Bug#896945: stretch-pu: package cffi/0.18.0-1+deb9u1

2018-04-26 Thread Sébastien Villemot 
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear Release Team,

I have prepared (and uploaded) an update to the cffi package that fixes
#894543. The debdiff is attached.

Best,

-- 
⢀⣴⠾⠻⢶⣦⠀  Sébastien Villemot
⣾⠁⢠⠒⠀⣿⡁  Debian Developer
⢿⡄⠘⠷⠚⠋⠀  http://sebastien.villemot.name
⠈⠳⣄  http://www.debian.org
diff -u cffi-0.18.0/debian/changelog cffi-0.18.0/debian/changelog
--- cffi-0.18.0/debian/changelog
+++ cffi-0.18.0/debian/changelog
@@ -1,3 +1,12 @@
+cffi (1:0.18.0-1+deb9u1) stretch; urgency=medium
+
+  * Add missing files for cffi-libffi and cffi-toolchain. (Closes: #894543)
+  * Add missing Depends on gcc (for cffi-toolchain), pkg-config and
+libc6-dev | libc-dev (for cffi-grovel) and libffi-dev (for
+cffi-libffi).
+
+ -- Sébastien Villemot   Thu, 26 Apr 2018 08:24:48 +
+
 cffi (1:0.18.0-1) unstable; urgency=medium
 
   * Quicklisp release update.
diff -u cffi-0.18.0/debian/control cffi-0.18.0/debian/control
--- cffi-0.18.0/debian/control
+++ cffi-0.18.0/debian/control
@@ -11,7 +11,11 @@
 
 Package: cl-cffi
 Architecture: all
-Depends: ${misc:Depends}, cl-alexandria,  cl-trivial-features, cl-babel
+Depends: ${misc:Depends}, cl-alexandria,  cl-trivial-features, cl-babel,
+ gcc,
+ libc6-dev | libc-dev,
+ pkg-config,
+ libffi-dev
 Description: The Common Foreign Function Interface for Common Lisp
  CFFI, the Common Foreign Function Interface, purports to be a portable foreign
  function interface for Common Lisp. The CFFI library is composed of a
diff -u cffi-0.18.0/debian/install cffi-0.18.0/debian/install
--- cffi-0.18.0/debian/install
+++ cffi-0.18.0/debian/install
@@ -1 +1 @@
-*.asd examples/  tests/  uffi-compat/ src/ grovel/ usr/share/common-lisp/source/cl-cffi/
+*.asd examples/  tests/  uffi-compat/ src/ grovel/ libffi/ toolchain/ usr/share/common-lisp/source/cl-cffi/


signature.asc
Description: PGP signature

Bug#896942: jessie-pu: package xerces-c/3.1.1-5.1+deb8u3

2018-04-26 Thread William Blough 
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

I would like to update xerces-c in a future point release.  This update
will fix one issue:

  * Fix CVE-2017-12627: Alberto Garcia, Francisco Oca and Suleman Ali of
Offensive Research discovered that the Xerces-C XML parser mishandles
certain kinds of external DTD references, resulting in dereference of a
NULL pointer while processing the path to the DTD. The bug allows for a
denial of service attack in applications that allow DTD processing and do
not prevent external DTD usage, and could conceivably result in remote code
execution.

The CVE was deemed by the security team to not be critical enough for a
DSA, but they suggested that it might be included in a point release.

This issue has been fixed in unstable, and I have attached a debdiff
that reflects the desired changes.

