Processed: Re: Bug#849698: jessie-pu: package python-crypto/2.6.1-5+deb8u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 - moreinfo
Bug #849698 [release.debian.org] jessie-pu: package python-crypto/2.6.1-5+deb8u1
Removed tag(s) moreinfo.

-- 
849698: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849698
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#849698: jessie-pu: package python-crypto/2.6.1-5+deb8u1

[Sebastian Ramacher]

Control: tags -1 - moreinfo

Hi

On 2016-12-31 17:03:32, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
> 
> On Thu, 2016-12-29 at 23:15 +0100, Sebastian Ramacher wrote:
> > I'd like to fix CVE-2013-7459 (#849495) in jessie via the next point 
> > release.
> > The issue was marked as no-dsa.
> > 
> > The proposed debdiff is attached. The same patch was applied to the package 
> > in
> > unstable.
> 
> +  * Throw exception when IV is used with ECB or CTR (CVE-2013-7459)
> 
> Do we know if any packages currently in Debian misuse the functions in
> that way? (I realise that any that do are broken, but I'd prefer to find
> that out /before/ releasing an point release that makes them explode if
> possible.)

I am not aware of any packages in jessie that pass IVs when using ECB or CTR. At
least I did not find any using codesearch.d.n. This observation was also part of
reason to declare the issue as no-dsa.

Cheers
-- 
Sebastian Ramacher


signature.asc
Description: PGP signature

Bug#849869: jessie-pu: package unrtf/0.21.5-3

[Willi Mann]

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

As per request of the security team, I intend to upload a security fix 
(CVE-2016-10091) of the unrtf package for the next jessie point release.

The changelog is:
unrtf (0.21.5-3+deb8u1) stable; urgency=medium

  * Add patch from upstream to fix CVE-2016-10091 (buffer overflow in various
cmd_ functions) closes: 849705

 -- Willi Mann   Sun, 01 Jan 2017 19:50:41 +0100

debdiff attached.

Let me know whether this intended upload is fine with you.

Willi

-- System Information:
Debian Release: 8.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.7.0-0.bpo.1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru unrtf-0.21.5/debian/changelog unrtf-0.21.5/debian/changelog
--- unrtf-0.21.5/debian/changelog	2015-01-27 20:50:01.0 +0100
+++ unrtf-0.21.5/debian/changelog	2017-01-01 19:51:52.0 +0100
@@ -1,3 +1,10 @@
+unrtf (0.21.5-3+deb8u1) stable; urgency=medium
+
+  * Add patch from upstream to fix CVE-2016-10091 (buffer overflow in various
+cmd_ functions) closes: 849705
+
+ -- Willi Mann   Sun, 01 Jan 2017 19:50:41 +0100
+
 unrtf (0.21.5-3) unstable; urgency=medium
 
