Bug#977027: [Pkg-javascript-devel] Bug#977027: rhino breaks dojo autopkgtest: Cannot set property "dojo" of null to "[object Object]"

[Bastien ROUCARIES]

Le jeu. 6 avr. 2023 à 11:24, Paul Gevers  a écrit :
>
> Control: tags -1 pending patch
>
> On 06-04-2023 12:54, Paul Gevers wrote:
> > I'm going to prepare NMU's for rhino and dojo and upload to DELAYED/5
>
> Please find the debdiffs attached.

Go ahead
>
> Paul
> --
> Pkg-javascript-devel mailing list
> pkg-javascript-de...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel

Bug#977027: [Pkg-javascript-devel] Bug#977027: rhino breaks dojo autopkgtest: Cannot set property "dojo" of null to "[object Object]"

[Bastien ROUCARIES]

Le dim. 26 mars 2023 à 21:39, Markus Koschany  a écrit :

> Hi Graham,
>
> Am Sonntag, dem 26.03.2023 um 19:28 +0200 schrieb Graham Inggs:
> > Hi Markus
> >
> > On Sun, 26 Mar 2023 at 16:34, Markus Koschany  wrote:
> > > 1. There is no transition needed because only shrinksafe is affected
> by the
> > > new
> > > rhino version.
>
>
> > How did you determine this?
>
> Rhino 1.7.14 was mostly API compatible meaning I only had to fix an issue
> in
> closure-compiler. All other packages can be built from source without
> modifications. I didn't find any other runtime / ABI issues so far.
>
> >
> > > 2. shrinksafe has no reverse-dependencies
> >
> > That is true, but src:dojo has ledgersmb and tt-rss as
> reverse-dependencies.
>
> I used codesearch.debian.net and found only documentation or other minor
> references of shrinksafe in affected packages.
>
> https://codesearch.debian.net/search?q=shrinksafe=1
>
> Since all Java tests in dojo pass after the rebuild and almost all of the
> code
> in dojo is Javascript anyway, I don't see how ledgersmb and tt-rss can be
> affected by the new rhino version. Wouldn't those packages depend on rhino
> in
> some way? To me it seems rhino is only required to build shrinksafe which
> can
> be used for compressing Javascript files. But maybe the dojo maintainers
> can
> chime in here.
>

Yes shrinksafe is only used for compression.

Bastien

>
>
> Regards,
>
> Markus
> --
> Pkg-javascript-devel mailing list
> pkg-javascript-de...@alioth-lists.debian.net
>
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
>

Bug#993301: prototypejs: FTBFS

[Bastien ROUCARIES]

Le mer. 17 nov. 2021 à 13:02, Andreas Beckmann  a écrit :

> Control: tag -1 moreinfo
>
> On Mon, 30 Aug 2021 12:23:22 + "=?utf-8?q?Bastien_Roucari=C3=A8s?="
>  wrote:
> > Source: prototypejs
> > Severity: serious
> > Justification: 4
> >
> > Dear Maintainer,
> >
> > The source is https://github.com/prototypejs/prototype/tree/master and
> need
> > rake for building...
> >
> > So FTBFS
>
> I can rebuild prototypejs/1.7.1-3.1 in sid and bullseye without
> problems. What errors do you encounter?
>

Yes but this not prefered source of modification...

> There is a new upstream release 1.7.3 (from 2015) available on github.
> Does that version fail?
>
> And how is this related to rake?
>
Sée thé salsa tree un order to understand why i need rake

>
>
> Andreas
>

Bug#996836: [Pkg-javascript-devel] Bug#996836: node-webpack: webpack embeds binary files in es-module-lexer component

[Bastien ROUCARIES]

Le mar. 19 oct. 2021 à 16:12, Yadd  a écrit :

> Source: node-webpack
> Version: 5.58.2+~cs5.11.7-1
> Severity: serious
> Justification: DFSG
>
> webpack 5.58 uses es-module-lexer. For now, this component is downloaded
> including some binary files (WASM,...). This should be fixed before
> going to unstable.
>

I really hate wasm...

What is the source language ? Rust ?

>
> --
> Pkg-javascript-devel mailing list
> pkg-javascript-de...@alioth-lists.debian.net
>
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
>

Bug#994451: golang-github-containers-common: secomp.json does not include newer syscall used by stable kernel/glibc on arm

[Bastien ROUCARIES]

Le lun. 27 sept. 2021 à 16:08, Reinhard Tartler  a écrit :
>
>
> On Thu, Sep 16, 2021 at 4:18 AM Bastien Roucariès 
>  wrote:
>>
>> Package: golang-github-containers-common
>> Version: 0.33.4+ds1-1
>> Severity: critical
>> Tags: upstream
>> Forwarded: 
>> https://github.com/containers/common/commit/42d1db16bfc0dbaee5781d230dc2bcbaa0849c6e
>> Control: fixed -1 0.42.1+ds1-1
>>
>> Dear Maintainer,
>>
>> golang-github-containers-common in stable does not include recent syscall 
>> used
>> by stable kernel/glibc breaking in my case simple container that do 
>> unattended-
>> upgrade on arm
>> particularly syscall=436 that is timer_settime64
>>
>> I believe this should be fixed in a point release.
>
>
> I agree. I realized that these syscall changes also affect amd64. I was able 
> to reproduce the issue
> by running a distribution that ships with glibc 2.34, such as ubuntu impish. 
> The testcase would be:
>
> $ podman run --rm -it ubuntu:impish sh -c 'apt update -qq && apt -y 
> full-upgrade && apt install -y libc6 jq'
>
> The symptom is described in more detail at 
> https://bugs.launchpad.net/ubuntu/+source/libpod/+bug/1943049
>
> The problem here is that the issue is not simply dealt with updating the 
> secomp.json file, but also some code changes are required
> that allow setting the default return value for some syscalls. This means 
> that in order to fix this issue in stable, 3 uploads are needed:
>
> - golang-github-opencontainers-specs
> - golang-github-containers-common
> - libpod
>
> I'm cloning this bug appropriately so that these uploads can be tracked 
> separately.
> For now,I've backported and verified the changes. For your convenience, I've 
> uploaded the packages I got so far to
> https://people.debian.org/~siretart/bug.994451/
>
>>
>> BTW I strongly believe that  seccomp.json is a config file and should be
>> shipped in /etc and 988443  should also be shipped in stable.
>
>
> I could get convinced if the issue was fixable by just upading the 
> seccomp.json policy file.
> Sadly, that's not the case.
It seems that recent version of this package allow to change at exec
time the seccomp.json file.
But for this version, you take the point it need rebuilt.

Note that I have fixed this problem by manually using the unstable
version on my stable.

Bastien


> Stable Release team, I think this bug should be cloned with those 
> instructions:
>
>
> --
> regards,
> Reinhard

Bug#994974: [Pkg-javascript-devel] Bug#994974: node-define-property: Please deembed and fix vulnereability

[Bastien ROUCARIES]

Le ven. 24 sept. 2021 à 08:16, Jonas Smedegaard  a écrit :
>
> Hi Bastien,
>
> Quoting Bastien Roucariès (2021-09-24 09:49:37)
> > Package: node-define-property
> > Severity: serious
> > Tags: security upstream fixed-upstream
> > Justification: security bug
> > Forwarded: https://github.com/jonschlinkert/define-property/pull/6
> > X-Debbugs-Cc: Debian Security Team 
> >
> > Dear Maintainer,
> >
> > According to
> > https://www.npmjs.com/advisories/1490
> > node-define-property is vulnerable
> >
> >
> > Because it embed small modules that are vulnerable.
>
> Sorry, I don't see the advisory mentioning define-property anywhere, and
> don't see our actual code calling "constructor" anywhere, as seems to be
> what the security in the advisory is about.
>
> Your reference to a PR 6 seems to be tied to an older version of
> define-property than in Debian.
>
> Please elaborate how this vulnerability affects code in Debian.
>
>
> > Embdeding is bad and we have here another proof
>
> I was puzzled at first, but think I now understand your point:
>
> Embedding in general is not necessarily bad but is complex to do right -
> embedding without proper tracking is bad.

Yes it is lack of README.Sources, lack of lintian tag

>
> What confused me is that at first I thought you were ranting about
> Debian practice of embedding, but it seems you are ranting about lack of
> tracking of (either upstream or Debian-introduced) embedding.  Do I
> understand that correctly?

Yes it is

Fixed nevertheless
>
> Thanks for reporting, regardless,
>
>  - Jonas
>
> --
>  * Jonas Smedegaard - idealist & Internet-arkitekt
>  * Tlf.: +45 40843136  Website: http://dr.jones.dk/
>
>  [x] quote me freely  [ ] ask before reusing  [ ] keep private

Bug#994720: [Pkg-javascript-devel] Bug#994720: nodejs: Please depends of sse2-support

[Bastien ROUCARIES]

Le dim. 19 sept. 2021 à 21:03, Jérémy Lal  a écrit :
>
>
>> Le dim. 19 sept. 2021 à 22:33, Bastien Roucariès 
>>  a écrit :
>>
>> Source: nodejs
>> Severity: serious
>> Tags: patch
>> Justification: base arch
>> Forwarded: 
>> https://chromium.googlesource.com/v8/v8.git/+/e825c4318eb2065ffdf9044aa6a5278635c36427
>>
>> Dear Maintainer,
>>
>> libv8 need sse2 on i386 since 2017...
>>
>> I asked upstream better communication with us, but we must depends on
>> sse2-support
>>
>> Patch because I will fix on git asap I have a bug number.
>>
>
> [i386] sse2-support is already a dependency... but that fact has not made it 
> to buster.
Yes and b-d should also depends
>
> Jérémy

Bug#994703: [Pkg-javascript-devel] Bug#994703: Bug#994703: nodejs: please documents deps or avoid it

[Bastien ROUCARIES]

Le dim. 19 sept. 2021 à 19:33, Jérémy Lal  a écrit :
>
>
>
> Le dim. 19 sept. 2021 à 18:54, Bastien Roucariès 
>  a écrit :
>>
>> Package: nodejs
>> Version: 12.22.5~dfsg-2
>> Severity: serious
>>
>> Dear Maintainer,
>>
>> README.source should document the deps directory.
>>
>> It will be better to remove some libs from deps. Why libz is needed for node 
>> ?
>> Could we push this plugin stuff to libz and so on.
>>
>> Acorn embdeded should be fixed by recent version.
>>
>> openssl one is worry some..
>
>
> Hi,
>
> What's in ./deps/ is mostly not used for building node.
> It's pretty much obvious if you look at ./debian/rules configure flags.

Yes but README.Source is in this case good
>
> I believe it is not common practice to remove unused files, as long as it's 
> okay with DFSG.
Yes also
> That's why
> zlib, openssl, nghttp2, http-parser, uv, c-ares, brotli
> are kept around in ./deps/ directory.
>
> This is actually useful, it makes debugging against "upstream-like" builds 
> easier.

Yes but in order to be less worried about something in this huge code
base use these files, I will really prefer to move the deps dir before
configure or removing the -r bit in order to avoid something strange

I was hit ten years ago by some leaking hardcoded path on a project I
compiled, and I really prefer to be paraonoiac on this side

Bastien

> Jérémy
>
> --
> Pkg-javascript-devel mailing list
> pkg-javascript-de...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel

Bug#994603: errormsg

[Bastien ROUCARIES]

