Bug#1028436: transition: re2
Hi Sebastian (2023.06.13_21:42:46_+)
> Please go ahead with the upload to unstable.

Uploaded, thanks!

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272
Bug#1037542: bookworm-pu: package xerial-sqlite-jdbc/3.40.1.0+dfsg-1+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: xerial-sqlite-j...@packages.debian.org
Control: affects -1 + src:xerial-sqlite-jdbc

Dear Release team,

I would like to upload xerial-sqlite-jdbc to stable-proposed-updates.

[ Reason ]
Grave bug #1036706 was filed a few days before the release of Bookworm. This is a security bug associated with CVE-2023-32697. Although it has been marked no-dsa by the security team, we exchanged a few emails and our conclusion was that the fix of this bug, which amounts to cherry-picking one commit of upstream, should land in Bookworm during a point release.

[ Impact ]
CVE-2023-32697 would remain. The Debian-packaged reverse dependencies of the package are mainly used in a single-user environment, but possibly it is also used in a network environment by some users for their own programs, and this is where there might be some hazard.

[ Tests ]
The package was built in a Bookworm chroot and its autopkgtest is passing.

[ Risks ]
Code is very simple, only 2 lines are changed. Upstream published it three weeks ago and has issued new upstream versions since then.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
Cherry-picking commit edb4b8adc2447bc04e05b9b908195a4bc7926242 from upstream, which uses a random UUID instead of the hash of some fixed address in order to define the DB file name.

Thanks for your help,
Best,

-- 
Pierre

diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog --- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-02-04 14:24:45.0 +0100 +++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-06-13 23:19:59.0 +0200 
@@ -1,3 +1,9 @@ +xerial-sqlite-jdbc (3.40.1.0+dfsg-1+deb12u1) bookworm; urgency=medium + + * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm) + + -- Pierre Gruet Tue, 13 Jun 2023 23:19:59 +0200 + xerial-sqlite-jdbc (3.40.1.0+dfsg-1) unstable; urgency=medium * New upstream version 3.40.1.0+dfsg diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch --- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch 1970-01-01 01:00:00.0 +0100 +++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch 2023-06-13 23:17:23.0 +0200 
@@ -0,0 +1,28 @@ +Description: fixing CVE-2023-32697 +Author: Pierre Gruet +Origin: upstream, https://github.com/xerial/sqlite-jdbc/commit/edb4b8adc2447bc04e05b9b908195a4bc7926242 +Bug: https://github.com/xerial/sqlite-jdbc/security/advisories/GHSA-6phf-6h5g-97j2 +Bug-Debian: https://bugs.debian.org/1036706 +Forwarded: not-needed +Applied-Upstream: edb4b8adc2447bc04e05b9b908195a4bc7926242 +Last-Update: 2023-06-13 + +--- a/src/main/java/org/sqlite/SQLiteConnection.java b/src/main/java/org/sqlite/SQLiteConnection.java +@@ -13,6 +13,7 @@ + import java.sql.ResultSet; + import java.sql.SQLException; + import java.util.Properties; ++import java.util.UUID; + import java.util.concurrent.Executor; + import org.sqlite.SQLiteConfig.TransactionMode; + import org.sqlite.core.CoreDatabaseMetaData; +@@ -303,7 +304,7 @@ + } + + String tempFolder = new File(System.getProperty("java.io.tmpdir")).getAbsolutePath(); +-String dbFileName = String.format("sqlite-jdbc-tmp-%d.db", resourceAddr.hashCode()); ++String dbFileName = String.format("sqlite-jdbc-tmp-%s.db", UUID.randomUUID()); + File dbFile = new File(tempFolder, dbFileName); + + if (dbFile.exists()) { diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series --- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series 2023-02-02 17:16:53.0 +0100 +++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series 2023-06-13 23:10:58.0 +0200 @@ -7,3 +7,4 @@ skip_OSInfoTest.patch tests_without_archunit-junit5_and_some_assertions.patch junit-jupiter-params_artifact.patch +CVE-2023-32697.patch
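Review bot: the debian/changelog hunk says "Using a random UUID for the connection", but the patched line names the temporary database file (`sqlite-jdbc-tmp-%s.db`), not the connection, and the entry carries no `(Closes: #1036706)` although the patch header lists `Bug-Debian: https://bugs.debian.org/1036706` and the checklist states that all changes are documented in d/changelog. Suggest `* Use a random UUID for the temporary DB file name (CVE-2023-32697) (Closes: #1036706)` so the BTS version tracking records the fix in bookworm.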
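Review bot: in the SQLiteConnection.java hunk the `%d` to `%s` format change is required (a UUID is not an integer) and dropping `resourceAddr.hashCode()` removes the predictable name, but the surrounding context `File dbFile = new File(tempFolder, dbFileName); if (dbFile.exists()) {` still lives in the shared `java.io.tmpdir`, so the fix rests on the name being unguessable rather than on an exclusive create. That is acceptable for a verbatim cherry-pick of the upstream commit, but the patch's `Description:` line should say what is being fixed (predictable temporary file name in the shared tmp directory) rather than only `fixing CVE-2023-32697`, so a later reader of debian/patches does not have to open the advisory.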
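The pu request above says the upstream fix swaps "the hash of some fixed address" for a random UUID in the temp DB file name. The following is an added example written for this page, not code from sqlite-jdbc or from the Debian package: it reimplements `java.lang.String.hashCode()` to show that the pre-fix name is a pure function of a string any local user can know, simulates a local attacker pre-planting that file in the shared tmp directory, and goes one step beyond the cherry-picked commit by showing an exclusive create (`O_CREAT|O_EXCL`) that refuses a pre-planted file instead of reusing it. The resource path used as input is a constructed sample; the real `resourceAddr` is whatever the library computes internally.

```python
"""Added example, not code from sqlite-jdbc or the Debian package.

Shows why a temp file named from String.hashCode() of a fixed string is
predictable (anyone can compute the same name), why a random UUID is not,
and how an exclusive create closes the remaining pre-planted-file window.
"""
import os
import tempfile
import uuid
from typing import Callable


def java_string_hashcode(s: str) -> int:
    """Reimplementation of java.lang.String.hashCode(): h = 31*h + c over the
    UTF-16 code units, truncated to a signed 32-bit int.  Assumes BMP-only
    input so each character is one code unit.  A pure function of the input,
    so it is identical on every JVM, host and run."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - (1 << 32) if h >= (1 << 31) else h


def predictable_name(resource_addr: str) -> str:
    """Pre-fix scheme: "sqlite-jdbc-tmp-%d.db" with resourceAddr.hashCode()."""
    return f"sqlite-jdbc-tmp-{java_string_hashcode(resource_addr)}.db"


def random_name(_resource_addr: str) -> str:
    """Post-fix scheme: "sqlite-jdbc-tmp-%s.db" with UUID.randomUUID()."""
    return f"sqlite-jdbc-tmp-{uuid.uuid4()}.db"


def attacker_hits_victim_file(name_fn: Callable[[str], str], resource_addr: str) -> bool:
    """Simulate a local attacker who knows the naming scheme and the resource
    path (assumed known: it is fixed inside the jar).  The attacker creates a
    file first in a fresh tmp dir; report whether the victim's later name
    lands on that pre-planted file (the pre-fix `dbFile.exists()` case)."""
    tmpdir = tempfile.mkdtemp()
    try:
        attacker_path = os.path.join(tmpdir, name_fn(resource_addr))
        with open(attacker_path, "w") as fh:
            fh.write("attacker controlled contents")
        victim_path = os.path.join(tmpdir, name_fn(resource_addr))
        return os.path.exists(victim_path)
    finally:
        for entry in os.listdir(tmpdir):
            os.unlink(os.path.join(tmpdir, entry))
        os.rmdir(tmpdir)


def exclusive_create(path: str) -> int:
    """Create `path` with O_CREAT|O_EXCL and mode 0600.  Raises FileExistsError
    if anything (regular file or symlink) already sits there, so a pre-planted
    file is refused instead of reused.  Returns the open file descriptor."""
    return os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)


def preplanted_file_is_refused() -> bool:
    """Exercise exclusive_create against its own earlier file: the second
    create must fail even though the name is the same."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, random_name(""))
    try:
        os.close(exclusive_create(path))        # first create succeeds
        try:
            os.close(exclusive_create(path))    # second must raise
            return False
        except FileExistsError:
            return True
    finally:
        os.unlink(path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    addr = "/org/sqlite/native/Linux/x86_64/libsqlitejdbc.so"  # constructed sample path
    print("hashCode-based name collides with attacker file:", attacker_hits_victim_file(predictable_name, addr))
    print("UUID-based name collides with attacker file:    ", attacker_hits_victim_file(random_name, addr))
    print("exclusive create refuses pre-planted file:      ", preplanted_file_is_refused())
```

The random name removes the attacker's ability to compute the path in advance; the exclusive create removes the dependence on that unguessability, which is why a hardened version would use both (in Java, `Files.createTempFile` behaves this way).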
Processed: bookworm-pu: package xerial-sqlite-jdbc/3.40.1.0+dfsg-1+deb12u1
Processing control commands:

> affects -1 + src:xerial-sqlite-jdbc
Bug #1037542 [release.debian.org] bookworm-pu: package xerial-sqlite-jdbc/3.40.1.0+dfsg-1+deb12u1
Added indication that 1037542 affects src:xerial-sqlite-jdbc

-- 
1037542: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037542
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#1028436: transition: re2
Processing control commands:

> tags -1 = confirmed
Bug #1028436 [release.debian.org] transition: re2
Added tag(s) confirmed; removed tag(s) trixie.

-- 
1028436: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1028436
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#1028436: transition: re2
Control: tags -1 = confirmed

On 2023-01-10 19:22:20 -0400, Stefano Rivera wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: transition
> X-Debbugs-Cc: r...@packages.debian.org
> Control: affects -1 + src:re2
>
> Sorry for a last minute request. I was just looking through my packages
> on the weekend and noticed that re2 had tagged a new release, but I
> hadn't seen it due to the GitHub layout change last year.
>
> This is a very minor ABI break in the C++ library, caused by changing
> class layout.
>
> In the 6 months since the previous release, they've only made 22
> commits. Which also means that if it misses the freeze, it's probably
> not a big deal.
>
> The new version is currently sitting in experimental bin-NEW.

Please go ahead with the upload to unstable.

Cheers
-- 
Sebastian Ramacher
Bug#1037531: bookworm-pu: package boost1.81/1.81.0-5+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
This upload fixes #1036986 by adding a dependency on the shared library package to the -dev package. The same fix was applied as part of 1.81.0-5.1 in unstable.

[ Impact ]
Users are missing the corresponding shared library package when working with the boost json library.

[ Tests ]
Double-checked that the binary packages have the correct dependencies.

[ Risks ]
Change is trivial.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
The added dependency is the only change.

Cheers
-- 
Sebastian Ramacher

diff -Nru boost1.81-1.81.0/debian/changelog boost1.81-1.81.0/debian/changelog --- boost1.81-1.81.0/debian/changelog 2023-05-14 22:52:13.0 +0200 +++ boost1.81-1.81.0/debian/changelog 2023-06-11 19:35:53.0 +0200 @@ -1,3 +1,10 @@ +boost1.81 (1.81.0-5+deb12u1) bookworm; urgency=medium + + * debian/control: Add dependency on libboost-json1.81.0 for +libboost-json1.81-dev (Closes: #1036986) + + -- Sebastian Ramacher Sun, 11 Jun 2023 19:35:53 +0200 + boost1.81 (1.81.0-5) unstable; urgency=medium * [0330664] Better handling of the upstream version number diff -Nru boost1.81-1.81.0/debian/control boost1.81-1.81.0/debian/control --- boost1.81-1.81.0/debian/control 2023-05-14 22:51:28.0 +0200 +++ boost1.81-1.81.0/debian/control 2023-06-11 19:35:53.0 +0200 @@ -1502,6 +1502,7 @@ Depends: ${misc:Depends}, libboost1.81-dev (= ${binary:Version}), libboost-container1.81-dev (= ${binary:Version}), + libboost-json1.81.0 (= ${binary:Version}), libboost-system1.81-dev (= ${binary:Version}) Conflicts: libboost-json1.80-dev Description: C++ containers and algorithms that implement JSON
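Review bot: the debian/changelog hunk documents the new dependency but not that it mirrors the 1.81.0-5.1 NMU already in unstable, which the request body states; adding a short "same change as 1.81.0-5.1 in unstable" to the entry keeps the point-release changelog self-explanatory for anyone diffing bookworm against sid later. The debian/control hunk itself is fine: `libboost-json1.81.0 (= ${binary:Version})` matches the strict-version form of the neighbouring `libboost-container1.81-dev` and `libboost-system1.81-dev` entries, which is the right relation for a -dev package on the runtime library built from the same source.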
Bug#1037474: transition: openmm
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hello,

I would like to request a transition slot for openmm (experimental -> unstable) due to soname bump. Current ben tracker [1] is OK.

Status of reverse dependencies:
- cpptraj: not in sid
- molmodel: FTBFS with gemmi (#1037472)
- openstructure: OK
- python-pdbfixer: OK
- macromoleculebuilder: FTBFS with gemmi (#1037463)

Thanks,
Andrius

[1] https://release.debian.org/transitions/html/auto-openmm.html
Bug#1037466: nmu: spirv-llvm-translator-16_16.0.0-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

nmu spirv-llvm-translator-16_16.0.0-1 . ANY . experimental . -m "Rebuild against llvm 16.0.5"

the updated llvm-16/gcc-13 combination causes symbol changes that I'd like to collect before uploading the package to unstable

Andreas
Bug#1037461: bookworm-pu: package ayatana-indicator-datetime/22.9.1-1+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
In Lomiri's clock app, it is possible to configure alarms with custom alarm sounds. ayatana-indicator-datetime is responsible for playing those alarm sounds when the time comes. However, ayatana-indicator-datetime only plays the system-wide default alarm sound.

[ Impact ]
Limited to Lomiri users, configuring custom alarm sounds will work with this changeset.

[ Tests ]
Manually, on a bookworm system running Lomiri.

[ Risks ]
Virtually none.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
+  * debian/patches:
++ Add 0001_engine-eds-fix-retrieving-custom-alarm-sound-path.patch. Fix
+  playing of custom alarm sounds. (Closes: #1037330).

-> a patch from upstream (contributed by Ubuntu Touch developers) will be cherry-picked into bookworm's version of ayatana-indicator-datetime.

[ Other info ]
None.

diff -Nru ayatana-indicator-datetime-22.9.1/debian/changelog ayatana-indicator-datetime-22.9.1/debian/changelog --- ayatana-indicator-datetime-22.9.1/debian/changelog 2022-11-23 17:06:05.0 +0100 +++ ayatana-indicator-datetime-22.9.1/debian/changelog 2023-06-11 17:54:33.0 +0200 
@@ -1,3 +1,11 @@ +ayatana-indicator-datetime (22.9.1-1+deb12u1) bookworm; urgency=medium + + * debian/patches: ++ Add 0001_engine-eds-fix-retrieving-custom-alarm-sound-path.patch. Fix + playing of custom alarm sounds. (Closes: #1037330). + + -- Mike Gabriel Sun, 11 Jun 2023 17:54:33 +0200 + ayatana-indicator-datetime (22.9.1-1) unstable; urgency=medium * New upstream release. diff -Nru ayatana-indicator-datetime-22.9.1/debian/patches/0001_engine-eds-fix-retrieving-custom-alarm-sound-path.patch ayatana-indicator-datetime-22.9.1/debian/patches/0001_engine-eds-fix-retrieving-custom-alarm-sound-path.patch --- ayatana-indicator-datetime-22.9.1/debian/patches/0001_engine-eds-fix-retrieving-custom-alarm-sound-path.patch 1970-01-01 01:00:00.0 +0100 +++ ayatana-indicator-datetime-22.9.1/debian/patches/0001_engine-eds-fix-retrieving-custom-alarm-sound-path.patch 2023-06-11 17:53:40.0 +0200 
@@ -0,0 +1,203 @@ +From e089a84b306ef09667752b910d87538043140042 Mon Sep 17 00:00:00 2001 +From: Ratchanan Srirattanamet +Date: Tue, 6 Jun 2023 15:54:11 +0700 +Subject: [PATCH] engine-eds: fix retrieving custom alarm sound path + +ECal 2.0 returns the list of attachments as a GSList (a singly linked +list). I'm not sure why, but the logic for iterating the list is +completely incorrect. Fixing that fixes custom alarm sound. + +A test is added to catch this case. + +Bug-UBports: https://gitlab.com/ubports/development/apps/lomiri-clock-app/-/issues/183 +Signed-off-by: Mike Gabriel +--- + src/engine-eds.cpp | 13 ++- + tests/CMakeLists.txt | 1 + + tests/test-eds-ics-alarm-custom-sound.cpp| 92 + tests/test-eds-ics-alarm-custom-sound.ics.in | 32 +++ + 4 files changed, 131 insertions(+), 7 deletions(-) + create mode 100644 tests/test-eds-ics-alarm-custom-sound.cpp + create mode 100644 tests/test-eds-ics-alarm-custom-sound.ics.in + +diff --git a/src/engine-eds.cpp b/src/engine-eds.cpp +index b7f4682..2748fc1 100644 +--- a/src/engine-eds.cpp b/src/engine-eds.cpp +@@ -635,19 +635,18 @@ private: + auto action = e_cal_component_alarm_get_action(alarm); + if (action == E_CAL_COMPONENT_ALARM_AUDIO) + { +-ICalAttach *attach = nullptr; + auto attachments = e_cal_component_alarm_get_attachments(alarm); + +-if (attachments != nullptr && attachments->next != nullptr) +-attach = I_CAL_ATTACH (attachments->data); ++for (; attachments != nullptr; attachments = attachments->next) { ++ICalAttach *attach = I_CAL_ATTACH (attachments->data); + +-if (attach != nullptr) +-{ +-if (i_cal_attach_get_is_url (attach)) ++if (attach != nullptr && i_cal_attach_get_is_url (attach)) + { + const char* url = i_cal_attach_get_url(attach); +-if (url != nullptr) ++if (url != nullptr) { + ret = url; ++break; ++} + } + } + if (ret.empty()) +diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt +index 4b9b1d7..81eeb5d 100644 +--- a/tests/CMakeLists.txt b/tests/CMakeLists.txt +@@ -108,6 +108,7 @@ 
add_eds_ics_test_by_name(test-eds-ics-tzids-2) + add_eds_ics_test_by_name(test-eds-ics-tzids-utc) + add_eds_ics_test_by_name(test-eds-ics-non-attending-alarms) +
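Review bot: in the src/engine-eds.cpp hunk the new loop advances `attachments` itself (`for (; attachments != nullptr; attachments = attachments->next)`), so the head of the list is gone once the loop exits; if `e_cal_component_alarm_get_attachments` returns a caller-owned GSList in any supported libecal version, nothing can free it afterwards. A separate cursor such as `for (GSList *l = attachments; l != nullptr; l = l->next)` keeps the head available at no cost and also matches the surrounding Allman brace style better than the `{` on the `for` and `if (url != nullptr) {` lines. The commit message says the old iteration was "completely incorrect" without saying how; the removed line `if (attachments != nullptr && attachments->next != nullptr)` shows that the old code only read the first attachment when the list had at least two entries, so an alarm with exactly one custom sound attachment was ignored. That is the actual bug and is worth stating in the commit message and in the debian/changelog entry rather than leaving it to the reader.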