Regards,
Bill


-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru xerces-c-3.1.1/debian/changelog xerces-c-3.1.1/debian/changelog
--- xerces-c-3.1.1/debian/changelog 2016-06-29 10:47:44.0 -0400
+++ xerces-c-3.1.1/debian/changelog 2018-04-26 00:28:32.0 -0400
@@ -1,3 +1,15 @@
+xerces-c (3.1.1-5.1+deb8u4) jessie; urgency=medium
+
+  * Fix CVE-2017-12627: Alberto Garcia, Francisco Oca and Suleman Ali of
+Offensive Research discovered that the Xerces-C XML parser mishandles
+certain kinds of external DTD references, resulting in dereference of a
+NULL pointer while processing the path to the DTD. The bug allows for a
+denial of service attack in applications that allow DTD processing and do
+not prevent external DTD usage, and could conceivably result in remote code
+execution.
+
+ -- William Blough   Thu, 26 Apr 2018 00:28:32 -0400
+
 xerces-c (3.1.1-5.1+deb8u3) jessie-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru xerces-c-3.1.1/debian/patches/CVE-2017-12627.patch 
xerces-c-3.1.1/debian/patches/CVE-2017-12627.patch
--- xerces-c-3.1.1/debian/patches/CVE-2017-12627.patch  1969-12-31 
19:00:00.0 -0500
+++ xerces-c-3.1.1/debian/patches/CVE-2017-12627.patch  2018-04-26 
00:28:32.0 -0400
@@ -0,0 +1,26 @@
+From: Markus Koschany 
+Date: Thu, 29 Mar 2018 20:58:48 +0200
+Subject: CVE-2017-12627
+
+Origin: https://svn.apache.org/viewvc?view=revision=1819998
+Upstream-Advisory: https://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt
+---
+ src/xercesc/util/PlatformUtils.cpp | 5 -
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/xercesc/util/PlatformUtils.cpp 
b/src/xercesc/util/PlatformUtils.cpp
+index eee1dc5..39c71ac 100644
+--- a/src/xercesc/util/PlatformUtils.cpp
 b/src/xercesc/util/PlatformUtils.cpp
+@@ -920,7 +920,10 @@ XMLCh* XMLPlatformUtils::weavePaths(const XMLCh* const
basePath
+ 
+ XMLString::subString(tmpBuf, basePath, 0, (basePtr - basePath + 1), 
manager);
+ tmpBuf[basePtr - basePath + 1] = 0;
+-XMLString::catString(tmpBuf, relativePath);
++if (relativePath)
++{
++XMLString::catString(tmpBuf, relativePath);
++}
+ 
+ removeDotSlash(tmpBuf, manager);
+ 
diff -Nru xerces-c-3.1.1/debian/patches/series 
xerces-c-3.1.1/debian/patches/series
--- xerces-c-3.1.1/debian/patches/series2016-06-29 10:47:44.0 
-0400
+++ xerces-c-3.1.1/debian/patches/series2018-04-26 00:28:32.0 
-0400
@@ -4,3 +4,4 @@
 CVE-2016-2099.patch
 CVE-2016-4463.patch
 disable-DTD-processing-through-envvariable.patch
+CVE-2017-12627.patch

Bug#896940: stretch-pu: package xerces-c/3.1.4+debian-2

2018-04-26 Thread William Blough 
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

I would like to update xerces-c in a future point release.  This update
will fix two issues:

  * Fix CVE-2017-12627: Alberto Garcia, Francisco Oca and Suleman Ali of
Offensive Research discovered that the Xerces-C XML parser mishandles
certain kinds of external DTD references, resulting in dereference of a
NULL pointer while processing the path to the DTD. The bug allows for a
denial of service attack in applications that allow DTD processing and do
not prevent external DTD usage, and could conceivably result in remote code
execution.
  * Fix a regression that forced gcc to use SSE2, even on platforms that do not
support it (e.g., i386).  This caused program crashes due to invalid CPU
instructions.


The CVE was deemed by the security team to not be critical enough for a
DSA, but they suggested that it might be included in a point release.

Both of these issues have been fixed in unstable, and I have attached a
debdiff that reflects the desired changes.

