Processed: tagging 872441
Processing commands for cont...@bugs.debian.org:

> tags 872441 + moreinfo
Bug #872441 [release.debian.org] stretch-pu: package gsoap/2.8.35-4+deb9u1
Added tag(s) moreinfo.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
872441: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872441
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1
On Thu, 2017-08-17 at 20:22 +0200, Martin Zobel-Helas wrote: > Hi, > > On Thu Aug 17, 2017 at 16:38:36 +0200, Mattias Ellert wrote: [...] > > +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium > > + > > + * Fix for CVE-2017-9765 (Closes: ) > > + > > + -- Mattias EllertWed, 16 Aug 2017 > > 11:58:11 +0200 > > + > > gsoap (2.8.35-4) unstable; urgency=medium > > once this changelog has a proper Closes line with bug-number this patch > looks sane to me. Is there actually a Debian bug for the issue? I couldn't find one. Regards, Adam
Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1
Hi, On Thu Aug 17, 2017 at 16:38:36 +0200, Mattias Ellert wrote: > Package: release.debian.org > Severity: normal > Tags: stretch > User: release.debian@packages.debian.org > Usertags: pu > > This is a proposal to fix CVE-2017-9765 in stretch. > debdiff is attached. > > Mattias Ellert > diff -Nru gsoap-2.8.35/debian/changelog gsoap-2.8.35/debian/changelog > --- gsoap-2.8.35/debian/changelog 2016-12-06 09:32:36.0 +0100 > +++ gsoap-2.8.35/debian/changelog 2017-08-16 11:58:11.0 +0200 > @@ -1,3 +1,9 @@ > +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium > + > + * Fix for CVE-2017-9765 (Closes: ) > + > + -- Mattias EllertWed, 16 Aug 2017 11:58:11 > +0200 > + > gsoap (2.8.35-4) unstable; urgency=medium once this changelog has a proper Closes line with bug-number this patch looks sane to me. Cheers, Martin (former stable release manager) -- Martin Zobel-Helas Debian System Administrator Debian & GNU/Linux Developer Debian Listmaster http://about.me/zobel Debian Webmaster GPG Fingerprint: 6B18 5642 8E41 EC89 3D5D BDBB 53B1 AC6D B11B 627B
Bug#872442: jessie-pu: package gsoap/2.8.17-1+deb8u1
Hi, On Thu Aug 17, 2017 at 16:38:30 +0200, Mattias Ellert wrote: > Package: release.debian.org > Severity: normal > Tags: jessie > User: release.debian@packages.debian.org > Usertags: pu > > This is a proposal to fix CVE-2017-9765 in jessie. > debdiff is attached. > > Mattias Ellert > diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog > --- gsoap-2.8.17/debian/changelog 2014-07-11 13:45:59.0 +0200 > +++ gsoap-2.8.17/debian/changelog 2017-08-16 11:30:40.0 +0200 > @@ -1,3 +1,9 @@ > +gsoap (2.8.17-1+deb8u1) jessie; urgency=medium > + > + * Fix for CVE-2017-9765 (Closes: ) > + > + -- Mattias EllertWed, 16 Aug 2017 11:30:40 > +0200 > + > gsoap (2.8.17-1) unstable; urgency=medium once this changelog has a proper Closes line with bug-number this patch looks sane to me. Cheers, Martin (former stable release manager) -- Martin Zobel-Helas Debian System Administrator Debian & GNU/Linux Developer Debian Listmaster http://about.me/zobel Debian Webmaster GPG Fingerprint: 6B18 5642 8E41 EC89 3D5D BDBB 53B1 AC6D B11B 627B
Bug#868756: stretch-pu: package ntp/1:4.2.8p10+dfsg-3+deb9u1 (pre-pre-approval)
Hi,

from my perspective this patch looks sane.

Cheers,
Martin
(former stable release manager)
-- 
Martin Zobel-Helas  Debian System Administrator
Debian & GNU/Linux Developer  Debian Listmaster
http://about.me/zobel  Debian Webmaster
GPG Fingerprint: 6B18 5642 8E41 EC89 3D5D BDBB 53B1 AC6D B11B 627B
Bug#872442: jessie-pu: package gsoap/2.8.17-1+deb8u1
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu This is a proposal to fix CVE-2017-9765 in jessie. debdiff is attached. Mattias Ellert diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog --- gsoap-2.8.17/debian/changelog 2014-07-11 13:45:59.0 +0200 +++ gsoap-2.8.17/debian/changelog 2017-08-16 11:30:40.0 +0200 @@ -1,3 +1,9 @@ +gsoap (2.8.17-1+deb8u1) jessie; urgency=medium + + * Fix for CVE-2017-9765 (Closes: ) + + -- Mattias EllertWed, 16 Aug 2017 11:30:40 +0200 + gsoap (2.8.17-1) unstable; urgency=medium * New upstream release diff -Nru gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch --- gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch 1970-01-01 01:00:00.0 +0100 +++ gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch 2017-08-16 09:29:32.0 +0200 
@@ -0,0 +1,54 @@ +diff -ur gsoap-2.7.orig/gsoap/stdsoap2.c gsoap-2.7/gsoap/stdsoap2.c +--- gsoap-2.7.orig/gsoap/stdsoap2.c 2010-04-06 18:23:14.0 +0200 gsoap-2.7/gsoap/stdsoap2.c 2017-08-01 15:05:03.634309308 +0200 +@@ -1509,17 +1509,16 @@ + soap_get_pi(struct soap *soap) + { char buf[64]; + register char *s = buf; +- register int i = sizeof(buf); +- register soap_wchar c = soap_getchar(soap); +- /* This is a quick way to parse XML PI and we could use a callback instead to +- * enable applications to intercept processing instructions */ +- while ((int)c != EOF && c != '?') +- { if (--i > 0) ++ register size_t i = sizeof(buf); ++ register soap_wchar c; ++ /* Parse the XML PI encoding declaration and look for */ ++ while ((int)(c = soap_getchar(soap)) != EOF && c != '?') ++ { if (i > 1) + { if (soap_blank(c)) + c = ' '; + *s++ = (char)c; ++ i--; + } +-c = soap_getchar(soap); + } + *s = '\0'; + DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf)); +diff -ur gsoap-2.7.orig/gsoap/stdsoap2.cpp gsoap-2.7/gsoap/stdsoap2.cpp +--- gsoap-2.7.orig/gsoap/stdsoap2.cpp 2010-04-06 18:23:14.0 +0200 gsoap-2.7/gsoap/stdsoap2.cpp 2017-08-01 15:05:03.636309306 +0200 +@@ -1509,17 +1509,16 @@ + soap_get_pi(struct soap *soap) + { char buf[64]; + register char *s = buf; +- register int i = sizeof(buf); +- register soap_wchar c = soap_getchar(soap); +- /* This is a quick way to parse XML PI and we could use a callback instead to +- * enable applications to intercept processing instructions */ +- while ((int)c != EOF && c != '?') +- { if (--i > 0) ++ register size_t i = sizeof(buf); ++ register soap_wchar c; ++ /* Parse the XML PI encoding declaration and look for */ ++ while ((int)(c = soap_getchar(soap)) != EOF && c != '?') ++ { if (i > 1) + { if (soap_blank(c)) + c = ' '; + *s++ = (char)c; ++ i--; + } +-c = soap_getchar(soap); + } + *s = '\0'; + DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf)); diff -Nru gsoap-2.8.17/debian/patches/series gsoap-2.8.17/debian/patches/series --- 
gsoap-2.8.17/debian/patches/series 2014-07-11 20:36:40.0 +0200 +++ gsoap-2.8.17/debian/patches/series 2017-08-16 11:28:38.0 +0200 @@ -21,3 +21,6 @@ # https://sourceforge.net/p/gsoap2/patches/119/ gsoap-doxygen-paths.patch + +# CVE-2017-9765 +gsoap-CVE-2017-9765.patch signature.asc Description: This is a digitally signed message part
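Review bot: in the stdsoap2.c and stdsoap2.cpp hunks of debian/patches/gsoap-CVE-2017-9765.patch, the embedded headers name gsoap-2.7.orig/ with a 2010-04-06 timestamp and the hunks sit at @@ -1509,17, while this upload patches gsoap 2.8.17. Please confirm the patch applies to the 2.8.17 sources without offset or fuzz, and regenerate it against that tree so the paths and line numbers match. The bound itself reads correctly: with `size_t i = sizeof(buf)` and the store guarded by `if (i > 1)`, at most 63 bytes are written before `*s = '\0'`, and `i` is decremented only when a byte is stored, so a long processing instruction can no longer drive it past zero.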
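Review bot: in the debian/changelog hunk, `(Closes: )` carries no bug number. Fill in the Debian bug for CVE-2017-9765 if one exists, or drop the parenthetical, since an empty Closes closes nothing on upload.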
Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu This is a proposal to fix CVE-2017-9765 in stretch. debdiff is attached. Mattias Ellert diff -Nru gsoap-2.8.35/debian/changelog gsoap-2.8.35/debian/changelog --- gsoap-2.8.35/debian/changelog 2016-12-06 09:32:36.0 +0100 +++ gsoap-2.8.35/debian/changelog 2017-08-16 11:58:11.0 +0200 @@ -1,3 +1,9 @@ +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium + + * Fix for CVE-2017-9765 (Closes: ) + + -- Mattias EllertWed, 16 Aug 2017 11:58:11 +0200 + gsoap (2.8.35-4) unstable; urgency=medium * Rebuild for OpenSSL 1.1.0 diff -Nru gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch --- gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch 1970-01-01 01:00:00.0 +0100 +++ gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch 2017-08-16 11:54:02.0 +0200 
@@ -0,0 +1,54 @@ +diff -ur gsoap-2.8.orig/gsoap/stdsoap2.c gsoap-2.8/gsoap/stdsoap2.c +--- gsoap-2.8.orig/gsoap/stdsoap2.c 2016-04-03 03:33:31.0 +0200 gsoap-2.8/gsoap/stdsoap2.c 2017-08-01 14:51:44.141083499 +0200 +@@ -1711,17 +1711,16 @@ + soap_get_pi(struct soap *soap) + { char buf[64]; + char *s = buf; +- int i = sizeof(buf); +- soap_wchar c = soap_getchar(soap); +- /* This is a quick way to parse XML PI and we could use a callback instead to +- * enable applications to intercept processing instructions */ +- while ((int)c != EOF && c != '?') +- { if (--i > 0) ++ size_t i = sizeof(buf); ++ soap_wchar c; ++ /* Parse the XML PI encoding declaration and look for */ ++ while ((int)(c = soap_getchar(soap)) != EOF && c != '?') ++ { if (i > 1) + { if (soap_blank(c)) + c = ' '; + *s++ = (char)c; ++ i--; + } +-c = soap_getchar(soap); + } + *s = '\0'; + DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf)); +diff -ur gsoap-2.8.orig/gsoap/stdsoap2.cpp gsoap-2.8/gsoap/stdsoap2.cpp +--- gsoap-2.8.orig/gsoap/stdsoap2.cpp 2016-04-03 03:33:31.0 +0200 gsoap-2.8/gsoap/stdsoap2.cpp 2017-08-01 14:51:44.143083498 +0200 +@@ -1711,17 +1711,16 @@ + soap_get_pi(struct soap *soap) + { char buf[64]; + char *s = buf; +- int i = sizeof(buf); +- soap_wchar c = soap_getchar(soap); +- /* This is a quick way to parse XML PI and we could use a callback instead to +- * enable applications to intercept processing instructions */ +- while ((int)c != EOF && c != '?') +- { if (--i > 0) ++ size_t i = sizeof(buf); ++ soap_wchar c; ++ /* Parse the XML PI encoding declaration and look for */ ++ while ((int)(c = soap_getchar(soap)) != EOF && c != '?') ++ { if (i > 1) + { if (soap_blank(c)) + c = ' '; + *s++ = (char)c; ++ i--; + } +-c = soap_getchar(soap); + } + *s = '\0'; + DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf)); diff -Nru gsoap-2.8.35/debian/patches/series gsoap-2.8.35/debian/patches/series --- gsoap-2.8.35/debian/patches/series 2016-09-26 14:49:01.0 +0200 +++ 
gsoap-2.8.35/debian/patches/series 2017-08-16 11:57:36.0 +0200 @@ -10,3 +10,6 @@ # Backport fix from upstream gsoap-backport.patch + +# CVE-2017-9765 +gsoap-CVE-2017-9765.patch signature.asc Description: This is a digitally signed message part
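Review bot: the new debian/patches/gsoap-CVE-2017-9765.patch starts directly at `diff -ur` with no header, so nothing in the package records where the soap_get_pi change comes from. A short Description and Origin header at the top of the patch file would let a later reviewer check it against the upstream fix. The `(Closes: )` in the debian/changelog hunk is empty here as well.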
Re: stretch-pu: package samba/2:4.5.12+dfsg-1
On 2017-08-17 9:31, Mathieu Parent wrote:
> Hi stable release team,
>
> I had no response to this bug. I know this is a huge diff, but please review it.

For the record it's not /that/ old yet and the original mail never reached debian-release, presumably due to the diff size.

(Was your mail intentionally copied both to the bug and the list?)

Regards,

Adam
stretch-pu: package samba/2:4.5.12+dfsg-1
Hi stable release team,

I had no response to this bug. I know this is a huge diff, but please review it.

FYI, I'll cherry-pick the following commit fixing a typo before upload:
https://anonscm.debian.org/cgit/pkg-samba/samba.git/commit/?id=57fbf8399242bb4d19058960d8c8a5d1be115110

Regards
-- 
Mathieu Parent
texstudio: building against qt4 instead of qt5 for stretch
Hi In bug #869359 (Rather use qt4 due to qt5 bugs) I was asked to build texstudio against qt4 instead of qt5 because of a severe bug in qt5. In short qt5 does not allow to input polytonic greek letters like ἀ ἁ ἄ ἅ ἂ ἃ ἆ ἐ ἑ etc. Due to the problems with qt5, upstream is still shipping two versions of their own packages, one with qt4 and one with qt5 support. What does the release team think of going back to qt4 for texstudio in stretch? Do you want me to go forward with such a change for the next point release? And what would be the next steps? I've made the necessary changes and built texstudio for stretch against qt4. Please find attached the debdiff. Thanks and regards Tom diff -Nru texstudio-2.11.2+debian/debian/changelog texstudio-2.11.2+debian/debian/changelog --- texstudio-2.11.2+debian/debian/changelog2016-10-23 19:37:11.0 +0200 +++ texstudio-2.11.2+debian/debian/changelog2017-08-17 07:30:23.0 +0200 @@ -1,3 +1,9 @@ +texstudio (2.11.2+debian-2) unstable; urgency=medium + + * Moving back to using qt4 instead of qt5 (Closes: #869359). + + -- Tom JampenThu, 17 Aug 2017 07:30:23 +0200 + texstudio (2.11.2+debian-1) unstable; urgency=medium * Merging upstream version 2.11.2+debian. diff -Nru texstudio-2.11.2+debian/debian/control texstudio-2.11.2+debian/debian/control --- texstudio-2.11.2+debian/debian/control 2016-10-11 23:28:14.0 +0200 +++ texstudio-2.11.2+debian/debian/control 2017-08-17 07:30:23.0 +0200 
@@ -3,14 +3,14 @@ Priority: optional Maintainer: Tom Jampen Build-Depends: - debhelper (>= 9), libhunspell-dev, libpoppler-qt5-dev, libqt5svg5-dev, - libquazip5-dev, pkg-config, qt5-qmake, qtscript5-dev, qttools5-dev, zlib1g-dev + debhelper (>= 9), libhunspell-dev, libpoppler-qt4-dev, libquazip-dev, + libx11-dev, pkg-config, qt4-qmake, zlib1g-dev Standards-Version: 3.9.8 Homepage: http://texstudio.sf.net/ Package: texstudio Architecture: any -Depends: ${misc:Depends}, ${shlibs:Depends}, libqt5svg5 +Depends: ${misc:Depends}, ${shlibs:Depends}, libqt4-svg Recommends: texlive-base, texlive-latex-base, texlive-latex-recommended, texstudio-doc, texstudio-l10n diff -Nru texstudio-2.11.2+debian/debian/patches/04-quazip-qt5.patch texstudio-2.11.2+debian/debian/patches/04-quazip-qt5.patch --- texstudio-2.11.2+debian/debian/patches/04-quazip-qt5.patch 2016-10-12 07:41:57.0 +0200 +++ texstudio-2.11.2+debian/debian/patches/04-quazip-qt5.patch 1970-01-01 01:00:00.0 +0100 @@ -1,16 +0,0 @@ -Author: Tom Jampen -Description: - Patches texstudio.pro to use libquazip5 as TeXstudio is built against qt5. - -diff -Naurp a/texstudio.pro b/texstudio.pro a/texstudio.pro2016-10-12 07:40:25.470131505 +0200 -+++ b/texstudio.pro2016-10-12 07:41:08.138720884 +0200 -@@ -471,7 +471,7 @@ isEmpty(USE_SYSTEM_QUAZIP) { - DEFINES += QUAZIP_STATIC - include(quazip/quazip/quazip.pri) - } else { -- isEmpty(QUAZIP_LIB): QUAZIP_LIB = -lquazip -+ isEmpty(QUAZIP_LIB): QUAZIP_LIB = -lquazip5 - isEmpty(QUAZIP_INCLUDE): QUAZIP_INCLUDE = $${PREFIX}/include/quazip - - INCLUDEPATH += $${QUAZIP_INCLUDE} diff -Nru texstudio-2.11.2+debian/debian/patches/series texstudio-2.11.2+debian/debian/patches/series --- texstudio-2.11.2+debian/debian/patches/series 2016-10-11 23:28:14.0 +0200 +++ texstudio-2.11.2+debian/debian/patches/series 2017-08-17 07:30:23.0 +0200 
@@ -1,4 +1,3 @@ 01-removed-upstream-files.patch 02-fix-desktop.patch 03-disable-auto-update.patch -04-quazip-qt5.patch diff -Nru texstudio-2.11.2+debian/debian/rules texstudio-2.11.2+debian/debian/rules --- texstudio-2.11.2+debian/debian/rules2016-10-11 23:28:14.0 +0200 +++ texstudio-2.11.2+debian/debian/rules2017-08-17 07:30:23.0 +0200 @@ -2,7 +2,6 @@ export DEB_BUILD_MAINT_OPTIONS = hardening=+all export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed -export QT_SELECT=qt5 DEBIAN_DIR=$(dir $(firstword $(MAKEFILE_LIST))) UPSTREAM_VERSION=$(shell dpkg-parsechangelog -l$(DEBIAN_DIR)/changelog \
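Review bot: in the debian/changelog hunk, the new entry reads `texstudio (2.11.2+debian-2) unstable`, but the message proposes this change for a stretch point release. An upload to stable needs `stretch` as the distribution and a version that sorts as a stable update, in the +deb9u1 style, rather than the next unstable revision.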
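Review bot: in the debian/rules hunk, `export QT_SELECT=qt5` is removed without a replacement, so which qmake runs depends on the default in the build environment. Setting `export QT_SELECT=qt4` would pin the build to Qt 4 explicitly, matching the switch to qt4-qmake and libpoppler-qt4-dev in debian/control.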