Processed: Re: Bug#849698: jessie-pu: package python-crypto/2.6.1-5+deb8u1
Processing control commands: > tags -1 - moreinfo Bug #849698 [release.debian.org] jessie-pu: package python-crypto/2.6.1-5+deb8u1 Removed tag(s) moreinfo. -- 849698: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849698 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#849698: jessie-pu: package python-crypto/2.6.1-5+deb8u1
Control: tags -1 - moreinfo Hi On 2016-12-31 17:03:32, Adam D. Barratt wrote: > Control: tags -1 + moreinfo > > On Thu, 2016-12-29 at 23:15 +0100, Sebastian Ramacher wrote: > > I'd like to fix CVE-2013-7459 (#849495) in jessie via the next point > > release. > > The issue was marked as no-dsa. > > > > The proposed debdiff is attached. The same patch was applied to the package > > in > > unstable. > > + * Throw exception when IV is used with ECB or CTR (CVE-2013-7459) > > Do we know if any packages currently in Debian misuse the functions in > that way? (I realise that any that do are broken, but I'd prefer to find > that out /before/ releasing an point release that makes them explode if > possible.) I am not aware of any packages in jessie that pass IVs when using ECB or CTR. At least I did not find any using codesearch.d.n. This observation was also part of reason to declare the issue as no-dsa. Cheers -- Sebastian Ramacher signature.asc Description: PGP signature
Bug#849869: jessie-pu: package unrtf/0.21.5-3
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu As per request of the security team, I intend to upload a security fix (CVE-2016-10091) of the unrtf package for the next jessie point release. The changelog is: unrtf (0.21.5-3+deb8u1) stable; urgency=medium * Add patch from upstream to fix CVE-2016-10091 (buffer overflow in various cmd_ functions) closes: 849705 -- Willi MannSun, 01 Jan 2017 19:50:41 +0100 debdiff attached. Let me know whether this intended upload is fine with you. Willi -- System Information: Debian Release: 8.6 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.7.0-0.bpo.1-amd64 (SMP w/4 CPU cores) Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru unrtf-0.21.5/debian/changelog unrtf-0.21.5/debian/changelog --- unrtf-0.21.5/debian/changelog 2015-01-27 20:50:01.0 +0100 +++ unrtf-0.21.5/debian/changelog 2017-01-01 19:51:52.0 +0100 @@ -1,3 +1,10 @@ +unrtf (0.21.5-3+deb8u1) stable; urgency=medium + + * Add patch from upstream to fix CVE-2016-10091 (buffer overflow in various +cmd_ functions) closes: 849705 + + -- Willi Mann Sun, 01 Jan 2017 19:50:41 +0100 + unrtf (0.21.5-3) unstable; urgency=medium [ Salvatore Bonaccorso ] diff -Nru unrtf-0.21.5/debian/patches/0009-Replace-all-instances-of-sprintf-with-snprintf-and-a.patch unrtf-0.21.5/debian/patches/0009-Replace-all-instances-of-sprintf-with-snprintf-and-a.patch --- unrtf-0.21.5/debian/patches/0009-Replace-all-instances-of-sprintf-with-snprintf-and-a.patch 1970-01-01 01:00:00.0 +0100 +++ unrtf-0.21.5/debian/patches/0009-Replace-all-instances-of-sprintf-with-snprintf-and-a.patch 2017-01-01 19:49:05.0 +0100 @@ -0,0 +1,179 @@ +From: Jean-Francois Dockes +Date: Sat, 31 Dec 2016 20:25:19 +0100 +Subject: Replace all instances of sprintf with snprintf and adjust size of + integer field in some cases + +This fixes CVE-2016-10091 + +Bug-Debian: https://bugs.debian.org/849705 +--- + src/attr.c| 4 ++-- + src/convert.c | 28 ++-- + src/output.c | 4 ++-- + 3 files changed, 18 insertions(+), 18 deletions(-) + +diff --git a/src/attr.c b/src/attr.c +index 0337fd0..aea2a69 100644 +--- a/src/attr.c b/src/attr.c +@@ -743,7 +743,7 @@ char * + assemble_string(char *string, int nr) + { + +- char *s, tmp[12];/* Number of characters that can be in int type (including '\0') - AF */ ++ char *s, tmp[20]; + int i = 0, j = 0; + + if (string == NULL) +@@ -759,7 +759,7 @@ assemble_string(char *string, int nr) + } + + if (string[i] != '\0') { +- sprintf(tmp, "%d", nr); ++ snprintf(tmp, 20, "%d", nr); + strcpy([j], tmp); + j = j + strlen(tmp); + } +diff --git a/src/convert.c b/src/convert.c +index d22a2f9..62355be 100644 +--- a/src/convert.c b/src/convert.c +@@ -448,7 +448,7 @@ static const int fcharsetparmtocp(int parm) + } + + // Translate code page to encoding name hopefully suitable as iconv input +-static char *cptoencoding(parm) ++static char *cptoencoding(int parm) + { + // Note that CP0 is supposed to mean current system default, which does + // not make any sense as a stored value, we don't handle it. +@@ -935,7 +935,7 @@ cmd_cf (Word *w, int align, char has_param, int num) { + } + else + { +- sprintf(str,"#%02x%02x%02x", ++ snprintf(str, 40, "#%02x%02x%02x", + color_table[num].r, + color_table[num].g, + color_table[num].b); +@@ -962,7 +962,7 @@ cmd_cb (Word *w, int align, char has_param, int num) { + } + else + { +- sprintf(str,"#%02x%02x%02x", ++ snprintf(str, 40, "#%02x%02x%02x", + color_table[num].r, + color_table[num].g, + color_table[num].b); +@@ -987,7 +987,7 @@ cmd_fs (Word *w, int align, char has_param, int points) { + /* Note, fs20 means 10pt */ + points /= 2; + +- sprintf(str,"%d",points); ++ snprintf(str, 20, "%d", points); + attr_push(ATTR_FONTSIZE,str); + + return FALSE; +@@ -1118,7 +1118,7 @@ cmd_f (Word *w, int align, char has_param, int num) + { + // TOBEDONE: WHAT'S THIS ??? + name = my_malloc(12); +-sprintf(name, "%d", num); ++ snprintf(name, 12, "%d", num); + } + + /* we are going to output entities, so should not output font */ +@@ -1169,7 +1169,7 @@ cmd_highlight (Word *w, int align, char has_param, int num) + } + else + { +- sprintf(str,"#%02x%02x%02x", ++ snprintf(str, 40, "#%02x%02x%02x", + color_table[num].r, + color_table[num].g, + color_table[num].b); +@@ -1324,9 +1324,9 @@ cmd_ftech (Word *w, int align, char has_param, int param) { + + static int + cmd_expand (Word *w, int align, char has_param, int param) { +- char str[10]; ++ char str[20]; + if (has_param) { +- sprintf(str, "%d", param/4); ++
Bug#849865: jessie-pu: package postgresql-common/165+deb8u2
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi, I would like to upload postgresql-common/165+deb8u2 with the diff quoted below to jessie. It's fixing a data-loss bug, and a security issue. The issues are already addresses in unstable (both in 178). Is that ok? diff --git a/debian/changelog b/debian/changelog index 0d6bd4f..1d583cb 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +postgresql-common (165+deb8u2) jessie; urgency=medium + + * pg_upgradecluster: Properly upgrade databases with non-login role owners. +(Closes: #614374, #838812) + * pg_ctlcluster, t/020_create_sql_remove.t: Protect against symlink in +/var/log/postgresql/ allowing the creation of arbitrary files elsewhere. +Discovered by Dawid Golunski, thanks! (CVE-2016-1255) + * t/TestLib.pm: Cherry-pick program_ok() from master for use in +t/020_create_sql_remove.t. + + -- Christoph BergSun, 01 Jan 2017 18:48:30 +0100 + postgresql-common (165+deb8u1) jessie; urgency=medium * pg_upgradecluster: Set default dynamic_shared_memory_type = mmap. diff --git a/pg_ctlcluster b/pg_ctlcluster index 924f878..d2bb897 100755 --- a/pg_ctlcluster +++ b/pg_ctlcluster @@ -23,7 +23,7 @@ use warnings; use Getopt::Long; use POSIX qw/setsid dup2 setlocale LC_ALL :sys_wait_h/; use PgCommon; -use Fcntl 'SEEK_SET'; +use Fcntl qw(SEEK_SET O_RDWR O_CREAT O_EXCL); my ($version, $cluster, $pg_ctl, $force); my (@postmaster_auxoptions, @pg_ctl_opts_from_cli); @@ -394,17 +394,20 @@ if ($> == 0 && ! -e '/var/log/postgresql' && # recreate missing log file if ($action ne 'stop' && $info{'logfile'} && ! -e $info{'logfile'}) { -open L, '>', $info{'logfile'} or +if ($> == 0) { # drop privileges; this is important if logfile +# was determined via an /etc/postgresql/.../log symlink +change_ugid $info{'owneruid'}, $info{'ownergid'}; +} +sysopen (L, $info{'logfile'}, O_RDWR|O_CREAT|O_EXCL) or error 'Could not create log file ' . $info{'logfile'}; +close L; chmod 0640, $info{'logfile'}; -my $g; +$< = $> = 0; # will silently fail if we were not root before, that's intended +$( = $) = 0; if ($info{'owneruid'} < 500) { - $g = (getgrnam 'adm')[2]; -} else { - $g = $info{'ownergid'}; +my $g = (getgrnam 'adm')[2]; +chown $info{'owneruid'}, $g, $info{'logfile'} if (defined $g); } -chown $info{'owneruid'}, $g, $info{'logfile'}; -close L; } # recreate /var/run/postgresql diff --git a/pg_upgradecluster b/pg_upgradecluster index 876a0af..04c59c6 100755 --- a/pg_upgradecluster +++ b/pg_upgradecluster @@ -433,18 +433,16 @@ if (!fork) { error 'automatic upgrade of tablespaces is not supported'; } - # get list of databases, owners, and allowed connections + # get list of databases (value = datallowconn) my %databases; open F, '-|', $oldpsql, '-h', $oldsocket, '-p', $info{'port'}, '-F|', '-d', 'template1', '-Atc', - 'SELECT datname, datallowconn, pg_catalog.pg_encoding_to_char(encoding), usename FROM pg_database, pg_user WHERE datdba = usesysid' or + 'SELECT datname, datallowconn FROM pg_database' or error 'Could not get pg_database list'; while () { chomp; - my ($n, $a, $e, $o) = split '\|'; - ($o) = $o =~ /^(.