Regards,
Bill

-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru xerces-c-3.1.4+debian/debian/changelog 
xerces-c-3.1.4+debian/debian/changelog
--- xerces-c-3.1.4+debian/debian/changelog  2016-12-16 06:52:57.0 
-0500
+++ xerces-c-3.1.4+debian/debian/changelog  2018-04-26 00:35:59.0 
-0400
@@ -1,3 +1,18 @@
+xerces-c (3.1.4+debian-2+deb9u1) stretch; urgency=medium
+
+  * Fix CVE-2017-12627: Alberto Garcia, Francisco Oca and Suleman Ali of
+Offensive Research discovered that the Xerces-C XML parser mishandles
+certain kinds of external DTD references, resulting in dereference of a
+NULL pointer while processing the path to the DTD. The bug allows for a
+denial of service attack in applications that allow DTD processing and do
+not prevent external DTD usage, and could conceivably result in remote code
+execution.
+  * Fix a regression that forced gcc to use SSE2, even on platforms that do not
+support it (e.g., i386).  This caused program crashes due to invalid CPU
+instructions.
+
+ -- William Blough   Thu, 26 Apr 2018 00:35:59 -0400
+
 xerces-c (3.1.4+debian-2) unstable; urgency=medium
 
   * Fix AC_LANG_SOURCE warnings.
diff -Nru xerces-c-3.1.4+debian/debian/patches/CVE-2017-12627.patch 
xerces-c-3.1.4+debian/debian/patches/CVE-2017-12627.patch
--- xerces-c-3.1.4+debian/debian/patches/CVE-2017-12627.patch   1969-12-31 
19:00:00.0 -0500
+++ xerces-c-3.1.4+debian/debian/patches/CVE-2017-12627.patch   2018-04-26 
00:35:59.0 -0400
@@ -0,0 +1,26 @@
+From: Markus Koschany 
+Date: Thu, 29 Mar 2018 20:58:48 +0200
+Subject: CVE-2017-12627
+
+Origin: https://svn.apache.org/viewvc?view=revision=1819998
+Upstream-Advisory: https://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt
+---
+ src/xercesc/util/PlatformUtils.cpp | 5 -
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/xercesc/util/PlatformUtils.cpp 
b/src/xercesc/util/PlatformUtils.cpp
+index eee1dc5..39c71ac 100644
+--- a/src/xercesc/util/PlatformUtils.cpp
 b/src/xercesc/util/PlatformUtils.cpp
+@@ -920,7 +920,10 @@ XMLCh* XMLPlatformUtils::weavePaths(const XMLCh* const
basePath
+ 
+ XMLString::subString(tmpBuf, basePath, 0, (basePtr - basePath + 1), 
manager);
+ tmpBuf[basePtr - basePath + 1] = 0;
+-XMLString::catString(tmpBuf, relativePath);
++if (relativePath)
++{
++XMLString::catString(tmpBuf, relativePath);
++}
+ 
+ removeDotSlash(tmpBuf, manager);
+ 
diff -Nru xerces-c-3.1.4+debian/debian/patches/series 
xerces-c-3.1.4+debian/debian/patches/series
--- xerces-c-3.1.4+debian/debian/patches/series 2016-12-16 06:52:57.0 
-0500
+++ xerces-c-3.1.4+debian/debian/patches/series 2018-04-26 00:35:59.0 
-0400
@@ -1,3 +1,4 @@
 psviwriter_strrchr_fix
 fix_fprintf_warnings.diff
 fix_ac_lang_source_warnings
+CVE-2017-12627.patch
diff -Nru xerces-c-3.1.4+debian/debian/rules xerces-c-3.1.4+debian/debian/rules
--- xerces-c-3.1.4+debian/debian/rules  2016-12-16 06:52:57.0 -0500
+++ xerces-c-3.1.4+debian/debian/rules  2018-04-26 00:35:59.0 -0400
@@ -15,7 +15,10 @@
dh $@ --with autoreconf
 
 override_dh_auto_configure:
-   dh_auto_configure -- --disable-pretty-make --enable-netaccessor-curl
+   dh_auto_configure -- --disable-pretty-make --enable-netaccessor-curl 
--disable-sse2
+   # Note: This disables explicit passing of -msse2 to gcc.  It does not
+   # actually disable sse2

New Clamav pu for Stretch/Jessie

2018-04-26 Thread Sebastian Andrzej Siewior 
Hi,

I filled #896918 and #896919 for stretch-pu / jessie-pu. The bugs did
not make it to the list due to their size.

  https://bugs.debian.org/896918
  https://bugs.debian.org/896919

Sebastian