Processed: tagging 872441

2017-08-17 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 872441 + moreinfo
Bug #872441 [release.debian.org] stretch-pu: package gsoap/2.8.35-4+deb9u1
Added tag(s) moreinfo.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
872441: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872441
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1

2017-08-17 Thread Adam D. Barratt
On Thu, 2017-08-17 at 20:22 +0200, Martin Zobel-Helas wrote:
> Hi, 
> 
> On Thu Aug 17, 2017 at 16:38:36 +0200, Mattias Ellert wrote:
[...]
> > +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium
> > +
> > +  * Fix for CVE-2017-9765 (Closes: )
> > +
> > + -- Mattias Ellert   Wed, 16 Aug 2017 
> > 11:58:11 +0200
> > +
> >  gsoap (2.8.35-4) unstable; urgency=medium
> 
> once this changelog has a proper Closes line with bug-number this patch
> looks sane to me.

Is there actually a Debian bug for the issue? I couldn't find one.

Regards,

Adam



Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1

2017-08-17 Thread Martin Zobel-Helas
Hi, 

On Thu Aug 17, 2017 at 16:38:36 +0200, Mattias Ellert wrote:
> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> This is a proposal to fix CVE-2017-9765 in stretch.
> debdiff is attached.
> 
> Mattias Ellert

> diff -Nru gsoap-2.8.35/debian/changelog gsoap-2.8.35/debian/changelog
> --- gsoap-2.8.35/debian/changelog 2016-12-06 09:32:36.0 +0100
> +++ gsoap-2.8.35/debian/changelog 2017-08-16 11:58:11.0 +0200
> @@ -1,3 +1,9 @@
> +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium
> +
> +  * Fix for CVE-2017-9765 (Closes: )
> +
> + -- Mattias Ellert   Wed, 16 Aug 2017 11:58:11 
> +0200
> +
>  gsoap (2.8.35-4) unstable; urgency=medium

once this changelog has a proper Closes line with bug-number this patch
looks sane to me.

Cheers,
Martin
(former stable release manager)

-- 
 Martin Zobel-Helas Debian System Administrator
 Debian & GNU/Linux Developer   Debian Listmaster
 http://about.me/zobel   Debian Webmaster
 GPG Fingerprint:  6B18 5642 8E41 EC89 3D5D  BDBB 53B1 AC6D B11B 627B 



Bug#872442: jessie-pu: package gsoap/2.8.17-1+deb8u1

2017-08-17 Thread Martin Zobel-Helas
Hi, 

On Thu Aug 17, 2017 at 16:38:30 +0200, Mattias Ellert wrote:
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> This is a proposal to fix CVE-2017-9765 in jessie.
> debdiff is attached.
> 
> Mattias Ellert

> diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog
> --- gsoap-2.8.17/debian/changelog 2014-07-11 13:45:59.0 +0200
> +++ gsoap-2.8.17/debian/changelog 2017-08-16 11:30:40.0 +0200
> @@ -1,3 +1,9 @@
> +gsoap (2.8.17-1+deb8u1) jessie; urgency=medium
> +
> +  * Fix for CVE-2017-9765 (Closes: )
> +
> + -- Mattias Ellert   Wed, 16 Aug 2017 11:30:40 
> +0200
> +
>  gsoap (2.8.17-1) unstable; urgency=medium

once this changelog has a proper Closes line with bug-number this patch
looks sane to me.

Cheers,
Martin
(former stable release manager)

-- 
 Martin Zobel-Helas Debian System Administrator
 Debian & GNU/Linux Developer   Debian Listmaster
 http://about.me/zobel   Debian Webmaster
 GPG Fingerprint:  6B18 5642 8E41 EC89 3D5D  BDBB 53B1 AC6D B11B 627B 



Bug#868756: stretch-pu: package ntp/1:4.2.8p10+dfsg-3+deb9u1 (pre-pre-approval)

2017-08-17 Thread Martin Zobel-Helas
Hi, 

from my perspective this patch looks sane.

Cheers,
Martin
(former stable release manager)

-- 
 Martin Zobel-Helas Debian System Administrator
 Debian & GNU/Linux Developer   Debian Listmaster
 http://about.me/zobel   Debian Webmaster
 GPG Fingerprint:  6B18 5642 8E41 EC89 3D5D  BDBB 53B1 AC6D B11B 627B 



Bug#872442: jessie-pu: package gsoap/2.8.17-1+deb8u1

2017-08-17 Thread Mattias Ellert
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

This is a proposal to fix CVE-2017-9765 in jessie.
debdiff is attached.

Mattias Ellert
diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog
--- gsoap-2.8.17/debian/changelog	2014-07-11 13:45:59.0 +0200
+++ gsoap-2.8.17/debian/changelog	2017-08-16 11:30:40.0 +0200
@@ -1,3 +1,9 @@
+gsoap (2.8.17-1+deb8u1) jessie; urgency=medium
+
+  * Fix for CVE-2017-9765 (Closes: )
+
+ -- Mattias Ellert   Wed, 16 Aug 2017 11:30:40 +0200
+
 gsoap (2.8.17-1) unstable; urgency=medium
 
   * New upstream release
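Review bot: The `(Closes: )` in the new changelog entry is empty, so this upload closes nothing. Put the Debian bug number there, or drop the parenthesis if no bug exists for the CVE. The entry would also be easier to audit if it named the patch it adds, for example `* Add gsoap-CVE-2017-9765.patch: fix for CVE-2017-9765`.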
diff -Nru gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch
--- gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch	1970-01-01 01:00:00.0 +0100
+++ gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch	2017-08-16 09:29:32.0 +0200
@@ -0,0 +1,54 @@
+diff -ur gsoap-2.7.orig/gsoap/stdsoap2.c gsoap-2.7/gsoap/stdsoap2.c
+--- gsoap-2.7.orig/gsoap/stdsoap2.c	2010-04-06 18:23:14.0 +0200
 gsoap-2.7/gsoap/stdsoap2.c	2017-08-01 15:05:03.634309308 +0200
+@@ -1509,17 +1509,16 @@
+ soap_get_pi(struct soap *soap)
+ { char buf[64];
+   register char *s = buf;
+-  register int i = sizeof(buf);
+-  register soap_wchar c = soap_getchar(soap);
+-  /* This is a quick way to parse XML PI and we could use a callback instead to
+-   * enable applications to intercept processing instructions */
+-  while ((int)c != EOF && c != '?')
+-  { if (--i > 0)
++  register size_t i = sizeof(buf);
++  register soap_wchar c;
++  /* Parse the XML PI encoding declaration and look for  */
++  while ((int)(c = soap_getchar(soap)) != EOF && c != '?')
++  { if (i > 1)
+ { if (soap_blank(c))
+ c = ' ';
+   *s++ = (char)c;
++  i--;
+ }
+-c = soap_getchar(soap);
+   }
+   *s = '\0';
+   DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf));
+diff -ur gsoap-2.7.orig/gsoap/stdsoap2.cpp gsoap-2.7/gsoap/stdsoap2.cpp
+--- gsoap-2.7.orig/gsoap/stdsoap2.cpp	2010-04-06 18:23:14.0 +0200
 gsoap-2.7/gsoap/stdsoap2.cpp	2017-08-01 15:05:03.636309306 +0200
+@@ -1509,17 +1509,16 @@
+ soap_get_pi(struct soap *soap)
+ { char buf[64];
+   register char *s = buf;
+-  register int i = sizeof(buf);
+-  register soap_wchar c = soap_getchar(soap);
+-  /* This is a quick way to parse XML PI and we could use a callback instead to
+-   * enable applications to intercept processing instructions */
+-  while ((int)c != EOF && c != '?')
+-  { if (--i > 0)
++  register size_t i = sizeof(buf);
++  register soap_wchar c;
++  /* Parse the XML PI encoding declaration and look for  */
++  while ((int)(c = soap_getchar(soap)) != EOF && c != '?')
++  { if (i > 1)
+ { if (soap_blank(c))
+ c = ' ';
+   *s++ = (char)c;
++  i--;
+ }
+-c = soap_getchar(soap);
+   }
+   *s = '\0';
+   DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf));
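Review bot: The new debian/patches/gsoap-CVE-2017-9765.patch starts directly at `diff -ur gsoap-2.7.orig/gsoap/stdsoap2.c` with no header, and its embedded paths and 2010 timestamps refer to a gsoap-2.7 tree although it is being added to 2.8.17. Please add a DEP-3 style header (Description, Origin, and the bug reference once there is one) saying where the fix was taken from, and refresh the patch against the 2.8.17 source so that the `@@ -1509,17 +1509,16 @@` offsets and the `register` declarations are confirmed to match what is actually patched. The rewritten comment `/* Parse the XML PI encoding declaration and look for  */` also ends without saying what is looked for.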
diff -Nru gsoap-2.8.17/debian/patches/series gsoap-2.8.17/debian/patches/series
--- gsoap-2.8.17/debian/patches/series	2014-07-11 20:36:40.0 +0200
+++ gsoap-2.8.17/debian/patches/series	2017-08-16 11:28:38.0 +0200
@@ -21,3 +21,6 @@
 
 # https://sourceforge.net/p/gsoap2/patches/119/
 gsoap-doxygen-paths.patch
+
+# CVE-2017-9765
+gsoap-CVE-2017-9765.patch




Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1

2017-08-17 Thread Mattias Ellert
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

This is a proposal to fix CVE-2017-9765 in stretch.
debdiff is attached.

Mattias Ellert
diff -Nru gsoap-2.8.35/debian/changelog gsoap-2.8.35/debian/changelog
--- gsoap-2.8.35/debian/changelog	2016-12-06 09:32:36.0 +0100
+++ gsoap-2.8.35/debian/changelog	2017-08-16 11:58:11.0 +0200
@@ -1,3 +1,9 @@
+gsoap (2.8.35-4+deb9u1) stretch; urgency=medium
+
+  * Fix for CVE-2017-9765 (Closes: )
+
+ -- Mattias Ellert   Wed, 16 Aug 2017 11:58:11 +0200
+
 gsoap (2.8.35-4) unstable; urgency=medium
 
   * Rebuild for OpenSSL 1.1.0
diff -Nru gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch
--- gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch	1970-01-01 01:00:00.0 +0100
+++ gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch	2017-08-16 11:54:02.0 +0200
@@ -0,0 +1,54 @@
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.c gsoap-2.8/gsoap/stdsoap2.c
+--- gsoap-2.8.orig/gsoap/stdsoap2.c	2016-04-03 03:33:31.0 +0200
 gsoap-2.8/gsoap/stdsoap2.c	2017-08-01 14:51:44.141083499 +0200
+@@ -1711,17 +1711,16 @@
+ soap_get_pi(struct soap *soap)
+ { char buf[64];
+   char *s = buf;
+-  int i = sizeof(buf);
+-  soap_wchar c = soap_getchar(soap);
+-  /* This is a quick way to parse XML PI and we could use a callback instead to
+-   * enable applications to intercept processing instructions */
+-  while ((int)c != EOF && c != '?')
+-  { if (--i > 0)
++  size_t i = sizeof(buf);
++  soap_wchar c;
++  /* Parse the XML PI encoding declaration and look for  */
++  while ((int)(c = soap_getchar(soap)) != EOF && c != '?')
++  { if (i > 1)
+ { if (soap_blank(c))
+ c = ' ';
+   *s++ = (char)c;
++  i--;
+ }
+-c = soap_getchar(soap);
+   }
+   *s = '\0';
+   DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf));
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.cpp gsoap-2.8/gsoap/stdsoap2.cpp
+--- gsoap-2.8.orig/gsoap/stdsoap2.cpp	2016-04-03 03:33:31.0 +0200
 gsoap-2.8/gsoap/stdsoap2.cpp	2017-08-01 14:51:44.143083498 +0200
+@@ -1711,17 +1711,16 @@
+ soap_get_pi(struct soap *soap)
+ { char buf[64];
+   char *s = buf;
+-  int i = sizeof(buf);
+-  soap_wchar c = soap_getchar(soap);
+-  /* This is a quick way to parse XML PI and we could use a callback instead to
+-   * enable applications to intercept processing instructions */
+-  while ((int)c != EOF && c != '?')
+-  { if (--i > 0)
++  size_t i = sizeof(buf);
++  soap_wchar c;
++  /* Parse the XML PI encoding declaration and look for  */
++  while ((int)(c = soap_getchar(soap)) != EOF && c != '?')
++  { if (i > 1)
+ { if (soap_blank(c))
+ c = ' ';
+   *s++ = (char)c;
++  i--;
+ }
+-c = soap_getchar(soap);
+   }
+   *s = '\0';
+   DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf));
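Review bot: In the rewritten loop of soap_get_pi(), once `i` reaches 1 every further character is read and dropped until `?` or EOF, so a processing instruction longer than 63 characters is truncated silently and the amount of input consumed is not bounded. The writes stay inside `buf[64]`, because `i--` now happens only next to `*s++ = (char)c` and the counter can no longer run below zero the way the unconditional `--i` on an `int` could. A short comment stating that the truncation is intentional, or a debug log when it happens, would make the behaviour explicit. The same applies to the identical hunk for stdsoap2.cpp.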
diff -Nru gsoap-2.8.35/debian/patches/series gsoap-2.8.35/debian/patches/series
--- gsoap-2.8.35/debian/patches/series	2016-09-26 14:49:01.0 +0200
+++ gsoap-2.8.35/debian/patches/series	2017-08-16 11:57:36.0 +0200
@@ -10,3 +10,6 @@
 
 # Backport fix from upstream
 gsoap-backport.patch
+
+# CVE-2017-9765
+gsoap-CVE-2017-9765.patch




Re: stretch-pu: package samba/2:4.5.12+dfsg-1

2017-08-17 Thread Adam D. Barratt

On 2017-08-17 9:31, Mathieu Parent wrote:
> Hi stable release team,
>
> I had no response to this bug. I know this is a huge diff, but please
> review it.

For the record it's not /that/ old yet and the original mail never
reached debian-release, presumably due to the diff size.

(Was your mail intentionally copied both to the bug and the list?)

Regards,

Adam



stretch-pu: package samba/2:4.5.12+dfsg-1

2017-08-17 Thread Mathieu Parent
Hi stable release team,

I had no response to this bug. I know this is a huge diff, but please review it.

FYI, I'll cherry-pick the following commit fixing a typo before upload:
https://anonscm.debian.org/cgit/pkg-samba/samba.git/commit/?id=57fbf8399242bb4d19058960d8c8a5d1be115110

Regards

-- 
Mathieu Parent



texstudio: building against qt4 instead of qt5 for stretch

2017-08-17 Thread Tom Jampen
Hi

In bug #869359 (Rather use qt4 due to qt5 bugs) I was asked to build
texstudio against qt4 instead of qt5 because of a severe bug in qt5. In
short, qt5 does not allow the input of polytonic Greek letters like ἀ ἁ ἄ ἅ ἂ
ἃ ἆ ἐ ἑ etc.

Due to the problems with qt5, upstream is still shipping two versions of
their own packages, one with qt4 and one with qt5 support.

What does the release team think of going back to qt4 for texstudio in
stretch? Do you want me to go forward with such a change for the next
point release? And what would be the next steps?

I've made the necessary changes and built texstudio for stretch against
qt4. Please find attached the debdiff.

Thanks and regards
Tom
diff -Nru texstudio-2.11.2+debian/debian/changelog 
texstudio-2.11.2+debian/debian/changelog
--- texstudio-2.11.2+debian/debian/changelog2016-10-23 19:37:11.0 
+0200
+++ texstudio-2.11.2+debian/debian/changelog2017-08-17 07:30:23.0 
+0200
@@ -1,3 +1,9 @@
+texstudio (2.11.2+debian-2) unstable; urgency=medium
+
+  * Moving back to using qt4 instead of qt5 (Closes: #869359).
+
+ -- Tom Jampen   Thu, 17 Aug 2017 07:30:23 +0200
+
 texstudio (2.11.2+debian-1) unstable; urgency=medium
 
   * Merging upstream version 2.11.2+debian.
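Review bot: The new changelog stanza targets `unstable` with version `2.11.2+debian-2`, but the accompanying mail proposes the change for a stretch point release. For a stable update the first line should name `stretch` and use a stable-style version such as `2.11.2+debian-1+deb9u1`, so that it sorts below any later upload to unstable.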
diff -Nru texstudio-2.11.2+debian/debian/control 
texstudio-2.11.2+debian/debian/control
--- texstudio-2.11.2+debian/debian/control  2016-10-11 23:28:14.0 
+0200
+++ texstudio-2.11.2+debian/debian/control  2017-08-17 07:30:23.0 
+0200
@@ -3,14 +3,14 @@
 Priority: optional
 Maintainer: Tom Jampen 
 Build-Depends:
- debhelper (>= 9), libhunspell-dev, libpoppler-qt5-dev, libqt5svg5-dev,
- libquazip5-dev, pkg-config, qt5-qmake, qtscript5-dev, qttools5-dev, zlib1g-dev
+ debhelper (>= 9), libhunspell-dev, libpoppler-qt4-dev, libquazip-dev,
+ libx11-dev, pkg-config, qt4-qmake, zlib1g-dev
 Standards-Version: 3.9.8
 Homepage: http://texstudio.sf.net/
 
 Package: texstudio
 Architecture: any
-Depends: ${misc:Depends}, ${shlibs:Depends}, libqt5svg5
+Depends: ${misc:Depends}, ${shlibs:Depends}, libqt4-svg
 Recommends:
  texlive-base, texlive-latex-base, texlive-latex-recommended, texstudio-doc,
  texstudio-l10n
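Review bot: In Build-Depends, `libx11-dev` is new and the changelog does not mention it, and no Qt 4 development package is listed directly next to `qt4-qmake` and `libpoppler-qt4-dev`. Please say in the changelog why libx11-dev is needed, and list the Qt 4 development package explicitly if the build currently gets it only as a dependency of another package. The hand-written `libqt4-svg` in Depends mirrors the old `libqt5svg5`; a one-line comment on why `${shlibs:Depends}` does not cover it would help.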
diff -Nru texstudio-2.11.2+debian/debian/patches/04-quazip-qt5.patch 
texstudio-2.11.2+debian/debian/patches/04-quazip-qt5.patch
--- texstudio-2.11.2+debian/debian/patches/04-quazip-qt5.patch  2016-10-12 
07:41:57.0 +0200
+++ texstudio-2.11.2+debian/debian/patches/04-quazip-qt5.patch  1970-01-01 
01:00:00.0 +0100
@@ -1,16 +0,0 @@
-Author: Tom Jampen 
-Description:
- Patches texstudio.pro to use libquazip5 as TeXstudio is built against qt5.
-
-diff -Naurp a/texstudio.pro b/texstudio.pro
 a/texstudio.pro2016-10-12 07:40:25.470131505 +0200
-+++ b/texstudio.pro2016-10-12 07:41:08.138720884 +0200
-@@ -471,7 +471,7 @@ isEmpty(USE_SYSTEM_QUAZIP) {
-   DEFINES += QUAZIP_STATIC
-   include(quazip/quazip/quazip.pri)
- } else {
--  isEmpty(QUAZIP_LIB): QUAZIP_LIB = -lquazip
-+  isEmpty(QUAZIP_LIB): QUAZIP_LIB = -lquazip5
-   isEmpty(QUAZIP_INCLUDE): QUAZIP_INCLUDE = $${PREFIX}/include/quazip
- 
-   INCLUDEPATH += $${QUAZIP_INCLUDE}
diff -Nru texstudio-2.11.2+debian/debian/patches/series 
texstudio-2.11.2+debian/debian/patches/series
--- texstudio-2.11.2+debian/debian/patches/series   2016-10-11 
23:28:14.0 +0200
+++ texstudio-2.11.2+debian/debian/patches/series   2017-08-17 
07:30:23.0 +0200
@@ -1,4 +1,3 @@
 01-removed-upstream-files.patch
 02-fix-desktop.patch
 03-disable-auto-update.patch
-04-quazip-qt5.patch
diff -Nru texstudio-2.11.2+debian/debian/rules 
texstudio-2.11.2+debian/debian/rules
--- texstudio-2.11.2+debian/debian/rules2016-10-11 23:28:14.0 
+0200
+++ texstudio-2.11.2+debian/debian/rules2017-08-17 07:30:23.0 
+0200
@@ -2,7 +2,6 @@
 
 export DEB_BUILD_MAINT_OPTIONS = hardening=+all
 export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed
-export QT_SELECT=qt5
 
 DEBIAN_DIR=$(dir $(firstword $(MAKEFILE_LIST)))
 UPSTREAM_VERSION=$(shell dpkg-parsechangelog -l$(DEBIAN_DIR)/changelog \
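Review bot: Dropping `export QT_SELECT=qt5` without a replacement leaves the Qt version implicit. Setting `export QT_SELECT=qt4` instead would state the intent of this change in debian/rules and keep the build from depending on whichever Qt default is configured in the build environment.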