Bug#864193: unblock: chromium-browser/58.0.3029.96-1
package: release.debian.org user: release.debian@packages.debian.org usertags: unblock Please consider unblocking chromium ahead of the stretch window closing. This updates corrects a single security issue that could lead to remote code execution by visiting a malicious web page. Best wishes, Mike unblock chromium-browser/58.0.3029.96-1
Bug#864189: unblock: systemd/232-25
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Hi, please consider unblocking systemd. The changes include two fixes for selinux, a fix for a dist-upgrade failure and an important performance regression. None of those should affect the udev/libudev1 udeb, i.e. the installer. That said, I've CCed debian-boot for a d-i/KiBi ack. Here's an annotated changelog systemd (232-25) unstable; urgency=medium * hwdb: Use path_join() to generate the hwdb_bin path. This ensures /lib/udev/hwdb.bin gets the correct SELinux context. Having double slashes in the path makes selabel_lookup_raw() return the wrong context. (Closes: #851933) https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=stretch=16508bf I was asked by the SELinux maintainers to fix this for stretch. In the end, it turned out to be a bug in libselinux (#863854). But the fix for libselinux is rather invasive so will likely not make it into stretch and it's easy to avoid triggering the bug, so I've decided to fix/work around this in systemd. * selinux: Enable labeling and access checks for unprivileged users. Revert commit that inadvertently broke a lot of SELinux related functionality for both unprivileged users and systemd instances running as MANAGER_USER and instead deal with the auditd issue by checking for the CAP_AUDIT_WRITE capability before opening an audit netlink socket. (Closes: #863800) https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=stretch=5088d0 Laurent Bigonville, one of the SELinux maintainers, asked me to pull those fixes for stretch. He tested the patches and confirmed that they work. The patches are from upstream. * Revert "systemd-sysv: Add Conflicts: systemd-shim" Under certain conditions this confuses Jessies's apt which then tries to remove systemd while being the active init system, resulting in a failed dist-upgrade. While this turned out to be a bug in apt, avoid this situation by dropping the Conflicts. (Closes: #854041) https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=stretch=a99075 This is bug which imho is the most important one to get fixed for r0. It was (sometimes) causing dist-upgrade failures, if prior to the upgrade systemd-shim was installed. David Kalnischkies identified this as a bug in apt, but since we can't retroactively fix apt in jessie, I decided to drop this Conflicts again to avoid this situation. * link: Fix offload features initialization. This fixes a regression introduced in v232 which caused TCP segmentation offloads being disabled by default, resulting in significant performance issues under certain conditions. (Closes: #864073) https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=stretch=551b79 This seemed like a rather straightforward fix which was unfortuantely only reported the other day. Otherwise I would have pulled it earlier. The patch is from upstream. Full debdiff is attached as well. Regards, Michael unblock systemd/232-25 -- System Information: Debian Release: 9.0 APT prefers unstable APT policy: (500, 'unstable'), (200, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=de_DE.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff --git a/debian/changelog b/debian/changelog index 68276b7..d3789db 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,27 @@ +systemd (232-25) unstable; urgency=medium + + * hwdb: Use path_join() to generate the hwdb_bin path. +This ensures /lib/udev/hwdb.bin gets the correct SELinux context. Having +double slashes in the path makes selabel_lookup_raw() return the wrong +context. (Closes: #851933) + * selinux: Enable labeling and access checks for unprivileged users. +Revert commit that inadvertently broke a lot of SELinux related +functionality for both unprivileged users and systemd instances running +as MANAGER_USER and instead deal with the auditd issue by checking for +the CAP_AUDIT_WRITE capability before opening an audit netlink socket. +(Closes: #863800) + * Revert "systemd-sysv: Add Conflicts: systemd-shim" +Under certain conditions this confuses Jessies's apt which then tries to +remove systemd while being the active init system, resulting in a failed +dist-upgrade. While this turned out to be a bug in apt, avoid this +situation by dropping the Conflicts. (Closes: #854041) + * link: Fix offload features initialization. +This fixes a regression introduced in v232 which caused TCP +segmentation offloads being disabled by default, resulting in +significant performance issues under certain conditions. (Closes: #864073) + + -- Michael BieblSun, 04 Jun 2017 22:58:32
Bug#863519: unblock blockdiag/1.5.3+dfsg-2
retitile 863519: unblock blockdiag/1.5.3+dfsg-5 Hi, Niels 2017-06-04 0:30 GMT+09:00 Niels Thykier: > I am not confident that the "install -d" variant used in the -4 upload > is entirely safe from this symlink attack. Furthermore, it still causes > issues by: > > * It would (still?) cause issues if multiple versions of blockdiag are >built on the same machine concurrently. > * It assumes /tmp rather than using $(TMPDIR) if set (minor issue) > > A quick fix to both of these would be to place the temporary directory > in the "debian" directory (instead of /tmp/). That > would solve all of my concerns with the temporary directory used by the > build. I changed to use PYBUILD {build_dir} instead of /tmp/ in the "-5" upload. Attached is the source debdiff. Regards, diff -Nru blockdiag-1.5.3+dfsg/debian/changelog blockdiag-1.5.3+dfsg/debian/changelog --- blockdiag-1.5.3+dfsg/debian/changelog2017-05-31 07:19:40.0 +0900 +++ blockdiag-1.5.3+dfsg/debian/changelog2017-06-04 12:08:49.0 +0900 @@ -1,3 +1,21 @@ +blockdiag (1.5.3+dfsg-5) unstable; urgency=medium + + * debian/rules +- Fixes to use PYBUILD {build_dir} instead of hardcoded temporary directory + on PYBUILD_BEFORE_TEST. +- Updates PYBUILD_AFTER_TEST. +- Removes overrider_dh_python2 target. +- Removes copying test image files to testimages directory + on overrider_dh_python3. + * debian/patches +- Deletes fixes-ghostscript_not_found_test.patch +- Updates Fixed-remote-image-resouces.patch. + * Removes unnecessary files. +- debian/python-blockdiag.links +- debian/python3-blockdiag.links + + -- Kouhei Maeda Sun, 04 Jun 2017 12:08:49 +0900 + blockdiag (1.5.3+dfsg-4) unstable; urgency=medium * debian/rules diff -Nru blockdiag-1.5.3+dfsg/debian/patches/Fixed-remote-image-resouces.patch blockdiag-1.5.3+dfsg/debian/patches/Fixed-remote-image-resouces.patch --- blockdiag-1.5.3+dfsg/debian/patches/Fixed-remote-image-resouces.patch 2017-05-31 07:19:40.0 +0900 +++ blockdiag-1.5.3+dfsg/debian/patches/Fixed-remote-image-resouces.patch 2017-06-04 11:19:43.0 +0900 @@ -4,25 +4,25 @@ Index: blockdiag-1.5.3+dfsg/src/blockdiag/tests/diagrams/background_url_image.diag === blockdiag-1.5.3+dfsg.orig/src/blockdiag/tests/diagrams/background_url_image.diag 2017-06-04 11:06:19.475245999 +0900 -+++ blockdiag-1.5.3+dfsg/src/blockdiag/tests/diagrams/background_url_image.diag 2017-06-04 11:06:50.142572000 +0900 +--- blockdiag-1.5.3+dfsg.orig/src/blockdiag/tests/diagrams/background_url_image.diag 2017-06-04 11:17:13.518449125 +0900 blockdiag-1.5.3+dfsg/src/blockdiag/tests/diagrams/background_url_image.diag 2017-06-04 11:19:16.593641793 +0900 @@ -1,7 +1,8 @@ { - A [background = "http://python.org/images/python-logo.gif;]; - B [background = "http://blockdiag.com/favicon.ico;]; - C [background = "http://upload.wikimedia.org/wikipedia/commons/9/9b/Scalable_Vector_Graphics_Circle2.svg;]; - D [background = "http://people.sc.fsu.edu/~jburkardt/data/eps/circle.eps;]; -+ A [background = "/usr/lib/python3.5/idlelib/Icons/python.gif"]; ++ A [background = "blockdiag/tests/diagrams/white.gif"]; + B [background = "/usr/lib/python3.5/idlelib/Icons/idle.ico"]; -+ C [background = "/usr/lib/python3.5/idlelib/Icons/idle_16.png"]; ++ C [background = "blockdiag/tests/diagrams/debian-logo-256color-palettealpha.png"]; + D [background = "circle.eps"]; + E [background = "circle.svg"]; Z; } Index: blockdiag-1.5.3+dfsg/src/blockdiag/tests/diagrams/node_icon.diag === blockdiag-1.5.3+dfsg.orig/src/blockdiag/tests/diagrams/node_icon.diag 2017-06-04 11:06:19.475245999 +0900 -+++ blockdiag-1.5.3+dfsg/src/blockdiag/tests/diagrams/node_icon.diag 2017-06-04 11:06:19.471244000 +0900 +--- blockdiag-1.5.3+dfsg.orig/src/blockdiag/tests/diagrams/node_icon.diag 2017-06-04 11:17:13.518449125 +0900 blockdiag-1.5.3+dfsg/src/blockdiag/tests/diagrams/node_icon.diag 2017-06-04 11:17:13.514449125 +0900 @@ -2,5 +2,5 @@ A -> B; diff -Nru blockdiag-1.5.3+dfsg/debian/python-blockdiag.links blockdiag-1.5.3+dfsg/debian/python-blockdiag.links --- blockdiag-1.5.3+dfsg/debian/python-blockdiag.links2014-09-01 07:58:18.0 +0900 +++ blockdiag-1.5.3+dfsg/debian/python-blockdiag.links1970-01-01 09:00:00.0 +0900 @@ -1,2 +0,0 @@ -usr/share/doc/python-blockdiag/testimages/debian-logo-256color-palettealpha.png usr/lib/python2.7/dist-packages/blockdiag/tests/diagrams/debian-logo-256color-palettealpha.png -usr/share/doc/python-blockdiag/testimages/white.gif usr/lib/python2.7/dist-packages/blockdiag/tests/diagrams/white.gif diff -Nru blockdiag-1.5.3+dfsg/debian/python3-blockdiag.links blockdiag-1.5.3+dfsg/debian/python3-blockdiag.links ---
Bug#864083: marked as done (unblock: libgcrypt20/1.7.6-2)
Your message dated Sun, 04 Jun 2017 21:29:00 + with message-id <4d0a6a78-53d6-1b69-ffd0-e749a42f4...@thykier.net> and subject line Re: Bug#864083: unblock: libgcrypt20/1.7.6-2 has caused the Debian Bug report #864083, regarding unblock: libgcrypt20/1.7.6-2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 864083: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864083 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package libgcrypt20, the upload features the following changes: * Refresh debian/upstream/signing-key.asc, key-expiry-dates bumped. * Pull two fixes from gcrypt 1.7.7 bugfix release: + 30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch Fix possible timing attack on EdDSA session key. + 30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch Fix long standing bug in secure memory implementation which could lead to a segv on free. unblock libgcrypt20/1.7.6-2 Thanks, cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' diff -Nru libgcrypt20-1.7.6/debian/changelog libgcrypt20-1.7.6/debian/changelog --- libgcrypt20-1.7.6/debian/changelog 2017-01-26 11:58:32.0 +0100 +++ libgcrypt20-1.7.6/debian/changelog 2017-06-03 10:58:36.0 +0200 @@ -1,3 +1,15 @@ +libgcrypt20 (1.7.6-2) unstable; urgency=high + + * Refresh debian/upstream/signing-key.asc, key-expiry-dates bumped. + * Pull two fixes from gcrypt 1.7.7 bugfix release: ++ 30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch + Fix possible timing attack on EdDSA session key. ++ 30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch + Fix long standing bug in secure memory implementation which could lead + to a segv on free. + + -- Andreas MetzlerSat, 03 Jun 2017 10:58:36 +0200 + libgcrypt20 (1.7.6-1) unstable; urgency=medium * New upstream version, includes diff -Nru libgcrypt20-1.7.6/debian/patches/30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch libgcrypt20-1.7.6/debian/patches/30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch --- libgcrypt20-1.7.6/debian/patches/30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch 1970-01-01 01:00:00.0 +0100 +++ libgcrypt20-1.7.6/debian/patches/30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch 2017-06-03 10:53:37.0 +0200 @@ -0,0 +1,35 @@ +From f9494b3f258e01b6af8bd3941ce436bcc00afc56 Mon Sep 17 00:00:00 2001 +From: Jo Van Bulck +Date: Thu, 19 Jan 2017 17:00:15 +0100 +Subject: [PATCH 1/2] ecc: Store EdDSA session key in secure memory. + +* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): use mpi_snew to allocate +session key. +-- + +An attacker who learns the EdDSA session key from side-channel +observation during the signing process, can easily revover the long- +term secret key. Storing the session key in secure memory ensures that +constant time point operations are used in the MPI library. + +Signed-off-by: Jo Van Bulck +--- + cipher/ecc-eddsa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/cipher/ecc-eddsa.c b/cipher/ecc-eddsa.c +index f91f8489..813e030d 100644 +--- a/cipher/ecc-eddsa.c b/cipher/ecc-eddsa.c +@@ -603,7 +603,7 @@ _gcry_ecc_eddsa_sign (gcry_mpi_t input, ECC_secret_key *skey, + a = mpi_snew (0); + x = mpi_new (0); + y = mpi_new (0); +- r = mpi_new (0); ++ r = mpi_snew (0); + ctx = _gcry_mpi_ec_p_internal_new (skey->E.model, skey->E.dialect, 0, + skey->E.p, skey->E.a, skey->E.b); + b = (ctx->nbits+7)/8; +-- +2.11.0 + diff -Nru libgcrypt20-1.7.6/debian/patches/30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch libgcrypt20-1.7.6/debian/patches/30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch --- libgcrypt20-1.7.6/debian/patches/30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch 1970-01-01 01:00:00.0 +0100 +++ libgcrypt20-1.7.6/debian/patches/30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch 2017-06-03 10:53:37.0 +0200 @@ -0,0 +1,69 @@ +From 91456759b887e153c4d4ce19538d478df260cab2 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka +Date: Fri, 2 Jun 2017 10:34:42 +0900 +Subject: [PATCH 2/2] secmem: Fix SEGV and stat calculation. + +* src/secmem (init_pool): Care about the header size.
