Bug#818672: jessie-pu: package pgplot5/5.2.2-19+deb8u1

2016-03-20 Thread Andreas Beckmann
On 2016-03-20 17:11, Adam D. Barratt wrote:
> +pgplot5 (5.2.2-19+deb8u1) jessie; urgency=medium
> +
> +  * Non-maintainer upload.
> +  * Use multiarch path to zconf.h  (Closes: #784783)
> +(thanks to Edmund Grimley Evans and Vincent McIntyre)
> 
> The bug number is typoed (and was in the unstable upload) - it should be
> #784743. With that changed, please go ahead.

I just took the changelog entry from sid and rewrote it to mention the
actual problem fixed, keeping the other bits. Bug number updated and
uploaded - but I still didn't verify that this references the correct
bug :-)


Andreas



Bug#818801: jessie-pu: package cairo/1.14.0-2.1+deb8u1

2016-03-20 Thread Moritz Mühlenhoff
On Sun, Mar 20, 2016 at 06:43:48PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sun, 2016-03-20 at 19:33 +0100, Moritz Muehlenhoff wrote:
> > +cairo (1.14.0-2.1+deb8u1) jessie; urgency=medium
> > +
> > +  * Fix CVE-2016-3190
> 
> I'd prefer a slightly more detailed changelog, but please go ahead.

Thanks, uploaded.

Cheers,
Moritz



Bug#818837: nmu: libdbi-drivers_0.9.0-3

2016-03-20 Thread Ruben Undheim
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu


Hello,

There are some memory issues when running the test suite for the package
openbsc. These disappear if libdbi-drivers is first rebuilt with GCC 5. It is
hard to track down exactly what the problem is, but rebuilding it seems to make
the test suite pass for openbsc.


Ruben

nmu libdbi-drivers_0.9.0-3 . ANY . unstable . -m ""

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel, powerpc

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Processed: Re: Bug#818801: jessie-pu: package cairo/1.14.0-2.1+deb8u1

2016-03-20 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #818801 [release.debian.org] jessie-pu: package cairo/1.14.0-2.1+deb8u1
Added tag(s) confirmed.

-- 
818801: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818801
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#818801: jessie-pu: package cairo/1.14.0-2.1+deb8u1

2016-03-20 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2016-03-20 at 19:33 +0100, Moritz Muehlenhoff wrote:
> +cairo (1.14.0-2.1+deb8u1) jessie; urgency=medium
> +
> +  * Fix CVE-2016-3190

I'd prefer a slightly more detailed changelog, but please go ahead.

Regards,

Adam



Bug#818801: jessie-pu: package cairo/1.14.0-2.1+deb8u1

2016-03-20 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,
I'd like to update cairo for the next jessie point update for
CVE-2016-3190.

I've been using the updated package for a day on my jessie workstation.

Cheers,
Moritz

debdiff:

diff -Nru cairo-1.14.0/debian/changelog cairo-1.14.0/debian/changelog
--- cairo-1.14.0/debian/changelog   2014-10-24 21:38:48.0 +0200
+++ cairo-1.14.0/debian/changelog   2016-03-19 22:38:11.0 +0100
@@ -1,3 +1,9 @@
+cairo (1.14.0-2.1+deb8u1) jessie; urgency=medium
+
+  * Fix CVE-2016-3190
+
+ -- Moritz Mühlenhoff   Sat, 19 Mar 2016 22:37:18 +0100
+
 cairo (1.14.0-2.1) unstable; urgency=medium
 
   * Non-maintainer upload.
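Review bot: the changelog stanza at +1,9 says only "Fix CVE-2016-3190" with no description of the issue or bug reference, so a reader of the stable changelog cannot tell what changed without opening the patch. The patch header later in this debdiff gives the needed detail (a crash from out-of-bounds processing in _fill_xrgb32_lerp_opaque_spans when a span length is negative); carry that into the entry, e.g. `  * Fix CVE-2016-3190: crash in _fill_xrgb32_lerp_opaque_spans on negative span length`.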
diff -Nru cairo-1.14.0/debian/patches/0009-CVE-2016-3190.patch 
cairo-1.14.0/debian/patches/0009-CVE-2016-3190.patch
--- cairo-1.14.0/debian/patches/0009-CVE-2016-3190.patch1970-01-01 
01:00:00.0 +0100
+++ cairo-1.14.0/debian/patches/0009-CVE-2016-3190.patch2016-03-19 
22:35:25.0 +0100
@@ -0,0 +1,32 @@
+From 5c82d91a5e15d29b1489dcb413b24ee7fdf59934 Mon Sep 17 00:00:00 2001
+From: Bryce Harrington 
+Date: Wed, 3 Dec 2014 19:28:15 -0800
+Subject: image: Fix crash in _fill_xrgb32_lerp_opaque_spans
+
+If a span length is negative don't go out of bounds processing the fill
+data.
+
+Patch thanks to Ilya Sakhnenko  on mailing list.
+
+Signed-off-by: Bryce Harrington 
+
+diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
+index 6ff0f09..48072f8 100644
+--- a/src/cairo-image-compositor.c
 b/src/cairo-image-compositor.c
+@@ -2242,10 +2242,10 @@ _fill_xrgb32_lerp_opaque_spans (void 
*abstract_renderer, int y, int h,
+spans[0].x, y, len, 1, r->u.fill.pixel);
+   } else {
+   uint32_t *d = (uint32_t*)(r->u.fill.data + 
r->u.fill.stride*y + spans[0].x*4);
+-  while (len--)
++  while (len-- > 0)
+   *d++ = r->u.fill.pixel;
+   }
+-  } else while (len--) {
++  } else while (len-- > 0) {
+   *d = lerp8x4 (r->u.fill.pixel, a, *d);
+   d++;
+   }
+-- 
+cgit v0.10.2
+
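Review bot: the new patch file keeps the upstream git header (commit 5c82d91a5e15d29b1489dcb413b24ee7fdf59934, author, date, subject) but has no DEP-3 Origin: or Bug-Debian: field and never mentions CVE-2016-3190 in its body, so the only link between the file and the CVE is its filename; add `Origin: upstream, commit 5c82d91a5e15d29b1489dcb413b24ee7fdf59934` and a CVE reference to the header. The code change itself is sound: both `while (len--)` loops post-decrement and would keep writing through `*d++` past the buffer for a negative `len`, and `while (len-- > 0)` terminates immediately in that case for the opaque fill branch and the lerp8x4 branch alike.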
diff -Nru cairo-1.14.0/debian/patches/series cairo-1.14.0/debian/patches/series
--- cairo-1.14.0/debian/patches/series  2014-10-24 21:36:09.0 +0200
+++ cairo-1.14.0/debian/patches/series  2016-03-19 22:36:20.0 +0100
@@ -4,3 +4,4 @@
 06_hurd-map-noreserve.patch
 0005-CFF-Fix-unaligned-access.patch
 0008-tor-scan-converter-can-t-do_fullrow-when-intersectio.patch
+0009-CVE-2016-3190.patch



Bug#818672: jessie-pu: package pgplot5/5.2.2-19+deb8u1

2016-03-20 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sat, 2016-03-19 at 16:23 +0100, Andreas Beckmann wrote:
> pgplot5 FTBFS in jessie due to a hardcoded non-multiarch path to
> zconf.h.
> 
> This is a backport of the 5.2.2-19.1 NMU to sid excluding the spurious
> addition of some .f files in debian/.

+pgplot5 (5.2.2-19+deb8u1) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * Use multiarch path to zconf.h  (Closes: #784783)
+(thanks to Edmund Grimley Evans and Vincent McIntyre)

The bug number is typoed (and was in the unstable upload) - it should be
#784743. With that changed, please go ahead.

Regards,

Adam



Bug#818679: jessie-pu: package sus/7.20160312~deb8u1

2016-03-20 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sat, 2016-03-19 at 17:17 +0100, Andreas Beckmann wrote:
> sus is a downloader package and one of the external tarballs being
> downloaded has changed, again.

Yay downloader packages. :-(

> This is a rebuild of the package from sid for jessie.

Please go ahead.

Regards,

Adam



Processed: Re: Bug#818672: jessie-pu: package pgplot5/5.2.2-19+deb8u1

2016-03-20 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #818672 [release.debian.org] jessie-pu: package pgplot5/5.2.2-19+deb8u1
Added tag(s) confirmed.

-- 
818672: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818672



Processed: Re: Bug#818679: jessie-pu: package sus/7.20160312~deb8u1

2016-03-20 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #818679 [release.debian.org] jessie-pu: package sus/7.20160312~deb8u1
Added tag(s) confirmed.

-- 
818679: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818679



Processed: Re: Bug#797906: jessie-pu: package dolibarr/3.5.5+dfsg1-2

2016-03-20 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #797906 [release.debian.org] jessie-pu: package dolibarr/3.5.5+dfsg1-2
Added tag(s) confirmed.

-- 
797906: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797906



Bug#797906: jessie-pu: package dolibarr/3.5.5+dfsg1-2

2016-03-20 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2016-03-20 at 15:09 +0100, Laurent Destailleur (aka Eldy) wrote:

> A fix was prepared to solve several CVE. Security team already
> answered me they don't plan any DSA released for this patch. All fixes
> are already included into unstable.
[...]
> +dolibarr (3.5.5+dfsg1-1+deb8u1) UNRELEASED; urgency=high
> +
> +  * Fix CVE-2016-1912 (Closes: #812496)
> +  * Fix CVE-2015-8685 (Closes: #812449)
> +  * Fix CVE-2015-3935 (Closes: #787762)
> +
> + -- Laurent Destailleur (eldy)   Tue, 08 Sep 
> 2015 15:22:52 +0200

I assume the changelog trailer simply needs updating, as I doubt all of
the patches were added by September. :-) With that and the changelog
distribution set to "jessie", please go ahead.

Regards,

Adam



Bug#818710: wheezy-pu: package amd64-microcode/1.20160316.1

2016-03-20 Thread Henrique de Moraes Holschuh
On Sun, 20 Mar 2016, Adam D. Barratt wrote:
> On Sun, 2016-03-20 at 12:20 -0300, Henrique de Moraes Holschuh wrote:
> > I have uploaded it through the ftp queue about one hour ago, but I have
> > still not received any email back either from the upload queue daemon, or
> > from dak (and the packages disappeared from the ftp upload queue).
> > 
> > I will try to reupload.
> 
> dinstall's running, hence the lack of response from dak combined with
> the "disappearing" packages (although I'm not sure why you've not had a
> response from the queued).
> 
> I can confirm that the packages have reached the "unchecked" queue so
> should get processed by dak once dinstall finishes; there's no need to
> re-upload.

Thanks!

I did try to re-upload before I got your reply, and promptly got an email
from the upload queue daemon about an existing previous upload.

So, the first try was processed normally, but the email reply from the queue
daemon got lost in the MTA network.  I assume it will arrive eventually, due
to graylisting or something else of that sort.  If it does, I will look at
the received headers to try to understand where it got delayed...

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh



Bug#818710: wheezy-pu: package amd64-microcode/1.20160316.1

2016-03-20 Thread Adam D. Barratt
On Sun, 2016-03-20 at 12:20 -0300, Henrique de Moraes Holschuh wrote:
> I have uploaded it through the ftp queue about one hour ago, but I have
> still not received any email back either from the upload queue daemon, or
> from dak (and the packages disappeared from the ftp upload queue).
> 
> I will try to reupload.

dinstall's running, hence the lack of response from dak combined with
the "disappearing" packages (although I'm not sure why you've not had a
response from the queued).

I can confirm that the packages have reached the "unchecked" queue so
should get processed by dak once dinstall finishes; there's no need to
re-upload.

Regards,

Adam



Bug#818710: wheezy-pu: package amd64-microcode/1.20160316.1

2016-03-20 Thread Henrique de Moraes Holschuh
On Sun, 20 Mar 2016, Adam D. Barratt wrote:
> On Sat, 2016-03-19 at 19:23 -0300, Henrique de Moraes Holschuh wrote:
> > This is the non-free oldstable companion update for the same issue reported
> > in #818689:
> > 
> > Unfortunately, the microcode for the earlier AMD Piledriver processors being
> > distributed in the amd64-microcode packages currently in non-free oldstable,
> > stable, testing and unstable has been found to be extremely dangerous.
> 
> Please go ahead.

I have uploaded it through the ftp queue about one hour ago, but I have
still not received any email back either from the upload queue daemon, or
from dak (and the packages disappeared from the ftp upload queue).

I will try to reupload.




Bug#797906: jessie-pu: package dolibarr/3.5.5+dfsg1-2

2016-03-20 Thread Laurent Destailleur (aka Eldy)
Hi Adam.

A fix was prepared to solve several CVEs. Security team already answered me
they don't plan any DSA released for this patch. All fixes are already
included into unstable.

Can we push it into stable? It fixes the following CVEs:
* Fix CVE-2016-1912 (Closes: #812496)
* Fix CVE-2015-8685 (Closes: #812449)
* Fix CVE-2015-3935 (Closes: #787762)


This is the debdiff.


diff -Nru dolibarr-3.5.5+dfsg1/debian/changelog
dolibarr-3.5.5+dfsg1/debian/changelog
--- dolibarr-3.5.5+dfsg1/debian/changelog 2014-12-07 15:52:53.0
+0100
+++ dolibarr-3.5.5+dfsg1/debian/changelog 2016-02-08 21:30:58.0
+0100
@@ -1,3 +1,11 @@
+dolibarr (3.5.5+dfsg1-1+deb8u1) UNRELEASED; urgency=high
+
+  * Fix CVE-2016-1912 (Closes: #812496)
+  * Fix CVE-2015-8685 (Closes: #812449)
+  * Fix CVE-2015-3935 (Closes: #787762)
+
+ -- Laurent Destailleur (eldy)   Tue, 08 Sep
2015 15:22:52 +0200
+
 dolibarr (3.5.5+dfsg1-1) unstable; urgency=medium

   * New upstream release with 3.5.5
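Review bot: the new stanza at +1,11 targets `UNRELEASED` instead of `jessie`, and its trailer date (Tue, 08 Sep 2015) predates CVE-2016-1912 and bug #812496 listed in the same stanza, so the entry was clearly not finalized after the later patches were added. Set the distribution to `jessie` and regenerate the trailer (for instance with `dch -r`) before uploading, as the release team asked.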
diff -Nru dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch
dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch
--- dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch 1970-01-01
01:00:00.0 +0100
+++ dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch 2016-02-08
21:30:58.0 +0100
@@ -0,0 +1,35 @@
+diff --git a/htdocs/admin/agenda_extsites.php
b/htdocs/admin/agenda_extsites.php
+index ac105cf..bf68c61 100644
+--- a/htdocs/admin/agenda_extsites.php
 b/htdocs/admin/agenda_extsites.php
+@@ -1,6 +1,7 @@
+ 
+- * Copyright (C) 2011-2014 Juanjo Menent
++/* Copyright (C) 2008-2011  Laurent Destailleur <
e...@users.sourceforge.net>
++ * Copyright (C) 2011-2014  Juanjo Menent   
++ * Copyright (C) 2016   Raphaël Doursenaud  <
rdoursen...@gpcsolutions.fr>
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License as published by
+@@ -88,7 +89,7 @@
+  // Save nb of agenda
+  if (! $error)
+  {
+-
$res=dolibarr_set_const($db,'AGENDA_EXT_NB',trim(GETPOST('AGENDA_EXT_NB','alpha')),'chaine',0,'',$conf->entity);
++
$res=dolibarr_set_const($db,'AGENDA_EXT_NB',trim(GETPOST('AGENDA_EXT_NB','int')),'chaine',0,'',$conf->entity);
+  if (! $res > 0) $error++;
+  if (empty($conf->global->AGENDA_EXT_NB)) $conf->global->AGENDA_EXT_NB=5;
+
$MAXAGENDA=empty($conf->global->AGENDA_EXT_NB)?5:$conf->global->AGENDA_EXT_NB;
+@@ -201,9 +202,9 @@
+  // Nb
+  print ''.$langs->trans("AgendaExtNb",$key)."";
+  // Name
+- print '';
++ print '';
+  // URL
+- print '';
++ print '';
+  // Color (Possible colors are limited by Google)
+  print '';
+  //print $formadmin->selectColor($conf->global->$color,
"google_agenda_color".$key, $colorlist);
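Review bot: FIX-4291-GETPOSTs.patch has no DEP-3 header (Description, Origin, Bug-Debian) and its name does not say which of the three CVEs from the changelog it addresses, so the changelog entries cannot be mapped to the patches; add a header naming the CVE and the upstream commit. In the -88,7 hunk, narrowing `GETPOST('AGENDA_EXT_NB','alpha')` to `GETPOST('AGENDA_EXT_NB','int')` is the right direction for a numeric setting, but in the -201,9 hunk the removed and added `print '';` lines are identical in this copy of the debdiff, so the actual change there (presumably in the Name and URL output) is not reviewable here and should be checked against the upstream commit. The first hunk only touches the copyright header and is unrelated to the fix.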
diff -Nru dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch
dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch
--- dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch 1970-01-01
01:00:00.0 +0100
+++ dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch 2016-02-08
21:30:58.0 +0100
@@ -0,0 +1,22 @@
+diff --git a/debian/changelog b/debian/changelog
+index 7d3e2e1..09dd3e0 100644
+--- a/htdocs/societe/societe.php
 b/htdocs/societe/societe.php
+@@ -272,7 +272,7 @@
+  $num = $db->num_rows($resql);
+  $i = 0;
+
+- $params =
"socname=".$socname."search_nom=".$search_nom."search_town=".$search_town;
++ $params =
"socname=".urlencode($socname)."search_nom=".urlencode($search_nom)."search_town=".urlencode($search_town);
+  $params.= ($sbarcode?"sbarcode=".$sbarcode:"");
+  $params.= 'search_idprof1='.$search_idprof1;
+  $params.= 'search_idprof2='.$search_idprof2;
+@@ -348,7 +348,7 @@
+  print '';
+  print '';
+  if (! empty($search_nom_only) && empty($search_nom))
$search_nom=$search_nom_only;
+- print '';
++ print '';
+  print '';
+  // Barcode
+  if (! empty($conf->barcode->enabled))
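Review bot: the embedded header reads `diff --git a/debian/changelog b/debian/changelog` while the `---`/`+++` lines name htdocs/societe/societe.php; the header (and its `index 7d3e2e1..09dd3e0` line) is inconsistent with the file actually patched and should be regenerated so the patch is applied where intended. On the fix itself (-272,7): `urlencode()` is now applied to `$socname`, `$search_nom` and `$search_town`, but the next three `$params.=` lines still concatenate `$sbarcode`, `$search_idprof1` and `$search_idprof2` unencoded into the same query string, and the -348,7 hunk's `print` lines are empty in this copy; confirm whether those values need the same encoding for the CVE-2015-3935 fix to be complete, and add a DEP-3 header with the CVE and origin.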
diff -Nru
dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch
dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch
---
dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch
1970-01-01
01:00:00.0 +0100
+++
dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch
2016-02-08
21:30:58.0 +0100
@@ -0,0 +1,37 @@
+diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
+index 7fba7f5..90eac77 100644
+--- a/htdocs/main.inc.php
 b/htdocs/main.inc.php
+@@ -80,13 +80,15 @@
+ // For SQL Injection (only GET and POST are used to be included into
bad escaped SQL requests)
+ if ($type != 2)
+ {
+-$sql_inj += preg_match('/delete[\s]+from/i', $val);
+-$sql_inj += preg_match('/create[\s]+table/i', $val);
+-$sql_inj += preg_match('/update.+set.+=/i', $val);
+-$sql_inj += preg_match('/insert[\s]+into/i', $val);
+-$sql_inj += preg_match('/select.+from/i', $val);
+- 
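Review bot: the -80,13 hunk removes the five `preg_match()` blocklist checks (delete from, create table, update … set, insert into, select … from), but the `+` lines that replace them are cut off in this copy of the debdiff, so the part of the patch that fixes CVE-2015-8685 and CVE-2016-1912 cannot be reviewed as posted; please resend the complete patch. Whatever replaces them, keyword matching on request parameters is only a heuristic filter, so the review should confirm that the affected SQL call sites use parameterized or properly escaped queries rather than relying on this check.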

Bug#818150: jessie-pu: package php5/5.6.19+dfsg-0+deb8u1

2016-03-20 Thread Moritz Mühlenhoff
On Mon, Mar 14, 2016 at 11:00:12AM +0100, Ondřej Surý wrote:
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> Hi,
> 
> security team still seems to be heavily overloaded, so I am hoping we
> can do this via jessie-pu again.
> 
> We need to update 5.6.17+dfsg-0+deb8u1 to 5.6.19+dfsg-0+deb8u1 as
> there were several security updates between the releases:

Ack from my side; there's nothing urgent in there, so these could go
via spu.

Cheers,
Moritz



Processed: Re: Bug#818710: wheezy-pu: package amd64-microcode/1.20160316.1

2016-03-20 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #818710 [release.debian.org] wheezy-pu: package amd64-microcode/1.20160316.1
Added tag(s) confirmed.

-- 
818710: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818710



Processed: Re: Bug#818710: wheezy-pu: package amd64-microcode/1.20160316.1

2016-03-20 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #818710 [release.debian.org] wheezy-pu: package amd64-microcode/1.20160316.1
Ignoring request to alter tags of bug #818710 to the same tags previously set

-- 
818710: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818710



Bug#818710: wheezy-pu: package amd64-microcode/1.20160316.1

2016-03-20 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sat, 2016-03-19 at 19:23 -0300, Henrique de Moraes Holschuh wrote:
> This is the non-free oldstable companion update for the same issue reported
> in #818689:
> 
> Unfortunately, the microcode for the earlier AMD Piledriver processors being
> distributed in the amd64-microcode packages currently in non-free oldstable,
> stable, testing and unstable has been found to be extremely dangerous.

Please go ahead.

Regards,

Adam



Bug#818104: Possible MBF: Packages depending on iceweasel but not firefox/firefox-esr

2016-03-20 Thread Niels Thykier
David Prévot:
> Le 18/03/2016 18:06, Josh Triplett a écrit :
> 
>> I would suggest that Firefox addon packages should depend on "firefox |
>> firefox-esr"
> 
> Most of those packages use mozilla-devscripts for the build and just
> need to be rebuilt to get fixed. Even if our infrastructure has all the
> needed tools to binNMU all of them as a proper transition, some
> limitations on the way arch:all binNMUs are handled currently prevent us
> from having most of them already fixed, see #818104.
> 
> What is currently needed if the arch:all binNMU doesn't get fixed, is
> "just" to upload all of them. I'm currently dragged into doing that for
> hundreds of PHP class packages because of this no arch:all binNMU
> limitation, so I hope someone else from the Debian Mozilla Extension
> Maintainers could take the lead on it (new members are welcome ;).
> 
> Regards
> 
> David
> 

For those wondering about the reasons:

 * dak has a "no arch:all binNMU" check that rejects arch:all binNMUs.
   - It might be time to lift this restriction.

 * These days we could in theory binNMU source packages building only
   arch:all packages.

 * There is a caveat with source packages building both arch:all and
   arch:any packages, where the substvars no longer ensure
   installability (because they assume that the version of arch:all is the
   version of the source package).

   - I have tried to devise a lintian check which might help us get an
     overview of this situation.

Thanks,
~Niels






