Bug#848942: Acknowledgement (jessie-pu: package most/5.0.0a-2.3)

2016-12-20 Thread Benj. Mako Hill
Greetings!

I forgot to mention that I've discussed this with the security team
and uploading to stable-proposed-updates was their suggestion and
recommendation.

Regards,
Mako

-- 
Benjamin Mako Hill
http://mako.cc/

Creativity can be a social contribution, but only in so far
as society is free to use the results. --GNU Manifesto




Bug#848942: jessie-pu: package most/5.0.0a-2.3

2016-12-20 Thread Benjamin Mako Hill
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

There was a recent non-critical CVE issued for most:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848132
https://security-tracker.debian.org/tracker/CVE-2016-1253

The fix (a debdiff is attached) is this one-liner that changes single quotes to
double quotes.

Regards,
Mako


-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -u most-5.0.0a/debian/changelog most-5.0.0a/debian/changelog
--- most-5.0.0a/debian/changelog
+++ most-5.0.0a/debian/changelog
@@ -1,3 +1,11 @@
+most (5.0.0a-2.3+deb8u1) stable-proposed-updates; urgency=high
+
+  * lzma-support.patch:
+- Fix CVE-2016-1253: shell injection attack when opening
+  lzma-compressed files (Closes: #848132)
+ 
+ -- Benjamin Mako Hill   Tue, 20 Dec 2016 16:52:16 -0800
+
 most (5.0.0a-2.3) unstable; urgency=low
 
   * Non-maintainer upload.
diff -u most-5.0.0a/src/file.h most-5.0.0a/src/file.h
--- most-5.0.0a/src/file.h
+++ most-5.0.0a/src/file.h
@@ -22,7 +22,7 @@
 #define MOST_MAX_FILES 4096
 #define MOST_GUNZIP_POPEN_FORMAT "gzip -dc \"%s\""
 #define MOST_BZIP2_POPEN_FORMAT "bzip2 -dc \"%s\""
-#define MOST_LZMA_POPEN_FORMAT "lzma -dc '%s'"
+#define MOST_LZMA_POPEN_FORMAT "lzma -dc \"%s\""
 
 extern void most_reread_file (void);
 extern void most_read_to_line (int);
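
Review bot: the quote swap in MOST_LZMA_POPEN_FORMAT only brings the lzma case in line with the gzip and bzip2 formats two lines above it; all three still interpolate the file name into a command string that is handed to the shell, and double quotes are still subject to shell expansion. If this is accepted as the minimal stable fix matching upstream, it is worth saying so in the changelog, and the longer-term change is to escape the name before formatting it or to run the decompressor without a shell at all (fork/exec with an argv).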


Bug#848937: nmu: beignet_1.2.1-1

2016-12-20 Thread Andreas Beckmann
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

nmu beignet_1.2.1-1 . amd64 i386 . unstable . -m "Rebuild against llvm 3.9 to match mesa."

Mixing OpenCL ICD built against libllvm3.8 (beignet) and libllvm3.9
(mesa) in one application leads to frequent crashes.

The packaging depends on both llvm 3.8 and llvm 3.9 and picks the one
used by mesa at build time.


Andreas



Re: 8.7 planning

2016-12-20 Thread Adam D. Barratt
On Mon, 2016-12-19 at 14:19 +0100, Julien Cristau wrote:
> Jan 7th/8th
> 
> Jan 14th/15th

Both look okay.

> Jan 21st/22nd

I could do the Saturday until around lunchtime but will be AFK after
that and unlikely to be around on Sunday morning at least. (So on the
whole, NACK.)

> Jan 28th/29th - Cambridge BSP, probably not ideal

Unlikely to work, for that reason.

> Feb 4th/5th - FOSDEM, probably not great either
> 
> Feb 11th/12th

Both look fine for me.

Regards,

Adam



Processed: Re: Bug#848610: jessie-pu: package pgpdump/0.28-1+deb8u1

2016-12-20 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #848610 [release.debian.org] jessie-pu: package pgpdump/0.28-1+deb8u1
Added tag(s) confirmed.

-- 
848610: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848610
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#848908: jessie-pu: package shutter/0.92-0.1+deb8u1

2016-12-20 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #848908 [release.debian.org] jessie-pu: package shutter/0.92-0.1+deb8u1
Added tag(s) confirmed.

-- 
848908: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848908
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#848610: jessie-pu: package pgpdump/0.28-1+deb8u1

2016-12-20 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2016-12-18 at 23:42 +0100, Christoph Biedl wrote:
> CVE-2016-4021[1] hasn't been handled in jessie yet. The security team
> suggested to use an upcoming point release for this, this got ACKed
> by the stable security team. The pgpdump maintainer Jose Luis Rivas
> (CC'd) has agreed to this procedure.

Please go ahead.

Regards,

Adam



Bug#848908: jessie-pu: package shutter/0.92-0.1+deb8u1

2016-12-20 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Tue, 2016-12-20 at 19:12 +0100, Christoph Biedl wrote:
> CVE-2015-0854[1] hasn't been handled in jessie yet. The security team
> ACKed to use an upcoming point release for this. The shutter maintainer
> Ryan Niebur is in Cc:.

Please go ahead.

Regards,

Adam



Bug#848926: jessie-pu: package libclamunrar/0.99-0+deb8u2

2016-12-20 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Tue, 2016-12-20 at 22:17 +0100, Sebastian Andrzej Siewior wrote:
> This update contains four patches which I noticed in upstream's git.
> They appeared in July and the last fix (for a fix) was done last week. I
> have no idea when 0.99.3 will appear and the changes in the debdiff are
> the only (functional changes) in libclamunrar* since the 0.99.
> 
> The fixes look like bugs found by afl (or other fuzzer) while throwing
> .rar files at clamav.

Please go ahead.

Regards,

Adam



Processed: Re: Bug#848926: jessie-pu: package libclamunrar/0.99-0+deb8u2

2016-12-20 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #848926 [release.debian.org] jessie-pu: package libclamunrar/0.99-0+deb8u2
Added tag(s) confirmed.

-- 
848926: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848926
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#848926: jessie-pu: package libclamunrar/0.99-0+deb8u2

2016-12-20 Thread Sebastian Andrzej Siewior
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal

This update contains four patches which I noticed in upstream's git.
They appeared in July and the last fix (for a fix) was done last week. I
have no idea when 0.99.3 will appear and the changes in the debdiff are
the only (functional changes) in libclamunrar* since the 0.99.

The fixes look like bugs found by afl (or other fuzzer) while throwing
.rar files at clamav.

Sebastian
diff -Nru libclamunrar-0.99/debian/changelog libclamunrar-0.99/debian/changelog
--- libclamunrar-0.99/debian/changelog  2016-02-03 22:10:12.0 +0100
+++ libclamunrar-0.99/debian/changelog  2016-12-16 21:38:26.0 +0100
@@ -1,3 +1,10 @@
+libclamunrar (0.99-0+deb8u2) stable; urgency=medium
+
+  * Add patches from upstream bugzilla bb11600 and bb11601 to fix out of band
+access.
+
+ -- Sebastian Andrzej Siewior   Fri, 16 Dec 2016 
21:38:26 +0100
+
 libclamunrar (0.99-0+deb8u1) stable; urgency=medium
 
   [ Scott Kitterman ]
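
Review bot: the new entry says "out of band access" where the patch subjects further down say "out of bounds stack read"; "out of bounds" is the intended wording and should be corrected before upload. The entry also names bb11600 and bb11601 while the debdiff adds three patch files (bb11600.patch, bb11600_pt2.patch, bb11601.patch); listing all three, or noting that bb11600 is a two-part fix, would make the entry match the series.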
@@ -10,7 +17,7 @@
   * switch from libclamunrar6 to libclamunrar7
   * copy clamav's watch file
   * add pkg-config to dependencies so autoreconf does not break
-  * don't links against libpcre if available.
+  * don't link against libpcre if available.
 
  -- Sebastian Andrzej Siewior   Wed, 03 Feb 2016 
21:52:51 +0100
 
diff -Nru libclamunrar-0.99/debian/.git-dpm libclamunrar-0.99/debian/.git-dpm
--- libclamunrar-0.99/debian/.git-dpm   2016-02-03 22:09:03.0 +0100
+++ libclamunrar-0.99/debian/.git-dpm   2016-12-16 21:38:26.0 +0100
@@ -1,8 +1,8 @@
 # see git-dpm(1) from git-dpm package
-1256542cf41587e62a048e687097f23cef1511f0
-1256542cf41587e62a048e687097f23cef1511f0
-1256542cf41587e62a048e687097f23cef1511f0
-1256542cf41587e62a048e687097f23cef1511f0
-libclamunrar_0.98.5.orig.tar.xz
-6d4a3441e142002ffdaa76ad313bc018985e1999
-304828
+e677e64787390c59bdb925be08113ebf47aed869
+e677e64787390c59bdb925be08113ebf47aed869
+87f93791ab6959fd522bdf0b1211ff0480cff4c7
+87f93791ab6959fd522bdf0b1211ff0480cff4c7
+libclamunrar_0.99.orig.tar.xz
+3299e943affefb7a1aea0cada292f1c4ec039aed
+311248
diff -Nru libclamunrar-0.99/debian/patches/bb11600.patch libclamunrar-0.99/debian/patches/bb11600.patch
--- libclamunrar-0.99/debian/patches/bb11600.patch  1970-01-01 01:00:00.0 +0100
+++ libclamunrar-0.99/debian/patches/bb11600.patch  2016-12-16 21:38:26.0 +0100
@@ -0,0 +1,24 @@
+From 5a04072c135be7b49279792401f10d7b4f723ab5 Mon Sep 17 00:00:00 2001
+From: Steven Morgan 
+Date: Tue, 12 Jul 2016 12:36:29 -0400
+Subject: bb11600 - fix out of bounds stack read.
+
+Patch-Name: bb11600.patch
+---
+ libclamunrar/unrar20.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libclamunrar/unrar20.c b/libclamunrar/unrar20.c
+index ecfe40cf32f3..d938c472e1d8 100644
+--- a/libclamunrar/unrar20.c
 b/libclamunrar/unrar20.c
+@@ -117,7 +117,8 @@ static int read_tables20(int fd, unpack_data_t 
*unpack_data)
+   n = (rar_getbits(unpack_data) >> 14) + 3;
+   rar_addbits(unpack_data, 2);
+   while ((n-- > 0) && (i < table_size)) {
+-  table[i] = table[i-1];
++  if (i>0)
++  table[i] = table[i-1];
+   i++;
+   }
+   } else {
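
Review bot: the `if (i>0)` guard stops the read of table[i-1] at i == 0, but in that case the loop still does i++ and leaves table[0] untouched, so the first entry keeps whatever the buffer already held; unless the table is zeroed before read_tables20 runs, treating a repeat code at i == 0 as malformed input and bailing out would be the more conservative fix. Separately, the quoted patch's `+++ b/libclamunrar/unrar20.c` header appears here without its prefix (` b/libclamunrar/unrar20.c`), so please confirm the attached file is intact, or patch will not apply.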
diff -Nru libclamunrar-0.99/debian/patches/bb11600_pt2.patch libclamunrar-0.99/debian/patches/bb11600_pt2.patch
--- libclamunrar-0.99/debian/patches/bb11600_pt2.patch  1970-01-01 01:00:00.0 +0100
+++ libclamunrar-0.99/debian/patches/bb11600_pt2.patch  2016-12-16 21:38:26.0 +0100
@@ -0,0 +1,24 @@
+From 6c667e29a8980bef06544bb2c931a18512aaf745 Mon Sep 17 00:00:00 2001
+From: Steven Morgan 
+Date: Tue, 12 Jul 2016 14:31:38 -0400
+Subject: fix possible out of bounds stack read.
+
+Patch-Name: bb11600_pt2.patch
+---
+ libclamunrar/unrar.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libclamunrar/unrar.c b/libclamunrar/unrar.c
+index 456da4d6fef9..40a3d63cbd3e 100644
+--- a/libclamunrar/unrar.c
 b/libclamunrar/unrar.c
+@@ -469,7 +469,8 @@ static int read_tables(int fd, unpack_data_t *unpack_data)
+   rar_addbits(unpack_data, 7);
+   }
+   while (n-- > 0 && i < table_size) {
+-  table[i] = table[i-1];
++  if (i>0)
++  table[i] = table[i-1];
+   i++;
+   }
+   } else {
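
Review bot: same observation as for bb11600.patch: the `if (i>0)` guard in read_tables skips the copy at i == 0 but still advances i, leaving table[0] as it was, and the embedded `+++ b/libclamunrar/unrar.c` header again shows up without its prefix, so the attachment should be checked before upload.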
diff -Nru libclamunrar-0.99/debian/patches/bb11601.patch 
libclamunrar-0.99/debian/patches/bb11601.patch
--- libclamunrar-0.99/debian/patches/bb11601.patch  1970-01-01 
01:00:00.0 +0100
+++ 

Let autopkgtests be gating for testing migration in Buster: heads-up and brain-dump

2016-12-20 Thread Paul Gevers
Hi all,

I already started this discussion on IRC (in both #debci and
#debian-release), but for future reference, and some brain-dump I want
to continue on the lists.

As most of you have probably noticed by now, I have taken up the task to
have Debian let debci/autopkgtest results be gating for
unstable-to-testing migration (very similar to what Ubuntu already does
for -proposed-to- migration). I would really love to
see this happen early in the Buster release cycle. I have started a wiki
page¹ to document the requirements and the (outcome of the) discussions.
I'll try to keep that up to date as we progress. As it is a wiki,
feel free to contribute anything that isn't controversial.

As I currently see it, from discussion with multiple of you, there are
three pieces that need to play together in Debian:
1) autopkgtest: the testing platform
2) debci: the Debian CI worker
3) britney: where the migration policy is implemented and enforced

Currently debci is testing packages in unstable. But similar to what
Ubuntu is doing, I think that for this purpose we actually want to test
in testing with only the possible candidate (and if needed its
dependencies) from unstable. Luckily, autopkgtest is nearly able to do
that, except it needs to support Debian suites instead of only Ubuntu's
"pockets".

Apart from testing testing (no typo), and again copying Ubuntu, I think
we want to run the test suites of the candidate *and* of all the reverse
dependencies that have test suites. This way, you'll see when a
candidate deteriorates testing. For this, debci needs some changes: it
needs a testing suite environment and it needs to call autopkgtest with
the additional arguments. To enable debci to know *what* should be
tested, britney must communicate to debci.

Finally, of course, britney needs to be aware of debci results and take
them into account during judgment.

I think the logical order for me to tackle this (I mean, create the code)
is:
0) figure out how to test all of this without breaking the real
instances (hints more than welcome).
1) fix autopkgtest to enable --apt-suite (next to the current --apt-pocket)
In parallel:
2a) getting a testing suite up for debci and extend debci to be aware of
the additional arguments for autopkgtest
2b) let britney generate a list of tests it would like to perform
2c) align on the transfer mechanism between britney(1) and debci
3) enable debci to swallow the commands from britney
4) enable the policy in britney

Opinions? Other ideas?

If not too many objections, I'll start with 0 and 1. And I sincerely
hope that Antonio wants to help with 2a, but I'd like to hear his
thoughts first. I already had an extensive discussion with pitti and he
is guiding me through the Ubuntu code, which I think serves as a great
example.

I'll probably be back to you way before we are past point 2a.

Paul

PS: as default on Debian mail-lists, no need to CC me, I am subscribed
to the autopkgtest-devel list.

¹ https://wiki.debian.org/debci/britneyIntegration





Re: MariaDB 10.2 into Debian in December

2016-12-20 Thread Otto Kekäläinen
Hello!

This plan didn't hold as the release of 10.2 by upstream seems
delayed. I have therefore started preparing MariaDB 10.1 for Debian
and I am almost complete now, so I can upload it (first to
experimental) very soon. The differences between 10.0 and 10.1 are
quite small from the dependent packages' point of view, so I don't expect
any hiccups during the upgrade.


2016-10-04 0:18 GMT+03:00 Otto Kekäläinen :
> Hello!
>
> MariaDB 10.2 is now in beta and about to be released in December.
> Considering the announced freeze dates, is there something I should
> consider before preparing and uploading mariadb-10.2 to replace
> mariadb-10.0?
>
> Can mariadb-10.0 to mariadb-10.2 upgrade be considered as a transition
> and thus forbidden after November 5th? In my opinion no, but I guess
> it is better to check from you first.
>
> Stretch key dates
> [2016-Nov-05] Transition freeze
> [2016-Dec-05] Mandatory 10-day migrations
> [2017-Jan-05] Soft freeze (no new packages, no re-entry, 10-day migrations)
> [2017-Feb-05] Full freeze
>
> My plan is to upload 10.2 beta into experimental soon, and the final
> 10.2 to unstable when released. This will also mean the
> default-mysql-* metapackages will be updated to point to mariadb-10.2
> derived binary packages.
>
> (And yes, I am skipping 10.1 and going directly to 10.2)



Bug#848610: jessie-pu: package pgpdump/0.28-1+deb8u1

2016-12-20 Thread Christoph Biedl
Christoph "I had a cold" Biedl wrote...

> CVE-2016-4021[1] hasn't been handled in jessie yet. The security team
> suggested to use an upcoming point release for this, this got ACKed
> by the stable security team.

Well, you guess: The security team ACKed to use an upcoming point
release for this.

Christoph




Bug#848908: jessie-pu: package shutter/0.92-0.1+deb8u1

2016-12-20 Thread Christoph Biedl
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hello release team,

CVE-2015-0854[1] hasn't been handled in jessie yet. The security team
ACKed to use an upcoming point release for this. The shutter maintainer
Ryan Niebur is in Cc:.

Find attached a debdiff based on the fixed stretch version 0.93.1-1;
the original patch triggered a Perl error.

Testing confirmed the described exploit no longer works then.

Regards,

Christoph

[1] https://security-tracker.debian.org/tracker/CVE-2015-0854

diff -Nru shutter-0.92/debian/changelog shutter-0.92/debian/changelog
--- shutter-0.92/debian/changelog   2014-08-10 17:51:22.0 +0200
+++ shutter-0.92/debian/changelog   2016-12-20 19:00:20.0 +0100
@@ -1,3 +1,9 @@
+shutter (0.92-0.1+deb8u1) jessie; urgency=high
+
+  * Fix insecure usage of system(). Closes: #798862 [CVE-2015-0854]
+
+ -- Christoph Biedl   Tue, 20 Dec 2016 
19:00:20 +0100
+
 shutter (0.92-0.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru shutter-0.92/debian/patches/CVE-2015-0854.patch shutter-0.92/debian/patches/CVE-2015-0854.patch
--- shutter-0.92/debian/patches/CVE-2015-0854.patch 1970-01-01 01:00:00.0 +0100
+++ shutter-0.92/debian/patches/CVE-2015-0854.patch 2016-12-20 18:59:57.0 +0100
@@ -0,0 +1,18 @@
+Description: Fix insecure use of system()
+Author: Luke Faraone 
+ID: CVE-2015-0854
+Bug: https://bugs.launchpad.net/shutter/+bug/1495163
+Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798862
+
+--- a/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm
 b/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm
+@@ -53,7 +53,8 @@
+ 
+ sub xdg_open {
+   my ( $self, $dialog, $link, $user_data ) = @_;
+-  system("xdg-open $link");
++  my @args = ("xdg-open", $link);
++  system(@args);
+   if($?){
+   my $response = $self->{_dialogs}->dlg_error_message( 
+   sprintf( $self->{_d}->get("Error while executing %s."), 
"'xdg-open'"),
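
Review bot: the list form `system("xdg-open", $link)` is the right fix: with more than one element Perl executes the program directly and $link becomes a single argv entry, so shell metacharacters in it are no longer interpreted, and the `$?` check that follows keeps working. Note that the two-element list is what makes this safe; a one-element list passed to system() still goes through the shell, so this pattern should not be collapsed into a single string later. As with the other attachments in this digest, the embedded `+++ b/share/shutter/...` header appears without its prefix, so worth confirming the file applies cleanly.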
diff -Nru shutter-0.92/debian/patches/series shutter-0.92/debian/patches/series
--- shutter-0.92/debian/patches/series  1970-01-01 01:00:00.0 +0100
+++ shutter-0.92/debian/patches/series  2016-12-20 18:40:00.0 +0100
@@ -0,0 +1 @@
+CVE-2015-0854.patch




Re: Bug#846385: imagemagick: Potential ABI break upstream (without SONAME change)

2016-12-20 Thread roucaries bastien
BTW feel free to NMU imagemagick during a short break I take in the
next two days.

Bastien



Re: Bug#846385: imagemagick: Potential ABI break upstream (without SONAME change)

2016-12-20 Thread roucaries bastien
On Tue, Dec 20, 2016 at 4:22 PM, roucaries bastien
 wrote:
> On Wed, Dec 14, 2016 at 1:29 PM, roucaries bastien
>  wrote:
>> On Wed, Dec 14, 2016 at 1:28 PM, roucaries bastien
>>  wrote:
>>> On Tue, Dec 13, 2016 at 12:21 AM, Emilio Pozuelo Monfort
>>>  wrote:
>>>> On 09/12/16 22:37, roucaries bastien wrote:
>>>>> control: forwarded -1 https://github.com/ImageMagick/ImageMagick/issues/320
>>>>>
>>>>> Dear release team,
>>>>>
>>>>> What is the next step?
>>>>
>>>> In which version was the ABI break introduced?
>>>
>>> It was introduced more than 2 years ago ( 6.9.2-10). One version after
>>> jessie's, which lay in unstable before the jessie release.

>>>> In general I would prefer the change to be reverted, but depending on how long
>>>> this has been in the archive, and in order to stay up to date for security
>>>> fixes, it may be best to do the soname bump.
>>>
>>> From a security point of view, I prefer recent version. I do not want
>>> to keep jessie version with huge patch queue for

>>>> Can you check if your rdeps build fine against a new imagemagick?
>
> libmagick++ rdeps build fine except trafficserver due to a sphinx error
> (unrelated to imagemagick)
> libmagickwand rdeps build fine except rss-glx due to unrelated build
> conflict (#838800)
> libmagickcore rdeps build fine except dx due to missing .mak file
> (unlikely imagemagick)

trafficserver is - #848800
dx #848894

>
> Will rebuild trafficserver and dx under sid chroot and report FTBFS.
>
> Seems it is ok
>
> Bastien
>>>
>>> What I will do is set on unstable the newer version with the so bump
>>> and will begin to rebuild on pbuilder. Normally it will be fine.
>>
>> s/unstable/experimental/g
>>>
>>> I wish to have abi checker on the debian side
>>>
>>> Bastien

>>>> Emilio



Re: Bug#846385: imagemagick: Potential ABI break upstream (without SONAME change)

2016-12-20 Thread roucaries bastien
On Wed, Dec 14, 2016 at 1:29 PM, roucaries bastien
 wrote:
> On Wed, Dec 14, 2016 at 1:28 PM, roucaries bastien
>  wrote:
>> On Tue, Dec 13, 2016 at 12:21 AM, Emilio Pozuelo Monfort
>>  wrote:
>>> On 09/12/16 22:37, roucaries bastien wrote:
>>>> control: forwarded -1 https://github.com/ImageMagick/ImageMagick/issues/320
>>>>
>>>> Dear release team,
>>>>
>>>> What is the next step?
>>>
>>> In which version was the ABI break introduced?
>>
>> It was introduced more than 2 years ago ( 6.9.2-10). One version after
>> jessie's, which lay in unstable before the jessie release.
>>>
>>> In general I would prefer the change to be reverted, but depending on how long
>>> this has been in the archive, and in order to stay up to date for security
>>> fixes, it may be best to do the soname bump.
>>
>> From a security point of view, I prefer recent version. I do not want
>> to keep jessie version with huge patch queue for
>>>
>>> Can you check if your rdeps build fine against a new imagemagick?

libmagick++ rdeps build fine except trafficserver due to a sphinx error
(unrelated to imagemagick)
libmagickwand rdeps build fine except rss-glx due to unrelated build
conflict (#838800)
libmagickcore rdeps build fine except dx due to missing .mak file
(unlikely imagemagick)

Will rebuild trafficserver and dx under sid chroot and report FTBFS.

Seems it is ok

Bastien
>>
>> What I will do is set on unstable the newer version with the so bump
>> and will begin to rebuild on pbuilder. Normally it will be fine.
>
> s/unstable/experimental/g
>>
>> I wish to have abi checker on the debian side
>>
>> Bastien
>>>
>>> Emilio



Bug#794194: release.debian.org: Update Ubuntu patch

2016-12-20 Thread Paul Gevers
Package: release.debian.org
Followup-For: Bug #794194
User: release.debian@packages.debian.org
Usertags: britney
Control: tags 794194 -moreinfo


While diving into debci/britney integration, I noticed that the Ubuntu patch to
fix this issue isn't up-to-date anymore in this bug. It seems that the current
implementation in Ubuntu is answering the concerns.

Paul
P.s. I may try to commit the fix myself to the GitHub archive, but I try
to focus a little bit, so I thought to at least let this bug know.

-- System Information:
Debian Release: stretch/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.8.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

From e5f306c5f5997d2455c6f3df56887070ac07b249 Mon Sep 17 00:00:00 2001
From: Martin Pitt 
Date: Tue, 12 Jul 2016 09:21:15 +0200
Subject: [PATCH] Consider packages with M-A qualifiers for reverse
 dependencies

Strip off Multi-Arch qualifiers ":any" and ":native" when building the
dependency fields, as they are not part of the package name.

This will fix cases like

  Package: ipython3
  Depends: python3:any (>= 3)

and include ipython3 in python3's reverse dependencies.

Closes: #794194
---
 britney.py |  8 
 britney2/installability/builder.py | 18 --
 2 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/britney.py b/britney.py
index b3f2d45..684f20d 100755
--- a/britney.py
+++ b/britney.py
@@ -195,7 +195,7 @@ from britney2 import SuiteInfo, SourcePackage, BinaryPackageId, BinaryPackage
 from britney2.consts import (SOURCE, SOURCEVER, ARCHITECTURE, CONFLICTS, DEPENDS, PROVIDES, MULTIARCH)
 from britney2.excuse import Excuse
 from britney2.hints import HintParser
-from britney2.installability.builder import build_installability_tester
+from britney2.installability.builder import build_installability_tester, ma_parse_depends
 from britney2.migrationitem import MigrationItem
 from britney2.policies.policy import AgePolicy, RCBugPolicy, PiupartsPolicy, PolicyVerdict
 from britney2.utils import (old_libraries_format, undo_changes,
@@ -711,7 +711,7 @@ class Britney(object):
 return sources
 
 def _parse_provides(self, pkg_id, provides_raw):
-parts = apt_pkg.parse_depends(provides_raw, False)
+parts = ma_parse_depends(provides_raw)
 nprov = []
 for or_clause in parts:
 if len(or_clause) != 1:  # pragma: no cover
@@ -1004,7 +1004,7 @@ class Britney(object):
 binary_u = binaries_s_a[pkg]
 
 # local copies for better performance
-parse_depends = apt_pkg.parse_depends
+parse_depends = ma_parse_depends
 
 # analyze the dependency fields (if present)
 deps = binary_u.depends
@@ -1014,7 +1014,7 @@ class Britney(object):
 
 
 # for every dependency block (formed as conjunction of disjunction)
-for block, block_txt in zip(parse_depends(deps, False), deps.split(',')):
+for block, block_txt in zip(parse_depends(deps), deps.split(',')):
 # if the block is satisfied in testing, then skip the block
 packages = get_dependency_solvers(block, binaries_t_a, provides_t_a)
 if packages:
diff --git a/britney2/installability/builder.py b/britney2/installability/builder.py
index 034a18f..94e3ecb 100644
--- a/britney2/installability/builder.py
+++ b/britney2/installability/builder.py
@@ -21,6 +21,20 @@ from britney2.utils import ifilter_except, iter_except, get_dependency_solvers
 from britney2.installability.solver import InstallabilitySolver
 
 
+def ma_parse_depends(dep_str):
+"""Parse a dependency string into a list of triples
+
+This is like apt_pkg.parse_depends but filters out :any and :native
+Multi-Arch prefixes. We don't use apt_pkg.parse_depends(dep_str, True)
+as that would also filter out arch specific dependencies like :amd64.
+"""
+res = apt_pkg.parse_depends(dep_str, False)
+filtered = []
+for or_clause in res:
+filtered.append([(p.replace(':any', '').replace(':native', ''), v, r) for (p, v, r) in or_clause])
+return filtered
+
+
 def build_installability_tester(binaries, archs):
 """Create the installability tester"""
 
@@ -43,10 +57,10 @@ def 
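
As an added worked example of the qualifier handling the commit message above describes (code written for this review, not britney's own; a small hand-written Depends parser stands in for apt_pkg.parse_depends, and the Depends fields are constructed), it shows that :any and :native are dropped while an explicit :amd64 is kept and therefore does not count as a dependency on the bare name:

```python
import re

# Constructed sample Depends fields, keyed by binary package name
# (not taken from any real Packages file).
SAMPLE_DEPENDS = {
    "ipython3": "python3:any (>= 3), python3-ipython (= 2.3.0-2), libc6:amd64 | libc6-i386",
    "foo": "bar:native (>= 1.0) | baz:any, qux",
}

# One dependency atom: name, optional :qualifier, optional (relation version).
_ATOM = re.compile(
    r"^\s*(?P<name>[a-z0-9][a-z0-9+.-]*)"
    r"(?::(?P<arch>[a-z0-9-]+))?"
    r"\s*(?:\((?P<rel>[<>=]+)\s*(?P<ver>[^)]+)\))?\s*$"
)

# Multi-Arch hints rather than architecture names: the britney patch strips
# exactly these two and keeps explicit qualifiers such as :amd64.
MA_QUALIFIERS = {"any", "native"}


def parse_atom(atom):
    """Parse 'pkg[:qual] [(rel ver)]' into the (name, version, relation)
    triple shape used by apt_pkg.parse_depends."""
    m = _ATOM.match(atom)
    if not m:
        raise ValueError("unparsable dependency: %r" % atom)
    name, arch = m.group("name"), m.group("arch")
    if arch in MA_QUALIFIERS:
        arch = None  # drop :any / :native, as ma_parse_depends does
    elif arch:
        name = "%s:%s" % (name, arch)  # keep arch-specific deps like libc6:amd64
    return (name, (m.group("ver") or "").strip(), m.group("rel") or "")


def ma_parse_depends(dep_str):
    """Return [[triple, ...], ...]: one inner list per comma-separated block,
    one triple per '|' alternative."""
    blocks = []
    for block in dep_str.split(","):
        if not block.strip():
            continue
        blocks.append([parse_atom(alt) for alt in block.split("|")])
    return blocks


def reverse_dependencies(target, depends_by_pkg):
    """Packages whose Depends mention `target` by exact name; with the
    qualifier stripped, ipython3 now shows up as an rdep of python3."""
    rdeps = set()
    for pkg, field in depends_by_pkg.items():
        for block in ma_parse_depends(field):
            if any(name == target for name, _, _ in block):
                rdeps.add(pkg)
    return sorted(rdeps)


if __name__ == "__main__":
    for target in ("python3", "libc6", "libc6:amd64", "baz"):
        print(target, "<-", reverse_dependencies(target, SAMPLE_DEPENDS))
```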

Processed: release.debian.org: Update Ubuntu patch

2016-12-20 Thread Debian Bug Tracking System
Processing control commands:

> tags 794194 -moreinfo
Bug #794194 [release.debian.org] britney: Strip off Multi-Arch qualifiers in reverse dependency calculation
Removed tag(s) moreinfo.

-- 
794194: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794194
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#845254: unblock: win32-loader/0.8.0

2016-12-20 Thread Emilio Pozuelo Monfort
On 20/12/16 10:14, Ansgar Burchardt wrote:
> Didier 'OdyX' Raboud writes:
>> On Monday, 21 November 2016, 23.30:52 h CET, Cyril Brulebois wrote:
>>> so feel free to let this package get into testing when it's copied over
>>> by ftpmasters.
>>
>> On Monday, 21 November 2016, 21.09:46 h CET, Didier 'OdyX' Raboud wrote:
>>> 0.8.0 is long overdue in stretch, please let it migrate. ftpmaster: please
>>> copy debian/tools/win32-loader/unstable into …/testing
>>
>> ftpmasters: ping ?
> 
> tools/win32-loader/testing/ now has win32-loader from Apr 21 2016. Sorry
> for forgetting about this :/

And unblocked. It should migrate in the next britney run.

Emilio



Bug#845254: unblock: win32-loader/0.8.0

2016-12-20 Thread Ansgar Burchardt
Didier 'OdyX' Raboud writes:
> On Monday, 21 November 2016, 23.30:52 h CET, Cyril Brulebois wrote:
>> so feel free to let this package get into testing when it's copied over
>> by ftpmasters.
>
> On Monday, 21 November 2016, 21.09:46 h CET, Didier 'OdyX' Raboud wrote:
>> 0.8.0 is long overdue in stretch, please let it migrate. ftpmaster: please
>> copy debian/tools/win32-loader/unstable into …/testing
>
> ftpmasters: ping ?

tools/win32-loader/testing/ now has win32-loader from Apr 21 2016. Sorry
for forgetting about this :/

Ansgar



Bug#845254: unblock: win32-loader/0.8.0

2016-12-20 Thread Didier 'OdyX' Raboud
On Monday, 21 November 2016, 23.30:52 h CET, Cyril Brulebois wrote:
> so feel free to let this package get into testing when it's copied over
> by ftpmasters.

On Monday, 21 November 2016, 21.09:46 h CET, Didier 'OdyX' Raboud wrote:
> 0.8.0 is long overdue in stretch, please let it migrate. ftpmaster: please
> copy debian/tools/win32-loader/unstable into …/testing

ftpmasters: ping ?

-- 
Cheers,
OdyX



Processed: Re: Bug#840643: jessie-pu: package cups/1.7.5-11+deb8u1

2016-12-20 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 -moreinfo
Bug #840643 [release.debian.org] jessie-pu: package cups/1.7.5-11+deb8u1
Removed tag(s) moreinfo.

-- 
840643: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840643
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#840643: jessie-pu: package cups/1.7.5-11+deb8u1

2016-12-20 Thread Didier 'OdyX' Raboud
Control: tag -1 -moreinfo

On Saturday, 17 December 2016, 11.38:59 h CET, Julien Cristau wrote:
> > - and debdiff
> > cups_1.7.5-11+deb8u2.debdiff
> 
> The debdiff is the one we tend to look at, but it looks like it was not
> attached.

Indeed, sorry. Here it comes.

-- 
Cheers,
OdyX
diff -Nru cups-1.7.5/debian/changelog cups-1.7.5/debian/changelog
--- cups-1.7.5/debian/changelog	2015-06-09 09:45:50.0 +0200
+++ cups-1.7.5/debian/changelog	2016-10-10 10:05:10.0 +0200
@@ -1,3 +1,13 @@
+cups (1.7.5-11+deb8u2) jessie-security; urgency=high
+
+  * Disable SSLv3 and RC4 by default to address POODLE vulnerability
+(Closes: #839226)
+- Implement SSLOptions to permit the use of AllowSSLv3 and AllowRC4
+  respectively
+  * Refresh patches
+
+ -- Didier Raboud   Mon, 10 Oct 2016 10:05:10 +0200
+
 cups (1.7.5-11+deb8u1) jessie-security; urgency=high
 
   * Import 1.7 upstream fix for CERT VU#810572: Privilege escalation through
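
Review bot: the new changelog entry targets `jessie-security`, but this bug is a jessie-pu request, so the distribution should be `jessie` before it is uploaded to ftp-master; `jessie-security` is the target for the security archive, which is where the previous +deb8u1 entry went. The Closes reference and the SSLOptions description otherwise read consistently with the patch refreshes that follow, which are line-offset updates only.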
diff -Nru cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch
--- cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch	2016-10-10 09:55:05.0 +0200
@@ -27,7 +27,7 @@
LaunchdTimeout = 10;
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -246,6 +246,9 @@
+@@ -248,6 +248,9 @@
  	/* SSL/TLS options */
  #endif /* HAVE_SSL */
  
diff -Nru cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch
--- cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch	2016-10-10 09:55:10.0 +0200
@@ -21,7 +21,7 @@
LaunchdTimeout = 10;
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -251,6 +251,9 @@
+@@ -253,6 +253,9 @@
  VAR int			IdleExitTimeout		VALUE(0);
  	/* Time after which an idle cupsd will exit */
  
@@ -51,7 +51,7 @@
  #endif /* HAVE_SYSTEMD */
 --- a/man/cupsd.conf.man.in
 +++ b/man/cupsd.conf.man.in
-@@ -521,6 +521,12 @@
+@@ -528,6 +528,12 @@
  "notify-events", "notify-pull-method", "notify-recipient-uri",
  "notify-subscriber-user-name", and "notify-user-data".
  .TP 5
diff -Nru cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch
--- cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch	2016-10-10 09:55:09.0 +0200
@@ -13,7 +13,7 @@
LogTimeFormat= CUPSD_TIME_STANDARD;
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -166,7 +166,7 @@
+@@ -168,7 +168,7 @@
  	/* Allow overrides? */
  			ConfigFilePerm		VALUE(0640),
  	/* Permissions for config files */
diff -Nru cups-1.7.5/debian/patches/pidfile.patch cups-1.7.5/debian/patches/pidfile.patch
--- cups-1.7.5/debian/patches/pidfile.patch	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/pidfile.patch	2016-10-10 09:55:08.0 +0200
@@ -24,7 +24,7 @@
  
if (!strcmp(CUPS_DEFAULT_PRINTCAP, "/etc/printers.conf"))
  PrintcapFormat = PRINTCAP_SOLARIS;
-@@ -,6 +3335,7 @@
+@@ -3370,6 +3372,7 @@
   !_cups_strcasecmp(line, "SystemGroup") ||
   !_cups_strcasecmp(line, "SystemGroupAuthKey") ||
   !_cups_strcasecmp(line, "TempDir") ||
@@ -34,7 +34,7 @@
cupsdLogMessage(CUPSD_LOG_INFO,
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -245,6 +245,8 @@
+@@ -247,6 +247,8 @@
  VAR int			SSLOptions		VALUE(CUPSD_SSL_NONE);
  	/* SSL/TLS options */
  #endif /* HAVE_SSL */
diff -Nru cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch
--- cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch	2016-10-10 09:55:07.0 +0200
@@ -11,7 +11,7 @@
 
 --- a/scheduler/ipp.c
 +++ b/scheduler/ipp.c
-@@ -8249,6 +8249,11 @@
+@@ -8206,6 +8206,11 @@
ipp_attribute_t	*attr,		/* Current attribute */
  			*attr2,		/* Job attribute */
  			*prev2;		/* Previous job attribute */
@@ -23,7 +23,7 @@
  
  
   /*
-@@ -8310,6 +8315,85 @@
+@@ -8267,6 +8272,85 @@
}
  
   /*
diff -Nru cups-1.7.5/debian/patches/series cups-1.7.5/debian/patches/series
--- cups-1.7.5/debian/patches/series	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/series	2016-10-10 09:54:51.0 +0200
@@ -6,6 +6,7 @@
 str4500-cupsGetPPD3-Only-use-symlink-if-file-is-readable-STR.patch
 str4551-fix-buffer-overflow-in-cupsRasterReadPixels.patch