   [ Salvatore Bonaccorso ]
diff -Nru unrtf-0.21.5/debian/patches/0009-Replace-all-instances-of-sprintf-with-snprintf-and-a.patch unrtf-0.21.5/debian/patches/0009-Replace-all-instances-of-sprintf-with-snprintf-and-a.patch
--- unrtf-0.21.5/debian/patches/0009-Replace-all-instances-of-sprintf-with-snprintf-and-a.patch	1970-01-01 01:00:00.0 +0100
+++ unrtf-0.21.5/debian/patches/0009-Replace-all-instances-of-sprintf-with-snprintf-and-a.patch	2017-01-01 19:49:05.0 +0100
@@ -0,0 +1,179 @@
+From: Jean-Francois Dockes 
+Date: Sat, 31 Dec 2016 20:25:19 +0100
+Subject: Replace all instances of sprintf with snprintf and adjust size of
+ integer field in some cases
+
+This fixes CVE-2016-10091
+
+Bug-Debian: https://bugs.debian.org/849705
+---
+ src/attr.c|  4 ++--
+ src/convert.c | 28 ++--
+ src/output.c  |  4 ++--
+ 3 files changed, 18 insertions(+), 18 deletions(-)
+
+diff --git a/src/attr.c b/src/attr.c
+index 0337fd0..aea2a69 100644
+--- a/src/attr.c
 b/src/attr.c
+@@ -743,7 +743,7 @@ char *
+ assemble_string(char *string, int nr)
+ {
+ 
+-	char *s, tmp[12];/* Number of characters that can be in int type (including '\0') - AF */
++	char *s, tmp[20];
+ 	int i = 0, j = 0;
+ 
+ 	if (string == NULL)
+@@ -759,7 +759,7 @@ assemble_string(char *string, int nr)
+ 		}
+ 
+ 		if (string[i] != '\0') {
+-			sprintf(tmp, "%d", nr);
++			snprintf(tmp, 20, "%d", nr);
+ 			strcpy([j], tmp);
+ 			j = j + strlen(tmp);
+ 		}
+diff --git a/src/convert.c b/src/convert.c
+index d22a2f9..62355be 100644
+--- a/src/convert.c
 b/src/convert.c
+@@ -448,7 +448,7 @@ static const int fcharsetparmtocp(int parm)
+ }
+ 
+ // Translate code page to encoding name hopefully suitable as iconv input
+-static char *cptoencoding(parm)
++static char *cptoencoding(int parm)
+ {
+ // Note that CP0 is supposed to mean current system default, which does
+ // not make any sense as a stored value, we don't handle it.
+@@ -935,7 +935,7 @@ cmd_cf (Word *w, int align, char has_param, int num) {
+ 	}
+ 	else
+ 	{
+-		sprintf(str,"#%02x%02x%02x",
++		snprintf(str, 40, "#%02x%02x%02x",
+ 			color_table[num].r,
+ 			color_table[num].g,
+ 			color_table[num].b);
+@@ -962,7 +962,7 @@ cmd_cb (Word *w, int align, char has_param, int num) {
+ 	}
+ 	else
+ 	{
+-		sprintf(str,"#%02x%02x%02x",
++		snprintf(str, 40, "#%02x%02x%02x",
+ 			color_table[num].r,
+ 			color_table[num].g,
+ 			color_table[num].b);
+@@ -987,7 +987,7 @@ cmd_fs (Word *w, int align, char has_param, int points) {
+ 	/* Note, fs20 means 10pt */
+ 	points /= 2;
+ 
+-	sprintf(str,"%d",points);
++	snprintf(str, 20, "%d", points);
+ 	attr_push(ATTR_FONTSIZE,str);
+ 
+ 	return FALSE;
+@@ -1118,7 +1118,7 @@ cmd_f (Word *w, int align, char has_param, int num)
+ {
+ // TOBEDONE: WHAT'S THIS ???
+ name = my_malloc(12);
+-sprintf(name, "%d", num);
++			snprintf(name, 12, "%d", num);
+ }
+ 
+ /* we are going to output entities, so should not output font */
+@@ -1169,7 +1169,7 @@ cmd_highlight (Word *w, int align, char has_param, int num)
+ 	}
+ 	else
+ 	{
+-		sprintf(str,"#%02x%02x%02x",
++		snprintf(str, 40, "#%02x%02x%02x",
+ 			color_table[num].r,
+ 			color_table[num].g,
+ 			color_table[num].b);
+@@ -1324,9 +1324,9 @@ cmd_ftech (Word *w, int align, char has_param, int param) {
+ 
+ static int 
+ cmd_expand (Word *w, int align, char has_param, int param) {
+-	char str[10];
++	char str[20];
+ 	if (has_param) {
+-		sprintf(str, "%d", param/4);
++		

Bug#849865: jessie-pu: package postgresql-common/165+deb8u2

[Christoph Berg]

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I would like to upload postgresql-common/165+deb8u2 with the diff
quoted below to jessie. It's fixing a data-loss bug, and a security
issue. The issues are already addresses in unstable (both in 178).