 debian/upstream

To fix the situation please do the following:
  1) Examine debian/copyright_* and referenced files
  2) Update debian/copyright as needed
  3) Replace debian/copyright_hints with debian/copyright_newhints
touch debian/stamp-copyright-check
touch debian/stamp-upstream-cruft
node-gyp configure
gyp info it worked if it ends with ok
gyp info using node-gyp@7.1.2
gyp info using node@12.22.5 | linux | x64
gyp info find Python using Python version 3.9.7 found at "/usr/bin/python3"
gyp info spawn /usr/bin/python3
gyp info spawn args [
gyp info spawn args   '/usr/share/nodejs/node-gyp/gyp/gyp_main.py',
gyp info spawn args   'binding.gyp',
gyp info spawn args   '-f',
gyp info spawn args   'make',
gyp info spawn args   '-I',
gyp info spawn args   '/tmp/node-stringprep/build/config.gypi',
gyp info spawn args   '-I',
gyp info spawn args   '/usr/share/nodejs/node-gyp/addon.gypi',
gyp info spawn args   '-I',
gyp info spawn args   '/usr/include/nodejs/common.gypi',
gyp info spawn args   '-Dlibrary=shared_library',
gyp info spawn args   '-Dvisibility=default',
gyp info spawn args   '-Dnode_root_dir=/usr/include/nodejs',
gyp info spawn args   '-Dnode_gyp_dir=/usr/share/nodejs/node-gyp',
gyp info spawn args
'-Dnode_lib_file=/usr/include/nodejs/<(target_arch)/node.lib',
gyp info spawn args   '-Dmodule_root_dir=/tmp/node-stringprep',
gyp info spawn args   '-Dnode_engine=v8',
gyp info spawn args   '--depth=.',
gyp info spawn args   '--no-parallel',
gyp info spawn args   '--generator-output',
gyp info spawn args   'build',
gyp info spawn args   '-Goutput_dir=.'
gyp info spawn args ]
gyp info ok
touch debian/stamp-node-gyp-configure
V=1  CC="cc"  CXX="g++"  CFLAGS="-g -O2
-ffile-prefix-map=/tmp/node-stringprep=. -fstack-protector-strong
-Wformat -Werror=format-security"  CXXFLAGS="-g -O2
-ffile-prefix-map=/tmp/node-stringprep=. -fstack-protector-strong
-Wformat -Werror=format-security"  CPPFLAGS="-Wdate-time
-D_FORTIFY_SOURCE=2"  LDFLAGS="-Wl,-z,relro -Wl,-z,now" \
node-gyp build
gyp info it worked if it ends with ok
gyp info using node-gyp@7.1.2
gyp info using node@12.22.5 | linux | x64
gyp info spawn make
gyp info spawn args [ 'BUILDTYPE=Release', '-C', 'build' ]
make[1] : on entre dans le répertoire « /tmp/node-stringprep/build »
  g++ -o Release/obj.target/node_stringprep/node-stringprep.o
../node-stringprep.cc '-DNODE_GYP_MODULE_NAME=node_stringprep'
'-DUSING_UV_SHARED=1' '-DUSING_V8_SHARED=1'
'-DV8_DEPRECATION_WARNINGS=1' '-DV8_DEPRECATION_WARNINGS'
'-DV8_IMMINENT_DEPRECATION_WARNINGS' '-D_LARGEFILE_SOURCE'
'-D_FILE_OFFSET_BITS=64' '-D__STDC_FORMAT_MACROS'
'-DBUILDING_NODE_EXTENSION' -I/usr/include/nodejs/include/node
-I/usr/include/nodejs/src -I/usr/include/nodejs/deps/openssl/config
-I/usr/include/nodejs/deps/openssl/openssl/include
-I/usr/include/nodejs/deps/uv/include -I/usr/include/nodejs/deps/zlib
-I/usr/include/nodejs/deps/v8/include -I../../../usr/share/nodejs/nan
-fPIC -pthread -Wall -Wextra -Wno-unused-parameter -m64 -fPIC -O3
-fno-omit-frame-pointer -fno-rtti -std=gnu++1y `pkg-config icu-i18n
--cflags` -MMD -MF
./Release/.deps/Release/obj.target/node_stringprep/node-stringprep.o.d.raw
-Wdate-time -D_FORTIFY_SOURCE=2 -g -O2
-ffile-prefix-map=/tmp/node-stringprep=. -fstack-protector-strong
-Wformat -Werror=format-security -c
../node-stringprep.cc:20:26: error: ‘Handle’ has not been declared
   20 |   static void Initialize(Handle target)
  |  ^~
../node-stringprep.cc:20:32: error: expected ‘,’ or ‘...’ before ‘<’ token
   20 |   static void Initialize(Handle target)
  |^
../node-stringprep.cc:154:5: warning: dynamic exception specifications
are deprecated in C++11 [-Wdeprecated]
  154 | throw(UnknownProfileException)
  | ^
../node-stringprep.cc: In static member function ‘static void
StringPrep::Initialize(int)’:
../node-stringprep.cc:28:5: error: ‘target’ was not declared in this scope
   28 | target->Set(Nan::New("StringPrep").ToLocalChecked(),
t->GetFunction());
  | ^~
../node-stringprep.cc:28:81: error: no matching function for call to
‘v8::FunctionTemplate::GetFunction()’
   28 | target->Set(Nan::New("StringPrep").ToLocalChecked(),
t->GetFunction());
  |
 ^
In file included from /usr/include/nodejs/src/node.h:67,
 from ../../../usr/share/nodejs/nan/nan.h:56,
 from ../node-stringprep.cc:1:
/usr/include/nodejs/deps/v8/include/v8.h:6126:46: note: candidate:
‘v8::MaybeLocal
v8::FunctionTemplate::GetFunction(v8::Local)’
 6126 |   V8_WARN_UNUSED_RESULT MaybeLocal GetFunction(
  |  ^~~
/usr/include/nodejs/deps/v8/include/v8.h:6126:46: note:   candidate
expects 1 argument, 0 provided
../node-stringprep.cc: In static member function ‘static
Nan::NAN_METHOD_RETURN_TYPE
StringPrep::New(Nan::NAN_METHOD_ARGS_TYPE)’:
../node-stringprep.cc:48:48: error: no matching function for call to

Bug#992150:

[Bastien ROUCARIES]

control: reassign -1 src:firefox-esr

Bug#992150: Please allow symlink in system extension

[Bastien ROUCARIES]

Followup-For: Bug #992150
Control: clone -1 -2
Control: assign -1 src:firefox-esr

Bug#980202: FTBFS: gscan2pdf tests fail

[Bastien ROUCARIES]

Hi,

Just uploaded 6.9.11-58 as suggested by upstream.

No changes unfortunately

Bastien

Le ven. 22 janv. 2021 à 19:30, Cristy  a écrit :
>
> Subject "convert fails to create image with text" claims
>
> convert +matte -depth 1 -colorspace Gray -pointsize 12 -units PixelsPerInch 
> -density 300 label:"The quick brown fox" test.png
>
> returns unexpected results. We tried the command with ImageMagick 6.9.11-58 
> and get expected results under Fedora 33 and Debian 4.19.160-2 I686. Can you 
> try -58 on your system? Do you get expected results (test-old.png from bug 
> report)?
>
> Thanks,
>
> ImageMagick Development Team

Bug#979942: [Pkg-javascript-devel] Bug#979942: Bug#979942: Bug#979942: embedding dead code is no fix to bug for removing that same dead code

[Bastien ROUCARIES]

Le mar. 12 janv. 2021 à 21:02, Jonas Smedegaard  a écrit :
>
> Quoting Bastien ROUCARIES (2021-01-12 21:17:36)
> > Fixed it was a little bit hard to test options of compression one by
> > one but it work now.

Hi,

It was harder than I thought.

This time I document the requirement for this package under
https://salsa.debian.org/js-team/node-browser-pack/-/blob/master/debian/rules#L13

And I think I have suffisantly documented the bandaid method in case
of future problems

Could you confirm I am clear ?

Bastien
>
> Great!  Thanks!
>
>  - Jonas
>
> --
>  * Jonas Smedegaard - idealist & Internet-arkitekt
>  * Tlf.: +45 40843136  Website: http://dr.jones.dk/
>
>  [x] quote me freely  [ ] ask before reusing  [ ] keep private

Bug#979942: [Pkg-javascript-devel] Bug#979942: Bug#979942: embedding dead code is no fix to bug for removing that same dead code

[Bastien ROUCARIES]

Hi,

Fixed it was a little bit hard to test options of compression one by
one but it work now.


Le mar. 12 janv. 2021 à 17:48, Xavier  a écrit :
>
> Control: tags -1 reopen
> Control: severity -1 serious
>
> Le 12/01/2021 à 18:17, Jonas Smedegaard a écrit :
> > Quoting Debian FTP Masters (2021-01-12 18:06:40)
> >>  node-browser-pack (6.1.0+ds-7) unstable; urgency=medium
> >>  .
> >>* Team upload
> >>* Bump debhelper compatibility level to 13
> >>* Declare compliance with policy 4.5.1
> >>* Use dh-sequence-nodejs
> >>* Remove dependency to node-uglify but embed node-uglify in 
> >> build_modules
> >>  else build file is wrong (Closes: #979942)
> >
> > Do I read the above correctly that node-browser-pack "fixes" node-uglify
> > going away by embedding it, hidden?
> >
> > I disagree that that is a fix.
>
> OK, but I didn't succeed to fix that, let's reopen, upgrade severity and
> wait for someone else to fix it
>
> --
> Pkg-javascript-devel mailing list
> pkg-javascript-de...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel

Bug#971216: Bug#977205: imagemagick: CVE-2020-29599

[Bastien ROUCARIES]

hi,

I am ok with this but could you mention, the whole list of format
instead of ghostscript format in changelog aka (pdf, eps, ps)

Bastien

Le dim. 3 janv. 2021 à 14:21, Salvatore Bonaccorso  a écrit :
>
> Hi Bastien,
>
> Hope you are ok.
>
> On Tue, Dec 15, 2020 at 10:34:59AM +0100, Bastien ROUCARIES wrote:
> > Hi,
> >
> > As said on debian-provate go ahead please. I am late due to payjob issue.
>
> Alright attached is a proposed debdiff for covering the CVEs, but
> please double check them as well please (it includes as well disabling
> the ghostscript handled formats).
>
> There is though another RC bug, #971216 which needs handling for
> bullseye and unstable.
>
> Can you take it from here in case you got more free time?
>
> Regards,
> Salvatore

Bug#977205: imagemagick: CVE-2020-29599

[Bastien ROUCARIES]

Hi,

As said on debian-provate go ahead please. I am late due to payjob issue.

Bastien

On Sat, Dec 12, 2020 at 3:06 PM Salvatore Bonaccorso  wrote:
>
> Source: imagemagick
> Version: 8:6.9.11.24+dfsg-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: car...@debian.org, Debian Security Team 
> 
>
> Hi,
>
> The following vulnerability was published for imagemagick.
>
> A very extensive blogpost[1] explains the issue, and note that the
> provided POC though does only work so far in ImageMagick7 the issue is
> present as well in legacy ImageMagick 6, affected versions should be
> around 6.9.8-1 onwards.
>
> The required fixes for ImageMagick6 are referenced in the
> security-tracker.
>
> As a side node: For buster the issue is mitigated as the recent DSA
> included the 200-disable-ghostscript-formats.patch patch and disables
> ghostscript handled formats. As a hardening measure against those
> issue it might be ideal to ship the disabling as well in bullseye.
>
> CVE-2020-29599[0]:
> | ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the
> | -authenticate option, which allows setting a password for password-
> | protected PDF files. The user-controlled password was not properly
> | escaped/sanitized and it was therefore possible to inject additional
> | shell commands via coders/pdf.c.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2020-29599
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29599
> [1] 
> https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html
>
> Regards,
> Salvatore
>
> -- System Information:
> Debian Release: bullseye/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 5.10.0-rc6-amd64 (SMP w/8 CPU threads)
> Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>

Bug#952312: [Pkg-javascript-devel] Bug#952312: Bug#952312: Bug#952312: node-eslint-scope: FTBFS: tests failed

[Bastien ROUCARIES]

Le mar. 25 févr. 2020 à 19:48, Jonas Smedegaard  a écrit :

> control: reassign -1 node-espree
> control: affects -1 node-eslint-scope
>
> Quoting Xavier (2020-02-25 18:29:35)
> > Le 23/02/2020 à 14:50, Lucas Nussbaum a écrit :
> > > During a rebuild of all packages in sid, your package failed to
> > > build on amd64.
> >
> > Some test are incompatible with node-espree-6. The fix could be
> > simply:
>
> Certainly not a fix to disable tests.
>
> The package node-espree has exactly one reverse dependency which is
> node-eslint-scope, so this is a case of bad coordination.
>
> (yes, another fix would be to upgrade node-eslint-scope, but that is
> more complex and less urgent, so let's roll back first and work on going
> forward in experimental first



Node-espree was upgraded due to not compatible with acorn6...

So upgrade is safer

> )
>
>
>  - Jonas
>
> --
>  * Jonas Smedegaard - idealist & Internet-arkitekt
>  * Tlf.: +45 40843136  Website: http://dr.jones.dk/
>
>  [x] quote me freely  [ ] ask before reusing  [ ] keep private--
> Pkg-javascript-devel mailing list
> pkg-javascript-de...@alioth-lists.debian.net
>
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel

Bug#951398: Rebuild pax

[Bastien ROUCARIES]

On Mon, Feb 17, 2020 at 10:12 PM Norbert Preining  wrote:
>
> Hi Bastien,
>
> On Mon, 17 Feb 2020, Bastien ROUCARIES wrote:
> > For rebuilding pax you need to apply this patch then from
>
> Ok, it is not that easy but done that now.
>
> > source/pax/latex/pax run ant
>
> ok.
>
> This script generates **three** files:
> texmf-dist/tex/latex/pax/pax.jargood
> texmf-dist/tex/latex/pax/lib/commons-logging.jar
> texmf-dist/tex/latex/pax/lib/pdfbox.jar
>
> Are the last two necessary there, i.e., should we replace them with
> links to the respective files in the installed packages?

They need to be replaced by link to their respective package (normally
it is symlink to /usr/share/commons-logging.jar)

Best

Bastien
>
> Best
>
> Norbert
>
> --
> PREINING Norbert  https://www.preining.info
> Accelia Inc. + IFMGA ProGuide + TU Wien + JAIST + TeX Live + Debian Dev
> GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13

Bug#951398: Patch

[Bastien ROUCARIES]

control: tags -1 + patch

Patch file

Bug#918642: imagemagick: identify 6.9.10-23 doesn't convert units (pixels per cm/in)

[Bastien ROUCARIES]

