Bug#886593: stretch-pu: package qtpass/1.1.6-1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi, the current version in stable has an insecure built-in password generator. As the built-in password generator is not used in qtpass' default config, the security team asked me to fix it via stretch-pu. Here is the corresponding link: https://security-tracker.debian.org/tracker/source-package/qtpass I attached the debdiff (the fix is adopted from upstream, see https://github.com/IJHack/QtPass/issues/338 for reference). May I go ahead? Best, Philip diff -Nru qtpass-1.1.6/debian/changelog qtpass-1.1.6/debian/changelog --- qtpass-1.1.6/debian/changelog 2016-12-02 16:23:16.0 +0100 +++ qtpass-1.1.6/debian/changelog 2018-01-07 13:45:10.0 +0100 @@ -1,3 +1,9 @@ +qtpass (1.1.6-1+deb9u1) stretch; urgency=medium + + * Fix insecure built-in password generator (Fixes: CVE-2017-18021) + + -- Philip RinnSun, 07 Jan 2018 13:45:10 +0100 + qtpass (1.1.6-1) unstable; urgency=medium * New upstream release diff -Nru qtpass-1.1.6/debian/NEWS qtpass-1.1.6/debian/NEWS --- qtpass-1.1.6/debian/NEWS1970-01-01 01:00:00.0 +0100 +++ qtpass-1.1.6/debian/NEWS2018-01-07 13:45:10.0 +0100 
@@ -0,0 +1,15 @@ +qtpass (1.1.6-1+deb9u1) stretch; urgency=medium + + All passwords generated with QtPass' built-in password generator prior to + 1.1.6-1+deb9u1 are possibly predictable and enumerable by hackers. + The generator used libc's random(), seeded with srand(msecs), where msecs is + not the msecs since 1970 (not that that'd be secure anyway), but rather the + msecs since the last second. This means there are only 1000 different + sequences of generated passwords. + . + NB: QtPass uses `pwgen` to generate passwords by default. This means, if you + didn't change the configuration to use the built-in password generator your + passwords are safe. If you used the built-in password generator, change all + passwords you generated with QtPass. + + -- Philip Rinn Sun, 07 Jan 2018 13:45:10 +0100 diff -Nru qtpass-1.1.6/debian/patches/01-fix-password-generator.patch qtpass-1.1.6/debian/patches/01-fix-password-generator.patch --- qtpass-1.1.6/debian/patches/01-fix-password-generator.patch 1970-01-01 01:00:00.0 +0100 +++ qtpass-1.1.6/debian/patches/01-fix-password-generator.patch 2018-01-04 22:38:41.0 +0100 
@@ -0,0 +1,67 @@ +--- a/mainwindow.cpp b/mainwindow.cpp +@@ -67,7 +67,6 @@ + connect(actionAddPassword, SIGNAL(triggered()), this, + SLOT(on_addButton_clicked())); + connect(actionAddFolder, SIGNAL(triggered()), this, SLOT(addFolder())); +- qsrand(static_cast(QTime::currentTime().msec())); + + #if QT_VERSION >= QT_VERSION_CHECK(5, 2, 0) + ui->lineEdit->setClearButtonEnabled(true); +@@ -1900,10 +1899,10 @@ + else + qDebug() << "pwgen fail"; + } else { +-int charsetLength = pwdConfig.Characters[selection].length(); ++quint32 charsetLength = pwdConfig.Characters[selection].length(); + if (charsetLength > 0) { + for (int i = 0; i < length; ++i) { +-int index = qrand() % charsetLength; ++quint32 index = Util::boundedRandom(charsetLength); + QChar nextChar = pwdConfig.Characters[selection].at(index); + passwd.append(nextChar); + } +--- a/util.cpp b/util.cpp +@@ -9,6 +9,9 @@ + #else + #include + #endif ++#include ++#include ++#include + QProcessEnvironment Util::_env; + bool Util::_envInitialised; + +@@ -137,3 +140,21 @@ + nanosleep(, NULL); + #endif + } ++ ++quint32 Util::boundedRandom(quint32 bound) { ++ static int fd = -1; ++ if (bound < 2) ++ return 0; ++ ++ if (fd == -1) ++ assert((fd = open("/dev/urandom", O_RDONLY)) >= 0); ++ ++ quint32 randval; ++ const quint32 max_mod_bound = (1 + ~bound) % bound; ++ ++ do ++ assert(read(fd, , sizeof(randval)) == sizeof(randval)); ++ while (randval < max_mod_bound); ++ ++ return randval % bound; ++} +--- a/util.h b/util.h +@@ -16,6 +16,7 @@ + static bool checkConfig(QString passStore, QString passExecutable, + QString gpgExecutable); + static void qSleep(int ms); ++ static quint32 boundedRandom(quint32 bound); + + private: + static void initialiseEnvironment(); diff -Nru qtpass-1.1.6/debian/patches/series qtpass-1.1.6/debian/patches/series --- qtpass-1.1.6/debian/patches/series 1970-01-01 01:00:00.0 +0100 +++ qtpass-1.1.6/debian/patches/series 2018-01-04 22:11:50.0 +0100 @@ -0,0 +1 @@ +01-fix-password-generator.patch
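Review bot: the NEWS entry describes the old generator as libc's random() seeded with srand(msecs), but the code the patch removes is `qsrand(static_cast(QTime::currentTime().msec()))` together with `qrand()`, Qt's wrappers. The 1000-sequence conclusion holds either way, but the NEWS text should name qsrand()/qrand() so that it matches the diff users can read.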
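Review bot: in the second mainwindow.cpp hunk, `quint32 index = Util::boundedRandom(charsetLength);` is then handed to `pwdConfig.Characters[selection].at(index)`, and `QString::at()` takes an int, so the value narrows back implicitly; `length()` likewise returns int, so `quint32 charsetLength` widens in the other direction. This is harmless for any charset that fits in a QString, but an explicit `static_cast<int>(index)` (or keeping charsetLength as int and casting once at the boundedRandom() call) avoids the sign-conversion warnings and documents the intent.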
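Review bot: in the `Util::boundedRandom` hunk, the only calls to open() and read() are the arguments of assert(); a build with NDEBUG compiles both away, leaves fd at -1 and randval uninitialised, and the function silently returns garbage `% bound`. Do the open and the read unconditionally and check their results explicitly; a short read from /dev/urandom is rare but legal, and the `== sizeof(randval)` test currently aborts on it instead of looping until four bytes have arrived. The rejection logic itself is correct: `(1 + ~bound) % bound` is 2^32 mod bound in quint32 arithmetic, so the values below it are exactly the ones that would bias `randval % bound`.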
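The NEWS text above says why the old generator is enumerable: seeding with the millisecond field leaves only 1000 possible output streams. The following Python is an added example, not QtPass code, that shows the attack side (recover the seed from one leaked password, then predict the next one from the same session) next to a port of the rejection-sampling `boundedRandom` from the patch. Python's `random.Random` stands in for the qrand() stream (an assumption: the real qrand() bytes differ, but the 0..999 seed space is identical, and the seed space is all the attack needs); the charset and the seed 731 are constructed for the demo.

```python
"""Added example, not QtPass code: why a generator with only 1000 seeds is
enumerable, and a Python port of the rejection-sampling fix.

Assumption: Python's Mersenne Twister (random.Random) stands in for the
qrand() stream that the old code seeded with QTime::currentTime().msec().
The real qrand() output differs, but its seed space is the same 0..999,
which is all the attack depends on.
"""
import os
import random
import struct

CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"  # constructed sample charset
MASK32 = 0xFFFFFFFF


class WeakSession:
    """Stand-in for the pre-fix generator: seeded once per process with the
    millisecond field, then `index = rand % charsetLength` per character."""

    def __init__(self, seed_msec):
        assert 0 <= seed_msec < 1000
        self.rng = random.Random(seed_msec)

    def generate(self, length, charset=CHARSET):
        return "".join(charset[self.rng.getrandbits(32) % len(charset)]
                       for _ in range(length))


def recover_seed(password, charset=CHARSET):
    """Attacker side: try every possible msec seed against one leaked
    password. 1000 trials, i.e. instant."""
    for seed in range(1000):
        if WeakSession(seed).generate(len(password), charset) == password:
            return seed
    return None


def predict_following(seed, leaked, lengths, charset=CHARSET):
    """Replay the recovered stream past the leaked password to predict the
    later passwords generated in the same session."""
    replay = WeakSession(seed)
    assert replay.generate(len(leaked), charset) == leaked
    return [replay.generate(n, charset) for n in lengths]


def max_mod_bound(bound):
    """`(1 + ~bound) % bound` in 32-bit unsigned arithmetic, i.e. 2**32 % bound:
    the count of 32-bit values that would bias `randval % bound`."""
    return ((1 + (~bound & MASK32)) & MASK32) % bound


def urandom32():
    """One 32-bit word from the kernel CSPRNG (the fix's /dev/urandom read)."""
    return struct.unpack("<I", os.urandom(4))[0]


def bounded_random(bound, rand32=urandom32):
    """Port of Util::boundedRandom: uniform integer in [0, bound) from a
    32-bit source, rejecting the low range that would skew the modulo."""
    if bound < 2:
        return 0
    reject_below = max_mod_bound(bound)
    while True:
        r = rand32()
        if r >= reject_below:
            return r % bound


def strong_generate(length, charset=CHARSET):
    """Fixed generator: every index drawn with bounded_random() over urandom."""
    return "".join(charset[bounded_random(len(charset))] for _ in range(length))


if __name__ == "__main__":
    victim = WeakSession(731)  # 731 is the hidden millisecond seed for the demo
    first, second = victim.generate(12), victim.generate(12)
    seed = recover_seed(first)
    predicted = predict_following(seed, first, [12])[0]
    print("recovered seed:", seed, "predicted next password:", predicted == second)
    print("fixed generator:", strong_generate(16))
```

`max_mod_bound(26)` is 22, so the port rejects raw values 0..21 and accepts the rest, matching the C++ `do ... while (randval < max_mod_bound)` loop; with `bound < 2` the function returns 0 without touching the entropy source, exactly as the patch does.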
Bug#886589: stretch-pu: package mapproxy/1.9.0-3+deb9u1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu To fix CVE-2017-1000426 an update of mapproxy for stretch has been prepared, but the security team doesn't consider the issue severe enough to warrant a DSA. Is this change okay to upload to proposed-updates? Kind Regards, Bas diff -Nru mapproxy-1.9.0/debian/changelog mapproxy-1.9.0/debian/changelog --- mapproxy-1.9.0/debian/changelog 2016-08-22 11:56:27.0 +0200 +++ mapproxy-1.9.0/debian/changelog 2018-01-07 09:33:15.0 +0100 @@ -1,3 +1,11 @@ +mapproxy (1.9.0-3+deb9u1) stretch; urgency=medium + + * Update branch in gbp.conf & Vcs-Git URL. + * Add upstream patch to fix Cross Site Scripting (XSS) issue in demo service. +Fixes CVE-2017-1000426. + + -- Bas CouwenbergSun, 07 Jan 2018 09:33:15 +0100 + mapproxy (1.9.0-3) unstable; urgency=medium * Add access_contraints patch ignored by .gitignore. diff -Nru mapproxy-1.9.0/debian/control mapproxy-1.9.0/debian/control --- mapproxy-1.9.0/debian/control 2016-08-14 12:48:50.0 +0200 +++ mapproxy-1.9.0/debian/control 2018-01-07 09:33:15.0 +0100 @@ -37,7 +37,7 @@ xsltproc Standards-Version: 3.9.8 Vcs-Browser: https://anonscm.debian.org/cgit/pkg-grass/mapproxy.git -Vcs-Git: https://anonscm.debian.org/git/pkg-grass/mapproxy.git +Vcs-Git: https://anonscm.debian.org/git/pkg-grass/mapproxy.git -b stretch Homepage: http://mapproxy.org/ X-Python-Version: >= 2.7 diff -Nru mapproxy-1.9.0/debian/gbp.conf mapproxy-1.9.0/debian/gbp.conf --- mapproxy-1.9.0/debian/gbp.conf 2016-08-14 12:48:50.0 +0200 +++ mapproxy-1.9.0/debian/gbp.conf 2018-01-07 09:33:15.0 +0100 
@@ -6,7 +6,7 @@ # The default name for the Debian branch is "master". # Change it if the name is different (for instance, "debian/unstable"). -debian-branch = master +debian-branch = stretch # git-import-orig uses the following names for the upstream tags. # Change the value if you are not using git-import-orig diff -Nru mapproxy-1.9.0/debian/patches/0001-demo-escape-args-to-avoid-XSS.patch mapproxy-1.9.0/debian/patches/0001-demo-escape-args-to-avoid-XSS.patch --- mapproxy-1.9.0/debian/patches/0001-demo-escape-args-to-avoid-XSS.patch 1970-01-01 01:00:00.0 +0100 +++ mapproxy-1.9.0/debian/patches/0001-demo-escape-args-to-avoid-XSS.patch 2018-01-07 09:33:15.0 +0100 
@@ -0,0 +1,66 @@ +Description: demo: escape args to avoid XSS + Fixes CVE-2017-1000426, +Author: Oliver Tonnhofer +Origin: https://github.com/mapproxy/mapproxy/commit/87faa667007b00ef11ee09b16707aa9ad2e8da28 + +--- a/mapproxy/service/demo.py b/mapproxy/service/demo.py +@@ -22,6 +22,7 @@ import os + import pkg_resources + import mimetypes + from collections import defaultdict ++from xml.sax.saxutils import escape + + from mapproxy.config.config import base_config + from mapproxy.compat import PY2 +@@ -108,7 +109,10 @@ class DemoServer(Server): + demo = self._render_capabilities_template('demo/capabilities_demo.html', capabilities, 'WMTS', url) + elif 'tms_capabilities' in req.args: + if 'layer' in req.args and 'srs' in req.args: +-url = '%s/tms/1.0.0/%s/%s'%(req.script_url, req.args['layer'], req.args['srs']) ++# prevent dir traversal (seems it's not possible with urllib2, but better safe then sorry) ++layer = req.args['layer'].replace('..', '') ++srs = req.args['srs'].replace('..', '') ++url = '%s/tms/1.0.0/%s/%s'%(req.script_url, layer, srs) + else: + url = '%s/tms/1.0.0/'%(req.script_url) + capabilities = urllib2.urlopen(url) +@@ -171,14 +175,14 @@ class DemoServer(Server): + def _render_wms_template(self, template, req): + template = get_template(template, default_inherit="demo/static.html") + layer = self.layers[req.args['wms_layer']] +-srs = req.args['srs'] ++srs = escape(req.args['srs']) + bbox = layer.extent.bbox_for(SRS(srs)) + width = bbox[2] - bbox[0] + height = bbox[3] - bbox[1] + min_res = max(width/256, height/256) + return template.substitute(layer=layer, +image_formats=self.image_formats, +- format=req.args['format'], ++ format=escape(req.args['format']), +srs=srs, +layer_srs=self.layer_srs, +bbox=bbox, +@@ -202,8 +206,8 @@ class DemoServer(Server): + else: + add_res_to_options = False + return template.substitute(layer=tile_layer, +- srs=req.args['srs'], +- format=req.args['format'], ++
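Review bot: in the tms_capabilities hunk, `req.args['layer'].replace('..', '')` is a blacklist: it leaves `/`, `?`, `#` and percent-encoded sequences untouched, so the value can still steer the server-side `urllib2.urlopen(url)` to another path on the same host or append query parameters. Percent-encode the two path segments instead, `urllib.quote(value, safe='')` (`urllib.parse.quote` on Python 3); that covers traversal as well and makes the "better safe than sorry" comment unnecessary.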
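Review bot: in the _render_wms_template hunk, `srs = escape(req.args['srs'])` runs before `bbox_for(SRS(srs))`, so the parser sees the already-escaped string; keep the raw value for SRS() and escape only in the `template.substitute()` arguments. More important, `xml.sax.saxutils.escape` rewrites only `&`, `<` and `>`: if the template places `srs` or `format` inside a quoted attribute (an `<option value="...">`, for instance), a `"` in the request argument still terminates the attribute. Pass the extra entities, `escape(value, {'"': '&quot;', "'": '&#39;'})`, or move the escaping into the template engine. The same applies to the tile-template hunk that follows.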
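The patch relies on `xml.sax.saxutils.escape`, which by default touches only `&`, `<` and `>`. The following Python is an added example, not MapProxy code, that renders a request argument into a constructed `<option>` fragment (an assumption about template shape; MapProxy's real demo templates are not reproduced here) once with the patch's `escape()` and once with quote entities added, so the difference between element-content escaping and attribute-safe escaping is visible on a concrete payload.

```python
"""Added example, not MapProxy code: what xml.sax.saxutils.escape() does and
does not neutralise when a request argument lands in HTML.

The <option> fragment below is a constructed stand-in for a template line;
it assumes the argument is used both as an attribute value and as text.
"""
from xml.sax.saxutils import escape

# escape() rewrites only &, < and > unless extra entities are supplied.
ATTR_ENTITIES = {'"': "&quot;", "'": "&#39;"}


def escape_text(value):
    """Safe for element content between tags: what the patch applies."""
    return escape(value)


def escape_attr(value):
    """Safe inside a double- or single-quoted attribute value as well."""
    return escape(value, ATTR_ENTITIES)


def render_option(fmt, esc):
    """Constructed template fragment: the same argument goes into an
    attribute and into the element text, escaped with `esc`."""
    return '<option value="%s">%s</option>' % (esc(fmt), esc(fmt))


def breaks_out_of_attribute(rendered):
    """True when the fragment carries more than the two quotes the template
    itself contributes, i.e. the attribute value was terminated early."""
    return rendered.count('"') > 2


# Constructed payload: closes the attribute and adds an event handler.
PAYLOAD = 'image/png" onmouseover="alert(1)'

if __name__ == "__main__":
    for name, esc in (("escape()", escape_text), ("escape()+quotes", escape_attr)):
        out = render_option(PAYLOAD, esc)
        print(name, "attribute broken:", breaks_out_of_attribute(out))
        print("   ", out)
```

Element-content injection (`<script>...`) is stopped by both variants; only the attribute-safe variant keeps the `"` from ending `value="..."`, which is the gap the reviewer note points out.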
Bug#886319: failed amd64 build of singular 1:4.1.0-p3+ds-2+b1
Debian buildds: > * Source package: singular > * Version: 1:4.1.0-p3+ds-2+b1 > * Architecture: amd64 > * State: failed > * Suite: sid > * Builder: x86-ubc-01.debian.org > * Build log: > https://buildd.debian.org/status/fetch.php?pkg=singular=amd64=1%3A4.1.0-p3%2Bds-2%2Bb1=1515330074=log > > Please note that these notifications do not necessarily mean bug reports > in your package but could also be caused by other packages, temporary > uninstallabilities and arch-specific breakages. A look at the build log > despite this disclaimer would be appreciated however. > This (and other arches) were apparently built against libflint that links against libntl27 the old library: Get:120 http://mirror-ubc.debian.org/debian unstable/main amd64 libflint-2.5.2 amd64 2.5.2-17 [922 kB] I am not sure why this happened; singular is listed as "dependency level 3" on the transition tracker whereas flint is level 2: https://release.debian.org/transitions/html/auto-ntl.html Please re-schedule it to build against flint 2.5.2-17+b1 which should be linked correctly against libntl35. X -- GPG: ed25519/56034877E1F87C35 GPG: rsa4096/1318EFAC5FBBDBCE https://github.com/infinity0/pubkeys.git
Bug#886509: marked as done (britney: drop duplicate 'has new bugs' excuses item)
Your message dated Sun, 07 Jan 2018 12:22:00 + with message-id and subject line Re: Bug#886509: britney: drop duplicate 'has new bugs' excuses item has caused the Debian Bug report #886509, regarding britney: drop duplicate 'has new bugs' excuses item to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 886509: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886509 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: wishlist User: release.debian@packages.debian.org Usertags: britney Please apply this patch to drop the duplicate 'has new bugs' excuses item. The 'Updating foo introduces new bugs:' item includes bug numbers so the 'has new bugs' item is less useful than it. -- bye, pabs https://wiki.debian.org/PaulWise From ceca85e82f047e7763ea1102ccdbf6da548e9932 Mon Sep 17 00:00:00 2001 From: Paul Wise Date: Sat, 6 Jan 2018 11:28:21 +0800 Subject: [PATCH] Drop duplicate 'has new bugs' excuses item The other item includes bug numbers so this one is less useful. --- britney2/policies/policy.py | 3 --- 1 file changed, 3 deletions(-) diff --git a/britney2/policies/policy.py b/britney2/policies/policy.py index e588351..adcc938 100644 --- a/britney2/policies/policy.py +++ b/britney2/policies/policy.py 
@@ -476,9 +476,6 @@ class RCBugPolicy(BasePolicy): old_bugs = rcbugs_info['unique-target-bugs'] excuse.setbugs(old_bugs, new_bugs) if new_bugs: -excuse.addhtml("%s https://bugs.debian.org/cgi-bin/pkgreport.cgi?; \ - "src=%s=critical=grave=serious\" " \ - "target=\"_blank\">has new bugs!" % (source_name, quote(source_name))) excuse.addhtml("Updating %s introduces new bugs: %s" % (source_name, ", ".join( ["https://bugs.debian.org/%s\;>#%s" % (quote(a), a) for a in new_bugs]))) -- 2.15.1 signature.asc Description: This is a digitally signed message part --- End Message --- --- Begin Message --- Paul Wise: > Package: release.debian.org > Severity: wishlist > User: release.debian@packages.debian.org > Usertags: britney > > Please apply this patch to drop the duplicate 'has new bugs' excuses > item. The 'Updating foo introduces new bugs:' item includes bug numbers > so the 'has new bugs' item is less useful than it. > Thanks, this has been deployed on release.d.o and will be visible after the next britney run. Thanks, ~Niels--- End Message ---
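Review bot: the removed `has new bugs!` line was also the only link to the package-wide pkgreport.cgi view filtered to severity critical/grave/serious; the surviving `Updating %s introduces new bugs:` item links each bug number individually and offers no such overview. If that aggregated view is still useful to release-team readers, fold the pkgreport URL into the surviving addhtml() call rather than dropping it with the duplicate wording.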
Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u1
Control: tag -1 + moreinfo The issue in Linux 4.14 with feature set pinning vs. mount operations was not fixed yet so the 2.11.0-3+deb9u1 package that was accepted in the proposed-updates stable queue is not suitable for Stretch currently ⇒ dear release team, feel free to reject or delete it if it helps you ensure it does not land in the next point release. Also, after some discussion with Fabian the proposed change was re-implemented slightly differently in testing/sid; I want to do the same for the Stretch proposed update ⇒ tagging "moreinfo". I'm not sure if I should remove the "confirmed" and/or "pending" tag so in doubt I'll leave it to you to do the right thing. Cheers, -- intrigeri
Processed: Re: Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u1
Processing control commands: > tag -1 + moreinfo Bug #882697 [release.debian.org] stretch-pu: package apparmor/2.11.0-3+deb9u1 Added tag(s) moreinfo. -- 882697: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882697 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Re: Bug#870056: nmu: robustirc-bridge_1.7-1
On Sat, Jan 6, 2018 at 19:19:13 +0100, Michael Stapelberg wrote: > On Sat, Jan 6, 2018 at 6:30 PM, Julien Cristau wrote: > > > also implications on visibility of unreleased security updates, so the > > set of people with access needs to stay limited. > > > Just to confirm: is this a side-effect of getting the permission? Being > able to schedule binNMUs doesn’t sound related to security updates to me :) > Yes. Side effect of getting more than guest/read-only access to wanna-build. Cheers, Julien