Is that ok?

diff --git a/debian/changelog b/debian/changelog
index 0d6bd4f..1d583cb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+postgresql-common (165+deb8u2) jessie; urgency=medium
+
+  * pg_upgradecluster: Properly upgrade databases with non-login role owners.
+(Closes: #614374, #838812)
+  * pg_ctlcluster, t/020_create_sql_remove.t: Protect against symlink in
+/var/log/postgresql/ allowing the creation of arbitrary files elsewhere.
+Discovered by Dawid Golunski, thanks! (CVE-2016-1255)
+  * t/TestLib.pm: Cherry-pick program_ok() from master for use in
+t/020_create_sql_remove.t.
+
+ -- Christoph Berg   Sun, 01 Jan 2017 18:48:30 +0100
+
 postgresql-common (165+deb8u1) jessie; urgency=medium
 
   * pg_upgradecluster: Set default dynamic_shared_memory_type = mmap.
diff --git a/pg_ctlcluster b/pg_ctlcluster
index 924f878..d2bb897 100755
--- a/pg_ctlcluster
+++ b/pg_ctlcluster
@@ -23,7 +23,7 @@ use warnings;
 use Getopt::Long;
 use POSIX qw/setsid dup2 setlocale LC_ALL :sys_wait_h/;
 use PgCommon;
-use Fcntl 'SEEK_SET';
+use Fcntl qw(SEEK_SET O_RDWR O_CREAT O_EXCL);
 
 my ($version, $cluster, $pg_ctl, $force);
 my (@postmaster_auxoptions, @pg_ctl_opts_from_cli);
@@ -394,17 +394,20 @@ if ($> == 0 && ! -e '/var/log/postgresql' &&
 
 # recreate missing log file
 if ($action ne 'stop' && $info{'logfile'} && ! -e $info{'logfile'}) {
-open L, '>', $info{'logfile'} or 
+if ($> == 0) { # drop privileges; this is important if logfile
+# was determined via an /etc/postgresql/.../log symlink
+change_ugid $info{'owneruid'}, $info{'ownergid'};
+}
+sysopen (L, $info{'logfile'}, O_RDWR|O_CREAT|O_EXCL) or
error 'Could not create log file ' . $info{'logfile'};
+close L;
 chmod 0640, $info{'logfile'};
-my $g;
+$< = $> = 0; # will silently fail if we were not root before, that's 
intended
+$( = $) = 0;
 if ($info{'owneruid'} < 500) {
-   $g = (getgrnam 'adm')[2];
-} else {
-   $g = $info{'ownergid'};
+my $g = (getgrnam 'adm')[2];
+chown $info{'owneruid'}, $g, $info{'logfile'} if (defined $g);
 }
-chown $info{'owneruid'}, $g, $info{'logfile'};
-close L;
 }
 
 # recreate /var/run/postgresql
diff --git a/pg_upgradecluster b/pg_upgradecluster
index 876a0af..04c59c6 100755
--- a/pg_upgradecluster
+++ b/pg_upgradecluster
@@ -433,18 +433,16 @@ if (!fork) {
error 'automatic upgrade of tablespaces is not supported';
}
 
-   # get list of databases, owners, and allowed connections
+   # get list of databases (value = datallowconn)
my %databases;
open F, '-|', $oldpsql, '-h', $oldsocket, '-p', $info{'port'}, 
'-F|', '-d', 'template1', '-Atc', 
-   'SELECT datname, datallowconn, 
pg_catalog.pg_encoding_to_char(encoding), usename FROM pg_database, pg_user 
WHERE datdba = usesysid' or 
+   'SELECT datname, datallowconn FROM pg_database' or
error 'Could not get pg_database list';
while () {
chomp;
-   my ($n, $a, $e, $o) = split '\|';
-   ($o) = $o =~ /^(.*)$/; # untaint
-   ($e) = $e =~ /^([\w_]+)$/; # untaint
-   $databases{$n} = [$a eq 't', $o, $e];
+   my ($n, $a) = split '\|';
+   $databases{$n} = ($a eq 't');
}
close F;
error 'could not get list of databases' if $?;
@@ -453,7 +451,7 @@ if (!fork) {
for my $db (keys %databases) {
next if $db eq 'template0';
 
