Bug#940004: nmu: isl
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Please binNMU these packages for the recent isl upload to unstable: that only affects various gcc packages. The native and cross compilers are uploaded, the -mipsen packages are in unstable only, and stuck in NEW, the remaining one is gcc-mingw-w64. Pinged the maintainer too.
Bug#940003: nmu: rebuild packages for binutils 2.32.51.x
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Please binNMU these packages for the recent binutils upload to unstable:

naev 0.7.0-2
wcc 0.0.2+dfsg-3 (amd64 only)
looking-glass 0+b1-1
NEW changes in oldstable-new
Processing changes file: libreoffice_5.2.7-1+deb9u11_source.changes
  ACCEPT
Processing changes file: libreoffice_5.2.7-1+deb9u11_all.changes
  ACCEPT
Processing changes file: libreoffice_5.2.7-1+deb9u11_amd64.changes
  ACCEPT
Processing changes file: libreoffice_5.2.7-1+deb9u11_arm64.changes
  ACCEPT
Processing changes file: libreoffice_5.2.7-1+deb9u11_armel.changes
  ACCEPT
Processing changes file: libreoffice_5.2.7-1+deb9u11_armhf.changes
  ACCEPT
Processing changes file: libreoffice_5.2.7-1+deb9u11_i386.changes
  ACCEPT
Processing changes file: libreoffice_5.2.7-1+deb9u11_mips.changes
  ACCEPT
Processing changes file: libreoffice_5.2.7-1+deb9u11_mips64el.changes
  ACCEPT
Processing changes file: libreoffice_5.2.7-1+deb9u11_mipsel.changes
  ACCEPT
Processing changes file: libreoffice_5.2.7-1+deb9u11_ppc64el.changes
  ACCEPT
Processing changes file: libreoffice_5.2.7-1+deb9u11_s390x.changes
  ACCEPT
NEW changes in stable-new
Processing changes file: ghostscript_9.27~dfsg-2+deb10u2_sourceonly.changes
  ACCEPT
Processing changes file: ghostscript_9.27~dfsg-2+deb10u2_all.changes
  ACCEPT
Processing changes file: ghostscript_9.27~dfsg-2+deb10u2_amd64.changes
  ACCEPT
Processing changes file: ghostscript_9.27~dfsg-2+deb10u2_arm64.changes
  ACCEPT
Processing changes file: ghostscript_9.27~dfsg-2+deb10u2_armel.changes
  ACCEPT
Processing changes file: ghostscript_9.27~dfsg-2+deb10u2_armhf.changes
  ACCEPT
Processing changes file: ghostscript_9.27~dfsg-2+deb10u2_i386.changes
  ACCEPT
Processing changes file: ghostscript_9.27~dfsg-2+deb10u2_mips.changes
  ACCEPT
Processing changes file: ghostscript_9.27~dfsg-2+deb10u2_mips64el.changes
  ACCEPT
Processing changes file: ghostscript_9.27~dfsg-2+deb10u2_mipsel.changes
  ACCEPT
Processing changes file: ghostscript_9.27~dfsg-2+deb10u2_ppc64el.changes
  ACCEPT
Processing changes file: ghostscript_9.27~dfsg-2+deb10u2_s390x.changes
  ACCEPT
Processing changes file: libreoffice_6.1.5-3+deb10u4_source.changes
  ACCEPT
Processing changes file: libreoffice_6.1.5-3+deb10u4_all.changes
  ACCEPT
Processing changes file: libreoffice_6.1.5-3+deb10u4_amd64.changes
  ACCEPT
Processing changes file: libreoffice_6.1.5-3+deb10u4_arm64.changes
  ACCEPT
Processing changes file: libreoffice_6.1.5-3+deb10u4_armel.changes
  ACCEPT
Processing changes file: libreoffice_6.1.5-3+deb10u4_armhf.changes
  ACCEPT
Processing changes file: libreoffice_6.1.5-3+deb10u4_i386.changes
  ACCEPT
Processing changes file: libreoffice_6.1.5-3+deb10u4_mips.changes
  ACCEPT
Processing changes file: libreoffice_6.1.5-3+deb10u4_mips64el.changes
  ACCEPT
Processing changes file: libreoffice_6.1.5-3+deb10u4_mipsel.changes
  ACCEPT
Processing changes file: libreoffice_6.1.5-3+deb10u4_ppc64el.changes
  ACCEPT
Processing changes file: libreoffice_6.1.5-3+deb10u4_s390x.changes
  ACCEPT
Processing changes file: trafficserver_8.0.2+ds-1+deb10u1_source.changes
  ACCEPT
Processing changes file: trafficserver_8.0.2+ds-1+deb10u1_amd64.changes
  ACCEPT
Processing changes file: trafficserver_8.0.2+ds-1+deb10u1_arm64.changes
  ACCEPT
Processing changes file: trafficserver_8.0.2+ds-1+deb10u1_armhf.changes
  ACCEPT
Processing changes file: trafficserver_8.0.2+ds-1+deb10u1_i386.changes
  ACCEPT
Processing changes file: trafficserver_8.0.2+ds-1+deb10u1_mips.changes
  ACCEPT
Processing changes file: trafficserver_8.0.2+ds-1+deb10u1_mips64el.changes
  ACCEPT
Processing changes file: trafficserver_8.0.2+ds-1+deb10u1_mipsel.changes
  ACCEPT
Processing changes file: trafficserver_8.0.2+ds-1+deb10u1_ppc64el.changes
  ACCEPT
NEW changes in oldstable-new
Processing changes file: ghostscript_9.26a~dfsg-0+deb9u5_sourceonly.changes
  ACCEPT
Processing changes file: ghostscript_9.26a~dfsg-0+deb9u5_all.changes
  ACCEPT
Processing changes file: ghostscript_9.26a~dfsg-0+deb9u5_amd64.changes
  ACCEPT
Processing changes file: ghostscript_9.26a~dfsg-0+deb9u5_arm64.changes
  ACCEPT
Processing changes file: ghostscript_9.26a~dfsg-0+deb9u5_armel.changes
  ACCEPT
Processing changes file: ghostscript_9.26a~dfsg-0+deb9u5_armhf.changes
  ACCEPT
Processing changes file: ghostscript_9.26a~dfsg-0+deb9u5_i386.changes
  ACCEPT
Processing changes file: ghostscript_9.26a~dfsg-0+deb9u5_mips.changes
  ACCEPT
Processing changes file: ghostscript_9.26a~dfsg-0+deb9u5_mips64el.changes
  ACCEPT
Processing changes file: ghostscript_9.26a~dfsg-0+deb9u5_mipsel.changes
  ACCEPT
Processing changes file: ghostscript_9.26a~dfsg-0+deb9u5_ppc64el.changes
  ACCEPT
Processing changes file: ghostscript_9.26a~dfsg-0+deb9u5_s390x.changes
  ACCEPT
Processed: block 939989 with 932677 932679 932683
Processing commands for cont...@bugs.debian.org:

> block 939989 with 932677 932679 932683
Bug #939989 [release.debian.org] transition: gdal
939989 was blocked by: 931944 939872 939891
939989 was not blocking any bugs.
Added blocking bug(s) of 939989: 932677, 932679, and 932683
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
939989: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939989
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: transition: gdal
Processing control commands:

> block -1 by 939872 939891 931944
Bug #939989 [release.debian.org] transition: gdal
939989 was not blocked by any bugs.
939989 was not blocking any bugs.
Added blocking bug(s) of 939989: 939872, 939891, and 931944
> forwarded -1 https://release.debian.org/transitions/html/auto-gdal.html
Bug #939989 [release.debian.org] transition: gdal
Set Bug forwarded-to-address to 'https://release.debian.org/transitions/html/auto-gdal.html'.

-- 
939989: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939989
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#939989: transition: gdal
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
Control: block -1 by 939872 939891 931944
Control: forwarded -1 https://release.debian.org/transitions/html/auto-gdal.html

For the Debian GIS team I'd like to transition to GDAL 3.x. This is the next step in the major update of the GIS stack after PROJ 6.

All reverse dependencies rebuilt successfully with GDAL 3.0.1 from experimental as summarized below, except fiona, mysql-workbench & vtk7. The fiona issue is actually related to GDAL 3, mysql-workbench FTBFS due to gcc-9 & -Werror, and vtk7 hasn't been updated for PROJ 6 yet.

libgdal-grass doesn't need a binNMU as the 3.0.1 version will be uploaded to unstable instead.

Transition: gdal

 libgdal20 (2.4.2+dfsg-1+b2) -> libgdal26 (3.0.1+dfsg-1~exp3)

The status of the most recent rebuilds is as follows.

 dans-gdal-scripts        (0.24-3)                    OK
 fiona                    (1.8.6-2)                   FTBFS (#939872)
 gazebo                   (9.6.0-2)                   OK
 gmt                      (5.4.5+dfsg-2)              OK
 libcitygml               (2.0.9-2)                   OK
 libosmium                (2.15.2-1)                  OK
 mapcache                 (1.8.0-1)                   OK
 mapnik                   (3.0.22+ds1-1)              OK
 mapproxy                 (1.12.0-1)                  OK
 mapserver                (7.4.1-1)                   OK
 mysql-workbench          (8.0.17+dfsg-1)             FTBFS (#939891)
 ncl                      (6.6.2-1)                   OK
 node-srs                 (0.4.8+dfsg-4)              OK
 octave-mapping           (1.2.1-4)                   OK
 openorienteering-mapper  (0.8.4-2)                   OK
 openscenegraph           (3.2.3+dfsg1-3)             OK
 pdal                     (2.0.1+ds-1)                OK
 pgsql-ogr-fdw            (1.0.8-1)                   OK
 pktools                  (2.6.7.6+ds-2)              OK
 postgis                  (2.5.3+dfsg-1)              OK
 pprepair                 (0.0~20170614-dd91a21-3)    OK
 prepair                  (0.7.1-3)                   OK
 python-django            (2:2.2.5-1)                 OK
 qmapshack                (1.13.1-1)                  OK
 r-cran-mi                (1.0-7)                     OK
 r-cran-rgdal             (1.4-4-1)                   OK
 r-cran-sf                (0.7-7+dfsg-1)              OK
 r-cran-tmvtnorm          (1.4-10-3)                  OK
 rasterio                 (1.0.28-1)                  OK
 sumo                     (1.1.0+dfsg1-1)             OK
 vtk6                     (6.3.0+dfsg2-3)             OK
 vtk7                     (7.1.1+dfsg1-12)            FTBFS (#931944)
 cloudcompare             (2.10.3-3)                  OK
 grass                    (7.8.0-1)                   OK
 opencv                   (3.2.0+dfsg-6)              OK
 openscenegraph-3.4       (3.4.1+dfsg1-5)             OK
 osmcoastline             (2.2.4-1)                   OK
 pyosmium                 (2.15.3-1)                  OK
 libgdal-grass            (2.4.2-3 / 3.0.1-1~exp3)    FTBFS / OK
 osgearth                 (2.10.2+dfsg-1)             OK
 otb                      (6.6.1+dfsg-3)              OK
 qgis                     (3.4.11+dfsg-2)             OK
 saga                     (7.3.0+dfsg-1)              OK

Kind Regards,

Bas
Re: Bug#933002: docker.io: CVE-2019-13139
On Sun, 2019-08-18 at 16:22 +0100, Adam D. Barratt wrote:
> On Sun, 2019-08-18 at 16:56 +0200, Arnaud Rebillout wrote:
> > * The bug you want to fix in stable must be fixed in unstable
> > already (and not waiting in NEW or the delayed queue)
> > 
> > My issue with this particular bug (#933002) is that for now,
> > docker.io doesn't build in unstable. It will take a while before it
> > builds again, as there were changes in the dependency tree.
> > 
> > On the other hand, fixing this bug in stable is just a matter of
> > importing the patch from upstream and rebuilding the package.
> > 
> > So how am I supposed to handle that? Waiting for docker.io to be
> > fixed and built again in unstable will delay the fix in stable for
> > weeks, I don't think it's a good option.
> 
> Nevertheless, that is the case I'm afraid. Updates to stable via
> proposed-updates are not appropriate for urgent security updates -
> that is what the security archive is for.

For the record, this fix became part of DSA 4521.

> Looking at
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=docker.io
> , there doesn't appear to be a bug filed for the build failure, so
> there's no indication of what the issues are, nor what needs to be
> done to fix them.

and it looks like the build failures got fixed.

Regards,

Adam
Bug#939982: britney: triggers tests even when all tests are removed; potentially causing autodep8 to be called
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: britney

Hi Eriberto,

Thanks for talking about the issues you have, I could not have guessed.

On 10-09-2019 17:53, Eriberto Mota wrote:
> I was using a test over a DKMS package (lime-forensics). I removed
> all tests[1] because Debian wasn't processing it (adding a Neutral tag)
> and to close the bug #935543. Now I have a regression in my
> package[2][3]. However, I no longer maintain a test. I think it is a
> bug in debci. How to proceed to avoid a regression after removing all
> tests?

This is not an issue with debci, as that just runs tests on behalf of other entities. The culprit here is britney, the migration software of the release team, hence filing a bug against it.

The problem is that the migration software *seems* (I haven't checked properly yet) to trigger even in the case that all tests are removed. Because autopkgtest (the software) is by default configured to try and call autodep8 if no tests are found, your package was tested with tests from autodep8, while in your case that is inappropriate as they fail. You have no way of telling the infrastructure that. As britney considers neutral-to-fail a regression, your package is flagged as such.

I see that's nothing you can solve so I'll ignore the failure.

> [1] https://salsa.debian.org/pkg-security-team/lime-forensics/commit/d7d4c79ae7ea55c5d64cc6103d3745e199056284
> [2] https://ci.debian.net/packages/l/lime-forensics/
> [3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939893

Paul
Bug#939978: marked as done (buster-pu: package flightcrew/0.7.2+dfsg-13+deb10u1)
Your message dated Tue, 10 Sep 2019 19:11:20 +0100 with message-id <8878ff801666ef402d18c771343db4d2fd56d901.ca...@adam-barratt.org.uk> and subject line Re: Bug#939978: buster-pu: package flightcrew/0.7.2+dfsg-13+deb10u1 has caused the Debian Bug report #939978, regarding buster-pu: package flightcrew/0.7.2+dfsg-13+deb10u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 939978: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939978 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Subject: buster-pu: package flightcrew/0.7.2+dfsg-13+deb10u1 Package: release.debian.org User: release.debian@packages.debian.org Usertags: pu Tags: buster Severity: normal Hello, I would like to update the flightcrew package in Buster release. The goal is to fix the CVE-2019-13241. Please find attached the debdiff. Best Regards, François -- System Information: Debian Release: 10.1 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-6-amd64 (SMP w/16 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash From 1ee41f78678f520402823b1524e02cba5c5d0d88 Mon Sep 17 00:00:00 2001 
From: Francois Mazen Date: Tue, 10 Sep 2019 09:27:47 +0200 Subject: [PATCH] Fix CVE-2019-13241 --- debian/changelog | 6 ++ debian/patches/fix-CVE-2019-13241.diff | 58 ++ debian/patches/series| 1 + debian/source/include-binaries | 1 + debian/tests/CVE-2019-13241 | 28 debian/tests/CVE-2019-13241_zip-slip.zip | Bin 0 -> 545 bytes debian/tests/control | 2 ++ 7 files changed, 96 insertions(+) create mode 100644 debian/patches/fix-CVE-2019-13241.diff create mode 100644 debian/source/include-binaries create mode 100644 debian/tests/CVE-2019-13241 create mode 100644 debian/tests/CVE-2019-13241_zip-slip.zip create mode 100644 debian/tests/control diff --git a/debian/changelog b/debian/changelog index b6a222f..dd9a681 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +flightcrew (0.7.2+dfsg-13+deb10u1) buster; urgency=high + + * Fix CVE-2019-13241 for buster. + + -- Francois Mazen Sun, 08 Sep 2019 21:55:23 +0200 + flightcrew (0.7.2+dfsg-13) unstable; urgency=medium [ Ondřej Nový ] diff --git a/debian/patches/fix-CVE-2019-13241.diff b/debian/patches/fix-CVE-2019-13241.diff new file mode 100644 index 000..5357d6a --- /dev/null +++ b/debian/patches/fix-CVE-2019-13241.diff 
@@ -0,0 +1,58 @@ +Description: fix CVE-2019-13241 +Author: Francois Mazen + + +--- a/src/zipios/src/zipextraction.cpp b/src/zipios/src/zipextraction.cpp +@@ -63,6 +63,43 @@ + fs::create_directory( filepath ); + } + ++void CheckPathTraversalVulnerability(const fs::path& root_folder, const fs::path& file_path) ++{ ++ ++fs::path canonical_path = fs::weakly_canonical(file_path); ++fs::path canonical_root_path = fs::weakly_canonical(root_folder); ++ ++fs::path::iterator root_iterator = canonical_root_path.begin(); ++fs::path::iterator path_iterator = canonical_path.begin(); ++bool isDifferenceFound = false; ++while(!isDifferenceFound && ++ root_iterator != canonical_root_path.end() && ++ path_iterator != canonical_path.end()) ++{ ++if((*root_iterator) != (*path_iterator)) ++{ ++isDifferenceFound = true; ++} ++else ++{ ++++root_iterator; ++++path_iterator; ++} ++} ++ ++if(!isDifferenceFound && ++ root_iterator != canonical_root_path.end() && ++ path_iterator == canonical_path.end()) ++{ ++// We reached the end of the path without iterating the whole root. ++isDifferenceFound = true; ++} ++ ++if(isDifferenceFound) ++{ ++throw InvalidStateException( "Corrupt epub detected with local file path: " + file_path.string()) ; ++} ++} + + void ExtractZipToFolder( const fs::path _to_zip, const fs::path _to_folder ) + { +@@ -75,6 +112,7 @@ + + fs::path new_file_path = path_to_folder / (*it)->getName(); + ++CheckPathTraversalVulnerability(path_to_folder, new_file_path); + CreateFilepath( new_file_path ); + WriteEntryToFile( *stream, new_file_path ); + } diff --git a/debian/patches/series b/debian/patches/series index
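Review bot: in the `fix-CVE-2019-13241.diff` hunk, the new `CheckPathTraversalVulnerability()` is called once per archive entry from the loop in `ExtractZipToFolder()`, and every call redoes `fs::weakly_canonical(root_folder)`, so the extraction root is canonicalised (filesystem lookups included) for each file in the epub; canonicalise `path_to_folder` once before the loop and pass the canonical root in, leaving only the per-entry `weakly_canonical(file_path)`. Calling the check before `CreateFilepath()` is the right order, since a traversing entry is rejected before any directory is created for it. The DEP-3 header carries only `Description:` and `Author:`; a `Bug-Debian:` line for the tracker entry and a `Forwarded:` (or `Origin:`) line saying whether this is the upstream fix or a Debian-specific patch would tell the next person touching the stable package where the check came from.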
Bug#934132: Unblock elogind 241.3-1+debian1 migration to bullseye
On Thu, Sep 05, 2019 at 06:44:26PM +0100, Mark Hindley wrote:
> Julien,
> 
> On Tue, Sep 03, 2019 at 09:03:42PM +0100, Mark Hindley wrote:
> > Control: severity 934491 serious
> > 
> > On Tue, Sep 03, 2019 at 09:34:51PM +0200, Julien Cristau wrote:
> > > Anyway, I guess if #934491 is upgraded to RC then I can drop the block
> > > hint.
> 
> #934491 is now RC, would you please remove your block hint for elogind.

Julien,

I am sorry to just keep asking, however in the absence of any action or response from you, I am unsure what else I can do.

In accordance with your offer of a week ago, and in the light of #934491 now being RC, would you please remove your block hint for elogind.

Thank you.

Mark
Bug#939978: buster-pu: package flightcrew/0.7.2+dfsg-13+deb10u1
Subject: buster-pu: package flightcrew/0.7.2+dfsg-13+deb10u1 Package: release.debian.org User: release.debian@packages.debian.org Usertags: pu Tags: buster Severity: normal Hello, I would like to update the flightcrew package in Buster release. The goal is to fix the CVE-2019-13241. Please find attached the debdiff. Best Regards, François -- System Information: Debian Release: 10.1 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-6-amd64 (SMP w/16 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash From 1ee41f78678f520402823b1524e02cba5c5d0d88 Mon Sep 17 00:00:00 2001 From: Francois Mazen Date: Tue, 10 Sep 2019 09:27:47 +0200 Subject: [PATCH] Fix CVE-2019-13241 --- debian/changelog | 6 ++ debian/patches/fix-CVE-2019-13241.diff | 58 ++ debian/patches/series| 1 + debian/source/include-binaries | 1 + debian/tests/CVE-2019-13241 | 28 debian/tests/CVE-2019-13241_zip-slip.zip | Bin 0 -> 545 bytes debian/tests/control | 2 ++ 7 files changed, 96 insertions(+) create mode 100644 debian/patches/fix-CVE-2019-13241.diff create mode 100644 debian/source/include-binaries create mode 100644 debian/tests/CVE-2019-13241 create mode 100644 debian/tests/CVE-2019-13241_zip-slip.zip create mode 100644 debian/tests/control diff --git a/debian/changelog b/debian/changelog index b6a222f..dd9a681 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +flightcrew (0.7.2+dfsg-13+deb10u1) buster; urgency=high + + * Fix CVE-2019-13241 for buster. + + -- Francois Mazen Sun, 08 Sep 2019 21:55:23 +0200 + flightcrew (0.7.2+dfsg-13) unstable; urgency=medium [ Ondřej Nový ] diff --git a/debian/patches/fix-CVE-2019-13241.diff b/debian/patches/fix-CVE-2019-13241.diff new file mode 100644 index 000..5357d6a --- /dev/null +++ b/debian/patches/fix-CVE-2019-13241.diff 
@@ -0,0 +1,58 @@ +Description: fix CVE-2019-13241 +Author: Francois Mazen + + +--- a/src/zipios/src/zipextraction.cpp b/src/zipios/src/zipextraction.cpp +@@ -63,6 +63,43 @@ + fs::create_directory( filepath ); + } + ++void CheckPathTraversalVulnerability(const fs::path& root_folder, const fs::path& file_path) ++{ ++ ++fs::path canonical_path = fs::weakly_canonical(file_path); ++fs::path canonical_root_path = fs::weakly_canonical(root_folder); ++ ++fs::path::iterator root_iterator = canonical_root_path.begin(); ++fs::path::iterator path_iterator = canonical_path.begin(); ++bool isDifferenceFound = false; ++while(!isDifferenceFound && ++ root_iterator != canonical_root_path.end() && ++ path_iterator != canonical_path.end()) ++{ ++if((*root_iterator) != (*path_iterator)) ++{ ++isDifferenceFound = true; ++} ++else ++{ ++++root_iterator; ++++path_iterator; ++} ++} ++ ++if(!isDifferenceFound && ++ root_iterator != canonical_root_path.end() && ++ path_iterator == canonical_path.end()) ++{ ++// We reached the end of the path without iterating the whole root. ++isDifferenceFound = true; ++} ++ ++if(isDifferenceFound) ++{ ++throw InvalidStateException( "Corrupt epub detected with local file path: " + file_path.string()) ; ++} ++} + + void ExtractZipToFolder( const fs::path _to_zip, const fs::path _to_folder ) + { +@@ -75,6 +112,7 @@ + + fs::path new_file_path = path_to_folder / (*it)->getName(); + ++CheckPathTraversalVulnerability(path_to_folder, new_file_path); + CreateFilepath( new_file_path ); + WriteEntryToFile( *stream, new_file_path ); + } diff --git a/debian/patches/series b/debian/patches/series index dd411b2..f8c0cdb 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -3,3 +3,4 @@ disable_filesystem3_overload modify_cmake_for_debian reproducible-build use_random_unique_tmp_path +fix-CVE-2019-13241.diff diff --git a/debian/source/include-binaries b/debian/source/include-binaries new file mode 100644 index 000..5b216eb --- /dev/null 
+++ b/debian/source/include-binaries @@ -0,0 +1 @@ +debian/tests/CVE-2019-13241_zip-slip.zip diff --git a/debian/tests/CVE-2019-13241 b/debian/tests/CVE-2019-13241 new file mode 100644 index 000..baac7e0 --- /dev/null +++ b/debian/tests/CVE-2019-13241 @@ -0,0 +1,28 @@ +#!/bin/sh + +# Check the CVE-2019-13241 vulnerability. +# See https://security-tracker.debian.org/tracker/CVE-2019-13241 +# Author: Francois Mazen + +EVIL_FILE=/tmp/evil.txt + +if [ -f "$EVIL_FILE" ]; then +echo "$EVIL_FILE exists, removing it." +rm -f $EVIL_FILE +else +echo
Bug#939967: stretch-pu: package flightcrew/0.7.2+dfsg-9+deb9u1
Package: release.debian.org User: release.debian@packages.debian.org Usertags: pu Tags: stretch Severity: normal Hello, I would like to update the flightcrew package in Stretch release. The goal is to fix the CVE-2019-13241. Please find attached the debdiff. Best Regards, François -- System Information: Debian Release: 10.1 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-6-amd64 (SMP w/16 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash From 24d531e5efce69f77b85d8c16aef2a099e9f143c Mon Sep 17 00:00:00 2001 From: Francois Mazen Date: Tue, 10 Sep 2019 16:28:31 +0200 Subject: [PATCH] Fix CVE-2019-13241. --- debian/changelog | 6 ++ debian/patches/fix-CVE-2019-13241.diff | 59 +++ debian/patches/series| 1 + debian/source/include-binaries | 1 + debian/tests/CVE-2019-13241 | 28 debian/tests/CVE-2019-13241_zip-slip.zip | Bin 0 -> 545 bytes debian/tests/control | 2 ++ 7 files changed, 97 insertions(+) create mode 100644 debian/patches/fix-CVE-2019-13241.diff create mode 100644 debian/source/include-binaries create mode 100644 debian/tests/CVE-2019-13241 create mode 100644 debian/tests/CVE-2019-13241_zip-slip.zip create mode 100644 debian/tests/control diff --git a/debian/changelog b/debian/changelog index f602446..511639c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +flightcrew (0.7.2+dfsg-9+deb9u1) stretch; urgency=medium + + * Fix CVE-2019-13241 for stretch release. + + -- Francois Mazen Tue, 10 Sep 2019 15:34:26 +0200 + flightcrew (0.7.2+dfsg-9) unstable; urgency=medium * d/copyright: claim copyright for the 2017. diff --git a/debian/patches/fix-CVE-2019-13241.diff b/debian/patches/fix-CVE-2019-13241.diff new file mode 100644 index 000..98019d0 --- /dev/null +++ b/debian/patches/fix-CVE-2019-13241.diff 
@@ -0,0 +1,59 @@ +Description: fix CVE-2019-13241 +Author: Francois Mazen + + +--- a/src/zipios/src/zipextraction.cpp b/src/zipios/src/zipextraction.cpp +@@ -63,6 +63,44 @@ + fs::create_directory( filepath ); + } + ++void CheckPathTraversalVulnerability(const fs::path& root_folder, const fs::path& file_path) ++{ ++ ++fs::path canonical_path = fs::weakly_canonical(file_path); ++fs::path canonical_root_path = fs::weakly_canonical(root_folder); ++ ++fs::path::iterator root_iterator = canonical_root_path.begin(); ++fs::path::iterator path_iterator = canonical_path.begin(); ++bool isDifferenceFound = false; ++while(!isDifferenceFound && ++ root_iterator != canonical_root_path.end() && ++ path_iterator != canonical_path.end()) ++{ ++if((*root_iterator) != (*path_iterator)) ++{ ++isDifferenceFound = true; ++} ++else ++{ ++++root_iterator; ++++path_iterator; ++} ++} ++ ++if(!isDifferenceFound && ++ root_iterator != canonical_root_path.end() && ++ path_iterator == canonical_path.end()) ++{ ++// We reached the end of the path without iterating the whole root. ++isDifferenceFound = true; ++} ++ ++if(isDifferenceFound) ++{ ++throw InvalidStateException( "Corrupt epub detected with local file path: " + file_path.string()) ; ++} ++} ++ + + void ExtractZipToFolder( const fs::path _to_zip, const fs::path _to_folder ) + { +@@ -75,6 +113,7 @@ + + fs::path new_file_path = path_to_folder / (*it)->getName(); + ++CheckPathTraversalVulnerability(path_to_folder, new_file_path); + CreateFilepath( new_file_path ); + WriteEntryToFile( *stream, new_file_path ); + } diff --git a/debian/patches/series b/debian/patches/series index dd411b2..f8c0cdb 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -3,3 +3,4 @@ disable_filesystem3_overload modify_cmake_for_debian reproducible-build use_random_unique_tmp_path +fix-CVE-2019-13241.diff diff --git a/debian/source/include-binaries b/debian/source/include-binaries new file mode 100644 index 000..5b216eb --- /dev/null 
+++ b/debian/source/include-binaries @@ -0,0 +1 @@ +debian/tests/CVE-2019-13241_zip-slip.zip diff --git a/debian/tests/CVE-2019-13241 b/debian/tests/CVE-2019-13241 new file mode 100644 index 000..baac7e0 --- /dev/null +++ b/debian/tests/CVE-2019-13241 @@ -0,0 +1,28 @@ +#!/bin/sh + +# Check the CVE-2019-13241 vulnerability. +# See https://security-tracker.debian.org/tracker/CVE-2019-13241 +# Author: Francois Mazen + +EVIL_FILE=/tmp/evil.txt + +if [ -f "$EVIL_FILE" ]; then +echo "$EVIL_FILE exists, removing it." +rm -f $EVIL_FILE +else +echo "$EVIL_FILE does
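Review bot: the `debian/changelog` hunk for stretch uses `urgency=medium` while the buster upload of the same fix uses `urgency=high`; urgency does not influence a stable or oldstable proposed-update, so this is cosmetic, but two changelogs describing one CVE fix should agree. The stretch copy of `fix-CVE-2019-13241.diff` also differs from the buster one only by an extra blank `++` line after the closing brace of `CheckPathTraversalVulnerability()` (hunk header `@@ -63,6 +63,44 @@` against `+63,43` in buster), which is why the diffstat reports 59 rather than 58 lines; keeping the patch files byte-identical across both branches makes it trivial to verify later that they carry the same fix.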
Implementing the GDPR (RODO) in your company.
Take care of personal data security in your company. We will implement the necessary procedures for you so that they comply with the GDPR. We will train your staff. We will prepare personalised documentation. If you would like to know more, reply to this message with *YES* and leave your _telephone number_, and we will call you as soon as possible. Yours faithfully, Law Firm. Pursuant to Art. 6(1)(f) GDPR, we inform you that your data, provided to us via our website/contact form or in another way (handing over a business card, sending e-mail), are collected, processed and stored for the purpose of corresponding with you and for the purpose for which they were made available to us. Personal data may be disclosed to the company's employees or associates, as well as to entities providing support to the company on the basis of commissioned services and in accordance with the data processing agreements concluded. We further inform you that your personal data will not be processed in an automated manner and will not be profiled. You have the right to access your data, the right to rectification, erasure, restriction of processing, the right to data portability or to object to processing. The data subject has the right to lodge a complaint with the PUODO if they consider that the processing of their personal data violates the GDPR. Providing data is voluntary but necessary for the above purposes. Your data will be processed until the purpose for which they were collected ceases to apply. This e-mail and any files attached to it are confidential and may be legally protected. If you are not the intended recipient of this message, you may not disclose, copy, distribute or otherwise make available or use it. Please notify the sender immediately of a misdirected message and delete the message.
Bug#939965: buster-pu: package flightcrew/0.7.2+dfsg-13+deb10u1
Package: release.debian.org User: release.debian@packages.debian.org Usertags: pu Tags: buster Severity: normal Hello, I would like to update the flightcrew package in Buster release. The goal is to fix the CVE-2019-13241. Please find attached the debdiff. Best Regards, François -- System Information: Debian Release: 10.1 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-6-amd64 (SMP w/16 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash From 1ee41f78678f520402823b1524e02cba5c5d0d88 Mon Sep 17 00:00:00 2001 From: Francois Mazen Date: Tue, 10 Sep 2019 09:27:47 +0200 Subject: [PATCH] Fix CVE-2019-13241 --- debian/changelog | 6 ++ debian/patches/fix-CVE-2019-13241.diff | 58 ++ debian/patches/series| 1 + debian/source/include-binaries | 1 + debian/tests/CVE-2019-13241 | 28 debian/tests/CVE-2019-13241_zip-slip.zip | Bin 0 -> 545 bytes debian/tests/control | 2 ++ 7 files changed, 96 insertions(+) create mode 100644 debian/patches/fix-CVE-2019-13241.diff create mode 100644 debian/source/include-binaries create mode 100644 debian/tests/CVE-2019-13241 create mode 100644 debian/tests/CVE-2019-13241_zip-slip.zip create mode 100644 debian/tests/control diff --git a/debian/changelog b/debian/changelog index b6a222f..dd9a681 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +flightcrew (0.7.2+dfsg-13+deb10u1) buster; urgency=high + + * Fix CVE-2019-13241 for buster. + + -- Francois Mazen Sun, 08 Sep 2019 21:55:23 +0200 + flightcrew (0.7.2+dfsg-13) unstable; urgency=medium [ Ondřej Nový ] diff --git a/debian/patches/fix-CVE-2019-13241.diff b/debian/patches/fix-CVE-2019-13241.diff new file mode 100644 index 000..5357d6a --- /dev/null +++ b/debian/patches/fix-CVE-2019-13241.diff 
@@ -0,0 +1,58 @@ +Description: fix CVE-2019-13241 +Author: Francois Mazen + + +--- a/src/zipios/src/zipextraction.cpp b/src/zipios/src/zipextraction.cpp +@@ -63,6 +63,43 @@ + fs::create_directory( filepath ); + } + ++void CheckPathTraversalVulnerability(const fs::path& root_folder, const fs::path& file_path) ++{ ++ ++fs::path canonical_path = fs::weakly_canonical(file_path); ++fs::path canonical_root_path = fs::weakly_canonical(root_folder); ++ ++fs::path::iterator root_iterator = canonical_root_path.begin(); ++fs::path::iterator path_iterator = canonical_path.begin(); ++bool isDifferenceFound = false; ++while(!isDifferenceFound && ++ root_iterator != canonical_root_path.end() && ++ path_iterator != canonical_path.end()) ++{ ++if((*root_iterator) != (*path_iterator)) ++{ ++isDifferenceFound = true; ++} ++else ++{ ++++root_iterator; ++++path_iterator; ++} ++} ++ ++if(!isDifferenceFound && ++ root_iterator != canonical_root_path.end() && ++ path_iterator == canonical_path.end()) ++{ ++// We reached the end of the path without iterating the whole root. ++isDifferenceFound = true; ++} ++ ++if(isDifferenceFound) ++{ ++throw InvalidStateException( "Corrupt epub detected with local file path: " + file_path.string()) ; ++} ++} + + void ExtractZipToFolder( const fs::path _to_zip, const fs::path _to_folder ) + { +@@ -75,6 +112,7 @@ + + fs::path new_file_path = path_to_folder / (*it)->getName(); + ++CheckPathTraversalVulnerability(path_to_folder, new_file_path); + CreateFilepath( new_file_path ); + WriteEntryToFile( *stream, new_file_path ); + } diff --git a/debian/patches/series b/debian/patches/series index dd411b2..f8c0cdb 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -3,3 +3,4 @@ disable_filesystem3_overload modify_cmake_for_debian reproducible-build use_random_unique_tmp_path +fix-CVE-2019-13241.diff diff --git a/debian/source/include-binaries b/debian/source/include-binaries new file mode 100644 index 000..5b216eb --- /dev/null 
+++ b/debian/source/include-binaries @@ -0,0 +1 @@ +debian/tests/CVE-2019-13241_zip-slip.zip diff --git a/debian/tests/CVE-2019-13241 b/debian/tests/CVE-2019-13241 new file mode 100644 index 000..baac7e0 --- /dev/null +++ b/debian/tests/CVE-2019-13241 @@ -0,0 +1,28 @@ +#!/bin/sh + +# Check the CVE-2019-13241 vulnerability. +# See https://security-tracker.debian.org/tracker/CVE-2019-13241 +# Author: Francois Mazen + +EVIL_FILE=/tmp/evil.txt + +if [ -f "$EVIL_FILE" ]; then +echo "$EVIL_FILE exists, removing it." +rm -f $EVIL_FILE +else +echo "$EVIL_FILE does not exist" +fi + +echo "Opening the evil
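Review bot: the `debian/tests/CVE-2019-13241` hunk starts with `#!/bin/sh` and no `set -e`, so if a later command fails (for example because the binary under test is missing from the testbed) the script can still exit 0 and autopkgtest would record a pass; add `set -e` (or check each exit status explicitly) and make sure the script ends with an explicit check that `$EVIL_FILE` is absent after the tool has run, exiting non-zero otherwise. The cleanup line `rm -f $EVIL_FILE` should also quote the variable, as the `[ -f "$EVIL_FILE" ]` test just above it already does, and since `/tmp/evil.txt` is a fixed, shared location, a comment explaining that the path is dictated by the entry name inside `CVE-2019-13241_zip-slip.zip` would help whoever reads the test later.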
Your FanPage on Facebook
Good morning, effective administration of *FanPage on Facebook* is our specialty. In connection with this, we would like to increase your company's profit and its number of fans. Sending a reply with the text *Yes* will allow us to contact you. Since we run a business ourselves, we are aware that customers are the foundation of every company. We will take care of an influx of new customers for your company. Best regards, Agencja Interaktywna.
Bug#935250: , #935252: buster-pu: mutter, gnome-shell
On Wed, 21 Aug 2019 at 08:41:31 +0100, Simon McVittie wrote: > I uploaded some mutter fixes to unstable after the buster release which > I think would be worth considering for a buster update - perhaps for > 10.2 rather than 10.1 at this point. On Wed, 21 Aug 2019 at 08:44:47 +0100, Simon McVittie wrote: > I uploaded some GNOME Shell fixes to unstable after the buster release > which I think would be worth considering for a buster update - perhaps > for 10.2 rather than 10.1 at this point. The GNOME team is starting to upload GNOME 3.34 to unstable, so these 3.30.x updates have had as much testing in testing/unstable as they are going to get. I haven't seen any regression reports, either from testing/unstable users or after asking stable users to test a prerelease. Do these changes seem OK to upload to proposed-updates now that 10.1 is out? Early in the cycle is probably a good time, to get as much opportunity as possible for people to try them via proposed-updates. Please let me know if any of the upstream fixes are considered too intrusive and need to be reverted. Test binaries for amd64 which should be equivalent to the version I have prepared for proposed-updates (but with a slightly lower version number): https://people.debian.org/~smcv/201908/mutter/ https://people.debian.org/~smcv/201908/gnome-shell/ Thanks, smcv
Bug#931950: transition: libgeotiff
libgeotiff (1.5.1-2) is in testing, but libgeotiff-dfsg (1.4.3-1) cannot be removed from testing due to gnudatalanguage, which I don't understand. But this should be resolved when the package get autoremoved on the 14th. Kind Regards, Bas -- GPG Key ID: 4096R/6750F10AE88D4AF1 Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
Bug#931949: marked as done (transition: proj)
Your message dated Tue, 10 Sep 2019 08:06:12 +0200 with message-id <34824c6f-88d7-ef08-6d4e-8e96a1690...@xs4all.nl> and subject line Re: Bug#931949: transition: proj has caused the Debian Bug report #931949, regarding transition: proj to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 931949: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931949 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
Control: forwarded -1 https://release.debian.org/transitions/html/auto-proj.html
Control: block -1 by 931914 931922 931931 931935 931940 931943 931945 931941 931944 931948 931904 931908 931872

For the Debian GIS team I'd like to transition to PROJ 6. This is a major change that affects the wider GIS ecosystem, with proj being at the bottom of the dependency chain. Most packages build successfully with the new version after defining ACCEPT_USE_OF_DEPRECATED_PROJ_API_H to use the deprecated proj_api.h. Several of the affected packages already have this change in unstable. Others have patches available in the BTS. Yet others have a fix available in a new upstream release that still needs to be packaged. Some packages that FTBFS have been dead upstream for quite a while, and RM bugs have been filed for those. The vtk6 & vtk7 packages and their rdeps (ifrit & lammps) are the biggest issue, but the VTK packages can be updated to use their embedded copy of PROJ 4. VTK upstream also has support for PROJ 6, but this is not packaged yet.
libgeotiff-dfsg won't need a rebuild, libgeotiff will be moved to unstable instead. This will trigger a transition too, but it only affects 12 packages, 6 of which are also affected by the proj transition. All libgeotiff rdeps built successfully with the new proj & libgeotiff. python-pyproj also won't need a rebuild, the version in experimental will be moved to unstable as well. This won't trigger a transition.

Transition: proj
libproj13 (5.2.0-1) -> libproj15 (6.1.1-1~exp1)

The status of the most recent rebuilds is as follows. Packages marked with [+] have a patch available in the BTS.

josm (0.0.svn15238+dfsg-1) SKIP
gpx2shp (0.71.0-7) FTBFS (#931904)
libgeo-proj4-perl (1.09-3) FTBFS (#931908)
libgeotiff-dfsg (1.4.3-1) SKIP
libgeotiff (1.5.1-1~exp3) OK
mshr (2018.1.0+dfsg1-7) OK
octave-octproj (1.1.5-4) OK [+] (#931914)
osm2pgsql (0.96.0+ds-3) OK
pdl (1:2.019-5) OK
proj-rdnap (2008-9) OK
python-cartopy (0.17.0+dfsg-4) OK
python-pyproj (1.9.6-1 / 2.2.1+ds-1~exp1) FTBFS / OK
sosi2osm (1.0.0-6) OK
spatialite (4.3.0a-6) OK
survex (1.2.40-1) OK
xygrib (1.2.2-1) OK [+] (#931922)
gdal (2.4.2+dfsg-1) OK
magics++ (4.0.3-1) OK
spatialite-gui (2.1.0~beta0+really2.0.0~devel2-4) OK
spatialite-tools (4.3.0-3) OK
xastir (2.1.2-1) OK [+] (#931931)
cdo (1.9.7.1-3) OK
mapnik (3.0.22+ds-2) OK
mapserver (7.4.0-1) OK
merkaartor (0.18.3+ds-6) OK
metview (5.3.0-2) OK [+] (#931945)
ncl (6.6.2-1) OK
openorienteering-mapper (0.8.4-1) OK [+] (#931935)
pdal (1.8.0+ds-1) OK
postgis (2.5.2+dfsg-1)