*)$/; # untaint - ($e) = $e =~ /^([\w_]+)$/; # untaint - $databases{$n} = [$a eq 't', $o, $e]; + my ($n, $a) = split '\|'; + $databases{$n} = ($a eq 't'); } close F; error 'could not get list of databases' if $?; @@ -453,7 +451,7 @@ if (!fork) { for my $db (keys %databases) { next if $db eq 'template0'; - unless (${$databases{$db}}[0]) { + unless ($databases{$db}) { print "Temporarily enabling access to database $db\n"; (system $oldpsql, '-h', $oldsocket, '-p', $info{'port'}, '-q', '-d', 'template1', '-c', @@ -546,8 +544,8 @@ if (!fork) { '-d', $db, '-c', 'ANALYZE') == 0 or error 'Could not ANALZYE database'; - unless (${$databases{$db}}[0]) { - print "Disabling access to database $db\n"; + unless ($databases{$db}) { + print "Disabling access to database $db again\n"; (system $oldpsql, '-h', $oldsocket, '-p', $info{'port'}, '-q', '-d', 'template1', '-c', "BEGIN READ WRITE; UPDATE pg_database SET datallowconn = 'f' where datname = '$db'; COMMIT") == 0 or diff --git a/t/020_create_sql_remove.t b/t/020_create_sql_remove.t index 457bf9a..f71b4cf 100644 --- a/t/020_create_sql_remove.t +++ b/t/020_create_sql_remove.t @@ -10,7 +10,7 @@ use lib 't'; use TestLib; use PgCommon; -use Test::More tests =>
Re: [Pkg-openssl-devel] embedding openssl source in sslcan
On Sun, Jan 01, 2017 at 04:37:48PM +0100, Raphael Hertzog wrote: > On Sat, 31 Dec 2016, Julien Cristau wrote: > > On Thu, Dec 22, 2016 at 13:37:11 +0100, Sebastian Andrzej Siewior wrote: > > > > > tl;dr: Has anyone a problem if sslscan embeds openssl 1.0.2 in its > > > source? > > > > > > sslscan [0] as packaged in Debian currently relies on external libssl as > > > provided by the openssl package. The openssl package disables support > > > compression, SSLv2 and SSLv3 which is good but it also means that > > > sslscan can not detect a SSL implementation that is still providing > > > support for one of these deprecated protocols or compression. > > > One could say that it is not required to test for SSLv2 because if > > > libssl does not support it then it is not possible for an application to > > > offer it. However libssl is not the only SSL toolkit in Debian and one > > > might need to scan a non-Debian / older machine. > > > > > Is this really something we need to be shipping? If yes, I'd personally > > really like this to get an explicit exemption from normal policy by the > > security team, so please talk to them (debian-security@ldo is not it). > > "need" is somewhat hard to define, but to give an additional data point, > it's one of the things that we do in Kali to make it more useful for > security professionals so it would be nice if it we could do it in Debian > as well. > > That said sslscan is not the only tool where it could be useful and > packaging an alternate openssl-insecure should be considered too if it's > feasible (at least so that we can have alternative versions of the openssl > command line tools that can continue to support SSL2 and SSL3). Note that SSLv2 has been completly removed in the 1.1 version, so you'll never have 1 openssl version that supports both SSLv2 and TLS 1.3. I think one of the other issues they run into is that OpenSSL no longer can send a ClientHello without any extensions, so they can't tests for extenstion tolerances. I think in the long run, those applications should consider using an other implementation of SSL/TLS, or write enough of if to be able to do the tests that they want. And I think there are already such other programs out there that can do that. Kurt
Re: embedding openssl source in sslcan