Bug#864083: unblock: libgcrypt20/1.7.6-2
Cyril Brulebois(2017-06-04): > I'm missing cryptsetup test cases right now, so I can't tell in a few > minutes. I'll try to add one and/or run this manually on monday, but > not making any promises. At some point, late requests will need to be > punted for r1. Especially given the current amount and the timing > getting tighter and tighter. I actually managed to get that on today's schedule: I had a playbook for full images (but none for netboot-gtk yet), and after some tweaks I've confirmed a basic encrypted LVM setup with default encryption settings still works fine with an updated libgcrypt20-udeb. ACK. KiBi. signature.asc Description: Digital signature
Bug#863472: unblock: openssl/1.1.0f-1
On Sun, Jun 04, 2017 at 06:53:29PM +0200, Cyril Brulebois wrote: > Kurt Roeckx(2017-06-04): > > So I changed it this instead: > > dh_makeshlibs -a -V --add-udeb="libcrypto1.1-udeb" -Xengines > > > > the shlib files now looks like: > > libcrypto 1.1 libssl1.1 (>= 1.1.0f) > > libssl 1.1 libssl1.1 (>= 1.1.0f) > > udeb: libcrypto 1.1 libcrypto1.1-udeb (>= 1.1.0f) > > udeb: libssl 1.1 libssl1.1-udeb (>= 1.1.0f) > > > > Since we have symbol files, this does not affect non-udeb > > packages. > > As discussed on IRC (#debian-devel), the earlier syntax (-V with a > version) was fine, and more accurate as it only needs to be bumped > when symbols change. However, using -V without a specific version > should get us updated dependencies every time; they might be stricter > than needed, but that's better than forgetting about bumping the > version IMHO, so fine with me. So I've uploaded openssl 1.1.0f-2 and openssl1.0 1.0.2l-2 Kurt
Bug#864085: unblock: dnsmasq/2.76-5
On 04/06/17 16:36, Jonathan Wiltshire wrote: > Control: tag -1 moreinfo > > On Sun, Jun 04, 2017 at 09:58:44AM +0100, ? wrote: >> The dnsmasq package in testing has a serious problem when dns-root-data is >> installed, due to changes in the format of the dns-root-data files. >> The effect is to render dnsmasq unusable. > > Bother. > >> There are several serious bugs filed to this effect, but they should >> really be release-critical, eg 863896 >> >> There are also several bugs in the DNSSEC validation code, which are fixed >> upstream, and really should be in stretch. >> >> Therefore, if we can get dnsmasq-2.77-1, currently in unstable, into Stretch, >> that would be a Good Thing. If not, it will need a point release. > > The delta from testing to unstable right now is not really suitable this > late in the process. I would prefer a targetted fix through t-p-u. I understand. > > However, I wonder if that format change in dns-root-data risks problems in > other packages. Ondřej, is there any advantage to reverting that (keeping > the RC fix for parse-root-anchors.sh)? > The patch to fix this in dnsmasq is at : http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=44eb875a5ab2e3b862a6b2bc9fbbb919475d2107 (that regexp handles both old and new formats.) Cheers, Simon.
Bug#863472: unblock: openssl/1.1.0f-1
Kurt Roeckx(2017-06-04): > So I changed it this instead: > dh_makeshlibs -a -V --add-udeb="libcrypto1.1-udeb" -Xengines > > the shlib files now looks like: > libcrypto 1.1 libssl1.1 (>= 1.1.0f) > libssl 1.1 libssl1.1 (>= 1.1.0f) > udeb: libcrypto 1.1 libcrypto1.1-udeb (>= 1.1.0f) > udeb: libssl 1.1 libssl1.1-udeb (>= 1.1.0f) > > Since we have symbol files, this does not affect non-udeb > packages. As discussed on IRC (#debian-devel), the earlier syntax (-V with a version) was fine, and more accurate as it only needs to be bumped when symbols change. However, using -V without a specific version should get us updated dependencies every time; they might be stricter than needed, but that's better than forgetting about bumping the version IMHO, so fine with me. Thanks. KiBi. signature.asc Description: Digital signature
Bug#864083: unblock: libgcrypt20/1.7.6-2
Hi, Niels Thykier(2017-06-04): > Ack from here, CC'ing KiBi for a d-i ack - assuming there is still > time. Worst case, we will have to defer it to 9.1. I'm missing cryptsetup test cases right now, so I can't tell in a few minutes. I'll try to add one and/or run this manually on monday, but not making any promises. At some point, late requests will need to be punted for r1. Especially given the current amount and the timing getting tighter and tighter. KiBi. signature.asc Description: Digital signature
Bug#864076: marked as done (unblock: distro-info-data/0.36)
Your message dated Sun, 04 Jun 2017 16:45:06 + with message-idand subject line unblock distro-info-data has caused the Debian Bug report #864076, regarding unblock: distro-info-data/0.36 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 864076: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864076 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package distro-info-data This is a pre-upload unblock request for distro-info-data, now that the Jessie release date has been announced. While I was here, I realised that we didn't have EOL dates for Jessie or Wheezy yet :( We have a long-standing bug of not including LTS dates (#782685) so I've maintained the status-quo and did that for these two as well. Alternatively, I could just extend the support dates out to include LTS, but that seems like another bad idea :/ So, are you OK with this patch-set, and would you consider allowing it in, for Stretch? unblock distro-info-data/0.36 Thanks, SR diff --git a/debian.csv b/debian.csv index c1f0962..b476031 100644 --- a/debian.csv +++ b/debian.csv @@ -10,10 +10,10 @@ version,codename,series,created,release,eol 4.0,Etch,etch,2005-06-06,2007-04-08,2010-02-15 5.0,Lenny,lenny,2007-04-08,2009-02-14,2012-02-06 6.0,Squeeze,squeeze,2009-02-14,2011-02-06,2014-05-31 -7,Wheezy,wheezy,2011-02-06,2013-05-04 -8,Jessie,jessie,2013-05-04,2015-04-25 -9,Stretch,stretch,2015-04-25 -10,Buster,buster,2018-07-01 +7,Wheezy,wheezy,2011-02-06,2013-05-04,2016-04-26 +8,Jessie,jessie,2013-05-04,2015-04-25,2018-06-06 +9,Stretch,stretch,2015-04-25,2017-06-17 +10,Buster,buster,2017-06-17 11,Bullseye,bullseye,2020-11-05 ,Sid,sid,1993-08-16 ,Experimental,experimental,1993-08-16 diff --git a/debian/changelog b/debian/changelog index cec721c..130df23 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +distro-info-data (0.36) UNRELEASED; urgency=medium + + * Set EOL date for Debian Wheezy. This excludes LTS, which we haven't +supported in distro-info yet, for Debian, but matches what we did for +Squeeze. + * Set (provisional) EOL date for Debian Jessie. + * Set release date for Stretch (and matching creation date for Buster). It +has been announced. + + -- Stefano Rivera Sat, 03 Jun 2017 18:07:40 -0700 + distro-info-data (0.35) unstable; urgency=medium * Correct Ubuntu Zesty release date. --- End Message --- --- Begin Message --- Unblocked distro-info-data.--- End Message ---
Bug#864027: unblock: swift/2.10.2-1
Hi, 2017-06-04 16:55 GMT+02:00 Jonathan Wiltshire: > Let's defer this, I'm not comfortable with such changes this close to > release. > so let's wait for p-u and first stretch point release? -- Best regards Ondřej Nový Email: n...@ondrej.org PGP: 3D98 3C52 EB85 980C 46A5 6090 3573 1255 9D1E 064B
Bug#864085: unblock: dnsmasq/2.76-5
Control: tag -1 moreinfo On Sun, Jun 04, 2017 at 09:58:44AM +0100, ? wrote: > The dnsmasq package in testing has a serious problem when dns-root-data is > installed, due to changes in the format of the dns-root-data files. > The effect is to render dnsmasq unusable. Bother. > There are several serious bugs filed to this effect, but they should > really be release-critical, eg 863896 > > There are also several bugs in the DNSSEC validation code, which are fixed > upstream, and really should be in stretch. > > Therefore, if we can get dnsmasq-2.77-1, currently in unstable, into Stretch, > that would be a Good Thing. If not, it will need a point release. The delta from testing to unstable right now is not really suitable this late in the process. I would prefer a targetted fix through t-p-u. However, I wonder if that format change in dns-root-data risks problems in other packages. Ondřej, is there any advantage to reverting that (keeping the RC fix for parse-root-anchors.sh)? -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Processed: Re: Bug#864085: unblock: dnsmasq/2.76-5
Processing control commands: > tag -1 moreinfo Bug #864085 [release.debian.org] unblock: dnsmasq/2.76-5 Added tag(s) moreinfo. -- 864085: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864085 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#864092: marked as done (unblock: llvm-toolchain-3.8)
Your message dated Sun, 4 Jun 2017 16:14:10 +0100 with message-id <20170604151410.jcfukosmjumvb...@powdarrmonkey.net> and subject line Re: Bug#864092: unblock: llvm-toolchain-3.8 has caused the Debian Bug report #864092, regarding unblock: llvm-toolchain-3.8 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 864092: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864092 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org User: release.debian@packages.debian.org Usertags: unblock Hi Release Team Please unblock package llvm-toolchain-3.8, we fixed the Julia build (bad arm64 generated code), and also fixed a sanitizer hang on newer kernels (it is an upstream patch, it might be incomplete, we tested and it worked, but it hanged again on one buildd) unblock llvm-toolchain-3.8/1:3.8.1-24 thanks G. diff -Nru llvm-toolchain-3.8-3.8.1/debian/changelog llvm-toolchain-3.8-3.8.1/debian/changelog --- llvm-toolchain-3.8-3.8.1/debian/changelog 2017-04-25 19:46:34.0 +0200 +++ llvm-toolchain-3.8-3.8.1/debian/changelog 2017-06-02 15:15:49.0 +0200 @@ -1,3 +1,14 @@ +llvm-toolchain-3.8 (1:3.8.1-24) unstable; urgency=medium + + * Team upload + * debian/patches/fix-R_AARCH64_MOVW_UABS_G3-relocation.patch: +fix relocation issue, preventing Julia from working correctly on +arm64 (Closes: #862360, #861484) + * debian/patches/asan-48bit-VMA-aarch64.patch: +- fix asan testsuite hang with some arm64 builders. + + -- Gianfranco CostamagnaFri, 02 Jun 2017 15:11:29 +0200 + llvm-toolchain-3.8 (1:3.8.1-23) unstable; urgency=medium * Oups, same player try again (wrong package name, sorry) diff -Nru llvm-toolchain-3.8-3.8.1/debian/patches/asan-48bit-VMA-aarch64.patch llvm-toolchain-3.8-3.8.1/debian/patches/asan-48bit-VMA-aarch64.patch --- llvm-toolchain-3.8-3.8.1/debian/patches/asan-48bit-VMA-aarch64.patch 1970-01-01 01:00:00.0 +0100 +++ llvm-toolchain-3.8-3.8.1/debian/patches/asan-48bit-VMA-aarch64.patch 2017-06-02 15:12:44.0 +0200 @@ -0,0 +1,16 @@ +Description: [asan] Enable 48-bit VMA support on aarch64 +Origin: upstream, https://reviews.llvm.org/D22095?id=63084 +Bug-Debian: https://bugs.debian.org/862360 +Author: Adhemerval Zanella +Last-Update: 2016-07-07 +--- a/compiler-rt/lib/sanitizer_common/sanitizer_platform.h b/compiler-rt/lib/sanitizer_common/sanitizer_platform.h +@@ -114,6 +114,8 @@ + // will still work but will consume more memory for TwoLevelByteMap. + #if defined(__mips__) + # define SANITIZER_MMAP_RANGE_SIZE FIRST_32_SECOND_64(1ULL << 32, 1ULL << 40) ++#elif defined(__aarch64__) ++# define SANITIZER_MMAP_RANGE_SIZE FIRST_32_SECOND_64(1ULL << 32, 1ULL << 48) + #else + # define SANITIZER_MMAP_RANGE_SIZE FIRST_32_SECOND_64(1ULL << 32, 1ULL << 47) + #endif diff -Nru llvm-toolchain-3.8-3.8.1/debian/patches/fix-R_AARCH64_MOVW_UABS_G3-relocation.patch llvm-toolchain-3.8-3.8.1/debian/patches/fix-R_AARCH64_MOVW_UABS_G3-relocation.patch --- llvm-toolchain-3.8-3.8.1/debian/patches/fix-R_AARCH64_MOVW_UABS_G3-relocation.patch 1970-01-01 01:00:00.0 +0100 +++ llvm-toolchain-3.8-3.8.1/debian/patches/fix-R_AARCH64_MOVW_UABS_G3-relocation.patch 2017-06-02 15:14:37.0 +0200 @@ -0,0 +1,16 @@ +Description: Fix R_AARCH64_MOVW_UABS_G3 relocation +Origin: upstream, https://reviews.llvm.org/D27609?id=80860 +Bug-Debian: https://bugs.debian.org/862360 +Author: Yichao Yu +Last-Update: 2016-12-15 +--- a/lib/ExecutionEngine/RuntimeDyld/RuntimeDyldELF.cpp b/lib/ExecutionEngine/RuntimeDyld/RuntimeDyldELF.cpp +@@ -357,7 +357,7 @@ + // bits affected by the relocation on entry is garbage. + *TargetPtr &= 0xffe0001fU; + // Immediate goes in bits 20:5 of MOVZ/MOVK instruction +-*TargetPtr |= Result >> (48 - 5); ++*TargetPtr |= (Result & 0xULL) >> (48 - 5); + // Shift must be "lsl #48", in bits 22:21 + assert((*TargetPtr >> 21 & 0x3) == 3 && "invalid shift for relocation"); + break; diff -Nru llvm-toolchain-3.8-3.8.1/debian/patches/series llvm-toolchain-3.8-3.8.1/debian/patches/series --- llvm-toolchain-3.8-3.8.1/debian/patches/series 2017-03-19 22:10:46.0 +0100 +++ llvm-toolchain-3.8-3.8.1/debian/patches/series 2017-06-02 15:11:44.0 +0200 @@ -57,3 +57,5 @@ lldb-server-path.diff lldb-server-link.diff add_symbols_versioning.patch +fix-R_AARCH64_MOVW_UABS_G3-relocation.patch +asan-48bit-VMA-aarch64.patch signature.asc Description: OpenPGP