control: fowarded -1 https://github.com/ImageMagick/ImageMagick/issues/1442

Thanks

On Mon, Jan 7, 2019 at 10:57 PM Cédric Boutillier  wrote:
>
> Package: imagemagick
> Version: 8:6.9.10.23+dfsg-1
> Severity: serious
> Tags: upstream
>
> Dear Maintainer,
>
> After the upgrade from 6.9.10.14 to 6.9.10.23, I noticed that the
> autopkgtests for the package ruby-mini-magick is failing due to one test
> about checking units to show the size of the image in cm and inches.
>
> I could isolate the problem by running the `identify` command on a test
> image (rgb.png in the spec/fixtures directory of the ruby-mini-magick
> source package).
>
> Running:
> identify -verbose -units PixelsPerInch rgb.png > output_in.txt
> identify -verbose -units PixelsPerCentimeter rgb.png > output_cm.txt
> diff -u output_in.txt output_cm.txt
>
> gives me the following with 8:6.9.10-14 from testing:
>
> --- /tmp/output_cm.txt  2019-01-07 22:32:49.257702663 +0100
> +++ /tmp/output_in.txt  2019-01-07 22:32:40.457055525 +0100
> @@ -3,9 +3,9 @@
>Mime type: image/png
>Class: PseudoClass
>Geometry: 16x12+0+0
> -  Resolution: 118.11x118.11
> -  Print size: 0.135467x0.1016
> -  Units: PixelsPerCentimeter
> +  Resolution: 300x300
> +  Print size: 0.053x0.04
> +  Units: PixelsPerInch
>Colorspace: sRGB
>Type: Palette
>Base type: Undefined
> @@ -118,12 +118,11 @@
>  signature: 
> 0d23f0078b8f89ca473e67bb38773cb94fd8ec5591e4207e83ff95cb27a6a0dd
>Artifacts:
>  filename: rgb.png
> -units: PixelsPerCentimeter
> +units: PixelsPerInch
>  verbose: true
>Tainted: False
>Filesize: 359B
>Number pixels: 192
> -  Pixels per second: 19200B
> -  User time: 0.010u
> -  Elapsed time: 0:01.010
> +  User time: 0.000u
> +  Elapsed time: 0:01.000
>Version: ImageMagick 6.9.10-14 Q16 x86_64 20181023 https://imagemagick.org
>
> whereas it gives the following with 8:6.9.10-23 (with a suffix -23 to
> the text files).
>
> --- /tmp/output_cm-23.txt   2019-01-07 22:34:38.136761722 +0100
> +++ /tmp/output_in-23.txt   2019-01-07 22:34:45.201163917 +0100
> @@ -5,7 +5,7 @@
>Geometry: 16x12+0+0
>Resolution: 118.11x118.11
>Print size: 0.135467x0.1016
> -  Units: PixelsPerCentimeter
> +  Units: PixelsPerInch
>Colorspace: sRGB
>Type: Palette
>Base type: Undefined
> @@ -118,7 +118,7 @@
>  signature: 
> 0d23f0078b8f89ca473e67bb38773cb94fd8ec5591e4207e83ff95cb27a6a0dd
>Artifacts:
>  filename: rgb.png
> -units: PixelsPerCentimeter
> +units: PixelsPerInch
>  verbose: true
>Tainted: False
>Filesize: 359B
>
> Maybe it was induced by this change?
> https://github.com/ImageMagick/ImageMagick6/commit/8c7648a1adf7bba35594074f191affd3ff3263bb
>
> Attaching the reference image and the full output files.
>
> I am setting severity serious, as it breaks the testsuite of
> ruby-mini-magick and provides wrong data when identifying images.
>
> Thank you in advance
>
> Cédric
>
>
>
> -- Package-specific info:
> ImageMagick program version
> ---
> animate:  ImageMagick 6.9.10-23 Q16 x86_64 20190101 https://imagemagick.org
> compare:  ImageMagick 6.9.10-23 Q16 x86_64 20190101 https://imagemagick.org
> convert:  ImageMagick 6.9.10-23 Q16 x86_64 20190101 https://imagemagick.org
> composite:  ImageMagick 6.9.10-23 Q16 x86_64 20190101 https://imagemagick.org
> conjure:  ImageMagick 6.9.10-23 Q16 x86_64 20190101 https://imagemagick.org
> display:  ImageMagick 6.9.10-23 Q16 x86_64 20190101 https://imagemagick.org
> identify:  ImageMagick 6.9.10-23 Q16 x86_64 20190101 https://imagemagick.org
> import:  ImageMagick 6.9.10-23 Q16 x86_64 20190101 https://imagemagick.org
> mogrify:  ImageMagick 6.9.10-23 Q16 x86_64 20190101 https://imagemagick.org
> montage:  ImageMagick 6.9.10-23 Q16 x86_64 20190101 https://imagemagick.org
> stream:  ImageMagick 6.9.10-23 Q16 x86_64 20190101 https://imagemagick.org
>
> -- System Information:
> Debian Release: buster/sid
>   APT prefers unstable-debug
>   APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), 
> (1, 'experimental')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
> Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= 
> (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages imagemagick depends on:
> ii  imagemagick-6.q16  8:6.9.10.23+dfsg-1
>
> imagemagick recommends no packages.
>
> imagemagick suggests no packages.
>
> -- no debconf information

Bug#916839: imagemagick: Silent ABI break in 6.9.10-11 on i386

[Bastien ROUCARIES]

Hi,

I have uploaded a newer version fixing the problem. Could you ask
release team a rebuild.

BTW could you get a glimpse at ruby-mini-magick ? It seems choked

Bastien

On Sat, Jan 5, 2019 at 4:08 PM Balint Reczey
 wrote:
>
> Hi Bastien,
>
> On Fri, Jan 4, 2019 at 8:41 PM Balint Reczey
>  wrote:
> >
> > Hi,
> >
> > On Thu, Dec 20, 2018 at 6:46 AM Bastien ROUCARIES
> >  wrote:
> > >
> > > On Wed, Dec 19, 2018 at 12:09 PM Balint Reczey
> > >  wrote:
> > > >
> > > > Package: imagemagick
> > > > Version: 8:6.9.10.14+dfsg-1
> > > > Severity: grave
> > > > Control: forwareded -1 
> > > > https://github.com/ImageMagick/ImageMagick6/issues/31
> > > > Control: tags -1 upstream fixed-upstream
> > > > Control: affects -1 ruby-rmagick
> > > >
> > > > Hi,
> > > >
> > > > The ABI broke in 6.9.10-11 due to changing MagickDoubleType to double
> > > > from long double.
> > > > This breaks ruby-rmagick and possibly other reverse dependencies, thus
> > > > after fixing imagemagick please check if some reverse dependencies
> > > > need to be rebuilt. The fix will be available in the .18 upstream
> > > > release.
> > >
> > > Exact, this will need a so bump I suppose...
> >
> > Since the ABI broke only in unstable and testing and only affected
> > i386 and possibly a few rare arches not in Ubuntu I'd say a few
> > rebuilds would suffice. Upstream did not do a major ABI bump either
> > and released the fix.
>
> I have uploaded an NMU to DELAYED/5 with the attached fix, which is
> already included in Ubuntu.
> This will enter the archive before the transition freeze thus Buster
> will be fixed even if no upload is made to imagemagick in the next
> week, but feel free to override it an upload a better fix like a full
> new upstream release.
>
> Cheers,
> Balint
>
> >
> > Cheers,
> > Balint
> >
> > >
> > > Bastien
> > >
> > >
> > >
> > > >
> > > > Cheers,
> > > > Balint
> > > >
> > > > --
> > > > Balint Reczey
> > > > Ubuntu & Debian Developer
> > > >
> >
> >
> >
> > --
> > Balint Reczey
> > Ubuntu & Debian Developer
>
>
>
> --
> Balint Reczey
> Ubuntu & Debian Developer

Bug#916839: imagemagick: Silent ABI break in 6.9.10-11 on i386

[Bastien ROUCARIES]

On Wed, Dec 19, 2018 at 12:09 PM Balint Reczey
 wrote:
>
> Package: imagemagick
> Version: 8:6.9.10.14+dfsg-1
> Severity: grave
> Control: forwareded -1 https://github.com/ImageMagick/ImageMagick6/issues/31
> Control: tags -1 upstream fixed-upstream
> Control: affects -1 ruby-rmagick
>
> Hi,
>
> The ABI broke in 6.9.10-11 due to changing MagickDoubleType to double
> from long double.
> This breaks ruby-rmagick and possibly other reverse dependencies, thus
> after fixing imagemagick please check if some reverse dependencies
> need to be rebuilt. The fix will be available in the .18 upstream
> release.

Exact, this will need a so bump I suppose...

Bastien



>
> Cheers,
> Balint
>
> --
> Balint Reczey
> Ubuntu & Debian Developer
>

Bug#908081: NMU

[Bastien ROUCARIES]

Hi,

I plan to do a NMU in a week about this bug.

Can you ACK ?

Thanks

Bastien

Bug#876618: [Pkg-javascript-devel] Bug#876618: science.js build-depends on removed nodejs-legacy

[Bastien ROUCARIES]

Il

Le ven. 28 sept. 2018 à 07:27, Petter Reinholdtsen  a
écrit :

> Control: tags -1 + help upstream confirmed
>
> [Jérémy Lal]
> > Depending on nodejs-legacy was a serious bug in the first place.
> > Anyway (nodejs >= 6.11.2~) installs /usr/bin/node now.
>
> I had a look at this, and do not know how to fix it.  Replacing
> nodejs-legacy with nodejs in d/control is simple enough, but then the build
> fail like this:
>
> cat science.core.js science.lin.js science.stats.js >> science.v1.js
> uglifyjs < science.v1.js > science.v1.min.js
> node src/package.js > package.json
> (node:7549) [DEP0027] DeprecationWarning: util.puts is deprecated. Use
> console.log instead.
> rm science.stats.js science.lin.js science.core.js
> make[2]: Leaving directory '/home/pere/src/debian/science.js-debian'
> make[1]: Leaving directory '/home/pere/src/debian/science.js-debian'
>debian/rules override_dh_auto_test
> make[1]: Entering directory '/home/pere/src/debian/science.js-debian'
> vows test/env-assert.js test/\*/\*-test.js
> module.js:549
> throw err;
> ^
>

Vow need to be updated or your pa ckage néed to dépend to node-glob

>
> Error: Cannot find module 'glob'
> at Function.Module._resolveFilename (module.js:547:15)
> at Function.Module._load (module.js:474:25)
> at Module.require (module.js:596:17)
> at require (internal/module.js:11:18)
> at Object. (/usr/lib/nodejs/vows/bin/vows:7:14)
> at Module._compile (module.js:652:30)
> at Object.Module._extensions..js (module.js:663:10)
> at Module.load (module.js:565:32)
> at tryModuleLoad (module.js:505:12)
> at Function.Module._load (module.js:497:3)
> make[1]: *** [debian/rules:17: override_dh_auto_test] Error 1
> make[1]: Leaving directory '/home/pere/src/debian/science.js-debian'
> make: *** [debian/rules:8: build] Error 2
> dpkg-buildpackage: error: debian/rules build subprocess returned exit
> status 2
> debuild: fatal error at line 1152:
> dpkg-buildpackage -rfakeroot -us -uc -ui -ICVS -I.#* -I.cvsignore -I.bzr
> -I.svn -I.git failed
>
> Note, the git repo is at salsa now,
> https://salsa.debian.org/js-team/science.js.git >.
>
> --
> Happy hacking
> Petter Reinholdtsen
>
> --
> Pkg-javascript-devel mailing list
> pkg-javascript-de...@alioth-lists.debian.net
>
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel

Bug#903404: libopengl-image-perl: FTBFS with new imagemagick

[Bastien ROUCARIES]

control: reassign -1 src:imagemagick
control: affects -1 libopengl-image-perl
control: notfound -1 1.03-1
control: found -1 8:6.9.10.2+dfsg-2

On Mon, Jul 9, 2018 at 5:15 PM, gregor herrmann  wrote:
> Package: libopengl-image-perl
> Version: 1.03-1
> Severity: serious
> Tags: ftbfs sid buster
> Justification: fails to build from source (but built successfully in the past)
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> As first discovered by ci.debian.net, libopengl-image-perl fails the
> testsuite after the upgrade of imagemagick:
>
> - -imagemagick-6-common 8:6.9.9.39+dfsg-1
> +imagemagick-6-common 8:6.9.10.2+dfsg-2
> - -libimage-magick-perl 8:6.9.9.39+dfsg-1
> - -libimage-magick-q16-perl 8:6.9.9.39+dfsg-1
> +libimage-magick-perl 8:6.9.10.2+dfsg-2
> +libimage-magick-q16-perl 8:6.9.10.2+dfsg-2
> - -libmagickcore-6.q16-5 8:6.9.9.39+dfsg-1
> +libmagickcore-6.q16-6 8:6.9.10.2+dfsg-2
>
>
>dh_auto_test
> make -j1 test TEST_VERBOSE=1
> make[1]: Entering directory '/build/libopengl-image-perl-1.03'
> PERL_DL_NONLAZY=1 "/usr/bin/perl" "-MExtUtils::Command::MM" "-MTest::Harness" 
> "-e" "undef *Test::Harness::Switches; test_harness(1, 'blib/lib', 
> 'blib/arch')" t/*.t
>
> 
> Testing OpenGL::Image
> - 
> Using OpenGL v0.7
> * ok: OpenGL::Image module loaded: v1.03
> * skip: Image::Magick module not installed: Invalid version format 
> (non-numeric data) at /usr/lib/x86_64-linux-gnu/perl/5.26/DynaLoader.pm line 
> 204.
> Compilation failed in require at /usr/share/perl/5.26/parent.pm line 16.
> BEGIN failed--compilation aborted at /usr/share/perl5/Image/Magick.pm line 22.
> Compilation failed in require at (eval 5) line 2.
> BEGIN failed--compilation aborted at (eval 5) line 2.
>
> Testing OpenGL::Image::GetEngines():
>   Magick: 6.9A
>   Targa: 1.01
> Targa is installed
> Magick is installed
> * ok: At least one imaging engine is installed
> * ok: HasEngine('Targa') returned '1.01'
> * ok: Instantiated OpenGL::Array
> * ok: Instantiated OpenGL::Image(width=>128,height=>128)
> * ok: GetPixel returns valid values used with SetPixel
> * ok: Save('test.tga') created image
> Bailout called.  Further testing stopped:
> * ok: Instantiated OpenGL::Image(source=>'test.tga')
> Testing object parameters:
>   alpha: 1
>   components: 4
>   endian: 0
>   engine: Targa
>   flipped: 0
>   gl_format: 32993
>   gl_internalformat: 32856
>   gl_type: 5121
>   height: 128
>   length: 65536
>   pixels: 16384
>   size: 1
>   source: test.tga
>   version: 1.01
>   width: 128
> * ok: Get() returned parameters
> * ok: Get('width','height','pixels') returned: 128 x 128 = 16384
> * ok: Set/Get Pixels within acceptable deviation: 0.000980392156862106
> * ok: IsPowerOf2() returned true
> * ok: GetArray() contains 65536 elements
> * ok: Ptr() returned a valid pointer
> * ok: GetBlob() returned a blob of length: 65536
> * bail: Unable to instantiate 
> OpenGL::Image(engine=>'Magick',source=>'test.png')
>
> ::Magick::Q16::constant not defined. The required ImageMagick libraries 
> are not installed or not installed properly.
> END failed--call queue aborted.
> FAILED--Further testing stopped.
> make[1]: *** [Makefile:837: test_dynamic] Error 22
> make[1]: Leaving directory '/build/libopengl-image-perl-1.03'
> dh_auto_test: make -j1 test TEST_VERBOSE=1 returned exit code 2
>
>
>
> This may or may not be
> $VERSION = '6.9A';
> in /usr/lib/x86_64-linux-gnu/perl5/5.26/Image/Magick/Q16.pm
>
> /usr/share/perl5/Image/Magick.pm line 22 is
> use parent qw/Image::Magick::Q16/;
>
> Cc'ing the libimage-magick-q16-perl maintainers.
>
>
> Cheers,
> gregor
>
> -BEGIN PGP SIGNATURE-
>
> iQKTBAEBCgB9FiEE0eExbpOnYKgQTYX6uzpoAYZJqgYFAltDfA5fFIAALgAo
> aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEQx
> RTEzMTZFOTNBNzYwQTgxMDREODVGQUJCM0E2ODAxODY0OUFBMDYACgkQuzpoAYZJ
> qgZhHA/+KRK1H2Vzc/vC2ZsJrz60ucvRgcpBxs2utwdSmkkd7QG1mYitfrTRVDCW
> HfjO2A7GV1fNVwByvq7fnY103bHBRAp2SA3be4pvv7ZEwj5Rx7zgAMemsNGP4AAU
> l+AqnyZ/3H/8De8KXAsD82Z2AQxQuNMXBkLSmG+HJ/LnDnD02BzcL4qTJZ9IdRy/
> D2Z178ai9oMVdBCZlaujttHLbThK1SPpUzzFTcBKkB3HoqyE7ONOpgbVZsDuv4NZ
> TqYvDTu4HO/4NGKhW5YUt4jblaH7mBhmCR8wkxuJfmghWXnZzWK7kOBJjWAKPXaV
> fFDWHnHN0gHyu5tvoLtwvF/ZG39QPoZRYAC6zG1hs31IaQVlpJp5DNJ6zTbABwhG
> IcaxiUYamlpX9bEs90JLpMgrQKqMnJMnZDU67R0zExPwLTdcSdSzLO0o3yOj7+Ut
> YQ1leNkJ4VzlNRQwwk23z0ARuKB1Tzh2mJRVkqjBJr7AXt/P3hQ+6vRkVf9V5Lk4
> Xqmz3q7q1EPs1KLiWPugSWZwzUkS34H2aA0/4lGU1s71fON56CDoRaBlHmWQeLwR
> B9kJvjDULNdxLXV+7whdo/crFWF6pTXJAClTXoT+Fh2ki27lfYMTNC+tAgevl1NR
> m84LnF7FLftZHJBXvCrvd+wV2evmKLbMNKfNUSyEuEPHVdHvu48=
> =/l5i
> -END PGP SIGNATURE-
>
> ___
> pkg-perl-maintainers mailing list
> pkg-perl-maintain...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-perl-maintainers