-   unless (${$databases{$db}}[0]) {
+   unless ($databases{$db}) {
print "Temporarily enabling access to database $db\n";
(system $oldpsql, '-h', $oldsocket, '-p', $info{'port'}, '-q', 
'-d', 'template1', '-c', 
@@ -546,8 +544,8 @@ if (!fork) {
'-d', $db, '-c', 'ANALYZE') == 0 or
error 'Could not ANALZYE database';
 
-   unless (${$databases{$db}}[0]) {
-   print "Disabling access to database $db\n";
+   unless ($databases{$db}) {
+   print "Disabling access to database $db again\n";
(system $oldpsql, '-h', $oldsocket, '-p', $info{'port'}, '-q', 
'-d', 'template1', '-c', 
"BEGIN READ WRITE; UPDATE pg_database SET datallowconn = 
'f' where datname = '$db'; COMMIT") == 0 or
diff --git a/t/020_create_sql_remove.t b/t/020_create_sql_remove.t
index 457bf9a..f71b4cf 100644
--- a/t/020_create_sql_remove.t
+++ b/t/020_create_sql_remove.t
@@ -10,7 +10,7 @@ use lib 't';
 use TestLib;
 use PgCommon;
 
-use Test::More tests => 

Re: [Pkg-openssl-devel] embedding openssl source in sslcan

[Kurt Roeckx]

On Sun, Jan 01, 2017 at 04:37:48PM +0100, Raphael Hertzog wrote:
> On Sat, 31 Dec 2016, Julien Cristau wrote:
> > On Thu, Dec 22, 2016 at 13:37:11 +0100, Sebastian Andrzej Siewior wrote:
> > 
> > > tl;dr: Has anyone a problem if sslscan embeds openssl 1.0.2 in its
> > > source?
> > > 
> > > sslscan [0] as packaged in Debian currently relies on external libssl as
> > > provided by the openssl package. The openssl package disables support
> > > compression, SSLv2 and SSLv3 which is good but it also means that
> > > sslscan can not detect a SSL implementation that is still providing
> > > support for one of these deprecated protocols or compression.
> > > One could say that it is not required to test for SSLv2 because if
> > > libssl does not support it then it is not possible for an application to
> > > offer it. However libssl is not the only SSL toolkit in Debian and one
> > > might need to scan a non-Debian / older machine.
> > > 
> > Is this really something we need to be shipping?  If yes, I'd personally
> > really like this to get an explicit exemption from normal policy by the
> > security team, so please talk to them (debian-security@ldo is not it).
> 
> "need" is somewhat hard to define, but to give an additional data point,
> it's one of the things that we do in Kali to make it more useful for
> security professionals so it would be nice if it we could do it in Debian
> as well.
> 
> That said sslscan is not the only tool where it could be useful and
> packaging an alternate openssl-insecure should be considered too if it's
> feasible (at least so that we can have alternative versions of the openssl
> command line tools that can continue to support SSL2 and SSL3).

Note that SSLv2 has been completly removed in the 1.1 version, so
you'll never have 1 openssl version that supports both SSLv2 and
TLS 1.3. I think one of the other issues they run into is that
OpenSSL no longer can send a ClientHello without any extensions,
so they can't tests for extenstion tolerances.

I think in the long run, those applications should consider using
an other implementation of SSL/TLS, or write enough of if to be
able to do the tests that they want. And I think there are already
such other programs out there that can do that.