Bug#864152: marked as done (unblock: msgpuck/1.0.3-1.1)
Your message dated Sun, 4 Jun 2017 16:11:05 +0100 with message-id <20170604151105.sygj4izgm2bxo...@powdarrmonkey.net> and subject line Re: Bug#864152: unblock: msgpuck/1.0.3-1.1 has caused the Debian Bug report #864152, regarding unblock: msgpuck/1.0.3-1.1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 864152: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864152 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Hi Please unblock package msgpuck It fixes CVE-2016-9036 (Invalid handling of map16 format in mp_check()), which is #849212. unblock msgpuck/1.0.3-1.1 Full debdiff against version in testing attached. Regards, Salvatore diff -Nru msgpuck-1.0.3/debian/changelog msgpuck-1.0.3/debian/changelog --- msgpuck-1.0.3/debian/changelog 2016-08-09 21:14:15.0 +0200 +++ msgpuck-1.0.3/debian/changelog 2017-06-04 12:49:08.0 +0200 @@ -1,3 +1,10 @@ +msgpuck (1.0.3-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * CVE-2016-9036 (Closes: #849212) + + -- Moritz MuehlenhoffSun, 04 Jun 2017 12:49:08 +0200 + msgpuck (1.0.3-1) unstable; urgency=medium * Fix GCC 6.0 and Doxygen warnings diff -Nru msgpuck-1.0.3/debian/patches/CVE-2016-9036.patch msgpuck-1.0.3/debian/patches/CVE-2016-9036.patch --- msgpuck-1.0.3/debian/patches/CVE-2016-9036.patch1970-01-01 01:00:00.0 +0100 +++ msgpuck-1.0.3/debian/patches/CVE-2016-9036.patch2017-06-04 12:49:05.0 +0200 @@ -0,0 +1,186 @@ +From d2c366e27eea4a5a24c6ec36ffcc4f4fd5b361ac Mon Sep 17 00:00:00 2001 +From: Roman Tsisyk +Date: Thu, 15 Dec 2016 19:28:23 +0300 +Subject: [PATCH] Fix handling of map16 format in mp_check() + +Fixes TALOS-2016-0254 +Fixes CVE-2016-9036 +Fixes #12 + +[adjusted for 1.0.3] +--- msgpuck-1.0.3.orig/msgpuck.h msgpuck-1.0.3/msgpuck.h +@@ -1940,7 +1940,7 @@ mp_check(const char **data, const char * + case MP_HINT_MAP_16: + /* MP_MAP (16) */ + if (mp_unlikely(*data + sizeof(uint16_t) > end)) +- return false; ++ return 1; + k += 2 * mp_load_u16(data); + break; + case MP_HINT_MAP_32: +--- msgpuck-1.0.3.orig/test/msgpuck.c msgpuck-1.0.3/test/msgpuck.c +@@ -771,9 +771,153 @@ test_mp_print() + return check_plan(); + } + ++int ++test_mp_check() ++{ ++ plan(65); ++ header(); ++ ++#define invalid(data, fmt, ...) ({ \ ++ const char *p = data; \ ++ isnt(mp_check(, p + sizeof(data) - 1), 0, fmt, ## __VA_ARGS__); \ ++}); ++ ++ /* fixmap */ ++ invalid("\x81", "invalid fixmap 1"); ++ invalid("\x81\x01", "invalid fixmap 2"); ++ invalid("\x8f\x01", "invalid fixmap 3"); ++ ++ /* fixarray */ ++ invalid("\x91", "invalid fixarray 1"); ++ invalid("\x92\x01", "invalid fixarray 2"); ++ invalid("\x9f\x01", "invalid fixarray 3"); ++ ++ /* fixstr */ ++ invalid("\xa1", "invalid fixstr 1"); ++ invalid("\xa2\x00", "invalid fixstr 2"); ++ invalid("\xbf\x00", "invalid fixstr 3"); ++ ++ /* bin8 */ ++ invalid("\xc4", "invalid bin8 1"); ++ invalid("\xc4\x01", "invalid bin8 2"); ++ ++ /* bin16 */ ++ invalid("\xc5", "invalid bin16 1"); ++ invalid("\xc5\x00\x01", "invalid bin16 2"); ++ ++ /* bin32 */ ++ invalid("\xc6", "invalid bin32 1"); ++ invalid("\xc6\x00\x00\x00\x01", "invalid bin32 2"); ++ ++ /* ext8 */ ++ invalid("\xc7", "invalid ext8 1"); ++ invalid("\xc7\x00", "invalid ext8 2"); ++ invalid("\xc7\x01\xff", "invalid ext8 3"); ++ invalid("\xc7\x02\xff\x00", "invalid ext8 4"); ++ ++ /* ext16 */ ++ invalid("\xc8", "invalid ext16 1"); ++ invalid("\xc8\x00\x00", "invalid ext16 2"); ++ invalid("\xc8\x00\x01\xff", "invalid ext16 3"); ++ invalid("\xc8\x00\x02\xff\x00", "invalid ext16 4"); ++ ++ /* ext32 */ ++ invalid("\xc9", "invalid ext32 1"); ++ invalid("\xc9\x00\x00\x00\x00", "invalid ext32 2"); ++ invalid("\xc9\x00\x00\x00\x01\xff", "invalid ext32 3"); ++ invalid("\xc9\x00\x00\x00\x02\xff\x00", "invalid ext32 4"); ++ ++ /* float32 */ ++ invalid("\xca", "invalid float32 1"); ++ invalid("\xca\x00\x00\x00", "invalid float32 2"); ++ ++ /* float64 */ ++ invalid("\xcb", "invalid float64 1"); ++ invalid("\xcb\x00\x00\x00\x00\x00\x00\x00", "invalid
Bug#864091: marked as done (unblock: ettercap/1:0.8.2-5)
Your message dated Sun, 4 Jun 2017 16:03:12 +0100 with message-id <20170604150312.uuc3cslqtmvqp...@powdarrmonkey.net> and subject line Re: Bug#864091: unblock: ettercap (CVE) has caused the Debian Bug report #864091, regarding unblock: ettercap/1:0.8.2-5 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 864091: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864091 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org User: release.debian@packages.debian.org Usertags: unblock Hi Release Team Please unblock package ettercap, we fixed CVE 2017-8366 unblock ettercap/1:0.8.2-5 debdiff attached diff -Nru ettercap-0.8.2/debian/changelog ettercap-0.8.2/debian/changelog --- ettercap-0.8.2/debian/changelog 2017-03-07 21:28:07.0 +0100 +++ ettercap-0.8.2/debian/changelog 2017-06-04 09:27:11.0 +0200 @@ -1,3 +1,12 @@ +ettercap (1:0.8.2-5) unstable; urgency=high + + [ Alexander Koeppe ] + * debian/patches/803.patch: Fix buffer overflow/underflow +with bad filters (Closes: #861604). +CVE-2017-8366 + + -- Gianfranco CostamagnaSun, 04 Jun 2017 09:24:59 +0200 + ettercap (1:0.8.2-4) unstable; urgency=high * debian/patches/626dc56686f15f2dda13c48f78c2a666cb6d8506.patch: diff -Nru ettercap-0.8.2/debian/patches/803.patch ettercap-0.8.2/debian/patches/803.patch --- ettercap-0.8.2/debian/patches/803.patch 1970-01-01 01:00:00.0 +0100 +++ ettercap-0.8.2/debian/patches/803.patch 2017-06-04 09:25:14.0 +0200 @@ -0,0 +1,210 @@ +From d14d2558da14a33abf7baab28957488a75d16af1 Mon Sep 17 00:00:00 2001 +From: Alexander Koeppe +Date: Thu, 1 Jun 2017 08:56:23 +0200 +Subject: [PATCH 1/4] Add ASAN compiler flags in DEBUG build type + +--- + CMakeLists.txt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: ettercap-0.8.2/CMakeLists.txt +=== +--- ettercap-0.8.2.orig/CMakeLists.txt ettercap-0.8.2/CMakeLists.txt +@@ -125,7 +125,27 @@ + # library dir path in our RPATH. + set(CMAKE_INSTALL_RPATH_USE_LINK_PATH TRUE) + endif(NOT DISABLE_RPATH) ++ ++# set general build flags for debug build-type + set(CMAKE_C_FLAGS_DEBUG "-O0 -ggdb3 -DDEBUG -Wall -Wno-pointer-sign -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security -Wextra -Wredundant-decls" CACHE STRING "" FORCE) ++# append ASAN build flags if compiler version has support ++if ("${CMAKE_C_COMPILER_ID}" STREQUAL "GNU") ++ if (CMAKE_C_COMPILER_VERSION VERSION_GREATER 4.8) ++ set(CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -fsanitize=address -fno-omit-frame-pointer" CACHE STRING "" FORCE) ++ message("Building with ASAN support (GNU compiler)") ++ else (CMAKE_C_COMPILER_VERSION VERSION_GREATER 4.8) ++ message("Building without ASAN support (GNU compiler)") ++ endif (CMAKE_C_COMPILER_VERSION VERSION_GREATER 4.8) ++elseif ("${CMAKE_C_COMPILER_ID}" STREQUAL "Clang") ++ if (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1) ++ set(CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -fsanitize=address -fno-omit-frame-pointer" CACHE STRING "" FORCE) ++ message("Building with ASAN support (Clang compiler)") ++ elseif (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1) ++ message("Building without ASAN support (Clang compiler)") ++ endif (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1) ++endif ("${CMAKE_C_COMPILER_ID}" STREQUAL "GNU") ++ ++# set build flags for release build-type + set(CMAKE_C_FLAGS_RELEASE "-O2 -w -D_FORTIFY_SOURCE=2" CACHE STRING "" FORCE) + + if(OS_DARWIN) +Index: ettercap-0.8.2/include/ec_strings.h +=== +--- ettercap-0.8.2.orig/include/ec_strings.h ettercap-0.8.2/include/ec_strings.h +@@ -40,7 +40,7 @@ + + EC_API_EXTERN int match_pattern(const char *s, const char *pattern); + EC_API_EXTERN int base64_decode(char *bufplain, const char *bufcoded); +-EC_API_EXTERN int strescape(char *dst, char *src); ++EC_API_EXTERN int strescape(char *dst, char *src, size_t len); + EC_API_EXTERN int str_replace(char **text, const char *s, const char *d); + EC_API_EXTERN size_t strlen_utf8(const char *s); + EC_API_EXTERN char * ec_strtok(char *s, const char *delim, char **ptrptr); +Index: ettercap-0.8.2/src/ec_strings.c +=== +--- ettercap-0.8.2.orig/src/ec_strings.c ettercap-0.8.2/src/ec_strings.c +@@ -167,13 +167,14 @@ + /* + * convert the escaped string into a binary one +
Bug#864084: marked as done (unblock: zabbix/1:3.0.7+dfsg-3)
Your message dated Sun, 4 Jun 2017 16:01:29 +0100 with message-id <20170604150129.jxkv65qx6bmy3...@powdarrmonkey.net> and subject line Re: Bug#864084: unblock: zabbix/1:3.0.7+dfsg-3 has caused the Debian Bug report #864084, regarding unblock: zabbix/1:3.0.7+dfsg-3 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 864084: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864084 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Affects: -1 zabbix X-Debbugs-CC: j...@debian.org Please unblock zabbix/1:3.0.7+dfsg-3 I would like to accommodate two attached diffs to Stretch please. One fixes defunctional UI (broken by incompatible libjs-jquery) and another fixes two security vulnerabilities as per #863584. Thanks. -- All the best, Dmitry Smirnov. signature.asc Description: This is a digitally signed message part. diff --git a/debian/changelog b/debian/changelog index d570c6d..755bc59 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +zabbix (1:3.0.7+dfsg-2) unstable; urgency=medium + + * Frontend-PHP: switch to private jQuery (Closes: #857287). + + -- Dmitry SmirnovSun, 21 May 2017 13:56:56 +1000 + zabbix (1:3.0.7+dfsg-1) unstable; urgency=medium * New upstream release [December 2016]. diff --git a/debian/control b/debian/control index d989f84..c0f275f 100644 --- a/debian/control +++ b/debian/control @@ -21,7 +21,7 @@ Build-Depends: debhelper (>= 9), automake, dh-autoreconf, dh-systemd (>= 1.5), d ## dh-linktree: ,libjs-prototype ,libjs-jquery-ui (>= 1.10.1) -,libjs-jquery (>= 1.10.1) +# ,libjs-jquery (>= 1.10.1) ## java-gateway deps: ,javahelper Build-Depends-Indep: default-jdk diff --git a/debian/zabbix-frontend-php.linktrees b/debian/zabbix-frontend-php.linktrees index 7308d0c..9dc6cc8 100644 --- a/debian/zabbix-frontend-php.linktrees +++ b/debian/zabbix-frontend-php.linktrees @@ -4,5 +4,5 @@ replace /usr/share/javascript/prototype/prototype.js /usr/share/zabbix/js/vend ## libjs-jquery-ui (1.10.1 vs 1.10.3) replace /usr/share/javascript/jquery-ui/jquery-ui.js /usr/share/zabbix/js/vendors/jquery-ui.js -## libjs-jquery (1.11.3 vs 1.10.2) -replace /usr/share/javascript/jquery/jquery.js /usr/share/zabbix/js/vendors/jquery.js +## libjs-jquery (3.1.1 vs 1.10.2) +#replace /usr/share/javascript/jquery/jquery.js /usr/share/zabbix/js/vendors/jquery.js diff --git a/debian/changelog b/debian/changelog index 755bc59..d1c4c64 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +zabbix (1:3.0.7+dfsg-3) unstable; urgency=high + + * CVE-2017-2824, CVE-2017-2825: new upstream patches +"ZBX-12075_r67082.patch", "ZBX-12075_r67270.patch" (Closes: #863584). + + -- Dmitry Smirnov Sun, 04 Jun 2017 17:14:06 +1000 + zabbix (1:3.0.7+dfsg-2) unstable; urgency=medium * Frontend-PHP: switch to private jQuery (Closes: #857287). diff --git a/debian/patches/ZBX-12075_r67082.patch b/debian/patches/ZBX-12075_r67082.patch new file mode 100644 index 000..59bf622 --- /dev/null +++ b/debian/patches/ZBX-12075_r67082.patch @@ -0,0 +1,44 @@ +Bug-Upstream: https://support.zabbix.com/browse/ZBX-12075 +From 089f0d90b3d94c577263e8bdfe08ce3f33f9e178 Mon Sep 17 00:00:00 2001 +Origin: upstream +Date: Wed, 5 Apr 2017 15:31:59 + +Subject: [DEV-567] added validation of discovered host IP addresses + +--- a/src/libs/zbxcommon/misc.c b/src/libs/zbxcommon/misc.c +@@ -1872,17 +1872,9 @@ + ** + **/ + int is_ip(const char *ip) + { +- zabbix_log(LOG_LEVEL_DEBUG, "In is_ip() ip:'%s'", ip); +- +- if (SUCCEED == is_ip4(ip)) +- return SUCCEED; +-#if defined(HAVE_IPV6) +- if (SUCCEED == is_ip6(ip)) +- return SUCCEED; +-#endif +- return FAIL; ++ return SUCCEED == is_ip4(ip) ? SUCCEED : is_ip6(ip); + } + + /** + ** +--- a/src/libs/zbxdbhigh/proxy.c b/src/libs/zbxdbhigh/proxy.c +@@ -2561,8 +2561,14 @@ + + if (FAIL == zbx_json_value_by_name(_row, ZBX_PROTO_TAG_IP, ip, sizeof(ip))) + goto json_parse_error; + ++ if (SUCCEED != is_ip(ip)) ++ { ++ zabbix_log(LOG_LEVEL_DEBUG, "\"%s\" is not a valid IP address", ip); ++ goto next; ++ } ++ + if (SUCCEED ==