Bug#900855: [qtquickcontrols2-opensource-src] FTBFS font fontenello

[Bastien ROUCARIES]

Hi,

On Wed, Jun 6, 2018 at 2:34 PM, Lisandro Damián Nicanor Pérez Meyer
 wrote:
> Hi Bastien!
>
> El mar., 5 de jun. de 2018 19:12, Bastien ROUCARIÈS
>  escribió:
>>
>> Package: qtquickcontrols2-opensource-src
>> Severity: serious
>>
>> Hi,
>> examples/quickcontrols2/swipetoremove/fonts/fontello.ttf
>>
>> fail to build from source
>>
>> In your case I suppose they are no need to wait that I upload the package.
>>
>> A repack will be quicker
>
>
> Sorry, but I can't make sense of what you wrote


Source of the file quoted are here https://github.com/fontello/fontelico.font

it could not be build for now due to lack of depends.

It is a policy violation to ship something that could not be built.

They are a few solution:
- repack and remove the files
- wait, I am uploading a /fontelico.font

Bastien

Bug#831548: [Pkg-javascript-devel] Bug#831548: RM: mtasc -- ROM; obsoleted by newer standard web technologies

[Bastien ROUCARIES]

Hi,

On Sat, Jun 2, 2018 at 9:10 AM, Bastien ROUCARIES
 wrote:
>
>
> Le sam. 2 juin 2018 à 08:59, Niels Thykier  a écrit :
>>
>> On Sat, 23 Dec 2017 06:58:52 +0800 Paul Wise  wrote:
>> > Control: severity -1 serious
>> > Control: severity 831553 normal
>> >
>> > Hi everyone,
>> >
>> > The buster cycle is the right time to remove mtasc from the Debian
>> > archive. It has been unmaintained in Debian and upstream for years. The
>> > web ecosystem is moving away from Flash towards standard web tech,
>> > which can now replace most use of Flash. Debian should encourage our
>> > upstreams to move towards standard web tech like HTML5 and JavaScript.
>> >
>> > Please talk to your upstreams about transitioning away from
>> > ActionScript 2 towards HTML5 JavaScript. If they need to still
>> > support Flash for some users, then they should switch to something
>> > like Haxe but they should not build Flash files by default.
>> >
>> > On Fri, 22 Dec 2017 17:29:50 -0500 Scott Kitterman wrote:
>> >
>> > > 15 months later all but one of those bugs is still open.  Can you
>> > > either work
>> > > with the maintainers to get them done or close this request until it's
>> > > ripe
>> > > for processing.
>> >
>> > --
>> > bye,
>> > pabs
>> >
>> > https://wiki.debian.org/PaulWise
>>
>> Hi,
>>
>> This package (dojo) is officially maintained by the Javascript team but
>> appears to be de facto unmaintained.  It has several RC bugs and is
>> stalling the removal of obsolete packages (admittedly only from unstable).
>>
>> If you are still interested in maintaining the package, then please
>> resolve the RC bugs (at the very least this bug, which is blocking
>> others).  If there is no visible progress on resolving this bug in a
>> month from now, I will assume you are no longer interested in it and
>> that you will support a removal of dojo from unstable.
>>
>> I have explicitly included all listed maintainers and uploaders (except
>> for Frank, which appears to have disclaimed interest in this package per
>> #863693)
>>
>> Thanks,
>> ~Niels

I needed to merge shrinksafe back in dojo (upstream merge). I have
modified the control file and will upload ASAP.

Could you check if my merge is right (particularly d/control breaks/replaces).

Repo is here https://salsa.debian.org/js-team/dojo


Bastien

>
> Will get a glimpse.
>
> BTw it means that a few lintian warning are now fatal because ftbfs...
>
> Bastien
>>
>>
>> --
>> Pkg-javascript-devel mailing list
>> pkg-javascript-de...@alioth-lists.debian.net
>>
>> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
>
>
> --
> Pkg-javascript-devel mailing list
> pkg-javascript-de...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel

Bug#900636: [shrinksafe] Could not compile dojo: merge back with dojo

[Bastien ROUCARIES]

Package: shrinksafe
Severity: grave

Hi;

This package fail to compile dojo.

Dojo is the current upstream so merge back in dojo

Bastien

Bug#831548: [Pkg-javascript-devel] RM: mtasc -- ROM; obsoleted by newer standard web technologies

[Bastien ROUCARIES]

Le sam. 2 juin 2018 à 08:59, Niels Thykier  a écrit :

> On Sat, 23 Dec 2017 06:58:52 +0800 Paul Wise  wrote:
> > Control: severity -1 serious
> > Control: severity 831553 normal
> >
> > Hi everyone,
> >
> > The buster cycle is the right time to remove mtasc from the Debian
> > archive. It has been unmaintained in Debian and upstream for years. The
> > web ecosystem is moving away from Flash towards standard web tech,
> > which can now replace most use of Flash. Debian should encourage our
> > upstreams to move towards standard web tech like HTML5 and JavaScript.
> >
> > Please talk to your upstreams about transitioning away from
> > ActionScript 2 towards HTML5 JavaScript. If they need to still
> > support Flash for some users, then they should switch to something
> > like Haxe but they should not build Flash files by default.
> >
> > On Fri, 22 Dec 2017 17:29:50 -0500 Scott Kitterman wrote:
> >
> > > 15 months later all but one of those bugs is still open.  Can you
> either work
> > > with the maintainers to get them done or close this request until it's
> ripe
> > > for processing.
> >
> > --
> > bye,
> > pabs
> >
> > https://wiki.debian.org/PaulWise
>
> Hi,
>
> This package (dojo) is officially maintained by the Javascript team but
> appears to be de facto unmaintained.  It has several RC bugs and is
> stalling the removal of obsolete packages (admittedly only from unstable).
>
> If you are still interested in maintaining the package, then please
> resolve the RC bugs (at the very least this bug, which is blocking
> others).  If there is no visible progress on resolving this bug in a
> month from now, I will assume you are no longer interested in it and
> that you will support a removal of dojo from unstable.
>
> I have explicitly included all listed maintainers and uploaders (except
> for Frank, which appears to have disclaimed interest in this package per
> #863693)
>
> Thanks,
> ~Niels
>

Will get a glimpse.

BTw it means that a few lintian warning are now fatal because ftbfs...

Bastien

>
> --
> Pkg-javascript-devel mailing list
> pkg-javascript-de...@alioth-lists.debian.net
>
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel

Bug#900598: [desmume] Include non free file

[Bastien ROUCARIES]

On Fri, Jun 1, 2018 at 10:21 PM, Markus Koschany  wrote:
>
> Am 01.06.2018 um 22:16 schrieb Bastien ROUCARIES:
> [...]
>> No it is not a lintian bug. Unicode withdraw this code before applying
>> the license change.
>>
>> Exhibit 1 does not apply in this case.
>>
>>>
>>> http://www.unicode.org/copyright.html#Exhibit1
>>>
>>> Also see https://bugs.debian.org/864729 for more information. In my
>>> opinion this is merely a documentation bug but not a Policy violation.
>
> No. This is not correct. Please read #864729 and
>
> https://bugs.chromium.org/p/google-breakpad/issues/detail?id=270
>
> why we are allowed to change the license too.

Ok see it. It is nevertheless a bug (not serious) because this code is
buggy and supperseded by ICU. Did you report this upstream ?

Can you send a bug to lintian ? Will try to cook something

Bastien

>
> Not a bug.
>
> Markus
>

Bug#864729: Retitle

[Bastien ROUCARIES]

control: retitle -1 Use obsolete/buggy code
control: severity -1 important

ConvertUTF is nevertheless buggy/obsolete please use libicu

Bastien

Bug#864729: Reopen

[Bastien ROUCARIES]

control: reopen -1
control: found -1 3.3.1~dfsg-5

This bug was not fixed. Unicode body withdraw this code from their
website (due to bugs that are fixed in icu) long before applying
relicencing.

So it is not free

Bastien

Bug#900598: [desmume] Include non free file

[Bastien ROUCARIES]

On Fri, Jun 1, 2018 at 10:07 PM, Markus Koschany  wrote:
> Hi,
>
> Am 01.06.2018 um 21:58 schrieb Bastien ROUCARIÈS:
>> Package: desmume
>> Severity: serious
>>
>> The following file source files include material under a non-free license 
>> from
>> Unicode Inc. Therefore, it is not possible to ship this in main or contrib.
>>
>> src/utils/ConvertUTF.c
>>
>> This license does not grant any permission to modify the files (thus failing
>> DFSG#3). Moreover, the license grant seems to attempt to restrict use to
>> "products supporting the Unicode Standard" (thus failing DFSG#6).
>>
>> In this case a solution is to use libicu and to remove this code by 
>> repacking.
>>
>> If this is a false-positive, please report a bug against Lintian.
>>
>> Refer to https://bugs.debian.org/823100 for details.
>
> Indeed this is a Lintian bug. Unicode changed the license and the new
> license can be found here:

No it is not a lintian bug. Unicode withdraw this code before applying
the license change.

Exhibit 1 does not apply in this case.

>
> http://www.unicode.org/copyright.html#Exhibit1
>
> Also see https://bugs.debian.org/864729 for more information. In my
> opinion this is merely a documentation bug but not a Policy violation.
>
> Regards,
>
> Markus
>

Bug#900032: [Pkg-javascript-devel] Bug#900032: Bug#900032: mocha: missing-copyright-file /usr/share/doc/mocha/copyright

[Bastien ROUCARIES]

Found close

On Tue, May 29, 2018 at 3:25 PM, Bastien ROUCARIES
 wrote:
> On Sat, May 26, 2018 at 11:11 PM, Andreas Moog
>  wrote:
>> On Fri, May 25, 2018 at 12:40:48PM +0200, Bastien ROUCARIES wrote:
>>> Hi,
>>>
>>> I am really clueless. You are right but it will do this only with upgrade.
>>>
>>> I have used correctly dpkg-maintscript-helper.
>>>
>>> Could you crosscheck, my script ?
>>
>> I think from reading the dpkg-maintscript-helper manpage the version you use 
>> is
>> wrong:
>>
>> dir_to_symlink /usr/share/doc/mocha libjs-mocha 4.0.1-1~
>>
>> meaning the version where the conversion is done must be lower than 4.0.1-1.
>>
>> My understanding is that you need to put 4.1.0+ds-1~ as version since you 
>> want
>> to have the coversion done for all prior versions.
>
> No it does not work
>>
>> Kind regards // Viele Grüße
>>
>> Andreas Moog
>>
>> --
>> Pkg-javascript-devel mailing list
>> pkg-javascript-de...@alioth-lists.debian.net
>> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel

Bug#900032: [Pkg-javascript-devel] Bug#900032: Bug#900032: mocha: missing-copyright-file /usr/share/doc/mocha/copyright

[Bastien ROUCARIES]

On Sat, May 26, 2018 at 11:11 PM, Andreas Moog
 wrote:
> On Fri, May 25, 2018 at 12:40:48PM +0200, Bastien ROUCARIES wrote:
>> Hi,
>>
>> I am really clueless. You are right but it will do this only with upgrade.
>>
>> I have used correctly dpkg-maintscript-helper.
>>
>> Could you crosscheck, my script ?
>
> I think from reading the dpkg-maintscript-helper manpage the version you use 
> is
> wrong:
>
> dir_to_symlink /usr/share/doc/mocha libjs-mocha 4.0.1-1~
>
> meaning the version where the conversion is done must be lower than 4.0.1-1.
>
> My understanding is that you need to put 4.1.0+ds-1~ as version since you want
> to have the coversion done for all prior versions.

No it does not work
>
> Kind regards // Viele Grüße
>
> Andreas Moog
>
> --
> Pkg-javascript-devel mailing list
> pkg-javascript-de...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel

Bug#900032: [Pkg-javascript-devel] Bug#900032: mocha: missing-copyright-file /usr/share/doc/mocha/copyright

[Bastien ROUCARIES]

Hi,

I am really clueless. You are right but it will do this only with upgrade.

I have used correctly dpkg-maintscript-helper.

Could you crosscheck, my script ?