Kurt

Re: embedding openssl source in sslcan

[Raphael Hertzog]

On Sat, 31 Dec 2016, Julien Cristau wrote:
> On Thu, Dec 22, 2016 at 13:37:11 +0100, Sebastian Andrzej Siewior wrote:
> 
> > tl;dr: Has anyone a problem if sslscan embeds openssl 1.0.2 in its
> > source?
> > 
> > sslscan [0] as packaged in Debian currently relies on external libssl as
> > provided by the openssl package. The openssl package disables support
> > compression, SSLv2 and SSLv3 which is good but it also means that
> > sslscan can not detect a SSL implementation that is still providing
> > support for one of these deprecated protocols or compression.
> > One could say that it is not required to test for SSLv2 because if
> > libssl does not support it then it is not possible for an application to
> > offer it. However libssl is not the only SSL toolkit in Debian and one
> > might need to scan a non-Debian / older machine.
> > 
> Is this really something we need to be shipping?  If yes, I'd personally
> really like this to get an explicit exemption from normal policy by the
> security team, so please talk to them (debian-security@ldo is not it).

"need" is somewhat hard to define, but to give an additional data point,
it's one of the things that we do in Kali to make it more useful for
security professionals so it would be nice if it we could do it in Debian
as well.

That said sslscan is not the only tool where it could be useful and
packaging an alternate openssl-insecure should be considered too if it's
feasible (at least so that we can have alternative versions of the openssl
command line tools that can continue to support SSL2 and SSL3).

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

Bug#849855: unblock: unrtf/0.21.9-clean-3

[Willi Mann]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock


Please lower the testing migration delay for package unrtf. It fixes
CVE-2016-10091 (buffer overflow).  Debdiff attached. Note that the changes to
import-orig.sh in the debdiff can be ignored. They are only relevant for
packaging the next upstream release.

unblock unrtf/0.21.9-clean-3

-- System Information:
Debian Release: 8.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.7.0-0.bpo.1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1

[Didier 'OdyX' Raboud]

Le samedi, 31 décembre 2016, 17.10:09 h CET Adam D. Barratt a écrit :
> Control: tags -1 + confirmed
> 
> On Tue, 2016-12-27 at 14:18 +0100, Didier 'OdyX' Raboud wrote:
> > I'd like to get CVE-2015-0839 fixed in jessie, it's a no-DSA issue, and
> > security team members suggested to get it fixed through stable updates.
> > 
> > This bug is a simple 'fetching gpg key from keyservers with a short
> > keyid' problem, and upstream's fix is to use the full fingerprint.
> 
> Please go ahead.

Uploaded, thanks for the confirmation.

-- 
Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.

Re: Let autopkgtests be gating for testing migration in Buster: heads-up and brain-dump

[Martin Pitt]

Hello all,

Julien Cristau [2016-12-31 17:45 +0100]:
> > > 2b) let britney generate a list of tests it would like to perform
> > Is 2b really necessary?  I'm not sure why we would need that.
> > 
> Or to be more correct, I'm not sure we would *want* britney to be able
> to (or have to) do that.

I find britney the best place for it both 

  conceptually: it's the piece that makes policy decisions and has overrides
  for broken/ignored tests

as well as

  operationally: it already has knowledge which package groups want to
  propagate and has an efficient way to compute reverse dependencies and other
  information such as Testsuite-Triggers: from source packages; and it's the
  place which has to interpret these results, so it must know which ones to
  look for anyway.

It's IMHO not the place of the test execution engine to prescribe which tests
to run, as that limits its utility to just one use case (and we use Ubuntu's
engine for lots of other cases that just britney testing migration) and
duplicates/potentially disagrees with logic and decisions that britney already
makes.

TBH I'm a bit surprised by your remark, I would have thought it was quite
obvious that this should be under the release team's/britney's control -- but
apparently not then. Where would you like this policy/decisions to live?

Thanks, and happy new year!

Martin
-- 
Martin Pitt| http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)