Processed: retitle 864091 to unblock: ettercap/1:0.8.2-5
Processing commands for cont...@bugs.debian.org: > retitle 864091 unblock: ettercap/1:0.8.2-5 Bug #864091 [release.debian.org] unblock: ettercap/1:0.8.2-5 Ignoring request to change the title of bug#864091 to the same title > thanks Stopping processing here. Please contact me if you need assistance. -- 864091: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864091 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#864027: unblock: swift/2.10.2-1
Control: tag -1 wontfix Hi, On Sat, Jun 03, 2017 at 01:43:54PM +0200, Ondřej Nový wrote: > This is pre-approval. Please allow unblock of package swift/2.10.2-1 > > This is new upstream STABLE (minor version) release. This is only backports of > fixies from master. I removed 3 patches: > - Quarantine_malformed_database_schema_SQLite_errors.patch > - For_any_part_only_one_replica_can_move_in_a_rebalance.patch > - FTBFS_i386.patch > because it's applied upstream in this release. Let's defer this, I'm not comfortable with such changes this close to release. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Processed: Re: Bug#864027: unblock: swift/2.10.2-1
Processing control commands: > tag -1 wontfix Bug #864027 [release.debian.org] unblock: swift/2.10.2-1 (pre-approval) Added tag(s) wontfix. -- 864027: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864027 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#864048: Bug#861031: mate-desktop-environment: several minor updates to various MATE 1.16 components
HI Vlad, hi Niels, On So 04 Jun 2017 14:14:49 CEST, Vlad Orlov wrote: Hi, This is great, I see all the listed packages are now in Unstable, and all unblock requests are approved. The marco/1.16.1-1 unblock approval is still missing. Niels even lowered the migration delay to 2-3 days for these packages. Oh, did not notice that. Cool. Did not even know that this is possible. However, marco and mate-themes are left with 10 days... maybe contact Niels about these two? Doing so, by Cc: the marco unblock request and Niels personally. I also added a comment on mate-themes unblock just in case, even though it's done already. Saw that, thanks for seconding my decision to just dput mate-themes 3.22.11-1 without ACK from the RT. Thanks Niels, for letting it through, once more. Thanks to you and Niels for handling all the updates quickly :) Same from my side! Greets, Mike -- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby mobile: +49 (1520) 1976 148 landline: +49 (4354) 8390 139 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de pgpZs67qkFcf3.pgp Description: Digitale PGP-Signatur
Processed: Re: Bug#864088: unblock (pre-approval): sqlite3/3.6.12-4
Processing control commands: > tags -1 - moreinfo Bug #864088 [release.debian.org] unblock (pre-approval): sqlite3/3.6.12-4 Removed tag(s) moreinfo. -- 864088: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864088 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#864088: unblock (pre-approval): sqlite3/3.6.12-4
Control: tags -1 - moreinfo Hi On Sun, Jun 04, 2017 at 11:20:00AM +, Niels Thykier wrote: > Control: tags -1 confirmed moreinfo > > László Böszörményi (GCS): > > Package: release.debian.org > > User: release.debian@packages.debian.org > > Usertags: unblock > > > > Hi Release Team, > > > > I would like to upload a security related update for sqlite3. It contains: > > - Prevent a possible NULL pointer dereference in the OP_Found opcode > > that can follow an OOM error. Problem found by OSS-Fuzz[1], > > - Stack overflow while parsing deeply nested JSON[2], > > - JSON allows unescaped control characters in strings[3], > > - JSON extension accepts invalid numeric values[4]. > > > > Upstream tagged these as 'code defect' and severity 'severe'. The > > changes itself are small and the 3.19.2-1 version in experimental > > contains these fixes. > > > > Debdiff is attached. Thanks for consideration. > > > > Regards, > > Laszlo/GCS > > [1] http://www.sqlite.org/src/info/c2de178fe7e2e4e0 > > [2] https://www.sqlite.org/src/info/981329adeef51011052 > > [3] https://www.sqlite.org/src/info/6c9b5514077fed34551 > > [4] https://www.sqlite.org/src/info/b93be8729a895a528e2 > > > > Ack, please go ahead. Given the deadlines for migration, ideally this > upload is completed no later than Monday. Remvoing the moreinfo tag, since uploaded and built on all release architectures afaics. Regards, Salvatore
Processed: retitle 864091 to unblock: ettercap/1:0.8.2-5
Processing commands for cont...@bugs.debian.org: > retitle 864091 unblock: ettercap/1:0.8.2-5 Bug #864091 [release.debian.org] unblock ettercap/1:0.8.2-5 Changed Bug title to 'unblock: ettercap/1:0.8.2-5' from 'unblock ettercap/1:0.8.2-5'. > thanks Stopping processing here. Please contact me if you need assistance. -- 864091: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864091 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: retitle 864091 to unblock ettercap/1:0.8.2-5
Processing commands for cont...@bugs.debian.org: > retitle 864091 unblock ettercap/1:0.8.2-5 Bug #864091 [release.debian.org] unblock: ettercap (CVE) Changed Bug title to 'unblock ettercap/1:0.8.2-5' from 'unblock: ettercap (CVE)'. > thanks Stopping processing here. Please contact me if you need assistance. -- 864091: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864091 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#864152: unblock: msgpuck/1.0.3-1.1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Hi Please unblock package msgpuck It fixes CVE-2016-9036 (Invalid handling of map16 format in mp_check()), which is #849212. unblock msgpuck/1.0.3-1.1 Full debdiff against version in testing attached. Regards, Salvatore diff -Nru msgpuck-1.0.3/debian/changelog msgpuck-1.0.3/debian/changelog --- msgpuck-1.0.3/debian/changelog 2016-08-09 21:14:15.0 +0200 +++ msgpuck-1.0.3/debian/changelog 2017-06-04 12:49:08.0 +0200 @@ -1,3 +1,10 @@ +msgpuck (1.0.3-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * CVE-2016-9036 (Closes: #849212) + + -- Moritz MuehlenhoffSun, 04 Jun 2017 12:49:08 +0200 + msgpuck (1.0.3-1) unstable; urgency=medium * Fix GCC 6.0 and Doxygen warnings diff -Nru msgpuck-1.0.3/debian/patches/CVE-2016-9036.patch msgpuck-1.0.3/debian/patches/CVE-2016-9036.patch --- msgpuck-1.0.3/debian/patches/CVE-2016-9036.patch1970-01-01 01:00:00.0 +0100 +++ msgpuck-1.0.3/debian/patches/CVE-2016-9036.patch2017-06-04 12:49:05.0 +0200 @@ -0,0 +1,186 @@ +From d2c366e27eea4a5a24c6ec36ffcc4f4fd5b361ac Mon Sep 17 00:00:00 2001 +From: Roman Tsisyk +Date: Thu, 15 Dec 2016 19:28:23 +0300 +Subject: [PATCH] Fix handling of map16 format in mp_check() + +Fixes TALOS-2016-0254 +Fixes CVE-2016-9036 +Fixes #12 + +[adjusted for 1.0.3] +--- msgpuck-1.0.3.orig/msgpuck.h msgpuck-1.0.3/msgpuck.h +@@ -1940,7 +1940,7 @@ mp_check(const char **data, const char * + case MP_HINT_MAP_16: + /* MP_MAP (16) */ + if (mp_unlikely(*data + sizeof(uint16_t) > end)) +- return false; ++ return 1; + k += 2 * mp_load_u16(data); + break; + case MP_HINT_MAP_32: +--- msgpuck-1.0.3.orig/test/msgpuck.c msgpuck-1.0.3/test/msgpuck.c +@@ -771,9 +771,153 @@ test_mp_print() + return check_plan(); + } + ++int ++test_mp_check() ++{ ++ plan(65); ++ header(); ++ ++#define invalid(data, fmt, ...) ({ \ ++ const char *p = data; \ ++ isnt(mp_check(, p + sizeof(data) - 1), 0, fmt, ## __VA_ARGS__); \ ++}); ++ ++ /* fixmap */ ++ invalid("\x81", "invalid fixmap 1"); ++ invalid("\x81\x01", "invalid fixmap 2"); ++ invalid("\x8f\x01", "invalid fixmap 3"); ++ ++ /* fixarray */ ++ invalid("\x91", "invalid fixarray 1"); ++ invalid("\x92\x01", "invalid fixarray 2"); ++ invalid("\x9f\x01", "invalid fixarray 3"); ++ ++ /* fixstr */ ++ invalid("\xa1", "invalid fixstr 1"); ++ invalid("\xa2\x00", "invalid fixstr 2"); ++ invalid("\xbf\x00", "invalid fixstr 3"); ++ ++ /* bin8 */ ++ invalid("\xc4", "invalid bin8 1"); ++ invalid("\xc4\x01", "invalid bin8 2"); ++ ++ /* bin16 */ ++ invalid("\xc5", "invalid bin16 1"); ++ invalid("\xc5\x00\x01", "invalid bin16 2"); ++ ++ /* bin32 */ ++ invalid("\xc6", "invalid bin32 1"); ++ invalid("\xc6\x00\x00\x00\x01", "invalid bin32 2"); ++ ++ /* ext8 */ ++ invalid("\xc7", "invalid ext8 1"); ++ invalid("\xc7\x00", "invalid ext8 2"); ++ invalid("\xc7\x01\xff", "invalid ext8 3"); ++ invalid("\xc7\x02\xff\x00", "invalid ext8 4"); ++ ++ /* ext16 */ ++ invalid("\xc8", "invalid ext16 1"); ++ invalid("\xc8\x00\x00", "invalid ext16 2"); ++ invalid("\xc8\x00\x01\xff", "invalid ext16 3"); ++ invalid("\xc8\x00\x02\xff\x00", "invalid ext16 4"); ++ ++ /* ext32 */ ++ invalid("\xc9", "invalid ext32 1"); ++ invalid("\xc9\x00\x00\x00\x00", "invalid ext32 2"); ++ invalid("\xc9\x00\x00\x00\x01\xff", "invalid ext32 3"); ++ invalid("\xc9\x00\x00\x00\x02\xff\x00", "invalid ext32 4"); ++ ++ /* float32 */ ++ invalid("\xca", "invalid float32 1"); ++ invalid("\xca\x00\x00\x00", "invalid float32 2"); ++ ++ /* float64 */ ++ invalid("\xcb", "invalid float64 1"); ++ invalid("\xcb\x00\x00\x00\x00\x00\x00\x00", "invalid float64 2"); ++ ++ /* uint8 */ ++ invalid("\xcc", "invalid uint8 1"); ++ ++ /* uint16 */ ++ invalid("\xcd\x00", "invalid uint16 1"); ++ ++ /* uint32 */ ++ invalid("\xce\x00\x00\x00", "invalid uint32 1"); ++ ++ /* uint64 */ ++ invalid("\xcf\x00\x00\x00\x00\x00\x00\x00", "invalid uint64 1"); ++ ++ /* int8 */ ++ invalid("\xd0", "invalid int8 1"); ++ ++ /* int16 */ ++ invalid("\xd1\x00", "invalid int16 1"); ++ ++ /* int32 */ ++ invalid("\xd2\x00\x00\x00", "invalid int32 1"); ++ ++ /* int64 */ ++ invalid("\xd3\x00\x00\x00\x00\x00\x00\x00", "invalid int64 1"); ++ ++ /* fixext8 */ ++ invalid("\xd4", "invalid fixext8 1"); ++ invalid("\xd4\x05", "invalid fixext8 2"); ++ ++ /* fixext16 */ ++ invalid("\xd5", "invalid fixext16 1"); ++
Bug#863472: unblock: openssl/1.1.0f-1
On Sun, Jun 04, 2017 at 11:09:00AM +, Niels Thykier wrote: > Kurt Roeckx: > > [...] > >> > >> Maybe file this as an RC bug against openssl so that it isn't forgotten > >> about, but ignore it for r0? > > > > So I have prepared an update. Should I upload it? > > > > [...] > > > > > > Kurt > > > > Ack from here, so if KiBi is ok with it, then please go ahead. So I changed it this instead: dh_makeshlibs -a -V --add-udeb="libcrypto1.1-udeb" -Xengines the shlib files now looks like: libcrypto 1.1 libssl1.1 (>= 1.1.0f) libssl 1.1 libssl1.1 (>= 1.1.0f) udeb: libcrypto 1.1 libcrypto1.1-udeb (>= 1.1.0f) udeb: libssl 1.1 libssl1.1-udeb (>= 1.1.0f) Since we have symbol files, this does not affect non-udeb packages. Kurt
Bug#864065: unblock: mate-themes/3.22.11-1
Hi, Thanks for unblocking. This is really a good improvement over version 3.22.6. We (upstream devs) have been testing various themes from the package, and with each next version they definitely get better. :)
Re: Coordinating Debian Stretch & Tails 3.0 releases?
