200], Kurt Roeckx wrote:
> > There might be a related change that doesn't allow restarting the
> > operation with the same context without setting things up again.
> 
> Yapet is broken and the openssl update revealed the problem. I
> reassigned it to yapet 2.6 but probably affects earlier versions.
> But then the 1.1.1 series is no longer maintained so…
> 
> Patches attached and they hold the details of why and such.
> 
> This needs to be applied to unstable and Bookworm.
> The testsuite passes and I can open Sean's test file.
> Further testing is welcome by actual users ;)

Thanks for the investigation and bringing the fixes to upstream
already: https://github.com/RafaelOstertag/yapet/pull/29
> 
> I can NMU if needed just yell.

No need for that, will take it with my maintainers hat on from here.

Regards,
Salvatore



Bug#1067829: Fails to build on arm{el,hf} with 64bit time_t: export-cache.c:110:51: error: format ‘%ld’ expects argument of type ‘long int’, but argument 4 has type ‘time_t’ {aka ‘long long int’} [-We

2024-04-06 Thread Salvatore Bonaccorso
ime, sizeof(flushtime), "%lld\n", (long long int)now);
 
 	for (i = 0; junction_proc_files[i] != NULL; i++) {
 		retval = junction_write_time(junction_proc_files[i], flushtime);
>From 774394df352c249775d51d5d6e3effa775096b4f Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso 
Date: Sat, 6 Apr 2024 20:48:43 +0200
Subject: [PATCH] junction: export-cache: cast to a type with a known size to
 ensure sprintf works
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

As reported in Debian, with the 64bit time_t transition for the armel
and armhf architecture, it was found that nfs-utils fails to compile
with:

	libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I../../support/include -I/usr/include/tirpc -I/usr/include/libxml2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_TIME_BITS=64 -Wdate-time -D_FORTIFY_SOURCE=2 -D_GNU_SOURCE -pipe -Wall -Wextra -Werror=strict-prototypes -Werror=missing-prototypes -Werror=missing-declarations -Werror=format=2 -Werror=undef -Werror=missing-include-dirs -Werror=strict-aliasing=2 -Werror=init-self -Werror=implicit-function-declaration -Werror=return-type -Werror=switch -Werror=overflow -Werror=parentheses -Werror=aggregate-return -Werror=unused-result -fno-strict-aliasing -Werror=format-overflow=2 -Werror=int-conversion -Werror=incompatible-pointer-types -Werror=misleading-indentation -Wno-cast-function-type -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/<>=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -c xml.c  -fPIC -DPIC -o .libs/xml.o
	export-cache.c: In function ‘junction_flush_exports_cache’:
	export-cache.c:110:51: error: format ‘%ld’ expects argument of type ‘long int’, but argument 4 has type ‘time_t’ {aka ‘long long int’} [-Werror=format=]
	  110 | snprintf(flushtime, sizeof(flushtime), "%ld\n", now);
	  | ~~^ ~~~
	  |   | |
	  |   | time_t {aka long long int}
	  |   long int
	  | %lld

time_t is not guaranteed to be 64-bit, so it must be coerced into the expected
type for printf. Cast it to long long.

Reported-by: Vladimir Petko 
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218540
Link: https://bugs.debian.org/1067829
Link: https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/2055349
Fixes: 494d22396d3d ("Add LDAP-free version of libjunction to nfs-utils")
Suggested-by: Vladimir Petko 
Signed-off-by: Salvatore Bonaccorso 
---
 support/junction/export-cache.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/support/junction/export-cache.c b/support/junction/export-cache.c
index 4e578c9b37b1..00187c019d60 100644
--- a/support/junction/export-cache.c
+++ b/support/junction/export-cache.c
@@ -107,7 +107,7 @@ junction_flush_exports_cache(void)
 		xlog(D_GENERAL, "%s: time(3) failed", __func__);
 		return FEDFS_ERR_SVRFAULT;
 	}
-	snprintf(flushtime, sizeof(flushtime), "%ld\n", now);
+	snprintf(flushtime, sizeof(flushtime), "%lld\n", (long long)now);
 
 	for (i = 0; junction_proc_files[i] != NULL; i++) {
 		retval = junction_write_time(junction_proc_files[i], flushtime);
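Review bot: the snprintf() call changed at line 110 still has its return value ignored, and the declaration of flushtime lies outside this hunk, so the lines shown do not establish that the buffer is large enough for the widened value. A long long prints as up to 20 characters including the sign, and the newline and terminating NUL bring that to 22 bytes; please confirm sizeof(flushtime) covers that, or compare snprintf's return value against sizeof(flushtime) and return FEDFS_ERR_SVRFAULT on truncation instead of handing a cut-off timestamp to junction_write_time().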
-- 
2.43.0



Bug#1068045: [Pkg-openssl-devel] Bug#1068045: libssl3: breaks YAPET

2024-04-06 Thread Salvatore Bonaccorso
Hi Sean,

On Sat, Apr 06, 2024 at 04:54:14PM +0800, Sean Whitton wrote:
> control: reassign -1 libssl3,yapet
> control: found -1 libssl3/3.1.5-1
> control: found -1 yapet/2.6-1
> control: retitle -1 libssl3,yapet: YAPET cannot decrypt YAPET1.0-format DB
> 
> Hello,
> 
> On Sat 30 Mar 2024 at 03:01pm +01, Sebastian Andrzej Siewior wrote:
> 
> >>
> >>> Also, yapet is unchanged in unstable. Is the problem there, too?
> >>
> 
> I have now confirmed that the problem is in unstable too.

As it is a regression caused by libssl3 3.0.11 based to 3.0.13, why is
it reassigned to yapet? (the regression is as well present in
unstable).

That said: You are right, opening 1.0 format databases should still
work that said, but is regressing with the openssl update. And as per
manpage: YAPET 2.0 will read and write pre YAPET 2.0 files. Pre YAPET
2.0 files are converted to YAPET 2.0 files when changing the master
password. Once converted, the files can no longer be read by pre YAPET
2.0 versions.

I can ask upstream, but currently yapet will FTBFS with problems in
the testsuite anyway, and the problems are related.

And yapet FTBFS with the new openssl in bookworm-pu in same way as in
unstable (but not with the old version).

Thus I believe #1068045 and #1064724 are actually related.

Regards,
Salvatore



Bug#1068045: Bug#1064724: yapet: FTBFS: dh_auto_test: error: make -j8 check "TESTSUITEFLAGS=-j8 --verbose" VERBOSE=1 returned exit code 2

2024-04-06 Thread Salvatore Bonaccorso
Hi,

On Thu, Mar 21, 2024 at 09:09:02AM +0100, Salvatore Bonaccorso wrote:
> Hi Vladimir,
> 
> On Thu, Mar 21, 2024 at 08:39:32PM +1300, Vladimir Petko wrote:
> > Package: yapet
> > Followup-For: Bug #1064724
> > User: ubuntu-de...@lists.ubuntu.com
> > Usertags: origin-ubuntu noble ubuntu-patch
> > Control: tags -1 patch
> > 
> > Dear Maintainer,
> > 
> > The package fails to build due to the recent changes in openssl.
> > I have disabled the affected tests, but probably the issue should be fixed
> > upstream.
> > 
> > When investigating test failure I've also noticed that the tests fail on 
> > armhf
> > due to the usage of std::memset that was optimized away. I have replaced the
> > call with std::fill()
> > 
> > In Ubuntu, the attached patch was applied to achieve the following:
> > 
> >   * d/p/use-std-fill.patch: use std::fill to reset memory instead of
> > std::memset. This fixes armhf test failure (LP: 2058584).
> >   * d/p/disable-blowfish-tests.patch: disable failing blowfish tests.
> > See Debian bug 1064724.
> > 
> > 
> > Thanks for considering the patch.
> 
> Thanks for your work. I would like to give upstream some time to look
> at the two reported issues.

I'm not going to apply the patch for now, as the underlying issue is
triggered due to a change in openssl. Cf. #1068045.

Regards,
Salvatore



Bug#1068412: [ftpmas...@ftp-master.debian.org: Accepted apache2 2.4.59-1 (source) into unstable]

2024-04-05 Thread Salvatore Bonaccorso
Source: apache2
Source-Version: 2.4.59-1

- Forwarded message from Debian FTP Masters 
 -

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 05 Apr 2024 08:08:11 +0400
Source: apache2
Built-For-Profiles: nocheck
Architecture: source
Version: 2.4.59-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers 
Changed-By: Yadd 
Closes: 1032628 1054564
Changes:
 apache2 (2.4.59-1) unstable; urgency=medium
 .
   [ Stefan Fritsch ]
   * Remove old transitional packages libapache2-mod-md and
 libapache2-mod-proxy-uwsgi. Closes: #1032628
 .
   [ Yadd ]
   * mod_proxy_connect: disable AllowCONNECT by default (Closes: #1054564)
   * Refresh patches
   * New upstream version 2.4.59
   * Refresh patches
   * Update patches
   * Update test framework




- End forwarded message -



Bug#1068417: trafficserver: CVE-2024-31309: HTTP/2 CONTINUATION frames can be utilized for DoS attacks

2024-04-04 Thread Salvatore Bonaccorso
Source: trafficserver
Version: 9.2.3+ds-1+deb12u1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 8.1.9+ds-1~deb11u1

Hi,

The following vulnerability was published for trafficserver.

CVE-2024-31309[0].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31309
https://www.cve.org/CVERecord?id=CVE-2024-31309
[1] https://www.kb.cert.org/vuls/id/421644
[2] https://github.com/apache/trafficserver/pull/11207
[3] https://github.com/apache/trafficserver/pull/11206

Regards,
Salvatore



Bug#1068415: nghttp2: CVE-2024-28182: Reading unbounded number of HTTP/2 CONTINUATION frames to cause excessive CPU usage

2024-04-04 Thread Salvatore Bonaccorso
Source: nghttp2
Version: 1.60.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for nghttp2.

CVE-2024-28182[0]:
| nghttp2 is an implementation of the Hypertext Transfer Protocol
| version 2 in C. The nghttp2 library prior to version 1.61.0 keeps
| reading the unbounded number of HTTP/2 CONTINUATION frames even
| after a stream is reset to keep HPACK context in sync.  This causes
| excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0
| mitigates this vulnerability by limiting the number of CONTINUATION
| frames it accepts per stream. There is no workaround for this
| vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28182
https://www.cve.org/CVERecord?id=CVE-2024-28182
[1] https://github.com/nghttp2/nghttp2/security/advisories/GHSA-x6x3-gv8h-m57q

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
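
The mitigation quoted above for CVE-2024-28182, and the CONTINUATION-based DoS reported for trafficserver (CVE-2024-31309), both rest on bounding how many CONTINUATION frames one header block may span. The following C code is an added example, not code from nghttp2, Traffic Server or this thread: `h2_scan`, `h2_put`, `h2_demo` and the cap of 8 are assumptions of the example, and only the frame layout, type and flag values come from RFC 9113.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define H2_HDR_LEN          9     /* 24-bit length, type, flags, 31-bit stream id */
#define H2_DATA             0x0
#define H2_HEADERS          0x1
#define H2_CONTINUATION     0x9
#define H2_FLAG_END_HEADERS 0x4
#define MAX_CONTINUATIONS   8     /* assumed cap for this example, not nghttp2's value */

enum h2_verdict {
    H2_OK = 0,
    H2_TRUNCATED = -1,               /* buffer ends inside a frame or header block */
    H2_PROTOCOL_ERROR = -2,          /* frame sequence not allowed by RFC 9113 */
    H2_TOO_MANY_CONTINUATIONS = -3   /* header block exceeded the cap */
};

/* Walk a buffer of HTTP/2 frames (connection preface already consumed) and
 * enforce a cap on CONTINUATION frames per header block. The counter belongs
 * to the header block, not to the stream's liveness: a receiver that has
 * already reset the stream still has to read these frames to keep HPACK in
 * sync, which is exactly where an unbounded count costs CPU.
 * PUSH_PROMISE, which also opens a header block, is not modelled here. */
enum h2_verdict h2_scan(const uint8_t *buf, size_t len, unsigned max_cont)
{
    uint32_t open_stream = 0;   /* stream with an unfinished header block, 0 = none */
    unsigned cont = 0;          /* CONTINUATION frames seen in that block */
    size_t off = 0;

    while (off < len) {
        if (len - off < H2_HDR_LEN)
            return H2_TRUNCATED;
        uint32_t plen = ((uint32_t)buf[off] << 16) | ((uint32_t)buf[off + 1] << 8) | buf[off + 2];
        uint8_t type = buf[off + 3];
        uint8_t flags = buf[off + 4];
        uint32_t sid = (((uint32_t)buf[off + 5] << 24) | ((uint32_t)buf[off + 6] << 16) |
                        ((uint32_t)buf[off + 7] << 8) | buf[off + 8]) & 0x7fffffffu;
        off += H2_HDR_LEN;
        if (len - off < plen)
            return H2_TRUNCATED;
        off += plen;            /* payload content is irrelevant to the count */

        if (open_stream != 0) {
            /* Inside a header block only CONTINUATION on the same stream is legal. */
            if (type != H2_CONTINUATION || sid != open_stream)
                return H2_PROTOCOL_ERROR;
            if (++cont > max_cont)      /* zero-length frames count as well */
                return H2_TOO_MANY_CONTINUATIONS;
            if (flags & H2_FLAG_END_HEADERS) {
                open_stream = 0;
                cont = 0;
            }
        } else if (type == H2_CONTINUATION) {
            return H2_PROTOCOL_ERROR;   /* CONTINUATION with no open header block */
        } else if (type == H2_HEADERS) {
            if (sid == 0)
                return H2_PROTOCOL_ERROR;
            if (!(flags & H2_FLAG_END_HEADERS))
                open_stream = sid;
        }
    }
    return open_stream ? H2_TRUNCATED : H2_OK;
}

/* Write one frame with a zero-filled payload; returns the new offset. */
static size_t h2_put(uint8_t *buf, size_t off, uint8_t type, uint8_t flags,
                     uint32_t sid, uint32_t plen)
{
    buf[off] = (uint8_t)(plen >> 16);
    buf[off + 1] = (uint8_t)(plen >> 8);
    buf[off + 2] = (uint8_t)plen;
    buf[off + 3] = type;
    buf[off + 4] = flags;
    buf[off + 5] = (uint8_t)(sid >> 24);
    buf[off + 6] = (uint8_t)(sid >> 16);
    buf[off + 7] = (uint8_t)(sid >> 8);
    buf[off + 8] = (uint8_t)sid;
    memset(buf + off + H2_HDR_LEN, 0, plen);
    return off + H2_HDR_LEN + plen;
}

/* Constructed sample traffic on stream 1: HEADERS, an optional stray DATA
 * frame, then n_cont CONTINUATION frames; END_HEADERS is set on the last
 * frame of the block only when 'finish' is non-zero. */
enum h2_verdict h2_demo(unsigned n_cont, int finish, int stray_data)
{
    uint8_t buf[4096];
    size_t off;
    unsigned i;

    if (n_cont > 256)
        n_cont = 256;           /* keep the sample inside buf */
    off = h2_put(buf, 0, H2_HEADERS,
                 (n_cont == 0 && finish) ? H2_FLAG_END_HEADERS : 0, 1, 16);
    if (stray_data)
        off = h2_put(buf, off, H2_DATA, 0, 1, 4);
    for (i = 1; i <= n_cont; i++)
        off = h2_put(buf, off, H2_CONTINUATION,
                     (i == n_cont && finish) ? H2_FLAG_END_HEADERS : 0, 1, 4);
    return h2_scan(buf, off, MAX_CONTINUATIONS);
}

int main(void)
{
    printf("3 CONTINUATION frames, finished: %d\n", h2_demo(3, 1, 0));
    printf("200 CONTINUATION frames, never finished: %d\n", h2_demo(200, 0, 0));
    printf("DATA inside an open header block: %d\n", h2_demo(3, 1, 1));
    return 0;
}
```
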



Bug#1068347: [ftpmas...@ftp-master.debian.org: Accepted nodejs 18.20.1+dfsg-1 (source) into unstable]

2024-04-03 Thread Salvatore Bonaccorso
Source: nodejs
Source-Version: 18.20.1+dfsg-1

- Forwarded message from Debian FTP Masters 
 -

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Wed, 03 Apr 2024 16:50:38 +0200
Source: nodejs
Architecture: source
Version: 18.20.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers 

Changed-By: Jérémy Lal 
Changes:
 nodejs (18.20.1+dfsg-1) unstable; urgency=medium
 .
   * New upstream version 18.20.1+dfsg
 + CVE-2024-27983: HTTP/2 server crash (High)
 + CVE-2024-27982: HTTP Request Smuggling (Medium)
   * Breaks libnode108, not 109
   * copyright: remove file
   * Drop build/test_dns_resolveany_bad_ancount.patch, applied




- End forwarded message -



Bug#1068189: debhelper: --link-doc checking for known packages makes linux-signed build FTBFS

2024-04-01 Thread Salvatore Bonaccorso
Control: reassign -1 src:linux 6.7.9-2

Hi Niels,

On Mon, Apr 01, 2024 at 05:19:43PM +0200, Niels Thykier wrote:
> Salvatore Bonaccorso:
> > Source: debhelper
> > Version: 13.15
> > Severity: serious
> > Tags: ftbfs
> > Justification: Regression for other package builds, FTBFS
> > X-Debbugs-Cc: car...@debian.org,debian-ker...@lists.debian.org
> > Control: affects -1 + 
> > src:linux,src:linux-signed-amd64,src:linux-signed-arm64
> > 
> > Hi Niels,
> > 
> > Not fully investigated, but starting to fill a bugreport. I noticed
> > that the src:linux pipeline on salsa started to fail for the
> > jobs in the build-signed stage (in the build-signed job).
> > 
> > https://salsa.debian.org/carnil/linux/-/jobs/5527774
> > 
> > (and for saving the output):
> > 
> > [...]
> > 
> > (attached as well the raw log)
> > 
> > I'm not 100% sure yet, this might be a problem in our packaging in
> > which case we can re-assign. But it only got triggered with the
> > change recently in debhelper:
> > 
> > https://salsa.debian.org/debian/debhelper/-/commit/dec5cfad00e2abd9ee3594f90c93f3fa42bb73ff
> > 
> > Regards,
> > Salvatore
> 
> Hi Salvatore
> 
> It was a suggestion raised (I think on IRC) to have debhelper explicitly
> check these parameters, because a lot of t64 breakage was "unnoticed" by
> debhelper. That is, when people forgot to update --link-doc parameters
> (etc.).
> 
> The code for `--link-doc` uses `${binary:Version}` for the dependency, so
> the package should really be from the same source[1]. In my view, it was
> never a case that was expected to work between source packages.
> 
> I think `linux` with `linux-signed` is doing something really special here
> (especially considering it has worked so far), and I think the question is
> whether `linux`/`linux-signed` should get a special-case or concluding that
> the `--link-doc` is not suitable for the `linux`/`linux-signed` case.
> 
> I would like to hear your case for what makes `--link-doc` sensible for the
> `linux-signed` case. I know of `linux-signed`, but I have no idea what you
> are dealing with in practice, so it is hard for me to make a judgement call
> on this (other than my biased gut feeling of wanting to minimize
> special-cases).

Thanks for your very quick reply, this is much appreciated.

I understand the reason and src:linux should not get really to be
exceptionally handled. So for now I will re-assign it to src:linux
and we can search for a solution in our package.

Thanks a lot for your work on debhelper!

Regards,
Salvatore



Bug#1068189: debhelper: --link-doc checking for known packages makes linux-signed build FTBFS

2024-04-01 Thread Salvatore Bonaccorso
Source: debhelper
Version: 13.15
Severity: serious
Tags: ftbfs
Justification: Regression for other package builds, FTBFS
X-Debbugs-Cc: car...@debian.org,debian-ker...@lists.debian.org
Control: affects -1 + src:linux,src:linux-signed-amd64,src:linux-signed-arm64

Hi Niels,

Not fully investigated, but starting to fill a bugreport. I noticed
that the src:linux pipeline on salsa started to fail for the
jobs in the build-signed stage (in the build-signed job).

https://salsa.debian.org/carnil/linux/-/jobs/5527774

(and for saving the output):

dh_installdocs --link-doc=linux-headers-6.7+unreleased-cloud-amd64
dh_installdocs: error: Requested unknown package 
linux-headers-6.7+unreleased-cloud-amd64 via --link-doc, expected one of: 
linux-image-6.7+unreleased-amd64 linux-image-amd64 linux-headers-amd64 
linux-image-6.7+unreleased-cloud-amd64 linux-image-cloud-amd64 
linux-headers-cloud-amd64 linux-image-6.7+unreleased-rt-amd64 
linux-image-rt-amd64 linux-headers-rt-amd64
make[2]: *** [debian/rules.real:81: binary_meta] Error 25
make[1]: *** [debian/rules.gen:21: binary-arch_amd64_none_cloud-amd64_meta] 
Error 2
make: *** [debian/rules:19: binary-arch] Error 2
dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2

(attached as well the raw log)

I'm not 100% sure yet, this might be a problem in our packaging in
which case we can re-assign. But it only got triggered with the
change recently in debhelper:

https://salsa.debian.org/debian/debhelper/-/commit/dec5cfad00e2abd9ee3594f90c93f3fa42bb73ff

Regards,
Salvatore


5527774.log.gz
Description: application/gzip


Bug#1067849: util-linux: CVE-2024-28085: wall: escape sequence injection

2024-03-27 Thread Salvatore Bonaccorso
Source: util-linux
Version: 2.39.3-11
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 2.38.1-5 
Control: found -1 2.36.1-8+deb11u1
Control: found -1 2.36.1-8
Control: found -1 2.33.1-0.1

Hi,

The following vulnerability was published for util-linux.

CVE-2024-28085[0]:
| escape sequence injection in wall


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28085
https://www.cve.org/CVERecord?id=CVE-2024-28085
[1] https://www.openwall.com/lists/oss-security/2024/03/27/5
[2] https://people.rit.edu/sjf5462/6831711781/wall_2_27_2024.txt
[3] https://github.com/skyler-ferrante/CVE-2024-28085

Regards,
Salvatore

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-18-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)



Bug#1064724: yapet: FTBFS: dh_auto_test: error: make -j8 check "TESTSUITEFLAGS=-j8 --verbose" VERBOSE=1 returned exit code 2

2024-03-21 Thread Salvatore Bonaccorso
Hi Vladimir,

On Thu, Mar 21, 2024 at 08:39:32PM +1300, Vladimir Petko wrote:
> Package: yapet
> Followup-For: Bug #1064724
> User: ubuntu-de...@lists.ubuntu.com
> Usertags: origin-ubuntu noble ubuntu-patch
> Control: tags -1 patch
> 
> Dear Maintainer,
> 
> The package fails to build due to the recent changes in openssl.
> I have disabled the affected tests, but probably the issue should be fixed
> upstream.
> 
> When investigating test failure I've also noticed that the tests fail on armhf
> due to the usage of std::memset that was optimized away. I have replaced the
> call with std::fill()
> 
> In Ubuntu, the attached patch was applied to achieve the following:
> 
>   * d/p/use-std-fill.patch: use std::fill to reset memory instead of
> std::memset. This fixes armhf test failure (LP: 2058584).
>   * d/p/disable-blowfish-tests.patch: disable failing blowfish tests.
> See Debian bug 1064724.
> 
> 
> Thanks for considering the patch.

Thanks for your work. I would like to give upstream some time to look
at the two reported issues.

Regards,
Salvatore



Bug#1067393: fastdds: CVE-2024-28231

2024-03-20 Thread Salvatore Bonaccorso
Source: fastdds
Version: 2.11.2+ds-6
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for fastdds.

CVE-2024-28231[0]:
| eprosima Fast DDS is a C++ implementation of the Data Distribution
| Service standard of the Object Management Group. Prior to versions
| 2.14.0, 2.13.4, 2.12.3, 2.10.4, and 2.6.8, manipulated DATA
| Submessage can cause a heap overflow error in the Fast-DDS process,
| causing the process to be terminated remotely. Additionally, the
| payload_size in the DATA Submessage packet is declared as uint32_t.
| When a negative number, such as -1, is input into this variable, it
| results in an Integer Overflow (for example, -1 gets converted to
| 0x). This eventually leads to a heap-buffer-overflow,
| causing the program to terminate. Versions 2.14.0, 2.13.4, 2.12.3,
| 2.10.4, and 2.6.8 contain a fix for this issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28231
https://www.cve.org/CVERecord?id=CVE-2024-28231
[1] https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-9m2j-qw67-ph4w

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#1064967: fontforge DSA (was: Re: Bug#1064967: fontforge: diff for NMU version 1:20230101~dfsg-1.1)

2024-03-19 Thread Salvatore Bonaccorso
Hi Adrian,

On Sat, Mar 16, 2024 at 12:12:01AM +0200, Adrian Bunk wrote:
> On Wed, Mar 13, 2024 at 08:39:47PM +0100, Salvatore Bonaccorso wrote:
> > Hi Adrian,
> 
> Hi Salvatore,
> 
> > On Fri, Mar 08, 2024 at 02:03:55AM +0200, Adrian Bunk wrote:
> > > Control: tags 1064967 + patch
> > > Control: tags 1064967 + pending
> > > 
> > > Dear maintainer,
> > > 
> > > I've prepared an NMU for fontforge (versioned as 1:20230101~dfsg-1.1) and
> > > uploaded it to DELAYED/2. Please feel free to tell me if I should cancel 
> > > it.
> > > 
> > > @Security team:
> > > If wanted, I could afterwards also prepare (pu or DSA) updates for 
> > > bookworm and bullseye.
> > 
> > We came to the conclusion that it warrants a DSA. Could you prepare
> > > debdiffs for bookworm-security and bullseye-security?
> 
> the debdiffs are attached.
> 
> Tested on both releases with the PoCs from [1] and that opening a normal 
> compressed font still works.

DSA for your work released.

Thanks for your contribution!

Regards,
Salvatore



Bug#1067115: gross: CVE-2023-52159

2024-03-18 Thread Salvatore Bonaccorso
Source: gross
Version: 1.0.2-4
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for gross.

CVE-2023-52159[0]:
| A stack-based buffer overflow vulnerability in gross 0.9.3 through
| 1.x before 1.0.4 allows remote attackers to trigger a denial of
| service (grossd daemon crash) or potentially execute arbitrary code
| in grossd via crafted SMTP transaction parameters that cause an
| incorrect strncat for a log entry.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-52159
https://www.cve.org/CVERecord?id=CVE-2023-52159
[1] 
https://codeberg.org/bizdelnick/gross/wiki/Known-vulnerabilities#cve-2023-52159

Regards,
Salvatore



Bug#1067018: lnav: FTBFS on arm{el,hf}: test failures

2024-03-17 Thread Salvatore Bonaccorso
Hi Sebastian,

On Sat, Mar 16, 2024 at 11:34:23PM +0100, Sebastian Ramacher wrote:
> Source: lnav
> Version: 0.11.2-1
> Severity: serious
> Tags: ftbfs
> Justification: fails to build from source (but built successfully in the past)
> X-Debbugs-Cc: sramac...@debian.org
> 
> https://buildd.debian.org/status/fetch.php?pkg=lnav=armhf=0.11.2-1%2Bb1=1710618595=0
> 
> 
> 2024-03-16T19:49:36+00:00 
> ␛[0;35m=␛[0m
> ␛[0;35mCommand␛[0m: test: env TEST_COMMENT=parse_url1 ./drive_sql
> ␛[0;32mBEGIN␛[0m 
> test_sql_str_func.sh_b088735cf46f23ca3d5fb3da41f07a6a3b1cba35.out
> ␛[0;32mEND␛[0m   
> test_sql_str_func.sh_b088735cf46f23ca3d5fb3da41f07a6a3b1cba35.out
> OUT: test: env TEST_COMMENT=parse_url1 ./drive_sql
> --- 
> /<>/test/expected/test_sql_str_func.sh_b088735cf46f23ca3d5fb3da41f07a6a3b1cba35.out
>   2023-07-03 04:16:02.0 +
> +++ test_sql_str_func.sh_b088735cf46f23ca3d5fb3da41f07a6a3b1cba35.out 
> 2024-03-16 19:49:36.550940820 +
> @@ -1,2 +0,0 @@
> -Row 0:
> -  Column parse_url('https://example.com'): 
> {"scheme":"https","user":null,"password":null,"host":"example.com","port":null,"path":"/","query":null,"parameters":null,"fragment":null}
> FAIL! EXPECTED OUT DIFF
> ␛[0;31mBEGIN␛[0m 
> test_sql_str_func.sh_b088735cf46f23ca3d5fb3da41f07a6a3b1cba35.err
> error: sqlite3_exec failed -- misuse of sqlite3_result_subtype() by 
> parse_url()
> ␛[0;31mEND␛[0m   
> test_sql_str_func.sh_b088735cf46f23ca3d5fb3da41f07a6a3b1cba35.err
> ERR: test: env TEST_COMMENT=parse_url1 ./drive_sql
> --- 
> /<>/test/expected/test_sql_str_func.sh_b088735cf46f23ca3d5fb3da41f07a6a3b1cba35.err
>   2023-07-03 04:16:02.0 +
> +++ test_sql_str_func.sh_b088735cf46f23ca3d5fb3da41f07a6a3b1cba35.err 
> 2024-03-16 19:49:36.558940841 +
> @@ -0,0 +1 @@
> +error: sqlite3_exec failed -- misuse of sqlite3_result_subtype() by 
> parse_url()
> FAIL! EXPECTED ERR DIFF
> 
> 2024-03-16T19:49:36+00:00 
> ␛[0;35m=␛[0m
> ␛[0;35mCommand␛[0m: test: env TEST_COMMENT=parse_url2 ./drive_sql
> ␛[0;32mBEGIN␛[0m 
> test_sql_str_func.sh_0947bfe7ec626eaa0409a45b10fcbb634fb12eb7.out
> ␛[0;32mEND␛[0m   
> test_sql_str_func.sh_0947bfe7ec626eaa0409a45b10fcbb634fb12eb7.out
> OUT: test: env TEST_COMMENT=parse_url2 ./drive_sql
> --- 
> /<>/test/expected/test_sql_str_func.sh_0947bfe7ec626eaa0409a45b10fcbb634fb12eb7.out
>   2023-07-03 04:16:02.0 +
> +++ test_sql_str_func.sh_0947bfe7ec626eaa0409a45b10fcbb634fb12eb7.out 
> 2024-03-16 19:49:36.662941118 +
> @@ -1,2 +0,0 @@
> -Row 0:
> -  Column parse_url('https://example.com/'): 
> {"scheme":"https","user":null,"password":null,"host":"example.com","port":null,"path":"/","query":null,"parameters":null,"fragment":null}
> FAIL! EXPECTED OUT DIFF
> ␛[0;31mBEGIN␛[0m 
> test_sql_str_func.sh_0947bfe7ec626eaa0409a45b10fcbb634fb12eb7.err
> error: sqlite3_exec failed -- misuse of sqlite3_result_subtype() by 
> parse_url()
> ␛[0;31mEND␛[0m   
> test_sql_str_func.sh_0947bfe7ec626eaa0409a45b10fcbb634fb12eb7.err
> ERR: test: env TEST_COMMENT=parse_url2 ./drive_sql
> --- 
> /<>/test/expected/test_sql_str_func.sh_0947bfe7ec626eaa0409a45b10fcbb634fb12eb7.err
>   2023-07-03 04:16:02.0 +
> +++ test_sql_str_func.sh_0947bfe7ec626eaa0409a45b10fcbb634fb12eb7.err 
> 2024-03-16 19:49:36.674941150 +
> @@ -0,0 +1 @@
> +error: sqlite3_exec failed -- misuse of sqlite3_result_subtype() by 
> parse_url()
> FAIL! EXPECTED ERR DIFF
> 
> 2024-03-16T19:49:36+00:00 
> ␛[0;35m=␛[0m
> ␛[0;35mCommand␛[0m: test: env TEST_COMMENT=parse_url3 ./drive_sql
> ␛[0;32mBEGIN␛[0m 
> test_sql_str_func.sh_bac7f6531a2adf70cd1871fb13eab26dff133b7c.out
> ␛[0;32mEND␛[0m   
> test_sql_str_func.sh_bac7f6531a2adf70cd1871fb13eab26dff133b7c.out
> OUT: test: env TEST_COMMENT=parse_url3 ./drive_sql
> --- 
> /<>/test/expected/test_sql_str_func.sh_bac7f6531a2adf70cd1871fb13eab26dff133b7c.out
>   2023-07-03 04:16:02.0 +
> +++ test_sql_str_func.sh_bac7f6531a2adf70cd1871fb13eab26dff133b7c.out 
> 2024-03-16 19:49:36.778941428 +
> @@ -1,2 +0,0 @@
> -Row 0:
> -  Column parse_url('https://example.com/search?flag'): 
> {"scheme":"https","user":null,"password":null,"host":"example.com","port":null,"path":"/search","query":"flag","parameters":{"flag":null},"fragment":null}
> FAIL! EXPECTED OUT DIFF
> ␛[0;31mBEGIN␛[0m 
> test_sql_str_func.sh_bac7f6531a2adf70cd1871fb13eab26dff133b7c.err
> error: sqlite3_exec failed -- misuse of sqlite3_result_subtype() by 
> parse_url()
> ␛[0;31mEND␛[0m   
> test_sql_str_func.sh_bac7f6531a2adf70cd1871fb13eab26dff133b7c.err
> ERR: test: env TEST_COMMENT=parse_url3 ./drive_sql
> --- 
> /<>/test/expected/test_sql_str_func.sh_bac7f6531a2adf70cd1871fb13eab26dff133b7c.err
>   2023-07-03 04:16:02.0 +
> +++ test_sql_str_func.sh_bac7f6531a2adf70cd1871fb13eab26dff133b7c.err 
> 2024-03-16 19:49:36.790941460 +
> @@ 

Bug#1064967: fontforge DSA (was: Re: Bug#1064967: fontforge: diff for NMU version 1:20230101~dfsg-1.1)

2024-03-16 Thread Salvatore Bonaccorso
Hi Adrian,

On Sat, Mar 16, 2024 at 12:12:01AM +0200, Adrian Bunk wrote:
> On Wed, Mar 13, 2024 at 08:39:47PM +0100, Salvatore Bonaccorso wrote:
> > Hi Adrian,
> 
> Hi Salvatore,
> 
> > On Fri, Mar 08, 2024 at 02:03:55AM +0200, Adrian Bunk wrote:
> > > Control: tags 1064967 + patch
> > > Control: tags 1064967 + pending
> > > 
> > > Dear maintainer,
> > > 
> > > I've prepared an NMU for fontforge (versioned as 1:20230101~dfsg-1.1) and
> > > uploaded it to DELAYED/2. Please feel free to tell me if I should cancel 
> > > it.
> > > 
> > > @Security team:
> > > If wanted, I could afterwards also prepare (pu or DSA) updates for 
> > > bookworm and bullseye.
> > 
> > We came to the conclusion that it warrants a DSA. Could you prepare
> > debdiffs for bookworm-security and bullseye-security?
> 
> the debdiffs are attached.
> 
> Tested on both releases with the PoCs from [1] and that opening a normal 
> compressed font still works.

Thanks for the debdiffs and providing as well the done testing
background.

Please do upload to security-master (both will need to be built with
-sa).

Regards,
Salvatore



Bug#1064967: fontforge DSA (was: Re: Bug#1064967: fontforge: diff for NMU version 1:20230101~dfsg-1.1)

2024-03-13 Thread Salvatore Bonaccorso
Hi Adrian,

On Fri, Mar 08, 2024 at 02:03:55AM +0200, Adrian Bunk wrote:
> Control: tags 1064967 + patch
> Control: tags 1064967 + pending
> 
> Dear maintainer,
> 
> I've prepared an NMU for fontforge (versioned as 1:20230101~dfsg-1.1) and
> uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it.
> 
> @Security team:
> If wanted, I could afterwards also prepare (pu or DSA) updates for 
> bookworm and bullseye.

We came to the conclusion that it warrants a DSA. Could you prepare
debdiffs for bookworm-security and bullseye-security?

Regards,
Salvatore



Bug#1066119: fastdds: CVE-2023-50716

2024-03-12 Thread Salvatore Bonaccorso
Source: fastdds
Version: 2.11.2+ds-6.1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 2.11.2+ds-6

Hi,

The following vulnerability was published for fastdds.

CVE-2023-50716[0]:
| eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation of
| the Data Distribution Service standard of the Object Management
| Group. Prior to versions 2.13.0, 2.12.2, 2.11.3, 2.10.3, and 2.6.7,
| an invalid DATA_FRAG Submessage causes a bad-free error, and the
| Fast-DDS process can be remotely terminated. If an invalid Data_Frag
| packet is sent, the `Inline_qos, SerializedPayload` member of object
| `ch` will attempt to release memory without initialization,
| resulting in a 'bad-free' error. Versions 2.13.0, 2.12.2, 2.11.3,
| 2.10.2, and 2.6.7 fix this issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-50716
https://www.cve.org/CVERecord?id=CVE-2023-50716
[1] https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-5m2f-hvj2-cx2h

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#1066108: intel-microcode: CVE-2023-43490 CVE-2023-39368 CVE-2023-38575 CVE-2023-22655 CVE-2023-28746

2024-03-12 Thread Salvatore Bonaccorso
Source: intel-microcode
Version: 3.20231114.1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 3.20231114.1~deb12u1
Control: found -1 3.20231114.1~deb11u1

Hi,

The following vulnerabilities were published for intel-microcode.

CVE-2023-43490[0], CVE-2023-39368[1], CVE-2023-38575[2],
CVE-2023-22655[3] and CVE-2023-28746[4].


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-43490
https://www.cve.org/CVERecord?id=CVE-2023-43490
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01045.html
[1] https://security-tracker.debian.org/tracker/CVE-2023-39368
https://www.cve.org/CVERecord?id=CVE-2023-39368
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00972.html
[2] https://security-tracker.debian.org/tracker/CVE-2023-38575
https://www.cve.org/CVERecord?id=CVE-2023-38575
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00982.html
[3] https://security-tracker.debian.org/tracker/CVE-2023-22655
https://www.cve.org/CVERecord?id=CVE-2023-22655
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00960.html
[4] https://security-tracker.debian.org/tracker/CVE-2023-28746
https://www.cve.org/CVERecord?id=CVE-2023-28746
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00898.html
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html

I think we should do a classical top-down approach here, let it first
go through unstable. We can decide if we want to postpone it through
the point release afterwards or go via a point release.

Regards,
Salvatore



Bug#1063484: libuv1: CVE-2024-24806

2024-03-10 Thread Salvatore Bonaccorso
Hi Dominique,

On Thu, Mar 07, 2024 at 08:58:11AM +0100, Dominique Dumont wrote:
> On Wednesday, 6 March 2024 21:07:56 CET Salvatore Bonaccorso wrote:
> > Thank you very much. Looks good to me, feel free to upload as well to
> > security-master (and build as well with -sa).
> 
> Done.

DSA 5638-1 has been released today. Thanks a lot for your
contribution!

Regards,
Salvatore



Bug#1065814: golang-github-go-jose-go-jose: CVE-2024-28180

2024-03-09 Thread Salvatore Bonaccorso
Source: golang-github-go-jose-go-jose
Version: 3.0.1-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for golang-github-go-jose-go-jose.

CVE-2024-28180[0]:
| Package jose aims to provide an implementation of the Javascript
| Object Signing and Encryption set of standards. An attacker could
| send a JWE containing compressed data that used large amounts of
| memory and CPU when decompressed by Decrypt or DecryptMulti. Those
| functions now return an error if the decompressed data would exceed
| 250kB or 10x the compressed size (whichever is larger). This
| vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28180
https://www.cve.org/CVERecord?id=CVE-2024-28180
[1] https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g
[2] https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a

Regards,
Salvatore
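The bound quoted in the CVE-2024-28180 description above (reject when the decompressed data would exceed 250kB or 10x the compressed size, whichever is larger), as an added Go example that is not go-jose's own code and not part of the original message. It assumes raw DEFLATE input and takes 250kB as 250,000 bytes; `LimitFor`, `BoundedInflate` and `Deflate` are hypothetical names, and the zero-filled inputs are constructed.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is returned when inflating would pass the allowed bound.
var ErrTooLarge = errors.New("decompressed data exceeds allowed size")

// minLimit is the 250kB floor from the advisory text, taken here as
// 250,000 bytes (assumption).
const minLimit = 250_000

// LimitFor returns the larger of 250kB and 10x the compressed size.
func LimitFor(compressedLen int) int64 {
	limit := 10 * int64(compressedLen)
	if limit < minLimit {
		limit = minLimit
	}
	return limit
}

// BoundedInflate inflates a raw DEFLATE stream but never buffers more than
// limit+1 bytes, so a small, highly compressible input cannot force a large
// allocation. Reading one byte past the limit is what distinguishes
// "exactly at the limit" from "over the limit".
func BoundedInflate(compressed []byte) ([]byte, error) {
	limit := LimitFor(len(compressed))
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()

	var out bytes.Buffer
	n, err := io.Copy(&out, io.LimitReader(r, limit+1))
	if err != nil {
		return nil, fmt.Errorf("inflate: %w", err)
	}
	if n > limit {
		return nil, ErrTooLarge
	}
	return out.Bytes(), nil
}

// Deflate builds the constructed test inputs used below.
func Deflate(plain []byte) []byte {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		panic(err)
	}
	if _, err := w.Write(plain); err != nil {
		panic(err)
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	// Constructed inputs: runs of zero bytes compress to a few hundred bytes,
	// so the 250kB floor (not the 10x factor) decides the outcome here.
	for _, size := range []int{200_000, 300_000, 10_000_000} {
		c := Deflate(make([]byte, size))
		_, err := BoundedInflate(c)
		fmt.Printf("plain=%d compressed=%d limit=%d err=%v\n",
			size, len(c), LimitFor(len(c)), err)
	}
}
```

The 10x factor only takes over once the compressed input itself is larger than 25,000 bytes; below that the fixed floor applies.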



Bug#1065320: linux-image-6.1.0-18-amd64: 6.1.0-18 kernel enters ACPI Error loop during boot & requires power cycle

2024-03-07 Thread Salvatore Bonaccorso
Control: severity -1 serious
Control: tags -1 + upstream fixed-upstream
Control: forwarded -1 
https://lore.kernel.org/regressions/zd2bsv8vsfjml...@archie.me/ 
https://bugzilla.kernel.org/show_bug.cgi?id=218531
Control: found -1 6.6.15-1
Control: found -1 6.7.4-1~exp1

Hi Lee,

On Sat, Mar 02, 2024 at 05:33:55PM +, Lee Elliott wrote:
> Package: src:linux
> Version: 6.1.76-1
> Severity: critical
> Justification: breaks the whole system
> X-Debbugs-Cc: leeejobsacco...@mail.co.uk
> 
> Dear Maintainer,
> 
>* What led up to the situation?
> 
>Trying to boot the system with the 6.1.0-18 kernel
> 
>* What exactly did you do (or not do) that was effective (or
>  ineffective)?
> 
>I tried adding 'boot_delay=1000' boot option to slow the console
>scroll rate, to enable better recording of the error messages.
> 
>I tried rebooting the previous 6.1.0-17 kernel.
> 
>* What was the outcome of this action?
> 
>After adding the 'boot_delay=1000' option the boot process
>progressed no further than "Loading initial ramdisk ..."
>(left for several minutes - required power cycle).
> 
>    The system boots successfully on the previous 6.1.0-17 kernel
> 
>* What outcome did you expect instead?
> 
>I expected the system to successfully boot.
> 
>* Additional observations
> 
>This system also normally includes 'hpet=disable' and
>'acpi_enforce_resources=lax' boot options but removing these
>made no difference.
> 
>Although I was not able to boot the system with the
>'boot_delay=1000' option and obtain clear photographs of the
>console output - the ones I've attached suffer from
>'overprinting' - it does seem clear that ACPI errors are
>being reported.
> 
>There appear to be two distinct phases to this problem.
>Initially, ACPI seems to be reporting errors for "GPE", as
>shown in the first attached photograph, but after ~10 seconds
>or so, ACPI then switches to continuously reporting an error
>for PM_TIMER, as shown in the second attached photograph. At
>this point a power cycle is required.
> 
>Purging and reinstalling the package made no difference. Atm,
>only three kernels are installed on this system but I have
>had more in the past as I normally compile my own kernels
>from the corresponding Debian source package. My own 6.1.76-1
>kernel also suffers from the same problem, whereas my own
>6.1.69-1 kernel boots and runs Ok.
> 
>Comparing the kernel configs for 6.1.0-17 and 6.1.0-18
>showed just one functional change - an additional
>Compile-time checks and compiler option, which did not seem
>relevant to this problem.

The images were missing but from the description I assume it's the
same regression as reported in

https://lore.kernel.org/regressions/zd2bsv8vsfjml...@archie.me/
https://bugzilla.kernel.org/show_bug.cgi?id=218531

It looks like a fix has landed in mainline:

https://git.kernel.org/linus/aec7d25b497ce4a8d044e9496de0aa433f7f8f06

Regards,
Salvatore



Bug#1063484: libuv1: CVE-2024-24806

2024-03-06 Thread Salvatore Bonaccorso
Hi

On Wed, Mar 06, 2024 at 07:06:55PM +0100, Dominique Dumont wrote:
> On Tuesday, 5 March 2024 22:15:50 CET Salvatore Bonaccorso wrote:
> > The debdiff for bookworm-security looks good to me. Please do upload
> > to security-master (and make sure to build with -sa as the orig
> > tarball is not yet on security-master for 1.44.2).
> 
> Done.

Thank you, builds arrived.

> > So we just need as well the bullseye-security one, as per above, can
> > you prepare this one as well.
> 
> Done. Here's the debdiff in attachment

Thank you very much. Looks good to me, feel free to upload as well to
security-master (and build as well with -sa).

Regards,
Salvatore



Bug#1063484: libuv1: CVE-2024-24806

2024-03-05 Thread Salvatore Bonaccorso
Hi Dominique,

On Sun, Mar 03, 2024 at 03:51:28PM +0100, Dominique Dumont wrote:
> On Thu, 29 Feb 2024 21:53:07 +0100 Salvatore Bonaccorso wrote:
> > libuv1 is as well affected in bullseye and it's still supported. Can
> > you have a look as well at this version? 
> 
> The same patch (with a refresh) applies to bullseye. I can also prepare an 
> upload.

The debdiff for bookworm-security looks good to me. Please do upload
to security-master (and make sure to build with -sa as the orig
tarball is not yet on security-master for 1.44.2).

So we just need as well the bullseye-security one, as per above, can
you prepare this one as well.

Regards,
Salvatore



Bug#1056253: rust-ripasso-cursive - FTBFS with rust-ripasso 0.6.4

2024-02-29 Thread Salvatore Bonaccorso
Hi Alex,

On Fri, Mar 01, 2024 at 08:26:31AM +0100, Alexander Kjäll wrote:
> Hi
> 
> I was waiting for another transition that was staged in experimental. Due
> to the quality of the different clipboard crates.
> 
> But if this blocks something I will make a temporary solution.

Thanks for the status update!

Regards,
Salvatore



Bug#1056253: rust-ripasso-cursive - FTBFS with rust-ripasso 0.6.4

2024-02-29 Thread Salvatore Bonaccorso
Hi

On Mon, Dec 11, 2023 at 07:10:22PM +0100, Alexander Kjäll wrote:
> Hi
> 
> I'm sorry for the semver breakage, the last version was a bit stressed
> out due to the security problems with libgit2 not verifying server
> signatures (that has since been fixed).
> 
> I think the best path forward might be to package the latest versions,
> I have started that but not finished yet due to some real life things
> taking all my free time lately.

Was there any progress on it (or can/should rust-ripasso-cursive be
removed from the archive)?

I'm asking because an old version of libgit2-1.5 binary package cannot
be removed from unstable, as rust-ripasso-cursive cannot be rebuilt
right now to pick up the new dependency.

Regards,
Salvatore



Bug#1063484: libuv1: CVE-2024-24806

2024-02-29 Thread Salvatore Bonaccorso
Hi Dominique,

[Adding CC to team@s.d.o]

On Tue, Feb 20, 2024 at 07:08:48PM +0100, Dominique Dumont wrote:
> Hi
> 
> On Wed, 14 Feb 2024 12:57:52 +0100 Dominique Dumont wrote:
> > I'm still pondering what should be done for stable which ships a libuv 1.44.2
> 
> I've prepared a fix for bookworm. You'll find the debdiff in attachment.
> 
> Please tell me if I can upload this package to bookworm-security.

Thanks for preparing the update, I will try to have a look at the
debdiff in the next days.

libuv1 is as well affected in bullseye and it's still supported. Can
you have a look as well at this version? 

Regards,
Salvatore



Bug#1064996: azure-uamqp-python: CVE-2024-27099

2024-02-28 Thread Salvatore Bonaccorso
Source: azure-uamqp-python
Version: 1.6.8-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for azure-uamqp-python.

CVE-2024-27099[0]:
| The uAMQP is a C library for AMQP 1.0 communication to Azure Cloud
| Services. When processing an incorrect `AMQP_VALUE` failed state,
| may cause a double free problem. This may cause a RCE. Update
| submodule with commit 2ca42b6e4e098af2d17e487814a91d05f6ae4987.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27099
https://www.cve.org/CVERecord?id=CVE-2024-27099
[1] https://github.com/Azure/azure-uamqp-c/security/advisories/GHSA-6rh4-fj44-v4jj

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#1064192: openrefine: CVE-2024-23833

2024-02-18 Thread Salvatore Bonaccorso
Source: openrefine
Version: 3.7.7-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for openrefine.

Markus, please adjust severity if you think grave/RC severity is not
appropriate. openrefine updates were batched previously as well just
in point release, that might be enough here as well.

CVE-2024-23833[0]:
| OpenRefine is a free, open source power tool for working with messy
| data and improving it. A jdbc attack vulnerability exists in
| OpenRefine(version<=3.7.7) where an attacker may construct a JDBC
| query which may read files on the host filesystem. Due to the newer
| MySQL driver library in the latest version of OpenRefine (8.0.30),
| there is no associated deserialization utilization point, so
| original code execution cannot be achieved, but attackers can use
| this vulnerability to read sensitive files on the target server.
| This issue has been addressed in version 3.7.8. Users are advised to
| upgrade. There are no known workarounds for this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-23833
https://www.cve.org/CVERecord?id=CVE-2024-23833
[1] https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-6p92-qfqf-qwx4
[2] https://github.com/OpenRefine/OpenRefine/commit/41ccf574847d856e22488a7c0987ad8efa12a84a

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#1064062: iwd: CVE-2023-52161

2024-02-16 Thread Salvatore Bonaccorso
Hi,

On Fri, Feb 16, 2024 at 04:15:19PM +0100, Moritz Mühlenhoff wrote:
> Source: iwd
> X-Debbugs-CC: t...@security.debian.org
> Severity: grave
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for iwd.
> 
> CVE-2023-52161[0]:
> https://www.top10vpn.com/research/wifi-vulnerabilities/
> 
> While this mentions a patch for wpa_supplicant, it's not obvious
> if this was reported/fixed in iwd.

The iwd commit is
https://git.kernel.org/pub/scm/network/wireless/iwd.git/commit/?id=6415420f1c92012f64063c131480ffcef58e60ca
.

Regards,
Salvatore



Bug#1063852: pdns-recursor: crafted DNSSEC records in a zone can lead to a denial of service in Recursor (CVE-2023-50387 CVE-2023-50868)

2024-02-13 Thread Salvatore Bonaccorso
Source: pdns-recursor
Version: 4.9.2-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerabilities were published for pdns-recursor.

CVE-2023-50387[0] and CVE-2023-50868[1].

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-50387
https://www.cve.org/CVERecord?id=CVE-2023-50387
[1] https://security-tracker.debian.org/tracker/CVE-2023-50868
https://www.cve.org/CVERecord?id=CVE-2023-50868
[2] https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#1063804: FTBFS: depmod: FATAL: could not search modules: No such file or directory

2024-02-12 Thread Salvatore Bonaccorso
Hi Bastian,

On Mon, Feb 12, 2024 at 10:16:21PM +0100, Bastian Blank wrote:
> On Mon, Feb 12, 2024 at 10:09:41PM +0100, Salvatore Bonaccorso wrote:
> > kernel-wedge copy-modules 6.6.15 amd64 6.6.15-amd64
> > depmod: ERROR: could not open directory 
> > /<>/debian/linux-image-6.6.15-amd64/usr/lib/modules/6.6.15-amd64:
> >  No such file or directory
> 
> I would say depmod changed the API from /lib/modules to
> /usr/lib/modules.  Re-assign?

Ah right, the last upload of kmod changed to use:

--with-module-directory=/usr/lib/modules

Looping in Marco for comments.

Regards,
Salvatore



Bug#1063804: FTBFS: depmod: FATAL: could not search modules: No such file or directory

2024-02-12 Thread Salvatore Bonaccorso
Source: linux-signed-amd64
Version: 6.6.15+2
Severity: serious
Justification: FTBFS
X-Debbugs-Cc: car...@debian.org, wa...@debian.org, k...@debian.org

The linux-signed-amd64 (and arm64 one) currently FTBFS (only filing
one for amd64, as the same for arm64):

https://buildd.debian.org/status/fetch.php?pkg=linux-signed-amd64=amd64=6.6.15%2B2=1707701442=0

[...]
dh_builddeb -- -Zxz
dpkg-deb: building package 'linux-image-6.6.15-amd64' in 
'../linux-image-6.6.15-amd64_6.6.15-2_amd64.deb'.
make[2]: Leaving directory '/<>'
/usr/bin/make -f debian/rules.real binary_installer ABINAME='6.6.15' 
ARCH='amd64' COMPILER='gcc-13' DESTDIR='/<>/debian/tmp' 
DH_OPTIONS='-pacpi-modules-6.6.15-amd64-di -pata-modules-6.6.15-amd64-di 
-pbtrfs-modules-6.6.15-amd64-di -pcdrom-core-modules-6.6.15-amd64-di 
-pcrc-modules-6.6.15-amd64-di -pcrypto-dm-modules-6.6.15-amd64-di 
-pcrypto-modules-6.6.15-amd64-di -pefi-modules-6.6.15-amd64-di 
-pevent-modules-6.6.15-amd64-di -pext4-modules-6.6.15-amd64-di 
-pf2fs-modules-6.6.15-amd64-di -pfat-modules-6.6.15-amd64-di 
-pfb-modules-6.6.15-amd64-di -pfirewire-core-modules-6.6.15-amd64-di 
-pi2c-modules-6.6.15-amd64-di -pinput-modules-6.6.15-amd64-di 
-pisofs-modules-6.6.15-amd64-di -pjfs-modules-6.6.15-amd64-di 
-pkernel-image-6.6.15-amd64-di -ploop-modules-6.6.15-amd64-di 
-pmd-modules-6.6.15-amd64-di -pmmc-core-modules-6.6.15-amd64-di 
-pmmc-modules-6.6.15-amd64-di -pmouse-modules-6.6.15-amd64-di 
-pmtd-core-modules-6.6.15-amd64-di -pmultipath-modules-6.6.15-amd64-di 
-pnbd-modules-6.6.15-amd64-di -pnic-modules-6.6.15-amd64-di 
-pnic-pcmcia-modules-6.6.15-amd64-di -pnic-shared-modules-6.6.15-amd64-di 
-pnic-usb-modules-6.6.15-amd64-di -pnic-wireless-modules-6.6.15-amd64-di 
-ppata-modules-6.6.15-amd64-di -ppcmcia-modules-6.6.15-amd64-di 
-ppcmcia-storage-modules-6.6.15-amd64-di --modules-6.6.15-amd64-di 
-prfkill-modules-6.6.15-amd64-di -psata-modules-6.6.15-amd64-di 
-pscsi-core-modules-6.6.15-amd64-di -pscsi-modules-6.6.15-amd64-di 
-pscsi-nic-modules-6.6.15-amd64-di -pserial-modules-6.6.15-amd64-di 
-psound-modules-6.6.15-amd64-di -pspeakup-modules-6.6.15-amd64-di 
-psquashfs-modules-6.6.15-amd64-di -pudf-modules-6.6.15-amd64-di 
-puinput-modules-6.6.15-amd64-di -pusb-modules-6.6.15-amd64-di 
-pusb-serial-modules-6.6.15-amd64-di -pusb-storage-modules-6.6.15-amd64-di 
-pxfs-modules-6.6.15-amd64-di' FEATURESET='none' FLAVOUR='amd64' 
IMAGE_FILE='arch/x86/boot/bzImage' IMAGE_INSTALL_STEM='vmlinuz' 
IMAGE_PACKAGE_NAME='kernel-image-6.6.15-amd64-di' KCONFIG='debian/config/config 
debian/config/kernelarch-x86/config debian/config/amd64/config' 
KCONFIG_OPTIONS=' -o "BUILD_SALT=\"6.6.15-amd64\""' KERNEL_ARCH='x86' 
LOCALVERSION='-amd64' LOCALVERSION_HEADERS='' LOCALVERSION_IMAGE='-amd64' 
SOURCEVERSION='6.6.15-2' SOURCE_BASENAME='linux' SOURCE_SUFFIX='' 
UPSTREAMVERSION='6.6' VDSO='True' VERSION='6.6'
make[2]: Entering directory '/<>'
dh_testroot
dh_prep
dh_installdirs
DH_OPTIONS="-pkernel-image-6.6.15-amd64-di 
--sourcedir=debian/linux-image-6.6.15-amd64" dh_install 
boot/vmlinuz-6.6.15-amd64
DH_OPTIONS="-pkernel-image-6.6.15-amd64-di 
--sourcedir=debian/linux-image-6.6.15-amd64" dh_install 
lib/modules/6.6.15-amd64/modules.builtin
DH_OPTIONS="-pkernel-image-6.6.15-amd64-di 
--sourcedir=debian/linux-image-6.6.15-amd64" dh_install 
lib/modules/6.6.15-amd64/modules.order
kernel-wedge copy-modules 6.6.15 amd64 6.6.15-amd64
depmod: ERROR: could not open directory 
/<>/debian/linux-image-6.6.15-amd64/usr/lib/modules/6.6.15-amd64: 
No such file or directory
depmod: FATAL: could not search modules: No such file or directory
No module interdependencies found. This probably means your modules.dep is 
broken.
If this is intentional, touch /<>/debian/installer/no-modules
make[2]: *** [debian/rules.real:95: binary_installer] Error 1
make[2]: Leaving directory '/<>'
make[1]: *** [debian/rules.gen:14: binary-arch_amd64_none_amd64_installer] 
Error 2
make[1]: Leaving directory '/<>'
make: *** [debian/rules:19: binary-arch] Error 2
dpkg-buildpackage: error: debian/rules binary-arch subprocess returned exit 
status 2

Regards,
Salvatore



Bug#1063603: composer: CVE-2024-24821

2024-02-09 Thread Salvatore Bonaccorso
Source: composer
Version: 2.6.6-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for composer.

CVE-2024-24821[0]:
| Composer is a dependency Manager for the PHP language. In affected
| versions several files within the local working directory are
| included during the invocation of Composer and in the context of the
| executing user. As such, under certain conditions arbitrary code
| execution may lead to local privilege escalation, provide lateral
| user movement or malicious code execution when Composer is invoked
| within a directory with tampered files. All Composer CLI commands
| are affected, including composer.phar's self-update. The following
| scenarios are of high risk: Composer being run with sudo, Pipelines
| which may execute Composer on untrusted projects, Shared
| environments with developers who run Composer individually on the
| same project. This vulnerability has been addressed in versions
| 2.7.0 and 2.2.23. It is advised that the patched versions are
| applied at the earliest convenience. Where not possible, the
| following should be addressed: Remove all sudo composer privileges
| for all users to mitigate root privilege escalation, and avoid
| running Composer within an untrusted directory, or if needed, verify
| that the contents of `vendor/composer/InstalledVersions.php` and
| `vendor/composer/installed.php` do not include untrusted code.  A
| reset can also be done on these files by the following:```sh rm
| vendor/composer/installed.php vendor/composer/InstalledVersions.php
| composer install --no-scripts --no-plugins ```


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24821
https://www.cve.org/CVERecord?id=CVE-2024-24821
[1] https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h
[2] https://github.com/composer/composer/commit/64e4eb356b159a30c766cd1ea83450a38dc23bf5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#1063494: engrampa: CVE-2023-52138: Path traversal via crafted cpio archives in Engrampa archivers

2024-02-08 Thread Salvatore Bonaccorso
Source: engrampa
Version: 1.26.1-4
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for engrampa.

CVE-2023-52138[0]:
| Engrampa is an archive manager for the MATE environment. Engrampa is
| found to be vulnerable to a Path Traversal vulnerability that can be
| leveraged to achieve full Remote Command Execution (RCE) on the
| target. While handling CPIO archives, the Engrampa Archive manager
| follows symlink, cpio by default will follow stored symlinks while
| extracting and the Archiver will not check the symlink location,
| which leads to arbitrary file writes to unintended locations. When
| the victim extracts the archive, the attacker can craft a malicious
| cpio or ISO archive to achieve RCE on the target system. This
| vulnerability was fixed in commit 63d5dfa.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-52138
https://www.cve.org/CVERecord?id=CVE-2023-52138
[1] https://github.com/mate-desktop/engrampa/commit/63d5dfa9005c6b16d0f0ccd888cc859fca78f970
[2] https://github.com/mate-desktop/engrampa/security/advisories/GHSA-c98h-v39w-3r7v

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
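The missing check named in the CVE-2023-52138 description above (the symlink location is not validated before later members are written through it), as an added Go example that is not Engrampa's or cpio's code and not part of the original message. It works on a listing of archive members before anything is extracted; `Entry`, `Finding`, `Audit`, the destination `/srv/extract` and the sample listing are hypothetical, and only symlinks created by the archive itself are modelled, not ones already on disk.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Entry is one archive member as read from the listing (constructed model).
type Entry struct {
	Name   string // path stored in the archive
	Target string // symlink target; empty for files and directories
}

// Finding names a member that must not be extracted as-is.
type Finding struct {
	Name, Reason, Lands string
}

const maxHops = 32 // bound on symlink hops, guards against link loops

func inside(dest, p string) bool {
	return p == dest || strings.HasPrefix(p, dest+"/")
}

// walk resolves p starting at cur, one component at a time, following any
// symlink that an earlier archive member created. cur is always a fully
// resolved path, so handling ".." lexically is correct.
func walk(cur, p string, links map[string]string, hops *int) (string, bool) {
	if strings.HasPrefix(p, "/") {
		cur = "/"
	}
	for _, comp := range strings.Split(p, "/") {
		if comp == "" || comp == "." {
			continue
		}
		cur = path.Join(cur, comp)
		if t, ok := links[cur]; ok {
			*hops++
			if *hops > maxHops {
				return cur, false
			}
			var good bool
			if cur, good = walk(path.Dir(cur), t, links, hops); !good {
				return cur, false
			}
		}
	}
	return cur, true
}

// Audit replays the listing in archive order and reports every symlink that
// points outside dest and every member that would be written outside dest.
func Audit(dest string, entries []Entry) []Finding {
	dest = path.Clean(dest)
	links := map[string]string{}
	var out []Finding
	for _, e := range entries {
		hops := 0
		name := path.Clean(e.Name)
		if e.Target != "" {
			// The link itself is created in its resolved parent directory.
			dir, ok := walk(dest, path.Dir(name), links, &hops)
			loc := path.Join(dir, path.Base(name))
			if !ok || !inside(dest, loc) {
				out = append(out, Finding{e.Name, "write-outside", loc})
				continue
			}
			links[loc] = e.Target // model an extractor that does not check
			tgt, ok := walk(dir, e.Target, links, &hops)
			if !ok || !inside(dest, tgt) {
				out = append(out, Finding{e.Name, "symlink-outside", tgt})
			}
			continue
		}
		loc, ok := walk(dest, name, links, &hops)
		if !ok || !inside(dest, loc) {
			out = append(out, Finding{e.Name, "write-outside", loc})
		}
	}
	return out
}

// sampleEntries is a constructed listing, not taken from any real archive.
func sampleEntries() []Entry {
	return []Entry{
		{"docs/readme.txt", ""},
		{"docs/latest", "readme.txt"}, // link that stays inside dest
		{"cfg", "/var/tmp/outside"},   // link that leaves dest
		{"cfg/settings.ini", ""},      // written through the link above
		{"../sibling.txt", ""},        // plain ".." traversal
	}
}

func main() {
	for _, f := range Audit("/srv/extract", sampleEntries()) {
		fmt.Printf("%-18s %-16s -> %s\n", f.Name, f.Reason, f.Lands)
	}
}
```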



Bug#1063484: libuv1: CVE-2024-24806

2024-02-08 Thread Salvatore Bonaccorso
Source: libuv1
Version: 1.46.0-3
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for libuv1.

CVE-2024-24806[0]:
| libuv is a multi-platform support library with a focus on
| asynchronous I/O. The `uv_getaddrinfo` function in
| `src/unix/getaddrinfo.c` (and its windows counterpart
| `src/win/getaddrinfo.c`), truncates hostnames to 256 characters
| before calling `getaddrinfo`. This behavior can be exploited to
| create addresses like `0x7f01`, which are considered valid
| by `getaddrinfo` and could allow an attacker to craft payloads that
| resolve to unintended IP addresses, bypassing developer checks. The
| vulnerability arises due to how the `hostname_ascii` variable (with
| a length of 256 bytes) is handled in `uv_getaddrinfo` and
| subsequently in `uv__idna_toascii`. When the hostname exceeds 256
| characters, it gets truncated without a terminating null byte. As a
| result attackers may be able to access internal APIs or for websites
| (similar to MySpace) that allows users to have
| `username.example.com` pages. Internal services that crawl or cache
| these user pages can be exposed to SSRF attacks if a malicious user
| chooses a long vulnerable username. This issue has been addressed in
| release version 1.48.0. Users are advised to upgrade. There are no
| known workarounds for this vulnerability.

Note, that the advisory at [1] mentions that affected versions are
only > 1.45.x. Looking at the git changes, is it not introduced after
6dd44caa35b4 ("unix,win: support IDNA 2008 in uv_getaddrinfo()") in
v1.24.0?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24806
https://www.cve.org/CVERecord?id=CVE-2024-24806
[1] https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#1063422: linux-image-6.1.0-18-amd64: F2FS rw mount at boot fails with "invalid zstd compress level: 6"

2024-02-07 Thread Salvatore Bonaccorso
Control: tags -1 + upstream
Control: severity -1 important

Hi

On Wed, Feb 07, 2024 at 10:43:47PM -0500, Dhya wrote:
> Package: src:linux
> Version: 6.1.76-1
> Severity: critical
> Justification: breaks the whole system
> 
> Dear Maintainer,
> 
> After upgrade to linux-image-6.1.0-18-amd64 6.1.76-1 F2FS filesystem
> fails to mount rw.  Message in the boot journal:
> 
>   kernel: F2FS-fs (nvme0n1p6): invalid zstd compress level: 6
> 
> There was recently an f2fs patch to the 6.1 kernel tree which might be
> related: https://www.spinics.net/lists/stable-commits/msg329957.html
> 
> Was able to recover the system by doing:
> 
> sudo mount -o 
> remount,rw,relatime,lazytime,background_gc=on,discard,no_heap,user_xattr,inline_xattr,acl,inline_data,inline_dentry,extent_cache,mode=adaptive,active_logs=6,alloc_mode=default,checkpoint_merge,fsync_mode=posix,compress_algorithm=lz4,compress_log_size=2,compress_mode=fs,atgc,discard_unit=block,memory=normal
>  /dev/nvme0n1p6 /
> 
> under the running bad 6.1.0-18-amd64 kernel, then editing
> /etc/default/grub:
> 
>   GRUB_DEFAULT="Advanced options for Debian GNU/Linux>Debian GNU/Linux, with 
> Linux 6.1.0-17-amd64"
> 
> and running 'update-grub' and rebooting to boot the 6.1.0-17-amd64
> kernel.

Thanks for the report. Can you please report your finding upstream and
keep this downstream report in the loop as well please?

Regards,
Salvatore



Bug#1063416: libgit2: CVE-2024-24577: Arbitrary code execution due to heap corruption in `git_index_add`

2024-02-07 Thread Salvatore Bonaccorso
Source: libgit2
Version: 1.7.1+ds-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 1.5.1+ds-1
Control: found -1 1.1.0+dfsg.1-4+deb11u1
Control: found -1 1.1.0+dfsg.1-4

Hi,

The following vulnerability was published for libgit2.

CVE-2024-24577[0]:
| libgit2 is a portable C implementation of the Git core methods
| provided as a linkable library with a solid API, allowing to build
| Git functionality into your application. Using well-crafted inputs
| to `git_index_add` can cause heap corruption that could be leveraged
| for arbitrary code execution. There is an issue in the
| `has_dir_name` function in `src/libgit2/index.c`, which frees an
| entry that should not be freed. The freed entry is later used and
| overwritten with potentially bad actor-controlled data leading to
| controlled heap corruption. Depending on the application that uses
| libgit2, this could lead to arbitrary code execution. This issue has
| been patched in version 1.6.5 and 1.7.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24577
https://www.cve.org/CVERecord?id=CVE-2024-24577
[1] https://github.com/libgit2/libgit2/security/advisories/GHSA-j2v7-4f6v-gpg8
[2] https://github.com/libgit2/libgit2/commit/eb4c1716cd92bf56f2770653a915d5fc01eab8f3
[3] https://github.com/libgit2/libgit2/commit/487af0cf6687dc48b0a960fa2f39894e2d84d77b

Regards,
Salvatore



Bug#1063020: linux: documentation build failure: Sphinx parallel build error: UnboundLocalError: cannot access local variable 'fname' where it is not associated with a value

2024-02-04 Thread Salvatore Bonaccorso
Interestingly and unfortunately my local test now fails in a different
way. So first sorting that out. The xmldocs build hangs instead now.

Regards,
Salvatore



Bug#1063020: linux: documentation build failure: Sphinx parallel build error: UnboundLocalError: cannot access local variable 'fname' where it is not associated with a value

2024-02-04 Thread Salvatore Bonaccorso
Source: linux
Version: 6.6.15-1
Severity: serious
Justification: FTBFS
X-Debbugs-Cc: car...@debian.org

The build for arch:all package FTBFS due to a problem in the
documentation build:

reading sources... [ 98%] userspace-api/media/v4l/vidioc-g-frequency .. 
virt/kvm/devices/vfio
/<>/debian/build/build-doc/Documentation/translations/zh_TW/dev-tools/index.rst:21:
 WARNING: toctree contains reference to nonexisting document 
'translations/zh_TW/dev-tools/sparse'
/<>/debian/build/build-doc/Documentation/driver-api/usb/usb:164: 
./drivers/usb/core/message.c:968: WARNING: Duplicate C declaration, also 
defined at driver-api/usb/gadget:793.
Declaration is '.. c:function:: int usb_string (struct usb_device *dev, int 
index, char *buf, size_t size)'.
/<>/debian/build/build-doc/Documentation/driver-api/usb/usb.rst:968:
 WARNING: Duplicate C declaration, also defined at driver-api/usb/gadget:793.
Declaration is '.. c:struct:: usb_string'.
/<>/debian/build/build-doc/Documentation/driver-api/miscellaneous:47:
 ./drivers/pwm/core.c:548: WARNING: Duplicate C declaration, also defined at 
driver-api/miscellaneous:240.
Declaration is '.. c:function:: int pwm_capture (struct pwm_device *pwm, struct 
pwm_capture *result, unsigned long timeout)'.
/<>/debian/build/build-doc/Documentation/driver-api/80211/cfg80211:48:
 ./include/net/cfg80211.h:7273: WARNING: Duplicate C declaration, also defined 
at driver-api/80211/cfg80211:7234.
Declaration is '.. c:function:: void cfg80211_rx_assoc_resp (struct net_device 
*dev, struct cfg80211_rx_assoc_resp *data)'.
/<>/debian/build/build-doc/Documentation/driver-api/80211/mac80211:109:
 ./include/net/mac80211.h:5169: WARNING: Duplicate C declaration, also defined 
at driver-api/80211/mac80211:1116.
Declaration is '.. c:function:: void ieee80211_tx_status (struct ieee80211_hw 
*hw, struct sk_buff *skb)'.
/<>/debian/build/build-doc/Documentation/gpu/drm-kms:360: 
./drivers/gpu/drm/drm_fourcc.c:336: WARNING: Duplicate C declaration, also 
defined at gpu/drm-kms:38.
Declaration is '.. c:function:: const struct drm_format_info * drm_format_info 
(u32 format)'.
/<>/debian/build/build-doc/Documentation/gpu/drm-kms:459: 
./drivers/gpu/drm/drm_modeset_lock.c:392: WARNING: Duplicate C declaration, 
also defined at gpu/drm-kms:49.
Declaration is '.. c:function:: int drm_modeset_lock (struct drm_modeset_lock 
*lock, struct drm_modeset_acquire_ctx *ctx)'.
/<>/debian/build/build-doc/Documentation/gpu/drm-uapi:357: 
./drivers/gpu/drm/drm_ioctl.c:928: WARNING: Duplicate C declaration, also 
defined at gpu/drm-uapi:70.
Declaration is '.. c:function:: bool drm_ioctl_flags (unsigned int nr, unsigned 
int *flags)'.

Sphinx parallel build error:
UnboundLocalError: cannot access local variable 'fname' where it is not 
associated with a value
make[5]: *** [Documentation/Makefile:148: xmldocs] Error 2
make[4]: *** [/<>/debian/build/build-doc/Makefile:1722: xmldocs] 
Error 2
make[3]: *** [Makefile:246: __sub-make] Error 2
make[3]: Leaving directory '/<>/debian/build/build-doc'
make[2]: *** [debian/rules.real:209: debian/stamps/build-doc] Error 2
make[2]: Leaving directory '/<>'
make[1]: *** [debian/rules.gen:1955: build-indep_doc] Error 2
make[1]: Leaving directory '/<>'
make: *** [debian/rules:66: build-indep] Error 2
dpkg-buildpackage: error: debian/rules binary-indep subprocess returned exit 
status 2

Trying to look into it ASAP.

Regards,
Salvatore



Bug#1058720: slurm-wlm: CVE-2023-49933 CVE-2023-49935 CVE-2023-49936 CVE-2023-49937 CVE-2023-49938

2024-02-03 Thread Salvatore Bonaccorso
Ciao Gennaro,

On Sat, Feb 03, 2024 at 12:28:24PM +0100, Gennaro Oliva wrote:
> Ciao Salvatore,
> 
> On Sun, Jan 28, 2024 at 11:37:34AM +0100, Salvatore Bonaccorso wrote:
> > Reviewing your uploaded changes, the changelog mentions
> > CVE-2023-49935, but believe this was not affecting 22.05.8.  Let's
> > still release with that in the changelog, the security-tracker should
> > be already correct on that.
> 
> Sorry about that, I also forgot to build and upload the contrib package
> (check #1062264) I have uploaded at the same url and attached the debdiff.
> 
> https://people.debian.org/~oliva/slurm-wlm-22.05.8-4+deb12u2

Right I see we should have handled this similarly to DSA 5529-1. If
you have tested the update then please do update. I think we should
drop the CVE-2023-49935 reference here as well?

> > Do you have any progress for unstable/trixie so we do not have a
> > regression once after the DSA is released?
> 
> I'm working on it this week end. It is a major release upgrade. I hope
> to release it at the beginning of next week.

Ok!

Regards,
Salvatore



Bug#1062532: Accepted runc 1.1.12+ds1-1 (source) into unstable

2024-02-02 Thread Salvatore Bonaccorso
Source: runc
Source-Version: 1.1.12+ds1-1
Control: fixed 1062532 1.0.0~rc93+ds1-5+deb11u3
Control: fixed 1062532 1.1.5+ds1-1+deb12u1

This fixes #1062532. Adding as well the fixed version for the pending
runc update via bullseye-security and bookworm-security.

- Forwarded message from Debian FTP Masters -

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 02 Feb 2024 21:20:26 +0800
Source: runc
Architecture: source
Version: 1.1.12+ds1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team 
Changed-By: Shengjing Zhu 
Changes:
 runc (1.1.12+ds1-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version 1.1.12+ds1
 + CVE-2024-21626: several container breakouts due to internally leaked fds


- End forwarded message -



Bug#1062532: runc: CVE-2024-21626

2024-02-01 Thread Salvatore Bonaccorso
Source: runc
Version: 1.1.10+ds1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for runc.

CVE-2024-21626[0]:
| runc is a CLI tool for spawning and running containers on Linux
| according to the OCI specification. In runc 1.1.11 and earlier, due
| to an internal file descriptor leak, an attacker could cause a
| newly-spawned container process (from runc exec) to have a working
| directory in the host filesystem namespace, allowing for a container
| escape by giving access to the host filesystem ("attack 2"). The
| same attack could be used by a malicious image to allow a container
| process to gain access to the host filesystem through runc run
| ("attack 1"). Variants of attacks 1 and 2 could also be used to
| overwrite semi-arbitrary host binaries, allowing for complete
| container escapes ("attack 3a" and "attack 3b"). runc 1.1.12
| includes patches for this issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-21626
https://www.cve.org/CVERecord?id=CVE-2024-21626
[1] https://www.openwall.com/lists/oss-security/2024/01/31/6
[2] 
https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#1058720: slurm-wlm: CVE-2023-49933 CVE-2023-49935 CVE-2023-49936 CVE-2023-49937 CVE-2023-49938

2024-01-28 Thread Salvatore Bonaccorso
Hi Gennaro,

On Sat, Dec 30, 2023 at 10:55:32PM +0100, Gennaro Oliva wrote:
> Dear Salvatore,
> I prepared an updated version of the slurm-wlm package for bookworm in
> response to CVE-2023-49933/49935/49936/49937/49938
> 
> The package can be found here:
> 
> https://people.debian.org/~oliva/slurm-wlm-22.05.8-4+deb12u2
> 
> debdiff attached.
> 
> A new package for sid is under preparation.
> 
> Please let me know if I can be of any further help.
> 
> I take this opportunity to wish you and to all the security team members
> a successful and prosperous new year.

Reviewing your uploaded changes, the changelog mentions
CVE-2023-49935, but believe this was not affecting 22.05.8.  Let's
still release with that in the changelog, the security-tracker should
be already correct on that.

Do you have any progress for unstable/trixie so we do not have a
regression once after the DSA is released?

Regards,
Salvatore



Bug#1060052: Status?

2024-01-27 Thread Salvatore Bonaccorso
Hi,

On Thu, Jan 25, 2024 at 02:55:52AM +, Dennis Haney wrote:
> Can we please get a new release of a stable kernel?
> This keeps crashing our machines, and it is a pain manually updating
> to the 6.5 kernel on all of them.

A fix for this issue will be released with the upcoming point releases
scheduled on 10th of February as per
https://lists.debian.org/debian-release/2024/01/msg00399.html . The
kernel will be latest available as well one week earlier in
bookworm-proposed-updates.

Regards,
Salvatore



Bug#1061522: atril: CVE-2023-52076

2024-01-25 Thread Salvatore Bonaccorso
Source: atril
Version: 1.26.1-4
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for atril.

CVE-2023-52076[0]:
| Atril Document Viewer is the default document reader of the MATE
| desktop environment for Linux. A path traversal and arbitrary file
| write vulnerability exists in versions of Atril prior to 1.26.2.
| This vulnerability is capable of writing arbitrary files anywhere on
| the filesystem to which the user opening a crafted document has
| access. The only limitation is that this vulnerability cannot be
| exploited to overwrite existing files, but that doesn't stop an
| attacker from achieving Remote Command Execution on the target
| system. Version 1.26.2 of Atril contains a patch for this
| vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-52076
https://www.cve.org/CVERecord?id=CVE-2023-52076
[1] 
https://github.com/mate-desktop/atril/security/advisories/GHSA-6mf6-mxpc-jc37
[2] 
https://github.com/mate-desktop/atril/commit/e70b21c815418a1e6ebedf6d8d31b8477c03ba50

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#1061521: linux-image-6.6.13-amd64: 6.6.13-1 no more keyboard resuming from suspend

2024-01-25 Thread Salvatore Bonaccorso
Control: tags -1 + moreinfo

On Thu, Jan 25, 2024 at 10:01:04PM +0100, r2rien wrote:
> Package: linux-image-6.6.13-amd64
> Version: 6.6.13-1
> Severity: grave
> Justification: renders package unusable
> X-Debbugs-Cc: deb...@r2rien.net
> 
> Resuming from suspend keyboard totally unresponsive, thus no sysrq, no tty to
> the rescue, only power button.
> Stuck in gdm3 login screen,
> thus impossible to type password to unlock gnome-session
> I tagged it as grave so people with apt-listbugs could be informed

Please do provide some more information. Is this a regression from
6.6.11-1? In case yes, can you please try to bisect the changes in
upstream's 6.6.11 to 6.6.13 so we can isolate which change causes it?

When you resume from suspend, do you get anything logged in the kernel
log, can you attach it here?

Regards,
Salvatore



Bug#1061519: shim: CVE-2023-40546 CVE-2023-40547 CVE-2023-40548 CVE-2023-40549 CVE-2023-40550 CVE-2023-40551

2024-01-25 Thread Salvatore Bonaccorso
Source: shim
Version: 15.7-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 15.7-1~deb11u1

Hi,

The following vulnerabilities were published for shim.

According to [6]:

* Various CVE fixes:
  CVE-2023-40546 mok: fix LogError() invocation
  CVE-2023-40547 - avoid incorrectly trusting HTTP headers
  CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
  CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
  CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
  CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-40546
https://www.cve.org/CVERecord?id=CVE-2023-40546
[1] https://security-tracker.debian.org/tracker/CVE-2023-40547
https://www.cve.org/CVERecord?id=CVE-2023-40547
[2] https://security-tracker.debian.org/tracker/CVE-2023-40548
https://www.cve.org/CVERecord?id=CVE-2023-40548
[3] https://security-tracker.debian.org/tracker/CVE-2023-40549
https://www.cve.org/CVERecord?id=CVE-2023-40549
[4] https://security-tracker.debian.org/tracker/CVE-2023-40550
https://www.cve.org/CVERecord?id=CVE-2023-40550
[5] https://security-tracker.debian.org/tracker/CVE-2023-40551
https://www.cve.org/CVERecord?id=CVE-2023-40551
[6] https://github.com/rhboot/shim/releases/tag/15.8

Regards,
Salvatore



Bug#1061518: closing 1061518

2024-01-25 Thread Salvatore Bonaccorso
close 1061518 
thanks



Bug#1061517: closing 1061517

2024-01-25 Thread Salvatore Bonaccorso
close 1061517 
thanks



Bug#1061172: pillow: CVE-2023-50447

2024-01-20 Thread Salvatore Bonaccorso
Source: pillow
Version: 10.1.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for pillow.

CVE-2023-50447[0]:
| Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code
| Execution via the environment parameter, a different vulnerability
| than CVE-2022-22817 (which was about the expression parameter).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-50447
https://www.cve.org/CVERecord?id=CVE-2023-50447
[1] https://duartecsantos.github.io/2023-01-02-CVE-2023-50447/
[2] 
https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html#imagemath-eval-restricted-environment-keys

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#1061138: coreutils: CVE-2024-0684: heap overflow in split --line-bytes with very long lines

2024-01-18 Thread Salvatore Bonaccorso
Source: coreutils
Version: 9.4-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for coreutils.

CVE-2024-0684[0]:
| heap overflow in split --line-bytes with very long lines

Note, the severity is chosen as such to make sure the fix lands in
trixie, but is slightly overrated. If you feel strongly about it feel free to
downgrade.

The issue can be reproduced with:

{ printf '%131070s\n' ''; printf 'x\n'; printf '%131071s\n' ''; } > in
split -C 131072 ---io=131072 in

and only affects trixie and unstable version of split.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-0684
https://www.cve.org/CVERecord?id=CVE-2024-0684
[1] https://www.openwall.com/lists/oss-security/2024/01/18/2

Regards,
Salvatore



Bug#1061126: mysql-8.0: Security fixes from January 2024 CPU

2024-01-18 Thread Salvatore Bonaccorso
Source: mysql-8.0
Version: 8.0.35-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

See
https://www.oracle.com/security-alerts/cpujan2024.html#AppendixMSQL
for a list of CVEs affecting src:mysql-8.0.

Regards,
Salvatore



Bug#1060751: atril: CVE-2023-51698

2024-01-13 Thread Salvatore Bonaccorso
Source: atril
Version: 1.26.1-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for atril.

CVE-2023-51698[0]:
| Atril is a simple multi-page document viewer. Atril is vulnerable to
| a critical Command Injection Vulnerability. This vulnerability gives
| the attacker immediate access to the target system when the target
| user opens a crafted document or clicks on a crafted link/URL using
| a maliciously crafted CBT document which is a TAR archive. A patch
| is available at commit ce41df6.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-51698
https://www.cve.org/CVERecord?id=CVE-2023-51698
[1] 
https://github.com/mate-desktop/atril/security/advisories/GHSA-34rr-j8v9-v4p2
[2] 
https://github.com/mate-desktop/atril/commit/ce41df6467521ff9fd4f16514ae7d6ebb62eb1ed

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#1060005: cifs-utils: Copy file with cp, hangs with a kernel NULL pointer dereference.

2024-01-13 Thread Salvatore Bonaccorso
Hi

A fix for this issue has been queued for the 6.1.y series:

https://lore.kernel.org/stable/zajygki9o5j1u...@eldamar.lan/T/#m934ca5a14db8bcef8f24329c7edee8a3592465b2

If someone additionally might or want to test testbuilds please have a
look at:

https://people.debian.org/~carnil/tmp/linux/1060005/

The builds are signed with my key in the Debian keyring.

Regards,
Salvatore



Bug#1060701: go-git: CVE-2023-49568 CVE-2023-49569

2024-01-13 Thread Salvatore Bonaccorso
Source: golang-github-go-git-go-git
Version: 5.4.2-4
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerabilities were published for go-git.

CVE-2023-49568[0]:
| A denial of service (DoS) vulnerability was discovered in go-git
| versions prior to v5.11. This vulnerability allows an attacker to
| perform denial of service attacks by providing specially crafted
| responses from a Git server which triggers resource exhaustion in
| go-git clients.  Applications using only the in-memory filesystem
| supported by go-git are not affected by this vulnerability. This is
| a go-git implementation issue and does not affect the upstream
| git cli.


CVE-2023-49569[1]:
| A path traversal vulnerability was discovered in go-git versions
| prior to v5.11. This vulnerability allows an attacker to create and
| amend files across the filesystem. In the worst case scenario,
| remote code execution could be achieved.  Applications are only
| affected if they are using the  ChrootOS
| https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS ,
| which is the default when using "Plain" versions of Open and Clone
| funcs (e.g. PlainClone). Applications using  BoundOS
| https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS  or
| in-memory filesystems are not affected by this issue. This is a go-
| git implementation issue and does not affect the upstream git cli.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49568
https://www.cve.org/CVERecord?id=CVE-2023-49568
https://github.com/go-git/go-git/security/advisories/GHSA-mw99-9chc-xw7r
[1] https://security-tracker.debian.org/tracker/CVE-2023-49569
https://www.cve.org/CVERecord?id=CVE-2023-49569
https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.9-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled


Bug#1058887: linux-image-6.5.0-5-amd64: impossible to switch off iwlwifi adaptor

2024-01-06 Thread Salvatore Bonaccorso
Hi

The issue should be fixed with
https://git.kernel.org/linus/400f6ebbc175286576c7f7fddf3c347d09d12310
. Can you check that commit on top of the most current version in
unstable to confirm?

Regards,
Salvatore



Bug#1058720: slurm-wlm: CVE-2023-49933 CVE-2023-49935 CVE-2023-49936 CVE-2023-49937 CVE-2023-49938

2023-12-31 Thread Salvatore Bonaccorso
Hi Gennaro,

On Sat, Dec 30, 2023 at 10:55:32PM +0100, Gennaro Oliva wrote:
> Dear Salvatore,
> I prepared an updated version of the slurm-wlm package for bookworm in
> response to CVE-2023-49933/49935/49936/49937/49938
> 
> The package can be found here:
> 
> https://people.debian.org/~oliva/slurm-wlm-22.05.8-4+deb12u2
> 
> debdiff attached.
> 
> A new package for sid is under preparation.
> 
> Please let me know if I can be of any further help.

Thanks a lot. If you were able to test the version as well with the
fixes and spotted no problem, please do upload to security-master.
> 
> I take this opportunity to wish you and to all the security team members
> a successful and prosperous new year.

I wish you the very same :)

Regards,
Salvatore



Bug#1053825: Screensaver with only blank does not work after suspend

2023-12-27 Thread Salvatore Bonaccorso
Hi Klaus,

On Sat, Oct 21, 2023 at 08:34:55AM +0100, Klaus Ethgen wrote:
> Hi,
> 
> Am Do den 19. Okt 2023 um 20:46 schrieb Salvatore Bonaccorso:
> > On Thu, Oct 12, 2023 at 06:57:20AM +0100, Klaus Ethgen wrote:
> > > Package: src:linux
> > > Version: 6.5.6-1
> > > Severity: critical
> > > Tags: security
> > > X-Debbugs-Cc: Debian Security Team 
> > > 
> > > It is not fully clear for me, where exactly this bug happens. First I
> > > was thinking about xscreensaver but that package got not updated for
> > > ages. The bug happens with updates from kernel 6.4.0 to 6.5.0.
> > 
> > So you are saying this happens solely after switching from 6.4.y
> > series to 6.5.y series. Thus I assume 6.5.3-1 in testing as well
> > exposes the issue.
> 
> Might be but I cannot test that due to the other AMD display related
> bug.
> 
> > > I use xscreensaver with fvwm3 on my amd laptop. xscreensaver is set up
> > > to only blank the screen.
> 
> I first thought, that it does not happen with fvwm2 but I also see it
> with fvwm2 but not that often.
> 
> > > When I lock the screen and press a key or moving the mouse, everything
> > > is fine. But when I go to suspend to RAM after locking and waking up
> > > the laptop, the password dialog gets showed as usual but I can see the
> > > full desktop content with probably sensitive material on it. Although, I
> > > cannot interact with the desktop, it is a security break to reveal the
> > > content without authenticating.
> > > 
> > > It might be related, when I have a PSI chat window on the screen but on
> > > different desktop, it gets moved to the current one. That definitively
> > > also came with the new kernel.
> > 
> > Can you please attach as well the kernel log once you triggered the
> > behaviour? Anything suspicious logged? 
> 
> I could. But there is no hint and no unusual log entry.
> 
> > Next, can you bisect the kernel between a good known upstream version
> > and 6.5.6? Can you as well test 6.5.7 upstream to see if it fixes the
> > issue?
> 
> That would take much time to recompile kernel, test it for several hours
> and try again.

I do realize, but given we have nobody else reporting similar
behaviour we need to rely on you bisecting the breaking change so it
might be reported upstream. But that said, in meanwhile we have
6.6.8-1 uploaded to unstable. It would be great if you can report back
if that version resolves the issue.

If it's still reproducible, check first that it's as well reproducible
with an untainted kernel because otherwise an upstream report might not
be accepted.

Can you check that?

Regards,
Salvatore



Bug#1059033: asterisk: CVE-2023-49786

2023-12-19 Thread Salvatore Bonaccorso
Source: asterisk
Version: 1:20.5.0~dfsg+~cs6.13.40431414-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for asterisk.

CVE-2023-49786[0]:
| Asterisk is an open source private branch exchange and telephony
| toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1;
| as well as certified-asterisk prior to 18.9-cert6; Asterisk is
| susceptible to a DoS due to a race condition in the hello handshake
| phase of the DTLS protocol when handling DTLS-SRTP for media setup.
| This attack can be done continuously, thus denying new DTLS-SRTP
| encrypted calls during the attack. Abuse of this vulnerability may
| lead to a massive Denial of Service on vulnerable Asterisk servers
| for calls that rely on DTLS-SRTP. Commit
| d7d7764cb07c8a1872804321302ef93bf62cba05 contains a fix, which is
| part of versions 18.20.1, 20.5.1, 21.0.1, and 18.9-cert6.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49786
https://www.cve.org/CVERecord?id=CVE-2023-49786
[1] https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq
[2] 
https://github.com/asterisk/asterisk/commit/d7d7764cb07c8a1872804321302ef93bf62cba05

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#1057967: still no wifi.

2023-12-19 Thread Salvatore Bonaccorso
Hi,

On Tue, Dec 19, 2023 at 12:41:24PM +0100, Friedhelm Mehnert wrote:
> This is to report, that even with this kernel,
> 
> > 2023-12-19T11:19:09.704363+01:00 m2 kernel: [0.00] 
> > Linux version 6.1.0-16-amd64 (debian-kern
> > e...@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, 
> > GNU ld (GNU Binutils for Debian) 2.40) #1 SMP 
> > PREEMPT_DYNAMIC Debian 6.1.67-1 (2023-12-12)
> 
> the bug is NOT fixed. Wifi does not come up, when booting this kernel.
> 
> These are the relevant lines from the kernel-log:
> 
> 
> > 2023-12-19T11:19:09.706109+01:00 m2 kernel: 
> > [5.573251] SSE version of gcm_enc/dec engaged.
> > 2023-12-19T11:19:09.706110+01:00 m2 kernel: 
> > [5.671819] iwlwifi: `N' invalid for parameter `enable_ini'
> >^^
> > 2023-12-19T11:19:09.706111+01:00 m2 kernel: 
> >[5.672964] usb 1-1.6: Found UVC 1.00 device Integrated Camera (17ef:480f)

This is a misconfiguration, see some context in #1057260.

Regards,
Salvatore



Bug#1057545: bosh: FTBFS: bosh.c:453:23: error: invalid use of incomplete typedef ‘WINDOW’ {aka ‘struct _win_st’}

2023-12-16 Thread Salvatore Bonaccorso
Hi Sven,

On Sat, Dec 16, 2023 at 07:44:21PM +0100, Sven Joachim wrote:
> Control: tags -1 + patch
> 
> On 2023-12-05 23:03 +0100, Santiago Vila wrote:
> 
> > Package: src:bosh
> > Version: 0.6-11
> > Severity: serious
> > Tags: ftbfs
> >
> > Dear maintainer:
> >
> > During a rebuild of all packages in unstable, your package failed to build:
> >
> > 
> > [...]
> > gcc -DPACKAGE_NAME=\"\" -DPACKAGE_TARNAME=\"\" -DPACKAGE_VERSION=\"\" 
> > -DPACKAGE_STRING=\"\" -DPACKAGE_BUGREPORT=\"\" -DPACKAGE_URL=\"\" 
> > -DPACKAGE=\"bosh\" -DVERSION=\"0.6\" -DHAVE_STDIO_H=1 -DHAVE_STDLIB_H=1 
> > -DHAVE_STRING_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_STRINGS_H=1 
> > -DHAVE_SYS_STAT_H=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_UNISTD_H=1 -DSTDC_HEADERS=1 
> > -DHAVE_LIBNCURSES=1 -I.   -Wdate-time -D_FORTIFY_SOURCE=2  -Wall -g -O2 
> > -ffile-prefix-map=/<>=. -fstack-protector-strong 
> > -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection 
> > -c -o bosh.o bosh.c
> > In file included from bosh.c:23:
> > bosh.c: In function ‘keyhandler_readstr’:
> > bosh.c:453:23: error: invalid use of incomplete typedef ‘WINDOW’ {aka 
> > ‘struct _win_st’}
> >   453 | mvaddch(stdscr->_cury,stdscr->_curx-1,' ');
> >   |   ^~
> > bosh.c:453:37: error: invalid use of incomplete typedef ‘WINDOW’ {aka 
> > ‘struct _win_st’}
> >   453 | mvaddch(stdscr->_cury,stdscr->_curx-1,' ');
> >   | ^~
> > bosh.c:454:20: error: invalid use of incomplete typedef ‘WINDOW’ {aka 
> > ‘struct _win_st’}
> >   454 | move(stdscr->_cury,stdscr->_curx-1);
> >   |^~
> > bosh.c:454:34: error: invalid use of incomplete typedef ‘WINDOW’ {aka 
> > ‘struct _win_st’}
> >   454 | move(stdscr->_cury,stdscr->_curx-1);
> >   |  ^~
> 
> The attached patch fixes that, using the getcury()/getcurx() functions
> rather than accessing the stdscr structure directly which no longer
> works in current ncurses.  It is straightforward, but I have only tested
> that bosh builds, not if it works.

Thanks a lot for the patch!

Regards,
Salvatore



Bug#1057545: marked as pending in bosh

2023-12-16 Thread Salvatore Bonaccorso
Control: tag -1 pending

Hello,

Bug #1057545 in bosh reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/carnil/bosh/-/commit/d4ddff2fc72b3013cdffb30766bb49254bc2e3b1


Avoid accessing internal ncurses structures (fixes FTBFS)

Thanks: Sven Joachim
Closes: #1057545


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1057545



Bug#1052983: Bug#1057914: Bug#1056996: bluez: diff for NMU version 5.70-1.1~exp0

2023-12-15 Thread Salvatore Bonaccorso
Hi Nobuhiro,

On Fri, Dec 15, 2023 at 05:38:17AM +0100, Salvatore Bonaccorso wrote:
> Hi Nobuhiro
> 
> On Fri, Dec 15, 2023 at 08:37:13AM +0900, Nobuhiro Iwamatsu wrote:
> > Hi Salvatore,
> > 
> > Thanks for your work.
> > This patch looks good to me.
> > Please upload without DELAYED/2 to unstable.
> 
> Thanks for the confirmation, so I rescheduled it *but* note due to the
> UsrMerge changes it goes first to experimental, so it can be tested by
> the dumat tool from Helmut (Cc'ed).

After the ack from Helmut and the dumat check I have now uploaded to
unstable.

Regards,
Salvatore



Bug#1058721: squid: CVE-2023-50269: SQUID-2023:10: Denial of Service in HTTP Request parsing

2023-12-14 Thread Salvatore Bonaccorso
Source: squid
Version: 6.5-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for squid.

CVE-2023-50269[0]:
| Squid is a caching proxy for the Web. Due to an Uncontrolled
| Recursion bug in versions 2.6 through 2.7.STABLE9, versions 3.1
| through 5.9, and versions 6.0.1 through 6.5, Squid may be vulnerable
| to a Denial of Service attack against HTTP Request parsing. This
| problem allows a remote client to perform a Denial of Service attack
| by sending a large X-Forwarded-For header when the
| follow_x_forwarded_for feature is configured. This bug is fixed by
| Squid version 6.6. In addition, patches addressing this problem for
| the stable releases can be found in Squid's patch archives.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-50269
https://www.cve.org/CVERecord?id=CVE-2023-50269
[1] https://github.com/squid-cache/squid/security/advisories/GHSA-wgq4-4cfg-c4x3

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#1058720: slurm-wlm: CVE-2023-49933 CVE-2023-49935 CVE-2023-49936 CVE-2023-49937 CVE-2023-49938

2023-12-14 Thread Salvatore Bonaccorso
Source: slurm-wlm
Version: 23.02.6-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi Gennaro,

The following vulnerabilities were published for slurm-wlm.

CVE-2023-49933[0]:
| An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and
| 23.11.x. There is Improper Enforcement of Message Integrity During
| Transmission in a Communication Channel. This allows attackers to
| modify RPC traffic in a way that bypasses message hash checks. The
| fixed versions are 22.05.11, 23.02.7, and 23.11.1.


CVE-2023-49935[1]:
| An issue was discovered in SchedMD Slurm 23.02.x and 23.11.x. There
| is Incorrect Access Control because of a slurmd Message Integrity
| Bypass. An attacker can reuse root-level authentication tokens
| during interaction with the slurmd process. This bypasses the RPC
| message hashes that protect against undesired MUNGE credential
| reuse. The fixed versions are 23.02.7 and 23.11.1.


CVE-2023-49936[2]:
| An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and
| 23.11.x. A NULL pointer dereference leads to denial of service. The
| fixed versions are 22.05.11, 23.02.7, and 23.11.1.


CVE-2023-49937[3]:
| An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and
| 23.11.x. Because of a double free, attackers can cause a denial of
| service or possibly execute arbitrary code. The fixed versions are
| 22.05.11, 23.02.7, and 23.11.1.


CVE-2023-49938[4]:
| An issue was discovered in SchedMD Slurm 22.05.x and 23.02.x. There
| is Incorrect Access Control: an attacker can modify their extended
| group list that is used with the sbcast subsystem, and open files
| with an unauthorized set of extended groups. The fixed versions are
| 22.05.11 and 23.02.7.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49933
https://www.cve.org/CVERecord?id=CVE-2023-49933
[1] https://security-tracker.debian.org/tracker/CVE-2023-49935
https://www.cve.org/CVERecord?id=CVE-2023-49935
[2] https://security-tracker.debian.org/tracker/CVE-2023-49936
https://www.cve.org/CVERecord?id=CVE-2023-49936
[3] https://security-tracker.debian.org/tracker/CVE-2023-49937
https://www.cve.org/CVERecord?id=CVE-2023-49937
[4] https://security-tracker.debian.org/tracker/CVE-2023-49938
https://www.cve.org/CVERecord?id=CVE-2023-49938

Regards,
Salvatore



Bug#1052983: Bug#1056996: bluez: diff for NMU version 5.70-1.1~exp0

2023-12-14 Thread Salvatore Bonaccorso
Hi Nobuhiro

On Fri, Dec 15, 2023 at 08:37:13AM +0900, Nobuhiro Iwamatsu wrote:
> Hi Salvatore,
> 
> Thanks for your work.
> This patch looks good to me.
> Please upload without DELAYED/2 to unstable.

Thanks for the confirmation, so I rescheduled it *but* note due to the
UsrMerge changes it goes first to experimental, so it can be tested by
the dumat tool from Helmut (Cc'ed).

Thank you!

Regards,
Salvatore



Bug#1052983: bluez: diff for NMU version 5.70-1.1~exp0

2023-12-14 Thread Salvatore Bonaccorso
Control: tags 1052983 + pending
Control: tags 1056996 + pending
Control: tags 1057914 + patch
Control: tags 1057914 + pending


Dear maintainer,

I've prepared an NMU for bluez (versioned as 5.70-1.1~exp0) and
uploaded it to DELAYED/2 (targeting experimental to expose the
UsrMerge parts first by the dumat tool). Please feel free to tell me
if I should delay it longer.

Regards,
Salvatore
diff -Nru bluez-5.70/debian/bluez-meshd.install bluez-5.70/debian/bluez-meshd.install
--- bluez-5.70/debian/bluez-meshd.install	2023-10-24 08:17:00.0 +0200
+++ bluez-5.70/debian/bluez-meshd.install	2023-12-14 22:32:44.0 +0100
@@ -1,5 +1,5 @@
 usr/share/dbus-1/system.d/bluetooth-mesh.conf
-lib/systemd/system/bluetooth-mesh.service
+${env:deb_systemdsystemunitdir}/bluetooth-mesh.service
 usr/bin/mesh-cfgclient
 usr/bin/mesh-cfgtest
 usr/bin/meshctl
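Review bot: the replacement line `${env:deb_systemdsystemunitdir}/bluetooth-mesh.service` depends on an environment variable that nothing in the visible part of this diff sets. Please confirm that debian/rules exports deb_systemdsystemunitdir before dh_install runs and that the package's debhelper compat level supports `${env:...}` substitution in .install files; the same applies to `${env:deb_udevdir}` in debian/bluez.install.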
diff -Nru bluez-5.70/debian/bluez.install bluez-5.70/debian/bluez.install
--- bluez-5.70/debian/bluez.install	2023-10-24 08:17:00.0 +0200
+++ bluez-5.70/debian/bluez.install	2023-12-14 22:32:44.0 +0100
@@ -7,7 +7,7 @@
 usr/bin/btattach
 usr/bin/btmon
 usr/bin/hciattach
-usr/bin/hciconfig bin/
+usr/bin/hciconfig
 usr/bin/hcitool
 usr/bin/sdptool
 usr/bin/rctest
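Review bot: dropping the `bin/` destination on the `usr/bin/hciconfig` line moves the binary from /bin to /usr/bin, and the changelog records this without a bug reference. It is worth grepping the packaging (maintainer scripts, udev rules, documentation) for a hardcoded /bin/hciconfig, since that path only keeps resolving on merged-/usr systems.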
@@ -20,11 +20,11 @@
 usr/bin/mpris-proxy
 tools/btmgmt usr/bin
 tools/obexctl usr/bin
-lib/udev/hid2hci
-lib/udev/rules.d/97-hid2hci.rules
+${env:deb_udevdir}/hid2hci
+${env:deb_udevdir}/rules.d/97-hid2hci.rules
 attrib/gatttool usr/bin
 #-- for systemd
-lib/systemd/system/bluetooth.service
+${env:deb_systemdsystemunitdir}/bluetooth.service
 usr/share/dbus-1/system.d/bluetooth.conf
 usr/share/dbus-1/system-services/org.bluez.service
 usr/share/zsh/site-functions/_bluetoothctl
diff -Nru bluez-5.70/debian/changelog bluez-5.70/debian/changelog
--- bluez-5.70/debian/changelog	2023-10-24 08:17:00.0 +0200
+++ bluez-5.70/debian/changelog	2023-12-14 22:32:44.0 +0100
@@ -1,3 +1,20 @@
+bluez (5.70-1.1~exp0) experimental; urgency=medium
+
+  * Non-maintainer upload.
+
+  [ Helmut Grohne ]
+  * Fix FTBFS when systemd.pc changes systemdsystemunitdir (Closes: #1052983)
+
+  [ Chris Hofstaedtler ]
+  * Defer udev file placement to udev's pkg-config data (Closes: #1056996)
+  * Install hciconfig into /usr/bin instead of /bin
+
+  [ Salvatore Bonaccorso ]
+  * input.conf: Change default of ClassicBondedOnly (CVE-2023-45866)
+(Closes: #1057914)
+
+ -- Salvatore Bonaccorso   Thu, 14 Dec 2023 22:32:44 +0100
+
 bluez (5.70-1) unstable; urgency=medium
 
   * Update to 5.70.
diff -Nru bluez-5.70/debian/control bluez-5.70/debian/control
--- bluez-5.70/debian/control	2023-10-24 08:17:00.0 +0200
+++ bluez-5.70/debian/control	2023-12-14 22:32:44.0 +0100
@@ -18,7 +18,8 @@
python3-docutils,
udev,
check ,
-   systemd
+   systemd,
+   systemd-dev,
 Standards-Version: 4.6.1
 Rules-Requires-Root: no
 Vcs-Browser: https://salsa.debian.org/bluetooth-team/bluez
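Review bot: `systemd-dev,` is added next to `systemd,` in Build-Depends with no note on why both are needed. If the build only consumes the pkg-config data that the changelog mentions (systemd.pc and udev's pkg-config data), please say so in the changelog or drop whichever dependency is no longer required, so the build dependency set stays minimal.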
diff -Nru bluez-5.70/debian/patches/input.conf-Change-default-of-ClassicBondedOnly.patch bluez-5.70/debian/patches/input.conf-Change-default-of-ClassicBondedOnly.patch
--- bluez-5.70/debian/patches/input.conf-Change-default-of-ClassicBondedOnly.patch	1970-01-01 01:00:00.0 +0100
+++ bluez-5.70/debian/patches/input.conf-Change-default-of-ClassicBondedOnly.patch	2023-12-14 22:32:44.0 +0100
@@ -0,0 +1,52 @@
+From: Luiz Augusto von Dentz 
+Date: Tue, 10 Oct 2023 13:03:12 -0700
+Subject: input.conf: Change default of ClassicBondedOnly
+Origin: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit?id=25a471a83e02e1effb15d5a488b3f0085eaeb675
+Bug-Debian: https://bugs.debian.org/1057914
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-45866
+
+This changes the default of ClassicBondedOnly since defaulting to false
+is not inline with HID specification which mandates the of Security Mode
+4:
+
+BLUETOOTH SPECIFICATION Page 84 of 123
+Human Interface Device (HID) Profile:
+
+  5.4.3.4.2 Security Modes
+  Bluetooth HID Hosts shall use Security Mode 4 when interoperating with
+  Bluetooth HID devices that are compliant to the Bluetooth Core
+  Specification v2.1+EDR[6].
+---
+ profiles/input/device.c   | 2 +-
+ profiles/input/input.conf | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/profiles/input/device.c b/profiles/input/device.c
+index 4a50ea9921a9..4310dd192e11 100644
+--- a/profiles/input/device.c
 b/profiles/input/device.c
+@@ -81,7 +81,7 @@ struct input_device {
+ 
+ static int idle_timeout = 0;
+ static bool uhid_enabled = false;
+-static bool classic_bonded_only = false;
++static bool classic_bonded_only = true;
+ 
+ void input_set_idle_timeout(int timeout)
+ {
+diff --git a/profiles/input/input.conf b/profiles/input/input.conf
+index 4c70bc561f05..d8645f3dd664 100644
+--- a/profiles/input/input.conf
 b/profiles/input/input.conf
+@@ -17,7 +17,7 @@
+ # platforms may want
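Review bot: in the embedded upstream patch the device.c hunk flips `classic_bonded_only` from false to true, but the input.conf hunk is cut off in this mail after its first context line, so the matching change to the documented default cannot be checked here. Please make sure the shipped input.conf states the new default, and consider a debian/NEWS entry, because this changes the default behaviour for anyone who relied on the old value without setting ClassicBondedOnly explicitly.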

Bug#1055021: linux: mips64el loongson3 kernel crashes when running cmake

2023-12-13 Thread Salvatore Bonaccorso
Contol: tags -1 + fixed-upstream
Control: found -1 6.1.66-1
Control: found -1 6.5.13-1

On Sun, Oct 29, 2023 at 02:16:57PM +0100, Aurelien Jarno wrote:
> Source: linux
> Version: 5.10.197-1
> Severity: grave
> Tags: upstream patch
> X-Debbugs-Cc: d...@debian.org, debian-m...@lists.debian.org
> 
> The loongson3 flavour of the mips64el kernel crashes when running cmake:
> 
> | [ 4390.501529] do_cpu invoked from kernel context![#1]:
> | [ 4390.506483] CPU: 3 PID: 24061 Comm: iou-sqp-22284 Not tainted 
> 5.10.0-26-loongson-3 #1 Debian 5.10.197-1
> | [ 4390.515820] Hardware name: Loongson 
> Lemote-3A4000-7A-1w-V1.00-A1901/Lemote-3A4000-7A-1w-V1.00-A1901, BIOS 
> Loongson-PMON-V3.3-20201222 12/22/2020
> | [ 4390.592426] Hi : 00de
> | [ 4390.595974] Lo : d70a40ec
> | [ 4390.599532] epc : 802177c0 _save_fp+0x10/0xa0
> | [ 4390.604727] ra : 80bf925c __schedule+0x804/0xe08
> | [ 4390.610263] Status: 5400cce2 KX SX UX KERNEL EXL
> | [ 4390.614949] Cause : 102c (ExcCode 0b)
> | [ 4390.618930] PrId : 0014c004 (ICT Loongson-3)
> | [ 4390.623257] Modules linked in: asix usbnet mii sg ip6t_REJECT 
> nf_reject_ipv6 ip6table_filter ip6_tables nfnetlink_log nfnetlink 
> xt_hashlimit ipt_REJECT nf_reject_ipv4 xt_NFLOG xt_multiport xt_tcpudp 
> xt_state xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c 
> iptable_filter sch_fq tcp_bbr fuse drm drm_panel_orientation_quirks configfs 
> ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 crc32c_generic ohci_pci 
> dm_mod r8169 realtek mdio_devres ohci_hcd ehci_pci of_mdio xhci_pci xhci_hcd 
> ehci_hcd fixed_phy libphy usbcore usb_common
> | [ 4390.671116] Process iou-sqp-22284 (pid: 24061, 
> threadinfo=743a6e5b, task=63cca72a, tls=00fff0de98e0)
> | [ 4390.764017] Call Trace:
> | [ 4390.766453] [] _save_fp+0x10/0xa0
> | [ 4390.771306] [] __schedule+0x804/0xe08
> | [ 4390.776497] [] schedule+0x58/0x150
> | [ 4390.781432] [] io_sq_thread+0x550/0x578
> | [ 4390.786798] [] ret_from_kernel_thread+0x14/0x1c
> | [ 4390.792856]
> | [ 4390.794330] Code: 000c6940 05a10011   f4830b10 
> f4850b30 f4870b50 f4890b70 f48b0b90
> | [ 4390.804038]
> | [ 4411.502993] rcu: INFO: rcu_preempt self-detected stall on CPU
> | [ 4411.508728] rcu: 1-...!: (5250 ticks this GP) 
> idle=2c6/1/0x4002 softirq=1149627/1149627 fqs=4
> | [ 4411.518413] (t=5254 jiffies g=735145 q=4914963)
> | [ 4411.522999] rcu: rcu_preempt kthread starved for 5248 jiffies! g735145 
> f0x2 RCU_GP_WAIT_FQS(5) ->state=0x200 ->cpu=2
> | [ 4411.533458] rcu: Unless rcu_preempt kthread gets sufficient CPU time, 
> OOM is now expected behavior.
> | [ 4411.542535] rcu: RCU grace-period kthread stack dump:
> | [ 4411.547552] task:rcu_preempt state:R stack: 0 pid: 13 ppid: 2 
> flags:0x0010

Bug#1057967: linux/6.1.67-1 uploaded addressing #1057967 and #1057969

2023-12-12 Thread Salvatore Bonaccorso
Hi

Thanks to all for testing the test build with the one commit revert.

6.1.67-1 is now underway. I will check with stable release managers if
a SUA (update through stable-updates) can be released.

Regards,
Salvatore



Bug#1057843: linux: ext4 data corruption in 6.1.64-1

2023-12-11 Thread Salvatore Bonaccorso
As there were some questions along in this thread let me summarize
some points:

The issue affects fs/ext4 code, so no other filesystems are affected
(e.g. btrfs).

The issue affects all kernels which have the commit 91562895f803
("ext4: properly sync file size update after O_SYNC direct IO") from
6.7-rc1 (which is present in 6.6.3, 6.5.13 and 6.1.64) but when commit
936e114a245b ("iomap: update ki_pos a little later in
iomap_dio_complete") from 6.5-rc1 is missing (which was backported to
5.15.142 and 6.1.66 additionally).

The only upstream combination where that reverse and missing commit
happened was 6.1.64 and 6.1.65. 

Debian is affected as per 6.1.64-1 upload which was the kernel aimed
for 12.3 point release.

The issue affects file corruption when direct IO writes are involved.
O_DIRECT writes did not properly update current file position after
the write so data and file was getting mangled.

While this does not affect every write that ever happened on the system on an
ext4 filesystem with a broken kernel, O_DIRECT writes might be quite
common in programs trying to get high performance. It might be
argued that it is not that common, but it's not inexistent.

TTOMK, such file corruptions cannot be easily detected. Candidates to
check are every modified file written since booted with the broken
kernel 6.1.64-1.

People still not having booted into 6.1.66-1 are urged to do so.

Regards,
Salvatore



Bug#1057967: linux-image-6.1.0-15-amd64 renders my physical bookworm/gnome computer largely unusable

2023-12-11 Thread Salvatore Bonaccorso
Hi,

On Mon, Dec 11, 2023 at 01:27:07PM +0100, Kevin Price wrote:
> Thank you Salvatore!
> 
> Am 11.12.23 um 12:37 schrieb Salvatore Bonaccorso:
> > It still would be helpful if you can get to the logs of the previous
> > boot. After booting back in the working kernel, do you have anything
> > sensible logged in the previous boot log? If so can you share that
> > please?
> 
> Sure. Here's my boot.log.

I was more interested to get some information from the kernel. If you
get dmesg output that would be good, maybe the journalctl from the bug
otherwise, which will help to get more context.

> 
> The first one at "Mon Dec 11 00:54:03 CET 2023" is the faulty 6.1.0-15.
> 
> The 2nd one at "Mon Dec 11 01:13:38 CET 2023" is the working 6.1.0-13.
> 
> Need any more logfiles or testing? I intend to test
> debian-live-12.4.0-amd64-gnome.iso on my computer, IOT rule out any
> local config peculiarities, FWIW.
> 
> > I'm right now curious to find out if we see the same as
> > #1057969 and if the upstream commit db46c77f3d51 ("Revert "wifi:
> > cfg80211: fix CQM for non-range use"") in 6.1.67 upstream fixes the
> > issue.
> 
> Please let me know what kernel version you want me to test, if they're
> provided as debian binaries. I'd be glad to help, probably not only for
> my own sake. Bear with me I'm unwilling to build kernel packages myself,
> due to lack of computing resources. HTH

I have put binary packages for amd64 built in
https://people.debian.org/~carnil/tmp/linux/1057967/

*but* they are completely unofficial builds. To give assurance of
provenance I have generated a sha256sum file as well for the uploaded
files and signed it with my key in the Debian keyring.

If your personal policy allows you to install such packages please test
with those, otherwise we need you to have built your own packages.

Regards,
Salvatore



Bug#1057967: linux-image-6.1.0-15-amd64 renders my physical bookworm/gnome computer largely unusable

2023-12-11 Thread Salvatore Bonaccorso
Control: tags -1 + moreinfo

Hi Kevin,

On Mon, Dec 11, 2023 at 02:55:50AM +0100, Kevin Price wrote:
> Package: linux-image-6.1.0-15-amd64
> Version: 6.1.66-1
> Severity: critical
> Control: -1 notfound 6.1.64-1
> 
> When booting 6.1.0-15, my physical amd64/bookworm/gnome computer
> misbehaves in many ways, rendering it largely unusable. With kernels up
> to 6.1.0-13, and even briefly with the otherwise broken 6.1.0-14, all of
> this seemed fine.
> 
> Misbehavior includes, not limited to:
> 
> 1. Most actions take considerably longer than usual.
> 
> 2. The GDM greeter has an English keyboard layout, which otherwise is
> German. (Login works.)
> 
> 3. There seems to be no network connectivity. No WiFi icon. "ping
> 8.8.8.8" returns IIRC network unreachable.
> 
> 4. Launching Firefox does apparently nothing.
> 
> 5. Launching gnome-terminal does work, but some basic commands just
> freeze, such as "ip a" or "sudo dmesg". sudo hangs before prompting for
> the passphrase. At that stage, even "sudo -i", I cannot interrupt with "^C".
> 
> 6. Shutting down takes ages, with systemd waiting for a bunch of
> processes (sudo) and services to terminate, most of the latter seem to
> be somehow network-related, but you tell me which aren't.
> 
> After more than 10 min I used hard power-off, leaving my ext4 dirty, but
> being perfectly able to boot any of 6.1.0-12 through -15, with -12 and
> -13 working properly, and -15 showing the exact same misbehavior
> reproducibly.
> 
> I'll attach all I could get out of reportbug running under 6.1.0-15, and
> please let me know what further testing I may perform IOT help you.
> Please also specify whether you'd like me to do that testing under
> 6.1.0-15, in which I cannot even invoke sudo, or under 6.1.0-13, which
> will do anything fine.

It still would be helpful if you can get to the logs of the previous
boot. After booting back in the working kernel, do you have anything
sensible logged in the previous boot log? If so can you share that
please? I'm right now curious to find out if we see the same as
#1057969 and if the upstream commit db46c77f3d51 ("Revert "wifi:
cfg80211: fix CQM for non-range use"") in 6.1.67 upstream fixes the
issue.

Regards,
Salvatore



Bug#1057969: linux-image-6.1.0-15-amd64: suspend/resume broken in 6.1.66 on Lenovo Thinkpad X230

2023-12-11 Thread Salvatore Bonaccorso
Control: tags -1 + moreinfo

Hi Steve,

On Sun, Dec 10, 2023 at 07:41:15PM -0800, Steve VanDevender wrote:
> Package: src:linux
> Version: 6.1.66-1
> Severity: grave
> Tags: upstream
> Justification: renders package unusable
> 
> I would have tried to report this from the 6.1.66 kernel but once a
> suspend is attempted network access is also broken so I have had to
> reboot into a working kernel in order to report the bug.
> 
> The problem may be related to the wireless network drivers since some
> processes that can't be frozen for suspend are NetworkManager,
> wpa-supplicant, and iw.
> 
> I have included boot messages from the affected kernel through an
> attempt to suspend the system including the traces from the processes
> that seem to get wedged by an attempt to suspend.
> 
> -- Package-specific info:
> ** Kernel log: boot messages should be attached
> 2023-12-10T18:48:54.150384-08:00 glitch kernel: [0.00] microcode: 
> microcode updated early to revision 0x21, date = 2019-02-13
> 2023-12-10T18:48:54.151278-08:00 glitch kernel: [0.00] Linux version 
> 6.1.0-15-amd64 (debian-ker...@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 
> 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 
> 6.1.66-1 (2023-12-09)
> 2023-12-10T18:48:54.151283-08:00 glitch kernel: [0.00] Command line: 
> BOOT_IMAGE=/vmlinuz-6.1.0-15-amd64 root=/dev/mapper/glitch-root ro quiet
> 2023-12-10T18:48:54.151286-08:00 glitch kernel: [0.00] BIOS-provided 
> physical RAM map:
> 2023-12-10T18:48:54.151323-08:00 glitch kernel: [0.00] NX (Execute 
> Disable) protection: active
> 2023-12-10T18:48:54.151324-08:00 glitch kernel: [0.00] SMBIOS 2.7 
> present.
> 2023-12-10T18:48:54.151327-08:00 glitch kernel: [0.00] DMI: LENOVO 
> 2306CTO/2306CTO, BIOS G2ETA7WW (2.67 ) 09/09/2016
> 2023-12-10T18:48:54.151328-08:00 glitch kernel: [0.00] tsc: Fast TSC 
> calibration using PIT
> 2023-12-10T18:48:54.151329-08:00 glitch kernel: [0.00] tsc: Detected 
> 2494.294 MHz processor
> 2023-12-10T18:48:54.151330-08:00 glitch kernel: [0.001086] e820: update 
> [mem 0x-0x0fff] usable ==> reserved
> 2023-12-10T18:48:54.151331-08:00 glitch kernel: [0.001089] e820: remove 
> [mem 0x000a-0x000f] usable
> 2023-12-10T18:48:54.151332-08:00 glitch kernel: [

Bug#1057914: bluez: CVE-2023-45866

2023-12-10 Thread Salvatore Bonaccorso
Source: bluez
Version: 5.70-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for bluez.

CVE-2023-45866[0]:
| Bluetooth HID Hosts in BlueZ may permit an unauthenticated
| Peripheral role HID Device to initiate and establish an encrypted
| connection, and accept HID keyboard reports, potentially permitting
| injection of HID messages when no user interaction has occurred in
| the Central role to authorize such access. An example affected
| package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some
| cases, a CVE-2020-0556 mitigation would have already addressed this
| Bluetooth HID Hosts issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-45866
https://www.cve.org/CVERecord?id=CVE-2023-45866
[1] 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=25a471a83e02e1effb15d5a488b3f0085eaeb675

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
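
A defender-side check for the setting behind this CVE, as an added example that is not part of the original report or of BlueZ itself: it reads an input.conf and reports whether ClassicBondedOnly is effectively on, given whether the installed build carries the fix from [1] (compiled default false before the fix, true after, as in the NMU diff earlier on this page). The path /etc/bluetooth/input.conf, the function names, the status strings and the simplified key-file parsing (last assignment wins, only true/false/1/0 accepted) are assumptions of this example.

```python
"""Audit a BlueZ input.conf for the effective ClassicBondedOnly value."""
import re
import sys

# Constructed sample files for illustration, not taken from a real system.
SAMPLE_COMMENTED = """\
[General]
# Limit HID connections to bonded devices
#ClassicBondedOnly=true
IdleTimeout=30
"""
SAMPLE_DISABLED = """\
[General]
ClassicBondedOnly=false
"""

_BOOL = {"true": True, "1": True, "false": False, "0": False}
_GROUP = re.compile(r"^\[([^\[\]]+)\]$")


def explicit_setting(conf_text, group="General", key="ClassicBondedOnly"):
    """Return True/False if the key is set to a valid boolean, else None.

    Commented-out lines do not count as a setting, and an unparsable value
    is treated as unset so that the compiled default applies (assumption).
    """
    found = None
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = _GROUP.match(line)
        if header:
            current = header.group(1)
            continue
        if current != group or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip() == key:
            found = _BOOL.get(value.strip())  # last assignment wins
    return found


def audit(conf_text, build_has_fix):
    """Combine the file with the compiled default and classify the result."""
    explicit = explicit_setting(conf_text)
    # Compiled default: false before the fix, true once the fix is applied.
    effective = bool(build_has_fix) if explicit is None else explicit
    if effective:
        status = "bonded-only"
    elif explicit is False:
        status = "explicitly-disabled"
    else:
        status = "unpatched-default"
    source = "compiled default" if explicit is None else "input.conf"
    return {"effective": effective, "source": source, "status": status}


if __name__ == "__main__":
    # Usage: audit.py [path] [--build-has-fix]; the flags are this example's own.
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    path = args[0] if args else "/etc/bluetooth/input.conf"
    with open(path, encoding="utf-8") as handle:
        result = audit(handle.read(), "--build-has-fix" in sys.argv[1:])
    print(result)
    sys.exit(0 if result["effective"] else 1)
```

A host whose file only has the commented-out line is covered once the fixed package is installed; a host with an explicit `ClassicBondedOnly=false` stays exposed after the upgrade and needs the file changed.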