On Sat, 31 Dec 2016, Julien Cristau wrote: > On Thu, Dec 22, 2016 at 13:37:11 +0100, Sebastian Andrzej Siewior wrote: > > > tl;dr: Has anyone a problem if sslscan embeds openssl 1.0.2 in its > > source? > > > > sslscan [0] as packaged in Debian currently relies on external libssl as > > provided by the openssl package. The openssl package disables support > > compression, SSLv2 and SSLv3 which is good but it also means that > > sslscan can not detect a SSL implementation that is still providing > > support for one of these deprecated protocols or compression. > > One could say that it is not required to test for SSLv2 because if > > libssl does not support it then it is not possible for an application to > > offer it. However libssl is not the only SSL toolkit in Debian and one > > might need to scan a non-Debian / older machine. > > > Is this really something we need to be shipping? If yes, I'd personally > really like this to get an explicit exemption from normal policy by the > security team, so please talk to them (debian-security@ldo is not it). "need" is somewhat hard to define, but to give an additional data point, it's one of the things that we do in Kali to make it more useful for security professionals so it would be nice if it we could do it in Debian as well. That said sslscan is not the only tool where it could be useful and packaging an alternate openssl-insecure should be considered too if it's feasible (at least so that we can have alternative versions of the openssl command line tools that can continue to support SSL2 and SSL3). Cheers, -- Raphaël Hertzog ◈ Debian Developer Support Debian LTS: http://www.freexian.com/services/debian-lts.html Learn to master Debian: http://debian-handbook.info/get/
Bug#849855: unblock: unrtf/0.21.9-clean-3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please lower the testing migration delay for package unrtf. It fixes CVE-2016-10091 (buffer overflow). Debdiff attached. Note that the changes to import-orig.sh in the debdiff can be ignored. They are only relevant for packaging the next upstream release. unblock unrtf/0.21.9-clean-3 -- System Information: Debian Release: 8.6 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.7.0-0.bpo.1-amd64 (SMP w/4 CPU cores) Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1
Le samedi, 31 décembre 2016, 17.10:09 h CET Adam D. Barratt a écrit : > Control: tags -1 + confirmed > > On Tue, 2016-12-27 at 14:18 +0100, Didier 'OdyX' Raboud wrote: > > I'd like to get CVE-2015-0839 fixed in jessie, it's a no-DSA issue, and > > security team members suggested to get it fixed through stable updates. > > > > This bug is a simple 'fetching gpg key from keyservers with a short > > keyid' problem, and upstream's fix is to use the full fingerprint. > > Please go ahead. Uploaded, thanks for the confirmation. -- Cheers, OdyX signature.asc Description: This is a digitally signed message part.
Re: Let autopkgtests be gating for testing migration in Buster: heads-up and brain-dump
Hello all, Julien Cristau [2016-12-31 17:45 +0100]: > > > 2b) let britney generate a list of tests it would like to perform > > Is 2b really necessary? I'm not sure why we would need that. > > > Or to be more correct, I'm not sure we would *want* britney to be able > to (or have to) do that. I find britney the best place for it both conceptually: it's the piece that makes policy decisions and has overrides for broken/ignored tests as well as operationally: it already has knowledge which package groups want to propagate and has an efficient way to compute reverse dependencies and other information such as Testsuite-Triggers: from source packages; and it's the place which has to interpret these results, so it must know which ones to look for anyway. It's IMHO not the place of the test execution engine to prescribe which tests to run, as that limits its utility to just one use case (and we use Ubuntu's engine for lots of other cases that just britney testing migration) and duplicates/potentially disagrees with logic and decisions that britney already makes. TBH I'm a bit surprised by your remark, I would have thought it was quite obvious that this should be under the release team's/britney's control -- but apparently not then. Where would you like this policy/decisions to live? Thanks, and happy new year! Martin -- Martin Pitt| http://www.piware.de Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)