Hi, intrigeri: > Tails 3.0 will be released either on June 13 or on June 17. We've decided to release Tails 3.0 on June 13: we have to release _something_ on that day anyway (Firefox security update), so moving the Tails 3.0 release to June 17 would have added a substantial amount of work on our plate, and forced our users to upgrade twice in just a few days. > In any case, the Debian & Tails releases will be very close to each > other :) Still true! I hope this will benefit both projects from a communication/publicity point of view :) Cheers, -- intrigeri
Bug#864088: unblock (pre-approval): sqlite3/3.6.12-4
Control: tags -1 confirmed moreinfo László Böszörményi (GCS): > Package: release.debian.org > User: release.debian@packages.debian.org > Usertags: unblock > > Hi Release Team, > > I would like to upload a security related update for sqlite3. It contains: > - Prevent a possible NULL pointer dereference in the OP_Found opcode > that can follow an OOM error. Problem found by OSS-Fuzz[1], > - Stack overflow while parsing deeply nested JSON[2], > - JSON allows unescaped control characters in strings[3], > - JSON extension accepts invalid numeric values[4]. > > Upstream tagged these as 'code defect' and severity 'severe'. The > changes itself are small and the 3.19.2-1 version in experimental > contains these fixes. > > Debdiff is attached. Thanks for consideration. > > Regards, > Laszlo/GCS > [1] http://www.sqlite.org/src/info/c2de178fe7e2e4e0 > [2] https://www.sqlite.org/src/info/981329adeef51011052 > [3] https://www.sqlite.org/src/info/6c9b5514077fed34551 > [4] https://www.sqlite.org/src/info/b93be8729a895a528e2 > Ack, please go ahead. Given the deadlines for migration, ideally this upload is completed no later than Monday. Thanks, ~Niels
Processed: Re: Bug#864088: unblock (pre-approval): sqlite3/3.6.12-4
Processing control commands: > tags -1 confirmed moreinfo Bug #864088 [release.debian.org] unblock (pre-approval): sqlite3/3.6.12-4 Added tag(s) confirmed and moreinfo. -- 864088: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864088 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#863472: unblock: openssl/1.1.0f-1
Kurt Roeckx: > [...] >> >> Maybe file this as an RC bug against openssl so that it isn't forgotten >> about, but ignore it for r0? > > So I have prepared an update. Should I upload it? > > [...] > > > Kurt > Ack from here, so if KiBi is ok with it, then please go ahead. Thanks, ~Niels
Bug#863472: unblock: openssl/1.1.0f-1
On Sun, Jun 04, 2017 at 05:29:21AM +0200, Cyril Brulebois wrote: > Niels Thykier(2017-06-03): > > Kurt Roeckx: > > > Package: release.debian.org > > > User: release.debian@packages.debian.org > > > Usertags: unblock > > > Severity: normal > > > > > > Hi, > > > > > > I've uploaded a new upstream version of openssl that contains bug > > > fixes. The Debian changelog says: > > >* New upstream version > > > - Fix regression in req -x509 (Closes: #839575) > > > - Properly detect features on the AMD Ryzen processor > > >(Closes: #861145) > > > - Don't mention -tls1_3 in the manpage (Closes: #859191) > > >* Update libssl1.1.symbols for new symbols > > >* Update man-section.patch > > > > > > > > > Kurt > > > > > > > Hi, > > > > Fine by me. CC'ing KiBi for a d-i ack assuming he is ok with this > > last minute change. > > Erm. > > The libssl1.1-udeb package is broken, as it fails to depend on an > appropriate version of libcrypto1.1-udeb, which means I've just > successfully built a debian-installer against testing with this > addition: build/localudebs/libssl1.1-udeb_1.1.0f-1_amd64.udeb > and gotten a broken wget: > | wget: /usr/lib/libcrypto.so.1.1: version `OPENSSL_1_1_0f' not found > (required by /usr/lib/libssl.so.1.1) > > See the missing version here: > | $ dpkg --info build/localudebs/libssl1.1-udeb_1.1.0f-1_amd64.udeb|grep > Depends: > | Depends: libc6-udeb (>= 2.24), libcrypto1.1-udeb > > One could argue they're from the same source and that this isn't a > practical problem since they're going to migrate at the same time and be > used together in debian-installer, but further fun could come up when > other packages start depending on particular symbols (hello wget), so I > think I'd be nice to have this fixed. > > Maybe file this as an RC bug against openssl so that it isn't forgotten > about, but ignore it for r0? So I have prepared an update. Should I upload it? The source changes are: --- openssl-1.1.0f/debian/changelog 2017-05-25 18:29:01.0 +0200 +++ openssl-1.1.0f/debian/changelog 2017-06-04 12:07:38.0 +0200 @@ -1,3 +1,10 @@ +openssl (1.1.0f-2) unstable; urgency=medium + + * Make the udeb use a versioned depends (Closes: #864080) + * Conflict with libssl1.0-dev (Closes: #863367) + + -- Kurt Roeckx Sun, 04 Jun 2017 12:07:38 +0200 + openssl (1.1.0f-1) unstable; urgency=medium * New upstream version diff -Nru openssl-1.1.0f/debian/control openssl-1.1.0f/debian/control --- openssl-1.1.0f/debian/control 2017-01-26 23:19:08.0 +0100 +++ openssl-1.1.0f/debian/control 2017-06-04 12:07:33.0 +0200 @@ -72,6 +72,7 @@ Multi-Arch: same Recommends: libssl-doc Depends: libssl1.1 (= ${binary:Version}), ${misc:Depends} +Conflicts: libssl1.0-dev Description: Secure Sockets Layer toolkit - development files This package is part of the OpenSSL project's implementation of the SSL and TLS cryptographic protocols for secure communication over the diff -Nru openssl-1.1.0f/debian/rules openssl-1.1.0f/debian/rules --- openssl-1.1.0f/debian/rules 2017-05-25 18:17:29.0 +0200 +++ openssl-1.1.0f/debian/rules 2017-06-04 11:48:25.0 +0200 @@ -138,7 +138,7 @@ override_dh_makeshlibs: #dpkg-gensymbols -Pdebian/libssl1.1/ -plibssl1.1 -c4 - dh_makeshlibs -a --add-udeb="libcrypto1.1-udeb" -Xengines + dh_makeshlibs -a --add-udeb="libcrypto1.1-udeb (>= 1.1.0f)" -Xengines # XXX: This needs gets set perl:any by dh_perl which is correct, but # that breaks debootstrap in jessie (the current stable). This hack # could be removed once stretch is stable and contains a fixed It changes the shlibs file from: libcrypto 1.1 libssl1.1 libssl 1.1 libssl1.1 udeb: libcrypto 1.1 libcrypto1.1-udeb udeb: libssl 1.1 libssl1.1-udeb to: libcrypto 1.1 libssl1.1 libssl 1.1 libssl1.1 udeb: libcrypto 1.1 libcrypto1.1-udeb (>= 1.1.0f) udeb: libssl 1.1 libssl1.1-udeb (>= 1.1.0f) It results in the following debdiff change on the binaries: File lists identical (after any substitutions) Control files of package libcrypto1.1-udeb: lines which differ (wdiff format) - Version: [-1.1.0f-1-] {+1.1.0f-2+} Control files of package libssl-dev: lines which differ (wdiff format) -- {+Conflicts: libssl1.0-dev+} Depends: libssl1.1 (= [-1.1.0f-1)-] {+1.1.0f-2)+} Version: [-1.1.0f-1-] {+1.1.0f-2+} Control files of package libssl-doc: lines which differ (wdiff format) -- Version: [-1.1.0f-1-] {+1.1.0f-2+} Control files of package libssl1.1: lines which differ (wdiff format) - Version: [-1.1.0f-1-] {+1.1.0f-2+} Control files of package libssl1.1-dbgsym: lines which differ (wdiff
Bug#864091: unblock: ettercap (CVE)
Package: release.debian.org User: release.debian@packages.debian.org Usertags: unblock Hi Release Team Please unblock package ettercap, we fixed CVE 2017-8366 unblock ettercap/1:0.8.2-5 debdiff attached diff -Nru ettercap-0.8.2/debian/changelog ettercap-0.8.2/debian/changelog --- ettercap-0.8.2/debian/changelog 2017-03-07 21:28:07.0 +0100 +++ ettercap-0.8.2/debian/changelog 2017-06-04 09:27:11.0 +0200 @@ -1,3 +1,12 @@ +ettercap (1:0.8.2-5) unstable; urgency=high + + [ Alexander Koeppe ] + * debian/patches/803.patch: Fix buffer overflow/underflow +with bad filters (Closes: #861604). +CVE-2017-8366 + + -- Gianfranco CostamagnaSun, 04 Jun 2017 09:24:59 +0200 + ettercap (1:0.8.2-4) unstable; urgency=high * debian/patches/626dc56686f15f2dda13c48f78c2a666cb6d8506.patch: diff -Nru ettercap-0.8.2/debian/patches/803.patch ettercap-0.8.2/debian/patches/803.patch --- ettercap-0.8.2/debian/patches/803.patch 1970-01-01 01:00:00.0 +0100 +++ ettercap-0.8.2/debian/patches/803.patch 2017-06-04 09:25:14.0 +0200 @@ -0,0 +1,210 @@ +From d14d2558da14a33abf7baab28957488a75d16af1 Mon Sep 17 00:00:00 2001 +From: Alexander Koeppe +Date: Thu, 1 Jun 2017 08:56:23 +0200 +Subject: [PATCH 1/4] Add ASAN compiler flags in DEBUG build type + +--- + CMakeLists.txt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: ettercap-0.8.2/CMakeLists.txt +=== +--- ettercap-0.8.2.orig/CMakeLists.txt ettercap-0.8.2/CMakeLists.txt +@@ -125,7 +125,27 @@ + # library dir path in our RPATH. + set(CMAKE_INSTALL_RPATH_USE_LINK_PATH TRUE) + endif(NOT DISABLE_RPATH) ++ ++# set general build flags for debug build-type + set(CMAKE_C_FLAGS_DEBUG "-O0 -ggdb3 -DDEBUG -Wall -Wno-pointer-sign -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security -Wextra -Wredundant-decls" CACHE STRING "" FORCE) ++# append ASAN build flags if compiler version has support ++if ("${CMAKE_C_COMPILER_ID}" STREQUAL "GNU") ++ if (CMAKE_C_COMPILER_VERSION VERSION_GREATER 4.8) ++ set(CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -fsanitize=address -fno-omit-frame-pointer" CACHE STRING "" FORCE) ++ message("Building with ASAN support (GNU compiler)") ++ else (CMAKE_C_COMPILER_VERSION VERSION_GREATER 4.8) ++ message("Building without ASAN support (GNU compiler)") ++ endif (CMAKE_C_COMPILER_VERSION VERSION_GREATER 4.8) ++elseif ("${CMAKE_C_COMPILER_ID}" STREQUAL "Clang") ++ if (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1) ++ set(CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -fsanitize=address -fno-omit-frame-pointer" CACHE STRING "" FORCE) ++ message("Building with ASAN support (Clang compiler)") ++ elseif (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1) ++ message("Building without ASAN support (Clang compiler)") ++ endif (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1) ++endif ("${CMAKE_C_COMPILER_ID}" STREQUAL "GNU") ++ ++# set build flags for release build-type + set(CMAKE_C_FLAGS_RELEASE "-O2 -w -D_FORTIFY_SOURCE=2" CACHE STRING "" FORCE) + + if(OS_DARWIN) +Index: ettercap-0.8.2/include/ec_strings.h +=== +--- ettercap-0.8.2.orig/include/ec_strings.h ettercap-0.8.2/include/ec_strings.h +@@ -40,7 +40,7 @@ + + EC_API_EXTERN int match_pattern(const char *s, const char *pattern); + EC_API_EXTERN int base64_decode(char *bufplain, const char *bufcoded); +-EC_API_EXTERN int strescape(char *dst, char *src); ++EC_API_EXTERN int strescape(char *dst, char *src, size_t len); + EC_API_EXTERN int str_replace(char **text, const char *s, const char *d); + EC_API_EXTERN size_t strlen_utf8(const char *s); + EC_API_EXTERN char * ec_strtok(char *s, const char *delim, char **ptrptr); +Index: ettercap-0.8.2/src/ec_strings.c +=== +--- ettercap-0.8.2.orig/src/ec_strings.c ettercap-0.8.2/src/ec_strings.c +@@ -167,13 +167,14 @@ + /* + * convert the escaped string into a binary one + */ +-int strescape(char *dst, char *src) ++int strescape(char *dst, char *src, size_t len) + { +char *olddst = dst; ++ char *oldsrc = src; +int c; +int val; + +- while ((c = *src++) != '\0') { ++ while ((c = *src++) != '\0' && (size_t)(src - oldsrc) <= len) { + if (c == '\\') { + switch ((c = *src++)) { + case '\0': +@@ -218,9 +219,11 @@ + if (c >= '0' && c <= '7') + val = (val << 3) | (c - '0'); + else +- --src; ++ if (src > oldsrc) /* protect against buffer underflow */ ++--src; +} else +- --src; ++ if (src > oldsrc) /* protect against buffer underflow */ ++ --src; +*dst++