Bastien

On Thu, May 24, 2018 at 11:58 PM, Thorsten Glaser  wrote:
> Package: mocha
> Version: 4.1.0+ds1-1
> Severity: serious
> Justification: Policy 12.5
>
> Adequate reports:
>
> mocha: missing-copyright-file /usr/share/doc/mocha/copyright
>
> And adequate is right, as /usr/share/doc/mocha/ is empty.
>
> -- System Information:
> Debian Release: buster/sid
>   APT prefers unreleased
>   APT policy: (500, 'unreleased'), (500, 'buildd-unstable'), (500, 
> 'unstable'), (100, 'experimental')
> Architecture: x32 (x86_64)
> Foreign Architectures: i386, amd64
>
> Kernel: Linux 4.15.0-1-amd64 (SMP w/8 CPU cores)
> Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=C 
> (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/lksh
> Init: sysvinit (via /sbin/init)
>
> Versions of packages mocha depends on:
> ii  dpkg   1.19.0.5+b1
> ii  libjs-mocha4.1.0+ds1-1
> ii  node-browser-stdout1.3.0-1
> ii  node-commander 2.12.2-1
> ii  node-debug 3.1.0-2
> ii  node-diff  1.4.0~dfsg-1
> ii  node-escape-string-regexp  1.0.5-1
> ii  node-glob  7.1.2-6
> ii  node-growl 1.7.0-1
> ii  node-he1.1.1-1
> ii  node-mkdirp0.5.1-1
> ii  node-supports-color4.4.0-2
> ii  nodejs 10.1.0~dfsg-1
> ii  oxygen-icon-theme  5:5.46.0-1
>
> mocha recommends no packages.
>
> mocha suggests no packages.
>
> -- no debconf information
>
> --
> Pkg-javascript-devel mailing list
> pkg-javascript-de...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel

Bug#897536: [Pkg-javascript-devel] Bug#897536: mustache.js: FTBFS: make[1]: rake: Command not found

[Bastien ROUCARIES]

On Fri, May 11, 2018 at 12:12 PM, Jonas Meurer  wrote:
> Control: tag -1 +moreinfo
>
> Hello,
>
> I just tried to reproduce the FTBFS and failed. rake is defined as
> build-dependency and correctly pulled in according to linked the build logs.
>
> My best guess is that rake 12.3.1-2 had some bug that got fixed in 12.3.1-3.
>
> Lucas, could you trigger another rebuild to see whether this got fixed
> by the latest rake upload?
>
> In any case, it doesn't look like a bug in mustache.js package to me.

In this case build-depends on 12.3.1-3.

Bastien
>
> Cheers,
>  jonas
>
> On Wed, 2 May 2018 22:51:57 +0200 Lucas Nussbaum  wrote:
>> Source: mustache.js
>> Version: 2.3.0-2
>> Severity: serious
>> Tags: buster sid
>> User: debian...@lists.debian.org
>> Usertags: qa-ftbfs-20180502 qa-ftbfs
>> Justification: FTBFS on amd64
>>
>> Hi,
>>
>> During a rebuild of all packages in sid, your package failed to build on
>> amd64.
>>
>> Relevant part (hopefully):
>> >  debian/rules build
>> > dh build --builddirectory=/<>/build
>> >dh_update_autotools_config -O--builddirectory=/<>/build
>> >dh_auto_configure -O--builddirectory=/<>/build
>> >debian/rules override_dh_auto_build
>> > make[1]: Entering directory '/<>'
>> > rake jquery
>> > make[1]: rake: Command not found
>> > make[1]: *** [debian/rules:13: override_dh_auto_build] Error 127
>>
>> The full build log is available from:
>>http://aws-logs.debian.net/2018/05/02/mustache.js_2.3.0-2_unstable.log
>>
>> A list of current common problems and possible solutions is available at
>> http://wiki.debian.org/qa.debian.org/FTBFS . You're welcome to contribute!
>>
>> About the archive rebuild: The rebuild was done on EC2 VM instances from
>> Amazon Web Services, using a clean, minimal and up-to-date chroot. Every
>> failed build was retried once to eliminate random failures.
>>
>>
>
>
> --
> Pkg-javascript-devel mailing list
> pkg-javascript-de...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel

Bug#887586: Fixed

[Bastien ROUCARIES]

control: affects -1 - src:node-connect-timeout

On Thu, May 10, 2018 at 11:34 PM, Bastien ROUCARIES
<roucaries.bast...@gmail.com> wrote:
> control: affects -1 - src:node-connect
>
> On Thu, May 10, 2018 at 9:57 PM, Bastien ROUCARIES
> <roucaries.bast...@gmail.com> wrote:
>> control: affects -1 - src:node-cookie-parser

Bug#887586: Fixed

[Bastien ROUCARIES]

control: affects -1 - src:node-connect

On Thu, May 10, 2018 at 9:57 PM, Bastien ROUCARIES
<roucaries.bast...@gmail.com> wrote:
> control: affects -1 - src:node-cookie-parser

Bug#887586: Fixed

[Bastien ROUCARIES]

control: affects -1 - src:node-vhost

Bug#887586: Fixed

[Bastien ROUCARIES]

control: affects -1 - src:node-compression

Bug#887586: Fixed

[Bastien ROUCARIES]

control: affects -1 - src:node-errorhandler

Bug#887586: Fixed

[Bastien ROUCARIES]

control: affects -1 - src:node-cookie-parser

Bug#887586: workarround

[Bastien ROUCARIES]

control: tags -1 + patch

problematic package should be updated or use mocha --exit

Bug#892690: Autoconf-archive bug

[Bastien ROUCARIES]

Hi,

Could you recheck with newer version just uploaded ?

And close if not found

Bastien

Bug#871300:

[Bastien ROUCARIES]

control: noutfound -1 + 8:6.9.9.34+dfsg-1

Bug#889048: [node-source-map] FTBFS: lib/mappings.wasm

[Bastien Roucaries]

Please next time upload to experimental.

It is a good idea to upload now newer version to experimental.

BTW bug in reverse depends should be now important not serious

Bug#882852: Feature not a bug

[Bastien ROUCARIES]

control: severity -1 minor

you could still use explicit coder in order to use rsvg.

You should report this bug on internal coder upstream and report
upstream issue here

Thanks

Bug#882223: Reassign

[Bastien ROUCARIES]

control: assign -1 glibc-doc

Bug#882222: Document security problems with system.3 and popen.3 (argument injection)

[Bastien ROUCARIES]

Package: manpages-dev
Version: 4.13-3
Severity: grave
Tags: security
X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org
Justification: more than 20 security bugs filled in other package
control: clone -1 -2
control: reaffect -2 glibc-doc


Please document the implication of system.3 and popen.3, particularly
argument injection.

Please get inspiration from ENV33-C. Do not call system()

Sugest to use execvp and please provide example of secure alternative
for both API

Note that escaping argument is not portable particularly if argument
include control char for a POSIX shell.

https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177



Use of the system() function can result in exploitable
vulnerabilities, in the worst case allowing execution of arbitrary
system commands. Situations in which calls to system() have high risk
include the following:

When passing an unsanitized or improperly sanitized command string
originating from a tainted source
If a command is specified without a path name and the command
processor path name resolution mechanism is accessible to an attacker
If a relative path to an executable is specified and control over the
current working directory is accessible to an attacker
If the specified executable program can be spoofed by an attacker

Bug#877212: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

[Bastien Roucaries]

Le 29 septembre 2017 19:34:24 GMT+02:00, "Jérémy Lal"  a 
écrit :
>2017-09-29 19:24 GMT+02:00 Andreas Beckmann :
>
>> Package: node-d3-color
>> Version: 1.0.3-1
>> Severity: serious
>> Justification: Build-Depends not satisfiable in testing
>> Control: block -1 with 857986
>> Control: clone -1 -2 -3 -4 -5 -6 -7 -8 -9 -10
>> Control: reassign -2 node-d3-format 1.2.0-1
>> Control: retitle -2 node-d3-format: B-D npm not available in testing
>> Control: block -2 with 857986
>> Control: reassign -3 node-d3-queue 3.0.7-1
>> Control: retitle -3 node-d3-queue: B-D npm not available in testing
>> Control: block -3 with 857986
>> Control: reassign -4 node-d3-selection 1.1.0-1
>> Control: retitle -4 node-d3-selection: B-D npm not available in
>testing
>> Control: block -4 with 857986
>> Control: reassign -5 d3-timer 1.0.7-1
>> Control: retitle -5 d3-timer: B-D npm not available in testing
>> Control: block -5 with 857986
>> Control: reassign -6  node-filesize 3.5.10+dfsg-1
>> Control: retitle -6 node-filesize: B-D npm not available in testing
>> Control: block -6 with 857986
>> Control: reassign -7 node-gulp-babel 7.0.0-1
>> Control: retitle -7 node-gulp-babel: B-D npm not available in testing
>> Control: block -7 with 857986
>> Control: reassign -8 node-babel-plugin-transform-define 1.3.0-1
>> Control: retitle -8 node-babel-plugin-transform-define: B-D npm not
>> available in testing
>> Control: block -8 with 857986
>> Control: reassign -9 node-babel 6.25.0+dfsg-8
>> Control: retitle -9 node-babel: B-D npm not available in testing
>> Control: block -9 with 857986
>> Control: reassign -10 node-babylon 6.18.0-1
>> Control: retitle -10 node-babylon: B-D npm not available in testing
>> Control: block -10 with 857986
>>
>>
>> Hi,
>>
>> with npm not available in testing (and according to #857986 this will
>> not change in the near future), these node-* packages must be kept
>> out of testing, since they cannot be rebuilt in testing (regardless
>of
>> any external resources they might need additionally).
>>
>
>Build-Depending on npm is a sign something very wrong, policy-breaking,
>is happening, like downloading a npm module during build.
>
>An example of how wrong the problem is:
>```
>override_dh_auto_build:
>  npm install rollup
>```
>
>ouch
>
>I cc-ed everyone to make sure this doesn't happen again.

Please fill a lintian bug
>
>Jérémy

-- 
Envoyé de mon appareil Android avec K-9 Mail. Veuillez excuser ma brièveté.

Bug#784475: Done some work but crash before main()

[Bastien ROUCARIES]

control: tags -1 + pending

I have uploaded a new version waiting ftpmaster

On Tue, Sep 5, 2017 at 9:11 PM, Lisandro Damián Nicanor Pérez Meyer
<perezme...@gmail.com> wrote:
> On 5 September 2017 at 15:51, Bastien ROUCARIES
> <roucaries.bast...@gmail.com> wrote:
>> Hi,
>>
>> I have done porting work but now it fail before main():
>
> I'm afraid that the version you are working against is not yet ready for Qt5.

Bug#784475: Done some work but crash before main()

[Bastien ROUCARIES]

Hi,

I have done porting work but now it fail before main():

*** Error in 
`/home/bastien/Documents/Personnel/soft/debian/kbibtex/kbibtex/obj-x86_64-linux-gnu/src/program/kbibtex':
realloc(): invalid pointer: 0x559b5f549500 ***
=== Backtrace: =
/lib/x86_64-linux-gnu/libc.so.6(+0x70bfb)[0x7fbba63b6bfb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76fc6)[0x7fbba63bcfc6]
/lib/x86_64-linux-gnu/libc.so.6(realloc+0x219)[0x7fbba63c17d9]
/usr/lib/x86_64-linux-gnu/libQt5Core.so.5(_ZN9QListData12realloc_growEi+0x31)[0x7fbb9e1b2211]
/usr/lib/x86_64-linux-gnu/libQt5Core.so.5(_ZN9QListData6appendEi+0x4f)[0x7fbb9e1b22af]
/usr/lib/x86_64-linux-gnu/libQt5Core.so.5(+0x1cc378)[0x7fbb9e277378]
/usr/lib/x86_64-linux-gnu/libQt5Core.so.5(_Z21qRegisterResourceDataiPKhS0_S0_+0x38d)[0x7fbb9e272b2d]
/usr/lib/x86_64-linux-gnu/libQt5Core.so.5(+0x7d533)[0x7fbb9e128533]
/lib64/ld-linux-x86-64.so.2(+0xf89a)[0x7fbbaa27489a]
/lib64/ld-linux-x86-64.so.2(+0xf9ab)[0x7fbbaa2749ab]
/lib64/ld-linux-x86-64.so.2(+0xc5a)[0x7fbbaa265c5a]
=== Memory map: 
559b5f2e7000-559b5f345000 r-xp  00:2c 9432217
  
/home/bastien/Documents/Personnel/soft/debian/kbibtex/kbibtex/obj-x86_64-linux-gnu/src/program/kbibtex
559b5f544000-559b5f548000 r--p 0005d000 00:2c 9432217
  
/home/bastien/Documents/Personnel/soft/debian/kbibtex/kbibtex/obj-x86_64-linux-gnu/src/program/kbibtex
559b5f548000-559b5f54a000 rw-p 00061000 00:2c 9432217
  
