Bug#681016: [release.debian.org] unblock: dotlrn/2.5.0+dfsg-8
> Thanks. btw, I'm assuming these issues also apply to the package in
> unstable? If so then they should really be fixed there too.

Yes, once the solution is "definitive" I'll apply the changes to unstable, otherwise it will break on the upgrade. The openacs package has the same issues so it will be updated too.

> +ucf --debconf-ok $localconfigtmp $localconfig || cp -f
> $localconfigtmp $localconfig
>
> Under what circumstances might ucf fail in a way that would necessitate
> the forced copying?

None in particular, I just thought it could be more robust that way. In case the local ucf is broken somehow, dotlrn could install anyway.

> +chmod 640 $localconfig
> +chown www-data:www-data $localconfig
>
> This looks like it would overwrite any local changes made to the
> permissions?

Yes, should I check if the file already exists and respect the existing permissions?

> +rm -f /etc/aolserver4/conf.d/dotlrn.tcl
> /etc/aolserver4/conf.d/dotlrn.sh
> +# Start aolserver after removal
> +[ -f /etc/init.d/aolserver4 ] && invoke-rc.d aolserver4 start
>
> What's the logic here? If the intention is to make aolserver4 notice
> that the configuration files have gone away then "restart" would
> probably be more appropriate? There is a potential issue here though if
> the service wasn't actually running before dotlrn was removed.

I see, so could this be an acceptable replacement?

[ -f /etc/init.d/aolserver4 ] && [ -f /var/run/aolserver4/dotlrn.pid ] && invoke-rc.d aolserver4 restart

...or this one, assuming /etc/init.d/aolserver4 exists if there is a /var/run/aolserver4/dotlrn.pid file:

[ -f /var/run/aolserver4/dotlrn.pid ] && invoke-rc.d aolserver4 restart

> +# If the file was not modified by the user, then we can restore
> +# it to its initial state (before running postinst and modify it
> +# with debconf values) by deleting the modified lines.
> +#
> +# See Bug #688435
> +#
> +if dpkg --compare-versions "$2" le "2.5.0+dfsg-6+wheezy1"
> +then
> +# Reset config.tcl to its primordial state
> +sed -i '/set db_host/,/set db_user/d' /etc/dotlrn/config.tcl
> +fi
>
> If the file had been modified by the user, you've just overwritten their
> changes? I guess that would already have happened with the forced
> debconf overwrite. :-(

Only the changes between the lines "## Debconf changes (DO NOT EDIT BYHAND) ##" and "## End Debconf Changes ###" are overwritten. The idea behind this was:

- If the file wasn't modified by the user, then the upgrade is performed smoothly and the new config.local file is generated with the old debconf values.
- If the "debconf block" was modified by hand by the user, then overwrite the changes with the debconf ones in config.local. It should be OK, because there was a warning about not doing that.
- If another block of the file was modified by the user, then prompt him about the changes, as with any other config file.

Now, I realise that I'm assuming that the user should only use debconf to modify these settings (database settings, via package reconfigure); should I give the user the chance to edit these settings by hand, checking them in preinst and replacing the current debconf values with the modified ones?

Thanks again!

Kind regards,
Héctor

-- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/1349230582.10379.99.camel@bulma
Bug#688966: Review midgard2-core package
On Thu, Sep 27, 2012 at 04:44:52PM +0200, Piotr Pokora wrote:
> Please review midgard2-core for inclusion in squeeze.
> Package contains only one RC bug:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677795
>
> New source package which fixes the bug (with renamed packages) is
> waiting in queue, marked as NEW. Package itself doesn't contain any
> upstream changes. Also there is related package 'php5-midgard2' which
> can be uploaded to unstable and rebuilt due to dependency name change.

We do not have access to NEW. Hence you'd need to provide us with a debdiff for us to voice our opinion about it.

Kind regards
Philipp Kern
Bug#689390: marked as done (unblock: spice-gtk/0.12-5)
Your message dated Tue, 02 Oct 2012 21:08:04 +0100 with message-id <1349208484.14024.17.ca...@jacala.jungle.funky-badger.org> and subject line Re: Bug#689390: unblock: spice-gtk/0.12-5 has caused the Debian Bug report #689390, regarding unblock: spice-gtk/0.12-5 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 689390: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689390 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package spice-gtk. It fixes a root security hole via GDBus (#689155), by correctly sanitizing the environment in a setuid helper before doing anything non-trivial. This is basically the same flaw as the one mitigated by #689070 in dbus, but with GDBus instead of libdbus, and fixing it in the setuid program rather than second-guessing it in the library. 
unblock spice-gtk/0.12-5 -- System Information: Debian Release: wheezy/sid APT prefers testing-proposed-updates APT policy: (500, 'testing-proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash diffstat for spice-gtk-0.12 spice-gtk-0.12 changelog|6 ++ patches/clearenv-in-usb-acl-helper.patch | 64 +++ patches/series |1 3 files changed, 71 insertions(+) diff -Nru spice-gtk-0.12/debian/changelog spice-gtk-0.12/debian/changelog --- spice-gtk-0.12/debian/changelog 2012-07-08 18:20:26.0 +0100 +++ spice-gtk-0.12/debian/changelog 2012-10-01 14:31:41.0 +0100 @@ -1,3 +1,9 @@ +spice-gtk (0.12-5) unstable; urgency=high + + * Add patch clearenv-in-usb-acl-helper.patch (Closes: #689155) + + -- Liang Guo Mon, 01 Oct 2012 21:30:21 +0800 + spice-gtk (0.12-4) unstable; urgency=low * Correct version problem in *.pc (Closes: #680290) diff -Nru spice-gtk-0.12/debian/patches/clearenv-in-usb-acl-helper.patch spice-gtk-0.12/debian/patches/clearenv-in-usb-acl-helper.patch --- spice-gtk-0.12/debian/patches/clearenv-in-usb-acl-helper.patch 1970-01-01 01:00:00.0 +0100 +++ spice-gtk-0.12/debian/patches/clearenv-in-usb-acl-helper.patch 2012-10-01 14:29:38.0 +0100 
@@ -0,0 +1,64 @@ +Author: Colin Walters +Origin: upstream, commit:efbf867bb88845d5edf839550b54494b1bb752b9 +Date: Fri, 14 Sep 2012 09:21:28 + +Subject: usb-acl-helper: Clear environment + +Otherwise we can be subject to attack via environment variables such +as DBUS_SYSTEM_BUS_ADDRESS. +This addresses CVE-2012-4425 http://seclists.org/oss-sec/2012/q3/470 +--- a/configure.ac b/configure.ac +@@ -256,6 +256,8 @@ + EXTERNAL_PNP_IDS="$with_pnp_ids_path" + fi + ++AC_CHECK_FUNCS(clearenv) ++ + PKG_CHECK_MODULES(GLIB2, glib-2.0 >= 2.22) + AC_SUBST(GLIB2_CFLAGS) + AC_SUBST(GLIB2_LIBS) +--- a/gtk/spice-client-glib-usb-acl-helper.c b/gtk/spice-client-glib-usb-acl-helper.c +@@ -158,7 +158,8 @@ + if (state == STATE_WAITING_FOR_STDIN_EOF) + set_facl(path, getuid(), 0); + +-g_main_loop_quit(loop); ++if (loop) ++g_main_loop_quit(loop); + } + + /* Not available in polkit < 0.101 */ +@@ -311,11 +312,32 @@ + } + #endif + ++#ifndef HAVE_CLEARENV ++extern char **environ; ++ ++static int ++clearenv (void) ++{ ++if (environ != NULL) ++environ[0] = NULL; ++return 0; ++} ++#endif ++ + int main(void) + { + pid_t parent_pid; + GInputStream *stdin_unix_stream; + ++ /* Nuke the environment to get a well-known and sanitized ++ * environment to avoid attacks via e.g. the DBUS_SYSTEM_BUS_ADDRESS ++ * environment variable and similar. ++ */ ++if (clearenv () != 0) { ++FATAL_ERROR("Error clearing environment: %s\n", g_strerror (errno)); ++return 1; ++} ++ + g_type_init(); + + loop = g_main_loop_new(NULL, FALSE); diff -Nru spice-gtk-0.12/debian/patches/series spice-gtk-0.12/debian/patches/series --- spice-gtk-0.12/debian/patches/series 2012-06-28 18:15:40.0 +0100 +++ spice-gtk-0.12/debian/patches/series 2012-10-01 14:19:27.0 +0100 @@ -2,3 +2,4 @@ fix-parsing-uri-query.patch fix-spice-audio-binding.patch make-celt-to-be-optional.patch +clearenv-in-usb-acl-helper.patch --- End Message --- --- Begin Message --- On Tue, 2012-10-02 at 08:13 +0100, Simon McVittie wrote: >
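Review bot: the new `if (loop)` guard around `g_main_loop_quit(loop)` in the second hunk is not explained anywhere in the commit message; it is presumably needed because the `clearenv()` failure path now runs before `loop = g_main_loop_new(NULL, FALSE)`, so the cleanup can see a NULL loop. A one-line comment at the guard, or a sentence in the commit message, would save the next reader that reconstruction.

Review bot: the `#ifndef HAVE_CLEARENV` fallback in the third hunk empties the array in place with `environ[0] = NULL` and unconditionally returns 0, so the `FATAL_ERROR("Error clearing environment: %s\n", g_strerror (errno))` branch in `main()` can only fire with the libc implementation selected by the new `AC_CHECK_FUNCS(clearenv)` in configure.ac. That is fine, but a short comment on the fallback saying it cannot fail would stop a reader from expecting error reporting there.

Review bot: the `main()` hunk leaves the helper with a completely empty environment, which is the right default for a setuid program, but anything it later execs or any library that consults PATH, HOME or the locale then gets nothing; if such uses exist in the helper, follow `clearenv()` with `setenv()` of a small fixed set (a hard-coded PATH at least) rather than leaving it empty. It also runs at the top of `main()`, so environment-driven behaviour in shared-library constructors that execute before `main()` is outside what this patch covers; the commit message could say that the fix is scoped to the GDBus lookups done after `main()` starts.

The fix the unblock request describes, sanitizing the environment of a setuid helper before it touches GDBus, is easier to reason about as a stand-alone program. The following is an added example, not code from spice-gtk or from the Debian patch above: it drops the inherited environment the way the patch does, then re-adds a fixed PATH (the allowlist variant to use when the helper execs anything), and exposes two self-checks the test below asserts on. The PATH value and the attacker-style `DBUS_SYSTEM_BUS_ADDRESS` input are constructed for illustration.

```c
/* Added example, not code from spice-gtk or the Debian patch: the
 * environment-sanitizing step a setuid helper should take before it
 * opens a GDBus connection or does anything else that consults the
 * environment.  The fixed PATH value is an assumption for illustration. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;
#ifdef __GLIBC__
int clearenv(void);
#endif

/* Fixed value the helper re-exports; nothing from the caller survives. */
static const char SAFE_PATH[] = "/usr/sbin:/usr/bin:/sbin:/bin";

/* glibc has clearenv(); elsewhere, emptying the array in place is the
 * usual portable fallback.  Returns 0 on success. */
static int clear_environment(void)
{
#ifdef __GLIBC__
    return clearenv();
#else
    if (environ != NULL)
        environ[0] = NULL;
    return 0;
#endif
}

/* Drop the inherited environment (DBUS_SYSTEM_BUS_ADDRESS, LD_*, etc.)
 * and rebuild the small set the helper actually needs.  Returns 0 on
 * success, -1 with errno set otherwise; a caller should treat -1 as fatal. */
int sanitize_environment(void)
{
    if (clear_environment() != 0)
        return -1;
    if (setenv("PATH", SAFE_PATH, 1) != 0)
        return -1;
    return 0;
}

/* Number of variables currently set; after sanitize_environment() this
 * is exactly the allowlisted count (one here). */
int environment_size(void)
{
    int n = 0;
    if (environ == NULL)
        return 0;
    while (environ[n] != NULL)
        n++;
    return n;
}

/* 1 if a variable is present, 0 if not; used as a self-check. */
int environment_has(const char *name)
{
    return getenv(name) != NULL;
}

int main(void)
{
    /* Constructed attacker-style input: a bus address under the caller's
     * control, set before exec'ing the (hypothetical) setuid helper. */
    setenv("DBUS_SYSTEM_BUS_ADDRESS", "unix:path=/tmp/attacker-bus", 1);

    if (sanitize_environment() != 0) {
        fprintf(stderr, "cannot sanitize environment: %s\n", strerror(errno));
        return 1;
    }
    printf("DBUS_SYSTEM_BUS_ADDRESS present after sanitizing: %d\n",
           environment_has("DBUS_SYSTEM_BUS_ADDRESS"));
    printf("variables left: %d (PATH=%s)\n", environment_size(), getenv("PATH"));
    return 0;
}
```

The order matters: `sanitize_environment()` has to be the first thing `main()` does, before `g_type_init()` or any GDBus call, which is exactly where the patch places its `clearenv()`.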
Pre-approval request, Gnuplot 4.6.1 for Wheezy
Thanks, Torquil, for the information.

Dear release-team, would you agree to unblock Gnuplot 4.6.1 for Wheezy, if it will be packaged? The announcement has the following information [1].

GNUPLOT VERSION 4.6.1
===

This is an incremental release of gnuplot version 4.6 containing various bug fixes and a couple of new features. A synopsis of changes since the previous patchlevel (version 4.6.0) is given below and in the NEWS file. Detailed information is in ChangeLog.

New features, changes and fixes since gnuplot version 4.6.0
===

* NEW syntax hints inside Emacs gnuplot-mode
* NEW support tabulation (set table) of pixel values from image plot styles
* NEW support tabulation of variable color column
* CHANGE emf output modified for better compatibility with MS Office programs
* CHANGE canvas terminal loads appropriate font file for UTF-8 encoding
* CHANGE skip execution of empty iteration loops in set and do commands
* CHANGE build scripts modified to accommodate automake 1.12
* CHANGE new policy: objects given in screen coords are not clipped to graph
* CHANGE Draw the z-axis label at a fixed distance to the left of the z-axis
* CHANGE "unset object N" succeeds even if there is currently no object N
* FIX margin space required for rotated axis tic labels
* FIX check for NaN values in binary input
* FIX backslash handling in enhanced text strings
* FIX cairo terminals sometimes lost the line segment before a polygon
* FIX interactive toggle of multiplots in svg
* FIX failure to balance {} if an input file did not end with a newline
* FIX strlen() and substring operators correctly handle UTF-8
* FIX initialization of history when configured --with-readline=bsd
* FIX set term cairolatex pdf mono
* FIX palette-related corruption in some cairolatex output
* FIX preserve number of active call arguments across a nested call command
* FIX wxt terminal mutex protecting execution of the command list
* FIX apply clipping to the interior fill of circles and ellipses
* FIX corruption of weights used for plotting with smooth acsplines
* FIX skip columnheader line when applying "every" filter
* FIX handle out-of-range pm3d values when cb axis is set to log scale
* FIX top/bottom color distinction in hidden3d when not using palette/RGB colors
* FIX allow toggling on/off of more than 10 plots in windows terminal
* FIX color printing from windows terminal
* FIX set term win font ","
* FIX incorrect return for acos(x) when imag(x) > 0 (bug present since v3.7)
  incorrect return for asin(x) when imag(x) > 0 (bug in 4.4.4, 4.6.0)
  incorrect asinh(x) when real(x) < 0 && imag(x) == 0 (bug in 4.4.4, 4.6.0)
* FIX keep sufficient precision in canvas and svg coords to report time in msec
* FIX the input buffer was not always extended correctly inside a { clause }
* FIX some cairolatex set_color requests were being ignored
* FIX calculated value of kernel density mean and sigma
* FIX emf terminal dashed line support

Thanks,
Anton

2012/10/2 Torquil Macdonald Sørensen :
> Package: gnuplot
> Version: 4.6.0-8
> Severity: wishlist
>
> Please package 4.6.1, since it has some useful bug fixes.
>
> Best regards
> Torquil Sørensen

Archive: http://lists.debian.org/calf6qjmo_l2v_+p9a_oguhujq+sqnxn-xre6nv5fndbt6de...@mail.gmail.com
Bug#688100: unblock: fglrx-driver/1:12-6+point-2
Quoting Andreas Beckmann (deb...@abeckmann.de):
> On 2012-09-20 07:30, Christian PERRIER wrote:
> > You have an outstanding call for translations for the changes that
> > modified these debconf templates. Please wait for it to complete and
> [...]
> > I can for instance make sure you get these 8 needed updates (among
> > others probably). I can even "shake" the late comers (there will be some).
>
> Translation deadline is approaching, one critical (es) and two other
> (gl, sk) are missing.

I'm shaking the Spanish team as hard as I can. You won't probably get an update for Galician and I have doubts for Slovak.
Bug#687189: unblock: calendarserver/3.2+dfsg-2
Will upload calendarserver 3.2+dfsg-4 in a few hours. This provides an updated copy of the Vtimezone zoneinfo database. In future versions, we plan to use the system zoneinfo database at /usr/share/zoneinfo. Regards, Rahul. Archive: http://lists.debian.org/506b3f28.5030...@users.sourceforge.net
Bug#689449: marked as done (unblock: xserver-xorg-input-synaptics/1.6.2-2)
Your message dated Tue, 02 Oct 2012 20:01:52 +0100 with message-id <1349204512.14024.16.ca...@jacala.jungle.funky-badger.org> and subject line Re: Bug#689449: unblock: xserver-xorg-input-synaptics/1.6.2-2 has caused the Debian Bug report #689449, regarding unblock: xserver-xorg-input-synaptics/1.6.2-2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 689449: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689449 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package xserver-xorg-input-synaptics Single upstream fix for memory corruption. unblock xserver-xorg-input-synaptics/1.6.2-2 Cheers, Julien --- End Message --- --- Begin Message --- On Tue, 2012-10-02 at 20:31 +0200, Julien Cristau wrote: > Please unblock package xserver-xorg-input-synaptics > > Single upstream fix for memory corruption. Unblocked; thanks. Regards, Adam--- End Message ---
Bug#681016: [release.debian.org] unblock: dotlrn/2.5.0+dfsg-8
Control: tags -1 + moreinfo
Control: retitle -1 unblock: dotlrn/2.5.0+dfsg-6+wheezy2

On Tue, 2012-10-02 at 01:38 +0200, Hector Romojaro wrote:
> I have uploaded the new version containing the fix for the new RC bug
> previously mentioned to svn, and asked for upload to t-p-u to my
> sponsor[1].

Thanks. btw, I'm assuming these issues also apply to the package in unstable? If so then they should really be fixed there too.

> About the bug and the fix, the problem was that /etc/dotlrn/config.tcl
> was being modified by debconf on the install and, as it's marked as a
> conffile, on the upgrade is detected as modified by the user (even if
> that's not the case).
>
> The fix consists in using another file (/etc/dotlrn/config.local)
> containing the local config values, managed by ucf and modified by
> debconf on the install, and import these values from the original
> config.tcl file. Also, the preinst script tries to revert the config.tcl
> to its primordial state so it's not detected as modified on the upgrade.

Looking through the diff, I had a few queries:

+ucf --debconf-ok $localconfigtmp $localconfig || cp -f $localconfigtmp $localconfig

Under what circumstances might ucf fail in a way that would necessitate the forced copying?

+chmod 640 $localconfig
+chown www-data:www-data $localconfig

This looks like it would overwrite any local changes made to the permissions?

+rm -f /etc/aolserver4/conf.d/dotlrn.tcl /etc/aolserver4/conf.d/dotlrn.sh
+# Start aolserver after removal
+[ -f /etc/init.d/aolserver4 ] && invoke-rc.d aolserver4 start

What's the logic here? If the intention is to make aolserver4 notice that the configuration files have gone away then "restart" would probably be more appropriate? There is a potential issue here though if the service wasn't actually running before dotlrn was removed.

+# If the file was not modified by the user, then we can restore
+# it to its initial state (before running postinst and modify it
+# with debconf values) by deleting the modified lines.
+#
+# See Bug #688435
+#
+if dpkg --compare-versions "$2" le "2.5.0+dfsg-6+wheezy1"
+then
+# Reset config.tcl to its primordial state
+sed -i '/set db_host/,/set db_user/d' /etc/dotlrn/config.tcl
+fi

If the file had been modified by the user, you've just overwritten their changes? I guess that would already have happened with the forced debconf overwrite. :-(

Regards,

Adam

Archive: http://lists.debian.org/1349203722.14024.15.ca...@jacala.jungle.funky-badger.org
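Review bot: in the `[ -f /etc/init.d/aolserver4 ] && invoke-rc.d aolserver4 start` hunk, besides the start-versus-restart question, a `test && command` list whose test fails leaves exit status 1, so if that is the last line of the maintainer script the script itself fails on systems without the init script; end it with `|| true` or write it as an `if`, and make the restart conditional on the service actually running (a pid-file or `invoke-rc.d aolserver4 status` check) so removal of dotlrn does not start a server the admin had stopped.

Review bot: the preinst hunk's `sed -i '/set db_host/,/set db_user/d'` is anchored on the setting names, not on the `## Debconf changes` / `## End Debconf Changes` marker lines that the maintainer says delimit the block, so it also deletes a `set db_host` line an admin wrote elsewhere in the file, and if `set db_user` is missing the range runs to end of file. Matching on the two marker lines limits the deletion to the debconf block, and comparing the file's md5sum with the shipped conffile before touching it would answer the "modified by the user" question before anything is deleted.

The three points raised in this review (permissions reapplied on every run, a service restart that may start a service that was not running, and a sed range not tied to the debconf markers), together with the pid-file check Héctor proposes in his reply earlier on this page, are easier to see as small maintainer-script helpers. The following is an added example, not code from the dotlrn package; the marker strings are taken as quoted in the thread, and the pid-file path, owner and mode are placeholders from the discussion, to be checked against the real package:

```sh
#!/bin/sh
# Added example, not code from the dotlrn package: helpers a postinst,
# preinst or postrm could use for the three points raised in this review.
# The marker strings are as quoted in the thread (check the real file);
# the pid-file path and www-data ownership are assumptions from the thread.
set -eu

DEBCONF_BEGIN='## Debconf changes (DO NOT EDIT BYHAND) ##'
DEBCONF_END='## End Debconf Changes ###'

# Install a generated config only when it is new; an existing file keeps
# whatever owner and mode the admin gave it.  In the real script the
# "exists" branch is where "ucf --debconf-ok" merges the new values.
# Prints "created" or "kept".
install_local_config() {
    src=$1 dst=$2 owner=$3 group=$4 mode=$5
    if [ -e "$dst" ]; then
        echo kept
        return 0
    fi
    cp "$src" "$dst"
    chown "$owner:$group" "$dst"
    chmod "$mode" "$dst"
    echo created
}

# True only if the pid file exists and names a live process, so a
# maintainer script restarts the service only when it was running.
service_running() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -dc '0-9')
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# Run the restart command (e.g. invoke-rc.d aolserver4 restart) only when
# the service is up, and never fail the maintainer script either way.
restart_if_running() {
    pidfile=$1
    shift
    if service_running "$pidfile"; then
        "$@"
    fi
    return 0
}

# Delete exactly the marked debconf block, not a "set db_host".."set db_user"
# range that could match lines the admin wrote elsewhere in the file.
# Prints the number of lines removed.
strip_debconf_block() {
    f=$1
    before=$(wc -l < "$f")
    awk -v b="$DEBCONF_BEGIN" -v e="$DEBCONF_END" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip   { print }
    ' "$f" > "$f.tmp"
    mv "$f.tmp" "$f"
    after=$(wc -l < "$f")
    echo $((before - after))
}
```

In a postinst the call would be `install_local_config "$localconfigtmp" "$localconfig" www-data www-data 640` after debconf has generated the temporary file, with ucf handling the upgrade branch; a postrm would use `restart_if_running /var/run/aolserver4/dotlrn.pid invoke-rc.d aolserver4 restart`, which also avoids the non-zero exit that a bare `[ -f ... ] && ...` leaves as the script's last status when the test fails.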
Processed: Re: Bug#681016: [release.debian.org] unblock: dotlrn/2.5.0+dfsg-8
Processing control commands: > tags -1 + moreinfo Bug #681016 [release.debian.org] [release.debian.org] unblock: dotlrn/2.5.0+dfsg-8 Ignoring request to alter tags of bug #681016 to the same tags previously set > retitle -1 unblock: dotlrn/2.5.0+dfsg-6+wheezy2 Bug #681016 [release.debian.org] [release.debian.org] unblock: dotlrn/2.5.0+dfsg-8 Changed Bug title to 'unblock: dotlrn/2.5.0+dfsg-6+wheezy2' from '[release.debian.org] unblock: dotlrn/2.5.0+dfsg-8' -- 681016: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681016 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems Archive: http://lists.debian.org/handler.s.b681016.134920381527971.transcr...@bugs.debian.org
Bug#689449: unblock: xserver-xorg-input-synaptics/1.6.2-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package xserver-xorg-input-synaptics Single upstream fix for memory corruption. unblock xserver-xorg-input-synaptics/1.6.2-2 Cheers, Julien
Bug#689448: unblock: xorg-server/2:1.12.4-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package xorg-server unblock xorg-server/2:1.12.4-1 One revert for a regression from 1.12.3.902 (sorry about that one, I was aware of it but somehow thought it wasn't in 1.12.3.902), plus a couple more fixes that might help ia64. And an added conflict for a driver that's no longer shipped, which will hopefully help apt with the upgrade path. diff --git a/ChangeLog b/ChangeLog index 3fc89f8..1a89ccc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,19 @@ +commit dfc03ef3fda3572db590c2096272c990d434163e +Author: Jeremy Huddleston Sequoia +Date: Sun Aug 26 22:11:00 2012 -0700 + +configure.ac: Version bump to 1.12.4 + +Signed-off-by: Jeremy Huddleston Sequoia + +commit 8995fcf260895ad288146b78d4c42b6f3b838d4f +Author: Jeremy Huddleston Sequoia +Date: Sun Aug 26 22:09:49 2012 -0700 + +XQuartz: Bump version to 2.7.3 + +Signed-off-by: Jeremy Huddleston Sequoia + commit a6d7400507f220d6f98b853def7904586fb1eadd Author: Jeremy Huddleston Sequoia Date: Sun Aug 19 09:07:33 2012 -0700 diff --git a/configure.ac b/configure.ac index 28c9cf8..7c7e69e 100644 --- a/configure.ac +++ b/configure.ac @@ -26,8 +26,8 @@ dnl dnl Process this file with autoconf to create configure. AC_PREREQ(2.60) -AC_INIT([xorg-server], 1.12.3.902, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server) -RELEASE_DATE="2012-08-19" +AC_INIT([xorg-server], 1.12.4, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server) +RELEASE_DATE="2012-08-27" AC_CONFIG_SRCDIR([Makefile.am]) AM_INIT_AUTOMAKE([foreign dist-bzip2]) AM_MAINTAINER_MODE diff --git a/debian/changelog b/debian/changelog index 0043c70..77da19b 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,17 @@ +xorg-server (2:1.12.4-1) unstable; urgency=low + + * New upstream stable release. + * int10: fix pci_device_read_rom usage (closes: #686153). Thanks, Stephan +Schreiber! + * Revert 'Unload submodules' (closes: #686152). Seems to introduce a +regression, let's try that again later. Thanks, Stephan Schreiber! + * Revert "fb: reorder Bresenham error correction to avoid overshoot". Fixes +regression introduced in 1.12.3.902 (fdo#54168, closes: #688908) + * Add conflicts against obsolete evtouch input driver (hopefully closes: +#687268) + + -- Julien Cristau Sun, 30 Sep 2012 12:47:00 +0200 + xorg-server (2:1.12.3.902-1) unstable; urgency=low * New upstream release candidate diff --git a/debian/control b/debian/control index 8db33e2..d8f3735 100644 --- a/debian/control +++ b/debian/control @@ -119,6 +119,8 @@ Breaks: xserver-xorg-video-vga (<= 1:4.1.0-8), libgl1-mesa-dri (<< 7.10.2-4), libgl1-mesa-dri-experimental (<< 7.10.2-4), +Conflicts: + xserver-xorg-input-evtouch, Provides: ${videoabi}, ${inputabi}, diff --git a/debian/patches/04_int10-fix-pci_device_read_rom-usage.diff b/debian/patches/04_int10-fix-pci_device_read_rom-usage.diff new file mode 100644 index 000..e33351f --- /dev/null +++ b/debian/patches/04_int10-fix-pci_device_read_rom-usage.diff 
@@ -0,0 +1,45 @@ +From ccef32b333cde427e728d30253c221d9d7aabb3a Mon Sep 17 00:00:00 2001 +From: Stephan Schreiber +Date: Wed, 29 Aug 2012 19:58:23 +0200 +Subject: [PATCH] int10: fix pci_device_read_rom usage + +I noticed that the build-in int10 driver always reports +"Unable to retrieve all of segment 0x0C." +even though the entire BIOS data is retrieved with success. + +The associated code is in hw/xfree86/int10/generic.c, in the function +xf86ExtendedInitInt10(): + +if (pci_device_read_rom(pInt->dev, vbiosMem) < V_BIOS_SIZE) { +xf86DrvMsg(screen, X_WARNING, + "Unable to retrieve all of segment 0x0C.\n"); +} + +The function pci_device_read_rom() is from libpciaccess; its return +value is not a size but an error status code: 0 means success. +If pci_device_read_rom() returns 0 for success, the warning is generated. + +The proposed patch corrects the evaluation of the return value of +pci_device_read_rom() and of the supplied BIOS size. + +Debian bug#686153 + +Signed-off-by: Julien Cristau +--- + hw/xfree86/int10/generic.c |3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +Index: xorg-server/hw/xfree86/int10/generic.c +=== +--- xorg-server.orig/hw/xfree86/int10/generic.c xorg-server/hw/xfree86/int10/generic.c +@@ -178,7 +178,8 @@ xf86ExtendedInitInt10(int entityIndex, i + */ + vbiosMem = (char *) base + V_BIOS; + memset(vbiosMem, 0, 2 * V_BIOS_SIZE); +-if (pci_device_read_rom(pInt->dev, vbiosMem) < V_BIOS_SIZE) { ++if (pci_device_read_rom(pInt->dev, vbiosMem) != 0 ++|| pInt->dev->rom_size < V_BIOS_SIZE) { + xf86DrvMsg(screen, X_WARNING, +"Unable to retrieve all of segment 0x0C.\n"); + } diff --git a/deb
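Review bot: the int10 hunk now warns on two distinct conditions, a non-zero return from `pci_device_read_rom()` and a ROM shorter than `V_BIOS_SIZE` (`pInt->dev->rom_size < V_BIOS_SIZE`), but both print the same "Unable to retrieve all of segment 0x0C." text; logging the return code and `rom_size` in the message would make the next report of this warning diagnosable. Since a short ROM leaves the tail of `vbiosMem` as the zeroes written by the `memset` just above, the warning is the only signal the caller gets, so it should carry that detail.

Review bot: the `Conflicts: xserver-xorg-input-evtouch` added in debian/control is unversioned, so it also blocks any future upload of that driver, not just the obsolete binary the changelog entry targets ("hopefully closes: #687268"); if the intent is only to get the stale package off upgraded systems, the changelog entry should say so, or the relation should be versioned against the last shipped evtouch version.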
Bug#689438: marked as done (unblock: docbook-slides/3.4.0-5)
Your message dated Tue, 02 Oct 2012 19:04:22 +0100 with message-id <1349201062.14024.4.ca...@jacala.jungle.funky-badger.org> and subject line Re: Bug#689438: unblock: docbook-slides/3.4.0-5 has caused the Debian Bug report #689438, regarding unblock: docbook-slides/3.4.0-5 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 689438: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689438 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package docbook-slides Please unblock docbook-slides. This will allow the fix to #686516 to move to testing. Thanks unblock docbook-slides/3.4.0-5 -- System Information: Debian Release: 6.0.5 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable'), (200, 'testing'), (100, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-0.bpo.2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash --- End Message --- --- Begin Message --- On Tue, 2012-10-02 at 18:01 +0200, Mathieu Malaterre wrote: > Please unblock docbook-slides. This will allow the fix to #686516 to > move to testing. Thanks Unblocked; thanks. Regards, Adam--- End Message ---
Bug#687695: pre-approve unblock: tryton-modules-party-vcarddav/2.2.1-1
On Sat, 2012-09-15 at 10:22 +0200, Mathias Behrle wrote: > please approve the upload of tryton-modules-party-vcarddav_2.2.1-1. > > The new version contains the upstream bug fix release [1]. [...] > * Reports must no more be encoded in base64 I might regret asking this, but... why not? Regards, Adam Archive: http://lists.debian.org/1349201227.14024.6.ca...@jacala.jungle.funky-badger.org
Bug#689446: marked as done (unblock: libxslt/1.1.26-14)
Your message dated Tue, 02 Oct 2012 19:01:26 +0100 with message-id <1349200886.14024.3.ca...@jacala.jungle.funky-badger.org> and subject line Re: Bug#689446: unblock: libxslt/1.1.26-14 has caused the Debian Bug report #689446, regarding unblock: libxslt/1.1.26-14 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 689446: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689446 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock This fixes three CVEs (Bug #689422): CVE-2012-2870 CVE-2012-2871 CVE-2012-2893 unblock: libxslt/1.1.26-14 -- Regards, Aron Xu [attachment: libxslt_1.1.26-14.debdiff] --- End Message --- --- Begin Message --- On Wed, 2012-10-03 at 01:55 +0800, Aron Xu wrote: > This fixes three CVEs (Bug #689422): > > CVE-2012-2870 > CVE-2012-2871 > CVE-2012-2893 Unblocked; thanks. Regards, Adam--- End Message ---
Bug#689438: unblock: docbook-slides/3.4.0-5
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package docbook-slides Please unblock docbook-slides. This will allow the fix to #686516 to move to testing. Thanks unblock docbook-slides/3.4.0-5 -- System Information: Debian Release: 6.0.5 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable'), (200, 'testing'), (100, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-0.bpo.2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Archive: http://lists.debian.org/20121002160142.534.47058.report...@lirispat.univ-lyon1.fr
Bug#689362: unblock: qt-at-spi/0.3.1-2
Samuel Thibault, on Mon 01 Oct 2012 23:51:43 +0200, wrote:
> Please unblock package qt-at-spi
>
> unblock qt-at-spi/0.3.1-2
>
> This adds the multi-arch declaration, so that users can install a 32bit
> bridge for accessing 32bit applications on 64bit machines.

Oops, Luke had committed it and I hadn't tested it myself. It happens that there's an issue with it (generated documentation which is not exactly the same), and the packages are thus not co-installable (see #689403). I'll probably have to split out the documentation to a new qt-at-spi-doc package.

Samuel

Archive: http://lists.debian.org/20121002155931.ga21...@type.bordeaux.inria.fr
Bug#689425: unblock: fcitx-googlepinyin/0.1.6-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock This is a relatively big debdiff, but most of the noise comes from the newly added svg files, which show up as text files in the diff. These changes limit the input and install icons to avoid crashing the fcitx main program. Even though the known issues in fcitx have already been fixed, it would be good to make fcitx-googlepinyin safer. unblock: fcitx-googlepinyin/0.1.6-1 -- Regards, Aron Xu [attachment: fcitx-googlepinyin_0.1.6-1.debdiff]
Bug#689157: unblock: mediawiki-extensions/2.9, mediawiki/1:1.19.2-2
Dear Release Team,

please extend the courtesy to unblock the MediaWiki packages to today’s uploads: mediawiki-extensions/2.9, mediawiki/1:1.19.2-2

The reason behind this is the removal of the FCKeditor extension which works only up to and including MediaWiki 1.17 and has been deprecated by the Wikimedia Foundation in favour of another, not yet packaged, extension (see #689375 for the full details). We would like to have this, now non-working, extension removed from src:mediawiki-extensions and broken by mediawiki, in wheezy too, and have added appropriate NEWS entries.

Furthermore, there’s a small fix for the Collection extension regarding downloading the generated PDFs from the "PDF Export" link and for Wikibooks in PDF format, which was broken depending on the version or configuration of the render server (affecting one of two possible codepaths). This basically inlines a bit of code from two “convenience wrapper” functions in order to access the HTTP Response headers.

The debdiffs (attached) are relatively short (I have represented file removals as a comment at the top instead of including their full diff):

mediawiki:
- add NEWS entry, break any version of mediawiki-extensions-fckeditor
- adjust debian/watch file for DDPO vs. uscan behaviour difference: patch (dversionmangle) away the epoch, which DDPO doesn’t like, as done for src:cvs

mediawiki-extensions:
- remove all files related to the FCKeditor extension
- add NEWS entry
- remove debian/{control{,.in},copyright,patches/series,rules} entries related to the FCKeditor extension
- debian/patches/fix_collection.patch: add fix for downloading generated PDFs
- remove svn-revisions entries related to the FCKeditor extension

Thanks in advance,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Sebastian Mancke

deleted: - mediawiki-extensions-2.8/debian/mediawiki-extensions-fckeditor.links - mediawiki-extensions-2.8/debian/patches/fix_fckeditor.patch - mediawiki-extensions-2.8/dist/mediawiki-extensions-fckeditor/ --- mediawiki-extensions-2.8/debian/NEWS1970-01-01 01:00:00.0 +0100 +++ mediawiki-extensions-2.9/debian/NEWS2012-10-02 14:09:51.0 +0200 @@ -0,0 +1,11 @@ +mediawiki-extensions (2.9) unstable; urgency=low + + The mediawiki-extensions-fckeditor package has been + deprecated by the Wikimedia foundation and is thus + no longer included in the packaging, so if your wikis + have been using this extension, please remove it from + their configuration to avoid breakage. This can be + done using "sudo mwdisext FCKeditor.php" if installed + from Debian packaging. + + -- Thorsten Glaser Tue, 02 Oct 2012 14:09:42 +0200 --- mediawiki-extensions-2.8/debian/changelog 2012-09-20 13:45:26.0 +0200 +++ mediawiki-extensions-2.9/debian/changelog 2012-10-02 14:09:51.0 +0200 
@@ -1,3 +1,10 @@ +mediawiki-extensions (2.9) unstable; urgency=low + + * Collection: fix downloading generated PDFs from the render server + * FCKeditor: remove, no longer works with MW 1.19 (Closes: #689375) + + -- Thorsten Glaser Tue, 02 Oct 2012 14:09:42 +0200 + mediawiki-extensions (2.8) unstable; urgency=low * Remove dependency of mw-ext-collection on various ECMAscript --- mediawiki-extensions-2.8/debian/control 2012-09-20 13:45:26.0 +0200 +++ mediawiki-extensions-2.9/debian/control 2012-10-02 12:13:31.0 +0200 @@ -91,17 +91,6 @@ This extension is set for the Debian mediawiki package, but it may also be used separately. -Package: mediawiki-extensions-fckeditor -Architecture: all -Depends: ${misc:Depends}, mediawiki-extensions-base, - fckeditor -Description: Extensions for MediaWiki -- FCKeditor extension - This package provides the mediawiki extensions for - FCKeditor wysiwyg editor. - . - This extension is set for the Debian mediawiki - package, but it may also be used separately. - Package: mediawiki-extensions-collection Architecture: all Depends: ${misc:Depends}, mediawiki-extensions-base, php5-curl @@ -130,7 +119,6 @@ mediawiki-extensions-ldapauth, mediawiki-extensions-openid, mediawiki-extensions-confirmedit, - mediawiki-extensions-fckeditor, mediawiki-extensions-collection, mediawiki-extensions-graphviz, ${misc:Depends} --- mediawiki-extensions-2.8/debian/control.in 2012-09-20 13:45:26.0 +0200 +++ mediawiki-extensions-2.9/debian/control.in 2012-10-02 12:13:31.0 +0200 @@ -91,17 +91,6 @@ This extension is set for the Debian mediawiki package, but it may also be used separately. -Package: mediawiki-extensions-fckeditor -Architecture: all -Depends: ${misc:Depends}, mediawiki-extensions-base, - fckeditor -Description: Extensions for MediaWiki -- FCKeditor extension - This package provides the mediawiki extensions for - FCKeditor wysiwyg editor. - . - This extension is set f
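Review bot: the debian/NEWS hunk tells administrators only that the extension "has been deprecated by the Wikimedia foundation", while the changelog hunk records the operational reason, "no longer works with MW 1.19"; the NEWS text should say that FCKeditor does not work with MediaWiki 1.19 and has therefore been removed, so an apt-listchanges reader understands the wiki will break rather than merely lose upstream support. Also "Wikimedia foundation" should read "Wikimedia Foundation", as in the cover letter.

Review bot: the debian/control and debian/control.in hunks remove mediawiki-extensions-fckeditor from the metapackage's Depends, but nothing in this source package replaces or conflicts with an already-installed mediawiki-extensions-fckeditor; the cover letter puts the Breaks in src:mediawiki, so the two unblocks only make sense together, and the NEWS entry should name the "sudo mwdisext FCKeditor.php" step as required before the upgrade rather than after, since the old extension directory is gone once this package is installed.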
Processed: your mail
Processing commands for cont...@bugs.debian.org:

> retitle 689156 unblock: mediawiki/1:1.19.2-2
Bug #689156 [release.debian.org] unblock: mediawiki/1:1.19.2-1
Changed Bug title to 'unblock: mediawiki/1:1.19.2-2' from 'unblock: mediawiki/1:1.19.2-1'
> retitle 689157 unblock: mediawiki-extensions/2.9
Bug #689157 [release.debian.org] unblock: mediawiki-extensions/2.8
Changed Bug title to 'unblock: mediawiki-extensions/2.9' from 'unblock: mediawiki-extensions/2.8'
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
689156: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689156
689157: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689157
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/handler.s.c.134918159815125.transcr...@bugs.debian.org
Bug#688100: unblock: fglrx-driver/1:12-6+point-2
On 2012-09-20 07:30, Christian PERRIER wrote:
> You have an outstanding call for translations for the changes that
> modified these debconf templates. Please wait for it to complete and
[...]
> I can for instance make sure you get these 8 needed updates (among
> others probably). I can even "shake" the late comers (there will be some).

The translation deadline is approaching; one critical (es) and two others (gl, sk) are missing. Everything else is prepared in SVN and ready for upload; there is only one other change: bumping the ia32-libs Breaks to (<< 1:0).

Andreas

--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/506abcc5.4050...@abeckmann.de
Re: Freeze Exceptions for libti*, TiLP, GFM and TilEm
On Mon, 1 Oct 2012 20:44:39 -0400 Albert Huang wrote:
> > 5. as above, important changes that the maintainer feels are needed
> > before release.
> >
> > http://release.debian.org/wheezy/freeze_policy.html
> My intent was based on #5 - the current package(s), as they stand, are
> rather unusable.

... but no bugs have been reported about such problems and it is too late to introduce a new package into Wheezy. The changes would have to be ported to the existing packages instead.

> > None of which are release critical for Debian.
> Ah - I originally thought that FTBFS was considered RC.

Not unless the FTBFS affects a release architecture.

> For backports, would I ask end users to add that repo once the release
> occurs?

To go into backports, the packages have to be first uploaded to unstable, migrated into testing (which will be Jessie by that stage) and then built on Wheezy and uploaded to wheezy-backports once that becomes available.

> And backports will NOT ever migrate packages to stable
> (wheezy), I would assume?

Yes. Backports never make it into a point release and these packages do not sound like they would be suitable for inclusion into a point release of Wheezy. Users of stable are generally quite familiar with using the relevant backports packages. Users specify exactly which packages are selected from backports.

--
Neil Williams = http://www.linux.codehelp.co.uk/
Pre approval request for cracklib2
Dear release team,

I have a cracklib2 upload ready that would fix #682735 [1] by applying the patch by Markus Wanner. The patch introduces a new Debian-specific function __DEBIAN_SPECIFIC__SafeFascistCheck that does not call exit() when there is a problem reading the dictionary file. The modified Python binding that uses the new function passes the test suite for all supported Python versions.

Another option is to patch the existing FascistCheck function, but as libcrack2 has some reverse dependencies I don't think this should be done before the Wheezy release. I will discuss changing FascistCheck with the other upstream developers for a later version though.

Would you allow the changed cracklib2 package (debdiff attached) for Wheezy?

Best regards
Jan

[1] http://bugs.debian.org/682735

--
Jan Dittberner - Debian Developer
GPG-key: 4096R/558FB8DD 2009-05-10
B2FF 1D95 CE8F 7A22 DF4C F09B A73E 0055 558F B8DD
http://ddportfolio.debian.net/ - http://people.debian.org/~jandd/

diff -Nru cracklib2-2.8.19/debian/changelog cracklib2-2.8.19/debian/changelog --- cracklib2-2.8.19/debian/changelog 2012-05-20 01:24:15.0 +0200 +++ cracklib2-2.8.19/debian/changelog 2012-10-02 09:15:24.0 +0200 @@ -1,3 +1,12 @@ +cracklib2 (2.8.19-2) unstable; urgency=low + + * add debian/patches/libcrack2-error-safer-check-variant.patch to provide +__DEBIAN_SPECIFIC__SafeFascistCheck that does not call exit (Closes: +#682735) + * add __DEBIAN_SPECIFIC__SafeFascistCheck to debian/libcrack2.symbols + + -- Jan Dittberner Tue, 02 Oct 2012 09:15:16 +0200 + cracklib2 (2.8.19-1) unstable; urgency=low * New upstream version diff -Nru cracklib2-2.8.19/debian/libcrack2.symbols cracklib2-2.8.19/debian/libcrack2.symbols --- cracklib2-2.8.19/debian/libcrack2.symbols 2012-05-20 01:24:15.0 +0200 +++ cracklib2-2.8.19/debian/libcrack2.symbols 2012-10-02 09:15:24.0 +0200
@@ -27,3 +27,4 @@ Trim@Base 2.8.12 Uppercase@Base 2.8.12 GetDefaultCracklibDict@Base 2.8.14 + __DEBIAN_SPECIFIC__SafeFascistCheck@Base 2.8.19-2~ diff -Nru cracklib2-2.8.19/debian/patches/libcrack2-error-safer-check-variant.patch cracklib2-2.8.19/debian/patches/libcrack2-error-safer-check-variant.patch --- cracklib2-2.8.19/debian/patches/libcrack2-error-safer-check-variant.patch 1970-01-01 01:00:00.0 +0100 +++ cracklib2-2.8.19/debian/patches/libcrack2-error-safer-check-variant.patch 2012-10-02 09:15:24.0 +0200 
@@ -0,0 +1,189 @@ +Subject: add a safer check variant +Author: Markus Wanner +Bug-Debian: http://bugs.debian.org/682735 +--- a/lib/fascist.c b/lib/fascist.c +@@ -879,6 +879,48 @@ + return res; + } + ++/* This Debian specific method is a work-around for Debian #682735. Please ++ do not rely on it being available in future verisons of cracklib2. */ ++int ++__DEBIAN_SPECIFIC__SafeFascistCheck(password, path, errstr) ++const char *password; ++const char *path; ++char *errstr; ++{ ++PWDICT *pwp; ++char pwtrunced[STRINGSIZE]; ++ ++/* If passed null for the path, use a compiled-in default */ ++if ( ! path ) ++{ ++ path = DEFAULT_CRACKLIB_DICT; ++} ++ ++/* security problem: assume we may have been given a really long ++ password (buffer attack) and so truncate it to a workable size; ++ try to define workable size as something from which we cannot ++ extend a buffer beyond its limits in the rest of the code */ ++ ++strncpy(pwtrunced, password, TRUNCSTRINGSIZE); ++pwtrunced[TRUNCSTRINGSIZE - 1] = '\0'; /* enforce */ ++ ++/* perhaps someone should put something here to check if password ++ is really long and syslog() a message denoting buffer attacks? */ ++ ++if (!(pwp = PWOpen(path, "r"))) ++{ ++ return 0; ++} ++ ++/* sure seems like we should close the database, since we're only likely to check one password */ ++errstr = FascistLook(pwp, pwtrunced); ++ ++PWClose(pwp); ++pwp = (PWDICT *)0; ++ ++return 1; ++} ++ + const char * + GetDefaultCracklibDict() + { +--- a/python/_cracklibmodule.c b/python/_cracklibmodule.c +@@ -42,6 +42,7 @@ + #ifdef HAVE_LIBINTL_H + #include + #endif ++#include + + #ifdef HAVE_PTHREAD_H + static pthread_mutex_t cracklib_mutex = PTHREAD_MUTEX_INITIALIZER; +@@ -74,7 +75,8 @@ + { + char *candidate, *dict; + char *defaultdict = NULL; +-const char *result; ++int result; ++char *errmsg; + struct stat st; + char *keywords[] = {"pw", "dictpath", NULL}; + char *dictfile; +@@ -148,7 +150,8 @@ + #endif + + LOCK(); +-result = FascistCheck(candidate, dict ? 
dict : defaultdict); ++result = __DEBIAN_SPECIFIC__SafeFascistCheck(candidate, ++ dict ? dict : defaultdict, errmsg); + UNLOCK(); + + if (defaultdict != NULL) +@@ -156,11 +159,26 @@ + free(defaultdict); + } + +-if (result != NULL) ++if (result) + { +- PyErr_SetString(PyExc_ValueError, result
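Review bot: in the lib/fascist.c hunk, `errstr` is declared as a plain `char *` parameter, so `errstr = FascistLook(pwp, pwtrunced);` only overwrites the callee's local copy and the caller never receives the message (the assignment also silently drops the `const` of FascistLook's return type); declare it `const char **errstr` and write `*errstr = FascistLook(pwp, pwtrunced);`. The `return 0;` on PWOpen failure likewise leaves the caller with no reason; set `*errstr` there as well, and since the symbol is now exported in libcrack2.symbols, document the 0/1 return convention in the comment above the function instead of only warning that it may go away.

Review bot: in the python/_cracklibmodule.c hunk, `char *errmsg;` is never initialized and, with the by-value parameter above, never written, yet `-if (result != NULL)` becomes `+if (result)`, which is true whenever the dictionary could be opened; every checked password would therefore take the error branch and `PyErr_SetString(PyExc_ValueError, ...)` would be handed an uninitialized pointer. Test `errmsg` for the weak-password case and turn `result == 0` into its own exception, because the unreadable-dictionary case is exactly what #682735 is about. The `#include` added next to the HAVE_LIBINTL_H block shows no header name in this copy of the patch; whatever it is, it must declare `__DEBIAN_SPECIFIC__SafeFascistCheck`, or the call compiles with an implicit declaration.

The design the cover letter describes, a dictionary check that reports an unreadable dictionary instead of calling exit(), written out as an added example in C. This is not cracklib's code and not the patch: `safe_dict_check`, the `check_status` values, the three message strings and the constructed word list in `write_demo_dict` are all assumptions made for the example. It shows the out-parameter shape (`const char **errstr`) that lets the caller distinguish "password rejected" from "dictionary unavailable", which is the distinction the Python binding needs.

```c
#define _POSIX_C_SOURCE 200809L /* mkstemp, fdopen, close, unlink */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Three outcomes the caller must be able to tell apart. A check that calls
 * exit() when the dictionary is missing turns the third one into process
 * death, which is the problem described for #682735. */
enum check_status {
    CHECK_OK = 0,            /* password accepted, *errstr is NULL */
    CHECK_REJECTED = 1,      /* password weak; *errstr says why */
    CHECK_UNAVAILABLE = -1   /* dictionary unreadable; *errstr says why */
};

/* Hypothetical stand-in for a dictionary check (example code, not cracklib):
 * rejects a password that appears verbatim in the word list at dictpath.
 * errstr is a pointer-to-pointer so the message actually reaches the caller. */
enum check_status safe_dict_check(const char *password, const char *dictpath,
                                  const char **errstr)
{
    char line[256];
    FILE *fp;

    *errstr = NULL;
    if (password == NULL || *password == '\0') {
        *errstr = "password is empty";
        return CHECK_REJECTED;
    }
    fp = fopen(dictpath, "r");
    if (fp == NULL) {
        *errstr = strerror(errno);   /* report the failure, do not exit() */
        return CHECK_UNAVAILABLE;
    }
    while (fgets(line, sizeof line, fp) != NULL) {
        line[strcspn(line, "\r\n")] = '\0';
        if (strcmp(line, password) == 0) {
            fclose(fp);
            *errstr = "it is based on a dictionary word";
            return CHECK_REJECTED;
        }
    }
    if (ferror(fp)) {
        fclose(fp);
        *errstr = "error while reading the dictionary";
        return CHECK_UNAVAILABLE;
    }
    fclose(fp);
    return CHECK_OK;
}

/* Writes a small constructed word list to a temporary file so the demo runs
 * offline; path_out receives the file name. Returns 0 on success. */
int write_demo_dict(char *path_out, size_t path_len)
{
    static const char *const words[] = { "password", "letmein", "qwerty", NULL };
    char tmpl[] = "/tmp/demo-dict-XXXXXX";
    int fd = mkstemp(tmpl);
    FILE *fp;

    if (fd < 0 || strlen(tmpl) + 1 > path_len)
        return -1;
    fp = fdopen(fd, "w");
    if (fp == NULL) {
        close(fd);
        return -1;
    }
    for (const char *const *w = words; *w; w++)
        fprintf(fp, "%s\n", *w);
    fclose(fp);
    strcpy(path_out, tmpl);
    return 0;
}

int main(void)
{
    char path[64];
    const char *err;
    const char *candidates[] = { "password", "correct horse battery", NULL };

    if (write_demo_dict(path, sizeof path) != 0)
        return 1;
    for (const char *const *c = candidates; *c; c++) {
        enum check_status st = safe_dict_check(*c, path, &err);
        printf("%-22s -> %s%s%s\n", *c,
               st == CHECK_OK ? "ok" : st == CHECK_REJECTED ? "rejected" : "unavailable",
               err ? ": " : "", err ? err : "");
    }
    /* The case the patch is about: a missing dictionary must return, not exit(). */
    if (safe_dict_check("anything", "/nonexistent/cracklib.pwd", &err) == CHECK_UNAVAILABLE)
        printf("missing dictionary reported as: %s\n", err);
    unlink(path);
    return 0;
}
```

A binding built on this shape raises one exception type for CHECK_REJECTED (carrying the message) and a different one for CHECK_UNAVAILABLE, which is what keeps a misconfigured dictionary from either killing the interpreter or being mistaken for a weak password.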
Bug#689393: unblock: libmtp/1.1.3-35-g0ece104-4
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libmtp 1.1.3-35-g0ece104-4; it contains a minimalistic patch to fix #687004. The debdiff is attached, thanks for considering.

unblock libmtp/1.1.3-35-g0ece104-4

-- System Information:
Debian Release: wheezy/sid
  APT prefers precise-updates
  APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500, 'precise'), (100, 'precise-backports')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-31-generic (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru libmtp-1.1.3-35-g0ece104/debian/changelog libmtp-1.1.3-35-g0ece104/debian/changelog --- libmtp-1.1.3-35-g0ece104/debian/changelog 2012-08-29 23:33:30.0 +0100 +++ libmtp-1.1.3-35-g0ece104/debian/changelog 2012-09-30 17:33:20.0 +0100 @@ -1,3 +1,10 @@ +libmtp (1.1.3-35-g0ece104-4) unstable; urgency=low + + * Blacklist Canon EOS 3D for now as it leads to a SIGSEGV in +libc. (Closes: #687004) + + -- Alessio Treglia Sun, 30 Sep 2012 17:32:59 +0100 + libmtp (1.1.3-35-g0ece104-3) unstable; urgency=low * Add Sony Tablet P1 support. (Closes: #683637) diff -Nru libmtp-1.1.3-35-g0ece104/debian/patches/0002-udev_blacklist.patch libmtp-1.1.3-35-g0ece104/debian/patches/0002-udev_blacklist.patch --- libmtp-1.1.3-35-g0ece104/debian/patches/0002-udev_blacklist.patch 1970-01-01 01:00:00.0 +0100 +++ libmtp-1.1.3-35-g0ece104/debian/patches/0002-udev_blacklist.patch 2012-09-10 15:28:44.0 +0100
@@ -0,0 +1,18 @@ +Description: Blacklist Canon EOS 3D for now, it leads to a SIGSEGV in libc. +Author: Alessio Treglia +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687004 +--- + util/mtp-hotplug.c |2 ++ + 1 file changed, 2 insertions(+) + +--- libmtp.orig/util/mtp-hotplug.c libmtp/util/mtp-hotplug.c +@@ -148,6 +148,8 @@ int main (int argc, char **argv) + printf("ATTR{idVendor}==\"0971\", GOTO=\"libmtp_rules_end\"\n"); + printf("# Canon scanners that look like MTP devices (PID 0x22nn)\n"); + printf("ATTR{idVendor}==\"04a9\", ATTR{idProduct}==\"22*\", GOTO=\"libmtp_rules_end\"\n"); ++ printf("# Canon digital camera (EOS 3D) that looks like MTP device (PID 0x3113)\n"); ++ printf("ATTR{idVendor}==\"04a9\", ATTR{idProduct}==\"3113\", GOTO=\"libmtp_rules_end\"\n"); + printf("# Sensitive Atheros devices that look like MTP devices\n"); + printf("ATTR{idVendor}==\"0cf3\", GOTO=\"libmtp_rules_end\"\n"); + printf("# Sensitive Atmel JTAG programmers\n"); diff -Nru libmtp-1.1.3-35-g0ece104/debian/patches/series libmtp-1.1.3-35-g0ece104/debian/patches/series --- libmtp-1.1.3-35-g0ece104/debian/patches/series 2012-08-29 23:24:11.0 +0100 +++ libmtp-1.1.3-35-g0ece104/debian/patches/series 2012-09-10 15:19:22.0 +0100 @@ -1,2 +1,3 @@ 0001-devicedb_updates.patch +0002-udev_blacklist.patch 1002-udev_rules.patch
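Review bot: the util/mtp-hotplug.c hunk only stops the generated udev rules from handing idVendor 04a9 / idProduct 3113 to libmtp, so the SIGSEGV in libc from #687004 is sidestepped for the udev-triggered probe but not fixed: anything that calls libmtp directly on the device, or a system with hand-written rules, still crashes, and 0001-devicedb_updates.patch is untouched. The changelog entry should say "work around" rather than imply a fix, and the patch Description should say which libmtp call segfaults so the proper fix can be tracked. The new rule itself follows the neighbouring entries (exact idProduct match, GOTO libmtp_rules_end), which is fine.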
Bug#689390: unblock: spice-gtk/0.12-5
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package spice-gtk. It fixes a root security hole via GDBus (#689155), by correctly sanitizing the environment in a setuid helper before doing anything non-trivial. This is basically the same flaw as the one mitigated by #689070 in dbus, but with GDBus instead of libdbus, and fixing it in the setuid program rather than second-guessing it in the library.

unblock spice-gtk/0.12-5

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diffstat for spice-gtk-0.12 spice-gtk-0.12
 changelog                                |  6 ++
 patches/clearenv-in-usb-acl-helper.patch | 64 +++
 patches/series                           |  1
 3 files changed, 71 insertions(+)

diff -Nru spice-gtk-0.12/debian/changelog spice-gtk-0.12/debian/changelog --- spice-gtk-0.12/debian/changelog 2012-07-08 18:20:26.0 +0100 +++ spice-gtk-0.12/debian/changelog 2012-10-01 14:31:41.0 +0100 @@ -1,3 +1,9 @@ +spice-gtk (0.12-5) unstable; urgency=high + + * Add patch clearenv-in-usb-acl-helper.patch (Closes: #689155) + + -- Liang Guo Mon, 01 Oct 2012 21:30:21 +0800 + spice-gtk (0.12-4) unstable; urgency=low * Correct version problem in *.pc (Closes: #680290) diff -Nru spice-gtk-0.12/debian/patches/clearenv-in-usb-acl-helper.patch spice-gtk-0.12/debian/patches/clearenv-in-usb-acl-helper.patch --- spice-gtk-0.12/debian/patches/clearenv-in-usb-acl-helper.patch 1970-01-01 01:00:00.0 +0100 +++ spice-gtk-0.12/debian/patches/clearenv-in-usb-acl-helper.patch 2012-10-01 14:29:38.0 +0100
@@ -0,0 +1,64 @@ +Author: Colin Walters +Origin: upstream, commit:efbf867bb88845d5edf839550b54494b1bb752b9 +Date: Fri, 14 Sep 2012 09:21:28 + +Subject: usb-acl-helper: Clear environment + +Otherwise we can be subject to attack via environment variables such +as DBUS_SYSTEM_BUS_ADDRESS. +This addresses CVE-2012-4425 http://seclists.org/oss-sec/2012/q3/470 +--- a/configure.ac b/configure.ac +@@ -256,6 +256,8 @@ + EXTERNAL_PNP_IDS="$with_pnp_ids_path" + fi + ++AC_CHECK_FUNCS(clearenv) ++ + PKG_CHECK_MODULES(GLIB2, glib-2.0 >= 2.22) + AC_SUBST(GLIB2_CFLAGS) + AC_SUBST(GLIB2_LIBS) +--- a/gtk/spice-client-glib-usb-acl-helper.c b/gtk/spice-client-glib-usb-acl-helper.c +@@ -158,7 +158,8 @@ + if (state == STATE_WAITING_FOR_STDIN_EOF) + set_facl(path, getuid(), 0); + +-g_main_loop_quit(loop); ++if (loop) ++g_main_loop_quit(loop); + } + + /* Not available in polkit < 0.101 */ +@@ -311,11 +312,32 @@ + } + #endif + ++#ifndef HAVE_CLEARENV ++extern char **environ; ++ ++static int ++clearenv (void) ++{ ++if (environ != NULL) ++environ[0] = NULL; ++return 0; ++} ++#endif ++ + int main(void) + { + pid_t parent_pid; + GInputStream *stdin_unix_stream; + ++ /* Nuke the environment to get a well-known and sanitized ++ * environment to avoid attacks via e.g. the DBUS_SYSTEM_BUS_ADDRESS ++ * environment variable and similar. ++ */ ++if (clearenv () != 0) { ++FATAL_ERROR("Error clearing environment: %s\n", g_strerror (errno)); ++return 1; ++} ++ + g_type_init(); + + loop = g_main_loop_new(NULL, FALSE); diff -Nru spice-gtk-0.12/debian/patches/series spice-gtk-0.12/debian/patches/series --- spice-gtk-0.12/debian/patches/series 2012-06-28 18:15:40.0 +0100 +++ spice-gtk-0.12/debian/patches/series 2012-10-01 14:19:27.0 +0100 @@ -2,3 +2,4 @@ fix-parsing-uri-query.patch fix-spice-audio-binding.patch make-celt-to-be-optional.patch +clearenv-in-usb-acl-helper.patch
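Review bot: the `if (loop)` guard added around `g_main_loop_quit(loop);` in the first gtk/spice-client-glib-usb-acl-helper.c hunk is there because FATAL_ERROR can now fire from main() before `loop = g_main_loop_new(NULL, FALSE);` (the clearenv() failure path), but nothing in the hunk says so; a one-line comment would keep the next person from removing it as redundant.

Review bot: in the main() hunk, once clearenv() succeeds the helper runs with no PATH, HOME, LANG or anything else, which is the right default for a setuid program, but it means every later call that spawns a process or consults the locale has to be checked against an empty environment; anything the helper genuinely needs should be set explicitly right after the `clearenv ()` call rather than preserved from the inherited copy, so the sanitized set is visible in one place. The `#ifndef HAVE_CLEARENV` fallback only truncates the existing array (`environ[0] = NULL;`), which is adequate here since the helper never reuses the old strings, but it always returns 0 without setting errno, so the `g_strerror (errno)` in the FATAL_ERROR message can only ever be meaningful on the glibc path; worth a comment so nobody debugs a stale errno on other libcs.

The attack the request describes, a setuid helper trusting an inherited DBUS_SYSTEM_BUS_ADDRESS, and the clearenv()-first fix from the patch, shown side by side as an added C example. This is not spice-gtk's code: `bus_address_unsanitized`, `sanitize_environment`, `count_dangerous_vars`, the SAFE_PATH value and the hostile environment set up in main() are all constructed for the example, and it assumes a glibc/Linux system where clearenv() exists (the patch's own fallback covers platforms where it does not).

```c
#define _GNU_SOURCE /* clearenv() and setenv() in glibc */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The only environment a setuid helper is allowed to run with. Assumed
 * value for this example; a real helper sets exactly what it needs. */
#define SAFE_PATH "/usr/sbin:/usr/bin:/sbin:/bin"

/* Variables an unprivileged caller can use to steer a privileged process
 * towards a bus, library or interpreter it controls. Listed only to make the
 * threat concrete; the fix below wipes everything rather than filtering. */
static const char *const dangerous_vars[] = {
    "DBUS_SYSTEM_BUS_ADDRESS", "DBUS_SESSION_BUS_ADDRESS",
    "LD_PRELOAD", "LD_LIBRARY_PATH", NULL
};

/* Number of the variables above currently present (0 means clean). */
int count_dangerous_vars(void)
{
    int n = 0;
    for (const char *const *v = dangerous_vars; *v; v++)
        if (getenv(*v) != NULL)
            n++;
    return n;
}

/* Vulnerable pattern (what a GDBus client does implicitly): honour whatever
 * bus address the caller passed in. A fake bus at that address can answer
 * the helper's polkit authorization check however the attacker likes. */
const char *bus_address_unsanitized(void)
{
    const char *addr = getenv("DBUS_SYSTEM_BUS_ADDRESS");
    return addr ? addr : "unix:path=/var/run/dbus/system_bus_socket";
}

/* Hardened pattern, as in the patch: drop the inherited environment before
 * any library is initialized, then add back only what is required.
 * Returns 0 on success, -1 with errno set otherwise; a setuid helper must
 * treat -1 as fatal rather than continue with the caller's environment. */
int sanitize_environment(void)
{
    if (clearenv() != 0)
        return -1;
    if (setenv("PATH", SAFE_PATH, 1) != 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed hostile caller environment for the demonstration. */
    setenv("DBUS_SYSTEM_BUS_ADDRESS", "unix:path=/tmp/attacker-bus", 1);
    setenv("LD_PRELOAD", "/tmp/evil.so", 1);

    printf("before: %d dangerous variable(s), bus=%s\n",
           count_dangerous_vars(), bus_address_unsanitized());

    if (sanitize_environment() != 0) {
        fprintf(stderr, "Error clearing environment: %s\n", strerror(errno));
        return 1;
    }

    /* Same lookup, now resolving to the real system bus. */
    printf("after:  %d dangerous variable(s), bus=%s\n",
           count_dangerous_vars(), bus_address_unsanitized());
    return 0;
}
```

The ordering matters as much as the call: clearenv() has to run before g_type_init() or any other library setup, because a GDBus or libdbus client reads DBUS_SYSTEM_BUS_ADDRESS the moment it first connects, and by then the damage is done.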