Bug#864092: unblock: llvm-toolchain-3.8
Package: release.debian.org User: release.debian@packages.debian.org Usertags: unblock Hi Release Team Please unblock package llvm-toolchain-3.8, we fixed the Julia build (bad arm64 generated code), and also fixed a sanitizer hang on newer kernels (it is an upstream patch, it might be incomplete, we tested and it worked, but it hanged again on one buildd) unblock llvm-toolchain-3.8/1:3.8.1-24 thanks G. diff -Nru llvm-toolchain-3.8-3.8.1/debian/changelog llvm-toolchain-3.8-3.8.1/debian/changelog --- llvm-toolchain-3.8-3.8.1/debian/changelog 2017-04-25 19:46:34.0 +0200 +++ llvm-toolchain-3.8-3.8.1/debian/changelog 2017-06-02 15:15:49.0 +0200 @@ -1,3 +1,14 @@ +llvm-toolchain-3.8 (1:3.8.1-24) unstable; urgency=medium + + * Team upload + * debian/patches/fix-R_AARCH64_MOVW_UABS_G3-relocation.patch: +fix relocation issue, preventing Julia from working correctly on +arm64 (Closes: #862360, #861484) + * debian/patches/asan-48bit-VMA-aarch64.patch: +- fix asan testsuite hang with some arm64 builders. + + -- Gianfranco CostamagnaFri, 02 Jun 2017 15:11:29 +0200 + llvm-toolchain-3.8 (1:3.8.1-23) unstable; urgency=medium * Oups, same player try again (wrong package name, sorry) diff -Nru llvm-toolchain-3.8-3.8.1/debian/patches/asan-48bit-VMA-aarch64.patch llvm-toolchain-3.8-3.8.1/debian/patches/asan-48bit-VMA-aarch64.patch --- llvm-toolchain-3.8-3.8.1/debian/patches/asan-48bit-VMA-aarch64.patch 1970-01-01 01:00:00.0 +0100 +++ llvm-toolchain-3.8-3.8.1/debian/patches/asan-48bit-VMA-aarch64.patch 2017-06-02 15:12:44.0 +0200 @@ -0,0 +1,16 @@ +Description: [asan] Enable 48-bit VMA support on aarch64 +Origin: upstream, https://reviews.llvm.org/D22095?id=63084 +Bug-Debian: https://bugs.debian.org/862360 +Author: Adhemerval Zanella +Last-Update: 2016-07-07 +--- a/compiler-rt/lib/sanitizer_common/sanitizer_platform.h b/compiler-rt/lib/sanitizer_common/sanitizer_platform.h +@@ -114,6 +114,8 @@ + // will still work but will consume more memory for TwoLevelByteMap. + #if defined(__mips__) + # define SANITIZER_MMAP_RANGE_SIZE FIRST_32_SECOND_64(1ULL << 32, 1ULL << 40) ++#elif defined(__aarch64__) ++# define SANITIZER_MMAP_RANGE_SIZE FIRST_32_SECOND_64(1ULL << 32, 1ULL << 48) + #else + # define SANITIZER_MMAP_RANGE_SIZE FIRST_32_SECOND_64(1ULL << 32, 1ULL << 47) + #endif diff -Nru llvm-toolchain-3.8-3.8.1/debian/patches/fix-R_AARCH64_MOVW_UABS_G3-relocation.patch llvm-toolchain-3.8-3.8.1/debian/patches/fix-R_AARCH64_MOVW_UABS_G3-relocation.patch --- llvm-toolchain-3.8-3.8.1/debian/patches/fix-R_AARCH64_MOVW_UABS_G3-relocation.patch 1970-01-01 01:00:00.0 +0100 +++ llvm-toolchain-3.8-3.8.1/debian/patches/fix-R_AARCH64_MOVW_UABS_G3-relocation.patch 2017-06-02 15:14:37.0 +0200 @@ -0,0 +1,16 @@ +Description: Fix R_AARCH64_MOVW_UABS_G3 relocation +Origin: upstream, https://reviews.llvm.org/D27609?id=80860 +Bug-Debian: https://bugs.debian.org/862360 +Author: Yichao Yu +Last-Update: 2016-12-15 +--- a/lib/ExecutionEngine/RuntimeDyld/RuntimeDyldELF.cpp b/lib/ExecutionEngine/RuntimeDyld/RuntimeDyldELF.cpp +@@ -357,7 +357,7 @@ + // bits affected by the relocation on entry is garbage. + *TargetPtr &= 0xffe0001fU; + // Immediate goes in bits 20:5 of MOVZ/MOVK instruction +-*TargetPtr |= Result >> (48 - 5); ++*TargetPtr |= (Result & 0xULL) >> (48 - 5); + // Shift must be "lsl #48", in bits 22:21 + assert((*TargetPtr >> 21 & 0x3) == 3 && "invalid shift for relocation"); + break; diff -Nru llvm-toolchain-3.8-3.8.1/debian/patches/series llvm-toolchain-3.8-3.8.1/debian/patches/series --- llvm-toolchain-3.8-3.8.1/debian/patches/series 2017-03-19 22:10:46.0 +0100 +++ llvm-toolchain-3.8-3.8.1/debian/patches/series 2017-06-02 15:11:44.0 +0200 @@ -57,3 +57,5 @@ lldb-server-path.diff lldb-server-link.diff add_symbols_versioning.patch +fix-R_AARCH64_MOVW_UABS_G3-relocation.patch +asan-48bit-VMA-aarch64.patch signature.asc Description: OpenPGP digital signature
Bug#864088: unblock (pre-approval): sqlite3/3.6.12-4
Package: release.debian.org User: release.debian@packages.debian.org Usertags: unblock Hi Release Team, I would like to upload a security related update for sqlite3. It contains: - Prevent a possible NULL pointer dereference in the OP_Found opcode that can follow an OOM error. Problem found by OSS-Fuzz[1], - Stack overflow while parsing deeply nested JSON[2], - JSON allows unescaped control characters in strings[3], - JSON extension accepts invalid numeric values[4]. Upstream tagged these as 'code defect' and severity 'severe'. The changes itself are small and the 3.19.2-1 version in experimental contains these fixes. Debdiff is attached. Thanks for consideration. Regards, Laszlo/GCS [1] http://www.sqlite.org/src/info/c2de178fe7e2e4e0 [2] https://www.sqlite.org/src/info/981329adeef51011052 [3] https://www.sqlite.org/src/info/6c9b5514077fed34551 [4] https://www.sqlite.org/src/info/b93be8729a895a528e2 diff -Nru sqlite3-3.16.2/debian/changelog sqlite3-3.16.2/debian/changelog --- sqlite3-3.16.2/debian/changelog 2017-02-13 17:31:26.0 + +++ sqlite3-3.16.2/debian/changelog 2017-06-04 07:58:54.0 + @@ -1,3 +1,13 @@ +sqlite3 (3.16.2-4) unstable; urgency=high + + * Backport fix for a possible NULL pointer dereference in the OP_Found +opcode that can follow an OOM error. + * Backport fix for stack overflow while parsing deeply nested JSON. + * Backport fix for JSON allows unescaped control characters in strings. + * Backport fix for JSON extension accepts invalid numeric values. + + -- Laszlo Boszormenyi (GCS)Sun, 04 Jun 2017 07:58:54 + + sqlite3 (3.16.2-3) unstable; urgency=medium * Backport upstream fix to ensure that sqlite3_blob_reopen() correctly diff -Nru sqlite3-3.16.2/debian/patches/36-OSS-Fuzz.patch sqlite3-3.16.2/debian/patches/36-OSS-Fuzz.patch --- sqlite3-3.16.2/debian/patches/36-OSS-Fuzz.patch 1970-01-01 00:00:00.0 + +++ sqlite3-3.16.2/debian/patches/36-OSS-Fuzz.patch 2017-06-04 07:58:54.0 + @@ -0,0 +1,24 @@ +Index: sqlite3/src/vdbe.c +== +--- sqlite3/src/vdbe.c sqlite3/src/vdbe.c +@@ -4017,14 +4017,16 @@ + } + #endif + pIdxKey = + pFree = 0; + }else{ ++assert( pIn3->flags & MEM_Blob ); ++rc = ExpandBlob(pIn3); ++assert( rc==SQLITE_OK || rc==SQLITE_NOMEM ); ++if( rc ) goto no_mem; + pFree = pIdxKey = sqlite3VdbeAllocUnpackedRecord(pC->pKeyInfo); + if( pIdxKey==0 ) goto no_mem; +-assert( pIn3->flags & MEM_Blob ); +-(void)ExpandBlob(pIn3); + sqlite3VdbeRecordUnpack(pC->pKeyInfo, pIn3->n, pIn3->z, pIdxKey); + } + pIdxKey->default_rc = 0; + takeJump = 0; + if( pOp->opcode==OP_NoConflict ){ + diff -Nru sqlite3-3.16.2/debian/patches/40-JSON-1.patch sqlite3-3.16.2/debian/patches/40-JSON-1.patch --- sqlite3-3.16.2/debian/patches/40-JSON-1.patch 1970-01-01 00:00:00.0 + +++ sqlite3-3.16.2/debian/patches/40-JSON-1.patch 2017-06-04 07:58:54.0 + @@ -0,0 +1,205 @@ +Index: sqlite3/ext/misc/json1.c +== +--- sqlite3/ext/misc/json1.c sqlite3/ext/misc/json1.c +@@ -726,17 +726,18 @@ + char c; + u32 j; + int iThis; + int x; + JsonNode *pNode; +- while( safe_isspace(pParse->zJson[i]) ){ i++; } +- if( (c = pParse->zJson[i])=='{' ){ ++ const char *z = pParse->zJson; ++ while( safe_isspace(z[i]) ){ i++; } ++ if( (c = z[i])=='{' ){ + /* Parse object */ + iThis = jsonParseAddNode(pParse, JSON_OBJECT, 0, 0); + if( iThis<0 ) return -1; + for(j=i+1;;j++){ +- while( safe_isspace(pParse->zJson[j]) ){ j++; } ++ while( safe_isspace(z[j]) ){ j++; } + x = jsonParseValue(pParse, j); + if( x<0 ){ + if( x==(-2) && pParse->nNode==(u32)iThis+1 ) return j+1; + return -1; + } +@@ -743,18 +744,18 @@ + if( pParse->oom ) return -1; + pNode = >aNode[pParse->nNode-1]; + if( pNode->eType!=JSON_STRING ) return -1; + pNode->jnFlags |= JNODE_LABEL; + j = x; +- while( safe_isspace(pParse->zJson[j]) ){ j++; } +- if( pParse->zJson[j]!=':' ) return -1; ++ while( safe_isspace(z[j]) ){ j++; } ++ if( z[j]!=':' ) return -1; + j++; + x = jsonParseValue(pParse, j); + if( x<0 ) return -1; + j = x; +- while( safe_isspace(pParse->zJson[j]) ){ j++; } +- c = pParse->zJson[j]; ++ while( safe_isspace(z[j]) ){ j++; } ++ c = z[j]; + if( c==',' ) continue; + if( c!='}' ) return -1; + break; + } + pParse->aNode[iThis].n = pParse->nNode - (u32)iThis - 1; +@@ -762,19 +763,19 @@ + }else if( c=='[' ){ + /* Parse array */ + iThis = jsonParseAddNode(pParse, JSON_ARRAY, 0, 0); + if( iThis<0 ) return -1; + for(j=i+1;;j++){ +- while( safe_isspace(pParse->zJson[j]) ){ j++; } ++ while( safe_isspace(z[j]) ){ j++; } + x = jsonParseValue(pParse, j); +
Bug#864085: unblock: dnsmasq/2.76-5
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package dnsmasq The dnsmasq package in testing has a serious problem when dns-root-data is installed, due to changes in the format of the dns-root-data files. The effect is to render dnsmasq unusable. There are several serious bugs filed to this effect, but they should really be release-critical, eg 863896 There are also several bugs in the DNSSEC validation code, which are fixed upstream, and really should be in stretch. Therefore, if we can get dnsmasq-2.77-1, currently in unstable, into Stretch, that would be a Good Thing. If not, it will need a point release. Apologies for the short notice. unblock dnsmasq/2.76-5 -- System Information: Debian Release: stretch/sid APT prefers xenial-updates APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial'), (100, 'xenial-backports') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.4.0-78-generic (SMP w/2 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