/home/bastien/Documents/Personnel/soft/debian/kbibtex/kbibtex/obj-x86_64-linux-gnu/src/program/kbibtex
559b5f54a000-559b5f54b000 rw-p  00:00 0
559b601f8000-559b60219000 rw-p  00:00 0  [heap]
7fbb9000-7fbb90021000 rw-p  00:00 0
7fbb90021000-7fbb9400 ---p  00:00 0
7fbb96b6e000-7fbb96b82000 r-xp  00:25 18223187
  /lib/x86_64-linux-gnu/libgpg-error.so.0.22.0
7fbb96b82000-7fbb96d81000 ---p 00014000 00:25 18223187
  /lib/x86_64-linux-gnu/libgpg-error.so.0.22.0
7fbb96d81000-7fbb96d82000 r--p 00013000 00:25 18223187
  /lib/x86_64-linux-gnu/libgpg-error.so.0.22.0
7fbb96d82000-7fbb96d83000 rw-p 00014000 00:25 18223187
  /lib/x86_64-linux-gnu/libgpg-error.so.0.22.0
7fbb96d83000-7fbb96dae000 r-xp  00:25 18226505
  /usr/lib/x86_64-linux-gnu/libgraphite2.so.3.0.1
7fbb96dae000-7fbb96fad000 ---p 0002b000 00:25 18226505
  /usr/lib/x86_64-linux-gnu/libgraphite2.so.3.0.1
7fbb96fad000-7fbb96faf000 r--p 0002a000 00:25 18226505
  /usr/lib/x86_64-linux-gnu/libgraphite2.so.3.0.1
7fbb96faf000-7fbb96fb rw-p 0002c000 00:25 18226505
  /usr/lib/x86_64-linux-gnu/libgraphite2.so.3.0.1
7fbb96fb-7fbb96fc r-xp  00:25 20304808
  /usr/lib/x86_64-linux-gnu/libdrm.so.2.4.0
7fbb96fc-7fbb971bf000 ---p 0001 00:25 20304808
  /usr/lib/x86_64-linux-gnu/libdrm.so.2.4.0
7fbb971bf000-7fbb971c r--p f000 00:25 20304808
  /usr/lib/x86_64-linux-gnu/libdrm.so.2.4.0
7fbb971c-7fbb971c1000 rw-p 0001 00:25 20304808
  /usr/lib/x86_64-linux-gnu/libdrm.so.2.4.0
7fbb971c1000-7fbb971c6000 r-xp  00:25 16672579
  /usr/lib/x86_64-linux-gnu/libXxf86vm.so.1.0.0
7fbb971c6000-7fbb973c5000 ---p 5000 00:25 16672579
  /usr/lib/x86_64-linux-gnu/libXxf86vm.so.1.0.0
7fbb973c5000-7fbb973c6000 r--p 4000 00:25 16672579
  /usr/lib/x86_64-linux-gnu/libXxf86vm.so.1.0.0
7fbb973c6000-7fbb973c7000 rw-p 5000 00:25 16672579
  /usr/lib/x86_64-linux-gnu/libXxf86vm.so.1.0.0
7fbb973c7000-7fbb973cb000 r-xp  00:25 13200896
  /usr/lib/x86_64-linux-gnu/libxcb-dri2.so.0.0.0
7fbb973cb000-7fbb975ca000 ---p 4000 00:25 13200896
  /usr/lib/x86_64-linux-gnu/libxcb-dri2.so.0.0.0
7fbb975ca000-7fbb975cb000 r--p 3000 00:25 13200896
  /usr/lib/x86_64-linux-gnu/libxcb-dri2.so.0.0.0
7fbb975cb000-7fbb975cc000 rw-p 4000 00:25 13200896
  /usr/lib/x86_64-linux-gnu/libxcb-dri2.so.0.0.0
7fbb975cc000-7fbb975e4000 r-xp  00:25 13214250
  /usr/lib/x86_64-linux-gnu/libxcb-glx.so.0.0.0
7fbb975e4000-7fbb977e4000 ---p 00018000 00:25 13214250
  /usr/lib/x86_64-linux-gnu/libxcb-glx.so.0.0.0
7fbb977e4000-7fbb977e6000 r--p 00018000 00:25 13214250
  /usr/lib/x86_64-linux-gnu/libxcb-glx.so.0.0.0
7fbb977e6000-7fbb977e7000 rw-p 0001a000 00:25 13214250
  /usr/lib/x86_64-linux-gnu/libxcb-glx.so.0.0.0
7fbb977e7000-7fbb977e8000 r-xp  00:25 15688696
  /usr/lib/x86_64-linux-gnu/libX11-xcb.so.1.0.0
7fbb977e8000-7fbb979e7000 ---p 1000 00:25 15688696
  /usr/lib/x86_64-linux-gnu/libX11-xcb.so.1.0.0
7fbb979e7000-7fbb979e8000 r--p  00:25 15688696
  /usr/lib/x86_64-linux-gnu/libX11-xcb.so.1.0.0
7fbb979e8000-7fbb979e9000 rw-p 1000 00:25 15688696
  /usr/lib/x86_64-linux-gnu/libX11-xcb.so.1.0.0
7fbb979e9000-7fbb979eb000 r-xp  00:25 21156571
  /usr/lib/x86_64-linux-gnu/libXdamage.so.1.1.0
7fbb979eb000-7fbb97bea000 ---p 2000 00:25 21156571
  /usr/lib/x86_64-linux-gnu/libXdamage.so.1.1.0
7fbb97bea000-7fbb97beb000 r--p 1000 00:25 21156571
  /usr/lib/x86_64-linux-gnu/libXdamage.so.1.1.0
7fbb97beb000-7fbb97bec000 rw-p 2000 00:25 21156571
  

Bug#853656: Help needed with gcc-7 error

[Bastien Roucaries]

Use  and make signed

Le 27 août 2017 15:58:34 GMT+02:00, James Cowgill  a écrit 
:
>Hi,
>
>On 27/08/17 14:40, Andreas Tille wrote:
>> Hi,
>> 
>> when trying to build sga it results in an error:
>> 
>> ...
>> g++ -DHAVE_CONFIG_H -I. -I..  -I../Bigraph -I../Thirdparty
>-Wdate-time -D_FORTIFY_SOURCE=2 -fopenmp  -I/usr//include
>-I/usr//include/bamtools -Wall -Wextra  -Wno-unknown-pragmas -std=c++98
>-O3 -c -o libutil_a-VariantIndex.o `test -f 'VariantIndex.cpp' || echo
>'./'`VariantIndex.cpp
>> VariantIndex.cpp: In member function 'VariantRecordVector
>VariantIndex::getNearVariants(const string&, int, int) const':
>> VariantIndex.cpp:89:46: error: call of overloaded 'abs(long unsigned
>int)' is ambiguous
>>  if(abs(record.position - position) < distance)
>>   ^
>
>In C++11, you cannot call abs on an unsigned integer (which makes no
>sense anyway). Probably "record.position" needs casting to a signed
>type
>(like long).
>
>Thanks,
>James

-- 
Envoyé de mon appareil Android avec K-9 Mail. Veuillez excuser ma brièveté.

Bug#873148: Fails to properly escape the ;, {, }, <, and > characters

[Bastien ROUCARIES]

Package: node-shell-quote
severity: serious
forwarded: https://github.com/substack/node-shell-quote/issues/31

couple of open issues that seem reasonably
serious for a package that appears to be intended for sanitising user
input before passing it on to the shell:

Bug#872438: [Pkg-javascript-devel] Bug#872438: Bug#872438: Bug#872438: src:nodejs: FTBFS on mips64el: Can't determine the arch of ./node

[Bastien ROUCARIES]

On Fri, Aug 18, 2017 at 7:42 PM, Jérémy Lal  wrote:
> James Cowgill replied this to my give back request on mip64el:
>
>> My guess is this GCC-7 bug which is breaking lots of stuff on mips64el
>> at the moment:
>> https://bugs.debian.org/871514
>
>> Thanks,
>> James
>
> Cheers,
>
> Jérémy

Thanks BTW why node has no debug symbols ?

Bastien

>
> --
> Pkg-javascript-devel mailing list
> pkg-javascript-de...@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel

Bug#872438: [Pkg-javascript-devel] Bug#872438: src:nodejs: FTBFS on mips64el: Can't determine the arch of ./node

[Bastien ROUCARIES]

Starting program: /home/rouca/nodejs-6.11.2~dfsg/node
warning: GDB can't find the start of the function at 0xfff7fcd0c4.
[Thread debugging using libthread_db enabled]
Using host libthread_db library
"/lib/mips64el-linux-gnuabi64/libthread_db.so.1".
warning: GDB can't find the start of the function at 0xfff7fcddc8.
[New Thread 0xfff59db1e0 (LWP 516)]
[New Thread 0xfff59bb1e0 (LWP 517)]
[New Thread 0xfff51bb1e0 (LWP 518)]
[New Thread 0xfff49bb1e0 (LWP 521)]
[New Thread 0xfff41bb1e0 (LWP 522)]

Thread 1 "node" received signal SIGBUS, Bus error.
0x0001 in ?? ()
(gdb) info register
  zero   at   v0   v1
 R0    00ffda68 4500d051 53731e19
a0   a1   a2   a3
 R4   0001 00ffda98 000120f81220 2ee04241
a4   a5   a6   a7
 R8   2ee63501 2ee41019 0003 0003
t0   t1   t2   t3
 R12  35436b00 84080018 811372e0 0009
s0   s1   s2   s3
 R16  0001 00ffda98 0001 
s4   s5   s6   s7
 R20  2ee635c8 beeddead 000120f81258 2ee3ed41
t8   t9   k0   k1
 R24  000120f82cc8 0001 0015 
gp   sp   s8   ra
 R28  000120f424b0 00ffda60 00ffda88 3540610c
status   lo   hi badvaddr
  04109cf3 604189374cdec514 00ebe2a5 0001
 cause   pc
  00800010 0001
  fcsr  fir  restart
  dc64 00739600 
(gdb) bt
warning: GDB can't find the start of the function at 0x3540610b.
#0  0x0001 in ?? ()
#1  0x3540610c in ?? ()
(gdb) frame
#0  0x0001 in ?? ()
(gdb)

Bug#872438: [Pkg-javascript-devel] Bug#872438: src:nodejs: FTBFS on mips64el: Can't determine the arch of ./node

[Bastien ROUCARIES]

On Thu, Aug 17, 2017 at 3:54 PM, Felipe Sateler  wrote:
> Package: src:nodejs
> Version: 6.11.2~dfsg-2
> Severity: serious
>
> nodejs failed to build with this error:
>
> make[1]: Entering directory '/<>'
> # Clean up any leftover processes but don't error if found.
> ps awwx | grep Release/node | grep -v grep | cat
> /usr/bin/python tools/test.py  -p tap \
> --mode=release --flaky-tests=dontcare \
> --arch=mips64el --timeout=3000 message parallel sequential
> Can't determine the arch of: './node'
>
> Can't determine the arch of: './node'
>
> Can't determine the arch of: './node'

The line are :

vm = context.GetVm(arch, mode)
if not exists(vm):
  print "Can't find shell executable: '%s'" % vm
  continue
archEngineContext = Execute([vm, "-p", "process.arch"], context)
vmArch = archEngineContext.stdout.rstrip()
if archEngineContext.exit_code is not 0 or vmArch == "undefined":
  print "Can't determine the arch of: '%s'" % vm
  print archEngineContext.stderr.rstrip()
  continue
env = {
  'mode': mode,
  'system': utils.GuessOS(),
  'arch': vmArch,
}


>
> No tests to run.
> Makefile:220: recipe for target 'test-ci-js' failed
> make[1]: *** [test-ci-js] Error 1
> make[1]: Leaving directory '/<>'
>
>
> Full log at 
> https://buildd.debian.org/status/fetch.php?pkg=nodejs=mips64el=6.11.2~dfsg-2=1502862893=0
>
>
> -- System Information:
> Debian Release: buster/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.9.0-3-amd64 (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
> LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
>
> --
> Pkg-javascript-devel mailing list
> pkg-javascript-de...@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel

Bug#872433: [Pkg-javascript-devel] Bug#872433: Bug#872433: [with solution] Doesn't find modules installed in Debian directories

[Bastien ROUCARIES]

On Thu, Aug 17, 2017 at 2:49 PM, Julien Puydt <julien.pu...@laposte.net> wrote:
> Hi,
>
> Le 17/08/2017 à 14:23, Bastien ROUCARIES a écrit :
>> Could you get a glimpse at node-minimatch debian/test/runtestsuite ?
>
> Won't work, since we don't have all the test deps in Debian (lacking
> object-keys -- beware we have object-key but that's not what it wants).

Could you open a bug or point me to ITP bug ?
>
>> For the NMIU one lintian warning you are member of team javascript add
>> a * team upload at the beginning of changelog. If not you should add a
>> * NMU
>
> I know, but since I had a look at the package yesterday and only filled
> the report today, I don't think it would be correct to push anything or
> plan an upload (NMU or team, whatever) before I left Thorsten ample time
> to answer.
>
> Cheers,
>
> Snark
>
> --
> Pkg-javascript-devel mailing list
> pkg-javascript-de...@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel

Bug#872433: [Pkg-javascript-devel] Bug#872433: [with solution] Doesn't find modules installed in Debian directories

[Bastien ROUCARIES]

Could you get a glimpse at node-minimatch debian/test/runtestsuite ?

For the NMIU one lintian warning you are member of team javascript add
a * team upload at the beginning of changelog. If not you should add a
* NMU

On Thu, Aug 17, 2017 at 2:19 PM, Julien Puydt <julien.pu...@laposte.net> wrote:
> Hi,
>
> Le 17/08/2017 à 14:04, Bastien ROUCARIES a écrit :
>> Could you also modernize this package ? policy bump, autopkg-test (see
>> node-tape)
>
> I bumped std-ver and dh compat if that's what you mean by policy bump.
> There was already an autopkg-test directory and I added a test for my
> patch (which has a DEP3 header).
>
> Here is what my git-log has to say on the changes since debian/1.1.7-2
> was released ; lintian only complains about unreleased-changes,
> changelog-should-mention-nmu and source-nmu-has-incorrect-version-number
> because I created a 1.4.0-1 and I'm not an uploader :
>
> commit 706643f1cc5c6a6d72b0fa092379ed6f029b6540 (HEAD -> master)
> Author: Julien Puydt <julien.pu...@laposte.net>
> Date:   Thu Aug 17 13:54:36 2017 +0200
>
> Remove useless build-dep on dh-buildinfo
>
> commit c5cf00738e9a7c597a86406ddb9ae1c7a8e086a3
> Author: Julien Puydt <julien.pu...@laposte.net>
> Date:   Thu Aug 17 13:52:23 2017 +0200
>
> Add an autopkgtest for the patch to enable Debian paths
>
> commit 5303fa0df9bc3d0f223963a5af33da5f511cf245
> Author: Julien Puydt <julien.pu...@laposte.net>
> Date:   Thu Aug 17 13:46:31 2017 +0200
>
> Add a patch so node_modules isn't always added to searched paths
>
> commit 92349b284cad11524a4a6f7acb1b979794a1d818
> Author: Julien Puydt <julien.pu...@laposte.net>
> Date:   Thu Aug 17 13:42:52 2017 +0200
>
> Bump std-ver to 4.0.0
>
> commit 9bce40b53ef272e9c1035bbd1ad6c8299b55b654
> Author: Julien Puydt <julien.pu...@laposte.net>
> Date:   Thu Aug 17 13:41:45 2017 +0200
>
> Bump dh compat to 10
>
> commit 16f46e9d3789232de1c2d41471851fbb20490014
> Author: Julien Puydt <julien.pu...@laposte.net>
> Date:   Wed Aug 16 19:36:15 2017 +0200
>
> Package upstream 1.4.0
>
> commit 2ad252931b6710dab0a6d708c11e4cbe30ead326
> Merge: febbf48 68dce8d
> Author: Julien Puydt <julien.pu...@laposte.net>
> Date:   Wed Aug 16 19:35:45 2017 +0200
>
> Updated version 1.4.0 from 'upstream/1.4.0'
>
> with Debian dir 641fcf33ab138af6a27661a439a7b435ac210f03
>
> commit 68dce8d4a97fd679c5214be9dc2e16658a7b7cf3 (tag: upstream/1.4.0,
> upstream)
> Author: Julien Puydt <julien.pu...@laposte.net>
> Date:   Wed Aug 16 19:35:39 2017 +0200
>
> New upstream version 1.4.0
>
> commit febbf4801383e0b650432dda8eceeeb1f6275248 (origin/master, origin/HEAD)
> Author: Mike Gabriel <mike.gabr...@das-netzwerkteam.de>
> Date:   Thu Dec 15 11:21:37 2016 +0100
>
> debian/control: Drop myself from Uploaders: field.
>
> commit b2e880ef277e4f2ebf7d20386066efc6ffc029fe (tag: debian/1.1.7-2)
> Author: Thorsten Alteholz <deb...@alteholz.de>
> Date:   Fri Jun 17 19:56:34 2016 +0200
>
> fix typo
>
>
>
> And here is what my d/ch entry looks like:
> node-resolve (1.4.0-1) UNRELEASED; urgency=medium
>
>   * New upstream release.
>   * Bump dh compat to 10.
>   * Bump std-ver to 4.0.0.
>   * Add a patch so node_modules isn't always added to search paths.
>   * Add an autopkgtest to check the patch mentioned above works.
>   * Remove build-dep on dh-buildinfo.
>
>  -- Julien Puydt <julien.pu...@laposte.net>  Wed, 16 Aug 2017 19:35:50 +0200
>
> I think it doesn't look bad, but I'd rather have the uploader (Thorsten
> Alteholz) tell me he's ok with me pushing those changes (or part of
> them) and doing the upload.
>
> Cheers,
>
> Snark on #debian-js

