Bug#1057671: cytadela: game include non free graphical assets

2023-12-07 Thread Sylvain Beucler

Hi,

I know this may come as a shock, given how often this isn't the case, 
but the contrib status is dutifully documented in the copyright file:
https://metadata.ftp-master.debian.org/changelogs//contrib/c/cytadela/cytadela_1.1.0-4_copyright 
;)


Please review and revise severity / close accordingly :)

--

All the algorithms and artwork were taken from the original with
permission from their authors. Distribution of the artwork (as a
part of the conversion) is allowed under terms of the GNU GPL.


--

This package is in the 'contrib' archive area and is not part of the
Debian GNU/Linux distribution.

The reason is that while the game data is free, there is no published
software to modify the game levels:

- .cmf and .3dg are generated from the original game's map files,
  using the 'mapconv' converter:
  http://sourceforge.net/projects/cytadela/files/mapconv/

  Those are the files we have no way to modify, either in the original
  or the converted form.  If somebody writes an editor (which should
  not be particularly difficult) the package can go in the 'main' area
  of the Debian archive.

- For reference: .far files are archives (similar to .zip files), they
  can be created and extracted using the free 'fareditor' application:
  http://cytadela.sourceforge.net/download.php
  http://sourceforge.net/projects/cytadela/files/fareditor/

  The .far archives contain textures and game fonts.

Since the game engine is made specially for these 'contrib' data, it
basically depends on them, so it goes to 'contrib' as well.  It can go
in 'main' as soon as the original data goes in 'main'.

Cheers!
Sylvain



Bug#1035875: Arbitrary code execution vulnerability in versions < 2.3

2023-06-20 Thread Sylvain Beucler

Hi,

I requested a CVE at cveform.mitre.org so we can start a discussion with 
upstream on clear grounds, and possibly involve other distros :)


From https://github.com/mtrojnar/osslsigncode/compare/2.2...2.3 there
are a lot of commits that fix memory issues, e.g.

  fix double free in msi_dirent_new()
  Fix more fuzzer errors
  etc.
so most probably there isn't a single clean patch to apply :/

We might want to just bump buster and bullseye to 2.3, there's only
one rdep AFAICS.


Cheers!
Sylvain Beucler
Debian LTS Team
(this week's Front-Desk person)



Bug#992118: squid3-dbg: uninstallable cruft package from src:squid3 in jessie-elts

2021-08-12 Thread Sylvain Beucler

Hi,

Note that jessie-elts is not part of the official Debian project, see
https://wiki.debian.org/LTS/Extended

So using Debian-specific resources (the BTS) for elts-specific issues 
may be considered an abuse.


Cheers!
Sylvain Beucler
Debian LTS Team

On Thu, 12 Aug 2021 00:17:36 +0200 Andreas Beckmann  wrote:

Package: squid3-dbg
Version: 3.4.8-6+deb8u9
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts
Control: close -1

jessie-elts has squid3-dbg 3.4.8-6+deb8u9, but src:squid3 (and therefore
the squid3 binary package, too) is already at 3.5.23-5+deb8u4 in
jessie-elts, rendering the -dbg package uninstallable. The -dbg package
is no longer built by the newer source package, leaving around some
uninstallable cruft packages.

This is probably not an actionable bug.
Its primary intention is to mark the corresponding piuparts failures as
known bugs.




Bug#961491: CVE-2020-10936: Security flaws in setuid wrappers

2020-12-14 Thread Sylvain Beucler

On 07/12/2020 12:06, Stefan Hornburg (Racke) wrote:
> On 12/7/20 10:52 AM, Sylvain Beucler wrote:
>> This high-severity issue was marked with:
>> [buster] - sympa  (Will be fixed via point release)
>>
>> Consequently I am surprised that it wasn't part of last week's Debian 10.7
>> point release.
>>
>> What happened?
>> Can we consider switching to a DSA?
>
> Yes, sorry I missed that point release. If you want a DSA, that's fine for me.


Status update: the update is ready and a debdiff was sent for approval 
to the security team 2 days ago.


Cheers!
Sylvain
diff -Nru sympa-6.2.40~dfsg/debian/changelog sympa-6.2.40~dfsg/debian/changelog
--- sympa-6.2.40~dfsg/debian/changelog	2019-01-20 16:57:14.0 +0100
+++ sympa-6.2.40~dfsg/debian/changelog	2020-12-10 14:39:54.0 +0100
@@ -1,3 +1,21 @@
+sympa (6.2.40~dfsg-1+deb10u1) buster-security; urgency=high
+
+  * Non-maintainer upload.
+  * CVE-2020-10936: Sympa allows privilege escalation through setuid
+wrappers. (Closes: #961491)
+  * CVE-2020-26932: restrict access to sympa_newaliases-wrapper (setuid
+root) to group sympa. (Closes: #971904)
+  * Ask the user whether they want/need sympa_newaliases-wrapper to
+be setuid root (CVE-2020-26880 mitigation).
+  * CVE-2020-9369: prevents creation of temporary files and email
+notifications to listmasters when encountering malformed input
+parameters. (Closes: #952428)
+  * CVE-2020-29668: Sympa allows remote attackers to obtain full SOAP API
+access by sending any arbitrary string (except one from an expired
+cookie) as the cookie value to authenticateAndRun. (Closes: #976020).
+
+ -- Sylvain Beucler   Thu, 10 Dec 2020 14:39:54 +0100
+
 sympa (6.2.40~dfsg-1) unstable; urgency=medium
 
   * New upstream release.
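Review bot: the CVE-2020-26880 mitigation entry is the only item without a `Closes:` reference; if a BTS bug tracks it, cite it so the upload closes it, and drop the extra trailing period in `(Closes: #976020).` to match the other entries.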
diff -Nru sympa-6.2.40~dfsg/debian/config sympa-6.2.40~dfsg/debian/config
--- sympa-6.2.40~dfsg/debian/config	2018-12-22 19:47:42.0 +0100
+++ sympa-6.2.40~dfsg/debian/config	2020-12-08 18:37:40.0 +0100
@@ -124,6 +124,10 @@
 db_go
 fi
 
+# Ask for sympa_newaliases-wrapper to be setuid root
+db_input high sympa/sympa_newaliases-wrapper-setuid-root || [ $? -eq 30 ]
+db_go
+
 # Ask for spool directories removal
 db_input medium wwsympa/remove_spool || [ $? -eq 30 ]
 db_go
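Review bot: `db_input high sympa/sympa_newaliases-wrapper-setuid-root` needs a matching template in debian/templates and postinst code that reads the answer and sets the wrapper's mode; neither is visible in this excerpt, so confirm both are part of the same upload. The `|| [ $? -eq 30 ]` guard only tolerates debconf's "question skipped" status (30); an unknown template returns a different error status and would still abort a config script run under `set -e`.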
diff -Nru sympa-6.2.40~dfsg/debian/patches/CVE-2020-10936.patch sympa-6.2.40~dfsg/debian/patches/CVE-2020-10936.patch
--- sympa-6.2.40~dfsg/debian/patches/CVE-2020-10936.patch	1970-01-01 01:00:00.0 +0100
+++ sympa-6.2.40~dfsg/debian/patches/CVE-2020-10936.patch	2020-12-08 19:03:59.0 +0100
@@ -0,0 +1,94 @@
+Origin: https://github.com/sympa-community/sympa/commit/3f8449c647e5ab32cf6f8837cb600c1756b6189c
+Last-Update: 2020-12-08
+Reviewed-by: Sylvain Beucler 
+
+From 3f8449c647e5ab32cf6f8837cb600c1756b6189c Mon Sep 17 00:00:00 2001
+From: IKEDA Soji 
+Date: Fri, 27 Mar 2020 21:28:18 +0900
+Subject: [PATCH] Sympa SA 2020-002 (candidate): Setuid wrappers should clear
+ environment variables to avoid exploits.
+
+---
+ src/cgi/sympa_soap_server-wrapper.fcgi.c | 7 ++-
+ src/cgi/wwsympa-wrapper.fcgi.c   | 7 ++-
+ src/libexec/sympa_newaliases-wrapper.c   | 7 ++-
+ 3 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/src/cgi/sympa_soap_server-wrapper.fcgi.c b/src/cgi/sympa_soap_server-wrapper.fcgi.c
+index f4c6a6645..435d40c6b 100644
+--- a/src/cgi/sympa_soap_server-wrapper.fcgi.c
 b/src/cgi/sympa_soap_server-wrapper.fcgi.c
+@@ -6,6 +6,9 @@
+   Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
+   2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
+   Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
++  Copyright 2020 The Sympa Community. See the AUTHORS.md
++  file at the top-level directory of this distribution and at
++  <https://github.com/sympa-community/sympa.git>.
+  
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+@@ -24,8 +27,10 @@
+ #include 
+ 
+ int main(int argn, char **argv, char **envp) {
++char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };
++
+ setreuid(geteuid(),geteuid());
+ setregid(getegid(),getegid());
+ argv[0] = SYMPASOAP;
+-return execve(SYMPASOAP,argv,envp);
++return execve(SYMPASOAP, argv, myenvp);
+ }
+diff --git a/src/cgi/wwsympa-wrapper.fcgi.c b/src/cgi/wwsympa-wrapper.fcgi.c
+index c66c7f82b..34198ecf9 100644
+--- a/src/cgi/wwsympa-wrapper.fcgi.c
 b/src/cgi/wwsympa-wrapper.fcgi.c
+@@ -6,6 +6,9 @@
+   Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
+   2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
+   Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
++  Copyright 2020 The Sympa Community. See the AUTHORS.md
++  file at the top-level directory of this distribution and at
++  <https://github.com/sympa-community/sympa.git>.
+  
+   This program is free software; you c
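Review bot: in the nested hunk for sympa_soap_server-wrapper.fcgi.c the return values of `setreuid(geteuid(),geteuid())` and `setregid(getegid(),getegid())` remain unchecked before `execve(SYMPASOAP, argv, myenvp)`; if either call fails the target still runs, with a real/effective id pairing the wrapper did not intend. Check both and exit on failure. Replacing the inherited `envp` with the fixed `myenvp` (`IFS`, `PATH`) is the right fix for this CVE; the excerpt is cut off inside wwsympa-wrapper.fcgi.c, so the same execve change in that file and in sympa_newaliases-wrapper.c (both listed in the diffstat) should be confirmed in the full debdiff.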

Bug#961491: CVE-2020-10936: Security flaws in setuid wrappers

2020-12-07 Thread Sylvain Beucler

Hi,

On Sat, 10 Oct 2020 09:45:42 +0300 "Stefan Hornburg (Racke)" wrote:
> On 10/7/20 3:03 PM, Sylvain Beucler wrote:
>> I noticed this local root escalation yesterday and I'm working on a
>> Stretch LTS update.
>> See also https://salsa.debian.org/sympa-team/sympa/-/merge_requests/1
>>
>> Are there plans to update buster?
>
> Hello Sylvain,
>
> thanks a lot for your patch!
>
> I will talk to the security team concerning buster.

This high-severity issue was marked with:
[buster] - sympa  (Will be fixed via point release)

Consequently I am surprised that it wasn't part of last week's Debian
10.7 point release.

What happened?
Can we consider switching to a DSA?

Sylvain Beucler
Debian LTS Team



Bug#961491: fixed in sympa 6.2.40~dfsg-5

2020-10-07 Thread Sylvain Beucler
Hi,

I noticed this local root escalation yesterday and I'm working on a
Stretch LTS update.
See also https://salsa.debian.org/sympa-team/sympa/-/merge_requests/1

Are there plans to update buster?

Cheers!
Sylvain



Bug#908678: Update on the security-tracker git discussion

2020-10-02 Thread Sylvain Beucler
Hi,

On Tue, 6 Aug 2019 08:28:43 +0200 Salvatore Bonaccorso wrote:
> Thanks for keeping track and following up.
> 
> On Tue, Aug 06, 2019 at 08:05:11AM +0200, Bastian Blank wrote:
> > Moin
> > 
> > On Tue, Jul 02, 2019 at 01:38:10PM +0200, Moritz Muehlenhoff wrote:
> > > On Tue, Jul 02, 2019 at 01:25:43PM +0200, Salvatore Bonaccorso wrote:
> > > > p.s.: Question is if we should do a split as well for the other types of
> > > >   files which are supported (DSA, TDSA, ...) while at it.
> > > We can axe out DTSA/* while we're at it.
> > > For DSA/list (and DLA/list) we can initially keep it as a single file, it 
> > > can
> > > still be split later on if necessary.
> > 
> > Following up to 
> > 
> > | Please provide a plan how and when to fix this before 2019-06-30.
> > 
> > We have now one month later.  Please provide the plan.
> 
> The items in
> https://salsa.debian.org/security-tracker-team/security-tracker-service/issues/1
> need to be detailed further and then sorted/prioritized. Later actual
> implementation work on making the split possible on tracker and other
> tooling side needs to happen. We cannot depend on a non-functional
> instance for the day to day work, so all of the above basically will
> need to be ported in some sensible way.
> 
> Progress is slow due to other time limitations in day to day tasks.
> 
> Still if it is going to be too much burden for salsa admin and needs
> to be fast, then I only see that we temporarily switch away from salsa
> to gitlab or another hosting (github will not work) and then move back
> once the split has finally happened.

It seems a bit difficult to make a big switch, probably because it's not
easy to know and test all the various involved scripts.

Considering a more progressive approach, is there something preventing
us from switching to the rewritten repository and split/merging the
file, something like:

diff --git a/conf/post-merge b/conf/post-merge
new file mode 100755
index 00..a9991c1cc9
--- /dev/null
+++ b/conf/post-merge
@@ -0,0 +1,3 @@
+#!/bin/sh
+echo "post-merge"
+[ -f data/CVE/1999.list ] && cat data/CVE/*.list > data/CVE/list
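Review bot: the hook's exit status is that of its last list, so whenever `data/CVE/1999.list` is absent `[ -f ... ] && cat ...` makes post-merge exit 1 even though nothing went wrong; write it as an `if` block, or add `|| true`. The `echo "post-merge"` looks like leftover debugging output and can go before this is merged.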
diff --git a/conf/pre-commit b/conf/pre-commit
index 767e478e36..12e781e97d 100755
--- a/conf/pre-commit
+++ b/conf/pre-commit
@@ -5,3 +5,4 @@ set -e
 exec 1>&2

 make check-syntax
+bin/split-by-year.py
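Review bot: `bin/split-by-year.py` runs after `make check-syntax` in pre-commit, but files a pre-commit hook rewrites are only included in the commit if they are staged; unless the script runs `git add` on the per-year files itself, the commit records the pre-split content. Also pin down the interaction with the post-merge hook above, which regenerates `data/CVE/list` from the per-year files: the script should be a no-op when the year files are already up to date, otherwise every merge followed by a commit rewrites the same data twice.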

?

Cheers!
Sylvain



Bug#964950: nginx: CVE-2020-11724

2020-07-13 Thread Sylvain Beucler
In case this helps, here's some documentation to test the issue with the
new upstream test cases:
https://wiki.debian.org/LTS/TestSuites/nginx

and my planned stretch package:
https://www.beuc.net/tmp/debian-lts/nginx/

Cheers!
Sylvain Beucler
Debian LTS Team

diff -Nru nginx-1.10.3/debian/changelog nginx-1.10.3/debian/changelog
--- nginx-1.10.3/debian/changelog   2020-01-11 08:28:05.0 +0100
+++ nginx-1.10.3/debian/changelog   2020-07-13 11:40:49.0 +0200
@@ -1,3 +1,11 @@
+nginx (1.10.3-1+deb9u5) stretch-security; urgency=high
+
+  * Non-maintainer upload by the LTS Security Team.
+  * CVE-2020-11724: ngx_http_lua_subrequest.c allows HTTP request
+smuggling, as demonstrated by the ngx.location.capture API.
+
+ -- Sylvain Beucler   Mon, 13 Jul 2020 11:40:49 +0200
+
 nginx (1.10.3-1+deb9u4) stretch; urgency=medium
 
   * Handle CVE-2019-20372, error page request smuggling
diff -Nru nginx-1.10.3/debian/modules/patches/nginx-lua/CVE-2020-11724.patch 
nginx-1.10.3/debian/modules/patches/nginx-lua/CVE-2020-11724.patch
--- nginx-1.10.3/debian/modules/patches/nginx-lua/CVE-2020-11724.patch  
1970-01-01 01:00:00.0 +0100
+++ nginx-1.10.3/debian/modules/patches/nginx-lua/CVE-2020-11724.patch  
2020-07-13 11:40:49.0 +0200
@@ -0,0 +1,863 @@
+Origin: 
https://github.com/openresty/openresty/commit/4e8b4c395f842a078e429c80dd063b232357
+Origin: 
https://github.com/openresty/lua-nginx-module/commit/9ab38e8ee35fc08a57636b1b6190dca70b0076fa
+Last-Update: 2020-07-13
+Reviewed-by: Sylvain Beucler 
+
+commit 96c330c3cb2a5abc95d293854801c7ba2896d1da
+Author: Thibault Charbonnier 
+Date:   Mon Mar 23 19:40:47 2020 -0700
+
+bugfix: prevented request smuggling in the ngx.location.capture API.
+
+From 9ab38e8ee35fc08a57636b1b6190dca70b0076fa Mon Sep 17 00:00:00 2001
+From: Thibault Charbonnier 
+Date: Mon, 23 Mar 2020 19:40:47 -0700
+Subject: [PATCH] bugfix: prevented request smuggling in the
+ ngx.location.capture API.
+
+Signed-off-by: Yichun Zhang (agentzh) 
+(tests)
+
+Index: nginx-lua/src/ngx_http_lua_subrequest.c
+===
+--- nginx-lua.orig/src/ngx_http_lua_subrequest.c
 nginx-lua/src/ngx_http_lua_subrequest.c
+@@ -56,8 +56,6 @@ static ngx_str_t  ngx_http_lua_content_l
+ ngx_string("Content-Length");
+ 
+ 
+-static ngx_int_t ngx_http_lua_set_content_length_header(ngx_http_request_t *r,
+-off_t len);
+ static ngx_int_t ngx_http_lua_adjust_subrequest(ngx_http_request_t *sr,
+ ngx_uint_t method, int forward_body,
+ ngx_http_request_body_t *body, unsigned vars_action,
+@@ -78,7 +76,7 @@ static void ngx_http_lua_cancel_subreq(n
+ static ngx_int_t ngx_http_post_request_to_head(ngx_http_request_t *r);
+ static ngx_int_t ngx_http_lua_copy_in_file_request_body(ngx_http_request_t 
*r);
+ static ngx_int_t ngx_http_lua_copy_request_headers(ngx_http_request_t *sr,
+-ngx_http_request_t *r);
++ngx_http_request_t *pr, ngx_uint_t prcl);
+ 
+ 
+ /* ngx.location.capture is just a thin wrapper around
+@@ -622,8 +620,8 @@ ngx_http_lua_adjust_subrequest(ngx_http_
+ unsigned vars_action, ngx_array_t *extra_vars)
+ {
+ ngx_http_request_t  *r;
+-ngx_int_trc;
+ ngx_http_core_main_conf_t   *cmcf;
++ngx_uint_t   prcl = 0;
+ size_t   size;
+ 
+ r = sr->parent;
+@@ -633,46 +631,32 @@ ngx_http_lua_adjust_subrequest(ngx_http_
+ if (body) {
+ sr->request_body = body;
+ 
+-rc = ngx_http_lua_set_content_length_header(sr,
+-body->buf
+-? ngx_buf_size(body->buf)
+-: 0);
+-
+-if (rc != NGX_OK) {
+-return NGX_ERROR;
+-}
+-
+ } else if (!always_forward_body
+&& method != NGX_HTTP_PUT
+&& method != NGX_HTTP_POST
+&& r->headers_in.content_length_n > 0)
+ {
+-rc = ngx_http_lua_set_content_length_header(sr, 0);
+-if (rc != NGX_OK) {
+-return NGX_ERROR;
+-}
+-
+-#if 1
+ sr->request_body = NULL;
+-#endif
+ 
+ } else {
+-if (ngx_http_lua_copy_request_headers(sr, r) != NGX_OK) {
+-return NGX_ERROR;
++if (!r->headers_in.chunked) {
++prcl = 1;
+ }
+ 
+-if (sr->request_body) {
++if (sr->request_body && sr->request_body->temp_file) {
+ 
+ /* deep-copy the request body */
+ 
+-if (sr->request_body->temp_file) {
+-if (ngx_http_lua_copy_in_file_request_body(sr) != NGX_OK) {
+-return NGX_ERROR;
+-}
++if (ngx_http_lua_copy_in_file_request_body(sr) != NGX_OK) {
++return NGX_ERROR;
+ }
+
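Review bot: the explicit `ngx_http_lua_set_content_length_header(sr, ...)` calls are removed from both the `body` branch and the `!always_forward_body` branch, and the subrequest's length handling now hinges on `prcl` (set when the parent is not chunked) passed to `ngx_http_lua_copy_request_headers(sr, pr, prcl)`; the new body of that function, which is where the parent's Content-Length is or is not copied, lies outside this excerpt. When reviewing the full patch, check that a subrequest carrying an explicit `body`, and one whose parent has `headers_in.chunked` set, each end up with a body and a length header that agree, since a mismatch between the two is the request-smuggling condition this CVE describes.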

Bug#964950: nginx: CVE-2020-11724

2020-07-13 Thread Sylvain Beucler
Package: nginx
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for ngx_lua.

CVE-2020-11724[0]:
| ngx_http_lua_subrequest.c allows HTTP request smuggling, as
| demonstrated by the ngx.location.capture API.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-11724
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11724

Cheers!
Sylvain Beucler
Debian LTS Team



Bug#963713: net-snmp: CVE-2019-20892

2020-07-07 Thread Sylvain Beucler
Hi,

On 07/07/2020 17:07, Sylvain Beucler wrote:
> On 06/07/2020 19:11, Sylvain Beucler wrote:
>> Do we have definite info on what versions are affected?
>>
>> I cannot reproduce the issue in jessie/stretch/buster (5.7.x).
>>
>> Incidentally Salvatore's test now yields an error in bullseye
>> (5.8dfsg-3), though I suspect the issue is at the client's level:
>> # snmpbulkget -v3 -Cn1 -Cr1472 -l authPriv -u testuser -a SHA -A
>> testpass -x AES -X testpass 127.0.0.1 1.3.6.1.2.1.1.5 1.3.6.1.2.1.1.7
>> Error in packet.
>> Reason: (genError) A general failure occured
> 
> Bisecting gives a range of ~20 commits where the server is buggy (either
> goes 100% CPU, or rejects the request with "send response: Too long").
> 
> 1a0dbe19bf2787bb5bea913f210a9a5eb4c0c80c
> "new snmp token sendMessageMaxSize"
> works fine.
> 
> 3eb4b473fed816108d1843dadee1ce877415b96b
> "add debug_enable_token_logs debug_disable_token_logs to output_api.h"
> triggers the double-free.
> 
> Anything in-between is random, and includes 2 "getbulk enhancements".
> The date varies greatly so this may be a series of cherry-picks.
> 
> In any case, all of this happens between 5.7.3 and 5.8.pre1.

Restricting further (good..bad):

$ git shortlog
1a0dbe19bf2787bb5bea913f210a9a5eb4c0c80c..e207b8113260fd7d84df0ebdb66925ab70da29b2
Robert Story (2):
  Add VMware copyright
  tweak sndMsgMaxSize handling

VMwareDev Randy (4):
  getbulk enhancements: limit responses gathered
  reduce session msg max sizes to transport max
  getbulk enhancements: response size + fallback to forward encoding
  move v3 engineID probe into initial packet build

Cheers!
Sylvain Beucler
Debian LTS Team



Bug#963713: net-snmp: CVE-2019-20892

2020-07-07 Thread Sylvain Beucler
Hi,

On 06/07/2020 19:11, Sylvain Beucler wrote:
> Do we have definite info on what versions are affected?
> 
> I cannot reproduce the issue in jessie/stretch/buster (5.7.x).
> 
> Incidentally Salvatore's test now yields an error in bullseye
> (5.8dfsg-3), though I suspect the issue is at the client's level:
> # snmpbulkget -v3 -Cn1 -Cr1472 -l authPriv -u testuser -a SHA -A
> testpass -x AES -X testpass 127.0.0.1 1.3.6.1.2.1.1.5 1.3.6.1.2.1.1.7
> Error in packet.
> Reason: (genError) A general failure occured

Bisecting gives a range of ~20 commits where the server is buggy (either
goes 100% CPU, or rejects the request with "send response: Too long").

1a0dbe19bf2787bb5bea913f210a9a5eb4c0c80c
"new snmp token sendMessageMaxSize"
works fine.

3eb4b473fed816108d1843dadee1ce877415b96b
"add debug_enable_token_logs debug_disable_token_logs to output_api.h"
triggers the double-free.

Anything in-between is random, and includes 2 "getbulk enhancements".
The date varies greatly so this may be a series of cherry-picks.

In any case, all of this happens between 5.7.3 and 5.8.pre1.

Cheers!
Sylvain



Bug#963713: [Pkg-net-snmp-devel] Bug#963713: net-snmp: CVE-2019-20892

2020-07-06 Thread Sylvain Beucler
Hi,

Do we have definite info on what versions are affected?

I cannot reproduce the issue in jessie/stretch/buster (5.7.x).

Incidentally Salvatore's test now yields an error in bullseye
(5.8dfsg-3), though I suspect the issue is at the client's level:
# snmpbulkget -v3 -Cn1 -Cr1472 -l authPriv -u testuser -a SHA -A
testpass -x AES -X testpass 127.0.0.1 1.3.6.1.2.1.1.5 1.3.6.1.2.1.1.7
Error in packet.
Reason: (genError) A general failure occured

Cheers!
Sylvain Beucler
Debian LTS Team



Bug#926923: Acknowledgement (gradle: CVE-2019-11065)

2019-04-12 Thread Sylvain Beucler
control: severity -1 important
thanks



Bug#926923: gradle: CVE-2019-11065

2019-04-12 Thread Sylvain Beucler
Package: gradle
Version: 4.4.1-5
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for gradle.

CVE-2019-11065[0]:
| Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download
| dependencies when the built-in JavaScript or CoffeeScript Gradle
| plugins are used. Dependency artifacts could have been maliciously
| compromised by a MITM attack against the ajax.googleapis.com web site.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11065
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11065
    https://github.com/gradle/gradle/pull/8927

Cheers!
Sylvain Beucler



Bug#926712: evolution-ews: CVE-2019-3890

2019-04-09 Thread Sylvain Beucler
Package: evolution-ews
Version: 3.30.5-1
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for evolution-ews.

CVE-2019-3890[0]:
No description was found (try on a search engine)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-3890
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3890
    https://gitlab.gnome.org/GNOME/evolution-ews/issues/27
    https://gitlab.gnome.org/GNOME/evolution-ews/issues/36
    https://bugzilla.redhat.com/show_bug.cgi?id=1678313
Note: depends on evolution-data-server patch

Cheers!
Sylvain Beucler / Debian LTS



Bug#920823: phpmyadmin: CVE-2019-6799: PMASA-2019-1

2019-02-27 Thread Sylvain Beucler
Uploaded to jessie-security.



Bug#920823: phpmyadmin: CVE-2019-6799: PMASA-2019-1

2019-02-24 Thread Sylvain Beucler
Hi,

FYI I prepared a patch for jessie, see:
https://lists.debian.org/debian-lts/2019/02/msg00164.html

For stretch, it is worth noting that the fix depends on whether mysql or
mysqli is enabled, whether open_basedir is in effect, and whether we're
protecting against user SQL queries or phpmyadmin-generated queries
(during CSV import).
(but no more phpX-mysql vs. phpX-mysqlnd AFAICS.)

Cheers!
Sylvain



Bug#729986: libnss-mysql-bg: Patch 04_shadow.diff Introduces Lock Acquisition Hang

2014-03-05 Thread Sylvain Beucler
Package: libnss-mysql-bg
Version: 1.5-3+b1
Followup-For: Bug #729986

Confirmed here, I just lost two evenings tracing down a weird rsync
issue at Gna(.org) down to this.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=641404 sheds some
light on the patch's purpose.

I guess it was tested with (u)nscd - which silently detects deadlocks,
but introduces delays to take new users/groups into account.

Yet another reminder not (repeat: not) to apply Debian-specific
patches?  D

- Sylvain

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#647697: libsfml-dev: libsfml embeds non-free Arial font

2011-11-05 Thread Sylvain Beucler
Package: libsfml-dev
Version: 1.6+dfsg1-2+b1
Severity: serious
Justification: Policy 2.2.1

Hi,

In the SFML fonts tutorial, it is mentioned that SFML provides a
default built-in one, which is Arial with a character size of 30.
http://sfml-dev.org/tutorials/1.6/graphics-fonts.php

The file is indeed present in:
src/SFML/Graphics/Arial.hpp

It can be extracted trivially:
#include <stdio.h>
/* Arial.hpp holds the font bytes as an initializer list, so including it
   between the braces turns it into the array's contents. */
static const char DefaultFontData[] =
{
#include "Arial.hpp"
};
int main(void) {
  FILE* out = fopen("arial.ttf", "w");
  if (out == NULL)
    return 1;
  fwrite(DefaultFontData, sizeof(DefaultFontData), 1, out);
  fclose(out);
  return 0;
}

The version in Debian carries that file AFAICT.


This brings 2 issues:

- The font is not DFSG-compliant and needs to be replaced.

- The license of the font may be incompatible with the program that
  uses SFML.  For instance, if we replace this font with
  Liberation-Sans (GPL2+exceptions), which is metrically compatible
  with Arial, the resulting library will not be compatible with a
  GPL-without-exception application.  A work-around is to load the
  font from an external file.
  http://www.mail-archive.com/debian-legal@lists.debian.org/msg36597.html

-- 
Sylvain

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libsfml-dev depends on:
ii  libsfml-audio1.6 1.6+dfsg1-2+b1
ii  libsfml-graphics1.6  1.6+dfsg1-2+b1
ii  libsfml-network1.6   1.6+dfsg1-2+b1
ii  libsfml-system1.61.6+dfsg1-2+b1
ii  libsfml-window1.61.6+dfsg1-2+b1

libsfml-dev recommends no packages.

Versions of packages libsfml-dev suggests:
ii  libsfml-doc 1.6+dfsg1-2   
ii  libsfml1.6-dbg  1.6+dfsg1-2+b1

-- no debconf information






Bug#587931: cytadela: Uninstallable; libvlc2 unavailable

2010-07-03 Thread Sylvain Beucler
> Tested, new package 1.0.1-1 that uses libvlc5 works fine.  Closing bug.  :-)

Neat, thanks for testing.
Enjoy the game :)

-- 
Sylvain






Bug#587931: cytadela: Uninstallable; libvlc2 unavailable

2010-07-02 Thread Sylvain Beucler
1h too late - I actually just uploaded 1.0.1 which uses newer libvlc,
please test when it's built for your architecture :)

- Sylvain

On Fri, Jul 02, 2010 at 06:09:50PM -0400, Chris wrote:
> Package: cytadela
> Version: 1.0.0-2
> Severity: grave
> Justification: renders package unusable
>
>
> cytadela depends on libvlc2 which has been removed, making
> cytadela uninstallable.
>
> -- System Information:
> Debian Release: squeeze/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.34-c2d-crk3 (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages cytadela depends on:
> pn  cytadela-data none (no description available)
> ii  libc6 2.11.2-2   Embedded GNU C Library: Shared lib
> ii  libgcc1   1:4.4.4-6  GCC support library
> ii  libgl1-mesa-glx [libgl1]  7.7.1-3A free implementation of the OpenG
> ii  libglu1-mesa [libglu1]7.7.1-3The OpenGL utility library (GLU)
> ii  libsdl-mixer1.2   1.2.8-6+b1 mixer library for Simple DirectMed
> ii  libsdl1.2debian   1.2.14-6   Simple DirectMedia Layer
> ii  libstdc++64.4.4-6The GNU Standard C++ Library v3
> pn  libvlc2   none (no description available)
> ii  vlc-nox   1.1.0-1multimedia player and streamer (wi
>
> cytadela recommends no packages.
>
> cytadela suggests no packages.






Bug#583702: beneath-a-steel-sky: package ships data that cannot be modified

2010-06-07 Thread Sylvain Beucler
The idea to place it in _contrib_ (not in 'non-free') makes sense to
me.

Placing it in 'main' encourages DDs to add more non-modifiable data
there.


If the tools to modify were lost, then users are locked anyway.
Similarly we wouldn't place executable binaries in 'main' if people
had lost the corresponding source code.


I think non-modifiable .ogg files are a problem.  Sometimes they are
the most usable form (e.g. a live recording), sometimes not (e.g. an
.ogg output of a RoseGarden project), sometimes partially (when
manual/non-automated post-processing was involved).  What archive to
use for them is probably another debate.

-- 
Sylvain






Bug#584022: page-crunch: Security bugs in ghostscript

2010-06-03 Thread Sylvain Beucler
OK, so as far as I understand, we'd better pass '-dSAFER -P-' to
'ps2pdf' (which is AFAICS the only ghostscript script that's used in
page-crunch).

David, what do you think?

- Sylvain

On Tue, Jun 01, 2010 at 11:14:06AM +1000, Paul Szabo wrote:
> Package: page-crunch
> Severity: grave
> Tags: security
> Justification: user security hole
>
>
> Please note remote execute-any-code security bugs in ghostscript:
>
>   http://bugs.debian.org/583183
>
> This package depends on ghostscript, and may be affected. Please
> evaluate the security of this package, and fix if needed.
>
> Thanks,
>
> Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics   University of Sydney   Australia
>
>
> -- System Information:
> Debian Release: 5.0.4
>   APT prefers stable
>   APT policy: (500, 'stable')
> Architecture: i386 (i686)
>
> Kernel: Linux 2.6.26-pk03.17-svr (SMP w/8 CPU cores)
> Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
> Shell: /bin/sh linked to /bin/bash






Bug#578444: [br...@clisp.org: Re: install-reloc error on Debian-hurd and Debian-kfreebsd]

2010-04-20 Thread Sylvain Beucler
Thanks, I already identified the bug and I think I'll make a new
upstream release.

- Sylvain

- Forwarded message from Bruno Haible br...@clisp.org -

Date: Tue, 20 Apr 2010 00:29:29 +0200
From: Bruno Haible br...@clisp.org
To: bug-gnu...@gnu.org
Cc: Sylvain Beucler b...@beuc.net
Subject: Re: install-reloc error on Debian-hurd and Debian-kfreebsd
User-Agent: KMail/1.9.9

Hi Sylvain,

> https://buildd.debian.org/status/package.php?p=freedink
>
> What happens, apparently, is that 'install-reloc' is called with
> 'RELOC_STRIP_PROG= ' (i.e. == nothing).
> [...]/autotools/install-reloc: 118: : Permission denied
>
> On line 118 I have:
> test $strip_prog = ':' || func_verbose $strip_prog $destprog$exeext || exit $?
> ($strip_prog comes from earlier strip_prog=$RELOC_STRIP_PROG)

Indeed this empty value of RELOC_STRIP_PROG is the problem. gnulib's NEWS file
has this note:

  2009-01-17  relocatable-prog  In the Makefile.am or Makefile.in, you now also
  need to set RELOCATABLE_STRIP = :.

This was probably overlooked by some developer. But actually, there is no
need for the maintainer to define this variable, since automake can do it.
I'm applying this followup to
http://lists.gnu.org/archive/html/bug-gnulib/2009-01/msg00162.html.


2010-04-19  Bruno Haible  br...@clisp.org

relocatable: Drop the need to define RELOCATABLE_STRIP in Makefile.am.
* m4/relocatable.m4 (gl_RELOCATABLE_BODY): Set RELOCATABLE_STRIP.
Reported by Sylvain Beucler b...@beuc.net.

--- m4/relocatable.m4.orig  Tue Apr 20 00:24:18 2010
+++ m4/relocatable.m4   Tue Apr 20 00:24:14 2010
@@ -1,4 +1,4 @@
-# relocatable.m4 serial 14
+# relocatable.m4 serial 15
 dnl Copyright (C) 2003, 2005-2007, 2009-2010 Free Software Foundation, Inc.
 dnl This file is free software; the Free Software Foundation
 dnl gives unlimited permission to copy and/or distribute it,
@@ -76,9 +76,15 @@
 
   dnl RELOCATABLE_LIBRARY_PATH can be set in configure.ac. Default is empty.
   AC_SUBST([RELOCATABLE_LIBRARY_PATH])
+
   AC_SUBST([RELOCATABLE_CONFIG_H_DIR])
   AC_SUBST([RELOCATABLE_SRC_DIR])
   AC_SUBST([RELOCATABLE_BUILD_DIR])
+
+  dnl Ensure RELOCATABLE_STRIP is defined in Makefiles (at least those
+  dnl generated by automake), with value ':'.
+  RELOCATABLE_STRIP=':'
+  AC_SUBST([RELOCATABLE_STRIP])
 ])
 
 dnl Determine the platform dependent parameters needed to use relocatability:
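Review bot: the new `RELOCATABLE_STRIP=':'` assignment in gl_RELOCATABLE_BODY is unconditional, so a configure.ac that already sets RELOCATABLE_STRIP to a real strip program is silently overwritten; guarding it with `test -n "$RELOCATABLE_STRIP" || RELOCATABLE_STRIP=':'` keeps that possibility while still curing the empty value that install-reloc chokes on at line 118. The dnl comment should also spell out that ':' means "do not strip", since that is exactly what install-reloc's `test $strip_prog = ':'` checks for.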


- End forwarded message -






Bug#570850: Fix CVE-2009-4029 in Lenny/stable

2010-03-31 Thread Sylvain Beucler
Hi,

Any progress?

-- 
Sylvain






Bug#570850: automake: Fix CVE-2009-4029 in Lenny/stable

2010-02-21 Thread Sylvain Beucler
Package: automake
Version: 1:1.10.1-3
Severity: grave
Tags: security patch
Justification: user security hole

Hi,

Please fix CVE-2009-4029 in automake 1.10.

I create my upstream releases from a Debian stable box, and I was
surprised to see that the generated Makefile.in's still have
instructions for 777 directories.

Attached is a patch :)

Cheers!

-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages automake depends on:
ii  autoconf  2.61-8 automatic configure script builder
ii  autotools-dev 20080123.1 Update infrastructure for config.{

automake recommends no packages.

automake suggests no packages.

-- no debconf information
--- automake1.10-1.10.1/debian/changelog
+++ automake1.10-1.10.1/debian/changelog
@@ -1,3 +1,11 @@
+automake1.10 (1:1.10.1-4) stable-security; urgency=high
+
+  [ Sylvain Beucler ]
+  * Fix CVE-2009-4029, which created world-writable directories in
+distribution tarballs.
+
+ -- Eric Dorland e...@debian.org  Sun, 21 Feb 2010 21:45:48 +0100
+
 automake1.10 (1:1.10.1-3) unstable; urgency=low
 
   * debian/automake.postinst: Bump up the priority to 28 so that it wins
--- automake1.10-1.10.1.orig/lib/am/distdir.am
+++ automake1.10-1.10.1/lib/am/distdir.am
@@ -196,11 +196,7 @@
 endif %?DIST-TARGETS%
 ##
 ## This complex find command will try to avoid changing the modes of
-## links into the source tree, in case they're hard-linked.  It will
-## also make directories writable by everybody, because some
-## brain-dead tar implementations change ownership and permissions of
-## a directory before extracting the files, thus becoming unable to
-## extract them.
+## links into the source tree, in case they're hard-linked.
 ##
 ## Ignore return result from chmod, because it might give an error
 ## if we chmod a symlink.
@@ -213,7 +209,8 @@
 ## the file in place in the source tree.
 ##
 if %?TOPDIR_P%
-   -find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
+   -find $(distdir) -type d ! -perm -755 \
+ -exec chmod u+rwx,go+rx {} \; -o \
  ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
  ! -type d ! -perm -400 -exec chmod a+r {} \; -o \
  ! -type d ! -perm -444 -exec $(install_sh) -c -m a+r {} {} \; \
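Review bot: `! -perm -755` only selects directories that lack one of the 755 bits, so a directory that is already 777 in the source tree (for instance left over from a dist run with the old rule) passes the test untouched and is shipped world-writable in the tarball. If the intent is that no distributed directory is world-writable, add an alternative such as `-type d -perm -002 -exec chmod go-w {} \; -o \` to the find chain, so that the new rule guarantees an upper bound as well as the `u+rwx,go+rx` minimum.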


Bug#570850: Fix CVE-2009-4029 in Lenny/stable

2010-02-21 Thread Sylvain Beucler
Note: the patch comes from:
http://lists.gnu.org/archive/html/automake-patches/2009-11/msg00017.html

-- 
Sylvain
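As an added example (not code from the bug report or from automake), here is a small POSIX shell script that checks a directory tree, or a finished tarball without extracting it, for the world-writable entries CVE-2009-4029 produced, and normalises a tree to the `u+rwx,go+rx` minimum the patch above enforces. The package tree it builds under mktemp is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the bug report or automake): find world-writable
# entries such as the 777 directories CVE-2009-4029 put into automake
# dist tarballs, and normalise a tree.  All paths are constructed.

# Print every entry under $1 whose other-write bit is set, sorted.
list_world_writable() {
    find "$1" -perm -002 -print | sort
}

# Status 0 only when the tree contains no world-writable entry.
check_tree() {
    [ -z "$(list_world_writable "$1")" ]
}

# Same check on a tarball without extracting it: `tar -tv` prints the
# mode string first (e.g. drwxrwxrwx); its 9th character is the
# other-write bit.  Prints offending members; status 0 when none.
check_tarball() {
    bad=$(tar -tvf "$1" | awk 'substr($1, 9, 1) == "w" { print $NF }')
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}

# Enforce what the fixed distdir.am rule enforces (u+rwx,go+rx on
# directories) and, on top of that, clear any world-write bit that the
# `! -perm -755` test in that rule leaves alone on a 777 directory.
fix_tree() {
    find "$1" -type d -exec chmod u+rwx,go+rx,o-w {} \;
    find "$1" ! -type d -exec chmod o-w {} \;
}

# Demo on a constructed tree with one 777 directory, as the old
# `chmod a+rwx` rule produced.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/pkg-1.0/src"
    chmod 777 "$tmp/pkg-1.0/src"
    : > "$tmp/pkg-1.0/src/main.c"
    chmod 644 "$tmp/pkg-1.0/src/main.c"
    tar -cf "$tmp/pkg-1.0.tar" -C "$tmp" pkg-1.0

    check_tree "$tmp/pkg-1.0" || echo "tree has world-writable entries:"
    list_world_writable "$tmp/pkg-1.0"
    check_tarball "$tmp/pkg-1.0.tar" || echo "tarball ships them too"

    fix_tree "$tmp/pkg-1.0"
    check_tree "$tmp/pkg-1.0" && echo "tree fixed"
    rm -rf "$tmp"
}

# Run as `sh check-dist-perms.sh demo` to see the demo.
case "${1:-}" in demo) demo ;; esac
```

Point check_tarball at a real release tarball to audit it as shipped; the tree check deliberately goes one step further than the distdir.am rule, because `! -perm -755` never touches a directory that is already 777, so fix_tree clears the other-write bit as well.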




Bug#516708: Debtorrent just won't give up after receiving 404

2010-01-24 Thread Sylvain Beucler
Hi,

Any progress on that RC issue?

For the record, I saw that there were commits towards v2.0 (9/2009):
http://svn.debian.org/wsvn/debtorrent/debtorrent/trunk/debian/changelog
but they do not reference this particular bug.

-- 
Sylvain
@BSP2010




Bug#559835: CVE-2009-3736 update

2010-01-24 Thread Sylvain Beucler
Hi,

The 'lam' package uses the AC_LIBLTDL_CONVENIENCE macro, which forces
the use of the bundled copy.  It only supports
--disable-ltdl-convenience which just produces an error (this package
needs a convenience libltdl).  Note that this is a libtool 1.5
feature, not libtool 2 (where it's deprecated).

--without-included-ltdl (AC_WITH_LTDL) doesn't seem to be used:
$ grep -r included[_-]ltdl .
./share/libltdl/acinclude.m4:AC_ARG_WITH([included_ltdl],
./share/libltdl/acinclude.m4:[  --with-included-ltdluse the GNU ltdl 
sources included here])
./share/libltdl/acinclude.m4:if test x$with_included_ltdl != xyes; then
./share/libltdl/acinclude.m4:  [with_included_ltdl=no],
./share/libltdl/acinclude.m4:  [with_included_ltdl=yes])
./share/libltdl/acinclude.m4:if test x$with_included_ltdl = xno; then
./share/libltdl/acinclude.m4:AC_MSG_RESULT([$with_included_ltdl])

It's only present in the libltdl m4 file, which wasn't used in the
various ./configure scripts.


The included copy is used in the SSI module:
$ find -name *.[ch] | xargs grep -r 'ltdl\.h' 
./share/include/lam-ssi.h:/* Ensure to get the right ltdl.h */ 
./share/include/lam-ssi.h:#include lam_ltdl.h
./share/include/lam_ltdl.h:/* ltdl.h -- generic dlopen functions
./share/libltdl/ltdl.c:#include ltdl.h
./share/libltdl/ltdl.c:   order as the enumerated indices in ltdl.h. */
./share/libltdl/ltdl.h:/* ltdl.h -- generic dlopen functions
./share/ssi/base/ssi_module_registry.c:#include lam_ltdl.h
./share/ssi/base/ssi_module_find.c:#include lam_ltdl.h
./share/ssi/crlam/self/src/ssi_crlam_self.c:#include lam_ltdl.h
./share/ssi/crmpi/self/src/ssi_crmpi_self.c:#include lam_ltdl.h

Note that lam_ltdl.h is a mere copy of ltdl.h.


The latest copyright years are 2000 and 2005 for ltdl.h and ltdl.c
respectively, so I guess they are vulnerable.


To test whether the files are used during the build, one can use:
sed -i '1i#error do not use' share/include/lam_ltdl.h share/libltdl/ltdl.c 
share/libltdl/ltdl.h


So at first glance, we could either:

- use AC_LIBLTDL_INSTALLABLE instead of AC_LIBLTDL_CONVENIENCE,
  re-run autoconf, and remove the embedded copy for safety

- symlink lam_ltdl.h and ltdl.h to the system libltdl development files.

-- 
Sylvain




Bug#562723: with slapd.d don't work

2010-01-23 Thread Sylvain Beucler
Package: slapd
Severity: normal

When you use:

  slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d/

slapd converts slapd.conf to /etc/ldap/slapd.d/ .

So it's possible that both are not desync'd on your system, and that
only slapd.conf is a valid configuration.

Can you specify what errors you get?

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (300, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-2-686 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages slapd depends on:
ii  adduser   3.111  add and remove users and groups
ii  coreutils 7.4-2  The GNU core utilities
ii  debconf [debconf-2.0] 1.5.28 Debian configuration management sy
ii  libc6 2.10.2-2   GNU C Library: Shared libraries
ii  libdb4.7  4.7.25-8   Berkeley v4.7 Database Libraries [
ii  libgnutls26   2.8.5-2the GNU TLS library - runtime libr
ii  libldap-2.4-2 2.4.17-2.1 OpenLDAP libraries
ii  libltdl7  2.2.6a-4   A system independent dlopen wrappe
ii  libperl5.10   5.10.1-8   shared Perl library
ii  libsasl2-22.1.23.dfsg1-3 Cyrus SASL - authentication abstra
ii  libslp1   1.2.1-7.6  OpenSLP libraries
ii  libwrap0  7.6.q-18   Wietse Venema's TCP wrappers libra
ii  lsb-base  3.2-23 Linux Standard Base 3.2 init scrip
ii  perl [libmime-base64-perl 5.10.1-8   Larry Wall's Practical Extraction 
ii  psmisc22.8-1 utilities that use the proc file s
ii  unixodbc  2.2.11-21  ODBC tools libraries

Versions of packages slapd recommends:
ii  libsasl2-modules  2.1.23.dfsg1-3 Cyrus SASL - pluggable authenticat

Versions of packages slapd suggests:
pn  ldap-utilsnone (no description available)

-- debconf information excluded






Bug#560940: CVE-2009-3560 and CVE-2009-3720 denial-of-services

2009-12-24 Thread Sylvain Beucler
On Tue, Dec 15, 2009 at 01:31:30PM +0100, Sylvain Beucler wrote:
 Patched package available at:
 http://mentors.debian.net/cgi-bin/sponsor-pkglist?action=details;package=tla

Ben noticed that part of the bundled libexpat was still used.

I missed 2 -I ../lib/expat occurrences, I'll upload a new version in
a bit.

-- 
Sylvain
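The checks used in this thread and in the lam/libltdl report above (grep for a bundled copy, grep for build rules that still reach into it, and the `#error` line that makes any remaining use fail at build time) as one added audit script; this is not code from lam, tla or the bug reports, and the source tree it inspects in the demo is constructed. The missed `-I ../lib/expat` occurrences mentioned here are exactly what find_build_refs is for.

```shell
#!/bin/sh
# Added example, not code from the bug reports or from lam/tla: audit a
# source tree for a bundled copy of a library (expat as in tla, ltdl as
# in lam) and for build rules or includes that still reach into it, then
# poison the bundled files so a build that still compiles them fails
# loudly.  Tree, paths and file names in the demo are constructed.

# Regex (matched after a '/') for file names that identify a bundled copy.
bundled_pattern() {       # $1 = library name
    case "$1" in
        expat) printf '%s' 'expat\.h|xmlparse\.c|xmltok\.c|xmlrole\.c' ;;
        ltdl)  printf '%s' '[^/]*ltdl\.[ch]' ;;
        *)     printf '%s' "$1" ;;            # fall back to the bare name
    esac
}

# List files under $1 that look like a bundled copy of library $2.
find_bundled() {
    find "$1" -type f | grep -E "/($(bundled_pattern "$2"))\$" | sort
}

# List build rules and sources that still reference the library by
# path: -I/-L flags naming it, or #include lines naming it.
find_build_refs() {       # $1 = tree, $2 = library name
    grep -rnE --include='Makefile*' --include='*.in' --include='*.am' \
         --include='*.c' --include='*.h' \
         -e "(-I|-L)[^[:space:]]*$2" \
         -e "#include[[:space:]]+[<\"][^<>\"]*$2" "$1" | sort
}

# Status 0 when neither a bundled copy nor a reference to it is found;
# otherwise print the findings and return 1.
audit() {                 # $1 = tree, $2 = library name
    found=$( { find_bundled "$1" "$2"; find_build_refs "$1" "$2"; } )
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Prepend an #error to every bundled file (portable form of the
# `sed -i '1i#error ...'` trick from the lam report).
poison_bundled() {        # $1 = tree, $2 = library name
    find_bundled "$1" "$2" | while IFS= read -r f; do
        { printf '#error bundled %s copy must not be used\n' "$2"; cat "$f"; } \
            > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Demo on a constructed tree shaped like the tla layout discussed here.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/src/expat/lib" "$t/src/libneon/src"
    : > "$t/src/expat/lib/expat.h"
    : > "$t/src/expat/lib/xmlparse.c"
    printf 'CFLAGS = @CFLAGS@ -I$(top_srcdir)/../expat/lib\n' \
        > "$t/src/libneon/src/Makefile.in"
    audit "$t" expat || echo "bundled expat still referenced (see above)"
    poison_bundled "$t" expat
    head -n 1 "$t/src/expat/lib/expat.h"
    rm -rf "$t"
}

# Run as `sh audit-bundled.sh demo` to see the demo.
case "${1:-}" in demo) demo ;; esac
```

A clean `audit <tree> expat` after the packaging changes, followed by a build with the copies poisoned, is the two-step check that would have caught the leftover `-I` flags before upload.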




Bug#560940: CVE-2009-3560 and CVE-2009-3720 denial-of-services

2009-12-24 Thread Sylvain Beucler
  Patched package available at:
  http://mentors.debian.net/cgi-bin/sponsor-pkglist?action=details;package=tla

The fixed version is up.

$ interdiff tla1.diff tla2.diff | diffstat
 patches/06-disable_builtin_expat.dpatch |   50 +++-
 rules   |5 +--
 2 files changed, 34 insertions(+), 21 deletions(-)


diff -u tla-1.3.5+dfsg/debian/rules tla-1.3.5+dfsg/debian/rules
--- tla-1.3.5+dfsg/debian/rules
+++ tla-1.3.5+dfsg/debian/rules
@@ -56,8 +56,9 @@
 
# Disable builtin expat
# See also patches/06-disable_builtin_expat.dpatch
-   rm -f src/expat/PLUGIN/AUTOCONF
-   rm -f src/expat/PLUGIN/REQ
+   #rm -f src/expat/PLUGIN/AUTOCONF
+   #rm -f src/expat/PLUGIN/REQ
+   rm -rf src/expat/  # Let's play safe
rm -f src/libneon/PLUGIN/REQ
 
# Cleaning package
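Review bot: the two `#rm -f src/expat/PLUGIN/...` lines are dead once `rm -rf src/expat/` runs, so delete them instead of commenting them out, and replace `# Let's play safe` with the actual reason the whole directory goes (the bundled expat is affected by CVE-2009-3560 and CVE-2009-3720, and 06-disable_builtin_expat.dpatch is what stops the build from reaching into it). Removing the directory only helps if nothing in the tree still compiles or links against it, which is what the dpatch changes that follow have to guarantee.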
diff -u tla-1.3.5+dfsg/debian/patches/06-disable_builtin_expat.dpatch 
tla-1.3.5+dfsg/debian/patches/06-disable_builtin_expat.dpatch
--- tla-1.3.5+dfsg/debian/patches/06-disable_builtin_expat.dpatch
+++ tla-1.3.5+dfsg/debian/patches/06-disable_builtin_expat.dpatch
@@ -2,22 +2,12 @@
 ## 06-disable_builtin_expat.dpatch by Sylvain Beucler b...@beuc.net
 ##
 ## All lines beginning with `## DP:' are a description of the patch.
-## DP: use system expat to address CVE-2009-3560 and CVE-2009-3720 DoS
-## DP: see also debian/rules, target 'clean'
+## DP: No description.
 
 tla-1.3.5+dfsg.orig/src/tla/tla/Makefile.in
-+++ tla-1.3.5+dfsg/src/tla/tla/Makefile.in
-@@ -21,7 +21,7 @@
- endif
- 
- $(programs):%$(cfg__exec_suffix):%.o $(thelib) $(filter-out -L%, $(filter-out 
-l%, $(libs)))
--  $(SHELL) $(objroot)/libneon/libtool --mode=link $(CC) $(CFLAGS) 
-L../../expat -o $@ $ $(thelib) $(libs)
-+  $(SHELL) $(objroot)/libneon/libtool --mode=link $(CC) $(CFLAGS) -o $@ 
$ $(thelib) $(libs)
- 
- clean: clean-prog
- 
 tla-1.3.5+dfsg.orig/src/libneon/Makefile.in
-+++ tla-1.3.5+dfsg/src/libneon/Makefile.in
+...@dpatch@
+diff -urNad tla-1.3.5+dfsg~/src/libneon/Makefile.in 
tla-1.3.5+dfsg/src/libneon/Makefile.in
+--- tla-1.3.5+dfsg~/src/libneon/Makefile.in2009-12-24 12:30:27.0 
+0100
 tla-1.3.5+dfsg/src/libneon/Makefile.in 2009-12-24 12:30:41.0 
+0100
 @@ -33,7 +33,7 @@
  
  @SET_MAKE@
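Review bot: this hunk loses the patch description: the lines `## DP: use system expat to address CVE-2009-3560 and CVE-2009-3720 DoS` and `## DP: see also debian/rules, target 'clean'` are replaced by the dpatch-edit-patch default `## DP: No description.`. Restore the two DP: lines before upload; they are the only place a later maintainer sees why the Makefile.in edits exist.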
@@ -30,11 +20,33 @@
 tla-1.3.5+dfsg.orig/src/libneon/src/Makefile.in
-+++ tla-1.3.5+dfsg/src/libneon/src/Makefile.in
-@@ -26,7 +26,7 @@
+diff -urNad tla-1.3.5+dfsg~/src/libneon/src/Makefile.in 
tla-1.3.5+dfsg/src/libneon/src/Makefile.in
+--- tla-1.3.5+dfsg~/src/libneon/src/Makefile.in2009-12-24 
12:30:27.0 +0100
 tla-1.3.5+dfsg/src/libneon/src/Makefile.in 2009-12-24 12:31:28.0 
+0100
+@@ -25,14 +25,14 @@
+ 
  # Flags
  CPPFLAGS = @DEFS@ @CPPFLAGS@
- CFLAGS = @CFLAGS@  -I$(top_builddir) -I$(top_srcdir)/../expat/lib 
@NEON_CFLAGS@
+-CFLAGS = @CFLAGS@  -I$(top_builddir) -I$(top_srcdir)/../expat/lib 
@NEON_CFLAGS@
 -LDFLAGS = -L$(top_builddir)/../expat @LDFLAGS@
++CFLAGS = @CFLAGS@  -I$(top_builddir) @NEON_CFLAGS@
 +LDFLAGS = @LDFLAGS@
  NEON_LINK_FLAGS = @NEON_LINK_FLAGS@
  # Note: don't substitute @LIBS@ in here; during a bundled
  # build of this directory, @LIBS@ may include -lneon.
+ LIBS = @NEON_LIBS@ @NEON_LTLIBS@
+ 
+-COMPILE = $(CC) $(CPPFLAGS) $(CFLAGS)  -I$(top_builddir) 
-I$(top_srcdir)/../expat/lib @NEON_CFLAGS@
++COMPILE = $(CC) $(CPPFLAGS) $(CFLAGS)  -I$(top_builddir) @NEON_CFLAGS@
+ LINK = $(LIBTOOL) --quiet --mode=link $(CC) $(LDFLAGS)
+ 
+ NEON_BASEOBJS = ne_reque...@neon_objext@ ne_sessi...@neon_objext@ \
+diff -urNad tla-1.3.5+dfsg~/src/tla/tla/Makefile.in 
tla-1.3.5+dfsg/src/tla/tla/Makefile.in
+--- tla-1.3.5+dfsg~/src/tla/tla/Makefile.in2009-12-24 12:30:27.0 
+0100
 tla-1.3.5+dfsg/src/tla/tla/Makefile.in 2009-12-24 12:30:41.0 
+0100
+@@ -21,7 +21,7 @@
+ endif
+ 
+ $(programs):%$(cfg__exec_suffix):%.o $(thelib) $(filter-out -L%, $(filter-out 
-l%, $(libs)))
+-  $(SHELL) $(objroot)/libneon/libtool --mode=link $(CC) $(CFLAGS) 
-L../../expat -o $@ $ $(thelib) $(libs)
++  $(SHELL) $(objroot)/libneon/libtool --mode=link $(CC) $(CFLAGS) -o $@ 
$ $(thelib) $(libs)
+ 
+ clean: clean-prog
+ 
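Review bot: the libneon/src/Makefile.in changes drop `-I$(top_srcdir)/../expat/lib` from both CFLAGS and COMPILE and `-L$(top_builddir)/../expat` from LDFLAGS, but nothing in the hunk adds the system library in their place: linking now depends on `@NEON_LIBS@` carrying `-lexpat`, so confirm that configure picks up the system expat and that libexpat1-dev is in Build-Depends, otherwise the failure only appears once src/expat/ is gone. Since the first version of this patch missed two `-I` flags, a `grep -rn expat` over the generated Makefiles after a build is a cheap way to show no further reference remains.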




Bug#560940: CVE-2009-3560 and CVE-2009-3720 denial-of-services

2009-12-15 Thread Sylvain Beucler
Patched package available at:
http://mentors.debian.net/cgi-bin/sponsor-pkglist?action=details;package=tla

-- 
Sylvain




Bug#560940: CVE-2009-3560 and CVE-2009-3720 denial-of-services

2009-12-14 Thread Sylvain Beucler
I'm having a look at this.

I had worked on this package a while ago, and I'm currently doing a NM
Tasks & Skills, so it's a pleasure ;)

-- 
Sylvain




Bug#513796: php5-xapian: PHP license incompatible with Xapian

2009-02-01 Thread Sylvain Beucler
Package: php5-xapian
Version: 1.0.7-3.1
Severity: serious
Justification: Policy 2.3

The PHP license is incompatible with the GNU GPL license due to
strong restrictions on the usage of the term 'PHP'.

Thus combining PHP and Xapian through the php5-xapian module is
not permitted and cannot be redistributed.

This issue was raised upstream but hasn't been resolved (and
probably can't at their level):
http://trac.xapian.org/ticket/191

It would be nice to:

- check with debian-legal to confirm

- contact the PHP community so they convert these naming
  restrictions into a proper trademark, making the copyright
  license GPL-compatible (like other scripting languages)

-- System Information:
Debian Release: 5.0
  APT prefers testing
  APT policy: (500, 'testing'), (300, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-vserver-686 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages php5-xapian depends on:
ii  libapache2-mod-p 5.2.6.dfsg.1-0.1~lenny1 server-side, HTML-embedded scripti
ii  libc62.7-18  GNU C Library: Shared libraries
ii  libgcc1  1:4.3.2-1.1 GCC support library
ii  libstdc++6   4.3.2-1.1   The GNU Standard C++ Library v3
ii  libxapian15  1.0.7-4 Search engine library
ii  php5-cli [phpapi 5.2.6.dfsg.1-0.1~lenny1 command-line interpreter for the p
ii  php5-common  5.2.6.dfsg.1-0.1~lenny1 Common files for packages built fr

php5-xapian recommends no packages.

Versions of packages php5-xapian suggests:
pn  xapian-docnone (no description available)

-- no debconf information






Bug#512111: iceweasel: Iceweasel disable Firefox upgrade checks

2009-01-17 Thread Sylvain Beucler
Package: iceweasel
Version: 3.0.5-1
Severity: grave
Tags: security
Justification: user security hole


Since Debian stable is a frozen distro, it's not uncommon to install
the official Firefox binaries when the next version of Firefox is
released, and isn't packaged in stable or backported yet. I've also
seen that useful to fix browser detection (hotmail) or support
binary extensions (probably to avoid libstdc++ 5/6 discrepancies).

Anyway, when Iceweasel is started, it silently disables the security
update checks in the configuration.
about:config reports that 'app.update.enabled' is set to false. This
is set on startup.

This is a problem, because as I mentioned people may use, concurrently
or later, an official version of Firefox. In this case, Firefox will
disable security update checks as directed, and thus Firefox won't be
upgraded when there's a security fix. People may work several months
without being notified about a security hole in their Firefox.

The fact Iceweasel disables upstream security update checks is normal,
because Debian (not upstream) provides those. However it's a mistake
to disable that in the configuration, because this impacts other
versions of Firefox that do use those checks.

So please don't alter 'app.update.enabled' and other settings, and
disable Iceweasel upstream security updates checks using another
method (e.g. by not compiling the related code, or by not using
~/.mozilla/firefox to store the iceweasel configuration).

-- System Information:
Debian Release: 5.0
  APT prefers testing
  APT policy: (500, 'testing'), (300, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-vserver-686 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages iceweasel depends on:
ii  debianutils  2.30Miscellaneous utilities specific t
ii  fontconfig   2.6.0-3 generic font configuration library
ii  libc62.7-16  GNU C Library: Shared libraries
ii  libgcc1  1:4.3.2-1.1 GCC support library
ii  libglib2.0-0 2.16.6-1The GLib library of C routines
ii  libgtk2.0-0  2.12.11-4   The GTK+ graphical user interface 
ii  libnspr4-0d  4.7.1-4 NetScape Portable Runtime Library
ii  libstdc++6   4.3.2-1.1   The GNU Standard C++ Library v3
ii  procps   1:3.2.7-9   /proc file system utilities
ii  psmisc   22.6-1  Utilities that use the proc filesy
ii  xulrunner-1.91.9.0.5-1   XUL + XPCOM application runner

iceweasel recommends no packages.

Versions of packages iceweasel suggests:
pn  latex-xft-fonts   none (no description available)
ii  libkrb53  1.6.dfsg.4~beta1-5 MIT Kerberos runtime libraries
pn  mozpluggernone (no description available)
pn  ttf-mathematica4.1none (no description available)
pn  xfonts-mathml none (no description available)
pn  xprintnone (no description available)
ii  xulrunner-1.9-gnome-s 1.9.0.5-1  Support for GNOME in xulrunner app

-- no debconf information






Bug#503712: the gs-common problem

2008-12-28 Thread Sylvain Beucler
  For the latter, it would be cool if
  the maintainers of the affected packages,
   Vincent   for latex-make
   Sylvain and David for page-crunch
   the Zope guys and Andreas and Fabio for zope-textindexng3
 could weigh in here. I'll look at your packages, but if you already know
 whether it works without ghostscript-x or not, it'd be great if you
 could give me a shout.

page-crunch depends on gs-common for 'pdf2ps' and 'ps2pdf'.

From what I understand we can replace 'gs-common' with 'ghostscript'.

Do you want to sponsor a new package release?

-- 
Sylvain






Bug#409384: gnome: Fail to mount CD-ROM

2007-02-02 Thread Sylvain Beucler
Package: gnome
Version: 1:2.14.3.5
Severity: grave
Justification: renders package unusable

Steps to reproduce:
- put CD in drive
- click on the computer icon
- click on the cdrom drive

You get something like "impossible to mount the selected volume", and in the
detailed log there is:

libhal-storage.c 1401 : info: called libhal_free_dbus_error but dbuserror was
not set.

process 21282: applications must not close shared connections - see
dbus_connection_close() docs. this is a bug in the application.

mount: block device /dev/hda is write-protected, mounting read-only
mount: wrong fs type, bad option, bad superblock on /dev/hda,
       missing codepage or other error
       in some cases useful info is found in syslog - try
       dmesg | tail  or so

erreur: impossible d'exécuter pmount


Using 'pmount /dev/cdrom' does work.


-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.19.2-vs2.2.0-rc8
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)

Versions of packages gnome depends on:
ii  gdm-themes  0.5.1Themes for the GNOME Display Manag
ii  gnome-cups-manager  0.31-3   CUPS printer admin tool for GNOME
ii  gnome-desktop-environment   1:2.14.3.5   The GNOME Desktop Environment
ii  gnome-games-extra-data  2.14.0-1 games for the GNOME desktop (extra
ii  gnome-office1:2.14.3.5   The GNOME Office suite
ii  gnome-power-manager 2.14.3-3+b1  frontend for gnome-powermanager
ii  gnome-screensaver   2.14.3-3 GNOME screen saver and locker
ii  gnome-themes-extras 0.9.0-5  various themes for the GNOME 2 des
ii  rhythmbox   0.9.6-5  music player and organizer for GNO
ii  synaptic0.57.11.1+b1 Graphical package manager
ii  totem-mozilla   2.16.4-2 Totem Mozilla plugin

gnome recommends no packages.

-- no debconf information



Bug#382465: FTBFS on arm, sparc, ia64, hppa

2006-08-11 Thread Sylvain Beucler
 tla 1.3.5+dfsg-2 fails to build from source on arm, sparc, ia64 and
 hppa[1].

Actually it builds, but the test suite fails on those architectures. I
reported that upstream and they're working on it.
http://lists.gnu.org/archive/html/gnu-arch-users/2006-08/msg6.html

Maybe we can drop the test suite from the build process, though Daniel
was not in favor of such a move.


 This bug currently blocks the neon transition.

We've dropped the libneon dependency (statically linked with the
included libneon24 - migration to libneon26 bugreported upstream).
http://lists.gnu.org/archive/html/gnu-arch-users/2006-07/msg00023.html

Where do you see this?

-- 
Sylvain

