Bug#886593: stretch-pu: package qtpass/1.1.6-1

2018-01-07 Thread Philip Rinn
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

the current version in stable has an insecure built-in password generator. As
the built-in password generator is not used in qtpass' default config, the
security team asked me to fix it via stretch-pu.
Here is the corresponding link:
https://security-tracker.debian.org/tracker/source-package/qtpass

I attached the debdiff (the fix is adopted from upstream, see
https://github.com/IJHack/QtPass/issues/338 for reference).

May I go ahead?

Best,

Philip
diff -Nru qtpass-1.1.6/debian/changelog qtpass-1.1.6/debian/changelog
--- qtpass-1.1.6/debian/changelog   2016-12-02 16:23:16.0 +0100
+++ qtpass-1.1.6/debian/changelog   2018-01-07 13:45:10.0 +0100
@@ -1,3 +1,9 @@
+qtpass (1.1.6-1+deb9u1) stretch; urgency=medium
+
+  * Fix insecure built-in password generator (Fixes: CVE-2017-18021)
+
+ -- Philip Rinn   Sun, 07 Jan 2018 13:45:10 +0100
+
 qtpass (1.1.6-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru qtpass-1.1.6/debian/NEWS qtpass-1.1.6/debian/NEWS
--- qtpass-1.1.6/debian/NEWS1970-01-01 01:00:00.0 +0100
+++ qtpass-1.1.6/debian/NEWS2018-01-07 13:45:10.0 +0100
@@ -0,0 +1,15 @@
+qtpass (1.1.6-1+deb9u1) stretch; urgency=medium
+
+  All passwords generated with QtPass' built-in password generator prior to
+  1.1.6-1+deb9u1 are possibly predictable and enumerable by hackers.
+  The generator used libc's random(), seeded with srand(msecs), where msecs is
+  not the msecs since 1970 (not that that'd be secure anyway), but rather the
+  msecs since the last second. This means there are only 1000 different
+  sequences of generated passwords.
+  .
+  NB: QtPass uses `pwgen` to generate passwords by default. This means, if you
+  didn't change the configuration to use the built-in password generator your
+  passwords are safe. If you used the built-in password generator, change all
+  passwords you generated with QtPass.
+
+ -- Philip Rinn   Sun, 07 Jan 2018 13:45:10 +0100
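Review bot: the NEWS entry should carry the CVE id (CVE-2017-18021, which the changelog hunk above already names) so that users who find the advisory via the security tracker can match it to this text; a line such as "(CVE-2017-18021)" after the first sentence is enough. The explanation itself is slightly off from the code being changed: it blames libc's random()/srand(msecs), whereas the patch removes a qsrand(QTime::currentTime().msec()) seed and a qrand() call; since those Qt wrappers sit on top of the C library generator the substance is right, but naming qsrand()/qrand() lets affected users grep for exactly what was replaced. The practical advice (pwgen is the default; regenerate anything produced by the built-in generator) is the important part and reads clearly.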
diff -Nru qtpass-1.1.6/debian/patches/01-fix-password-generator.patch 
qtpass-1.1.6/debian/patches/01-fix-password-generator.patch
--- qtpass-1.1.6/debian/patches/01-fix-password-generator.patch 1970-01-01 
01:00:00.0 +0100
+++ qtpass-1.1.6/debian/patches/01-fix-password-generator.patch 2018-01-04 
22:38:41.0 +0100
@@ -0,0 +1,67 @@
+--- a/mainwindow.cpp
 b/mainwindow.cpp
+@@ -67,7 +67,6 @@
+   connect(actionAddPassword, SIGNAL(triggered()), this,
+   SLOT(on_addButton_clicked()));
+   connect(actionAddFolder, SIGNAL(triggered()), this, SLOT(addFolder()));
+-  qsrand(static_cast(QTime::currentTime().msec()));
+ 
+ #if QT_VERSION >= QT_VERSION_CHECK(5, 2, 0)
+   ui->lineEdit->setClearButtonEnabled(true);
+@@ -1900,10 +1899,10 @@
+ else
+   qDebug() << "pwgen fail";
+   } else {
+-int charsetLength = pwdConfig.Characters[selection].length();
++quint32 charsetLength = pwdConfig.Characters[selection].length();
+ if (charsetLength > 0) {
+   for (int i = 0; i < length; ++i) {
+-int index = qrand() % charsetLength;
++quint32 index = Util::boundedRandom(charsetLength);
+ QChar nextChar = pwdConfig.Characters[selection].at(index);
+ passwd.append(nextChar);
+   }
+--- a/util.cpp
 b/util.cpp
+@@ -9,6 +9,9 @@
+ #else
+ #include 
+ #endif
++#include 
++#include 
++#include 
+ QProcessEnvironment Util::_env;
+ bool Util::_envInitialised;
+ 
+@@ -137,3 +140,21 @@
+   nanosleep(, NULL);
+ #endif
+ }
++
++quint32 Util::boundedRandom(quint32 bound) {
++  static int fd = -1;
++  if (bound < 2)
++  return 0;
++
++  if (fd == -1)
++  assert((fd = open("/dev/urandom", O_RDONLY)) >= 0);
++
++  quint32 randval;
++  const quint32 max_mod_bound = (1 + ~bound) % bound;
++
++  do
++  assert(read(fd, , sizeof(randval)) == sizeof(randval));
++  while (randval < max_mod_bound);
++
++  return randval % bound;
++}
+--- a/util.h
 b/util.h
+@@ -16,6 +16,7 @@
+   static bool checkConfig(QString passStore, QString passExecutable,
+   QString gpgExecutable);
+   static void qSleep(int ms);
++  static quint32 boundedRandom(quint32 bound);
+ 
+ private:
+   static void initialiseEnvironment();
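Review bot: in the new Util::boundedRandom() the open() of /dev/urandom and the read() are written inside assert(); if the package is ever built with NDEBUG defined those expressions are compiled out entirely, so fd stays -1, randval is never written, and the function returns an uninitialised value modulo bound, which is exactly the class of bug this update is meant to remove. Perform the calls unconditionally and handle failure explicitly, for example `fd = open("/dev/urandom", O_RDONLY); if (fd < 0) abort();` and a loop that retries on EINTR or a short read instead of asserting `read(...) == sizeof(randval)`. The rejection threshold `(1 + ~bound) % bound` evaluates to 2^32 mod bound in unsigned arithmetic, so discarding randval below it makes `randval % bound` uniform; that is correct but non-obvious and deserves a one-line comment. Finally, unlike the mapproxy patch in the next report, this patch file has no DEP-3 header (Description, Origin pointing at the upstream issue, Bug); please add one so the provenance of the fix is recorded in the package itself.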
diff -Nru qtpass-1.1.6/debian/patches/series qtpass-1.1.6/debian/patches/series
--- qtpass-1.1.6/debian/patches/series  1970-01-01 01:00:00.0 +0100
+++ qtpass-1.1.6/debian/patches/series  2018-01-04 22:11:50.0 +0100
@@ -0,0 +1 @@
+01-fix-password-generator.patch
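The construction the patch adds (a 32-bit value from /dev/urandom, rejection-sampled so that `% bound` is unbiased) is shown again below as an added example; it is not QtPass code and not part of the Debian patch. It keeps the same threshold arithmetic but replaces the assert()-wrapped open()/read() with explicit error handling, so a build with NDEBUG cannot silently skip the entropy source. The names bounded_random, rejection_threshold, fill_random and generate_password are my own, and the charset in main() is a constructed sample.

```cpp
// Added example (not QtPass code): unbiased bounded random values from
// /dev/urandom via rejection sampling, with explicit error handling.
#include <cerrno>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <stdexcept>
#include <string>
#include <fcntl.h>
#include <unistd.h>

// Smallest raw value that is NOT rejected: 2^32 mod bound. The patch writes
// the same quantity as (1 + ~bound) % bound using 32-bit unsigned wrap-around.
// Every raw value >= this threshold lies in a range whose size is a multiple
// of bound, so `raw % bound` is uniform over [0, bound).
uint32_t rejection_threshold(uint32_t bound) {
    return static_cast<uint32_t>(0u - bound) % bound;
}

// Fill `n` bytes from /dev/urandom. Retries on EINTR and short reads and
// throws on any failure, so the caller never sees uninitialised bytes.
static void fill_random(void* buf, size_t n) {
    static int fd = -1;
    if (fd == -1) {
        fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
        if (fd == -1)
            throw std::runtime_error(std::string("open /dev/urandom: ") + std::strerror(errno));
    }
    unsigned char* p = static_cast<unsigned char*>(buf);
    while (n > 0) {
        ssize_t r = read(fd, p, n);
        if (r < 0) {
            if (errno == EINTR) continue;
            throw std::runtime_error(std::string("read /dev/urandom: ") + std::strerror(errno));
        }
        if (r == 0) throw std::runtime_error("read /dev/urandom: unexpected EOF");
        p += r;
        n -= static_cast<size_t>(r);
    }
}

// Uniform value in [0, bound). bound == 0 is a caller error; bound == 1 is 0.
uint32_t bounded_random(uint32_t bound) {
    if (bound == 0) throw std::invalid_argument("bound must be > 0");
    if (bound == 1) return 0;
    const uint32_t threshold = rejection_threshold(bound);
    uint32_t raw;
    do {
        fill_random(&raw, sizeof raw);
    } while (raw < threshold);  // reject the biased low range and draw again
    return raw % bound;
}

// Password of `length` characters, each drawn uniformly from `charset`.
std::string generate_password(const std::string& charset, size_t length) {
    if (charset.empty()) throw std::invalid_argument("charset must not be empty");
    std::string pw;
    pw.reserve(length);
    for (size_t i = 0; i < length; ++i)
        pw.push_back(charset[bounded_random(static_cast<uint32_t>(charset.size()))]);
    return pw;
}

// Sanity check used by the tests: every sample stays strictly below bound.
bool all_below_bound(uint32_t bound, int samples) {
    for (int i = 0; i < samples; ++i)
        if (bounded_random(bound) >= bound) return false;
    return true;
}

int main() {
    // Constructed sample charset; prints one 16-character password.
    std::printf("%s\n", generate_password("abcdefghijklmnopqrstuvwxyz0123456789", 16).c_str());
    return 0;
}
```

The threshold function is what makes the `% bound` step safe: for a charset of 62 characters, 2^32 mod 62 is 4, so only raw values 0 to 3 are thrown away, and the retry loop terminates almost immediately.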


Bug#886589: stretch-pu: package mapproxy/1.9.0-3+deb9u1

2018-01-07 Thread Bas Couwenberg
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

To fix CVE-2017-1000426 an update of mapproxy for stretch has been
prepared, but the security team doesn't consider the issue severe enough
to warrant a DSA.

Is this change okay to upload to proposed-updates?

Kind Regards,

Bas
diff -Nru mapproxy-1.9.0/debian/changelog mapproxy-1.9.0/debian/changelog
--- mapproxy-1.9.0/debian/changelog 2016-08-22 11:56:27.0 +0200
+++ mapproxy-1.9.0/debian/changelog 2018-01-07 09:33:15.0 +0100
@@ -1,3 +1,11 @@
+mapproxy (1.9.0-3+deb9u1) stretch; urgency=medium
+
+  * Update branch in gbp.conf & Vcs-Git URL.
+  * Add upstream patch to fix Cross Site Scripting (XSS) issue in demo service.
+Fixes CVE-2017-1000426.
+
+ -- Bas Couwenberg   Sun, 07 Jan 2018 09:33:15 +0100
+
 mapproxy (1.9.0-3) unstable; urgency=medium
 
   * Add access_contraints patch ignored by .gitignore.
diff -Nru mapproxy-1.9.0/debian/control mapproxy-1.9.0/debian/control
--- mapproxy-1.9.0/debian/control   2016-08-14 12:48:50.0 +0200
+++ mapproxy-1.9.0/debian/control   2018-01-07 09:33:15.0 +0100
@@ -37,7 +37,7 @@
xsltproc
 Standards-Version: 3.9.8
 Vcs-Browser: https://anonscm.debian.org/cgit/pkg-grass/mapproxy.git
-Vcs-Git: https://anonscm.debian.org/git/pkg-grass/mapproxy.git
+Vcs-Git: https://anonscm.debian.org/git/pkg-grass/mapproxy.git -b stretch
 Homepage: http://mapproxy.org/
 X-Python-Version: >= 2.7
 
diff -Nru mapproxy-1.9.0/debian/gbp.conf mapproxy-1.9.0/debian/gbp.conf
--- mapproxy-1.9.0/debian/gbp.conf  2016-08-14 12:48:50.0 +0200
+++ mapproxy-1.9.0/debian/gbp.conf  2018-01-07 09:33:15.0 +0100
@@ -6,7 +6,7 @@
 
 # The default name for the Debian branch is "master".
 # Change it if the name is different (for instance, "debian/unstable").
-debian-branch = master
+debian-branch = stretch
 
 # git-import-orig uses the following names for the upstream tags.
 # Change the value if you are not using git-import-orig
diff -Nru 
mapproxy-1.9.0/debian/patches/0001-demo-escape-args-to-avoid-XSS.patch 
mapproxy-1.9.0/debian/patches/0001-demo-escape-args-to-avoid-XSS.patch
--- mapproxy-1.9.0/debian/patches/0001-demo-escape-args-to-avoid-XSS.patch  
1970-01-01 01:00:00.0 +0100
+++ mapproxy-1.9.0/debian/patches/0001-demo-escape-args-to-avoid-XSS.patch  
2018-01-07 09:33:15.0 +0100
@@ -0,0 +1,66 @@
+Description: demo: escape args to avoid XSS
+ Fixes CVE-2017-1000426,
+Author: Oliver Tonnhofer 
+Origin: 
https://github.com/mapproxy/mapproxy/commit/87faa667007b00ef11ee09b16707aa9ad2e8da28
+
+--- a/mapproxy/service/demo.py
 b/mapproxy/service/demo.py
+@@ -22,6 +22,7 @@ import os
+ import pkg_resources
+ import mimetypes
+ from collections import defaultdict
++from xml.sax.saxutils import escape
+ 
+ from mapproxy.config.config import base_config
+ from mapproxy.compat import PY2
+@@ -108,7 +109,10 @@ class DemoServer(Server):
+ demo = 
self._render_capabilities_template('demo/capabilities_demo.html', capabilities, 
'WMTS', url)
+ elif 'tms_capabilities' in req.args:
+ if 'layer' in req.args and 'srs' in req.args:
+-url = '%s/tms/1.0.0/%s/%s'%(req.script_url, 
req.args['layer'], req.args['srs'])
++# prevent dir traversal (seems it's not possible with 
urllib2, but better safe then sorry)
++layer = req.args['layer'].replace('..', '')
++srs = req.args['srs'].replace('..', '')
++url = '%s/tms/1.0.0/%s/%s'%(req.script_url, layer, srs)
+ else:
+ url = '%s/tms/1.0.0/'%(req.script_url)
+ capabilities = urllib2.urlopen(url)
+@@ -171,14 +175,14 @@ class DemoServer(Server):
+ def _render_wms_template(self, template, req):
+ template = get_template(template, default_inherit="demo/static.html")
+ layer = self.layers[req.args['wms_layer']]
+-srs = req.args['srs']
++srs = escape(req.args['srs'])
+ bbox = layer.extent.bbox_for(SRS(srs))
+ width = bbox[2] - bbox[0]
+ height = bbox[3] - bbox[1]
+ min_res = max(width/256, height/256)
+ return template.substitute(layer=layer,
+image_formats=self.image_formats,
+-   format=req.args['format'],
++   format=escape(req.args['format']),
+srs=srs,
+layer_srs=self.layer_srs,
+bbox=bbox,
+@@ -202,8 +206,8 @@ class DemoServer(Server):
+ else:
+ add_res_to_options = False
+ return template.substitute(layer=tile_layer,
+-   srs=req.args['srs'],
+-   format=req.args['format'],
++   
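Review bot: xml.sax.saxutils.escape replaces only `&`, `<` and `>` by default, so the new `escape(req.args['srs'])` and `escape(req.args['format'])` calls in _render_wms_template are sufficient for text content but not for an attribute value; if the demo template places either value inside `value="..."` or `href="..."`, pass the extra entities (`escape(value, {'"': '&quot;', "'": '&#39;'})`) or rely on the template engine's HTML escaping. The `.replace('..', '')` lines in the tms_capabilities branch rewrite the input rather than rejecting it; a single str.replace pass does strip every literal `..`, but validating `layer` against the known layer names (the wms branch already indexes `self.layers[...]`) would be the stricter check. The hunk for the tile template is cut off in this copy right after `-format=req.args['format'],`, so the replacement lines for the tile-template arguments cannot be confirmed from what is quoted here. Cosmetics: "better safe then sorry" should read "than", and the DEP-3 header has a stray comma after "Fixes CVE-2017-1000426" and could carry a Bug-Debian field.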

Bug#886319: failed amd64 build of singular 1:4.1.0-p3+ds-2+b1

2018-01-07 Thread Ximin Luo
Debian buildds:
>  * Source package: singular
>  * Version: 1:4.1.0-p3+ds-2+b1
>  * Architecture: amd64
>  * State: failed
>  * Suite: sid
>  * Builder: x86-ubc-01.debian.org
>  * Build log: 
> https://buildd.debian.org/status/fetch.php?pkg=singular=amd64=1%3A4.1.0-p3%2Bds-2%2Bb1=1515330074=log
> 
> Please note that these notifications do not necessarily mean bug reports
> in your package but could also be caused by other packages, temporary
> uninstallabilities and arch-specific breakages.  A look at the build log
> despite this disclaimer would be appreciated however.
> 

This (and other arches) were apparently built against libflint that links 
against libntl27, the old library:

Get:120 http://mirror-ubc.debian.org/debian unstable/main amd64 libflint-2.5.2 
amd64 2.5.2-17 [922 kB]

I am not sure why this happened; singular is listed as "dependency level 3" on 
the transition tracker whereas flint is level 2:

https://release.debian.org/transitions/html/auto-ntl.html

Please re-schedule it to build against flint 2.5.2-17+b1 which should be linked 
correctly against libntl35.

X

-- 
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git



Bug#886509: marked as done (britney: drop duplicate 'has new bugs' excuses item)

2018-01-07 Thread Debian Bug Tracking System
Your message dated Sun, 07 Jan 2018 12:22:00 +
with message-id 
and subject line Re: Bug#886509: britney: drop duplicate 'has new bugs' excuses 
item
has caused the Debian Bug report #886509,
regarding britney: drop duplicate 'has new bugs' excuses item
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
886509: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886509
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: wishlist
User: release.debian@packages.debian.org
Usertags: britney

Please apply this patch to drop the duplicate 'has new bugs' excuses
item. The 'Updating foo introduces new bugs:' item includes bug numbers
so the 'has new bugs' item is less useful than it.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
From ceca85e82f047e7763ea1102ccdbf6da548e9932 Mon Sep 17 00:00:00 2001
From: Paul Wise 
Date: Sat, 6 Jan 2018 11:28:21 +0800
Subject: [PATCH] Drop duplicate 'has new bugs' excuses item

The other item includes bug numbers so this one is less useful.
---
 britney2/policies/policy.py | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/britney2/policies/policy.py b/britney2/policies/policy.py
index e588351..adcc938 100644
--- a/britney2/policies/policy.py
+++ b/britney2/policies/policy.py
@@ -476,9 +476,6 @@ class RCBugPolicy(BasePolicy):
 old_bugs = rcbugs_info['unique-target-bugs']
 excuse.setbugs(old_bugs, new_bugs)
 if new_bugs:
-excuse.addhtml("%s https://bugs.debian.org/cgi-bin/pkgreport.cgi?; \
-   "src=%s=critical=grave=serious\" " \
-   "target=\"_blank\">has new bugs!" % (source_name, quote(source_name)))
 excuse.addhtml("Updating %s introduces new bugs: %s" % (source_name, ", ".join(
 ["https://bugs.debian.org/%s\;>#%s" % (quote(a), a) for a in new_bugs])))
 
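Review bot: the removed excuse.addhtml() line was the only one that linked to the severity-filtered pkgreport query (critical/grave/serious for the source), whereas the retained "Updating %s introduces new bugs" item links each bug individually; if that overview link is still useful to readers of the excuses page, fold it into the retained line instead of dropping it. Separately, both the removed and the retained line interpolate source_name into HTML unescaped (only the URL copy goes through quote()); package names are tightly constrained, but wrapping the displayed name in html.escape() would make the remaining line self-evidently safe.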
-- 
2.15.1



--- End Message ---
--- Begin Message ---
Paul Wise:
> Package: release.debian.org
> Severity: wishlist
> User: release.debian@packages.debian.org
> Usertags: britney
> 
> Please apply this patch to drop the duplicate 'has new bugs' excuses
> item. The 'Updating foo introduces new bugs:' item includes bug numbers
> so the 'has new bugs' item is less useful than it.
> 

Thanks, this has been deployed on release.d.o and will be visible after
the next britney run.

Thanks,
~Niels
--- End Message ---


Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u1

2018-01-07 Thread intrigeri
Control: tag -1 + moreinfo

The issue in Linux 4.14 with feature set pinning vs. mount operations
was not fixed yet so the 2.11.0-3+deb9u1 package that was accepted in
the proposed-updates stable queue is not suitable for Stretch
currently ⇒ dear release team, feel free to reject or delete it if it
helps you ensure it does not land in the next point release.

Also, after some discussion with Fabian the proposed change was
re-implemented slightly differently in testing/sid; I want to do the
same for the Stretch proposed update ⇒ tagging "moreinfo".

I'm not sure if I should remove the "confirmed" and/or "pending" tag
so in doubt I'll leave it to you to do the right thing.

Cheers,
-- 
intrigeri



Processed: Re: Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u1

2018-01-07 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 + moreinfo
Bug #882697 [release.debian.org] stretch-pu: package apparmor/2.11.0-3+deb9u1
Added tag(s) moreinfo.

-- 
882697: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882697
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Re: Bug#870056: nmu: robustirc-bridge_1.7-1

2018-01-07 Thread Julien Cristau
On Sat, Jan  6, 2018 at 19:19:13 +0100, Michael Stapelberg wrote:

> On Sat, Jan 6, 2018 at 6:30 PM, Julien Cristau  wrote:
> 
> > also implications on visibility of unreleased security updates, so the
> > set of people with access needs to stay limited.
> 
> 
> Just to confirm: is this a side-effect of getting the permission? Being
> able to schedule binNMUs doesn’t sound related to security updates to me :)
> 
Yes.  Side effect of getting more than guest/read-only access to
wanna-build.

Cheers,
Julien