Bug#872433: [Pkg-javascript-devel] Bug#872433: [with solution] Doesn't find modules installed in Debian directories

[Bastien ROUCARIES]

Let ping me at ro...@debian.org if needed

Could you also modernize this package ? policy bump, autopkg-test (see
node-tape)

On Thu, Aug 17, 2017 at 1:40 PM, Julien Puydt  wrote:
> Package: node-resolve
> Version: 1.1.7-2
> Severity: grave
>
> Hi,
>
> I'm surprised nobody reported it yet since it basically makes the
> package useless as far as I see, but the current node resolve doesn't
> find modules installed in Debian directories : while working on another
> package, I was surprised that nothing was found. When investigating
> using strace, I saw that resolve.sync was always adding "node_modules"
> to the paths it tried, so of course it didn't find anything.
>
> I got things to work by editing node-modules-paths.js from:
>
> module.exports = function nodeModulesPaths(start, opts) {
> var modules = opts && opts.moduleDirectory
> ? [].concat(opts.moduleDirectory)
> : ['node_modules'];
>
> to:
>
> module.exports = function nodeModulesPaths(start, opts) {
> var modules = opts && opts.moduleDirectory
> ? [].concat(opts.moduleDirectory)
> : ['node_modules', ''];
>
> ie: I added '' to the list of things to add when generating paths to check.
>
> The following two lines fail with the unpatched node-resolve, and work
> with the patched one:
> resolve=require('resolve')
> resolve.sync('resolve/lib/core.js', {basedir: '/usr/lib/nodejs'})
> (it should be added in debian/tests/)
>
> I'm part of the Debian Javascript maintainers team so I can add the
> necessary patch (with the right header) and test [and probably push
> higher upstream version, std-ver and dh] to the git repository to help
> if you want -- but I'm no DD so can't upload myself.
>
> Cheers,
>
> Snark on #debian-js
>
> --
> Pkg-javascript-devel mailing list
> pkg-javascript-de...@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel

Bug#871300: [Pkg-gmagick-im-team] Bug#871300: libmagick++-6.q16-7: requires rebuild against GCC 7 and symbols/shlibs bump

[Bastien Roucaries]

Le 7 août 2017 22:59:06 GMT+02:00, James Cowgill  a écrit :
>Hi,
>
>On 07/08/17 16:55, roucaries bastien wrote:
>> On Mon, Aug 7, 2017 at 4:47 PM,   wrote:
>>> Package: libmagick++-6.q16-7
>>> Version: 8:6.9.7.4+dfsg-16
>>> Severity: serious
>>> Tags: sid buster
>>> User: debian-...@lists.debian.org
>>> Usertags: gcc-7-op-mangling
>>>
>> 
>> I need a change that break ABI, I will release a new version. Does it
>> exist in this case a short cut
>
>If you are going to rename the Debian package and trigger a package
>transition, you do not need to add any of the extra symbols/shlibs
>stuff. You should still build-depend on gcc (>= 4:7) however - I'm not
>sure if all the buildds use GCC 7 by default yet.


 Should i depends on g++7 for libmagick++-dev ?


>Thanks,
>James

-- 
Envoyé de mon appareil Android avec K-9 Mail. Veuillez excuser ma brièveté.

Bug#869834: CVE-2017-11533: heap buffer overflow in uil coder

[Bastien ROUCARIES]

Source: imagemagick
Version: 8:6.9.7.4+dfsg-12
Severity: serious
Tags: security upstream
X-Debbugs-CC: t...@security.debian.org
control: found -1 8:6.8.9.9-5+deb8u8
control: found -1 8:6.8.9.9-5+deb8u9
control: found -1 8:6.7.7.10-5+deb7u14
forwarded:https://github.com/ImageMagick/ImageMagick/issues/562

When ImageMagick 7.0.6-1 processes a crafted file in convert, it can
lead to a heap-based buffer over-read in the WriteUILImage() function
in coders/uil.c.

Bug#869728: Avoid a crash for mpc coder

[Bastien ROUCARIES]

Source: src:imagemagick
Version: 8:6.9.7.4+dfsg-12
Severity: serious
Tags: security upstream
X-Debbugs-CC: t...@security.debian.org
control: found -1 8:6.8.9.9-5+deb8u8
control: found -1 8:6.8.9.9-5+deb8u9
control: found -1 8:6.7.7.10-5+deb7u14
control: found -1 8:6.7.7.10-5+deb7u4
forwarded:  
https://www.imagemagick.org/discourse-server/viewtopic.php?f=3=31438

Avoid a crash for mpc coder

Bug#869727: Memory exhaustion in mpc coder

[Bastien ROUCARIES]

Source: src:imagemagick
Version: 8:6.9.7.4+dfsg-12
Severity: serious
Tags: security upstream
X-Debbugs-CC: t...@security.debian.org
control: found -1 8:6.8.9.9-5+deb8u8
control: found -1 8:6.8.9.9-5+deb8u9
control: found -1 8:6.7.7.10-5+deb7u14
control: found -1 8:6.7.7.10-5+deb7u4
forwarded: https://github.com/ImageMagick/ImageMagick/issues/546

When identify MPC file , imagemagick will allocate memory to store the
data, here is the critical code:
(Mpc.c , in function ReadMPCImage)

 image->colormap=(PixelInfo *) AcquireQuantumMemory(image->colors+1,  //856
  sizeof(*image->colormap));

The “image->colors" can be obtained from local value “options” as
follow, and the options is controlled by image , in other words the
“image->colors" can be read from input file.
image->colors=StringToUnsignedLong(options); //402

The function StringToUnsignedLong convert string to unsigned long
type, but the return value was not checked.
Here is my policy.xml to limit memory usage,but 256MB limit can be bypassed.

Bug#869726: CVE-2017-11532: memory leak in coders/mpc.c.

[Bastien ROUCARIES]

Source: src:imagemagick
Version: 8:6.9.7.4+dfsg-12
Severity: serious
Tags: security upstream
X-Debbugs-CC: t...@security.debian.org
control: found -1 8:6.8.9.9-5+deb8u8
control: found -1 8:6.8.9.9-5+deb8u9
control: found -1 8:6.7.7.10-5+deb7u14
control: found -1 8:6.7.7.10-5+deb7u4
forwarded: https://github.com/ImageMagick/ImageMagick/issues/563

When ImageMagick 7.0.6-1 processes a crafted file in convert, it can
lead to a Memory Leak in the WriteMPCImage() function in coders/mpc.c.

Bug#869725: CVE-2017-11531: Memory Leak in coders/histogram.c.

[Bastien ROUCARIES]

Source: src:imagemagick
Version: 8:6.9.7.4+dfsg-12
Severity: serious
Tags: security upstream
X-Debbugs-CC: t...@security.debian.org
control: found -1 8:6.8.9.9-5+deb8u8
control: found -1 8:6.8.9.9-5+deb8u9
control: found -1 8:6.7.7.10-5+deb7u14
control: found -1 8:6.7.7.10-5+deb7u4
forwarded: https://github.com/ImageMagick/ImageMagick/issues/566


When ImageMagick 7.0.6-1 processes a crafted file in convert, it can
lead to a Memory Leak in the WriteHISTOGRAMImage() function in
coders/histogram.c.

Bug#869210: endless loop in ReadTXTImage

[Bastien ROUCARIES]

Source: imagemagick
Version: 8:6.9.7.4+dfsg-12
Severity: serious
Tags: security upstream
X-Debbugs-CC: t...@security.debian.org
X-Debbugs-CC: Salvatore Bonaccorso 
control: found -1  8:6.9.7.4+dfsg-11+deb9u1
control: found -1 8:6.8.9.9-5+deb8u10
control: found -1 8:6.7.7.10-5+deb7u14
forwarded: https://github.com/ImageMagick/ImageMagick/issues/591

original reported will open a bug

fixed by:
https://github.com/ImageMagick/ImageMagick/commit/83e0f8ffd7eeb7661b0ff83257da23d24ca7f078

Bug#869209: [imagemagick] Null-Point reference in WriteOnePNGImage

[Bastien ROUCARIES]

Source: imagemagick
Version: 8:6.9.7.4+dfsg-12
Severity: serious
Tags: security upstream
X-Debbugs-CC: t...@security.debian.org
X-Debbugs-CC: Salvatore Bonaccorso 
control: found -1  8:6.9.7.4+dfsg-11+deb9u1
control: found -1 8:6.8.9.9-5+deb8u10
control: found -1 8:6.7.7.10-5+deb7u14
forwarded: https://github.com/ImageMagick/ImageMagick/issues/586



Original reporter will open a CVE

Bug#867896: [imagemagick] enable heap overflow check for stdin for mpc files

[Bastien ROUCARIES]

Source: src:imagemagick
Version: 8:6.9.7.4+dfsg-11
Severity: serious
Tags: security upstream
X-Debbugs-CC: t...@security.debian.org
control: found -1 8:6.8.9.9-5+deb8u8
control: found -1 8:6.8.9.9-5+deb8u9
control: found -1 8:6.7.7.10-5+deb7u14
control: found -1 8:6.7.7.10-5+deb7u4
forwarded: https://github.com/ImageMagick/ImageMagick/issues/556


Enabling seekable streams is required to ensure checking the blob size
works when an image is streamed on stdin. It was an oversight in the
original patch.


Fixed by
https://github.com/ImageMagick/ImageMagick/commit/b007dd3a048097d8f58949297f5b434612e1e1a3#diff-cdb21e3ad4d6e304030bd19bdc881fce

 
https://github.com/ImageMagick/ImageMagick/commit/529ff26b68febb2ac03062c58452ea0b4c6edbc1#diff-cdb21e3ad4d6e304030bd19bdc881fce

Bug#862967: Will try tomorrow

[Bastien ROUCARIES]

Hi,

I plan to release a stable version tomorrow

Bastien

Bug#862690: Found in unstable/testing/stable

[Bastien ROUCARIES]

control: found -1 8:6.8.9.9-5+deb8u8
control: found -1 8:6.7.7.10-5+deb7u13
control: found -1 8:6.7.7.10-5+deb7u4

Bug#860735: CVE-2017-7942: memory leak in avs does not affect old version

[Bastien ROUCARIES]

control: notfound -1,8:6.6.0.4-3
control: notfound -1 8:6.7.7.10-5
control: notfound -1 8:6.8.9.9-5
control: notfound -1 8:6.8.9.9-5+deb8u8
control: notfound -1 8:6.7.7.10-5+deb7u13
>
> Due to code change not affected

Bug#860735: CVE-2017-7942: memory leak in avs does not affect old version

[Bastien ROUCARIES]

control: notfound -1,8:6.6.0.4-3
control: notfound -1 8:6.7.7.10-5
control: notfound -1 8:6.8.9.9-5
control: notfound -1 6.8.9.9-5+deb8u8
control: notfound -1 6.7.7.10-5+deb7u13

Due to code change not affected

Bug#861172: [Pkg-javascript-devel] Bug#861172: node-jsonstream FTBFS in stretch: Build dependency node-tape is not available

[Bastien ROUCARIES]

control: owner -1 ro...@debian.org

On Tue, Apr 25, 2017 at 2:10 PM, Adrian Bunk  wrote:
> Source: node-jsonstream
> Version: 1.0.3-3
> Severity: serious
>
> node-jsonstream build-depends on node-tape, which is not in stretch.
>
> --
> Pkg-javascript-devel mailing list
> pkg-javascript-de...@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel

Bug#860736: CVE-2017-7943 Memory leak in svg

[Bastien ROUCARIES]

Package: src:imagemagick
Version: 8:6.6.0.4-3
Severity: serious
Tags: security
X-Debbugs-CC: t...@security.debian.org
control: found -1 8:6.7.7.10-5
control: found -1 8:6.8.9.9-5
forwarded: https://github.com/ImageMagick/ImageMagick/issues/427

https://github.com/ImageMagick/ImageMagick/commit/b0e61972ff94e844fbb3ca927e476fc156c240a3

Bug#860735: CVE-2017-7942: memory leak in avs

[Bastien ROUCARIES]

Package: src:imagemagick
Version: 8:6.6.0.4-3
Severity: serious
Tags: security
X-Debbugs-CC: t...@security.debian.org
control: found -1 8:6.7.7.10-5
control: found -1 8:6.8.9.9-5
forwarded: https://github.com/ImageMagick/ImageMagick/issues/428


Fixed by 962282327f3a28ffb1138f3ad3fb0438b57ae6b1

Bug#860734: CVE-2017-7941 memory leak in sgi

[Bastien ROUCARIES]

Package: src:imagemagick
Version: 8:6.6.0.4-3
Severity: serious
Tags: security
X-Debbugs-CC: t...@security.debian.org
control: found -1 8:6.7.7.10-5
control: found -1 8:6.8.9.9-5
forwarded: https://github.com/ImageMagick/ImageMagick/issues/428

Fixed by
https://github.com/ImageMagick/ImageMagick/commit/721dc1305b2bfff92e5ca605dc1a47c61ce90b9f

Bug#860382: Install in wrong dir useless

[Bastien ROUCARIES]

Package: node-jsonstream
Version: 1.0.3-1
Severity: grave

This package install files under jsonstream instead of JSONStream...