Bug#864084: unblock: zabbix/1:3.0.7+dfsg-3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Affects: -1 zabbix X-Debbugs-CC: j...@debian.org Please unblock zabbix/1:3.0.7+dfsg-3 I would like to accommodate two attached diffs to Stretch please. One fixes defunctional UI (broken by incompatible libjs-jquery) and another fixes two security vulnerabilities as per #863584. Thanks. -- All the best, Dmitry Smirnov. signature.asc Description: This is a digitally signed message part. diff --git a/debian/changelog b/debian/changelog index d570c6d..755bc59 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +zabbix (1:3.0.7+dfsg-2) unstable; urgency=medium + + * Frontend-PHP: switch to private jQuery (Closes: #857287). + + -- Dmitry SmirnovSun, 21 May 2017 13:56:56 +1000 + zabbix (1:3.0.7+dfsg-1) unstable; urgency=medium * New upstream release [December 2016]. diff --git a/debian/control b/debian/control index d989f84..c0f275f 100644 --- a/debian/control +++ b/debian/control @@ -21,7 +21,7 @@ Build-Depends: debhelper (>= 9), automake, dh-autoreconf, dh-systemd (>= 1.5), d ## dh-linktree: ,libjs-prototype ,libjs-jquery-ui (>= 1.10.1) -,libjs-jquery (>= 1.10.1) +# ,libjs-jquery (>= 1.10.1) ## java-gateway deps: ,javahelper Build-Depends-Indep: default-jdk diff --git a/debian/zabbix-frontend-php.linktrees b/debian/zabbix-frontend-php.linktrees index 7308d0c..9dc6cc8 100644 --- a/debian/zabbix-frontend-php.linktrees +++ b/debian/zabbix-frontend-php.linktrees @@ -4,5 +4,5 @@ replace /usr/share/javascript/prototype/prototype.js /usr/share/zabbix/js/vend ## libjs-jquery-ui (1.10.1 vs 1.10.3) replace /usr/share/javascript/jquery-ui/jquery-ui.js /usr/share/zabbix/js/vendors/jquery-ui.js -## libjs-jquery (1.11.3 vs 1.10.2) -replace /usr/share/javascript/jquery/jquery.js /usr/share/zabbix/js/vendors/jquery.js +## libjs-jquery (3.1.1 vs 1.10.2) +#replace /usr/share/javascript/jquery/jquery.js /usr/share/zabbix/js/vendors/jquery.js diff --git a/debian/changelog b/debian/changelog index 755bc59..d1c4c64 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +zabbix (1:3.0.7+dfsg-3) unstable; urgency=high + + * CVE-2017-2824, CVE-2017-2825: new upstream patches +"ZBX-12075_r67082.patch", "ZBX-12075_r67270.patch" (Closes: #863584). + + -- Dmitry Smirnov Sun, 04 Jun 2017 17:14:06 +1000 + zabbix (1:3.0.7+dfsg-2) unstable; urgency=medium * Frontend-PHP: switch to private jQuery (Closes: #857287). diff --git a/debian/patches/ZBX-12075_r67082.patch b/debian/patches/ZBX-12075_r67082.patch new file mode 100644 index 000..59bf622 --- /dev/null +++ b/debian/patches/ZBX-12075_r67082.patch @@ -0,0 +1,44 @@ +Bug-Upstream: https://support.zabbix.com/browse/ZBX-12075 +From 089f0d90b3d94c577263e8bdfe08ce3f33f9e178 Mon Sep 17 00:00:00 2001 +Origin: upstream +Date: Wed, 5 Apr 2017 15:31:59 + +Subject: [DEV-567] added validation of discovered host IP addresses + +--- a/src/libs/zbxcommon/misc.c b/src/libs/zbxcommon/misc.c +@@ -1872,17 +1872,9 @@ + ** + **/ + int is_ip(const char *ip) + { +- zabbix_log(LOG_LEVEL_DEBUG, "In is_ip() ip:'%s'", ip); +- +- if (SUCCEED == is_ip4(ip)) +- return SUCCEED; +-#if defined(HAVE_IPV6) +- if (SUCCEED == is_ip6(ip)) +- return SUCCEED; +-#endif +- return FAIL; ++ return SUCCEED == is_ip4(ip) ? SUCCEED : is_ip6(ip); + } + + /** + ** +--- a/src/libs/zbxdbhigh/proxy.c b/src/libs/zbxdbhigh/proxy.c +@@ -2561,8 +2561,14 @@ + + if (FAIL == zbx_json_value_by_name(_row, ZBX_PROTO_TAG_IP, ip, sizeof(ip))) + goto json_parse_error; + ++ if (SUCCEED != is_ip(ip)) ++ { ++ zabbix_log(LOG_LEVEL_DEBUG, "\"%s\" is not a valid IP address", ip); ++ goto next; ++ } ++ + if (SUCCEED == zbx_json_value_by_name(_row, ZBX_PROTO_TAG_PORT, tmp, sizeof(tmp))) + port = atoi(tmp); + + zbx_json_value_by_name(_row, ZBX_PROTO_TAG_KEY, key_, sizeof(key_)); diff --git a/debian/patches/ZBX-12075_r67270.patch b/debian/patches/ZBX-12075_r67270.patch new file mode 100644 index 000..10a403c --- /dev/null +++ b/debian/patches/ZBX-12075_r67270.patch @@ -0,0 +1,93 @@ +Bug-Upstream: https://support.zabbix.com/browse/ZBX-12075 +From 17a159950db846a1c6365027c647b25a4bb02b94 Mon Sep 17 00:00:00 2001 +Origin: upstream +Date: Wed, 12 Apr 2017 06:17:40 + +Subject: [DEV-567] resurrected old IP check function to check SourceIP config file parameter taking into account IPv6 support enabled/disabled at compile time + +--- a/include/common.h b/include/common.h +@@ -981,8 +981,9 @@ + #ifdef HAVE_IPV6 + int is_ip6(const char *ip); + #endif + int is_ip4(const char
Bug#864083: unblock: libgcrypt20/1.7.6-2
Control: tags -1 confirmed d-i Andreas Metzler: > Package: release.debian.org > Severity: normal > User: release.debian@packages.debian.org > Usertags: unblock > > Please unblock package libgcrypt20, the upload features the following > changes: > * Refresh debian/upstream/signing-key.asc, key-expiry-dates bumped. > * Pull two fixes from gcrypt 1.7.7 bugfix release: > + 30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch > Fix possible timing attack on EdDSA session key. > + 30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch > Fix long standing bug in secure memory implementation which could lead > to a segv on free. > > unblock libgcrypt20/1.7.6-2 > > Thanks, cu Andreas > Ack from here, CC'ing KiBi for a d-i ack - assuming there is still time. Worst case, we will have to defer it to 9.1. Thanks, ~Niels
Processed: Re: Bug#864083: unblock: libgcrypt20/1.7.6-2
Processing control commands: > tags -1 confirmed d-i Bug #864083 [release.debian.org] unblock: libgcrypt20/1.7.6-2 Added tag(s) confirmed and d-i. -- 864083: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864083 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#864083: unblock: libgcrypt20/1.7.6-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package libgcrypt20, the upload features the following changes: * Refresh debian/upstream/signing-key.asc, key-expiry-dates bumped. * Pull two fixes from gcrypt 1.7.7 bugfix release: + 30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch Fix possible timing attack on EdDSA session key. + 30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch Fix long standing bug in secure memory implementation which could lead to a segv on free. unblock libgcrypt20/1.7.6-2 Thanks, cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' diff -Nru libgcrypt20-1.7.6/debian/changelog libgcrypt20-1.7.6/debian/changelog --- libgcrypt20-1.7.6/debian/changelog 2017-01-26 11:58:32.0 +0100 +++ libgcrypt20-1.7.6/debian/changelog 2017-06-03 10:58:36.0 +0200 @@ -1,3 +1,15 @@ +libgcrypt20 (1.7.6-2) unstable; urgency=high + + * Refresh debian/upstream/signing-key.asc, key-expiry-dates bumped. + * Pull two fixes from gcrypt 1.7.7 bugfix release: ++ 30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch + Fix possible timing attack on EdDSA session key. ++ 30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch + Fix long standing bug in secure memory implementation which could lead + to a segv on free. + + -- Andreas MetzlerSat, 03 Jun 2017 10:58:36 +0200 + libgcrypt20 (1.7.6-1) unstable; urgency=medium * New upstream version, includes diff -Nru libgcrypt20-1.7.6/debian/patches/30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch libgcrypt20-1.7.6/debian/patches/30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch --- libgcrypt20-1.7.6/debian/patches/30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch 1970-01-01 01:00:00.0 +0100 +++ libgcrypt20-1.7.6/debian/patches/30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch 2017-06-03 10:53:37.0 +0200 @@ -0,0 +1,35 @@ +From f9494b3f258e01b6af8bd3941ce436bcc00afc56 Mon Sep 17 00:00:00 2001 +From: Jo Van Bulck +Date: Thu, 19 Jan 2017 17:00:15 +0100 +Subject: [PATCH 1/2] ecc: Store EdDSA session key in secure memory. + +* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): use mpi_snew to allocate +session key. +-- + +An attacker who learns the EdDSA session key from side-channel +observation during the signing process, can easily revover the long- +term secret key. Storing the session key in secure memory ensures that +constant time point operations are used in the MPI library. + +Signed-off-by: Jo Van Bulck +--- + cipher/ecc-eddsa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/cipher/ecc-eddsa.c b/cipher/ecc-eddsa.c +index f91f8489..813e030d 100644 +--- a/cipher/ecc-eddsa.c b/cipher/ecc-eddsa.c +@@ -603,7 +603,7 @@ _gcry_ecc_eddsa_sign (gcry_mpi_t input, ECC_secret_key *skey, + a = mpi_snew (0); + x = mpi_new (0); + y = mpi_new (0); +- r = mpi_new (0); ++ r = mpi_snew (0); + ctx = _gcry_mpi_ec_p_internal_new (skey->E.model, skey->E.dialect, 0, + skey->E.p, skey->E.a, skey->E.b); + b = (ctx->nbits+7)/8; +-- +2.11.0 + diff -Nru libgcrypt20-1.7.6/debian/patches/30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch libgcrypt20-1.7.6/debian/patches/30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch --- libgcrypt20-1.7.6/debian/patches/30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch 1970-01-01 01:00:00.0 +0100 +++ libgcrypt20-1.7.6/debian/patches/30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch 2017-06-03 10:53:37.0 +0200 @@ -0,0 +1,69 @@ +From 91456759b887e153c4d4ce19538d478df260cab2 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka +Date: Fri, 2 Jun 2017 10:34:42 +0900 +Subject: [PATCH 2/2] secmem: Fix SEGV and stat calculation. + +* src/secmem (init_pool): Care about the header size. +(_gcry_secmem_malloc_internal): Likewise. +(_gcry_secmem_malloc_internal): Use mb->size for stats. + +-- + +GnuPG-bug-id: 3027 +Signed-off-by: NIIBE Yutaka +--- + src/secmem.c | 10 +- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/secmem.c b/src/secmem.c +index 46bbf82e..b2a9667d 100644 +--- a/src/secmem.c b/src/secmem.c +@@ -454,7 +454,7 @@ init_pool (pooldesc_t *pool, size_t n) + + /* Initialize first memory block. */ + mb = (memblock_t *) pool->mem; +- mb->size = pool->size; ++ mb->size = pool->size - BLOCK_HEAD_SIZE; + mb->flags = 0; + } + +@@ -610,7 +610,7 @@ _gcry_secmem_malloc_internal (size_t size, int xhint) + mb = mb_get_new (pool, (memblock_t *) pool->mem, size); + if (mb) + { +- stats_update (pool, size, 0); ++ stats_update (pool, mb->size, 0); +
Bug#864067: marked as done (unblock: plasma-workspace/5.8.6-2.1)
