Bug#1028436: transition: re2

2023-06-13 Thread stefanor
Hi Sebastian (2023.06.13_21:42:46_+)
> Please go ahead with the upload to unstable.

Uploaded, thanks!

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272



Bug#1037542: bookworm-pu: package xerial-sqlite-jdbc/3.40.1.0+dfsg-1+deb12u1

2023-06-13 Thread Pierre Gruet
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: xerial-sqlite-j...@packages.debian.org
Control: affects -1 + src:xerial-sqlite-jdbc

Dear Release team,

I would like to upload xerial-sqlite-jdbc to stable-proposed-updates.

[ Reason ]
Grave bug #1036706 was filed a few days before the release of Bookworm.
This is a security bug associated with CVE-2023-32697. Although it has been
marked no-dsa by the security team, we exchanged a few emails and our
conclusion was that the fix of this bug, which amounts to cherry-picking one
commit of upstream, should land in Bookworm during a point release.

[ Impact ]
CVE-2023-32697 would remain. The Debian-packaged reverse dependencies of the
package are mainly used in a single-user environment, but possibly it is also
used in a network environment by some users for their own programs, and this is
where there might be some hazard.

[ Tests ]
The package was built in a Bookworm chroot and its autopkgtest is passing.

[ Risks ]
Code is very simple; only 2 lines are changed. Upstream published it
three weeks ago and has issued new upstream versions since then.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Cherry-picking commit edb4b8adc2447bc04e05b9b908195a4bc7926242 from upstream,
which uses a random UUID instead of the hash of some fixed address in order to
define the DB file name.



Thanks for your help,

Best,

-- 
Pierre
diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 
xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog
--- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog   2023-02-04 
14:24:45.0 +0100
+++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog   2023-06-13 
23:19:59.0 +0200
@@ -1,3 +1,9 @@
+xerial-sqlite-jdbc (3.40.1.0+dfsg-1+deb12u1) bookworm; urgency=medium
+
+  * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm)
+
+ -- Pierre Gruet   Tue, 13 Jun 2023 23:19:59 +0200
+
 xerial-sqlite-jdbc (3.40.1.0+dfsg-1) unstable; urgency=medium
 
   * New upstream version 3.40.1.0+dfsg
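
Review bot: The new `3.40.1.0+dfsg-1+deb12u1` changelog entry names the CVE but not the Debian bug, although the request and the added patch header (`Bug-Debian: https://bugs.debian.org/1036706`) both refer to #1036706. Consider appending `(Closes: #1036706)` to the entry so the BTS version tracking records the fix for bookworm.
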
diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch 
xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch
--- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch
1970-01-01 01:00:00.0 +0100
+++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch
2023-06-13 23:17:23.0 +0200
@@ -0,0 +1,28 @@
+Description: fixing CVE-2023-32697
+Author: Pierre Gruet 
+Origin: upstream, 
https://github.com/xerial/sqlite-jdbc/commit/edb4b8adc2447bc04e05b9b908195a4bc7926242
+Bug: 
https://github.com/xerial/sqlite-jdbc/security/advisories/GHSA-6phf-6h5g-97j2
+Bug-Debian: https://bugs.debian.org/1036706
+Forwarded: not-needed
+Applied-Upstream: edb4b8adc2447bc04e05b9b908195a4bc7926242
+Last-Update: 2023-06-13
+
+--- a/src/main/java/org/sqlite/SQLiteConnection.java
 b/src/main/java/org/sqlite/SQLiteConnection.java
+@@ -13,6 +13,7 @@
+ import java.sql.ResultSet;
+ import java.sql.SQLException;
+ import java.util.Properties;
++import java.util.UUID;
+ import java.util.concurrent.Executor;
+ import org.sqlite.SQLiteConfig.TransactionMode;
+ import org.sqlite.core.CoreDatabaseMetaData;
+@@ -303,7 +304,7 @@
+ }
+ 
+ String tempFolder = new 
File(System.getProperty("java.io.tmpdir")).getAbsolutePath();
+-String dbFileName = String.format("sqlite-jdbc-tmp-%d.db", 
resourceAddr.hashCode());
++String dbFileName = String.format("sqlite-jdbc-tmp-%s.db", 
UUID.randomUUID());
+ File dbFile = new File(tempFolder, dbFileName);
+ 
+ if (dbFile.exists()) {
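
Review bot: In the `@@ -303,7 +304,7 @@` hunk the file name becomes unpredictable, but the path is still built with `new File(tempFolder, dbFileName)` under the shared `java.io.tmpdir` and then tested with `dbFile.exists()`, so the existence check stays separate from whatever creates the file. With a name from `UUID.randomUUID()`, a file already present at that path is not expected to be one this process wrote earlier. It is worth confirming that the `exists()` branch (its body is outside the visible context) does not reuse such a file, and that the per-connection files are removed afterwards now that the names are no longer stable across runs. The `Description:` field could also say what the patch changes (a random UUID instead of `resourceAddr.hashCode()`) rather than only naming the CVE.
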
diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series 
xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series
--- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series  2023-02-02 
17:16:53.0 +0100
+++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series  2023-06-13 
23:10:58.0 +0200
@@ -7,3 +7,4 @@
 skip_OSInfoTest.patch
 tests_without_archunit-junit5_and_some_assertions.patch
 junit-jupiter-params_artifact.patch
+CVE-2023-32697.patch


Processed: bookworm-pu: package xerial-sqlite-jdbc/3.40.1.0+dfsg-1+deb12u1

2023-06-13 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:xerial-sqlite-jdbc
Bug #1037542 [release.debian.org] bookworm-pu: package 
xerial-sqlite-jdbc/3.40.1.0+dfsg-1+deb12u1
Added indication that 1037542 affects src:xerial-sqlite-jdbc

-- 
1037542: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037542
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#1028436: transition: re2

2023-06-13 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 = confirmed
Bug #1028436 [release.debian.org] transition: re2
Added tag(s) confirmed; removed tag(s) trixie.

-- 
1028436: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1028436
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1028436: transition: re2

2023-06-13 Thread Sebastian Ramacher
Control: tags -1 = confirmed

On 2023-01-10 19:22:20 -0400, Stefano Rivera wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: transition
> X-Debbugs-Cc: r...@packages.debian.org
> Control: affects -1 + src:re2
> 
> Sorry for a last minute request. I was just looking through my packages
> on the weekend and noticed that re2 had tagged a new release, but I
> hadn't seen it due to the GitHub layout change last year.
> 
> This is a very minor ABI break in the C++ library, caused by changing
> class layout.
> 
> In the 6 months since the previous release, they've only made 22
> commits. Which also means that if it misses the freeze, it's probably
> not a big deal.
> 
> The new version is currently sitting in experimental bin-NEW.

Please go ahead with the upload to unstable.

Cheers
-- 
Sebastian Ramacher



Bug#1037531: bookworm-pu: package boost1.81/1.81.0-5+deb12u1

2023-06-13 Thread Sebastian Ramacher
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
This upload fixes #1036986 by adding a dependency on the shared library
package to the -dev package. The same fix was applied as part of
1.81.0-5.1 in unstable.

[ Impact ]
Users are missing the corresponding shared library package when working
with the boost json library.

[ Tests ]
Double-checked that the binary packages have the correct dependencies.

[ Risks ]
Change is trivial.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The added dependency is the only change.

Cheers
-- 
Sebastian Ramacher
diff -Nru boost1.81-1.81.0/debian/changelog boost1.81-1.81.0/debian/changelog
--- boost1.81-1.81.0/debian/changelog   2023-05-14 22:52:13.0 +0200
+++ boost1.81-1.81.0/debian/changelog   2023-06-11 19:35:53.0 +0200
@@ -1,3 +1,10 @@
+boost1.81 (1.81.0-5+deb12u1) bookworm; urgency=medium
+
+  * debian/control: Add dependency on libboost-json1.81.0 for
+libboost-json1.81-dev (Closes: #1036986)
+
+ -- Sebastian Ramacher   Sun, 11 Jun 2023 19:35:53 +0200
+
 boost1.81 (1.81.0-5) unstable; urgency=medium
 
   * [0330664] Better handling of the upstream version number
diff -Nru boost1.81-1.81.0/debian/control boost1.81-1.81.0/debian/control
--- boost1.81-1.81.0/debian/control 2023-05-14 22:51:28.0 +0200
+++ boost1.81-1.81.0/debian/control 2023-06-11 19:35:53.0 +0200
@@ -1502,6 +1502,7 @@
 Depends: ${misc:Depends},
  libboost1.81-dev (= ${binary:Version}),
  libboost-container1.81-dev (= ${binary:Version}),
+ libboost-json1.81.0 (= ${binary:Version}),
  libboost-system1.81-dev (= ${binary:Version})
 Conflicts: libboost-json1.80-dev
 Description: C++ containers and algorithms that implement JSON


Bug#1037474: transition: openmm

2023-06-13 Thread Andrius Merkys

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hello,

I would like to request a transition slot for openmm
(experimental -> unstable) due to soname bump. Current ben tracker [1]
is OK.

Status of reverse dependencies:

- cpptraj: not in sid
- molmodel: FTBFS with gemmi (#1037472)
- openstructure: OK
- python-pdbfixer: OK
- macromoleculebuilder: FTBFS with gemmi (#1037463)

Thanks,
Andrius

[1] https://release.debian.org/transitions/html/auto-openmm.html



Bug#1037466: nmu: spirv-llvm-translator-16_16.0.0-1

2023-06-13 Thread Andreas Beckmann
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

nmu spirv-llvm-translator-16_16.0.0-1 . ANY . experimental . -m "Rebuild 
against llvm 16.0.5"

the updated llvm-16/gcc-13 combination causes symbol changes that I'd
like to collect before uploading the package to unstable

Andreas



Bug#1037461: bookworm-pu: package ayatana-indicator-datetime/22.9.1-1+deb12u1

2023-06-13 Thread Mike Gabriel
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
In Lomiri's clock app, it is possible to configure alarms with
custom alarm sounds. ayatana-indicator-datetime is responsible
for playing those alarm sounds when the time comes.

However, ayatana-indicator-datetime only plays the system-wide
default alarm sound.

[ Impact ]
Limited to Lomiri users, configuring custom alarm sounds will
work with this changeset.

[ Tests ]
Manually, on a bookworm system running Lomiri.

[ Risks ]
Virtually none.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

+  * debian/patches:
++ Add 0001_engine-eds-fix-retrieving-custom-alarm-sound-path.patch. Fix
+  playing of custom alarm sounds. (Closes: #1037330).

-> a patch from upstream (contributed by Ubuntu Touch developers) will be
cherry-picked into bookworm's version of ayatana-indicator-datetime.

[ Other info ]
None.
diff -Nru ayatana-indicator-datetime-22.9.1/debian/changelog 
ayatana-indicator-datetime-22.9.1/debian/changelog
--- ayatana-indicator-datetime-22.9.1/debian/changelog  2022-11-23 
17:06:05.0 +0100
+++ ayatana-indicator-datetime-22.9.1/debian/changelog  2023-06-11 
17:54:33.0 +0200
@@ -1,3 +1,11 @@
+ayatana-indicator-datetime (22.9.1-1+deb12u1) bookworm; urgency=medium
+
+  * debian/patches:
++ Add 0001_engine-eds-fix-retrieving-custom-alarm-sound-path.patch. Fix
+  playing of custom alarm sounds. (Closes: #1037330).
+
+ -- Mike Gabriel   Sun, 11 Jun 2023 17:54:33 +0200
+
 ayatana-indicator-datetime (22.9.1-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru 
ayatana-indicator-datetime-22.9.1/debian/patches/0001_engine-eds-fix-retrieving-custom-alarm-sound-path.patch
 
ayatana-indicator-datetime-22.9.1/debian/patches/0001_engine-eds-fix-retrieving-custom-alarm-sound-path.patch
--- 
ayatana-indicator-datetime-22.9.1/debian/patches/0001_engine-eds-fix-retrieving-custom-alarm-sound-path.patch
   1970-01-01 01:00:00.0 +0100
+++ 
ayatana-indicator-datetime-22.9.1/debian/patches/0001_engine-eds-fix-retrieving-custom-alarm-sound-path.patch
   2023-06-11 17:53:40.0 +0200
@@ -0,0 +1,203 @@
+From e089a84b306ef09667752b910d87538043140042 Mon Sep 17 00:00:00 2001
+From: Ratchanan Srirattanamet 
+Date: Tue, 6 Jun 2023 15:54:11 +0700
+Subject: [PATCH] engine-eds: fix retrieving custom alarm sound path
+
+ECal 2.0 returns the list of attachments as a GSList (a singly linked
+list). I'm not sure why, but the logic for iterating the list is
+completely incorrect. Fixing that fixes custom alarm sound.
+
+A test is added to catch this case.
+
+Bug-UBports: 
https://gitlab.com/ubports/development/apps/lomiri-clock-app/-/issues/183
+Signed-off-by: Mike Gabriel 
+---
+ src/engine-eds.cpp   | 13 ++-
+ tests/CMakeLists.txt |  1 +
+ tests/test-eds-ics-alarm-custom-sound.cpp| 92 
+ tests/test-eds-ics-alarm-custom-sound.ics.in | 32 +++
+ 4 files changed, 131 insertions(+), 7 deletions(-)
+ create mode 100644 tests/test-eds-ics-alarm-custom-sound.cpp
+ create mode 100644 tests/test-eds-ics-alarm-custom-sound.ics.in
+
+diff --git a/src/engine-eds.cpp b/src/engine-eds.cpp
+index b7f4682..2748fc1 100644
+--- a/src/engine-eds.cpp
 b/src/engine-eds.cpp
+@@ -635,19 +635,18 @@ private:
+ auto action = e_cal_component_alarm_get_action(alarm);
+ if (action == E_CAL_COMPONENT_ALARM_AUDIO)
+ {
+-ICalAttach *attach = nullptr;
+ auto attachments = e_cal_component_alarm_get_attachments(alarm);
+ 
+-if (attachments != nullptr && attachments->next != nullptr)
+-attach = I_CAL_ATTACH (attachments->data);
++for (; attachments != nullptr; attachments = attachments->next) {
++ICalAttach *attach = I_CAL_ATTACH (attachments->data);
+ 
+-if (attach != nullptr)
+-{
+-if (i_cal_attach_get_is_url (attach))
++if (attach != nullptr && i_cal_attach_get_is_url (attach))
+ {
+ const char* url = i_cal_attach_get_url(attach);
+-if (url != nullptr)
++if (url != nullptr) {
+ ret = url;
++break;
++}
+ }
+ }
+ if (ret.empty())
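
Review bot: The new `for` loop in the `@@ -635,19 +635,18 @@` hunk advances `attachments` itself, so after the loop the variable no longer points at the head of the list returned by `e_cal_component_alarm_get_attachments(alarm)`. A separate cursor, for example `for (auto l = attachments; l != nullptr; l = l->next)`, keeps the head available and reads more clearly. On style, the added `for (...) {` and `if (url != nullptr) {` put the brace on the same line, while the surrounding context lines put `{` on its own line.
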
+diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
+index 4b9b1d7..81eeb5d 100644
+--- a/tests/CMakeLists.txt
 b/tests/CMakeLists.txt
+@@ -108,6 +108,7 @@ add_eds_ics_test_by_name(test-eds-ics-tzids-2)
+ add_eds_ics_test_by_name(test-eds-ics-tzids-utc)
+ add_eds_ics_test_by_name(test-eds-ics-non-attending-alarms)
+