Thus it is useless

Bug#847282: [Pkg-gmagick-im-team] Bug#847282:

[Bastien ROUCARIES]

Ok found why it fail:

oldstable -> stable create  images.dpkg-backup -> ../imagemagick/images
and www.dpkg-backup -> ../imagemagick/www backup symlink.

These are not owned by package...

I suppose I could nuke them after checking if they point to something sensible

Bastien

Bug#847282: [Pkg-gmagick-im-team] Bug#847282:

[Bastien ROUCARIES]

More information here
https://piuparts.debian.org/wheezy222testing/fail/imagemagick-doc_8:6.9.7.4+dfsg-3.log

Bug#847282:

[Bastien ROUCARIES]

Followup-For: Bug #847282
Control: found -1 8:6.9.7.0+dfsg-3

Reopen found

Bug#859769: Infinite loop due to rounding error

[Bastien Roucaries]

Le 9 avril 2017 18:12:01 GMT+02:00, Salvatore Bonaccorso <car...@debian.org> a 
écrit :
>Hi Bastien,
>
>On Fri, Apr 07, 2017 at 12:06:50PM +0200, Bastien ROUCARIES wrote:
>> Package: src:imagemagick
>> Version: 8:6.6.0.4-3
>> Severity: serious
>> Tags: security
>> X-Debbugs-CC: t...@security.debian.org
>> control: found -1 8:6.7.7.10-5
>> control: found -1 8:6.8.9.9-5
>> forwarded:
>https://www.imagemagick.org/discourse-server/viewtopic.php?f=3=31506
>> 
>> 
>> Fixed by 63757068c803f692bd70304b06ce3406e0b67c7f will open a CVE
>
>heard anything back for a CVE assignment?

Open this morning at 0700Utc

I am waiting
>
>Regards,
>Salvatore

-- 
Envoyé de mon appareil Android avec K-9 Mail. Veuillez excuser ma brièveté.

Bug#859772: Fix include regression

[Bastien ROUCARIES]

Package: src:imagemagick
Version: 8:6.6.0.4-3
Severity: serious
Tags: security
X-Debbugs-CC: t...@security.debian.org
control: found -1 8:6.7.7.10-5
forwarded: 
https://launchpadlibrarian.net/314715229/FixAcquireVirtualMemoryMemleak.patch


Partial patch with problem

Bug#859771: Undefined behavoir in rle

[Bastien ROUCARIES]

Package: src:imagemagick
Version: 8:6.6.0.4-3
Severity: serious
Tags: security
X-Debbugs-CC: t...@security.debian.org
control: found -1 8:6.7.7.10-5
control: found -1 8:6.8.9.9-5
forwarded: https://github.com/ImageMagick/ImageMagick/issues/415

Undefined behavior in rle coder reading rle file could lead to lack of
validation of rle file...

Could be triggerd by corrupted file depending of compiler.

Bug#859769: Infinite loop due to rounding error

[Bastien ROUCARIES]

Package: src:imagemagick
Version: 8:6.6.0.4-3
Severity: serious
Tags: security
X-Debbugs-CC: t...@security.debian.org
control: found -1 8:6.7.7.10-5
control: found -1 8:6.8.9.9-5
forwarded: 
https://www.imagemagick.org/discourse-server/viewtopic.php?f=3=31506


Fixed by 63757068c803f692bd70304b06ce3406e0b67c7f will open a CVE

Bug#847715: [Pkg-javascript-devel] Bug#847715: Plan to do a NMU

[Bastien ROUCARIES]

Here the diff, quite trivial

diff --git a/debian/changelog b/debian/changelog
index 8d6a8ec..25d57f9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-resumer (0.0.0-2) unstable; urgency=medium
+
+  * Team upload.
+  * Bug fix: "node-resumer depends on node-through2 (>= 2.3.4), but
+only 2.0.3-1 is in unstable", thanks to Adrian Bunk (Closes: #847715).
+
+ -- Bastien Roucariès <ro...@debian.org>  Tue, 04 Apr 2017 00:12:33 +0200
+
 node-resumer (0.0.0-1) unstable; urgency=low

   * Initial release (Closes: #814286)
diff --git a/debian/control b/debian/control
index a06010f..9f4222e 100644
--- a/debian/control
+++ b/debian/control
@@ -15,7 +15,7 @@ Package: node-resumer
 Architecture: all
 Depends: ${misc:Depends},
  nodejs,
- node-through2 (>= 2.3.4)
+ node-through2 (>= 2.0)
 Description: through stream that starts paused and resumes on the next tick
  Return a through stream that starts out paused and resumes on the next tick,
  unless somebody called .pause().

On Tue, Apr 4, 2017 at 12:03 AM, Bastien ROUCARIES
<roucaries.bast...@gmail.com> wrote:
> Hi,
>
> I plan to do a NMU on this one.
>
> Do you want the diff ?.
>
> Bastien
>
> --
> Pkg-javascript-devel mailing list
> pkg-javascript-de...@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel

Bug#847715: Plan to do a NMU

[Bastien ROUCARIES]

Hi,

I plan to do a NMU on this one.

Do you want the diff ?.

Bastien

Bug#847282: Ping

[Bastien ROUCARIES]

On Mon, Apr 3, 2017 at 8:36 PM, Adrian Bunk <b...@debian.org> wrote:
> Control: severity -1 serious
>
> On Sun, Mar 12, 2017 at 03:51:29PM +0100, Bastien ROUCARIES wrote:
>> n 2017-01-22 18:02, Bastien ROUCARIES wrote:
>> > Let decrease the severity to something not RC. I need to know if the
>> > problem is in dpkg or imagemagick. And I do not want to block the
>> > security update of imagemagick.
>
> Raising severity again, so that this issue won't get lost for stretch.
>
>> ACK. I'll try to take a more detailed look at it ... ping me if I don't
>> report back ...
>>
>> Ping thus
>
> Adding Andreas, replying to the bug does not Cc the submitter.

For this one adrian I need help...

I do not know where the problem lie. In dpkg maint script or in imagemagick

Trace welcome
>
> cu
> Adrian
>
> --
>
>"Is there not promise of rain?" Ling Tan asked suddenly out
> of the darkness. There had been need of rain for many days.
>"Only a promise," Lao Er said.
>Pearl S. Buck - Dragon Seed
>

Bug#858593: reopen

[Bastien ROUCARIES]

Control: reopen 858593
Control: found 1.20.1-6

Bug#857426: [Pkg-gmagick-im-team] Bug#857426: closed by Bastien ROUCARIES <roucaries.bast...@gmail.com> (does not affect sid, )

[Bastien ROUCARIES]

BTW I will open a CVE

Moreover could you check if  CVE-2016-10068 is fixed ? According to
changelog it is and I could not apply patch (already applied)

On Tue, Mar 14, 2017 at 7:23 AM, Salvatore Bonaccorso <car...@debian.org> wrote:
> Hello Bastien,
>
> On Sat, Mar 11, 2017 at 03:18:04PM +, Debian Bug Tracking System wrote:
>> This is an automatic notification regarding your Bug report
>> which was filed against the src:imagemagick package:
>>
>> #857426: [Bug 1671630] Memory leak in IsOptionMember function
>>
>> It has been closed by Bastien ROUCARIES <roucaries.bast...@gmail.com>.
>>
>> Their explanation is attached below along with your original report.
>> If this explanation is unsatisfactory and you have not received a
>> better one in a separate message then please contact Bastien ROUCARIES 
>> <roucaries.bast...@gmail.com> by
>> replying to this email.
>>
>>
>> --
>> 857426: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857426
>> Debian Bug Tracking System
>> Contact ow...@bugs.debian.org with problems
>
>> Date: Sat, 11 Mar 2017 16:15:15 +0100
>> From: Bastien ROUCARIES <roucaries.bast...@gmail.com>
>> To: 857426-d...@bugs.debian.org
>> Subject: does not affect sid,
>> Message-ID: 
>> <CAE2SPAYRbFdaiCkVS+ObYmXXGO0=hmg5cw2vjmi9le4jgp8...@mail.gmail.com>
>>
>> version: 8:6.9.7.4+dfsg-2
>
> Hmm, I do not see that change from 8:6.9.7.4+dfsg-1 to
> 8:6.9.7.4+dfsg-2. Are you sure that is the fixing version and not
> already done somewhere earlier?
>
> Regards,
> Salvatore
>
> ___
> Pkg-gmagick-im-team mailing list
> pkg-gmagick-im-t...@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-gmagick-im-team

Bug#787338: Not free icc profile are not free

[Bastien ROUCARIES]

Upstream clarify licence, see http://www.color.org/srgbprofiles.xalter

not free

Bastien

Bug#857426: Fwd: [Bug 1671630] [NEW] Memleak in IsOptionMember

[Bastien ROUCARIES]

Package: src:imagemagick
Version: 8:6.7.7.10-5
Severity: serious
Tags: security
X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org
control: found -1 8:6.6.0.4-3

Does not affect sid/jessie

-- Forwarded message --
From: Stefan Pöschel <1671...@bugs.launchpad.net>
Date: Thu, Mar 9, 2017 at 10:21 PM
Subject: [Bug 1671630] [NEW] Memleak in IsOptionMember
To: roucaries.bastien+b...@gmail.com


Public bug reported:

The ImageMagick version shipped with Ubuntu 16.04 (version
8:6.8.9.9-7ubuntu5.5) is affected by a memory leak. This has been fixed
in the following commit:

http://git.imagemagick.org/repos/ImageMagick/commit/6790815c75bdea0357df5564345847856e995d6b

So I request this fix to be backported to 16.04 (and other affect
version, if applicable; 14.04 is not affected).

The tool ODR-PadEnc which I maintain is affected by the bug:

  https://github.com/Opendigitalradio/ODR-PadEnc/issues/2

Here one of the outputs that Valgrind procudes for each invokation - in
this case, I used 14.04 with
http://archive.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6.8.9.9.orig.tar.xz
as I have 16.04 only running in a VM. The patches within
http://archive.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6.8.9.9-7ubuntu5.5.debian.tar.xz
do NOT address this bug.

==1961== 455,322 bytes in 111 blocks are definitely lost in loss
record 1,761 of 1,762
==1961==at 0x4C2AB80: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1961==by 0x5E2DB3E: AcquireString (string.c:132)
==1961==by 0x5E2FC10: StringToArgv (string.c:2196)
==1961==by 0x5DC46F7: IsOptionMember (option.c:2278)
==1961==by 0x5F3F789: WritePNGImage (png.c:11996)
==1961==by 0x5D12B11: WriteImage (constitute.c:1184)
==1961==by 0x5CDE340: ImageToBlob (blob.c:1607)
==1961==by 0x40D7A5: SLSManager::encodeFile(std::string const&,
int, bool) (sls.cpp:392)
==1961==by 0x4038B1: main (odr-padenc.cpp:324)

** Affects: imagemagick (Ubuntu)
 Importance: Undecided
 Status: New

--
You received this bug notification because you are subscribed to
imagemagick in Ubuntu.
https://bugs.launchpad.net/bugs/1671630

Title:
  Memleak in IsOptionMember

Status in imagemagick package in Ubuntu:
  New

Bug description:
  The ImageMagick version shipped with Ubuntu 16.04 (version
  8:6.8.9.9-7ubuntu5.5) is affected by a memory leak. This has been
  fixed in the following commit:

  
http://git.imagemagick.org/repos/ImageMagick/commit/6790815c75bdea0357df5564345847856e995d6b

  So I request this fix to be backported to 16.04 (and other affect
  version, if applicable; 14.04 is not affected).

  The tool ODR-PadEnc which I maintain is affected by the bug:

https://github.com/Opendigitalradio/ODR-PadEnc/issues/2

  Here one of the outputs that Valgrind procudes for each invokation -
  in this case, I used 14.04 with
  
http://archive.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6.8.9.9.orig.tar.xz
  as I have 16.04 only running in a VM. The patches within
  
http://archive.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6.8.9.9-7ubuntu5.5.debian.tar.xz
  do NOT address this bug.

  ==1961== 455,322 bytes in 111 blocks are definitely lost in loss
record 1,761 of 1,762
  ==1961==at 0x4C2AB80: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1961==by 0x5E2DB3E: AcquireString (string.c:132)
  ==1961==by 0x5E2FC10: StringToArgv (string.c:2196)
  ==1961==by 0x5DC46F7: IsOptionMember (option.c:2278)
  ==1961==by 0x5F3F789: WritePNGImage (png.c:11996)
  ==1961==by 0x5D12B11: WriteImage (constitute.c:1184)
  ==1961==by 0x5CDE340: ImageToBlob (blob.c:1607)
  ==1961==by 0x40D7A5: SLSManager::encodeFile(std::string const&,
int, bool) (sls.cpp:392)
  ==1961==by 0x4038B1: main (odr-padenc.cpp:324)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1671630/+subscriptions

Bug#856881: Not found in stable and oldstable

[Bastien ROUCARIES]

control: notfound - 1 8:6.8.9.9-5+deb8u7
control: notfound - 1 8:6.7.7.10-5+deb7u11

code is not present

Bug#856882: Fwd: Not found in stable and oldstable

[Bastien ROUCARIES]

control: notfound - 1 8:6.8.9.9-5+deb8u7
control: notfound - 1 8:6.7.7.10-5+deb7u11

code is not present

Bug#694308: forwarded

[Bastien ROUCARIES]

control: forwarded -1 https://github.com/adobe-type-tools/afdko/issues/172

Bug#856881: retitle

[Bastien ROUCARIES]

control: tag -1 + patch
control: retitle -1 CVE-2017-6501: null pointer deref in xcf coder

Bug#856880: retitle

[Bastien ROUCARIES]

control: tag -1 + patch
control: retitle -1 CVE-2017-6499: Magick++ memory leak

Bug#856879: retitle

[Bastien ROUCARIES]

control: tag -1 + patch
control: retitle -1 CVE-2017-6500: sun file heap-based buffer over-read

Bug#856882: retitle

[Bastien ROUCARIES]

control: tags -1 + patch
control: retitle -1 [CVE-2017-6497] Added missing null check in psd coder