Your message dated Sun, 04 Jun 2017 07:15:00 + with message-idand subject line Re: Bug#864067: unblock: plasma-workspace/5.8.6-2.1 has caused the Debian Bug report #864067, regarding unblock: plasma-workspace/5.8.6-2.1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 864067: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864067 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Hi, I want to upload a NMU of plasma-workspace to unstable fixing an issue where processing stopped in ksplashqml on some environments(e.g. Japanese environment), proposed patch attached. unblock plasma-workspace/5.8.6-2.1. -- System Information: Debian Release: 9.0 APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: armhf, armel, sh4, powerpc Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=ja_JP.utf8, LC_CTYPE=ja_JP.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru plasma-workspace-5.8.6/debian/changelog plasma-workspace-5.8.6/debian/changelog --- plasma-workspace-5.8.6/debian/changelog 2017-03-16 03:45:10.0 +0900 +++ plasma-workspace-5.8.6/debian/changelog 2017-06-02 22:17:22.0 +0900 @@ -1,3 +1,12 @@ +plasma-workspace (4:5.8.6-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix problem where processing stopped in ksplashqml on some environments. +(Closes: #862558) +Add patches/replace-fds.patch. + + -- Nobuhiro Iwamatsu Fri, 02 Jun 2017 22:17:22 +0900 + plasma-workspace (4:5.8.6-2) unstable; urgency=medium * Release to unstable diff -Nru plasma-workspace-5.8.6/debian/patches/replace-fds.patch plasma-workspace-5.8.6/debian/patches/replace-fds.patch --- plasma-workspace-5.8.6/debian/patches/replace-fds.patch 1970-01-01 09:00:00.0 +0900 +++ plasma-workspace-5.8.6/debian/patches/replace-fds.patch 2017-06-02 22:17:22.0 +0900 @@ -0,0 +1,122 @@ +Description: Not close stdin,stdout,stderr, and redirects stdin,stdout,stderr to /dev/null + This fix a bug in ksplashqml. An upstream commit + https://cgit.kde.org/plasma-workspace.git/commit/?id=56d2c15b9acb9c4b57398b281685807c3191f622 + has caused this problem. + + x-session-manag,133,kdetest /usr/bin/x-session-manager + +-(ksplashqml,232) + +-ssh-agent,191 /usr/bin/im-launch x-session-manager + +-uim-toolbar,220 + | +-{llvmpipe-0},235 + | +-{llvmpipe-1},236 + | +-{llvmpipe-2},237 + | `-{llvmpipe-3},238 + `-uim-xim,219 + ksplashqml,233,kdetest Breeze --pid + +-mozc_server,239 + | +-{IPCServer},244 + | +-{QueueTimer},240 + | +-{QueueTimer},243 + | `-{WatchDog},242 + +-uim-candwin-qt5,245 -v + | +-{QDBusConnection},249 + | `-{QXcbEventReader},248 + |-{QDBusConnection},255 + |-{QQmlThread},254 + |-{QXcbEventReader},234 + |-{llvmpipe-0},250 + |-{llvmpipe-1},251 + |-{llvmpipe-2},252 + `-{llvmpipe-3},253 + + # strace -f -p 133 + strace: Process 133 attached + read(3, ^Cstrace: Process 133 detached + + + It looks like the parent process (133), x-session-manager (startkde + script), is waiting for the stdout of the ksplashqml process (232), + but which is now defunct. Its child process(es) may be writing to the + same fd. + + # ls -l /proc/133/fd/3 + lr-x-- 1 kdetest kdetest 64 May 31 05:13 /proc/133/fd/3 -> pipe:[88694] + + The direct child of the ksplashqml process (233), the splash screen daemon, + closes the file descriptor at ksplash/ksplashqml/main.cpp:97. + + # ls -l /proc/233/fd/1 + ls: cannot access '/proc/233/fd/1': No such file or directory + + One of the children of the process (239), mozc_server, is holding the fd: + + # ls -l /proc/239/fd/1 + l-wx-- 1 kdetest kdetest 64 May 31 05:14 /proc/239/fd/1 -> pipe:[88694] + + So the startkde process has finished reading the pid number string from + the now-defunct process, but is still waiting for another write(s) until + the (shared) fd has been closed. + + This mozc_server process has been started during uim-qt5 + (a QPlatformInputContext) startup in the SplashApp + initialization phase at ksplash/ksplashqml/main.cpp:92. + + Due to the upstream commit the splash screen daemon does not close file + descriptors before the SplashApp initialization, thus its subprocess + shares the fds. + + The commit log states Wayland
Bug#864067: unblock: plasma-workspace/5.8.6-2.1
Hi, 2017-06-04 15:00 GMT+09:00 Niels Thykier: > Control: tags -1 confirmed moreinfo > > Nobuhiro Iwamatsu: >> Package: release.debian.org >> Severity: normal >> User: release.debian@packages.debian.org >> Usertags: unblock >> >> Hi, >> >> I want to upload a NMU of plasma-workspace to unstable fixing an issue >> where processing stopped in ksplashqml on some environments(e.g. Japanese >> environment), proposed patch attached. >> >> unblock plasma-workspace/5.8.6-2.1. >> >> [...] >> > > Ack, please go head. Please do the upload today or tomorrow (with at > most 1-day in the delay queue, but preferably without delay) as the > deadline for migration is Friday. Thanks! I just uploaded. > > Thanks, > ~Niels > > Best regards, Nobuhiro -- Nobuhiro Iwamatsu iwamatsu at {nigauri.org / debian.org} GPG ID: 40AD1FA6
Bug#864049: marked as done (unblock: mate-desktop/1.16.2-2)
Your message dated Sun, 04 Jun 2017 06:07:00 + with message-idand subject line Re: Bug#864049: unblock: mate-desktop/1.16.2-2 has caused the Debian Bug report #864049, regarding unblock: mate-desktop/1.16.2-2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 864049: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864049 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please consider unblocking a minor follow-up fix for package mate-desktop The DH call until mate-desktop 1.16.2-1 has been missing the "--with gir" option. The proposed next upload of mate-desktop will fix that. A .debdiff has been attached. unblock mate-desktop/1.16.2-2 -- System Information: Debian Release: 9.0 APT prefers testing APT policy: (990, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru mate-desktop-1.16.2/debian/changelog mate-desktop-1.16.2/debian/changelog --- mate-desktop-1.16.2/debian/changelog2017-04-28 22:28:53.0 +0200 +++ mate-desktop-1.16.2/debian/changelog2017-06-03 16:14:34.0 +0200 @@ -1,3 +1,11 @@ +mate-desktop (1.16.2-2) unstable; urgency=medium + + * debian/rules: ++ Add --with gir to DH options. Fixes missing dependencies in + gir1.2-mate-desktop. (Closes: #862172). + + -- Mike Gabriel Sat, 03 Jun 2017 16:14:34 +0200 + mate-desktop (1.16.2-1) unstable; urgency=medium * New upstream release. diff -Nru mate-desktop-1.16.2/debian/rules mate-desktop-1.16.2/debian/rules --- mate-desktop-1.16.2/debian/rules2016-09-30 09:46:02.0 +0200 +++ mate-desktop-1.16.2/debian/rules2017-06-03 16:12:32.0 +0200 @@ -7,7 +7,7 @@ include /usr/share/dpkg/buildflags.mk %: - dh $@ $(DHFLAGS) --with python2 + dh $@ $(DHFLAGS) --with gir,python2 override_dh_install: rm -f debian/tmp/usr/lib/*/*.la --- End Message --- --- Begin Message --- Mike Gabriel: > [...] > > Ah... not uploaded by me so far. Right. Dang. Just did so. Should appear > in unstable soon. > > Mike Unblocked, thanks, ~Niels--- End Message ---
Bug#864068: marked as done (unblock: debian-edu-doc/1.921~20170603)
Your message dated Sun, 04 Jun 2017 06:02:00 + with message-id <44228efe-0025-21fa-6bce-23a464213...@thykier.net> and subject line Re: Bug#864068: unblock: debian-edu-doc/1.921~20170603 has caused the Debian Bug report #864068, regarding unblock: debian-edu-doc/1.921~20170603 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 864068: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864068 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package debian-edu-doc, it just contains documentation and translation updates (matching the change in debian-edu-install/1.916, among others). $ debdiff debian-edu-doc_1.920~20170528.dsc debian-edu-doc_1.921~20170603.dsc|diffstat debian/changelog | 18 documentation/debian-edu-jessie/debian-edu-jessie-manual.nb.po | 36 - documentation/debian-edu-stretch/debian-edu-stretch-manual.da.po | 58 - documentation/debian-edu-stretch/debian-edu-stretch-manual.de.po | 59 - documentation/debian-edu-stretch/debian-edu-stretch-manual.es.po | 57 - documentation/debian-edu-stretch/debian-edu-stretch-manual.fr.po | 77 -- documentation/debian-edu-stretch/debian-edu-stretch-manual.it.po | 116 +-- documentation/debian-edu-stretch/debian-edu-stretch-manual.ja.po | 70 +- documentation/debian-edu-stretch/debian-edu-stretch-manual.nb.po | 305 -- documentation/debian-edu-stretch/debian-edu-stretch-manual.nl.po | 106 +-- documentation/debian-edu-stretch/debian-edu-stretch-manual.pl.po | 26 documentation/debian-edu-stretch/debian-edu-stretch-manual.pot | 26 documentation/debian-edu-stretch/debian-edu-stretch-manual.xml | 12 documentation/debian-edu-stretch/debian-edu-stretch-manual.zh.po | 38 - documentation/rosegarden/rosegarden-manual.nb.po | 60 - 15 files changed, 459 insertions(+), 605 deletions(-) I've also attached this diff. unblock debian-edu-doc/1.921~20170603 Thanks for your work on Stretch! -- cheers, Holger debian-edu-doc_1.921~20170603.diff.gz Description: application/gzip signature.asc Description: Digital signature --- End Message --- --- Begin Message --- Holger Levsen: > Package: release.debian.org > Severity: normal > User: release.debian@packages.debian.org > Usertags: unblock > > Please unblock package debian-edu-doc, it just contains documentation and > translation updates (matching the change in debian-edu-install/1.916, among > others). > > [...] > > I've also attached this diff. > > unblock debian-edu-doc/1.921~20170603 > > > Thanks for your work on Stretch! > Unblocked, thanks. ~Niels--- End Message ---
Processed: Re: Bug#864067: unblock: plasma-workspace/5.8.6-2.1
Processing control commands: > tags -1 confirmed moreinfo Bug #864067 [release.debian.org] unblock: plasma-workspace/5.8.6-2.1 Added tag(s) confirmed and moreinfo. -- 864067: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864067 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#864067: unblock: plasma-workspace/5.8.6-2.1
Control: tags -1 confirmed moreinfo Nobuhiro Iwamatsu: > Package: release.debian.org > Severity: normal > User: release.debian@packages.debian.org > Usertags: unblock > > Hi, > > I want to upload a NMU of plasma-workspace to unstable fixing an issue > where processing stopped in ksplashqml on some environments(e.g. Japanese > environment), proposed patch attached. > > unblock plasma-workspace/5.8.6-2.1. > > [...] > Ack, please go head. Please do the upload today or tomorrow (with at most 1-day in the delay queue, but preferably without delay) as the deadline for migration is Friday. Thanks, ~Niels
Processed: Re: Bug#864076: unblock: distro-info-data/0.36
Processing control commands: > tags -1 confirmed moreinfo Bug #864076 [release.debian.org] unblock: distro-info-data/0.36 Added tag(s) moreinfo and confirmed. -- 864076: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864076 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#864076: unblock: distro-info-data/0.36
Control: tags -1 confirmed moreinfo Stefano Rivera: > Package: release.debian.org > Severity: normal > User: release.debian@packages.debian.org > Usertags: unblock > > Please unblock package distro-info-data > > This is a pre-upload unblock request for distro-info-data, now that the > Jessie release date has been announced. > > While I was here, I realised that we didn't have EOL dates for Jessie or > Wheezy yet :( We have a long-standing bug of not including LTS dates > (#782685) so I've maintained the status-quo and did that for these two > as well. Alternatively, I could just extend the support dates out to > include LTS, but that seems like another bad idea :/ > > So, are you OK with this patch-set, and would you consider allowing it > in, for Stretch? > > unblock distro-info-data/0.36 > > Thanks, > > SR > > [...] > Ack, please go head. Please do the upload today or tomorrow as the deadline for migration is Friday. Thanks, ~Niels